commit 3481be7e555cf2a57ee4ea0962ae27a3d87a53d5 Author: Greg Kroah-Hartman Date: Mon Aug 8 10:32:25 2011 -0700 Linux 2.6.32.44 commit 58e6859b0205a2394387a1e16a5bf455f24d4611 Author: chas williams - CONTRACTOR Date: Fri Dec 4 11:06:32 2009 +0000 atm: [br2684] allow routed mode operation again commit 2e302ebfeac04beb5a5d6af1ac583c6a1fb76d1a upstream. in routed mode, we don't have a hardware address so netdev_ops doesnt need to validate our hardware address via .ndo_validate_addr Reported-by: Manuel Fuentes Signed-off-by: Chas Williams - CONTRACTOR Signed-off-by: David S. Miller Cc: Pascal Hambourg Signed-off-by: Greg Kroah-Hartman commit bb30b1915be745fa2ef499580ac5a74e8e50e7b9 Author: Peter Zijlstra Date: Wed Aug 3 13:49:31 2011 +0200 perf: overflow/perf_count_sw_cpu_clock crashes recent kernels The below patch is for -stable only, upstream has a much larger patch that contains the below hunk in commit a8b0ca17b80e92faab46ee7179ba9e99ccb61233 Vince found that under certain circumstances software event overflows go wrong and deadlock. Avoid trying to delete a timer from the timer callback. Reported-by: Vince Weaver Signed-off-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 3d247615d6b54f39e32b9b27a148e4a88dd3b9ca Author: Alasdair G Kergon Date: Tue Aug 2 12:32:01 2011 +0100 dm: fix idr leak on module removal commit d15b774c2920d55e3d58275c97fbe3adc3afde38 upstream. Destroy _minor_idr when unloading the core dm module. (Found by kmemleak.) Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit c72ff34c937a4572946fdcd79ecbff2fe81f7654 Author: Mike Snitzer Date: Tue Aug 2 12:32:00 2011 +0100 dm mpath: fix potential NULL pointer in feature arg processing commit 286f367dad40beb3234a18c17391d03ba939a7f3 upstream. Avoid dereferencing a NULL pointer if the number of feature arguments supplied is fewer than indicated. Signed-off-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 67b0a8421ec7737f20db9f2ab150445a897f138a Author: Julia Lawall Date: Thu Jul 28 14:46:05 2011 +0200 ALSA: sound/core/pcm_compat.c: adjust array index commit ca9380fd68514c7bc952282c1b4fc70607e9fe43 upstream. Convert array index from the loop bound to the loop index. A simplified version of the semantic patch that fixes this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression e1,e2,ar; @@ for(e1 = 0; e1 < e2; e1++) { <... ar[ - e2 + e1 ] ...> } // Signed-off-by: Julia Lawall Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fc10e555b21481e5f9ccbf9b4dc804140e556a04 Author: Vasiliy Kulikov Date: Fri Jun 24 16:08:38 2011 +0400 proc: restrict access to /proc/PID/io commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream. /proc/PID/io may be used for gathering private information. E.g. for openssh and vsftpd daemons wchars/rchars may be used to learn the precise password length. Restrict it to processes being able to ptrace the target process. ptrace_may_access() is needed to prevent keeping open file descriptor of "io" file, executing setuid binary and gathering io information of the setuid'ed process. Signed-off-by: Vasiliy Kulikov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2beffeba8046011cf87062b842327328fb22cda7 Author: Dan Rosenberg Date: Wed Jun 15 15:09:01 2011 -0700 alpha: fix several security issues commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream. Fix several security issues in Alpha-specific syscalls. Untested, but mostly trivial. 1. Signedness issue in osf_getdomainname allows copying out-of-bounds kernel memory to userland. 2. Signedness issue in osf_sysinfo allows copying large amounts of kernel memory to userland. 3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy size, allowing copying large amounts of kernel memory to userland. 4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows privilege escalation via writing return value of sys_wait4 to kernel memory. Signed-off-by: Dan Rosenberg Cc: Richard Henderson Cc: Ivan Kokshaysky Cc: Matt Turner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 35ed3d0fb62804090a3f21a7ce84c538a6ff852f Author: Alexey Dobriyan Date: Tue Feb 16 09:05:04 2010 +0000 tunnels: fix netns vs proto registration ordering commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 upstream. Same stuff as in ip_gre patch: receive hook can be called before netns setup is done, oopsing in net_generic(). Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0515423344552278c1c3c5304515088521c73478 Author: Alexey Dobriyan Date: Mon Jan 25 10:28:21 2010 +0000 netns xfrm: fixup xfrm6_tunnel error propagation commit e924960dacdf85d118a98c7262edf2f99c3015cf upstream. Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7606088a8d06062750d6d24cab6e064d7711356e Author: Alexey Dobriyan Date: Tue Feb 16 07:57:44 2010 +0000 gre: fix netns vs proto registration ordering commit c2892f02712e9516d72841d5c019ed6916329794 upstream. GRE protocol receive hook can be called right after protocol addition is done. If netns stuff is not yet initialized, we're going to oops in net_generic(). This is remotely oopsable if ip_gre is compiled as module and packet comes at unfortunate moment of module loading. Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller [dannf: backported to Debian's 2.6.32] Signed-off-by: Greg Kroah-Hartman commit 39371f2a8a7c27a63882c1586c3ee72f05eb6527 Author: Jeff Layton Date: Mon Aug 23 11:38:04 2010 -0400 cifs: check for NULL session password commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 upstream. It's possible for a cifsSesInfo struct to have a NULL password, so we need to check for that prior to running strncmp on it. Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit eda9d27e356873efbd5f071da1741fc74a842c2b Author: Jeff Layton Date: Wed Aug 18 13:13:39 2010 -0400 cifs: fix NULL pointer dereference in cifs_find_smb_ses commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d upstream. cifs_find_smb_ses assumes that the vol->password field is a valid pointer, but that's only the case if a password was passed in via the options string. It's possible that one won't be if there is no mount helper on the box. Reported-by: diabel Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 223c7f082d2836ac719b3b228bdcfab35e5e5330 Author: Jeff Layton Date: Tue Jul 6 20:43:02 2010 -0400 cifs: clean up cifs_find_smb_ses (try #2) commit 4ff67b720c02c36e54d55b88c2931879b7db1cd2 upstream. This patch replaces the earlier patch by the same name. The only difference is that MAX_PASSWORD_SIZE has been increased to attempt to match the limits that windows enforces. Do a better job of matching sessions by authtype. Matching by username for a Kerberos session is incorrect, and anonymous sessions need special handling. Also, in the case where we do match by username, we also need to match by password. That ensures that someone else doesn't "borrow" an existing session without needing to know the password. Finally, passwords can be longer than 16 bytes. Bump MAX_PASSWORD_SIZE to 512 to match the size that the userspace mount helper allows. Signed-off-by: Jeff Layton Signed-off-by: Steve French [dannf: backported to Debian's 2.6.32] Cc: Moritz Muehlenhoff Signed-off-by: Greg Kroah-Hartman commit 0d5c4526788db9e3becdef5c6c71444c0190ecd3 Author: Greg Kroah-Hartman Date: Tue Aug 2 14:45:26 2011 -0700 Revert "block: rescan partitions on invalidated devices on -ENOMEDIA too" This reverts commit 5b2745db12a3f97a9ec9efd4ffa077da707d3e4c (commit 02e352287a40bd456eb78df705bf888bc3161d3f upstream) This should have only been commited on .38 and newer, not older kernels like this one, sorry. Cc: Tejun Heo Cc: David Zeuthen Cc: Martin Pitt Cc: Kay Sievers Cc: Alan Cox Cc: Jens Axboe Cc: Andi Kleen Signed-off-by: Greg Kroah-Hartman commit 436aa5feeaee56451a2ded2e89cb80229836c687 Author: Thomas Gleixner Date: Fri Jul 29 14:07:44 2011 +0400 x86: HPET: Chose a paranoid safe value for the ETIME check (imported from commit v2.6.37-rc5-64-gf1c1807) commit 995bd3bb5 (x86: Hpet: Avoid the comparator readback penalty) chose 8 HPET cycles as a safe value for the ETIME check, as we had the confirmation that the posted write to the comparator register is delayed by two HPET clock cycles on Intel chipsets which showed readback problems. After that patch hit mainline we got reports from machines with newer AMD chipsets which seem to have an even longer delay. See http://thread.gmane.org/gmane.linux.kernel/1054283 and http://thread.gmane.org/gmane.linux.kernel/1069458 for further information. Boris tried to come up with an ACPI based selection of the minimum HPET cycles, but this failed on a couple of test machines. And of course we did not get any useful information from the hardware folks. For now our only option is to chose a paranoid high and safe value for the minimum HPET cycles used by the ETIME check. Adjust the minimum ns value for the HPET clockevent accordingly. Reported-Bistected-and-Tested-by: Markus Trippelsdorf Signed-off-by: Thomas Gleixner LKML-Reference: Cc: Simon Kirby Cc: Borislav Petkov Cc: Andreas Herrmann Cc: John Stultz Signed-off-by: Konstantin Khlebnikov Signed-off-by: Greg Kroah-Hartman commit 4534a8bbbf35dfab58a56ef886040a4a8a0ffd49 Author: Thomas Gleixner Date: Fri Jul 29 14:07:43 2011 +0400 x86: Hpet: Avoid the comparator readback penalty (imported from commit v2.6.36-rc4-167-g995bd3b) Due to the overly intelligent design of HPETs, we need to workaround the problem that the compare value which we write is already behind the actual counter value at the point where the value hits the real compare register. This happens for two reasons: 1) We read out the counter, add the delta and write the result to the compare register. When a NMI or SMI hits between the read out and the write then the counter can be ahead of the event already 2) The write to the compare register is delayed by up to two HPET cycles in certain chipsets. We worked around this by reading back the compare register to make sure that the written value has hit the hardware. For certain ICH9+ chipsets this can require two readouts, as the first one can return the previous compare register value. That's bad performance wise for the normal case where the event is far enough in the future. As we already know that the write can be delayed by up to two cycles we can avoid the read back of the compare register completely if we make the decision whether the delta has elapsed already or not based on the following calculation: cmp = event - actual_count; If cmp is less than 8 HPET clock cycles, then we decide that the event has happened already and return -ETIME. That covers the above #1 and #2 problems which would cause a wait for HPET wraparound (~306 seconds). Signed-off-by: Thomas Gleixner Tested-by: Nix Tested-by: Artur Skawina Cc: Damien Wyart Tested-by: John Drescher Cc: Venkatesh Pallipadi Cc: Arjan van de Ven Cc: Andreas Herrmann Tested-by: Borislav Petkov Cc: Suresh Siddha LKML-Reference: Signed-off-by: Konstantin Khlebnikov Signed-off-by: Greg Kroah-Hartman commit cb815937772cb08551fb9afa62a51b987eafcb27 Author: Anton Blanchard Date: Tue Jul 5 21:51:36 2011 +0000 powerpc/pseries/hvconsole: Fix dropped console output commit 51d33021425e1f905beb4208823146f2fb6517da upstream. Return -EAGAIN when we get H_BUSY back from the hypervisor. This makes the hvc console driver retry, avoiding dropped printks. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 38e6bb765aaa79257f99b7a9b8ba6d3d034d73c5 Author: Alan Stern Date: Tue Jul 19 14:01:23 2011 -0400 EHCI: fix direction handling for interrupt data toggles commit e04f5f7e423018bcec84c11af2058cdce87816f3 upstream. This patch (as1480) fixes a rather obscure bug in ehci-hcd. The qh_update() routine needs to know the number and direction of the endpoint corresponding to its QH argument. The number can be taken directly from the QH data structure, but the direction isn't stored there. The direction is taken instead from the first qTD linked to the QH. However, it turns out that for interrupt transfers, qh_update() gets called before the qTDs are linked to the QH. As a result, qh_update() computes a bogus direction value, which messes up the endpoint toggle handling. Under the right combination of circumstances this causes usb_reset_endpoint() not to work correctly, which causes packets to be dropped and communications to fail. Now, it's silly for the QH structure not to have direct access to all the descriptor information for the corresponding endpoint. Ultimately it may get a pointer to the usb_host_endpoint structure; for now, adding a copy of the direction flag solves the immediate problem. This allows the Spyder2 color-calibration system (a low-speed USB device that sends all its interrupt data packets with the toggle set to 0 and hance requires constant use of usb_reset_endpoint) to work when connected through a high-speed hub. Thanks to Graeme Gill for supplying the hardware that allowed me to track down this bug. Signed-off-by: Alan Stern Reported-by: Graeme Gill Signed-off-by: Greg Kroah-Hartman commit 108786ae74b65d83e4cd9d43bb53cfa75048572f Author: Sergei Shtylyov Date: Wed Jul 6 23:19:38 2011 +0400 EHCI: only power off port if over-current is active commit 81463c1d707186adbbe534016cd1249edeab0dac upstream. MAX4967 USB power supply chip we use on our boards signals over-current when power is not enabled; once it's enabled, over-current signal returns to normal. That unfortunately caused the endless stream of "over-current change on port" messages. The EHCI root hub code reacts on every over-current signal change with powering off the port -- such change event is generated the moment the port power is enabled, so once enabled the power is immediately cut off. I think we should only cut off power when we're seeing the active over-current signal, so I'm adding such check to that code. I also think that the fact that we've cut off the port power should be reflected in the result of GetPortStatus request immediately, hence I'm adding a PORTSCn register readback after write... Signed-off-by: Sergei Shtylyov Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 8a8b5c1b6f911444c0623b991cde497df64cb84c Author: J. Bruce Fields Date: Wed Jun 29 16:49:04 2011 -0400 svcrpc: fix list-corrupting race on nfsd shutdown commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream. After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd: split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no longer removed its xpt_ready (then sk_ready) field from whatever list it was on, noting that there was no point since the whole list was about to be destroyed anyway. That was mostly true, but forgot that a few svc_xprt_enqueue()'s might still be hanging around playing with the about-to-be-destroyed list, and could get themselves into trouble writing to freed memory if we left this xprt on the list after freeing it. (This is actually functionally identical to a patch made first by Ben Greear, but with more comments.) Cc: gnb@fmeh.org Reported-by: Ben Greear Tested-by: Ben Greear Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 98aea907860bce247af40351a297d56ef44d7f26 Author: Jan Kara Date: Mon May 30 13:29:20 2011 +0200 ext3: Fix oops in ext3_try_to_allocate_with_rsv() commit ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 upstream. Block allocation is called from two places: ext3_get_blocks_handle() and ext3_xattr_block_set(). These two callers are not necessarily synchronized because xattr code holds only xattr_sem and i_mutex, and ext3_get_blocks_handle() may hold only truncate_mutex when called from writepage() path. Block reservation code does not expect two concurrent allocations to happen to the same inode and thus assertions can be triggered or reservation structure corruption can occur. Fix the problem by taking truncate_mutex in xattr code to serialize allocations. CC: Sage Weil Reported-by: Fyodor Ustinov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit b259a3c0e4348587e06fbabd828fb878457c5dad Author: Dan Rosenberg Date: Mon Jul 25 17:11:53 2011 -0700 xtensa: prevent arbitrary read in ptrace commit 0d0138ebe24b94065580bd2601f8bb7eb6152f56 upstream. Prevent an arbitrary kernel read. Check the user pointer with access_ok() before copying data in. [akpm@linux-foundation.org: s/EIO/EFAULT/] Signed-off-by: Dan Rosenberg Cc: Christian Zankel Cc: Oleg Nesterov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 78a4ddf99d27b83ca7b9720338b1030206db4a0e Author: Stephen M. Cameron Date: Sat Jul 9 09:04:12 2011 +0200 cciss: do not attempt to read from a write-only register commit 07d0c38e7d84f911c72058a124c7f17b3c779a65 upstream. Most smartarrays will tolerate it, but some new ones don't. Signed-off-by: Stephen M. Cameron Note: this is a regression caused by commit 1ddd5049 Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 330091175005731845c82ae2b44ac72a93902a25 Author: Chris Wright Date: Wed Jul 13 10:14:33 2011 -0700 PCI: ARI is a PCIe v2 feature commit 864d296cf948aef0fa32b81407541572583f7572 upstream. The function pci_enable_ari() may mistakenly set the downstream port of a v1 PCIe switch in ARI Forwarding mode. This is a PCIe v2 feature, and with an SR-IOV device on that switch port believing the switch above is ARI capable it may attempt to use functions 8-255, translating into invalid (non-zero) device numbers for that bus. This has been seen to cause Completion Timeouts and general misbehaviour including hangs and panics. Acked-by: Don Dutile Tested-by: Don Dutile Signed-off-by: Chris Wright Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 1b7fbaab701bfcc77916896bf64af9624c0b62d4 Author: Michael Neuling Date: Mon Jul 4 20:40:10 2011 +0000 powerpc/kdump: Fix timeout in crash_kexec_wait_realmode commit 63f21a56f1cc0b800a4c00349c59448f82473d19 upstream. The existing code it pretty ugly. How about we clean it up even more like this? From: Anton Blanchard We check for timeout expiry in the outer loop, but we also need to check it in the inner loop or we can lock up forever waiting for a CPU to hit real mode. Signed-off-by: Anton Blanchard Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 1932c7417939ce69f98926c204220fafbce31a7a Author: Huang Ying Date: Thu Jul 14 09:34:37 2011 +0800 kexec, x86: Fix incorrect jump back address if not preserving context commit 050438ed5a05b25cdf287f5691e56a58c2606997 upstream. In kexec jump support, jump back address passed to the kexeced kernel via function calling ABI, that is, the function call return address is the jump back entry. Furthermore, jump back entry == 0 should be used to signal that the jump back or preserve context is not enabled in the original kernel. But in the current implementation the stack position used for function call return address is not cleared context preservation is disabled. The patch fixes this bug. Reported-and-tested-by: Yin Kangkai Signed-off-by: Huang Ying Cc: Eric W. Biederman Cc: Vivek Goyal Link: http://lkml.kernel.org/r/1310607277-25029-1-git-send-email-ying.huang@intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 8d858047ce89c147eb9f14457cb31265967d110e Author: Dan Rosenberg Date: Mon Jul 11 14:08:23 2011 -0700 pmcraid: reject negative request size commit b5b515445f4f5a905c5dd27e6e682868ccd6c09d upstream. There's a code path in pmcraid that can be reached via device ioctl that causes all sorts of ugliness, including heap corruption or triggering the OOM killer due to consecutive allocation of large numbers of pages. First, the user can call pmcraid_chr_ioctl(), with a type PMCRAID_PASSTHROUGH_IOCTL. This calls through to pmcraid_ioctl_passthrough(). Next, a pmcraid_passthrough_ioctl_buffer is copied in, and the request_size variable is set to buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit signed value provided by the user. If a negative value is provided here, bad things can happen. For example, pmcraid_build_passthrough_ioadls() is called with this request_size, which immediately calls pmcraid_alloc_sglist() with a negative size. The resulting math on allocating a scatter list can result in an overflow in the kzalloc() call (if num_elem is 0, the sglist will be smaller than expected), or if num_elem is unexpectedly large the subsequent loop will call alloc_pages() repeatedly, a high number of pages will be allocated and the OOM killer might be invoked. It looks like preventing this value from being negative in pmcraid_ioctl_passthrough() would be sufficient. Signed-off-by: Dan Rosenberg Signed-off-by: Andrew Morton Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 2dee323616b55823272dc900ba09902b8febff44 Author: Douglas Gilbert Date: Thu Jun 9 00:27:07 2011 -0400 ses: requesting a fault indication commit 2a350cab9daf9a46322d83b091bb05cf54ccf6ab upstream. Noticed that when the sysfs interface of the SCSI SES driver was used to request a fault indication the LED flashed but the buzzer didn't sound. So it was doing what REQUEST IDENT (locate) should do. Changelog: - fix the setting of REQUEST FAULT for the device slot and array device slot elements in the enclosure control diagnostic page - note the potentially defective code that reads the FAULT SENSED and FAULT REQUESTED bits from the enclosure status diagnostic page The attached patch is against git/scsi-misc-2.6 Signed-off-by: Douglas Gilbert Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e766b12ba4985002ef9c0e6fec47ef0463511521 Author: Werner Fink Date: Thu Jun 9 10:54:24 2011 +0530 Blacklist Traxdata CDR4120 and IOMEGA Zip drive to avoid lock ups. commit 82103978189e9731658cd32da5eb85ab7b8542b8 upstream. This patch resulted from the discussion at https://bugzilla.novell.com/show_bug.cgi?id=679277, https://bugzilla.novell.com/show_bug.cgi?id=681840 . Signed-off-by: Werner Fink Signed-off-by: Ankit Jain Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit eaf507ea6ca81301778353324105a5b18c436494 Author: Rajkumar Manoharan Date: Thu Jul 7 23:33:39 2011 +0530 mac80211: Restart STA timers only on associated state commit 676b58c27475a9defccc025fea1cbd2b141ee539 upstream. A panic was observed when the device is failed to resume properly, and there are no running interfaces. ieee80211_reconfig tries to restart STA timers on unassociated state. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit da229078845ada4d7b0b49a020c8eaf49420cec9 Author: Luben Tuikov Date: Tue Jul 26 23:10:48 2011 -0700 libsas: remove expander from dev list on error commit 5911e963d3718e306bcac387b83e259aa4228896 upstream. If expander discovery fails (sas_discover_expander()), remove the expander from the port device list (sas_ex_discover_expander()), before freeing it. Else the list is corrupted and, e.g., when we attempt to send SMP commands to other devices, the kernel oopses. Signed-off-by: Luben Tuikov Reviewed-by: Jack Wang Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3cd03745e7c9affa99ed9e0fe891c8aba887c9df Author: Guo-Fu Tseng Date: Wed Jul 20 16:57:36 2011 +0000 jme: Fix unmap error (Causing system freeze) commit 94c5b41b327e08de0ddf563237855f55080652a1 upstream. This patch add the missing dma_unmap(). Which solved the critical issue of system freeze on heavy load. Michal Miroslaw's rejected patch: [PATCH v2 10/46] net: jme: convert to generic DMA API Pointed out the issue also, thank you Michal. But the fix was incorrect. It would unmap needed address when low memory. Got lots of feedback from End user and Gentoo Bugzilla. https://bugs.gentoo.org/show_bug.cgi?id=373109 Thank you all. :) Signed-off-by: Guo-Fu Tseng Acked-by: Chris Wright Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 122c9c81347704a14db5a7d87b14165cdd7d496e Author: Igor Grinberg Date: Mon May 9 14:41:46 2011 +0300 ARM: pxa/cm-x300: fix V3020 RTC functionality commit 6c7b3ea52e345ab614edb91d3f0e9f3bb3713871 upstream. While in sleep mode the CS# and other V3020 RTC GPIOs must be driven high, otherwise V3020 RTC fails to keep the right time in sleep mode. Signed-off-by: Igor Grinberg Signed-off-by: Eric Miao Signed-off-by: Greg Kroah-Hartman commit b43906bf751f5d8f26425a809806bbc1b6a33422 Author: Alan Stern Date: Tue Jun 7 11:33:01 2011 -0400 USB: dummy-hcd needs the has_tt flag commit c5c69f3f0dcf9b569c8f3ad67f3af92cfcedac43 upstream. Like with other host controllers capable of operating at both high speed and full speed, we need to indicate that the emulated controller presented by dummy-hcd has this ability. Otherwise usbcore will not accept full-speed gadgets under dummy-hcd. This patch (as1469) sets the appropriate has_tt flag. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 262e2d9d559334e09bc80516132ea99d82f97b8c Author: Ajay Kumar Gupta Date: Fri Jul 8 15:06:13 2011 +0530 usb: musb: restore INDEX register in resume path commit 3c5fec75e121b21a2eb35e5a6b44291509abba6f upstream. Restoring the missing INDEX register value in musb_restore_context(). Without this suspend resume functionality is broken with offmode enabled. Acked-by: Anand Gadiyar Signed-off-by: Ajay Kumar Gupta Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 6691c4c32de7046a36cd94b2f904507dcfb86de7 Author: Alan Stern Date: Fri Jul 15 17:22:15 2011 -0400 USB: OHCI: fix another regression for NVIDIA controllers commit 6ea12a04d295235ed67010a09fdea58c949e3eb0 upstream. The NVIDIA series of OHCI controllers continues to be troublesome. A few people using the MCP67 chipset have reported that even with the most recent kernels, the OHCI controller fails to handle new connections and spams the system log with "unable to enumerate USB port" messages. This is different from the other problems previously reported for NVIDIA OHCI controllers, although it is probably related. It turns out that the MCP67 controller does not like to be kept in the RESET state very long. After only a few seconds, it decides not to work any more. This patch (as1479) changes the PCI initialization quirk code so that NVIDIA controllers are switched into the SUSPEND state after 50 ms of RESET. With no interrupts enabled and all the downstream devices reset, and thus unable to send wakeup requests, this should be perfectly safe (even for non-NVIDIA hardware). The removal code in ohci-hcd hasn't been changed; it will still leave the controller in the RESET state. As a result, if someone unloads ohci-hcd and then reloads it, the controller won't work again until the system is rebooted. If anybody complains about this, the removal code can be updated similarly. This fixes Bugzilla #22052. Tested-by: Larry Finger Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 51faabb807245bd12d026660d8957168df64abef Author: Vasiliy Kulikov Date: Sun Jun 26 12:56:22 2011 +0400 staging: comedi: fix infoleak to userspace commit 819cbb120eaec7e014e5abd029260db1ca8c5735 upstream. driver_name and board_name are pointers to strings, not buffers of size COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. Signed-off-by: Vasiliy Kulikov Signed-off-by: Greg Kroah-Hartman commit 82b6e85062ae9db54a97590a473d98e2bef10789 Author: Wolfgang Denk Date: Tue Jul 19 11:25:38 2011 +0200 USB: serial: add IDs for WinChipHead USB->RS232 adapter commit 026dfaf18973404a01f488d6aa556a8c466e06a4 upstream. Add ID 4348:5523 for WinChipHead USB->RS 232 adapter with Prolifec PL2303 chipset Signed-off-by: Wolfgang Denk Signed-off-by: Greg Kroah-Hartman commit 99d74703c650de28b1dec2c17612a3ed0b386f97 Author: Greg Kroah-Hartman Date: Mon May 17 10:33:41 2010 -0700 USB: pl2303.h: checkpatch cleanups commit 5d78fcb0caf219e2e6c8e486d7e31fec1333ac06 upstream. Minor whitespace cleanups to make checkpatch happy. Signed-off-by: Greg Kroah-Hartman commit 741172eedbda7be26b0e92a4979b5b0b90c723f2 Author: Manuel Jander Date: Mon Mar 29 23:51:57 2010 +0200 USB: pl2303: add AdLink ND-6530 USB IDs commit 9a61d72602771906e11a5944e8571f8006387b39 upstream. I read a rumor that the AdLink ND6530 USB RS232, RS422 and RS485 isolated adapter is actually a PL2303 based usb serial adapter. I tried it out, and as far as I can tell it works. Signed-off-by: Manuel Jander Signed-off-by: Greg Kroah-Hartman commit 9d8970f029ad17a2f8ebce2e94f00437bd1d1225 Author: Daniel J Blueman Date: Fri May 13 09:04:59 2011 +0800 x86: Make Dell Latitude E5420 use reboot=pci commit b7798d28ec15d20fd34b70fa57eb13f0cf6d1ecd upstream. Rebooting on the Dell E5420 often hangs with the keyboard or ACPI methods, but is reliable via the PCI method. [ hpa: this was deferred because we believed for a long time that the recent reshuffling of the boot priorities in commit 660e34cebf0a11d54f2d5dd8838607452355f321 fixed this platform. Unfortunately that turned out to be incorrect. ] Signed-off-by: Daniel J Blueman Link: http://lkml.kernel.org/r/1305248699-2347-1-git-send-email-daniel.blueman@gmail.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 3da5a14f740df9eef668edd4a446824da2a6c299 Author: Tejun Heo Date: Wed May 25 13:19:39 2011 +0200 libata: fix unexpectedly frozen port after ata_eh_reset() commit 8c56cacc724c7650b893d43068fa66044aa29a61 upstream. To work around controllers which can't properly plug events while reset, ata_eh_reset() clears error states and ATA_PFLAG_EH_PENDING after reset but before RESET is marked done. As reset is the final recovery action and full verification of devices including onlineness and classfication match is done afterwards, this shouldn't lead to lost devices or missed hotplug events. Unfortunately, it forgot to thaw the port when clearing EH_PENDING, so if the condition happens after resetting an empty port, the port could be left frozen and EH will end without thawing it, making the port unresponsive to further hotplug events. Thaw if the port is frozen after clearing EH_PENDING. This problem is reported by Bruce Stenning in the following thread. http://thread.gmane.org/gmane.linux.kernel/1123265 stable: I think we should weather this patch a bit longer in -rcX before sending it to -stable. Please wait at least a month after this patch makes upstream. Thanks. -v2: Fixed spelling in the comment per Dave Howorth. Signed-off-by: Tejun Heo Reported-by: Bruce Stenning Cc: Dave Howorth Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 49d571cd91d115bf051aa14bc15376c5095217b6 Author: Jon Povey Date: Tue Jul 19 12:30:11 2011 +0900 davinci: DM365 EVM: fix video input mux bits commit 9daedd833a38edd90cf7baa1b1fcf61c3a0721e3 upstream. Video input mux settings for tvp7002 and imager inputs were swapped. Comment was correct. Tested on EVM with tvp7002 input. Signed-off-by: Jon Povey Acked-by: Manjunath Hadli Signed-off-by: Sekhar Nori Signed-off-by: Greg Kroah-Hartman commit 90d769e3203ce7b291790a85e53f8954a7d20588 Author: stephen hemminger Date: Fri Jul 22 07:47:06 2011 +0000 bridge: send proper message_age in config BPDU commit 0c03150e7ea8f7fcd03cfef29385e0010b22ee92 upstream. A bridge topology with three systems: +------+ +------+ | A(2) |--| B(1) | +------+ +------+ \ / +------+ | C(3) | +------+ What is supposed to happen: * bridge with the lowest ID is elected root (for example: B) * C detects that A->C is higher cost path and puts in blocking state What happens. Bridge with lowest id (B) is elected correctly as root and things start out fine initially. But then config BPDU doesn't get transmitted from A -> C. Because of that the link from A-C is transistioned to the forwarding state. The root cause of this is that the configuration messages is generated with bogus message age, and dropped before sending. In the standardmessage_age is supposed to be: the time since the generation of the Configuration BPDU by the Root that instigated the generation of this Configuration BPDU. Reimplement this by recording the timestamp (age + jiffies) when recording config information. The old code incorrectly used the time elapsed on the ageing timer which was incorrect. See also: https://bugzilla.vyatta.com/show_bug.cgi?id=7164 Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 166d832bd02cccddb49a1b07e71dbefc0e3e063f Author: Pavel Herrmann Date: Sun Jul 17 18:39:19 2011 +0200 hwmon: (max1111) Fix race condition causing NULL pointer exception commit d3f684f2820a7f42acef68bea6622d9032127fb2 upstream. spi_sync call uses its spi_message parameter to keep completion information, using a drvdata structure is not thread-safe. Use a mutex to prevent multiple access to shared driver data. Signed-off-by: Pavel Herrmann Acked-by: Russell King Acked-by: Pavel Machek Acked-by: Marek Vasut Acked-by: Cyril Hrubis Tested-by: Stanislav Brabec Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit abcd4aa304268111b33daa61cb4dbe75da41b3aa Author: Mauro Carvalho Chehab Date: Sun Jul 17 00:24:37 2011 -0300 si4713-i2c: avoid potential buffer overflow on si4713 commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream. While compiling it with Fedora 15, I noticed this issue: inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct Signed-off-by: Mauro Carvalho Chehab Acked-by: Sakari Ailus Acked-by: Eduardo Valentin Reviewed-by: Eugene Teo Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5bba1fce7f3a1a59d6c6893234df532fe6a43766 Author: Ben Greear Date: Tue Jul 12 10:27:55 2011 -0700 SUNRPC: Fix use of static variable in rpcb_getport_async commit ec0dd267bf7d08cb30e321e45a75fd40edd7e528 upstream. Because struct rpcbind_args *map was declared static, if two threads entered this method at the same time, the values assigned to map could be sent two two differen tasks. This could cause all sorts of problems, include use-after-free and double-free of memory. Fix this by removing the static declaration so that the map pointer is on the stack. Signed-off-by: Ben Greear Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit a05061d6d457e200808514e37cae4bed805c860d Author: Trond Myklebust Date: Wed Jul 6 19:58:23 2011 -0400 SUNRPC: Fix a race between work-queue and rpc_killall_tasks commit b55c59892e1f3b6c7d4b9ccffb4263e1486fb990 upstream. Since rpc_killall_tasks may modify the rpc_task's tk_action field without any locking, we need to be careful when dereferencing it. Reported-by: Ben Greear Tested-by: Ben Greear Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 809eb666e84ba6628ab0c92b2104644685069ef3 Author: Andy Adamson Date: Mon Jul 11 17:17:42 2011 -0400 NFSv4.1: update nfs4_fattr_bitmap_maxsz commit e5012d1f3861d18c7f3814e757c1c3ab3741dbcd upstream. Attribute IDs assigned in RFC 5661 now require three bitmaps. Fixes hitting a BUG_ON in xdr_shrink_bufhead when getting ACLs. Signed-off-by: Andy Adamson Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit c3c239c62ae57a65e13a00a485435db15f8d5ad0 Author: Herbert Xu Date: Wed Jul 27 06:16:28 2011 -0700 gro: Only reset frag0 when skb can be pulled commit 17dd759c67f21e34f2156abcf415e1f60605a188 upstream. Currently skb_gro_header_slow unconditionally resets frag0 and frag0_len. However, when we can't pull on the skb this leaves the GRO fields in an inconsistent state. This patch fixes this by only resetting those fields after the pskb_may_pull test. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5c47b59050245461c088e67cc0cb7196d1dcdfb9 Author: Hans Verkuil Date: Sun Jun 12 07:02:43 2011 -0300 bttv: fix s_tuner for radio commit a024c1a6b274e11596d124619e43c25560f64c01 upstream. Fix typo: g_tuner should have been s_tuner. Tested with a bttv card. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit f89e20d61648229d1282125cdebf416634f9ac80 Author: Hans Verkuil Date: Sun Jun 12 06:39:52 2011 -0300 pvrusb2: fix g/s_tuner support commit 50e9efd60b213ce43ad6979bfc18e25eec2d8413 upstream. The tuner-core subdev requires that the type field of v4l2_tuner is filled in correctly. This is done in v4l2-ioctl.c, but pvrusb2 doesn't use that yet, so we have to do it manually based on whether the current input is radio or not. Tested with my pvrusb2. Signed-off-by: Hans Verkuil Acked-by: Mike Isely Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 46905de090c508781d0ef2a0add4503bc2066e57 Author: Hans Verkuil Date: Sun Jun 12 06:36:41 2011 -0300 v4l2-ioctl.c: prefill tuner type for g_frequency and g/s_tuner commit 227690df75382e46a4f6ea1bbc5df855a674b47f upstream. The subdevs are supposed to receive a valid tuner type for the g_frequency and g/s_tuner subdev ops. Some drivers do this, others don't. So prefill this in v4l2-ioctl.c based on whether the device node from which this is called is a radio node or not. The spec does not require applications to fill in the type, and if they leave it at 0 then the 'check_mode' call in tuner-core.c will return an error and the ioctl does nothing. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 32910025980f24cab5061901d9b1249c2b2574b2 Author: Mark Brown Date: Mon Jun 13 12:14:07 2011 +0100 ASoC: Fix Blackfin I2S _pointer() implementation return in bounds values commit e999dc50404d401150a5429b6459473a691fd1a0 upstream. The Blackfin DMA controller can report one frame beyond the end of the buffer in the wraparound case but ALSA requires that the pointer always be in the buffer. Do the wraparound to handle this. A similar bug is likely to apply to the other Blackfin PCM drivers but the code is less obvious to inspection and I don't have a user to test. Reported-by: Kieran O'Leary Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman