commit 7f5e918e62cbc9ac27c2f47d3c3dd4b86f67ff0e Author: Greg Kroah-Hartman Date: Tue Feb 23 07:38:51 2010 -0800 Linux 2.6.32.9 commit c7f14122d1c633d5d6d9c999235d7f6778510b26 Author: Jonathan Brassow Date: Tue Feb 16 18:42:53 2010 +0000 dm log: userspace fix overhead_size calcuations commit ebfd32bba9b518d684009d9d21a56742337ca1b3 upstream. This patch fixes two bugs that revolve around the miscalculation and misuse of the variable 'overhead_size'. 'overhead_size' is the size of the various header structures used during communication. The first bug is the use of 'sizeof' with the pointer of a structure instead of the structure itself - resulting in the wrong size being computed. This is then used in a check to see if the payload (data_size) would be to large for the preallocated structure. Since the bug produces a smaller value for the overhead, it was possible for the structure to be breached. (Although the current users of the code do not currently send enough data to trigger this bug.) The second bug is that the 'overhead_size' value is used to compute how much of the preallocated space should be cleared before populating it with fresh data. This should have simply been 'sizeof(struct cn_msg)' not overhead_size. The fact that 'overhead_size' was computed incorrectly made this problem "less bad" - leaving only a pointer's worth of space at the end uncleared. Thus, this bug was never producing a bad result, but still needs to be fixed - especially now that the value is computed correctly. Signed-off-by: Jonathan Brassow Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 7607864c43f7d2559153179fabd9dc8ade6b70a0 Author: Nikanth Karthikesan Date: Tue Feb 16 18:42:47 2010 +0000 dm stripe: avoid divide by zero with invalid stripe count commit 781248c1b50c776a9ef4be1130f84ced1cba42fe upstream. If a table containing zero as stripe count is passed into stripe_ctr the code attempts to divide by zero. This patch changes DM_TABLE_LOAD to return -EINVAL if the stripe count is zero. We now get the following error messages: device-mapper: table: 253:0: striped: Invalid stripe count device-mapper: ioctl: error adding target to table Signed-off-by: Nikanth Karthikesan Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 98d7938431c181dea6a03f5f89b550f081ad6220 Author: Wey-Yi Guy Date: Fri Feb 5 11:40:00 2010 -0800 iwlwifi: Fix to set correct ht configuration commit 098dfded5b1b09927995e89c6d689f85a0f53384 upstream. iwl_set_rxon_ht() only get called in iwl_post_associate(); which cause possible incorrect ht configuration. Adding the call in iwl_mac_config() if IEEE80211_CONF_CHANGE_CHANNEL flag is set to re-configure and send rxon command. Fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2146 Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit de30e10d0080bccca8fe56f8dcb75171fffdb695 Author: Benoit Papillault Date: Fri Feb 5 01:21:03 2010 +0100 mac80211: Fix probe request filtering in IBSS mode commit 0da780c269957783d341fc3559e6b4c9912af7b4 upstream. We only reply to probe request if either the requested SSID is the broadcast SSID or if the requested SSID matches our own SSID. This latter case was not properly handled since we were replying to different SSID with the same length as our own SSID. Signed-off-by: Benoit Papillault Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 20f774c4adc1f0690b300103b3f046c79d82ed99 Author: Sujith Date: Tue Feb 9 10:07:00 2010 +0530 ath9k: Fix sequence numbers for PAE frames commit 6c8afef551fef87a3bf24f8a74c69a7f2f72fc82 upstream. Currently, PAE frames are not assigned proper sequence numbers. Since sending PAE frames as part of aggregates breaks crupto with several APs, they are sent as normal MPDUs. Fix the seqeuence number issue by updating the frame with the internal sequence number. Tested-by: Felix Fietkau Signed-off-by: Sujith Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 51a53302d168c9c6089cb931acebfbc5a2e81a48 Author: Larry Finger Date: Tue Feb 2 10:08:19 2010 -0600 b43: Fix throughput regression commit b6c3f5be7c6ac3375f44de4545c1ffe216b34022 upstream. Commit c7ab5ef9bcd281135c21b4732c9be779585181be entitled "b43: implement short slot and basic rate handling" reduced the transmit throughput for my BCM4311 device from 18 Mb/s to 0.7 Mb/s. The basic rate handling portion is OK, the problem is in the short slot handling. Prior to this change, the short slot enable/disable routines were never called. Experimentation showed that the critical part was changing the value at offset 0x0010 in the shared memory. This is supposed to contain the 802.11 Slot Time in usec, but if it is changed from its initial value of zero, performance is destroyed. On the other hand, changing the value in the MMIO register corresponding to the Interframe Slot Time increased performance from 18 to 22 Mb/s. A BCM4306/3 also shows dramatic improvement of the transmit rate from 5.3 to 19.0 Mb/s. Other changes in the patch include removal of the magic number for the MMIO register, and allowing the slot time to be set for any PHY operating in the 2.4 GHz band. Previously, the routine was executed only for G PHYs. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 081312e8c147a85df0f37dcc45d7e2fbaf79dfb2 Author: Tyler Hicks Date: Wed Nov 4 02:48:01 2009 -0600 eCryptfs: Add getattr function commit f8f484d1b6677dd5cd5e7e605db747e8c30bbd47 upstream. The i_blocks field of an eCryptfs inode cannot be trusted, but generic_fillattr() uses it to instantiate the blocks field of a stat() syscall when a filesystem doesn't implement its own getattr(). Users have noticed that the output of du is incorrect on newly created files. This patch creates ecryptfs_getattr() which calls into the lower filesystem's getattr() so that eCryptfs can use its kstat.blocks value after calling generic_fillattr(). It is important to note that the block count includes the eCryptfs metadata stored in the beginning of the lower file plus any padding used to fill an extent before encryption. https://bugs.launchpad.net/ecryptfs/+bug/390833 Reported-by: Dominic Sacré Signed-off-by: Tyler Hicks Cc: Tim Gardner Signed-off-by: Greg Kroah-Hartman commit be6520201bc0c80ec869ec035607ace48a5f78c4 Author: Chuck Lever Date: Mon Feb 15 12:19:53 2010 -0500 NFS: Too many GETATTR and ACCESS calls after direct I/O commit 65d269538a1129495ac45a14a777cd11cfe881d8 upstream. The cached read and write paths initialize fattr->time_start in their setup procedures. The value of fattr->time_start is propagated to read_cache_jiffies by nfs_update_inode(). Subsequent calls to nfs_attribute_timeout() will then use a good time stamp when computing the attribute cache timeout, and squelch unneeded GETATTR calls. Since the direct I/O paths erroneously leave the inode's fattr->time_start field set to zero, read_cache_jiffies for that inode is set to zero after any direct read or write operation. This triggers an otw GETATTR or ACCESS call to update the file's attribute and access caches properly, even when the NFS READ or WRITE replies have usable post-op attributes. Make sure the direct read and write setup code performs the same fattr initialization as the cached I/O paths to prevent unnecessary GETATTR calls. This was likely introduced by commit 0e574af1 in 2.6.15, which appears to add new nfs_fattr_init() call sites in the cached read and write paths, but not in the equivalent places in fs/nfs/direct.c. A subsequent commit in the same series, 33801147, introduces the fattr->time_start field. Interestingly, the direct write reschedule path already has a call to nfs_fattr_init() in the right place. Reported-by: Quentin Barnes Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2acc8d9f806fad17c81c91b3266775b78894f252 Author: Dave Airlie Date: Sun Jan 31 07:07:14 2010 +1000 drm/radeon/kms: use udelay for short delays commit 01d4503968f471f876fb44335800d2cf8dc5a2ce upstream. For usec delays use udelay instead of scheduling, this should allow reclocking to happen faster. This also was the cause of reported 33s delays at bootup on certain systems. fixes: freedesktop.org bug 25506 Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 498a84db834a62eef2e5cb2fb85d051c39f89fff Author: Arjan van de Ven Date: Wed Jan 27 15:25:39 2010 -0800 ACPI: fix High cpu temperature with 2.6.32 commit 370d5cd88509b93b76eb2f5f97efbd71c25061cb upstream. Since the rewrite of the CPU idle governor in 2.6.32, two laptops have surfaced where the BIOS advertises a C2 power state, but for some reason this state is not functioning (as verified in both cases by powertop before the patch in .32). The old governor had the accidental behavior that if a non-working state was chosen too many times, it would end up falling back to C1. The new governor works differently and this accidental behavior is no longer there; the result is a high temperature on these two machines. This patch adds these 2 machines to the DMI table for C state anomalies; by just not using C2 both these machines are better off (the TSC can be used instead of the pm timer, giving a performance boost for example). Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14742 Signed-off-by: Arjan van de Ven Reported-by: Signed-off-by: Andrew Morton Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit c51bfb22f31d384833e82a66872cccbab7c593df Author: Thomas Renninger Date: Fri Jan 29 17:48:51 2010 +0100 ACPI: Add NULL pointer check in acpi_bus_start commit d2f6650a950dadd20667a04a9dc785f240d43695 upstream. If acpi_bus_add does not return a device and it's passed to acpi_bus_start, bad things will happen: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [] acpi_bus_start+0x14/0x24 ... [] acpiphp_bus_add+0xba/0x130 [acpiphp] [] enable_device+0x132/0x2ff [acpiphp] [] acpiphp_enable_slot+0xb8/0x130 [acpiphp] [] handle_hotplug_event_func+0x87/0x190 [acpiphp] Next patch would make this NULL pointer check obsolete, but better having one more than one missing... Signed-off-by: Thomas Renninger Acked-by: Bjorn Helgaas Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit ea658ff1d6314ed206393dd23d2cd45b22f8f6b4 Author: Jelle Martijn Kok Date: Wed Feb 10 09:34:09 2010 -0600 rtl8187: Add new device ID commit 174b24963eaf96dc5e093502ee09639aed13eb2f upstream. Add new RTL8187B device. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fda9759364aea7d1acc8f278e26c98894f5ef52e Author: Linus Torvalds Date: Tue Feb 16 12:35:07 2010 -0800 USB: usbfs: properly clean up the as structure on error paths commit ddeee0b2eec2a51b0712b04de4b39e7bec892a53 upstream. I notice that the processcompl_compat() function seems to be leaking the 'struct async *as' in the error paths. I think that the calling convention is fundamentally buggered. The caller is the one that did the "reap_as()" to get the as thing, the caller should be the one to free it too. Freeing it in the caller also means that it very clearly always gets freed, and avoids the need for any "free in the error case too". From: Linus Torvalds Cc: Alan Stern Cc: Marcus Meissner Signed-off-by: Greg Kroah-Hartman commit 2bac497bb2f16f1c01a61a0132d2f7a8dabd0e2a Author: Greg KH Date: Mon Feb 15 09:37:46 2010 -0800 USB: usbfs: only copy the actual data received commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 upstream. We need to only copy the data received by the device to userspace, not the whole kernel buffer, which can contain "stale" data. Thanks to Marcus Meissner for pointing this out and testing the fix. Reported-by: Marcus Meissner Tested-by: Marcus Meissner Cc: Alan Stern Cc: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a206591bd37f7f63d1ccaabf73cbaff25b29f51d Author: Laurent Pinchart Date: Wed Feb 10 13:32:49 2010 +0100 class: Free the class private data in class_release commit 18d19c96457d172d913510c083bc7411ed40cb10 upstream. Fix a memory leak by freeing the memory allocated in __class_register for the class private data. Signed-off-by: Laurent Pinchart Acked-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 0f102935a606e13e923905451c097acf8e87e4cd Author: Eric W. Biederman Date: Wed Feb 3 23:13:24 2010 -0800 sysfs: sysfs_sd_setattr set iattrs unconditionally commit 7c0ff870d1ed287504a61ed865f3d728c757436b upstream. There is currently a bug in sysfs_sd_setattr inherited from sysfs_setattr in 2.6.32 where the first time we set the attributes on a sysfs file we allocate backing store but do not set the backing store attributes. Resulting in overly restrictive permissions on sysfs files. The fix is to simply modify the code so that it always executes when we update the sysfs attributes, as we did in 2.6.31 and earlier. Signed-off-by: Eric W. Biederman Tested-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 458c2928268392756c01fafebbebc31403968c2c Author: Dick Hollenbeck Date: Wed Dec 9 12:31:34 2009 -0800 serial: 8250: add serial transmitter fully empty test commit bca476139d2ded86be146dae09b06e22548b67f3 upstream. When controlling an industrial radio modem it can be necessary to manipulate the handshake lines in order to control the radio modem's transmitter, from userspace. The transmitter should not be turned off before all characters have been transmitted. serial8250_tx_empty() was reporting that all characters were transmitted before they actually were. === Discovered in parallel with more testing and analysis by Kees Schoenmakers as follows: I ran into an NetMos 9835 serial pci board which behaves a little different than the standard. This type of expansion board is very common. "Standard" 8250 compatible devices clear the 'UART_LST_TEMT" bit together with the "UART_LSR_THRE" bit when writing data to the device. The NetMos device does it slightly different I believe that the TEMT bit is coupled to the shift register. The problem is that after writing data to the device and very quickly after that one does call serial8250_tx_empty, it returns the wrong information. My patch makes the test more robust (and solves the problem) and it does not affect the already correct devices. Alan: We may yet need to quirk this but now we know which chips we have a way to do that should we find this breaks some other 8250 clone with dodgy THRE. Signed-off-by: Dick Hollenbeck Signed-off-by: Alan Cox Cc: Kees Schoenmakers Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit d13e7a58664e0e35db5e524176cb70143c7c07c2 Author: Takashi Iwai Date: Mon Dec 28 12:24:22 2009 +0100 ALSA: usb-audio - Avoid Oops after disconnect commit 78b8d5d2ee280c463908fd75f3bdf246bcb6ac8d upstream. As the release of substreams may be done asynchronously from the disconnection, close callback needs to check the shutdown flag before actually accessing the usb interface. Reference: Novell bnc#505027 http://bugzilla.novell.com/show_bug.cgi?id=565027 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 98baa75bcbacb200b7e4e0ee01b508f4d459d8ce Author: George Kadianakis Date: Thu Dec 17 01:16:00 2009 +0200 Staging: fix rtl8187se compilation errors with mac80211 commit df574b8ecfb3a84af96229f336a6be88ca4a7055 upstream. This patch fixes compilation problems that were caused by function naming conflicts between the rtl8187se driver and the mac80211 stack. Signed-off-by: George Kadianakis Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit 5a863d4181b7d028e19868211c12169babbee39f Author: Yinghai Lu Date: Sat Nov 21 00:23:37 2009 -0800 x86: Re-get cfg_new in case reuse/move irq_desc commit 37ef2a3029fde884808ff1b369677abc7dd9a79a upstream. When irq_desc is moved, we need to make sure to use the right cfg_new. Signed-off-by: Yinghai Lu LKML-Reference: <4B07A739.3030104@kernel.org> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 314a4e5441e5402e16c5e810f33a4ed842d0a473 Author: Joerg Roedel Date: Wed Feb 3 16:13:41 2010 +0100 x86/amd-iommu: Fix deassignment of a device from the pt_domain commit d3ad9373b7c29b63d5e8460a69453718d200cc3b upstream. Deassigning a device from the passthrough domain does not work and breaks device assignment to kvm guests. This patch fixes the issue. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 16ecf8a237415fac700d6c227f763a2be566c92a Author: Joerg Roedel Date: Wed Feb 3 16:13:08 2010 +0100 x86/amd-iommu: Fix IOMMU-API initialization for iommu=pt commit f5325094379158e6b876ea0010c807bf7890ec8f upstream This patch moves the initialization of the iommu-api out of the dma-ops initialization code. This ensures that the iommu-api is initialized even with iommu=pt. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 6d14e6b46af551e2551594ab5ab9356fb4cebbe7 Author: Rafael J. Wysocki Date: Thu Feb 4 14:00:41 2010 -0800 pktgen: Fix freezing problem commit 1b3f720bf033fde1fbb6231f9b156b918c5f68d8 upstream. Add missing try_to_freeze() to one of the pktgen_thread_worker() code paths so that it doesn't block suspend/hibernation. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=15006 Signed-off-by: Rafael J. Wysocki Reported-and-tested-by: Ciprian Dorin Craciun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e045288ec2a2274dc26eaba6b21cf2770b48e0ed Author: Tejun Heo Date: Thu Jan 28 16:04:15 2010 +0900 ahci: add Acer G725 to broken suspend list commit cedc9bf906dae044443d403371c887affdb44168 upstream. Acer G725 shares the same suspend problem with the HP laptops which lose ATA devices on resume. New firmware which fixes the problem is already available. Add G725 with old firmwares to the broken suspend list. This problem has been reported in bko#15104. http://bugzilla.kernel.org/show_bug.cgi?id=15104 Signed-off-by: Tejun Heo Reported-by: Jani-Matti Hätinen Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 2c494f553a2c3c9dc155fc5bb0eff27e3a0fbef2 Author: Catalin Marinas Date: Thu Feb 4 01:04:50 2010 -0500 Call flush_dcache_page after PIO data transfers in libata-sff.c commit 2d68b7fe55d9e19a8a868224ed0dfd6526568521 upstream. flush_dcache_page() must be called after (!ATA_TFLAG_WRITE) the data copying to avoid D-cache aliasing with user space or I-D cache coherency issues (when reading data from an ATA device using PIO, the kernel dirties the D-cache but there is no flush_dcache_page() required on Harvard architectures). Signed-off-by: Catalin Marinas Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit c74c819eabc8b9ccfc91eafc8c253bce57661dae Author: Sergey Matyukevich Date: Tue Feb 2 13:43:59 2010 -0800 rtc-fm3130: add missing braces commit f4b5162820de60204afa5c8639335f4931b7fb0c upstream. Add missing braces for multiline 'if' statements in fm3130_probe. Signed-off-by: Sergey Matyukevich Signed-off-by: Alessandro Zummo Cc: Sergey Lapin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c5fc9aa0845fa2920e0f9d70844151832bfd9d1a Author: Al Viro Date: Thu Jan 28 22:11:38 2010 -0500 befs: fix leak commit 8dd5ca532c2d2c2b85f16bc038ebfff05b8853e1 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit a63123d12b7ced1d75b548379251982ad2583fbe Author: Alex Murray Date: Wed Jan 13 23:15:03 2010 +1030 ALSA: hda - Improved MacBook (Pro) 5,1 / 5,2 support commit a76221d47ef2b73ff16c0fef00a784026308ea02 upstream. This patch adds support for automatically muting the speakers when headphones are inserted, as well as relabelling the headphone widgets from the non-standard "HP" to the standard "Headphone" for the mb5 model. Signed-off-by: Alex Murray Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b49b8e39e9c06a4d07c215de211279a91c42abc7 Author: Eric Dumazet Date: Mon Feb 8 15:00:39 2010 -0800 dst: call cond_resched() in dst_gc_task() commit 2fc1b5dd99f66d93ffc23fd8df82d384c1a354c8 upstream. Kernel bugzilla #15239 On some workloads, it is quite possible to get a huge dst list to process in dst_gc_task(), and trigger soft lockup detection. Fix is to call cond_resched(), as we run in process context. Reported-by: Pawel Staszewski Tested-by: Pawel Staszewski Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1393ad25685ec7f91137160dc482e7bb00cb27d2 Author: Takashi Iwai Date: Fri Feb 12 18:17:06 2010 +0100 ALSA: hda - use WARN_ON_ONCE() for zero-division detection commit d6d8bf549393484e906913f02fa3c9518a2819b6 upstream. Replace the zero-division warning message with WARN_ON_ONCE() per the advice by Linus. This shouldn't happen, but if it happens, it's possible that the bug happens often due to buggy IRQs. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 473e685ee12ccd50d626b58c455dde6bbb51df61 Author: Matt Fleming Date: Fri Dec 11 22:58:17 2009 +0000 sh: Couple kernel and user write page perm bits for CONFIG_X2TLB commit fcb4ebd678858850e8b029909064175cb627868d upstream. pte_write() should check whether the permissions include either the user or kernel write permission bits. Likewise, pte_wrprotect() needs to remove both the kernel and user write bits. Without this patch handle_tlbmiss() doesn't handle faulting in pages from the P3 area (our vmalloc space) because of a write. Mappings of the P3 space have the _PAGE_EXT_KERN_WRITE bit but not _PAGE_EXT_USER_WRITE. Signed-off-by: Matt Fleming Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit 36a508e6c61a3c49680ee349149a8f5f1fb5acd8 Author: Kashyap, Desai Date: Mon Jan 25 16:20:52 2010 +0530 SCSI: mptfusion : mptscsih_abort return value should be SUCCESS instead of value 0. commit 9858ae38011d699d4c2fa7f3493a47accf43a0f5 upstream. retval should be SUCCESS/FAILED which is defined at scsi.h retval = 0 is directing wrong return value. It must be retval = SUCCESS. Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 483d7142396f0d8b8f8748a4069b71c13ca662e5 Author: Wu Fengguang Date: Fri Feb 5 15:02:13 2010 -0500 devmem: fix kmem write bug on memory holes commit c85e9a97c4102ce2e83112da850d838cfab5ab13 upstream devmem: fix kmem write bug on memory holes [ cebbert@redhat.com : backport to 2.6.32 ] write_kmem() used to assume vwrite() always return the full buffer length. However now vwrite() could return 0 to indicate memory hole. This creates a bug that "buf" is not advanced accordingly. Fix it to simply ignore the return value, hence the memory hole. Signed-off-by: Wu Fengguang Cc: Andi Kleen Cc: Benjamin Herrenschmidt Cc: Christoph Lameter Cc: Ingo Molnar Cc: Tejun Heo Cc: Nick Piggin Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 6b344d83ca458327faa0e1f6afd45c39cceab2a6 Author: KAMEZAWA Hiroyuki Date: Fri Feb 5 15:01:09 2010 -0500 devmem: check vmalloc address on kmem read/write commit 325fda71d0badc1073dc59f12a948f24ff05796a [ cebbert@redhat.com : backport to 2.6.32 ] devmem: check vmalloc address on kmem read/write Otherwise vmalloc_to_page() will BUG(). This also makes the kmem read/write implementation aligned with mem(4): "References to nonexistent locations cause errors to be returned." Here we return -ENXIO (inspired by Hugh) if no bytes have been transfered to/from user space, otherwise return partial read/write results. Signed-off-by: KAMEZAWA Hiroyuki Signed-off-by: Wu Fengguang Cc: Greg Kroah-Hartman Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 0e1104ada32d242bc6169a2ce4eb19ec4febb813 Author: Wu Fengguang Date: Fri Feb 5 15:00:52 2010 -0500 /dev/mem: introduce size_inside_page() commit f222318e9c3a315723e3524fb9d6566b2430db44 upstream /dev/mem: introduce size_inside_page() [ cebbert@redhat.com : backport to 2.6.32 ] [ subset of original patch, for just /dev/kmem ] Introduce size_inside_page() to replace duplicate /dev/mem code. Also apply it to /dev/kmem, whose alignment logic was buggy. Signed-off-by: Wu Fengguang Acked-by: Andi Kleen Cc: Marcelo Tosatti Cc: Greg Kroah-Hartman Cc: Mark Brown Cc: Johannes Berg Cc: Avi Kivity Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 06eeea406c93680a55dd333971638af7289f8f7b Author: Len Brown Date: Sat Jan 30 18:01:42 2010 -0500 dell-wmi, hp-wmi, msi-wmi: check wmi_get_event_data() return value commit fda11e61ff8a4e3a8ebbd434e46560b67cc0ca9d upstream [ backport to 2.6.32 ] When acpi_evaluate_object() is passed ACPI_ALLOCATE_BUFFER, the caller must kfree the returned buffer if AE_OK is returned. The callers of wmi_get_event_data() pass ACPI_ALLOCATE_BUFFER, and thus must check its return value before accessing or kfree() on the buffer. Signed-off-by: Len Brown Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 9f835c304f14fe5ad4f435c58e9c1e08fda71886 Author: Anisse Astier Date: Sat Jan 30 18:00:17 2010 -0500 wmi: Free the allocated acpi objects through wmi_get_event_data commit 3e9b988e4edf065d39c1343937f717319b1c1065 upstream [ backported to 2.6.32 ] These function allocate an acpi object by calling wmi_get_event_data, which then calls acpi_evaluate_object, and it is not freed afterwards. And kernel doc is fixed for parameters of wmi_get_event_data. Signed-off-by: Anisse Astier Acked-by: Randy Dunlap Acked-by: Carlos Corbacho Signed-off-by: Len Brown Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit fa56c7eaeca469055d79d1a2fe66a67829e44bf0 Author: Herbert Xu Date: Mon Feb 1 09:17:56 2010 +1100 crypto: padlock-sha - Add import/export support commit a8d7ac279743077965afeca0c9ed748507b68e89 upstream. As the padlock driver for SHA uses a software fallback to perform partial hashing, it must implement custom import/export functions. Otherwise hmac which depends on import/export for prehashing will not work with padlock-sha. Reported-by: Wolfgang Walter Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit fe42d89779a0c5639afe0e543aac1f7d1d7d9582 Author: Stefan Haberland Date: Mon Dec 7 12:51:52 2009 +0100 dasd: remove strings from s390dbf commit b8ed5dd54895647c2690575aad6f07748c2c618a upstream. Remove strings from s390 debugfeature entries that could lead to a crash when the data is read from dbf because the strings do not exist any more. Signed-off-by: Stefan Haberland Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 26d415dcf38423cb4c990e82c71e19011a9ad4e6 Author: Zhenyu Wang Date: Wed Nov 25 13:09:39 2009 +0800 drm/i915: Don't wait interruptible for possible plane buffer flush commit b9241ea31fae4887104e5d1b3b18f4009c25a0c4 upstream. When we setup buffer for display plane, we'll check any pending required GPU flush and possible make interruptible wait for flush complete. But that wait would be most possibly to fail in case of signals received for X process, which will then fail modeset process and put display engine in unconsistent state. The result could be blank screen or CPU hang, and DDX driver would always turn on outputs DPMS after whatever modeset fails or not. So this one creates new helper for setup display plane buffer, and when needing flush using uninterruptible wait for that. This one should fix bug like https://bugs.freedesktop.org/show_bug.cgi?id=24009. Also fixing mode switch stress test on Ironlake. Signed-off-by: Zhenyu Wang Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 47516b77eb1beb5b35c17112284493d008bc7c4a Author: Daniel Vetter Date: Tue Sep 15 22:57:32 2009 +0200 drm/i915: add i915_lp_ring_sync helper commit 48764bf43f746113fc77877d7e80f2df23ca4cbb upstream. This just waits until the hw passed the current ring position with cmd execution. This slightly changes the existing i915_wait_request function to make uninterruptible waiting possible - no point in returning to userspace while mucking around with the overlay, that piece of hw is just too fragile. Also replace a magic 0 with the symbolic constant (and kill the then superflous comment) while I was looking at the code. Signed-off-by: Daniel Vetter Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 30b1b8f0078eb8ada282f814f47dbecf4283fdfc Author: Zhenyu Wang Date: Mon Dec 28 13:23:36 2009 +0800 drm/i915: remove full registers dump debug commit 823f68fd646da6a39a9c0d3eb4c60d69dab5aa13 upstream. This one reverts 9e3a6d155ed0a7636b926a798dd7221ea107b274. As reported by http://bugzilla.kernel.org/show_bug.cgi?id=14485, this dump will cause hang problem on some machine. If something really needs this kind of full registers dump, that could be done within intel-gpu-tools. Cc: Ben Gamari Signed-off-by: Zhenyu Wang Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 242a71829e57a4962e43f89cf50d5fa99ff8a3e5 Author: Patrick McHardy Date: Mon Feb 8 11:18:07 2010 -0800 netfilter: nf_conntrack: fix hash resizing with namespaces commit d696c7bdaa55e2208e56c6f98e6bc1599f34286d upstream. As noticed by Jon Masters , the conntrack hash size is global and not per namespace, but modifiable at runtime through /sys/module/nf_conntrack/hashsize. Changing the hash size will only resize the hash in the current namespace however, so other namespaces will use an invalid hash size. This can cause crashes when enlarging the hashsize, or false negative lookups when shrinking it. Move the hash size into the per-namespace data and only use the global hash size to initialize the per-namespace value when instanciating a new namespace. Additionally restrict hash resizing to init_net for now as other namespaces are not handled currently. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d619798aab2394997e0a4b9d2cb362306f221c97 Author: Alexey Dobriyan Date: Mon Feb 8 11:17:43 2010 -0800 netfilter: xtables: compat out of scope fix commit 14c7dbe043d01a83a30633ab6b109ba2ac61d9f7 upstream. As per C99 6.2.4(2) when temporary table data goes out of scope, the behaviour is undefined: if (compat) { struct foo tmp; ... private = &tmp; } [dereference private] Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 51d3a347944f76bc2f304e0622d61b9b39fec585 Author: Alexey Dobriyan Date: Mon Feb 8 11:17:22 2010 -0800 netfilter: nf_conntrack: restrict runtime expect hashsize modifications commit 13ccdfc2af03e09e60791f7d4bc4ccf53398af7c upstream. Expectation hashtable size was simply glued to a variable with no code to rehash expectations, so it was a bug to allow writing to it. Make "expect_hashsize" readonly. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 747edef00c9b2147ca0b3d5bc33e9291a9a6d86e Author: Eric Dumazet Date: Mon Feb 8 11:16:56 2010 -0800 netfilter: nf_conntrack: per netns nf_conntrack_cachep commit 5b3501faa8741d50617ce4191c20061c6ef36cb3 upstream. nf_conntrack_cachep is currently shared by all netns instances, but because of SLAB_DESTROY_BY_RCU special semantics, this is wrong. If we use a shared slab cache, one object can instantly flight between one hash table (netns ONE) to another one (netns TWO), and concurrent reader (doing a lookup in netns ONE, 'finding' an object of netns TWO) can be fooled without notice, because no RCU grace period has to be observed between object freeing and its reuse. We dont have this problem with UDP/TCP slab caches because TCP/UDP hashtables are global to the machine (and each object has a pointer to its netns). If we use per netns conntrack hash tables, we also *must* use per netns conntrack slab caches, to guarantee an object can not escape from one namespace to another one. Signed-off-by: Eric Dumazet [Patrick: added unique slab name allocation] Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit de2545859df3c04462ef39bf8056e587a1d2fa17 Author: Patrick McHardy Date: Mon Feb 8 11:16:26 2010 -0800 netfilter: nf_conntrack: fix memory corruption with multiple namespaces commit 9edd7ca0a3e3999c260642c92fa008892d82ca6e upstream. As discovered by Jon Masters , the "untracked" conntrack, which is located in the data section, might be accidentally freed when a new namespace is instantiated while the untracked conntrack is attached to a skb because the reference count it re-initialized. The best fix would be to use a seperate untracked conntrack per namespace since it includes a namespace pointer. Unfortunately this is not possible without larger changes since the namespace is not easily available everywhere we need it. For now move the untracked conntrack initialization to the init_net setup function to make sure the reference count is not re-initialized and handle cleanup in the init_net cleanup function to make sure namespaces can exit properly while the untracked conntrack is in use in other namespaces. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dc5b9893d10ba7132098e7ad991103430227724b Author: Borislav Petkov Date: Thu Feb 11 17:15:57 2010 +0100 amd64_edac: Do not falsely trigger kerneloops commit cab4d27764d5a8654212b3e96eb0ae793aec5b94 upstream. An unfortunate "WARNING" in the message amd64_edac dumps when the system doesn't support DRAM ECC or ECC checking is not enabled in the BIOS used to trigger kerneloops which qualified the message as an OOPS thus misleading the users. See, e.g. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/422536 http://bugzilla.kernel.org/show_bug.cgi?id=15238 Downgrade the message level to KERN_NOTICE and fix the formulation. Signed-off-by: Borislav Petkov Acked-by: Doug Thompson Signed-off-by: Greg Kroah-Hartman commit 00510c8f39d7b3501cc7ec79b677186ffbc7ca7e Author: Marcel Selhorst Date: Wed Feb 10 13:56:32 2010 -0800 tpm_infineon: fix suspend/resume handler for pnp_driver commit 93716b9470fbfd9efdc7d0f2445cb34635de3f6d upstream. When suspending, tpm_infineon calls the generic suspend function of the TPM framework. However, the TPM framework does not return and the system hangs upon suspend. When sending the necessary command "TPM_SaveState" directly within the driver, suspending and resuming works fine. Signed-off-by: Marcel Selhorst Cc: OGAWA Hirofumi Cc: Debora Velarde Cc: Rajiv Andrade Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d632dfd88b02f1f89cbb9ec2d595580d1eba03bf Author: Marcelo Tosatti Date: Fri Jan 29 17:28:41 2010 -0200 KVM: PIT: control word is write-only commit ee73f656a604d5aa9df86a97102e4e462dd79924 upstream. PIT control word (address 0x43) is write-only, reads are undefined. Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit aa1dcdd6eb7f457dee130987d5d5229e5a67184c Author: Jason Wang Date: Wed Jan 27 19:13:49 2010 +0800 kvmclock: count total_sleep_time when updating guest clock commit 923de3cf5bf12049628019010e36623fca5ef6d1 upstream. Current kvm wallclock does not consider the total_sleep_time which could cause wrong wallclock in guest after host suspend/resume. This patch solve this issue by counting total_sleep_time to get the correct host boot time. Signed-off-by: Jason Wang Acked-by: Glauber Costa Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 1c63c20663a84b03a2dc47d1c1998f1883081162 Author: Jason Wang Date: Wed Jan 27 19:13:40 2010 +0800 Export the symbol of getboottime and mmonotonic_to_bootbased commit c93d89f3dbf0202bf19c07960ca8602b48c2f9a0 upstream. Export getboottime and monotonic_to_bootbased in order to let them could be used by following patch. Signed-off-by: Jason Wang Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 134bb65d8d9fa4e8bf3a7637e983e8d01e063544 Author: Francesco Lavra Date: Sun Feb 7 09:49:58 2010 -0300 V4L/DVB: dvb-core: fix initialization of feeds list in demux filter commit 691c9ae099b9bcb5c27125af00a4a90120977458 upstream. A DVB demultiplexer device can be used to set up either a PES filter or a section filter. In the former case, the ts field of the feed union of struct dmxdev_filter is used, in the latter case the sec field of the same union is used. The ts field is a struct list_head, and is currently initialized in the open() method of the demux device. When for a given demuxer a section filter is set up, the sec field is played with, thus if a PES filter needs to be set up after that the ts field will be corrupted, causing a kernel oops. This fix moves the list head initialization to dvb_dmxdev_pes_filter_set(), so that the ts field is properly initialized every time a PES filter is set up. Signed-off-by: Francesco Lavra Reviewed-by: Andy Walls Tested-by: hermann pitton Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 113819bc44213c5b931517f86a1c9c93c22e2f20 Author: NeilBrown Date: Tue Feb 9 12:31:47 2010 +1100 md: fix 'degraded' calculation when starting a reshape. commit 9eb07c259207d048e3ee8be2a77b2a4680b1edd4 upstream. This code was written long ago when it was not possible to reshape a degraded array. Now it is so the current level of degraded-ness needs to be taken in to account. Also newly addded devices should only reduce degradedness if they are deemed to be in-sync. In particular, if you convert a RAID5 to a RAID6, and increase the number of devices at the same time, then the 5->6 conversion will make the array degraded so the current code will produce a wrong value for 'degraded' - "-1" to be precise. If the reshape runs to completion end_reshape will calculate a correct new value for 'degraded', but if a device fails during the reshape an incorrect decision might be made based on the incorrect value of "degraded". This patch is suitable for 2.6.32-stable and if they are still open, 2.6.31-stable and 2.6.30-stable as well. Reported-by: Michael Evans Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 892faa5a39f6236bccbe6f48a5f736a8aec9b278 Author: Trond Myklebust Date: Mon Feb 8 09:32:40 2010 -0500 NFS: Fix the mapping of the NFSERR_SERVERFAULT error commit fdcb45777a3d1689c5541e1f85ee3ebbd197d2c1 upstream. It was recently pointed out that the NFSERR_SERVERFAULT error, which is designed to inform the user of a serious internal error on the server, was being mapped to an error value that is internal to the kernel. This patch maps it to the error EREMOTEIO, which is exported to userland through errno.h. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 5ba0facdbeb73ead6fe04d6bc5947e2fb4f29320 Author: Trond Myklebust Date: Mon Feb 8 09:32:27 2010 -0500 NFS: Fix a bug in nfs_fscache_release_page() commit 2c1740098c708b465e87637b237feb2fd98f129a upstream. Not having an fscache cookie is perfectly valid if the user didn't mount with the fscache option. This patch fixes http://bugzilla.kernel.org/show_bug.cgi?id=15234 Signed-off-by: Trond Myklebust Acked-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 16e63ecd5d683fe18d91fcd1e6a7f63468f7d805 Author: Trond Myklebust Date: Wed Feb 3 08:27:35 2010 -0500 NFS: Fix a umount race commit 387c149b54b4321cbc790dadbd4f8eedb5a90468 upstream. Ensure that we unregister the bdi before kill_anon_super() calls ida_remove() on our device name. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 04673da74dbd331040fa439bd72963a35f1b67cf Author: Trond Myklebust Date: Wed Feb 3 08:27:22 2010 -0500 NFS: Fix an Oops when truncating a file commit 9f557cd8073104b39528794d44e129331ded649f upstream. The VM/VFS does not allow mapping->a_ops->invalidatepage() to fail. Unfortunately, nfs_wb_page_cancel() may fail if a fatal signal occurs. Since the NFS code assumes that the page stays mapped for as long as the writeback is active, we can end up Oopsing (among other things). The only safe fix here is to convert nfs_wait_on_request(), so as to make it uninterruptible (as is already the case with wait_on_page_writeback()). Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit e7055c2366a5a5b507492905200d4327949b81ce Author: Trond Myklebust Date: Tue Jan 26 15:42:21 2010 -0500 NFSv4: Ensure that the NFSv4 locking can recover from stateid errors commit 2bee72a6aa1e6d0a4f5da56217f0d0bbbdd0d9a3 upstream. In most cases, we just want to mark the lock_stateid sequence id as being uninitialised. Signed-off-by: Trond Myklebust Reviewed-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 1236ff906f9d3044cd24d22463c3c943ee92e3a2 Author: Trond Myklebust Date: Tue Jan 26 15:42:30 2010 -0500 NFSv4: Don't allow posix locking against servers that don't support it commit 8e469ebd6dc32cbaf620e134d79f740bf0ebab79 upstream. Signed-off-by: Trond Myklebust Reviewed-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 438b9c70b8800b0c12ec6bc784e00bbae24a75ca Author: Trond Myklebust Date: Tue Jan 26 15:41:53 2010 -0500 NFS: Try to commit unstable writes in nfs_release_page() commit 82be934a59ff891cac598727e5a862ba2b9d1fac upstream. If someone calls nfs_release_page(), we presumably already know that the page is clean, however it may be holding an unstable write. Signed-off-by: Trond Myklebust Reviewed-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 1f9382ec17cc4fa5344b871658345e569fba8af7 Author: Trond Myklebust Date: Tue Jan 26 15:41:34 2010 -0500 NFS: Fix a reference leak in nfs_wb_cancel_page() commit c9edda7140ec6a22accf7f2f86da362dfbfd41fc upstream. Signed-off-by: Trond Myklebust Reviewed-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit ea332d671c5f6802d85572c2af13b9a671d8ea88 Author: Jeff Layton Date: Fri Feb 5 13:14:00 2010 -0500 cifs: fix length calculation for converted unicode readdir names commit f12f98dba6ea1517cd7fbb912208893b9c014c15 upstream. cifs_from_ucs2 returns the length of the converted name, including the length of the NULL terminator. We don't want to include the NULL terminator in the dentry name length however since that'll throw off the hash calculation for the dentry cache. I believe that this is the root cause of several problems that have cropped up recently that seem to be papered over with the "noserverino" mount option. More confirmation of that would be good, but this is clearly a bug and it fixes at least one reproducible problem that was reported. This patch fixes at least this reproducer in this kernel.org bug: http://bugzilla.kernel.org/show_bug.cgi?id=15088#c12 Reported-by: Bjorn Tore Sund Acked-by: Dave Kleikamp Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 35e2093d5d7b632c083af3578c05876375828314 Author: Michael Neuling Date: Wed Feb 10 13:56:42 2010 -0800 fs/exec.c: restrict initial stack space expansion to rlimit commit 803bf5ec259941936262d10ecc84511b76a20921 upstream. When reserving stack space for a new process, make sure we're not attempting to expand the stack by more than rlimit allows. This fixes a bug caused by b6a2fea39318e43fee84fa7b0b90d68bed92d2ba ("mm: variable length argument support") and unmasked by fc63cf237078c86214abcb2ee9926d8ad289da9b ("exec: setup_arg_pages() fails to return errors"). This bug means that when limiting the stack to less the 20*PAGE_SIZE (eg. 80K on 4K pages or 'ulimit -s 79') all processes will be killed before they start. This is particularly bad with 64K pages, where a ulimit below 1280K will kill every process. To test, do: 'ulimit -s 15; ls' before and after the patch is applied. Before it's applied, 'ls' should be killed. After the patch is applied, 'ls' should no longer be killed. A stack limit of 15KB since it's small enough to trigger 20*PAGE_SIZE. Also 15KB not a multiple of PAGE_SIZE, which is a trickier case to handle correctly with this code. 4K pages should be fine to test with. [kosaki.motohiro@jp.fujitsu.com: cleanup] [akpm@linux-foundation.org: cleanup cleanup] Signed-off-by: Michael Neuling Signed-off-by: KOSAKI Motohiro Cc: Americo Wang Cc: Anton Blanchard Cc: Oleg Nesterov Cc: James Morris Cc: Ingo Molnar Cc: Serge Hallyn Cc: Benjamin Herrenschmidt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3d87cb443857acc25dddd3696b6f7a459807d154 Author: Jiri Slaby Date: Thu Nov 19 17:16:37 2009 +0100 resource: add helpers for fetching rlimits commit 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd upstream. We want to be sure that compiler fetches the limit variable only once, so add helpers for fetching current and maximal resource limits which do that. Add them to sched.h (instead of resource.h) due to circular dependency sched.h->resource.h->task_struct Alternative would be to create a separate res_access.h or similar. Signed-off-by: Jiri Slaby Cc: James Morris Cc: Heiko Carstens Cc: Andrew Morton Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 27df9c09dd64b05f862d5a05cfb1b1e479a44f0c Author: Dan Williams Date: Wed Jan 13 13:33:12 2010 -0700 ioat: fix infinite timeout checking in ioat2_quiesce commit 7e55a70c5b9a57c12f49c44b0847c9343d4f54e4 upstream. Fix typo in ioat2_quiesce. check 'tmo' is zero, not 'end'. Also applies to 2.6.32.3 Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 2b8fcd4ed0db58421d1600ff6e3b01dd68b3ef83 Author: Stephen M. Cameron Date: Fri Feb 5 13:14:04 2010 +0100 cciss: Make cciss_seq_show handle holes in the h->drv[] array commit 531c2dc70d339c5dfa8c3eb628c3459dc6f3a075 upstream. It is possible (and expected) for there to be holes in the h->drv[] array, that is, some elements may be NULL pointers. cciss_seq_show needs to be made aware of this possibility to avoid an Oops. To reproduce the Oops which this fixes: 1) Create two "arrays" in the Array Configuratino Utility and several logical drives on each array. 2) cat /proc/driver/cciss/cciss* in an infinite loop 3) delete some of the logical drives in the first "array." Signed-off-by: Stephen M. Cameron Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e031c71282e8223cc8fc088e4c1bf86900ce9927 Author: Jun'ichi Nomura Date: Fri Jan 29 09:56:22 2010 +0900 freeze_bdev: don't deactivate successfully frozen MS_RDONLY sb commit 4b06e5b9ad8abb20105b2b25e42c509ebe9b2d76 upstream. Thanks Thomas and Christoph for testing and review. I removed 'smp_wmb()' before up_write from the previous patch, since up_write() should have necessary ordering constraints. (I.e. the change of s_frozen is visible to others after up_write) I'm quite sure the change is harmless but if you are uncomfortable with Tested-by/Reviewed-by on the modified patch, please remove them. If MS_RDONLY, freeze_bdev should just up_write(s_umount) instead of deactivate_locked_super(). Also, keep sb->s_frozen consistent so that remount can check the frozen state. Otherwise a crash reported here can happen: http://lkml.org/lkml/2010/1/16/37 http://lkml.org/lkml/2010/1/28/53 This patch should be applied for 2.6.32 stable series, too. Reviewed-by: Christoph Hellwig Tested-by: Thomas Backlund Signed-off-by: Jun'ichi Nomura Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 344542028e96bd2c105ea5da4330af90db94e2b7 Author: Thomas Renninger Date: Mon Dec 14 11:44:15 2009 +0100 CPUFREQ: Fix use after free of struct powernow_k8_data commit 557a701c16553b0b691dbb64ef30361115a80f64 upstream. Easy fix for a regression introduced in 2.6.31. On managed CPUs the cpufreq.c core will call driver->exit(cpu) on the managed cpus and powernow_k8 will free the core's data. Later driver->get(cpu) function might get called trying to read out the current freq of a managed cpu and the NULL pointer check does not work on the freed object -> better set it to NULL. ->get() is unsigned and must return 0 as invalid frequency. Reference: http://bugzilla.kernel.org/show_bug.cgi?id=14391 Signed-off-by: Thomas Renninger Tested-by: Michal Schmidt Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 65798849d8abac3b382f6d3c2ef6a3722657cd19 Author: Jody Bruchon Date: Sat Feb 6 10:46:26 2010 -0500 ALSA: hda-intel: Avoid divide by zero crash commit fed08d036f2aabd8d0c684439de37f8ebec2bbc2 upstream. On my AMD780V chipset, hda_intel.c can crash the kernel with a divide by zero for as-yet unknown reasons. A simple check for zero prevents it, though the problem that causes it remains. Since the workaround is harmless and won't affect anyone except victims of this bug, it should be safe; moreover, because this crash can be triggered by a user-mode application, there are denial of service implications on the systems affected by the bug without the patch. Signed-off-by: Jody Bruchon Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bb0d31fbf221f50a44ba5d59dfcf54bbf128ac2b Author: Mark Brown Date: Thu Feb 11 19:20:48 2010 +0000 regulator: Fix display of null constraints for regulators commit 973e9a2795b3b41d8408a0bb6f87b783c5efc88a upstream. If the regulator constraints are empty and there is no voltage reported then nothing will be added to the text displayed for the constraints, leading to random stack data being printed. This is unlikely to happen for practical regulators since most will at least report a voltage but should still be fixed. Signed-off-by: Mark Brown Signed-off-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit a20bc629020fc785f75f6c7051795b5a12b0e932 Author: Daniel Vetter Date: Sun Feb 7 16:20:18 2010 +0100 drm/i915: Update write_domains on active list after flush. commit 99fcb766a3a50466fe31d743260a3400c1aee855 upstream. Before changing the status of a buffer with a pending write we will await upon a new flush for that buffer. So we can take advantage of any flushes posted whilst the buffer is active and pending processing by the GPU, by clearing its write_domain and updating its last_rendering_seqno -- thus saving a potential flush in deep queues and improves flushing behaviour upon eviction for both GTT space and fences. In order to reduce the time spent searching the active list for matching write_domains, we move those to a separate list whose elements are the buffers belong to the active/flushing list with pending writes. Orignal patch by Chris Wilson , forward-ported by me. In addition to better performance, this also fixes a real bug. Before this changes, i915_gem_evict_everything didn't work as advertised. When the gpu was actually busy and processing request, the flush and subsequent wait would not move active and dirty buffers to the inactive list, but just to the flushing list. Which triggered the BUG_ON at the end of this function. With the more tight dirty buffer tracking, all currently busy and dirty buffers get moved to the inactive list by one i915_gem_flush operation. I've left the BUG_ON I've used to prove this in there. References: Bug 25911 - 2.10.0 causes kernel oops and system hangs http://bugs.freedesktop.org/show_bug.cgi?id=25911 Bug 26101 - [i915] xf86-video-intel 2.10.0 (and git) triggers kernel oops within seconds after login http://bugs.freedesktop.org/show_bug.cgi?id=26101 Signed-off-by: Daniel Vetter Signed-off-by: Chris Wilson Tested-by: Adam Lantos Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 68c12bf53608bceef97da294778dfa10349c7223 Author: Chris Wilson Date: Tue Feb 9 14:14:36 2010 +0000 drm/i915: Increase fb alignment to 64k commit fd2e8ea597222b8f38ae8948776a61ea7958232e upstream. An untiled framebuffer must be aligned to 64k. This is normally handled by intel_pin_and_fence_fb_obj(), but the intelfb_create() likes to be different and do the pinning itself. However, it aligns the buffer object incorrectly for pre-i965 chipsets causing a PGTBL_ERR when it is installed onto the output. Fixes: KMS error message while initializing modesetting - render error detected: EIR: 0x10 [i915] http://bugs.freedesktop.org/show_bug.cgi?id=22936 Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit d37bec021841c4388e9046d331291b4787932fdf Author: Jesse Barnes Date: Sat Feb 6 10:41:53 2010 -0800 drm/i915: handle FBC and self-refresh better commit ee25df2bc379728c45d81e04cf87984db1425edf upstream. On 945, we need to avoid entering self-refresh if the compressor is busy, or we may cause display FIFO underruns leading to ugly flicker. Fixes fdo bug #24314, kernel bug #15043. Tested-by: Alexander Lam Signed-off-by: Jesse Barnes Tested-by: Julien Cristau (fd.o #25371) Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 17eff773b4c988e6de965446283de7315ffbac85 Author: Jean Delvare Date: Fri Feb 5 17:48:13 2010 +0100 i2c-tiny-usb: Fix on big-endian systems commit 1c010ff8912cbc08d80e865aab9c32b6b00c527d upstream. The functionality bit vector is always returned as a little-endian 32-bit number by the device, so it must be byte-swapped to the host endianness. On the other hand, the delay value is handled by the USB stack, so no byte swapping is needed on our side. This fixes bug #15105: http://bugzilla.kernel.org/show_bug.cgi?id=15105 Reported-by: Jens Richter Signed-off-by: Jean Delvare Tested-by: Jens Richter Cc: Till Harbaum Signed-off-by: Greg Kroah-Hartman commit ce460107ed450221d040be0cf088973e58ad23eb Author: Paul Mundt Date: Thu Feb 4 06:57:58 2010 +0000 usb: r8a66597-hcd: Flush the D-cache for the pipe-in transfer buffers. commit 2717568e7c44fe7dc3f4f52ea823811cfeede2b5 upstream. This implements the same D-cache flushing logic for r8a66597-hcd as Catalin's isp1760 (http://patchwork.kernel.org/patch/76391/) change, with the same note applying here as well: When the HDC driver writes the data to the transfer buffers it pollutes the D-cache (unlike DMA drivers where the device writes the data). If the corresponding pages get mapped into user space, there are no additional cache flushing operations performed and this causes random user space faults on architectures with separate I and D caches (Harvard) or those with aliasing D-cache. This fixes up crashes during USB boot on SH7724 and others: http://marc.info/?l=linux-sh&m=126439837308912&w=2 Reported-by: Goda Yusuke Tested-by: Goda Yusuke Signed-off-by: Paul Mundt Acked-by: Yoshihiro Shimoda Signed-off-by: Greg Kroah-Hartman commit 6ea0e838a5594a90c5a0a4fdf989831e34684cb0 Author: Zhao Yakui Date: Fri Dec 11 09:26:10 2009 +0800 drm/i915: Add MALATA PC-81005 to ACPI LID quirk list commit a3cb5195f6db58dbebd8a31b877ddce082c9b63d upstream. The MALATA PC-81005 laptop always reports that the LID status is closed and we can't use it reliabily for LVDS detection. So add this box into the quirk list. https://bugs.freedesktop.org/show_bug.cgi?id=25523 Signed-off-by: Zhao Yakui Review-by: Jesse Barnes Tested-by: Hector Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 215bccb7df012f5d1fcf3e686c0a8167cea91ad3 Author: Zhao Yakui Date: Thu Jan 21 15:20:18 2010 +0800 drm/i915: Fix the incorrect DMI string for Samsung SX20S laptop commit f034b12dbb5749b11e9390e15e93ffa87ece8038 upstream. Signed-off-by: Zhao Yakui Reported-by: Philipp Kohlbecher Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 192ff23a2206eb5136c779bfed73171a4d214ad6 Author: Zhao Yakui Date: Wed Jan 6 13:30:36 2010 +0800 drm/i915: Add HP nx9020/SamsungSX20S to ACPI LID quirk list commit 40f33a92100f4d9b6e85ad642100cfe42d7ff57d upstream. The HP comaq nx9020/Samsung SX20S laptop always report that the LID status is closed and we can't use it reliabily for LVDS detection. So add the two boxes into the quirk list. http://bugzilla.kernel.org/show_bug.cgi?id=14957 http://bugzilla.kernel.org/show_bug.cgi?id=14554 Signed-off-by: Zhao Yakui Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 89fcd01fc9e169e4082c842b82cc428b3693f4b3 Author: Eric Anholt Date: Tue Dec 1 11:56:30 2009 -0800 drm/i915: Fix DDC on some systems by clearing BIOS GMBUS setup. commit f0217c42c9ab3d772e543f635ce628b9478f70b6 upstream. This is a sync of a fix I made in the old UMS code. If the BIOS uses the GMBUS and doesn't clear that setup, then our bit-banging I2C can fail, leading to monitors not being detected. Signed-off-by: Eric Anholt Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit de00361567b613202c24bb31d48481da6d9d2959 Author: David John Date: Wed Jan 27 15:19:08 2010 +0530 drm/i915: Disable SR when more than one pipe is enabled commit 33c5fd121eabbccc9103daf6cda36941eb3c349f upstream. Self Refresh should be disabled on dual plane configs. Otherwise, as the SR watermark is not calculated for such configs, switching to non VGA mode causes FIFO underrun and display flicker. This fixes Korg Bug #14897. Signed-off-by: David John Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit e0ddca206e8b551662316053087e9e1184f11a34 Author: Jesse Barnes Date: Mon Oct 19 10:08:17 2009 +0900 drm/i915: enable self-refresh on 965 commit 1dc7546d1a73664e5d117715b214bea9cae5951c upstream. Need to calculate the SR watermark and enable it. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 6240058ce3725f5e708e1c17c3a676217e44ba9b Author: Zhenyu Wang Date: Mon Jan 25 10:35:16 2010 +0800 drm/i915: disable hotplug detect before Ironlake CRT detect commit eceb784cec4dc0fcc2993d9ee4a7c0d111ada80a upstream. This tries to fix CRT detect loop hang seen on some Ironlake form factor, to clear up hotplug detect state before taking CRT detect to make sure next hotplug detect cycle is consistent. Signed-off-by: Zhenyu Wang Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit c58b0c5ba927f27a610bb6b0b08b2d6288d5da17 Author: Jaroslav Kysela Date: Tue Feb 2 19:58:25 2010 +0100 ALSA: ctxfi - fix PTP address initialization commit 21956b61f594f7924d98240da74bc81c28601fa9 upstream. After hours of debugging, I finally found the reason why some source and runtime combination does not work. The PTP (page table pages) address must be aligned. I am not sure how much, but alignment to PAGE_SIZE is sufficient. Also, use ALSA's page allocation routines to ensure proper virtual -> physical address translation. Signed-off-by: Jaroslav Kysela Signed-off-by: Greg Kroah-Hartman commit ea5d622831d40005e9219658d4987b1efd2350ab Author: Ray Copeland Date: Fri Feb 5 19:58:35 2010 +0100 hwmon: (adt7462) Wrong ADT7462_VOLT_COUNT commit 85f8d3e5faea8bd36c3e5196f8334f7db45e19b2 upstream. The #define ADT7462_VOLT_COUNT is wrong, it should be 13 not 12. All the for loops that use this as a limit count are of the typical form, "for (n = 0; n < ADT7462_VOLT_COUNT; n++)", so to loop through all voltages w/o missing the last one it is necessary for the count to be one greater than it is. (Specifically, you will miss the +1.5V 3GPIO input with count = 12 vs. 13.) Signed-off-by: Ray Copeland Acked-by: "Darrick J. Wong" Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 3f28a62b9db311d6f45a5b0d7a9b2d4daae4afe1 Author: Jean Delvare Date: Fri Feb 5 19:58:36 2010 +0100 hwmon: (lm78) Request I/O ports individually for probing commit 197027e6ef830d60e10f76efc8d12bf3b6c35db5 upstream. Different motherboards have different PNP declarations for LM78/LM79 chips. Some declare the whole range of I/O ports (8 ports), some declare only the useful ports (2 ports at offset 5) and some declare fancy ranges, for example 4 ports at offset 4. To properly handle all cases, request all ports individually for probing. After we have determined that we really have an LM78 or LM79 chip, the useful port range will be requested again, as a single block. This fixes the driver on the Olivetti M3000 DT 540, at least. Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 3659b59c77436fb29437cb57cdd72a26de0ded8c Author: Jean Delvare Date: Fri Feb 5 19:58:36 2010 +0100 hwmon: (w83781d) Request I/O ports individually for probing commit b0bcdd3cd0adb85a7686b396ba50493871b1135c upstream. Different motherboards have different PNP declarations for W83781D/W83782D chips. Some declare the whole range of I/O ports (8 ports), some declare only the useful ports (2 ports at offset 5) and some declare fancy ranges, for example 4 ports at offset 4. To properly handle all cases, request all ports individually for probing. After we have determined that we really have a W83781D or W83782D chip, the useful port range will be requested again, as a single block. I did not see a board which needs this yet, but I know of one for lm78 driver and I'd like to keep the logic of these two drivers in sync. Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 3520341ce308afaf676c961e8432ff5c87d3121b Author: Linus Torvalds Date: Sun Feb 7 10:11:23 2010 -0800 Fix race in tty_fasync() properly commit 80e1e823989ec44d8e35bdfddadbddcffec90424 upstream. This reverts commit 703625118069 ("tty: fix race in tty_fasync") and commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/ restore") that tried to fix up some of the fallout but was incomplete. It turns out that we really cannot hold 'tty->ctrl_lock' over calling __f_setown, because not only did that cause problems with interrupt disables (which the second commit fixed), it also causes a potential ABBA deadlock due to lock ordering. Thanks to Tetsuo Handa for following up on the issue, and running lockdep to show the problem. It goes roughly like this: - f_getown gets filp->f_owner.lock for reading without interrupts disabled, so an interrupt that happens while that lock is held can cause a lockdep chain from f_owner.lock -> sighand->siglock. - at the same time, the tty->ctrl_lock -> f_owner.lock chain that commit 703625118069 introduced, together with the pre-existing sighand->siglock -> tty->ctrl_lock chain means that we have a lock dependency the other way too. So instead of extending tty->ctrl_lock over the whole __f_setown() call, we now just take a reference to the 'pid' structure while holding the lock, and then release it after having done the __f_setown. That still guarantees that 'struct pid' won't go away from under us, which is all we really ever needed. Reported-and-tested-by: Tetsuo Handa Acked-by: Greg Kroah-Hartman Acked-by: Américo Wang Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 22240ab64b5c6e76b3aa011808111cc3aed0a1ff Author: Thomas Gleixner Date: Wed Feb 3 09:33:05 2010 +0100 futex: Handle futex value corruption gracefully commit 59647b6ac3050dd964bc556fe6ef22f4db5b935c upstream. The WARN_ON in lookup_pi_state which complains about a mismatch between pi_state->owner->pid and the pid which we retrieved from the user space futex is completely bogus. The code just emits the warning and then continues despite the fact that it detected an inconsistent state of the futex. A conveniant way for user space to spam the syslog. Replace the WARN_ON by a consistency check. If the values do not match return -EINVAL and let user space deal with the mess it created. This also fixes the missing task_pid_vnr() when we compare the pi_state->owner pid with the futex value. Reported-by: Jermome Marchand Signed-off-by: Thomas Gleixner Acked-by: Darren Hart Acked-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit c03d9d422d8dd3e8d2cd9e200e420bbaed5cb577 Author: Thomas Gleixner Date: Tue Feb 2 11:40:27 2010 +0100 futex: Handle user space corruption gracefully commit 51246bfd189064079c54421507236fd2723b18f3 upstream. If the owner of a PI futex dies we fix up the pi_state and set pi_state->owner to NULL. When a malicious or just sloppy programmed user space application sets the futex value to 0 e.g. by calling pthread_mutex_init(), then the futex can be acquired again. A new waiter manages to enqueue itself on the pi_state w/o damage, but on unlock the kernel dereferences pi_state->owner and oopses. Prevent this by checking pi_state->owner in the unlock path. If pi_state->owner is not current we know that user space manipulated the futex value. Ignore the mess and return -EINVAL. This catches the above case and also the case where a task hijacks the futex by setting the tid value and then tries to unlock it. Reported-by: Jermome Marchand Signed-off-by: Thomas Gleixner Acked-by: Darren Hart Acked-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 5f6af116c22817a6fe1999cc2d3925897af89086 Author: Mikael Pettersson Date: Sat Jan 23 22:36:29 2010 +0100 futex_lock_pi() key refcnt fix commit 5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc upstream. This fixes a futex key reference count bug in futex_lock_pi(), where a key's reference count is incremented twice but decremented only once, causing the backing object to not be released. If the futex is created in a temporary file in an ext3 file system, this bug causes the file's inode to become an "undead" orphan, which causes an oops from a BUG_ON() in ext3_put_super() when the file system is unmounted. glibc's test suite is known to trigger this, see . The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's 38d47c1b7075bd7ec3881141bb3629da58f88dab "[PATCH] futex: rely on get_user_pages() for shared futexes". That commit made get_futex_key() also increment the reference count of the futex key, and updated its callers to decrement the key's reference count before returning. Unfortunately the normal exit path in futex_lock_pi() wasn't corrected: the reference count is incremented by get_futex_key() and queue_lock(), but the normal exit path only decrements once, via unqueue_me_pi(). The fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31 this is easily done by 'goto out_put_key' rather than 'goto out'. Signed-off-by: Mikael Pettersson Acked-by: Peter Zijlstra Acked-by: Darren Hart Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 7313f5ad0cb1b501cbe67cf6c2dee018a2aa3321 Author: Linus Torvalds Date: Fri Feb 5 16:16:50 2010 -0800 Fix potential crash with sys_move_pages commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0 upstream. We incorrectly depended on the 'node_state/node_isset()' functions testing the node range, rather than checking it explicitly. That's not reliable, even if it might often happen to work. So do the proper explicit test. Reported-by: Marcus Meissner Acked-and-tested-by: Brice Goglin Acked-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman