commit 3df76730b1e135164451de3192fcf5e1166eb944 Author: Greg Kroah-Hartman Date: Mon Jan 18 10:23:35 2010 -0800 Linux 2.6.32.4 commit 5877960869333e42ebeb733e8d9d5630ff96d350 Author: David Woodhouse Date: Wed Dec 2 11:00:05 2009 +0000 agp/intel-agp: Clear entire GTT on startup commit fc61901373987ad61851ed001fe971f3ee8d96a3 upstream. Some BIOSes fail to initialise the GTT, which will cause DMA faults when the IOMMU is enabled. We need to clear the whole thing to point at the scratch page, not just the part that Linux is going to use. Signed-off-by: David Woodhouse [anholt: Note that this may also help with stability in the presence of driver bugs, by not drawing to memory we don't own] Signed-off-by: Eric Anholt Cc: Zhenyu Wang Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 5deb72edb39542650c73e3fa7bf4a4a3ef14cc63 Author: David S. Miller Date: Wed Jan 13 17:27:37 2010 -0800 ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream. This fixes CERT-FI FICORA #341748 Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd. Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point. We fixed that in commit e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on skb->dst before it is assigned.") However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function. Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() does not evaluate it's argument, so the dereference would not occur. So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled. Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development. With help from Eugene Teo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 54f1b39ce06aaf023db558ce4cc73f1d550d0d53 Author: Rusty Russell Date: Tue Dec 15 16:28:32 2009 -0600 module: handle ppc64 relocating kcrctabs when CONFIG_RELOCATABLE=y commit d4703aefdbc8f9f347f6dcefcddd791294314eb7 upstream. powerpc applies relocations to the kcrctab. They're absolute symbols, but it's not completely unreasonable: other archs may too, but the relocation is often 0. http://lists.ozlabs.org/pipermail/linuxppc-dev/2009-November/077972.html Inspired-by: Neil Horman Signed-off-by: Rusty Russell Tested-by: Neil Horman Acked-by: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit 9ef9a7c717299c9c57cba7a246462bf1c342118a Author: Al Viro Date: Sat Dec 19 16:03:30 2009 +0000 fix more leaks in audit_tree.c tag_chunk() commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream. Several leaks in audit_tree didn't get caught by commit 318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal exit in case of multiple rules refering to the same chunk. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dffaea5bd7145629d54ba57a49366bbd8157ddef Author: Al Viro Date: Sat Dec 19 15:59:45 2009 +0000 fix braindamage in audit_tree.c untag_chunk() commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream. ... aka "Al had badly fscked up when writing that thing and nobody noticed until Eric had fixed leaks that used to mask the breakage". The function essentially creates a copy of old array sans one element and replaces the references to elements of original (they are on cyclic lists) with those to corresponding elements of new one. After that the old one is fair game for freeing. First of all, there's a dumb braino: when we get to list_replace_init we use indices for wrong arrays - position in new one with the old array and vice versa. Another bug is more subtle - termination condition is wrong if the element to be excluded happens to be the last one. We shouldn't go until we fill the new array, we should go until we'd finished the old one. Otherwise the element we are trying to kill will remain on the cyclic lists... That crap used to be masked by several leaks, so it was not quite trivial to hit. Eric had fixed some of those leaks a while ago and the shit had hit the fan... Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d3b1e3bff1a2ed3a145634775588f1019bc76f5c Author: Johannes Berg Date: Thu Jan 14 20:51:53 2010 +0100 mac80211: fix skb buffering issue (and fixes to that) This is a backport of the mainline patches cf0277e714a0db302a8f80e1b85fd61c32cf00b3 045cfb71a3901005bf6dcedae98cecb3360a0bfc b49bb574e44226b332c28439999d196ddec2f643 Here is the description of the first of those patches (the other two just fixed bugs added by that patch): Since I removed the master netdev, we've been keeping internal queues only, and even before that we never told the networking stack above the virtual interfaces about congestion. This means that packets are queued in mac80211 and the upper layers never know, possibly leading to memory exhaustion and other problems. This patch makes all interfaces multiqueue and uses ndo_select_queue to put the packets into queues per AC. Additionally, when the driver stops a queue, we now stop all corresponding queues for the virtual interfaces as well. The injection case will use VO by default for non-data frames, and BE for data frames, but downgrade any data frames according to ACM. It needs to be fleshed out in the future to allow chosing the queue/AC in radiotap. Signed-off-by: Johannes Berg Cc: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 71c77079a7b5c22e01eba239f93ce38bd6126725 Author: Mike Frysinger Date: Fri Jan 8 00:40:42 2010 -0500 kernel/sysctl.c: fix stable merge error in NOMMU mmap_min_addr Stable commit 0399123f3dcce1a515d021107ec0fb4413ca3efa didn't match the original upstream commit. The CONFIG_MMU check was added much too early in the list disabling a lot of proc entries in the process. Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 904e3733fd1c50e81f4726f56759343207874a95 Author: Samuel Ortiz Date: Fri Dec 18 11:36:49 2009 +0100 libertas: Remove carrier signaling from the scan code commit 659c8e5243caf14564155ad8421404f044dd8031 upstream. There is no reason to signal a carrier off when doing a 802.11 scan. Cc: Holger Schurig Signed-off-by: Samuel Ortiz Acked-by: Dan Williams Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b9945e752afed38518d7041ae00dea25f6272a34 Author: Jesse Barnes Date: Thu Dec 17 11:11:13 2009 -0800 drm/i915: remove render reclock support commit cda9d05c499093c67b4a376a15009923acc2127a upstream. This code generally fails to adjust the render clock, and when it does, it conflicts with some other register settings and can cause problems. So remove this code altogether. I'm reworking it now to do the right thing, but the only bit it will share is the VBT check for whether reclocking is supported, so I'm leaving that bit. Reverts most of 652c393a3368af84359da37c45afc35a91144960 ("add dynamic clock frequency control"), though for many the regressions showed up in the later 181a5336d6cc836f05507410d66988c483ad0154 ("Fix render reclock availability detection"). Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 9b13cca3a8623088d95d9897d29370b4e0b9c213 Author: Felix Fietkau Date: Thu Jan 7 20:23:53 2010 +0100 mac80211: add missing sanity checks for action frames commit d79074488083ec0d7ecd15352192dc1631f25643 upstream. Various missing sanity checks caused rejected action frames to be interpreted as channel switch announcements, which can cause a client mode interface to switch away from its operating channel, thereby losing connectivity. This patch ensures that only spectrum management action frames are processed by the CSA handling function and prevents rejected action frames from getting processed by the MLME code. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0ea5505e18a1cb8eebf3384f825840897894ceda Author: Dan Carpenter Date: Sun Jan 3 11:19:35 2010 +0200 iwl: off by one bug commit 8a9ac160e844c7ce8074f6aa531feefb4acdee7c upstream. tid is used as an array offset. agg = &priv->stations[sta_id].tid[tid].agg; iwl4965_tx_status_reply_tx(priv, agg, tx_resp, txq_id, index); It should be limitted to MAX_TID_COUNT - 1; struct iwl_tid_data tid[MAX_TID_COUNT]; regards, dan carpenter Signed-off-by: Dan Carpenter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 724ad42667b42b363bbef867d1c31850b599fecc Author: Luis R. Rodriguez Date: Mon Jan 4 11:37:39 2010 -0500 cfg80211: fix syntax error on user regulatory hints commit e12822e1d3fface0d9e1095c5177e10141bd6bd6 upstream. This fixes a syntax error when setting up the user regulatory hint. This change yields the same exact binary object though so it ends up just being a syntax typo fix, fortunately. Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit e6efac7b7c4ce45d40f5e07d3105e07704e95673 Author: Luis R. Rodriguez Date: Mon Jan 4 10:40:39 2010 -0500 ath5k: Fix eeprom checksum check for custom sized eeproms commit 359207c687cc8f4f9845c8dadd0d6dabad44e584 upstream. Commit 8bf3d79bc401ca417ccf9fc076d3295d1a71dbf5 enabled EEPROM checksum checks to avoid bogus bug reports but failed to address updating the code to consider devices with custom EEPROM sizes. Devices with custom sized EEPROMs have the upper limit size stuffed in the EEPROM. Use this as the upper limit instead of the static default size. In case of a checksum error also provide back the max size and whether or not this was the default size or a custom one. If the EEPROM is busted we add a failsafe check to ensure we don't loop forever or try to read bogus areas of hardware. This closes bug 14874 http://bugzilla.kernel.org/show_bug.cgi?id=14874 Cc: David Quan Cc: Stephen Beahm Reported-by: Joshua Covington Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fc95845f174a07d4200a30681067d22c9e34723c Author: Zhu Yi Date: Fri Jan 8 10:04:30 2010 -0800 iwlwifi: fix iwl_queue_used bug when read_ptr == write_ptr commit c8106d7625a58ee4387cb2efe3e82320ad44b467 upstream. When txq read_ptr equals to write_ptr, iwl_queue_used should always return false. Because there is no used TFD in this case. This is a complementary fix to the fix already included in commit "iwl3945: fix panic in iwl3945 driver". Both fixes are needed to address the panic below. This problem was discussed on linux-wireless in http://thread.gmane.org/gmane.linux.kernel.wireless.general/43568 <1>[ 7290.414172] IP: [] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <4>[ 7290.414205] PGD 0 <1>[ 7290.414214] Thread overran stack, or stack corrupted <0>[ 7290.414229] Oops: 0002 [#1] PREEMPT SMP <0>[ 7290.414246] last sysfs file: /sys/devices/platform/coretemp.1/temp1_input <4>[ 7290.414265] CPU 0 <4>[ 7290.414274] Modules linked in: af_packet nfsd usb_storage usb_libusual cpufreq_powersave exportfs cpufreq_conservative iwl3945 nfs cpufreq_userspace snd_hda_codec_realtek acpi_cpufreq uvcvideo lockd iwlcore snd_hda_intel joydev coretemp nfs_acl videodev snd_hda_codec mac80211 v4l1_compat snd_hwdep sbp2 v4l2_compat_ioctl32 uhci_hcd psmouse auth_rpcgss ohci1394 cfg80211 ehci_hcd video ieee1394 snd_pcm serio_raw battery ac nvidia(P) usbcore output sunrpc evdev lirc_ene0100 snd_page_alloc rfkill tg3 libphy fuse lzo lzo_decompress lzo_compress <6>[ 7290.414486] Pid: 0, comm: swapper Tainted: P 2.6.32-rc8-wl #213 Aspire 5720 <6>[ 7290.414507] RIP: 0010:[] [] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <6>[ 7290.414541] RSP: 0018:ffff880002203d60 EFLAGS: 00010246 <6>[ 7290.414557] RAX: 000000000000004f RBX: ffff880064c11600 RCX: 0000000000000013 <6>[ 7290.414576] RDX: ffffffffa0ddcf20 RSI: ffff8800512b7008 RDI: 0000000000000038 <6>[ 7290.414596] RBP: ffff880002203dd0 R08: 0000000000000000 R09: 0000000000000100 <6>[ 7290.414616] R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000a0 <6>[ 7290.414635] R13: 0000000000000002 R14: 0000000000000013 R15: 0000000000020201 <6>[ 7290.414655] FS: 0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000 <6>[ 7290.414677] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b <6>[ 7290.414693] CR2: 0000000000000041 CR3: 0000000001001000 CR4: 00000000000006f0 <6>[ 7290.414712] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 <6>[ 7290.414732] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 <4>[ 7290.414752] Process swapper (pid: 0, threadinfo ffffffff81524000, task ffffffff81528b60) <0>[ 7290.414772] Stack: <4>[ 7290.414780] ffff880002203da0 0000000000000046 0000000000000000 0000000000000046 <4>[ 7290.414804] <0> 0000000000000282 0000000000000282 0000000000000282 ffff880064c12010 <4>[ 7290.414830] <0> ffff880002203db0 ffff880064c11600 ffff880064c12e50 ffff8800512b7000 <0>[ 7290.414858] Call Trace: <0>[ 7290.414867] <4>[ 7290.414884] [] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945] <4>[ 7290.414910] [] ? _spin_unlock+0x30/0x60 <4>[ 7290.414931] [] tasklet_action+0x101/0x110 <4>[ 7290.414950] [] __do_softirq+0xc0/0x160 <4>[ 7290.414968] [] call_softirq+0x1c/0x30 <4>[ 7290.414986] [] do_softirq+0x75/0xb0 <4>[ 7290.415003] [] irq_exit+0x95/0xa0 <4>[ 7290.415020] [] do_IRQ+0x77/0xf0 <4>[ 7290.415038] [] ret_from_intr+0x0/0xf <0>[ 7290.415052] <4>[ 7290.415067] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415087] [] ? acpi_idle_enter_bm+0x27a/0x2a5 <4>[ 7290.415107] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415130] [] ? cpuidle_idle_call+0x93/0xf0 <4>[ 7290.415149] [] ? cpu_idle+0xa7/0x110 <4>[ 7290.415168] [] ? rest_init+0x75/0x80 <4>[ 7290.415187] [] ? start_kernel+0x3a7/0x3b3 <4>[ 7290.415206] [] ? x86_64_start_reservations+0x125/0x129 <4>[ 7290.415227] [] ? x86_64_start_kernel+0xe4/0xeb <0>[ 7290.415243] Code: 00 41 39 ce 0f 8d e8 01 00 00 48 8b 47 40 48 63 d2 48 69 d2 98 00 00 00 4c 8b 04 02 48 c7 c2 20 cf dd a0 49 8d 78 38 49 8d 40 4f 47 09 00 c6 47 0c 00 c6 47 0f 00 c6 47 12 00 c6 47 15 00 49 <1>[ 7290.415382] RIP [] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <4>[ 7290.415410] RSP <0>[ 7290.415421] CR2: 0000000000000041 <4>[ 7290.415436] ---[ end trace ec46807277caa515 ]--- <0>[ 7290.415450] Kernel panic - not syncing: Fatal exception in interrupt <4>[ 7290.415468] Pid: 0, comm: swapper Tainted: P D 2.6.32-rc8-wl #213 <4>[ 7290.415486] Call Trace: <4>[ 7290.415495] [] panic+0x7d/0x13a <4>[ 7290.415519] [] oops_end+0xda/0xe0 <4>[ 7290.415538] [] no_context+0xea/0x250 <4>[ 7290.415557] [] ? select_task_rq_fair+0x511/0x780 <4>[ 7290.415578] [] __bad_area_nosemaphore+0x125/0x1e0 <4>[ 7290.415597] [] ? __enqueue_entity+0x7c/0x80 <4>[ 7290.415616] [] ? enqueue_task_fair+0x111/0x150 <4>[ 7290.415636] [] bad_area_nosemaphore+0xe/0x10 <4>[ 7290.415656] [] do_page_fault+0x26a/0x320 <4>[ 7290.415674] [] page_fault+0x1f/0x30 <4>[ 7290.415697] [] ? iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945] <4>[ 7290.415723] [] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945] <4>[ 7290.415746] [] ? _spin_unlock+0x30/0x60 <4>[ 7290.415764] [] tasklet_action+0x101/0x110 <4>[ 7290.415783] [] __do_softirq+0xc0/0x160 <4>[ 7290.415801] [] call_softirq+0x1c/0x30 <4>[ 7290.415818] [] do_softirq+0x75/0xb0 <4>[ 7290.415835] [] irq_exit+0x95/0xa0 <4>[ 7290.415852] [] do_IRQ+0x77/0xf0 <4>[ 7290.415869] [] ret_from_intr+0x0/0xf <4>[ 7290.415883] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415911] [] ? acpi_idle_enter_bm+0x27a/0x2a5 <4>[ 7290.415931] [] ? acpi_idle_enter_bm+0x270/0x2a5 <4>[ 7290.415952] [] ? cpuidle_idle_call+0x93/0xf0 <4>[ 7290.415971] [] ? cpu_idle+0xa7/0x110 <4>[ 7290.415989] [] ? rest_init+0x75/0x80 <4>[ 7290.416007] [] ? start_kernel+0x3a7/0x3b3 <4>[ 7290.416026] [] ? x86_64_start_reservations+0x125/0x129 <4>[ 7290.416047] [] ? x86_64_start_kernel+0xe4/0xeb Reported-by: Maxim Levitsky Tested-by: Maxim Levitsky Signed-off-by: Zhu Yi Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a111c28a5d47bc15ed6b644a0b7c69d748c1bdb2 Author: Ian Campbell Date: Thu Dec 17 13:57:09 2009 +0000 xen: fix hang on suspend. commit c5cae661d6cf808b6984762f763261adf35f3eb7 upstream. In 65f63384 "xen: improve error handling in do_suspend" I said: - xs_suspend()/xs_resume() and dpm_suspend_noirq()/dpm_resume_noirq() were not nested in the obvious way. and changed the ordering of the calls as so: BEFORE AFTER xs_suspend dpm_suspend_noirq dpm_suspend_noirq xs_suspend *SUSPEND* *SUSPEND* dpm_resume_noirq dpm_resume_noirq xs_resume xs_resume Clearly this is not an improvement and I was talking rubbish. In particular the new ordering is susceptible to a hang if a xenstore write is in progress at the point at which the suspend kicks in. When the suspend process calls xs_suspend it tries to take the request_mutex but if a write is in progress it could be looping in xenbus_xs.c:read_reply() waiting for something to arrive on &xs_state.reply_list while holding the request_mutex (taken in the caller of read_reply). However if we have done dpm_suspend_noirq before xs_suspend then we won't get any more xenstore interrupts and process_msg() will never be woken up to add anything to the reply_list. Fix this by calling xs_suspend before dpm_suspend_noirq. If dpm_suspend_noirq fails then make sure we go through the xs_suspend_cancel() code path. Signed-off-by: Ian Campbell Acked-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 38c4d8d579c4e752e03edcdd2e96a49787d71a3a Author: Jan Kara Date: Wed Jan 6 18:03:36 2010 +0100 quota: Fix dquot_transfer for filesystems different from ext4 commit 05b5d898235401c489c68e1f3bc5706a29ad5713 upstream. Commit fd8fbfc1 modified the way we find amount of reserved space belonging to an inode. The amount of reserved space is checked from dquot_transfer and thus inode_reserved_space gets called even for filesystems that don't provide get_reserved_space callback which results in a BUG. Fix the problem by checking get_reserved_space callback and return 0 if the filesystem does not provide it. CC: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit a61dcb0c6ac2aac895a17b37dcbe57b249a3d826 Author: Roger Blofeld Date: Sun Jan 10 20:52:32 2010 +0100 hwmon: (adt7462) Fix pin 28 monitoring commit bb595c923bc51dff9cdd112de18deb57ac7945d2 upstream. The ADT7462_PIN28_VOLT value is a 4-bit field, so the corresponding shift must be 4. Signed-off-by: Roger Blofeld Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 4052fbfb24712ee7bb31c4c813d551712d7a4e4e Author: Yong Wang Date: Sun Jan 10 20:52:34 2010 +0100 hwmon: (coretemp) Fix TjMax for Atom N450/D410/D510 CPUs commit 1fe63ab47a617ee95f562eaa7ddbbc59981ff8c6 upstream. The max junction temperature of Atom N450/D410/D510 CPUs is 100 degrees Celsius. Since these CPUs are always coupled with Intel NM10 chipset in one package, the best way to verify whether an Atom CPU is N450/D410/D510 is to check the host bridge device. Signed-off-by: Yong Wang Acked-by: Huaxu Wan Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 545b02070bb58430c8ce96369bdbbe15e4aef1f7 Author: Patrick McHardy Date: Thu Jan 7 18:33:18 2010 +0100 netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() commit aaff23a95aea5f000895f50d90e91f1e2f727002 upstream. As noticed by Dan Carpenter , update_nl_seq() currently contains an out of bounds read of the seq_aft_nl array when looking for the oldest sequence number position. Fix it to only compare valid positions. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 635b4f931d32118a7bda1b6b7622883bc7e0dcab Author: Florian Westphal Date: Fri Jan 8 17:31:24 2010 +0100 netfilter: ebtables: enforce CAP_NET_ADMIN commit dce766af541f6605fa9889892c0280bab31c66ab upstream. normal users are currently allowed to set/modify ebtables rules. Restrict it to processes with CAP_NET_ADMIN. Note that this cannot be reproduced with unmodified ebtables binary because it uses SOCK_RAW. Signed-off-by: Florian Westphal Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 954c8ef2187e4fd5d870ff0d2d909deebf69f90e Author: Mark Brown Date: Thu Jan 7 16:29:20 2010 +0000 ASoC: Fix WM8350 DSP mode B configuration commit 5ee518ecbcb5934e284ea51a19a939c891f5f7ea upstream. We need to set the LRCLK inversion bit to select DSP mode. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit cf99848730bff6df4f473daa089966372c131147 Author: Daniel T Chen Date: Sun Dec 27 15:48:40 2009 -0500 ALSA: atiixp: Specify codec for Foxconn RC4107MA-RS2 commit dfb12eeb0f04b37e5eb3858864d074af4ecd2ac7 upstream. BugLink: https://bugs.launchpad.net/ubuntu/+bug/498863 This mainboard needs ac97_codec=0. Tested-by: Apoorv Parle Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0385cc0cdb6ed37d433dcf1f2e3f4451326c7c07 Author: Daniel T Chen Date: Sat Jan 9 01:22:29 2010 -0500 ALSA: ac97: Add Dell Dimension 2400 to Headphone/Line Jack Sense blacklist commit af9a75dd1a1f8a9aa406466cc8bb16208120488a upstream. This model needs both 'Headphone Jack Sense' and 'Line Jack Sense' muted for audible playback, so just add it to the ad1981 jack sense blacklist. Tested-by: Pete Signed-off-by: Daniel T Chen Signed-off-by: Jaroslav Kysela Signed-off-by: Greg Kroah-Hartman commit 5bb4e8409e9d28cc7cf6900fd68840604480caf4 Author: Takashi Iwai Date: Tue Jan 12 14:00:11 2010 +0100 ALSA: hda - Fix ALC861-VD capture source mixer commit 9c0afc861a7228f718cb6a79fa7f9d46bf9ff300 upstream. The capture source or input source mixer element wasn't created properly for ALC861-VD codec due to the wrong NID passed to alc_auto_create_input_ctls(). References: Novell bnc#568305 http://bugzilla.novell.com/show_bug.cgi?id=568305 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e0abcea649db45223c7df49df5db04dc1aa3a271 Author: Adrian Hunter Date: Fri Jan 8 14:43:00 2010 -0800 mmc_block: fix queue cleanup commit 5fa83ce284a4b7cd9dcfadd01500b0ed4ab9b740 upstream. The main bug was that 'blk_cleanup_queue()' was called while the block device could still be in use, for example, because the card was removed while files were still open. In addition, to be sure that 'mmc_request()' will get called for all new requests (so it can error them out), the queue is emptied during cleanup. This is done after the worker thread is stopped to avoid racing with it. Finally, it is not a device error for this to be happening, so quiet the (sometimes very many) error messages. Signed-off-by: Adrian Hunter Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0c74f45acfacc220adfa9e035ffeb3d5e8f9f0d8 Author: Jarkko Lavinen Date: Fri Jan 8 14:42:59 2010 -0800 mmc_block: fix probe error cleanup bug commit 0a74ff29b8dd8b748f8856352f9a9b5c6cc362cc upstream. If mmc_blk_set_blksize() fails mmc_blk_probe() the request queue and its thread have been set up and they need to be shut down properly before putting the disk. Signed-off-by: Jarkko Lavinen Signed-off-by: Adrian Hunter Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0798abf9dc8157145d7136f751b6a16aaac1b1e8 Author: Anna Lemehova Date: Fri Jan 8 14:42:58 2010 -0800 mmc_block: add dev_t initialization check commit 7d92df692994472cab6045bbd9d0e2c4afa4365f upstream. When a card is removed before mmc_blk_probe() has called add_disk(), then the minor field is uninitialized and has value 0. This caused mmc_blk_put() to always release devidx 0 even if 0 was still in use. Then the next mmc_blk_probe() used the first free idx of 0, which oopses in sysfs, since it is used by another card. Signed-off-by: Anna Lemehova Signed-off-by: Adrian Hunter Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0696a3b5e0bb2b214b4b8293ce214f3a2e113bda Author: Andi Kleen Date: Fri Jan 8 14:42:52 2010 -0800 kernel/signal.c: fix kernel information leak with print-fatal-signals=1 commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream. When print-fatal-signals is enabled it's possible to dump any memory reachable by the kernel to the log by simply jumping to that address from user space. Or crash the system if there's some hardware with read side effects. The fatal signals handler will dump 16 bytes at the execution address, which is fully controlled by ring 3. In addition when something jumps to a unmapped address there will be up to 16 additional useless page faults, which might be potentially slow (and at least is not very efficient) Fortunately this option is off by default and only there on i386. But fix it by checking for kernel addresses and also stopping when there's a page fault. Signed-off-by: Andi Kleen Cc: Ingo Molnar Cc: Oleg Nesterov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ecac13f4da35b215152e8dab78470662e1b9685d Author: Krzysztof Halasa Date: Fri Jan 8 14:42:36 2010 -0800 dma-debug: allow DMA_BIDIRECTIONAL mappings to be synced with DMA_FROM_DEVICE and commit 42d53b4ff7d61487d18274ebdf1f70c1aef6f122 upstream. There is no need to perform full BIDIR sync (copying the buffers in case of swiotlb and similar schemes) if we know that the owner (CPU or device) hasn't altered the data. Addresses the false-positive reported at http://bugzilla.kernel.org/show_bug.cgi?id=14169 Signed-off-by: Krzysztof Halasa Cc: David Miller Cc: Joerg Roedel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f21efc5709f5e0285389a10ede7e3cef54977029 Author: Sascha Hauer Date: Fri Jan 8 14:42:47 2010 -0800 lib/rational.c needs module.h commit 7ee3aebe31d2cb22c84e1c8f48182947b13a3607 upstream. lib/rational.c:62: warning: data definition has no type or storage class lib/rational.c:62: warning: type defaults to 'int' in declaration of 'EXPORT_SYMBOL' lib/rational.c:62: warning: parameter names (without types) in function declaration Signed-off-by: Sascha Hauer Signed-off-by: Uwe Kleine-König Acked-by: WANG Cong Cc: Oskar Schirmer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 21f7654aa8eac2e3c47097497aee440c222bd9ed Author: Dave Anderson Date: Fri Jan 8 14:42:50 2010 -0800 cgroups: fix 2.6.32 regression causing BUG_ON() in cgroup_diput() commit bd4f490a079730aadfaf9a728303ea0135c01945 upstream. The LTP cgroup test suite generates a "kernel BUG at kernel/cgroup.c:790!" here in cgroup_diput(): /* * if we're getting rid of the cgroup, refcount should ensure * that there are no pidlists left. */ BUG_ON(!list_empty(&cgrp->pidlists)); The cgroup pidlist rework in 2.6.32 generates the BUG_ON, which is caused when pidlist_array_load() calls cgroup_pidlist_find(): (1) if a matching cgroup_pidlist is found, it down_write's the mutex of the pre-existing cgroup_pidlist, and increments its use_count. (2) if no matching cgroup_pidlist is found, then a new one is allocated, it down_write's its mutex, and the use_count is set to 0. (3) the matching, or new, cgroup_pidlist gets returned back to pidlist_array_load(), which increments its use_count -- regardless whether new or pre-existing -- and up_write's the mutex. So if a matching list is ever encountered by cgroup_pidlist_find() during the life of a cgroup directory, it results in an inflated use_count value, preventing it from ever getting released by cgroup_release_pid_array(). Then if the directory is subsequently removed, cgroup_diput() hits the BUG_ON() when it finds that the directory's cgroup is still populated with a pidlist. The patch simply removes the use_count increment when a matching pidlist is found by cgroup_pidlist_find(), because it gets bumped by the calling pidlist_array_load() function while still protected by the list's mutex. Signed-off-by: Dave Anderson Reviewed-by: Li Zefan Acked-by: Ben Blum Cc: Paul Menage Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6abb6ac30148ca47ff66c917ecd83df975daccbf Author: Stephen Hemminger Date: Fri Jan 8 14:43:08 2010 -0800 drivers/cpuidle/governors/menu.c: fix undefined reference to `__udivdi3' commit 5787536edf18e33d06e2bf038bfd0910f4def213 upstream. menu: use proper 64 bit math The new menu governor is incorrectly doing a 64 bit divide. Compile tested only Signed-off-by: Stephen Hemminger Cc: Arjan van de Ven Cc: Len Brown Cc: Venkatesh Pallipadi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fdc08951c6708ecab22102ab404322c4d9de5221 Author: OGAWA Hirofumi Date: Fri Jan 8 14:43:11 2010 -0800 rtc_cmos: convert shutdown to new pnp_driver->shutdown commit 004731b2c7c658d36bee167cb1e1a399c2cbccc9 upstream. commit abd6633c67925f90775bb74755f9c547e30f1f20 ("pnp: add a shutdown method to pnp drivers") adds shutdown method to bus driver blindly. With it, driver->shutdown is no longer valid. Use pnp_driver->shutdown instead. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14889 Signed-off-by: OGAWA Hirofumi Reported-by: Malte Schröder Cc: "Rafael J. Wysocki" Cc: Bjorn Helgaas Cc: David Hardeman Cc: Dmitry Torokhov Cc: Alessandro Zummo Cc: Paul Gortmaker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0c51b5c49b554e7da4c929e1ee877d9e47ba1eec Author: Andrew Morton Date: Tue Nov 17 14:08:52 2009 -0800 drm/i915: fix unused var commit 29bd0ae25f8cb96b63560c2cbccec77b425e1603 upstream. drivers/gpu/drm/i915/i915_dma.c: In function 'i915_driver_load': drivers/gpu/drm/i915/i915_dma.c:1114: warning: 'll_base' may be used uninitialized in this function Partly this is because gcc isn't smart enough. But `ll_base' does get used uninitialised in the DRM_DEBUG() call. Cc: Jesse Barnes Cc: Eric Anholt Cc: Dave Airlie Signed-off-by: Andrew Morton Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit c7e8c269f5d886064af13e7d3eff1324cd78248c Author: Zhao Yakui Date: Mon Jan 4 16:29:32 2010 +0800 drm/i915: Select the correct BPC for LVDS on Ironlake commit e5a95eb778690bc864eb330202d2c1b974caaeb4 upstream. Select the correct BPC for LVDS on Ironlake. If it is 18-bit LVDS panel, the BPC will be 6. When it is 24-bit LVDS panel, the BPC will 8. At the same time the BPC will be 8 when the output device is CRT/HDMI/DP. Signed-off-by: Zhao Yakui Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit c04fd308e3d6148c3c8bcba688c668569759b29c Author: Zhao Yakui Date: Mon Jan 4 16:29:31 2010 +0800 drm/i915: Make the BPC in FDI rx/transcoder be consistent with that in pipeconf on Ironlake commit 8faf3b317471179c02db339aa80955a2e88c036d upstream. Make the BPC in FDI rx/transcoder be consistent with that in pipeconf on Ironlake. Signed-off-by: Zhao Yakui Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit cba0270924c7a6be1f30abd854ebdb3e0df6fb81 Author: Zhao Yakui Date: Mon Jan 4 16:29:30 2010 +0800 drm/i915: Enable/disable the dithering for LVDS based on VBT setting commit 898822ce9561ab9b58a7eb60580a162a83dadecd upstream. Enable/disable the dithering for LVDS based on VBT setting. On the 965/g4x platform the dithering flag is defined in LVDS register. And on the ironlake the dithering flag is defined in pipeconf register. Signed-off-by: Zhao Yakui Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit de040919d2c6a9a6a905b629810d2139c0d5f370 Author: Zhenyu Wang Date: Tue Jan 5 11:25:05 2010 +0800 drm: remove address mask param for drm_pci_alloc() commit e6be8d9d17bd44061116f601fe2609b3ace7aa69 upstream. drm_pci_alloc() has input of address mask for setting pci dma mask on the device, which should be properly setup by drm driver. And leave it as a param for drm_pci_alloc() would cause confusion or mistake would corrupt the correct dma mask setting, as seen on intel hw which set wrong dma mask for hw status page. So remove it from drm_pci_alloc() function. Signed-off-by: Zhenyu Wang Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit c6939598243bc2dbaece589a8dadb547d9083098 Author: Chris Wilson Date: Mon Jan 4 18:57:57 2010 +0000 drm/i915: Permit pinning whilst the device is 'suspended' commit e3d8affb0d2d95f2da61e30ce86b33177feb91e8 upstream. As pinning (allocating and binding GTT memory) does not actually invoke GPU commands, it is safe, and indeed is attempted, during resumption from suspension: [drm:intel_init_clock_gating] *ERROR* failed to pin power context: -16 Signed-off-by: Chris Wilson Reported-by: Hugh Dickins Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit d241962850065fe0aabfbe947028a5e5f14ffb45 Author: Daniel Vetter Date: Tue Dec 15 17:50:00 2009 +0100 drm/i915: fix order of fence release wrt flushing commit 96b47b65594fe2365f73aede060cb5203561fed3 upstream. i915_gem_object_unbind had the ordering wrong. The other user, i915_gem_object_put_fence_reg already has the correct ordering. Results was usually corrupted pixmaps, especially garbled font glyphs after a suspend/resume (because this evicts everything). I'm still waiting for the feedback from the bug-reporters, but because this obviously fixes a bug (at least for me) I'm already submitting it. Bugzilla: http://bugs.freedesktop.org/show_bug.cgi?id=25406 Signed-off-by: Daniel Vetter Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit d3e4d5f8ccd3dfb33d9f2907b5290509766352ea Author: Zhao Yakui Date: Fri Dec 11 09:26:11 2009 +0800 drm/i915: Update LVDS connector status when receiving ACPI LID event commit a2565377a5c31e25c77c7cabaf6752abe9a2d83a upstream. Dirk reports that nothing is displayed on LVDS when using ubuntu 9.1 after close/reopen the LID. And I also reproduce this issue on another laptop. After some tests and debug, it seems that it is related with that the LVDS status is not updated in time in course of suspend/resume. Now the LID state is used to check whether the LVDS is connected or disconnected. And when the LID is closed, it means that the LVDS is disconnected. When it is reopened, it means that the LVDS is connected. At the same time on some distributions the LID event is also used to put the system into suspend state. When the LID is closed, the system will enter the suspend state. When the LID is reopened, the system will be resumed. In such case when the LID is closed, user-space script will receive the LID notification event and detect the LVDS as disconnected. Then the system will enter the suspended state. When the LID is reopened, the system will be resumed. As the LVDS status is not updated in course of resume, it will cause that the LVDS connector is marked as unused and disabled. After the resume is finished,user-space script will try to configure the display mode for LVDS. But unfortunately as the LVDS status is not updated in time and it is still marked as disconnected, the LVDS and its corresponding CRTC will be disabled again in the function of drm_helper_disable_unused_functions after changing mode for LVDS. So we had better check and update the status of LVDS connector after receiving the LID notication event. Then after the system is resumed from suspended state, we can set the display mode for LVDS correctly. Signed-off-by: Zhao Yakui Reported-by: Dirk Hohndel Reviewed-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 8064af147be22c82fa805c6af0695c7dc52bb9c5 Author: Jeff Layton Date: Fri Dec 18 16:28:20 2009 -0500 sunrpc: on successful gss error pipe write, don't return error commit 486bad2e40e938cd68fd853b7a9fa3115a9d3a4a upstream. When handling the gssd downcall, the kernel should distinguish between a successful downcall that contains an error code and a failed downcall (i.e. where the parsing failed or some other sort of problem occurred). In the former case, gss_pipe_downcall should be returning the number of bytes written to the pipe instead of an error. In the event of other errors, we generally want the initiating task to retry the upcall so we set msg.errno to -EAGAIN. An unexpected error code here is a bug however, so BUG() in that case. Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 8ffe94786b66c4ea4298c5ab770de2e96993c9e3 Author: Trond Myklebust Date: Fri Dec 18 16:28:12 2009 -0500 SUNRPC: Fix the return value in gss_import_sec_context() commit b891e4a05ef6beac85465295a032431577c66b16 upstream. If the context allocation fails, it will return GSS_S_FAILURE, which is neither a valid error code, nor is it even negative. Return ENOMEM instead... Reported-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit e64b13f62782f5e495c085e1c06e48224545617f Author: Trond Myklebust Date: Fri Dec 18 16:28:05 2009 -0500 SUNRPC: Fix up an error return value in gss_import_sec_context_kerberos() commit 14ace024b1e16d2bb9445c8387494fbbd820a738 upstream. If the context allocation fails, the function currently returns a random error code, since the variable 'p' still points to a valid memory location. Ensure that it returns ENOMEM... Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit eb0b93d6e280e51b1056be57ea92bb6ebec01ad4 Author: Xiaotian Feng Date: Thu Dec 31 10:52:36 2009 +0800 sunrpc: fix peername failed on closed listener commit b292cf9ce70d221c3f04ff62db5ab13d9a249ca8 upstream. There're some warnings of "nfsd: peername failed (err 107)!" socket error -107 means Transport endpoint is not connected. This warning message was outputed by svc_tcp_accept() [net/sunrpc/svcsock.c], when kernel_getpeername returns -107. This means socket might be CLOSED. And svc_tcp_accept was called by svc_recv() [net/sunrpc/svc_xprt.c] if (test_bit(XPT_LISTENER, &xprt->xpt_flags)) { newxpt = xprt->xpt_ops->xpo_accept(xprt); So this might happen when xprt->xpt_flags has both XPT_LISTENER and XPT_CLOSE. Let's take a look at commit b0401d72, this commit has moved the close processing after do recvfrom method, but this commit also introduces this warnings, if the xpt_flags has both XPT_LISTENER and XPT_CLOSED, we should close it, not accpet then close. Signed-off-by: Xiaotian Feng Cc: J. Bruce Fields Cc: Neil Brown Cc: Trond Myklebust Cc: David S. Miller Cc: Nikola Ciprich Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 3aafc557edb43aa82d9a5651f071d9dae7a2638b Author: Christoph Hellwig Date: Fri Dec 25 17:44:45 2009 +0100 nfsd: make sure data is on disk before calling ->fsync commit 7211a4e859ad070b28545c06e0a6cb60b3b8aa31 upstream. nfsd is not using vfs_fsync, so I missed it when changing the calling convention during the 2.6.32 window. This patch fixes it to not only start the data writeout, but also wait for it to complete before calling into ->fsync. Signed-off-by: Christoph Hellwig Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit b7e5f77916291b3c80fdf34dd2a649d8d10138e8 Author: Rusty Russell Date: Tue Jan 5 12:48:49 2010 +1030 Revert "x86: Side-step lguest problem by only building cmpxchg8b_emu for pre-Pentium" commit db677ffa5f5a4f15b9dad4d132b3477b80766d82 upstream. This reverts commit ae1b22f6e46c03cede7cea234d0bf2253b4261cf. As Linus said in 982d007a6ee: "There was something really messy about cmpxchg8b and clone CPU's, so if you enable it on other CPUs later, do it carefully." This breaks lguest for those configs, but we can fix that by emulating if we have to. Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14884 Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 24488113f0ee3d3fdb64734cb2364cbe2ca1ba33 Author: Boaz Harrosh Date: Sun Dec 27 17:01:42 2009 +0200 exofs: simple_write_end does not mark_inode_dirty commit efd124b999fb4d426b30675f1684521af0872789 upstream. exofs uses simple_write_end() for it's .write_end handler. But it is not enough because simple_write_end() does not call mark_inode_dirty() when it extends i_size. So even if we do call mark_inode_dirty at beginning of write out, with a very long IO and a saturated system we might get the .write_inode() called while still extend-writing to file and miss out on the last i_size updates. So override .write_end, call simple_write_end(), and afterwords if i_size was changed call mark_inode_dirty(). It stands to logic that since simple_write_end() was the one extending i_size it should also call mark_inode_dirty(). But it looks like all users of simple_write_end() are memory-bound pseudo filesystems, who could careless about mark_inode_dirty(). I might submit a warning-comment patch to simple_write_end() in future. Signed-off-by: Boaz Harrosh Signed-off-by: Greg Kroah-Hartman commit 8dfabfcf7b0c03f33f7cb945772027060de70b61 Author: Ben Hutchings Date: Sat Dec 19 14:43:01 2009 +0000 modules: Skip empty sections when exporting section notes commit 10b465aaf9536ee5a16652fa0700740183d48ec9 upstream. Commit 35dead4 "modules: don't export section names of empty sections via sysfs" changed the set of sections that have attributes, but did not change the iteration over these attributes in add_notes_attrs(). This can lead to add_notes_attrs() creating attributes with the wrong names or with null name pointers. Introduce a sect_empty() function and use it in both add_sect_attrs() and add_notes_attrs(). Reported-by: Martin Michlmayr Signed-off-by: Ben Hutchings Tested-by: Martin Michlmayr Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit efd38f42843399cd8da8a5b63b04c8917f8d83a7 Author: Guennadi Liakhovetski Date: Thu Dec 24 01:13:51 2009 +0100 ASoC: fix params_rate() macro use in several codecs commit b3172f222ab5afdc91ea058bd11c42cf169728f3 upstream. Sevelar ASoC codec drivers wrongly assume, that the params_rate() macro returns one of SNDRV_PCM_RATE_* defines instead of the actual numerical sampling rate. Fix them. Signed-off-by: Guennadi Liakhovetski Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit e4dd8ca5be771aa706b0797b3284328bb595bfa1 Author: Linus Torvalds Date: Wed Dec 16 08:23:37 2009 -0800 fasync: split 'fasync_helper()' into separate add/remove functions commit 53281b6d34d44308372d16acb7fb5327609f68b6 upstream. Yes, the add and remove cases do share the same basic loop and the locking, but the compiler can inline and then CSE some of the end result anyway. And splitting it up makes the code way easier to follow, and makes it clearer exactly what the semantics are. In particular, we must make sure that the FASYNC flag in file->f_flags exactly matches the state of "is this file on any fasync list", since not only is that flag visible to user space (F_GETFL), but we also use that flag to check whether we need to remove any fasync entries on file close. We got that wrong for the case of a mixed use of file locking (which tries to remove any fasync entries for file leases) and fasync. Splitting the function up also makes it possible to do some future optimizations without making the function even messier. In particular, since the FASYNC flag has to match the state of "is this on a list", we can do the following future optimizations: - on remove, we don't even need to get the locks and traverse the list if FASYNC isn't set, since we can know a priori that there is no point (this is effectively the same optimization that we already do in __fput() wrt removing fasync on file close) - on add, we can use the FASYNC flag to decide whether we are changing an existing entry or need to allocate a new one. but this is just the cleanup + fix for the FASYNC flag. Acked-by: Al Viro Tested-by: Tavis Ormandy Cc: Jeff Dike Cc: Matt Mackall Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1f51eb3a881359e97dc2c228e55c83fba598e349 Author: Al Viro Date: Thu Jan 14 11:39:39 2010 -0800 untangle the do_mremap() mess This backports the following upstream commits all as one patch: 54f5de709984bae0d31d823ff03de755f9dcac54 ecc1a8993751de4e82eb18640d631dae1f626bd6 1a0ef85f84feb13f07b604fcf5b90ef7c2b5c82f f106af4e90eadd76cfc0b5325f659619e08fb762 097eed103862f9c6a97f2e415e21d1134017b135 935874141df839c706cd6cdc438e85eb69d1525e 0ec62d290912bb4b989be7563851bc364ec73b56 c4caa778157dbbf04116f0ac2111e389b5cd7a29 2ea1d13f64efdf49319e86c87d9ba38c30902782 570dcf2c15463842e384eb597a87c1e39bead99b 564b3bffc619dcbdd160de597b0547a7017ea010 0067bd8a55862ac9dd212bd1c4f6f5bff1ca1301 f8b7256096a20436f6d0926747e3ac3d64c81d24 8c7b49b3ecd48923eb64ff57e07a1cdb74782970 9206de95b1ea68357996ec02be5db0638a0de2c1 2c6a10161d0b5fc047b5bd81b03693b9af99fab5 05d72faa6d13c9d857478a5d35c85db9adada685 bb52d6694002b9d632bb355f64daa045c6293a4e e77414e0aad6a1b063ba5e5750c582c75327ea6a aa65607373a4daf2010e8c3867b6317619f3c1a3 Backport done by Greg Kroah-Hartman. Only minor tweaks were needed. Cc: David S. Miller Cc: Hugh Dickins Cc: Paul Mundt Cc: Russell King Cc: Linus Torvalds Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman