commit 0533a1fed29c6b890599647d747439f2c2af1415 Author: Greg Kroah-Hartman Date: Mon Mar 7 15:18:15 2011 -0800 Linux 2.6.32.32 commit cd5e5d1a181c663c7bde05a7389e5b7cf9018beb Author: Pavel Shilovsky Date: Mon Jan 17 20:15:44 2011 +0300 CIFS: Fix oplock break handling (try #2) commit 12fed00de963433128b5366a21a55808fab2f756 upstream. When we get oplock break notification we should set the appropriate value of OplockLevel field in oplock break acknowledge according to the oplock level held by the client in this time. As we only can have level II oplock or no oplock in the case of oplock break, we should be aware only about clientCanCacheRead field in cifsInodeInfo structure. Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit d54bb28bc9775dd0a5c530bd3b99f7138ef910f5 Author: Ian Campbell Date: Fri Feb 11 07:44:16 2011 +0000 arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS. commit d11327ad6695db8117c78d70611e71102ceec2ac upstream. NETDEV_NOTIFY_PEER is an explicit request by the driver to send a link notification while NETDEV_UP/NETDEV_CHANGEADDR generate link notifications as a sort of side effect. In the later cases the sysctl option is present because link notification events can have undesired effects e.g. if the link is flapping. I don't think this applies in the case of an explicit request from a driver. This patch makes NETDEV_NOTIFY_PEER unconditional, if preferred we could add a new sysctl for this case which defaults to on. This change causes Xen post-migration ARP notifications (which cause switches to relearn their MAC tables etc) to be sent by default. Signed-off-by: Ian Campbell Signed-off-by: David S. Miller [reported to solve hyperv live migration problem - gkh] Cc: Haiyang Zhang Cc: Mike Surcouf Cc: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit 304a854922606ce1b87cae1a972c567232a4013c Author: Kees Cook Date: Mon Oct 11 11:28:16 2010 -0700 usb: iowarrior: don't trust report_size for buffer size commit 3ed780117dbe5acb64280d218f0347f238dafed0 upstream. If the iowarrior devices in this case statement support more than 8 bytes per report, it is possible to write past the end of a kernel heap allocation. This will probably never be possible, but change the allocation to be more defensive anyway. Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman Acked-by: Brandon Philips commit 7d307f637652063b51a58ea7142225d7da9c43cf Author: Stanislaw Gruszka Date: Tue Feb 22 02:00:11 2011 +0000 r8169: disable ASPM commit ba04c7c93bbcb48ce880cf75b6e9dffcd79d4c7b upstream. For some time is known that ASPM is causing troubles on r8169, i.e. make device randomly stop working without any errors in dmesg. Currently Tomi Leppikangas reports that system with r8169 device hangs with MCE errors when ASPM is enabled: https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4 Lets disable ASPM for r8169 devices at all, to avoid problems with r8169 PCIe devices at least for some users. Reported-by: Tomi Leppikangas Signed-off-by: Stanislaw Gruszka Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ce473d380e079ea0c6e906599215a904c4334587 Author: Bruce Allan Date: Wed Feb 2 09:30:36 2011 +0000 e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead commit 4def99bbfd46e05c5e03b5b282cb4ee30e27ff19 upstream. When support for 82577/82578 was added[1] in 2.6.31, PHY wakeup was in- advertently enabled (even though it does not function properly) on ICH10 LOMs. This patch makes it so that the ICH10 LOMs use MAC wakeup instead as was done with the initial support for those devices (i.e. 82567LM-3, 82567LF-3 and 82567V-4). [1] commit a4f58f5455ba0efda36fb33c37074922d1527a10 Reported-by: Aurelien Jarno Signed-off-by: Bruce Allan Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit 721ce7b28534a4b7b633d215d42dacc3c60acee6 Author: Gerrit Renker Date: Tue Mar 1 23:02:07 2011 -0800 dccp: fix oops on Reset after close commit 720dc34bbbe9493c7bd48b2243058b4e447a929d upstream. This fixes a bug in the order of dccp_rcv_state_process() that still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket. dccp_v4_do_rcv() | | state other than OPEN v dccp_rcv_state_process() | | DCCP_PKT_RESET v dccp_rcv_reset() | v dccp_time_wait() WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128() Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah [] (unwind_backtrace+0x0/0xec) from [] (warn_slowpath_common) [] (warn_slowpath_common+0x4c/0x64) from [] (warn_slowpath_n) [] (warn_slowpath_null+0x1c/0x24) from [] (__inet_twsk_hashd) [] (__inet_twsk_hashdance+0x48/0x128) from [] (dccp_time_wai) [] (dccp_time_wait+0x40/0xc8) from [] (dccp_rcv_state_proces) [] (dccp_rcv_state_process+0x120/0x538) from [] (dccp_v4_do_) [] (dccp_v4_do_rcv+0x11c/0x14c) from [] (release_sock+0xac/0) [] (release_sock+0xac/0x110) from [] (dccp_close+0x28c/0x380) [] (dccp_close+0x28c/0x380) from [] (inet_release+0x64/0x70) The fix is by testing the socket state first. Receiving a packet in Closed state now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1. Reported-and-tested-by: Johan Hovold Signed-off-by: Gerrit Renker Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7774dc88c37fa610315066810376bdc69e0e6b3f Author: Christian Lamparter Date: Sat Feb 26 12:58:06 2011 +0100 p54usb: add Senao NUB-350 usbid commit 2b799a6b25bb9f9fbc478782cd9503e8066ab618 upstream. Reported-by: Mark Davis Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 70da0ad005a099576672c7ee0cd54bbe315538d3 Author: Jiri Kosina Date: Wed Dec 2 22:54:11 2009 +0100 HID: add support for Acan FG-8100 barcode reader commit e8d0eab4d9eda9f5e97852f780f020bfb134f9f0 upstream. Acan FG-8100 barcode reader (0x04b4/0xbca1) has vendor ID of cypress and requires the same MIN/MAX swap descriptor quirk as other barcode readers from cypress. Reported-by: Stijn Ghesquiere Signed-off-by: Jiri Kosina Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit 7705ad5aa349ccfb78a2c61f564176cb2cf812a4 Author: Amit Kumar Salecha Date: Thu Jan 7 22:10:16 2010 +0000 netxen: fix set mac addr commit d49c9640975355c79f346869831bf9780d185de0 upstream. o If tx and rx resources are not available, during set mac request. Then this request wont be passed to firmware and it will be added to driver mac list and will never make it to firmware. So if resources are not available, don't add it to driver mac list. Signed-off-by: Amit Kumar Salecha Signed-off-by: David S. Miller Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit d09706f85cda0c49b345b90df6d6350db7d6f9c4 Author: Michael S. Tsirkin Date: Sun Nov 29 17:52:00 2009 +0200 virtio: set pci bus master enable bit commit bc505f373979692d51a86d40925f77a8b09d17b9 upstream. As all virtio devices perform DMA, we must enable bus mastering for them to be spec compliant. This patch fixes hotplug of virtio devices with Linux guests and qemu 0.11-0.12. Tested-by: Alexander Graf Signed-off-by: Michael S. Tsirkin Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit d96cb2c94c9ad41a97ca3f295b25881b96899614 Author: Vlad Yasevich Date: Wed Apr 28 08:47:22 2010 +0000 sctp: Fix oops when sending queued ASCONF chunks commit c0786693404cffd80ca3cb6e75ee7b35186b2825 upstream. When we finish processing ASCONF_ACK chunk, we try to send the next queued ASCONF. This action runs the sctp state machine recursively and it's not prepared to do so. kernel BUG at kernel/timer.c:790! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/module/ipv6/initstate Modules linked in: sha256_generic sctp libcrc32c ipv6 dm_multipath uinput 8139too i2c_piix4 8139cp mii i2c_core pcspkr virtio_net joydev floppy virtio_blk virtio_pci [last unloaded: scsi_wait_scan] Pid: 0, comm: swapper Not tainted 2.6.34-rc4 #15 /Bochs EIP: 0060:[] EFLAGS: 00010286 CPU: 0 EIP is at add_timer+0xd/0x1b EAX: cecbab14 EBX: 000000f0 ECX: c0957b1c EDX: 03595cf4 ESI: cecba800 EDI: cf276f00 EBP: c0957aa0 ESP: c0957aa0 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process swapper (pid: 0, ti=c0956000 task=c0988ba0 task.ti=c0956000) Stack: c0957ae0 d1851214 c0ab62e4 c0ab5f26 0500ffff 00000004 00000005 00000004 <0> 00000000 d18694fd 00000004 1666b892 cecba800 cecba800 c0957b14 00000004 <0> c0957b94 d1851b11 ceda8b00 cecba800 cf276f00 00000001 c0957b14 000000d0 Call Trace: [] ? sctp_side_effects+0x607/0xdfc [sctp] [] ? sctp_do_sm+0x108/0x159 [sctp] [] ? sctp_pname+0x0/0x1d [sctp] [] ? sctp_primitive_ASCONF+0x36/0x3b [sctp] [] ? sctp_process_asconf_ack+0x2a4/0x2d3 [sctp] [] ? sctp_sf_do_asconf_ack+0x1dd/0x2b4 [sctp] [] ? sctp_do_sm+0xb8/0x159 [sctp] [] ? sctp_cname+0x0/0x52 [sctp] [] ? sctp_assoc_bh_rcv+0xac/0xe1 [sctp] [] ? sctp_inq_push+0x2d/0x30 [sctp] [] ? sctp_rcv+0x797/0x82e [sctp] Tested-by: Wei Yongjun Signed-off-by: Yuansong Qiao Signed-off-by: Shuaijun Zhang Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit db273d34639c4e85be6998bf60677c7e226dea4a Author: Josh Hunt Date: Thu Feb 24 11:48:22 2011 +0100 ext2: Fix link count corruption under heavy link+rename load commit e8a80c6f769dd4622d8b211b398452158ee60c0b upstream. vfs_rename_other() does not lock renamed inode with i_mutex. Thus changing i_nlink in a non-atomic manner (which happens in ext2_rename()) can corrupt it as reported and analyzed by Josh. In fact, there is no good reason to mess with i_nlink of the moved file. We did it presumably to simulate linking into the new directory and unlinking from an old one. But the practical effect of this is disputable because fsck can possibly treat file as being properly linked into both directories without writing any error which is confusing. So we just stop increment-decrement games with i_nlink which also fixes the corruption. CC: Al Viro Signed-off-by: Josh Hunt Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit f3d155634f6fc7ee665731768ed6f85d04ef442c Author: Thomas Gleixner Date: Fri Feb 25 22:34:23 2011 +0100 clockevents: Prevent oneshot mode when broadcast device is periodic commit 3a142a0672b48a853f00af61f184c7341ac9c99d upstream. When the per cpu timer is marked CLOCK_EVT_FEAT_C3STOP, then we only can switch into oneshot mode, when the backup broadcast device supports oneshot mode as well. Otherwise we would try to switch the broadcast device into an unsupported mode unconditionally. This went unnoticed so far as the current available broadcast devices support oneshot mode. Seth unearthed this problem while debugging and working around an hpet related BIOS wreckage. Add the necessary check to tick_is_oneshot_available(). Reported-and-tested-by: Seth Forshee Signed-off-by: Thomas Gleixner LKML-Reference: Signed-off-by: Greg Kroah-Hartman commit 9efe56738fecd591b5bf366a325440f9b457ebd6 Author: Miklos Szeredi Date: Fri Feb 25 14:44:58 2011 +0100 fuse: fix hang of single threaded fuseblk filesystem commit 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 upstream. Single threaded NTFS-3G could get stuck if a delayed RELEASE reply triggered a DESTROY request via path_put(). Fix this by a) making RELEASE requests synchronous, whenever possible, on fuseblk filesystems b) if not possible (triggered by an asynchronous read/write) then do the path_put() in a separate thread with schedule_work(). Reported-by: Oliver Neukum Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit bf30c46aba4aecb1a289ed3249b46e6091b6f7b2 Author: Don Zickus Date: Mon Feb 7 23:25:00 2011 -0500 x86: Use u32 instead of long to set reset vector back to 0 commit 299c56966a72b9109d47c71a6db52097098703dd upstream. A customer of ours, complained that when setting the reset vector back to 0, it trashed other data and hung their box. They noticed when only 4 bytes were set to 0 instead of 8, everything worked correctly. Mathew pointed out: | | We're supposed to be resetting trampoline_phys_low and | trampoline_phys_high here, which are two 16-bit values. | Writing 64 bits is definitely going to overwrite space | that we're not supposed to be touching. | So limit the area modified to u32. Signed-off-by: Don Zickus Acked-by: Matthew Garrett LKML-Reference: <1297139100-424-1-git-send-email-dzickus@redhat.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ba7c5cae3c3b1d2ca1e78716806d8a386b569b0a Author: Jochen Friedrich Date: Wed Jan 26 11:30:01 2011 +0100 mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo commit 9063f1f15eec35e5fd608879cef8be5728f2d12a upstream. Call input_set_abs_params instead of manually setting absbit only. This fixes this oops: Unable to handle kernel NULL pointer dereference at virtual address 00000024 Internal error: Oops: 41b67017 [#1] CPU: 0 Not tainted (2.6.37 #4) pc : [] lr : [<00000000>] psr: 20000093 sp : c19e5f30 ip : c19e5e6c fp : c19e5f58 r10: 00000000 r9 : c19e4000 r8 : 00000003 r7 : 000001e4 r6 : 00000001 r5 : c1854400 r4 : 00000003 r3 : 00000018 r2 : 00000018 r1 : 00000018 r0 : c185447c Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel Control: c1b6717f Table: c1b6717f DAC: 00000017 Stack: (0xc19e5f30 to 0xc19e6000) 5f20: 00000003 00000003 c1854400 00000013 5f40: 00000001 000001e4 000001c5 c19e5f80 c19e5f5c c016d5e8 c016cf5c 000001e4 5f60: c1854400 c18b5860 00000000 00000171 000001e4 c19e5fc4 c19e5f84 c01559a4 5f80: c016d584 c18b5868 00000000 c1bb5c40 c0035afc c18b5868 c18b5868 c1a55d54 5fa0: c18b5860 c0155750 00000013 00000000 00000000 00000000 c19e5ff4 c19e5fc8 5fc0: c0050174 c015575c 00000000 c18b5860 00000000 c19e5fd4 c19e5fd4 c1a55d54 5fe0: c00500f0 c003b464 00000000 c19e5ff8 c003b464 c00500fc 04000400 04000400 Backtrace: Function entered at [] from [] Function entered at [] from [] r8:000001e4 r7:00000171 r6:00000000 r5:c18b5860 r4:c1854400 Function entered at [] from [] Function entered at [] from [] r6:c003b464 r5:c00500f0 r4:c1a55d54 Code: e59520fc e1a03286 e0433186 e0822003 (e592000c) >>PC; c016d1fc <===== Trace; c016cf50 Trace; c016d5e8 Trace; c016d578 Trace; c01559a4 Trace; c0155750 Trace; c0050174 Trace; c00500f0 Trace; c003b464 Signed-off-by: Jochen Friedrich Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 40d8d3eb87bccc1987a9e6e8ff1da03383d5155a Author: Dave Airlie Date: Thu Feb 24 08:35:06 2011 +1000 drm: fix unsigned vs signed comparison issue in modeset ctl ioctl. commit 1922756124ddd53846877416d92ba4a802bc658f upstream. This fixes CVE-2011-1013. Reported-by: Matthiew Herrb (OpenBSD X.org team) Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 08020344c3d5632890a14218f2985c89d8d6c9b9 Author: Tristan Ye Date: Fri Jan 21 18:20:18 2011 +0800 Ocfs2/refcounttree: Fix a bug for refcounttree to writeback clusters in a right number. commit acf3bb007e5636ef4c17505affb0974175108553 upstream. Current refcounttree codes actually didn't writeback the new pages out in write-back mode, due to a bug of always passing a ZERO number of clusters to 'ocfs2_cow_sync_writeback', the patch tries to pass a proper one in. Signed-off-by: Tristan Ye Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman