commit a00123deed0cd4f1bed1bb78e3ec42028384e0b6 Author: Greg Kroah-Hartman Date: Wed May 26 14:49:41 2010 -0700 Linux 2.6.33.5 commit 2b5a5d1697b2d4a96428ac6439b1d81660de379c Author: Herbert Xu Date: Mon Apr 26 09:14:05 2010 +0800 crypto: authenc - Add EINPROGRESS check commit 180ce7e81030e1ef763d58f97f9ab840ff57d848 upstream. When Steffen originally wrote the authenc async hash patch, he correctly had EINPROGRESS checks in place so that we did not invoke the original completion handler with it. Unfortuantely I told him to remove it before the patch was applied. As only MAY_BACKLOG request completion handlers are required to handle EINPROGRESS completions, those checks are really needed. This patch restores them. Reported-by: Sebastian Andrzej Siewior Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 0afe7e4c1136dda6486587be78c5d277f7aac999 Author: Luis R. Rodriguez Date: Wed May 19 17:33:49 2010 -0400 Revert "ath9k: fix lockdep warning when unloading module" on stable kernels Johannes' patch 34e8950 titled: mac80211: allow station add/remove to sleep changed the way mac80211 adds and removes peers. The new sta_add() / sta_remove() callbacks allowed the driver callbacks to sleep. Johannes also ported ath9k to use sta_add() / sta_remove() via the patch 4ca7786 titled: ath9k: convert to new station add/remove callbacks but this patch forgot to address a change in locking issue which Ming Lei eventually found on his 2.6.33-wl #12 build. The 2.6.33-wl build includes code for the 802.11 subsystem for 2.6.34 though so did already have the above two patches (ath9k_sta_remove() on his trace), the 2.6.33 kernel did not however have these two patches. Ming eventually cured his lockdep warnign via the patch a9f042c titled: ath9k: fix lockdep warning when unloading module This went in to 2.6.34 and although it was not marked as a stable fix it did get trickled down and applied on both 2.6.33 and 2.6.32. In review, the culprits: mac80211: allow station add/remove to sleep git describe --contains 34e895075e21be3e21e71d6317440d1ee7969ad0 v2.6.34-rc1~233^2~49^2~107 ath9k: convert to new station add/remove callbacks git describe --contains 4ca778605cfec53d8a689f0b57babb93b030c784 v2.6.34-rc1~233^2~49^2~10 ath9k: fix lockdep warning when unloading module This last one trickled down to 2.6.33 (OK), 2.6.33 (invalid) and 2.6.32 (invalid). git describe --contains a9f042cbe5284f34ccff15f3084477e11b39b17b v2.6.34-rc2~48^2~77^2~7 git describe --contains 0524bcfa80f1fffb4e1fe18a0a28900869a58a7c v2.6.33.2~125 git describe --contains 0dcc9985f34aef3c60bffab3dfc7f7ba3748f35a v2.6.32.11~79 The patch titled "ath9k: fix lockdep warning when unloading module" should be reverted on both 2.6.33 and 2.6.32 as it is invalid and actually ended up causing the following warning: ADDRCONF(NETDEV_CHANGE): wlan31: link becomes ready phy0: WMM queue=2 aci=0 acm=0 aifs=3 cWmin=15 cWmax=1023 txop=0 phy0: WMM queue=3 aci=1 acm=0 aifs=7 cWmin=15 cWmax=1023 txop=0 phy0: WMM queue=1 aci=2 acm=0 aifs=2 cWmin=7 cWmax=15 txop=94 phy0: WMM queue=0 aci=3 acm=0 aifs=2 cWmin=3 cWmax=7 txop=47 phy0: device now idle ------------[ cut here ]------------ WARNING: at kernel/softirq.c:143 local_bh_enable_ip+0x7b/0xa0() Hardware name: 7660A14 Modules linked in: ath9k(-) mac80211 ath cfg80211 Pid: 2003, comm: rmmod Not tainted 2.6.32.11 #6 Call Trace: [] warn_slowpath_common+0x78/0xb0 [] warn_slowpath_null+0xf/0x20 [] local_bh_enable_ip+0x7b/0xa0 [] _spin_unlock_bh+0x14/0x20 [] ath_tx_node_cleanup+0x185/0x1b0 [ath9k] [] ath9k_sta_notify+0x57/0xb0 [ath9k] [] __sta_info_unlink+0x15a/0x260 [mac80211] [] sta_info_unlink+0x38/0x60 [mac80211] [] ieee80211_set_disassoc+0x1ae/0x210 [mac80211] [] ieee80211_mgd_deauth+0x109/0x110 [mac80211] [] ieee80211_deauth+0x19/0x20 [mac80211] [] __cfg80211_mlme_deauth+0xee/0x130 [cfg80211] [] ? init_object+0x50/0x90 [] __cfg80211_disconnect+0x159/0x1d0 [cfg80211] [] cfg80211_netdev_notifier_call+0x10f/0x450 [cfg80211] [] notifier_call_chain+0x47/0x90 [] raw_notifier_call_chain+0x11/0x20 [] call_netdevice_notifiers+0x16/0x20 [] dev_close+0x4d/0xa0 [] rollback_registered+0x48/0x120 [] unregister_netdevice+0x1d/0x70 [] ieee80211_remove_interfaces+0x84/0xc0 [mac80211] [] ieee80211_unregister_hw+0x42/0xf0 [mac80211] [] ath_detach+0x8e/0x180 [ath9k] [] ath_cleanup+0x11/0x50 [ath9k] [] ath_pci_remove+0x1c/0x20 [ath9k] [] pci_device_remove+0x32/0x60 [] __device_release_driver+0x53/0xb0 [] driver_detach+0xc8/0xd0 [] bus_remove_driver+0x85/0xe0 [] driver_unregister+0x5a/0x90 [] pci_unregister_driver+0x40/0xb0 [] ath_pci_exit+0x10/0x20 [ath9k] [] ath9k_exit+0x9/0x2a [ath9k] [] sys_delete_module+0x1a8/0x270 [] ? up_read+0x9/0x10 [] system_call_fastpath+0x16/0x1b ---[ end trace fad957019ffdd40b ]--- phy0: Removed STA 00:22:6b:56:fd:e8 phy0: Destroyed STA 00:22:6b:56:fd:e8 wlan31: deauthenticating from 00:22:6b:56:fd:e8 by local choice (reason=3) ath9k 0000:16:00.0: PCI INT A disabled The original lockdep fixed an issue where due to the new changes the driver was not disabling the bottom halves but it is incorrect to do this on the older kernels since IRQs are already disabled. Cc: Ming Lei Cc: Johannes Berg Cc: John W. Linville Signed-off-by: Luis R. Rodriguez Signed-off-by: Greg Kroah-Hartman commit ce4e905fd3c182fa620bf7f09bd4a897d6199526 Author: Ryusuke Konishi Date: Mon May 3 21:00:48 2010 +0900 nilfs2: fix sync silent failure commit 973bec34bfc1bc2465646181653d67f767d418c8 upstream. As of 32a88aa1, __sync_filesystem() will return 0 if s_bdi is not set. And nilfs does not set s_bdi anywhere. I noticed this problem by the warning introduced by the recent commit 5129a469 ("Catch filesystem lacking s_bdi"). WARNING: at fs/super.c:959 vfs_kern_mount+0xc5/0x14e() Hardware name: PowerEdge 2850 Modules linked in: nilfs2 loop tpm_tis tpm tpm_bios video shpchp pci_hotplug output dcdbas Pid: 3773, comm: mount.nilfs2 Not tainted 2.6.34-rc6-debug #38 Call Trace: [] warn_slowpath_common+0x60/0x90 [] warn_slowpath_null+0xd/0x10 [] vfs_kern_mount+0xc5/0x14e [] do_kern_mount+0x32/0xbd [] do_mount+0x671/0x6d0 [] ? __get_free_pages+0x1f/0x21 [] ? copy_mount_options+0x2b/0xe2 [] ? strndup_user+0x48/0x67 [] sys_mount+0x61/0x8f [] sysenter_do_call+0x12/0x32 This ensures to set s_bdi for nilfs and fixes the sync silent failure. Signed-off-by: Ryusuke Konishi Acked-by: Jens Axboe Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4e0a098e423ee1067c2b6d0cf864002a6e701e95 Author: Kees Cook Date: Thu Apr 22 12:19:17 2010 -0700 mmap_min_addr check CAP_SYS_RAWIO only for write commit 4ae69e6b718589abe97c9625ccbb1e0bc95a8c0e upstream. Redirecting directly to lsm, here's the patch discussed on lkml: http://lkml.org/lkml/2010/4/22/219 The mmap_min_addr value is useful information for an admin to see without being root ("is my system vulnerable to kernel NULL pointer attacks?") and its setting is trivially easy for an attacker to determine by calling mmap() in PAGE_SIZE increments starting at 0, so trying to keep it private has no value. Only require CAP_SYS_RAWIO if changing the value, not reading it. Comment from Serge : Me, I like to write my passwords with light blue pen on dark blue paper, pasted on my window - if you're going to get my password, you're gonna get a headache. Signed-off-by: Kees Cook Acked-by: Serge Hallyn Signed-off-by: James Morris (cherry picked from commit 822cceec7248013821d655545ea45d1c6a9d15b3) Signed-off-by: Greg Kroah-Hartman commit 5e54866e4de87f3eedcadd96fe12cf1544f374b5 Author: David Howells Date: Wed May 12 15:34:03 2010 +0100 CacheFiles: Fix error handling in cachefiles_determine_cache_security() commit 7ac512aa8237c43331ffaf77a4fd8b8d684819ba upstream. cachefiles_determine_cache_security() is expected to return with a security override in place. However, if set_create_files_as() fails, we fail to do this. In this case, we should just reinstate the security override that was set by the caller. Furthermore, if set_create_files_as() fails, we should dispose of the new credentials we were in the process of creating. Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4c55f33e52794d882f7f210841abb3a5e558a024 Author: Wey-Yi Guy Date: Tue Feb 9 08:14:11 2010 -0800 iwlwifi: clear all the stop_queue flag after load firmware commit a9e10fb9b1c6ad16e73cf2656951fce3a817611e upstream. All the queues are awake and ready to use after loading firmware, for firmware reload case, if any queues was stopped before reload, mac80211 will wake those queues after restart hardware, so make sure all the flag used to keep track of the queue status are reset correctly. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit bd57506de6ee6932e740b9b2b939e7ca439b8feb Author: Wey-Yi Guy Date: Wed Feb 3 12:24:44 2010 -0800 iwlwifi: check for aggregation frame and queue commit 45d427001b5eec03cecaacddb53c73af46bb263e upstream. Error checking for aggregation frames should go into aggregation queue, if aggregation queue not available, use legacy queue instead. Also make sure the aggregation queue is available to activate, if driver and mac80211 is out-of-sync, try to disable the queue and sync-up with mac80211. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit 12d1d28cfaef6f065819a717c2d4c542a2fbf138 Author: Robert Hooker Date: Fri Mar 19 15:13:27 2010 -0400 drm/i915: Disable FBC on 915GM and 945GM. commit 8d06a1e1e9c69244f08beb7d17146483f9dcd120 upstream. It is causing hangs after a suspend/resume cycle with the default powersave=1 module option on these chipsets since 2.6.32-rc. BugLink: http://bugs.launchpad.net/bugs/492392 Signed-off-by: Robert Hooker Acked-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit a266f42b6eeecc21d2cd938f439b395b3d9cd015 Author: Vitaliy Kulikov Date: Mon Mar 15 09:01:26 2010 +0100 ALSA: hda - New Intel HDA controller commit c602c8ad45d6ee6ad91fc544513cc96f70790983 upstream. Added a PCI controller id on new Dell laptops. Signed-off-by: Vitaliy Kulikov Cc: AmenophisIII Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8493589f15804898970d9cfb650ea6d86f339fe3 Author: Dan Rosenberg Date: Sat May 15 11:27:37 2010 -0400 Btrfs: check for read permission on src file in the clone ioctl commit 5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395 upstream. The existing code would have allowed you to clone a file that was only open for writing Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 893bb29ec037b10287d127d037fd77e61b397420 Author: Andreas Herrmann Date: Tue Apr 27 12:13:48 2010 +0200 x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs commit f01487119dda3d9f58c9729c7361ecc50a61c188 upstream. If host CPU is exposed to a guest the OSVW MSRs are not guaranteed to be present and a GP fault occurs. Thus checking the feature flag is essential. Signed-off-by: Andreas Herrmann LKML-Reference: <20100427101348.GC4489@alberich.amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit ed46845f456ea04ad899551148efc6e085459c4e Author: Frank Arnold Date: Thu Apr 22 16:06:59 2010 +0200 x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments commit 7f284d3cc96e02468a42e045f77af11e5ff8b095 upstream. When running a quest kernel on xen we get: BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 IP: [] cpuid4_cache_lookup_regs+0x2ca/0x3df PGD 0 Oops: 0000 [#1] SMP last sysfs file: CPU 0 Modules linked in: Pid: 0, comm: swapper Tainted: G W 2.6.34-rc3 #1 /HVM domU RIP: 0010:[] [] cpuid4_cache_lookup_regs+0x 2ca/0x3df RSP: 0018:ffff880002203e08 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000060 RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000000 RBP: ffff880002203ed8 R08: 00000000000017c0 R09: ffff880002203e38 R10: ffff8800023d5d40 R11: ffffffff81a01e28 R12: ffff880187e6f5c0 R13: ffff880002203e34 R14: ffff880002203e58 R15: ffff880002203e68 FS: 0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000038 CR3: 0000000001a3c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffffffff81a00000, task ffffffff81a44020) Stack: ffffffff810d7ecb ffff880002203e20 ffffffff81059140 ffff880002203e30 <0> ffffffff810d7ec9 0000000002203e40 000000000050d140 ffff880002203e70 <0> 0000000002008140 0000000000000086 ffff880040020140 ffffffff81068b8b Call Trace: [] ? sync_supers_timer_fn+0x0/0x1c [] ? mod_timer+0x23/0x25 [] ? arm_supers_timer+0x34/0x36 [] ? hrtimer_get_next_event+0xa7/0xc3 [] ? get_next_timer_interrupt+0x19a/0x20d [] get_cpu_leaves+0x5c/0x232 [] ? sched_clock_local+0x1c/0x82 [] ? sched_clock_tick+0x75/0x7a [] generic_smp_call_function_single_interrupt+0xae/0xd0 [] smp_call_function_single_interrupt+0x18/0x27 [] call_function_single_interrupt+0x13/0x20 [] ? notifier_call_chain+0x14/0x63 [] ? native_safe_halt+0xc/0xd [] ? default_idle+0x36/0x53 [] cpu_idle+0xaa/0xe4 [] rest_init+0x7e/0x80 [] start_kernel+0x40e/0x419 [] x86_64_start_reservations+0xb3/0xb7 [] x86_64_start_kernel+0xf8/0x107 Code: 14 d5 40 ff ae 81 8b 14 02 31 c0 3b 15 47 1c 8b 00 7d 0e 48 8b 05 36 1c 8b 00 48 63 d2 48 8b 04 d0 c7 85 5c ff ff ff 00 00 00 00 <8b> 70 38 48 8d 8d 5c ff ff ff 48 8b 78 10 ba c4 01 00 00 e8 eb RIP [] cpuid4_cache_lookup_regs+0x2ca/0x3df RSP CR2: 0000000000000038 ---[ end trace a7919e7f17c0a726 ]--- The L3 cache index disable feature of AMD CPUs has to be disabled if the kernel is running as guest on top of a hypervisor because northbridge devices are not available to the guest. Currently, this fixes a boot crash on top of Xen. In the future this will become an issue on KVM as well. Check if northbridge devices are present and do not enable the feature if there are none. [ hpa: backported to 2.6.34 ] Signed-off-by: Frank Arnold LKML-Reference: <1271945222-5283-3-git-send-email-bp@amd64.org> Acked-by: Borislav Petkov Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 401ac15aef2dbc853d78f19b255bdbce0e136f0d Author: Borislav Petkov Date: Sat Apr 24 09:56:53 2010 +0200 x86, k8: Fix build error when K8_NB is disabled commit ade029e2aaacc8965a548b0b0f80c5bee97ffc68 upstream. K8_NB depends on PCI and when the last is disabled (allnoconfig) we fail at the final linking stage due to missing exported num_k8_northbridges. Add a header stub for that. Signed-off-by: Borislav Petkov LKML-Reference: <20100503183036.GJ26107@aftab> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 6464a9f78632cdce047062512aeed584e66985c0 Author: Hugh Dickins Date: Fri May 14 19:44:10 2010 -0700 profile: fix stats and data leakage commit 16a2164bb03612efe79a76c73da6da44445b9287 upstream. If the kernel is large or the profiling step small, /proc/profile leaks data and readprofile shows silly stats, until readprofile -r has reset the buffer: clear the prof_buffer when it is vmalloc()ed. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bd2000ae380153185705f2e80f2c676c1a5337e6 Author: Pavel Emelyanov Date: Wed May 12 15:34:07 2010 -0700 inotify: don't leak user struct on inotify release commit b3b38d842fa367d862b83e7670af4e0fd6a80fc0 upstream. inotify_new_group() receives a get_uid-ed user_struct and saves the reference on group->inotify_data.user. The problem is that free_uid() is never called on it. Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify using fsnotify) after 2.6.30. Signed-off-by: Pavel Emelyanov Eric Paris Signed-off-by: Andrew Morton Signed-off-by: Eric Paris Signed-off-by: Greg Kroah-Hartman commit 93ff009d2e74e6983fddb4674d339a9a6d09715c Author: Eric Paris Date: Tue May 11 17:17:40 2010 -0400 inotify: race use after free/double free in inotify inode marks commit e08733446e72b983fed850fc5d8bd21b386feb29 upstream. There is a race in the inotify add/rm watch code. A task can find and remove a mark which doesn't have all of it's references. This can result in a use after free/double free situation. Task A Task B ------------ ----------- inotify_new_watch() allocate a mark (refcnt == 1) add it to the idr inotify_rm_watch() inotify_remove_from_idr() fsnotify_put_mark() refcnt hits 0, free take reference because we are on idr [at this point it is a use after free] [time goes on] refcnt may hit 0 again, double free The fix is to take the reference BEFORE the object can be found in the idr. Signed-off-by: Eric Paris Signed-off-by: Greg Kroah-Hartman commit dc96a775c1a8e72a4a96d59b8afedc0eeb0c3b21 Author: Daniel T Chen Date: Mon May 10 21:50:04 2010 +0200 ALSA: hda: Fix 0 dB for Lenovo models using Conexant CX20549 (Venice) commit 0ebf9e3692d640917fb792a7494d05e1f5b1058f upstream. Reference: http://mailman.alsa-project.org/pipermail/alsa-devel/2010-May/027525.html As reported on the mailing list, we also need to cap to the 0 dB offset for Lenovo models, else the sound will be distorted. Reported-and-Tested-by: Tim Starling Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6bf3f4c3fd9d370c02495a435708ad2f3094120a Author: Clemens Ladisch Date: Tue May 11 16:34:39 2010 +0200 ALSA: virtuoso: fix Xonar D1/DX front panel microphone commit 6a45f7822544c54a2cf070d84f4e85f2fb32ec02 upstream. Commit 65c3ac885ce9852852b895a4a62212f62cb5f2e9 in 2.6.33 accidentally left out the initialization of the AC97 codec FMIC2MIC bit, which broke recording from the front panel microphone. Signed-off-by: Clemens Ladisch Signed-off-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit eef8959c40ad06a127dd352cae0d4a8c309dc570 Author: Takashi Iwai Date: Wed May 12 16:43:32 2010 +0200 ALSA: ice1724 - Fix ESI Maya44 capture source control commit 8213466596bf10b75887754773ee13c10cf86f5c upstream. The capture source control of maya44 was wrongly coded with the bit shift instead of the bit mask. Also, the slot for line-in was wrongly assigned (slot 5 instead of 4). Reported-by: Alex Chernyshoff Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 90e2111a4feb6473082b723f83c6af730e06041a Author: Alan Cox Date: Tue May 4 20:42:36 2010 +0100 tty: Fix unbalanced BKL handling in error path commit 77945febbe60a69e9dcab7f49d33a1aa1e436973 upstream. Arnd noted: After the "retry_open:" label, we first get the tty_mutex and then the BKL. However a the end of tty_open, we jump back to retry_open with the BKL still held. If we run into this case, the tty_open function will be left with the BKL still held. Signed-off-by: Alan Cox Acked-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit fea3cd8871c7f5868eed8422f276a958e3d5d0b6 Author: Valentin Longchamp Date: Wed May 5 11:47:07 2010 +0200 serial: imx.c: fix CTS trigger level lower to avoid lost chars commit 1c5250d6163dac28be3afabdfb6c723f107051b7 upstream. The imx CTS trigger level is left at its reset value that is 32 chars. Since the RX FIFO has 32 entries, when CTS is raised, the FIFO already is full. However, some serial port devices first empty their TX FIFO before stopping when CTS is raised, resulting in lost chars. This patch sets the trigger level lower so that other chars arrive after CTS is raised, there is still room for 16 of them. Signed-off-by: Valentin Longchamp Tested-by: Philippe Rétornaz Acked-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 2e50759db2317fbde5640914cc1ca22df01a6e4a Author: Jeff Layton Date: Tue May 11 14:59:55 2010 -0400 cifs: guard against hardlinking directories commit 3d69438031b00c601c991ab447cafb7d5c3c59a6 upstream. When we made serverino the default, we trusted that the field sent by the server in the "uniqueid" field was actually unique. It turns out that it isn't reliably so. Samba, in particular, will just put the st_ino in the uniqueid field when unix extensions are enabled. When a share spans multiple filesystems, it's quite possible that there will be collisions. This is a server bug, but when the inodes in question are a directory (as is often the case) and there is a collision with the root inode of the mount, the result is a kernel panic on umount. Fix this by checking explicitly for directory inodes with the same uniqueid. If that is the case, then we can assume that using server inode numbers will be a problem and that they should be disabled. Fixes Samba bugzilla 7407 Signed-off-by: Jeff Layton Reviewed-and-Tested-by: Suresh Jayaraman Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 0e13b2099006c76edd2c7274601f5c96863f389b Author: Paul Mackerras Date: Tue Apr 13 20:46:04 2010 +0000 powerpc/perf_event: Fix oops due to perf_event_do_pending call commit 0fe1ac48bef018bed896307cd12f6ca9b5e704ab upstream. Anton Blanchard found that large POWER systems would occasionally crash in the exception exit path when profiling with perf_events. The symptom was that an interrupt would occur late in the exit path when the MSR[RI] (recoverable interrupt) bit was clear. Interrupts should be hard-disabled at this point but they were enabled. Because the interrupt was not recoverable the system panicked. The reason is that the exception exit path was calling perf_event_do_pending after hard-disabling interrupts, and perf_event_do_pending will re-enable interrupts. The simplest and cleanest fix for this is to use the same mechanism that 32-bit powerpc does, namely to cause a self-IPI by setting the decrementer to 1. This means we can remove the tests in the exception exit path and raw_local_irq_restore. This also makes sure that the call to perf_event_do_pending from timer_interrupt() happens within irq_enter/irq_exit. (Note that calling perf_event_do_pending from timer_interrupt does not mean that there is a possible 1/HZ latency; setting the decrementer to 1 ensures that the timer interrupt will happen immediately, i.e. within one timebase tick, which is a few nanoseconds or 10s of nanoseconds.) Signed-off-by: Paul Mackerras Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 6ce2ff5259b92e67b676beab2c60bf778697f1f2 Author: Stefan Weinhuber Date: Wed May 12 09:32:11 2010 +0200 dasd: fix race between tasklet and dasd_sleep_on commit 1c1e093cbf6d3a7576ba0bd10363362a1c5c74ee upstream. The various dasd_sleep_on functions use a global wait queue when waiting for a cqr. The wait condition checks the status and devlist fields of the cqr to determine if it is safe to continue. This evaluation may return true, although the tasklet has not finished processing of the cqr and the callback function has not been called yet. When the callback is finally called, the data in the cqr may already be invalid. The sleep_on wait condition needs a safe way to determine if the tasklet has finished processing. Use the callback_data field of the cqr to store a token, which is set by the callback function itself. Signed-off-by: Stefan Weinhuber Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 6304f31cfc670abcd2006c18cf8d960072c00c5c Author: Gerald Schaefer Date: Wed May 12 09:32:12 2010 +0200 ptrace: fix return value of do_syscall_trace_enter() commit 545c174d1f093a462b4bb9131b23d5ea72a600e1 upstream. strace may change the system call number, so regs->gprs[2] must not be read before tracehook_report_syscall_entry(). This fixes a bug where "strace -f" will hang after a vfork(). Signed-off-by: Gerald Schaefer Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit d53662168530910feb44e0058b10e9b4ec2302be Author: Jesse Barnes Date: Fri Apr 23 09:32:23 2010 -0700 drm/i915: fix non-Ironlake 965 class crashes commit 1918ad77f7f908ed67cf37c505c6ad4ac52f1ecf upstream. My PIPE_CONTROL fix (just sent via Eric's tree) was buggy; I was testing a whole set of patches together and missed a conversion to the new HAS_PIPE_CONTROL macro, which will cause breakage on non-Ironlake 965 class chips. Fortunately, the fix is trivial and has been tested. Be sure to use the HAS_PIPE_CONTROL macro in i915_get_gem_seqno, or we'll end up reading the wrong graphics memory, likely causing hangs, crashes, or worse. Reported-by: Zdenek Kabelac Reported-by: Toralf Förster Tested-by: Toralf Förster Signed-off-by: Jesse Barnes Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1d26fe28e13ed261cace13638536d17982d2d1cd Author: Jesse Barnes Date: Wed Apr 21 11:39:23 2010 -0700 drm/i915: use PIPE_CONTROL instruction on Ironlake and Sandy Bridge commit e552eb7038a36d9b18860f525aa02875e313fe16 upstream. Since 965, the hardware has supported the PIPE_CONTROL command, which provides fine grained GPU cache flushing control. On recent chipsets, this instruction is required for reliable interrupt and sequence number reporting in the driver. So add support for this instruction, including workarounds, on Ironlake and Sandy Bridge hardware. https://bugs.freedesktop.org/show_bug.cgi?id=27108 Signed-off-by: Jesse Barnes Tested-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 6129e3835577255a083a32841f11519ffc43051d Author: Nicolas Ferre Date: Tue May 11 14:06:50 2010 -0700 mmc: atmel-mci: remove data error interrupt after xfer commit abc2c9fdf636c4335a8d72ac3c5ae152bca44b68 upstream. Disable data error interrupts while we are actually recording that there is not such errors. This will prevent, in some cases, the warning message printed at new request queuing (in atmci_start_request()). Signed-off-by: Nicolas Ferre Cc: Haavard Skinnemoen Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5a1cc48b4a19b5fb8550f67e71fb7005077a7b88 Author: Nicolas Ferre Date: Tue May 11 14:06:49 2010 -0700 mmc: atmel-mci: prevent kernel oops while removing card commit 009a891b22395fc86e5f34057d79fffee4509ab5 upstream. The removing of an SD card in certain circumstances can lead to a kernel oops if we do not make sure that the "data" field of the host structure is valid. This patch adds a test in atmci_dma_cleanup() function and also calls atmci_stop_dma() before throwing away the reference to data. Signed-off-by: Nicolas Ferre Cc: Haavard Skinnemoen Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 834bf5ecd5dd588040109f78958107f4909a6f15 Author: Nicolas Ferre Date: Tue May 11 14:06:48 2010 -0700 mmc: atmel-mci: fix two parameters swapped commit ebb1fea9b3adf25d7e2f643c614163af4f93a17f upstream. Two parameters were swapped in the calls to atmci_init_slot(). Signed-off-by: Nicolas Ferre Reported-by: Anders Grahn Cc: Haavard Skinnemoen Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5788c7de17f4a99fafb5decbe6900d6cc0a24154 Author: Alex Chiang Date: Tue May 11 10:21:38 2010 -0600 ACPI: sleep: eliminate duplicate entries in acpisleep_dmi_table[] commit 7d6fb7bd1919517937ec390f6ca2d7bcf4f89fb6 upstream. Duplicate entries ended up acpisleep_dmi_table[] by accident. They don't hurt functionality, but they are ugly, so let's get rid of them. Signed-off-by: Alex Chiang Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3e8ea8f9e21e04850502833493b3cfa7c6606f5c Author: Wu Fengguang Date: Fri May 7 08:47:54 2010 +0800 ALSA: hda - fix DG45ID SPDIF output commit 4d26f44657915f082806abfe3624aeded4c121fa upstream. This reverts part of commit 52dc438606d1e, in order to fix a regression: broken SPDIF output on Intel DG45FC motherboard (IDT 92HD73E1X5 codec). --- DG45FC-IDT-codec-2.6.32 (SPDIF OK) +++ DG45FC-IDT-codec-2.6.33 (SPDIF broken) Node 0x22 [Pin Complex] wcaps 0x400301: Stereo Digital Pincap 0x00000010: OUT - Pin Default 0x40f000f0: [N/A] Other at Ext N/A - Conn = Unknown, Color = Unknown - DefAssociation = 0xf, Sequence = 0x0 - Pin-ctls: 0x00: + Pin Default 0x014510a0: [Jack] SPDIF Out at Ext Rear + Conn = Optical, Color = Black + DefAssociation = 0xa, Sequence = 0x0 + Pin-ctls: 0x40: OUT Connection: 3 0x25* 0x20 0x21 Node 0x23 [Pin Complex] wcaps 0x400301: Stereo Digital Pincap 0x00000010: OUT - Pin Default 0x01451140: [Jack] SPDIF Out at Ext Rear + Pin Default 0x074510b0: [Jack] SPDIF Out at Ext Rear Panel Conn = Optical, Color = Black - DefAssociation = 0x4, Sequence = 0x0 - Misc = NO_PRESENCE - Pin-ctls: 0x40: OUT + DefAssociation = 0xb, Sequence = 0x0 + Pin-ctls: 0x00: Connection: 3 0x26* 0x20 0x21 Cc: Alexey Fisher Tested-by: David Härdeman Signed-off-by: Wu Fengguang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b759d0992e1fdcf2a76ebef37289e787b375fa28 Author: Robin Holt Date: Tue May 11 14:06:46 2010 -0700 revert "procfs: provide stack information for threads" and its fixup commits commit 34441427aab4bdb3069a4ffcda69a99357abcb2e upstream. Originally, commit d899bf7b ("procfs: provide stack information for threads") attempted to introduce a new feature for showing where the threadstack was located and how many pages are being utilized by the stack. Commit c44972f1 ("procfs: disable per-task stack usage on NOMMU") was applied to fix the NO_MMU case. Commit 89240ba0 ("x86, fs: Fix x86 procfs stack information for threads on 64-bit") was applied to fix a bug in ia32 executables being loaded. Commit 9ebd4eba7 ("procfs: fix /proc//stat stack pointer for kernel threads") was applied to fix a bug which had kernel threads printing a userland stack address. Commit 1306d603f ('proc: partially revert "procfs: provide stack information for threads"') was then applied to revert the stack pages being used to solve a significant performance regression. This patch nearly undoes the effect of all these patches. The reason for reverting these is it provides an unusable value in field 28. For x86_64, a fork will result in the task->stack_start value being updated to the current user top of stack and not the stack start address. This unpredictability of the stack_start value makes it worthless. That includes the intended use of showing how much stack space a thread has. Other architectures will get different values. As an example, ia64 gets 0. The do_fork() and copy_process() functions appear to treat the stack_start and stack_size parameters as architecture specific. I only partially reverted c44972f1 ("procfs: disable per-task stack usage on NOMMU") . If I had completely reverted it, I would have had to change mm/Makefile only build pagewalk.o when CONFIG_PROC_PAGE_MONITOR is configured. Since I could not test the builds without significant effort, I decided to not change mm/Makefile. I only partially reverted 89240ba0 ("x86, fs: Fix x86 procfs stack information for threads on 64-bit") . I left the KSTK_ESP() change in place as that seemed worthwhile. Signed-off-by: Robin Holt Cc: Stefani Seibold Cc: KOSAKI Motohiro Cc: Michal Simek Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 23e7ebc2b334b2a200983e8e48289634f0b0bf5f Author: Stefan Lippers-Hollmann Date: Mon May 10 17:14:34 2010 +0200 ALSA: Revert "ALSA: hda/realtek: quirk for D945GCLF2 mainboard" commit 482c45331519524e4aeaf8a9084a445500822b85 upstream. This reverts commit 7aee67466536bbf8bb44a95712c848a61c5a0acd. As it doesn't seem to be universally valid for all mainboard revisions of the D945GCLF2 and breaks snd-hda-intel/ snd-hda-codec-realtek on the Intel Corporation "D945GCLF2" (LF94510J.86A.0229.2009.0729.0209) mainboard. 00:1b.0 Audio device [0403]: Intel Corporation N10/ICH 7 Family High Definition Audio Controller [8086:27d8] (rev 01) Signed-off-by: Stefan Lippers-Hollmann Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 56bb252ae71c2b0d28e8e7941d0e487a244ace2c Author: FUJITA Tomonori Date: Tue May 11 14:06:43 2010 -0700 dma-mapping: fix dma_sync_single_range_* commit f33d7e2d2d113a63772bbc993cdec3b5327f0ef1 upstream. dma_sync_single_range_for_cpu() and dma_sync_single_range_for_device() use a wrong address with a partial synchronization. Signed-off-by: FUJITA Tomonori Reviewed-by: Konrad Rzeszutek Wilk Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 87d9699c58f348e7127209bf1cf8d9006d164d8c Author: Mel Gorman Date: Tue May 11 14:06:53 2010 -0700 hugetlbfs: kill applications that use MAP_NORESERVE with SIGBUS instead of OOM-killer commit 4a6018f7f4f1075c1a5403b5ec0ee7262187b86c upstream. Ordinarily, application using hugetlbfs will create mappings with reserves. For shared mappings, these pages are reserved before mmap() returns success and for private mappings, the caller process is guaranteed and a child process that cannot get the pages gets killed with sigbus. An application that uses MAP_NORESERVE gets no reservations and mmap() will always succeed at the risk the page will not be available at fault time. This might be used for example on very large sparse mappings where the developer is confident the necessary huge pages exist to satisfy all faults even though the whole mapping cannot be backed by huge pages. Unfortunately, if an allocation does fail, VM_FAULT_OOM is returned to the fault handler which proceeds to trigger the OOM-killer. This is unhelpful. Even without hugetlbfs mounted, a user using mmap() can trivially trigger the OOM-killer because VM_FAULT_OOM is returned (will provide example program if desired - it's a whopping 24 lines long). It could be considered a DOS available to an unprivileged user. This patch alters hugetlbfs to kill a process that uses MAP_NORESERVE where huge pages were not available with SIGBUS instead of triggering the OOM killer. This change affects hugetlb_cow() as well. I feel there is a failure case in there, but I didn't create one. It would need a fairly specific target in terms of the faulting application and the hugepage pool size. The hugetlb_no_page() path is much easier to hit but both might as well be closed. Signed-off-by: Mel Gorman Cc: Lee Schermerhorn Cc: David Rientjes Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cd3ebf63d7c4ea3e708d9f61b7e2c92d1b2321c1 Author: Michael Hennerich Date: Tue May 11 14:07:00 2010 -0700 fbdev: bfin-t350mcqb-fb: fix fbmem allocation with blanking lines commit de145b44b95b9d3212a82d1c0f29b09778ef33c5 upstream. The current allocation does not include the memory required for blanking lines. So avoid memory corruption when multiple devices are using the DMA memory near each other. Signed-off-by: Michael Hennerich Signed-off-by: Mike Frysinger Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1a4dd9753e578e650bcbf6a425a4f386a97e3e9b Author: Oliver Neukum Date: Tue May 11 14:07:03 2010 -0700 hp_accel: fix race in device removal commit 06efbeb4a47b6f865e1c9d175ab9d6e90b69ae9e upstream. The work queue has to be flushed after the device has been made inaccessible. The patch closes a window during which a work queue might remain active after the device is removed and would then lead to ACPI calls with undefined behavior. Signed-off-by: Oliver Neukum Acked-by: Eric Piel Acked-by: Pavel Machek Cc: Pavel Herrmann Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b7e608824a5eb85c1c324d3822760cbfb3a34dce Author: Bjørn Mork Date: Thu May 6 03:44:34 2010 +0000 ipv4: udp: fix short packet and bad checksum logging commit ccc2d97cb7c798e785c9f198de243e2b59f7073b upstream. commit 2783ef23 moved the initialisation of saddr and daddr after pskb_may_pull() to avoid a potential data corruption. Unfortunately also placing it after the short packet and bad checksum error paths, where these variables are used for logging. The result is bogus output like [92238.389505] UDP: short packet: From 2.0.0.0:65535 23715/178 to 0.0.0.0:65535 Moving the saddr and daddr initialisation above the error paths, while still keeping it after the pskb_may_pull() to keep the fix from commit 2783ef23. Signed-off-by: Bjørn Mork Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman