commit 76da2fb8c0f7ffe6dddbd209f8c0ab6a0f86eab5 Author: Greg Kroah-Hartman Date: Mon Aug 29 14:42:42 2011 -0700 Linux 2.6.33.19 commit 8e9e725ffc95ba048f6656dec816b6f1cef90722 Author: Carolyn Wyborny Date: Sat Jun 25 13:18:12 2011 +0000 igb: Fix lack of flush after register write and before delay commit 064b43304ed8ede8e13ff7b4338d09fd37bcffb1 upstream. Register writes followed by a delay are required to have a flush before the delay in order to commit the values to the register. Without the flush, the code following the delay may not function correctly. Reported-by: Tong Ho Reported-by: Guenter Roeck Signed-off-by: Carolyn Wyborny Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit 54535f716d3f635179a8033a8dab6306ef5cb90e Author: Miklos Szeredi Date: Wed Aug 24 10:20:17 2011 +0200 fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream. FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the message processing could overrun and result in a "kernel BUG at fs/fuse/dev.c:629!" Reported-by: Han-Wen Nienhuys Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit af0f7f669e9cb671422111246d71c37f5d18252c Author: Marcin Slusarz Date: Mon Aug 22 21:17:57 2011 +0000 drm/ttm: fix ttm_bo_add_ttm(user) failure path commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream. ttm_tt_destroy kfrees passed object, so we need to nullify a reference to it. Signed-off-by: Marcin Slusarz Reviewed-by: Thomas Hellstrom Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 9792fdb75682aeb0d23365adf8bc4e2d7a8cb97e Author: Jack Steiner Date: Fri Aug 5 09:09:00 2011 -0500 x86, UV: Remove UV delay in starting slave cpus commit 05e33fc20ea5e493a2a1e7f1d04f43cdf89f83ed upstream. Delete the 10 msec delay between the INIT and SIPI when starting slave cpus. I can find no requirement for this delay. BIOS also has similar code sequences without the delay. Removing the delay reduces boot time by 40 sec. Every bit helps. Signed-off-by: Jack Steiner Link: http://lkml.kernel.org/r/20110805140900.GA6774@sgi.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 068b8e1556805d48fcfee26c61ee65a52abc4f77 Author: H. Peter Anvin Date: Mon Aug 22 13:27:06 2011 -0700 x86-32, vdso: On system call restart after SYSENTER, use int $0x80 commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream. When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle the arguments to match the int $0x80 calling convention. This was probably a design mistake, but it's what it is now. This causes errors if the system call as to be restarted. For SYSENTER, we have to invoke the instruction from the vdso as the return address is hardcoded. Accordingly, we can simply replace the jump in the vdso with an int $0x80 instruction and use the slower entry point for a post-restart. Suggested-by: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com Signed-off-by: Greg Kroah-Hartman commit 1d57518f2aa045a64886781a66b42e072a9e7bf6 Author: Shawn Bohrer Date: Thu Jun 30 11:21:32 2011 -0500 futex: Fix regression with read only mappings commit 9ea71503a8ed9184d2d0b8ccc4d269d05f7940ae upstream. commit 7485d0d3758e8e6491a5c9468114e74dc050785d (futexes: Remove rw parameter from get_futex_key()) in 2.6.33 fixed two problems: First, It prevented a loop when encountering a ZERO_PAGE. Second, it fixed RW MAP_PRIVATE futex operations by forcing the COW to occur by unconditionally performing a write access get_user_pages_fast() to get the page. The commit also introduced a user-mode regression in that it broke futex operations on read-only memory maps. For example, this breaks workloads that have one or more reader processes doing a FUTEX_WAIT on a futex within a read only shared file mapping, and a writer processes that has a writable mapping issuing the FUTEX_WAKE. This fixes the regression for valid futex operations on RO mappings by trying a RO get_user_pages_fast() when the RW get_user_pages_fast() fails. This change makes it necessary to also check for invalid use cases, such as anonymous RO mappings (which can never change) and the ZERO_PAGE which the commit referenced above was written to address. This patch does restore the original behavior with RO MAP_PRIVATE mappings, which have inherent user-mode usage problems and don't really make sense. With this patch performing a FUTEX_WAIT within a RO MAP_PRIVATE mapping will be successfully woken provided another process updates the region of the underlying mapped file. However, the mmap() man page states that for a MAP_PRIVATE mapping: It is unspecified whether changes made to the file after the mmap() call are visible in the mapped region. So user-mode users attempting to use futex operations on RO MAP_PRIVATE mappings are depending on unspecified behavior. Additionally a RO MAP_PRIVATE mapping could fail to wake up in the following case. Thread-A: call futex(FUTEX_WAIT, memory-region-A). get_futex_key() return inode based key. sleep on the key Thread-B: call mprotect(PROT_READ|PROT_WRITE, memory-region-A) Thread-B: write memory-region-A. COW happen. This process's memory-region-A become related to new COWed private (ie PageAnon=1) page. Thread-B: call futex(FUETX_WAKE, memory-region-A). get_futex_key() return mm based key. IOW, we fail to wake up Thread-A. Once again doing something like this is just silly and users who do something like this get what they deserve. While RO MAP_PRIVATE mappings are nonsensical, checking for a private mapping requires walking the vmas and was deemed too costly to avoid a userspace hang. This Patch is based on Peter Zijlstra's initial patch with modifications to only allow RO mappings for futex operations that need VERIFY_READ access. Reported-by: David Oliver Signed-off-by: Shawn Bohrer Acked-by: Peter Zijlstra Signed-off-by: Darren Hart Cc: KOSAKI Motohiro Cc: peterz@infradead.org Cc: eric.dumazet@gmail.com Cc: zvonler@rgmadvisors.com Cc: hughd@google.com Link: http://lkml.kernel.org/r/1309450892-30676-1-git-send-email-sbohrer@rgmadvisors.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 7d876451e8eabbfcef46e0e4ecddad99cff92e67 Author: Daniel T Chen Date: Sun Aug 14 22:43:01 2011 -0400 ALSA: ac97: Add HP Compaq dc5100 SFF(PT003AW) to Headphone Jack Sense whitelist commit eade7b281c9fc18401b989c77d5e5e660b25a3b7 upstream. BugLink: https://bugs.launchpad.net/bugs/826081 The original reporter needs 'Headphone Jack Sense' enabled to have audible audio, so add his PCI SSID to the whitelist. Reported-and-tested-by: Muhammad Khurram Khan Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f699ee1f5af1aab237e573ee0b169d54fe24ab5d Author: Daniel Mack Date: Sun Aug 14 11:31:16 2011 +0200 ALSA: snd_usb_caiaq: track submitted output urbs commit da6094ea7d3c2295473d8f5134279307255d6ebf upstream. The snd_usb_caiaq driver currently assumes that output urbs are serviced in time and doesn't track when and whether they are given back by the USB core. That usually works fine, but due to temporary limitations of the XHCI stack, we faced that urbs were submitted more than once with this approach. As it's no good practice to fire and forget urbs anyway, this patch introduces a proper bit mask to track which requests have been submitted and given back. That alone however doesn't make the driver work in case the host controller is broken and doesn't give back urbs at all, and the output stream will stop once all pre-allocated output urbs are consumed. But it does prevent crashes of the controller stack in such cases. See http://bugzilla.kernel.org/show_bug.cgi?id=40702 for more details. Signed-off-by: Daniel Mack Reported-and-tested-by: Matej Laitl Cc: Sarah Sharp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 505f44dd825d79078942101e8da911b90bc39057 Author: Timo Warns Date: Wed Aug 17 17:59:56 2011 +0200 befs: Validate length of long symbolic links. commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream. Signed-off-by: Timo Warns Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 93a4da70df98764e291ef9361851a1df8b38e02a Author: Timo Warns Date: Thu May 26 16:25:57 2011 -0700 fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables. This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death"). crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size)); computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call. A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation access memory beyond the memory allocated for gpt, which may cause a kernel heap overflow. Validate value of GUID partition table header size. [akpm@linux-foundation.org: fix layout and indenting] Signed-off-by: Timo Warns Cc: Matt Domsch Cc: Eugene Teo Cc: Dave Jones Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [dannf: backported to Debian's 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 2b3e6af485814965e1cf5177fea492a9c5171e06 Author: Jonathan Nieder Date: Fri Aug 5 18:58:38 2011 +0200 perf tools: do not look at ./config for configuration commit aba8d056078e47350d85b06a9cabd5afcc4b72ea upstream. In addition to /etc/perfconfig and $HOME/.perfconfig, perf looks for configuration in the file ./config, imitating git which looks at $GIT_DIR/config. If ./config is not a perf configuration file, it fails, or worse, treats it as a configuration file and changes behavior in some unexpected way. "config" is not an unusual name for a file to be lying around and perf does not have a private directory dedicated for its own use, so let's just stop looking for configuration in the cwd. Callers needing context-sensitive configuration can use the PERF_CONFIG environment variable. Requested-by: Christian Ohm Cc: 632923@bugs.debian.org Cc: Ben Hutchings Cc: Christian Ohm Cc: Ingo Molnar Cc: Paul Mackerras Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/20110805165838.GA7237@elie.gateway.2wire.net Signed-off-by: Jonathan Nieder Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 285549535a1d2ee096094214000401380c8f03e9 Author: Clemens Ladisch Date: Tue Jun 21 22:09:50 2011 +0200 mm: fix wrong vmap address calculations with odd NR_CPUS values commit f982f91516fa4cfd9d20518833cd04ad714585be upstream. Commit db64fe02258f ("mm: rewrite vmap layer") introduced code that does address calculations under the assumption that VMAP_BLOCK_SIZE is a power of two. However, this might not be true if CONFIG_NR_CPUS is not set to a power of two. Wrong vmap_block index/offset values could lead to memory corruption. However, this has never been observed in practice (or never been diagnosed correctly); what caught this was the BUG_ON in vb_alloc() that checks for inconsistent vmap_block indices. To fix this, ensure that VMAP_BLOCK_SIZE always is a power of two. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=31572 Reported-by: Pavel Kysilka Reported-by: Matias A. Fonzo Signed-off-by: Clemens Ladisch Signed-off-by: Stefan Richter Cc: Nick Piggin Cc: Jeremy Fitzhardinge Cc: Krzysztof Helt Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 700ffba5936f73eddd3bfcb9fca5a945fd5a20c2 Author: Daniel Mack Date: Fri Aug 5 13:49:52 2011 +0200 ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc commit 15439bde3af7ff88459ea2b5520b77312e958df2 upstream. This fixes faulty outbount packets in case the inbound packets received from the hardware are fragmented and contain bogus input iso frames. The bug has been there for ages, but for some strange reasons, it was only triggered by newer machines in 64bit mode. Signed-off-by: Daniel Mack Reported-and-tested-by: William Light Reported-by: Pedro Ribeiro Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 261011fd5b7111db9b7d70606fc4c173b8516b5e Author: Julia Lawall Date: Tue Aug 9 11:10:56 2011 -0400 hwmon: (ibmaem) add missing kfree commit 66a89b2164e2d30661edbd1953eacf0594d8203a upstream. rs_resp is dynamically allocated in aem_read_sensor(), so it should be freed before exiting in every case. This collects the kfree and the return at the end of the function. Signed-off-by: Julia Lawall Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 62964f4c5313946f57ee937a316f34ec55bebe06 Author: Chas Williams Date: Mon Aug 1 17:56:14 2011 -0700 atm: br2864: sent packets truncated in VC routed mode commit a08af810cdc29d2ca930e8a869d3d01744c392d8 upstream. Reported-by: Pascal Hambourg Signed-off-by: Chas Williams Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 81c42706ecfd84779037229b44de77d2e2e5cf00 Author: Vijay Chavan Date: Tue Aug 9 02:41:12 2011 +0530 USB: Serial: Added device ID for Qualcomm Modem in Sagemcom's HiLo3G commit e468561739fffb972d486b98f66c723936335136 upstream. A new device ID pair is added for Qualcomm Modem present in Sagemcom's HiLo3G module. Signed-off-by: Vijay Chavan Signed-off-by: Greg Kroah-Hartman commit 43a16b3fb9b78c404b0c1696598693766bef3e28 Author: Nick Bowler Date: Wed Jul 13 11:40:09 2011 -0400 USB: usb-storage: unusual_devs entry for ARM V2M motherboard. commit a871e4f5519d8c52430052e1d340dd5710eb5ad6 upstream. Connecting the V2M to a Linux host results in a constant stream of errors spammed to the console, all of the form sd 1:0:0:0: ioctl_internal_command return code = 8070000 : Sense Key : 0x4 [current] : ASC=0x0 ASCQ=0x0 The errors appear to be otherwise harmless. Add an unusual_devs entry which eliminates all of the error messages. Signed-off-by: Nick Bowler Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 7bbcb87accae51d523a1ef63845f87e069e5cf7b Author: Maxim Nikulin Date: Sat Jul 9 23:44:44 2011 +0700 USB: assign instead of equal in usbtmc.c commit 4f1a7a3e78037721496283ea3e87cfefc64d99c7 upstream. Assign operator instead of equality test in the usbtmc_ioctl_abort_bulk_in() function. Signed-off-by: Maxim A. Nikulin Signed-off-by: Greg Kroah-Hartman commit 53fc7f3ecdc2ed20d9da4a6a7e143ca2bdde7012 Author: JiSheng Zhang Date: Sat Jul 16 11:04:19 2011 +0800 USB: xhci: fix OS want to own HC commit 6768458b17f9bf48a4c3a34e49b20344091b5f7e upstream. Software should set XHCI_HC_OS_OWNED bit to request ownership of xHC. This patch should be backported to kernels as far back as 2.6.31. Signed-off-by: JiSheng Zhang Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 6c47634d201e8d14d6de7f66493580e6fb4d06e2 Author: Stefan Lippers-Hollmann Date: Tue Aug 2 22:17:25 2011 +0200 staging: rtl8192u: declare MODULE_FIRMWARE commit 589c3ca00b7886bf743998398884cd4f4d354e17 upstream. declaring MODULE_FIRMWARE has apparently forgotten while removing the embedded firmware arrays in 0a8692b534e18fcec6eac07551bb37a22659f5c7 (rtl8192u_usb: Remove built-in firmware images). Signed-off-by: Stefan Lippers-Hollmann Signed-off-by: Greg Kroah-Hartman