commit 512ac859f60d61374783e276f8fb7861a9d1d0b9 Author: Greg Kroah-Hartman Date: Mon Nov 22 11:01:26 2010 -0800 Linux 2.6.35.9 commit 4c3c3a114f20eb79e0fd09fba6dd13a373a73ced Author: Avi Kivity Date: Thu Aug 26 14:31:30 2010 +0300 KVM: x86 emulator: fix regression with cmpxchg8b on i386 hosts commit 16518d5ada690643453eb0aef3cc7841d3623c2d upstream. operand::val and operand::orig_val are 32-bit on i386, whereas cmpxchg8b operands are 64-bit. Fix by adding val64 and orig_val64 union members to struct operand, and using them where needed. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit e3a8550880f75c4ca34ac8009b8d8190d36d5c0b Author: Tilman Schmidt Date: Mon Jul 5 14:18:27 2010 +0000 isdn: avoid calling tty_ldisc_flush() in atomic context commit bc10f96757bd6ab3721510df8defa8f21c32f974 upstream. Remove the call to tty_ldisc_flush() from the RESULT_NO_CARRIER branch of isdn_tty_modem_result(), as already proposed in commit 00409bb045887ec5e7b9e351bc080c38ab6bfd33. This avoids a "sleeping function called from invalid context" BUG when the hardware driver calls the statcallb() callback with command==ISDN_STAT_DHUP in atomic context, which in turn calls isdn_tty_modem_result(RESULT_NO_CARRIER, ~), and from there, tty_ldisc_flush() which may sleep. Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Cc: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 29d818b400cb9b0a221e1d7d8682e264f24b772e Author: Robin Holt Date: Tue Oct 26 14:21:15 2010 -0700 sgi-xp: incoming XPC channel messages can come in after the channel's partition structures have been torn down commit 09358972bff5ce99de496bbba97c85d417b3c054 upstream. Under some workloads, some channel messages have been observed being delayed on the sending side past the point where the receiving side has been able to tear down its partition structures. This condition is already detected in xpc_handle_activate_IRQ_uv(), but that information is not given to xpc_handle_activate_mq_msg_uv(). As a result, xpc_handle_activate_mq_msg_uv() assumes the structures still exist and references them, causing a NULL-pointer deref. Signed-off-by: Robin Holt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2a883ff9199bf4cfb8b5d37e4907662d3273ce97 Author: Mac Lin Date: Sun Nov 14 22:17:23 2010 +0000 ARM: cns3xxx: Fixup the missing second parameter to addruart macro to allow them to build. It can't be merged into Linus' tree because this file has already been changed in incompatible ways. Fixup the missing second parameter to addruart macro to allow them to build, according to to commit 0e17226f7cd289504724466f4298abc9bdfca3fe. Enabling DEBUG in head.S would cause: rch/arm/boot/compressed/head.S: Assembler messages: arch/arm/boot/compressed/head.S:1037: Error: too many positional arguments arch/arm/boot/compressed/head.S:1055: Error: too many positional arguments Signed-off-by: Mac Lin Acked-by: Russell King Signed-off-by: Greg Kroah-Hartman commit e0b20e1140f0a2b691cffd28c7ac2a29d59b96ee Author: Eric Paris Date: Tue Oct 12 11:40:08 2010 -0400 secmark: do not return early if there was no error commit 15714f7b58011cf3948cab2988abea560240c74f upstream. Commit 4a5a5c73 attempted to pass decent error messages back to userspace for netfilter errors. In xt_SECMARK.c however the patch screwed up and returned on 0 (aka no error) early and didn't finish setting up secmark. This results in a kernel BUG if you use SECMARK. Signed-off-by: Eric Paris Acked-by: Paul Moore Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit badaad1d7392eebf646b2e2d4dfe2586e40a8f18 Author: Ulrich Weber Date: Wed Sep 22 06:45:11 2010 +0000 xfrm4: strip ECN bits from tos field [ Upstream commit 94e2238969e89f5112297ad2a00103089dde7e8f ] otherwise ECT(1) bit will get interpreted as RTO_ONLINK and routing will fail with XfrmOutBundleGenError. Signed-off-by: Ulrich Weber Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e26158f99c3c79181eb3e314e898079565cc75fd Author: Ben Greear Date: Thu Oct 21 04:06:29 2010 -0700 net/core: Allow tagged VLAN packets to flow through VETH devices. [ Upstream commit d2ed817766987fd05e69b7da65d4861b38f1aa2a ] When there are VLANs on a VETH device, the packets being transmitted through the VETH device may be 4 bytes bigger than MTU. A check in dev_forward_skb did not take this into account and so dropped these packets. This patch is needed at least as far back as 2.6.34.7 and should be considered for -stable. Signed-off-by: Ben Greear Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3f266b04185de51d8e6446eb1fccec3b5e7ce575 Author: Eric Dumazet Date: Wed Sep 29 13:23:09 2010 -0700 net: add a recursion limit in xmit path [ Upstream commits 745e20f1b626b1be4b100af5d4bf7b3439392f8f and 11a766ce915fc9f8663714eac6d59239388534ea ] As tunnel devices are going to be lockless, we need to make sure a misconfigured machine wont enter an infinite loop. Add a percpu variable, and limit to three the number of stacked xmits. Reported-by: Jesse Gross Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a3c1c5704f66741f3249926b31cc4a201b1faeda Author: Neil Horman Date: Thu Oct 21 01:06:16 2010 +0000 Revert d88dca79d3852a3623f606f781e013d61486828a [ Upstream commit db5a753bf198ef7a50e17d2ff358adf37efe8648 ] TIPC needs to have its endianess issues fixed. Unfortunately, the format of a subscriber message is passed in directly from user space, so requiring this message to be in network byte order breaks user space ABI. Revert this change until such time as we can determine how to do this in a backwards compatible manner. Signed-off-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4ac86dc5d9f1407e94253e29b7b6c57517f9abae Author: Neil Horman Date: Thu Oct 21 01:06:15 2010 +0000 Revert c6537d6742985da1fbf12ae26cde6a096fd35b5c [ Upstream commit 8c974438085d2c81b006daeaab8801eedbd19758 ] Backout the tipc changes to the flags int he subscription message. These changees, while reasonable on the surface, interefere with user space ABI compatibility which is a no-no. This was part of the changes to fix the endianess issues in the TIPC protocol, which would be really nice to do but we need to do so in a way that is backwards compatible with user space. Signed-off-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea912fae3bb8e465497f0f4c8f3dcb3e9057cf06 Author: Damian Lukowski Date: Tue Sep 28 13:08:32 2010 -0700 net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out() [ Upstream commit 4d22f7d372f5769c6c0149e427ed6353e2dcfe61 ] Fixes kernel Bugzilla Bug 18952 This patch adds a syn_set parameter to the retransmits_timed_out() routine and updates its callers. If not set, TCP_RTO_MIN is taken as the calculation basis as before. If set, TCP_TIMEOUT_INIT is used instead, so that sysctl_syn_retries represents the actual amount of SYN retransmissions in case no SYNACKs are received when establishing a new connection. Signed-off-by: Damian Lukowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4ba3d9baf1ebfb97ea04384e8b2775744b341268 Author: Tom Marshall Date: Mon Sep 20 15:42:05 2010 -0700 tcp: Fix race in tcp_poll [ Upstream commit a4d258036ed9b2a1811c3670c6099203a0f284a0 ] If a RST comes in immediately after checking sk->sk_err, tcp_poll will return POLLIN but not POLLOUT. Fix this by checking sk->sk_err at the end of tcp_poll. Additionally, ensure the correct order of operations on SMP machines with memory barriers. Signed-off-by: Tom Marshall Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 56b8700a1069f66ace7575b9cd104f626379f8cd Author: holt@sgi.com Date: Wed Oct 20 02:03:37 2010 +0000 Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows. On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and sysctl_sctp_mem[2] can integer overflow. Set limit such that they are maximized without overflowing. Signed-off-by: Robin Holt To: "David S. Miller" Cc: Willy Tarreau Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org Cc: Alexey Kuznetsov Cc: "Pekka Savola (ipv6)" Cc: James Morris Cc: Hideaki YOSHIFUJI Cc: Patrick McHardy Cc: Vlad Yasevich Cc: Sridhar Samudrala Signed-off-by: Greg Kroah-Hartman commit 44f89254e4ce18795b2b7b9d1f722e0f6ac4711c Author: Nagendra Tomar Date: Sat Oct 2 23:45:06 2010 +0000 net: Fix the condition passed to sk_wait_event() [ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ] This patch fixes the condition (3rd arg) passed to sk_wait_event() in sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory() causes the following soft lockup in tcp_sendmsg() when the global tcp memory pool has exhausted. >>> snip <<< localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429] localhost kernel: CPU 3: localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200] [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200 localhost kernel: localhost kernel: Call Trace: localhost kernel: [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200 localhost kernel: [] autoremove_wake_function+0x0/0x40 localhost kernel: [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0 localhost kernel: [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140 localhost kernel: [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130 localhost kernel: [] autoremove_wake_function+0x0/0x40 localhost kernel: [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170 localhost kernel: [vfs_write+0x185/0x190] vfs_write+0x185/0x190 localhost kernel: [sys_write+0x50/0x90] sys_write+0x50/0x90 localhost kernel: [system_call+0x7e/0x83] system_call+0x7e/0x83 >>> snip <<< What is happening is, that the sk_wait_event() condition passed from sk_stream_wait_memory() evaluates to true for the case of tcp global memory exhaustion. This is because both sk_stream_memory_free() and vm_wait are true which causes sk_wait_event() to *not* call schedule_timeout(). Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping. This causes the caller to again try allocation, which again fails and again calls sk_stream_wait_memory(), and so on. [ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088 ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ] Signed-off-by: Nagendra Singh Tomar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a93a9798bb28e77112ba9d2e3464b83f8b982ac8 Author: David S. Miller Date: Mon Sep 20 15:40:35 2010 -0700 rose: Fix signedness issues wrt. digi count. [ Upstream commit 9828e6e6e3f19efcb476c567b9999891d051f52f ] Just use explicit casts, since we really can't change the types of structures exported to userspace which have been around for 15 years or so. Reported-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ebe60f3215a4d398aa348987f027597d582b50ec Author: Ben Hutchings Date: Thu Oct 14 17:41:53 2010 +0000 r6040: Fix multicast filter some more [ Upstream commit e2269308359d5863b6aa1fcb95a425a2ab255f1f ] This code has been broken forever, but in several different and creative ways. So far as I can work out, the R6040 MAC filter has 4 exact-match entries, the first of which the driver uses for its assigned unicast address, plus a 64-entry hash-based filter for multicast addresses (maybe unicast as well?). The original version of this code would write the first 4 multicast addresses as exact-match entries from offset 1 (bug #1: there is no entry 4 so this could write to some PHY registers). It would fill the remainder of the exact-match entries with the broadcast address (bug #2: this would overwrite the last used entry). If more than 4 multicast addresses were configured, it would set up the hash table, write some random crap to the MAC control register (bug #3) and finally walk off the end of the list when filling the exact-match entries (bug #4). All of this seems to be pointless, since it sets the promiscuous bit when the interface is made promiscuous or if >4 multicast addresses are enabled, and never clears it (bug #5, masking bug #2). The recent(ish) changes to the multicast list fixed bug #4, but completely removed the limit on iteration over the exact-match entries (bug #6). Bug #4 was reported as and more recently as . Florian Fainelli attempted to fix these in commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106, but that actually dealt with bugs #1-3, bug #4 having been fixed in mainline at that point. That commit fixes the most important current bug #6. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2556c3ee6403113deb5a310826e80132adb3b1ee Author: Kumar Sanghvi Date: Mon Sep 27 23:10:42 2010 +0000 Phonet: Correct header retrieval after pskb_may_pull [ Upstream commit a91e7d471e2e384035b9746ea707ccdcd353f5dd ] Retrieve the header after doing pskb_may_pull since, pskb_may_pull could change the buffer structure. This is based on the comment given by Eric Dumazet on Phonet Pipe controller patch for a similar problem. Signed-off-by: Kumar Sanghvi Acked-by: Linus Walleij Acked-by: Eric Dumazet Acked-by: Rémi Denis-Courmont Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f38eaf1feb023c286b3c5e37185feb39b8b78b36 Author: Eric Dumazet Date: Mon Sep 20 02:28:59 2010 +0000 qlcnic: dont set skb->truesize [ Upstream commit 8df8fd27123054b02007361bd5483775db84b4a8 ] skb->truesize is set in core network. Dont change it unless dealing with fragments. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cf557ed8e65848790ec4acbb9311ab8abb2df3da Author: Eric Dumazet Date: Tue Sep 21 13:04:04 2010 -0700 netxen: dont set skb->truesize [ Upstream commit 7e96dc7045bff8758804b047c0dfb6868f182500 ] skb->truesize is set in core network. Dont change it unless dealing with fragments. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 971962be8667ef802e0ad8e55ec192747bbf31e1 Author: Maciej Żenczykowski Date: Sun Oct 3 14:49:00 2010 -0700 net: Fix IPv6 PMTU disc. w/ asymmetric routes [ Upstream commit ae878ae280bea286ff2b1e1cb6e609dd8cb4501d ] Signed-off-by: Maciej Żenczykowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 03b965ed6e985cd528b5a2eda0b2ddcb9fd542ef Author: Ursula Braun Date: Sun Oct 24 23:06:43 2010 +0000 ipv6: fix refcnt problem related to POSTDAD state [ Upstream commit 801715f95be37b865af83b9909ad93da141a9306 ] After running this bonding setup script modprobe bonding miimon=100 mode=0 max_bonds=1 ifconfig bond0 10.1.1.1/16 ifenslave bond0 eth1 ifenslave bond0 eth3 on s390 with qeth-driven slaves, modprobe -r fails with this message unregister_netdevice: waiting for bond0 to become free. Usage count = 1 due to twice detection of duplicate address. Problem is caused by a missing decrease of ifp->refcnt in addrconf_dad_failure. An extra call of in6_ifa_put(ifp) solves it. Problem has been introduced with commit f2344a131bccdbfc5338e17fa71a807dee7944fa. Signed-off-by: Ursula Braun Cc: David S. Miller Cc: Herbert Xu Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f75c81af1527ad2a4d413ee03c55afdc681e4392 Author: Eric Dumazet Date: Tue Sep 21 08:47:45 2010 +0000 ip: fix truesize mismatch in ip fragmentation [ Upstream commit 3d13008e7345fa7a79d8f6438150dc15d6ba6e9d ] Special care should be taken when slow path is hit in ip_fragment() : When walking through frags, we transfert truesize ownership from skb to frags. Then if we hit a slow_path condition, we must undo this or risk uncharging frags->truesize twice, and in the end, having negative socket sk_wmem_alloc counter, or even freeing socket sooner than expected. Many thanks to Nick Bowler, who provided a very clean bug report and test program. Thanks to Jarek for reviewing my first patch and providing a V2 While Nick bisection pointed to commit 2b85a34e911 (net: No more expensive sock_hold()/sock_put() on each tx), underlying bug is older (2.6.12-rc5) A side effect is to extend work done in commit b2722b1c3a893e (ip_fragment: also adjust skb->truesize for packets not owned by a socket) to ipv6 as well. Reported-and-bisected-by: Nick Bowler Tested-by: Nick Bowler Signed-off-by: Eric Dumazet CC: Jarek Poplawski CC: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4d7fa13e13b6d9cf4d2ed085d8c093dc6c6b549e Author: Jarek Poplawski Date: Tue Oct 19 00:06:36 2010 +0000 gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New: linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic) [ Upstream commit 0d1fe1111c667e9c713d7efc7ae468a605f236a4 ] The rx_recycle queue is global per device but can be accesed by many napi handlers at the same time, so it needs full skb_queue primitives (with locking). Otherwise, various crashes caused by broken skbs are possible. This patch resolves, at least partly, bugzilla bug 19692. (Because of some doubts that there could be still something around which is hard to reproduce my proposal is to leave this bug opened for a month.) Fixes commit: 0fd56bb5be6455d0d42241e65aed057244665e5e ("gianfar: Add support for skb recycling") Reported-by: emin ak Tested-by: emin ak Signed-off-by: Jarek Poplawski CC: Andy Fleming Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d27645006b5e2b136c0dd8d87e0c4d73612129d5 Author: Dan Carpenter Date: Wed Oct 13 09:19:55 2010 +0000 gianfar: fix double lock typo [ Upstream commit 9756403b16cfeda85efe77e62832a2f6b5752fdf ] This should be a _restore() instead of a _save(). Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d6a9416394b2556d67f0aebfeb6821812e5960b4 Author: Kees Cook Date: Mon Oct 11 12:23:25 2010 -0700 net: clear heap allocations for privileged ethtool actions [ Upstream commit b00916b189d13a615ff05c9242201135992fcda3 ] Several other ethtool functions leave heap uncleared (potentially) by drivers. Some interfaces appear safe (eeprom, etc), in that the sizes are well controlled. In some situations (e.g. unchecked error conditions), the heap will remain unchanged in areas before copying back to userspace. Note that these are less of an issue since these all require CAP_NET_ADMIN. Cc: stable@kernel.org Signed-off-by: Kees Cook Acked-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 01660e27512db9b64070d66f95431b5869bd1b8c Author: Mike Christie Date: Wed Oct 6 03:10:59 2010 -0500 Fix regressions in scsi_internal_device_block commit 986fe6c7f50974e871b8ab5a800f5310ea25b361 upstream. Deleting a SCSI device on a blocked fc_remote_port (before fast_io_fail_tmo fires) results in a hanging thread: STACK: 0 schedule+1108 [0x5cac48] 1 schedule_timeout+528 [0x5cb7fc] 2 wait_for_common+266 [0x5ca6be] 3 blk_execute_rq+160 [0x354054] 4 scsi_execute+324 [0x3b7ef4] 5 scsi_execute_req+162 [0x3b80ca] 6 sd_sync_cache+138 [0x3cf662] 7 sd_shutdown+138 [0x3cf91a] 8 sd_remove+112 [0x3cfe4c] 9 __device_release_driver+124 [0x3a08b8] 10 device_release_driver+60 [0x3a0a5c] 11 bus_remove_device+266 [0x39fa76] 12 device_del+340 [0x39d818] 13 __scsi_remove_device+204 [0x3bcc48] 14 scsi_remove_device+66 [0x3bcc8e] 15 sysfs_schedule_callback_work+50 [0x260d66] 16 worker_thread+622 [0x162326] 17 kthread+160 [0x1680b0] 18 kernel_thread_starter+6 [0x10aaea] During the delete, the SCSI device is in moved to SDEV_CANCEL. When the FC transport class later calls scsi_target_unblock, this has no effect, since scsi_internal_device_unblock ignores SCSI devics in this state. It looks like all these are regressions caused by: 5c10e63c943b4c67561ddc6bf61e01d4141f881f [SCSI] limit state transitions in scsi_internal_device_unblock Fix by rejecting offline and cancel in the state transition. Signed-off-by: Christof Schmitt [jejb: Original patch by Christof Schmitt, modified by Mike Christie] Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 6ed019fa8d1fac16cb3d42545bce4a811b17f32a Author: Christof Schmitt Date: Wed Oct 6 13:19:44 2010 +0200 Fix race when removing SCSI devices commit 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec upstream. Removing SCSI devices through echo 1 > /sys/bus/scsi/devices/ ... /delete while the FC transport class removes the SCSI target can lead to an oops: Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000 Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipath scsi_dh dm_mod ipv6 qeth ccwgroup [last unloaded: scsi_wait_scan] CPU: 1 Not tainted 2.6.35.5-45.x.20100924-s390xdefault #1 Process fc_wq_0 (pid: 861, task: 00000000b7331240, ksp: 00000000b735bac0) Krnl PSW : 0704200180000000 00000000003ff6e4 (__scsi_remove_device+0x24/0xd0) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3 Krnl GPRS: 0000000000000001 0000000000000000 00000000b6815000 00000000bc24a8c0 00000000003ff7c8 000000000056dbb8 0000000000000002 0000000000835d80 ffffffff00000000 0000000000001000 00000000b6815000 00000000bc24a7f0 00000000b68151a0 00000000b6815000 00000000b735bc20 00000000b735bbf8 Krnl Code: 00000000003ff6d6: a7840001 brc 8,3ff6d8 00000000003ff6da: a7fbffd8 aghi %r15,-40 00000000003ff6de: e3e0f0980024 stg %r14,152(%r15) >00000000003ff6e4: e31021200004 lg %r1,288(%r2) 00000000003ff6ea: a71f0000 cghi %r1,0 00000000003ff6ee: a7a40011 brc 10,3ff710 00000000003ff6f2: a7390003 lghi %r3,3 00000000003ff6f6: c0e5ffffc8b1 brasl %r14,3f8858 Call Trace: ([<0000000000001000>] 0x1000) [<00000000003ff7d2>] scsi_remove_device+0x42/0x54 [<00000000003ff8ba>] __scsi_remove_target+0xca/0xfc [<00000000003ff99a>] __remove_child+0x3a/0x48 [<00000000003e3246>] device_for_each_child+0x72/0xbc [<00000000003ff93a>] scsi_remove_target+0x4e/0x74 [<0000000000406586>] fc_rport_final_delete+0xb2/0x23c [<000000000015d080>] worker_thread+0x200/0x344 [<000000000016330c>] kthread+0xa0/0xa8 [<0000000000106c1a>] kernel_thread_starter+0x6/0xc [<0000000000106c14>] kernel_thread_starter+0x0/0xc INFO: lockdep is turned off. Last Breaking-Event-Address: [<00000000003ff7cc>] scsi_remove_device+0x3c/0x54 The function __scsi_remove_target iterates through the SCSI devices on the host, but it drops the host_lock before calling scsi_remove_device. When the SCSI device is deleted from another thread, the pointer to the SCSI device in scsi_remove_device can become invalid. Fix this by getting a reference to the SCSI device before dropping the host_lock to keep the SCSI device alive for the call to scsi_remove_device. Signed-off-by: Christof Schmitt Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 5934df9ba53c1d09c76c672cd430592c74404981 Author: Dan Carpenter Date: Fri Oct 8 09:03:07 2010 +0200 gdth: integer overflow in ioctl commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream. gdth_ioctl_alloc() takes the size variable as an int. copy_from_user() takes the size variable as an unsigned long. gen.data_len and gen.sense_len are unsigned longs. On x86_64 longs are 64 bit and ints are 32 bit. We could pass in a very large number and the allocation would truncate the size to 32 bits and allocate a small buffer. Then when we do the copy_from_user(), it would result in a memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 77bfbe19958b2640a8bef2abc142d1b0d4dc9d83 Author: David Milburn Date: Fri Sep 3 17:13:03 2010 -0500 libsas: fix NCQ mixing with non-NCQ commit f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 upstream. Some cards (like mvsas) have issue troubles if non-NCQ commands are mixed with NCQ ones. Fix this by using the libata default NCQ check routine which waits until all NCQ commands are complete before issuing a non-NCQ one. The impact to cards (like aic94xx) which don't need this logic should be minimal Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c5b2751c1bd98bcab5f79bba0c771ef641c14283 Author: Michael Reed Date: Mon Sep 20 11:20:22 2010 -0500 sd name space exhaustion causes system hang commit 1a03ae0f556a931aa3747b70e44b78308f5b0590 upstream. Following a site power outage which re-enabled all the ports on my FC switches, my system subsequently booted with far too many luns! I had let it run hoping it would make multi-user. It didn't. :( It hung solid after exhausting the last sd device, sdzzz, and attempting to create sdaaaa and beyond. I was unable to get a dump. Discovered using a 2.6.32.13 based system. correct this by detecting when the last index is utilized and failing the sd probe of the device. Patch applies to scsi-misc-2.6. Signed-off-by: Michael Reed Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 616ab3c99a971ec876f7db7f396ea0766347be9f Author: Corentin Chary Date: Tue Aug 24 09:30:46 2010 +0200 asus-laptop: fix gps rfkill commit 23f45c3a76e715217f40ac397c15815c774cad7f upstream. The GPS rfkill crappy code. The ops_data argument wasn't set, and was totally misused. The fix have been tested on an Asus R2H. Signed-off-by: Corentin Chary Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit 21a0f6c9649fabd0b964419982a609d9543e054e Author: Alan Stern Date: Thu Oct 14 15:25:21 2010 -0400 USB: accept some invalid ep0-maxpacket values commit 56626a72a47bf3e50875d960d6b5f17b9bee0ab2 upstream. A few devices (such as the RCA VR5220 voice recorder) are so non-compliant with the USB spec that they have invalid maxpacket sizes for endpoint 0. Nevertheless, as long as we can safely use them, we may as well do so. This patch (as1432) softens our acceptance criterion by allowing high-speed devices to have ep0-maxpacket sizes other than 64. A warning is printed in the system log when this happens, and the existing error message is clarified. Signed-off-by: Alan Stern Reported-by: James Signed-off-by: Greg Kroah-Hartman commit 3952e7d5fa77c441a0e29c19009f4988da916b9c Author: Nobuhiro Iwamatsu Date: Thu Oct 14 14:52:54 2010 +0900 usb: r8a66597-hcd: Change mistake of the outsw function commit ac9dfe9cdda4eb42ecaa9f13b0fee518e0b6518e upstream. Some functions changed by 1c98347e613bf17ea2f18c9766ce0ab77f65a96d. However, There was a change mistake of the function (outsw). Signed-off-by: Nobuhiro Iwamatsu CC: Paul Mundt Acked-by: Yoshihiro Shimoda Signed-off-by: Greg Kroah-Hartman commit 973d98819ea61350ce7905c4211441bed74b5c5c Author: Alon Ziv Date: Sun Oct 10 08:32:18 2010 +0200 USB: opticon: Fix long-standing bugs in opticon driver commit 97cd8dc4ca9a1a5efb2cc38758e01492e3b013e2 upstream. The bulk-read callback had two bugs: a) The bulk-in packet's leading two zeros were returned (and the two last bytes truncated) b) The wrong URB was transmitted for the second (and later) read requests, causing further reads to return the entire packet (including leading zeros) Signed-off-by: Alon Ziv Signed-off-by: Greg Kroah-Hartman commit 867b3d875ffd9f3c6ee23506dce7e20833948d55 Author: Johan Hovold Date: Tue Oct 12 01:07:05 2010 +0200 USB: visor: fix initialisation of UX50/TH55 devices commit cfb8da8f69b81d367b766888e83ec0483a31bf01 upstream. Fix regression introduced by commit 214916f2ec6701e1c9972f26c60b3dc37d3153c6 (USB: visor: reimplement using generic framework) which broke initialisation of UX50/TH55 devices that used re-mapped bulk-out endpoint addresses. Reported-by: Robert Gadsdon Tested-by: Robert Gadsdon Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 554521a6fbb0d8d72db8c717a3e68eb508647f4e Author: Alan Stern Date: Thu Sep 30 15:16:23 2010 -0400 USB: disable endpoints after unbinding interfaces, not before commit 80f0cf3947889014d3a3dc0ad60fb87cfda4b12a upstream. This patch (as1430) fixes a bug in usbcore. When a device configuration change occurs or a device is removed, the endpoints for the old config should be completely disabled. However it turns out they aren't; this is because usb_unbind_interface() calls usb_enable_interface() or usb_set_interface() to put interfaces back in altsetting 0, which re-enables the interfaces' endpoints. As a result, when a device goes through a config change or is unconfigured, the ep_in[] and ep_out[] arrays may be left holding old pointers to usb_host_endpoint structures. If the device is deauthorized these structures get freed, and the stale pointers cause errors when the the device is eventually unplugged. The solution is to disable the endpoints after unbinding the interfaces instead of before. This isn't as large a change as it sounds, since usb_unbind_interface() disables all the interface's endpoints anyway before calling the driver's disconnect routine, unless the driver claims to support "soft" unbind. This fixes Bugzilla #19192. Thanks to "Tom" Lei Ming for diagnosing the underlying cause of the problem. Signed-off-by: Alan Stern Tested-by: Carsten Sommer Signed-off-by: Greg Kroah-Hartman commit d0aed2ec7c2374ddb4eccb7f5af2ffb7193ac014 Author: Jean-Christophe PLAGNIOL-VILLARD Date: Mon Sep 20 18:31:07 2010 +0200 USB: atmel_usba_udc: force vbus_pin at -EINVAL when gpio_request failled commit 969affff54702785330de553b790372e261e93f9 upstream. to ensure gpio_is_valid return false Signed-off-by: Nicolas Ferre Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Greg Kroah-Hartman commit 5fc8fe8e2ea30805bee5a13420817d6ad34ea9ce Author: Anders Larsen Date: Wed Oct 6 23:46:25 2010 +0200 USB: cp210x: Add WAGO 750-923 Service Cable device ID commit 93ad03d60b5b18897030038234aa2ebae8234748 upstream. The WAGO 750-923 USB Service Cable is used for configuration and firmware updates of several industrial automation products from WAGO Kontakttechnik GmbH. Bus 004 Device 002: ID 1be3:07a6 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1be3 idProduct 0x07a6 bcdDevice 1.00 iManufacturer 1 Silicon Labs iProduct 2 WAGO USB Service Cable iSerial 3 1277796751 . . . Signed-off-by: Anders Larsen Signed-off-by: Greg Kroah-Hartman commit 303dde705cccff507ab7fd35fccbcfff5806dcef Author: DJ Delorie Date: Fri Sep 17 11:09:06 2010 -0400 USB: cp210x: Add Renesas RX-Stick device ID commit 2f1136d1d08a63dcdbcd462621373f30d8dfe590 upstream. RX610 development board by Renesas Bus 001 Device 024: ID 045b:0053 Hitachi, Ltd Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045b Hitachi, Ltd idProduct 0x0053 bcdDevice 1.00 iManufacturer 1 Silicon Labs iProduct 2 RX-Stick iSerial 3 0001 . . . http://am.renesas.com/rx610stick Signed-off-by: DJ Delorie Signed-off-by: Greg Kroah-Hartman commit fde2940f72513468de5c85805e62f3226fbf54f4 Author: Mauro Carvalho Chehab Date: Sun Sep 12 11:41:50 2010 -0300 USB: option: Add more ZTE modem USB id's commit ecfa153ef616b901e86d9a051b329fcda7a6ce7b upstream. There are lots of ZTE USB id's currently not covered by usb/serial. Adds them, to allow those devices to work properly on Linux. While here, put the USB ID's for 0x2002/0x2003 at the sorted order. This patch is based on zte.c file found on MF645. PS.: The ZTE driver is commenting the USB ID for 0x0053. It also adds, commented, an USB ID for 0x0026. Not sure why, but I think that 0053 is used by their devices in storage mode only. So, I opted to keep the comment on this patch. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 86492f3cd2e888b0750f743ba62f5db07f5cd9ee Author: Praveena Nadahally Date: Fri Sep 10 23:05:03 2010 +0530 USB: Change acm_iad_descriptor bFunctionProtocol to USB_CDC_ACM_PROTO_AT_V25TER commit 5c8db070b4480c43394680d9dfd2ddb06b97d2ae upstream. The protocol code is set 00 in IAD and it's set to 01 in ACM control interface descriptor in f_acm.c file. Due to this, windows is unable to install the modem(ACM) driver based on class-subclass-protocol matching. This patch corrects the protocol code in ACM IAD to the same as in acm_control_interface_desc protocol code. Acked-by: Linus Walleij Signed-off-by: Praveena Nadahally Signed-off-by: Greg Kroah-Hartman commit b6646b62d26b88762b2487d482ba3883bffa9398 Author: Sergei Shtylyov Date: Wed Sep 29 09:54:31 2010 +0300 usb: musb: blackfin: call gpio_free() on error path in musb_platform_init() commit 00be545e49d83485d49a598d3b7e090088934be8 upstream. Blackfin's musb_platform_init() needs to call gpio_free() for error cleanup iff otg_get_transceiver() call returns NULL. Signed-off-by: Sergei Shtylyov Acked-by: Mike Frysinger Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 95112caf9788ae6d1e9385d79a202ffad4671921 Author: Sergei Shtylyov Date: Wed Sep 29 09:54:30 2010 +0300 usb: musb: blackfin: call usb_nop_xceiv_unregister() in musb_platform_exit() commit 3daad24d6c72affdd40e8b6a75c87d3c175880b6 upstream. Blackfin's musb_platform_exit() forgets to call usb_nop_xceiv_unregister(). While fixing this, also remove the unneeded blank line there. Signed-off-by: Sergei Shtylyov Acked-by: Mike Frysinger Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 5b6ebed8ce478bf5392091c1359af3241ccea6e4 Author: Sergei Shtylyov Date: Wed Sep 29 09:54:29 2010 +0300 USB: MUSB: fix kernel WARNING/oops when unloading module in OTG mode commit f405387435a85a440d1ce16f3ca36e042281643a upstream. Since commit 461972d8a4c94bc44f11a13046041c78a7cf18dd (musb_core: don't call musb_platform_exit() twice), unloading the driver module results in a WARNING "kobject: '(null)' (c73de788): is not initialized, yet kobject_put() is being called." (or even kernel oops) on e.g. DaVincis, though only in the OTG mode. There exists dubious and unbalanced put_device() call in musb_free() which takes place only in the OTG mode. As this commit caused musb_platform_exit() to be called (and so unregister the NOP transceiver) before this put_device() call, this function references already freed memory. On the other hand, all the glue layers miss the otg_put_transceiver() call, complementary to the otg_get_transceiver() call that they do. So, I think the solution is to get rid of the strange put_device() call, and instead call otg_put_transceiver() in the glue layers... Signed-off-by: Sergei Shtylyov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 3c95a4f95e6c492af203105c7d9315a9e0164b63 Author: Greg Kroah-Hartman Date: Tue Oct 19 09:05:43 2010 -0700 USB: ftdi_sio: add device ids for ScienceScope commit 0f266abd70cd83571eca019f764b5f1992da7361 upstream. This adds the requested device ids to the ftdi_sio driver. Reported-by: Ewan Bingham Cc: Kuba Ober Signed-off-by: Greg Kroah-Hartman commit af4701764369b0cd3fc652891ee12f6e736ad50a Author: Daniel Suchy Date: Tue Oct 12 15:44:24 2010 +0200 USB: ftdi_sio: new VID/PIDs for various Papouch devices commit 59c6ccd9f9aecfa59c99ceba6d4d34b180547a05 upstream. This patch for FTDI USB serial driver ads new VID/PIDs used on various devices manufactured by Papouch (http://www.papouch.com). These devices have their own VID/PID, although they're using standard FTDI chip. In ftdi_sio.c, I also made small cleanup to have declarations for all Papouch devices together. Signed-off-by: Daniel Suchy Signed-off-by: Greg Kroah-Hartman commit b36f1df6971468a2e978765574b0ddf8bef8050e Author: Rainer Keller Date: Tue Sep 28 12:27:43 2010 +0200 USB: add PID for FTDI based OpenDCC hardware commit 99c1e4f89d1033444ce4d0c064bd2826e81c3775 upstream. The OpenDCC project is developing a new hardware. This patch adds its PID to the list of known FTDI devices. The PID can be found at http://www.opendcc.de/elektronik/usb/opendcc_usb.html Signed-off-by: Rainer Keller Signed-off-by: Greg Kroah-Hartman commit 6f5fd62a25956b0f6f968fa8e28ceef9c275430e Author: Johan Hovold Date: Sun Sep 12 16:31:45 2010 +0200 USB: ftdi_sio: revert "USB: ftdi_sio: fix DTR/RTS line modes" commit 677aeafe19e88c282af74564048243ccabb1c590 upstream. This reverts commit 6a1a82df91fa0eb1cc76069a9efe5714d087eccd. RTS and DTR should not be modified based on CRTSCTS when calling set_termios. Modem control lines are raised at port open by the tty layer and should stay raised regardless of whether hardware flow control is enabled or not. This is in conformance with the way serial ports work today and many applications depend on this behaviour to be able to talk to hardware implementing hardware flow control (without the applications actually using it). Hardware which expects different behaviour on these lines can always use TIOCMSET/TIOCMBI[SC] after port open to change them. Reported-by: Daniel Mack Reported-by: Dave Mielke Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit da768c0bacb071c078cdafd2fad9496c49f61659 Author: Rich Mattes Date: Tue Sep 14 00:35:40 2010 -0400 USB: ftdi_sio: Add PID for accesio products commit 3126d8236ca6f68eb8292c6af22c2e59afbeef24 upstream. Adds support for Accesio USB to Serial adapters, which are built around FTDI FT232 UARTs. Tested with the Accesio USB-COM-4SM. Signed-off-by: Rich Mattes Signed-off-by: Greg Kroah-Hartman commit 5aaade9e6a6f829ae8d94e5e0b04897ae9d4535e Author: Michal Nazarewicz Date: Thu Aug 12 17:43:44 2010 +0200 USB: gadget: g_multi: fixed vendor and product ID commit 1c6529e92b7682573837e9c9eb7b5ba7a8216a88 upstream. This patch fixes the vendor and product ID the gadget uses by replacing the temporary IDs that were used during development (which should never get into mainline) with proper IDs. Signed-off-by: Michal Nazarewicz Signed-off-by: Kyungmin Park Signed-off-by: Greg Kroah-Hartman commit 70cb495a276ea4f051e9d8b6edee1190c54a75d1 Author: Michal Nazarewicz Date: Thu Aug 12 17:43:45 2010 +0200 USB: gadget: g_ffs: fixed vendor and product ID commit ba0534be935d7b24e5fdd6f82c443ee75abc9149 upstream. This patch fixes the vendor and product ID the gadget uses by replacing the temporary IDs that were used during development (which should never get into mainline) with proper IDs. Signed-off-by: Michal Nazarewicz Signed-off-by: Kyungmin Park Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 8f8ed8cbe2cdc19e6978c031d8d75870d7fec50f Author: Roger Quadros Date: Wed Sep 8 13:48:44 2010 +0300 usb gadget: composite: prevent OOPS for non-standard control request commit 5c836e4d583701a5eecb288b5f131da39115f5ec upstream. The composite gadget will OOPS if the host sends a control request targetted to an interface of an un-configured composite device. This patch prevents this. The OOPS was observed during WHQL USB CV tests. With this patch, the device STALLs as per requirement. Failing test case: From host do the following. I used libusb-1.0 1) Set configuration to zero. libusb_control_transfer(device_handle, 0, /* standard OUT */ 0x9, /* setConfiguration */ 0, 0, NULL, 0, 0); 2) Query current configuratioan. libusb_control_transfer(device_handle, 0x80, /* standard IN*/ 0x8, /* getConfiguration */ 0, 0, data, 1, 0); 3) Send the non-standard ctrl transfer targetted to interface libusb_control_transfer(device_handle, 0x81, /* standard IN to interface*/ 0x6, /* getDescriptor */ 0x2300, 0, data, 0x12, 0); Signed-off-by: Roger Quadros Cc: David Brownell Cc: Michal Nazarewicz Cc: Robert Lukassen Cc: Kyungmin Park Signed-off-by: Greg Kroah-Hartman commit 185de9185eafc0f7304a977d1f19c491447879e1 Author: Julia Lawall Date: Fri Oct 15 15:00:06 2010 +0200 drivers/net/wireless/p54/eeprom.c: Return -ENOMEM on memory allocation failure commit 0d91f22b75347d9503b17a42b6c74d3f7750acd6 upstream. In this code, 0 is returned on memory allocation failure, even though other failures return -ENOMEM or other similar values. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression ret; expression x,e1,e2,e3; @@ ret = 0 ... when != ret = e1 *x = \(kmalloc\|kcalloc\|kzalloc\)(...) ... when != ret = e2 if (x == NULL) { ... when != ret = e3 return ret; } // Signed-off-by: Julia Lawall Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4ffa3ba40ebed6a0fe70a19cb90addd20a5d57e1 Author: Christian Lamparter Date: Fri Oct 1 22:01:24 2010 +0200 p54usb: add five more USBIDs commit 1a92795dac419128eb511dce30a6aad672064b88 upstream. Source: http://www.wikidevi.com/wiki/Intersil/p54/usb/windows Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7522ac94eb35ae9cf42540279b3e36344a5db52a Author: Christian Lamparter Date: Sun Aug 22 22:41:33 2010 +0200 p54usb: fix off-by-one on !CONFIG_PM commit 11791a6f7534906b4a01ffb54ba0b02ca39398ef upstream. The ISL3887 chip needs a USB reset, whenever the usb-frontend module "p54usb" is reloaded. This patch fixes an off-by-one bug, if the user is running a kernel without the CONFIG_PM option set and for some reason (e.g.: compat-wireless) wants to switch between different p54usb modules. Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ea8ef5f07004708a74cf6c29a43b41db3a58dec8 Author: Nicolas Kaiser Date: Thu Oct 21 14:56:00 2010 +0200 pipe: fix failure to return error code on ->confirm() commit e5953cbdff26f7cbae7eff30cd9b18c4e19b7594 upstream. The arguments were transposed, we want to assign the error code to 'ret', which is being returned. Signed-off-by: Nicolas Kaiser Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 5ed216a908c5273995b2c65c14639c8b3448b065 Author: Johan Hovold Date: Thu Oct 21 10:49:10 2010 +0200 USB: mct_u232: fix broken close commit 92ca0dc5ee022e4c0e488177e1d8865a0778c6c2 upstream. Fix regression introduced by commit f26788da3b342099d2b02d99ba1cb7f154d6ef7b (USB: serial: refactor generic close) which broke driver close(). This driver uses non-standard semantics for the read urb which makes the generic close function fail to kill it (the read urb is actually an interrupt urb and therefore bulk_in size is zero). Reported-by: Eric Shattow "Eprecocious" Tested-by: Eric Shattow "Eprecocious" Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit fb84c60fcdbcd33c162f2503aae1ac688ee2f4d2 Author: Joerg Roedel Date: Thu Sep 2 17:29:46 2010 +0200 KVM: SVM: Restore correct registers after sel_cr0 intercept emulation commit cda0008299a06f0d7218c6037c3c02d7a865e954 upstream. This patch implements restoring of the correct rip, rsp, and rax after the svm emulation in KVM injected a selective_cr0 write intercept into the guest hypervisor. The problem was that the vmexit is emulated in the instruction emulation which later commits the registers right after the write-cr0 instruction. So the l1 guest will continue to run with the l2 rip, rsp and rax resulting in unpredictable behavior. This patch is not the final word, it is just an easy patch to fix the issue. The real fix will be done when the instruction emulator is made aware of nested virtualization. Until this is done this patch fixes the issue and provides an easy way to fix this in -stable too. Signed-off-by: Joerg Roedel Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit c0b67df56563d6e27b111fcf8cc8cf694ec4b87c Author: Joerg Roedel Date: Fri Sep 10 17:31:06 2010 +0200 KVM: X86: Report SVM bit to userspace only when supported commit 4c62a2dc92518c5adf434df8e5c2283c6762672a upstream. This patch fixes a bug in KVM where it _always_ reports the support of the SVM feature to userspace. But KVM only supports SVM on AMD hardware and only when it is enabled in the kernel module. This patch fixes the wrong reporting. Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit b78891dfa05b86e74efdc4e7ed47f279ae96aa4b Author: Bart Oldeman Date: Thu Sep 23 13:16:58 2010 -0400 x86, vm86: Fix preemption bug for int1 debug and int3 breakpoint handlers. commit 6554287b1de0448f1e02e200d02b43914e997d15 upstream. Impact: fix kernel bug such as: BUG: scheduling while atomic: dosemu.bin/19680/0x00000004 See also Ubuntu bug 455067 at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/455067 Commits 4915a35e35a037254550a2ba9f367a812bc37d40 ("Use preempt_conditional_sti/cli in do_int3, like on x86_64.") and 3d2a71a596bd9c761c8487a2178e95f8a61da083 ("x86, traps: converge do_debug handlers") started disabling preemption in int1 and int3 handlers on i386. The problem with vm86 is that the call to handle_vm86_trap() may jump straight to entry_32.S and never returns so preempt is never enabled again, and there is an imbalance in the preempt count. Commit be716615fe596ee117292dc615e95f707fb67fd1 ("x86, vm86: fix preemption bug"), which was later (accidentally?) reverted by commit 08d68323d1f0c34452e614263b212ca556dae47f ("hw-breakpoints: modifying generic debug exception to use thread-specific debug registers") fixed the problem for debug exceptions but not for breakpoints. There are three solutions to this problem. 1. Reenable preemption before calling handle_vm86_trap(). This was the approach that was later reverted. 2. Do not disable preemption for i386 in breakpoint and debug handlers. This was the situation before October 2008. As far as I understand preemption only needs to be disabled on x86_64 because a seperate stack is used, but it's nice to have things work the same way on i386 and x86_64. 3. Let handle_vm86_trap() return instead of jumping to assembly code. By setting a flag in _TIF_WORK_MASK, either TIF_IRET or TIF_NOTIFY_RESUME, the code in entry_32.S is instructed to return to 32 bit mode from V86 mode. The logic in entry_32.S was already present to handle signals. (I chose TIF_IRET because it's slightly more efficient in do_notify_resume() in signal.c, but in fact TIF_IRET can probably be replaced by TIF_NOTIFY_RESUME everywhere.) I'm submitting approach 3, because I believe it is the most elegant and prevents future confusion. Still, an obvious preempt_conditional_cli(regs); is necessary in traps.c to correct the bug. [ hpa: This is technically a regression, but because: 1. the regression is so old, 2. the patch seems relatively high risk, justifying more testing, and 3. we're late in the 2.6.36-rc cycle, I'm queuing it up for the 2.6.37 merge window. It might, however, justify as a -stable backport at a latter time, hence Cc: stable. ] Signed-off-by: Bart Oldeman LKML-Reference: Cc: Frederic Weisbecker Cc: K.Prasad Cc: Alan Stern Cc: Alexander van Heukelum Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit d59159c62f66de966c601c1b7174e798e4a3d0d4 Author: Cliff Wickman Date: Wed Sep 8 10:14:27 2010 -0500 x86, kdump: Change copy_oldmem_page() to use cached addressing commit 37a2f9f30a360fb03522d15c85c78265ccd80287 upstream. The copy of /proc/vmcore to a user buffer proceeds much faster if the kernel addresses memory as cached. With this patch we have seen an increase in transfer rate from less than 15MB/s to 80-460MB/s, depending on size of the transfer. This makes a big difference in time needed to save a system dump. Signed-off-by: Cliff Wickman Acked-by: "Eric W. Biederman" Cc: kexec@lists.infradead.org LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7925978534b7180dac82c87eb6a5bbe96654ba75 Author: Suresh Siddha Date: Fri Aug 27 11:09:48 2010 -0700 x86, intr-remap: Set redirection hint in the IRTE commit 75e3cfbed6f71a8f151dc6e413b6ce3c390030cb upstream. Currently the redirection hint in the interrupt-remapping table entry is set to 0, which means the remapped interrupt is directed to the processors listed in the destination. So in logical flat mode in the presence of intr-remapping, this results in a single interrupt multi-casted to multiple cpu's as specified by the destination bit mask. But what we really want is to send that interrupt to one of the cpus based on the lowest priority delivery mode. Set the redirection hint in the IRTE to '1' to indicate that we want the remapped interrupt to be directed to only one of the processors listed in the destination. This fixes the issue of same interrupt getting delivered to multiple cpu's in the logical flat mode in the presence of interrupt-remapping. While there is no functional issue observed with this behavior, this will impact performance of such configurations (<=8 cpu's using logical flat mode in the presence of interrupt-remapping) Signed-off-by: Suresh Siddha LKML-Reference: <20100827181049.013051492@sbsiddha-MOBL3.sc.intel.com> Cc: Weidong Han Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 548bf3583a67e0af7660cfe08674d9b860ec633a Author: Andreas Herrmann Date: Thu Sep 30 14:32:35 2010 +0200 x86, mtrr: Assume SYS_CFG[Tom2ForceMemTypeWB] exists on all future AMD CPUs commit 3fdbf004c1706480a7c7fac3c9d836fa6df20d7d upstream. Instead of adapting the CPU family check in amd_special_default_mtrr() for each new CPU family assume that all new AMD CPUs support the necessary bits in SYS_CFG MSR. Tom2Enabled is architectural (defined in APM Vol.2). Tom2ForceMemTypeWB is defined in all BKDGs starting with K8 NPT. In pre K8-NPT BKDG this bit is reserved (read as zero). W/o this adaption Linux would unnecessarily complain about bad MTRR settings on every new AMD CPU family, e.g. [ 0.000000] WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing 4863MB of RAM. Signed-off-by: Andreas Herrmann LKML-Reference: <20100930123235.GB20545@loge.amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit ce04bd41d98be5b9771ba5c50e84813d986637fc Author: Paul Fox Date: Fri Oct 1 18:17:19 2010 +0100 x86, olpc: Don't retry EC commands forever commit 286e5b97eb22baab9d9a41ca76c6b933a484252c upstream. Avoids a potential infinite loop. It was observed once, during an EC hacking/debugging session - not in regular operation. Signed-off-by: Daniel Drake Cc: dilinger@queued.net Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 644b2192d251acb3a44c5cf8a209ff0c6217716c Author: Alok Kataria Date: Mon Oct 11 14:37:08 2010 -0700 x86, kexec: Make sure to stop all CPUs before exiting the kernel commit 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce upstream. x86 smp_ops now has a new op, stop_other_cpus which takes a parameter "wait" this allows the caller to specify if it wants to stop until all the cpus have processed the stop IPI. This is required specifically for the kexec case where we should wait for all the cpus to be stopped before starting the new kernel. We now wait for the cpus to stop in all cases except for panic/kdump where we expect things to be broken and we are doing our best to make things work anyway. This patch fixes a legitimate regression, which was introduced during 2.6.30, by commit id 4ef702c10b5df18ab04921fc252c26421d4d6c75. Signed-off-by: Alok N Kataria LKML-Reference: <1286833028.1372.20.camel@ank32.eng.vmware.com> Cc: Eric W. Biederman Cc: Jeremy Fitzhardinge Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 8298c02ab797b1e1ac2671a49038d3f8f31db20b Author: Andre Przywara Date: Mon Sep 6 15:14:17 2010 +0200 x86, cpu: Fix renamed, not-yet-shipping AMD CPUID feature bit commit 7ef8aa72ab176e0288f363d1247079732c5d5792 upstream. The AMD SSE5 feature set as-it has been replaced by some extensions to the AVX instruction set. Thus the bit formerly advertised as SSE5 is re-used for one of these extensions (XOP). Although this changes the /proc/cpuinfo output, it is not user visible, as there are no CPUs (yet) having this feature. To avoid confusion this should be added to the stable series, too. Signed-off-by: Andre Przywara LKML-Reference: <1283778860-26843-2-git-send-email-andre.przywara@amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit ff7d23175ecbff5666f7a9f26dfe1f4334e04377 Author: Cliff Wickman Date: Thu Sep 16 11:44:02 2010 -0500 mm, x86: Saving vmcore with non-lazy freeing of vmas commit 3ee48b6af49cf534ca2f481ecc484b156a41451d upstream. During the reading of /proc/vmcore the kernel is doing ioremap()/iounmap() repeatedly. And the buildup of un-flushed vm_area_struct's is causing a great deal of overhead. (rb_next() is chewing up most of that time). This solution is to provide function set_iounmap_nonlazy(). It causes a subsequent call to iounmap() to immediately purge the vma area (with try_purge_vmap_area_lazy()). With this patch we have seen the time for writing a 250MB compressed dump drop from 71 seconds to 44 seconds. Signed-off-by: Cliff Wickman Cc: Andrew Morton Cc: kexec@lists.infradead.org LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit db11393d79684afc15b3d3d52a1664171180c350 Author: Len Brown Date: Sat Oct 23 23:25:53 2010 -0400 intel_idle: do not use the LAPIC timer for ATOM C2 commit c25d29952b2a8c9aaf00e081c9162a0e383030cd upstream. If we use the LAPIC timer during ATOM C2 on some nvidia chisets, the system stalls. https://bugzilla.kernel.org/show_bug.cgi?id=21032 Signed-off-by: Len Brown Cc: Tom Gundersen Signed-off-by: Greg Kroah-Hartman commit 4fc910677fa95f03bd8431d21766ba9d7d967fa0 Author: Tejun Heo Date: Fri Oct 15 11:00:08 2010 +0200 libahci: fix result_tf handling after an ATA PIO data-in command commit 6ad601955315b010a117306b994f2204fae85fdc upstream. ATA devices don't send D2H Reg FIS after an successful ATA PIO data-in command. The host is supposed to take the TF and E_Status of the preceding PIO Setup FIS. Update ahci_qc_fill_rtf() such that it takes TF + E_Status from PIO Setup FIS after a successful ATA PIO data-in command. Without this patch, result_tf for such a command is filled with the content of the previous D2H Reg FIS which belongs to a previous command, which can make the command incorrectly seen as failed. * Patch updated to grab the whole TF + E_Status from PIO Setup FIS instead of just E_Status as suggested by Robert Hancock. Signed-off-by: Tejun Heo Reported-by: Mark Lord Cc: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 28feaa47bc4f21545dce9834d9c8f90481647c1a Author: Suresh Jayaraman Date: Fri Sep 17 18:56:39 2010 +0530 cifs: fix broken oplock handling commit aa91c7e4ab9b0842b7d7a7cbf8cca18b20df89b5 upstream. cifs_new_fileinfo() does not use the 'oplock' value from the callers. Instead, it sets it to REQ_OPLOCK which seems wrong. We should be using the oplock value obtained from the Server to set the inode's clientCanCacheAll or clientCanCacheRead flags. Fix this by passing oplock from the callers to cifs_new_fileinfo(). This change dates back to commit a6ce4932 (2.6.30-rc3). So, all the affected versions will need this fix. Please Cc stable once reviewed and accepted. Reviewed-by: Jeff Layton Signed-off-by: Suresh Jayaraman Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 52c974f34e857dc648f013cc24f6ad4febc26040 Author: Darren Hart Date: Sun Oct 17 08:35:04 2010 -0700 futex: Fix errors in nested key ref-counting commit 7ada876a8703f23befbb20a7465a702ee39b1704 upstream. futex_wait() is leaking key references due to futex_wait_setup() acquiring an additional reference via the queue_lock() routine. The nested key ref-counting has been masking bugs and complicating code analysis. queue_lock() is only called with a previously ref-counted key, so remove the additional ref-counting from the queue_(un)lock() functions. Also futex_wait_requeue_pi() drops one key reference too many in unqueue_me_pi(). Remove the key reference handling from unqueue_me_pi(). This was paired with a queue_lock() in futex_lock_pi(), so the count remains unchanged. Document remaining nested key ref-counting sites. Signed-off-by: Darren Hart Reported-and-tested-by: Matthieu Fertré Reported-by: Louis Rilling Cc: Peter Zijlstra Cc: Eric Dumazet Cc: John Kacur Cc: Rusty Russell LKML-Reference: <4CBB17A8.70401@linux.intel.com> Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 46ee0239f6fe2bd7f2db6f4ea95e9a642cf126ec Author: Alan Cox Date: Fri Oct 22 14:11:26 2010 +0100 bluetooth: Fix missing NULL check commit c19483cc5e56ac5e22dd19cf25ba210ab1537773 upstream. Fortunately this is only exploitable on very unusual hardware. [Reported a while ago but nothing happened so just fixing it] Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ee6158ba96148f198a4f1b78a24770633a568b95 Author: Mathieu Desnoyers Date: Mon Sep 13 17:47:00 2010 -0400 sched: Fix string comparison in /proc/sched_features commit 7740191cd909b75d75685fb08a5d1f54b8a9d28b upstream. Fix incorrect handling of the following case: INTERACTIVE INTERACTIVE_SOMETHING_ELSE The comparison only checks up to each element's length. Changelog since v1: - Embellish using some Rostedtisms. [ mingo: ^^ == smaller and cleaner ] Signed-off-by: Mathieu Desnoyers Reviewed-by: Steven Rostedt Cc: Peter Zijlstra Cc: Tony Lindgren LKML-Reference: <20100913214700.GB16118@Krystal> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 19b0be98067611d07f68faf396041da6e95eb60e Author: Linus Walleij Date: Mon Oct 11 16:36:51 2010 +0200 sched: Drop all load weight manipulation for RT tasks commit 17bdcf949d03306b308c5fb694849cd35f119807 upstream. Load weights are for the CFS, they do not belong in the RT task. This makes all RT scheduling classes leave the CFS weights alone. This fixes a real bug as well: I noticed the following phonomena: a process elevated to SCHED_RR forks with SCHED_RESET_ON_FORK set, and the child is indeed SCHED_OTHER, and the niceval is indeed reset to 0. However the weight inserted by set_load_weight() remains at 0, giving the task insignificat priority. With this fix, the weight is reset to what the task had before being elevated to SCHED_RR/SCHED_FIFO. Cc: Lennart Poettering Signed-off-by: Linus Walleij Signed-off-by: Peter Zijlstra LKML-Reference: <1286807811-10568-1-git-send-email-linus.walleij@stericsson.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a02c10c18f6b7d722c2e9c0db5b92c039af81e88 Author: Vasiliy Kulikov Date: Sun Oct 17 18:41:24 2010 +0400 pcmcia: synclink_cs: fix information leak to userland commit 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 upstream. Structure new_line is copied to userland with some padding fields unitialized. It leads to leaking of stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: Dominik Brodowski Signed-off-by: Greg Kroah-Hartman commit 49a9147eae80171bdc942c946e82cdaed3065a6f Author: Paul Mackerras Date: Thu Sep 9 19:02:40 2010 +0000 powerpc/perf: Fix sampling enable for PPC970 commit 9f5f9ffe50e90ed73040d2100db8bfc341cee352 upstream. The logic to distinguish marked instruction events from ordinary events on PPC970 and derivatives was flawed. The result is that instruction sampling didn't get enabled in the PMU for some marked instruction events, so they would never trigger. This fixes it by adding the appropriate break statements in the switch statement. Reported-by: David Binderman Signed-off-by: Paul Mackerras Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit c119599ec7d46c1b31d09a7968566b76e54da8e8 Author: Stephane Eranian Date: Fri Oct 15 15:26:01 2010 +0200 perf_events: Fix bogus context time tracking commit c530ccd9a1864a44a7ff35826681229ce9f2357a upstream. You can only call update_context_time() when the context is active, i.e., the thread it is attached to is still running. However, perf_event_read() can be called even when the context is inactive, e.g., user read() the counters. The call to update_context_time() must be conditioned on the status of the context, otherwise, bogus time_enabled, time_running may be returned. Here is an example on AMD64. The task program is an example from libpfm4. The -p prints deltas every 1s. $ task -p -e cpu_clk_unhalted sleep 5 2,266,610 cpu_clk_unhalted (0.00% scaling, ena=2,158,982, run=2,158,982) 0 cpu_clk_unhalted (0.00% scaling, ena=2,158,982, run=2,158,982) 0 cpu_clk_unhalted (0.00% scaling, ena=2,158,982, run=2,158,982) 0 cpu_clk_unhalted (0.00% scaling, ena=2,158,982, run=2,158,982) 0 cpu_clk_unhalted (0.00% scaling, ena=2,158,982, run=2,158,982) 5,242,358,071 cpu_clk_unhalted (99.95% scaling, ena=5,000,359,984, run=2,319,270) Whereas if you don't read deltas, e.g., no call to perf_event_read() until the process terminates: $ task -e cpu_clk_unhalted sleep 5 2,497,783 cpu_clk_unhalted (0.00% scaling, ena=2,376,899, run=2,376,899) Notice that time_enable, time_running are bogus in the first example causing bogus scaling. This patch fixes the problem, by conditionally calling update_context_time() in perf_event_read(). Signed-off-by: Stephane Eranian Signed-off-by: Peter Zijlstra LKML-Reference: <4cb856dc.51edd80a.5ae0.38fb@mx.google.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit cef2c20c88c122f0dea3dadcc56bcdc0077061c4 Author: Stephane Eranian Date: Fri Oct 15 15:15:01 2010 +0200 perf_events: Fix bogus AMD64 generic TLB events commit ba0cef3d149ce4db293c572bf36ed352b11ce7b9 upstream. PERF_COUNT_HW_CACHE_DTLB:READ:MISS had a bogus umask value of 0 which counts nothing. Needed to be 0x7 (to count all possibilities). PERF_COUNT_HW_CACHE_ITLB:READ:MISS had a bogus umask value of 0 which counts nothing. Needed to be 0x3 (to count all possibilities). Signed-off-by: Stephane Eranian Signed-off-by: Peter Zijlstra Cc: Robert Richter LKML-Reference: <4cb85478.41e9d80a.44e2.3f00@mx.google.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2a64ff4337bc785563d187ddbfe4385888bda665 Author: Greg Kroah-Hartman Date: Sat Oct 9 13:26:12 2010 -0700 Staging: phison: fix problem caused by libata change commit cf10700bf8047f0668dd874b607f89516612e6c7 upstream. The libata core changed this function so it needed to call a different one. See https://bugzilla.kernel.org/show_bug.cgi?id=19872 for details. Reported-by: Heinz Wiesinger Tested-by: Heinz Wiesinger Signed-off-by: Greg Kroah-Hartman commit 0fa89f1c349b48e96a28e4270f2289332270f328 Author: Max Vozeler Date: Tue Sep 21 17:43:30 2010 +0200 staging: usbip: Process event flags without delay commit 584c5b7cf06194464240280483ee0376cdddbbae upstream. The way the event handler works can cause it to delay events until eventual wakeup for another event. For example, on device detach (vhci): - Write to sysfs detach file -> usbip_event_add(VDEV_EVENT_DOWN) -> wakeup() #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET). - Event thread wakes up and passes the event to event_handler() to process. - It processes and clears the USBIP_EH_SHUTDOWN flag then returns. - The outer event loop (event_handler_loop()) calls wait_event_interruptible(). The processing of the second flag which is part of VDEV_EVENT_DOWN (USBIP_EH_RESET) did not happen yet. It is delayed until the next event. This means the ->reset callback may not happen for a long time (if ever), leaving the usbip port in a weird state which prevents its reuse. This patch changes the handler to process all flags before waiting for another wakeup. I have verified this change to fix a problem which prevented reattach of a usbip device. It also helps for socket errors which missed the RESET as well. The delayed event processing also affects the stub side of usbip and the error handling there. Signed-off-by: Max Vozeler Reported-by: Marco Lancione Tested-by: Luc Jalbert Signed-off-by: Greg Kroah-Hartman commit 12b1e06af306d6190cc7e8cccc8a328014e7c487 Author: Max Vozeler Date: Tue Sep 21 17:31:40 2010 +0200 staging: usbip: Notify usb core of port status changes commit 0c9a32f0192e656daa2ff3c9149f6d71b4a1b873 upstream. This patch changes vhci to behave like dummy and other hcds when disconnecting a device. Previously detaching a device from the root hub did not notify the usb core of the disconnect and left the device visible. Signed-off-by: Max Vozeler Reported-by: Marco Lancione Tested-by: Luc Jalbert Signed-off-by: Greg Kroah-Hartman