commit 1506707a6c740db316e422239a53ae5df1727591 Author: Greg Kroah-Hartman Date: Thu Aug 26 16:47:12 2010 -0700 Linux 2.6.35.4 commit bdf6e8eb218794850dfff2e2858590fda91e7f36 Author: Arjan van de Ven Date: Wed Aug 18 15:33:13 2010 -0700 tracing: Fix timer tracing commit ede1b4290781ae82ccf0f2ecc6dada8d3dd35779 upstream. PowerTOP would like to be able to trace timers. Unfortunately, the current timer tracing is not very useful: the actual timer function is not recorded in the trace at the start of timer execution. Although this is recorded for timer "start" time (when it gets armed), this is not useful; most timers get started early, and a tracer like PowerTOP will never see this event, but will only see the actual running of the timer. This patch just adds the function to the timer tracing; I've verified with PowerTOP that now it can get useful information about timers. Signed-off-by: Arjan van de Ven Cc: xiaoguangrong@cn.fujitsu.com Cc: Steven Rostedt Cc: Frederic Weisbecker Cc: Peter Zijlstra LKML-Reference: <4C6C5FA9.3000405@linux.intel.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit f5d76aba51998b28810ae026a30577bd8d2abae5 Author: Tim Chen Date: Wed Aug 18 15:00:27 2010 -0700 mutex: Improve the scalability of optimistic spinning commit 9d0f4dcc5c4d1c5dd01172172684a45b5f49d740 upstream. There is a scalability issue for current implementation of optimistic mutex spin in the kernel. It is found on a 8 node 64 core Nehalem-EX system (HT mode). The intention of the optimistic mutex spin is to busy wait and spin on a mutex if the owner of the mutex is running, in the hope that the mutex will be released soon and be acquired, without the thread trying to acquire mutex going to sleep. However, when we have a large number of threads, contending for the mutex, we could have the mutex grabbed by other thread, and then another ……, and we will keep spinning, wasting cpu cycles and adding to the contention. One possible fix is to quit spinning and put the current thread on wait-list if mutex lock switch to a new owner while we spin, indicating heavy contention (see the patch included). I did some testing on a 8 socket Nehalem-EX system with a total of 64 cores. Using Ingo's test-mutex program that creates/delete files with 256 threads (http://lkml.org/lkml/2006/1/8/50) , I see the following speed up after putting in the mutex spin fix: ./mutex-test V 256 10 Ops/sec 2.6.34 62864 With fix 197200 Repeating the test with Aim7 fserver workload, again there is a speed up with the fix: Jobs/min 2.6.34 91657 With fix 149325 To look at the impact on the distribution of mutex acquisition time, I collected the mutex acquisition time on Aim7 fserver workload with some instrumentation. The average acquisition time is reduced by 48% and number of contentions reduced by 32%. #contentions Time to acquire mutex (cycles) 2.6.34 72973 44765791 With fix 49210 23067129 The histogram of mutex acquisition time is listed below. The acquisition time is in 2^bin cycles. We see that without the fix, the acquisition time is mostly around 2^26 cycles. With the fix, we the distribution get spread out a lot more towards the lower cycles, starting from 2^13. However, there is an increase of the tail distribution with the fix at 2^28 and 2^29 cycles. It seems a small price to pay for the reduced average acquisition time and also getting the cpu to do useful work. Mutex acquisition time distribution (acq time = 2^bin cycles): 2.6.34 With Fix bin #occurrence % #occurrence % 11 2 0.00% 120 0.24% 12 10 0.01% 790 1.61% 13 14 0.02% 2058 4.18% 14 86 0.12% 3378 6.86% 15 393 0.54% 4831 9.82% 16 710 0.97% 4893 9.94% 17 815 1.12% 4667 9.48% 18 790 1.08% 5147 10.46% 19 580 0.80% 6250 12.70% 20 429 0.59% 6870 13.96% 21 311 0.43% 1809 3.68% 22 255 0.35% 2305 4.68% 23 317 0.44% 916 1.86% 24 610 0.84% 233 0.47% 25 3128 4.29% 95 0.19% 26 63902 87.69% 122 0.25% 27 619 0.85% 286 0.58% 28 0 0.00% 3536 7.19% 29 0 0.00% 903 1.83% 30 0 0.00% 0 0.00% I've done similar experiments with 2.6.35 kernel on smaller boxes as well. One is on a dual-socket Westmere box (12 cores total, with HT). Another experiment is on an old dual-socket Core 2 box (4 cores total, no HT) On the 12-core Westmere box, I see a 250% increase for Ingo's mutex-test program with my mutex patch but no significant difference in aim7's fserver workload. On the 4-core Core 2 box, I see the difference with the patch for both mutex-test and aim7 fserver are negligible. So far, it seems like the patch has not caused regression on smaller systems. Signed-off-by: Tim Chen Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Andrew Morton Cc: Thomas Gleixner Cc: Frederic Weisbecker LKML-Reference: <1282168827.9542.72.camel@schen9-DESK> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a87da791eaa200a75a47fabc4a39eaa32e42deca Author: Galen Seitz Date: Thu Aug 19 11:15:20 2010 -0700 USB: ftdi_sio: add product ID for Lenz LI-USB commit ea233f805537f5da16c2b34d85b6c5cf88a0f9aa upstream. Add ftdi product ID for Lenz LI-USB, a model train interface. This was NOT tested against 2.6.35, but a similar patch was tested with the CentOS 2.6.18-194.11.1.el5 kernel. It wasn't clear to me what ordering is being used in ftdi_sio.c, so I inserted the ID after another model train entry(SPROG_II). Signed-off-by: Galen Seitz Signed-off-by: Greg Kroah-Hartman commit a305c4c5dd114443b4612b3a82811aa63845f741 Author: Martin Michlmayr Date: Tue Aug 10 20:31:21 2010 +0100 USB: ftdi_sio: Add ID for Ionics PlugComputer commit 666cc076d284e32d11bfc5ea2fbfc50434cff051 upstream. Add the ID for the Ionics PlugComputer (). Signed-off-by: Martin Michlmayr Signed-off-by: Greg Kroah-Hartman commit ba6da120819f5ffc44cbb5a66fc70f1e9f2f858e Author: John Youn Date: Mon Aug 9 13:56:11 2010 -0700 USB: xhci: Remove buggy assignment in next_trb() commit a1669b2c64a9c8b031e0ac5cbf2692337a577f7c upstream. The code to increment the TRB pointer has a slight ambiguity that could lead to a bug on different compilers. The ANSI C specification does not specify the precedence of the assignment operator over the postfix operator. gcc 4.4 produced the correct code (increment the pointer and assign the value), but a MIPS compiler that one of John's clients used assigned the old (unincremented) value. Remove the unnecessary assignment to make all compilers produce the correct assembly. Signed-off-by: John Youn Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit e5af095003749e3f9bc1ff3db77ef7c91dc79459 Author: Greg Kroah-Hartman Date: Tue Aug 17 15:15:37 2010 -0700 USB: io_ti: check firmware version before updating commit 0827a9ff2bbcbb03c33f1a6eb283fe051059482c upstream. If we can't read the firmware for a device from the disk, and yet the device already has a valid firmware image in it, we don't want to replace the firmware with something invalid. So check the version number to be less than the current one to verify this is the correct thing to do. Reported-by: Chris Beauchamp Tested-by: Chris Beauchamp Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 5ce775be7b38ee371c389b28efebca141fabc133 Author: Michael Wileczka Date: Wed Aug 18 07:14:37 2010 -0700 USB: ftdi_sio: fix endianess of max packet size commit d1ab903d2552b2362339b19203c7f01c797cb316 upstream. The USB max packet size (always little-endian) was not being byte swapped on big-endian systems. Applicable since [USB: ftdi_sio: fix hi-speed device packet size calculation] approx 2.6.31 Signed-off-by: Michael Wileczka Signed-off-by: Greg Kroah-Hartman commit cdead9a39eb906aa6fde0996f5274f42c603b259 Author: Craig Shelley Date: Wed Aug 18 22:13:39 2010 +0100 USB: CP210x Fix Break On/Off commit 72916791cbeb9cc607ae620cfba207dea481cd76 upstream. The definitions for BREAK_ON and BREAK_OFF are inverted, causing break requests to fail. This patch sets BREAK_ON and BREAK_OFF to the correct values. Signed-off-by: Craig Shelley Signed-off-by: Greg Kroah-Hartman commit a848012ab324c13aff0836d5778cdc6423013938 Author: Jef Driesen Date: Mon Aug 9 15:55:32 2010 +0200 USB: pl2303: New vendor and product id commit f36ecd5de93e4c85a9e3d25100c6e233155b12e5 upstream. Add support for the Zeagle N2iTiON3 dive computer interface. Since Zeagle devices are actually manufactured by Seiko, this patch will support other Seiko based models as well. Signed-off-by: Jef Driesen Signed-off-by: Greg Kroah-Hartman commit e60577f8ff1f00807cbd78a8eeab21cdd7161b42 Author: Ross Burton Date: Fri Aug 6 16:36:39 2010 +0100 USB: add device IDs for igotu to navman commit 0eee6a2b2a52e17066a572d30ad2805d3ebc7508 upstream. I recently bought a i-gotU USB GPS, and whilst hunting around for linux support discovered this post by you back in 2009: http://kerneltrap.org/mailarchive/linux-usb/2009/3/12/5148644 >Try the navman driver instead. You can either add the device id to the > driver and rebuild it, or do this before you plug the device in: > modprobe navman > echo -n "0x0df7 0x0900" > /sys/bus/usb-serial/drivers/navman/new_id > > and then plug your device in and see if that works. I can confirm that the navman driver works with the right device IDs on my i-gotU GT-600, which has the same device IDs. Attached is a patch adding the IDs. From: Ross Burton Signed-off-by: Greg Kroah-Hartman commit 51f663a00e62c08701fa74e53ece1bdfbf08fad7 Author: Michael Tokarev Date: Fri Aug 6 18:49:21 2010 +0400 USB: option: add Celot CT-650 commit 76078dc4fc389185fe467d33428f259ea9e69807 upstream. Signed-off-by: Michael Tokarev Signed-off-by: Greg Kroah-Hartman commit 680dc8e519bdbd1ad0c6ffb51d5fdc9d52f5b923 Author: Anatolij Gustschin Date: Sun Aug 15 22:26:56 2010 +0000 powerpc: Fix typo in uImage target commit c686ecf5040d287a68d4fca7f1948472f556a6d3 upstream. Commit e32e78c5ee8aadef020fbaecbe6fb741ed9029fd (powerpc: fix build with make 3.82) introduced a typo in uImage target and broke building uImage: make: *** No rule to make target `uImage'. Stop. Signed-off-by: Anatolij Gustschin Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 964505fabe0410e11cc5487a9a4b17dbec461ffd Author: Sven Eckelmann Date: Sat Aug 21 14:18:10 2010 +0200 Staging: batman-adv: Don't write in not allocated packet_buff commit f86b9984250fa2b71ce36d4693a939a58579583b upstream. Each net_device in a system will automatically managed as a possible batman_if and holds different informations like a buffer with a prepared originator messages. To reduce the memory usage, the packet_buff will only be allocated when the interface is really added/enabled for batman-adv. The function to update the hw address information inside the packet_buff just assumes that the packet_buff is always initialised and thus the kernel will just oops when we try to change the hw address of a not already fully enabled interface. We must always check if the packet_buff is allocated before we try to change information inside of it. Reported-by: Tim Glaremin Reported-by: Kazuki Shimada Signed-off-by: Sven Eckelmann Signed-off-by: Greg Kroah-Hartman commit b6c68ad83cbc3bcf4ff83f62340fbf891f44735c Author: Sven Eckelmann Date: Sat Aug 21 14:18:09 2010 +0200 Staging: batman-adv: Don't use net_dev after dev_put commit 51a00eaf6e008b60943af6ab68c17ac3622208dc upstream. dev_put allows a device to be freed when all its references are dropped. After that we are not allowed to access that information anymore. Access to the data structure of a net_device must be surrounded a dev_hold and ended using dev_put. batman-adv adds a device to its own management structure in hardif_add_interface and will release it in hardif_remove_interface. Thus it must hold a reference all the time between those functions to prevent any access to the already released net_device structure. Reported-by: Tim Glaremin Signed-off-by: Sven Eckelmann Signed-off-by: Greg Kroah-Hartman commit 6e5cab8eac427fd754cc70aba0906228277cdea2 Author: Sven Eckelmann Date: Sat Aug 21 14:18:08 2010 +0200 Staging: batman-adv: Create batman_if only on register event commit 1189f130f89b73eecb6117c0fc5e90abbcb7faa0 upstream. We try to get all events for all net_devices to be able to add special sysfs folders for the batman-adv configuration. This also includes such events like NETDEV_POST_INIT which has no valid kobject according to v2.6.32-rc3-13-g7ffbe3f. This would create an oops in that situation. It is enough to create the batman_if only on NETDEV_REGISTER events because we will also receive those events for devices which already existed when we registered the notifier call. Signed-off-by: Sven Eckelmann Signed-off-by: Greg Kroah-Hartman commit 37b419b202eaebc97c05e598895ea16cbde112a7 Author: Marek Lindner Date: Mon Aug 9 23:56:39 2010 +0200 Staging: batman-adv: unify orig_hash_lock spinlock handling to avoid deadlocks commit 9abc10238e1df7ce81c58a441f65efd5e905b9e8 upstream. The orig_hash_lock spinlock always has to be locked with IRQs being disabled to avoid deadlocks between code that is being executed in IRQ context and code that is being executed in non-IRQ context. Reported-by: Sven Eckelmann Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Signed-off-by: Greg Kroah-Hartman commit cbdd4c098ba34731ceec62c47c36ec8e3d0d252e Author: Dave Airlie Date: Tue Aug 17 14:46:00 2010 +1000 drm: stop information leak of old kernel stack. commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream. non-critical issue, CVE-2010-2803 Userspace controls the amount of memory to be allocate, so it can get the ioctl to allocate more memory than the kernel uses, and get access to kernel stack. This can only be done for processes authenticated to the X server for DRI access, and if the user has DRI access. Fix is to just memset the data to 0 if the user doesn't copy into it in the first place. Reported-by: Kees Cook Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit e617eefb30dd6c1494ff5b4dc51c0217daa70908 Author: Jerome Glisse Date: Mon Aug 16 11:54:36 2010 -0400 drm/radeon/kms: fix GTT/VRAM overlapping test commit 2cbeb4efc2b9739fe6019b613ae658bd2119a3eb upstream. GTT/VRAM overlapping test had a typo which leaded to not detecting case when vram_end > gtt_end. This patch fix the logic and should fix #16574 Signed-off-by: Jerome Glisse Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 1cc67a626a131a78227db806cb4fa3b557d2c3f7 Author: Alex Deucher Date: Fri Aug 20 12:47:54 2010 -0400 drm/radeon/kms: fix sideport detection on newer rs880 boards commit 4b80d954a7e54c13a5063af18d01719ad6a0daf3 upstream. The meaning of ucMemoryType changed on recent boards, however, ulBootUpSidePortClock should be set properly across all boards. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 410ff49be76bfef96889b1e4718bf1bc2048a636 Author: Alex Deucher Date: Thu Aug 19 11:19:31 2010 -0400 drm/radeon/kms/DCE3+: switch pads to ddc mode when going i2c commit 5786e2c5a3f519647c50bbc276e45d36a704415a upstream. The pins for ddc and aux are shared so you need to switch the mode when doing ddc. The ProcessAuxChannel table already sets the pin mode to DP. This should fix unreliable ddc issues on DP ports using non-DP monitors. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit a9982269c438c05742a58636165700f6fe0c38db Author: Alex Deucher Date: Tue Aug 17 00:35:45 2010 -0400 drm/radeon/kms: fix typo in radeon_compute_pll_gain commit 0537398b211b4f040564beec458e23571042d335 upstream. Looks like this got copied from the ddx wrong. Cc: Benjamin Herrenschmidt Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0e485a9e6662219a4458f08c0dce6ff1a7222d8a Author: Alex Deucher Date: Fri Aug 13 10:53:35 2010 -0400 drm/radeon/kms/pm: bail early if nothing's changing commit 4e186b2d6c878793587c35d7f06c94565d76e9b8 upstream. If we aren't changing the power state, no need to take locks and schedule fences, etc. There seem to be lock ordering issues in the CP and fence code in some cases; see bug 29140 below. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29140 Possibly also: https://bugzilla.kernel.org/show_bug.cgi?id=16581 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit eeba6084bb7f45c3fdedbce67cffd6bcef834ef8 Author: Alex Deucher Date: Thu Aug 12 18:05:34 2010 -0400 drm/radeon/kms: don't enable MSIs on AGP boards commit da7be684c55dbaeebfc1a048d5faf52d52cb3c1f upstream. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29327 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 185726c288025a315a5d70984c80d49abb9e115d Author: Johannes Berg Date: Sun Aug 15 21:20:44 2010 +0000 netlink: fix compat recvmsg commit 68d6ac6d2740b6a55f3ae92a4e0be6d881904b32 upstream. Since commit 1dacc76d0014a034b8aca14237c127d7c19d7726 Author: Johannes Berg Date: Wed Jul 1 11:26:02 2009 +0000 net/compat/wext: send different messages to compat tasks we had a race condition when setting and then restoring frag_list. Eric attempted to fix it, but the fix created even worse problems. However, the original motivation I had when I added the code that turned out to be racy is no longer clear to me, since we only copy up to skb->len to userspace, which doesn't include the frag_list length. As a result, not doing any frag_list clearing and restoring avoids the race condition, while not introducing any other problems. Additionally, while preparing this patch I found that since none of the remaining netlink code is really aware of the frag_list, we need to use the original skb's information for packet information and credentials. This fixes, for example, the group information received by compat tasks. Cc: Eric Dumazet Signed-off-by: Johannes Berg Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e7d2aabc6f8b9b465c7f52bb119a89cf9717f817 Author: Daniel T Chen Date: Wed Aug 18 19:33:43 2010 -0400 ALSA: intel8x0: Mute External Amplifier by default for ThinkPad X31 commit 9c77b846ec8b4e0c7107dd7f820172462dc84a61 upstream. BugLink: https://bugs.launchpad.net/bugs/619439 This ThinkPad model needs External Amplifier muted for audible playback, so set the inv_eapd quirk for it. Reported-and-tested-by: Dennis Bell Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ca3d0a0f66312d45e876ece90c04fc9225bdd3ab Author: Jan Beulich Date: Mon Aug 16 11:58:58 2010 +0100 fixes for using make 3.82 commit 3c955b407a084810f57260d61548cc92c14bc627 upstream. It doesn't like pattern and explicit rules to be on the same line, and it seems to be more picky when matching file (or really directory) names with different numbers of trailing slashes. Signed-off-by: Jan Beulich Acked-by: Sam Ravnborg Andrew Benton Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 637958343c8260d73a81526176286d744d90c317 Author: Johannes Berg Date: Tue Aug 17 11:24:01 2010 +0200 iwlwifi: fix 3945 filter flags commit 8b8ab9d5e352aae0dcae53c657b25ab61bb73f0f upstream. Applying the filter flags directly as done since commit 3474ad635db371b0d8d0ee40086f15d223d5b6a4 Author: Johannes Berg Date: Thu Apr 29 04:43:05 2010 -0700 iwlwifi: apply filter flags directly broke 3945 under some unknown circumstances, as reported by Alex. Since I want to keep the direct application of filter flags on iwlagn, duplicate the code into both 3945 and agn and remove committing the RXON that broke things from the 3945 version. Reported-by: Alex Romosan Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 654cfa23ae31350403cf3db30b4fa9fa8b5bb5e2 Author: Bruce Allan Date: Thu Aug 19 15:48:52 2010 -0700 e1000e: don't check for alternate MAC addr on parts that don't support it commit 1aef70ef125165e0114a8e475636eff242a52030 upstream. From: Bruce Allan The alternate MAC address feature is only supported by 80003ES2LAN and 82571 LOMs as well as a couple 82571 mezzanine cards. Checking for an alternate MAC address on other parts can fail leading to the driver not able to load. This patch limits the check for an alternate MAC address to be done only for parts that support the feature. This issue has been around since support for the feature was introduced to the e1000e driver in 2.6.34. Signed-off-by: Bruce Allan Reported-by: Fabio Varesano Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d94b0aa7865743fda22297bc1d34e5e0fe6a6733 Author: Bruce Allan Date: Thu Aug 19 15:48:30 2010 -0700 e1000e: disable ASPM L1 on 82573 commit 19833b5dffe2f2e92a1b377f9aae9d5f32239512 upstream. On the e1000-devel mailing list, Nils Faerber reported latency issues with the 82573 LOM on a ThinkPad X60. It was found to be caused by ASPM L1; disabling it resolves the latency. The issue is present in kernels back to 2.6.34 and possibly 2.6.33. Reported-by: Nils Faerber Signed-off-by: Bruce Allan Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 305b06f7334dd43bc952b525d7232f4cae7c3818 Author: Kiyoshi Ueda Date: Thu Aug 12 04:13:56 2010 +0100 dm: separate device deletion from dm_put commit 3f77316de0ec0fd208467fbee8d9edc70e2c73b2 upstream. This patch separates the device deletion code from dm_put() to make sure the deletion happens in the process context. By this patch, device deletion always occurs in an ioctl (process) context and dm_put() can be called in interrupt context. As a result, the request-based dm's bad dm_put() usage pointed out by Mikulas below disappears. http://marc.info/?l=dm-devel&m=126699981019735&w=2 Without this patch, I confirmed there is a case to crash the system: dm_put() => dm_table_destroy() => vfree() => BUG_ON(in_interrupt()) Some more backgrounds and details: In request-based dm, a device opener can remove a mapped_device while the last request is still completing, because bios in the last request complete first and then the device opener can close and remove the mapped_device before the last request completes: CPU0 CPU1 ================================================================= <> blk_end_request_all(clone_rq) blk_update_request(clone_rq) bio_endio(clone_bio) == end_clone_bio blk_update_request(orig_rq) bio_endio(orig_bio) <> dm_blk_close() dev_remove() dm_put(md) <> blk_finish_request(clone_rq) .... dm_end_request(clone_rq) free_rq_clone(clone_rq) blk_end_request_all(orig_rq) rq_completed(md) So request-based dm used dm_get()/dm_put() to hold md for each I/O until its request completion handling is fully done. However, the final dm_put() can call the device deletion code which must not be run in interrupt context and may cause kernel panic. To solve the problem, this patch moves the device deletion code, dm_destroy(), to predetermined places that is actually deleting the mapped_device in ioctl (process) context, and changes dm_put() just to decrement the reference count of the mapped_device. By this change, dm_put() can be used in any context and the symmetric model below is introduced: dm_create(): create a mapped_device dm_destroy(): destroy a mapped_device dm_get(): increment the reference count of a mapped_device dm_put(): decrement the reference count of a mapped_device dm_destroy() waits for all references of the mapped_device to disappear, then deletes the mapped_device. dm_destroy() uses active waiting with msleep(1), since deleting the mapped_device isn't performance-critical task. And since at this point, nobody opens the mapped_device and no new reference will be taken, the pending counts are just for racing completing activity and will eventually decrease to zero. For the unlikely case of the forced module unload, dm_destroy_immediate(), which doesn't wait and forcibly deletes the mapped_device, is also introduced and used in dm_hash_remove_all(). Otherwise, "rmmod -f" may be stuck and never return. And now, because the mapped_device is deleted at this point, subsequent accesses to the mapped_device may cause NULL pointer references. Signed-off-by: Kiyoshi Ueda Signed-off-by: Jun'ichi Nomura Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 3ee378d7e0dfdb9bb342f59067d0d83cec9b766e Author: Johannes Berg Date: Mon Aug 9 10:57:02 2010 -0700 iwlagn: fix rts cts protection This is a backport of mainline commit 94597ab23ea10b3bdcba534be00a9f7b35791c07. I removed the variable renamings from it and made it apply on 2.6.35. It now also incorporates some changes from commit cfecc6b492162fb49209a83dc207f182b87ea27a since those were required as well. commit 94597ab23ea10b3bdcba534be00a9f7b35791c07 upstream. Currently the driver will try to protect all frames, which leads to a lot of odd things like sending an RTS with a zeroed RA before multicast frames, which is clearly bogus. In order to fix all of this, we need to take a step back and see what we need to achieve: * we need RTS/CTS protection if requested by the AP for the BSS, mac80211 tells us this * in that case, CTS-to-self should only be enabled when mac80211 tells us * additionally, as a hardware workaround, on some devices we have to protect aggregated frames with RTS To achieve the first two items, set up the RXON accordingly and set the protection required flag in the transmit command when mac80211 requests protection for the frame. To achieve the last item, set the rate-control RTS-requested flag for all stations that we have aggregation sessions with, and set the protection required flag when sending aggregated frames (on those devices where this is required). Since otherwise bugs can occur, do not allow the user to override the RTS-for-aggregation setting from sysfs any more. Finally, also clean up the way all these flags get set in the driver and move everything into the device-specific functions. Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a5f18b1cca50987eb7773bb0be0d8730dfb10306 Author: Oliver Hartkopp Date: Tue Aug 3 00:31:48 2010 -0700 can-raw: Fix skb_orphan_try handling commit cff0d6e6edac7672b3f915bb4fb59f279243b7f9 upstream. Commit fc6055a5ba31e2c14e36e8939f9bf2b6d586a7f5 (net: Introduce skb_orphan_try()) allows an early orphan of the skb and takes care on tx timestamping, which needs the sk-reference in the skb on driver level. So does the can-raw socket, which has not been taken into account here. The patch below adds a 'prevent_sk_orphan' bit in the skb tx shared info, which fixes the problem discovered by Matthias Fuchs here: http://marc.info/?t=128030411900003&r=1&w=2 Even if it's not a primary tx timestamp topic it fits well into some skb shared tx context. Or should be find a different place for the information to protect the sk reference until it reaches the driver level? Signed-off-by: Oliver Hartkopp Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 59ea469c637e35604a6989a933b33883b1fcb0ab Author: John Stultz Date: Fri Aug 13 11:30:58 2010 -0700 time: Workaround gcc loop optimization that causes 64bit div errors commit c7dcf87a6881bf796faee83003163eb3de41a309 upstream. Early 4.3 versions of gcc apparently aggressively optimize the raw time accumulation loop, replacing it with a divide. On 32bit systems, this causes the following link errors: undefined reference to `__umoddi3' undefined reference to `__udivdi3' The gcc issue has been fixed in 4.4 and greater. This patch replaces the accumulation loop with a do_div, as suggested by Linus. Signed-off-by: John Stultz CC: Jason Wessel CC: Larry Finger CC: Ingo Molnar CC: Linus Torvalds Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0d3a7582aa527a5d0107039d24571faa57114bff Author: Jason Wessel Date: Mon Aug 9 14:20:09 2010 -0700 timekeeping: Fix overflow in rawtime tv_nsec on 32 bit archs commit deda2e81961e96be4f2c09328baca4710a2fd1a0 upstream. The tv_nsec is a long and when added to the shifted interval it can wrap and become negative which later causes looping problems in the getrawmonotonic(). The edge case occurs when the system has slept for a short period of time of ~2 seconds. A trace printk of the values in this patch illustrate the problem: ftrace time stamp: log 43.716079: logarithmic_accumulation: raw: 3d0913 tv_nsec d687faa 43.718513: logarithmic_accumulation: raw: 3d0913 tv_nsec da588bd 43.722161: logarithmic_accumulation: raw: 3d0913 tv_nsec de291d0 46.349925: logarithmic_accumulation: raw: 7a122600 tv_nsec e1f9ae3 46.349930: logarithmic_accumulation: raw: 1e848980 tv_nsec 8831c0e3 The kernel starts looping at 46.349925 in the getrawmonotonic() due to the negative value from adding the raw value to tv_nsec. A simple solution is to accumulate into a u64, and then normalize it to a timespec_t. Signed-off-by: Jason Wessel [ Reworked variable names and simplified some of the code. - John ] Signed-off-by: John Stultz Cc: Thomas Gleixner Cc: H. Peter Anvin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 516125a1d2ea63a87969c2b176c5350d49397ec0 Author: Jesse Barnes Date: Thu Jul 8 09:22:46 2010 -0700 drm/agp/i915: trim stolen space to 32M commit d1d6ca73ef548748e141747e7260798327d6a2c1 upstream. Some BIOSes will claim a large chunk of stolen space. Unless we reclaim it, our aperture for remapping buffer objects will be constrained. So clamp the stolen space to 32M and ignore the rest. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=15469 among others. Adding the ignored stolen memory back into the general pool using the memory hotplug code is left as an exercise for the reader. Signed-off-by: Jesse Barnes Reviewed-by: Simon Farnsworth Tested-by: Artem S. Tashkinov Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit e29eaa0cccca2718836a26dba04ba68e98e42a62 Author: Josh Hunt Date: Wed Aug 4 20:27:05 2010 -0400 oprofile: add support for Intel processor model 30 commit a7c55cbee0c1bae9bf5a15a08300e91d88706e45 upstream. Newer Intel processors identifying themselves as model 30 are not recognized by oprofile. model : 30 model name : Intel(R) Xeon(R) CPU X3470 @ 2.93GHz Running oprofile on these machines gives the following: + opcontrol --init + opcontrol --list-events oprofile: available events for CPU type "Intel Architectural Perfmon" See Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3B (Document 253669) Chapter 18 for architectural perfmon events This is a limited set of fallback events because oprofile doesn't know your CPU CPU_CLK_UNHALTED: (counter: all) Clock cycles when not halted (min count: 6000) INST_RETIRED: (counter: all) number of instructions retired (min count: 6000) LLC_MISSES: (counter: all) Last level cache demand requests from this core that missed the LLC (min count: 6000) Unit masks (default 0x41) ---------- 0x41: No unit mask LLC_REFS: (counter: all) Last level cache demand requests from this core (min count: 6000) Unit masks (default 0x4f) ---------- 0x4f: No unit mask BR_MISS_PRED_RETIRED: (counter: all) number of mispredicted branches retired (precise) (min count: 500) + opcontrol --shutdown Tested using oprofile 0.9.6. Signed-off-by: Josh Hunt Reviewed-by: Andi Kleen Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit fb862f23acf80ceddb345e6bb460eb5fe56eeace Author: John Villalovos Date: Fri May 7 12:41:40 2010 -0400 Oprofile: Change CPUIDS from decimal to hex, and add some comments commit 45c34e05c4e3d36e7c44e790241ea11a1d90d54e upstream. Back when the patch was submitted for "Add Xeon 7500 series support to oprofile", Robert Richter had asked for a followon patch that converted all the CPU ID values to hex. I have done that here for the "i386/core_i7" and "i386/atom" class processors in the ppro_init() function and also added some comments on where to find documentation on the Intel processors. Signed-off-by: John L. Villalovos Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 83b79480fa5471bf4627470eb85de21d6dcb3537 Author: Dan Carpenter Date: Thu Aug 5 22:23:23 2010 +0000 isdn: gigaset: add missing unlock commit 7e27a0aeb98d53539bdc38384eee899d6db62617 upstream. We should unlock here. This is the only place where we return from the function with the lock held. The caller isn't expecting it. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Tilman Schmidt Signed-off-by: Greg Kroah-Hartman commit 9a2faa7b3b4876d76345f4eb82032c3bbd8da259 Author: Tilman Schmidt Date: Mon Jul 5 14:19:14 2010 +0000 isdn/gigaset: reduce syslog spam commit 7d060ed2877ff6d00e7238226edbaf91493d6d0b upstream. Downgrade some error messages which occur frequently during normal operation to debug messages. Impact: logging Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1cfe75af2d0dd55aa30acbff82e37598d07c2763 Author: Marek Vasut Date: Thu Aug 12 03:53:55 2010 +0100 gen_nand: Test if nr_chips field is valid commit 01cd2ababddd55a127caa1cd20d570637e0d42e1 upstream. Signed-off-by: Marek Vasut Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit ea554ee37bcf4ad4f70b100287ffc84c2cf33066 Author: David Howells Date: Fri Aug 6 16:34:43 2010 +0100 Fix init ordering of /dev/console vs callers of modprobe commit 31d1d48e199e99077fb30f6fb9a793be7bec756f upstream. Make /dev/console get initialised before any initialisation routine that invokes modprobe because if modprobe fails, it's going to want to open /dev/console, presumably to write an error message to. The problem with that is that if the /dev/console driver is not yet initialised, the chardev handler will call request_module() to invoke modprobe, which will fail, because we never compile /dev/console as a module. This will lead to a modprobe loop, showing the following in the kernel log: request_module: runaway loop modprobe char-major-5-1 request_module: runaway loop modprobe char-major-5-1 request_module: runaway loop modprobe char-major-5-1 request_module: runaway loop modprobe char-major-5-1 request_module: runaway loop modprobe char-major-5-1 This can happen, for example, when the built in md5 module can't find the built in cryptomgr module (because the latter fails to initialise). The md5 module comes before the call to tty_init(), presumably because 'crypto' comes before 'drivers' alphabetically. Fix this by calling tty_init() from chrdev_init(). Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1cd65f87cbf31684d778155b31ea32384f8df5d1 Author: Changli Gao Date: Thu Jul 29 13:41:46 2010 +0000 act_nat: fix wild pointer [ Upstream commit 072d79a31a3b870b49886f4347e23f81b7eca3ac ] pskb_may_pull() may change skb pointers, so adjust icmph after pskb_may_pull(). Signed-off-by: Changli Gao Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1378008ccdfdfcedbd6503f00e52124bfce1e0f7 Author: Changli Gao Date: Sat Aug 7 20:35:43 2010 -0700 net: disable preemption before call smp_processor_id() [ Upstream commit cece1945bffcf1a823cdfa36669beae118419351 ] Although netif_rx() isn't expected to be called in process context with preemption enabled, it'd better handle this case. And this is why get_cpu() is used in the non-RPS #ifdef branch. If tree RCU is selected, rcu_read_lock() won't disable preemption, so preempt_disable() should be called explictly. Signed-off-by: Changli Gao Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 34793c34a78af4043f119c7fc332526d5b012fd0 Author: Jarek Poplawski Date: Tue Aug 10 22:31:02 2010 +0000 pkt_sched: Fix sch_sfq vs tc_modify_qdisc oops [ Upstream commit 41065fba846e795b31b17e4dec01cb904d56c6cd ] sch_sfq as a classful qdisc needs the .leaf handler. Otherwise, there is an oops possible in tc_modify_qdisc()/check_loop(). Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998 Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0ff3da3bc0827cbc60d9ef37ac26d72814125fa6 Author: Jarek Poplawski Date: Fri Aug 6 00:22:35 2010 +0000 pkt_sched: Fix sch_sfq vs tcf_bind_filter oops [ Upstream commit eb4a5527b1f0d581ac217c80ef3278ed5e38693c ] Since there was added ->tcf_chain() method without ->bind_tcf() to sch_sfq class options, there is oops when a filter is added with the classid parameter. Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998 netdev thread: null pointer at cls_api.c Signed-off-by: Jarek Poplawski Reported-by: Franchoze Eric Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4c0ef2f2c0ef4245486124b84ba0ec9a2b4b3899 Author: Jarek Poplawski Date: Wed Aug 11 02:02:10 2010 +0000 net: Fix a memmove bug in dev_gro_receive() [ Upstream commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 ] >Xin Xiaohui wrote: > I looked into the code dev_gro_receive(), found the code here: > if the frags[0] is pulled to 0, then the page will be released, > and memmove() frags left. > Is that right? I'm not sure if memmove do right or not, but > frags[0].size is never set after memove at least. what I think > a simple way is not to do anything if we found frags[0].size == 0. > The patch is as followed. ... This version of the patch fixes the bug directly in memmove. Reported-by: "Xin, Xiaohui" Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 525127bf8070a869857a66c1c5c6c5324bb335dc Author: Jarek Poplawski Date: Thu Aug 5 01:19:11 2010 +0000 net: Fix napi_gro_frags vs netpoll path [ Upstream commit ce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 ] The netpoll_rx_on() check in __napi_gro_receive() skips part of the "common" GRO_NORMAL path, especially "pull:" in dev_gro_receive(), where at least eth header should be copied for entirely paged skbs. Signed-off-by: Jarek Poplawski Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b46ddc15f90dca13564f9c2be6210d7d9fef014b Author: Dan Carpenter Date: Wed Aug 4 23:38:06 2010 +0000 isdn: fix information leak [ Upstream commit 4b030d4288a569d6bdeca884d7f102d951f097f2 ] The main motivation of this patch changing strcpy() to strlcpy(). We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at best the last byte has leaked information, or maybe there is an overflow? Anyway, this patch closes the information leaks by zeroing the memory and the calls to strlcpy() prevent overflows. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1a1b1d29b0d472da80f23fc58885dc2151b62b72 Author: Oliver Hartkopp Date: Wed Aug 11 16:12:35 2010 -0700 can: add limit for nframes and clean up signed/unsigned variables [ Upstream commit 5b75c4973ce779520b9d1e392483207d6f842cde ] This patch adds a limit for nframes as the number of frames in TX_SETUP and RX_SETUP are derived from a single byte multiplex value by default. Use-cases that would require to send/filter more than 256 CAN frames should be implemented in userspace for complexity reasons anyway. Additionally the assignments of unsigned values from userspace to signed values in kernelspace and vice versa are fixed by using unsigned values in kernelspace consistently. Signed-off-by: Oliver Hartkopp Reported-by: Ben Hawkes Acked-by: Urs Thuermann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 51a9e83a53f2b20be0611349180d5b125471a86a Author: Changli Gao Date: Thu Jul 29 14:04:18 2010 +0000 act_nat: the checksum of ICMP doesn't have pseudo header [ Upstream commit 3a3dfb062c2e086c202d34f09ce29634515ad256 ] after updating the value of the ICMP payload, inet_proto_csum_replace4() should be called with zero pseudohdr. Signed-off-by: Changli Gao Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1fa22dac6cea18fa4b4806427c7a895400f5b041 Author: Herbert Xu Date: Thu Jul 29 01:12:31 2010 +0000 bridge: Fix skb leak when multicast parsing fails on TX [ Upstream commit 6d1d1d398cb7db7a12c5d652d50f85355345234f ] On the bridge TX path we're leaking an skb when br_multicast_rcv returns an error. Reported-by: David Lamparter Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8eb6fff671bbe0ec4ae43f5356fe9029b3dfe984 Author: Dmitry Popov Date: Thu Jul 29 01:59:36 2010 +0000 tcp: cookie transactions setsockopt memory leak [ Upstream commit a3bdb549e30e7a263f7a589747c40e9c50110315 ] There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c), TCP_COOKIE_TRANSACTIONS case. In some cases (when tp->cookie_values == NULL) new tcp_cookie_values structure can be allocated (at cvp), but not bound to tp->cookie_values. So a memory leak occurs. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f49fd7f79a1e35fd2a322f1af4d7a9ce075d972b Author: Stephen Hemminger Date: Wed Aug 18 22:56:36 2010 -0700 bridge: add rcu_read_lock on transmit [ Upstream commit eeaf61d8891f9c9ed12c1a667e72bf83f0857954 ] Long ago, when bridge was converted to RCU, rcu lock was equivalent to having preempt disabled. RCU has changed a lot since then and bridge code was still assuming the since transmit was called with bottom half disabled, it was RCU safe. Signed-off-by: Stephen Hemminger Tested-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 922ab18b2778c82bc52acd43ab0e41b31847afc3 Author: David S. Miller Date: Sun Aug 15 00:26:14 2010 -0700 sparc: Really fix "console=" for serial consoles. [ Upstream commit 0a492896ac07336c98f37ad7fab4a6387b6ada78 ] If a video head and keyboard are hooked up, specifying "console=ttyS0" or similar to use a serial console will not work properly. The key issue is that we must register all serial console capable devices with register_console(), otherwise the command line specified device won't be found. The sun serial drivers would only register themselves as console devices if the OpenFirmware specified console device node matched. To fix this part we now unconditionally get the serial console register by setting serial_drv->cons always. Secondarily we must not add_preferred_console() using the firmware provided console setting if the user gaven an override on the kernel command line using "console=" The "primary framebuffer" matching logic was always triggering o n openfirmware device node match, make it not when a command line override was given. Reported-by: Frans Pop Tested-by: Frans Pop Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bbb0cf2f72e98162c7387123dd1f26938c8e1183 Author: David S. Miller Date: Wed Aug 18 14:47:23 2010 -0700 sparc64: Fix atomic64_t routine return values. [ Upstream commits 86fa04b8742ac681d470786f55e2403ada0075b2 and b10f997bb0f4e5b34d447f498fb85834a40d3acb ] Should return 'long' instead of 'int'. Thanks to Dimitris Michailidis and Tony Luck. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e214c09dc0c3a34b543cbcbacd712c5ba1a1d76c Author: David S. Miller Date: Tue Aug 17 17:09:53 2010 -0700 sparc64: Fix rwsem constant bug leading to hangs. [ Upstream commit ef201bebe5afc91a2b99b45dacc8c6dd88ca9e58 ] As noticed by Linus, it is critical that some of the rwsem constants be signed. Yet, hex constants are unsigned unless explicitly casted or negated. The most critical one is RWSEM_WAITING_BIAS. This bug was exacerbated by commit 424acaaeb3a3932d64a9b4bd59df6cf72c22d8f3 ("rwsem: wake queued readers when writer blocks on active read lock") Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ef0b95594718adf4de1e8fb8fa4bce18039a5577 Author: David S. Miller Date: Wed Aug 4 17:30:21 2010 -0700 sparc64: Add missing ID to parport probing code. [ Upstream commit bf8253bf5e7cfe17dd53e3f6340a45b11d9fb51c ] SunBlade-2500 has 'parallel' device node with compatible property "pnpALI,1533,3" so add that to the ID table. Reported-by: Mikael Pettersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5ef5852385892aa4d9331b5bc20962b87c91d562 Author: Carsten Otte Date: Fri Aug 6 18:19:22 2010 +0200 slab: fix object alignment commit 1ab335d8f85792e3b107ff8237d53cf64db714df upstream. This patch fixes alignment of slab objects in case CONFIG_DEBUG_PAGEALLOC is active. Before this spot in kmem_cache_create, we have this situation: - align contains the required alignment of the object - cachep->obj_offset is 0 or equals align in case of CONFIG_DEBUG_SLAB - size equals the size of the object, or object plus trailing redzone in case of CONFIG_DEBUG_SLAB This spot tries to fill one page per object if the object is in certain size limits, however setting obj_offset to PAGE_SIZE - size does break the object alignment since size may not be aligned with the required alignment. This patch simply adds an ALIGN(size, align) to the equation and fixes the object size detection accordingly. This code in drivers/s390/cio/qdio_setup_init has lead to incorrectly aligned slab objects (sizeof(struct qdio_q) equals 1792): qdio_q_cache = kmem_cache_create("qdio_q", sizeof(struct qdio_q), 256, 0, NULL); Acked-by: Christoph Lameter Signed-off-by: Carsten Otte Signed-off-by: Pekka Enberg Signed-off-by: Greg Kroah-Hartman commit 1f0a86afdf7fc4782c6d3bbd30f21cbce9b5b6f9 Author: H. Peter Anvin Date: Tue Jul 27 23:29:52 2010 -0700 x86, asm: Clean up and simplify set_64bit() commit 69309a05907546fb686b251d4ab041c26afe1e1d upstream. Clean up and simplify set_64bit(). This code is quite old (1.3.11) and contains a fair bit of auxilliary machinery that current versions of gcc handle just fine automatically. Worse, the auxilliary machinery can actually cause an unnecessary spill to memory. Furthermore, the loading of the old value inside the loop in the 32-bit case is unnecessary: if the value doesn't match, the CMPXCHG8B instruction will already have loaded the "new previous" value for us. Clean up the comment, too, and remove page references to obsolete versions of the Intel SDM. Signed-off-by: H. Peter Anvin LKML-Reference: Tested-by: Mark Stanovich Signed-off-by: Greg Kroah-Hartman commit 6bed99917d414371cd5342158b6ed514ee8fee45 Author: Linus Torvalds Date: Fri Aug 20 16:49:40 2010 -0700 mm: make stack guard page logic use vm_prev pointer commit 0e8e50e20c837eeec8323bba7dcd25fe5479194c upstream. Like the mlock() change previously, this makes the stack guard check code use vma->vm_prev to see what the mapping below the current stack is, rather than have to look it up with find_vma(). Also, accept an abutting stack segment, since that happens naturally if you split the stack with mlock or mprotect. Tested-by: Ian Campbell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e89cfc48a21fa83088e083fe6341ff803ab32f8e Author: Linus Torvalds Date: Fri Aug 20 16:39:25 2010 -0700 mm: make the mlock() stack guard page checks stricter commit 7798330ac8114c731cfab83e634c6ecedaa233d7 upstream. If we've split the stack vma, only the lowest one has the guard page. Now that we have a doubly linked list of vma's, checking this is trivial. Tested-by: Ian Campbell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f5981434834ad0373b8fc58deabf6493564ae42a Author: Linus Torvalds Date: Fri Aug 20 16:24:55 2010 -0700 mm: make the vma list be doubly linked commit 297c5eee372478fc32fec5fe8eed711eedb13f3d upstream. It's a really simple list, and several of the users want to go backwards in it to find the previous vma. So rather than have to look up the previous entry with 'find_vma_prev()' or something similar, just make it doubly linked instead. Tested-by: Ian Campbell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d97eabc0a58382629c2ed4f406259ad615fcbc88 Author: Kiyoshi Ueda Date: Thu Aug 12 04:13:55 2010 +0100 dm ioctl: release _hash_lock between devices in remove_all commit 98f332855effef02aeb738e4d62e9a5b903c52fd upstream. This patch changes dm_hash_remove_all() to release _hash_lock when removing a device. After removing the device, dm_hash_remove_all() takes _hash_lock and searches the hash from scratch again. This patch is a preparation for the next patch, which changes device deletion code to wait for md reference to be 0. Without this patch, the wait in the next patch may cause AB-BA deadlock: CPU0 CPU1 ----------------------------------------------------------------------- dm_hash_remove_all() down_write(_hash_lock) table_status() md = find_device() dm_get(md) holders> dm_get_live_or_inactive_table() dm_get_inactive_table() down_write(_hash_lock) holders to be 0> Signed-off-by: Kiyoshi Ueda Signed-off-by: Jun'ichi Nomura Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit c51ca7940efce22c43da532c6ff5b36c7cb3ea5e Author: Kiyoshi Ueda Date: Thu Aug 12 04:13:54 2010 +0100 dm: prevent access to md being deleted commit abdc568b0540bec6d3e0afebac496adef1189b77 upstream. This patch prevents access to mapped_device which is being deleted. Currently, even after a mapped_device has been removed from the hash, it could be accessed through idr_find() using minor number. That could cause a race and NULL pointer reference below: CPU0 CPU1 ------------------------------------------------------------------ dev_remove(param) down_write(_hash_lock) dm_lock_for_deletion(md) spin_lock(_minor_lock) set_bit(DMF_DELETING) spin_unlock(_minor_lock) __hash_remove(hc) up_write(_hash_lock) dev_status(param) md = find_device(param) down_read(_hash_lock) __find_device_hash_cell(param) dm_get_md(param->dev) md = dm_find_md(dev) spin_lock(_minor_lock) md = idr_find(MINOR(dev)) spin_unlock(_minor_lock) dm_put(md) free_dev(md) dm_get(md) up_read(_hash_lock) __dev_status(md, param) dm_put(md) This patch fixes such problems. Signed-off-by: Kiyoshi Ueda Signed-off-by: Jun'ichi Nomura Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit d59e0c5a9314ff7d6daf93c3aa680c549d267e46 Author: Mikulas Patocka Date: Thu Aug 12 04:13:51 2010 +0100 dm snapshot: test chunk size against both origin and snapshot commit c24110450650f17f7d3ba4fbe01f01ac5a115456 upstream. Validate chunk size against both origin and snapshot sector size Don't allow chunk size smaller than either origin or snapshot logical sector size. Reading or writing data not aligned to sector size is not allowed and causes immediate errors. This requires us to open the origin before initialising the exception store and to export dm_snap_origin. Signed-off-by: Mikulas Patocka Reviewed-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 72c7a360cd31bef331571fcca735adbeffb250d5 Author: Mikulas Patocka Date: Thu Aug 12 04:13:50 2010 +0100 dm snapshot: iterate origin and cow devices commit 1e5554c8428bc7209a83e2d07ca724be4d981ce3 upstream. Iterate both origin and snapshot devices iterate_devices method should call the callback for all the devices where the bio may be remapped. Thus, snapshot_iterate_devices should call the callback for both snapshot and origin underlying devices because it remaps some bios to the snapshot and some to the origin. snapshot_iterate_devices called the callback only for the origin device. This led to badly calculated device limits if snapshot and origin were placed on different types of disks. Signed-off-by: Mikulas Patocka Reviewed-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 4f2624fb7b37bf8d8b36bb01e2e86939ca049dbc Author: Chris Wilson Date: Sat Aug 7 11:01:36 2010 +0100 drm/i915/edp: Flush the write before waiting for PLLs commit 5ddb954b9ee50824977d2931e0ff58b3050b337d upstream. Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 8a8c25a716100dc9a50e5546fadf03e56588ee09 Author: Daniel Vetter Date: Wed Aug 4 21:22:10 2010 +0200 drm/i915: i8xx also doesn't like multiple oustanding pageflips commit 6146b3d61925116e3fecce36c2fd873665bd6614 upstream. My i855GM suffers from a 80k/s interrupt storm without this. So add 2nd gen to the list of things that don't like more than one outstanding pageflip request. Furthermore I've changed the busy loop into a ringbuffer wait. Busy-loops that don't check whether the chip died are simply evil. And performance should actually improve, because there's usually a decent amount of rendering queued on the gpu, hopefully rendering that MI_WAIT into a noop by the time it's executed. The current code holds dev->struct_mutex while executing this loop, hence stalling all other gem activity anyway. Signed-off-by: Daniel Vetter Reviewed-by: Jesse Barnes [anholt: resolved against conflict] Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit aa6b6a4b1b48e26b95af02eee80c8741eb2a4684 Author: Daniel Vetter Date: Wed Aug 4 21:22:09 2010 +0200 drm/i915: fixup pageflip ringbuffer commands for i8xx commit 69d0b96c095468526009cb3104eee561c9252a84 upstream. Add a new path for 2nd gen chips that uses the commands for i81x chips (where public docs do exist) augmented with the plane bits from i915. It seems to work and doesn't result in a black screen like before. Signed-off-by: Daniel Vetter [anholt: resolved against conflict] Reviewed-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 6eb22281116bd7eea73f63884b74b3c0aca0a5d3 Author: Stefani Seibold Date: Thu Aug 5 09:19:26 2010 +0200 mtd: change struct flchip_shared spinlock locking into mutex commit 8ae664184c45def51ff0b61d4bd6c6671db6cb4f upstream. This patch prevent to schedule while atomic by changing the flchip_shared spinlock into a mutex. This should be save since no atomic path will use this lock. It was suggested by Arnd Bergmann and Vasiliy Kulikov. Signed-off-by: Stefani Seibold Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 01be8ecc0e14a6c3478088f73cdaf2008d1dbdec Author: Tilman Sauerbeck Date: Fri Aug 20 14:01:47 2010 -0700 mtd: nand: Fix probe of Samsung NAND chips commit cfe3fdadb16162327773ef01a575a32000b8c7f4 upstream. Apparently, the check for a 6-byte ID string introduced by commit 426c457a3216fac74e3d44dd39729b0689f4c7ab ("mtd: nand: extend NAND flash detection to new MLC chips") is NOT sufficient to determine whether or not a Samsung chip uses their new MLC detection scheme or the old, standard scheme. This adds a condition to check cell type. Signed-off-by: Tilman Sauerbeck Signed-off-by: Brian Norris Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit e5c9bc34a675a7f9d88c63fd63815a531306a36e Author: Ondrej Zary Date: Thu Aug 19 14:13:25 2010 -0700 matroxfb: fix incorrect use of memcpy_toio() commit c81476df1b4241aefba4ff83a7701b3a926bd7ce upstream. Screen is completely corrupted since 2.6.34. Bisection revealed that it's caused by commit 6175ddf06b61720 ("x86: Clean up mem*io functions."). H. Peter Anvin explained that memcpy_toio() does not copy data in 32bit chunks anymore on x86. Signed-off-by: Ondrej Zary Cc: Brian Gerst Cc: H. Peter Anvin Cc: Petr Vandrovec Cc: Jean Delvare Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f50b2280832c249cdd0829e98be5b7eec8f55afc Author: Axel Lin Date: Mon Aug 16 16:09:09 2010 +0800 pxa3xx: fix ns2cycle equation commit 93b352fce679945845664b56b0c3afbd655a7a12 upstream. Test on a PXA310 platform with Samsung K9F2G08X0B NAND flash, with tCH=5 and clk is 156MHz, ns2cycle(5, 156000000) returns -1. ns2cycle returns negtive value will break NDTR0_tXX macros. After checking the commit log, I found the problem is introduced by commit 5b0d4d7c8a67c5ba3d35e6ceb0c5530cc6846db7 "[MTD] [NAND] pxa3xx: convert from ns to clock ticks more accurately" To get num of clock cycles, we use below equation: num of clock cycles = time (ns) / one clock cycle (ns) + 1 We need to add 1 cycle here because integer division will truncate the result. It is possible the developers set the Min values in SPEC for timing settings. Thus the truncate may cause problem, and it is safe to add an extra cycle here. The various fields in NDTR{01} are in units of clock ticks minus one, thus we should subtract 1 cycle then. Thus the correct equation should be: num of clock cycles = time (ns) / one clock cycle (ns) + 1 - 1 = time (ns) / one clock cycle (ns) Signed-off-by: Axel Lin Signed-off-by: Lei Wen Acked-by: Eric Miao Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 18626abccb42a19a3bd6693cd5c4904d594b6c69 Author: Maxim Levitsky Date: Fri Aug 13 11:27:28 2010 -0400 ath5k: disable ASPM L0s for all cards commit 6ccf15a1a76d2ff915cdef6ae4d12d0170087118 upstream. Atheros PCIe wireless cards handled by ath5k do require L0s disabled. For distributions shipping with CONFIG_PCIEASPM (this will be enabled by default in the future in 2.6.36) this will also mean both L1 and L0s will be disabled when a pre 1.1 PCIe device is detected. We do know L1 works correctly even for all ath5k pre 1.1 PCIe devices though but cannot currently undue the effect of a blacklist, for details you can read pcie_aspm_sanity_check() and see how it adjusts the device link capability. It may be possible in the future to implement some PCI API to allow drivers to override blacklists for pre 1.1 PCIe but for now it is best to accept that both L0s and L1 will be disabled completely for distributions shipping with CONFIG_PCIEASPM rather than having this issue present. Motivation for adding this new API will be to help with power consumption for some of these devices. Example of issues you'd see: - On the Acer Aspire One (AOA150, Atheros Communications Inc. AR5001 Wireless Network Adapter [168c:001c] (rev 01)) doesn't work well with ASPM enabled, the card will eventually stall on heavy traffic with often 'unsupported jumbo' warnings appearing. Disabling ASPM L0s in ath5k fixes these problems. - On the same card you would see a storm of RXORN interrupts even though medium is idle. Credit for root causing and fixing the bug goes to Jussi Kivilinna. Cc: David Quan Cc: Matthew Garrett Cc: Tim Gardner Cc: Jussi Kivilinna Signed-off-by: Luis R. Rodriguez Signed-off-by: Maxim Levitsky Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 31e682b1a760001e14a5965ee1a3b0c582fbf125 Author: Trond Myklebust Date: Wed Aug 18 09:25:42 2010 -0400 NFS: Fix an Oops in the NFSv4 atomic open code commit 0a377cff9428af2da2b293d11e07bc4dbf064ee5 upstream. Adam Lackorzynski reports: with 2.6.35.2 I'm getting this reproducible Oops: [ 110.825396] BUG: unable to handle kernel NULL pointer dereference at (null) [ 110.828638] IP: [] encode_attrs+0x1a/0x2a4 [ 110.828638] PGD be89f067 PUD bf18f067 PMD 0 [ 110.828638] Oops: 0000 [#1] SMP [ 110.828638] last sysfs file: /sys/class/net/lo/operstate [ 110.828638] CPU 2 [ 110.828638] Modules linked in: rtc_cmos rtc_core rtc_lib amd64_edac_mod i2c_amd756 edac_core i2c_core dm_mirror dm_region_hash dm_log dm_snapshot sg sr_mod usb_storage ohci_hcd mptspi tg3 mptscsih mptbase usbcore nls_base [last unloaded: scsi_wait_scan] [ 110.828638] [ 110.828638] Pid: 11264, comm: setchecksum Not tainted 2.6.35.2 #1 [ 110.828638] RIP: 0010:[] [] encode_attrs+0x1a/0x2a4 [ 110.828638] RSP: 0000:ffff88003bf5b878 EFLAGS: 00010296 [ 110.828638] RAX: ffff8800bddb48a8 RBX: ffff88003bf5bb18 RCX: 0000000000000000 [ 110.828638] RDX: ffff8800be258800 RSI: 0000000000000000 RDI: ffff88003bf5b9f8 [ 110.828638] RBP: 0000000000000000 R08: ffff8800bddb48a8 R09: 0000000000000004 [ 110.828638] R10: 0000000000000003 R11: ffff8800be779000 R12: ffff8800be258800 [ 110.828638] R13: ffff88003bf5b9f8 R14: ffff88003bf5bb20 R15: ffff8800be258800 [ 110.828638] FS: 0000000000000000(0000) GS:ffff880041e00000(0063) knlGS:00000000556bd6b0 [ 110.828638] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b [ 110.828638] CR2: 0000000000000000 CR3: 00000000be8ef000 CR4: 00000000000006e0 [ 110.828638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 110.828638] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 110.828638] Process setchecksum (pid: 11264, threadinfo ffff88003bf5a000, task ffff88003f232210) [ 110.828638] Stack: [ 110.828638] 0000000000000000 ffff8800bfbcf920 0000000000000000 0000000000000ffe [ 110.828638] <0> 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 110.828638] <0> 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 110.828638] Call Trace: [ 110.828638] [] ? nfs4_xdr_enc_setattr+0x90/0xb4 [ 110.828638] [] ? call_transmit+0x1c3/0x24a [ 110.828638] [] ? __rpc_execute+0x78/0x22a [ 110.828638] [] ? rpc_run_task+0x21/0x2b [ 110.828638] [] ? rpc_call_sync+0x3d/0x5d [ 110.828638] [] ? _nfs4_do_setattr+0x11b/0x147 [ 110.828638] [] ? nfs_init_locked+0x0/0x32 [ 110.828638] [] ? ifind+0x4e/0x90 [ 110.828638] [] ? nfs4_do_setattr+0x4b/0x6e [ 110.828638] [] ? nfs4_do_open+0x291/0x3a6 [ 110.828638] [] ? nfs4_open_revalidate+0x63/0x14a [ 110.828638] [] ? nfs_open_revalidate+0xd7/0x161 [ 110.828638] [] ? do_lookup+0x1a4/0x201 [ 110.828638] [] ? link_path_walk+0x6a/0x9d5 [ 110.828638] [] ? do_last+0x17b/0x58e [ 110.828638] [] ? do_filp_open+0x1bd/0x56e [ 110.828638] [] ? _atomic_dec_and_lock+0x30/0x48 [ 110.828638] [] ? dput+0x37/0x152 [ 110.828638] [] ? alloc_fd+0x69/0x10a [ 110.828638] [] ? do_sys_open+0x56/0x100 [ 110.828638] [] ? ia32_sysret+0x0/0x5 [ 110.828638] Code: 83 f1 01 e8 f5 ca ff ff 48 83 c4 50 5b 5d 41 5c c3 41 57 41 56 41 55 49 89 fd 41 54 49 89 d4 55 48 89 f5 53 48 81 ec 18 01 00 00 <8b> 06 89 c2 83 e2 08 83 fa 01 19 db 83 e3 f8 83 c3 18 a8 01 8d [ 110.828638] RIP [] encode_attrs+0x1a/0x2a4 [ 110.828638] RSP [ 110.828638] CR2: 0000000000000000 [ 112.840396] ---[ end trace 95282e83fd77358f ]--- We need to ensure that the O_EXCL flag is turned off if the user doesn't set O_CREAT. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 286ba0c3d1e5526a0d9600cec80f04d187465c2d Author: Patrick J. LoPresti Date: Tue Aug 10 17:28:01 2010 -0400 nfs: Add "lookupcache" to displayed mount options commit 9b00c64318cc337846a7a08a5678f5f19aeff188 upstream. Running "cat /proc/mounts" fails to display the "lookupcache" option. This oversight cost me a bunch of wasted time recently. The following simple patch fixes it. Signed-off-by: Patrick LoPresti Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit b97ef8ac88b78b67616fa6da71889ba836b6f568 Author: Rajkumar Manoharan Date: Wed Aug 11 20:27:43 2010 +0530 ath9k_htc: fix panic on packet injection using airbase-ng tool. commit da93f10684bfba2983a70c10b5d417232b6a5245 upstream. This should fix the oops which occurs during the packet injection on monitor interface. EIP is at ath9k_htc_tx_start+0x69/0x220 [ath9k_htc] [] ? invoke_tx_handlers+0xa5a/0xee0 [mac80211] [] ? ath9k_htc_tx+0x44/0xe0 [ath9k_htc] [] ? __ieee80211_tx+0xf8/0x190 [mac80211] [] ? ieee80211_tx+0x9d/0x1a0 [mac80211] [] ? ieee80211_xmit+0x9c/0x1c0 [mac80211] [] ? ieee80211_monitor_start_xmit+0x85/0xb0 [mac80211] [] ? dev_hard_start_xmit+0x1ad/0x210 [] ? __alloc_skb+0x52/0x130 [] ? sch_direct_xmit+0x105/0x170 [] ? dev_queue_xmit+0x37f/0x4b0 [] ? packet_snd+0x21e/0x250 [] ? packet_sendmsg+0x32/0x40 [] ? sock_aio_write+0x113/0x130 [] ? do_sync_write+0xc4/0x100 [] ? autoremove_wake_function+0x0/0x50 [] ? security_file_permission+0x14/0x20 [] ? rw_verify_area+0x64/0xe0 [] ? handle_mm_fault+0x338/0x390 [] ? vfs_write+0x185/0x1a0 [] ? do_page_fault+0x160/0x3a0 [] ? sys_write+0x42/0x70 [] ? syscall_call+0x7/0xb Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6a7aa7194ab55f59bb70ab6b09374b3dc993edea Author: Marek Vasut Date: Thu Aug 12 03:53:54 2010 +0100 BFIN: Fix gen_nand probe structures contents commit ef56609f9c7fdf5baa9d9f86f84a7bd8a717cd25 upstream. These two platforms didn't properly fill nr_chips in gen_nand registration and therefore depended on gen_nand bug fixed by by commit 81cbb0b17796d81cbd92defe113cf2a7c7a21fbb ("mtd: gen_nand: fix support for multiple chips") Signed-off-by: Marek Vasut Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 665de5aa85cd9a088f594733a4430d7faea92337 Author: Marek Vasut Date: Thu Aug 12 02:14:54 2010 +0100 ARM: Fix gen_nand probe structures contents commit ef077179a2909d3d0d3accf29ad1ea9ebb19019b upstream. These three platforms didn't properly fill nr_chips in gen_nand registration and therefore depended on gen_nand bug fixed by commit 81cbb0b17796d81cbd92defe113cf2a7c7a21fbb ("mtd: gen_nand: fix support for multiple chips") Signed-off-by: Marek Vasut Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 01d74006e1d39fa2a94fd6fde5c141f65d4069f3 Author: Russell King Date: Fri Aug 13 23:33:46 2010 +0100 ARM: Tighten check for allowable CPSR values commit 41e2e8fd34fff909a0e40129f6ac4233ecfa67a9 upstream. Reviewed-by: Arve Hjønnevåg Acked-by: Dima Zavin Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 9695add7c48adc64e21428116249c59950a660bb Author: Jean Delvare Date: Sat Aug 14 21:08:48 2010 +0200 hwmon: (pc87360) Fix device resource declaration commit b9783dcebe952bf73449fe70a19ee4814adc81a0 upstream. It's not OK to call platform_device_add_resources() multiple times in a row. Despite its name, this functions sets the resources, it doesn't add them. So we have to prepare an array with all the resources, and then call platform_device_add_resources() once. Before this fix, only the last I/O resource would be actually registered. The other I/O resources were leaked. Signed-off-by: Jean Delvare Cc: Jim Cromie Signed-off-by: Greg Kroah-Hartman commit 3770619e38c3ccdc38cf7635f5b958eca73ca284 Author: Dr. David Alan Gilbert Date: Mon Aug 2 09:43:52 2010 +1000 drm/radeon/kms: add missing copy from user commit d8ab35575098b2d6dc10b2535aeb40545933ae56 upstream. This hasn't mattered up until the ioctl started using the value, and it fell apart. fixes fd.o 29340, Ubuntu LP 606081 [airlied: cleaned up whitespace and don't need an error before pushing] Signed-off-by: Dr. David Alan Gilbert Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 03dc7fc1b97851c561f4ca5617921dbd870434a0 Author: Alex Deucher Date: Fri Aug 6 00:27:44 2010 -0400 drm/radeon/kms: add additional quirk for Acer rv620 laptop commit 9ea2c4be978d597076ddc6c550557de5d243cea8 upstream. HPD pins are reversed Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29387 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 53aaf5f20c73f7f35364aaefc01494b9cbe460b9 Author: Jiaju Zhang Date: Wed Jul 28 13:21:06 2010 +0800 Fix the nested PR lock calling issue in ACL commit 845b6cf34150100deb5f58c8a37a372b111f2918 upstream. Hi, Thanks a lot for all the review and comments so far;) I'd like to send the improved (V4) version of this patch. This patch fixes a deadlock in OCFS2 ACL. We found this bug in OCFS2 and Samba integration using scenario, the symptom is several smbd processes will be hung under heavy workload. Finally we found out it is the nested PR lock calling that leads to this deadlock: node1 node2 gr PR | V PR(EX)---> BAST:OCFS2_LOCK_BLOCKED | V rq PR | V wait=1 After requesting the 2nd PR lock, the process "smbd" went into D state. It can only be woken up when the 1st PR lock's RO holder equals zero. There should be an ocfs2_inode_unlock in the calling path later on, which can decrement the RO holder. But since it has been in uninterruptible sleep, the unlock function has no chance to be called. The related stack trace is: smbd D ffff8800013d0600 0 9522 5608 0x00000000 ffff88002ca7fb18 0000000000000282 ffff88002f964500 ffff88002ca7fa98 ffff8800013d0600 ffff88002ca7fae0 ffff88002f964340 ffff88002f964340 ffff88002ca7ffd8 ffff88002ca7ffd8 ffff88002f964340 ffff88002f964340 Call Trace: [] schedule_timeout+0x175/0x210 [] wait_for_common+0xf0/0x210 [] __ocfs2_cluster_lock+0x3b9/0xa90 [ocfs2] [] ocfs2_inode_lock_full_nested+0x255/0xdb0 [ocfs2] [] ocfs2_get_acl+0x69/0x120 [ocfs2] [] ocfs2_check_acl+0x28/0x80 [ocfs2] [] acl_permission_check+0x57/0xb0 [] generic_permission+0x1d/0xc0 [] ocfs2_permission+0x10a/0x1d0 [ocfs2] [] inode_permission+0x45/0x100 [] sys_chdir+0x53/0x90 [] system_call_fastpath+0x16/0x1b [<00007f34a4ef6927>] 0x7f34a4ef6927 For details, please see: https://bugzilla.novell.com/show_bug.cgi?id=614332 and http://oss.oracle.com/bugzilla/show_bug.cgi?id=1278 Signed-off-by: Jiaju Zhang Acked-by: Mark Fasheh Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 236550e70368f7fb5f854d5a59aa16e13f169a06 Author: Daniel Kiper Date: Fri Aug 20 00:46:16 2010 +0200 x86, apic: Fix apic=debug boot crash commit 05e407603e527f9d808dd3866d3a17c2ce4dfcc5 upstream. Fix a boot crash when apic=debug is used and the APIC is not properly initialized. This issue appears during Xen Dom0 kernel boot but the fix is generic and the crash could occur on real hardware as well. Signed-off-by: Daniel Kiper Cc: xen-devel@lists.xensource.com Cc: konrad.wilk@oracle.com Cc: jeremy@goop.org LKML-Reference: <20100819224616.GB9967@router-fw-old.local.net-space.pl> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 05a939449fc6998700eb5264feee9206a6d6e6f6 Author: Zhang, Yanmin Date: Fri Aug 6 13:39:08 2010 +0800 perf, x86: Fix Intel-nhm PMU programming errata workaround commit 351af0725e5222e35741011d1ea62215c1ed06db upstream. Fix the Errata AAK100/AAP53/BD53 workaround, the officialy documented workaround we implemented in: 11164cd: perf, x86: Add Nehelem PMU programming errata workaround doesn't actually work fully and causes a stuck PMU state under load and non-functioning perf profiling. A functional workaround was found by trial & error. Affects all Nehalem-class Intel PMUs. Signed-off-by: Zhang Yanmin Signed-off-by: Peter Zijlstra LKML-Reference: <1281073148.2125.63.camel@ymzhang.sh.intel.com> Cc: Arjan van de Ven Cc: "H. Peter Anvin" Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 6105020a90881ab1916a632532948255c9d28a8f Author: Borislav Petkov Date: Thu Aug 19 20:10:29 2010 +0200 x86, hotplug: Serialize CPU hotplug to avoid bringup concurrency issues commit d7c53c9e822a4fefa13a0cae76f3190bfd0d5c11 upstream. When testing cpu hotplug code on 32-bit we kept hitting the "CPU%d: Stuck ??" message due to multiple cores concurrently accessing the cpu_callin_mask, among others. Since these codepaths are not protected from concurrent access due to the fact that there's no sane reason for making an already complex code unnecessarily more complex - we hit the issue only when insanely switching cores off- and online - serialize hotplugging cores on the sysfs level and be done with it. [ v2.1: fix !HOTPLUG_CPU build ] Signed-off-by: Borislav Petkov LKML-Reference: <20100819181029.GC17171@aftab> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 7e817098c960644260d1142d6bae7ae7ee8070fe Author: Victor van den Elzen Date: Sun Aug 15 01:19:33 2010 +0200 platform/x86: move rfkill for Dell Mini 1012 to compal-laptop commit c3f755e3842108c1cffe570fe9802239810352b6 upstream. Like others in the Mini series, the Dell Mini 1012 does not support the smbios hook required by dell-laptop. Signed-off-by: Victor van den Elzen Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit 7811db7b800fea7a8d85045445d12a6ab639f806 Author: Eric W. Biederman Date: Wed Aug 4 13:30:27 2010 -0700 x86, apic: Map the local apic when parsing the MP table. commit 5989cd6a1cbf86587edcc856791f960978087311 upstream. This fixes a regression in 2.6.35 from 2.6.34, that is present for select models of Intel cpus when people are using an MP table. The commit cf7500c0ea133d66f8449d86392d83f840102632 "x86, ioapic: In mpparse use mp_register_ioapic" started calling mp_register_ioapic from MP_ioapic_info. An extremely simple change that was obviously correct. Unfortunately mp_register_ioapic did just a little more than the previous hand crafted code and so we gained this call path. The problem call path is: MP_ioapic_info() mp_register_ioapic() io_apic_unique_id() io_apic_get_unique_id() get_physical_broadcast() modern_apic() lapic_get_version() apic_read(APIC_LVR) Which turned out to be a problem because the local apic was not mapped, at that point, unlike the similar point in the ACPI parsing code. This problem is fixed by mapping the local apic when parsing the mptable as soon as we reasonably can. Looking at the number of places we setup the fixmap for the local apic, I see some serious simplification opportunities. For the moment except for not duplicating the setting up of the fixmap in init_apic_mappings, I have not acted on them. The regression from 2.6.34 is tracked in bug https://bugzilla.kernel.org/show_bug.cgi?id=16173 Reported-by: David Hill Reported-by: Tvrtko Ursulin Tested-by: Tvrtko Ursulin Signed-off-by: Eric W. Biederman LKML-Reference: Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit e77930c78bd9dde017a80f87e2a89d670be19202 Author: Cyrill Gorcunov Date: Thu Aug 5 19:09:17 2010 +0400 perf, x86: P4 PMU -- update nmi irq statistics and unmask lvt entry properly commit 1c250d709fdc8aa5bf42d90be99428a01a256a55 upstream. In case if last active performance counter is not overflowed at moment of NMI being triggered by another counter, the irq statistics may miss an update stage. As a more serious consequence -- apic quirk may not be triggered so apic lvt entry stay masked. Tested-by: Lin Ming Signed-off-by: Cyrill Gorcunov Cc: Stephane Eranian Cc: Peter Zijlstra Cc: Frederic Weisbecker LKML-Reference: <20100805150917.GA6311@lenovo> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit edda4cb2d00bfb83759f475ff9b228953ea82cf2 Author: Luca Barbieri Date: Fri Aug 6 04:04:38 2010 +0200 x86, asm: Refactor atomic64_386_32.S to support old binutils and be cleaner commit 30246557a06bb20618bed906a06d1e1e0faa8bb4 upstream. The old code didn't work on binutils 2.12 because setting a symbol to a register apparently requires a fairly recent version. This commit refactors the code to use the C preprocessor instead, and in the process makes the whole code a bit easier to understand. The object code produced is unchanged as expected. This fixes kernel bugzilla 16506. Reported-by: Dieter Stussy Signed-off-by: Luca Barbieri Signed-off-by: H. Peter Anvin LKML-Reference: Signed-off-by: Greg Kroah-Hartman commit 57001f2240b0cba6ec95f460da34c0e81f52b4c2 Author: Johannes Berg Date: Mon Aug 9 15:52:03 2010 +0200 cfg80211: fix locking in action frame TX commit fe100acddf438591ecf3582cb57241e560da70b7 upstream. Accesses to "wdev->current_bss" must be locked with the wdev lock, which action frame transmission is missing. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 19d3c4671fabe2b80e6d449f88dd1822b6be66da Author: Huang Ying Date: Wed Jul 28 14:14:01 2010 +0800 tracing: Fix ring_buffer_read_page reading out of page boundary commit 18fab912d4fa70133df164d2dcf3310be0c38c34 upstream. With the configuration: CONFIG_DEBUG_PAGEALLOC=y and Shaohua's patch: [PATCH]x86: make spurious_fault check correct pte bit Function call graph trace with the following will trigger a page fault. # cd /sys/kernel/debug/tracing/ # echo function_graph > current_tracer # cat per_cpu/cpu1/trace_pipe_raw > /dev/null BUG: unable to handle kernel paging request at ffff880006e99000 IP: [] rb_event_length+0x1/0x3f PGD 1b19063 PUD 1b1d063 PMD 3f067 PTE 6e99160 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC last sysfs file: /sys/devices/virtual/net/lo/operstate CPU 1 Modules linked in: Pid: 1982, comm: cat Not tainted 2.6.35-rc6-aes+ #300 /Bochs RIP: 0010:[] [] rb_event_length+0x1/0x3f RSP: 0018:ffff880006475e38 EFLAGS: 00010006 RAX: 0000000000000ff0 RBX: ffff88000786c630 RCX: 000000000000001d RDX: ffff880006e98000 RSI: 0000000000000ff0 RDI: ffff880006e99000 RBP: ffff880006475eb8 R08: 000000145d7008bd R09: 0000000000000000 R10: 0000000000008000 R11: ffffffff815d9336 R12: ffff880006d08000 R13: ffff880006e605d8 R14: 0000000000000000 R15: 0000000000000018 FS: 00007f2b83e456f0(0000) GS:ffff880002100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff880006e99000 CR3: 00000000064a8000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process cat (pid: 1982, threadinfo ffff880006474000, task ffff880006e40770) Stack: ffff880006475eb8 ffffffff8108730f 0000000000000ff0 000000145d7008bd <0> ffff880006e98010 ffff880006d08010 0000000000000296 ffff88000786c640 <0> ffffffff81002956 0000000000000000 ffff8800071f4680 ffff8800071f4680 Call Trace: [] ? ring_buffer_read_page+0x15a/0x24a [] ? return_to_handler+0x15/0x2f [] tracing_buffers_read+0xb9/0x164 [] vfs_read+0xaf/0x150 [] return_to_handler+0x0/0x2f [] __bad_area_nosemaphore+0x17e/0x1a1 [] return_to_handler+0x0/0x2f [] bad_area_nosemaphore+0x13/0x15 Code: 80 25 b2 16 b3 00 fe c9 c3 55 48 89 e5 f0 80 0d a4 16 b3 00 02 c9 c3 55 31 c0 48 89 e5 48 83 3d 94 16 b3 00 01 c9 0f 94 c0 c3 55 <8a> 0f 48 89 e5 83 e1 1f b8 08 00 00 00 0f b6 d1 83 fa 1e 74 27 RIP [] rb_event_length+0x1/0x3f RSP CR2: ffff880006e99000 ---[ end trace a6877bb92ccb36bb ]--- The root cause is that ring_buffer_read_page() may read out of page boundary, because the boundary checking is done after reading. This is fixed via doing boundary checking before reading. Reported-by: Shaohua Li Signed-off-by: Huang Ying LKML-Reference: <1280297641.2771.307.camel@yhuang-dev> Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit ee384c27819972c620c2eec0545b9f1472cbe0ab Author: Shaohua Li Date: Tue Jul 27 16:06:34 2010 +0800 tracing: Fix an unallocated memory access in function_graph commit 575570f02761bd680ba5731c1dfd4701062e7fb2 upstream. With CONFIG_DEBUG_PAGEALLOC, I observed an unallocated memory access in function_graph trace. It appears we find a small size entry in ring buffer, but we access it as a big size entry. The access overflows the page size and touches an unallocated page. Signed-off-by: Shaohua Li LKML-Reference: <1280217994.32400.76.camel@sli10-desk.sh.intel.com> [ Added a comment to explain the problem - SDR ] Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 3ab47fa1a288f370ced9e9575655151df20c04fc Author: Ryusuke Konishi Date: Fri Aug 13 12:42:24 2010 +0900 nilfs2: fix list corruption after ifile creation failure commit af4e36318edb848fcc0a8d5f75000ca00cdc7595 upstream. If nilfs_attach_checkpoint() gets a memory allocation failure during creation of ifile, it will return without removing nilfs_sb_info struct from ns_supers list. When a concurrently mounted snapshot is unmounted or another new snapshot is mounted after that, this causes kernel oops as below: > BUG: unable to handle kernel NULL pointer dereference at (null) > IP: [] nilfs_find_sbinfo+0x74/0xa4 [nilfs2] > *pde = 00000000 > Oops: 0000 [#1] SMP > Call Trace: > [] ? nilfs_get_sb+0x165/0x532 [nilfs2] > [] ? ida_get_new_above+0x16d/0x187 > [] ? alloc_vfsmnt+0x7e/0x10a > [] ? kstrdup+0x2c/0x40 > [] ? vfs_kern_mount+0x96/0x14e > [] ? do_kern_mount+0x32/0xbd > [] ? do_mount+0x642/0x6a1 > [] ? do_page_fault+0x0/0x2d1 > [] ? copy_mount_options+0x80/0xe2 > [] ? strndup_user+0x48/0x67 > [] ? sys_mount+0x61/0x90 > [] ? sysenter_do_call+0x12/0x22 This fixes the problem. Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit 208348a42d2c5027b66e49d78ddc0548bd0193f2 Author: Yuri Kululin Date: Fri Aug 13 13:46:12 2010 +0400 wl1251: fix trigger scan timeout usage commit fe0dbcc9d2e941328b3269dab102b94ad697ade5 upstream. Use appropriate command (CMD_TRIGGER_SCAN_TO) instead of scan command (CMD_SCAN) to configure trigger scan timeout. This was broken in commit 3a98c30f3e8bb1f32b5bcb74a39647b3670de275. This fix address the bug reported here: https://bugzilla.kernel.org/show_bug.cgi?id=16554 Signed-off-by: Yuri Ershov Signed-off-by: Yuri Kululin Acked-by: Kalle Valo Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7b5b07e30b8341d54c1f311772c9183eaa1cfa7a Author: Wengang Wang Date: Fri Jul 30 23:18:00 2010 +0800 ocfs2/dlm: remove potential deadlock -V3 commit b11f1f1ab73fd358b1b734a9427744802202ba68 upstream. When we need to take both dlm_domain_lock and dlm->spinlock, we should take them in order of: dlm_domain_lock then dlm->spinlock. There is pathes disobey this order. That is calling dlm_lockres_put() with dlm->spinlock held in dlm_run_purge_list. dlm_lockres_put() calls dlm_put() at the ref and dlm_put() locks on dlm_domain_lock. Fix: Don't grab/put the dlm when the initialising/releasing lockres. That grab is not required because we don't call dlm_unregister_domain() based on refcount. Signed-off-by: Wengang Wang Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit d79caba7b9f51221576fb4afe7dc0e165bdd0485 Author: Wengang Wang Date: Fri Jul 30 16:14:44 2010 +0800 ocfs2/dlm: avoid incorrect bit set in refmap on recovery master commit a524812b7eaa7783d7811198921100f079034e61 upstream. In the following situation, there remains an incorrect bit in refmap on the recovery master. Finally the recovery master will fail at purging the lockres due to the incorrect bit in refmap. 1) node A has no interest on lockres A any longer, so it is purging it. 2) the owner of lockres A is node B, so node A is sending de-ref message to node B. 3) at this time, node B crashed. node C becomes the recovery master. it recovers lockres A(because the master is the dead node B). 4) node A migrated lockres A to node C with a refbit there. 5) node A failed to send de-ref message to node B because it crashed. The failure is ignored. no other action is done for lockres A any more. For mormal, re-send the deref message to it to recovery master can fix it. Well, ignoring the failure of deref to the original master and not recovering the lockres to recovery master has the same effect. And the later is simpler. Signed-off-by: Wengang Wang Acked-by: Srinivas Eeda Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 6d4ff3b0d4438f1d3707720299c32aa7715a4317 Author: Tao Ma Date: Thu Jul 22 13:56:45 2010 +0800 ocfs2: Count more refcount records in file system fragmentation. commit 8a2e70c40ff58f82dde67770e6623ca45f0cb0c8 upstream. The refcount record calculation in ocfs2_calc_refcount_meta_credits is too optimistic that we can always allocate contiguous clusters and handle an already existed refcount rec as a whole. Actually because of file system fragmentation, we may have the chance to split a refcount record into 3 parts during the transaction. So consider the worst case in record calculation. Signed-off-by: Tao Ma Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit caee59ec914e90b06df487fc348fe4780d3c7a34 Author: Srinivas Eeda Date: Mon Jul 19 16:04:12 2010 -0700 ocfs2 fix o2dlm dlm run purgelist (rev 3) commit 7beaf243787f85a2ef9213ccf13ab4a243283fde upstream. This patch fixes two problems in dlm_run_purgelist 1. If a lockres is found to be in use, dlm_run_purgelist keeps trying to purge the same lockres instead of trying the next lockres. 2. When a lockres is found unused, dlm_run_purgelist releases lockres spinlock before setting DLM_LOCK_RES_DROPPING_REF and calls dlm_purge_lockres. spinlock is reacquired but in this window lockres can get reused. This leads to BUG. This patch modifies dlm_run_purgelist to skip lockres if it's in use and purge next lockres. It also sets DLM_LOCK_RES_DROPPING_REF before releasing the lockres spinlock protecting it from getting reused. Signed-off-by: Srinivas Eeda Acked-by: Sunil Mushran Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 3730039f40020c1f8d1d94752ecbd1375cf705f9 Author: Wengang Wang Date: Fri Jul 16 23:13:33 2010 +0800 ocfs2/dlm: fix a dead lock commit 6d98c3ccb52f692f1a60339dde7c700686a5568b upstream. When we have to take both dlm->master_lock and lockres->spinlock, take them in order lockres->spinlock and then dlm->master_lock. The patch fixes a violation of the rule. We can simply move taking dlm->master_lock to where we have dropped res->spinlock since when we access res->state and free mle memory we don't need master_lock's protection. Signed-off-by: Wengang Wang Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 15ddf0fc153f54ed7c8432a18fa1ecde1a32d4bc Author: Tiger Yang Date: Fri Jul 16 11:21:23 2010 +0800 ocfs2: do not overwrite error codes in ocfs2_init_acl commit 6eda3dd33f8a0ce58ee56a11351758643a698db4 upstream. Setting the acl while creating a new inode depends on the error codes of posix_acl_create_masq. This patch fix a issue of overwriting the error codes of it. Reported-by: Pawel Zawora Signed-off-by: Tiger Yang Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 94c25715de36c1e1a89f69dbd3b05a0493e77c1f Author: Takashi Iwai Date: Mon Aug 16 10:15:57 2010 +0200 ALSA: hda - Add quirk for Dell Vostro 1220 commit c3e68fad88143fd1fe8fe640207fb19c0f087dbc upstream. model=dell-vostro is needed for Dell Vostro 1220 with Coexnat 5067. Reference: Novell bnc#631066 https://bugzilla.novell.com/show_bug.cgi?id=631066 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a41c86f225443e29e9d7fb38731eee2873854aab Author: Jonathan Woithe Date: Sun Aug 8 00:17:05 2010 +0930 ALSA: hda - Fix missing stream for second ADC on Realtek ALC260 HDA codec commit 53bacfbbb2ddd981287b58a511c8b8f5df179886 upstream. I discovered tonight that ALSA no longer sets up a stream for the second ADC provided by the Realtek ALC260 HDA codec. At some point alc_build_pcms() started using stream_analog_alt_capture when constructing the second ADC stream, but patch_alc260() was never updated accordingly. I have no idea when this regression occurred. The trivial patch to patch_alc260() given below fixes the problem as far as I can tell. The patch is against 2.6.35. Signed-off-by: Jonathan Woithe Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2f10b29273e6a54a870cd9c6cbaf7bd5326cb547 Author: Jaroslav Kysela Date: Wed Aug 18 14:08:17 2010 +0200 ALSA: emu10k1 - delay the PCM interrupts (add pcm_irq_delay parameter) commit 56385a12d9bb9e173751f74b6c430742018cafc0 upstream. With some hardware combinations, the PCM interrupts are acknowledged before the period boundary from the emu10k1 chip. The midlevel PCM code gets confused and the playback stream is interrupted. It seems that the interrupt processing shift by 2 samples is enough to fix this issue. This default value does not harm other, non-affected hardware. More information: Kernel bugzilla bug#16300 [A copmile warning fixed by tiwai] Signed-off-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6c877dfbe9b81983e254bdd6aa8854fb2a288604 Author: Takashi Iwai Date: Mon Aug 16 08:08:48 2010 +0200 ALSA: riptide - Fix detection / load of firmware files commit a5ba6beb839cfa288960c92cd2668a2601c24dda upstream. The detection and loading of firmeware on riptide driver has been broken due to rewrite of some codes, checking the presense wrongly. This patch fixes the logic again. Reference: kernel bug 16596 https://bugzilla.kernel.org/show_bug.cgi?id=16596 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4e354ad43ae9c3b9e634cdfcb8d0920cd7278afd Author: Joonyoung Shim Date: Fri Aug 6 15:48:24 2010 +0100 regulator: Default GPIO controlled WM8994 regulators to disabled commit c4604e49c1a5832a58789a22eba7ca982933e1be upstream. This ensures that if the GPIO was not enabled prior to the driver starting the regulator API will insert the required powerup ramp delay when it enables the regulator. The gpiolib API does not provide this information. [Rewrote changelog to describe the actual change -- broonie.] Signed-off-by: Joonyoung Shim Signed-off-by: Mark Brown Signed-off-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit a4e5c5d32bedabd04a246892d5f4422322591191 Author: Cliff Cai Date: Sat Aug 7 11:16:27 2010 -0400 ASoC: register cache should be 1 byte aligned for 1 byte long register commit ac770267a7cd85a747b6111db46f66d1515e7cd7 upstream. Signed-off-by: Cliff Cai Signed-off-by: Mike Frysinger Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit f62010c99c29bf3ebe9f2d643d055445222cb03c Author: Mark Brown Date: Mon Aug 16 11:46:57 2010 +0100 ASoC: Remove DSP mode support for WM8776 commit b2c1e07b81a126e5846dfc3d36f559d861df59f4 upstream. This is not supported by current hardware revisions. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 1360aa27ce9d429494559a85375392729317123e Author: Mark Brown Date: Fri Aug 6 17:57:12 2010 +0100 ASoC: Fix inverted mute controls for WM8580 commit 4f0ed9a51bc8ef16c2589112fdb110479e4b0df1 upstream. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit d3ad3eb081014cb4baf2b87f394bc3ec4779ef16 Author: Thomas Gleixner Date: Wed Aug 11 14:17:29 2010 -0700 acpi: fix bogus preemption logic commit 0a7992c90828a65281c3c9cf180be3b432d277b2 upstream. The ACPI_PREEMPTION_POINT() logic was introduced in commit 8bd108d (ACPICA: add preemption point after each opcode parse). The follow up commits abe1dfab6, 138d15692, c084ca70 tried to fix the preemption logic back and forth, but nobody noticed that the usage of in_atomic_preempt_off() in that context is wrong. The check which guards the call of cond_resched() is: if (!in_atomic_preempt_off() && !irqs_disabled()) in_atomic_preempt_off() is not intended for general use as the comment above the macro definition clearly says: * Check whether we were atomic before we did preempt_disable(): * (used by the scheduler, *after* releasing the kernel lock) On a CONFIG_PREEMPT=n kernel the usage of in_atomic_preempt_off() works by accident, but with CONFIG_PREEMPT=y it's just broken. The whole purpose of the ACPI_PREEMPTION_POINT() is to reduce the latency on a CONFIG_PREEMPT=n kernel, so make ACPI_PREEMPTION_POINT() depend on CONFIG_PREEMPT=n and remove the in_atomic_preempt_off() check. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16210 [akpm@linux-foundation.org: fix build] Signed-off-by: Thomas Gleixner Cc: Len Brown Cc: Francois Valenduc Cc: Lin Ming Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e9eee0b456fee111f5d6def1e562dd17e39f2b65 Author: Maxim Levitsky Date: Wed Aug 11 14:17:52 2010 -0700 memstick: fix hangs on unexpected device removal in mspro_blk commit d862b13bc8cbab9692fbe0ef44c40d0488b81af1 upstream. mspro_block_remove() is called from detect thread that first calls the mspro_block_stop(), which stops the request queue. If we call del_gendisk() with the queue stopped we get a deadlock. Signed-off-by: Maxim Levitsky Cc: Alex Dubov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit da6827e8b0e9b7c43b25396017a5198040cbc2f6 Author: Maxim Levitsky Date: Wed Aug 11 14:17:52 2010 -0700 memstick: init sysfs attributes commit 21fd0495ea61d53e0ebe575330e343ce4e6d2a61 upstream. Otherwise lockdep complains. Signed-off-by: Maxim Levitsky Cc: Alex Dubov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman