commit 0cc9d5257857608ba85885b75fcada13d359b5d1 Merge: 4c3021d 456d66e Author: Linus Torvalds Date: Fri Feb 18 14:20:46 2011 -0800 Merge branch 'rtc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'rtc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: RTC: Re-enable UIE timer/polling emulation RTC: Revert UIE emulation removal RTC: Release mutex in error path of rtc_alarm_irq_enable commit 4c3021da451fe0ea1deaba8fa3805d8d065ec84e Merge: a5bbef0 ceaaec9 Author: Linus Torvalds Date: Fri Feb 18 14:15:05 2011 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (37 commits) net: deinit automatic LIST_HEAD net: dont leave active on stack LIST_HEAD net: provide default_advmss() methods to blackhole dst_ops tg3: Restrict phy ioctl access drivers/net: Call netif_carrier_off at the end of the probe ixgbe: work around for DDP last buffer size ixgbe: fix panic due to uninitialised pointer e1000e: flush all writebacks before unload e1000e: check down flag in tasks isdn: hisax: Use l2headersize() instead of dup (and buggy) func. arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS. cxgb4vf: Use defined Mailbox Timeout cxgb4vf: Quiesce Virtual Interfaces on shutdown ... cxgb4vf: Behave properly when CONFIG_DEBUG_FS isn't defined ... cxgb4vf: Check driver parameters in the right place ... pch_gbe: Fix the MAC Address load issue. iwlwifi: Delete iwl3945_good_plcp_health. net/can/softing: make CAN_SOFTING_CS depend on CAN_SOFTING netfilter: nf_iterate: fix incorrect RCU usage pch_gbe: Fix the issue that the receiving data is not normal. ... commit a5bbef0b2deb7b943f095181309ecc9e1fc91c0f Merge: bc3adfc 8dd3838 Author: Linus Torvalds Date: Fri Feb 18 12:44:41 2011 -0800 Merge branch 'for-linus/bugfixes' of git://xenbits.xen.org/people/ianc/linux-2.6 * 'for-linus/bugfixes' of git://xenbits.xen.org/people/ianc/linux-2.6: xen: suspend and resume system devices when running PVHVM commit bc3adfc6703edfd2484902b5391092c717076f87 Merge: 3c18d4d 3233cdb Author: Linus Torvalds Date: Fri Feb 18 12:36:06 2011 -0800 Merge branch 'fixes-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq * 'fixes-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: make sure MAYDAY_INITIAL_TIMEOUT is at least 2 jiffies long workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' workqueue: wake up a worker when a rescuer is leaving a gcwq commit ceaaec98ad99859ac90ac6863ad0a6cd075d8e0e Author: Eric Dumazet Date: Thu Feb 17 22:59:19 2011 +0000 net: deinit automatic LIST_HEAD commit 9b5e383c11b08784 (net: Introduce unregister_netdevice_many()) left an active LIST_HEAD() in rollback_registered(), with possible memory corruption. Even if device is freed without touching its unreg_list (and therefore touching the previous memory location holding LISTE_HEAD(single), better close the bug for good, since its really subtle. (Same fix for default_device_exit_batch() for completeness) Reported-by: Michal Hocko Tested-by: Michal Hocko Reported-by: Eric W. Biderman Tested-by: Eric W. Biderman Signed-off-by: Linus Torvalds Signed-off-by: Eric Dumazet CC: Ingo Molnar CC: Octavian Purdila CC: stable [.33+] Signed-off-by: David S. Miller commit f87e6f47933e3ebeced9bb12615e830a72cedce4 Author: Linus Torvalds Date: Thu Feb 17 22:54:38 2011 +0000 net: dont leave active on stack LIST_HEAD Eric W. Biderman and Michal Hocko reported various memory corruptions that we suspected to be related to a LIST head located on stack, that was manipulated after thread left function frame (and eventually exited, so its stack was freed and reused). Eric Dumazet suggested the problem was probably coming from commit 443457242beb (net: factorize sync-rcu call in unregister_netdevice_many) This patch fixes __dev_close() and dev_close() to properly deinit their respective LIST_HEAD(single) before exiting. References: https://lkml.org/lkml/2011/2/16/304 References: https://lkml.org/lkml/2011/2/14/223 Reported-by: Michal Hocko Tested-by: Michal Hocko Reported-by: Eric W. Biderman Tested-by: Eric W. Biderman Signed-off-by: Linus Torvalds Signed-off-by: Eric Dumazet CC: Ingo Molnar CC: Octavian Purdila Signed-off-by: David S. Miller commit 214f45c91bbda8321d9676f1197238e4663edcbb Author: Eric Dumazet Date: Fri Feb 18 11:39:01 2011 -0800 net: provide default_advmss() methods to blackhole dst_ops Commit 0dbaee3b37e118a (net: Abstract default ADVMSS behind an accessor.) introduced a possible crash in tcp_connect_init(), when dst->default_advmss() is called from dst_metric_advmss() Reported-by: George Spelvin Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 3c18d4de86e4a7f93815c081e50e0543fa27200f Author: Linus Torvalds Date: Fri Feb 18 11:32:28 2011 -0800 Expand CONFIG_DEBUG_LIST to several other list operations When list debugging is enabled, we aim to readably show list corruption errors, and the basic list_add/list_del operations end up having extra debugging code in them to do some basic validation of the list entries. However, "list_del_init()" and "list_move[_tail]()" ended up avoiding the debug code due to how they were written. This fixes that. So the _next_ time we have list_move() problems with stale list entries, we'll hopefully have an easier time finding them.. Signed-off-by: Linus Torvalds commit 2a324ce7b79a3a90cc2d4ade5d5f960a99000caa Merge: c8b392e 2e725a0 Author: Linus Torvalds Date: Thu Feb 17 17:52:36 2011 -0800 Merge branch 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6 * 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6: PM / Hibernate: Return error code when alloc_image_page() fails commit c8b392e9ad7332b8e44f7f15dafa5fc837f7da8d Merge: dd8240b e138018 Author: Linus Torvalds Date: Thu Feb 17 17:52:17 2011 -0800 Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 * 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: drm/radeon/kms: add missing frac fb div flag for dce4+ drm/radeon/kms: do not reject X16 and Y16X16 floating-point formats on r300 drm/nouveau: fix suspend/resume on GPUs that don't have PM support drm/nouveau: flips/flipd need to always set 'evict' for move_accel_cleanup() drm/nv40: fix tiling-related setup for a number of chipsets drm/nouveau: fix non-EDIDful native mode selection drm/nouveau: Fix detection of DDC-based LVDS on DCB15 boards. drm/nv04-nv40: Fix NULL dereference when we fail to find an LVDS native mode. drm/nv10: Fix crash when allocating a BO larger than half the available VRAM. commit dd8240bd3e59c5f4d49195a711cb4f12aeb7cf85 Merge: a0aeccd 814b0a6 Author: Linus Torvalds Date: Thu Feb 17 17:51:52 2011 -0800 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/qib: Prevent double completions after a timeout or RNR error IB/qib: Fix double add_timer() RDMA/nes: Don't generate async events for unregistered devices commit a0aeccdc694d5db3b4310a6ed1ce4f88974cf7b4 Merge: fa7ea87 b62818e Author: Linus Torvalds Date: Thu Feb 17 17:51:27 2011 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6: sparc64: Fix NMI startup bug which also breaks perf. sparc: fix size argument to find_next_zero_bit() sparc: use bitmap_set() sparc32: unaligned memory access (MNA) trap handler bug commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed Author: Timo Warns Date: Thu Feb 17 22:27:40 2011 +0100 fs/partitions: Validate map_count in Mac partition tables Validate number of blocks in map and remove redundant variable. Signed-off-by: Timo Warns Cc: stable@kernel.org Signed-off-by: Linus Torvalds commit 456d66ecd09e3bc326b93174745faafb6ac378d6 Author: John Stultz Date: Fri Feb 11 18:15:23 2011 -0800 RTC: Re-enable UIE timer/polling emulation This patch re-enables UIE timer/polling emulation for rtc devices that do not support alarm irqs. CC: Uwe Kleine-König CC: Thomas Gleixner Reported-by: Uwe Kleine-König Tested-by: Uwe Kleine-König Signed-off-by: John Stultz commit 6e57b1d6a8d8ed1998229b71c102be1997e397c6 Author: John Stultz Date: Fri Feb 11 17:45:40 2011 -0800 RTC: Revert UIE emulation removal Uwe pointed out that my alarm based UIE emulation is not sufficient to replace the older timer/polling based UIE emulation on devices where there is no alarm irq. This causes rtc devices without alarms to return -EINVAL to UIE ioctls. The fix is to re-instate the old timer/polling method for devices without alarm irqs. This patch reverts the following commits: 042620a018afcfba1d678062b62e46 - Remove UIE emulation 1daeddd5962acad1bea55e524fc0fa - Cleanup removed UIE emulation declaration b5cc8ca1c9c3a37eaddf709b2fd3e1 - Remove Kconfig symbol for UIE emulation The emulation mode will still need to be wired-in with a following patch before it will work. CC: Uwe Kleine-König CC: Thomas Gleixner Reported-by: Uwe Kleine-König Signed-off-by: John Stultz commit 516373b8b60fa4152334b6b6f2ece0f178c540ce Author: Uwe Kleine-König Date: Mon Feb 14 11:33:17 2011 +0100 RTC: Release mutex in error path of rtc_alarm_irq_enable On hardware that doesn't support alarm interrupts, rtc_alarm_irq_enable could return without releasing the ops_lock mutex. This was introduced in aa0be0f (RTC: Propagate error handling via rtc_timer_enqueue properly) This patch corrects the issue by only returning once the mutex is released. [john.stultz: Reworded the commit log] Signed-off-by: Uwe Kleine-König Signed-off-by: John Stultz commit ed199facd070f8e551dc16a2ae1baa01d8d28ed4 Author: Matt Carlson Date: Tue Feb 15 12:51:10 2011 +0000 tg3: Restrict phy ioctl access If management firmware is present and the device is down, the firmware will assume control of the phy. If a phy access were allowed from the host, it will collide with firmware phy accesses, resulting in unpredictable behavior. This patch fixes the problem by disallowing phy accesses during the problematic condition. Signed-off-by: Matt Carlson Reviewed-by: Michael Chan Signed-off-by: David S. Miller commit 0d672e9f8ac320c6d1ea9103db6df7f99ea20361 Author: Ivan Vecera Date: Tue Feb 15 02:08:39 2011 +0000 drivers/net: Call netif_carrier_off at the end of the probe Without calling of netif_carrier_off at the end of the probe the operstate is unknown when the device is initially opened. By default the carrier is on so when the device is opened and netif_carrier_on is called the link watch event is not fired and operstate remains zero (unknown). This patch fixes this behavior in forcedeth and r8169. Signed-off-by: Ivan Vecera Acked-by: Francois Romieu Signed-off-by: David S. Miller commit 814b0a61204d24f9fba6f7c575e6450d15ce2cf1 Merge: 25a54a6b c0af2c0 Author: Roland Dreier Date: Thu Feb 17 14:04:59 2011 -0800 Merge branches 'nes' and 'qib' into for-next commit c0af2c057d7ce3f0b260f9380d187a82bb5cab28 Author: Mike Marciniszyn Date: Wed Feb 16 15:48:25 2011 +0000 IB/qib: Prevent double completions after a timeout or RNR error There is a double completion associated with error handling for RC QPs. The sequence is: - The do_rc_ack() routine fields an RNR nack and there are 0 rnr_retries configured on the QP. - qib_error_qp() stops the pending timer - qib_rc_send_complete() is called from sdma_complete() - qib_rc_send_complete() starts the timer because the msb of the psn just completed says an ack is needed. - a bunch of flushes occur as ipoib posts WQEs to an error'ed QP - rc_timeout() calls qib_restart_rc() - qib_restart_rc() calls qib_send_complete() with a IB_WC_RETRY_EXC_ERR on a wqe that has already been completed in the past The fix avoids starting the timer since another packet will never arrive. Signed-off-by: Mike Marciniszyn Signed-off-by: Roland Dreier commit 8dd38383a51d0fb6b025dc330aaa3470281da3b2 Author: Ian Campbell Date: Thu Feb 17 10:31:20 2011 +0000 xen: suspend and resume system devices when running PVHVM Otherwise we fail to properly suspend/resume all of the emulated devices. Something between 2.6.38-rc2 and rc3 appears to have exposed this issue, but it's always been wrong not to do this. Signed-off-by: Ian Campbell Acked-by: Stefano Stabellini Acked-by: Jeremy Fitzhardinge commit c600636bd560b04973174caa5e349a72bce51637 Author: Amir Hanania Date: Tue Feb 15 09:11:31 2011 +0000 ixgbe: work around for DDP last buffer size A HW limitation was recently discovered where the last buffer in a DDP offload cannot be a full buffer size in length. Fix the issue with a work around by adding another buffer with size = 1. Signed-off-by: Amir Hanania Tested-by: Ross Brattain Signed-off-by: Jeff Kirsher commit 4c7e604babd15db9dca3b07de167a0f93fe23bf4 Author: Andy Gospodarek Date: Thu Feb 17 01:13:13 2011 -0800 ixgbe: fix panic due to uninitialised pointer Systems containing an 82599EB and running a backported driver from upstream were panicing on boot. It turns out hw->mac.ops.setup_sfp is only set for 82599, so one should check to be sure that pointer is set before continuing in ixgbe_sfp_config_module_task. I verified by inspection that the upstream driver has the same issue and also added a check before the call in ixgbe_sfp_link_config. Signed-off-by: Andy Gospodarek Signed-off-by: Jeff Kirsher commit 713b3c9e4c1a6da6b45da6474ed554ed0a48de69 Author: Jesse Brandeburg Date: Wed Feb 2 10:19:50 2011 +0000 e1000e: flush all writebacks before unload The driver was not flushing all writebacks before unloading, possibly causing memory to be written by the hardware after the driver had reinitialized the rings. This adds missing functionality to flush any pending writebacks and is called in all spots where descriptors should be completed before the driver begins processing. Signed-off-by: Jesse Brandeburg Reviewed-by: Bruce Allan Tested-by: Jeff Pieper Signed-off-by: Jeff Kirsher commit 615b32af9730def64330e4c0c95c973e90bd9c6d Author: Jesse Brandeburg Date: Wed Feb 2 10:19:45 2011 +0000 e1000e: check down flag in tasks This change is part of a fix to avoid any tasks running while the driver is exiting and deinitializing resources. Signed-off-by: Jesse Brandeburg Tested-by: Jeff Pieper Signed-off-by: Jeff Kirsher commit ee715087024b91a6ceb85ba2d02f6c35d354a48c Merge: 68ac01a 47c8529 Author: Linus Torvalds Date: Wed Feb 16 21:53:41 2011 -0800 Merge branch 'for-2.6.38' of git://linux-nfs.org/~bfields/linux * 'for-2.6.38' of git://linux-nfs.org/~bfields/linux: nfsd: correctly handle return value from nfsd_map_name_to_* commit e138018e3593a6af9ad7680b68c23451587daf11 Merge: 9f4283f 317495b Author: Dave Airlie Date: Thu Feb 17 13:56:35 2011 +1000 Merge remote branch 'nouveau/drm-nouveau-next' of /ssd/git/drm-nouveau-next into drm-fixes * 'nouveau/drm-nouveau-next' of /ssd/git/drm-nouveau-next: drm/nouveau: fix suspend/resume on GPUs that don't have PM support drm/nouveau: flips/flipd need to always set 'evict' for move_accel_cleanup() drm/nv40: fix tiling-related setup for a number of chipsets drm/nouveau: fix non-EDIDful native mode selection drm/nouveau: Fix detection of DDC-based LVDS on DCB15 boards. drm/nv04-nv40: Fix NULL dereference when we fail to find an LVDS native mode. drm/nv10: Fix crash when allocating a BO larger than half the available VRAM. commit 9f4283f49f0a96a64c5a45fe56f0f8c942885eef Author: Alex Deucher Date: Wed Feb 16 21:17:04 2011 -0500 drm/radeon/kms: add missing frac fb div flag for dce4+ The fixed ref/post dividers are set by the AdjustPll table rather than the ss info table on dce4+. Make sure we enable the fractional feedback dividers when using a fixed post or ref divider on them as well. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=29272 Signed-off-by: Alex Deucher Cc: stable@kernel.org Signed-off-by: Dave Airlie commit 16e4b8a6e44b8c736c37af370afaa428c3239fb6 Author: Marek Olšák Date: Wed Feb 16 02:26:08 2011 +0100 drm/radeon/kms: do not reject X16 and Y16X16 floating-point formats on r300 Signed-off-by: Marek Olšák Signed-off-by: Dave Airlie commit 317495b25ec1f0beb0dbac8ee0dfec59a1addf03 Author: Ben Skeggs Date: Thu Feb 17 11:11:28 2011 +1000 drm/nouveau: fix suspend/resume on GPUs that don't have PM support This has been broken since 2.6.37, and fixes resume on a couple of fermi boards I have access to. Signed-off-by: Ben Skeggs commit 68ac01a2de5faed5e19a78c06314804c6184a650 Merge: e51900f 0f3e1d2 Author: Linus Torvalds Date: Wed Feb 16 16:48:36 2011 -0800 Merge branch 'spi/merge' of git://git.secretlab.ca/git/linux-2.6 * 'spi/merge' of git://git.secretlab.ca/git/linux-2.6: spi/pxa2xx pci: fix the release - remove race commit e51900f7d38cbcfb481d84567fd92540e7e1d23a Author: Chuck Ebbert Date: Wed Feb 16 18:11:53 2011 -0500 block: revert block_dev read-only check This reverts commit 75f1dc0d076d ("block: check bdev_read_only() from blkdev_get()"). That commit added stricter checking to make sure devices that were being used read-only were actually opened in that mode. It turns out that the change breaks a bunch of kernel code that opens block devices. Affected systems include dm, md, and the loop device. Because strict checking for read-only opens of block devices was not done before this, the code that opens the devices was opening them read-write even if they were being used read-only. Auditing all that code will take time, and new userspace packages for dm, mdadm, etc. will also be required. Signed-off-by: Chuck Ebbert Signed-off-by: Linus Torvalds commit b8884da6113be83f6f3b296539bcd9f602a6abd8 Author: Ben Skeggs Date: Mon Feb 14 13:51:28 2011 +1000 drm/nouveau: flips/flipd need to always set 'evict' for move_accel_cleanup() We free the temporary binding before leaving this function, so we also have to wait for the move to actually complete. Signed-off-by: Ben Skeggs commit 1dc32671d887f05844315e4105ad4c783299ac8f Author: Ben Skeggs Date: Mon Feb 7 10:49:39 2011 +1000 drm/nv40: fix tiling-related setup for a number of chipsets Due to the default case handling the older chipsets, a bunch of the newer ones ended up having the wrong tiling regs used. This commit switches the default case to handle the newest chipsets. This also makes nv4e touch the "extra" tiling regs. "nv" doesn't touch them for C51 but traces of the NVIDIA binary driver show it being done there. I couldn't find NV41/NV45 traces to confirm the behaviour there, but an educated guess was taken at each of them. Signed-off-by: Ben Skeggs commit 0d9b6193bcc335fb05a26af5b11a0d76b70cb1a4 Author: Ben Skeggs Date: Mon Feb 7 08:41:18 2011 +1000 drm/nouveau: fix non-EDIDful native mode selection The DRM core fills this value, but at too late a stage for this to work, possibly resulting in an undesirable mode being selected. Signed-off-by: Ben Skeggs commit 77b1d5dc119f9b72bcfbb49d2431fd3679382dab Author: Francisco Jerez Date: Thu Feb 3 01:56:32 2011 +0100 drm/nouveau: Fix detection of DDC-based LVDS on DCB15 boards. Signed-off-by: Francisco Jerez Signed-off-by: Ben Skeggs commit 87886221471495c26d517a7b3ce7c7aa56cc854f Author: Francisco Jerez Date: Thu Feb 3 01:53:18 2011 +0100 drm/nv04-nv40: Fix NULL dereference when we fail to find an LVDS native mode. Reported-by: Alex Buell Signed-off-by: Francisco Jerez Signed-off-by: Ben Skeggs commit 812f219a0f8a74a558c35be7942a07232ba348a5 Author: Francisco Jerez Date: Thu Feb 3 01:49:33 2011 +0100 drm/nv10: Fix crash when allocating a BO larger than half the available VRAM. Reported-by: Alex Buell Signed-off-by: Francisco Jerez Signed-off-by: Ben Skeggs commit 47c85291d3dd1a51501555000b90f8e281a0458e Author: NeilBrown Date: Wed Feb 16 13:08:35 2011 +1100 nfsd: correctly handle return value from nfsd_map_name_to_* These functions return an nfs status, not a host_err. So don't try to convert before returning. This is a regression introduced by 3c726023402a2f3b28f49b9d90ebf9e71151157d; I fixed up two of the callers, but missed these two. Cc: stable@kernel.org Reported-by: Herbert Poetzl Signed-off-by: NeilBrown Signed-off-by: J. Bruce Fields commit 2e725a065b0153f0c449318da1923a120477633d Author: Stanislaw Gruszka Date: Sat Feb 12 21:06:51 2011 +0100 PM / Hibernate: Return error code when alloc_image_page() fails Currently we return 0 in swsusp_alloc() when alloc_image_page() fails. Fix that. Also remove unneeded "error" variable since the only useful value of error is -ENOMEM. [rjw: Fixed up the changelog and changed subject.] Signed-off-by: Stanislaw Gruszka Cc: stable@kernel.org Signed-off-by: Rafael J. Wysocki commit 3233cdbd9fa347a6d6897a94cc6ed0302ae83c4f Author: Tejun Heo Date: Wed Feb 16 18:10:19 2011 +0100 workqueue: make sure MAYDAY_INITIAL_TIMEOUT is at least 2 jiffies long MAYDAY_INITIAL_TIMEOUT is defined as HZ / 100 and depending on configuration may end up 0 or 1. Even when it's 1, depending on when the mayday timer is added in the current jiffy interval, it may expire way before a jiffy has passed. Make sure MAYDAY_INITIAL_TIMEOUT is at least two to guarantee that at least a full jiffy has passed before calling rescuers. Signed-off-by: Tejun Heo Reported-by: Ray Jui Cc: stable@kernel.org commit a2640111d5edb3f4e6dd6089c0dbddc7590110b4 Merge: 0d6e82e 1621dbb Author: Linus Torvalds Date: Wed Feb 16 09:07:00 2011 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: [SCSI] qla2xxx: Return DID_NO_CONNECT when FC device is lost. [SCSI] mptfusion: Bump version 03.04.18 [SCSI] mptfusion: Fix Incorrect return value in mptscsih_dev_reset [SCSI] mptfusion: mptctl_release is required in mptctl.c [SCSI] target: fix use after free detected by SLUB poison [SCSI] target: Remove procfs based target_core_mib.c code [SCSI] target: Fix SCF_SCSI_CONTROL_SG_IO_CDB breakage [SCSI] target: Fix top-level configfs_subsystem default_group shutdown breakage [SCSI] target: fixed missing lock drop in error path [SCSI] target: Fix demo-mode MappedLUN shutdown UA/PR breakage [SCSI] target/iblock: Fix failed bd claim NULL pointer dereference [SCSI] target: iblock/pscsi claim checking for NULL instead of IS_ERR [SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption [SCSI] qla2xxx: Change from irq to irqsave with host_lock [SCSI] qla2xxx: Fix race that could hang kthread_stop() commit 0d6e82e7e0b6a192ec9c875d9ed08ad9e43c7c2f Merge: 3abb17e 9d20b57 Author: Linus Torvalds Date: Wed Feb 16 09:04:41 2011 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: sha-s390 - Reset index after processing partial block commit 3abb17e82f08628b59e20d8cbcb55e2204180f69 Author: Linus Torvalds Date: Wed Feb 16 08:56:55 2011 -0800 vfs: fix BUG_ON() in fs/namei.c:1461 When Al moved the nameidata_dentry_drop_rcu_maybe() call into the do_follow_link function in commit 844a391799c2 ("nothing in do_follow_link() is going to see RCU"), he mistakenly left the BUG_ON(inode != path->dentry->d_inode); behind. Which would otherwise be ok, but that BUG_ON() really needs to be _after_ dropping RCU, since the dentry isn't necessarily stable otherwise. So complete the code movement in that commit, and move the BUG_ON() into do_follow_link() too. This means that we need to pass in 'inode' as an argument (just for this one use), but that's a small thing. And eventually we may be confident enough in our path lookup that we can just remove the BUG_ON() and the unnecessary inode argument. Reported-and-tested-by: Eric Dumazet Acked-by: Al Viro Signed-off-by: Linus Torvalds commit 58a69cb47ec6991bf006a3e5d202e8571b0327a4 Author: Tejun Heo Date: Wed Feb 16 09:25:31 2011 +0100 workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' There are two spellings in use for 'freeze' + 'able' - 'freezable' and 'freezeable'. The former is the more prominent one. The latter is mostly used by workqueue and in a few other odd places. Unify the spelling to 'freezable'. Signed-off-by: Tejun Heo Reported-by: Alan Stern Acked-by: "Rafael J. Wysocki" Acked-by: Greg Kroah-Hartman Acked-by: Dmitry Torokhov Cc: David Woodhouse Cc: Alex Dubov Cc: "David S. Miller" Cc: Steven Whitehouse commit b62818e5ff78cab4daf04fc0c12f86475dbc4b69 Author: David S. Miller Date: Tue Feb 15 15:04:07 2011 -0800 sparc64: Fix NMI startup bug which also breaks perf. Doing NMI startup as an early initcall doesn't work because we need to have SMP started up by then. So we'd only NMI startup one cpu, which causes perf PMU grab to BUG because the nmi_active count isn't what it's supposed to be. This also points out that we don't have proper CPU up/down notifiers for the NMI code which will need to be fixed at some point. Signed-off-by: David S. Miller commit 0f3e1d27a7e3f98d996d707d649128e229b65deb Author: Sebastian Andrzej Siewior Date: Thu Feb 3 00:31:21 2011 +0530 spi/pxa2xx pci: fix the release - remove race Right now the platform device and its platform data is included in one big struct which requires its custom ->release function. The problem with the release function within the driver is that it might be called after the driver was removed because someone was holding a reference to it and it was not called right after platform_device_unregister(). So we also free the platform device memory to which one might hold a reference. This patch uses the normal pdev functions so this kind of race does not occur. Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Grant Likely commit 6d90e8f45697c633f522269368297d7416fd8783 Author: David S. Miller Date: Tue Feb 15 12:18:09 2011 -0800 isdn: hisax: Use l2headersize() instead of dup (and buggy) func. There was a bug in my commit c978e7bb77dfd2cd3d1f547fa4e395cfe47f02b2 ("hisax: Fix unchecked alloc_skb() return.") One of the l2->flag checks is wrong. Even worse it turns out I'm duplicating an existing function, so use that instead. Reported-by: Milton Miller Signed-off-by: David S. Miller commit 1621dbbdb90f42b7bd14aea1c44ee49b558d1b1a Author: Andrew Vasquez Date: Fri Jan 28 15:17:55 2011 -0800 [SCSI] qla2xxx: Return DID_NO_CONNECT when FC device is lost. If the target device gets lost, this fix is needed, as it causes negative unintended responses on basic I/O tests. If the target device gets lost, the upstream qla2xxx driver returns SCSI_MLQUEUE_TARGET_BUSY which causes an immediate retry without drop in the number of allowed retries. This semantic change, as a result of removing FC_DEVICE_LOST check is reasonable, as it only extends a short transitional period, until the transport is called to notify that the rport as lost (fc_remote_port_delete()). Once transport notification is done, fc_remote_port_chkready() check will take over. Signed-off-by: Andrew Vasquez Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley commit d11327ad6695db8117c78d70611e71102ceec2ac Author: Ian Campbell Date: Fri Feb 11 07:44:16 2011 +0000 arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS. NETDEV_NOTIFY_PEER is an explicit request by the driver to send a link notification while NETDEV_UP/NETDEV_CHANGEADDR generate link notifications as a sort of side effect. In the later cases the sysctl option is present because link notification events can have undesired effects e.g. if the link is flapping. I don't think this applies in the case of an explicit request from a driver. This patch makes NETDEV_NOTIFY_PEER unconditional, if preferred we could add a new sysctl for this case which defaults to on. This change causes Xen post-migration ARP notifications (which cause switches to relearn their MAC tables etc) to be sent by default. Signed-off-by: Ian Campbell Signed-off-by: David S. Miller commit 0550769bb7f364fb9aeeb9412229fb7790ee79c4 Author: Casey Leedom Date: Mon Feb 14 12:56:25 2011 +0000 cxgb4vf: Use defined Mailbox Timeout VF Driver should use mailbox command timeout specified in t4fw_interface.h rather than hard-coded value of 500ms. Signed-off-by: Casey Leedom Signed-off-by: David S. Miller commit 7e9c26295b2ae1be1285c7c9e593c19ce7ea7eba Author: Casey Leedom Date: Mon Feb 14 12:56:24 2011 +0000 cxgb4vf: Quiesce Virtual Interfaces on shutdown ... When a Virtual Machine is rebooted, KVM currently fails to issue a Function Level Reset against any "Attached PCI Devices" (AKA "PCI Passthrough"). In addition to leaving the attached device in a random state in the next booted kernel (which sort of violates the entire idea of a reboot reseting hardware state), this leaves our peer thinking that the link is still up. (Note that a bug has been filed with the KVM folks, #25332, but there's been no response on that as of yet.) So, we add a "->shutdown()" method for the Virtual Function PCI Device to handle administrative shutdowns like a reboot. Signed-off-by: Casey Leedom Signed-off-by: David S. Miller commit 843635e0349be9e318be224d6241069a40e23320 Author: Casey Leedom Date: Mon Feb 14 12:56:23 2011 +0000 cxgb4vf: Behave properly when CONFIG_DEBUG_FS isn't defined ... When CONFIG_DEBUG_FS we get "ERR_PTR()"s back from the debugfs routines instead of NULL. Use the right predicates to check for this. Signed-off-by: Casey Leedom Signed-off-by: David S. Miller commit bb14a1af86d01f66dc9620725ac00a240331afec Author: Casey Leedom Date: Mon Feb 14 12:56:22 2011 +0000 cxgb4vf: Check driver parameters in the right place ... Check module parameter validity in the module initialization routine instead of the PCI Device Probe routine. Signed-off-by: Casey Leedom Signed-off-by: David S. Miller commit 98200ec28a66c8db5839ac26e9a895984206b50f Author: Toshiharu Okada Date: Sun Feb 13 22:51:54 2011 +0000 pch_gbe: Fix the MAC Address load issue. With the specification of hardware, the processing at the time of driver starting was modified. This device write automatically the MAC address read from serial ROM into a MAC Adress1A/1B register at the time of power on reset. However, when stable clock is not supplied, the writing of MAC Adress1A/1B register may not be completed. In this case, it is necessary to load MAC address to MAC Address1A/1B register by the MAC Address1 load register. This patch always does the above processing, in order not to be dependent on system environment. Signed-off-by: Toshiharu Okada Signed-off-by: David S. Miller commit 5d17920bd4df6802fb48ccf8283721657c5a8257 Author: David S. Miller Date: Mon Feb 14 13:28:00 2011 -0800 iwlwifi: Delete iwl3945_good_plcp_health. Fixes this build warning: drivers/net/wireless/iwlwifi/iwl-3945.c:411:13: warning: 'iwl3945_good_plcp_health' defined but not used As per Johannes Berg. Signed-off-by: David S. Miller commit 8bc26a008f61eac5631701cbd65f88c015a63280 Merge: ddfdb50 a7b545f Author: David S. Miller Date: Mon Feb 14 12:51:42 2011 -0800 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 commit ddfdb508866b3c07b295f6c85c271981d88afe4c Author: Kurt Van Dijck Date: Mon Feb 14 11:44:01 2011 -0800 net/can/softing: make CAN_SOFTING_CS depend on CAN_SOFTING The statement 'select CAN_SOFTING' may ignore the dependancies for CAN_SOFTING while selecting CAN_SOFTING_CS, as is therefore a bad choice. Signed-off-by: Kurt Van Dijck Acked-by: Randy Dunlap Signed-off-by: David S. Miller commit af756e9d8873efc8b0565c06734ef12d9b652061 Merge: ac09664 de9963f Author: David S. Miller Date: Mon Feb 14 11:16:12 2011 -0800 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 commit de9963f0f2dfad128b26ae7bf6005f5948416a6d Author: Patrick McHardy Date: Mon Feb 14 17:35:07 2011 +0100 netfilter: nf_iterate: fix incorrect RCU usage As noticed by Eric, nf_iterate doesn't use RCU correctly by accessing the prev pointer of a RCU protected list element when a verdict of NF_REPEAT is issued. Fix by jumping backwards to the hook invocation directly instead of loading the previous list element before continuing the list iteration. Reported-by: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: Patrick McHardy commit 7576958a9d5a4a677ad7dd40901cdbb6c1110c98 Author: Tejun Heo Date: Mon Feb 14 14:04:46 2011 +0100 workqueue: wake up a worker when a rescuer is leaving a gcwq After executing the matching works, a rescuer leaves the gcwq whether there are more pending works or not. This may decrease the concurrency level to zero and stall execution until a new work item is queued on the gcwq. Make rescuer wake up a regular worker when it leaves a gcwq if there are more works to execute, so that execution isn't stalled. Signed-off-by: Tejun Heo Reported-by: Ray Jui Cc: stable@kernel.org commit ac09664248e300342e92b937c9894a8149ddf189 Author: Toshiharu Okada Date: Tue Feb 8 22:15:59 2011 +0000 pch_gbe: Fix the issue that the receiving data is not normal. This PCH_GBE driver had an issue that the receiving data is not normal. This driver had not removed correctly the padding data which the DMA include in receiving data. This patch fixed this issue. Signed-off-by: Toshiharu Okada Signed-off-by: David S. Miller commit 539c9aa5ba7c5f71794ef0948c6dd29552f033e4 Author: Giuseppe Cavallaro Date: Sun Feb 13 17:00:05 2011 -0800 stmmac: enable wol via magic frame by default. This patch enables it by default when the driver starts. This has been required by many people and seems to actually be useful on STB. At any rate, the WoL modes can be selected and turned-on/off by using the ethtool at run-time by users. Signed-off-by: Giuseppe Cavallaro Signed-off-by: David S. Miller commit da1ab3e233eb1ff4116b178006a89ddca7dcd928 Author: Jesper Juhl Date: Sun Feb 13 10:49:32 2011 +0000 ATM, Solos PCI ADSL2+: Don't deref NULL pointer if net_ratelimit() and alloc_skb() interact badly. If alloc_skb() fails to allocate memory and returns NULL then we want to return -ENOMEM from drivers/atm/solos-pci.c::popen() regardless of the value of net_ratelimit(). The way the code is today, we may not return if net_ratelimit() returns 0, then we'll proceed to pass a NULL pointer to skb_put() which will blow up in our face. This patch ensures that we always return -ENOMEM on alloc_skb() failure and only let the dev_warn() be controlled by the value of net_ratelimit(). Signed-off-by: Jesper Juhl Signed-off-by: David S. Miller commit 5b89db0e84bef81f6aa324f8f22a9258ff873de3 Author: Jesper Juhl Date: Sun Feb 13 11:15:35 2011 +0000 Net, USB, Option, hso: Do not dereference NULL pointer In drivers/net/usb/hso.c::hso_create_bulk_serial_device() we have this code: ... serial = kzalloc(sizeof(*serial), GFP_KERNEL); if (!serial) goto exit; ... exit: hso_free_tiomget(serial); ... hso_free_tiomget() directly dereferences its argument, which in the example above is a NULL pointer, ouch. I could just add a 'if (serial)' test at the 'exit' label, but since most freeing functions in the kernel accept NULL pointers (and it seems like this was also assumed here) I opted to instead change 'hso_free_tiomget()' so that it is safe to call it with a NULL argument. I also modified the function to get rid of a pointles conditional before the call to 'usb_free_urb()' since that function already tests for NULL itself - besides fixing the NULL deref this change also buys us a few bytes in size. Before: $ size drivers/net/usb/hso.o text data bss dec hex filename 32200 592 9960 42752 a700 drivers/net/usb/hso.o After: $ size drivers/net/usb/hso.o text data bss dec hex filename 32196 592 9960 42748 a6fc drivers/net/usb/hso.o Signed-off-by: Jesper Juhl Signed-off-by: David S. Miller commit c978e7bb77dfd2cd3d1f547fa4e395cfe47f02b2 Author: David S. Miller Date: Sun Feb 13 16:50:45 2011 -0800 hisax: Fix unchecked alloc_skb() return. Jesper Juhl noticed that l2_pull_iqueue() does not check to see if alloc_skb() fails. Fix this by first trying to reallocate the headroom if necessary, rather than later after we've made hard to undo state changes. Reported-by: Jesper Juhl Signed-off-by: David S. Miller commit ab60707ffe9920b66b4fff5181b44b14cd091472 Author: Jesper Juhl Date: Thu Feb 10 10:58:45 2011 +0000 USB Network driver infrastructure: Fix leak when usb_autopm_get_interface() returns less than zero in kevent(). We'll leak the memory allocated to 'urb' in drivers/net/usb/usbnet.c:kevent() when we 'goto fail_lowmem' and the 'urb' variable goes out of scope while still completely unused. Signed-off-by: Jesper Juhl Signed-off-by: David S. Miller commit d3337de52af7fb0ebe605b02b740be4ee7dee9eb Author: Jesper Juhl Date: Thu Feb 10 11:57:16 2011 +0000 Don't potentially dereference NULL in net/dcb/dcbnl.c:dcbnl_getapp() nla_nest_start() may return NULL. If it does then we'll blow up in nla_nest_end() when we dereference the pointer. Signed-off-by: Jesper Juhl Signed-off-by: David S. Miller commit 7ec79270d7de0c8ca602c47cb25a9652ec28f37f Author: John Fastabend Date: Mon Jan 31 12:00:59 2011 +0000 net: dcb: application priority is per net_device The app_data priority may not be the same for all net devices. In order for stacks with application notifiers to identify the specific net device dcb_app_type should be passed in the ptr. This allows handlers to use dev_get_by_name() to pin priority to net devices. Signed-off-by: John Fastabend Signed-off-by: David S. Miller commit d2b2147678a8be0144d64ec4feb759e7560eb9af Author: Kashyap, Desai Date: Thu Feb 10 11:54:29 2011 +0530 [SCSI] mptfusion: Bump version 03.04.18 Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley commit bcfe42e98047f1935c5571c8ea77beb2d43ec19d Author: Kashyap, Desai Date: Thu Feb 10 11:53:44 2011 +0530 [SCSI] mptfusion: Fix Incorrect return value in mptscsih_dev_reset There's a branch at the end of this function that is supposed to normalize the return value with what the mid-layer expects. In this one case, we get it wrong. Also increase the verbosity of the INFO level printk at the end of mptscsih_abort to include the actual return value and the scmd->serial_number. The reason being success or failure is actually determined by the state of the internal tag list when a TMF is issued, and not the return value of the TMF cmd. The serial_number is also used in this decision, thus it's useful to know for debugging purposes. Cc: stable@kernel.org Reported-by: Peter M. Petrakis Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley commit 84857c8bf83e8aa87afc57d2956ba01f11d82386 Author: Kashyap, Desai Date: Thu Feb 10 11:52:21 2011 +0530 [SCSI] mptfusion: mptctl_release is required in mptctl.c Added missing release callback for file_operations mptctl_fops. Without release callback there will be never freed. It remains on mptctl's eent list even after the file is closed and released. Relavent RHEL bugzilla is 660871 Cc: stable@kernel.org Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley commit 1f6fe7cba1c0a817a8712d7fdd0ec1b4ddd4ea2f Author: Nicholas Bellinger Date: Wed Feb 9 15:34:54 2011 -0800 [SCSI] target: fix use after free detected by SLUB poison This patch moves a large number of memory release paths inside of the configfs callback target_core_hba_item_ops->release() called from within fs/configfs/item.c: config_item_cleanup() context. This patch resolves the SLUB 'Poison overwritten' warnings. Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit e89d15eeadb172bd53ca6362bf9ab6b22077224c Author: Nicholas Bellinger Date: Wed Feb 9 15:35:03 2011 -0800 [SCSI] target: Remove procfs based target_core_mib.c code This patch removes the legacy procfs based target_core_mib.c code, and moves the necessary scsi_index_tables functions and defines into target_core_transport.c and target_core_base.h code to allow existing fabric independent statistics to function. This includes the removal of a handful of 'atomic_t mib_ref_count' counters used in struct se_node_acl, se_session and se_hba to prevent removal while using seq_list procfs walking logic. [jejb: fix up compile failures] Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit e63af95888894af6ca4112dc90083d1dff0fec29 Author: Nicholas Bellinger Date: Wed Feb 9 15:35:04 2011 -0800 [SCSI] target: Fix SCF_SCSI_CONTROL_SG_IO_CDB breakage This patch fixes a bug introduced during the v4 control CDB emulation refactoring that broke SCF_SCSI_CONTROL_SG_IO_CDB operation within transport_map_control_cmd_to_task(). It moves the BUG_ON() into transport_do_se_mem_map() after the TRANSPORT(dev)->do_se_mem_map() RAMDISK_DR special case, and adds the proper struct se_mem assignment when !list_empty() for normal non RAMDISK_DR backend device cases. Reported-by: Kai-Thorsten Hambrecht Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit 7c2bf6e925c38b8e3358f5046971b0d6086ddcf8 Author: Nicholas Bellinger Date: Wed Feb 9 15:34:53 2011 -0800 [SCSI] target: Fix top-level configfs_subsystem default_group shutdown breakage This patch fixes two bugs uncovered during testing with slub_debug=FPUZ during module_exit() -> target_core_exit_configfs() with release of configfs subsystem consumer default groups, namely how this should be working with fs/configfs/dir.c:configfs_unregister_subsystem() release logic for struct config_group->default_group. The first issue involves configfs_unregister_subsystem() expecting to walk+drain the top-level subsys->su_group.default_groups directly in unlink_group(), and not directly from the configfs subsystem consumer for the top level struct config_group->default_groups. This patch drops the walk+drain of subsys->su_group.default_groups from TCM configfs subsystem consumer code, and moves the top-level ->default_groups kfree() after configfs_unregister_subsystem() has been called. The second issue involves calling core_alua_free_lu_gp(se_global->default_lu_gp) to release the default_lu_gp->lu_gp_group before configfs_unregister_subsystem() has been called. This patches also moves the core_alua_free_lu_gp() call to release default_lu_group->lu_gp_group after the subsys has been unregistered. Finally, this patch explictly clears the [lu_gp,alua,hba]_cg->default_groups pointers after kfree() to ensure that no stale memory is picked up from child struct config_group->default_group[] while configfs_unregister_subsystem() is called. Reported-by: Fubo Chen Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit 85dc98d93f3dc41cce54118a7abab9e6aa616dd2 Author: Fubo Chen Date: Wed Feb 9 15:34:48 2011 -0800 [SCSI] target: fixed missing lock drop in error path The struct se_node_acl->device_list_lock needs to be released if either sanity check for struct se_dev_entry->se_lun_acl or deve->se_lun fails. Signed-off-by: Fubo Chen Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit 29fe609d124d6d7478d1241bb82dc2e00509f516 Author: Nicholas Bellinger Date: Wed Feb 9 15:34:43 2011 -0800 [SCSI] target: Fix demo-mode MappedLUN shutdown UA/PR breakage This patch fixes a bug in core_update_device_list_for_node() where individual demo-mode generated MappedLUN's UA + Persistent Reservations metadata where being leaked, instead of falling through and calling existing core_scsi3_ua_release_all() and core_scsi3_free_pr_reg_from_nacl() at the end of core_update_device_list_for_node(). This bug would manifest itself with the following OOPs w/ TPG demo-mode endpoints (tfo->tpg_check_demo_mode()=1), and PROUT REGISTER+RESERVE -> explict struct se_session logout -> struct se_device shutdown: [ 697.021139] LIO_iblock used greatest stack depth: 2704 bytes left [ 702.235017] general protection fault: 0000 [#1] SMP [ 702.235074] last sysfs file: /sys/devices/virtual/net/lo/operstate [ 704.372695] CPU 0 [ 704.372725] Modules linked in: crc32c target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: iscsi_target_mod] [ 704.375442] [ 704.375563] Pid: 4964, comm: tcm_node Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform [ 704.375912] RIP: 0010:[] [] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod] [ 704.376017] RSP: 0018:ffff88001e5ffcb8 EFLAGS: 00010296 [ 704.376017] RAX: 6d32335b1b0a0d0a RBX: ffff88001d952cb0 RCX: 0000000000000015 [ 704.376017] RDX: ffff88001b428000 RSI: ffff88001da5a4c0 RDI: ffff88001e5ffcd8 [ 704.376017] RBP: ffff88001e5ffd28 R08: ffff88001e5ffcd8 R09: ffff88001d952080 [ 704.377116] R10: ffff88001dfc5480 R11: ffff88001df8abb0 R12: ffff88001d952cb0 [ 704.377319] R13: 0000000000000000 R14: ffff88001df8abb0 R15: ffff88001b428000 [ 704.377521] FS: 00007f033d15c6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000 [ 704.377861] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 704.378043] CR2: 00007fff09281510 CR3: 000000001e5db000 CR4: 00000000000006f0 [ 704.378110] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 704.378110] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 704.378110] Process tcm_node (pid: 4964, threadinfo ffff88001e5fe000, task ffff88001d99c260) [ 704.378110] Stack: [ 704.378110] ffffea0000678980 ffff88001da5a4c0 ffffea0000678980 ffff88001f402b00 [ 704.378110] ffff88001e5ffd08 ffffffff810ea236 ffff88001e5ffd18 0000000000000282 [ 704.379772] ffff88001d952080 ffff88001d952cb0 ffff88001d952cb0 ffff88001dc79010 [ 704.380082] Call Trace: [ 704.380220] [] ? __slab_free+0x89/0x11c [ 704.380403] [] core_scsi3_free_all_registrations+0x3e/0x157 [target_core_mod] [ 704.380479] [] se_release_device_for_hba+0xa6/0xd8 [target_core_mod] [ 704.380479] [] se_free_virtual_device+0x3b/0x45 [target_core_mod] [ 704.383750] [] target_core_drop_subdev+0x13a/0x18d [target_core_mod] [ 704.384068] [] client_drop_item+0x25/0x31 [configfs] [ 704.384263] [] configfs_rmdir+0x1a1/0x223 [configfs] [ 704.384459] [] vfs_rmdir+0x7e/0xd3 [ 704.384631] [] do_rmdir+0xa3/0xf4 [ 704.384895] [] ? filp_close+0x67/0x72 [ 704.386485] [] sys_rmdir+0x11/0x13 [ 704.387893] [] system_call_fastpath+0x16/0x1b [ 704.388083] Code: 4c 8d 45 b0 41 56 49 89 d7 41 55 41 89 cd 41 54 b9 15 00 00 00 53 48 89 fb 48 83 ec 48 4c 89 c7 48 89 75 98 48 8b 86 28 01 00 00 <48> 8b 80 90 01 00 00 48 89 45 a0 31 c0 f3 aa c7 45 ac 00 00 00 [ 704.388763] RIP [] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod] [ 704.389142] RSP [ 704.389572] ---[ end trace 2a3614f3cd6261a5 ]--- Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit bc66552476d3faf706ea72f5a082df717ed6c30d Author: Nicholas Bellinger Date: Wed Feb 9 15:34:38 2011 -0800 [SCSI] target/iblock: Fix failed bd claim NULL pointer dereference This patch adds an explict check for struct iblock_dev->ibd_bd in iblock_free_device() before calling blkdev_put(), which will otherwise hit the following NULL pointer dereference @ ib_dev->ibd_bd when iblock_create_virtdevice() fails to claim an already in-use struct block_device via blkdev_get_by_path(). [ 112.528578] Target_Core_ConfigFS: Allocated struct se_subsystem_dev: ffff88001e750000 se_dev_su_ptr: ffff88001dd05d70 [ 112.534681] Target_Core_ConfigFS: Calling t->free_device() for se_dev_su_ptr: ffff88001dd05d70 [ 112.535029] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 [ 112.535029] IP: [] mutex_lock+0x14/0x35 [ 112.535029] PGD 1e5d0067 PUD 1e274067 PMD 0 [ 112.535029] Oops: 0002 [#1] SMP [ 112.535029] last sysfs file: /sys/devices/pci0000:00/0000:00:07.1/host2/target2:0:0/2:0:0:0/type [ 112.535029] CPU 0 [ 112.535029] Modules linked in: iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: scsi_wait_scan] [ 112.535029] [ 112.535029] Pid: 3345, comm: python2.5 Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform [ 112.535029] RIP: 0010:[] [] mutex_lock+0x14/0x35 [ 112.535029] RSP: 0018:ffff88001e6d7d58 EFLAGS: 00010246 [ 112.535029] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000082 [ 112.535029] RDX: ffff88001e6d7fd8 RSI: 0000000000000083 RDI: 0000000000000020 [ 112.535029] RBP: ffff88001e6d7d68 R08: 0000000000000000 R09: 0000000000000000 [ 112.535029] R10: ffff8800000be860 R11: ffff88001f420000 R12: 0000000000000020 [ 112.535029] R13: 0000000000000083 R14: ffff88001d809430 R15: ffff88001d8094f8 [ 112.535029] FS: 00007ff17ca7d6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000 [ 112.535029] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 112.535029] CR2: 0000000000000020 CR3: 000000001e5d2000 CR4: 00000000000006f0 [ 112.535029] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 112.535029] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 112.535029] Process python2.5 (pid: 3345, threadinfo ffff88001e6d6000, task ffff88001e2d0760) [ 112.535029] Stack: [ 112.535029] ffff88001e6d7d88 0000000000000000 ffff88001e6d7d98 ffffffff811187fc [ 112.535029] ffff88001d809430 ffff88001dd05d70 ffff88001e750860 ffff88001e750000 [ 112.535029] ffff88001e6d7db8 ffffffffa00e3757 ffff88001e6d7db8 0000000000000004 [ 112.535029] Call Trace: [ 112.535029] [] blkdev_put+0x28/0x107 [ 112.535029] [] iblock_free_device+0x1d/0x36 [target_core_iblock] [ 112.535029] [] target_core_drop_subdev+0x15f/0x18d [target_core_mod] [ 112.535029] [] client_drop_item+0x25/0x31 [configfs] [ 112.535029] [] configfs_rmdir+0x1a1/0x223 [configfs] [ 112.535029] [] vfs_rmdir+0x7e/0xd3 [ 112.535029] [] do_rmdir+0xa3/0xf4 [ 112.535029] [] sys_rmdir+0x11/0x13 [ 112.535029] [] system_call_fastpath+0x16/0x1b [ 112.535029] Code: 8b 04 25 88 b5 00 00 48 2d d8 1f 00 00 48 89 43 18 31 c0 5e 5b c9 c3 55 48 89 e5 53 48 89 fb 48 83 ec 08 e8 c4 f7 ff ff 48 89 df <3e> ff 0f 79 05 e8 1e ff ff ff 65 48 8b 04 25 88 b5 00 00 48 2d [ 112.535029] RIP [] mutex_lock+0x14/0x35 [ 112.535029] RSP [ 112.535029] CR2: 0000000000000020 [ 132.679636] ---[ end trace 05754bb48eb828f0 ]--- Note it also adds an second explict check for ib_dev->ibd_bio_set before calling bioset_free() to fix the same possible NULL pointer deference during an early iblock_create_virtdevice() failure. Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit 3ae279d25954de47c704ca713a2711ac10fcd1ee Author: Dan Carpenter Date: Wed Feb 9 15:34:36 2011 -0800 [SCSI] target: iblock/pscsi claim checking for NULL instead of IS_ERR blkdev_get_by_path() returns an ERR_PTR() or error and it doesn't return a NULL. It looks like this bug would be easy to trigger by mistake. Signed-off-by: Dan Carpenter Signed-off-by: Nicholas A. Bellinger Signed-off-by: James Bottomley commit a361cc0025614fdd07f5f69aeeaa8075530870bc Author: Darrick J. Wong Date: Mon Jan 31 18:47:54 2011 -0800 [SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption If I create a scsi_debug device that is larger than 4GB, the multiplication of (block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately, the compiler sees two 32-bit quantities and performs a 32-bit multiplication, thus truncating the bits above 2^32. This causes the wrong memory location to be read or written. Change block and rest to be unsigned long long. Signed-off-by: Darrick J. Wong Acked-by: Douglas Gilbert Signed-off-by: James Bottomley commit 044d78e1acb6614f5d79040e490f1fd9bfa45487 Author: Madhuranath Iyengar Date: Fri Jan 28 15:17:56 2011 -0800 [SCSI] qla2xxx: Change from irq to irqsave with host_lock Make the driver safer by using irqsave/irqrestore with host_lock. Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley commit 563585ec4bf1319f193c2f51682985bcae400cb4 Author: James Bottomley Date: Thu Jan 27 16:12:37 2011 -0500 [SCSI] qla2xxx: Fix race that could hang kthread_stop() There is a small race window in qla2x00_do_dpc() between checking for kthread_should_stop() and going to sleep after setting TASK_INTERRUPTIBLE. If qla2x00_free_device() is called in this window, kthread_stop will wait forever because there will be no one to wake up the process. Fix by making sure we only set TASK_INTERRUPTIBLE before checking kthread_stop(). Reported-by: Bandan Das Acked-by: Madhuranath Iyengar Signed-off-by: James Bottomley commit 8a870178c0ad1bae9994c99bd01eb10c9903e616 Author: Herbert Xu Date: Sat Feb 12 01:05:42 2011 -0800 bridge: Replace mp->mglist hlist with a bool As it turns out we never need to walk through the list of multicast groups subscribed by the bridge interface itself (the only time we'd want to do that is when we shut down the bridge, in which case we simply walk through all multicast groups), we don't really need to keep an hlist for mp->mglist. This means that we can replace it with just a single bit to indicate whether the bridge interface is subscribed to a group. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller commit 24f9cdcbd743fd6adb8fb83688d8d86dcccde662 Author: Herbert Xu Date: Fri Feb 11 12:42:07 2011 +0000 bridge: Fix timer typo that may render snooping less effective In a couple of spots where we are supposed to modify the port group timer (p->timer) we instead modify the bridge interface group timer (mp->timer). The effect of this is mostly harmless. However, it can cause port subscriptions to be longer than they should be, thus making snooping less effective. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller commit 6b0d6a9b4296fa16a28d10d416db7a770fc03287 Author: Herbert Xu Date: Fri Feb 11 12:36:55 2011 +0000 bridge: Fix mglist corruption that leads to memory corruption The list mp->mglist is used to indicate whether a multicast group is active on the bridge interface itself as opposed to one of the constituent interfaces in the bridge. Unfortunately the operation that adds the mp->mglist node to the list neglected to check whether it has already been added. This leads to list corruption in the form of nodes pointing to itself. Normally this would be quite obvious as it would cause an infinite loop when walking the list. However, as this list is never actually walked (which means that we don't really need it, I'll get rid of it in a subsequent patch), this instead is hidden until we perform a delete operation on the affected nodes. As the same node may now be pointed to by more than one node, the delete operations can then cause modification of freed memory. This was observed in practice to cause corruption in 512-byte slabs, most commonly leading to crashes in jbd2. Thanks to Josef Bacik for pointing me in the right direction. Reported-by: Ian Page Hands Signed-off-by: Herbert Xu Signed-off-by: David S. Miller commit 946bf5ee3c46f73b5cbd52aab594697b1a132d1f Author: Steffen Klassert Date: Fri Feb 11 11:21:57 2011 -0800 ip_gre: Add IPPROTO_GRE to flowi in ipgre_tunnel_xmit Commit 5811662b15db018c740c57d037523683fd3e6123 ("net: use the macros defined for the members of flowi") accidentally removed the setting of IPPROTO_GRE from the struct flowi in ipgre_tunnel_xmit. This patch restores it. Signed-off-by: Steffen Klassert Acked-by: Changli Gao Signed-off-by: David S. Miller commit 0b150932197b185ad5816932912e648116c7a96a Author: Hiroaki SHIMODA Date: Thu Feb 10 23:08:33 2011 -0800 xfrm: avoid possible oopse in xfrm_alloc_dst Commit 80c802f3073e84 (xfrm: cache bundles instead of policies for outgoing flows) introduced possible oopse when dst_alloc returns NULL. Signed-off-by: Hiroaki SHIMODA Signed-off-by: David S. Miller commit 520732af9158308e96245b54f1d573861eafb631 Author: Randy Dunlap Date: Thu Feb 10 20:05:25 2011 -0800 net: fix ifenslave build flags -I (include path) should be specified for host builds. This one was overlooked somehow. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=25902 Signed-off-by: Randy Dunlap Reported-by: Alexey Salmin Signed-off-by: David S. Miller commit 414ed90cee32486c50f91b28990443e0dc21c868 Author: Mike Marciniszyn Date: Thu Feb 10 14:11:28 2011 +0000 IB/qib: Fix double add_timer() The following panic BUG_ON occurs during qib testing: Kernel BUG at include/linux/timer.h:82 RIP [] :ib_qib:start_timer+0x73/0x89 RSP <0>Kernel panic - not syncing: Fatal exception <0>Dumping qib trace buffer from panic qib_set_lid INFO: IB0:1 got a lid: 0xf8 Done dumping qib trace buffer BUG: warning at kernel/panic.c:137/panic() (Tainted: G The flaw is due to a missing state test when processing responses that results in an add_timer() call when the same timer is already queued. This code was executing in parallel with a QP destroy on another CPU that had changed the state to reset, but the missing test caused to response handling code to run on into the panic. Signed-off-by: Mike Marciniszyn Signed-off-by: Roland Dreier commit a7b545f7fe753ca3dc1b51ca57f90cd59d974e44 Author: Eliad Peller Date: Tue Feb 8 18:43:19 2011 +0200 mac80211: add missing locking in ieee80211_reconfig When suspending an associated system, and then resuming, the station vif is being reconfigured without taking the sdata->u.mgd.mtx lock, which results in the following warning: WARNING: at net/mac80211/mlme.c:101 ieee80211_ap_probereq_get+0x58/0xb8 [mac80211]() Modules linked in: wl12xx_sdio wl12xx firmware_class crc7 mac80211 cfg80211 [last unloaded: crc7] Backtrace: [] (dump_backtrace+0x0/0x118) from [] (dump_stack+0x20/0x24) r7:00000000 r6:bf12d6ec r5:bf154aac r4:00000065 [] (dump_stack+0x0/0x24) from [] (warn_slowpath_common+0x5c/0x74) [] (warn_slowpath_common+0x0/0x74) from [] (warn_slowpath_null+0x2c/0x34) r9:000024ff r8:cd006460 r7:00000001 r6:00000000 r5:00000000 r4:cf1394a0 [] (warn_slowpath_null+0x0/0x34) from [] (ieee80211_ap_probereq_get+0x58/0xb8 [mac80211]) [] (ieee80211_ap_probereq_get+0x0/0xb8 [mac80211]) from [] (wl1271_cmd_build_ap_probe_req+0x30/0xf8 [wl12xx]) r4:cd007440 [] (wl1271_cmd_build_ap_probe_req+0x0/0xf8 [wl12xx]) from [] (wl1271_op_bss_info_changed+0x4c4/0x808 [wl12xx]) r5:cd007440 r4:000003b4 [] (wl1271_op_bss_info_changed+0x0/0x808 [wl12xx]) from [] (ieee80211_bss_info_change_notify+0x1a4/0x1f8 [mac80211]) [] (ieee80211_bss_info_change_notify+0x0/0x1f8 [mac80211]) from [] (ieee80211_reconfig+0x4d0/0x668 [mac80211]) r8:cf0eeea4 r7:cd00671c r6:00000000 r5:cd006460 r4:cf1394a0 [] (ieee80211_reconfig+0x0/0x668 [mac80211]) from [] (ieee80211_resume+0x60/0x70 [mac80211]) [] (ieee80211_resume+0x0/0x70 [mac80211]) from [] (wiphy_resume+0x6c/0x7c [cfg80211]) r5:cd006248 r4:cd006110 [] (wiphy_resume+0x0/0x7c [cfg80211]) from [] (legacy_resume+0x38/0x70) r7:00000000 r6:00000000 r5:cd006248 r4:cd0062fc [] (legacy_resume+0x0/0x70) from [] (device_resume+0x168/0x1a0) r8:c04ca8d8 r7:cd00627c r6:00000010 r5:cd006248 r4:cd0062fc [] (device_resume+0x0/0x1a0) from [] (dpm_resume_end+0xf8/0x3bc) r7:00000000 r6:00000005 r5:cd006248 r4:cd0062fc [] (dpm_resume_end+0x0/0x3bc) from [] (suspend_devices_and_enter+0x1b0/0x204) [] (suspend_devices_and_enter+0x0/0x204) from [] (enter_state+0xf0/0x148) r7:c037e978 r6:00000003 r5:c043d807 r4:00000000 [] (enter_state+0x0/0x148) from [] (state_store+0xa4/0xcc) r7:c037e978 r6:00000003 r5:00000003 r4:c043d807 [] (state_store+0x0/0xcc) from [] (kobj_attr_store+0x20/0x24) [] (kobj_attr_store+0x0/0x24) from [] (sysfs_write_file+0x11c/0x150) [] (sysfs_write_file+0x0/0x150) from [] (vfs_write+0xc0/0x14c) [] (vfs_write+0x0/0x14c) from [] (sys_write+0x4c/0x78) r8:40126000 r7:00000004 r6:cf1a7c80 r5:00000000 r4:00000000 [] (sys_write+0x0/0x78) from [] (ret_fast_syscall+0x0/0x30) r8:c00502c8 r7:00000004 r6:403525e8 r5:40126000 r4:00000004 Signed-off-by: Eliad Peller Signed-off-by: John W. Linville commit c91d01556f52255a31575be0cb1981c92a2a5028 Author: Stanislaw Gruszka Date: Wed Feb 9 08:46:06 2011 +0100 iwl3945: remove plcp check Patch fixes: https://bugzilla.redhat.com/show_bug.cgi?id=654599 Many users report very low speed problem on 3945 devices, this patch fixes problem, but only for some of them. For unknown reason, sometimes after hw scanning, device is not able to receive frames at high rate. Since plcp health check may request hw scan to "reset radio", performance problem start to be observable after update kernel to .35, where plcp check was introduced. Bug reporter confirmed that removing plcp check fixed problem for him. Reported-and-tested-by: SilvioTO Cc: stable@kernel.org # 2.6.35+ Signed-off-by: Stanislaw Gruszka Acked-by: Wey-Yi Guy Signed-off-by: John W. Linville commit 5dc0fa782ad4a2cfad93c016765492083e687cf3 Merge: fc7c976 e733fb6 Author: John W. Linville Date: Wed Feb 9 15:30:42 2011 -0500 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-2.6 commit 711c71a092ccedf5e24cff25e577bfa0148fce66 Author: Akinobu Mita Date: Tue Feb 8 04:59:50 2011 +0000 sparc: fix size argument to find_next_zero_bit() iommu_alloc_ctx() finds a zero bit in iommu->ctx_bitmap. It starts searching from iommu->ctx_lowest_free to the end of the bitmap. But the size argument to find_next_zero_bit() in iommu_alloc_ctx() is wrong. It should be the bitmap size, not the maximum size to search from the offset argument. Fortunately iommu->ctx_lowest_free is almost unused and it will not be more than 1. So the bug wasted only 1-bit at the end of iommu->ctx_bitmap. Signed-off-by: Akinobu Mita Cc: "David S. Miller" Cc: sparclinux@vger.kernel.org Signed-off-by: David S. Miller commit e637804c33494e8e7e454dbc625cc4b773f38d6f Author: Akinobu Mita Date: Tue Feb 8 04:59:49 2011 +0000 sparc: use bitmap_set() Use bitmap_set() instead of calling __set_bit() each bit. Signed-off-by: Akinobu Mita Cc: "David S. Miller" Cc: sparclinux@vger.kernel.org Signed-off-by: David S. Miller commit 9d20b571f5bda7273656e1b86ef91eddc94adacc Author: Herbert Xu Date: Mon Feb 7 20:26:06 2011 +1100 crypto: sha-s390 - Reset index after processing partial block The partial block handling in sha-s390 is broken when we get a partial block that is followed by an update which fills it with bytes left-over. Instead of storing the newly left-over bytes at the start of the buffer, it will be stored immediately after the previous partial block. This patch fixes this by resetting the index pointer. Signed-off-by: Herbert Xu commit 25a54a6bb87dc966f6a3fc1f2ac6e88db1f5614c Author: Maciej Sosnowski Date: Thu Feb 3 15:55:26 2011 -0800 RDMA/nes: Don't generate async events for unregistered devices nes_port_ibevent() should not be called when the nes RDMA device is not registered with the RDMA core. Add missing checks of of_device_registered flag. Signed-off-by: Maciej Sosnowski Signed-off-by: Roland Dreier commit e733fb62082b3b187870dfba28d5f6730b8436c4 Author: Bao Liang Date: Sat Jan 29 21:39:37 2011 +0800 Bluetooth: Set conn state to BT_DISCONN to avoid multiple responses This patch fixes a minor issue that two connection responses will be sent for one L2CAP connection request. If the L2CAP connection request is first blocked due to security reason and responded with reason "security block", the state of the connection remains BT_CONNECT2. If a pairing procedure completes successfully before the ACL connection is down, local host will send another connection complete response. See the following packets captured by hcidump. 2010-12-07 22:21:24.928096 < ACL data: handle 12 flags 0x00 dlen 16 0000: 0c 00 01 00 03 19 08 00 41 00 53 00 03 00 00 00 ........A.S..... ... ... 2010-12-07 22:21:35.791747 > HCI Event: Auth Complete (0x06) plen 3 status 0x00 handle 12 ... ... 2010-12-07 22:21:35.872372 > ACL data: handle 12 flags 0x02 dlen 16 L2CAP(s): Connect rsp: dcid 0x0054 scid 0x0040 result 0 status 0 Connection successful Signed-off-by: Liang Bao Acked-by: Ville Tervo Signed-off-by: Gustavo F. Padovan commit 2492218c63dca0fb4f041bdc366d243ae3426b40 Author: Daniel Hellstrom Date: Tue Feb 1 12:39:59 2011 -0800 sparc32: unaligned memory access (MNA) trap handler bug Since commit f0e98c387e61de00646be31fab4c2fa0224e1efb ("[SPARC]: Fix link errors with gcc-4.3") the MNA trap handler does not emulate stores to unaligned addresses correctly. MNA operation from both kernel and user space are affected. A typical effect of this bug is nr_frags in skbs are overwritten during buffer copying/checksum-calculation, or maximally 6 bytes of data in the network buffer will be overwitten with garbage. Signed-off-by: Daniel Hellstrom Signed-off-by: David S. Miller commit 509e7861d8a5e26bb07b5a3a13e2b9e442283631 Author: Cho, Yu-Chen Date: Wed Jan 26 17:10:59 2011 +0800 Bluetooth: add Atheros BT AR9285 fw supported Add the btusb.c blacklist [03f0:311d] for Atheros AR9285 Malbec BT and add to ath3k.c ath3-1.fw (md5:1211fa34c09e10ba48381586b7c3883d) supported this device. Signed-off-by: Cho, Yu-Chen Signed-off-by: Gustavo F. Padovan