commit af53c4ead3105c23279bfe85652ba545ed2dc378 Author: Greg Kroah-Hartman Date: Mon Mar 7 15:05:50 2011 -0800 Linux 2.6.37.3 commit de243d988027902c908b9d03352a525be57a1c74 Author: Ian Campbell Date: Fri Feb 11 07:44:16 2011 +0000 arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS. commit d11327ad6695db8117c78d70611e71102ceec2ac upstream. NETDEV_NOTIFY_PEER is an explicit request by the driver to send a link notification while NETDEV_UP/NETDEV_CHANGEADDR generate link notifications as a sort of side effect. In the later cases the sysctl option is present because link notification events can have undesired effects e.g. if the link is flapping. I don't think this applies in the case of an explicit request from a driver. This patch makes NETDEV_NOTIFY_PEER unconditional, if preferred we could add a new sysctl for this case which defaults to on. This change causes Xen post-migration ARP notifications (which cause switches to relearn their MAC tables etc) to be sent by default. Signed-off-by: Ian Campbell Signed-off-by: David S. Miller [reported to solve hyperv live migration problem - gkh] Cc: Haiyang Zhang Cc: Mike Surcouf Cc: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit 6a5c4eb0857e144eadc5a78a9bcf297d52811174 Author: David Howells Date: Thu Mar 3 11:28:58 2011 +0000 DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] commit 1362fa078dae16776cd439791c6605b224ea6171 upstream. When a DNS resolver key is instantiated with an error indication, attempts to read that key will result in an oops because user_read() is expecting there to be a payload - and there isn't one [CVE-2011-1076]. Give the DNS resolver key its own read handler that returns the error cached in key->type_data.x[0] as an error rather than crashing. Also make the kenter() at the beginning of dns_resolver_instantiate() limit the amount of data it prints, since the data is not necessarily NUL-terminated. The buggy code was added in: commit 4a2d789267e00b5a1175ecd2ddefcc78b83fbf09 Author: Wang Lei Date: Wed Aug 11 09:37:58 2010 +0100 Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2] This can trivially be reproduced by any user with the following program compiled with -lkeyutils: #include #include #include static char payload[] = "#dnserror=6"; int main() { key_serial_t key; key = add_key("dns_resolver", "a", payload, sizeof(payload), KEY_SPEC_SESSION_KEYRING); if (key == -1) err(1, "add_key"); if (keyctl_read(key, NULL, 0) == -1) err(1, "read_key"); return 0; } What should happen is that keyctl_read() reports error 6 (ENXIO) to the user: dns-break: read_key: No such device or address but instead the kernel oopses. This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands as both of those cut the data down below the NUL termination that must be included in the data. Without this dns_resolver_instantiate() will return -EINVAL and the key will not be instantiated such that it can be read. The oops looks like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [] user_read+0x4f/0x8f PGD 3bdf8067 PUD 385b9067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq CPU 0 Modules linked in: Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468 /DG965RY RIP: 0010:[] [] user_read+0x4f/0x8f RSP: 0018:ffff88003bf47f08 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378 RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000 R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1 FS: 00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090) Stack: ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000 Call Trace: [] keyctl_read_key+0xac/0xcf [] sys_keyctl+0x75/0xb6 [] system_call_fastpath+0x16/0x1b Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48 RIP [] user_read+0x4f/0x8f RSP CR2: 0000000000000010 Signed-off-by: David Howells Acked-by: Jeff Layton cc: Wang Lei Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit ef4fba5d0fc816eff781d6dc70d76ebc0ac8909e Author: Bruce Allan Date: Wed Feb 2 09:30:36 2011 +0000 e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead commit 4def99bbfd46e05c5e03b5b282cb4ee30e27ff19 upstream. When support for 82577/82578 was added[1] in 2.6.31, PHY wakeup was in- advertently enabled (even though it does not function properly) on ICH10 LOMs. This patch makes it so that the ICH10 LOMs use MAC wakeup instead as was done with the initial support for those devices (i.e. 82567LM-3, 82567LF-3 and 82567V-4). [1] commit a4f58f5455ba0efda36fb33c37074922d1527a10 Reported-by: Aurelien Jarno Signed-off-by: Bruce Allan Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit 850d1ff24684b16c29702dcadf66083a30f0d277 Author: Gerrit Renker Date: Tue Mar 1 23:02:07 2011 -0800 dccp: fix oops on Reset after close commit 720dc34bbbe9493c7bd48b2243058b4e447a929d upstream. This fixes a bug in the order of dccp_rcv_state_process() that still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket. dccp_v4_do_rcv() | | state other than OPEN v dccp_rcv_state_process() | | DCCP_PKT_RESET v dccp_rcv_reset() | v dccp_time_wait() WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128() Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah [] (unwind_backtrace+0x0/0xec) from [] (warn_slowpath_common) [] (warn_slowpath_common+0x4c/0x64) from [] (warn_slowpath_n) [] (warn_slowpath_null+0x1c/0x24) from [] (__inet_twsk_hashd) [] (__inet_twsk_hashdance+0x48/0x128) from [] (dccp_time_wai) [] (dccp_time_wait+0x40/0xc8) from [] (dccp_rcv_state_proces) [] (dccp_rcv_state_process+0x120/0x538) from [] (dccp_v4_do_) [] (dccp_v4_do_rcv+0x11c/0x14c) from [] (release_sock+0xac/0) [] (release_sock+0xac/0x110) from [] (dccp_close+0x28c/0x380) [] (dccp_close+0x28c/0x380) from [] (inet_release+0x64/0x70) The fix is by testing the socket state first. Receiving a packet in Closed state now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1. Reported-and-tested-by: Johan Hovold Signed-off-by: Gerrit Renker Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 048882f265645e2258a6d6380622b8a1a3634217 Author: Stanislaw Gruszka Date: Tue Feb 22 02:00:11 2011 +0000 r8169: disable ASPM commit ba04c7c93bbcb48ce880cf75b6e9dffcd79d4c7b upstream. For some time is known that ASPM is causing troubles on r8169, i.e. make device randomly stop working without any errors in dmesg. Currently Tomi Leppikangas reports that system with r8169 device hangs with MCE errors when ASPM is enabled: https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4 Lets disable ASPM for r8169 devices at all, to avoid problems with r8169 PCIe devices at least for some users. Reported-by: Tomi Leppikangas Signed-off-by: Stanislaw Gruszka Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5d70c044346d70fb9c4980da7c5c581260f41305 Author: Jan Puk Date: Tue Feb 22 14:49:43 2011 +0100 carl9170: add Airlive X.USB a/b/g/n USBID commit c86664e5a285af1afa06416e450e7c4af04daa7c upstream. "AirLive X.USB now works perfectly under a Linux environment!" Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 401f84f1dbc7b01163bd61328acf7e66ce0fbd3e Author: Ryusuke Konishi Date: Mon Feb 28 13:41:11 2011 +0900 nilfs2: fix regression that i-flag is not set on changeless checkpoints commit 72746ac643928f6c3113b5aa783d8ea1b13949d2 upstream. According to the report from Jiro SEKIBA titled "regression in 2.6.37?" (Message-Id: <8739n8vs1f.wl%jir@sekiba.com>), on 2.6.37 and later kernels, lscp command no longer displays "i" flag on checkpoints that snapshot operations or garbage collection created. This is a regression of nilfs2 checkpointing function, and it's critical since it broke behavior of a part of nilfs2 applications. For instance, snapshot manager of TimeBrowse gets to create meaningless snapshots continuously; snapshot creation triggers another checkpoint, but applications cannot distinguish whether the new checkpoint contains meaningful changes or not without the i-flag. This patch fixes the regression and brings that application behavior back to normal. Reported-by: Jiro SEKIBA Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Tested-by: Jiro SEKIBA Signed-off-by: Greg Kroah-Hartman commit cea4131a1d2ae214544678113eac6497ba5299e5 Author: Christian Lamparter Date: Sat Feb 26 12:58:06 2011 +0100 p54usb: add Senao NUB-350 usbid commit 2b799a6b25bb9f9fbc478782cd9503e8066ab618 upstream. Reported-by: Mark Davis Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 523e19477be751191853ae6f7bbf32654f7ee9d9 Author: Sujith Manoharan Date: Sun Feb 27 09:23:52 2011 +0530 ath9k_htc: Fix an endian issue commit 2c27392dc4d4f5ee8a3967a520b8f6cac0418031 upstream. The stream length/tag fields have to be in little endian format. Fixing this makes the driver work on big-endian platforms. Tested-by: raghunathan.kailasanathan@wipro.com Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f90b478078ffd8d34a7053d5461d4c4f215f0a12 Author: Petr Uzel Date: Thu Mar 3 11:48:50 2011 -0500 block: kill loop_mutex commit fd51469fb68b987032e46297e0a4fe9020063c20 upstream. Following steps lead to deadlock in kernel: dd if=/dev/zero of=img bs=512 count=1000 losetup -f img mkfs.ext2 /dev/loop0 mount -t ext2 -o loop /dev/loop0 mnt umount mnt/ Stacktrace: [] irq_exit+0x36/0x59 [] smp_apic_timer_interrupt+0x6b/0x75 [] apic_timer_interrupt+0x31/0x38 [] mutex_spin_on_owner+0x54/0x5b [] lo_release+0x12/0x67 [loop] [] __blkdev_put+0x7c/0x10c [] fput+0xd5/0x1aa [] loop_clr_fd+0x1a9/0x1b1 [loop] [] lo_release+0x39/0x67 [loop] [] __blkdev_put+0x7c/0x10c [] deactivate_locked_super+0x17/0x36 [] sys_umount+0x27e/0x2a5 [] sys_oldumount+0xb/0xe [] sysenter_do_call+0x12/0x26 [] 0xffffffff Regression since 2a48fc0ab24241755dc9, which introduced the private loop_mutex as part of the BKL removal process. As per [1], the mutex can be safely removed. [1] http://www.gossamer-threads.com/lists/linux/kernel/1341930 Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394 Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172 Signed-off-by: Petr Uzel Reviewed-by: Nikanth Karthikesan Acked-by: Arnd Bergmann Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 29bf78d4b4b15cdec995180cbf78e69a4c1c9d14 Author: Tejun Heo Date: Wed Mar 2 08:48:06 2011 -0500 block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue() commit 255bb490c8c27eed484d538efe6ef6a7473bd3f6 upstream. blk-flush decomposes a flush into sequence of multiple requests. On completion of a request, the next one is queued; however, block layer must not implicitly call into q->request_fn() directly from completion path. This makes the queue behave unexpectedly when seen from the drivers and violates the assumption that q->request_fn() is called with process context + queue_lock. This patch makes blk-flush the following two changes to make sure q->request_fn() is not called directly from request completion path. - blk_flush_complete_seq_end_io() now asks __blk_run_queue() to always use kblockd instead of calling directly into q->request_fn(). - queue_next_fseq() uses ELEVATOR_INSERT_REQUEUE instead of ELEVATOR_INSERT_FRONT so that elv_insert() doesn't try to unplug the request queue directly. Reported by Jan in the following threads. http://thread.gmane.org/gmane.linux.ide/48778 http://thread.gmane.org/gmane.linux.ide/48786 stable: applicable to v2.6.37. Signed-off-by: Tejun Heo Reported-by: Jan Beulich Cc: "David S. Miller" Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 02d63a7def32bb4a58ea6e24f0edfce0aa653aaa Author: Tejun Heo Date: Wed Mar 2 08:48:05 2011 -0500 block: add @force_kblockd to __blk_run_queue() commit 1654e7411a1ad4999fe7890ef51d2a2bbb1fcf76 upstream. __blk_run_queue() automatically either calls q->request_fn() directly or schedules kblockd depending on whether the function is recursed. blk-flush implementation needs to be able to explicitly choose kblockd. Add @force_kblockd. All the current users are converted to specify %false for the parameter and this patch doesn't introduce any behavior change. stable: This is prerequisite for fixing ide oops caused by the new blk-flush implementation. Signed-off-by: Tejun Heo Cc: Jan Beulich Cc: James Bottomley Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e815788988678cd443b7f77603602d09e5a0da86 Author: Vivek Goyal Date: Tue Mar 1 13:40:54 2011 -0500 blk-throttle: Do not use kblockd workqueue for throtl work commit 450adcbe518ab3a3953d8475309525d22de77cba upstream. o Dominik Klein reported a system hang issue while doing some blkio throttling testing. https://lkml.org/lkml/2011/2/24/173 o Some tracing revealed that CFQ was not dispatching any more jobs as queue unplug was not happening. And queue unplug was not happening because unplug work was not being called as there was one throttling work on same cpu which as not finished yet. And throttling work had not finished as it was tyring to dispatch a bio to CFQ but all the request descriptors were consume to it was put to sleep. o So basically it is a cyclic dependecny between CFQ unplug work and throtl dispatch work. Tejun suggested that use separate workqueue for such cases. o This patch uses a separate workqueue for throttle related work and does not rely on kblockd workqueue anymore. Reported-by: Dominik Klein Signed-off-by: Vivek Goyal Acked-by: Tejun Heo Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c5a3ef83c9b4cd3eb38b4c33ef4aed89eb790d53 Author: Jan Niehusmann Date: Fri Mar 4 00:28:02 2011 +0100 drm/i915: fix memory corruption with GM965 and >4GB RAM commit 6927faf30920b8c03dfa007e732642a1f1f20089 upstream. On a Thinkpad x61s, I noticed some memory corruption when plugging/unplugging the external VGA connection. The symptoms are that 4 bytes at the beginning of a page get overwritten by zeroes. The address of the corruption varies when rebooting the machine, but stays constant while it's running (so it's possible to repeatedly write some data and then corrupt it again by plugging the cable). Further investigation revealed that the corrupted address is (dev_priv->status_page_dmah->busaddr & 0xffffffff), ie. the beginning of the hardware status page of the i965 graphics card, cut to 32 bits. So it seems that for some memory access, the hardware uses only 32 bit addressing. If the hardware status page is located >4GB, this corrupts unrelated memory. Signed-off-by: Jan Niehusmann Acked-by: Daniel Vetter Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit e8d5b85f2cce50980de6d36dad4e81ab44f53bd0 Author: Matt Carlson Date: Tue Feb 15 12:51:10 2011 +0000 tg3: Restrict phy ioctl access commit ed199facd070f8e551dc16a2ae1baa01d8d28ed4 upstream. If management firmware is present and the device is down, the firmware will assume control of the phy. If a phy access were allowed from the host, it will collide with firmware phy accesses, resulting in unpredictable behavior. This patch fixes the problem by disallowing phy accesses during the problematic condition. Signed-off-by: Matt Carlson Reviewed-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7e4c58029f8c42d57b82b670e5e25119d565ae30 Author: Daniel J Blueman Date: Tue Feb 22 00:11:06 2011 +0800 fix cfg80211_wext_siwfreq lock ordering... commit 4f919a3bc54da01db829c520ce4b1fabfde1c3f7 upstream. I previously managed to reproduce a hang while scanning wireless channels (reproducible with airodump-ng hopping channels); subsequent lockdep instrumentation revealed a lock ordering issue. Without knowing the design intent, it looks like the locks should be taken in reverse order; please comment. ======================================================= [ INFO: possible circular locking dependency detected ] 2.6.38-rc5-341cd #4 ------------------------------------------------------- airodump-ng/15445 is trying to acquire lock: (&rdev->devlist_mtx){+.+.+.}, at: [] cfg80211_wext_siwfreq+0xc6/0x100 but task is already holding lock: (&wdev->mtx){+.+.+.}, at: [] cfg80211_wext_siwfreq+0xbc/0x100 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&wdev->mtx){+.+.+.}: [] lock_acquire+0xc6/0x280 [] mutex_lock_nested+0x6e/0x4b0 [] cfg80211_netdev_notifier_call+0x430/0x5f0 [] notifier_call_chain+0x8b/0x100 [] raw_notifier_call_chain+0x11/0x20 [] call_netdevice_notifiers+0x32/0x60 [] __dev_notify_flags+0x34/0x80 [] dev_change_flags+0x40/0x70 [] do_setlink+0x1fc/0x8d0 [] rtnl_setlink+0xf2/0x140 [] rtnetlink_rcv_msg+0x163/0x270 [] netlink_rcv_skb+0xa1/0xd0 [] rtnetlink_rcv+0x20/0x30 [] netlink_unicast+0x2ba/0x300 [] netlink_sendmsg+0x267/0x3e0 [] sock_sendmsg+0xe4/0x110 [] sys_sendmsg+0x253/0x3b0 [] system_call_fastpath+0x16/0x1b -> #0 (&rdev->devlist_mtx){+.+.+.}: [] __lock_acquire+0x1622/0x1d10 [] lock_acquire+0xc6/0x280 [] mutex_lock_nested+0x6e/0x4b0 [] cfg80211_wext_siwfreq+0xc6/0x100 [] ioctl_standard_call+0x5d/0xd0 [] T.808+0x163/0x170 [] wext_handle_ioctl+0x3a/0x90 [] dev_ioctl+0x6f2/0x830 [] sock_ioctl+0xfd/0x290 [] do_vfs_ioctl+0x9d/0x590 [] sys_ioctl+0x4a/0x80 [] system_call_fastpath+0x16/0x1b other info that might help us debug this: 2 locks held by airodump-ng/15445: #0: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x12/0x20 #1: (&wdev->mtx){+.+.+.}, at: [] cfg80211_wext_siwfreq+0xbc/0x100 stack backtrace: Pid: 15445, comm: airodump-ng Not tainted 2.6.38-rc5-341cd #4 Call Trace: [] ? print_circular_bug+0xfa/0x100 [] ? __lock_acquire+0x1622/0x1d10 [] ? trace_hardirqs_off_caller+0x29/0xc0 [] ? lock_acquire+0xc6/0x280 [] ? cfg80211_wext_siwfreq+0xc6/0x100 [] ? mark_held_locks+0x67/0x90 [] ? mutex_lock_nested+0x6e/0x4b0 [] ? cfg80211_wext_siwfreq+0xc6/0x100 [] ? mark_held_locks+0x67/0x90 [] ? cfg80211_wext_siwfreq+0xc6/0x100 [] ? cfg80211_wext_siwfreq+0xc6/0x100 [] ? ioctl_standard_call+0x5d/0xd0 [] ? __dev_get_by_name+0x9b/0xc0 [] ? ioctl_standard_call+0x0/0xd0 [] ? T.808+0x163/0x170 [] ? might_fault+0x72/0xd0 [] ? wext_handle_ioctl+0x3a/0x90 [] ? might_fault+0xbb/0xd0 [] ? dev_ioctl+0x6f2/0x830 [] ? put_lock_stats+0xe/0x40 [] ? lock_release_holdtime+0xac/0x150 [] ? sock_ioctl+0xfd/0x290 [] ? do_vfs_ioctl+0x9d/0x590 [] ? fget_light+0x1df/0x3c0 [] ? sys_ioctl+0x4a/0x80 [] ? system_call_fastpath+0x16/0x1b Signed-off-by: Daniel J Blueman Acked-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit adbbc36af2a36f1998404e56b27f3933d0cc8afd Author: Ian Abbott Date: Mon Feb 7 13:39:52 2011 +0000 Staging: comedi: Add MODULE_LICENSE and similar to NI modules commit 3c323c01b6bd5fd01be21a8f0cdc11e55997aa06 upstream. As mentioned by W. Trevor King on the devel@linuxdriverproject.org list on "Thu, 27 Jan 2011 18:52:15 -0500", "Message-ID: <20110127235214.GA5107@thialfi.dhcp.drexel.edu>", the ni_pcimio module is missing module metadata, including a license. This patch adds module metadata to all the NI comedi driver modules. It also removes a duplicate MODULE_LICENSE("GPL") line from the "mite" module. Signed-off-by: Ian Abbott Cc: W. Trevor King Signed-off-by: Greg Kroah-Hartman commit a4e98a353e98e9d4f209bcbadb9af6300674e900 Author: Bruce Allan Date: Wed Nov 24 06:01:46 2010 +0000 e1000e: 82579 PHY incorrectly identified during init commit 664dc878ed6f0476b875547547a49e06f7a4e73b upstream. During init, reading the 2 PHY ID registers back-to-back in the default fast mode could return invalid data (all F's) and in slow mode could return data to the second read the data from the first read. To resolve the issue in fast mode, set to slow mode before any PHY accesses; to resolve the issue in slow mode, put in a delay for every 82579 PHY access. Since this PHY is currently only paired with the pch2lan MAC and the PHY type is not known before the first PHY access which can fail this way, check for this based on MAC-type. Signed-off-by: Bruce Allan Tested-by: Jeff Pieper Signed-off-by: Jeff Kirsher Acked-by: Brandon Philips Signed-off-by: Greg Kroah-Hartman commit 776be4763c7ece9b738c5a61bec68bc05b1b2d1c Author: Mel Gorman Date: Thu Jan 13 15:45:43 2011 -0800 mm: vmstat: use a single setter function and callback for adjusting percpu thresholds commit b44129b30652c8771db2265939bb8b463724043d upstream. reduce_pgdat_percpu_threshold() and restore_pgdat_percpu_threshold() exist to adjust the per-cpu vmstat thresholds while kswapd is awake to avoid errors due to counter drift. The functions duplicate some code so this patch replaces them with a single set_pgdat_percpu_threshold() that takes a callback function to calculate the desired threshold as a parameter. [akpm@linux-foundation.org: readability tweak] [kosaki.motohiro@jp.fujitsu.com: set_pgdat_percpu_threshold(): don't use for_each_online_cpu] Signed-off-by: Mel Gorman Reviewed-by: Christoph Lameter Reviewed-by: KAMEZAWA Hiroyuki Signed-off-by: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 176111faba2c5785d40b4737908b855de75f026c Author: Josh Hunt Date: Thu Feb 24 11:48:22 2011 +0100 ext2: Fix link count corruption under heavy link+rename load commit e8a80c6f769dd4622d8b211b398452158ee60c0b upstream. vfs_rename_other() does not lock renamed inode with i_mutex. Thus changing i_nlink in a non-atomic manner (which happens in ext2_rename()) can corrupt it as reported and analyzed by Josh. In fact, there is no good reason to mess with i_nlink of the moved file. We did it presumably to simulate linking into the new directory and unlinking from an old one. But the practical effect of this is disputable because fsck can possibly treat file as being properly linked into both directories without writing any error which is confusing. So we just stop increment-decrement games with i_nlink which also fixes the corruption. CC: Al Viro Signed-off-by: Josh Hunt Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 69d2dd738ce984fd0b7ab25c8f179ba07c56d2e0 Author: Thomas Gleixner Date: Fri Feb 25 22:34:23 2011 +0100 clockevents: Prevent oneshot mode when broadcast device is periodic commit 3a142a0672b48a853f00af61f184c7341ac9c99d upstream. When the per cpu timer is marked CLOCK_EVT_FEAT_C3STOP, then we only can switch into oneshot mode, when the backup broadcast device supports oneshot mode as well. Otherwise we would try to switch the broadcast device into an unsupported mode unconditionally. This went unnoticed so far as the current available broadcast devices support oneshot mode. Seth unearthed this problem while debugging and working around an hpet related BIOS wreckage. Add the necessary check to tick_is_oneshot_available(). Reported-and-tested-by: Seth Forshee Signed-off-by: Thomas Gleixner LKML-Reference: Signed-off-by: Greg Kroah-Hartman commit ca3edc920f5fd7d8ac040caaf109f925c24620a0 Author: Miklos Szeredi Date: Fri Feb 25 14:44:58 2011 +0100 fuse: fix hang of single threaded fuseblk filesystem commit 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 upstream. Single threaded NTFS-3G could get stuck if a delayed RELEASE reply triggered a DESTROY request via path_put(). Fix this by a) making RELEASE requests synchronous, whenever possible, on fuseblk filesystems b) if not possible (triggered by an asynchronous read/write) then do the path_put() in a separate thread with schedule_work(). Reported-by: Oliver Neukum Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 4f85086a934dd7e608588c4a3bd5a91791a70ade Author: Dmitry Eremin-Solenikov Date: Wed Feb 23 02:29:11 2011 +0300 ASoC: correct pxa AC97 DAI names commit 4bfc4e2508234f9149fd33fae853e99fb9e4a75b upstream. Correct names for pxa AC97 DAI are pxa2xx-ac97 and pxa2xx-ac97-aux. Fix that for all PXA platforms. Signed-off-by: Dmitry Eremin-Solenikov Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0c5769b54c296fd42e52dbe7c5c4c3c30533892b Author: Eric Bénard Date: Fri Feb 25 13:47:46 2011 +0100 eukrea-tlv320: fix platform_name commit 43c63188821dc21b2af23a40a18faea6e386e90a upstream. commit f0fba2ad1b6b53d5360125c41953b7afcd6deff0 included a mistake on the name of the platform in the snd_soc_dai_link structure. Signed-off-by: Eric Bénard Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 7b34f7c3f39111256fa8356ebd20ef3badefc0ef Author: Yu-Chen Cho Date: Tue Feb 15 10:20:07 2011 +0800 Bluetooth: Add Atheros BT AR5BBU12 fw supported commit e9036e336a8e5640871e0006ea4a89982b25046f upstream. Add the btusb.c blacklist [0489:e02c] for Atheros AR5BBU12 BT and add to ath3k.c supported this device. Signed-off-by: Yu-Chen Cho Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit 395177fa518d897f4e2075b1950d9ed183efa550 Author: Oliver Neukum Date: Fri Feb 11 13:00:06 2011 +0100 Bluetooth: fix crash with quirky dongles doing sound commit 8efdd0cdc54f3bb5db464b3baf88f7441f54da47 upstream. Quirky dongles sometimes do not use the iso interface which causes a crash with runtime PM Signed-off-by: Oliver Neukum Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit d3d6df2b6a0210db29d934b9228ab64b728ef3da Author: Yu-Chen Cho Date: Wed Jan 26 17:10:59 2011 +0800 Bluetooth: add Atheros BT AR9285 fw supported commit 509e7861d8a5e26bb07b5a3a13e2b9e442283631 upstream. Add the btusb.c blacklist [03f0:311d] for Atheros AR9285 Malbec BT and add to ath3k.c ath3-1.fw (md5:1211fa34c09e10ba48381586b7c3883d) supported this device. Signed-off-by: Yu-Chen Cho Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit aee193072ec3de9a272a651cab20480d71b421f6 Author: Don Zickus Date: Mon Feb 7 23:25:00 2011 -0500 x86: Use u32 instead of long to set reset vector back to 0 commit 299c56966a72b9109d47c71a6db52097098703dd upstream. A customer of ours, complained that when setting the reset vector back to 0, it trashed other data and hung their box. They noticed when only 4 bytes were set to 0 instead of 8, everything worked correctly. Mathew pointed out: | | We're supposed to be resetting trampoline_phys_low and | trampoline_phys_high here, which are two 16-bit values. | Writing 64 bits is definitely going to overwrite space | that we're not supposed to be touching. | So limit the area modified to u32. Signed-off-by: Don Zickus Acked-by: Matthew Garrett LKML-Reference: <1297139100-424-1-git-send-email-dzickus@redhat.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4aafe23d8b99faa78d8904dd9a9ded8bdcbb1272 Author: Jochen Friedrich Date: Wed Jan 26 11:30:01 2011 +0100 mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo commit 9063f1f15eec35e5fd608879cef8be5728f2d12a upstream. Call input_set_abs_params instead of manually setting absbit only. This fixes this oops: Unable to handle kernel NULL pointer dereference at virtual address 00000024 Internal error: Oops: 41b67017 [#1] CPU: 0 Not tainted (2.6.37 #4) pc : [] lr : [<00000000>] psr: 20000093 sp : c19e5f30 ip : c19e5e6c fp : c19e5f58 r10: 00000000 r9 : c19e4000 r8 : 00000003 r7 : 000001e4 r6 : 00000001 r5 : c1854400 r4 : 00000003 r3 : 00000018 r2 : 00000018 r1 : 00000018 r0 : c185447c Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel Control: c1b6717f Table: c1b6717f DAC: 00000017 Stack: (0xc19e5f30 to 0xc19e6000) 5f20: 00000003 00000003 c1854400 00000013 5f40: 00000001 000001e4 000001c5 c19e5f80 c19e5f5c c016d5e8 c016cf5c 000001e4 5f60: c1854400 c18b5860 00000000 00000171 000001e4 c19e5fc4 c19e5f84 c01559a4 5f80: c016d584 c18b5868 00000000 c1bb5c40 c0035afc c18b5868 c18b5868 c1a55d54 5fa0: c18b5860 c0155750 00000013 00000000 00000000 00000000 c19e5ff4 c19e5fc8 5fc0: c0050174 c015575c 00000000 c18b5860 00000000 c19e5fd4 c19e5fd4 c1a55d54 5fe0: c00500f0 c003b464 00000000 c19e5ff8 c003b464 c00500fc 04000400 04000400 Backtrace: Function entered at [] from [] Function entered at [] from [] r8:000001e4 r7:00000171 r6:00000000 r5:c18b5860 r4:c1854400 Function entered at [] from [] Function entered at [] from [] r6:c003b464 r5:c00500f0 r4:c1a55d54 Code: e59520fc e1a03286 e0433186 e0822003 (e592000c) >>PC; c016d1fc <===== Trace; c016cf50 Trace; c016d5e8 Trace; c016d578 Trace; c01559a4 Trace; c0155750 Trace; c0050174 Trace; c00500f0 Trace; c003b464 Signed-off-by: Jochen Friedrich Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 588a737af5a60c380136bb6e400ca29a6ad0e216 Author: vwadekar@nvidia.com Date: Thu Feb 24 10:18:13 2011 +0530 mfd: Avoid tps6586x burst writes commit 4b57018dcd6418e18c08088c89f123da8a7bfc45 upstream. tps6586 does not support burst writes. i2c writes have to be 1 byte at a time. Signed-off-by: Varun Wadekar Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 29b37a14b0197d9d62e1886adaefd16f83b5b5f5 Author: Vasiliy Kulikov Date: Sat Feb 19 14:18:08 2011 +0100 ACPI / debugfs: Fix buffer overflows, double free commit 2949ad50711cc161721cf788711722eeeca33764 upstream. File position is not controlled, it may lead to overwrites of arbitrary kernel memory. Also the code may kfree() the same pointer multiple times. One more flaw is still present: if multiple processes open the file then all 3 static variables are shared, leading to various race conditions. They should be moved to file->private_data. Signed-off-by: Vasiliy Kulikov Reviewed-by: WANG Cong Reviewed-by: Eugene Teo Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit deca27950a4fcf88963d99e3b926c0e78ab4e5df Author: Dave Airlie Date: Thu Feb 24 08:35:06 2011 +1000 drm: fix unsigned vs signed comparison issue in modeset ctl ioctl. commit 1922756124ddd53846877416d92ba4a802bc658f upstream. This fixes CVE-2011-1013. Reported-by: Matthiew Herrb (OpenBSD X.org team) Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 4b33fadfd4eddc8a41fd2dc08c623ed401519fff Author: Tristan Ye Date: Fri Jan 21 18:20:18 2011 +0800 Ocfs2/refcounttree: Fix a bug for refcounttree to writeback clusters in a right number. commit acf3bb007e5636ef4c17505affb0974175108553 upstream. Current refcounttree codes actually didn't writeback the new pages out in write-back mode, due to a bug of always passing a ZERO number of clusters to 'ocfs2_cow_sync_writeback', the patch tries to pass a proper one in. Signed-off-by: Tristan Ye Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit dbb59808e7fca1d4c794a3bfeea7f2046fc25f12 Author: Mark Fasheh Date: Mon Jan 31 11:31:04 2011 -0800 ocfs2: Check heartbeat mode for kernel stacks only commit 52c303c56c3638944b5f733e3961dc58eb8c7270 upstream. Commit 2c442719e90a44a6982c033d69df4aae4b167cfa added some checks for proper heartbeat mode when the o2cb stack is running. Unfortunately, it didn't take into account that a userpsace stack could be running. Fix this by only doing the check if o2cb is in use. This patch allows userspace stacks to mount the fs again. Signed-off-by: Mark Fasheh Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 857f5c5af132d55dfa0e5aff8843fff43d45b9fb Author: David Henningsson Date: Wed Feb 23 13:15:56 2011 +0100 ALSA: HDA: Add ideapad quirk for two Dell machines commit ebbd224c22a00dbbee95031a0d6d595460f6f2b3 upstream. These two Dell machines have been reported working well with the ideapad model. BugLink: http://bugs.launchpad.net/bugs/723676 Tested-by: David Chen Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 23f61fe2e0bb27ade93ac479affb2909c406eb36 Author: David Henningsson Date: Mon Feb 21 10:23:18 2011 +0100 ALSA: HDA: Fix mic initialization in VIA auto parser commit 306496761745942d8167e9193a738b559a7fb0b3 upstream. This typo caused some microphone inputs not to be correctly initialized on VIA codecs. Reported-By: Mark Goldstein Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e770095afdbd2dab6d3b48f1feedba2880dd4fd0 Author: Takashi Iwai Date: Tue Feb 22 10:21:18 2011 +0100 ALSA: usb-audio: fix oops due to cleanup race when disconnecting commit 382225e62bdb8059b7f915b133426425516dd300 upstream. When a USB audio device is disconnected, snd_usb_audio_disconnect() kills all audio URBs. At the same time, the application, after being notified of the disconnection, might close the device, in which case ALSA calls the .hw_free callback, which should free the URBs too. Commit de1b8b93a0ba "[ALSA] Fix hang-up at disconnection of usb-audio" prevented snd_usb_hw_free() from freeing the URBs to avoid a hang that resulted from this race, but this introduced another race because the URB callbacks could now be executed after snd_usb_hw_free() has returned, and try to access already freed data. Fix the first race by introducing a mutex to serialize the disconnect callback and all PCM callbacks that manage URBs (hw_free and hw_params). Reported-and-tested-by: Pierre-Louis Bossart [CL: also serialize hw_params callback] Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1e90d1bbd00a32b873cf511fb2521e8912f20ff3 Author: David Henningsson Date: Tue Feb 8 07:16:06 2011 +0100 ALSA: HDA: Add a new Conexant codec 506e (20590) commit 6da8b51657a9cd5a87b4e6e4c7bc76b598a95175 upstream. Conexant 506e/20590 has the same graph as the rest of the 5066 family. BugLink: http://bugs.launchpad.net/bugs/723672 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 89a7828cac76a0dbc8e243c486151642e53f15e0 Author: Felipe Balbi Date: Thu Feb 24 10:36:53 2011 +0200 usb: musb: core: set has_tt flag commit ec95d35a6bd0047f05fe8a21e6c52f8bb418da55 upstream. MUSB is a non-standard host implementation which can handle all speeds with the same core. We need to set has_tt flag after commit d199c96d41d80a567493e12b8e96ea056a1350c1 (USB: prevent buggy hubs from crashing the USB stack) in order for MUSB HCD to continue working. Signed-off-by: Felipe Balbi Cc: Alan Stern Tested-by: Michael Jones Tested-by: Alexander Holler Signed-off-by: Greg Kroah-Hartman commit d50101f24d48314cdc4b2db10d1469c9f8dd8523 Author: Alan Stern Date: Mon Jan 31 10:56:37 2011 -0500 USB: prevent buggy hubs from crashing the USB stack commit d199c96d41d80a567493e12b8e96ea056a1350c1 upstream. If anyone comes across a high-speed hub that (by mistake or by design) claims to have no Transaction Translators, plugging a full- or low-speed device into it will cause the USB stack to crash. This patch (as1446) prevents the problem by ignoring such devices, since the kernel has no way to communicate with them. Signed-off-by: Alan Stern Tested-by: Perry Neben Signed-off-by: Greg Kroah-Hartman commit 8adc60863e6f85a50212d0b8623c38fdb7e5d4c7 Author: Luben Tuikov Date: Fri Feb 11 11:33:10 2011 -0800 USB: Reset USB 3.0 devices on (re)discovery commit 07194ab7be63a972096309ab0ea747df455c6a20 upstream. If the device isn't reset, the XHCI HCD sends SET ADDRESS to address 0 while the device is already in Addressed state, and the request is dropped on the floor as it is addressed to the default address. This sequence of events, which this patch fixes looks like this: usb_reset_and_verify_device() hub_port_init() hub_set_address() SET_ADDRESS to 0 with 1 usb_get_device_descriptor(udev, 8) usb_get_device_descriptor(udev, 18) descriptors_changed() --> goto re_enumerate: hub_port_logical_disconnect() kick_khubd() And then: hub_events() hub_port_connect_change() usb_disconnect() usb_disable_device() new device struct sets device state to Powered choose_address() hub_port_init() <-- no reset, but SET ADDRESS to 0 with 1, timeout! The solution is to always reset the device in hub_port_init() to put it in a known state. Note from Sarah Sharp: This patch should be queued for stable trees all the way back to 2.6.34, since that was the first kernel that supported configured device reset. The code this patch touches has been there since 2.6.32, but the bug would never be hit before 2.6.34 because the xHCI driver would completely reject an attempt to reset a configured device under xHCI. Signed-off-by: Luben Tuikov Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 929364a96776f45edc9b1d71680bf87852dfc39b Author: Paul Zimmerman Date: Sat Feb 12 14:07:57 2011 -0800 xhci: Fix an error in count_sg_trbs_needed() commit bcd2fde05341cef0052e49566ec88b406a521cf3 upstream. The expression while (running_total < sg_dma_len(sg)) does not take into account that the remaining data length can be less than sg_dma_len(sg). In that case, running_total can end up being greater than the total data length, so an extra TRB is counted. Changing the expression to while (running_total < sg_dma_len(sg) && running_total < temp) fixes that. This patch should be queued for stable kernels back to 2.6.31. Signed-off-by: Paul Zimmerman Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 286681ef90a00ad6fdab8d47ac794d1f59004305 Author: Paul Zimmerman Date: Sat Feb 12 14:07:20 2011 -0800 xhci: Fix errors in the running total calculations in the TRB math commit 5807795bd4dececdf553719cc02869e633395787 upstream. Calculations like running_total = TRB_MAX_BUFF_SIZE - (sg_dma_address(sg) & (TRB_MAX_BUFF_SIZE - 1)); if (running_total != 0) num_trbs++; are incorrect, because running_total can never be zero, so the if() expression will never be true. I think the intention was that running_total be in the range of 0 to TRB_MAX_BUFF_SIZE-1, not 1 to TRB_MAX_BUFF_SIZE. So adding a running_total &= TRB_MAX_BUFF_SIZE - 1; fixes the problem. This patch should be queued for stable kernels back to 2.6.31. Signed-off-by: Paul Zimmerman Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 2094b73f358ba57e57e11a775965d66f36a3647d Author: Paul Zimmerman Date: Sat Feb 12 14:06:44 2011 -0800 xhci: Clarify some expressions in the TRB math commit a2490187011cc2263117626615a581927d19f1d3 upstream. This makes it easier to spot some problems, which will be fixed by the next patch in the series. Also change dev_dbg to dev_err in check_trb_math(), so any math errors will be visible even when running with debug disabled. Note: This patch changes the expressions containing "((1 << TRB_MAX_BUFF_SHIFT) - 1)" to use the equivalent "(TRB_MAX_BUFF_SIZE - 1)". No change in behavior is intended for those expressions. This patch should be queued for stable kernels back to 2.6.31. Signed-off-by: Paul Zimmerman Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 07570c3e32779255a8585ce05290ad056ef8b05b Author: Paul Zimmerman Date: Sat Feb 12 14:06:06 2011 -0800 xhci: Avoid BUG() in interrupt context commit 68e41c5d032668e2905404afbef75bc58be179d6 upstream. Change the BUGs in xhci_find_new_dequeue_state() to WARN_ONs, to avoid bringing down the box if one of them is hit This patch should be queued for stable kernels back to 2.6.31. Signed-off-by: Paul Zimmerman Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 64e8cdcc476ee10293ed205febbc9703c8ea1d0e Author: Andreas Herrmann Date: Thu Feb 24 15:53:46 2011 +0100 x86 quirk: Fix polarity for IRQ0 pin2 override on SB800 systems commit 7f74f8f28a2bd9db9404f7d364e2097a0c42cc12 upstream. On some SB800 systems polarity for IOAPIC pin2 is wrongly specified as low active by BIOS. This caused system hangs after resume from S3 when HPET was used in one-shot mode on such systems because a timer interrupt was missed (HPET signal is high active). For more details see: http://marc.info/?l=linux-kernel&m=129623757413868 Tested-by: Manoj Iyer Tested-by: Andre Przywara Signed-off-by: Andreas Herrmann Cc: Borislav Petkov LKML-Reference: <20110224145346.GD3658@alberich.amd.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit dfa89fb5845c0b6d73650a488864be0f7cf83e92 Author: Rafael J. Wysocki Date: Thu Feb 24 11:10:01 2011 +0100 PM: Make ACPI wakeup from S5 work again when CONFIG_PM_SLEEP is unset commit 805bdaec1a44155db35f6ee5410d6bbc365324a8 upstream. Commit 074037e (PM / Wakeup: Introduce wakeup source objects and event statistics (v3)) caused ACPI wakeup to only work if CONFIG_PM_SLEEP is set, but it also worked for CONFIG_PM_SLEEP unset before. This can be fixed by making device_set_wakeup_enable(), device_init_wakeup() and device_may_wakeup() work in the same way as before commit 074037e when CONFIG_PM_SLEEP is unset. Reported-and-tested-by: Justin Maggard Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 645557910671f18c97ce78fd7d3949a1c3927486 Author: NeilBrown Date: Thu Feb 24 17:25:47 2011 +1100 Fix over-zealous flush_disk when changing device size. commit 93b270f76e7ef3b81001576860c2701931cdc78b upstream. There are two cases when we call flush_disk. In one, the device has disappeared (check_disk_change) so any data will hold becomes irrelevant. In the oter, the device has changed size (check_disk_size_change) so data we hold may be irrelevant. In both cases it makes sense to discard any 'clean' buffers, so they will be read back from the device if needed. In the former case it makes sense to discard 'dirty' buffers as there will never be anywhere safe to write the data. In the second case it *does*not* make sense to discard dirty buffers as that will lead to file system corruption when you simply enlarge the containing devices. flush_disk calls __invalidate_devices. __invalidate_device calls both invalidate_inodes and invalidate_bdev. invalidate_inodes *does* discard I_DIRTY inodes and this does lead to fs corruption. invalidate_bev *does*not* discard dirty pages, but I don't really care about that at present. So this patch adds a flag to __invalidate_device (calling it __invalidate_device2) to indicate whether dirty buffers should be killed, and this is passed to invalidate_inodes which can choose to skip dirty inodes. flusk_disk then passes true from check_disk_change and false from check_disk_size_change. dm avoids tripping over this problem by calling i_size_write directly rathher than using check_disk_size_change. md does use check_disk_size_change and so is affected. This regression was introduced by commit 608aeef17a which causes check_disk_size_change to call flush_disk, so it is suitable for any kernel since 2.6.27. Acked-by: Jeff Moyer Cc: Andrew Patterson Cc: Jens Axboe Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit f663ed60892c3e1d4490b079a45d9e546271c40c Author: NeilBrown Date: Thu Feb 24 17:26:41 2011 +1100 md: Fix - again - partition detection when array becomes active commit f0b4f7e2f29af678bd9af43422c537dcb6008603 upstream. Revert b821eaa572fd737faaf6928ba046e571526c36c6 and f3b99be19ded511a1bf05a148276239d9f13eefa When I wrote the first of these I had a wrong idea about the lifetime of 'struct block_device'. It can disappear at any time that the block device is not open if it falls out of the inode cache. So relying on the 'size' recorded with it to detect when the device size has changed and so we need to revalidate, is wrong. Rather, we really do need the 'changed' attribute stored directly in the mddev and set/tested as appropriate. Without this patch, a sequence of: mknod / open / close / unlink (which can cause a block_device to be created and then destroyed) will result in a rescan of the partition table and consequence removal and addition of partitions. Several of these in a row can get udev racing to create and unlink and other code can get confused. With the patch, the rescan is only performed when needed and so there are no races. This is suitable for any stable kernel from 2.6.35. Reported-by: "Wojcik, Krzysztof" Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit eacacaf73496fdad9e82e4d81a1645be05cd3d59 Author: NeilBrown Date: Mon Feb 21 18:25:57 2011 +1100 md: avoid spinlock problem in blk_throtl_exit commit da9cf5050a2e3dbc3cf26a8d908482eb4485ed49 upstream. blk_throtl_exit assumes that ->queue_lock still exists, so make sure that it does. To do this, we stop redirecting ->queue_lock to conf->device_lock and leave it pointing where it is initialised - __queue_lock. As the blk_plug functions check the ->queue_lock is held, we now take that spin_lock explicitly around the plug functions. We don't need the locking, just the warning removal. This is needed for any kernel with the blk_throtl code, which is which is 2.6.37 and later. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 43f474e73901900f948524d7ca450c4408aec93f Author: NeilBrown Date: Wed Feb 16 13:58:51 2011 +1100 md: correctly handle probe of an 'mdp' device. commit 8f5f02c460b7ca74ce55ce126ce0c1e58a3f923d upstream. 'mdp' devices are md devices with preallocated device numbers for partitions. As such it is possible to mknod and open a partition before opening the whole device. this causes md_probe() to be called with a device number of a partition, which in-turn calls mddev_find with such a number. However mddev_find expects the number of a 'whole device' and does the wrong thing with partition numbers. So add code to mddev_find to remove the 'partition' part of a device number and just work with the 'whole device'. This patch addresses https://bugzilla.kernel.org/show_bug.cgi?id=28652 Reported-by: hkmaly@bigfoot.com Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 7c457763a53170ed4815f861b7c6a758f9cb0ed3 Author: Namhyung Kim Date: Fri Feb 25 14:44:25 2011 -0800 mm: fix dubious code in __count_immobile_pages() commit 29723fccc837d20039078f7a571e8d457eb0d6c6 upstream. When pfn_valid_within() failed 'iter' was incremented twice. Signed-off-by: Namhyung Kim Reviewed-by: KAMEZAWA Hiroyuki Reviewed-by: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e03abd0eb5bb2864923626abc9ebc78c2372c3ee Author: Lei Xu Date: Fri Feb 25 14:44:23 2011 -0800 drivers/rtc/rtc-ds3232.c: fix time range difference between linux and RTC chip commit a2d6d2fa90c0e1d2cc1d59ccb5bbe93bb28b7413 upstream. In linux rtc_time struct, tm_mon range is 0~11, tm_wday range is 0~6, while in RTC HW REG, month range is 1~12, day of the week range is 1~7, this patch adjusts difference of them. The efect of this bug was that most of month will be operated on as the next month by the hardware (When in Jan it maybe even worse). For example, if in May, software wrote 4 to the hardware, which handled it as April. Then the logic would be different between software and hardware, which would cause weird things to happen. Signed-off-by: Lei Xu Cc: Alessandro Zummo Cc: john stultz Cc: Jack Lan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9d482869ef6414b388d582f498e7eac78bd2bc20 Author: Timo Warns Date: Fri Feb 25 14:44:21 2011 -0800 ldm: corrupted partition table can cause kernel oops commit 294f6cf48666825d23c9372ef37631232746e40d upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains a bug that causes a kernel oops on certain corrupted LDM partitions. A kernel subsystem seems to crash, because, after the oops, the kernel no longer recognizes newly connected storage devices. The patch changes ldm_parse_vmdb() to Validate the value of vblk_size. Signed-off-by: Timo Warns Cc: Eugene Teo Acked-by: Richard Russon Cc: Harvey Harrison Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 960ac8917d6f4ef3a63e64bae1159256ff7cd72c Author: FUJITA Tomonori Date: Fri Feb 25 14:44:16 2011 -0800 swiotlb: fix wrong panic commit fba99fa38b023224680308a482e12a0eca87e4e1 upstream. swiotlb's map_page wrongly calls panic() when it can't find a buffer fit for device's dma mask. It should return an error instead. Devices with an odd dma mask (i.e. under 4G) like b44 network card hit this bug (the system crashes): http://marc.info/?l=linux-kernel&m=129648943830106&w=2 If swiotlb returns an error, b44 driver can use the own bouncing mechanism. Reported-by: Chuck Ebbert Signed-off-by: FUJITA Tomonori Tested-by: Arkadiusz Miskiewicz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a72affdbb09f3f24f64ffcbbdf62c2e57c58f379 Author: Davide Libenzi Date: Fri Feb 25 14:44:12 2011 -0800 epoll: prevent creating circular epoll structures commit 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e upstream. In several places, an epoll fd can call another file's ->f_op->poll() method with ep->mtx held. This is in general unsafe, because that other file could itself be an epoll fd that contains the original epoll fd. The code defends against this possibility in its own ->poll() method using ep_call_nested, but there are several other unsafe calls to ->poll elsewhere that can be made to deadlock. For example, the following simple program causes the call in ep_insert recursively call the original fd's ->poll, leading to deadlock: #include #include int main(void) { int e1, e2, p[2]; struct epoll_event evt = { .events = EPOLLIN }; e1 = epoll_create(1); e2 = epoll_create(2); pipe(p); epoll_ctl(e2, EPOLL_CTL_ADD, e1, &evt); epoll_ctl(e1, EPOLL_CTL_ADD, p[0], &evt); write(p[1], p, sizeof p); epoll_ctl(e1, EPOLL_CTL_ADD, e2, &evt); return 0; } On insertion, check whether the inserted file is itself a struct epoll, and if so, do a recursive walk to detect whether inserting this file would create a loop of epoll structures, which could lead to deadlock. [nelhage@ksplice.com: Use epmutex to serialize concurrent inserts] Signed-off-by: Davide Libenzi Signed-off-by: Nelson Elhage Reported-by: Nelson Elhage Tested-by: Nelson Elhage Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cbad04642867968e91a828af10c5d07924d1ee5e Author: Max Vozeler Date: Wed Jan 12 15:02:05 2011 +0200 staging: usbip: vhci: use urb->dev->portnum to find port commit 01446ef5af4e8802369bf4d257806e24345a9371 upstream. The access to pending_port was racy when two devices were being attached at the same time. Signed-off-by: Max Vozeler Tested-by: Mark Wehby Signed-off-by: Greg Kroah-Hartman commit 6746cdfcac6c559471738d5c94b2379960f83e09 Author: Max Vozeler Date: Wed Jan 12 15:02:02 2011 +0200 staging: usbip: vhci: refuse to enqueue for dead connections commit 6d212153a838354078cc7d96f9bb23b7d1fd3d1b upstream. There can be requests to enqueue URBs while we are shutting down a connection. Signed-off-by: Max Vozeler Tested-by: Mark Wehby Signed-off-by: Greg Kroah-Hartman commit a5cd44e3e3e926edc55aa9431e48a37611a6e528 Author: Max Vozeler Date: Wed Jan 12 15:02:01 2011 +0200 staging: usbip: vhci: give back URBs from in-flight unlink requests commit b92a5e23737172c52656a090977408a80d7f06d1 upstream. If we never received a RET_UNLINK because the TCP connection broke the pending URBs still need to be unlinked and given back. Previously processes would be stuck trying to kill the URB even after the device was detached. Signed-off-by: Max Vozeler Tested-by: Mark Wehby Signed-off-by: Greg Kroah-Hartman commit 927c3fa44e24300eb827ab9f9dacce6dff9c9bb7 Author: Max Vozeler Date: Wed Jan 12 15:02:00 2011 +0200 staging: usbip: vhci: update reference count for usb_device commit 7606ee8aa33287dd3e6eb44c78541b87a413a325 upstream. This fixes an oops observed when reading status during removal of a device: [ 1706.648285] general protection fault: 0000 [#1] SMP [ 1706.648294] last sysfs file: /sys/devices/platform/vhci_hcd/status [ 1706.648297] CPU 1 [ 1706.648300] Modules linked in: binfmt_misc microcode fuse loop vhci_hcd(N) usbip(N) usbcore usbip_common_mod(N) rtc_core rtc_lib joydev dm_mirror dm_region_hash dm_log linear dm_snapshot xennet dm_mod ext3 mbcache jbd processor thermal_sys hwmon xenblk cdrom [ 1706.648324] Supported: Yes [ 1706.648327] Pid: 10422, comm: usbip Tainted: G N 2.6.32.12-0.7-xen #1 [ 1706.648330] RIP: e030:[] [] strnlen+0x5/0x40 [ 1706.648340] RSP: e02b:ffff8800a994dd30 EFLAGS: 00010286 [ 1706.648343] RAX: ffffffff80481ec1 RBX: 0000000000000000 RCX: 0000000000000002 [ 1706.648347] RDX: 00200d1d4f1c001c RSI: ffffffffffffffff RDI: 00200d1d4f1c001c [ 1706.648350] RBP: ffff880129a1c0aa R08: ffffffffa01901c4 R09: 0000000000000006 [ 1706.648353] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800a9a1c0ab [ 1706.648357] R13: 00200d1d4f1c001c R14: 00000000ffffffff R15: ffff880129a1c0aa [ 1706.648363] FS: 00007f2f2e9ca700(0000) GS:ffff880001018000(0000) knlGS:0000000000000000 [ 1706.648367] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1706.648370] CR2: 000000000071b048 CR3: 00000000b4b68000 CR4: 0000000000002660 [ 1706.648374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1706.648378] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 1706.648381] Process usbip (pid: 10422, threadinfo ffff8800a994c000, task ffff88007b170200) [ 1706.648385] Stack: [ 1706.648387] ffffffff801b28c9 0000000000000002 ffffffffa01901c4 ffff8800a9a1c0ab [ 1706.648391] <0> ffffffffa01901c6 ffff8800a994de08 ffffffff801b339b 0000000000000004 [ 1706.648397] <0> 0000000affffffff ffffffffffffffff 00000000000067c0 0000000000000000 [ 1706.648404] Call Trace: [ 1706.648413] [] string+0x39/0xe0 [ 1706.648419] [] vsnprintf+0x1eb/0x620 [ 1706.648423] [] sprintf+0x43/0x50 [ 1706.648429] [] show_status+0x1b9/0x220 [vhci_hcd] [ 1706.648438] [] dev_attr_show+0x27/0x60 [ 1706.648445] [] sysfs_read_file+0x101/0x1d0 [ 1706.648451] [] vfs_read+0xc7/0x130 [ 1706.648457] [] sys_read+0x53/0xa0 [ 1706.648462] [] system_call_fastpath+0x16/0x1b [ 1706.648468] [<00007f2f2de40f30>] 0x7f2f2de40f30 [ 1706.648470] Code: 66 0f 1f 44 00 00 48 83 c2 01 80 3a 00 75 f7 48 89 d0 48 29 f8 f3 c3 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 48 85 f6 74 29 <80> 3f 00 74 24 48 8d 56 ff 48 89 f8 eb 0e 0f 1f 44 00 00 48 83 [ 1706.648507] RIP [] strnlen+0x5/0x40 [ 1706.648511] RSP [ 1706.649575] ---[ end trace b4eb72bf2e149593 ]--- Signed-off-by: Max Vozeler Tested-by: Mark Wehby Signed-off-by: Greg Kroah-Hartman commit 36dc1b24c025080ae6c4894d6e9ea240c23794af Author: Roland Vossen Date: Thu Feb 24 21:42:19 2011 +0100 staging: brcm80211: bugfix for softmac crash on multi cpu configurations commit 6a3be6e6e7feb4cb35275475d6a863b748d59cc3 upstream Solved a locking issue that resulted in driver crashes with the 43224 and 43225 chips. The problem has been reported on several fora. Root cause was two fold: hardware was being manipulated by two unsynchronized threads, and a scan operation could interfere with an ongoing dynamic calibration process. Fix was to invoke a lock on wl_ops_config() operation and to set internal flags when a scan operation is started and stopped. Please add this to the staging-linus branch. Reviewed-by: Arend van Spriel Signed-off-by: Roland Vossen Signed-off-by: Greg Kroah-Hartman commit a1621f168e4209c68023d4060ec77b8c9ec18547 Author: Arend van Spriel Date: Thu Feb 24 21:42:18 2011 +0100 staging: brcm80211: remove assert to avoid panic since 2.6.37 kernel commit d062d44a8386c82c06e483f0c0d1124ba3cab2c8 upstream The driver assumed it would receive skb packets from MAC80211 which are not cloned. To guard this assumption an assert was placed in the transmit routine. As of kernel 2.6.37 it turns out MAC80211 does pass skb packets that are cloned. The assert is also not needed as it does not lead to a failure state in our driver when the packet is cloned. Therefore the assert can safely be removed. > commit f8a0a781488ec7288d1049e5d2022850aa98f7b6 > Author: Felix Fietkau > Date: Sat Dec 18 19:30:50 2010 +0100 > > mac80211: fix potentially redundant skb data copying > > When an skb is shared, it needs to be duplicated, along with its data > If the skb does not have enough headroom, using skb_copy might cause t > buffer to be copied twice (once by skb_copy and once by pskb_expand_he > Fix this by using skb_clone initially and letting ieee80211_skb_resize > out the rest. > > Signed-off-by: Felix Fietkau > Signed-off-by: John W. Linville > Acked-by: Brett Rudley Signed-off-by: Arend van Spriel Signed-off-by: Greg Kroah-Hartman commit e98b9902196dd0bd598fae9b3bdbfda57a9e352b Author: Miklos Szeredi Date: Wed Feb 23 13:49:47 2011 +0100 mm: prevent concurrent unmap_mapping_range() on the same inode commit 2aa15890f3c191326678f1bd68af61ec6b8753ec upstream. Michael Leun reported that running parallel opens on a fuse filesystem can trigger a "kernel BUG at mm/truncate.c:475" Gurudas Pai reported the same bug on NFS. The reason is, unmap_mapping_range() is not prepared for more than one concurrent invocation per inode. For example: thread1: going through a big range, stops in the middle of a vma and stores the restart address in vm_truncate_count. thread2: comes in with a small (e.g. single page) unmap request on the same vma, somewhere before restart_address, finds that the vma was already unmapped up to the restart address and happily returns without doing anything. Another scenario would be two big unmap requests, both having to restart the unmapping and each one setting vm_truncate_count to its own value. This could go on forever without any of them being able to finish. Truncate and hole punching already serialize with i_mutex. Other callers of unmap_mapping_range() do not, and it's difficult to get i_mutex protection for all callers. In particular ->d_revalidate(), which calls invalidate_inode_pages2_range() in fuse, may be called with or without i_mutex. This patch adds a new mutex to 'struct address_space' to prevent running multiple concurrent unmap_mapping_range() on the same mapping. [ We'll hopefully get rid of all this with the upcoming mm preemptibility series by Peter Zijlstra, the "mm: Remove i_mmap_mutex lockbreak" patch in particular. But that is for 2.6.39 ] Signed-off-by: Miklos Szeredi Reported-by: Michael Leun Reported-by: Gurudas Pai Tested-by: Gurudas Pai Acked-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ee9c1a61d8d131503faaead0d7636bdc1e44e3c3 Author: Eric Dumazet Date: Fri Feb 18 22:35:56 2011 +0000 tcp: fix inet_twsk_deschedule() commit 91035f0b7d89291af728b6f3e370c3be58fcbe1b upstream. Eric W. Biederman reported a lockdep splat in inet_twsk_deschedule() This is caused by inet_twsk_purge(), run from process context, and commit 575f4cd5a5b6394577 (net: Use rcu lookups in inet_twsk_purge.) removed the BH disabling that was necessary. Add the BH disabling but fine grained, right before calling inet_twsk_deschedule(), instead of whole function. With help from Linus Torvalds and Eric W. Biederman Reported-by: Eric W. Biederman Signed-off-by: Eric Dumazet CC: Daniel Lezcano CC: Pavel Emelyanov CC: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 05d13b4e89caaca96f73c5f46d7b3dc9bcc7b0d8 Author: Alex Deucher Date: Mon Feb 21 01:11:59 2011 -0500 Revert "drm/radeon/kms: switch back to min->max pll post divider iteration" commit bd6a60afeb4c9ada3ff27f1d13db1a2b5c11d8c0 upstream. This reverts commit a6f9761743bf35b052180f4a8bdae4d2cc0465f6. Remove this commit as it is no longer necessary. The relevant bugs were fixed properly in: drm/radeon/kms: hopefully fix pll issues for real (v3) 5b40ddf888398ce4cccbf3b9d0a18d90149ed7ff drm/radeon/kms: add missing frac fb div flag for dce4+ 9f4283f49f0a96a64c5a45fe56f0f8c942885eef This commit also broke certain ~5 Mhz modes on old arcade monitors, so reverting this commit fixes: https://bugzilla.kernel.org/show_bug.cgi?id=29502 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0b2421a21fecb20e00ce36acaf2637c708294648 Author: Christian Lamparter Date: Fri Feb 11 01:48:42 2011 +0100 p54pci: update receive dma buffers before and after processing commit 0bf719dfdecc5552155cbec78e49fa06e531e35c upstream. Documentation/DMA-API-HOWTO.txt states: "DMA transfers need to be synced properly in order for the cpu and device to see the most uptodate and correct copy of the DMA buffer." Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7314803e0f47c8898ff9c14e9a04866e01cd7434 Author: Linus Torvalds Date: Wed Feb 23 19:42:03 2011 -0800 Revert "Bluetooth: Enable USB autosuspend by default on btusb" commit 78794b2cdeac37ac1fd950fc9c4454b56d88ac03 upstream. This reverts commit 556ea928f78a390fe16ae584e6433dff304d3014. Jeff Chua reports that it can cause some bluetooth devices (he mentions an Bluetooth Intermec scanner) to just stop responding after a while with messages like [ 4533.361959] btusb 8-1:1.0: no reset_resume for driver btusb? [ 4533.361964] btusb 8-1:1.1: no reset_resume for driver btusb? from the kernel. See also https://bugzilla.kernel.org/show_bug.cgi?id=26182 for other reports. Reported-by: Jeff Chua Reported-by: Andrew Meakovski Reported-by: Jim Faulkner Acked-by: Greg KH Acked-by: Matthew Garrett Acked-by: Gustavo F. Padovan Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6b0172880a8dc9663697c8034f065a310162c2f1 Author: Jon Thomas Date: Wed Feb 16 11:02:34 2011 -0500 sierra: add new ID for Airprime/Sierra USB IP modem commit e1dc5157c574e7249dc1cd072fde2e48b3011533 upstream. I picked up a new Sierra usb 308 (At&t Shockwave) on 2/2011 and the vendor code is 0x0f3d Looking up vendor and product id's I see: 0f3d Airprime, Incorporated 0112 CDMA 1xEVDO PC Card, PC 5220 Sierra and Airprime are somehow related and I'm guessing the At&t usb 308 might be have some common hardware with the AirPrime SL809x. Signed-off-by: Jon Thomas Signed-off-by: Greg Kroah-Hartman commit 4ed3cba9c1ffd79e351c375dcd4d27d01a19778a Author: Jiri Slaby Date: Tue Feb 15 15:55:07 2011 +0100 USB: serial/usb_wwan, fix tty NULL dereference commit 38237fd2be9421c104f84cc35665097bdce89013 upstream. tty_port_tty_get may return without any problems NULL. Handle this case and do not oops in usb_wwan_indat_callback by dereferencing it. The oops: Unable to handle kernel paging request for data at address 0x000000d8 Faulting instruction address: 0xc0175b3c Oops: Kernel access of bad area, sig: 11 [#1] PowerPC 40x Platform last sysfs file: /sys/devices/pci0000:00/0000:00:00.0/0000:01:00.0/0000:02:09.2/usb1/idVendor Modules linked in: NIP: c0175b3c LR: c0175e7c CTR: c0215c90 REGS: c77f7d50 TRAP: 0300 Not tainted (2.6.37-rc5) MSR: 00021030 CR: 88482028 XER: 2000005f DEAR: 000000d8, ESR: 00000000 TASK = c7141b90[1149] 'wvdial' THREAD: c2750000 GPR00: 00021030 c77f7e00 c7141b90 00000000 0000000e 00000000 0000000e c0410680 GPR08: c683db00 00000000 00000001 c03c81f8 88482028 10073ef4 ffffffb9 ffffff94 GPR16: 00000000 fde036c0 00200200 00100100 00000001 ffffff8d c34fabcc 00000000 GPR24: c71120d4 00000000 00000000 0000000e 00021030 00000000 00000000 0000000e NIP [c0175b3c] tty_buffer_request_room+0x2c/0x194 LR [c0175e7c] tty_insert_flip_string_fixed_flag+0x3c/0xb0 Call Trace: [c77f7e00] [00000003] 0x3 (unreliable) [c77f7e30] [c0175e7c] tty_insert_flip_string_fixed_flag+0x3c/0xb0 [c77f7e60] [c0215df4] usb_wwan_indat_callback+0x164/0x170 ... References: https://bugzilla.kernel.org/show_bug.cgi?id=24582 Cc: Amit Shah Cc: baoyb Signed-off-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit 077bbb94db7c64bd2b17f1683dc43845cd678587 Author: Maciej Szmigiero Date: Sat Feb 5 21:52:00 2011 +0100 USB: Add quirk for Samsung Android phone modem commit 72a012ce0a02c6c616676a24b40ff81d1aaeafda upstream. My Galaxy Spica needs this quirk when in modem mode, otherwise it causes endless USB bus resets and is unusable in this mode. Unfortunately Samsung decided to reuse ID of its old CDMA phone SGH-I500 for the modem part. That's why in addition to this patch the visor driver must be prevented from binding to SPH-I500 ID, so ACM driver can do that. Signed-off-by: Maciej Szmigiero Signed-off-by: Greg Kroah-Hartman commit 6267284cac14af51ea22104afa3146523a133d7a Author: Maciej Szmigiero Date: Mon Feb 7 12:42:36 2011 +0100 USB: Add Samsung SGH-I500/Android modem ID switch to visor driver commit acb52cb1613e1d3c8a8c650717cc51965c60d7d4 upstream. [USB]Add Samsung SGH-I500/Android modem ID switch to visor driver Samsung decided to reuse USB ID of its old CDMA phone SGH-I500 for the modem part of some of their Android phones. At least Galaxy Spica is affected. This modem needs ACM driver and does not work with visor driver which binds the conflicting ID for SGH-I500. Because SGH-I500 is pretty an old hardware its best to add switch to visor driver in cause somebody still wants to use that phone with Linux. Note that this is needed only when using the Android phone as modem, not in USB storage or ADB mode. Signed-off-by: Maciej Szmigiero Signed-off-by: Greg Kroah-Hartman commit 20e5fed64ca8610cc368b2b126089da167258c44 Author: Alan Stern Date: Thu Feb 17 10:26:38 2011 -0500 USB: add quirks entry for Keytouch QWERTY Panel commit 3c18e30f87ac5466bddbb05cf955605efd7db025 upstream. This patch (as1448) adds a quirks entry for the Keytouch QWERTY Panel firmware, used in the IEC 60945 keyboard. This device crashes during enumeration when the computer asks for its configuration string descriptor. Signed-off-by: Alan Stern Tested-by: kholis Signed-off-by: Greg Kroah-Hartman commit d1847a91a172be9e8caf245c6ea2622caeb6b315 Author: Johan Hovold Date: Fri Feb 11 16:57:08 2011 +0100 usb: musb: omap2430: fix kernel panic on reboot commit b193b412e62b134adf69af286c7e7f8e99259350 upstream. Cancel idle timer in musb_platform_exit. The idle timer could trigger after clock had been disabled leading to kernel panic when MUSB_DEVCTL is accessed in musb_do_idle on 2.6.37. The fault below is no longer triggered on 2.6.38-rc4 (clock is disabled later, and only if compiled as a module, and the offending memory access has moved) but the timer should be cancelled nonetheless. Rebooting... musb_hdrc musb_hdrc: remove, state 4 usb usb1: USB disconnect, address 1 musb_hdrc musb_hdrc: USB bus 1 deregistered Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa0ab060 Internal error: : 1028 [#1] PREEMPT last sysfs file: /sys/kernel/uevent_seqnum Modules linked in: CPU: 0 Not tainted (2.6.37+ #6) PC is at musb_do_idle+0x24/0x138 LR is at musb_do_idle+0x18/0x138 pc : [] lr : [] psr: 80000193 sp : cf2bdd80 ip : cf2bdd80 fp : c048a20c r10: c048a60c r9 : c048a40c r8 : cf85e110 r7 : cf2bc000 r6 : 40000113 r5 : c0489800 r4 : cf85e110 r3 : 00000004 r2 : 00000006 r1 : fa0ab000 r0 : cf8a7000 Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 8faac019 DAC: 00000015 Process reboot (pid: 769, stack limit = 0xcf2bc2f0) Stack: (0xcf2bdd80 to 0xcf2be000) dd80: 00000103 c0489800 c02377b4 c005fa34 00000555 c0071a8c c04a3858 cf2bdda8 dda0: 00000555 c048a00c cf2bdda8 cf2bdda8 1838beb0 00000103 00000004 cf2bc000 ddc0: 00000001 00000001 c04896c8 0000000a 00000000 c005ac14 00000001 c003f32c dde0: 00000000 00000025 00000000 cf2bc000 00000002 00000001 cf2bc000 00000000 de00: 00000001 c005ad08 cf2bc000 c002e07c c03ec039 ffffffff fa200000 c0033608 de20: 00000001 00000000 cf852c14 cf81f200 c045b714 c045b708 cf2bc000 c04a37e8 de40: c0033c04 cf2bc000 00000000 00000001 cf2bde68 cf2bde68 c01c3abc c004f7d8 de60: 60000013 ffffffff c0033c04 00000000 01234567 fee1dead 00000000 c006627c de80: 00000001 c00662c8 28121969 c00663ec cfa38c40 cf9f6a00 cf2bded0 cf9f6a0c dea0: 00000000 cf92f000 00008914 c02cd284 c04a55c8 c028b398 c00715c0 becf24a8 dec0: 30687465 00000000 00000000 00000000 00000002 1301a8c0 00000000 00000000 dee0: 00000002 1301a8c0 00000000 00000000 c0450494 cf527920 00011f10 cf2bdf08 df00: 00011f10 cf2bdf10 00011f10 cf2bdf18 c00f0b44 c004f7e8 cf2bdf18 cf2bdf18 df20: 00011f10 cf2bdf30 00011f10 cf2bdf38 cf401300 cf486100 00000008 c00d2b28 df40: 00011f10 cf401300 00200200 c00d3388 00011f10 cfb63a88 cfb63a80 c00c2f08 df60: 00000000 00000000 cfb63a80 00000000 cf0a3480 00000006 c0033c04 cfb63a80 df80: 00000000 c00c0104 00000003 cf0a3480 cfb63a80 00000000 00000001 00000004 dfa0: 00000058 c0033a80 00000000 00000001 fee1dead 28121969 01234567 00000000 dfc0: 00000000 00000001 00000004 00000058 00000001 00000001 00000000 00000001 dfe0: 4024d200 becf2cb0 00009210 4024d218 60000010 fee1dead 00000000 00000000 [] (musb_do_idle+0x24/0x138) from [] (run_timer_softirq+0x1a8/0x26) [] (run_timer_softirq+0x1a8/0x26c) from [] (__do_softirq+0x88/0x13) [] (__do_softirq+0x88/0x138) from [] (irq_exit+0x44/0x98) [] (irq_exit+0x44/0x98) from [] (asm_do_IRQ+0x7c/0xa0) [] (asm_do_IRQ+0x7c/0xa0) from [] (__irq_svc+0x48/0xa8) Exception stack(0xcf2bde20 to 0xcf2bde68) de20: 00000001 00000000 cf852c14 cf81f200 c045b714 c045b708 cf2bc000 c04a37e8 de40: c0033c04 cf2bc000 00000000 00000001 cf2bde68 cf2bde68 c01c3abc c004f7d8 de60: 60000013 ffffffff [] (__irq_svc+0x48/0xa8) from [] (sub_preempt_count+0x0/0xb8) Code: ebf86030 e5940098 e594108c e5902010 (e5d13060) ---[ end trace 3689c0d808f9bf7c ]--- Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: Johan Hovold Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman