commit 3db48f5c1a68e801146ca58ff94f3898c6fbf90e Author: Greg Kroah-Hartman Date: Mon Jul 5 11:24:10 2010 -0700 Linux 2.6.34.1 commit 447926d82934a627152b3841b8014b5b9e01d48d Author: Helge Deller Date: Mon May 3 20:44:21 2010 +0000 parisc: clear floating point exception flag on SIGFPE signal commit 550f0d922286556c7ea43974bb7921effb5a5278 upstream. Clear the floating point exception flag before returning to user space. This is needed, else the libc trampoline handler may hit the same SIGFPE again while building up a trampoline to a signal handler. Fixes debian bug #559406. Signed-off-by: Helge Deller Signed-off-by: Kyle McMartin Signed-off-by: Greg Kroah-Hartman commit 36346c14bde58f34c0a2df91635895f943eeb58b Author: Karsten Wiese Date: Sat Mar 27 22:48:33 2010 +0100 drm/i915: Don't touch PORT_HOTPLUG_EN in intel_dp_detect() commit 6e0032f0ae4440e75256bee11b163552cae21962 upstream. PORT_HOTPLUG_EN has allready been setup in i915_driver_irq_postinstall(), when intel_dp_detect() runs. Delete the DP[BCD]_HOTPLUG_INT_EN defines, they are not referenced anymore. I found this while searching for a fix for https://bugzilla.redhat.com/show_bug.cgi?id=528312 Signed-off-by: Karsten Wiese Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 87557bf5f6a941708534ae8f5f83cd68988d5063 Author: Joerg Roedel Date: Wed May 5 16:04:45 2010 +0200 KVM: SVM: Don't allow nested guest to VMMCALL into host This patch disables the possibility for a l2-guest to do a VMMCALL directly into the host. This would happen if the l1-hypervisor doesn't intercept VMMCALL and the l2-guest executes this instruction. Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 0d945bd9351199744c1e89d57a70615b6ee9f394) commit ce9fea841204616bc21fe42bdfbd60db8ae12d9e Author: Joerg Roedel Date: Thu May 6 11:38:43 2010 +0200 KVM: x86: Inject #GP with the right rip on efer writes This patch fixes a bug in the KVM efer-msr write path. If a guest writes to a reserved efer bit the set_efer function injects the #GP directly. The architecture dependent wrmsr function does not see this, assumes success and advances the rip. This results in a #GP in the guest with the wrong rip. This patch fixes this by reporting efer write errors back to the architectural wrmsr function. Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit b69e8caef5b190af48c525f6d715e7b7728a77f6) commit 8d3c865a11cc027bee53985237e12b086a6d7f41 Author: Avi Kivity Date: Thu May 13 11:50:19 2010 +0300 KVM: x86: Add missing locking to arch specific vcpu ioctls Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 8fbf065d625617bbbf6b72d5f78f84ad13c8b547) commit 548d65e9b09a7321e2da125acae765d1e902b6cd Author: Avi Kivity Date: Thu May 13 11:05:49 2010 +0300 KVM: PPC: Add missing vcpu_load()/vcpu_put() in vcpu ioctls Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 98001d8d017cea1ee0f9f35c6227bbd63ef5005b) commit 0119618803088bf8be6f287fc0e160e4a08fbfa6 Author: Avi Kivity Date: Tue May 4 15:00:37 2010 +0300 KVM: Fix wallclock version writing race Wallclock writing uses an unprotected global variable to hold the version; this can cause one guest to interfere with another if both write their wallclock at the same time. Acked-by: Glauber Costa Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 9ed3c444ab8987c7b219173a2f7807e3f71e234e) commit e995b3b2f8e5447928c7754f0702f05cc75646f6 Author: Avi Kivity Date: Tue May 4 12:58:32 2010 +0300 KVM: MMU: Don't read pdptrs with mmu spinlock held in mmu_alloc_roots On svm, kvm_read_pdptr() may require reading guest memory, which can sleep. Push the spinlock into mmu_alloc_roots(), and only take it after we've read the pdptr. Tested-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 8facbbff071ff2b19268d3732e31badc60471e21) commit 89e16408cedfeac6b7289397074bd9b44a594034 Author: Shane Wang Date: Thu Apr 29 12:09:01 2010 -0400 KVM: VMX: enable VMXON check with SMX enabled (Intel TXT) Per document, for feature control MSR: Bit 1 enables VMXON in SMX operation. If the bit is clear, execution of VMXON in SMX operation causes a general-protection exception. Bit 2 enables VMXON outside SMX operation. If the bit is clear, execution of VMXON outside SMX operation causes a general-protection exception. This patch is to enable this kind of check with SMX for VMXON in KVM. Signed-off-by: Shane Wang Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit cafd66595d92591e4bd25c3904e004fc6f897e2d) commit 7bf8439befd355aa60d8448ba238b555f0242482 Author: Avi Kivity Date: Wed May 12 11:48:18 2010 +0300 KVM: MMU: Segregate shadow pages with different cr0.wp When cr0.wp=0, we may shadow a gpte having u/s=1 and r/w=0 with an spte having u/s=0 and r/w=1. This allows excessive access if the guest sets cr0.wp=1 and accesses through this spte. Fix by making cr0.wp part of the base role; we'll have different sptes for the two cases and the problem disappears. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 3dbe141595faa48a067add3e47bba3205b79d33c) commit 6809d9686bf751235b9acc8869fa5793f9fe912d Author: Sheng Yang Date: Wed May 12 16:40:40 2010 +0800 KVM: x86: Check LMA bit before set_efer kvm_x86_ops->set_efer() would execute vcpu->arch.efer = efer, so the checking of LMA bit didn't work. Signed-off-by: Sheng Yang Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit a3d204e28579427609c3d15d2310127ebaa47d94) commit 52be6f3f5c4f964c154be2a97f9e22be6837c98d Author: Avi Kivity Date: Wed May 12 00:28:44 2010 +0300 KVM: Don't allow lmsw to clear cr0.pe The current lmsw implementation allows the guest to clear cr0.pe, contrary to the manual, which breaks EMM386.EXE. Fix by ORing the old cr0.pe with lmsw's operand. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit f78e917688edbf1f14c318d2e50dc8e7dad20445) commit 59aab522154a2f17b25335b63c1cf68a51fb6ae0 Author: Glauber Costa Date: Tue May 11 12:17:40 2010 -0400 x86, paravirt: Add a global synchronization point for pvclock In recent stress tests, it was found that pvclock-based systems could seriously warp in smp systems. Using ingo's time-warp-test.c, I could trigger a scenario as bad as 1.5mi warps a minute in some systems. (to be fair, it wasn't that bad in most of them). Investigating further, I found out that such warps were caused by the very offset-based calculation pvclock is based on. This happens even on some machines that report constant_tsc in its tsc flags, specially on multi-socket ones. Two reads of the same kernel timestamp at approx the same time, will likely have tsc timestamped in different occasions too. This means the delta we calculate is unpredictable at best, and can probably be smaller in a cpu that is legitimately reading clock in a forward ocasion. Some adjustments on the host could make this window less likely to happen, but still, it pretty much poses as an intrinsic problem of the mechanism. A while ago, I though about using a shared variable anyway, to hold clock last state, but gave up due to the high contention locking was likely to introduce, possibly rendering the thing useless on big machines. I argue, however, that locking is not necessary. We do a read-and-return sequence in pvclock, and between read and return, the global value can have changed. However, it can only have changed by means of an addition of a positive value. So if we detected that our clock timestamp is less than the current global, we know that we need to return a higher one, even though it is not exactly the one we compared to. OTOH, if we detect we're greater than the current time source, we atomically replace the value with our new readings. This do causes contention on big boxes (but big here means *BIG*), but it seems like a good trade off, since it provide us with a time source guaranteed to be stable wrt time warps. After this patch is applied, I don't see a single warp in time during 5 days of execution, in any of the machines I saw them before. Signed-off-by: Glauber Costa Acked-by: Zachary Amsden CC: Jeremy Fitzhardinge CC: Avi Kivity CC: Marcelo Tosatti CC: Zachary Amsden Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 489fb490dbf8dab0249ad82b56688ae3842a79e8) commit fab96caf8f4af41d1ed53c1ea37c70595d8d318f Author: Joerg Roedel Date: Thu Apr 22 12:33:12 2010 +0200 KVM: SVM: Report emulated SVM features to userspace This patch implements the reporting of the emulated SVM features to userspace instead of the real hardware capabilities. Every real hardware capability needs emulation in nested svm so the old behavior was broken. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit c2c63a493924e09a1984d1374a0e60dfd54fc0b0) commit 22dc1d0096484fba8c383e63064bec6d96dff218 Author: Joerg Roedel Date: Thu Apr 22 12:33:11 2010 +0200 KVM: x86: Add callback to let modules decide over some supported cpuid bits This patch adds the get_supported_cpuid callback to kvm_x86_ops. It will be used in do_cpuid_ent to delegate the decission about some supported cpuid bits to the architecture modules. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit d4330ef2fb2236a1e3a176f0f68360f4c0a8661b) commit 12f08e9684c604aa1407a6b62d1c71876db18093 Author: Wei Yongjun Date: Tue Mar 9 14:13:43 2010 +0800 KVM: PPC: Do not create debugfs if fail to create vcpu If fail to create the vcpu, we should not create the debugfs for it. Signed-off-by: Wei Yongjun Acked-by: Alexander Graf Cc: stable@kernel.org Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 06056bfb944a0302a8f22eb45f09123de7fb417b) commit d11e1d903937678a1557090cb2fff317ebe08cd2 Author: Wei Yongjun Date: Tue Mar 9 14:37:53 2010 +0800 KVM: s390: Fix possible memory leak of in kvm_arch_vcpu_create() This patch fixed possible memory leak in kvm_arch_vcpu_create() under s390, which would happen when kvm_arch_vcpu_create() fails. Signed-off-by: Wei Yongjun Acked-by: Carsten Otte Cc: stable@kernel.org Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 7b06bf2ffa15e119c7439ed0b024d44f66d7b605) commit bdb19d4b8a480be7bd1da9ee8f0efb9ee5d15a8a Author: Joerg Roedel Date: Fri Feb 19 16:23:01 2010 +0100 KVM: SVM: Fix wrong interrupt injection in enable_irq_windows The nested_svm_intr() function does not execute the vmexit anymore. Therefore we may still be in the nested state after that function ran. This patch changes the nested_svm_intr() function to return wether the irq window could be enabled. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 8fe546547cf6857a9d984bfe2f2194910f3fc5d0) commit d3994940c979188e63b7554335591608ba4fd5ee Author: Joerg Roedel Date: Fri Feb 19 16:23:06 2010 +0100 KVM: SVM: Don't sync nested cr8 to lapic and back This patch makes syncing of the guest tpr to the lapic conditional on !nested. Otherwise a nested guest using the TPR could freeze the guest. Another important change this patch introduces is that the cr8 intercept bits are no longer ORed at vmrun emulation if the guest sets VINTR_MASKING in its VMCB. The reason is that nested cr8 accesses need alway be handled by the nested hypervisor because they change the shadow version of the tpr. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 88ab24adc7142506c8583ac36a34fa388300b750) commit db8125fa4593489fdc161ab04853be9f5a153690 Author: Joerg Roedel Date: Fri Feb 19 16:23:05 2010 +0100 KVM: SVM: Fix nested msr intercept handling The nested_svm_exit_handled_msr() function maps only one page of the guests msr permission bitmap. This patch changes the code to use kvm_read_guest to fix the bug. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 4c7da8cb43c09e71a405b5aeaa58a1dbac3c39e9) commit 663dc3bf055cb398b7fb84b849ea42d8571871b9 Author: Joerg Roedel Date: Fri Feb 19 16:23:03 2010 +0100 KVM: SVM: Sync all control registers on nested vmexit Currently the vmexit emulation does not sync control registers were the access is typically intercepted by the nested hypervisor. But we can not count on that intercepts to sync these registers too and make the code architecturally more correct. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit cdbbdc1210223879450555fee04c29ebf116576b) commit c9c1db0b5210916c6bba2fab84537bbeb26a4bf3 Author: Joerg Roedel Date: Fri Feb 19 16:23:02 2010 +0100 KVM: SVM: Fix schedule-while-atomic on nested exception handling Move the actual vmexit routine out of code that runs with irqs and preemption disabled. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit b8e88bc8ffba5fe53fb8d8a0a4be3bbcffeebe56) commit 6a8b016c48965066af329c154ca044417e4c8fe3 Author: Joerg Roedel Date: Fri Feb 19 16:23:00 2010 +0100 KVM: SVM: Don't use kmap_atomic in nested_svm_map Use of kmap_atomic disables preemption but if we run in shadow-shadow mode the vmrun emulation executes kvm_set_cr3 which might sleep or fault. So use kmap instead for nested_svm_map. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (Cherry-picked from commit 7597f129d8b6799da7a264e6d6f7401668d3a36d) commit eaeb91e532a4d68d51825bd0ed82f0955c9e3250 Author: Laurent Pinchart Date: Sun Apr 25 16:27:14 2010 -0300 V4L/DVB: uvcvideo: Prevent division by 0 when control step value is 0 commit cf7a50eeb6f462a0b7d1619fcb27a727a2981769 upstream. The control step values reported by the device are used as a divisor unchecked, which can result in a division by zero. Check the step value and make it 1 when null. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 135b48da0c911dbd8aa4c52742b9022643bc02a3 Author: Trond Myklebust Date: Wed May 26 08:42:24 2010 -0400 NFS: Fix another nfs_wb_page() deadlock commit 0522f6adedd2736cbca3c0e16ca51df668993eee upstream. J.R. Okajima reports that the call to sync_inode() in nfs_wb_page() can deadlock with other writeback flush calls. It boils down to the fact that we cannot ever call writeback_single_inode() while holding a page lock (even if we do set nr_to_write to zero) since another process may already be waiting in the call to do_writepages(), and so will deny us the I_SYNC lock. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 53dc58fdce4053334b2f47e692d4769f92f41255 Author: Trond Myklebust Date: Wed May 26 08:42:11 2010 -0400 NFS: Ensure that we mark the inode as dirty if we exit early from commit commit c5efa5fc91f1f6d1d47e65f39e7ec6d1157c777d upstream. If we exit from nfs_commit_inode() without ensuring that the COMMIT rpc call has been completed, we must re-mark the inode as dirty. Otherwise, future calls to sync_inode() with the WB_SYNC_ALL flag set will fail to ensure that the data is on the disk. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 99d690620ac4810b175f207a09044004bc2b4d79 Author: Shi Weihua Date: Tue May 18 00:50:32 2010 +0000 Btrfs: should add a permission check for setfacl commit 2f26afba46f0ebf155cf9be746496a0304a5b7cf upstream. On btrfs, do the following ------------------ # su user1 # cd btrfs-part/ # touch aaa # getfacl aaa # file: aaa # owner: user1 # group: user1 user::rw- group::rw- other::r-- # su user2 # cd btrfs-part/ # setfacl -m u::rwx aaa # getfacl aaa # file: aaa # owner: user1 # group: user1 user::rwx <- successed to setfacl group::rw- other::r-- ------------------ but we should prohibit it that user2 changing user1's acl. In fact, on ext3 and other fs, a message occurs: setfacl: aaa: Operation not permitted This patch fixed it. Signed-off-by: Shi Weihua Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 31ccb0859d5b3de20fec1c540d84d5a339c70002 Author: Steve French Date: Thu Apr 22 19:21:55 2010 +0000 CIFS: Allow null nd (as nfs server uses) on create commit fa588e0c57048b3d4bfcd772d80dc0615f83fd35 upstream. While creating a file on a server which supports unix extensions such as Samba, if a file is being created which does not supply nameidata (i.e. nd is null), cifs client can oops when calling cifs_posix_open. Signed-off-by: Shirish Pargaonkar Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 55442a2a4c899ee1201e2dca8f8c7a0dc4e59037 Author: Steven Whitehouse Date: Mon May 24 14:36:48 2010 +0100 GFS2: Fix permissions checking for setflags ioctl() commit 7df0e0397b9a18358573274db9fdab991941062f upstream. We should be checking for the ownership of the file for which flags are being set, rather than just for write access. Reported-by: Dan Rosenberg Signed-off-by: Steven Whitehouse Signed-off-by: Greg Kroah-Hartman commit 94f98453eab3c95eaa40132b2e78cc4edc1bf48f Author: Theodore Ts'o Date: Wed Jun 2 22:04:39 2010 -0400 ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files commit 1f5a81e41f8b1a782c68d3843e9ec1bfaadf7d72 upstream. Dan Roseberg has reported a problem with the MOVE_EXT ioctl. If the donor file is an append-only file, we should not allow the operation to proceed, lest we end up overwriting the contents of an append-only file. Signed-off-by: "Theodore Ts'o" Cc: Dan Rosenberg Signed-off-by: Greg Kroah-Hartman commit 5ea7d8ced3cb5376b6089ccc2213465e853da71f Author: Eric Sandeen Date: Sun May 16 01:00:00 2010 -0400 ext4: check s_log_groups_per_flex in online resize code commit 42007efd569f1cf3bfb9a61da60ef6c2179508ca upstream. If groups_per_flex < 2, sbi->s_flex_groups[] doesn't get filled out, and every other access to this first tests s_log_groups_per_flex; same thing needs to happen in resize or we'll wander off into a null pointer when doing an online resize of the file system. Thanks to Christoph Biedl, who came up with the trivial testcase: # truncate --size 128M fsfile # mkfs.ext3 -F fsfile # tune2fs -O extents,uninit_bg,dir_index,flex_bg,huge_file,dir_nlink,extra_isize fsfile # e2fsck -yDf -C0 fsfile # truncate --size 132M fsfile # losetup /dev/loop0 fsfile # mount /dev/loop0 mnt # resize2fs -p /dev/loop0 https://bugzilla.kernel.org/show_bug.cgi?id=13549 Reported-by: Alessandro Polverini Test-case-by: Christoph Biedl Signed-off-by: Eric Sandeen Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 5842e8e202ecef054e6a769e194dbf9c17b81569 Author: Peter Zijlstra Date: Thu May 27 12:54:41 2010 +0200 perf_events: Fix races and clean up perf_event and perf_mmap_data interaction commit ac9721f3f54b27a16c7e1afb2481e7ee95a70318 upstream. In order to move toward separate buffer objects, rework the whole perf_mmap_data construct to be a more self-sufficient entity, one with its own lifetime rules. This greatly sanitizes the whole output redirection code, which was riddled with bugs and races. Signed-off-by: Peter Zijlstra LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ca2455ec0673fcde16f81ee0f585c4edc2e076e7 Author: Johannes Berg Date: Mon Jun 7 21:20:38 2010 +0200 iwlwifi: add missing rcu_read_lock commit 6db6340c42d027b6364d49fa99d69019aca24de4 upstream. Using ieee80211_find_sta() needs to be under RCU read lock, which iwlwifi currently misses, so fix it. Reported-by: Miles Lane Signed-off-by: Johannes Berg Acked-by: Reinette Chatre Tested-by: Miles Lane Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 40146189c77991baf1e3c6816b9b39da942c2974 Author: Grazvydas Ignotas Date: Sat Jun 5 02:25:47 2010 +0300 wl1251: fix a memory leak in probe commit aa679c36756003f1fabdb9fc6f00eb159559f7c3 upstream. wl1251_sdio_probe() error path is missing wl1251_free_hw, add it. Signed-off-by: Grazvydas Ignotas Acked-by: Kalle Valo Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9276b6f4b6b5bac6b81efb6e355c77b681ddde24 Author: Christoph Hellwig Date: Tue Jun 1 21:59:18 2010 +0200 nfsd: nfsd_setattr needs to call commit_metadata commit b160fdabe93a8a53094f90f02bf4dcb500782aab upstream. The conversion of write_inode_now calls to commit_metadata in commit f501912a35c02eadc55ca9396ece55fe36f785d0 missed out the call in nfsd_setattr. But without this conversion we can't guarantee that a SETATTR request has actually been commited to disk with XFS, which causes a regression from 2.6.32 (only for NFSv2, but anyway). Signed-off-by: Christoph Hellwig Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit a07d9118270a41ff425a00194f100e25752f920f Author: Oleg Nesterov Date: Thu Jun 3 23:34:09 2010 +0200 tracing: Fix null pointer deref with SEND_SIG_FORCED commit b9b76dfaac6fa2c289ee8a005be637afd2da7e2f upstream. BUG: unable to handle kernel NULL pointer dereference at 0000000000000006 IP: [] ftrace_raw_event_signal_generate+0x87/0x140 TP_STORE_SIGINFO() forgets about SEND_SIG_FORCED, fix. We should probably export is_si_special() and change TP_STORE_SIGINFO() to use it in the longer term. Signed-off-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Steven Rostedt Cc: Andrew Morton Cc: Jason Baron Cc: Masami Hiramatsu LKML-Reference: <20100603213409.GA8307@redhat.com> Signed-off-by: Frederic Weisbecker Signed-off-by: Greg Kroah-Hartman commit 22fc69f9e98416df62729635f702b5459c4d73a5 Author: Peter Zijlstra Date: Fri Jun 4 15:18:01 2010 +0200 perf: Fix signed comparison in perf_adjust_period() commit f6ab91add6355e231e1c47897027b2a6ee4fa268 upstream. Frederic reported that frequency driven swevents didn't work properly and even caused a division-by-zero error. It turns out there are two bugs, the division-by-zero comes from a failure to deal with that in perf_calculate_period(). The other was more interesting and turned out to be a wrong comparison in perf_adjust_period(). The comparison was between an s64 and u64 and got implicitly converted to an unsigned comparison. The problem is that period_left is typically < 0, so it ended up being always true. Cure this by making the local period variables s64. Reported-by: Frederic Weisbecker Tested-by: Frederic Weisbecker Signed-off-by: Peter Zijlstra LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ad569e0445c9073a9fd65c18b465dfef1d9bf3b4 Author: Reinette Chatre Date: Mon May 3 10:55:07 2010 -0700 iwlwifi: recalculate average tpt if not current commit 3d79b2a9eeaa066b35c49fbb17e3156a3c482c3e upstream. We currently have this check as a BUG_ON, which is being hit by people. Previously it was an error with a recalculation if not current, return that code. The BUG_ON was introduced by: commit 3110bef78cb4282c58245bc8fd6d95d9ccb19749 Author: Guy Cohen Date: Tue Sep 9 10:54:54 2008 +0800 iwlwifi: Added support for 3 antennas ... the portion adding the BUG_ON is reverted since we are encountering the error and BUG_ON was created with assumption that error is not encountered. Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f09f06dbf31f6f6a3d95e3a51cc748794be91451 Author: Reinette Chatre Date: Thu May 13 14:49:44 2010 -0700 iwlwifi: fix internal scan race commit 073d5eab6fc85b6c278d507a5633b759a85dc878 upstream. It is possible for internal scan to race against itself if the device is not returning the scan results from first requests. What happens in this case is the cleanup done during the abort of the first internal scan also cleans up part of the new scan, causing it to access memory it shouldn't. Here are details: * First internal scan is triggered and scan command sent to device. * After seven seconds there is no scan results so the watchdog timer triggers a scan abort. * The scan abort succeeds and a SCAN_COMPLETE_NOTIFICATION is received for failed scan. * During processing of SCAN_COMPLETE_NOTIFICATION we clear STATUS_SCANNING and queue the "scan_completed" work. ** At this time, since the problem that caused the internal scan in first place is still present, a new internal scan is triggered. The behavior at this point is a bit different between 2.6.34 and 2.6.35 since 2.6.35 has a lot of this synchronized. The rest of the race description will thus be generalized. ** As part of preparing for the scan "is_internal_short_scan" is set to true. * At this point the completion work for fist scan is run. As part of this there is some locking missing around the "is_internal_short_scan" variable and it is set to "false". ** Now the second scan runs and it considers itself a real (not internal0 scan and thus causes problems with wrong memory being accessed. The fix is twofold. * Since "is_internal_short_scan" should be protected by mutex, fix this in scan completion work so that changes to it can be serialized. * Do not queue a new internal scan if one is in progress. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=15824 Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 42864ec780011c0a8357317e03151f203d3d6b8c Author: Shaohua Li Date: Tue May 25 10:16:53 2010 +0200 cfq-iosched: fix an oops caused by slab leak commit d02a2c077fb81f3224c770be62a318165b23b486 upstream. I got below oops when unloading cfq-iosched. Considering scenario: queue A merge to B, C merge to D and B will be merged to D. Before B is merged to D, we do split B. We should put B's reference for D. [ 807.768536] ============================================================================= [ 807.768539] BUG cfq_queue: Objects remaining on kmem_cache_close() [ 807.768541] ----------------------------------------------------------------------------- [ 807.768543] [ 807.768546] INFO: Slab 0xffffea0003e6b4e0 objects=26 used=1 fp=0xffff88011d584fd8 flags=0x200000000004082 [ 807.768550] Pid: 5946, comm: rmmod Tainted: G W 2.6.34-07097-gf4b87de-dirty #724 [ 807.768552] Call Trace: [ 807.768560] [] slab_err+0x8f/0x9d [ 807.768564] [] ? flush_cpu_slab+0x0/0x93 [ 807.768569] [] ? add_preempt_count+0xe/0xca [ 807.768572] [] ? sub_preempt_count+0xe/0xb6 [ 807.768577] [] ? _raw_spin_unlock+0x15/0x30 [ 807.768580] [] ? sub_preempt_count+0xe/0xb6 [ 807.768584] [] list_slab_objects+0x9b/0x19f [ 807.768588] [] ? add_preempt_count+0xc6/0xca [ 807.768591] [] kmem_cache_destroy+0x13f/0x21d [ 807.768597] [] cfq_slab_kill+0x1a/0x43 [cfq_iosched] [ 807.768601] [] cfq_exit+0x93/0x9e [cfq_iosched] [ 807.768606] [] sys_delete_module+0x1b1/0x219 [ 807.768612] [] system_call_fastpath+0x16/0x1b [ 807.768618] INFO: Object 0xffff88011d584618 @offset=1560 [ 807.768622] INFO: Allocated in cfq_get_queue+0x11e/0x274 [cfq_iosched] age=7173 cpu=1 pid=5496 [ 807.768626] ============================================================================= Signed-off-by: Shaohua Li Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit a293c6c6ad7bf4e99a16d43e80cf4e91c8fb2a41 Author: Roberto Sassu Date: Thu Jun 3 11:58:28 2010 +0200 wrong type for 'magic' argument in simple_fill_super() commit 7d683a09990ff095a91b6e724ecee0ff8733274a upstream. It's used to superblock ->s_magic, which is unsigned long. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar Signed-off-by: Eric Paris Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 853ac1cddf0603e4a7a61110b96867cc0c3fd59d Author: Jason Dravet Date: Sat Jun 5 15:08:29 2010 -0500 p54usb: Add device ID for Dell WLA3310 USB commit 0f666a08901f8b01f294ca0ad751019375240ae3 upstream. Add Dell WLA3310 USB wireless card, which has a Z-Com XG-705A chipset, to the USB Ids in p54usb. Signed-off-by: Jason Dravet Tested-by: Richard Gregory Tillmore Signed-off-by: Larry Finger Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3aa5ef87c4fa4be6d538c4cce37b5ea9afec7ca0 Author: Alan Stern Date: Fri Jun 4 14:02:42 2010 -0400 USB: unbind all interfaces before rebinding them commit c043f1245654a726925529007210e9f786426448 upstream. This patch (as1387) fixes a bug introduced during the changeover to the runtime PM framework. When a driver doesn't support resume or reset-resume, and consequently its interfaces need to be unbound and rebound, we have to unbind all the interfaces before trying to rebind any of them. Otherwise the driver's probe method for one interface could try to claim a different interface and fail, because that other interface hasn't been unbound yet. This fixes Bugzilla #15788. The symptom is that some USB sound cards don't work after hibernation. Signed-off-by: Alan Stern Tested-by: François Valenduc Signed-off-by: Greg Kroah-Hartman commit f4723b721570bc97eeddc6c4aeea1e2be9f09afb Author: Axel Lin Date: Mon May 31 08:04:47 2010 +0800 USB: cdc-acm: fix resource reclaim in error path of acm_probe commit c2572b78aa0447244a38e555ebb1b3b48a0088a5 upstream. This patch fixes resource reclaim in error path of acm_probe: 1. In the case of "out of memory (read urbs usb_alloc_urb)\n")", there is no need to call acm_read_buffers_free(acm) here. Fix it by goto alloc_fail6 instead of alloc_fail7. 2. In the case of "out of memory (write urbs usb_alloc_urb)", usb_alloc_urb may fail in any iteration of the for loop. Current implementation does not properly free allocated snd->urb. Fix it by goto alloc_fail8 instead of alloc_fail7. 3. In the case of device_create_file(&intf->dev,&dev_attr_iCountryCodeRelDate) fail, acm->country_codes is kfreed. As a result, device_remove_file for dev_attr_wCountryCodes will not be executed in acm_disconnect. Fix it by calling device_remove_file for dev_attr_wCountryCodes before goto skip_countries. Signed-off-by: Axel Lin Acked-by: Oliver Neukum Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 7fcd12387f790caf53fc88bf57c443a9af9f2332 Author: Daniel Mack Date: Thu Jun 3 13:55:02 2010 +0200 USB: ftdi_sio: fix DTR/RTS line modes commit 6a1a82df91fa0eb1cc76069a9efe5714d087eccd upstream. Call set_mctrl() and clear_mctrl() according to the flow control mode selected. This makes serial communication for FT232 connected devices work when CRTSCTS is not set. This fixes a regression introduced by 4175f3e31 ("tty_port: If we are opened non blocking we still need to raise the carrier"). This patch calls the low-level driver's dtr_rts() function which consequently sets TIOCM_DTR | TIOCM_RTS. A later call to set_termios() without CRTSCTS in cflags, however, does not reset these bits, and so data is not actually sent out on the serial wire. Signed-off-by: Daniel Mack Cc: Johan Hovold Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 2e6aac905807a7f440c15e03e6c88fa4922d849e Author: Sarah Sharp Date: Mon May 24 13:25:15 2010 -0700 USB: xhci: Wait for controller to be ready after reset. commit 2d62f3eea98354d61f90d6b115eecf9be5f4bdfe upstream. After software resets an xHCI host controller, it must wait for the "Controller Not Ready" (CNR) bit in the status register to be cleared. Software is not supposed to ring any doorbells or write to any registers except the status register until this bit is cleared. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit cf86414c11c5654ce50a5b476ce00fb4b6db46d4 Author: Sarah Sharp Date: Mon May 24 13:25:21 2010 -0700 USB: xhci: Wait for host to start running. commit ed07453fd356025cc25272629e982f5e4607632c upstream. When the run bit is set in the xHCI command register, it may take a few microseconds for the host to start running. We cannot ring any doorbells until the host is actually running, so wait until the status register says the host is running. Signed-off-by: Sarah Sharp Reported-by: Shinya Saito Signed-off-by: Greg Kroah-Hartman commit 280947b67d675a885b97857a93adaf97970a02a4 Author: Johan Hovold Date: Wed May 19 22:13:17 2010 +0200 USB: mos7840: fix null-pointer dereference commit b41709f1263bb1ad37efc43fea0bb0b670c12e78 upstream. Fix null-pointer dereference on error path. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 16e0c1f8b20427a39f8c0bfb42434932f7d20acc Author: Chris Wilson Date: Sat May 15 09:57:03 2010 +0100 drm/i915: Kill dangerous pending-flip debugging commit 9908ff736adf261e749b4887486a32ffa209304c upstream. We can, by virtue of a vblank interrupt firing in the middle of setting up the unpin work (i.e. after we set the unpin_work field and before we write to the ringbuffer) enter intel_finish_page_flip() prior to receiving the pending flip notification. Therefore we can expect to hit intel_finish_page_flip() under normal circumstances without a pending flip and even without installing the pending_flip_obj. This is exacerbated by aperture thrashing whilst binding the framebuffer References: Bug 28079 - "glresize" causes kernel panic in intel_finish_page_flip. https://bugs.freedesktop.org/show_bug.cgi?id=28079 Reported-by: Nick Bowler Signed-off-by: Chris Wilson Cc: Jesse Barnes Reviewed-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 58a676c197f3deac56ec15ce9043406603bd56f7 Author: Chris Wilson Date: Thu May 27 13:18:18 2010 +0100 drm/i915: Rebind bo if currently bound with incorrect alignment. commit ac0c6b5ad3b3b513e1057806d4b7627fcc0ecc27 upstream. Whilst pinning the buffer, check that that its current alignment matches the requested alignment. If it does not, rebind. This should clear up any final render errors whilst resuming, for reference: Bug 27070 - [i915] Page table errors with empty ringbuffer https://bugs.freedesktop.org/show_bug.cgi?id=27070 Bug 15502 - render error detected, EIR: 0x00000010 https://bugzilla.kernel.org/show_bug.cgi?id=15502 Bug 13844 - i915 error: "render error detected" https://bugzilla.kernel.org/show_bug.cgi?id=13844 Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit e7fd492cada7c8d79093ee5ed5482046ed9e7261 Author: Tejun Heo Date: Mon May 31 16:26:48 2010 +0200 sata_via: magic vt6421 fix for transmission problems w/ WD drives commit 8b27ff4cf6d15964aa2987aeb58db4dfb1f87a19 upstream. vt6421 has problems talking to recent WD drives. It causes a lot of transmission errors while high bandwidth transfer as reported in the following bugzilla entry. https://bugzilla.kernel.org/show_bug.cgi?id=15173 Joseph Chan provided the following fix. I don't have any idea what it does but I can verify the issue is gone with the patch applied. Signed-off-by: Tejun Heo Originally-from: Joseph Chan Reported-by: Jorrit Tijben Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit a4fd5acd21386fe469c4815e37c963562041a615 Author: Tejun Heo Date: Tue Jun 1 17:29:21 2010 +0200 sata_nv: don't diddle with nIEN on mcp55 commit f3faf8fc3fab45c3526efe8c9e99bb23f8723350 upstream. On mcp55, nIEN gets stuck once set and liteon blueray rom iHOS104-08 violates ATA specification and fails to set I on D2H Reg FIS if nIEN is set when the command was issued. When the other party is following the spec, both devices can work fine but when the two flaws are put together, they can't talk to each other. mcp55 has its own IRQ masking mechanism and there's no reason to mess with nIEN in the first place. Fix it by dropping nIEN diddling from nv_mcp55_freeze/thaw(). This was originally reported by Cengiz. Although Cengiz hasn't verified the fix yet, I could reproduce this problem and verfiy the fix. Even if Cengiz is experiencing different or additional problems, this patch is needed. Signed-off-by: Tejun Heo Reported-by: Cengiz Günay Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 0258282e4025563935d4c1d6afc484c299043dd6 Author: Stephane Eranian Date: Wed Mar 17 23:21:01 2010 +0200 perf_events: Fix resource leak in x86 __hw_perf_event_init() commit 4b24a88b35e15e04bd8f2c5dda65b5dc8ebca05f upstream. If reserve_pmc_hardware() succeeds but reserve_ds_buffers() fails, then we need to release_pmc_hardware. It won't be done by the destroy() callback because we return before setting it in case of error. Signed-off-by: Stephane Eranian Cc: peterz@infradead.org Cc: paulus@samba.org Cc: davem@davemloft.net Cc: fweisbec@gmail.com Cc: robert.richter@amd.com Cc: perfmon2-devel@lists.sf.net LKML-Reference: <4ba1568b.15185e0a.182a.7802@mx.google.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 181e8191c6f3ba70136fe83af6dfa5b90789cd42 Author: Greg Thelen Date: Fri Jun 4 14:15:03 2010 -0700 cgroups: alloc_css_id() increments hierarchy depth commit 94b3dd0f7bb393d93e84a173b1df9b8b64c83ac4 upstream. Child groups should have a greater depth than their parents. Prior to this change, the parent would incorrectly report zero memory usage for child cgroups when use_hierarchy is enabled. test script: mount -t cgroup none /cgroups -o memory cd /cgroups mkdir cg1 echo 1 > cg1/memory.use_hierarchy mkdir cg1/cg11 echo $$ > cg1/cg11/tasks dd if=/dev/zero of=/tmp/foo bs=1M count=1 echo echo CHILD grep cache cg1/cg11/memory.stat echo echo PARENT grep cache cg1/memory.stat echo $$ > tasks rmdir cg1/cg11 cg1 cd / umount /cgroups Using fae9c79, a recent patch that changed alloc_css_id() depth computation, the parent incorrectly reports zero usage: root@ubuntu:~# ./test 1+0 records in 1+0 records out 1048576 bytes (1.0 MB) copied, 0.0151844 s, 69.1 MB/s CHILD cache 1048576 total_cache 1048576 PARENT cache 0 total_cache 0 With this patch, the parent correctly includes child usage: root@ubuntu:~# ./test 1+0 records in 1+0 records out 1048576 bytes (1.0 MB) copied, 0.0136827 s, 76.6 MB/s CHILD cache 1052672 total_cache 1052672 PARENT cache 0 total_cache 1052672 Signed-off-by: Greg Thelen Acked-by: Paul Menage Acked-by: KAMEZAWA Hiroyuki Acked-by: Li Zefan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2f055d42e40b10d8f55439f9b6bd7defcb9d7873 Author: Alan Cox Date: Wed Jun 9 09:39:49 2010 +0100 misc: Fix allocation 'borrowed' by vhost_net commit 79907d89c397b8bc2e05b347ec94e928ea919d33 upstream. 10, 233 is allocated officially to /dev/kmview which is shipping in Ubuntu and Debian distributions. vhost_net seem to have borrowed it without making a proper request and this causes regressions in the other distributions. vhost_net can use a dynamic minor so use that instead. Also update the file with a comment to try and avoid future misunderstandings. Signed-off-by: Alan Cox [ We should have caught this before 2.6.34 got released. - Linus ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e2f415159f02c5815415260063c47e06cf7408ee Author: Stefan Richter Date: Sun May 30 19:43:52 2010 +0200 firewire: core: check for 1394a compliant IRM, fix inaccessibility of Sony camcorder commit 10389536742cefbedecb67a5b2906f155cf3a1c3 upstream. Per IEEE 1394 clause 8.4.2.3, a contender for the IRM role shall check whether the current IRM complies to 1394a-2000 or later. If not force a compliant node (e.g. itself) to become IRM. This was implemented in the older ieee1394 driver but not yet in firewire-core. An older Sony camcorder (Sony DCR-TRV25) which implements 1394-1995 IRM but neither 1394a-2000 IRM nor BM was now found to cause an interoperability bug: - Camcorder becomes root node when plugged in, hence gets IRM role. - firewire-core successfully contends for BM role, proceeds to perform gap count optimization and resets the bus. - Sony camcorder ignores presence of a BM (against the spec, this is a firmware bug), performs its idea of gap count optimization and resets the bus. - Preceding two steps are repeated endlessly, bus never settles, regular I/O is practically impossible. http://thread.gmane.org/gmane.linux.kernel.firewire.user/3913 This is an interoperability regression from the old to the new drivers. Fix it indirectly by adding the 1394a IRM check. The spec suggests three and a half methods to determine 1394a compliance of a remote IRM; we choose the method of testing the Config_ROM.Bus_Info.generation field. This is data that firewire-core should have readily available at this point, i.e. does not require extra I/O. Reported-by: Clemens Ladisch (missing 1394a check) Reported-by: H. S. (issue with Sony DCR-TRV25) Tested-by: H. S. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 2aa342dc19d2949ae23234c5853e8b2371a46649 Author: Tejun Heo Date: Thu Jun 3 11:57:04 2010 +0200 ahci: add pci quirk for JMB362 commit 4daedcfe8c6851aa01cc1997220f2577f4039c13 upstream. JMB362 is a new variant of jmicron controller which is similar to JMB360 but has two SATA ports instead of one. As there is no PATA port, single function AHCI mode can be used as in JMB360. Add pci quirk for JMB362. Signed-off-by: Tejun Heo Reported-by: Aries Lee Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 141a0aa6f43af935e8754178462ea1ebbce12bf5 Author: Bob Copeland Date: Fri Jun 4 08:14:14 2010 -0400 ath5k: retain promiscuous setting commit 6b5dcccb495b66b3b0b9581cdccfed038e5d68a2 upstream. Commit 56d1de0a21db28e41741cfa0a66e18bc8d920554, "ath5k: clean up filter flags setting" introduced a regression in monitor mode such that the promisc filter flag would get lost. Although we set the promisc flag when it changed, we did not preserve it across subsequent calls to configure_filter. This patch restores the original functionality. Bisected-by: weedy2887@gmail.com Tested-by: weedy2887@gmail.com Tested-by: Rick Farina Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9fff6bc91515aa9027e1ca4d37a4754964a6c875 Author: Johannes Berg Date: Mon Jun 7 21:50:07 2010 +0200 mac80211: fix deauth before assoc commit b054b747a694927879c94dd11af54d04346aed7d upstream. When we receive a deauthentication frame before having successfully associated, we neither print a message nor abort assocation. The former makes it hard to debug, while the latter later causes a warning in cfg80211 when, as will typically be the case, association timed out. This warning was reported by many, e.g. in https://bugzilla.kernel.org/show_bug.cgi?id=15981, but I couldn't initially pinpoint it. I verified the fix by hacking hostapd to send a deauth frame instead of an association response. Signed-off-by: Johannes Berg Tested-by: Miles Lane Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cd495841c53fe3ac04578c0711339282bec90ed6 Author: Dominik Brodowski Date: Mon Jun 7 18:31:17 2010 +0200 pcmcia: avoid validate_cis failure on CIS override commit b83156b52dd77979cc93bafc2283929532f6f7d0 upstream. Commit a8408c17 introduced a new check to pccard_validate_cis(), which avoids any "late" calls to this function. This broke the insertion of cards which require a CIS override which changes the number of card functions. Fix this by asserting that this is _not_ a late call, but a proper call early during the card insertion process. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=16138 Reported-by: Mikulas Patocka Signed-off-by: Dominik Brodowski Signed-off-by: Greg Kroah-Hartman commit 91d5e7b11a032cb392bf6332acc23e7e2f0679f3 Author: Dominik Brodowski Date: Fri May 21 15:16:53 2010 +0200 pcmcia: only keep saved I365_CSCINT flag if there is no PCI irq commit 02caa56e4b789b80ae7e0f0f0789f94b44ad32ef upstream. Keeping the saved I365_CSCINT flag around breaks PCMCIA on some system, and is only needed on a few systems to get PCMCIA to work. This patch allows PCMCIA to work on both types, and it fixes https://bugzilla.kernel.org/show_bug.cgi?id=16015 Reported-by: Justin P. Mattock Signed-off-by: Dominik Brodowski Signed-off-by: Greg Kroah-Hartman commit 2b2a3d8b7c699174a642bcbad080767894ce3db2 Author: Julia Lawall Date: Thu May 27 12:31:51 2010 +0200 arch/x86/kernel: Add missing spin_unlock commit 84fe6c19e4a598e8071e3bd1b2c923454eae1268 upstream. Add a spin_unlock missing on the error path. The locks and unlocks are balanced in other functions, so it seems that the same should be the case here. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression E1; @@ * spin_lock(E1,...); <+... when != E1 if (...) { ... when != E1 * return ...; } ...+> * spin_unlock(E1,...); // Signed-off-by: Julia Lawall Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit ec883a3709b76f16853c29e9fc19c699e582a692 Author: Richard Kennedy Date: Thu May 27 10:22:28 2010 +0100 gconfig: fix build failure on fedora 13 commit cbab05f041a4cff6ca15856bdd35238b282b64eb upstream. Making gconfig fails on fedora 13 as the linker cannot resolve dlsym. Adding libdl to the link command fixes this. make shows this error :- /usr/bin/ld: scripts/kconfig/kconfig_load.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' /usr/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line /lib64/libdl.so.2: could not read symbols: Invalid operation tested on x86_64 fedora 13. Signed-off-by: Richard Kennedy Reviewed-by: WANG Cong Signed-off-by: Andrew Morton Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 478fc4e6d2e1622d991619583463eb4def24de60 Author: Paul Mundt Date: Wed Jun 2 17:10:44 2010 +0900 clocksource: sh_cmt: compute mult and shift before registration commit f4d7c3565c1692c54d9152b52090fe73f0029e37 upstream. Based on the sh_tmu change in 66f49121ffa41a19c59965b31b046d8368fec3c7 ("clocksource: sh_tmu: compute mult and shift before registration"). The same issues impact the sh_cmt driver, so we take the same approach here. Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit a214985570a6290d46800fe235f49b2989bfd784 Author: Aurelien Jarno Date: Mon May 31 21:45:48 2010 +0000 clocksource: sh_tmu: compute mult and shift before registration commit 66f49121ffa41a19c59965b31b046d8368fec3c7 upstream. Since commit 98962465ed9e6ea99c38e0af63fe1dcb5a79dc25 ("nohz: Prevent clocksource wrapping during idle"), the CPU of an R2D board never goes to idle. This commit assumes that mult and shift are assigned before the clocksource is registered. As a consequence the safe maximum sleep time is negative and the CPU never goes into idle. This patch fixes the problem by moving mult and shift initialization from sh_tmu_clocksource_enable() to sh_tmu_register_clocksource(). Signed-off-by: Aurelien Jarno Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit fe7f657830d40cc5a21952d7131f0bfdf4aff79d Author: Martin Homuth-Rosemann Date: Mon May 31 22:33:04 2010 +0200 Staging: comedi - correct parameter gainlkup for DAQCard-6024E in driver ni_mio_cs.c commit ebe8622342f12bed387f7de4b5fb7c52005ccb29 upstream. Correct at least one of the incorrect specs for a national instrument data acquisition card DAQCard-6024E. This card has only four different gain settings (+-10V, +-5V, +-0.5V, +-0.05V). Signed-off-by: Martin Homuth-Rosemann Signed-off-by: Greg Kroah-Hartman commit 387767af889d9465ce56bf72ee47c00dd37dad08 Author: Dmitry Torokhov Date: Fri Jun 4 14:14:52 2010 -0700 vmware balloon: clamp number of collected non-balloonable pages commit 55adaa495edc429be84399f83df80dfb7f36598b upstream. Limit number of accumulated non-balloonable pages during inflation cycle, otherwise there is a chance we will be spinning and growing the list forever. This happens during torture tests when balloon target changes while we are in the middle of inflation cycle and monitor starts refusing to lock pages (since they are not needed anymore). Signed-off-by: Dmitry Torokhov Acked-by: Bhavesh Davda Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 997e6f9cc4ccc93dc827fe6ea096f48df179c670 Author: Daniel T Chen Date: Sun May 30 13:08:41 2010 -0400 ALSA: hda: Use LPIB for ASUS M2V commit 9f75c1b12c5ef392ddcea575b13560842c28b1b3 upstream. BugLink: https://launchpad.net/bugs/587546 Symptom: On the reporter's ASUS M2V, using PulseAudio in Ubuntu 10.04 LTS results in the PA daemon crashing shortly after attempting playback of an audio file. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, attempt playback of an audio file while PulseAudio is active. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: D Tangman Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c16a9a71155a34366d0ff3910d950745ae6b4c84 Author: Daniel T Chen Date: Sun May 30 19:31:41 2010 -0400 ALSA: hda: Use LPIB for another mainboard commit b90c076424da8166797bdc34187660fd0124f530 upstream. BugLink: https://launchpad.net/bugs/580749 Symptom: on the original reporter's VIA VT1708-based board, the PulseAudio daemon dies shortly after the user attempts to play an audio file. Test case: boot from Ubuntu 10.04 LTS live cd; attempt to play an audio file. Resolution: add SSID for the original reporter's hardware to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Harald Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9d62bd5676d23bbce6527c77b159e0e4ad2185f8 Author: Daniel T Chen Date: Sun May 30 09:55:23 2010 -0400 ALSA: hda: Use mb31 quirk for an iMac model commit 26fd74fc01991a18f0e3bd54f8b1b75945ee3dbb upstream. BugLink: https://launchpad.net/bugs/542550 Symptom: On the reporter's iMac, in Ubuntu 10.04 LTS neither playback nor capture appear audible out-of-the-box. Test case: Boot from an Ubuntu 10.04 LTS live cd or from an installed configuration and attempt to play or capture audio. Resolution: Specify the mb31 quirk for this machine in the codec SSID table. Reported-and-Tested-By: f3a97 Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 743f8ea44c3cbb8e2a8f032efa2c6e3744c758b9 Author: Daniel T Chen Date: Sun May 30 01:17:03 2010 -0400 ALSA: hda: Use LPIB for an ASUS device commit dd37f8e8659bc617c3f2a84e007a4824ccdac458 upstream. BugLink: https://launchpad.net/bugs/465942 Symptom: On the reporter's ASUS device, using PulseAudio in Ubuntu 10.04 LTS results in the PA daemon crashing shortly after attempting to select capture or to configure the audio hardware profile. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, adjust the HDA device's capture volume with PulseAudio. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Irihapeti Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4cf008cd7473e60fdeea935f0cdb5e493e3164c2 Author: Ian Campbell Date: Tue May 25 10:45:35 2010 +0100 xen: avoid allocation causing potential swap activity on the resume path commit b3831cb55d383e8eb55d3b56c715fb48459b87c9 upstream. Since the device we are resuming could be the device containing the swap device we should ensure that the allocation cannot cause IO. On resume, this path is triggered when the running system tries to continue using its devices. If it cannot then the resume will fail; to try to avoid this we let it dip into the emergency pools. The majority of these changes were made when linux-2.6.18-xen.hg changeset e8b49cfbdac0 was ported upstream in a144ff09bc52ef3f3684ed23eadc9c7c0e57b3aa but somehow this hunk was dropped. Signed-off-by: Ian Campbell Acked-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 410f6abbf04138c8ac7cb1317ef1cf4fdb3a0f3a Author: Ian Campbell Date: Wed May 19 16:19:25 2010 +0100 xen: ensure timer tick is resumed even on CPU driving the resume commit cd52e17ea8278f8449b6174a8e5ed439a2e44ffb upstream. The core suspend/resume code is run from stop_machine on CPU0 but parts of the suspend/resume machinery (including xen_arch_resume) are run on whichever CPU happened to schedule the xenwatch kernel thread. As part of the non-core resume code xen_arch_resume is called in order to restart the timer tick on non-boot processors. The boot processor itself is taken care of by core timekeeping code. xen_arch_resume uses smp_call_function which does not call the given function on the current processor. This means that we can end up with one CPU not receiving timer ticks if the xenwatch thread happened to be scheduled on CPU > 0. Use on_each_cpu instead of smp_call_function to ensure the timer tick is resumed everywhere. Signed-off-by: Ian Campbell Acked-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit b1ec523490b04c0f7e65b64743e03bca10dc60fd Author: Gabor Gombas Date: Mon May 24 12:13:18 2010 -0700 x86, setup: Phoenix BIOS fixup is needed on Dell Inspiron Mini 1012 commit 3d6e77a3ddb8e4156b89f4273ff8c7d37abaf781 upstream. The low-memory corruption checker triggers during suspend/resume, so we need to reserve the low 64k. Don't be fooled that the BIOS identifies itself as "Dell Inc.", it's still Phoenix BIOS. [ hpa: I think we blacklist almost every BIOS in existence. We should either change this to a whitelist or just make it unconditional. ] Signed-off-by: Gabor Gombas LKML-Reference: <201005241913.o4OJDIMM010877@imap1.linux-foundation.org> Signed-off-by: Andrew Morton Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 4b85622825dc6840081f5312450b16c903966d74 Author: Jiri Kosina Date: Wed May 26 14:43:53 2010 -0700 ipmi: handle run_to_completion properly in deliver_recv_msg() commit a747c5abc329611220f16df0bb4cf0ca4a7fdf0c upstream. If run_to_completion flag is set, it means that we are running in a single-threaded mode, and thus no locks are held. This fixes a deadlock when IPMI notifier is being called during panic. Signed-off-by: Jiri Kosina Acked-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f49f5fa23366903b7a2c92545db3ee629958778f Author: Jeff Moyer Date: Wed May 26 11:49:40 2010 -0400 do_generic_file_read: clear page errors when issuing a fresh read of the page commit 91803b499cca2fe558abad709ce83dc896b80950 upstream. I/O errors can happen due to temporary failures, like multipath errors or losing network contact with the iSCSI server. Because of that, the VM will retry readpage on the page. However, do_generic_file_read does not clear PG_error. This causes the system to be unable to actually use the data in the page cache page, even if the subsequent readpage completes successfully! The function filemap_fault has had a ClearPageError before readpage forever. This patch simply adds the same to do_generic_file_read. Signed-off-by: Jeff Moyer Signed-off-by: Rik van Riel Acked-by: Larry Woodman Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fa31d3fc1debc200bf66240519e77aac606d40fa Author: Heiko Carstens Date: Fri Jun 4 14:14:47 2010 -0700 fs/compat_rw_copy_check_uvector: add missing compat_ptr call commit 7cbe17701a0379c7b05a79a6df4f24e41d2afde8 upstream. A call to access_ok is missing a compat_ptr conversion. Introduced with b83733639a494d5f42fa00a2506563fbd2d3015d "compat: factor out compat_rw_copy_check_uvector from compat_do_readv_writev" fs/compat.c: In function 'compat_rw_copy_check_uvector': fs/compat.c:629: warning: passing argument 1 of '__access_ok' makes pointer from integer without a cast Signed-off-by: Heiko Carstens Reviewed-by: Jeff Moyer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fed3ff43e1c970cc7de6f32f795f515d4645e2a0 Author: Jeff Moyer Date: Wed May 26 14:44:25 2010 -0700 compat: factor out compat_rw_copy_check_uvector from compat_do_readv_writev commit b83733639a494d5f42fa00a2506563fbd2d3015d upstream. It was reported in http://lkml.org/lkml/2010/3/8/309 that 32 bit readv and writev AIO operations were not functioning properly. It turns out that the code to convert the 32bit io vectors to 64 bits was never written. The results of that can be pretty bad, but in my testing, it mostly ended up in generating EFAULT as we walked off the list of I/O vectors provided. This patch set fixes the problem in my environment. are greatly appreciated. This patch: Factor out code that will be used by both compat_do_readv_writev and the compat aio submission code paths. Signed-off-by: Jeff Moyer Reported-by: Michael Tokarev Cc: Zach Brown Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d3eac299ed6b90f8e670a28cac3b41db9db903f9 Author: Oleg Nesterov Date: Wed May 26 14:42:54 2010 -0700 signals: check_kill_permission(): don't check creds if same_thread_group() commit 065add3941bdca54fe04ed3471a96bce9af88793 upstream. Andrew Tridgell reports that aio_read(SIGEV_SIGNAL) can fail if the notification from the helper thread races with setresuid(), see http://samba.org/~tridge/junkcode/aio_uid.c This happens because check_kill_permission() doesn't permit sending a signal to the task with the different cred->xids. But there is not any security reason to check ->cred's when the task sends a signal (private or group-wide) to its sub-thread. Whatever we do, any thread can bypass all security checks and send SIGKILL to all threads, or it can block a signal SIG and do kill(gettid(), SIG) to deliver this signal to another sub-thread. Not to mention that CLONE_THREAD implies CLONE_VM. Change check_kill_permission() to avoid the credentials check when the sender and the target are from the same thread group. Also, move "cred = current_cred()" down to avoid calling get_current() twice. Note: David Howells pointed out we could relax this even more, the CLONE_SIGHAND (without CLONE_THREAD) case probably does not need these checks too. Roland said: : The glibc (libpthread) that does set*id across threads has : been in use for a while (2.3.4?), probably in distro's using kernels as old : or older than any active -stable streams. In the race in question, this : kernel bug is breaking valid POSIX application expectations. Reported-by: Andrew Tridgell Signed-off-by: Oleg Nesterov Acked-by: Roland McGrath Acked-by: David Howells Cc: Eric Paris Cc: Jakub Jelinek Cc: James Morris Cc: Roland McGrath Cc: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f2ee4d37384b0813d0e59c17253d2caf9a3b467a Author: Ira W. Snyder Date: Thu May 27 19:59:02 2010 +0200 hwmon: (ltc4245) Read only one GPIO pin commit df16dd53c575d0cb9dbee20a3149927c862a9ff6 upstream. Read only one of the GPIO pins as an analog voltage. The ADC can be switched to a different GPIO pin at runtime, but this is not supported. Previously, this driver would report the analog voltage of the currently selected GPIO pin as all three GPIO voltages: in9_input, in10_input and in11_input. Signed-off-by: Ira W. Snyder Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 68b99fb8e1e21209c9cad878e99947613e445777 Author: Alexander Duyck Date: Fri May 21 14:41:35 2010 -0700 slub: move kmem_cache_node into it's own cacheline commit 73367bd8eef4f4eb311005886aaa916013073265 upstream. This patch is meant to improve the performance of SLUB by moving the local kmem_cache_node lock into it's own cacheline separate from kmem_cache. This is accomplished by simply removing the local_node when NUMA is enabled. On my system with 2 nodes I saw around a 5% performance increase w/ hackbench times dropping from 6.2 seconds to 5.9 seconds on average. I suspect the performance gain would increase as the number of nodes increases, but I do not have the data to currently back that up. Bugzilla-Reference: http://bugzilla.kernel.org/show_bug.cgi?id=15713 Reported-by: Alex Shi Tested-by: Alex Shi Acked-by: Yanmin Zhang Acked-by: Christoph Lameter Signed-off-by: Alexander Duyck Signed-off-by: Pekka Enberg Signed-off-by: Greg Kroah-Hartman commit 0d28a228f4fc8d88deaafa4c284385271a84da5c Author: Christoph Lameter Date: Thu May 27 09:17:17 2010 -0500 SLUB: Allow full duplication of kmalloc array for 390 commit 0f1f694260e0d35b5ce7d471f6e679c3dd4d7d94 upstream. Commit 756dee75872a2a764b478e18076360b8a4ec9045 ("SLUB: Get rid of dynamic DMA kmalloc cache allocation") makes S390 run out of kmalloc caches. Increase the number of kmalloc caches to a safe size. Reported-by: Heiko Carstens Tested-by: Heiko Carstens Signed-off-by: Christoph Lameter Signed-off-by: Pekka Enberg Signed-off-by: Greg Kroah-Hartman commit 6ea0fa89ee0537613d2c912796257623f226c037 Author: Dave Airlie Date: Sat May 29 06:50:37 2010 +1000 drm/radeon: fix the r100/r200 ums block 0 page fix commit cf22f20ade30f8c03955324aaf27b1049e182600 upstream. airlied -> brown paper bag. I blame Hi-5 or the Wiggles for lowering my IQ, move the fix inside some brackets instead of breaking everything in site. Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 854d0b6ecd5bbd09486493132a3d8a983d7b29c5 Author: Mark Brown Date: Tue May 25 10:49:00 2010 -0700 ASoC: Fix dB scales for WM8990 commit f68596c6d8711650722b2a54328a088a2c21bc5b upstream. These should be regular, not linear. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 6868ebe0350b78616e9c0f53ffcfb4a57eb6d742 Author: Mark Brown Date: Tue May 25 10:48:31 2010 -0700 ASoC: Fix dB scales for WM8400 commit 3351e9fbb0fda6498ee149ee88c67f5849813c57 upstream. These scales should be regular, not linear. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 19c83a4c2b48128d40e887ff11f8a82de122e0ea Author: Mark Brown Date: Tue May 25 10:46:05 2010 -0700 ASoC: Fix dB scales for WM835x commit e6a08c5a8990102bcd1f4bae84b668da6c23caa9 upstream. These should be regular rather than linear scales. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit f924225ca4d8b8bb24e9f8c6495000f42c375623 Author: Stuart Longland Date: Sat May 22 22:01:25 2010 +1000 ASoC: Update Freescale i.MX SSI driver DMA parameter handling commit e2b3e622b259e62aa2450a25f1c20cca1bfdc81e upstream. This updates the i.MX SSI driver to make it compatible with the ASoC tree following the move of DMA parameters from the DAI to the audio substream object. Signed-off-by: Stuart Longland Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit f9e1801acb7b3be613ee0f1ae263e4134deefce8 Author: Imre Deak Date: Wed May 26 14:43:38 2010 -0700 idr: fix backtrack logic in idr_remove_all commit 2dcb22b346be7b7b7e630a8970d69cf3f1111ec1 upstream. Currently idr_remove_all will fail with a use after free error if idr::layers is bigger than 2, which on 32 bit systems corresponds to items more than 1024. This is due to stepping back too many levels during backtracking. For simplicity let's assume that IDR_BITS=1 -> we have 2 nodes at each level below the root node and each leaf node stores two IDs. (In reality for 32 bit systems IDR_BITS=5, with 32 nodes at each sub-root level and 32 IDs in each leaf node). The sequence of freeing the nodes at the moment is as follows: layer 1 -> a(7) 2 -> b(3) c(5) 3 -> d(1) e(2) f(4) g(6) Until step 4 things go fine, but then node c is freed, whereas node g should be freed first. Since node c contains the pointer to node g we'll have a use after free error at step 6. How many levels we step back after visiting the leaf nodes is currently determined by the msb of the id we are currently visiting: Step 1. node d with IDs 0,1 is freed, current ID is advanced to 2. msb of the current ID bit 1. This means we need to step back 1 level to node b and take the next sibling, node e. 2-3. node e with IDs 2,3 is freed, current ID is 4, msb is bit 2. This means we need to step back 2 levels to node a, freeing node b on the way. 4-5. node f with IDs 4,5 is freed, current ID is 6, msb is still bit 2. This means we again need to step back 2 levels to node a and free c on the way. 6. We should visit node g, but its pointer is not available as node c was freed. The fix changes how we determine the number of levels to step back. Instead of deducting this merely from the msb of the current ID, we should really check if advancing the ID causes an overflow to a bit position corresponding to a given layer. In the above example overflow from bit 0 to bit 1 should mean stepping back 1 level. Overflow from bit 1 to bit 2 should mean stepping back 2 levels and so on. The fix was tested with IDs up to 1 << 20, which corresponds to 4 layers on 32 bit systems. Signed-off-by: Imre Deak Reviewed-by: Tejun Heo Cc: Eric Paris Cc: "Paul E. McKenney" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 64857a8ea697a9813bceb43f108a19c832215c8f Author: Jeff Moyer Date: Wed May 26 14:44:26 2010 -0700 aio: fix the compat vectored operations commit 9d85cba718efeef9ca00ce3f7f34f5880737aa9b upstream. The aio compat code was not converting the struct iovecs from 32bit to 64bit pointers, causing either EINVAL to be returned from io_getevents, or EFAULT as the result of the I/O. This patch passes a compat flag to io_submit to signal that pointer conversion is necessary for a given iocb array. A variant of this was tested by Michael Tokarev. I have also updated the libaio test harness to exercise this code path with good success. Further, I grabbed a copy of ltp and ran the testcases/kernel/syscall/readv and writev tests there (compiled with -m32 on my 64bit system). All seems happy, but extra eyes on this would be welcome. [akpm@linux-foundation.org: coding-style fixes] [akpm@linux-foundation.org: fix CONFIG_COMPAT=n build] Signed-off-by: Jeff Moyer Reported-by: Michael Tokarev Cc: Zach Brown Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 693b478a85a8732c4a76ad3c188be928a08eda68 Author: Russell King Date: Thu May 27 08:23:29 2010 +0100 ARM: VFP: Fix vfp_put_double() for d16-d31 commit 138de1c44a8e0606501cd8593407e9248e84f1b7 upstream. vfp_put_double() takes the double value in r0,r1 not r1,r2. Reported-by: Tarun Kanti DebBarma Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit df5fe92090f87b7bbaa3c849f1f085f157acdecf Author: Linus Walleij Date: Wed May 26 07:37:57 2010 +0100 ARM: 6144/1: TCM memory bug freeing bug commit ea208f646c8fb91c39c852e952fc911e1ad045ab upstream. This fixes a bug in mm/init.c when freeing the TCM compile memory, this was being referred to as a char * which is incorrect: this will dereference the pointer and feed in the value at the location instead of the address to it. Change it to a plain char and use &(char) to reference it. Signed-off-by: Linus Walleij Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit f4faf6a2dfda56e75b5949a437bc30a92ab6272a Author: Marek Vašut Date: Wed May 26 23:53:09 2010 +0100 ARM: 6146/1: sa1111: Prevent deadlock in resume path commit 3defb2476166445982a90c12d33f8947e75476c4 upstream. This patch reorganises the sa1111_resume() function in a manner the spinlock happens after calling the sa1111_wake(). This fixes two bugs: 1) This function called sa1111_wake() which tried to claim the same spinlock the sa1111_resume() already claimed. This would result in certain deadlock. Original idea for this part: Russell King 2) The function didn't unlock the spinlock in case the chip didn't report correct ID. Original idea for this part: Julia Lawall Signed-off-by: Marek Vasut Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 2334682accfd74ed34841ecafcd9c39051293904 Author: Khem Raj Date: Fri Jun 4 04:05:15 2010 +0100 ARM: 6164/1: Add kto and kfrom to input operands list. commit 9a40ac86152c9cffd3dca482a15ddf9a8c5716b3 upstream. When functions incoming parameters are not in input operands list gcc 4.5 does not load the parameters into registers before calling this function but the inline assembly assumes valid addresses inside this function. This breaks the code because r0 and r1 are invalid when execution enters v4wb_copy_user_page () Also the constant needs to be used as third input operand so account for that as well. Tested on qemu arm. Signed-off-by: Khem Raj Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 377b26e45229ed74ecad3ff9a8677bf420d50328 Author: Anfei Date: Tue Jun 8 15:16:49 2010 +0100 ARM: 6166/1: Proper prefetch abort handling on pre-ARMv6 commit 5e27fb78df95e027723af2c90ecc9b4527ae59e9 upstream. Instruction faults on pre-ARMv6 CPUs are interpreted as a 'translation fault', but do_translation_fault doesn't handle well if user mode trying to run instruction above TASK_SIZE, and result in the infinite retry of that instruction. Signed-off-by: Anfei Zhou Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit c5944f7cd7c13d8be74d0a811a28e59510729c20 Author: Santosh Shilimkar Date: Thu May 20 08:33:38 2010 +0100 ARM: 6139/1: ARMv7: Use the Inner Shareable I-cache on MP commit a901ff715d53c109821cbbd9d7ea1f2a311646a9 upstream. This patch fixes the flush_cache_all for ARMv7 SMP.It was missing from commit b8349b569aae661dea9d59d7d2ee587ccea3336c Signed-off-by: Santosh Shilimkar Acked-by: Catalin Marinas Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 00428967a0539a7fe594fd75dbc2cd8330883d42 Author: Sebastien Dugue Date: Thu May 20 15:58:22 2010 -0700 mlx4_core: Fix possible chunk sg list overflow in mlx4_alloc_icm() commit c0dc72bad9cf21071f5e4005de46f7c8b67a138a upstream. If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN, we must set chunk to NULL even for coherent mappings so that the next time through the loop will allocate another chunk. Otherwise we'll overflow the sg list the next time through the loop. This will lead to memory corruption if this case is hit. mthca does not have this bug. Signed-off-by: Sebastien Dugue Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit da7d96769c18cdf526b7c0da973fcd60cb925e57 Author: NeilBrown Date: Wed Apr 14 17:15:37 2010 +1000 md: manage redundancy group in sysfs when changing level. commit a64c876fd357906a1f7193723866562ad290654c upstream. Some levels expect the 'redundancy group' to be present, others don't. So when we change level of an array we might need to add or remove this group. This requires fixing up the current practice of overloading ->private to indicate (when ->pers == NULL) that something needs to be removed. So create a new ->to_remove to fill that role. When changing levels, we may need to add or remove attributes. When changing RAID5 -> RAID6, we both add and remove the same thing. It is important to catch this and optimise it out as the removal is delayed until a lock is released, so trying to add immediately would cause problems. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 3bbcbb8c48b2e8e7afa7795161807c1a43b7c02c Author: KOSAKI Motohiro Date: Mon May 24 14:31:48 2010 -0700 tmpfs: insert tmpfs cache pages to inactive list at first commit e9d6c157385e4efa61cb8293e425c9d8beba70d3 upstream. Shaohua Li reported parallel file copy on tmpfs can lead to OOM killer. This is regression of caused by commit 9ff473b9a7 ("vmscan: evict streaming IO first"). Wow, It is 2 years old patch! Currently, tmpfs file cache is inserted active list at first. This means that the insertion doesn't only increase numbers of pages in anon LRU, but it also reduces anon scanning ratio. Therefore, vmscan will get totally confused. It scans almost only file LRU even though the system has plenty unused tmpfs pages. Historically, lru_cache_add_active_anon() was used for two reasons. 1) Intend to priotize shmem page rather than regular file cache. 2) Intend to avoid reclaim priority inversion of used once pages. But we've lost both motivation because (1) Now we have separate anon and file LRU list. then, to insert active list doesn't help such priotize. (2) In past, one pte access bit will cause page activation. then to insert inactive list with pte access bit mean higher priority than to insert active list. Its priority inversion may lead to uninteded lru chun. but it was already solved by commit 645747462 (vmscan: detect mapped file pages used only once). (Thanks Hannes, you are great!) Thus, now we can use lru_cache_add_anon() instead. Signed-off-by: KOSAKI Motohiro Reported-by: Shaohua Li Reviewed-by: Wu Fengguang Reviewed-by: Johannes Weiner Reviewed-by: Rik van Riel Reviewed-by: Minchan Kim Acked-by: Hugh Dickins Cc: Henrique de Moraes Holschuh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6e9fe9b3f0408bb6b54873c00e7182513f55490b Author: FUJITA Tomonori Date: Wed May 19 23:21:38 2010 -0400 Blackfin: set ARCH_KMALLOC_MINALIGN commit 76b99699a2bbf9efdb578f9a38a202af2ecb354b upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Acked-by: Pekka Enberg Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 91cb08a13af6c60db3349e533472cc9fce2c11c8 Author: FUJITA Tomonori Date: Mon May 24 14:31:45 2010 -0700 xtensa: set ARCH_KMALLOC_MINALIGN commit 498900fc9cd1adbad1ba6b55ed9d8f2f5d655ca3 upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Cc: Chris Zankel Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4c99316b2a5e3c5d0dac0242771f0cde5baaf2d3 Author: FUJITA Tomonori Date: Mon May 24 14:32:54 2010 -0700 frv: set ARCH_KMALLOC_MINALIGN commit 69dcf3db03626c4f18de624e8632454ea12ff260 upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Acked-by: David Howells Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a5c4932d91d8de2cd44c017da7c44d4c559758e2 Author: Maurus Cuelenaere Date: Fri Jun 4 14:14:44 2010 -0700 rtc: s3c: initialize driver data before using it commit e893de59a4982791368b3ce412bc67dd601a88a0 upstream. s3c_rtc_setfreq() uses the platform driver data to derive struct rtc_device, so make sure drvdata is set _before_ s3c_rtc_setfreq() is called. Signed-off-by: Maurus Cuelenaere Cc: Paul Gortmaker Cc: Alessandro Zummo Cc: Maurus Cuelenaere Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2055e229ab71c4e7533a576cb428d9e94675e828 Author: Dan Carpenter Date: Mon May 24 14:33:49 2010 -0700 rtc-cmos: do dev_set_drvdata() earlier in the initialization commit 6ba8bcd457d9fc793ac9435aa2e4138f571d4ec5 upstream. The bug is an oops when dev_get_drvdata() returned null in cmos_update_irq_enable(). The call tree looks like this: rtc_dev_ioctl() => rtc_update_irq_enable() => cmos_update_irq_enable() It's caused by a race condition in the module initialization. It is rtc_device_register() which makes the ioctl operations live so I moved the call to dev_set_drvdata() before the call to rtc_device_register(). Addresses https://bugzilla.kernel.org/show_bug.cgi?id=15963 Reported-by: Randy Dunlap Signed-off-by: Dan Carpenter Tested-by: Randy Dunlap Cc: Alessandro Zummo Cc: Paul Gortmaker Cc: Malte Schroder Cc: Ralf Baechle Cc: Herton Ronaldo Krzesinski Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b87004da4e3afef8ec75fa8357cc32ef6d105403 Author: FUJITA Tomonori Date: Sun May 23 19:38:14 2010 +0200 m68k: set ARCH_KMALLOC_MINALIGN commit dd6c26a66bdc629a500174ffe73b010b070b9f1b upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Cc: Geert Uytterhoeven Cc: Roman Zippel Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit 3a7faef555a4b9cbd534c680628f4fd6cc3c29b1 Author: Greg Ungerer Date: Mon May 24 14:32:55 2010 -0700 m68knommu: fix broken use of BUAD_TABLE_SIZE in 68328serial driver commit e9a137cb00d8b0f71c08a9e67d993f53e7713d21 upstream. Commit 8b505ca8e2600eb9e7dd2d6b2682a81717671374 ("serial: 68328serial.c: remove BAUD_TABLE_SIZE macro") misses one use of BAUD_TABLE_SIZE. So the resulting 68328serial.c does not compile: drivers/serial/68328serial.c: In function `m68328_console_setup': drivers/serial/68328serial.c:1439: error: `BAUD_TABLE_SIZE' undeclared (first use in this function) drivers/serial/68328serial.c:1439: error: (Each undeclared identifier is reported only once drivers/serial/68328serial.c:1439: error: for each function it appears in.) Fix that last use of it. Signed-off-by: Greg Ungerer Cc: Thiago Farina Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c7f523cf4dbc9135487a709798561b4220e1ed12 Author: FUJITA Tomonori Date: Mon May 24 14:32:58 2010 -0700 mn10300: set ARCH_KMALLOC_MINALIGN commit 6cdafaae41d52e6ef9a5c5be23602ef083e4d0f9 upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Acked-by: David Howells Cc: Koichi Yasutake Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c5de38e352c6ac876d7603557adf94d0c696c501 Author: Dan Carpenter Date: Fri May 7 11:05:33 2010 +0200 exofs: confusion between kmap() and kmap_atomic() api commit ddf08f4b90a413892bbb9bb2e8a57aed991cd47d upstream. For kmap_atomic() we call kunmap_atomic() on the returned pointer. That's different from kmap() and kunmap() and so it's easy to get them backwards. Signed-off-by: Dan Carpenter Signed-off-by: Boaz Harrosh Signed-off-by: Greg Kroah-Hartman commit c90680089207aee709b188e00112cd8815056114 Author: Al Viro Date: Fri May 21 16:11:04 2010 -0400 clean DCACHE_CANT_MOUNT in d_delete() commit 13e3c5e5b9c67e59074d24e29f3ff794bb4dfef0 upstream. We set the "it's dead, don't mount on it" flag _and_ do not remove it if we turn the damn thing negative and leave it around. And if it goes positive afterwards, well... Fortunately, there's only one place where that needs to be caught: only d_delete() can turn the sucker negative without immediately freeing it; all other places that can lead to ->d_iput() call are followed by unconditionally freeing struct dentry in question. So the fix is obvious: Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16014 Reported-by: Adam Tkac Tested-by: Adam Tkac Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 812dd8968c6804e2b4908318b8936a13e6070208 Author: Randy Dunlap Date: Fri May 7 11:24:11 2010 -0700 eeepc-wmi: depends on BACKLIGHT_CLASS_DEVICE commit 89a7644be2c59eea443b0db2514fd42d5de909f8 upstream. eeepc-wmi uses backlight*() interfaces so it should depend on BACKLIGHT_CLASS_DEVICE. eeepc-wmi.c:(.text+0x2d7f54): undefined reference to `backlight_force_update' eeepc-wmi.c:(.text+0x2d8012): undefined reference to `backlight_device_register' eeepc-wmi.c:(.devinit.text+0x1c31c): undefined reference to `backlight_device_unregister' eeepc-wmi.c:(.devexit.text+0x2f8b): undefined reference to `backlight_device_unregister' Signed-off-by: Randy Dunlap Signed-off-by: Greg Kroah-Hartman commit d3c0c33429f930d2934fa7597e874306c07521f2 Author: Joerg Roedel Date: Mon May 31 15:05:20 2010 +0200 x86/amd-iommu: Fall back to GART if initialization fails commit d7f0776975334070a93370ae048fda0c31a91c38 upstream. This patch implements a fallback to the GART IOMMU if this is possible and the AMD IOMMU initialization failed. Otherwise the fallback would be nommu which is very problematic on machines with more than 4GB of memory or swiotlb which hurts io-performance. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit fdb4f05da375cad6e74a6ba5d07dbb7a97d5c8c7 Author: Joerg Roedel Date: Fri May 28 14:26:48 2010 +0200 x86/amd-iommu: Fix crash when request_mem_region fails commit e82752d8b5a7e0a5e4d607fd8713549e2a4e2741 upstream. When request_mem_region fails the error path tries to disable the IOMMUs. This accesses the mmio-region which was not allocated leading to a kernel crash. This patch fixes the issue. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 65aa78d8d9621fb72bbf37a25a7bb1cc745ec171 Author: Dan Williams Date: Wed May 12 08:25:37 2010 +1000 md: set mddev readonly flag on blkdev BLKROSET ioctl commit e2218350465e7e0931676b4849b594c978437bce upstream. When the user sets the block device to readwrite then the mddev should follow suit. Otherwise, the BUG_ON in md_write_start() will be set to trigger. The reverse direction, setting mddev->ro to match a set readonly request, can be ignored because the blkdev level readonly flag precludes the need to have mddev->ro set correctly. Nevermind the fact that setting mddev->ro to 1 may fail if the array is in use. Signed-off-by: Dan Williams Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 82f2fa7b6f147ab16273f052a85c9ccb628d055d Author: NeilBrown Date: Thu Apr 15 10:13:47 2010 +1000 md: remove unneeded sysfs files more promptly commit b6eb127d274385d81ce8dd45c98190f097bce1b4 upstream. When an array is stopped we need to remove some sysfs files which are dependent on the type of array. We need to delay that deletion as deleting them while holding reconfig_mutex can lead to deadlocks. We currently delay them until the array is completely destroyed. However it is possible to deactivate and then reactivate the array. It is also possible to need to remove sysfs files when changing level, which can potentially happen several times before an array is destroyed. So we need to delete these files more promptly: as soon as reconfig_mutex is dropped. We need to ensure this happens before do_md_run can restart the array, so we use open_mutex for some extra locking. This is not deadlock prone. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 784400c5bf5ded58e79d935e9d2ddc989ba4fb30 Author: NeilBrown Date: Mon May 17 11:27:00 2010 +1000 md/linear: avoid possible oops and array stop commit ef2f80ff7325b2c1888ff02ead28957b5840bf51 upstream. Since commit ef286f6fa673cd7fb367e1b145069d8dbfcc6081 it has been important that each personality clears ->private in the ->stop() function, or sets it to a attribute group to be removed. linear.c doesn't. This can sometimes lead to an oops, though it doesn't always. Suitable for 2.6.33-stable and 2.6.34. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit cc620515a522a1914962ba11ce99b6157f918b21 Author: NeilBrown Date: Sat May 8 08:20:17 2010 +1000 md: Fix read balancing in RAID1 and RAID10 on drives > 2TB commit af3a2cd6b8a479345786e7fe5e199ad2f6240e56 upstream. read_balance uses a "unsigned long" for a sector number which will get truncated beyond 2TB. This will cause read-balancing to be non-optimal, and can cause data to be read from the 'wrong' branch during a resync. This has a very small chance of returning wrong data. Reported-by: Jordan Russell Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 7ab3fe4e7c100910f4d000814efcb1d85affdc01 Author: NeilBrown Date: Tue May 18 15:27:13 2010 +1000 md/raid1: fix counting of write targets. commit 964147d5c86d63be79b442c30f3783d49860c078 upstream. There is a very small race window when writing to a RAID1 such that if a device is marked faulty at exactly the wrong time, the write-in-progress will not be sent to the device, but the bitmap (if present) will be updated to say that the write was sent. Then if the device turned out to still be usable as was re-added to the array, the bitmap-based-resync would skip resyncing that block, possibly leading to corruption. This would only be a problem if no further writes were issued to that area of the device (i.e. that bitmap chunk). Suitable for any pending -stable kernel. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit ff021ea1d801d155ce2ee1f9c867f1ced59ef4ab Author: Jens Axboe Date: Mon May 17 12:51:03 2010 +0200 writeback: disable periodic old data writeback for !dirty_writeback_centisecs commit 69b62d01ec44fe0d505d89917392347732135a4d upstream. Prior to 2.6.32, setting /proc/sys/vm/dirty_writeback_centisecs disabled periodic dirty writeback from kupdate. This got broken and now causes excessive sys CPU usage if set to zero, as we'll keep beating on schedule(). Reported-by: Justin Maggard Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e0d3a4aeaff41e8cac4fc416fda9978610ff9f91 Author: Denis Kirjanov Date: Tue Jun 1 15:43:34 2010 -0400 powerpc/oprofile: fix potential buffer overrun in op_model_cell.c commit 238c1a78c957f3dc7cb848b161dcf4805793ed56 upstream. Fix potential initial_lfsr buffer overrun. Writing past the end of the buffer could happen when index == ENTRIES Signed-off-by: Denis Kirjanov Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit b8504b8d34bf036b952c3f3b0f5cd5864d5f42e5 Author: Kumar Gala Date: Thu May 13 14:38:21 2010 -0500 powerpc/fsl-booke: Move loadcam_entry back to asm code to fix SMP ftrace commit 78f622377f7d31d988db350a43c5689dd5f31876 upstream. When we build with ftrace enabled its possible that loadcam_entry would have used the stack pointer (even though the code doesn't need it). We call loadcam_entry in __secondary_start before the stack is setup. To ensure that loadcam_entry doesn't use the stack pointer the easiest solution is to just have it in asm code. Signed-off-by: Kumar Gala Signed-off-by: Greg Kroah-Hartman commit 88693deb5838c3e0c69e03791ef7361ca77c8043 Author: Li Yang Date: Fri May 7 16:38:34 2010 +0800 powerpc/fsl-booke: Fix InstructionTLBError execute permission check commit 78e2e68a2b79f394b7cd61e07987a8a89af907f7 upstream. In CONFIG_PTE_64BIT the PTE format has unique permission bits for user and supervisor execute. However on !CONFIG_PTE_64BIT we overload the supervisor bit to imply user execute with _PAGE_USER set. This allows us to use the same permission check mask for user or supervisor code on !CONFIG_PTE_64BIT. However, on CONFIG_PTE_64BIT we map _PAGE_EXEC to _PAGE_BAP_UX so we need a different permission mask based on the fault coming from a kernel address or user space. Without unique permission masks we see issues like the following with modules: Unable to handle kernel paging request for instruction fetch Faulting instruction address: 0xf938d040 Oops: Kernel access of bad area, sig: 11 [#1] Signed-off-by: Li Yang Signed-off-by: Jin Qing Signed-off-by: Kumar Gala Signed-off-by: Greg Kroah-Hartman commit 71f530c0cbe1d180d527ef4dec4013e8bcee37c3 Author: Benjamin Herrenschmidt Date: Wed Apr 7 14:39:36 2010 +1000 powerpc: Fix ioremap_flags() with book3e pte definition commit 55052eeca6d71d76f7c3f156c0501814d8e5e6d3 upstream. We can't just clear the user read permission in book3e pte, because that will also clear supervisor read permission. This surely isn't desired. Fix the problem by adding the supervisor read back. BenH: Slightly simplified the ifdef and applied to ppc64 too Signed-off-by: Li Yang Signed-off-by: Benjamin Herrenschmidt Cc: Kumar Gala Signed-off-by: Greg Kroah-Hartman commit f7055d7153c523b65848e08ed7f8f27071d03730 Author: Michael Neuling Date: Wed Apr 28 13:39:41 2010 +0000 powerpc/pseries: Make query_cpu_stopped callable outside hotplug cpu commit f8b67691828321f5c85bb853283aa101ae673130 upstream. This moves query_cpu_stopped() out of the hotplug cpu code and into smp.c so it can called in other places and renames it to smp_query_cpu_stopped(). It also cleans up the return values by adding some #defines Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 580506f5514735aa4e6b0d8f8f0dc7db7dcd4044 Author: Michael Neuling Date: Wed Apr 28 13:39:41 2010 +0000 powerpc/pseries: Only call start-cpu when a CPU is stopped commit aef40e87d866355ffd279ab21021de733242d0d5 upstream. Currently we always call start-cpu irrespective of if the CPU is stopped or not. Unfortunatley on POWER7, firmware seems to not like start-cpu being called when a cpu already been started. This was not the case on POWER6 and earlier. This patch checks to see if the CPU is stopped or not via an query-cpu-stopped-state call, and only calls start-cpu on CPUs which are stopped. This fixes a bug with kexec on POWER7 on PHYP where only the primary thread would make it to the second kernel. Reported-by: Ankita Garg Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 875a8e03ec3a1ad083a6b308ce993710c5c54f0c Author: Jeff Mahoney Date: Wed Mar 17 10:55:51 2010 +0000 powerpc: Fix handling of strncmp with zero len commit 637a99022fb119b90fb281715d13172f0394fc12 upstream. Commit 0119536c, which added the assembly version of strncmp to powerpc, mentions that it adds two instructions to the version from boot/string.S to allow it to handle len=0. Unfortunately, it doesn't always return 0 when that is the case. The length is passed in r5, but the return value is passed back in r3. In certain cases, this will happen to work. Otherwise it will pass back the address of the first string as the return value. This patch lifts the len <= 0 handling code from memcpy to handle that case. Reported by: Christian_Sellars@symantec.com Signed-off-by: Jeff Mahoney Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 9f819608412a8195c82ea8fb94b5755346f1b4ac Author: Jerome Glisse Date: Fri May 21 18:48:54 2010 +0200 drm/radeon/kms: release AGP bridge at suspend commit 10b06122afcc78468bd1d009633cb71e528acdc5 upstream. I think it's good to release the AGP bridge at suspend and reacquire it at resume. Also fix : https://bugzilla.kernel.org/show_bug.cgi?id=15969 Signed-off-by: Jerome Glisse Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit fa65f3700588e69384cc5145675a7fda68361bb0 Author: Alex Deucher Date: Tue May 18 00:23:15 2010 -0400 drm/radeon/kms/atom: fix typo in LVDS panel info parsing commit 1ff26a3604d0292988d4cade0e49ba9918dbfd46 upstream. Fixes LVDS issues on some laptops; notably laptops with 2048x1536 panels. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit c004db95b6bf09f9d1ad3c88bc15102dafe711a1 Author: Alex Deucher Date: Tue May 18 19:26:46 2010 -0400 drm/radeon/kms: reset ddc_bus in object header parsing commit 2bfcc0fc698d550689ef020c73b2d977b73e728c upstream. Some LVDS connectors don't have a ddc bus, so reset the ddc bus to invalid before parsing the next connector to avoid using stale ddc bus data. Should fix fdo bug 28164. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 80473a09d4b7341ea6188d05664f72a920e21e89 Author: Adam Jackson Date: Thu May 13 14:55:28 2010 -0400 drm/edid: Fix 1024x768@85Hz commit 61dd98fad58f945ed720ba132681acb58fcee015 upstream. Having hsync both start and end on pixel 1072 ain't gonna work very well. Matches the X server's list. Signed-off-by: Adam Jackson Tested-By: Michael Tokarev Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit ab988002ba552efb47b3e5681a847de1216318de Author: Alex Deucher Date: Thu May 20 11:26:11 2010 -0400 drm/radeon/kms: don't default display priority to high on rs4xx commit 45737447ed160faaba036c0709226bf9057f7b72 upstream. Seems to cause issues with the sound hardware. Fixes kernel bug 15982: https://bugzilla.kernel.org/show_bug.cgi?id=15982 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 56860aa3af1c89f6d640653905be72b7b293521f Author: Ben Hutchings Date: Sun May 16 02:28:49 2010 +0100 PCI: Disable MSI for MCP55 on P5N32-E SLI commit e4146bb9088c01c8b6e82be11f0c371f8aff023c upstream. As reported in , MSI appears to be broken for this on-board device. We already have a quirk for the P5N32-SLI Premium; extend it to cover both variants of the board. Reported-by: Romain DEGEZ Signed-off-by: Ben Hutchings Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 1ccdd27a0e7a1a05c7a925bdadbfd3f275f9d645 Author: Alex Deucher Date: Tue May 18 10:42:53 2010 -0400 PCI quirks: disable msi on AMD rs4xx internal gfx bridges commit 9313ff450400e6a2ab10fe6b9bdb12a828329410 upstream. Doesn't work reliably for internal gfx. Fixes kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=15626. Signed-off-by: Alex Deucher Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 0640b3e3c65a1a52fb233bacc13959f32faba279 Author: Oliver Hartkopp Date: Tue May 18 14:03:10 2010 -0700 can: Fix SJA1000 command register writes on SMP systems commit 57c8a456640fa3ca777652f11f2db4179a3e66b6 upstream. The SJA1000 command register is concurrently written in the rx-path to free the receive buffer _and_ in the tx-path to start the transmission. The SJA1000 data sheet, 6.4.4 COMMAND REGISTER (CMR) states: "Between two commands at least one internal clock cycle is needed in order to proceed. The internal clock is half of the external oscillator frequency." On SMP systems the current implementation leads to a write stall in the tx-path, which can be solved by adding some general locking and some time to settle the write_reg() operation for the command register. Thanks to Klaus Hitschler for the original fix and detailed problem description. This patch applies on net-2.6 and (with some offsets) on net-next-2.6 . Signed-off-by: Oliver Hartkopp Acked-by: Wolfgang Grandegger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 61fddafd7867bb656f034c0434492784f680bad8 Author: Jan Beulich Date: Tue Apr 27 14:01:20 2010 -0700 drivers/base/cpu.c: fix the output from /sys/devices/system/cpu/offline commit cdc6e3d3968052cebb2f2ddcd742bff29fbd1a90 upstream. Without CONFIG_CPUMASK_OFFSTACK, simply inverting cpu_online_mask leads to CPUs beyond nr_cpu_ids to be displayed twice and CPUs not even possible to be displayed as offline. Signed-off-by: Jan Beulich Cc: Andi Kleen Cc: Stephen Rothwell Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 8ab0ea3ee657ad1235590c3e43cf9d4fbb4de105 Author: James Bottomley Date: Thu May 13 09:31:54 2010 -0500 libsas: fix deref before check in commit 70b25f890ce commit 1b4d0d8ea7b3cbd107f345ab766416f9b38ce66a upstream. commit 70b25f890ce9f0520c64075ce9225a5b020a513e Author: Tejun Heo Date: Thu Apr 15 09:00:08 2010 +0900 [SCSI] fix locking around blk_abort_request() Introduced a reference before check problem, fix this by moving the lock shorthand code to be right at the point of actual use. Reported-by: Dan Carpenter Acked-by: Tejun Heo Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 649f9bdb073f3934412ca543e64edda132a05fb1 Author: Chris Wilson Date: Thu May 27 13:18:21 2010 +0100 drm/i915: Reject bind_to_gtt() early if object > aperture commit 654fc6073f68efa3b6c466825749e73e7fbb92cd upstream. If the object is bigger than the entire aperture, reject it early before evicting everything in a vain attempt to find space. v2: Use E2BIG as suggested by Owain G. Ainsworth. Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit c24e9e6e543398eaeae95f2d2f6f5b59852f3e06 Author: Sujith Date: Wed Mar 17 14:25:24 2010 +0530 ath9k_hw: fix hardware deinit commit 736b3a27b3c50c4a23717b802240435a69e8d0ff upstream. Without this you will get a panic if the device initialization fails. Also, free ath_hw instance properly. ath9k_hw_deinit() shouldn't do it. Signed-off-by: Sujith Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 787b18bfea20bb38b610258564e43b51f4f04041 Author: Felix Fietkau Date: Tue Apr 27 00:26:34 2010 +0200 mac80211: fix handling of 4-address-mode in ieee80211_change_iface commit f7917af92024d43bc20bc1afc92de27b0bd0f50b upstream. A misplaced interface type check bails out too early if the interface is not in monitor mode. This patch moves it to the right place, so that it only covers changes to the monitor flags. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6f6dcf87b07b45fca26ad170ca9714d2ae09dc3f Author: Shanyu Zhao Date: Tue Apr 27 11:15:12 2010 -0700 mac80211: fix rts threshold check commit a2c40249a36d0b4d76d1caf6bf806e4ae5b06e8a upstream. Currently whenever rts thresold is set, every packet will use RTS protection no matter its size exceeds the threshold or not. This is due to a bug in the rts threshold check. if (len > tx->local->hw.wiphy->rts_threshold) { txrc.rts = rts = true; } Basically it is comparing an int (len) and a u32 (rts_threshold), and the variable len is assigned as: len = min_t(int, tx->skb->len + FCS_LEN, tx->local->hw.wiphy->frag_threshold); However, when frag_threshold is "-1", len is always "-1", which is 0xffffffff therefore rts is always set to true. Signed-off-by: Shanyu Zhao Reviewed-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c12531f62e8af466bb2e3a0a0fd8b0e6fb12fca2 Author: Jouni Malinen Date: Sun Mar 28 22:29:52 2010 -0700 mac80211: Fix robust management frame handling (MFP) commit d211e90e28a074447584729018a39910d691d1a8 upstream. Commit e34e09401ee9888dd662b2fca5d607794a56daf2 incorrectly removed use of ieee80211_has_protected() from the management frame case and in practice, made this validation drop all Action frames when MFP is enabled. This should have only been done for frames with Protected field set to zero. Signed-off-by: Jouni Malinen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ba0a3584f651a904587e5b13856cfbc6d6ae7e44 Author: Andres Salomon Date: Thu Feb 25 19:18:47 2010 -0500 mac80211: give warning if building w/out rate ctrl algorithm commit c2ef355bf3ef0b8006b96128726684fba47ac928 upstream. I discovered that if EMBEDDED=y, one can accidentally build a mac80211 stack and drivers w/ no rate control algorithm. For drivers like RTL8187 that don't supply their own RC algorithms, this will cause ieee80211_register_hw to fail (making the driver unusable). This will tell kconfig to provide a warning if no rate control algorithms have been selected. That'll at least warn the user; users that know that their drivers supply a rate control algorithm can safely ignore the warning, and those who don't know (or who expect to be using multiple drivers) can select a default RC algorithm. Signed-off-by: Andres Salomon Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit afbcfc2833a06d5b847f8c235059e2545bd5ad31 Author: Henrik Kretzschmar Date: Mon May 24 14:34:00 2010 -0700 fbdev: section cleanup in w100fb commit fb6cb3270af8f2ad3dd556906a9c52aa85754849 upstream. Fix up the section in the w100fb driver, by moving: * w100fb_remove() from .text to .devexit.text * w100_get_xtal_table() from .text to .devinit.text * w100fb_init() from .devinit.text to .init.text Signed-off-by: Henrik Kretzschmar Acked-by: Uwe Kleine-König Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5dfcd5d10dc505d7f23b72aa5842d08f58dbedae Author: Henrik Kretzschmar Date: Mon May 24 14:33:54 2010 -0700 fbdev: section cleanup in arcfb commit bd9b5caf8616501d2ab6f17210b11f81ea7546eb upstream. Fix the sections in the arcfb driver, by moving: * the variables arcfb_fix and arcfb_var from .init.data to .devinit.data * arcfb_remove() from .text to .devexit.text This fixes the following warnings issued by modpost: WARNING: drivers/video/built-in.o(.devinit.text+0x543): Section mismatch in reference from the function arcfb_probe() to the variable .init.data:arcfb_var The function __devinit arcfb_probe() references a variable __initdata arcfb_var. If arcfb_var is only used by arcfb_probe then annotate arcfb_var with a matching annotation. WARNING: drivers/video/built-in.o(.devinit.text+0x558): Section mismatch in reference from the function arcfb_probe() to the variable .init.data:arcfb_fix The function __devinit arcfb_probe() references a variable __initdata arcfb_fix. If arcfb_fix is only used by arcfb_probe then annotate arcfb_fix with a matching annotation. Signed-off-by: Henrik Kretzschmar Acked-by: Uwe Kleine-König Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c4c0b96648bac6102785dab14b57f54a5b323360 Author: Henrik Kretzschmar Date: Mon May 24 14:33:59 2010 -0700 fbdev: section cleanup in vga16fb commit ad1458464cbbe6935be6e20d70920301733158af upstream. Fix up the sections in the vga16fb driver, by moving: * the variables vga16_defined and vga16fb from .init.data to .devinit.data * vga16fb_setup() from .text to .init.text * vga16fb_remove() from .text. to .devexit.text This fixes the following warnings issued by modpost: WARNING: drivers/video/built-in.o(.devinit.text+0x1a420): Section mismatch in re ference from the function vga16fb_probe() to the (unknown reference) .init.data: (unknown) The function __devinit vga16fb_probe() references a (unknown reference) __initdata (unknown). If (unknown) is only used by vga16fb_probe then annotate (unknown) with a matching annotation. WARNING: drivers/video/built-in.o(.devinit.text+0x1a437): Section mismatch in reference from the function vga16fb_probe() to the variable .init.data:vga16fb_defined The function __devinit vga16fb_probe() references a variable __initdata vga16fb_defined. If vga16fb_defined is only used by vga16fb_probe then annotate vga16fb_defined with a matching annotation. WARNING: drivers/video/built-in.o(.devinit.text+0x1a457): Section mismatch in reference from the function vga16fb_probe() to the variable .init.data:vga16fb_fix The function __devinit vga16fb_probe() references a variable __initdata vga16fb_fix. If vga16fb_fix is only used by vga16fb_probe then annotate vga16fb_fix with a matching annotation. Signed-off-by: Henrik Kretzschmar Acked-by: Uwe Kleine-König Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 305f648cfb4a77f59eeb419008ca01c8b9885db9 Author: Henrik Kretzschmar Date: Mon May 24 14:33:57 2010 -0700 fbdev: section cleanup in vfb commit 3cc04971661e37e7de6fbf9808ede554b5e1cb4e upstream. Fix up the section in the vfb driver, by moving the variables vfb_default and vfb_fix from .init.data to .devinit.data This fixes the following warnings issued by modpost: WARNING: drivers/video/vfb.o(.devinit.text+0xf8): Section mismatch in reference from the function vfb_probe() to the variable .init.data:vfb_default The function __devinit vfb_probe() references a variable __initdata vfb_default. If vfb_default is only used by vfb_probe then annotate vfb_default with a matching annotation. WARNING: drivers/video/vfb.o(.devinit.text+0x114): Section mismatch in reference from the function vfb_probe() to the variable .init.data:vfb_fix The function __devinit vfb_probe() references a variable __initdata vfb_fix. If vfb_fix is only used by vfb_probe then annotate vfb_fix with a matching annotation. Signed-off-by: Henrik Kretzschmar Acked-by: Uwe Kleine-König Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit aa80642730ac9d022861feece7fd3697fd57248b Author: Henrik Kretzschmar Date: Mon May 24 14:33:56 2010 -0700 fbdev: section cleanup in hgafb commit e217e6e39f62e47f7e659b715235dbd57df480f8 upstream. Fix up the sections in the hgafb driver, by * moving hga_default_var and hga_fix from .init.data to .devinit.data * moving hga_detect() from .init.text to .devinit.text * moving hga_fb_remove() from .text to .devexit.text This fixes the following warnings issued by modpost: WARNING: drivers/video/hgafb.o(.devinit.text+0x18): Section mismatch in referenc e from the function hgafb_probe() to the function .init.text:hga_card_detect() The function __devinit hgafb_probe() references a function __init hga_card_detect(). If hga_card_detect is only used by hgafb_probe then annotate hga_card_detect with a matching annotation. WARNING: drivers/video/hgafb.o(.devinit.text+0xfe): Section mismatch in referenc e from the function hgafb_probe() to the variable .init.data:hga_fix The function __devinit hgafb_probe() references a variable __initdata hga_fix. If hga_fix is only used by hgafb_probe then annotate hga_fix with a matching annotation. WARNING: drivers/video/hgafb.o(.devinit.text+0x105): Section mismatch in reference from the function hgafb_probe() to the variable .init.data:hga_default_var The function __devinit hgafb_probe() references a variable __initdata hga_default_var. If hga_default_var is only used by hgafb_probe then annotate hga_default_var with a matching annotation. Signed-off-by: Henrik Kretzschmar Acked-by: Uwe Kleine-König Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 379dafdf83d6cc936980bad4bfb463a1558f7522 Author: Bruno Randolf Date: Wed May 19 10:18:16 2010 +0900 ath5k: consistently use rx_bufsize for RX DMA commit b5eae9ff5ba6d76de19286dd6429acd7cde3f79d upstream. We should use the same buffer size we set up for DMA also in the hardware descriptor. Previously we used common->rx_bufsize for setting up the DMA mapping, but used skb_tailroom(skb) for the size we tell to the hardware in the descriptor itself. The problem is that skb_tailroom(skb) can give us a larger value than the size we set up for DMA before. This allows the hardware to write into memory locations not set up for DMA. In practice this should rarely happen because all packets should be smaller than the maximum 802.11 packet size. On the tested platform rx_bufsize is 2528, and we allocated an skb of 2559 bytes length (including padding for cache alignment) but sbk_tailroom() was 2592. Just consistently use rx_bufsize for all RX DMA memory sizes. Also use the return value of the descriptor setup function. Signed-off-by: Bruno Randolf Reviewed-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0775d3fb7c0be643f0bf50421d3ab471619e4dd4 Author: Andiry Xu Date: Mon May 10 19:57:17 2010 -0700 USB: xHCI: Fix wrong usage of macro TRB_TYPE commit 54b5acf3acb7a1f83ec281d111d3e2812cd7ad9d upstream. Macro TRB_TYPE is misused in some places. Fix the wrong usage. Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 52045e05f6d2ab6286222eb1e6339df099385bb6 Author: Sarah Sharp Date: Tue May 18 16:05:26 2010 -0700 USB: xhci: Fix check for room on the ring. commit 44ebd037c54f80db3121ac9f5fe6e677b76e11d5 upstream. The length of the scatter gather list a driver can enqueue is limited by the bus' sg_tablesize to 62 entries. Each entry will be described by at least one transfer request block (TRB). If the entry's buffer crosses a 64KB boundary, then that entry will have to be described by two or more TRBs. So even if the USB device driver respects sg_tablesize, the whole scatter list may take more than 62 TRBs to describe, and won't fit on the ring. Don't assume that an empty ring means there is enough room on the transfer ring. The old code would unconditionally queue this too-large transfer, and over write the beginning of the transfer. This would mean the cycle bit was unchanged in those overwritten transfers, causing the hardware to think it didn't own the TRBs, and the host would seem to hang. Now drivers may see submit_urb() fail with -ENOMEM if the transfers are too big to fit on the ring. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 98edccb42c2aa2d7b17d00790249f0fb2309f43c Author: Sarah Sharp Date: Tue May 18 16:05:21 2010 -0700 USB: xhci: Limit bus sg_tablesize to 62 TRBs. commit bc88d2eba5e19d10dd546e428314909d889b3b6a upstream. When a scatter-gather list is enqueued to the xHCI driver, it translates each entry into a transfer request block (TRB). Only 63 TRBs can be used per ring segment, and there must be one additional TRB reserved to make sure the hardware does not think the ring is empty (so the enqueue pointer doesn't equal the dequeue pointer). Limit the bus sg_tablesize to 62 TRBs. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 863bbb51075021d09e607a2fe471f7ca702d40cd Author: Sarah Sharp Date: Thu May 6 13:40:08 2010 -0700 USB: xhci: Fix issue with set interface after stall. commit 1624ae1c19e227096ba85bfc389d9b99cb6f7dde upstream. When the USB core installs a new interface, it unconditionally clears the halts on all the endpoints on the new interface. Usually the xHCI host needs to know when an endpoint is reset, so it can change its internal endpoint state. In this case, it doesn't care, because the endpoints were never halted in the first place. To avoid issuing a redundant Reset Endpoint command, the xHCI driver looks at xhci_virt_ep->stopped_td to determine if the endpoint was actually halted. However, the functions that handle the stall never set that variable to NULL after it dealt with the stall. So if an endpoint stalled and a Reset Endpoint command completed, and then the class driver tried to install a new alternate setting, the xHCI driver would access the old xhci_virt_ep->stopped_td pointer. A similar problem occurs if the endpoint has been stopped to cancel a transfer. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 8adbb24bada99dde60b4d5ebdc2ae1ec61ff4698 Author: Alan Stern Date: Wed May 12 18:21:35 2010 -0400 USB: EHCI: fix controller wakeup flag settings during suspend commit 16032c4f5b291af541e9114a09ea20ff5a0dc474 upstream. This patch (as1380) fixes a bug in the wakeup settings for EHCI host controllers. When the controller is suspended, if it isn't enabled for remote wakeup then we have to turn off all the port wakeup flags. Disabling PCI PME# isn't good enough, because some systems (Intel) evidently use alternate wakeup signalling paths. In addition, the patch improves the handling of the Intel Moorestown hardware by performing various power-up and power-down delays just once instead of once for each port (i.e., the delays are moved outside of the port loops). This requires extra code, but the total delay time is reduced. There are also a few additional minor cleanups. Signed-off-by: Alan Stern Reported-by: Ondrej Zary CC: Alek Du Signed-off-by: Greg Kroah-Hartman commit a9093288d3428afaec9cf2097c3edc0982a69ad0 Author: Alek Du Date: Mon May 10 11:17:49 2010 +0800 USB: EHCI: clear PHCD before resuming commit eab80de01cb398419ef3305f35abcb367c647c8b upstream. This is a bug fix for PHCD (phy clock disable) low power feature: After PHCD is set, any write to PORTSC register is illegal, so when resume ports, clear PHCD bit first. Signed-off-by: Alek Du Cc: David Brownell Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 068c984526dcdafae7fde7ce8d6135bcc48950da Author: Anton Vorontsov Date: Fri May 14 18:33:18 2010 +0400 USB: FHCI: cq_get() should check kfifo_out()'s return value commit 7f1cccd3ec8789e52897bc34420ca81a5e2edeab upstream. Since commit 7acd72eb85f1c7a15e8b5eb554994949241737f1 ("kfifo: rename kfifo_put... into kfifo_in... and kfifo_get... into kfifo_out..."), kfifo_out() is marked __must_check, and that causes gcc to produce lots of warnings like this: CC drivers/usb/host/fhci-mem.o In file included from drivers/usb/host/fhci-hcd.c:34: drivers/usb/host/fhci.h: In function 'cq_get': drivers/usb/host/fhci.h:520: warning: ignoring return value of 'kfifo_out', declared with attribute warn_unused_result ... This patch fixes the issue by properly checking the return value. Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit 4a8b98282f192abc27f1c18dc81ed2e59929e168 Author: Alan Stern Date: Fri Apr 2 13:27:28 2010 -0400 USB: fix usbmon and DMA mapping for scatter-gather URBs commit ff9c895f07d36193c75533bda8193bde8ca99d02 upstream. This patch (as1368) fixes a rather obscure bug in usbmon: When tracing URBs sent by the scatter-gather library, it accesses the data buffers while they are still mapped for DMA. The solution is to move the mapping and unmapping out of the s-g library and into the usual place in hcd.c. This requires the addition of new URB flag bits to describe the kind of mapping needed, since we have to call dma_map_sg() if the HCD supports native scatter-gather operation and dma_map_page() if it doesn't. The nice thing about having the new flags is that they simplify the testing for unmapping. The patch removes the only caller of usb_buffer_[un]map_sg(), so those functions are #if'ed out. A later patch will remove them entirely. As a result of this change, urb->sg will be set in situations where it wasn't set previously. Hence the xhci and whci drivers are adjusted to test urb->num_sgs instead, which retains its original meaning and is nonzero only when the HCD has to handle a scatterlist. Finally, even when a submission error occurs we don't want to hand URBs to usbmon before they are unmapped. The submission path is rearranged so that map_urb_for_dma() is called only for non-root-hub URBs and unmap_urb_for_dma() is called immediately after a submission error. This simplifies the error handling. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 54f1c4229dad6dd1c3d581e3008a89ee87053a44 Author: Hans de Goede Date: Thu Apr 29 12:59:04 2010 +0200 USB: unusual-dev: Add bad sense flag for Appotech ax203 based picture frames commit a78f4f1a16d87f3d33158d036af94e48e32f8aad upstream. These Appotech controllers are found in Picture Frames, they provide a (buggy) emulation of a cdrom drive which contains the windows software Uploading of pictures happens over the corresponding /dev/sg device. Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit d297f82e22644b815cedf064c126d542381989e8 Author: Dinh Nguyen Date: Tue May 4 10:03:01 2010 -0500 USB: mxc: gadget: Fix bitfield for calculating maximum packet size commit 88e3b59b5adce5b12e205af0e34d518ba0dcdc0c upstream. The max packet length bit mask used for isochronous endpoints should be 0x7FF instead of 0x8FF. 0x8FF will actually clear higher-order bits in the max packet length field. This patch applies to 2.6.34-rc6. Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit ab5dda490c458da086369498f2cabf7f84102ab7 Author: Dan Williams Date: Mon May 3 13:41:01 2010 -0700 USB: qcaux: add Samsung U520 device ID commit f5cddcd0995366f15d2b6b0df556a2cd99fa806e upstream. Another CDC-ACM + vendor specific interface layout. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 03cf402d2352f48c82d93a9e174d67645445a815 Author: Johan Hovold Date: Wed May 19 00:01:38 2010 +0200 USB: kl5usb105: fix memory leak commit 313b0d80c1717ffe8f64b455a4d323996748b91a upstream. Private data was not freed on error path in startup. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1bc1248edb16b844389d0da3a6286d05ffd14d64 Author: Johan Hovold Date: Thu May 13 21:02:00 2010 +0200 USB: ir-usb: fix double free commit 2ff78c0c2b67120c8e503268da3f177cae2228a2 upstream. If the user specifies a custom bulk buffer size we get a double free at port release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 47daca4abff7f8a77e12b0103e2d2bce7cc34f1f Author: Nils Radtke Date: Mon May 17 14:14:11 2010 +0200 USB: option.c: OLIVETTI OLICARD100 support commit 86234d4975ce084d14711283a3bfc69305f97602 upstream. This patch adds support for an olivetti olicard100 HЅDPA usb-stick. This device is a zeroCD one with ID 0b3c:c700 that needs switching via eject or usb-modeswitch with MessageContent="5553424312345678000000000000061b000000030000000000000000000000". After switching it has ID 0b3c:c000 and provides 5 serial ports ttyUSB[0-4]. Port 0 (modem) and 4 are interrupt ports. Signed-off-by: Nils Radtke Signed-off-by: Greg Kroah-Hartman commit fe069e176fcc1bab9ed6141ea53369a09880cd41 Author: zhao1980ming Date: Mon May 3 00:06:37 2010 +0800 USB: option: add PID for ZTE product commit a71ee85e1d74e862d68cc9b2f2ab6a806d2550c9 upstream. this patch adds ZTE modem devices Signed-off-by: Joey Signed-off-by: Greg Kroah-Hartman commit 0e70bed3661c2fe9844e290595e16092366efef2 Author: Johan Hovold Date: Fri May 7 19:46:56 2010 +0200 USB: tty: fix incorrect use of tty_insert_flip_string_fixed_flag commit 70ced221cc9f041481f129e63cc5b1dedb0ff959 upstream. Fix regression introduced by commit a108bfcb372d8c4452701039308fb95747911c59 (USB: tty: Prune uses of tty_request_room in the USB layer) which broke three drivers (cypress_m8, digi_acceleport and spcp8x5) through incorrect use of tty_insert_flip_string_fixed_flag. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e918d4ae5eb721dd9569c147d5f3e5c5bc5f108c Author: Johan Hovold Date: Sat May 15 17:53:43 2010 +0200 USB: kobil: fix memory leak commit c0f631d1948658b27349545b2cbcb4b32f010c7a upstream. An urb transfer buffer is allocated at every open but was never freed. This driver is a bit of a mess... Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 5c57367851bd2535460cde23e457ec456ea61fc1 Author: Craig Shelley Date: Sat May 15 13:36:38 2010 +0100 USB: CP210x New Device IDs 11 New device IDs commit eefd9029fde4d90d59804eeb54880ab8db5c1866 upstream. Signed-off-by: Craig Shelley Signed-off-by: Greg Kroah-Hartman commit 6b467ed469b5ab9aef253222cff748a303c34320 Author: Johan Hovold Date: Sat May 15 17:53:48 2010 +0200 USB: visor: fix memory leak commit 199b113978015309dd02c69844c19a1be3f4dbcf upstream. Fix memory leak for some devices (Sony Clie 3.5) due to port private data not being freed on release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 0370cbe4d1e59d4a9a9fffb0eb2a0cdb1cb9b8c1 Author: Wolfram Sang Date: Sat May 15 11:25:35 2010 +0100 ARM: 6135/1: mx21/devices: fix USBOTG resource commit e1695307e6b85477afd2421d3b4891ca5bea8300 upstream. It got a typo from 988addf82e4c03739375279de73929580a2d4a6a. Signed-off-by: Wolfram Sang Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 03c10e5766b665075f7165d0c038ec299e3c6df7 Author: Christian Lamparter Date: Tue Mar 23 21:51:14 2010 +0100 ar9170usb: fix panic triggered by undersized rxstream buffer commit 879999cec9489f8942ebce3ec1b5f23ef948dda7 upstream. While ar9170's USB transport packet size is currently set to 8KiB, the PHY is capable of receiving AMPDUs with up to 64KiB. Such a large frame will be split over several rx URBs and exceed the previously allocated space for rx stream reconstruction. This patch increases the buffer size to 64KiB which is in fact the phy & rx stream designed size limit. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=15591 Reported-by: Christian Mehlis Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5dbabb418f3ee53978d283cde8f59ff24d13e732 Author: Christian Lamparter Date: Tue Apr 13 18:10:26 2010 +0200 ar9170usb: add a couple more USB IDs commit 94d0bbe849190255b93fede8eb46809a38f9b8bf upstream. This patch adds the following 5 entries to the usbid device table: * Netgear WNA1000 * Proxim ORiNOCO Dual Band 802.11n USB Adapter * 3Com Dual Band 802.11n USB Adapter * H3C Dual Band 802.11n USB Adapter * WNC Generic 11n USB dongle Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 10b59786101918c9045d84439a76db09647e9395 Author: Cory Maccarrone Date: Sat May 22 13:00:28 2010 -0700 HID: Add the GYR4101US USB ID to hid-gyration commit c2fd1a4ebf9127c280d227acb635eb1df213439c upstream. This change adds in the USB product ID for the Gyration GYR4101US USB media center remote control. This remote is similar enough to the other two devices that this driver can be used without any other changes to get full support for the remote. Signed-off-by: Cory Maccarrone Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 5cb55ffd478600e5515166b304462d4ddc165278 Author: Kamal Mostafa Date: Sat May 1 12:09:49 2010 -0700 ACPI: video: fix acpi_backlight=video commit eeb4bcb4771679d7b3446c0293334faee11b090a upstream. Make "acpi_backlight=video" param enable ACPI_VIDEO_BACKLIGHT_FORCE_VIDEO as intended, instead of incorrectly enabling video output switching. BugLink: http://bugs.launchpad.net/bugs/573120 Signed-off-by: Kamal Mostafa Acked-by: Zhang Rui Cc: Bjorn Helgaas Cc: Jiri Kosina Acked-by: Thomas Renninger Signed-off-by: Andrew Morton Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit c661a17e2a3e08e2e5a637453558d352f2227889 Author: Daniel T Chen Date: Sat May 29 11:04:11 2010 -0400 ALSA: hda: Use LPIB for a Shuttle device commit 61bb42c37dfa9016dcacc86bcd41362ab2457d4a upstream. BugLink: https://launchpad.net/bugs/551949 Symptom: On the reporter's Shuttle device, using PulseAudio in Ubuntu 10.04 LTS results in "popping clicking" audio with the PA crashing shortly thereafter. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, adjust the HDA device's volume with PulseAudio. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Christian Mehlis Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e90c613ecc211ca08430c73feec7a3449658d1e4 Author: Daniel T Chen Date: Thu May 27 18:32:18 2010 -0400 ALSA: hda: Use LPIB for Sony VPCS11V9E commit e96d3127760a2fc509bca6bf7e61e8bc61497aeb upstream. BugLink: https://launchpad.net/bugs/586347 Symptom: On the Sony VPCS11V9E, using GStreamer-based applications with PulseAudio in Ubuntu 10.04 LTS results in stuttering audio. It appears to worsen with increased I/O. Test case: use Rhythmbox under increased I/O pressure. This symptom is reproducible in the current daily stable alsa-driver snapshots (at least up until 21 May 2010; later snapshots fail to build from source due to missing preprocessor directives when compiled against 2.6.32). Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Lauri Kainulainen Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9d1312a1ec0f9af722ff6b5fd010e7e89328d51e Author: Daniel T Chen Date: Sat May 22 12:05:41 2010 -0400 ALSA: hda: Use LPIB for Acer Aspire 5110 commit 7a68be94e22e7643038726ebc14360752a91800b upstream. BugLink: https://launchpad.net/bugs/583983 Symptom: on a significant number of hardware, booting from a live cd results in capture working correctly, but once the distribution is installed, booting from the install results in capture not working. Test case: boot from Ubuntu 10.04 LTS live cd; capture works correctly. Install to HD and reboot; capture does not work. Reproduced with 2.6.32 mainline build (vanilla kernel.org compile). Resolution: add SSID for Acer Aspire 5110 to the position_fix quirk table, explicitly specifying the LPIB method. I'll be sending additional patches for these SSIDs as bug reports are confirmed. Reported-and-Tested-By: Leo Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0596f63086c5ba313b0ffd68d86e878ceabb9f68 Author: Daniel T Chen Date: Sat May 22 13:12:22 2010 -0400 ALSA: hda: Use LPIB for Toshiba A100-259 commit 4e0938dba7fccf37a4aecba4d937da7f312b5d55 upstream. BugLink: https://launchpad.net/bugs/549560 Symptom: on a significant number of hardware, booting from a live cd results in capture working correctly, but once the distribution is installed, booting from the install results in capture not working. Test case: boot from Ubuntu 10.04 LTS live cd; capture works correctly. Install to HD and reboot; capture does not work. Reproduced with 2.6.32 mainline build (vanilla kernel.org compile) Resolution: add SSID for Toshiba A100-259 to the position_fix quirk table, explicitly specifying the LPIB method. I'll be sending additional patches for these SSIDs as bug reports are confirmed. This patch also trivially sorts the quirk table in ascending order by subsystem vendor. Reported-and-Tested-by: Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f1d46e6a4db1cba246afc6d01a6d4648a7fba16f Author: Daniel T Chen Date: Sun May 23 20:47:45 2010 -0400 ALSA: hda: Fix model quirk for Dell M1730 commit 66668b6fb6861fad7f6bfef6646ac84693474c9a upstream. BugLink: https://launchpad.net/bugs/576160 Symptom: Currently (2.6.32.12) the Dell M1730 uses the 3stack model quirk. Unfortunately this means that capture is not functional out- of-the-box despite ensuring that capture settings are unmuted and raised fully. Test case: boot from Ubuntu 10.04 LTS live cd; capture does not work. Resolution: Correct the model quirk for Dell M1730 to rely on the BIOS configuration. This patch also trivially sorts the quirk into the correct section based on the comments. Reported-and-Tested-By: Tested-By: Daren Hayward Tested-By: Tobias Krais Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8882ac1b4eb11bd9031af3710193534f18f16c2e Author: Clemens Ladisch Date: Fri May 21 09:15:59 2010 +0200 ALSA: pcm: fix the fix of the runtime->boundary calculation commit ead4046b2fdfd69acc4272e693afd249ad3eb689 upstream. Commit 7910b4a1db63fefc3d291853d33c34c5b6352e8e in 2.6.34 changed the runtime->boundary calculation to make this value a multiple of both the buffer_size and the period_size, because the latter is assumed by the runtime->hw_ptr_interrupt calculation. However, due to the lack of a ioctl that could read the software parameters before they are set, the kernel requires that alsa-lib calculates the boundary value, too. The changed algorithm leads to a different boundary value used by alsa-lib, which makes, e.g., mplayer fail to play a 44.1 kHz file because the silence_size parameter is now invalid; bug report: . This patch reverts the change to the boundary calculation, and instead fixes the hw_ptr_interrupt calculation to be period-aligned regardless of the boundary value. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 945fb1b1535c71df6d3ac4c1a52149662515d854 Author: Clemens Ladisch Date: Tue May 25 09:01:46 2010 +0200 ALSA: pcm: fix delta calculation at boundary wraparound commit b406e6103baa3da85950f22d3d46d21a8da654c5 upstream. In the cleanup of the hw_ptr update functions in 2.6.33, the calculation of the delta value was changed to use the modulo operator to protect against a negative difference due to the pointer wrapping around at the boundary. However, the ptr variables are unsigned, so a negative difference would result in the two complement's value which has no relation to the actual difference relative to the boundary; the result is typically some value near LONG_MAX-boundary. Furthermore, even if the modulo operation would be done with signed types, the result of a negative dividend could be negative. The invalid delta value is then caught by the following checks, but this means that the pointer update is ignored. To fix this, use a range check as in the other pointer calculations. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f3b041d63fd763862ff0acd2612135d0502f9402 Author: Tony Breeds Date: Wed May 19 15:46:36 2010 +1000 mutex: Fix optimistic spinning vs. BKL commit fd6be105b883244127a734ac9f14ae94a022dcc0 upstream. Currently, we can hit a nasty case with optimistic spinning on mutexes: CPU A tries to take a mutex, while holding the BKL CPU B tried to take the BLK while holding the mutex This looks like a AB-BA scenario but in practice, is allowed and happens due to the auto-release on schedule() nature of the BKL. In that case, the optimistic spinning code can get us into a situation where instead of going to sleep, A will spin waiting for B who is spinning waiting for A, and the only way out of that loop is the need_resched() test in mutex_spin_on_owner(). This patch fixes it by completely disabling spinning if we own the BKL. This adds one more detail to the extensive list of reasons why it's a bad idea for kernel code to be holding the BKL. Signed-off-by: Tony Breeds Acked-by: Linus Torvalds Acked-by: Peter Zijlstra Cc: Benjamin Herrenschmidt LKML-Reference: <20100519054636.GC12389@ozlabs.org> [ added an unlikely() attribute to the branch ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 79ea60d729ec6a5cb16beefa4a927d9adee31656 Author: Linus Lüssing Date: Mon Mar 22 22:46:15 2010 +0100 Staging: batman-adv: Fixing wrap-around bug in vis commit ea4ceb18b525fd7016c10995c0f1313a729c7e2b upstream. When the seqno for a vis packet had a wrap around from i.e. 255 to 0, add_packet() would falsely claim the older packet with the seqno 255 as newer as the one with the seqno of 0 and would therefore ignore the new packet. This happens with all following vis packets until the old vis packet expires after 180 seconds timeout. This patch fixes this issue and gets rid of these highly undesired 3min. breaks for the vis-server. Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Andrew Lunn Signed-off-by: Greg Kroah-Hartman commit 5405f5ae04d505e067b8e932e467301cf20b41c1 Author: Linus Lüssing Date: Mon Mar 22 22:46:14 2010 +0100 Staging: batman-adv: Fix VIS output bug for secondary interfaces commit f6497e38fda6970819daacb67725d67474079381 upstream. TQ and HNA records for originators on secondary interfaces were wrongly being included on the primary interface. Ensure we output a line for each source interface on every node, so we correctly separate primary and secondary interface records. Signed-off-by: Linus Lüssing Signed-off-by: Andrew Lunn Signed-off-by: Greg Kroah-Hartman commit 5b1599198c5992446e1e39962e83d504d72e0c18 Author: Andrew Lunn Date: Mon Mar 22 22:46:13 2010 +0100 Staging: batman-adv: don't have interrupts disabled while sending. commit 107c32fe68f0b64acb7edd31d44d79b87c7fa8b4 upstream. send_vis_packets() would disable interrupts before calling dev_queue_xmit() which resulting in a backtrace in local_bh_enable(). Fix this by using kref on the vis_info object so that we can call send_vis_packets() without holding vis_hash_lock. vis_hash_lock also used to protect recv_list, so we now need a new lock to protect that instead of vis_hash_lock. Also a few checkpatch cleanups. Reported-by: Linus Lüssing Signed-off-by: Andrew Lunn Signed-off-by: Marek Lindner Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit 100cd68085ad42f30b8591ba1eeb3dbe9c478838 Author: Nobuhiro KUSUNO Date: Thu May 6 05:23:28 2010 +0900 Staging: rt2870: add device ID of MelCo.,Inc. WLI-UC-G301N commit de37cd49b5a54facef174cf34496919857436e8f upstream. My wireless LAN module 'MelCo.,Inc. WLI-UC-G301N' works fine, if the following line is added into 2870_main_dev.c. Signed-off-by: Nobhiro KUSUNO Signed-off-by: Greg Kroah-Hartman commit 04e3c609a132a366fadef95d11532b9e34b77ce0 Author: Larry Finger Date: Sun May 9 22:10:02 2010 -0500 staging: vt6655: Fix kernel BUG on driver wpa initialization commit f65515275ea3e45fdcd0fb78455f542d6fdca086 upstream. In http://bugzilla.novell.com/show_bug.cgi?id=597299, the vt6655 driver generates a kernel BUG on a NULL pointer dereference at NULL. This problem has been traced to a failure in the wpa_set_wpadev() routine. As the vt6656 driver does not call this routine, the vt6655 code is similarly set to skip the call. Signed-off-by: Larry Finger Tested-by: Richard Meek Signed-off-by: Greg Kroah-Hartman commit 48da1f948eaff568eca729efadce88b4367c6cf2 Author: John W. Linville Date: Wed Apr 28 19:14:42 2010 -0400 rtl8180: fix tx status reporting commit d989ff7cf8d14f1b523f63ba0bf2ec1a9b7c25bc upstream. When reporting Tx status, indicate that only one rate was used. Otherwise, the rate is frozen at rate index 0 (i.e. 1Mb/s). Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5f3753189d45e0f6807374ee9b5299ec7b17fd56 Author: Andreas Bombe Date: Mon May 17 23:12:46 2010 -0700 ARCNET: Limit com20020 PCI ID matches for SOHARD cards commit e7971c80a8e0299f91272ad8e8ac4167623e1862 upstream. The SH SOHARD ARCNET cards are implemented using generic PLX Technology PCI<->IOBus bridges. Subvendor and subdevice IDs were not specified, causing the driver to attach to any such bridge and likely crash the system by attempting to initialize an unrelated device. Fix by specifying subvendor and subdevice according to the values found in the PCI-ID Repository at http://pci-ids.ucw.cz/ . Signed-off-by: Andreas Bombe Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4b227bf55477bef00cdc5325711134139fcbcdfe Author: Tejun Heo Date: Fri May 14 11:48:50 2010 +0200 sata_nv: use ata_pci_sff_activate_host() instead of ata_host_activate() commit 95cc2c70c139936a2142bcd583da8af6f9d88efb upstream. sata_nv was incorrectly using ata_host_activate() instead of ata_pci_sff_activate_host() leading to IRQ assignment failure in legacy mode. Fix it. Signed-off-by: Tejun Heo Cc: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 70e3072d47c474aec0a4391306e3838e983f853e Author: Jeff Layton Date: Fri Mar 19 08:06:28 2010 -0400 nfsd: don't break lease while servicing a COMMIT commit 91885258e8343bb65c08f668d7e6c16563eb4284 upstream. This is the second attempt to fix the problem whereby a COMMIT call causes a lease break and triggers a possible deadlock. The problem is that nfsd attempts to break a lease on a COMMIT call. This triggers a delegation recall if the lease is held for a delegation. If the client is the one holding the delegation and it's the same one on which it's issuing the COMMIT, then it can't return that delegation until the COMMIT is complete. But, nfsd won't complete the COMMIT until the delegation is returned. The client and server are essentially deadlocked until the state is marked bad (due to the client not responding on the callback channel). The first patch attempted to deal with this by eliminating the open of the file altogether and simply had nfsd_commit pass a NULL file pointer to the vfs_fsync_range. That would conflict with some work in progress by Christoph Hellwig to clean up the fsync interface, so this patch takes a different approach. This declares a new NFSD_MAY_NOT_BREAK_LEASE access flag that indicates to nfsd_open that it should not break any leases when opening the file, and has nfsd_commit set that flag on the nfsd_open call. For now, this patch leaves nfsd_commit opening the file with write access since I'm not clear on what sort of access would be more appropriate. Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit f003956dd3c142e99cf61c999cda0a250e35a37b Author: Pavel Emelyanov Date: Fri May 14 15:33:36 2010 +0400 NFSD: don't report compiled-out versions as present commit 15ddb4aec54422ead137b03ea4e9b3f5db3f7cc2 upstream. The /proc/fs/nfsd/versions file calls nfsd_vers() to check whether the particular nfsd version is present/available. The problem is that once I turn off e.g. NFSD-V4 this call returns -1 which is true from the callers POV which is wrong. The proposal is to report false in that case. The bug has existed since 6658d3a7bbfd1768 "[PATCH] knfsd: remove nfsd_versbits as intermediate storage for desired versions". Signed-off-by: Pavel Emelyanov Acked-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 9cd8e627a68fd3b0f4581ddbbfffffd639a3309a Author: KOSAKI Motohiro Date: Wed May 19 09:37:41 2010 +0900 cpumask: fix compat getaffinity commit fa9dc265ace9774e62f0e31108e5f47911124bda upstream. Commit a45185d2d "cpumask: convert kernel/compat.c" broke libnuma, which abuses sched_getaffinity to find out NR_CPUS in order to parse /sys/devices/system/node/node*/cpumap. On NUMA systems with less than 32 possibly CPUs, the current compat_sys_sched_getaffinity now returns '4' instead of the actual NR_CPUS/8, which makes libnuma bail out when parsing the cpumap. The libnuma call sched_getaffinity(0, bitmap, 4096) at first. It mean the libnuma expect the return value of sched_getaffinity() is either len argument or NR_CPUS. But it doesn't expect to return nr_cpu_ids. Strictly speaking, userland requirement are 1) Glibc assume the return value mean the lengh of initialized of mask argument. E.g. if sched_getaffinity(1024) return 128, glibc make zero fill rest 896 byte. 2) Libnuma assume the return value can be used to guess NR_CPUS in kernel. It assume len-arg Acked-by: Rusty Russell Acked-by: Arnd Bergmann Reported-by: Ken Werner Cc: Andi Kleen Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 968ada73731c432d54d0d273bc2a82aceb06deea Author: Sebastian Andrzej Siewior Date: Sun Mar 21 22:52:23 2010 +0100 libata: don't flush dcache on slab pages commit 3842e835490cdf17013b30a788f6311bdcfd0571 upstream. page_mapping() check this via VM_BUG_ON(PageSlab(page)) so we bug here with the according debuging turned on. Future TODO: replace this with a flush_dcache_page_for_pio() API Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit f7039e09cba9c057a3097eb421616ce8906c0ce1 Author: Tejun Heo Date: Wed May 19 15:38:58 2010 +0200 libata: disable ATAPI AN by default commit e7ecd435692ca9bde9d124be30b3a26e672ea6c2 upstream. There are ATAPI devices which raise AN when hit by commands issued by open(). This leads to infinite loop of AN -> MEDIA_CHANGE uevent -> udev open() to check media -> AN. Both ACS and SerialATA standards don't define in which case ATAPI devices are supposed to raise or not raise AN. They both list media insertion event as a possible use case for ATAPI ANs but there is no clear description of what constitutes such events. As such, it seems a bit too naive to export ANs directly to userland as MEDIA_CHANGE events without further verification (which should behave similarly to windows as it apparently is the only thing that some hardware vendors are testing against). This patch adds libata.atapi_an module parameter and disables ATAPI AN by default for now. Signed-off-by: Tejun Heo Cc: Kay Sievers Cc: Nick Bowler Cc: David Zeuthen Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 4562830db9b66f4eb10fb98624af1fcba20a0c50 Author: Andrey Vagin Date: Mon May 24 12:15:33 2010 -0700 posix_timer: Fix error path in timer_create commit 45e0fffc8a7778282e6a1514a6ae3e7ae6545111 upstream. Move CLOCK_DISPATCH(which_clock, timer_create, (new_timer)) after all posible EFAULT erros. *_timer_create may allocate/get resources. (for example posix_cpu_timer_create does get_task_struct) [ tglx: fold the remove crappy comment patch into this ] Signed-off-by: Andrey Vagin Cc: Oleg Nesterov Cc: Pavel Emelyanov Reviewed-by: Stanislaw Gruszka Signed-off-by: Andrew Morton Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit b55e34571e4db0b98fe1ba0fceeed734e2eb5c33 Author: Neil Brown Date: Mon May 24 16:57:56 2010 +1000 VFS: fix recent breakage of FS_REVAL_DOT commit 176306f59ac7a35369cbba87aff13e14c5916074 upstream. Commit 1f36f774b22a0ceb7dd33eca626746c81a97b6a5 broke FS_REVAL_DOT semantics. In particular, before this patch, the command ls -l in an NFS mounted directory would always check if the directory on the server had changed and if so would flush and refill the pagecache for the dir. After this patch, the same "ls -l" will repeatedly return stale date until the cached attributes for the directory time out. The following patch fixes this by ensuring the d_revalidate is called by do_last when "." is being looked-up. link_path_walk has already called d_revalidate, but in that case LOOKUP_OPEN is not set so nfs_lookup_verify_inode chooses not to do any validation. The following patch restores the original behaviour. Signed-off-by: NeilBrown Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 9521ba4ae1028e06707b86050fe9e204bae3d818 Author: Al Viro Date: Wed May 26 17:40:29 2010 -0400 Fix racy use of anon_inode_getfd() in perf_event.c commit ea635c64e007061f6468ece5cc9cc62d41d4ecf2 upstream. once anon_inode_getfd() is called, you can't expect *anything* about struct file that descriptor points to - another thread might be doing whatever it likes with descriptor table at that point. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 81bec1f57bc4d87c74a4f7643a9bf6e57878b44f Author: Peter Zijlstra Date: Tue May 11 16:19:10 2010 +0200 perf: Fix exit() vs event-groups commit 96c21a460a37880abfbc8445d5b098dbab958a29 upstream. Corey reported that the value scale times of group siblings are not updated when the monitored task dies. The problem appears to be that we only update the group leader's time values, fix it by updating the whole group. Reported-by: Corey Ashford Signed-off-by: Peter Zijlstra Cc: Paul Mackerras Cc: Mike Galbraith Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker LKML-Reference: <1273588935.1810.6.camel@laptop> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ecd8a95f7e526ea1dd8d8031b572144e9a78c9aa Author: Arnaldo Carvalho de Melo Date: Mon Mar 15 11:46:58 2010 -0300 perf top: Properly notify the user that vmlinux is missing commit b0a9ab62ab96e258a0ddd81d7fe2719c3db36006 upstream. Before this patch this message would very briefly appear on the screen and then the screen would get updates only on the top, for number of interrupts received, etc, but no annotation would be performed: [root@doppio linux-2.6-tip]# perf top -s n_tty_write > /tmp/bla objdump: '[kernel.kallsyms]': No such file Now this is what the user gets: [root@doppio linux-2.6-tip]# perf top -s n_tty_write Can't annotate n_tty_write: No vmlinux file was found in the path: [0] vmlinux [1] /boot/vmlinux [2] /boot/vmlinux-2.6.33-rc5 [3] /lib/modules/2.6.33-rc5/build/vmlinux [4] /usr/lib/debug/lib/modules/2.6.33-rc5/vmlinux [root@doppio linux-2.6-tip]# This bug was introduced when we added automatic search for vmlinux, before that time the user had to specify a vmlinux file. Reported-by: David S. Miller Reported-by: Ingo Molnar Signed-off-by: Arnaldo Carvalho de Melo Cc: Frédéric Weisbecker Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Paul Mackerras LKML-Reference: <1268664418-28328-2-git-send-email-acme@infradead.org> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 03d7c94a14acd55388d9c5e50503c4969e0ba164 Author: Peter Zijlstra Date: Tue May 11 11:51:53 2010 +0200 perf: Fix exit() vs PERF_FORMAT_GROUP commit 050735b08ca8a016bbace4445fa025b88fee770b upstream. Both Stephane and Corey reported that PERF_FORMAT_GROUP didn't work as expected if the task the counters were attached to quit before the read() call. The cause is that we unconditionally destroy the grouping when we remove counters from their context. Fix this by splitting off the group destroy from the list removal such that perf_event_remove_from_context() does not do this and change perf_event_release() to do so. Reported-by: Corey Ashford Reported-by: Stephane Eranian Signed-off-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker Cc: Paul Mackerras LKML-Reference: <1273571513.5605.3527.camel@twins> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 08959bab0e65a42ff0d10fde4982939b472a7a96 Author: Ian Munsie Date: Tue Apr 13 18:37:33 2010 +1000 perf: Fix endianness argument compatibility with OPT_BOOLEAN() and introduce OPT_INCR() commit c05556421742eb47f80301767653a4bcb19de9de upstream. Parsing an option from the command line with OPT_BOOLEAN on a bool data type would not work on a big-endian machine due to the manner in which the boolean was being cast into an int and incremented. For example, running 'perf probe --list' on a PowerPC machine would fail to properly set the list_events bool and would therefore print out the usage information and terminate. This patch makes OPT_BOOLEAN work as expected with a bool datatype. For cases where the original OPT_BOOLEAN was intentionally being used to increment an int each time it was passed in on the command line, this patch introduces OPT_INCR with the old behaviour of OPT_BOOLEAN (the verbose variable is currently the only such example of this). I have reviewed every use of OPT_BOOLEAN to verify that a true C99 bool was passed. Where integers were used, I verified that they were only being used for boolean logic and changed them to bools to ensure that they would not be mistakenly used as ints. The major exception was the verbose variable which now uses OPT_INCR instead of OPT_BOOLEAN. Signed-off-by: Ian Munsie Acked-by: David S. Miller Cc: Cc: Git development list Cc: Ian Munsie Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Arnaldo Carvalho de Melo Cc: KOSAKI Motohiro Cc: Hitoshi Mitake Cc: Rusty Russell Cc: Frederic Weisbecker Cc: Eric B Munson Cc: Valdis.Kletnieks@vt.edu Cc: WANG Cong Cc: Thiago Farina Cc: Masami Hiramatsu Cc: Xiao Guangrong Cc: Jaswinder Singh Rajput Cc: Arjan van de Ven Cc: OGAWA Hirofumi Cc: Mike Galbraith Cc: Tom Zanussi Cc: Anton Blanchard Cc: John Kacur Cc: Li Zefan Cc: Steven Rostedt LKML-Reference: <1271147857-11604-1-git-send-email-imunsie@au.ibm.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a3f7f0540b5ccc9573230e741e7aceb966f38ac7 Author: Andi Kleen Date: Thu Apr 1 03:17:25 2010 +0200 oprofile: remove double ring buffering commit cb6e943ccf19ab6d3189147e9d625a992e016084 upstream. oprofile used a double buffer scheme for its cpu event buffer to avoid races on reading with the old locked ring buffer. But that is obsolete now with the new ring buffer, so simply use a single buffer. This greatly simplifies the code and avoids a lot of sample drops on large runs, especially with call graph. Based on suggestions from Steven Rostedt For stable kernels from v2.6.32, but not earlier. Signed-off-by: Andi Kleen Cc: Steven Rostedt Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit ae39937e57147ecb65516066985f3805ffff717f Author: Robert Richter Date: Mon May 3 19:44:32 2010 +0200 oprofile/x86: fix uninitialized counter usage during cpu hotplug commit 2623a1d55a6260c855e1f6d1895900b50b40a896 upstream. This fixes a NULL pointer dereference that is triggered when taking a cpu offline after oprofile was initialized, e.g.: $ opcontrol --init $ opcontrol --start-daemon $ opcontrol --shutdown $ opcontrol --deinit $ echo 0 > /sys/devices/system/cpu/cpu1/online See the crash dump below. Though the counter has been disabled the cpu notifier is still active and trying to use already freed counter data. This fix is for linux-stable. To proper fix this, the hotplug code must be rewritten. Thus I will leave a WARN_ON_ONCE() message with this patch. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] op_amd_stop+0x2d/0x8e PGD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu1/online CPU 1 Modules linked in: Pid: 0, comm: swapper Not tainted 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Anaheim/Anaheim RIP: 0010:[] [] op_amd_stop+0x2d/0x8e RSP: 0018:ffff880001843f28 EFLAGS: 00010006 RAX: 0000000000000000 RBX: 0000000000000000 RCX: dead000000200200 RDX: ffff880001843f68 RSI: dead000000100100 RDI: 0000000000000000 RBP: ffff880001843f48 R08: 0000000000000000 R09: ffff880001843f08 R10: ffffffff8102c9a5 R11: ffff88000184ea80 R12: 0000000000000000 R13: ffff88000184f6c0 R14: 0000000000000000 R15: 0000000000000000 FS: 00007fec6a92e6f0(0000) GS:ffff880001840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000000 CR3: 000000000163b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffff88042fcd8000, task ffff88042fcd51d0) Stack: ffff880001843f48 0000000000000001 ffff88042e9f7d38 ffff880001843f68 <0> ffff880001843f58 ffffffff8132a602 ffff880001843f98 ffffffff810521b3 <0> ffff880001843f68 ffff880001843f68 ffff880001843f88 ffff88042fcd9fd8 Call Trace: [] nmi_cpu_stop+0x21/0x23 [] generic_smp_call_function_single_interrupt+0xdf/0x11b [] smp_call_function_single_interrupt+0x22/0x31 [] call_function_single_interrupt+0x13/0x20 [] ? wake_up_process+0x10/0x12 [] ? default_idle+0x22/0x37 [] c1e_idle+0xdf/0xe6 [] ? atomic_notifier_call_chain+0x13/0x15 [] cpu_idle+0x4b/0x7e [] start_secondary+0x1ae/0x1b2 Code: 89 e5 41 55 49 89 fd 41 54 45 31 e4 53 31 db 48 83 ec 08 89 df e8 be f8 ff ff 48 98 48 83 3c c5 10 67 7a 81 00 74 1f 49 8b 45 08 <42> 8b 0c 20 0f 32 48 c1 e2 20 25 ff ff bf ff 48 09 d0 48 89 c2 RIP [] op_amd_stop+0x2d/0x8e RSP CR2: 0000000000000000 ---[ end trace 679ac372d674b757 ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 0, comm: swapper Tainted: G D 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Call Trace: [] panic+0x9e/0x10c [] ? up+0x34/0x39 [] ? kmsg_dump+0x112/0x12c [] oops_end+0x81/0x8e [] no_context+0x1f3/0x202 [] __bad_area_nosemaphore+0x1ba/0x1e0 [] ? enqueue_task_fair+0x16d/0x17a [] ? activate_task+0x42/0x53 [] ? try_to_wake_up+0x272/0x284 [] bad_area_nosemaphore+0xe/0x10 [] do_page_fault+0x1c8/0x37c [] ? enqueue_task_fair+0x16d/0x17a [] page_fault+0x1f/0x30 [] ? wake_up_process+0x10/0x12 [] ? op_amd_stop+0x2d/0x8e [] ? op_amd_stop+0x1c/0x8e [] nmi_cpu_stop+0x21/0x23 [] generic_smp_call_function_single_interrupt+0xdf/0x11b [] smp_call_function_single_interrupt+0x22/0x31 [] call_function_single_interrupt+0x13/0x20 [] ? wake_up_process+0x10/0x12 [] ? default_idle+0x22/0x37 [] c1e_idle+0xdf/0xe6 [] ? atomic_notifier_call_chain+0x13/0x15 [] cpu_idle+0x4b/0x7e [] start_secondary+0x1ae/0x1b2 ------------[ cut here ]------------ WARNING: at /local/rrichter/.source/linux/arch/x86/kernel/smp.c:118 native_smp_send_reschedule+0x27/0x53() Hardware name: Anaheim Modules linked in: Pid: 0, comm: swapper Tainted: G D 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Call Trace: [] ? native_smp_send_reschedule+0x27/0x53 [] warn_slowpath_common+0x77/0xa4 [] warn_slowpath_null+0xf/0x11 [] native_smp_send_reschedule+0x27/0x53 [] resched_task+0x60/0x62 [] check_preempt_curr_idle+0x10/0x12 [] try_to_wake_up+0x1f5/0x284 [] default_wake_function+0xd/0xf [] pollwake+0x57/0x5a [] ? default_wake_function+0x0/0xf [] __wake_up_common+0x46/0x75 [] __wake_up+0x38/0x50 [] printk_tick+0x39/0x3b [] update_process_times+0x3f/0x5c [] tick_periodic+0x5d/0x69 [] tick_handle_periodic+0x21/0x71 [] smp_apic_timer_interrupt+0x82/0x95 [] apic_timer_interrupt+0x13/0x20 [] ? panic_blink_one_second+0x0/0x7b [] ? panic+0x10a/0x10c [] ? up+0x34/0x39 [] ? kmsg_dump+0x112/0x12c [] ? oops_end+0x81/0x8e [] ? no_context+0x1f3/0x202 [] ? __bad_area_nosemaphore+0x1ba/0x1e0 [] ? enqueue_task_fair+0x16d/0x17a [] ? activate_task+0x42/0x53 [] ? try_to_wake_up+0x272/0x284 [] ? bad_area_nosemaphore+0xe/0x10 [] ? do_page_fault+0x1c8/0x37c [] ? enqueue_task_fair+0x16d/0x17a [] ? page_fault+0x1f/0x30 [] ? wake_up_process+0x10/0x12 [] ? op_amd_stop+0x2d/0x8e [] ? op_amd_stop+0x1c/0x8e [] ? nmi_cpu_stop+0x21/0x23 [] ? generic_smp_call_function_single_interrupt+0xdf/0x11b [] ? smp_call_function_single_interrupt+0x22/0x31 [] ? call_function_single_interrupt+0x13/0x20 [] ? wake_up_process+0x10/0x12 [] ? default_idle+0x22/0x37 [] ? c1e_idle+0xdf/0xe6 [] ? atomic_notifier_call_chain+0x13/0x15 [] ? cpu_idle+0x4b/0x7e [] ? start_secondary+0x1ae/0x1b2 ---[ end trace 679ac372d674b758 ]--- Cc: Andi Kleen Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman