commit d77cf23f1befd3922d81b91cb01fd3da619e0206 Author: Greg Kroah-Hartman Date: Fri Jan 7 14:39:58 2011 -0800 Linux 2.6.36.3 commit 8a77688b45d674148968877e91122541ba00be49 Author: Jean-Francois Moine Date: Tue Dec 14 16:15:37 2010 -0300 gspca - sonixj: Add a flag in the driver_info table commit c6c14330717f9850b4b4c054b81424b9979cd07d upstream. Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ae1a348bba9f44578e9d43e0a24b9a6c82cfe82f Author: Jean-Francois Moine Date: Tue Dec 14 16:16:16 2010 -0300 gspca - sonixj: Set the flag for some devices commit b2272a49e7df37732d73988f00468ce31e1ebc92 upstream. The flag PDN_INV indicates that the sensor pin S_PWR_DN has not the same value as other webcams with the same sensor. For now, only two webcams have been so detected: the Microsoft's VX1000 and VX3000. Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit e2767cf170567c1ba2a5044a45fbe9b6a9ffc9f3 Author: David Kilroy Date: Tue Dec 7 18:50:42 2010 +0000 orinoco: initialise priv->hw before assigning the interrupt commit 229bd792be0bad245b78ed8f119952733a4752e5 upstream. The interrupt handler takes a lock - but since commit bcad6e80f3f this lock goes through an indirection specified in the hermes_t structure. We must therefore initialise the structure before setting up the interrupt handler. Fix orinoco_cs and spectrum_cs Bisected by: Matt Domsch Signed-off by: David Kilroy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a61eefaccfff3c8f2b6f4e24a63039258b345a16 Author: Mauro Carvalho Chehab Date: Thu Dec 2 01:57:03 2010 -0200 Don't export format_by_forcc on two different drivers commit a757ee2216211278680dd8ac869aabe7b4a9970d upstream. Drivers should append their name on exported symbols, to avoid conflicts with allyesconfig: drivers/staging/built-in.o: In function `format_by_fourcc': /home/v4l/work_trees/linus/drivers/staging/cx25821/cx25821-video.c:96: multiple definition of `format_by_fourcc' drivers/media/built-in.o:/home/v4l/work_trees/linus/drivers/media/common/saa7146_video.c:88: first defined here Let's rename both occurences with a small shellscript: for i in drivers/staging/cx25821/*.[ch]; do sed s,format_by_fourcc,cx25821_format_by_fourcc,g <$i >a && mv a $i; done for i in drivers/media/common/saa7146*.[ch]; do sed s,format_by_fourcc,saa7146_format_by_fourcc,g <$i >a && mv a $i; done for i in include/media/saa7146*.[ch]; do sed s,format_by_fourcc,saa7146_format_by_fourcc,g <$i >a && mv a $i; done Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 50476543397ba4f7191cfeb555cf6de0e2fa63c4 Author: Baruch Siach Date: Wed Oct 27 04:03:52 2010 -0300 mx2_camera: fix pixel clock polarity configuration commit 42cc37fe20cc680fb58fe12ae5ba718d683b8ca2 upstream. When SOCAM_PCLK_SAMPLE_FALLING, just leave CSICR1_REDGE unset, otherwise we get the inverted behaviour. Signed-off-by: Baruch Siach Signed-off-by: Guennadi Liakhovetski Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2a71e215aa15cab942a814904e108d72dc86cfbb Author: Oleg Nesterov Date: Fri Nov 5 16:53:42 2010 +0100 posix-cpu-timers: workaround to suppress the problems with mt exec commit e0a70217107e6f9844628120412cb27bb4cea194 upstream. posix-cpu-timers.c correctly assumes that the dying process does posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD timers from signal->cpu_timers list. But, it also assumes that timer->it.cpu.task is always the group leader, and thus the dead ->task means the dead thread group. This is obviously not true after de_thread() changes the leader. After that almost every posix_cpu_timer_ method has problems. It is not simple to fix this bug correctly. First of all, I think that timer->it.cpu should use struct pid instead of task_struct. Also, the locking should be reworked completely. In particular, tasklist_lock should not be used at all. This all needs a lot of nontrivial and hard-to-test changes. Change __exit_signal() to do posix_cpu_timers_exit_group() when the old leader dies during exec. This is not the fix, just the temporary hack to hide the problem for 2.6.37 and stable. IOW, this is obviously wrong but this is what we currently have anyway: cpu timers do not work after mt exec. In theory this change adds another race. The exiting leader can detach the timers which were attached to the new leader. However, the window between de_thread() and release_task() is small, we can pretend that sys_timer_create() was called before de_thread(). Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1084a6a86b13e66605f5c97c810286d0c02417dd Author: Jesper Juhl Date: Sat Dec 25 19:57:41 2010 +0100 x86/microcode: Fix double vfree() and remove redundant pointer checks before vfree() commit 5cdd2de0a76d0ac47f107c8a7b32d75d25768dc1 upstream. In arch/x86/kernel/microcode_intel.c::generic_load_microcode() we have this: while (leftover) { ... if (get_ucode_data(mc, ucode_ptr, mc_size) || microcode_sanity_check(mc) < 0) { vfree(mc); break; } ... } if (mc) vfree(mc); This will cause a double free of 'mc'. This patch fixes that by just removing the vfree() call in the loop since 'mc' will be freed nicely just after we break out of the loop. There's also a second change in the patch. I noticed a lot of checks for pointers being NULL before passing them to vfree(). That's completely redundant since vfree() deals gracefully with being passed a NULL pointer. Removing the redundant checks yields a nice size decrease for the object file. Size before the patch: text data bss dec hex filename 4578 240 1032 5850 16da arch/x86/kernel/microcode_intel.o Size after the patch: text data bss dec hex filename 4489 240 984 5713 1651 arch/x86/kernel/microcode_intel.o Signed-off-by: Jesper Juhl Acked-by: Tigran Aivazian Cc: Shaohua Li LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 42e9b5a7c3c6697e4d03d300df72e3527b67f5b1 Author: Martin K. Petersen Date: Wed Dec 1 19:41:49 2010 +0100 block: Deprecate QUEUE_FLAG_CLUSTER and use queue_limits instead commit e692cb668fdd5a712c6ed2a2d6f2a36ee83997b4 upstream. When stacking devices, a request_queue is not always available. This forced us to have a no_cluster flag in the queue_limits that could be used as a carrier until the request_queue had been set up for a metadevice. There were several problems with that approach. First of all it was up to the stacking device to remember to set queue flag after stacking had completed. Also, the queue flag and the queue limits had to be kept in sync at all times. We got that wrong, which could lead to us issuing commands that went beyond the max scatterlist limit set by the driver. The proper fix is to avoid having two flags for tracking the same thing. We deprecate QUEUE_FLAG_CLUSTER and use the queue limit directly in the block layer merging functions. The queue_limit 'no_cluster' is turned into 'cluster' to avoid double negatives and to ease stacking. Clustering defaults to being enabled as before. The queue flag logic is removed from the stacking function, and explicitly setting the cluster flag is no longer necessary in DM and MD. Reported-by: Ed Lin Signed-off-by: Martin K. Petersen Acked-by: Mike Snitzer Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 9f4bd59e7ba7ccbd873b7af3b377f7b3b163d2ff Author: Mike Galbraith Date: Wed Dec 8 11:05:42 2010 +0100 Sched: fix skip_clock_update optimization commit f26f9aff6aaf67e9a430d16c266f91b13a5bff64 upstream. idle_balance() drops/retakes rq->lock, leaving the previous task vulnerable to set_tsk_need_resched(). Clear it after we return from balancing instead, and in setup_thread_stack() as well, so no successfully descheduled or never scheduled task has it set. Need resched confused the skip_clock_update logic, which assumes that the next call to update_rq_clock() will come nearly immediately after being set. Make the optimization robust against the waking a sleeper before it sucessfully deschedules case by checking that the current task has not been dequeued before setting the flag, since it is that useless clock update we're trying to save, and clear unconditionally in schedule() proper instead of conditionally in put_prev_task(). Signed-off-by: Mike Galbraith Reported-by: Bjoern B. Brandenburg Tested-by: Yong Zhang Signed-off-by: Peter Zijlstra LKML-Reference: <1291802742.1417.9.camel@marge.simson.net> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 008ac306ffb6c5b02e0fd27d9d3db5a726702341 Author: Daniel T Chen Date: Tue Dec 28 17:20:02 2010 -0500 ALSA: hda: Use LPIB quirk for Dell Inspiron m101z/1120 commit e03fa055bc126e536c7f65862e08a9b143138ea9 upstream. Sjoerd Simons reports that, without using position_fix=1, recording experiences overruns. Work around that by applying the LPIB quirk for his hardware. Reported-and-tested-by: Sjoerd Simons Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 232961026b76e8011d72c44395f699037e758e66 Author: Johannes Berg Date: Wed Dec 22 10:15:07 2010 +0100 mac80211: fix mesh forwarding commit b51aff057c9d0ef6c529dc25fd9f775faf7b6c63 upstream. Under memory pressure, the mac80211 mesh code may helpfully print a message that it failed to clone a mesh frame and then will proceed to crash trying to use it anyway. Fix that. Signed-off-by: Johannes Berg Acked-by: Javier Cardona Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 877f13134bcdaaf376b28713c0dc33436cbae5ea Author: Tejun Heo Date: Fri Dec 3 15:19:13 2010 +0100 libata-sff: fix HSM_ST_ERR handling in __ata_sff_port_intr() commit 687a993339c4f3a63654746230da3aab8bbdbffd upstream. While separating out BMDMA irq handler from SFF, commit c3b28894 (libata-sff: separate out BMDMA irq handler) incorrectly made __ata_sff_port_intr() consider an IRQ to be an idle one if the host state was transitioned to HSM_ST_ERR by ata_bmdma_port_intr(). This makes BMDMA drivers ignore IRQs reporting host bus error which leads to timeouts instead of triggering EH immediately. Fix it by making __ata_sff_port_intr() consider the IRQ to be an idle one iff the state is HSM_ST_IDLE. This is equivalent to adding HSM_ST_ERR to the "break"ing case but less error-prone. Signed-off-by: Tejun Heo Reported-by: Antonio Toma Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit c7874c1c2111642a8511641d8ce826d13de8ed2f Author: Mimi Zohar Date: Mon Jan 3 14:59:10 2011 -0800 ima: fix add LSM rule bug commit 867c20265459d30a01b021a9c1e81fb4c5832aa9 upstream. If security_filter_rule_init() doesn't return a rule, then not everything is as fine as the return code implies. This bug only occurs when the LSM (eg. SELinux) is disabled at runtime. Adding an empty LSM rule causes ima_match_rules() to always succeed, ignoring any remaining rules. default IMA TCB policy: # PROC_SUPER_MAGIC dont_measure fsmagic=0x9fa0 # SYSFS_MAGIC dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC dont_measure fsmagic=0x01021994 # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 < LSM specific rule > dont_measure obj_type=var_log_t measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 Thus without the patch, with the boot parameters 'tcb selinux=0', adding the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB measurement policy, would result in nothing being measured. The patch prevents the default TCB policy from being replaced. Signed-off-by: Mimi Zohar Cc: James Morris Acked-by: Serge Hallyn Cc: David Safford Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bc690d348f5417934331c7e215c63aeb6388eaf6 Author: Saeed Bishara Date: Tue Dec 21 16:53:39 2010 +0200 mv_xor: fix race in tasklet function commit 8333f65ef094e47020cd01452b4637e7daf5a77f upstream. use mv_xor_slot_cleanup() instead of __mv_xor_slot_cleanup() as the former function aquires the spin lock that needed to protect the drivers data. Signed-off-by: Saeed Bishara Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit b6346defbc8afe642fb76736b7f59bb1fc6cc0a4 Author: Sheng Yang Date: Wed Dec 8 10:49:43 2010 +0800 KVM: Fix OSXSAVE after migration commit 3ea3aa8cf67d3bbe00a19b6a4013d19efa7d0f41 upstream. CPUID's OSXSAVE is a mirror of CR4.OSXSAVE bit. We need to update the CPUID after migration. KVM-Stable-Tag. Signed-off-by: Sheng Yang Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 918a0ca6d40a07fb7d11ac7b9e1033677e0b318b Author: Joerg Roedel Date: Tue Dec 7 17:15:05 2010 +0100 KVM: SVM: Do not report xsave in supported cpuid commit 24d1b15f72abe3465e871d11cfc9dc34d1aab8b2 upstream. To support xsave properly for the guest the SVM module need software support for it. As long as this is not present do not report the xsave as supported feature in cpuid. As a side-effect this patch moves the bit() helper function into the x86.h file so that it can be used in svm.c too. KVM-Stable-Tag. Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 9b5f28d26b8233dff5a1e4f659b70ee55a827711 Author: Andre Przywara Date: Wed Dec 1 12:17:44 2010 +0100 KVM: enlarge number of possible CPUID leaves commit 73c1160ce377d8fc6d84cb630ebf9658808bec49 upstream. Currently the number of CPUID leaves KVM handles is limited to 40. My desktop machine (AthlonII) already has 35 and future CPUs will expand this well beyond the limit. Extend the limit to 80 to make room for future processors. KVM-Stable-Tag. Signed-off-by: Andre Przywara Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 203d86c28cd29846ff66e2d9178f870063d8de83 Author: Dan Rosenberg Date: Sat Dec 25 16:23:40 2010 -0500 sound: Prevent buffer overflow in OSS load_mixer_volumes commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb upstream. The load_mixer_volumes() function, which can be triggered by unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to a buffer overflow. Because the provided "name" argument isn't guaranteed to be NULL terminated at the expected 32 bytes, it's possible to overflow past the end of the last element in the mixer_vols array. Further exploitation can result in an arbitrary kernel write (via subsequent calls to load_mixer_volumes()) leading to privilege escalation, or arbitrary kernel reads via get_mixer_levels(). In addition, the strcmp() may leak bytes beyond the mixer_vols array. Signed-off-by: Dan Rosenberg Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e606509bc1d7f19fccf078907d5421b3a95bd659 Author: KAMEZAWA Hiroyuki Date: Wed Dec 29 14:07:11 2010 -0800 memcg: fix wrong VM_BUG_ON() in try_charge()'s mm->owner check commit ebb76ce16daf6908dc030dec1c00827d37129fe5 upstream. At __mem_cgroup_try_charge(), VM_BUG_ON(!mm->owner) is checked. But as commented in mem_cgroup_from_task(), mm->owner can be NULL in some racy case. This check of VM_BUG_ON() is bad. A possible story to hit this is at swapoff()->try_to_unuse(). It passes mm_struct to mem_cgroup_try_charge_swapin() while mm->owner is NULL. If we can't get proper mem_cgroup from swap_cgroup information, mm->owner is used as charge target and we see NULL. Cc: Daisuke Nishimura Cc: KOSAKI Motohiro Reported-by: Hugh Dickins Reported-by: Thomas Meyer Signed-off-by: KAMEZAWA Hiroyuki Reviewed-by: Balbir Singh Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b16e490eb5f7fb19f1e8fd07f6d45d771a487f82 Author: Eric Anholt Date: Mon Dec 20 18:40:06 2010 -0800 drm/i915, intel_ips: When i915 loads after IPS, make IPS relink to i915. commit 63ee41d794d9c555f84205517a68509848988760 upstream. The IPS driver is designed to be able to run detached from i915 and just not enable GPU turbo in that case, in order to avoid module dependencies between the two drivers. This means that we don't know what the load order between the two is going to be, and we had previously only supported IPS after (optionally) i915, but not i915 after IPS. If the wrong order was chosen, you'd get no GPU turbo, and something like half the possible graphics performance. Signed-off-by: Eric Anholt Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit 0f37a87fae33bbca1e2ff289330c2f4ba93b5064 Author: David Flynn Date: Wed Dec 8 16:10:21 2010 +0000 drm/i915/dp: Fix I2C/EDID handling with active DisplayPort to DVI converter commit 8316f33766a82907c694267ff911e45e256f09f9 upstream. The DisplayPort standard (1.1a) states that: The I2C-over-AUX Reply field is valid only when Native AUX CH Reply field is AUX_ACK (00). When Native AUX CH Reply field is not 00, then, I2C-over-AUX Reply field must be 00 and be ignored. This fixes broken EDID reading when using an active DisplayPort to duallink DVI converter. If the AUX CH replier chooses to defer the transaction, a short read occurs and erroneous data is returned as the i2c reply due to a lack of length checking and failure to check for AUX ACK. As a result, broken EDIDs can look like: 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 00: bc bc bc ff bc bc bc ff bc bc bc ac bc bc bc 45 ???.???.???????E 10: bc bc bc 10 bc bc bc 34 bc bc bc ee bc bc bc 4c ???????4???????L 20: bc bc bc 50 bc bc bc 00 bc bc bc 40 bc bc bc 00 ???P???.???@???. 30: bc bc bc 01 bc bc bc 01 bc bc bc a0 bc bc bc 40 ???????????????@ 40: bc bc bc 00 bc bc bc 00 bc bc bc 00 bc bc bc 55 ???.???.???.???U 50: bc bc bc 35 bc bc bc 31 bc bc bc 20 bc bc bc fc ???5???1??? ???? 60: bc bc bc 4c bc bc bc 34 bc bc bc 46 bc bc bc 00 ???L???4???F???. 70: bc bc bc 38 bc bc bc 11 bc bc bc 20 bc bc bc 20 ???8??????? ??? 80: bc bc bc ff bc bc bc ff bc bc bc ff bc bc bc ff ???.???.???.???. ... which can lead to: [drm:drm_edid_block_valid] *ERROR* EDID checksum is invalid, remainder [drm:drm_edid_block_valid] *ERROR* Raw EDID: <3>30 30 30 30 30 30 30 32 38 32 30 32 63 63 31 61 000000028202cc1a <3>28 00 02 8c 00 00 00 00 18 00 00 00 00 00 00 00 (............... <3>20 4c 61 73 74 20 62 65 61 63 6f 6e 3a 20 33 32 Last beacon: 32 <3>32 30 6d 73 20 61 67 6f 46 00 05 8c 00 00 00 00 20ms agoF....... <3>36 00 00 00 00 00 00 00 00 0c 57 69 2d 46 69 20 6.........Wi-Fi <3>52 6f 75 74 65 72 01 08 82 84 8b 96 24 30 48 6c Router......$0Hl <3>03 01 01 06 02 00 00 2a 01 00 2f 01 00 32 04 0c .......*../..2.. <3>12 18 60 dd 09 00 10 18 02 00 00 01 00 00 18 00 ..`............. Signed-off-by: David Flynn [ickle: fix up some surrounding checkpatch warnings] Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit 15418c74b6a21d2f67ce6bdb56c1b07754b1b407 Author: Alex Deucher Date: Mon Dec 20 11:22:29 2010 -0500 drm/radeon/kms: reorder display resume to avoid problems commit a93f344d3c04e4b84490c65f2a574387c593be40 upstream. On resume, we were attemping to unblank the displays before the timing and plls had be reprogrammed which led to atom timeouts waiting for things that are not yet programmed. Re-program the mode first, then reset the dpms state. This fixes the infamous atombios timeouts on resume. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 2b8e17e8e5928b95f2ebc80f5270a084459e90a4 Author: Alex Deucher Date: Mon Dec 20 12:35:03 2010 -0500 drm/radeon/kms: fix evergreen asic reset commit 9f0c4f9c2f835eee1bbb93f96bf9483d56f1892b upstream. Only reset the grbm blocks, srbm tends to lock the GPU if not done properly and in most cases is not necessary. Also, no need to call asic init after reset the grbm blocks. Signed-off-by: Alex Deucher Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 8b9040e518c730bf0dc1dc329ebb7e43ef0123ce Author: Alex Deucher Date: Mon Dec 20 12:35:04 2010 -0500 drm/radeon/kms/evergreen: reset the grbm blocks at resume and init commit 86f5c9edbb3bac37cc8cee6528a929005ba72aad upstream. This fixes module reloading and resume as the gfx block seems to be left in a bad state in some cases. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 9d2510f79d714b1732971709edad695859ee0781 Author: Mark Brown Date: Wed Nov 24 18:01:39 2010 +0000 mfd: Supply IRQ base for WM832x devices commit bd7c72ed18d719c1fb0fdf6ff9042d8ab78fdf71 upstream. Without this the IRQ base will not be correctly configured for the subdevices. Signed-off-by: Mark Brown Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit eeb140591a5e0220277d633139793d9bdb65fe35 Author: Mark Brown Date: Thu Dec 2 16:25:43 2010 +0000 mfd: Support additional parent IDs for wm831x commit b93cef556162b0f33399bfe5f307c54f51554e09 upstream. Some newer device revisions add a second parent ID. Support this in the device validity checks done at startup. Signed-off-by: Mark Brown Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 1044d6d19d23ef6fc8afe808ac8f8a9a4dc827ce Author: Robert Richter Date: Mon Jan 3 12:15:14 2011 +0100 arch/x86/oprofile/op_model_amd.c: Perform initialisation on a single CPU commit c7c25802b39c443b3745cfa973dc49a97a3491f8 upstream. Disable preemption in init_ibs(). The function only checks the ibs capabilities and sets up pci devices (if necessary). It runs only on one cpu but operates with the local APIC and some MSRs, thus it is better to disable preemption. [ 7.034377] BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/483 [ 7.034385] caller is setup_APIC_eilvt+0x155/0x180 [ 7.034389] Pid: 483, comm: modprobe Not tainted 2.6.37-rc1-20101110+ #1 [ 7.034392] Call Trace: [ 7.034400] [] debug_smp_processor_id+0xd2/0xf0 [ 7.034404] [] setup_APIC_eilvt+0x155/0x180 [ ... ] Addresses https://bugzilla.kernel.org/show_bug.cgi?id=22812 Reported-by: Signed-off-by: Robert Richter Cc: oprofile-list@lists.sourceforge.net Cc: Peter Zijlstra Cc: Frederic Weisbecker Cc: Rafael J. Wysocki Cc: Dan Carpenter Cc: Andrew Morton LKML-Reference: <20110103111514.GM4739@erda.amd.com> [ small cleanups ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 36bd931c61a97d5b8f9bc3ded62c4e43b22c34ff Author: Ben Hutchings Date: Sun Jan 2 23:02:42 2011 +0000 watchdog: Improve initialisation error message and documentation commit 551423748a4eba55f2eb0fc250d757986471f187 upstream. The error message 'NMI watchdog failed to create perf event...' does not make it clear that this is a fatal error for the watchdog. It also currently prints the error value as a pointer, rather than extracting the error code with PTR_ERR(). Fix that. Add a note to the description of the 'nowatchdog' kernel parameter to associate it with this message. Reported-by: Cesare Leonardi Signed-off-by: Ben Hutchings Cc: 599368@bugs.debian.org Cc: 608138@bugs.debian.org Cc: Don Zickus Cc: Frederic Weisbecker LKML-Reference: <1294009362.3167.126.camel@localhost> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 8ce65f6d58a7cc3d6393422f6c4d39b4f6128f45 Author: Florian Fainelli Date: Fri Nov 26 10:39:55 2010 +0100 watchdog: Fix null pointer dereference while accessing rdc321x platform_data commit 3b3c1f24e96c411a95daabb6af9e09c5381f713b upstream. rdc321x-wdt currently fetches its driver specific data by using the platform_device->platform_data pointer, this is wrong because the mfd device which registers our platform_device has been added using mfd_add_device() which sets the platform_device->driver_data pointer instead. Signed-off-by: Florian Fainelli Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 8a228e5dcd2e464a974a06b4460f124afbe80ad3 Author: Ahmed S. Darwish Date: Sat Dec 25 11:57:09 2010 +0200 RAMOOPS: Don't overflow over non-allocated regions commit 1873bb8115e678ad9fd0aac9dbbc68383bc36e06 upstream. The current code mis-calculates the ramoops header size, leading to an overflow over the next record at best, or over a non-allocated region at worst. Fix that calculation. Signed-off-by: Ahmed S. Darwish Acked-by: Marco Stornelli Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 879ef03a76c5169898a121e988f3eaaabb95d73a Author: Wolfram Sang Date: Tue Dec 21 17:24:24 2010 -0800 rtc: rs5c372: fix buffer size commit 118364948fad7b6c0469ef2d3ddaee447d7a0b5f upstream. Match the buffer size to the amount of initialized values. Before, it was one too big and thus destroyed the neighbouring register causing the clock to run at false speeds. Reported-by: Andre van Rooyen Signed-off-by: Wolfram Sang Cc: Alessandro Zummo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c9009e7208be5a127d302a63602af1a6f15b17d9 Author: Hillf Danton Date: Wed Dec 29 21:55:28 2010 +0800 fix freeing user_struct in user cache commit 4ef9e11d6867f88951e30db910fa015300e31871 upstream. When racing on adding into user cache, the new allocated from mm slab is freed without putting user namespace. Since the user namespace is already operated by getting, putting has to be issued. Signed-off-by: Hillf Danton Acked-by: Serge Hallyn Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3c1d55408817cce6fb21d95b1cad3ba0af041c9f Author: Takashi Iwai Date: Fri Dec 10 08:40:31 2010 +0100 mmc: Fix re-probing with PM_POST_RESTORE notification commit 274476f8fe0b6ac9bac542cc39de12c3dd0f43f6 upstream. In the error-path where PM notifies PM_POST_RESTORE, the rescan-blockage should be cleared as well. Otherwise it'll be never re-probed. Also, as a bonus, this fixes a bug in S4 with user-mode suspend in the current code, as it sends PM_POST_RESTORE instead of PM_POST_HIBERNATION wrongly. Signed-off-by: Takashi Iwai Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 3582ab36ca47895d5fa41d341969bf0d3d12a879 Author: Nicolas Ferre Date: Fri Dec 10 19:14:32 2010 +0100 mmc: atmel-mci: fix multiblock SDIO transfers commit 2f1d791882d21a4002a719fb016a1ac21c8bd6b7 upstream. Based on report made by Yauhen in: "MMC: Fix multiblock SDIO transfers in AT91 MCI" patch, I report those changes to the brother driver: atmel-mci. So, this patch sets SDIO transfer types: SDIO block and SDIO byte transfers instead of using ordinary MMC block transfers. It is checking opcode for SDIO CMD53 and setting transfer type in MCI_CMDR register properly. Reported-by: Yauhen Kharuzhy Signed-off-by: Nicolas Ferre Acked-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 4be61e8c34498beb3364de68e16ca779b9ed609f Author: Yauhen Kharuzhy Date: Thu Nov 25 12:11:51 2010 +0200 mmc: at91_mci: fix multiblock SDIO transfers commit a2255ff45143001fecbc5e5a4b58fcb999d393ae upstream. The AT91 MCI has special SDIO transfer types: SDIO block and SDIO byte transfers, but at91_mci driver doesn't use them and handles all SDIO transfers as ordinary MMC block transfers. This causes problems for multiple-block SDIO transfers (in particular for 256-bytes blocks). Fix this situation by checking the opcode for SDIO CMD53 and setting the transfer type in the AT91_MCI_CMDR register properly. This patch was tested with libertas SDIO driver: problem with TX timeouts on big packets was eliminated. Signed-off-by: Yauhen Kharuzhy Signed-off-by: Nicolas Ferre Acked-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 2ea51982aef2d656e0ce5f0cf725c1c449730cba Author: Andres Salomon Date: Tue Dec 21 13:04:52 2010 -0800 cs5535-gpio: handle GPIO regs where higher (clear) bits are set commit 44658a11f312fb9217674cb90b1a11cbe17fd18d upstream. The default for non-READ_BACK GPIO regs is to have the clear bits set; this means that our original errata fix was too simplistic. This changes it to the following behavior: - when setting GPIOs, ignore the higher order bits (they're for clearing, we don't need to care about them). - when clearing GPIOs, keep all the bits, but unset (via XOR) the lower order bit that negates the clear bit that we care about. That is, if we're clearing GPIO 26 (val = 0x04000000), we first XOR what's currently in the register with 0x0400 (GPIO 26's SET bit), and then OR that with the GPIO 26's CLEAR bit. Tested-by: Daniel Drake Signed-off-by: Andres Salomon Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4403806037a7eba17c715337b4dd59d39b06cf94 Author: Andres Salomon Date: Tue Dec 21 13:04:42 2010 -0800 cs5535-gpio: don't apply errata #36 to edge detect GPIOs commit 001851659354cce436b749a793f3512a53394d80 upstream. The edge detect status GPIOs function differently from the other atomic model CS5536 GPIO registers; writing 1 to the high bits clears the GPIO, but writing 1 to the lower bits also clears the bit. This means that read-modify-write doesn't actually work for it, so don't apply the errata here. If a negative edge status gets lost after resume.. well, we tried our best! Tested-by: Daniel Drake Signed-off-by: Andres Salomon Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b3e874a07d483cfc8481626e7d812ad59c183c0b Author: Florian Fainelli Date: Fri Nov 26 10:39:54 2010 +0100 gpio: Fix null pointer dereference while accessing rdc321x platform_data commit fa6469cb5b2d16703464c344b943e2c025cb7858 upstream. rdc321x-gpio currently fetches its driver specific data by using the platform_device->platform_data pointer, this is wrong because the mfd device which registers our platform_device has been added using mfd_add_device() which sets the platform_device->driver_data pointer instead. Signed-off-by: Florian Fainelli Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit e67e86ead8aa2d1e36bb547100cfcb8bce964ed2 Author: Sarah Sharp Date: Thu Dec 9 10:29:00 2010 -0800 xhci: Fix issue with port array setup and buggy hosts. commit f8bbeabc34aa945ab4275abc9a4dfde0aea798ca upstream. Fix two bugs with the port array setup. The first bug will only show up with broken xHCI hosts with Extended Capabilities registers that have duplicate port speed entries for the same port. The idea with the original code was to set the port_array entry to -1 if the duplicate port speed entry said the port was a different speed than the original port speed entry. That would mean that later, the port would not be exposed to the USB core. Unfortunately, I forgot a continue statement, and the port_array entry would just be overwritten in the next line. The second bug would happen if there are conflicting port speed registers (so that some entry in port_array is -1), or one of the hardware port registers was not described in the port speed registers (so that some entry in port_array is 0). The code that sets up the usb2_ports array would accidentally claim those ports. That wouldn't really cause any user-visible issues, but it is a bug. This patch should go into the stable trees that have the port array and USB 3.0 port disabling prevention patches. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 43d896499a436a46ec95c0eb501d1d1e8aae84a8 Author: Ken Mills Date: Mon Dec 13 15:28:03 2010 +0000 n_gsm: gsm_data_alloc buffer allocation could fail and it is not being checked commit 093d804611b9a38fe59753b37c29f840518406a9 upstream. gsm_data_alloc buffer allocation could fail and it is not being checked. Add check for allocated buffer and return if the buffer allocation fails. Signed-off-by: Ken Mills Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit bd7e2ae3d4fe121c09a12ad1917b5d8e0200d95f Author: Ken Mills Date: Mon Dec 13 15:27:27 2010 +0000 n_gsm: Fix message length handling when building header commit be7a7411d63ccad165d66fe8e0b11b2ee336159b upstream. Fix message length handling when building header When the message length is greater than 127, the length field in the header is built incorrectly. According to the spec, when the length is less than 128 the length field is a single byte formatted as: bbbbbbb1. When it is greater than 127 then the field is two bytes of the format: bbbbbbb0 bbbbbbbb. Signed-off-by: Ken Mills Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 2f968c28dfa000be33a2c880b36553d38c7aabaa Author: Eduardo Costa Date: Tue Dec 14 14:37:59 2010 -0600 p54usb: New USB ID for Gemtek WUBI-100GW commit 56e6417b49132d4f56e9f2241d31942b90b46315 upstream. This USB ID is for the WUBI-100GW 802.11g Wireless LAN USB Device that uses p54usb. Signed-off-by: Larry Finger Signed-off-by: Eduardo Costa Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f05c257a7ae2582fac81df5586f1104ed3b6185e Author: Christian Lamparter Date: Sat Dec 11 12:19:48 2010 +0100 p54usb: add 5 more USBIDs commit 16cad7fba037b34ca32cc0adac65bc089d969fb8 upstream. This patch adds five more USBIDs to the table. Source: http://www.linuxant.com/pipermail/driverloader/2005q3/002307.html http://wireless.kernel.org/en/users/Drivers/p54/devices (by M. Davis) Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ccb29760fe7e70ec464be1f1d5518e8a12a34486 Author: Greg Kroah-Hartman Date: Thu Dec 16 15:52:30 2010 -0800 Revert "USB: gadget: Allow function access to device ID data during bind()" commit dbb442b85a1d82f91cfe0524c4f9b3a5196a10ca upstream. This reverts commit 1ab83238740ff1e1773d5c13ecac43c60cf4aec4. Turns out this doesn't allow for the device ids to be overridden properly, so we need to revert the thing. Reported-by: Jef Driesen Cc: Robert Lukassen Signed-off-by: Greg Kroah-Hartman commit 91dbc8483ead3f7535617e0f3d52cb86e2fdcb42 Author: Vitaly Kuznetsov Date: Tue Dec 14 10:16:49 2010 -0500 USB: usb-storage: unusual_devs entry for the Samsung YP-CP3 commit d73a9b3001f29271c2e9f2a806b05a431c5d9591 upstream. Add an unusual_devs entry for the Samsung YP-CP3 MP4 player. User was getting the following errors in dmesg: usb 2-6: reset high speed USB device using ehci_hcd and address 2 usb 2-6: reset high speed USB device using ehci_hcd and address 2 usb 2-6: reset high speed USB device using ehci_hcd and address 2 usb 2-6: USB disconnect, address 2 sd 3:0:0:0: [sdb] Assuming drive cache: write through sdb:<2>ldm_validate_partition_table(): Disk read failed. Dev sdb: unable to read RDB block 0 unable to read partition table Signed-off-by: Vitaly Kuznetsov Acked-by: Alan Stern CC: Matthew Dharm Signed-off-by: Greg Kroah-Hartman commit 11183c51579e566f3ae658954dde2cf69eb5dd42 Author: Florian Faber Date: Wed Dec 1 10:11:08 2010 +0100 USB: ftdi_sio: Add D.O.Tec PID commit 5363cdc3c5da9bd431552cf5989ab481596f0c6d upstream. Add FTDI PID to identify D.O.Tec devices correctly. Signed-off-by: Florian Faber Signed-off-by: Greg Kroah-Hartman commit b38a49cb0d2fd2d705d109dc203e3d5866a9aeac Author: Thomas Sailer Date: Tue Dec 14 16:04:05 2010 +0100 USB: misc: uss720.c: add another vendor/product ID commit ecc1624a2fff45780959efbcb73ace18fdb3c58d upstream. Fabio Battaglia report that he has another cable that works with this driver, so this patch adds its vendor/product ID. Signed-off-by: Thomas Sailer Signed-off-by: Greg Kroah-Hartman commit c11470084f1a32748ae3b8dc010522165a2665da Author: Tavis Ormandy Date: Thu Dec 9 15:29:42 2010 +0100 install_special_mapping skips security_file_mmap check. commit 462e635e5b73ba9a4c03913b77138cd57ce4b050 upstream. The install_special_mapping routine (used, for example, to setup the vdso) skips the security check before insert_vm_struct, allowing a local attacker to bypass the mmap_min_addr security restriction by limiting the available pages for special mappings. bprm_mm_init() also skips the check, and although I don't think this can be used to bypass any restrictions, I don't see any reason not to have the security check. $ uname -m x86_64 $ cat /proc/sys/vm/mmap_min_addr 65536 $ cat install_special_mapping.s section .bss resb BSS_SIZE section .text global _start _start: mov eax, __NR_pause int 0x80 $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o $ ./install_special_mapping & [1] 14303 $ cat /proc/14303/maps 0000f000-00010000 r-xp 00000000 00:00 0 [vdso] 00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping 00011000-ffffe000 rwxp 00000000 00:00 0 [stack] It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096. Signed-off-by: Tavis Ormandy Acked-by: Kees Cook Acked-by: Robert Swiecki [ Changed to not drop the error code - akpm ] Reviewed-by: James Morris Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8700fcb3172ed96f25c0dc9a7fcfc40eef8bbf92 Author: Yan Li Date: Tue Nov 30 23:51:03 2010 -0800 Input: synaptics - fix handling of 2-button ClickPads commit 3bfa321e662edf90fb8123a02c987c2965fa50bb upstream. Lenovo S10-3t's ClickPad is a 2-button ClickPad that reports BTN_LEFT and BTN_RIGHT as normal touchpad, unlike the 1-button ClickPad used in HP mini 210 that reports solely BTN_MIDDLE. In 0xc0-cap response, the 1-button ClickPad has the 20-bit set while 2-button ClickPad has the 8-bit set. This patch makes the kernel only handle 1-button ClickPad specially, and treat 2-button ClickPad in the same fashion as regular touchpads. This fixes kernel bug #18122 and MeeGo bug #4807. Signed-off-by: Yan Li Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 99ab0947abb08c8e66820155156cbc92b1387cb9 Author: Manoj Iyer Date: Tue Nov 23 07:43:44 2010 +0100 ALSA: hda - Enable jack sense for Thinkpad Edge 11 commit 6027277e77df2d2893d906c42f5c9f9abcb731e0 upstream. Add a quirk entry for Thinkpad Edge 11 as well as other TP Edge models. Signed-off-by: Manoj Iyer Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ad59379c15062cbd55560cdebfd5958eb0701783 Author: Ivo van Doorn Date: Mon Aug 23 19:56:07 2010 +0200 rt2x00: Fix max TX power settings commit 8d1331b37d5b656a7a8e561f8e9d7661dd00c910 upstream. During initialization each driver reads the default TX power for each individual channel. However mac80211 only accepts the maximum value (which is also handled as default value). As a result, the TX power of the device was being limited to the default value, which is often quite low compared to the real maximum acceptable value. This patch allows each driver to set the maximum value on a per-channel basis which is forwarded to mac80211. The default value will be preserved for now, in case we want to update mac80211 to differentiate between the maximum and default txpower. This fixes bug complaining about limited TX power values like: https://bugzilla.kernel.org/show_bug.cgi?id=16358 Signed-off-by: Ivo van Doorn Acked-by: Helmut Schaa Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cc1bdf49cfe22fe5f549126d9e3e1f5e754c1797 Author: Suresh Siddha Date: Mon Dec 6 12:26:30 2010 -0800 x86, vt-d: Quirk for masking vtd spec errors to platform error handling logic commit 254e42006c893f45bca48f313536fcba12206418 upstream. On platforms with Intel 7500 chipset, there were some reports of system hang/NMI's during kexec/kdump in the presence of interrupt-remapping enabled. During kdump, there is a window where the devices might be still using old kernel's interrupt information, while the kdump kernel is coming up. This can cause vt-d faults as the interrupt configuration from the old kernel map to null IRTE entries in the new kernel etc. (with out interrupt-remapping enabled, we still have the same issue but in this case we will see benign spurious interrupt hit the new kernel). Based on platform config settings, these platforms seem to generate NMI/SMI when a vt-d fault happens and there were reports that the resulting SMI causes the system to hang. Fix it by masking vt-d spec defined errors to platform error reporting logic. VT-d spec related errors are already handled by the VT-d OS code, so need to report the same error through other channels. Signed-off-by: Suresh Siddha LKML-Reference: <1291667190.2675.8.camel@sbsiddha-MOBL3.sc.intel.com> Reported-by: Max Asbock Reported-and-tested-by: Takao Indoh Acked-by: Chris Wright Acked-by: Kenji Kaneshige Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit f6e0591560cf3add6ee845cbde0825177044ca63 Author: Kenji Kaneshige Date: Wed Dec 1 09:40:32 2010 -0800 x86, vt-d: Fix the vt-d fault handling irq migration in the x2apic mode commit 086e8ced65d9bcc4a8e8f1cd39b09640f2883f90 upstream. In x2apic mode, we need to set the upper address register of the fault handling interrupt register of the vt-d hardware. Without this irq migration of the vt-d fault handling interrupt is broken. Signed-off-by: Kenji Kaneshige LKML-Reference: <1291225233.2648.39.camel@sbsiddha-MOBL3> Signed-off-by: Suresh Siddha Acked-by: Chris Wright Tested-by: Takao Indoh Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 5d3283a41c7cc33304eb90756f6f927d212fe0bf Author: Suresh Siddha Date: Tue Nov 30 22:22:29 2010 -0800 x86, vt-d: Handle previous faults after enabling fault handling commit 7f99d946e71e71d484b7543b49e990508e70d0c0 upstream. Fault handling is getting enabled after enabling the interrupt-remapping (as the success of interrupt-remapping can affect the apic mode and hence the fault handling mode). Hence there can potentially be some faults between the window of enabling interrupt-remapping in the vt-d and the fault-handling of the vt-d units. Handle any previous faults after enabling the vt-d fault handling. For v2.6.38 cleanup, need to check if we can remove the dmar_fault() in the enable_intr_remapping() and see if we can enable fault handling along with enabling intr-remapping. Signed-off-by: Suresh Siddha LKML-Reference: <20101201062244.630417138@intel.com> Acked-by: Chris Wright Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 6b1ddd2f73efbb7ec35637b592932f50274fc432 Author: Kenji Kaneshige Date: Tue Nov 30 22:22:28 2010 -0800 x86: Enable the intr-remap fault handling after local APIC setup commit 7f7fbf45c6b748074546f7f16b9488ca71de99c1 upstream. Interrupt-remapping gets enabled very early in the boot, as it determines the apic mode that the processor can use. And the current code enables the vt-d fault handling before the setup_local_APIC(). And hence the APIC LDR registers and data structure in the memory may not be initialized. So the vt-d fault handling in logical xapic/x2apic modes were broken. Fix this by enabling the vt-d fault handling in the end_local_APIC_setup() A cleaner fix of enabling fault handling while enabling intr-remapping will be addressed for v2.6.38. [ Enabling intr-remapping determines the usage of x2apic mode and the apic mode determines the fault-handling configuration. ] Signed-off-by: Kenji Kaneshige LKML-Reference: <20101201062244.541996375@intel.com> Signed-off-by: Suresh Siddha Acked-by: Chris Wright Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 832407f92081af87a2f5227c80c207ea6ee89f2e Author: H. Peter Anvin Date: Mon Dec 13 16:01:38 2010 -0800 x86, gcc-4.6: Use gcc -m options when building vdso commit de2a8cf98ecdde25231d6c5e7901e2cffaf32af9 upstream. The vdso Makefile passes linker-style -m options not to the linker but to gcc. This happens to work with earlier gcc, but fails with gcc 4.6. Pass gcc-style -m options, instead. Note: all currently supported versions of gcc supports -m32, so there is no reason to conditionalize it any more. Reported-by: H. J. Lu Signed-off-by: H. Peter Anvin LKML-Reference: Signed-off-by: Greg Kroah-Hartman commit 108d7726b7508b8aefce1f91ba97e56842f47f74 Author: Chris Metcalf Date: Tue Dec 14 15:57:49 2010 -0500 arch/tile: handle CLONE_SETTLS in copy_thread(), not user space commit bc4cf2bb271b2d557fc510426755da786fc985be upstream. Previously we were just setting up the "tp" register in the new task as started by clone() in libc. However, this is not quite right, since in principle a signal might be delivered to the new task before it had its TLS set up. (Of course, this race window still exists for resetting the libc getpid() cached value in the new task, in principle. But in any case, we are now doing this exactly the way all other architectures do it.) This change is important for 2.6.37 since the tile glibc we will be submitting upstream will not set TLS in user space any more, so it will only work on a kernel that has this fix. It should also be taken for 2.6.36.x in the stable tree if possible. Signed-off-by: Chris Metcalf Signed-off-by: Greg Kroah-Hartman commit 3ee6c4cf578834e96653b821054cc7fa7246affc Author: Slava Pestov Date: Wed Nov 24 15:13:16 2010 -0800 tracing: Fix panic when lseek() called on "trace" opened for writing commit 364829b1263b44aa60383824e4c1289d83d78ca7 upstream. The file_ops struct for the "trace" special file defined llseek as seq_lseek(). However, if the file was opened for writing only, seq_open() was not called, and the seek would dereference a null pointer, file->private_data. This patch introduces a new wrapper for seq_lseek() which checks if the file descriptor is opened for reading first. If not, it does nothing. Signed-off-by: Slava Pestov LKML-Reference: <1290640396-24179-1-git-send-email-slavapestov@google.com> Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit ccbfc7594abfb470ab719da568e8bbd4265a888d Author: NeilBrown Date: Thu Dec 9 17:02:14 2010 +1100 md: protect against NULL reference when waiting to start a raid10. commit 589a594be1fb8815b3f18e517be696c48664f728 upstream. When we fail to start a raid10 for some reason, we call md_unregister_thread to kill the thread that was created. Unfortunately md_thread() will then make one call into the handler (raid10d) even though md_wakeup_thread has not been called. This is not safe and as md_unregister_thread is called after mddev->private has been set to NULL, it will definitely cause a NULL dereference. So fix this at both ends: - md_thread should only call the handler if THREAD_WAKEUP has been set. - raid10 should call md_unregister_thread before setting things to NULL just like all the other raid modules do. This is applicable to 2.6.35 and later. Reported-by: "Citizen" Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 51e1adf0beb67766cddab3be2ae78c7787768693 Author: NeilBrown Date: Thu Dec 9 16:36:28 2010 +1100 md: fix bug with re-adding of partially recovered device. commit 1a855a0606653d2d82506281e2c686bacb4b2f45 upstream. With v0.90 metadata, a hot-spare does not become a full member of the array until recovery is complete. So if we re-add such a device to the array, we know that all of it is as up-to-date as the event count would suggest, and so it a bitmap-based recovery is possible. However with v1.x metadata, the hot-spare immediately becomes a full member of the array, but it record how much of the device has been recovered. If the array is stopped and re-assembled recovery starts from this point. When such a device is hot-added to an array we currently lose the 'how much is recovered' information and incorrectly included it as a full in-sync member (after bitmap-based fixup). This is wrong and unsafe and could corrupt data. So be more careful about setting saved_raid_disk - which is what guides the re-adding of devices back into an array. The new code matches the code in slot_store which does a similar thing, which is encouraging. This is suitable for any -stable kernel. Reported-by: "Dailey, Nate" Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit e3137a7421402111f917dff59184a5a088e88070 Author: Andreas Herrmann Date: Thu Dec 16 21:29:37 2010 +0100 x86, amd: Fix panic on AMD CPU family 0x15 [The mainline kernel doesn't have this problem. Commit "(23588c3) x86, amd: Add support for CPUID topology extension of AMD CPUs" removed the family check. But 2.6.32.y needs to be fixed.] This CPU family check is not required -- existence of the NodeId MSR is indicated by a CPUID feature flag which is already checked in amd_fixup_dcm() -- and it needlessly prevents amd_fixup_dcm() to be called for newer AMD CPUs. In worst case this can lead to a panic in the scheduler code for AMD family 0x15 multi-node AMD CPUs. I just have a picture of VGA console output so I can't copy-and-paste it herein, but the call stack of such a panic looked like: do_divide_error ... find_busiest_group run_rebalance_domains ... apic_timer_interrupt ... cpu_idle The mainline kernel doesn't have this problem. Commit "(23588c3) x86, amd: Add support for CPUID topology extension of AMD CPUs" removed the family check. But 2.6.32.y needs to be fixed. Signed-off-by: Andreas Herrmann Signed-off-by: Greg Kroah-Hartman commit 107fd06cf44abb702cd8f97c1f78a3de1c770dfb Author: David Kilroy Date: Sun Dec 5 15:45:58 2010 +0000 orinoco: clear countermeasure setting on commit commit ba34fcee476d11e7c9df95932787a22a96ff6e68 upstream. ... and interface up. In these situations, you are usually trying to connect to a new AP, so keeping TKIP countermeasures active is confusing. This is already how the driver behaves (inadvertently). However, querying SIOCGIWAUTH may tell userspace that countermeasures are active when they aren't. Clear the setting so that the reporting matches what the driver has done.. Signed-off by: David Kilroy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d2decdda7421a5917da51d62165417c2900a6ad6 Author: David Kilroy Date: Sun Dec 5 15:43:55 2010 +0000 orinoco: fix TKIP countermeasure behaviour commit 0a54917c3fc295cb61f3fb52373c173fd3b69f48 upstream. Enable the port when disabling countermeasures, and disable it on enabling countermeasures. This bug causes the response of the system to certain attacks to be ineffective. It also prevents wpa_supplicant from getting scan results, as wpa_supplicant disables countermeasures on startup - preventing the hardware from scanning. wpa_supplicant works with ap_mode=2 despite this bug because the commit handler re-enables the port. The log tends to look like: State: DISCONNECTED -> SCANNING Starting AP scan for wildcard SSID Scan requested (ret=0) - scan timeout 5 seconds EAPOL: disable timer tick EAPOL: Supplicant port status: Unauthorized Scan timeout - try to get results Failed to get scan results Failed to get scan results - try scanning again Setting scan request: 1 sec 0 usec Starting AP scan for wildcard SSID Scan requested (ret=-1) - scan timeout 5 seconds Failed to initiate AP scan. Reported by: Giacomo Comes Signed-off by: David Kilroy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 51b491044a371635e678255f525117751b09ffb9 Author: Eric Paris Date: Tue Nov 23 18:18:37 2010 -0500 inotify: stop kernel memory leak on file creation failure commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab upstream. If inotify_init is unable to allocate a new file for the new inotify group we leak the new group. This patch drops the reference on the group on file allocation failure. Reported-by: Vegard Nossum Signed-off-by: Eric Paris Signed-off-by: Greg Kroah-Hartman commit e87167421ba16d8b2ddd06154f6ce21070051348 Author: Rafael J. Wysocki Date: Thu Dec 16 17:11:58 2010 +0100 PM / Runtime: Fix pm_runtime_suspended() commit f08f5a0add20834d3f3d876dfe08005a5df656db upstream. There are some situations (e.g. in __pm_generic_call()), where pm_runtime_suspended() is used to decide whether or not to execute a device's (system) ->suspend() callback. The callback is not executed if pm_runtime_suspended() returns true, but it does so for devices that don't even support runtime PM, because the power.disable_depth device field is ignored by it. This leads to problems (i.e. devices are not suspened when they should), so rework pm_runtime_suspended() so that it returns false if the device's power.disable_depth field is different from zero. Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 8eebfc1e70521832bf5df619c632845bec0ebf2a Author: Lars-Peter Clausen Date: Thu Nov 4 23:25:56 2010 +0100 MIPS: jz4740: qi_lb60: Fix gpio for the 6th row of the keyboard matrix commit fe749aab1d21cbb4d87527a7df8799583c233496 upstream. This patch fixes the gpio number for the 6th row of the keyboard matrix. (And fixes a typo in my name...) Signed-off-by: Lars-Peter Clausen Cc: linux-mips@linux-mips.org Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 712fdd3c5b2b9cfa52a01b9fb22a3be9694bf147 Author: Alexey Starikovskiy Date: Thu Dec 9 17:07:54 2010 -0500 ACPI: EC: Add another dmi match entry for MSI hardware commit a5dc4f898c2a0f66e2cefada6c687db82ba2fcbc upstream. http://bugzilla.kernel.org/show_bug.cgi?id=15418 Signed-off-by: Alexey Starikovskiy Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 2ebd26f64ae7c6f86277b0cffb7a38cddabfed2f Author: Peter Zijlstra Date: Tue Nov 30 19:48:45 2010 +0100 sched: Cure more NO_HZ load average woes commit 0f004f5a696a9434b7214d0d3cbd0525ee77d428 upstream. There's a long-running regression that proved difficult to fix and which is hitting certain people and is rather annoying in its effects. Damien reported that after 74f5187ac8 (sched: Cure load average vs NO_HZ woes) his load average is unnaturally high, he also noted that even with that patch reverted the load avgerage numbers are not correct. The problem is that the previous patch only solved half the NO_HZ problem, it addressed the part of going into NO_HZ mode, not of comming out of NO_HZ mode. This patch implements that missing half. When comming out of NO_HZ mode there are two important things to take care of: - Folding the pending idle delta into the global active count. - Correctly aging the averages for the idle-duration. So with this patch the NO_HZ interaction should be complete and behaviour between CONFIG_NO_HZ=[yn] should be equivalent. Furthermore, this patch slightly changes the load average computation by adding a rounding term to the fixed point multiplication. Reported-by: Damien Wyart Reported-by: Tim McGrath Tested-by: Damien Wyart Tested-by: Orion Poplawski Tested-by: Kyle McMartin Signed-off-by: Peter Zijlstra Cc: Chase Douglas LKML-Reference: <1291129145.32004.874.camel@laptop> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4f7b9db5e1714319211bfdd1c31f38e6e536aa2a Author: Jeremy Fitzhardinge Date: Wed Dec 8 12:39:12 2010 -0800 xen: Provide a variant of __RING_SIZE() that is an integer constant expression commit 667c78afaec0ac500908e191e8f236e9578d7b1f upstream. Without this, gcc 4.5 won't compile xen-netfront and xen-blkfront, where this is being used to specify array sizes. Signed-off-by: Jan Beulich Signed-off-by: Jeremy Fitzhardinge Cc: Jens Axboe Cc: David Miller Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b3568787820faf58fd5429a6a392b555e6b2ae82 Author: Heiko Carstens Date: Fri Nov 26 13:42:47 2010 +0100 printk: Fix wake_up_klogd() vs cpu hotplug commit 49f4138346b3cec2706adff02658fe27ceb1e46f upstream. wake_up_klogd() may get called from preemptible context but uses __raw_get_cpu_var() to write to a per cpu variable. If it gets preempted between getting the address and writing to it, the cpu in question could be offline if the process gets scheduled back and hence writes to the per cpu data of an offline cpu. This buggy behaviour was introduced with fa33507a "printk: robustify printk, fix #2" which was supposed to fix a "using smp_processor_id() in preemptible" warning. Let's use this_cpu_write() instead which disables preemption and makes sure that the outlined scenario cannot happen. Signed-off-by: Heiko Carstens Acked-by: Eric Dumazet Signed-off-by: Peter Zijlstra LKML-Reference: <20101126124247.GC7023@osiris.boeblingen.de.ibm.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 19e88f19823998401819784fb063f18369005a7e Author: Andy Lutomirski Date: Tue Nov 16 18:40:52 2010 -0500 nouveau: Acknowledge HPD irq in handler, not bottom half commit ab838338a2a9e0cb8346eb0cab9977be13e8dce5 upstream. The old code generated an interrupt storm bad enough to completely take down my system. Signed-off-by: Andy Lutomirski Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 3ec215fbff5b6b9292874776d6c09d954d2e3eb9 Author: Bob Moore Date: Sat Oct 23 01:36:40 2010 -0400 ACPICA: Fix Scope() op in module level code commit 8df3fc981dc12d9fdcaef4100a2193b605024d7a upstream. Some Panasonic Toughbooks create nodes in module level code. Module level code is the executable AML code outside of control method, for example, below AML code creates a node \_SB.PCI0.GFX0.DD02.CUBL If (\_OSI ("Windows 2006")) { Scope (\_SB.PCI0.GFX0.DD02) { Name (CUBL, Ones) ... } } Scope() op does not actually create a new object, it refers to an existing object(\_SB.PCI0.GFX0.DD02 in above example). However, for Scope(), we want to indeed open a new scope, so the child nodes(CUBL in above example) can be created correctly under it. https://bugzilla.kernel.org/show_bug.cgi?id=19462 Signed-off-by: Bob Moore Signed-off-by: Lin Ming Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 8ea008ef14dc499b4c60ab2202e4033d8649601e Author: Andrej Ota Date: Sun Dec 12 15:06:16 2010 -0800 pppoe.c: Fix kernel panic caused by __pppoe_xmit [ Upstream commit 2a27a03d3a891e87ca33d27a858b4db734a4cbab ] __pppoe_xmit function return value was invalid resulting in additional call to kfree_skb on already freed skb. This resulted in memory corruption and consequent kernel panic after PPPoE peer terminated the link. This fixes commit 55c95e738da85373965cb03b4f975d0fd559865b. Reported-by: Gorik Van Steenberge Reported-by: Daniel Kenzelmann Reported-by: Denys Fedoryshchenko Reported-by: Pawel Staszewski Diagnosed-by: Andrej Ota Diagnosed-by: Eric Dumazet Tested-by: Denys Fedoryshchenko Tested-by: Pawel Staszewski Signed-off-by: Jarek Poplawski Signed-off-by: Andrej Ota Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 030803563383228d71ff3c4f83e3b6e4314fdc1c Author: Vasiliy Kulikov Date: Wed Nov 10 12:09:10 2010 -0800 net: packet: fix information leak to userland [ Upstream commit 67286640f638f5ad41a946b9a3dc75327950248f ] packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: Vasiliy Kulikov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b1b27e4a677bc8c92b3c83541b4981c000934bc2 Author: Eric Dumazet Date: Sun Dec 5 18:50:32 2010 +0000 net: fix skb_defer_rx_timestamp() [ Upstream commit a19faf0250e09b16cac169354126404bc8aa342b ] After commit c1f19b51d1d8 (net: support time stamping in phy devices.), kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and skb_defer_rx_timestamp() handles a packet without an ethernet header. Fixes kernel bugzilla #24102 Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102 Reported-and-tested-by: Andrew Watts Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8cd7b4be422ff636fb4359a77c437a214c6f272f Author: Mariusz Kozlowski Date: Mon Nov 8 11:58:45 2010 +0000 net: Fix header size check for GSO case in recvmsg (af_packet) [ Upstream commit 1f18b7176e2e41fada24584ce3c80e9abfaca52b] Parameter 'len' is size_t type so it will never get negative. Signed-off-by: Mariusz Kozlowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 948ac19ea40013395fd277d43fd9ea3c3dcb491a Author: Eric Dumazet Date: Tue Nov 9 11:46:33 2010 -0800 net/dst: dst_dev_event() called after other notifiers [ Upstream commit 332dd96f7ac15e937088fe11f15cfe0210e8edd1 ] Followup of commit ef885afbf8a37689 (net: use rcu_barrier() in rollback_registered_many) dst_dev_event() scans a garbage dst list that might be feeded by various network notifiers at device dismantle time. Its important to call dst_dev_event() after other notifiers, or we might enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER, dev) to properly remove last device references. Use priority -10 to let dst_dev_notifier be called after other network notifiers (they have the default 0 priority) Reported-by: Ben Greear Reported-by: Nicolas Dichtel Reported-by: Octavian Purdila Reported-by: Benjamin LaHaise Tested-by: Ben Greear Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5749c7a48207e21c7a98b07ff21c51ee20ed0bff Author: Ben Hutchings Date: Fri Dec 17 10:16:23 2010 -0800 tehuti: Firmware filename is tehuti/bdx.bin [ Upstream commit 46814e08d80f87449b5adb3d549a3cae6f9f8148 ] My conversion of tehuti to use request_firmware() was confused about the filename of the firmware blob. Change the driver to match the blob. Signed-off-by: Ben Hutchings Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b54eef07c1fcaa684cd75f4652446cdb53f8f832 Author: Apollon Oikonomopoulos Date: Tue Dec 7 09:43:30 2010 +0000 x25: decrement netdev reference counts on unload [ Upstream commit 171995e5d82dcc92bea37a7d2a2ecc21068a0f19] x25 does not decrement the network device reference counts on module unload. Thus unregistering any pre-existing interface after unloading the x25 module hangs and results in unregister_netdevice: waiting for tap0 to become free. Usage count = 1 This patch decrements the reference counts of all interfaces in x25_link_free, the way it is already done in x25_link_device_down for NETDEV_DOWN events. Signed-off-by: Apollon Oikonomopoulos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0f8465525bd438e48ba7f8fa126795170067eaf2 Author: Michal Marek Date: Mon Dec 6 02:39:12 2010 +0000 l2tp: Fix modalias of l2tp_ip [ Upstream commit e8d34a884e4ff118920bb57664def8a73b1b784f] Using the SOCK_DGRAM enum results in "net-pf-2-proto-SOCK_DGRAM-type-115", so use the numeric value like it is done in net/dccp. Signed-off-by: Michal Marek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b0460db42b29408661b089c477b81ddf2c5e39fd Author: Changli Gao Date: Sat Dec 4 14:09:08 2010 +0000 ifb: goto resched directly if error happens and dp->tq isn't empty [ Upstream commit 75c1c82566f23dd539fb7ccbf57a1caa7ba82628 ] If we break the loop when there are still skbs in tq and no skb in rq, the skbs will be left in txq until new skbs are enqueued into rq. In rare cases, no new skb is queued, then these skbs will stay in rq forever. After this patch, if tq isn't empty when we break the loop, we goto resched directly. Signed-off-by: Changli Gao Signed-off-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b5703e91bc18c166d8b97ee39902d6b9427f8cd1 Author: David S. Miller Date: Wed Dec 8 18:42:23 2010 -0800 econet: Fix crash in aun_incoming(). [ Upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64 ] Unconditional use of skb->dev won't work here, try to fetch the econet device via skb_dst()->dev instead. Suggested by Eric Dumazet. Reported-by: Nelson Elhage Tested-by: Nelson Elhage Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 32f2fd79682b8b961c01c65689d2999e2081834f Author: Nelson Elhage Date: Wed Dec 8 10:13:55 2010 -0800 econet: Do the correct cleanup after an unprivileged SIOCSIFADDR. [ Upstream commit 0c62fc6dd02c8d793c75ae76a9b6881fc36388ad] We need to drop the mutex and do a dev_put, so set an error code and break like the other paths, instead of returning directly. Signed-off-by: Nelson Elhage Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 414bdc25810282f9cf56a3335e695c263e487727 Author: Eric Dumazet Date: Mon Dec 6 09:29:43 2010 -0800 filter: fix sk_filter rcu handling [ Upstream commit 46bcf14f44d8f31ecfdc8b6708ec15a3b33316d9 ] Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and sk_clone() in commit 47e958eac280c263397 Problem is we can have several clones sharing a common sk_filter, and these clones might want to sk_filter_attach() their own filters at the same time, and can overwrite old_filter->rcu, corrupting RCU queues. We can not use filter->rcu without being sure no other thread could do the same thing. Switch code to a more conventional ref-counting technique : Do the atomic decrement immediately and queue one rcu call back when last reference is released. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3e73328da09594bc4d40736c8b05c845558f0074 Author: Herbert Xu Date: Wed Nov 3 13:31:05 2010 +0000 cls_cgroup: Fix crash on module unload [ Upstream commit c00b2c9e79466d61979cd21af526cc6d5d0ee04f ] Somewhere along the lines net_cls_subsys_id became a macro when cls_cgroup is built as a module. Not only did it make cls_cgroup completely useless, it also causes it to crash on module unload. This patch fixes this by removing that macro. Thanks to Eric Dumazet for diagnosing this problem. Reported-by: Randy Dunlap Signed-off-by: Herbert Xu Reviewed-by: Li Zefan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e4457f8db8e7c501d2c9d462c9226ae3092ca775 Author: David Stevens Date: Tue Dec 14 08:42:16 2010 +0000 bridge: fix IPv6 queries for bridge multicast snooping [ Upstream commit 76d661586c8131453ba75a2e027c1f21511a893a] This patch fixes a missing ntohs() for bridge IPv6 multicast snooping. Signed-off-by: David L Stevens Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 04e3fa3f82bc7344115908275152128175adb37f Author: Hillf Danton Date: Fri Dec 10 18:54:11 2010 +0000 bonding: Fix slave selection bug. [ Upstream commit af3e5bd5f650163c2e12297f572910a1af1b8236 ] The returned slave is incorrect, if the net device under check is not charged yet by the master. Signed-off-by: Hillf Danton Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cd3999e471541992b7bbbafaa7114c26202a9916 Author: Joe Jin Date: Mon Dec 6 03:00:59 2010 +0000 driver/net/benet: fix be_cmd_multicast_set() memcpy bug [ Upstream commit 3fd40d0ceac9c234243730f4d7a6ffdb2fd3023a ] Regarding benet be_cmd_multicast_set() function, now using netdev_for_each_mc_addr() helper for mac address copy, but when copying to req->mac[] did not increase of the index. Cc: Sathya Perla Cc: Subbu Seetharaman Cc: Sarveshwar Bandi Cc: Ajit Khaparde Signed-off-by: Joe Jin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cd2e85450f014987d0c6ad364662e90c843a4a79 Author: Vasiliy Kulikov Date: Wed Nov 10 10:14:33 2010 -0800 net: ax25: fix information leak to userland [ Upstream commit fe10ae53384e48c51996941b7720ee16995cbcb7 ] Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater field of fsa struct, also the struct has padding bytes between sax25_call and sax25_ndigis fields. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12987cd3a4e09156453804cf90bb7cdb5a29e15c Author: Eric Dumazet Date: Thu Nov 25 04:11:39 2010 +0000 af_unix: limit recursion level [ Upstream commit 25888e30319f8896fc656fc68643e6a078263060 ] Its easy to eat all kernel memory and trigger NMI watchdog, using an exploit program that queues unix sockets on top of others. lkml ref : http://lkml.org/lkml/2010/11/25/8 This mechanism is used in applications, one choice we have is to have a recursion limit. Other limits might be needed as well (if we queue other types of files), since the passfd mechanism is currently limited by socket receive queue sizes only. Add a recursion_level to unix socket, allowing up to 4 levels. Each time we send an unix socket through sendfd mechanism, we copy its recursion level (plus one) to receiver. This recursion level is cleared when socket receive queue is emptied. Reported-by: Марк Коренберг Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f7e86272f0b8fcc627c3d4a42db21419f1995b9a Author: Eric Dumazet Date: Wed Nov 24 09:15:27 2010 -0800 af_unix: limit unix_tot_inflight [ Upstream commit 9915672d41273f5b77f1b3c29b391ffb7732b84b ] Vegard Nossum found a unix socket OOM was possible, posting an exploit program. My analysis is we can eat all LOWMEM memory before unix_gc() being called from unix_release_sock(). Moreover, the thread blocked in unix_gc() can consume huge amount of time to perform cleanup because of huge working set. One way to handle this is to have a sensible limit on unix_tot_inflight, tested from wait_for_unix_gc() and to force a call to unix_gc() if this limit is hit. This solves the OOM and also reduce overall latencies, and should not slowdown normal workloads. Reported-by: Vegard Nossum Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 306030ab289880475a63ebab1948ea300ec46d89 Author: françois romieu Date: Mon Nov 8 13:23:58 2010 +0000 r8169: fix sleeping while holding spinlock. [ Upstream commit ea80907ff066edd1dd43c5fe90ae6677d15e6384 ] As device_set_wakeup_enable can now sleep, move the call to outside the critical section. Signed-off-by: Daniel J Blueman Acked-by: Rafael J. Wysocki Acked-by: Andrew Hendry Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ed42d595284de87fd6bd4eba9be3f13163dc4546 Author: Shan Wei Date: Wed Nov 17 11:55:08 2010 -0800 8139cp: fix checksum broken [ Upstream commit 24b7ea9f6c9787fad885442ed0cc010f1aa69cca ] I am not family with RealTek RTL-8139C+ series 10/100 PCI Ethernet driver. I try to guess the meaning of RxProtoIP and IPFail. RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp. !(status & IPFail) is true means that driver correctly to check checksum in IPv4 header. If these are right, driver will set ip_summed with CHECKSUM_UNNECESSARY for other upper protocol, e.g. sctp, igmp protocol. This will cause protocol stack ignores checksum check for packets with invalid checksum. This patch is only compile-test. Signed-off-by: Shan Wei Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2efb9908d6ac415d69b2688b684799c51eb844fd Author: Eric Dumazet Date: Tue Dec 7 12:20:47 2010 +0000 tcp: protect sysctl_tcp_cookie_size reads [ Upstream commit f19872575ff7819a3723154657a497d9bca66b33 ] Make sure sysctl_tcp_cookie_size is read once in tcp_cookie_size_check(), or we might return an illegal value to caller if sysctl_tcp_cookie_size is changed by another cpu. Signed-off-by: Eric Dumazet Cc: Ben Hutchings Cc: William Allen Simpson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 90548909f7ff41934b9f719e9331695695cb3988 Author: Eric Dumazet Date: Tue Dec 7 12:03:55 2010 +0000 tcp: avoid a possible divide by zero [ Upstream commit ad9f4f50fe9288bbe65b7dfd76d8820afac6a24c ] sysctl_tcp_tso_win_divisor might be set to zero while one cpu runs in tcp_tso_should_defer(). Make sure we dont allow a divide by zero by reading sysctl_tcp_tso_win_divisor exactly once. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dea96398b30bf6b5d966a9133d0ad30cd1aa946b Author: Nandita Dukkipati Date: Fri Dec 3 13:33:44 2010 +0000 tcp: Bug fix in initialization of receive window. [ Upstream commit b1afde60f2b9ee8444fba4e012dc99a3b28d224d ] The bug has to do with boundary checks on the initial receive window. If the initial receive window falls between init_cwnd and the receive window specified by the user, the initial window is incorrectly brought down to init_cwnd. The correct behavior is to allow it to remain unchanged. Signed-off-by: Nandita Dukkipati Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 60352f160a1a9d430f119a40924b0c3338ed5449 Author: David S. Miller Date: Wed Nov 24 11:47:22 2010 -0800 tcp: Make TCP_MAXSEG minimum more correct. [ Upstream commit c39508d6f118308355468314ff414644115a07f3 ] Use TCP_MIN_MSS instead of constant 64. Reported-by: Min Zhang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b4b3549b743a59b62a9324d2c9fa59a5f6bf00b3 Author: David S. Miller Date: Wed Nov 10 21:35:37 2010 -0800 tcp: Increase TCP_MAXSEG socket option minimum. [ Upstream commit 7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2 ] As noted by Steve Chen, since commit f5fff5dc8a7a3f395b0525c02ba92c95d42b7390 ("tcp: advertise MSS requested by user") we can end up with a situation where tcp_select_initial_window() does a divide by a zero (or even negative) mss value. The problem is that sometimes we effectively subtract TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss. Fix this by increasing the minimum from 8 to 64. Reported-by: Steve Chen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a20c23951bb8ec4fb95261ed18d455c3182c6c29 Author: David S. Miller Date: Fri Nov 12 13:35:00 2010 -0800 tcp: Don't change unlocked socket state in tcp_v4_err(). [ Upstream commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d ] Alexey Kuznetsov noticed a regression introduced by commit f1ecd5d9e7366609d640ff4040304ea197fbc618 ("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable") The RTO and timer modification code added to tcp_v4_err() doesn't check sock_owned_by_user(), which if true means we don't have exclusive access to the socket and therefore cannot modify it's critical state. Just skip this new code block if sock_owned_by_user() is true and eliminate the now superfluous sock_owned_by_user() code block contained within. Reported-by: Alexey Kuznetsov Signed-off-by: David S. Miller CC: Damian Lukowski Acked-by: Eric Dumazet Signed-off-by: Greg Kroah-Hartman commit 8bd4c943ef702ec2b71f55945b02350c41f62c78 Author: David S. Miller Date: Tue Nov 30 20:15:58 2010 -0800 sparc: Write to prom console using indirect buffer. [ Upstream commit 595a251c0740785fd3c0d2156d78578c7479811e ] sparc64 systems have a restriction in that passing in buffer addressses above 4GB to prom calls is not reliable. We end up violating this when we do prom console writes, because we use an on-stack buffer to translate '\n' into '\r\n'. So instead, do this translation into an intermediate buffer, which is in the kernel image and thus below 4GB, then pass that to the PROM console write calls. On the 32-bit side we don't have to deal with any of these issues, so the new prom_console_write_buf() uses the existing prom_nbputchar() implementation. However we can now mark those routines static. Since the 64-bit side completely uses new code we can delete the putchar bits as they are now completely unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3bf4603189bbc26df2c9dc69004039aaca9efceb Author: David S. Miller Date: Tue Nov 30 14:53:05 2010 -0800 sparc: Delete prom_*getchar(). [ Upstream commit 12c7a35ee6a1c605e740733f2cbd5b5079f09f0f ] Completely unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c102cb1a7ba73faa22a0c600a69d61c22047d602 Author: David S. Miller Date: Tue Nov 30 14:33:29 2010 -0800 sparc: Pass buffer pointer all the way down to prom_{get,put}char(). [ Upstream commit e62cac1fd035b4cde707285008499dbe71955a86 ] This gets us closer to being able to eliminate the use of dynamic and stack based buffers, so that we can adhere to the "no buffer addresses above 4GB" rule for PROM calls. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fdd634924c92ce50311e7125212c6b61738e4a7d Author: David S. Miller Date: Wed Nov 17 10:22:56 2010 -0800 sparc: Do not export prom_nb{get,put}char(). [ Upstream commit 91921fef7c658b12de53376b312d071d757f7770 ] Never used outside of console_{32,64}.c Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6a3593f1a31600505729ebcdd6a931350045b143 Author: David S. Miller Date: Tue Nov 16 12:50:19 2010 -0800 sparc64: Delete prom_setcallback(). [ Upstream commit c540ee70e49b573535c7ddfd0e9a0fc9d549c8b7 ] Unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b6cb9e493c5017af761d968452997f0c0f9f4fee Author: David S. Miller Date: Tue Nov 16 12:24:16 2010 -0800 sparc64: Unexport prom_service_exists(). [ Upstream commit f7b5f55ac1623dfde24ef5319ad77c1746645f3f ] Only used by functions in misc_64.c so make it private to that file. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 58e9ccd95b82311e5344089432b66dfd0a46719b Author: David S. Miller Date: Tue Nov 16 12:23:20 2010 -0800 sparc: Kill prom devops_{32,64}.c [ Upstream commit b148246912bea92bde2a0cba125ca94f1f776b12 ] Completely unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4b4a1ce590594bf8e8961fc22c8ef5fd1622f80b Author: David S. Miller Date: Tue Nov 16 12:11:15 2010 -0800 sparc: Remove prom_pathtoinode() [ Upstream commit 17d70d6df0c4ea7a203b444001572a91ad9c2bef ] Unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a5fc05470b54d2c779622d564015dd4ff8e9f411 Author: David S. Miller Date: Tue Nov 16 12:08:23 2010 -0800 sparc64: Delete prom_puts() unused. [ Upstream commit ce05a94efaf71d562eeefd30d6bbc2ab42b06bac ] Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 41b9c9773cf0df146cd14a34b94ff4ca2dbe4fce Author: Daniel Hellstrom Date: Fri Oct 29 13:25:24 2010 -0700 SPARC/LEON: removed constant timer initialization as if HZ=100, now it reflects the value of HZ [ Upstream commit b690c425fe07c725e7f1f7d40303588416cba67f ] Signed-off-by: Daniel Hellstrom Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a3b8ff8e182a99ba957268500218a9db63d37844 Author: Helmut Schaa Date: Thu Dec 2 18:44:09 2010 +0100 mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs commit 7e2447075690860e2cea96b119fc9cadbaa7e83c upstream. mac80211 doesn't handle shared skbs correctly at the moment. As a result a possible resize can trigger a BUG in pskb_expand_head. [ 676.030000] Kernel bug detected[#1]: [ 676.030000] Cpu 0 [ 676.030000] $ 0 : 00000000 00000000 819662ff 00000002 [ 676.030000] $ 4 : 81966200 00000020 00000000 00000020 [ 676.030000] $ 8 : 819662e0 800043c0 00000002 00020000 [ 676.030000] $12 : 3b9aca00 00000000 00000000 00470000 [ 676.030000] $16 : 80ea2000 00000000 00000000 00000000 [ 676.030000] $20 : 818aa200 80ea2018 80ea2000 00000008 [ 676.030000] $24 : 00000002 800ace5c [ 676.030000] $28 : 8199a000 8199bd20 81938f88 80f180d4 [ 676.030000] Hi : 0000026e [ 676.030000] Lo : 0000757e [ 676.030000] epc : 801245e4 pskb_expand_head+0x44/0x1d8 [ 676.030000] Not tainted [ 676.030000] ra : 80f180d4 ieee80211_skb_resize+0xb0/0x114 [mac80211] [ 676.030000] Status: 1000a403 KERNEL EXL IE [ 676.030000] Cause : 10800024 [ 676.030000] PrId : 0001964c (MIPS 24Kc) [ 676.030000] Modules linked in: mac80211_hwsim rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 aes_generic deflate ecb cbc [last unloaded: rt2800pci] [ 676.030000] Process kpktgend_0 (pid: 97, threadinfo=8199a000, task=81879f48, tls=00000000) [ 676.030000] Stack : ffffffff 00000000 00000000 00000014 00000004 80ea2000 00000000 00000000 [ 676.030000] 818aa200 80f180d4 ffffffff 0000000a 81879f78 81879f48 81879f48 00000018 [ 676.030000] 81966246 80ea2000 818432e0 80f1a420 80203050 81814d98 00000001 81879f48 [ 676.030000] 81879f48 00000018 81966246 818432e0 0000001a 8199bdd4 0000001c 80f1b72c [ 676.030000] 80203020 8001292c 80ef4aa2 7f10b55d 801ab5b8 81879f48 00000188 80005c90 [ 676.030000] ... [ 676.030000] Call Trace: [ 676.030000] [<801245e4>] pskb_expand_head+0x44/0x1d8 [ 676.030000] [<80f180d4>] ieee80211_skb_resize+0xb0/0x114 [mac80211] [ 676.030000] [<80f1a420>] ieee80211_xmit+0x150/0x22c [mac80211] [ 676.030000] [<80f1b72c>] ieee80211_subif_start_xmit+0x6f4/0x73c [mac80211] [ 676.030000] [<8014361c>] pktgen_thread_worker+0xfac/0x16f8 [ 676.030000] [<8002ebe8>] kthread+0x7c/0x88 [ 676.030000] [<80008e0c>] kernel_thread_helper+0x10/0x18 [ 676.030000] [ 676.030000] [ 676.030000] Code: 24020001 10620005 2502001f <0200000d> 0804917a 00000000 2502001f 00441023 00531021 Fix this by making a local copy of shared skbs prior to mangeling them. To avoid copying the skb unnecessarily move the skb_copy call below the checks that don't need write access to the skb. Also, move the assignment of nh_pos and h_pos below the skb_copy to point to the correct skb. It would be possible to avoid another resize of the copied skb by using skb_copy_expand instead of skb_copy but that would make the patch more complex. Also, shared skbs are a corner case right now, so the resize shouldn't matter much. Cc: Johannes Berg Signed-off-by: Helmut Schaa Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit df60374d301d5f31210de8342c32a13881d117c0 Author: Matteo Croce Date: Fri Dec 3 02:25:08 2010 +0100 ath9k: fix bug in tx power commit 841051602e3fa18ea468fe5a177aa92b6eb44b56 upstream. The ath9k driver subtracts 3 dBm to the txpower as with two radios the signal power is doubled. The resulting value is assigned in an u16 which overflows and makes the card work at full power. Signed-off-by: Matteo Croce Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 1be6baf90fee9d7c947af2a087faeb95924b99f6 Author: Felix Fietkau Date: Wed Dec 1 19:07:46 2010 +0100 ath9k_hw: fix endian issues with CTLs on AR9003 commit e702ba18f25887c76d26c8a85cc1706463c62e9a upstream. Parsing data using bitfields is messy, because it makes endian handling much harder. AR9002 and earlier got it right, AR9003 got it wrong. This might lead to either using too high or too low tx power values, depending on frequency and eeprom settings. Fix it by getting rid of the CTL related bitfields entirely and use masks instead. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 31f0fa5ae67535db3716b2efd5718c8595370dd4 Author: Vasanthakumar Thiagarajan Date: Tue Nov 30 23:24:09 2010 -0800 ath9k: Fix bug in reading input gpio state for ar9003 commit 9306990a656d9cfd8bf3586938012729c1f2ea50 upstream. The register which gives input gpio state is 0x404c for ar9003, currently 0x4048 is wrongly used. This will disable RF and make it unusable on some of AR9003. Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a7d44afb17b90f24f54ed42fa06da098f8ece530 Author: Senthil Balasubramanian Date: Tue Nov 30 20:15:39 2010 +0530 ath9k: Fix STA disconnect issue due to received MIC failed bcast frames commit 916448e77f6bcaaa7f13c3de0c3851783ae2bfd0 upstream. AR_RxKeyIdxValid will not be set for bcast/mcast frames and so relying this status for MIC failed frames is buggy. Due to this, MIC failure events for broadcast frames are not sent to supplicant resulted in AP disconnecting the STA. Able to pass Wifi Test case 5.2.18 with this fix. Signed-off-by: Senthil Balasubramanian Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9d80540c4953d10835f72031fb99395a96f48fae Author: Rajkumar Manoharan Date: Fri Nov 26 23:24:31 2010 +0530 ath9k: Disable SWBA interrupt on remove_interface commit 46047784b8cdcfc916f6c1cccee0c18dd1223dfd upstream. while removing beaconing mode interface, SWBA interrupt was never disabled when there are no other beaconing interfaces. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 63315af24c7fcacc61bbaab166f58c73ba69f9d2 Author: Eric Dumazet Date: Sun Dec 5 02:03:26 2010 +0000 llc: fix a device refcount imbalance commit 35d9b0c906ad92d32a0b8db5daa6fabfcc2f068d upstream. Le dimanche 05 décembre 2010 à 12:23 +0100, Eric Dumazet a écrit : > Le dimanche 05 décembre 2010 à 09:19 +0100, Eric Dumazet a écrit : > > > Hmm.. > > > > If somebody can explain why RTNL is held in arp_ioctl() (and therefore > > in arp_req_delete()), we might first remove RTNL use in arp_ioctl() so > > that your patch can be applied. > > > > Right now it is not good, because RTNL wont be necessarly held when you > > are going to call arp_invalidate() ? > > While doing this analysis, I found a refcount bug in llc, I'll send a > patch for net-2.6 Oh well, of course I must first fix the bug in net-2.6, and wait David pull the fix in net-next-2.6 before sending this rcu conversion. Note: this patch should be sent to stable teams (2.6.34 and up) [PATCH net-2.6] llc: fix a device refcount imbalance commit abf9d537fea225 (llc: add support for SO_BINDTODEVICE) added one refcount imbalance in llc_ui_bind(), because dev_getbyhwaddr() doesnt take a reference on device, while dev_get_by_index() does. Fix this using RCU locking. And since an RCU conversion will be done for 2.6.38 for dev_getbyhwaddr(), put the rcu_read_lock/unlock exactly at their final place. Signed-off-by: Eric Dumazet Cc: Octavian Purdila Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4feb17d661dd3817245bbc90bbb38025d7d33fbe Author: Mike Hernandez Date: Tue Nov 23 16:52:46 2010 -0800 qla2xxx: Populate Command Type 6 LUN field properly. commit 85727e1f78bd8392a0657ad6a4ff85fef1cc4a6d upstream. Use the host_to_fcp_swap call to correctly populate the LUN field in the Command Type 6 path. This field is used during LUN reset cleanup and must match the field used in the FCP command. Signed-off-by: Mike Hernandez Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 326212701ed2adbb83e4f6a23f48f84c54bbf456 Author: Andrew Vasquez Date: Tue Nov 23 16:52:48 2010 -0800 qla2xxx: Correct issue where NPIV-config data was not being allocated for 82xx parts. commit 087c621e22f49c326cdc65d98c6fc0737ac13533 upstream. This would cause a panic while reading the NPIV-config data. Signed-off-by: Andrew Vasquez Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit b12e2289242e18aafd9b6699a5087375d2297da8 Author: Valentine Barshak Date: Tue Dec 14 00:03:16 2010 +0100 ARM: 6535/1: V6 MPCore v6_dma_inv_range and v6_dma_flush_range RWFO fix commit 85b093bcc5322baa811a03ec73de0909c157f181 upstream. Cache ownership must be acquired by reading/writing data from the cache line to make cache operation have the desired effect on the SMP MPCore CPU. However, the ownership is never acquired in the v6_dma_inv_range function when cleaning the first line and flushing the last one, in case the address is not aligned to D_CACHE_LINE_SIZE boundary. Fix this by reading/writing data if needed, before performing cache operations. While at it, fix v6_dma_flush_range to prevent RWFO outside the buffer. Signed-off-by: Valentine Barshak Signed-off-by: George G. Davis Acked-by: Catalin Marinas Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 91364cfb2f9bd6ec8d0a91989024f2010d2967b1 Author: Takashi Iwai Date: Fri Dec 10 00:16:39 2010 +0100 PM / Hibernate: Fix PM_POST_* notification with user-space suspend commit 1497dd1d29c6a53fcd3c80f7ac8d0e0239e7389e upstream. The user-space hibernation sends a wrong notification after the image restoration because of thinko for the file flag check. RDONLY corresponds to hibernation and WRONLY to restoration, confusingly. Signed-off-by: Takashi Iwai Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit ee9b8be2eb2f7bd2b56b0ed14c7652e5e14a2d9b Author: Dan Carpenter Date: Wed Oct 13 09:13:12 2010 +0000 IB/uverbs: Handle large number of entries in poll CQ commit 7182afea8d1afd432a17c18162cc3fd441d0da93 upstream. In ib_uverbs_poll_cq() code there is a potential integer overflow if userspace passes in a large cmd.ne. The calls to kmalloc() would allocate smaller buffers than intended, leading to memory corruption. There iss also an information leak if resp wasn't all used. Unprivileged userspace may call this function, although only if an RDMA device that uses this function is present. Fix this by copying CQ entries one at a time, which avoids the allocation entirely, and also by moving this copying into a function that makes sure to initialize all memory copied to userspace. Special thanks to Jason Gunthorpe for his help and advice. Signed-off-by: Dan Carpenter [ Monkey around with things a bit to avoid bad code generation by gcc when designated initializers are used. - Roland ] Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 607cad435110a59b033077aeca9ddaa0931f5b32 Author: Suresh Siddha Date: Tue Nov 16 13:23:51 2010 -0800 x86, xsave: Use alloc_bootmem_align() instead of alloc_bootmem() commit 10340ae130fb70352eae1ae8a00b7906d91bf166 upstream. Alignment of alloc_bootmem() depends on the value of L1_CACHE_SHIFT. What we need here, however, is 64 byte alignment. Use alloc_bootmem_align() and explicitly specify the alignment instead. This fixes a kernel boot crash reported by Jody when the cpu in .config is set to MPENTIUMII but the kernel is booted on a xsave-capable CPU. Reported-by: Jody Bruchon Signed-off-by: Suresh Siddha LKML-Reference: <20101116212442.059967454@sbsiddha-MOBL3.sc.intel.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 297ff1579de0847f15bb23b15b171570da270c09 Author: Suresh Siddha Date: Tue Nov 16 13:23:50 2010 -0800 bootmem: Add alloc_bootmem_align() commit 53dde5f385bc56e312f78b7cb25ffaf8efd4735d upstream. Add an alloc_bootmem_align() interface to allocate bootmem with specified alignment. This is necessary to be able to allocate the xsave area in a subsequent patch. Signed-off-by: Suresh Siddha LKML-Reference: <20101116212441.977574826@sbsiddha-MOBL3.sc.intel.com> Acked-by: H. Peter Anvin Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 6f92687b79abede5134a20e42980bb24eef1c7ea Author: Dmitry Artamonow Date: Wed Dec 8 23:36:17 2010 +0300 ASoC: fix deemphasis control in wm8904/55/60 codecs commit 3f343f8512c7882a3637d9aea4ec6b3801cbcdc5 upstream. Deemphasis control's .get callback should update control's value instead of returning it - return value of callback function is used for indicating error or success of operation. Signed-off-by: Dmitry Artamonow Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a51f753947c91480c42a8480ec65b102b6ec7d22 Author: Seungwhan Youn Date: Thu Dec 9 18:07:52 2010 +0900 ASoC: WM8580: Fix R8 initial value commit a0968628097380be52db8b4664da98fc425546a5 upstream. Acc to WM8580 manual, the default value for R8 is 0x10, not 0x1c. Signed-off-by: Seungwhan Youn Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 38312ede5ce65fdfce7e7c4b04462de174175b55 Author: Uk Kim Date: Sun Dec 5 17:32:16 2010 +0900 ASoC: Fix off by one error in WM8994 EQ register bank size commit 3fcc0afbb9c93f3599ba03273e59915670b6c2c2 upstream. Signed-off-by: Uk Kim Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 42ab05297f022aa26da5e1c41bf5497ce355b0eb Author: Uk Kim Date: Sun Dec 5 17:26:07 2010 +0900 ASoC: Fix swap of left and right channels for WM8993/4 speaker boost gain commit ed8cc471d75365f8590c76f580def899d58028c0 upstream. SPKOUTL_BOOST start from third bit, SPKOUTLR_BOOST start from 0 bit. Signed-off-by: Uk Kim Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit cc7c6f530265ee7e537807913efe74bb8b181c54 Author: Borislav Petkov Date: Mon Dec 6 16:20:25 2010 +0100 amd64_edac: Fix interleaving check commit e726f3c368e7c1919a7166ec09c5705759f1a69d upstream. When matching error address to the range contained by one memory node, we're in valid range when node interleaving 1. is disabled, or 2. enabled and when the address bits we interleave on match the interleave selector on this node (see the "Node Interleaving" section in the BKDG for an enlightening example). Thus, when we early-exit, we need to reverse the compound logic statement properly. Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 7cd5c22944bf7abdec73beab9c30d46d363cdbfd Author: Borislav Petkov Date: Thu Dec 2 17:48:35 2010 +0100 EDAC: Fix workqueue-related crashes commit bb31b3122c0dd07d2d958da17a50ad771ce79e2b upstream. 00740c58541b6087d78418cebca1fcb86dc6077d changed edac_core to un-/register a workqueue item only if a lowlevel driver supplies a polling routine. Normally, when we remove a polling low-level driver, we go and cancel all the queued work. However, the workqueue unreg happens based on the ->op_state setting, and edac_mc_del_mc() sets this to OP_OFFLINE _before_ we cancel the work item, leading to NULL ptr oops on the workqueue list. Fix it by putting the unreg stuff in proper order. Reported-and-tested-by: Tobias Karnat LKML-Reference: <1291201307.3029.21.camel@Tobias-Karnat> Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 9bdffa72704f4c34b0efa0f4d192413a16559342 Author: Gabriele Gorla Date: Wed Dec 8 16:27:22 2010 +0100 hwmon: (adm1026) Fix setting fan_div commit 52bc9802ce849d0d287cc5fe76d06b0daa3986ca upstream. Prevent setting fan_div from stomping on other fans that share the same I2C register. Signed-off-by: Gabriele Gorla Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit b1d5eba052000b4319a410cbb2c5f73dec59e305 Author: Gabriele Gorla Date: Wed Dec 8 16:27:22 2010 +0100 hwmon: (adm1026) Allow 1 as a valid divider value commit 8b0f1840a46449e1946fc88860ef3ec8d6b1c2c7 upstream. Allow 1 as a valid div value as specified in the ADM1026 datasheet. Signed-off-by: Gabriele Gorla Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit e98a198d7100de320d794ba26d03e087cc3c230d Author: NeilBrown Date: Tue Nov 16 16:55:19 2010 +1100 sunrpc: prevent use-after-free on clearing XPT_BUSY commit ed2849d3ecfa339435818eeff28f6c3424300cec upstream. When an xprt is created, it has a refcount of 1, and XPT_BUSY is set. The refcount is *not* owned by the thread that created the xprt (as is clear from the fact that creators never put the reference). Rather, it is owned by the absence of XPT_DEAD. Once XPT_DEAD is set, (And XPT_BUSY is clear) that initial reference is dropped and the xprt can be freed. So when a creator clears XPT_BUSY it is dropping its only reference and so must not touch the xprt again. However svc_recv, after calling ->xpo_accept (and so getting an XPT_BUSY reference on a new xprt), calls svc_xprt_recieved. This clears XPT_BUSY and then svc_xprt_enqueue - this last without owning a reference. This is dangerous and has been seen to leave svc_xprt_enqueue working with an xprt containing garbage. So we need to hold an extra counted reference over that call to svc_xprt_received. For safety, any time we clear XPT_BUSY and then use the xprt again, we first get a reference, and the put it again afterwards. Note that svc_close_all does not need this extra protection as there are no threads running, and the final free can only be called asynchronously from such a thread. Signed-off-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 03fae048803670d7dd25083fd7995a7b54ab9437 Author: Sergey Vlasov Date: Sun Nov 28 21:04:05 2010 +0000 NFS: Fix fcntl F_GETLK not reporting some conflicts commit 21ac19d484a8ffb66f64487846c8d53afef04d2b upstream. The commit 129a84de2347002f09721cda3155ccfd19fade40 (locks: fix F_GETLK regression (failure to find conflicts)) fixed the posix_test_lock() function by itself, however, its usage in NFS changed by the commit 9d6a8c5c213e34c475e72b245a8eb709258e968c (locks: give posix_test_lock same interface as ->lock) remained broken - subsequent NFS-specific locking code received F_UNLCK instead of the user-specified lock type. To fix the problem, fl->fl_type needs to be saved before the posix_test_lock() call and restored if no local conflicts were reported. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=23892 Tested-by: Alexander Morozov Signed-off-by: Sergey Vlasov Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 972dc03c6d6ab89c45fbcf4e286a35e124cadcd4 Author: Neil Brown Date: Thu Dec 2 11:14:30 2010 +1100 nfsd: Fix possible BUG_ON firing in set_change_info commit c1ac3ffcd0bc7e9617f62be8c7043d53ab84deac upstream. If vfs_getattr in fill_post_wcc returns an error, we don't set fh_post_change. For NFSv4, this can result in set_change_info triggering a BUG_ON. i.e. fh_post_saved being zero isn't really a bug. So: - instead of BUGging when fh_post_saved is zero, just clear ->atomic. - if vfs_getattr fails in fill_post_wcc, take a copy of i_ctime anyway. This will be used i seg_change_info, but not overly trusted. - While we are there, remove the pointless 'if' statements in set_change_info. There is no harm setting all the values. Signed-off-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 1e4d3ed637822285360fdefb42608feb1bdfefa7 Author: Chuck Lever Date: Fri Dec 10 12:31:14 2010 -0500 NFS: Fix panic after nfs_umount() commit 5b362ac3799ff4225c40935500f520cad4d7ed66 upstream. After a few unsuccessful NFS mount attempts in which the client and server cannot agree on an authentication flavor both support, the client panics. nfs_umount() is invoked in the kernel in this case. Turns out nfs_umount()'s UMNT RPC invocation causes the RPC client to write off the end of the rpc_clnt's iostat array. This is because the mount client's nrprocs field is initialized with the count of defined procedures (two: MNT and UMNT), rather than the size of the client's proc array (four). The fix is to use the same initialization technique used by most other upper layer clients in the kernel. Introduced by commit 0b524123, which failed to update nrprocs when support was added for UMNT in the kernel. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=24302 BugLink: http://bugs.launchpad.net/bugs/683938 Reported-by: Stefan Bader Tested-by: Stefan Bader Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit b7467cd37498e1698fd67d94bd7fcc4c41d38d80 Author: Stefan Richter Date: Tue Dec 7 20:32:40 2010 +0100 firewire: ohci: fix regression with Agere FW643 rev 06, disable MSI commit 9993e0fe0f5f29c69e79efcb271ffc9843002985 upstream. Agere FW643 rev 06, listed as "11c1:5901 (rev 06) (prog-if 10 [OHCI])", produced SBP-2 I/O errors since kernel 2.6.36. Disabling MSI fixes it. Since MSI work on Agere FW643-E (same vendor and device ID, but rev 07), introduce a device revision field into firewire-ohci's quirks list so that different quirks can be defined for older and newer revisions. Reported-by: Jonathan Isom Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit df957d477e0b93d1a1f8e87f494af2d9cd5e0bdb Author: Stefan Richter Date: Tue Dec 7 19:16:02 2010 +0100 firewire: ohci: fix regression with VIA VT6315, disable MSI commit af0cdf4947818becfe209610b209315578645ab4 upstream. "VIA Technologies, Inc. VT6315 Series Firewire Controller [1106:3403]" does not generate any interrupts if Message Signaled Interrupts were enabled. This is a regression since kernel 2.6.36 in which MSI support was added to firewire-ohci. Hence blacklist MSI on all VIA controllers. Reported-by: Robin Cook Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit de25afbd8ac1f4fad6dec0caa9ab4e4eb6037a8a Author: Heiko Carstens Date: Wed Dec 1 10:11:09 2010 +0100 nohz: Fix get_next_timer_interrupt() vs cpu hotplug commit dbd87b5af055a0cc9bba17795c9a2b0d17795389 upstream. This fixes a bug as seen on 2.6.32 based kernels where timers got enqueued on offline cpus. If a cpu goes offline it might still have pending timers. These will be migrated during CPU_DEAD handling after the cpu is offline. However while the cpu is going offline it will schedule the idle task which will then call tick_nohz_stop_sched_tick(). That function in turn will call get_next_timer_intterupt() to figure out if the tick of the cpu can be stopped or not. If it turns out that the next tick is just one jiffy off (delta_jiffies == 1) tick_nohz_stop_sched_tick() incorrectly assumes that the tick should not stop and takes an early exit and thus it won't update the load balancer cpu. Just afterwards the cpu will be killed and the load balancer cpu could be the offline cpu. On 2.6.32 based kernel get_nohz_load_balancer() gets called to decide on which cpu a timer should be enqueued (see __mod_timer()). Which leads to the possibility that timers get enqueued on an offline cpu. These will never expire and can cause a system hang. This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses get_nohz_timer_target() which doesn't have that problem. However there might be other problems because of the too early exit tick_nohz_stop_sched_tick() in case a cpu goes offline. The easiest and probably safest fix seems to be to let get_next_timer_interrupt() just lie and let it say there isn't any pending timer if the current cpu is offline. I also thought of moving migrate_[hr]timers() from CPU_DEAD to CPU_DYING, but seeing that there already have been fixes at least in the hrtimer code in this area I'm afraid that this could add new subtle bugs. Signed-off-by: Heiko Carstens Signed-off-by: Peter Zijlstra LKML-Reference: <20101201091109.GA8984@osiris.boeblingen.de.ibm.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a32a0b1102cfc49bfc8df2b5478c75f2a70eb94d Author: Heiko Carstens Date: Fri Nov 26 13:00:59 2010 +0100 nohz: Fix printk_needs_cpu() return value on offline cpus commit 61ab25447ad6334a74e32f60efb135a3467223f8 upstream. This patch fixes a hang observed with 2.6.32 kernels where timers got enqueued on offline cpus. printk_needs_cpu() may return 1 if called on offline cpus. When a cpu gets offlined it schedules the idle process which, before killing its own cpu, will call tick_nohz_stop_sched_tick(). That function in turn will call printk_needs_cpu() in order to check if the local tick can be disabled. On offline cpus this function should naturally return 0 since regardless if the tick gets disabled or not the cpu will be dead short after. That is besides the fact that __cpu_disable() should already have made sure that no interrupts on the offlined cpu will be delivered anyway. In this case it prevents tick_nohz_stop_sched_tick() to call select_nohz_load_balancer(). No idea if that really is a problem. However what made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is used within __mod_timer() to select a cpu on which a timer gets enqueued. If printk_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get updated when a cpu gets offlined. It may contain the cpu number of an offline cpu. In turn timers get enqueued on an offline cpu and not very surprisingly they never expire and cause system hangs. This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses get_nohz_timer_target() which doesn't have that problem. However there might be other problems because of the too early exit tick_nohz_stop_sched_tick() in case a cpu goes offline. Easiest way to fix this is just to test if the current cpu is offline and call printk_tick() directly which clears the condition. Alternatively I tried a cpu hotplug notifier which would clear the condition, however between calling the notifier function and printk_needs_cpu() something could have called printk() again and the problem is back again. This seems to be the safest fix. Signed-off-by: Heiko Carstens Signed-off-by: Peter Zijlstra LKML-Reference: <20101126120235.406766476@de.ibm.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit dee39287396d6be622ac6e76917e7ebb742e3ae7 Author: Eric Anholt Date: Thu Nov 18 09:32:58 2010 +0800 drm/i915: Always set the DP transcoder config to 8BPC. commit 220cad3cbf553f893432919b458da36489373fc6 upstream. The pipe is always set to 8BPC, but here we were leaving whatever previous bits were set by the BIOS in place. Signed-off-by: Eric Anholt Tested-by: Keith Packard Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit 4fd3a8d6a5211c28594a544923d509b4d1001073 Author: Alex Deucher Date: Fri Dec 3 14:37:22 2010 -0500 drm/radeon/kms: fix vram base calculation on rs780/rs880 commit 8961d52d4cc52edf5672f8f2712c57162b736793 upstream. Avoid overflowing a 32 bit value. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit c30dd7eaf76bf7dbefd6b89521b4645992747b64 Author: Alex Deucher Date: Wed Dec 8 19:09:42 2010 -0500 drm/kms: remove spaces from connector names (v2) commit e76116ca9671e2e5239054a40303b94feab585ad upstream. Grub doesn't parse spaces in parameters correctly, so this makes it impossible to force video= parameters for kms on the grub kernel command line. v2: shorten the names to make them easier to type. Reported-by: Sergej Pupykin Cc: Sergej Pupykin Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit ba302911dfb1c83117f370b7ef38b54484a45993 Author: Alex Deucher Date: Wed Dec 8 10:05:34 2010 -0500 drm/radeon/kms: don't apply 7xx HDP flush workaround on AGP commit f3886f85cfde578f1d0ba6e40ac5f9d70043923b upstream. It should be required for all 7xx asics, but seems to cause problems on some AGP 7xx chips. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=19002 Signed-off-by: Alex Deucher Reported-and-Tested-by: Duncan <1i5t5.duncan@cox.net> Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 037d1604eff6b6381cbda8dfa192ad39c82741b5 Author: Daniel T Chen Date: Thu Dec 2 22:45:45 2010 -0500 ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture commit 77c4d5cdb81d25a45fbdfb84dd3348121219a072 upstream. BugLink: https://launchpad.net/bugs/595482 The original reporter states that audible playback from the internal speaker is inaudible despite the hardware being properly detected. To work around this symptom, he uses the model=lg quirk to properly enable both playback, capture, and jack sense. Another user corroborates this workaround on separate hardware. Add this PCI SSID to the quirk table to enable it for further LG P1 Expresses. Reported-and-tested-by: Philip Peitsch Tested-by: nikhov Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4a76bc955c488d382ffc325547a92197fec42b45 Author: Daniel T Chen Date: Sun Dec 5 08:43:14 2010 -0500 ALSA: hda: Use position_fix=1 for Acer Aspire 5538 to enable capture on internal mic commit dd5a089edfa51a74692604b4b427953d8e16bc35 upstream. BugLink: https://launchpad.net/bugs/685161 The reporter of the bug states that he must use position_fix=1 to enable capture for the internal microphone, so set it for his machine's PCI SSID. Verified using 2.6.35 and the 2010-12-04 alsa-driver build. Reported-and-tested-by: Ralph Wabel Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3ffbc9f5f876fe39aa2ec33ca057298462f397ed Author: Anssi Hannula Date: Tue Dec 7 20:56:19 2010 +0200 ALSA: hda - Always allow basic audio irrespective of ELD info commit 3dc86429032910bdf762adeb2969112bb303924c upstream. Commit bbbe33900d1f3c added functionality to restrict PCM parameters based on ELD info (derived from EDID data) of the audio sink. However, according to CEA-861-D no SAD is needed for basic audio (32/44.1/48kHz stereo 16-bit audio), which is instead indicated with a basic audio flag in the CEA EDID Extension. The flag is not present in ELD. However, as all audio capable sinks are required to support basic audio, we can assume it to be always available. Fix allowed audio formats with sinks that have SADs (Short Audio Descriptors) which do not completely overlap with the basic audio formats (there are no reports of affected devices so far) by always assuming that basic audio is supported. Reported-by: Stephen Warren Signed-off-by: Anssi Hannula Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3b632852ce576c23709add22e753c849a786b0ed Author: Anssi Hannula Date: Tue Dec 7 18:41:35 2010 +0200 ALSA: hda - Do not wrongly restrict min_channels based on ELD commit 4b0dbdb17f846a8887e5f7fbeea2deb0703236bd upstream. Commit bbbe33900d1f3c added functionality to restrict PCM parameters based on ELD info (derived from EDID data) of the audio sink. However, it wrongly assumes that the bits 0-2 of the first byte of CEA Short Audio Descriptors mean a supported number of channels. In reality, they mean the maximum number of channels (as per CEA-861-D 7.5.2). This means that the channel count can only be used to restrict max_channels, not min_channels. Restricting min_channels causes us to deny opening the device in stereo mode if the sink only has SADs that declare larger numbers of channels (like Primare SP32 AV Processor does). Fix that by not restricting min_channels based on ELD information. Signed-off-by: Anssi Hannula Reported-by: Jean-Yves Avenard Tested-by: Jean-Yves Avenard Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f4a2ceaaecde63e96fb8997b3a0d09cc4c6a425f Author: David Henningsson Date: Thu Dec 9 07:17:27 2010 +0100 ALSA: HDA: Quirk for Dell Vostro 320 to make microphone work commit 8a96b1e02029aa512199b1b6d281dcede9ed81f1 upstream. BugLink: http://launchpad.net/497546 Confirmed that the ideapad model works better than the current quirk for Dell Vostro 320. Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e60a1892cafbc6b8e5bc1ad11149f120ce2af6ea Author: Miklos Szeredi Date: Tue Nov 30 16:39:27 2010 +0100 fuse: fix ioctl when server is 32bit commit d9d318d39dd5cb686660504a3565aac453709ccc upstream. If a 32bit CUSE server is run on 64bit this results in EIO being returned to the caller. The reason is that FUSE_IOCTL_RETRY reply was defined to use 'struct iovec', which is different on 32bit and 64bit archs. Work around this by looking at the size of the reply to determine which struct was used. This is only needed if CONFIG_COMPAT is defined. A more permanent fix for the interface will be to use the same struct on both 32bit and 64bit. Reported-by: "ccmail111" Signed-off-by: Miklos Szeredi CC: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 47c9e56abf97ecbe079bcc50a07b5b49b98b1753 Author: Miklos Szeredi Date: Tue Nov 30 16:39:27 2010 +0100 fuse: verify ioctl retries commit 7572777eef78ebdee1ecb7c258c0ef94d35bad16 upstream. Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY doesn't overflow iov_length(). Signed-off-by: Miklos Szeredi CC: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit df97163bcad0311ecd0d670d78e59978cc35158e Author: H. Peter Anvin Date: Fri Dec 10 23:55:22 2010 -0500 x86, hotplug: Use mwait to offline a processor, fix the legacy case upstream ea53069231f9317062910d6e772cca4ce93de8c8 x86, hotplug: Use mwait to offline a processor, fix the legacy case Here included also some small follow-on patches to the same code: upstream a68e5c94f7d3dd64fef34dd5d97e365cae4bb42a x86, hotplug: Move WBINVD back outside the play_dead loop upstream ce5f68246bf2385d6174856708d0b746dc378f20 x86, hotplug: In the MWAIT case of play_dead, CLFLUSH the cache line https://bugzilla.kernel.org/show_bug.cgi?id=5471 Signed-off-by: H. Peter Anvin Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman