commit 4640b4e7d9919e9629fe8456df94f71658431ef9 Author: Greg Kroah-Hartman Date: Wed May 12 15:04:27 2010 -0700 Linux 2.6.33.4 commit f32041d369d10bf7bfae39c6b8597fa8463ec304 Author: Ralf Baechle Date: Fri Apr 23 02:56:38 2010 +0100 MIPS: Sibyte: Apply M3 workaround only on affected chip types and versions. (cherry picked from commit e65c7f33d75e977350ca350573d93c517ec02776) Previously it was unconditionally used on all Sibyte family SOCs. The M3 bug has to be handled in the TLB exception handler which is extremly performance sensitive, so this modification is expected to deliver around 2-3% performance improvment. This is important as required changes to the M3 workaround will make it more costly. Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 79d1e78997cd0030d4b449f4b8df46f933c480d7 Author: James Bottomley Date: Tue May 4 16:51:40 2010 -0400 SCSI: Retry commands with UNIT_ATTENTION sense codes to fix ext3/ext4 I/O error commit 77a4229719e511a0d38d9c355317ae1469adeb54 upstream. There's nastyness in the way we currently handle barriers (and discards): They're effectively filesystem commands, but they get processed as BLOCK_PC commands. Unfortunately BLOCK_PC commands are taken by SCSI to be SG_IO commands and the issuer expects to see and handle any returned errors, however trivial. This leads to a huge problem, because the block layer doesn't expect this to happen and any trivially retryable error on a barrier causes an immediate I/O error to the filesystem. The only real way to hack around this is to take the usual class of offending errors (unit attentions) and make them all retryable in the case of a REQ_HARDBARRIER. A correct fix would involve a rework of the entire block and SCSI submit system, and so is out of scope for a quick fix. Cc: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 7c18009f1822fd261cb7549560b44e1ebad51a11 Author: Hannes Reinecke Date: Tue May 4 16:49:21 2010 +0200 Enable retries for SYNCRONIZE_CACHE commands to fix I/O error commit c213e1407be6b04b144794399a91472e0ef92aec upstream. Some arrays are giving I/O errors with ext3 filesystems when SYNCHRONIZE_CACHE gets a UNIT_ATTENTION. What is happening is that these commands have no retries, so the UNIT_ATTENTION causes the barrier to fail. We should be enable retries here to clear any transient error and allow the barrier to succeed. Signed-off-by: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit a8717970e99de8f12cf65c00d9de3229138cde0e Author: Douglas Gilbert Date: Sun Apr 25 12:30:23 2010 +0200 scsi_debug: virtual_gb ignores sector_size commit 5447ed6c968e7270b656afa273c2b79d15d82edd upstream. In the scsi_debug driver, the virtual_gb option ignores the sector_size, implicitly assuming that is 512 bytes. So if 'virtual_gb=1 sector_size=4096' the result is an 8 GB (virtual) disk. Signed-off-by: Douglas Gilbert Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 2df9c62f2c89b7f3449a956167d337e0b3c3e1f8 Author: Mike Christie Date: Sat Apr 24 16:21:19 2010 -0500 SCSI: libiscsi: regression: fix header digest errors commit 96b1f96dcab87756c0a1e7ba76bc5dc2add82b88 upstream. This fixes a regression introduced with this commit: commit d3305f3407fa3e9452079ec6cc8379067456e4aa Author: Mike Christie Date: Thu Aug 20 15:10:58 2009 -0500 [SCSI] libiscsi: don't increment cmdsn if cmd is not sent in 2.6.32. When I moved the hdr->cmdsn after init_task, I added a bug when header digests are used. The problem is that the LLD may calculate the header digest in init_task, so if we then set the cmdsn after the init_task call we change what the digest will be calculated by the target. Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 5a904363da074781118bc161a1149494bf195128 Author: Tejun Heo Date: Thu Apr 15 09:00:08 2010 +0900 SCSI: fix locking around blk_abort_request() commit 70b25f890ce9f0520c64075ce9225a5b020a513e upstream. blk_abort_request() expects queue lock to be held by the caller. Grab it before calling the function. Lack of this synchronization led to infinite loop on corrupt q->timeout_list. Signed-off-by: Tejun Heo Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3054cd85318d5bcf403352746bda26287b1efe9f Author: Jakob Viketoft Date: Wed May 5 18:25:27 2010 +0800 pxa/colibri: fix missing #include in colibri.h commit ccb8d8d070b8f25f0163da5c9ceacf63a5169540 upstream. The use of mfp_cfg_t causes build errors without including . CC: Daniel Mack Signed-off-by: Jakob Viketoft Signed-off-by: Eric Miao Signed-off-by: Greg Kroah-Hartman commit 2d49835cc4126fb2a029ad7a9d8804cffa2fc9f1 Author: Arjan van de Ven Date: Sat May 8 15:47:37 2010 -0700 cpuidle: Fix incorrect optimization commit 1c6fe0364fa7bf28248488753ee0afb6b759cd04 upstream. commit 672917dcc78 ("cpuidle: menu governor: reduce latency on exit") added an optimization, where the analysis on the past idle period moved from the end of idle, to the beginning of the new idle. Unfortunately, this optimization had a bug where it zeroed one key variable for new use, that is needed for the analysis. The fix is simple, zero the variable after doing the work from the previous idle. During the audit of the code that found this issue, another issue was also found; the ->measured_us data structure member is never set, a local variable is always used instead. Signed-off-by: Arjan van de Ven Cc: Corrado Zoccolo Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3fc72e6eeef7e8a1b8499886fcebd25b4deee909 Author: Kamal Mostafa Date: Tue Apr 27 14:02:40 2010 -0700 ACPI: sleep: init_set_sci_en_on_resume for Dell Studio 155x commit ea5bc73f4f56449b2d450068d492bcd17a675d7a upstream. Add Dell Studio models (1558, 1557, 1555) to the 'set_sci_en_on_resume' list to fix hang on resume. BugLink: http://bugs.launchpad.net/bugs/553498 Signed-off-by: Kamal Mostafa Acked-by: Alex Chiang Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 912e28b8c8390235097fd471b91f5c8c2c0f083e Author: Dan Carpenter Date: Tue Apr 27 14:01:07 2010 -0700 power_meter: acpi_device_class "power_meter_resource" too long commit 18262714ca0fb65c290b8ea1807b2b02bb52d0e3 upstream. acpi_device_class can only be 19 characters and a NULL terminator. The current code has a buffer overflow in acpi_power_meter_add(): strcpy(acpi_device_class(device), ACPI_POWER_METER_CLASS); Signed-off-by: Dan Carpenter Cc: Len Brown Cc: "Darrick J. Wong" Signed-off-by: Andrew Morton Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit a84461fa4a30a846ac0e590e3ceea88ec10fed89 Author: Alex Chiang Date: Tue Apr 20 08:03:14 2010 -0600 ACPI: DMI init_set_sci_en_on_resume for multiple Lenovo ThinkPads commit 07bedca29b0973f36a6b6db36936deed367164ed upstream. Multiple Lenovo ThinkPad models with Intel Core i5/i7 CPUs can successfully suspend/resume once, and then hang on the second s/r cycle. We got confirmation that this was due to a BIOS defect. The BIOS did not properly set SCI_EN coming out of S3. The BIOS guys hinted that The Other Leading OS ignores the fact that hardware owns the bit and sets it manually. In any case, an existing DMI table exists for machines where this defect is a known problem. Lenovo promise to fix their BIOS, but for folks who either won't or can't upgrade their BIOS, allow Linux to workaround the issue. https://bugzilla.kernel.org/show_bug.cgi?id=15407 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/532374 Confirmed by numerous testers in the launchpad bug that using acpi_sleep=sci_force_enable fixes the issue. We add the machines to acpisleep_dmi_table[] to automatically enable this workaround. Cc: Colin King Signed-off-by: Alex Chiang Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 9dfffb5f7f813c58de1416efbff2eb617ac73c2a Author: Bjørn Mork Date: Wed Mar 24 07:57:57 2010 -0300 V4L/DVB: budget: Oops: "BUG: unable to handle kernel NULL pointer dereference" commit 6f550dc08369ee0bc6402963c377e65f0f2e3b71 upstream. Never call dvb_frontend_detach if we failed to attach a frontend. This fixes the following oops, which will be triggered by a missing stv090x module: [ 8.172997] DVB: registering new adapter (TT-Budget S2-1600 PCI) [ 8.209018] adapter has MAC addr = 00:d0:5c:cc:a7:29 [ 8.328665] Intel ICH 0000:00:1f.5: PCI INT B -> GSI 17 (level, low) -> IRQ 17 [ 8.328753] Intel ICH 0000:00:1f.5: setting latency timer to 64 [ 8.562047] DVB: Unable to find symbol stv090x_attach() [ 8.562117] BUG: unable to handle kernel NULL pointer dereference at 000000ac [ 8.562239] IP: [] dvb_frontend_detach+0x4/0x67 [dvb_core] Ref http://bugs.debian.org/575207 Signed-off-by: Bjørn Mork Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 14f3f308ad22df647485f680b3b4f552689f23e2 Author: Gabriele A. Trombetti Date: Wed Apr 28 11:51:17 2010 +1000 md/raid6: Fix raid-6 read-error correction in degraded state commit 87aa63000c484bfb9909989316f615240dfee018 upstream. Fix: Raid-6 was not trying to correct a read-error when in singly-degraded state and was instead dropping one more device, going to doubly-degraded state. This patch fixes this behaviour. Tested-by: Janos Haar Signed-off-by: Gabriele A. Trombetti Reported-by: Janos Haar Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 23f16e57f5f2b341129c131fc809c105261338f9 Author: Stijn Tintel Date: Fri May 7 14:28:34 2010 +0930 virtio: initialize earlier commit e2dbe06c271f3bb2a495627980aad3d1d8ccef2a upstream. Move initialization of the virtio framework before the initialization of mtd, so that block2mtd can be used on virtio-based block devices. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=15644 Signed-off-by: Stijn Tintel Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9612e630b3e524c8c87cf3e04b04513eff67af71 Author: NeilBrown Date: Fri May 7 19:44:26 2010 +1000 md: restore ability of spare drives to spin down. commit 1176568de7e066c0be9e46c37503b9fd4730edcf upstream. Some time ago we stopped the clean/active metadata updates from being written to a 'spare' device in most cases so that it could spin down and say spun down. Device failure/removal etc are still recorded on spares. However commit 51d5668cb2e3fd1827a55 broke this 50% of the time, depending on whether the event count is even or odd. The change log entry said: This means that the alignment between 'odd/even' and 'clean/dirty' might take a little longer to attain, how ever the code makes no attempt to create that alignment, so it could take arbitrarily long. So when we find that clean/dirty is not aligned with odd/even, force a second metadata-update immediately. There are already cases where a second metadata-update is needed immediately (e.g. when a device fails during the metadata update). We just piggy-back on that. Reported-by: Joe Bryant Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 4933574421fa12c89c29f95a57c6969be8c9e2d3 Author: Dan Carpenter Date: Thu Apr 22 12:05:35 2010 +0200 security: testing the wrong variable in create_by_name() commit b338cc8207eae46640a8d534738fda7b5e48511d upstream. There is a typo here. We should be testing "*dentry" instead of "dentry". If "*dentry" is an ERR_PTR, it gets dereferenced in either mkdir() or create() which would cause an OOPs. Signed-off-by: Dan Carpenter Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 70935714dcaf540b6b10328270948a0cda85ab18 Author: David S. Miller Date: Sat Apr 10 20:26:55 2010 -0700 sparc64: Fix memory leak in pci_register_iommu_region(). [ Upstream commit e182c77cc291456eed127b1472952ddb59a81a9d ] Found by kmemleak. If request_resource() fails, we leak the struct resource we allocated to represent the IOMMU mapping area. This actually happens on sun4v machines because the IOMEM area is only reported sans the IOMMU region, unlike all previous systems. I'll need to fix that at some point, but for now fix the leak. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 28a1bdd6c2e46a94d86929d5283b72808ee147e9 Author: David S. Miller Date: Mon May 10 05:19:10 2010 -0700 sparc64: Adjust __raw_local_irq_save() to cooperate in NMIs. [ Upstream commits 0c25e9e6cbe7b233bb91d14d0e2c258bf8e6ec83 and c011f80ba0912486fe51dd2b3f71d9b33a151188 ] If we are in an NMI then doing a plain raw_local_irq_disable() will write PIL_NORMAL_MAX into %pil, which is lower than PIL_NMI, and thus we'll re-enable NMIs and recurse. Doing a simple: %pil = %pil | PIL_NORMAL_MAX does what we want, if we're already at PIL_NMI (15) we leave it at that setting, else we set it to PIL_NORMAL_MAX (14). This should get the function tracer working on sparc64. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d59547af05037f84707a57c90cee3fdfecc8c4b7 Author: David S. Miller Date: Mon Apr 12 22:16:22 2010 -0700 sparc64: Use kstack_valid() in die_if_kernel(). [ Upstream commit cb256aa60409efd803806cfb0528a4b3f8397dba ] This gets rid of a local function (is_kernel_stack()) which tries to do the same thing, yet poorly in that it doesn't handle IRQ stacks properly. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 632b87bf40eefba3fccfdeeca550540eb9c78345 Author: David S. Miller Date: Tue Apr 20 00:48:37 2010 -0700 sparc64: Fix hardirq tracing in trap return path. [ Upstream commit 28a1f533ae8606020238b840b82ae70a3f87609e ] We can overflow the hardirq stack if we set the %pil here so early, just let the normal control flow do it. This is fine as we are allowed to do the actual IRQ enable at any point after we call trace_hardirqs_on. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e460d8d05b193b8f51af1220cf60963a53d9c5a9 Author: David S. Miller Date: Mon Apr 19 01:30:51 2010 -0700 sparc64: Fix PREEMPT_ACTIVE value. [ Upstream commit 6c94b1ee0ca2bfb526d779c088ec20da6a3761db ] It currently overlaps the NMI bit. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cef0d77411b68ff897c9dc8370394baee004bbe2 Author: David S. Miller Date: Mon Apr 19 13:46:48 2010 -0700 sparc64: Use correct pt_regs in decode_access_size() error paths. [ Upstream commit baa06775e224e9f74e5c2de894c95cd49678beff ] Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 490b9c7aa0a31294aaa2b445c59cfb95979b7f04 Author: Krzysztof Halasa Date: Wed Apr 14 14:09:52 2010 +0000 WAN: flush tx_queue in hdlc_ppp to prevent panic on rmmod hw_driver. [ Upstream commit 31f634a63de7068c6a5dcb0d7b09b24b61a5cf88 ] tx_queue is used as a temporary queue when not allowed to queue skb directly to the hw device driver (which may sleep). Most paths flush it before returning, but ppp_start() currently cannot. Make sure we don't leave skbs pointing to a non-existent device. Thanks to Michael Barkowski for reporting this problem. Signed-off-by: Krzysztof Hałasa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5049664c319adc3f8d136c2fc4bf9d57c33ffe57 Author: Jorge Boncompte [DTI2] Date: Thu Apr 8 04:56:48 2010 +0000 udp: fix for unicast RX path optimization [ Upstream commit 1223c67c0938d2df309fde618bd82c87c8c1af04 ] Commits 5051ebd275de672b807c28d93002c2fb0514a3c9 and 5051ebd275de672b807c28d93002c2fb0514a3c9 ("ipv[46]: udp: optimize unicast RX path") broke some programs. After upgrading a L2TP server to 2.6.33 it started to fail, tunnels going up an down, after the 10th tunnel came up. My modified rp-l2tp uses a global unconnected socket bound to (INADDR_ANY, 1701) and one connected socket per tunnel after parameter negotiation. After ten sockets were open and due to mixed parameters to udp[46]_lib_lookup2() kernel started to drop packets. Signed-off-by: Jorge Boncompte [DTI2] Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8ccd10349128212f41b131cd2772917c06c51406 Author: Michael S. Tsirkin Date: Tue Apr 13 04:59:44 2010 +0000 tun: orphan an skb on tx [ Upstream commit 0110d6f22f392f976e84ab49da1b42f85b64a3c5 ] The following situation was observed in the field: tap1 sends packets, tap2 does not consume them, as a result tap1 can not be closed. This happens because tun/tap devices can hang on to skbs undefinitely. As noted by Herbert, possible solutions include a timeout followed by a copy/change of ownership of the skb, or always copying/changing ownership if we're going into a hostile device. This patch implements the second approach. Note: one issue still remaining is that since skbs keep reference to tun socket and tun socket has a reference to tun device, we won't flush backlog, instead simply waiting for all skbs to get transmitted. At least this is not user-triggerable, and this was not reported in practice, my assumption is other devices besides tap complete an skb within finite time after it has been queued. A possible solution for the second issue would not to have socket reference the device, instead, implement dev->destructor for tun, and wait for all skbs to complete there, but this needs some thought, probably too risky for 2.6.34. Signed-off-by: Michael S. Tsirkin Tested-by: Yan Vugenfirer Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a8464342dfdfd918bcf7ceb98281210d80ee89b4 Author: Neil Horman Date: Wed Mar 3 08:31:23 2010 +0000 tipc: Fix oops on send prior to entering networked mode (v3) [ Upstream commit d0021b252eaf65ca07ed14f0d66425dd9ccab9a6 ] Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE user programs can oops the kernel by sending datagrams via AF_TIPC prior to entering networked mode. The following backtrace has been observed: ID: 13459 TASK: ffff810014640040 CPU: 0 COMMAND: "tipc-client" [exception RIP: tipc_node_select_next_hop+90] RIP: ffffffff8869d3c3 RSP: ffff81002d9a5ab8 RFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000001001001 RBP: 0000000001001001 R8: 0074736575716552 R9: 0000000000000000 R10: ffff81003fbd0680 R11: 00000000000000c8 R12: 0000000000000008 R13: 0000000000000001 R14: 0000000000000001 R15: ffff810015c6ca00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 RIP: 0000003cbd8d49a3 RSP: 00007fffc84e0be8 RFLAGS: 00010206 RAX: 000000000000002c RBX: ffffffff8005d116 RCX: 0000000000000000 RDX: 0000000000000008 RSI: 00007fffc84e0c00 RDI: 0000000000000003 RBP: 0000000000000000 R8: 00007fffc84e0c10 R9: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffc84e0d10 R14: 0000000000000000 R15: 00007fffc84e0c30 ORIG_RAX: 000000000000002c CS: 0033 SS: 002b What happens is that, when the tipc module in inserted it enters a standalone node mode in which communication to its own address is allowed <0.0.0> but not to other addresses, since the appropriate data structures have not been allocated yet (specifically the tipc_net pointer). There is nothing stopping a client from trying to send such a message however, and if that happens, we attempt to dereference tipc_net.zones while the pointer is still NULL, and explode. The fix is pretty straightforward. Since these oopses all arise from the dereference of global pointers prior to their assignment to allocated values, and since these allocations are small (about 2k total), lets convert these pointers to static arrays of the appropriate size. All the accesses to these bits consider 0/NULL to be a non match when searching, so all the lookups still work properly, and there is no longer a chance of a bad dererence anywhere. As a bonus, this lets us eliminate the setup/teardown routines for those pointers, and elimnates the need to preform any locking around them to prevent access while their being allocated/freed. I've updated the tipc_net structure to behave this way to fix the exact reported problem, and also fixed up the tipc_bearers and media_list arrays to fix an obvious simmilar problem that arises from issuing tipc-config commands to manipulate bearers/links prior to entering networked mode I've tested this for a few hours by running the sanity tests and stress test with the tipcutils suite, and nothing has fallen over. There have been a few lockdep warnings, but those were there before, and can be addressed later, as they didn't actually result in any deadlock. Signed-off-by: Neil Horman CC: Allan Stephens CC: David S. Miller CC: tipc-discussion@lists.sourceforge.net Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit de0737be8e8f3bc0af093d73d816347b99cf9df6 Author: Steven J. Magnani Date: Tue Mar 30 13:56:01 2010 -0700 net: Fix oops from tcp_collapse() when using splice() [ Upstream commit baff42ab1494528907bf4d5870359e31711746ae ] tcp_read_sock() can have a eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock. A userspace program that splices data from a socket to either another socket or to a file can trigger this bug. Signed-off-by: Steven J. Magnani Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8cee6e2f8cd203fd5dfaf10a54b64084eb572e02 Author: Vlad Yasevich Date: Wed Apr 28 08:47:22 2010 +0000 sctp: Fix oops when sending queued ASCONF chunks [ Upstream commit c0786693404cffd80ca3cb6e75ee7b35186b2825 ] When we finish processing ASCONF_ACK chunk, we try to send the next queued ASCONF. This action runs the sctp state machine recursively and it's not prepared to do so. kernel BUG at kernel/timer.c:790! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/module/ipv6/initstate Modules linked in: sha256_generic sctp libcrc32c ipv6 dm_multipath uinput 8139too i2c_piix4 8139cp mii i2c_core pcspkr virtio_net joydev floppy virtio_blk virtio_pci [last unloaded: scsi_wait_scan] Pid: 0, comm: swapper Not tainted 2.6.34-rc4 #15 /Bochs EIP: 0060:[] EFLAGS: 00010286 CPU: 0 EIP is at add_timer+0xd/0x1b EAX: cecbab14 EBX: 000000f0 ECX: c0957b1c EDX: 03595cf4 ESI: cecba800 EDI: cf276f00 EBP: c0957aa0 ESP: c0957aa0 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process swapper (pid: 0, ti=c0956000 task=c0988ba0 task.ti=c0956000) Stack: c0957ae0 d1851214 c0ab62e4 c0ab5f26 0500ffff 00000004 00000005 00000004 <0> 00000000 d18694fd 00000004 1666b892 cecba800 cecba800 c0957b14 00000004 <0> c0957b94 d1851b11 ceda8b00 cecba800 cf276f00 00000001 c0957b14 000000d0 Call Trace: [] ? sctp_side_effects+0x607/0xdfc [sctp] [] ? sctp_do_sm+0x108/0x159 [sctp] [] ? sctp_pname+0x0/0x1d [sctp] [] ? sctp_primitive_ASCONF+0x36/0x3b [sctp] [] ? sctp_process_asconf_ack+0x2a4/0x2d3 [sctp] [] ? sctp_sf_do_asconf_ack+0x1dd/0x2b4 [sctp] [] ? sctp_do_sm+0xb8/0x159 [sctp] [] ? sctp_cname+0x0/0x52 [sctp] [] ? sctp_assoc_bh_rcv+0xac/0xe1 [sctp] [] ? sctp_inq_push+0x2d/0x30 [sctp] [] ? sctp_rcv+0x797/0x82e [sctp] Tested-by: Wei Yongjun Signed-off-by: Yuansong Qiao Signed-off-by: Shuaijun Zhang Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 81540f22cef374ccb7fb4f10b4ff4630c93490e1 Author: Wei Yongjun Date: Wed Apr 28 08:47:21 2010 +0000 sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set [ Upstream commita8170c35e738d62e9919ce5b109cf4ed66e95bde ] When calculating the INIT/INIT-ACK chunk length, we should not only account the length of parameters, but also the parameters zero padding length, such as AUTH HMACS parameter and CHUNKS parameter. Without the parameters zero padding length we may get following oops. skb_over_panic: text:ce2068d2 len:130 put:6 head:cac3fe00 data:cac3fe00 tail:0xcac3fe82 end:0xcac3fe80 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:127! invalid opcode: 0000 [#2] SMP last sysfs file: /sys/module/aes_generic/initstate Modules linked in: authenc ...... Pid: 4102, comm: sctp_darn Tainted: G D 2.6.34-rc2 #6 EIP: 0060:[] EFLAGS: 00010282 CPU: 0 EIP is at skb_over_panic+0x37/0x3e EAX: 00000078 EBX: c07c024b ECX: c07c02b9 EDX: cb607b78 ESI: 00000000 EDI: cac3fe7a EBP: 00000002 ESP: cb607b74 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process sctp_darn (pid: 4102, ti=cb607000 task=cabdc990 task.ti=cb607000) Stack: c07c02b9 ce2068d2 00000082 00000006 cac3fe00 cac3fe00 cac3fe82 cac3fe80 <0> c07c024b cac3fe7c cac3fe7a c0608dec ca986e80 ce2068d2 00000006 0000007a <0> cb8120ca ca986e80 cb812000 00000003 cb8120c4 ce208a25 cb8120ca cadd9400 Call Trace: [] ? sctp_addto_chunk+0x45/0x85 [sctp] [] ? skb_put+0x2e/0x32 [] ? sctp_addto_chunk+0x45/0x85 [sctp] [] ? sctp_make_init+0x279/0x28c [sctp] [] ? apic_timer_interrupt+0x2a/0x30 [] ? sctp_sf_do_prm_asoc+0x2b/0x7b [sctp] [] ? sctp_do_sm+0xa0/0x14a [sctp] [] ? sctp_pname+0x0/0x14 [sctp] [] ? sctp_primitive_ASSOCIATE+0x2b/0x31 [sctp] [] ? sctp_sendmsg+0x7a0/0x9eb [sctp] [] ? inet_sendmsg+0x3b/0x43 [] ? task_tick_fair+0x2d/0xd9 [] ? sock_sendmsg+0xa7/0xc1 [] ? smp_apic_timer_interrupt+0x6b/0x75 [] ? dequeue_task_fair+0x34/0x19b [] ? sched_clock_local+0x17/0x11e [] ? _copy_from_user+0x2b/0x10c [] ? verify_iovec+0x3c/0x6a [] ? sys_sendmsg+0x186/0x1e2 [] ? __wake_up_common+0x34/0x5b [] ? __wake_up+0x2c/0x3b [] ? tty_wakeup+0x43/0x47 [] ? remove_wait_queue+0x16/0x24 [] ? n_tty_read+0x5b8/0x65e [] ? default_wake_function+0x0/0x8 [] ? sys_socketcall+0x17f/0x1cd [] ? sysenter_do_call+0x12/0x22 Code: 0f 45 de 53 ff b0 98 00 00 00 ff b0 94 ...... EIP: [] skb_over_panic+0x37/0x3e SS:ESP 0068:cb607b74 To reproduce: # modprobe sctp # echo 1 > /proc/sys/net/sctp/addip_enable # echo 1 > /proc/sys/net/sctp/auth_enable # sctp_test -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 800 -l # sctp_darn -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 900 -h 192.168.0.21 -p 800 -I -s -t sctp_darn ready to send... 3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.0.21 3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.1.21 3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> snd=10 ------------------------------------------------------------------ eth0 has addresses: 3ffe:501:ffff:100:20c:29ff:fe4d:f37e and 192.168.0.21 eth1 has addresses: 192.168.1.21 ------------------------------------------------------------------ Reported-by: George Cheimonidis Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eddb4b2aebd5e13049c9fa20f38ff8485a6341aa Author: Vlad Yasevich Date: Wed Apr 28 08:47:20 2010 +0000 sctp: per_cpu variables should be in bh_disabled section [ Upstream commit 81419d862db743fe4450a021893f24bab4698c1d ] Since the change of the atomics to percpu variables, we now have to disable BH in process context when touching percpu variables. Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c9d7c3032e4d5850c4e019c186336466aa429626 Author: Vlad Yasevich Date: Wed Apr 28 08:47:19 2010 +0000 sctp: fix potential reference of a freed pointer [ Upstream commit 0c42749cffbb4a06be86c5e5db6c7ebad548781f ] When sctp attempts to update an assocition, it removes any addresses that were not in the updated INITs. However, the loop may attempt to refrence a transport with address after removing it. Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fbcf931163be5f6c34cad7f00dc59ed83146e158 Author: Wei Yongjun Date: Wed Apr 28 08:47:18 2010 +0000 sctp: avoid irq lock inversion while call sk->sk_data_ready() [ Upstream commit 561b1733a465cf9677356b40c27653dd45f1ac56 ] sk->sk_data_ready() of sctp socket can be called from both BH and non-BH contexts, but the default sk->sk_data_ready(), sock_def_readable(), can not be used in this case. Therefore, we have to make a new function sctp_data_ready() to grab sk->sk_data_ready() with BH disabling. ========================================================= [ INFO: possible irq lock inversion dependency detected ] 2.6.33-rc6 #129 --------------------------------------------------------- sctp_darn/1517 just changed the state of lock: (clock-AF_INET){++.?..}, at: [] sock_def_readable+0x20/0x80 but this lock took another, SOFTIRQ-unsafe lock in the past: (slock-AF_INET){+.-...} and interrupts could create inverse lock ordering between them. other info that might help us debug this: 1 lock held by sctp_darn/1517: #0: (sk_lock-AF_INET){+.+.+.}, at: [] sctp_sendmsg+0x23d/0xc00 [sctp] Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9a537dc8a33eb48eb5a6a2fdc5ced5251295b3ea Author: Herbert Xu Date: Wed Apr 21 00:47:15 2010 -0700 ipv6: Fix tcp_v6_send_response transport header setting. [ Upstream commit 6651ffc8e8bdd5fb4b7d1867c6cfebb4f309512c ] My recent patch to remove the open-coded checksum sequence in tcp_v6_send_response broke it as we did not set the transport header pointer on the new packet. Actually, there is code there trying to set the transport header properly, but it sets it for the wrong skb ('skb' instead of 'buff'). This bug was introduced by commit a8fdf2b331b38d61fb5f11f3aec4a4f9fb2dedcb ("ipv6: Fix tcp_v6_send_response(): it didn't set skb transport header") Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3aae65db0819a8f6bb440e12868986fc3891e96e Author: Stefan Schmidt Date: Mon Apr 26 11:20:32 2010 -0700 ieee802154: Fix oops during ieee802154_sock_ioctl [ Upstream commit 93c0c8b4a5a174645550d444bd5c3ff0cccf74cb ] Trying to run izlisten (from lowpan-tools tests) on a device that does not exists I got the oops below. The problem is that we are using get_dev_by_name without checking if we really get a device back. We don't in this case and writing to dev->type generates this oops. [Oops code removed by Dmitry Eremin-Solenikov] If possible this patch should be applied to the current -rc fixes branch. Signed-off-by: Stefan Schmidt Signed-off-by: Dmitry Eremin-Solenikov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5b0dede91684c855ab8e6abe7fa3513282f60fb6 Author: Torgny Johansson Date: Tue Apr 27 17:07:40 2010 -0700 cdc_ether: fix autosuspend for mbm devices [ Upstream commit 55964d72d63b15df49a5df11ef91dc8601270815 ] Autosuspend works until you bring the wwan interface up, then the device does not enter autosuspend anymore. The following patch fixes the problem by setting the .manage_power field in the mbm_info struct to the same as in the cdc_info struct (cdc_manager_power). Signed-off-by: Torgny Johansson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2afddab2958e63289a538985bfd8b584502de37b Author: Michael Chan Date: Tue Apr 27 11:28:09 2010 +0000 bnx2: Fix lost MSI-X problem on 5709 NICs. commit c441b8d2cb2194b05550a558d6d95d8944e56a84 upstream. It has been reported that under certain heavy traffic conditions in MSI-X mode, the driver can lose an MSI-X vector causing all packets in the associated rx/tx ring pair to be dropped. The problem is caused by the chip dropping the write to unmask the MSI-X vector by the kernel (when migrating the IRQ for example). This can be prevented by increasing the GRC timeout value for these register read and write operations. Thanks to Dell for helping us debug this problem. Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2a2f4e85df27a534760e704d0c84c178928fee1f Author: Vaidyanathan Srinivasan Date: Mon Mar 1 02:58:23 2010 +0000 powerpc: Reduce printk from pseries_mach_cpu_die() commit a8e6da093ea8642b1320fb5d64134366f2a8d0ac upstream. Remove debug printks in pseries_mach_cpu_die(). These are noisy at runtime. Traceevents can be added to instrument this section of code. The following KERN_INFO printks are removed: cpu 62 (hwid 62) returned from cede. Decrementer value = b2802fff Timebase value = 2fa8f95035f4a cpu 62 (hwid 62) got prodded to go online cpu 58 (hwid 58) ceding for offline with hint 2 Signed-off-by: Vaidyanathan Srinivasan Cc: Gautham R Shenoy Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 815d3145a7836f6c03671a2d1a009123869ea5f2 Author: Vaidyanathan Srinivasan Date: Mon Mar 1 02:58:16 2010 +0000 powerpc: Move checks in pseries_mach_cpu_die() commit 0212f2602a38e740d5a96aba4cebfc2ebc993ecf upstream. Rearrange condition checks for better code readability and prevention of possible race conditions when preferred_offline_state can potentially change during the execution of pseries_mach_cpu_die(). The patch will make pseries_mach_cpu_die() put cpu in one of the consistent states and not hit the run over BUG() Signed-off-by: Vaidyanathan Srinivasan Cc: Gautham R Shenoy Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit a3cbce7a301b4291814296fda0ec571fcc0a1c2e Author: Vaidyanathan Srinivasan Date: Mon Mar 1 02:58:09 2010 +0000 powerpc: Reset kernel stack on cpu online from cede state commit 8dbce53cc249a76e9450708d291fce5a7e29c6a1 upstream. Cpu hotplug (offline) without dlpar operation will place cpu in cede state and the extended_cede_processor() function will return when resumed. Kernel stack pointer needs to be reset before start_secondary() is called to continue the online operation. Added new function start_secondary_resume() to do the above steps. Signed-off-by: Vaidyanathan Srinivasan Cc: Gautham R Shenoy Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 467e1b31ef815aadd8c7648929fd1fa8d46b811d Author: Dave Chinner Date: Tue May 4 12:58:20 2010 +1000 xfs: add a shrinker to background inode reclaim commit 9bf729c0af67897ea8498ce17c29b0683f7f2028 upstream On low memory boxes or those with highmem, kernel can OOM before the background reclaims inodes via xfssyncd. Add a shrinker to run inode reclaim so that it inode reclaim is expedited when memory is low. This is more complex than it needs to be because the VM folk don't want a context added to the shrinker infrastructure. Hence we need to add a global list of XFS mount structures so the shrinker can traverse them. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Acked-by: Alex Elder Signed-off-by: Greg Kroah-Hartman commit 4d3dbcf9153c50f485094fdc8c3edb9affb49be8 Author: Andre Detsch Date: Mon Apr 26 07:27:07 2010 +0000 tg3: Fix INTx fallback when MSI fails commit dc8bf1b1a6edfc92465526de19772061302f0929 upstream. tg3: Fix INTx fallback when MSI fails MSI setup changes the value of irq_vec in struct tg3 *tp. This attribute must be taken into account and restored before we try to do a new request_irq for INTx fallback. In powerpc, the original code was leading to an EINVAL return within request_irq, because the driver was trying to use the disabled MSI virtual irq number instead of tp->pdev->irq. Signed-off-by: Andre Detsch Acked-by: Michael Chan Signed-off-by: David S. Miller Cc: Brandon Philips Signed-off-by: Greg Kroah-Hartman commit 023db2c37409af735e9eaee9bef89a1852e814fc Author: Douglas Gilbert Date: Sun Jan 3 13:51:15 2010 -0500 skip sense logging for some ATA PASS-THROUGH cdbs commit e7efe5932b1d3916c79326a4221693ea90a900e2 upstream. Further to the lsml thread titled: "does scsi_io_completion need to dump sense data for ata pass through (ck_cond = 1) ?" This is a patch to skip logging when the sense data is associated with a SENSE_KEY of "RECOVERED_ERROR" and the additional sense code is "ATA PASS-THROUGH INFORMATION AVAILABLE". This only occurs with the SAT ATA PASS-THROUGH commands when CK_COND=1 (in the cdb). It indicates that the sense data contains ATA registers. Smartmontools uses such commands on ATA disks connected via SAT. Periodic checks such as those done by smartd cause nuisance entries into logs that are: - neither errors nor warnings - pointless unless the cdb that caused them are also logged Signed-off-by: Douglas Gilbert Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit ab6beee9920960fb14034b45a53267aa1cc8198e Author: John W. Linville Date: Fri Apr 30 11:19:58 2010 -0400 ath9k: reorder ieee80211_free_hw behind ath9k_uninit_hw to avoid oops This code only exists in 2.6.33 -- 2.6.32 and 2.6.34 are not affected. Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2c37568740079771561744743016544439c162a6 Author: françois romieu Date: Mon Apr 26 11:42:58 2010 +0000 r8169: more broken register writes workaround commit 908ba2bfd22253f26fa910cd855e4ccffb1467d0 upstream. 78f1cd02457252e1ffbc6caa44a17424a45286b8 ("fix broken register writes") does not work for Al Viro's r8169 (XID 18000000). Signed-off-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 32540e100331b54d98555cdb30032a3febefa4a2 Author: Francois Romieu Date: Sat Mar 27 19:35:46 2010 -0700 r8169: fix broken register writes commit 78f1cd02457252e1ffbc6caa44a17424a45286b8 upstream. This is quite similar to b39fe41f481d20c201012e4483e76c203802dda7 though said registers are not even documented as 64-bit registers - as opposed to the initial TxDescStartAddress ones - but as single bytes which must be combined into 32 bits at the MMIO read/write level before being merged into a 64 bit logical entity. Credits go to Ben Hutchings for the MAR registers (aka "multicast is broken for ages on ARM) and to Timo Teräs for the MAC registers. Signed-off-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 669eda1d13d3ad19f10a05b22f7e07e413508b58 Author: David Dillow Date: Wed Mar 3 16:33:10 2010 +0000 r8169: use correct barrier between cacheable and non-cacheable memory commit 4c020a961a812ffae9846b917304cea504c3a733 upstream. r8169 needs certain writes to be visible to other CPUs or the NIC before touching the hardware, but was using smp_wmb() which is only required to order cacheable memory access. Switch to wmb() which is required to order both cacheable and non-cacheable memory. Noticed by Catalin Marinas and Paul Mackerras. Signed-off-by: David Dillow Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4c001c0bb68a1672bd85f08f44a3901a5e0382a7 Author: Wufei Date: Wed Apr 28 17:42:32 2010 -0400 kgdb: don't needlessly skip PAGE_USER test for Fsl booke commit 56151e753468e34aeb322af4b0309ab727c97d2e upstream. The bypassing of this test is a leftover from 2.4 vintage kernels, and is no longer appropriate, or even used by KGDB. Currently KGDB uses probe_kernel_write() for all access to memory via the KGDB core, so it can simply be deleted. This fixes CVE-2010-1446. CC: Benjamin Herrenschmidt CC: Paul Mackerras CC: Kumar Gala Signed-off-by: Wufei Signed-off-by: Jason Wessel Signed-off-by: Greg Kroah-Hartman commit 6d63e6f4f17a6cdb8f52fb4179820b6b96cab528 Author: Darren Jenkins Date: Wed Feb 17 23:40:15 2010 +1100 drivers/net/wireless/p54/txrx.c Fix off by one error commit 088ea189c4c75cdf211146faa4b341a0f7476be6 upstream. fix off by one error in the queue size check of p54_tx_qos_accounting_alloc() Coverity CID: 13314 Signed-off-by: Darren Jenkins Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3af5615059656baa13b1fe03f076e3f3367d80d4 Author: Bill Pemberton Date: Fri Apr 16 08:01:20 2010 -0500 jfs: fix diAllocExt error in resizing filesystem commit 2b0b39517d1af5294128dbc2fd7ed39c8effa540 upstream. Resizing the filesystem would result in an diAllocExt error in some instances because changes in bmp->db_agsize would not get noticed if goto extendBmap was called. Signed-off-by: Bill Pemberton Signed-off-by: Dave Kleikamp Cc: jfs-discussion@lists.sourceforge.net Cc: linux-kernel@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 250aafb9fec3341af0fc69e8340b7ac276992fca Author: David Howells Date: Wed Apr 21 10:28:25 2010 +0100 CRED: Fix a race in creds_are_invalid() in credentials debugging commit e134d200d57d43b171dcb0b55c178a1a0c7db14a upstream. creds_are_invalid() reads both cred->usage and cred->subscribers and then compares them to make sure the number of processes subscribed to a cred struct never exceeds the refcount of that cred struct. The problem is that this can cause a race with both copy_creds() and exit_creds() as the two counters, whilst they are of atomic_t type, are only atomic with respect to themselves, and not atomic with respect to each other. This means that if creds_are_invalid() can read the values on one CPU whilst they're being modified on another CPU, and so can observe an evolving state in which the subscribers count now is greater than the usage count a moment before. Switching the order in which the counts are read cannot help, so the thing to do is to remove that particular check. I had considered rechecking the values to see if they're in flux if the test fails, but I can't guarantee they won't appear the same, even if they've changed several times in the meantime. Note that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled. The problem is only likely to occur with multithreaded programs, and can be tested by the tst-eintr1 program from glibc's "make check". The symptoms look like: CRED: Invalid credentials CRED: At include/linux/cred.h:240 CRED: Specified credentials: ffff88003dda5878 [real][eff] CRED: ->magic=43736564, put_addr=(null) CRED: ->usage=766, subscr=766 CRED: ->*uid = { 0,0,0,0 } CRED: ->*gid = { 0,0,0,0 } CRED: ->security is ffff88003d72f538 CRED: ->security {359, 359} ------------[ cut here ]------------ kernel BUG at kernel/cred.c:850! ... RIP: 0010:[] [] __invalid_creds+0x4e/0x52 ... Call Trace: [] copy_creds+0x6b/0x23f Note the ->usage=766 and subscr=766. The values appear the same because they've been re-read since the check was made. Reported-by: Roland McGrath Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit c41ec8f4ae37ae4c7c56304ed1b685911fa46667 Author: Phillip Lougher Date: Fri Apr 23 13:18:11 2010 -0400 initramfs: handle unrecognised decompressor when unpacking commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream. The unpack routine fails to handle the decompress_method() returning unrecognised decompressor (compress_name == NULL). This results in the routine looping eventually oopsing on an out of bounds memory access. Note this bug is usually hidden, only triggering on trailing junk after one or more correct compressed blocks. The case of the compressed archive being complete junk is (by accident?) caught by the if (state != Reset) check because state is initialised to Start, but not updated due to the decompressor not having been called. Obviously if the junk is trailing a correctly decompressed buffer, state == Reset from the previous call to the decompressor. Signed-off-by: Phillip Lougher Reported-by: Aaro Koskinen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c52f6ef733796f6e9e115fd269087f095a1fc670 Author: Leonard Michlmayr Date: Thu Mar 4 17:07:28 2010 -0500 ext4: correctly calculate number of blocks for fiemap commit aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 upstream. ext4_fiemap() rounds the length of the requested range down to blocksize, which is is not the true number of blocks that cover the requested region. This problem is especially impressive if the user requests only the first byte of a file: not a single extent will be reported. We fix this by calculating the last block of the region and then subtract to find the number of blocks in the extents. Signed-off-by: Leonard Michlmayr Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit fdeddaaa28f22a68a14a8e7daed118ea6bd8b6bd Author: Mark Lord Date: Wed Apr 7 13:52:08 2010 -0400 libata: Fix accesses at LBA28 boundary (old bug, but nasty) (v2) commit 45c4d015a92f72ec47acd0c7557abdc0c8a6499d upstream. Most drives from Seagate, Hitachi, and possibly other brands, do not allow LBA28 access to sector number 0x0fffffff (2^28 - 1). So instead use LBA48 for such accesses. This bug could bite a lot of systems, especially when the user has taken care to align partitions to 4KB boundaries. On misaligned systems, it is less likely to be encountered, since a 4KB read would end at 0x10000000 rather than at 0x0fffffff. Signed-off-by: Mark Lord Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 9ffd6e94b8029e8d6f64a6172461bc65df87a8b5 Author: Matthew Garrett Date: Thu Apr 22 09:30:51 2010 -0400 PCI: Ensure we re-enable devices on resume commit cc2893b6af5265baa1d68b17b136cffca9e40cfa upstream. If the firmware puts a device back into D0 state at resume time, we'll update its state in resume_noirq and thus skip the platform resume code. Calling that code twice should be safe and we ought to avoid getting to that point anyway, so remove the check and also allow the platform pci code to be called for D0. Fixes USB not being powered after resume on recent Lenovo machines. Acked-by: Alex Chiang Acked-by: Rafael J. Wysocki Signed-off-by: Matthew Garrett Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 0677628d0fa93ed4325223f0826b759809967b51 Author: Daniel T Chen Date: Tue May 4 22:07:58 2010 -0400 ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite P500-PSPGSC-01800T commit c53666813813a0ea3d0391e1911eefc05a5e6b4f upstream. BugLink: https://launchpad.net/bugs/549267 The OR verified that using the olpc-xo-1_5 model quirk allows the headphones to be audible when inserted into the jack. Capture was also verified to work correctly. Reported-by: Richard Gagne Tested-by: Richard Gagne Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e69f91302920a6a6bc1297889230a247bc359851 Author: Daniel T Chen Date: Mon May 3 20:39:31 2010 -0400 ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite Pro T130-15F commit 4442dd4613fe3795b4c8a5f42fc96b7ffb90d01a upstream. BugLink: https://launchpad.net/bugs/573284 The OR verified that using the olpc-xo-1_5 model quirk allows the headphones to be audible when inserted into the jack. Capture was also verified to work correctly. Reported-by: Andy Couldrake Tested-by: Andy Couldrake Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 46f62239e9e2fa01aca1a3a390e2b7e5de46bfd3 Author: Daniel T Chen Date: Wed Apr 28 18:00:11 2010 -0400 ALSA: hda: Fix 0 dB for Packard Bell models using Conexant CX20549 (Venice) commit 8f0f5ff6777104084b4b2e1ae079541c2a6ed6d9 upstream. BugLink: https://launchpad.net/bugs/541802 The OR's hardware distorts at PCM 100% because it does not correspond to 0 dB. Fix this in patch_cxt5045() for all Packard Bell models. Reported-by: Valombre Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b600add5fc072d5e3bfa8dc2e8f2d0eacdd01a4a Author: Hans de Goede Date: Wed Apr 21 11:04:08 2010 -0400 ALSA: snd-meastro3: Ignore spurious HV interrupts during suspend / resume commit 715aa675338ce6e1a3b4f77cf87ea611f93058a8 upstream. Ignore spurious HV interrupts during suspend / resume, this avoids mistaking them for a mute button press. This is not very pretty but it seems the only way to fix the master volume control gets muted after suspend issue I'm seeing. Note that the es1968 driver is doing exactly the same. Signed-off-by: Hans de Goede Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9e64c2b1dc6c2a82c2cd64e2243df319ebadea57 Author: Hans de Goede Date: Wed Apr 21 11:04:06 2010 -0400 ALSA: snd-meastro3: Add amp_gpio quirk for Compaq EVO N600C commit 7efbfd1ae98ef9efe06352e2a1ad83e8c14ceeb1 upstream. Without this quirk sound stops working after suspend resume. With this quirk, one still needs to manually unmute the master volume control after a suspend / / resume cycle. That is fixed in another patch in this set. Note that this patch was submitted to the alsa bug tracker a long time ago: https://bugtrack.alsa-project.org/alsa-bug/view.php?id=4319 Signed-off-by: Hans de Goede Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 28856000dcc30716428e202330f5ac92d5cd878a Author: Daniel T Chen Date: Thu Apr 22 07:15:26 2010 -0400 ALSA: hda: Use ALC880_F1734 quirk for Fujitsu Siemens AMILO Xi 1526 commit 3353541fe533350a22a03e2fb7dc085b35912575 upstream. BugLink: https://launchpad.net/bugs/567494 The OR has verified that the existing model quirk, ALC880_UNIWILL, is insufficient for audible playback and capture by default. Instead, the ALC880_F1734 model quirk needs to be used. This change is necessary for both 2.6.32.11 and 2.6.33.2. Reported-by: Arnaud Malpeyre Tested-by: Arnaud Malpeyre Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2e1ae8bddfac3a3a72fef22bfd49649cbd7b0cdd Author: Daniel T Chen Date: Thu Apr 22 17:54:45 2010 -0400 ALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio 1558 commit 5c1bccf645d4ab65e4c7502acb42e8b9afdb5bdc upstream. BugLink: https://launchpad.net/bugs/568600 The OR has verified that the dell-m6 model quirk is necessary for audio to be audible by default on the Dell Studio XPS 1645. This change is necessary for 2.6.32.11 and 2.6.33.2 alike. Reported-by: Andy Ross Tested-by: Andy Ross Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c7502e20b33219f26af819bc0cf3ab3705f4193a Author: Daniel T Chen Date: Wed Apr 21 20:41:52 2010 -0400 ALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio XPS 1645 commit aac78daf8f37256283f56820ae858add7139c56c upstream. BugLink: https://launchpad.net/bugs/553002 The OR has verified that the dell-m6 model quirk is necessary for audio to be audible by default on the Dell Studio XPS 1645. This change is necessary for 2.6.32.11 and 2.6.33.2 alike. Reported-by: Robert Chambers Tested-by: Robert Chambers Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7d852841917d061e0c34257a53be366a2f8ef951 Author: Kunal Gangakhedkar Date: Sat Mar 20 23:08:01 2010 +0530 ALSA: hda - Add PCI quirk for HP dv6-1110ax. commit e3d2530a6cea80987f77b75d8784a00f3aaf22ff upstream. Adding this PCI quirk fixes the board config detection. This also fixes jack sensing by using "hp_detect=1" via properly detected board config. Signed-off-by: Kunal Gangakhedkar Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fd3c5970a0ab61f907d56a9d2ccf80864f664fd6 Author: Daniel T Chen Date: Wed Apr 21 19:55:43 2010 -0400 ALSA: hda: Use LPIB quirk for DG965OT board version AAD63733-203 commit 0e0280dc2b0c7395a880d25544b47f3e3e3f79db upstream. BugLink: https://launchpad.net/bugs/459083 The OR has verified with 2.6.32.11 and the latest alsa-driver stable daily snapshot that position_fix=1 is necessary for the external mic to work and for PulseAudio not to crash constantly. This patch is necessary also for 2.6.32.11 and 2.6.33.2. Reported-by: Tested-by: Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cecce8c45585602e29690a3c93889d1a052d0a7a Author: Borislav Petkov Date: Fri Mar 12 15:43:03 2010 +0100 x86, k8 nb: Fix boot crash: enable k8_northbridges unconditionally on AMD systems commit 0e152cd7c16832bd5cadee0c2e41d9959bc9b6f9 upstream. de957628ce7c84764ff41331111036b3ae5bad0f changed setting of the x86_init.iommu.iommu_init function ptr only when GART IOMMU is found. One side effect of it is that num_k8_northbridges is not initialized anymore if not explicitly called. This resulted in uninitialized pointers in , for example, which uses the num_k8_northbridges thing through node_to_k8_nb_misc(). Fix that through an initcall that runs right after the PCI subsystem and does all the scanning. Then, remove initialization in gart_iommu_init() which is a rootfs_initcall and we're running before that. What is more, since num_k8_northbridges is being used in other places beside GART IOMMU, include it whenever we add AMD CPU support. The previous dependency chain in kconfig contained K8_NB depends on AGP_AMD64|GART_IOMMU which was clearly incorrect. The more natural way in terms of hardware dependency should be AGP_AMD64|GART_IOMMU depends on K8_NB depends on CPU_SUP_AMD && PCI. Make it so Number One! Signed-off-by: Borislav Petkov Cc: FUJITA Tomonori Cc: Joerg Roedel LKML-Reference: <20100312144303.GA29262@aftab> Signed-off-by: Ingo Molnar Tested-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit d04fe16c31384a00562f7f9ca0cf78641a510ceb Author: Prarit Bhargava Date: Tue Apr 27 11:24:42 2010 -0400 x86: Fix NULL pointer access in irq_force_complete_move() for Xen guests commit bbd391a15d82e14efe9d69ba64cadb855b061dba upstream. Upstream PV guests fail to boot because of a NULL pointer in irq_force_complete_move(). It is possible that xen guests have irq_desc->chip_data = NULL. Test for NULL chip_data pointer before attempting to complete an irq move. Signed-off-by: Prarit Bhargava LKML-Reference: <20100427152434.16193.49104.sendpatchset@prarit.bos.redhat.com> Acked-by: Suresh Siddha Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 0d9687a4d2a9f27ab52c2914b432fae5cb4a70b1 Author: H. Peter Anvin Date: Tue Apr 13 14:40:54 2010 -0700 x86: Disable large pages on CPUs with Atom erratum AAE44 commit 7a0fc404ae663776e96db43879a0fa24fec1fa3a upstream. Atom erratum AAE44/AAF40/AAG38/AAH41: "If software clears the PS (page size) bit in a present PDE (page directory entry), that will cause linear addresses mapped through this PDE to use 4-KByte pages instead of using a large page after old TLB entries are invalidated. Due to this erratum, if a code fetch uses this PDE before the TLB entry for the large page is invalidated then it may fetch from a different physical address than specified by either the old large page translation or the new 4-KByte page translation. This erratum may also cause speculative code fetches from incorrect addresses." [http://download.intel.com/design/processor/specupdt/319536.pdf] Where as commit 211b3d03c7400f48a781977a50104c9d12f4e229 seems to workaround errata AAH41 (mixed 4K TLBs) it reduces the window of opportunity for the bug to occur and does not totally remove it. This patch disables mixed 4K/4MB page tables totally avoiding the page splitting and not tripping this processor issue. This is based on an original patch by Colin King. Originally-by: Colin Ian King Cc: Colin Ian King Cc: Ingo Molnar Signed-off-by: H. Peter Anvin LKML-Reference: <1269271251-19775-1-git-send-email-colin.king@canonical.com> Signed-off-by: Greg Kroah-Hartman commit 05cb94bc742f64a3dcc4e7dbed3e523ffe88c711 Author: H. Peter Anvin Date: Fri Apr 23 16:17:40 2010 -0700 x86-64: Clear a 64-bit FS/GS base on fork if selector is nonzero commit 7ce5a2b9bb2e92902230e3121d8c3047fab9cb47 upstream. When we do a thread switch, we clear the outgoing FS/GS base if the corresponding selector is nonzero. This is taken by __switch_to() as an entry invariant; it does not verify that it is true on entry. However, copy_thread() doesn't enforce this constraint, which can result in inconsistent results after fork(). Make copy_thread() match the behavior of __switch_to(). Reported-and-tested-by: Samuel Thibault Signed-off-by: H. Peter Anvin LKML-Reference: <4BD1E061.8030605@zytor.com> Signed-off-by: Greg Kroah-Hartman commit 73f0c8de569332547c42046b5cf179483be99bef Author: Borislav Petkov Date: Fri Apr 30 15:19:02 2010 +0200 edac, mce: Fix wrong mask and macro usage commit 35d824b28fc5544d1eb7c1e3db15a1740df8ec4b upstream. Correct two mishaps which prevented reporting error type (CECC vs UECC) and extended error description. Signed-off-by: Borislav Petkov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7525b22412ed31cdd781f8e4a9fbf28decd2994a Author: Hans de Goede Date: Thu Apr 22 19:52:16 2010 +0200 p54pci: fix bugs in p54p_check_tx_ring commit 0250ececdf6813457c98719e2d33b3684881fde0 upstream. Hans de Goede identified a bug in p54p_check_tx_ring: there are two ring indices. 1 => tx data and 3 => tx management. But the old code had a constant "1" and this resulted in spurious dma unmapping failures. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=583623 Bug-Identified-by: Hans de Goede Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 523bdd72c535f23103b6cc5d410ffa057af2c7f7 Author: Peter Korsgaard Date: Mon May 3 10:01:26 2010 +0000 dm9601: fix phy/eeprom write routine commit e9162ab1610531d6ea6c1833daeb2613e44275e8 upstream. Use correct bit positions in DM_SHARED_CTRL register for writes. Michael Planes recently encountered a 'KY-RS9600 USB-LAN converter', which came with a driver CD containing a Linux driver. This driver turns out to be a copy of dm9601.c with symbols renamed and my copyright stripped. That aside, it did contain 1 functional change in dm_write_shared_word(), and after checking the datasheet the original value was indeed wrong (read versus write bits). On Michaels HW, this change bumps receive speed from ~30KB/s to ~900KB/s. On other devices the difference is less spectacular, but still significant (~30%). Reported-by: Michael Planes Signed-off-by: Peter Korsgaard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4bb6362e180555652885d52000fc156936b6ffe9 Author: Linus Torvalds Date: Fri Apr 9 10:05:33 2010 -0700 Revert "memory-hotplug: add 0x prefix to HEX block_size_bytes" commit 4dc86ae1f925b2121d4e75058675895f83e54c71 upstream. This reverts commit ba168fc37dea145deeb8fa9e7e71c748d2e00d74. It changes user-visible sysfs interfaces, and breaks some existing user space applications which apparently rely on the fact that the output does not contain the "0x" prefix. Requested-by: Heiko Carstens Acked-by: KOSAKI Motohiro Acked-by: Wu Fengguang Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 51b7721fd83309000aa19a2a6ec0edb9665bb5f9 Author: Richard Kennedy Date: Wed Apr 14 20:54:03 2010 +0200 block: ensure jiffies wrap is handled correctly in blk_rq_timed_out_timer commit a534dbe96e9929c7245924d8252d89048c23d569 upstream. blk_rq_timed_out_timer() relied on blk_add_timer() never returning a timer value of zero, but commit 7838c15b8dd18e78a523513749e5b54bda07b0cb removed the code that bumped this value when it was zero. Therefore when jiffies is near wrap we could get unlucky & not set the timeout value correctly. This patch uses a flag to indicate that the timeout value was set and so handles jiffies wrap correctly, and it keeps all the logic in one function so should be easier to maintain in the future. Signed-off-by: Richard Kennedy Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3d563ebbbc07e5bcd89a4e8c9c6658e56a1e0f9c Author: Ping Cheng Date: Mon Mar 22 13:40:29 2010 -0700 serial: 8250_pnp - add Fujitsu Wacom device commit d9901660b53b92f0f3551c06588b8be38224b245 upstream. Add Fujitsu Wacom 1FGT Tablet PC device Signed-off-by: Ping Cheng Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit d15b5afa5324123c49dd9b19acc56d9223cadb45 Author: Dan Williams Date: Tue May 4 20:41:56 2010 -0700 raid6: fix recovery performance regression commit 5157b4aa5b7de8787b6318e61bcc285031bb9088 upstream. The raid6 recovery code should immediately drop back to the optimized synchronous path when a p+q dma resource is not available. Otherwise we run the non-optimized/multi-pass async code in sync mode. Verified with raid6test (NDISKS=255) Applies to kernels >= 2.6.32. Acked-by: NeilBrown Reported-by: H. Peter Anvin Signed-off-by: Dan Williams Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0c41fcd0b738e0ac646e043ed47b7f642947b6a0 Author: Tejun Heo Date: Sat May 1 10:11:35 2010 +0200 perf: Fix resource leak in failure path of perf_event_open() commit 048c852051d2bd5da54a4488bc1f16b0fc74c695 upstream. perf_event_open() kfrees event after init failure which doesn't release all resources allocated by perf_event_alloc(). Use free_event() instead. Signed-off-by: Tejun Heo Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Arnaldo Carvalho de Melo LKML-Reference: <4BDBE237.1040809@kernel.org> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit b9d41d81abb6dba3ce122138f9593f4693f60dc9 Author: Jean Delvare Date: Tue May 4 11:09:28 2010 +0200 i2c: Fix probing of FSC hardware monitoring chips commit b1d4b390ea4bb480e65974ce522a04022608a8df upstream. Some FSC hardware monitoring chips (Syleus at least) doesn't like quick writes we typically use to probe for I2C chips. Use a regular byte read instead for the address they live at (0x73). These are the only known chips living at this address on PC systems. For clarity, this fix should not be needed for kernels 2.6.30 and later, as we started instantiating the hwmon devices explicitly based on DMI data. Still, this fix is valuable in the following two cases: * Support for recent FSC chips on older kernels. The DMI-based device instantiation is more difficult to backport than the device support itself. * Case where the DMI-based device instantiation fails, whatever the reason. We fall back to probing in that case, so it should work. This fixes kernel bug #15634: https://bugzilla.kernel.org/show_bug.cgi?id=15634 Signed-off-by: Jean Delvare Acked-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit f6b7c3cb24d76757a2c4901f31dac6caa2930c3b Author: Stephen Hemminger Date: Thu Mar 11 09:11:37 2010 -0800 Staging: hv: name network device ethX rather than sethX commit 546d9e101e7a71e6202f47a13ddcd9b8fb05a52e upstream. This patch makes the HyperV network device use the same naming scheme as other virtual drivers (Xen, KVM). In an ideal world, userspace tools would not care what the name is, but some users and applications do care. Vyatta CLI is one of the tools that does depend on what the name is. Signed-off-by: Stephen Hemminger Cc: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit 6f84f123139b79420bb384467da38613504f2675 Author: Cyrill Gorcunov Date: Mon Apr 5 20:56:57 2010 +0400 Staging: hv: Fix up memory leak on HvCleanup commit fa8ad0257ea256381126ecf447694622216c600f upstream. Don't assign NULL too early Signed-off-by: Cyrill Gorcunov Cc: Hank Janssen Cc: Haiyang Zhang Signed-off-by: Greg Kroah-Hartman commit 9b6ae1138bd46f841aa0639dc3187e2555f9cde6 Author: Haiyang Zhang Date: Mon Apr 19 15:32:11 2010 +0000 Staging: hv: Fix a bug affecting IPv6 commit 95beae90aa4afce57fb28e6f8238b78217bd7c98 upstream. Fix a bug affecting IPv6 Added the multicast flag for proper IPv6 function. Reported-by: Toshikazu Sakai Signed-off-by: Hank Janssen Signed-off-by: Haiyang Zhang Signed-off-by: Greg Kroah-Hartman commit c150018db0979f53112125208897ed621ac1a571 Author: Chuck Lever Date: Thu Apr 22 15:35:56 2010 -0400 NFS: rsize and wsize settings ignored on v4 mounts commit 356e76b855bdbfd8d1c5e75bcf0c6bf0dfe83496 upstream. NFSv4 mounts ignore the rsize and wsize mount options, and always use the default transfer size for both. This seems to be because all NFSv4 mounts are now cloned, and the cloning logic doesn't copy the rsize and wsize settings from the parent nfs_server. I tested Fedora's 2.6.32.11-99 and it seems to have this problem as well, so I'm guessing that .33, .32, and perhaps older kernels have this issue as well. Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 656fdb1f49706d82e37df3488fc525490f8cca83 Author: Al Viro Date: Thu Apr 29 03:10:43 2010 +0100 nfs d_revalidate() is too trigger-happy with d_drop() commit d9e80b7de91db05c1c4d2e5ebbfd70b3b3ba0e0f upstream. If dentry found stale happens to be a root of disconnected tree, we can't d_drop() it; its d_hash is actually part of s_anon and d_drop() would simply hide it from shrink_dcache_for_umount(), leading to all sorts of fun, including busy inodes on umount and oopsen after that. Bug had been there since at least 2006 (commit c636eb already has it), so it's definitely -stable fodder. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1ff21ff30e324d2e994a54baf9dc3df003985b60 Author: Mark Langsdorf Date: Wed Mar 31 21:56:45 2010 +0200 powernow-k8: Fix frequency reporting commit b810e94c9d8e3fff6741b66cd5a6f099a7887871 upstream. With F10, model 10, all valid frequencies are in the ACPI _PST table. Signed-off-by: Mark Langsdorf LKML-Reference: <1270065406-1814-6-git-send-email-bp@amd64.org> Signed-off-by: Borislav Petkov Reviewed-by: Thomas Renninger Signed-off-by: H. Peter Anvin Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit fc535314b6f4dc8b400e0bd46bbb42d974d0ff06 Author: Joel Becker Date: Fri Apr 23 15:24:59 2010 -0700 ocfs2_dlmfs: Fix math error when reading LVB. commit a36d515c7a2dfacebcf41729f6812dbc424ebcf0 upstream. When asked for a partial read of the LVB in a dlmfs file, we can accidentally calculate a negative count. Reported-by: Dan Carpenter Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 394a524ecc9a9469c82ea3821cc84ccf87175798 Author: Joel Becker Date: Wed Mar 31 18:25:44 2010 -0700 ocfs2: Compute metaecc for superblocks during online resize. commit a42ab8e1a37257da37e0f018e707bf365ac24531 upstream. Online resize writes out the new superblock and its backups directly. The metaecc data wasn't being recomputed. Let's do that directly. Signed-off-by: Joel Becker Acked-by: Mark Fasheh Signed-off-by: Greg Kroah-Hartman commit 756cd5a67d13cb7c432d85bc7209a2f86363346f Author: Dan Carpenter Date: Thu Apr 22 11:39:29 2010 +0200 ocfs2: potential ERR_PTR dereference on error paths commit 0350cb078f5035716ebdad4ad4709d02fe466a8a upstream. If "handle" is non null at the end of the function then we assume it's a valid pointer and pass it to ocfs2_commit_trans(); Signed-off-by: Dan Carpenter Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 76e0dc2e41e9d151ce0364340227dabf5ee479d5 Author: Tao Ma Date: Wed Apr 21 14:05:55 2010 +0800 ocfs2: Update VFS inode's id info after reflink. commit c21a534e2f24968cf74976a4e721ac194db30ded upstream. In reflink we update the id info on the disk but forgot to update the corresponding information in the VFS inode. Update them accordingly when we want to preserve the attributes. Reported-by: Jeff Liu Signed-off-by: Tao Ma Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 67dc67f6a611542cc5cf349747a064da0cef2af3 Author: Sarah Sharp Date: Fri Apr 16 08:07:27 2010 -0700 USB: xhci: properly set endpoint context fields for periodic eps. commit 9238f25d5d32a435277eb234ec82bacdd5daed41 upstream. For periodic endpoints, we must let the xHCI hardware know the maximum payload an endpoint can transfer in one service interval. The xHCI specification refers to this as the Maximum Endpoint Service Interval Time Payload (Max ESIT Payload). This is used by the hardware for bandwidth management and scheduling of packets. For SuperSpeed endpoints, the maximum is calculated by multiplying the max packet size by the number of bursts and the number of opportunities to transfer within a service interval (the Mult field of the SuperSpeed Endpoint companion descriptor). Devices advertise this in the wBytesPerInterval field of their SuperSpeed Endpoint Companion Descriptor. For high speed devices, this is taken by multiplying the max packet size by the "number of additional transaction opportunities per microframe" (the high bits of the wMaxPacketSize field in the endpoint descriptor). For FS/LS devices, this is just the max packet size. The other thing we must set in the endpoint context is the Average TRB Length. This is supposed to be the average of the total bytes in the transfer descriptor (TD), divided by the number of transfer request blocks (TRBs) it takes to describe the TD. This gives the host controller an indication of whether the driver will be enqueuing a scatter gather list with many entries comprised of small buffers, or one contiguous buffer. It also takes into account the number of extra TRBs you need for every TD. This includes No-op TRBs and Link TRBs used to link ring segments together. Some drivers may choose to chain an Event Data TRB on the end of every TD, thus increasing the average number of TRBs per TD. The Linux xHCI driver does not use Event Data TRBs. In theory, if there was an API to allow drivers to state what their bandwidth requirements are, we could set this field accurately. For now, we set it to the same number as the Max ESIT payload. The Average TRB Length should also be set for bulk and control endpoints, but I have no idea how to guess what it should be. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 3a198595ae2227d73d9cd211629d66d417c0427f Author: Sarah Sharp Date: Fri Apr 16 08:07:04 2010 -0700 USB: xhci: properly set the "Mult" field of the endpoint context. commit 1cf62246c0e394021e494e0a8f1013e80db1a1a9 upstream. A SuperSpeed interrupt or isochronous endpoint can define the number of "burst transactions" it can handle in a service interval. This is indicated by the "Mult" bits in the bmAttributes of the SuperSpeed Endpoint Companion Descriptor. For example, if it has a max packet size of 1024, a max burst of 11, and a mult of 3, the host may send 33 1024-byte packets in one service interval. We must tell the xHCI host controller the number of multiple service opportunities (mults) the device can handle when the endpoint is installed. We do that by setting the Mult field of the Endpoint Context before a configure endpoint command is sent down. The Mult field is invalid for control or bulk SuperSpeed endpoints. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 2effcfb90e7e66c668bae37b47a9f804cba6781b Author: Alan Stern Date: Tue Apr 20 10:37:57 2010 -0400 USB: OHCI: don't look at the root hub to get the number of ports commit fcf7d2141f4a363a4a8454c4a0f26bb69e766c5f upstream. This patch (as1371) fixes a small bug in ohci-hcd. The HCD already knows how many ports the controller has; there's no need to go looking at the root hub's usb_device structure to find out. Especially since the root hub's maxchild value is set correctly only while the root hub is bound to the hub driver. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 3056f8ac2c84c3007726c00e4142eff0ff4db23e Author: Alan Stern Date: Tue Apr 20 10:40:59 2010 -0400 USB: don't choose configs with no interfaces commit 62f9cfa3ece58268b3e92ca59c23b175f86205aa upstream. This patch (as1372) fixes a bug in the routine that chooses the default configuration to install when a new USB device is detected. The algorithm is supposed to look for a config whose first interface is for a non-vendor-specific class. But the way it's currently written, it will also accept a config with no interfaces at all, which is not very useful. (Believe it or not, such things do exist.) Signed-off-by: Alan Stern Tested-by: Andrew Victor Signed-off-by: Greg Kroah-Hartman commit a52298dba1c83b9ea7557c92c0200d325a966a99 Author: Dan Carpenter Date: Thu Apr 22 12:00:52 2010 +0200 USB: fix testing the wrong variable in fs_create_by_name() commit fa7fe7af146a7b613e36a311eefbbfb5555325d1 upstream. There is a typo here. We should be testing "*dentry" which was just assigned instead of "dentry". This could result in dereferencing an ERR_PTR inside either usbfs_mkdir() or usbfs_create(). Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit ac0c2f38a399c63e83ce66d4ffdb693ce8bb5b66 Author: Roel Kluin Date: Thu Feb 18 02:36:23 2010 +0100 USB: don't read past config->interface[] if usb_control_msg() fails in usb_reset_configuration() commit e4a3d94658b5760fc947d7f7185c57db47ca362a upstream. While looping over the interfaces, if usb_hcd_alloc_bandwidth() fails it calls hcd->driver->reset_bandwidth(), so there was no need to reinstate the interface again. If no break occurred, the index equals config->desc.bNumInterfaces. A subsequent usb_control_msg() failure resulted in a read from config->interface[config->desc.bNumInterfaces] at label reset_old_alts. In either case the last interface should be skipped. Signed-off-by: Roel Kluin Acked-by: Alan Stern Acked-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 53c8c595e152a55b3d06a1a148d86c1144698bf4 Author: William Lightning Date: Fri Mar 26 10:51:20 2010 -0700 USB: Add id for HP ev2210 a.k.a Sierra MC5725 miniPCI-e Cell Modem. commit cfbaa39347b34837f26e01fe8f4f8dbbae60b520 upstream. Signed-off-by: William Lightning Signed-off-by: Greg Kroah-Hartman commit 2b454d9a5f0507c1bc3f01c06a2e6c464d2a2641 Author: Alan Stern Date: Fri Apr 30 12:09:23 2010 -0400 USB: fix remote wakeup settings during system sleep This is a backport of commit 5f677f1d45b2bf08085bbba7394392dfa586fa8e. Some of the functionality had to be removed, but it should still fix the webcam problem. This patch (as1363b) changes the way USB remote wakeup is handled during system sleeps. It won't be enabled unless an interface driver specifically needs it. Also, it won't be enabled during the FREEZE or QUIESCE phases of hibernation, when the system doesn't respond to wakeup events anyway. This will fix problems people have reported with certain USB webcams that generate wakeup requests when they shouldn't, and as a result cause system suspends to fail. See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515109 Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit df21fe75bef3db5bc2276eef92792718398f5889 Author: Eric Lescouet Date: Sat Apr 24 02:55:24 2010 +0200 staging: usbip: Fix deadlock commit d01f42a22ef381ba973958e977209ac9a8667d57 upstream. When detaching a port from the client side (usbip --detach 0), the event thread, on the server side, is going to deadlock. The "eh" server thread is getting USBIP_EH_RESET event and calls: -> stub_device_reset() -> usb_reset_device() the USB framework is then calling back _in the same "eh" thread_ : -> stub_disconnect() -> usbip_stop_eh() -> wait_for_completion() the "eh" thread is being asleep forever, waiting for its own completion. This patch checks if "eh" is the current thread, in usbip_stop_eh(). Signed-off-by: Eric Lescouet Signed-off-by: Greg Kroah-Hartman commit 680e3fe449b3a78a95871bbc02398b2bb1a40174 Author: Ben Hutchings Date: Wed Apr 28 09:01:50 2010 +0000 sfc: Change falcon_probe_board() to fail for unsupported boards commit e41c11ee0cc602bcde68916be85fb97d1a484324 upstream. The driver needs specific PHY and board support code for each SFC4000 board; there is no point trying to continue if it is missing. Currently unsupported boards can trigger an 'oops'. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 068e5818f0d028cc0469ae7ae33368fd71024886 Author: Ben Hutchings Date: Wed Apr 28 09:01:33 2010 +0000 sfc: Always close net device at the end of a disabling reset commit f49a4589e9e25ef525da449b1ce5597cb659bbb5 upstream. This fixes a regression introduced by commit eb9f6744cbfa97674c13263802259b5aa0034594 "sfc: Implement ethtool reset operation". Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fa8472cab002dbbb70bf2b1c975b56f75e5d88c6 Author: Ben Hutchings Date: Wed Apr 28 09:00:35 2010 +0000 sfc: Wait at most 10ms for the MC to finish reading out MAC statistics commit aabc5649078310094cbffb430fcbf9c25b6268f9 upstream. The original code would wait indefinitely if MAC stats DMA failed. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b916189a5e80cabb49b1c64a350a5f13e485cb61 Author: David Howells Date: Tue Apr 27 13:13:08 2010 -0700 keys: the request_key() syscall should link an existing key to the dest keyring commit 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 upstream. The request_key() system call and request_key_and_link() should make a link from an existing key to the destination keyring (if supplied), not just from a new key to the destination keyring. This can be tested by: ring=`keyctl newring fred @s` keyctl request2 user debug:a a keyctl request user debug:a $ring keyctl list $ring If it says: keyring is empty then it didn't work. If it shows something like: 1 key in keyring: 1070462727: --alswrv 0 0 user: debug:a then it did. request_key() system call is meant to recursively search all your keyrings for the key you desire, and, optionally, if it doesn't exist, call out to userspace to create one for you. If request_key() finds or creates a key, it should, optionally, create a link to that key from the destination keyring specified. Therefore, if, after a successful call to request_key() with a desination keyring specified, you see the destination keyring empty, the code didn't work correctly. If you see the found key in the keyring, then it did - which is what the patch is required for. Signed-off-by: David Howells Cc: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 79343596acdab2cfc0bc79cf2eed5155138f6c18 Author: Neil Brown Date: Tue Apr 20 12:16:52 2010 +1000 nfsd4: bug in read_buf commit 2bc3c1179c781b359d4f2f3439cb3df72afc17fc upstream. When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to. So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page. We never encountered thsi in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit f1f48b70214c090b6ae7055710408a2496f610bd Author: Jerome Marchand Date: Tue Apr 27 13:13:06 2010 -0700 procfs: fix tid fdinfo commit 3835541dd481091c4dbf5ef83c08aed12e50fd61 upstream. Correct the file_operations struct in fdinfo entry of tid_base_stuff[]. Presently /proc/*/task/*/fdinfo contains symlinks to opened files like /proc/*/fd/. Signed-off-by: Jerome Marchand Cc: Alexander Viro Cc: Miklos Szeredi Cc: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3a82ba3f0d9f516bf2e507c3fce058cf70495257 Author: Jeff Mahoney Date: Fri Apr 23 13:17:41 2010 -0400 reiserfs: fix corruption during shrinking of xattrs commit fb2162df74bb19552db3d988fd11c787cf5fad56 upstream. Commit 48b32a3553a54740d236b79a90f20147a25875e3 ("reiserfs: use generic xattr handlers") introduced a problem that causes corruption when extended attributes are replaced with a smaller value. The issue is that the reiserfs_setattr to shrink the xattr file was moved from before the write to after the write. The root issue has always been in the reiserfs xattr code, but was papered over by the fact that in the shrink case, the file would just be expanded again while the xattr was written. The end result is that the last 8 bytes of xattr data are lost. This patch fixes it to use new_size. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=14826 Signed-off-by: Jeff Mahoney Reported-by: Christian Kujau Tested-by: Christian Kujau Cc: Edward Shishkin Cc: Jethro Beekman Cc: Greg Surbey Cc: Marco Gatti Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4ce97b667489129ced62d57d6fa42140f86f94a1 Author: Jeff Mahoney Date: Fri Apr 23 13:17:37 2010 -0400 reiserfs: fix permissions on .reiserfs_priv commit cac36f707119b792b2396aed371d6b5cdc194890 upstream. Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove privroot hiding in lookup") removed the magic from the lookup code to hide the .reiserfs_priv directory since it was getting loaded at mount-time instead. The intent was that the entry would be hidden from the user via a poisoned d_compare, but this was faulty. This introduced a security issue where unprivileged users could access and modify extended attributes or ACLs belonging to other users, including root. This patch resolves the issue by properly hiding .reiserfs_priv. This was the intent of the xattr poisoning code, but it appears to have never worked as expected. This is fixed by using d_revalidate instead of d_compare. This patch makes -oexpose_privroot a no-op. I'm fine leaving it this way. The effort involved in working out the corner cases wrt permissions and caching outweigh the benefit of the feature. Signed-off-by: Jeff Mahoney Acked-by: Edward Shishkin Reported-by: Matt McCutchen Tested-by: Matt McCutchen Cc: Frederic Weisbecker Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a340b55ae448daf36d110677c4cebd5897dbdf06 Author: Mel Gorman Date: Fri Apr 23 13:17:56 2010 -0400 hugetlb: fix infinite loop in get_futex_key() when backed by huge pages commit 23be7468e8802a2ac1de6ee3eecb3ec7f14dc703 upstream. If a futex key happens to be located within a huge page mapped MAP_PRIVATE, get_futex_key() can go into an infinite loop waiting for a page->mapping that will never exist. See https://bugzilla.redhat.com/show_bug.cgi?id=552257 for more details about the problem. This patch makes page->mapping a poisoned value that includes PAGE_MAPPING_ANON mapped MAP_PRIVATE. This is enough for futex to continue but because of PAGE_MAPPING_ANON, the poisoned value is not dereferenced or used by futex. No other part of the VM should be dereferencing the page->mapping of a hugetlbfs page as its page cache is not on the LRU. This patch fixes the problem with the test case described in the bugzilla. [akpm@linux-foundation.org: mel cant spel] Signed-off-by: Mel Gorman Acked-by: Peter Zijlstra Acked-by: Darren Hart Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8cae69607df46a03b65b533794f31a3259dced72 Author: Changli Gao Date: Fri Apr 23 13:17:45 2010 -0400 flex_array: fix the panic when calling flex_array_alloc() without __GFP_ZERO commit e59464c735db19619cde2aa331609adb02005f5b upstream. memset() is called with the wrong address and the kernel panics. Signed-off-by: Changli Gao Cc: Patrick McHardy Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 90a425c2d38aedbe92a73e9a59b27e98dcc823a2 Author: Johannes Berg Date: Mon Apr 19 10:48:38 2010 +0200 mac80211: remove bogus TX agg state assignment commit b4bb5c3fd9333024044362df67e23e96158489ed upstream. When the addba timer expires but has no work to do, it should not affect the state machine. If it does, TX will not see the successfully established and we can also crash trying to re-establish the session. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 90fb67fc9fa7e23a98c4f627253634de42546a2e Author: Andrea Arcangeli Date: Fri Apr 23 13:17:39 2010 -0400 memcg: fix prepare migration commit 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 upstream. If a signal is pending (task being killed by sigkill) __mem_cgroup_try_charge will write NULL into &mem, and css_put will oops on null pointer dereference. BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [] mem_cgroup_prepare_migration+0x7c/0xc0 PGD a5d89067 PUD a5d8a067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading CPU 0 Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode] Pid: 5299, comm: largepages Tainted: G W 2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M. RIP: 0010:[] [] mem_cgroup_prepare_migration+0x7c/0xc0 [nishimura@mxp.nes.nec.co.jp: fix merge issues] Signed-off-by: Andrea Arcangeli Acked-by: KAMEZAWA Hiroyuki Cc: Balbir Singh Signed-off-by: Daisuke Nishimura Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 73791763dbad4d68a1d36b7f2ded26d0214bf09c Author: Ian Dall Date: Fri Apr 23 13:17:53 2010 -0400 w1: w1 temp: fix negative termperature calculation commit 9a6a1ecd9e9b5d046a236da2f7eb6b6812f04229 upstream. Fix regression caused by commit 507e2fbaaacb6f164b4125b87c5002f95143174b ("w1: w1 temp calculation overflow fix") whereby negative temperatures for the DS18B20 are not converted properly. When the temperature exceeds 32767 milli-degrees the temperature overflows to -32768 millidegrees. These are both well within the -55 - +125 degree range for the sensor. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=12646 Signed-of-by: Ian Dall Cc: Evgeniy Polyakov Tested-by: Karsten Elfenbein Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5555d67fab1f38f51faf870a445d329dc0ba3388 Author: Jeff Garzik Date: Thu Apr 22 21:59:13 2010 -0400 libata: ensure NCQ error result taskfile is fully initialized before returning it via qc->result_tf. commit a09bf4cd53b8ab000197ef81f15d50f29ecf973c upstream. Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit e878132440a48fdd8340018f88f71ce520ab0ff9 Author: Tejun Heo Date: Thu Apr 15 08:57:37 2010 +0900 libata: fix locking around blk_abort_request() commit fa41efdae7de61191a7bda3a00e88ef69afb5bb9 upstream. blk_abort_request() expectes queue lock to be held by the caller. Grab it before calling the function. Lack of this synchronization led to infinite loop on corrupt q->timeout_list. Signed-off-by: Tejun Heo Cc: Jens Axboe Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 99cc64ae9449e60795f1844c8b312b29a363e1da Author: NeilBrown Date: Fri Apr 23 07:08:28 2010 +1000 md/raid5: fix previous patch. commit 6e3b96ed610e5a1838e62ddae9fa0c3463f235fa upstream. Previous patch changes stripe and chunk_number to sector_t but mistakenly did not update all of the divisions to use sector_dev(). This patch changes all the those divisions (actually the '%' operator) to sector_div. Signed-off-by: NeilBrown Tested-by: Stefan Lippers-Hollmann Signed-off-by: Greg Kroah-Hartman commit 5c0bdba0714bef2917ec866f7c9ed112cb45d7ab Author: NeilBrown Date: Tue Apr 20 14:13:34 2010 +1000 md/raid5: allow for more than 2^31 chunks. commit 35f2a591192d0a5d9f7fc696869c76f0b8e49c3d upstream. With many large drives and small chunk sizes it is possible to create a RAID5 with more than 2^31 chunks. Make sure this works. Reported-by: Brett King Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit f483fae216ef77d997d2f38873d274b6a9f6ecdf Author: Daniel Vetter Date: Sat Apr 17 15:12:03 2010 +0200 drm/i915: fix tiling limits for i915 class hw v2 commit c36a2a6de59e4a141a68b7575de837d3b0bd96b3 upstream. Current code is definitely crap: Largest pitch allowed spills into the TILING_Y bit of the fence registers ... :( I've rewritten the limits check under the assumption that 3rd gen hw has a 3d pitch limit of 8kb (like 2nd gen). This is supported by an otherwise totally misleading XXX comment. This bug mostly resulted in tiling-corrupted pixmaps because the kernel allowed too wide buffers to be tiled. Bug brought to the light by the xf86-video-intel 2.11 release because that unconditionally enabled tiling for pixmaps, relying on the kernel to check things. Tiling for the framebuffer was not affected because the ddx does some additional checks there ensure the buffer is within hw-limits. v2: Instead of computing the value that would be written into the hw fence registers and then checking the limits simply check whether the stride is above the 8kb limit. To better document the hw, add some WARN_ONs in i915_write_fence_reg like I've done for the i830 case (using the right limits). Signed-off-by: Daniel Vetter Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=27449 Tested-by: Alexander Lam Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit fcbf4727420c02a6696499130340a60b3251b272 Author: Eric Anholt Date: Thu Oct 22 16:11:14 2009 -0700 drm/i915: Add initial bits for VGA modesetting bringup on Sandybridge. commit bad720ff3e8e47a04bd88d9bbc8317e7d7e049d3 upstream. [needed for stable as it's just a bunch of macros that other drm patches need, it changes no code functionality besides adding support for a new device type. - gregkh] Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit d6bc88ead27c25dfc63b9f90d293bc97e8032d89 Author: Shimada Hirofumi Date: Sun Feb 14 04:16:16 2010 +0900 p54usb: Add usbid for Corega CG-WLUSB2GT. commit 15a69a81731d337a3d9db51692ff8704c1114f43 upstream. Signed-off-by: Shimada Hirofumi Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: John W. Linville Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit 4c9e0f8db0f379ba360594dc057efc8202155697 Author: Alan Stern Date: Thu Apr 8 16:56:37 2010 -0400 USB: EHCI: defer reclamation of siTDs commit 0e5f231bc16ff9910882fa5b9d64d80e7691cfab upstream. This patch (as1369) fixes a problem in ehci-hcd. Some controllers occasionally run into trouble when the driver reclaims siTDs too quickly. This can happen while streaming audio; it causes the controller to crash. The patch changes siTD reclamation to work the same way as iTD reclamation: Completed siTDs are stored on a list and not reused until at least one frame has passed. Signed-off-by: Alan Stern Tested-by: Nate Case Signed-off-by: Greg Kroah-Hartman