commit f16e6e4df8ec41328d7e0841bc17f2a587eb2c67
Author: Greg Kroah-Hartman
Date:   Thu Oct 28 21:52:43 2010 -0700

    Linux 2.6.35.8

commit 5daf133f0fb96925541cb5bf82317793a75c19f9
Author: Stefan Bader
Date:   Tue Aug 31 15:52:27 2010 +0200

    mm: Move vma_stack_continue into mm.h

    commit 39aa3cb3e8250db9188a6f1e3fb62ffa1a717678 upstream.

    So it can be used by all that need to check for that.

    Signed-off-by: Stefan Bader
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e4037861387fe89ac082e8cf092b6a7bada09cb5
Author: Roland McGrath
Date:   Tue Sep 7 19:37:06 2010 -0700

    execve: make responsive to SIGKILL with large arguments

    commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream.

    An execve with a very large total of argument/environment strings can take a really long time in the execve system call. It runs uninterruptibly to count and copy all the strings. This change makes it abort the exec quickly if sent a SIGKILL.

    Note that this is the conservative change, to interrupt only for SIGKILL, by using fatal_signal_pending(). It would be perfectly correct semantics to let any signal interrupt the string-copying in execve, i.e. use signal_pending() instead of fatal_signal_pending(). We'll save that change for later, since it could have user-visible consequences, such as having a timer set too quickly make it so that an execve can never complete, though it always happened to work before.

    Signed-off-by: Roland McGrath
    Reviewed-by: KOSAKI Motohiro
    Cc: Chuck Ebbert
    Signed-off-by: Linus Torvalds

commit c7d3b6415c472deae3fab07d06239abba9070c93
Author: Roland McGrath
Date:   Tue Sep 7 19:36:28 2010 -0700

    execve: improve interactivity with large arguments

    commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream.

    This adds a preemption point during the copying of the argument and environment strings for execve, in copy_strings(). There is already a preemption point in the count() loop, so this doesn't add any new points in the abstract sense.

    When the total argument+environment strings are very large, the time spent copying them can be much more than a normal user time slice. So this change improves the interactivity of the rest of the system when one process is doing an execve with very large arguments.

    Signed-off-by: Roland McGrath
    Reviewed-by: KOSAKI Motohiro
    Signed-off-by: Linus Torvalds
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit a376eaa89e3931a4088deb6ef5d94569688efec0
Author: Roland McGrath
Date:   Tue Sep 7 19:35:49 2010 -0700

    setup_arg_pages: diagnose excessive argument size

    commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream.

    The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not check the size of the argument/environment area on the stack. When it is unworkably large, shift_arg_pages() hits its BUG_ON. This is exploitable with a very large RLIMIT_STACK limit, to create a crash pretty easily.

    Check that the initial stack is not too large to make it possible to map in any executable. We're not checking that the actual executable (or interpreter, for binfmt_elf) will fit. So those mappings might clobber part of the initial stack mapping. But that is just userland lossage that userland made happen, not a kernel problem.

    Signed-off-by: Roland McGrath
    Reviewed-by: KOSAKI Motohiro
    Signed-off-by: Linus Torvalds
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 39f477027fc8ed0115b2c73ec2a3d53f33e0d35e
Author: Hugh Dickins
Date:   Tue Aug 24 22:44:12 2010 -0700

    x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline

    commit b7d460897739e02f186425b7276e3fdb1595cea7 upstream.

    rc2 kernel crashes when booting second cpu on this CONFIG_VMSPLIT_2G_OPT laptop: whereas cloning from kernel to low mappings pgd range does need to limit by both KERNEL_PGD_PTRS and KERNEL_PGD_BOUNDARY, cloning kernel pgd range itself must not be limited by the smaller KERNEL_PGD_BOUNDARY.

    Signed-off-by: Hugh Dickins
    LKML-Reference:
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit d521d5c586bf14422927a3574d921b0f4af19023
Author: H. Peter Anvin
Date:   Wed Aug 18 11:42:23 2010 -0700

    x86-32: Fix dummy trampoline-related inline stubs

    commit 8848a91068c018bc91f597038a0f41462a0f88a4 upstream.

    Fix dummy inline stubs for trampoline-related functions when no trampolines exist (until we get rid of the no-trampoline case entirely.)

    Signed-off-by: H. Peter Anvin
    Cc: Joerg Roedel
    Cc: Borislav Petkov
    LKML-Reference: <4C6C294D.3030404@zytor.com>
    Signed-off-by: Greg Kroah-Hartman

commit ba8f2de53b32dc1f13b60dab2f9fee563e5c73bd
Author: Joerg Roedel
Date:   Mon Aug 16 14:38:33 2010 +0200

    x86-32: Separate 1:1 pagetables from swapper_pg_dir

    commit fd89a137924e0710078c3ae855e7cec1c43cb845 upstream.

    This patch fixes machine crashes which occur when heavily exercising the CPU hotplug codepaths on a 32-bit kernel. These crashes are caused by AMD Erratum 383 and result in a fatal machine check exception. Here's the scenario:

    1. On 32-bit, the swapper_pg_dir page table is used as the initial page table for booting a secondary CPU.

    2. To make this work, swapper_pg_dir needs a direct mapping of physical memory in it (the low mappings). By adding those low, large page (2M) mappings (PAE kernel), we create the necessary conditions for Erratum 383 to occur.

    3. Other CPUs which do not participate in the off- and onlining game may use swapper_pg_dir while the low mappings are present (when leave_mm is called). For all steps below, the CPU referred to is a CPU that is using swapper_pg_dir, and not the CPU which is being onlined.

    4. The presence of the low mappings in swapper_pg_dir can result in TLB entries for addresses below __PAGE_OFFSET to be established speculatively. These TLB entries are marked global and large.

    5. When the CPU with such TLB entry switches to another page table, this TLB entry remains because it is global.

    6. The process then generates an access to an address covered by the above TLB entry but there is a permission mismatch - the TLB entry covers a large global page not accessible to userspace.

    7. Due to this permission mismatch a new 4kb, user TLB entry gets established. Further, Erratum 383 provides for a small window of time where both TLB entries are present. This results in an uncorrectable machine check exception signalling a TLB multimatch which panics the machine.

    There are two ways to fix this issue:

    1. Always do a global TLB flush when a new cr3 is loaded and the old page table was swapper_pg_dir. I consider this a hack hard to understand and with performance implications

    2. Do not use swapper_pg_dir to boot secondary CPUs like 64-bit does.

    This patch implements solution 2. It introduces a trampoline_pg_dir which has the same layout as swapper_pg_dir with low_mappings. This page table is used as the initial page table of the booting CPU. Later in the bringup process, it switches to swapper_pg_dir and does a global TLB flush. This fixes the crashes in our test cases.

    -v2: switch to swapper_pg_dir right after entering start_secondary() so that we are able to access percpu data which might not be mapped in the trampoline page table.

    Signed-off-by: Joerg Roedel
    LKML-Reference: <20100816123833.GB28147@aftab>
    Signed-off-by: Borislav Petkov
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit c4cf17f1e6a95168d479656d066c5b8324c16b06
Author: Zhenyu Wang
Date:   Fri Aug 27 11:08:57 2010 +0800

    agp/intel: Fix cache control for Sandybridge

    commit f8f235e5bbf4e61f3e0886a44afb1dc4cfe8f337 upstream.

    Sandybridge GTT has new cache control bits in PTE, which controls graphics page cache in LLC or LLC/MLC, so we need to extend the mask function to respect the new bits. And set cache control to always LLC only by default on Gen6.

    Signed-off-by: Zhenyu Wang
    Signed-off-by: Chris Wilson
    Signed-off-by: Greg Kroah-Hartman

commit 6b85aae5dfa34321a2336f57109cd9ad4ae1bb51
Author: Jacob Pan
Date:   Wed May 19 12:01:23 2010 -0700

    x86: detect scattered cpuid features earlier

    commit 1dedefd1a066a795a87afca9c0236e1a94de9bf6 upstream.

    Some extra CPU features such as ARAT are needed in early boot so that x86_init function pointers can be set up properly.

    http://lkml.org/lkml/2010/5/18/519

    At start_kernel() level, this patch moves init_scattered_cpuid_features() from check_bugs() to setup_arch() -> early_cpu_init() which is earlier than platform specific x86_init layer setup. Suggested by HPA.

    Signed-off-by: Jacob Pan
    LKML-Reference: <1274295685-6774-2-git-send-email-jacob.jun.pan@linux.intel.com>
    Acked-by: Thomas Gleixner
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit fc5ae3497e1abe79a3324a883b2c8799acc5a67b
Author: Rafael J. Wysocki
Date:   Fri Sep 24 16:46:14 2010 -0400

    PM / ACPI: Blacklist systems known to require acpi_sleep=nonvs

    commit 539986482b0db07b7164ab086d167ab99b4d3061 upstream.

    Commit 2a6b69765ad794389f2fc3e14a0afa1a995221c2 (ACPI: Store NVS state even when entering suspend to RAM) changed the ACPI suspend to RAM code so that the NVS memory area is always unconditionally saved during suspend and restored during resume, since some systems evidently need that for the suspend-resume to work on them.

    However, it turned out that this change broke suspend-resume on a few systems, so commit 72ad5d77fb981963edae15eee8196c80238f5ed0 (ACPI / Sleep: Allow the NVS saving to be skipped during suspend to RAM) introduced the acpi_sleep=nonvs command line switch to allow their users to work around this issue.

    To keep track of the systems that require this workaround and to make the life of their users slightly easier blacklist them in acpisleep_dmi_table[].

    https://bugzilla.kernel.org/show_bug.cgi?id=16396

    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit fe1a1f1554fd1b7f1afa95121dcd2a232eca72ca
Author: Zhang Rui
Date:   Tue Sep 28 22:48:55 2010 -0400

    ACPI: Disable Windows Vista compatibility for Toshiba P305D

    commit 337279ce3aa85d81d34c0f837d1c204df105103b upstream.

    Disable the Windows Vista (SP1) compatibility for Toshiba P305D.

    http://bugzilla.kernel.org/show_bug.cgi?id=14736

    Signed-off-by: Zhang Rui
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 6d83ebffef9bf0d554eada20e0146981b6a4e83a
Author: Len Brown
Date:   Tue Sep 28 17:20:20 2010 -0400

    ACPI: delete ZEPTO idle=nomwait DMI quirk

    commit 64a32307b710c100beb101e9c78f8022f0e8ba61 upstream.

    per comments in the bug report, this entry seems to hurt as much as it helps.

    https://bugzilla.kernel.org/show_bug.cgi?id=10807

    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 223c90ef801849ffb952ad2cc85b5eddf4082f61
Author: Len Brown
Date:   Tue Sep 28 17:51:51 2010 -0400

    ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355

    commit 7a1d602f5fc35d14907b7da98d5627acb69589d1 upstream.

    https://bugzilla.kernel.org/show_bug.cgi?id=12641

    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 00f8646ef207c509072889c922d180cd28c923b9
Author: Len Brown
Date:   Fri Sep 24 21:02:27 2010 -0400

    intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang

    commit 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d upstream.

    When the Lenovo Ideapad S10-3 is booted with HT enabled, it hits a boot hang in the intel_idle driver. This occurs when entering ATM-C4 for the first time, unless BM_STS is first cleared.

    acpi_idle doesn't see this because it first checks and clears BM_STS, but it would hit the same hang if that check were disabled.

    http://bugs.meego.com/show_bug.cgi?id=7093
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/634702

    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit e5668aa876cbfb73277a5d7272e96eef30ede0d5
Author: Colin Ian King
Date:   Mon Aug 2 15:14:43 2010 +0000

    ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume

    commit 573b638158029898caf9470c8214b7ddd29751e3 upstream.

    Section 4.7.3.1.1 (PM1 Status Registers) of version 4.0 of the ACPI spec concerning PCIEXP_WAKE_STS points out in the final note field in table 4-11 that if this bit is set to 1 and the system is put into a sleeping state then the system will not automatically wake.

    This bit gets set by hardware to indicate that the system woke up due to a PCI Express wakeup event, so clear it during acpi_hw_clear_acpi_status() calls to enable subsequent resumes to work.

    BugLink: http://bugs.launchpad.net/bugs/613381

    Signed-off-by: Colin Ian King
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 6fe329402817c4b918afd5154c7708a77c65b500
Author: Herton Ronaldo Krzesinski
Date:   Thu Jun 17 14:15:06 2010 -0300

    ALSA: hda - add ideapad model for Conexant 5051 codec

    commit f7154de220f14073ef0d76638f85e254ad2e202f upstream.

    Lenovo IdeaPad Y430 has an additional subwoofer connected at pin 0x1b, which isn't muted when headphone is plugged in. This adds additional support to the extra subwoofer via new ideapad model.

    Signed-off-by: Herton Ronaldo Krzesinski
    Signed-off-by: Takashi Iwai
    Cc: David Henningsson
    Signed-off-by: Greg Kroah-Hartman

commit 073676f1efde423a75fbfcb3ff4e0cbfaddb7bdb
Author: Paul Fertser
Date:   Mon Oct 11 15:45:35 2010 -0700

    b44: fix carrier detection on bind

    commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream.

    For carrier detection to work properly when binding the driver with a cable unplugged, netif_carrier_off() should be called after register_netdev(), not before.

    Signed-off-by: Paul Fertser
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7837447f8b4372ccd19e3b28afff4c901edd3ae1
Author: Michael Neuling
Date:   Wed Aug 25 21:04:25 2010 +0000

    powerpc: Don't use kernel stack with translation off

    commit 54a834043314c257210db2a9d59f8cc605571639 upstream.

    In f761622e59433130bc33ad086ce219feee9eb961 we changed early_setup_secondary so it's called using the proper kernel stack rather than the emergency one.

    Unfortunately, this stack pointer can't be used when translation is off on PHYP as this stack pointer might be outside the RMO. This results in the following on all non zero cpus:

      cpu 0x1: Vector: 300 (Data Access) at [c00000001639fd10]
          pc: 000000000001c50c
          lr: 000000000000821c
          sp: c00000001639ff90
          msr: 8000000000001000
          dar: c00000001639ffa0
          dsisr: 42000000
          current = 0xc000000016393540
          paca = 0xc000000006e00200
          pid = 0, comm = swapper

    The original patch was only tested on bare metal system, so it never caught this problem.

    This changes __secondary_start so that we calculate the new stack pointer but only start using it after we've called early_setup_secondary.

    With this patch, the above problem goes away.

    Signed-off-by: Michael Neuling
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 02f6f1e637a74a11bd5e834b39bc5e4dd28796c5
Author: Matt Evans
Date:   Thu Aug 12 20:58:28 2010 +0000

    powerpc: Initialise paca->kstack before early_setup_secondary

    commit f761622e59433130bc33ad086ce219feee9eb961 upstream.

    As early setup calls down to slb_initialize(), we must have kstack initialised before checking "should we add a bolted SLB entry for our kstack?"

    Failing to do so means stack access requires an SLB miss exception to refill an entry dynamically, if the stack isn't accessible via SLB(0) (kernel text & static data). It's not always allowable to take such a miss, and intermittent crashes will result.

    Primary CPUs don't have this issue; an SLB entry is not bolted for their stack anyway (as that lives within SLB(0)).

    This patch therefore only affects the init of secondaries.

    Signed-off-by: Matt Evans
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 50c5f9ded08bf13cbef33ebbb19b78fc21b2861d
Author: Yinghai Lu
Date:   Fri Sep 17 23:26:24 2010 -0700

    ACPI: Handle ACPI0007 Device in acpi_early_set_pdc

    commit c1e0ddbf0a97e1704d7f13b4934f9acca002402d upstream.

    After
    | commit d8191fa4a33fdc817277da4f2b7f771ff605a41c
    | Author: Alex Chiang
    | Date: Mon Feb 22 12:11:39 2010 -0700
    |
    | ACPI: processor: driver doesn't need to evaluate _PDC
    |
    | Now that the early _PDC evaluation path knows how to correctly
    | evaluate _PDC on only physically present processors, there's no
    | need for the processor driver to evaluate it later when it loads.
    |
    | To cover the hotplug case, push _PDC evaluation down into the
    | hotplug paths.

    only cpu with Processor Statement get processed with _PDC

    If bios is using Device object instead of Processor statement. SSDTs for Pstate/Cstate/Tstate can not be loaded dynamically.

    Need to try to scan ACPI0007 in addition to Processor.

    That commit is between 2.6.34-rc1 and 2.6.34-rc2, so stable tree for 2.6.34+ need this patch.

    Signed-off-by: Yinghai Lu
    Reviewed-by: Bjorn Helgaas
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 64b4822a0e7ae4f54d3d23e860a17f5c1257e1ea
Author: Amit Shah
Date:   Wed Oct 20 13:45:43 2010 +1030

    virtio: console: Don't block entire guest if host doesn't read data

    commit 531295e63be8c2b8b909d7400739e8b8df60d61f upstream.

    If the host is slow in reading data or doesn't read data at all, blocking write calls not only blocked the program that called write() but the entire guest itself.

    To overcome this, let's not block till the host signals it has given back the virtio ring element we passed it. Instead, send the buffer to the host and return to userspace. This operation then becomes similar to how non-blocking writes work, so let's use the existing code for this path as well.

    This code change also ensures blocking write calls do get blocked if there's not enough room in the virtio ring as well as they don't return -EAGAIN to userspace.

    Signed-off-by: Amit Shah
    Acked-by: Hans de Goede
    Signed-off-by: Rusty Russell
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 30756523ef2f21b917c7e85d2361f25488874c40
Author: Martin K. Petersen
Date:   Fri Sep 10 01:20:27 2010 -0400

    Fix VPD inquiry page wrapper

    commit 16d3ea26f82271fef9b1c4523b5e1ea31fa39eec upstream.

    Fix two bugs in the VPD page wrapper:

     - Don't return failure if the user asked for page 0

     - The end of buffer check failed to account for the page header size and consequently didn't work

    Signed-off-by: Martin K. Petersen
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 3899bc97ac29d0e81af688574b2f39197d3d655a
Author: FUJITA Tomonori
Date:   Fri Sep 17 00:46:42 2010 +0900

    bsg: fix incorrect device_status value

    commit 478971600e47cb83ff2d3c63c5c24f2b04b0d6a1 upstream.

    bsg incorrectly returns sg's masked_status value for device_status.

    [jejb: fix up expression logic]

    Reported-by: Douglas Gilbert
    Signed-off-by: FUJITA Tomonori
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 8706a900f0c047b49e34918cdf2b23dc82c234d5
Author: Marcelo Tosatti
Date:   Thu Oct 14 13:49:59 2010 -0300

    KVM: Fix reboot on Intel hosts

    commit ca242ac9960dc61530e25a2c190e4e13fd5f1ecb upstream.

    When we reboot, we disable vmx extensions or otherwise INIT gets blocked. If a task on another cpu hits a vmx instruction, it will fault if vmx is disabled. We trap that to avoid a nasty oops and spin until the reboot completes.

    Problem is, we sleep with interrupts disabled. This blocks smp_send_stop() from running, and the reboot process halts.

    Fix by enabling interrupts before spinning.

    Signed-off-by: Avi Kivity
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 85aa4285872f67bb21ecf7de0e467c57b4c6a976
Author: Marcelo Tosatti
Date:   Thu Oct 14 13:49:58 2010 -0300

    KVM: fix irqfd assign/deassign race

    commit 6bbfb2653177a00f70e57e53625502d43804fed0 upstream.

    I think I see the following (theoretical) race:

    During irqfd assign, we drop irqfds lock before we schedule inject work. Therefore, deassign running on another CPU could cause shutdown and flush to run before inject, causing use after free in inject.

    A simple fix is to schedule inject under the lock.

    Signed-off-by: Michael S. Tsirkin
    Acked-by: Gregory Haskins
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit d25faf3214b1991531f2ef64b864751b002fcf8f
Author: Marcelo Tosatti
Date:   Thu Oct 14 13:49:57 2010 -0300

    KVM: x86: Move TSC reset out of vmcb_init

    commit 47008cd887c1836bcadda123ba73e1863de7a6c4 upstream.

    The VMCB is reset whenever we receive a startup IPI, so Linux is setting TSC back to zero happens very late in the boot process and destabilizing the TSC. Instead, just set TSC to zero once at VCPU creation time.

    Why the separate patch? So git-bisect is your friend.

    Signed-off-by: Zachary Amsden
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 912ecf4173cb78c209090e43a0e6cd0ca295f1f8
Author: Marcelo Tosatti
Date:   Thu Oct 14 13:49:56 2010 -0300

    KVM: x86: Fix SVM VMCB reset

    commit 58877679fd393d3ef71aa383031ac7817561463d upstream.

    On reset, VMCB TSC should be set to zero. Instead, code was setting tsc_offset to zero, which passes through the underlying TSC.

    Signed-off-by: Zachary Amsden
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 668f36c4044b6541ea4ce92515e89f290a1c979d
Author: Marcelo Tosatti
Date:   Thu Oct 14 13:49:55 2010 -0300

    KVM: i8259: fix migration

    commit eebb5f31b8d9a2620dcf32297096f8ce1240b179 upstream.

    Top of kvm_kpic_state structure should have the same memory layout as kvm_pic_state since it is copied by memcpy.

    Signed-off-by: Gleb Natapov
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 431e8d4b696f8cc10db1458865262139dda15e42
Author: Stanislaw Gruszka
Date:   Fri Oct 8 04:25:00 2010 +0000

    r8169: allocate with GFP_KERNEL flag when able to sleep

    commit aeb19f6052b5e5c8a24aa444fbff73b84341beac upstream.

    We have fedora bug report where driver fail to initialize after suspend/resume because of memory allocation errors:
    https://bugzilla.redhat.com/show_bug.cgi?id=629158

    To fix use GFP_KERNEL allocation where possible.

    Tested-by: Neal Becker
    Signed-off-by: Stanislaw Gruszka
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2af177aa5f4de44ac9f142f6bc51469f915ab159
Author: Stanislaw Gruszka
Date:   Tue Oct 5 15:11:40 2010 -0700

    skge: add quirk to limit DMA

    commit 392bd0cb000d4aac9e88e4f50823db85e7220688 upstream.

    Skge devices installed on some Gigabyte motherboards are not able to perform 64 dma correctly due to board PCI implementation, so limit DMA to 32bit if such boards are detected.

    Bug was reported here:
    https://bugzilla.redhat.com/show_bug.cgi?id=447489

    Signed-off-by: Stanislaw Gruszka
    Tested-by: Luya Tshimbalanga
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4d4e307ad05e8ba402c385d780e2c03ea3c7c495
Author: Johannes Weiner
Date:   Fri Oct 1 07:43:54 2010 +0000

    xfs: properly account for reclaimed inodes

    commit 081003fff467ea0e727f66d5d435b4f473a789b3 upstream.

    When marking an inode reclaimable, a per-AG counter is increased, the inode is tagged reclaimable in its per-AG tree, and, when this is the first reclaimable inode in the AG, the AG entry in the per-mount tree is also tagged.

    When an inode is finally reclaimed, however, it is only deleted from the per-AG tree. Neither the counter is decreased, nor is the parent tree's AG entry untagged properly.

    Since the tags in the per-mount tree are not cleared, the inode shrinker iterates over all AGs that have had reclaimable inodes at one point in time.

    The counters on the other hand signal an increasing amount of slab objects to reclaim. Since "70e60ce xfs: convert inode shrinker to per-filesystem context" this is not a real issue anymore because the shrinker bails out after one iteration.

    But the problem was observable on a machine running v2.6.34, where the reclaimable work increased and each process going into direct reclaim eventually got stuck on the xfs inode shrinking path, trying to scan several million objects.

    Fix this by properly unwinding the reclaimable-state tracking of an inode when it is reclaimed.

    Signed-off-by: Johannes Weiner
    Reviewed-by: Dave Chinner
    Signed-off-by: Alex Elder
    Signed-off-by: Greg Kroah-Hartman

commit 47f4633f95e4ecafd829f4cfcb18d746d1afc5cd
Author: Olivier Grenie
Date:   Tue Sep 7 12:50:45 2010 -0300

    V4L/DVB: dib7770: enable the current mirror

    commit 90e12cec707204930934acdb5efce5f94a163a5f upstream.

    To improve performance on DiB7770-devices enabling the current mirror is needed.

    This patch adds an option to the dib7000p-driver to do that and it creates a separate device-entry in dib0700-device to use those changes on hardware which is using the DiB7770.

    Signed-off-by: Olivier Grenie
    Signed-off-by: Patrick Boettcher
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 63cb57e4d31311bf80639d07ba006d39651304bb
Author: Ohad Ben-Cohen
Date:   Wed Oct 13 09:31:56 2010 +0200

    mmc: sdio: fix SDIO suspend/resume regression

    commit 1c8cf9c997a4a6b36e907c7ede5f048aeaab1644 upstream.

    Fix SDIO suspend/resume regression introduced by 4c2ef25fe0b "mmc: fix all hangs related to mmc/sd card insert/removal during suspend/resume":

      PM: Syncing filesystems ... done.
      Freezing user space processes ... (elapsed 0.01 seconds) done.
      Freezing remaining freezable tasks ... (elapsed 0.01 seconds) done.
      Suspending console(s) (use no_console_suspend to debug)
      pm_op(): platform_pm_suspend+0x0/0x5c returns -38
      PM: Device pxa2xx-mci.0 failed to suspend: error -38
      PM: Some devices failed to suspend

    4c2ef25fe0b moved the card removal/insertion mechanism out of MMC's suspend/resume path and into pm notifiers (mmc_pm_notify), and that broke SDIO's expectation that mmc_suspend_host() will remove the card, and squash the error, in case -ENOSYS is returned from the bus suspend handler (mmc_sdio_suspend() in this case).

    mmc_sdio_suspend() is using this whenever at least one of the card's SDIO function drivers does not have suspend/resume handlers - in that case it is agreed to force removal of the entire card.

    This patch fixes this regression by trivially bringing back that part of mmc_suspend_host(), which was removed by 4c2ef25fe0b.

    Reported-and-tested-by: Sven Neumann
    Signed-off-by: Ohad Ben-Cohen
    Cc: Maxim Levitsky
    Acked-by: Nicolas Pitre
    Signed-off-by: Chris Ball
    Signed-off-by: Greg Kroah-Hartman

commit 414c9c2726f9aa72ee37c64e24960a6a81374c34
Author: Alex Deucher
Date:   Mon Sep 27 11:33:00 2010 -0400

    drm/radeon/kms: add quirk for MSI K9A2GM motherboard

    commit f36fce0f49ed40f3e843d45fa53d476d63444b58 upstream.

    Board has no digital connectors

    Reported-by: Andy Walls
    Tested-by: Andy Walls
    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 0097ad30cacd143b61ae58f0e9830ae8be3c6c79
Author: Alex Deucher
Date:   Mon Sep 27 10:57:10 2010 -0400

    drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle

    commit e488459a0e131acc9e14df093cfee740bc431953 upstream.

    radeon_gem_wait_idle_ioctl can apparently get called prior to the vram page being set up or even if accel is false, so make sure it's valid before using it.

    Should fix:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597636
    https://bugs.freedesktop.org/show_bug.cgi?id=29834

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit f68f4a26c5390ce47f6b4ffefb1bf35e7cac93be
Author: Alex Deucher
Date:   Fri Sep 24 14:59:32 2010 -0400

    drm/radeon/kms: fix up encoder info messages for DFP6

    commit 73758a5d51280ca0613b8380fc07351f4d64f9c8 upstream.

    encoder info was not printed properly on boards using the DFP6 id.

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 86e3fc7194c037faae3f3094563f75312d3512a0
Author: Alex Deucher
Date:   Tue Oct 12 12:20:31 2010 -0400

    drm/radeon/kms: fix possible sigbus in evergreen accel code

    Not upstream in Linus's tree as it was fixed by a much more intrusive patch in a different manner, commit c919b371cb734f42b11

    2.6.35 and 2.6.36 do not contain blit support for evergreen asics so if they use unmappable vram, you can end up with an unreachable buffer address. This should not be applied to drm-next as that tree already contains evergreen blit support. This should only be applied to the 2.6.35 and 2.6.36 stable trees.

    Fixes:
    https://bugs.freedesktop.org/show_bug.cgi?id=30188

    Signed-off-by: Alex Deucher
    Acked-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 64ea843fbb13bb9d3014751a114f069461b32da3
Author: Dave Airlie
Date:   Sat Sep 25 17:45:50 2010 +1000

    drm/radeon: fix PCI ID 5657 to be an RV410

    commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream.

    fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 9b909fc8c3e8e04d012c20f38de2d57aedfc16a0
Author: Chris Wilson
Date:   Thu Sep 30 09:10:26 2010 +0100

    drm: Hold the mutex when dropping the last GEM reference (v2)

    commit 39b4d07aa3583ceefe73622841303a0a3e942ca1 upstream.

    In order to be fully threadsafe we need to check that the drm_gem_object refcount is still 0 after acquiring the mutex in order to call the free function. Otherwise, we may encounter scenarios like:

    Thread A:                        Thread B:
    drm_gem_close
    unreference_unlocked
    kref_put                         mutex_lock
    ...                              i915_gem_evict
    ...                              kref_get -> BUG
    ...                              i915_gem_unbind
    ...                              kref_put
    ...                              i915_gem_object_free
    ...                              mutex_unlock
    mutex_lock
    i915_gem_object_free -> BUG
    i915_gem_object_unbind
    kfree
    mutex_unlock

    Note that no driver is currently using the free_unlocked vfunc and it is scheduled for removal, hasten that process.

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454
    Reported-and-Tested-by: Magnus Kessler
    Signed-off-by: Chris Wilson
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit ac9f371955a1d6ce27b1464a86137b4cdb0f43d8
Author: Chris Wilson
Date:   Mon Sep 27 21:28:30 2010 +0100

    drm: Prune GEM vma entries

    commit 31dfbc93923c0aaa0440b809f80ff2830c6a531a upstream.

    Hook the GEM vm open/close ops into the generic drm vm open/close so that the private vma entries are created and destroyed appropriately. Fixes the leak of the drm_vma_entries during the lifetime of the filp.

    Reported-by: Matt Mackall
    Cc: Jesse Barnes
    Signed-off-by: Chris Wilson
    Acked-by: Jesse Barnes
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 39a3fcd46e669818b54dd9f587f11a40ccdbebe2
Author: Jesse Barnes
Date:   Mon Sep 27 10:35:44 2010 -0700

    drm/i915: fix GMCH power reporting

    commit d270ae34eb77c58dea60e5b1e300a698d2ce39ac upstream.

    The IPS driver needs to know the current power consumption of the GMCH in order to make decisions about when to increase or decrease the CPU and/or GPU power envelope. So fix up the divisions to save the results so the numbers are actually correct (contrary to some earlier comments and code, these functions do not modify the first argument and use it for the result).

    Signed-off-by: Jesse Barnes
    Signed-off-by: Chris Wilson
    Signed-off-by: Greg Kroah-Hartman

commit 264cf4e651212e9f38cb24399c3cf513e13adcd2
Author: Chris Wilson
Date:   Sun Sep 26 20:50:05 2010 +0100

    drm/i915: Sanity check pread/pwrite

    commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.

    Move the access control up from the fast paths, which are no longer universally taken first, up into the caller. This then duplicates some sanity checking along the slow paths, but is much simpler. Tracked as CVE-2010-2962.

    Reported-by: Kees Cook
    Signed-off-by: Chris Wilson
    Signed-off-by: Greg Kroah-Hartman

commit f7352937752cdf338158a320b37e99b7189b411a
Author: Chris Wilson
Date:   Fri Oct 8 13:40:27 2010 +0100

    drm/i915: Prevent module unload to avoid random memory corruption

    commit 6939a5aca7cfada279a24c307e772f33104fca20 upstream.

    The i915 driver has quite a few module unload bugs, the known ones at least have fixes that are targeting 2.6.37. However, in order to maintain a stable kernel, we should prevent this known random memory corruption following driver unload. This should have very low impact on normal users who are unlikely to need to unload the i915 driver.

    Suggested-by: Thomas Gleixner
    Acked-by: Daniel Vetter
    Signed-off-by: Chris Wilson
    Signed-off-by: Greg Kroah-Hartman

commit 14d7e74a7f658fdd370e9a790b55e3b93eb259fc
Author: Stefan Richter
Date:   Sun Oct 17 14:09:12 2010 +0200

    firewire: ohci: fix TI TSB82AA2 regression since 2.6.35

    commit aa0170fff3c26bf2b42159af2dd9cf86444c292a upstream.

    Revert commit 54672386ccf36ffa21d1de8e75624af83f9b0eeb "firewire: ohci: fix up configuration of TI chips". It caused massive slow-down and data corruption with a TSB82AA2 based StarTech EC1394B2 ExpressCard and FireWire 800 harddisks.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/657081 http://thread.gmane.org/gmane.linux.kernel.firewire.user/4013 The fact that some card EEPROMs do not program these enhancements may be related to TSB81BA3 phy chip errata, if not to bugs of TSB82AA2 itself. We could re-add these configuration steps, but only conditional on a whitelist of cards on which these enhancements bring a proven positive effect. Reported-and-tested-by: Eric Shattow Cc: Clemens Ladisch Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit fe17f612b3ea86e7af439432fc6b7d6d5e15d508 Author: Linus Torvalds Date: Fri Oct 15 11:09:28 2010 -0700 De-pessimize rds_page_copy_user commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream. Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and the unsafe atomic user mode accessor functions. It's actually slower than the straightforward code on any reasonable modern CPU. Back when the code was written (although probably not by the time it was actually merged, though), 32-bit x86 may have been the dominant architecture. And there kmap_atomic() can be a lot faster than kmap() (unless you have very good locality, in which case the virtual address caching by kmap() can overcome all the downsides). But these days, x86-64 may not be more populous, but it's getting there (and if you care about performance, it's definitely already there - you'd have upgraded your CPU's already in the last few years). And on x86-64, the non-kmap_atomic() version is faster, simply because the code is simpler and doesn't have the "re-try page fault" case. People with old hardware are not likely to care about RDS anyway, and the optimization for the 32-bit case is simply buggy, since it doesn't verify the user addresses properly. 
Reported-by: Dan Rosenberg Acked-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c578c13150d904533c99c2fa7759ff754ca4cee6 Author: Borislav Petkov Date: Fri Oct 8 12:08:34 2010 +0200 x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream. This fixes possible cases of not collecting valid error info in the MCE error thresholding groups on F10h hardware. The current code contains a subtle problem of checking only the Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM thresholding group) in its first iteration and breaking out if the bit is cleared. But (!), this MSR contains an offset value, BlkPtr[31:24], which points to the remaining MSRs in this thresholding group which might contain valid information too. But if we bail out only after we checked the valid bit in the first MSR and not the block pointer too, we miss that other information. The thing is, MC4_MISC0[BlkPtr] is not predicated on MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked prior to iterating over the MCI_MISCj thresholding group, irrespective of the MC4_MISC0[Valid] setting. Signed-off-by: Borislav Petkov Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 75a0ef0b7765f5c98be64f6fbcdceb0693b84210 Author: Yinghai Lu Date: Sun Oct 10 19:52:15 2010 -0700 x86, numa: For each node, register the memory blocks actually used commit 73cf624d029d776a33d0a80c695485b3f9b36231 upstream. Russ reported SGI UV is broken recently. He said: | The SRAT table shows that memory range is spread over two nodes. | | SRAT: Node 0 PXM 0 100000000-800000000 | SRAT: Node 1 PXM 1 800000000-1000000000 | SRAT: Node 0 PXM 0 1000000000-1080000000 | |Previously, the kernel early_node_map[] would show three entries |with the proper node. 
    |
    |[ 0.000000] 0: 0x00100000 -> 0x00800000
    |[ 0.000000] 1: 0x00800000 -> 0x01000000
    |[ 0.000000] 0: 0x01000000 -> 0x01080000
    |
    |The problem is recent community kernel early_node_map[] shows
    |only two entries with the node 0 entry overlapping the node 1
    |entry.
    |
    | 0: 0x00100000 -> 0x01080000
    | 1: 0x00800000 -> 0x01000000

    After looking at the changelog, found out that it has been broken for a
    while by following commit

    |commit 8716273caef7f55f39fe4fc6c69c5f9f197f41f1
    |Author: David Rientjes
    |Date: Fri Sep 25 15:20:04 2009 -0700
    |
    | x86: Export srat physical topology

    Before that commit, register_active_regions() is called for every SRAT
    memory entry right away.

    Use nodememblk_range[] instead of nodes[] in order to make sure we
    capture the actual memory blocks registered with each node. nodes[]
    contains an extended range which spans all memory regions associated
    with a node, but that does not mean that all the memory in between are
    included.

    Reported-by: Russ Anderson
    Tested-by: Russ Anderson
    Signed-off-by: Yinghai Lu
    LKML-Reference: <4CB27BDF.5000800@kernel.org>
    Acked-by: David Rientjes
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 6c4a46eccf8cb90c312ba93bccccb6857d07df80
Author: Luca Tettamanti
Date:   Wed Sep 22 10:41:58 2010 +0000

    atl1: fix resume

    commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream.

    adapter->cmb.cmb is initialized when the device is opened and freed when
    it's closed. Accessing it unconditionally during resume results either
    in a crash (NULL pointer dereference, when the interface has not been
    opened yet) or data corruption (when the interface has been used and
    brought down adapter->cmb.cmb points to a deallocated memory area).

    Signed-off-by: Luca Tettamanti
    Acked-by: Chris Snook
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7ca9783455c1226bcecd1e543b50e6cc38994535
Author: Johannes Berg
Date:   Fri Sep 17 00:38:25 2010 +0200

    wext: fix potential private ioctl memory content leak

    commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.

    When a driver doesn't fill the entire buffer, old heap contents may
    remain, and if it also doesn't update the length properly, this old heap
    content will be copied back to userspace.

    It is very unlikely that this happens in any of the drivers using
    private ioctls since it would show up as junk being reported by iwpriv,
    but it seems better to be safe here, so use kzalloc.

    Reported-by: Jeff Mahoney
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit ad2f6a9c0d0f32a05fbd033dfd0c8ac41e635125
Author: Mark Brown
Date:   Mon Aug 16 20:26:51 2010 +0100

    mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types

    commit c9d66d3515bbb0ad8062721487de7ade02d2b936 upstream.

    The driver was originally tested with an additional patch which made
    this unneeded but that patch had issues and got lost on the way to
    mainline, causing problems when the errors are reported.

    Signed-off-by: Mark Brown
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman

commit f4604440d6512452e75675272364f14af3521af0
Author: Joel Becker
Date:   Wed Sep 29 17:33:05 2010 -0700

    ocfs2: Don't walk off the end of fast symlinks.

    commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.

    ocfs2 fast symlinks are NUL terminated strings stored inline in the
    inode data area. However, disk corruption or a local attacker could, in
    theory, remove that NUL. Because we're using strlen() (my fault,
    introduced in a731d1 when removing vfs_follow_link()), we could walk off
    the end of that string.
Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 5ecce9b3a94f2faa4ee0528662960ae9308aff37 Author: Frederic Weisbecker Date: Thu Sep 30 15:15:38 2010 -0700 reiserfs: fix unwanted reiserfs lock recursion commit 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 upstream. Prevent from recursively locking the reiserfs lock in reiserfs_unpack() because we may call journal_begin() that requires the lock to be taken only once, otherwise it won't be able to release the lock while taking other mutexes, ending up in inverted dependencies between the journal mutex and the reiserfs lock for example. This fixes: ======================================================= [ INFO: possible circular locking dependency detected ] 2.6.35.4.4a #3 ------------------------------------------------------- lilo/1620 is trying to acquire lock: (&journal->j_mutex){+.+...}, at: [] do_journal_begin_r+0x7f/0x340 [reiserfs] but task is already holding lock: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 (&REISERFS_SB(s)->lock){+.+.+.}: [] lock_acquire+0x67/0x80 [] __mutex_lock_common+0x4d/0x410 [] mutex_lock_nested+0x18/0x20 [] reiserfs_write_lock+0x28/0x40 [reiserfs] [] do_journal_begin_r+0x86/0x340 [reiserfs] [] journal_begin+0x77/0x140 [reiserfs] [] reiserfs_remount+0x224/0x530 [reiserfs] [] do_remount_sb+0x60/0x110 [] do_mount+0x625/0x790 [] sys_mount+0x84/0xb0 [] syscall_call+0x7/0xb -> #0 (&journal->j_mutex){+.+...}: [] __lock_acquire+0x1026/0x1180 [] lock_acquire+0x67/0x80 [] __mutex_lock_common+0x4d/0x410 [] mutex_lock_nested+0x18/0x20 [] do_journal_begin_r+0x7f/0x340 [reiserfs] [] journal_begin+0x77/0x140 [reiserfs] [] reiserfs_persistent_transaction+0x41/0x90 [reiserfs] [] reiserfs_get_block+0x22c/0x1530 [reiserfs] [] __block_prepare_write+0x1bb/0x3a0 [] block_prepare_write+0x26/0x40 [] reiserfs_prepare_write+0x88/0x170 [reiserfs] [] reiserfs_unpack+0xe6/0x120 [reiserfs] [] reiserfs_ioctl+0x272/0x320 [reiserfs] [] vfs_ioctl+0x28/0xa0 [] do_vfs_ioctl+0x32d/0x5c0 [] sys_ioctl+0x63/0x70 [] syscall_call+0x7/0xb other info that might help us debug this: 2 locks held by lilo/1620: #0: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [] reiserfs_unpack+0x6a/0x120 [reiserfs] #1: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] stack backtrace: Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3 Call Trace: [] __lock_acquire+0x1026/0x1180 [] lock_acquire+0x67/0x80 [] __mutex_lock_common+0x4d/0x410 [] mutex_lock_nested+0x18/0x20 [] do_journal_begin_r+0x7f/0x340 [reiserfs] [] journal_begin+0x77/0x140 [reiserfs] [] reiserfs_persistent_transaction+0x41/0x90 [reiserfs] [] reiserfs_get_block+0x22c/0x1530 [reiserfs] [] __block_prepare_write+0x1bb/0x3a0 [] block_prepare_write+0x26/0x40 [] reiserfs_prepare_write+0x88/0x170 [reiserfs] [] reiserfs_unpack+0xe6/0x120 [reiserfs] [] reiserfs_ioctl+0x272/0x320 [reiserfs] [] vfs_ioctl+0x28/0xa0 [] do_vfs_ioctl+0x32d/0x5c0 [] sys_ioctl+0x63/0x70 [] 
syscall_call+0x7/0xb Reported-by: Jarek Poplawski Tested-by: Jarek Poplawski Signed-off-by: Frederic Weisbecker Cc: Jeff Mahoney Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cd1bbdfed8ff5047d96ed27a3ee7b881069daf03 Author: Frederic Weisbecker Date: Thu Sep 30 15:15:37 2010 -0700 reiserfs: fix dependency inversion between inode and reiserfs mutexes commit 3f259d092c7a2fdf217823e8f1838530adb0cdb0 upstream. The reiserfs mutex already depends on the inode mutex, so we can't lock the inode mutex in reiserfs_unpack() without using the safe locking API, because reiserfs_unpack() is always called with the reiserfs mutex locked. This fixes: ======================================================= [ INFO: possible circular locking dependency detected ] 2.6.35c #13 ------------------------------------------------------- lilo/1606 is trying to acquire lock: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [] reiserfs_unpack+0x60/0x110 [reiserfs] but task is already holding lock: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 (&REISERFS_SB(s)->lock){+.+.+.}: [] lock_acquire+0x67/0x80 [] __mutex_lock_common+0x4d/0x410 [] mutex_lock_nested+0x18/0x20 [] reiserfs_write_lock+0x28/0x40 [reiserfs] [] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs] [] reiserfs_fill_super+0x941/0xe60 [reiserfs] [] get_sb_bdev+0x117/0x170 [] get_super_block+0x21/0x30 [reiserfs] [] vfs_kern_mount+0x6a/0x1b0 [] do_kern_mount+0x39/0xe0 [] do_mount+0x340/0x790 [] sys_mount+0x84/0xb0 [] syscall_call+0x7/0xb -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}: [] __lock_acquire+0x1026/0x1180 [] lock_acquire+0x67/0x80 [] __mutex_lock_common+0x4d/0x410 [] mutex_lock_nested+0x18/0x20 [] reiserfs_unpack+0x60/0x110 [reiserfs] [] reiserfs_ioctl+0x272/0x320 [reiserfs] [] vfs_ioctl+0x28/0xa0 [] do_vfs_ioctl+0x32d/0x5c0 [] sys_ioctl+0x63/0x70 [] syscall_call+0x7/0xb other info that might help us debug this: 1 lock held by lilo/1606: #0: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] stack backtrace: Pid: 1606, comm: lilo Not tainted 2.6.35c #13 Call Trace: [] __lock_acquire+0x1026/0x1180 [] lock_acquire+0x67/0x80 [] __mutex_lock_common+0x4d/0x410 [] mutex_lock_nested+0x18/0x20 [] reiserfs_unpack+0x60/0x110 [reiserfs] [] reiserfs_ioctl+0x272/0x320 [reiserfs] [] vfs_ioctl+0x28/0xa0 [] do_vfs_ioctl+0x32d/0x5c0 [] sys_ioctl+0x63/0x70 [] syscall_call+0x7/0xb Reported-by: Jarek Poplawski Tested-by: Jarek Poplawski Signed-off-by: Frederic Weisbecker Cc: Jeff Mahoney Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 738757938c56703f8568b4628291361b8655bb79 Author: Yegor Yefremov Date: Thu Sep 30 14:14:22 2010 +0200 i2c-pca: Fix waitforcompletion() return value commit 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 upstream. ret is still -1, if during the polling read_byte() returns at once with I2C_PCA_CON_SI set. So ret > 0 would lead *_waitforcompletion() to return 0, in spite of the proper behavior. 
    The routine was rewritten, so that ret has always a proper value, before
    returning.

    Signed-off-by: Yegor Yefremov
    Reviewed-by: Wolfram Sang
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit eafe9c354fde7597834d45a04f79e9057d24ae93
Author: Salman Qazi
Date:   Tue Oct 12 07:25:19 2010 -0700

    hrtimer: Preserve timer state in remove_hrtimer()

    commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream.

    The race is described as follows:

    CPU X                                 CPU Y

    remove_hrtimer
    // state & QUEUED == 0
    timer->state = CALLBACK
    unlock timer base
    timer->f(n) //very long
                                          hrtimer_start
                                            lock timer base
                                            remove_hrtimer // no effect
                                            hrtimer_enqueue
                                            timer->state = CALLBACK |
                                                           QUEUED
                                            unlock timer base
                                          hrtimer_start
                                            lock timer base
                                            remove_hrtimer
                                                mode = INACTIVE
                                                // CALLBACK bit lost!
                                            switch_hrtimer_base
                                                CALLBACK bit not set:
                                                    timer->base
                                                    changes to a
                                                    different CPU.
    lock this CPU's timer base

    The bug was introduced with commit ca109491f (hrtimer: removing all ur
    callback modes) in 2.6.29

    [ tglx: Feed new state via local variable and add a comment. ]

    Signed-off-by: Salman Qazi
    Cc: akpm@linux-foundation.org
    Cc: Peter Zijlstra
    LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 6c05813f0d8e05b2b6643843100b02687dd03929
Author: Julia Lawall
Date:   Sat Oct 2 15:59:17 2010 +0200

    drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code

    commit 929f49bf225b1b6cd04d0a7b9c0f7377d9131220 upstream.

    Extend the error handling code with operations found in other nearby
    error handling code

    A simplified version of the semantic match that finds this problem is as
    follows: (http://coccinelle.lip6.fr/)

    //
    @r exists@
    @r@
    statement S1,S2,S3;
    constant C1,C2,C3;
    @@

    *if (...)
     {... S1 return -C1;}
    ...
    *if (...)
     {... when != S1
        return -C2;}
    ...
    *if (...)
     {... S1 return -C3;}
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Chris Wilson
    Signed-off-by: Greg Kroah-Hartman

commit 677c3a487715716e4c8e61a882e0680578d90103
Author: Simon Guinot
Date:   Fri Sep 17 23:33:51 2010 +0200

    dmaengine: fix interrupt clearing for mv_xor

    commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream.

    When using simultaneously the two DMA channels on a same engine, some
    transfers are never completed. For example, an endless lock can occur
    while writing heavily on a RAID5 array (with async-tx offload support
    enabled).

    Note that this issue can also be reproduced by using the DMA test
    client.

    On a same engine, the interrupt cause register is shared between two
    DMA channels. This patch makes sure that the cause bit is only cleared
    for the requested channel.

    Signed-off-by: Simon Guinot
    Tested-by: Luc Saillard
    Acked-by: saeed bishara
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman

commit 02ee32edab40e81b2af0149a8fb86986fc5ac9e7
Author: Steven Rostedt
Date:   Tue Oct 12 12:06:43 2010 -0400

    ring-buffer: Fix typo of time extends per page

    commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream.

    Time stamps for the ring buffer are created by the difference between
    two events. Each page of the ring buffer holds a full 64 bit timestamp.
    Each event has a 27 bit delta stamp from the last event. The unit of
    time is nanoseconds, so 27 bits can hold ~134 milliseconds. If two
    events happen more than 134 milliseconds apart, a time extend is
    inserted to add more bits for the delta. The time extend has 59 bits,
    which is good for ~18 years.

    Currently the time extend is committed separately from the event. If an
    event is discarded before it is committed, due to filtering, the time
    extend still exists. If all events are being filtered, then after ~134
    milliseconds a new time extend will be added to the buffer.

    This can only happen till the end of the page. Since each page holds a
    full timestamp, there is no reason to add a time extend to the
    beginning of a page. Time extends can only fill a page that has actual
    data at the beginning, so there is no fear that time extends will fill
    more than a page without any data.

    When reading an event, a loop is made to skip over time extends since
    they are only used to maintain the time stamp and are never given to
    the caller. As a paranoid check to prevent the loop running forever,
    with the knowledge that time extends may only fill a page, a check is
    made that tests the iteration of the loop, and if the iteration is more
    than the number of time extends that can fit in a page a warning is
    printed and the ring buffer is disabled (all of ftrace is also disabled
    with it).

    There is another event type that is called a TIMESTAMP which can hold
    64 bits of data in the theoretical case that two events happen 18 years
    apart. This code has not been implemented, but the name of this event
    exists, as well as the structure for it. The size of a TIMESTAMP is 16
    bytes, whereas a time extend is only 8 bytes. The macro used to
    calculate how many time extends can fit on a page used the TIMESTAMP
    size instead of the time extend size cutting the amount in half.

    The following test case can easily trigger the warning since we only
    need to have half the page filled with time extends to trigger the
    warning:

     # cd /sys/kernel/debug/tracing/
     # echo function > current_tracer
     # echo 'common_pid < 0' > events/ftrace/function/filter
     # echo > trace
     # echo 1 > trace_marker
     # sleep 120
     # cat trace

    Enabling the function tracer and then setting the filter to only trace
    functions where the process id is negative (no events), then clearing
    the trace buffer to ensure that we have nothing in the buffer, then
    write to trace_marker to add an event to the beginning of a page, sleep
    for 2 minutes (only 35 seconds is probably needed, but this guarantees
    the bug), and then finally reading the trace which will trigger the
    bug.

    This patch fixes the typo and prevents the false positive of that
    warning.

    Reported-by: Hans J.
Koch Tested-by: Hans J. Koch Cc: Thomas Gleixner Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 39a1d13e238b714c8713fd9739141b552724d1fe Author: Mike Snitzer Date: Sat Oct 9 12:12:13 2010 +1030 virtio-blk: fix request leak. commit e4c4776dea9fd0295ebb3b215599d52938d6d7a3 upstream. Must drop reference taken by blk_make_request(). Signed-off-by: Mike Snitzer Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c4cb1dd93619b45e8d0295bbcb83389195ce66fb Author: Dan Carpenter Date: Sun Oct 10 19:33:52 2010 +0200 OSS: soundcard: locking bug in sound_ioctl() commit d4cfa4d12f46e2520f4c1d1a92e891ce068b7464 upstream. We shouldn't return directly here because we're still holding the &soundcard_mutex. This bug goes all the way back to the start of git. It's strange that no one has complained about it as a runtime bug. Signed-off-by: Dan Carpenter Acked-by: Arnd Bergmann Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 84602dccfecbc66a791cdd1f2f32b4481ce67586 Author: Tejun Heo Date: Fri Oct 15 12:56:21 2010 +0200 ubd: fix incorrect sector handling during request restart commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream. Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation) dropped request->sector manipulation in preparation for global request handling cleanup; unfortunately, it incorrectly assumed that the updated sector wasn't being used. ubd tries to issue as many requests as possible to io_thread. When issuing fails due to memory pressure or other reasons, the device is put on the restart list and issuing stops. On IO completion, devices on the restart list are scanned and IO issuing is restarted. ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a request, so each device on the restart queue needs to remember where to restart in its current request. 
ubd needs to keep track of the issue position itself because, * blk_rq_pos(req) is now updated by the block layer to keep track of _completion_ position. * Multiple io_req's for the current request may be in flight, so it's difficult to tell where blk_rq_pos(req) currently is. Add ubd->rq_pos to keep track of the issue position and use it to correctly restart io_req issue. Signed-off-by: Tejun Heo Reported-by: Richard Weinberger Tested-by: Richard Weinberger Tested-by: Chris Frey Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 6af2c5f5ab721df7e7b36b939fa11591264ade32 Author: Thomas Gleixner Date: Tue Sep 28 20:57:19 2010 +0200 x86, irq: Plug memory leak in sparse irq commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream. free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this triggers a use after free caused by the fact that copying struct irq_cfg is done with memcpy, which copies the pointer not the cpumask. Fix both places. Signed-off-by: Thomas Gleixner Cc: Yinghai Lu LKML-Reference: Signed-off-by: Thomas Gleixner Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 8268a8d756bd63b9f68ee6fbe9cad0548134b2ca Author: Thomas Gleixner Date: Tue Sep 28 23:20:23 2010 +0200 x86, hpet: Fix bogus error check in hpet_assign_irq() commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream. create_irq() returns -1 if the interrupt allocation failed, but the code checks for irq == 0. Use create_irq_nr() instead. Signed-off-by: Thomas Gleixner Cc: Venkatesh Pallipadi LKML-Reference: Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 22d59a19e77a8b8c2d1b83fc98272cc095ac92b7 Author: Johannes Berg Date: Fri Sep 24 11:20:47 2010 +0200 mac80211: fix use-after-free commit cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 upstream. 
commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1 Author: Johannes Berg Date: Wed Nov 25 17:46:15 2009 +0100 mac80211: move cmntr flag out of rx flags moved the CMTR flag into the skb's status, and in doing so introduced a use-after-free -- when the skb has been handed to cooked monitors the status setting will touch now invalid memory. Additionally, moving it there has effectively discarded the optimisation -- since the bit is only ever set on freed SKBs, and those were a copy, it could never be checked. For the current release, fixing this properly is a bit too involved, so let's just remove the problematic code and leave userspace with one copy of each frame for each virtual interface. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b6df308f73dee36d4c1810ede94068a78455c485 Author: Dan Williams Date: Wed Oct 13 15:43:10 2010 -0700 ioat2: fix performance regression commit c50a898fd4e736623ee175920db056194e0bb483 upstream. Commit 0793448 "DMAENGINE: generic channel status v2" changed the interface for how dma channel progress is retrieved. It inadvertently exported an internal helper function ioat_tx_status() instead of ioat_dma_tx_status(). The latter polls the hardware to get the latest completion state, while the helper just evaluates the current state without touching hardware. The effect is that we end up waiting for completion timeouts or descriptor allocation errors before the completion state is updated. iperf (before fix): [SUM] 0.0-41.3 sec 364 MBytes 73.9 Mbits/sec iperf (after fix): [SUM] 0.0- 4.5 sec 499 MBytes 940 Mbits/sec This is a regression starting with 2.6.35. 
Cc: Dave Jiang Cc: Jesse Brandeburg Cc: Linus Walleij Cc: Maciej Sosnowski Reported-by: Richard Scobie Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit df2b79ccc6740db529779198331064351dc87512 Author: Aristeu Rozanski Date: Sun Oct 10 14:12:33 2010 -0700 Input: wacom - fix pressure in Cintiq 21UX2 commit ca047fedd89bbb4b79b61e0656a7b799e4e45e6d upstream. Currently the pressure range in Cintiq 21UX2 is limited to half of the supported. This patch fixes the problem. Signed-off-by: Aristeu Rozanski Acked-by: Ping Cheng Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 1a93a2c2bebfc831296f0e4f8a394efac9f9b33f Author: Kenneth Waters Date: Tue Sep 21 00:58:23 2010 -0700 Input: joydev - fix JSIOCSAXMAP ioctl commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream. Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to event axis in addition to abspam. This fixes a regression introduced by 999b874f. Signed-off-by: Kenneth Waters Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 81e8f58379abbc46f29b7fcba6acfce90e362736 Author: Mauro Carvalho Chehab Date: Fri Sep 3 10:50:24 2010 -0300 V4L/DVB: Don't identify PV SBTVD Hybrid as a DibCom device commit 3bfb317f97cfddbbec67bbe8e35ad38af3507397 upstream. As reported by Carlos, Prolink Pixelview SBTVD Hybrid is based on Conexant cx231xx + Fujitsu 86A20S demodulator. However, both shares the same USB ID. So, we need to use USB bcdDevice, in order to properly discover what's the board. We know for sure that bcd 0x100 is used for a dib0700 device, while bcd 0x4001 is used for a cx23102 device. This patch reserves two ranges, the first one from 0x0000-0x3f00 for dib0700, and the second from 0x4000-0x4fff for cx231xx devices. This may need fixes in the future, as we get access to other devices. 
    Thanks-to: Carlos Americo Domiciano
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 06deee8ca72d6ebbe1d505f00067c87925e17812
Author: Maxim Levitsky
Date:   Mon Sep 6 18:26:09 2010 -0300

    V4L/DVB: IR: fix keys beeing stuck down forever

    commit e0172fd373ab77a83ea952fd6a75c612e1b0bf9e upstream.

    The logic in ir_timer_keyup was inverted.

    In case that values aren't equal, the meaning of the
    time_is_after_eq_jiffies(ir->keyup_jiffies) is that ir->keyup_jiffies
    is after the jiffies or equally that that jiffies are before the
    ir->keyup_jiffies which is exactly the situation we want to avoid (that
    the timeout is in the future)
    Confusing Eh?

    Signed-off-by: Maxim Levitsky
    Acked-by: Jarod Wilson
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit e530826ee487420691ef0882cfbf462959082a7a
Author: Mauro Carvalho Chehab
Date:   Sat Sep 11 11:37:51 2010 -0300

    V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0)

    commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream.

    As reported by: Carlos Americo Domiciano:

    [ 220.033500] cx231xx v4l2 driver loaded.
    [ 220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces
    [ 220.033577] cx231xx #0: registering interface 0
    [ 220.033591] cx231xx #0: registering interface 1
    [ 220.033654] cx231xx #0: registering interface 6
    [ 220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0)
    [ 220.033946] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 220.033955] IP: [] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx]

    Thanks-to: Carlos Americo Domiciano
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit d7d8fdce55b63cb3a6782f02ce9ec628592d7c4c
Author: Linus Torvalds
Date:   Fri Oct 15 11:12:38 2010 -0700

    v4l1: fix 32-bit compat microcode loading translation

    commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream.
The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. It's only used by the VIDEO_STRADIS driver, and that one is scheduled to staging and eventually removed unless somebody steps up to maintain it (at which point it should use request_firmware() rather than some magic ioctl). So we'll get rid of it eventually. But in the meantime, the compatibility ioctl code is broken, and this tries to get it to at least limp along (even if Mauro suggested just deleting it entirely, which may be the right thing to do - I don't think the compatibility translation code has ever worked unless you were very lucky). Reported-by: Kees Cook Cc: Mauro Carvalho Chehab Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6cd8e5800457113db9a4f1ee6baf9ef654d48b1d Author: Marcin Slusarz Date: Thu Sep 30 15:15:30 2010 -0700 i7core_edac: fix panic in udimm sysfs attributes registration commit 64aab720bdf8771214a7c88872bd8e3194c2d279 upstream. Array of udimm sysfs attributes was not ended with NULL marker, leading to dereference of random memory. EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm0 EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm1 EDAC DEBUG: edac_create_mci_instance_attributes: edac_create_mci_instance_attributes() file udimm2 BUG: unable to handle kernel NULL pointer dereference at 00000000000001a4 IP: [] edac_create_mci_instance_attributes+0x148/0x1f1 Pid: 1, comm: swapper Not tainted 2.6.36-rc3-nv+ #483 P6T SE/System Product Name RIP: 0010:[] [] edac_create_mci_instance_attributes+0x148/0x1f1 (...) Call Trace: [] edac_create_mci_instance_attributes+0x198/0x1f1 [] edac_create_sysfs_mci_device+0xbb/0x2b2 [] edac_mc_add_mc+0x46b/0x557 [] i7core_probe+0xccf/0xec0 RIP [] edac_create_mci_instance_attributes+0x148/0x1f1 ---[ end trace 20de320855b81d78 ]--- Kernel panic - not syncing: Attempted to kill init! 
Signed-off-by: Marcin Slusarz Cc: Mauro Carvalho Chehab Acked-by: Doug Thompson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3a50feec3b1ba8db6e682affa63f2e7632537316 Author: Hugh Dickins Date: Sat Oct 2 17:49:08 2010 -0700 ksm: fix bad user data when swapping commit 4e31635c367a9e21a43cfbfae4c9deda2e19d1f4 upstream. Building under memory pressure, with KSM on 2.6.36-rc5, collapsed with an internal compiler error: typically indicating an error in swapping. Perhaps there's a timing issue which makes it now more likely, perhaps it's just a long time since I tried for so long: this bug goes back to KSM swapping in 2.6.33. Notice how reuse_swap_page() allows an exclusive page to be reused, but only does SetPageDirty if it can delete it from swap cache right then - if it's currently under Writeback, it has to be left in cache and we don't SetPageDirty, but the page can be reused. Fine, the dirty bit will get set in the pte; but notice how zap_pte_range() does not bother to transfer pte_dirty to page_dirty when unmapping a PageAnon. If KSM chooses to share such a page, it will look like a clean copy of swapcache, and not be written out to swap when its memory is needed; then stale data read back from swap when it's needed again. We could fix this in reuse_swap_page() (or even refuse to reuse a page under writeback), but it's more honest to fix my oversight in KSM's write_protect_page(). Several days of testing on three machines confirms that this fixes the issue they showed. Signed-off-by: Hugh Dickins Cc: Andrew Morton Cc: Andrea Arcangeli Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b2d8327320ca725b91013838e24fff217d643c77 Author: Steven Rostedt Date: Wed Sep 22 22:22:25 2010 -0400 tracing/x86: Don't use mcount in kvmclock.c commit 258af47479980d8238a04568b94a4e55aa1cb537 upstream. 

    The guest can use the paravirt clock in kvmclock.c which is used by sched_clock(), which in turn is used by the tracing mechanism for timestamps, which leads to infinite recursion.

    Disable mcount/tracing for kvmclock.o.

    Cc: Jeremy Fitzhardinge
    Cc: Avi Kivity
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

commit f574ccce1edf756c98a7ab5d7a95f84b59c897fe
Author: Jeremy Fitzhardinge
Date:   Wed Sep 22 17:07:27 2010 -0700

    tracing/x86: Don't use mcount in pvclock.c

    commit 9ecd4e1689208afe9b059a5ce1333acb2f42c4d2 upstream.

    When using a paravirt clock, pvclock.c can be used by sched_clock(), which in turn is used by the tracing mechanism for timestamps, which leads to infinite recursion.

    Disable mcount/tracing for pvclock.o.

    Signed-off-by: Jeremy Fitzhardinge
    LKML-Reference: <4C9A9A3F.4040201@goop.org>
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

commit 1cd864ee52f2768c2701230b2d86dd9244947488
Author: Joerg Roedel
Date:   Thu Sep 23 15:15:19 2010 +0200

    x86/amd-iommu: Work around S3 BIOS bug

    commit 4c894f47bb49284008073d351c0ddaac8860864e upstream.

    This patch adds a workaround for an IOMMU BIOS problem to the AMD IOMMU driver. The result of the bug is that the IOMMU does not execute commands anymore when the system comes out of the S3 state resulting in system failure. The bug in the BIOS is that it does not restore certain hardware specific registers correctly. This workaround reads out the contents of these registers at boot time and restores them on resume from S3. The workaround is limited to the specific IOMMU chipset where this problem occurs.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit f686b1e07177ac4370ff25fe2f980c6961476c22
Author: Joerg Roedel
Date:   Thu Sep 23 16:12:48 2010 +0200

    x86/amd-iommu: Fix rounding-bug in __unmap_single

    commit 04e0463e088b41060c08c255eb0d3278a504f094 upstream.

    In the __unmap_single function the dma_addr is rounded down to a page boundary before the dma pages are unmapped.
    The address is later also used to flush the TLB entries for that mapping. But without the offset into the dma page the amount of pages to flush might be miscalculated in the TLB flushing path. This patch fixes this bug by using the original address to flush the TLB.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit b7dfcb6f10570ebf207207ff7d346078faaacf8e
Author: Joerg Roedel
Date:   Mon Sep 20 14:33:07 2010 +0200

    x86/amd-iommu: Set iommu configuration flags in enable-loop

    commit e9bf51971157e367aabfc111a8219db010f69cd4 upstream.

    This patch moves the setting of the configuration and feature flags out of the acpi table parsing path and moves it into the iommu-enable path. This is needed to reliably fix resume-from-s3.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit 0afe0f1ae5a0c79c690e4f3738ab82613aef5441
Author: Marek Szyprowski
Date:   Thu Sep 23 16:22:05 2010 +0200

    mmc: sdhci-s3c: fix NULL ptr access in sdhci_s3c_remove

    commit 9320f7cbbdd5febf013b0e91db29189724057738 upstream.

    If not all clocks have been defined in platform data, the driver will cause a null pointer dereference when it is removed. This patch fixes this issue.

    Signed-off-by: Marek Szyprowski
    Signed-off-by: Kyungmin Park
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Ball
    Signed-off-by: Greg Kroah-Hartman

commit 74352c5c9e2e5c914254d2588876c0c13333c6f5
Author: Jean-François Moine
Date:   Mon Sep 13 05:22:37 2010 -0300

    V4L/DVB: gspca - sn9c20x: Bad transfer size of Bayer images

    commit 04d174e99a6eca2f62b56c10ae1d7d0499d83e9d upstream.

    As the end of frame marker does not contain any pixel, it must not be transferred.

    Reported-by: Ivo Jager
    Signed-off-by: Jean-François Moine
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit a035671ad3092e51c5c1d92b39a2ef196b5ab83a
Author: Jason Wang
Date:   Fri Sep 3 06:57:19 2010 -0300

    V4L/DVB: gspca - main: Fix a crash of some webcams on ARM arch

    commit 882787ff8fdeb0be790547ee9b22b281095e95da upstream.

    When plugging some webcams on ARM, the system crashes. This is because we alloc buffer for an urb through usb_buffer_alloc, the alloced buffer is already in DMA coherent region, so we should set the flag of this urb to URB_NO_TRANSFER_DMA_MAP, otherwise when we submit this urb, the hcd core will handle this address as a non-DMA address and call dma_map_single/sg to map it. On arm architecture, dma_map_single a DMA coherent address will be caught by a BUG_ON().

    Signed-off-by: Jason Wang
    Signed-off-by: Jean-François Moine
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit c1e962e493031fce0a7f15ded4fb16e94d35ac90
Author: Catalin Marinas
Date:   Thu Sep 16 17:57:17 2010 +0100

    ARM: 6395/1: VExpress: Set bit 22 in the PL310 (cache controller) AuxCtlr register

    commit 1a8e41cd672f894bbd74874eac601e6cedf838fb upstream.

    Clearing bit 22 in the PL310 Auxiliary Control register (shared attribute override enable) has the side effect of transforming Normal Shared Non-cacheable reads into Cacheable no-allocate reads.

    Coherent DMA buffers in Linux always have a Cacheable alias via the kernel linear mapping and the processor can speculatively load cache lines into the PL310 controller. With bit 22 cleared, Non-cacheable reads would unexpectedly hit such cache lines leading to buffer corruption.

    Cc: Nicolas Pitre
    Signed-off-by: Catalin Marinas
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 134da12cdde543d62dfcb3a39f6487edee674339
Author: Peter Korsgaard
Date:   Sat Sep 18 19:55:10 2010 +0100

    ARM: 6400/1: at91: fix arch_gettimeoffset fallout

    commit 79e27dc0677b969e2d53b76fa0fa58467cce946a upstream.

    5cfc8ee0bb51 (ARM: convert arm to arch_gettimeoffset()) marked all of at91 AND at91x40 as needing ARCH_USES_GETTIMEOFFSET, and hence no high res timer support / accurate clock_gettime() - But only at91x40 needs it.

    Signed-off-by: Peter Korsgaard
    Acked-by: John Stultz
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 895384a47efb08e694fe5a72be140f463402544c
Author: Alex Deucher
Date:   Thu Oct 14 17:14:57 2010 -0400

    drm/radeon/kms: avivo cursor workaround applies to evergreen as well

    commit 6a2a11dbea5db417d200d38dda53c30a2e5603e0 upstream.

    Fixes cursor corruption in certain cases.

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 786c022aa4e6ba6805f52a49b64d948caa8b9969
Author: Alex Deucher
Date:   Mon Oct 11 12:41:32 2010 -0400

    drm/radeon/kms: fix bad cast/shift in evergreen.c

    commit d31dba58480c3cdd458f449261d72ecd15287792 upstream.

    Missing parens.

    fixes: https://bugs.freedesktop.org/show_bug.cgi?id=30718

    Reported-by: Dave Gilbert
    Signed-off-by: Alex Deucher
    Reviewed-by: Matt Turner
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit b8a7e2b687977fa0a2d0969d8e32fe6f5a4fbff4
Author: Steve Wise
Date:   Sat Sep 18 19:38:21 2010 -0500

    RDMA/cxgb3: Turn off RX coalescing for iWARP connections

    commit bec658ff31453a5726b1c188674d587a5d40c482 upstream.

    The HW by default has RX coalescing on. For iWARP connections, this causes a 100ms delay in connection establishment due to the ingress MPA Start message being stalled in HW. So explicitly turn RX coalescing off when setting up iWARP connections.

    This was causing very bad performance for NP64 gather operations using Open MPI, due to the way it sets up connections on larger jobs.

    Signed-off-by: Steve Wise
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman

commit 1b6740a13ca9774810edacafc5e12514092651e2
Author: Robert Richter
Date:   Wed Sep 29 16:52:25 2010 +0200

    oprofile, ARM: Release resources on failure

    commit 98d943b02f6f1b57787ff1aa6f34d019a407e3ee upstream.

    This patch fixes a resource leak on failure, where the oprofilefs and some counters may not be released properly.

    Signed-off-by: Robert Richter
    Acked-by: Will Deacon
    Cc: linux-arm-kernel@lists.infradead.org
    LKML-Reference: <20100929145225.GJ13563@erda.amd.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit b3d8659df019031a5829528b991e1e90d6139207
Author: Jiri Olsa
Date:   Tue Sep 21 03:26:35 2010 -0400

    oprofile: Add Support for Intel CPU Family 6 / Model 29

    commit bb7ab785ad05a97a2c9ffb3a06547ed39f3133e8 upstream.

    This patch adds CPU type detection for dunnington processor (Family 6 / Model 29) to be identified as core 2 family cpu type (wikipedia source).

    I tested oprofile on Intel(R) Xeon(R) CPU E7440 reporting itself as model 29, and it runs without an issue.

    Spec: http://www.intel.com/Assets/en_US/PDF/specupdate/320336.pdf

    Signed-off-by: Jiri Olsa
    Acked-by: Andi Kleen
    Signed-off-by: Robert Richter
    Signed-off-by: Greg Kroah-Hartman

commit cc64346cc6b102a93ae8f2cc021de152d122fd43
Author: Len Brown
Date:   Tue Sep 28 22:57:02 2010 -0400

    ACPI: invoke DSDT corruption workaround on all Toshiba Satellite

    commit 100cf87788c0e9104f6fb1b0ff5f72f73fbbbea3 upstream.

    Our list of Toshiba Satellite models that require this workaround is growing -- so invoke the workaround for the entire product line.

    https://bugzilla.kernel.org/show_bug.cgi?id=14679

    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit a7b048db83992dba877da7b85d8b1236324f9763
Author: Don Mullis
Date:   Thu Sep 30 15:15:32 2010 -0700

    lib/list_sort: do not pass bad pointers to cmp callback

    commit f015ac3edd84ad72f88e08a4d83c56c360aae404 upstream.

    If the original list is a POT in length, the first callback from line 73 will pass a==b both pointing to the original list_head. This is dangerous because the 'list_sort()' user can use 'container_of()' and access the "containing" object, which does not necessarily exist for the list head. So the user can access RAM which does not belong to him. If this is a write access, we can end up with memory corruption.

    Signed-off-by: Don Mullis
    Tested-by: Artem Bityutskiy
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 51793adc68ef938da175436919ab0db1c379eb18
Author: Tejun Heo
Date:   Tue Sep 21 09:25:48 2010 +0200

    ahci: fix module refcount breakage introduced by libahci split

    commit fad16e7a7f67eef8d33f8ad58850db89382b09ce upstream.

    libata depends on scsi_host_template for module reference counting and sht's should be owned by each low level driver. During libahci split, the sht was left with libahci.ko leaving the actual low level drivers not reference counted. This made ahci and ahci_platform always unloadable even while they're being actively used.

    Fix it by defining AHCI_SHT() macro in ahci.h and defining a sht for each low level ahci driver.

    stable: only applicable to 2.6.35.

    Signed-off-by: Tejun Heo
    Reported-by: Pedro Francisco
    Tested-by: Michael Tokarev
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit cdcaefbcdc06c945dec978a9015f25f86e622844
Author: Antonio Ospite
Date:   Tue Oct 5 17:20:17 2010 +0200

    HID: hidraw, fix a NULL pointer dereference in hidraw_write

    commit e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 upstream.

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    IP: [] hidraw_write+0x3b/0x116 [hid]
    [...]

    This is reproducible by disconnecting the device while userspace writes to dev node in a loop and doesn't check return values in order to exit the loop.

    Signed-off-by: Antonio Ospite
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit dc7237c6b7b529c5da2776cbb8b68cc74d1555c3
Author: Antonio Ospite
Date:   Tue Oct 5 17:20:16 2010 +0200

    HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl

    commit d20d5ffab92f00188f360c44c791a5ffb988247c upstream.

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    IP: [] hidraw_ioctl+0xfc/0x32c [hid]
    [...]

    This is reproducible by disconnecting the device while userspace does ioctl in a loop and doesn't check return values in order to exit the loop.

    Signed-off-by: Antonio Ospite
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit 6ce3cb681079d1f8274608b05d95b665fe66ed49
Author: Sergei Shtylyov
Date:   Sat Sep 11 13:23:12 2010 -0500

    usb: musb: gadget: restart request on clearing endpoint halt

    commit a666e3e6098a9f56310e4ec2705f1dad124a34b5 upstream.

    Commit 46034dca515bc4ddca0399ae58106d1f5f0d809f (USB: musb_gadget_ep0: stop abusing musb_gadget_set_halt()) forgot to restart a queued request after clearing the endpoint halt feature. This results in a couple of USB resets while enumerating the file-backed storage gadget due to CSW packet not being sent for the MODE SENSE(10) command.

    Signed-off-by: Sergei Shtylyov
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit c9c7a50d0b30c460697328552e729e9bdc7f1908
Author: Ming Lei
Date:   Mon Sep 20 10:32:01 2010 +0300

    usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style

    commit bd2e74d657fc7d514881cc2117e323790b257914 upstream.

    For shared fifo hw endpoint(with FIFO_TXRX style), only ep_in field of musb_hw_ep is initialized in musb_g_init_endpoints, and ep_out is not initialized, but musb_g_rx and rxstate may access ep_out field of musb_hw_ep by the method below:

        musb_ep = &musb->endpoints[epnum].ep_out

    which can cause the kernel panic[1] below, this patch fixes the issue by getting 'musb_ep' from '&musb->endpoints[epnum].ep_in' for shared fifo endpoint.

    [1], kernel panic
    [root@OMAP3EVM /]# musb_interrupt 1583: ** IRQ peripheral usb0008 tx0000 rx4000
    musb_stage0_irq 460: <== Power=f0, DevCtl=99, int_usb=0x8
    musb_g_rx 772: <== (null), rxcsr 4007 ffffffe8
    musb_g_rx 786: iso overrun on ffffffe8
    Unable to handle kernel NULL pointer dereference at virtual address 00000008
    pgd = c0004000
    [00000008] *pgd=00000000
    Internal error: Oops: 17 [#1] PREEMPT
    last sysfs file: /sys/devices/platform/musb_hdrc/usb1/usb_device/usbdev1.1/dev
    Modules linked in: g_zero
    CPU: 0 Tainted: G W (2.6.35-rc6-gkh-wl+ #92)
    PC is at musb_g_rx+0xfc/0x2ec
    LR is at vprintk+0x3f4/0x458
    pc : [] lr : [] psr: 20000193
    sp : c760bd78 ip : c03c9d70 fp : c760bdbc
    r10: 00000000 r9 : fa0ab1e0 r8 : 0000000e
    r7 : c7e80158 r6 : ffffffe8 r5 : 00000001 r4 : 00004003
    r3 : 00010003 r2 : c760bcd8 r1 : c03cd030 r0 : 0000002e
    Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
    Control: 10c5387d Table: 8778c019 DAC: 00000017
    Process kmemleak (pid: 421, stack limit = 0xc760a2e8)
    Stack: (0xc760bd78 to 0xc760c000)
    Backtrace:
    [] (musb_g_rx+0x0/0x2ec) from [] (musb_interrupt+0xbc8/0xcc0)
    [] (musb_interrupt+0x0/0xcc0) from [] (generic_interrupt+0x6c/0x84)
    [] (generic_interrupt+0x0/0x84) from [] (handle_IRQ_event+0xa8/0x1ec)
     r7:c760a000 r6:0000005c r5:c7d2e300 r4:c7d2e300
    [] (handle_IRQ_event+0x0/0x1ec) from [] (handle_level_irq+0xc0/0x13c)
    [] (handle_level_irq+0x0/0x13c) from [] (asm_do_IRQ+0x80/0xa0)
     r7:00000002 r6:00000000 r5:00000000 r4:0000005c
    [] (asm_do_IRQ+0x0/0xa0) from [] (__irq_svc+0x4c/0xb4)
    Exception stack(0xc760be90 to 0xc760bed8)
    be80: 00000001 00000000 c7d1e240 00000000
    bea0: 00000000 c068bae8 00000000 60000013 00000001 00000000 00000000 c760beec
    bec0: c0064ecc c760bed8 c00ff7d0 c003a0a8 60000013 ffffffff
     r5:fa200000 r4:ffffffff
    [] (sub_preempt_count+0x0/0x100) from [] (find_and_get_object+0xd0/0x110)
     r5:c068bae8 r4:00000000
    [] (find_and_get_object+0x0/0x110) from [] (scan_block+0x60/0x104)
     r8:00000001 r7:c0e23795 r6:c0d76a70 r5:60000013 r4:00000000
    [] (scan_block+0x0/0x104) from [] (kmemleak_scan+0x140/0x484)
    [] (kmemleak_scan+0x0/0x484) from [] (kmemleak_scan_thread+0x70/0xcc)
     r8:00000000 r7:c0100938 r6:00000000 r5:c7c33f04 r4:00012c00
    [] (kmemleak_scan_thread+0x0/0xcc) from [] (kthread+0x90/0x98)
     r5:c7c33f04 r4:c760bfa8
    [] (kthread+0x0/0x98) from [] (do_exit+0x0/0x684)
     r7:00000013 r6:c006f5e8 r5:c0087f70 r4:c7c33f04
    Code: e3002312 e58d6000 e2833e16 eb0422d5 (e5963020)
    ---[ end trace f3d5e96f75c297b7 ]---

    Signed-off-by: Ming Lei
    Reviewed-by: Sergei Shtylyov
    Cc: David Brownell
    Cc: Anand Gadiyar
    Cc: Mike Frysinger
    Cc: Sergei Shtylyov
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 366caa1da0d299aa7ec33bbb131bb00aebadb993
Author: Alan Stern
Date:   Tue Sep 21 15:01:53 2010 -0400

    USB: fix bug in initialization of interface minor numbers

    commit 0026e00523a85b90a92a93ddf6660939ecef3e54 upstream.

    Recent changes in the usbhid layer exposed a bug in usbcore. If CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned a minor number of 0. However interfaces that aren't registered as USB class devices also have their minor number set to 0, during initialization. As a result usb_find_interface() may return the wrong interface, leading to a crash.

    This patch (as1418) fixes the problem by initializing every interface's minor number to -1. It also cleans up the usb_register_dev() function, which besides being somewhat awkwardly written, does not unwind completely on all its error paths.

    Signed-off-by: Alan Stern
    Tested-by: Philip J. Turmel
    Tested-by: Gabriel Craciunescu
    Tested-by: Alex Riesen
    Tested-by: Matthias Bayer
    CC: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit 085835efc676aa2a52395252b17bb91716a61925
Author: Takashi Iwai
Date:   Thu Sep 23 10:01:11 2010 -0700

    hwmon: (lis3) Fix Oops with NULL platform data

    commit f7c77a3dc4683659b6f0d1b6cbc82b6253d095e0 upstream.

    The recent addition of threaded irq handler causes a NULL dereference when used with hp_accel driver, which has NULL pdata.

    Acked-by: Samu Onkalo
    Signed-off-by: Takashi Iwai
    Signed-off-by: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman

commit 105f55f7a395070e6369383ce25721de353a18c3
Author: Clemens Ladisch
Date:   Fri Oct 15 12:06:18 2010 +0200

    ALSA: rawmidi: fix oops (use after free) when unloading a driver module

    commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream.

    When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage.

    (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.)

    Signed-off-by: Clemens Ladisch
    Reported-by: Krzysztof Foltman
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit b81cb9277507012a8d44e6b4efbbaba4fce19299
Author: Dan Rosenberg
Date:   Tue Sep 28 14:18:20 2010 -0400

    ALSA: prevent heap corruption in snd_ctl_new()

    commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.

    The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

    Signed-off-by: Dan Rosenberg
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit e5d843fbf633dc65353bc08ee28f6b08ce651a4d
Author: Luke Yelavich
Date:   Tue Sep 21 17:05:46 2010 +1000

    ALSA: hda - Add Dell Latitude E6400 model quirk

    commit 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e upstream.

    BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/643891

    Set the Dell Latitude E6400 (1028:0233) SSID to use AD1984_DELL_DESKTOP

    Signed-off-by: Luke Yelavich
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit a09d28ae69b42f3b6093b8e76f47400d94c8bfda
Author: Erik J. Staab
Date:   Wed Sep 22 11:07:41 2010 +0200

    ALSA: oxygen: fix analog capture on Claro halo cards

    commit 0873a5ae747847ee55a63db409dff3476e45bcd9 upstream.

    On the HT-Omega Claro halo card, the ADC data must be captured from the second I2S input. Using the default first input, which isn't connected to anything, would result in silence.

    Signed-off-by: Erik J. Staab
    Signed-off-by: Clemens Ladisch
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 292a45371086815942ec1ebb4e369aeee9355db0
Author: Dan Rosenberg
Date:   Sat Sep 25 11:07:27 2010 -0400

    ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory

    commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.

    The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow unprivileged users to read uninitialized kernel stack memory, because several fields of the hdsp{m}_config_info structs declared on the stack are not altered or zeroed before being copied back to the user. This patch takes care of it.

    Signed-off-by: Dan Rosenberg
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 9f09ac68e7af2001a24242cbe0f6e40e89dd6c62
Author: H. Peter Anvin
Date:   Tue Sep 28 15:35:01 2010 -0700

    x86, cpu: After uncapping CPUID, re-run CPU feature detection

    commit d900329e20f4476db6461752accebcf7935a8055 upstream.

    After uncapping the CPUID level, we need to also re-run the CPU feature detection code.

    This resolves kernel bugzilla 16322.

    Reported-by: boris64
    LKML-Reference:
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman
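
The allocation-size overflow described in the "ALSA: prevent heap corruption in snd_ctl_new()" commit above, modelled in user space as an added example; it is not code from the kernel or from that patch. `struct ctl`, `struct slot` and the function names are constructed stand-ins, and the arithmetic is done in `uint32_t` on the assumption of a 32-bit `size_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins, not the kernel's definitions: a fixed header
 * followed by `count` per-element slots, the layout the commit describes. */
struct slot {
    uint32_t owner;
    uint32_t access;
};

struct ctl {
    uint32_t count;
    uint32_t access;
    struct slot vd[];               /* one slot per element */
};

/* Unchecked size, computed in uint32_t to mimic a 32-bit size_t
 * (an assumption of this example). A large count makes the product wrap. */
uint32_t ctl_size_unchecked(uint32_t count)
{
    return (uint32_t)sizeof(struct ctl) + (uint32_t)sizeof(struct slot) * count;
}

/* Checked size: returns 0 and stores the size, or -1 if the request is
 * empty or header + count * slot would not fit in 32 bits. */
int ctl_size_checked(uint32_t count, uint32_t *size)
{
    const uint32_t hdr = (uint32_t)sizeof(struct ctl);
    const uint32_t per = (uint32_t)sizeof(struct slot);

    if (count == 0 || count > (UINT32_MAX - hdr) / per)
        return -1;
    *size = hdr + per * count;
    return 0;
}

/* Allocate and initialise a control; every slot written lies inside the
 * allocation because the size was validated before the loop runs. */
struct ctl *ctl_new(uint32_t count, uint32_t access)
{
    uint32_t size, i;
    struct ctl *c;

    if (ctl_size_checked(count, &size) != 0)
        return NULL;
    c = calloc(1, size);            /* zeroed, so no stale bytes remain */
    if (c == NULL)
        return NULL;
    c->count = count;
    c->access = access;
    for (i = 0; i < count; i++)
        c->vd[i].access = access;
    return c;
}

int main(void)
{
    uint32_t count = 0x20000000u;   /* constructed oversized request */
    struct ctl *c;

    printf("unchecked size for %u slots: %u bytes\n",
           (unsigned)count, (unsigned)ctl_size_unchecked(count));
    c = ctl_new(count, 1);
    printf("checked allocation: %s\n", c ? "allowed" : "rejected");
    free(c);
    return 0;
}
```

With the unchecked arithmetic the oversized request yields a size equal to the header alone, which is the "allocated chunk will be too small" condition the commit message describes; the checked path refuses the request before any slot is written.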