commit 9666790d5518a80bc9e2a7e21fcb6bf836c1548d
Author: Greg Kroah-Hartman
Date:   Mon Jul 5 11:20:47 2010 -0700

    Linux 2.6.33.6

commit f7cbc5375898bf07bd8cf4f943b7bed5a140459c
Author: Wei Yongjun
Date:   Mon May 17 22:51:58 2010 -0700

    sctp: fix append error cause to ERROR chunk correctly

    commit 2e3219b5c8a2e44e0b83ae6e04f52f20a82ac0f2 upstream.

    commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
      sctp: Fix skb_over_panic resulting from multiple invalid \
        parameter errors (CVE-2010-1173) (v4)

    causes 'error cause' to never be added to the ERROR chunk due to a
    typo when checking the valid length in sctp_init_cause_fixed().

    Signed-off-by: Wei Yongjun
    Reviewed-by: Neil Horman
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6090875e7a6465a7cc99357494695c4dbe2ed799
Author: Ben Hutchings
Date:   Fri Mar 19 16:59:19 2010 -0700

    qla2xxx: Disable MSI on qla24xx chips other than QLA2432.

    commit 6377a7ae1ab82859edccdbc8eaea63782efb134d upstream.

    On specific platforms, MSI is unreliable on some of the QLA24xx chips,
    resulting in fatal I/O errors under load, as reported in and by some
    RHEL customers.

    Signed-off-by: Giridhar Malavali
    Signed-off-by: James Bottomley
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit d8b6569a31e9dfa66fc85afe79dc9b3aed48a1c7
Author: Toshiyuki Okajima
Date:   Fri Apr 30 14:32:13 2010 +0100

    KEYS: find_keyring_by_name() can gain access to a freed keyring

    commit cea7daa3589d6b550546a8c8963599f7c1a3ae5c upstream.

    find_keyring_by_name() can gain access to a keyring that has had its
    reference count reduced to zero, and is thus ready to be freed. This
    then allows the dead keyring to be brought back into use whilst it is
    being destroyed.

    The following timeline illustrates the process:

        |(cleaner)                              (user)
        |
        | free_user(user)                       sys_keyctl()
        |  |                                     |
        |  key_put(user->session_keyring)        keyctl_get_keyring_ID()
        |  ||  //=> keyring->usage = 0            |
        |  |schedule_work(&key_cleanup_task)     lookup_user_key()
        |  ||                                     |
        |  kmem_cache_free(,user)                 |
        |  .                                      |[KEY_SPEC_USER_KEYRING]
        |  .                                     install_user_keyrings()
        |  .                                      ||
        | key_cleanup() [<= worker_thread()]      ||
        |  |                                      ||
        |  [spin_lock(&key_serial_lock)]          |[mutex_lock(&key_user_keyr..mutex)]
        |  |                                      ||
        |  atomic_read() == 0                     ||
        |  |{ rb_ease(&key->serial_node,) }       ||
        |  |                                      ||
        |  [spin_unlock(&key_serial_lock)]        |find_keyring_by_name()
        |  |                                      |||
        |  keyring_destroy(keyring)               ||[read_lock(&keyring_name_lock)]
        |  ||                                     |||
        |  |[write_lock(&keyring_name_lock)]      ||atomic_inc(&keyring->usage)
        |  |.                                     ||| *** GET freeing keyring ***
        |  |.                                     ||[read_unlock(&keyring_name_lock)]
        |  ||                                     ||
        |  |list_del()                            |[mutex_unlock(&key_user_k..mutex)]
        |  ||                                     |
        |  |[write_unlock(&keyring_name_lock)]    ** INVALID keyring is returned **
        |  |                                      .
        |  kmem_cache_free(,keyring)              .
        |                                         .
        |                                         atomic_dec(&keyring->usage)
        v                                           *** DESTROYED ***
        TIME

    If CONFIG_SLUB_DEBUG=y then we may see the following message generated:

        =============================================================================
        BUG key_jar: Poison overwritten
        -----------------------------------------------------------------------------
        INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b
        INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086
        INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10
        INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3
        INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300
        Bytes b4 0xffff880197a7e1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
        Object 0xffff880197a7e200: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk

    Alternatively, we may see a system panic happen, such as:

        BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
        IP: [] kmem_cache_alloc+0x5b/0xe9
        PGD 6b2b4067 PUD 6a80d067 PMD 0
        Oops: 0000 [#1] SMP
        last sysfs file: /sys/kernel/kexec_crash_loaded
        CPU 1
        ...
        Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY
        RIP: 0010:[] [] kmem_cache_alloc+0x5b/0xe9
        RSP: 0018:ffff88006af3bd98 EFLAGS: 00010002
        RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b
        RDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430
        RBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000
        R10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0
        R13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce
        FS: 00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000
        CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
        Process su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)
        Stack:
         0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001
         0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce
         0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3
        Call Trace:
         [] ? get_empty_filp+0x70/0x12f
         [] ? do_filp_open+0x145/0x590
         [] ? tlb_finish_mmu+0x2a/0x33
         [] ? unmap_region+0xd3/0xe2
         [] ? virt_to_head_page+0x9/0x2d
         [] ? alloc_fd+0x69/0x10e
         [] ? do_sys_open+0x56/0xfc
         [] ? system_call_fastpath+0x16/0x1b
        Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 <48> 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef
        RIP [] kmem_cache_alloc+0x5b/0xe9

    This problem is that find_keyring_by_name does not confirm that the
    keyring is valid before accepting it.

    Skipping keyrings that have been reduced to a zero count seems the way
    to go. To this end, use atomic_inc_not_zero() to increment the usage
    count and skip the candidate keyring if that returns false.
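
Added illustration, not part of the commit message or the kernel source: a userspace C11 model of the lookup described in this commit, contrasting an unconditional increment with the atomic_inc_not_zero() semantics the fix adopts. The struct keyring stand-in, the list layout and every function name are assumptions; the "dying" entry is constructed to sit in the window after its last reference was dropped and before it is unlinked from the name list.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a named keyring: only what the lookup touches. */
struct keyring {
    const char *name;
    atomic_int usage;        /* reference count; 0 means destruction has begun */
    struct keyring *next;    /* link on the by-name list */
};

/* C11 model of atomic_inc_not_zero(): take a reference only if one exists. */
static bool inc_not_zero(atomic_int *v)
{
    int old = atomic_load(v);

    while (old != 0) {
        /* On failure, old is refreshed with the current count and re-tested. */
        if (atomic_compare_exchange_weak(v, &old, old + 1))
            return true;
    }
    return false;
}

/* Pre-fix lookup: the first name match is referenced unconditionally. */
struct keyring *find_unchecked(struct keyring *head, const char *name)
{
    for (struct keyring *k = head; k != NULL; k = k->next) {
        if (strcmp(k->name, name) != 0)
            continue;
        atomic_fetch_add(&k->usage, 1);   /* 0 -> 1 revives a dying object */
        return k;
    }
    return NULL;
}

/* Post-fix lookup: a candidate whose count already hit zero is skipped. */
struct keyring *find_checked(struct keyring *head, const char *name)
{
    for (struct keyring *k = head; k != NULL; k = k->next) {
        if (strcmp(k->name, name) != 0)
            continue;
        if (!inc_not_zero(&k->usage))
            continue;                     /* being destroyed: keep searching */
        return k;
    }
    return NULL;
}

/* Constructed state: "dying" is still linked but its count is already 0. */
static void build(struct keyring *dying, struct keyring *live)
{
    dying->name = "foo";
    atomic_init(&dying->usage, 0);
    dying->next = live;
    live->name = "foo";
    atomic_init(&live->usage, 1);
    live->next = NULL;
}

/* 1 if the unchecked lookup hands back the dying keyring with usage 1. */
int unchecked_revives_dying(void)
{
    struct keyring dying, live;
    build(&dying, &live);
    struct keyring *k = find_unchecked(&dying, "foo");
    return k == &dying && atomic_load(&dying.usage) == 1;
}

/* 1 if the checked lookup leaves the dying keyring alone and takes the live one. */
int checked_skips_dying(void)
{
    struct keyring dying, live;
    build(&dying, &live);
    struct keyring *k = find_checked(&dying, "foo");
    return k == &live && atomic_load(&dying.usage) == 0 &&
           atomic_load(&live.usage) == 2;
}

/* 1 if the checked lookup reports "not found" when only a dying match exists. */
int checked_finds_nothing_when_only_dying(void)
{
    struct keyring dying, live;
    build(&dying, &live);
    dying.next = NULL;
    return find_checked(&dying, "foo") == NULL &&
           atomic_load(&dying.usage) == 0;
}

int main(void)
{
    return (unchecked_revives_dying() && checked_skips_dying() &&
            checked_finds_nothing_when_only_dying()) ? 0 : 1;
}
```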

    The following script _may_ cause the bug to happen, but there's no
    guarantee as the window of opportunity is small:

        #!/bin/sh
        LOOP=100000
        USER=dummy_user
        /bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; }
        for ((i=0; i<LOOP; i++))
        do
            /bin/su -c "echo '$i' > /dev/null" $USER
        done
        (( add == 1 )) && /usr/sbin/userdel -r $USER
        exit

    Note that the nominated user must not be in use.

    An alternative way of testing this may be:

        for ((i=0; i<100000; i++))
        do
            keyctl session foo /bin/true || break
        done >&/dev/null

    as that uses a keyring named "foo" rather than relying on the user and
    user-session named keyrings.

    Reported-by: Toshiyuki Okajima
    Signed-off-by: David Howells
    Tested-by: Toshiyuki Okajima
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris
    Cc: Ben Hutchings
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit dde8dafc185bc593aad762dc05afbf6b43ba5e18
Author: Dan Carpenter
Date:   Mon May 17 14:42:35 2010 +0100

    KEYS: Return more accurate error codes

    commit 4d09ec0f705cf88a12add029c058b53f288cfaa2 upstream.

    We were using the wrong variable here so the error codes weren't being
    returned properly. The original code returns -ENOKEY.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David Howells
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 913fd105f7ff3c7439f5b67fd10bf83077e2fe1a
Author: Helge Deller
Date:   Mon May 3 20:44:21 2010 +0000

    parisc: clear floating point exception flag on SIGFPE signal

    commit 550f0d922286556c7ea43974bb7921effb5a5278 upstream.

    Clear the floating point exception flag before returning to
    user space. This is needed, else the libc trampoline handler
    may hit the same SIGFPE again while building up a trampoline
    to a signal handler.

    Fixes debian bug #559406.

    Signed-off-by: Helge Deller
    Signed-off-by: Kyle McMartin
    Signed-off-by: Greg Kroah-Hartman

commit 9ec38fcb983c4c11b7b2cebbc6dc4361ffdc58e2
Author: Joerg Roedel
Date:   Wed May 5 16:04:45 2010 +0200

    KVM: SVM: Don't allow nested guest to VMMCALL into host

    This patch disables the possibility for a l2-guest to do a
    VMMCALL directly into the host. This would happen if the
    l1-hypervisor doesn't intercept VMMCALL and the l2-guest
    executes this instruction.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 0d945bd9351199744c1e89d57a70615b6ee9f394)

commit f7461bdc19bb04af2bd14b2936a485bbcfd9fb02
Author: Roedel, Joerg
Date:   Thu May 6 11:38:43 2010 +0200

    KVM: x86: Inject #GP with the right rip on efer writes

    This patch fixes a bug in the KVM efer-msr write path. If a
    guest writes to a reserved efer bit the set_efer function
    injects the #GP directly. The architecture dependent wrmsr
    function does not see this, assumes success and advances the
    rip. This results in a #GP in the guest with the wrong rip.
    This patch fixes this by reporting efer write errors back to
    the architectural wrmsr function.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit b69e8caef5b190af48c525f6d715e7b7728a77f6)

commit 36d26d70df7a96e2c906e1bf126afe975cbe02fa
Author: Avi Kivity
Date:   Thu May 13 11:50:19 2010 +0300

    KVM: x86: Add missing locking to arch specific vcpu ioctls

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 8fbf065d625617bbbf6b72d5f78f84ad13c8b547)

commit aca3aac768e7b64a930370dc6a9b41762f6441cf
Author: Avi Kivity
Date:   Thu May 13 11:05:49 2010 +0300

    KVM: PPC: Add missing vcpu_load()/vcpu_put() in vcpu ioctls

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 98001d8d017cea1ee0f9f35c6227bbd63ef5005b)

commit 12bf0ef607767d6817f20557d246b1eb6c11eb99
Author: Avi Kivity
Date:   Tue May 4 15:00:37 2010 +0300

    KVM: Fix wallclock version writing race

    Wallclock writing uses an unprotected global variable to hold the
    version; this can cause one guest to interfere with another if both
    write their wallclock at the same time.

    Acked-by: Glauber Costa
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 9ed3c444ab8987c7b219173a2f7807e3f71e234e)

commit 01b2090b73c8364b457d4c8d0961db2d1635726a
Author: Avi Kivity
Date:   Tue May 4 12:58:32 2010 +0300

    KVM: MMU: Don't read pdptrs with mmu spinlock held in mmu_alloc_roots

    On svm, kvm_read_pdptr() may require reading guest memory, which can
    sleep.

    Push the spinlock into mmu_alloc_roots(), and only take it after we've
    read the pdptr.

    Tested-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 8facbbff071ff2b19268d3732e31badc60471e21)

commit 5c8f6e37b6b7ce451bb3fc25a7699c720bbcbbba
Author: Shane Wang
Date:   Thu Apr 29 12:09:01 2010 -0400

    KVM: VMX: enable VMXON check with SMX enabled (Intel TXT)

    Per document, for feature control MSR:

      Bit 1 enables VMXON in SMX operation.
      If the bit is clear, execution of VMXON in SMX operation causes a
      general-protection exception.

      Bit 2 enables VMXON outside SMX operation. If the bit is clear,
      execution of VMXON outside SMX operation causes a
      general-protection exception.

    This patch is to enable this kind of check with SMX for VMXON in KVM.

    Signed-off-by: Shane Wang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit cafd66595d92591e4bd25c3904e004fc6f897e2d)

commit e5085dda9c31aada430b3b57ce78ec102e934e9c
Author: Avi Kivity
Date:   Wed May 12 11:48:18 2010 +0300

    KVM: MMU: Segregate shadow pages with different cr0.wp

    When cr0.wp=0, we may shadow a gpte having u/s=1 and r/w=0 with an spte
    having u/s=0 and r/w=1. This allows excessive access if the guest sets
    cr0.wp=1 and accesses through this spte.

    Fix by making cr0.wp part of the base role; we'll have different sptes
    for the two cases and the problem disappears.

    Signed-off-by: Avi Kivity
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 3dbe141595faa48a067add3e47bba3205b79d33c)

commit 22d962cf52f77eef04d635caba46ae54e30723c5
Author: Sheng Yang
Date:   Wed May 12 16:40:40 2010 +0800

    KVM: x86: Check LMA bit before set_efer

    kvm_x86_ops->set_efer() would execute vcpu->arch.efer = efer, so the
    checking of LMA bit didn't work.

    Signed-off-by: Sheng Yang
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit a3d204e28579427609c3d15d2310127ebaa47d94)

commit da3013a2591def42c0e293b847435c0890b8010b
Author: Avi Kivity
Date:   Wed May 12 00:28:44 2010 +0300

    KVM: Don't allow lmsw to clear cr0.pe

    The current lmsw implementation allows the guest to clear cr0.pe,
    contrary to the manual, which breaks EMM386.EXE.

    Fix by ORing the old cr0.pe with lmsw's operand.

    Signed-off-by: Avi Kivity
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit f78e917688edbf1f14c318d2e50dc8e7dad20445)

commit cf050b037d8ab74a1f5a626b2ef62e35cc8288cb
Author: Glauber Costa
Date:   Tue May 11 12:17:40 2010 -0400

    x86, paravirt: Add a global synchronization point for pvclock

    In recent stress tests, it was found that pvclock-based systems
    could seriously warp in smp systems. Using ingo's time-warp-test.c,
    I could trigger a scenario as bad as 1.5mi warps a minute in some
    systems. (to be fair, it wasn't that bad in most of them).
    Investigating further, I found out that such warps were caused by
    the very offset-based calculation pvclock is based on.

    This happens even on some machines that report constant_tsc in its
    tsc flags, specially on multi-socket ones.

    Two reads of the same kernel timestamp at approx the same time, will
    likely have tsc timestamped in different occasions too. This means
    the delta we calculate is unpredictable at best, and can probably be
    smaller in a cpu that is legitimately reading clock in a forward
    occasion.

    Some adjustments on the host could make this window less likely to
    happen, but still, it pretty much poses as an intrinsic problem of
    the mechanism.

    A while ago, I thought about using a shared variable anyway, to hold
    clock last state, but gave up due to the high contention locking was
    likely to introduce, possibly rendering the thing useless on big
    machines. I argue, however, that locking is not necessary.

    We do a read-and-return sequence in pvclock, and between read and
    return, the global value can have changed. However, it can only have
    changed by means of an addition of a positive value. So if we
    detected that our clock timestamp is less than the current global,
    we know that we need to return a higher one, even though it is not
    exactly the one we compared to.

    OTOH, if we detect we're greater than the current time source, we
    atomically replace the value with our new readings.
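
Added example, not the patch's code: a userspace C11 model of the compare-and-swap scheme this commit message describes, run over a constructed sequence of interleaved per-CPU readings that contains backward steps. The names last_value, pvclock_clamp and count_warps and the sample values are assumptions.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

/* Shared "last value handed out" for all readers (hypothetical name). */
static _Atomic uint64_t last_value;

/*
 * Return a timestamp that never goes backwards across callers.
 * - If our reading is behind the global, return the global instead.
 * - Otherwise try to publish our reading; if another reader won the race,
 *   the failed compare-exchange reloads 'last' and the test is repeated.
 */
uint64_t pvclock_clamp(uint64_t ret)
{
    uint64_t last = atomic_load(&last_value);

    do {
        if (ret < last)
            return last;
    } while (!atomic_compare_exchange_weak(&last_value, &last, ret));

    return ret;
}

/*
 * Constructed readings as successive callers might observe them when the
 * per-CPU offsets disagree: three of the eight steps go backwards.
 */
static const uint64_t SAMPLE_READS[] = {
    1000, 990, 1010, 1005, 1020, 1020, 1015, 1030
};
#define SAMPLE_COUNT (sizeof(SAMPLE_READS) / sizeof(SAMPLE_READS[0]))

/* Count backward steps seen by consumers, with or without the clamp. */
size_t count_warps(const uint64_t *raw, size_t n, int use_clamp)
{
    size_t warps = 0;
    uint64_t prev = 0;

    atomic_store(&last_value, 0);          /* fresh clock for each run */
    for (size_t i = 0; i < n; i++) {
        uint64_t now = use_clamp ? pvclock_clamp(raw[i]) : raw[i];
        if (i > 0 && now < prev)
            warps++;
        prev = now;
    }
    return warps;
}

int main(void)
{
    size_t raw = count_warps(SAMPLE_READS, SAMPLE_COUNT, 0);
    size_t clamped = count_warps(SAMPLE_READS, SAMPLE_COUNT, 1);

    return (raw == 3 && clamped == 0) ? 0 : 1;
}
```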

    This does cause contention on big boxes (but big here means *BIG*),
    but it seems like a good trade off, since it provides us with a time
    source guaranteed to be stable wrt time warps.

    After this patch is applied, I don't see a single warp in time during
    5 days of execution, in any of the machines I saw them before.

    Signed-off-by: Glauber Costa
    Acked-by: Zachary Amsden
    CC: Jeremy Fitzhardinge
    CC: Avi Kivity
    CC: Marcelo Tosatti
    CC: Zachary Amsden
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 489fb490dbf8dab0249ad82b56688ae3842a79e8)

commit b6519334facc360b34e4e08639c3befceecd6c17
Author: Joerg Roedel
Date:   Thu Apr 22 12:33:12 2010 +0200

    KVM: SVM: Report emulated SVM features to userspace

    This patch implements the reporting of the emulated SVM
    features to userspace instead of the real hardware
    capabilities. Every real hardware capability needs emulation
    in nested svm so the old behavior was broken.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit c2c63a493924e09a1984d1374a0e60dfd54fc0b0)

commit a349e8e6a85e80a059c3014485750e1341d224b6
Author: Joerg Roedel
Date:   Thu Apr 22 12:33:11 2010 +0200

    KVM: x86: Add callback to let modules decide over some supported cpuid bits

    This patch adds the get_supported_cpuid callback to
    kvm_x86_ops. It will be used in do_cpuid_ent to delegate the
    decision about some supported cpuid bits to the
    architecture modules.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit d4330ef2fb2236a1e3a176f0f68360f4c0a8661b)

commit 530015c2b51b4423347fddcb0ed922672bc4e69e
Author: Wei Yongjun
Date:   Tue Mar 9 14:13:43 2010 +0800

    KVM: PPC: Do not create debugfs if fail to create vcpu

    If fail to create the vcpu, we should not create the debugfs
    for it.

    Signed-off-by: Wei Yongjun
    Acked-by: Alexander Graf
    Cc: stable@kernel.org
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 06056bfb944a0302a8f22eb45f09123de7fb417b)

commit 12a6d6c2fcab2cad127529a972425fcc29a78e13
Author: Wei Yongjun
Date:   Tue Mar 9 14:37:53 2010 +0800

    KVM: s390: Fix possible memory leak of in kvm_arch_vcpu_create()

    This patch fixed possible memory leak in kvm_arch_vcpu_create()
    under s390, which would happen when kvm_arch_vcpu_create() fails.

    Signed-off-by: Wei Yongjun
    Acked-by: Carsten Otte
    Cc: stable@kernel.org
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 7b06bf2ffa15e119c7439ed0b024d44f66d7b605)

commit e73526f39bc8f6d924317bc9ffbb7e82930187b6
Author: Joerg Roedel
Date:   Fri Feb 19 16:23:01 2010 +0100

    KVM: SVM: Fix wrong interrupt injection in enable_irq_windows

    The nested_svm_intr() function does not execute the vmexit
    anymore. Therefore we may still be in the nested state after
    that function ran. This patch changes the nested_svm_intr()
    function to return whether the irq window could be enabled.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 8fe546547cf6857a9d984bfe2f2194910f3fc5d0)

commit 5568446dc49b787905fe0e7958151e755e7b02cf
Author: Joerg Roedel
Date:   Fri Feb 19 16:23:06 2010 +0100

    KVM: SVM: Don't sync nested cr8 to lapic and back

    This patch makes syncing of the guest tpr to the lapic
    conditional on !nested. Otherwise a nested guest using the
    TPR could freeze the guest.
    Another important change this patch introduces is that the
    cr8 intercept bits are no longer ORed at vmrun emulation if
    the guest sets VINTR_MASKING in its VMCB. The reason is that
    nested cr8 accesses always need to be handled by the nested
    hypervisor because they change the shadow version of the
    tpr.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 88ab24adc7142506c8583ac36a34fa388300b750)

commit 06bef51f396d97ba9db9b531612f0a65b0ac910a
Author: Joerg Roedel
Date:   Fri Feb 19 16:23:05 2010 +0100

    KVM: SVM: Fix nested msr intercept handling

    The nested_svm_exit_handled_msr() function maps only one
    page of the guests msr permission bitmap. This patch changes
    the code to use kvm_read_guest to fix the bug.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 4c7da8cb43c09e71a405b5aeaa58a1dbac3c39e9)

commit 7c0738ed0977ea841159441532f1eb33ace7eada
Author: Joerg Roedel
Date:   Fri Feb 19 16:23:03 2010 +0100

    KVM: SVM: Sync all control registers on nested vmexit

    Currently the vmexit emulation does not sync control
    registers where the access is typically intercepted by the
    nested hypervisor. But we can not count on that intercepts
    to sync these registers too and make the code
    architecturally more correct.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit cdbbdc1210223879450555fee04c29ebf116576b)

commit 38088b3c9eeb079aefb7a30a6104e4621c9313e9
Author: Joerg Roedel
Date:   Fri Feb 19 16:23:02 2010 +0100

    KVM: SVM: Fix schedule-while-atomic on nested exception handling

    Move the actual vmexit routine out of code that runs with
    irqs and preemption disabled.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit b8e88bc8ffba5fe53fb8d8a0a4be3bbcffeebe56)

commit a5c3dc8e058b773220b9fa962e2535b832be1705
Author: Joerg Roedel
Date:   Fri Feb 19 16:23:00 2010 +0100

    KVM: SVM: Don't use kmap_atomic in nested_svm_map

    Use of kmap_atomic disables preemption but if we run in
    shadow-shadow mode the vmrun emulation executes kvm_set_cr3
    which might sleep or fault.
    So use kmap instead for nested_svm_map.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman
    (cherry picked from commit 7597f129d8b6799da7a264e6d6f7401668d3a36d)

commit 28c02526fa62beda0a30fe88154bab53cb2b86d7
Author: Dmitry Torokhov
Date:   Thu May 13 00:42:23 2010 -0700

    Input: psmouse - reset all types of mice before reconnecting

    commit ef110b24e28f36620f63dab94708a17c7e267358 upstream.

    Synaptics hardware requires resetting device after suspend to ram
    in order for the device to be operational. The reset lives in
    synaptics-specific reconnect handler, but it is not being invoked
    if synaptics support is disabled and the device is handled as a
    standard PS/2 device (bare or IntelliMouse protocol).

    Let's add reset into generic reconnect handler as well.

    Signed-off-by: Dmitry Torokhov
    Cc: Tim Gardner
    Signed-off-by: Greg Kroah-Hartman

commit d8a022afa2e1b3da28c8381b783ec1fd55480e18
Author: Lai Jiangshan
Date:   Wed Jan 6 20:08:50 2010 +0800

    tracing: Consolidate protection of reader access to the ring buffer

    commit 7e53bd42d14c75192b99674c40fcc359392da59d upstream.

    At the beginning, access to the ring buffer was fully serialized
    by trace_types_lock. Patch d7350c3f4569 gives more freedom to
    readers, and patch b04cc6b1f6 adds code to protect trace_pipe and
    cpu#/trace_pipe.

    But actually it is not enough, ring buffer readers are not always
    read-only, they may consume data.

    This patch makes accesses to trace, trace_pipe, trace_pipe_raw
    cpu#/trace, cpu#/trace_pipe and cpu#/trace_pipe_raw serialized.
    And removes tracing_reader_cpumask which is used to protect
    trace_pipe.

    Details:

    Ring buffer serializes readers, but it is low level protection.
    The validity of the events (which returns by ring_buffer_peek()
    ..etc) are not protected by ring buffer.

    The content of events may become garbage if we allow another
    process to consume these events concurrently:
      A) the page of the consumed events may become a normal page
         (not reader page) in ring buffer, and this page will be
         rewritten by the events producer.
      B) The page of the consumed events may become a page for
         splice_read, and this page will be returned to system.

    This patch adds trace_access_lock() and trace_access_unlock()
    primitives.

    These primitives allow multi process access to different cpu ring
    buffers concurrently.

    These primitives don't distinguish read-only and read-consume
    access. Multi read-only access is also serialized.

    And we don't use these primitives when we open files,
    we only use them when we read files.

    Signed-off-by: Lai Jiangshan
    LKML-Reference: <4B447D52.1050602@cn.fujitsu.com>
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

commit 8ce881616b79099adc73fe27e5f0aa1ea26354c4
Author: Alan Jenkins
Date:   Mon Feb 22 16:03:58 2010 +0000

    eeepc-laptop: check wireless hotplug events

    commit bc9d24a3aeb1532fc3e234907a8b6d671f7ed68f upstream.

    Before we mark the wireless device as unplugged, check PCI config
    space to see whether the wireless device is really disabled (and
    vice versa). This works around newer models which don't want the
    hotplug code, where we end up disabling the wired network device.

    My old 701 still works correctly with this. I can also simulate an
    afflicted model by changing the hardcoded PCI bus/slot number in the
    driver, and it seems to work nicely (although it is a bit noisy).

    In future this type of hotplug support will be implemented by the
    PCI core. The existing blacklist and the new warning message will be
    removed at that point.

    Signed-off-by: Alan Jenkins
    Signed-off-by: Corentin Chary
    Signed-off-by: Greg Kroah-Hartman

commit 62008a6b67c40a295086607e34ba5816d6642f88
Author: Shi Weihua
Date:   Tue May 18 00:50:32 2010 +0000

    Btrfs: should add a permission check for setfacl

    commit 2f26afba46f0ebf155cf9be746496a0304a5b7cf upstream.

    On btrfs, do the following
    ------------------
    # su user1
    # cd btrfs-part/
    # touch aaa
    # getfacl aaa
      # file: aaa
      # owner: user1
      # group: user1
      user::rw-
      group::rw-
      other::r--
    # su user2
    # cd btrfs-part/
    # setfacl -m u::rwx aaa
    # getfacl aaa
      # file: aaa
      # owner: user1
      # group: user1
      user::rwx      <- succeeded to setfacl
      group::rw-
      other::r--
    ------------------
    but we should prohibit it that user2 changing user1's acl.
    In fact, on ext3 and other fs, a message occurs:
      setfacl: aaa: Operation not permitted
    This patch fixed it.

    Signed-off-by: Shi Weihua
    Signed-off-by: Chris Mason
    Signed-off-by: Greg Kroah-Hartman

commit 8ec8b5bf52a674755f688142d7ac6fd0bc82fe66
Author: James Chapman
Date:   Tue Mar 16 06:46:31 2010 +0000

    l2tp: Fix oops in pppol2tp_xmit

    commit 3feec9095d12e311b7d4eb7fe7e5dfa75d4a72a5 upstream.

    When transmitting L2TP frames, we derive the outgoing interface's UDP
    checksum hardware assist capabilities from the tunnel dst dev. This
    can sometimes be NULL, especially when routing protocols are used and
    routing changes occur. This patch just checks for NULL dst or dev
    pointers when checking for netdev hardware assist features.

        BUG: unable to handle kernel NULL pointer dereference at 0000000c
        IP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp]
        *pde = 00000000
        Oops: 0000 [#1] SMP
        last sysfs file: /sys/class/net/lo/operstate
        Modules linked in: pppol2tp pppox ppp_generic slhc ipv6 dummy loop snd_hda_codec_atihdmi snd_hda_intel snd_hda_codec snd_pcm snd_timer snd soundcore snd_page_alloc evdev psmouse serio_raw processor button i2c_piix4 i2c_core ati_agp agpgart pcspkr ext3 jbd mbcache sd_mod ide_pci_generic atiixp ide_core ahci ata_generic floppy ehci_hcd ohci_hcd libata e1000e scsi_mod usbcore nls_base thermal fan thermal_sys [last unloaded: scsi_wait_scan]

        Pid: 0, comm: swapper Not tainted (2.6.32.8 #1)
        EIP: 0060:[] EFLAGS: 00010297 CPU: 3
        EIP is at pppol2tp_xmit+0x341/0x4da [pppol2tp]
        EAX: 00000000 EBX: f64d1680 ECX: 000005b9 EDX: 00000000
        ESI: f6b91850 EDI: f64d16ac EBP: f6a0c4c0 ESP: f70a9cac
        DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
        Process swapper (pid: 0, ti=f70a8000 task=f70a31c0 task.ti=f70a8000)
        Stack:
         000005a9 000005b9 f734c400 f66652c0 f7352e00 f67dc800 00000000 f6b91800
        <0> 000005a3 f70ef6c4 f67dcda9 000005a3 f89b192e 00000246 000005a3 f64d1680
        <0> f63633e0 f6363320 f64d1680 f65a7320 f65a7364 f65856c0 f64d1680 f679f02f
        Call Trace:
         [] ? ppp_push+0x459/0x50e [ppp_generic]
         [] ? ppp_xmit_process+0x3b6/0x430 [ppp_generic]
         [] ? ppp_start_xmit+0x10d/0x120 [ppp_generic]
         [] ? dev_hard_start_xmit+0x21f/0x2b2
         [] ? sch_direct_xmit+0x48/0x10e
         [] ? dev_queue_xmit+0x263/0x3a6
         [] ? ip_finish_output+0x1f7/0x221
         [] ? ip_forward_finish+0x2e/0x30
         [] ? ip_rcv_finish+0x295/0x2a9
         [] ? netif_receive_skb+0x3e9/0x404
         [] ? e1000_clean_rx_irq+0x253/0x2fc [e1000e]
         [] ? e1000_clean+0x63/0x1fc [e1000e]
         [] ? sched_clock_local+0x15/0x11b
         [] ? net_rx_action+0x96/0x195
         [] ? __do_softirq+0xaa/0x151
         [] ? do_softirq+0x31/0x3c
         [] ? irq_exit+0x26/0x58
         [] ? do_IRQ+0x78/0x89
         [] ? common_interrupt+0x29/0x30
         [] ? native_safe_halt+0x2/0x3
         [] ? default_idle+0x55/0x75
         [] ? c1e_idle+0xd2/0xd5
         [] ? cpu_idle+0x46/0x62
        Code: 8d 45 08 f0 ff 45 08 89 6b 08 c7 43 68 7e fb 9c f8 8a 45 24 83 e0 0c 3c 04 75 09 80 63 64 f3 e9 b4 00 00 00 8b 43 18 8b 4c 24 04 <8b> 40 0c 8d 79 11 f6 40 44 0e 8a 43 64 75 51 6a 00 8b 4c 24 08
        EIP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp] SS:ESP 0068:f70a9cac
        CR2: 000000000000000c

    Signed-off-by: James Chapman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7ab3c6bcc33237784b5dd8ef86062d488fd65576
Author: Miklos Szeredi
Date:   Wed Feb 10 12:15:53 2010 +0100

    vfs: add NOFOLLOW flag to umount(2)

    commit db1f05bb85d7966b9176e293f3ceead1cb8b5d79 upstream.

    Add a new UMOUNT_NOFOLLOW flag to umount(2). This is needed to prevent
    symlink attacks in unprivileged unmounts (fuse, samba, ncpfs).

    Additionally, return -EINVAL if an unknown flag is used (and specify
    an explicitly unused flag: UMOUNT_UNUSED). This makes it possible for
    the caller to determine if a flag is supported or not.

    CC: Eugene Teo
    CC: Michael Kerrisk
    Signed-off-by: Miklos Szeredi
    Signed-off-by: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 8c11d9038537657cc74fb8d2242fd18c3d6a05d5
Author: Steve French
Date:   Thu Apr 22 19:21:55 2010 +0000

    CIFS: Allow null nd (as nfs server uses) on create

    commit fa588e0c57048b3d4bfcd772d80dc0615f83fd35 upstream.

    While creating a file on a server which supports unix extensions
    such as Samba, if a file is being created which does not supply
    nameidata (i.e. nd is null), cifs client can oops when calling
    cifs_posix_open.

    Signed-off-by: Shirish Pargaonkar
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit ca12f650743dbfc723de02e37f1ac562a1978b33
Author: Neil Horman
Date:   Wed Apr 28 10:30:59 2010 +0000

    sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)

    commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 upstream.

    Ok, version 4

    Change Notes:
    1) Minor cleanups, from Vlad's notes

    Summary:

    Hey-
    Recently, it was reported to me that the kernel could oops in the
    following way:

    <5> kernel BUG at net/core/skbuff.c:91!
    <5> invalid operand: 0000 [#1]
    <5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U) vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5 ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi mptbase sd_mod scsi_mod
    <5> CPU: 0
    <5> EIP: 0060:[] Not tainted VLI
    <5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
    <5> EIP is at skb_over_panic+0x1f/0x2d
    <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
    <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
    <5> ds: 007b es: 007b ss: 0068
    <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
    <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180 e0c2947d
    <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004 df653490
    <5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e 00000004
    <5> Call Trace:
    <5> [] sctp_addto_chunk+0xb0/0x128 [sctp]
    <5> [] sctp_addto_chunk+0xb5/0x128 [sctp]
    <5> [] sctp_init_cause+0x3f/0x47 [sctp]
    <5> [] sctp_process_unk_param+0xac/0xb8 [sctp]
    <5> [] sctp_verify_init+0xcc/0x134 [sctp]
    <5> [] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
    <5> [] sctp_do_sm+0x41/0x77 [sctp]
    <5> [] cache_grow+0x140/0x233
    <5> [] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
    <5> [] sctp_inq_push+0xe/0x10 [sctp]
    <5> [] sctp_rcv+0x454/0x509 [sctp]
    <5> [] ipt_hook+0x17/0x1c [iptable_filter]
    <5> [] nf_iterate+0x40/0x81
    <5> [] ip_local_deliver_finish+0x0/0x151
    <5> [] ip_local_deliver_finish+0xc6/0x151
    <5> [] nf_hook_slow+0x83/0xb5
    <5> [] ip_local_deliver+0x1a2/0x1a9
    <5> [] ip_local_deliver_finish+0x0/0x151
    <5> [] ip_rcv+0x334/0x3b4
    <5> [] netif_receive_skb+0x320/0x35b
    <5> [] init_stall_timer+0x67/0x6a [uhci_hcd]
    <5> [] process_backlog+0x6c/0xd9
    <5> [] net_rx_action+0xfe/0x1f8
    <5> [] __do_softirq+0x35/0x79
    <5> [] handle_IRQ_event+0x0/0x4f
    <5> [] do_softirq+0x46/0x4d

    It's an skb_over_panic BUG halt that results from processing an init
    chunk in which too many of its variable length parameters are in some
    way malformed.

    The problem is in sctp_process_unk_param:

        if (NULL == *errp)
                *errp = sctp_make_op_error_space(asoc, chunk,
                                                 ntohs(chunk->chunk_hdr->length));

                if (*errp) {
                        sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
                                        WORD_ROUND(ntohs(param.p->length)));
                        sctp_addto_chunk(*errp,
                                        WORD_ROUND(ntohs(param.p->length)),
                                        param.v);

    When we allocate an error chunk, we assume that the worst case scenario
    requires that we have chunk_hdr->length data allocated, which would be
    correct nominally, given that we call sctp_addto_chunk for the violating
    parameter. Unfortunately, we also, in sctp_init_cause insert a
    sctp_errhdr_t structure into the error chunk, so the worst case
    situation in which all parameters are in violation requires
    chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

    The result of this error is that a deliberately malformed packet sent to
    a listening host can cause a remote DOS, described in CVE-2010-1173:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173

    I've tested the below fix and confirmed that it fixes the issue. We
    move to a strategy whereby we allocate a fixed size error chunk and
    ignore errors we don't have space to report. Tested by me successfully

    Signed-off-by: Neil Horman
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f38b3aedd9dea444b5109472c694ae65d612aa64
Author: Steven Whitehouse
Date:   Mon May 24 14:36:48 2010 +0100

    GFS2: Fix permissions checking for setflags ioctl()

    commit 7df0e0397b9a18358573274db9fdab991941062f upstream.

    We should be checking for the ownership of the file for which flags
    are being set, rather than just for write access.

    Reported-by: Dan Rosenberg
    Signed-off-by: Steven Whitehouse
    Signed-off-by: Greg Kroah-Hartman

commit 69d44cfd3e4d45b92a6ddea7227df030c120f871
Author: Theodore Ts'o
Date:   Wed Jun 2 22:04:39 2010 -0400

    ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files

    commit 1f5a81e41f8b1a782c68d3843e9ec1bfaadf7d72 upstream.

    Dan Rosenberg has reported a problem with the MOVE_EXT ioctl. If the
    donor file is an append-only file, we should not allow the operation
    to proceed, lest we end up overwriting the contents of an append-only
    file.

    Signed-off-by: "Theodore Ts'o"
    Cc: Dan Rosenberg
    Signed-off-by: Greg Kroah-Hartman

commit d1491fb32619f09e2e2515588ea864aadcdda41a
Author: Eric Sandeen
Date:   Sun May 16 01:00:00 2010 -0400

    ext4: check s_log_groups_per_flex in online resize code

    commit 42007efd569f1cf3bfb9a61da60ef6c2179508ca upstream.

    If groups_per_flex < 2, sbi->s_flex_groups[] doesn't get filled out,
    and every other access to this first tests s_log_groups_per_flex;
    same thing needs to happen in resize or we'll wander off into
    a null pointer when doing an online resize of the file system.

    Thanks to Christoph Biedl, who came up with the trivial testcase:

    # truncate --size 128M fsfile
    # mkfs.ext3 -F fsfile
    # tune2fs -O extents,uninit_bg,dir_index,flex_bg,huge_file,dir_nlink,extra_isize fsfile
    # e2fsck -yDf -C0 fsfile
    # truncate --size 132M fsfile
    # losetup /dev/loop0 fsfile
    # mount /dev/loop0 mnt
    # resize2fs -p /dev/loop0

    https://bugzilla.kernel.org/show_bug.cgi?id=13549

    Reported-by: Alessandro Polverini
    Test-case-by: Christoph Biedl
    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b2275d444561c18cdb678f9f9f72a2080d91a4c6
Author: Grazvydas Ignotas
Date:   Sat Jun 5 02:25:47 2010 +0300

    wl1251: fix a memory leak in probe

    commit aa679c36756003f1fabdb9fc6f00eb159559f7c3 upstream.

    wl1251_sdio_probe() error path is missing wl1251_free_hw, add it.

    Signed-off-by: Grazvydas Ignotas
    Acked-by: Kalle Valo
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit e1b8e9499b5cfcddd229a400084a211efead9239
Author: Oleg Nesterov
Date:   Thu Jun 3 23:34:09 2010 +0200

    tracing: Fix null pointer deref with SEND_SIG_FORCED

    commit b9b76dfaac6fa2c289ee8a005be637afd2da7e2f upstream.

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
    IP: [] ftrace_raw_event_signal_generate+0x87/0x140

    TP_STORE_SIGINFO() forgets about SEND_SIG_FORCED, fix.

    We should probably export is_si_special() and change
    TP_STORE_SIGINFO() to use it in the longer term.

    Signed-off-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Cc: Steven Rostedt
    Cc: Andrew Morton
    Cc: Jason Baron
    Cc: Masami Hiramatsu
    LKML-Reference: <20100603213409.GA8307@redhat.com>
    Signed-off-by: Frederic Weisbecker
    Signed-off-by: Greg Kroah-Hartman

commit e26e13a7e153ae645a430c4983241b0e9987d5cf
Author: Peter Zijlstra
Date:   Fri Jun 4 15:18:01 2010 +0200

    perf: Fix signed comparison in perf_adjust_period()

    commit f6ab91add6355e231e1c47897027b2a6ee4fa268 upstream.

    Frederic reported that frequency driven swevents didn't work properly
    and even caused a division-by-zero error.

    It turns out there are two bugs, the division-by-zero comes from a
    failure to deal with that in perf_calculate_period().

    The other was more interesting and turned out to be a wrong comparison
    in perf_adjust_period(). The comparison was between an s64 and u64 and
    got implicitly converted to an unsigned comparison. The problem is
    that period_left is typically < 0, so it ended up being always true.

    Cure this by making the local period variables s64.

    Reported-by: Frederic Weisbecker
    Tested-by: Frederic Weisbecker
    Signed-off-by: Peter Zijlstra
    LKML-Reference:
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 402d655a0d2df775bfcf345fcc19db8a32b3a1c8
Author: Reinette Chatre
Date:   Mon May 3 10:55:07 2010 -0700

    iwlwifi: recalculate average tpt if not current

    commit 3d79b2a9eeaa066b35c49fbb17e3156a3c482c3e upstream.

    We currently have this check as a BUG_ON, which is being hit by
    people. Previously it was an error with a recalculation if not
    current, return that code.

    The BUG_ON was introduced by:
    commit 3110bef78cb4282c58245bc8fd6d95d9ccb19749
    Author: Guy Cohen
    Date:   Tue Sep 9 10:54:54 2008 +0800

        iwlwifi: Added support for 3 antennas

    ... the portion adding the BUG_ON is reverted since we are
    encountering the error and BUG_ON was created with assumption that
    error is not encountered.

    Signed-off-by: Reinette Chatre
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 5bd90999347524d2b525d011a68b70837a922879
Author: Reinette Chatre
Date:   Wed Feb 3 09:38:59 2010 -0800

    iwlwifi: reset card during probe

    commit 4843b5a731b31916d100cfc5ba4d03ae78462ed9 upstream.

    To ensure that card is in a sane state during probe we add a reset
    call. This change was prompted by users of kdump who were not able to
    bring up the wireless driver in the kdump kernel. The problem here was
    that the primary kernel, which is not running at the time, left the
    wireless card up and running. When the kdump kernel starts it is thus
    possible to immediately receive interrupts from firmware after
    registering interrupt, but without being ready to deal with interrupts
    from firmware yet.

    Reported-by: Stanislaw Gruszka
    Signed-off-by: Reinette Chatre
    Signed-off-by: Greg Kroah-Hartman

commit 5ff290f1c541bb4d4c8df68b31378d6e031eeba1
Author: Shaohua Li
Date:   Tue May 25 10:16:53 2010 +0200

    cfq-iosched: fix an oops caused by slab leak

    commit d02a2c077fb81f3224c770be62a318165b23b486 upstream.

    I got below oops when unloading cfq-iosched. Considering scenario:
    queue A merge to B, C merge to D and B will be merged to D. Before B
    is merged to D, we do split B. We should put B's reference for D.

    [ 807.768536] =============================================================================
    [ 807.768539] BUG cfq_queue: Objects remaining on kmem_cache_close()
    [ 807.768541] -----------------------------------------------------------------------------
    [ 807.768543]
    [ 807.768546] INFO: Slab 0xffffea0003e6b4e0 objects=26 used=1 fp=0xffff88011d584fd8 flags=0x200000000004082
    [ 807.768550] Pid: 5946, comm: rmmod Tainted: G W 2.6.34-07097-gf4b87de-dirty #724
    [ 807.768552] Call Trace:
    [ 807.768560] [] slab_err+0x8f/0x9d
    [ 807.768564] [] ? flush_cpu_slab+0x0/0x93
    [ 807.768569] [] ? add_preempt_count+0xe/0xca
    [ 807.768572] [] ? sub_preempt_count+0xe/0xb6
    [ 807.768577] [] ? _raw_spin_unlock+0x15/0x30
    [ 807.768580] [] ? sub_preempt_count+0xe/0xb6
    [ 807.768584] [] list_slab_objects+0x9b/0x19f
    [ 807.768588] [] ? add_preempt_count+0xc6/0xca
    [ 807.768591] [] kmem_cache_destroy+0x13f/0x21d
    [ 807.768597] [] cfq_slab_kill+0x1a/0x43 [cfq_iosched]
    [ 807.768601] [] cfq_exit+0x93/0x9e [cfq_iosched]
    [ 807.768606] [] sys_delete_module+0x1b1/0x219
    [ 807.768612] [] system_call_fastpath+0x16/0x1b
    [ 807.768618] INFO: Object 0xffff88011d584618 @offset=1560
    [ 807.768622] INFO: Allocated in cfq_get_queue+0x11e/0x274 [cfq_iosched] age=7173 cpu=1 pid=5496
    [ 807.768626] =============================================================================

    Signed-off-by: Shaohua Li
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 10b2ad8fecd1936e30fda32d1adcb787da3410dd
Author: Roberto Sassu
Date:   Thu Jun 3 11:58:28 2010 +0200

    wrong type for 'magic' argument in simple_fill_super()

    commit 7d683a09990ff095a91b6e724ecee0ff8733274a upstream.

    It's used to superblock ->s_magic, which is unsigned long.

    Signed-off-by: Roberto Sassu
    Reviewed-by: Mimi Zohar
    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 0723ebb25fe048d3e6bcea6fd565837d7f0a3b4d
Author: John W. Linville
Date:   Wed Dec 9 16:43:52 2009 -0500

    wireless: report reasonable bitrate for MCS rates through wext

    commit 254416aae70ab2e6b57fd79782c8a67196234d02 upstream.

    Previously, cfg80211 had reported "0" for MCS (i.e. 802.11n) bitrates
    through the wireless extensions interface. However, nl80211 was
    converting MCS rates into a reasonable bitrate number. This patch
    moves the nl80211 code to cfg80211 where it is now shared between
    both the nl80211 interface and the wireless extensions interface.

    Signed-off-by: John W. Linville
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit 1192e9c910740099465aa1390bd102519c92c82a
Author: Jason Dravet
Date:   Sat Jun 5 15:08:29 2010 -0500

    p54usb: Add device ID for Dell WLA3310 USB

    commit 0f666a08901f8b01f294ca0ad751019375240ae3 upstream.

    Add Dell WLA3310 USB wireless card, which has a Z-Com XG-705A
    chipset, to the USB Ids in p54usb.

    Signed-off-by: Jason Dravet
    Tested-by: Richard Gregory Tillmore
    Signed-off-by: Larry Finger
    Acked-by: Christian Lamparter
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 76faf97bf04fb05924c9da5e9b243404eaee9946
Author: Axel Lin
Date:   Mon May 31 08:04:47 2010 +0800

    USB: cdc-acm: fix resource reclaim in error path of acm_probe

    commit c2572b78aa0447244a38e555ebb1b3b48a0088a5 upstream.

    This patch fixes resource reclaim in error path of acm_probe:

    1. In the case of "out of memory (read urbs usb_alloc_urb)\n")",
       there is no need to call acm_read_buffers_free(acm) here. Fix it
       by goto alloc_fail6 instead of alloc_fail7.
    2. In the case of "out of memory (write urbs usb_alloc_urb)",
       usb_alloc_urb may fail in any iteration of the for loop. Current
       implementation does not properly free allocated snd->urb. Fix it
       by goto alloc_fail8 instead of alloc_fail7.
    3. In the case of
       device_create_file(&intf->dev,&dev_attr_iCountryCodeRelDate) fail,
       acm->country_codes is kfreed. As a result, device_remove_file for
       dev_attr_wCountryCodes will not be executed in acm_disconnect. Fix
       it by calling device_remove_file for dev_attr_wCountryCodes before
       goto skip_countries.

    Signed-off-by: Axel Lin
    Acked-by: Oliver Neukum
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 18ba8e2c21b721d1c36e65525a30b25804e9b33e
Author: Daniel Mack
Date:   Thu Jun 3 13:55:02 2010 +0200

    USB: ftdi_sio: fix DTR/RTS line modes

    commit 6a1a82df91fa0eb1cc76069a9efe5714d087eccd upstream.

    Call set_mctrl() and clear_mctrl() according to the flow control mode
    selected. This makes serial communication for FT232 connected devices
    work when CRTSCTS is not set.

    This fixes a regression introduced by 4175f3e31 ("tty_port: If we are
    opened non blocking we still need to raise the carrier"). This patch
    calls the low-level driver's dtr_rts() function which consequently
    sets TIOCM_DTR | TIOCM_RTS. A later call to set_termios() without
    CRTSCTS in cflags, however, does not reset these bits, and so data is
    not actually sent out on the serial wire.

    Signed-off-by: Daniel Mack
    Cc: Johan Hovold
    Cc: Alan Cox
    Signed-off-by: Greg Kroah-Hartman

commit 4366f8e2b21f652563bb9d54868272efd54c6654
Author: Sarah Sharp
Date:   Mon May 24 13:25:15 2010 -0700

    USB: xhci: Wait for controller to be ready after reset.

    commit 2d62f3eea98354d61f90d6b115eecf9be5f4bdfe upstream.

    After software resets an xHCI host controller, it must wait for the
    "Controller Not Ready" (CNR) bit in the status register to be
    cleared. Software is not supposed to ring any doorbells or write to
    any registers except the status register until this bit is cleared.

    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman

commit d85a9e8941454235ea82bb6c4f8aafd500e1e6ec
Author: Sarah Sharp
Date:   Mon May 24 13:25:21 2010 -0700

    USB: xhci: Wait for host to start running.

    commit ed07453fd356025cc25272629e982f5e4607632c upstream.

    When the run bit is set in the xHCI command register, it may take a
    few microseconds for the host to start running. We cannot ring any
    doorbells until the host is actually running, so wait until the
    status register says the host is running.

    Signed-off-by: Sarah Sharp
    Reported-by: Shinya Saito
    Signed-off-by: Greg Kroah-Hartman

commit c9aa072037b4d6e5831bbf930bc934ec1dcbd2dd
Author: Johan Hovold
Date:   Wed May 19 22:13:17 2010 +0200

    USB: mos7840: fix null-pointer dereference

    commit b41709f1263bb1ad37efc43fea0bb0b670c12e78 upstream.

    Fix null-pointer dereference on error path.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 674829c058a8dc47d312be62f31c0013f116903d
Author: Chris Wilson
Date:   Thu May 27 13:18:18 2010 +0100

    drm/i915: Rebind bo if currently bound with incorrect alignment.

    commit ac0c6b5ad3b3b513e1057806d4b7627fcc0ecc27 upstream.

    Whilst pinning the buffer, check that its current alignment matches
    the requested alignment. If it does not, rebind.

    This should clear up any final render errors whilst resuming, for
    reference:

      Bug 27070 - [i915] Page table errors with empty ringbuffer
      https://bugs.freedesktop.org/show_bug.cgi?id=27070

      Bug 15502 - render error detected, EIR: 0x00000010
      https://bugzilla.kernel.org/show_bug.cgi?id=15502

      Bug 13844 - i915 error: "render error detected"
      https://bugzilla.kernel.org/show_bug.cgi?id=13844

    Signed-off-by: Chris Wilson
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 89d35068d07dec55b33a8af7915441350857c8bf
Author: Tejun Heo
Date:   Mon May 31 16:26:48 2010 +0200

    sata_via: magic vt6421 fix for transmission problems w/ WD drives

    commit 8b27ff4cf6d15964aa2987aeb58db4dfb1f87a19 upstream.

    vt6421 has problems talking to recent WD drives. It causes a lot of
    transmission errors while high bandwidth transfer as reported in the
    following bugzilla entry.

    https://bugzilla.kernel.org/show_bug.cgi?id=15173

    Joseph Chan provided the following fix. I don't have any idea what it
    does but I can verify the issue is gone with the patch applied.

    Signed-off-by: Tejun Heo
    Originally-from: Joseph Chan
    Reported-by: Jorrit Tijben
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 6eae141960763aa91cbcece356d6096d57206921
Author: Tejun Heo
Date:   Tue Jun 1 17:29:21 2010 +0200

    sata_nv: don't diddle with nIEN on mcp55

    commit f3faf8fc3fab45c3526efe8c9e99bb23f8723350 upstream.

    On mcp55, nIEN gets stuck once set and liteon blueray rom iHOS104-08
    violates ATA specification and fails to set I on D2H Reg FIS if nIEN
    is set when the command was issued. When the other party is following
    the spec, both devices can work fine but when the two flaws are put
    together, they can't talk to each other.

    mcp55 has its own IRQ masking mechanism and there's no reason to mess
    with nIEN in the first place. Fix it by dropping nIEN diddling from
    nv_mcp55_freeze/thaw().

    This was originally reported by Cengiz. Although Cengiz hasn't
    verified the fix yet, I could reproduce this problem and verify the
    fix. Even if Cengiz is experiencing different or additional problems,
    this patch is needed.

    Signed-off-by: Tejun Heo
    Reported-by: Cengiz Günay
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 78248878e8df22ee76bd945fc0b3e2ca1dc9f249
Author: Stephane Eranian
Date:   Wed Mar 17 23:21:01 2010 +0200

    perf_events: Fix resource leak in x86 __hw_perf_event_init()

    commit 4b24a88b35e15e04bd8f2c5dda65b5dc8ebca05f upstream.

    If reserve_pmc_hardware() succeeds but reserve_ds_buffers() fails,
    then we need to release_pmc_hardware. It won't be done by the
    destroy() callback because we return before setting it in case of
    error.

    Signed-off-by: Stephane Eranian
    Cc: peterz@infradead.org
    Cc: paulus@samba.org
    Cc: davem@davemloft.net
    Cc: fweisbec@gmail.com
    Cc: robert.richter@amd.com
    Cc: perfmon2-devel@lists.sf.net
    LKML-Reference: <4ba1568b.15185e0a.182a.7802@mx.google.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 896457128ac63394d9841a265627b1fea84a0250
Author: Stefan Richter
Date:   Sun May 30 19:43:52 2010 +0200

    firewire: core: check for 1394a compliant IRM, fix inaccessibility of Sony camcorder

    commit 10389536742cefbedecb67a5b2906f155cf3a1c3 upstream.

    Per IEEE 1394 clause 8.4.2.3, a contender for the IRM role shall check
    whether the current IRM complies to 1394a-2000 or later. If not force
    a compliant node (e.g. itself) to become IRM. This was implemented in
    the older ieee1394 driver but not yet in firewire-core.

    An older Sony camcorder (Sony DCR-TRV25) which implements 1394-1995
    IRM but neither 1394a-2000 IRM nor BM was now found to cause an
    interoperability bug:
      - Camcorder becomes root node when plugged in, hence gets IRM role.
      - firewire-core successfully contends for BM role, proceeds to
        perform gap count optimization and resets the bus.
      - Sony camcorder ignores presence of a BM (against the spec, this is
        a firmware bug), performs its idea of gap count optimization and
        resets the bus.
      - Preceding two steps are repeated endlessly, bus never settles,
        regular I/O is practically impossible.
    http://thread.gmane.org/gmane.linux.kernel.firewire.user/3913

    This is an interoperability regression from the old to the new
    drivers. Fix it indirectly by adding the 1394a IRM check. The spec
    suggests three and a half methods to determine 1394a compliance of a
    remote IRM; we choose the method of testing the
    Config_ROM.Bus_Info.generation field. This is data that firewire-core
    should have readily available at this point, i.e. does not require
    extra I/O.

    Reported-by: Clemens Ladisch (missing 1394a check)
    Reported-by: H. S. (issue with Sony DCR-TRV25)
    Tested-by: H. S.
    Signed-off-by: Stefan Richter
    Signed-off-by: Greg Kroah-Hartman

commit e5973496f73a58dad755e95e0ae5310031612473
Author: Tejun Heo
Date:   Thu Jun 3 11:57:04 2010 +0200

    ahci: add pci quirk for JMB362

    commit 4daedcfe8c6851aa01cc1997220f2577f4039c13 upstream.

    JMB362 is a new variant of jmicron controller which is similar to
    JMB360 but has two SATA ports instead of one. As there is no PATA
    port, single function AHCI mode can be used as in JMB360. Add pci
    quirk for JMB362.

    Signed-off-by: Tejun Heo
    Reported-by: Aries Lee
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit ff46e9ac912b01da5325f47e7ed1c069d2d3aeef
Author: Bob Copeland
Date:   Fri Jun 4 08:14:14 2010 -0400

    ath5k: retain promiscuous setting

    commit 6b5dcccb495b66b3b0b9581cdccfed038e5d68a2 upstream.

    Commit 56d1de0a21db28e41741cfa0a66e18bc8d920554, "ath5k: clean up
    filter flags setting" introduced a regression in monitor mode such
    that the promisc filter flag would get lost.

    Although we set the promisc flag when it changed, we did not preserve
    it across subsequent calls to configure_filter. This patch restores
    the original functionality.

    Bisected-by: weedy2887@gmail.com
    Tested-by: weedy2887@gmail.com
    Tested-by: Rick Farina
    Signed-off-by: Bob Copeland
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 974c45b17ec9837a2eee7d37a42be250ad5b5086
Author: Julia Lawall
Date:   Thu May 27 12:31:51 2010 +0200

    arch/x86/kernel: Add missing spin_unlock

    commit 84fe6c19e4a598e8071e3bd1b2c923454eae1268 upstream.

    Add a spin_unlock missing on the error path. The locks and unlocks
    are balanced in other functions, so it seems that the same should be
    the case here.

    The semantic match that finds this problem is as follows:
    (http://coccinelle.lip6.fr/)

    //
    @@
    expression E1;
    @@

    * spin_lock(E1,...);
      <+... when != E1
      if (...) {
        ... when != E1
    *   return ...;
      }
      ...+>
    * spin_unlock(E1,...);
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit 1f55cdf626c7a0aaa20bba6832352fef6fb1127e
Author: Richard Kennedy
Date:   Thu May 27 10:22:28 2010 +0100

    gconfig: fix build failure on fedora 13

    commit cbab05f041a4cff6ca15856bdd35238b282b64eb upstream.

    Making gconfig fails on fedora 13 as the linker cannot resolve dlsym.
    Adding libdl to the link command fixes this.

    make shows this error :-

    /usr/bin/ld: scripts/kconfig/kconfig_load.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
    /usr/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line
    /lib64/libdl.so.2: could not read symbols: Invalid operation

    tested on x86_64 fedora 13.

    Signed-off-by: Richard Kennedy
    Reviewed-by: WANG Cong
    Signed-off-by: Andrew Morton
    Signed-off-by: Michal Marek
    Signed-off-by: Greg Kroah-Hartman

commit 3a1b0323750fa3189736699afdc1452ba3325dae
Author: Paul Mundt
Date:   Wed Jun 2 17:10:44 2010 +0900

    clocksource: sh_cmt: compute mult and shift before registration

    commit f4d7c3565c1692c54d9152b52090fe73f0029e37 upstream.

    Based on the sh_tmu change in 66f49121ffa41a19c59965b31b046d8368fec3c7
    ("clocksource: sh_tmu: compute mult and shift before registration").

    The same issues impact the sh_cmt driver, so we take the same
    approach here.

    Signed-off-by: Paul Mundt
    Signed-off-by: Greg Kroah-Hartman

commit 9fd38047c3d6da1fa9c22281dde730f8d124036d
Author: Aurelien Jarno
Date:   Mon May 31 21:45:48 2010 +0000

    clocksource: sh_tmu: compute mult and shift before registration

    commit 66f49121ffa41a19c59965b31b046d8368fec3c7 upstream.

    Since commit 98962465ed9e6ea99c38e0af63fe1dcb5a79dc25 ("nohz: Prevent
    clocksource wrapping during idle"), the CPU of an R2D board never
    goes to idle. This commit assumes that mult and shift are assigned
    before the clocksource is registered.
    As a consequence the safe maximum sleep time is negative and the CPU
    never goes into idle.

    This patch fixes the problem by moving mult and shift initialization
    from sh_tmu_clocksource_enable() to sh_tmu_register_clocksource().

    Signed-off-by: Aurelien Jarno
    Signed-off-by: Paul Mundt
    Signed-off-by: Greg Kroah-Hartman

commit abbce17d4ad49244b027158d6b46fffa5c8b6c82
Author: Martin Homuth-Rosemann
Date:   Mon May 31 22:33:04 2010 +0200

    Staging: comedi - correct parameter gainlkup for DAQCard-6024E in driver ni_mio_cs.c

    commit ebe8622342f12bed387f7de4b5fb7c52005ccb29 upstream.

    Correct at least one of the incorrect specs for a national instrument
    data acquisition card DAQCard-6024E. This card has only four
    different gain settings (+-10V, +-5V, +-0.5V, +-0.05V).

    Signed-off-by: Martin Homuth-Rosemann
    Signed-off-by: Greg Kroah-Hartman

commit 0ed91181a4d526c27ee3242e50babeb0e686727d
Author: Daniel T Chen
Date:   Sun May 30 13:08:41 2010 -0400

    ALSA: hda: Use LPIB for ASUS M2V

    commit 9f75c1b12c5ef392ddcea575b13560842c28b1b3 upstream.

    BugLink: https://launchpad.net/bugs/587546

    Symptom: On the reporter's ASUS M2V, using PulseAudio in Ubuntu 10.04
    LTS results in the PA daemon crashing shortly after attempting
    playback of an audio file.

    Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or
    Linux 2.6.34, attempt playback of an audio file while PulseAudio is
    active.

    Resolution: add SSID for this machine to the position_fix quirk
    table, explicitly specifying the LPIB method.

    Reported-and-Tested-By: D Tangman
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit d91bcac73355d01865899a44ae06026ac8364656
Author: Daniel T Chen
Date:   Sun May 30 19:31:41 2010 -0400

    ALSA: hda: Use LPIB for another mainboard

    commit b90c076424da8166797bdc34187660fd0124f530 upstream.

    BugLink: https://launchpad.net/bugs/580749

    Symptom: on the original reporter's VIA VT1708-based board, the
    PulseAudio daemon dies shortly after the user attempts to play an
    audio file.

    Test case: boot from Ubuntu 10.04 LTS live cd; attempt to play an
    audio file.

    Resolution: add SSID for the original reporter's hardware to the
    position_fix quirk table, explicitly specifying the LPIB method.

    Reported-and-Tested-By: Harald
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit b0973e3247e8a556f94dbf94df4061f4da98a2c2
Author: Daniel T Chen
Date:   Sun May 30 09:55:23 2010 -0400

    ALSA: hda: Use mb31 quirk for an iMac model

    commit 26fd74fc01991a18f0e3bd54f8b1b75945ee3dbb upstream.

    BugLink: https://launchpad.net/bugs/542550

    Symptom: On the reporter's iMac, in Ubuntu 10.04 LTS neither playback
    nor capture appear audible out-of-the-box.

    Test case: Boot from an Ubuntu 10.04 LTS live cd or from an installed
    configuration and attempt to play or capture audio.

    Resolution: Specify the mb31 quirk for this machine in the codec SSID
    table.

    Reported-and-Tested-By: f3a97
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit bd0d12e4df6840300b377ed24cb394019ee74f66
Author: Daniel T Chen
Date:   Sun May 30 01:17:03 2010 -0400

    ALSA: hda: Use LPIB for an ASUS device

    commit dd37f8e8659bc617c3f2a84e007a4824ccdac458 upstream.

    BugLink: https://launchpad.net/bugs/465942

    Symptom: On the reporter's ASUS device, using PulseAudio in Ubuntu
    10.04 LTS results in the PA daemon crashing shortly after attempting
    to select capture or to configure the audio hardware profile.

    Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or
    Linux 2.6.34, adjust the HDA device's capture volume with PulseAudio.

    Resolution: add SSID for this machine to the position_fix quirk
    table, explicitly specifying the LPIB method.

    Reported-and-Tested-By: Irihapeti
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 7fad76121d3b081e658a7616ea79650ca943a984
Author: Ian Campbell
Date:   Tue May 25 10:45:35 2010 +0100

    xen: avoid allocation causing potential swap activity on the resume path

    commit b3831cb55d383e8eb55d3b56c715fb48459b87c9 upstream.

    Since the device we are resuming could be the device containing the
    swap device we should ensure that the allocation cannot cause IO.

    On resume, this path is triggered when the running system tries to
    continue using its devices. If it cannot then the resume will fail;
    to try to avoid this we let it dip into the emergency pools.

    The majority of these changes were made when linux-2.6.18-xen.hg
    changeset e8b49cfbdac0 was ported upstream in
    a144ff09bc52ef3f3684ed23eadc9c7c0e57b3aa but somehow this hunk was
    dropped.

    Signed-off-by: Ian Campbell
    Acked-by: Jeremy Fitzhardinge
    Signed-off-by: Greg Kroah-Hartman

commit 11c8bbaaa1a47d0362d1156db2d916c39d46780c
Author: Ian Campbell
Date:   Wed May 19 16:19:25 2010 +0100

    xen: ensure timer tick is resumed even on CPU driving the resume

    commit cd52e17ea8278f8449b6174a8e5ed439a2e44ffb upstream.

    The core suspend/resume code is run from stop_machine on CPU0 but
    parts of the suspend/resume machinery (including xen_arch_resume) are
    run on whichever CPU happened to schedule the xenwatch kernel thread.

    As part of the non-core resume code xen_arch_resume is called in
    order to restart the timer tick on non-boot processors. The boot
    processor itself is taken care of by core timekeeping code.

    xen_arch_resume uses smp_call_function which does not call the given
    function on the current processor. This means that we can end up with
    one CPU not receiving timer ticks if the xenwatch thread happened to
    be scheduled on CPU > 0.

    Use on_each_cpu instead of smp_call_function to ensure the timer tick
    is resumed everywhere.

    Signed-off-by: Ian Campbell
    Acked-by: Jeremy Fitzhardinge
    Signed-off-by: Greg Kroah-Hartman

commit 6fef5c9ad77749e70e1b44373e85ab980dc38f10
Author: Gabor Gombas
Date:   Mon May 24 12:13:18 2010 -0700

    x86, setup: Phoenix BIOS fixup is needed on Dell Inspiron Mini 1012

    commit 3d6e77a3ddb8e4156b89f4273ff8c7d37abaf781 upstream.

    The low-memory corruption checker triggers during suspend/resume, so
    we need to reserve the low 64k. Don't be fooled that the BIOS
    identifies itself as "Dell Inc.", it's still Phoenix BIOS.

    [ hpa: I think we blacklist almost every BIOS in existence. We should
      either change this to a whitelist or just make it unconditional. ]

    Signed-off-by: Gabor Gombas
    LKML-Reference: <201005241913.o4OJDIMM010877@imap1.linux-foundation.org>
    Signed-off-by: Andrew Morton
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 2fa19889cbeec82bbcca4eb914155a50e6643e23
Author: Jiri Kosina
Date:   Wed May 26 14:43:53 2010 -0700

    ipmi: handle run_to_completion properly in deliver_recv_msg()

    commit a747c5abc329611220f16df0bb4cf0ca4a7fdf0c upstream.

    If run_to_completion flag is set, it means that we are running in a
    single-threaded mode, and thus no locks are held.

    This fixes a deadlock when IPMI notifier is being called during panic.

    Signed-off-by: Jiri Kosina
    Acked-by: Corey Minyard
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 139c793b0c742110966f2dbfd4a8677c3bf48a49
Author: Jeff Moyer
Date:   Wed May 26 11:49:40 2010 -0400

    do_generic_file_read: clear page errors when issuing a fresh read of the page

    commit 91803b499cca2fe558abad709ce83dc896b80950 upstream.

    I/O errors can happen due to temporary failures, like multipath
    errors or losing network contact with the iSCSI server. Because of
    that, the VM will retry readpage on the page. However,
    do_generic_file_read does not clear PG_error.
    This causes the system to be unable to actually use the data in the
    page cache page, even if the subsequent readpage completes
    successfully!

    The function filemap_fault has had a ClearPageError before readpage
    forever. This patch simply adds the same to do_generic_file_read.

    Signed-off-by: Jeff Moyer
    Signed-off-by: Rik van Riel
    Acked-by: Larry Woodman
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0e4ce79e3cbb6140fd8fe338a1ebdc355833b58e
Author: Oleg Nesterov
Date:   Wed May 26 14:42:54 2010 -0700

    signals: check_kill_permission(): don't check creds if same_thread_group()

    commit 065add3941bdca54fe04ed3471a96bce9af88793 upstream.

    Andrew Tridgell reports that aio_read(SIGEV_SIGNAL) can fail if the
    notification from the helper thread races with setresuid(), see
    http://samba.org/~tridge/junkcode/aio_uid.c

    This happens because check_kill_permission() doesn't permit sending a
    signal to the task with the different cred->xids. But there is not
    any security reason to check ->cred's when the task sends a signal
    (private or group-wide) to its sub-thread. Whatever we do, any thread
    can bypass all security checks and send SIGKILL to all threads, or it
    can block a signal SIG and do kill(gettid(), SIG) to deliver this
    signal to another sub-thread. Not to mention that CLONE_THREAD
    implies CLONE_VM.

    Change check_kill_permission() to avoid the credentials check when
    the sender and the target are from the same thread group.

    Also, move "cred = current_cred()" down to avoid calling
    get_current() twice.

    Note: David Howells pointed out we could relax this even more, the
    CLONE_SIGHAND (without CLONE_THREAD) case probably does not need
    these checks too.

    Roland said:

    : The glibc (libpthread) that does set*id across threads has
    : been in use for a while (2.3.4?), probably in distro's using kernels as old
    : or older than any active -stable streams. In the race in question, this
    : kernel bug is breaking valid POSIX application expectations.

    Reported-by: Andrew Tridgell
    Signed-off-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Acked-by: David Howells
    Cc: Eric Paris
    Cc: Jakub Jelinek
    Cc: James Morris
    Cc: Roland McGrath
    Cc: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 91fe12f532fc6687218f4861f0ac7b7ded419383
Author: Ira W. Snyder
Date:   Thu May 27 19:59:02 2010 +0200

    hwmon: (ltc4245) Read only one GPIO pin

    commit df16dd53c575d0cb9dbee20a3149927c862a9ff6 upstream.

    Read only one of the GPIO pins as an analog voltage. The ADC can be
    switched to a different GPIO pin at runtime, but this is not
    supported.

    Previously, this driver would report the analog voltage of the
    currently selected GPIO pin as all three GPIO voltages: in9_input,
    in10_input and in11_input.

    Signed-off-by: Ira W. Snyder
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit f417b91c30e84e759d395f45d524eeee95250822
Author: Dave Airlie
Date:   Sat May 29 06:50:37 2010 +1000

    drm/radeon: fix the r100/r200 ums block 0 page fix

    commit cf22f20ade30f8c03955324aaf27b1049e182600 upstream.

    airlied -> brown paper bag.

    I blame Hi-5 or the Wiggles for lowering my IQ, move the fix inside
    some brackets instead of breaking everything in sight.

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 1a0c0aa4945dfa8ac3adc2818e166b40eb5dc346
Author: Dave Airlie
Date:   Wed Feb 24 17:17:13 2010 +1000

    drm/radeon: r100/r200 ums: block ability for userspace app to trash 0 page and beyond

    commit 566d84d172161cb6c0c4dd834c34abbac6bf7b38 upstream.

    radeon's have a special ability to passthrough writes in their
    internal memory space directly to PCI, this ability means that if
    some of the internal surfaces like the depth buffer point at 0x0, any
    writes to these will go directly to RAM at 0x0 via PCI busmastering.

    Now mesa used to always emit clears after emitting state, since the radeon mesa driver was refactored a year or more ago, it was found it could generate a clear request without ever sending any setup state to the card. So the clear would attempt to clear the depth buffer at 0x0, which would overwrite main memory at this point. fs corruption ensues.

    Also once one app did this correctly, it would never get set back to 0 making this messy to reproduce.

    The kernel should block this from happening as mesa runs without privs, though it does require the user be connected to the current running X session.

    This patch implements a check to make sure the depth offset has been set before a depth clear occurs and if it finds one it prints a warning and ignores the depth clear request. There is also a mesa fix to avoid sending the badness going into mesa.

    This only affects r100/r200 GPUs in user modesetting mode.

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 1fe767793d2a19f6852153987ae49a2ac6412a69
Author: Mark Brown
Date:   Tue May 25 10:49:00 2010 -0700

    ASoC: Fix dB scales for WM8990

    commit f68596c6d8711650722b2a54328a088a2c21bc5b upstream.

    These should be regular, not linear.

    Signed-off-by: Mark Brown
    Acked-by: Liam Girdwood
    Signed-off-by: Greg Kroah-Hartman

commit 164d4163ba38c3f5fc1ff59cf3583b5ec90dd341
Author: Mark Brown
Date:   Tue May 25 10:48:31 2010 -0700

    ASoC: Fix dB scales for WM8400

    commit 3351e9fbb0fda6498ee149ee88c67f5849813c57 upstream.

    These scales should be regular, not linear.

    Signed-off-by: Mark Brown
    Acked-by: Liam Girdwood
    Signed-off-by: Greg Kroah-Hartman

commit 4fd6a1a66f32e54cf512bbbc7383e7dc17fb063b
Author: Mark Brown
Date:   Tue May 25 10:46:05 2010 -0700

    ASoC: Fix dB scales for WM835x

    commit e6a08c5a8990102bcd1f4bae84b668da6c23caa9 upstream.

    These should be regular rather than linear scales.

    Signed-off-by: Mark Brown
    Acked-by: Liam Girdwood
    Signed-off-by: Greg Kroah-Hartman

commit d46c28a06b47ff25e4a709f61530d11d9d868d5c
Author: Russell King
Date:   Thu May 27 08:23:29 2010 +0100

    ARM: VFP: Fix vfp_put_double() for d16-d31

    commit 138de1c44a8e0606501cd8593407e9248e84f1b7 upstream.

    vfp_put_double() takes the double value in r0,r1 not r1,r2.

    Reported-by: Tarun Kanti DebBarma
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit e76c180c01dfe6cc219b31860205d2d8873c3788
Author: Linus Walleij
Date:   Wed May 26 07:37:57 2010 +0100

    ARM: 6144/1: TCM memory bug freeing bug

    commit ea208f646c8fb91c39c852e952fc911e1ad045ab upstream.

    This fixes a bug in mm/init.c when freeing the TCM compile memory, this was being referred to as a char * which is incorrect: this will dereference the pointer and feed in the value at the location instead of the address to it. Change it to a plain char and use &(char) to reference it.

    Signed-off-by: Linus Walleij
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 82ff48a2ec25dfe6a937928b77bf82dbf44203b4
Author: Marek Vašut
Date:   Wed May 26 23:53:09 2010 +0100

    ARM: 6146/1: sa1111: Prevent deadlock in resume path

    commit 3defb2476166445982a90c12d33f8947e75476c4 upstream.

    This patch reorganises the sa1111_resume() function in a manner the spinlock happens after calling the sa1111_wake(). This fixes two bugs:

    1) This function called sa1111_wake() which tried to claim the same spinlock the sa1111_resume() already claimed. This would result in certain deadlock.

       Original idea for this part: Russell King

    2) The function didn't unlock the spinlock in case the chip didn't report correct ID.

       Original idea for this part: Julia Lawall

    Signed-off-by: Marek Vasut
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit ee6a92f8125362d1b40485c5c268423932630a1f
Author: Khem Raj
Date:   Fri Jun 4 04:05:15 2010 +0100

    ARM: 6164/1: Add kto and kfrom to input operands list.

    commit 9a40ac86152c9cffd3dca482a15ddf9a8c5716b3 upstream.

    When functions incoming parameters are not in input operands list gcc 4.5 does not load the parameters into registers before calling this function but the inline assembly assumes valid addresses inside this function. This breaks the code because r0 and r1 are invalid when execution enters v4wb_copy_user_page ()

    Also the constant needs to be used as third input operand so account for that as well.

    Tested on qemu arm.

    Signed-off-by: Khem Raj
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 339d1b8036cb8c09e5bf6d663ff26057ede422c9
Author: Anfei
Date:   Tue Jun 8 15:16:49 2010 +0100

    ARM: 6166/1: Proper prefetch abort handling on pre-ARMv6

    commit 5e27fb78df95e027723af2c90ecc9b4527ae59e9 upstream.

    Instruction faults on pre-ARMv6 CPUs are interpreted as a 'translation fault', but do_translation_fault doesn't handle well if user mode trying to run instruction above TASK_SIZE, and result in the infinite retry of that instruction.

    Signed-off-by: Anfei Zhou
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit e90c870c15924880cb9b810413d2605134d4e8c6
Author: Sebastien Dugue
Date:   Thu May 20 15:58:22 2010 -0700

    mlx4_core: Fix possible chunk sg list overflow in mlx4_alloc_icm()

    commit c0dc72bad9cf21071f5e4005de46f7c8b67a138a upstream.

    If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN, we must set chunk to NULL even for coherent mappings so that the next time through the loop will allocate another chunk. Otherwise we'll overflow the sg list the next time through the loop. This will lead to memory corruption if this case is hit.

    mthca does not have this bug.

    Signed-off-by: Sebastien Dugue
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman

commit e50e2441a3bde4de4dfa4701c1c2b570187b9401
Author: NeilBrown
Date:   Wed Apr 14 17:15:37 2010 +1000

    md: manage redundancy group in sysfs when changing level.

    commit a64c876fd357906a1f7193723866562ad290654c upstream.

    Some levels expect the 'redundancy group' to be present, others don't. So when we change level of an array we might need to add or remove this group.

    This requires fixing up the current practice of overloading ->private to indicate (when ->pers == NULL) that something needs to be removed. So create a new ->to_remove to fill that role.

    When changing levels, we may need to add or remove attributes. When changing RAID5 -> RAID6, we both add and remove the same thing. It is important to catch this and optimise it out as the removal is delayed until a lock is released, so trying to add immediately would cause problems.

    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 130a7957e085172019fc39cdff973a3224d49f0d
Author: KOSAKI Motohiro
Date:   Mon May 24 14:31:48 2010 -0700

    tmpfs: insert tmpfs cache pages to inactive list at first

    commit e9d6c157385e4efa61cb8293e425c9d8beba70d3 upstream.

    Shaohua Li reported parallel file copy on tmpfs can lead to OOM killer. This is regression of caused by commit 9ff473b9a7 ("vmscan: evict streaming IO first"). Wow, It is 2 years old patch!

    Currently, tmpfs file cache is inserted active list at first. This means that the insertion doesn't only increase numbers of pages in anon LRU, but it also reduces anon scanning ratio. Therefore, vmscan will get totally confused. It scans almost only file LRU even though the system has plenty unused tmpfs pages.

    Historically, lru_cache_add_active_anon() was used for two reasons.
    1) Intend to prioritize shmem page rather than regular file cache.
    2) Intend to avoid reclaim priority inversion of used once pages.

    But we've lost both motivation because
    (1) Now we have separate anon and file LRU list. then, to insert active list doesn't help such prioritize.
    (2) In past, one pte access bit will cause page activation. then to insert inactive list with pte access bit mean higher priority than to insert active list. Its priority inversion may lead to unintended lru churn. but it was already solved by commit 645747462 (vmscan: detect mapped file pages used only once). (Thanks Hannes, you are great!)

    Thus, now we can use lru_cache_add_anon() instead.

    Signed-off-by: KOSAKI Motohiro
    Reported-by: Shaohua Li
    Reviewed-by: Wu Fengguang
    Reviewed-by: Johannes Weiner
    Reviewed-by: Rik van Riel
    Reviewed-by: Minchan Kim
    Acked-by: Hugh Dickins
    Cc: Henrique de Moraes Holschuh
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f52fe692bb5c5c87a0c6116a09ee34dff52ea163
Author: FUJITA Tomonori
Date:   Wed May 19 23:21:38 2010 -0400

    Blackfin: set ARCH_KMALLOC_MINALIGN

    commit 76b99699a2bbf9efdb578f9a38a202af2ecb354b upstream.

    Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others.

    Signed-off-by: FUJITA Tomonori
    Acked-by: Pekka Enberg
    Signed-off-by: Mike Frysinger
    Signed-off-by: Greg Kroah-Hartman

commit 3106d98939132a918f434b5ac6017c0e82bbe936
Author: FUJITA Tomonori
Date:   Mon May 24 14:31:45 2010 -0700

    xtensa: set ARCH_KMALLOC_MINALIGN

    commit 498900fc9cd1adbad1ba6b55ed9d8f2f5d655ca3 upstream.

    Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others.

    Signed-off-by: FUJITA Tomonori
    Cc: Chris Zankel
    Acked-by: Pekka Enberg
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit d5e221616c013c7d2b2205c5febcf17b149fba8b
Author: FUJITA Tomonori
Date:   Mon May 24 14:32:54 2010 -0700

    frv: set ARCH_KMALLOC_MINALIGN

    commit 69dcf3db03626c4f18de624e8632454ea12ff260 upstream.

    Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others.

    Signed-off-by: FUJITA Tomonori
    Acked-by: David Howells
    Acked-by: Pekka Enberg
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit c6ce79a12ca1f207fa485f0ad535e21338dc9c6d
Author: Maurus Cuelenaere
Date:   Fri Jun 4 14:14:44 2010 -0700

    rtc: s3c: initialize driver data before using it

    commit e893de59a4982791368b3ce412bc67dd601a88a0 upstream.

    s3c_rtc_setfreq() uses the platform driver data to derive struct rtc_device, so make sure drvdata is set _before_ s3c_rtc_setfreq() is called.

    Signed-off-by: Maurus Cuelenaere
    Cc: Paul Gortmaker
    Cc: Alessandro Zummo
    Cc: Maurus Cuelenaere
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit b21fd1baa423415ee806fee4cdfe473c020522d4
Author: Dan Carpenter
Date:   Mon May 24 14:33:49 2010 -0700

    rtc-cmos: do dev_set_drvdata() earlier in the initialization

    commit 6ba8bcd457d9fc793ac9435aa2e4138f571d4ec5 upstream.

    The bug is an oops when dev_get_drvdata() returned null in cmos_update_irq_enable(). The call tree looks like this:

      rtc_dev_ioctl()
        => rtc_update_irq_enable()
          => cmos_update_irq_enable()

    It's caused by a race condition in the module initialization. It is rtc_device_register() which makes the ioctl operations live so I moved the call to dev_set_drvdata() before the call to rtc_device_register().

    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=15963

    Reported-by: Randy Dunlap
    Signed-off-by: Dan Carpenter
    Tested-by: Randy Dunlap
    Cc: Alessandro Zummo
    Cc: Paul Gortmaker
    Cc: Malte Schroder
    Cc: Ralf Baechle
    Cc: Herton Ronaldo Krzesinski
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit cd2a3526aaf029ee3eb384a23f3645c6f7f74adc
Author: FUJITA Tomonori
Date:   Sun May 23 19:38:14 2010 +0200

    m68k: set ARCH_KMALLOC_MINALIGN

    commit dd6c26a66bdc629a500174ffe73b010b070b9f1b upstream.

    Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others.

    Signed-off-by: FUJITA Tomonori
    Cc: Geert Uytterhoeven
    Cc: Roman Zippel
    Acked-by: Pekka Enberg
    Signed-off-by: Andrew Morton
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Greg Kroah-Hartman

commit 0c65e9af67155e32113e8978f3d22565d2660ad3
Author: FUJITA Tomonori
Date:   Mon May 24 14:32:58 2010 -0700

    mn10300: set ARCH_KMALLOC_MINALIGN

    commit 6cdafaae41d52e6ef9a5c5be23602ef083e4d0f9 upstream.

    Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others.

    Signed-off-by: FUJITA Tomonori
    Acked-by: David Howells
    Cc: Koichi Yasutake
    Acked-by: Pekka Enberg
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e5c2181d15e358a0927edd545cb3f37b7ff8ca06
Author: Dan Carpenter
Date:   Fri May 7 11:05:33 2010 +0200

    exofs: confusion between kmap() and kmap_atomic() api

    commit ddf08f4b90a413892bbb9bb2e8a57aed991cd47d upstream.

    For kmap_atomic() we call kunmap_atomic() on the returned pointer. That's different from kmap() and kunmap() and so it's easy to get them backwards.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Boaz Harrosh
    Signed-off-by: Greg Kroah-Hartman

commit 0ac5ad9b26e8879728141ad76b56a8b9cc72cd98
Author: Joerg Roedel
Date:   Mon May 31 15:05:20 2010 +0200

    x86/amd-iommu: Fall back to GART if initialization fails

    commit d7f0776975334070a93370ae048fda0c31a91c38 upstream.

    This patch implements a fallback to the GART IOMMU if this is possible and the AMD IOMMU initialization failed. Otherwise the fallback would be nommu which is very problematic on machines with more than 4GB of memory or swiotlb which hurts io-performance.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit 77b0b9457672d4cb8a3a5e32438737dd2b8bad79
Author: Joerg Roedel
Date:   Fri May 28 14:26:48 2010 +0200

    x86/amd-iommu: Fix crash when request_mem_region fails

    commit e82752d8b5a7e0a5e4d607fd8713549e2a4e2741 upstream.

    When request_mem_region fails the error path tries to disable the IOMMUs. This accesses the mmio-region which was not allocated leading to a kernel crash. This patch fixes the issue.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit 86f7d72920206f3d94af90ff65e7ed32552e41fe
Author: Dan Williams
Date:   Wed May 12 08:25:37 2010 +1000

    md: set mddev readonly flag on blkdev BLKROSET ioctl

    commit e2218350465e7e0931676b4849b594c978437bce upstream.

    When the user sets the block device to readwrite then the mddev should follow suit. Otherwise, the BUG_ON in md_write_start() will be set to trigger.

    The reverse direction, setting mddev->ro to match a set readonly request, can be ignored because the blkdev level readonly flag precludes the need to have mddev->ro set correctly. Nevermind the fact that setting mddev->ro to 1 may fail if the array is in use.

    Signed-off-by: Dan Williams
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 8e94bc5e7fda8d155462242d83ead72aa15fee8c
Author: NeilBrown
Date:   Thu Apr 15 10:13:47 2010 +1000

    md: remove unneeded sysfs files more promptly

    commit b6eb127d274385d81ce8dd45c98190f097bce1b4 upstream.

    When an array is stopped we need to remove some sysfs files which are dependent on the type of array.

    We need to delay that deletion as deleting them while holding reconfig_mutex can lead to deadlocks.

    We currently delay them until the array is completely destroyed. However it is possible to deactivate and then reactivate the array. It is also possible to need to remove sysfs files when changing level, which can potentially happen several times before an array is destroyed.

    So we need to delete these files more promptly: as soon as reconfig_mutex is dropped.

    We need to ensure this happens before do_md_run can restart the array, so we use open_mutex for some extra locking. This is not deadlock prone.

    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 082aa2fd54a4482d2d59e375ce28dbef9b485bee
Author: NeilBrown
Date:   Mon May 17 11:27:00 2010 +1000

    md/linear: avoid possible oops and array stop

    commit ef2f80ff7325b2c1888ff02ead28957b5840bf51 upstream.

    Since commit ef286f6fa673cd7fb367e1b145069d8dbfcc6081 it has been important that each personality clears ->private in the ->stop() function, or sets it to an attribute group to be removed. linear.c doesn't. This can sometimes lead to an oops, though it doesn't always.

    Suitable for 2.6.33-stable and 2.6.34.

    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit fcab0185eddfe15e4bd7f484db0d4441186a7b01
Author: NeilBrown
Date:   Sat May 8 08:20:17 2010 +1000

    md: Fix read balancing in RAID1 and RAID10 on drives > 2TB

    commit af3a2cd6b8a479345786e7fe5e199ad2f6240e56 upstream.

    read_balance uses a "unsigned long" for a sector number which will get truncated beyond 2TB. This will cause read-balancing to be non-optimal, and can cause data to be read from the 'wrong' branch during a resync. This has a very small chance of returning wrong data.

    Reported-by: Jordan Russell
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 574f89ba4649de169c49028f8fc01681a51bf459
Author: NeilBrown
Date:   Tue May 18 15:27:13 2010 +1000

    md/raid1: fix counting of write targets.

    commit 964147d5c86d63be79b442c30f3783d49860c078 upstream.

    There is a very small race window when writing to a RAID1 such that if a device is marked faulty at exactly the wrong time, the write-in-progress will not be sent to the device, but the bitmap (if present) will be updated to say that the write was sent.

    Then if the device turned out to still be usable and was re-added to the array, the bitmap-based-resync would skip resyncing that block, possibly leading to corruption. This would only be a problem if no further writes were issued to that area of the device (i.e. that bitmap chunk).

    Suitable for any pending -stable kernel.

    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 904a6bd7f451ad9b2cb75ad8e2128ef0418113dc
Author: Jens Axboe
Date:   Mon May 17 12:51:03 2010 +0200

    writeback: disable periodic old data writeback for !dirty_writeback_centisecs

    commit 69b62d01ec44fe0d505d89917392347732135a4d upstream.

    Prior to 2.6.32, setting /proc/sys/vm/dirty_writeback_centisecs disabled periodic dirty writeback from kupdate. This got broken and now causes excessive sys CPU usage if set to zero, as we'll keep beating on schedule().

    Reported-by: Justin Maggard
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 58e1a2bbd35a5bc67da56b4da8fab4346e75a3d0
Author: Denis Kirjanov
Date:   Tue Jun 1 15:43:34 2010 -0400

    powerpc/oprofile: fix potential buffer overrun in op_model_cell.c

    commit 238c1a78c957f3dc7cb848b161dcf4805793ed56 upstream.

    Fix potential initial_lfsr buffer overrun. Writing past the end of the buffer could happen when index == ENTRIES

    Signed-off-by: Denis Kirjanov
    Signed-off-by: Robert Richter
    Signed-off-by: Greg Kroah-Hartman

commit 657b225f2554228b8344c6ec7219f700228733d1
Author: Michael Neuling
Date:   Wed Apr 28 13:39:41 2010 +0000

    powerpc/pseries: Make query_cpu_stopped callable outside hotplug cpu

    commit f8b67691828321f5c85bb853283aa101ae673130 upstream.

    This moves query_cpu_stopped() out of the hotplug cpu code and into smp.c so it can be called in other places and renames it to smp_query_cpu_stopped().

    It also cleans up the return values by adding some #defines

    Signed-off-by: Michael Neuling
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit f296ca149160391e4b6ed4ec3be030984d666de6
Author: Michael Neuling
Date:   Wed Apr 28 13:39:41 2010 +0000

    powerpc/pseries: Only call start-cpu when a CPU is stopped

    commit aef40e87d866355ffd279ab21021de733242d0d5 upstream.

    Currently we always call start-cpu irrespective of if the CPU is stopped or not. Unfortunately on POWER7, firmware seems to not like start-cpu being called when a cpu has already been started. This was not the case on POWER6 and earlier.

    This patch checks to see if the CPU is stopped or not via an query-cpu-stopped-state call, and only calls start-cpu on CPUs which are stopped.

    This fixes a bug with kexec on POWER7 on PHYP where only the primary thread would make it to the second kernel.

    Reported-by: Ankita Garg
    Signed-off-by: Michael Neuling
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 59bc0ab7a724a9af69bc226283ec0d81ff815257
Author: Jeff Mahoney
Date:   Wed Mar 17 10:55:51 2010 +0000

    powerpc: Fix handling of strncmp with zero len

    commit 637a99022fb119b90fb281715d13172f0394fc12 upstream.

    Commit 0119536c, which added the assembly version of strncmp to powerpc, mentions that it adds two instructions to the version from boot/string.S to allow it to handle len=0. Unfortunately, it doesn't always return 0 when that is the case. The length is passed in r5, but the return value is passed back in r3. In certain cases, this will happen to work. Otherwise it will pass back the address of the first string as the return value.

    This patch lifts the len <= 0 handling code from memcpy to handle that case.

    Reported by: Christian_Sellars@symantec.com
    Signed-off-by: Jeff Mahoney
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 7840726875499c2e4b195776f2a0090935d33f39
Author: Alex Deucher
Date:   Tue May 18 00:23:15 2010 -0400

    drm/radeon/kms/atom: fix typo in LVDS panel info parsing

    commit 1ff26a3604d0292988d4cade0e49ba9918dbfd46 upstream.

    Fixes LVDS issues on some laptops; notably laptops with 2048x1536 panels.

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 66ff9ff4525f96b24867f734d99950b5d654f76b
Author: Alex Deucher
Date:   Tue May 18 19:26:46 2010 -0400

    drm/radeon/kms: reset ddc_bus in object header parsing

    commit 2bfcc0fc698d550689ef020c73b2d977b73e728c upstream.

    Some LVDS connectors don't have a ddc bus, so reset the ddc bus to invalid before parsing the next connector to avoid using stale ddc bus data. Should fix fdo bug 28164.

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 6cd696f116dc7cefc0b13765e9c7f58a8e19558b
Author: Adam Jackson
Date:   Thu May 13 14:55:28 2010 -0400

    drm/edid: Fix 1024x768@85Hz

    commit 61dd98fad58f945ed720ba132681acb58fcee015 upstream.

    Having hsync both start and end on pixel 1072 ain't gonna work very well. Matches the X server's list.

    Signed-off-by: Adam Jackson
    Tested-By: Michael Tokarev
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 31d190ca88372b44602743fc5588fed56842de1f
Author: Ben Hutchings
Date:   Sun May 16 02:28:49 2010 +0100

    PCI: Disable MSI for MCP55 on P5N32-E SLI

    commit e4146bb9088c01c8b6e82be11f0c371f8aff023c upstream.

    As reported in , MSI appears to be broken for this on-board device. We already have a quirk for the P5N32-SLI Premium; extend it to cover both variants of the board.

    Reported-by: Romain DEGEZ
    Signed-off-by: Ben Hutchings
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 7198b2665b6fb401ee8b6758dc5ea9fa092821ff
Author: Alex Deucher
Date:   Tue May 18 10:42:53 2010 -0400

    PCI quirks: disable msi on AMD rs4xx internal gfx bridges

    commit 9313ff450400e6a2ab10fe6b9bdb12a828329410 upstream.

    Doesn't work reliably for internal gfx. Fixes kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=15626.

    Signed-off-by: Alex Deucher
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit e58a09a594492db2dffb2aecc26d0d4c7a169ade
Author: Matthew Wilcox
Date:   Wed Mar 24 07:11:01 2010 -0600

    PCI quirk: Disable MSI on VIA K8T890 systems

    commit 134b345081534235dbf228b1005c14590e0570ba upstream.

    Bugzilla 15287 indicates that there's a problem with Message Signalled Interrupts on VIA K8T890 systems. Add a quirk to disable MSI on these systems.

    Signed-off-by: Matthew Wilcox
    Tested-by: Jan Kreuzer
    Tested-by: lh
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 6bf0eb89c2aa017d5b9d5a859e53cf9c39fd92c3
Author: Oliver Hartkopp
Date:   Tue May 18 14:03:10 2010 -0700

    can: Fix SJA1000 command register writes on SMP systems

    commit 57c8a456640fa3ca777652f11f2db4179a3e66b6 upstream.

    The SJA1000 command register is concurrently written in the rx-path to free the receive buffer _and_ in the tx-path to start the transmission.

    The SJA1000 data sheet, 6.4.4 COMMAND REGISTER (CMR) states:

    "Between two commands at least one internal clock cycle is needed in order to proceed. The internal clock is half of the external oscillator frequency."

    On SMP systems the current implementation leads to a write stall in the tx-path, which can be solved by adding some general locking and some time to settle the write_reg() operation for the command register.

    Thanks to Klaus Hitschler for the original fix and detailed problem description.

    This patch applies on net-2.6 and (with some offsets) on net-next-2.6 .

    Signed-off-by: Oliver Hartkopp
    Acked-by: Wolfgang Grandegger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 753a8491d6ccd145632d74e690391b0be3edd76b
Author: Jan Beulich
Date:   Tue Apr 27 14:01:20 2010 -0700

    drivers/base/cpu.c: fix the output from /sys/devices/system/cpu/offline

    commit cdc6e3d3968052cebb2f2ddcd742bff29fbd1a90 upstream.

    Without CONFIG_CPUMASK_OFFSTACK, simply inverting cpu_online_mask leads to CPUs beyond nr_cpu_ids to be displayed twice and CPUs not even possible to be displayed as offline.

    Signed-off-by: Jan Beulich
    Cc: Andi Kleen
    Cc: Stephen Rothwell
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit b2d17f0dfb4b4f6e961823b45e18442851304760
Author: Chris Wilson
Date:   Thu May 27 13:18:21 2010 +0100

    drm/i915: Reject bind_to_gtt() early if object > aperture

    commit 654fc6073f68efa3b6c466825749e73e7fbb92cd upstream.

    If the object is bigger than the entire aperture, reject it early before evicting everything in a vain attempt to find space.

    v2: Use E2BIG as suggested by Owain G. Ainsworth.

    Signed-off-by: Chris Wilson
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit ecd352f07d6321ef166c08ddf050751836b4f4f4
Author: Adam Jackson
Date:   Thu Apr 15 14:03:30 2010 -0400

    drm/i915: Fix 82854 PCI ID, and treat it like other 85X

    commit 5ce8ba7c9279a63f99e1f131602580472b8af968 upstream.

    pci.ids and the datasheet both say it's 358e, not 35e8.

    Signed-off-by: Adam Jackson
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 6baadd343cb324ba60bf15a9294142531f1472ed
Author: Felix Fietkau
Date:   Tue Apr 27 00:26:34 2010 +0200

    mac80211: fix handling of 4-address-mode in ieee80211_change_iface

    commit f7917af92024d43bc20bc1afc92de27b0bd0f50b upstream.

    A misplaced interface type check bails out too early if the interface is not in monitor mode. This patch moves it to the right place, so that it only covers changes to the monitor flags.

    Signed-off-by: Felix Fietkau
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit f61b2c28636ecd88e2f856327d29e3b7a8e3a543
Author: Shanyu Zhao
Date:   Tue Apr 27 11:15:12 2010 -0700

    mac80211: fix rts threshold check

    commit a2c40249a36d0b4d76d1caf6bf806e4ae5b06e8a upstream.

    Currently whenever rts threshold is set, every packet will use RTS protection no matter its size exceeds the threshold or not. This is due to a bug in the rts threshold check.

        if (len > tx->local->hw.wiphy->rts_threshold) {
            txrc.rts = rts = true;
        }

    Basically it is comparing an int (len) and a u32 (rts_threshold), and the variable len is assigned as:

        len = min_t(int, tx->skb->len + FCS_LEN,
                    tx->local->hw.wiphy->frag_threshold);

    However, when frag_threshold is "-1", len is always "-1", which is 0xffffffff therefore rts is always set to true.

    Signed-off-by: Shanyu Zhao
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 735091bf209c26130d1380582d34990eb8af16ef
Author: Jouni Malinen
Date:   Sun Mar 28 22:29:52 2010 -0700

    mac80211: Fix robust management frame handling (MFP)

    commit d211e90e28a074447584729018a39910d691d1a8 upstream.

    Commit e34e09401ee9888dd662b2fca5d607794a56daf2 incorrectly removed use of ieee80211_has_protected() from the management frame case and in practice, made this validation drop all Action frames when MFP is enabled. This should have only been done for frames with Protected field set to zero.

    Signed-off-by: Jouni Malinen
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit e08018b10218825052b02c0d65cf9b5dd229f5df
Author: Andres Salomon
Date:   Thu Feb 25 19:18:47 2010 -0500

    mac80211: give warning if building w/out rate ctrl algorithm

    commit c2ef355bf3ef0b8006b96128726684fba47ac928 upstream.

    I discovered that if EMBEDDED=y, one can accidentally build a mac80211 stack and drivers w/ no rate control algorithm. For drivers like RTL8187 that don't supply their own RC algorithms, this will cause ieee80211_register_hw to fail (making the driver unusable).

    This will tell kconfig to provide a warning if no rate control algorithms have been selected. That'll at least warn the user; users that know that their drivers supply a rate control algorithm can safely ignore the warning, and those who don't know (or who expect to be using multiple drivers) can select a default RC algorithm.

    Signed-off-by: Andres Salomon
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 64b914d6daa61a17a8124a9b705de325178d59e0
Author: Bruno Randolf
Date:   Wed May 19 10:18:16 2010 +0900

    ath5k: consistently use rx_bufsize for RX DMA

    commit b5eae9ff5ba6d76de19286dd6429acd7cde3f79d upstream.

    We should use the same buffer size we set up for DMA also in the hardware descriptor. Previously we used common->rx_bufsize for setting up the DMA mapping, but used skb_tailroom(skb) for the size we tell to the hardware in the descriptor itself. The problem is that skb_tailroom(skb) can give us a larger value than the size we set up for DMA before. This allows the hardware to write into memory locations not set up for DMA. In practice this should rarely happen because all packets should be smaller than the maximum 802.11 packet size.

    On the tested platform rx_bufsize is 2528, and we allocated an skb of 2559 bytes length (including padding for cache alignment) but skb_tailroom() was 2592. Just consistently use rx_bufsize for all RX DMA memory sizes.

    Also use the return value of the descriptor setup function.

    Signed-off-by: Bruno Randolf
    Reviewed-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 6326f9f3d95b2c01ae24fb8a9fe6928e0b026e7f
Author: Andiry Xu
Date:   Mon May 10 19:57:17 2010 -0700

    USB: xHCI: Fix wrong usage of macro TRB_TYPE

    commit 54b5acf3acb7a1f83ec281d111d3e2812cd7ad9d upstream.

    Macro TRB_TYPE is misused in some places. Fix the wrong usage.

    Signed-off-by: Andiry Xu
    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman

commit a23417e033339c38ff35f3438fdea74e03ddf39b
Author: Sarah Sharp
Date:   Tue May 18 16:05:26 2010 -0700

    USB: xhci: Fix check for room on the ring.

    commit 44ebd037c54f80db3121ac9f5fe6e677b76e11d5 upstream.

    The length of the scatter gather list a driver can enqueue is limited by the bus' sg_tablesize to 62 entries. Each entry will be described by at least one transfer request block (TRB). If the entry's buffer crosses a 64KB boundary, then that entry will have to be described by two or more TRBs. So even if the USB device driver respects sg_tablesize, the whole scatter list may take more than 62 TRBs to describe, and won't fit on the ring.

    Don't assume that an empty ring means there is enough room on the transfer ring. The old code would unconditionally queue this too-large transfer, and overwrite the beginning of the transfer. This would mean the cycle bit was unchanged in those overwritten transfers, causing the hardware to think it didn't own the TRBs, and the host would seem to hang.

    Now drivers may see submit_urb() fail with -ENOMEM if the transfers are too big to fit on the ring.

    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman

commit 442f1232ae1b23382c967967b05932d2660025cd
Author: Sarah Sharp
Date:   Tue May 18 16:05:21 2010 -0700

    USB: xhci: Limit bus sg_tablesize to 62 TRBs.

    commit bc88d2eba5e19d10dd546e428314909d889b3b6a upstream.

    When a scatter-gather list is enqueued to the xHCI driver, it translates each entry into a transfer request block (TRB). Only 63 TRBs can be used per ring segment, and there must be one additional TRB reserved to make sure the hardware does not think the ring is empty (so the enqueue pointer doesn't equal the dequeue pointer). Limit the bus sg_tablesize to 62 TRBs.
Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit a8703df4cd58aee922d55b5b952fe4be91321a8e Author: Sarah Sharp Date: Thu May 6 13:40:08 2010 -0700 USB: xhci: Fix issue with set interface after stall. commit 1624ae1c19e227096ba85bfc389d9b99cb6f7dde upstream. When the USB core installs a new interface, it unconditionally clears the halts on all the endpoints on the new interface. Usually the xHCI host needs to know when an endpoint is reset, so it can change its internal endpoint state. In this case, it doesn't care, because the endpoints were never halted in the first place. To avoid issuing a redundant Reset Endpoint command, the xHCI driver looks at xhci_virt_ep->stopped_td to determine if the endpoint was actually halted. However, the functions that handle the stall never set that variable to NULL after it dealt with the stall. So if an endpoint stalled and a Reset Endpoint command completed, and then the class driver tried to install a new alternate setting, the xHCI driver would access the old xhci_virt_ep->stopped_td pointer. A similar problem occurs if the endpoint has been stopped to cancel a transfer. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 60ddaecd6b54a7ac29ec72571f3bc97347e0f89b Author: Alek Du Date: Mon May 10 11:17:49 2010 +0800 USB: EHCI: clear PHCD before resuming commit eab80de01cb398419ef3305f35abcb367c647c8b upstream. This is a bug fix for PHCD (phy clock disable) low power feature: After PHCD is set, any write to PORTSC register is illegal, so when resume ports, clear PHCD bit first. Signed-off-by: Alek Du Cc: David Brownell Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 0b1187ee5f3b8298062a69d9e1e45ebc4773640a Author: Anton Vorontsov Date: Fri May 14 18:33:18 2010 +0400 USB: FHCI: cq_get() should check kfifo_out()'s return value commit 7f1cccd3ec8789e52897bc34420ca81a5e2edeab upstream. Since commit 7acd72eb85f1c7a15e8b5eb554994949241737f1 ("kfifo: rename kfifo_put... into kfifo_in... 
and kfifo_get... into kfifo_out..."), kfifo_out() is marked __must_check, and that causes gcc to produce lots of warnings like this: CC drivers/usb/host/fhci-mem.o In file included from drivers/usb/host/fhci-hcd.c:34: drivers/usb/host/fhci.h: In function 'cq_get': drivers/usb/host/fhci.h:520: warning: ignoring return value of 'kfifo_out', declared with attribute warn_unused_result ... This patch fixes the issue by properly checking the return value. Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit c39f3ce982273c2f259938647f572b1af6a81711 Author: Hans de Goede Date: Thu Apr 29 12:59:04 2010 +0200 USB: unusual-dev: Add bad sense flag for Appotech ax203 based picture frames commit a78f4f1a16d87f3d33158d036af94e48e32f8aad upstream. These Appotech controllers are found in Picture Frames, they provide a (buggy) emulation of a cdrom drive which contains the windows software Uploading of pictures happens over the corresponding /dev/sg device. Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit f461818c03fe247d5a9bd0a0d9077aefdcfbc957 Author: Dinh Nguyen Date: Tue May 4 10:03:01 2010 -0500 USB: mxc: gadget: Fix bitfield for calculating maximum packet size commit 88e3b59b5adce5b12e205af0e34d518ba0dcdc0c upstream. The max packet length bit mask used for isochronous endpoints should be 0x7FF instead of 0x8FF. 0x8FF will actually clear higher-order bits in the max packet length field. This patch applies to 2.6.34-rc6. Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit a1ebdcfed1628fdfacf158e3899c9ad724a7f775 Author: Johan Hovold Date: Wed May 19 00:01:38 2010 +0200 USB: kl5usb105: fix memory leak commit 313b0d80c1717ffe8f64b455a4d323996748b91a upstream. Private data was not freed on error path in startup. 
Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ca1469edc247d56f9d5282a6ee92e16b224205bc Author: Johan Hovold Date: Thu May 13 21:02:00 2010 +0200 USB: ir-usb: fix double free commit 2ff78c0c2b67120c8e503268da3f177cae2228a2 upstream. If the user specifies a custom bulk buffer size we get a double free at port release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 99b8ca62d6e8310bd6d1995d6d66197dc4c6c50c Author: Nils Radtke Date: Mon May 17 14:14:11 2010 +0200 USB: option.c: OLIVETTI OLICARD100 support commit 86234d4975ce084d14711283a3bfc69305f97602 upstream. This patch adds support for an olivetti olicard100 HSDPA usb-stick. This device is a zeroCD one with ID 0b3c:c700 that needs switching via eject or usb-modeswitch with MessageContent="5553424312345678000000000000061b000000030000000000000000000000". After switching it has ID 0b3c:c000 and provides 5 serial ports ttyUSB[0-4]. Port 0 (modem) and 4 are interrupt ports. Signed-off-by: Nils Radtke Signed-off-by: Greg Kroah-Hartman commit 16b8e683fa87f54926702dba0ba502a8c5ce5be2 Author: Greg Kroah-Hartman Date: Tue Apr 27 09:38:51 2010 -0700 USB: serial: option: add cinterion device id commit 6f44bcb60bfa58590142545096b64f44144f0bc1 upstream. This adds a device id for a Cinterion device. Reported-by: John Race Signed-off-by: Greg Kroah-Hartman commit 8fba8f195b04bcb3a385b25ee0a09b5ab691af0b Author: spark Date: Fri Mar 5 14:18:05 2010 +0800 USB: option.c: Add Pirelli VID/PID and indicate Pirelli's modem interface is 0xff commit 33c387529b7931248c6637bf9720ac7504a0b28b upstream. Signed-off-by: spark Signed-off-by: Greg Kroah-Hartman commit e936fe9d0b941e8cc5e9e580d2c1731bc82f6175 Author: zhao1980ming Date: Mon May 3 00:06:37 2010 +0800 USB: option: add PID for ZTE product commit a71ee85e1d74e862d68cc9b2f2ab6a806d2550c9 upstream.
this patch adds ZTE modem devices Signed-off-by: Joey Signed-off-by: Greg Kroah-Hartman commit 780018f66c645dc98991c543bb4d6cc1133b1a06 Author: Johan Hovold Date: Sat May 15 17:53:43 2010 +0200 USB: kobil: fix memory leak commit c0f631d1948658b27349545b2cbcb4b32f010c7a upstream. An urb transfer buffer is allocated at every open but was never freed. This driver is a bit of a mess... Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b1c2d6c2234a04895db0bbd4b50a16453b6c4567 Author: Craig Shelley Date: Sat May 15 13:36:38 2010 +0100 USB: CP210x New Device IDs 11 New device IDs commit eefd9029fde4d90d59804eeb54880ab8db5c1866 upstream. Signed-off-by: Craig Shelley Signed-off-by: Greg Kroah-Hartman commit 487c79e0e5f23d1662ac527a5685ae1f7ae196eb Author: Johan Hovold Date: Sat May 15 17:53:48 2010 +0200 USB: visor: fix memory leak commit 199b113978015309dd02c69844c19a1be3f4dbcf upstream. Fix memory leak for some devices (Sony Clie 3.5) due to port private data not being freed on release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 774acedbe0450bf898db29f60cb155bbda2c6132 Author: Christian Lamparter Date: Tue Mar 23 21:51:14 2010 +0100 ar9170usb: fix panic triggered by undersized rxstream buffer commit 879999cec9489f8942ebce3ec1b5f23ef948dda7 upstream. While ar9170's USB transport packet size is currently set to 8KiB, the PHY is capable of receiving AMPDUs with up to 64KiB. Such a large frame will be split over several rx URBs and exceed the previously allocated space for rx stream reconstruction. This patch increases the buffer size to 64KiB which is in fact the phy & rx stream designed size limit. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=15591 Reported-by: Christian Mehlis Signed-off-by: Christian Lamparter Signed-off-by: John W. 
Linville Signed-off-by: Greg Kroah-Hartman commit 53d79eea5694856d540c19016feeb7f9d81f9d80 Author: Christian Lamparter Date: Tue Apr 13 18:10:26 2010 +0200 ar9170usb: add a couple more USB IDs commit 94d0bbe849190255b93fede8eb46809a38f9b8bf upstream. This patch adds the following 5 entries to the usbid device table: * Netgear WNA1000 * Proxim ORiNOCO Dual Band 802.11n USB Adapter * 3Com Dual Band 802.11n USB Adapter * H3C Dual Band 802.11n USB Adapter * WNC Generic 11n USB dongle Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit db3bf7c4a86e7210dbc33985cbc84de8faaec4cb Author: Cory Maccarrone Date: Sat May 22 13:00:28 2010 -0700 HID: Add the GYR4101US USB ID to hid-gyration commit c2fd1a4ebf9127c280d227acb635eb1df213439c upstream. This change adds in the USB product ID for the Gyration GYR4101US USB media center remote control. This remote is similar enough to the other two devices that this driver can be used without any other changes to get full support for the remote. Signed-off-by: Cory Maccarrone Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 2e53d4f2db2b0c204c39b56ad5ca99ce051292a3 Author: Erik Andrén Date: Mon Mar 8 17:16:00 2010 -0300 V4L/DVB: gspca - stv06xx: Remove the 046d:08da from the stv06xx driver commit 55e0b489a39bb635a44f769d620e44c70d9c065b upstream. The 046d:08da usb id shouldn't be associated with the stv06xx driver as they're not compatible with each other. This fixes a bug where Quickcam Messenger cams fail to use its proper driver (gspca-zc3xx), rendering the camera inoperable. Signed-off-by: Erik Andrén Tested-by: Gabriel Craciunescu Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 3248102fb17e21a7cdf73e4a9a55044b8affe286 Author: Kamal Mostafa Date: Sat May 1 12:09:49 2010 -0700 ACPI: video: fix acpi_backlight=video commit eeb4bcb4771679d7b3446c0293334faee11b090a upstream. 
Make "acpi_backlight=video" param enable ACPI_VIDEO_BACKLIGHT_FORCE_VIDEO as intended, instead of incorrectly enabling video output switching. BugLink: http://bugs.launchpad.net/bugs/573120 Signed-off-by: Kamal Mostafa Acked-by: Zhang Rui Cc: Bjorn Helgaas Cc: Jiri Kosina Acked-by: Thomas Renninger Signed-off-by: Andrew Morton Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit a86e8a1426783b1ce690c3c9f57bf4999f3d96d2 Author: Daniel T Chen Date: Sat May 29 11:04:11 2010 -0400 ALSA: hda: Use LPIB for a Shuttle device commit 61bb42c37dfa9016dcacc86bcd41362ab2457d4a upstream. BugLink: https://launchpad.net/bugs/551949 Symptom: On the reporter's Shuttle device, using PulseAudio in Ubuntu 10.04 LTS results in "popping clicking" audio with the PA crashing shortly thereafter. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, adjust the HDA device's volume with PulseAudio. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Christian Mehlis Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 85dd19f616a7e33adb3cbfaa286457dd475ca76c Author: Daniel T Chen Date: Thu May 27 18:32:18 2010 -0400 ALSA: hda: Use LPIB for Sony VPCS11V9E commit e96d3127760a2fc509bca6bf7e61e8bc61497aeb upstream. BugLink: https://launchpad.net/bugs/586347 Symptom: On the Sony VPCS11V9E, using GStreamer-based applications with PulseAudio in Ubuntu 10.04 LTS results in stuttering audio. It appears to worsen with increased I/O. Test case: use Rhythmbox under increased I/O pressure. This symptom is reproducible in the current daily stable alsa-driver snapshots (at least up until 21 May 2010; later snapshots fail to build from source due to missing preprocessor directives when compiled against 2.6.32). Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. 
Reported-and-Tested-By: Lauri Kainulainen Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0214b7e222556597433f99851008c7d06b88b956 Author: Daniel T Chen Date: Sat May 22 12:05:41 2010 -0400 ALSA: hda: Use LPIB for Acer Aspire 5110 commit 7a68be94e22e7643038726ebc14360752a91800b upstream. BugLink: https://launchpad.net/bugs/583983 Symptom: on a significant number of hardware, booting from a live cd results in capture working correctly, but once the distribution is installed, booting from the install results in capture not working. Test case: boot from Ubuntu 10.04 LTS live cd; capture works correctly. Install to HD and reboot; capture does not work. Reproduced with 2.6.32 mainline build (vanilla kernel.org compile). Resolution: add SSID for Acer Aspire 5110 to the position_fix quirk table, explicitly specifying the LPIB method. I'll be sending additional patches for these SSIDs as bug reports are confirmed. Reported-and-Tested-By: Leo Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ab201c0814c42564e74889f2d275278b8c8a8899 Author: Daniel T Chen Date: Sat May 22 13:12:22 2010 -0400 ALSA: hda: Use LPIB for Toshiba A100-259 commit 4e0938dba7fccf37a4aecba4d937da7f312b5d55 upstream. BugLink: https://launchpad.net/bugs/549560 Symptom: on a significant number of hardware, booting from a live cd results in capture working correctly, but once the distribution is installed, booting from the install results in capture not working. Test case: boot from Ubuntu 10.04 LTS live cd; capture works correctly. Install to HD and reboot; capture does not work. Reproduced with 2.6.32 mainline build (vanilla kernel.org compile) Resolution: add SSID for Toshiba A100-259 to the position_fix quirk table, explicitly specifying the LPIB method. I'll be sending additional patches for these SSIDs as bug reports are confirmed. 
This patch also trivially sorts the quirk table in ascending order by subsystem vendor. Reported-and-Tested-by: Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ef803ed48601f8c4885c4e96138f7a91dc6cffbd Author: Daniel T Chen Date: Sun May 23 20:47:45 2010 -0400 ALSA: hda: Fix model quirk for Dell M1730 commit 66668b6fb6861fad7f6bfef6646ac84693474c9a upstream. BugLink: https://launchpad.net/bugs/576160 Symptom: Currently (2.6.32.12) the Dell M1730 uses the 3stack model quirk. Unfortunately this means that capture is not functional out-of-the-box despite ensuring that capture settings are unmuted and raised fully. Test case: boot from Ubuntu 10.04 LTS live cd; capture does not work. Resolution: Correct the model quirk for Dell M1730 to rely on the BIOS configuration. This patch also trivially sorts the quirk into the correct section based on the comments. Reported-and-Tested-By: Tested-By: Daren Hayward Tested-By: Tobias Krais Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 59385efa61f29199c726fe474ff353000695b03b Author: Tony Breeds Date: Wed May 19 15:46:36 2010 +1000 mutex: Fix optimistic spinning vs. BKL commit fd6be105b883244127a734ac9f14ae94a022dcc0 upstream. Currently, we can hit a nasty case with optimistic spinning on mutexes: CPU A tries to take a mutex, while holding the BKL CPU B tried to take the BKL while holding the mutex This looks like an AB-BA scenario but in practice, is allowed and happens due to the auto-release on schedule() nature of the BKL. In that case, the optimistic spinning code can get us into a situation where instead of going to sleep, A will spin waiting for B who is spinning waiting for A, and the only way out of that loop is the need_resched() test in mutex_spin_on_owner(). This patch fixes it by completely disabling spinning if we own the BKL.
This adds one more detail to the extensive list of reasons why it's a bad idea for kernel code to be holding the BKL. Signed-off-by: Tony Breeds Acked-by: Linus Torvalds Acked-by: Peter Zijlstra Cc: Benjamin Herrenschmidt LKML-Reference: <20100519054636.GC12389@ozlabs.org> [ added an unlikely() attribute to the branch ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 3232ce8f86728d49deea779c45f8447fe1aef2eb Author: Nobuhiro KUSUNO Date: Thu May 6 05:23:28 2010 +0900 Staging: rt2870: add device ID of MelCo.,Inc. WLI-UC-G301N commit de37cd49b5a54facef174cf34496919857436e8f upstream. My wireless LAN module 'MelCo.,Inc. WLI-UC-G301N' works fine, if the following line is added into 2870_main_dev.c. Signed-off-by: Nobhiro KUSUNO Signed-off-by: Greg Kroah-Hartman commit 9541a0328b9c28709b7ee77e0412fd3984ea8642 Author: Larry Finger Date: Sun May 9 22:10:02 2010 -0500 staging: vt6655: Fix kernel BUG on driver wpa initialization commit f65515275ea3e45fdcd0fb78455f542d6fdca086 upstream. In http://bugzilla.novell.com/show_bug.cgi?id=597299, the vt6655 driver generates a kernel BUG on a NULL pointer dereference at NULL. This problem has been traced to a failure in the wpa_set_wpadev() routine. As the vt6656 driver does not call this routine, the vt6655 code is similarly set to skip the call. Signed-off-by: Larry Finger Tested-by: Richard Meek Signed-off-by: Greg Kroah-Hartman commit 78d395a26eb5fd802b846d7bf5afe3a64a5ddb63 Author: Rodrigo Linfati Date: Wed Apr 28 22:32:13 2010 +0200 Staging: add Add Sitecom WL-349 to rtl8192su commit 64a5a09218626464be35e0229d85b2ab0fcf03fd upstream. Add usb id of Sitecom WL-349 to rtl8192su Signed-off-by: Rodrigo Linfati Signed-off-by: Greg Kroah-Hartman commit 998160773234e9d27a6a6437554b6f66cb4b7da3 Author: John W. Linville Date: Wed Apr 28 19:14:42 2010 -0400 rtl8180: fix tx status reporting commit d989ff7cf8d14f1b523f63ba0bf2ec1a9b7c25bc upstream. When reporting Tx status, indicate that only one rate was used. 
Otherwise, the rate is frozen at rate index 0 (i.e. 1Mb/s). Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 70551a43efa4431fa57081f9b1a611e59ef8388b Author: Andreas Bombe Date: Mon May 17 23:12:46 2010 -0700 ARCNET: Limit com20020 PCI ID matches for SOHARD cards commit e7971c80a8e0299f91272ad8e8ac4167623e1862 upstream. The SH SOHARD ARCNET cards are implemented using generic PLX Technology PCI<->IOBus bridges. Subvendor and subdevice IDs were not specified, causing the driver to attach to any such bridge and likely crash the system by attempting to initialize an unrelated device. Fix by specifying subvendor and subdevice according to the values found in the PCI-ID Repository at http://pci-ids.ucw.cz/ . Signed-off-by: Andreas Bombe Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6d15bfe0c47ced1a603ab7d7352be68842be19fb Author: Tejun Heo Date: Fri May 14 11:48:50 2010 +0200 sata_nv: use ata_pci_sff_activate_host() instead of ata_host_activate() commit 95cc2c70c139936a2142bcd583da8af6f9d88efb upstream. sata_nv was incorrectly using ata_host_activate() instead of ata_pci_sff_activate_host() leading to IRQ assignment failure in legacy mode. Fix it. Signed-off-by: Tejun Heo Cc: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 5d121956703ea2e5ab9f73c48e225cbccbc9d9b6 Author: Pavel Emelyanov Date: Fri May 14 15:33:36 2010 +0400 NFSD: don't report compiled-out versions as present commit 15ddb4aec54422ead137b03ea4e9b3f5db3f7cc2 upstream. The /proc/fs/nfsd/versions file calls nfsd_vers() to check whether the particular nfsd version is present/available. The problem is that once I turn off e.g. NFSD-V4 this call returns -1 which is true from the callers POV which is wrong. The proposal is to report false in that case. The bug has existed since 6658d3a7bbfd1768 "[PATCH] knfsd: remove nfsd_versbits as intermediate storage for desired versions". 
Signed-off-by: Pavel Emelyanov Acked-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 98410fc32c3d9f983860691a1de2d9b8bd3fe5ee Author: KOSAKI Motohiro Date: Wed May 19 09:37:41 2010 +0900 cpumask: fix compat getaffinity commit fa9dc265ace9774e62f0e31108e5f47911124bda upstream. Commit a45185d2d "cpumask: convert kernel/compat.c" broke libnuma, which abuses sched_getaffinity to find out NR_CPUS in order to parse /sys/devices/system/node/node*/cpumap. On NUMA systems with fewer than 32 possible CPUs, the current compat_sys_sched_getaffinity now returns '4' instead of the actual NR_CPUS/8, which makes libnuma bail out when parsing the cpumap. libnuma calls sched_getaffinity(0, bitmap, 4096) at first. This means libnuma expects the return value of sched_getaffinity() to be either the len argument or NR_CPUS. But it doesn't expect it to return nr_cpu_ids. Strictly speaking, the userland requirements are 1) Glibc assumes the return value means the length of the initialized part of the mask argument. E.g. if sched_getaffinity(1024) returns 128, glibc zero-fills the remaining 896 bytes. 2) Libnuma assumes the return value can be used to guess NR_CPUS in the kernel. It assumes len-arg Acked-by: Rusty Russell Acked-by: Arnd Bergmann Reported-by: Ken Werner Cc: Andi Kleen Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 11f08eda06c466e39d337cb5f469018998897e89 Author: Andi Kleen Date: Thu Apr 1 03:17:25 2010 +0200 oprofile: remove double ring buffering commit cb6e943ccf19ab6d3189147e9d625a992e016084 upstream. oprofile used a double buffer scheme for its cpu event buffer to avoid races on reading with the old locked ring buffer. But that is obsolete now with the new ring buffer, so simply use a single buffer. This greatly simplifies the code and avoids a lot of sample drops on large runs, especially with call graph. Based on suggestions from Steven Rostedt For stable kernels from v2.6.32, but not earlier.
Signed-off-by: Andi Kleen Cc: Steven Rostedt Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 6b5bfc8f3b1c19cfa86f0ac7430624df266421ee Author: Robert Richter Date: Mon May 3 19:44:32 2010 +0200 oprofile/x86: fix uninitialized counter usage during cpu hotplug commit 2623a1d55a6260c855e1f6d1895900b50b40a896 upstream. This fixes a NULL pointer dereference that is triggered when taking a cpu offline after oprofile was initialized, e.g.: $ opcontrol --init $ opcontrol --start-daemon $ opcontrol --shutdown $ opcontrol --deinit $ echo 0 > /sys/devices/system/cpu/cpu1/online See the crash dump below. Though the counter has been disabled the cpu notifier is still active and trying to use already freed counter data. This fix is for linux-stable. To proper fix this, the hotplug code must be rewritten. Thus I will leave a WARN_ON_ONCE() message with this patch.
Cc: Andi Kleen Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 3a75987c127c12b27911fa583d1e9598c4702c8c Author: Sebastian Andrzej Siewior Date: Sun Mar 21 22:52:23 2010 +0100 libata: don't flush dcache on slab pages commit 3842e835490cdf17013b30a788f6311bdcfd0571 upstream. page_mapping() check this via VM_BUG_ON(PageSlab(page)) so we bug here with the according debuging turned on. Future TODO: replace this with a flush_dcache_page_for_pio() API Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 9554afc9830c730356aa9a773e9b28ecbdfa32e3 Author: Tejun Heo Date: Wed May 19 15:38:58 2010 +0200 libata: disable ATAPI AN by default commit e7ecd435692ca9bde9d124be30b3a26e672ea6c2 upstream. There are ATAPI devices which raise AN when hit by commands issued by open(). This leads to infinite loop of AN -> MEDIA_CHANGE uevent -> udev open() to check media -> AN. Both ACS and SerialATA standards don't define in which case ATAPI devices are supposed to raise or not raise AN. They both list media insertion event as a possible use case for ATAPI ANs but there is no clear description of what constitutes such events. As such, it seems a bit too naive to export ANs directly to userland as MEDIA_CHANGE events without further verification (which should behave similarly to windows as it apparently is the only thing that some hardware vendors are testing against). This patch adds libata.atapi_an module parameter and disables ATAPI AN by default for now. Signed-off-by: Tejun Heo Cc: Kay Sievers Cc: Nick Bowler Cc: David Zeuthen Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit b22ecc4e19d402ead68014587bf2e290aa856d65 Author: Andrey Vagin Date: Mon May 24 12:15:33 2010 -0700 posix_timer: Fix error path in timer_create commit 45e0fffc8a7778282e6a1514a6ae3e7ae6545111 upstream.
Move CLOCK_DISPATCH(which_clock, timer_create, (new_timer)) after all possible EFAULT errors. *_timer_create may allocate/get resources. (for example posix_cpu_timer_create does get_task_struct) [ tglx: fold the remove crappy comment patch into this ] Signed-off-by: Andrey Vagin Cc: Oleg Nesterov Cc: Pavel Emelyanov Reviewed-by: Stanislaw Gruszka Signed-off-by: Andrew Morton Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit b2bdae6d2cf82649fee2640adc334d41f5038185 Author: Al Viro Date: Wed May 26 17:40:29 2010 -0400 Fix racy use of anon_inode_getfd() in perf_event.c commit ea635c64e007061f6468ece5cc9cc62d41d4ecf2 upstream. Once anon_inode_getfd() is called, you can't expect *anything* about struct file that descriptor points to - another thread might be doing whatever it likes with descriptor table at that point. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman
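Added example (not kernel code and not part of this changelog) for the two xhci entries above, "Fix check for room on the ring" and "Limit bus sg_tablesize to 62 TRBs": it counts the TRBs a scatter-gather list needs under the 64KB-boundary rule, then compares the empty-ring shortcut the commit message describes with a check that always compares against the free TRB count. The struct, the function names and the sample addresses are constructed for illustration, and a single-segment ring with 62 free TRBs is assumed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRB_BOUNDARY   0x10000u /* 64KB: one TRB buffer may not cross this */
#define SG_TABLESIZE   62       /* bus sg_tablesize limit from the commit message */
#define RING_FREE_TRBS 62       /* 63 usable per segment, one kept in reserve */

/* Hypothetical stand-in for one mapped scatter-gather entry. */
struct sg_entry {
    uint64_t dma_addr;
    uint32_t len;
};

/* Number of TRBs one buffer needs: one per 64KB window it touches. */
unsigned trbs_for_entry(const struct sg_entry *e)
{
    uint64_t first, last;

    if (e->len == 0)
        return 1; /* modelled as still taking one TRB */
    first = e->dma_addr / TRB_BOUNDARY;
    last = (e->dma_addr + e->len - 1) / TRB_BOUNDARY;
    return (unsigned)(last - first + 1);
}

/* Total TRBs for a whole list; this can exceed the number of entries. */
unsigned trbs_for_list(const struct sg_entry *sg, size_t n)
{
    unsigned total = 0;
    size_t i;

    for (i = 0; i < n; i++)
        total += trbs_for_entry(&sg[i]);
    return total;
}

/* Model of the old behaviour: an empty ring is assumed to have room. */
int room_check_old(unsigned free_trbs, int ring_empty, unsigned needed)
{
    if (ring_empty)
        return 0; /* accepted even when needed > free_trbs */
    return needed <= free_trbs ? 0 : -ENOMEM;
}

/* Model of the fixed behaviour: always compare against the free count. */
int room_check_fixed(unsigned free_trbs, unsigned needed)
{
    return needed <= free_trbs ? 0 : -ENOMEM;
}

/* Constructed sample: 4096-byte buffers starting 2048 bytes before a 64KB boundary. */
void fill_straddling(struct sg_entry *sg, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        sg[i].dma_addr = (uint64_t)(i + 1) * TRB_BOUNDARY - 2048;
        sg[i].len = 4096;
    }
}

/* Constructed sample: 4096-byte buffers on 4096-byte boundaries (never straddle). */
void fill_aligned(struct sg_entry *sg, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        sg[i].dma_addr = (uint64_t)i * 4096;
        sg[i].len = 4096;
    }
}

int main(void)
{
    struct sg_entry sg[SG_TABLESIZE];
    unsigned needed;

    fill_aligned(sg, SG_TABLESIZE);
    needed = trbs_for_list(sg, SG_TABLESIZE);
    printf("aligned:    %u TRBs, fixed check -> %d\n",
           needed, room_check_fixed(RING_FREE_TRBS, needed));

    fill_straddling(sg, SG_TABLESIZE);
    needed = trbs_for_list(sg, SG_TABLESIZE);
    printf("straddling: %u TRBs, old check (empty ring) -> %d, fixed check -> %d\n",
           needed, room_check_old(RING_FREE_TRBS, 1, needed),
           room_check_fixed(RING_FREE_TRBS, needed));
    return 0;
}
```

A driver that respects sg_tablesize can still submit the straddling list, which is why the caller has to handle the -ENOMEM result rather than treat the 62-entry limit as a guarantee.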