commit 787a4575ad364d69416615881345eae389882588 Author: Andi Kleen Date: Tue Dec 14 23:40:18 2010 +0100 Release 2.6.35.10 Signed-off-by: Andi Kleen commit eb015d662b1831e61ce9610da234565f8349311b Author: Dan Rosenberg Date: Mon Sep 27 12:30:28 2010 -0400 Fix pktcdvd ioctl dev_minor range check Upstream 252a52aa4fa22a668f019e55b3aac3ff71ec1c29 The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). Signed-off-by: Dan Rosenberg [ Rather than add a cast, just make the function take the right type -Linus ] Signed-off-by: Linus Torvalds Signed-off-by: Andi Kleen commit 6efba844d4ad8783c46ee2477344bfd87f737325 Author: Linus Torvalds Date: Sun Nov 28 16:27:19 2010 -0800 Un-inline get_pipe_info() helper function commit 72083646528d4887b920deb71b37e09bc7d227bb upstream. This avoids some include-file hell, and the function isn't really important enough to be inlined anyway. Reported-by: Ingo Molnar Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 23076bfefeb871c22c40f8abad5b5ea7065a265f Author: Linus Torvalds Date: Sun Nov 28 14:09:57 2010 -0800 Export 'get_pipe_info()' to other users commit c66fb347946ebdd5b10908866ecc9fa05ee2cf3d upstream. And in particular, use it in 'pipe_fcntl()'. The other pipe functions do not need to use the 'careful' version, since they are only ever called for things that are already known to be pipes. The normal read/write/ioctl functions are called through the file operations structures, so if a file isn't a pipe, they'd never get called. But pipe_fcntl() is special, and called directly from the generic fcntl code, and needs to use the same careful function that the splice code is using. Cc: Jens Axboe Cc: Andrew Morton Cc: Al Viro Cc: Dave Jones Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1e6aa82072d3c8267011461d17fbb25c247a3214 Author: Linus Torvalds Date: Sun Nov 28 13:56:09 2010 -0800 Rename 'pipe_info()' to 'get_pipe_info()' commit 71993e62a47dabddf10302807d6aa260455503f4 upstream. .. and change it to take the 'file' pointer instead of an inode, since that's what all users want anyway. The renaming is preparatory to exporting it to other users. The old 'pipe_info()' name was too generic and is already used elsewhere, so before making the function public we need to use a more specific name. Cc: Jens Axboe Cc: Andrew Morton Cc: Al Viro Cc: Dave Jones Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 22d2fae507439362ff0efe22fe3196bb9b6e4ce4 Author: Heiko Carstens Date: Thu Nov 25 09:52:45 2010 +0100 nmi: fix clock comparator revalidation commit e8129c642155616d9e2160a75f103e127c8c3708 upstream. On each machine check all registers are revalidated. The save area for the clock comparator however only contains the upper most seven bytes of the former contents, if valid. Therefore the machine check handler uses a store clock instruction to get the current time and writes that to the clock comparator register which in turn will generate an immediate timer interrupt. However within the lowcore the expected time of the next timer interrupt is stored. If the interrupt happens before that time the handler won't be called. In turn the clock comparator won't be reprogrammed and therefore the interrupt condition stays pending which causes an interrupt loop until the expected time is reached. On NOHZ machines this can result in unresponsive machines since the time of the next expected interrupted can be a couple of days in the future. To fix this just revalidate the clock comparator register with the expected value. In addition the special handling for udelay must be changed as well. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit fe590f17c1b2f22e5ce66d091bfb21fe5b59cac0 Author: Shan Wei Date: Fri Nov 12 00:15:25 2010 +0000 r8169: fix checksum broken commit d5d3ebe3be5c5123f2d444e186717f45284151e2 upstream. If r8196 received packets with invalid sctp/igmp(not tcp, udp) checksum, r8196 set skb->ip_summed wit CHECKSUM_UNNECESSARY. This cause that upper protocol don't check checksum field. I am not family with r8196 driver. I try to guess the meaning of RxProtoIP and IPFail. RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp. !(opts1 & IPFail) is true means that driver correctly to check checksum in IPv4 header. If it's right, I think we should not set ip_summed wit CHECKSUM_UNNECESSARY for my sctp packets with invalid checksum. If it's not right, please tell me. Signed-off-by: Shan Wei Acked-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6cf6d548763e7e751a3fe77d084999bd11587834 Author: Stanislaw Gruszka Date: Wed Oct 20 22:25:42 2010 +0000 r8169: (re)init phy on resume commit fccec10b33503a2b1197c8e7a3abd30443bedb08 upstream. Fix switching device to low-speed mode after resume reported in: https://bugzilla.redhat.com/show_bug.cgi?id=502974 Reported-and-tested-by: Laurentiu Badea Signed-off-by: Stanislaw Gruszka Signed-off-by: David S. Miller Cc: Francois Romieu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d4114d4e08bba51c56d77ee3a3741e98ed107dc5 Author: Eric Dumazet Date: Sun Sep 5 20:04:05 2010 -0700 r8169: fix rx checksum offload commit adea1ac7effbddbe60a9de6d63462bfe79289e59 upstream. While porting GRO to r8169, I found this driver has a bug in its rx path. All skbs given to network stack had their ip_summed set to CHECKSUM_NONE, while hardware said they had correct TCP/UDP checksums. The reason is driver sets skb->ip_summed on the original skb before the copy eventually done by copybreak. The fresh skb gets the ip_summed = CHECKSUM_NONE value, forcing network stack to recompute checksum, and preventing my GRO patch to work. Fix is to make the ip_summed setting after skb copy. Note : rx_copybreak current value is 16383, so all frames are copied... Signed-off-by: Eric Dumazet Acked-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 3acc1eff9aab5dc224463d6fdc1fc98912f97a6f Author: Luis R. Rodriguez Date: Fri Nov 12 16:31:23 2010 -0800 cfg80211: fix extension channel checks to initiate communication commit 9236d838c920e90708570d9bbd7bb82d30a38130 upstream. When operating in a mode that initiates communication and using HT40 we should fail if we cannot use both primary and secondary channels to initiate communication. Our current ht40 allowmap only covers STA mode of operation, for beaconing modes we need a check on the fly as the mode of operation is dynamic and there other flags other than disable which we should read to check if we can initiate communication. Do not allow for initiating communication if our secondary HT40 channel has is either disabled, has a passive scan flag, a no-ibss flag or is a radar channel. Userspace now has similar checks but this is also needed in-kernel. Reported-by: Jouni Malinen Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ead0b93a89eb1bab781b1812b42b3cffeecda1d0 Author: Dan Rosenberg Date: Wed Nov 17 06:37:16 2010 +0000 rds: Integer overflow in RDS cmsg handling commit 218854af84038d828a32f061858b1902ed2beec6 upstream. In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This seems to need a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. Signed-off-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 8bad5a9770496e333505c129225074f61898c514 Author: Phil Blundell Date: Wed Nov 24 11:51:47 2010 -0800 econet: fix CVE-2010-3848 commit a27e13d370415add3487949c60810e36069a23a6 upstream. Don't declare variable sized array of iovecs on the stack since this could cause stack overflow if msg->msgiovlen is large. Instead, coalesce the user-supplied data into a new buffer and use a single iovec for it. Signed-off-by: Phil Blundell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 5a7ce7c10112832aa73745faaca297844656138b Author: Phil Blundell Date: Wed Nov 24 11:49:53 2010 -0800 econet: fix CVE-2010-3850 commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream. Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation. Signed-off-by: Phil Blundell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 973a11aa7810c40a80ad064211fa157dd1921b37 Author: Phil Blundell Date: Wed Nov 24 11:49:19 2010 -0800 econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream. Later parts of econet_sendmsg() rely on saddr != NULL, so return early with EINVAL if NULL was passed otherwise an oops may occur. Signed-off-by: Phil Blundell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 474a751770cdae97c5baa16c4dc2f0e94d0a464f Author: Herbert Xu Date: Thu Nov 4 14:38:39 2010 -0400 crypto: padlock - Fix AES-CBC handling on odd-block-sized input commit c054a076a1bd4731820a9c4d638b13d5c9bf5935 upstream. On certain VIA chipsets AES-CBC requires the input/output to be a multiple of 64 bytes. We had a workaround for this but it was buggy as it sent the whole input for processing when it is meant to only send the initial number of blocks which makes the rest a multiple of 64 bytes. As expected this causes memory corruption whenever the workaround kicks in. Reported-by: Phil Sutter Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 47a671800b5c4bca9c5826fc18d9a2ac090a5e3c Author: Dan Rosenberg Date: Fri Nov 12 12:44:42 2010 -0800 x25: Prevent crashing when parsing bad X.25 facilities commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream. Now with improved comma support. On parsing malformed X.25 facilities, decrementing the remaining length may cause it to underflow. Since the length is an unsigned integer, this will result in the loop continuing until the kernel crashes. This patch adds checks to ensure decrementing the remaining length does not cause it to wrap around. Signed-off-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c4b9d85475fe417aa1d4325e350b6bff78a70c17 Author: Oliver Hartkopp Date: Wed Nov 10 12:10:30 2010 +0000 can-bcm: fix minor heap overflow commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream. On 64-bit platforms the ASCII representation of a pointer may be up to 17 bytes long. This patch increases the length of the buffer accordingly. http://marc.info/?l=linux-netdev&m=128872251418192&w=2 Reported-by: Dan Rosenberg Signed-off-by: Oliver Hartkopp Signed-off-by: Andi Kleen CC: Linus Torvalds Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7bac9815cc7489f880db12ada19b3f10d1db1629 Author: David S. Miller Date: Wed Nov 10 10:38:24 2010 -0800 filter: make sure filters dont read uninitialized memory commit 57fe93b374a6b8711995c2d466c502af9f3a08bb upstream. There is a possibility malicious users can get limited information about uninitialized stack mem array. Even if sk_run_filter() result is bound to packet length (0 .. 65535), we could imagine this can be used by hostile user. Initializing mem[] array, like Dan Rosenberg suggested in his patch is expensive since most filters dont even use this array. Its hard to make the filter validation in sk_chk_filter(), because of the jumps. This might be done later. In this patch, I use a bitmap (a single long var) so that only filters using mem[] loads/stores pay the price of added security checks. For other filters, additional cost is a single instruction. [ Since we access fentry->k a lot now, cache it in a local variable and mark filter entry pointer as const. -DaveM ] Reported-by: Dan Rosenberg Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 69caa40820b6f142cae5485bd61362bb1dfcc12c Author: Hagen Paul Pfeifer Date: Sat Jun 19 17:05:36 2010 +0000 net: optimize Berkeley Packet Filter (BPF) processing Gcc is currenlty not in the ability to optimize the switch statement in sk_run_filter() because of dense case labels. This patch replace the OR'd labels with ordered sequenced case labels. The sk_chk_filter() function is modified to patch/replace the original OPCODES in a ordered but equivalent form. gcc is now in the ability to transform the switch statement in sk_run_filter into a jump table of complexity O(1). Until this patch gcc generates a sequence of conditional branches (O(n) of 567 byte .text segment size (arch x86_64): 7ff: 8b 06 mov (%rsi),%eax 801: 66 83 f8 35 cmp $0x35,%ax 805: 0f 84 d0 02 00 00 je adb 80b: 0f 87 07 01 00 00 ja 918 811: 66 83 f8 15 cmp $0x15,%ax 815: 0f 84 c5 02 00 00 je ae0 81b: 77 73 ja 890 81d: 66 83 f8 04 cmp $0x4,%ax 821: 0f 84 17 02 00 00 je a3e 827: 77 29 ja 852 829: 66 83 f8 01 cmp $0x1,%ax [...] With the modification the compiler translate the switch statement into the following jump table fragment: 7ff: 66 83 3e 2c cmpw $0x2c,(%rsi) 803: 0f 87 1f 02 00 00 ja a28 809: 0f b7 06 movzwl (%rsi),%eax 80c: ff 24 c5 00 00 00 00 jmpq *0x0(,%rax,8) 813: 44 89 e3 mov %r12d,%ebx 816: e9 43 03 00 00 jmpq b5e 81b: 41 89 dc mov %ebx,%r12d 81e: e9 3b 03 00 00 jmpq b5e Furthermore, I reordered the instructions to reduce cache line misses by order the most common instruction to the start. [AK: Added as dependency on next patch] Signed-off-by: Hagen Paul Pfeifer Signed-off-by: David S. Miller Signed-off-by: Andi Kleen commit 5cd63b34258b056b568b05582310e966aa65d2fd Author: andrew hendry Date: Wed Nov 3 12:54:53 2010 +0000 memory corruption in X.25 facilities parsing commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream. Signed-of-by: Andrew Hendry Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a4e606c0633166f26e1456ed9bd86a185216cccb Author: Peter Ujfalusi Date: Mon Oct 11 14:18:56 2010 -0700 OMAP3: DMA: Errata i541: sDMA FIFO draining does not finish commit 0e4905c0199d683497833be60a428c784d7575b8 upstream. Implement the suggested workaround for OMAP3 regarding to sDMA draining issue, when the channel is disabled on the fly. This errata affects the following configuration: sDMA transfer is source synchronized Buffering is enabled SmartStandby is selected. The issue can be easily reproduced by creating overrun situation while recording audio. Either introduce load to the CPU: nice -19 arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null & \ dd if=/dev/urandom of=/dev/null or suspending the arecord, and resuming it: arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null CTRL+Z; fg; CTRL+Z; fg; ... In case of overrun audio stops DMA, and restarts it (without reseting the sDMA channel). When we hit this errata in stop case (sDMA drain did not complete), at the coming start the sDMA will not going to be operational (it is still draining). This leads to DMA stall condition. On OMAP3 we can recover with sDMA channel reset, it has been observed that by introducing unrelated sDMA activity might also help (reading from MMC for example). The same errata exists for OMAP2, where the suggestion is to disable the buffering to avoid this type of error. On OMAP3 the suggestion is to set sDMA to NoStandby before disabling the channel, and wait for the drain to finish, than configure sDMA to SmartStandby again. Signed-off-by: Peter Ujfalusi Acked-by: Jarkko Nikula Signed-off-by: Andi Kleen Acked-by : Santosh Shilimkar Acked-by : Manjunath Kondaiah G Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 6ed9ced224293bad65454671d472eebeb53cb7ba Author: Jarkko Nikula Date: Mon Oct 11 14:18:45 2010 -0700 omap: dma: Fix buffering disable bit setting for omap24xx commit 3e57f1626b5febe5cc99aa6870377deef3ae03cc upstream. An errata workaround for omap24xx is not setting the buffering disable bit 25 what is the purpose but channel enable bit 7 instead. Background for this fix is the DMA stalling issue with ASoC omap-mcbsp driver. Peter Ujfalusi has found an issue in recording that the DMA stall could happen if there were a buffer overrun detected by ALSA and the DMA was stopped and restarted due that. This problem is known to occur on both OMAP2420 and OMAP3. It can recover on OMAP3 after dma free, dma request and reconfiguration cycle. However, on OMAP2420 it seems that only way to recover is a reset. Problem was not visible before the commit c12abc0. That commit changed that the McBSP transmitter/receiver is released from reset only when needed. That is, only enabled McBSP transmitter without transmission was able to prevent this DMA stall problem in receiving side and underlying problem did not show up until now. McBSP transmitter itself seems to no be reason since DMA stall does not recover by enabling the transmission after stall. Debugging showed that there were a DMA write active during DMA stop time and it never completed even when restarting the DMA. Experimenting showed that the DMA buffering disable bit could be used to avoid stalling when using source synchronized transfers. However that could have performance hit and OMAP3 TRM states that buffering disable is not allowed for destination synchronized transfers so subsequent patch will implement a method to complete DMA writes when stopping. This patch is based on assumtion that complete lock-up on OMAP2420 is different but related problem. I don't have access to OMAP2420 errata but I believe this old workaround here is put for a reason but unfortunately a wrong bit was typed and problem showed up only now. Signed-off-by: Jarkko Nikula Signed-off-by: Peter Ujfalusi Acked-by: Manjunath Kondaiah G Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 48d21fcef246f334706d5ac81d34c594915259b0 Author: Dmitry Torokhov Date: Thu Nov 4 09:12:44 2010 -0700 Input: i8042 - add Sony VAIO VPCZ122GX to nomux list [Note that the mainline will not have this particular fix but rather will blacklist entire VAIO line based off DMI board name. For stable I am being a bit more cautious and blacklist one particular product.] Trying to query/activate active multiplexing mode on this VAIO makes both keyboard and touchpad inoperable. Futher kernels will blacklist entire VAIO line, however here we blacklist just one particular model. Reported-by: Jesse Barnes Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 8bb1509c521bde108dcd1bd787e0e5ac9db49157 Author: David S. Miller Date: Thu Oct 28 11:41:55 2010 -0700 net: Limit socket I/O iovec total length to INT_MAX. commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream. This helps protect us from overflow issues down in the individual protocol sendmsg/recvmsg handlers. Once we hit INT_MAX we truncate out the rest of the iovec by setting the iov_len members to zero. This works because: 1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial writes are allowed and the application will just continue with another write to send the rest of the data. 2) For datagram oriented sockets, where there must be a one-to-one correspondance between write() calls and packets on the wire, INT_MAX is going to be far larger than the packet size limit the protocol is going to check for and signal with -EMSGSIZE. Based upon a patch by Linus Torvalds. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 8fb9ee234b8283ced0b5d47c26739144a254a1ed Author: Linus Torvalds Date: Sat Oct 30 16:43:10 2010 -0700 net: Truncate recvfrom and sendto length to INT_MAX. commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream. Signed-off-by: Linus Torvalds Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 32005932e9aa0c2b97fd817edde2dff1c5640734 Author: Kenji Kaneshige Date: Tue Nov 30 17:36:08 2010 +0900 genirq: Fix incorrect proc spurious output commit 25c9170ed64a6551beefe9315882f754e14486f4 upstream. Since commit a1afb637(switch /proc/irq/*/spurious to seq_file) all /proc/irq/XX/spurious files show the information of irq 0. Current irq_spurious_proc_open() passes on NULL as the 3rd argument, which is used as an IRQ number in irq_spurious_proc_show(), to the single_open(). Because of this, all the /proc/irq/XX/spurious file shows IRQ 0 information regardless of the IRQ number. To fix the problem, irq_spurious_proc_open() must pass on the appropreate data (IRQ number) to single_open(). Signed-off-by: Kenji Kaneshige Signed-off-by: Andi Kleen Reviewed-by: Yong Zhang LKML-Reference: <4CF4B778.90604@jp.fujitsu.com> Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 1a91ff5ceb94c086e2d64de9c811f58155728fd1 Author: Heiko Carstens Date: Wed Dec 1 10:08:01 2010 +0100 nohz/s390: fix arch_needs_cpu() return value on offline cpus commit 398812159e328478ae49b4bd01f0d71efea96c39 upstream. This fixes the same problem as described in the patch "nohz: fix printk_needs_cpu() return value on offline cpus" for the arch_needs_cpu() primitive: arch_needs_cpu() may return 1 if called on offline cpus. When a cpu gets offlined it schedules the idle process which, before killing its own cpu, will call tick_nohz_stop_sched_tick(). That function in turn will call arch_needs_cpu() in order to check if the local tick can be disabled. On offline cpus this function should naturally return 0 since regardless if the tick gets disabled or not the cpu will be dead short after. That is besides the fact that __cpu_disable() should already have made sure that no interrupts on the offlined cpu will be delivered anyway. In this case it prevents tick_nohz_stop_sched_tick() to call select_nohz_load_balancer(). No idea if that really is a problem. However what made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is used within __mod_timer() to select a cpu on which a timer gets enqueued. If arch_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get updated when a cpu gets offlined. It may contain the cpu number of an offline cpu. In turn timers get enqueued on an offline cpu and not very surprisingly they never expire and cause system hangs. This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses get_nohz_timer_target() which doesn't have that problem. However there might be other problems because of the too early exit tick_nohz_stop_sched_tick() in case a cpu goes offline. This specific bug was indrocuded with 3c5d92a0 "nohz: Introduce arch_needs_cpu". In this case a cpu hotplug notifier is used to fix the issue in order to keep the normal/fast path small. All we need to do is to clear the condition that makes arch_needs_cpu() return 1 since it is just a performance improvement which is supposed to keep the local tick running for a short period if a cpu goes idle. Nothing special needs to be done except for clearing the condition. Acked-by: Peter Zijlstra Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e31b71b96e2440fd0f664443d1b1ecdf57b0bf5a Author: Thadeu Lima de Souza Cascardo Date: Sun Nov 28 19:46:50 2010 -0200 wmi: use memcmp instead of strncmp to compare GUIDs commit 8b14d7b22c61f17ccb869e0047d9df6dd9f50a9f upstream. While looking for the duplicates in /sys/class/wmi/, I couldn't find them. The code that looks for duplicates uses strncmp in a binary GUID, which may contain zero bytes. The right function is memcmp, which is also used in another section of wmi code. It was finding 49142400-C6A3-40FA-BADB-8A2652834100 as a duplicate of 39142400-C6A3-40FA-BADB-8A2652834100. Since the first byte is the fourth printed, they were found as equal by strncmp. Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f0ad38dade9e69ffefc37734b37e3bd93654a00f Author: Rafael J. Wysocki Date: Fri Dec 3 22:57:45 2010 +0100 PM / Hibernate: Fix memory corruption related to swap commit c9e664f1fdf34aa8cede047b206deaa8f1945af0 upstream. There is a problem that swap pages allocated before the creation of a hibernation image can be released and used for storing the contents of different memory pages while the image is being saved. Since the kernel stored in the image doesn't know of that, it causes memory corruption to occur after resume from hibernation, especially on systems with relatively small RAM that need to swap often. This issue can be addressed by keeping the GFP_IOFS bits clear in gfp_allowed_mask during the entire hibernation, including the saving of the image, until the system is finally turned off or the hibernation is aborted. Unfortunately, for this purpose it's necessary to rework the way in which the hibernate and suspend code manipulates gfp_allowed_mask. This change is based on an earlier patch from Hugh Dickins. Signed-off-by: Rafael J. Wysocki Reported-by: Ondrej Zary Acked-by: Hugh Dickins Signed-off-by: Andi Kleen Reviewed-by: KAMEZAWA Hiroyuki Signed-off-by: Greg Kroah-Hartman commit a8e8a6d0bca8893c544500e49cf824fded926a17 Author: Marcelo Roberto Jimenez Date: Mon Oct 18 22:38:08 2010 +0100 ARM: 6456/1: Fix for building DEBUG with sa11xx_base.c as a module. commit b9f515e3e3861abbaa093359f7c6f31283695228 upstream. This patch fixes a compilation issue when compiling PCMCIA SA1100 support as a module with PCMCIA_DEBUG enabled. The symbol soc_pcmcia_debug was not beeing exported. ARM: pcmcia: Fix for building DEBUG with sa11xx_base.c as a module. This patch fixes a compilation issue when compiling PCMCIA SA1100 support as a module with PCMCIA_DEBUG enabled. The symbol soc_pcmcia_debug was not beeing exported. Signed-off-by: Marcelo Roberto Jimenez Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit bb25ed06260128cf99a46950cc1b0b131e9c9477 Author: Thomas Gleixner Date: Wed Nov 24 10:05:55 2010 +0100 perf: Fix inherit vs. context rotation bug commit dddd3379a619a4cb8247bfd3c94ca9ae3797aa2e upstream. It was found that sometimes children of tasks with inherited events had one extra event. Eventually it turned out to be due to the list rotation no being exclusive with the list iteration in the inheritance code. Cure this by temporarily disabling the rotation while we inherit the events. Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra Signed-off-by: Andi Kleen LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit c044cc9988cd29246c6d6781068c710817dd2f29 Author: Marek Lindner Date: Mon Nov 22 12:34:49 2010 +0100 Staging: batman-adv: ensure that eth_type_trans gets linear memory commit b6faaae1a15a352d68b3e3cd8b840e56709820bf upstream. eth_type_trans tries to pull data with the length of the ethernet header from the skb. We only ensured that enough data for the first ethernet header and the batman header is available in non-paged memory of the skb and not for the ethernet after the batman header. eth_type_trans would fail sometimes with drivers which don't ensure that all there data is perfectly linearised. The failure was noticed through a kernel bug Oops generated by the skb_pull inside eth_type_trans. Reported-by: Rafal Lesniak Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 76ff15489a634e27146f6d1ccb198b6cd1d4e35e Author: Larry Finger Date: Sat Nov 13 13:01:56 2010 -0600 staging: rtl8187se: Change panic to warn when RF switch turned off commit f36d83a8cb7224f45fdfa1129a616dff56479a09 upstream. This driver issues a kernel panic over conditions that do not justify such drastic action. Change these to log entries with a stack dump. This patch fixes the system crash reported in https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285. Signed-off-by: Larry Finger Signed-off-by: Andi Kleen Reported-and-Tested-by: Robie Basik Signed-off-by: Greg Kroah-Hartman commit b9ecedaf9df73f65d9b542ae9e394616dfd25d5d Author: Greg Kroah-Hartman Date: Tue Nov 16 11:18:33 2010 -0800 Staging: frontier: fix up some sysfs attribute permissions commit 3bad28ec006ad6ab2bca4e5103860b75391e3c9d and 2a767fda5d0d8dcff465724dfad6ee131489b3f2 upstream merged together. They should not be writable by any user Reported-by: Linus Torvalds Cc: David Taht Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 3193e96dd9c553125f93f6b02c3d6c23e5a5dd9a Author: Greg Kroah-Hartman Date: Thu Nov 18 11:21:04 2010 -0800 Staging: samsung-laptop: fix up my fixup for some sysfs attribute permissions commit 4d7bc388b44e42a1feafa35e50eef4f24d6ca59d upstream. They should be writable by root, not readable. Doh, stupid me with the wrong flags. Reported-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ac0d92d5f069c3db8796a0cc9c75ea7e6be5e4a8 Author: Greg Kroah-Hartman Date: Tue Nov 16 11:21:03 2010 -0800 Staging: samsung-laptop: fix up some sysfs attribute permissions commit 90c05b97fdec8d2196e420d98f774bab731af7aa upstream. They should not be writable by any user Reported-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7e9c5c7682a9c821919210b036b3d3779ad06d8f Author: Greg Kroah-Hartman Date: Thu Nov 18 11:21:04 2010 -0800 Staging: iio: adis16220: fix up my fixup for some sysfs attribute permissions commit c9e51d9e4bee3da47623622884f4828e079a0581 upstream. They should be writable by root, not readable. Doh, stupid me with the wrong flags. Reported-by: Jonathan Cameron Acked-by: Jonathan Cameron Cc: Barry Song Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 5a9af118fbe4756ac93b7f201da149810b847b12 Author: Greg Kroah-Hartman Date: Tue Nov 16 11:19:53 2010 -0800 Staging: iio: adis16220: fix up some sysfs attribute permissions commit 1d904e8950c86e670ace237eaea1d48cd81e94df upstream. They should not be writable by any user Reported-by: Linus Torvalds Cc: Jonathan Cameron Cc: Barry Song Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ee8ee3cb9f8fe7a51ef7d2bec8495a92d2a2d338 Author: Greg Kroah-Hartman Date: Tue Nov 16 11:21:36 2010 -0800 Staging: udlfb: fix up some sysfs attribute permissions commit cc9ca9dfddda46b1802d325891a69d7efdbe1f1e and cc9ca9dfddda46b1802d325891a69d7efdbe1f1e upstream merged together. They should not be writable by any user Reported-by: Linus Torvalds Cc: Bernie Thompson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a0e9e686dccb2a7625f78b1e6ab0f5487a99261d Author: Steven Rostedt Date: Wed Nov 24 12:56:52 2010 -0800 leds: fix bug with reading NAS SS4200 dmi code commit 50d431e8a15701b599c98afe2b464eb33c952477 upstream. While running randconfg with ktest.pl I stumbled upon this bug: BUG: unable to handle kernel NULL pointer dereference at 0000000000000003 IP: [] strstr+0x39/0x86 PGD 0 Oops: 0000 [#1] SMP last sysfs file: CPU 0 Modules linked in: Pid: 1, comm: swapper Not tainted 2.6.37-rc1-test+ #6 DG965MQ/ RIP: 0010:[] [] strstr+0x39/0x86 RSP: 0018:ffff8800797cbd80 EFLAGS: 00010213 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffffffffffff RDX: 0000000000000000 RSI: ffffffff82eb7ac9 RDI: 0000000000000003 RBP: ffff8800797cbda0 R08: ffff880000000003 R09: 0000000000030725 R10: ffff88007d294c00 R11: 0000000000014c00 R12: 0000000000000020 R13: ffffffff82eb7ac9 R14: ffffffffffffffff R15: ffffffff82eb7b08 FS: 0000000000000000(0000) GS:ffff88007d200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000003 CR3: 0000000002a1d000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 1, threadinfo ffff8800797ca000, task ffff8800797d0000) Stack: 00000000000000ba ffffffff82eb7ac9 ffffffff82eb7ab8 00000000000000ba ffff8800797cbdf0 ffffffff81e2050f ffff8800797cbdc0 00000000815f913b ffff8800797cbe00 ffffffff82eb7ab8 0000000000000000 0000000000000000 Call Trace: [] dmi_matches+0x117/0x154 [] dmi_check_system+0x3d/0x8d [] ? nas_gpio_init+0x0/0x2c8 [] nas_gpio_init+0x24/0x2c8 [] ? wm8350_led_init+0x0/0x20 [] ? nas_gpio_init+0x0/0x2c8 [] do_one_initcall+0xab/0x1b2 [] kernel_init+0x248/0x331 [] kernel_thread_helper+0x4/0x10 [] ? kernel_init+0x0/0x331 Found that the nas_led_whitelist dmi_system_id structure array had no NULL end delimiter, causing the dmi_check_system() loop to read an undefined entry. Signed-off-by: Steven Rostedt Acked-by: Dave Hansen Acked-by: Richard Purdie Acked-by: Arjan van de Ven Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a678efd76c8bb4041d95973c32f7def1fc7c43bf Author: James Jones Date: Wed Nov 24 00:21:37 2010 +0100 ARM: 6482/2: Fix find_next_zero_bit and related assembly commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream. The find_next_bit, find_first_bit, find_next_zero_bit and find_first_zero_bit functions were not properly clamping to the maxbit argument at the bit level. They were instead only checking maxbit at the byte level. To fix this, add a compare and a conditional move instruction to the end of the common bit-within-the- byte code used by all the functions and be sure not to clobber the maxbit argument before it is used. Reviewed-by: Nicolas Pitre Tested-by: Stephen Warren Signed-off-by: James Jones Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a683346b0f0625d3b29194fa86082235d1e858ce Author: Will Deacon Date: Fri Nov 19 13:18:31 2010 +0100 ARM: 6489/1: thumb2: fix incorrect optimisation in usracc commit 1142b71d85894dcff1466dd6c871ea3c89e0352c upstream. Commit 8b592783 added a Thumb-2 variant of usracc which, when it is called with \rept=2, calls usraccoff once with an offset of 0 and secondly with a hard-coded offset of 4 in order to avoid incrementing the pointer again. If \inc != 4 then we will store the data to the wrong offset from \ptr. Luckily, the only caller that passes \rept=2 to this function is __clear_user so we haven't been actively corrupting user data. This patch fixes usracc to pass \inc instead of #4 to usraccoff when it is called a second time. Reported-by: Tony Thompson Acked-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c088a5f8722f305b4bbaa94cad32f1bfa882bc71 Author: Mika Westerberg Date: Thu Oct 28 11:45:22 2010 +0100 ARM: 6464/2: fix spinlock recursion in adjust_pte() commit 4e54d93d3c9846ba1c2644ad06463dafa690d1b7 upstream. When running following code in a machine which has VIVT caches and USE_SPLIT_PTLOCKS is not defined: fd = open("/etc/passwd", O_RDONLY); addr = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0); addr2 = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0); v = *((int *)addr); we will hang in spinlock recursion in the page fault handler: BUG: spinlock recursion on CPU#0, mmap_test/717 lock: c5e295d8, .magic: dead4ead, .owner: mmap_test/717, .owner_cpu: 0 [] (unwind_backtrace+0x0/0xec) [] (do_raw_spin_lock+0x40/0x140) [] (update_mmu_cache+0x208/0x250) [] (__do_fault+0x320/0x3ec) [] (handle_mm_fault+0x2f0/0x6d8) [] (do_page_fault+0xdc/0x1cc) [] (do_DataAbort+0x34/0x94) This comes from the fact that when USE_SPLIT_PTLOCKS is not defined, the only lock protecting the page tables is mm->page_table_lock which is already locked before update_mmu_cache() is called. Signed-off-by: Mika Westerberg Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 5f47c09a27902117ef908f5fb07cad300e427980 Author: Pekka Enberg Date: Mon Nov 8 21:29:07 2010 +0200 perf_events: Fix perf_counter_mmap() hook in mprotect() commit 63bfd7384b119409685a17d5c58f0b56e5dc03da upstream. As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to merging. Fix the problem by moving perf_event_mmap() hook to mprotect_fixup(). Note: there's another successful return path from mprotect_fixup() if old flags equal to new flags. We don't, however, need to call perf_event_mmap() there because 'perf' already knows the VMA is executable. Reported-by: Dave Jones Signed-off-by: Andi Kleen Analyzed-by: Linus Torvalds Cc: Ingo Molnar Reviewed-by: Peter Zijlstra Signed-off-by: Pekka Enberg Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0b755ae07e1ff0b1c48ea286c301570d745aa0b7 Author: Dan Rosenberg Date: Tue Nov 23 11:02:13 2010 +0000 DECnet: don't leak uninitialized stack byte commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream. A single uninitialized padding byte is leaked to userspace. Signed-off-by: Dan Rosenberg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 79ec0bc0601b3c1bce4457361ec9d477b7982480 Author: Guennadi Liakhovetski Date: Thu Nov 11 17:32:25 2010 +0100 mmc: fix rmmod race for hosts using card-detection polling commit d9bcbf343ec63e1104b5276195888ee06b4d086f upstream. MMC hosts that poll for card detection by defining the MMC_CAP_NEEDS_POLL flag have a race on rmmod, where the delayed work is cancelled without waiting for completed polling. To prevent this a _sync version of the work cancellation has to be used. Signed-off-by: Guennadi Liakhovetski Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1442b66f3af5b6ecfb7d70f21c5d062f7c108e0b Author: Frederic Weisbecker Date: Thu Nov 11 21:18:43 2010 +0100 x86: Ignore trap bits on single step exceptions commit 6c0aca288e726405b01dacb12cac556454d34b2a upstream. When a single step exception fires, the trap bits, used to signal hardware breakpoints, are in a random state. These trap bits might be set if another exception will follow, like a breakpoint in the next instruction, or a watchpoint in the previous one. Or there can be any junk there. So if we handle these trap bits during the single step exception, we are going to handle an exception twice, or we are going to handle junk. Just ignore them in this case. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=21332 Reported-by: Michael Stefaniuc Signed-off-by: Frederic Weisbecker Cc: Rafael J. Wysocki Cc: Maciej Rutecki Cc: Alexandre Julliard Cc: Jason Wessel Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a28c2bb7f58fad804d4673eb37b7c0436b945f15 Author: Steven J. Magnani Date: Wed Nov 24 12:56:54 2010 -0800 nommu: yield CPU while disposing VM commit 04c3496152394d17e3bc2316f9731ee3e8a026bc upstream. Depending on processor speed, page size, and the amount of memory a process is allowed to amass, cleanup of a large VM may freeze the system for many seconds. This can result in a watchdog timeout. Make sure other tasks receive some service when cleaning up large VMs. Signed-off-by: Steven J. Magnani Cc: Greg Ungerer Signed-off-by: Andi Kleen Reviewed-by: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7e8d53c0fad544ddb5f62bb6faf836ec04256608 Author: Uwe Kleine-König Date: Wed Nov 24 12:57:14 2010 -0800 backlight: grab ops_lock before testing bd->ops commit d1d73578e053b981c3611e5a211534290d24a5eb upstream. According to the comment describing ops_lock in the definition of struct backlight_device and when comparing with other functions in backlight.c the mutex must be hold when checking ops to be non-NULL. Fixes a problem added by c835ee7f4154992e6 ("backlight: Add suspend/resume support to the backlight core") in Jan 2009. Signed-off-by: Uwe Kleine-König Acked-by: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 77caa21878730e393b25868930dbddf686e77f33 Author: Will Newton Date: Wed Nov 24 12:56:55 2010 -0800 uml: disable winch irq before freeing handler data commit 69e83dad5207f8f03c9699e57e1febb114383cb8 upstream. Disable the winch irq early to make sure we don't take an interrupt part way through the freeing of the handler data, resulting in a crash on shutdown: winch_interrupt : read failed, errno = 9 fd 13 is losing SIGWINCH support ------------[ cut here ]------------ WARNING: at lib/list_debug.c:48 list_del+0xc6/0x100() list_del corruption, next is LIST_POISON1 (00100100) 082578c8: [<081fd77f>] dump_stack+0x22/0x24 082578e0: [<0807a18a>] warn_slowpath_common+0x5a/0x80 08257908: [<0807a23e>] warn_slowpath_fmt+0x2e/0x30 08257920: [<08172196>] list_del+0xc6/0x100 08257940: [<08060244>] free_winch+0x14/0x80 08257958: [<080606fb>] winch_interrupt+0xdb/0xe0 08257978: [<080a65b5>] handle_IRQ_event+0x35/0xe0 08257998: [<080a8717>] handle_edge_irq+0xb7/0x170 082579bc: [<08059bc4>] do_IRQ+0x34/0x50 082579d4: [<08059e1b>] sigio_handler+0x5b/0x80 082579ec: [<0806a374>] sig_handler_common+0x44/0xb0 08257a68: [<0806a538>] sig_handler+0x38/0x50 08257a78: [<0806a77c>] handle_signal+0x5c/0xa0 08257a9c: [<0806be28>] hard_handler+0x18/0x20 08257aac: [<00c14400>] 0xc14400 Signed-off-by: Will Newton Acked-by: WANG Cong Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d061b20e5c1a0594a61aa2f2a789c703ac57a344 Author: Oskar Schirmer Date: Wed Nov 10 21:06:13 2010 +0000 cifs: fix another memleak, in cifs_root_iget commit a7851ce73b9fdef53f251420e6883cf4f3766534 upstream. cifs_root_iget allocates full_path through cifs_build_path_to_root, but fails to kfree it upon cifs_get_inode_info* failure. Make all failure exit paths traverse clean up handling at the end of the function. Signed-off-by: Oskar Schirmer Signed-off-by: Andi Kleen Reviewed-by: Jesper Juhl Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit fa21da1870e6626274c934722801914690b2dd55 Author: Nelson Elhage Date: Thu Dec 2 14:31:21 2010 -0800 do_exit(): make sure that we run with get_fs() == USER_DS commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream. If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not otherwise reset before do_exit(). do_exit may later (via mm_release in fork.c) do a put_user to a user-controlled address, potentially allowing a user to leverage an oops into a controlled write into kernel memory. This is only triggerable in the presence of another bug, but this potentially turns a lot of DoS bugs into privilege escalations, so it's worth fixing. I have proof-of-concept code which uses this bug along with CVE-2010-3849 to write a zero to an arbitrary kernel address, so I've tested that this is not theoretical. A more logical place to put this fix might be when we know an oops has occurred, before we call do_exit(), but that would involve changing every architecture, in multiple places. Let's just stick it in do_exit instead. [akpm@linux-foundation.org: update code comment] Signed-off-by: Nelson Elhage Cc: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6c615d59289dc9e2034647f0c912561d30bdb473 Author: Andres Salomon Date: Thu Dec 2 14:31:17 2010 -0800 cs5535-gpio: apply CS5536 errata workaround for GPIOs commit 853ff88324a248a9f5da6e110850223db353ec07 upstream. The AMD Geode CS5536 Companion Device Silicon Revision B1 Specification Update mentions the follow as issue #36: "Atomic write transactions to the atomic GPIO High Bank Feature Bit registers should only affect the bits selected [...]" "after Suspend, an atomic write transaction [...] will clear all non-selected bits of the accessed register." In other words, writing to the high bank for a single GPIO bit will clear every other GPIO bit (but only sometimes after a suspend). The workaround described is obvious and simple; do a read-modify-write. This patch does that, and documents why we're doing it. Signed-off-by: Andres Salomon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 962b4a64f5210a4aaefd09c318e6dd05242df0ce Author: Ken Sumrall Date: Wed Nov 24 12:57:00 2010 -0800 fuse: fix attributes after open(O_TRUNC) commit a0822c55779d9319939eac69f00bb729ea9d23da upstream. The attribute cache for a file was not being cleared when a file is opened with O_TRUNC. If the filesystem's open operation truncates the file ("atomic_o_trunc" feature flag is set) then the kernel should invalidate the cached st_mtime and st_ctime attributes. Also i_size should be explicitly be set to zero as it is used sometimes without refreshing the cache. Signed-off-by: Ken Sumrall Cc: Anfei Cc: "Anand V. Avati" Signed-off-by: Miklos Szeredi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c526b926bacd31f398384c42c1950dc077c903b9 Author: Dmitri Belimov Date: Tue Oct 26 00:31:40 2010 -0300 saa7134: Fix autodetect for Behold A7 and H7 TV cards commit 35bbe587d0959712b69540077c9e0fd27d3e6baf upstream. The entries for those cards are after the generic entries, so they don't work, in practice. Moving them to happen before the generic entres fix the issue. Signed-off-by: Beholder Intl. Ltd. Dmitry Belimov Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit db2d10eec9355faf29135e5cfccfb41b1e7e0b8f Author: Dmitry Torokhov Date: Sat Sep 18 10:11:09 2010 -0700 PNPACPI: cope with invalid device IDs commit 420a0f66378c84b00b0e603e4d38210102dbe367 upstream. If primary ID (HID) is invalid try locating first valid ID on compatible ID list before giving up. This helps, for example, to recognize i8042 AUX port on Sony Vaio VPCZ1 which uses SNYSYN0003 as HID. Without the patch users are forced to boot with i8042.nopnp to make use of their touchpads. Tested-by: Jan-Hendrik Zab Signed-off-by: Dmitry Torokhov Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 594574f0ba7ae9985662f9b0b8a9754c9da552c3 Author: Dave Jones Date: Sat Nov 13 00:58:54 2010 -0500 ACPI: debugfs custom_method open to non-root commit ed3aada1bf34c5a9e98af167f125f8a740fc726a upstream. Currently we have: --w--w--w-. 1 root root 0 2010-11-11 14:56 /sys/kernel/debug/acpi/custom_method which is just crazy. Change this to --w-------. Signed-off-by: Dave Jones Signed-off-by: Len Brown Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a499d3ff08c1c10821a2a1811fe8597d50a8de62 Author: Zhang Rui Date: Tue Oct 12 09:09:37 2010 +0800 acpi-cpufreq: fix a memleak when unloading driver commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream. We didn't free per_cpu(acfreq_data, cpu)->freq_table when acpi_freq driver is unloaded. Resulting in the following messages in /sys/kernel/debug/kmemleak: unreferenced object 0xf6450e80 (size 64): comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s) hex dump (first 32 bytes): 00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00 ......$.......$. 02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00 .....j.......5.. backtrace: [] kmemleak_alloc+0x27/0x50 [] __kmalloc+0xcf/0x110 [] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq] [] cpufreq_add_dev+0x142/0x3a0 [] sysdev_driver_register+0x97/0x110 [] cpufreq_register_driver+0x86/0x140 [] 0xf9dad080 [] do_one_initcall+0x30/0x160 [] sys_init_module+0x99/0x1e0 [] sysenter_do_call+0x12/0x26 [] 0xffffffff https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21 Tested-by: Toralf Forster Signed-off-by: Zhang Rui Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1e8d602368391f61481052600a6174eb049582a9 Author: Zhang Rui Date: Fri Oct 22 10:02:06 2010 +0800 ACPI battery: support percentage battery remaining capacity commit 557d58687dcdee6bc00c1a8f1fd4e0eac8fefce9 upstream. According to the ACPI spec, some kinds of primary battery can report percentage battery remaining capacity directly to OS. In this case, it reports the LastFullChargedCapacity == 100, BatteryPresentRate = 0xFFFFFFFF, and BatteryRemaingCapacity a percentage value, which actually means RemainingBatteryPercentage. Now we found some battery follows this rule even if it's a rechargeable. https://bugzilla.kernel.org/show_bug.cgi?id=15979 Handle these batteries correctly in ACPI battery driver so that they won't break userspace. Signed-off-by: Zhang Rui Tested-by: Sitsofe Wheeler Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e34d1f648f557f496649f35ca11663cad59e0cc2 Author: Anupam Chanda Date: Sun Nov 21 09:54:21 2010 -0800 e1000: fix screaming IRQ commit ab08853fab2093e5c6f5de56827a4c93dce4b055 upstream. VMWare reports that the e1000 driver has a bug when bringing down the interface, such that interrupts are not disabled in the hardware but the driver stops reporting that it consumed the interrupt. The fix is to set the driver's "down" flag later in the routine, after all the timers and such have exited, preventing the interrupt handler from being called and exiting early without handling the interrupt. CC: Anupam Chanda Signed-off-by: Jesse Brandeburg Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c42fe729ad67abe81b2e79d48134db10c6a0466d Author: Alan Stern Date: Mon Nov 29 10:17:22 2010 -0500 USB: fix autosuspend bug in usb-serial commit abf03184a31a3286fc0ab30f838ddee8ba9f9b7b upstream. This patch (as1437) fixes a bug in the usb-serial autosuspend handling. Since the usb-serial core now has autosuspend support, it must set the .supports_autosuspend member in every serial driver it registers. Otherwise the usb_autopm_get_interface() call won't work. This fixes Bugzilla #23012. Signed-off-by: Alan Stern Reported-by: Kevin Smith Reported-and-tested-by: Simon Gerber Reported-and-tested-by: Matteo Croce Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6c2ad879feaf8bc3ac8a6b031437c59936b4646b Author: Jacques Viviers Date: Wed Nov 24 11:56:38 2010 +0200 USB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added commit 6fdbad8021151a9e93af8159a6232c8f26415c09 upstream. Add the PID for the Vardaan Enterprises VEUSB422R3 USB to RS422/485 converter. It uses the same chip as the FTDI_8U232AM_PID 0x6001. This should also work with the stable branches for: 2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36 Signed-off-by: Jacques Viviers Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c1235a4015fe1885a2eb67184fe50d4693351f2b Author: Michael Stuermer Date: Thu Nov 18 00:45:43 2010 +0100 USB: ftdi_sio: Add ID for RT Systems USB-29B radio cable commit 28942bb6a9dd4e2ed793675e515cfb8297ed355b upstream. Another variant of the RT Systems programming cable for ham radios. Signed-off-by: Michael Stuermer Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 727c9b4d3b2958822d59376cde7ef47ea4942537 Author: Greg Kroah-Hartman Date: Mon Nov 15 11:36:44 2010 -0800 USB: misc: usbsevseg: fix up some sysfs attribute permissions commit e24d7ace4e822debcb78386bf279c9aba4d7fbd1 upstream. They should not be writable by any user. Reported-by: Linus Torvalds Cc: Harrison Metzger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b3f4c19eafb1a74f2e2bdf6002745bb53014ce53 Author: Greg Kroah-Hartman Date: Mon Nov 15 11:34:26 2010 -0800 USB: misc: trancevibrator: fix up a sysfs attribute permission commit d489a4b3926bad571d404ca6508f6744b9602776 upstream. It should not be writable by any user. Reported-by: Linus Torvalds Cc: Sam Hocevar Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f523d85f52859960e420928d812341de4e6e0054 Author: Greg Kroah-Hartman Date: Mon Nov 15 11:35:49 2010 -0800 USB: misc: usbled: fix up some sysfs attribute permissions commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream. They should not be writable by any user. Reported-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 727fbf5e5760a100ab7192aa68c1738b4706d86d Author: Greg Kroah-Hartman Date: Mon Nov 15 11:32:38 2010 -0800 USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions commit c990600d340641150f7270470a64bd99a5c0b225 upstream. They should not be writable by any user. Reported-by: Linus Torvalds Cc: Oliver Bock Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b0866f4e290b7a45d1e2e82ec32a45d1a83c1737 Author: Greg Kroah-Hartman Date: Mon Nov 15 11:11:45 2010 -0800 USB: atm: ueagle-atm: fix up some permissions on the sysfs files commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream. Some of the sysfs files had the incorrect permissions. Some didn't make sense at all (writable for a file that you could not write to?) Reported-by: Linus Torvalds Cc: Matthieu Castet Cc: Stanislaw Gruszka Cc: Damien Bergamini Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b67a993c99765451994590ccc4083c2599f9de6a Author: Greg Kroah-Hartman Date: Mon Nov 15 11:17:52 2010 -0800 USB: storage: sierra_ms: fix sysfs file attribute commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream. A non-writable sysfs file shouldn't have writable attributes. Reported-by: Linus Torvalds Cc: Kevin Lloyd Cc: Matthew Dharm Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 88472ed6fe60117b8801a68e8c3cfff5ff812835 Author: Alan Stern Date: Tue Nov 16 10:57:37 2010 -0500 USB: EHCI: fix obscure race in ehci_endpoint_disable commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream. This patch (as1435) fixes an obscure and unlikely race in ehci-hcd. When an async URB is unlinked, the corresponding QH is removed from the async list. If the QH's endpoint is then disabled while the URB is being given back, ehci_endpoint_disable() won't find the QH on the async list, causing it to believe that the QH has been lost. This will lead to a memory leak at best and quite possibly to an oops. The solution is to trust usbcore not to lose track of endpoints. If the QH isn't on the async list then it doesn't need to be taken off the list, but the driver should still wait for the QH to become IDLE before disabling it. In theory this fixes Bugzilla #20182. In fact the race is so rare that it's not possible to tell whether the bug is still present. However, adding delays and making other changes to force the race seems to show that the patch works. Signed-off-by: Alan Stern Reported-by: Stefan Richter Signed-off-by: Andi Kleen CC: David Brownell Signed-off-by: Greg Kroah-Hartman commit 7135addd4bb65ec5bba2b9accf4c37df881851cd Author: John Tapsell Date: Thu Mar 25 13:30:45 2010 +0000 Staging: rt2870: Add USB ID for Buffalo Airstation WLI-UC-GN commit 251d380034c6c34efe75ffb89d863558ba68ec6a upstream. BugLink: http://bugs.launchpad.net/bugs/441990 This was tested to successfully enable the hardware. Signed-off-by: John Tapsell Signed-off-by: Stefan Bader Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 08dfe568671b01bf3c19c97b0dd91ea3a863123b Author: Vasiliy Kulikov Date: Sat Nov 6 17:41:28 2010 +0300 usb: core: fix information leak to userland commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream. Structure usbdevfs_connectinfo is copied to userland with padding byted after "slow" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 5f5e68292004921ff329aa58d27023f5e10ac27a Author: Vasiliy Kulikov Date: Sat Nov 6 17:41:31 2010 +0300 usb: misc: iowarrior: fix information leak to userland commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream. Structure iowarrior_info is copied to userland with padding byted between "serial" and "revision" fields uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Acked-by: Kees Cook Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1adcc1ce769c8edae42dc135c841c84874f17f7d Author: Vasiliy Kulikov Date: Sat Nov 6 17:41:35 2010 +0300 usb: misc: sisusbvga: fix information leak to userland commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream. Structure sisusb_info is copied to userland with "sisusb_reserved" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b588bc2a4733db29d1fe1a0fb0b9e61aa5de3199 Author: ma rui Date: Mon Nov 1 11:32:18 2010 +0800 USB: option: fix when the driver is loaded incorrectly for some Huawei devices. commit 58c0d9d70109bd7e82bdb9517007311a48499960 upstream. When huawei datacard with PID 0x14AC is insterted into Linux system, the present kernel will load the "option" driver to all the interfaces. But actually, some interfaces run as other function and do not need "option" driver. In this path, we modify the id_tables, when the PID is 0x14ac ,VID is 0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is 0xff, it does need "option" driver. Signed-off-by: ma rui Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit af39033bf6c0db7caea68b6fcd3e1d7735116007 Author: Sebastien Bourdeauducq Date: Wed Nov 3 11:54:12 2010 +0100 USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial commit 7fea0f714ffb3f303d4b66933af2df2f5584c9bf upstream. Add the USB IDs for the Milkymist One FTDI-based JTAG/serial adapter (http://projects.qi-hardware.com/index.php/p/mmone-jtag-serial-cable/) to the ftdi_sio driver and disable the first serial channel (used as JTAG from userspace). Signed-off-by: Sebastien Bourdeauducq Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit eafc2de6366f8b49aeeff5698a258f86ba5ffe75 Author: Ming Lei Date: Wed Oct 27 09:42:32 2010 -0500 usb: musb: fix kernel oops when loading musb_hdrc module for the 2nd time commit b212091474a5f967979e62c5c24687ee4d0342d9 upstream. musb driver still may write MUSB_DEVCTL register after clock is disabled in musb_platform_exit, which may cause the kernel oops[1] when musb_hdrc module is loaded for the 2nd time. The patch fixes the kernel oops in this case. [1] kernel oops when loading musb_hdrc module for the 2nd time [ 93.380279] musb_hdrc: version 6.0, musb-dma, otg (peripheral+host), debug=5 [ 93.387847] bus: 'platform': add driver musb_hdrc [ 93.388153] bus: 'platform': driver_probe_device: matched device musb_hdrc with driver musb_hdrc [ 93.388183] bus: 'platform': really_probe: probing driver musb_hdrc with device musb_hdrc [ 93.405090] HS USB OTG: revision 0x33, sysconfig 0x2010, sysstatus 0x1, intrfsel 0x1, simenable 0x0 [ 93.405364] musb_hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn) [ 93.405395] musb_hdrc: MHDRC RTL version 1.400 [ 93.405426] musb_hdrc: setup fifo_mode 3 [ 93.405456] musb_hdrc: 7/31 max ep, 3648/16384 memory [ 93.405487] musb_core_init 1524: musb_hdrc: hw_ep 0shared, max 64 [ 93.405487] musb_core_init 1524: musb_hdrc: hw_ep 1tx, doublebuffer, max 512 [ 93.405517] musb_core_init 1533: musb_hdrc: hw_ep 1rx, doublebuffer, max 512 [ 93.405548] musb_core_init 1524: musb_hdrc: hw_ep 2tx, max 512 [ 93.405578] musb_core_init 1533: musb_hdrc: hw_ep 2rx, max 512 [ 93.405578] musb_core_init 1524: musb_hdrc: hw_ep 3shared, max 256 [ 93.405609] musb_core_init 1524: musb_hdrc: hw_ep 4shared, max 256 [ 93.405853] musb_platform_try_idle 133: b_idle inactive, for idle timer for 7 ms [ 93.405944] device: 'gadget': device_add [ 93.406921] PM: Adding info for No Bus:gadget [ 93.406951] musb_init_controller 2136: OTG mode, status 0, dev80 [ 93.407379] musb_do_idle 51: musb_do_idle: state=1 [ 93.408233] musb_hdrc musb_hdrc: USB OTG mode controller at fa0ab000 using DMA, IRQ 92 [ 93.416656] driver: 'musb_hdrc': driver_bound: bound to device 'musb_hdrc' [ 93.416687] bus: 'platform': really_probe: bound device musb_hdrc to driver musb_hdrc [ 124.486938] bus: 'platform': remove driver musb_hdrc [ 124.490509] twl4030_usb twl4030_usb: twl4030_phy_suspend [ 124.491424] device: 'gadget': device_unregister [ 124.491424] PM: Removing info for No Bus:gadget [ 124.495269] gadget: musb_gadget_release [ 124.498992] driver: 'musb_hdrc': driver_release [ 129.569366] musb_hdrc: version 6.0, musb-dma, otg (peripheral+host), debug=5 [ 129.576934] bus: 'platform': add driver musb_hdrc [ 129.577209] bus: 'platform': driver_probe_device: matched device musb_hdrc with driver musb_hdrc [ 129.577239] bus: 'platform': really_probe: probing driver musb_hdrc with device musb_hdrc [ 129.592651] twl4030_usb twl4030_usb: twl4030_phy_resume [ 129.592681] Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa0ab404 [ 129.600830] Internal error: : 1028 [#1] [ 129.604858] last sysfs file: /sys/devices/platform/i2c_omap.3/i2c-3/i2c-dev/i2c-3/dev [ 129.613067] Modules linked in: musb_hdrc(+) [last unloaded: musb_hdrc] [ 129.619964] CPU: 0 Not tainted (2.6.36-next-20101021+ #372) [ 129.626281] PC is at musb_platform_init+0xb0/0x1c8 [musb_hdrc] [ 129.632415] LR is at mark_held_locks+0x64/0x94 [ 129.637084] pc : [] lr : [] psr: 20000013 [ 129.637084] sp : c6d5fcb0 ip : c6d5fc38 fp : c6d5fcd4 [ 129.649139] r10: c6e72180 r9 : fa0ab000 r8 : c05612e8 [ 129.654602] r7 : 0000005c r6 : c0559cc8 r5 : c6e72180 r4 : c0561548 [ 129.661468] r3 : 04d60047 r2 : fa0ab000 r1 : c07169d8 r0 : 00000000 [ 129.668304] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 129.675811] Control: 10c5387d Table: 86e4c019 DAC: 00000015 [ 129.681823] Process insmod (pid: 554, stack limit = 0xc6d5e2f0) [ 129.688049] Stack: (0xc6d5fcb0 to 0xc6d60000) [ 129.692626] fca0: fa0ab000 c0555c54 c6d5fcd4 c0561548 [ 129.701202] fcc0: 00000003 c05612e0 c6d5fe04 c6d5fcd8 bf03140c bf0320f4 c6d5fd9c c6d5fce8 [ 129.709808] fce0: c015cb94 c041448c c06d9d10 ffffffff c6d5fd14 c6d5fd00 c00adbec c6d5fd40 [ 129.718383] fd00: c015d478 c6d5fdb0 c6d5fd24 c00a9d18 c6d5e000 60000013 bf02a4ac c05612bc [ 129.726989] fd20: c0414fb4 c00a9cf0 c6d5fd54 c6d5fd38 c015bbdc c0244280 c6e8b7b0 c7929330 [ 129.735565] fd40: c6d5fdb0 c6d5fdb0 c6d5fd7c c6e7227c c015c010 c015bb90 c015c2ac c6d5fdb0 [ 129.744171] fd60: c7929330 c6d5fdb0 c7929330 c6e8b7b0 c6d5fd9c 00000000 c7929330 c6e8b7b0 [ 129.752746] fd80: c6d5fdb0 00000000 00000001 00000000 c6d5fde4 c6d5fda0 c015d478 c015cb74 [ 129.761322] fda0: c056138c 00000000 c6d5fdcc c6d5fdb8 c7929330 00000000 c056138c c05612e8 [ 129.769927] fdc0: 00000000 c05612f0 c0c5d62c c06f6e00 c73217c0 00000000 c6d5fdf4 c05612e8 [ 129.778503] fde0: c05612e8 bf02a2e4 c0c5d62c c06f6e00 c73217c0 00000000 c6d5fe14 c6d5fe08 [ 129.787109] fe00: c029a398 bf0311c8 c6d5fe4c c6d5fe18 c0299120 c029a384 c7919140 22222222 [ 129.795684] fe20: c6d5fe4c c05612e8 c056131c bf02a2e4 c0299278 c06f6e00 c73217c0 00000000 [ 129.804290] fe40: c6d5fe6c c6d5fe50 c0299314 c0299020 00000000 c6d5fe70 bf02a2e4 c0299278 [ 129.812866] fe60: c6d5fe94 c6d5fe70 c02987d4 c0299284 c7825060 c78c6618 00000000 bf02a2e4 [ 129.821441] fe80: c06e4c98 00000000 c6d5fea4 c6d5fe98 c0298ea4 c0298778 c6d5fedc c6d5fea8 [ 129.830047] fea0: c0297f84 c0298e8c bf02716c 000b9008 bf02a2e4 bf02a2d0 000b9008 bf02a2e4 [ 129.838623] fec0: 00000000 c06f6e00 bf031000 00000000 c6d5fefc c6d5fee0 c0299614 c0297ec0 [ 129.847229] fee0: bf02a2d0 000b9008 bf02a388 00000000 c6d5ff0c c6d5ff00 c029a868 c02995a8 [ 129.855804] ff00: c6d5ff24 c6d5ff10 c029a88c c029a818 0010281c 000b9008 c6d5ff34 c6d5ff28 [ 129.864410] ff20: bf03104c c029a878 c6d5ff7c c6d5ff38 c00463dc bf03100c 00000000 00000000 [ 129.872985] ff40: 00000000 0010281c 000b9008 bf02a388 00000000 0010281c 000b9008 bf02a388 [ 129.881591] ff60: 00000000 c00521c8 c6d5e000 00000000 c6d5ffa4 c6d5ff80 c00bb9b8 c00463ac [ 129.890167] ff80: c00adc88 c00ada68 00097e8e bebbfcf4 0010281c 00000080 00000000 c6d5ffa8 [ 129.898742] ffa0: c0052000 c00bb908 00097e8e bebbfcf4 402c9008 0010281c 000b9008 bebbfe5a [ 129.907348] ffc0: 00097e8e bebbfcf4 0010281c 00000080 00000014 bebbfcf4 bebbfe06 0000005b [ 129.915924] ffe0: bebbf9a0 bebbf990 0001a108 40263ec0 60000010 402c9008 011b0000 0000007c [ 129.924499] Backtrace: [ 129.927185] [] (musb_platform_init+0x0/0x1c8 [musb_hdrc]) from [] (musb_probe+0x250/0xf2c [musb_hdrc]) [ 129.938781] r6:c05612e0 r5:00000003 r4:c0561548 [ 129.943695] [] (musb_probe+0x0/0xf2c [musb_hdrc]) from [] (platform_drv_probe+0x20/0x24) [ 129.954040] [] (platform_drv_probe+0x0/0x24) from [] (driver_probe_device+0x10c/0x264) [ 129.964172] [] (driver_probe_device+0x0/0x264) from [] (__driver_attach+0x9c/0xa0) [ 129.973968] [] (__driver_attach+0x0/0xa0) from [] (bus_for_each_dev+0x68/0x94) [ 129.983367] r7:c0299278 r6:bf02a2e4 r5:c6d5fe70 r4:00000000 [ 129.989349] [] (bus_for_each_dev+0x0/0x94) from [] (driver_attach+0x24/0x28) [ 129.998565] r7:00000000 r6:c06e4c98 r5:bf02a2e4 r4:00000000 [ 130.004547] [] (driver_attach+0x0/0x28) from [] (bus_add_driver+0xd0/0x274) [ 130.013671] [] (bus_add_driver+0x0/0x274) from [] (driver_register+0x78/0x158) [ 130.023101] [] (driver_register+0x0/0x158) from [] (platform_driver_register+0x5c/0x60) [ 130.033325] r7:00000000 r6:bf02a388 r5:000b9008 r4:bf02a2d0 [ 130.039276] [] (platform_driver_register+0x0/0x60) from [] (platform_driver_probe+0x20/0xa8) [ 130.050018] [] (platform_driver_probe+0x0/0xa8) from [] (musb_init+0x4c/0x54 [musb_hdrc]) [ 130.060424] r5:000b9008 r4:0010281c [ 130.064239] [] (musb_init+0x0/0x54 [musb_hdrc]) from [] (do_one_initcall+0x3c/0x1c0) [ 130.074218] [] (do_one_initcall+0x0/0x1c0) from [] (sys_init_module+0xbc/0x1d0) [ 130.083709] [] (sys_init_module+0x0/0x1d0) from [] (ret_fast_syscall+0x0/0x3c) [ 130.093109] r7:00000080 r6:0010281c r5:bebbfcf4 r4:00097e8e [ 130.099090] Code: 0a000046 e3a01001 e12fff33 e59520e4 (e5923404) [ 130.105621] ---[ end trace 1d0bd69deb79164d ]--- Cc: Ajay Kumar Gupta Cc: Sergei Shtylyov Cc: Anand Gadiyar Signed-off-by: Ming Lei Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 3e22d87b381cf915954772a8d4a9a7681d453b83 Author: Josh Wu Date: Tue Nov 16 11:51:32 2010 +0100 USB: gadget: AT91: fix typo in atmel_usba_udc driver commit b48809518631880207796b4aab0fc39c2f036754 upstream. compile fix for bug introduced by 969affff547027) Signed-off-by: Josh Wu Cc: Jiri Kosina Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 21f71d8817c6f240ab1c863d213bf5cd164aec73 Author: Sarah Sharp Date: Tue Nov 16 15:58:52 2010 -0800 xhci: Don't let the USB core disable SuperSpeed ports. commit 6dd0a3a7e0793dbeae1b951f091025d8cf896cb4 upstream. Disabling SuperSpeed ports is a Very Bad Thing (TM). It disables SuperSpeed terminations, which means that devices will never connect at SuperSpeed on that port. For USB 2.0/1.1 ports, disabling the port meant that the USB core could always get a connect status change later. That's not true with USB 3.0 ports. Do not let the USB core disable SuperSpeed ports. We can't rely on the device speed in the port status registers, since that isn't valid until there's a USB device connected to the port. Instead, we use the port speed array that's created from the Extended Capabilities registers. Signed-off-by: Sarah Sharp Tested-by: Don Zickus Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d52a93879e54fac8fb17f566f226c1060c7d1a84 Author: Sarah Sharp Date: Tue Oct 26 16:47:13 2010 -0700 xhci: Setup array of USB 2.0 and USB 3.0 ports. commit da6699ce4a889c3795624ccdcfe7181cc89f18e8 upstream. An xHCI host controller contains USB 2.0 and USB 3.0 ports, which can occur in any order in the PORTSC registers. We cannot read the port speed bits in the PORTSC registers at init time to determine the port speed, since those bits are only valid when a USB device is plugged into the port. Instead, we read the "Supported Protocol Capability" registers in the xHC Extended Capabilities space. Those describe the protocol, port offset in the PORTSC registers, and port count. We use those registers to create two arrays of pointers to the PORTSC registers, one for USB 3.0 ports, and another for USB 2.0 ports. A third array keeps track of the port protocol major revision, and is indexed with the internal xHCI port number. This commit is a bit big, but it should be queued for stable because the "Don't let the USB core disable SuperSpeed ports" patch depends on it. There is no other way to determine which ports are SuperSpeed ports without this patch. Signed-off-by: Sarah Sharp Tested-by: Don Zickus Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 60e2b701c5d6e82790e111c05df8a184b4eaa09e Author: Paul Zimmerman Date: Wed Nov 17 16:26:50 2010 -0800 xhci: Fix reset-device and configure-endpoint commands commit 7a3783efffc7bc2e702d774e47fad5b8e37e9ad1 upstream. We have been having problems with the USB-IF Gold Tree tests when plugging and unplugging devices from the tree. I have seen that the reset-device and configure-endpoint commands, which are invoked from xhci_discover_or_reset_device() and xhci_configure_endpoint(), will sometimes time out. After much debugging, I determined that the commands themselves do not actually time out, but rather their completion events do not get delivered to the right place. This happens when the command ring has just wrapped around, and it's enqueue pointer is left pointing to the link TRB. xhci_discover_or_reset_device() and xhci_configure_endpoint() use the enqueue pointer directly as their command TRB pointer, without checking whether it's pointing to the link TRB. When the completion event arrives, if the command TRB is pointing to the link TRB, the check against the command ring dequeue pointer in handle_cmd_in_cmd_wait_list() fails, so the completion inside the command does not get signaled. The patch below fixes the timeout problem for me. This should be queued for the 2.6.35 and 2.6.36 stable trees. Signed-off-by: Paul Zimmerman Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b9c5ff8e4a33aa0746121ea828544a285df9f5b6 Author: Andiry Xu Date: Thu Nov 11 17:43:57 2010 +0800 xHCI: fix wMaxPacketSize mask commit dc07c91b9b4067022210e68d914a6890a4d70622 upstream. USB2.0 spec 9.6.6 says: For all endpoints, bit 10..0 specify the maximum packet size(in bytes). So the wMaxPacketSize mask should be 0x7ff rather than 0x3ff. This patch should be queued for the stable tree. The bug in xhci_endpoint_init() was present as far back as 2.6.31, and the bug in xhci_get_max_esit_payload() was present when the function was introduced in 2.6.34. Reported-by: Sander Eikelenboom Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e4027ab821c0db566c2db2fa0e82bffb76744e36 Author: Darrick J. Wong Date: Tue Nov 16 09:13:41 2010 -0800 PCI: fix offset check for sysfs mmapped files commit 8c05cd08a7504b855c265263e84af61aabafa329 upstream. I just loaded 2.6.37-rc2 on my machines, and I noticed that X no longer starts. Running an strace of the X server shows that it's doing this: open("/sys/bus/pci/devices/0000:07:00.0/resource0", O_RDWR) = 10 mmap(NULL, 16777216, PROT_READ|PROT_WRITE, MAP_SHARED, 10, 0) = -1 EINVAL (Invalid argument) This code seems to be asking for a shared read/write mapping of 16MB worth of BAR0 starting at file offset 0, and letting the kernel assign a starting address. Unfortunately, this -EINVAL causes X not to start. Looking into dmesg, there's a complaint like so: process "Xorg" tried to map 0x01000000 bytes at page 0x00000000 on 0000:07:00.0 BAR 0 (start 0x 96000000, size 0x 1000000) ...with the following code in pci_mmap_fits: pci_start = (mmap_api == PCI_MMAP_SYSFS) ? pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0; if (start >= pci_start && start < pci_start + size && start + nr <= pci_start + size) It looks like the logic here is set up such that when the mmap call comes via sysfs, the check in pci_mmap_fits wants vma->vm_pgoff to be between the resource's start and end address, and the end of the vma to be no farther than the end. However, the sysfs PCI resource files always start at offset zero, which means that this test always fails for programs that mmap the sysfs files. Given the comment in the original commit 3b519e4ea618b6943a82931630872907f9ac2c2b, I _think_ the old procfs files require that the file offset be equal to the resource's base address when mmapping. I think what we want here is for pci_start to be 0 when mmap_api == PCI_MMAP_PROCFS. The following patch makes that change, after which the Matrox and Mach64 X drivers work again. Acked-by: Martin Wilck Signed-off-by: Darrick J. Wong Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 9d5538131abcd941d16009c333c8b28b7ce5dc11 Author: Martin Wilck Date: Wed Nov 10 11:03:21 2010 +0100 PCI: fix size checks for mmap() on /proc/bus/pci files commit 3b519e4ea618b6943a82931630872907f9ac2c2b upstream. The checks for valid mmaps of PCI resources made through /proc/bus/pci files that were introduced in 9eff02e2042f96fb2aedd02e032eca1c5333d767 have several problems: 1. mmap() calls on /proc/bus/pci files are made with real file offsets > 0, whereas under /sys/bus/pci/devices, the start of the resource corresponds to offset 0. This may lead to false negatives in pci_mmap_fits(), which implicitly assumes the /sys/bus/pci/devices layout. 2. The loop in proc_bus_pci_mmap doesn't skip empty resouces. This leads to false positives, because pci_mmap_fits() doesn't treat empty resources correctly (the calculated size is 1 << (8*sizeof(resource_size_t)-PAGE_SHIFT) in this case!). 3. If a user maps resources with BAR > 0, pci_mmap_fits will emit bogus WARNINGS for the first resources that don't fit until the correct one is found. On many controllers the first 2-4 BARs are used, and the others are empty. In this case, an mmap attempt will first fail on the non-empty BARs (including the "right" BAR because of 1.) and emit bogus WARNINGS because of 3., and finally succeed on the first empty BAR because of 2. This is certainly not the intended behaviour. This patch addresses all 3 issues. Updated with an enum type for the additional parameter for pci_mmap_fits(). Signed-off-by: Martin Wilck Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit bcb8e33f1cccdeeffb9cccb729f31c11259fdae0 Author: Tejun Heo Date: Mon Nov 1 11:39:19 2010 +0100 libata: fix NULL sdev dereference race in atapi_qc_complete() commit 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream. SCSI commands may be issued between __scsi_add_device() and dev->sdev assignment, so it's unsafe for ata_qc_complete() to dereference dev->sdev->locked without checking whether it's NULL or not. Fix it. Signed-off-by: Tejun Heo Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 852997dd63d9da05f9376c12c50a17da75f98c94 Author: Peter Zijlstra Date: Thu Sep 16 17:50:31 2010 +0200 sched: fix RCU lockdep splat from task_group() commit 6506cf6ce68d78a5470a8360c965dafe8e4b78e3 upstream. This addresses the following RCU lockdep splat: [0.051203] CPU0: AMD QEMU Virtual CPU version 0.12.4 stepping 03 [0.052999] lockdep: fixing up alternatives. [0.054105] [0.054106] =================================================== [0.054999] [ INFO: suspicious rcu_dereference_check() usage. ] [0.054999] --------------------------------------------------- [0.054999] kernel/sched.c:616 invoked rcu_dereference_check() without protection! [0.054999] [0.054999] other info that might help us debug this: [0.054999] [0.054999] [0.054999] rcu_scheduler_active = 1, debug_locks = 1 [0.054999] 3 locks held by swapper/1: [0.054999] #0: (cpu_add_remove_lock){+.+.+.}, at: [] cpu_up+0x42/0x6a [0.054999] #1: (cpu_hotplug.lock){+.+.+.}, at: [] cpu_hotplug_begin+0x2a/0x51 [0.054999] #2: (&rq->lock){-.-...}, at: [] init_idle+0x2f/0x113 [0.054999] [0.054999] stack backtrace: [0.054999] Pid: 1, comm: swapper Not tainted 2.6.35 #1 [0.054999] Call Trace: [0.054999] [] lockdep_rcu_dereference+0x9b/0xa3 [0.054999] [] task_group+0x7b/0x8a [0.054999] [] set_task_rq+0x13/0x40 [0.054999] [] init_idle+0xd2/0x113 [0.054999] [] fork_idle+0xb8/0xc7 [0.054999] [] ? mark_held_locks+0x4d/0x6b [0.054999] [] do_fork_idle+0x17/0x2b [0.054999] [] native_cpu_up+0x1c1/0x724 [0.054999] [] ? do_fork_idle+0x0/0x2b [0.054999] [] _cpu_up+0xac/0x127 [0.054999] [] cpu_up+0x55/0x6a [0.054999] [] kernel_init+0xe1/0x1ff [0.054999] [] kernel_thread_helper+0x4/0x10 [0.054999] [] ? restore_args+0x0/0x30 [0.054999] [] ? kernel_init+0x0/0x1ff [0.054999] [] ? kernel_thread_helper+0x0/0x10 [0.056074] Booting Node 0, Processors #1lockdep: fixing up alternatives. [0.130045] #2lockdep: fixing up alternatives. [0.203089] #3 Ok. [0.275286] Brought up 4 CPUs [0.276005] Total of 4 processors activated (16017.17 BogoMIPS). The cgroup_subsys_state structures referenced by idle tasks are never freed, because the idle tasks should be part of the root cgroup, which is not removable. The problem is that while we do in-fact hold rq->lock, the newly spawned idle thread's cpu is not yet set to the correct cpu so the lockdep check in task_group(): lockdep_is_held(&task_rq(p)->lock) will fail. But this is a chicken and egg problem. Setting the CPU's runqueue requires that the CPU's runqueue already be set. ;-) So insert an RCU read-side critical section to avoid the complaint. Signed-off-by: Peter Zijlstra Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit abf171a0b317ba700938a81d534e57a05e1a6546 Author: Daniel Vetter Date: Sat Aug 28 11:04:32 2010 +0200 intel-gtt: fix gtt_total_entries detection commit e5e408fc94595aab897f613b6f4e2f5b36870a6f upstream. In commit f1befe71 Chris Wilson added some code to clear the full gtt on g33/pineview instead of just the mappable part. The code looks like it was copy-pasted from agp/intel-gtt.c, at least an identical piece of code is still there (in intel_i830_init_gtt_entries). This lead to a regression in 2.6.35 which was supposedly fixed in commit e7b96f28 Now this commit makes absolutely no sense to me. It seems to be slightly confused about chipset generations - it references docs for 4th gen but the regression concerns 3rd gen g33. Luckily the the g33 gmch docs are available with the GMCH Graphics Control pci config register definitions. The other (bigger problem) is that the new check in there uses the i830 stolen mem bits (.5M, 1M or 8M of stolen mem). They are different since the i855GM. The most likely case is that it hits the 512M fallback, which was probably the right thing for the boxes this was tested on. So the original approach by Chris Wilson seems to be wrong and the current code is definitely wrong. There is a third approach by Jesse Barnes from his RFC patch "Who wants a bigger GTT mapping range?" where he simply shoves g33 in the same clause like later chipset generations. I've asked him and Jesse confirmed that this should work. So implement it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=16891$ Tested-by: Anisse Astier Signed-off-by: Anisse Astier Signed-off-by: Daniel Vetter Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit df5b9f1cdee1c24106013c18c195ca6a98022291 Author: Chris Wilson Date: Wed Nov 24 17:37:17 2010 +0000 drm/i915/sdvo: Always add a 30ms delay to make SDVO TV detection reliable commit ba84cd1f2b5dd49bda9300c5a11373f7e14c3c66 upstream. Commit d09c23de intended to add a 30ms delay to give the ADD time to detect any TVs connected. However, it used the sdvo->is_tv flag to do so which is dependent upon the previous detection result and not whether the output supports TVs. Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 64e05f5440698463a93cb6bb97f71d7b8b7fee65 Author: Oleg Nesterov Date: Tue Nov 30 20:56:02 2010 +0100 exec: copy-and-paste the fixes into compat_do_execve() paths commit 114279be2120a916e8a04feeb2ac976a10016f2f upstream. Note: this patch targets 2.6.37 and tries to be as simple as possible. That is why it adds more copy-and-paste horror into fs/compat.c and uglifies fs/exec.c, this will be cleanuped later. compat_copy_strings() plays with bprm->vma/mm directly and thus has two problems: it lacks the RLIMIT_STACK check and argv/envp memory is not visible to oom killer. Export acct_arg_size() and get_arg_page(), change compat_copy_strings() to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0) as do_execve() does. Add the fatal_signal_pending/cond_resched checks into compat_count() and compat_copy_strings(), this matches the code in fs/exec.c and certainly makes sense. Signed-off-by: Oleg Nesterov Cc: KOSAKI Motohiro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c9b14e575935b3540e08f4467cf6588be2669710 Author: Oleg Nesterov Date: Tue Dec 14 23:40:11 2010 +0100 exec: make argv/envp memory visible to oom-killer commit 3c77f845722158206a7209c45ccddc264d19319c upstream. Brad Spengler published a local memory-allocation DoS that evades the OOM-killer (though not the virtual memory RLIMIT): http://www.grsecurity.net/~spender/64bit_dos.c execve()->copy_strings() can allocate a lot of memory, but this is not visible to oom-killer, nobody can see the nascent bprm->mm and take it into account. With this patch get_arg_page() increments current's MM_ANONPAGES counter every time we allocate the new page for argv/envp. When do_execve() succeds or fails, we change this counter back. Technically this is not 100% correct, we can't know if the new page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but I don't think this really matters and everything becomes correct once exec changes ->mm or fails. Compared to upstream: before 2.6.36 kernel, oom-killer's badness() takes mm->total_vm into account and nothing else. So acct_arg_size() has to play with this counter too. Reported-by: Brad Spengler Signed-off-by: Andi Kleen Reviewed-and-discussed-by: KOSAKI Motohiro Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f79f5c7c8c2fd31a9e00586aa5e5ed443af88cef Author: Alex Deucher Date: Tue Nov 30 15:46:47 2010 -0500 drm/radeon/kms: fix interlaced and doublescan handling commit c49948f4bd39e27dd06a1cdb0c3743ca2a734f5e upstream. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 73b7f671413df8be86082244b0ae55516097eebf Author: Michel Dänzer Date: Tue Nov 9 11:50:05 2010 +0100 drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once. commit 2b66b50b12cabc05f05543e792d4c9c2465d5702 upstream. If ttm_bo_init() returns failure, it already destroyed the BO, so we need to retry from scratch. Signed-off-by: Michel Dänzer Tested-by: Markus Trippelsdorf Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7b86e65e74572b8a2935e136a901a527786d2772 Author: Alex Deucher Date: Tue Nov 30 00:15:10 2010 -0500 drm/radeon/kms: add workaround for dce3 ddc line vbios bug commit 3074adc8b6d9bf28b574a58241b958057a69a7a0 upstream. fixes: https://bugzilla.kernel.org/show_bug.cgi?id=23752 [AK: Dropped hunk for non existing i2c code in .35] Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 2aa9f3ac2b1027717eb57010b5931d1d85b216fb Author: Alex Deucher Date: Tue Nov 30 19:11:45 2010 -0500 drm/radeon/kms: fix typos in disabled vbios code commit 0ec80d645661dda50acd417bdfcb33df2e5dd31e upstream. 6xx/7xx was hitting the wrong BUS_CNTL reg and bits. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b7de29c5fd5a31d6fca4d9c86a2c92b4da4df626 Author: Alex Deucher Date: Wed Nov 17 02:49:40 2010 -0500 drm/radeon/kms/atom: set sane defaults in atombios_get_encoder_mode() commit c7a71fc761551dc8be8543f14a90d08cda4e77f9 upstream. If there was no connector mapped to the encoder, atombios_get_encoder_mode() returned 0 which is the id for DP. Return something sane instead based on the encoder id. This avoids hitting the DP paths on non-DP encoders. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6d166dd8e4157e9381a2d4dd2f77eda2600fa783 Author: Jens Axboe Date: Wed Nov 10 14:36:25 2010 +0100 bio: take care not overflow page count when mapping/copying user data commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream. If the iovec is being set up in a way that causes uaddr + PAGE_SIZE to overflow, we could end up attempting to map a huge number of pages. Check for this invalid input type. Reported-by: Dan Rosenberg Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 533f966c7aeae378188c9ec5b8635a4afabb8ea3 Author: Dave Hansen Date: Thu Nov 11 14:05:15 2010 -0800 mm/vfs: revalidate page->mapping in do_generic_file_read() commit 8d056cb965b8fb7c53c564abf28b1962d1061cd3 upstream. 70 hours into some stress tests of a 2.6.32-based enterprise kernel, we ran into a NULL dereference in here: int block_is_partially_uptodate(struct page *page, read_descriptor_t *desc, unsigned long from) { ----> struct inode *inode = page->mapping->host; It looks like page->mapping was the culprit. (xmon trace is below). After closer examination, I realized that do_generic_file_read() does a find_get_page(), and eventually locks the page before calling block_is_partially_uptodate(). However, it doesn't revalidate the page->mapping after the page is locked. So, there's a small window between the find_get_page() and ->is_partially_uptodate() where the page could get truncated and page->mapping cleared. We _have_ a reference, so it can't get reclaimed, but it certainly can be truncated. I think the correct thing is to check page->mapping after the trylock_page(), and jump out if it got truncated. This patch has been running in the test environment for a month or so now, and we have not seen this bug pop up again. xmon info: 1f:mon> e cpu 0x1f: Vector: 300 (Data Access) at [c0000002ae36f770] pc: c0000000001e7a6c: .block_is_partially_uptodate+0xc/0x100 lr: c000000000142944: .generic_file_aio_read+0x1e4/0x770 sp: c0000002ae36f9f0 msr: 8000000000009032 dar: 0 dsisr: 40000000 current = 0xc000000378f99e30 paca = 0xc000000000f66300 pid = 21946, comm = bash 1f:mon> r R00 = 0025c0500000006d R16 = 0000000000000000 R01 = c0000002ae36f9f0 R17 = c000000362cd3af0 R02 = c000000000e8cd80 R18 = ffffffffffffffff R03 = c0000000031d0f88 R19 = 0000000000000001 R04 = c0000002ae36fa68 R20 = c0000003bb97b8a0 R05 = 0000000000000000 R21 = c0000002ae36fa68 R06 = 0000000000000000 R22 = 0000000000000000 R07 = 0000000000000001 R23 = c0000002ae36fbb0 R08 = 0000000000000002 R24 = 0000000000000000 R09 = 0000000000000000 R25 = c000000362cd3a80 R10 = 0000000000000000 R26 = 0000000000000002 R11 = c0000000001e7b60 R27 = 0000000000000000 R12 = 0000000042000484 R28 = 0000000000000001 R13 = c000000000f66300 R29 = c0000003bb97b9b8 R14 = 0000000000000001 R30 = c000000000e28a08 R15 = 000000000000ffff R31 = c0000000031d0f88 pc = c0000000001e7a6c .block_is_partially_uptodate+0xc/0x100 lr = c000000000142944 .generic_file_aio_read+0x1e4/0x770 msr = 8000000000009032 cr = 22000488 ctr = c0000000001e7a60 xer = 0000000020000000 trap = 300 dar = 0000000000000000 dsisr = 40000000 1f:mon> t [link register ] c000000000142944 .generic_file_aio_read+0x1e4/0x770 [c0000002ae36f9f0] c000000000142a14 .generic_file_aio_read+0x2b4/0x770 (unreliable) [c0000002ae36fb40] c0000000001b03e4 .do_sync_read+0xd4/0x160 [c0000002ae36fce0] c0000000001b153c .vfs_read+0xec/0x1f0 [c0000002ae36fd80] c0000000001b1768 .SyS_read+0x58/0xb0 [c0000002ae36fe30] c00000000000852c syscall_exit+0x0/0x40 --- Exception: c00 (System Call) at 00000080a840bc54 SP (fffca15df30) is in userspace 1f:mon> di c0000000001e7a6c c0000000001e7a6c e9290000 ld r9,0(r9) c0000000001e7a70 418200c0 beq c0000000001e7b30 # .block_is_partially_uptodate+0xd0/0x100 c0000000001e7a74 e9440008 ld r10,8(r4) c0000000001e7a78 78a80020 clrldi r8,r5,32 c0000000001e7a7c 3c000001 lis r0,1 c0000000001e7a80 812900a8 lwz r9,168(r9) c0000000001e7a84 39600001 li r11,1 c0000000001e7a88 7c080050 subf r0,r8,r0 c0000000001e7a8c 7f805040 cmplw cr7,r0,r10 c0000000001e7a90 7d6b4830 slw r11,r11,r9 c0000000001e7a94 796b0020 clrldi r11,r11,32 c0000000001e7a98 419d00a8 bgt cr7,c0000000001e7b40 # .block_is_partially_uptodate+0xe0/0x100 c0000000001e7a9c 7fa55840 cmpld cr7,r5,r11 c0000000001e7aa0 7d004214 add r8,r0,r8 c0000000001e7aa4 79080020 clrldi r8,r8,32 c0000000001e7aa8 419c0078 blt cr7,c0000000001e7b20 # .block_is_partially_uptodate+0xc0/0x100 Signed-off-by: Dave Hansen Reviewed-by: Minchan Kim Reviewed-by: Johannes Weiner Acked-by: Rik van Riel Cc: Cc: Cc: Christoph Hellwig Cc: Al Viro Cc: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c6ec3bc8d63237a1c7873eda3a170710ae241847 Author: Ken Chen Date: Thu Nov 11 14:05:16 2010 -0800 latencytop: fix per task accumulator commit 38715258aa2e8cd94bd4aafadc544e5104efd551 upstream. Per task latencytop accumulator prematurely terminates due to erroneous placement of latency_record_count. It should be incremented whenever a new record is allocated instead of increment on every latencytop event. Also fix search iterator to only search known record events instead of blindly searching all pre-allocated space. Signed-off-by: Ken Chen Signed-off-by: Andi Kleen Reviewed-by: Arjan van de Ven Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 009c1847bbc6a87c995d8ad5f575f2648b76222a Author: Nick Piggin Date: Thu Nov 11 14:05:19 2010 -0800 radix-tree: fix RCU bug commit 27d20fddc8af539464fc3ba499d6a830054c3bd6 upstream. Salman Qazi describes the following radix-tree bug: In the following case, we get can get a deadlock: 0. The radix tree contains two items, one has the index 0. 1. The reader (in this case find_get_pages) takes the rcu_read_lock. 2. The reader acquires slot(s) for item(s) including the index 0 item. 3. The non-zero index item is deleted, and as a consequence the other item is moved to the root of the tree. The place where it used to be is queued for deletion after the readers finish. 3b. The zero item is deleted, removing it from the direct slot, it remains in the rcu-delayed indirect node. 4. The reader looks at the index 0 slot, and finds that the page has 0 ref count 5. The reader looks at it again, hoping that the item will either be freed or the ref count will increase. This never happens, as the slot it is looking at will never be updated. Also, this slot can never be reclaimed because the reader is holding rcu_read_lock and is in an infinite loop. The fix is to re-use the same "indirect" pointer case that requires a slot lookup retry into a general "retry the lookup" bit. Signed-off-by: Nick Piggin Reported-by: Salman Qazi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d4587674b6ade7e1910ae70284c99239bff84ead Author: Eric Paris Date: Fri Nov 12 08:26:06 2010 +0100 netfilter: NF_HOOK_COND has wrong conditional commit ac5aa2e3332ec04889074afdbd1479424d0227a5 upstream. The NF_HOOK_COND returns 0 when it shouldn't due to what I believe to be an error in the code as the order of operations is not what was intended. C will evalutate == before =. Which means ret is getting set to the bool result, rather than the return value of the function call. The code says if (ret = function() == 1) when it meant to say: if ((ret = function()) == 1) Normally the compiler would warn, but it doesn't notice it because its a actually complex conditional and so the wrong code is wrapped in an explict set of () [exactly what the compiler wants you to do if this was intentional]. Fixing this means that errors when netfilter denies a packet get propagated back up the stack rather than lost. Problem introduced by commit 2249065f (netfilter: get rid of the grossness in netfilter.h). Signed-off-by: Eric Paris Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c7ec3b059493edf4fc7cdaf4ce7a7883617cefb3 Author: Eric Dumazet Date: Thu Oct 28 12:34:21 2010 +0200 netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem pages commit 6b1686a71e3158d3c5f125260effce171cc7852b upstream. commit ea781f197d6a8 (use SLAB_DESTROY_BY_RCU and get rid of call_rcu()) did a mistake in __vmalloc() call in nf_ct_alloc_hashtable(). I forgot to add __GFP_HIGHMEM, so pages were taken from LOWMEM only. Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit bf2f177bdb68b531279f73f3b166360bbc22c747 Author: Daniel T Chen Date: Wed Dec 1 19:16:07 2010 -0500 ALSA: hda: Use "alienware" model quirk for another SSID commit 0defe09ca70daccdc83abd9c3c24cd89ae6a1141 upstream. BugLink: https://launchpad.net/bugs/683695 The original reporter states that headphone jacks do not appear to work. Upon inspecting his codec dump, and upon further testing, it is confirmed that the "alienware" model quirk is correct. Reported-and-tested-by: Cody Thierauf Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit bc59d7d4a0c3ab839cd8651ea639702d4d173a4b Author: Takashi Iwai Date: Tue Nov 30 08:14:21 2010 +0100 ALSA: Fix SNDCTL_DSP_RESET ioctl for OSS emulation commit 60686aa0086a14f8b15c83a09f3df1eebe3aab3c upstream. In OSS emulation, SNDCTL_DSP_RESET ioctl needs the reset of the internal buffer state in addition to drop of the running streams. Otherwise the succeeding access becomes inconsistent. Tested-by: Amit Nagal Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 48099f895b702f3c13a9828396e6efa29d0b370c Author: David Henningsson Date: Wed Nov 24 14:17:47 2010 +0100 ALSA: HDA: Add an extra DAC for Realtek ALC887-VD commit cc1c452e509aefc28f7ad2deed75bc69d4f915f7 upstream. The patch enables ALC887-VD to use the DAC at nid 0x26, which makes it possible to use this DAC for e g Headphone volume. Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ba9219020fecff721cb7cb6e21defb63ba5c3bf6 Author: Herton Ronaldo Krzesinski Date: Thu Nov 25 00:08:01 2010 -0200 ALSA: hda - Fix ALC660-VD/ALC861-VD capture/playback mixers commit 7167594a3da7dcc33203b85d62e519594baee390 upstream. The mixer nids passed to alc_auto_create_input_ctls are wrong: 0x15 is a pin, and 0x09 is the ADC on both ALC660-VD/ALC861-VD. Thus with current code, input playback volume/switches and input source mixer controls are not created, and recording doesn't work. Select correct mixers, 0x0b (input playback mixer) and 0x22 (capture source mixer). Reference: https://qa.mandriva.com/show_bug.cgi?id=61159 Signed-off-by: Herton Ronaldo Krzesinski Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit bc23f2c11af8b5d32724fe3e226e3edb0fdf6fb2 Author: Takashi Iwai Date: Fri Nov 26 17:11:18 2010 +0100 ALSA: hda - Use ALC_INIT_DEFAULT for really default initialization commit 5a8cfb4e8ae317d283f84122ed20faa069c5e0c4 upstream. When SKU assid gives no valid bits for 0x38, the driver didn't take any action, so far. This resulted in the missing initialization for external amps, etc, thus the silent output in the end. Especially users hit this problem on ALC888 newly since 2.6.35, where the driver doesn't force to use ALC_INIT_DEFAULT any more. This patch sets the default initialization scheme to use ALC_INIT_DEFAULT when no valid bits are set for SKU assid. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=657388 Reported-and-tested-by: Kyle McMartin Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 3d35ce84b3081199d1202ad36669212c62122cfb Author: Daniel T Chen Date: Sat Nov 20 10:20:35 2010 -0500 ALSA: hda: Add Samsung R720 SSID for subwoofer pin fixup commit a0e90acc657990511c83bc69965bfd3c63386d45 upstream. BugLink: https://launchpad.net/bugs/677830 The original reporter states that the subwoofer does not mute when inserting headphones. We need an entry for his machine's SSID in the subwoofer pin fixup list, so add it there (verified using hda_analyzer). Reported-and-tested-by: i-NoD Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 43c463c71292f424f8ddb9e1852e2b1de0c86eed Author: Daniel T Chen Date: Sun Oct 10 22:39:28 2010 -0400 ALSA: hda: Add speaker pin to automute Acer Aspire 8943G commit 2df03514de41f3bbb5623f2e7f2bf594e49cb2ec upstream. BugLink: https://bugs.launchpad.net/bugs/656625 Add clause for handling Acer Aspire 8943G's subwoofer as additional speaker pin for automuting. Reported-by: RussianNeuroMancer Signed-off-by: Daniel T Chen Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 43365dd81ad90375befc33ea426d3448a04f0c38 Author: Valentine Sinitsyn Date: Fri Oct 1 22:24:08 2010 +0600 ALSA: hda - Added fixup for Lenovo Y550P commit d41185882b828896ccecac319c9f65f708baaf0d upstream. Signed-off-by: Valentine Sinitsyn Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a5bbcf1a635c40898cf3e5209f03710df588187c Author: David Henningsson Date: Thu Sep 9 08:51:44 2010 +0200 ALSA: HDA: Add fixup pins for Ideapad Y550 commit 6cb3b707f95954ac18f19b4b3919af235738371a upstream. By adding the subwoofer as a speaker pin, it is treated correctly when auto-muting. BugLink: https://launchpad.net/bugs/611803 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 18a9c40e9cbbde72235f911c07d9319a12db19f4 Author: Daniel T Chen Date: Mon Nov 1 01:14:51 2010 -0400 ALSA: ac97: Apply quirk for Dell Latitude D610 binding Master and Headphone controls commit 0613a59456980161d0cd468bae6c63d772743102 upstream. BugLink: https://launchpad.net/bugs/669279 The original reporter states: "The Master mixer does not change the volume from the headphone output (which is affected by the headphone mixer). Instead it only seems to control the on-board speaker volume. This confuses PulseAudio greatly as the Master channel is merged into the volume mix." Fix this symptom by applying the hp_only quirk for the reporter's SSID. The fix is applicable to all stable kernels. Reported-and-tested-by: Ben Gamari Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 0e2009a0ee6bc00043d66713e6649820042241a8 Author: Kailang Yang Date: Mon Nov 22 10:59:36 2010 +0100 ALSA: hda - Fixed ALC887-VD initial error commit 01e0f1378c47947b825eac05c98697ab1be1c86f upstream. ALC887-VD is like ALC888-VD. It can not be initialized as ALC882. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 48059b90318aff5a2578d5a1d10ea7ac76e03e18 Author: Clemens Ladisch Date: Mon Oct 25 11:42:20 2010 +0200 firewire: ohci: fix race in AR split packet handling commit a1f805e5e73a8fe166b71c6592d3837df0cd5e2e upstream. When handling an AR buffer that has been completely filled, we assumed that its descriptor will not be read by the controller and can be overwritten. However, when the last received packet happens to end at the end of the buffer, the controller might not yet have moved on to the next buffer and might read the branch address later. If we overwrite and free the page before that, the DMA context will either go dead because of an invalid Z value, or go off into some random memory. To fix this, ensure that the descriptor does not get overwritten by using only the actual buffer instead of the entire page for reassembling the split packet. Furthermore, to avoid freeing the page too early, move on to the next buffer only when some data in it guarantees that the controller has moved on. This should eliminate the remaining firewire-net problems. Signed-off-by: Clemens Ladisch Tested-by: Maxim Levitsky Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 329ad1cf88c3007e095a304028d11021eae8d402 Author: Clemens Ladisch Date: Mon Oct 25 11:41:53 2010 +0200 firewire: ohci: fix buffer overflow in AR split packet handling commit 85f7ffd5d2b320f73912b15fe8cef34bae297daf upstream. When the controller had to split a received asynchronous packet into two buffers, the driver tries to reassemble it by copying both parts into the first page. However, if size + rest > PAGE_SIZE, i.e., if the yet unhandled packets before the split packet, the split packet itself, and any received packets after the split packet are together larger than one page, then the memory after the first page would get overwritten. To fix this, do not try to copy the data of all unhandled packets at once, but copy the possibly needed data every time when handling a packet. This gets rid of most of the infamous crashes and data corruptions when using firewire-net. Signed-off-by: Clemens Ladisch Tested-by: Maxim Levitsky Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4d21e4b72b282e24fdf6a1993ef21730df94fe86 Author: Axel Lin Date: Wed Nov 24 10:21:54 2010 +0800 ASoC: wm8961 - clear WM8961_MCLKDIV bit for freq <= 16500000 commit 2f7dceeda4708f470fd927adb3861bd8ebbe2310 upstream. MCLKDIV bit of Register 04h Clocking1: 0 : Divide by 1 1 : Divide by 2 Thus in the case of freq <= 16500000, we should clear MCLKDIV bit. Signed-off-by: Axel Lin Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1a74f9cc24d9255e24e6001476ed5acb6448d49b Author: Axel Lin Date: Wed Nov 24 10:20:33 2010 +0800 ASoC: wm8961 - clear WM8961_DACSLOPE bit for normal mode commit 08b1a38465cab8c2224a5202c7a3b5e5f5630894 upstream. DACSLOPE bit of Register 06h ADC and DAC Control 2: 0: Normal mode 1: Sloping stop-band mode Thus in the case of normal mode, we should clear DACSLOPE bit. Signed-off-by: Axel Lin Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d46d45da0b45490b805f70e3d2e05dd7fbf58a23 Author: Mark Brown Date: Fri Oct 29 15:41:17 2010 -0700 ASoC: Remove volatility from WM8900 POWER1 register commit 6d212d8e86fb4221bd91b9266b7567ee2b83bd01 upstream. Not all bits can be read back from POWER1 so avoid corruption when using a read/modify/write cycle by marking it non-volatile - the only thing we read back from it is the chip revision which has diagnostic value only. We can re-add later but that's a more invasive change than is suitable for a bugfix. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d3f813da18f83a31f2678988b450e6a1c94c95ed Author: Avi Kivity Date: Tue Oct 19 18:48:35 2010 +0200 KVM: Correct ordering of ldt reload wrt fs/gs reload commit 0a77fe4c188e25917799f2356d4aa5e6d80c39a2 upstream. If fs or gs refer to the ldt, they must be reloaded after the ldt. Reorder the code to that effect. Userspace code that uses the ldt with kvm is nonexistent, so this doesn't fix a user-visible bug. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit be6eb177af13eceaef0052a0628b7153844bbea9 Author: Vasiliy Kulikov Date: Sat Oct 30 22:54:47 2010 +0400 KVM: x86: fix information leak to userland commit 97e69aa62f8b5d338d6cff49be09e37cc1262838 upstream. Structures kvm_vcpu_events, kvm_debugregs, kvm_pit_state2 and kvm_clock_data are copied to userland with some padding and reserved fields unitialized. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. In patch v1 Jan Kiszka suggested to fill reserved fields with zeros instead of memset'ting the whole struct. It makes sense as these fields are explicitly marked as padding. No more fields need zeroing. Signed-off-by: Vasiliy Kulikov Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e110ca176b8d6499d9b6d69a5e1b9055f10e6a1b Author: Michael S. Tsirkin Date: Mon Oct 25 03:21:24 2010 +0200 KVM: Write protect memory after slot swap commit edde99ce05290e50ce0b3495d209e54e6349ab47 upstream. I have observed the following bug trigger: 1. userspace calls GET_DIRTY_LOG 2. kvm_mmu_slot_remove_write_access is called and makes a page ro 3. page fault happens and makes the page writeable fault is logged in the bitmap appropriately 4. kvm_vm_ioctl_get_dirty_log swaps slot pointers a lot of time passes 5. guest writes into the page 6. userspace calls GET_DIRTY_LOG At point (5), bitmap is clean and page is writeable, thus, guest modification of memory is not logged and GET_DIRTY_LOG returns an empty bitmap. The rule is that all pages are either dirty in the current bitmap, or write-protected, which is violated here. It seems that just moving kvm_mmu_slot_remove_write_access down to after the slot pointer swap should fix this bug. Signed-off-by: Michael S. Tsirkin Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e945dc312ad16872c7094990fd390ec0c3b5a6a0 Author: Andrew Morton Date: Fri Oct 1 18:13:41 2010 -0300 drivers/media/video/cx23885/cx23885-core.c: fix cx23885_dev_checkrevision() commit abe1def46d84aa27d3f84d729204b162e8c64d76 upstream. It was missing the `break'. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=18672 Reported-by: Igor Signed-off-by: Andrew Morton Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d00181bad9f23e62ce22503876e7a29b5424e7ed Author: James M McLaren Date: Sun Oct 3 19:09:18 2010 -0300 hdpvr: Add missing URB_NO_TRANSFER_DMA_MAP flag commit 4f5c933abb34532dc962185c999509b97a97fa1b upstream. Necessary on arm. Signed-off-by: Janne Grunau Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d4a57ec4ecb5e724ee1a2178eff81669562f6da7 Author: Jean-François Moine Date: Thu Oct 21 04:05:15 2010 -0300 gspca - sonixj: Fix a regression of sensors hv7131r and mi0360 commit 0303a90a744662e934877a5d637a43197229274b upstream. The bug was introduced by commit 23a98274cc348880ecb6803307c254448084953a applying values of sensor sp80708 to sensors hv7131r and mi0360. Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4164f74d5f4ab153965b797920e87cdc3991febe Author: Philipp Merkel Date: Fri Oct 1 15:38:59 2010 +0200 HID: Fix for problems with eGalax/DWAV multi-touch-screen commit f51661105c3c8a0afcd69f995a4f4a10e53da153 upstream. This patch fixes three problems with the eGalax/DWAV multi-touch screen found in the Eee PC T101MT: 1) While there is a dedicated multitouch driver for the screen (hid-egalax.c), the MULTI_INPUT quirk is also applied, preventing the hid-egalax driver from working. This patch removes the quirk so the hid-egalax driver can handle the device correctly. 2) The x and y coordinates sent by the screen in multi-touch mode are shifted by three bits from the events sent in single-touch mode, thus the coordinates are out of range, leading to the pointer being stuck in the bottom-right corner if no additional calibration is applied (e.g. in the X evdev driver). This patch shifts the coordinates back. This does not decrease accuracy as the last three bits of the "wrong" coordinates are always 0. 3) Only multi-touch pressure events are sent, single touch emulation is missing pressure information. This patch adds single-touch ABS_PRESSURE events. Signed-off-by: Philipp Merkel Acked-by: Stéphane Chatty Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 593c62f0ef892aaa5045805933d139125f9614ba Author: Ming Lei Date: Mon Nov 1 07:11:54 2010 -0700 usbnet: fix usb_autopm_get_interface failure(v1) commit b0786b430c982dffbb44d8030e6b6088671ce745 upstream. Since usbnet already took usb runtime pm, we have to enable runtime pm for usb interface of usbnet, otherwise usb_autopm_get_interface may return failure and cause 'ifconfig usb0 up' failed if USB_SUSPEND(RUNTIME_PM) is enabled. Cc: David Brownell Cc: "David S. Miller" Cc: Ben Hutchings Cc: Joe Perches Cc: Oliver Neukum Cc: Andy Shevchenko Signed-off-by: Ming Lei Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 89f26850f00bc19c52e62e47802e7088cb87f946 Author: Jiri Slaby Date: Thu Nov 25 00:27:54 2010 +0100 TTY: ldisc, fix open flag handling commit 7f90cfc505d613f4faf096e0d84ffe99208057d9 upstream. When a concrete ldisc open fails in tty_ldisc_open, we forget to clear TTY_LDISC_OPEN. This causes a false warning on the next ldisc open: WARNING: at drivers/char/tty_ldisc.c:445 tty_ldisc_open+0x26/0x38() Hardware name: System Product Name Modules linked in: ... Pid: 5251, comm: a.out Tainted: G W 2.6.32-5-686 #1 Call Trace: [] ? warn_slowpath_common+0x5e/0x8a [] ? warn_slowpath_null+0xa/0xc [] ? tty_ldisc_open+0x26/0x38 [] ? tty_set_ldisc+0x218/0x304 ... So clear the bit when failing... Introduced in c65c9bc3efa (tty: rewrite the ldisc locking) back in 2.6.31-rc1. Signed-off-by: Jiri Slaby Cc: Alan Cox Reported-by: Sergey Lapin Tested-by: Sergey Lapin Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d509e248785859c7cd3d5b6947b92c6b1159f075 Author: Philippe Rétornaz Date: Wed Oct 27 17:13:21 2010 +0200 tty_ldisc: Fix BUG() on hangup commit 1c95ba1e1de7edffc0c4e275e147f1a9eb1f81ae upstream. A kernel BUG when bluetooth rfcomm connection drop while the associated serial port is open is sometime triggered. It seems that the line discipline can disappear between the tty_ldisc_put and tty_ldisc_get. This patch fall back to the N_TTY line discipline if the previous discipline is not available anymore. Signed-off-by: Philippe Retornaz Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7a4239f949215adc0f5271cb176c48aafbe9a71e Author: Jiri Slaby Date: Sun Oct 31 23:17:51 2010 +0100 TTY: restore tty_ldisc_wait_idle commit 100eeae2c5ce23b4db93ff320ee330ef1d740151 upstream. It was removed in 65b770468e98 (tty-ldisc: turn ldisc user count into a proper refcount), but we need to wait for last user to quit the ldisc before we close it in tty_set_ldisc. Otherwise weird things start to happen. There might be processes waiting in tty_read->n_tty_read on tty->read_wait for input to appear and at that moment, a change of ldisc is fatal. n_tty_close is called, it frees read_buf and the waiting process is still in the middle of reading and goes nuts after it is woken. Previously we prevented close to happen when others are in ldisc ops by tty_ldisc_wait_idle in tty_set_ldisc. But the commit above removed that. So revoke the change and test whether there is 1 user (=we), and allow the close then. We can do that without ldisc/tty locks, because nobody else can open the device due to TTY_LDISC_CHANGING bit set, so we in fact wait for everybody to leave. I don't understand why tty_ldisc_lock would be needed either when the counter is an atomic variable, so this is a lockless tty_ldisc_wait_idle. On the other hand, if we fail to wait (timeout or signal), we have to reenable the halted ldiscs, so we take ldisc lock and reuse the setup path at the end of tty_set_ldisc. Signed-off-by: Jiri Slaby Acked-by: Linus Torvalds Tested-by: Sebastian Andrzej Siewior Signed-off-by: Andi Kleen LKML-Reference: <20101031104136.GA511@Chamillionaire.breakpoint.cc> LKML-Reference: <1287669539-22644-1-git-send-email-jslaby@suse.cz> Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit e14e0aafc584d46b128301bcf399f2dd6e6d2cc7 Author: Jiri Olsa Date: Mon Nov 8 19:01:47 2010 +0100 tty: prevent DOS in the flush_to_ldisc commit e045fec48970df84647a47930fcf7a22ff7229c0 upstream. There's a small window inside the flush_to_ldisc function, where the tty is unlocked and calling ldisc's receive_buf function. If in this window new buffer is added to the tty, the processing might never leave the flush_to_ldisc function. This scenario will hog the cpu, causing other tty processing starving, and making it impossible to interface the computer via tty. I was able to exploit this via pty interface by sending only control characters to the master input, causing the flush_to_ldisc to be scheduled, but never actually generate any output. To reproduce, please run multiple instances of following code. - SNIP #define _XOPEN_SOURCE #include #include #include #include #include int main(int argc, char **argv) { int i, slave, master = getpt(); char buf[8192]; sprintf(buf, "%s", ptsname(master)); grantpt(master); unlockpt(master); slave = open(buf, O_RDWR); if (slave < 0) { perror("open slave failed"); return 1; } for(i = 0; i < sizeof(buf); i++) buf[i] = rand() % 32; while(1) { write(master, buf, sizeof(buf)); } return 0; } - SNIP The attached patch (based on -next tree) fixes this by checking on the tty buffer tail. Once it's reached, the current work is rescheduled and another could run. Signed-off-by: Jiri Olsa Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 67de320f9b82cad2dec335b3d523eada5a337b91 Author: Daniel T Chen Date: Sat Nov 27 13:58:04 2010 -0500 ALSA: hda: Use BIOS auto-parsing instead of existing model quirk for MEDION MD2 commit ac70eb1305d5a81efd1e32327d7e79be15a63a5a upstream. BugLink: https://launchpad.net/bugs/682199 A 2.6.35 (Ubuntu Maverick) user, burningphantom1, reported a regression in audio: playback was inaudible through both speakers and headphones. In commit 272a527c04 of sound-2.6.git, a new model was added with this machine's PCI SSID. Fortunately, it is now sufficient to use the auto model for BIOS auto-parsing instead of the existing quirk. Playback, capture, and jack sense were verified working for both 2.6.35 and the alsa-driver snapshot from 2010-11-27 when model=auto is used. Reported-and-tested-by: burningphantom1 Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7f202301f48423a1327b5a4965d5d3955a7e960f Author: Justin Maggard Date: Wed Nov 24 16:36:17 2010 +1100 md: fix return value of rdev_size_change() commit c26a44ed1e552aaa1d4ceb71842002d235fe98d7 upstream. When trying to grow an array by enlarging component devices, rdev_size_store() expects the return value of rdev_size_change() to be in sectors, but the actual value is returned in KBs. This functionality was broken by commit dd8ac336c13fd8afdb082ebacb1cddd5cf727889 so this patch is suitable for any kernel since 2.6.30. Signed-off-by: Justin Maggard Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 289f4fb78983150dcea9c06c2d8a4257d8032d49 Author: NeilBrown Date: Wed Nov 24 16:39:46 2010 +1100 md/raid1: really fix recovery looping when single good device fails. commit 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 upstream. Commit 4044ba58dd15cb01797c4fd034f39ef4a75f7cc3 supposedly fixed a problem where if a raid1 with just one good device gets a read-error during recovery, the recovery would abort and immediately restart in an infinite loop. However it depended on raid1_remove_disk removing the spare device from the array. But that does not happen in this case. So add a test so that in the 'recovery_disabled' case, the device will be removed. This suitable for any kernel since 2.6.29 which is when recovery_disabled was introduced. Reported-by: Sebastian Färber Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 089cffe1b45748a81ce22c777a56406d43fe0c93 Author: Roberto Sassu Date: Tue Oct 5 18:53:45 2010 +0200 ecryptfs: call vfs_setxattr() in ecryptfs_setxattr() commit 48b512e6857139393cdfce26348c362b87537018 upstream. Ecryptfs is a stackable filesystem which relies on lower filesystems the ability of setting/getting extended attributes. If there is a security module enabled on the system it updates the 'security' field of inodes according to the owned extended attribute set with the function vfs_setxattr(). When this function is performed on a ecryptfs filesystem the 'security' field is not updated for the lower filesystem since the call security_inode_post_setxattr() is missing for the lower inode. Further, the call security_inode_setxattr() is missing for the lower inode, leading to policy violations in the security module because specific checks for this hook are not performed (i. e. filesystem 'associate' permission on SELinux is not checked for the lower filesystem). This patch replaces the call of the setxattr() method of the lower inode in the function ecryptfs_setxattr() with vfs_setxattr(). Signed-off-by: Roberto Sassu Cc: Dustin Kirkland Acked-by: James Morris Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 9b0d3ea667b7988bc29b4a7af9ba6b05c43bcb2b Author: Tyler Hicks Date: Thu Sep 23 02:35:04 2010 -0500 eCryptfs: Clear LOOKUP_OPEN flag when creating lower file commit 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream. eCryptfs was passing the LOOKUP_OPEN flag through to the lower file system, even though ecryptfs_create() doesn't support the flag. A valid filp for the lower filesystem could be returned in the nameidata if the lower file system's create() function supported LOOKUP_OPEN, possibly resulting in unencrypted writes to the lower file. However, this is only a potential problem in filesystems (FUSE, NFS, CIFS, CEPH, 9p) that eCryptfs isn't known to support today. https://bugs.launchpad.net/ecryptfs/+bug/641703 Reported-by: Kevin Buhr Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 65f23ae22dc7bb397c35aa4453f755b6cd270c3e Author: Tejun Heo Date: Fri Nov 19 15:29:19 2010 +0100 sata_via: apply magic FIFO fix to vt6420 too commit b1353e4f40f6179ab26a3bb1b2e1fe29ffe534f5 upstream. vt6420 has the same FIFO overflow problem as vt6421 when combined with certain devices. This patch applies the magic fix to vt6420 too. Signed-off-by: Tejun Heo Reported-by: Martin Qvist Reported-by: Peter Zijlstra Cc: Joseph Chan Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4ca06cb31057d86ed3d5ae54fdd99d15d5dc7811 Author: Florian Tobias Schandinat Date: Wed Sep 22 02:33:52 2010 +0000 viafb: use proper register for colour when doing fill ops commit efd4f6398dc92b5bf392670df862f42a19f34cf2 upstream. The colour was written to a wrong register for fillrect operations. This sometimes caused empty console space (for example after 'clear') to have a different colour than desired. Fix this by writing to the correct register. Many thanks to Daniel Drake and Jon Nettleton for pointing out this issue and pointing me in the right direction for the fix. Fixes http://dev.laptop.org/ticket/9323 Signed-off-by: Florian Tobias Schandinat Cc: Joseph Chan Cc: Daniel Drake Cc: Jon Nettleton Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 75f98b7f0ecca1f82d3a3bd44b8fbda04e949096 Author: Graham Gower Date: Wed Oct 27 15:33:00 2010 -0700 drivers/char/vt_ioctl.c: fix VT_OPENQRY error value commit 1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream. When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before returning it to userspace as an int. VT255 is not the next available console. Signed-off-by: Graham Gower Cc: Greg KH Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c1266e14138f7a0dc54c5db9a64556a57bbf52a8 Author: Ben Hutchings Date: Fri Oct 22 04:38:26 2010 +0000 net: NETIF_F_HW_CSUM does not imply FCoE CRC offload commit 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 upstream. NETIF_F_HW_CSUM indicates the ability to update an TCP/IP-style 16-bit checksum with the checksum of an arbitrary part of the packet data, whereas the FCoE CRC is something entirely different. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e4b338bfb1e607111ab7b56cb6d497b08567c7e3 Author: Vasiliy Kulikov Date: Sat Oct 30 18:22:49 2010 +0400 ipc: shm: fix information leak to userland commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream. The shmid_ds structure is copied to userland with shm_unused{,2,3} fields unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Acked-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 154893c8527b3eba012328c43736dfb918627edb Author: Dan Rosenberg Date: Wed Oct 27 15:34:17 2010 -0700 ipc: initialize structure memory to zero for compat functions commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream. This takes care of leaking uninitialized kernel stack memory to userspace from non-zeroed fields in structs in compat ipc functions. Signed-off-by: Dan Rosenberg Cc: Manfred Spraul Cc: Arnd Bergmann Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 194587e5dfe26ffcf5358ee5c27dea79ff5e3d1d Author: Jeremy Fitzhardinge Date: Mon Nov 29 14:16:53 2010 -0800 xen: don't bother to stop other cpus on shutdown/reboot commit 31e323cca9d5c8afd372976c35a5d46192f540d1 upstream. Xen will shoot all the VCPUs when we do a shutdown hypercall, so there's no need to do it manually. In any case it will fail because all the IPI irqs have been pulled down by this point, so the cross-CPU calls will simply hang forever. Until change 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce the function calls were not synchronously waited for, so this wasn't apparent. However after that change the calls became synchronous leading to a hang on shutdown on multi-VCPU guests. Signed-off-by: Jeremy Fitzhardinge Cc: Alok Kataria Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 18f41f489a1ee1b296482d1b5bdf2ea4f8625cb6 Author: Ian Campbell Date: Fri Oct 8 16:59:12 2010 +0100 xen: ensure that all event channels start off bound to VCPU 0 commit b0097adeec27e30223c989561ab0f7aa60d1fe93 upstream. All event channels startbound to VCPU 0 so ensure that cpu_evtchn_mask is initialised to reflect this. Otherwise there is a race after registering an event channel but before the affinity is explicitly set where the event channel can be delivered. If this happens then the event channel remains pending in the L1 (evtchn_pending) array but is cleared in L2 (evtchn_pending_sel), this means the event channel cannot be reraised until another event channel happens to trigger the same L2 entry on that VCPU. sizeof(cpu_evtchn_mask(0))==sizeof(unsigned long*) which is not correct, and causes only the first 32 or 64 event channels (depending on architecture) to be initially bound to VCPU0. Use sizeof(struct cpu_evtchn_s) instead. Signed-off-by: Ian Campbell Cc: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 63fa5ec8afa814e33a73db404db64fc88cc5749d Author: Robin@sgi.com Date: Wed Nov 24 12:56:59 2010 -0800 sgi-xpc: XPC fails to discover partitions with all nasids above 128 commit c22c7aeff69796f46ae0fcec141538e28f50b24e upstream. UV hardware defines 256 memory protection regions versus the baseline 64 with increasing size for the SN2 ia64. This was overlooked when XPC was modified to accomodate both UV and SN2. Without this patch, a user could reconfigure their existing system and suddenly disable cross-partition communications with no indication of what has gone wrong. It also prevents larger configurations from using cross-partition communication. Signed-off-by: Robin Holt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 2ff4e4e9ee1d1575be941f5c1c9409a02e74927f Author: Michael Hennerich Date: Tue Oct 26 14:21:16 2010 -0700 drivers/misc/ad525x_dpot.c: fix typo in spi write16 and write24 transfer counts commit 1f9fa5216eacf4fdf9d3e4ab57feb8b642f0e78b upstream. This is a bug fix. Some SPI connected devices using 16/24 bit accesses, previously failed, now work. This typo slipped in after testing, during some restructuring. Signed-off-by: Michael Hennerich Cc: Mike Frysinger Cc: Chris Verges Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 2c48711c32475054d08c0574ebff24573611f9f9 Author: Daniel Klaffenbach Date: Fri Nov 19 21:25:21 2010 -0600 ssb: b43-pci-bridge: Add new vendor for BCM4318 commit 1d8638d4038eb8709edc80e37a0bbb77253d86e9 upstream. Add new vendor for Broadcom 4318. Signed-off-by: Daniel Klaffenbach Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1a6880a22a0f92677b5e2a71ac96ab2ea24c219e Author: Guennadi Liakhovetski Date: Tue Nov 23 17:10:24 2010 +0100 wireless: b43: fix error path in SDIO commit e476a5a41ad67d0e2b4a652820c49a3923eb936b upstream. Fix unbalanced call to sdio_release_host() on the error path. Signed-off-by: Guennadi Liakhovetski Acked-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b0c97dcc33e8d95e3fd4ed21bee7d7fc6733ef85 Author: Larry Finger Date: Thu Oct 28 10:43:26 2010 -0500 b43: Fix warning at drivers/mmc/core/core.c:237 in mmc_wait_for_cmd commit 9f2a0fac625bcef9c579bcf0b0c904ab1a56e7c4 upstream. On module removal, the sdio version of b43 generates the following warning: [ 851.560519] ------------[ cut here ]------------ [ 851.560531] WARNING: at drivers/mmc/core/core.c:237 mmc_wait_for_cmd+0x88/0x90() [ 851.560534] Hardware name: 20552PG [ 851.560536] Modules linked in: b43(-) ssb mmc_block binfmt_misc rfcomm sco bnep ppdev l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp kvm_intel kvm arc4 iwlagn snd_hda_codec_conexant snd_hda_intel snd_hda_codec iwlcore snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq r852 joydev snd_timer sm_common pcmcia nand snd_seq_device cfg80211 sdhci_pci btusb psmouse tpm_tis yenta_socket nand_ids lp snd pcmcia_rsrc nand_ecc bluetooth sdhci tpm pcmcia_core parport mtd snd_page_alloc serio_raw tpm_bios soundcore nvram led_class sha256_generic aes_i586 aes_generic dm_crypt i915 drm_kms_helper drm ahci intel_agp i2c_algo_bit intel_gtt e1000e libahci video agpgart output [ 851.560620] Pid: 2504, comm: rmmod Not tainted 2.6.36-titan0+ #1 [ 851.560622] Call Trace: [ 851.560631] [] warn_slowpath_common+0x72/0xa0 [ 851.560636] [] ? mmc_wait_for_cmd+0x88/0x90 [ 851.560641] [] ? mmc_wait_for_cmd+0x88/0x90 [ 851.560645] [] warn_slowpath_null+0x22/0x30 [ 851.560649] [] mmc_wait_for_cmd+0x88/0x90 [ 851.560655] [] ? device_release+0x25/0x80 [ 851.560660] [] mmc_io_rw_direct_host+0xa0/0x150 [ 851.560665] [] mmc_io_rw_direct+0x30/0x40 [ 851.560669] [] sdio_disable_func+0x37/0xa0 [ 851.560683] [] b43_sdio_remove+0x30/0x50 [b43] [ 851.560687] [] sdio_bus_remove+0x1c/0x60 [ 851.560692] [] ? blocking_notifier_call_chain+0x1f/0x30 [ 851.560697] [] __device_release_driver+0x51/0xb0 [ 851.560701] [] driver_detach+0x8f/0xa0 [ 851.560705] [] bus_remove_driver+0x63/0xa0 [ 851.560709] [] driver_unregister+0x49/0x80 [ 851.560713] [] ? driver_unregister+0x49/0x80 [ 851.560718] [] sdio_unregister_driver+0x17/0x20 [ 851.560727] [] b43_sdio_exit+0x12/0x20 [b43] [ 851.560734] [] b43_exit+0x17/0x3c [b43] [ 851.560740] [] sys_delete_module+0x13d/0x200 [ 851.560747] [] ? do_munmap+0x212/0x300 [ 851.560752] [] sysenter_do_call+0x12/0x28 [ 851.560757] ---[ end trace 31e14488072d2f7d ]--- [ 851.560759] ------------[ cut here ]------------ The warning is caused by b43 not claiming the device before calling sdio_disable_func(). Signed-off-by: Larry Finger Reported-by: Arnd Hannemann Tested-by: Arnd Hannemann Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 836263b61726f425f472f5659898db6ec1426dad Author: Chris Wilson Date: Thu Oct 14 16:30:41 2010 +0100 agp/intel: Also add B43.1 to list of supported devices commit 3dde04b0152634d42994b34b86bbf3c70fbc6b19 upstream. This was a missing piece from 41a5142 that dropped recognition of the AGP module for the second B43 variant. Reported-by: Stefan Bader Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 73227d4e29941ea157ff5786294877e938fe48e1 Author: KAMEZAWA Hiroyuki Date: Tue Oct 26 14:22:08 2010 -0700 mm: fix is_mem_section_removable() page_order BUG_ON check commit 572438f9b52236bd8938b1647cc15e027d27ef55 upstream. page_order() is called by memory hotplug's user interface to check the section is removable or not. (is_mem_section_removable()) It calls page_order() withoug holding zone->lock. So, even if the caller does if (PageBuddy(page)) ret = page_order(page) ... The caller may hit BUG_ON(). For fixing this, there are 2 choices. 1. add zone->lock. 2. remove BUG_ON(). is_mem_section_removable() is used for some "advice" and doesn't need to be 100% accurate. This is_removable() can be called via user program.. We don't want to take this important lock for long by user's request. So, this patch removes BUG_ON(). Signed-off-by: KAMEZAWA Hiroyuki Acked-by: Wu Fengguang Acked-by: Michal Hocko Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 02ab02c2d3425ea6c358c6d56a9c6087d5cd3812 Author: Mel Gorman Date: Tue Oct 26 14:21:11 2010 -0700 mm, page-allocator: do not check the state of a non-existant buddy during free commit b7f50cfa3630b6e079929ffccfd442d65064ee1f upstream. There is a bug in commit 6dda9d55 ("page allocator: reduce fragmentation in buddy allocator by adding buddies that are merging to the tail of the free lists") that means a buddy at order MAX_ORDER is checked for merging. A page of this order never exists so at times, an effectively random piece of memory is being checked. Alan Curry has reported that this is causing memory corruption in userspace data on a PPC32 platform (http://lkml.org/lkml/2010/10/9/32). It is not clear why this is happening. It could be a cache coherency problem where pages mapped in both user and kernel space are getting Signed-off-by: Andi Kleen different cache lines due to the bad read from kernel space (http://lkml.org/lkml/2010/10/13/179). It could also be that there are some special registers being io-remapped at the end of the memmap array and that a read has special meaning on them. Compiler bugs have been ruled out because the assembly before and after the patch looks relatively harmless. This patch fixes the problem by ensuring we are not reading a possibly invalid location of memory. It's not clear why the read causes corruption but one way or the other it is a buggy read. Signed-off-by: Mel Gorman Cc: Corrado Zoccolo Reported-by: Alan Curry Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Rik van Riel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 83e28dfc81d705b795a1fe80fb33db194fb8ba71 Author: KAMEZAWA Hiroyuki Date: Tue Oct 26 14:21:10 2010 -0700 mm: fix return value of scan_lru_pages in memory unplug commit f8f72ad5396987e05a42cf7eff826fb2a15ff148 upstream. scan_lru_pages returns pfn. So, it's type should be "unsigned long" not "int". Note: I guess this has been work until now because memory hotplug tester's machine has not very big memory.... physical address < 32bit << PAGE_SHIFT. Reported-by: KOSAKI Motohiro Signed-off-by: KAMEZAWA Hiroyuki Signed-off-by: Andi Kleen Reviewed-by: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5b28c745f7fd51718315cec9e4d34204c2513ca4 Author: Santosh Shilimkar Date: Wed Oct 27 11:17:15 2010 -0400 oprofile: Fix the hang while taking the cpu offline commit 4ac3dbec800d93485a5c84e37af676278eea657c upstream. The kernel build with CONFIG_OPROFILE and CPU_HOTPLUG enabled. The oprofile is initialised using system timer in absence of hardware counters supports. Oprofile isn't started from userland. In this setup while doing a CPU offline the kernel hangs in infinite for loop inside lock_hrtimer_base() function This happens because as part of oprofile_cpu_notify(, it tries to stop an hrtimer which was never started. These per-cpu hrtimers are started when the oprfile is started. echo 1 > /dev/oprofile/enable This problem also existwhen the cpu is booted with maxcpus parameter set. When bringing the remaining cpus online the timers are started even if oprofile is not yet enabled. This patch fix this issue by adding a state variable so that these hrtimer start/stop is only attempted when oprofile is started For stable kernels v2.6.35.y and v2.6.36.y. Reported-by: Jan Sebastien Tested-by: sricharan Signed-off-by: Santosh Shilimkar Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ec76a70ac2f733b36f71866935071b0ba1ff95de Author: Jean Delvare Date: Thu Oct 28 20:31:50 2010 +0200 hwmon: (lm85) Fix ADT7468 frequency table commit fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 upstream. The ADT7468 uses the same frequency table as the ADT7463. Signed-off-by: Jean Delvare Cc: Darrick J. Wong Acked-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6b4100ddcb000aab7cbb86a66361989d1e87a1c3 Author: Eric Dumazet Date: Wed Oct 27 19:33:43 2010 +0200 numa: fix slab_node(MPOL_BIND) commit 800416f799e0723635ac2d720ad4449917a1481c upstream. When a node contains only HighMem memory, slab_node(MPOL_BIND) dereferences a NULL pointer. [ This code seems to go back all the way to commit 19770b32609b: "mm: filter based on a nodemask as well as a gfp_mask". Which was back in April 2008, and it got merged into 2.6.26. - Linus ] Signed-off-by: Eric Dumazet Cc: Mel Gorman Cc: Christoph Lameter Cc: Lee Schermerhorn Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit cfa9f4a158d8c5fc0033798491bfcc9b8fe2619e Author: Richard Weinberger Date: Tue Oct 26 14:21:13 2010 -0700 um: fix global timer issue when using CONFIG_NO_HZ commit 482db6df1746c4fa7d64a2441d4cb2610249c679 upstream. This fixes a issue which was introduced by fe2cc53e ("uml: track and make up lost ticks"). timeval_to_ns() returns long long and not int. Due to that UML's timer did not work properlt and caused timer freezes. Signed-off-by: Richard Weinberger Acked-by: Pekka Enberg Cc: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f876b27b05022df0c0ab813ea72ae5106f34a79c Author: Richard Weinberger Date: Tue Oct 26 14:21:16 2010 -0700 um: remove PAGE_SIZE alignment in linker script causing kernel segfault. commit 6915e04f8847bea16d0890f559694ad8eedd026c upstream. The linker script cleanup that I did in commit 5d150a97f93 ("um: Clean up linker script using standard macros.") (2.6.32) accidentally introduced an ALIGN(PAGE_SIZE) when converting to use INIT_TEXT_SECTION; Richard Weinberger reported that this causes the kernel to segfault with CONFIG_STATIC_LINK=y. I'm not certain why this extra alignment is a problem, but it seems likely it is because previously __init_begin = _stext = _text = _sinittext and with the extra ALIGN(PAGE_SIZE), _sinittext becomes different from the rest. So there is likely a bug here where something is assuming that _sinittext is the same as one of those other symbols. But reverting the accidental change fixes the regression, so it seems worth committing that now. Signed-off-by: Tim Abbott Reported-by: Richard Weinberger Cc: Jeff Dike Signed-off-by: Andi Kleen Tested by: Antoine Martin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 00997af69e7e5b447cc163a4084990f0caeeb1ae Author: Eric Dumazet Date: Tue Oct 26 14:21:17 2010 -0700 ipmi: proper spinlock initialization commit de5e2ddf9bb3ce7b643223b9b0718062254f302f upstream. Unloading ipmi module can trigger following error. (if CONFIG_DEBUG_SPINLOCK=y) [ 9633.779590] BUG: spinlock bad magic on CPU#1, rmmod/7170 [ 9633.779606] lock: f41f5414, .magic: 00000000, .owner: /-1, .owner_cpu: 0 [ 9633.779626] Pid: 7170, comm: rmmod Not tainted 2.6.36-rc7-11474-gb71eb1e-dirty #328 [ 9633.779644] Call Trace: [ 9633.779657] [] ? printk+0x18/0x1c [ 9633.779672] [] spin_bug+0xa3/0xf0 [ 9633.779685] [] do_raw_spin_lock+0x7d/0x160 [ 9633.779702] [] ? release_sysfs_dirent+0x47/0xb0 [ 9633.779718] [] ? sysfs_addrm_finish+0xa8/0xd0 [ 9633.779734] [] _raw_spin_lock_irqsave+0xc/0x20 [ 9633.779752] [] cleanup_one_si+0x6a/0x200 [ipmi_si] [ 9633.779768] [] ? sysfs_hash_and_remove+0x72/0x80 [ 9633.779786] [] ipmi_pnp_remove+0xd/0xf [ipmi_si] [ 9633.779802] [] pnp_device_remove+0x1b/0x40 Fix this by initializing spinlocks in a smi_info_alloc() helper function, right after memory allocation and clearing. Signed-off-by: Eric Dumazet Acked-by: David Miller Cc: Yinghai Lu Acked-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 41ba4ea6ba426acc9a6eb18abfde5e1c1287563a Author: Masanori ITOH Date: Tue Oct 26 14:21:20 2010 -0700 percpu: fix list_head init bug in __percpu_counter_init() commit 8474b591faf3bb0a1e08a60d21d6baac498f15e4 upstream. WARNING: at lib/list_debug.c:26 __list_add+0x3f/0x81() Hardware name: Express5800/B120a [N8400-085] list_add corruption. next->prev should be prev (ffffffff81a7ea00), but was dead000000200200. (next=ffff88080b872d58). Modules linked in: aoe ipt_MASQUERADE iptable_nat nf_nat autofs4 sunrpc bridge 8021q garp stp llc ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_round_robin dm_multipath kvm_intel kvm uinput lpfc scsi_transport_fc igb ioatdma scsi_tgt i2c_i801 i2c_core dca iTCO_wdt iTCO_vendor_support pcspkr shpchp megaraid_sas [last unloaded: aoe] Pid: 54, comm: events/3 Tainted: G W 2.6.34-vanilla1 #1 Call Trace: [] warn_slowpath_common+0x7c/0x94 [] warn_slowpath_fmt+0x41/0x43 [] __list_add+0x3f/0x81 [] __percpu_counter_init+0x59/0x6b [] bdi_init+0x118/0x17e [] blk_alloc_queue_node+0x79/0x143 [] blk_alloc_queue+0x11/0x13 [] aoeblk_gdalloc+0x8e/0x1c9 [aoe] [] aoecmd_sleepwork+0x25/0xa8 [aoe] [] worker_thread+0x1a9/0x237 [] ? aoecmd_sleepwork+0x0/0xa8 [aoe] [] ? autoremove_wake_function+0x0/0x39 [] ? worker_thread+0x0/0x237 [] kthread+0x7f/0x87 [] kernel_thread_helper+0x4/0x10 [] ? kthread+0x0/0x87 [] ? kernel_thread_helper+0x0/0x10 It's because there is no initialization code for a list_head contained in the struct backing_dev_info under CONFIG_HOTPLUG_CPU, and the bug comes up when block device drivers calling blk_alloc_queue() are used. In case of me, I got them by using aoe. Signed-off-by: Masanori Itoh Cc: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 992c78f9f294b8dfc72c783fce9b83151407cf74 Author: Richard A. Smith Date: Sat Sep 25 19:19:26 2010 +0100 olpc_battery: Fix endian neutral breakage for s16 values commit 7cfbb29466633e6ecdc14f76a693c8478c2b22af upstream. When the driver was updated to be endian neutral (8e9c7716c) the signed part of the s16 values was lost. This is because be16_to_cpu() returns an unsigned value. This patch casts the values back to a s16 number prior to the the implicit cast up to an int. Signed-off-by: Richard A. Smith Signed-off-by: Daniel Drake Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f38e82fdf2a2e201f188b9d48b145284ab38f74c Author: Jiri Slaby Date: Tue Oct 26 14:22:11 2010 -0700 hpet: unmap unused I/O space commit a56d5318716d120e040294bb258901ba89fb9c90 upstream. When the initialization code in hpet finds a memory resource and does not find an IRQ, it does not unmap the memory resource previously mapped. There are buggy BIOSes which report resources exactly like this and what is worse the memory region bases point to normal RAM. This normally would not matter since the space is not touched. But when PAT is turned on, ioremap causes the page to be uncached and sets this bit in page->flags. Then when the page is about to be used by the allocator, it is reported as: BUG: Bad page state in process md5sum pfn:3ed00 page:ffffea0000dbd800 count:0 mapcount:0 mapping:(null) index:0x0 page flags: 0x20000001000000(uncached) Pid: 7956, comm: md5sum Not tainted 2.6.34-12-desktop #1 Call Trace: [] bad_page+0xb1/0x100 [] prep_new_page+0x1a5/0x1c0 [] get_page_from_freelist+0x3a1/0x640 [] __alloc_pages_nodemask+0x10f/0x6b0 ... In this particular case: 1) HPET returns 3ed00000 as memory region base, but it is not in reserved ranges reported by the BIOS (excerpt): BIOS-e820: 0000000000100000 - 00000000af6cf000 (usable) BIOS-e820: 00000000af6cf000 - 00000000afdcf000 (reserved) 2) there is no IRQ resource reported by HPET method. On the other hand, the Intel HPET specs (1.0a) says (3.2.5.1): _CRS ( // Report 1K of memory consumed by this Timer Block memory range consumed // Optional: only used if BIOS allocates Interrupts [1] IRQs consumed ) [1] For case where Timer Block is configured to consume IRQ0/IRQ8 AND Legacy 8254/Legacy RTC hardware still exists, the device objects associated with 8254 & RTC devices should not report IRQ0/IRQ8 as "consumed resources". So in theory we should check whether if it is the case and use those interrupts instead. Anyway the address reported by the BIOS here is bogus, so non-presence of IRQ doesn't mean the "optional" part in point 2). Since I got no reply previously, fix this by simply unmapping the space when IRQ is not found and memory region was mapped previously. It would be probably more safe to walk the resources again and unmap appropriately depending on type. But as we now use only ioremap for both 2 memory resource types, it is not necessarily needed right now. Addresses https://bugzilla.novell.com/show_bug.cgi?id=629908 Reported-by: Olaf Hering Signed-off-by: Jiri Slaby Acked-by: Clemens Ladisch Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 676564419927a29c5dbdd074dbbce44dc50e1d03 Author: Clemens Ladisch Date: Tue Oct 26 14:22:13 2010 -0700 hpet: fix unwanted interrupt due to stale irq status bit commit 96e9694df446d1154ec2f4fdba8908588b9cba38 upstream. Jaswinder Singh Rajput wrote: > By executing Documentation/timers/hpet_example.c > > for polling, I requested for 3 iterations but it seems iteration work > for only 2 as first expired time is always very small. > > # ./hpet_example poll /dev/hpet 10 3 > -hpet: executing poll > hpet_poll: info.hi_flags 0x0 > hpet_poll: expired time = 0x13 > hpet_poll: revents = 0x1 > hpet_poll: data 0x1 > hpet_poll: expired time = 0x1868c > hpet_poll: revents = 0x1 > hpet_poll: data 0x1 > hpet_poll: expired time = 0x18645 > hpet_poll: revents = 0x1 > hpet_poll: data 0x1 Clearing the HPET interrupt enable bit disables interrupt generation but does not disable the timer, so the interrupt status bit will still be set when the timer elapses. If another interrupt arrives before the timer has been correctly programmed (due to some other device on the same interrupt line, or CONFIG_DEBUG_SHIRQ), this results in an extra unwanted interrupt event because the status bit is likely to be set from comparator matches that happened before the device was opened. Therefore, we have to ensure that the interrupt status bit is and stays cleared until we actually program the timer. Signed-off-by: Clemens Ladisch Reported-by: Jaswinder Singh Rajput Cc: Ingo Molnar Cc: Thomas Gleixner Cc: john stultz Cc: Bob Picco Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c2f4c8e83521d6be0ecc8ece52172ab1dd550b68 Author: Greg Kroah-Hartman Date: Tue Nov 16 11:23:33 2010 -0800 Staging: line6: fix up some sysfs attribute permissions commit 2018845b6a169f75341f8e68ad1089cb6697cf24 and 2018845b6a169f75341f8e68ad1089cb6697cf24 upstream merged together as it had to be backported by hand. They should not be writable by any user Reported-by: Linus Torvalds Cc: Markus Grabner Cc: Mariusz Kozlowski Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 74a099583418727faca5ec6f79c60e3922b697f1 Author: Daniel T Chen Date: Sun Nov 21 14:01:14 2010 -0500 ALSA: hda: Use hp-laptop quirk to enable headphones automute for Asus A52J commit 673f7a8984c3a9e2cb1108ce221da1ebbd9e5d09 upstream. BugLink: https://launchpad.net/bugs/677652 The original reporter states that, in 2.6.35, headphones do not appear to work, nor does inserting them mute the A52J's onboard speakers. Upon inspecting the codec dump, it appears that the newly committed hp-laptop quirk will suffice to enable this basic functionality. Testing was done with an alsa-driver build from 2010-11-21. Reported-and-tested-by: Joan Creus Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit fa12a119fc79036eba048324c957eff23002d945 Author: Greg Kroah-Hartman Date: Thu Nov 18 11:21:04 2010 -0800 Staging: asus_oled: fix up my fixup for some sysfs attribute permissions commit 515b4987ccd097cdf5416530b05fdf9e01afe95a upstream. They should be writable by root, not readable. Doh, stupid me with the wrong flags. Reported-by: Jonathan Cameron Cc: Jakub Schmidtke Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c2c9fa9f3eb11f8449beb413dadc154a37130fb1 Author: Greg Kroah-Hartman Date: Tue Nov 16 11:17:01 2010 -0800 Staging: asus_oled: fix up some sysfs attribute permissions commit 590b0b9754bd8928926bae7194b6da7ead9bda3b upstream. They should not be writable by any user Reported-by: Linus Torvalds Cc: Jakub Schmidtke Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 714cea953335738384f500f79131710d529c7583 Author: Larry Finger Date: Thu Oct 28 08:47:13 2010 -0500 staging: rt2870: Add new USB ID for Belkin F6D4050 v1 commit 705059a670f3af2b37695e82de0ee58e75e656ed upstream. Add new USB ID for FT2870 for Belkin F6D4050 v1 Signed-off-by: Larry Finger Signed-off-by: Andi Kleen Reported- and Tested-by: James Long Signed-off-by: Greg Kroah-Hartman commit e2d60d3b1a2aa3614fd385d81e90175cce0a3cbe Author: Frederic Weisbecker Date: Thu Dec 2 14:31:16 2010 -0800 reiserfs: don't acquire lock recursively in reiserfs_acl_chmod commit 238af8751f64a75f8b638193353b1c31ea32e738 upstream. reiserfs_acl_chmod() can be called by reiserfs_set_attr() and then take the reiserfs lock a second time. Thereafter it may call journal_begin() that definitely requires the lock not to be nested in order to release it before taking the journal mutex because the reiserfs lock depends on the journal mutex already. So, aviod nesting the lock in reiserfs_acl_chmod(). Reported-by: Pawel Zawora Signed-off-by: Frederic Weisbecker Tested-by: Pawel Zawora Cc: Jeff Mahoney Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 0dbd161b08707ffddfdc2cd64ab762fef72311c9 Author: Frederic Weisbecker Date: Wed Nov 24 12:57:15 2010 -0800 reiserfs: fix inode mutex - reiserfs lock misordering commit da905873effecd1c0166e578bc4b5006f041b18b upstream. reiserfs_unpack() locks the inode mutex with reiserfs_mutex_lock_safe() to protect against reiserfs lock dependency. However this protection requires to have the reiserfs lock to be locked. This is the case if reiserfs_unpack() is called by reiserfs_ioctl but not from reiserfs_quota_on() when it tries to unpack tails of quota files. Fix the ordering of the two locks in reiserfs_unpack() to fix this issue. Signed-off-by: Frederic Weisbecker Reported-by: Markus Gapp Reported-by: Jan Kara Cc: Jeff Mahoney Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1219932ca26da2026e598590a3b7a2f36b3c3621 Author: David Howells Date: Thu Oct 7 14:08:52 2010 +0100 SH: Add missing consts to sys_execve() declaration commit d8b5fc01683c66060edc202d6bb5635365822181 upstream. Add missing consts to the sys_execve() declaration which result in the following error: arch/sh/kernel/process_32.c:303: error: conflicting types for 'sys_execve' /warthog/nfs/linux-2.6-fscache/arch/sh/include/asm/syscalls_32.h:24: error: previous declaration of 'sys_execve' was here Signed-off-by: David Howells Cc: Nobuhiro Iwamatsu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 63999a358efe5bae5b2c73c4107187e25f76943b Author: Ken Kawasaki Date: Fri Oct 29 12:17:51 2010 +0000 pcnet_cs: add new_id commit 62391f97babb7fe0c769830b6f0e0bd184bd0704 upstream. pcnet_cs: add new_id: "corega Ether CF-TD" 10Base-T PCMCIA card. Signed-off-by: Ken Kawasaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 74cc0f389bb9401463ed7e8a0cbf580711dd9948 Author: Chris Wilson Date: Thu Aug 12 09:35:00 2010 +0100 drm/i915/overlay: Ensure that the reg_bo is in the GTT prior to writing. commit 0ddc1289f3ffd779779ddd3922f26ae7d0a21604 upstream. Just makes sure that writes are not being aliased by the CPU cache and do make it out to main memory. Signed-off-by: Chris Wilson Signed-off-by: Andi Kleen Reviewed-by: Daniel Vetter Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=24977 Signed-off-by: Greg Kroah-Hartman commit 46b77d237a5c4c393f5461729291030fc3e6e120 Author: Jesse Barnes Date: Thu Oct 7 16:01:25 2010 -0700 drm/i915: diasable clock gating for the panel power sequencer commit 382b09362711d7d03272230a33767015a277926e upstream. Needed on Ibex Peak and Cougar Point or the panel won't always come on. Signed-off-by: Jesse Barnes Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit d428b23edbf023b941cbf54fed79a591a1348b32 Author: Keith Packard Date: Thu Oct 7 09:20:12 2010 +0100 drm/i915: Free hardware status page on unload when physically mapped commit c2873e9633fe908dccd36dbb1d370e9c59a1ca62 upstream. A physically mapped hardware status page is allocated at driver load time but was never freed. Call the existing code to free this page at driver unload time on hardware which uses this kind. Signed-off-by: Keith Packard Signed-off-by: Andi Kleen [ickle: call before tearing down registers on KMS-only path, as pointed out by Dave Airlie] Signed-off-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit 6a132e669ac1845bef63801129800765c97d06d4 Author: Alex Deucher Date: Wed Oct 27 01:02:35 2010 -0400 drm/radeon/kms: fix handling of tex lookup disable in cs checker on r2xx commit 43b93fbffc2c080dba2e84df6fce8d7e6c0a2581 upstream. There are cases when multiple texture units have to be enabled, but not actually used to sample. This patch checks to see if the lookup_disable bit is set and if so, skips the texture check. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=25544 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1fbb45731dfca95002b1b24679648fecdbab42d3 Author: Alex Deucher Date: Wed Oct 6 00:13:04 2010 -0400 drm/radeon/kms: make sure blit addr masks are 64 bit commit 2126d0a4a205e2d6b763434f892524cd60f74228 upstream. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b8e9a4a45f8427837f4dba89bda4d4e3f3a5c726 Author: Alex Deucher Date: Mon Oct 18 23:54:56 2010 -0400 drm/radeon/kms: properly compute group_size on 6xx/7xx commit 881fe6c1d06bf49f4ab7aef212cdaf66bd059614 upstream. Needed for tiled surfaces. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit cde76274952b114223f4b36123ffa3450c5bbf8a Author: Alex Deucher Date: Mon Oct 25 19:44:00 2010 -0400 drm/radeon/kms: MC vram map needs to be >= pci aperture size commit b7d8cce5b558e0c0aa6898c9865356481598b46d upstream. The vram map in the radeon memory controller needs to be >= the pci aperture size. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=28402 The problematic cards in the above bug have 64 MB of vram, but the pci aperture is 128 MB and the MC vram map was only 64 MB. This can lead to hangs. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit babbccf4d973c20eb79b5879a669106bd67b2f33 Author: Trond Myklebust Date: Mon Oct 4 17:59:08 2010 -0400 NFS: Don't SIGBUS if nfs_vm_page_mkwrite races with a cache invalidation commit bc4866b6e0b44f8ea0df22a16e5927714beb4983 upstream. In the case where we lock the page, and then find out that the page has been thrown out of the page cache, we should just return VM_FAULT_NOPAGE. This is what block_page_mkwrite() does in these situations. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7c1f052075fa542153689ebbebcd6a6f959cde4b Author: Trond Myklebust Date: Mon Oct 4 17:59:08 2010 -0400 NFSv4: Fix open recovery commit b0ed9dbc24f1fd912b2dd08b995153cafc1d5b1c upstream. NFSv4 open recovery is currently broken: since we do not clear the state->flags states before attempting recovery, we end up with the 'can_open_cached()' function triggering. This again leads to no OPEN call being put on the wire. Reported-by: Sachin Prabhu Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7340643fd14c71ff34067c920a1a5027d5fc21a6 Author: Trond Myklebust Date: Mon Oct 4 17:59:08 2010 -0400 NFSv4: Don't call nfs4_state_mark_reclaim_reboot() from error handlers commit ae1007d37e00144b72906a4bdc47d517ae91bcc1 upstream. In the case of a server reboot, the state recovery thread starts by calling nfs4_state_end_reclaim_reboot() in order to avoid edge conditions when the server reboots while the client is in the middle of recovery. However, if the client has already marked the nfs4_state as requiring reboot recovery, then the above behaviour will cause the recovery thread to treat the open as if it was part of such an edge condition: the open will be recovered as if it was part of a lease expiration (and all the locks will be lost). Fix is to remove the call to nfs4_state_mark_reclaim_reboot from nfs4_async_handle_error(), and nfs4_handle_exception(). Instead we leave it to the recovery thread to do this for us. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c41948fcb78d07feb70c6860976d8ddfd82a6423 Author: Trond Myklebust Date: Mon Oct 4 17:59:08 2010 -0400 NFSv4: Don't call nfs4_reclaim_complete() on receiving NFS4ERR_STALE_CLIENTID commit 6eaa61496fb3b93cceface7a296415fc4c030bce upstream. If the server sends us an NFS4ERR_STALE_CLIENTID while the state management thread is busy reclaiming state, we do want to treat all state that wasn't reclaimed before the STALE_CLIENTID as if a network partition occurred (see the edge conditions described in RFC3530 and RFC5661). What we do not want to do is to send an nfs4_reclaim_complete(), since we haven't yet even started reclaiming state after the server rebooted. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit efbc3702f85371a9bb53e68c72d3738bf678fd5c Author: Thomas Backlund Date: Thu Oct 21 13:19:10 2010 +0300 microblaze: Fix build with make 3.82 commit b843e4ec01991a386a9e0e9030703524446e03da upstream. When running make headers_install_all on x86_64 and make 3.82 I hit this: arch/microblaze/Makefile:80: *** mixed implicit and normal rules. Stop. make: *** [headers_install_all] Error 2 So split the rules to satisfy make 3.82. Signed-off-by: Thomas Backlund Signed-off-by: Michal Simek Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ae813a8a26a9f2df98e66471766f04522c7bbe8c Author: Michael Neuling Date: Wed Nov 17 16:32:59 2010 +0000 powerpc: Fix call to subpage_protection() commit 1c2c25c78740b2796c7c06640784cb6732fa4907 upstream. In: powerpc/mm: Fix pgtable cache cleanup with CONFIG_PPC_SUBPAGE_PROT commit d28513bc7f675d28b479db666d572e078ecf182d Author: David Gibson subpage_protection() was changed to to take an mm rather a pgdir but it didn't change calling site in hashpage_preload(). The change wasn't noticed at compile time since hashpage_preload() used a void* as the parameter to subpage_protection(). This is obviously wrong and can trigger the following crash when CONFIG_SLAB, CONFIG_DEBUG_SLAB, CONFIG_PPC_64K_PAGES CONFIG_PPC_SUBPAGE_PROT are enabled. Freeing unused kernel memory: 704k freed Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6c49b7 Faulting instruction address: 0xc0000000000410f4 cpu 0x2: Vector: 300 (Data Access) at [c00000004233f590] pc: c0000000000410f4: .hash_preload+0x258/0x338 lr: c000000000041054: .hash_preload+0x1b8/0x338 sp: c00000004233f810 msr: 8000000000009032 dar: 6b6b6b6b6b6c49b7 dsisr: 40000000 current = 0xc00000007e2c0070 paca = 0xc000000007fe0500 pid = 1, comm = init enter ? for help [c00000004233f810] c000000000041020 .hash_preload+0x184/0x338 (unreliable) [c00000004233f8f0] c00000000003ed98 .update_mmu_cache+0xb0/0xd0 [c00000004233f990] c000000000157754 .__do_fault+0x48c/0x5dc [c00000004233faa0] c000000000158fd0 .handle_mm_fault+0x508/0xa8c [c00000004233fb90] c0000000006acdd4 .do_page_fault+0x428/0x6ac [c00000004233fe30] c000000000005260 handle_page_fault+0x20/0x74 Reported-by: Jim Keniston Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Neuling Signed-off-by: Andi Kleen cc: David Gibson Signed-off-by: Greg Kroah-Hartman commit 4d610bd1b4eccec1002bddd584f47d1bfe612e2d Author: David Henningsson Date: Mon Oct 25 23:52:04 2010 +0200 ALSA: HDA: Enable internal mic on Dell E6410 and Dell E6510 [Not upstream as .37 fixes this differently in a much more complete way that is not able to be backported easily.] (Ported on top of 2.6.36) BugLink: http://launchpad.net/bugs/628961 BugLink: http://launchpad.net/bugs/605047 Signed-off-by: David Henningsson Signed-off-by: Diego Elio Pettenò Acked-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4f313ac597120c8b657dba169b3bb8b71573b9de Author: Jaroslav Kysela Date: Fri Oct 8 10:48:50 2010 +0200 ALSA: OSS mixer emulation - fix locking commit 838c364ff05c143fd1810e8ad1469935d6c23a7a upstream. Fix mutex release and cleanup some locking code. Signed-off-by: Jaroslav Kysela Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 7810c3d74b3b5c06f828853424b20380526064ea Author: Takashi Iwai Date: Thu Oct 21 09:03:25 2010 +0200 ALSA: hda - Add some workarounds for Creative IBG commit 14d34f166c57e77e3d7f9bc8b43d349186d922c1 upstream. Creative HD-audio controller chips require some workarounds: - Additional delay before RIRB response - Set the initial RIRB counter to 0xc0 The latter seems to be done in general in Windows driver, so we may use this value later for all types if it's confirmed to work better. Reported-by: Wai Yew CHAY Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit fef4663d0ebc4456007953d31870ebc55d7b60af Author: Takashi Iwai Date: Thu Oct 21 08:55:13 2010 +0200 ALSA: hda - Fix wrong SPDIF NID assignment for CA0110 commit 24b55c69b66eb2a122842820ec14ab215fc8572f upstream. The dig_out_nid field must take a digital-converter widget, but the current ca0110 parser passed the pin wrongly instead. Reported-by: Wai Yew CHAY Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit af4cd8591cc750feb6f95f583a9bb79e349454d9 Author: Alex Deucher Date: Wed Nov 17 17:56:49 2010 -0500 drm/radeon/kms: register an i2c adapter name for the dp aux bus commit a5193fe50e7f21c26d22c17c8196420fac1a3ca7 upstream. This causes the connector to not be added since i2c init fails for the adapter. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=31688 Noticed by Ari Savolainen. Signed-off-by: Alex Deucher Cc: Ari Savolainen Cc: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a7d67728b4fc6d51d3f3127bc0490cdb5688e2ab Author: Florian Tobias Schandinat Date: Fri Sep 17 01:16:25 2010 +0000 viafb: fix i2c_transfer error handling commit 85c5702ac046b14713f776d59768252d8ed8018f upstream. i2c_transfer returns negative errno on error and number of messages processed on success. Just returning this value would give a poor interface as it is not obvious that you must compare with 2 after reading 1 or n bytes and with 1 after writing 1 byte to determine if it was successful. To avoid this error prone interface convert the error code of a successful read/write to zero and all other non-negative values to an negative error code. This fixes a regression introduced by via: Rationalize vt1636 detection which resulted in no longer detecting a VT1636 chip and therefore has broken the output in configurations which contain this chip. Signed-off-by: Florian Tobias Schandinat Acked-by: Jonathan Corbet Cc: Joseph Chan Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 93782b496da0239a3decc2d9860a6147598d703e Author: Nobuhiro Iwamatsu Date: Sun Oct 24 18:16:57 2010 +0200 i2c-pca-platform: Change device name of request_irq commit 323584436db0cb05286425d4dfd9516fce88487f upstream. i2c->adap.name shouldn't be used in request_irq. Instead the driver name "i2c-pca-platform" should be used. Signed-off-by: Nobuhiro Iwamatsu Acked-by: Wolfram Sang Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6d4df88a9baaeae077038956f9cf876de3e3ca16 Author: Tilman Schmidt Date: Thu Sep 30 13:34:30 2010 +0000 isdn/gigaset: bas_gigaset locking fix commit b33ffa5cbf52ee751bb8068218ebb3c742c5a515 upstream. Unlock cs->lock before calling error_hangup() which is marked "cs->lock must not be held". Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f1c7c6e08fa6411977fb30bc9c2c6d532e3e1b0e Author: Tilman Schmidt Date: Thu Sep 30 13:34:51 2010 +0000 isdn/gigaset: correct bas_gigaset rx buffer handling commit f3d531b99fb30945b4a64d6e2e86e1e62605aca5 upstream. In transparent data reception, avoid a NULL pointer dereference in case an skbuff cannot be allocated, remove an inappropriate call to the HDLC flush routine, and correct the accounting of received bytes for continued buffers. Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 45edc39ac72b39b936b2c99361783d4fb8bc44c1 Author: Tilman Schmidt Date: Thu Sep 30 13:34:40 2010 +0000 isdn/gigaset: fix bas_gigaset AT read error handling commit c8701a08d6a4efeae45d84d0aa87172f23b14e3c upstream. Rework the handling of USB errors in AT response reads to fix a possible infinite retry loop and a memory leak, and silence a few overly verbose kernel messages. Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a664846f7362bd6b9cf6f1e407dd86daa963da97 Author: Johannes Berg Date: Tue Oct 5 21:40:33 2010 +0200 mac80211: delete AddBA response timer commit 44271488b91c9eecf249e075a1805dd887e222d2 upstream. We never delete the addBA response timer, which is typically fine, but if the station it belongs to is deleted very quickly after starting the BA session, before the peer had a chance to reply, the timer may fire after the station struct has been freed already. Therefore, we need to delete the timer in a suitable spot -- best when the session is being stopped (which will happen even then) in which case the delete will be a no-op most of the time. I've reproduced the scenario and tested the fix. This fixes the crash reported at http://mid.gmane.org/4CAB6F96.6090701@candelatech.com Reported-by: Ben Greear Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit a171652459e33373b16fe9d48e200aaa359010b8 Author: Christian Lamparter Date: Sat Oct 16 18:49:15 2010 +0200 mac80211: don't sanitize invalid rates commit 5f4e6b2d3c74c1adda1cbfd9d9d30da22c7484fc upstream. I found this bug while poking around with a pure-gn AP. Commit: cfg80211/mac80211: Use more generic bitrate mask for rate control Added some sanity checks to ensure that each tx rate index is included in the configured mask and it would change any rate indexes if it wasn't. But, the current implementation doesn't take into account that the invalid rate index "-1" has a special meaning (= no further attempts) and it should not be "changed". Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1416ef9a67f443b26bb9b9498ca14351616eedac Author: Rajkumar Manoharan Date: Sat Oct 23 10:59:57 2010 +0530 mac80211: Fix ibss station got expired immediately commit c8716d9dc13c7f6ee92f2bfc6cc3b723b417bff8 upstream. Station addition in ieee80211_ibss_rx_queued_mgmt is not updating sta->last_rx which is causing station expiry in ieee80211_ibss_work path. So sta addition and deletion happens repeatedly. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 042a3f996b48464386e2b1ab6ecafc3be8a295c1 Author: Luis R. Rodriguez Date: Thu Sep 16 15:12:30 2010 -0400 mac80211: reset probe send counter upon connection timer reset commit 0c699c3a75d4e8d0d2c317f83048d8fd3ffe692a upstream. Upon beacon loss we send probe requests after 30 seconds of idle time and we wait for each probe response 1/2 second. We send a total of 3 probe requests before giving up on the AP. In the case that we reset the connection idle monitor we should reset the probe requests count to 0. Right now this won't help in any way but the next patch will. This patch has fixes for stable kernel [2.6.35+]. Cc: Paul Stewart Cc: Amod Bodas Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit afa9194b3aee8846357236026905fb221c1d4564 Author: Christian Lamparter Date: Tue Sep 21 21:36:18 2010 +0200 mac80211: clear txflags for ps-filtered frames commit eb7d3066cf864342e8ae6a5c1126a1602c4d06c0 upstream. This patch fixes stale mac80211_tx_control_flags for filtered / retried frames. Because ieee80211_handle_filtered_frame feeds skbs back into the tx path, they have to be stripped of some tx flags so they won't confuse the stack, driver or device. Acked-by: Johannes Berg Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 0fe79ffa47b60778e71fc8b2dcfc30eb9681db30 Author: Johannes Berg Date: Tue Sep 14 22:06:53 2010 +0200 mac80211: use correct station flags lock commit f5521b13880f4f4f612e1d20dd4f565122d16e04 upstream. This code is modifying the station flags, and as such should hold the flags lock so it can do so atomically vs. other flags modifications and readers. This issue was introduced when this code was added in eccb8e8f, as it used the wrong lock (thus not fixing the race that was previously documented in a comment.) Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b732c91f60cd067a497515b82af31950361367f4 Author: Luis R. Rodriguez Date: Thu Sep 16 15:12:33 2010 -0400 mac80211: disable beacon monitor while going offchannel commit 3bc3c0d748402e8c1f31b8569f5924d25d7b8e30 upstream. The beacon monitor should be disabled when going off channel to prevent spurious warnings and triggering connection deterioration work such as sending probe requests. Re-enable the beacon monitor once we come back to the home channel. This patch has fixes for stable kernels [2.6.34+]. Cc: Paul Stewart Cc: Amod Bodas Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6f9867ece8be2ed323b085181d1ffa4424ab4ec6 Author: Luis R. Rodriguez Date: Thu Sep 16 15:12:34 2010 -0400 mac80211: send last 3/5 probe requests as unicast commit f01a067d9e4598c71e3c9ee3a84859d2e8af4f8e upstream. Some buggy APs do not respond to unicast probe requests or send unicast probe requests very delayed so in the worst case we should try to send broadcast probe requests, otherwise we can get disconnected from these APs. Even if drivers do not have filters to disregard probe responses from foreign APs mac80211 will only process probe responses from our associated AP for re-arming connection monitoring. We need to do this since the beacon monitor does not push back the connection monitor by design so even if we are getting beacons from these type of APs our connection monitor currently relies heavily on the way the probe requests are received on the AP. An example of an AP affected by this is the Nexus One, but this has also been observed with random APs. We can probably optimize this later by using null funcs instead of probe requests. For more details refer to: http://code.google.com/p/chromium-os/issues/detail?id=5715 This patch has fixes for stable kernels [2.6.35+]. Cc: Paul Stewart Cc: Amod Bodas Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4311061afad44eff734ca645ee1e2833eb19c33d Author: Luis R. Rodriguez Date: Thu Sep 16 15:12:32 2010 -0400 mac80211: make the beacon monitor available externally commit d3a910a8e4e846b9a767d35483f4dc7c6de7af82 upstream. This will be used by other components next. The beacon monitor was added as of 2.6.34 so these fixes are applicable only to kernels >= 2.6.34. Cc: Paul Stewart Cc: Amod Bodas Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f4fa1333cd6577a63c532bc59586ac3b80f56c7e Author: Luis R. Rodriguez Date: Thu Sep 16 15:12:31 2010 -0400 mac80211: reset connection idle when going offchannel commit 4730d5977f3e12b828d354f7752cffd94bdf39e5 upstream. When we go offchannel mac80211 currently leaves alive the connection idle monitor. This should be instead postponed until we come back to our home channel, otherwise by the time we get back to the home channel we could be triggering unecesary probe requests. For APs that do not respond to unicast probe requests (Nexus One is a simple example) this means we essentially get disconnected after the probes fails. This patch has stable fixes for kernels [2.6.35+] Cc: Paul Stewart Cc: Amod Bodas Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 82f7a2e95e8f41d56633822a649ff3621fc7a540 Author: Luis R. Rodriguez Date: Thu Sep 16 15:12:29 2010 -0400 mac80211: add helper for reseting the connection monitor commit be099e82e9cf6d5d65d044e9ef6fc8bee3c7a113 upstream. This will be used in another place later. The connection monitor was added as of 2.6.35 so these fixes will be applicable to >= 2.6.35. Cc: Paul Stewart Cc: Amod Bodas Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b9676bfde50b87df6c2a214a46e7382ddd13a075 Author: Jouni Malinen Date: Fri Aug 27 22:21:13 2010 +0300 mac80211: Fix signal strength average initialization for CQM events commit 3ba06c6fbd651ed3377e584026d1c112b492cc8b upstream. The ave_beacon_signal value uses 1/16 dB unit and as such, must be initialized with the signal level of the first Beacon frame multiplied by 16. This fixes an issue where the initial CQM events are reported incorrectly with a burst of events while the running average approaches the correct value after the incorrect initialization. This could cause user space -based roaming decision process to get quite confused at the moment when we would like to go through authentication and DHCP. Signed-off-by: Jouni Malinen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 96303095042fabda86dbadf7fea4ec3ad122a0f6 Author: Luis R. Rodriguez Date: Fri Sep 24 21:59:57 2010 -0400 mac80211: fix offchannel assumption upon association commit 8d4780eb1ece4e8109b4f6b2e5e61f7fc593c3f4 upstream. Association is dealt with as an atomic offchannel operation, we do this because we don't know we are associated until we get the associatin response from the AP. When we do get the associatin response though we were never clearing the offchannel state. This has a few implications, we told drivers we were still offchannel, and the first configured TX power for the channel does not take into account any power constraints. For ath9k this meant ANI calibration would not start upon association, and we'd have to wait until the first bgscan to be triggered. There may be other issues this resolves but I'm too lazy to comb the code to check. Cc: Amod Bodas Cc: Vasanth Thiagarajan Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ce838da05df6b16b9d2ac4cf4df1e86e6c9da16f Author: Luis R. Rodriguez Date: Fri Oct 1 17:05:19 2010 -0400 mac80211: fix channel assumption for association done work commit e7480bbb926c5816e4fbfca70748096bbe0e4978 upstream. Be consistent and use the wk->chan instead of the local->hw.conf.channel for the association done work. This prevents any possible races against channel changes while we run this work. In the case that the race did happen we would be initializing the bit rates for the new AP under the assumption of a wrong channel and in the worst case, wrong band. This could lead to trying to assuming we could use CCK frames on 5 GHz, for example. This patch has a fix for kernels >= v2.6.34 Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 12e3edfbbf42a116afc5e491930c5a1e56f4edb2 Author: Luis R. Rodriguez Date: Mon Oct 18 17:44:51 2010 -0700 cfg80211: fix regression on processing country IEs commit a171fba491f54216e356efa46096171a7ed01d10 upstream. The patch 4f366c5: wireless: only use alpha2 regulatory information from country IE removed some complex intersection we were always doing between the AP's country IE info and what we got from CRDA. When CRDA sent us back a regulatory domain we would do some sanity checks on that regulatory domain response we just got. Part of these sanity checks included checking that we already had performed an intersection for the request of NL80211_REGDOM_SET_BY_COUNTRY_IE type. This mean that cfg80211 was only processing country IEs for cases where we already had an intersection, but since we removed enforcing this this is no longer required, we should just apply the country IE country hint with the data received from CRDA. This patch has fixes intended for kernels >= 2.6.36. [AK: it seems to be needed for .35 too?? Kept for now] Reported-by: Easwar Krishnan Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b4c656d2584875fc74bbda31687eeac9dbb03d41 Author: Johannes Berg Date: Thu Sep 30 22:17:43 2010 +0200 cfg80211: fix locking commit 2234362c427e2ef667595b9b81c0125003ac5607 upstream. Add missing unlocking of the wiphy in set_channel, and don't try to unlock a non-existing wiphy in set_cqm. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 8c344624d82e34d805d9250b942158f652e9ac75 Author: Johannes Berg Date: Wed Oct 6 21:18:04 2010 +0200 cfg80211: fix BSS double-unlinking commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream. When multiple interfaces are actively trying to associate with the same BSS, they may both find that the BSS isn't there and then try to unlink it. This can cause errors since the unlinking code can't currently deal with items that have already been unlinked. Normally this doesn't happen as most people don't try to use multiple station interfaces that associate at the same time too. Fix this by using the list entry as a flag to see if the item is still on a list. Reported-by: Ben Greear Tested-by: Hun-Kyi Wynn Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 207b45e2615ea1bca44e6efcda22f5d01e66f3f0 Author: Samuel Ortiz Date: Wed Oct 6 01:03:12 2010 +0200 irda: Fix heap memory corruption in iriap.c commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream. While parsing the GetValuebyClass command frame, we could potentially write passed the skb->data pointer. Reported-by: Ilja Van Sprundel Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c71b988600389db6b35e924382b93644baebf25d Author: Samuel Ortiz Date: Mon Oct 11 01:17:56 2010 +0200 irda: Fix parameter extraction stack overflow commit efc463eb508798da4243625b08c7396462cabf9f upstream. Reported-by: Ilja Van Sprundel Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4e331654d0cb8433659b05c080ea48ec79799aa5 Author: Guo-Fu Tseng Date: Mon Oct 18 14:10:40 2010 +0000 jme: Fix PHY power-off error commit c8a8684d5cfb0f110a962c93586630c0bf91ebc1 upstream. Adding phy_on in opposition to phy_off. Signed-off-by: Guo-Fu Tseng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 377628f218e00919da873e51cd3b8685ed6f107a Author: Alex Deucher Date: Tue Nov 2 05:26:48 2010 +0000 drm/radeon/kms: don't disable shared encoders on pre-DCE3 display blocks commit a0ae5864d42b41c411368bd689462bf063c029c8 upstream. The A/B links aren't independantly useable on these blocks so when we disable the encoders, make sure to only disable the encoder when there is no connector using it. Should fix: https://bugs.freedesktop.org/show_bug.cgi?id=18564 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e978df456e01ff5412c29e6fef5dd47960867476 Author: Jens Axboe Date: Fri Oct 29 08:10:18 2010 -0600 block: check for proper length of iov entries in blk_rq_map_user_iov() commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream. Ensure that we pass down properly validated iov segments before calling into the mapping or copy functions. Reported-by: Dan Rosenberg Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 116ad352e4fefafd5d6abc819691e61603604bee Author: Jens Axboe Date: Fri Oct 29 11:31:42 2010 -0600 block: take care not to overflow when calculating total iov length commit 9f864c80913467312c7b8690e41fb5ebd1b50e92 upstream. Reported-by: Dan Rosenberg Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 6033d45c07fc80b4c70899b081a3c11f5ee9f6ea Author: Jens Axboe Date: Fri Oct 29 11:46:56 2010 -0600 block: limit vec count in bio_kmalloc() and bio_alloc_map_data() commit f3f63c1c28bc861a931fac283b5bc3585efb8967 upstream. Reported-by: Dan Rosenberg Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 381709fcb98acf7803be64ceab5e49e2fc0dbbdb Author: Jan Kara Date: Thu Sep 16 20:36:36 2010 +0200 block: Fix race during disk initialization commit 01ea50638bc04ca5259f5711fcdedefcdde1cf43 upstream. When a new disk is being discovered, add_disk() first ties the bdev to gendisk (via register_disk()->blkdev_get()) and only after that calls bdi_register_bdev(). Because register_disk() also creates disk's kobject, it can happen that userspace manages to open and modify the device's data (or inode) before its BDI is properly initialized leading to a warning in __mark_inode_dirty(). Fix the problem by registering BDI early enough. This patch addresses https://bugzilla.kernel.org/show_bug.cgi?id=16312 Reported-by: Larry Finger Signed-off-by: Jan Kara Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 97d388bb0a4d7e5acc7274645382adac50260096 Author: Martin K. Petersen Date: Wed Oct 13 21:18:03 2010 +0200 block: Ensure physical block size is unsigned int commit 892b6f90db81cccb723d5d92f4fddc2d68b206e1 upstream. Physical block size was declared unsigned int to accomodate the maximum size reported by READ CAPACITY(16). Make sure we use the right type in the related functions. Signed-off-by: Martin K. Petersen Acked-by: Mike Snitzer Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen