commit 19f00f070c17584b5acaf186baf4d12a7d2ed125 Author: Greg Kroah-Hartman Date: Thu Apr 1 16:02:33 2010 -0700 Linux 2.6.33.2 commit 77aba144b01d97cd877dbbca15b1ba5b11192e5f Author: JosephChan@via.com.tw Date: Thu Mar 25 20:51:47 2010 +0800 pata_via: fix VT6410/6415/6330 detection issue commit bc8a67386fd462914269fa93446e1891955a8bb3 upstream. When using VT6410/6415/6330 chips on some VIA's platforms, the HDD connection to VT6410/6415/6330 cannot be detected. It is because the driver detects wrong via_isa_bridge ID, and then causes this issue to happen. Signed-off-by: Joseph Chan Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 8afdd016d273b1c2641e979fdaa28e96b6f9fb9c Author: Sachin Prabhu Date: Thu Mar 11 12:24:45 2010 -0500 GFS2: Skip check for mandatory locks when unlocking commit 720e7749279bde0d08684b1bb4e7a2eedeec6394 upstream. gfs2_lock() will skip locks on file which have mode set to 02666. This is a problem in cases where the mode of the file is changed after a process has obtained a lock on the file. Such a lock will be skipped and will result in a BUG in locks_remove_flock(). gfs2_lock() should skip the check for mandatory locks when unlocking a file. Signed-off-by: Sachin Prabhu Signed-off-by: Steven Whitehouse Signed-off-by: Greg Kroah-Hartman commit 993d82e3f2d2bd769b4b6246fa943d5ac71c46a2 Author: Thadeu Lima de Souza Cascardo Date: Tue Feb 9 17:37:27 2010 -0500 classmate-laptop: use a single MODULE_DEVICE_TABLE to get correct aliases commit 02e77a55f7b7e36888e39c62439fedb90ae4e808 upstream. Instead of a MODULE_DEVICE_TABLE for every acpi_driver ids table, we create a table containing all ids to export to get a module alias for each one. This will fix automatic loading of the driver when one of the ACPI devices is not present (like the accelerometer, which is not present in some models). Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Greg Kroah-Hartman commit 39ec71179f7c02f2a9c1b37b1132f2d091a9cf1c Author: Dimitri Sivanich Date: Mon Mar 1 11:48:15 2010 -0600 x86: Fix sched_clock_cpu for systems with unsynchronized TSC commit 14be1f7454ea96ee614467a49cf018a1a383b189 upstream. On UV systems, the TSC is not synchronized across blades. The sched_clock_cpu() function is returning values that can go backwards (I've seen as much as 8 seconds) when switching between cpus. As each cpu comes up, early_init_intel() will currently set the sched_clock_stable flag true. When mark_tsc_unstable() runs, it clears the flag, but this only occurs once (the first time a cpu comes up whose TSC is not synchronized with cpu 0). After this, early_init_intel() will set the flag again as the next cpu comes up. Only set sched_clock_stable if tsc has not been marked unstable. Signed-off-by: Dimitri Sivanich Acked-by: Venkatesh Pallipadi Acked-by: Peter Zijlstra LKML-Reference: <20100301174815.GC8224@sgi.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit cb81a2ace8bd4354cc40ff341543a9791719383c Author: Michael Buesch Date: Fri Mar 19 10:38:33 2010 -0500 b43: Workaround circular locking in hw-tkip key update callback commit 96869a39399269a776a94812e9fff3d38b47d838 upstream The TKIP key update callback is called from the RX path, where the driver mutex is already locked. This results in a circular locking bug. Avoid this by removing the lock. Johannes noted that there is a separate bug: The callback still breaks on SDIO hardware, because SDIO hardware access needs to sleep, but we are not allowed to sleep in the callback due to mac80211's RCU locking. Signed-off-by: Michael Buesch Tested-by: Larry Finger Reported-by: kecsa@kutfo.hit.bme.hu Cc: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cf724d19f2e56135927eadc1154940d3f42f9f0e Author: Andrei Emeltchenko Date: Fri Mar 19 10:26:28 2010 +0200 Bluetooth: Fix kernel crash on L2CAP stress tests commit c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 upstream. Added very simple check that req buffer has enough space to fit configuration parameters. Shall be enough to reject packets with configuration size more than req buffer. Crash trace below [ 6069.659393] Unable to handle kernel paging request at virtual address 02000205 [ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT ... [ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap] [ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap] ... [ 6070.030303] Backtrace: [ 6070.032806] [] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from [] (l2cap_recv_frame+0x1350/0x2e78 [l2cap]) [ 6070.043823] r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200 [ 6070.050659] [] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from [] (l2cap_recv_acldata+0x2bc/0x350 [l2cap]) [ 6070.061798] [] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from [] (hci_rx_task+0x244/0x478 [bluetooth]) [ 6070.072631] r6:dc647700 r5:00000001 r4:df2ab740 [ 6070.077362] [] (hci_rx_task+0x0/0x478 [bluetooth]) from [] (tasklet_action+0x78/0xd8) [ 6070.087005] [] (tasklet_action+0x0/0xd8) from [] Signed-off-by: Andrei Emeltchenko Acked-by: Gustavo F. Padovan Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit a318674438c789f5bf46a91cf24b5988b2091f16 Author: Marcel Holtmann Date: Mon Mar 15 14:12:58 2010 -0700 Bluetooth: Fix potential bad memory access with sysfs files commit 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 upstream. When creating a high number of Bluetooth sockets (L2CAP, SCO and RFCOMM) it is possible to scribble repeatedly on arbitrary pages of memory. Ensure that the content of these sysfs files is always less than one page. Even if this means truncating. The files in question are scheduled to be moved over to debugfs in the future anyway. Based on initial patches from Neil Brown and Linus Torvalds Reported-by: Neil Brown Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 3ecee16aa4617db7cb756ad01526d395dc86d95f Author: Tejun Heo Date: Tue Mar 16 09:50:26 2010 +0900 ahci: use BIOS date in broken_suspend list commit 9deb343189b3cf45e84dd08480f330575ffe2004 upstream. HP is recycling both DMI_PRODUCT_NAME and DMI_BIOS_VERSION making ahci_broken_suspend() trigger for later products which are not affected by the original problems. Match BIOS date instead of version and add references to bko's so that full information can be found easier later. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=15462 Signed-off-by: Tejun Heo Reported-by: tigerfishdaisy@gmail.com Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit e58bb78fcd092688765b18574ea4055c2509aee5 Author: Jan Kara Date: Tue Feb 9 18:20:39 2010 +0100 quota: Fix warning when a delayed write happens before quota is enabled commit 0a5a9c725512461d19397490f3adf29931dca1f2 upstream. If a delayed-allocation write happens before quota is enabled, the kernel spits out a warning: WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112() because the fact that user has some delayed allocation is not recorded in quota structure. Make dquot_initialize() update amount of reserved space for user if it sees inode has some space reserved. Also make sure that reserved quota space does not go negative and we warn about the filesystem bug just once. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 1f371c1a285e3dab9c6951cb9f4410c17bcb6ba1 Author: Dmitry Monakhov Date: Tue Feb 9 17:53:36 2010 +0100 quota: manage reserved space when quota is not active [v2] commit c469070aea5a0ada45a836937c776fd3083dae2b upstream. Since we implemented generic reserved space management interface, then it is possible to account reserved space even when quota is not active (similar to i_blocks/i_bytes). Without this patch following testcase result in massive comlain from WARN_ON in dquot_claim_space() TEST_CASE: mount /dev/sdb /mnt -oquota dd if=/dev/zero of=/mnt/test bs=1M count=1 quotaon /mnt # fs_reserved_spave == 1Mb # quota_reserved_space == 0, because quota was disabled dd if=/dev/zero of=/mnt/test seek=1 bs=1M count=1 # fs_reserved_spave == 2Mb # quota_reserved_space == 1Mb sync # ->dquot_claim_space() -> WARN_ON Signed-off-by: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit e3f1272e2083ee9cf0a21a405ff24b95c2423a97 Author: Eric Dumazet Date: Mon Mar 8 11:32:01 2010 -0800 tcp: Fix tcp_make_synack() [ Upstream commit 28b2774a0d5852236dab77a4147b8b88548110f1 ] Commit 4957faad (TCPCT part 1g: Responder Cookie => Initiator), part of TCP_COOKIE_TRANSACTION implementation, forgot to correctly size synack skb in case user data must be included. Many thanks to Mika Pentillä for spotting this error. Reported-by: Penttillä Mika Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f1783b77374b69b6b91123da581e939caa13b7d1 Author: Alexandra Kossovsky Date: Thu Mar 18 20:29:24 2010 -0700 tcp: Fix OOB POLLIN avoidance. [ Upstream commit b634f87522dff87712df8bda2a6c9061954d552a ] From: Alexandra.Kossovsky@oktetlabs.ru Fixes kernel bugzilla #15541 Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bc56fb554602a3b87c7e58bb910ddfb1e6b978bb Author: Lennart Schulte Date: Wed Mar 17 02:16:29 2010 +0000 tcp: Fix tcp_mark_head_lost() with packets == 0 [ Upstream commit 6830c25b7d08fbbd922959425193791bc42079f2 ] A packet is marked as lost in case packets == 0, although nothing should be done. This results in a too early retransmitted packet during recovery in some cases. This small patch fixes this issue by returning immediately. Signed-off-by: Lennart Schulte Signed-off-by: Arnd Hannemann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 089a124822a5c5a03480643c8265597d209ddee6 Author: Alexander Duyck Date: Tue Mar 23 20:40:50 2010 +0000 skbuff: remove unused dma_head & dma_maps fields [ Upstream commit 03e6d819c2cb2cc8ce5642669a0a7c72336ee7a2 ] The dma map fields in the skb_shared_info structure no longer has any users and can be dropped since it is making the skb_shared_info unecessarily larger. Running slabtop show that we were using 4K slabs for the skb->head on x86_64 w/ an allocation size of 1522. It turns out that the dma_head and dma_maps array made skb_shared large enough that we had crossed over the 2k boundary with standard frames and as such we were using 4k blocks of memory for all skbs. Signed-off-by: Alexander Duyck Signed-off-by: Jeff Kirsher Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a1c9d89a98cbbc52ead6c44bb0c31eaaa37c5770 Author: Eric Dumazet Date: Mon Mar 29 21:33:28 2010 -0700 net: Potential null skb->dev dereference [ Upstream commit 0641e4fbf2f824faee00ea74c459a088d94905fd ] When doing "ifenslave -d bond0 eth0", there is chance to get NULL dereference in netif_receive_skb(), because dev->master suddenly becomes NULL after we tested it. We should use ACCESS_ONCE() to avoid this (or rcu_dereference()) Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8c96206544955131f6d7cef09371950f34ebca5a Author: Neil Horman Date: Mon Mar 29 13:16:02 2010 -0700 r8169: offical fix for CVE-2009-4537 (overlength frame DMAs) [ Upstream commit c0cd884af045338476b8e69a61fceb3f34ff22f1 ] Official patch to fix the r8169 frame length check error. Based on this initial thread: http://marc.info/?l=linux-netdev&m=126202972828626&w=1 This is the official patch to fix the frame length problems in the r8169 driver. As noted in the previous thread, while this patch incurs a performance hit on the driver, its possible to improve performance dynamically by updating the mtu and rx_copybreak values at runtime to return performance to what it was for those NICS which are unaffected by the ideosyncracy (if there are any). Summary: A while back Eric submitted a patch for r8169 in which the proper allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too much data. This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4. A long time prior to that however, Francois posted 126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize setting due to the fact that the hardware behaved in odd ways when overlong frames were received on NIC's supported by this driver. This was mentioned in a security conference recently: http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html It seems that if we can't enable frame size filtering, then, as Eric correctly noticed, we can find ourselves DMA-ing too much data to a buffer, causing corruption. As a result is seems that we are forced to allocate a frame which is ready to handle a maximally sized receive. This obviously has performance issues with it, so to mitigate that issue, this patch does two things: 1) Raises the copybreak value to the frame allocation size, which should force appropriately sized packets to get allocated on rx, rather than a full new 16k buffer. 2) This patch only disables frame filtering initially (i.e., during the NIC open), changing the MTU results in ring buffer allocation of a size in relation to the new mtu (along with a warning indicating that this is dangerous). Because of item (2), individuals who can't cope with the performance hit (or can otherwise filter frames to prevent the bug), or who have hardware they are sure is unaffected by this issue, can manually lower the copybreak and reset the mtu such that performance is restored easily. Signed-off-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f8adc4007d65d74f68c8ee3cbd4a068fc415580c Author: Pablo Neira Ayuso Date: Tue Mar 16 13:30:44 2010 +0000 netlink: fix unaligned access in nla_get_be64() [ Upstream commit f5d410f2ea7ba340f11815a56e05b9fa9421c421 ] This patch fixes a unaligned access in nla_get_be64() that was introduced by myself in a17c859849402315613a0015ac8fbf101acf0cc1. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5dda8d1fc44f3ab37c0e5c8e980254b6703ef8b2 Author: Pablo Neira Ayuso Date: Mon Mar 29 21:28:23 2010 -0700 netfilter: ctnetlink: fix reliable event delivery if message building fails [ Upstream commit 37b7ef7203240b3aba577bb1ff6765fe15225976 ] This patch fixes a bug that allows to lose events when reliable event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR and NETLINK_RECV_NO_ENOBUFS socket options are set. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9e9b5dce350fd6f34c2c6b7440951481fb594a29 Author: Pablo Neira Ayuso Date: Thu Mar 18 14:24:42 2010 +0000 netlink: fix NETLINK_RECV_NO_ENOBUFS in netlink_set_err() [ Upstream commit 1a50307ba1826e4da0024e64b245ce4eadf7688a ] Currently, ENOBUFS errors are reported to the socket via netlink_set_err() even if NETLINK_RECV_NO_ENOBUFS is set. However, that should not happen. This fixes this problem and it changes the prototype of netlink_set_err() to return the number of sockets that have set the NETLINK_RECV_NO_ENOBUFS socket option. This return value is used in the next patch in these bugfix series. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7532d2c8a05ad49913e05716e96c3b402e1ca8ae Author: Steven J. Magnani Date: Tue Mar 16 05:22:44 2010 +0000 NET_DMA: free skbs periodically [ Upstream commit 73852e8151b7d7a529fbe019ab6d2d0c02d8f3f2 ] Under NET_DMA, data transfer can grind to a halt when userland issues a large read on a socket with a high RCVLOWAT (i.e., 512 KB for both). This appears to be because the NET_DMA design queues up lots of memcpy operations, but doesn't issue or wait for them (and thus free the associated skbs) until it is time for tcp_recvmesg() to return. The socket hangs when its TCP window goes to zero before enough data is available to satisfy the read. Periodically issue asynchronous memcpy operations, and free skbs for ones that have completed, to prevent sockets from going into zero-window mode. Signed-off-by: Steven J. Magnani Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9c93e9c757c7d3d96027a06b9b4c4e37ca87ded7 Author: YOSHIFUJI Hideaki / 吉藤英明 Date: Sun Mar 28 07:15:45 2010 +0000 ipv6: Don't drop cache route entry unless timer actually expired. [ Upstream commit 54c1a859efd9fd6cda05bc700315ba2519c14eba ] This is ipv6 variant of the commit 5e016cbf6.. ("ipv4: Don't drop redirected route cache entry unless PTMU actually expired") by Guenter Roeck . Remove cache route entry in ipv6_negative_advice() only if the timer is expired. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e9d2d8a8891b98d3217eb008ae9cd8b483e345e3 Author: Guenter Roeck Date: Sun Mar 21 20:55:13 2010 -0700 ipv4: Don't drop redirected route cache entry unless PTMU actually expired [ Upstream commit 5e016cbf6cffd4a53b7922e0c91b775399d7fe47 ] TCP sessions over IPv4 can get stuck if routers between endpoints do not fragment packets but implement PMTU instead, and we are using those routers because of an ICMP redirect. Setup is as follows MTU1 MTU2 MTU1 A--------B------C------D with MTU1 > MTU2. A and D are endpoints, B and C are routers. B and C implement PMTU and drop packets larger than MTU2 (for example because DF is set on all packets). TCP sessions are initiated between A and D. There is packet loss between A and D, causing frequent TCP retransmits. After the number of retransmits on a TCP session reaches tcp_retries1, tcp calls dst_negative_advice() prior to each retransmit. This results in route cache entries for the peer to be deleted in ipv4_negative_advice() if the Path MTU is set. If the outstanding data on an affected TCP session is larger than MTU2, packets sent from the endpoints will be dropped by B or C, and ICMP NEEDFRAG will be returned. A and D receive NEEDFRAG messages and update PMTU. Before the next retransmit, tcp will again call dst_negative_advice(), causing the route cache entry (with correct PMTU) to be deleted. The retransmitted packet will be larger than MTU2, causing it to be dropped again. This sequence repeats until the TCP session aborts or is terminated. Problem is fixed by removing redirected route cache entries in ipv4_negative_advice() only if the PMTU is expired. Signed-off-by: Guenter Roeck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0a8c3637ba3ae76b6454e4199f6e0a46282a5e8d Author: Timo Teräs Date: Thu Mar 18 23:20:20 2010 +0000 ipv4: check rt_genid in dst_check [ Upstream commit d11a4dc18bf41719c9f0d7ed494d295dd2973b92 ] Xfrm_dst keeps a reference to ipv4 rtable entries on each cached bundle. The only way to renew xfrm_dst when the underlying route has changed, is to implement dst_check for this. This is what ipv6 side does too. The problems started after 87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9 ("ipsec: Fix bogus bundle flowi") which fixed a bug causing xfrm_dst to not get reused, until that all lookups always generated new xfrm_dst with new route reference and path mtu worked. But after the fix, the old routes started to get reused even after they were expired causing pmtu to break (well it would occationally work if the rtable gc had run recently and marked the route obsolete causing dst_check to get called). Signed-off-by: Timo Teras Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9f24b75bf551b5f343159da229ce734da380431b Author: Herbert Xu Date: Tue Mar 2 02:51:56 2010 +0000 ipsec: Fix bogus bundle flowi [ Upstream commit 87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9 ] When I merged the bundle creation code, I introduced a bogus flowi value in the bundle. Instead of getting from the caller, it was instead set to the flow in the route object, which is totally different. The end result is that the bundles we created never match, and we instead end up with an ever growing bundle list. Thanks to Jamal for find this problem. Reported-by: Jamal Hadi Salim Signed-off-by: Herbert Xu Acked-by: Steffen Klassert Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 03017375b0122453e6dda833ff7bd4191915def5 Author: Timo Teräs Date: Sat Mar 20 02:27:58 2010 +0000 ip_gre: include route header_len in max_headroom calculation [ Upstream commit 243aad830e8a4cdda261626fbaeddde16b08d04a ] Taking route's header_len into account, and updating gre device needed_headroom will give better hints on upper bound of required headroom. This is useful if the gre traffic is xfrm'ed. Signed-off-by: Timo Teras Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8fc51479fb9f3b9b06e65ce266488bae55c2965a Author: David S. Miller Date: Mon Mar 15 15:23:30 2010 -0700 e100: Fix ring parameter change handling regression. [ Upstream commit 211a0d941b1924e667483f822a55e2cc694cd212 ] When the PCI pool changes were added to fix resume failures: commit 98468efddb101f8a29af974101c17ba513b07be1 e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failu and commit 70abc8cb90e679d8519721e2761d8366a18212a6 e100: Fix broken cbs accounting due to missing memset. This introduced a problem that can happen if the TX ring size is increased. We need to size the PCI pool using cbs->max instead of the default cbs->count value. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 45e74e6561f0da79a417be5424d2c1bf26ae79ba Author: Patrick McHardy Date: Sat Feb 27 02:52:05 2010 -0800 bonding: fix device leak on error in bond_create() [ Upstream commit 8d6184e4881b423522136aeb3ec1cbd9c35e8813 ] When the register_netdevice() call fails, the newly allocated device is not freed. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cb63112d399b25ce7e4a5d84065f342b978cd9a4 Author: Zhu Yi Date: Sun Mar 7 16:21:39 2010 +0000 net: add __must_check to sk_add_backlog [ Upstream commit 4045635318538d3ddd2007720412fdc4b08f6a62 ] Add the "__must_check" tag to sk_add_backlog() so that any failure to check and drop packets will be warned about. Signed-off-by: Zhu Yi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a12a9a26ff389892df27e2ff4cbf03e5b2ed0d64 Author: Zhu Yi Date: Thu Mar 4 18:01:47 2010 +0000 net: backlog functions rename [ Upstream commit a3a858ff18a72a8d388e31ab0d98f7e944841a62 ] sk_add_backlog -> __sk_add_backlog sk_add_backlog_limited -> sk_add_backlog Signed-off-by: Zhu Yi Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 51c5db4ddd330e96c9221392b1cf361ce1daa88c Author: Zhu Yi Date: Thu Mar 4 18:01:46 2010 +0000 x25: use limited socket backlog [ Upstream commit 2499849ee8f513e795b9f2c19a42d6356e4943a4 ] Make x25 adapt to the limited socket backlog change. Cc: Andrew Hendry Signed-off-by: Zhu Yi Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c531ab23d0b83b6018c5f137c4093771267f505b Author: Zhu Yi Date: Thu Mar 4 18:01:45 2010 +0000 tipc: use limited socket backlog [ Upstream commit 53eecb1be5ae499d399d2923933937a9ea1a284f ] Make tipc adapt to the limited socket backlog change. Cc: Jon Maloy Cc: Allan Stephens Signed-off-by: Zhu Yi Acked-by: Eric Dumazet Acked-by: Allan Stephens Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 37d60aa805fad7d4edd06612569fbbe365a5bb20 Author: Zhu Yi Date: Thu Mar 4 18:01:44 2010 +0000 sctp: use limited socket backlog [ Upstream commit 50b1a782f845140f4138f14a1ce8a4a6dd0cc82f ] Make sctp adapt to the limited socket backlog change. Cc: Vlad Yasevich Cc: Sridhar Samudrala Signed-off-by: Zhu Yi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9b3d968b35b5bca4260c429545e16813febfebfe Author: Zhu Yi Date: Thu Mar 4 18:01:43 2010 +0000 llc: use limited socket backlog [ Upstream commit 79545b681961d7001c1f4c3eb9ffb87bed4485db ] Make llc adapt to the limited socket backlog change. Cc: Arnaldo Carvalho de Melo Signed-off-by: Zhu Yi Acked-by: Eric Dumazet Acked-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 230401ee7e13ca89e15b64ddd1e8514a016a627e Author: Zhu Yi Date: Thu Mar 4 18:01:42 2010 +0000 udp: use limited socket backlog [ Upstream commit 55349790d7cbf0d381873a7ece1dcafcffd4aaa9 ] Make udp adapt to the limited socket backlog change. Cc: "David S. Miller" Cc: Alexey Kuznetsov Cc: "Pekka Savola (ipv6)" Cc: Patrick McHardy Signed-off-by: Zhu Yi Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 20a92ecc4bfd6c5c0b5a71296a7b89aa53cf49e3 Author: Zhu Yi Date: Thu Mar 4 18:01:41 2010 +0000 tcp: use limited socket backlog [ Upstream commit 6b03a53a5ab7ccf2d5d69f96cf1c739c4d2a8fb9 ] Make tcp adapt to the limited socket backlog change. Cc: "David S. Miller" Cc: Alexey Kuznetsov Cc: "Pekka Savola (ipv6)" Cc: Patrick McHardy Signed-off-by: Zhu Yi Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ab9dd052e4d0c4d281ceec0b7e410e229beb6fb2 Author: Zhu Yi Date: Thu Mar 4 18:01:40 2010 +0000 net: add limit for socket backlog [ Upstream commit 8eae939f1400326b06d0c9afe53d2a484a326871 ] We got system OOM while running some UDP netperf testing on the loopback device. The case is multiple senders sent stream UDP packets to a single receiver via loopback on local host. Of course, the receiver is not able to handle all the packets in time. But we surprisingly found that these packets were not discarded due to the receiver's sk->sk_rcvbuf limit. Instead, they are kept queuing to sk->sk_backlog and finally ate up all the memory. We believe this is a secure hole that a none privileged user can crash the system. The root cause for this problem is, when the receiver is doing __release_sock() (i.e. after userspace recv, kernel udp_recvmsg -> skb_free_datagram_locked -> release_sock), it moves skbs from backlog to sk_receive_queue with the softirq enabled. In the above case, multiple busy senders will almost make it an endless loop. The skbs in the backlog end up eat all the system memory. The issue is not only for UDP. Any protocols using socket backlog is potentially affected. The patch adds limit for socket backlog so that the backlog size cannot be expanded endlessly. Reported-by: Alex Shi Cc: David Miller Cc: Arnaldo Carvalho de Melo Cc: Alexey Kuznetsov Cc: "Pekka Savola (ipv6)" Cc: Patrick McHardy Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Jon Maloy Cc: Allan Stephens Cc: Andrew Hendry Signed-off-by: Zhu Yi Signed-off-by: Eric Dumazet Acked-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b4aedbe935216fd8db97163b0e6dba6036391bcf Author: Vitaliy Gusev Date: Tue Mar 16 01:07:51 2010 +0000 route: Fix caught BUG_ON during rt_secret_rebuild_oneshot() [ Upstream commit 858a18a6a2f74e8f0e5b2e9671d4b74694aba708 ] route: Fix caught BUG_ON during rt_secret_rebuild_oneshot() Call rt_secret_rebuild can cause BUG_ON(timer_pending(&net->ipv4.rt_secret_timer)) in add_timer as there is not any synchronization for call rt_secret_rebuild_oneshot() for the same net namespace. Also this issue affects to rt_secret_reschedule(). Thus use mod_timer enstead. Signed-off-by: Vitaliy Gusev Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3a8010e6225a3548e9921d986a53ae93bda433fa Author: James Chapman Date: Tue Mar 16 06:29:20 2010 +0000 l2tp: Fix UDP socket reference count bugs in the pppol2tp driver [ Upstream commit c3259c8a7060d480e8eb2166da0a99d6879146b4 ] This patch fixes UDP socket refcnt bugs in the pppol2tp driver. A bug can cause a kernel stack trace when a tunnel socket is closed. A way to reproduce the issue is to prepare the UDP socket for L2TP (by opening a tunnel pppol2tp socket) and then close it before any L2TP sessions are added to it. The sequence is Create UDP socket Create tunnel pppol2tp socket to prepare UDP socket for L2TP pppol2tp_connect: session_id=0, peer_session_id=0 L2TP SCCRP control frame received (tunnel_id==0) pppol2tp_recv_core: sock_hold() pppol2tp_recv_core: sock_put L2TP ZLB control frame received (tunnel_id=nnn) pppol2tp_recv_core: sock_hold() pppol2tp_recv_core: sock_put Close tunnel management socket pppol2tp_release: session_id=0, peer_session_id=0 Close UDP socket udp_lib_close: BUG The addition of sock_hold() in pppol2tp_connect() solves the problem. For data frames, two sock_put() calls were added to plug a refcnt leak per received data frame. The ref that is grabbed at the top of pppol2tp_recv_core() must always be released, but this wasn't done for accepted data frames or data frames discarded because of bad UDP checksums. This leak meant that any UDP socket that had passed L2TP data traffic (i.e. L2TP data frames, not just L2TP control frames) using pppol2tp would not be released by the kernel. WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120() Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8 Call Trace: [] ? udp_lib_unhash+0x117/0x120 [] ? warn_slowpath_common+0x71/0xd0 [] ? udp_lib_unhash+0x117/0x120 [] ? warn_slowpath_null+0x13/0x20 [] ? udp_lib_unhash+0x117/0x120 [] ? sk_common_release+0x17/0x90 [] ? inet_release+0x33/0x60 [] ? sock_release+0x10/0x60 [] ? sock_close+0xf/0x30 [] ? __fput+0x52/0x150 [] ? filp_close+0x3e/0x70 [] ? put_files_struct+0x62/0xb0 [] ? do_exit+0x5e7/0x650 [] ? mntput_no_expire+0x13/0x70 [] ? filp_close+0x3e/0x70 [] ? do_group_exit+0x2a/0x70 [] ? sys_exit_group+0x11/0x20 [] ? sysenter_do_call+0x12/0x26 Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e76f69dbee1d94e88a47c7d811c17647d0326ab3 Author: James Chapman Date: Tue Mar 16 06:46:31 2010 +0000 l2tp: Fix oops in pppol2tp_xmit [ Upstream commit 3feec9095d12e311b7d4eb7fe7e5dfa75d4a72a5 ] When transmitting L2TP frames, we derive the outgoing interface's UDP checksum hardware assist capabilities from the tunnel dst dev. This can sometimes be NULL, especially when routing protocols are used and routing changes occur. This patch just checks for NULL dst or dev pointers when checking for netdev hardware assist features. BUG: unable to handle kernel NULL pointer dereference at 0000000c IP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp] *pde = 00000000 Oops: 0000 [#1] SMP last sysfs file: /sys/class/net/lo/operstate Modules linked in: pppol2tp pppox ppp_generic slhc ipv6 dummy loop snd_hda_codec_atihdmi snd_hda_intel snd_hda_codec snd_pcm snd_timer snd soundcore snd_page_alloc evdev psmouse serio_raw processor button i2c_piix4 i2c_core ati_agp agpgart pcspkr ext3 jbd mbcache sd_mod ide_pci_generic atiixp ide_core ahci ata_generic floppy ehci_hcd ohci_hcd libata e1000e scsi_mod usbcore nls_base thermal fan thermal_sys [last unloaded: scsi_wait_scan] Pid: 0, comm: swapper Not tainted (2.6.32.8 #1) EIP: 0060:[] EFLAGS: 00010297 CPU: 3 EIP is at pppol2tp_xmit+0x341/0x4da [pppol2tp] EAX: 00000000 EBX: f64d1680 ECX: 000005b9 EDX: 00000000 ESI: f6b91850 EDI: f64d16ac EBP: f6a0c4c0 ESP: f70a9cac DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 Process swapper (pid: 0, ti=f70a8000 task=f70a31c0 task.ti=f70a8000) Stack: 000005a9 000005b9 f734c400 f66652c0 f7352e00 f67dc800 00000000 f6b91800 <0> 000005a3 f70ef6c4 f67dcda9 000005a3 f89b192e 00000246 000005a3 f64d1680 <0> f63633e0 f6363320 f64d1680 f65a7320 f65a7364 f65856c0 f64d1680 f679f02f Call Trace: [] ? ppp_push+0x459/0x50e [ppp_generic] [] ? ppp_xmit_process+0x3b6/0x430 [ppp_generic] [] ? ppp_start_xmit+0x10d/0x120 [ppp_generic] [] ? dev_hard_start_xmit+0x21f/0x2b2 [] ? sch_direct_xmit+0x48/0x10e [] ? dev_queue_xmit+0x263/0x3a6 [] ? ip_finish_output+0x1f7/0x221 [] ? ip_forward_finish+0x2e/0x30 [] ? ip_rcv_finish+0x295/0x2a9 [] ? netif_receive_skb+0x3e9/0x404 [] ? e1000_clean_rx_irq+0x253/0x2fc [e1000e] [] ? e1000_clean+0x63/0x1fc [e1000e] [] ? sched_clock_local+0x15/0x11b [] ? net_rx_action+0x96/0x195 [] ? __do_softirq+0xaa/0x151 [] ? do_softirq+0x31/0x3c [] ? irq_exit+0x26/0x58 [] ? do_IRQ+0x78/0x89 [] ? common_interrupt+0x29/0x30 [] ? native_safe_halt+0x2/0x3 [] ? default_idle+0x55/0x75 [] ? c1e_idle+0xd2/0xd5 [] ? cpu_idle+0x46/0x62 Code: 8d 45 08 f0 ff 45 08 89 6b 08 c7 43 68 7e fb 9c f8 8a 45 24 83 e0 0c 3c 04 75 09 80 63 64 f3 e9 b4 00 00 00 8b 43 18 8b 4c 24 04 <8b> 40 0c 8d 79 11 f6 40 44 0e 8a 43 64 75 51 6a 00 8b 4c 24 08 EIP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp] SS:ESP 0068:f70a9cac CR2: 000000000000000c Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6bd0d3167304e1d07486d716360695451f2bc94e Author: David S. Miller Date: Mon Mar 29 22:18:29 2010 -0700 sparc64: Add very basic XVR-1000 framebuffer driver. [ Upstream commits 2d378b9179881b46a0faf11430efb421fe03ddd8 and f04e879bf296d136bcafd8c5a26e95599b141671 ] Signed-off-by: David S. Miller Acked-by: Frans van Berckel Signed-off-by: Greg Kroah-Hartman commit 21d2d1625659561fc871f03f646ed8c2ca12712f Author: David S. Miller Date: Mon Mar 29 13:08:52 2010 -0700 sparc64: Properly truncate pt_regs framepointer in perf callback. [ Upstream commit 9e8307ecaf9f8c8b5b3b22145021204c4e73114a ] For 32-bit processes, we save the full 64-bits of the regs in pt_regs. But unlike when the userspace actually does load and store instructions, the top 32-bits don't get automatically truncated by the cpu in kernel mode (because the kernel doesn't execute with PSTATE_AM address masking enabled). So we have to do it by hand. Reported-by: Frederic Weisbecker Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 09fa864403fb99f753588e5e656b5691e97a0dfb Author: Meelis Roos Date: Mon Mar 8 10:53:08 2010 -0800 qlogicpti: Remove slash in QlogicPTI irq name [ Upstream commit 77d3926306bf4eecac50150ba5625797219f14ba ] qlogicpti driver registers its irq with a name containing slash. This results in [ 71.049735] WARNING: at fs/proc/generic.c:316 __xlate_proc_name+0xa8/0xb8() [ 71.132815] name 'Qlogic/PTI' because proc_mkdir with the name of the irq fails. Fix it by just removing the slash from irq name. Discovered and tested on real hardware (Sun Ultra 1). Signed-off-by: Meelis Roos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6eed9bde53b580fdf16f77f483e8788912a7e9b3 Author: Russell King Date: Sun Jan 3 12:35:42 2010 +0000 ide: Fix Promise UDMA33 IDE driver (pdc202xx_old) [ Upstream commit c3be57b6f35ef96a980ce84e59d6a5a8ca6184ad ] On Sun, Jan 03, 2010 at 12:23:14AM +0000, Russell King wrote: > - with IDE > - locks the interrupt line, and makes the machine extremely painful - > about an hour to get to the point of being able to unload the > pdc202xx_old module. Having manually bisected kernel versions, I've narrowed it down to some change between 2.6.30 and 2.6.31. There's not much which has changed between the two kernels, but one change stands out like a sore thumb: +static int pdc202xx_test_irq(ide_hwif_t *hwif) +{ + struct pci_dev *dev = to_pci_dev(hwif->dev); + unsigned long high_16 = pci_resource_start(dev, 4); + u8 sc1d = inb(high_16 + 0x1d); + + if (hwif->channel) { + /* + * bit 7: error, bit 6: interrupting, + * bit 5: FIFO full, bit 4: FIFO empty + */ + return ((sc1d & 0x50) == 0x40) ? 1 : 0; + } else { + /* + * bit 3: error, bit 2: interrupting, + * bit 1: FIFO full, bit 0: FIFO empty + */ + return ((sc1d & 0x05) == 0x04) ? 1 : 0; + } +} Reading the (documented as a 32-bit) system control register when the interface is idle gives: 0x01da110c So, the byte at 0x1d is 0x11, which is documented as meaning that the primary and secondary FIFOs are empty. The code above, which is trying to see whether an IRQ is pending, checks for the IRQ bit to be one, and the FIFO bit to be zero - or in English, to be non-empty. Since during a BM-DMA read, the FIFOs will naturally be drained to the PCI bus, the chance of us getting to the interface before this happens are extremely small - and if we don't, it means we decide not to service the interrupt. Hence, the screaming interrupt problem with drivers/ide. Fix this by only indicating an interrupt is ready if both the interrupt and FIFO empty bits are at '1'. This bug only affects PDC20246/PDC20247 (Promise Ultra33) based cards, and has been tested on 2.6.31 and 2.6.33-rc2. Signed-off-by: Russell King Tested-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 59c91fd71f6815e40eed9e5c51fafd912b45520d Author: David S. Miller Date: Sun Mar 28 18:58:28 2010 -0700 Revert "ide: skip probe if there are no devices on the port (v2)" [ Upstream commit 9ce41aed0d392246eb788786253f242e829fd5e1 ] This reverts commit a20b2a44eca52818ef52a94959480b7e6ea2f528. As requested by David Fries. This makes CDROMs which are slave drives on a ribbon without a master disappear and causes other similar kinds of badness. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88c97de28a502ea3b15a04c643a3e1ea66655f90 Author: Bartlomiej Zolnierkiewicz Date: Tue Jan 5 07:07:27 2010 +0000 icside: bring back ->maskproc method [ Upstream commit f75d4a238770d83d3a0475ce7f34e3fa37de161e ] Bring back ->maskproc method since it is still needed for proper operation, as noticed by Russell King: > This change is bogus. > > writeb(0, base + ICS_ARCIN_V6_INTROFFSET_1); > readb(base + ICS_ARCIN_V6_INTROFFSET_2); > > writeb(0, base + ICS_ARCIN_V6_INTROFFSET_2); > readb(base + ICS_ARCIN_V6_INTROFFSET_1); > > This sequence of code does: > > 1. enable interrupt 1 > 2. disable interrupt 2 > 3. enable interrupt 2 > 4. disable interrupt 1 > > which results in the interrupt for the second channel being enabled - > leaving channel 1 blocked. > > Firstly, icside shares its two IDE channels with one DMA engine - so it's > a simplex interface. IDE supports those (or did when the code was written) > serializing requests between the two interfaces. libata does not. > > Secondly, the interrupt lines on icside float when there's no drive connected > or when the drive has its NIEN bit set, which means that you get spurious > screaming interrupts which can kill off all expansion card interrupts on > the machine unless you disable the channel interrupt on the card. > > Since libata can not serialize the operation of the two channels like IDE > can, the libata version of the icside driver does not contain the interrupt > stearing logic. Instead, it looks at the status after reset, and if > nothing was found on that channel, it masks the interrupt from that > channel. This patch reverts changes done in commit dff8817 (I became confused due to non-standard & undocumented ->maskproc method, anyway sorry about that). Noticed-by: Russell King Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5eeb7b28921a88b6f8de786f34178345626b051e Author: Anton Vorontsov Date: Thu Mar 11 13:58:47 2010 -0800 leds-gpio: fix default state handling on OF platforms commit 0493a4ff10959ff4c8e0d65efee25b7ffd4fa5db upstream. The driver wrongly sets default state for LEDs that don't specify default-state property. Currently the driver handles default state this way: memset(&led, 0, sizeof(led)); for_each_child_of_node(np, child) { state = of_get_property(child, "default-state", NULL); if (state) { if (!strcmp(state, "keep")) led.default_state = LEDS_GPIO_DEFSTATE_KEEP; ... } ret = create_gpio_led(&led, ...); } Which means that all LEDs that do not specify default-state will inherit the last value of the default-state property, which is wrong. This patch fixes the issue by moving LED's template initialization into the loop body. Signed-off-by: Anton Vorontsov Signed-off-by: Andrew Morton Signed-off-by: Richard Purdie Signed-off-by: Greg Kroah-Hartman commit e6ebbf99c171ca872ec1eb546230cb8a42873494 Author: Vivek Natarajan Date: Thu Mar 11 13:03:01 2010 -0800 ath9k: Enable IEEE80211_HW_REPORTS_TX_ACK_STATUS flag for ath9k commit 05df49865be08b30e7ba91b9d3d94d7d52dd3033 upstream. Signed-off-by: Vivek Natarajan Signed-off-by: John W. Linville Signed-off-by: Luis R. Rodriguez Signed-off-by: Greg Kroah-Hartman commit 03d0e14875e0f4151ec039125c15ca46e056b914 Author: Vivek Natarajan Date: Thu Mar 11 12:59:53 2010 -0800 mac80211: Retry null data frame for power save commit 375177bf35efc08e1bd37bbda4cc0c8cc4db8500 upstream. Even if the null data frame is not acked by the AP, mac80211 goes into power save. This might lead to loss of frames from the AP. Prevent this by restarting dynamic_ps_timer when ack is not received for null data frames. Cc: Johannes Berg Signed-off-by: Vivek Natarajan Signed-off-by: John W. Linville Signed-off-by: Luis R. Rodriguez Signed-off-by: Greg Kroah-Hartman commit 7c74e3f2e97f7bdcb56b72919201af941ea0b4e6 Author: Senthil Balasubramanian Date: Wed Feb 3 22:50:18 2010 +0530 ath9k: configure the beacon only if the STA is associated commit 1a20034a73a40b8056731f9db0c535cec2961eb7 upstream. beacons configuration SHOULD be done only if the STA is associated. Signed-off-by: Senthil Balasubramanian Signed-off-by: John W. Linville Signed-off-by: Luis R. Rodriguez Signed-off-by: Greg Kroah-Hartman commit eb4265ff035b929a44fe58b8f2fd09a45e7fea07 Author: Senthil Balasubramanian Date: Thu Mar 11 12:10:12 2010 -0800 ath9k: Enable TIM timer interrupt only when needed. commit 3f7c5c10e9dc6bf90179eb9f7c06151d508fb324 upstream. The TIM timer interrupt is enabled even before the ACK of nullqos is received which is unnecessary. Also clean up the CONF_PS part of config callback properly for better readability. Signed-off-by: Senthil Balasubramanian Signed-off-by: John W. Linville Signed-off-by: Luis R. Rodriguez Signed-off-by: Greg Kroah-Hartman commit 8427ce07d4df285b8b4b85496abf7913b4b4839e Author: Daniel T Chen Date: Thu Mar 25 22:38:15 2010 -0700 ALSA: ac97: Add IBM ThinkPad R40e to Headphone/Line Jack Sense blacklist commit e1f7f02b45cf33a774d56e505ce1718af9392f5e upstream. BugLink: https://launchpad.net/bugs/303789 This model needs both 'Headphone Jack Sense' and 'Line Jack Sense' muted for audible audio, so just add its SSID to the blacklist and don't enumerate the controls. Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4e6ec71b335af37b84a5f624bcb2f70fe3b197bf Author: Daniel Chen Date: Sun Mar 28 13:32:34 2010 -0700 ALSA: ac97: Add Toshiba P500 to ac97 jack sense blacklist commit 5cd165e7057020884e430941c24454d3df9a799d upstream. BugLink: https://launchpad.net/bugs/481058 The OR has verified that both 'Headphone Jack Sense' and 'Line Jack Sense' need to be muted for sound to be audible, so just add the machine's SSID to the ac97 jack sense blacklist. Reported-by: Richard Gagne Tested-by: Richard Gagne Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cb74427cce590e5ab24962475f39cb4f159375d3 Author: Daniel T Chen Date: Sun Mar 28 02:34:40 2010 -0400 ALSA: hda: Use LPIB for ga-ma770-ud3 board commit 9ec8ddad59fadd8021adfea4cb716a49b0e232e9 upstream. BugLink: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575669 The OR states that position_fix=1 is necessary to work around glitching during volume adjustments using PulseAudio. Reported-by: Carlos Laviola Tested-by: Carlos Laviola Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7bb70976cdb2e926842a2e3897f47b36c5ccc3d1 Author: Dean Nelson Date: Mon Mar 29 22:03:00 2010 +0200 hwmon: (coretemp) Add missing newline to dev_warn() message commit 4d7a5644e4adfafe76c2bd8ee168e3f3b5dae3a8 upstream. Add missing newline to dev_warn() message string. This is more of an issue with older kernels that don't automatically add a newline if it was missing from the end of the previous line. Signed-off-by: Dean Nelson Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit b89725179b5fc5ea585930420c7df568de0a97be Author: Andreas Herrmann Date: Fri Mar 19 12:09:22 2010 +0100 x86, amd: Restrict usage of c1e_idle() commit 035a02c1e1de31888e8b6adac0ff667971ac04db upstream. Currently c1e_idle returns true for all CPUs greater than or equal to family 0xf model 0x40. This covers too many CPUs. Meanwhile a respective erratum for the underlying problem was filed (#400). This patch adds the logic to check whether erratum #400 applies to a given CPU. Especially for CPUs where SMI/HW triggered C1e is not supported, c1e_idle() doesn't need to be used. We can check this by looking at the respective OSVW bit for erratum #400. Signed-off-by: Andreas Herrmann LKML-Reference: <20100319110922.GA19614@alberich.amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 9fcb3fd97bccf736945cccdd74005d64be9602e1 Author: Jan Beulich Date: Mon Mar 15 10:11:15 2010 +0000 x86: Fix placement of FIX_OHCI1394_BASE commit ff30a0543e9a6cd732582063e7cae951cdb7acf2 upstream. Ever for 32-bit with sufficiently high NR_CPUS, and starting with commit 789d03f584484af85dbdc64935270c8e45f36ef7 also for 64-bit, the statically allocated early fixmap page tables were not covering FIX_OHCI1394_BASE, leading to a boot time crash when "ohci1394_dma=early" was used. Despite this entry not being a permanently used one, it needs to be moved into the permanent range since it has to be close to FIX_DBGP_BASE and FIX_EARLYCON_MEM_BASE. Reported-bisected-and-tested-by: Justin P. Mattock Fixes-bug: http://bugzilla.kernel.org/show_bug.cgi?id=14487 Signed-off-by: Jan Beulich LKML-Reference: <4B9E15D30200007800034D23@vpn.id2.novell.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 96235004a8f9ecdd1a9dd0d8fc3fd63033e7bfbc Author: Patrick McHardy Date: Mon Mar 22 18:25:20 2010 +0100 netfilter: xt_recent: fix regression in rules using a zero hit_count commit ef1691504c83ba3eb636c0cfd3ed33f7a6d0b4ee upstream. Commit 8ccb92ad (netfilter: xt_recent: fix false match) fixed supposedly false matches in rules using a zero hit_count. As it turns out there is nothing false about these matches and people are actually using entries with a hit_count of zero to make rules dependant on addresses inserted manually through /proc. Since this slipped past the eyes of three reviewers, instead of reverting the commit in question, this patch explicitly checks for a hit_count of zero to make the intentions more clear. Reported-by: Thomas Jarosch Tested-by: Thomas Jarosch Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 8209107cefb38f24571da7e806422709bd5e47af Author: Ben Skeggs Date: Thu Feb 25 12:12:09 2010 +1000 drm/nouveau: report unknown connector state if lid closed commit b30083bdb990bcc2829fce83d871a86059ff4fc1 upstream. This is in preference to disconnected. If there's no other outputs connected this will cause LVDS to be programmed even with the lid closed rather than having X fail to start because of no available outputs. Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 67c538878517bc45d1ac523fde97c8b12e180754 Author: Chris Wilson Date: Fri Mar 12 19:52:55 2010 +0000 drm/i915: Avoid NULL deref in get_pages() unwind after error. commit 1f2b10131f83f7caa67bf1273cec126b4283015d upstream. Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=15527 NULL pointer dereference in i915_gem_object_save_bit_17_swizzle BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] i915_gem_object_save_bit_17_swizzle+0x5b/0xc0 [i915] Call Trace: [] ? i915_gem_object_put_pages+0x125/0x150 [i915] [] ? i915_gem_object_get_pages+0xf1/0x110 [i915] [] ? i915_gem_object_bind_to_gtt+0xb8/0x2a0 [i915] [] ? drm_mm_get_block_generic+0x4d/0x180 [] ? i915_gem_mmap_gtt_ioctl+0x16d/0x240 [i915] [] ? i915_gem_madvise_ioctl+0x86/0x120 [i915] Signed-off-by: Chris Wilson Reported-by: maciej.rutecki@gmail.com Cc: stable@kernel.org Reviewed-by: Eric Anholt Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 211dfa81845fb609e91816791df78d60426777c0 Author: Dan Carpenter Date: Sat Mar 6 14:05:39 2010 +0300 drm/i915: fix small leak on overlay error path commit 915a428e43acfd05e4ffeaf40549b0cf163eebe2 upstream. We should free "params" before returning. Signed-off-by: Dan Carpenter Reviewed-by: Daniel Vetter Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit f6146e2078dfefc3518cf424aaa4ace9dcb1465a Author: Colin Ian King Date: Fri Mar 19 10:28:02 2010 +0000 softlockup: Stop spurious softlockup messages due to overflow commit 8c2eb4805d422bdbf60ba00ff233c794d23c3c00 upstream. Ensure additions on touch_ts do not overflow. This can occur when the top 32 bits of the TSC reach 0xffffffff causing additions to touch_ts to overflow and this in turn generates spurious softlockup warnings. Signed-off-by: Colin Ian King Cc: Peter Zijlstra Cc: Eric Dumazet LKML-Reference: <1268994482.1798.6.camel@lenovo> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 933c45323f9767493143829debff08f4d6988562 Author: Thomas Gleixner Date: Tue Mar 9 19:45:54 2010 +0100 genirq: Prevent oneshot irq thread race commit 0b1adaa031a55e44f5dd942f234bf09d28e8a0d6 upstream. Lars-Peter pointed out that the oneshot threaded interrupt handler code has the following race: CPU0 CPU1 hande_level_irq(irq X) mask_ack_irq(irq X) handle_IRQ_event(irq X) wake_up(thread_handler) thread handler(irq X) runs finalize_oneshot(irq X) does not unmask due to !(desc->status & IRQ_MASKED) return from irq does not unmask due to (desc->status & IRQ_ONESHOT) This leaves the interrupt line masked forever. The reason for this is the inconsistent handling of the IRQ_MASKED flag. Instead of setting it in the mask function the oneshot support sets the flag after waking up the irq thread. The solution for this is to set/clear the IRQ_MASKED status whenever we mask/unmask an interrupt line. That's the easy part, but that cleanup opens another race: CPU0 CPU1 hande_level_irq(irq) mask_ack_irq(irq) handle_IRQ_event(irq) wake_up(thread_handler) thread handler(irq) runs finalize_oneshot_irq(irq) unmask(irq) irq triggers again handle_level_irq(irq) mask_ack_irq(irq) return from irq due to IRQ_INPROGRESS return from irq does not unmask due to (desc->status & IRQ_ONESHOT) This requires that we synchronize finalize_oneshot_irq() with the primary handler. If IRQ_INPROGESS is set we wait until the primary handler on the other CPU has returned before unmasking the interrupt line again. We probably have never seen that problem because it does not happen on UP and on SMP the irqbalancer protects us by pinning the primary handler and the thread to the same CPU. Reported-by: Lars-Peter Clausen Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit d664e4acfdfedb7483d383c1198552299a0114c0 Author: Ryusuke Konishi Date: Mon Mar 22 21:36:06 2010 +0900 nilfs2: fix hang-up of cleaner after log writer returned with error commit 110d735a0ae69bdd11af9acb6ea3b979137eb118 upstream. According to the report from Andreas Beckmann (Message-ID: <4BA54677.3090902@abeckmann.de>), nilfs in 2.6.33 kernel got stuck after a disk full error. This turned out to be a regression by log writer updates merged at kernel 2.6.33. nilfs_segctor_abort_construction, which is a cleanup function for erroneous cases, was skipping writeback completion for some logs. This fixes the bug and would resolve the hang issue. Reported-by: Andreas Beckmann Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit 8147bcf0da9a74b7dbec29bb3e489967f91f3c94 Author: Miao Xie Date: Tue Mar 23 13:35:34 2010 -0700 cpuset: fix the problem that cpuset_mem_spread_node() returns an offline node commit 5ab116c9349ef52d6fbd2e2917a53f13194b048e upstream. cpuset_mem_spread_node() returns an offline node, and causes an oops. This patch fixes it by initializing task->mems_allowed to node_states[N_HIGH_MEMORY], and updating task->mems_allowed when doing memory hotplug. Signed-off-by: Miao Xie Acked-by: David Rientjes Reported-by: Nick Piggin Tested-by: Nick Piggin Cc: Paul Menage Cc: Li Zefan Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c439578e379c3ffe8ffe4669f2e2af7ecfca74f1 Author: Felix Fietkau Date: Fri Mar 12 04:02:43 2010 +0100 ath9k: fix BUG_ON triggered by PAE frames commit 4fdec031b9169b3c17938b9c4168f099f457169c upstream. When I initially stumbled upon sequence number problems with PAE frames in ath9k, I submitted a patch to remove all special cases for PAE frames and let them go through the normal transmit path. Out of concern about crypto incompatibility issues, this change was merged instead: commit 6c8afef551fef87a3bf24f8a74c69a7f2f72fc82 Author: Sujith Date: Tue Feb 9 10:07:00 2010 +0530 ath9k: Fix sequence numbers for PAE frames After a lot of testing, I'm able to reliably trigger a driver crash on rekeying with current versions with this change in place. It seems that the driver does not support sending out regular MPDUs with the same TID while an A-MPDU session is active. This leads to duplicate entries in the TID Tx buffer, which hits the following BUG_ON in ath_tx_addto_baw(): index = ATH_BA_INDEX(tid->seq_start, bf->bf_seqno); cindex = (tid->baw_head + index) & (ATH_TID_MAX_BUFS - 1); BUG_ON(tid->tx_buf[cindex] != NULL); I believe until we actually have a reproducible case of an incompatibility with another AP using no PAE special cases, we should simply get rid of this mess. This patch completely fixes my crash issues in STA mode and makes it stay connected without throughput drops or connectivity issues even when the AP is configured to a very short group rekey interval. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ba057554f2c5bfe985d50965a2311b3c13dd6496 Author: Dean Nelson Date: Tue Mar 9 22:26:55 2010 -0500 PCI: cleanup error return for pcix get and set mmrbc functions commit 7c9e2b1c4784c6e574f69dbd904b2822f2e04d6e upstream. pcix_get_mmrbc() returns the maximum memory read byte count (mmrbc), if successful, or an appropriate error value, if not. Distinguishing errors from correct values and understanding the meaning of an error can be somewhat confusing in that: correct values: 512, 1024, 2048, 4096 errors: -EINVAL -22 PCIBIOS_FUNC_NOT_SUPPORTED 0x81 PCIBIOS_BAD_VENDOR_ID 0x83 PCIBIOS_DEVICE_NOT_FOUND 0x86 PCIBIOS_BAD_REGISTER_NUMBER 0x87 PCIBIOS_SET_FAILED 0x88 PCIBIOS_BUFFER_TOO_SMALL 0x89 The PCIBIOS_ errors are returned from the PCI functions generated by the PCI_OP_READ() and PCI_OP_WRITE() macros. In a similar manner, pcix_set_mmrbc() also returns the PCIBIOS_ error values returned from pci_read_config_[word|dword]() and pci_write_config_word(). Following pcix_get_max_mmrbc()'s example, the following patch simply returns -EINVAL for all PCIBIOS_ errors encountered by pcix_get_mmrbc(), and -EINVAL or -EIO for those encountered by pcix_set_mmrbc(). This simplification was chosen in light of the fact that none of the current callers of these functions are interested in the specific type of error encountered. In the future, should this change, one could simply create a function that maps each PCIBIOS_ error to a corresponding unique errno value, which could be called by pcix_get_max_mmrbc(), pcix_get_mmrbc(), and pcix_set_mmrbc(). Additionally, this patch eliminates some unnecessary variables. Signed-off-by: Dean Nelson Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 82f3cd669ae82f87ead2730fb3826e62e8328ccf Author: Dean Nelson Date: Tue Mar 9 22:26:48 2010 -0500 PCI: fix access of PCI_X_CMD by pcix get and set mmrbc functions commit bdc2bda7c4dd253026cc1fce45fc939304749029 upstream. An e1000 driver on a system with a PCI-X bus was always being returned a value of 135 from both pcix_get_mmrbc() and pcix_set_mmrbc(). This value reflects an error return of PCIBIOS_BAD_REGISTER_NUMBER from pci_bus_read_config_dword(,, cap + PCI_X_CMD,). This is because for a dword, the following portion of the PCI_OP_READ() macro: if (PCI_##size##_BAD) return PCIBIOS_BAD_REGISTER_NUMBER; expands to: if (pos & 3) return PCIBIOS_BAD_REGISTER_NUMBER; And is always true for 'cap + PCI_X_CMD', which is 0xe4 + 2 = 0xe6. ('cap' is the result of calling pci_find_capability(, PCI_CAP_ID_PCIX).) The same problem exists for pci_bus_write_config_dword(,, cap + PCI_X_CMD,). In both cases, instead of calling _dword(), _word() should be called. Signed-off-by: Dean Nelson Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 1ed0d0b7fac8892828cc15a20fb7e7824c2598a1 Author: Dean Nelson Date: Tue Mar 9 22:26:40 2010 -0500 PCI: fix return value from pcix_get_max_mmrbc() commit 25daeb550b69e89aff59bc6a84218a12b5203531 upstream. For the PCI_X_STATUS register, pcix_get_max_mmrbc() is returning an incorrect value, which is based on: (stat & PCI_X_STATUS_MAX_READ) >> 12 Valid return values are 512, 1024, 2048, 4096, which correspond to a 'stat' (masked and right shifted by 21) of 0, 1, 2, 3, respectively. A right shift by 11 would generate the correct return value when 'stat' (masked and right shifted by 21) has a value of 1 or 2. But for a value of 0 or 3 it's not possible to generate the correct return value by only right shifting. Fix is based on pcix_get_mmrbc()'s similar dealings with the PCI_X_CMD register. Signed-off-by: Dean Nelson Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 29ef84453e8cecb4d75e4ca8f5e28b96014d0d9d Author: OGAWA Hirofumi Date: Tue Mar 23 13:35:50 2010 -0700 fs/partition/msdos: fix unusable extended partition for > 512B sector commit 8e0cc811e0f8029a7225372fb0951fab102c012f upstream. Smaller size than a minimum blocksize can't be used, after all it's handled like 0 size. For extended partition itself, this makes sure to use bigger size than one logical sector size at least. Signed-off-by: OGAWA Hirofumi Cc: Daniel Taylor Cc: "H. Peter Anvin" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5c417206f32050f414f5eccfbfcb2f26c1dc1d3c Author: Daniel Taylor Date: Tue Mar 23 13:35:50 2010 -0700 fs/partitions/msdos: add support for large disks commit 3fbf586cf7f245392142e5407c2a56f1cff979b6 upstream. In order to use disks larger than 2TiB on Windows XP, it is necessary to use 4096-byte logical sectors in an MBR. Although the kernel storage and functions called from msdos.c used "sector_t" internally, msdos.c still used u32 variables, which results in the ability to handle XP-compatible large disks. This patch changes the internal variables to "sector_t". Daniel said: "In the near future, WD will be releasing products that need this patch". [hirofumi@mail.parknet.co.jp: tweaks and fix] Signed-off-by: Daniel Taylor Signed-off-by: OGAWA Hirofumi Cc: "H. Peter Anvin" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9504653e548f413f3c13b67816a738931d3bc1d2 Author: Paulius Zaleckas Date: Sun Mar 21 21:19:02 2010 -0700 if_tunnel.h: add missing ams/byteorder.h include commit 9bf35c8dddd56f7f247a27346f74f5adc18071f4 upstream. When compiling userspace application which includes if_tunnel.h and uses GRE_* defines you will get undefined reference to __cpu_to_be16. Fix this by adding missing #include Signed-off-by: Paulius Zaleckas Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5e2c1b11b55ed5d758d503ba0a9d6188c7f7aad1 Author: David Härdeman Date: Tue Mar 23 13:35:22 2010 -0700 kfifo: fix KFIFO_INIT in include/linux/kfifo.h commit 4c87684d32e8f95715d53039dcd2d998dc63d1eb upstream. include/linux/kfifo.h first defines and then undefines __kfifo_initializer which is used by INIT_KFIFO (which is also a macro, so building a module which uses INIT_KFIFO will fail). Signed-off-by: David Härdeman Acked-by: Stefani Seibold Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b48cf4837f3edb4b0fa8101f4544dba37be6188f Author: Dan Carpenter Date: Sun Mar 21 12:10:34 2010 -0400 sunrpc: handle allocation errors from __rpc_lookup_create() commit f1f0abe192a72e75d7c59972e30784d043fd8d73 upstream. __rpc_lookup_create() can return ERR_PTR(-ENOMEM). Signed-off-by: Dan Carpenter Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 33b122a45a92b8029b6e416ec0bdcce09abbde22 Author: Trond Myklebust Date: Fri Mar 19 15:36:22 2010 -0400 SUNRPC: Fix a potential memory leak in auth_gss commit cdead7cf12896c0e50a8be2e52de52c364603095 upstream. The function alloc_enc_pages() currently fails to release the pointer rqstp->rq_enc_pages in the error path. Signed-off-by: Trond Myklebust Acked-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 6bfaf37c703ac785efaefc5bfe20a279da52cac5 Author: Adel Gadllah Date: Sun Mar 14 19:16:25 2010 +0100 iwlwifi: Silence tfds_in_queue message commit c8406ea8fa1adde8dc5400127281d497bbcdb84a upstream. Commit a239a8b47cc0e5e6d7416a89f340beac06d5edaa introduced a noisy message, that fills up the log very fast. The error seems not to be fatal (the connection is stable and performance is ok), so make it IWL_DEBUG_TX rather than IWL_ERR. Signed-off-by: Adel Gadllah Acked-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5e3efc9e49c8ecb6b1eaf4244ad7ce9f96aed2e5 Author: Borislav Petkov Date: Tue Mar 9 20:38:48 2010 +0100 edac, mce: Filter out invalid values commit 5b89d2f9ace1970324facc68ca9b8fae19ce8096 upstream. Print the CPU associated with the error only when the field is valid. Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 8063440b1299495d330b74d6f88fa6896a8c7eff Author: Guo-Fu Tseng Date: Wed Mar 17 00:09:30 2010 +0000 jme: Protect vlgrp structure by pause RX actions. commit bf5e5360fd1df1ae429ebbd81838d7d0879797d1 upstream. Temporary stop the RX IRQ, and disable (sync) tasklet or napi. And restore it after finished the vlgrp pointer assignment. Signed-off-by: Guo-Fu Tseng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 53238f89fcbe3626d2520ae1580c5997793827f1 Author: Guo-Fu Tseng Date: Wed Mar 17 00:09:29 2010 +0000 jme: Fix VLAN memory leak commit 17da69b8bfbe441a33a873ad5dd7d3d85800bf2b upstream. Fix memory leak while receiving 8021q tagged packet which is not registered by user. Signed-off-by: Guo-Fu Tseng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1f80a7ae997a7e3dbe4bf8f56c2b9bc163c7e6f9 Author: Grazvydas Ignotas Date: Thu Mar 11 17:45:26 2010 +0200 wl1251: fix potential crash commit 3f60ebc9d6291863652d564bacc430629271e6a9 upstream. In case debugfs does not init for some reason (or is disabled on older kernels) driver does not allocate stats.fw_stats structure, but tries to clear it later and trips on a NULL pointer: Unable to handle kernel NULL pointer dereference at virtual address 00000000 PC is at __memzero+0x24/0x80 Backtrace: [] (wl1251_debugfs_reset+0x0/0x30 [wl1251]) [] (wl1251_op_stop+0x0/0x12c [wl1251]) [] (ieee80211_stop_device+0x0/0x74 [mac80211]) [] (ieee80211_stop+0x0/0x4ac [mac80211]) [] (dev_close+0x0/0xb4) [] (dev_change_flags+0x0/0x184) [] (devinet_ioctl+0x0/0x704) [] (inet_ioctl+0x0/0x100) Add a NULL pointer check to fix this. Signed-off-by: Grazvydas Ignotas Acked-by: Kalle Valo Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0701191b8c49642be06c5c2911f9c2bf22f2c05b Author: Yoshihiro Shimoda Date: Tue Mar 16 12:29:35 2010 +0900 usb: r8a66597-hcd: fix removed from an attached hub commit d835933436ac0d1e8f5b35fe809fd4e767e55d6e upstream. fix the problem that when a USB hub is attached to the r8a66597-hcd and a device is removed from that hub, it's likely that a kernel panic follows. Reported-by: Markus Pietrek Signed-off-by: Yoshihiro Shimoda Signed-off-by: Greg Kroah-Hartman commit d08486d7bc0c3617a68f5b27693218adb6e92df9 Author: Nathaniel McCallum Date: Thu Mar 11 13:09:26 2010 -0500 USB: option: add support for a new CMOTECH device to usb/serial/option commit 3b04872aa75006e2a4adaaec21e9c9ede8b8ad9d upstream. Signed-off-by: Nathaniel McCallum Signed-off-by: Greg Kroah-Hartman commit ee4a9209f8b4bd7e9b8f2789a8510bc1328081bd Author: Nathaniel McCallum Date: Thu Mar 11 13:01:17 2010 -0500 USB: option: move hardcoded PID to a macro in usb/serial/option commit bb73ed2a268a29ab1b7d8cc50b5f248578e7e188 upstream. Signed-off-by: Nathaniel McCallum Signed-off-by: Greg Kroah-Hartman commit eeb9aac2f2680bedcdaf41b921dd7d6e33f49e8f Author: Nathaniel McCallum Date: Thu Mar 11 13:09:24 2010 -0500 USB: option: fix incorrect manufacturer name in usb/serial/option: MAXON->CMOTECH commit eaff4cdc978f414cf7b5441a333de3070d80e9c7 upstream. Signed-off-by: Nathaniel McCallum Signed-off-by: Greg Kroah-Hartman commit d0b43afe304477cb6bdfb2c083525a8532f4f46e Author: Daniel Sangorrin Date: Thu Mar 11 14:10:58 2010 -0800 USB: serial: ftdi: add CONTEC vendor and product id commit dee5658b482e9e2ac7d6205dc876fc11d4008138 upstream. This is a patch to ftdi_sio_ids.h and ftdi_sio.c that adds identifiers for CONTEC USB serial converter. I tested it with the device COM-1(USB)H [akpm@linux-foundation.org: keep the VIDs sorted a bit] Signed-off-by: Daniel Sangorrin Cc: Andreas Mohr Cc: Radek Liboska Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit c97ad5f88a6825924f111a6ae0edcc9497fe4448 Author: Andiry Xu Date: Fri Mar 12 17:10:04 2010 +0800 USB: xHCI: re-initialize cmd_completion commit 1d68064a7d80da4a7334cab0356162e36229c1a1 upstream. When a signal interrupts a Configure Endpoint command, the cmd_completion used in xhci_configure_endpoint() is not re-initialized and the wait_for_completion_interruptible_timeout() will return failure. Initialize cmd_completion in xhci_configure_endpoint(). Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit c1f9a658a3b711b3c642939e716f2907aa450236 Author: Bernhard Rosenkraenzer Date: Wed Mar 10 12:36:43 2010 +0100 USB: qcserial: add new device ids commit 0725e95ea56698774e893edb7e7276b1d6890954 upstream. This patch adds various USB device IDs for Gobi 2000 devices, as found in the drivers available at https://www.codeaurora.org/wiki/GOBI_Releases Signed-off-by: Bernhard Rosenkraenzer Signed-off-by: Greg Kroah-Hartman commit a956be65f881397ee991d4879c36cf0546f7761d Author: Clemens Ladisch Date: Mon Mar 1 17:18:56 2010 +0100 USB: EHCI: adjust ehci_iso_stream for changes in ehci_qh commit 1082f57abfa26590b60c43f503afb24102a37016 upstream. The EHCI driver stores in usb_host_endpoint.hcpriv a pointer to either an ehci_qh or an ehci_iso_stream structure, and uses the contents of the hw_info1 field to distinguish the two cases. After ehci_qh was split into hw and sw parts, ehci_iso_stream must also be adjusted so that it again looks like an ehci_qh structure. This fixes a NULL pointer access in ehci_endpoint_disable() when it tries to access qh->hw->hw_info1. Signed-off-by: Clemens Ladisch Reported-by: Colin Fletcher Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 25f3bec9fc514a21be373817f2306726340e5b5a Author: Clemens Ladisch Date: Mon Mar 1 09:12:50 2010 +0100 USB: EHCI: fix ITD list order commit 92bc3648e6027384479852b770a542722fadee7c upstream. When isochronous URBs are shorter than one frame and when more than one ITD in a frame has been completed before the interrupt can be handled, scan_periodic() completes the URBs in the order in which they are found in the descriptor list. Therefore, the descriptor list must contain the ITDs in the correct order, i.e., a new ITD must be linked in after any previous ITDs of the same endpoint. This should fix garbled capture data in the USB audio drivers. Signed-off-by: Clemens Ladisch Reported-by: Colin Fletcher Signed-off-by: Greg Kroah-Hartman commit 55fe2557940e0cd1d88aa89ef580089698a7dac1 Author: Alan Stern Date: Sat Mar 6 15:04:03 2010 -0500 USB: fix usbfs regression commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream. This patch (as1352) fixes a bug in the way isochronous input data is returned to userspace for usbfs transfers. The entire buffer must be copied, not just the first actual_length bytes, because the individual packets will be discontiguous if any of them are short. Reported-by: Markus Rechberger Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 27f5d838191d05b6d8d6e96b3e1e9e1a75d54cad Author: Mel Gorman Date: Tue Mar 2 22:24:19 2010 +0000 tty: Take a 256 byte padding into account when buffering below sub-page units commit 352fa6ad16b89f8ffd1a93b4419b1a8f2259feab upstream. The TTY layer takes some care to ensure that only sub-page allocations are made with interrupts disabled. It does this by setting a goal of "TTY_BUFFER_PAGE" to allocate. Unfortunately, while TTY_BUFFER_PAGE takes the size of tty_buffer into account, it fails to account that tty_buffer_find() rounds the buffer size out to the next 256 byte boundary before adding on the size of the tty_buffer. This patch adjusts the TTY_BUFFER_PAGE calculation to take into account the size of the tty_buffer and the padding. Once applied, tty_buffer_alloc() should not require high-order allocations. Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit f0e053b3b4ddba41d6b238f1e8eb57852e13f593 Author: Alan Cox Date: Thu Feb 18 16:43:47 2010 +0000 tty: Keep the default buffering to sub-page units commit d9661adfb8e53a7647360140af3b92284cbe52d4 upstream. We allocate during interrupts so while our buffering is normally diced up small anyway on some hardware at speed we can pressure the VM excessively for page pairs. We don't really need big buffers to be linear so don't try so hard. In order to make this work well we will tidy up excess callers to request_room, which cannot itself enforce this break up. Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 9cb1043669666d35a3f547b6540d69dc7e4071a8 Author: Neil Brown Date: Sun Feb 28 22:01:05 2010 -0500 nfsd: ensure sockets are closed on error commit 301e99ce4a2f42a317129230fd42e6cd874c64b0 upstream. One the changes in commit d7979ae4a "svc: Move close processing to a single place" is: err_delete: - svc_delete_socket(svsk); + set_bit(SK_CLOSE, &svsk->sk_flags); return -EAGAIN; This is insufficient. The recvfrom methods must always call svc_xprt_received on completion so that the socket gets re-queued if there is any more work to do. This particular path did not make that call because it actually destroyed the svsk, making requeue pointless. When the svc_delete_socket was change to just set a bit, we should have added a call to svc_xprt_received, This is the problem that b0401d7253 attempted to fix, incorrectly. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit f3fb6babd4e025fc1c4f00280e7c9486171a920e Author: J. Bruce Fields Date: Sun Feb 28 16:33:31 2010 -0500 Revert "sunrpc: move the close processing after do recvfrom method" commit 1b644b6e6f6160ae35ce4b52c2ca89ed3e356e18 upstream. This reverts commit b0401d725334a94d57335790b8ac2404144748ee, which moved svc_delete_xprt() outside of XPT_BUSY, and allowed it to be called after svc_xpt_recived(), removing its last reference and destroying it after it had already been queued for future processing. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit c08a8108a40a68a0a9bda6d32af820a6af25c6bd Author: J. Bruce Fields Date: Sun Feb 28 16:32:51 2010 -0500 Revert "sunrpc: fix peername failed on closed listener" commit f5822754ea006563e1bf0a1f43faaad49c0d8bb2 upstream. This reverts commit b292cf9ce70d221c3f04ff62db5ab13d9a249ca8. The commit that it attempted to patch up, b0401d725334a94d57335790b8ac2404144748ee, was fundamentally wrong, and will also be reverted. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 7823ec3aa5ba160848974fc37a82ccf524d7ea9c Author: Trond Myklebust Date: Fri Mar 19 13:55:17 2010 -0400 NFS: Prevent another deadlock in nfs_release_page() commit d812e575822a2b7ab1a7cadae2571505ec6ec2bd upstream. We should not attempt to free the page if __GFP_FS is not set. Otherwise we can deadlock as per http://bugzilla.kernel.org/show_bug.cgi?id=15578 Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 0a06efd61cec31c4a8b4833bb56c916a1dacb41e Author: Trond Myklebust Date: Thu Mar 11 09:19:35 2010 -0500 NFS: Avoid a deadlock in nfs_release_page commit bb6fbc4548b9ae7ebbd06ef72f00229df259d217 upstream. J.R. Okajima reports the following deadlock: INFO: task kswapd0:305 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kswapd0 D 0000000000000001 0 305 2 0x00000000 ffff88001f21d4f0 0000000000000046 ffff88001fdea680 ffff88001f21c000 ffff88001f21dfd8 ffff88001f21c000 ffff88001f21dfd8 ffff88001f21dfd8 ffff88001fdea040 0000000000014c00 0000000000000001 ffff88001fdea040 Call Trace: [] io_schedule+0x4d/0x70 [] sync_page+0x65/0xa0 [] __wait_on_bit_lock+0x52/0xb0 [] ? sync_page+0x0/0xa0 [] __lock_page+0x64/0x70 [] ? wake_bit_function+0x0/0x40 [] truncate_inode_pages_range+0x344/0x4a0 [] truncate_inode_pages+0x10/0x20 [] generic_delete_inode+0x15e/0x190 [] generic_drop_inode+0x5d/0x80 [] iput+0x78/0x80 [] nfs_dentry_iput+0x38/0x50 [] dentry_iput+0x84/0x110 [] d_kill+0x2e/0x60 [] dput+0x7a/0x170 [] path_put+0x15/0x40 [] __put_nfs_open_context+0xa4/0xb0 [] ? nfs_free_request+0x0/0x50 [] put_nfs_open_context+0xb/0x10 [] nfs_free_request+0x29/0x50 [] kref_put+0x8e/0xe0 [] nfs_release_request+0x14/0x20 [] nfs_find_and_lock_request+0x89/0xa0 [] nfs_wb_page+0x80/0x110 [] nfs_release_page+0x70/0x90 [] try_to_release_page+0x5e/0x80 [] shrink_page_list+0x638/0x860 [] shrink_zone+0x63e/0xc40 We can fix this by making the call to put_nfs_open_context() happen when we actually remove the write request from the inode (which is done by the nfsiod thread in this case). Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 5783f0ea37c2693675709c1dcb27281f4500c6f9 Author: Trond Myklebust Date: Wed Mar 10 15:21:44 2010 -0500 NFSv4: Don't ignore the NFS_INO_REVAL_FORCED flag in nfs_revalidate_inode() commit b4d2314bb88b07e5a04e6c75b442a1dfcd60e340 upstream. If the NFS_INO_REVAL_FORCED flag is set, that means that we don't yet have an up to date attribute cache. Even if we hold a delegation, we must put a GETATTR on the wire. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit ae56fa68db2da81677393b9a3b777b96ac683cbb Author: Gal Rosen Date: Thu Jan 21 10:15:32 2010 +0200 SCSI: scsi_transport_fc: Fix synchronization issue while deleting vport commit 0d9dc7c8b9b7fa0f53647423b41056ee1beed735 upstream. The issue occur while deleting 60 virtual ports through the sys interface /sys/class/fc_vports/vport-X/vport_delete. It happen while in a mistake each request sent twice for the same vport. This interface is asynchronous, entering the delete request into a work queue, allowing more than one request to enter to the delete work queue. The result is a NULL pointer. The first request already delete the vport, while the second request got a pointer to the vport before the device destroyed. Re-create vport later cause system freeze. Solution: Check vport flags before entering the request to the work queue. [jejb: fixed int<->long problem on spinlock flags variable] Signed-off-by: Gal Rosen Acked-by: James Smart Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 82df18799be6189a905651888ea471ef11e01807 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:33 2010 -0700 doc: add the documentation for mpol=local commit 5574169613b40b85d6f4c67208fa4846b897a0a1 upstream. commit 3f226aa1c (mempolicy: support mpol=local tmpfs mount option) added new mpol=local mount option. but it didn't add a documentation. This patch does it. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 311f356c431bad3d1969f1b3c191ecbfefd584e1 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:32 2010 -0700 tmpfs: cleanup mpol_parse_str() commit 926f2ae04f183098cf9a30521776fb2759c8afeb upstream. mpol_parse_str() made lots 'err' variable related bug. Because it is ugly and reviewing unfriendly. This patch simplifies it. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 98c3dd1b87921fc6a15718c43c4937bef98c4721 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:31 2010 -0700 tmpfs: handle MPOL_LOCAL mount option properly commit 12821f5fb942e795f8009ece14bde868893bd811 upstream. commit 71fe804b6d5 (mempolicy: use struct mempolicy pointer in shmem_sb_info) added mpol=local mount option. but its feature is broken since it was born. because such code always return 1 (i.e. mount failure). This patch fixes it. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7ba7b75f8e19026459f54c60459e325ed08363b7 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:30 2010 -0700 tmpfs: mpol=bind:0 don't cause mount error. commit d69b2e63e9172afb4d07c305601b79a55509ac4c upstream. Currently, following mount operation cause mount error. % mount -t tmpfs -ompol=bind:0 none /tmp Because commit 71fe804b6d5 (mempolicy: use struct mempolicy pointer in shmem_sb_info) corrupted MPOL_BIND parse code. This patch restore the needed one. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6bb8ea2defd40c60b47fea3878347a92e9668de2 Author: Ravikiran G Thirumalai Date: Tue Mar 23 13:35:28 2010 -0700 tmpfs: fix oops on mounts with mpol=default commit 413b43deab8377819aba1dbad2abf0c15d59b491 upstream. Fix an 'oops' when a tmpfs mount point is mounted with the mpol=default mempolicy. Upon remounting a tmpfs mount point with 'mpol=default' option, the mount code crashed with a null pointer dereference. The initial problem report was on 2.6.27, but the problem exists in mainline 2.6.34-rc as well. On examining the code, we see that mpol_new returns NULL if default mempolicy was requested. This 'NULL' mempolicy is accessed to store the node mask resulting in oops. The following patch fixes it. Signed-off-by: Ravikiran Thirumalai Signed-off-by: KOSAKI Motohiro Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 803557f8ebad33836b66b5d3f83dcbd902daa417 Author: Masami Hiramatsu Date: Fri Mar 12 18:22:17 2010 -0500 perf probe: Fix probe_point buffer overrun commit 594087a04eea544356f9c52e83c1a9bc380ce80f upstream. Fix probe_point array-size overrun problem. In some cases (e.g. inline function), one user-specified probe-point can be translated to many probe address, and it overruns pre-defined array-size. This also removes redundant MAX_PROBES macro definition. Signed-off-by: Masami Hiramatsu Cc: systemtap Cc: DLE LKML-Reference: <20100312232217.2017.45017.stgit@localhost6.localdomain6> [ Note that only root can create new probes. Eventually we should remove the MAX_PROBES limit, but that is a larger patch not eligible to perf/urgent treatment. ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 118c29f02194a7874cbbff605b2ec544b97d5610 Author: Paul Mackerras Date: Wed Mar 10 20:45:52 2010 +1100 perf_event: Fix oops triggered by cpu offline/online commit 220b140b52ab6cc133f674a7ffec8fa792054f25 upstream. Anton Blanchard found that he could reliably make the kernel hit a BUG_ON in the slab allocator by taking a cpu offline and then online while a system-wide perf record session was running. The reason is that when the cpu comes up, we completely reinitialize the ctx field of the struct perf_cpu_context for the cpu. If there is a system-wide perf record session running, then there will be a struct perf_event that has a reference to the context, so its refcount will be 2. (The perf_event has been removed from the context's group_entry and event_entry lists by perf_event_exit_cpu(), but that doesn't remove the perf_event's reference to the context and doesn't decrement the context's refcount.) When the cpu comes up, perf_event_init_cpu() gets called, and it calls __perf_event_init_context() on the cpu's context. That resets the refcount to 1. Then when the perf record session finishes and the perf_event is closed, the refcount gets decremented to 0 and the context gets kfreed after an RCU grace period. Since the context wasn't kmalloced -- it's part of a per-cpu variable -- bad things happen. In fact we don't need to completely reinitialize the context when the cpu comes up. It's sufficient to initialize the context once at boot, but we need to do it for all possible cpus. This moves the context initialization to happen at boot time. With this, we don't trash the refcount and the context never gets kfreed, and we don't hit the BUG_ON. Reported-by: Anton Blanchard Signed-off-by: Paul Mackerras Tested-by: Anton Blanchard Acked-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 9e5aa831f8aec46e8f64cfc720ead5a0dd1d6a15 Author: John Kacur Date: Thu Mar 11 13:57:00 2010 +0100 perf: Make the install relative to DESTDIR if specified commit 7ae5f21361fea11f58c398701da635f778635d13 upstream. Without this change, the install path is relative to prefix/DESTDIR where prefix is automatically set to $HOME. This can produce unexpected results. For example: make -C tools/perf DESTDIR=/home/jkacur/tmp install-man creates the directory: /home/jkacur/home/jkacur/tmp/share/... instead of the expected: /home/jkacur/tmp/share/... Signed-off-by: John Kacur Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker Cc: Tom Zanussi Cc: Kyle McMartin LKML-Reference: <1268312220-12880-1-git-send-email-jkacur@redhat.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 06432c9591a2607d70580333a50aba19344e2e40 Author: Peter Zijlstra Date: Fri Mar 19 02:00:19 2010 +0100 perf: Provide generic perf_sample_data initialization This makes it easier to extend perf_sample_data and fixes a bug on arm and sparc, which failed to set ->raw to NULL, which can cause crashes when combined with PERF_SAMPLE_RAW. It also optimizes PowerPC and tracepoint, because the struct initialization is forced to zero out the whole structure. Signed-off-by: Peter Zijlstra Acked-by: Jean Pihet Reviewed-by: Frederic Weisbecker Acked-by: David S. Miller Cc: Jamie Iles Cc: Paul Mackerras Cc: Stephane Eranian LKML-Reference: <20100304140100.315416040@chello.nl> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit f3cfe648b427db8768a1039cfd201842ae8a4a1d Author: Tilman Schmidt Date: Tue Mar 16 07:04:01 2010 +0000 gigaset: correct range checking off by one error commit 6ad34145cf809384359fe513481d6e16638a57a3 upstream. Correct a potential array overrun due to an off by one error in the range check on the CAPI CONNECT_REQ CIPValue parameter. Found and reported by Dan Carpenter using smatch. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9e08fc1695862878f05d2ae12e5c8fc004ca8f70 Author: Tilman Schmidt Date: Wed Mar 17 14:22:07 2010 -0700 gigaset: fix build failure commit 22001a13d09d82772e831dcdac0553994a4bac5d upstream. Update the dummy LL interface to the LL interface change introduced by commit daab433c03c15fd642c71c94eb51bdd3f32602c8. This fixes the build failure occurring after that commit when enabling ISDN_DRV_GIGASET but neither ISDN_I4L nor ISDN_CAPI. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a42309f46fe1bef9f58da90221755280afab2fa9 Author: Tilman Schmidt Date: Sun Mar 14 12:58:05 2010 +0000 gigaset: avoid registering CAPI driver more than once commit bc35b4e347c047fb1c665bb761ddb22482539f7f upstream. Registering/unregistering the Gigaset CAPI driver when a device is connected/disconnected causes an Oops when disconnecting two Gigaset devices in a row, because the same capi_driver structure gets unregistered twice. Fix by making driver registration/unregistration a separate operation (empty in the ISDN4Linux case) called when the main module is loaded/unloaded. Impact: bugfix Signed-off-by: Tilman Schmidt Acked-by: Karsten Keil Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 49a80f179a3a8ba7c18db26dbfa9a4bca65602a0 Author: Tilman Schmidt Date: Sun Mar 14 12:58:05 2010 +0000 gigaset: prune use of tty_buffer_request_room commit 873a69a358a6b393fd8d9d92e193ec8895cac4d7 upstream. Calling tty_buffer_request_room() before tty_insert_flip_string() is unnecessary, costs CPU and for big buffers can mess up the multi-page allocation avoidance. Signed-off-by: Tilman Schmidt Acked-by: Karsten Keil CC: Alan Cox Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfbb7c7fb13394c0b501939f721ffa83c604f647 Author: Tilman Schmidt Date: Sun Mar 14 12:58:05 2010 +0000 gigaset: correct clearing of at_state strings on RING commit 3a0a3a6b92edf181f849ebd8417122392ba73a96 upstream. In RING handling, clear the table of received parameter strings in a loop like everywhere else, instead of by enumeration which had already gotten out of sync. Impact: minor bugfix Signed-off-by: Tilman Schmidt Acked-by: Karsten Keil Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 05b94852667ef2a3b82fb7befe341049644859c6 Author: Clemens Ladisch Date: Wed Mar 24 07:10:54 2010 +0100 ALSA: cmipci: work around invalid PCM pointer commit 1c583063a5c769fe2ec604752e383972c69e6d9b upstream. When the CMI8738 FRAME2 register is read, the chip sometimes (probably when wrapping around) returns an invalid value that would be outside the programmed DMA buffer. This leads to an inconsistent PCM pointer that is likely to result in an underrun. To work around this, read the register multiple times until we get a valid value; the error state seems to be very short-lived. Signed-off-by: Clemens Ladisch Reported-and-tested-by: Matija Nalis Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit abeb14b4b0db8d303e407705a42bafafef65180e Author: Daniel T Chen Date: Sun Mar 21 18:34:43 2010 -0400 ALSA: hda: Fix 0 dB offset for HP laptops using CX20551 (Waikiki) commit 025f206c9e0f96cc41567b01c07fb852d8900da1 upstream. BugLink: https://launchpad.net/bugs/420578 The OR has verified that his hardware distorts because of the 0 dB offset not corresponding to the highest PCM level. Fix this by capping said PCM level to 0 dB similarly to what we do for CX20549 (Venice). Reported-by: Mike Pontillo Tested-by: Mike Pontillo Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 408fdc3e050451c81719eaa949d9d2082a8f9ecd Author: Takashi Iwai Date: Mon Mar 15 09:07:52 2010 +0100 ALSA: hda - Fix secondary ADC of ALC260 basic model commit 9c4cc0bdede1c39bde60a0d5d9251aac71fbe719 upstream. Fix adc_nids[] for ALC260 basic model to match with num_adc_nids. Otherwise you get an invalid NID in the secondary "Input Source" mixer element. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6ca05d7182452b47a2e25a218254f3eebb0314fa Author: Takashi Iwai Date: Mon Mar 15 15:51:53 2010 +0100 ALSA: hda - Disable MSI for Nvidia controller commit 80c43ed724797627d8f86855248c497a6161a214 upstream. Judging from the member of enable_msi white-list, Nvidia controller seems to cause troubles with MSI enabled, e.g. boot hang up or other serious issue may come up. It's safer to disable MSI as default for Nvidia controllers again for now. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cb6972366b36a2740e1e47b7b9c0471cc6065988 Author: Daniel T Chen Date: Sun Mar 14 23:44:03 2010 -0400 ALSA: hda: Use LPIB and 6stack-dig for eMachines T5212 commit 572c0e3c73341755f3e7dfaaef6b26df12bd709c upstream. BugLink: https://bugs.launchpad.net/bugs/538895 The OR has verified that both position_fix=1 and model=6stack-dig are necessary to have capture function properly. (The existing 3stack-6ch model quirk seems to be incorrect.) Reported-by: Reuben Bailey Tested-by: Reuben Bailey Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f140b5c7d133655ae9c541f51218a278d24bba60 Author: Suresh Siddha Date: Thu Mar 11 09:45:44 2010 +0100 sched: Fix SCHED_MC regression caused by change in sched cpu_power commit dd5feea14a7de4edbd9f36db1a2db785de91b88d upstream On platforms like dual socket quad-core platform, the scheduler load balancer is not detecting the load imbalances in certain scenarios. This is leading to scenarios like where one socket is completely busy (with all the 4 cores running with 4 tasks) and leaving another socket completely idle. This causes performance issues as those 4 tasks share the memory controller, last-level cache bandwidth etc. Also we won't be taking advantage of turbo-mode as much as we would like, etc. Some of the comparisons in the scheduler load balancing code are comparing the "weighted cpu load that is scaled wrt sched_group's cpu_power" with the "weighted average load per task that is not scaled wrt sched_group's cpu_power". While this has probably been broken for a longer time (for multi socket numa nodes etc), the problem got aggrevated via this recent change: | | commit f93e65c186ab3c05ce2068733ca10e34fd00125e | Author: Peter Zijlstra | Date: Tue Sep 1 10:34:32 2009 +0200 | | sched: Restore __cpu_power to a straight sum of power | Also with this change, the sched group cpu power alone no longer reflects the group capacity that is needed to implement MC, MT performance (default) and power-savings (user-selectable) policies. We need to use the computed group capacity (sgs.group_capacity, that is computed using the SD_PREFER_SIBLING logic in update_sd_lb_stats()) to find out if the group with the max load is above its capacity and how much load to move etc. Reported-by: Ma Ling Initial-Analysis-by: Zhang, Yanmin Signed-off-by: Suresh Siddha [ -v2: build fix ] Signed-off-by: Peter Zijlstra LKML-Reference: <1266970432.11588.22.camel@sbs-t61.sc.intel.com> Signed-off-by: Ingo Molnar commit 84303658a8fd2bed8e27dacc25643a69dc7426fb Author: Arnaldo Carvalho de Melo Date: Thu Feb 25 12:57:40 2010 -0300 perf annotate: Defer allocating sym_priv->hist array commit 628ada0cb03666dd463f7c25947eaccdf440c309 upstream Because symbol->end is not fixed up at symbol_filter time, only after all symbols for a DSO are loaded, and that, for asm symbols, may be bogus, causing segfaults when hits happen in these symbols. Backported-from: 628ada0 Reported-by: David Miller Reported-by: Anton Blanchard Acked-by: David Miller Cc: Frédéric Weisbecker Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Paul Mackerras LKML-Reference: <20100225155740.GB8553@ghostprotocols.net> Signed-off-by: Ingo Molnar Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit c2b2df61e78aa5570473e2d46db6d88f5071b520 Author: Barry Song Date: Mon Mar 8 12:13:57 2010 -0800 can: fix bfin_can build error after alloc_candev() change commit e9dcd1613f0ac0b3573b7d813a2c5672cd8302eb upstream. Looks like commit a6e4bc530403 didn't include updates to drivers so the Blackfin CAN driver fails to build now. Signed-off-by: Barry Song Signed-off-by: Mike Frysinger Acked-by: Wolfgang Grandegger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 095a7d07b8e852ba8bbcd1f3f6c056819fed5d29 Author: Stanislaw Gruszka Date: Wed Feb 10 05:07:45 2010 -0800 iwlwifi: use dma_alloc_coherent commit f36d04abe684f9e2b07c6ebe9f77ae20eb5c1e84 upstream. Change pci_alloc_consistent() to dma_alloc_coherent() so we can use GFP_KERNEL flag. Signed-off-by: Stanislaw Gruszka Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit ee644b71926ee1a1fc44320b67fbcdc214441a00 Author: Michael S. Tsirkin Date: Thu Feb 25 19:08:55 2010 +0200 virtio: fix out of range array access commit 3119815912a220bdac943dfbdfee640414c0c611 upstream. I have observed the following error on virtio-net module unload: ------------[ cut here ]------------ WARNING: at kernel/irq/manage.c:858 __free_irq+0xa0/0x14c() Hardware name: Bochs Trying to free already-free IRQ 0 Modules linked in: virtio_net(-) virtio_blk virtio_pci virtio_ring virtio af_packet e1000 shpchp aacraid uhci_hcd ohci_hcd ehci_hcd [last unloaded: scsi_wait_scan] Pid: 1957, comm: rmmod Not tainted 2.6.33-rc8-vhost #24 Call Trace: [] warn_slowpath_common+0x7c/0x94 [] warn_slowpath_fmt+0x41/0x43 [] ? __free_pages+0x5a/0x70 [] __free_irq+0xa0/0x14c [] free_irq+0x3f/0x65 [] vp_del_vqs+0x81/0xb1 [virtio_pci] [] virtnet_remove+0xda/0x10b [virtio_net] [] virtio_dev_remove+0x22/0x4a [virtio] [] __device_release_driver+0x66/0xac [] driver_detach+0x83/0xa9 [] bus_remove_driver+0x91/0xb4 [] driver_unregister+0x6c/0x74 [] unregister_virtio_driver+0xe/0x10 [virtio] [] fini+0x15/0x17 [virtio_net] [] sys_delete_module+0x1c3/0x230 [] ? old_ich_force_enable_hpet+0x117/0x164 [] ? do_page_fault+0x29c/0x2cc [] sysenter_dispatch+0x7/0x27 ---[ end trace 15e88e4c576cc62b ]--- The bug is in virtio-pci: we use msix_vector as array index to get irq entry, but some vqs do not have a dedicated vector so this causes an out of bounds access. By chance, we seem to often get 0 value, which results in this error. Fix by verifying that vector is legal before using it as index. Signed-off-by: Michael S. Tsirkin Acked-by: Anthony Liguori Acked-by: Shirley Ma Acked-by: Amit Shah Signed-off-by: Greg Kroah-Hartman commit 4b920035104d38462ba289c414c140033287b48c Author: André Goddard Rosa Date: Tue Feb 23 04:04:28 2010 -0300 mqueue: fix mq_open() file descriptor leak on user-space processes commit 4294a8eedb17bbc45e1e7447c2a4d05332943248 upstream. We leak fd on lookup_one_len() failure Signed-off-by: André Goddard Rosa Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 183407c05503edf20fa80ba1410ca5699bbd41f0 Author: Luis R. Rodriguez Date: Thu Mar 11 10:58:35 2010 -0800 ath9k: add support for 802.11n bonded out AR2427 This is a backport of of upstream commit: 5ffaf8a361b4c9025963959a744f21d8173c7669 Some single chip family devices are sold in the market with 802.11n bonded out, these have no hardware capability for 02.11n but ath9k can still support them. These are called AR2427. Reported-by: Rolf Leggewie Tested-by: Bernhard Reiter Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0524bcfa80f1fffb4e1fe18a0a28900869a58a7c Author: Ming Lei Date: Sun Feb 28 00:56:24 2010 +0800 ath9k: fix lockdep warning when unloading module commit a9f042cbe5284f34ccff15f3084477e11b39b17b upstream. Since txq->axq_lock may be hold in softirq context, it must be acquired with spin_lock_bh() instead of spin_lock() if softieq is enabled. The patch fixes the lockdep warning below when unloading ath9k modules. ================================= [ INFO: inconsistent lock state ] 2.6.33-wl #12 --------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. rmmod/3642 [HC0[0]:SC0[0]:HE1:SE1] takes: (&(&txq->axq_lock)->rlock){+.?...}, at: [] ath_tx_node_cleanup+0x62/0x180 [ath9k] {IN-SOFTIRQ-W} state was registered at: [] __lock_acquire+0x2f6/0xd35 [] lock_acquire+0xcd/0xf1 [] _raw_spin_lock_bh+0x3b/0x6e [] spin_lock_bh+0xe/0x10 [ath9k] [] ath_tx_tasklet+0xcd/0x391 [ath9k] [] ath9k_tasklet+0x70/0xc8 [ath9k] [] tasklet_action+0x8c/0xf4 [] __do_softirq+0xf8/0x1cd [] call_softirq+0x1c/0x30 [] do_softirq+0x4b/0xa3 [] irq_exit+0x4a/0x8c [] do_IRQ+0xac/0xc3 [] ret_from_intr+0x0/0x16 [] cpuidle_idle_call+0x9e/0xf8 [] cpu_idle+0x62/0x9d [] rest_init+0x7e/0x80 [] start_kernel+0x3e8/0x3f3 [] x86_64_start_reservations+0xa7/0xab [] x86_64_start_kernel+0xf8/0x107 irq event stamp: 42037 hardirqs last enabled at (42037): [] _raw_spin_unlock_irqrestore+0x47/0x56 hardirqs last disabled at (42036): [] _raw_spin_lock_irqsave+0x2b/0x88 softirqs last enabled at (42000): [] spin_unlock_bh+0xe/0x10 [ath9k] softirqs last disabled at (41998): [] _raw_spin_lock_bh+0x18/0x6e other info that might help us debug this: 4 locks held by rmmod/3642: #0: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x19 #1: (&wdev->mtx){+.+.+.}, at: [] cfg80211_netdev_notifier_call+0x28d/0x46d [cfg80211] #2: (&ifmgd->mtx){+.+.+.}, at: [] ieee80211_mgd_deauth+0x3f/0x17e [mac80211] #3: (&local->sta_mtx){+.+.+.}, at: [] sta_info_destroy_addr+0x2b/0x5e [mac80211] stack backtrace: Pid: 3642, comm: rmmod Not tainted 2.6.33-wl #12 Call Trace: [] valid_state+0x178/0x18b [] ? save_stack_trace+0x2f/0x4c [] ? check_usage_backwards+0x0/0x88 [] mark_lock+0x113/0x230 [] __lock_acquire+0x36a/0xd35 [] ? native_sched_clock+0x2d/0x5f [] ? ath_tx_node_cleanup+0x62/0x180 [ath9k] [] lock_acquire+0xcd/0xf1 [] ? ath_tx_node_cleanup+0x62/0x180 [ath9k] [] ? trace_hardirqs_off+0xd/0xf [] _raw_spin_lock+0x36/0x69 [] ? ath_tx_node_cleanup+0x62/0x180 [ath9k] [] ath_tx_node_cleanup+0x62/0x180 [ath9k] [] ? trace_hardirqs_on+0xd/0xf [] ath9k_sta_remove+0x22/0x26 [ath9k] [] __sta_info_destroy+0x1ad/0x38c [mac80211] [] sta_info_destroy_addr+0x3e/0x5e [mac80211] [] ieee80211_set_disassoc+0x175/0x180 [mac80211] [] ieee80211_mgd_deauth+0x58/0x17e [mac80211] [] ? __mutex_lock_common+0x37f/0x3a4 [] ? cfg80211_netdev_notifier_call+0x28d/0x46d [cfg80211] [] ieee80211_deauth+0x1e/0x20 [mac80211] [] __cfg80211_mlme_deauth+0x130/0x13f [cfg80211] [] ? cfg80211_netdev_notifier_call+0x28d/0x46d [cfg80211] [] ? trace_hardirqs_off+0xd/0xf [] __cfg80211_disconnect+0x111/0x189 [cfg80211] [] cfg80211_netdev_notifier_call+0x2ce/0x46d [cfg80211] [] notifier_call_chain+0x37/0x63 [] raw_notifier_call_chain+0x14/0x16 [] call_netdevice_notifiers+0x1b/0x1d [] dev_close+0x6a/0xa6 [] rollback_registered_many+0xb6/0x2f4 [] unregister_netdevice_many+0x1b/0x66 [] ieee80211_remove_interfaces+0xc5/0xd0 [mac80211] [] ieee80211_unregister_hw+0x47/0xe8 [mac80211] [] ath9k_deinit_device+0x7a/0x9b [ath9k] [] ath_pci_remove+0x38/0x76 [ath9k] [] pci_device_remove+0x2d/0x51 [] __device_release_driver+0x7b/0xd1 [] driver_detach+0x98/0xbe [] bus_remove_driver+0x94/0xb7 [] driver_unregister+0x6c/0x74 [] pci_unregister_driver+0x46/0xad [] ath_pci_exit+0x15/0x17 [ath9k] [] ath9k_exit+0xe/0x2f [ath9k] [] sys_delete_module+0x1c7/0x236 [] ? retint_swapgs+0x13/0x1b [] ? trace_hardirqs_on_caller+0x119/0x144 [] ? audit_syscall_entry+0x11e/0x14a [] system_call_fastpath+0x16/0x1b wlan1: deauthenticating from 00:23:cd:e1:f9:b2 by local choice (reason=3) PM: Removing info for No Bus:wlan1 cfg80211: Calling CRDA to update world regulatory domain PM: Removing info for No Bus:rfkill2 PM: Removing info for No Bus:phy1 ath9k 0000:16:00.0: PCI INT A disabled Signed-off-by: Ming Lei Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7e4c2095a352835e0ad28b61d839edc34ea2c488 Author: Nobuhiro Iwamatsu Date: Mon Feb 15 08:37:50 2010 +0000 sh: Fix zImage boot using fixed PMB. commit 319c2cc761505ee54a9536c5d0b9c2ee3fb33866 upstream. Signed-off-by: Nobuhiro Iwamatsu Signed-off-by: Yoshihiro Shimoda Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit 6b485cd307ba56876d20b6d443a02f3cc5bbb7a2 Author: David S. Miller Date: Wed Mar 3 09:06:03 2010 -0800 sparc64: Make prom entry spinlock NMI safe. [ Upstream commit 8a4fd1e4922413cfdfa6c51a59efb720d904a5eb ] If we do something like try to print to the OF console from an NMI while we're already in OpenFirmware, we'll deadlock on the spinlock. Use a raw spinlock and disable NMIs when we take it. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 38b5c1269e7c1582d25a2ffd71d9289d8520d9b8 Author: Alexander Duyck Date: Fri Feb 19 17:57:46 2010 +0000 pci: add support for 82576NS serdes to existing SR-IOV quirk commit 7a0deb6bcda98c2a764cb87f1441eef920fd3663 upstream. This patch adds support for the 82576NS Serdes adapter to the existing pci quirk for 82576 parts. Signed-off-by: Alexander Duyck Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ce88fa67882ff2b1501e2a72a83e4eab638df711 Author: Jan Kiszka Date: Sat Mar 13 11:33:47 2010 +0100 KVM: x86: Add KVM_CAP_X86_ROBUST_SINGLESTEP Commit d2be1651b736002e0c76d7095d6c0ba77b4a897c upstream. This marks the guest single-step API improvement of 94fe45da and 91586a3b with a capability flag to allow reliable detection by user space. Signed-off-by: Jan Kiszka Signed-off-by: Greg Kroah-Hartman commit 5cf5162132697541fe4de1290afaea4ed841473d Author: Francesco Lavra Date: Thu Dec 31 08:47:11 2009 -0300 V4L/DVB (13961): em28xx-dvb: fix memleak in dvb_fini() commit 19f48cb105b7fa18d0dcab435919a3a29b7a7c4c upstream. this patch fixes a memory leak which occurs when an em28xx card with DVB extension is unplugged or its DVB extension driver is unloaded. In dvb_fini(), dev->dvb must be freed before being set to NULL, as is done in dvb_init() in case of error. Note that this bug is also present in the latest stable kernel release. Signed-off-by: Francesco Lavra Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 6afa5c708e7f6acf6fe5e47262a6e2c95d2deaa3 Author: Neil Horman Date: Fri Mar 5 13:44:16 2010 -0800 coredump: suppress uid comparison test if core output files are pipes commit 76595f79d76fbe6267a51b3a866a028d150f06d4 upstream. Modify uid check in do_coredump so as to not apply it in the case of pipes. This just got noticed in testing. The end of do_coredump validates the uid of the inode for the created file against the uid of the crashing process to ensure that no one can pre-create a core file with different ownership and grab the information contained in the core when they shouldn' tbe able to. This causes failures when using pipes for a core dumps if the crashing process is not root, which is the uid of the pipe when it is created. The fix is simple. Since the check for matching uid's isn't relevant for pipes (a process can't create a pipe that the uermodehelper code will open anyway), we can just just skip it in the event ispipe is non-zero Reverts a pipe-affecting change which was accidentally made in : commit c46f739dd39db3b07ab5deb4e3ec81e1c04a91af : Author: Ingo Molnar : AuthorDate: Wed Nov 28 13:59:18 2007 +0100 : Commit: Linus Torvalds : CommitDate: Wed Nov 28 10:58:01 2007 -0800 : : vfs: coredumping fix Signed-off-by: Neil Horman Cc: Andi Kleen Cc: Oleg Nesterov Cc: Alan Cox Cc: Al Viro Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit a94b3267924327acf606ba22f4a5fb480e354da6 Author: Steven Rostedt Date: Fri Mar 12 20:03:30 2010 -0500 tracing: Do not record user stack trace from NMI context commit b6345879ccbd9b92864fbd7eb8ac48acdb4d6b15 upstream. A bug was found with Li Zefan's ftrace_stress_test that caused applications to segfault during the test. Placing a tracing_off() in the segfault code, and examining several traces, I found that the following was always the case. The lock tracer was enabled (lockdep being required) and userstack was enabled. Testing this out, I just enabled the two, but that was not good enough. I needed to run something else that could trigger it. Running a load like hackbench did not work, but executing a new program would. The following would trigger the segfault within seconds: # echo 1 > /debug/tracing/options/userstacktrace # echo 1 > /debug/tracing/events/lock/enable # while :; do ls > /dev/null ; done Enabling the function graph tracer and looking at what was happening I finally noticed that all cashes happened just after an NMI. 1) | copy_user_handle_tail() { 1) | bad_area_nosemaphore() { 1) | __bad_area_nosemaphore() { 1) | no_context() { 1) | fixup_exception() { 1) 0.319 us | search_exception_tables(); 1) 0.873 us | } [...] 1) 0.314 us | __rcu_read_unlock(); 1) 0.325 us | native_apic_mem_write(); 1) 0.943 us | } 1) 0.304 us | rcu_nmi_exit(); [...] 1) 0.479 us | find_vma(); 1) | bad_area() { 1) | __bad_area() { After capturing several traces of failures, all of them happened after an NMI. Curious about this, I added a trace_printk() to the NMI handler to read the regs->ip to see where the NMI happened. In which I found out it was here: ffffffff8135b660 : ffffffff8135b660: 48 83 ec 78 sub $0x78,%rsp ffffffff8135b664: e8 97 01 00 00 callq ffffffff8135b800 What was happening is that the NMI would happen at the place that a page fault occurred. It would call rcu_read_lock() which was traced by the lock events, and the user_stack_trace would run. This would trigger a page fault inside the NMI. I do not see where the CR2 register is saved or restored in NMI handling. This means that it would corrupt the page fault handling that the NMI interrupted. The reason the while loop of ls helped trigger the bug, was that each execution of ls would cause lots of pages to be faulted in, and increase the chances of the race happening. The simple solution is to not allow user stack traces in NMI context. After this patch, I ran the above "ls" test for a couple of hours without any issues. Without this patch, the bug would trigger in less than a minute. Reported-by: Li Zefan Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 8c3492dc6b9ee58b025ffddc83431c5a5d466282 Author: Steven Rostedt Date: Fri Mar 12 19:56:00 2010 -0500 tracing: Disable buffer switching when starting or stopping trace commit a2f8071428ed9a0f06865f417c962421c9a6b488 upstream. When the trace iterator is read, tracing_start() and tracing_stop() is called to stop tracing while the iterator is processing the trace output. These functions disable both the standard buffer and the max latency buffer. But if the wakeup tracer is running, it can switch these buffers between the two disables: buffer = global_trace.buffer; if (buffer) ring_buffer_record_disable(buffer); <<<--------- swap happens here buffer = max_tr.buffer; if (buffer) ring_buffer_record_disable(buffer); What happens is that we disabled the same buffer twice. On tracing_start() we can enable the same buffer twice. All ring_buffer_record_disable() must be matched with a ring_buffer_record_enable() or the buffer can be disable permanently, or enable prematurely, and cause a bug where a reset happens while a trace is commiting. This patch protects these two by taking the ftrace_max_lock to prevent a switch from occurring. Found with Li Zefan's ftrace_stress_test. Reported-by: Lai Jiangshan Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 70e27dedd11fdbb3a9dec79af59d8ba61a19365b Author: Steven Rostedt Date: Fri Mar 12 19:48:41 2010 -0500 tracing: Use same local variable when resetting the ring buffer commit 283740c619d211e34572cc93c8cdba92ccbdb9cc upstream. In the ftrace code that resets the ring buffer it references the buffer with a local variable, but then uses the tr->buffer as the parameter to reset. If the wakeup tracer is running, which can switch the tr->buffer with the max saved buffer, this can break the requirement of disabling the buffer before the reset. buffer = tr->buffer; ring_buffer_record_disable(buffer); synchronize_sched(); __tracing_reset(tr->buffer, cpu); If the tr->buffer is swapped, then the reset is not happening to the buffer that was disabled. This will cause the ring buffer to fail. Found with Li Zefan's ftrace_stress_test. Reported-by: Lai Jiangshan Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit fe030f50c598ffd9476da37d35a7dd7301487795 Author: Lai Jiangshan Date: Tue Mar 2 17:54:50 2010 +0800 tracing: Fix warning in s_next of trace file ops commit ac91d85456372a90af5b85eb6620fd2efb1e431b upstream. This warning in s_next() can be triggered by lseek(): [] ? s_next+0x77/0x80 [] warn_slowpath_common+0x81/0xa0 [] ? s_next+0x77/0x80 [] warn_slowpath_null+0x1a/0x20 [] s_next+0x77/0x80 [] traverse+0x117/0x200 [] seq_lseek+0xa3/0x120 [] ? seq_lseek+0x0/0x120 [] vfs_llseek+0x41/0x50 [] sys_llseek+0x66/0xa0 [] sysenter_do_call+0x12/0x26 The iterator "leftover" variable is zeroed in the opening of the trace file. But lseek can call s_start() which will call s_next() without reseting the "leftover" variable back to zero, which might trigger the WARN_ON_ONCE(iter->leftover) that is in s_next(). Signed-off-by: Lai Jiangshan LKML-Reference: <4B8CE06A.9090207@cn.fujitsu.com> Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit a86a83770fe3cc858f91b0ae6406477dc8d0bf17 Author: Steven Rostedt Date: Fri Mar 12 19:41:23 2010 -0500 function-graph: Init curr_ret_stack with ret_stack commit ea14eb714041d40fcc5180b5a586034503650149 upstream. If the graph tracer is active, and a task is forked but the allocating of the processes graph stack fails, it can cause crash later on. This is due to the temporary stack being NULL, but the curr_ret_stack variable is copied from the parent. If it is not -1, then in ftrace_graph_probe_sched_switch() the following: for (index = next->curr_ret_stack; index >= 0; index--) next->ret_stack[index].calltime += timestamp; Will cause a kernel OOPS. Found with Li Zefan's ftrace_stress_test. Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 65bddd361043f9e65122c39f714d3d6471c5c0e3 Author: Frederic Weisbecker Date: Sun Feb 28 20:51:15 2010 +0100 hw-breakpoints: Remove stub unthrottle callback commit 1e259e0a9982078896f3404240096cbea01daca4 upstream. We support event unthrottling in breakpoint events. It means that if we have more than sysctl_perf_event_sample_rate/HZ, perf will throttle, ignoring subsequent events until the next tick. So if ptrace exceeds this max rate, it will omit events, which breaks the ptrace determinism that is supposed to report every triggered breakpoints. This is likely to happen if we set sysctl_perf_event_sample_rate to 1. This patch removes support for unthrottling in breakpoint events to break throttling and restore ptrace determinism. Signed-off-by: Frederic Weisbecker Cc: Peter Zijlstra Cc: K.Prasad Cc: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit 1dc877c1e87d46ba2bfaac30af5e1dde77b72d1c Author: Frederic Weisbecker Date: Wed Mar 3 02:25:22 2010 +0100 x86/stacktrace: Don't dereference bad frame pointers commit 29044ad1509ecc229f1d5a31aeed7a8dc61a71c4 upstream. Callers of a stacktrace might pass bad frame pointers. Those are usually checked for safety in stack walking helpers before any dereferencing, but this is not the case when we need to go through one more frame pointer that backlinks the irq stack to the previous one, as we don't have any reliable address boudaries to compare this frame pointer against. This raises crashes when we record callchains for ftrace events with perf because we don't use the right helpers to capture registers there. We get wrong frame pointers as we call task_pt_regs() even on kernel threads, which is a wrong thing as it gives us the initial state of any kernel threads freshly created. This is even not what we want for user tasks. What we want is a hot snapshot of registers when the ftrace event triggers, not the state before a task entered the kernel. This requires more thoughts to do it correctly though. So first put a guardian to ensure the given frame pointer can be dereferenced to avoid crashes. We'll think about how to fix the callers in a subsequent patch. Signed-off-by: Frederic Weisbecker Cc: Ingo Molnar Cc: Thomas Gleixner Cc: H. Peter Anvin Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Steven Rostedt Cc: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 429f074ef0e55415bb6bd72acca5be2e952719da Author: Suresh Siddha Date: Thu Feb 18 11:51:40 2010 -0800 x86_64, cpa: Don't work hard in preserving kernel 2M mappings when using 4K already commit 281ff33b7c1b1ba2a5f9b03425e5f692a94913fa upstream. We currently enforce the !RW mapping for the kernel mapping that maps holes between different text, rodata and data sections. However, kernel identity mappings will have different RWX permissions to the pages mapping to text and to the pages padding (which are freed) the text, rodata sections. Hence kernel identity mappings will be broken to smaller pages. For 64-bit, kernel text and kernel identity mappings are different, so we can enable protection checks that come with CONFIG_DEBUG_RODATA, as well as retain 2MB large page mappings for kernel text. Konrad reported a boot failure with the Linux Xen paravirt guest because of this. In this paravirt guest case, the kernel text mapping and the kernel identity mapping share the same page-table pages. Thus forcing the !RW mapping for some of the kernel mappings also cause the kernel identity mappings to be read-only resulting in the boot failure. Linux Xen paravirt guest also uses 4k mappings and don't use 2M mapping. Fix this issue and retain large page performance advantage for native kernels by not working hard and not enforcing !RW for the kernel text mapping, if the current mapping is already using small page mapping. Reported-by: Konrad Rzeszutek Wilk Signed-off-by: Suresh Siddha LKML-Reference: <1266522700.2909.34.camel@sbs-t61.sc.intel.com> Tested-by: Konrad Rzeszutek Wilk Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 01a8e5d5cc7a5dde54fbff3cee4792a2501d133b Author: Lai Jiangshan Date: Mon Mar 8 14:50:43 2010 +0800 ring-buffer: Move disabled check into preempt disable section commit 52fbe9cde7fdb5c6fac196d7ebd2d92d05ef3cd4 upstream. The ring buffer resizing and resetting relies on a schedule RCU action. The buffers are disabled, a synchronize_sched() is called and then the resize or reset takes place. But this only works if the disabling of the buffers are within the preempt disabled section, otherwise a window exists that the buffers can be written to while a reset or resize takes place. Reported-by: Li Zefan Signed-off-by: Lai Jiangshan LKML-Reference: <4B949E43.2010906@cn.fujitsu.com> Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit cd8c2b3ae748b9e8e0c9bc397a5b030800f637ae Author: Bob Copeland Date: Wed Jan 20 23:51:04 2010 -0500 ath5k: fix setup for CAB queue commit a951ae2176b982574ffa197455db6c89359fd5eb upstream. The beacon sent gating doesn't seem to work with any combination of flags. Thus, buffered frames tend to stay buffered forever, using up tx descriptors. Instead, use the DBA gating and hold transmission of the buffered frames until 80% of the beacon interval has elapsed using the ready time. This fixes the following error in AP mode: ath5k phy0: no further txbuf available, dropping packet Add a comment to acknowledge that this isn't the best solution. Signed-off-by: Bob Copeland Acked-by: Nick Kossifidis Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d50ef74730f3f3d876dc9e0fe7ce22c57c4ec67d Author: Bob Copeland Date: Wed Jan 20 23:51:03 2010 -0500 ath5k: dont use external sleep clock in AP mode commit 5d6ce628f986d1a3c523cbb0a5a52095c48cc332 upstream. When using the external sleep clock in AP mode, the TSF increments too quickly, causing beacon interval to be much lower than it is supposed to be, resulting in lots of beacon-not-ready interrupts. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=14802. Signed-off-by: Bob Copeland Acked-by: Nick Kossifidis Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b55c7626ed9e89a5260ec43712a87495978ed519 Author: Bruno Randolf Date: Tue Mar 9 16:56:05 2010 +0900 ath5k: fix I/Q calibration (for real) commit 86415d43efd4f7093979cfa8a80232114266f1a4 upstream. I/Q calibration was completely broken, resulting in a high number of CRC errors on received packets. before i could see around 10% to 20% CRC errors, with this patch they are between 0% and 3%. 1.) the removal of the mask in commit "ath5k: Fix I/Q calibration (f1cf2dbd0f798b71b1590e7aca6647f2caef1649)" resulted in no mask beeing used when writing the I/Q values into the register. additional errors in the calculation of the values (see 2.) resulted too high numbers, exceeding the masks, so wrong values like 0xfffffffe were written. to be safe we should always use the bitmask when writing parts of a register. 2.) using a (s32) cast for q_coff is a wrong conversion to signed, since we convert to a signed value later by substracting 128. this resulted in too low numbers for Q many times, which were limited to -16 by the boundary check later on. 3.) checked everything against the HAL sources and took over comments and minor optimizations from there. 4.) we can't use ENABLE_BITS when we want to write a number (the number can contain zeros). also always write the correction values first and set ENABLE bit last, like the HAL does. Signed-off-by: Bruno Randolf Acked-by: Nick Kossifidis Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 266623b31c992d23a8651b15032c365e8db39fe2 Author: Jean Delvare Date: Sat Mar 13 20:56:53 2010 +0100 i2c-i801: Don't use the block buffer for I2C block writes commit c074c39d62306efa5ba7c69c1a1531bc7333d252 upstream. Experience has shown that the block buffer can only be used for SMBus (not I2C) block transactions, even though the datasheet doesn't mention this limitation. Reported-by: Felix Rubinstein Signed-off-by: Jean Delvare Cc: Oleg Ryjkov Signed-off-by: Greg Kroah-Hartman commit a9eaacfdf1ca545dcc62ace6ecd76da2aa37d18b Author: Jean Delvare Date: Sat Mar 13 20:56:52 2010 +0100 i2c-powermac: Be less verbose in the absence of real errors. commit 8e4b980c28c91cfe9d0ce0431bc0af56e146b49e upstream. Be less verbose in the absence of real errors. We don't have to report failed probes to the users, it's only confusing them. Signed-off-by: Jean Delvare Tested-by: Andrey Gusev Cc: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit ad39fbecc30503ad6a332a0ca4190c5656bf7a76 Author: Christoph Fritz Date: Sat Mar 13 22:26:23 2010 -0800 Input: i8042 - add ALDI/MEDION netbook E1222 to qurik reset table commit 31968ecf584330b51a25b7bf881c2b632a02a3fb upstream. ALDI/MEDION netbook E1222 needs to be in the reset quirk list for its touchpad's proper function. Reported-by: Michael Fischer Signed-off-by: Christoph Fritz Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 73c6d0219f48dd142e2c9d1bba960c1da937babf Author: Thomas Bächler Date: Tue Mar 9 20:38:48 2010 -0800 Input: alps - add support for the touchpad on Toshiba Tecra A11-11L commit eb8bff85c5bd5caef7c374ff32b86545029efb56 upstream. Signed-off-by: Thomas Bächler Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 9e6776b6653afe1df9b362d4667a82070a1dd5f1 Author: john stultz Date: Mon Mar 1 12:34:43 2010 -0800 timekeeping: Prevent oops when GENERIC_TIME=n commit ad6759fbf35d104dbf573cd6f4c6784ad6823f7e upstream. Aaro Koskinen reported an issue in kernel.org bugzilla #15366, where on non-GENERIC_TIME systems, accessing /sys/devices/system/clocksource/clocksource0/current_clocksource results in an oops. It seems the timekeeper/clocksource rework missed initializing the curr_clocksource value in the !GENERIC_TIME case. Thanks to Aaro for reporting and diagnosing the issue as well as testing the fix! Reported-by: Aaro Koskinen Signed-off-by: John Stultz Cc: Martin Schwidefsky LKML-Reference: <1267475683.4216.61.camel@localhost.localdomain> Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9ba9ca73e6155efd4137e93796835b4377801893 Author: Takashi Iwai Date: Mon Mar 8 12:13:07 2010 +0100 ALSA: hda - Fix input source elements of secondary ADCs on Realtek commit 5311114d4867113c00f78829d4ce14be458ec925 upstream. Since alc_auto_create_input_ctls() doesn't set the elements for the secondary ADCs, "Input Source" elemtns for these also get empty, resulting in buggy outputs of alsactl like: control.14 { comment.access 'read write' comment.type ENUMERATED comment.count 1 iface MIXER name 'Input Source' index 1 value 0 } This patch fixes alc_mux_enum_*() (and others) to fall back to the first entry if the secondary input mux is empty. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f46a0cd9a472a3f3c2d10f99558ef5b70f88ee8c Author: Ralf Gerbig Date: Tue Mar 9 18:25:47 2010 +0100 ALSA: hda - Sound MSI fallout on a Asus mobo NVIDIA MCP55 commit ecd216260f87dd8c14b2580a16f055554644bbea upstream. without the following patch audio ssttuutteerrs on ASUS M2N32-SLI PREMIUM ACPI BIOS Revision 1304 the sound device is: 00:0e.1 Audio device: nVidia Corporation MCP55 High Definition Audio (rev a2) worked with 2.6.32 Signed-off-by: Ralf Gerbig Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 58a60dad3f8990492c6dccc2e5b9ed751c222316 Author: Louis Rilling Date: Tue Mar 9 06:14:41 2010 +0000 tg3: Fix tg3_poll_controller() passing wrong pointer to tg3_interrupt() commit fe234f0e5cbb880792d2d1ac0743cf8c07e9dde3 upstream. Commit 09943a1819a240ff4a72f924d0038818fcdd0a90 Author: Matt Carlson Date: Fri Aug 28 14:01:57 2009 +0000 tg3: Convert ISR parameter to tnapi forgot to update tg3_poll_controller(), leading to intermittent crashes with netpoll. Fix this. Signed-off-by: Louis Rilling Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5421e40def70b76fb0a677f963a8390b6c3cc69a Author: Sujith Date: Mon Mar 1 14:42:57 2010 +0530 mac80211: Fix HT rate control configuration commit 4fa004373133ece3d9b1c0a7e243b0e53760b165 upstream. Handling HT configuration changes involved setting the channel with the new HT parameters and then issuing a rate_update() notification to the driver. This behavior changed after the off-channel changes. Now, the channel is not updated with the new HT params in enable_ht() - instead, it is now done when the scan work terminates. This results in the driver depending on stale information, defaulting to non-HT mode always. Fix this by passing the new channel type to the driver. Signed-off-by: Sujith Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6c6a223088cf477b941fd57806dd0187ada219a0 Author: Russell King Date: Thu Feb 25 23:56:38 2010 +0000 ARM: Fix decompressor's kernel size estimation for ROM=y commit 98e12b5a6e05413420a7e3b3eca7fbfc2ff41b6d upstream. Commit 2552fc2 changed the way the decompressor decides if it is safe to decompress the kernel directly to its final location. Unfortunately, it took the top of the compressed data as being the stack pointer, which it is for ROM=n cases. However, for ROM=y, the stack pointer is not relevant, and results in the wrong answer. Fix this by explicitly storing the end of the biggybacked data in the decompressor, and use that to calculate the compressed image size. Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit d47325e5f164717e0b9f9158c5cd1b3acc30d7b3 Author: Russell King Date: Wed Mar 10 15:23:53 2010 -0800 decompress: fix new decompressor for PIC commit 5ceaa2f39bfa73c4398cd01e78f1c3ebde3d3383 upstream. The ARM kernel decompressor wants to be able to relocate r/w data independently from the rest of the image, and we do this by ensuring that r/w data has global visibility. Define STATIC_RW_DATA to be empty to achieve this. Signed-off-by: Russell King Cc: Alain Knaff Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 997c7813cedb9829ef8973c8ed35ecba486925ac Author: Julia Lawall Date: Wed Mar 10 15:20:42 2010 -0800 drivers/scsi/ses.c: eliminate double free commit 9b3a6549b2602ca30f58715a0071e29f9898cae9 upstream. The few lines below the kfree of hdr_buf may go to the label err_free which will also free hdr_buf. The most straightforward solution seems to be to just move the kfree of hdr_buf after these gotos. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @r@ identifier E; expression E1; iterator I; statement S; @@ *kfree(E); ... when != E = E1 when != I(E,...) S when != &E *kfree(E); // Signed-off-by: Julia Lawall Cc: James Bottomley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman