commit cf29f916c310c9b13c19514b496700c549597e11 Author: Greg Kroah-Hartman Date: Fri Jun 3 09:34:20 2011 +0900 Linux 2.6.39.1 commit b8ccd154b8435ba1f60c6a41d38a53c30d295218 Author: Kees Cook Date: Tue May 31 11:31:41 2011 -0700 AppArmor: fix oops in apparmor_setprocattr commit a5b2c5b2ad5853591a6cac6134cd0f599a720865 upstream. When invalid parameters are passed to apparmor_setprocattr a NULL deref oops occurs when it tries to record an audit message. This is because it is passing NULL for the profile parameter for aa_audit. But aa_audit now requires that the profile passed is not NULL. Fix this by passing the current profile on the task that is trying to setprocattr. Signed-off-by: Kees Cook Signed-off-by: John Johansen Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit a50ee58396be6f8398b2de911dac148bfb424c35 Author: Lukas Czerner Date: Fri May 20 13:49:04 2011 -0400 ext4: Use schedule_timeout_interruptible() for waiting in lazyinit thread commit 4ed5c033c11b33149d993734a6a8de1016e8f03f upstream. In order to make lazyinit eat approx. 10% of io bandwidth at max, we are sleeping between zeroing each single inode table. For that purpose we are using timer which wakes up thread when it expires. It is set via add_timer() and this may cause troubles in the case that thread has been woken up earlier and in next iteration we call add_timer() on still running timer hence hitting BUG_ON in add_timer(). We could fix that by using mod_timer() instead however we can use schedule_timeout_interruptible() for waiting and hence simplifying things a lot. This commit exchange the old "waiting mechanism" with simple schedule_timeout_interruptible(), setting the time to sleep. Hence we do not longer need li_wait_daemon waiting queue and others, so get rid of it. Addresses-Red-Hat-Bugzilla: #699708 Signed-off-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Signed-off-by: Greg Kroah-Hartman commit 0e73b1f4f61142e32ec5acbda8e50bfc79dbec87 Author: Lukas Czerner Date: Fri May 20 13:55:29 2011 -0400 ext4: fix possible use-after-free in ext4_remove_li_request() commit 1bb933fb1fa8e4cb337a0d5dfd2ff4c0dc2073e8 upstream. We need to take reference to the s_li_request after we take a mutex, because it might be freed since then, hence result in accessing old already freed memory. Also we should protect the whole ext4_remove_li_request() because ext4_li_info might be in the process of being freed in ext4_lazyinit_thread(). Signed-off-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Signed-off-by: Greg Kroah-Hartman commit 9a18274e9444e3581a6ba7479ddad080d1be63c0 Author: Tejun Heo Date: Thu Apr 21 20:54:46 2011 +0200 block: don't block events on excl write for non-optical devices commit d4dc210f69bcb0b4bef5a83b1c323817be89bad1 upstream. Disk event code automatically blocks events on excl write. This is primarily to avoid issuing polling commands while burning is in progress. This behavior doesn't fit other types of devices with removeable media where polling commands don't have adverse side effects and door locking usually doesn't exist. This patch introduces new genhd flag which controls the auto-blocking behavior and uses it to enable auto-blocking only on optical devices. Note for stable: 2.6.38 and later only Signed-off-by: Tejun Heo Reported-by: Kay Sievers Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 86bc85941ec3dff36ba442f181e5d7e28ac7e2f7 Author: Tian, Kevin Date: Thu May 12 10:56:08 2011 +0800 xen mmu: fix a race window causing leave_mm BUG() commit 7899891c7d161752f29abcc9bc0a9c6c3a3af26c upstream. There's a race window in xen_drop_mm_ref, where remote cpu may exit dirty bitmap between the check on this cpu and the point where remote cpu handles drop request. So in drop_other_mm_ref we need check whether TLB state is still lazy before calling into leave_mm. This bug is rarely observed in earlier kernel, but exaggerated by the commit 831d52bc153971b70e64eccfbed2b232394f22f8 ("x86, mm: avoid possible bogus tlb entries by clearing prev mm_cpumask after switching mm") which clears bitmap after changing the TLB state. the call trace is as below: --------------------------------- kernel BUG at arch/x86/mm/tlb.c:61! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/xen_memory/xen_memory0/info/current_kb CPU 1 Modules linked in: 8021q garp xen_netback xen_blkback blktap blkback_pagemap nbd bridge stp llc autofs4 ipmi_devintf ipmi_si ipmi_msghandler lockd sunrpc bonding ipv6 xenfs dm_multipath video output sbs sbshc parport_pc lp parport ses enclosure snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device serio_raw bnx2 snd_pcm_oss snd_mixer_oss snd_pcm snd_timer iTCO_wdt snd soundcore snd_page_alloc i2c_i801 iTCO_vendor_support i2c_core pcs pkr pata_acpi ata_generic ata_piix shpchp mptsas mptscsih mptbase [last unloaded: freq_table] Pid: 25581, comm: khelper Not tainted 2.6.32.36fixxen #1 Tecal RH2285 RIP: e030:[] [] leave_mm+0x15/0x46 RSP: e02b:ffff88002805be48 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88015f8e2da0 RDX: ffff88002805be78 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88002805be48 R08: ffff88009d662000 R09: dead000000200200 R10: dead000000100100 R11: ffffffff814472b2 R12: ffff88009bfc1880 R13: ffff880028063020 R14: 00000000000004f6 R15: 0000000000000000 FS: 00007f62362d66e0(0000) GS:ffff880028058000(0000) knlGS:0000000000000000 CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000003aabc11909 CR3: 000000009b8ca000 CR4: 0000000000002660 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000000 00 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process khelper (pid: 25581, threadinfo ffff88007691e000, task ffff88009b92db40) Stack: ffff88002805be68 ffffffff8100e4ae 0000000000000001 ffff88009d733b88 <0> ffff88002805be98 ffffffff81087224 ffff88002805be78 ffff88002805be78 <0> ffff88015f808360 00000000000004f6 ffff88002805bea8 ffffffff81010108 Call Trace: [] drop_other_mm_ref+0x2a/0x53 [] generic_smp_call_function_single_interrupt+0xd8/0xfc [] xen_call_function_single_interrupt+0x13/0x28 [] handle_IRQ_event+0x66/0x120 [] handle_percpu_irq+0x41/0x6e [] __xen_evtchn_do_upcall+0x1ab/0x27d [] xen_evtchn_do_upcall+0x33/0x46 [] xen_do_hyper visor_callback+0x1e/0x30 [] ? _spin_unlock_irqrestore+0x15/0x17 [] ? xen_restore_fl_direct_end+0x0/0x1 [] ? flush_old_exec+0x3ac/0x500 [] ? load_elf_binary+0x0/0x17ef [] ? load_elf_binary+0x0/0x17ef [] ? load_elf_binary+0x398/0x17ef [] ? need_resched+0x23/0x2d [] ? process_measurement+0xc0/0xd7 [] ? load_elf_binary+0x0/0x17ef [] ? search_binary_handler+0xc8/0x255 [] ? do_execve+0x1c3/0x29e [] ? sys_execve+0x43/0x5d [] ? __call_usermodehelper+0x0/0x6f [] ? kernel_execve+0x68/0xd0 [] ? __call_usermodehelper+0x0/0x6f [] ? xen_restore_fl_direct_end+0x0/0x1 [] ? ____call_usermodehelper+0x113/0x11e [] ? child_rip+0xa/0x20 [] ? __call_usermodehelper+0x0/0x6f [] ? int_ret_from_sys_call+0x7/0x1b [] ? retint_restore_args+0x5/0x6 [] ? child_rip+0x0/0x20 Code: 41 5e 41 5f c9 c3 55 48 89 e5 0f 1f 44 00 00 e8 17 ff ff ff c9 c3 55 48 89 e5 0f 1f 44 00 00 65 8b 04 25 c8 55 01 00 ff c8 75 04 <0f> 0b eb fe 65 48 8b 34 25 c0 55 01 00 48 81 c6 b8 02 00 00 e8 RIP [] leave_mm+0x15/0x46 RSP ---[ end trace ce9cee6832a9c503 ]--- Tested-by: Maoxiaoyun Signed-off-by: Kevin Tian [v1: Fleshed out the git description a bit] Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 0d97559675bcba247e705712800ccd2c6d3674f1 Author: Konrad Rzeszutek Wilk Date: Tue Apr 12 07:57:15 2011 -0400 xen/setup: Ignore E820_UNUSABLE when setting 1-1 mappings. commit 15bfc094517db2ddf38ca7ed47f3a1c0ad24f7c4 upstream. When we parse the raw E820, the Xen hypervisor can set "E820_RAM" to "E820_UNUSABLE" if the mem=X argument is used. As such we should _not_ consider the E820_UNUSABLE as an 1-1 identity mapping, but instead use the same case as for E820_RAM. Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 0fa5814524bb6c60fdc28915f367d8a5aa2b72c4 Author: Daniel Kiper Date: Wed May 11 22:34:38 2011 +0200 xen/setup: Fix for incorrect xen_extra_mem_start initialization under 32-bit commit 0f16d0dfcdb5aab97d9e368f008b070b5b3ec6d3 upstream. git commit 24bdb0b62cc82120924762ae6bc85afc8c3f2b26 (xen: do not create the extra e820 region at an addr lower than 4G) does not take into account that ifdef CONFIG_X86_32 instead of e820_end_of_low_ram_pfn() find_low_pfn_range() is called (both calls are from arch/x86/kernel/setup.c). find_low_pfn_range() behaves correctly and does not require change in xen_extra_mem_start initialization. Additionally, if xen_extra_mem_start is initialized in the same way as ifdef CONFIG_X86_64 then memory hotplug support for Xen balloon driver (under development) is broken. Signed-off-by: Daniel Kiper Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit da115763a03d730d374b5105fb5ded0c90b3329e Author: Konrad Rzeszutek Wilk Date: Fri Apr 1 15:18:48 2011 -0400 xen/p2m: Create entries in the P2M_MFN trees's to track 1-1 mappings commit 8c5950881c3b5e6e350e4b0438a8ccc513d90df9 upstream. .. when applicable. We need to track in the p2m_mfn and p2m_mfn_p the MFNs and pointers, respectivly, for the P2M entries that are allocated for the identity mappings. Without this, a PV domain with an E820 that triggers the 1-1 mapping to kick in, won't be able to be restored as the P2M won't have the identity mappings. Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit e8dbdcfd31544a412f49046a2be5e70fe28f5fc9 Author: Hemant Pedanekar Date: Tue Apr 5 12:32:50 2011 +0530 PCI: Add quirk for setting valid class for TI816X Endpoint commit 63c4408074cbcc070ac17fc10e524800eb9bd0b0 upstream. TI816X (common name for DM816x/C6A816x/AM389x family) devices configured to boot as PCIe Endpoint have class code = 0. This makes kernel PCI bus code to skip allocating BARs to these devices resulting into following type of error when trying to enable them: "Device 0000:01:00.0 not available because of resource collisions" The device cannot be operated because of the above issue. This patch adds a ID specific (TI VENDOR ID and 816X DEVICE ID based) 'early' fixup quirk to replace class code with PCI_CLASS_MULTIMEDIA_VIDEO as class. Signed-off-by: Hemant Pedanekar Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 51b79580f09e3566a7bdbf885b9d2dfbd9817be1 Author: Vitaliy Gusev Date: Fri May 20 01:34:46 2011 +0400 nfs41: Correct offset for LAYOUTCOMMIT commit 4b8ee2b82e8b0b6e17ee33feb74fcdb5c6d8dbdd upstream. A client sends offset to MDS as it was seen by DS. As result, file size after copy is only half of original file size in case of 2 DS. Signed-off-by: Vitaliy Gusev Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit f2277bfde1808ad803ada27f80f1f3e7dc680c8e Author: Trond Myklebust Date: Thu May 26 14:26:35 2011 -0400 NFSv4.1: Fix the handling of NFS4ERR_SEQ_MISORDERED errors commit 444f72fe7e7b5f4db34cee933fa3546ebb8e9122 upstream. Currently, the call to nfs4_schedule_session_recovery() will actually just result in a test of the lease when what we really want is to force a session reset. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 5f857b3e33f57e4277c04efd810902b347fc76b6 Author: Trond Myklebust Date: Thu May 26 14:26:35 2011 -0400 NFSv4: Handle expired stateids when the lease is still valid commit 0ced63d1a245ac11241a5d37932e6d04d9c8040d upstream. Currently, if the server returns NFS4ERR_EXPIRED in reply to a READ or WRITE, but the RENEW test determines that the lease is still active, we fail to recover and end up looping forever in a READ/WRITE + RENEW death spiral. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 721c196a63eb2b149ae0856f7dc7243303a1e79b Author: Trond Myklebust Date: Fri Mar 18 20:21:23 2011 -0400 SUNRPC: Deal with the lack of a SYN_SENT sk->sk_state_change callback... commit fe19a96b10032035a35779f42ad59e35d6dd8ffd upstream. The TCP connection state code depends on the state_change() callback being called when the SYN_SENT state is set. However the networking layer doesn't actually call us back in that case. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 0b9fb9202dac3ba4542556d57ccbe3fdd63d8b89 Author: Dave Airlie Date: Thu May 19 14:14:43 2011 +1000 drm/radeon/kms: add wait idle ioctl for eg->cayman commit 97bfd0acd32e9639c9136e03955d574655d5cc2b upstream. None of the latest GPUs had this hooked up, this is necessary for correct operation in a lot of cases, however we should test this on a few GPUs in these families as we've had problems in this area before. Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 5e9b0976b345e6ba50bcfb663db3d6fc37a07727 Author: Dave Airlie Date: Thu May 19 14:14:41 2011 +1000 drm/radeon/kms: fix tile_config value reported to userspace on cayman. commit cde5083b051e9c66c99a8764aefbc13349e7730d upstream. cayman is reporting the wrong tile config value to userspace, this causes piglit mipmap generation tests to fail. Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 960f84f94493758bb0ffa4d1ddea341db573bfe7 Author: Dave Airlie Date: Thu May 19 14:14:40 2011 +1000 drm/radeon/kms: fix incorrect comparison in cayman setup code. commit c289cff10a265ec4afe4396425297ff979a840b5 upstream. This was leading to a bogus value being programmed to the backend routing register. Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0891360a901d93135e0f79b579e7085905ee70fb Author: Alex Deucher Date: Thu May 19 11:07:57 2011 -0400 drm/radeon/evergreen/btc/fusion: setup hdp to invalidate and flush when asked commit f25a5c63bfa017498c9adecb24d649ae96ba5c68 upstream. This needs to be explicitly set on btc. It's set by default on evergreen/fusion, so it fine to just unconditionally enable it for all chips. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit a4760aef8cda5b338de1dbe17fc51766b985e239 Author: Dave Airlie Date: Thu May 19 14:14:42 2011 +1000 drm/radeon/cayman: setup hdp to invalidate and flush when asked commit 0b65f83f9d2fab47b9b6040fe75fc2cfc73032d4 upstream. On cayman we need to set the bit to cause HDP flushes to invalidate the HDP cache also. Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 9c9f8b0de180b801dedf0429a7788b07d5215ab5 Author: Boqun Feng Date: Mon May 16 16:02:39 2011 +0800 drm/i915: fix user irq miss in BSD ring on g4x commit 5bfa1063a775836a84f97e4df863fc36e1f856ad upstream. On g4x, user interrupt in BSD ring is missed. This is because though g4x and ironlake share the same bsd_ring, their interrupt control interfaces have _two_ differences. 1.different irq enable/disable functions: On g4x are i915_enable_irq and i915_disable_irq. On ironlake are ironlake_enable_irq and ironlake_disable_irq. 2.different irq flag: On g4x user interrupt flag in BSD ring on is I915_BSD_USER_INTERRUPT. On ironlake is GT_BSD_USER_INTERRUPT Old bsd_ring_get/put_irq call ring_get_irq and ring_get_irq. ring_get_irq and ring_put_irq only call ironlake_enable/disable_irq. So comes the irq miss on g4x. To fix this, as other rings' code do, conditionally call different functions(i915_enable/disable_irq and ironlake_enable/disable_irq) and use different interrupt flags in bsd_ring_get/put_irq. Signed-off-by: Boqun Feng Reviewed-by: Xiang, Haihao Signed-off-by: Keith Packard Signed-off-by: Greg Kroah-Hartman commit 23dffbd0c8e3d6e418c7438f7343dcc83fefa87b Author: Namhyung Kim Date: Thu May 26 21:06:50 2011 +0200 brd: handle on-demand devices correctly commit af46566885a373b0a526932484cd8fef8de7b598 upstream. When finding or allocating a ram disk device, brd_probe() did not take partition numbers into account so that it can result to a different device. Consider following example (I set CONFIG_BLK_DEV_RAM_COUNT=4 for simplicity) : $ sudo modprobe brd max_part=15 $ ls -l /dev/ram* brw-rw---- 1 root disk 1, 0 2011-05-25 15:41 /dev/ram0 brw-rw---- 1 root disk 1, 16 2011-05-25 15:41 /dev/ram1 brw-rw---- 1 root disk 1, 32 2011-05-25 15:41 /dev/ram2 brw-rw---- 1 root disk 1, 48 2011-05-25 15:41 /dev/ram3 $ sudo mknod /dev/ram4 b 1 64 $ sudo dd if=/dev/zero of=/dev/ram4 bs=4k count=256 256+0 records in 256+0 records out 1048576 bytes (1.0 MB) copied, 0.00215578 s, 486 MB/s namhyung@leonhard:linux$ ls -l /dev/ram* brw-rw---- 1 root disk 1, 0 2011-05-25 15:41 /dev/ram0 brw-rw---- 1 root disk 1, 16 2011-05-25 15:41 /dev/ram1 brw-rw---- 1 root disk 1, 32 2011-05-25 15:41 /dev/ram2 brw-rw---- 1 root disk 1, 48 2011-05-25 15:41 /dev/ram3 brw-r--r-- 1 root root 1, 64 2011-05-25 15:45 /dev/ram4 brw-rw---- 1 root disk 1, 1024 2011-05-25 15:44 /dev/ram64 After this patch, /dev/ram4 - instead of /dev/ram64 - was accessed correctly. In addition, 'range' passed to blk_register_region() should include all range of dev_t that RAMDISK_MAJOR can address. It does not need to be limited by partition numbers unless 'rd_nr' param was specified. Signed-off-by: Namhyung Kim Cc: Laurent Vivier Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit db39f5be9655ae28ba51d06b5c353f619abf826a Author: Namhyung Kim Date: Thu May 26 21:06:50 2011 +0200 brd: limit 'max_part' module param to DISK_MAX_PARTS commit 315980c8688c4b06713c1a5fe9d64cdf8ab57a72 upstream. The 'max_part' parameter controls the number of maximum partition a brd device can have. However if a user specifies very large value it would exceed the limitation of device minor number and can cause a kernel panic (or, at least, produce invalid device nodes in some cases). On my desktop system, following command kills the kernel. On qemu, it triggers similar oops but the kernel was alive: $ sudo modprobe brd max_part=100000 BUG: unable to handle kernel NULL pointer dereference at 0000000000000058 IP: [] sysfs_create_dir+0x2d/0xae PGD 7af1067 PUD 7b19067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: CPU 0 Modules linked in: brd(+) Pid: 44, comm: insmod Tainted: G W 2.6.39-qemu+ #158 Bochs Bochs RIP: 0010:[] [] sysfs_create_dir+0x2d/0xae RSP: 0018:ffff880007b15d78 EFLAGS: 00000286 RAX: ffff880007b05478 RBX: ffff880007a52760 RCX: ffff880007b15dc8 RDX: ffff880007a4f900 RSI: ffff880007b15e48 RDI: ffff880007a52760 RBP: ffff880007b15da8 R08: 0000000000000002 R09: 0000000000000000 R10: ffff880007b15e48 R11: ffff880007b05478 R12: 0000000000000000 R13: ffff880007b05478 R14: 0000000000400920 R15: 0000000000000063 FS: 0000000002160880(0063) GS:ffff880007c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 0000000007b1c000 CR4: 00000000000006b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000 Process insmod (pid: 44, threadinfo ffff880007b14000, task ffff880007acb980) Stack: ffff880007b15dc8 ffff880007b05478 ffff880007b15da8 00000000fffffffe ffff880007a52760 ffff880007b05478 ffff880007b15de8 ffffffff81143c0a 0000000000400920 ffff880007a52760 ffff880007b05478 0000000000000000 Call Trace: [] kobject_add_internal+0xdf/0x1a0 [] kobject_add_varg+0x41/0x50 [] kobject_add+0x64/0x66 [] blk_register_queue+0x5f/0xb8 [] add_disk+0xdf/0x289 [] brd_init+0xdf/0x1aa [brd] [] ? 0xffffffffa0003fff [] ? 0xffffffffa0003fff [] do_one_initcall+0x7a/0x12e [] sys_init_module+0x9c/0x1dc [] system_call_fastpath+0x16/0x1b Code: 89 e5 41 55 41 54 53 48 89 fb 48 83 ec 18 48 85 ff 75 04 0f 0b eb fe 48 8b 47 18 49 c7 c4 70 1e 4d 81 48 85 c0 74 04 4c 8b 60 30 8b 44 24 58 45 31 ed 0f b6 c4 85 c0 74 0d 48 8b 43 28 48 89 RIP [] sysfs_create_dir+0x2d/0xae RSP CR2: 0000000000000058 ---[ end trace aebb1175ce1f6739 ]--- Signed-off-by: Namhyung Kim Cc: Laurent Vivier Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 96f59247b06552ab29000012f0878cbbd522bab2 Author: Dan Williams Date: Fri May 27 04:51:54 2011 +0000 atm: expose ATM device index in sysfs commit e7a46b4d0839c2a3aa2e0ae0b145f293f6738498 upstream. It's currently exposed only through /proc which, besides requiring screen-scraping, doesn't allow userspace to distinguish between two identical ATM adapters with different ATM indexes. The ATM device index is required when using PPPoATM on a system with multiple ATM adapters. Signed-off-by: Dan Williams Reviewed-by: Eric Dumazet Tested-by: David Woodhouse Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e753e72e4d6698a629634e66580638e7bd6835ba Author: Hugh Dickins Date: Sat May 28 13:14:09 2011 -0700 tmpfs: fix race between truncate and writepage commit 826267cf1e6c6899eda1325a19f1b1d15c558b20 upstream. While running fsx on tmpfs with a memhog then swapoff, swapoff was hanging (interruptibly), repeatedly failing to locate the owner of a 0xff entry in the swap_map. Although shmem_writepage() does abandon when it sees incoming page index is beyond eof, there was still a window in which shmem_truncate_range() could come in between writepage's dropping lock and updating swap_map, find the half-completed swap_map entry, and in trying to free it, leave it in a state that swap_shmem_alloc() could not correct. Arguably a bug in __swap_duplicate()'s and swap_entry_free()'s handling of the different cases, but easiest to fix by moving swap_shmem_alloc() under cover of the lock. More interesting than the bug: it's been there since 2.6.33, why could I not see it with earlier kernels? The mmotm of two weeks ago seems to have some magic for generating races, this is just one of three I found. With yesterday's git I first saw this in mainline, bisected in search of that magic, but the easy reproducibility evaporated. Oh well, fix the bug. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ca328545a1eca31a6c15487e526ddfaf870bc749 Author: Will Deacon Date: Thu May 26 11:20:19 2011 +0100 ARM: 6941/1: cache: ensure MVA is cacheline aligned in flush_kern_dcache_area commit a248b13b21ae00b97638b4f435c8df3075808b5d upstream. The v6 and v7 implementations of flush_kern_dcache_area do not align the passed MVA to the size of a cacheline in the data cache. If a misaligned address is used, only a subset of the requested area will be flushed. This has been observed to cause failures in SMP boot where the secondary_data initialised by the primary CPU is not cacheline aligned, causing the secondary CPUs to read incorrect values for their pgd and stack pointers. This patch ensures that the base address is cacheline aligned before flushing the d-cache. Acked-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 7d65f8ababe778107b12acc7b1ab998c03cfe48c Author: Martin K. Petersen Date: Sun May 29 13:02:55 2011 +0100 dm mpath: do not fail paths after integrity errors commit 6f13f6fba76edc7d0e7580c5deee829d59a41b2f upstream. Integrity errors need to be passed to the owner of the integrity metadata for processing. Consequently EILSEQ should be passed up the stack. Signed-off-by: Martin K. Petersen Acked-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit c43a24963bf8d5dc865186d51c63599a8e5b1fd8 Author: Milan Broz Date: Sun May 29 13:02:52 2011 +0100 dm table: reject devices without request fns commit f4808ca99a203f20b4475601748e44b25a65bdec upstream. This patch adds a check that a block device has a request function defined before it is used. Otherwise, misconfiguration can cause an oops. Because we are allowing devices with zero size e.g. an offline multipath device as in commit 2cd54d9bedb79a97f014e86c0da393416b264eb3 ("dm: allow offline devices") there needs to be an additional check to ensure devices are initialised. Some block devices, like a loop device without a backing file, exist but have no request function. Reproducer is trivial: dm-mirror on unbound loop device (no backing file on loop devices) dmsetup create x --table "0 8 mirror core 2 8 sync 2 /dev/loop0 0 /dev/loop1 0" and mirror resync will immediatelly cause OOps. BUG: unable to handle kernel NULL pointer dereference at (null) ? generic_make_request+0x2bd/0x590 ? kmem_cache_alloc+0xad/0x190 submit_bio+0x53/0xe0 ? bio_add_page+0x3b/0x50 dispatch_io+0x1ca/0x210 [dm_mod] ? read_callback+0x0/0xd0 [dm_mirror] dm_io+0xbb/0x290 [dm_mod] do_mirror+0x1e0/0x748 [dm_mirror] Signed-off-by: Milan Broz Reported-by: Zdenek Kabelac Acked-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 3378432e8db20345aa68e9a795f93689f1378956 Author: Tim Chen Date: Fri Feb 11 12:49:04 2011 -0800 idle governor: Avoid lock acquisition to read pm_qos before entering idle commit 333c5ae9948194428fe6c5ef5c088304fc98263b upstream. Thanks to the reviews and comments by Rafael, James, Mark and Andi. Here's version 2 of the patch incorporating your comments and also some update to my previous patch comments. I noticed that before entering idle state, the menu idle governor will look up the current pm_qos target value according to the list of qos requests received. This look up currently needs the acquisition of a lock to access the list of qos requests to find the qos target value, slowing down the entrance into idle state due to contention by multiple cpus to access this list. The contention is severe when there are a lot of cpus waking and going into idle. For example, for a simple workload that has 32 pair of processes ping ponging messages to each other, where 64 cpu cores are active in test system, I see the following profile with 37.82% of cpu cycles spent in contention of pm_qos_lock: - 37.82% swapper [kernel.kallsyms] [k] _raw_spin_lock_irqsave - _raw_spin_lock_irqsave - 95.65% pm_qos_request menu_select cpuidle_idle_call - cpu_idle 99.98% start_secondary A better approach will be to cache the updated pm_qos target value so reading it does not require lock acquisition as in the patch below. With this patch the contention for pm_qos_lock is removed and I saw a 2.2X increase in throughput for my message passing workload. Signed-off-by: Tim Chen Acked-by: Andi Kleen Acked-by: James Bottomley Acked-by: mark gross Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 75ea36a5365918b3a66d2273a87cdad146959c32 Author: Tero Kristo Date: Thu Feb 24 17:19:23 2011 +0200 cpuidle: menu: fixed wrapping timers at 4.294 seconds commit 7467571f4480b273007517b26297c07154c73924 upstream. Cpuidle menu governor is using u32 as a temporary datatype for storing nanosecond values which wrap around at 4.294 seconds. This causes errors in predicted sleep times resulting in higher than should be C state selection and increased power consumption. This also breaks cpuidle state residency statistics. Signed-off-by: Tero Kristo Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit f40e1a49dbb9bd52bb7a8ddbf98b4520e33a3190 Author: Guenter Roeck Date: Tue May 24 12:16:40 2011 -0700 hwmon: (pmbus) Initialize sysfs attributes commit eec752b2b99c794766926a9bac59b0d7df5b09c2 upstream. Initialize sysfs attrs before device_create_file() call to suppress lockdep_init_map() warning: WARNING: at kernel/lockdep.c:2701 lockdep_init_map+0x12d/0x140() Reviewed-by: Robert Coulson Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 17fdfc59e1cdf37689f5747ed527dbd5961b2010 Author: Luca Tettamanti Date: Wed May 25 20:43:31 2011 +0200 i8k: Avoid lahf in 64-bit code commit bc1f419c76a2d6450413ce4349f4e4a07be011d5 upstream. i8k uses lahf to read the flag register in 64-bit code; early x86-64 CPUs, however, lack this instruction and we get an invalid opcode exception at runtime. Use pushf to load the flag register into the stack instead. Signed-off-by: Luca Tettamanti Reported-by: Jeff Rickman Tested-by: Jeff Rickman Tested-by: Harry G McGavran Jr Cc: Massimo Dal Zotto Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 82ce79999abf4899b10481209db7f0af8057a561 Author: Serge E. Hallyn Date: Thu May 26 15:25:05 2011 -0500 Set cred->user_ns in key_replace_session_keyring commit f7285b5d631fd6096b11c6af0058ed3a2b30ef4e upstream. Since this cred was not created with copy_creds(), it needs to get initialized. Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT); can lead to a NULL deref. Thanks to Robert for finding this. But introduced by commit 47a150edc2a ("Cache user_ns in struct cred"). Signed-off-by: Serge E. Hallyn Reported-by: Robert Święcki Cc: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 39b4e54266a625a141dac11c7bd22729b00c94d7 Author: Kevin Cernekee Date: Tue May 10 15:47:16 2011 -0700 kbuild: Fix GNU make v3.80 compatibility commit 43f67c98161c65f1b2e3af3a9ce6741850072c06 upstream. According to Documentation/Changes, the kernel should be buildable with GNU make 3.80+. Commit 88d7be031f9f975bb3f50a0b5ef3796a671e7edf (kbuild: Use a single clean rule for kernel and external modules) introduced the "$(or" construct, which requires make 3.81. This causes "make clean" to malfunction when it is used with external modules. Replace "$(or" with an equivalent "$(if" expression, to restore backward compatibility. Signed-off-by: Kevin Cernekee Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 817db79f05be31b511c24c2bfc731b934f46262a Author: Artem Bityutskiy Date: Fri May 6 17:08:56 2011 +0300 UBIFS: fix a rare memory leak in ro to rw remounting path commit eaeee242c531cd4b0a4a46e8b5dd7ef504380c42 upstream. When re-mounting from R/O mode to R/W mode and the LEB count in the superblock is not up-to date, because for the underlying UBI volume became larger, we re-write the superblock. We allocate RAM for these purposes, but never free it. So this is a memory leak, although very rare one. Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 3e06eba936b0e872ba18649cfd34398b92b120dd Author: Tyler Hicks Date: Tue May 17 00:50:33 2011 -0500 eCryptfs: Allow 2 scatterlist entries for encrypted filenames commit 8d08dab786ad5cc2aca2bf870de370144b78c85a upstream. The buffers allocated while encrypting and decrypting long filenames can sometimes straddle two pages. In this situation, virt_to_scatterlist() will return -ENOMEM, causing the operation to fail and the user will get scary error messages in their logs: kernel: ecryptfs_write_tag_70_packet: Internal error whilst attempting to convert filename memory to scatterlist; expected rc = 1; got rc = [-12]. block_aligned_filename_size = [272] kernel: ecryptfs_encrypt_filename: Error attempting to generate tag 70 packet; rc = [-12] kernel: ecryptfs_encrypt_and_encode_filename: Error attempting to encrypt filename; rc = [-12] kernel: ecryptfs_lookup: Error attempting to encrypt and encode filename; rc = [-12] The solution is to allow up to 2 scatterlist entries to be used. Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit f2212c86b7bcd04b94fd11c34e95c102506180b4 Author: Tyler Hicks Date: Fri Apr 29 16:26:27 2011 -0500 eCryptfs: Clear i_nlink in rmdir commit 07850552b92b3637fa56767b5e460b4238014447 upstream. eCryptfs wasn't clearing the eCryptfs inode's i_nlink after a successful vfs_rmdir() on the lower directory. This resulted in the inode evict and destroy paths to be missed. https://bugs.launchpad.net/ecryptfs/+bug/723518 Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit 1dd46c1c58394949c8d24eadaa5edc5905b55999 Author: Christian Lamparter Date: Fri May 13 21:47:23 2011 +0200 p54usb: add zoom 4410 usbid commit 9368a9a2378ab721f82f59430a135b4ce4ff5109 upstream. Reported-by: Mark Davis Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4e2c4040f3e270dbd66e094a3dff196495d5b765 Author: Keshava Munegowda Date: Mon May 16 14:24:58 2011 +0530 mfd: Fix omap usbhs crash when rmmoding ehci or ohci commit 6eb6fbbf3eca6dfba73e72de5ab2eeb52ae41f7a upstream. The disabling of clocks and freeing GPIO are changed to fix the occurrence of the crash of rmmod of ehci and ohci drivers. The GPIOs should be freed after the spin locks are unlocked. Signed-off-by: Keshava Munegowda Acked-by: Felipe Balbi Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit c8b7f76958e22a88f2fa510ab05aff1ca08358a6 Author: Kuninori Morimoto Date: Fri Apr 15 16:44:27 2011 +0900 sh: fixup fpu.o compile order commit a375b15164dd9264f724ad941825e52c90145151 upstream. arch_ptrace() was modified to reference init_fpu() to fix up xstate initialization, which overlooked the fact that there are configurations that don't enable any of hard FPU support or emulation, resulting in build errors on DSP parts. Given that init_fpu() simply sets up the xstate slab cache and is side-stepped entirely for the DSP case, we can simply always build in the helper and fix up the references. Reported-by: Nobuhiro Iwamatsu Signed-off-by: Kuninori Morimoto Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit dd04ac7182e11f77da6d12d2c3ff868c5bbedcd1 Author: Kuninori Morimoto Date: Thu Apr 14 17:13:53 2011 +0900 sh: clkfwk: fixup clk_rate_table_build parameter in div6 clock commit 52c10ad22b7e317960b4d411c9a9ddeaf3d5ae39 upstream. div6 clock should not use arch_flags for clk_rate_table_build, because SH_CLK_DIV6_EXT doesn't care .arch_flags. clk->freq_table[] will be all CPUFREQ_ENTRY_INVALID without this patch. Signed-off-by: Kuninori Morimoto Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit fa7e5a133b16147d942345d4dd73665a3d8d1bb2 Author: Jonathan Nieder Date: Sun May 1 06:29:56 2011 -0300 cx88: hold device lock during sub-driver initialization commit 1d6213ab995c61f7d1d81cf6cf876acf15d6e714 upstream. cx8802_blackbird_probe makes a device node for the mpeg sub-device before it has been added to dev->drvlist. If the device is opened during that time, the open succeeds but request_acquire cannot be called, so the reference count remains zero. Later, when the device is closed, the reference count becomes negative --- uh oh. Close the race by holding core->lock during probe and not releasing until the device is in drvlist and initialization finished. Previously the BKL prevented this race. Reported-by: Andreas Huber Tested-by: Andi Huber Tested-by: Marlon de Boer Signed-off-by: Jonathan Nieder Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 09c90392d070959e7f4b7942482326aa502298f0 Author: Jonathan Nieder Date: Sun May 1 06:29:37 2011 -0300 cx88: fix locking of sub-driver operations commit 1fe70e963028f34ba5e32488a7870ff4b410b19b upstream. The BKL conversion of this driver seems to have gone wrong. Loading the cx88-blackbird driver deadlocks. The cause: mpeg_ops::open in the cx2388x blackbird driver acquires the device lock and calls the sub-driver's request_acquire, which tries to acquire the lock again. Fix it by clarifying the semantics of request_acquire, request_release, advise_acquire, and advise_release: now all will rely on the caller to acquire the device lock. Based on work by Ben Hutchings . Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=31962 Reported-by: Andi Huber Tested-by: Andi Huber Tested-by: Marlon de Boer Signed-off-by: Jonathan Nieder Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 508d613a04b5af41b4e9e030082dea0c672b1e62 Author: Jonathan Nieder Date: Sun May 1 06:29:16 2011 -0300 cx88: protect per-device driver list with device lock commit 8a317a8760cfffa8185b56ff59fb4b6c58488d79 upstream. The BKL conversion of this driver seems to have gone wrong. Various uses of the sub-device and driver lists appear to be subject to race conditions. In particular, some functions access drvlist without a relevant lock held, which will race against removal of drivers. Let's start with that --- clean up by consistently protecting dev->drvlist with dev->core->lock, noting driver functions that require the device lock to be held or not to be held. After this patch, there are still some races --- e.g., cx8802_blackbird_remove can run between the time the blackbird driver is acquired and the time it is used in mpeg_release, and there's a similar race in cx88_dvb_bus_ctrl. Later patches will address the remaining known races and the deadlock noticed by Andi. This patch just makes the semantics clearer in preparation for those later changes. Based on work by Ben Hutchings . Tested-by: Andi Huber Tested-by: Marlon de Boer Signed-off-by: Jonathan Nieder Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 673de951a6cbaa7a9c4518e03e78b88809828497 Author: Olivier Grenie Date: Tue May 3 12:27:33 2011 -0300 DiBxxxx: get rid of DMA buffer on stack commit 5a0deeed5741117ee8625d6305d0034e219f102c upstream. This patch removes the remaining on-stack buffer for USB DMA transfer. This patch also reduces the stack memory usage. Cc: Florian Mickler Signed-off-by: Olivier Grenie Signed-off-by: Patrick Boettcher Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c98650d51417a7535746e2c9a4883380fb09bd02 Author: Alan Stern Date: Tue May 17 17:27:12 2011 -0400 USB: remove remaining usages of hcd->state from usbcore and fix regression commit 69fff59de4d844f8b4c2454c3c23d32b69dcbfd7 upstream. This patch (as1467) removes the last usages of hcd->state from usbcore. We no longer check to see if an interrupt handler finds that a controller has died; instead we rely on host controller drivers to make an explicit call to usb_hc_died(). This fixes a regression introduced by commit 9b37596a2e860404503a3f2a6513db60c296bfdc (USB: move usbcore away from hcd->state). It used to be that when a controller shared an IRQ with another device and an interrupt arrived while hcd->state was set to HC_STATE_HALT, the interrupt handler would be skipped. The commit removed that test; as a result the current code doesn't skip calling the handler and ends up believing the controller has died, even though it's only temporarily stopped. The solution is to ignore HC_STATE_HALT following the handler's return. As a consequence of this change, several of the host controller drivers need to be modified. They can no longer implicitly rely on usbcore realizing that a controller has died because of hcd->state. The patch adds calls to usb_hc_died() in the appropriate places. The patch also changes a few of the interrupt handlers. They don't expect to be called when hcd->state is equal to HC_STATE_HALT, even if the controller is still alive. Early returns were added to avoid any confusion. Signed-off-by: Alan Stern Tested-by: Manuel Lauss CC: Rodolfo Giometti CC: Olav Kongas Signed-off-by: Greg Kroah-Hartman commit 69d8d8fd0dabc5357f5ec91046bc1bd9011012b6 Author: Alan Stern Date: Mon May 16 12:15:19 2011 -0400 OHCI: fix regression caused by nVidia shutdown workaround commit 2b7aaf503d56216b847c8265421d2a7d9b42df3e upstream. This patch (as1463) fixes a regression caused by commit 3df7169e73fc1d71a39cffeacc969f6840cdf52b (OHCI: work around for nVidia shutdown problem). The original problem encountered by people using NVIDIA chipsets was that USB devices were not turning off when the system shut down. For example, the LED on an optical mouse would remain on, draining a laptop's battery. The problem was caused by a bug in the chipset; an OHCI controller in the Reset state would continue to drive a bus reset signal even after system shutdown. The workaround was to put the controllers into the Suspend state instead. It turns out that later NVIDIA chipsets do not suffer from this bug. Instead some have the opposite bug: If a system is shut down while an OHCI controller is in the Suspend state, USB devices remain powered! On other systems, shutting down with a Suspended controller causes the system to reboot immediately. Thus, working around the original bug on some machines exposes other bugs on other machines. The best solution seems to be to limit the workaround to OHCI controllers with a low-numbered PCI product ID. I don't know exactly at what point NVIDIA changed their chipsets; the value used here is a guess. So far it was worked out okay for all the people who have tested it. This fixes Bugzilla #35032. Signed-off-by: Alan Stern Tested-by: Andre "Osku" Schmidt Tested-by: Yury Siamashka Signed-off-by: Greg Kroah-Hartman commit 7808101fa826f276ac709b6386e74d3021b788ce Author: Marcin Gałczyński Date: Sun May 15 11:41:54 2011 +0200 USB: option: add support for Huawei E353 device commit 610ba42f29c3dfa46a05ff8c2cadc29f544ff76d upstream. I am sharing patch to the devices/usb/serial/option.c. This allows operation of Huawei E353 broadband modem using the “option” driver. The patch simply adds new constant with proper product ID and an entry to usb_device_id. I worked on the 2.6.38.6 sources. Tested on Dell inspiron 1764 (i3 core cpu) and brand new Huawei E353 modem, Fedora 15 beta. Looking at the type of change, i doubt it has potential to introduce problems in other parts of kernel or the driver itself. Signed-off-by: Marcin Galczynski Signed-off-by: Greg Kroah-Hartman commit f3b357fe2ce2d26501f60361e2d5410de99d09d6 Author: Sarah Sharp Date: Thu May 12 18:06:37 2011 -0700 xhci: Fix memory leak bug when dropping endpoints commit 834cb0fc4712a3b21c6b8c5cb55bd13607191311 upstream. When the USB core wants to change to an alternate interface setting that doesn't include an active endpoint, or de-configuring the device, the xHCI driver needs to issue a Configure Endpoint command to tell the host to drop some endpoints from the schedule. After the command completes, the xHCI driver needs to free rings for any endpoints that were dropped. Unfortunately, the xHCI driver wasn't actually freeing the endpoint rings for dropped endpoints. The rings would be freed if the endpoint's information was simply changed (and a new ring was installed), but dropped endpoints never had their rings freed. This caused errors when the ring segment DMA pool was freed when the xHCI driver was unloaded: [ 5582.883995] xhci_hcd 0000:06:00.0: dma_pool_destroy xHCI ring segments, ffff88003371d000 busy [ 5582.884002] xhci_hcd 0000:06:00.0: dma_pool_destroy xHCI ring segments, ffff880033716000 busy [ 5582.884011] xhci_hcd 0000:06:00.0: dma_pool_destroy xHCI ring segments, ffff880033455000 busy [ 5582.884018] xhci_hcd 0000:06:00.0: Freed segment pool [ 5582.884026] xhci_hcd 0000:06:00.0: Freed device context pool [ 5582.884033] xhci_hcd 0000:06:00.0: Freed small stream array pool [ 5582.884038] xhci_hcd 0000:06:00.0: Freed medium stream array pool [ 5582.884048] xhci_hcd 0000:06:00.0: xhci_stop completed - status = 1 [ 5582.884061] xhci_hcd 0000:06:00.0: USB bus 3 deregistered [ 5582.884193] xhci_hcd 0000:06:00.0: PCI INT A disabled Fix this issue and free endpoint rings when their endpoints are successfully dropped. This patch should be backported to kernels as old as 2.6.31. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 25afe6356878eef126a1957537ba32e0ca570bee Author: Sarah Sharp Date: Mon May 16 13:09:08 2011 -0700 xhci: Fix memory leak in ring cache deallocation. commit 30f89ca021c3e584b61bc5a14eede89f74b2e826 upstream. When an endpoint ring is freed, it is either cached in a per-device ring cache, or simply freed if the ring cache is full. If the ring was added to the cache, then virt_dev->num_rings_cached is incremented. The cache is designed to hold up to 31 endpoint rings, in array indexes 0 to 30. When the device is freed (when the slot was disabled), xhci_free_virt_device() is called, it would free the cached rings in array indexes 0 to virt_dev->num_rings_cached. Unfortunately, the original code in xhci_free_or_cache_endpoint_ring() would put the first entry into the ring cache in array index 1, instead of array index 0. This was caused by the second assignment to rings_cached: rings_cached = virt_dev->num_rings_cached; if (rings_cached < XHCI_MAX_RINGS_CACHED) { virt_dev->num_rings_cached++; rings_cached = virt_dev->num_rings_cached; virt_dev->ring_cache[rings_cached] = virt_dev->eps[ep_index].ring; This meant that when the device was freed, cached rings with indexes 0 to N would be freed, and the last cached ring in index N+1 would not be freed. When the driver was unloaded, this caused interesting messages like: xhci_hcd 0000:06:00.0: dma_pool_destroy xHCI ring segments, ffff880063040000 busy This should be queued to stable kernels back to 2.6.33. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 3a88301797a457d61cdb05754dd0f8cf05a61c60 Author: Sarah Sharp Date: Fri May 13 13:10:01 2011 -0700 xhci: Fix full speed bInterval encoding. commit b513d44751bfb609a3c20463f764c8ce822d63e9 upstream. Dmitry's patch dfa49c4ad120a784ef1ff0717168aa79f55a483a USB: xhci - fix math in xhci_get_endpoint_interval() introduced a bug. The USB 2.0 spec says that full speed isochronous endpoints' bInterval must be decoded as an exponent to a power of two (e.g. interval = 2^(bInterval - 1)). Full speed interrupt endpoints, on the other hand, don't use exponents, and the interval in frames is encoded straight into bInterval. Dmitry's patch was supposed to fix up the full speed isochronous to parse bInterval as an exponent, but instead it changed the *interrupt* endpoint bInterval decoding. The isochronous endpoint encoding was the same. This caused full speed devices with interrupt endpoints (including mice, hubs, and USB to ethernet devices) to fail under NEC 0.96 xHCI host controllers: [ 100.909818] xhci_hcd 0000:06:00.0: add ep 0x83, slot id 1, new drop flags = 0x0, new add flags = 0x99, new slot info = 0x38100000 [ 100.909821] xhci_hcd 0000:06:00.0: xhci_check_bandwidth called for udev ffff88011f0ea000 ... [ 100.910187] xhci_hcd 0000:06:00.0: ERROR: unexpected command completion code 0x11. [ 100.910190] xhci_hcd 0000:06:00.0: xhci_reset_bandwidth called for udev ffff88011f0ea000 When the interrupt endpoint was added and a Configure Endpoint command was issued to the host, the host controller would return a very odd error message (0x11 means "Slot Not Enabled", which isn't true because the slot was enabled). Probably the host controller was getting very confused with the bad encoding. Signed-off-by: Sarah Sharp Cc: Dmitry Torokhov Reported-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Greg Kroah-Hartman commit 4cb5ddcc9b8d2f5714f608924726d3076c7c212b Author: Felipe Balbi Date: Fri May 13 16:53:48 2011 +0300 usb: gadget: rndis: don't test against req->length commit 472b91274a6c6857877b5caddb875dcb5ecdfcb8 upstream. composite.c always sets req->length to zero and expects function driver's setup handlers to return the amount of bytes to be used on req->length. If we test against req->length w_length will always be greater than req->length thus making us always stall that particular SEND_ENCAPSULATED_COMMAND request. Tested against a Windows XP SP3. Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 0e3d8df94196537be5998c7aa36827fe2dac6a2f Author: Jean-Christophe PLAGNIOL-VILLARD Date: Fri May 13 17:03:02 2011 +0200 usb/gadget: at91sam9g20 fix end point max packet size commit bf1f0a05d472e33dda8e5e69525be1584cdbd03a upstream. on 9g20 they are the same as the 9260 Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD Acked-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit 7d980c323625ee2b5f556f8056dbe0f059e4b231 Author: Sarah Sharp Date: Thu May 5 19:08:09 2011 -0700 xhci: Fix bug in control transfer cancellation. commit 3abeca998a44205cfd837fa0bf1f7c24f8294acb upstream. When the xHCI driver attempts to cancel a transfer, it issues a Stop Endpoint command and waits for the host controller to indicate which TRB it was in the middle of processing. The host will put an event TRB with completion code COMP_STOP on the event ring if it stops on a control transfer TRB (or other types of transfer TRBs). The ring handling code is supposed to set ep->stopped_trb to the TRB that the host stopped on when this happens. Unfortunately, there is a long-standing bug in the control transfer completion code. It doesn't actually check to see if COMP_STOP is set before attempting to process the transfer based on which part of the control TD completed. So when we get an event on the data phase of the control TRB with COMP_STOP set, it thinks it's a normal completion of the transfer and doesn't set ep->stopped_td or ep->stopped_trb. When the ring handling code goes on to process the completion of the Stop Endpoint command, it sees that ep->stopped_trb is not a part of the TD it's trying to cancel. It thinks the hardware has its enqueue pointer somewhere further up in the ring, and thinks it's safe to turn the control TRBs into no-op TRBs. Since the hardware was in the middle of the control TRBs to be cancelled, the proper software behavior is to issue a Set TR dequeue pointer command. It turns out that the NEC host controllers can handle active TRBs being set to no-op TRBs after a stop endpoint command, but other host controllers have issues with this out-of-spec software behavior. Fix this behavior. This patch should be backported to kernels as far back as 2.6.31, but it may be a bit challenging, since process_ctrl_td() was introduced in some refactoring done in 2.6.36, and some endian-safe patches added in 2.6.40 that touch the same lines. Signed-off-by: Sarah Sharp Cc: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 20a5c175ee2efee6a4e7410dc567ec2343e1933f Author: Erik Slagter Date: Wed May 11 12:06:55 2011 +0200 USB: cdc_acm: Fix oops when Droids MuIn LCD is connected commit fd5054c169d29747a44b4e1419ff47f57ae82dbc upstream. The Droids MuIn LCD operates like a serial remote terminal. Data received are displayed directly on the LCD. This patch fixes the kernel null pointer oops when it is plugged in. Add NO_DATA_INTERFACE quirk to tell the driver that "control" and "data" interfaces are not separated for this device, which prevents dereferencing a null pointer in the device probe code. Signed-off-by: Erik Slagter Signed-off-by: Maxin B. John Tested-by: Erik Slagter Signed-off-by: Greg Kroah-Hartman commit 9ca086461a130c0733b910fadb8de678018e717d Author: Marius B. Kotsbak Date: Mon Mar 21 23:27:21 2011 +0100 Bind only modem AT command endpoint to option module. commit 15b2f3204a5c878c32939094775fb7349f707263 upstream. Network interface is handled by upcoming gt_b3730 module. Removed "GT-B3710" from comment, it is another modem with another USB ID. Signed-off-by: Marius B. Kotsbak Signed-off-by: Greg Kroah-Hartman commit 26405736b2c4b993ad912c65220cf4328e8af0cf Author: Hermann Kneissel Date: Fri Apr 29 08:58:43 2011 +0200 USB: gamin_gps: Fix for data transfer problems in native mode commit b4026c4584cd70858d4d3450abfb1cd0714d4f32 upstream. This patch fixes a problem where data received from the gps is sometimes transferred incompletely to the serial port. If used in native mode now all data received via the bulk queue will be forwarded to the serial port. Signed-off-by: Hermann Kneissel Signed-off-by: Greg Kroah-Hartman commit bbe69212aa5b7b2e9e06b3c03a4387d4489cfb76 Author: Michal Nazarewicz Date: Tue Apr 26 19:08:36 2011 +0200 USB: gadget: g_multi: fixed vendor and product ID in inf files commit 7701846fd52f86dffe50715e0e63154088b7c982 upstream. Commit 1c6529e92b "USB: gadget: g_multi: fixed vendor and product ID" replaced g_multi's vendor and product ID with proper ID's from Linux Foundation. This commit now updates INF files in the Documentation/usb directory which were omitted in the original commit. Signed-off-by: Michal Nazarewicz Signed-off-by: Greg Kroah-Hartman commit 428eb700f6f94c7222e80000d0d1b95942e6e860 Author: Benedek László Date: Wed Apr 20 03:22:21 2011 +0200 USB: serial: ftdi_sio: adding support for TavIR STK500 commit 37909fe588c9e09ab57cd267e98678a17ceda64a upstream. Adding support for the TavIR STK500 (id 0403:FA33) Atmel AVR programmer device based on FTDI FT232RL. Signed-off-by: Benedek László Signed-off-by: Greg Kroah-Hartman commit a085e0068aec5489c3a07f3405c48e60e579a61b Author: Elizabeth Jennifer Myers Date: Sat Apr 16 14:49:51 2011 -0400 USB: moto_modem: Add USB identifier for the Motorola VE240. commit 3938a0b32dc12229e76735679b37095bc2bc1578 upstream. Tested on my phone, the ttyUSB device is created and is fully functional. Signed-off-by: Elizabeth Jennifer Myers Signed-off-by: Greg Kroah-Hartman commit c8809bff71a493e7951cddac5d65cb66ea5a7d46 Author: Craig Shelley Date: Sun Mar 20 13:51:13 2011 +0000 USB: CP210x Add 4 Device IDs for AC-Services Devices commit 4eff0b40a7174896b860312910e0db51f2dcc567 upstream. This patch adds 4 device IDs for CP2102 based devices manufactured by AC-Services. See http://www.ac-services.eu for further info. Signed-off-by: Craig Shelley Signed-off-by: Greg Kroah-Hartman commit ae1b0404f221396bda01b06865d2785fcae65603 Author: Vikram Narayanan Date: Tue May 24 20:58:48 2011 +0200 i2c/writing-clients: Fix foo_driver.id_table commit 3116c86033079a1d4d4e84c40028f96b614843b8 upstream. The i2c_device_id structure variable's name is not used in the i2c_driver structure. Signed-off-by: Vikram Narayanan Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 2beb758f2dc6ccc4ab6b8aee00891ef52bc58606 Author: Kenneth Waters Date: Mon Apr 25 12:29:54 2011 -0600 i2c: tegra: Enable new slave mode. commit 65a1a0ace554d61ea5a90377a54df1505275c1b1 upstream. For Tegra i2c controller to function properly new slave mode must be enabled. swarren notes: In particular, I found this was needed when working on enabling the Tegra audio driver on the Seaboard board. There are two different PCB layouts for this board; a "clamshell" version, which works just fine without this change, and the original non-clamshell version, which needs this change in order for I2C to operate correctly. Without it, I2C probing fails for some devices, e.g. with: wm8903 0-001a: Device with ID register 0 is not a WM8903 wm8903 0-001a: asoc: failed to probe CODEC wm8903.0-001a: -19 asoc: failed to instantiate card tegra-wm8903: -19 ALSA device list: No soundcards found. Signed-off-by: Rakesh Iyer Signed-off-by: Stephen Warren Signed-off-by: Ben Dooks Signed-off-by: Greg Kroah-Hartman commit 76575b1770af39c3583242c3d22fa012603c1223 Author: Namhyung Kim Date: Tue May 24 16:48:55 2011 +0200 loop: handle on-demand devices correctly commit a1c15c59feee36267c43142a41152fbf7402afb6 upstream. When finding or allocating a loop device, loop_probe() did not take partition numbers into account so that it can result to a different device. Consider following example: $ sudo modprobe loop max_part=15 $ ls -l /dev/loop* brw-rw---- 1 root disk 7, 0 2011-05-24 22:16 /dev/loop0 brw-rw---- 1 root disk 7, 16 2011-05-24 22:16 /dev/loop1 brw-rw---- 1 root disk 7, 32 2011-05-24 22:16 /dev/loop2 brw-rw---- 1 root disk 7, 48 2011-05-24 22:16 /dev/loop3 brw-rw---- 1 root disk 7, 64 2011-05-24 22:16 /dev/loop4 brw-rw---- 1 root disk 7, 80 2011-05-24 22:16 /dev/loop5 brw-rw---- 1 root disk 7, 96 2011-05-24 22:16 /dev/loop6 brw-rw---- 1 root disk 7, 112 2011-05-24 22:16 /dev/loop7 $ sudo mknod /dev/loop8 b 7 128 $ sudo losetup /dev/loop8 ~/temp/disk-with-3-parts.img $ sudo losetup -a /dev/loop128: [0805]:278201 (/home/namhyung/temp/disk-with-3-parts.img) $ ls -l /dev/loop* brw-rw---- 1 root disk 7, 0 2011-05-24 22:16 /dev/loop0 brw-rw---- 1 root disk 7, 16 2011-05-24 22:16 /dev/loop1 brw-rw---- 1 root disk 7, 2048 2011-05-24 22:18 /dev/loop128 brw-rw---- 1 root disk 7, 2049 2011-05-24 22:18 /dev/loop128p1 brw-rw---- 1 root disk 7, 2050 2011-05-24 22:18 /dev/loop128p2 brw-rw---- 1 root disk 7, 2051 2011-05-24 22:18 /dev/loop128p3 brw-rw---- 1 root disk 7, 32 2011-05-24 22:16 /dev/loop2 brw-rw---- 1 root disk 7, 48 2011-05-24 22:16 /dev/loop3 brw-rw---- 1 root disk 7, 64 2011-05-24 22:16 /dev/loop4 brw-rw---- 1 root disk 7, 80 2011-05-24 22:16 /dev/loop5 brw-rw---- 1 root disk 7, 96 2011-05-24 22:16 /dev/loop6 brw-rw---- 1 root disk 7, 112 2011-05-24 22:16 /dev/loop7 brw-r--r-- 1 root root 7, 128 2011-05-24 22:17 /dev/loop8 After this patch, /dev/loop8 - instead of /dev/loop128 - was accessed correctly. In addition, 'range' passed to blk_register_region() should include all range of dev_t that LOOP_MAJOR can address. It does not need to be limited by partition numbers unless 'max_loop' param was specified. Signed-off-by: Namhyung Kim Cc: Laurent Vivier Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 95f49bfc1c873713762561e2087de910e8824760 Author: Namhyung Kim Date: Tue May 24 16:48:54 2011 +0200 loop: limit 'max_part' module param to DISK_MAX_PARTS commit 78f4bb367fd147a0e7e3998ba6e47109999d8814 upstream. The 'max_part' parameter controls the number of maximum partition a loop block device can have. However if a user specifies very large value it would exceed the limitation of device minor number and can cause a kernel panic (or, at least, produce invalid device nodes in some cases). On my desktop system, following command kills the kernel. On qemu, it triggers similar oops but the kernel was alive: $ sudo modprobe loop max_part0000 ------------[ cut here ]------------ kernel BUG at /media/Linux_Data/project/linux/fs/sysfs/group.c:65! invalid opcode: 0000 [#1] SMP last sysfs file: CPU 0 Modules linked in: loop(+) Pid: 43, comm: insmod Tainted: G W 2.6.39-qemu+ #155 Bochs Bochs RIP: 0010:[] [] internal_create_group= +0x2a/0x170 RSP: 0018:ffff880007b3fde8 EFLAGS: 00000246 RAX: 00000000ffffffef RBX: ffff880007b3d878 RCX: 00000000000007b4 RDX: ffffffff8152da50 RSI: 0000000000000000 RDI: ffff880007b3d878 RBP: ffff880007b3fe38 R08: ffff880007b3fde8 R09: 0000000000000000 R10: ffff88000783b4a8 R11: ffff880007b3d878 R12: ffffffff8152da50 R13: ffff880007b3d868 R14: 0000000000000000 R15: ffff880007b3d800 FS: 0000000002137880(0063) GS:ffff880007c00000(0000) knlGS:00000000000000= 00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000422680 CR3: 0000000007b50000 CR4: 00000000000006b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000 Process insmod (pid: 43, threadinfo ffff880007b3e000, task ffff880007afb9c= 0) Stack: ffff880007b3fe58 ffffffff811e66dd ffff880007b3fe58 ffffffff811e570b 0000000000000010 ffff880007b3d800 ffff880007a7b390 ffff880007b3d868 0000000000400920 ffff880007b3d800 ffff880007b3fe48 ffffffff8113cfc8 Call Trace: [] ? device_add+0x4bc/0x5af [] ? dev_set_name+0x3c/0x3e [] sysfs_create_group+0xe/0x12 [] blk_trace_init_sysfs+0x14/0x16 [] blk_register_queue+0x47/0xf7 [] add_disk+0xdf/0x290 [] loop_init+0xeb/0x1b8 [loop] [] ? 0xffffffffa0005fff [] do_one_initcall+0x7a/0x12e [] sys_init_module+0x9c/0x1e0 [] system_call_fastpath+0x16/0x1b Code: c3 55 48 89 e5 41 57 41 56 41 89 f6 41 55 41 54 49 89 d4 53 48 89 fb= 48 83 ec 28 48 85 ff 74 0b 85 f6 75 0b 48 83 7f 30 00 75 14 <0f> 0b eb fe = 48 83 7f 30 00 b9 ea ff ff ff 0f 84 18 01 00 00 49 RIP [] internal_create_group+0x2a/0x170 RSP ---[ end trace a123eb592043acad ]--- Signed-off-by: Namhyung Kim Cc: Laurent Vivier Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit bc50c5751c34128e0cbc30e7f5ea990bd1199429 Author: Andrew Barry Date: Tue May 24 17:12:52 2011 -0700 mm/page_alloc.c: prevent unending loop in __alloc_pages_slowpath() commit cfa54a0fcfc1017c6f122b6f21aaba36daa07f71 upstream. I believe I found a problem in __alloc_pages_slowpath, which allows a process to get stuck endlessly looping, even when lots of memory is available. Running an I/O and memory intensive stress-test I see a 0-order page allocation with __GFP_IO and __GFP_WAIT, running on a system with very little free memory. Right about the same time that the stress-test gets killed by the OOM-killer, the utility trying to allocate memory gets stuck in __alloc_pages_slowpath even though most of the systems memory was freed by the oom-kill of the stress-test. The utility ends up looping from the rebalance label down through the wait_iff_congested continiously. Because order=0, __alloc_pages_direct_compact skips the call to get_page_from_freelist. Because all of the reclaimable memory on the system has already been reclaimed, __alloc_pages_direct_reclaim skips the call to get_page_from_freelist. Since there is no __GFP_FS flag, the block with __alloc_pages_may_oom is skipped. The loop hits the wait_iff_congested, then jumps back to rebalance without ever trying to get_page_from_freelist. This loop repeats infinitely. The test case is pretty pathological. Running a mix of I/O stress-tests that do a lot of fork() and consume all of the system memory, I can pretty reliably hit this on 600 nodes, in about 12 hours. 32GB/node. Signed-off-by: Andrew Barry Signed-off-by: Minchan Kim Reviewed-by: Rik van Riel Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a5ccaac64c17ce3cc1878a6d479a6f1b16092c24 Author: Jiri Kosina Date: Thu May 19 17:58:07 2011 +0200 HID: magicmouse: ignore 'ivalid report id' while switching modes commit 23746a66d7d9e73402c68ef00d708796b97ebd72 upstream. The device reponds with 'invalid report id' when feature report switching it into multitouch mode is sent to it. This has been silently ignored before 0825411ade ("HID: bt: Wait for ACK on Sent Reports"), but since this commit, it propagates -EIO from the _raw callback . So let the driver ignore -EIO as response to 0xd7,0x01 report, as that's how the device reacts in normal mode. Sad, but following reality. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=35022 Tested-by: Chase Douglas Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit a7ceecdbb6c3cc4368be3f4f3032dc5fb52b6308 Author: Daniel Mack Date: Tue May 24 14:10:32 2011 +0200 ASoC: fix raumfeld platform commit 477a66948ef8683f182682cc68e8520baf8a5b43 upstream. Commit f0fba2ad (ASoC: multi-component - ASoC Multi-Component Support) broke support for Raumfeld platforms as it didn't take into account the different hardware features on individual devices. In particular, Raumfeld speakers have no S/PDIF output, so the members of the snd_soc_card struct must be set dynamically. Signed-off-by: Daniel Mack Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4d0d9331bb845057b558abaa83b244c12ddc606a Author: Mark Brown Date: Sun May 15 12:18:38 2011 -0700 ASoC: Add some missing volume update bit sets for wm_hubs devices commit fb5af53d421d80725172427e9076f6e889603df6 upstream. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 7b8fd7f7dfc4a1ecc1d60325520283a4dd244e10 Author: Mark Brown Date: Sat May 14 17:21:28 2011 -0700 ASoC: Ensure output PGA is enabled for line outputs in wm_hubs commit d0b48af6c2b887354d0893e598d92911ce52620e upstream. Also fix a left/right typo while we're at it. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 3ad8305aab787b2acc690a6e756e9fb594ab0c27 Author: Takashi Iwai Date: Fri May 20 16:29:09 2011 +0200 ALSA: hda - Use LPIB for ATI/AMD chipsets as default commit 50e3bbf9898840eead86f90a43b3625a2b2f4112 upstream. ATI and AMD chipsets seem not providing the proper position-buffer information, and it also doesn't provide FIFO register required by VIACOMBO fix. It's better to use LPIB for these. Reported-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit eff306d801588164b2763139ff98d57c3ba862aa Author: Adrian Wilkins Date: Thu May 19 21:52:38 2011 +0100 ALSA: hda - Fix input-src parse in patch_analog.c commit 5a2d227fdc7a02ed1b4cebba391d8fb9ad57caaf upstream. Compare pin type enum to the pin type and not the array index. Fixes bug#0005368. Signed-off-by: Adrian Wilkins Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1cb49cb8e35eaa4a1721ddad5ba0206ae6631db8 Author: David Henningsson Date: Mon May 23 08:26:16 2011 +0200 ALSA: HDA: Add quirk for Lenovo U350 commit d2859fd49200f1f3efd8acdb54b6d51d3ab82302 upstream. Add model=asus quirk for Lenovo Ideapad U350 to make internal mic work correctly. BugLink: http://bugs.launchpad.net/bugs/751681 Reported-by: Kent Baxley Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bdf305efb9acb9acdbb2d4ebebfc0d4f6285a771 Author: David Henningsson Date: Mon May 16 12:09:29 2011 +0200 ALSA: HDA: Use one dmic only for Dell Studio 1558 commit e033ebfb399227e01686260ac271029011bc6b47 upstream. There are no signs of a dmic at node 0x0b, so the user is left with an additional internal mic which does not exist. This commit removes that non-existing mic. BugLink: http://bugs.launchpad.net/bugs/731706 Reported-by: James Page Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 440316e6310c2ce372e32d12c83ccc8ddcfb5028 Author: Christoph Lameter Date: Mon May 16 15:26:08 2011 -0500 slub: Make CONFIG_DEBUG_PAGE_ALLOC work with new fastpath commit 1393d9a1857471f816d0be1ccc1d6433a86050f6 upstream. Fastpath can do a speculative access to a page that CONFIG_DEBUG_PAGE_ALLOC may have marked as invalid to retrieve the pointer to the next free object. Use probe_kernel_read in that case in order not to cause a page fault. Reported-by: Eric Dumazet Signed-off-by: Christoph Lameter Signed-off-by: Eric Dumazet Signed-off-by: Pekka Enberg Signed-off-by: Greg Kroah-Hartman commit 22d82c7586eb492067805dd781f84f5a94133357 Author: Minchan Kim Date: Tue May 24 17:11:11 2011 -0700 mm: vmscan: correctly check if reclaimer should schedule during shrink_slab commit f06590bd718ed950c98828e30ef93204028f3210 upstream. It has been reported on some laptops that kswapd is consuming large amounts of CPU and not being scheduled when SLUB is enabled during large amounts of file copying. It is expected that this is due to kswapd missing every cond_resched() point because; shrink_page_list() calls cond_resched() if inactive pages were isolated which in turn may not happen if all_unreclaimable is set in shrink_zones(). If for whatver reason, all_unreclaimable is set on all zones, we can miss calling cond_resched(). balance_pgdat() only calls cond_resched if the zones are not balanced. For a high-order allocation that is balanced, it checks order-0 again. During that window, order-0 might have become unbalanced so it loops again for order-0 and returns that it was reclaiming for order-0 to kswapd(). It can then find that a caller has rewoken kswapd for a high-order and re-enters balance_pgdat() without ever calling cond_resched(). shrink_slab only calls cond_resched() if we are reclaiming slab pages. If there are a large number of direct reclaimers, the shrinker_rwsem can be contended and prevent kswapd calling cond_resched(). This patch modifies the shrink_slab() case. If the semaphore is contended, the caller will still check cond_resched(). After each successful call into a shrinker, the check for cond_resched() remains in case one shrinker is particularly slow. [mgorman@suse.de: preserve call to cond_resched after each call into shrinker] Signed-off-by: Mel Gorman Signed-off-by: Minchan Kim Cc: Rik van Riel Cc: Johannes Weiner Cc: Wu Fengguang Cc: James Bottomley Tested-by: Colin King Cc: Raghavendra D Prabhu Cc: Jan Kara Cc: Chris Mason Cc: Christoph Lameter Cc: Pekka Enberg Cc: Rik van Riel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 75cd1e8f7b2737a8bb2f1817f23e83135579569f Author: Johannes Weiner Date: Tue May 24 17:11:09 2011 -0700 mm: vmscan: correct use of pgdat_balanced in sleeping_prematurely commit afc7e326a3f5bafc41324d7926c324414e343ee5 upstream. There are a few reports of people experiencing hangs when copying large amounts of data with kswapd using a large amount of CPU which appear to be due to recent reclaim changes. SLUB using high orders is the trigger but not the root cause as SLUB has been using high orders for a while. The root cause was bugs introduced into reclaim which are addressed by the following two patches. Patch 1 corrects logic introduced by commit 1741c877 ("mm: kswapd: keep kswapd awake for high-order allocations until a percentage of the node is balanced") to allow kswapd to go to sleep when balanced for high orders. Patch 2 notes that it is possible for kswapd to miss every cond_resched() and updates shrink_slab() so it'll at least reach that scheduling point. Chris Wood reports that these two patches in isolation are sufficient to prevent the system hanging. AFAIK, they should also resolve similar hangs experienced by James Bottomley. This patch: Johannes Weiner poined out that the logic in commit 1741c877 ("mm: kswapd: keep kswapd awake for high-order allocations until a percentage of the node is balanced") is backwards. Instead of allowing kswapd to go to sleep when balancing for high order allocations, it keeps it kswapd running uselessly. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Signed-off-by: Johannes Weiner Reviewed-by: Wu Fengguang Cc: James Bottomley Tested-by: Colin King Cc: Raghavendra D Prabhu Cc: Jan Kara Cc: Chris Mason Cc: Christoph Lameter Cc: Pekka Enberg Cc: Rik van Riel Reviewed-by: Minchan Kim Reviewed-by: Wu Fengguang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a6b2de6dae30c9565999760b91d1c22f77613c9d Author: NeilBrown Date: Wed May 11 14:26:30 2011 +1000 md/bitmap: fix saving of events_cleared and other state. commit 8258c53208d7a9b7207e7d4dae36d2ea384cb278 upstream. If a bitmap is found to be 'stale' the events_cleared value is set to match 'events'. However if the array is degraded this does not get stored on disk. This can subsequently lead to incorrect behaviour. So change bitmap_update_sb to always update events_cleared in the superblock from the known events_cleared. For neatness also set ->state from ->flags. This requires updating ->state whenever we update ->flags, which makes sense anyway. This is suitable for any active -stable release. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 37c90a7e80f988b23618db27e3b06ba4c6ea1eab Author: NeilBrown Date: Tue May 10 17:49:01 2011 +1000 md: Fix race when creating a new md device. commit b0140891a8cea36469f58d23859e599b1122bd37 upstream. There is a race when creating an md device by opening /dev/mdXX. If two processes do this at much the same time they will follow the call path __blkdev_get -> get_gendisk -> kobj_lookup The first will call -> md_probe -> md_alloc -> add_disk -> blk_register_region and the race happens when the second gets to kobj_lookup after add_disk has called blk_register_region but before it returns to md_alloc. In the case the second will not call md_probe (as the probe is already done) but will get a handle on the gendisk, return to __blkdev_get which will then call md_open (via the ->open) pointer. As mddev->gendisk hasn't been set yet, md_open will think something is wrong an return with ERESTARTSYS. This can loop endlessly while the first thread makes no progress through add_disk. Nothing is blocking it, but due to scheduler behaviour it doesn't get a turn. So this is essentially a live-lock. We fix this by simply moving the assignment to mddev->gendisk before the call the add_disk() so md_open doesn't get confused. Also move blk_queue_flush earlier because add_disk should be as late as possible. To make sure that md_open doesn't complete until md_alloc has done all that is needed, we take mddev->open_mutex during the last part of md_alloc. md_open will wait for this. This can cause a lock-up on boot so Cc:ing for stable. For 2.6.36 and earlier a different patch will be needed as the 'blk_queue_flush' call isn't there. Signed-off-by: NeilBrown Reported-by: Thomas Jarosch Tested-by: Thomas Jarosch Signed-off-by: Greg Kroah-Hartman commit 395b93001142c32243d471c391c319f9bbe91dae Author: Milton Miller Date: Thu May 12 04:13:54 2011 -0500 seqlock: Don't smp_rmb in seqlock reader spin loop commit 5db1256a5131d3b133946fa02ac9770a784e6eb2 upstream. Move the smp_rmb after cpu_relax loop in read_seqlock and add ACCESS_ONCE to make sure the test and return are consistent. A multi-threaded core in the lab didn't like the update from 2.6.35 to 2.6.36, to the point it would hang during boot when multiple threads were active. Bisection showed af5ab277ded04bd9bc6b048c5a2f0e7d70ef0867 (clockevents: Remove the per cpu tick skew) as the culprit and it is supported with stack traces showing xtime_lock waits including tick_do_update_jiffies64 and/or update_vsyscall. Experimentation showed the combination of cpu_relax and smp_rmb was significantly slowing the progress of other threads sharing the core, and this patch is effective in avoiding the hang. A theory is the rmb is affecting the whole core while the cpu_relax is causing a resource rebalance flush, together they cause an interfernce cadance that is unbroken when the seqlock reader has interrupts disabled. At first I was confused why the refactor in 3c22cd5709e8143444a6d08682a87f4c57902df3 (kernel: optimise seqlock) didn't affect this patch application, but after some study that affected seqcount not seqlock. The new seqcount was not factored back into the seqlock. I defer that the future. While the removal of the timer interrupt offset created contention for the xtime lock while a cpu does the additonal work to update the system clock, the seqlock implementation with the tight rmb spin loop goes back much further, and is just waiting for the right trigger. Signed-off-by: Milton Miller Cc: Cc: Linus Torvalds Cc: Andi Kleen Cc: Nick Piggin Cc: Benjamin Herrenschmidt Cc: Anton Blanchard Cc: Paul McKenney Acked-by: Eric Dumazet Link: http://lkml.kernel.org/r/%3Cseqlock-rmb%40mdm.bga.com%3E Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 4be113c2944089074e534bfd01ed0fa85f002587 Author: Timo Warns Date: Thu May 19 09:24:17 2011 +0200 Fix for buffer overflow in ldm_frag_add not sufficient commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream. As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) is not sufficient. The original patch in commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted partition table") does not consider that, for subsequent fragments, previously allocated memory is used. [1] http://lkml.org/lkml/2011/5/6/407 Reported-by: Ben Hutchings Signed-off-by: Timo Warns Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 02ca42f78e4cc3b41c8fecb9ad3a8f547db87a85 Author: Roland Vossen Date: Tue Apr 12 14:34:41 2011 +0200 staging: brcm80211: bugfix for div by zero in minstrel_ht_tx_status commit e9c661e08c2a6015c1b7cba1cecefa27a089df71 upstream. Caused by brcmsmac.ko suppling a 0 value to Mac80211. Mac80211 subsequently divides by this number. Bug only occurred on AMPDU traffic. This is a fix for https://bugzilla.kernel.org/show_bug.cgi?id=32032, titled 'Divide error in minstrel_ht_tx_status followed by hang', reported by Wouter Cloetens. Signed-off-by: Roland Vossen Reviewed-by: Arend van Spriel Signed-off-by: Greg Kroah-Hartman commit 9edb40ddd05b47703bb1b5757ba36e96c77d1fdd Author: Jeff Chua Date: Wed Apr 27 11:25:14 2011 -0500 staging: r8712u: Fix driver to support ad-hoc mode commit 62819fd9481021db7f87d5f61f2e2fd2be1dfcfa upstream. Driver r8712u is unable to handle ad-hoc mode. The issue is that when the driver first starts, there will not be an SSID for association. The fix is to always call the "select and join from scan" routine when in ad-hoc mode. Note: Ad-hoc mode worked intermittently before. If the driver had previously been associated, then things were OK. Signed-off-by: Jeff Chua Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit d13ae39a34fb711bf0add4bfd25e08b2f7aba104 Author: David Chang Date: Thu May 12 18:31:11 2011 +0800 staging: usbip: fix wrong endian conversion commit cacd18a8476ce145ca5dcd46dc5b75585fd1289c upstream. Fix number_of_packets wrong endian conversion in function correct_endian_ret_submit() Signed-off-by: David Chang Acked-by: Arjan Mels Signed-off-by: Greg Kroah-Hartman commit 4538148bcdc6a2a6fa642e24a7a2f73fd19be651 Author: Steve French Date: Thu May 26 18:38:54 2011 +0000 When mandatory encryption on share, fail mount commit 6848b7334b24b47aa3d0e70342ff839ffa95d5fa upstream. When mandatory encryption is configured in samba server on a share (smb.conf parameter "smb encrypt = mandatory") the server will hang up the tcp session when we try to send the first frame after the tree connect if it is not a QueryFSUnixInfo, this causes cifs mount to hang (it must be killed with ctl-c). Move the QueryFSUnixInfo call earlier in the mount sequence, and check whether the SetFSUnixInfo fails due to mandatory encryption so we can return a sensible error (EACCES) on mount. In a future patch (for 2.6.40) we will support mandatory encryption. Reviewed-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 83d325137dd93da7227b80a477c075f7cb1c0c54 Author: Frederic Weisbecker Date: Fri May 20 02:09:54 2011 +0200 rcu: Fix unpaired rcu_irq_enter() from locking selftests commit ba9f207c9f82115aba4ce04b22e0081af0ae300f upstream. HARDIRQ_ENTER() maps to irq_enter() which calls rcu_irq_enter(). But HARDIRQ_EXIT() maps to __irq_exit() which doesn't call rcu_irq_exit(). So for every locking selftest that simulates hardirq disabled, we create an imbalance in the rcu extended quiescent state internal state. As a result, after the first missing rcu_irq_exit(), subsequent irqs won't exit dyntick-idle mode after leaving the interrupt handler. This means that RCU won't see the affected CPU as being in an extended quiescent state, resulting in long grace-period delays (as in grace periods extending for hours). To fix this, just use __irq_enter() to simulate the hardirq context. This is sufficient for the locking selftests as we don't need to exit any extended quiescent state or perform any check that irqs normally do when they wake up from idle. As a side effect, this patch makes it possible to restore "rcu: Decrease memory-barrier usage based on semi-formal proof", which eventually helped finding this bug. Reported-and-tested-by: Yinghai Lu Signed-off-by: Frederic Weisbecker Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Peter Zijlstra Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 514c59e1338d437e820a3103e26315e4c503a45e Author: Robert Richter Date: Fri May 20 09:46:54 2011 +0200 oprofile, x86: Enable preemption during pci device setup in IBS init commit 3d2606f42984613d324ad3047cf503bcddc3880a upstream. IBS initialization is a mix of per-core register access and per-node pci device setup. Register access should be pinned to the cpu, but pci setup must run with preemption enabled. This patch better separates the code into non-/preemptible sections and fixes sleeping with preemption disabled. See bug message below. Fixes also freeing the eilvt entry by introducing put_eilvt(). BUG: sleeping function called from invalid context at mm/slub.c:824 in_atomic(): 1, irqs_disabled(): 0, pid: 32357, name: modprobe INFO: lockdep is turned off. Pid: 32357, comm: modprobe Not tainted 2.6.39-rc7+ #14 Call Trace: [] __might_sleep+0x112/0x117 [] kmem_cache_alloc_trace+0x4b/0xe7 [] kzalloc.constprop.0+0x29/0x2b [] pci_get_subsys+0x36/0x78 [] ? setup_APIC_eilvt+0xfb/0x139 [] pci_get_device+0x16/0x18 [] op_amd_init+0xd3/0x211 [oprofile] [] ? 0xffffffffa064cfff [] op_nmi_init+0x21e/0x26a [oprofile] [] oprofile_arch_init+0xe/0x26 [oprofile] [] oprofile_init+0x10/0x42 [oprofile] [] do_one_initcall+0x7f/0x13a [] sys_init_module+0x132/0x281 [] system_call_fastpath+0x16/0x1b Reported-by: Dave Jones Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit b2df62abeb1d07812c5e409ca8cde300f39b52d0 Author: Kees Cook Date: Tue May 24 16:29:26 2011 -0700 x86, cpufeature: Update CPU feature RDRND to RDRAND commit 7ccafc5f75c87853f3c49845d5a884f2376e03ce upstream. The Intel manual changed the name of the CPUID bit to match the instruction name. We should follow suit for sanity's sake. (See Intel SDM Volume 2, Table 3-20 "Feature Information Returned in the ECX Register".) [ hpa: we can only do this at this time because there are currently no CPUs with this feature on the market, hence this is pre-hardware enabling. However, Cc:'ing stable so that stable can present a consistent ABI. ] Signed-off-by: Kees Cook Link: http://lkml.kernel.org/r/20110524232926.GA27728@outflux.net Signed-off-by: H. Peter Anvin Cc: Fenghua Yu Signed-off-by: Greg Kroah-Hartman commit 0aed459e8487eb6ebdb4efe8cefe1eafbc704b30 Author: Matthew Garrett Date: Wed May 25 09:53:13 2011 -0400 x86, efi: Retain boot service code until after switching to virtual mode commit 916f676f8dc016103f983c7ec54c18ecdbb6e349 upstream. UEFI stands for "Unified Extensible Firmware Interface", where "Firmware" is an ancient African word meaning "Why do something right when you can do it so wrong that children will weep and brave adults will cower before you", and "UEI" is Celtic for "We missed DOS so we burned it into your ROMs". The UEFI specification provides for runtime services (ie, another way for the operating system to be forced to depend on the firmware) and we rely on these for certain trivial tasks such as setting up the bootloader. But some hardware fails to work if we attempt to use these runtime services from physical mode, and so we have to switch into virtual mode. So far so dreadful. The specification makes it clear that the operating system is free to do whatever it wants with boot services code after ExitBootServices() has been called. SetVirtualAddressMap() can't be called until ExitBootServices() has been. So, obviously, a whole bunch of EFI implementations call into boot services code when we do that. Since we've been charmingly naive and trusted that the specification may be somehow relevant to the real world, we've already stuffed a picture of a penguin or something in that address space. And just to make things more entertaining, we've also marked it non-executable. This patch allocates the boot services regions during EFI init and makes sure that they're executable. Then, after SetVirtualAddressMap(), it discards them and everyone lives happily ever after. Except for the ones who have to work on EFI, who live sad lives haunted by the knowledge that someone's eventually going to write yet another firmware specification. [ hpa: adding this to urgent with a stable tag since it fixes currently-broken hardware. However, I do not know what the dependencies are and so I do not know which -stable versions this may be a candidate for. ] Signed-off-by: Matthew Garrett Link: http://lkml.kernel.org/r/1306331593-28715-1-git-send-email-mjg@redhat.com Signed-off-by: H. Peter Anvin Cc: Tony Luck Signed-off-by: Greg Kroah-Hartman commit 7e0121f7eeec1c3bd688fd45f225ffd271dabd07 Author: Roedel, Joerg Date: Thu May 19 11:13:39 2011 +0200 x86, amd: Use _safe() msr access for GartTlbWlk disable code commit d47cc0db8fd6011de2248df505fc34990b7451bf upstream. The workaround for Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=33012 introduced a read and a write to the MC4 mask msr. Unfortunatly this MSR is not emulated by the KVM hypervisor so that the kernel will get a #GP and crashes when applying this workaround when running inside KVM. This issue was reported as: https://bugzilla.kernel.org/show_bug.cgi?id=35132 and is fixed with this patch. The change just let the kernel ignore any #GP it gets while accessing this MSR by using the _safe msr access methods. Reported-by: Török Edwin Signed-off-by: Joerg Roedel Cc: Rafael J. Wysocki Cc: Maciej Rutecki Cc: Avi Kivity Cc: Andrew Morton Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 10ac0fbefd65ff09ce3a884400c5afe62c9707b5 Author: Boris Ostrovsky Date: Thu May 26 11:19:52 2011 -0400 x86, amd: Do not enable ARAT feature on AMD processors below family 0x12 commit e9cdd343a5e42c43bcda01e609fa23089e026470 upstream. Commit b87cf80af3ba4b4c008b4face3c68d604e1715c6 added support for ARAT (Always Running APIC timer) on AMD processors that are not affected by erratum 400. This erratum is present on certain processor families and prevents APIC timer from waking up the CPU when it is in a deep C state, including C1E state. Determining whether a processor is affected by this erratum may have some corner cases and handling these cases is somewhat complicated. In the interest of simplicity we won't claim ARAT support on processor families below 0x12 and will go back to broadcasting timer when going idle. Signed-off-by: Boris Ostrovsky Link: http://lkml.kernel.org/r/1306423192-19774-1-git-send-email-ostr@amd64.org Tested-by: Boris Petkov Cc: Hans Rosenfeld Cc: Andreas Herrmann Cc: Chuck Ebbert Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit f76923c73aad9b726825e70d07f49a572938dc80 Author: Daniel J Blueman Date: Wed May 18 16:31:31 2011 -0700 x86, ioapic: Fix potential resume deadlock commit b64ce24daffb634b5b3133a2e411bd4de50654e8 upstream. Fix a potential deadlock when resuming; here the calling function has disabled interrupts, so we cannot sleep. Change the memory allocation flag from GFP_KERNEL to GFP_ATOMIC. TODO: We can do away with this memory allocation during resume by reusing the ioapic suspend/resume code that uses boot time allocated buffers, but we want to keep this -stable patch simple. Signed-off-by: Daniel J Blueman Signed-off-by: Suresh Siddha Link: http://lkml.kernel.org/r/20110518233157.385970138@sbsiddha-MOBL3.sc.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ff06554f5afc8ff13b55fa3d4a13a18b2683e05d Author: Richard Weinberger Date: Mon May 23 22:51:33 2011 +0200 um: Use RWSEM_GENERIC_SPINLOCK on x86 commit 3a3679078aed2c451ebc32836bbd3b8219a65e01 upstream. Commit d12337 (rwsem: Remove redundant asmregparm annotation) broke rwsem on UML. As we cannot compile UML with -mregparm=3 and keeping asmregparm only for UML is inadequate the easiest solution is using RWSEM_GENERIC_SPINLOCK. Thanks to Thomas Gleixner for the idea. Reported-by: Toralf Förster Tested-by: Toralf Förster Signed-off-by: Richard Weinberger Cc: user-mode-linux-devel@lists.sourceforge.net Link: http://lkml.kernel.org/r/%3C1306183893-26655-1-git-send-email-richard%40nod.at%3E Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9d6b9519ace96a810c5ebe316f1301ca8be94d92 Author: Nicholas Bellinger Date: Thu May 19 20:19:12 2011 -0700 target: Fix task->task_execute_queue=1 clear bug + LUN_RESET OOPs commit af57c3ac9947990da2608561b71f4799eb7795c6 upstream. This patch fixes a bug where task->task_execute_queue=1 was not being cleared once se_task had been removed from se_device->execute_task_list, resulting in an OOPs in core_tmr_lun_reset() for the task->task_active=0 case where transport_remove_task_from_execute_queue() was incorrectly being called. This patch fixes two cases in transport_get_task_from_execute_queue() and transport_remove_task_from_execute_queue() to properly clear task->task_execute_queue=0 once list_del(&task->t_execute_list) has been called. It also adds an explict check in transport_remove_task_from_execute_queue() to dump_stack + return if called with task->task_execute_queue=0. Signed-off-by: Nicholas Bellinger Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c20bc94058d10ee00a72490e05b9c314f2a75d4e Author: Nicholas Bellinger Date: Thu May 19 20:19:11 2011 -0700 target: Fix bug with task_sg chained transport_free_dev_tasks release commit f436677262a5b524ac87675014c6d4e8ee153029 upstream. This patch addresses a bug in the target core release path for HW operation where transport_free_dev_tasks() was incorrectly being called from transport_lun_remove_cmd() while releasing a se_cmd reference and calling struct target_core_fabric_ops->queue_data_in(). This would result in a OOPs with HW target mode when the release of se_task->task_sg[] would happen before pci_unmap_sg() can be called in HW target mode fabric module code. This patch addresses the issue by moving transport_free_dev_tasks() from transport_lun_remove_cmd() into transport_generic_free_cmd(), and adding TRANSPORT_FREE_CMD_INTR and transport_generic_free_cmd_intr() to allow se_cmd descriptor release to happen fromfrom within transport_processing_thread() process context when release of se_cmd is not possible from HW interrupt context. Signed-off-by: Nicholas Bellinger Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 26e45fbaec96c748f807925ea3855deb3c504118 Author: Nicholas Bellinger Date: Thu May 19 20:19:10 2011 -0700 target: Fix interrupt context bug with stats_lock and core_tmr_alloc_req commit 53ab6709b4d35b1924240854d794482fd7d33d4a upstream. This patch fixes two bugs wrt to the interrupt context usage of target core with HW target mode drivers. It first converts the usage of struct se_device->stats_lock in transport_get_lun_for_cmd() and core_tmr_lun_reset() to properly use spin_lock_irq() to address an BUG with CONFIG_LOCKDEP_SUPPORT=y enabled. This patch also adds a 'in_interrupt()' check to allow GFP_ATOMIC usage from core_tmr_alloc_req() to fix a 'sleeping in interrupt context' BUG with HW target fabrics that require this logic to function. Signed-off-by: Nicholas Bellinger Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit f4d195fe897027ee3da1bd89b5a25631ebb7da6a Author: Nicholas Bellinger Date: Thu May 19 20:19:09 2011 -0700 target: Fix multi task->task_sg[] chaining logic bug commit 97868c8905a1537153d406c4a3aa39a503a5c299 upstream. This patch fixes a bug in transport_do_task_sg_chain() used by HW target mode modules with sg_chain() to provide a single sg_next() walkable memory layout for use with pci_map_sg() and friends. This patch addresses an issue with mapping multiple small block max_sector tasks across multiple struct se_task->task_sg[] mappings for HW target mode operation. This was causing OOPs with (cmd->t_task->t_tasks_no > 1) I/O traffic for HW target drivers using transport_do_task_sg_chain(), and has been tested so far with tcm_fc(openfcoe), tcm_qla2xxx, and ib_srpt fabrics with t_tasks_no > 1 IBLOCK backends using a smaller max_sectors to trigger the original issue. Signed-off-by: Nicholas Bellinger Acked-by: Kiran Patil Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 020d7f0a3afe02e399859332593067909df2f001 Author: Samuel Thibault Date: Wed May 18 17:06:05 2011 +0200 Fix Ultrastor asm snippet commit fad4dab5e44e10acf6b0235e469cb8e773b58e31 upstream. Commit 1292500b replaced "=m" (*field) : "1" (*field) with "=m" (*field) : with comment "The following patch fixes it by using the '+' operator on the (*field) operand, marking it as read-write to gcc." '+' was actually forgotten. This really puts it. Signed-off-by: Samuel Thibault Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 9f589e61371066e57513c2d878efad8f4d76e766 Author: Eddie Wai Date: Mon May 16 11:13:19 2011 -0700 bnx2i: Updated the connection shutdown/cleanup timeout commit d5307a078bb0288945c900c6f4a2fd77ba6d0817 upstream. Modified the 10s wait time for inflight offload connections to advance to the next state to 2s based on test result. Modified the 20s shutdown timeout to 30s based on test result. Signed-off-by: Eddie Wai Reviewed-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit f04c018579fcbded5f53fb8447925e1762751315 Author: Eddie Wai Date: Mon May 16 11:13:18 2011 -0700 bnx2i: Fixed packet error created when the sq_size is set to 16 commit 7287c63e986fe1a51a89f4bb1327320274a7a741 upstream. The number of chip's internal command cell, which is use to generate SCSI cmd packets to the target, was not initialized correctly by the driver when the sq_size is changed from the default 128. This, in turn, will create a problem where the chip's transmit pipe will erroneously reuse an old command cell that is no longer valid. The fix is to correctly initialize the chip's command cell upon setup. Signed-off-by: Eddie Wai Reviewed-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 4cfc249a3b73a6afee1ec58ab42f63aceb920f5d Author: Kashyap, Desai Date: Wed May 4 16:35:58 2011 +0530 mpt2sas: move even handling of MPT2SAS_TURN_ON_FAULT_LED into process context commit 3ace8e052be5293ebb3e00f819effccc64108a38 upstream. Driver was a sending a SEP request during interrupt context which required to go to sleep. The fix is to rearrange the code so a fake event MPT2SAS_TURN_ON_FAULT_LED is fired from interrupt context, then later during the kernel worker threads processing, the SEP request is issued to firmware. Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 6de88839e47b4cb4dc97b095a2a89399fbec8a23 Author: Stephen Hemminger Date: Tue May 24 13:50:52 2011 -0400 dst: catch uninitialized metrics [ Upstream commit 1f37070d3ff325827c6213e51b57f21fd5ac9d05 ] Catch cases where dst_metric_set() and other functions are called but _metrics is NULL. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88bb492456d6ba8c860060d08fc1370a8ce979b0 Author: Eric Dumazet Date: Tue May 24 13:29:50 2011 -0400 net: fix __dst_destroy_metrics_generic() [ Upstream commit b30c516f875004f025f4d10147bde28c5e98466b ] dst_default_metrics is readonly, we dont want to kfree() it later. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9df49f2bfe862573911a080c75a6d81113c5c81d Author: Eric Dumazet Date: Mon May 23 11:02:42 2011 +0000 sch_sfq: avoid giving spurious NET_XMIT_CN signals [ Upstream commit 8efa885406359af300d46910642b50ca82c0fe47 ] While chasing a possible net_sched bug, I found that IP fragments have litle chance to pass a congestioned SFQ qdisc : - Say SFQ qdisc is full because one flow is non responsive. - ip_fragment() wants to send two fragments belonging to an idle flow. - sfq_enqueue() queues first packet, but see queue limit reached : - sfq_enqueue() drops one packet from 'big consumer', and returns NET_XMIT_CN. - ip_fragment() cancel remaining fragments. This patch restores fairness, making sure we return NET_XMIT_CN only if we dropped a packet from the same flow. Signed-off-by: Eric Dumazet CC: Patrick McHardy CC: Jarek Poplawski CC: Jamal Hadi Salim CC: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 37d37d7502216a7d0e0fb33018afd8e714963b20 Author: Neil Horman Date: Wed May 25 08:13:01 2011 +0000 bonding: prevent deadlock on slave store with alb mode (v3) [ Upstream commit 9fe0617d9b6d21f700ee9e658e1c9fe3be2fb402 ] This soft lockup was recently reported: [root@dell-per715-01 ~]# echo +bond5 > /sys/class/net/bonding_masters [root@dell-per715-01 ~]# echo +eth1 > /sys/class/net/bond5/bonding/slaves bonding: bond5: doing slave updates when interface is down. bonding bond5: master_dev is not up in bond_enslave [root@dell-per715-01 ~]# echo -eth1 > /sys/class/net/bond5/bonding/slaves bonding: bond5: doing slave updates when interface is down. BUG: soft lockup - CPU#12 stuck for 60s! [bash:6444] CPU 12: Modules linked in: bonding autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc be2d Pid: 6444, comm: bash Not tainted 2.6.18-262.el5 #1 RIP: 0010:[] [] .text.lock.spinlock+0x26/00 RSP: 0018:ffff810113167da8 EFLAGS: 00000286 RAX: ffff810113167fd8 RBX: ffff810123a47800 RCX: 0000000000ff1025 RDX: 0000000000000000 RSI: ffff810123a47800 RDI: ffff81021b57f6f8 RBP: ffff81021b57f500 R08: 0000000000000000 R09: 000000000000000c R10: 00000000ffffffff R11: ffff81011d41c000 R12: ffff81021b57f000 R13: 0000000000000000 R14: 0000000000000282 R15: 0000000000000282 FS: 00002b3b41ef3f50(0000) GS:ffff810123b27940(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00002b3b456dd000 CR3: 000000031fc60000 CR4: 00000000000006e0 Call Trace: [] _spin_lock_bh+0x9/0x14 [] :bonding:tlb_clear_slave+0x22/0xa1 [] :bonding:bond_alb_deinit_slave+0xba/0xf0 [] :bonding:bond_release+0x1b4/0x450 [] __down_write_nested+0x12/0x92 [] :bonding:bonding_store_slaves+0x25c/0x2f7 [] sysfs_write_file+0xb9/0xe8 [] vfs_write+0xce/0x174 [] sys_write+0x45/0x6e [] tracesys+0xd5/0xe0 It occurs because we are able to change the slave configuarion of a bond while the bond interface is down. The bonding driver initializes some data structures only after its ndo_open routine is called. Among them is the initalization of the alb tx and rx hash locks. So if we add or remove a slave without first opening the bond master device, we run the risk of trying to lock/unlock a spinlock that has garbage for data in it, which results in our above softlock. Note that sometimes this works, because in many cases an unlocked spinlock has the raw_lock parameter initialized to zero (meaning that the kzalloc of the net_device private data is equivalent to calling spin_lock_init), but thats not true in all cases, and we aren't guaranteed that condition, so we need to pass the relevant spinlocks through the spin_lock_init function. Fix it by moving the spin_lock_init calls for the tx and rx hashtable locks to the ndo_init path, so they are ready for use by the bond_store_slaves path. Change notes: v2) Based on conversation with Jay and Nicolas it seems that the ability to enslave devices while the bond master is down should be safe to do. As such this is an outlier bug, and so instead we'll just initalize the errant spinlocks in the init path rather than the open path, solving the problem. We'll also remove the warnings about the bond being down during enslave operations, since it should be safe v3) Fix spelling error Signed-off-by: Neil Horman Reported-by: jtluka@redhat.com CC: Jay Vosburgh CC: Andy Gospodarek CC: nicolas.2p.debian@gmail.com CC: "David S. Miller" Signed-off-by: Jay Vosburgh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b262a5da755cc6ed0cb4fba230cd9bf4037e1096 Author: Eric Dumazet Date: Wed May 25 04:40:11 2011 +0000 sch_sfq: fix peek() implementation [ Upstream commit 07bd8df5df4369487812bf85a237322ff3569b77 ] Since commit eeaeb068f139 (sch_sfq: allow big packets and be fair), sfq_peek() can return a different skb that would be normally dequeued by sfq_dequeue() [ if current slot->allot is negative ] Use generic qdisc_peek_dequeued() instead of custom implementation, to get consistent result. Signed-off-by: Eric Dumazet CC: Jarek Poplawski CC: Patrick McHardy CC: Jesper Dangaard Brouer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5e29567e54ba77297911659047184b6d551e38e8 Author: Wei Yongjun Date: Tue May 24 21:48:02 2011 +0000 sctp: fix memory leak of the ASCONF queue when free asoc [ Upstream commit 8b4472cc13136d04727e399c6fdadf58d2218b0a ] If an ASCONF chunk is outstanding, then the following ASCONF chunk will be queued for later transmission. But when we free the asoc, we forget to free the ASCONF queue at the same time, this will cause memory leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 42923465fb8d025a2b5153f2e7ab1e6e1058bf00 Author: Eric Dumazet Date: Tue May 24 13:32:18 2011 -0400 bridge: initialize fake_rtable metrics [ Upstream commit 33eb9873a283a2076f2b5628813d5365ca420ea9 ] bridge netfilter code uses a fake_rtable, and we must init its _metric field or risk NULL dereference later. Ref: https://bugzilla.kernel.org/show_bug.cgi?id=35672 Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 40093a2a3e53af2f1a0754fe40b7513ebf6e0c8f Author: Veaceslav Falico Date: Mon May 23 23:15:05 2011 +0000 igmp: call ip_mc_clear_src() only when we have no users of ip_mc_list [ Upstream commit 24cf3af3fed5edcf90bc2a0ed181e6ce1513d2dc ] In igmp_group_dropped() we call ip_mc_clear_src(), which resets the number of source filters per mulitcast. However, igmp_group_dropped() is also called on NETDEV_DOWN, NETDEV_PRE_TYPE_CHANGE and NETDEV_UNREGISTER, which means that the group might get added back on NETDEV_UP, NETDEV_REGISTER and NETDEV_POST_TYPE_CHANGE respectively, leaving us with broken source filters. To fix that, we must clear the source filters only when there are no users in the ip_mc_list, i.e. in ip_mc_dec_group() and on device destroy. Acked-by: David L Stevens Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a0e3d9a50be5f6cffbc4fbc9e44105c5def26cf0 Author: Jacek Luczak Date: Thu May 19 09:55:13 2011 +0000 SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict() [ Upstream commit c182f90bc1f22ce5039b8722e45621d5f96862c2 ] During the sctp_close() call, we do not use rcu primitives to destroy the address list attached to the endpoint. At the same time, we do the removal of addresses from this list before attempting to remove the socket from the port hash As a result, it is possible for another process to find the socket in the port hash that is in the process of being closed. It then proceeds to traverse the address list to find the conflict, only to have that address list suddenly disappear without rcu() critical section. Fix issue by closing address list removal inside RCU critical section. Race can result in a kernel crash with general protection fault or kernel NULL pointer dereference: kernel: general protection fault: 0000 [#1] SMP kernel: RIP: 0010:[] [] sctp_bind_addr_conflict+0x64/0x82 [sctp] kernel: Call Trace: kernel: [] ? sctp_get_port_local+0x17b/0x2a3 [sctp] kernel: [] ? sctp_bind_addr_match+0x33/0x68 [sctp] kernel: [] ? sctp_do_bind+0xd3/0x141 [sctp] kernel: [] ? sctp_bindx_add+0x4d/0x8e [sctp] kernel: [] ? sctp_setsockopt_bindx+0x112/0x4a4 [sctp] kernel: [] ? generic_file_aio_write+0x7f/0x9b kernel: [] ? sctp_setsockopt+0x14f/0xfee [sctp] kernel: [] ? do_sync_write+0xab/0xeb kernel: [] ? fsnotify+0x239/0x282 kernel: [] ? alloc_file+0x18/0xb1 kernel: [] ? compat_sys_setsockopt+0x1a5/0x1d9 kernel: [] ? compat_sys_socketcall+0x143/0x1a4 kernel: [] ? sysenter_dispatch+0x7/0x32 Signed-off-by: Jacek Luczak Acked-by: Vlad Yasevich CC: Eric Dumazet Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8884892fcbe700a595a6e6d11fca1a0281793d7e Author: Eric Dumazet Date: Fri May 20 14:59:23 2011 -0400 macvlan: fix panic if lowerdev in a bond [ Upstream commit d93515611bbc70c2fe4db232e5feb448ed8e4cc9 ] commit a35e2c1b6d905 (macvlan: use rx_handler_data pointer to store macvlan_port pointer V2) added a bug in macvlan_port_create() Steps to reproduce the bug: # ifenslave bond0 eth0 eth1 # ip link add link eth0 up name eth0#1 type macvlan ->error EBUSY # ip link add link eth0 up name eth0#1 type macvlan ->panic Fix: Dont set IFF_MACVLAN_PORT in error case. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3a029a52f334fcdf19da9496f3ec122fafe4cad5 Author: Eric Dumazet Date: Wed May 18 02:21:31 2011 -0400 net: add skb_dst_force() in sock_queue_err_skb() [ Upstream commit abb57ea48fd9431fa320a5c55f73e6b5a44c2efb ] Commit 7fee226ad239 (add a noref bit on skb dst) forgot to use skb_dst_force() on packets queued in sk_error_queue This triggers following warning, for applications using IP_CMSG_PKTINFO receiving one error status ------------[ cut here ]------------ WARNING: at include/linux/skbuff.h:457 ip_cmsg_recv_pktinfo+0xa6/0xb0() Hardware name: 2669UYD Modules linked in: isofs vboxnetadp vboxnetflt nfsd ebtable_nat ebtables lib80211_crypt_ccmp uinput xcbc hdaps tp_smapi thinkpad_ec radeonfb fb_ddc radeon ttm drm_kms_helper drm ipw2200 intel_agp intel_gtt libipw i2c_algo_bit i2c_i801 agpgart rng_core cfbfillrect cfbcopyarea cfbimgblt video raid10 raid1 raid0 linear md_mod vboxdrv Pid: 4697, comm: miredo Not tainted 2.6.39-rc6-00569-g5895198-dirty #22 Call Trace: [] ? printk+0x1d/0x1f [] warn_slowpath_common+0x72/0xa0 [] ? ip_cmsg_recv_pktinfo+0xa6/0xb0 [] ? ip_cmsg_recv_pktinfo+0xa6/0xb0 [] warn_slowpath_null+0x20/0x30 [] ip_cmsg_recv_pktinfo+0xa6/0xb0 [] ip_cmsg_recv+0x127/0x260 [] ? skb_dequeue+0x4d/0x70 [] ? skb_copy_datagram_iovec+0x53/0x300 [] ? sub_preempt_count+0x24/0x50 [] ip_recv_error+0x23d/0x270 [] udp_recvmsg+0x264/0x2b0 [] inet_recvmsg+0xd9/0x130 [] sock_recvmsg+0xf2/0x120 [] ? might_fault+0x4b/0xa0 [] ? verify_iovec+0x4c/0xc0 [] ? sock_recvmsg_nosec+0x100/0x100 [] __sys_recvmsg+0x114/0x1e0 [] ? __lock_acquire+0x365/0x780 [] ? fget_light+0xa6/0x3e0 [] ? fget_light+0xbf/0x3e0 [] ? fget_light+0x2e/0x3e0 [] sys_recvmsg+0x39/0x60 Close bug https://bugzilla.kernel.org/show_bug.cgi?id=34622 Reported-by: Witold Baryluk Signed-off-by: Eric Dumazet CC: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b71dedf430e6a345b4ba47212ba1b433eef999dc Author: Michał Mirosław Date: Tue May 17 16:50:02 2011 -0400 net: ethtool: fix IPV6 checksum feature name string [ Upstream commit 7cc31a9ae1477abc79d5992b3afe889f25c50c99 ] Signed-off-by: Michał Mirosław Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9532805bdd4bdcb203d53ebeac345c27a9436007 Author: Michael S. Tsirkin Date: Mon May 16 10:37:39 2011 +0000 net: Change netdev_fix_features messages loglevel [ Upstream commit 604ae14ffb6d75d6eef4757859226b758d6bf9e3 ] Cool, how about we make 'Features changed' debug as well? This way userspace can't fill up the log just by tweaking tun features with an ioctl. Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6fcd74f9528a56d6247454cf5cdc94706dddbb75 Author: Eric Dumazet Date: Tue May 17 13:56:59 2011 -0400 net: use hlist_del_rcu() in dev_change_name() [ Upstream commit 372b2312010bece1e36f577d6c99a6193ec54cbd ] Using plain hlist_del() in dev_change_name() is wrong since a concurrent reader can crash trying to dereference LIST_POISON1. Bug introduced in commit 72c9528bab94 (net: Introduce dev_get_by_name_rcu()) Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6406426e95eea9ccfcc8b15ac6613c8af438cffe Author: Patrick McHardy Date: Mon May 16 14:45:39 2011 +0200 netfilter: nf_ct_sip: fix SDP parsing in TCP SIP messages for some Cisco phones [ Upstream commit e6e4d9ed11fb1fab8b3256a3dc14d71b5e984ac4 ] Some Cisco phones do not place the Content-Length field at the end of the SIP message. This is valid, due to a misunderstanding of the specification the parser expects the SDP body to start directly after the Content-Length field. Fix the parser to scan for \r\n\r\n to locate the beginning of the SDP body. Reported-by: Teresa Kang Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit fa8c3f668b17e2e508d14f44bbf8368b3d7ea92e Author: Patrick McHardy Date: Mon May 16 14:42:26 2011 +0200 netfilter: nf_ct_sip: validate Content-Length in TCP SIP messages [ Upstream commit 274ea0e2a4cdf18110e5931b8ecbfef6353e5293 ] Verify that the message length of a single SIP message, which is calculated based on the Content-Length field contained in the SIP message, does not exceed the packet boundaries. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit d9b389384c8805635af0955549cb10012b8c4d68 Author: Yang Ruirui Date: Sat Apr 16 19:17:48 2011 -0400 ext4: release page cache in ext4_mb_load_buddy error path commit 26626f1172fb4f3f323239a6a5cf4e082643fa46 upstream. Add missing page_cache_release in the error path of ext4_mb_load_buddy Signed-off-by: Yang Ruirui Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 0f9d470eb46c67c0ac63cbbc26afb83f8cd85caa Author: Ted Ts'o Date: Sat Apr 30 13:17:11 2011 -0400 jbd: fix fsync() tid wraparound bug commit d9b01934d56a96d9f4ae2d6204d4ea78a36f5f36 upstream. If an application program does not make any changes to the indirect blocks or extent tree, i_datasync_tid will not get updated. If there are enough commits (i.e., 2**31) such that tid_geq()'s calculations wrap, and there isn't a currently active transaction at the time of the fdatasync() call, this can end up triggering a BUG_ON in fs/jbd/commit.c: J_ASSERT(journal->j_running_transaction != NULL); It's pretty rare that this can happen, since it requires the use of fdatasync() plus *very* frequent and excessive use of fsync(). But with the right workload, it can. We fix this by replacing the use of tid_geq() with an equality test, since there's only one valid transaction id that is valid for us to start: namely, the currently running transaction (if it exists). Reported-by: Martin_Zielinski@McAfee.com Signed-off-by: "Theodore Ts'o" Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 0a5cb949920f8796c684fcde2da098e00c4c28da Author: Jan Kara Date: Thu May 5 13:59:35 2011 +0200 jbd: Fix forever sleeping process in do_get_write_access() commit 2842bb20eed2e25cde5114298edc62c8883a1d9a upstream. In do_get_write_access() we wait on BH_Unshadow bit for buffer to get from shadow state. The waking code in journal_commit_transaction() has a bug because it does not issue a memory barrier after the buffer is moved from the shadow state and before wake_up_bit() is called. Thus a waitqueue check can happen before the buffer is actually moved from the shadow state and waiting process may never be woken. Fix the problem by issuing proper barrier. Reported-by: Tao Ma Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 61485c2e416f12932cfd9423ad0641b975b4de65 Author: Jan Kara Date: Wed Apr 27 18:20:44 2011 +0200 ext3: Fix fs corruption when make_indexed_dir() fails commit 86c4f6d85595cd7da635dc6985d27bfa43b1ae10 upstream. When make_indexed_dir() fails (e.g. because of ENOSPC) after it has allocated block for index tree root, we did not properly mark all changed buffers dirty. This lead to only some of these buffers being written out and thus effectively corrupting the directory. Fix the issue by marking all changed data dirty even in the error failure case. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 91180a0401c2348d3c488613dbe39ae2e306ec20 Author: Alan Stern Date: Tue May 17 14:45:48 2011 -0400 usb-storage: fix up the unusual_realtek device list commit a8e62dd6d91f3bc3687abbb26227e5fc39c4829c upstream. This patch (as1461) fixes the unusual_devs entries for the Realtek USB card reader. They should be ordered by PID, and they should not override the Subclass and Protocol values provided by the device. Otherwise a notification about unnecessary entries gets printed in the kernel log during probing. Signed-off-by: Alan Stern Tested-By: Tony Vroon Signed-off-by: Greg Kroah-Hartman commit 7a538094d533fc4c836d1164103e6a15491a2daa Author: James Bottomley Date: Sun Apr 24 14:30:14 2011 -0500 pata_cm64x: fix boot crash on parisc commit 9281b16caac1276817b77033c5b8a1f5ca30102c upstream. The old IDE cmd64x checks the status of the CNTRL register to see if the ports are enabled before probing them. pata_cmd64x doesn't do this, which causes a HPMC on parisc when it tries to poke at the secondary port because apparently the BAR isn't wired up (and a non-responding piece of memory causes a HPMC). Fix this by porting the CNTRL register port detection logic from IDE cmd64x. In addition, following converns from Alan Cox, add a check to see if a mobility electronics bridge is the immediate parent and forgo the check if it is (prevents problems on hotplug controllers). Signed-off-by: James Bottomley Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit f632b4a6ec47d2ecee7d2f1c2bf902b1384201ac Author: James Bottomley Date: Fri Apr 15 08:55:47 2011 -0700 wire up syncfs syscall commit 2e7bad5f34b5beed47542490c760ed26574e38ba upstream. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8afcbeeb63abdd9baa50289ebde9f1f457f132db Author: James Bottomley Date: Fri Apr 15 08:55:46 2011 -0700 wire up the fhandle syscalls commit a71aae4cec120ee85cf32608fca40a4605461214 upstream. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8fd886735c5309c3805b33047ae4b6868cc0d534 Author: James Bottomley Date: Fri Apr 15 08:55:45 2011 -0700 wire up clock_adjtime syscall commit c3f957a22eca106bd28136943305b390b4337ebf upstream. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 21fbdbf013675102412635fdf0f47fd1b86fc074 Author: James Bottomley Date: Fri Apr 15 08:55:44 2011 -0700 wire up fanotify syscalls commit 1824074b07ee66fa0f714e08579ad85075132d7b upstream. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 084013b8e040a1414f83e5574d2716019c180a11 Author: Erez Zadok Date: Sat May 21 01:19:59 2011 -0400 VFS: move BUG_ON test for symlink nd->depth after current->link_count test commit 1a4022f88d40e1255920b017556092ab926d7f66 upstream. This solves a serious VFS-level bug in nested_symlink (which was rewritten from do_follow_link), and follows the order of depth tests that existed before. The bug triggers a BUG_ON in fs/namei.c:1381, when running racer with symlink and rename ops. Signed-off-by: Erez Zadok Acked-by: Miklos Szeredi Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 05e9a48acf36b2b8ded09d4c630ec4671de713db Author: Johannes Berg Date: Thu May 12 15:11:37 2011 +0200 mac80211: fix a few RCU issues commit a3836e02ba4c50db958d32d710b226f2408623dc upstream. A few configuration functions correctly do rcu_read_lock() but don't correctly reference some pointers protected by RCU. Fix that. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 195a03999469b672c2a2a709b848db378bc57f2e Author: Jouni Malinen Date: Tue May 3 22:45:16 2011 -0700 nl80211: Fix set_key regression with some drivers commit 0e579d6a8f4aea346da818f13ee71401c125e639 upstream. Commit dbd2fd656f2060abfd3a16257f8b51ec60f6d2ed added a mechanism for user space to indicate whether a default key is being configured for only unicast or only multicast frames instead of all frames. This commit added a driver capability flag for indicating whether separate default keys are supported and validation of the set_key command based on that capability. However, this single capability flag is not enough to cover possible difference based on mode (AP/IBSS/STA) and the way this change was introduced resulted in a regression with drivers that do not indicate the new capability (i.e.., more or less any non-mac80211 driver using cfg80211) when using a recent wpa_supplicant snapshot. Fix the regression by removing the new check which is not strictly speaking needed. The new separate default key functionality is needed only for RSN IBSS which has a separate capability indication. Signed-off-by: Jouni Malinen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7a8fa3e16202fc5caec6787b4f394aecca7dc17a Author: Rajkumar Manoharan Date: Fri Apr 29 14:48:45 2011 +0530 mac80211: use wake_queue to restart trasmit commit 470ab2a23b453518ac86937572b4531d8925ca55 upstream. netif_tx_start_all_queues is used to allow the upper layer to transmit frames but it does not restart transmission. To restart the trasmission use netif_tx_wake_all_queues. Not doing so, sometimes stalls the transmission and the application has to be restarted to proceed further. This issue was originally found while sending udp traffic in higer bandwidth in open environment without bgscan. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a46053ab736c81bcfc442f9ca44317d64159dfb3 Author: Johannes Berg Date: Tue Mar 29 06:29:37 2011 -0700 iwlwifi: fix bugs in change_interface commit a2b76b3b31568da9d281a393845f17689594ccdf upstream. If change_interface gets invoked during a firmware restart, it may crash; prevent that from happening by checking if ctx->vif is assigned. Additionally, in my initial commit I forgot to set the vif->p2p variable correctly, so fix that too. Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: Greg Kroah-Hartman commit 0d6a1cd7121da74a36846dfa1701c37ccee8faac Author: Martin K. Petersen Date: Tue May 17 22:13:23 2011 -0400 libata: Use Maximum Write Same Length to report discard size limit commit 5f4e206666f834340b69ddb43f86de3851c8675a upstream. Previously we used Maximum Unmap LBA Count in the Block Limits VPD to signal the maximum number of sectors we could handle in a single Write Same command. Starting with SBC3r26 the Block Limits VPD has an explicit limit on the number of blocks in a Write Same. This means we can stop abusing a field related to the Unmap command and let our SAT use the proper value in the VPD (Maximum Write Same Length). Signed-off-by: Martin K. Petersen Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit d3b2cb8d5114ff591925a40e9d33e4cf956eb1f4 Author: Jiri Olsa Date: Thu May 12 16:30:30 2011 +0200 x86, 64-bit: Fix copy_[to/from]_user() checks for the userspace address limit commit 26afb7c661080ae3f1f13ddf7f0c58c4f931c22b upstream. As reported in BZ #30352: https://bugzilla.kernel.org/show_bug.cgi?id=30352 there's a kernel bug related to reading the last allowed page on x86_64. The _copy_to_user() and _copy_from_user() functions use the following check for address limit: if (buf + size >= limit) fail(); while it should be more permissive: if (buf + size > limit) fail(); That's because the size represents the number of bytes being read/write from/to buf address AND including the buf address. So the copy function will actually never touch the limit address even if "buf + size == limit". Following program fails to use the last page as buffer due to the wrong limit check: #include #include #include #define PAGE_SIZE (4096) #define LAST_PAGE ((void*)(0x7fffffffe000)) int main() { int fds[2], err; void * ptr = mmap(LAST_PAGE, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); assert(ptr == LAST_PAGE); err = socketpair(AF_LOCAL, SOCK_STREAM, 0, fds); assert(err == 0); err = send(fds[0], ptr, PAGE_SIZE, 0); perror("send"); assert(err == PAGE_SIZE); err = recv(fds[1], ptr, PAGE_SIZE, MSG_WAITALL); perror("recv"); assert(err == PAGE_SIZE); return 0; } The other place checking the addr limit is the access_ok() function, which is working properly. There's just a misleading comment for the __range_not_ok() macro - which this patch fixes as well. The last page of the user-space address range is a guard page and Brian Gerst observed that the guard page itself due to an erratum on K8 cpus (#121 Sequential Execution Across Non-Canonical Boundary Causes Processor Hang). However, the test code is using the last valid page before the guard page. The bug is that the last byte before the guard page can't be read because of the off-by-one error. The guard page is left in place. This bug would normally not show up because the last page is part of the process stack and never accessed via syscalls. Signed-off-by: Jiri Olsa Acked-by: Brian Gerst Acked-by: Linus Torvalds Link: http://lkml.kernel.org/r/1305210630-7136-1-git-send-email-jolsa@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 6fe4503c6bed5328c9edd017d54fd2987d58e7fd Author: shaohua.li@intel.com Date: Fri May 6 11:35:31 2011 -0600 SATA: enable non-queueable flush flag commit 900e599eb0c16390ff671652a44e0ea90532220e upstream. Enable non-queueable flush flag for SATA. Stable: 2.6.39 only Signed-off-by: Shaohua Li Acked-by: Tejun Heo Acked-by: Jeff Garzik Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit d27053116fa81d3730cf1604ee74480724d9ebe2 Author: Kishore Kadiyala Date: Wed May 11 21:17:27 2011 +0530 mtd: omap: fix subpage ecc issue with prefetch commit c5d8c0cae4af7d78823d32fcd1c458ee1a1b5489 upstream. When reading/writing a subpage (When HW ECC is not available/enabled) for number of bytes not aligned to 4, the mis-aligned bytes are handled first (by cpu copy method) before enabling the Prefetch engine to/from 'p'(start of buffer 'buf'). Then it reads/writes rest of the bytes with the help of Prefetch engine, if available, or again using cpu copy method. Currently, reading/writing of rest of bytes, is not done correctly since its trying to read/write again to/from begining of buffer 'buf', overwriting the mis-aligned bytes. Read & write using prefetch engine got broken in commit '2c01946c'. We never hit a scenario of not getting 'gpmc_prefetch_enable' call success. So, problem did not get caught up. Signed-off-by: Kishore Kadiyala Signed-off-by: Vimal Singh Reported-by: Bryan DE FARIA Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 78a26f6c46eb3c01982b07048a1c547c5c16a4ff Author: Artem Bityutskiy Date: Thu Apr 28 20:26:59 2011 +0300 mtd: return badblockbits back commit 26d9be11485ea8c1102c3e8eaa7667412eef4950 upstream. In commit c7b28e25cb9beb943aead770ff14551b55fa8c79 the initialization of the backblockbits was accidentally removed. This patch returns it back, because otherwise some NAND drivers are broken. This problem was reported by "Saxena, Parth " here: http://lists.infradead.org/pipermail/linux-mtd/2011-April/035221.html Reported-by: Parth Saxena Signed-off-by: Artem Bityutskiy Tested-by: Parth Saxena Acked-by: Parth Saxena Acked-by: Brian Norris Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit cc5c1422098715ec19ae109b75f54ab9e029e24b Author: Felix Radensky Date: Mon Apr 25 01:57:12 2011 +0300 mtd: mtdconcat: fix NAND OOB write commit 431e1ecabddcd7cbba237182ddf431771f98bb4c upstream. Currently mtdconcat is broken for NAND. An attemtpt to create JFFS2 filesystem on concatenation of several NAND devices fails with OOB write errors. This patch fixes that problem. Signed-off-by: Felix Radensky Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 9206053d7efb79adb564ccf7055342318b22475c Author: Tejun Heo Date: Thu May 26 21:06:50 2011 +0200 block: always allocate genhd->ev if check_events is implemented commit 75e3f3ee3c64968d42f4843ec49e579f84b5aa0c upstream. 9fd097b149 (block: unexport DISK_EVENT_MEDIA_CHANGE for legacy/fringe drivers) removed DISK_EVENT_MEDIA_CHANGE from legacy/fringe block drivers which have inadequate ->check_events(). Combined with earlier change 7c88a168da (block: don't propagate unlisted DISK_EVENTs to userland), this enables using ->check_events() for internal processing while avoiding enabling in-kernel block event polling which can lead to infinite event loop. Unfortunately, this made many drivers including floppy without any bit set in disk->events and ->async_events in which case disk_add_events() simply skipped allocation of disk->ev, which disables whole event handling. As ->check_events() is still used during open processing for revalidation, this can lead to open failure. This patch always allocates disk->ev if ->check_events is implemented. In the long term, it would make sense to simply include the event structure inline into genhd as it's now used by virtually all block devices. Signed-off-by: Tejun Heo Reported-by: Ondrej Zary Reported-by: Alex Villacis Lasso Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 294319fea7169f8a4abb48b1e9b3b98c7334e465 Author: James Bottomley Date: Wed May 18 16:20:10 2011 +0200 block: add proper state guards to __elv_next_request commit 0a58e077eb600d1efd7e54ad9926a75a39d7f8ae upstream. blk_cleanup_queue() calls elevator_exit() and after this, we can't touch the elevator without oopsing. __elv_next_request() must check for this state because in the refcounted queue model, we can still call it after blk_cleanup_queue() has been called. This was reported as causing an oops attributable to scsi. Signed-off-by: James Bottomley Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 071f305d6f2ecd2239f148858ead57a2f4fb16d9 Author: Martin K. Petersen Date: Wed May 18 10:37:35 2011 +0200 block: Fix discard topology stacking and reporting commit a934a00a69e940b126b9bdbf83e630ef5fe43523 upstream. In some cases we would end up stacking discard_zeroes_data incorrectly. Fix this by enabling the feature by default for stacking drivers and clearing it for low-level drivers. Incorporating a device that does not support dzd will then cause the feature to be disabled in the stacking driver. Also ensure that the maximum discard value does not overflow when exported in sysfs and return 0 in the alignment and dzd fields for devices that don't support discard. Reported-by: Lukas Czerner Signed-off-by: Martin K. Petersen Acked-by: Mike Snitzer Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 7da70b9a620f8da390bcd441b346c51cd48f979b Author: shaohua.li@intel.com Date: Fri May 6 11:34:41 2011 -0600 block: hold queue if flush is running for non-queueable flush drive commit 3ac0cc4508709d42ec9aa351086c7d38bfc0660c upstream. In some drives, flush requests are non-queueable. When flush request is running, normal read/write requests can't run. If block layer dispatches such request, driver can't handle it and requeue it. Tejun suggested we can hold the queue when flush is running. This can avoid unnecessary requeue. Also this can improve performance. For example, we have request flush1, write1, flush 2. flush1 is dispatched, then queue is hold, write1 isn't inserted to queue. After flush1 is finished, flush2 will be dispatched. Since disk cache is already clean, flush2 will be finished very soon, so looks like flush2 is folded to flush1. In my test, the queue holding completely solves a regression introduced by commit 53d63e6b0dfb95882ec0219ba6bbd50cde423794: block: make the flush insertion use the tail of the dispatch list It's not a preempt type request, in fact we have to insert it behind requests that do specify INSERT_FRONT. which causes about 20% regression running a sysbench fileio workload. Stable: 2.6.39 only Signed-off-by: Shaohua Li Acked-by: Tejun Heo Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 81b5f4969a360c24882a44e91e6177d2d79f933f Author: shaohua.li@intel.com Date: Fri May 6 11:34:32 2011 -0600 block: add a non-queueable flush flag commit f3876930952390a31c3a7fd68dd621464a36eb80 upstream. flush request isn't queueable in some drives. Add a flag to let driver notify block layer about this. We can optimize flush performance with the knowledge. Stable: 2.6.39 only Signed-off-by: Shaohua Li Acked-by: Tejun Heo Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit bd1a4347d6d4157cdd9424a85979e3ee2e9533a3 Author: Tejun Heo Date: Mon May 23 13:26:07 2011 +0200 block: move bd_set_size() above rescan_partitions() in __blkdev_get() commit 7e69723fef8771a9d57bd27d36281d756130b4b5 upstream. 02e352287a4 (block: rescan partitions on invalidated devices on -ENOMEDIA too) relocated partition rescan above explicit bd_set_size() to simplify condition check. As rescan_partitions() does its own bdev size setting, this doesn't break anything; however, rescan_partitions() prints out the following messages when adjusting bdev size, which can be confusing. sda: detected capacity change from 0 to 146815737856 sdb: detected capacity change from 0 to 146815737856 This patch restores the original order and remove the warning messages. stable: Please apply together with 02e352287a4 (block: rescan partitions on invalidated devices on -ENOMEDIA too). Signed-off-by: Tejun Heo Reported-by: Tony Luck Tested-by: Tony Luck Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 939f271827199c186116dae00ca8cea8af560992 Author: Curt Wohlgemuth Date: Sat Apr 30 13:26:26 2011 -0400 ext4: don't set PageUptodate in ext4_end_bio() commit 39db00f1c45e770856264bdb3ceca27980b01965 upstream. In the bio completion routine, we should not be setting PageUptodate at all -- it's set at sys_write() time, and is unaffected by success/failure of the write to disk. This can cause a page corruption bug when the file system's block size is less than the architecture's VM page size. if we have only written a single block -- we might end up setting the page's PageUptodate flag, indicating that page is completely read into memory, which may not be true. This could cause subsequent reads to get bad data. This commit also takes the opportunity to clean up error handling in ext4_end_bio(), and remove some extraneous code: - fixes ext4_end_bio() to set AS_EIO in the page->mapping->flags on error, which was left out by mistake. This is needed so that fsync() will return an error if there was an I/O error. - remove the clear_buffer_dirty() call on unmapped buffers for each page. - consolidate page/buffer error handling in a single section. Signed-off-by: Curt Wohlgemuth Signed-off-by: "Theodore Ts'o" Reported-by: Jim Meyering Reported-by: Hugh Dickins Cc: Mingming Cao Signed-off-by: Greg Kroah-Hartman commit 462a14519a4206926db6bf3ecddc0f13810764aa Author: Johannes Berg Date: Fri May 6 11:11:20 2011 -0700 iwlagn: fix iwl_is_any_associated commit 054ec924944912413e4ee927b8cf02f476d08783 upstream. The function iwl_is_any_associated() was intended to check both contexts, but due to an oversight it only checks the BSS context. This leads to a problem with scanning since the passive dwell time isn't restricted appropriately and a scan that includes passive channels will never finish if only the PAN context is associated since the default dwell time of 120ms won't fit into the normal 100 TU DTIM interval. Fix the function by using for_each_context() and also reorganise the other functions a bit to take advantage of each other making the code easier to read. Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 002b0d10cb04e5e4036e0d3fd830f2cca81be69b Author: Eric B Munson Date: Mon May 23 04:22:40 2011 +0000 powerpc/oprofile: Handle events that raise an exception without overflowing commit ad5d5292f16c6c1d7d3e257c4c7407594286b97e upstream. Commit 0837e3242c73566fc1c0196b4ec61779c25ffc93 fixes a situation on POWER7 where events can roll back if a specualtive event doesn't actually complete. This can raise a performance monitor exception. We need to catch this to ensure that we reset the PMC. In all cases the PMC will be less than 256 cycles from overflow. This patch lifts Anton's fix for the problem in perf and applies it to oprofile as well. Signed-off-by: Eric B Munson Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit ae408510ef79d498015ab8614a70616175b211bc Author: Senthil Balasubramanian Date: Thu May 12 16:24:28 2011 +0530 ath9k_hw: Fix STA connection issues with AR9380 (XB113). commit be0e6aa5a0c487a2a0880dda8bc70f7f1860fc39 upstream. XB113 (AR9380) 3x3 SB 5G only cards were failing to connect to APs due to incorrect xpabiaslevel configuration. fix it. Cc: Ray Li Cc: Kathy Giori Cc: Aeolus Yang Cc: compat@orbit-lab.org Signed-off-by: Senthil Balasubramanian Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ac256ca700c6a7eee16b03efc3f3d63f0a4f041b Author: Luis R. Rodriguez Date: Wed May 11 14:57:26 2011 -0700 ath9k_hw: fix dual band assumption for XB113 commit 9ba7f4f5eba5f4b44c7796bbad29f8ec3a7d5864 upstream. The XB113 cards are single band, 5 GHz-only, but the default settings were configured to assume it was dual band. Users of these cards then would see 2.4 GHz channels but you would never get any scan results from these channels given that the radio is not present. Cc: Fiona Cain Cc: Ray Li Cc: Kathy Giori Cc: Aeolus Yang Cc: Dan Friedman Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 37dfacd92cd7ed22c9bad21cd32e7106db23fd2b Author: Luis R. Rodriguez Date: Wed May 4 14:01:26 2011 -0700 ath9k_hw: fix power for the HT40 duplicate frames commit cf3a03b9c99a0b2715741d116f50f513f545bb2d upstream. With AR9003 at about ~ 10 feet from an AP that uses RTS / CTS you will be able to associate but not not get data through given that the power for the rates used was set too low. This increases the power and permits data connectivity at longer distances from access points when connected with HT40. Without this you will not get any data through when associated to APs configured in HT40 at about more than 10 feet away. Cc: Fiona Cain Cc: Zhen Xie Cc: Kathy Giori Cc: Neha Choksi Cc: Wayne Daniel Cc: Gaurav Jauhar Cc: Samira Naraghi CC: Ashok Chennupati Cc: Lance Zimmerman Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0b58a77dd1aa5f775b804d720da047160c0f0ead Author: Rajkumar Manoharan Date: Wed May 4 19:37:17 2011 +0530 ath9k_hw: do noise floor calibration only on required chains commit 28ef6450f0182f95c4f50aaa0ab2043a09c72b0a upstream. At present the noise floor calibration is processed in supported control and extension chains rather than required chains. Unnccesarily doing nfcal in all supported chains leads to invalid nf readings on extn chains and these invalid values got updated into history buffer. While loading those values from history buffer is moving the chip to deaf state. This issue was observed in AR9002/AR9003 chips while doing associate/dissociate in HT40 mode and interface up/down in iterative manner. After some iterations, the chip was moved to deaf state. Somehow the pci devices are recovered by poll work after chip reset. Raading the nf values in all supported extension chains when the hw is not yet configured in HT40 mode results invalid values. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4d298dbad2464a45b55aac309ea82dfdfe4291f5 Author: Fenghua Yu Date: Tue May 17 12:33:26 2011 -0700 x86, cpufeature: Fix cpuid leaf 7 feature detection commit 2494b030ba9334c7dd7df9b9f7abe4eacc950ec5 upstream. CPUID leaf 7, subleaf 0 returns the maximum subleaf in EAX, not the number of subleaves. Since so far only subleaf 0 is defined (and only the EBX bitfield) we do not need to qualify the test. Signed-off-by: Fenghua Yu Link: http://lkml.kernel.org/r/1305660806-17519-1-git-send-email-fenghua.yu@intel.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit ca2c08d39e4c5a493d12e04da38f824d7c1a9ef2 Author: Milton Miller Date: Tue May 10 19:28:33 2011 +0000 powerpc/kexec: Fix memory corruption from unallocated slaves commit 3d2cea732d68aa270c360f55d8669820ebce188a upstream. Commit 1fc711f7ffb01089efc58042cfdbac8573d1b59a (powerpc/kexec: Fix race in kexec shutdown) moved the write to signal the cpu had exited the kernel from before the transition to real mode in kexec_smp_wait to kexec_wait. Unfornately it missed that kexec_wait is used both by cpus leaving the kernel and by secondary slave cpus that were not allocated a paca for what ever reason -- they could be beyond nr_cpus or not described in the current device tree for whatever reason (for example, kexec-load was not refreshed after a cpu hotplug operation). Cpus coming through that path they will write to paca[NR_CPUS] which is beyond the space allocated for the paca data and overwrite memory not allocated to pacas but very likely still real mode accessable). Move the write back to kexec_smp_wait, which is used only by cpus that found their paca, but after the transition to real mode. Signed-off-by: Milton Miller Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 3115875e9cace0d65df3ec0b07edbe10da1068ad Author: Milton Miller Date: Tue May 10 19:28:41 2011 +0000 powerpc/kdump64: Don't reference freed memory as pacas commit bd9e5eefecb3d69018bb95796298019d309cbec8 upstream. Starting with 1426d5a3bd07589534286375998c0c8c6fdc5260 (powerpc: Dynamically allocate pacas) the space for pacas beyond cpu_possible is freed, but we failed to update the loop in crash.c. Since c1854e00727f50f7ac99e98d26ece04c087ef785 (powerpc: Set nr_cpu_ids early and use it to free PACAs) the number of pacas allocated is always nr_cpu_ids. Signed-off-by: Milton Miller Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 2016e5d81c5c3d8d0a9aa21353aac88900aa5a9d Author: Arun Easi Date: Tue May 10 11:18:17 2011 -0700 qla2xxx: Fix vport delete hang when logins are outstanding. commit 9f40682e2857a3c2ddb80a87b185af3c6a708346 upstream. Timer is required to flush out entries that may be present in work queues. Signed-off-by: Arun Easi Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 500412699c7cbc1fcda2cc9a146da78760c5386f Author: Saurav Kashyap Date: Tue May 10 11:18:18 2011 -0700 qla2xxx: Fix virtual port failing to login after chip reset. commit cefcaba67ab97fb756b3a6af5139c94d861b660d upstream. This patch ensures qla82xx_watchdog is not being run for the vport. It also makes sure that beacon ON is not done for the vport, as it will lead to the waking up of the dpc thread again and again. Signed-off-by: Saurav Kashyap Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 517f567248f199edf3e182fe8b1366a0422b10db Author: Arun Easi Date: Tue May 10 11:18:16 2011 -0700 qla2xxx: Fix hang during driver unload when vport is active. commit 43ebf16d762b082663976b679b813e1b546548d1 upstream. Bumping ref count during fc_vport_terminate() was the cause. vport delete would wait for ref count to drop to zero and that would never happen. Signed-off-by: Arun Easi Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit eea39c13d16351956b93014e441dc94b54e842a2 Author: Andrew Vasquez Date: Tue May 10 11:18:15 2011 -0700 qla2xxx: Properly set the dsd_list_len for dsd_chaining in cmd type 6. commit fa96d927362a422405d65491326f8ef763572e84 upstream. The firmware spec has the fcp_data_dseg_len defined as a 32-bit value, while the corresponding field in the driver structure has it defined as a 16-bit value. Signed-off-by: Andrew Vasquez Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8c624dacbf94dd92bc6385cfd0b97698f56cedbd Author: Steven Rostedt Date: Fri Apr 29 22:35:33 2011 -0400 ftrace: Only update the function code on write to filter files commit 058e297d34a404caaa5ed277de15698d8dc43000 upstream. If function tracing is enabled, a read of the filter files will cause the call to stop_machine to update the function trace sites. It should only call stop_machine on write. Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 9aefae678abf4ba79f97983dd014135c3d46f96a Author: Anton Blanchard Date: Tue May 17 15:38:57 2011 -0400 net: recvmmsg: Strip MSG_WAITFORONE when calling recvmsg commit b9eb8b8752804cecbacdb4d24b52e823cf07f107 upstream. recvmmsg fails on a raw socket with EINVAL. The reason for this is packet_recvmsg checks the incoming flags: err = -EINVAL; if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT|MSG_ERRQUEUE)) goto out; This patch strips out MSG_WAITFORONE when calling recvmmsg which fixes the issue. Signed-off-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 61d0510ca043687e6671321be87124a4acb4a0cd Author: steven finney Date: Mon May 2 11:29:17 2011 -0700 Fix memory leak in cpufreq_stat commit 98586ed8b8878e10691203687e89a42fa3355300 upstream. When a CPU is taken offline in an SMP system, cpufreq_remove_dev() nulls out the per-cpu policy before cpufreq_stats_free_table() can make use of it. cpufreq_stats_free_table() then skips the call to sysfs_remove_group(), leaving about 100 bytes of sysfs-related memory unclaimed each time a CPU-removal occurs. Break up cpu_stats_free_table into sysfs and table portions, and call the sysfs portion early. Signed-off-by: Steven Finney Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 5e982fede3ac5a43fa5e13c3b4fbe86488f22c05 Author: Jacob Shin Date: Wed Apr 27 13:32:11 2011 -0500 CPU hotplug, re-create sysfs directory and symlinks commit 27ecddc2a9f99ce4ac9a59a0acd77f7100b6d034 upstream. When we discover CPUs that are affected by each other's frequency/voltage transitions, the first CPU gets a sysfs directory created, and rest of the siblings get symlinks. Currently, when we hotplug off only the first CPU, all of the symlinks and the sysfs directory gets removed. Even though rest of the siblings are still online and functional, they are orphaned, and no longer governed by cpufreq. This patch, given the above scenario, creates a sysfs directory for the first sibling and symlinks for the rest of the siblings. Please note the recursive call, it was rather too ugly to roll it out. And the removal of redundant NULL setting (it is already taken care of near the top of the function). Signed-off-by: Jacob Shin Acked-by: Mark Langsdorf Reviewed-by: Thomas Renninger Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 62264def13786a7009cad80a292c39cb7c5bde79 Author: Naga Chumbalkar Date: Tue Apr 26 17:05:18 2011 +0000 Fix _OSC UUID in pcc-cpufreq commit 904cc1e637a00dba1b58e7752f485f90ebf2a568 upstream. UUID needs to be written out the way it is described in Sec 18.5.124 of ACPI 4.0a Specification. Platform firmware's use of this UUID/_OSC is optional, which is why we didn't notice this bug earlier. Signed-off-by: Naga Chumbalkar Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 41989a22f4afd8f1b3caffd837d2d2597c4907d6 Author: Catalin Marinas Date: Thu May 19 16:25:30 2011 +0100 kmemleak: Initialise kmemleak after debug_objects_mem_init() commit 9b090f2da85bd0df5e1a1ecfe4120b7b50358f48 upstream. Kmemleak frees objects via RCU and when CONFIG_DEBUG_OBJECTS_RCU_HEAD is enabled, the RCU callback triggers a call to free_object() in lib/debugobjects.c. Since kmemleak is initialised before debug objects initialisation, it may result in a kernel panic during booting. This patch moves the kmemleak_init() call after debug_objects_mem_init(). Reported-by: Marcin Slusarz Tested-by: Tejun Heo Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit eb9f63d0497bdcd721738c42c33acd07cd9558d1 Author: Catalin Marinas Date: Wed Apr 27 16:44:26 2011 +0100 kmemleak: Do not return a pointer to an object that kmemleak did not get commit 52c3ce4ec5601ee383a14f1485f6bac7b278896e upstream. The kmemleak_seq_next() function tries to get an object (and increment its use count) before returning it. If it could not get the last object during list traversal (because it may have been freed), the function should return NULL rather than a pointer to such object that it did not get. Signed-off-by: Catalin Marinas Reported-by: Phil Carmody Acked-by: Phil Carmody Signed-off-by: Greg Kroah-Hartman commit 57791b092659dca5c8194652767678c199e0236c Author: Geert Uytterhoeven Date: Fri May 6 20:57:11 2011 +0200 m68k: Really wire up sys_pselect6 and sys_ppoll commit d6d42bb2f85d875dc0c421699de5a1401b2af6a6 upstream. We reserved the numbers a long time ago, but never wired them up in the syscall table as they need TIF_RESTORE_SIGMASK, which we only got last year in commit cb6831d5d3099e772a510eb3e1ed0760ccffb45e ("m68k: Switch to saner sigsuspend()") Signed-off-by: Geert Uytterhoeven Acked-by: Greg Ungerer Signed-off-by: Greg Kroah-Hartman commit 20276a0718c8c01db6f358225b783d1da2134580 Author: Hugh Dickins Date: Fri May 20 15:47:33 2011 -0700 tmpfs: fix highmem swapoff crash regression commit e6c9366b2adb52cba64b359b3050200743c7568c upstream. Commit 778dd893ae78 ("tmpfs: fix race between umount and swapoff") forgot the new rules for strict atomic kmap nesting, causing WARNING: at arch/x86/mm/highmem_32.c:81 from __kunmap_atomic(), then BUG: unable to handle kernel paging request at fffb9000 from shmem_swp_set() when shmem_unuse_inode() is handling swapoff with highmem in use. My disgrace again. See https://bugzilla.kernel.org/show_bug.cgi?id=35352 Reported-by: Witold Baryluk Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman