commit 1be99f6c95e6c887756f789a60d15771235acd0c Author: Greg Kroah-Hartman Date: Thu Apr 14 13:03:56 2011 -0700 Linux 2.6.38.3 commit 212795f2be795d6538f225d157b33d58fb64d067 Author: J. Bruce Fields Date: Mon Mar 28 15:15:09 2011 +0800 nfsd4: fix oops on lock failure commit 23fcf2ec93fb8573a653408316af599939ff9a8e upstream. Lock stateid's can have access_bmap 0 if they were only partially initialized (due to a failed lock request); handle that case in free_generic_stateid. ------------[ cut here ]------------ kernel BUG at fs/nfsd/nfs4state.c:380! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/kernel/mm/ksm/run Modules linked in: nfs fscache md4 nls_utf8 cifs ip6table_filter ip6_tables ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc nfsd lockd nfs_acl auth_rpcgss sunrpc ipv6 ppdev parport_pc parport pcnet32 mii pcspkr microcode i2c_piix4 BusLogic floppy [last unloaded: mperf] Pid: 1468, comm: nfsd Not tainted 2.6.38+ #120 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform EIP: 0060:[] EFLAGS: 00010297 CPU: 0 EIP is at nfs4_access_to_omode+0x1c/0x29 [nfsd] EAX: ffffffff EBX: dd758120 ECX: 00000000 EDX: 00000004 ESI: dd758120 EDI: ddfe657c EBP: dd54dde0 ESP: dd54dde0 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process nfsd (pid: 1468, ti=dd54c000 task=ddc92580 task.ti=dd54c000) Stack: dd54ddf0 e24f19ca 00000000 ddfe6560 dd54de08 e24f1a5d dd758130 deee3a20 ddfe6560 31270000 dd54df1c e24f52fd 0000000f dd758090 e2505dd0 0be304cf dbb51d68 0000000e ddfe657c ddcd8020 dd758130 dd758128 dd7580d8 dd54de68 Call Trace: [] free_generic_stateid+0x1c/0x3e [nfsd] [] release_lockowner+0x71/0x8a [nfsd] [] nfsd4_lock+0x617/0x66c [nfsd] [] ? nfsd_setuser+0x199/0x1bb [nfsd] [] ? nfsd_setuser_and_check_port+0x65/0x81 [nfsd] [] ? _cond_resched+0x8/0x1c [] ? slab_pre_alloc_hook.clone.33+0x23/0x27 [] ? kmem_cache_alloc+0x1a/0xd2 [] ? __call_rcu+0xd7/0xdd [] ? fh_verify+0x401/0x452 [nfsd] [] ? nfsd4_encode_operation+0x52/0x117 [nfsd] [] ? 
nfsd4_putfh+0x33/0x3b [nfsd] [] ? nfsd4_delegreturn+0xd4/0xd4 [nfsd] [] nfsd4_proc_compound+0x1ea/0x33e [nfsd] [] nfsd_dispatch+0xd1/0x1a5 [nfsd] [] svc_process_common+0x282/0x46f [sunrpc] [] svc_process+0xdc/0xfa [sunrpc] [] nfsd+0xd6/0x115 [nfsd] [] ? nfsd_shutdown+0x24/0x24 [nfsd] [] kthread+0x62/0x67 [] ? kthread_worker_fn+0x114/0x114 [] kernel_thread_helper+0x6/0x10 Code: eb 05 b8 00 00 27 4f 8d 65 f4 5b 5e 5f 5d c3 83 e0 03 55 83 f8 02 89 e5 74 17 83 f8 03 74 05 48 75 09 eb 09 b8 02 00 00 00 eb 0b <0f> 0b 31 c0 eb 05 b8 01 00 00 00 5d c3 55 89 e5 57 56 89 d6 8d EIP: [] nfs4_access_to_omode+0x1c/0x29 [nfsd] SS:ESP 0068:dd54dde0 ---[ end trace 2b0bf6c6557cb284 ]--- The trace route is: -> nfsd4_lock() -> if (lock->lk_is_new) { -> alloc_init_lock_stateid() 3739: stp->st_access_bmap = 0; ->if (status && lock->lk_is_new && lock_sop) -> release_lockowner() -> free_generic_stateid() -> nfs4_access_bmap_to_omode() -> nfs4_access_to_omode() 380: BUG(); ***** This problem was introduced by 0997b173609b9229ece28941c118a2a9b278796e. Reported-by: Mi Jinlong Tested-by: Mi Jinlong Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 39932bd2baf36a8521b89795ac21efbec7e0d976 Author: J. Bruce Fields Date: Thu Mar 24 22:51:14 2011 -0400 nfsd: fix auth_domain reference leak on nlm operations commit 954032d2527f2fce7355ba70709b5e143d6b686f upstream. This was noticed by users who performed more than 2^32 lock operations and hence made this counter overflow (eventually leading to use-after-free's). Setting rq_client to NULL here means that it won't later get auth_domain_put() when it should be. Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth domain lookup into svcauth" which moved most of the rq_client handling to common svcauth code, but left behind this one line. Cc: Neil Brown Signed-off-by: J. 
Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 6fc45e2d18e042ac3d7677fcec64e2f0308f8b5f Author: Yongqiang Yang Date: Mon Apr 4 15:40:24 2011 -0400 ext4: fix credits computing for indirect mapped files commit 5b41395fcc0265fc9f193aef9df39ce49d64677c upstream. When writing a contiguous set of blocks, two indirect blocks could be needed depending on how the blocks are aligned, so we need to increase the number of credits needed by one. [ Also fixed a another bug which could further underestimate the number of journal credits needed by 1; the code was using integer division instead of DIV_ROUND_UP() -- tytso] Signed-off-by: Yongqiang Yang Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 53224a1f02f493bb1a37bad94b596cc4314777e6 Author: Tao Ma Date: Mon Apr 4 16:00:49 2011 -0400 ext4: fix a double free in ext4_register_li_request commit 46e4690bbd9a4f8d9e7c4f34e34b48f703ad47e0 upstream. In ext4_register_li_request, we malloc a ext4_li_request and inserts it into ext4_li_info->li_request_list. In case of any error later, we free it in the end. But if we have some error in ext4_run_lazyinit_thread, the whole li_request_list will be dropped and freed in it. So we will double free this ext4_li_request. This patch just sets elr to NULL after it is inserted to the list so that the latter kfree won't double free it. Signed-off-by: Tao Ma Reviewed-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit a691a7c96629740253fc52c30460607b98e05328 Author: Philip A. Prindeville Date: Wed Mar 30 13:17:04 2011 +0000 atm/solos-pci: Don't flap VCs when carrier state changes commit c031235b395433350f25943b7580a5e343c7b7b2 upstream. Don't flap VCs when carrier state changes; higher-level protocols can detect loss of connectivity and act accordingly. This is more consistent with how other network interfaces work. We no longer use release_vccs() so we can delete it. 
release_vccs() was duplicated from net/atm/common.c; make the corresponding function exported, since other code duplicates it and could leverage it if it were public. Signed-off-by: Philip A. Prindeville Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fe48c5e4b5b2cc1f95d3750a54c458944cc34523 Author: Philip A. Prindeville Date: Wed Mar 30 12:59:26 2011 +0000 atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump commit 18b429e74eeafe42e947b1b0f9a760c7153a0b5c upstream. Omit pkt_hdr preamble when dumping transmitted packet as hex-dump; we can pull this up because the frame has already been sent, and dumping it is the last thing we do with it before freeing it. Also include the size, vpi, and vci in the debug as is done on receive. Use "port" consistently instead of "device" intermittently. Signed-off-by: Philip Prindeville Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3c215f5c980a983e5674cf0fd55a4e5f561333ba Author: Phillip Lougher Date: Tue Mar 15 22:09:55 2011 +0000 Squashfs: handle corruption of directory structure commit 44cff8a9ee8a974f9e931df910688e7fc1f0b0f9 upstream. Handle the rare case where a directory metadata block is uncompressed and corrupted, leading to a kernel oops in directory scanning (memcpy). Normally corruption is detected at the decompression stage and dealt with then, however, this will not happen if: - metadata isn't compressed (users can optionally request no metadata compression), or - the compressed metadata block was larger than the original, in which case the uncompressed version was used, or - the data was corrupt after decompression This patch fixes this by adding some sanity checks against known maximum values. 
Signed-off-by: Phillip Lougher Signed-off-by: Greg Kroah-Hartman commit 2b086ef28939e3cd943664fc84dc54d01d261c2c Author: Phillip Lougher Date: Tue Mar 22 23:01:26 2011 +0000 Squashfs: Use vmalloc rather than kmalloc for zlib workspace commit 117a91e0f25fd7698e20ac3dfa62086be3dc82a3 upstream. Bugzilla bug 31422 reports occasional "page allocation failure. order:4" at Squashfs mount time. Fix this by making zlib workspace allocation use vmalloc rather than kmalloc. Reported-by: Mehmet Giritli Signed-off-by: Phillip Lougher Signed-off-by: Greg Kroah-Hartman commit 8f114f1414335ed352e54d0343909d7b69a81432 Author: Greg Kroah-Hartman Date: Mon Apr 11 16:01:32 2011 -0700 Revert "x86: Cleanup highmap after brk is concluded" This reverts upstream commit e5f15b45ddf3afa2bbbb10c7ea34fb32b6de0a0e It caused problems in the stable tree and should not have been there. Cc: Yinghai Lu Cc: Stefano Stabellini Cc: H. Peter Anvin Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 88210a07190401c7f5293a8c9eb26c693536bd1b Author: Chun-Yi Lee Date: Mon Mar 28 16:52:02 2011 +0800 acer-wmi: does not set persistence state by rfkill_init_sw_state commit 8215af019040ce9182728afee9642d8fdeb17f59 upstream. Acer BIOS keeps devices state when system reboot, but reset to default device states (Wlan on, Bluetooth off, wwan on) if system cold boot. That means BIOS's initial state is not always real persistence. So, removed rfkill_init_sw_state because it sets initial state to persistence then replicate to other new killswitch when rfkill-input enabled. After removed it, acer-wmi set initial soft-block state after rfkill register, and doesn't allow set_block until rfkill initial finished. 
Reference: bko#31002 https://bugzilla.kernel.org/show_bug.cgi?id=31002 Cc: Carlos Corbacho Cc: Matthew Garrett Cc: Dmitry Torokhov Cc: Corentin Chary Cc: Oldřich Jedlička Cc: Johannes Berg Signed-off-by: Chun-Yi Lee Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit 4a349aa0c074ad2c46a6d2a1d3500da7ae300c4d Author: Alexander Strakh Date: Tue Jan 25 18:00:13 2011 -0300 drivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt commit a07500ef690fcbec76e879ee2093d7ca69883825 upstream. Error path in file drivers/media/video/tlg2300/pd-video.c: 1. First mutex_unlock on &pd->lock in line 767 (in function that called from line 805) 2. Second in line 806 805 pd_vidioc_s_fmt(pd, &f->fmt.pix); 806 mutex_unlock(&pd->lock); Found by Linux Device Drivers Verification Project Signed-off-by: Alexander Strakh Acked-by: Huang Shijie Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 42f9f8d3b8952cff082276a7e3f21e071113384e Author: Dan Rosenberg Date: Wed Mar 23 10:53:41 2011 -0400 sound/oss: remove offset from load_patch callbacks commit b769f49463711205d57286e64cf535ed4daf59e9 upstream. Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of uninitialized value, and signedness issue The offset passed to midi_synth_load_patch() can be essentially arbitrary. If it's greater than the header length, this will result in a copy_from_user(dst, src, negative_val). While this will just return -EFAULT on x86, on other architectures this may cause memory corruption. Additionally, the length field of the sysex_info structure may not be initialized prior to its use. Finally, a signed comparison may result in an unintentionally large loop. On suggestion by Takashi Iwai, version two removes the offset argument from the load_patch callbacks entirely, which also resolves similar issues in opl3. Compile tested only. v3 adjusts comments and hopefully gets copy offsets right. 
Signed-off-by: Dan Rosenberg Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7f96f975d3419d9155be5c82c6a1eac2f840b761 Author: David Sterba Date: Mon Apr 4 15:21:02 2011 +0200 netfilter: h323: bug in parsing of ASN1 SEQOF field commit b4232a22776aa5d063f890d21ca69870dbbe431b upstream. Static analyzer of clang found a dead store which appears to be a bug in reading count of items in SEQOF field, only the lower byte of word is stored. This may lead to corrupted read and communication shutdown. The bug has been in the module since it's first inclusion into linux kernel. [Patrick: the bug is real, but without practical consequence since the largest amount of sequence-of members we parse is 30.] Signed-off-by: David Sterba Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 0fc073e4b3b2cd9f5770190e585349adf9743ee3 Author: Vasiliy Kulikov Date: Thu Mar 17 01:40:10 2011 +0000 econet: 4 byte infoleak to the network commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream. struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: Vasiliy Kulikov Acked-by: Phil Blundell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 182016ec35485381efc0566d88a51d0942fb354d Author: Vasiliy Kulikov Date: Tue Mar 22 16:30:19 2011 -0700 drivers/leds/leds-lp5521.c: world-writable sysfs engine* files commit 67d1da79b25c05d9a38b820bb5b5d89c91070ab2 upstream. Don't allow everybody to change LED settings. 
Signed-off-by: Vasiliy Kulikov Cc: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 42fa7c8b992022e7f96bb2e027bf36000038a439 Author: Vasiliy Kulikov Date: Tue Mar 22 16:30:20 2011 -0700 drivers/leds/leds-lp5523.c: world-writable engine* sysfs files commit ccd7510fd8dea5b4b2af87fb2aef2ebd6b23b76b upstream. Don't allow everybody to change LED settings. Signed-off-by: Vasiliy Kulikov Cc: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 94e8a16b0f87528287f0ed68ca7f1855ac621bfb Author: Vasiliy Kulikov Date: Tue Mar 22 16:34:01 2011 -0700 drivers/misc/ep93xx_pwm.c: world-writable sysfs files commit deb187e72470b0382d4f0cb859e76e1ebc3a1082 upstream. Don't allow everybody to change device settings. Signed-off-by: Vasiliy Kulikov Acked-by: Hartley Sweeten Cc: Matthieu Crapet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 89371f01f085a0c9977417085427f080564f7b08 Author: Vasiliy Kulikov Date: Tue Mar 22 16:34:53 2011 -0700 drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file commit 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 upstream. Don't allow everybogy to write to NVRAM. Signed-off-by: Vasiliy Kulikov Cc: Andy Sharp Cc: Alessandro Zummo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3e9b1b39e0a6a7bb012f2b7b4a7e7ae91bcf90ac Author: Vasiliy Kulikov Date: Fri Feb 4 15:23:36 2011 +0300 mfd: ab3100: world-writable debugfs *_priv files commit f8a0697722d12a201588225999cfc8bfcbc82781 upstream. Don't allow everybody to change device hardware registers. 
Signed-off-by: Vasiliy Kulikov Acked-by: Linus Walleij Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 75cdaf7725a40c9b62fdf7d300a47e9e024a09c1 Author: Vasiliy Kulikov Date: Fri Feb 4 15:23:39 2011 +0300 mfd: ab3500: world-writable debugfs register-* files commit 90c861c2a83d974684974441093ff8a50e6b430b upstream. Don't allow everybody to interact with hardware registers. Signed-off-by: Vasiliy Kulikov Acked-by: Linus Walleij Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 33295acabad896b34fdbcbe01b00394f80ee9768 Author: Vasiliy Kulikov Date: Fri Feb 4 15:23:43 2011 +0300 mfd: ab8500: world-writable debugfs register-* files commit 44bdcb54df2714da18c4a0c6f711a350ab4ed93c upstream. Don't allow everybody to interact with hardware registers. Signed-off-by: Vasiliy Kulikov Acked-by: Linus Walleij Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 5b9cd5191326733d0d8d2377d7fbd8981a40f343 Author: Vasiliy Kulikov Date: Fri Feb 4 15:24:14 2011 +0300 scsi_transport_iscsi: make priv_sess file writeable only by root commit 523f3c80bc41d663d5b35c0cd6ce0fad7f3e7188 upstream. Signed-off-by: Vasiliy Kulikov Acked-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 7a25e7511718fa16f65ff783d65f7f42fca823e6 Author: Vasiliy Kulikov Date: Tue Mar 15 13:37:13 2011 +0100 ipv6: netfilter: ip6_tables: fix infoleak to userspace commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream. Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second was introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). 
To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by: Vasiliy Kulikov Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 5e8ba35db5884f7e3449eba28886a8f10c7e911e Author: Vasiliy Kulikov Date: Sun Mar 20 15:42:52 2011 +0100 netfilter: ipt_CLUSTERIP: fix buffer overflow commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream. 'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes. It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user. Signed-off-by: Vasiliy Kulikov Acked-by: Changli Gao Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit a988a0f40682cd871e3f5ad61fc779e5c7d36f5e Author: Vasiliy Kulikov Date: Tue Mar 15 13:35:21 2011 +0100 netfilter: arp_tables: fix infoleak to userspace commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream. Structures ipt_replace, compat_ipt_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second is introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by: Vasiliy Kulikov Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 53a080a724fd79d44132cc6e2f08246021503622 Author: Eric Dumazet Date: Sun Mar 20 15:40:06 2011 +0100 netfilter: xtables: fix reentrancy commit db856674ac69e31946e56085239757cca3f7655f upstream. 
commit f3c5c1bfd4308 (make ip_tables reentrant) introduced a race in handling the stackptr restore, at the end of ipt_do_table() We should do it before the call to xt_info_rdunlock_bh(), or we allow cpu preemption and another cpu overwrites stackptr of original one. A second fix is to change the underflow test to check the origptr value instead of 0 to detect underflow, or else we allow a jump from different hooks. Signed-off-by: Eric Dumazet Cc: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit ebb12d3d3feb70061157ec5f71d7366f7b6e6dd9 Author: Vasiliy Kulikov Date: Tue Mar 15 13:36:05 2011 +0100 netfilter: ip_tables: fix infoleak to userspace commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream. Structures ipt_replace, compat_ipt_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first and the third bugs were introduced before the git epoch; the second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by: Vasiliy Kulikov Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit fc50df845604fa6802b693fda447f598e23e12c2 Author: Peter Huewe Date: Tue Mar 29 13:31:25 2011 +0200 char/tpm: Fix unitialized usage of data buffer commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream. This patch fixes information leakage to the userspace by initializing the data buffer to zero. Reported-by: Peter Huewe Signed-off-by: Peter Huewe Signed-off-by: Marcel Selhorst [ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way deeper problems than a simple multiplication can fix. 
- Linus ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b8b602b32fb7533406880478b3872d1e1c6911dc Author: Goldwyn Rodrigues Date: Thu Feb 17 09:44:40 2011 -0600 Treat writes as new when holes span across page boundaries commit 272b62c1f0f6f742046e45b50b6fec98860208a0 upstream. When a hole spans across page boundaries, the next write forces a read of the block. This could end up reading existing garbage data from the disk in ocfs2_map_page_blocks. This leads to non-zero holes. In order to avoid this, mark the writes as new when the holes span across page boundaries. Signed-off-by: Goldwyn Rodrigues Signed-off-by: jlbec Signed-off-by: Greg Kroah-Hartman commit b2d10ef61c4f466e6f117045358cb48675d49734 Author: Marc-Antoine Perennou Date: Thu Mar 24 14:51:21 2011 -0300 Bluetooth: add support for Apple MacBook Pro 8,2 commit 63a8588debd4dc72becb9e27add9343c76301c7d upstream. Just adding the vendor details makes it work fine. Signed-off-by: Marc-Antoine Perennou Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman Tested-by: Grant Likely commit f4fc0e56a21f9b5c345965f49da91f330b7cf202 Author: Vasiliy Kulikov Date: Mon Feb 14 13:54:31 2011 +0300 Bluetooth: bnep: fix buffer overflow commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit 1d7b65a52f9bba3af57f1145e18fefff6a8df06a Author: Vasiliy Kulikov Date: Mon Feb 14 16:49:23 2011 +0100 bridge: netfilter: fix information leak commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. 
This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit a0ef5893ec7ae42f502993f6e4f6e60e6f941ce0 Author: Vasiliy Kulikov Date: Mon Feb 14 13:54:26 2011 +0300 Bluetooth: sco: fix information leak to userspace commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream. struct sco_conninfo has one padding byte in the end. Local variable cinfo of type sco_conninfo is copied to userspace with this uninizialized one byte, leading to old stack contents leak. Signed-off-by: Vasiliy Kulikov Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit c9c37ae7d59c7bebbc25f03161966e6ccf366430 Author: John W. Linville Date: Wed Mar 30 14:02:46 2011 -0400 b43: allocate receive buffers big enough for max frame len + offset commit c85ce65ecac078ab1a1835c87c4a6319cf74660a upstream. Otherwise, skb_put inside of dma_rx can fail... https://bugzilla.kernel.org/show_bug.cgi?id=32042 Signed-off-by: John W. Linville Acked-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit bb03f46aa73a6231fa8bcabe419c654300c098da Author: Randy Dunlap Date: Sun Feb 27 14:51:54 2011 -0300 media/radio/wl1273: fix build errors commit 1b149bbe9156d2eb2afd5a072bd61ad0d4bfaca7 upstream. RADIO_WL1273 needs to make sure that the mfd core is built to avoid build errors: ERROR: "mfd_add_devices" [drivers/mfd/wl1273-core.ko] undefined! ERROR: "mfd_remove_devices" [drivers/mfd/wl1273-core.ko] undefined! 
Signed-off-by: Randy Dunlap Cc: Matti Aaltonen Signed-off-by: Mauro Carvalho Chehab Cc: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 1ff9aebbec267d7a877988df6ced21b95966dda8 Author: Luciano Coelho Date: Fri Apr 1 19:42:02 2011 +0300 wl12xx: fix potential buffer overflow in testmode nvs push commit 09b661b33268698d3b453dceb78cda129ad899b4 upstream. We were allocating the size of the NVS file struct and not checking whether the length of the buffer passed was correct before copying it into the allocated memory. This is a security hole because buffer overflows can occur if the userspace passes a bigger file than what is expected. With this patch, we check if the size of the data passed from userspace matches the size required. This bug was introduced in 2.6.36. Reported-by: Ido Yariv Signed-off-by: Luciano Coelho Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit dd3e5dee2c55cbb4f8afc54def21554e3e6b48f1 Author: Stanislaw Gruszka Date: Mon Apr 4 13:50:32 2011 +0200 rt2x00: fix cancelling uninitialized work commit 37f4ee0b6b39640828dac5937a482c20e8ac794f upstream. {rx,tx}done_work's are only initialized for usb devices. Signed-off-by: Stanislaw Gruszka Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d6cdf976903232d385274ffa4bbfac182b3991d6 Author: RA-Jay Hung Date: Mon Jan 10 11:27:43 2011 +0100 rt2x00: Fix radio off hang issue for PCIE interface commit 7f6e144fb99a4a70d3c5ad5f074204c5b89a6f65 upstream. PCI/PCIE radio off behavior is different from SOC/USB. They mainly use MCU command to disable DMA, TX/RX and enter power saving mode. Signed-off-by: RA-Jay Hung Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Stanislaw Gruszka Signed-off-by: Greg Kroah-Hartman commit 4f1c3d9ebf87c2f937824624dff7478c2923a2b6 Author: Christian Lamparter Date: Sat Apr 2 11:31:29 2011 +0200 p54usb: IDs for two new devices commit 220107610c7c2c9703e09eb363e8ab31025b9315 upstream. 
Reported-by: Mark Davis [via p54/devices wiki] Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 23ca28c48d8e5339a8be4d136a8ba2ec94aa841f Author: John W. Linville Date: Mon Apr 4 13:18:44 2011 -0400 iwlwifi: accept EEPROM version 0x423 for iwl6000 commit 3d7dc7e8c1566acb0fc55df228b2ed91f5638e9d upstream. A number of these devices have appeared "in the wild", and apparently the Windows driver is perfectly happy to support this EEPROM version. Signed-off-by: John W. Linville Acked-by: Wey-Yi Guy Signed-off-by: Greg Kroah-Hartman commit 1a3a01f9b2aa34ee33f9872e1a3e19debae5b98d Author: Trond Myklebust Date: Wed Apr 6 10:13:32 2011 -0700 Revert "net/sunrpc: Use static const char arrays" commit 0867659fa3c245bf203d837a82e0f6ea5079c2c5 upstream. This reverts commit 411b5e05617593efebc06241dbc56f42150f2abe. Olga Kornievskaia reports: Problem: linux client mounting linux server using rc4-hmac-md5 enctype. gssd fails with create a context after receiving a reply from the server. Diagnose: putting printout statements in the server kernel and kerberos libraries revealed that client and server derived different integrity keys. Server kernel code was at fault due the the commit [aglo@skydive linux-pnfs]$ git show 411b5e05617593efebc06241dbc56f42150f2abe Trond: The problem is that since it relies on virt_to_page(), you cannot call sg_set_buf() for data in the const section. Reported-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 3fe6bb7272a1f409098795f65c1d0ab562cdcd9c Author: Linus Torvalds Date: Thu Apr 7 07:35:50 2011 -0700 mm: avoid wrapping vm_pgoff in mremap() commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream. The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. 
Noticed by Robert Swiecki when running a system call fuzzer, where it caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A vma dumping patch by Hugh then pinpointed the crazy wrapped case. Reported-and-tested-by: Robert Swiecki Acked-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3f9346cf211cdb10f053d7cb9752f7fd6723e16b Author: Jan Kara Date: Thu Mar 31 18:36:52 2011 +0200 quota: Don't write quota info in dquot_commit() commit b03f24567ce7caf2420b8be4c6eb74c191d59a91 upstream. There's no reason to write quota info in dquot_commit(). The writing is a relict from the old days when we didn't have dquot_acquire() and dquot_release() and thus dquot_commit() could have created / removed quota structures from the file. These days dquot_commit() only updates usage counters / limits in quota structure and thus there's no need to write quota info. This also fixes an issue with journaling filesystem which didn't reserve enough space in the transaction for write of quota info (it could have been dirty at the time of dquot_commit() because of a race with other operation changing it). Reported-and-tested-by: Lukas Czerner Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 0b23e6b9d92cd5f7faa1450cbd41bad5dce4d207 Author: Artem Bityutskiy Date: Mon Apr 4 17:16:39 2011 +0300 UBIFS: fix debugging failure in dbg_check_space_info commit 7da6443aca9be29c6948dcbd636ad50154d0bc0c upstream. This patch fixes a debugging failure with which looks like this: UBIFS error (pid 32313): dbg_check_space_info: free space changed from 6019344 to 6022654 The reason for this failure is described in the comment this patch adds to the code. But in short - 'c->freeable_cnt' may be different before and after re-mounting, and this is normal. So the debugging code should make sure that free space calculations do not depend on 'c->freeable_cnt'. 
A similar issue has been reported here: http://lists.infradead.org/pipermail/linux-mtd/2011-April/034647.html This patch should fix it. For the -stable guys: this patch is only relevant for kernels 2.6.30 onwards. Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit e808fb3d4947fcd6046b462bdc19721a25f26069 Author: Artem Bityutskiy Date: Fri Mar 25 19:09:54 2011 +0200 UBIFS: fix oops on error path in read_pnode commit 54acbaaa523ca0bd284a18f67ad213c379679e86 upstream. Thanks to coverity which spotted that UBIFS will oops if 'kmalloc()' in 'read_pnode()' fails and we dereference a NULL 'pnode' pointer when we 'goto out'. Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 623ec9f6000b2f61bae3a4b31181ac7258569a55 Author: Artem Bityutskiy Date: Fri Mar 25 18:33:57 2011 +0200 UBIFS: do not read flash unnecessarily commit 8b229c76765816796eec7ccd428f03bd8de8b525 upstream. This fix makes the 'dbg_check_old_index()' function return immediately if debugging is disabled, instead of executing incorrect 'goto out' which causes UBIFS to: 1. Allocate memory 2. Read the flash On every commit. OK, we do not commit that often, but it is still silly to do unneeded I/O anyway. Credits to coverity for spotting this silly issue. Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 49e6fc727d1621fc084df4dd7f53dec7a2448f9a Author: Michael Hennerich Date: Mon Mar 21 16:44:38 2011 +0100 staging: IIO: IMU: ADIS16400: Make sure only enabled scan_elements are pushed into the ring commit 0fea4d6192cb82789e28905240d3c1dac6529c7c upstream. Signed-off-by: Michael Hennerich Acked-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0937eb5be5088bc38dba4ccf01b2218029637918 Author: Michael Hennerich Date: Mon Mar 21 16:44:37 2011 +0100 staging: IIO: IMU: ADIS16400: Fix addresses of GYRO and ACCEL calibration offset commit b181119723d62b19904e1f12e467e996631c5a29 upstream. 
Signed-off-by: Michael Hennerich
Acked-by: Jonathan Cameron
Signed-off-by: Greg Kroah-Hartman

commit 5731ed538d85a166ad1547f920efc49386239205
Author: Michael Hennerich
Date: Mon Mar 21 16:44:36 2011 +0100

staging: IIO: IMU: ADIS16400: Add delay after self test

commit c59c95ce6ace6d256401fc3a3648a95375ef4e63 upstream.

Add delay after self test to satisfy timing requirements. Increase start-up delay.

Signed-off-by: Michael Hennerich
Acked-by: Jonathan Cameron
Signed-off-by: Greg Kroah-Hartman

commit 896b07961ed8c48bfa3431db8ee101e4486a41dc
Author: Michael Hennerich
Date: Mon Mar 21 16:44:35 2011 +0100

staging: IIO: IMU: ADIS16400: Fix up SPI messages cs_change behavior

commit fc5b85b0ad1f9da948e4d683710081a9bda357cb upstream.

cs_change must not be set in the last transfer of a spi message

Signed-off-by: Michael Hennerich
Acked-by: Jonathan Cameron
Signed-off-by: Greg Kroah-Hartman

commit fbb739ca1d3b734687c06f7eea0e25df2c18d876
Author: Felix Fietkau
Date: Fri Mar 25 15:30:38 2011 +0100

mac80211: fix a crash in minstrel_ht in HT mode with no supported MCS rates

commit 4dc217df68a17a57f8464c74c1b4785e40bddf77 upstream.

When a client connects in HT mode but does not provide any valid MCS rates, the function that finds the next sample rate gets stuck in an infinite loop. Fix this by falling back to legacy rates if no usable MCS rates are found.

Signed-off-by: Felix Fietkau
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman

commit d0325b60bff25923b488313f2ef10d88050bd67e
Author: Felix Fietkau
Date: Fri Mar 25 17:43:41 2011 +0100

ath9k: fix a chip wakeup related crash in ath9k_start

commit f62d816fc4324afbb7cf90110c70b6a14139b225 upstream.

When the chip is still asleep when ath9k_start is called, ath9k_hw_configpcipowersave can trigger a data bus error.

Signed-off-by: Felix Fietkau
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman

commit b544388a92e32a0f8a2a1cccc70fcf455b92fb5d
Author: Jan Beulich
Date: Thu Mar 31 00:01:58 2011 -0700

Input: synaptics - fix crash in synaptics_module_init()

commit 708748670c7c6dd5bd3b141473086e6937e72737 upstream.

'struct dmi_system_id' arrays must always have a terminator to keep dmi_check_system() from looking at data (and possibly crashing) it isn't supposed to look at.

The issue went unnoticed until ef8313bb1a22e7d2125d9d758aa8a81f1de91d81, but was introduced about a year earlier with 7705d548cbe33f18ea7713b9a07aa11047aaeca4 (which also similarly changed lifebook.c, but the problem there got eliminated shortly afterwards).

The first hunk therefore is a stable candidate back to 2.6.33, while the full change is needed only on 2.6.38.

Signed-off-by: Jan Beulich
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman

commit a41fc5e39b21e83d9dc01ef3e0f02b8434c3d823
Author: Suresh Siddha
Date: Tue Mar 29 15:38:12 2011 -0700

x86, mtrr, pat: Fix one cpu getting out of sync during resume

commit 84ac7cdbdd0f04df6b96153f7a79127fd6e45467 upstream.

On laptops with core i5/i7, there were reports that after resume graphics workloads were performing poorly on a specific AP, while the other cpu's were ok. This was observed on a 32bit kernel specifically.

Debug showed that the PAT init was not happening on that AP during resume and hence it contributing to the poor workload performance on that cpu.

On this system, resume flow looked like this:

1. BP starts the resume sequence and we reinit BP's MTRR's/PAT early on using mtrr_bp_restore()
2. Resume sequence brings all AP's online
3. Resume sequence now kicks off the MTRR reinit on all the AP's.
4. For some reason, between point 2 and 3, we moved from BP to one of the AP's. My guess is that printk() during resume sequence is contributing to this. We don't see similar behavior with the 64bit kernel but there is no guarantee that at this point the remaining resume sequence (after AP's bringup) has to happen on BP.
5. set_mtrr() was assuming that we are still on BP and skipped the MTRR/PAT init on that cpu (because of 1 above)
6. But we were on an AP and this led to not reprogramming PAT on this cpu leading to bad performance.

Fix this by doing unconditional mtrr_if->set_all() in set_mtrr() during MTRR/PAT init. This might be unnecessary if we are still running on BP. But it is of no harm and will guarantee that after resume, all the cpu's will be in sync with respect to the MTRR/PAT registers.

Signed-off-by: Suresh Siddha
LKML-Reference: <1301438292-28370-1-git-send-email-eric@anholt.net>
Signed-off-by: Eric Anholt
Tested-by: Keith Packard
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman

commit f54f2ff7105d2d931c638009bae3ba4d03d33b01
Author: Li Zefan
Date: Mon Mar 28 02:01:25 2011 +0000

Btrfs: Fix uninitialized root flags for subvolumes

commit 08fe4db170b4193603d9d31f40ebaf652d07ac9c upstream.

root_item->flags and root_item->byte_limit are not initialized when a subvolume is created. This bug is not revealed until we added readonly snapshot support - now you mount a btrfs filesystem and you may find the subvolumes in it are readonly.

To work around this problem, we steal a bit from root_item->inode_item->flags, and use it to indicate if those fields have been properly initialized. When we read a tree root from disk, we check if the bit is set, and if not we'll set the flag and initialize the two fields of the root item.

Reported-by: Andreas Philipp
Signed-off-by: Li Zefan
Tested-by: Andreas Philipp
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman

commit 1ffe8eb4c593f56a60880e3929be66ee15d3622c
Author: Dan Rosenberg
Date: Sat Mar 19 20:43:43 2011 +0000

ROSE: prevent heap corruption with bad facilities

commit be20250c13f88375345ad99950190685eda51eb8 upstream.
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array. Abort facilities parsing on these invalid length values.

Signed-off-by: Dan Rosenberg
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit f8e3c0bb58a569babfb8d72e7e0655686dbcbab1
Author: Frederic Weisbecker
Date: Thu Mar 31 03:33:29 2011 +0200

perf: Rebase max unprivileged mlock threshold on top of page size

commit 20443384fe090c5f8aeb016e7e85659c5bbdd69f upstream.

Ensure we allow 512 kiB + 1 page for user control without assuming a 4096 bytes page size.

Reported-by: Peter Zijlstra
Signed-off-by: Frederic Weisbecker
Signed-off-by: Peter Zijlstra
Cc: Arnaldo Carvalho de Melo
Cc: Paul Mackerras
Cc: Stephane Eranian
LKML-Reference: <1301535209-9679-1-git-send-email-fweisbec@gmail.com>
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit 80b9edca1c11ec8118ab30451af9c1d492770c90
Author: Peter Zijlstra
Date: Mon Mar 28 13:13:56 2011 +0200

perf: Fix task_struct reference leak

commit fd1edb3aa2c1d92618d8f0c6d15d44ea41fcac6a upstream.

sys_perf_event_open() had an imbalance in the number of task refs it took causing memory leakage

Cc: Jiri Olsa
Cc: Oleg Nesterov
Signed-off-by: Peter Zijlstra
LKML-Reference:
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit c43194250ee8bb20e2d6d1edba9553842a21679c
Author: Chase Douglas
Date: Fri Apr 1 17:03:39 2011 -0400

HID: hid-magicmouse: Increase evdev buffer size

commit cc5e0f08ca2a66fc4c6984ccff74fd529e969fac upstream.
The evdev buffer isn't big enough when you get many fingers on the device. Bump up the buffer to a reasonable size, matching what other multitouch devices use. Without this change, events may be discarded in the evdev buffer before they are read.

Reported-by: Simon Budig
Cc: Henrik Rydberg
Cc: Jiri Kosina
Signed-off-by: Chase Douglas
Acked-by: Henrik Rydberg
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman

commit 91d6c1f8a77a4efec2543de434a924fdc3e6f5e1
Author: Eric Paris
Date: Tue Apr 5 17:20:50 2011 -0400

inotify: fix double free/corruption of stuct user

commit d0de4dc584ec6aa3b26fffea320a8457827768fc upstream.

On an error path in inotify_init1 a normal user can trigger a double free of struct user. This is a regression introduced by a2ae4cc9a16e ("inotify: stop kernel memory leak on file creation failure").

We fix this by making sure that if a group exists the user reference is dropped when the group is cleaned up. We should not explicitly drop the reference on error and also drop the reference when the group is cleaned up.

The new lifetime rules are that an inotify group lives from inotify_new_group to the last fsnotify_put_group. Since the struct user and inotify_devs are directly tied to this lifetime they are only changed/updated in those two locations. We get rid of all special casing of struct user or user->inotify_devs.

Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 8c00d8c60ad1c0221d47122f46ba0266add6ba84
Author: John Lindgren
Date: Thu Mar 24 23:28:31 2011 +0000

drm/radeon/kms: add some sanity checks to obj info record parsingi (v2)

commit 97ea530f6fac1f9632b0c4792a2a56411454adbe upstream.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=35502

agd5f: also add sanity check to connector records.

v2: fix one more case.
Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman

commit e64b5314d770cb43ac1aa8c5f1c423f992c804e1
Author: Alex Deucher
Date: Mon Apr 4 11:03:16 2011 -0400

drm/radeon/kms: add some new ontario pci ids

commit 758f231ea280d0e5f01d537f26ad8f5c0e3de1cc upstream.

Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman

commit 95bd481686a4848a902a340c4b4b1673cf97092f
Author: Stanislaw Gruszka
Date: Tue Mar 22 23:54:49 2011 +0000

net: fix ethtool->set_flags not intended -EINVAL return value

commit 673e63c688f43104c73aad8ea4237f7ad41fa14d upstream.

After commit d5dbda23804156ae6f35025ade5307a49d1db6d7 "ethtool: Add support for vlan accleration.", drivers that have NETIF_F_HW_VLAN_TX, and/or NETIF_F_HW_VLAN_RX feature, but do not allow enable/disable vlan acceleration via ethtool set_flags, always return -EINVAL from that function. Fix by returning -EINVAL only if requested features do not match current settings and can not be changed by driver.

Change any driver that defines ethtool->set_flags to use ethtool_invalid_flags() to avoid similar problems in the future (also on drivers that do not have the problem).

Tested with modified (to reproduce this bug) myri10ge driver.

Signed-off-by: Stanislaw Gruszka
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 2743bc470c3a9c5f0bfdc085d6ed7b716865bc00
Author: David Henningsson
Date: Thu Apr 7 11:43:00 2011 +0200

ALSA: HDA: Fix single internal mic on ALC275 (Sony Vaio VPCSB1C5E)

commit 262ac22d21ee2bf3e1655b2e5e45cc94b356e62f upstream.

In cases where there is only one internal mic connected to ADC 0x11, alc275_setup_dual_adc won't handle the case, so we need to add the ADC node to the array of candidates.
BugLink: http://bugs.launchpad.net/bugs/752792
Reported-by: Vincenzo Pii
Signed-off-by: David Henningsson
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 2e6de29f28f83051b83856237e331f6552f1276b
Author: Aaron Plattner
Date: Wed Apr 6 17:19:04 2011 -0700

ALSA: hda - HDMI: Fix MCP7x audio infoframe checksums

commit 1f348522844bb1f6e7b10d50b9e8aa89a2511b09 upstream.

The MCP7x hardware computes the audio infoframe channel count automatically, but requires the audio driver to set the audio infoframe checksum manually via the Nv_VERB_SET_Info_Frame_Checksum control verb.

When audio starts playing, nvhdmi_8ch_7x_pcm_prepare sets the checksum to (0x71 - chan - chanmask). For example, for 2ch audio, chan == 1 and chanmask == 0 so the checksum is set to 0x70. When audio playback finishes and the device is closed, nvhdmi_8ch_7x_pcm_close resets the channel formats, causing the channel count to revert to 8ch. Since the checksum is not reset, the hardware starts generating audio infoframes with invalid checksums. This causes some displays to blank the video.

Fix this by updating the checksum and channel mask when the device is closed and also when it is first initialized. In addition, make sure that the channel mask is appropriate for an 8ch infoframe by setting it to 0x13 (FL FR LFE FC RL RR RLC RRC).

Signed-off-by: Aaron Plattner
Acked-by: Stephen Warren
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 9fd832d903aa50c9386bd208f62262387d419e87
Author: David Henningsson
Date: Tue Apr 5 07:55:24 2011 +0200

ALSA: HDA: Fix dock mic for Lenovo X220-tablet

commit b2cb1292b1c7c73abbdc0e07ef3aab056fc2615f upstream.

Without the "thinkpad" quirk, the dock mic in Lenovo X220 tablet edition won't work.
BugLink: http://bugs.launchpad.net/bugs/751033
Tested-by: James Ferguson
Signed-off-by: David Henningsson
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 8cb2913bdc74f4a53c11455a2024bf9dbb699cb1
Author: David Henningsson
Date: Thu Mar 31 09:36:19 2011 +0200

ALSA: HDA: Add dock mic quirk for Lenovo Thinkpad X220

commit 840126579da56edae8ecc4a0d85198f742982f10 upstream.

This quirk is needed for the docking station mic of Lenovo Thinkpad X220 to function correctly.

BugLink: http://bugs.launchpad.net/bugs/746259
Tested-by: James Ferguson
Signed-off-by: David Henningsson
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 254e648fde86796dd76175133448d9c0470e57ab
Author: Kelly Anderson
Date: Fri Apr 1 11:58:25 2011 +0200

ALSA: pcm: fix infinite loop in snd_pcm_update_hw_ptr0()

commit 12ff414e2e4512f59fe191dc18e856e2939a1c79 upstream.

When period interrupts are disabled, snd_pcm_update_hw_ptr0() compares the current time against the time estimated for the current hardware pointer to detect xruns. The somewhat fuzzy threshold in the while loop makes it possible that hdelta becomes negative; the comparison being done with unsigned types then makes the loop go through the entire 263 negative range, and, depending on the value, never reach an unsigned value that is small enough to stop the loop. Doing this with interrupts disabled results in the machine locking up.

To prevent this, ensure that the loop condition uses signed types for both operands so that the comparison is correctly done.

Many thanks to Kelly Anderson for debugging this.

Reported-by: Nix
Reported-by: "Christopher K."
Reported-and-tested-by: Kelly Anderson
Signed-off-by: Kelly Anderson
[cl: remove unneeded casts; use a temp variable]
Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 4454ec7e0b90ab5b26d9d9dcd7a025a40bfa7c1d
Author: Clemens Ladisch
Date: Wed Mar 30 08:24:25 2011 +0200

ALSA: ens1371: fix Creative Ectiva support

commit 6ebb8a4a43e34f999ab36f27f972f3cd751cda4f upstream.

To make the EV1938 chip work, add a magic bit and an extra delay.

Signed-off-by: Clemens Ladisch
Tested-by: Tino Schmidt
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 1fa9ba2832bd843ecc4a155896fadc836178e799
Author: Mark Brown
Date: Sun Mar 27 14:40:01 2011 +0100

ASoC: Fix CODEC device name for Corgi

commit 326b9bdc2a0e4d556a0f444085dca103bcd505de upstream.

Got typoed in the multi-component changes.

Signed-off-by: Mark Brown
Acked-by: Liam Girdwood
Signed-off-by: Greg Kroah-Hartman

commit e34910dd0fcf32e9a0e5ff6f3249910cff4c06d8
Author: Wolfram Sang
Date: Fri Mar 25 16:51:45 2011 +0100

ASoC: imx: fix burstsize for DMA

commit e1bb31b444668bc957c337d33803db7cb3330745 upstream.

SSI counts in words, the DMA engine in bytes. (Wrong) factor got removed in bf974a0 (ASoC i.MX: switch to new DMA api).

Signed-off-by: Wolfram Sang
Acked-by: Liam Girdwood
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit ad5d054f79f20dfaecf23322783e652eee303d98
Author: Wolfram Sang
Date: Fri Mar 25 16:51:44 2011 +0100

ASoC: imx: set watermarks for mx2-dma

commit 2c4cf17a52f04fbe929977252d5b8ab81d2c6e9b upstream.

They got accidentally removed by f0fba2a (ASoC: multi-component - ASoC Multi-Component Support). Reintroduce them and get rid of the superfluous defines because the fiq-driver has its own hardcoded values.
Signed-off-by: Wolfram Sang
Acked-by: Liam Girdwood
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit e70216d4a904397fb6885f633ca4ec7fc887f337
Author: Mark Brown
Date: Wed Mar 23 20:45:40 2011 +0000

ASoC: Explicitly say registerless widgets have no register

commit 0ca03cd7d0fa3bfbd56958136a10f19733c4ce12 upstream.

This stops code that handles widgets generically from attempting to access registers for these widgets.

Signed-off-by: Mark Brown
Acked-by: Liam Girdwood
Signed-off-by: Greg Kroah-Hartman

commit 78df5839e68ea51a460b6ab7c266049c583014dc
Author: Ryusuke Konishi
Date: Sun Mar 27 22:50:49 2011 +0900

nilfs2: fix data loss in mmap page write for hole blocks

commit 34094537943113467faee98fe67c8a3d3f9a0a8b upstream.

From the result of a function test of mmap, mmap write to shared pages turned out to be broken for hole blocks. It doesn't write out filled blocks and the data will be lost after umount. This is due to a bug that the target file is not queued for log writer when filling hole blocks.

Also, nilfs_page_mkwrite function exits normal code path even after successfully filled hole blocks due to a change of block_page_mkwrite function; just after nilfs was merged into the mainline, block_page_mkwrite() started to return VM_FAULT_LOCKED instead of zero by the patch "mm: close page_mkwrite races" (commit: b827e496c893de0c). The current nilfs_page_mkwrite() is not handling this value properly.

This corrects nilfs_page_mkwrite() and will resolve the data loss problem in mmap write.

[This should be applied to every kernel since 2.6.30 but a fix is needed for 2.6.37 and prior kernels]

Signed-off-by: Ryusuke Konishi
Tested-by: Ryusuke Konishi
Signed-off-by: Greg Kroah-Hartman

commit 81dacc2d64030457bfd85ba901deb17a682e6196
Author: Anton Blanchard
Date: Sun Mar 20 15:28:03 2011 +0000

powerpc: Fix accounting of softirq time when idle

commit ad5d1c888e556bc00c4e86f452cad4a3a87d22c1 upstream.
commit cf9efce0ce31 (powerpc: Account time using timebase rather than PURR) used in_irq() to detect if the time was spent in interrupt processing. This only catches hardirq context so if we are in softirq context and in the idle loop we end up accounting it as idle time. If we instead use in_interrupt() we catch both softirq and hardirq time.

The issue was found when running a network intensive workload. top showed the following:

0.0%us, 1.1%sy, 0.0%ni, 85.7%id, 0.0%wa, 9.9%hi, 3.3%si, 0.0%st

85.7% idle. But this was wildly different to the perf events data. To confirm the suspicion I ran something to keep the core busy:

# yes > /dev/null &

8.2%us, 0.0%sy, 0.0%ni, 0.0%id, 0.0%wa, 10.3%hi, 81.4%si, 0.0%st

We only got 8.2% of the CPU for the userspace task and softirq has shot up to 81.4%.

With the patch below top shows the correct stats:

0.0%us, 0.0%sy, 0.0%ni, 5.3%id, 0.0%wa, 13.3%hi, 81.3%si, 0.0%st

Signed-off-by: Anton Blanchard
Signed-off-by: Benjamin Herrenschmidt
Signed-off-by: Greg Kroah-Hartman

commit f7b5886892a642bfdc39619a63794d17ec333896
Author: Dan Rosenberg
Date: Sat Mar 19 20:14:30 2011 +0000

irda: prevent heap corruption on invalid nickname

commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream.

Invalid nicknames containing only spaces will result in an underflow in a memcpy size calculation, subsequently destroying the heap and panicking.

v2 also catches the case where the provided nickname is longer than the buffer size, which can result in controllable heap corruption.

Signed-off-by: Dan Rosenberg
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit cfc637297be0a982188b60be83096b40dbf35070
Author: Dan Rosenberg
Date: Sun Mar 20 15:32:06 2011 +0000

irda: validate peer name and attribute lengths

commit d370af0ef7951188daeb15bae75db7ba57c67846 upstream.

Length fields provided by a peer for names and attributes may be longer than the destination array sizes. Validate lengths to prevent stack buffer overflows.
Signed-off-by: Dan Rosenberg
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 7910591c1c2663dd3f421f5a80fbd5c439af3aef
Author: Yinghai Lu
Date: Wed Mar 16 20:01:07 2011 -0700

watchdog: sp5100_tco.c: Check if firmware has set correct value in tcobase.

commit 90d241edd13bdeef70f264b569f7e150bf23621e upstream.

Stefano found SP5100 TCO watchdog driver using wrong address.

[ 9.148536] SP5100 TCO timer: SP5100 TCO WatchDog Timer Driver v0.01
[ 9.148628] DEBUG __ioremap_caller WARNING address=b8fe00 size=8 valid=1 reserved=1

and e820 said that range is RAM.

We should check if we can use that reading out. BIOS could just program wrong address there.

Reported-by: Stefano Stabellini
Signed-off-by: Yinghai Lu
Acked-by: Mike Waychison
Tested-by: Konrad Rzeszutek Wilk
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Greg Kroah-Hartman

commit 984814d5a002305f9f53ec8e8d3bbefc30a13583
Author: Julia Lawall
Date: Sat Feb 26 17:34:39 2011 +0100

watchdog: Convert release_resource to release_region/release_mem_region

commit f712eacf02ecfbf4f1686addb8c569841549b0b7 upstream.

Request_mem_region should be used with release_mem_region, not release_resource.

In pnx4008_wdt.c, a missing clk_put is added as well.

The semantic match that finds the first problem is as follows: (http://coccinelle.lip6.fr/)

//
@@
expression x,E;
@@
*x = request_mem_region(...)
... when != release_mem_region(x)
    when != x = E
* release_resource(x);
//

Signed-off-by: Julia Lawall
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Greg Kroah-Hartman

commit 665c7153a7d73d524ed6b4783c3bd8a521285a9b
Author: Julia Lawall
Date: Sat Feb 26 17:34:38 2011 +0100

watchdog: s3c2410_wdt.c: Convert release_resource to release_region/release_mem_region

commit f72401e94d159bc4b2beab51d74e956da2c32e0a upstream.

Request_mem_region should be used with release_mem_region, not release_resource.
The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)

//
@@
expression x,E;
@@
*x = request_mem_region(...)
... when != release_mem_region(x)
    when != x = E
* release_resource(x);
//

Signed-off-by: Julia Lawall
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Greg Kroah-Hartman

commit 53a624a9467771174585e85b4b6b3d7f23ec9526
Author: Borislav Petkov
Date: Tue Mar 29 18:10:53 2011 +0200

amd64_edac: Fix potential memleak

commit a9f0fbe2bbf328f869fc5ee5a12c6a4118c32689 upstream.

We check the pointers together but at least one of them could be invalid due to failed allocation. Since we cannot continue if either of the two allocations has failed, exit early by freeing them both.

Reported-by: Mauro Carvalho Chehab
Signed-off-by: Borislav Petkov
Signed-off-by: Greg Kroah-Hartman

commit 668c06b8508308dc98e2dcf644c340d3c15ef99c
Author: Dave Chinner
Date: Sat Mar 26 09:14:57 2011 +1100

xfs: register the inode cache shrinker before quotachecks

commit 704b2907c2d47ceb187c0e25a6bbc2174b198f2f upstream.

During mount, we can do a quotacheck that involves a bulkstat pass on all inodes. If there are more inodes in the filesystem than can be held in memory, we require the inode cache shrinker to run to ensure that we don't run out of memory.

Unfortunately, the inode cache shrinker is not registered until we get to the end of the superblock setup process, which is after a quotacheck is run if it is needed. Hence we need to register the inode cache shrinker earlier in the mount process so that we don't OOM during mount. This requires that we also initialise the syncd work before we register the shrinker, so we need to juggle that around as well.

While there, make sure that we have set up the block sizes in the VFS superblock correctly before the quotacheck is run so that any inodes that are cached as a result of the quotacheck have their block size fields set up correctly.
Signed-off-by: Dave Chinner
Reviewed-by: Alex Elder
Signed-off-by: Greg Kroah-Hartman

commit 76e61a187353bb6798284196b874938a8fbe3db9
Author: Roland Dreier
Date: Mon Mar 28 14:13:35 2011 -0700

Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream.

Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code") made the check on si_code too strict. There are several legitimate places where glibc wants to queue a negative si_code different from SI_QUEUE:

- This was first noticed with glibc's aio implementation, which wants to queue a signal with si_code SI_ASYNCIO; the current kernel causes glibc's tst-aio4 test to fail because rt_sigqueueinfo() fails with EPERM.
- Further examination of the glibc source shows that getaddrinfo_a() wants to use SI_ASYNCNL (which the kernel does not even define). The timer_create() fallback code wants to queue signals with SI_TIMER.

As suggested by Oleg Nesterov, loosen the check to forbid only the problematic SI_TKILL case.

Reported-by: Klaus Dittrich
Acked-by: Julien Tinnes
Signed-off-by: Roland Dreier
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 68abeb71d51d40b805cd3596cfc4f45105e57cad
Author: Haiyang Zhang
Date: Wed Apr 6 15:18:00 2011 -0700

staging: hv: Fix GARP not sent after Quick Migration

commit c996edcf1c451b81740abbcca5257ed7e353fcc6 upstream.

After Quick Migration, the network is not immediately operational in the current context when receiving RNDIS_STATUS_MEDIA_CONNECT event. So, I added another netif_notify_peers() into a scheduled work, otherwise GARP packet will not be sent after quick migration, and cause network disconnection.

Thanks to Mike Surcouf for reporting the bug and testing the patch.

Reported-by: Mike Surcouf
Tested-by: Mike Surcouf
Signed-off-by: Haiyang Zhang
Signed-off-by: Hank Janssen
Signed-off-by: Abhishek Kane
Signed-off-by: K. Y. Srinivasan
Signed-off-by: Greg Kroah-Hartman

commit 5fc41ed0596b18d0be02d046e2c989d6fc231f3b
Author: Olaf Hering
Date: Mon Mar 21 14:41:37 2011 +0100

staging: hv: use sync_bitops when interacting with the hypervisor

commit 22356585712d1ff08fbfed152edd8b386873b238 upstream.

Locking is required when tweaking bits located in a shared page, use the sync_ version of bitops. Without this change vmbus_on_event() will miss events and as a result, vmbus_isr() will not schedule the receive tasklet.

Signed-off-by: Olaf Hering
Acked-by: Haiyang Zhang
Acked-by: Hank Janssen
Signed-off-by: Greg Kroah-Hartman

commit 8974a58bc1263e537da05ec712496e47e4bb8be4
Author: Arjan Mels
Date: Tue Apr 5 20:26:59 2011 +0200

staging: usbip: bugfix for isochronous packets and optimization

commit 28276a28d8b3cd19f4449991faad4945fe557656 upstream.

For isochronous packets the actual_length is the sum of the actual length of each of the packets, however between the packets might be padding, so it is not sufficient to just send the first actual_length bytes of the buffer. To fix this and simultaneously optimize the bandwidth the content of the isochronous packets are sent without the padding, the padding is restored on the receiving end.

Signed-off-by: Arjan Mels
Cc: Takahiro Hirofuchi
Cc: Max Vozeler
Signed-off-by: Greg Kroah-Hartman

commit 5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a
Author: Arjan Mels
Date: Tue Apr 5 20:26:38 2011 +0200

staging: usbip: bugfix add number of packets for isochronous frames

commit 1325f85fa49f57df034869de430f7c302ae23109 upstream.

The number_of_packets was not transmitted for RET_SUBMIT packets. The linux client used the stored number_of_packet from the submitted request. The windows userland client does not do this however and needs to know the number_of_packets to determine the size of the transmission.
Signed-off-by: Arjan Mels
Cc: Takahiro Hirofuchi
Cc: Max Vozeler
Signed-off-by: Greg Kroah-Hartman

commit 723342c39003aa64889f8bd5255e7f876434ef7a
Author: Arjan Mels
Date: Tue Apr 5 20:26:11 2011 +0200

staging: usbip: bugfixes related to kthread conversion

commit d2dd0b07c3e725d386d20294ec906f7ddef207fa upstream.

When doing a usb port reset do a queued reset instead to prevent a deadlock: the reset will cause the driver to unbind, causing the usb_driver_lock_for_reset to stall.

Signed-off-by: Arjan Mels
Cc: Takahiro Hirofuchi
Cc: Max Vozeler
Cc: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman

commit 1dcbe29b9a9a0e8832a8d670487380d0581d657a
Author: Tadeusz Struk
Date: Sun Mar 13 16:56:17 2011 +0800

crypto: aesni-intel - fixed problem with packets that are not multiple of 64bytes

commit 60af520cf264ea26b2af3a6871bbd71850522aea upstream.

This patch fixes problem with packets that are not multiple of 64bytes.

Signed-off-by: Adrian Hoban
Signed-off-by: Aidan O'Mahony
Signed-off-by: Gabriele Paoloni
Signed-off-by: Tadeusz Struk
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

commit a0d088491fdbf655fde5b27a6a4d53f7495a8a11
Author: Roberto Sassu
Date: Thu Mar 17 12:48:50 2011 +0100

eCryptfs: ecryptfs_keyring_auth_tok_for_sig() bug fix

commit 1821df040ac3cd6a57518739f345da6d50ea9d3f upstream.

The pointer '(*auth_tok_key)' is set to NULL in case request_key() fails, in order to prevent its use by functions calling ecryptfs_keyring_auth_tok_for_sig().

Signed-off-by: Roberto Sassu
Signed-off-by: Tyler Hicks
Signed-off-by: Greg Kroah-Hartman

commit eb7ad98797ba117b37c07517793e836ac58f33c8
Author: Tyler Hicks
Date: Wed Mar 9 11:49:13 2011 -0600

eCryptfs: Unlock page in write_begin error path

commit 50f198ae16ac66508d4b8d5a40967a8507ad19ee upstream.

Unlock the page in error path of ecryptfs_write_begin(). This may happen, for example, if decryption fails while bringing the page up-to-date.
Signed-off-by: Tyler Hicks
Signed-off-by: Greg Kroah-Hartman

commit 2e8baeac894365899a6934987bf2dfc6a28d4dd6
Author: Rafael J. Wysocki
Date: Sat Mar 5 13:21:51 2011 +0100

PCI/ACPI: Report ASPM support to BIOS if not disabled from command line

commit 8b8bae901ce23addbdcdb54fa1696fb2d049feb5 upstream.

We need to distinguish the situation in which ASPM support is disabled from the command line or through .config from the situation in which it is disabled, because the hardware or BIOS can't handle it. In the former case we should not report ASPM support to the BIOS through ACPI _OSC, but in the latter case we should do that.

Introduce pcie_aspm_support_enabled() that can be used by acpi_pci_root_add() to determine whether or not it should report ASPM support to the BIOS through _OSC.

References: https://bugzilla.kernel.org/show_bug.cgi?id=29722
References: https://bugzilla.kernel.org/show_bug.cgi?id=20232
Reported-and-tested-by: Ortwin Glück
Reviewed-by: Kenji Kaneshige
Tested-by: Kenji Kaneshige
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Jesse Barnes
Signed-off-by: Greg Kroah-Hartman

commit c289b973f884ea230b38b7aa1878adc2c77a32f2
Author: Krishnasamy, Somasundaram
Date: Mon Feb 28 18:13:22 2011 -0500

ses: Avoid kernel panic when lun 0 is not mapped

commit d1e12de804f9d8ad114786ca7c2ce593cba79891 upstream.

During device discovery, scsi mid layer sends INQUIRY command to LUN 0. If the LUN 0 is not mapped to host, it creates a temporary scsi_device with LUN id 0 and sends REPORT_LUNS command to it. After the REPORT_LUNS succeeds, it walks through the LUN table and adds each LUN found to sysfs. At the end of REPORT_LUNS lun table scan, it will delete the temporary scsi_device of LUN 0.

When scsi devices are added to sysfs, it calls add_dev function of all the registered class interfaces. If ses driver has been registered, ses_intf_add() of ses module will be called. This function calls scsi_device_enclosure() to check the inquiry data for EncServ bit.
Since inquiry was not allocated for temporary LUN 0 scsi_device, it will cause NULL pointer exception.

To fix the problem, sdev->inquiry is checked for NULL before reading it.

Signed-off-by: Somasundaram Krishnasamy
Signed-off-by: Babu Moger
Signed-off-by: James Bottomley
Signed-off-by: Greg Kroah-Hartman

commit e7f208ebb98b445a92f0bbc2d420599671450f88
Author: John Hughes
Date: Wed Nov 4 19:01:22 2009 +0100

ses: show devices for enclosures with no page 7

commit 877a55979c189c590e819a61cbbe2b7947875f17 upstream.

enclosure page 7 gives us the "pretty" names of the enclosure slots. Without a page 7, we can still use the enclosure code as long as we make up numeric names for the slots. Unfortunately, the current code fails to add any devices because the check for page 10 is in the wrong place if we have no page 7. Fix it so that devices show up even if the enclosure has no page 7.

Signed-off-by: James Bottomley
Signed-off-by: Greg Kroah-Hartman

commit 523c503eab8faa13bdbdb4b21846a71c8dc92b69
Author: Felix Fietkau
Date: Mon Mar 21 20:01:00 2011 +0100

mac80211: initialize sta->last_rx in sta_info_alloc

commit 8bc8aecdc5e26cfda12dbd6867af4aa67836da6a upstream.

This field is used to determine the inactivity time. When in AP mode, hostapd uses it for kicking out inactive clients after a while. Without this patch, hostapd immediately deauthenticates a new client if it checks the inactivity time before the client sends its first data frame.

Signed-off-by: Felix Fietkau
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman

commit 2f74a0681817b04ebcad2068935807a9a554c3e8
Author: Dan Rosenberg
Date: Wed Mar 23 11:42:57 2011 -0400

sound/oss/opl3: validate voice and channel indexes

commit 4d00135a680727f6c3be78f8befaac009030e4df upstream.

User-controllable indexes for voice and channel values may cause reading and writing beyond the bounds of their respective arrays, leading to potentially exploitable memory corruption. Validate these indexes.
Signed-off-by: Dan Rosenberg
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit dd6809706f2e100ecd9afb5435bfed847c57f2e6
Author: Mohammed Shafi Shajakhan
Date: Mon Mar 21 18:27:21 2011 +0530

ath9k: Fix kernel panic in AR2427

commit 61e1b0b00c793ad5a32fe2181c9f77115fed5dc4 upstream.

Kernel panic occurs just after AR2427 establishes connection with AP. Unless aggregation is enabled we don't initialize the TID structure. Thus accessing the elements of the TID structure when aggregation is disabled, leads to NULL pointer dereferencing.

[ 191.320358] Call Trace:
[ 191.320364] [] ? ath9k_tx+0xa7/0x200 [ath9k]
[ 191.320376] [] ? __ieee80211_tx+0x5c/0x1e0 [mac80211]
[ 191.320386] [] ? ieee80211_tx+0x7b/0x90 [mac80211]
[ 191.320395] [] ? ieee80211_xmit+0x9d/0x1d0 [mac80211]
[ 191.320401] [] ? wake_up_state+0xf/0x20
[ 191.320405] [] ? signal_wake_up+0x28/0x40
[ 191.320410] [] ? default_spin_lock_flags+0x8/0x10
[ 191.320420] [] ? ieee80211_subif_start_xmit+0x2e8/0x7c0 [mac80211]
[ 191.320425] [] ? do_page_fault+0x295/0x3a0
[ 191.320431] [] ? dev_hard_start_xmit+0x1ad/0x210
[ 191.320436] [] ? sch_direct_xmit+0x105/0x170
[ 191.320445] [] ? get_sta_flags+0x2a/0x40 [mac80211]
[ 191.320449] [] ? dev_queue_xmit+0x37f/0x4b0
[ 191.320452] [] ? eth_header+0x0/0xb0
[ 191.320456] [] ? neigh_resolve_output+0xe9/0x310
[ 191.320461] [] ? ip6_output_finish+0xa5/0x110
[ 191.320464] [] ? ip6_output2+0x134/0x250
[ 191.320468] [] ? ip6_output+0x6d/0x100
[ 191.320471] [] ? mld_sendpack+0x395/0x3e0
[ 191.320475] [] ? add_grhead+0x31/0xa0
[ 191.320478] [] ? mld_send_cr+0x1bc/0x2b0
[ 191.320482] [] ? irq_exit+0x39/0x70
[ 191.320485] [] ? mld_ifc_timer_expire+0x10/0x40
[ 191.320489] [] ? run_timer_softirq+0x13e/0x2c0
[ 191.320493] [] ? common_interrupt+0x30/0x40
[ 191.320498] [] ? mld_ifc_timer_expire+0x0/0x40
[ 191.320502] [] ? __do_softirq+0x98/0x1b0
[ 191.320506] [] ? do_softirq+0x45/0x50
[ 191.320509] [] ? irq_exit+0x65/0x70
[ 191.320513] [] ? smp_apic_timer_interrupt+0x5c/0x8b
[ 191.320516] [] ? apic_timer_interrupt+0x31/0x40
[ 191.320521] [] ? k_getrusage+0x12b/0x2f0
[ 191.320525] [] ? acpi_idle_enter_simple+0x117/0x148
[ 191.320529] [] ? cpuidle_idle_call+0x7a/0x100
[ 191.320532] [] ? cpu_idle+0x94/0xd0
[ 191.320536] [] ? rest_init+0x58/0x60
[ 191.320541] [] ? start_kernel+0x351/0x357
[ 191.320544] [] ? unknown_bootoption+0x0/0x19e
[ 191.320548] [] ? i386_start_kernel+0xaa/0xb1
[ 191.320550] Code: 03 66 3d 00 03 0f 84 7c 02 00 00 83 c3 18 0f b6 03 8b 4d e0 89 c3 83 e3 0f 6b c3 48 89 5d d8 8d 04 06 8d 50 0c 89 55 d0 8b 40 20 <8b> 00 3b 01 0f 85 8e 02 00 00 f6 47 20 40 0f 84 29 ff ff ff 8b
[ 191.320634] EIP: [] ath_tx_start+0x474/0x770 [ath9k] SS:ESP 0068:c0761a90
[ 191.320642] CR2: 0000000000000000
[ 191.320647] ---[ end trace 9296ef23b9076ece ]---
[ 191.320650] Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Mohammed Shafi Shajakhan
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman

commit 8a09d32eb7481e2966fe051b9006bd8497d409ec
Author: Bud Brown
Date: Wed Mar 23 20:47:11 2011 +0100

cciss: fix lost command issue

commit 1ddd5049545e0aa1a0ed19bca4d9c9c3ce1ac8a2 upstream.

Under certain workloads a command may seem to get lost. IOW, the Smart Array thinks all commands have been completed but we still have commands in our completion queue. This may lead to system instability, filesystems going read-only, or even panics depending on the affected filesystem. We add an extra read to force the write to complete.

Testing shows this extra read avoids the problem.

Signed-off-by: Mike Miller
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman

commit 7cb252174f786f9ccefa519454b9de5743acaccf
Author: Stanislaw Gruszka
Date: Wed Mar 23 02:44:30 2011 +0000

myri10ge: fix rmmod crash

commit cda6587c21a887254c8ed4b58da8fcc4040ab557 upstream.

Rmmod myri10ge crash at free_netdev() -> netif_napi_del(), because napi structures are already deallocated.
    To fix, call netif_napi_del() before kfree() at myri10ge_free_slices().

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6c66673c8abb839c99b9692d02ec8032a11e67af
Author: Frederic Weisbecker
Date:   Wed Mar 23 19:29:39 2011 +0100

    perf: Better fit max unprivileged mlock pages for tools needs

    commit 880f57318450dbead6a03f9e31a1468924d6dd88 upstream.

    The maximum kilobytes of locked memory that an unprivileged user can
    reserve is of 512 kB = 128 pages by default, scaled to the number of
    onlined CPUs, which fits well with the tools that use 128 data pages by
    default.

    However tools actually use 129 pages, because they need one more for
    the user control page. Thus the default mlock threshold is not
    sufficient for the default tools needs and we always end up to evaluate
    the constant mlock rlimit policy, which doesn't have this scaling with
    the number of online CPUs.

    Hence, on systems that have more than 16 CPUs, we overlap the rlimit
    threshold and fail to mmap:

        $ perf record ls
        Error: failed to mmap with 1 (Operation not permitted)

    Just increase the max unprivileged mlock threshold by one page so that
    it supports well perf tools even after 16 CPUs.

    Reported-by: Han Pingtian
    Reported-by: Peter Zijlstra
    Reported-by: Arnaldo Carvalho de Melo
    Signed-off-by: Frederic Weisbecker
    Acked-by: Arnaldo Carvalho de Melo
    Cc: Stephane Eranian
    LKML-Reference: <1300904979-5508-1-git-send-email-fweisbec@gmail.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit c27b92295ab4c6b90b1cee94c4c9c1b4732e1c2e
Author: Benjamin Herrenschmidt
Date:   Fri Mar 25 17:51:54 2011 +1100

    ALSA: vmalloc buffers should use normal mmap

    commit 3674f19dabd15f9541079a588149a370d888f4e6 upstream.

    It's a big no-no to use pgprot_noncached() when mmap'ing such buffers
    into userspace since they are mapped cachable in kernel space.

    This can cause all sorts of interesting things ranging from garbled
    sound to lockups on various architectures.
    I've observed that usb-audio is broken on powerpc 4xx for example
    because of that.

    Also remove the now unused snd_pcm_lib_mmap_noncached(). It's an arch
    business to know when to use uncached mappings, there's already hacks
    for MIPS inside snd_pcm_default_mmap() and other archs are supposed to
    use dma_mmap_coherent().

    (See my separate patch that adds dma_mmap_coherent() to powerpc)

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 952ef7855e21fead362d72c9f422bb0f2ec02687
Author: Takashi Iwai
Date:   Thu Mar 24 09:50:15 2011 +0100

    ALSA: Fix yet another race in disconnection

    commit a45e3d6b13e97506b616980c0f122c3389bcefa4 upstream.

    This patch fixes a race between snd_card_file_remove() and
    snd_card_disconnect(). When the card is added to shutdown_files list
    in snd_card_disconnect(), but it's freed in snd_card_file_remove() at
    the same time, the shutdown_files list gets corrupted. The list member
    must be freed in snd_card_file_remove() as well.

    Reported-and-tested-by: Russ Dill
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 1190f9f79730358e098f05d200af8c5d16a91302
Author: Takashi Iwai
Date:   Wed Mar 23 22:54:32 2011 +0100

    ALSA: hda - Fix SPDIF out regression on ALC889

    commit 20b67dddcc5f29d3d0c900225d85e0ac655bc69d upstream.

    The commit 5a8cfb4e8ae317d283f84122ed20faa069c5e0c4
        ALSA: hda - Use ALC_INIT_DEFAULT for really default initialization
    changed to use the default initialization method for ALC889, but this
    caused a regression on SPDIF output on some machines. This seems due
    to the COEF setup included in the default init procedure. For making
    SPDIF working again, the COEF-setup has to be avoided for the id 0889.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=24342
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 24db9b3ec4d2b5ec08d6bc8709186539699191c8
Author: David Henningsson
Date:   Mon Feb 7 15:19:34 2011 +0100

    ALSA: HDA: New AD1984A model for Dell Precision R5500

    commit 677cd904aba939bc4cfdc3c1eada8ec46582127e upstream.

    For codec AD1984A, add a new model to support Dell Precision R5500 or
    the microphone jack won't work correctly.

    BugLink: http://bugs.launchpad.net/bugs/741516
    Tested-by: Kent Baxley
    Signed-off-by: David Henningsson
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman