commit b0e43706172ebfee90c82337dfae49119a4e722e Author: Greg Kroah-Hartman Date: Tue Feb 9 04:57:19 2010 -0800 Linux 2.6.32.8 commit 6117db7678e1175d482ce4a2a31203d39f050319 Author: jamal Date: Thu Feb 4 14:50:56 2010 -0500 NET: fix oops at bootime in sysctl code This fixes the boot time oops on the 2.6.32-stable tree. It is needed only in this tree due to the divergance from upstream. From: jamal Acked-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e4a6a351099037e7d20ec8b21907f38f3e35d483 Author: Andreas Schwab Date: Sat Jan 30 10:20:59 2010 +0000 powerpc: TIF_ABI_PENDING bit removal commit 94f28da8409c6059135e89ac64a0839993124155 upstream. Here are the powerpc bits to remove TIF_ABI_PENDING now that set_personality() is called at the appropriate place in exec. Signed-off-by: Andreas Schwab Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit a420e9f34f545968efdf414de17c374445ef2589 Author: Felix Fietkau Date: Tue Jan 19 20:51:32 2010 +0100 ath9k: fix beacon slot/buffer leak commit 74401773f80b6d42f7a4c6994ca0cca883b03745 upstream. When cleaning up beacon buffers and slots, ath9k currently checks if sc->ah->opmode is set to a beacon related mode before cleaning up buffers. An unfortunate ordering of interface up/down commands can lead to sc->ah->opmode being set to monitor mode, while there are AP interfaces present on the same wiphy. Always cleaning up beacon buffers if present fixes this issue. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 1c97637c37d73d0afa0759468eec8132b442452f Author: Felix Fietkau Date: Sat Jan 23 20:04:18 2010 +0100 ath9k: fix eeprom INI values override for 2GHz-only cards commit aa8bc9ef18a2c5b2b97e1f36ee9604cf15743f96 upstream. Among other changes, this commit: commit 06d0f0663e11cab4ec5f2c143a118d71a12fbbe9 Author: Sujith Date: Thu Feb 12 10:06:45 2009 +0530 ath9k: Enable Fractional N mode changed the hw attach code to fix up initialization values only for dual band devices, however the commit message did not give a reason as to why this would be useful or necessary. According to tests by Jorge Boncompte, this breaks at least some 2GHz-only cards, so the code should be changed back to the unconditional INI fixup. Signed-off-by: Felix Fietkau Reported-by: Jorge Boncompte Tested-by: Pavel Roskin Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2c7f87e9dc8167999d4169b58f4be04fd357e9eb Author: Thadeu Lima de Souza Cascardo Date: Tue Feb 2 13:44:17 2010 -0800 pktcdvd: removing device does not remove its sysfs dir commit ca0bf64d99f6e3f6e2fe2585e52a0ac57354beac upstream. This is the counterpart to cba767175becadc5c4016cceb7bfdd2c7fe722f4 ("pktcdvd: remove broken dev_t export of class devices"). Device is not registered using dev_t, so it should not be destroyed using device_destroy which looks up the device by dev_t. This will fail and adding the device again will fail with the "duplicate name" error. This is fixed using device_unregister instead of device_destroy. Signed-off-by: Thadeu Lima de Souza Cascardo Cc: Kay Sievers Cc: Peter Osterlund Cc: Al Viro Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b31aa5cccb9b5850135c07d8a0cb22984a5fe0f2 Author: Richard Röjfors Date: Tue Feb 2 13:44:12 2010 -0800 uartlite: fix crash when using as console commit 03eac7bb882a75e6ee5705288f7ec36ad2e7d0d5 upstream. Move the ulite_console_setup to the .devinit section since it might be called on probe, which is in devinit. Fixes the crash below where the uartlite hw is probed after the .init section is freed from the kernel. uartlite: ttyUL0 at MMIO 0xc8000100 (irq = 30) is a uartlite BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] ulite_console_setup+0x6f/0xa8 *pdpt = 0000000036fb0001 *pde = 0000000000000000 Oops: 0000 [#1] PREEMPT SMP last sysfs file: /sys/devices/pci0000:00/0000:00:1f.1/host0/uevent Modules linked in: puffin(+) serio_raw Pid: 151, comm: modprobe Not tainted (2.6.31.5-1.0.b1-b1 #1) POULSBO EIP: 0060:[] EFLAGS: 00010246 CPU: 0 EIP is at ulite_console_setup+0x6f/0xa8 EAX: c16ec824 EBX: c16ec824 ECX: c176719f EDX: 00000000 ESI: 00000000 EDI: c17b42c4 EBP: f6fd1cf0 ESP: f6fd1cd8 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process modprobe (pid: 151, ti=f6fd0000 task=f6fa1020 task.ti=f6fd0000) Stack: c1031f51 00000000 00000000 00000246 c182237c f7742000 f6fd1d5c c11fd316 <0> c16ec85c f77420d4 0000001e 00000000 00000000 c1633e78 4f494d4d 63783020 <0> 30303038 00303031 f6fd1d3c c10e0786 f6fd1d48 00000000 f6fd1d48 00000000 Call Trace: [] ? register_console+0xf6/0x1fc [] ? uart_add_one_port+0x237/0x2bb [] ? sysfs_add_one+0x13/0xd3 [] ? sysfs_do_create_link+0xba/0xfc [] ? ulite_probe+0x198/0x1eb [] ? platform_drv_probe+0xc/0xe [] ? driver_probe_device+0x79/0x105 [] ? __device_attach+0x28/0x30 [] ? bus_for_each_drv+0x3d/0x67 [] ? device_attach+0x44/0x58 [] ? __device_attach+0x0/0x30 [] ? bus_probe_device+0x1f/0x34 [] ? device_add+0x385/0x4c0 [] ? _write_unlock+0x8/0x1f [] ? platform_device_add+0xd9/0x11c [] ? mfd_add_devices+0x165/0x1bc [] ? puffin_probe+0x2d0/0x390 [puffin] [] ? pci_match_device+0xa0/0xa7 [] ? local_pci_probe+0xe/0x10 [] ? pci_device_probe+0x43/0x66 [] ? driver_probe_device+0x79/0x105 [] ? __driver_attach+0x43/0x5f [] ? bus_for_each_dev+0x3d/0x67 [] ? driver_attach+0x14/0x16 [] ? __driver_attach+0x0/0x5f [] ? bus_add_driver+0xf9/0x220 [] ? driver_register+0x8b/0xeb [] ? __pci_register_driver+0x43/0x9f [] ? __blocking_notifier_call_chain+0x40/0x4c [] ? puffin_init+0x0/0x48 [puffin] [] ? puffin_init+0x17/0x48 [puffin] [] ? do_one_initcall+0x4c/0x131 [] ? sys_init_module+0xa7/0x1b7 [] ? syscall_call+0x7/0xb Code: 6e 74 00 00 00 92 33 00 00 18 00 0e 01 73 79 6e 63 65 2d 72 65 67 69 73 74 72 79 0c 00 49 32 00 00 14 00 09 01 61 6c 73 61 2d 69 <6e> 66 6f 00 00 00 42 37 00 00 10 00 07 01 6b 69 6c 6c 61 6c 6c EIP: [] ulite_console_setup+0x6f/0xa8 SS:ESP 0068:f6fd1cd8 CR2: 0000000000000000 Signed-off-by: Richard Röjfors Acked-by: Peter Korsgaard Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e06fbe9a4092960a1db1fa973c9ec13a3ddce3f9 Author: Julia Lawall Date: Wed Feb 3 09:31:36 2010 +1100 kernel/cred.c: use kmem_cache_free commit b8a1d37c5f981cdd2e83c9fd98198832324cd57a upstream. Free memory allocated using kmem_cache_zalloc using kmem_cache_free rather than kfree. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // @@ expression x,E,c; @@ x = \(kmem_cache_alloc\|kmem_cache_zalloc\|kmem_cache_alloc_node\)(c,...) ... when != x = E when != &x ?-kfree(x) +kmem_cache_free(c,x) // Signed-off-by: Julia Lawall Acked-by: David Howells Cc: James Morris Cc: Steve Dickson Signed-off-by: Andrew Morton Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 35cfb03de1dcd87f405db30a9da65bd63bfa59fe Author: Ben Hutchings Date: Tue Jan 26 18:27:09 2010 +0000 starfire: clean up properly if firmware loading fails commit c928febf4bc703ea542340e5a208e0445d998839 upstream. netdev_open() will return without cleaning up net device or hardware state if firmware loading fails. This results in a BUG() on a second attempt to bring the interface up, reported in , and probably has even worse effects if the driver is removed afterwards. Call netdev_close() to clean up on failure. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=15091 Signed-off-by: Ben Hutchings Reported-by: Michael Moffatt Tested-by: Michael Moffatt Cc: "David S. Miller" Signed-off-by: Andrew Morton Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 906f68dd91cc512036909a10350d479dfc56d378 Author: Alberto Panizzo Date: Tue Feb 2 13:43:59 2010 -0800 mx3fb: some debug and initialisation fixes commit b3cb53721890879d7bde31f5f9eefd4edf41ab64 upstream. Fix the kernel oops when dev_dbg is called with mx3_fbi->txd == NULL Fix the late initialisation of mx3fb->backlight_level. If not, in the chain of function started by init_fb_chan(), in __blank() call sdc_set_brightness(mx3fb, mx3fb->backlight_level) that will shut down the CONTRAST PWM output. Signed-off-by: Alberto Panizzo Acked-by: Guennadi Liakhovetski Cc: Sascha Hauer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 682efb8384326571bb180214a5d4661cc6befa41 Author: Uwe Kleine-König Date: Tue Feb 2 13:44:10 2010 -0800 imxfb: correct location of callbacks in suspend and resume commit 1ec562035ba64e724652cb12b8a770b3906e9bf5 upstream. The probe function passes a pointer to a struct fb_info to platform_set_drvdata(), so don't interpret the return value of platform_get_drvdata() as a pointer to struct imxfb_info. The original imxfb_info *fbi backlight_power was NULL but in imxfb_suspend it was 4 resulting in an oops as imxfb_suspend calls imxfb_disable_controller(fbi) which in turn has if (fbi->backlight_power) fbi->backlight_power(0); Signed-off-by: Uwe Kleine-König Acked-by: Sascha Hauer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b260729c8a49452ae9491e3cb94750687f221d2b Author: Zhu Yi Date: Tue Jan 26 15:58:57 2010 +0800 mac80211: fix NULL pointer dereference when ftrace is enabled commit 3092ad054406f069991ca561adc74f2d9fbb6867 upstream. I got below kernel oops when I try to bring down the network interface if ftrace is enabled. The root cause is drv_ampdu_action() is passed with a NULL ssn pointer in the BA session tear down case. We need to check and avoid dereferencing it in trace entry assignment. BUG: unable to handle kernel NULL pointer dereference Modules linked in: at (null) IP: [] ftrace_raw_event_drv_ampdu_action+0x10a/0x160 [mac80211] *pde = 00000000 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [...] Call Trace: [] ? ftrace_raw_event_drv_ampdu_action+0x0/0x160 [mac80211] [] ? __ieee80211_stop_rx_ba_session+0xfc/0x220 [mac80211] [] ? ieee80211_sta_tear_down_BA_sessions+0x3b/0x50 [mac80211] [] ? ieee80211_set_disassoc+0xe6/0x230 [mac80211] [] ? ieee80211_set_disassoc+0x9c/0x230 [mac80211] [] ? ieee80211_mgd_deauth+0x158/0x170 [mac80211] [] ? ieee80211_deauth+0x1b/0x20 [mac80211] [] ? __cfg80211_mlme_deauth+0xe9/0x120 [cfg80211] [] ? __cfg80211_disconnect+0x170/0x1d0 [cfg80211] Cc: Johannes Berg Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3a9353f232812dc9057cbee39c618f400a8c5f60 Author: anfei zhou Date: Tue Feb 2 13:44:02 2010 -0800 mm: flush dcache before writing into page to avoid alias commit 931e80e4b3263db75c8e34f078d22f11bbabd3a3 upstream. The cache alias problem will happen if the changes of user shared mapping is not flushed before copying, then user and kernel mapping may be mapped into two different cache line, it is impossible to guarantee the coherence after iov_iter_copy_from_user_atomic. So the right steps should be: flush_dcache_page(page); kmap_atomic(page); write to page; kunmap_atomic(page); flush_dcache_page(page); More precisely, we might create two new APIs flush_dcache_user_page and flush_dcache_kern_page to replace the two flush_dcache_page accordingly. Here is a snippet tested on omap2430 with VIPT cache, and I think it is not ARM-specific: int val = 0x11111111; fd = open("abc", O_RDWR); addr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); *(addr+0) = 0x44444444; tmp = *(addr+0); *(addr+1) = 0x77777777; write(fd, &val, sizeof(int)); close(fd); The results are not always 0x11111111 0x77777777 at the beginning as expected. Sometimes we see 0x44444444 0x77777777. Signed-off-by: Anfei Cc: Russell King Cc: Miklos Szeredi Cc: Nick Piggin Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 78da404b13afa162e9da0384f553db5f19bc94b0 Author: David S. Miller Date: Thu Jan 28 21:36:21 2010 -0800 be2net: Fix memset() arg ordering. commit d291b9af1a1a12f59a464494900c6e0db26e2ec3 upstream. Noticed by Ben Hutchings. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e38d76ea394dd90a78c002e8298d47390b858334 Author: Ajit Khaparde Date: Wed Jan 27 21:56:44 2010 +0000 be2net: Bug fix to support newer generation of BE ASIC commit 7b139c83c590d4965259aad8889cbb08104b2891 upstream. Bug fix in be2net for newer generation of BladeEngine ASIC. Signed-off-by: Ajit Khaparde Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 43d7ff26361d05f9f97a92726bd2acc9652ce65c Author: Evgeniy Polyakov Date: Tue Feb 2 15:58:48 2010 -0800 connector: Delete buggy notification code. commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream. On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh@suse.de) wrote: > > There are at least two ways to fix it: using a big cannon and a small > > one. The former way is to disable notification registration, since it is > > not used by anyone at all. Second way is to check whether calling > > process is root and its destination group is -1 (kind of priveledged > > one) before command is dispatched to workqueue. > > Well if no one is using it, removing it makes the most sense, right? > > No objection from me, care to make up a patch either way for this? Getting it is not used, let's drop support for notifications about (un)registered events from connector. Another option was to check credentials on receiving, but we can always restore it without bugs if needed, but genetlink has a wider code base and none complained, that userspace can not get notification when some other clients were (un)registered. Kudos for Sebastian Krahmer , who found a bug in the code. Signed-off-by: Evgeniy Polyakov Acked-by: Greg Kroah-Hartman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f06f00e00cbf497623fda3c1c317f28cf5d9a770 Author: Magnus Damm Date: Wed Jan 27 07:41:19 2010 +0000 usb: r8a66597-hdc disable interrupts fix commit e5ff15bec96ba18698dae5de0bbf7e6a0653ca65 upstream. This patch improves disable_controller() in the r8a66597-hdc driver to disable all interrupts and clear status flags. It also makes sure that disable_controller() is called during probe(). This fixes the relatively rare case of unexpected pending interrupts after kexec reboot. Signed-off-by: Magnus Damm Acked-by: Yoshihiro Shimoda Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit 0ae2b7de3957a477ec0f332c4da5633499b4d3aa Author: Chuck Ebbert Date: Sat Jan 30 20:28:19 2010 +0100 block: fix bugs in bio-integrity mempool usage commit 9e9432c267e4047db98b9d4fba95099c6effcef9 upstream. Fix two bugs in the bio integrity code: use_bip_pool() always returns 0 because it checks against the wrong limit, causing the mempool to be used only when regular allocation fails. When the mempool is used as a fallback we don't free the data properly. Signed-Off-By: Chuck Ebbert Acked-by: Martin K. Petersen Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 964814800330216ded04e5a9a21f95d7998dfd62 Author: Herbert Xu Date: Mon Feb 1 21:48:28 2010 +1100 random: Remove unused inode variable commit cd1510cb5f892907fe1a662f90b41fb3a42954e0 upstream. The previous changeset left behind an unused inode variable. This patch removes it. Reported-by: Stephen Rothwell Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 8857a1abeb4572aa5237d0461165e983e01da707 Author: Matt Mackall Date: Fri Jan 29 21:50:36 2010 +1300 random: drop weird m_time/a_time manipulation commit a996996dd75a9086b12d1cb4010f26e1748993f0 upstream. No other driver does anything remotely like this that I know of except for the tty drivers, and I can't see any reason for random/urandom to do it. In fact, it's a (trivial, harmless) timing information leak. And obviously, it generates power- and flash-cycle wasting I/O, especially if combined with something like hwrngd. Also, it breaks ubifs's expectations. Signed-off-by: Matt Mackall Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 94af44b66b66bf9c848f11dc12fcd1558e55f995 Author: Linus Torvalds Date: Tue Feb 2 12:37:44 2010 -0800 Fix 'flush_old_exec()/setup_new_exec()' split commit 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d upstream. Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split the function at the point of no return - ie right where there were no more error cases to check. That made sense from a technical standpoint, but when we then also combined it with the actual personality setting going in between flush_old_exec() and setup_new_exec(), it needs to be a bit more careful. In particular, we need to make sure that we really flush the old personality bits in the 'flush' stage, rather than later in the 'setup' stage, since otherwise we might be flushing the _new_ personality state that we're just setting up. So this moves the flags and personality flushing (and 'flush_thread()', which is the arch-specific function that generally resets lazy FP state etc) of the old process into flush_old_exec(), so that it doesn't affect any state that execve() is setting up for the new process environment. This was reported by Michal Simek as breaking his Microblaze qemu environment. Reported-and-tested-by: Michal Simek Cc: Peter Anvin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cb723ba5d03bf719dbc7409b4d67572d4472ef8b Author: Dmitry Monakhov Date: Wed Jan 27 22:44:36 2010 +0300 block: fix bio_add_page for non trivial merge_bvec_fn case commit 1d6165851cd8e3f919d446cd6da35dee44e8837e upstream. We have to properly decrease bi_size in order to merge_bvec_fn return right result. Otherwise this result in false merge rejects for two absolutely valid bio_vecs. This may cause significant performance penalty for example fs_block_size == 1k and block device is raid0 with small chunk_size = 8k. Then it is impossible to merge 7-th fs-block in to bio which already has 6 fs-blocks. Signed-off-by: Dmitry Monakhov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e52299d0b100ab8d92fe6e980b4d7ee24dd1398c Author: Nick Piggin Date: Mon Feb 1 22:25:57 2010 +1100 mm: purge fragmented percpu vmap blocks commit 02b709df817c0db174f249cc59e5f7fd01b64d92 upstream. Improve handling of fragmented per-CPU vmaps. We previously don't free up per-CPU maps until all its addresses have been used and freed. So fragmented blocks could fill up vmalloc space even if they actually had no active vmap regions within them. Add some logic to allow all CPUs to have these blocks purged in the case of failure to allocate a new vm area, and also put some logic to trim such blocks of a current CPU if we hit them in the allocation path (so as to avoid a large build up of them). Christoph reported some vmap allocation failures when using the per CPU vmap APIs in XFS, which cannot be reproduced after this patch and the previous bug fix. Cc: linux-mm@kvack.org Tested-by: Christoph Hellwig Signed-off-by: Nick Piggin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 56d4b77f0492eb137fd950e48a7b2364f380d33d Author: Nick Piggin Date: Mon Feb 1 22:24:18 2010 +1100 mm: percpu-vmap fix RCU list walking commit de5604231ce4bc8db1bc1dcd27d8540cbedf1518 upstream. RCU list walking of the per-cpu vmap cache was broken. It did not use RCU primitives, and also the union of free_list and rcu_head is obviously wrong (because free_list is indeed the list we are RCU walking). While we are there, remove a couple of unused fields from an earlier iteration. These APIs aren't actually used anywhere, because of problems with the XFS conversion. Christoph has now verified that the problems are solved with these patches. Also it is an exported interface, so I think it will be good to be merged now (and Christoph wants to get the XFS changes into their local tree). Cc: linux-mm@kvack.org Tested-by: Christoph Hellwig Signed-off-by: Nick Piggin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dce6a09aaf62aff73b8123e9bb8ad2247b355848 Author: Tejun Heo Date: Mon Jan 11 11:14:44 2010 +0900 libata: retry link resume if necessary commit 5040ab67a2c6d5710ba497dc52a8f7035729d7b0 upstream. Interestingly, when SIDPR is used in ata_piix, writes to DET in SControl sometimes get ignored leading to detection failure. Update sata_link_resume() such that it reads back SControl after clearing DET and retry if it's not clear. Signed-off-by: Tejun Heo Reported-by: fengxiangjun Reported-by: Jim Faulkner Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 42f7e233e4afae9d327f24c73379920adc905f95 Author: Suravee Suthikulpanit Date: Mon Jan 18 11:25:36 2010 -0600 oprofile/x86: fix crash when profiling more than 28 events commit d8cc108f4fab42b380c6b3f3356f99e8dd5372e2 upstream. With multiplexing enabled oprofile crashs when profiling more than 28 events. This patch fixes this. Signed-off-by: Suravee Suthikulpanit Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 9c66557324ea4879abe8c9dde769a0061c81e1ac Author: Andi Kleen Date: Thu Jan 21 23:26:27 2010 +0100 oprofile/x86: add Xeon 7500 series support commit e83e452b0692c9c13372540deb88a77d4ae2553d upstream. Add Xeon 7500 series support to oprofile. Straight forward: it's the same as Core i7, so just detect the model number. No user space changes needed. Signed-off-by: Andi Kleen Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 4f7d6662c57dbaa6be09cc0bad2c01d005638a4d Author: Glauber Costa Date: Mon Feb 1 16:54:05 2010 -0200 KVM: allow userspace to adjust kvmclock offset (cherry picked from afbcf7ab8d1bc8c2d04792f6d9e786e0adeb328d) When we migrate a kvm guest that uses pvclock between two hosts, we may suffer a large skew. This is because there can be significant differences between the monotonic clock of the hosts involved. When a new host with a much larger monotonic time starts running the guest, the view of time will be significantly impacted. Situation is much worse when we do the opposite, and migrate to a host with a smaller monotonic clock. This proposed ioctl will allow userspace to inform us what is the monotonic clock value in the source host, so we can keep the time skew short, and more importantly, never goes backwards. Userspace may also need to trigger the current data, since from the first migration onwards, it won't be reflected by a simple call to clock_gettime() anymore. [marcelo: future-proof abi with a flags field] [jan: fix KVM_GET_CLOCK by clearing flags field instead of checking it] Signed-off-by: Glauber Costa Signed-off-by: Marcelo Tosatti Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit a74e62c2ef1fda92ad697556261b0e00fee5d581 Author: Jarek Poplawski Date: Sat Jan 16 01:04:04 2010 -0800 ax25: netrom: rose: Fix timer oopses [ Upstream commit d00c362f1b0ff54161e0a42b4554ac621a9ef92d ] Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can cause timer oopses (first reported with 2.6.29.6 kernel). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905 Reported-by: Bernard Pidoux Tested-by: Bernard Pidoux Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3125258f78ae4930916d8c569a10dfd621db77ba Author: Jarek Poplawski Date: Sun Jan 10 22:04:19 2010 +0000 af_packet: Don't use skb after dev_queue_xmit() [ Upstream commit eb70df13ee52dbc0f2c0ffd8ed34a8cd27440baf ] tpacket_snd() can change and kfree an skb after dev_queue_xmit(), which is illegal. With debugging by: Stephen Hemminger Reported-by: Michael Breuer With help from: David S. Miller Signed-off-by: Jarek Poplawski Tested-by: Michael Breuer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ecb7287c5f53747767efa0f0e844da69a6ec3a51 Author: Jamal Hadi Salim Date: Fri Dec 25 17:30:22 2009 -0800 net: restore ip source validation [ Upstream commit 28f6aeea3f12d37bd258b2c0d5ba891bff4ec479 ] when using policy routing and the skb mark: there are cases where a back path validation requires us to use a different routing table for src ip validation than the one used for mapping ingress dst ip. One such a case is transparent proxying where we pretend to be the destination system and therefore the local table is used for incoming packets but possibly a main table would be used on outbound. Make the default behavior to allow the above and if users need to turn on the symmetry via sysctl src_valid_mark Signed-off-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 16813330e739634925b347804d1e6a99b71c6399 Author: Jarek Poplawski Date: Mon Jan 4 08:48:41 2010 +0000 sky2: Fix oops in sky2_xmit_frame() after TX timeout [ Upstream commit 9db2f1bec36805e57a003f7bb90e003815d96de8 ] During TX timeout procedure dev could be awoken too early, e.g. by sky2_complete_tx() called from sky2_down(). Then sky2_xmit_frame() can run while buffers are freed causing an oops. This patch fixes it by adding netif_device_present() test in sky2_tx_complete(). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14925 With debugging by: Mike McCormack Reported-by: Berck E. Nash Tested-by: Berck E. Nash Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 16b8efad28d99afaf50b2a2116bf8edf605a0912 Author: Octavian Purdila Date: Fri Jan 8 00:00:09 2010 -0800 tcp: update the netstamp_needed counter when cloning sockets [ Upstream commit 704da560c0a0120d8869187f511491a00951a1d3 ] This fixes a netstamp_needed accounting issue when the listen socket has SO_TIMESTAMP set: s = socket(AF_INET, SOCK_STREAM, 0); setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, 1); -> netstamp_needed = 1 bind(s, ...); listen(s, ...); s2 = accept(s, ...); -> netstamp_needed = 1 close(s2); -> netstamp_needed = 0 close(s); -> netstamp_needed = -1 Signed-off-by: Octavian Purdila Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 359e2f2722ef7b5d5b3d1472409a5daf8a6954d5 Author: Aaro Koskinen Date: Mon Feb 1 18:24:58 2010 +0200 clocksource: fix compilation if no GENERIC_TIME commit a362c638bdf052bf424bce7645d39b101090f6ba upstream Commit a9238ce3bb0fda6e760780b702c6cbd3793087d3 broke compilation on platforms that do not implement GENERIC_TIME (e.g. iop32x): kernel/time/clocksource.c: In function 'clocksource_register': kernel/time/clocksource.c:556: error: implicit declaration of function 'clocksource_max_deferment' Provide the implementation of clocksource_max_deferment() also for such platforms. Signed-off-by: Aaro Koskinen Cc: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 253f887cc8d719087f8de403cfe1a60b5e56b454 Author: Joerg Roedel Date: Fri Jan 22 16:40:20 2010 +0100 x86/amd-iommu: Fix possible integer overflow commit d91afd15b041f27d34859c79afa9e172018a86f4 upstream. The variable i in this function could be increased to over 2**32 which would result in an integer overflow when using int. Fix it by changing i to unsigned long. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit d1a31038aadf0fb13befb444e60d96f3618766d0 Author: David Härdeman Date: Thu Jan 28 21:02:54 2010 +0100 x86: Add quirk for Intel DG45FC board to avoid low memory corruption commit 7c099ce1575126395f186ecf58b51a60d5c3be7d upstream. Commit 6aa542a694dc9ea4344a8a590d2628c33d1b9431 added a quirk for the Intel DG45ID board due to low memory corruption. The Intel DG45FC shares the same BIOS (and the same bug) as noted in: http://bugzilla.kernel.org/show_bug.cgi?id=13736 Signed-off-by: David Härdeman LKML-Reference: <20100128200254.GA9134@hardeman.nu> Cc: Alexey Fisher Cc: ykzhao Cc: Tony Bones Cc: Ingo Molnar Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 81590709e68af85629f969a305abab5e39649ad2 Author: Leann Ogasawara Date: Wed Jan 27 15:29:18 2010 -0800 x86: Add Dell OptiPlex 760 reboot quirk commit 35ea63d70f827a26c150993b4b940925bb02b03f upstream. Dell OptiPlex 760 hangs on reboot unless reboot=bios is used. Add quirk to reboot through the BIOS. BugLink: https://bugs.launchpad.net/bugs/488319 Signed-off-by: Leann Ogasawara LKML-Reference: <1264634958.27335.1091.camel@emiko> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 00362b9adebdca260ae03717665a16f6948a6a4a Author: Mark Brown Date: Mon Jan 4 15:30:54 2010 +0000 regulator: Specify REGULATOR_CHANGE_STATUS for WM835x LED constraints commit a2fad9bf26a1d44a8d31a5c4528108a2b9f468ab upstream. The WM8350 LED driver needs to be able to enable and disable the regulators it is using. Previously the core wasn't properly enforcing status change constraints so the driver was able to function but this has always been intended to be required. Signed-off-by: Mark Brown Signed-off-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 6db6aced4d9eb83872d6b63dfd95e3c9d2de37c2 Author: Jiri Slaby Date: Fri Aug 28 10:47:16 2009 +0200 SECURITY: selinux, fix update_rlimit_cpu parameter commit 17740d89785aeb4143770923d67c293849414710 upstream. Don't pass current RLIMIT_RTTIME to update_rlimit_cpu() in selinux_bprm_committing_creds, since update_rlimit_cpu expects RLIMIT_CPU limit. Use proper rlim[RLIMIT_CPU].rlim_cur instead to fix that. Signed-off-by: Jiri Slaby Acked-by: James Morris Cc: Stephen Smalley Cc: Eric Paris Cc: David Howells Signed-off-by: Greg Kroah-Hartman commit 80569f607b59fb59d0e7d86ae6467fefcab8e89b Author: Stefan Richter Date: Fri Jan 29 21:25:46 2010 +0100 firewire: core: add_descriptor size check Backport of commit e300839da40e99581581c5d053a95a172651fec8 upstream. Presently, firewire-core only checks whether descriptors that are to be added by userspace drivers to the local node's config ROM do not exceed a size of 256 quadlets. However, the sum of the bare minimum ROM plus all descriptors (from firewire-core, from firewire-net, from userspace) must not exceed 256 quadlets. Otherwise, the bounds of a statically allocated buffer will be overwritten. If the kernel survives that, firewire-core will subsequently be unable to parse the local node's config ROM. (Note, userspace drivers can add descriptors only through device files of local nodes. These are usually only accessible by root, unlike device files of remote nodes which may be accessible to lesser privileged users.) Therefore add a test which takes the actual present and required ROM size into account for all descriptors of kernelspace and userspace drivers. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 612e99b2d1ba8839896c6ea78d4329782d4e16b8 Author: Jesse Barnes Date: Fri Dec 11 11:07:17 2009 -0800 drm/i915: only enable hotplug for detected outputs commit b01f2c3a4a37d09a47ad73ccbb46d554d21cfeb0 upstream. This patch changes around our hotplug enable code a bit to only enable it for ports we actually detect and initialize. This prevents problems with stuck or spurious interrupts on outputs that aren't actually wired up, and is generally more correct. Fixes FDO bug #23183. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 69bf9a60ba1577e437c36a260bb02e7e79ed7ccc Author: Wey-Yi Guy Date: Fri Oct 2 13:44:01 2009 -0700 iwlwifi: set default aggregation frame count limit to 31 commit 4d80d7210bb5a36a18978d1305b44375ecb857d9 upstream. Multiple MPDUs can be aggregated, transmitted, and finally acknowledged together using a single BA frame. Block ACK (BA) contains bitmap size of 64*16 bits so the maximum frame count is 64. The default value of aggregation frame count suggested by uCode is 31 to achieve best performance. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3492bbb3afd5fd9fa873015691004797371ec373 Author: Venkatesh Pallipadi Date: Fri Jan 29 11:27:31 2010 -0800 x86: Disable HPET MSI on ATI SB700/SB800 commit 73472a46b5b28116b145fb5fc05242c1aa8e1461 upstream HPET MSI on platforms with ATI SB700/SB800 as they seem to have some side-effects on floppy DMA. Do not use HPET MSI on such platforms. Original problem report from Mark Hounschell http://lkml.indiana.edu/hypermail/linux/kernel/0912.2/01118.html Tested-by: Mark Hounschell Signed-off-by: Venkatesh Pallipadi Cc: LKML-Reference: <20100121190952.GA32523@linux-os.sc.intel.com> Signed-off-by: H. Peter Anvin commit cf135e5571317539a44bf3022f4f2c14a64edaa1 Author: David Härdeman Date: Thu Jan 28 22:28:27 2010 -0800 Input: winbond-cir - remove dmesg spam commit 93fb84b50fe03aabca8d9dea5d3ba521a07e8571 upstream. I missed converting one dev_info call to deb_dbg before submitting the driver. Without this change, a message will be printed to dmesg for each button press if a RC6 remote is used. Signed-off-by: David Härdeman Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 5e806e1c71412081bdc0058c43595eb63d06a606 Author: H. Peter Anvin Date: Thu Jan 28 22:14:43 2010 -0800 x86: get rid of the insane TIF_ABI_PENDING bit commit 05d43ed8a89c159ff641d472f970e3f1baa66318 upstream. Now that the previous commit made it possible to do the personality setting at the point of no return, we do just that for ELF binaries. And suddenly all the reasons for that insane TIF_ABI_PENDING bit go away, and we can just make SET_PERSONALITY() just do the obvious thing for a 32-bit compat process. Everything becomes much more straightforward this way. Signed-off-by: H. Peter Anvin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c2e245dff59d14f94d2befddcbfa4c667ac23eb0 Author: David Miller Date: Thu Jan 28 21:42:02 2010 -0800 sparc: TIF_ABI_PENDING bit removal commit 94673e968cbcce07fa78dac4b0ae05d24b5816e1 upstream. Here are the sparc bits to remove TIF_ABI_PENDING now that set_personality() is called at the appropriate place in exec. Signed-off-by: David S. Miller Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 336ca4cc1f9d14edbb5d155b41aa301aaeb731c4 Author: Linus Torvalds Date: Thu Jan 28 22:14:42 2010 -0800 Split 'flush_old_exec' into two functions commit 221af7f87b97431e3ee21ce4b0e77d5411cf1549 upstream. 'flush_old_exec()' is the point of no return when doing an execve(), and it is pretty badly misnamed. It doesn't just flush the old executable environment, it also starts up the new one. Which is very inconvenient for things like setting up the new personality, because we want the new personality to affect the starting of the new environment, but at the same time we do _not_ want the new personality to take effect if flushing the old one fails. As a result, the x86-64 '32-bit' personality is actually done using this insane "I'm going to change the ABI, but I haven't done it yet" bit (TIF_ABI_PENDING), with SET_PERSONALITY() not actually setting the personality, but just the "pending" bit, so that "flush_thread()" can do the actual personality magic. This patch in no way changes any of that insanity, but it does split the 'flush_old_exec()' function up into a preparatory part that can fail (still called flush_old_exec()), and a new part that will actually set up the new exec environment (setup_new_exec()). All callers are changed to trivially comply with the new world order. Signed-off-by: H. Peter Anvin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 944a638b7bb07f3ef9a33af60e5ea8465b7adfd1 Author: Mike Frysinger Date: Wed Jan 6 17:23:17 2010 +0000 FDPIC: Respect PT_GNU_STACK exec protection markings when creating NOMMU stack commit 04e4f2b18c8de1389d1e00fef0f42a8099910daf upstream. The current code will load the stack size and protection markings, but then only use the markings in the MMU code path. The NOMMU code path always passes PROT_EXEC to the mmap() call. While this doesn't matter to most people whilst the code is running, it will cause a pointless icache flush when starting every FDPIC application. Typically this icache flush will be of a region on the order of 128KB in size, or may be the entire icache, depending on the facilities available on the CPU. In the case where the arch default behaviour seems to be desired (EXSTACK_DEFAULT), we probe VM_STACK_FLAGS for VM_EXEC to determine whether we should be setting PROT_EXEC or not. For arches that support an MPU (Memory Protection Unit - an MMU without the virtual mapping capability), setting PROT_EXEC or not will make an important difference. It should be noted that this change also affects the executability of the brk region, since ELF-FDPIC has that share with the stack. However, this is probably irrelevant as NOMMU programs aren't likely to use the brk region, preferring instead allocation via mmap(). Signed-off-by: Mike Frysinger Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0b3bf81197f05e1bf0ed93c5f2525030b127faaa Author: Hugh Dickins Date: Fri Jan 29 17:46:34 2010 +0000 mm: fix migratetype bug which slowed swapping commit a7016235a61d520e6806f38129001d935c4b6661 upstream. After memory pressure has forced it to dip into the reserves, 2.6.32's 5f8dcc21211a3d4e3a7a5ca366b469fb88117f61 "page-allocator: split per-cpu list into one-list-per-migrate-type" has been returning MIGRATE_RESERVE pages to the MIGRATE_MOVABLE free_list: in some sense depleting reserves. Fix that in the most straightforward way (which, considering the overheads of alternative approaches, is Mel's preference): the right migratetype is already in page_private(page), but free_pcppages_bulk() wasn't using it. How did this bug show up? As a 20% slowdown in my tmpfs loop kbuild swapping tests, on PowerMac G5 with SLUB allocator. Bisecting to that commit was easy, but explaining the magnitude of the slowdown not easy. The same effect appears, but much less markedly, with SLAB, and even less markedly on other machines (the PowerMac divides into fewer zones than x86, I think that may be a factor). We guess that lumpy reclaim of short-lived high-order pages is implicated in some way, and probably this bug has been tickling a poor decision somewhere in page reclaim. But instrumentation hasn't told me much, I've run out of time and imagination to determine exactly what's going on, and shouldn't hold up the fix any longer: it's valid, and might even fix other misbehaviours. Signed-off-by: Hugh Dickins Acked-by: Mel Gorman Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 629527c562c1cfae09776c8baeb9a8a273dc10e6 Author: Al Viro Date: Mon Jan 25 18:44:58 2010 -0500 Fix failure exit in ipathfs commit 12e9a45609054fb83d4a8b716a5265cc1a393e10 upstream. deactivate_locked_super() will be done by caller of fill_super, doing it there as well is b0rken. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 30d3844a878b9d6adb2aa76961042f0c73c7de6c Author: Al Viro Date: Sun Jan 24 00:06:22 2010 -0500 fix affs parse_options() commit 217686e98321a4ff4c1a6cc535e511e37c5d2dbf upstream. Error handling in that sucker got broken back in 2003. If function returns 0 on failure, it's not nice to add return -EINVAL into it. Adding return 1 on other failure exits is also not a good thing (and yes, original success exits with 1 and some of failure exits with 0 are still there; so's the original logics in callers). Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit d842c31e636e5dbc85c3c75d1b964a6ff6e4daeb Author: Al Viro Date: Sun Jan 24 00:04:07 2010 -0500 Fix remount races with symlink handling in affs commit 29333920a5a46edcc9b728e2cf0134d5a9b516ee upstream. A couple of fields in affs_sb_info is used in follow_link() and symlink() for handling AFFS "absolute" symlinks. Need locking against affs_remount() updates. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 36a0a4afb2e996f59651a845e5680d2f80cc6f23 Author: Al Viro Date: Mon Jan 25 06:05:54 2010 -0500 fix leak in romfs_fill_super() commit 7e32b7bb734047c5e3cecf2e896b9cf8fc35d1e8 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 26d2257801281a5bd2833d8f22cebead57a4b4c6 Author: Al Viro Date: Mon Jan 25 06:16:19 2010 -0500 fix oops in fs/9p late mount failure commit 083c73c253c23c20359a344dfe1198ea628e6259 upstream. if 9P ->get_sb() fails late (at root inode or root dentry allocation), we'll hit its ->kill_sb() with NULL ->s_root Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit deb20f1c49d390d3fcb62fa9789486f170054004 Author: Al Viro Date: Sun Jan 24 00:52:22 2010 -0500 Fix failure exits in bfs_fill_super() commit 5998649f779b7148a8a0c10c46cfa99e27d34dfe upstream. double iput(), leaks... Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 703c300c7415c0a2f25dbd7d2f8773a5abd84099 Author: Al Viro Date: Sat Jan 23 23:38:27 2010 -0500 Fix a leak in affs_fill_super() commit afc70ed05a07bfe171f7a5b8fdc80bdb073d314f upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 61d4374b51386dd40c03fd15df5a7f97347de688 Author: Zhenyu Wang Date: Thu Dec 17 16:12:56 2009 +0800 drm/i915: Reload hangcheck timer too for Ironlake commit c566ec49159b806db95a90fd8f37448376cd0ad2 upstream. Make sure hangcheck timer won't beat us unexpectedly on Ironlake. Signed-off-by: Zhenyu Wang Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit f0b4195748d200d4475e1ca976e7cabaf17e7c44 Author: Jesse Brandeburg Date: Fri Jan 22 22:56:16 2010 +0000 e1000/e1000e: don't use small hardware rx buffers commit 9926146b15fd96d78a4f7c32e7a26d50639369f4 upstream. When testing the "e1000: enhance frame fragment detection" (and e1000e) patches we found some bugs with reducing the MTU size. The 1024 byte descriptor used with the 1000 mtu test also (re) introduced the (originally) reported bug, and causes us to need the e1000_clean_tx_irq "enhance frame fragment detection" fix. So what has occured here is that 2.6.32 is only vulnerable for mtu < 1500 due to the jumbo specific routines in both e1000 and e1000e. So, 2.6.32 needs the 2kB buffer len fix for those smaller MTUs, but is not vulnerable to the original issue reported. It has been pointed out that this vulnerability needs to be patched in older kernels that don't have the e1000 jumbo routine. Without the jumbo routines, we need the "enhance frame fragment detection" fix the e1000, old e1000e is only vulnerable for < 1500 mtu, and needs a similar fix. We split the patches up to provide easy backport paths. There is only a slight bit of extra code when this fix and the original "enhance frame fragment detection" fixes are applied, so please apply both, even though it is a bit of overkill. Signed-off-by: Jesse Brandeburg Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b9ad9bb6350ddfb943e30ddd9ece9d349f7b374d Author: Jesse Brandeburg Date: Tue Jan 19 14:15:59 2010 +0000 e1000e: enhance frame fragment detection commit b94b50289622e816adc9f94111cfc2679c80177c upstream. Originally patched by Neil Horman e1000e could with a jumbo frame enabled interface, and packet split disabled, receive a packet that would overflow a single rx buffer. While in practice very hard to craft a packet that could abuse this, it is possible. this is related to CVE-2009-4538 Signed-off-by: Jesse Brandeburg CC: Neil Horman Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dff2267e0c21d0d478b29bc921e8ec4f0ea462e6 Author: Jesse Brandeburg Date: Tue Jan 19 14:15:38 2010 +0000 e1000: enhance frame fragment detection commit 40a14deaf411592b57cb0720f0e8004293ab9865 upstream. Originally From: Neil Horman Modified by: Jesse Brandeburg Hey all- A security discussion was recently given: http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html And a patch that I submitted awhile back was brought up. Apparently some of their testing revealed that they were able to force a buffer fragment in e1000 in which the trailing fragment was greater than 4 bytes. As a result the fragment check I introduced failed to detect the fragement and a partial invalid frame was passed up into the network stack. I've written this patch to correct it. I'm in the process of testing it now, but it makes good logical sense to me. Effectively it maintains a per-adapter state variable which detects a non-EOP frame, and discards it and subsequent non-EOP frames leading up to _and_ _including_ the next positive-EOP frame (as it is by definition the last fragment). This should prevent any and all partial frames from entering the network stack from e1000. Signed-off-by: Jesse Brandeburg Acked-by: Neil Horman Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfc7e54cd19cabdadf803be3d6a04d89f2663aa5 Author: Mika Westerberg Date: Tue Jan 26 17:47:05 2010 +0200 UBI: fix volume creation input checking commit c5ce5b46af76f52dea21f467397d24c4ae6cb3ff upstream. Do not use an unchecked variable UBI_IOCMKVOL ioctl. Signed-off-by: Mika Westerberg Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 3b4f785d6fd9df90b783e9a6ce9414884877593e Author: Zhao Yakui Date: Fri Jan 8 21:29:58 2010 +0800 ACPI: Advertise to BIOS in _OSC: _OST on _PPC changes commit 6a4e2b7503d1f630bface040cf0f5a7aac1fabdb upstream. If the BIOS pokes the system-wide OSC bits to see if Linux supports evaluating _OST after a _PPC change notification, answer yes. Also, fix an oversight where we neglected to set the OSC bit advertising processor aggregator device support when acpi-pad is compiled as a module. Signed-off-by: Zhao Yakui Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 0d48a1a716844bc72f0e105418261024c75ce494 Author: Shaohua Li Date: Wed Dec 23 17:04:11 2009 +0800 ACPI: fix OSC regression that caused aer and pciehp not to load commit 9dc130fccb874f2959ef313d7922d306dc6d4f75 upstream. Executing _OSC returns a buffer, which has an acpi object in it. Don't directly returns the buffer, instead, we return the acpi object's buffer. This fixes a regression since caller of acpi_run_osc expects an acpi object's buffer returned. Tested-by: Yinghai Lu Signed-off-by: Shaohua Li Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 1a52addab3426e94879ce3638cb9daf9058d48fd Author: Shaohua Li Date: Thu Oct 29 11:05:05 2009 +0800 ACPI: Add platform-wide _OSC support. commit 3563ff964fdc36358cef0330936fdac28e65142a upstream. Signed-off-by: Shaohua Li Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit e62a96c8317c306d81ba5c690bf8f1be10e6cad9 Author: Shaohua Li Date: Thu Oct 29 11:04:28 2009 +0800 ACPI: Add a generic API for _OSC -v2 commit 70023de88c58a81a730ab4d13c51a30e537ec76e upstream. v2->v1: .improve debug info as suggedted by Bjorn,Kenji .API is using uuid string as suggested by Alexey Add an API to execute _OSC. A lot of devices can have this method, so add a generic API. Signed-off-by: Shaohua Li Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 1e8896049716fd580718bb9431c2ad3bddd114d7 Author: Stefan Haberland Date: Wed Jan 27 10:12:35 2010 +0100 dasd: fix possible NULL pointer errors commit 294001a80c9810e2fe27aaaad7df8be12a103065 upstream. Fix possible NULL pointer in DASD messages and correct discipline checking. Signed-off-by: Stefan Haberland Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 083beff011df31d82abe859479ab6c33af5504f5 Author: Felix Beck Date: Wed Jan 27 10:12:39 2010 +0100 zcrypt: Do not remove coprocessor for error 8/72 commit 19b123ebacacdce5e75045bfe82122b01c821a5b upstream. In a case where the number of the input data is bigger than the modulus of the key, the coprocessor adapters will report an 8/72 error. This case is not caught yet, thus the adapter will be taken offline. To prevent this, we return an -EINVAL instead. Signed-off-by: Felix Beck Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 63693ee86b7ebdcf8f08a40158782b6751bda3fc Author: Tejun Heo Date: Thu Jan 14 16:18:09 2010 +0900 libata: retry FS IOs even if it has failed with AC_ERR_INVALID commit 534ead709235b967b659947c55d9130873a432c4 upstream. libata currently doesn't retry if a command fails with AC_ERR_INVALID assuming that retrying won't get it any further even if retried. However, a failure may be classified as invalid through hardware glitch (incorrect reading of the error register or firmware bug) and there isn't whole lot to gain by not retrying as actually invalid commands will be failed immediately. Also, commands serving FS IOs are extremely unlikely to be invalid. Retry FS IOs even if it's marked invalid. Transient and incorrect invalid failure was seen while debugging firmware related issue on Samsung n130 on bko#14314. http://bugzilla.kernel.org/show_bug.cgi?id=14314 Signed-off-by: Tejun Heo Reported-by: Johannes Stezenbach Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 8c2cd3f39601fee6837727cb85c36dd19a083e0f Author: H. Peter Anvin Date: Sat Jan 23 18:27:47 2010 -0800 x86: Remove "x86 CPU features in debugfs" (CONFIG_X86_CPU_DEBUG) commit b160091802d4a76dd063facb09fcf10bf5d5d747 upstream. CONFIG_X86_CPU_DEBUG, which provides some parsed versions of the x86 CPU configuration via debugfs, has caused boot failures on real hardware. The value of this feature has been marginal at best, as all this information is already available to userspace via generic interfaces. Causes crashes that have not been fixed + minimal utility -> remove. See the referenced LKML thread for more information. Reported-by: Ozan Çağlayan Signed-off-by: H. Peter Anvin LKML-Reference: Cc: Jaswinder Singh Rajput Cc: Linus Torvalds Cc: Rafael J. Wysocki Cc: Yinghai Lu Signed-off-by: Greg Kroah-Hartman commit b5b39c3961de96c8c82e2642f2174b3c41cb4327 Author: David Rientjes Date: Wed Jan 20 12:10:47 2010 -0800 x86: Set hotpluggable nodes in nodes_possible_map commit 3a5fc0e40cb467e692737bc798bc99773c81e1e2 upstream. nodes_possible_map does not currently include nodes that have SRAT entries that are all ACPI_SRAT_MEM_HOT_PLUGGABLE since the bit is cleared in nodes_parsed if it does not have an online address range. Unequivocally setting the bit in nodes_parsed is insufficient since existing code, such as acpi_get_nodes(), assumes all nodes in the map have online address ranges. In fact, all code using nodes_parsed assumes such nodes represent an address range of online memory. nodes_possible_map is created by unioning nodes_parsed and cpu_nodes_parsed; the former represents nodes with online memory and the latter represents memoryless nodes. We now set the bit for hotpluggable nodes in cpu_nodes_parsed so that it also gets set in nodes_possible_map. [ hpa: Haicheng Li points out that this makes the naming of the variable cpu_nodes_parsed somewhat counterintuitive. However, leave it as is in the interest of keeping the pure bug fix patch small. ] Signed-off-by: David Rientjes Tested-by: Haicheng Li LKML-Reference: Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 76e789c066a7d65c180e916c0d74227fbe3e0b05 Author: Martin Schwidefsky Date: Wed Jan 27 10:12:40 2010 +0100 S390: fix single stepped svcs with TRACE_IRQFLAGS=y commit 21ec7f6dbf10492ce9a21718040677d3e68bd57d upstream. If irq flags tracing is enabled the TRACE_IRQS_ON macros expands to a function call which clobbers registers %r0-%r5. The macro is used in the code path for single stepped system calls. The argument registers %r2-%r6 need to be restored from the stack before the system call function is called. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 16a2ae6eb112b506ca1e464d848e684f6f90dadc Author: Stefan Richter Date: Tue Jan 26 21:39:07 2010 +0100 firewire: ohci: fix crashes with TSB43AB23 on 64bit systems commit 7a481436787cbc932af6c407b317ac603969a242 upstream. Unsurprisingly, Texas Instruments TSB43AB23 exhibits the same behaviour as TSB43AB22/A in dual buffer IR DMA mode: If descriptors are located at physical addresses above the 31 bit address range (2 GB), the controller will overwrite random memory. With luck, this merely prevents video reception. With only a little less luck, the machine crashes. We use the same workaround here as with TSB43AB22/A: Switch off the dual buffer capability flag and use packet-per-buffer IR DMA instead. Another possible workaround would be to limit the coherent DMA mask to 31 bits. In Linux 2.6.33, this change serves effectively only as documentation since dual buffer mode is not used for any controller anymore. But somebody might want to re-enable it in the future to make use of features of dual buffer DMA that are not available in packet-per-buffer mode. In Linux 2.6.32 and older, this update is vital for anyone with this controller, more than 2 GB RAM, a 64 bit kernel, and FireWire video or audio applications. We have at least four reports: http://bugzilla.kernel.org/show_bug.cgi?id=13808 http://marc.info/?l=linux1394-user&m=126154279004083 https://bugzilla.redhat.com/show_bug.cgi?id=552142 http://marc.info/?l=linux1394-user&m=126432246128386 Reported-by: Paul Johnson Reported-by: Ronneil Camara Reported-by: G Zornetzer Reported-by: Mark Thompson Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit d8e0902806c0bd2ccc4f6a267ff52565a3ec933b Author: Chris Wilson Date: Wed Jan 27 13:36:32 2010 +0000 drm/i915: Selectively enable self-reclaim commit 4bdadb9785696439c6e2b3efe34aa76df1149c83 upstream. Having missed the ENOMEM return via i915_gem_fault(), there are probably other paths that I also missed. By not enabling NORETRY by default these paths can run the shrinker and take memory from the system (but not from our own inactive lists because our shrinker can not run whilst we hold the struct mutex) and this may allow the system to survive a little longer whilst our drivers consume all available memory. References: OOM killer unexpectedly called with kernel 2.6.32 http://bugzilla.kernel.org/show_bug.cgi?id=14933 v2: Pass gfp into page mapping. v3: Use new read_cache_page_gfp() instead of open-coding. Signed-off-by: Chris Wilson Cc: KOSAKI Motohiro Cc: Hugh Dickins Cc: Jesse Barnes Cc: Eric Anholt Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8268c0bce9f4df836265ac5c7982ff8f8808f199 Author: Linus Torvalds Date: Wed Jan 27 09:20:03 2010 -0800 mm: add new 'read_cache_page_gfp()' helper function commit 0531b2aac59c2296570ac52bfc032ef2ace7d5e1 upstream. It's a simplified 'read_cache_page()' which takes a page allocation flag, so that different paths can control how aggressive the memory allocations are that populate a address space. In particular, the intel GPU object mapping code wants to be able to do a certain amount of own internal memory management by automatically shrinking the address space when memory starts getting tight. This allows it to dynamically use different memory allocation policies on a per-allocation basis, rather than depend on the (static) address space gfp policy. The actual new function is a one-liner, but re-organizing the helper functions to the point where you can do this with a single line of code is what most of the patch is all about. Tested-by: Chris Wilson Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b7a9d922a59d221ec2cfd15fb2fc317f2c742bdc Author: Anatolij Gustschin Date: Sat Dec 12 14:52:21 2009 +0100 mptsas: Fix issue with chain pools allocation on katmai commit f1053a7ca9ce095d95bcc1cf41684c5e4f3e7751 upstream. Since commit 9d2e9d66a3f032667934144cd61c396ba49f090d mptsas driver fails to allocate memory for the MPT chain buffers for second LSI adapter on PPC440SPe Katmai platform: ... ioc1: LSISAS1068E B3: Capabilities={Initiator} mptbase: ioc1: ERROR - Unable to allocate Reply, Request, Chain Buffers! mptbase: ioc1: ERROR - didn't initialize properly! (-3) mptsas: probe of 0002:31:00.0 failed with error -3 This commit increased MPT_FC_CAN_QUEUE value but initChainBuffers() doesn't differentiate between SAS and FC causing increased allocation for SAS case, too. Later pci_alloc_consistent() fails to allocate increased chain buffer pool size for SAS case. Provide a fix by looking at the bus type and using appropriate MPT_SAS_CAN_QUEUE value while calculation of the number of chain buffers. Signed-off-by: Anatolij Gustschin Acked-by: Kashyap Desai Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e15fca01ba2678b5db6c29b79d142d73272cfb7b Author: Boaz Harrosh Date: Tue Dec 15 17:25:43 2009 +0200 scsi_lib: Fix bug in completion of bidi commands commit 63c43b0ec1765b74c734d465ba6345ef4f434df8 upstream. Because of the terrible structuring of scsi-bidi-commands it breaks some of the life time rules of a scsi-command. It is now not allowed to free up the block-request before cleanup and partial deallocation of the scsi-command. (Which is not so for none bidi commands) The right fix to this problem would be to make bidi command a first citizen by allocating a scsi_sdb pointer at scsi command just like cmd->prot_sdb. The bidi sdb should be allocated/deallocated as part of the get/put_command (Again like the prot_sdb) and the current decoupling of scsi_cmnd and blk-request should be kept. For now make sure scsi_release_buffers() is called before the call to blk_end_request_all() which might cause the suicide of the block requests. At best the leak of bidi buffers, at worse a crash, as there is a race between the existence of the bidi_request and the free of the associated bidi_sdb. The reason this was never hit before is because only OSD has the potential of doing asynchronous bidi commands. (So does bsg but it is never used) And OSD clients just happen to do all their bidi commands synchronously, up until recently. Signed-off-by: Boaz Harrosh Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman