commit b0b3e41f6fe88a15bd27f73f6fabef48e0fea2f0 Author: Greg Kroah-Hartman Date: Mon Aug 29 14:31:54 2011 -0700 Linux 2.6.32.46 commit 12361acf4d2ca536624e2b7237ce371b29704b30 Author: Carolyn Wyborny Date: Sat Jun 25 13:18:12 2011 +0000 igb: Fix lack of flush after register write and before delay commit 064b43304ed8ede8e13ff7b4338d09fd37bcffb1 upstream. Register writes followed by a delay are required to have a flush before the delay in order to commit the values to the register. Without the flush, the code following the delay may not function correctly. Reported-by: Tong Ho Reported-by: Guenter Roeck Signed-off-by: Carolyn Wyborny Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit 7b1ef6c0a199bd93899f167f459627dd9421913a Author: Miklos Szeredi Date: Wed Aug 24 10:20:17 2011 +0200 fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream. FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the message processing could overrun and result in a "kernel BUG at fs/fuse/dev.c:629!" Reported-by: Han-Wen Nienhuys Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 035fac5844e2cbc3bb485b6d274b4266c27aeeb2 Author: Marcin Slusarz Date: Mon Aug 22 21:17:57 2011 +0000 drm/ttm: fix ttm_bo_add_ttm(user) failure path commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream. ttm_tt_destroy kfrees passed object, so we need to nullify a reference to it. Signed-off-by: Marcin Slusarz Reviewed-by: Thomas Hellstrom Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 4d3b4b41f4e2dbd884ea275a40d784a4fdd780fc Author: Jack Steiner Date: Fri Aug 5 09:09:00 2011 -0500 x86, UV: Remove UV delay in starting slave cpus commit 05e33fc20ea5e493a2a1e7f1d04f43cdf89f83ed upstream. Delete the 10 msec delay between the INIT and SIPI when starting slave cpus. I can find no requirement for this delay. BIOS also has similar code sequences without the delay. Removing the delay reduces boot time by 40 sec. Every bit helps. Signed-off-by: Jack Steiner Link: http://lkml.kernel.org/r/20110805140900.GA6774@sgi.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2bbc3e27c16c993c5f4a1949879c288edec896bc Author: H. Peter Anvin Date: Mon Aug 22 13:27:06 2011 -0700 x86-32, vdso: On system call restart after SYSENTER, use int $0x80 commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream. When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle the arguments to match the int $0x80 calling convention. This was probably a design mistake, but it's what it is now. This causes errors if the system call as to be restarted. For SYSENTER, we have to invoke the instruction from the vdso as the return address is hardcoded. Accordingly, we can simply replace the jump in the vdso with an int $0x80 instruction and use the slower entry point for a post-restart. Suggested-by: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com Signed-off-by: Greg Kroah-Hartman commit d64ec7bb4e2e4915e698e2b0dee3bc115f9ff273 Author: Shawn Bohrer Date: Thu Jun 30 11:21:32 2011 -0500 futex: Fix regression with read only mappings commit 9ea71503a8ed9184d2d0b8ccc4d269d05f7940ae upstream. commit 7485d0d3758e8e6491a5c9468114e74dc050785d (futexes: Remove rw parameter from get_futex_key()) in 2.6.33 fixed two problems: First, It prevented a loop when encountering a ZERO_PAGE. Second, it fixed RW MAP_PRIVATE futex operations by forcing the COW to occur by unconditionally performing a write access get_user_pages_fast() to get the page. The commit also introduced a user-mode regression in that it broke futex operations on read-only memory maps. For example, this breaks workloads that have one or more reader processes doing a FUTEX_WAIT on a futex within a read only shared file mapping, and a writer processes that has a writable mapping issuing the FUTEX_WAKE. This fixes the regression for valid futex operations on RO mappings by trying a RO get_user_pages_fast() when the RW get_user_pages_fast() fails. This change makes it necessary to also check for invalid use cases, such as anonymous RO mappings (which can never change) and the ZERO_PAGE which the commit referenced above was written to address. This patch does restore the original behavior with RO MAP_PRIVATE mappings, which have inherent user-mode usage problems and don't really make sense. With this patch performing a FUTEX_WAIT within a RO MAP_PRIVATE mapping will be successfully woken provided another process updates the region of the underlying mapped file. However, the mmap() man page states that for a MAP_PRIVATE mapping: It is unspecified whether changes made to the file after the mmap() call are visible in the mapped region. So user-mode users attempting to use futex operations on RO MAP_PRIVATE mappings are depending on unspecified behavior. Additionally a RO MAP_PRIVATE mapping could fail to wake up in the following case. Thread-A: call futex(FUTEX_WAIT, memory-region-A). get_futex_key() return inode based key. sleep on the key Thread-B: call mprotect(PROT_READ|PROT_WRITE, memory-region-A) Thread-B: write memory-region-A. COW happen. This process's memory-region-A become related to new COWed private (ie PageAnon=1) page. Thread-B: call futex(FUETX_WAKE, memory-region-A). get_futex_key() return mm based key. IOW, we fail to wake up Thread-A. Once again doing something like this is just silly and users who do something like this get what they deserve. While RO MAP_PRIVATE mappings are nonsensical, checking for a private mapping requires walking the vmas and was deemed too costly to avoid a userspace hang. This Patch is based on Peter Zijlstra's initial patch with modifications to only allow RO mappings for futex operations that need VERIFY_READ access. Reported-by: David Oliver Signed-off-by: Shawn Bohrer Acked-by: Peter Zijlstra Signed-off-by: Darren Hart Cc: KOSAKI Motohiro Cc: peterz@infradead.org Cc: eric.dumazet@gmail.com Cc: zvonler@rgmadvisors.com Cc: hughd@google.com Link: http://lkml.kernel.org/r/1309450892-30676-1-git-send-email-sbohrer@rgmadvisors.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 3d854ed83c020d229df63d9247523ac3610694e5 Author: Daniel T Chen Date: Sun Aug 14 22:43:01 2011 -0400 ALSA: ac97: Add HP Compaq dc5100 SFF(PT003AW) to Headphone Jack Sense whitelist commit eade7b281c9fc18401b989c77d5e5e660b25a3b7 upstream. BugLink: https://bugs.launchpad.net/bugs/826081 The original reporter needs 'Headphone Jack Sense' enabled to have audible audio, so add his PCI SSID to the whitelist. Reported-and-tested-by: Muhammad Khurram Khan Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9089b3bdfdc2f07dc3adcc6feb4236db4a6ab289 Author: Daniel Mack Date: Sun Aug 14 11:31:16 2011 +0200 ALSA: snd_usb_caiaq: track submitted output urbs commit da6094ea7d3c2295473d8f5134279307255d6ebf upstream. The snd_usb_caiaq driver currently assumes that output urbs are serviced in time and doesn't track when and whether they are given back by the USB core. That usually works fine, but due to temporary limitations of the XHCI stack, we faced that urbs were submitted more than once with this approach. As it's no good practice to fire and forget urbs anyway, this patch introduces a proper bit mask to track which requests have been submitted and given back. That alone however doesn't make the driver work in case the host controller is broken and doesn't give back urbs at all, and the output stream will stop once all pre-allocated output urbs are consumed. But it does prevent crashes of the controller stack in such cases. See http://bugzilla.kernel.org/show_bug.cgi?id=40702 for more details. Signed-off-by: Daniel Mack Reported-and-tested-by: Matej Laitl Cc: Sarah Sharp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0af48fa3a0be99117e19b952c6878ce5409112e4 Author: Timo Warns Date: Wed Aug 17 17:59:56 2011 +0200 befs: Validate length of long symbolic links. commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream. Signed-off-by: Timo Warns Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 098c4cab3a9eaf734d7d99feb55a521be90da37d Author: Timo Warns Date: Thu May 26 16:25:57 2011 -0700 fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables. This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death"). crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size)); computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call. A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation access memory beyond the memory allocated for gpt, which may cause a kernel heap overflow. Validate value of GUID partition table header size. [akpm@linux-foundation.org: fix layout and indenting] Signed-off-by: Timo Warns Cc: Matt Domsch Cc: Eugene Teo Cc: Dave Jones Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [dannf: backported to Debian's 2.6.32] Signed-off-by: Greg Kroah-Hartman commit b871297c35fbf85aeaa1f2776bd37c666089da26 Author: Jonathan Nieder Date: Fri Aug 5 18:58:38 2011 +0200 perf tools: do not look at ./config for configuration commit aba8d056078e47350d85b06a9cabd5afcc4b72ea upstream. In addition to /etc/perfconfig and $HOME/.perfconfig, perf looks for configuration in the file ./config, imitating git which looks at $GIT_DIR/config. If ./config is not a perf configuration file, it fails, or worse, treats it as a configuration file and changes behavior in some unexpected way. "config" is not an unusual name for a file to be lying around and perf does not have a private directory dedicated for its own use, so let's just stop looking for configuration in the cwd. Callers needing context-sensitive configuration can use the PERF_CONFIG environment variable. Requested-by: Christian Ohm Cc: 632923@bugs.debian.org Cc: Ben Hutchings Cc: Christian Ohm Cc: Ingo Molnar Cc: Paul Mackerras Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/20110805165838.GA7237@elie.gateway.2wire.net Signed-off-by: Jonathan Nieder Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 14b9d5c8e798cd4b101ed17ba84dff20a6609849 Author: Clemens Ladisch Date: Tue Jun 21 22:09:50 2011 +0200 mm: fix wrong vmap address calculations with odd NR_CPUS values commit f982f91516fa4cfd9d20518833cd04ad714585be upstream. Commit db64fe02258f ("mm: rewrite vmap layer") introduced code that does address calculations under the assumption that VMAP_BLOCK_SIZE is a power of two. However, this might not be true if CONFIG_NR_CPUS is not set to a power of two. Wrong vmap_block index/offset values could lead to memory corruption. However, this has never been observed in practice (or never been diagnosed correctly); what caught this was the BUG_ON in vb_alloc() that checks for inconsistent vmap_block indices. To fix this, ensure that VMAP_BLOCK_SIZE always is a power of two. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=31572 Reported-by: Pavel Kysilka Reported-by: Matias A. Fonzo Signed-off-by: Clemens Ladisch Signed-off-by: Stefan Richter Cc: Nick Piggin Cc: Jeremy Fitzhardinge Cc: Krzysztof Helt Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6d05cd302c104ace56a7314deec12f181a92c434 Author: Daniel Mack Date: Fri Aug 5 13:49:52 2011 +0200 ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc commit 15439bde3af7ff88459ea2b5520b77312e958df2 upstream. This fixes faulty outbount packets in case the inbound packets received from the hardware are fragmented and contain bogus input iso frames. The bug has been there for ages, but for some strange reasons, it was only triggered by newer machines in 64bit mode. Signed-off-by: Daniel Mack Reported-and-tested-by: William Light Reported-by: Pedro Ribeiro Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3ca969416e0fda795c58508d3fa918572326783d Author: Julia Lawall Date: Tue Aug 9 11:10:56 2011 -0400 hwmon: (ibmaem) add missing kfree commit 66a89b2164e2d30661edbd1953eacf0594d8203a upstream. rs_resp is dynamically allocated in aem_read_sensor(), so it should be freed before exiting in every case. This collects the kfree and the return at the end of the function. Signed-off-by: Julia Lawall Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit ae2690d07d6f898892ea2427d4757fe21c64435d Author: Chas Williams Date: Mon Aug 1 17:56:14 2011 -0700 atm: br2864: sent packets truncated in VC routed mode commit a08af810cdc29d2ca930e8a869d3d01744c392d8 upstream. Reported-by: Pascal Hambourg Signed-off-by: Chas Williams Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4bb900a7e9540ea5413cb7ee1eec87442a2a802f Author: Vijay Chavan Date: Tue Aug 9 02:41:12 2011 +0530 USB: Serial: Added device ID for Qualcomm Modem in Sagemcom's HiLo3G commit e468561739fffb972d486b98f66c723936335136 upstream. A new device ID pair is added for Qualcomm Modem present in Sagemcom's HiLo3G module. Signed-off-by: Vijay Chavan Signed-off-by: Greg Kroah-Hartman commit d1a6653bef92c315d798422959d02fde90e77296 Author: Nick Bowler Date: Wed Jul 13 11:40:09 2011 -0400 USB: usb-storage: unusual_devs entry for ARM V2M motherboard. commit a871e4f5519d8c52430052e1d340dd5710eb5ad6 upstream. Connecting the V2M to a Linux host results in a constant stream of errors spammed to the console, all of the form sd 1:0:0:0: ioctl_internal_command return code = 8070000 : Sense Key : 0x4 [current] : ASC=0x0 ASCQ=0x0 The errors appear to be otherwise harmless. Add an unusual_devs entry which eliminates all of the error messages. Signed-off-by: Nick Bowler Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 36a357ee13a526d890f9e0f639ec4b8e6f800142 Author: Maxim Nikulin Date: Sat Jul 9 23:44:44 2011 +0700 USB: assign instead of equal in usbtmc.c commit 4f1a7a3e78037721496283ea3e87cfefc64d99c7 upstream. Assign operator instead of equality test in the usbtmc_ioctl_abort_bulk_in() function. Signed-off-by: Maxim A. Nikulin Signed-off-by: Greg Kroah-Hartman commit b6708a1c905318749d1d51037c000fcf883b41b1 Author: JiSheng Zhang Date: Sat Jul 16 11:04:19 2011 +0800 USB: xhci: fix OS want to own HC commit 6768458b17f9bf48a4c3a34e49b20344091b5f7e upstream. Software should set XHCI_HC_OS_OWNED bit to request ownership of xHC. This patch should be backported to kernels as far back as 2.6.31. Signed-off-by: JiSheng Zhang Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman