commit c3a8e0eaafb438d5a7e6ca55c09b921291fcc1b1 Author: Greg Kroah-Hartman Date: Wed Jan 6 15:07:45 2010 -0800 Linux 2.6.32.3 commit 84d330ec80dc467baf6cb393d9c1ee006d1c024a Author: Serge E. Hallyn Date: Tue Dec 29 14:50:19 2009 -0600 generic_permission: MAY_OPEN is not write access commit 7ea6600148c265b1fd53e521022b1d7aec81d974 upstream. generic_permission was refusing CAP_DAC_READ_SEARCH-enabled processes from opening DAC-protected files read-only, because do_filp_open adds MAY_OPEN to the open mask. Ignore MAY_OPEN. After this patch, CAP_DAC_READ_SEARCH is again sufficient to open(fname, O_RDONLY) on a file to which DAC otherwise refuses us read permission. Reported-by: Mike Kazantsev Signed-off-by: Serge E. Hallyn Tested-by: Mike Kazantsev Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3815270b3107d31c8b7bd69461f0bb3c350ee25c Author: Gertjan van Wingerde Date: Mon Dec 14 20:33:55 2009 +0100 rt2x00: Disable powersaving for rt61pci and rt2800pci. commit 93b6bd26b74efe46b4579592560f9f1cb7b61994 upstream. We've had many reports of rt61pci failures with powersaving enabled. Therefore, as a stop-gap measure, disable powersaving of the rt61pci until we have found a proper solution. Also disable powersaving on rt2800pci as it most probably will show the same problem. Signed-off-by: Gertjan van Wingerde Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 8ac9e802007e99534ec66af850ef7b099df27499 Author: Hugh Dickins Date: Wed Dec 30 23:00:30 2009 +0000 ksm: fix mlockfreed to munlocked 2.6.33-rc1 commit 73848b4684e84a84cfd1555af78d41158f31e16b, adjusted to include 31e855ea7173bdb0520f9684580423a9560f66e0's movement of the unlock_page(oldpage), but omit other intervening cleanups. When KSM merges an mlocked page, it has been forgetting to munlock it: that's been left to free_page_mlock(), which reports it in /proc/vmstat as unevictable_pgs_mlockfreed instead of unevictable_pgs_munlocked, which indicates that such pages _might_ be left unevictable for long after they should be evictable. Call munlock_vma_page() to fix that. Signed-off-by: Hugh Dickins Signed-off-by: Greg Kroah-Hartman commit b2ea8cb9c8f1937cb80b9beb50548a05bfc37819 Author: Rik van Riel Date: Mon Dec 14 17:59:48 2009 -0800 vmscan: do not evict inactive pages when skipping an active list scan commit b39415b2731d7dec5e612d2d12595da82399eedf upstream. In AIM7 runs, recent kernels start swapping out anonymous pages well before they should. This is due to shrink_list falling through to shrink_inactive_list if !inactive_anon_is_low(zone, sc), when all we really wanted to do is pre-age some anonymous pages to give them extra time to be referenced while on the inactive list. The obvious fix is to make sure that shrink_list does not fall through to scanning/reclaiming inactive pages when we called it to scan one of the active lists. This change should be safe because the loop in shrink_zone ensures that we will still shrink the anon and file inactive lists whenever we should. [kosaki.motohiro@jp.fujitsu.com: inactive_file_is_low() should be inactive_anon_is_low()] Reported-by: Larry Woodman Signed-off-by: Rik van Riel Acked-by: Johannes Weiner Cc: Tomasz Chmielewski Signed-off-by: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Rik Theys Signed-off-by: Greg Kroah-Hartman commit 370b7588553ff0dc89c8b9436a935e2b7fe0207d Author: Rusty Russell Date: Mon Jan 4 19:26:14 2010 +1030 lguest: fix bug in setting guest GDT entry commit 3e27249c84beed1c79d767b350e52ad038db9053 upstream. We kill the guest, but then we blatt random stuff. Reported-by: Dan Carpenter Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 743c078e0e10e41b8b10f3c07973068d76fcc866 Author: Fang Wenqi Date: Thu Dec 24 17:51:42 2009 -0500 ext4: Update documentation to correct the inode_readahead_blks option name commit 6d3b82f2d31f22085e5711b28dddcb9fb3d97a25 upstream. Per commit 240799cd, the option name for readahead should be inode_readahead_blks, not inode_readahead. Signed-off-by: Fang Wenqi Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit fc310225dfa4d0ca5e8d1bfe66d49367d3e1d81a Author: Peter Zijlstra Date: Mon Nov 16 10:28:09 2009 +0100 sched: Sched_rt_periodic_timer vs cpu hotplug commit 047106adcc85e3023da210143a6ab8a55df9e0fc upstream. Heiko reported a case where a timer interrupt managed to reference a root_domain structure that was already freed by a concurrent hot-un-plug operation. Solve this like the regular sched_domain stuff is also synchronized, by adding a synchronize_sched() stmt to the free path, this ensures that a root_domain stays present for any atomic section that could have observed it. Reported-by: Heiko Carstens Signed-off-by: Peter Zijlstra Acked-by: Heiko Carstens Cc: Gregory Haskins Cc: Siddha Suresh B Cc: Martin Schwidefsky LKML-Reference: <1258363873.26714.83.camel@laptop> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 9127720087953642a8308b373a76f38916577f0e Author: Borislav Petkov Date: Mon Dec 21 18:55:18 2009 +0100 amd64_edac: fix forcing module load/unload commit 43f5e68733cfe8bed3c30b5c14c4993dffb29766 upstream. Clear the override flag after force-loading the module. Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 15383230c0603460f1479610b3dc59e70dc73611 Author: Borislav Petkov Date: Mon Dec 21 18:13:01 2009 +0100 amd64_edac: make driver loading more robust commit 56b34b91e22313294154cee0c16e294cf8a45b61 upstream. Currently, the module does not initialize fully when the DIMMs aren't ECC but remains still loaded. Propagate the error when no instance of the driver is properly initialized and prevent further loading. Reorganize and polish error handling in amd64_edac_init() while at it. Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 44a529c6b32a9254cacc0d0c6423967883d8ebcd Author: Borislav Petkov Date: Mon Dec 21 15:15:59 2009 +0100 amd64_edac: fix driver instance freeing commit 8f68ed9728193b1f2fb53ba06031b06bd8b3d1b4 upstream. Fix use-after-free errors by pushing all memory-freeing calls to the end of amd64_remove_one_instance(). Reported-by: Darren Jenkins LKML-Reference: <1261370306.11354.52.camel@ICE-BOX> Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 2d9e1f02c8fec8e339eddf6c92e836c18525d328 Author: Borislav Petkov Date: Thu Dec 17 00:16:25 2009 +0100 x86, msr: msrs_alloc/free for CONFIG_SMP=n commit 6ede31e03084ee084bcee073ef3d1136f68d0906 upstream. Randy Dunlap reported the following build error: "When CONFIG_SMP=n, CONFIG_X86_MSR=m: ERROR: "msrs_free" [drivers/edac/amd64_edac_mod.ko] undefined! ERROR: "msrs_alloc" [drivers/edac/amd64_edac_mod.ko] undefined!" This is due to the fact that is conditioned on CONFIG_SMP and in the UP case we have only the stubs in the header. Fork off SMP functionality into a new file (msr-smp.c) and build msrs_{alloc,free} unconditionally. Reported-by: Randy Dunlap Cc: H. Peter Anvin Signed-off-by: Borislav Petkov LKML-Reference: <20091216231625.GD27228@liondog.tnic> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit eb21839600f406f76a63e6da241db7f361f7ff52 Author: Borislav Petkov Date: Fri Dec 11 18:14:40 2009 +0100 x86, msr: Add support for non-contiguous cpumasks commit 505422517d3f126bb939439e9d15dece94e11d2c upstream. The current rd/wrmsr_on_cpus helpers assume that the supplied cpumasks are contiguous. However, there are machines out there like some K8 multinode Opterons which have a non-contiguous core enumeration on each node (e.g. cores 0,2 on node 0 instead of 0,1), see http://www.gossamer-threads.com/lists/linux/kernel/1160268. This patch fixes out-of-bounds writes (see URL above) by adding per-CPU msr structs which are used on the respective cores. Additionally, two helpers, msrs_{alloc,free}, are provided for use by the callers of the MSR accessors. Cc: H. Peter Anvin Cc: Mauro Carvalho Chehab Cc: Aristeu Rozanski Cc: Randy Dunlap Cc: Doug Thompson Signed-off-by: Borislav Petkov LKML-Reference: <20091211171440.GD31998@aftab> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 26eb2ac67f9296d5b66533e55e9a28a2edd05b48 Author: Borislav Petkov Date: Tue Nov 3 15:29:26 2009 +0100 amd64_edac: unify MCGCTL ECC switching commit f6d6ae965760906d79ab29bc38507608c5971549 upstream. Unify almost identical code into one function and remove NUMA-specific usage (specifically cpumask_of_node()) in favor of generic topology methods. Remove unused defines, while at it. Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit ebd2802865c7ea5f352fd5444c293d013e528922 Author: Rusty Russell Date: Tue Nov 3 14:56:35 2009 +1030 cpumask: use modern cpumask style in drivers/edac/amd64_edac.c commit ba578cb34a71fb08fff14ac0796b934a8c9991e1 upstream. cpumask_t -> struct cpumask, and don't put one on the stack. (Note: this is actually on the stack unless CONFIG_CPUMASK_OFFSTACK=y). Signed-off-by: Rusty Russell Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit a89a9e1d729d7f1bc0d18bea800087bdfcfe4957 Author: Borislav Petkov Date: Thu Jul 30 11:10:02 2009 +0200 x86, msr: Unify rdmsr_on_cpus/wrmsr_on_cpus commit b8a4754147d61f5359a765a3afd3eb03012aa052 upstream. Since rdmsr_on_cpus and wrmsr_on_cpus are almost identical, unify them into a common __rwmsr_on_cpus helper thus avoiding code duplication. While at it, convert cpumask_t's to const struct cpumask *. Signed-off-by: Borislav Petkov Signed-off-by: H. Peter Anvin Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit b2dbc4634227483a44732e73801b804915f04969 Author: Dmitry Monakhov Date: Thu Dec 10 16:36:27 2009 +0000 ext4: fix sleep inside spinlock issue with quota and dealloc (#14739) commit 39bc680a8160bb9d6743f7873b535d553ff61058 upstream. Unlock i_block_reservation_lock before vfs_dq_reserve_block(). This patch fixes http://bugzilla.kernel.org/show_bug.cgi?id=14739 Cc: Theodore Ts'o Signed-off-by: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit dbe5cc0045fafc8fc452fa90dba93ad957494e14 Author: Dmitry Monakhov Date: Mon Dec 14 15:21:14 2009 +0300 ext4: Convert to generic reserved quota's space management. commit a9e7f4472075fb6937c545af3f6329e9946bbe66 upstream. This patch also fixes write vs chown race condition. Acked-by: "Theodore Ts'o" Signed-off-by: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit bbf245072d81e512cc88535379ae6edb5d08f420 Author: Dmitry Monakhov Date: Mon Dec 14 15:21:13 2009 +0300 quota: decouple fs reserved space from quota reservation commit fd8fbfc1709822bd94247c5b2ab15a5f5041e103 upstream. Currently inode_reservation is managed by fs itself and this reservation is transfered on dquot_transfer(). This means what inode_reservation must always be in sync with dquot->dq_dqb.dqb_rsvspace. Otherwise dquot_transfer() will result in incorrect quota(WARN_ON in dquot_claim_reserved_space() will be triggered) This is not easy because of complex locking order issues for example http://bugzilla.kernel.org/show_bug.cgi?id=14739 The patch introduce quota reservation field for each fs-inode (fs specific inode is used in order to prevent bloating generic vfs inode). This reservation is managed by quota code internally similar to i_blocks/i_bytes and may not be always in sync with internal fs reservation. Also perform some code rearrangement: - Unify dquot_reserve_space() and dquot_reserve_space() - Unify dquot_release_reserved_space() and dquot_free_space() - Also this patch add missing warning update to release_rsv() dquot_release_reserved_space() must call flush_warnings() as dquot_free_space() does. Signed-off-by: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit f07c88dd6cbcc8086e28759f3686068163d423ae Author: Dmitry Monakhov Date: Mon Dec 14 15:21:12 2009 +0300 Add unlocked version of inode_add_bytes() function commit b462707e7ccad058ae151e5c5b06eb5cadcb737f upstream. Quota code requires unlocked version of this function. Off course we can just copy-paste the code, but copy-pasting is always an evil. Signed-off-by: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 0aebc28083514af318c438fccc8a7ae23b4e1ab8 Author: Jan Kara Date: Mon Nov 30 19:47:55 2009 +0100 udf: Try harder when looking for VAT inode commit e971b0b9e0dd50d9ceecb67a6a6ab80a80906033 upstream. Some disks do not contain VAT inode in the last recorded block as required by the standard but a few blocks earlier (or the number of recorded blocks is wrong). So look for the VAT inode a bit before the end of the media. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 3196f989c52765aa202a7917ca381aeafa509a83 Author: Andrey Borzenkov Date: Tue Dec 22 21:38:44 2009 +0300 orinoco: fix GFP_KERNEL in orinoco_set_key with interrupts disabled commit 5b0691508aa99d309101a49b4b084dc16b3d7019 upstream. orinoco_set_key is called from two places both with interrupts disabled (under orinoco_lock). Use GFP_ATOMIC instead of GFP_KERNEL. Fixes following warning: [ 77.254109] WARNING: at /home/bor/src/linux-git/kernel/lockdep.c:2465 lockdep_trace_alloc+0x9a/0xa0() [ 77.254109] Hardware name: PORTEGE 4000 [ 77.254109] Modules linked in: af_packet irnet ppp_generic slhc ircomm_tty ircomm binfmt_misc dm_mirror dm_region_hash dm_log dm_round_robin dm_multipath dm_mod loop nvram toshiba cryptomgr aead pcompress crypto_blkcipher michael_mic crypto_hash crypto_algapi orinoco_cs orinoco cfg80211 smsc_ircc2 pcmcia irda toshiba_acpi yenta_socket video i2c_ali1535 backlight rsrc_nonstatic ali_agp pcmcia_core psmouse output crc_ccitt i2c_core alim1535_wdt rfkill sg evdev ohci_hcd agpgart usbcore pata_ali libata reiserfs [last unloaded: scsi_wait_scan] [ 77.254109] Pid: 2296, comm: wpa_supplicant Not tainted 2.6.32-1avb #1 [ 77.254109] Call Trace: [ 77.254109] [] warn_slowpath_common+0x6d/0xa0 [ 77.254109] [] ? lockdep_trace_alloc+0x9a/0xa0 [ 77.254109] [] ? lockdep_trace_alloc+0x9a/0xa0 [ 77.254109] [] warn_slowpath_null+0x15/0x20 [ 77.254109] [] lockdep_trace_alloc+0x9a/0xa0 [ 77.254109] [] __kmalloc+0x36/0x130 [ 77.254109] [] ? orinoco_set_key+0x48/0x1c0 [orinoco] [ 77.254109] [] orinoco_set_key+0x48/0x1c0 [orinoco] [ 77.254109] [] orinoco_ioctl_set_encodeext+0x1dc/0x2d0 [orinoco] [ 77.254109] [] ioctl_standard_call+0x207/0x3b0 [ 77.254109] [] ? orinoco_ioctl_set_encodeext+0x0/0x2d0 [orinoco] [ 77.254109] [] ? rtnl_lock+0xf/0x20 [ 77.254109] [] ? rtnl_lock+0xf/0x20 [ 77.254109] [] ? __dev_get_by_name+0x85/0xb0 [ 77.254109] [] wext_handle_ioctl+0x176/0x200 [ 77.254109] [] ? orinoco_ioctl_set_encodeext+0x0/0x2d0 [orinoco] [ 77.254109] [] dev_ioctl+0x6af/0x730 [ 77.254109] [] ? move_addr_to_kernel+0x55/0x60 [ 77.254109] [] ? sys_sendto+0xe9/0x130 [ 77.254109] [] sock_ioctl+0x7e/0x250 [ 77.254109] [] ? sock_ioctl+0x0/0x250 [ 77.254109] [] vfs_ioctl+0x1c/0x70 [ 77.254109] [] do_vfs_ioctl+0x6a/0x590 [ 77.254109] [] ? might_fault+0x90/0xa0 [ 77.254109] [] ? might_fault+0x4a/0xa0 [ 77.254109] [] ? sys_socketcall+0x17e/0x280 [ 77.254109] [] sys_ioctl+0x39/0x60 [ 77.254109] [] sysenter_do_call+0x12/0x32 [ 77.254109] ---[ end trace 95ef563548d21efd ]--- Signed-off-by: Andrey Borzenkov Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fad0c314dd0f0c3293b202c23ade933ec43e6961 Author: Paolo Bonzini Date: Wed Jul 8 12:27:39 2009 +0200 xen: wait up to 5 minutes for device connetion commit ae7888012969355a548372e99b066d9e31153b62 upstream. Increases the device timeout from 10s to 5 minutes, giving the user a visual indication during that time in case there are problems. The patch is a backport of changesets 144 and 150 in the Xenbits tree. Cc: Jeremy Fitzhardinge Signed-off-by: Paolo Bonzini Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 2cfea0096f008796246646f7cb1483f9b298b1d2 Author: Paolo Bonzini Date: Wed Jul 8 12:27:38 2009 +0200 xen: improvement to wait_for_devices() commit f8dc33088febc63286b7a60e6b678de8e064de8e upstream. When printing a warning about a timed-out device, print the current state of both ends of the device connection (i.e., backend as well as frontend). This backports half of changeset 146 from the Xenbits tree. Cc: Jeremy Fitzhardinge Signed-off-by: Paolo Bonzini Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit af70ddfa0a21d625f1b7ed3389ce30eeed0896c3 Author: Paolo Bonzini Date: Wed Jul 8 12:27:37 2009 +0200 xen: fix is_disconnected_device/exists_disconnected_device commit c6e1971139be1342902873181f3b80a979bfb33b upstream. The logic of is_disconnected_device/exists_disconnected_device is wrong in that they are used to test whether a device is trying to connect (i.e. connecting). For this reason the patch fixes them to not consider a Closing or Closed device to be connecting. At the same time the patch also renames the functions according to what they really do; you could say a closed device is "disconnected" (the old name), but not "connecting" (the new name). This patch is a backport of changeset 909 from the Xenbits tree. Cc: Jeremy Fitzhardinge Signed-off-by: Paolo Bonzini Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 1dc51f1054ff6444540c3a3e45aad6657d130562 Author: Stefan Weinhuber Date: Mon Dec 7 12:51:48 2009 +0100 S390: dasd: support DIAG access for read-only devices commit 22825ab7693fd29769518a0d25ba43c01a50092a upstream. When a DASD device is used with the DIAG discipline, the DIAG initialization will indicate success or error with a respective return code. So far we have interpreted a return code of 4 as error, but it actually means that the initialization was successful, but the device is read-only. To allow read-only devices to be used with DIAG we need to accept a return code of 4 as success. Re-initialization of the DIAG access is also part of the DIAG error recovery. If we find that the access mode of a device has been changed from writable to read-only while the device was in use, we print an error message. Signed-off-by: Stefan Weinhuber Signed-off-by: Martin Schwidefsky Cc: Stephen Powell Signed-off-by: Greg Kroah-Hartman commit 4012cf67b9f1841ad582ca094c230439d98c8a4d Author: Zhao Yakui Date: Wed Dec 9 11:23:42 2009 +0800 drm: disable all the possible outputs/crtcs before entering KMS mode commit b16d9acbdb97452d1418420e069acf7381ef10bb upstream. Sometimes we will use a crtc for integerated LVDS, which is different with that assigned by BIOS. If we want to get flicker-free transitions, then we could read out the current state for it and set our current state accordingly. But it is true that if we aren't reading current state out, we do need to turn everything off before modesetting. Otherwise the clocks can get very angry and we get things worse than a flicker at boot. In fact we also do the similar thing in UMS mode. We will disable all the possible outputs/crtcs for the first modesetting. So we disable all the possible outputs/crtcs before entering the KMS mode. Before we configure connector/encoder/crtc, the function of drm_helper_disable_unused_function can disable all the possible outputs/crtcs. Signed-off-by: Zhao Yakui Reviewed-by: Eric Anholt Reviewed-by: Rafal Milecki Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 08ff73341f9d5bde2d5e54bfe4d6a3d2a3f2ee83 Author: Dave Airlie Date: Mon Dec 21 14:33:52 2009 +1000 drm/radeon/kms: fix crtc vblank update for r600 In 2.6.32.2 r600 had no IRQ support, however the patch in 500b758725314ab1b5316eb0caa5b0fa26740e6b to fix vblanks on avivo cards, needs irqs. So check for an R600 card and avoid this path if so. This is a stable only patch for 2.6.32.2 as 2.6.33 has IRQs for r600. Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit a09adfeb9ea89d22c301749a87480ac98edc2cce Author: Peter Zijlstra Date: Wed Nov 25 13:31:39 2009 +0100 sched: Fix balance vs hotplug race commit 6ad4c18884e864cf4c77f9074d3d1816063f99cd upstream. Since (e761b77: cpu hotplug, sched: Introduce cpu_active_map and redo sched domain managment) we have cpu_active_mask which is suppose to rule scheduler migration and load-balancing, except it never (fully) did. The particular problem being solved here is a crash in try_to_wake_up() where select_task_rq() ends up selecting an offline cpu because select_task_rq_fair() trusts the sched_domain tree to reflect the current state of affairs, similarly select_task_rq_rt() trusts the root_domain. However, the sched_domains are updated from CPU_DEAD, which is after the cpu is taken offline and after stop_machine is done. Therefore it can race perfectly well with code assuming the domains are right. Cure this by building the domains from cpu_active_mask on CPU_DOWN_PREPARE. Signed-off-by: Peter Zijlstra LKML-Reference: Signed-off-by: Ingo Molnar Cc: Mike Galbraith Cc: Holger Hoffstätte Signed-off-by: Greg Kroah-Hartman commit fb70ac4b23fc108eb92eef9434e111bbdd7fd922 Author: Geert Uytterhoeven Date: Sun Dec 13 20:21:34 2009 +0100 Keys: KEYCTL_SESSION_TO_PARENT needs TIF_NOTIFY_RESUME architecture support commit a00ae4d21b2fa9379914f270ffffd8d3bec55430 upstream. As of commit ee18d64c1f632043a02e6f5ba5e045bb26a5465f ("KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]"), CONFIG_KEYS=y fails to build on architectures that haven't implemented TIF_NOTIFY_RESUME yet: security/keys/keyctl.c: In function 'keyctl_session_to_parent': security/keys/keyctl.c:1312: error: 'TIF_NOTIFY_RESUME' undeclared (first use in this function) security/keys/keyctl.c:1312: error: (Each undeclared identifier is reported only once security/keys/keyctl.c:1312: error: for each function it appears in.) Make KEYCTL_SESSION_TO_PARENT depend on TIF_NOTIFY_RESUME until m68k, and xtensa have implemented it. Signed-off-by: Geert Uytterhoeven Signed-off-by: James Morris Acked-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 7fcb55881eb7a15e58ccfe81b4fe35fb06b12a7e Author: Larry Finger Date: Mon Nov 23 18:40:45 2009 -0600 b43: avoid PPC fault during resume commit c2ff581acab16c6af56d9e8c1a579bf041ec00b1 upstream. The routine b43_is_hw_radio_enabled() has long been a problem. For PPC architecture with PHY Revision < 3, a read of the register B43_MMIO_HWENABLED_LO will cause a CPU fault unless b43_status() returns a value of 2 (B43_STAT_STARTED) (BUG 14181). Fixing that results in Bug 14538 in which the driver is unable to reassociate after resuming from hibernation because b43_status() returns 0. The correct fix would be to determine why the status is 0; however, I have not yet found why that happens. The correct value is found for my device, which has PHY revision >= 3. Returning TRUE when the PHY revision < 3 and b43_status() returns 0 fixes the regression for 2.6.32. This patch fixes the problem in Red Hat Bugzilla #538523. Signed-off-by: Larry Finger Tested-by: Christian Casteyde Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a8e3ec9aa0f527e759ab056952a1cb3ed102220d Author: Jonathan Cameron Date: Wed Dec 16 21:38:28 2009 +0100 hwmon: (sht15) Off-by-one error in array index + incorrect constants commit 4235f684b66d6f00d2cd8849c884cf8f8b57ecad upstream. Fix an off-by-one error in array index + incorrect constants. Signed-off-by: Christoph Walser Signed-off-by: Jonathan Cameron Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 048a424c2826ccbeb9b08bc3a8c6bc7acbd3116d Author: Patrick McHardy Date: Tue Dec 15 16:59:59 2009 +0100 netfilter: fix crashes in bridge netfilter caused by fragment jumps commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497 upstream. When fragments from bridge netfilter are passed to IPv4 or IPv6 conntrack and a reassembly queue with the same fragment key already exists from reassembling a similar packet received on a different device (f.i. with multicasted fragments), the reassembled packet might continue on a different codepath than where the head fragment originated. This can cause crashes in bridge netfilter when a fragment received on a non-bridge device (and thus with skb->nf_bridge == NULL) continues through the bridge netfilter code. Add a new reassembly identifier for packets originating from bridge netfilter and use it to put those packets in insolated queues. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14805 Reported-and-Tested-by: Chong Qiao Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 89cf4f4c853f1f9619d58d89aa7d1fc56e24ee3a Author: Patrick McHardy Date: Tue Dec 15 16:59:18 2009 +0100 ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery commit 0b5ccb2ee250136dd7385b1c7da28417d0d4d32d upstream. Currently the same reassembly queue might be used for packets reassembled by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT), as well as local delivery. This can cause "packet jumps" when the fragment completing a reassembled packet is queued from a different position in the stack than the previous ones. Add a "user" identifier to the reassembly queue key to seperate the queues of each caller, similar to what we do for IPv4. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit ee6bfc69e69474840cacb2f665831aff29bdbb40 Author: Roger Oksanen Date: Fri Dec 18 20:18:21 2009 -0800 e100: Fix broken cbs accounting due to missing memset. commit 70abc8cb90e679d8519721e2761d8366a18212a6 upstream. Alan Stern noticed that e100 caused slab corruption. commit 98468efddb101f8a29af974101c17ba513b07be1 changed the allocation of cbs to use dma pools that don't return zeroed memory, especially the cb->status field used to track which cb to clean, causing (the visible) double freeing of skbs and a wrong free cbs count. Now the cbs are explicitly zeroed at allocation time. Reported-by: Alan Stern Tested-by: Alan Stern Signed-off-by: Roger Oksanen Acked-by: Jesse Brandeburg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ad46fed9c9b596b6ece5728aad3722a9c4acc8cb Author: Daisuke Nishimura Date: Tue Dec 15 16:47:12 2009 -0800 memcg: avoid oom-killing innocent task in case of use_hierarchy commit d31f56dbf8bafaacb0c617f9a6f137498d5c7aed upstream. task_in_mem_cgroup(), which is called by select_bad_process() to check whether a task can be a candidate for being oom-killed from memcg's limit, checks "curr->use_hierarchy"("curr" is the mem_cgroup the task belongs to). But this check return true(it's false positive) when: /aa use_hierarchy == 0 <- hitting limit /aa/00 use_hierarchy == 1 <- the task belongs to This leads to killing an innocent task in aa/00. This patch is a fix for this bug. And this patch also fixes the arg for mem_cgroup_print_oom_info(). We should print information of mem_cgroup which the task being killed, not current, belongs to. Signed-off-by: Daisuke Nishimura Acked-by: Balbir Singh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b52d85562809f1e8b03d03f6ebc5aa28405d0576 Author: Linus Torvalds Date: Thu Dec 17 07:04:56 2009 -0800 x86/ptrace: make genregs[32]_get/set more robust commit 04a1e62c2cec820501f93526ad1e46073b802dc4 upstream. The loop condition is fragile: we compare an unsigned value to zero, and then decrement it by something larger than one in the loop. All the callers should be passing in appropriately aligned buffer lengths, but it's better to just not rely on it, and have some appropriate defensive loop limits. Acked-by: Roland McGrath Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6e2aa7de04f48bd39955fe0939dc2e02b8941839 Author: Dan Carpenter Date: Thu Dec 10 16:44:51 2009 -0300 V4L/DVB (13596): ov511.c typo: lock => unlock commit 50e9d31183ed61c787b870cb3ee8f6c3db8c8a1e upstream. This was found with a static checker and has not been tested, but it seems pretty clear that the mutex_lock() was supposed to be mutex_unlock() Signed-off-by: Dan Carpenter Signed-off-by: Douglas Schilling Landgraf Signed-off-by: Mauro Carvalho Chehab Cc: Brandon Philips Signed-off-by: Greg Kroah-Hartman commit 4b6d2635956c1ce642bc5dbfc8f460b516ed7e12 Author: WANG Cong Date: Thu Dec 17 15:27:05 2009 -0800 kernel/sysctl.c: fix the incomplete part of sysctl_max_map_count-should-be-non-negative.patch commit 3e26120cc7c819c97bc07281ca1fb9017cfe9a39 upstream. It is a mistake that we used 'proc_dointvec', it should be 'proc_dointvec_minmax', as in the original patch. Signed-off-by: WANG Cong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3ec268a6828ccc37a15e62a7836433b081342345 Author: Amerigo Wang Date: Mon Dec 14 17:59:52 2009 -0800 'sysctl_max_map_count' should be non-negative commit 70da2340fbc68e91e701762f785479ab495a0869 upstream. Jan Engelhardt reported we have this problem: setting max_map_count to a value large enough results in programs dying at first try. This is on 2.6.31.6: 15:59 borg:/proc/sys/vm # echo $[1<<31-1] >max_map_count 15:59 borg:/proc/sys/vm # cat max_map_count 1073741824 15:59 borg:/proc/sys/vm # echo $[1<<31] >max_map_count 15:59 borg:/proc/sys/vm # cat max_map_count Killed This is because we have a chance to make 'max_map_count' negative. but it's meaningless. Make it only accept non-negative values. Reported-by: Jan Engelhardt Signed-off-by: WANG Cong Cc: Ingo Molnar Cc: Peter Zijlstra Cc: James Morris Cc: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0399123f3dcce1a515d021107ec0fb4413ca3efa Author: David Howells Date: Tue Dec 15 19:27:45 2009 +0000 NOMMU: Optimise away the {dac_,}mmap_min_addr tests commit 6e1415467614e854fee660ff6648bd10fa976e95 upstream. In NOMMU mode clamp dac_mmap_min_addr to zero to cause the tests on it to be skipped by the compiler. We do this as the minimum mmap address doesn't make any sense in NOMMU mode. mmap_min_addr and round_hint_to_min() can be discarded entirely in NOMMU mode. Signed-off-by: David Howells Acked-by: Eric Paris Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 1cfe005024b5c820f9b37c9045ec87ee75a8cfb6 Author: Luis R. Rodriguez Date: Thu Dec 24 15:26:09 2009 -0500 mac80211: fix race with suspend and dynamic_ps_disable_work commit b98c06b6debfe84c90200143bb1102f312f50a33 upstream. When mac80211 suspends it calls a driver's suspend callback as a last step and after that the driver assumes no calls will be made to it until we resume and its start callback is kicked. If such calls are made, however, suspend can end up throwing hardware in an unexpected state and making the device unusable upon resume. Fix this by preventing mac80211 to schedule dynamic_ps_disable_work by checking for when mac80211 starts to suspend and starts quiescing. Frames should be allowed to go through though as that is part of the quiescing steps and we do not flush the mac80211 workqueue since it was already done towards the beginning of suspend cycle. The other mac80211 issue will be hanled in the next patch. For further details see refer to the thread: http://marc.info/?t=126144866100001&r=1&w=2 Cc: stable@kernel.org Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 14b4d749ab35158853bca4868b42c0a8cb947206 Author: Reinette Chatre Date: Mon Dec 14 14:12:13 2009 -0800 iwlwifi: fix 40MHz operation setting on cards that do not allow it commit 6c3069b1e7e983e176a5f826e2edffefdd404a08 upstream. Some devices have 40MHz operation disabled entirely. Ensure that driver do not enable 40MHz operation if a channel does not allow this. This fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2135 Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c4ae8aea88809050e8ae76a8c3e252ba3fe6e2cc Author: Johannes Berg Date: Mon Dec 14 14:12:09 2009 -0800 iwlwifi: fix more eeprom endian bugs commit b7bb1756cb6a610cdbac8cfdad9e79bb5670b63b upstream. I've also for a long time had a problem with the temperature calculation code, which I had fixed by byte-swapping the values, and now it turns out that was the correct fix after all. Also, any use of iwl_eeprom_query_addr() that is for more than a u8 must be cast to little endian, and some structs as well. Fix all this. Again, no real impact on platforms that already are little endian. Signed-off-by: Johannes Berg Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit df5d119f46660631b9d50b91b1b888cdb512bdb2 Author: Johannes Berg Date: Mon Dec 14 14:12:08 2009 -0800 iwlwifi: fix EEPROM/OTP reading endian annotations and a bug commit af6b8ee38833b39f70946f767740565ceb126961 upstream. The construct "le16_to_cpu((__force __le16)(r >> 16))" has always bothered me when looking through the iwlwifi code, it shouldn't be necessary to __force anything, and before this code, "r" was obtained with an ioread32, which swaps each of the two u16 values in it properly when swapping the entire u32 value. I've had arguments about this code with people before, but always conceded they were right because removing it only made things not work at all on big endian platforms. However, analysing a failure of the OTP reading code, I now finally figured out what is going on, and why my intuition about that code being wrong was right all along. It turns out that the 'priv->eeprom' u8 array really wants to have the data in it in little endian. So the force code above and all really converts *to* little endian, not from it. Cf., for instance, the function iwl_eeprom_query16() -- it reads two u8 values and combines them into a u16, in a little-endian way. And considering it more, it makes sense to have the eeprom array as on the device, after all not all values really are 16-bit values, the MAC address for instance is not. Now, what this really means is that all the annotations are completely wrong. The eeprom reading code should fill the priv->eeprom array as a __le16 array, with __le16 values. This also means that iwl_read_otp_word() should really have a __le16 pointer as the data argument, since it should be filling that in a format suitable for priv->eeprom. Propagating these changes throughout, iwl_find_otp_image() is found to be, now obviously visible, defective -- it uses the data returned by iwl_read_otp_word() directly as if it was CPU endianness. Fixing that, which is this hunk of the patch: - next_link_addr = link_value * sizeof(u16); + next_link_addr = le16_to_cpu(link_value) * sizeof(u16); is the only real change of this patch. Everything else is just fixing the sparse annotations. Also, the bug only shows up on big endian platforms with a 1000 series card. 5000 and previous series do not use OTP, and 6000 series has shadow RAM support which means we don't ever use the defective code on any cards but 1000. Signed-off-by: Johannes Berg Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0c0cdaff83704490511b462c7ba76d3ff2d0eedb Author: Zhu Yi Date: Mon Dec 14 14:12:12 2009 -0800 iwl3945: fix panic in iwl3945 driver commit dc57a303faab8562b92e85df0d79c4a05d7e2a61 upstream. 3945 updated write_ptr without regard to read_ptr on the Tx path. This messes up our TFD on high load and result in the following: <1>[ 7290.414172] IP: [] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <4>[ 7290.414205] PGD 0 <1>[ 7290.414214] Thread overran stack, or stack corrupted <0>[ 7290.414229] Oops: 0002 [#1] PREEMPT SMP <0>[ 7290.414246] last sysfs file: /sys/devices/platform/coretemp.1/temp1_input <4>[ 7290.414265] CPU 0 <4>[ 7290.414274] Modules linked in: af_packet nfsd usb_storage usb_libusual cpufreq_powersave exportfs cpufreq_conservative iwl3945 nfs cpufreq_userspace snd_hda_codec_realtek acpi_cpufreq uvcvideo lockd iwlcore snd_hda_intel joydev coretemp nfs_acl videodev snd_hda_codec mac80211 v4l1_compat snd_hwdep sbp2 v4l2_compat_ioctl32 uhci_hcd psmouse auth_rpcgss ohci1394 cfg80211 ehci_hcd video ieee1394 snd_pcm serio_raw battery ac nvidia(P) usbcore output sunrpc evdev lirc_ene0100 snd_page_alloc rfkill tg3 libphy fuse lzo lzo_decompress lzo_compress <6>[ 7290.414486] Pid: 0, comm: swapper Tainted: P 2.6.32-rc8-wl #213 Aspire 5720 <6>[ 7290.414507] RIP: 0010:[] [] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <6>[ 7290.414541] RSP: 0018:ffff880002203d60 EFLAGS: 00010246 <6>[ 7290.414557] RAX: 000000000000004f RBX: ffff880064c11600 RCX: 0000000000000013 <6>[ 7290.414576] RDX: ffffffffa0ddcf20 RSI: ffff8800512b7008 RDI: 0000000000000038 <6>[ 7290.414596] RBP: ffff880002203dd0 R08: 0000000000000000 R09: 0000000000000100 <6>[ 7290.414616] R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000a0 <6>[ 7290.414635] R13: 0000000000000002 R14: 0000000000000013 R15: 0000000000020201 <6>[ 7290.414655] FS: 0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000 <6>[ 7290.414677] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b <6>[ 7290.414693] CR2: 0000000000000041 CR3: 0000000001001000 CR4: 00000000000006f0 <6>[ 7290.414712] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 <6>[ 7290.414732] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 <4>[ 7290.414752] Process swapper (pid: 0, threadinfo ffffffff81524000, task ffffffff81528b60) <0>[ 7290.414772] Stack: <4>[ 7290.414780] ffff880002203da0 0000000000000046 0000000000000000 0000000000000046 <4>[ 7290.414804] <0> 0000000000000282 0000000000000282 0000000000000282 ffff880064c12010 <4>[ 7290.414830] <0> ffff880002203db0 ffff880064c11600 ffff880064c12e50 ffff8800512b7000 <0>[ 7290.414858] Call Trace: <0>[ 7290.414867] <4>[ 7290.414884] [] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945] <4>[ 7290.414910] [] ? _spin_unlock+0x30/0x60 <4>[ 7290.414931] [] tasklet_action+0x101/0x110 <4>[ 7290.414950] [] __do_softirq+0xc0/0x160 <4>[ 7290.414968] [] call_softirq+0x1c/0x30 <4>[ 7290.414986] [] do_softirq+0x75/0xb0 <4>[ 7290.415003] [] irq_exit+0x95/0xa0 <4>[ 7290.415020] [] do_IRQ+0x77/0xf0 <4>[ 7290.415038] [] ret_from_intr+0x0/0xf <0>[ 7290.415052] <4>[ 7290.415067] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415087] [] ? acpi_idle_enter_bm+0x27a/0x2a5 <4>[ 7290.415107] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415130] [] ? cpuidle_idle_call+0x93/0xf0 <4>[ 7290.415149] [] ? cpu_idle+0xa7/0x110 <4>[ 7290.415168] [] ? rest_init+0x75/0x80 <4>[ 7290.415187] [] ? start_kernel+0x3a7/0x3b3 <4>[ 7290.415206] [] ? x86_64_start_reservations+0x125/0x129 <4>[ 7290.415227] [] ? x86_64_start_kernel+0xe4/0xeb <0>[ 7290.415243] Code: 00 41 39 ce 0f 8d e8 01 00 00 48 8b 47 40 48 63 d2 48 69 d2 98 00 00 00 4c 8b 04 02 48 c7 c2 20 cf dd a0 49 8d 78 38 49 8d 40 4f 47 09 00 c6 47 0c 00 c6 47 0f 00 c6 47 12 00 c6 47 15 00 49 <1>[ 7290.415382] RIP [] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <4>[ 7290.415410] RSP <0>[ 7290.415421] CR2: 0000000000000041 <4>[ 7290.415436] ---[ end trace ec46807277caa515 ]--- <0>[ 7290.415450] Kernel panic - not syncing: Fatal exception in interrupt <4>[ 7290.415468] Pid: 0, comm: swapper Tainted: P D 2.6.32-rc8-wl #213 <4>[ 7290.415486] Call Trace: <4>[ 7290.415495] [] panic+0x7d/0x13a <4>[ 7290.415519] [] oops_end+0xda/0xe0 <4>[ 7290.415538] [] no_context+0xea/0x250 <4>[ 7290.415557] [] ? select_task_rq_fair+0x511/0x780 <4>[ 7290.415578] [] __bad_area_nosemaphore+0x125/0x1e0 <4>[ 7290.415597] [] ? __enqueue_entity+0x7c/0x80 <4>[ 7290.415616] [] ? enqueue_task_fair+0x111/0x150 <4>[ 7290.415636] [] bad_area_nosemaphore+0xe/0x10 <4>[ 7290.415656] [] do_page_fault+0x26a/0x320 <4>[ 7290.415674] [] page_fault+0x1f/0x30 <4>[ 7290.415697] [] ? iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <4>[ 7290.415723] [] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945] <4>[ 7290.415746] [] ? _spin_unlock+0x30/0x60 <4>[ 7290.415764] [] tasklet_action+0x101/0x110 <4>[ 7290.415783] [] __do_softirq+0xc0/0x160 <4>[ 7290.415801] [] call_softirq+0x1c/0x30 <4>[ 7290.415818] [] do_softirq+0x75/0xb0 <4>[ 7290.415835] [] irq_exit+0x95/0xa0 <4>[ 7290.415852] [] do_IRQ+0x77/0xf0 <4>[ 7290.415869] [] ret_from_intr+0x0/0xf <4>[ 7290.415883] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415911] [] ? acpi_idle_enter_bm+0x27a/0x2a5 <4>[ 7290.415931] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415952] [] ? cpuidle_idle_call+0x93/0xf0 <4>[ 7290.415971] [] ? cpu_idle+0xa7/0x110 <4>[ 7290.415989] [] ? rest_init+0x75/0x80 <4>[ 7290.416007] [] ? start_kernel+0x3a7/0x3b3 <4>[ 7290.416026] [] ? x86_64_start_reservations+0x125/0x129 <4>[ 7290.416047] [] ? x86_64_start_kernel+0xe4/0xeb Reported-by: Maxim Levitsky Tested-by: Maxim Levitsky Signed-off-by: Zhu Yi Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 66c9e44e5740fe9024e3ed02fd66ad6e0e57408f Author: Reinette Chatre Date: Mon Dec 14 14:12:10 2009 -0800 iwl3945: disable power save commit bc45a67079c916a9bd0a95b0b879cc0f259bac6e upstream. we see from http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2125 that power saving does not work well on 3945. Since then power saving has also been connected with association problems where an AP deathenticates a 3945 after it is unable to transmit data to it - this happens when 3945 enters power savings mode. Disable power save support until issues are resolved. Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 87d512cacd0aff44719736ef6d583cafd5c0e1be Author: Vasanthakumar Thiagarajan Date: Fri Nov 13 14:32:40 2009 +0530 ath9k_hw: Fix AR_GPIO_INPUT_EN_VAL_BT_PRIORITY_BB and its shift value in 0x4054 commit c37919bfe0a5c1bee9a31701a31e05a2f8840936 upstream. The bit value of AR_GPIO_INPUT_EN_VAL_BT_PRIORITY_BB is wrong, it should be 0x400 and the number of bits to be right shifted is 10. Having this wrong value in 0x4054 sometimes affects bt quality on btcoex environment. Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a6d8cc616a9058b2e08776f971febf5c84534551 Author: Vasanthakumar Thiagarajan Date: Fri Nov 13 14:32:39 2009 +0530 ath9k_hw: Fix possible OOB array indexing in gen_timer_index[] on 64-bit commit c90017dd43f0cdb42134b9229761e8be02bcd524 upstream. debruijn32 (0x077CB531) is used to index gen_timer_index[] which is an array of 32 u32. Having debruijn32 as unsigned long on a 64-bit platform will result in indexing more than 32 in gen_timer_index[] and there by causing a crash. Make it unsigned to fix this issue. Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 12ba7097e0996b27d768504ae4b337ae3e892221 Author: Sujith Date: Wed Dec 23 20:03:27 2009 -0500 ath9k: fix suspend by waking device prior to stop commit 3867cf6a8c699846e928e8f5a9f31013708df192 upstream. Ensure the device is awake prior to trying to tell hardware to stop it. Impact of not doing this is we can likely leave the device in an undefined state likely causing issues with suspend and resume. This patch ensures harware is where it should be prior to suspend. Signed-off-by: Sujith Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c965e1efdb88a1c42afb119b276d649cddb70387 Author: Luis R. Rodriguez Date: Wed Dec 23 20:03:29 2009 -0500 ath9k: wake hardware during AMPDU TX actions commit 8b685ba9de803f210936400612a32a2003f47cd3 upstream. AMDPDU actions poke hardware for TX operation, as such we want to turn hardware on for these actions. AMDPU RX operations do not require hardware on as nothing is done in hardware for those actions. Without this we cannot guarantee hardware has been programmed correctly for each AMPDU TX action. Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 463a7f9b2752b659f93272c0067dcbc10bd73674 Author: Felix Fietkau Date: Thu Dec 24 14:04:32 2009 +0100 ath9k: fix missed error codes in the tx status check commit 5b479a076de091590423a9e6dfc2584126b28761 upstream. My previous change added in: commit 815833e7ecf0b9a017315cae6aef4d7cd9517681 ath9k: fix tx status reporting was not checking all possible tx error conditions. This could possibly lead to throughput issues due to slow rate control adaption or missed retransmissions of failed A-MPDU frames. This patch adds a mask for all possible error conditions and uses it in the xmit ok check. Reported-by: Björn Smedman Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit bef82b626e39357fd28b8303e9f88ea5c5d1b51f Author: Sujith Date: Mon Dec 14 14:57:08 2009 +0530 ath9k: Fix TX queue draining commit e8009e9850d59000d518296af372888911a129bd upstream. When TX DMA termination has failed, the HW has to be reset completely. Doing a fast channel change in this case is insufficient. Also, change the debug level of a couple of messages to FATAL. Signed-off-by: Sujith Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0ebbdd734f2509bae17f4340fc4fd07c530dbc59 Author: Luis R. Rodriguez Date: Wed Dec 23 20:03:28 2009 -0500 ath9k: wake hardware for interface IBSS/AP/Mesh removal commit 5f70a88f631c3480107853cae12925185eb4c598 upstream. When we remove a IBSS/AP/Mesh interface we stop DMA but to do this we should ensure hardware is on. Awaken the device prior to these calls. This should ensure DMA is stopped upon suspend and plain device removal. Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d5086b90c5986d33308b1ee99546a86ff1571d07 Author: Bob Copeland Date: Mon Dec 21 22:26:48 2009 -0500 ath5k: fix SWI calibration interrupt storm commit 242ab7ad689accafd5e87ffd22b85cf1bf7fbbef upstream. The calibration period is now invoked by triggering a software interrupt from within the ISR by ath5k_hw_calibration_poll() instead of via a timer. However, the calibration interval isn't initialized before interrupts are enabled, so we can have a situation where an interrupt occurs before the interval is assigned, so the interval is actually negative. As a result, the ISR will arm a software interrupt to schedule the tasklet, and then rearm it when the SWI is processed, and so on, leading to a softlockup at modprobe time. Move the initialization order around so the calibration interval is set before interrupts are active. Another possible fix is to schedule the tasklet directly from the poll routine, but I think there are additional plans for the SWI. Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 477702056912abc2120a18e8494fb2204ccdd958 Author: Johannes Berg Date: Wed Dec 23 13:12:05 2009 +0100 cfg80211: fix race between deauth and assoc response commit 3bdb2d48c5f58c781a4099c99044384a23620884 upstream. Joseph Nahmias reported, in http://bugs.debian.org/562016, that he was getting the following warning (with some log around the issue): ath0: direct probe to AP 00:11:95:77:e0:b0 (try 1) ath0: direct probe responded ath0: authenticate with AP 00:11:95:77:e0:b0 (try 1) ath0: authenticated ath0: associate with AP 00:11:95:77:e0:b0 (try 1) ath0: deauthenticating from 00:11:95:77:e0:b0 by local choice (reason=3) ath0: direct probe to AP 00:11:95:77:e0:b0 (try 1) ath0: RX AssocResp from 00:11:95:77:e0:b0 (capab=0x421 status=0 aid=2) ath0: associated ------------[ cut here ]------------ WARNING: at net/wireless/mlme.c:97 cfg80211_send_rx_assoc+0x14d/0x152 [cfg80211]() Hardware name: 7658CTO ... Pid: 761, comm: phy0 Not tainted 2.6.32-trunk-686 #1 Call Trace: [] ? warn_slowpath_common+0x5e/0x8a [] ? warn_slowpath_null+0xa/0xc [] ? cfg80211_send_rx_assoc+0x14d/0x152 ... ath0: link becomes ready ath0: deauthenticating from 00:11:95:77:e0:b0 by local choice (reason=3) ath0: no IPv6 routers present ath0: link is not ready ath0: direct probe to AP 00:11:95:77:e0:b0 (try 1) ath0: direct probe responded ath0: authenticate with AP 00:11:95:77:e0:b0 (try 1) ath0: authenticated ath0: associate with AP 00:11:95:77:e0:b0 (try 1) ath0: RX ReassocResp from 00:11:95:77:e0:b0 (capab=0x421 status=0 aid=2) ath0: associated It is not clear to me how the first "direct probe" here happens, but this seems to be a race condition, if the user requests to deauth after requesting assoc, but before the assoc response is received. In that case, it may happen that mac80211 tries to report the assoc success to cfg80211, but gets blocked on the wdev lock that is held because the user is requesting the deauth. The result is that we run into a warning. This is mostly harmless, but maybe cause an unexpected event to be sent to userspace; we'd send an assoc success event although userspace was no longer expecting that. To fix this, remove the warning and check whether the race happened and in that case abort processing. Reported-by: Joseph Nahmias Cc: 562016-quiet@bugs.debian.org Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9f7028e71d940aadcdea9f777286b066971ba5da Author: Sujith Date: Mon Nov 2 12:33:23 2009 +0530 mac80211: Fix IBSS merge commit 450aae3d7b60a970f266349a837dfb30a539198b upstream. Currently, in IBSS mode, a single creator would go into a loop trying to merge/scan. This happens because the IBSS timer is rearmed on finishing a scan and the subsequent timer invocation requests another scan immediately. This patch fixes this issue by checking if we have just completed a scan run trying to merge with other IBSS networks. Signed-off-by: Sujith Signed-off-by: John W. Linville Cc: Luis Rodriguez Signed-off-by: Greg Kroah-Hartman commit 0b41c5a957e4fb2be4a8ef960e4e50c8791999f3 Author: Johannes Berg Date: Thu Dec 17 16:16:53 2009 +0100 mac80211: fix WMM AP settings application commit 0183826b58a2712ffe608bc3302447be3e6a3ab8 upstream. My commit 77fdaa12cea26c204cc12c312fe40bc0f3dcdfd8 Author: Johannes Berg Date: Tue Jul 7 03:45:17 2009 +0200 mac80211: rework MLME for multiple authentications inadvertedly broke WMM because it removed, along with a bunch of other now useless initialisations, the line initialising sdata->u.mgd.wmm_last_param_set to -1 which would make it adopt any WMM parameter set. If, as is usually the case, the AP uses WMM parameter set sequence number zero, we'd never update it until the AP changes the sequence number. Add the missing initialisation back to get the WMM settings from the AP applied locally. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 330b9373f9b62fcad200f470be7f64c99322d7ef Author: Luis R. Rodriguez Date: Thu Dec 24 15:38:22 2009 -0500 mac80211: fix propagation of failed hardware reconfigurations commit 24feda0084722189468a65e20019cdd8ef99702b upstream. mac80211 does not propagate failed hardware reconfiguration requests. For suspend and resume this is important due to all the possible issues that can come out of the suspend <-> resume cycle. Not propagating the error means cfg80211 will assume the resume for the device went through fine and mac80211 will continue on trying to poke at the hardware, enable timers, queue work, and so on for a device which is completley unfunctional. The least we can do is to propagate device start issues and warn when this occurs upon resume. A side effect of this patch is we also now propagate the start errors upon harware reconfigurations (non-suspend), but this should also be desirable anyway, there is not point in continuing to reconfigure a device if mac80211 was unable to start the device. For further details refer to the thread: http://marc.info/?t=126151038700001&r=1&w=2 Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 38cf2a039fec0233c1ab81b09125e56311574016 Author: Zhu Yi Date: Mon Dec 28 14:23:11 2009 +0800 iwmc3200wifi: fix array out-of-boundary access commit 6c853da3f30c93eae847ecbcd9fdf10ba0da04c2 upstream. Allocate priv->rx_packets[IWM_RX_ID_HASH + 1] because the max array index is IWM_RX_ID_HASH according to IWM_RX_ID_GET_HASH(). Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 08a93783c334ec4b42532b0dad62dc480a6ec823 Author: Daniel Mack Date: Wed Dec 16 05:12:58 2009 +0100 Libertas: fix buffer overflow in lbs_get_essid() commit 45b241689179a6065384260242637cf21dabfb2d upstream. The libertas driver copies the SSID buffer back to the wireless core and appends a trailing NULL character for termination. This is a) unnecessary because the buffer is allocated with kzalloc and is hence already NULLed when this function is called, and b) for priv->curbssparams.ssid_len == 32, it writes back one byte too much which causes memory corruptions. Fix this by removing the extra write. Signed-off-by: Daniel Mack Cc: Stephen Hemminger Cc: Maithili Hinge Cc: Kiran Divekar Cc: Michael Hirsch Cc: netdev@vger.kernel.org Cc: libertas-dev@lists.infradead.org Cc: linux-wireless@lists.infradead.org Acked-by: Holger Schurig Acked-by: Dan Williams Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3b96f9a68db8401e73955a6f6c33ec08ffed9e96 Author: Marcelo Tosatti Date: Mon Dec 14 17:37:35 2009 -0200 KVM: LAPIC: make sure IRR bitmap is scanned after vm load commit 6e24a6eff4571002cd48b99a2b92dc829ce39cb9 upstream. The vcpus are initialized with irr_pending set to false, but loading the LAPIC registers with pending IRR fails to reset the irr_pending variable. Signed-off-by: Marcelo Tosatti Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 3a9f99234194d5f6c987098c288f29f200dabf5e Author: Marcelo Tosatti Date: Sat Dec 5 12:34:11 2009 -0200 KVM: MMU: remove prefault from invlpg handler commit fb341f572d26e0786167cd96b90cc4febed830cf upstream. The invlpg prefault optimization breaks Windows 2008 R2 occasionally. The visible effect is that the invlpg handler instantiates a pte which is, microseconds later, written with a different gfn by another vcpu. The OS could have other mechanisms to prevent a present translation from being used, which the hypervisor is unaware of. While the documentation states that the cpu is at liberty to prefetch tlb entries, it looks like this is not heeded, so remove tlb prefetch from invlpg. Signed-off-by: Marcelo Tosatti Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 8b9f03819c4165799c463b14a30b23f228d13cdb Author: Dan Williams Date: Sat Dec 19 15:36:02 2009 -0700 ioat2,3: put channel hardware in known state at init commit a6d52d70677e99bdb89b6921c265d0a58c22e597 upstream. Put the ioat2 and ioat3 state machines in the halted state with all errors cleared. The ioat1 init path is not disturbed for stability, there are no reported ioat1 initiaization issues. Reported-by: Roland Dreier Tested-by: Roland Dreier Acked-by: Simon Horman Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit e05a6f0307a79b77319eed3c892a9c09613f1a28 Author: Dan Williams Date: Thu Dec 17 13:52:39 2009 -0700 ioat3: fix p-disabled q-continuation commit cd78809f6191485a90ea6c92c2b58900ab5c156f upstream. When continuing a pq calculation the driver needs 3 extra sources. The driver can perform a 3 source calculation with a single descriptor, but needs an extended descriptor to process up to 8 sources in one operation. However, in the p-disabled case only one extra source is needed. When continuing a p-disabled operation there are occasions (i.e. 0 < src_cnt % 8 < 3) where the tail operation does not need an extended descriptor. Properly account for this fact otherwise invalid 'dmacount' values will be written to hardware usually causing the channel to halt with 'invalid descriptor' errors. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit e93166f10c741f247c7e172936811bad558b4135 Author: Joerg Roedel Date: Mon Dec 21 15:51:23 2009 +0100 x86/amd-iommu: Fix initialization failure panic commit 0f764806438d5576ac58898332e5dcf30bb8a679 upstream. The assumption that acpi_table_parse passes the return value of the hanlder function to the caller proved wrong recently. The return value of the handler function is totally ignored. This makes the initialization code for AMD IOMMU buggy in a way that could cause a kernel panic on initialization. This patch fixes the issue in the AMD IOMMU driver. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit cd7bc18e0908a287e64cf4593a480b613b07fdce Author: Jeff Layton Date: Thu Dec 3 08:09:41 2009 -0500 cifs: NULL out tcon, pSesInfo, and srvTcp pointers when chasing DFS referrals commit a2934c7b363ddcc001964f2444649f909e583bef upstream. The scenario is this: The kernel gets EREMOTE and starts chasing a DFS referral at mount time. The tcon reference is put, which puts the session reference too, but neither pointer is zeroed out. The mount gets retried (goto try_mount_again) with new mount info. Session setup fails fails and rc ends up being non-zero. The code then falls through to the end and tries to put the previously freed tcon pointer again. Oops at: cifs_put_smb_ses+0x14/0xd0 Fix this by moving the initialization of the rc variable and the tcon, pSesInfo and srvTcp pointers below the try_mount_again label. Also, add a FreeXid() before the goto to prevent xid "leaks". Signed-off-by: Jeff Layton Reported-by: Gustavo Carvalho Homem Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 6cb5fcc95450e4a8e7423128dec3d43caac8f42b Author: Ingo Molnar Date: Thu Dec 31 15:16:23 2009 +0100 dma-debug: Fix bug causing build warning commit a8fe9ea200ea21421ea750423d1d4d4f7ce037cf upstream. Stephen Rothwell reported the following build warning: lib/dma-debug.c: In function 'dma_debug_device_change': lib/dma-debug.c:680: warning: 'return' with no value, in function returning non-void Introduced by commit f797d9881b62c2ddb1d2e7bd80d87141949c84aa ("dma-debug: Do not add notifier when dma debugging is disabled"). Return 0 [notify-done] when disabled. (this is standard bus notifier behavior.) Signed-off-by: Shaun Ruffell Signed-off-by: Joerg Roedel Cc: Linus Torvalds LKML-Reference: <20091231125624.GA14666@liondog.tnic> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 120dbaa5f31dfea13be03da90d90dc2cfed77841 Author: Shaun Ruffell Date: Thu Dec 17 18:00:36 2009 -0600 dma-debug: Do not add notifier when dma debugging is disabled. commit f797d9881b62c2ddb1d2e7bd80d87141949c84aa upstream. If CONFIG_HAVE_DMA_API_DEBUG is defined and "dma_debug=off" is specified on the kernel command line, when you detach a driver from a device you can cause the following NULL pointer dereference: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] dma_debug_device_change+0x5d/0x117 The problem is that the dma_debug_device_change notifier function is added to the bus notifier chain even though the dma_entry_hash array was never initialized. If dma debugging is disabled, this patch both prevents dma_debug_device_change notifiers from being added to the chain, and additionally ensures that the dma_debug_device_change notifier function is a no-op. Signed-off-by: Shaun Ruffell Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit c4ddbba638a74b9110801026517e892e5a8db6ad Author: Nicolas Ferre Date: Wed Dec 16 16:28:03 2009 +0100 dma: at_hdmac: correct incompatible type for argument 1 of 'spin_lock_bh' commit 4297a462f455e38f08976df7b16c849614a287da upstream. Correct a typo error in locking calls. Signed-off-by: Nicolas Ferre Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit ed8f6eb171b6965d5372f008c3b2267f1da57a92 Author: NeilBrown Date: Wed Dec 30 12:08:49 2009 +1100 md: Fix unfortunate interaction with evms commit cbd1998377504df005302ac90d49db72a48552a6 upstream. evms configures md arrays by: open device send ioctl close device for each different ioctl needed. Since 2.6.29, the device can disappear after the 'close' unless a significant configuration has happened to the device. The change made by "SET_ARRAY_INFO" can too minor to stop the device from disappearing, but important enough that losing the change is bad. So: make sure SET_ARRAY_INFO sets mddev->ctime, and keep the device active as long as ctime is non-zero (it gets zeroed with lots of other things when the array is stopped). This is suitable for -stable kernels since 2.6.29. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit acb8be461bc008fea70999310812a4f4638d9596 Author: Mike Travis Date: Mon Dec 28 13:28:25 2009 -0800 x86: SGI UV: Fix writes to led registers on remote uv hubs commit 39d30770992895d55789de64bad2349510af68d0 upstream. The wrong address was being used to write the SCIR led regs on remote hubs. Also, there was an inconsistency between how BIOS and the kernel indexed these regs. Standardize on using the lower 6 bits of the APIC ID as the index. This patch fixes the problem of writing to an errant address to a cpu # >= 64. Signed-off-by: Mike Travis Reviewed-by: Jack Steiner Cc: Robin Holt Cc: Linus Torvalds LKML-Reference: <4B3922F9.3060905@sgi.com> [ v2: fix a number of annoying checkpatch artifacts and whitespace noise ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4ba51fe7d303115c0eef7cfe4a326fdff536302f Author: Julia Lawall Date: Sun Dec 13 05:47:04 2009 +0000 drivers/net/usb: Correct code taking the size of a pointer commit 6057912d7baad31be9819518674ffad349a065b1 upstream. sizeof(dev->dev_addr) is the size of a pointer. A few lines above, the size of this field is obtained using netdev->addr_len for a call to memcpy, so do the same here. A simplified version of the semantic patch that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression *x; expression f; type T; @@ *f(...,(T)x,...) // Signed-off-by: Julia Lawall Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 526fed8b3c60bd7746de0df7676c83800c36b906 Author: Alan Stern Date: Tue Dec 8 15:54:44 2009 -0500 USB: fix bugs in usb_(de)authorize_device commit da307123c621b01cce147a4be313d8a754674f63 upstream. This patch (as1315) fixes some bugs in the USB core authorization code: usb_deauthorize_device() should deallocate the device strings instead of leaking them, and it should invoke usb_destroy_configuration() (which does proper reference counting) instead of freeing the config information directly. usb_authorize_device() shouldn't change the device strings until it knows that the authorization will succeed, and it should autosuspend the device at the end (having autoresumed the device at the start). Because the device strings can be changed, the sysfs routines to display the strings must protect the string pointers by locking the device. Signed-off-by: Alan Stern CC: Inaky Perez-Gonzalez Acked-by: David Vrabel Signed-off-by: Greg Kroah-Hartman commit c6d7a67b493a4bc990a2c8155787ff70903a2335 Author: Alan Stern Date: Tue Dec 8 15:50:41 2009 -0500 USB: rename usb_configure_device commit 8d8558d10806b7e805cb80df867ebb0a453d4765 upstream. This patch (as1314) renames usb_configure_device() and usb_configure_device_otg() in the hub driver. Neither name is appropriate because these routines enumerate devices, they don't configure them. That's handled by usb_choose_configuration() and usb_set_configuration(). Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit f661c3feba2d9455614d64ba0f73f182a1b39456 Author: Oliver Neukum Date: Wed Dec 16 19:23:43 2009 +0100 Bluetooth: Prevent ill-timed autosuspend in USB driver commit 652fd781a52ad6e24b908cd8b83d12699754f253 upstream. The device must be marked busy as it receives data. Signed-off-by: Oliver Neukum Tested-by: Matthew Garrett Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit b71bfa6a117e070139ce2cf23175378f276b9dd8 Author: Sergei Shtylyov Date: Tue Dec 15 13:30:01 2009 +0200 USB: musb: gadget_ep0: avoid SetupEnd interrupt commit 17be5c5f5ef99c94374e07f71effa78e93a20eda upstream. Gadget stalling a zero-length SETUP request results in this error message: SetupEnd came in a wrong ep0stage idle In order to avoid it, always set the CSR0.DataEnd bit after detecting a zero- length request. Add the missing '\n' to the error message itself as well... Signed-off-by: Sergei Shtylyov Acked-by: Anand Gadiyar Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 3635acd7f7f86d7319c15f3de8be7579b41defc2 Author: pancho horrillo Date: Wed Dec 23 11:09:13 2009 +0100 USB: Fix a bug on appledisplay.c regarding signedness commit 37e9066b2f85480d99d3795373f5ef0b00ac1189 upstream. brightness status is reported by the Apple Cinema Displays as an 'unsigned char' (u8) value, but the code used 'char' instead. Note that he driver was developed on the PowerPC architecture, where the two types are synonymous, which is not always the case. Fixed that. Otherwise the driver will interpret brightness levels > 127 as negative, and fail to load. Signed-off-by: pancho horrillo Signed-off-by: Greg Kroah-Hartman commit 5a82dd5dcafaf91f894f68cbb16359a1338900f5 Author: Donny Kurnia Date: Wed Dec 23 19:03:12 2009 +0700 USB: option: support hi speed for modem Haier CE100 commit c983202bd03eb82394ef1dce5906702fcbc7bb80 upstream. I made this patch for usbserial driver to add the support for EVDO modem Haier CE100. The bugs report for this is here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/490068 This patch based on these post: http://blankblondtank.wordpress.com/2009/09/04/mengoptimalkan-koneksi-modem-haier-ce-100-cdma-di-linux/ http://tantos.web.id/blogs/how-to-internet-connection-using-cdma-evdo-modem-and-karmic-koala-ubuntu-9-10 I hope this patch can help other that have the Haier C100 modem, mostly in my country, Indonesia. Signed-off-by: Donny Kurnia Signed-off-by: Greg Kroah-Hartman commit 702a0a0aed69a97f7001c67a652f49934ac7de0d Author: Clemens Ladisch Date: Mon Dec 21 15:36:44 2009 -0800 USB: emi62: fix crash when trying to load EMI 6|2 firmware commit ac06c06770bb8761b1f1f9bdf2f5420fa6d3e9fa upstream. While converting emi62 to use request_firmware(), the driver was also changed to use the ihex helper functions. However, this broke the loading of the FPGA firmware because the code tries to access the addr field of the EOF record which works with a plain array that has an empty last record but not with the ihex helper functions where the end of the data is signaled with a NULL record pointer, resulting in: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] emi62_load_firmware+0x33c/0x740 [emi62] This can be fixed by changing the loop condition to test the return value of ihex_next_binrec() directly (like in emi26.c). Signed-off-by: Clemens Ladisch Reported-and-tested-by: Der Mickster Acked-by: David Woodhouse Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 2d67231fb86da345be96ba212dfeb4d8c912520b Author: Dave Airlie Date: Sun Dec 20 16:08:40 2009 +1000 drm/radeon: fix build on 64-bit with some compilers. commit 794f3141a194a4f4c28c1d417b071a901f78d9bb upstream. drivers/gpu/drm/radeon/radeon_test.c:45: undefined reference to `__udivdi3' Reported-by: Mr. James W. Laferriere Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 474ae5e72b8acc3c79354f0b14e77fb9e09108ff Author: Eric Millbrandt Date: Tue Dec 22 10:13:24 2009 -0500 ASoC: Do not write to invalid registers on the wm9712. commit 48e3cbb3f67a27d9c2db075f3d0f700246c40caa upstream. This patch fixes a bug where "virtual" registers were being written to the ac97 bus. This was causing unrelated registers to become corrupted (headphone 0x04, touchscreen 0x78, etc). This patch duplicates protection that was included in the wm9713 driver. Signed-off-by: Eric Millbrandt Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d75621cbb1dfadcd6801b39c03867bab60d94dd7 Author: Neil Campbell Date: Mon Dec 14 04:08:57 2009 +0000 powerpc: Handle VSX alignment faults correctly in little-endian mode commit bb7f20b1c639606def3b91f4e4aca6daeee5d80a upstream. This patch fixes the handling of VSX alignment faults in little-endian mode (the current code assumes the processor is in big-endian mode). The patch also makes the handlers clear the top 8 bytes of the register when handling an 8 byte VSX load. This is based on 2.6.32. Signed-off-by: Neil Campbell Acked-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 8aafd7d4acb527c3dfd95d24af190528cc58326b Author: Zhao Yakui Date: Tue Dec 15 22:01:57 2009 +0800 ACPI: Use the return result of ACPI lid notifier chain correctly commit 13c199c0d0cf78b27592991129fb8cbcfc5164de upstream. On some laptops it will return NOTIFY_OK(non-zero) when calling the ACPI LID notifier. Then it is used as the result of ACPI LID resume function, which will complain the following warning message in course of suspend/resume: >PM: Device PNP0C0D:00 failed to resume: error 1 This patch is to eliminate the above warning message. http://bugzilla.kernel.org/show_bug.cgi?id=14782 Signed-off-by: Zhao Yakui Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 3872bf59ad0d88c81d7fb70ac86a5fc2f8aa6d34 Author: Alexey Starikovskiy Date: Tue Dec 22 02:42:52 2009 -0500 ACPI: EC: Fix MSI DMI detection commit 55b313f249e11b815fd0be51869f166aaf368f44 upstream. MSI strings should be ORed, not ANDed. Reference: http://bugzilla.kernel.org/show_bug.cgi?id=14446 Signed-off-by: Alexey Starikovskiy Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 5ab8996c82fdb3fa04ca1d72b1fb388ce9c42378 Author: Stefan Bader Date: Mon Dec 21 16:20:04 2009 -0800 acerhdf: limit modalias matching to supported commit bdc731bc5fcd1794e9ac8ac80c389d302381c123 upstream. BugLink: https://bugs.launchpad.net/ubuntu/+bug/435958 The module alias currently matches any Acer computer but when loaded the BIOS checks will only succeed on Aspire One models. This causes a invalid BIOS warning for all other models (seen on Aspire 4810T). This is not fatal but worries users that see this message. Limiting the moule alias to models starting with AOA or DOA for Packard Bell. Signed-off-by: Stefan Bader Acked-by: Borislav Petkov Acked-by: Peter Feuerer Signed-off-by: Andrew Morton Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 296e9be6e548bc7ede4c6b04b1adfa1d15b8ee12 Author: Takashi Iwai Date: Thu Dec 17 15:00:26 2009 +0100 ALSA: hda - Fix missing capsrc_nids for ALC88x commit 035eb0cff0671ada49ba9f3e5c9e7b0cb950efea upstream. Some model quirks missed the corresponding capsrc_nids. This resulted in non-working capture source selection. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit aec8dc2b5d45b5b4058cfa71d3ca148fdf6c3199 Author: Clemens Ladisch Date: Fri Dec 18 09:27:24 2009 +0100 sound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer commit 3e85fd614c7b6bb7f33bb04a0dcb5a3bfca4c0fe upstream. When allocating the PCM buffer, use vmalloc_user() instead of vmalloc(). Otherwise, it would be possible for applications to play the previous contents of the kernel memory to the speakers, or to read it directly if the buffer is exported to userspace. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e255d3c8a816bfc9e365a39b8b00c4cd79671ee1 Author: Guennadi Liakhovetski Date: Thu Dec 17 14:51:35 2009 +0100 ASoC: wm8974: fix a wrong bit definition commit 48c03ce72f2665f79a3fe54fc6d71b8cc3d30803 upstream. The wm8974 datasheet defines BUFIOEN as bit 2. Signed-off-by: Guennadi Liakhovetski Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1ee0552bc1fa0fe88b39743920bdd5f8715a3e47 Author: Bartlomiej Zolnierkiewicz Date: Sun Dec 20 19:22:33 2009 +0100 pata_cmd64x: fix overclocking of UDMA0-2 modes commit 509426bd46ad0903dca409803e0ee3d30f99f1e8 upstream. adev->dma_mode stores the transfer mode value not UDMA mode number so the condition in cmd64x_set_dmamode() is always true and the higher UDMA clock is always selected. This can potentially result in data corruption when UDMA33 device is used, when 40-wire cable is used or when the error recovery code decides to lower the device speed down. The issue was introduced in the commit 6a40da0 ("libata cmd64x: whack into a shape that looks like the documentation") which goes back to kernel 2.6.20. Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit f31733a7aa32257dac6390f080814a7f76b419bf Author: Sergei Shtylyov Date: Thu Dec 17 01:11:27 2009 -0500 pata_hpt3x2n: fix clock turnaround commit 256ace9bbd4cdb6d48d5f55d55d42fa20527fad1 upstream. The clock turnaround code still doesn't work for several reasons: - 'USE_DPLL' flag in 'ap->host->private_data' is never initialized or updated, so the driver can only set the chip to the DPLL clock mode, not the PCI mode; - the driver doesn't serialize access to the channels depending on the current clock mode like the vendor drivers, so the clock turnaround is only executed "optionally", not always as it should be; - the wrong ports are written to when hpt3x2n_set_clock() is called for the secondary channel; - hpt3x2n_set_clock() can inadvertently enable the disabled channels when resetting the channel state machines. Signed-off-by: Sergei Shtylyov Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit fa3f5a5c1c8e6a2cbc7e21755ea7c215f8cf0577 Author: Thomas Gleixner Date: Thu Dec 10 15:35:10 2009 +0100 clockevents: Prevent clockevent_devices list corruption on cpu hotplug commit bb6eddf7676e1c1f3e637aa93c5224488d99036f upstream. Xiaotian Feng triggered a list corruption in the clock events list on CPU hotplug and debugged the root cause. If a CPU registers more than one per cpu clock event device, then only the active clock event device is removed on CPU_DEAD. The unused devices are kept in the clock events device list. On CPU up the clock event devices are registered again, which means that we list_add an already enqueued list_head. That results in list corruption. Resolve this by removing all devices which are associated to the dead CPU on CPU_DEAD. Reported-by: Xiaotian Feng Signed-off-by: Thomas Gleixner Tested-by: Xiaotian Feng Signed-off-by: Greg Kroah-Hartman commit 8e04c81a2240ac2fc5d9efe804388526331ccac7 Author: Peter Zijlstra Date: Wed Dec 16 18:04:34 2009 +0100 sched: Select_task_rq_fair() must honour SD_LOAD_BALANCE commit e4f4288842ee12747e10c354d72be7d424c0b627 upstream. We should skip !SD_LOAD_BALANCE domains. Signed-off-by: Peter Zijlstra Cc: Mike Galbraith LKML-Reference: <20091216170517.653578430@chello.nl> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit c9ac6a9e841f2c82cb2a1f3adeb00858acc1c5c7 Author: Suresh Siddha Date: Wed Dec 16 16:25:42 2009 -0800 x86, cpuid: Add "volatile" to asm in native_cpuid() commit 45a94d7cd45ed991914011919e7d40eb6d2546d1 upstream. xsave_cntxt_init() does something like: cpuid(0xd, ..); // find out what features FP/SSE/.. etc are supported xsetbv(); // enable the features known to OS cpuid(0xd, ..); // find out the size of the context for features enabled Depending on what features get enabled in xsetbv(), value of the cpuid.eax=0xd.ecx=0.ebx changes correspondingly (representing the size of the context that is enabled). As we don't have volatile keyword for native_cpuid(), gcc 4.1.2 optimizes away the second cpuid and the kernel continues to use the cpuid information obtained before xsetbv(), ultimately leading to kernel crash on processors supporting more state than the legacy FP/SSE. Add "volatile" for native_cpuid(). Signed-off-by: Suresh Siddha LKML-Reference: <1261009542.2745.55.camel@sbs-t61.sc.intel.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 14ae08205860c0a902639ed2c0a601eef9c6d171 Author: Peter Zijlstra Date: Wed Dec 16 18:04:33 2009 +0100 sched: Fix task_hot() test order commit e6c8fba7771563b2f3dfb96a78f36ec17e15bdf0 upstream. Make sure not to access sched_fair fields before verifying it is indeed a sched_fair task. Signed-off-by: Peter Zijlstra Cc: Mike Galbraith LKML-Reference: <20091216170517.577998058@chello.nl> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit fdf26751111406e31e5fcb3eb8b06f299ce3a06b Author: Mike Christie Date: Tue Nov 17 21:25:16 2009 -0600 SCSI: fc class: fix fc_transport_init error handling commit 48de68a40aef032a2e198437f4781a83bfb938db upstream. If transport_class_register fails we should unregister any registered classes, or we will leak memory or other resources. I did a quick modprobe of scsi_transport_fc to test the patch. Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 1ab0714daac27c962256b969823e3d82c67e4b52 Author: FUJITA Tomonori Date: Thu Nov 26 09:24:13 2009 +0900 SCSI: st: fix mdata->page_order handling commit c982c368bb90adbd312faa05d0cfd842e9ab45a7 upstream. dio transfer always resets mdata->page_order to zero. It breaks high-order pages previously allocated for non-dio transfer. This patches adds reserved_page_order to st_buffer structure to save page order for non-dio transfer. http://bugzilla.kernel.org/show_bug.cgi?id=14563 When enlarge_buffer() allocates 524288 from 0, st uses six-order page allocation. So mdata->page_order is 6 and frp_seg is 2. After that, if st uses dio, sgl_map_user_pages() sets mdata->page_order to 0 for st_do_scsi(). After that, when we call normalize_buffer(), it frees only free frp_seg * PAGE_SIZE (2 * 4096) though we should free frp_seg * PAGE_SIZE << 6 (2 * 4096 << 6). So we see buffer_size is set to 516096 (524288 - 8192). Reported-by: Joachim Breuer Tested-by: Joachim Breuer Acked-by: Kai Makisara Signed-off-by: FUJITA Tomonori Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 9f63d27c1b21cb24b7c2e9f79196a4f72f7b193e Author: Michael Reed Date: Wed Dec 2 09:11:16 2009 -0600 SCSI: qla2xxx: dpc thread can execute before scsi host has been added commit 1486400f7edd009d49550da968d5744e246dc7f8 upstream. Fix crash in qla2x00_fdmi_register() due to the dpc thread executing before the scsi host has been fully added. Unable to handle kernel NULL pointer dereference (address 00000000000001d0) qla2xxx_7_dpc[4140]: Oops 8813272891392 [1] Call Trace: [] show_stack+0x50/0xa0 sp=e00000b07c59f930 bsp=e00000b07c591400 [] show_regs+0x820/0x860 sp=e00000b07c59fb00 bsp=e00000b07c5913a0 [] die+0x1a0/0x2e0 sp=e00000b07c59fb00 bsp=e00000b07c591360 [] ia64_do_page_fault+0x8c0/0x9e0 sp=e00000b07c59fb00 bsp=e00000b07c591310 [] ia64_native_leave_kernel+0x0/0x270 sp=e00000b07c59fb90 bsp=e00000b07c591310 [] qla2x00_fdmi_register+0x850/0xbe0 [qla2xxx] sp=e00000b07c59fd60 bsp=e00000b07c591290 [] qla2x00_configure_loop+0x1930/0x34c0 [qla2xxx] sp=e00000b07c59fd60 bsp=e00000b07c591128 [] qla2x00_loop_resync+0x1b0/0x2e0 [qla2xxx] sp=e00000b07c59fdf0 bsp=e00000b07c5910c0 [] qla2x00_do_dpc+0x9a0/0xce0 [qla2xxx] sp=e00000b07c59fdf0 bsp=e00000b07c590fa0 [] kthread+0x110/0x140 sp=e00000b07c59fe00 bsp=e00000b07c590f68 [] kernel_thread_helper+0xd0/0x100 sp=e00000b07c59fe30 bsp=e00000b07c590f40 [] start_kernel_thread+0x20/0x40 sp=e00000b07c59fe30 bsp=e00000b07c590f40 crash> dis a000000207197350 0xa000000207197350 : [MMI] ld1 r45=[r14];; crash> scsi_qla_host.host 0xe00000b058c73ff8 host = 0xe00000b058c73be0, crash> Scsi_Host.shost_data 0xe00000b058c73be0 shost_data = 0x0, <<<<<<<<<<< The fc_transport fc_* workqueue threads have yet to be created. crash> ps | grep _7 3891 2 2 e00000b075c80000 IN 0.0 0 0 [scsi_eh_7] 4140 2 3 e00000b07c590000 RU 0.0 0 0 [qla2xxx_7_dpc] The thread creating adding the Scsi_Host is blocked due to other activity in sysfs. crash> bt 3762 PID: 3762 TASK: e00000b071e70000 CPU: 3 COMMAND: "modprobe" #0 [BSP:e00000b071e71548] schedule at a000000100727e00 #1 [BSP:e00000b071e714c8] __mutex_lock_slowpath at a0000001007295a0 #2 [BSP:e00000b071e714a8] mutex_lock at a000000100729830 #3 [BSP:e00000b071e71478] sysfs_addrm_start at a0000001002584f0 #4 [BSP:e00000b071e71440] create_dir at a000000100259350 #5 [BSP:e00000b071e71410] sysfs_create_subdir at a000000100259510 #6 [BSP:e00000b071e713b0] internal_create_group at a00000010025c880 #7 [BSP:e00000b071e71388] sysfs_create_group at a00000010025cc50 #8 [BSP:e00000b071e71368] dpm_sysfs_add at a000000100425050 #9 [BSP:e00000b071e71310] device_add at a000000100417d90 #10 [BSP:e00000b071e712d8] scsi_add_host at a00000010045a380 #11 [BSP:e00000b071e71268] qla2x00_probe_one at a0000002071be950 #12 [BSP:e00000b071e71248] local_pci_probe at a00000010032e490 #13 [BSP:e00000b071e71218] pci_device_probe at a00000010032ecd0 #14 [BSP:e00000b071e711d8] driver_probe_device at a00000010041d480 #15 [BSP:e00000b071e711a8] __driver_attach at a00000010041d6e0 #16 [BSP:e00000b071e71170] bus_for_each_dev at a00000010041c240 #17 [BSP:e00000b071e71150] driver_attach at a00000010041d0a0 #18 [BSP:e00000b071e71108] bus_add_driver at a00000010041b080 #19 [BSP:e00000b071e710c0] driver_register at a00000010041dea0 #20 [BSP:e00000b071e71088] __pci_register_driver at a00000010032f610 #21 [BSP:e00000b071e71058] (unknown) at a000000207200270 #22 [BSP:e00000b071e71018] do_one_initcall at a00000010000a9c0 #23 [BSP:e00000b071e70f98] sys_init_module at a0000001000fef00 #24 [BSP:e00000b071e70f98] ia64_ret_from_syscall at a00000010000c740 So, it appears that qla2xxx dpc thread is moving forward before the scsi host has been completely added. This patch moves the setting of the init_done (and online) flag to after the call to scsi_add_host() to hold off the dpc thread. Found via large lun count testing using 2.6.31. Signed-off-by: Michael Reed Acked-by: Giridhar Malavali Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c1d17da3cf8a961254fd18f4ddc8bbb743a33ab7 Author: Kleber Sacilotto de Souza Date: Wed Nov 25 20:13:43 2009 -0200 SCSI: ipr: fix EEH recovery commit 99c965dd9ee1a004efc083c3d760ba982bb76adf upstream. After commits c82f63e411f1b58427c103bd95af2863b1c96dd1 (PCI: check saved state before restore) and 4b77b0a2ba27d64f58f16d8d4d48d8319dda36ff (PCI: Clear saved_state after the state has been restored) PCI drivers are prevented from restoring the device standard configuration registers twice in a row. These changes introduced a regression on ipr EEH recovery. The ipr device driver saves the PCI state only during the device probe and restores it on ipr_reset_restore_cfg_space() during IOA resets. This behavior is causing the EEH recovery to fail after the second error detected, since the registers are not being restored. One possible solution would be saving the registers after restoring them. The problem with this approach is that while recovering from an EEH error if pci_save_state() results in an EEH error, the adapter/slot will be reset, and end up back in ipr_reset_restore_cfg_space(), but it won't have a valid saved state to restore, so pci_restore_state() will fail. The following patch introduces a workaround for this problem, hacking around the PCI API by setting pdev->state_saved = true before we do the restore. It fixes the EEH regression and prevents that we hit another EEH error during EEH recovery. [jejb: fix is a hack ... Jesse and Rafael will fix properly] Signed-off-by: Kleber Sacilotto de Souza Acked-by: Brian King Cc: Jesse Barnes Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman