commit 42b94d5716146acdc3ec1a070540177d15b1ee1c Author: Greg Kroah-Hartman Date: Mon Aug 2 10:30:51 2010 -0700 Linux 2.6.34.2 commit b8c63c5fbc0e8d124f9e15cbbb0585b762efa08d Author: Jesse Barnes Date: Mon Jul 26 13:51:22 2010 -0700 drm/i915: make sure we shut off the panel in eDP configs commit 5620ae29f1eabe655f44335231b580a78c8364ea upstream. Fix error from the last pull request. Making sure we shut the panel off is more correct and saves power. Signed-off-by: Jesse Barnes Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c9fcc5d269949a0fbd46ffbea6cc83741e61c05f Author: Jesse Barnes Date: Thu Jul 22 13:18:19 2010 -0700 drm/i915: make sure eDP panel is turned on commit 9934c132989d5c488d2e15188220ce240960ce96 upstream. When enabling the eDP port, we need to make sure the panel is turned on after training the link. If we don't, it likely won't come back after suspend or may not come up at all. For unknown reasons, unlocking the panel regs before initiating a power on sequence is necessary. There are known bugs in the PCH panel sequencing logic, apparently this is one possible workaround. Fixes https://bugs.freedesktop.org/show_bug.cgi?id=28739. Signed-off-by: Jesse Barnes Tested-by: "Paulo J. S. Silva" Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 4a501bb2eff2b2a60bfaf41c42fa08614ff445f3 Author: Jesse Barnes Date: Thu Jul 22 13:18:18 2010 -0700 drm/i915: add PANEL_UNLOCK_REGS definition commit 4a655f043160eeae447efd3be297b6b4c397a640 upstream. In some cases, unlocking the panel regs is safe and can help us avoid a flickery, full mode set sequence. So define the unlock key and use it. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 14393bddb10f109790dbeaa747679738445ebf09 Author: Takashi Iwai Date: Wed Jul 28 14:21:55 2010 +0200 ALSA: hda - Fix pin-detection of Nvidia HDMI commit 38faddb1afdd37218c196ac3db1cb5fbe7fc9c75 upstream. The behavior of Nvidia HDMI codec regarding the pin-detection unsol events is based on the old HD-audio spec, i.e. PD bit indicates only the update and doesn't show the current state. Since the current code assumes the new behavior, the pin-detection doesn't work relialby with these h/w. This patch adds a flag for indicating the old spec, and fixes the issue by checking the pin-detection explicitly for such hardware. Tested-by: Wei Ni Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3fd02a351fc8aa8602fe2b39d6a098ea2538db2e Author: Alex Chiang Date: Thu Jun 17 09:08:54 2010 -0600 ACPI: processor: fix processor_physically_present on UP commit 856b185dd23da39e562983fbf28860f54e661b41 upstream. The commit 5d554a7bb06 (ACPI: processor: add internal processor_physically_present()) is broken on uniprocessor (UP) configurations, as acpi_get_cpuid() will always return -1. We use the value of num_possible_cpus() to tell us whether we got an invalid cpuid from acpi_get_cpuid() in the SMP case, or if instead, we are UP, in which case num_possible_cpus() is #defined as 1. We use num_possible_cpus() instead of num_online_cpus() to protect ourselves against the scenario of CPU hotplug, and we've taken down all the CPUs except one. Thanks to Jan Pogadl for initial report and analysis and Chen Gong for review. https://bugzilla.kernel.org/show_bug.cgi?id=16357 Reported-by: Jan Pogadl : Reviewed-by: Chen Gong Signed-off-by: Alex Chiang Signed-off-by: Len Brown Cc: Thomas Renninger Signed-off-by: Greg Kroah-Hartman commit 92f61d8a31e270f9391e7bcc0ac638bd4262a8e0 Author: Tao Ma Date: Fri Jul 9 14:53:11 2010 +0800 ocfs2: make xattr extension work with new local alloc reservation. commit a78f9f4668949a6588b8872f162e86685c63d023 upstream. The old ocfs2_xattr_extent_allocation is too optimistic about the clusters we can get. So actually if the file system is too fragmented, ocfs2_add_clusters_in_btree will return us with EGAIN and we need to allocate clusters once again. So this patch change it to a while loop so that we can allocate clusters until we reach clusters_to_add. Signed-off-by: Tao Ma Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 0ebeb757aa82ef2b3bdeb2002b663f5cb3e37006 Author: Dmitry Torokhov Date: Mon Jul 26 01:12:37 2010 -0700 Input: RX51 keymap - fix recent compile breakage commit 2e65a2075cc740b485ab203430bdf3459d5551b6 upstream. Commit 3fea60261e73 ("Input: twl40300-keypad - fix handling of "all ground" rows") broke compilation as I managed to use non-existent keycodes. Reported-by: Arjan van de Ven Signed-off-by: Dmitry Torokhov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3bc3620722100d2c49a64fca8d33dc0615caf499 Author: Bob Copeland Date: Fri Jun 18 13:15:23 2010 -0400 ath5k: initialize ah->ah_current_channel commit b6855772f4a22c4fbdd4fcaceff5c8a527035123 upstream. ath5k assumes ah_current_channel is always a valid pointer in several places, but a newly created interface may not have a channel. To avoid null pointer dereferences, set it up to point to the first available channel until later reconfigured. This fixes the following oops: $ rmmod ath5k $ insmod ath5k $ iw phy0 set distance 11000 BUG: unable to handle kernel NULL pointer dereference at 00000006 IP: [] ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k] *pde = 00000000 Oops: 0000 [#1] last sysfs file: /sys/devices/pci0000:00/0000:00:0e.0/ieee80211/phy0/index Modules linked in: usbhid option usb_storage usbserial usblp evdev lm90 scx200_acb i2c_algo_bit i2c_dev i2c_core via_rhine ohci_hcd ne2k_pci 8390 leds_alix2 xt_IMQ imq nf_nat_tftp nf_conntrack_tftp nf_nat_irc nf_cc Pid: 1597, comm: iw Not tainted (2.6.32.14 #8) EIP: 0060:[] EFLAGS: 00010296 CPU: 0 EIP is at ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k] EAX: 000000c2 EBX: 00000000 ECX: ffffffff EDX: c12d2080 ESI: 00000019 EDI: cf8c0000 EBP: d0a30edc ESP: cfa09bf4 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 Process iw (pid: 1597, ti=cfa09000 task=cf88a000 task.ti=cfa09000) Stack: d0a34f35 d0a353f8 d0a30edc 000000fe cf8c0000 00000000 1900063d cfa8c9e0 <0> cfa8c9e8 cfa8c0c0 cfa8c000 d0a27f0c 199d84b4 cfa8c200 00000010 d09bfdc7 <0> 00000000 00000000 ffffffff d08e0d28 cf9263c0 00000001 cfa09cc4 00000000 Call Trace: [] ? ath5k_hw_attach+0xc8c/0x3c10 [ath5k] [] ? __ieee80211_request_smps+0x1347/0x1580 [mac80211] [] ? nl80211_send_scan_start+0x7b8/0x4520 [cfg80211] [] ? nla_parse+0x59/0xc0 [] ? genl_rcv_msg+0x169/0x1a0 [] ? genl_rcv_msg+0x0/0x1a0 [] ? netlink_rcv_skb+0x38/0x90 [] ? genl_rcv+0x19/0x30 [] ? netlink_unicast+0x1b3/0x220 [] ? netlink_sendmsg+0x26e/0x290 [] ? sock_sendmsg+0xbe/0xf0 [] ? autoremove_wake_function+0x0/0x50 [] ? __alloc_pages_nodemask+0x106/0x530 [] ? do_lookup+0x53/0x1b0 [] ? __link_path_walk+0x9b9/0x9e0 [] ? verify_iovec+0x50/0x90 [] ? sys_sendmsg+0x1e1/0x270 [] ? find_get_page+0x10/0x50 [] ? filemap_fault+0x5f/0x370 [] ? __do_fault+0x319/0x370 [] ? sys_socketcall+0x244/0x290 [] ? do_page_fault+0x1ec/0x270 [] ? do_page_fault+0x0/0x270 [] ? syscall_call+0x7/0xb Code: 00 b8 fe 00 00 00 b9 f8 53 a3 d0 89 5c 24 14 89 7c 24 10 89 44 24 0c 89 6c 24 08 89 4c 24 04 c7 04 24 35 4f a3 d0 e8 7c 30 60 f0 <0f> b7 43 06 ba 06 00 00 00 a8 10 75 0e 83 e0 20 83 f8 01 19 d2 EIP: [] ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k] SS:ESP 0068:cfa09bf4 CR2: 0000000000000006 ---[ end trace 54f73d6b10ceb87b ]--- Reported-by: Steve Brown Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2c43858d67b0474fde66cf50469438242ba17a3e Author: Alan Stern Date: Fri Apr 2 13:21:58 2010 -0400 HID: usbhid: enable remote wakeup for keyboards commit 3d61510f4ecacfe47c75c0eb51c0659dfa77fb1b upstream. This patch (as1365) enables remote wakeup by default for USB keyboard devices. Keyboards in general are supposed to be wakeup devices, but the correct place to enable it depends on the device's bus; no single approach will work for all keyboard devices. In particular, this covers only USB keyboards (and then only those supporting the boot protocol). Signed-off-by: Alan Stern Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 01b9cd5d1870fb45aa398124366fe872255b523c Author: Bruno Randolf Date: Mon Jul 12 00:40:28 2010 +0900 MIPS: MTX-1: Fix PCI on the MeshCube and related boards commit 98a0f86a54bb195c28ae1ccb5a5f5cda12cf7121 upstream. This patch fixes a regression introduced by commit "MIPS: Alchemy: MTX-1: Use linux gpio api." (bb706b28bbd647c2fd7f22d6bf03a18b9552be05) which broke PCI bus operation. The problem is caused by alchemy_gpio2_enable() which resets the GPIO2 block. Two PCI signals (PCI_SERR and PCI_RST) are connected to GPIO2 and they obviously do not to like the reset. Since GPIO2 is correctly initialized by the boot monitor (YAMON) it is not necessary to call this function, so just remove it. Also replace gpio_set_value() with alchemy_gpio_set_value() to avoid problems in case gpiolib gets initialized after PCI. And since alchemy gpio_set_value() calls au_sync() we don't have to au_sync() again later. Signed-off-by: Bruno Randolf To: linux-mips@linux-mips.org To: manuel.lauss@googlemail.com Patchwork: https://patchwork.linux-mips.org/patch/1448/ Tested-by: Florian Fainelli Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 61ef6cc2a3140bab5d4e359cdd4a71bcea7c0fc3 Author: Dominik Brodowski Date: Sat Jun 19 14:33:56 2010 +0200 pcmcia: do not initialize the present flag too late. commit e4f1ac2122413736bf2791d3af6533f36b46fc61 upstream. The "present" flag was initialized too late -- possibly, a card was already registered at this time, so re-setting the flag to 0 caused pcmcia_dev_present() to fail. Reported-by: Mikulas Patocka Signed-off-by: Dominik Brodowski Signed-off-by: Greg Kroah-Hartman commit 50faa2b8b0f1d7e26ec784152d1c8021df67ce4f Author: Andre Osterhues Date: Tue Jul 13 15:59:17 2010 -0500 ecryptfs: Bugfix for error related to ecryptfs_hash_buckets commit a6f80fb7b5986fda663d94079d3bba0937a6b6ff upstream. The function ecryptfs_uid_hash wrongly assumes that the second parameter to hash_long() is the number of hash buckets instead of the number of hash bits. This patch fixes that and renames the variable ecryptfs_hash_buckets to ecryptfs_hash_bits to make it clearer. Fixes: CVE-2010-2492 Signed-off-by: Andre Osterhues Signed-off-by: Tyler Hicks Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cdfd88c2377e95b46a8d990de84af1b6ce8c0cd6 Author: Tony Luck Date: Wed Jun 30 10:46:16 2010 -0700 Fix spinaphore down_spin() commit b70f4e85bfc4d7000036355b714a92d5c574f1be upstream. Typo in down_spin() meant it only read the low 32 bits of the "serve" value, instead of the full 64 bits. This results in the system hanging when the values in ticket/serve get larger than 32-bits. A big enough system running the right test can hit this in a just a few hours. Broken since 883a3acf5b0d4782ac35981227a0d094e8b44850 [IA64] Re-implement spinaphores using ticket lock concepts Reported via IRC by Bjorn Helgaas Signed-off-by: Tony Luck Signed-off-by: Greg Kroah-Hartman commit c1dbd27d6a46adc6e2021d0febfdc3898e383f05 Author: Rafael J. Wysocki Date: Tue Jun 8 10:50:53 2010 +0200 ACPI / ACPICA: Fix sysfs GPE interface commit 9d3c752de65dbfa6e522f1d666deb0ac152ef367 upstream. The sysfs interface allowing user space to disable/enable GPEs doesn't work correctly, because a GPE disabled this way will be re-enabled shortly by acpi_ev_asynch_enable_gpe() if it was previosuly enabled by acpi_enable_gpe() (in which case the corresponding bit in its enable register's enable_for_run mask is set). To address this issue make the sysfs GPE interface use acpi_enable_gpe() and acpi_disable_gpe() instead of acpi_set_gpe() so that GPE reference counters are modified by it along with the values of GPE enable registers. Signed-off-by: Rafael J. Wysocki Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 02f7f4c9f46e9da6d0e7f8b380703eaa7a59bebc Author: Rafael J. Wysocki Date: Tue Jun 8 10:50:20 2010 +0200 ACPI / ACPICA: Fix GPE initialization commit ce43ace02320a3fb9614ddb27edc3a8700d68b26 upstream. While developing the GPE reference counting code we overlooked the fact that acpi_ev_update_gpes() could have enabled GPEs before acpi_ev_initialize_gpe_block() was called. As a result, some GPEs are enabled twice during the initialization. To fix this issue avoid calling acpi_enable_gpe() from acpi_ev_initialize_gpe_block() for the GPEs that have nonzero runtime reference counters. Signed-off-by: Rafael J. Wysocki Signed-off-by: Len Brown commit 454981bb0d10548f35d006090a7b4419cdf74c50 Author: Rafael J. Wysocki Date: Tue Jun 8 10:49:45 2010 +0200 ACPI / ACPICA: Avoid writing full enable masks to GPE registers commit c9a8bbb7704cbf515c0fc68970abbe4e91d68521 upstream. ACPICA uses acpi_hw_write_gpe_enable_reg() to re-enable a GPE after an event signaled by it has been handled. However, this function writes the entire GPE enable mask to the GPE's enable register which may not be correct. Namely, if one of the other GPEs in the same register was previously enabled by acpi_enable_gpe() and subsequently disabled using acpi_set_gpe(), acpi_hw_write_gpe_enable_reg() will re-enable it along with the target GPE. To fix this issue rework acpi_hw_write_gpe_enable_reg() so that it calls acpi_hw_low_set_gpe() with a special action value, ACPI_GPE_COND_ENABLE, that will make it only enable the GPE if the corresponding bit in its register's enable_for_run mask is set. Signed-off-by: Rafael J. Wysocki Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit a1399262df1450b960e0c3875ce50c43a4e3499e Author: Rafael J. Wysocki Date: Tue Jun 8 10:49:08 2010 +0200 ACPI / ACPICA: Fix low-level GPE manipulation code commit fd247447c1d94a79d5cfc647430784306b3a8323 upstream. ACPICA uses acpi_ev_enable_gpe() for enabling GPEs at the low level, which is incorrect, because this function only enables the GPE if the corresponding bit in its enable register's enable_for_run mask is set. This causes acpi_set_gpe() to work incorrectly if used for enabling GPEs that were not previously enabled with acpi_enable_gpe(). As a result, among other things, wakeup-only GPEs are never enabled by acpi_enable_wakeup_device(), so the devices that use them are unable to wake up the system. To fix this issue remove acpi_ev_enable_gpe() and its counterpart acpi_ev_disable_gpe() and replace acpi_hw_low_disable_gpe() with acpi_hw_low_set_gpe() that will be used instead to manipulate GPE enable bits at the low level. Make the users of acpi_ev_enable_gpe() and acpi_ev_disable_gpe() call acpi_hw_low_set_gpe() instead and make sure that GPE enable masks are only updated by acpi_enable_gpe() and acpi_disable_gpe() when GPE reference counters change from 0 to 1 and from 1 to 0, respectively. Signed-off-by: Rafael J. Wysocki Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 11ae38f311af047a41b7181005c9df50e0ae3838 Author: Rafael J. Wysocki Date: Tue Jun 8 10:48:26 2010 +0200 ACPI / ACPICA: Use helper function for computing GPE masks commit e4e9a735991c80fb0fc1bd4a13a93681c3c17ce0 upstream. In quite a few places ACPICA needs to compute a GPE enable mask with only one bit, corresponding to a given GPE, set. Currently, that computation is always open coded which leads to unnecessary code duplication. Fix this by introducing a helper function for computing one-bit GPE enable masks and using it where appropriate. Signed-off-by: Rafael J. Wysocki Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 53c6c129e33e365128dd1231b911e5996cfef0f3 Author: Krzysztof Halasa Date: Fri Jun 11 01:08:20 2010 +0200 kbuild: Fix modpost segfault commit 1c938663d58b5b2965976a6f54cc51b5d6f691aa upstream. Alan writes: > program: /home/alan/GitTrees/linux-2.6-mid-ref/scripts/mod/modpost -o > Module.symvers -S vmlinux.o > > Program received signal SIGSEGV, Segmentation fault. It just hit me. It's the offset calculation in reloc_location() which overflows: return (void *)elf->hdr + sechdrs[section].sh_offset + (r->r_offset - sechdrs[section].sh_addr); E.g. for the first rodata r entry: r->r_offset < sechdrs[section].sh_addr and the expression in the parenthesis produces 0xFFFFFFE0 or something equally wise. Reported-by: Alan Signed-off-by: Krzysztof Hałasa Tested-by: Alan Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 4c4504ea2dccb7901189f6a48c3d3c0ed20d3475 Author: Reinette Chatre Date: Thu May 20 10:54:40 2010 -0700 iwl3945: enable stuck queue detection on 3945 commit a6866ac93e6cb68091326e80b4fa4619a5957644 upstream. We learn from http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=1834 and https://bugzilla.redhat.com/show_bug.cgi?id=589777 that 3945 can also suffer from a stuck command queue. Enable stuck queue detection for iwl3945 to enable recovery in this case. Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit ac751d718ee83f055c9ef48413d11afdea6859a6 Author: Wey-Yi Guy Date: Mon Mar 1 17:23:50 2010 -0800 iwlwifi: Recover TX flow stall due to stuck queue commit b74e31a9bc1013e69b85b139072485dc153453dd upstream. Monitors the internal TX queues periodically. When a queue is stuck for some unknown conditions causing the throughput to drop and the transfer is stop, the driver will force firmware reload and bring the system back to normal operational state. The iwlwifi devices behave differently in this regard so this feature is made part of the ops infrastructure so we can have more control on how to monitor and recover from tx queue stall case per device. Signed-off-by: Trieu 'Andrew' Nguyen Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit 8483d9b94a15bae1dd9bcd03ef84726ec6a03536 Author: Shanyu Zhao Date: Tue Jun 1 17:13:58 2010 -0700 iwlagn: verify flow id in compressed BA packet commit b561e8274f75831ee87e4ea378cbb1f9f050a51a upstream. The flow id (scd_flow) in a compressed BA packet should match the txq_id of the queue from which the aggregated packets were sent. However, in some hardware like the 1000 series, sometimes the flow id is 0 for the txq_id (10 to 19). This can cause the annoying message: [ 2213.306191] iwlagn 0000:01:00.0: Received BA when not expected [ 2213.310178] iwlagn 0000:01:00.0: Read index for DMA queue txq id (0), index 5, is out of range [0-256] 7 7. And even worse, if agg->wait_for_ba is true when the bad BA is arriving, this can cause system hang due to NULL pointer dereference because the code is operating in a wrong tx queue! Signed-off-by: Shanyu Zhao Signed-off-by: Pradeep Kulkarni Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit caf785bc19966cedc0ba3ee43526e0af43bd001a Author: Tao Ma Date: Thu Jun 24 07:43:57 2010 +0800 block: Don't count_vm_events for discard bio in submit_bio. commit 1b99973f1c82707e46e8cb9416865a1e955e8f8c upstream. In submit_bio, we count vm events by check READ/WRITE. But actually DISCARD_NOBARRIER also has the WRITE flag set. It looks as if in blkdev_issue_discard, we also add a page as the payload and the bio_has_data check isn't enough. So add another check for discard bio. Signed-off-by: Tao Ma Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 89dd01dc14e0c7d069f96c78c0929823c8734c0b Author: Laurent Pinchart Date: Mon Apr 12 10:41:22 2010 -0300 V4L/DVB: uvcvideo: Add support for V4L2_PIX_FMT_Y16 commit 61421206833a4085d9bdf35b2b84cd9a67dfdfac upstream. The Miricle 307K (17dc:0202) camera reports a 16-bit greyscale format, support it in the driver. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 6e5c8866ce6a56a000eb8c8d80eb1379a2694df2 Author: Laurent Pinchart Date: Sat Mar 13 18:12:15 2010 -0300 V4L/DVB: uvcvideo: Add support for Packard Bell EasyNote MX52 integrated webcam commit f129b03ba272c86c42ad476684caa0d6109cb383 upstream. The camera requires the STREAM_NO_FID quirk. Add a corresponding entry in the device IDs list. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit da220a4d2ca00b90050fa2043d38779960e9ef9f Author: Laurent Pinchart Date: Thu Mar 4 07:51:25 2010 -0300 V4L/DVB: uvcvideo: Add support for unbranded Arkmicro 18ec:3290 webcams commit 1e4d05bc95a0fe2972c5c91ed45466587d07cd2c upstream. The camera requires the PROBE_DEF quirk. Add a corresponding entry in the device IDs list. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c7e97b0249f59d7e32b19ef71899cc083cab1b9b Author: Dan Rosenberg Date: Thu Jun 24 12:07:47 2010 +1000 xfs: prevent swapext from operating on write-only files commit 1817176a86352f65210139d4c794ad2d19fc6b63 upstream. This patch prevents user "foo" from using the SWAPEXT ioctl to swap a write-only file owned by user "bar" into a file owned by "foo" and subsequently reading it. It does so by checking that the file descriptors passed to the ioctl are also opened for reading. Signed-off-by: Dan Rosenberg Reviewed-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 8bffdea32019685abb0ad2035ab5870eecb887d4 Author: Michael Chan Date: Tue Jun 1 15:05:36 2010 +0000 bnx2: Fix hang during rmmod bnx2. commit f048fa9c8686119c3858a463cab6121dced7c0bf upstream. The regression is caused by: commit 4327ba435a56ada13eedf3eb332e583c7a0586a9 bnx2: Fix netpoll crash. If ->open() and ->close() are called multiple times, the same napi structs will be added to dev->napi_list multiple times, corrupting the dev->napi_list. This causes free_netdev() to hang during rmmod. We fix this by calling netif_napi_del() during ->close(). Also, bnx2_init_napi() must not be in the __devinit section since it is called by ->open(). Signed-off-by: Michael Chan Signed-off-by: Benjamin Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 131637b6e8287c90239ce1e5e6311d2e93986bce Author: Stanislaw Gruszka Date: Wed Apr 28 17:03:15 2010 +0200 mac80211: fix supported rates IE if AP doesn't give us it's rates commit 76f273640134f3eb8257179cd5b3bc6ba5fe4a96 upstream. If AP do not provide us supported rates before assiociation, send all rates we are supporting instead of empty information element. v1 -> v2: Add comment. Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 79b54741620599a3abccaf26bb1ae1d50a0ef809 Author: Ben Hutchings Date: Wed Apr 7 20:55:47 2010 -0700 3c503: Fix IRQ probing commit b0cf4dfb7cd21556efd9a6a67edcba0840b4d98d upstream. The driver attempts to select an IRQ for the NIC automatically by testing which of the supported IRQs are available and then probing each available IRQ with probe_irq_{on,off}(). There are obvious race conditions here, besides which: 1. The test for availability is done by passing a NULL handler, which now always returns -EINVAL, thus the device cannot be opened: 2. probe_irq_off() will report only the first ISA IRQ handled, potentially leading to a false negative. There was another bug that meant it ignored all error codes from request_irq() except -EBUSY, so it would 'succeed' despite this (possibly causing conflicts with other ISA devices). This was fixed by ab08999d6029bb2c79c16be5405d63d2bedbdfea 'WARNING: some request_irq() failures ignored in el2_open()', which exposed bug 1. This patch: 1. Replaces the use of probe_irq_{on,off}() with a real interrupt handler 2. Adds a delay before checking the interrupt-seen flag 3. Disables interrupts on all failure paths 4. Distinguishes error codes from the second request_irq() call, consistently with the first Compile-tested only. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e4db36f176d558bdd35e3f2d9d4e1f2669290e7b Author: Ben Hutchings Date: Sat May 15 13:45:37 2010 -0300 V4L/DVB: budget: Select correct frontends commit d46b36e7f927772bb72524dc9f1e384e3cb4a975 upstream. Update the Kconfig selections to match the code. Signed-off-by: Ben Hutchings Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit d21a551cd30abca8818fc3a8ef6d7c3015675104 Author: Jean Delvare Date: Wed May 26 10:05:11 2010 -0300 V4L/DVB: FusionHDTV: Use quick reads for I2C IR device probing commit 806b07c29b711aaf90c81d2a19711607769f8246 upstream. IR support on FusionHDTV cards is broken since kernel 2.6.31. One side effect of the switch to the standard binding model for IR I2C devices was to let i2c-core do the probing instead of the ir-kbd-i2c driver. There is a slight difference between the two probe methods: i2c-core uses 0-byte writes, while the ir-kbd-i2c was using 0-byte reads. As some IR I2C devices only support reads, the new probe method fails to detect them. For now, revert to letting the driver do the probe, using 0-byte reads. In the future, i2c-core will be extended to let callers of i2c_new_probed_device() provide a custom probing function. Signed-off-by: Jean Delvare Tested-by: "Timothy D. Lenz" Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2213a00b8f18ea821b7b90227810723c69266916 Author: Ang Way Chuang Date: Thu May 27 02:02:09 2010 -0300 V4L/DVB: dvb-core: Fix ULE decapsulation bug commit 5c331fc8c19e181bffab46e9d18e1637cdc47170 upstream. Fix ULE decapsulation bug when less than 4 bytes of ULE SNDU is packed into the remaining bytes of a MPEG2-TS frame ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation code has a bug that incorrectly treats ULE SNDU packed into the remaining 2 or 3 bytes of a MPEG2-TS frame as having invalid pointer field on the subsequent MPEG2-TS frame. Signed-off-by: Ang Way Chuang Acked-by: Jarod Wilson Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ab8434aada60281129fd4064b2d66a719fc9b7aa Author: Andrej Gelenberg Date: Fri May 14 15:15:58 2010 -0700 revert "[CPUFREQ] remove rwsem lock from CPUFREQ_GOV_STOP call (second call site)" commit accd846698439ba18250e8fd5681af280446b853 upstream. 395913d0b1db37092ea3d9d69b832183b1dd84c5 ("[CPUFREQ] remove rwsem lock from CPUFREQ_GOV_STOP call (second call site)") is not needed, because there is no rwsem lock in cpufreq_ondemand and cpufreq_conservative anymore. Lock should not be released until the work done. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=1594 Signed-off-by: Andrej Gelenberg Cc: Mathieu Desnoyers Cc: Venkatesh Pallipadi Signed-off-by: Andrew Morton Acked-by: Mathieu Desnoyers Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 9117b65d6f906775a52ed54c53b6039e59124a2d Author: David Woodhouse Date: Sun May 2 11:21:21 2010 +0300 firmware_class: fix memory leak - free allocated pages commit dd336c554d8926c3348a2d5f2a5ef5597f6d1a06 upstream. fix memory leak introduced by the patch 6e03a201bbe: firmware: speed up request_firmware() 1. vfree won't release pages there were allocated explicitly and mapped using vmap. The memory has to be vunmap-ed and the pages needs to be freed explicitly 2. page array is moved into the 'struct firmware' so that we can free it from release_firmware() and not only in fw_dev_release() The fix doesn't break the firmware load speed. Cc: Johannes Berg Cc: Ming Lei Cc: Catalin Marinas Singed-off-by: Kay Sievers Signed-off-by: David Woodhouse Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman commit 906846b7acfbdc0d31ae83b2a011ecbc5ba46786 Author: Wolfram Sang Date: Fri May 21 00:50:17 2010 +0200 mfd: Remove unneeded and dangerous clearing of clientdata commit 28ade0f217a3a3ff992b01e06e6e425c250a8406 upstream. Unlike real i2c-devices which get detached from the driver, dummy-devices get truly unregistered. So, there has never been a need to clear the clientdata because the device will go away anyhow. For the occasions fixed here, clearing clientdata was even dangerous as the structure was freed already. Signed-off-by: Wolfram Sang Acked-by: Jean Delvare Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 3589bef7c2755ab044274f7cdea656bba29a94ae Author: Baruch Siach Date: Mon May 17 17:45:48 2010 -0700 dm9000: fix "BUG: spinlock recursion" commit 380fefb2ddabd4cd5f14dbe090481f0544e65078 upstream. dm9000_set_rx_csum and dm9000_hash_table are called from atomic context (in dm9000_init_dm9000), and from non-atomic context (via ethtool_ops and net_device_ops respectively). This causes a spinlock recursion BUG. Fix this by renaming these functions to *_unlocked for the atomic context, and make the original functions locking wrappers for use in the non-atomic context. Signed-off-by: Baruch Siach Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3fe45b2885d414bcfc05d61d025b8cc1bcf790e3 Author: Daniel Mack Date: Tue Apr 6 10:52:44 2010 +0200 libertas/sdio: 8686: set ECSI bit for 1-bit transfers commit 8a64c0f6b7ec7f758c4ef445e49f479e27fa2236 upstream. When operating in 1-bit mode, SDAT1 is used as dedicated interrupt line. However, the 8686 will only drive this line when the ECSI bit is set in the CCCR_IF register. Thanks to Alagu Sankar for pointing me in the right direction. Signed-off-by: Daniel Mack Cc: Alagu Sankar Cc: Volker Ernst Cc: Dan Williams Cc: John W. Linville Cc: Holger Schurig Cc: Bing Zhao Cc: libertas-dev@lists.infradead.org Cc: linux-wireless@vger.kernel.org Cc: linux-mmc@vger.kernel.org Acked-by: Dan Williams Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 60117f6527f04e0fc1fb34c6b30aeabcc2e93127 Author: Matthew Garrett Date: Tue May 11 13:49:25 2010 -0400 ACPI: Unconditionally set SCI_EN on resume commit b6dacf63e9fb2e7a1369843d6cef332f76fca6a3 upstream. The ACPI spec tells us that the firmware will reenable SCI_EN on resume. Reality disagrees in some cases. The ACPI spec tells us that the only way to set SCI_EN is via an SMM call. https://bugzilla.kernel.org/show_bug.cgi?id=13745 shows us that doing so may break machines. Tracing the ACPI calls made by Windows shows that it unconditionally sets SCI_EN on resume with a direct register write, and therefore the overwhelming probability is that everything is fine with this behaviour. Signed-off-by: Matthew Garrett Tested-by: Rafael J. Wysocki Signed-off-by: Len Brown Cc: Kamal Mostafa Signed-off-by: Greg Kroah-Hartman commit aba02e53bab9032d62c208f5e0b5bc56599b3735 Author: Rafael J. Wysocki Date: Thu Jun 17 17:40:57 2010 +0200 ACPI / PM: Do not enable GPEs for system wakeup in advance commit cb1cb1780f2025a7d612de09131bf6530f80fb1a upstream. After commit 9630bdd9b15d2f489c646d8bc04b60e53eb5ec78 (ACPI: Use GPE reference counting to support shared GPEs) the wakeup enable mask bits of GPEs are set as soon as the GPEs are enabled to wake up the system. Unfortunately, this leads to a regression reported by Michal Hocko, where a system is woken up from ACPI S5 by a device that is not supposed to do that, because the wakeup enable mask bit of this device's GPE is always set when acpi_enter_sleep_state() calls acpi_hw_enable_all_wakeup_gpes(), although it should only be set if the device is supposed to wake up the system from the target state. To work around this issue, rework the ACPI power management code so that GPEs are not enabled to wake up the system upfront, but only during a system state transition when the target state of the system is known. [Of course, this means that the reference counting of "wakeup" GPEs doesn't really make sense and it is sufficient to set/unset the wakeup mask bits for them during system sleep transitions. This will allow us to simplify the GPE handling code quite a bit, but that change is too intrusive for 2.6.35.] Fixes https://bugzilla.kernel.org/show_bug.cgi?id=15951 Signed-off-by: Rafael J. Wysocki Reported-and-tested-by: Michal Hocko Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit fac0c3bf65fbb1a29cf603909fde5a71ca7981cd Author: Len Brown Date: Thu Jul 22 16:54:27 2010 -0400 ACPI: skip checking BM_STS if the BIOS doesn't ask for it commit 718be4aaf3613cf7c2d097f925abc3d3553c0605 upstream. It turns out that there is a bit in the _CST for Intel FFH C3 that tells the OS if we should be checking BM_STS or not. Linux has been unconditionally checking BM_STS. If the chip-set is configured to enable BM_STS, it can retard or completely prevent entry into deep C-states -- as illustrated by turbostat: http://userweb.kernel.org/~lenb/acpi/utils/pmtools/turbostat/ ref: Intel Processor Vendor-Specific ACPI Interface Specification table 4 "_CST FFH GAS Field Encoding" Bit 1: Set to 1 if OSPM should use Bus Master avoidance for this C-state https://bugzilla.kernel.org/show_bug.cgi?id=15886 Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 989e4282b0d74ccd334e5049e51a4ac80e17166a Author: Tilman Schmidt Date: Mon Jun 21 13:55:20 2010 +0000 isdn/gigaset: correct CAPI connection state storage commit 1b4843c5e8cbab86830da8a53b8288882060c059 upstream. CAPI applications can handle several connections in parallel, so one connection state per application isn't sufficient. Store the connection state in the channel structure instead. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7432a149e2ad67e4b62f1bdb436006a0b81c0e3d Author: Tilman Schmidt Date: Mon Jun 21 13:55:05 2010 +0000 isdn/gigaset: encode HLC and BC together commit 1ce368ff288ed872a8fee93b8a2b7706111feb9a upstream. Adapt to buggy device firmware which accepts setting HLC only in the same command line as BC, by encoding HLC and BC in a single command if both are specified, and rejecting HLC without BC. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c89ed09d025f08de1e78a85271543375c590fafd Author: Tilman Schmidt Date: Mon Jun 21 13:54:50 2010 +0000 isdn/gigaset: correct CAPI DATA_B3 Delivery Confirmation commit 23b36778b4c82577746d26e4ac0ae66c6f462475 upstream. The Gigaset CAPI driver handled all DATA_B3_REQ messages as if the Delivery Confirmation flag bit was set, delaying the emission of the DATA_B3_CONF reply until the data was actually transmitted. Some CAPI applications (notably Asterisk) aren't happy with that behaviour. Change it to actually evaluate the Delivery Confirmation flag as described the CAPI specification. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 969d220fc2e66ad1a08c6df3f2381ce0b2b1cd05 Author: Tilman Schmidt Date: Mon Jun 21 13:54:35 2010 +0000 isdn/gigaset: correct CAPI voice connection encoding commit 278a582989ade4cb5335762d6c5999562018859d upstream. Make the Gigaset CAPI driver select L2_VOICE (AT^SBPR=2) as the layer 2 encoding for transparent connections, like the ISDN4Linux variant. L2_BITSYNC (AT^SBPR=0) mutes internal connections and distorts external ones. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4c350f3d896082d44a4b878f2e56fd9ee4ec5eae Author: Tilman Schmidt Date: Mon Jun 21 13:54:19 2010 +0000 isdn/gigaset: honor CAPI application's buffer size request commit e7752ee280608a24e27f163641121bdc2c68d6af upstream. Fix the Gigaset CAPI driver to limit the length of a connection's payload data receive buffers to the corresponding CAPI application's data buffer size, as some real-life CAPI applications tend to be rather unhappy if they receive bigger data blocks than requested. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b578244ed982bb29fac1363b4ae29be2142cc151 Author: Tilman Schmidt Date: Sun May 23 01:02:38 2010 +0000 isdn/gigaset: remove dummy CAPI method implementations commit e487639dc8ca6bd6c19a4140f45ebc88da56ddd5 upstream. Dummy implementations for the optional CAPI controller operations load_firmware and reset_ctr can cause userspace callers to hang indefinitely. It's better not to implement them at all. Signed-off-by: Tilman Schmidt Acked-by: Karsten Keil Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b83839af65811ffdce669ecbec121ba11c2be594 Author: Tilman Schmidt Date: Sun May 23 01:02:08 2010 +0000 isdn/capi: make reset_ctr op truly optional commit 85a83560afa69862639fb2d6f670b4440a003335 upstream. The CAPI controller operation reset_ctr is marked as optional, and not all drivers do implement it. Add a check to the kernel CAPI whether it exists before trying to call it. Signed-off-by: Tilman Schmidt Acked-by: Karsten Keil Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f082cf1cd3aa3df00aaf1f273994266140006680 Author: Rafael J. Wysocki Date: Fri Jun 18 17:04:22 2010 +0200 PCI/PM: Do not use native PCIe PME by default commit b27759f880018b0cd43543dc94c921341b64b5ec upstream. Commit c7f486567c1d0acd2e4166c47069835b9f75e77b (PCI PM: PCIe PME root port service driver) causes the native PCIe PME signaling to be used by default, if the BIOS allows the kernel to control the standard configuration registers of PCIe root ports. However, the native PCIe PME is coupled to the native PCIe hotplug and calling pcie_pme_acpi_setup() makes some BIOSes expect that the native PCIe hotplug will be used as well. That, in turn, causes problems to appear on systems where the PCIe hotplug driver is not loaded. The usual symptom, as reported by Jaroslav Kameník and others, is that the ACPI GPE associated with PCIe hotplug keeps firing continuously causing kacpid to take substantial percentage of CPU time. To work around this issue, change the default so that the native PCIe PME signaling is only used if directly requested with the help of the pcie_pme= command line switch. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=15924 , which is a listed regression from 2.6.33. Signed-off-by: Rafael J. Wysocki Reported-by: Jaroslav Kameník Tested-by: Antoni Grzymala Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 552a99e0b27d299ecf755db600701d67fa566552 Author: Ondrej Zary Date: Tue Jun 8 00:32:49 2010 +0200 PM / x86: Save/restore MISC_ENABLE register commit 85a0e7539781dad4bfcffd98e72fa9f130f4e40d upstream. Save/restore MISC_ENABLE register on suspend/resume. This fixes OOPS (invalid opcode) on resume from STR on Asus P4P800-VM, which wakes up with MWAIT disabled. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=15385 Signed-off-by: Ondrej Zary Tested-by: Alan Stern Acked-by: H. Peter Anvin Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e40f6f19040c83453a98da6ad5c87ccfac0d64e7 Author: Michal Hocko Date: Wed Jun 30 09:51:19 2010 +0200 futex: futex_find_get_task remove credentails check commit 7a0ea09ad5352efce8fe79ed853150449903b9f5 upstream. futex_find_get_task is currently used (through lookup_pi_state) from two contexts, futex_requeue and futex_lock_pi_atomic. None of the paths looks it needs the credentials check, though. Different (e)uids shouldn't matter at all because the only thing that is important for shared futex is the accessibility of the shared memory. The credentail check results in glibc assert failure or process hang (if glibc is compiled without assert support) for shared robust pthread mutex with priority inheritance if a process tries to lock already held lock owned by a process with a different euid: pthread_mutex_lock.c:312: __pthread_mutex_lock_full: Assertion `(-(e)) != 3 || !robust' failed. The problem is that futex_lock_pi_atomic which is called when we try to lock already held lock checks the current holder (tid is stored in the futex value) to get the PI state. It uses lookup_pi_state which in turn gets task struct from futex_find_get_task. ESRCH is returned either when the task is not found or if credentials check fails. futex_lock_pi_atomic simply returns if it gets ESRCH. glibc code, however, doesn't expect that robust lock returns with ESRCH because it should get either success or owner died. Signed-off-by: Michal Hocko Acked-by: Darren Hart Cc: Ingo Molnar Cc: Thomas Gleixner Cc: Nick Piggin Cc: Alexey Kuznetsov Cc: Peter Zijlstra Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 73759b079bcc5f30d357cf78e10dd3506371a830 Author: Changli Gao Date: Tue Jun 29 13:10:36 2010 +0200 splice: check f_mode for seekable file commit 19c9a49b432f245c6293508d164a4350f1f2c601 upstream. check f_mode for seekable file As a seekable file is allowed without a llseek function, so the old way isn't work any more. Signed-off-by: Changli Gao Signed-off-by: Miklos Szeredi Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f2df0ea492e2c5ce9c71d8d261522d817986d269 Author: Changli Gao Date: Tue Jun 29 13:09:18 2010 +0200 splice: direct_splice_actor() should not use pos in sd commit 2cb4b05e7647891b46b91c07c9a60304803d1688 upstream. direct_splice_actor() shouldn't use sd->pos, as sd->pos is for file reading, file->f_pos should be used instead. Signed-off-by: Changli Gao Signed-off-by: Miklos Szeredi Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 957e6faf8748ae85f165283b7b0ecf0044315b8e Author: Marcelo Tosatti Date: Wed Jun 2 11:26:26 2010 -0300 KVM: read apic->irr with ioapic lock held Read ioapic->irr inside ioapic->lock protected section. KVM-Stable-Tag Signed-off-by: Marcelo Tosatti (cherry picked from commit 07dc7263b99e4ddad2b4c69765a428ccb7d48938) commit 192a2fb14aef04d86caa255312b1f594f89074b9 Author: Marcelo Tosatti Date: Fri May 28 09:44:59 2010 -0300 KVM: MMU: invalidate and flush on spte small->large page size change Always invalidate spte and flush TLBs when changing page size, to make sure different sized translations for the same address are never cached in a CPU's TLB. Currently the only case where this occurs is when a non-leaf spte pointer is overwritten by a leaf, large spte entry. This can happen after dirty logging is disabled on a memslot, for example. Noticed by Andrea. KVM-Stable-Tag Signed-off-by: Marcelo Tosatti Signed-off-by: Avi Kivity (cherry picked from commit 3be2264be3c00865116f997dc53ebcc90fe7fc4b) commit 2ad9aa75c0c14675b763ced721e8fa615ca97f72 Author: Joerg Roedel Date: Mon May 17 14:43:35 2010 +0200 KVM: SVM: Implement workaround for Erratum 383 This patch implements a workaround for AMD erratum 383 into KVM. Without this erratum fix it is possible for a guest to kill the host machine. This patch implements the suggested workaround for hypervisors which will be published by the next revision guide update. [jan: fix overflow warning on i386] [xiao: fix unused variable warning] Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Jan Kiszka Signed-off-by: Xiao Guangrong Signed-off-by: Avi Kivity (cherry picked from commit 67ec66077799f2fef84b21a643912b179c422281) commit ddf9c303ea76f8d14a798eb54cdf6ebe6b105362 Author: Joerg Roedel Date: Mon May 17 14:43:34 2010 +0200 KVM: SVM: Handle MCEs early in the vmexit process This patch moves handling of the MC vmexits to an earlier point in the vmexit. The handle_exit function is too late because the vcpu might alreadry have changed its physical cpu. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity (cherry picked from commit fe5913e4e1700cbfc337f4b1da9ddb26f6a55586) commit 2ed988589dc2ef2e952d6f9f2f588e9372493dbd Author: Avi Kivity Date: Thu May 27 14:35:58 2010 +0300 KVM: MMU: Remove user access when allowing kernel access to gpte.w=0 page If cr0.wp=0, we have to allow the guest kernel access to a page with pte.w=0. We do that by setting spte.w=1, since the host cr0.wp must remain set so the host can write protect pages. Once we allow write access, we must remove user access otherwise we mistakenly allow the user to write the page. Reviewed-by: Xiao Guangrong Signed-off-by: Avi Kivity (cherry picked from commit 69325a122580d3a7b26589e8efdd6663001c3297) commit 2a8b96d1e1100fbd27aaa69ea760dd10e38ab9cf Author: Ben Hutchings Date: Wed Jul 28 23:59:18 2010 +0100 ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH commit bf988435bd5b53529f4408a8efb1f433f6ddfda9 upstream. struct ethtool_rxnfc was originally defined in 2.6.27 for the ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data fields. It was then extended in 2.6.30 to support various additional commands. These commands should have been defined to use a new structure, but it is too late to change that now. Since user-space may still be using the old structure definition for the ETHTOOL_{G,S}RXFH commands, and since they do not need the additional fields, only copy the originally defined fields to and from user-space. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2ab40331614a9d8e07954602d4aee20bd3be78e0 Author: Jesse Barnes Date: Fri Jul 23 12:03:37 2010 -0700 drm/i915: handle shared framebuffers when flipping commit be9a3dbf65a69933b06011f049b1e2fdfa6bc8b9 upstream. If a framebuffer is shared across CRTCs, the x,y position of one of them is likely to be something other than the origin (e.g. for extended desktop configs). So calculate the offset at flip time so such configurations can work. Fixes https://bugs.freedesktop.org/show_bug.cgi?id=28518. Signed-off-by: Jesse Barnes Tested-by: Thomas M. Tested-by: fangxun Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 642c0447f9c08aff89eefb0ff3f8cf16f7eb8235 Author: Chris Wilson Date: Thu May 27 13:18:13 2010 +0100 drm/i915: Hold the spinlock whilst resetting unpin_work along error path commit 468f0b44ce4b002ca7d9260f802a341854752c02 upstream. Delay taking the mutex until we need to and ensure that we hold the spinlock when resetting unpin_work on the error path. Also defer the debugging print messages until after we have released the spinlock. Signed-off-by: Chris Wilson Cc: Jesse Barnes Cc: Kristian Høgsberg Reviewed-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 430155d430dd1496ecaebc8035c79dc5506ae4f5 Author: Jesse Barnes Date: Mon Apr 5 14:03:51 2010 -0700 drm/i915: don't queue flips during a flip pending event commit 83f7fd055eb3f1e843803cd906179d309553967b upstream. Hardware will set the flip pending ISR bit as soon as it receives the flip instruction, and (supposedly) clear it once the flip completes (e.g. at the next vblank). If we try to send down a flip instruction while the ISR bit is set, the hardware can become very confused, and we may never receive the corresponding flip pending interrupt, effectively hanging the chip. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit aa9d89cdfcd0ca32a36be9235023c7889c4b6b0b Author: Jesse Barnes Date: Fri Mar 26 10:35:20 2010 -0700 drm/i915: gen3 page flipping fixes commit 1afe3e9d4335bf3bc5615e37243dc8fef65dac8f upstream. Gen3 chips have slightly different flip commands, and also contain a bit that indicates whether a "flip pending" interrupt means the flip has been queued or has been completed. So implement support for the gen3 flip command, and make sure we use the flip pending interrupt correctly depending on the value of ECOSKPD bit 0. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 96bb386dcf263e281fca2f3d90ef5146dce89839 Author: Felipe Balbi Date: Mon Jul 5 12:12:01 2010 +0300 USB: musb: tusb6010: fix compile error with n8x0_defconfig commit 2b795ea00c2bbb077a1199a4d729c8ac03a6bded upstream. Drop the unnecessary empty stubs in tusb6010.c and avoid a compile error when building kernel for n8x0. Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit a5f91f111fa8827b36399ef5300ae9f664451102 Author: Corey Minyard Date: Wed Jul 21 08:39:22 2010 -0500 USB: FTDI: Add support for the RT System VX-7 radio programming cable commit fcc6cb789c77ffee31710eec64efeb25f2124f7a upstream. RT Systems has put out bunch of ham radio cables based on the FT232RL chip. Each cable type has a unique PID, this adds one for the Yaesu VX-7 radios. Signed-off-by: Corey Minyard Signed-off-by: Greg Kroah-Hartman commit a53a4e522b1912574baf01dca53a8f511c686b1a Author: Oliver Neukum Date: Wed Jul 14 18:26:22 2010 +0200 USB: add quirk for Broadcom BT dongle commit 63ab71deae67b031045bb28bf8cff45180089f8f upstream. This device needs to be reset when resuming Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit e2891450bf1461078fb7b345f758c17451e6105b Author: Sarah Sharp Date: Sat Jul 10 15:48:01 2010 +0200 USB: xhci: Set Mult field in endpoint context correctly. commit c30c791c946a14a03e87819eced562ed28711961 upstream. The bmAttributes field of the SuperSpeed Endpoint Companion Descriptor has different meanings, depending on the endpoint type. If the endpoint is isochronous, the bmAttributes field is the maximum number of packets within a service interval that this endpoint supports. If the endpoint is bulk, it's the number of stream IDs this endpoint supports. Only set the Mult field of the xHCI endpoint context using the bmAttributes field if the endpoint is isochronous, and the device is a SuperSpeed device. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit a9558dd8eda25d345cbb13155de05b289348ec11 Author: Oliver Neukum Date: Fri Jul 16 17:36:26 2010 +0200 USB: sisusbvga: Fix for USB 3.0 commit 20a12f007feee1cfa761b431047271d1141d8031 upstream. Super speed is also fast enough to let sisusbvga operate. Therefor expand the checks. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit af75e8c313ec87ab4d66dc5c283caa3b8f482930 Author: Paul Mortier Date: Fri Jul 9 13:18:50 2010 +0100 USB: adds Artisman USB dongle to list of quirky devices commit 47f19c0eedb377ad1ee8114f464d001ec5f96a69 upstream. When an attempt is made to read the interface strings of the Artisman Watchdog USB dongle (idVendor:idProduct 04b4:0526) an error is written to the dmesg log (uhci_result_common: failed with status 440000) and the dongle resets itself, resulting in a disconnect/reconnect loop. Adding the dongle to the list of devices in quirks.c, with the same quirk Alan Stern's previous patch for the Saitek Cyborg Gold 3D joystick, stops the device from resetting and allows it to be used with no problems. Signed-off-by: Paul Mortier Signed-off-by: Greg Kroah-Hartman commit a4f16eede5fb267bb6c0026a4ce816cd715f3514 Author: Sarah Sharp Date: Fri Jul 9 17:08:48 2010 +0200 USB: Fix USB3.0 Port Speed Downgrade after port reset commit 809cd1cb80d7dffe75dc94bc94ef2aab3dadc86a upstream. Without this fix, a USB 3.0 port is downgraded to full speed after a port reset of a configured device. The USB 3.0 terminations will be disabled permanently, and USB 3.0 devices will always enumerate as full speed devices, until the host controller is unplugged (if it is an ExpressCard) or the computer is rebooted. Fajun Chen traced this traced the speed downgrade issue to the port reset and the interpretation of port status in USB hub driver code. The hub code was not testing for the port being a SuperSpeed port, and it fell through to the else case of Full Speed. The following patch adds SuperSpeed mapping from the port status, and fixes the speed downgrade issue. Reported-by: Fajun Chen Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit b00bd2dbb54d1c89c258e5dcd3560113820ebe72 Author: Dennis Jansen Date: Fri Jul 9 22:03:53 2010 +0200 USB: option: Add support for AMOI Skypephone S2 commit 7595931c986f50b1e197ce7b881563e36a7d041e upstream. usbserial: Add AMOI Skypephone S2 support. This patch adds support for the AMOI Skypephone S2 to the usbserial module. Tested-by: Dennis Jansen Signed-off-by: Dennis Jansen Signed-off-by: Greg Kroah-Hartman commit 77ab6bb773d338aa042997c78f7fe507a7bfd88b Author: Colin Leitner Date: Thu Jul 1 10:49:55 2010 +0200 USB: ftdi_sio: support for Signalyzer tools based on FTDI chips commit 77dbd74e16b566e9d5eeb4be18ae3ee7d5902bd3 upstream. ftdi_sio: support for Signalyzer tools based on FTDI chips This patch adds support for the Xverve Signalyzers. Signed-off-by: Colin Leitner Signed-off-by: Greg Kroah-Hartman commit 900ee852dd6d2b395003358bf92f8b9f49aca981 Author: august huber Date: Mon Jun 28 11:46:05 2010 -0700 USB: Add PID for Sierra 250U to drivers/usb/serial/sierra.c commit 9d72c81d657340e54a260a3b621f4a9f5b33829c upstream. Add VID/PID for Sierra Wireless 250U USB dongle to sierra.c Allows use of 3G radio only Signed-off-by: August Huber Cc: Elina Pasheva Signed-off-by: Greg Kroah-Hartman commit c36a54b391ecb77c403c64e2c55913ad06f55daf Author: Ömer Sezgin Ugurlu Date: Mon Jun 28 19:01:58 2010 +0300 USB: option: add support for 1da5:4518 commit 646d90e2b925578abef5c45853e0b166b6a450bf upstream. Signed-off-by: Omer Sezgin Ugurlu Signed-off-by: Greg Kroah-Hartman commit 2d3ade33686e0733ab4232f9f1b165a1359118b5 Author: Sergei Shtylyov Date: Thu Jun 24 23:07:07 2010 +0530 USB: MUSB: make non-OMAP platforms build with CONFIG_PM=y commit 9297688a9257d73956d4bba484d9dd331ca72c25 upstream. Attempt to build MUSB driver with CONFIG_PM=y (e.g. in the OTG mode) on DaVinci results in these link errors: drivers/built-in.o: In function `musb_restore_context': led-triggers.c:(.text+0x714d8): undefined reference to `musb_platform_restore_context' drivers/built-in.o: In function `musb_save_context': led-triggers.c:(.text+0x71788): undefined reference to `musb_platform_save_context' This turned out to be caused by commit 9957dd97ec5e98dd334f87ade1d9a0b24d1f86eb (usb: musb: Fix compile error for omaps for musb_hdrc). Revert it, taking into account the rename of CONFIG_ARCH_OMAP34XX into CONFIG_ARCH_OMAP3 (which that commit fixed in a completely inappropriate way) and the recent addition of OMAP4 support. Signed-off-by: Sergei Shtylyov Signed-off-by: Ajay Kumar Gupta Acked-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit bea5a7303059406b7d3bbfe73a1a47ac275032ff Author: Sergei Shtylyov Date: Thu Jun 24 23:07:06 2010 +0530 USB: musb_core: make disconnect and suspend interrupts work again commit 7d9645fdca444d53907b22a4b73e3967efe09781 upstream. Commit 1c25fda4a09e8229800979986ef399401053b46e (usb: musb: handle irqs in the order dictated by programming guide) forgot to get rid of the old 'STAGE0_MASK' filter for calling musb_stage0_irq(), so now disconnect and suspend interrupts are effectively ignored... Signed-off-by: Sergei Shtylyov Signed-off-by: Ajay Kumar Gupta Acked-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit bffdf16f221495b9ff05fe5dff6c5e3c27e50bf2 Author: Alan Stern Date: Tue Jun 22 16:14:48 2010 -0400 USB: obey the sysfs power/wakeup setting commit 48826626263d4a61d06fd8c5805da31f925aefa0 upstream. This patch (as1403) is a partial reversion of an earlier change (commit 5f677f1d45b2bf08085bbba7394392dfa586fa8e "USB: fix remote wakeup settings during system sleep"). After hearing from a user, I realized that remote wakeup should be enabled during system sleep whenever userspace allows it, and not only if a driver requests it too. Indeed, there could be a device with no driver, that does nothing but generate a wakeup request when the user presses a button. Such a device should be allowed to do its job. The problem fixed by the earlier patch -- device generating a wakeup request for no reason, causing system suspend to abort -- was also addressed by a later patch ("USB: don't enable remote wakeup by default", accepted but not yet merged into mainline). The device won't be able to generate the bogus wakeup requests because it will be disabled for remote wakeup by default. Hence this reversion will not re-introduce any old problems. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 97d3985f8785d64a98e1bba747feeb1e87cc9a01 Author: Wolfram Sang Date: Tue Jun 15 12:34:23 2010 +0200 USB: ehci-mxc: bail out on transceiver problems commit 4c9715de52b9b6256bf1e9510917111a47b0c176 upstream. The old code registered the hcd even if there were no transceivers detected, leading to oopses like this if we try to probe a non-existant ULPI: [ 2.730000] mxc-ehci mxc-ehci.0: unable to init transceiver [ 2.740000] timeout polling for ULPI device [ 2.740000] timeout polling for ULPI device [ 2.750000] mxc-ehci mxc-ehci.0: unable to enable vbus on transceiver [ 2.750000] mxc-ehci mxc-ehci.0: Freescale On-Chip EHCI Host Controller [ 2.760000] mxc-ehci mxc-ehci.0: new USB bus registered, assigned bus number 2 [ 2.770000] Unhandled fault: external abort on non-linefetch (0x808) at 0xc4876184 [ 2.770000] Internal error: : 808 [#1] PREEMPT [ 2.770000] last sysfs file: [ 2.770000] Modules linked in: [ 2.770000] CPU: 0 Not tainted (2.6.33.5 #5) [ 2.770000] PC is at ehci_hub_control+0x4d4/0x8f8 [ 2.770000] LR is at ehci_mxc_setup+0xbc/0xdc [ 2.770000] pc : [] lr : [] psr: 00000093 [ 2.770000] sp : c3815e40 ip : 00000001 fp : 60000013 [ 2.770000] r10: c4876184 r9 : 00000000 r8 : c3814000 [ 2.770000] r7 : c391d2cc r6 : 00000001 r5 : 00000001 r4 : 00000000 [ 2.770000] r3 : 80000000 r2 : 00000007 r1 : 80000000 r0 : c4876184 [ 2.770000] Flags: nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel [ 2.770000] Control: 0005317f Table: a0004000 DAC: 00000017 [ 2.770000] Process swapper (pid: 1, stack limit = 0xc3814270) ... Signed-off-by: Wolfram Sang Cc: Sascha Hauer Acked-by: Daniel Mack Signed-off-by: Greg Kroah-Hartman commit ee56af51036381add98dab548e3f6dea1406bf07 Author: Maulik Mankad Date: Tue Jun 15 14:40:27 2010 +0530 usb: musb: Fix a bug by making suspend interrupt available in device mode commit 2bb14cbf04ded4b9e394a6ba9e4f06b82fbac8b2 upstream. As a part of aligning the ISR code for MUSB with the specs, the ISR code was re-written. See Commit 1c25fda4a09e8229800979986ef399401053b46e (usb: musb: handle irqs in the order dictated by programming guide) With this the suspend interrupt came accidently under CONFIG_USB_MUSB_HDRC_HCD. The fix brings suspend interrupt handling outside CONFIG_USB_MUSB_HDRC_HCD. Signed-off-by: Maulik Mankad Cc: David Brownell Acked-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 62d488187b265f667d4a8b12b1d00ccc66c80e27 Author: Jon Povey Date: Mon Jun 14 19:42:10 2010 +0900 USB: g_serial: fix tty cleanup on unload commit b23097b793081358a6d943263c91bae4c955c4e3 upstream. Call put_tty_driver() in cleanup function, to fix Oops when trying to open gadget serial char device after module unload. Signed-off-by: Jon Povey Acked-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit 54fb947936efde2d9710f3d3748755f36a381ac9 Author: Jon Povey Date: Mon Jun 14 19:41:04 2010 +0900 USB: g_serial: don't set low_latency flag commit 44a0c0190b500ee6bcfc0976fe540f65dee2cd67 upstream. No longer set low_latency flag as it causes this warning backtrace: WARNING: at kernel/mutex.c:207 __mutex_lock_slowpath+0x6c/0x288() Fix associated locking and wakeups. Signed-off-by: Jon Povey Cc: Maulik Mankad Acked-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit c226e63e40f2d3caa0ecd056c35c2e17332eac68 Author: Alan Stern Date: Fri Apr 2 13:21:33 2010 -0400 USB: don't enable remote wakeup by default commit 7aba8d014341341590ecb64050b7a026642a62eb upstream. This patch (as1364) avoids enabling remote wakeup by default on all non-root-hub USB devices. Individual drivers or userspace will have to enable it wherever it is needed, such as for keyboards or network interfaces. Note: This affects only system sleep, not autosuspend. External hubs will continue to relay wakeup requests received from downstream through their upstream port, even when remote wakeup is not enabled for the hub itself. Disabling remote wakeup on a hub merely prevents it from generating wakeup requests in response to connect, disconnect, and overcurrent events. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 97f31b3e803a18e75e4f6e5d0beeda3b6e7a9732 Author: Adam Lackorzynski Date: Tue Jul 20 15:18:19 2010 -0700 x86, i8259: Only register sysdev if we have a real 8259 PIC commit 087b255a2b43f417af83cb44e0bb02507f36b7fe upstream. My platform makes use of the null_legacy_pic choice and oopses when doing a shutdown as the shutdown code goes through all the registered sysdevs and calls their shutdown method which in my case poke on a non-existing i8259. Imho the i8259 specific sysdev should only be registered if the i8259 is actually there. Do not register the sysdev function when the null_legacy_pic is used so that the i8259 resume, suspend and shutdown functions are not called. Signed-off-by: Adam Lackorzynski LKML-Reference: <201007202218.o6KMIJ3m020955@imap1.linux-foundation.org> Cc: Jacob Pan Signed-off-by: Andrew Morton Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 43197d90b5c24db796ff4448b3ace7f46048dab3 Author: Roland McGrath Date: Fri Jul 16 18:17:12 2010 -0700 x86: kprobes: fix swapped segment registers in kretprobe commit a197479848a2f1a2a5c07cffa6c31ab5e8c82797 upstream. In commit f007ea26, the order of the %es and %ds segment registers got accidentally swapped, so synthesized 'struct pt_regs' frames have the two values inverted. It's almost sure that these values never matter, and that they also never differ. But wrong is wrong. Signed-off-by: Roland McGrath Signed-off-by: Greg Kroah-Hartman commit b55e938d07d4af42af8997a78bce880b5778f41d Author: Jacob Pan Date: Fri Jul 16 11:58:26 2010 -0700 x86, pci, mrst: Add extra sanity check in walking the PCI extended cap chain commit f82c3d71d6fd2e6a3e3416f09099e29087e39abf upstream. The fixed bar capability structure is searched in PCI extended configuration space. We need to make sure there is a valid capability ID to begin with otherwise, the search code may stuck in a infinite loop which results in boot hang. This patch adds additional check for cap ID 0, which is also invalid, and indicates end of chain. End of chain is supposed to have all fields zero, but that doesn't seem to always be the case in the field. Suggested-by: "H. Peter Anvin" Signed-off-by: Jacob Pan Reviewed-by: Jesse Barnes LKML-Reference: <1279306706-27087-1-git-send-email-jacob.jun.pan@linux.intel.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit f3cc1d7b74d0d128da2cc39cf88390ed4f95e08d Author: Stefano Stabellini Date: Wed Jul 21 18:32:37 2010 +0100 x86: Do not try to disable hpet if it hasn't been initialized before commit ff4878089e1eaeac79d57878ad4ea32910fb4037 upstream. hpet_disable is called unconditionally on machine reboot if hpet support is compiled in the kernel. hpet_disable only checks if the machine is hpet capable but doesn't make sure that hpet has been initialized. [ tglx: Made it a one liner and removed the redundant hpet_address check ] Signed-off-by: Stefano Stabellini Acked-by: Venkatesh Pallipadi LKML-Reference: Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit e57cd382184cdd5881e2a53339bb6b66fd8b77ec Author: Nicolas Pitre Date: Wed Jul 14 05:21:22 2010 +0100 ARM: 6226/1: fix kprobe bug in ldr instruction emulation commit 0ebe25f90cd99bb1bcf622ec8a841421d48380d6 upstream. From: Bin Yang Signed-off-by: Bin Yang Signed-off-by: Nicolas Pitre Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit c024b55cc5f6cd9f16f2967bd7334f2a8b91981f Author: Will Deacon Date: Thu Jul 8 10:59:16 2010 +0100 ARM: 6212/1: atomic ops: add memory constraints to inline asm commit 398aa66827155ef52bab58bebd24597d90968929 upstream. Currently, the 32-bit and 64-bit atomic operations on ARM do not include memory constraints in the inline assembly blocks. In the case of barrier-less operations [for example, atomic_add], this means that the compiler may constant fold values which have actually been modified by a call to an atomic operation. This issue can be observed in the atomic64_test routine in /lib/atomic64_test.c: 00000000 : 0: e1a0c00d mov ip, sp 4: e92dd830 push {r4, r5, fp, ip, lr, pc} 8: e24cb004 sub fp, ip, #4 c: e24dd008 sub sp, sp, #8 10: e24b3014 sub r3, fp, #20 14: e30d000d movw r0, #53261 ; 0xd00d 18: e3011337 movw r1, #4919 ; 0x1337 1c: e34c0001 movt r0, #49153 ; 0xc001 20: e34a1aa3 movt r1, #43683 ; 0xaaa3 24: e16300f8 strd r0, [r3, #-8]! 28: e30c0afe movw r0, #51966 ; 0xcafe 2c: e30b1eef movw r1, #48879 ; 0xbeef 30: e34d0eaf movt r0, #57007 ; 0xdeaf 34: e34d1ead movt r1, #57005 ; 0xdead 38: e1b34f9f ldrexd r4, [r3] 3c: e1a34f90 strexd r4, r0, [r3] 40: e3340000 teq r4, #0 44: 1afffffb bne 38 48: e59f0004 ldr r0, [pc, #4] ; 54 4c: e3a0101e mov r1, #30 50: ebfffffe bl 0 <__bug> 54: 00000000 .word 0x00000000 The atomic64_set (0x38-0x44) writes to the atomic64_t, but the compiler doesn't see this, assumes the test condition is always false and generates an unconditional branch to __bug. The rest of the test is optimised away. This patch adds suitable memory constraints to the atomic operations on ARM to ensure that the compiler is informed of the correct data hazards. We have to use the "Qo" constraints to avoid hitting the GCC anomaly described at http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44492 , where the compiler makes assumptions about the writeback in the addressing mode used by the inline assembly. These constraints forbid the use of auto{inc,dec} addressing modes, so it doesn't matter if we don't use the operand exactly once. Reviewed-by: Nicolas Pitre Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 4ed7b05dfcc8cffdc34091b06455fd03f3932a6b Author: Will Deacon Date: Thu Jul 8 10:58:06 2010 +0100 ARM: 6211/1: atomic ops: fix register constraints for atomic64_add_unless commit 068de8d1be48a04b92fd97f76bb7e113b7be82a8 upstream. The atomic64_add_unless function compares an atomic variable with a given value and, if they are not equal, adds another given value to the atomic variable. The function returns zero if the addition did not occur and non-zero otherwise. On ARM, the return value is initialised to 1 in C code. Inline assembly code then performs the atomic64_add_unless operation, setting the return value to 0 iff the addition does not occur. This means that when the addition *does* occur, the value of ret must be preserved across the inline assembly and therefore requires a "+r" constraint rather than the current one of "=&r". Thanks to Nicolas Pitre for helping to spot this. Reviewed-by: Nicolas Pitre Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 62de72363dc42c800c1673f9d128a95829c9804d Author: Catalin Marinas Date: Thu Jul 1 13:21:47 2010 +0100 ARM: 6201/1: RealView: Do not use outer_sync() on ARM11MPCore boards with L220 commit 2503a5ecd86c002506001eba432c524ea009fe7f upstream. RealView boards with certain revisions of the L220 cache controller (ARM11* processors only) may have issues (hardware deadlock) with the recent changes to the mb() barrier implementation (DSB followed by an L2 cache sync). The patch redefines the RealView ARM11MPCore mandatory barriers without the outer_sync() call. Tested-by: Linus Walleij Signed-off-by: Catalin Marinas Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 84a31e648dc5c2677f150ab0fadfb516a8d9abf4 Author: Dmitry Torokhov Date: Tue Jul 20 20:25:35 2010 -0700 Input: twl40300-keypad - fix handling of "all ground" rows commit 3fea60261e73dbf4a51130d40cafcc8465b0f2c3 upstream. The Nokia RX51 board code (arch/arm/mach-omap2/board-rx51-peripherals.c) defines a key map for the matrix keypad keyboard. The hardware seems to use all of the 8 rows and 8 columns of the keypad, although not all possible locations are used. The TWL4030 supports keypads with at most 8 rows and 8 columns. Most keys are defined with a row and column number between 0 and 7, except KEY(0xff, 2, KEY_F9), KEY(0xff, 4, KEY_F10), KEY(0xff, 5, KEY_F11), which represent keycodes that should be emitted when entire row is connected to the ground. since the driver handles this case as if we had an extra column in the key matrix. Unfortunately we do not allocate enough space and end up owerwriting some random memory. Reported-and-tested-by: Laurent Pinchart Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 6e34534e50579b7cdee843b0caf45a19c5647c16 Author: Kamal Mostafa Date: Mon Jul 19 11:00:52 2010 -0700 Input: i8042 - add Gigabyte Spring Peak to dmi_noloop_table commit 3e1bbc8d5018a05c0793c8a32b777a1396eb4414 upstream. Gigabyte "Spring Peak" notebook indicates wrong chassis-type, tripping up i8042 and breaking the touchpad. Add this model to i8042_dmi_noloop_table[] to resolve. BugLink: https://bugs.launchpad.net/bugs/580664 Signed-off-by: Kamal Mostafa Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 17d2c1ac34544a906cb74a8803e642788f214a55 Author: Or Gerlitz Date: Sun Jun 6 04:59:16 2010 +0000 IPoIB: Fix world-writable child interface control sysfs attributes commit 7a52b34b07122ff5f45258d47f260f8a525518f0 upstream. Sumeet Lahorani reported that the IPoIB child entries are world-writable; however we don't want ordinary users to be able to create and destroy child interfaces, so fix them to be writable only by root. Signed-off-by: Or Gerlitz Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit ecd850f110870c9a72c7e6dc1e413dff676fed3a Author: Yinghai Lu Date: Thu Jul 15 00:00:59 2010 -0700 x86: Fix x2apic preenabled system with kexec commit fd19dce7ac07973f700b0f13fb7f94b951414a4c upstream. Found one x2apic system kexec loop test failed when CONFIG_NMI_WATCHDOG=y (old) or CONFIG_LOCKUP_DETECTOR=y (current tip) first kernel can kexec second kernel, but second kernel can not kexec third one. it can be duplicated on another system with BIOS preenabled x2apic. First kernel can not kexec second kernel. It turns out, when kernel boot with pre-enabled x2apic, it will not execute disable_local_APIC on shutdown path. when init_apic_mappings() is called in setup_arch, it will skip setting of apic_phys when x2apic_mode is set. ( x2apic_mode is much early check_x2apic()) Then later, disable_local_APIC() will bail out early because !apic_phys. So check !x2apic_mode in x2apic_mode in disable_local_APIC with !apic_phys. another solution could be updating init_apic_mappings() to set apic_phys even for preenabled x2apic system. Actually even for x2apic system, that lapic address is mapped already in early stage. BTW: is there any x2apic preenabled system with apicid of boot cpu > 255? Signed-off-by: Yinghai Lu LKML-Reference: <4C3EB22B.3000701@kernel.org> Acked-by: Suresh Siddha Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit ac3c31b6403ec96ce21a92d13630c2fdf8fc0be7 Author: Dmitry Torokhov Date: Tue Jul 20 20:25:35 2010 -0700 Input: gamecon - reference correct pad in gc_psx_command() commit c25f7b763cc35a249232ce612a36a811b0e263f9 upstream. Otherwise we won't see any events from the gamepad. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16408 Reported-and-tested-by: Eugene Yudin Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 590a040d36b9bb5aa1b2a59de1675670f2823330 Author: Dmitry Torokhov Date: Tue Jul 20 20:25:35 2010 -0700 Input: gamecon - reference correct input device in NES mode commit 7b5d3312fbfbb21d2fc7de94e0db66cfdf8b0055 upstream. We moved input devices from 'struct gc' to individial pads (struct gc-pad), but gc_nes_process_packet() was still trying to use old ones and crashing. Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 34efb27b0b051927fdcde30da3aec0e42d727bb4 Author: Yinghai Lu Date: Tue Jul 20 13:24:31 2010 -0700 x86,nobootmem: make alloc_bootmem_node fall back to other node when 32bit numa is used commit b8ab9f82025adea77864115da73e70026fa4f540 upstream. Borislav Petkov reported his 32bit numa system has problem: [ 0.000000] Reserving total of 4c00 pages for numa KVA remap [ 0.000000] kva_start_pfn ~ 32800 max_low_pfn ~ 375fe [ 0.000000] max_pfn = 238000 [ 0.000000] 8202MB HIGHMEM available. [ 0.000000] 885MB LOWMEM available. [ 0.000000] mapped low ram: 0 - 375fe000 [ 0.000000] low ram: 0 - 375fe000 [ 0.000000] alloc (nid=8 100000 - 7ee00000) (1000000 - ffffffff) 1000 1000 => 34e7000 [ 0.000000] alloc (nid=8 100000 - 7ee00000) (1000000 - ffffffff) 200 40 => 34c9d80 [ 0.000000] alloc (nid=0 100000 - 7ee00000) (1000000 - ffffffffffffffff) 180 40 => 34e6140 [ 0.000000] alloc (nid=1 80000000 - c7e60000) (1000000 - ffffffffffffffff) 240 40 => 80000000 [ 0.000000] BUG: unable to handle kernel paging request at 40000000 [ 0.000000] IP: [] __alloc_memory_core_early+0x147/0x1d6 [ 0.000000] *pdpt = 0000000000000000 *pde = f000ff53f000ff00 ... [ 0.000000] Call Trace: [ 0.000000] [] ? __alloc_bootmem_node+0x216/0x22f [ 0.000000] [] ? sparse_early_usemaps_alloc_node+0x5a/0x10b [ 0.000000] [] ? sparse_init+0x1dc/0x499 [ 0.000000] [] ? paging_init+0x168/0x1df [ 0.000000] [] ? native_pagetable_setup_start+0xef/0x1bb looks like it allocates too much high address for bootmem. Try to cut limit with get_max_mapped() Reported-by: Borislav Petkov Tested-by: Conny Seidel Signed-off-by: Yinghai Lu Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Thomas Gleixner Cc: Johannes Weiner Cc: Lee Schermerhorn Cc: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 49278791e5519df7fb896cf99b5060fb55e0b088 Author: Mark Brown Date: Sat Jul 17 14:20:17 2010 +0100 ASoC: Remove duplicate AUX definition from WM8776 commit 3c0709396df0869786f83e4b2d2d687c70ee886d upstream. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 70213137d297bd17a42f57f0cc505a7f4203044e Author: Anton Vorontsov Date: Tue Jul 20 13:24:27 2010 -0700 edac: mpc85xx: fix MPC85xx dependency commit 1cd8521e7d77def75fdb1cb35ecd135385e4be4f upstream. Since commit 5753c082f66eca5be81f6bda85c1718c5eea6ada ("powerpc/85xx: Kconfig cleanup"), there is no MPC85xx Kconfig symbol anymore, so the driver became non-selectable. This patch fixes the issue by switching to PPC_85xx symbol. Signed-off-by: Anton Vorontsov Cc: Doug Thompson Cc: Peter Tyser Cc: Dave Jiang Cc: Kumar Gala Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c558ea6dff2c2efe3329d95bbadd9cdad272dc6d Author: Michael S. Tsirkin Date: Mon Jul 26 16:55:30 2010 +0930 virtio: fix oops on OOM commit 1fe9b6fef11771461e69ecd1bc8935a1c7c90cb5 upstream. virtio ring was changed to return an error code on OOM, but one caller was missed and still checks for vq->vring.num. The fix is just to check for <0 error code. Long term it might make sense to change goto add_head to just return an error on oom instead, but let's apply a minimal fix for 2.6.35. Reported-by: Chris Mason Signed-off-by: Michael S. Tsirkin Signed-off-by: Rusty Russell Tested-by: Chris Mason Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0094153a72107b3097818f1221c1f49c2eb0db90 Author: Rusty Russell Date: Fri Jul 2 16:34:01 2010 +0000 virtio_net: fix oom handling on tx commit 58eba97d0774c69b1cf3e5a8ac74419409d1abbf upstream. virtio net will never try to overflow the TX ring, so the only reason add_buf may fail is out of memory. Thus, we can not stop the device until some request completes - there's no guarantee anything at all is outstanding. Make the error message clearer as well: error here does not indicate queue full. Signed-off-by: Michael S. Tsirkin Signed-off-by: Rusty Russell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8fc3550ab44cbec695d2798ac7327642fa72b8f0 Author: Marek Szyprowski Date: Tue Jul 20 13:24:33 2010 -0700 sdhci-s3c: add missing remove function commit 9d51a6b2487724e8713cd2794cf09ffeee5f6932 upstream. System will crash sooner or later once the memory with the code of the s3c-sdhci.ko module is reused for something else. I really have no idea how the lack of remove function went unnoticed into the mainline code. Signed-off-by: Marek Szyprowski Signed-off-by: Kyungmin Park Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 105adbca9af012dc51b41a1fbea71e1b6d7ebc17 Author: Catalin Marinas Date: Mon Jul 19 11:54:15 2010 +0100 kmemleak: Add support for NO_BOOTMEM configurations commit 9078370c0d2cfe4a905aa34f398bbb0d65921a2b upstream. With commits 08677214 and 59be5a8e, alloc_bootmem()/free_bootmem() and friends use the early_res functions for memory management when NO_BOOTMEM is enabled. This patch adds the kmemleak calls in the corresponding code paths for bootmem allocations. Signed-off-by: Catalin Marinas Acked-by: Pekka Enberg Acked-by: Yinghai Lu Cc: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit a0067e0cd98be2022d3ff5c41d4f5a24ff48918f Author: Anton Vorontsov Date: Thu Jul 8 21:16:14 2010 +0400 powerpc/cpm1: Fix build with various CONFIG_*_UCODE_PATCH combinations commit 2069a6ae19a34d96cc9cb284eb645b165138e03f upstream. Warnings are treated as errors for arch/powerpc code, so build fails with CONFIG_I2C_SPI_UCODE_PATCH=y: CC arch/powerpc/sysdev/micropatch.o cc1: warnings being treated as errors arch/powerpc/sysdev/micropatch.c: In function 'cpm_load_patch': arch/powerpc/sysdev/micropatch.c:630: warning: unused variable 'smp' make[1]: *** [arch/powerpc/sysdev/micropatch.o] Error 1 And with CONFIG_USB_SOF_UCODE_PATCH=y: CC arch/powerpc/sysdev/micropatch.o cc1: warnings being treated as errors arch/powerpc/sysdev/micropatch.c: In function 'cpm_load_patch': arch/powerpc/sysdev/micropatch.c:629: warning: unused variable 'spp' arch/powerpc/sysdev/micropatch.c:628: warning: unused variable 'iip' make[1]: *** [arch/powerpc/sysdev/micropatch.o] Error 1 This patch fixes these issues by introducing proper #ifdefs. Signed-off-by: Anton Vorontsov Signed-off-by: Kumar Gala Signed-off-by: Greg Kroah-Hartman commit dc1671aaead838d5a3ed5a69317c73e0a18c9546 Author: Anton Vorontsov Date: Thu Jul 8 21:16:10 2010 +0400 powerpc/cpm: Reintroduce global spi_pram struct (fixes build issue) commit 56825c88ff438f4dbb51a44591cc29e707fe783a upstream. spi_t was removed in commit 644b2a680ccc51a9ec4d6beb12e9d47d2dee98e2 ("powerpc/cpm: Remove SPI defines and spi structs"), the commit assumed that spi_t isn't used anywhere outside of the spi_mpc8xxx driver. But it appears that the struct is needed for micropatch code. So, let's reintroduce the struct. Fixes the following build issue: CC arch/powerpc/sysdev/micropatch.o micropatch.c: In function 'cpm_load_patch': micropatch.c:629: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token micropatch.c:629: error: 'spp' undeclared (first use in this function) micropatch.c:629: error: (Each undeclared identifier is reported only once micropatch.c:629: error: for each function it appears in.) Reported-by: LEROY Christophe Reported-by: Tony Breeds Signed-off-by: Anton Vorontsov Signed-off-by: Kumar Gala Signed-off-by: Greg Kroah-Hartman commit be493139aa880313453313a426a12b13a6b084b7 Author: Johannes Berg Date: Wed Jun 16 00:09:35 2010 +0000 powerpc: Fix logic error in fixup_irqs commit 3cd8519248e9e17d982c6fab0f1a89bca6feb49a upstream. When SPARSE_IRQ is set, irq_to_desc() can return NULL. While the code here has a check for NULL, it's not really correct. Fix it by separating the check for it. This fixes CPU hot unplug for me. Reported-by: Alastair Bridgewater Signed-off-by: Johannes Berg Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit b2ae72c4a8c172cd4fbe987c0f90764e5b63c55c Author: Ben Hutchings Date: Mon Jun 28 08:44:07 2010 +0000 ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL commit db048b69037e7fa6a7d9e95a1271a50dc08ae233 upstream. On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4d8712a629029881f096736ea7aebe57f2dde2e2 Author: Tejun Heo Date: Tue Jun 22 12:27:26 2010 +0200 ata_generic: implement ATA_GEN_* flags and force enable DMA on MBP 7,1 commit 1529c69adce1e95f7ae72f0441590c226bbac7fc upstream. IDE mode of MCP89 on MBP 7,1 doesn't set DMA enable bits in the BMDMA status register. Make the following changes to work around the problem. * Instead of using hard coded 1 in id->driver_data as class code match, use ATA_GEN_CLASS_MATCH and carry the matched id in host->private_data. * Instead of matching PCI_VENDOR_ID_CENATEK, use ATA_GEN_FORCE_DMA flag in id instead. * Add ATA_GEN_FORCE_DMA to the id entry of MBP 7,1. Signed-off-by: Tejun Heo Cc: Peer Chen Reported-by: Anders Østhus Reported-by: Andreas Graf Reported-by: Benoit Gschwind Reported-by: Damien Cassou Reported-by: tixetsal@juno.com Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit a651b8c1114dbe0cee885a787b204e2fabb27a01 Author: Tejun Heo Date: Thu Jun 17 11:42:22 2010 +0200 ahci,ata_generic: let ata_generic handle new MBP w/ MCP89 commit c6353b4520788e34098bbf61c73fb9618ca7fdd6 upstream. For yet unknown reason, MCP89 on MBP 7,1 doesn't work w/ ahci under linux but the controller doesn't require explicit mode setting and works fine with ata_generic. Make ahci ignore the controller on MBP 7,1 and let ata_generic take it for now. Reported in bko#15923. https://bugzilla.kernel.org/show_bug.cgi?id=15923 NVIDIA is investigating why ahci mode doesn't work. Signed-off-by: Tejun Heo Cc: Peer Chen Reported-by: Anders Østhus Reported-by: Andreas Graf Reported-by: Benoit Gschwind Reported-by: Damien Cassou Reported-by: tixetsal@juno.com Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 7fd17ce98fb333003ece62ab16e873062ee64d14 Author: Joakim Tjernlund Date: Tue Jun 29 15:05:34 2010 -0700 rtc: fix ds1388 time corruption commit 96fc3a45ea073136566f3c2676cad52f8b39a7df upstream. The ds1307 driver misreads the ds1388 registers when checking for 12 or 24 hour mode. Instead of checking the hour register it reads the minute register. Therefore the driver thinks minutes >= 40 has the 12HR bit set and resets the minute register by zeroing the high bits. This results in minutes are reset to 0-9, jumping back in time 40 or 50 minutes. The time jump is also written back to the RTC. Signed-off-by: Joakim Tjernlund Cc: Wan ZongShun Cc: Alessandro Zummo Cc: Paul Gortmaker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c16b1c3809898538223a78bee8a84eeb14a7b275 Author: Mikael Pettersson Date: Tue Jun 29 15:05:25 2010 -0700 compiler-gcc.h: gcc-4.5 needs noclone and noinline on __naked functions commit 9c695203a7ddbe49dba5f22f4c941d24f47475df upstream. A __naked function is defined in C but with a body completely implemented by asm(), including any prologue and epilogue. These asm() bodies expect standard calling conventions for parameter passing. Older GCCs implement that correctly, but 4.[56] currently do not, see GCC PR44290. In the Linux kernel this breaks ARM, causing most arch/arm/mm/copypage-*.c modules to get miscompiled, resulting in kernel crashes during bootup. Part of the kernel fix is to augment the __naked function attribute to also imply noinline and noclone. This patch implements that, and has been verified to fix boot failures with gcc-4.5 compiled 2.6.34 and 2.6.35-rc1 kernels. The patch is a no-op with older GCCs. Signed-off-by: Mikael Pettersson Signed-off-by: Khem Raj Cc: Russell King Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d4de4749aea60679715d7c30a05ac2afa98bb83a Author: Liu Aleaxander Date: Tue Jun 29 15:05:40 2010 -0700 um: os-linux/mem.c needs sys/stat.h commit fb967ecc584c20c74a007de749ca597068b0fcac upstream. The os-linux/mem.c file calls fchmod function, which is declared in sys/stat.h header file, so include it. Fixes build breakage under FC13. Signed-off-by: Liu Aleaxander Acked-by: Boaz Harrosh Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9ddef484b4a2af79ace9952b541cf6d826aef280 Author: Dongdong Deng Date: Thu Jun 17 11:13:40 2010 +0800 serial: cpm_uart: implement the cpm_uart_early_write() function for console poll commit 8cd774ad30c22b9d89823f1f05d845f4cdaba9e8 upstream. The cpm_uart_early_write() function which was used for console poll isn't implemented in the cpm uart driver. Implementing this function both fixes the build when CONFIG_CONSOLE_POLL is set and allows kgdboc to work via the cpm uart. Signed-off-by: Dongdong Deng Reviewed-by: Bruce Ashfield Signed-off-by: Greg Kroah-Hartman commit e13b5fd5832d25a08cf9d22ccc7a82f2cef769eb Author: Lubomir Rintel Date: Tue Jun 29 15:05:38 2010 -0700 sysvfs: fix NULL deref. when allocating new inode commit 46c23d7f520e315dde86881b38ba92ebdf34ced5 upstream. A call to sysv_write_inode() in sysv_new_inode() to its new interface that replaced wait flag with writeback structure. This was broken by a9185b41a4f84971b930c519f0c63bd450c4810d ("pass writeback_control to ->write_inode"). Signed-off-by: Lubomir Rintel Cc: Christoph Hellwig Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e86dd9fae6df8417f4461ca0c108e9aee585a077 Author: Jeff Moyer Date: Thu Jun 17 10:19:11 2010 -0400 cfq: Don't allow queue merges for queues that have no process references commit c10b61f0910466b4b99c266a7d76ac4390743fb5 upstream. Hi, A user reported a kernel bug when running a particular program that did the following: created 32 threads - each thread took a mutex, grabbed a global offset, added a buffer size to that offset, released the lock - read from the given offset in the file - created a new thread to do the same - exited The result is that cfq's close cooperator logic would trigger, as the threads were issuing I/O within the mean seek distance of one another. This workload managed to routinely trigger a use after free bug when walking the list of merge candidates for a particular cfqq (cfqq->new_cfqq). The logic used for merging queues looks like this: static void cfq_setup_merge(struct cfq_queue *cfqq, struct cfq_queue *new_cfqq) { int process_refs, new_process_refs; struct cfq_queue *__cfqq; /* Avoid a circular list and skip interim queue merges */ while ((__cfqq = new_cfqq->new_cfqq)) { if (__cfqq == cfqq) return; new_cfqq = __cfqq; } process_refs = cfqq_process_refs(cfqq); /* * If the process for the cfqq has gone away, there is no * sense in merging the queues. */ if (process_refs == 0) return; /* * Merge in the direction of the lesser amount of work. */ new_process_refs = cfqq_process_refs(new_cfqq); if (new_process_refs >= process_refs) { cfqq->new_cfqq = new_cfqq; atomic_add(process_refs, &new_cfqq->ref); } else { new_cfqq->new_cfqq = cfqq; atomic_add(new_process_refs, &cfqq->ref); } } When a merge candidate is found, we add the process references for the queue with less references to the queue with more. The actual merging of queues happens when a new request is issued for a given cfqq. In the case of the test program, it only does a single pread call to read in 1MB, so the actual merge never happens. Normally, this is fine, as when the queue exits, we simply drop the references we took on the other cfqqs in the merge chain: /* * If this queue was scheduled to merge with another queue, be * sure to drop the reference taken on that queue (and others in * the merge chain). See cfq_setup_merge and cfq_merge_cfqqs. */ __cfqq = cfqq->new_cfqq; while (__cfqq) { if (__cfqq == cfqq) { WARN(1, "cfqq->new_cfqq loop detected\n"); break; } next = __cfqq->new_cfqq; cfq_put_queue(__cfqq); __cfqq = next; } However, there is a hole in this logic. Consider the following (and keep in mind that each I/O keeps a reference to the cfqq): q1->new_cfqq = q2 // q2 now has 2 process references q3->new_cfqq = q2 // q2 now has 3 process references // the process associated with q2 exits // q2 now has 2 process references // queue 1 exits, drops its reference on q2 // q2 now has 1 process reference // q3 exits, so has 0 process references, and hence drops its references // to q2, which leaves q2 also with 0 process references q4 comes along and wants to merge with q3 q3->new_cfqq still points at q2! We follow that link and end up at an already freed cfqq. So, the fix is to not follow a merge chain if the top-most queue does not have a process reference, otherwise any queue in the chain could be already freed. I also changed the logic to disallow merging with a queue that does not have any process references. Previously, we did this check for one of the merge candidates, but not the other. That doesn't really make sense. Without the attached patch, my system would BUG within a couple of seconds of running the reproducer program. With the patch applied, my system ran the program for over an hour without issues. This addresses the following bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=16217 Thanks a ton to Phil Carns for providing the bug report and an excellent reproducer. [ Note for stable: this applies to 2.6.32/33/34 ]. Signed-off-by: Jeff Moyer Reported-by: Phil Carns Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f5a3134583902fcc55a936502e8ba61ba041f52e Author: Thomas Gleixner Date: Mon Jun 7 17:53:51 2010 +0200 genirq: Deal with desc->set_type() changing desc->chip commit 4673247562e39a17e09440fa1400819522ccd446 upstream. The set_type() function can change the chip implementation when the trigger mode changes. That might result in using an non-initialized irq chip when called from __setup_irq() or when called via set_irq_type() on an already enabled irq. The set_irq_type() function should not be called on an enabled irq, but because we forgot to put a check into it, we have a bunch of users which grew the habit of doing that and it never blew up as the function is serialized via desc->lock against all users of desc->chip and they never hit the non-initialized irq chip issue. The easy fix for the __setup_irq() issue would be to move the irq_chip_set_defaults(desc->chip) call after the trigger setting to make sure that a chip change is covered. But as we have already users, which do the type setting after request_irq(), the safe fix for now is to call irq_chip_set_defaults() from __irq_set_trigger() when desc->set_type() changed the irq chip. It needs a deeper analysis whether we should refuse to change the chip on an already enabled irq, but that'd be a large scale change to fix all the existing users. So that's neither stable nor 2.6.35 material. Reported-by: Esben Haabendal Signed-off-by: Thomas Gleixner Cc: Benjamin Herrenschmidt Cc: linuxppc-dev Signed-off-by: Greg Kroah-Hartman commit 581c88153a829dbe8c24faea91311b1701be4b7e Author: Alex,Shi Date: Thu Jun 17 14:08:13 2010 +0800 sched: Fix over-scheduling bug commit 3c93717cfa51316e4dbb471e7c0f9d243359d5f8 upstream. Commit e70971591 ("sched: Optimize unused cgroup configuration") introduced an imbalanced scheduling bug. If we do not use CGROUP, function update_h_load won't update h_load. When the system has a large number of tasks far more than logical CPU number, the incorrect cfs_rq[cpu]->h_load value will cause load_balance() to pull too many tasks to the local CPU from the busiest CPU. So the busiest CPU keeps going in a round robin. That will hurt performance. The issue was found originally by a scientific calculation workload that developed by Yanmin. With that commit, the workload performance drops about 40%. CPU before after 00 : 2 : 7 01 : 1 : 7 02 : 11 : 6 03 : 12 : 7 04 : 6 : 6 05 : 11 : 7 06 : 10 : 6 07 : 12 : 7 08 : 11 : 6 09 : 12 : 6 10 : 1 : 6 11 : 1 : 6 12 : 6 : 6 13 : 2 : 6 14 : 2 : 6 15 : 1 : 6 Reviewed-by: Yanmin zhang Signed-off-by: Alex Shi Signed-off-by: Peter Zijlstra LKML-Reference: <1276754893.9452.5442.camel@debian> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 0dd6ec3a33cab9ee890c9ff671edea9202246c27 Author: Martin Wilck Date: Tue Jun 29 15:05:31 2010 -0700 ipmi: set schedule_timeout_wait() value back to one commit 8d1f66dc9b4f80a1441bc1c33efa98aca99e8813 upstream. Fix a regression introduced by ae74e823cb7d ("ipmi: add parameter to limit CPU usage in kipmid"). Some systems were seeing CPU usage go up dramatically with the recent changes to try to reduce timer usage in the IPMI driver. This was traced down to schedule_timeout_interruptible(1) being changed to schedule_timeout_interruptbile(0). Revert that part of the change. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16147 Reported-by: Thomas Jarosch Signed-off-by: Corey Minyard Tested-by: Thomas Jarosch Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit be25710fff49935664a4cecd7ac52a1d804049e1 Author: Will Deacon Date: Mon May 24 12:11:43 2010 -0700 sched: Prevent compiler from optimising the sched_avg_update() loop commit 0d98bb2656e9bd2dfda2d089db1fe1dbdab41504 upstream. GCC 4.4.1 on ARM has been observed to replace the while loop in sched_avg_update with a call to uldivmod, resulting in the following build failure at link-time: kernel/built-in.o: In function `sched_avg_update': kernel/sched.c:1261: undefined reference to `__aeabi_uldivmod' kernel/sched.c:1261: undefined reference to `__aeabi_uldivmod' make: *** [.tmp_vmlinux1] Error 1 This patch introduces a fake data hazard to the loop body to prevent the compiler optimising the loop away. Signed-off-by: Will Deacon Signed-off-by: Andrew Morton Acked-by: Peter Zijlstra Cc: Catalin Marinas Cc: Russell King Cc: Linus Torvalds Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 06c8d8c33e4a0e2181c42dfa3a8eb9702f9848ac Author: Darrick J. Wong Date: Wed Jun 30 17:45:19 2010 -0700 x86, Calgary: Limit the max PHB number to 256 commit d596043d71ff0d7b3d0bead19b1d68c55f003093 upstream. The x3950 family can have as many as 256 PCI buses in a single system, so change the limits to the maximum. Since there can only be 256 PCI buses in one domain, we no longer need the BUG_ON check. Signed-off-by: Darrick J. Wong LKML-Reference: <20100701004519.GQ15515@tux1.beaverton.ibm.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 86bf5b52617b4a73b5a7acd78178755b1f99476e Author: Darrick J. Wong Date: Thu Jun 24 14:26:47 2010 -0700 x86, Calgary: Increase max PHB number commit 499a00e92dd9a75395081f595e681629eb1eebad upstream. Newer systems (x3950M2) can have 48 PHBs per chassis and 8 chassis, so bump the limits up and provide an explanation of the requirements for each class. Signed-off-by: Darrick J. Wong Acked-by: Muli Ben-Yehuda Cc: Corinna Schultz LKML-Reference: <20100624212647.GI15515@tux1.beaverton.ibm.com> [ v2: Fixed build bug, added back PHBS_PER_CALGARY == 4 ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a6cd7a11c354c248cae71a66f4dd7c25426d662d Author: Andi Kleen Date: Fri Jun 18 23:09:00 2010 +0200 x86: Fix vsyscall on gcc 4.5 with -Os commit 124482935fb7fb9303c8a8ab930149c6a93d9910 upstream. This fixes the -Os breaks with gcc 4.5 bug. rdtsc_barrier needs to be force inlined, otherwise user space will jump into kernel space and kill init. This also addresses http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44129 I believe. Signed-off-by: Andi Kleen LKML-Reference: <20100618210859.GA10913@basil.fritz.box> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 4c326ac5f38ba7858b40db7c7319ea8dd04ff862 Author: Frederic Weisbecker Date: Wed Jun 30 15:09:06 2010 +0200 x86: Send a SIGTRAP for user icebp traps commit a1e80fafc9f0742a1776a0490258cb64912411b0 upstream. Before we had a generic breakpoint layer, x86 used to send a sigtrap for any debug event that happened in userspace, except if it was caused by lazy dr7 switches. Currently we only send such signal for single step or breakpoint events. However, there are three other kind of debug exceptions: - debug register access detected: trigger an exception if the next instruction touches the debug registers. We don't use it. - task switch, but we don't use tss. - icebp/int01 trap. This instruction (0xf1) is undocumented and generates an int 1 exception. Unlike single step through TF flag, it doesn't set the single step origin of the exception in dr6. icebp then used to be reported in userspace using trap signals but this have been incidentally broken with the new breakpoint code. Reenable this. Since this is the only debug event that doesn't set anything in dr6, this is all we have to check. This fixes a regression in Wine where World Of Warcraft got broken as it uses this for software protection checks purposes. And probably other apps do. Reported-and-tested-by: Alexandre Julliard Signed-off-by: Frederic Weisbecker Cc: Ingo Molnar Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Prasad Signed-off-by: Greg Kroah-Hartman commit da98098137f1ec05921117c0da8ad156036b74d2 Author: Frederic Weisbecker Date: Thu Jul 8 06:06:17 2010 +0200 perf: Resurrect flat callchains commit 97aa1052739c6a06cb6b0467dbf410613d20bc97 upstream. Initialize the callchain radix tree root correctly. When we walk through the parents, we must stop after the root, but since it wasn't well initialized, its parent pointer was random. Also the number of hits was random because uninitialized, hence it was part of the callchain while the root doesn't contain anything. This fixes segfaults and percentages followed by empty callchains while running: perf report -g flat Reported-by: Ingo Molnar Signed-off-by: Frederic Weisbecker Cc: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit ddf7095df25ba6d2b1dce8513c5cec250653ae05 Author: Will Deacon Date: Fri Jul 2 16:41:52 2010 +0100 ARM: 6205/1: perf: ensure counter delta is treated as unsigned commit 446a5a8b1eb91a6990e5c8fe29f14e7a95b69132 upstream. Hardware performance counters on ARM are 32-bits wide but atomic64_t variables are used to represent counter data in the hw_perf_event structure. The armpmu_event_update function right-shifts a signed 64-bit delta variable and adds the result to the event count. This can lead to shifting in sign-bits if the MSB of the 32-bit counter value is set. This results in perf output such as: Performance counter stats for 'sleep 20': 18446744073460670464 cycles <-- 0xFFFFFFFFF12A6000 7783773 instructions # 0.000 IPC 465 context-switches 161 page-faults 1172393 branches 20.154242147 seconds time elapsed This patch ensures that the delta value is treated as unsigned so that the right shift sets the upper bits to zero. Acked-by: Jamie Iles Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 4ff1176f3e305d525e202ae992f3130f0ace287f Author: Vince Weaver Date: Thu Jul 1 15:30:16 2010 -0400 perf, x86: Fix incorrect branches event on AMD CPUs commit f287d332ce835f77a4f5077d2c0ef1e3f9ea42d2 upstream. While doing some performance counter validation tests on some assembly language programs I noticed that the "branches:u" count was very wrong on AMD machines. It looks like the wrong event was selected. Signed-off-by: Vince Weaver Acked-by: Peter Zijlstra Cc: Paul Mackerras Cc: Arnaldo Carvalho de Melo Cc: Robert Richter Cc: Borislav Petkov Cc: Frederic Weisbecker LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 20da4de8e1c4db1907338994405b629a40b17235 Author: Borislav Petkov Date: Fri Jul 2 17:02:43 2010 +0200 amd64_edac: Fix syndrome calculation on K8 commit 41c310447fe06bcedc22b75752c18b60e0b9521b upstream. When calculating the DCT channel from the syndrome we need to know the syndrome type (x4 vs x8). On F10h, this is read out from extended PCI cfg space register F3x180 while on K8 we only support x4 syndromes and don't have extended PCI config space anyway. Make the code accessing F3x180 F10h only and fall back to x4 syndromes on everything else. Reported-by: Jeffrey Merkey Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 104ce01cb95eb7eef75181b73f7c5a68a5d4b2a0 Author: Ben Hutchings Date: Wed Mar 24 03:36:31 2010 +0000 amd64-agp: Probe unknown AGP devices the right way commit 6fd024893911dcb51b4a0aa71971db5ba38f7071 upstream. The current initialisation code probes 'unsupported' AGP devices simply by calling its own probe function. It does not lock these devices or even check whether another driver is already bound to them. We must use the device core to manage this. So if the specific device id table didn't match anything and agp_try_unsupported=1, switch the device id table and call driver_attach() again. Signed-off-by: Ben Hutchings Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f4795406efcf49765ed02d8a5c2d366d353da017 Author: Prasanna S. Panchamukhi Date: Thu Jun 24 13:31:03 2010 +1000 md: raid10: Fix null pointer dereference in fix_read_error() commit 0544a21db02c1d8883158fd6f323364f830a120a upstream. Such NULL pointer dereference can occur when the driver was fixing the read errors/bad blocks and the disk was physically removed causing a system crash. This patch check if the rcu_dereference() returns valid rdev before accessing it in fix_read_error(). Signed-off-by: Prasanna S. Panchamukhi Signed-off-by: Rob Becker Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 63ec731a4dcb77487b1caedf9b3a8d295c3f1ad7 Author: Julia Lawall Date: Sat May 15 11:46:12 2010 +0200 SCSI: aacraid: Eliminate use after free commit 8a52da632ceb9d8b776494563df579e87b7b586b upstream. The debugging code using the freed structure is moved before the kfree. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @free@ expression E; position p; @@ kfree@p(E) @@ expression free.E, subE<=free.E, E1; position free.p; @@ kfree@p(E) ... ( subE = E1 | * E ) // Signed-off-by: Julia Lawall Signed-off-by: James Bottomley commit 7501f55f2be0c60f3ec5efe8c15a790665e7ac1a Author: Eric Dumazet Date: Fri Jul 2 10:05:01 2010 +0200 netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT commit 499031ac8a3df6738f6186ded9da853e8ea18253 upstream. We should release dst if dst->error is set. Bug introduced in 2.6.14 by commit e104411b82f5c ([XFRM]: Always release dst_entry on error in xfrm_lookup) Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 1c77d470de34f59fc60e24c6e8f90ab9917503a0 Author: stephen hemminger Date: Mon Jun 21 11:00:13 2010 +0000 ipv6: fix NULL reference in proxy neighbor discovery commit 9f888160bdcccf0565dd2774956b8d9456e610be upstream. The addition of TLLAO option created a kernel OOPS regression for the case where neighbor advertisement is being sent via proxy path. When using proxy, ipv6_get_ifaddr() returns NULL causing the NULL dereference. Change causing the bug was: commit f7734fdf61ec6bb848e0bafc1fb8bad2c124bb50 Author: Octavian Purdila Date: Fri Oct 2 11:39:15 2009 +0000 make TLLAO option for NA packets configurable Signed-off-by: Stephen Hemminger Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8c5b63eb1881419d190bd6f2e414a06a7d3fa172 Author: Sven Wegener Date: Wed Jun 9 16:10:57 2010 +0200 ipvs: Add missing locking during connection table hashing and unhashing commit aea9d711f3d68c656ad31ab578ecfb0bb5cd7f97 upstream. The code that hashes and unhashes connections from the connection table is missing locking of the connection being modified, which opens up a race condition and results in memory corruption when this race condition is hit. Here is what happens in pretty verbose form: CPU 0 CPU 1 ------------ ------------ An active connection is terminated and we schedule ip_vs_conn_expire() on this CPU to expire this connection. IRQ assignment is changed to this CPU, but the expire timer stays scheduled on the other CPU. New connection from same ip:port comes in right before the timer expires, we find the inactive connection in our connection table and get a reference to it. We proper lock the connection in tcp_state_transition() and read the connection flags in set_tcp_state(). ip_vs_conn_expire() gets called, we unhash the connection from our connection table and remove the hashed flag in ip_vs_conn_unhash(), without proper locking! While still holding proper locks we write the connection flags in set_tcp_state() and this sets the hashed flag again. ip_vs_conn_expire() fails to expire the connection, because the other CPU has incremented the reference count. We try to re-insert the connection into our connection table, but this fails in ip_vs_conn_hash(), because the hashed flag has been set by the other CPU. We re-schedule execution of ip_vs_conn_expire(). Now this connection has the hashed flag set, but isn't actually hashed in our connection table and has a dangling list_head. We drop the reference we held on the connection and schedule the expire timer for timeouting the connection on this CPU. Further packets won't be able to find this connection in our connection table. ip_vs_conn_expire() gets called again, we think it's already hashed, but the list_head is dangling and while removing the connection from our connection table we write to the memory location where this list_head points to. The result will probably be a kernel oops at some other point in time. This race condition is pretty subtle, but it can be triggered remotely. It needs the IRQ assignment change or another circumstance where packets coming from the same ip:port for the same service are being processed on different CPUs. And it involves hitting the exact time at which ip_vs_conn_expire() gets called. It can be avoided by making sure that all packets from one connection are always processed on the same CPU and can be made harder to exploit by changing the connection timeouts to some custom values. Signed-off-by: Sven Wegener Acked-by: Simon Horman Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit ec6aa42401e6812b909d10bf89f571fb85c21139 Author: Stephen Hemminger Date: Mon May 24 11:33:00 2010 -0700 IPv6: only notify protocols if address is completely gone (cherry picked from commit 8595805aafc8b077e01804c9a3668e9aa3510e89) The notifier for address down should only be called if address is completely gone, not just being marked as tentative on link transition. The code in net-next would case bonding/sctp/s390 to see address disappear on link down, but they would never see it reappear on link up. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0f5eb5d25df6e95ec2f31a4be2a7312327562a0e Author: Stephen Hemminger Date: Mon May 24 11:31:18 2010 -0700 IPv6: keep route for tentative address (cherry picked from commit 93fa159abe50d3c55c7f83622d3f5c09b6e06f4b) Recent changes preserve IPv6 address when link goes down (good). But would cause address to point to dead dst entry (bad). The simplest fix is to just not delete route if address is being held for later use. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d47f1d0c947a955b6d78befe9c6fa0928e4eff53 Author: Rajiv Andrade Date: Wed Jun 23 12:18:56 2010 -0700 tpm_tis: fix subsequent suspend failures commit 59f6fbe4291fcc078ba26ce4edf8373a7620a13a upstream. Fix subsequent suspends by issuing tpm_continue_selftest during resume. Otherwise, the tpm chip seems to be not fully initialized and will reject the save state command during suspend, thus preventing the whole system to suspend. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16256 Signed-off-by: Helmut Schaa Signed-off-by: Rajiv Andrade Cc: James Morris Cc: Debora Velarde Cc: David Safford Signed-off-by: Andrew Morton Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit f0c40cec4aee24385ffa12ccd40c227856ca5a82 Author: Alex Deucher Date: Sat Mar 6 09:43:41 2010 -0500 drm/radeon/kms: fix legacy tv-out pal mode commit ff3f011cd859072b5d6e64c0b968cff9bfdc0b37 upstream. fixes fdo bug 26915 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 29961d36ea65dd55e0404443f56047a545c30181 Author: Alex Deucher Date: Wed Jul 21 19:37:21 2010 -0400 drm/radeon/kms: fix legacy LVDS dpms sequence commit 15cb02c0a0338ee724bf23e31c7c410ecbffeeba upstream. Add delay after turning off the LVDS encoder. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=16389 Tested-by: Jan Kreuzer Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit d1a231bfcbb97ff68279cba07310ea1accf107e6 Author: Alex Deucher Date: Mon Jul 12 17:33:50 2010 -0400 drm/radeon/kms: fix possible mis-detection of sideport on rs690/rs740 commit 5099fa7f23d3711538cbe9fe072b4ce1ba814035 upstream. Check ulBootUpMemoryClock on AMD IGPs. Fix regression noticed by Torsten Kaiser Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 495a4d3a214e6c8c81626afc26890c116e1147df Author: Alex Deucher Date: Tue Jul 20 18:07:22 2010 -0400 drm/radeon/kms: add quirk for ASUS HD 3600 board commit e153b70b89770968a704eda0b55707c6066b2d44 upstream. Connector is actually DVI rather than HDMI. Reported-by: trapDoor Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f48b1a82b488358a1a12567bda6e55112a15f3f8 Author: Alex Deucher Date: Tue Jul 20 11:27:54 2010 -0400 drm/radeon/kms: fix shared ddc harder commit 42f14c4b454946650cf0bf66e0b631d02e328f61 upstream. This fixes a regression caused by b2ea4aa67bfd084834edd070e0a4a47857d6db59 due to the way shared ddc with multiple digital connectors was handled. You generally have two cases where DDC lines are shared: - HDMI + VGA - HDMI + DVI-D HDMI + VGA is easy to deal with because you can check the EDID for the to see if the attached monitor is digital. A shared DDC line with two digital connectors is more complex. You can't use the hdmi bits in the EDID since they may not be there with DVI<->HDMI adapters. In this case all we can do is check the HPD pins to see which is connected as we have no way of knowing using the EDID. Reported-by: trapdoor6@gmail.com Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 4552415cf7db742e0063b8f4826a1352b62fe1fa Author: Alex Deucher Date: Thu Jul 1 10:34:56 2010 -0400 drm/radeon/kms: fix shared ddc handling commit b2ea4aa67bfd084834edd070e0a4a47857d6db59 upstream. Connectors with a shared ddc line can be connected to different encoders. Reported by Pasi Kärkkäinen on dri-devel Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 16c64e01975601eda67438a192c80a8a31db7725 Author: Roland Scheidegger Date: Sat Jun 12 12:12:37 2010 -0400 drm/radeon/kms: CS checker texture fixes for r1xx/r2xx/r3xx commit f9da52d54eb0e8822b5e7f32ab1cfa6522533d6e upstream. fixes: https://bugs.freedesktop.org/show_bug.cgi?id=28459 agd5f: apply to r1xx/r2xx as well. Signed-off-by: Roland Scheidegger Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit dd08608da1f3e7d2c0f4517e2035ca8428e8f228 Author: Alex Deucher Date: Thu Jun 10 17:06:01 2010 -0400 drm/radeon/kms: fix DP after DPMS cycle commit a5f798ce2b9de4b14c46cb68d58c488dc1b8e215 upstream. The transmitter needs to be enabled before the link is trained. Reported-By: Lars Doelle Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 230a9725dff9f5a5c8c0423069b732612728f995 Author: Roland Scheidegger Date: Sat Jun 12 13:31:11 2010 -0400 drm/radeon/r100/r200: fix calculation of compressed cube maps commit 37cf6b03f9f28c62dafb0b9ce5f1ba29c8baffa9 upstream. This needs similar handling to other compressed textures. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=26428 Signed-off-by: sroland@vmware.com Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 2ba37a39b82fe74ce6605e9b62f6631a51418e87 Author: Roland Scheidegger Date: Sat Jun 12 13:31:10 2010 -0400 drm/radeon/r200: handle more hw tex coord types commit 688acaa2897462e4c5e2482496e2868db0760809 upstream. Code did not handle projected 2d and depth coordinates, meaning potentially set 3d or cube special handling might stick. (Not sure what depth coord actually does, but I guess handling it like a normal coordinate is the right thing to do.) Might be related to https://bugs.freedesktop.org/show_bug.cgi?id=26428 Signed-off-by: sroland@vmware.com Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit d4e0018e3e4dd685af25d300fd26a0d5a984482e Author: Adam Jackson Date: Fri Jul 2 16:43:30 2010 -0400 drm/i915: Make G4X-style PLL search more permissive commit 6ba770dc5c334aff1c055c8728d34656e0f091e2 upstream. Fixes an Ironlake laptop with a 68.940MHz 1280x800 panel and 120MHz SSC reference clock. More generally, the 0.488% tolerance used before is just too tight to reliably find a PLL setting. I extracted the search algorithm and modified it to find the dot clocks with maximum error over the valid range for the given output type: http://people.freedesktop.org/~ajax/intel_g4x_find_best_pll.c This gave: Worst dotclock for Ironlake DAC refclk is 350000kHz (error 0.00571) Worst dotclock for Ironlake SL-LVDS refclk is 102321kHz (error 0.00524) Worst dotclock for Ironlake DL-LVDS refclk is 219642kHz (error 0.00488) Worst dotclock for Ironlake SL-LVDS SSC refclk is 84374kHz (error 0.00529) Worst dotclock for Ironlake DL-LVDS SSC refclk is 183035kHz (error 0.00488) Worst dotclock for G4X SDVO refclk is 267600kHz (error 0.00448) Worst dotclock for G4X HDMI refclk is 334400kHz (error 0.00478) Worst dotclock for G4X SL-LVDS refclk is 95571kHz (error 0.00449) Worst dotclock for G4X DL-LVDS refclk is 224000kHz (error 0.00510) Signed-off-by: Adam Jackson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 2ef2b029013e81656ea6c24b4edc03f2db8854f4 Author: Dave Airlie Date: Tue Jul 20 13:15:31 2010 +1000 drm/i915: enable low power render writes on GEN3 hardware. commit 944001201ca0196bcdb088129e5866a9f379d08c upstream. A lot of 945GMs have had stability issues for a long time, this manifested as X hangs, blitter engine hangs, and lots of crashes. one such report is at: https://bugs.freedesktop.org/show_bug.cgi?id=20560 along with numerous distro bugzillas. This only took a week of digging and hair ripping to figure out. Tracked down and tested on a 945GM Lenovo T60, previously running x11perf -copypixwin500 or x11perf -copywinpix500 repeatedly would cause the GPU to wedge within 4 or 5 tries, with random busy bits set. After this patch no hangs were observed. Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit ebd740e3f99377b1fd482d10d67eb56cf06a0509 Author: Keith Packard Date: Mon Jul 19 21:12:35 2010 -0700 drm/i915: Define MI_ARB_STATE bits commit 45503ded966c98e604c9667c0b458d40666b9ef3 upstream. The i915 memory arbiter has a register full of configuration bits which are currently not defined in the driver header file. Signed-off-by: Keith Packard Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 28ebc958bb348acab612e33b6af509aaea35ea98 Author: Daniel J Blueman Date: Mon May 17 14:23:52 2010 +0100 i915: fix lock imbalance on error path... commit f953c9353f5fe6e98fa7f32f51060a74d845b5f8 upstream. While investigating Intel i5 Arrandale GPU lockups with -rc4, I noticed a lock imbalance. Signed-off-by: Daniel J Blueman Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit aea11f5511b8d4f57d73361998655f97a3ff8f65 Author: Linus Torvalds Date: Sun Jul 18 09:44:37 2010 -0700 drm/i915: add 'reclaimable' to i915 self-reclaimable page allocations commit cd9f040df6ce46573760a507cb88192d05d27d86 upstream. The hibernate issues that got fixed in commit 985b823b9192 ("drm/i915: fix hibernation since i915 self-reclaim fixes") turn out to have been incomplete. Vefa Bicakci tested lots of hibernate cycles, and without the __GFP_RECLAIMABLE flag the system eventually fails to resume. With the flag added, Vefa can apparently hibernate forever (or until he gets bored running his automated scripts, whichever comes first). The reclaimable flag was there originally, and was one of the flags that were dropped (unintentionally) by commit 4bdadb978569 ("drm/i915: Selectively enable self-reclaim") that introduced all these problems, but I didn't want to just blindly add back all the flags in commit 985b823b9192, and it looked like __GFP_RECLAIM wasn't necessary. It clearly was. I still suspect that there is some subtle reason we're missing that causes the problems, but __GFP_RECLAIMABLE is certainly not wrong to use in this context, and is what the code historically used. And we have no idea what the causes the corruption without it. Reported-and-tested-by: M. Vefa Bicakci Cc: Dave Airlie Cc: Chris Wilson Cc: KOSAKI Motohiro Cc: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b86d4a024be4bd761b097d83efbae5afafe46bc8 Author: Jesse Barnes Date: Wed Jun 30 13:49:37 2010 -0700 drm/i915: don't access FW_BLC_SELF on 965G commit adcdbc6651a7086b99827cf50623a02d941261f1 upstream. The register offset for FW_BLC_SELF is a totally different set of bits on Broadwater (it's actually MI_RDRET_STATE), so don't treat it like FW_BLC_SELF on 965G chips. Fixes bug https://bugs.freedesktop.org/show_bug.cgi?id=26874. Tested-by: Norman Yarvin Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 1b68c0ff661af1c4a403727937ae3f33bc278e6b Author: Linus Torvalds Date: Fri Jul 2 10:04:42 2010 +1000 drm/i915: fix hibernation since i915 self-reclaim fixes commit 985b823b919273fe1327d56d2196b4f92e5d0fae upstream. Since commit 4bdadb9785696439c6e2b3efe34aa76df1149c83 ("drm/i915: Selectively enable self-reclaim"), we've been passing GFP_MOVABLE to the i915 page allocator where we weren't before due to some over-eager removal of the page mapping gfp_flags games the code used to play. This caused hibernate on Intel hardware to result in a lot of memory corruptions on resume. See for example http://bugzilla.kernel.org/show_bug.cgi?id=13811 Reported-by: Evengi Golov (in bugzilla) Signed-off-by: Dave Airlie Tested-by: M. Vefa Bicakci Cc: Chris Wilson Cc: KOSAKI Motohiro Cc: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 40644fb1fab29e9ebfa49a1297e011c29559eacb Author: Jason Baron Date: Tue Jul 27 13:18:01 2010 -0700 dynamic debug: move ddebug_remove_module() down into free_module() commit b82bab4bbe9efa7bc7177fc20620fff19bd95484 upstream. The command echo "file ec.c +p" >/sys/kernel/debug/dynamic_debug/control causes an oops. Move the call to ddebug_remove_module() down into free_module(). In this way it should be called from all error paths. Currently, we are missing the remove if the module init routine fails. Signed-off-by: Jason Baron Reported-by: Thomas Renninger Tested-by: Thomas Renninger Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5f0c555517928574fe2bdb68e494e245e743e132 Author: Stephane Eranian Date: Thu Jun 10 13:25:01 2010 +0200 perf_events: Fix Intel Westmere event constraints commit d11007703c31db534674ebeeb9eb047bbbe758bd upstream. Based on Intel Vol3b (March 2010), the event SNOOPQ_REQUEST_OUTSTANDING is restricted to counters 0,1 so update the event table for Intel Westmere accordingly. Signed-off-by: Stephane Eranian Cc: peterz@infradead.org Cc: paulus@samba.org Cc: davem@davemloft.net Cc: fweisbec@gmail.com Cc: perfmon2-devel@lists.sf.net Cc: eranian@gmail.com LKML-Reference: <4c10cb56.5120e30a.2eb4.ffffc3de@mx.google.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2a2afe2056699fa842b74474c4e146f170d565df Author: Joerg Albert Date: Sun Jun 13 14:22:23 2010 +0200 p54pci: add Symbol AP-300 minipci adapters pciid commit 50900f1698f68127e54c67fdfe829e4a97b1be2b upstream. Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7b9a13778a8e7cdb51cc4b92272163dd876d77de Author: Joel Becker Date: Tue Jul 6 14:36:06 2010 -0700 ocfs2: When zero extending, do it by page. commit a4bfb4cf11fd2211b788af59dc8a8b4394bca227 upstream. ocfs2_zero_extend() does its zeroing block by block, but it calls a function named ocfs2_write_zero_page(). Let's have ocfs2_write_zero_page() handle the page level. From ocfs2_zero_extend()'s perspective, it is now page-at-a-time. Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 07918549a19e570b91f44806a03ab86dc5c9c4a6 Author: Joel Becker Date: Fri Jul 2 17:20:27 2010 -0700 ocfs2: No need to zero pages past i_size. commit 693c241a5f6aa01417f5f4caf9f82e60e316398d upstream. When ocfs2 fills a hole, it does so by allocating clusters. When a cluster is larger than the write, ocfs2 must zero the portions of the cluster outside of the write. If the clustersize is smaller than a pagecache page, this is handled by the normal pagecache mechanisms, but when the clustersize is larger than a page, ocfs2's write code will zero the pages adjacent to the write. This makes sure the entire cluster is zeroed correctly. Currently ocfs2 behaves exactly the same when writing past i_size. However, this means ocfs2 is writing zeroed pages for portions of a new cluster that are beyond i_size. The page writeback code isn't expecting this. It treats all pages past the one containing i_size as left behind due to a previous truncate operation. Thankfully, ocfs2 calculates the number of pages it will be working on up front. The rest of the write code merely honors the original calculation. We can simply trim the number of pages to only cover the actual file data. Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit b14f142dfd5131d98bba795474cd7eafa015161b Author: Dan Rosenberg Date: Mon Jul 19 16:58:20 2010 -0400 Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream. 1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it. 2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around). I haven't been able to successfully exploit this, but I'd imagine that a clever attacker could use this to read things he shouldn't. Even if it's not exploitable, it couldn't hurt to be safe. Signed-off-by: Dan Rosenberg Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 8989e9cdd48f047bc4cde16f9507f31151d55a10 Author: Stanislaw Gruszka Date: Wed Apr 28 15:17:03 2010 +0200 mac80211: do not wip out old supported rates commit f0b058b61711ebf5be94d6865ca7b2c259b71d37 upstream. Use old supported rates, if AP do not provide supported rates information element in a new managment frame. Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4ba8e5c1e97b7ab9e1bb99659f1da711b0f6868c Author: John W. Linville Date: Mon Jun 14 14:30:25 2010 -0400 iwlwifi: cancel scan watchdog in iwl_bg_abort_scan commit a69b03e941abae00380fc6bc1877fb797a1b31e6 upstream. Avoids this: WARNING: at net/mac80211/scan.c:312 ieee80211_scan_completed+0x5f/0x1f1 [mac80211]() Hardware name: Latitude E5400 Modules linked in: aes_x86_64 aes_generic fuse ipt_MASQUERADE iptable_nat nf_nat rfcomm sco bridge stp llc bnep l2cap sunrpc cpufreq_ondemand acpi_cpufreq freq_table xt_physdev ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 kvm_intel kvm uinput arc4 ecb snd_hda_codec_intelhdmi snd_hda_codec_idt snd_hda_intel iwlagn snd_hda_codec snd_hwdep snd_seq snd_seq_device iwlcore snd_pcm dell_wmi sdhci_pci sdhci iTCO_wdt tg3 dell_laptop mmc_core i2c_i801 wmi mac80211 snd_timer iTCO_vendor_support btusb joydev dcdbas cfg80211 bluetooth snd soundcore microcode rfkill snd_page_alloc firewire_ohci firewire_core crc_itu_t yenta_socket rsrc_nonstatic i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan] Pid: 979, comm: iwlagn Tainted: G W 2.6.33.3-85.fc13.x86_64 #1 Call Trace: [] warn_slowpath_common+0x77/0x8f [] warn_slowpath_null+0xf/0x11 [] ieee80211_scan_completed+0x5f/0x1f1 [mac80211] [] iwl_bg_scan_completed+0xbb/0x17a [iwlcore] [] worker_thread+0x1a4/0x232 [] ? iwl_bg_scan_completed+0x0/0x17a [iwlcore] [] ? autoremove_wake_function+0x0/0x34 [] ? worker_thread+0x0/0x232 [] kthread+0x7a/0x82 [] kernel_thread_helper+0x4/0x10 [] ? kthread+0x0/0x82 [] ? kernel_thread_helper+0x0/0x10 Reported here: https://bugzilla.redhat.com/show_bug.cgi?id=590436 Signed-off-by: John W. Linville Reported-by: Mihai Harpau Acked-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit 6866e1caf7e9c22dc9c964476fc411757ab005cc Author: Dave Airlie Date: Wed Jun 23 11:35:41 2010 +1000 fb: fix colliding defines for fb flags. commit b26c949755c06ec79e55a75817210083bd78fc9a upstream. When I added the flags I must have been using a 25 line terminal and missed the following flags. The collided with flag has one user in staging despite being in-tree for 5 years. I'm happy to push this via my drm tree unless someone really wants to do it. Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 20bc0849443377b314abd94895ee6f79df821c78 Author: Rajiv Andrade Date: Mon Jun 14 13:58:22 2010 -0300 TPM: ReadPubEK output struct fix commit 02a077c52ef7631275a79862ffd9f3dbe9d38bc2 upstream. This patch adds a missing element of the ReadPubEK command output, that prevents future overflow of this buffer when copying the TPM output result into it. Prevents a kernel panic in case the user tries to read the pubek from sysfs. Signed-off-by: Rajiv Andrade Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 529277e7ea6161bbabba4e9ca826791e3dc23d27 Author: Tim Gardner Date: Tue Jun 8 11:33:02 2010 -0600 hostap: Protect against initialization interrupt commit d6a574ff6bfb842bdb98065da053881ff527be46 upstream. Use an irq spinlock to hold off the IRQ handler until enough early card init is complete such that the handler can run without faulting. Signed-off-by: Tim Gardner Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 981754d8f15449591b94e4162840aa196d941b55 Author: Vivek Natarajan Date: Tue Apr 27 13:05:38 2010 +0530 ath9k: Avoid corrupt frames being forwarded to mac80211. commit 3a37495268ab45507b4cab9d4cb18c5496ab7a10 upstream. If bit 29 is set, MAC H/W can attempt to decrypt the received aggregate with WEP or TKIP, eventhough the received frame may be a CRC failed corrupted frame. If this bit is set, H/W obeys key type in keycache. If it is not set and if the key type in keycache is neither open nor AES, H/W forces key type to be open. But bit 29 should be set to 1 for AsyncFIFO feature to encrypt/decrypt the aggregate with WEP or TKIP. Reported-by: Johan Hovold Signed-off-by: Vivek Natarajan Signed-off-by: Ranga Rao Ravuri Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f0d5dc75043d940d32787cb0040e4163accf724b Author: Grant Likely Date: Mon Jun 14 00:03:34 2010 -0600 powerpc/5200: Fix build error in sound code. commit f487537c2b6b23332bbea7ecb1fe793b6c74d5b2 upstream. Compiling in the MPC5200 sound drivers results in the following build error: sound/soc/fsl/mpc5200_psc_ac97.o: In function `to_psc_dma_stream': mpc5200_psc_ac97.c:(.text+0x0): multiple definition of `to_psc_dma_stream' sound/soc/fsl/mpc5200_dma.o:mpc5200_dma.c:(.text+0x0): first defined here sound/soc/fsl/efika-audio-fabric.o: In function `to_psc_dma_stream': efika-audio-fabric.c:(.text+0x0): multiple definition of `to_psc_dma_stream' sound/soc/fsl/mpc5200_dma.o:mpc5200_dma.c:(.text+0x0): first defined here make[3]: *** [sound/soc/fsl/built-in.o] Error 1 make[2]: *** [sound/soc/fsl] Error 2 make[1]: *** [sound/soc] Error 2 make: *** [sound] Error 2 This patch fixes it by declaring the inline function in the header file to also be a static. Signed-off-by: Grant Likely Cc: Jon Smirl Tested-by: John Hilmar Linkhorst Acked-by: Mark Brown Cc: Peter Korsgaard Signed-off-by: Greg Kroah-Hartman commit 07ddc6b62f7d2dc106f95c0ee907a26f438bae00 Author: Trond Myklebust Date: Wed Jun 16 13:57:32 2010 -0400 SUNRPC: Fix a re-entrancy bug in xs_tcp_read_calldir() commit b76ce56192bcf618013fb9aecd83488cffd645cc upstream. If the attempt to read the calldir fails, then instead of storing the read bytes, we currently discard them. This leads to a garbage final result when upon re-entry to the same routine, we read the remaining bytes. Fixes the regression in bugzilla number 16213. Please see https://bugzilla.kernel.org/show_bug.cgi?id=16213 Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 1a587ebc33f1e6175a632cc2c9b89563c8826df7 Author: Trond Myklebust Date: Fri Jun 18 12:23:58 2010 -0400 NFSv4: Ensure that /proc/self/mountinfo displays the minor version number commit 0be8189f2c87fcc747d6a4a657a0b6e2161b2318 upstream. Currently, we do not display the minor version mount parameter in the /proc mount info. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit df82b9bdf4ea7957beb65674abfe199f9d24ea87 Author: Trond Myklebust Date: Tue Jun 22 08:52:39 2010 -0400 NFSv4: Fix an embarassing typo in encode_attrs() commit d3f6baaa34c54040b3ef30950e59b54ac0624b21 upstream. Apparently, we have never been able to set the atime correctly from the NFSv4 client. Reported-by: 小倉一夫 Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 80f562233b9674d0262d9f74fd98676ec308501b Author: Sergei Shtylyov Date: Tue May 11 00:08:03 2010 -0700 cmd640: fix kernel oops in test_irq() method commit a9ddabc52ce3757a4331d6c1e8bf4065333cc51b upstream. When implementing the test_iqr() method, I forgot that this driver is not an ordinary PCI driver and also needs to support VLB variant of the chip. Moreover, 'hwif->dev' should be NULL, potentially causing oops in pci_read_config_byte(). Signed-off-by: Sergei Shtylyov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4f2ac76df774f255bbfd1d4cc377eb43f07d07a7 Author: Mikael Pettersson Date: Tue Jul 20 18:45:14 2010 -0700 math-emu: correct test for downshifting fraction in _FP_FROM_INT() commit f8324e20f8289dffc646d64366332e05eaacab25 upstream. The kernel's math-emu code contains a macro _FP_FROM_INT() which is used to convert an integer to a raw normalized floating-point value. It does this basically in three steps: 1. Compute the exponent from the number of leading zero bits. 2. Downshift large fractions to put the MSB in the right position for normalized fractions. 3. Upshift small fractions to put the MSB in the right position. There is an boundary error in step 2, causing a fraction with its MSB exactly one bit above the normalized MSB position to not be downshifted. This results in a non-normalized raw float, which when packed becomes a massively inaccurate representation for that input. The impact of this depends on a number of arch-specific factors, but it is known to have broken emulation of FXTOD instructions on UltraSPARC III, which was originally reported as GCC bug 44631 . Any arch which uses math-emu to emulate conversions from integers to same-size floats may be affected. The fix is simple: the exponent comparison used to determine if the fraction should be downshifted must be "<=" not "<". I'm sending a kernel module to test this as a reply to this message. There are also SPARC user-space test cases in the GCC bug entry. Signed-off-by: Mikael Pettersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c80123ba3fbb7b40566354f54eba4c01f544b1b4 Author: Doug Kehn Date: Wed Jul 14 18:02:16 2010 -0700 net/core: neighbour update Oops commit 91a72a70594e5212c97705ca6a694bd307f7a26b upstream. When configuring DMVPN (GRE + openNHRP) and a GRE remote address is configured a kernel Oops is observed. The obserseved Oops is caused by a NULL header_ops pointer (neigh->dev->header_ops) in neigh_update_hhs() when void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *) = neigh->dev->header_ops->cache_update; is executed. The dev associated with the NULL header_ops is the GRE interface. This patch guards against the possibility that header_ops is NULL. This Oops was first observed in kernel version 2.6.26.8. Signed-off-by: Doug Kehn Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 49dcc8eb452542c4ba40d8caa6a2a544c44ede7a Author: Ilpo Järvinen Date: Mon Jul 19 01:16:18 2010 +0000 tcp: fix crash in tcp_xmit_retransmit_queue commit 45e77d314585869dfe43c82679f7e08c9b35b898 upstream. It can happen that there are no packets in queue while calling tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns NULL and that gets deref'ed to get sacked into a local var. There is no work to do if no packets are outstanding so we just exit early. This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out guard to make joining diff nicer). Signed-off-by: Ilpo Järvinen Reported-by: Lennart Schulte Tested-by: Lennart Schulte Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9754d26a07ffbdec54ce3391c06aaa073802c583 Author: Tom Herbert Date: Wed Jul 14 20:50:29 2010 -0700 net: fix problem in reading sock TX queue commit b0f77d0eae0c58a5a9691a067ada112ceeae2d00 upstream. Fix problem in reading the tx_queue recorded in a socket. In dev_pick_tx, the TX queue is read by doing a check with sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get. The problem is that there is not mutual exclusion across these calls in the socket so it it is possible that the queue in the sock can be invalidated after sk_tx_queue_recorded is called so that sk_tx_queue get returns -1, which sets 65535 in queue_index and thus dev_pick_tx returns 65536 which is a bogus queue and can cause crash in dev_queue_xmit. We fix this by only calling sk_tx_queue_get which does the proper checks. The interface is that sk_tx_queue_get returns the TX queue if the sock argument is non-NULL and TX queue is recorded, else it returns -1. sk_tx_queue_recorded is no longer used so it can be completely removed. Signed-off-by: Tom Herbert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a2f0548b8b7f86d518a7f998fe1451367c9f9b56 Author: Brandon Philips Date: Wed Jun 16 16:21:58 2010 +0000 sky2: enable rx/tx in sky2_phy_reinit() commit 38000a94a902e94ca8b5498f7871c6316de8957a upstream. sky2_phy_reinit is called by the ethtool helpers sky2_set_settings, sky2_nway_reset and sky2_set_pauseparam when netif_running. However, at the end of sky2_phy_init GM_GP_CTRL has GM_GPCR_RX_ENA and GM_GPCR_TX_ENA cleared. So, doing these commands causes the device to stop working: $ ethtool -r eth0 $ ethtool -A eth0 autoneg off Fix this issue by enabling Rx/Tx after running sky2_phy_init in sky2_phy_reinit. Signed-off-by: Brandon Philips Tested-by: Brandon Philips Cc: stable@kernel.org Tested-by: Mike McCormack Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7fcce089f520a389e3f43ac0f939eb17462d7284 Author: Mike McCormack Date: Thu May 13 06:12:48 2010 +0000 sky2: Restore multicast after restart commit 37652522faa0877dc6d0dbb6b999bdccc07f0e89 upstream. Multicast settings will be lost on reset, so restore them. Signed-off-by: Mike McCormack Acked-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ba7afdd80a6a91fd7fac2aa17cadb75d4b427c13 Author: Florian Fainelli Date: Sun Jun 20 22:07:48 2010 +0000 cpmac: do not leak struct net_device on phy_connect errors commit ed770f01360b392564650bf1553ce723fa46afec upstream. If the call to phy_connect fails, we will return directly instead of freeing the previously allocated struct net_device. Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c6351bcaa687686e784b85d92e544e4c0176ef09 Author: Takashi Iwai Date: Mon Jul 5 16:50:13 2010 +0200 ALSA: hda - Restore cleared pin controls on resume commit ac0547dc62e67a3e0b0c1628b6e49efba8f517db upstream. Many codecs now clear the pin controls at suspend via snd_hda_shutup_pins() for reducing the click noise at power-off. But this leaves some pins uninitialized, and they'll be never recovered after resume. This patch adds the proper recovery of cleared pin controls on resume. Also it adds a check of bus->shutdown so that pins won't be cleared at module unloading. Reference: Kernel bug 16339 http://bugzilla.kernel.org/show_bug.cgi?id=16339 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 665f533f1927ee6582b1c896d0c1c98132853980 Author: Luke Yelavich Date: Tue Jun 22 11:04:19 2010 +1000 ALSA: hda - Add Macbook 5,2 quirk commit 3bfea98ff73d377ffce0d4c7f938b7ef958cdb35 upstream. BugLink: https://bugs.launchpad.net/bugs/463178 Set Macbook 5,2 (106b:4a00) hardware to use ALC885_MB5 Signed-off-by: Luke Yelavich Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fd1dd3913b09ddb4478b5f94bf8137bcd9da2eb2 Author: Takashi Iwai Date: Fri Jun 11 11:24:58 2010 +0200 ALSA: hda - Don't check capture source mixer if no ADC is available commit fbe618f216830f47b183858c3380d4767b1ad02f upstream. With multiple codec configurations, some codec might have no ADC, thus it keeps spec->adc_nids = NULL. This causes an Oops in alc_build_controls(). Reference: kernel bug #16156 https://bugzilla.kernel.org/show_bug.cgi?id=16156 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1180deda29be7691126b9bdd608d45d3678b7875 Author: David Howells Date: Thu Jul 22 12:53:18 2010 +0100 CIFS: Fix a malicious redirect problem in the DNS lookup code commit 4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 upstream. Fix the security problem in the CIFS filesystem DNS lookup code in which a malicious redirect could be installed by a random user by simply adding a result record into one of their keyrings with add_key() and then invoking a CIFS CFS lookup [CVE-2010-2524]. This is done by creating an internal keyring specifically for the caching of DNS lookups. To enforce the use of this keyring, the module init routine creates a set of override credentials with the keyring installed as the thread keyring and instructs request_key() to only install lookup result keys in that keyring. The override is then applied around the call to request_key(). This has some additional benefits when a kernel service uses this module to request a key: (1) The result keys are owned by root, not the user that caused the lookup. (2) The result keys don't pop up in the user's keyrings. (3) The result keys don't come out of the quota of the user that caused the lookup. The keyring can be viewed as root by doing cat /proc/keys: 2a0ca6c3 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: 1/4 It can then be listed with 'keyctl list' by root. # keyctl list 0x2a0ca6c3 1 key in keyring: 726766307: --alswrv 0 0 dns_resolver: foo.bar.com Signed-off-by: David Howells Reviewed-and-Tested-by: Jeff Layton Acked-by: Steve French Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6fbe41cd712389ce66b48b04cf675d399c3762c6 Author: Jeff Layton Date: Tue Jun 1 16:21:01 2010 -0400 cifs: don't attempt busy-file rename unless it's in same directory commit ed0e3ace576d297a5c7015401db1060bbf677b94 upstream. Busy-file renames don't actually work across directories, so we need to limit this code to renames within the same dir. This fixes the bug detailed here: https://bugzilla.redhat.com/show_bug.cgi?id=591938 Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 9fcb9b3b8cf44cdfb2e6ac9b57252b960d7c22ac Author: Jeff Layton Date: Wed Jun 16 13:40:18 2010 -0400 cifs: remove bogus first_time check in NTLMv2 session setup code commit 8a224d489454b7457105848610cfebebdec5638d upstream. This bug appears to be the result of a cut-and-paste mistake from the NTLMv1 code. The function to generate the MAC key was commented out, but not the conditional above it. The conditional then ended up causing the session setup key not to be copied to the buffer unless this was the first session on the socket, and that made all but the first NTLMv2 session setup fail. Fix this by removing the conditional and all of the commented clutter that made it difficult to see. Reported-by: Gunther Deschner Signed-off-by: Jeff Layton Signed-off-by: Greg Kroah-Hartman commit e779a25d7285a229fc93751db47d80d4c2dd9045 Author: Jean Delvare Date: Fri Jul 9 16:22:48 2010 +0200 hwmon: (it87) Fix in7 on IT8720F commit 436cad2a41a40c6c32bd9152b63d17eeb1f7c99b upstream. The IT8720F has no VIN7 pin, so VCCH should always be routed internally to VIN7 with an internal divider. Curiously, there still is a configuration bit to control this, which means it can be set incorrectly. And even more curiously, many boards out there are improperly configured, even though the IT8720F datasheet claims that the internal routing of VCCH to VIN7 is the default setting. So we force the internal routing in this case. It turns out that all boards with the wrong setting are from Gigabyte, so I suspect a BIOS bug. But it's easy enough to workaround in the driver, so let's do it. Signed-off-by: Jean Delvare Cc: Jean-Marc Spaggiari Signed-off-by: Greg Kroah-Hartman commit c32f9cf32602dc3f737ad263057f29250c6be45b Author: Jean Delvare Date: Fri Jul 9 16:22:49 2010 +0200 hwmon: (coretemp) Skip duplicate CPU entries commit d883b9f0977269d519469da72faec6a7f72cb489 upstream. On hyper-threaded CPUs, each core appears twice in the CPU list. Skip the second entry to avoid duplicate sensors. Signed-off-by: Jean Delvare Acked-by: Huaxu Wan Signed-off-by: Greg Kroah-Hartman commit 1044e560c5d07dd6bf0eccef8ba7238992831045 Author: Jean Delvare Date: Fri Jul 9 16:22:51 2010 +0200 hwmon: (coretemp) Properly label the sensors commit 3f4f09b4be35d38d6e2bf22c989443e65e70fc4c upstream. Don't assume that CPU entry number and core ID always match. It worked in the simple cases (single CPU, no HT) but fails on multi-CPU systems. Signed-off-by: Jean Delvare Acked-by: Huaxu Wan Signed-off-by: Greg Kroah-Hartman commit 2cffc5f97e17d873da2d07d6327fad22d89ce47b Author: Jean Delvare Date: Sun Jun 20 09:22:31 2010 +0200 hwmon: (k10temp) Do not blacklist known working CPU models commit eefc2d9e3d4f8820f2c128a0e44a23de28b1ed64 upstream. When detecting AM2+ or AM3 socket with DDR2, only blacklist cores which are known to exist in AM2+ format. Signed-off-by: Jean Delvare Acked-by: Clemens Ladisch Cc: Andreas Herrmann Signed-off-by: Greg Kroah-Hartman commit 23cb4986a4d4e442dd48ef7b3ea0c4b239f419ee Author: KAMEZAWA Hiroyuki Date: Sun Jun 20 09:22:31 2010 +0200 hwmon: (i5k_amb) Fix sysfs attribute for lockdep commit 0e6c7870856c7fb4ee054d28ac253b2d3d0c7e36 upstream. i5k_amb.ko uses dynamically allocated memory (by kmalloc) for attributes passed to sysfs. So, sysfs_attr_init() should be called for working happy with lockdep. Signed-off-by: KAMEZAWA Hiroyuki Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 75dfc9ef80775613c66a04d46393432df326deba Author: Andreas Herrmann Date: Fri Jul 9 16:22:47 2010 +0200 hwmon: (k8temp) Fix temperature reporting for ASB1 processor revisions commit d535bad90dad4eb42ec6528043fcfb53627d4f89 upstream. Reported temperature for ASB1 CPUs is too high. Add ASB1 CPU revisions (these are also non-desktop variants) to the list of CPUs for which the temperature fixup is not required. Example: (from LENOVO ThinkPad Edge 13, 01972NG, system was idle) Current kernel reports $ sensors k8temp-pci-00c3 Adapter: PCI adapter Core0 Temp: +74.0 C Core0 Temp: +70.0 C Core1 Temp: +69.0 C Core1 Temp: +70.0 C With this patch I have $ sensors k8temp-pci-00c3 Adapter: PCI adapter Core0 Temp: +54.0 C Core0 Temp: +51.0 C Core1 Temp: +48.0 C Core1 Temp: +49.0 C Cc: Rudolf Marek Signed-off-by: Andreas Herrmann Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit a34fc71852501f6f3573f8c95a55585c519545d2 Author: Jean Delvare Date: Sun Jun 20 09:22:32 2010 +0200 hwmon: (k8temp) Bypass core swapping on single-core processors commit cd4de21f7e65a8cd04860f5661b3c18648ee52a1 upstream. Commit a2e066bba2aad6583e3ff648bf28339d6c9f0898 introduced core swapping for CPU models 64 and later. I recently had a report about a Sempron 3200+, model 95, for which this patch broke temperature reading. It happens that this is a single-core processor, so the effect of the swapping was to read a temperature value for a core that didn't exist, leading to an incorrect value (-49 degrees C.) Disabling core swapping on singe-core processors should fix this. Additional comment from Andreas: The BKDG says Thermal Sensor Core Select (ThermSenseCoreSel)-Bit 2. This bit selects the CPU whose temperature is reported in the CurTemp field. This bit only applies to dual core processors. For single core processors CPU0 Thermal Sensor is always selected. k8temp_probe() correctly detected that SEL_CORE can't be used on single core CPU. Thus k8temp did never update the temperature values stored in temp[1][x] and -49 degrees was reported. For single core CPUs we must use the values read into temp[0][x]. Signed-off-by: Jean Delvare Tested-by: Rick Moritz Acked-by: Andreas Herrmann Signed-off-by: Greg Kroah-Hartman commit 4584740e4ec1db166d862112b1b90e35cadaad03 Author: Christoph Fritz Date: Sun Jul 11 18:26:15 2010 -0500 ssb: Handle Netbook devices where the SPROM address is changed For some Netbook computers with Broadcom BCM4312 wireless interfaces, the SPROM has been moved to a new location. When the ssb driver tries to read the old location, the systems hangs when trying to read a non-existent location. Such freezes are particularly bad as they do not log the failure. This patch is modified from commit da1fdb02d9200ff28b6f3a380d21930335fe5429 with some pieces from other mainline changes so that it can be applied to stable 2.6.34.Y. Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit 0c7066ca14c6ac8986510ba5bd946b0b50373d84 Author: Jan Beulich Date: Tue Jul 6 11:09:00 2010 +0100 fix mis-applied upstream commit ac9721f3f54b27a16c7e1afb2481e7ee95a70318 For some reason one of the changes to sys_perf_event_open() got mis-applied, thus breaking (at least) error handling paths (pointed out by means of a compiler warning). Signed-off-by: Jan Beulich Cc: Peter Zijlstra Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit cbed49406bb192d2d87a8a88c757f0bfaddb59de Author: Ben Hutchings Date: Fri Jul 2 21:49:02 2010 -0700 usbnet: Set parent device early for netdev_printk() [ Upsteam commit 0dacca73a3ddefa6cb8a7e0282f938e01faa1a64 ] netdev_printk() follows the net_device's parent device pointer, so we must set that earlier than we previously did. Reported-by: Luís Picciochi Oliveira Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4e80cae6d537201971b62e612d877ff1794c8c8d Author: Eric Dumazet Date: Thu Jun 3 05:45:47 2010 +0000 tcp: use correct net ns in cookie_v4_check() [ Upstream commit c44649216522cd607a4027d2ebf4a8147d3fa94c ] Its better to make a route lookup in appropriate namespace. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a1899b1af296841f26afc39194d1857f963cbbac Author: Eric Dumazet Date: Mon May 17 22:35:36 2010 -0700 tcp: tcp_synack_options() fix [ Upstream commit de213e5eedecdfb1b1eea7e6be28bc64cac5c078 ] Commit 33ad798c924b4a (tcp: options clean up) introduced a problem if MD5+SACK+timestamps were used in initial SYN message. Some stacks (old linux for example) try to negotiate MD5+SACK+TSTAMP sessions, but since 40 bytes of tcp options space are not enough to store all the bits needed, we chose to disable timestamps in this case. We send a SYN-ACK _without_ timestamp option, but socket has timestamps enabled and all further outgoing messages contain a TS block, all with the initial timestamp of the remote peer. Fix is to really disable timestamps option for the whole session. Reported-by: Bijay Singh Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit efa4be3c2cb92b1d9d7d04ab91736cfc937a9764 Author: Timo Teräs Date: Wed Jun 9 17:31:48 2010 -0700 r8169: fix mdio_read and update mdio_write according to hw specs [ Upstream commit 81a95f049962ec20a9aed888e676208b206f0f2e ] Realtek confirmed that a 20us delay is needed after mdio_read and mdio_write operations. Reduce the delay in mdio_write, and add it to mdio_read too. Also add a comment that the 20us is from hw specs. Signed-off-by: Timo Teräs Acked-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3e3435c62f1c8df22a08d50efea3b0ad910b1284 Author: Timo Teräs Date: Sun Jun 6 15:38:47 2010 -0700 r8169: fix random mdio_write failures [ Upstream commit 024a07bacf8287a6ddfa83e9d5b951c5e8b4070e ] Some configurations need delay between the "write completed" indication and new write to work reliably. Realtek driver seems to use longer delay when polling the "write complete" bit, so it waits long enough between writes with high probability (but could probably break too). This patch adds a new udelay to make sure we wait unconditionally some time after the write complete indication. This caused a regression with XID 18000000 boards when the board specific phy configuration writing many mdio registers was added in commit 2e955856ff (r8169: phy init for the 8169scd). Some of the configration mdio writes would almost always fail, and depending on failure might leave the PHY in non-working state. Signed-off-by: Timo Teräs Acked-off-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 71bd6170745cbaac9f16817c23cc830edc89e1fe Author: Tadashi Abe Date: Mon May 17 22:41:45 2010 -0700 pegasus: fix USB device ID for ETX-US2 [ Upstream commit 95718c1c25370b2c85061a4d8dfab2831b3ad280 ] USB device ID definition for I-O Data ETX-US2 is wrong. Correct ID is 0x093a. Here's snippet from /proc/bus/usb/devices; T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=04bb ProdID=093a Rev= 1.01 S: Manufacturer=I-O DATA DEVICE,INC. S: Product=I-O DATA ETX2-US2 S: SerialNumber=A26427 C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=224mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=00 Driver=pegasus E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=03(Int.) MxPS= 8 Ivl=125us This patch enables pegasus driver to work fine with ETX-US2. Signed-off-by: Tadashi Abe Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fccaf8963bdf9c58c9ee93143689dc47b66dc5f0 Author: Brian Haley Date: Fri May 28 23:02:35 2010 -0700 IPv6: fix Mobile IPv6 regression [ Upstream commit 6057fd78a8dcce6269f029b967051d5a2e9b0895 ] Commit f4f914b5 (net: ipv6 bind to device issue) caused a regression with Mobile IPv6 when it changed the meaning of fl->oif to become a strict requirement of the route lookup. Instead, only force strict mode when sk->sk_bound_dev_if is set on the calling socket, getting the intended behavior and fixing the regression. Tested-by: Arnaud Ebalard Signed-off-by: Brian Haley Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 85d9faef1812bdc2ee93a727d2bfdebf67a91d0b Author: Herbert Xu Date: Thu May 20 23:07:56 2010 -0700 gro: Fix bogus gso_size on the first fraglist entry [ Upstream commit 622e0ca1cd4d459f5af4f2c65f4dc0dd823cb4c3 ] When GRO produces fraglist entries, and the resulting skb hits an interface that is incapable of TSO but capable of FRAGLIST, we end up producing a bogus packet with gso_size non-zero. This was reported in the field with older versions of KVM that did not set the TSO bits on tuntap. This patch fixes that. Reported-by: Igor Zhang Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 894d3cf54d2f7534f024784e8558d0bb2900dcb7 Author: Yoichi Yuasa Date: Mon May 24 18:37:02 2010 -0700 net/dccp: expansion of error code size [ Upstream commit d9b52dc6fd1fbb2bad645cbc86a60f984c1cb179 ] Because MIPS's EDQUOT value is 1133(0x46d). It's larger than u8. Signed-off-by: Yoichi Yuasa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 355580038fc997025d8ec6823fb9898b48edff69 Author: stephen hemminger Date: Tue Jun 15 06:14:12 2010 +0000 bridge: fdb cleanup runs too often [ Upstream commit 25442e06d20aaba7d7b16438078a562b3e4cf19b ] It is common in end-node, non STP bridges to set forwarding delay to zero; which causes the forwarding database cleanup to run every clock tick. Change to run only as soon as needed or at next ageing timer interval which ever is sooner. Use round_jiffies_up macro rather than attempting round up by changing value. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5b5b5f08f32661973c8880c3aaeb916c735a2e8c Author: Michael S. Tsirkin Date: Fri Jul 2 16:32:55 2010 +0000 virtio_net: do not reschedule rx refill forever commit 1788f49548860fa1c861ee3454d47b466c877e43 upstream. We currently fill all of RX ring, then add_buf returns ENOSPC, which gets mis-detected as an out of memory condition and causes us to reschedule the work, and so on forever. Fix this by oom = err == -ENOMEM; Signed-off-by: Michael S. Tsirkin Signed-off-by: Rusty Russell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e61dcd092ff55415060b37bb4a6cf855385768b9 Author: Michael S. Tsirkin Date: Thu Jun 10 18:16:11 2010 +0300 virtio: return ENOMEM on out of memory commit 686d363786a53ed28ee875b84ef24e6d5126ef6f upstream. add_buf returns ring size on out of memory, this is not what devices expect. Signed-off-by: Michael S. Tsirkin Acked-by: Amit Shah Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit d674601ce1cd0123e065884f4d84e29f10e0b108 Author: Michael S. Tsirkin Date: Wed Jun 23 22:49:06 2010 -0600 virtio-pci: disable msi at startup commit b03214d559471359e2a85ae256686381d0672f29 upstream. virtio-pci resets the device at startup by writing to the status register, but this does not clear the pci config space, specifically msi enable status which affects register layout. This breaks things like kdump when they try to use e.g. virtio-blk. Fix by forcing msi off at startup. Since pci.c already has a routine to do this, we export and use it instead of duplicating code. Signed-off-by: Michael S. Tsirkin Tested-by: Vivek Goyal Acked-by: Jesse Barnes Cc: linux-pci@vger.kernel.org Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman