commit d6c90f5b218c1ddf1496045e3939b1c960c7cb9f
Author: Andi Kleen
Date:   Sun Feb 6 11:04:07 2011 -0800

    Release 2.6.35.11

    Release 2.6.35.11

    Signed-off-by: Andi Kleen

commit d3fef978044748b2ebf601abe96f52863b107e47
Author: Felix Fietkau
Date:   Sat Dec 18 19:30:48 2010 +0100

    mac80211: fix initialization of skb->cb in ieee80211_subif_start_xmit

    [ upstream commit 489ee9195a7de9e6bc833d639ff6b553ffdad90e ]

    The change 'mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs' added a check for copying the skb if it's shared, however the tx info variable still points at the cb of the old skb

    Signed-off-by: Felix Fietkau
    Acked-by: Helmut Schaa
    Signed-off-by: John W. Linville
    Signed-off-by: Andi Kleen

commit f973dacde9f9eddd6ead17532d1a5b6e45a0fc72
Author: Milton Miller
Date:   Thu Dec 30 02:01:03 2010 -0600

    mac80211: fix mesh forwarding when ratelimited too

    [ upstream commit 919bbad580445801c22ef6ccbe624551fee652bd ]

    Commit b51aff057c9d0ef6c529dc25fd9f775faf7b6c63 said:

        Under memory pressure, the mac80211 mesh code may helpfully print a message that it failed to clone a mesh frame and then will proceed to crash trying to use it anyway. Fix that.

    Avoid the reference whenever the frame copy is unsuccessful regardless of the debug message being suppressed or printed.

    Cc: stable@kernel.org [2.6.27+]
    Signed-off-by: Milton Miller
    Signed-off-by: John W. Linville
    Signed-off-by: Andi Kleen

commit be9627d438a0bbad74b10fa58cc87b9869de33e6
Author: Steve Conklin
Date:   Sun Feb 6 11:04:06 2011 -0800

    revert-drm-radeon-kms-properly-compute-group_size-on-6xx-7xx

    Revert drm/radeon/kms: properly compute group_size on 6xx/7xx

    From: Steve Conklin

    We discovered a regression for Radeon users in our latest proposed kernel for 2.6.35 (Maverick), and have isolated it to this patch:

    http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=commit;h=b8e9a4a45f8427837f4dba89 +bda4d4e3f3a5c726

    We took that patch as part of 2.6.35.10, and one of our testers has reported that our build of that kernel also exhibits the problem. These are mainline kernels built with the Ubuntu configs.

    http://kernel.ubuntu.com/~kernel-ppa/mainline/v2.6.35.10-maverick/

    Our bug report is here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/703553

    Upstream bug report: https://bugzilla.kernel.org/show_bug.cgi?id=24802

    Signed-off-by: Andi Kleen

commit c82c51bbf2cfd71b09ca98da799f03009a6507e8
Author: Jiri Kosina
Date:   Sat Jan 8 01:37:26 2011 -0800

    Input: i8042 - introduce 'notimeout' blacklist for Dell Vostro V13

    i8042 controller present in Dell Vostro V13 erroneously signals spurious timeouts.

    Introduce i8042.notimeout parameter for ignoring i8042-signalled timeouts and apply this quirk automatically for Dell Vostro V13, based on DMI match.

    In addition to that, this machine also needs to be added to nomux blacklist.

    Signed-off-by: Jiri Kosina
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Andi Kleen

commit f776b89f14c57f89a21110b8e78d9dafe71ae80d
Author: Stanislaw Gruszka
Date:   Mon Jan 10 13:38:21 2011 +0100

    mac80211: fix hard lockup in sta_addba_resp_timer_expired

    Problem is 2.6.35 specific, bug was introduced in backport of upstream 44271488b91c9eecf249e075a1805dd887e222d2 commit.

    We can not call del_timer_sync(addba_resp_timer) from ___ieee80211_stop_tx_ba_session(), as this function can be called from that timer callback.
    To fix, simply use not synchronous del_timer().

    Resolve https://bugzilla.redhat.com/show_bug.cgi?id=667459

    Reported-and-tested-by: Mathieu Chouquet-Stringer
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: Andi Kleen

commit cae5e948bc8775fb251f4b2286f34d027c21a0b1
Author: Jean-Francois Moine
Date:   Tue Dec 14 16:15:37 2010 -0300

    gspca - sonixj: Add a flag in the driver_info table

    commit c6c14330717f9850b4b4c054b81424b9979cd07d upstream.

    Signed-off-by: Jean-François Moine
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 5655b6d4e0eb834ab2fff7d6bf0820a60cfa0fdc
Author: Jean-Francois Moine
Date:   Tue Dec 14 16:16:16 2010 -0300

    gspca - sonixj: Set the flag for some devices

    commit b2272a49e7df37732d73988f00468ce31e1ebc92 upstream.

    The flag PDN_INV indicates that the sensor pin S_PWR_DN has not the same value as other webcams with the same sensor. For now, only two webcams have been so detected: the Microsoft's VX1000 and VX3000.

    Signed-off-by: Jean-François Moine
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 90a95aac955755dfed6025e745a7bd5688b7c4b8
Author: Oleg Nesterov
Date:   Fri Nov 5 16:53:42 2010 +0100

    posix-cpu-timers: workaround to suppress the problems with mt exec

    commit e0a70217107e6f9844628120412cb27bb4cea194 upstream.

    posix-cpu-timers.c correctly assumes that the dying process does posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD timers from signal->cpu_timers list.

    But, it also assumes that timer->it.cpu.task is always the group leader, and thus the dead ->task means the dead thread group.

    This is obviously not true after de_thread() changes the leader. After that almost every posix_cpu_timer_ method has problems.

    It is not simple to fix this bug correctly. First of all, I think that timer->it.cpu should use struct pid instead of task_struct. Also, the locking should be reworked completely.
    In particular, tasklist_lock should not be used at all. This all needs a lot of nontrivial and hard-to-test changes.

    Change __exit_signal() to do posix_cpu_timers_exit_group() when the old leader dies during exec. This is not the fix, just the temporary hack to hide the problem for 2.6.37 and stable. IOW, this is obviously wrong but this is what we currently have anyway: cpu timers do not work after mt exec.

    In theory this change adds another race. The exiting leader can detach the timers which were attached to the new leader. However, the window between de_thread() and release_task() is small, we can pretend that sys_timer_create() was called before de_thread().

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 7ff06f34531f702f726ab2632476fdfadfffe32c
Author: Jesper Juhl
Date:   Sat Dec 25 19:57:41 2010 +0100

    x86/microcode: Fix double vfree() and remove redundant pointer checks before vfree()

    commit 5cdd2de0a76d0ac47f107c8a7b32d75d25768dc1 upstream.

    In arch/x86/kernel/microcode_intel.c::generic_load_microcode() we have this:

        while (leftover) {
                ...
                if (get_ucode_data(mc, ucode_ptr, mc_size) ||
                    microcode_sanity_check(mc) < 0) {
                        vfree(mc);
                        break;
                }
                ...
        }

        if (mc)
                vfree(mc);

    This will cause a double free of 'mc'. This patch fixes that by just removing the vfree() call in the loop since 'mc' will be freed nicely just after we break out of the loop.

    There's also a second change in the patch. I noticed a lot of checks for pointers being NULL before passing them to vfree(). That's completely redundant since vfree() deals gracefully with being passed a NULL pointer. Removing the redundant checks yields a nice size decrease for the object file.
    Size before the patch:

       text    data     bss     dec     hex filename
       4578     240    1032    5850    16da arch/x86/kernel/microcode_intel.o

    Size after the patch:

       text    data     bss     dec     hex filename
       4489     240     984    5713    1651 arch/x86/kernel/microcode_intel.o

    Signed-off-by: Jesper Juhl
    Acked-by: Tigran Aivazian
    Signed-off-by: Andi Kleen
    Cc: Shaohua Li
    LKML-Reference:
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 3b5dd0d60f277a0f991e548894defeb6665d2c20
Author: Martin K. Petersen
Date:   Wed Dec 1 19:41:49 2010 +0100

    block: Deprecate QUEUE_FLAG_CLUSTER and use queue_limits instead

    commit e692cb668fdd5a712c6ed2a2d6f2a36ee83997b4 upstream.

    When stacking devices, a request_queue is not always available. This forced us to have a no_cluster flag in the queue_limits that could be used as a carrier until the request_queue had been set up for a metadevice.

    There were several problems with that approach. First of all it was up to the stacking device to remember to set queue flag after stacking had completed. Also, the queue flag and the queue limits had to be kept in sync at all times. We got that wrong, which could lead to us issuing commands that went beyond the max scatterlist limit set by the driver.

    The proper fix is to avoid having two flags for tracking the same thing. We deprecate QUEUE_FLAG_CLUSTER and use the queue limit directly in the block layer merging functions. The queue_limit 'no_cluster' is turned into 'cluster' to avoid double negatives and to ease stacking. Clustering defaults to being enabled as before. The queue flag logic is removed from the stacking function, and explicitly setting the cluster flag is no longer necessary in DM and MD.

    Reported-by: Ed Lin
    Signed-off-by: Martin K. Petersen
    Acked-by: Mike Snitzer
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 67410e0b0c39bf7d83834232cd51493c902ff7a9
Author: Mike Galbraith
Date:   Wed Dec 8 11:05:42 2010 +0100

    Sched: fix skip_clock_update optimization

    commit f26f9aff6aaf67e9a430d16c266f91b13a5bff64 upstream.

    idle_balance() drops/retakes rq->lock, leaving the previous task vulnerable to set_tsk_need_resched(). Clear it after we return from balancing instead, and in setup_thread_stack() as well, so no successfully descheduled or never scheduled task has it set.

    Need resched confused the skip_clock_update logic, which assumes that the next call to update_rq_clock() will come nearly immediately after being set. Make the optimization robust against the waking a sleeper before it successfully deschedules case by checking that the current task has not been dequeued before setting the flag, since it is that useless clock update we're trying to save, and clear unconditionally in schedule() proper instead of conditionally in put_prev_task().

    Signed-off-by: Mike Galbraith
    Signed-off-by: Andi Kleen
    Reported-by: Bjoern B. Brandenburg
    Tested-by: Yong Zhang
    Signed-off-by: Peter Zijlstra
    LKML-Reference: <1291802742.1417.9.camel@marge.simson.net>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 04d11148665af608fcc9223ddc26cee1901df6e1
Author: Daniel T Chen
Date:   Tue Dec 28 17:20:02 2010 -0500

    ALSA: hda: Use LPIB quirk for Dell Inspiron m101z/1120

    commit e03fa055bc126e536c7f65862e08a9b143138ea9 upstream.

    Sjoerd Simons reports that, without using position_fix=1, recording experiences overruns. Work around that by applying the LPIB quirk for his hardware.
    Reported-and-tested-by: Sjoerd Simons
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 9c7d253b2ba4a6621b19e439cdb1441e802374e5
Author: Johannes Berg
Date:   Wed Dec 22 10:15:07 2010 +0100

    mac80211: fix mesh forwarding

    commit b51aff057c9d0ef6c529dc25fd9f775faf7b6c63 upstream.

    Under memory pressure, the mac80211 mesh code may helpfully print a message that it failed to clone a mesh frame and then will proceed to crash trying to use it anyway. Fix that.

    Signed-off-by: Johannes Berg
    Acked-by: Javier Cardona
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit e460ad502aa1e940b4069734d8d96cc4a303062e
Author: Tejun Heo
Date:   Fri Dec 3 15:19:13 2010 +0100

    libata-sff: fix HSM_ST_ERR handling in __ata_sff_port_intr()

    commit 687a993339c4f3a63654746230da3aab8bbdbffd upstream.

    While separating out BMDMA irq handler from SFF, commit c3b28894 (libata-sff: separate out BMDMA irq handler) incorrectly made __ata_sff_port_intr() consider an IRQ to be an idle one if the host state was transitioned to HSM_ST_ERR by ata_bmdma_port_intr().

    This makes BMDMA drivers ignore IRQs reporting host bus error which leads to timeouts instead of triggering EH immediately. Fix it by making __ata_sff_port_intr() consider the IRQ to be an idle one iff the state is HSM_ST_IDLE. This is equivalent to adding HSM_ST_ERR to the "break"ing case but less error-prone.

    Signed-off-by: Tejun Heo
    Signed-off-by: Andi Kleen
    Reported-by: Antonio Toma
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 7ca39620483ad7dbd833970bd6c7c6246edcd573
Author: Mimi Zohar
Date:   Mon Jan 3 14:59:10 2011 -0800

    ima: fix add LSM rule bug

    commit 867c20265459d30a01b021a9c1e81fb4c5832aa9 upstream.

    If security_filter_rule_init() doesn't return a rule, then not everything is as fine as the return code implies.

    This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
    Adding an empty LSM rule causes ima_match_rules() to always succeed, ignoring any remaining rules.

     default IMA TCB policy:
      # PROC_SUPER_MAGIC
      dont_measure fsmagic=0x9fa0
      # SYSFS_MAGIC
      dont_measure fsmagic=0x62656572
      # DEBUGFS_MAGIC
      dont_measure fsmagic=0x64626720
      # TMPFS_MAGIC
      dont_measure fsmagic=0x01021994
      # SECURITYFS_MAGIC
      dont_measure fsmagic=0x73636673

      < LSM specific rule >
      dont_measure obj_type=var_log_t

      measure func=BPRM_CHECK
      measure func=FILE_MMAP mask=MAY_EXEC
      measure func=FILE_CHECK mask=MAY_READ uid=0

    Thus without the patch, with the boot parameters 'tcb selinux=0', adding the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB measurement policy, would result in nothing being measured. The patch prevents the default TCB policy from being replaced.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Andi Kleen
    Cc: James Morris
    Acked-by: Serge Hallyn
    Cc: David Safford
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit d1e1c53f02d8dd402e6a88d5976c2038087d8539
Author: Saeed Bishara
Date:   Tue Dec 21 16:53:39 2010 +0200

    mv_xor: fix race in tasklet function

    commit 8333f65ef094e47020cd01452b4637e7daf5a77f upstream.

    use mv_xor_slot_cleanup() instead of __mv_xor_slot_cleanup() as the former function acquires the spin lock that needed to protect the drivers data.

    Signed-off-by: Saeed Bishara
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 6e3cd473b8826c8ca545135f5b49ddb73f15d54f
Author: Dan Rosenberg
Date:   Sat Dec 25 16:23:40 2010 -0500

    sound: Prevent buffer overflow in OSS load_mixer_volumes

    commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb upstream.

    The load_mixer_volumes() function, which can be triggered by unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to a buffer overflow.
    Because the provided "name" argument isn't guaranteed to be NULL terminated at the expected 32 bytes, it's possible to overflow past the end of the last element in the mixer_vols array. Further exploitation can result in an arbitrary kernel write (via subsequent calls to load_mixer_volumes()) leading to privilege escalation, or arbitrary kernel reads via get_mixer_levels(). In addition, the strcmp() may leak bytes beyond the mixer_vols array.

    Signed-off-by: Dan Rosenberg
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 02e8aefffbe5cc35c1f1b090ca8d8b6fce4da46a
Author: David Flynn
Date:   Wed Dec 8 16:10:21 2010 +0000

    drm/i915/dp: Fix I2C/EDID handling with active DisplayPort to DVI converter

    commit 8316f33766a82907c694267ff911e45e256f09f9 upstream.

    The DisplayPort standard (1.1a) states that:

      The I2C-over-AUX Reply field is valid only when Native AUX CH Reply field is AUX_ACK (00). When Native AUX CH Reply field is not 00, then, I2C-over-AUX Reply field must be 00 and be ignored.

    This fixes broken EDID reading when using an active DisplayPort to duallink DVI converter. If the AUX CH replier chooses to defer the transaction, a short read occurs and erroneous data is returned as the i2c reply due to a lack of length checking and failure to check for AUX ACK.

    As a result, broken EDIDs can look like:

         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
    00: bc bc bc ff bc bc bc ff bc bc bc ac bc bc bc 45    ???.???.???????E
    10: bc bc bc 10 bc bc bc 34 bc bc bc ee bc bc bc 4c    ???????4???????L
    20: bc bc bc 50 bc bc bc 00 bc bc bc 40 bc bc bc 00    ???P???.???@???.
    30: bc bc bc 01 bc bc bc 01 bc bc bc a0 bc bc bc 40    ???????????????@
    40: bc bc bc 00 bc bc bc 00 bc bc bc 00 bc bc bc 55    ???.???.???.???U
    50: bc bc bc 35 bc bc bc 31 bc bc bc 20 bc bc bc fc    ???5???1??? ????
    60: bc bc bc 4c bc bc bc 34 bc bc bc 46 bc bc bc 00    ???L???4???F???.
    70: bc bc bc 38 bc bc bc 11 bc bc bc 20 bc bc bc 20    ???8??????? ???
    80: bc bc bc ff bc bc bc ff bc bc bc ff bc bc bc ff    ???.???.???.???.
    ...

    which can lead to:

    [drm:drm_edid_block_valid] *ERROR* EDID checksum is invalid, remainder
    [drm:drm_edid_block_valid] *ERROR* Raw EDID:
    <3>30 30 30 30 30 30 30 32 38 32 30 32 63 63 31 61  000000028202cc1a
    <3>28 00 02 8c 00 00 00 00 18 00 00 00 00 00 00 00  (...............
    <3>20 4c 61 73 74 20 62 65 61 63 6f 6e 3a 20 33 32   Last beacon: 32
    <3>32 30 6d 73 20 61 67 6f 46 00 05 8c 00 00 00 00  20ms agoF.......
    <3>36 00 00 00 00 00 00 00 00 0c 57 69 2d 46 69 20  6.........Wi-Fi
    <3>52 6f 75 74 65 72 01 08 82 84 8b 96 24 30 48 6c  Router......$0Hl
    <3>03 01 01 06 02 00 00 2a 01 00 2f 01 00 32 04 0c  .......*../..2..
    <3>12 18 60 dd 09 00 10 18 02 00 00 01 00 00 18 00  ..`.............

    Signed-off-by: David Flynn
    Signed-off-by: Andi Kleen
    [ickle: fix up some surrounding checkpatch warnings]
    Signed-off-by: Chris Wilson
    Signed-off-by: Greg Kroah-Hartman

commit 2f33a030c672eff1af2a5414c497a10d66b80982
Author: Alex Deucher
Date:   Mon Dec 20 11:22:29 2010 -0500

    drm/radeon/kms: reorder display resume to avoid problems

    commit a93f344d3c04e4b84490c65f2a574387c593be40 upstream.

    On resume, we were attempting to unblank the displays before the timing and plls had been reprogrammed which led to atom timeouts waiting for things that are not yet programmed. Re-program the mode first, then reset the dpms state.

    This fixes the infamous atombios timeouts on resume.

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit ee8aa621efcdd5dd76a91f0085e1f2dc940cb3b8
Author: Alex Deucher
Date:   Mon Dec 20 12:35:03 2010 -0500

    drm/radeon/kms: fix evergreen asic reset

    commit 9f0c4f9c2f835eee1bbb93f96bf9483d56f1892b upstream.

    Only reset the grbm blocks, srbm tends to lock the GPU if not done properly and in most cases is not necessary. Also, no need to call asic init after reset the grbm blocks.
    Signed-off-by: Alex Deucher
    Signed-off-by: Andi Kleen
    Reviewed-by: Jerome Glisse
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit a3f86d59f4f072da1d289a9c12cd4c10fbc3e065
Author: Alex Deucher
Date:   Mon Dec 20 12:35:04 2010 -0500

    drm/radeon/kms/evergreen: reset the grbm blocks at resume and init

    commit 86f5c9edbb3bac37cc8cee6528a929005ba72aad upstream.

    This fixes module reloading and resume as the gfx block seems to be left in a bad state in some cases.

    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 87e27023b169b23410b59e24e579d8d9d55136a8
Author: Mark Brown
Date:   Wed Nov 24 18:01:39 2010 +0000

    mfd: Supply IRQ base for WM832x devices

    commit bd7c72ed18d719c1fb0fdf6ff9042d8ab78fdf71 upstream.

    Without this the IRQ base will not be correctly configured for the subdevices.

    Signed-off-by: Mark Brown
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 848d070ae77a340275678ce27fde5c831e299e64
Author: Mark Brown
Date:   Thu Dec 2 16:25:43 2010 +0000

    mfd: Support additional parent IDs for wm831x

    commit b93cef556162b0f33399bfe5f307c54f51554e09 upstream.

    Some newer device revisions add a second parent ID. Support this in the device validity checks done at startup.

    Signed-off-by: Mark Brown
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 26120280fe178d45390f28394e2d31399c04506d
Author: Robert Richter
Date:   Mon Jan 3 12:15:14 2011 +0100

    arch/x86/oprofile/op_model_amd.c: Perform initialisation on a single CPU

    commit c7c25802b39c443b3745cfa973dc49a97a3491f8 upstream.

    Disable preemption in init_ibs(). The function only checks the ibs capabilities and sets up pci devices (if necessary). It runs only on one cpu but operates with the local APIC and some MSRs, thus it is better to disable preemption.
    [ 7.034377] BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/483
    [ 7.034385] caller is setup_APIC_eilvt+0x155/0x180
    [ 7.034389] Pid: 483, comm: modprobe Not tainted 2.6.37-rc1-20101110+ #1
    [ 7.034392] Call Trace:
    [ 7.034400] [] debug_smp_processor_id+0xd2/0xf0
    [ 7.034404] [] setup_APIC_eilvt+0x155/0x180
    [ ... ]

    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=22812

    Reported-by:
    Signed-off-by: Robert Richter
    Signed-off-by: Andi Kleen
    Cc: oprofile-list@lists.sourceforge.net
    Cc: Peter Zijlstra
    Cc: Frederic Weisbecker
    Cc: Rafael J. Wysocki
    Cc: Dan Carpenter
    Cc: Andrew Morton
    LKML-Reference: <20110103111514.GM4739@erda.amd.com>
    [ small cleanups ]
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit c28dd2596ae32a0c500745f4061648a0045fed2c
Author: Florian Fainelli
Date:   Fri Nov 26 10:39:55 2010 +0100

    watchdog: Fix null pointer dereference while accessing rdc321x platform_data

    commit 3b3c1f24e96c411a95daabb6af9e09c5381f713b upstream.

    rdc321x-wdt currently fetches its driver specific data by using the platform_device->platform_data pointer, this is wrong because the mfd device which registers our platform_device has been added using mfd_add_device() which sets the platform_device->driver_data pointer instead.

    Signed-off-by: Florian Fainelli
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit bf4a80cbf1ec11260c1a458586f2433431646994
Author: Ahmed S. Darwish
Date:   Sat Dec 25 11:57:09 2010 +0200

    RAMOOPS: Don't overflow over non-allocated regions

    commit 1873bb8115e678ad9fd0aac9dbbc68383bc36e06 upstream.

    The current code mis-calculates the ramoops header size, leading to an overflow over the next record at best, or over a non-allocated region at worst. Fix that calculation.

    Signed-off-by: Ahmed S. Darwish
    Acked-by: Marco Stornelli
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 39ab95f709fd14c0542ad9e5eaebebc30c681094
Author: Wolfram Sang
Date:   Tue Dec 21 17:24:24 2010 -0800

    rtc: rs5c372: fix buffer size

    commit 118364948fad7b6c0469ef2d3ddaee447d7a0b5f upstream.

    Match the buffer size to the amount of initialized values. Before, it was one too big and thus destroyed the neighbouring register causing the clock to run at false speeds.

    Reported-by: Andre van Rooyen
    Signed-off-by: Wolfram Sang
    Signed-off-by: Andi Kleen
    Cc: Alessandro Zummo
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 55eb2febc4ec26d4ecde0964af63e4f152d353bf
Author: Hillf Danton
Date:   Wed Dec 29 21:55:28 2010 +0800

    fix freeing user_struct in user cache

    commit 4ef9e11d6867f88951e30db910fa015300e31871 upstream.

    When racing on adding into user cache, the new allocated from mm slab is freed without putting user namespace.

    Since the user namespace is already operated by getting, putting has to be issued.

    Signed-off-by: Hillf Danton
    Acked-by: Serge Hallyn
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 01dda54376c56e99e475193d6c112f05476e5280
Author: Takashi Iwai
Date:   Fri Dec 10 08:40:31 2010 +0100

    mmc: Fix re-probing with PM_POST_RESTORE notification

    commit 274476f8fe0b6ac9bac542cc39de12c3dd0f43f6 upstream.

    In the error-path where PM notifies PM_POST_RESTORE, the rescan-blockage should be cleared as well. Otherwise it'll be never re-probed.

    Also, as a bonus, this fixes a bug in S4 with user-mode suspend in the current code, as it sends PM_POST_RESTORE instead of PM_POST_HIBERNATION wrongly.
    Signed-off-by: Takashi Iwai
    Signed-off-by: Chris Ball
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 3fa84c1cbf8baca625f08f475338193ee9be1eea
Author: Nicolas Ferre
Date:   Fri Dec 10 19:14:32 2010 +0100

    mmc: atmel-mci: fix multiblock SDIO transfers

    commit 2f1d791882d21a4002a719fb016a1ac21c8bd6b7 upstream.

    Based on report made by Yauhen in: "MMC: Fix multiblock SDIO transfers in AT91 MCI" patch, I report those changes to the brother driver: atmel-mci. So, this patch sets SDIO transfer types: SDIO block and SDIO byte transfers instead of using ordinary MMC block transfers. It is checking opcode for SDIO CMD53 and setting transfer type in MCI_CMDR register properly.

    Reported-by: Yauhen Kharuzhy
    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Signed-off-by: Chris Ball
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 84da397234ceec8449444598d8d72668d7f5bb8c
Author: Yauhen Kharuzhy
Date:   Thu Nov 25 12:11:51 2010 +0200

    mmc: at91_mci: fix multiblock SDIO transfers

    commit a2255ff45143001fecbc5e5a4b58fcb999d393ae upstream.

    The AT91 MCI has special SDIO transfer types: SDIO block and SDIO byte transfers, but at91_mci driver doesn't use them and handles all SDIO transfers as ordinary MMC block transfers. This causes problems for multiple-block SDIO transfers (in particular for 256-bytes blocks).

    Fix this situation by checking the opcode for SDIO CMD53 and setting the transfer type in the AT91_MCI_CMDR register properly.

    This patch was tested with libertas SDIO driver: problem with TX timeouts on big packets was eliminated.
    Signed-off-by: Yauhen Kharuzhy
    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Signed-off-by: Chris Ball
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 4dfbc34551053dcf44fa3c6ab8d2fcf39bd38eea
Author: Andres Salomon
Date:   Tue Dec 21 13:04:52 2010 -0800

    cs5535-gpio: handle GPIO regs where higher (clear) bits are set

    commit 44658a11f312fb9217674cb90b1a11cbe17fd18d upstream.

    The default for non-READ_BACK GPIO regs is to have the clear bits set; this means that our original errata fix was too simplistic. This changes it to the following behavior:

     - when setting GPIOs, ignore the higher order bits (they're for clearing, we don't need to care about them).

     - when clearing GPIOs, keep all the bits, but unset (via XOR) the lower order bit that negates the clear bit that we care about. That is, if we're clearing GPIO 26 (val = 0x04000000), we first XOR what's currently in the register with 0x0400 (GPIO 26's SET bit), and then OR that with the GPIO 26's CLEAR bit.

    Tested-by: Daniel Drake
    Signed-off-by: Andres Salomon
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 1d95fe9a8ddadc8700e85f5e9d9682842a1c743c
Author: Andres Salomon
Date:   Tue Dec 21 13:04:42 2010 -0800

    cs5535-gpio: don't apply errata #36 to edge detect GPIOs

    commit 001851659354cce436b749a793f3512a53394d80 upstream.

    The edge detect status GPIOs function differently from the other atomic model CS5536 GPIO registers; writing 1 to the high bits clears the GPIO, but writing 1 to the lower bits also clears the bit. This means that read-modify-write doesn't actually work for it, so don't apply the errata here. If a negative edge status gets lost after resume.. well, we tried our best!
    Tested-by: Daniel Drake
    Signed-off-by: Andres Salomon
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 876c33c2acfc57b312f1743964f0c4469932fdf7
Author: Florian Fainelli
Date:   Fri Nov 26 10:39:54 2010 +0100

    gpio: Fix null pointer dereference while accessing rdc321x platform_data

    commit fa6469cb5b2d16703464c344b943e2c025cb7858 upstream.

    rdc321x-gpio currently fetches its driver specific data by using the platform_device->platform_data pointer, this is wrong because the mfd device which registers our platform_device has been added using mfd_add_device() which sets the platform_device->driver_data pointer instead.

    Signed-off-by: Florian Fainelli
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 94e0aba2a66cb0eee8c17f662c25c85a2aee141b
Author: Sarah Sharp
Date:   Thu Dec 9 10:29:00 2010 -0800

    xhci: Fix issue with port array setup and buggy hosts.

    commit f8bbeabc34aa945ab4275abc9a4dfde0aea798ca upstream.

    Fix two bugs with the port array setup.

    The first bug will only show up with broken xHCI hosts with Extended Capabilities registers that have duplicate port speed entries for the same port. The idea with the original code was to set the port_array entry to -1 if the duplicate port speed entry said the port was a different speed than the original port speed entry. That would mean that later, the port would not be exposed to the USB core. Unfortunately, I forgot a continue statement, and the port_array entry would just be overwritten in the next line.

    The second bug would happen if there are conflicting port speed registers (so that some entry in port_array is -1), or one of the hardware port registers was not described in the port speed registers (so that some entry in port_array is 0). The code that sets up the usb2_ports array would accidentally claim those ports. That wouldn't really cause any user-visible issues, but it is a bug.
    This patch should go into the stable trees that have the port array and USB 3.0 port disabling prevention patches.

    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit af98113010e7815aaa0f4281f6a54bfe0c7bed3d
Author: Ken Mills
Date:   Mon Dec 13 15:28:03 2010 +0000

    n_gsm: gsm_data_alloc buffer allocation could fail and it is not being checked

    commit 093d804611b9a38fe59753b37c29f840518406a9 upstream.

    gsm_data_alloc buffer allocation could fail and it is not being checked.

    Add check for allocated buffer and return if the buffer allocation fails.

    Signed-off-by: Ken Mills
    Signed-off-by: Alan Cox
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 1298db626792287d5c66ba71ae802cfd1db72d3f
Author: Ken Mills
Date:   Mon Dec 13 15:27:27 2010 +0000

    n_gsm: Fix message length handling when building header

    commit be7a7411d63ccad165d66fe8e0b11b2ee336159b upstream.

    Fix message length handling when building header

    When the message length is greater than 127, the length field in the header is built incorrectly. According to the spec, when the length is less than 128 the length field is a single byte formatted as: bbbbbbb1. When it is greater than 127 then the field is two bytes of the format: bbbbbbb0 bbbbbbbb.

    Signed-off-by: Ken Mills
    Signed-off-by: Alan Cox
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 138d1026f3af81004fbdc9864ea56b661780dace
Author: Eduardo Costa
Date:   Tue Dec 14 14:37:59 2010 -0600

    p54usb: New USB ID for Gemtek WUBI-100GW

    commit 56e6417b49132d4f56e9f2241d31942b90b46315 upstream.

    This USB ID is for the WUBI-100GW 802.11g Wireless LAN USB Device that uses p54usb.

    Signed-off-by: Larry Finger
    Signed-off-by: Eduardo Costa
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 3624cef1bd667d14284e9da384dc3569e416fe56
Author: Christian Lamparter
Date:   Sat Dec 11 12:19:48 2010 +0100

    p54usb: add 5 more USBIDs

    commit 16cad7fba037b34ca32cc0adac65bc089d969fb8 upstream.

    This patch adds five more USBIDs to the table.

    Source:
    http://www.linuxant.com/pipermail/driverloader/2005q3/002307.html
    http://wireless.kernel.org/en/users/Drivers/p54/devices (by M. Davis)

    Signed-off-by: Christian Lamparter
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 4d6d8747e1fb36b33d77a5182a6305f6839aeae9
Author: Greg Kroah-Hartman
Date:   Thu Dec 16 15:52:30 2010 -0800

    Revert "USB: gadget: Allow function access to device ID data during bind()"

    commit dbb442b85a1d82f91cfe0524c4f9b3a5196a10ca upstream.

    This reverts commit 1ab83238740ff1e1773d5c13ecac43c60cf4aec4.

    Turns out this doesn't allow for the device ids to be overridden properly, so we need to revert the thing.

    Reported-by: Jef Driesen
    Cc: Robert Lukassen
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Andi Kleen

commit 26977d2b7fedb760cef42041f3514ab968fe78ab
Author: Vitaly Kuznetsov
Date:   Tue Dec 14 10:16:49 2010 -0500

    USB: usb-storage: unusual_devs entry for the Samsung YP-CP3

    commit d73a9b3001f29271c2e9f2a806b05a431c5d9591 upstream.

    Add an unusual_devs entry for the Samsung YP-CP3 MP4 player.

    User was getting the following errors in dmesg:
     usb 2-6: reset high speed USB device using ehci_hcd and address 2
     usb 2-6: reset high speed USB device using ehci_hcd and address 2
     usb 2-6: reset high speed USB device using ehci_hcd and address 2
     usb 2-6: USB disconnect, address 2
     sd 3:0:0:0: [sdb] Assuming drive cache: write through
     sdb:<2>ldm_validate_partition_table(): Disk read failed.
    Dev sdb: unable to read RDB block 0
    unable to read partition table

Signed-off-by: Vitaly Kuznetsov
Acked-by: Alan Stern
Signed-off-by: Andi Kleen
CC: Matthew Dharm
Signed-off-by: Greg Kroah-Hartman

commit c4234ff9aca7aef60841327560ed228cbfcf58ba
Author: Florian Faber
Date: Wed Dec 1 10:11:08 2010 +0100

USB: ftdi_sio: Add D.O.Tec PID

commit 5363cdc3c5da9bd431552cf5989ab481596f0c6d upstream.

Add FTDI PID to identify D.O.Tec devices correctly.

Signed-off-by: Florian Faber
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 0a67b7cf26d73ed1dbea7e99d63673b5c4aa479e
Author: Thomas Sailer
Date: Tue Dec 14 16:04:05 2010 +0100

USB: misc: uss720.c: add another vendor/product ID

commit ecc1624a2fff45780959efbcb73ace18fdb3c58d upstream.

Fabio Battaglia reports that he has another cable that works with this driver, so this patch adds its vendor/product ID.

Signed-off-by: Thomas Sailer
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 0409b72407a69538cb62bb0bc2476db0ca2b3de8
Author: Tavis Ormandy
Date: Thu Dec 9 15:29:42 2010 +0100

install_special_mapping skips security_file_mmap check.

commit 462e635e5b73ba9a4c03913b77138cd57ce4b050 upstream.

The install_special_mapping routine (used, for example, to setup the vdso) skips the security check before insert_vm_struct, allowing a local attacker to bypass the mmap_min_addr security restriction by limiting the available pages for special mappings.

bprm_mm_init() also skips the check, and although I don't think this can be used to bypass any restrictions, I don't see any reason not to have the security check.

    $ uname -m
    x86_64
    $ cat /proc/sys/vm/mmap_min_addr
    65536
    $ cat install_special_mapping.s
    section .bss
        resb BSS_SIZE
    section .text
        global _start
        _start:
            mov eax, __NR_pause
            int 0x80
    $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
    $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
    $ ./install_special_mapping &
    [1] 14303
    $ cat /proc/14303/maps
    0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
    00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping
    00011000-ffffe000 rwxp 00000000 00:00 0 [stack]

It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096.

Signed-off-by: Tavis Ormandy
Acked-by: Kees Cook
Acked-by: Robert Swiecki
Signed-off-by: Andi Kleen
[ Changed to not drop the error code - akpm ]
Reviewed-by: James Morris
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 23d8a757d065542d5e9557cc20912833085b2395
Author: Yan Li
Date: Tue Nov 30 23:51:03 2010 -0800

Input: synaptics - fix handling of 2-button ClickPads

commit 3bfa321e662edf90fb8123a02c987c2965fa50bb upstream.

Lenovo S10-3t's ClickPad is a 2-button ClickPad that reports BTN_LEFT and BTN_RIGHT as normal touchpad, unlike the 1-button ClickPad used in HP mini 210 that reports solely BTN_MIDDLE.

In 0xc0-cap response, the 1-button ClickPad has the 20-bit set while 2-button ClickPad has the 8-bit set.

This patch makes the kernel only handle 1-button ClickPad specially, and treat 2-button ClickPad in the same fashion as regular touchpads.

This fixes kernel bug #18122 and MeeGo bug #4807.

Signed-off-by: Yan Li
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit eb9b89ea61a1b1787cf5d42ae4366c9a4c53787d
Author: Manoj Iyer
Date: Tue Nov 23 07:43:44 2010 +0100

ALSA: hda - Enable jack sense for Thinkpad Edge 11

commit 6027277e77df2d2893d906c42f5c9f9abcb731e0 upstream.

Add a quirk entry for Thinkpad Edge 11 as well as other TP Edge models.

Signed-off-by: Manoj Iyer
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 872efb20c881ed307078621f2078b3a94527d8a1
Author: Ivo van Doorn
Date: Mon Aug 23 19:56:07 2010 +0200

rt2x00: Fix max TX power settings

commit 8d1331b37d5b656a7a8e561f8e9d7661dd00c910 upstream.

During initialization each driver reads the default TX power for each individual channel. However mac80211 only accepts the maximum value (which is also handled as default value). As a result, the TX power of the device was being limited to the default value, which is often quite low compared to the real maximum acceptable value.

This patch allows each driver to set the maximum value on a per-channel basis which is forwarded to mac80211. The default value will be preserved for now, in case we want to update mac80211 to differentiate between the maximum and default txpower.

This fixes bug complaining about limited TX power values like:
https://bugzilla.kernel.org/show_bug.cgi?id=16358

Signed-off-by: Ivo van Doorn
Acked-by: Helmut Schaa
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 7be78b074a2a515de05d3eaed8885a38e3b06db1
Author: Suresh Siddha
Date: Mon Dec 6 12:26:30 2010 -0800

x86, vt-d: Quirk for masking vtd spec errors to platform error handling logic

commit 254e42006c893f45bca48f313536fcba12206418 upstream.

On platforms with Intel 7500 chipset, there were some reports of system hang/NMI's during kexec/kdump in the presence of interrupt-remapping enabled.

During kdump, there is a window where the devices might be still using old kernel's interrupt information, while the kdump kernel is coming up. This can cause vt-d faults as the interrupt configuration from the old kernel map to null IRTE entries in the new kernel etc.
(without interrupt-remapping enabled, we still have the same issue but in this case we will see benign spurious interrupt hit the new kernel).

Based on platform config settings, these platforms seem to generate NMI/SMI when a vt-d fault happens and there were reports that the resulting SMI causes the system to hang.

Fix it by masking vt-d spec defined errors to platform error reporting logic. VT-d spec related errors are already handled by the VT-d OS code, so need to report the same error through other channels.

Signed-off-by: Suresh Siddha
Signed-off-by: Andi Kleen
LKML-Reference: <1291667190.2675.8.camel@sbsiddha-MOBL3.sc.intel.com>
Reported-by: Max Asbock
Reported-and-tested-by: Takao Indoh
Acked-by: Chris Wright
Acked-by: Kenji Kaneshige
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman

commit db8017f7d5d564075ed244ee06aad94a761c967e
Author: Kenji Kaneshige
Date: Wed Dec 1 09:40:32 2010 -0800

x86, vt-d: Fix the vt-d fault handling irq migration in the x2apic mode

commit 086e8ced65d9bcc4a8e8f1cd39b09640f2883f90 upstream.

In x2apic mode, we need to set the upper address register of the fault handling interrupt register of the vt-d hardware. Without this irq migration of the vt-d fault handling interrupt is broken.

Signed-off-by: Kenji Kaneshige
Signed-off-by: Andi Kleen
LKML-Reference: <1291225233.2648.39.camel@sbsiddha-MOBL3>
Signed-off-by: Suresh Siddha
Acked-by: Chris Wright
Tested-by: Takao Indoh
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman

commit 5ed07572d5fda48533aa86ef2127bcbcda90756c
Author: Suresh Siddha
Date: Tue Nov 30 22:22:29 2010 -0800

x86, vt-d: Handle previous faults after enabling fault handling

commit 7f99d946e71e71d484b7543b49e990508e70d0c0 upstream.

Fault handling is getting enabled after enabling the interrupt-remapping (as the success of interrupt-remapping can affect the apic mode and hence the fault handling mode).

Hence there can potentially be some faults between the window of enabling interrupt-remapping in the vt-d and the fault-handling of the vt-d units.

Handle any previous faults after enabling the vt-d fault handling.

For v2.6.38 cleanup, need to check if we can remove the dmar_fault() in the enable_intr_remapping() and see if we can enable fault handling along with enabling intr-remapping.

Signed-off-by: Suresh Siddha
Signed-off-by: Andi Kleen
LKML-Reference: <20101201062244.630417138@intel.com>
Acked-by: Chris Wright
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman

commit 7ec0309573de69959a7840e5007831625a35af87
Author: Kenji Kaneshige
Date: Tue Nov 30 22:22:28 2010 -0800

x86: Enable the intr-remap fault handling after local APIC setup

commit 7f7fbf45c6b748074546f7f16b9488ca71de99c1 upstream.

Interrupt-remapping gets enabled very early in the boot, as it determines the apic mode that the processor can use. And the current code enables the vt-d fault handling before the setup_local_APIC(). And hence the APIC LDR registers and data structure in the memory may not be initialized. So the vt-d fault handling in logical xapic/x2apic modes were broken.

Fix this by enabling the vt-d fault handling in the end_local_APIC_setup()

A cleaner fix of enabling fault handling while enabling intr-remapping will be addressed for v2.6.38.

[ Enabling intr-remapping determines the usage of x2apic mode and the apic mode determines the fault-handling configuration. ]

Signed-off-by: Kenji Kaneshige
Signed-off-by: Andi Kleen
LKML-Reference: <20101201062244.541996375@intel.com>
Signed-off-by: Suresh Siddha
Acked-by: Chris Wright
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman

commit 9bc128312605cb2962c00fa63d626ebc22c8b4bc
Author: H. Peter Anvin
Date: Mon Dec 13 16:01:38 2010 -0800

x86, gcc-4.6: Use gcc -m options when building vdso

commit de2a8cf98ecdde25231d6c5e7901e2cffaf32af9 upstream.

The vdso Makefile passes linker-style -m options not to the linker but to gcc. This happens to work with earlier gcc, but fails with gcc 4.6. Pass gcc-style -m options, instead.

Note: all currently supported versions of gcc support -m32, so there is no reason to conditionalize it any more.

Reported-by: H. J. Lu
Signed-off-by: H. Peter Anvin
Signed-off-by: Andi Kleen
LKML-Reference:
Signed-off-by: Greg Kroah-Hartman

commit be5057e86f2813ec2a16bf0878d0d2cc6dae5e81
Author: Slava Pestov
Date: Wed Nov 24 15:13:16 2010 -0800

tracing: Fix panic when lseek() called on "trace" opened for writing

commit 364829b1263b44aa60383824e4c1289d83d78ca7 upstream.

The file_ops struct for the "trace" special file defined llseek as seq_lseek(). However, if the file was opened for writing only, seq_open() was not called, and the seek would dereference a null pointer, file->private_data.

This patch introduces a new wrapper for seq_lseek() which checks if the file descriptor is opened for reading first. If not, it does nothing.

Signed-off-by: Slava Pestov
Signed-off-by: Andi Kleen
LKML-Reference: <1290640396-24179-1-git-send-email-slavapestov@google.com>
Signed-off-by: Steven Rostedt
Signed-off-by: Greg Kroah-Hartman

commit c3a057e54f2cb3efc797633d7d7102db90beed50
Author: NeilBrown
Date: Thu Dec 9 17:02:14 2010 +1100

md: protect against NULL reference when waiting to start a raid10.

commit 589a594be1fb8815b3f18e517be696c48664f728 upstream.

When we fail to start a raid10 for some reason, we call md_unregister_thread to kill the thread that was created.

Unfortunately md_thread() will then make one call into the handler (raid10d) even though md_wakeup_thread has not been called. This is not safe and as md_unregister_thread is called after mddev->private has been set to NULL, it will definitely cause a NULL dereference.

So fix this at both ends:
- md_thread should only call the handler if THREAD_WAKEUP has been set.
- raid10 should call md_unregister_thread before setting things to NULL just like all the other raid modules do.

This is applicable to 2.6.35 and later.

Reported-by: "Citizen"
Signed-off-by: NeilBrown
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 1eb3d729169b026e40f0094f0d602187ebdff165
Author: NeilBrown
Date: Thu Dec 9 16:36:28 2010 +1100

md: fix bug with re-adding of partially recovered device.

commit 1a855a0606653d2d82506281e2c686bacb4b2f45 upstream.

With v0.90 metadata, a hot-spare does not become a full member of the array until recovery is complete. So if we re-add such a device to the array, we know that all of it is as up-to-date as the event count would suggest, and so a bitmap-based recovery is possible.

However with v1.x metadata, the hot-spare immediately becomes a full member of the array, but it records how much of the device has been recovered. If the array is stopped and re-assembled recovery starts from this point.

When such a device is hot-added to an array we currently lose the 'how much is recovered' information and incorrectly include it as a full in-sync member (after bitmap-based fixup). This is wrong and unsafe and could corrupt data.

So be more careful about setting saved_raid_disk - which is what guides the re-adding of devices back into an array. The new code matches the code in slot_store which does a similar thing, which is encouraging.

This is suitable for any -stable kernel.

Reported-by: "Dailey, Nate"
Signed-off-by: NeilBrown
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 5ed561673a5aa6c8f5a65b958dd0e0b2e0bd3bda
Author: Andreas Herrmann
Date: Thu Dec 16 21:29:37 2010 +0100

x86, amd: Fix panic on AMD CPU family 0x15

[The mainline kernel doesn't have this problem. Commit "(23588c3) x86, amd: Add support for CPUID topology extension of AMD CPUs" removed the family check. But 2.6.32.y needs to be fixed.]

This CPU family check is not required -- existence of the NodeId MSR is indicated by a CPUID feature flag which is already checked in amd_fixup_dcm() -- and it needlessly prevents amd_fixup_dcm() from being called for newer AMD CPUs.

In worst case this can lead to a panic in the scheduler code for AMD family 0x15 multi-node AMD CPUs. I just have a picture of VGA console output so I can't copy-and-paste it herein, but the call stack of such a panic looked like:

    do_divide_error
    ...
    find_busiest_group
    run_rebalance_domains
    ...
    apic_timer_interrupt
    ...
    cpu_idle

The mainline kernel doesn't have this problem. Commit "(23588c3) x86, amd: Add support for CPUID topology extension of AMD CPUs" removed the family check. But 2.6.32.y needs to be fixed.

Signed-off-by: Andreas Herrmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 6660a58806566b5b452b8b6458be90526fbec054
Author: David Kilroy
Date: Sun Dec 5 15:45:58 2010 +0000

orinoco: clear countermeasure setting on commit

commit ba34fcee476d11e7c9df95932787a22a96ff6e68 upstream.

... and interface up.

In these situations, you are usually trying to connect to a new AP, so keeping TKIP countermeasures active is confusing. This is already how the driver behaves (inadvertently). However, querying SIOCGIWAUTH may tell userspace that countermeasures are active when they aren't.

Clear the setting so that the reporting matches what the driver has done.

Signed-off by: David Kilroy
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit c0be80088ed2d65565fa02732030a7bfc9a7a0c6
Author: David Kilroy
Date: Sun Dec 5 15:43:55 2010 +0000

orinoco: fix TKIP countermeasure behaviour

commit 0a54917c3fc295cb61f3fb52373c173fd3b69f48 upstream.

Enable the port when disabling countermeasures, and disable it on enabling countermeasures.

This bug causes the response of the system to certain attacks to be ineffective.

It also prevents wpa_supplicant from getting scan results, as wpa_supplicant disables countermeasures on startup - preventing the hardware from scanning.

wpa_supplicant works with ap_mode=2 despite this bug because the commit handler re-enables the port.

The log tends to look like:

    State: DISCONNECTED -> SCANNING
    Starting AP scan for wildcard SSID
    Scan requested (ret=0) - scan timeout 5 seconds
    EAPOL: disable timer tick
    EAPOL: Supplicant port status: Unauthorized
    Scan timeout - try to get results
    Failed to get scan results
    Failed to get scan results - try scanning again
    Setting scan request: 1 sec 0 usec
    Starting AP scan for wildcard SSID
    Scan requested (ret=-1) - scan timeout 5 seconds
    Failed to initiate AP scan.

Reported by: Giacomo Comes
Signed-off by: David Kilroy
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit a1a584f5c28939e5c11d062b233599034748d6dd
Author: Eric Paris
Date: Tue Nov 23 18:18:37 2010 -0500

inotify: stop kernel memory leak on file creation failure

commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab upstream.

If inotify_init is unable to allocate a new file for the new inotify group we leak the new group. This patch drops the reference on the group on file allocation failure.

Reported-by: Vegard Nossum
Signed-off-by: Eric Paris
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 6559ff535c6a7d61eb22295ddf390ac917f46275
Author: Rafael J. Wysocki
Date: Thu Dec 16 17:11:58 2010 +0100

PM / Runtime: Fix pm_runtime_suspended()

commit f08f5a0add20834d3f3d876dfe08005a5df656db upstream.

There are some situations (e.g. in __pm_generic_call()), where pm_runtime_suspended() is used to decide whether or not to execute a device's (system) ->suspend() callback. The callback is not executed if pm_runtime_suspended() returns true, but it does so for devices that don't even support runtime PM, because the power.disable_depth device field is ignored by it. This leads to problems (i.e.
devices are not suspended when they should), so rework pm_runtime_suspended() so that it returns false if the device's power.disable_depth field is different from zero.

Signed-off-by: Rafael J. Wysocki
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 998adceb18cdd62b03d267219eb1e967332a9663
Author: Alexey Starikovskiy
Date: Thu Dec 9 17:07:54 2010 -0500

ACPI: EC: Add another dmi match entry for MSI hardware

commit a5dc4f898c2a0f66e2cefada6c687db82ba2fcbc upstream.

http://bugzilla.kernel.org/show_bug.cgi?id=15418

Signed-off-by: Alexey Starikovskiy
Signed-off-by: Len Brown
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 8800f8aba29a1f6d9c0cb9612926802b03516b7f
Author: Peter Zijlstra
Date: Tue Nov 30 19:48:45 2010 +0100

sched: Cure more NO_HZ load average woes

commit 0f004f5a696a9434b7214d0d3cbd0525ee77d428 upstream.

There's a long-running regression that proved difficult to fix and which is hitting certain people and is rather annoying in its effects.

Damien reported that after 74f5187ac8 (sched: Cure load average vs NO_HZ woes) his load average is unnaturally high, he also noted that even with that patch reverted the load average numbers are not correct.

The problem is that the previous patch only solved half the NO_HZ problem, it addressed the part of going into NO_HZ mode, not of coming out of NO_HZ mode. This patch implements that missing half.

When coming out of NO_HZ mode there are two important things to take care of:

- Folding the pending idle delta into the global active count.
- Correctly aging the averages for the idle-duration.

So with this patch the NO_HZ interaction should be complete and behaviour between CONFIG_NO_HZ=[yn] should be equivalent.

Furthermore, this patch slightly changes the load average computation by adding a rounding term to the fixed point multiplication.

Reported-by: Damien Wyart
Reported-by: Tim McGrath
Tested-by: Damien Wyart
Tested-by: Orion Poplawski
Tested-by: Kyle McMartin
Signed-off-by: Peter Zijlstra
Signed-off-by: Andi Kleen
Cc: Chase Douglas
LKML-Reference: <1291129145.32004.874.camel@laptop>
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit 92bc7287b38e4eb45ff34b1cd1b543da9d1e71bd
Author: Jeremy Fitzhardinge
Date: Wed Dec 8 12:39:12 2010 -0800

xen: Provide a variant of __RING_SIZE() that is an integer constant expression

commit 667c78afaec0ac500908e191e8f236e9578d7b1f upstream.

Without this, gcc 4.5 won't compile xen-netfront and xen-blkfront, where this is being used to specify array sizes.

Signed-off-by: Jan Beulich
Signed-off-by: Jeremy Fitzhardinge
Signed-off-by: Andi Kleen
Cc: Jens Axboe
Cc: David Miller
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 78dd4b02b5d68c4d64557152a35941150f90ff82
Author: Heiko Carstens
Date: Fri Nov 26 13:42:47 2010 +0100

printk: Fix wake_up_klogd() vs cpu hotplug

commit 49f4138346b3cec2706adff02658fe27ceb1e46f upstream.

wake_up_klogd() may get called from preemptible context but uses __raw_get_cpu_var() to write to a per cpu variable. If it gets preempted between getting the address and writing to it, the cpu in question could be offline if the process gets scheduled back and hence writes to the per cpu data of an offline cpu.

This buggy behaviour was introduced with fa33507a "printk: robustify printk, fix #2" which was supposed to fix a "using smp_processor_id() in preemptible" warning.

Let's use this_cpu_write() instead which disables preemption and makes sure that the outlined scenario cannot happen.

Signed-off-by: Heiko Carstens
Acked-by: Eric Dumazet
Signed-off-by: Peter Zijlstra
Signed-off-by: Andi Kleen
LKML-Reference: <20101126124247.GC7023@osiris.boeblingen.de.ibm.com>
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit 89c24ec0eee40272f0387eeb6a6cc31e6bbc1544
Author: Andy Lutomirski
Date: Tue Nov 16 18:40:52 2010 -0500

nouveau: Acknowledge HPD irq in handler, not bottom half

commit ab838338a2a9e0cb8346eb0cab9977be13e8dce5 upstream.

The old code generated an interrupt storm bad enough to completely take down my system.

Signed-off-by: Andy Lutomirski
Signed-off-by: Ben Skeggs
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 53479596917f7de21c96b1af971370868129c8b2
Author: Bob Moore
Date: Sat Oct 23 01:36:40 2010 -0400

ACPICA: Fix Scope() op in module level code

commit 8df3fc981dc12d9fdcaef4100a2193b605024d7a upstream.

Some Panasonic Toughbooks create nodes in module level code. Module level code is the executable AML code outside of control method, for example, below AML code creates a node \_SB.PCI0.GFX0.DD02.CUBL

    If (\_OSI ("Windows 2006"))
    {
        Scope (\_SB.PCI0.GFX0.DD02)
        {
            Name (CUBL, Ones)
            ...
        }
    }

Scope() op does not actually create a new object, it refers to an existing object(\_SB.PCI0.GFX0.DD02 in above example). However, for Scope(), we want to indeed open a new scope, so the child nodes(CUBL in above example) can be created correctly under it.

https://bugzilla.kernel.org/show_bug.cgi?id=19462

Signed-off-by: Bob Moore
Signed-off-by: Lin Ming
Signed-off-by: Len Brown
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit d3c6045fee29a799083d3431da555053e3140eaf
Author: Vasiliy Kulikov
Date: Wed Nov 10 12:09:10 2010 -0800

net: packet: fix information leak to userland

[ Upstream commit 67286640f638f5ad41a946b9a3dc75327950248f ]

packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland.
It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: Vasiliy Kulikov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 64c80cfe40b35c06a7cbf2806fcc2c14460405ab Author: Mariusz Kozlowski Date: Mon Nov 8 11:58:45 2010 +0000 net: Fix header size check for GSO case in recvmsg (af_packet) [ Upstream commit 1f18b7176e2e41fada24584ce3c80e9abfaca52b] Parameter 'len' is size_t type so it will never get negative. Signed-off-by: Mariusz Kozlowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 44a913f55f16aa0495a378f62252512cf3ad4b29 Author: Eric Dumazet Date: Tue Nov 9 11:46:33 2010 -0800 net/dst: dst_dev_event() called after other notifiers [ Upstream commit 332dd96f7ac15e937088fe11f15cfe0210e8edd1 ] Followup of commit ef885afbf8a37689 (net: use rcu_barrier() in rollback_registered_many) dst_dev_event() scans a garbage dst list that might be feeded by various network notifiers at device dismantle time. Its important to call dst_dev_event() after other notifiers, or we might enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER, dev) to properly remove last device references. Use priority -10 to let dst_dev_notifier be called after other network notifiers (they have the default 0 priority) Reported-by: Ben Greear Reported-by: Nicolas Dichtel Reported-by: Octavian Purdila Reported-by: Benjamin LaHaise Tested-by: Ben Greear Signed-off-by: Eric Dumazet Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 0480c8a2bbec4fbc07c87cf035b0a55c20e97911 Author: Ben Hutchings Date: Fri Dec 17 10:16:23 2010 -0800 tehuti: Firmware filename is tehuti/bdx.bin [ Upstream commit 46814e08d80f87449b5adb3d549a3cae6f9f8148 ] My conversion of tehuti to use request_firmware() was confused about the filename of the firmware blob. Change the driver to match the blob. Signed-off-by: Ben Hutchings Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 0ead25e6311a5b894daf6dae9a9734a3262f8f89 Author: Apollon Oikonomopoulos Date: Tue Dec 7 09:43:30 2010 +0000 x25: decrement netdev reference counts on unload [ Upstream commit 171995e5d82dcc92bea37a7d2a2ecc21068a0f19] x25 does not decrement the network device reference counts on module unload. Thus unregistering any pre-existing interface after unloading the x25 module hangs and results in unregister_netdevice: waiting for tap0 to become free. Usage count = 1 This patch decrements the reference counts of all interfaces in x25_link_free, the way it is already done in x25_link_device_down for NETDEV_DOWN events. Signed-off-by: Apollon Oikonomopoulos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 41075cd5d8e431ad7f8eb4d57f851a7ad8fadc77 Author: Michal Marek Date: Mon Dec 6 02:39:12 2010 +0000 l2tp: Fix modalias of l2tp_ip [ Upstream commit e8d34a884e4ff118920bb57664def8a73b1b784f] Using the SOCK_DGRAM enum results in "net-pf-2-proto-SOCK_DGRAM-type-115", so use the numeric value like it is done in net/dccp. Signed-off-by: Michal Marek Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 9cd02000aea2084bbd44091f10877a3d921291d0 Author: Changli Gao Date: Sat Dec 4 14:09:08 2010 +0000 ifb: goto resched directly if error happens and dp->tq isn't empty [ Upstream commit 75c1c82566f23dd539fb7ccbf57a1caa7ba82628 ] If we break the loop when there are still skbs in tq and no skb in rq, the skbs will be left in txq until new skbs are enqueued into rq. In rare cases, no new skb is queued, then these skbs will stay in rq forever. After this patch, if tq isn't empty when we break the loop, we goto resched directly. Signed-off-by: Changli Gao Signed-off-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f59cbe486092c277cb7c00f048ed6701ebf6cdfa Author: David S. Miller Date: Wed Dec 8 18:42:23 2010 -0800 econet: Fix crash in aun_incoming(). [ Upstream commit 4e085e76cbe558b79b54cbab772f61185879bc64 ] Unconditional use of skb->dev won't work here, try to fetch the econet device via skb_dst()->dev instead. Suggested by Eric Dumazet. Reported-by: Nelson Elhage Tested-by: Nelson Elhage Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 2a0e5f9e12c4a9ab6ff63b2b6991232a4cb5a910 Author: Nelson Elhage Date: Wed Dec 8 10:13:55 2010 -0800 econet: Do the correct cleanup after an unprivileged SIOCSIFADDR. [ Upstream commit 0c62fc6dd02c8d793c75ae76a9b6881fc36388ad] We need to drop the mutex and do a dev_put, so set an error code and break like the other paths, instead of returning directly. Signed-off-by: Nelson Elhage Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 10cac669d7b9bad2207c2d63619fb265f8cb6486 Author: Eric Dumazet Date: Mon Dec 6 09:29:43 2010 -0800 filter: fix sk_filter rcu handling [ Upstream commit 46bcf14f44d8f31ecfdc8b6708ec15a3b33316d9 ] Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and sk_clone() in commit 47e958eac280c263397 Problem is we can have several clones sharing a common sk_filter, and these clones might want to sk_filter_attach() their own filters at the same time, and can overwrite old_filter->rcu, corrupting RCU queues. We can not use filter->rcu without being sure no other thread could do the same thing. Switch code to a more conventional ref-counting technique : Do the atomic decrement immediately and queue one rcu call back when last reference is released. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 9b8a00c1f467735fbead2228f331a1182c9bb643 Author: Herbert Xu Date: Wed Nov 3 13:31:05 2010 +0000 cls_cgroup: Fix crash on module unload [ Upstream commit c00b2c9e79466d61979cd21af526cc6d5d0ee04f ] Somewhere along the lines net_cls_subsys_id became a macro when cls_cgroup is built as a module. Not only did it make cls_cgroup completely useless, it also causes it to crash on module unload. This patch fixes this by removing that macro. Thanks to Eric Dumazet for diagnosing this problem. Reported-by: Randy Dunlap Signed-off-by: Herbert Xu Signed-off-by: Andi Kleen Reviewed-by: Li Zefan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 419765ea4d221ddb9f41558eb5948c7c838f34ba Author: David Stevens Date: Tue Dec 14 08:42:16 2010 +0000 bridge: fix IPv6 queries for bridge multicast snooping [ Upstream commit 76d661586c8131453ba75a2e027c1f21511a893a] This patch fixes a missing ntohs() for bridge IPv6 multicast snooping. Signed-off-by: David L Stevens Acked-by: Herbert Xu Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit f69a92aa29a6c15ccad53832a55c1418568f5977 Author: Hillf Danton Date: Fri Dec 10 18:54:11 2010 +0000 bonding: Fix slave selection bug. [ Upstream commit af3e5bd5f650163c2e12297f572910a1af1b8236 ] The returned slave is incorrect, if the net device under check is not charged yet by the master. Signed-off-by: Hillf Danton Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b89a67e20a5ea68eb607d38c7eb2cf78b29f897f Author: Joe Jin Date: Mon Dec 6 03:00:59 2010 +0000 driver/net/benet: fix be_cmd_multicast_set() memcpy bug [ Upstream commit 3fd40d0ceac9c234243730f4d7a6ffdb2fd3023a ] Regarding benet be_cmd_multicast_set() function, now using netdev_for_each_mc_addr() helper for mac address copy, but when copying to req->mac[] did not increase of the index. Cc: Sathya Perla Cc: Subbu Seetharaman Cc: Sarveshwar Bandi Cc: Ajit Khaparde Signed-off-by: Joe Jin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 3a734d802e9db68675d947def39b697d816b8232 Author: Vasiliy Kulikov Date: Wed Nov 10 10:14:33 2010 -0800 net: ax25: fix information leak to userland [ Upstream commit fe10ae53384e48c51996941b7720ee16995cbcb7 ] Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater field of fsa struct, also the struct has padding bytes between sax25_call and sax25_ndigis fields. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 80260452aed3ebb509e9cf6f77b5a1dd922f60ef Author: Eric Dumazet Date: Thu Nov 25 04:11:39 2010 +0000 af_unix: limit recursion level [ Upstream commit 25888e30319f8896fc656fc68643e6a078263060 ] Its easy to eat all kernel memory and trigger NMI watchdog, using an exploit program that queues unix sockets on top of others. lkml ref : http://lkml.org/lkml/2010/11/25/8 This mechanism is used in applications, one choice we have is to have a recursion limit. Other limits might be needed as well (if we queue other types of files), since the passfd mechanism is currently limited by socket receive queue sizes only. Add a recursion_level to unix socket, allowing up to 4 levels. Each time we send an unix socket through sendfd mechanism, we copy its recursion level (plus one) to receiver. This recursion level is cleared when socket receive queue is emptied. Reported-by: Марк Коренберг Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 993788a53aa0c8efd14922e799e0764220fa5a33 Author: David S. Miller Date: Wed Jun 16 16:18:25 2010 -0700 net: Export cred_to_ucred to modules. Upstream commit 3924773a5a82622167524bdd48799dc0452c57f8 AF_UNIX references this, and can be built as a module, so... Signed-off-by: David S. Miller Signed-off-by: Andi Kleen commit afa01a2cc021a5f03f02364bb867af3114395304 Author: Eric W. Biederman Date: Sun Jun 13 03:28:59 2010 +0000 sock: Introduce cred_to_ucred Upstream commit 3f551f9436c05a3b5eccdd6e94733df5bb98d2a5 To keep the coming code clear and to allow both the sock code and the scm code to share the logic introduce a fuction to translate from struct cred to struct ucred. Signed-off-by: Eric W. Biederman Acked-by: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Andi Kleen commit 7d77e1c063cba215c6217e0fca3bbd4f53ec7f4d Author: Eric W. 
Biederman Date: Sun Jun 13 03:28:03 2010 +0000 user_ns: Introduce user_nsmap_uid and user_ns_map_gid. Upstream commit 5c1469de7545a35a16ff2b902e217044a7d2f8a5 Define what happens when we view a uid from one user_namespace in another user_namespace. - If the user namespaces are the same no mapping is necessary. - For most cases of difference use overflowuid and overflowgid, the uid and gid currently used for 16bit apis when we have a 32bit uid that does fit in 16bits. Effectively the situation is the same, we want to return a uid or gid that is not assigned to any user. - For the case when we happen to be mapping the uid or gid of the creator of the target user namespace use uid 0 and gid as confusing that user with root is not a problem. Signed-off-by: Eric W. Biederman Acked-by: Serge E. Hallyn Signed-off-by: David S. Miller Signed-off-by: Andi Kleen commit 76319701efb717e4a159f4cdb159646c6862e6a0 Author: Eric W. Biederman Date: Sun Jun 13 03:34:33 2010 +0000 af_unix: Allow credentials to work across user and pid namespaces. Upstream commit 7361c36c5224519b258219fe3d0e8abc865d8134 In unix_skb_parms store pointers to struct pid and struct cred instead of raw uid, gid, and pid values, then translate the credentials on reception into values that are meaningful in the receiving processes namespaces. Signed-off-by: Eric W. Biederman Acked-by: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Andi Kleen commit cab9e9848b9a8283b0504a2d7c435a9f5ba026de Author: Eric W. Biederman Date: Sun Jun 13 03:32:34 2010 +0000 scm: Capture the full credentials of the scm sender. Upstream commit 257b5358b32f17e0603b6ff57b13610b0e02348f Start capturing not only the userspace pid, uid and gid values of the sending process but also the struct pid and struct cred of the sending process as well. This is in preparation for properly supporting SCM_CREDENTIALS for sockets that have different uid and/or pid namespaces at the different ends. Signed-off-by: Eric W. 
Biederman Acked-by: Serge E. Hallyn Signed-off-by: David S. Miller Signed-off-by: Andi Kleen commit 4d6d4fae2b988f48b94d93bc398fdf353463ec40 Author: Eric Dumazet Date: Wed Nov 24 09:15:27 2010 -0800 af_unix: limit unix_tot_inflight [ Upstream commit 9915672d41273f5b77f1b3c29b391ffb7732b84b ] Vegard Nossum found a unix socket OOM was possible, posting an exploit program. My analysis is we can eat all LOWMEM memory before unix_gc() being called from unix_release_sock(). Moreover, the thread blocked in unix_gc() can consume huge amount of time to perform cleanup because of huge working set. One way to handle this is to have a sensible limit on unix_tot_inflight, tested from wait_for_unix_gc() and to force a call to unix_gc() if this limit is hit. This solves the OOM and also reduces overall latencies, and should not slow down normal workloads. Reported-by: Vegard Nossum Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b628317b1d1a58bc5722c982fce2729120438734 Author: françois romieu Date: Mon Nov 8 13:23:58 2010 +0000 r8169: fix sleeping while holding spinlock. [ Upstream commit ea80907ff066edd1dd43c5fe90ae6677d15e6384 ] As device_set_wakeup_enable can now sleep, move the call to outside the critical section. Signed-off-by: Daniel J Blueman Acked-by: Rafael J. Wysocki Acked-by: Andrew Hendry Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4fef93a724a0294bc372e3f0049b5f9dfa09e44e Author: Shan Wei Date: Wed Nov 17 11:55:08 2010 -0800 8139cp: fix checksum broken [ Upstream commit 24b7ea9f6c9787fad885442ed0cc010f1aa69cca ] I am not familiar with RealTek RTL-8139C+ series 10/100 PCI Ethernet driver. I try to guess the meaning of RxProtoIP and IPFail. RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp. !(status & IPFail) is true means that driver correctly to check checksum in IPv4 header. 
If these are right, driver will set ip_summed with CHECKSUM_UNNECESSARY for other upper protocol, e.g. sctp, igmp protocol. This will cause the protocol stack to ignore the checksum check for packets with invalid checksum. This patch is only compile-tested. Signed-off-by: Shan Wei Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 5f8d6ba121ac7b0651396e8ce71c6fea4befca45 Author: Eric Dumazet Date: Tue Dec 7 12:20:47 2010 +0000 tcp: protect sysctl_tcp_cookie_size reads [ Upstream commit f19872575ff7819a3723154657a497d9bca66b33 ] Make sure sysctl_tcp_cookie_size is read once in tcp_cookie_size_check(), or we might return an illegal value to caller if sysctl_tcp_cookie_size is changed by another cpu. Signed-off-by: Eric Dumazet Signed-off-by: Andi Kleen Cc: Ben Hutchings Cc: William Allen Simpson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d98450d683e13c6af7b5219af44cea2671dc07ea Author: Eric Dumazet Date: Tue Dec 7 12:03:55 2010 +0000 tcp: avoid a possible divide by zero [ Upstream commit ad9f4f50fe9288bbe65b7dfd76d8820afac6a24c ] sysctl_tcp_tso_win_divisor might be set to zero while one cpu runs in tcp_tso_should_defer(). Make sure we don't allow a divide by zero by reading sysctl_tcp_tso_win_divisor exactly once. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 9a4b8e0c3674f6506c5a2b3c7ac5ea37e297c0a0 Author: Nandita Dukkipati Date: Fri Dec 3 13:33:44 2010 +0000 tcp: Bug fix in initialization of receive window. [ Upstream commit b1afde60f2b9ee8444fba4e012dc99a3b28d224d ] The bug has to do with boundary checks on the initial receive window. If the initial receive window falls between init_cwnd and the receive window specified by the user, the initial window is incorrectly brought down to init_cwnd. The correct behavior is to allow it to remain unchanged. Signed-off-by: Nandita Dukkipati Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 98fd120a33e16892e305107f33ab6525b7751421 Author: David S. Miller Date: Wed Nov 24 11:47:22 2010 -0800 tcp: Make TCP_MAXSEG minimum more correct. [ Upstream commit c39508d6f118308355468314ff414644115a07f3 ] Use TCP_MIN_MSS instead of constant 64. Reported-by: Min Zhang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 0575b918879bdc762d41b9d8b322a3bfcb7b29e0 Author: David S. Miller Date: Wed Nov 10 21:35:37 2010 -0800 tcp: Increase TCP_MAXSEG socket option minimum. [ Upstream commit 7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2 ] As noted by Steve Chen, since commit f5fff5dc8a7a3f395b0525c02ba92c95d42b7390 ("tcp: advertise MSS requested by user") we can end up with a situation where tcp_select_initial_window() does a divide by a zero (or even negative) mss value. The problem is that sometimes we effectively subtract TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss. Fix this by increasing the minimum from 8 to 64. Reported-by: Steve Chen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 433591a15ed9237eb89ae123334ae8389e0e95a5 Author: David S. Miller Date: Fri Nov 12 13:35:00 2010 -0800 tcp: Don't change unlocked socket state in tcp_v4_err(). [ Upstream commit 8f49c2703b33519aaaccc63f571b465b9d2b3a2d ] Alexey Kuznetsov noticed a regression introduced by commit f1ecd5d9e7366609d640ff4040304ea197fbc618 ("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable") The RTO and timer modification code added to tcp_v4_err() doesn't check sock_owned_by_user(), which if true means we don't have exclusive access to the socket and therefore cannot modify its critical state. Just skip this new code block if sock_owned_by_user() is true and eliminate the now superfluous sock_owned_by_user() code block contained within. Reported-by: Alexey Kuznetsov Signed-off-by: David S. 
Miller Signed-off-by: Andi Kleen CC: Damian Lukowski Acked-by: Eric Dumazet Signed-off-by: Greg Kroah-Hartman commit bd5560f20742f1156c97838e51dbf655ff99058b Author: David S. Miller Date: Tue Nov 30 20:15:58 2010 -0800 sparc: Write to prom console using indirect buffer. [ Upstream commit 595a251c0740785fd3c0d2156d78578c7479811e ] sparc64 systems have a restriction in that passing in buffer addresses above 4GB to prom calls is not reliable. We end up violating this when we do prom console writes, because we use an on-stack buffer to translate '\n' into '\r\n'. So instead, do this translation into an intermediate buffer, which is in the kernel image and thus below 4GB, then pass that to the PROM console write calls. On the 32-bit side we don't have to deal with any of these issues, so the new prom_console_write_buf() uses the existing prom_nbputchar() implementation. However we can now mark those routines static. Since the 64-bit side completely uses new code we can delete the putchar bits as they are now completely unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 84cf2fdf054b07ad33b71665a10816a3f60136ec Author: David S. Miller Date: Tue Nov 30 14:53:05 2010 -0800 sparc: Delete prom_*getchar(). [ Upstream commit 12c7a35ee6a1c605e740733f2cbd5b5079f09f0f ] Completely unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit fc60be699493ebfb7f8b9559c680f82e800f4aae Author: David S. Miller Date: Tue Nov 30 14:33:29 2010 -0800 sparc: Pass buffer pointer all the way down to prom_{get,put}char(). [ Upstream commit e62cac1fd035b4cde707285008499dbe71955a86 ] This gets us closer to being able to eliminate the use of dynamic and stack based buffers, so that we can adhere to the "no buffer addresses above 4GB" rule for PROM calls. Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 2b06fa9327ca7ebc1f2001dbf7938732e6b07cce Author: David S. Miller Date: Wed Nov 17 10:22:56 2010 -0800 sparc: Do not export prom_nb{get,put}char(). [ Upstream commit 91921fef7c658b12de53376b312d071d757f7770 ] Never used outside of console_{32,64}.c Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 91d6efa40733c84a21bfd2173f1187da2077c262 Author: David S. Miller Date: Tue Nov 16 12:50:19 2010 -0800 sparc64: Delete prom_setcallback(). [ Upstream commit c540ee70e49b573535c7ddfd0e9a0fc9d549c8b7 ] Unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4d05954829617507c44318015dc005b665ab564b Author: David S. Miller Date: Tue Nov 16 12:24:16 2010 -0800 sparc64: Unexport prom_service_exists(). [ Upstream commit f7b5f55ac1623dfde24ef5319ad77c1746645f3f ] Only used by functions in misc_64.c so make it private to that file. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 785bdcaa9babda16ce7c081966dd3d316a253b0b Author: David S. Miller Date: Tue Nov 16 12:23:20 2010 -0800 sparc: Kill prom devops_{32,64}.c [ Upstream commit b148246912bea92bde2a0cba125ca94f1f776b12 ] Completely unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e63907b82666ff267e816e2b781f3c14b7d02d95 Author: David S. Miller Date: Tue Nov 16 12:11:15 2010 -0800 sparc: Remove prom_pathtoinode() [ Upstream commit 17d70d6df0c4ea7a203b444001572a91ad9c2bef ] Unused. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 55e056f742d2032972062a832316a822f7e801b6 Author: David S. Miller Date: Tue Nov 16 12:08:23 2010 -0800 sparc64: Delete prom_puts() unused. [ Upstream commit ce05a94efaf71d562eeefd30d6bbc2ab42b06bac ] Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit aeb51d41f63a8e836a055b56d9b59ec895eac312 Author: Daniel Hellstrom Date: Fri Oct 29 13:25:24 2010 -0700 SPARC/LEON: removed constant timer initialization as if HZ=100, now it reflects the value of HZ [ Upstream commit b690c425fe07c725e7f1f7d40303588416cba67f ] Signed-off-by: Daniel Hellstrom Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 3d0e4a52260a47ea1cac84b3ca16bb2582157b52 Author: Helmut Schaa Date: Thu Dec 2 18:44:09 2010 +0100 mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs commit 7e2447075690860e2cea96b119fc9cadbaa7e83c upstream. mac80211 doesn't handle shared skbs correctly at the moment. As a result a possible resize can trigger a BUG in pskb_expand_head. [ 676.030000] Kernel bug detected[#1]: [ 676.030000] Cpu 0 [ 676.030000] $ 0 : 00000000 00000000 819662ff 00000002 [ 676.030000] $ 4 : 81966200 00000020 00000000 00000020 [ 676.030000] $ 8 : 819662e0 800043c0 00000002 00020000 [ 676.030000] $12 : 3b9aca00 00000000 00000000 00470000 [ 676.030000] $16 : 80ea2000 00000000 00000000 00000000 [ 676.030000] $20 : 818aa200 80ea2018 80ea2000 00000008 [ 676.030000] $24 : 00000002 800ace5c [ 676.030000] $28 : 8199a000 8199bd20 81938f88 80f180d4 [ 676.030000] Hi : 0000026e [ 676.030000] Lo : 0000757e [ 676.030000] epc : 801245e4 pskb_expand_head+0x44/0x1d8 [ 676.030000] Not tainted [ 676.030000] ra : 80f180d4 ieee80211_skb_resize+0xb0/0x114 [mac80211] [ 676.030000] Status: 1000a403 KERNEL EXL IE [ 676.030000] Cause : 10800024 [ 676.030000] PrId : 0001964c (MIPS 24Kc) [ 676.030000] Modules linked in: mac80211_hwsim rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 aes_generic deflate ecb cbc [last unloaded: rt2800pci] [ 676.030000] Process kpktgend_0 (pid: 97, threadinfo=8199a000, task=81879f48, tls=00000000) [ 676.030000] Stack : ffffffff 00000000 00000000 00000014 00000004 80ea2000 
00000000 00000000 [ 676.030000] 818aa200 80f180d4 ffffffff 0000000a 81879f78 81879f48 81879f48 00000018 [ 676.030000] 81966246 80ea2000 818432e0 80f1a420 80203050 81814d98 00000001 81879f48 [ 676.030000] 81879f48 00000018 81966246 818432e0 0000001a 8199bdd4 0000001c 80f1b72c [ 676.030000] 80203020 8001292c 80ef4aa2 7f10b55d 801ab5b8 81879f48 00000188 80005c90 [ 676.030000] ... [ 676.030000] Call Trace: [ 676.030000] [<801245e4>] pskb_expand_head+0x44/0x1d8 [ 676.030000] [<80f180d4>] ieee80211_skb_resize+0xb0/0x114 [mac80211] [ 676.030000] [<80f1a420>] ieee80211_xmit+0x150/0x22c [mac80211] [ 676.030000] [<80f1b72c>] ieee80211_subif_start_xmit+0x6f4/0x73c [mac80211] [ 676.030000] [<8014361c>] pktgen_thread_worker+0xfac/0x16f8 [ 676.030000] [<8002ebe8>] kthread+0x7c/0x88 [ 676.030000] [<80008e0c>] kernel_thread_helper+0x10/0x18 [ 676.030000] [ 676.030000] [ 676.030000] Code: 24020001 10620005 2502001f <0200000d> 0804917a 00000000 2502001f 00441023 00531021 Fix this by making a local copy of shared skbs prior to mangling them. To avoid copying the skb unnecessarily move the skb_copy call below the checks that don't need write access to the skb. Also, move the assignment of nh_pos and h_pos below the skb_copy to point to the correct skb. It would be possible to avoid another resize of the copied skb by using skb_copy_expand instead of skb_copy but that would make the patch more complex. Also, shared skbs are a corner case right now, so the resize shouldn't matter much. Cc: Johannes Berg Signed-off-by: Helmut Schaa Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 798a5d41ed663468e5e02b1ebf028d6b06ed68bf Author: Matteo Croce Date: Fri Dec 3 02:25:08 2010 +0100 ath9k: fix bug in tx power commit 841051602e3fa18ea468fe5a177aa92b6eb44b56 upstream. The ath9k driver subtracts 3 dBm to the txpower as with two radios the signal power is doubled. 
The resulting value is assigned in an u16 which overflows and makes the card work at full power. Signed-off-by: Matteo Croce Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 33afb8f469d30dc23985054ebe6a571bf33994b5 Author: Rajkumar Manoharan Date: Fri Nov 26 23:24:31 2010 +0530 ath9k: Disable SWBA interrupt on remove_interface commit 46047784b8cdcfc916f6c1cccee0c18dd1223dfd upstream. While removing beaconing mode interface, SWBA interrupt was never disabled when there are no other beaconing interfaces. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 687a93bcec28a4fca0f8db0ea756cd0c25361a84 Author: Eric Dumazet Date: Sun Dec 5 02:03:26 2010 +0000 llc: fix a device refcount imbalance commit 35d9b0c906ad92d32a0b8db5daa6fabfcc2f068d upstream. On Sunday, 5 December 2010 at 12:23 +0100, Eric Dumazet wrote: > On Sunday, 5 December 2010 at 09:19 +0100, Eric Dumazet wrote: > > > Hmm.. > > > > If somebody can explain why RTNL is held in arp_ioctl() (and therefore > > in arp_req_delete()), we might first remove RTNL use in arp_ioctl() so > > that your patch can be applied. > > > > Right now it is not good, because RTNL won't be necessarily held when you > > are going to call arp_invalidate() ? > > While doing this analysis, I found a refcount bug in llc, I'll send a > patch for net-2.6 Oh well, of course I must first fix the bug in net-2.6, and wait for David to pull the fix in net-next-2.6 before sending this rcu conversion. Note: this patch should be sent to stable teams (2.6.34 and up) [PATCH net-2.6] llc: fix a device refcount imbalance commit abf9d537fea225 (llc: add support for SO_BINDTODEVICE) added one refcount imbalance in llc_ui_bind(), because dev_getbyhwaddr() doesn't take a reference on device, while dev_get_by_index() does. Fix this using RCU locking. 
And since an RCU conversion will be done for 2.6.38 for dev_getbyhwaddr(), put the rcu_read_lock/unlock exactly at their final place. Signed-off-by: Eric Dumazet Signed-off-by: Andi Kleen Cc: Octavian Purdila Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 80cb488d71fe19df2f0883ab13bc7d1bd9d48b00 Author: Mike Hernandez Date: Tue Nov 23 16:52:46 2010 -0800 qla2xxx: Populate Command Type 6 LUN field properly. commit 85727e1f78bd8392a0657ad6a4ff85fef1cc4a6d upstream. Use the host_to_fcp_swap call to correctly populate the LUN field in the Command Type 6 path. This field is used during LUN reset cleanup and must match the field used in the FCP command. Signed-off-by: Mike Hernandez Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e54e2bc342ab4be42927a81ced977ab4b83b1ee8 Author: Andrew Vasquez Date: Tue Nov 23 16:52:48 2010 -0800 qla2xxx: Correct issue where NPIV-config data was not being allocated for 82xx parts. commit 087c621e22f49c326cdc65d98c6fc0737ac13533 upstream. This would cause a panic while reading the NPIV-config data. Signed-off-by: Andrew Vasquez Signed-off-by: Madhuranath Iyengar Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit b0bb779b06b9b41e6e40d70300a99ca72a1b1873 Author: Valentine Barshak Date: Tue Dec 14 00:03:16 2010 +0100 ARM: 6535/1: V6 MPCore v6_dma_inv_range and v6_dma_flush_range RWFO fix commit 85b093bcc5322baa811a03ec73de0909c157f181 upstream. Cache ownership must be acquired by reading/writing data from the cache line to make cache operation have the desired effect on the SMP MPCore CPU. However, the ownership is never acquired in the v6_dma_inv_range function when cleaning the first line and flushing the last one, in case the address is not aligned to D_CACHE_LINE_SIZE boundary. Fix this by reading/writing data if needed, before performing cache operations. 
While at it, fix v6_dma_flush_range to prevent RWFO outside the buffer. Signed-off-by: Valentine Barshak Signed-off-by: George G. Davis Acked-by: Catalin Marinas Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit c85b1ca3a94d0a1de278faf545daa765f671b59b Author: Takashi Iwai Date: Fri Dec 10 00:16:39 2010 +0100 PM / Hibernate: Fix PM_POST_* notification with user-space suspend commit 1497dd1d29c6a53fcd3c80f7ac8d0e0239e7389e upstream. The user-space hibernation sends a wrong notification after the image restoration because of thinko for the file flag check. RDONLY corresponds to hibernation and WRONLY to restoration, confusingly. Signed-off-by: Takashi Iwai Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 83ec6d3cccb0cd67613880b32c85fec88233d681 Author: Dan Carpenter Date: Wed Oct 13 09:13:12 2010 +0000 IB/uverbs: Handle large number of entries in poll CQ commit 7182afea8d1afd432a17c18162cc3fd441d0da93 upstream. In ib_uverbs_poll_cq() code there is a potential integer overflow if userspace passes in a large cmd.ne. The calls to kmalloc() would allocate smaller buffers than intended, leading to memory corruption. There is also an information leak if resp wasn't all used. Unprivileged userspace may call this function, although only if an RDMA device that uses this function is present. Fix this by copying CQ entries one at a time, which avoids the allocation entirely, and also by moving this copying into a function that makes sure to initialize all memory copied to userspace. Special thanks to Jason Gunthorpe for his help and advice. Signed-off-by: Dan Carpenter Signed-off-by: Andi Kleen [ Monkey around with things a bit to avoid bad code generation by gcc when designated initializers are used. 
- Roland ] Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit cc5d8c885a5ee338ab69f39e59f6703bdb901496 Author: Suresh Siddha Date: Tue Nov 16 13:23:51 2010 -0800 x86, xsave: Use alloc_bootmem_align() instead of alloc_bootmem() commit 10340ae130fb70352eae1ae8a00b7906d91bf166 upstream. Alignment of alloc_bootmem() depends on the value of L1_CACHE_SHIFT. What we need here, however, is 64 byte alignment. Use alloc_bootmem_align() and explicitly specify the alignment instead. This fixes a kernel boot crash reported by Jody when the cpu in .config is set to MPENTIUMII but the kernel is booted on a xsave-capable CPU. Reported-by: Jody Bruchon Signed-off-by: Suresh Siddha Signed-off-by: Andi Kleen LKML-Reference: <20101116212442.059967454@sbsiddha-MOBL3.sc.intel.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 8724a1ca50969118196309121f0ba7179bcf8ee1 Author: Suresh Siddha Date: Tue Nov 16 13:23:50 2010 -0800 bootmem: Add alloc_bootmem_align() commit 53dde5f385bc56e312f78b7cb25ffaf8efd4735d upstream. Add an alloc_bootmem_align() interface to allocate bootmem with specified alignment. This is necessary to be able to allocate the xsave area in a subsequent patch. Signed-off-by: Suresh Siddha Signed-off-by: Andi Kleen LKML-Reference: <20101116212441.977574826@sbsiddha-MOBL3.sc.intel.com> Acked-by: H. Peter Anvin Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 6d597031f300ad36db98f888bb148914a2b0386b Author: Dmitry Artamonow Date: Wed Dec 8 23:36:17 2010 +0300 ASoC: fix deemphasis control in wm8904/55/60 codecs commit 3f343f8512c7882a3637d9aea4ec6b3801cbcdc5 upstream. Deemphasis control's .get callback should update control's value instead of returning it - return value of callback function is used for indicating error or success of operation. 
Signed-off-by: Dmitry Artamonow Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 92ba39dad3910e43309686bd978d2f3e7a953281 Author: Seungwhan Youn Date: Thu Dec 9 18:07:52 2010 +0900 ASoC: WM8580: Fix R8 initial value commit a0968628097380be52db8b4664da98fc425546a5 upstream. Acc to WM8580 manual, the default value for R8 is 0x10, not 0x1c. Signed-off-by: Seungwhan Youn Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 1c33da96e2e2b6c4994367d7a4702db566ccd428 Author: Uk Kim Date: Sun Dec 5 17:32:16 2010 +0900 ASoC: Fix off by one error in WM8994 EQ register bank size commit 3fcc0afbb9c93f3599ba03273e59915670b6c2c2 upstream. Signed-off-by: Uk Kim Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 4aaf959ea379034a6b010be9c3acc88a14f97642 Author: Uk Kim Date: Sun Dec 5 17:26:07 2010 +0900 ASoC: Fix swap of left and right channels for WM8993/4 speaker boost gain commit ed8cc471d75365f8590c76f580def899d58028c0 upstream. SPKOUTL_BOOST start from third bit, SPKOUTLR_BOOST start from 0 bit. Signed-off-by: Uk Kim Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit e4e576308d04c71d1f68e8896daeb5f49afd7ff2 Author: Borislav Petkov Date: Mon Dec 6 16:20:25 2010 +0100 amd64_edac: Fix interleaving check commit e726f3c368e7c1919a7166ec09c5705759f1a69d upstream. When matching error address to the range contained by one memory node, we're in valid range when node interleaving 1. is disabled, or 2. enabled and when the address bits we interleave on match the interleave selector on this node (see the "Node Interleaving" section in the BKDG for an enlightening example). Thus, when we early-exit, we need to reverse the compound logic statement properly. 
Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 96c72bbe72854a8680cf3a03e3bf027e8eb7ef55 Author: Borislav Petkov Date: Thu Dec 2 17:48:35 2010 +0100 EDAC: Fix workqueue-related crashes commit bb31b3122c0dd07d2d958da17a50ad771ce79e2b upstream. 00740c58541b6087d78418cebca1fcb86dc6077d changed edac_core to un-/register a workqueue item only if a lowlevel driver supplies a polling routine. Normally, when we remove a polling low-level driver, we go and cancel all the queued work. However, the workqueue unreg happens based on the ->op_state setting, and edac_mc_del_mc() sets this to OP_OFFLINE _before_ we cancel the work item, leading to NULL ptr oops on the workqueue list. Fix it by putting the unreg stuff in proper order. Reported-and-tested-by: Tobias Karnat LKML-Reference: <1291201307.3029.21.camel@Tobias-Karnat> Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 61ae3863b6d326bf6b24cb24ceb59025dbdf4d52 Author: Gabriele Gorla Date: Wed Dec 8 16:27:22 2010 +0100 hwmon: (adm1026) Fix setting fan_div commit 52bc9802ce849d0d287cc5fe76d06b0daa3986ca upstream. Prevent setting fan_div from stomping on other fans that share the same I2C register. Signed-off-by: Gabriele Gorla Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 998bd06665b1c8e1abb8c99c96f6db4103b793e4 Author: Gabriele Gorla Date: Wed Dec 8 16:27:22 2010 +0100 hwmon: (adm1026) Allow 1 as a valid divider value commit 8b0f1840a46449e1946fc88860ef3ec8d6b1c2c7 upstream. Allow 1 as a valid div value as specified in the ADM1026 datasheet. Signed-off-by: Gabriele Gorla Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 33d4654fd103c1eb2a203074b14d8cd1a584ace7 Author: NeilBrown Date: Tue Nov 16 16:55:19 2010 +1100 sunrpc: prevent use-after-free on clearing XPT_BUSY commit ed2849d3ecfa339435818eeff28f6c3424300cec upstream. 
When an xprt is created, it has a refcount of 1, and XPT_BUSY is set. The refcount is *not* owned by the thread that created the xprt (as is clear from the fact that creators never put the reference). Rather, it is owned by the absence of XPT_DEAD. Once XPT_DEAD is set, (And XPT_BUSY is clear) that initial reference is dropped and the xprt can be freed. So when a creator clears XPT_BUSY it is dropping its only reference and so must not touch the xprt again. However svc_recv, after calling ->xpo_accept (and so getting an XPT_BUSY reference on a new xprt), calls svc_xprt_recieved. This clears XPT_BUSY and then svc_xprt_enqueue - this last without owning a reference. This is dangerous and has been seen to leave svc_xprt_enqueue working with an xprt containing garbage. So we need to hold an extra counted reference over that call to svc_xprt_received. For safety, any time we clear XPT_BUSY and then use the xprt again, we first get a reference, and then put it again afterwards. Note that svc_close_all does not need this extra protection as there are no threads running, and the final free can only be called asynchronously from such a thread. Signed-off-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 2341d3c4085fb6d075d6e146c0093f277396249f Author: Sergey Vlasov Date: Sun Nov 28 21:04:05 2010 +0000 NFS: Fix fcntl F_GETLK not reporting some conflicts commit 21ac19d484a8ffb66f64487846c8d53afef04d2b upstream. The commit 129a84de2347002f09721cda3155ccfd19fade40 (locks: fix F_GETLK regression (failure to find conflicts)) fixed the posix_test_lock() function by itself, however, its usage in NFS changed by the commit 9d6a8c5c213e34c475e72b245a8eb709258e968c (locks: give posix_test_lock same interface as ->lock) remained broken - subsequent NFS-specific locking code received F_UNLCK instead of the user-specified lock type. 
To fix the problem, fl->fl_type needs to be saved before the posix_test_lock() call and restored if no local conflicts were reported. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=23892 Tested-by: Alexander Morozov Signed-off-by: Sergey Vlasov Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 74526c3deda36c784c87ba977550234a95ecbb05 Author: Neil Brown Date: Thu Dec 2 11:14:30 2010 +1100 nfsd: Fix possible BUG_ON firing in set_change_info commit c1ac3ffcd0bc7e9617f62be8c7043d53ab84deac upstream. If vfs_getattr in fill_post_wcc returns an error, we don't set fh_post_change. For NFSv4, this can result in set_change_info triggering a BUG_ON. i.e. fh_post_saved being zero isn't really a bug. So: - instead of BUGging when fh_post_saved is zero, just clear ->atomic. - if vfs_getattr fails in fill_post_wcc, take a copy of i_ctime anyway. This will be used in set_change_info, but not overly trusted. - While we are there, remove the pointless 'if' statements in set_change_info. There is no harm setting all the values. Signed-off-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit cdda0cb15d14a9c49c337e0bb9b69a392290016d Author: Chuck Lever Date: Fri Dec 10 12:31:14 2010 -0500 NFS: Fix panic after nfs_umount() commit 5b362ac3799ff4225c40935500f520cad4d7ed66 upstream. After a few unsuccessful NFS mount attempts in which the client and server cannot agree on an authentication flavor both support, the client panics. nfs_umount() is invoked in the kernel in this case. Turns out nfs_umount()'s UMNT RPC invocation causes the RPC client to write off the end of the rpc_clnt's iostat array. This is because the mount client's nrprocs field is initialized with the count of defined procedures (two: MNT and UMNT), rather than the size of the client's proc array (four). The fix is to use the same initialization technique used by most other upper layer clients in the kernel. 
Introduced by commit 0b524123, which failed to update nrprocs when support was added for UMNT in the kernel. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=24302 BugLink: http://bugs.launchpad.net/bugs/683938 Reported-by: Stefan Bader Tested-by: Stefan Bader Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman Signed-off-by: Andi Kleen commit 8a1e3d609bb1b445e34b8bc05ac87de89c4483e8 Author: Heiko Carstens Date: Wed Dec 1 10:11:09 2010 +0100 nohz: Fix get_next_timer_interrupt() vs cpu hotplug commit dbd87b5af055a0cc9bba17795c9a2b0d17795389 upstream. This fixes a bug as seen on 2.6.32 based kernels where timers got enqueued on offline cpus. If a cpu goes offline it might still have pending timers. These will be migrated during CPU_DEAD handling after the cpu is offline. However while the cpu is going offline it will schedule the idle task which will then call tick_nohz_stop_sched_tick(). That function in turn will call get_next_timer_intterupt() to figure out if the tick of the cpu can be stopped or not. If it turns out that the next tick is just one jiffy off (delta_jiffies == 1) tick_nohz_stop_sched_tick() incorrectly assumes that the tick should not stop and takes an early exit and thus it won't update the load balancer cpu. Just afterwards the cpu will be killed and the load balancer cpu could be the offline cpu. On 2.6.32 based kernel get_nohz_load_balancer() gets called to decide on which cpu a timer should be enqueued (see __mod_timer()). Which leads to the possibility that timers get enqueued on an offline cpu. These will never expire and can cause a system hang. This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses get_nohz_timer_target() which doesn't have that problem. However there might be other problems because of the too early exit tick_nohz_stop_sched_tick() in case a cpu goes offline. 
The easiest and probably safest fix seems to be to let get_next_timer_interrupt() just lie and let it say there isn't any pending timer if the current cpu is offline.

I also thought of moving migrate_[hr]timers() from CPU_DEAD to CPU_DYING, but seeing that there already have been fixes at least in the hrtimer code in this area I'm afraid that this could add new subtle bugs.

Signed-off-by: Heiko Carstens
Signed-off-by: Peter Zijlstra
Signed-off-by: Andi Kleen
LKML-Reference: <20101201091109.GA8984@osiris.boeblingen.de.ibm.com>
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit 027f49d5bf115eab63c9ef504a76c1a9711fca66
Author: Heiko Carstens
Date: Fri Nov 26 13:00:59 2010 +0100

nohz: Fix printk_needs_cpu() return value on offline cpus

commit 61ab25447ad6334a74e32f60efb135a3467223f8 upstream.

This patch fixes a hang observed with 2.6.32 kernels where timers got enqueued on offline cpus.

printk_needs_cpu() may return 1 if called on offline cpus. When a cpu gets offlined it schedules the idle process which, before killing its own cpu, will call tick_nohz_stop_sched_tick(). That function in turn will call printk_needs_cpu() in order to check if the local tick can be disabled. On offline cpus this function should naturally return 0 since regardless if the tick gets disabled or not the cpu will be dead shortly after. That is besides the fact that __cpu_disable() should already have made sure that no interrupts on the offlined cpu will be delivered anyway.

In this case it prevents tick_nohz_stop_sched_tick() from calling select_nohz_load_balancer(). No idea if that really is a problem. However what made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is used within __mod_timer() to select a cpu on which a timer gets enqueued. If printk_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get updated when a cpu gets offlined. It may contain the cpu number of an offline cpu.
In turn timers get enqueued on an offline cpu and not very surprisingly they never expire and cause system hangs.

This has been observed on 2.6.32 kernels. On current kernels __mod_timer() uses get_nohz_timer_target() which doesn't have that problem. However there might be other problems because of the too early exit tick_nohz_stop_sched_tick() in case a cpu goes offline.

Easiest way to fix this is just to test if the current cpu is offline and call printk_tick() directly which clears the condition.

Alternatively I tried a cpu hotplug notifier which would clear the condition, however between calling the notifier function and printk_needs_cpu() something could have called printk() again and the problem is back again. This seems to be the safest fix.

Signed-off-by: Heiko Carstens
Signed-off-by: Peter Zijlstra
Signed-off-by: Andi Kleen
LKML-Reference: <20101126120235.406766476@de.ibm.com>
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit e3e8f697884d634e45e31734bc16d20a45452cb6
Author: Alex Deucher
Date: Fri Dec 3 14:37:22 2010 -0500

drm/radeon/kms: fix vram base calculation on rs780/rs880

commit 8961d52d4cc52edf5672f8f2712c57162b736793 upstream.

Avoid overflowing a 32 bit value.

Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 6b3a20cdc30067b8825c7f773a3b0b16cb56ed21
Author: Alex Deucher
Date: Wed Dec 8 19:09:42 2010 -0500

drm/kms: remove spaces from connector names (v2)

commit e76116ca9671e2e5239054a40303b94feab585ad upstream.

Grub doesn't parse spaces in parameters correctly, so this makes it impossible to force video= parameters for kms on the grub kernel command line.

v2: shorten the names to make them easier to type.
Reported-by: Sergej Pupykin
Cc: Sergej Pupykin
Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 099433591bd86e532987a4e481fe351c4237386e
Author: Alex Deucher
Date: Wed Dec 8 10:05:34 2010 -0500

drm/radeon/kms: don't apply 7xx HDP flush workaround on AGP

commit f3886f85cfde578f1d0ba6e40ac5f9d70043923b upstream.

It should be required for all 7xx asics, but seems to cause problems on some AGP 7xx chips.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=19002

Signed-off-by: Alex Deucher
Signed-off-by: Andi Kleen
Reported-and-Tested-by: Duncan <1i5t5.duncan@cox.net>
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman

commit b3a33e333ac922458e5b662990a6d17f7510dd52
Author: Daniel T Chen
Date: Thu Dec 2 22:45:45 2010 -0500

ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture

commit 77c4d5cdb81d25a45fbdfb84dd3348121219a072 upstream.

BugLink: https://launchpad.net/bugs/595482

The original reporter states that audible playback from the internal speaker is inaudible despite the hardware being properly detected. To work around this symptom, he uses the model=lg quirk to properly enable both playback, capture, and jack sense. Another user corroborates this workaround on separate hardware. Add this PCI SSID to the quirk table to enable it for further LG P1 Expresses.

Reported-and-tested-by: Philip Peitsch
Tested-by: nikhov
Signed-off-by: Daniel T Chen
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit f035aa4f932e2d589e3b7dc47e6043c2651bd443
Author: Daniel T Chen
Date: Sun Dec 5 08:43:14 2010 -0500

ALSA: hda: Use position_fix=1 for Acer Aspire 5538 to enable capture on internal mic

commit dd5a089edfa51a74692604b4b427953d8e16bc35 upstream.

BugLink: https://launchpad.net/bugs/685161

The reporter of the bug states that he must use position_fix=1 to enable capture for the internal microphone, so set it for his machine's PCI SSID.
Verified using 2.6.35 and the 2010-12-04 alsa-driver build.

Reported-and-tested-by: Ralph Wabel
Signed-off-by: Daniel T Chen
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 400d406b0a8c576002c2bc48e0d956ef613c68a3
Author: David Henningsson
Date: Thu Dec 9 07:17:27 2010 +0100

ALSA: HDA: Quirk for Dell Vostro 320 to make microphone work

commit 8a96b1e02029aa512199b1b6d281dcede9ed81f1 upstream.

BugLink: http://launchpad.net/497546

Confirmed that the ideapad model works better than the current quirk for Dell Vostro 320.

Signed-off-by: David Henningsson
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen

commit 986afbde0f1dde7695987fd2458f9676ce0389aa
Author: Miklos Szeredi
Date: Tue Nov 30 16:39:27 2010 +0100

fuse: fix ioctl when server is 32bit

commit d9d318d39dd5cb686660504a3565aac453709ccc upstream.

If a 32bit CUSE server is run on 64bit this results in EIO being returned to the caller.

The reason is that FUSE_IOCTL_RETRY reply was defined to use 'struct iovec', which is different on 32bit and 64bit archs.

Work around this by looking at the size of the reply to determine which struct was used. This is only needed if CONFIG_COMPAT is defined.

A more permanent fix for the interface will be to use the same struct on both 32bit and 64bit.

Reported-by: "ccmail111"
Signed-off-by: Miklos Szeredi
Signed-off-by: Andi Kleen
CC: Tejun Heo
Signed-off-by: Greg Kroah-Hartman

commit 84e4371b03088be955408911af51904c66a5b43e
Author: Miklos Szeredi
Date: Tue Nov 30 16:39:27 2010 +0100

fuse: verify ioctl retries

commit 7572777eef78ebdee1ecb7c258c0ef94d35bad16 upstream.

Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY doesn't overflow iov_length().

Signed-off-by: Miklos Szeredi
Signed-off-by: Andi Kleen
CC: Tejun Heo
Signed-off-by: Greg Kroah-Hartman

commit 79c6d16d8a4e355902861a9599630b7077a82d0e
Author: H. Peter Anvin
Date: Fri Dec 10 23:55:22 2010 -0500

x86, hotplug: Use mwait to offline a processor, fix the legacy case

upstream ea53069231f9317062910d6e772cca4ce93de8c8
x86, hotplug: Use mwait to offline a processor, fix the legacy case

Here included also some small follow-on patches to the same code:

upstream a68e5c94f7d3dd64fef34dd5d97e365cae4bb42a
x86, hotplug: Move WBINVD back outside the play_dead loop

upstream ce5f68246bf2385d6174856708d0b746dc378f20
x86, hotplug: In the MWAIT case of play_dead, CLFLUSH the cache line

https://bugzilla.kernel.org/show_bug.cgi?id=5471

Signed-off-by: H. Peter Anvin
Signed-off-by: Len Brown
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen
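
The two checks described in the fuse commits above ("fix ioctl when server is 32bit" and "verify ioctl retries"), as an added user-space example that is not the kernel's code: the iovec layout is chosen from the reply size, then the total length is bounded without an addition that could wrap. The struct names, the two caps and the error codes are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* All names, caps and error codes here are illustrative assumptions. */
struct iov64 { uint64_t base, len; };  /* layout a 64-bit server sends */
struct iov32 { uint32_t base, len; };  /* layout a 32-bit server sends */
#define MAX_IOV   256u                 /* assumed cap on entries */
#define MAX_BYTES (32u * 4096u)        /* assumed cap on total length */

/* Decode `count` entries from a retry reply of `size` bytes, inferring the
 * layout from the size. Returns 0, or -EIO if the size fits neither layout. */
static int decode_retry_iov(const void *buf, size_t size, unsigned count,
                            struct iov64 *out)
{
    if (count > MAX_IOV)
        return -EINVAL;
    if (size == count * sizeof(struct iov64)) {
        memcpy(out, buf, size);
        return 0;
    }
    if (size != count * sizeof(struct iov32))
        return -EIO;
    for (unsigned i = 0; i < count; i++) {  /* widen each 32-bit entry */
        struct iov32 c;
        memcpy(&c, (const unsigned char *)buf + i * sizeof c, sizeof c);
        out[i] = (struct iov64){ c.base, c.len };
    }
    return 0;
}

/* Spend each length from a budget instead of summing, so nothing can wrap. */
static int verify_iov(const struct iov64 *iov, unsigned count, uint64_t max)
{
    for (unsigned i = 0; i < count; i++) {
        if (iov[i].len > max)
            return -ENOMEM;
        max -= iov[i].len;
    }
    return 0;
}

int main(void)
{
    struct iov32 reply[2] = { {0x1000, 64}, {0x2000, 128} };  /* constructed */
    struct iov64 iov[2];
    return decode_retry_iov(reply, sizeof reply, 2, iov) != 0 ||
           verify_iov(iov, 2, MAX_BYTES) != 0;
}
```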