commit 790b1f612de4635baeec28b32d672ab4fb381879 Author: Greg Kroah-Hartman Date: Mon May 9 16:03:02 2011 -0700 Linux 2.6.32.40 commit 3b4b7c75885a0acde5ff2e3f66eebe98471c3675 Author: James Bottomley Date: Sun May 1 09:42:07 2011 -0500 fix oops in scsi_run_queue() commit c055f5b2614b4f758ae6cc86733f31fa4c2c5844 upstream. The recent commit closing the race window in device teardown: commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b Author: James Bottomley Date: Fri Apr 22 10:39:59 2011 -0500 [SCSI] put stricter guards on queue dead checks is causing a potential NULL deref in scsi_run_queue() because the q->queuedata may already be NULL by the time this function is called. Since we shouldn't be running a queue that is being torn down, simply add a NULL check in scsi_run_queue() to forestall this. Tested-by: Jim Schutt Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 5d93d268311c91a6f47f8b1843b60788ba378e4c Author: Oliver Hartkopp Date: Wed Apr 20 01:57:15 2011 +0000 can: add missing socket check in can/raw release commit 10022a6c66e199d8f61d9044543f38785713cbbd upstream. v2: added space after 'if' according code style. We can get here with a NULL socket argument passed from userspace, so we need to handle it accordingly. Thanks to Dave Jones pointing at this issue in net/can/bcm.c Signed-off-by: Oliver Hartkopp Signed-off-by: David S. Miller Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit f413fc28a1db54519b75f731a6e57d1ef0269d78 Author: Zachary Amsden Date: Wed May 4 09:31:29 2011 -0300 KVM: x86: Fix kvmclock bug (backported from commit 28e4639adf0c9f26f6bb56149b7ab547bf33bb95) If preempted after kvmclock values are updated, but before hardware virtualization is entered, the last tsc time as read by the guest is never set. It underflows the next time kvmclock is updated if there has not yet been a successful entry / exit into hardware virt. Fix this by simply setting last_tsc to the newly read tsc value so that any computed nsec advance of kvmclock is nulled. Signed-off-by: Zachary Amsden Signed-off-by: Marcelo Tosatti BugLink: http://bugs.launchpad.net/bugs/714335 Signed-off-by: Serge E. Hallyn Reviewed-by: Stefan Bader Signed-off-by: Greg Kroah-Hartman commit ad2088cabe0fd7f633f38ba106025d33ed9a2105 Author: Zachary Amsden Date: Wed May 4 09:31:28 2011 -0300 KVM: x86: Fix a possible backwards warp of kvmclock (backported from commit 1d5f066e0b63271b67eac6d3752f8aa96adcbddb) Kernel time, which advances in discrete steps may progress much slower than TSC. As a result, when kvmclock is adjusted to a new base, the apparent time to the guest, which runs at a much higher, nsec scaled rate based on the current TSC, may have already been observed to have a larger value (kernel_ns + scaled tsc) than the value to which we are setting it (kernel_ns + 0). We must instead compute the clock as potentially observed by the guest for kernel_ns to make sure it does not go backwards. Signed-off-by: Zachary Amsden Signed-off-by: Marcelo Tosatti BugLink: http://bugs.launchpad.net/bugs/714335 Signed-off-by: Serge E. Hallyn Reviewed-by: Stefan Bader Signed-off-by: Greg Kroah-Hartman commit 64c8f7b9a24b1de710ad8413da503d61ede6ae45 Author: Zachary Amsden Date: Wed May 4 09:31:27 2011 -0300 x86: pvclock: Move scale_delta into common header (cherry-picked from commit 347bb4448c2155eb2310923ccaa4be5677649003) The scale_delta function for shift / multiply with 31-bit precision moves to a common header so it can be used by both kernel and kvm module. Signed-off-by: Zachary Amsden Signed-off-by: Marcelo Tosatti BugLink: http://bugs.launchpad.net/bugs/714335 Signed-off-by: Serge E. Hallyn Signed-off-by: Greg Kroah-Hartman commit 51028920a9424e2437d6acc3bbc0946d6d71a7aa Author: Stanislaw Gruszka Date: Wed Apr 20 15:57:14 2011 +0200 iwlwifi: fix skb usage after free commit b25026981aecde3685dd0e45ad980fff9f528daa upstream. Since commit a120e912eb51e347f36c71b60a1d13af74d30e83 Author: Stanislaw Gruszka Date: Fri Feb 19 15:47:33 2010 -0800 iwlwifi: sanity check before counting number of tfds can be free we use skb->data after calling ieee80211_tx_status_irqsafe(), which could free skb instantly. On current kernels I do not observe practical problems related with bug, but on 2.6.35.y it cause random system hangs when stressing wireless link. Signed-off-by: Stanislaw Gruszka Acked-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 49abf47d18ef1e3c67f3a29cd9eda03f48818652 Author: Felipe Balbi Date: Thu Feb 24 10:36:53 2011 +0200 usb: musb: core: set has_tt flag commit ec95d35a6bd0047f05fe8a21e6c52f8bb418da55 upstream. MUSB is a non-standard host implementation which can handle all speeds with the same core. We need to set has_tt flag after commit d199c96d41d80a567493e12b8e96ea056a1350c1 (USB: prevent buggy hubs from crashing the USB stack) in order for MUSB HCD to continue working. Signed-off-by: Felipe Balbi Cc: Alan Stern Tested-by: Michael Jones Tested-by: Alexander Holler Signed-off-by: Greg Kroah-Hartman commit 162231ba4bb635759c3edcb1dc81a02b192c5e05 Author: Tejun Heo Date: Thu Jan 20 13:59:06 2011 +0100 libata: set queue DMA alignment to sector size for ATAPI too commit 729a6a300e628a48cf12bac93a964a535e83cd1d upstream. ata_pio_sectors() expects buffer for each sector to be contained in a single page; otherwise, it ends up overrunning the first page. This is achieved by setting queue DMA alignment. If sector_size is smaller than PAGE_SIZE and all buffers are sector_size aligned, buffer for each sector is always contained in a single page. This wasn't applied to ATAPI devices but IDENTIFY_PACKET is executed as ATA_PROT_PIO and thus uses ata_pio_sectors(). Newer versions of udev issue IDENTIFY_PACKET with unaligned buffer triggering the problem and causing oops. This patch fixes the problem by setting sdev->sector_size to ATA_SECT_SIZE on ATATPI devices and always setting DMA alignment to sector_size. While at it, add a warning for the unlikely but still possible scenario where sector_size is larger than PAGE_SIZE, in which case the alignment wouldn't be enough. Signed-off-by: Tejun Heo Reported-by: John Stanley Tested-by: John Stanley Signed-off-by: Jeff Garzik Signed-off-by: Jonathan Liu Signed-off-by: Greg Kroah-Hartman commit 63de1f2c9f4b5b47893c425579321657400b98a0 Author: Guennadi Liakhovetski Date: Tue Nov 23 17:10:24 2010 +0100 wireless: b43: fix error path in SDIO commit e476a5a41ad67d0e2b4a652820c49a3923eb936b upstream. Fix unbalanced call to sdio_release_host() on the error path. Signed-off-by: Guennadi Liakhovetski Acked-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen Signed-off-by: Greg Kroah-Hartman commit 1183c16343f6daff3e418f8c782ce924f52ae148 Author: Ben Hutchings Date: Fri Dec 17 10:16:23 2010 -0800 tehuti: Firmware filename is tehuti/bdx.bin commit 46814e08d80f87449b5adb3d549a3cae6f9f8148 upstream. My conversion of tehuti to use request_firmware() was confused about the filename of the firmware blob. Change the driver to match the blob. Signed-off-by: Ben Hutchings Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4a6b24769e5dec6aff2752d2a5dec7f63c3d1eb9 Author: Bart Hartgers Date: Sun Jun 27 19:04:56 2010 +0100 sata_via: Delay on vt6420 when starting ATAPI DMA write commit a55ab496ea9c820b7192c15ef1fbf3291edfe638 upstream. When writing a disc on certain lite-on dvd-writers (also rebadged as optiarc/LG/...) connected to a vt6420, the ATAPI CDB ends up in the datastream and on the disc, causing silent corruption. Delaying between sending the CDB and starting DMA seems to prevent this. I do not know if there are burners that do not suffer from this, but the patch should be safe for those as well. There are many reports of this issue, but AFAICT no solution was found before. For example: http://lkml.indiana.edu/hypermail/linux/kernel/0802.3/0561.html Signed-off-by: Bart Hartgers Signed-off-by: Jeff Garzik [bwh: Remove version bump for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit ad2ec68f76ce08911c87bc8bd5c92491a0c5aac9 Author: Ondrej Zary Date: Wed Jun 23 12:57:15 2010 +0200 rt2500usb: fallback to SW encryption for TKIP+AES commit 75f64dd54a185150ebfc45e99351c890d4a2252f upstream. HW crypto in rt2500usb does not seem to support keys with different ciphers, which breaks TKIP+AES mode. Fall back to software encryption to fix it. This should fix long-standing problems with rt2500usb and WPA, such as: http://rt2x00.serialmonkey.com/phpBB/viewtopic.php?f=4&t=4834 https://bugzilla.redhat.com/show_bug.cgi?id=484888 Also tested that it does not break WEP, TKIP-only and AES-only modes. Signed-off-by: Ondrej Zary Acked-by: Gertjan van Wingerde Signed-off-by: John W. Linville [bwh: Adjust context for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit a1fabce3d03a20953d6c4fd61b72f6355818d925 Author: Ben Hutchings Date: Sat Jan 8 14:24:01 2011 +0000 powerpc/boot/dts: Install dts from the right directory commit 4d9ef89dee13e964ea8b064d82ff55cf36209237 upstream. The dts-installed variable is initialised using a wildcard path that will be expanded relative to the build directory. Use the existing variable dtstree to generate an absolute wildcard path that will work when building in a separate directory. Reported-by: Gerhard Pircher Signed-off-by: Ben Hutchings Tested-by: Gerhard Pircher [against 2.6.32] Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit c33790ec1212ef7a3f302c3e410cba6e0affe489 Author: Rémi Denis-Courmont Date: Mon Oct 25 10:43:32 2010 +0300 Phonet: device notifier only runs on initial namespace [bwh: This is only applicable to 2.6.32. Phonet was fixed upstream to work with multiple net namespaces.] This should really fix the OOPS when doing: unshare(CLONE_NEWNET); exit(0); while the phonet module is loaded. Signed-off-by: Rémi Denis-Courmont Signed-off-by: Greg Kroah-Hartman commit ffa7db22639e3df2c335691b9b0abbcba7ae18ed Author: Ben Hutchings Date: Tue Sep 7 04:35:19 2010 +0000 niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream. niu_get_ethtool_tcam_all() assumes that its output buffer is the right size, and warns before returning if it is not. However, the output buffer size is under user control and ETHTOOL_GRXCLSRLALL is an unprivileged ethtool command. Therefore this is at least a local denial-of-service vulnerability. Change it to check before writing each entry and to return an error if the buffer is already full. Compile-tested only. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller [Adjusted to apply to 2.6.32 by dann frazier ] Signed-off-by: Greg Kroah-Hartman commit 252056213a0e7d5386836f755f319117252a1451 Author: FUJITA Tomonori Date: Tue Mar 9 11:09:50 2010 +0900 mpt2sas: fix the incorrect scsi_dma_map error checking commit bb789d01620e5d36081b22edb6fb71cf55ff043c upstream. scsi_dma_map() returns -1 if an error occurred (zero means that the command has no data). So the following current code can't catch an error: sges_left = scsi_dma_map(scmd); if (!sges_left) { sdev_printk(KERN_ERR, scmd->device, "pci_map_sg" " failed: request for %d bytes!\n", scsi_bufflen(scmd)); return -ENOMEM; } Signed-off-by: FUJITA Tomonori Acked-by: "Kashyap Desai" Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 01ba5b05f88b590ae303e6f5fb4e31aa7cc2e407 Author: Ralf Baechle Date: Thu Sep 2 23:22:23 2010 +0200 MIPS: DMA: Fix computation of DMA flags from device's coherent_dma_mask. commit 3b9c6c11f519718d618f5d7c9508daf78b207f6f upstream. This only matters for ISA devices with a 24-bit DMA limit or for devices with a 32-bit DMA limit on systems with ZONE_DMA32 enabled. The latter currently only affects 32-bit PCI cards on Sibyte-based systems with more than 1GB RAM installed. Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit ec12faab23bebcfc34b7987df4c57e5e02490e79 Author: James Chapman Date: Tue Mar 16 06:29:20 2010 +0000 l2tp: Fix UDP socket reference count bugs in the pppol2tp driver commit c3259c8a7060d480e8eb2166da0a99d6879146b4 upstream. This patch fixes UDP socket refcnt bugs in the pppol2tp driver. A bug can cause a kernel stack trace when a tunnel socket is closed. A way to reproduce the issue is to prepare the UDP socket for L2TP (by opening a tunnel pppol2tp socket) and then close it before any L2TP sessions are added to it. The sequence is Create UDP socket Create tunnel pppol2tp socket to prepare UDP socket for L2TP pppol2tp_connect: session_id=0, peer_session_id=0 L2TP SCCRP control frame received (tunnel_id==0) pppol2tp_recv_core: sock_hold() pppol2tp_recv_core: sock_put L2TP ZLB control frame received (tunnel_id=nnn) pppol2tp_recv_core: sock_hold() pppol2tp_recv_core: sock_put Close tunnel management socket pppol2tp_release: session_id=0, peer_session_id=0 Close UDP socket udp_lib_close: BUG The addition of sock_hold() in pppol2tp_connect() solves the problem. For data frames, two sock_put() calls were added to plug a refcnt leak per received data frame. The ref that is grabbed at the top of pppol2tp_recv_core() must always be released, but this wasn't done for accepted data frames or data frames discarded because of bad UDP checksums. This leak meant that any UDP socket that had passed L2TP data traffic (i.e. L2TP data frames, not just L2TP control frames) using pppol2tp would not be released by the kernel. WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120() Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8 Call Trace: [] ? udp_lib_unhash+0x117/0x120 [] ? warn_slowpath_common+0x71/0xd0 [] ? udp_lib_unhash+0x117/0x120 [] ? warn_slowpath_null+0x13/0x20 [] ? udp_lib_unhash+0x117/0x120 [] ? sk_common_release+0x17/0x90 [] ? inet_release+0x33/0x60 [] ? sock_release+0x10/0x60 [] ? sock_close+0xf/0x30 [] ? __fput+0x52/0x150 [] ? filp_close+0x3e/0x70 [] ? put_files_struct+0x62/0xb0 [] ? do_exit+0x5e7/0x650 [] ? mntput_no_expire+0x13/0x70 [] ? filp_close+0x3e/0x70 [] ? do_group_exit+0x2a/0x70 [] ? sys_exit_group+0x11/0x20 [] ? sysenter_do_call+0x12/0x26 Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 390a91e54402a1aefd22f1e943b02da83be3e5dc Author: Romain Francoise Date: Mon Jan 17 07:59:18 2011 +0000 ipv6: Silence privacy extensions initialization commit 2fdc1c8093255f9da877d7b9ce3f46c2098377dc upstream. When a network namespace is created (via CLONE_NEWNET), the loopback interface is automatically added to the new namespace, triggering a printk in ipv6_add_dev() if CONFIG_IPV6_PRIVACY is set. This is problematic for applications which use CLONE_NEWNET as part of a sandbox, like Chromium's suid sandbox or recent versions of vsftpd. On a busy machine, it can lead to thousands of useless "lo: Disabled Privacy Extensions" messages appearing in dmesg. It's easy enough to check the status of privacy extensions via the use_tempaddr sysctl, so just removing the printk seems like the most sensible solution. Signed-off-by: Romain Francoise Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9c392599a8c89467a1cc43cf41d74d1910c30a8f Author: Jeff Mahoney Date: Thu Feb 11 10:26:38 2010 +0000 ipg: Remove device claimed by dl2k from pci id table commit 25cca5352712561fba97bd37c495593d641c1d39 upstream. This patch removes D-Link DGE-550T PCI ID (1186:4000) from the ipg driver. The ipg driver is for IP2000-based cards and the DGE-550T is a DL2000-based card. The driver loads and works for a few moments, but once a real workload is applied it stops operating. The ipg driver claimed this ID since it was introduced in 2.6.24 and it's forced many users to blacklist it. The correct driver for this hardware is the dl2k driver, which has been claiming this PCI ID since the 2.4 days. Signed-off-by: Jeff Mahoney Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 400036c2e53672323a7dd743146017995ffecb27 Author: David Woodhouse Date: Tue Jun 15 10:57:57 2010 +0100 intel-iommu: Force-disable IOMMU for iGFX on broken Cantiga revisions. commit 2d9e667efdfb4e986074d98e7d9a424003c7c43b upstream. Certain revisions of this chipset appear to be broken. There is a shadow GTT which mirrors the real GTT but contains pre-translated physical addresses, for performance reasons. When a GTT update happens, the translations are done once and the resulting physical addresses written back to the shadow GTT. Except sometimes, the physical address is actually written back to the _real_ GTT, not the shadow GTT. Thus we start to see faults when that physical address is fed through translation again. Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit e281433b151dad34ac1556adc5d276e4cf077b43 Author: Edgar (gimli) Hucek Date: Wed Nov 3 10:36:18 2010 -0400 HID: add MacBookAir 3,1 and 3,2 support commit 99b9f758bbc904f22faffcf4d83205f4a5e7bc0c upstream. This patch add support for the MacBookAir3,1 and MacBookAir3,2 to the hid driver. Signed-off-by: Edgar (gimli) Hucek Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit dd0c46bb0f117de55dac392e99ee514178b60449 Author: Neil Horman Date: Thu Jan 20 09:02:31 2011 +0000 bonding: Ensure that we unshare skbs prior to calling pskb_may_pull commit b30532515f0a62bfe17207ab00883dd262497006 upstream. Recently reported oops: kernel BUG at net/core/skbuff.c:813! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/virtual/net/bond0/broadcast CPU 8 Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2 ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase scsi_transport_sas dm_mod [last unloaded: microcode] Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2 ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase scsi_transport_sas dm_mod [last unloaded: microcode] Pid: 0, comm: swapper Not tainted 2.6.32-71.el6.x86_64 #1 BladeCenter HS22 -[7870AC1]- RIP: 0010:[] [] pskb_expand_head+0x36/0x1e0 RSP: 0018:ffff880028303b70 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff880c6458ec80 RCX: 0000000000000020 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880c6458ec80 RBP: ffff880028303bc0 R08: ffffffff818a6180 R09: ffff880c6458ed64 R10: ffff880c622b36c0 R11: 0000000000000400 R12: 0000000000000000 R13: 0000000000000180 R14: ffff880c622b3000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff880028300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 00000038653452a4 CR3: 0000000001001000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffff8806649c2000, task ffff880c64f16ab0) Stack: ffff880028303bc0 ffffffff8104fff9 000000000000001c 0000000100000000 <0> ffff880000047d80 ffff880c6458ec80 000000000000001c ffff880c6223da00 <0> ffff880c622b3000 0000000000000000 ffff880028303c10 ffffffff81407f7a Call Trace: [] ? __wake_up_common+0x59/0x90 [] __pskb_pull_tail+0x2aa/0x360 [] bond_arp_rcv+0x2c0/0x2e0 [bonding] [] ? packet_rcv+0x377/0x440 [] netif_receive_skb+0x2db/0x670 [] napi_skb_finish+0x58/0x70 [] napi_gro_receive+0x39/0x50 [] ixgbe_clean_rx_irq+0x35b/0x900 [ixgbe] [] ixgbe_clean_rxtx_many+0x136/0x240 [ixgbe] [] net_rx_action+0x103/0x210 [] __do_softirq+0xb7/0x1e0 [] ? handle_IRQ_event+0x60/0x170 [] call_softirq+0x1c/0x30 [] do_softirq+0x65/0xa0 [] irq_exit+0x85/0x90 [] do_IRQ+0x75/0xf0 [] ret_from_intr+0x0/0x11 [] ? mwait_idle+0x71/0xd0 [] ? atomic_notifier_call_chain+0x1a/0x20 [] cpu_idle+0xb6/0x110 [] start_secondary+0x1fc/0x23f Resulted from bonding driver registering packet handlers via dev_add_pack and then trying to call pskb_may_pull. If another packet handler (like for AF_PACKET sockets) gets called first, the delivered skb will have a user count > 1, which causes pskb_may_pull to BUG halt when it does its skb_shared check. Fix this by calling skb_share_check prior to the may_pull call sites in the bonding driver to clone the skb when needed. Tested by myself and the reported successfully. Signed-off-by: Neil Horman CC: Andy Gospodarek CC: Jay Vosburgh CC: "David S. Miller" Signed-off-by: Jay Vosburgh Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fde3d8206abc43a730965559fa62add0dbe29660 Author: Edgar (gimli) Hucek Date: Thu Nov 11 14:05:30 2010 -0800 backlight: MacBookAir3,1(3,2) mbp-nvidia-bl support commit bd760e1e5b34351e0705705e5163cb89c1316d71 upstream. Add support for the MacBookAir3,1 and MacBookAir3,2 to the mbp-nvidia-bl driver. Signed-off-by: Edgar (gimli) Hucek Acked-by: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 572a42d1f4c4dcf686eb7b25741e99e789f8d213 Author: Peter Zijlstra Date: Mon Jun 28 16:51:01 2010 +0200 init, sched: Fix race between init and kthreadd commit b433c3d4549ae74935b585115f076c6fb7bc48fe upstream. Ilya reported that on a very slow machine he could reliably reproduce a race between forking init and kthreadd. We first fork init so that it obtains pid-1, however since the scheduler is already fully running at this point it can preempt and run the init thread before we spawn and set kthreadd_task. The init thread can then attempt spawning kthreads without kthreadd being present which results in an OOPS. Reported-by: Ilya Loginov Signed-off-by: Peter Zijlstra Acked-by: Linus Torvalds LKML-Reference: <1277736661.3561.110.camel@laptop> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 6034a281f077b621859fb7b2f362fc9d693ea218 Author: Eric Dumazet Date: Wed Nov 24 09:15:27 2010 -0800 af_unix: limit unix_tot_inflight commit 9915672d41273f5b77f1b3c29b391ffb7732b84b upstream. Vegard Nossum found a unix socket OOM was possible, posting an exploit program. My analysis is we can eat all LOWMEM memory before unix_gc() being called from unix_release_sock(). Moreover, the thread blocked in unix_gc() can consume huge amount of time to perform cleanup because of huge working set. One way to handle this is to have a sensible limit on unix_tot_inflight, tested from wait_for_unix_gc() and to force a call to unix_gc() if this limit is hit. This solves the OOM and also reduce overall latencies, and should not slowdown normal workloads. Reported-by: Vegard Nossum Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6019f3837946cd5872ed473cd492d90c49228ee3 Author: Eric Dumazet Date: Thu Nov 25 04:11:39 2010 +0000 af_unix: limit recursion level commit 25888e30319f8896fc656fc68643e6a078263060 upstream. Its easy to eat all kernel memory and trigger NMI watchdog, using an exploit program that queues unix sockets on top of others. lkml ref : http://lkml.org/lkml/2010/11/25/8 This mechanism is used in applications, one choice we have is to have a recursion limit. Other limits might be needed as well (if we queue other types of files), since the passfd mechanism is currently limited by socket receive queue sizes only. Add a recursion_level to unix socket, allowing up to 4 levels. Each time we send an unix socket through sendfd mechanism, we copy its recursion level (plus one) to receiver. This recursion level is cleared when socket receive queue is emptied. Reported-by: Марк Коренберг Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller [bwh: Adjust for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 84daae5dc885913953823b1303e1fbbbb38a5a53 Author: Ben Hutchings Date: Wed Dec 29 14:55:03 2010 +0000 btrfs: Require CAP_SYS_ADMIN for filesystem rebalance commit 6f88a4403def422bd8e276ddf6863d6ac71435d2 upstream. Filesystem rebalancing (BTRFS_IOC_BALANCE) affects the entire filesystem and may run uninterruptibly for a long time. This does not seem to be something that an unprivileged user should be able to do. Reported-by: Aron Xu Signed-off-by: Ben Hutchings Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 4c8478ffa104fa9df0765dd05f395cce3d7a96b4 Author: Jesse Brandeburg Date: Tue Sep 7 21:01:12 2010 +0000 e1000: fix Tx hangs by disabling 64-bit DMA commit e508be174ad36b0cf9b324cd04978c2b13c21502 upstream. Several users report issues with 32-bit adapters when plugged into PCI slots in machines with >= 4GB ram. In particular AMD systems with HyperTransport to PCI bridges seem to trigger the issue, but it isn't limited to only them. This issue is not easily reproducible here, yet still continues to occur in the field. For e1000 on PCI devices, just disable DMA addresses over the 4GB boundary when in PCI (not PCI-X) mode, to prevent the issue from continuing to pop up. The performance impact for this is negligible. The code was refactored to move the init of the hw struct to its own function. This allows the init to be called very early in probe, which then allows using hw-> members for this fix. A slight refactor to the DMA mask code was done for minor correctness based on the instructions in DMA-API-HOWTO. Signed-off-by: Jesse Brandeburg Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller [bwh: Adjust for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 3aeab7c1080593a4cfdd2aebdba16db4c3a33180 Author: Bruce Allan Date: Wed May 5 22:00:27 2010 +0000 e1000e: Reset 82577/82578 PHY before first PHY register read commit 627c8a041f7aaaea93c766f69bd61d952a277586 upstream. Reset the PHY before first accessing it. Doing so, ensure that the PHY is in a known good state before we read/write PHY registers. This fixes a driver probe failure. Signed-off-by: Bruce Allan Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller [Backported to 2.6.32 by dann frazier ] Signed-off-by: Greg Kroah-Hartman commit 889491211b81de723effd26cbdd4b4b5b3e1e262 Author: Oskar Schirmer Date: Wed Nov 10 21:06:13 2010 +0000 cifs: fix another memleak, in cifs_root_iget commit a7851ce73b9fdef53f251420e6883cf4f3766534 upstream. cifs_root_iget allocates full_path through cifs_build_path_to_root, but fails to kfree it upon cifs_get_inode_info* failure. Make all failure exit paths traverse clean up handling at the end of the function. Signed-off-by: Oskar Schirmer Signed-off-by: Andi Kleen Reviewed-by: Jesper Juhl Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 04333e7c8fcee3212f21b0c431de3f454e3775f3 Author: Mike Christie Date: Fri Apr 9 22:07:37 2010 -0500 scsi_dh_emc: request flag cleanup commit 5738d4449c1baf05e8345684d12371f76296473d upstream. blk_get_request sets the cmd_flags, so we should not and do not need to set them. If we did set them to a different value then it can cause a oops in the elevator code. Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 4e2336131d90138320ee998c484c0799ec7dfbaa Author: Hannes Reinecke Date: Wed Dec 2 14:28:48 2009 -0600 scsi_dh_emc: fix mode select request setup commit 6c71dcb28ff9b63b814a0b76a256f5dae08d3e0d upstream. This patch fixes the request setup code for mode selects. I got the fixes from Hannes Reinecke while trying to hunt down some problems and merged it into one patch. I am sending it because Hannes is busy with other things. The patch fixes: - setting of the length for mode selects. - setting of the data direction for mode select 10. Signed-off-by: Hannes Reinecke Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c6e5b7287b26a2ede20fe9f43d5c13ab19f0776f Author: Rezwanul Kabir Date: Wed Jun 23 12:02:43 2010 -0500 dell-laptop: Add another Dell laptop family to the DMI whitelist commit 410d44c74cf9942e3055d5b7d73953fac8efbacb upstream. This is to support Precision M4500 and others. Signed-off-by: Rezwanul Kabir Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit 36e683f7e0d37953e9b5ddb0439c15fcbe1690fd Author: Erik Andren Date: Sun Feb 14 11:53:23 2010 -0500 dell-laptop: Add another Dell laptop to the DMI whitelist commit cb6a7937f4328a267e0806680ade500ed2c3c01a upstream. The Latitude C640 has another variation of dell in its DMI vendor entry. Add it to the whitelist in order to enjoy the sweet fruits of software backlight toggling. Signed-off-by: Erik Andren Signed-off-by: Greg Kroah-Hartman commit b7a7f2b940ba69a8dc999f2e5771e52e4f7860a5 Author: Phil Blundell Date: Wed Nov 24 11:51:47 2010 -0800 econet: fix CVE-2010-3848 commit a27e13d370415add3487949c60810e36069a23a6 upstream. Don't declare variable sized array of iovecs on the stack since this could cause stack overflow if msg->msgiovlen is large. Instead, coalesce the user-supplied data into a new buffer and use a single iovec for it. Signed-off-by: Phil Blundell Signed-off-by: David S. Miller [Adjusted to apply to 2.6.32 by dann frazier ] Signed-off-by: Greg Kroah-Hartman commit 8200a2e148cb2c01ef8a1ee77fd893227b4e15d4 Author: Hagen Paul Pfeifer Date: Wed Oct 7 14:43:04 2009 -0700 econet: Fix redeclaration of symbol len commit 9e8342971d44ce86d8567047f5366fc1c06a75ed upstream. Function argument len was redeclarated within the function. This patch fix the redeclaration of symbol 'len'. Signed-off-by: Hagen Paul Pfeifer Signed-off-by: David S. Miller [Adjusted to apply to 2.6.32 by dann frazier ] Signed-off-by: Greg Kroah-Hartman commit 46e8f021c9864285e6bc223f9ef61bc72e77d07a Author: Larry Finger Date: Thu Oct 28 10:43:26 2010 -0500 b43: Fix warning at drivers/mmc/core/core.c:237 in mmc_wait_for_cmd commit 9f2a0fac625bcef9c579bcf0b0c904ab1a56e7c4 upstream. On module removal, the sdio version of b43 generates the following warning: [ 851.560519] ------------[ cut here ]------------ [ 851.560531] WARNING: at drivers/mmc/core/core.c:237 mmc_wait_for_cmd+0x88/0x90() [ 851.560534] Hardware name: 20552PG [ 851.560536] Modules linked in: b43(-) ssb mmc_block binfmt_misc rfcomm sco bnep ppdev l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp kvm_intel kvm arc4 iwlagn snd_hda_codec_conexant snd_hda_intel snd_hda_codec iwlcore snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq r852 joydev snd_timer sm_common pcmcia nand snd_seq_device cfg80211 sdhci_pci btusb psmouse tpm_tis yenta_socket nand_ids lp snd pcmcia_rsrc nand_ecc bluetooth sdhci tpm pcmcia_core parport mtd snd_page_alloc serio_raw tpm_bios soundcore nvram led_class sha256_generic aes_i586 aes_generic dm_crypt i915 drm_kms_helper drm ahci intel_agp i2c_algo_bit intel_gtt e1000e libahci video agpgart output [ 851.560620] Pid: 2504, comm: rmmod Not tainted 2.6.36-titan0+ #1 [ 851.560622] Call Trace: [ 851.560631] [] warn_slowpath_common+0x72/0xa0 [ 851.560636] [] ? mmc_wait_for_cmd+0x88/0x90 [ 851.560641] [] ? mmc_wait_for_cmd+0x88/0x90 [ 851.560645] [] warn_slowpath_null+0x22/0x30 [ 851.560649] [] mmc_wait_for_cmd+0x88/0x90 [ 851.560655] [] ? device_release+0x25/0x80 [ 851.560660] [] mmc_io_rw_direct_host+0xa0/0x150 [ 851.560665] [] mmc_io_rw_direct+0x30/0x40 [ 851.560669] [] sdio_disable_func+0x37/0xa0 [ 851.560683] [] b43_sdio_remove+0x30/0x50 [b43] [ 851.560687] [] sdio_bus_remove+0x1c/0x60 [ 851.560692] [] ? blocking_notifier_call_chain+0x1f/0x30 [ 851.560697] [] __device_release_driver+0x51/0xb0 [ 851.560701] [] driver_detach+0x8f/0xa0 [ 851.560705] [] bus_remove_driver+0x63/0xa0 [ 851.560709] [] driver_unregister+0x49/0x80 [ 851.560713] [] ? driver_unregister+0x49/0x80 [ 851.560718] [] sdio_unregister_driver+0x17/0x20 [ 851.560727] [] b43_sdio_exit+0x12/0x20 [b43] [ 851.560734] [] b43_exit+0x17/0x3c [b43] [ 851.560740] [] sys_delete_module+0x13d/0x200 [ 851.560747] [] ? do_munmap+0x212/0x300 [ 851.560752] [] sysenter_do_call+0x12/0x28 [ 851.560757] ---[ end trace 31e14488072d2f7d ]--- [ 851.560759] ------------[ cut here ]------------ The warning is caused by b43 not claiming the device before calling sdio_disable_func(). Signed-off-by: Larry Finger Reported-by: Arnd Hannemann Tested-by: Arnd Hannemann Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit ed9de8cc020e04c55c0952ce8040b6f1f1d2fab1 Author: Uwe Kleine-König Date: Wed Aug 18 09:25:38 2010 -0700 mmc: build fix: mmc_pm_notify is only available with CONFIG_PM=y commit 81ca03a0e2ea0207b2df80e0edcf4c775c07a505 upstream. This fixes a build breakage introduced by commit 4c2ef25fe0b8 ("mmc: fix all hangs related to mmc/sd card insert/removal during suspend/resume") Cc: David Brownell Cc: Alan Stern Cc: linux-mmc@vger.kernel.org Cc: Andrew Morton Signed-off-by: Uwe Kleine-König Acked-by: Kukjin Kim Acked-by: Maxim Levitsky Acked-by: Randy Dunlap Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 28e4bf4a8b80ccae1e42f9ca2d173f1cf5f60abb Author: Maxim Levitsky Date: Tue Aug 10 18:01:41 2010 -0700 mmc: fix all hangs related to mmc/sd card insert/removal during suspend/resume commit 4c2ef25fe0b847d2ae818f74758ddb0be1c27d8e upstream. If you don't use CONFIG_MMC_UNSAFE_RESUME, as soon as you attempt to suspend, the card will be removed, therefore this patch doesn't change the behavior of this option. However the removal will be done by pm notifier, which runs while userspace is still not frozen and thus can freely use del_gendisk, without the risk of deadlock which would happen otherwise. Card detect workqueue is now disabled while userspace is frozen, Therefore if you do use CONFIG_MMC_UNSAFE_RESUME, and remove the card during suspend, the removal will be detected as soon as userspace is unfrozen, again at the moment it is safe to call del_gendisk. Tested with and without CONFIG_MMC_UNSAFE_RESUME with suspend and hibernate. [akpm@linux-foundation.org: clean up function prototype] [akpm@linux-foundation.org: fix CONFIG_PM-n linkage, small cleanups] [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Maxim Levitsky Cc: David Brownell Cc: Alan Stern Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Adjust for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit f4a2d5813740264e092a90c1ad9b1b61b46ccaf1 Author: Michael Müller Date: Mon Apr 26 22:18:57 2010 -0300 V4L/DVB: Add Elgato EyeTV Diversity to dibcom driver commit 84e2f037ce9672d0fb118e3e82cecfe6122ace3f upstream. This patch introduces support for DVB-T for the following dibcom based card: Elgato EyeTV Diversity (USB-ID: 0fd9:0011) Support for the Elgato silver IR remote is added too (set parameter dvb_usb_dib0700_ir_proto=0) [w.sang@pengutronix.de: rebased to current linuxtv-master] Signed-off-by: Michael Müller Signed-off-by: Wolfram Sang Signed-off-by: Patrick Boettcher Signed-off-by: Mauro Carvalho Chehab [bwh: Adjust context and numbering for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit cdcf58a4ed7461f9e4584ca1b2b46eb4bbd12811 Author: Kyle McMartin Date: Mon May 10 16:43:35 2010 -0400 perf symbols: allow forcing use of cplus_demangle commit d11c7addfe0fa501cb54c824c0fac3481d527433 upstream. For Fedora, I want to force perf to link against libiberty.a for cplus_demangle, rather than libbfd.a for bfd_demangle due to licensing insanity on binutils. (libiberty is LGPL2, libbfd is GPL3.) If we just rely on autodetection, we'll end up with libbfd linked against us, since they're both in binutils-static in the buildroot. Cc: Ingo Molnar LKML-Reference: <20100510204335.GA7565@bombadil.infradead.org> Signed-off-by: Kyle McMartin Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 581f07ec9f17bcfea2e47e249c459895e65ba314 Author: Arnaldo Carvalho de Melo Date: Tue Jan 12 08:58:30 2010 -0200 perf tools: Check if /dev/null can be used as the -o gcc argument commit 1703f2c321a8a531c393e137a82602e16c6061cb upstream. At least on Debian PARISC64, using: acme@parisc:~/git/linux-2.6-tip$ gcc -v Using built-in specs. Target: hppa-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Debian 4.3.4-6' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --disable-libssp --enable-checking=release --build=hppa-linux-gnu --host=hppa-linux-gnu --target=hppa-linux-gnu Thread model: posix gcc version 4.3.4 (Debian 4.3.4-6) there are issues about using 'gcc -o /dev/null': /usr/bin/ld: final link failed: File truncated collect2: ld returned 1 exit status So we test that and use /dev/null in environments where it works, while using an .INTERMEDIATE file on those where it can't be used, so that the .perf.dev.null file can be used instead and then deleted when make exits. Researched-with: Kyle McMartin Researched-with: Mauro Carvalho Chehab Signed-off-by: Arnaldo Carvalho de Melo Cc: Frédéric Weisbecker Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Paul Mackerras LKML-Reference: <1263293910-8484-2-git-send-email-acme@infradead.org> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit ddb02625a519ffb60a41c8e8bf53b6a3ac68b350 Author: Arnaldo Carvalho de Melo Date: Tue Jan 12 08:58:29 2010 -0200 perf tools: Move QUIET_STDERR def to before first use commit 830395188fae5f4028fa3c38ab1b031aae18a64c upstream. QUIET_STDERR is used when detecting if -fstack-protector-all can be used. Noticed while building the perf tools on a Debian PARISC64 machine. Signed-off-by: Arnaldo Carvalho de Melo Cc: Frédéric Weisbecker Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Paul Mackerras LKML-Reference: <1263293910-8484-1-git-send-email-acme@infradead.org> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit d14085b73f362c8cdcc20a39276f5fcf9c8979f0 Author: Michael S. Tsirkin Date: Sun Nov 22 14:13:35 2009 +0200 perf: Use default compiler mode by default commit 81516c5fc83a13a1d12f466aa7e14f5fd62a63ce upstream. gcc with no flags typically is a sane default for systems to use, and looking at the running kernel is probably broken for cross-builds anyway, so let's not do this. Add EXTRA_CFLAGS so that users can override default gcc mode if they want to. Signed-off-by: Michael S. Tsirkin Acked-by: Arjan van de Ven Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Frederic Weisbecker Cc: Arnaldo Carvalho de Melo LKML-Reference: <20091122121335.GA24254@redhat.com> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit d3a9ac6ecf0b900696da35c5fc8b5f116fda1077 Author: Michael S. Tsirkin Date: Sun Nov 22 15:13:11 2009 +0200 perf tools: Suggest static libraries as well commit b197c7ef7169bd5f11fb9d803b322d0daef7e256 upstream. On error, suggest installing static libraries along with shared libraries. Signed-off-by: Michael S. Tsirkin Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Frederic Weisbecker Cc: Arnaldo Carvalho de Melo LKML-Reference: <20091122131311.GA24318@redhat.com> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 8d169bab25f0f07d613a8261fecf86abb586e678 Author: Michael S. Tsirkin Date: Sun Nov 22 13:27:27 2009 +0200 perf tools: Add V=2 option to help debug config issues commit 7baed9af4bf0d7850045e36d19a43a2c76872b62 upstream. Make standard error show up on console when V=2 is set. Signed-off-by: Michael S. Tsirkin Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Frederic Weisbecker Cc: Arnaldo Carvalho de Melo LKML-Reference: <20091122112726.GC13644@redhat.com> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 9fb3f52e290c371e87215218465ec9ae95053b8e Author: Michael S. Tsirkin Date: Thu Oct 29 17:20:02 2009 +0200 perf tools: Support static build commit 751386507701010831d72c522171753d2cd903d2 upstream. This makes it possible to build perf statically, by performing: make LDFLAGS=-static Since static libraries are only searched in the order they are specified, move library list from LDFLAGS to EXTLIBS, so that they are put at the end of linker command line. Signed-off-by: Michael S. Tsirkin Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Frederic Weisbecker Cc: Arnaldo Carvalho de Melo LKML-Reference: <20091029152002.GA5406@redhat.com> [ v2: resolved conflicts ] Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 3d53e5c40f526e3b911a90b390cde4c602623194 Author: Michael Cree Date: Wed Nov 11 20:43:03 2009 +1300 perf tools: Test -fstack-protector-all compiler option for inclusion in CFLAGS commit 5d7bdab75cd56d2bdc0986ae5546be3b09fea70a upstream. Some architectures (e.g. Alpha) do not support the -fstack-protector-all compiler option and the use of the option with -Werror causes the compiler to abort and the build fails. Test that the compiler supports -fstack-protector-all before inclusion in CFLAGS. Signed-off-by: Michael Cree Cc: Richard Henderson Cc: Ivan Kokshaysky Cc: Peter Zijlstra Cc: Paul Mackerras LKML-Reference: <20091111074302.GA3728@omega> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit ac4642d045978eadc2886c97bd2066972ec26dca Author: Steven Rostedt Date: Tue Oct 20 19:19:34 2009 -0400 perf tools: Add 'make DEBUG=1' to remove the -O6 cflag commit 60d526f7fa6246b8e32d5b45610d625a5608d988 upstream. When using gdb to debug perf, it is practically impossible to use when perf is compiled with -O6. For developers, this patch adds the DEBUG feature to the make command line so that a developer can easily remove the optimization flag. LKML-Reference: <1255590330.8392.446.camel@twins> Signed-off-by: Steven Rostedt Cc: Peter Zijlstra Cc: Frederic Weisbecker Cc: Arnaldo Carvalho de Melo LKML-Reference: <20091020232033.984323261@goodmis.org> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 7d5a5a07e9bb0d57c2d7d034da8702000db07550 Author: Randy Dunlap Date: Sun Oct 18 19:20:24 2009 -0700 perf tools: Display better error messages on missing packages commit 1abc7f5500fff8422f34826a006648d8741d83d3 upstream. Check for libelf headers and glibc headers separately so that the error message correctly identifies which package installation is missing/needed. Signed-off-by: Randy Dunlap Cc: paulus@samba.org Cc: a.p.zijlstra@chello.nl Cc: efault@gmx.de Cc: fweisbec@gmail.com Cc: Arnaldo Carvalho de Melo LKML-Reference: <4ADBCCE8.3060300@oracle.com> Signed-off-by: Ingo Molnar [bwh: Backport to 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 7117cec32d5e1da1fbe3c3247354589c8aec61c9 Author: Edgar (gimli) Hucek Date: Thu Nov 4 08:04:33 2010 +0100 Bluetooth: Add MacBookAir3,1(2) support commit 3e3ede7dda2d77d2cbec608e663b6a6ace501bfc upstream. Adding the new MacBookAir3,1(2) to btusb. Output without the patch and btusb loaded : T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=01 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=05ac ProdID=821b Rev= 0.34 S: Manufacturer=Apple Inc. S: Product=Bluetooth USB Host Controller C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=83(I) Atr=01(Isoc) MxPS= 32 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 32 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Output with the patch and btusb loaded : T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=01 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=05ac ProdID=821b Rev= 0.34 S: Manufacturer=Apple Inc. S: Product=Bluetooth USB Host Controller C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 32 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 32 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Signed-off-by: Edgar (gimli) Hucek Acked-by: Marcel Holtmann Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit 93dfa7597abafb72252397b94b48bf9f9f5792af Author: Nobuhiro Iwamatsu Date: Fri Aug 20 16:24:07 2010 +0900 Bluetooth: Add support Bluetooth controller of MacbookPro 7,1 commit 3cd01976e702ccaffb907727caff4f8789353599 upstream. Bluetooth controller of MacbookPro 7,1 does not work. Because Device Class of these controllers was set 255 (Vendor Sepecific Class). T: Bus=04 Lev=02 Prnt=04 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=05ac ProdID=8213 Rev=01.86 S: Manufacturer=Apple Inc. S: Product=Bluetooth USB Host Controller S: SerialNumber=5C5948C81B99 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=00 Driver=(none) Signed-off-by: Nobuhiro Iwamatsu Acked-by: Marcel Holtmann Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit e94c4aec7129f57e0ef2a8172238585ca5d274f3 Author: Nobuhiro Iwamatsu Date: Fri Aug 20 16:24:06 2010 +0900 Bluetooth: Add support Bluetooth controller of MacbookPro 6,2 commit 9c047157a20521cd525527947b13b950d168d2e6 upstream. Bluetooth controller of MacbookPro 6,2 does not work. Because Device Class of these controllers was set 255 (Vendor Sepecific Class). T: Bus=01 Lev=03 Prnt=03 Port=02 Cnt=03 Dev#= 8 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=05ac ProdID=8218 Rev=00.22 S: Manufacturer=Apple Inc. S: Product=Bluetooth USB Host Controller C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Signed-off-by: Nobuhiro Iwamatsu Acked-by: Marcel Holtmann Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit f61fa4b97c535d8f81dfd123d394991405090699 Author: Pavel Roskin Date: Wed Dec 30 11:36:29 2009 +0100 rt2x00: use correct headroom for transmission commit b59a52f12e483b79e7d32da7ec30dcf3b2e0210b upstream. Use rt2x00dev->ops->extra_tx_headroom, not rt2x00dev->hw->extra_tx_headroom in the tx code, as the later may include other headroom not to be used in the chipset driver. Signed-off-by: Pavel Roskin Signed-off-by: Gertjan van Wingerde Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 99e9e4b6bc9ea7e1324064b18530ffe8002dfec5 Author: Gertjan van Wingerde Date: Wed Dec 30 11:36:30 2009 +0100 rt2x00: Properly request tx headroom for alignment operations. commit 7a4a77b7771164d61ce702a588067d1e1d66db7c upstream. Current rt2x00 drivers may result in a "ieee80211_tx_status: headroom too small" error message when a frame needs to be properly aligned before transmitting it. This is because the space needed to ensure proper alignment isn't requested from mac80211. Fix this by adding sufficient amount of alignment space to the amount of headroom requested for TX frames. Reported-by: David Ellingsworth Signed-off-by: Gertjan van Wingerde Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d5b0b3dec7dd9993edad5280555d078690839bfe Author: Gertjan van Wingerde Date: Mon Nov 23 22:44:52 2009 +0100 rt2x00: Centralize setting of extra TX headroom requested by rt2x00. commit e6218cc47bd54710dc523e8c983ceddba625e3ae upstream. Set the value of extra_tx_headroom in a central place, rather than in each of the drivers. This is preparatory for taking alignment space into account in the TX headroom requested by rt2x00. Signed-off-by: Gertjan van Wingerde Acked-by: Ivo van Doorn Signed-off-by: John W. Linville [bwh: Adjust for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 2b5f7f94872ef2ed281783017e1a6ac787b8c107 Author: Gertjan van Wingerde Date: Sun Oct 10 19:25:33 2010 +0100 mac80211: Add define for TX headroom reserved by mac80211 itself. commit d24deb2580823ab0b8425790c6f5d18e2ff749d8 upstream. Add a definition of the amount of TX headroom reserved by mac80211 itself for its own purposes. Also add BUILD_BUG_ON to validate the value. This define can then be used by drivers to request additional TX headroom in the most efficient manner. Signed-off-by: Gertjan van Wingerde Acked-by: Johannes Berg Signed-off-by: John W. Linville [bwh: Adjust context for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 5e93019e4a06ade55e91010371ee22a218190567 Author: Rusty Russell Date: Fri Jul 2 16:34:01 2010 +0000 virtio_net: fix oom handling on tx commit 58eba97d0774c69b1cf3e5a8ac74419409d1abbf upstream. virtio net will never try to overflow the TX ring, so the only reason add_buf may fail is out of memory. Thus, we can not stop the device until some request completes - there's no guarantee anything at all is outstanding. Make the error message clearer as well: error here does not indicate queue full. Signed-off-by: Michael S. Tsirkin Signed-off-by: Rusty Russell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f32cd617fe33ad12fc41ea84d7e994e75eab266e Author: Bruce Rogers Date: Thu Feb 10 11:03:31 2011 -0800 virtio_net: Add schedule check to napi_enable call commit 3e9d08ec0a68f6faf718d5a7e050fe5ca0ba004f upstream. Under harsh testing conditions, including low memory, the guest would stop receiving packets. With this patch applied we no longer see any problems in the driver while performing these tests for extended periods of time. Make sure napi is scheduled subsequent to each napi_enable. Signed-off-by: Bruce Rogers Signed-off-by: Olaf Kirch Signed-off-by: Rusty Russell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman [bwh: Adjust for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 25f60b72eac27899c0c9e8ec252342e3b2f2d5f3 Author: Edgar (gimli) Hucek Date: Wed Nov 3 08:14:10 2010 +0100 ALSA: hda - MacBookAir3,1(3,2) alsa support commit 87232dd49aeb6b7d1af291edca8bd129a82ef4b5 upstream. This patch add support for the MacBookAir3,1 and MacBookAir3,2 to the alsa sound system. Signed-off-by: Edgar (gimli) Hucek Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f085ed734746360b7cd5e984375181e3d49c14a6 Author: Takashi Iwai Date: Mon Oct 11 14:46:35 2010 +0200 ALSA: hda - Add model=mbp55 entry for MacBookPro 7,1 commit f46119b73425df9d1e05c5d5e909a993d95b0218 upstream. Reference: Novell bnc#645066 https://bugzilla.novell.com/show_bug.cgi?id=645066 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ea54ac6c2100b1632a8843f4d4d4bb9189ae19ee Author: Vince Weaver Date: Wed Sep 22 17:31:37 2010 -0400 ALSA: hda - MacBookPro 5,3 line-in support commit 4e7d7c6018567fa03f387d06602d4145c75ebbe0 upstream. I've found the following patch is necessary to enable line-in on my MacBookPro 5,3 machine. With the patch applied I've successfully recorded audio from the line-in jack. This is based on the existing 5,5 support. Signed-off-by: Vince Weaver Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d249b1584c3431b0283100e9d1238dd73b613c62 Author: Rafael Avila de Espindola Date: Tue Dec 22 07:59:37 2009 +0100 ALSA: hda - Add support for the new 27 inch IMacs commit 1a5ba2e9fc7999b8de2a71c7e7b9f58d752c05e4 upstream. With the attached patch I am able to use the sound on a new IMac 27. What works: *) Internal speakers *) Internal microphone *) Headphone I don't have an external mic or a SPDIF device to test the rest. Signed-off-by: Rafael Avila de Espindola Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit acf75a8aa32686e8d37253ca70ae2cd1158560f3 Author: Risto Suominen Date: Sun Apr 4 08:00:00 2010 +0300 ALSA: powermac - Lineout detection on G4 DA commit b6d7335001f331f2d295ff15d67e385615ceff81 upstream. Lineout (Pro Speaker) detection on PowerMac G4 Digital Audio (Tumbler). Signed-off-by: Risto Suominen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0d387be93a90e4943a1023caf65468cb4939afd5 Author: Risto Suominen Date: Sun Apr 4 07:59:30 2010 +0300 ALSA: powermac - Reverse HP detection on G4 DA commit 819ef70b135ba66cd1659c913255686bf931e3d4 upstream. Reverse headphone detection bit on PowerMac G4 Digital Audio (Tumbler). Signed-off-by: Risto Suominen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 873b0cdbacf834191ea935eb42396337d1c08dd0 Author: Ben Hutchings Date: Sun Sep 12 02:41:47 2010 +0100 ALSA: emux: Add trivial compat ioctl handler commit a254dba37c5a372fc8b44ba29509ba052d4e859d upstream. Reported-by: Carmen Cru Signed-off-by: Ben Hutchings Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7f81077f41950f73163672fdaed7fa6951fc69b3 Author: Edgar Hucek Date: Tue Nov 9 15:15:01 2010 +0000 hwmon: (applesmc) Add MacBookAir3,1(3,2) support commit 132af03233b493101a53010383b5abb5b9ff1e51 upstream. This patch add support for the MacBookAir3,1 and MacBookAir3,2 to the applesmc driver. [rydberg@euromail.se: minor cleanup] Signed-off-by: Edgar Hucek Signed-off-by: Henrik Rydberg Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 1f65d132cfa1f10cce662c72617736d49a20ec11 Author: Henrik Rydberg Date: Thu May 27 19:58:53 2010 +0200 hwmon: (applesmc) Add generic support for MacBook Pro 7 commit 405eaa1c1d045cdd872802fc515f638573984880 upstream. This patch adds generic support for the MacBook Pro 7 family based on the 7,1 model. Signed-off-by: Henrik Rydberg Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 88067e02248740bb708365630a847d98ae9b9f0e Author: Bernhard Froemel Date: Thu May 27 19:58:52 2010 +0200 hwmon: (applesmc) Add generic support for MacBook Pro 6 commit 872bad55e2d3fcc13e1e8770a3b200f0c6ca5126 upstream. This patch adds generic support for the MacBook Pro 6 family based on the 6,2 model. [rydberg@euromail.se: patch cleanup] Signed-off-by: Bernhard Froemel Signed-off-by: Henrik Rydberg Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit fbfcf6bd6d95984cea754fa0d7ce2e9a3ca28f05 Author: Henrik Rydberg Date: Thu May 27 19:58:50 2010 +0200 hwmon: (applesmc) Add support for MacBook Pro 5,3 and 5,4 commit 4e4a99d32721800c061191027f18f780dcbd9e0b upstream. The MacBookPro 5,3 model has two fans, whereas the 5,4 model has only one. This patch adds explicit support for the 5,3 and 5,4 models. Signed-off-by: Henrik Rydberg Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 3d3f78779ca3bfb51241ab1ea9de640fd99aa4d1 Author: Justin P. Mattock Date: Wed Apr 14 16:14:10 2010 +0200 hwmon: (applesmc) Add iMac9,1 and MacBookPro2,2 support commit e1741712e85cec8004c7eeeea81186618f78eff1 upstream. Add the iMac9,1 and the MacBookPro2,2 temperature sensors to hwmon driver applesmc to fix kernel bug #14429: https://bugzilla.kernel.org/show_bug.cgi?id=14429 Signed-off-by: Justin P. Mattock Acked-by: Nicolas Boichat Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 0d9d7590e6d3a09be051ca1ff9a4cb706347e4d2 Author: Ron Murray Date: Tue Jan 19 08:02:48 2010 +0000 Please add support for Microsoft MN-120 PCMCIA network card commit 60abe78279568a7109db2bcbc71131766a91c2e5 upstream. Please add support for Microsoft MN-120 PCMCIA network card. It's an old card, I know, but adding support is very easy. You just need to get tulip_core.c to recognise its vendor/device ID. Patch for kernel 2.6.32.4 (and many previous) attached. .....Ron Murray Signed-off-by: Ron Murray Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 06200342c9c021c4ff13e7d8d1a4a568c324d6a9 Author: Linus Torvalds Date: Wed Mar 16 08:04:07 2011 -0700 Increase OSF partition limit from 8 to 18 commit 34d211a2d5df4984a35b18d8ccacbe1d10abb067 upstream. It turns out that while a maximum of 8 partitions may be what people "should" have had, you can actually fit up to 18 entries(*) in a sector. And some people clearly were taking advantage of that, like Michael Cree, who had ten partitions on one of his OSF disks. (*) The OSF partition data starts at byte offset 64 in the first sector, and the array of 16-byte partition entries start at offset 148 in the on-disk partition structure. Reported-by: Michael Cree Cc: stable@kernel.org (v2.6.38) Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 473ef924e5994fa4c0943897300c53e116eb9e42 Author: Timo Warns Date: Mon Mar 14 14:59:33 2011 +0100 Fix corrupted OSF partition table parsing commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05 upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating OSF partitions contains a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions. In more detail: for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) { iterates from 0 to d_npartitions - 1, where d_npartitions is read from the partition table without validation and partition is a pointer to an array of at most 8 d_partitions. Add the proper and obvious validation. Signed-off-by: Timo Warns Cc: stable@kernel.org [ Changed the patch trivially to not repeat the whole le16_to_cpu() thing, and to use an explicit constant for the magic value '8' ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9aa01fe50360df5e502e1098c9446cbdf51c9672 Author: Jovi Zhang Date: Wed Mar 2 23:19:37 2011 +0000 nfs: fix compilation warning commit 43b7c3f051dea504afccc39bcb56d8e26c2e0b77 upstream. this commit fix compilation warning as following: linux-2.6/fs/nfs/nfs4proc.c:3265: warning: comparison of distinct pointer types lacks a cast Signed-off-by: Jovi Zhang Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit e91d9d0e8727bb039e32704a5460abe27ecb2df3 Author: Neil Horman Date: Fri Mar 4 19:26:03 2011 -0500 nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3) commit e9e3d724e2145f5039b423c290ce2b2c3d8f94bc upstream. The "bad_page()" page allocator sanity check was reported recently (call chain as follows): bad_page+0x69/0x91 free_hot_cold_page+0x81/0x144 skb_release_data+0x5f/0x98 __kfree_skb+0x11/0x1a tcp_ack+0x6a3/0x1868 tcp_rcv_established+0x7a6/0x8b9 tcp_v4_do_rcv+0x2a/0x2fa tcp_v4_rcv+0x9a2/0x9f6 do_timer+0x2df/0x52c ip_local_deliver+0x19d/0x263 ip_rcv+0x539/0x57c netif_receive_skb+0x470/0x49f :virtio_net:virtnet_poll+0x46b/0x5c5 net_rx_action+0xac/0x1b3 __do_softirq+0x89/0x133 call_softirq+0x1c/0x28 do_softirq+0x2c/0x7d do_IRQ+0xec/0xf5 default_idle+0x0/0x50 ret_from_intr+0x0/0xa default_idle+0x29/0x50 cpu_idle+0x95/0xb8 start_kernel+0x220/0x225 _sinittext+0x22f/0x236 It occurs because an skb with a fraglist was freed from the tcp retransmit queue when it was acked, but a page on that fraglist had PG_Slab set (indicating it was allocated from the Slab allocator (which means the free path above can't safely free it via put_page. We tracked this back to an nfsv4 setacl operation, in which the nfs code attempted to fill convert the passed in buffer to an array of pages in __nfs4_proc_set_acl, which gets used by the skb->frags list in xs_sendpages. __nfs4_proc_set_acl just converts each page in the buffer to a page struct via virt_to_page, but the vfs allocates the buffer via kmalloc, meaning the PG_slab bit is set. We can't create a buffer with kmalloc and free it later in the tcp ack path with put_page, so we need to either: 1) ensure that when we create the list of pages, no page struct has PG_Slab set or 2) not use a page list to send this data Given that these buffers can be multiple pages and arbitrarily sized, I think (1) is the right way to go. I've written the below patch to allocate a page from the buddy allocator directly and copy the data over to it. This ensures that we have a put_page free-able page for every entry that winds up on an skb frag list, so it can be safely freed when the frame is acked. We do a put page on each entry after the rpc_call_sync call so as to drop our own reference count to the page, leaving only the ref count taken by tcp_sendpages. This way the data will be properly freed when the ack comes in Successfully tested by myself to solve the above oops. Note, as this is the result of a setacl operation that exceeded a page of data, I think this amounts to a local DOS triggerable by an uprivlidged user, so I'm CCing security on this as well. Signed-off-by: Neil Horman CC: Trond Myklebust CC: security@kernel.org CC: Jeff Layton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0ec1c448546ccd6413dd864bf007a13a3af4c7c4 Author: Andy Chittenden Date: Tue Aug 10 10:19:53 2010 -0400 SUNRPC: fix NFS client over TCP hangs due to packet loss (Bug 16494) commit 669502ff31d7dba1849aec7ee2450a3c61f57d39 upstream. When reusing a TCP connection, ensure that it's aborted if a previous shutdown attempt has been made on that connection so that the RPC over TCP recovery mechanism succeeds. Signed-off-by: Andy Chittenden Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 0682ff5eb416867ba128d8e00b05607448d936a6 Author: Abhijith Das Date: Sun Jul 4 01:33:24 2010 -0400 GFS2: BUG in gfs2_adjust_quota commit 8b4216018bdbfbb1b76150d202b15ee68c38e991 upstream. HighMem pages on i686 do not get mapped to the buffer_heads and this was causing a NULL pointer dereference when we were trying to memset page buffers to zero. We now use zero_user() that kmaps the page and directly manipulates page data. This patch also fixes a boundary condition that was incorrect. Signed-off-by: Abhi Das Signed-off-by: Steven Whitehouse [Adjusted to apply to 2.6.32 by dann frazier ] Signed-off-by: Greg Kroah-Hartman commit a03167aeee8e456241345b8d6d18b4a64f511a60 Author: Abhijith Das Date: Fri May 7 17:50:18 2010 -0400 GFS2: Fix writing to non-page aligned gfs2_quota structures commit 7e619bc3e6252dc746f64ac3b486e784822e9533 upstream. This is the upstream fix for this bug. This patch differs from the RHEL5 fix (Red Hat bz #555754) which simply writes to the 8-byte value field of the quota. In upstream quota code, we're required to write the entire quota (88 bytes) which can be split across a page boundary. We check for such quotas, and read/write the two parts from/to the corresponding pages holding these parts. With this patch, I don't see the bug anymore using the reproducer in Red Hat bz 555754. I successfully ran a couple of simple tests/mounts/ umounts and it doesn't seem like this patch breaks anything else. Signed-off-by: Abhi Das Signed-off-by: Steven Whitehouse [Backported to 2.6.32 by dann frazier ] Signed-off-by: Greg Kroah-Hartman commit 120011ea116c37f481a212f5c3d00e827777f1ee Author: Steven Whitehouse Date: Tue Sep 15 20:42:56 2009 +0100 GFS2: Clean up gfs2_adjust_quota() and do_glock() commit 1e72c0f7c40e665d2ed40014750fdd2fa9968bcf upstream. Both of these functions contained confusing and in one case duplicate code. This patch adds a new check in do_glock() so that we report -ENOENT if we are asked to sync a quota entry which doesn't exist. Due to the previous patch this is now reported correctly to userspace. Also there are a few new comments, and I hope that the code is easier to understand now. Signed-off-by: Steven Whitehouse Signed-off-by: Greg Kroah-Hartman commit a89861f3694d7e5bcd3d1d2ab2abe040ca044e0a Author: Alan Stern Date: Mon Sep 13 14:43:25 2010 -0400 USB: teach "devices" file about Wireless and SuperSpeed USB commit 834e2312e7a384877a876b0d34dffc3046c96bcb upstream. USB: teach "devices" file about Wireless and SuperSpeed USB The /sys/kernel/debug/usb/devices file doesn't know about Wireless or SuperSpeed USB. This patch (as1416b) teaches it, and updates the Documentation/usb/proc_sub_info.txt file accordingly. Signed-off-by: Alan Stern CC: David Vrabel CC: Sarah Sharp Signed-off-by: Greg Kroah-Hartman [Julien Blache: The original commit also added the correct speed for USB_SPEED_WIRELESS, I removed it as it's not supported in 2.6.32.] Signed-off-by: Greg Kroah-Hartman commit 5e35287b2bfc877558acc9ad67aca7ace01021e8 Author: Alan Stern Date: Fri Apr 2 13:21:33 2010 -0400 USB: don't enable remote wakeup by default commit 7aba8d014341341590ecb64050b7a026642a62eb upstream. This patch (as1364) avoids enabling remote wakeup by default on all non-root-hub USB devices. Individual drivers or userspace will have to enable it wherever it is needed, such as for keyboards or network interfaces. Note: This affects only system sleep, not autosuspend. External hubs will continue to relay wakeup requests received from downstream through their upstream port, even when remote wakeup is not enabled for the hub itself. Disabling remote wakeup on a hub merely prevents it from generating wakeup requests in response to connect, disconnect, and overcurrent events. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit a30ded70e8160aa6dc8d0c1d4c9dacc47a38fee3 Author: Dan Streetman Date: Wed Jan 6 09:56:53 2010 -0500 USB: retain USB device power/wakeup setting across reconfiguration commit 16985408b5c48585762ec3b9b7bae1dec4ad7437 upstream. Currently a non-root-hub USB device's wakeup settings are initialized when the device is set to a configured state using device_init_wakeup(), but this is not correct as wakeup is split into "capable" (can_wakeup) and "enabled" (should_wakeup). The settings should be initialized instead in the device initialization (usb_new_device) with the "capable" setting disabled and the "enabled" setting enabled. The "capable" setting should be set based on the device being configured or unconfigured, and "enabled" setting set based on the sysfs power/wakeup control. This patch retains the sysfs power/wakeup setting of a non-root-hub USB device over a USB device re-configuration, which can happen (for example) after a suspend/resume cycle. Signed-off-by: Dan Streetman Cc: David Brownell Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman [bwh: Adjust context for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 89822670f6cf3d499577b7a25dea8c6c8f202a8d Author: Florian Schilhabel Date: Tue Jun 8 03:47:13 2010 +0200 Staging: rtl8192su: add device ids commit 15d93ed070125d51693f102a0f94045dcaf30d9b upstream. This patch adds some device ids. The list of supported devices was extracted from realteks driver package. (0x050d, 0x815F) and (0x0df6, 0x004b) are not in the official list of supported devices and may not work correctly. In case of problems with these, they should probably be removed from the list. Signed-off-by: Florian Schilhabel Signed-off-by: Greg Kroah-Hartman [bwh: Adjust context for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 1bc5b017429778b1dd9c9831f8cacf7c02b636ca Author: Florian Schilhabel Date: Tue Jun 8 03:46:26 2010 +0200 Staging: rtl8192su: remove device ids commit 60b42de30ad6fb131dc8e9dbd11a8a9ea0ab394c upstream. This patch removes some device-ids. The list of unsupported devices was extracted from realteks driver package. removed IDs are: (0x0bda, 0x8192) (0x0bda, 0x8709) (0x07aa, 0x0043) (0x050d, 0x805E) (0x0df6, 0x0031) (0x1740, 0x9201) (0x2001, 0x3301) (0x5a57, 0x0290) These devices are _not_ rtl819su based. Signed-off-by: Florian Schilhabel Signed-off-by: Greg Kroah-Hartman commit b064372e90da6587a92d855606fc86d1fa58a061 Author: Ben Hutchings Date: Tue May 25 04:25:57 2010 +0100 Staging: rtl8192su: Fix procfs code for interfaces not named wlan0 commit 41a38d9e632f7c9ec5ad8fc627567d97f4302c4a upstream. The current code creates directories in procfs named after interfaces, but doesn't handle renaming. This can result in name collisions and consequent WARNINGs. It also means that the interface name cannot reliably be used to remove the directory - in fact the current code doesn't even try, and always uses "wlan0"! Since the name of a proc_dir_entry is embedded in it, use that when removing it. Add a netdev notifier to catch interface renaming, and remove and re-add the directory at this point. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit b2186d364f40175dc0d13400928e0e5e17a59dbd Author: Ben Hutchings Date: Tue May 25 04:20:30 2010 +0100 Staging: rtl8192su: Clean up in case of an error in module initialisation commit 9a3dfa0555130952517b9a9c3918729495aa709a upstream. Currently various resources may be leaked in case of an error. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 0eec0208a159d19028b8028a192290b82e902b7e Author: Florian Schilhabel Date: Tue May 4 14:23:43 2010 +0200 Staging: rtl8192su: check for skb == NULL commit 199ef62a287b429a8fa3b7dc5ae6b69f607bf324 upstream. added 2 checks for skb == NULL. plus cosmetics Signed-off-by: Florian Schilhabel Signed-off-by: Greg Kroah-Hartman [bwh: Remove cosmetic changes] Signed-off-by: Greg Kroah-Hartman commit 276c429b5d327039be1215df8632ca959d1c8e6a Author: Éric Piel Date: Thu Aug 5 23:51:49 2010 -0700 Input: elantech - discard the first 2 positions on some firmwares commit 7f29f17b57255b6395046805a98bc663ded63fb8 upstream. According to the Dell/Ubuntu driver, what was previously observed as "jumpy cursor" corresponds to the hardware sending incorrect data for the first two reports of a one touch finger. So let's use the same workaround as in the other driver. Also, detect another firmware version with the same behaviour, as in the other driver. Signed-off-by: Éric Piel Signed-off-by: Dmitry Torokhov [bwh: Adjust for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 1747aac65b0851691c43f3aa70b0e9388b96b107 Author: Dmitry Torokhov Date: Wed May 19 10:11:13 2010 -0700 Input: elantech - relax signature checks commit a083632eaf6231162b33e40561cfec6a9c156945 upstream. Apparently there are Elantech touchpads that report non-zero in the 2nd byte of their signature. Adjust the detection routine so that if 2nd byte is zero and 3rd byte contains value that is not a valid report rate, we still assume that signature is valid. Tested-by: Eric Piel Signed-off-by: Dmitry Torokhov [bwh: Adjust context for 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 8bac623e5bbf1136e16b8349e0f470ccd0ea3046 Author: Dmitry Torokhov Date: Thu May 13 00:41:15 2010 -0700 Input: elantech - use all 3 bytes when checking version commit 504e8beed161bd11a2c6cbb8aaf352c14d39b5bb upstream. Apparently all 3 bytes returned by ETP_FW_VERSION_QUERY are significant and should be taken into account when matching hardware version/features. Tested-by: Eric Piel Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 6883f580885d52941e03187f2099ac24d2564140 Author: Florian Ragwitz Date: Mon May 3 23:29:37 2010 -0700 Input: elantech - ignore high bits in the position coordinates commit e938fbfd4a7ac829d48b767c4dc365535d5c4f97 upstream. In older versions of the elantech hardware/firmware those bits always were unset, so it didn't actually matter, but newer versions seem to use those high bits for something else, screwing up the coordinates we report to the input layer for those devices. Signed-off-by: Florian Ragwitz Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit c96981dd2142894169d3fc5921fe7fb51d6a95a0 Author: Florian Ragwitz Date: Tue Apr 27 00:47:04 2010 -0700 Input: elantech - allow forcing Elantech protocol commit f81bc788ff91d4efd4baf88b2c29713838caa8e5 upstream. Apparently hardware vendors now ship elantech touchpads with different version magic. This options allows for them to be tested easier with the current driver in order to add their magic to the whitelist later. Signed-off-by: Florian Ragwitz Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 971c6dfbbf8a8e37f183d70fbbd8ff50ee766ff9 Author: Florian Ragwitz Date: Tue Apr 27 00:45:10 2010 -0700 Input: elantech - fix firmware version check commit 225c61aad38b12924b3df5f4ef43150c0d6bae8c upstream. The check determining whether device should use 4- or 6-byte packets was trying to compare firmware with 2.48, but was failing on majors greater than 2. The new check ensures that versions like 4.1 are checked properly. Signed-off-by: Florian Ragwitz Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 40ebeb0d12013a69d69e44c9706a25de83374f43 Author: Dmitry Torokhov Date: Mon Nov 16 22:12:21 2009 -0800 Input: elantech - do not advertise relative events commit c7a1f3ccfc2f99427f2e1545b3171e98539c3c95 upstream. Elantech touchpads work in absolute mode and do not generate relative events so they should not be advertising them. Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 450aae08249e89e49eea41d080eb730b9dfb8688 Author: Takashi Iwai Date: Mon Apr 19 10:37:21 2010 -0700 Input: Add support of Synaptics Clickpad device commit 5f57d67da87332a9a1ba8fa7a33bf0680e1c76e7 upstream. The new type of touchpads can be detected via a new query command 0x0c. The clickpad flags are in cap[0]:4 and cap[1]:0 bits. When the device is detected, the driver now reports only the left button as the supported buttons so that X11 driver can detect that the device is Clickpad. A Clickpad device gives the button events only as the middle button. The kernel driver morphs to the left button. The real handling of Clickpad is done rather in X driver side. Signed-off-by: Takashi Iwai Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 92da734e50b7ff290f0c2333281a9c17e4aafd1f Author: Ben Hutchings Date: Sat Nov 7 11:55:20 2009 +0000 tms380tr: declare MODULE_FIRMWARE commit b3ccbb24e8914973be0d2ee7b66e44cecaed9bf5 upstream. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 89d3e39b27ab501ecdfc978268e4d2be4a7ae037 Author: Ben Hutchings Date: Sat Nov 7 11:55:07 2009 +0000 spider-net: declare MODULE_FIRMWARE commit 866691a21e8c9dfc58c5ab1ed77d5c41e779755b upstream. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b6b42e93593ebd0db1eb8c381de2541944c57b1b Author: Ben Hutchings Date: Sat Nov 7 12:04:09 2009 +0000 pcnet-cs: declare MODULE_FIRMWARE commit 8489992e723b5def1a807e615854f51b75d10600 upstream. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 65bddaea7bf2017976f8fef9d4ecf37bcf65de16 Author: Ben Hutchings Date: Sat Nov 7 11:37:36 2009 +0000 netx: declare MODULE_FIRMWARE commit 36c04a61f516742dad6f9bad8c6c1a7137a260f5 upstream. Signed-off-by: Ben Hutchings Acked-by: Sascha Hauer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 75d0a9b3bea9380c83f7f2f19a725a274bd3f27f Author: Ben Hutchings Date: Sat Nov 7 11:54:44 2009 +0000 myri10ge: declare MODULE_FIRMWARE commit b9721d5a2fa00ad979c19a9511d43d2664d5381c upstream. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7395c67a97ded5039b552e8b4eea3e7032273ec9 Author: Ben Hutchings Date: Sat Nov 7 11:53:52 2009 +0000 cxgb3: declare MODULE_FIRMWARE commit 34336ec032878d1a32e7df881f16ce2145e53f83 upstream. Replace run-time string formatting with preprocessor string manipulation. Signed-off-by: Ben Hutchings Acked-by: Divy Le Ray Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c90f931ff31d6af64d70391fb50e19b4d3081999 Author: Ben Hutchings Date: Sat Nov 7 11:53:39 2009 +0000 bnx2x: declare MODULE_FIRMWARE commit 45229b420f90bb6736dfeb7e491eb46cb02a3e9c upstream. Replace run-time string formatting with preprocessor string manipulation. Signed-off-by: Ben Hutchings Acked-by: Eilon Greenstein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c23a103f0d9c2560c6839ed366feebec4cd5e556 Author: Dhananjay Phadke Date: Sat Oct 24 16:04:02 2009 +0000 netxen: module firmware hints commit 7e8e5d9718744b817bfea6f020586d7035cc89f4 upstream. Add MODULE_FIRMWARE hints for various firmware file types, required by different chip revisions. Signed-off-by: Dhananjay Phadke Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cd60404dee06cb50fb2899a9c09a7d2e03db64d6 Author: Timo Warns Date: Thu Apr 14 15:21:56 2011 -0700 fs/partitions/ldm.c: fix oops caused by corrupted partition table commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains a bug that causes a kernel oops on certain corrupted LDM partitions. A kernel subsystem seems to crash, because, after the oops, the kernel no longer recognizes newly connected storage devices. The patch validates the value of vblk_size. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Timo Warns Cc: Eugene Teo Cc: Harvey Harrison Cc: Richard Russon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d459e08d10e2a6c5e3556bdd8fc7fb3b0d20644e Author: Dave Jones Date: Tue Apr 19 20:36:59 2011 -0700 can: Add missing socket check in can/bcm release. commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream. We can get here with a NULL socket argument passed from userspace, so we need to handle it accordingly. Signed-off-by: Dave Jones Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1c89151b1c02cfd10d09350e5d49aef9708836cd Author: Sachin Prabhu Date: Wed Apr 20 13:09:35 2011 +0100 Open with O_CREAT flag set fails to open existing files on non writable directories commit 1574dff8996ab1ed92c09012f8038b5566fce313 upstream. An open on a NFS4 share using the O_CREAT flag on an existing file for which we have permissions to open but contained in a directory with no write permissions will fail with EACCES. A tcpdump shows that the client had set the open mode to UNCHECKED which indicates that the file should be created if it doesn't exist and encountering an existing flag is not an error. Since in this case the file exists and can be opened by the user, the NFS server is wrong in attempting to check create permissions on the parent directory. The patch adds a conditional statement to check for create permissions only if the file doesn't exist. Signed-off-by: Sachin S. Prabhu Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 726f22c83def797c70b19f4fbc1c73c49f7b181a Author: Jim Bos Date: Mon Nov 15 21:22:37 2010 +0100 Fix gcc 4.5.1 miscompiling drivers/char/i8k.c (again) commit 22d3243de86bc92d874abb7c5b185d5c47aba323 upstream. The fix in commit 6b4e81db2552 ("i8k: Tell gcc that *regs gets clobbered") to work around the gcc miscompiling i8k.c to add "+m (*regs)" caused register pressure problems and a build failure. Changing the 'asm' statement to 'asm volatile' instead should prevent that and works around the gcc bug as well, so we can remove the "+m". [ Background on the gcc bug: a memory clobber fails to mark the function the asm resides in as non-pure (aka "__attribute__((const))"), so if the function does nothing else that triggers the non-pure logic, gcc will think that that function has no side effects at all. As a result, callers will be mis-compiled. Adding the "+m" made gcc see that it's not a pure function, and so does "asm volatile". The problem was never really the need to mark "*regs" as changed, since the memory clobber did that part - the problem was just a bug in the gcc "pure" function analysis - Linus ] Signed-off-by: Jim Bos Acked-by: Jakub Jelinek Cc: Andi Kleen Cc: Andreas Schwab Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 88e424fdd10c61b06e1c72defdcbe4c2f54776e8 Author: Jim Bos Date: Sat Nov 13 12:13:53 2010 +0100 i8k: Tell gcc that *regs gets clobbered commit 6b4e81db2552bad04100e7d5ddeed7e848f53b48 upstream. More recent GCC caused the i8k driver to stop working, on Slackware compiler was upgraded from gcc-4.4.4 to gcc-4.5.1 after which it didn't work anymore, meaning the driver didn't load or gave total nonsensical output. As it turned out the asm(..) statement forgot to mention it modifies the *regs variable. Credits to Andi Kleen and Andreas Schwab for providing the fix. Signed-off-by: Jim Bos Cc: Andi Kleen Cc: Andreas Schwab Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f40fe91c33e4990ad4308fc964c79e1c70a75194 Author: Dan Rosenberg Date: Fri Apr 29 15:48:07 2011 +0100 ARM: 6891/1: prevent heap corruption in OABI semtimedop commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream. When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not bound the nsops argument. A sufficiently large value will cause an integer overflow in allocation size, followed by copying too much data into the allocated buffer. Fix this by restricting nsops to SEMOPM. Untested. Signed-off-by: Dan Rosenberg Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 1edf9b933cf1d30983f9a637962b46cd988a8280 Author: Eric W. Biederman Date: Sun Apr 24 01:54:57 2011 +0000 af_unix: Only allow recv on connected seqpacket sockets. commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream. This fixes the following oops discovered by Dan Aloni: > Anyway, the following is the output of the Oops that I got on the > Ubuntu kernel on which I first detected the problem > (2.6.37-12-generic). The Oops that followed will be more useful, I > guess. >[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference > at           (null) > [ 5594.681606] IP: [] unix_dgram_recvmsg+0x1fb/0x420 > [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0 > [ 5594.693720] Oops: 0002 [#1] SMP > [ 5594.699888] last sysfs file: The bug was that unix domain sockets use a pseduo packet for connecting and accept uses that psudo packet to get the socket. In the buggy seqpacket case we were allowing unconnected sockets to call recvmsg and try to receive the pseudo packet. That is always wrong and as of commit 7361c36c5 the pseudo packet had become enough different from a normal packet that the kernel started oopsing. Do for seqpacket_recv what was done for seqpacket_send in 2.5 and only allow it on connected seqpacket sockets. Tested-by: Dan Aloni Signed-off-by: Eric W. Biederman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8153163101bd8bdb9c1191662ec7dbe0f79a8378 Author: Boris Ostrovsky Date: Fri Apr 29 17:47:43 2011 -0400 x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors commit e20a2d205c05cef6b5783df339a7d54adeb50962 upstream. Older AMD K8 processors (Revisions A-E) are affected by erratum 400 (APIC timer interrupts don't occur in C states greater than C1). This, for example, means that X86_FEATURE_ARAT flag should not be set for these parts. This addresses regression introduced by commit b87cf80af3ba4b4c008b4face3c68d604e1715c6 ("x86, AMD: Set ARAT feature on AMD processors") where the system may become unresponsive until external interrupt (such as keyboard input) occurs. This results, for example, in time not being reported correctly, lack of progress on the system and other lockups. Reported-by: Joerg-Volker Peetz Tested-by: Joerg-Volker Peetz Acked-by: Borislav Petkov Signed-off-by: Boris Ostrovsky Link: http://lkml.kernel.org/r/1304113663-6586-1-git-send-email-ostr@amd64.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit eeea5b0bd429dcf61dd36d84c7e13c5b6dd679d9 Author: Alan Stern Date: Mon May 2 14:21:44 2011 -0400 USB: fix regression in usbip by setting has_tt flag commit cee6a262550f53a13acfefbc1e3e5ff35c96182c upstream. This patch (as1460) fixes a regression in the usbip driver caused by the new check for Transaction Translators in USB-2 hubs. The root hub registered by vhci_hcd needs to have the has_tt flag set, because it can connect to low- and full-speed devices as well as high-speed devices. Signed-off-by: Alan Stern Reported-and-tested-by: Nikola Ciprich Signed-off-by: Greg Kroah-Hartman commit 9b3315aee9440daaac8222e37e61c772c599ed90 Author: Chris Ball Date: Wed Apr 27 17:35:31 2011 -0400 mmc: sdhci: Check mrq != NULL in sdhci_tasklet_finish commit 0c9c99a765321104cc5f9c97f949382a9ba4927e upstream. It seems that under certain circumstances the sdhci_tasklet_finish() call can be entered with mrq set to NULL, causing the system to crash with a NULL pointer de-reference. Seen on S3C6410 system. Based on a patch by Dimitris Papastamos. Reported-by: Dimitris Papastamos Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 3de4df1efd0d953c016e3a3bca0719c04ceb4a51 Author: Ben Dooks Date: Wed Apr 27 14:24:19 2011 +0100 mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish commit b7b4d3426d2b5ecab21578eb20d8e456a1aace8f upstream. It seems that under certain circumstances that the sdhci_tasklet_finish() call can be entered with mrq->cmd set to NULL, causing the system to crash with a NULL pointer de-reference. Unable to handle kernel NULL pointer dereference at virtual address 00000000 PC is at sdhci_tasklet_finish+0x34/0xe8 LR is at sdhci_tasklet_finish+0x24/0xe8 Seen on S3C6410 system. Signed-off-by: Ben Dooks Signed-off-by: Mark Brown Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit d98a8df82645f3c5ee883118591ad385991740bd Author: Chris Ball Date: Tue Mar 29 00:46:12 2011 -0400 mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot() commit 9fdcdbb0d84922e7ccda2f717a04ea62629f7e18 upstream. If pci_ioremap_bar() fails during probe, we "goto release;" and free the host, but then we return 0 -- which tells sdhci_pci_probe() that the probe succeeded. Since we think the probe succeeded, when we unload sdhci we'll go to sdhci_pci_remove_slot() and it will try to dereference slot->host, which is now NULL because we freed it in the error path earlier. The patch simply sets ret appropriately, so that sdhci_pci_probe() will detect the failure immediately and bail out. Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 0ccd644ce6a803b4f7ae5b3b4da614b8a51037cc Author: James Bottomley Date: Fri Apr 22 10:39:59 2011 -0500 put stricter guards on queue dead checks commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b upstream. SCSI uses request_queue->queuedata == NULL as a signal that the queue is dying. We set this state in the sdev release function. However, this allows a small window where we release the last reference but haven't quite got to this stage yet and so something will try to take a reference in scsi_request_fn and oops. It's very rare, but we had a report here, so we're pushing this as a bug fix The actual fix is to set request_queue->queuedata to NULL in scsi_remove_device() before we drop the reference. This causes correct automatic rejects from scsi_request_fn as people who hold additional references try to submit work and prevents anything from getting a new reference to the sdev that way. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e79b858ad011c644691905d3bccd529c930c7d5b Author: Dan Rosenberg Date: Tue Apr 5 12:45:59 2011 -0400 mpt2sas: prevent heap overflows and unchecked reads commit a1f74ae82d133ebb2aabb19d181944b4e83e9960 upstream. At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory. Signed-off-by: Dan Rosenberg Acked-by: Eric Moore Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 32334ea87f198691f373615d8acd626d5da35132 Author: Dan Rosenberg Date: Tue Apr 5 13:27:31 2011 -0400 pmcraid: reject negative request size commit 5f6279da3760ce48f478f2856aacebe0c59a39f3 upstream. There's a code path in pmcraid that can be reached via device ioctl that causes all sorts of ugliness, including heap corruption or triggering the OOM killer due to consecutive allocation of large numbers of pages. Not especially relevant from a security perspective, since users must have CAP_SYS_ADMIN to open the character device. First, the user can call pmcraid_chr_ioctl() with a type PMCRAID_PASSTHROUGH_IOCTL. A pmcraid_passthrough_ioctl_buffer is copied in, and the request_size variable is set to buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit signed value provided by the user. If a negative value is provided here, bad things can happen. For example, pmcraid_build_passthrough_ioadls() is called with this request_size, which immediately calls pmcraid_alloc_sglist() with a negative size. The resulting math on allocating a scatter list can result in an overflow in the kzalloc() call (if num_elem is 0, the sglist will be smaller than expected), or if num_elem is unexpectedly large the subsequent loop will call alloc_pages() repeatedly, a high number of pages will be allocated and the OOM killer might be invoked. Prevent this value from being negative in pmcraid_ioctl_passthrough(). Signed-off-by: Dan Rosenberg Cc: Anil Ravindranath Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 5a6e9f036828d83e30e30b5a83b637247f45e2bb Author: Igor Mammedov Date: Mon Apr 18 10:17:17 2011 -0700 Input: xen-kbdfront - fix mouse getting stuck after save/restore commit c36b58e8a9112017c2bcc322cc98e71241814303 upstream. Mouse gets "stuck" after restore of PV guest but buttons are in working condition. If driver has been configured for ABS coordinates at start it will get XENKBD_TYPE_POS events and then suddenly after restore it'll start getting XENKBD_TYPE_MOTION events, that will be dropped later and they won't get into user-space. Regression was introduced by hunk 5 and 6 of 5ea5254aa0ad269cfbd2875c973ef25ab5b5e9db ("Input: xen-kbdfront - advertise either absolute or relative coordinates"). Driver on restore should ask xen for request-abs-pointer again if it is available. So restore parts that did it before 5ea5254. Acked-by: Olaf Hering Signed-off-by: Igor Mammedov [v1: Expanded the commit description] Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Dmitry Torokhov commit 5dd27a4cb323fbfc6773107cf3325651d26e255f Author: Vasiliy Kulikov Date: Thu Apr 14 20:55:19 2011 +0400 agp: fix OOM and buffer overflow commit b522f02184b413955f3bc952e3776ce41edc6355 upstream. page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from num_agp_pages variable without overflow. This may lead to allocation of too small buffer with following buffer overflow. Another problem in agp code is not addressed in the patch - kernel memory exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to 16KB, though, there is no per-process limit. This might lead to OOM situation, which is not even solved in case of the caller death by OOM killer - the memory is allocated for another (faked) process. Signed-off-by: Vasiliy Kulikov Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 148dc7bad631f77c6bc1d1ce9e7608e3d098f312 Author: Vasiliy Kulikov Date: Thu Apr 14 20:55:16 2011 +0400 agp: fix arbitrary kernel memory writes commit 194b3da873fd334ef183806db751473512af29ce upstream. pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. Signed-off-by: Vasiliy Kulikov Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit e411ea9e3b04f4eb2d3ff833e4e0055fd6e12331 Author: Trond Myklebust Date: Fri Apr 15 17:34:18 2011 -0400 NFSv4.1: Ensure state manager thread dies on last umount commit 47c2199b6eb5fbe38ddb844db7cdbd914d304f9c upstream. Currently, the state manager may continue to try recovering state forever even after the last filesystem to reference that nfs_client has umounted. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 9aa8b9cc2733f5a2e97862fc21b275e731a884ce Author: Jeff Layton Date: Wed Apr 27 11:49:09 2011 -0400 nfs: don't lose MS_SYNCHRONOUS on remount of noac mount commit 26c4c170731f00008f4317a2888a0a07ac99d90d upstream. On a remount, the VFS layer will clear the MS_SYNCHRONOUS bit on the assumption that the flags on the mount syscall will have it set if the remounted fs is supposed to keep it. In the case of "noac" though, MS_SYNCHRONOUS is implied. A remount of such a mount will lose the MS_SYNCHRONOUS flag since "sync" isn't part of the mount options. Reported-by: Max Matveev Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 0d1877dfdcb4ea16ac39cbae5026ac31656a2f7f Author: Michael Schmitz Date: Tue Apr 26 14:51:53 2011 +1200 m68k/mm: Set all online nodes in N_NORMAL_MEMORY commit 4aac0b4815ba592052758f4b468f253d383dc9d6 upstream. For m68k, N_NORMAL_MEMORY represents all nodes that have present memory since it does not support HIGHMEM. This patch sets the bit at the time node_present_pages has been set by free_area_init_node. At the time the node is brought online, the node state would have to be done unconditionally since information about present memory has not yet been recorded. If N_NORMAL_MEMORY is not accurate, slub may encounter errors since it uses this nodemask to setup per-cache kmem_cache_node data structures. This pach is an alternative to the one proposed by David Rientjes attempting to set node state immediately when bringing the node online. Signed-off-by: Michael Schmitz Tested-by: Thorsten Glaser Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit d93ec4a17fcf5d84f323647df3216dff84f6f963 Author: Patrick Boettcher Date: Sun Apr 3 12:40:24 2011 -0300 FLEXCOP-PCI: fix __xlate_proc_name-warning for flexcop-pci commit b934c20de1398d4a82d2ecfeb588a214a910f13f upstream. This patch fixes the warning about bad names for sys-fs and other kernel-things. The flexcop-pci driver was using '/'-characters in it, which is not good. This has been fixed in several attempts by several people, but obviously never made it into the kernel. Signed-off-by: Patrick Boettcher Cc: Steffen Barszus Cc: Boris Cuber Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ec9c79503b68c64f5afec8c6e771d843ef3f380c Author: David Rientjes Date: Wed Apr 20 19:27:13 2011 -0700 set memory ranges in N_NORMAL_MEMORY when onlined commit d9b41e0b54fd7e164daf1e9c539c1070398aa02e upstream. When a DISCONTIGMEM memory range is brought online as a NUMA node, it also needs to have its bet set in N_NORMAL_MEMORY. This is necessary for generic kernel code that utilizes N_NORMAL_MEMORY as a subset of N_ONLINE for memory savings. These types of hacks can hopefully be removed once DISCONTIGMEM is either removed or abstracted away from CONFIG_NUMA. Fixes a panic in the slub code which only initializes structures for N_NORMAL_MEMORY to save memory: Backtrace: [<000000004021c938>] add_partial+0x28/0x98 [<000000004021faa0>] __slab_free+0x1d0/0x1d8 [<000000004021fd04>] kmem_cache_free+0xc4/0x128 [<000000004033bf9c>] ida_get_new_above+0x21c/0x2c0 [<00000000402a8980>] sysfs_new_dirent+0xd0/0x238 [<00000000402a974c>] create_dir+0x5c/0x168 [<00000000402a9ab0>] sysfs_create_dir+0x98/0x128 [<000000004033d6c4>] kobject_add_internal+0x114/0x258 [<000000004033d9ac>] kobject_add_varg+0x7c/0xa0 [<000000004033df20>] kobject_add+0x50/0x90 [<000000004033dfb4>] kobject_create_and_add+0x54/0xc8 [<00000000407862a0>] cgroup_init+0x138/0x1f0 [<000000004077ce50>] start_kernel+0x5a0/0x840 [<000000004011fa3c>] start_parisc+0xa4/0xb8 [<00000000404bb034>] packet_ioctl+0x16c/0x208 [<000000004049ac30>] ip_mroute_setsockopt+0x260/0xf20 Signed-off-by: David Rientjes Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8ba5e329539971614c5e4438f48ffb23414b67a3 Author: James Bottomley Date: Tue Apr 19 16:29:36 2011 -0500 slub: fix panic with DISCONTIGMEM commit 4a5fa3590f09999f6db41bc386bce40848fa9f63 upstream. Slub makes assumptions about page_to_nid() which are violated by DISCONTIGMEM and !NUMA. This violation results in a panic because page_to_nid() can be non-zero for pages in the discontiguous ranges and this leads to a null return by get_node(). The assertion by the maintainer is that DISCONTIGMEM should only be allowed when NUMA is also defined. However, at least six architectures: alpha, ia64, m32r, m68k, mips, parisc violate this. The panic is a regression against slab, so just mark slub broken in the problem configuration to prevent users reporting these panics. Acked-by: David Rientjes Acked-by: Pekka Enberg Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 548a4a8c2bffd5748f88aff92cea844a842535b8 Author: Herbert Xu Date: Tue Jun 15 01:52:25 2010 +0000 udp: Fix bogus UFO packet generation commit 26cde9f7e2747b6d254b704594eed87ab959afa5 upstream. It has been reported that the new UFO software fallback path fails under certain conditions with NFS. I tracked the problem down to the generation of UFO packets that are smaller than the MTU. The software fallback path simply discards these packets. This patch fixes the problem by not generating such packets on the UFO path. Signed-off-by: Herbert Xu Reviewed-by: Michael S. Tsirkin Signed-off-by: David S. Miller Cc: Stephen Hemminger Signed-off-by: Greg Kroah-Hartman commit 71447f832c6be2ab47ba6308aa9736073c36792c Author: Jie Yang Date: Tue Oct 27 22:31:19 2009 -0700 atl1c: duplicate atl1c_get_tpd commit 678b77e265f6d66f1e68f3d095841c44ba5ab112 upstream. remove duplicate atl1c_get_tpd, it may cause hardware to send wrong packets. Signed-off-by: Jie Yang Signed-off-by: David S. Miller Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit 6f63415fc1b690cb50c2ad48ba6e9e6e88e271b4 Author: Fry, Donald H Date: Wed Feb 16 11:49:34 2011 -0800 iwlagn: Support new 5000 microcode. commit 41504cce240f791f1e16561db95728c5537fbad9 upstream. New iwlwifi-5000 microcode requires driver support for API version 5. Signed-off-by: Don Fry Signed-off-by: Wey-Yi Guy Signed-off-by: Stanislaw Gruszka Signed-off-by: Greg Kroah-Hartman commit 16933b04e6ccad2741022e3413abff2f1eb5d40e Author: Stefan Haberland Date: Thu Feb 17 13:13:55 2011 +0100 dasd: correct device table commit 5da24b7627ff821e154a3aaecd5d60e1d8e228a5 upstream. The 3880 storage control unit supports a 3380 device type, but not a 3390 device type. Reported-by: Stephen Powell Signed-off-by: Stefan Haberland Signed-off-by: Martin Schwidefsky Cc: Stephen Powell Cc: Jonathan Nieder Cc: Bastian Blank commit 95204a5759452645f7d131ad3791293809826c4c Author: Greg Rose Date: Tue Nov 16 19:41:36 2010 -0800 Remove extra struct page member from the buffer info structure commit b1d670f10e8078485884f0cf7e384d890909aeaa upstream. declaration. Reported-by: Andi Kleen Signed-off-by: Greg Rose Tested-by: Emil Tantilov Signed-off-by: Jeff Kirsher Cc: Andreas Radke Signed-off-by: Greg Kroah-Hartman commit e18aff3df94d4c155d262c5c760722c485d27518 Author: Artem Bityutskiy Date: Thu Apr 21 14:49:55 2011 +0300 UBIFS: fix master node recovery commit 6e0d9fd38b750d678bf9fd07db23582f52fafa55 upstream. This patch fixes the following symptoms: 1. Unmount UBIFS cleanly. 2. Start mounting UBIFS R/W and have a power cut immediately 3. Start mounting UBIFS R/O, this succeeds 4. Try to re-mount UBIFS R/W - this fails immediately or later on, because UBIFS will write the master node to the flash area which has been written before. The analysis of the problem: 1. UBIFS is unmounted cleanly, both copies of the master node are clean. 2. UBIFS is being mounter R/W, starts changing master node copy 1, and a power cut happens. The copy N1 becomes corrupted. 3. UBIFS is being mounted R/O. It notices the copy N1 is corrupted and reads copy N2. Copy N2 is clean. 4. Because of R/O mode, UBIFS cannot recover copy 1. 5. The mount code (ubifs_mount()) sees that the master node is clean, so it decides that no recovery is needed. 6. We are re-mounting R/W. UBIFS believes no recovery is needed and starts updating the master node, but copy N1 is still corrupted and was not recovered! Fix this problem by marking the master node as dirty every time we recover it and we are in R/O mode. This forces further recovery and the UBIFS cleans-up the corruptions and recovers the copy N1 when re-mounting R/W later. Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 98b75ef9c1f961a51ab41ec7667a95f114e4661e Author: Ben Hutchings Date: Sat Apr 23 18:42:56 2011 +0100 kconfig: Avoid buffer underrun in choice input commit 3ba41621156681afcdbcd624e3191cbc65eb94f4 upstream. Commit 40aee729b350 ('kconfig: fix default value for choice input') fixed some cases where kconfig would select the wrong option from a choice with a single valid option and thus enter an infinite loop. However, this broke the test for user input of the form 'N?', because when kconfig selects the single valid option the input is zero-length and the test will read the byte before the input buffer. If this happens to contain '?' (as it will in a mips build on Debian unstable today) then kconfig again enters an infinite loop. Signed-off-by: Ben Hutchings Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a7384887d5ea77dd3e0290a8cdddeae7c51ed7a2 Author: Mark Brown Date: Fri Apr 8 16:32:16 2011 +0900 ASoC: Fix output PGA enabling in wm_hubs CODECs commit 39cca168bdfaef9d0c496ec27f292445d6184946 upstream. The output PGA was not being powered up in headphone and speaker paths, removing the ability to offer volume control and mute with the output PGA. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit e028e896b4a5adb887533e827b57e842f8b2173f Author: Uwe Kleine-König Date: Mon Apr 11 10:59:09 2011 +0200 serial/imx: read cts state only after acking cts change irq commit 5680e94148a86e8c31fdc5cb0ea0d5c6810c05b0 upstream. If cts changes between reading the level at the cts input (USR1_RTSS) and acking the irq (USR1_RTSD) the last edge doesn't generate an irq and uart_handle_cts_change is called with a outdated value for cts. The race was introduced by commit ceca629 ([ARM] 2971/1: i.MX uart handle rts irq) Reported-by: Arwed Springer Tested-by: Arwed Springer Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit 16b0c220618ffbe2e76cc5b20176c0cf7c3e6888 Author: Trond Myklebust Date: Tue Jan 25 15:28:21 2011 -0500 NFS: nfs_wcc_update_inode() should set nfsi->attr_gencount commit 27dc1cd3ad9300f81e1219e5fc305d91d85353f8 upstream. If the call to nfs_wcc_update_inode() results in an attribute update, we need to ensure that the inode's attr_gencount gets bumped too, otherwise we are not protected against races with other GETATTR calls. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit e8ab09aaeabbb6b550416ac76bdffca6541831fd Author: Alex Deucher Date: Thu Apr 14 11:19:50 2011 -0400 drm/radeon/kms: fix bad shift in atom iio table parser commit 8e461123f28e6b17456225e70eb834b3b30d28bb upstream. Noticed by Patrick Lowry. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit d9a176cac9bb6ff9439b4c1c9dadf28256f9fec0 Author: Alex Williamson Date: Fri Mar 4 14:52:30 2011 -0700 intel-iommu: Fix get_domain_for_dev() error path commit 2fe9723df8e45fd247782adea244a5e653c30bf4 upstream. If we run out of domain_ids and fail iommu_attach_domain(), we fall into domain_exit() without having setup enough of the domain structure for this to do anything useful. In fact, it typically runs off into the weeds walking the bogus domain->devices list. Just free the domain. Signed-off-by: Alex Williamson Acked-by: Donald Dutile Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 5cf96f2df3a6e956f53a10fa534a61b30d143abf Author: Alex Williamson Date: Fri Mar 4 14:52:16 2011 -0700 intel-iommu: Unlink domain from iommu commit a97590e56d0d58e1dd262353f7cbd84e81d8e600 upstream. When we remove a device, we unlink the iommu from the domain, but we never do the reverse unlinking of the domain from the iommu. This means that we never clear iommu->domain_ids, eventually leading to resource exhaustion if we repeatedly bind and unbind a device to a driver. Also free empty domains to avoid a resource leak. Signed-off-by: Alex Williamson Acked-by: Donald Dutile Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit ef6fc37610655817ebfd0f68dbabba9ae81255f2 Author: Jason Conti Date: Thu Apr 7 21:09:57 2011 +0200 p54: Initialize extra_len in p54_tx_80211 commit a6756da9eace8b4af73e9dea43f1fc2889224c94 upstream. This patch fixes a very serious off-by-one bug in the driver, which could leave the device in an unresponsive state. The problem was that the extra_len variable [used to reserve extra scratch buffer space for the firmware] was left uninitialized. Because p54_assign_address later needs the value to reserve additional space, the resulting frame could be to big for the small device's memory window and everything would immediately come to a grinding halt. Reference: https://bugs.launchpad.net/bugs/722185 Acked-by: Christian Lamparter Signed-off-by: Jason Conti Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 752bdca00326ad699ede9f92b3a5978e13f1fe45 Author: Liu Yuan Date: Tue Apr 19 13:47:58 2011 +0200 block, blk-sysfs: Fix an err return path in blk_register_queue() commit ed5302d3c25006a9edc7a7fbea97a30483f89ef7 upstream. We do not call blk_trace_remove_sysfs() in err return path if kobject_add() fails. This path fixes it. Signed-off-by: Liu Yuan Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ed11df0abadf6307090b657206013f96387d515c Author: Christian Lamparter Date: Wed Apr 6 20:40:31 2011 +0200 ath: add missing regdomain pair 0x5c mapping commit bd39a274fb7b43374c797bafdb7f506598f36f77 upstream. Joe Culler reported a problem with his AR9170 device: > ath: EEPROM regdomain: 0x5c > ath: EEPROM indicates we should expect a direct regpair map > ath: invalid regulatory domain/country code 0x5c > ath: Invalid EEPROM contents It turned out that the regdomain 'APL7_FCCA' was not mapped yet. According to Luis R. Rodriguez [Atheros' engineer] APL7 maps to FCC_CTL and FCCA maps to FCC_CTL as well, so the attached patch should be correct. Reported-by: Joe Culler Acked-by: Luis R. Rodriguez Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman