commit 94ed5b4788a7cdbe68bc7cb8516972cbebdc8274 Author: Greg Kroah-Hartman Date: Thu Aug 4 21:59:21 2011 -0700 Linux 3.0.1 commit c2b498857e35bac3ae76a0c546122e1b76d1486a Author: Alasdair G Kergon Date: Tue Aug 2 12:32:01 2011 +0100 dm: fix idr leak on module removal commit d15b774c2920d55e3d58275c97fbe3adc3afde38 upstream. Destroy _minor_idr when unloading the core dm module. (Found by kmemleak.) Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit eb81cf19f5740d1397a72d1abb59570e1dda2711 Author: Mike Snitzer Date: Tue Aug 2 12:32:00 2011 +0100 dm mpath: fix potential NULL pointer in feature arg processing commit 286f367dad40beb3234a18c17391d03ba939a7f3 upstream. Avoid dereferencing a NULL pointer if the number of feature arguments supplied is fewer than indicated. Signed-off-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit b41ed9c38a42daa4b474ebf18eb06ef1f17351f5 Author: Mikulas Patocka Date: Tue Aug 2 12:32:00 2011 +0100 dm snapshot: flush disk cache when merging commit 762a80d9fc9f690a3a35983f3b4619a220650808 upstream. This patch makes dm-snapshot flush disk cache when writing metadata for merging snapshot. Without cache flushing the disk may reorder metadata write and other data writes and there is a possibility of data corruption in case of power fault. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit ee607aa21a02855bc4ae6c4c775fd3456f961404 Author: Mikulas Patocka Date: Tue Aug 2 12:32:01 2011 +0100 dm io: flush cpu cache with vmapped io commit bb91bc7bacb906c9f3a9b22744c53fa7564b51ba upstream. For normal kernel pages, CPU cache is synchronized by the dma layer. However, this is not done for pages allocated with vmalloc. If we do I/O to/from vmallocated pages, we must synchronize CPU cache explicitly. Prior to doing I/O on vmallocated page we must call flush_kernel_vmap_range to flush dirty cache on the virtual address. After finished read we must call invalidate_kernel_vmap_range to invalidate cache on the virtual address, so that accesses to the virtual address return newly read data and not stale data from CPU cache. This patch fixes metadata corruption on dm-snapshots on PA-RISC and possibly other architectures with caches indexed by virtual address. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit f8c62dc268a9f499b86c051ddd3bacf10d70e347 Author: Julia Lawall Date: Thu Jul 28 14:46:05 2011 +0200 ALSA: sound/core/pcm_compat.c: adjust array index commit ca9380fd68514c7bc952282c1b4fc70607e9fe43 upstream. Convert array index from the loop bound to the loop index. A simplified version of the semantic patch that fixes this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression e1,e2,ar; @@ for(e1 = 0; e1 < e2; e1++) { <... ar[ - e2 + e1 ] ...> } // Signed-off-by: Julia Lawall Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f9e4715d434299f8897e3edfed9b6dc90629ffda Author: David Engraf Date: Wed Jul 20 15:03:39 2011 +0200 watchdog: shwdt: fix usage of mod_timer commit bea1906620ce72b63f83735c4cc2642b25ec54ae upstream. Fix the usage of mod_timer() and make the driver usable. mod_timer() must be called with an absolute timeout in jiffies. The old implementation used a relative timeout thus the hardware watchdog was never triggered. Signed-off-by: David Engraf Signed-off-by: Paul Mundt Signed-off-by: Wim Van sebroeck Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 52880922de44a7950283451b06db5aec0fc34a99 Author: Steven Whitehouse Date: Tue Jul 26 09:15:45 2011 +0100 GFS2: Fix mount hang caused by certain access pattern to sysfs files commit 19237039919088781b4191a00bdc1284d8fea1dd upstream. Depending upon the order of userspace/kernel during the mount process, this can result in a hang without the _all version of the completion. Signed-off-by: Steven Whitehouse Signed-off-by: Greg Kroah-Hartman commit 2cd0312de9ac21f8a5d4456917144af608bc5a3c Author: Gertjan van Wingerde Date: Wed Jul 6 22:58:55 2011 +0200 rt2x00: Add device ID for RT539F device. commit 71e0b38c2914018b01f3f08b43ee9e3328197699 upstream. Reported-by: Wim Vander Schelden Signed-off-by: Gertjan van Wingerde Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 84416db67616ae44e7111c1c904a53cc79b95b6a Author: Oleg Nesterov Date: Sat Jul 30 16:35:02 2011 +0200 oom: task->mm == NULL doesn't mean the memory was freed commit c027a474a68065391c8773f6e83ed5412657e369 upstream. exit_mm() sets ->mm == NULL then it does mmput()->exit_mmap() which frees the memory. However select_bad_process() checks ->mm != NULL before TIF_MEMDIE, so it continues to kill other tasks even if we have the oom-killed task freeing its memory. Change select_bad_process() to check ->mm after TIF_MEMDIE, but skip the tasks which have already passed exit_notify() to ensure a zombie with TIF_MEMDIE set can't block oom-killer. Alternatively we could probably clear TIF_MEMDIE after exit_mmap(). Signed-off-by: Oleg Nesterov Reviewed-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 06b943855b6dbcc8cb3cdca954c19711ce7b76b6 Author: John Johansen Date: Sat Jun 25 16:57:07 2011 +0100 AppArmor: Fix masking of capabilities in complain mode commit 25e75dff519bcce2cb35023105e7df51d7b9e691 upstream. AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong, in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile. This can result in the wrong behavior of security conscience applications like sshd which examine their capability set, and change their behavior accordingly. In this case because of the masked capability set being returned sshd fails due to DAC checks, even when the profile is in complain mode. Kernels affected: 2.6.36 - 3.0. Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit 0635a74b4ab037ed0c6d628d9cc737b949a15731 Author: John Johansen Date: Tue Jun 28 15:06:38 2011 +0100 AppArmor: Fix reference to rcu protected pointer outside of rcu_read_lock commit 04fdc099f9c80c7775dbac388fc97e156d4d47e7 upstream. The pointer returned from tracehook_tracer_task() is only valid inside the rcu_read_lock. However the tracer pointer obtained is being passed to aa_may_ptrace outside of the rcu_read_lock critical section. Mover the aa_may_ptrace test into the rcu_read_lock critical section, to fix this. Kernels affected: 2.6.36 - 3.0 Reported-by: Oleg Nesterov Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit e73ff29041b5f8991ef81669a1a9f0553d14766a Author: Manfred Spraul Date: Mon Jul 25 17:11:47 2011 -0700 ipc/sem.c: fix race with concurrent semtimedop() timeouts and IPC_RMID commit d694ad62bf539dbb20a0899ac2a954555f9e4a83 upstream. If a semaphore array is removed and in parallel a sleeping task is woken up (signal or timeout, does not matter), then the woken up task does not wait until wake_up_sem_queue_do() is completed. This will cause crashes, because wake_up_sem_queue_do() will read from a stale pointer. The fix is simple: Regardless of anything, always call get_queue_result(). This function waits until wake_up_sem_queue_do() has finished it's task. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=27142 Reported-by: Yuriy Yevtukhov Reported-by: Harald Laabs Signed-off-by: Manfred Spraul Acked-by: Eric Dumazet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9f78aa15dc4b47ca0bc6269c7c0e4f2345a66580 Author: Hendrik Brueckner Date: Tue Jul 5 21:50:18 2011 +0000 hvc_console: Improve tty/console put_chars handling commit 8c2381af0d3ef62a681dac5a141b6dabb27bf2e1 upstream. Currently, the hvc_console_print() function drops console output if the hvc backend's put_chars() returns 0. This patch changes this behavior to allow a retry through returning -EAGAIN. This change also affects the hvc_push() function. Both functions are changed to handle -EAGAIN and to retry the put_chars() operation. If a hvc backend returns -EAGAIN, the retry handling differs: - hvc_console_print() spins to write the complete console output. - hvc_push() behaves the same way as for returning 0. Now hvc backends can indirectly control the way how console output is handled through the hvc console layer. Signed-off-by: Hendrik Brueckner Acked-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit dc96c18103480c2aacb6c4c7fbb9400e29c604c9 Author: Anton Blanchard Date: Tue Jul 5 21:51:36 2011 +0000 powerpc/pseries/hvconsole: Fix dropped console output commit 51d33021425e1f905beb4208823146f2fb6517da upstream. Return -EAGAIN when we get H_BUSY back from the hypervisor. This makes the hvc console driver retry, avoiding dropped printks. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 86c361cdb455adea881fe00ee055e8290283d47c Author: Ralf Baechle Date: Mon Jun 27 14:26:56 2011 +0100 SERIAL: SC26xx: Fix link error. commit f2eb3cdf14457fccb14ae8c4d7d7cee088cd3957 upstream. Kconfig allows enabling console support for the SC26xx driver even when it's configured as a module resulting in a: ERROR: "uart_console_device" [drivers/tty/serial/sc26xx.ko] undefined! modpost error since the driver was merged in eea63e0e8a60d00485b47fb6e75d9aa2566b989b [SC26XX: New serial driver for SC2681 uarts] in 2.6.25. Fixed by only allowing console support to be enabled if the driver is builtin. Signed-off-by: Ralf Baechle Cc: linux-serial@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit c4b9902f84ef10b3b1441eacb19c201211aa4307 Author: Stephen Warren Date: Fri Jun 17 09:45:07 2011 -0600 tty/serial: Fix XSCALE serial ports, e.g. ce4100 commit 5568181f188ae9485a0cdbea5ea48f63d186a298 upstream. Commit 4539c24fe4f92c09ee668ef959d3e8180df619b9 "tty/serial: Add explicit PORT_TEGRA type" introduced separate flags describing the need for IER bits UUE and RTOIE. Both bits are required for the XSCALE port type. While that patch updated uart_config[] as required, the auto-probing code wasn't updated to set the RTOIE flag when an XSCALE port type was detected. This caused such ports to stop working. This patch rectifies that. Reported-by: Sebastian Andrzej Siewior Tested-by: Sebastian Andrzej Siewior Signed-off-by: Stephen Warren Signed-off-by: Greg Kroah-Hartman commit a6f0411fbde8a3677fc3e0843db68ca031fa727c Author: Daisuke Nishimura Date: Tue Jul 26 16:08:25 2011 -0700 memcg: fix behavior of mem_cgroup_resize_limit() commit 108b6a78463bb8c7163e4f9779f36ad8bbade334 upstream. Commit 22a668d7c3ef ("memcg: fix behavior under memory.limit equals to memsw.limit") introduced "memsw_is_minimum" flag, which becomes true when mem_limit == memsw_limit. The flag is checked at the beginning of reclaim, and "noswap" is set if the flag is true, because using swap is meaningless in this case. This works well in most cases, but when we try to shrink mem_limit, which is the same as memsw_limit now, we might fail to shrink mem_limit because swap doesn't used. This patch fixes this behavior by: - check MEM_CGROUP_RECLAIM_SHRINK at the begining of reclaim - If it is set, don't set "noswap" flag even if memsw_is_minimum is true. Signed-off-by: Daisuke Nishimura Cc: Balbir Singh Acked-by: KAMEZAWA Hiroyuki Cc: Michal Hocko Cc: Ying Han Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ea530dbfb61aef022d468b597ce13c32da2fb944 Author: Sven Neumann Date: Tue Jul 12 15:52:07 2011 +0200 cfg80211: really ignore the regulatory request commit a203c2aa4cefccb879c879b8e1cad1a09a679e55 upstream. At the beginning of wiphy_update_regulatory() a check is performed whether the request is to be ignored. Then the request is sent to the driver nevertheless. This happens even if last_request points to NULL, leading to a crash in the driver: [] (lbs_set_11d_domain_info+0x28/0x1e4 [libertas]) from [] (wiphy_update_regulatory+0x4d0/0x4f4) [] (wiphy_update_regulatory+0x4d0/0x4f4) from [] (wiphy_register+0x354/0x420) [] (wiphy_register+0x354/0x420) from [] (lbs_cfg_register+0x80/0x164 [libertas]) [] (lbs_cfg_register+0x80/0x164 [libertas]) from [] (lbs_start_card+0x20/0x88 [libertas]) [] (lbs_start_card+0x20/0x88 [libertas]) from [] (if_sdio_probe+0x898/0x9c0 [libertas_sdio]) Fix this by returning early. Also remove the out: label as it is not any longer needed. Signed-off-by: Sven Neumann Cc: linux-wireless@vger.kernel.org Cc: Johannes Berg Cc: Daniel Mack Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d10a6cb264a9a60097e46c93146259fd36ea4bf4 Author: Alan Stern Date: Tue Jul 19 14:01:23 2011 -0400 EHCI: fix direction handling for interrupt data toggles commit e04f5f7e423018bcec84c11af2058cdce87816f3 upstream. This patch (as1480) fixes a rather obscure bug in ehci-hcd. The qh_update() routine needs to know the number and direction of the endpoint corresponding to its QH argument. The number can be taken directly from the QH data structure, but the direction isn't stored there. The direction is taken instead from the first qTD linked to the QH. However, it turns out that for interrupt transfers, qh_update() gets called before the qTDs are linked to the QH. As a result, qh_update() computes a bogus direction value, which messes up the endpoint toggle handling. Under the right combination of circumstances this causes usb_reset_endpoint() not to work correctly, which causes packets to be dropped and communications to fail. Now, it's silly for the QH structure not to have direct access to all the descriptor information for the corresponding endpoint. Ultimately it may get a pointer to the usb_host_endpoint structure; for now, adding a copy of the direction flag solves the immediate problem. This allows the Spyder2 color-calibration system (a low-speed USB device that sends all its interrupt data packets with the toggle set to 0 and hance requires constant use of usb_reset_endpoint) to work when connected through a high-speed hub. Thanks to Graeme Gill for supplying the hardware that allowed me to track down this bug. Signed-off-by: Alan Stern Reported-by: Graeme Gill Signed-off-by: Greg Kroah-Hartman commit e151a2a6651a0a46fc03a845614b23c3b630042e Author: Sergei Shtylyov Date: Wed Jul 6 23:19:38 2011 +0400 EHCI: only power off port if over-current is active commit 81463c1d707186adbbe534016cd1249edeab0dac upstream. MAX4967 USB power supply chip we use on our boards signals over-current when power is not enabled; once it's enabled, over-current signal returns to normal. That unfortunately caused the endless stream of "over-current change on port" messages. The EHCI root hub code reacts on every over-current signal change with powering off the port -- such change event is generated the moment the port power is enabled, so once enabled the power is immediately cut off. I think we should only cut off power when we're seeing the active over-current signal, so I'm adding such check to that code. I also think that the fact that we've cut off the port power should be reflected in the result of GetPortStatus request immediately, hence I'm adding a PORTSCn register readback after write... Signed-off-by: Sergei Shtylyov Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 569f3720370818fe5c9d69a11217602b89ae3908 Author: Du, Alek Date: Thu Jul 7 15:16:48 2011 +0100 n_gsm: fix the wrong FCS handling commit f086ced17191fa0c5712539d2b680eae3dc972a1 upstream. FCS could be GSM0_SOF, so will break state machine... [This byte isn't quoted in any way so a SOF here doesn't imply an error occurred.] Signed-off-by: Alek Du Signed-off-by: Alan Cox [Trivial but best backported once its in 3.1rc I think] Signed-off-by: Greg Kroah-Hartman commit 8cd3f19d8310dd5086f396f78d9b5bcf459f6e81 Author: Vasiliy Kulikov Date: Tue Jul 26 16:08:38 2011 -0700 proc: fix a race in do_io_accounting() commit 293eb1e7772b25a93647c798c7b89bf26c2da2e0 upstream. If an inode's mode permits opening /proc/PID/io and the resulting file descriptor is kept across execve() of a setuid or similar binary, the ptrace_may_access() check tries to prevent using this fd against the task with escalated privileges. Unfortunately, there is a race in the check against execve(). If execve() is processed after the ptrace check, but before the actual io information gathering, io statistics will be gathered from the privileged process. At least in theory this might lead to gathering sensible information (like ssh/ftp password length) that wouldn't be available otherwise. Holding task->signal->cred_guard_mutex while gathering the io information should protect against the race. The order of locking is similar to the one inside of ptrace_attach(): first goes cred_guard_mutex, then lock_task_sighand(). Signed-off-by: Vasiliy Kulikov Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c14acb19a4b1482b6dd6e9d0874b2c8e32d6599d Author: Trond Myklebust Date: Sat Jul 30 12:45:35 2011 -0400 NFS: Fix spurious readdir cookie loop messages commit 0c0308066ca53fdf1423895f3a42838b67b3a5a8 upstream. If the directory contents change, then we have to accept that the file->f_pos value may shrink if we do a 'search-by-cookie'. In that case, we should turn off the loop detection and let the NFS client try to recover. The patch also fixes a second loop detection bug by ensuring that after turning on the ctx->duped flag, we read at least one new cookie into ctx->dir_cookie before attempting to match with ctx->dup_cookie. Reported-by: Petr Vandrovec Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 1fcb9d4b03b6ad6f4de417bbbe21d82123290114 Author: Trond Myklebust Date: Mon Jul 25 15:37:29 2011 -0400 NFSv4: Don't use the delegation->inode in nfs_mark_return_delegation() commit ed1e6211a0a134ff23592c6f057af982ad5dab52 upstream. nfs_mark_return_delegation() is usually called without any locking, and so it is not safe to dereference delegation->inode. Since the inode is only used to discover the nfs_client anyway, it makes more sense to have the callers pass a valid pointer to the nfs_server as a parameter. Reported-by: Ian Kent Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 83d20a07d3fc171d5d7cddb6ebe2cd7a5fee1047 Author: J. Bruce Fields Date: Wed Jun 29 16:49:04 2011 -0400 svcrpc: fix list-corrupting race on nfsd shutdown commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream. After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd: split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no longer removed its xpt_ready (then sk_ready) field from whatever list it was on, noting that there was no point since the whole list was about to be destroyed anyway. That was mostly true, but forgot that a few svc_xprt_enqueue()'s might still be hanging around playing with the about-to-be-destroyed list, and could get themselves into trouble writing to freed memory if we left this xprt on the list after freeing it. (This is actually functionally identical to a patch made first by Ben Greear, but with more comments.) Cc: gnb@fmeh.org Reported-by: Ben Greear Tested-by: Ben Greear Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 4beae54c192e6f1dee12b70e205b800fd99d1fc7 Author: J. Bruce Fields Date: Wed Jun 29 08:23:50 2011 -0400 nfsd4: fix file leak on open_downgrade commit f197c27196a5e7631b89e2e92daa096fcf7c302c upstream. Stateid's hold a read reference for a read open, a write reference for a write open, and an additional one of each for each read+write open. The latter wasn't getting put on a downgrade, so something like: open RW open R downgrade to R was resulting in a file leak. Also fix an imbalance in an error path. Regression from 7d94784293096c0a46897acdb83be5abd9278ece "nfsd4: fix downgrade/lock logic". Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit ecf6c7480f0c9aef2a39e8cb881ebd98bfcb8caa Author: J. Bruce Fields Date: Mon Jun 27 16:57:12 2011 -0400 nfsd4: remember to put RW access on stateid destruction commit 499f3edc23ca0431f3a0a6736b3a40944c81bf3b upstream. Without this, for example, open read open read+write close will result in a struct file leak. Regression from 7d94784293096c0a46897acdb83be5abd9278ece "nfsd4: fix downgrade/lock logic". Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit f6d7de0ee45c2408056bb2a9e2b21ba86fbfd833 Author: Casey Bodley Date: Sat Jul 23 14:58:10 2011 -0400 nfsd: don't break lease on CLAIM_DELEGATE_CUR commit 0c12eaffdf09466f36a9ffe970dda8f4aeb6efc0 upstream. CLAIM_DELEGATE_CUR is used in response to a broken lease; allowing it to break the lease and return EAGAIN leaves the client unable to make progress in returning the delegation nfs4_get_vfs_file() now takes struct nfsd4_open for access to the claim type, and calls nfsd_open() with NFSD_MAY_NOT_BREAK_LEASE when claim type is CLAIM_DELEGATE_CUR Signed-off-by: Casey Bodley Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit efc977be4683816c39dfab38a34f68e07b78997e Author: Tyler Hicks Date: Tue Jul 26 19:47:08 2011 -0500 eCryptfs: Unlock keys needed by ecryptfsd commit b2987a5e05ec7a1af7ca42e5d5349d7a22753031 upstream. Fixes a regression caused by b5695d04634fa4ccca7dcbc05bb4a66522f02e0b Kernel keyring keys containing eCryptfs authentication tokens should not be write locked when calling out to ecryptfsd to wrap and unwrap file encryption keys. The eCryptfs kernel code can not hold the key's write lock because ecryptfsd needs to request the key after receiving such a request from the kernel. Without this fix, all file opens and creates will timeout and fail when using the eCryptfs PKI infrastructure. This is not an issue when using passphrase-based mount keys, which is the most widely deployed eCryptfs configuration. Signed-off-by: Tyler Hicks Acked-by: Roberto Sassu Tested-by: Roberto Sassu Tested-by: Alexis Hafner1 Signed-off-by: Greg Kroah-Hartman commit a21353bae5e98fce18080a3691ef75ede61dd261 Author: Thieu Le Date: Tue Jul 26 16:15:10 2011 -0700 ecryptfs: Make inode bdi consistent with superblock bdi commit 985ca0e626e195ea08a1a82b8dbeb6719747429a upstream. Make the inode mapping bdi consistent with the superblock bdi so that dirty pages are flushed properly. Signed-off-by: Thieu Le Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit 57073d3492dd72685cdcc61b6fb8d05b3a38e891 Author: Jan Kara Date: Mon May 30 13:29:20 2011 +0200 ext3: Fix oops in ext3_try_to_allocate_with_rsv() commit ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 upstream. Block allocation is called from two places: ext3_get_blocks_handle() and ext3_xattr_block_set(). These two callers are not necessarily synchronized because xattr code holds only xattr_sem and i_mutex, and ext3_get_blocks_handle() may hold only truncate_mutex when called from writepage() path. Block reservation code does not expect two concurrent allocations to happen to the same inode and thus assertions can be triggered or reservation structure corruption can occur. Fix the problem by taking truncate_mutex in xattr code to serialize allocations. CC: Sage Weil Reported-by: Fyodor Ustinov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit fac04f94c7b94ef1c62490b176b77f2572086629 Author: Jiaying Zhang Date: Sun Jul 10 20:07:25 2011 -0400 ext4: free allocated and pre-allocated blocks when check_eofblocks_fl fails commit 575a1d4bdfa2ea9fc10733013136145b497e1be0 upstream. Upon corrupted inode or disk failures, we may fail after we already allocate some blocks from the inode or take some blocks from the inode's preallocation list, but before we successfully insert the corresponding extent to the extent tree. In this case, we should free any allocated blocks and discard the inode's preallocated blocks because the entries in the inode's preallocation list may be in an inconsistent state. Signed-off-by: Jiaying Zhang Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 99cdf2a47f443985d956e02323331819898d99b7 Author: Maxim Patlasov Date: Sun Jul 10 19:37:48 2011 -0400 ext4: fix i_blocks/quota accounting when extent insertion fails commit 7132de744ba76930d13033061018ddd7e3e8cd91 upstream. The current implementation of ext4_free_blocks() always calls dquot_free_block This looks quite sensible in the most cases: blocks to be freed are associated with inode and were accounted in quota and i_blocks some time ago. However, there is a case when blocks to free were not accounted by the time calling ext4_free_blocks() yet: 1. delalloc is on, write_begin pre-allocated some space in quota 2. write-back happens, ext4 allocates some blocks in ext4_ext_map_blocks() 3. then ext4_ext_map_blocks() gets an error (e.g. ENOSPC) from ext4_ext_insert_extent() and calls ext4_free_blocks(). In this scenario, ext4_free_blocks() calls dquot_free_block() who, in turn, decrements i_blocks for blocks which were not accounted yet (due to delalloc) After clean umount, e2fsck reports something like: > Inode 21, i_blocks is 5080, should be 5128. Fix? because i_blocks was erroneously decremented as explained above. The patch fixes the problem by passing the new flag EXT4_FREE_BLOCKS_NO_QUOT_UPDATE to ext4_free_blocks(), to request that the dquot_free_block() call be skipped. Signed-off-by: Maxim Patlasov Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit f7ac7c5b73c4f78f83202f8ec54ef1a73b9c5abe Author: Dan Rosenberg Date: Mon Jul 25 17:11:53 2011 -0700 xtensa: prevent arbitrary read in ptrace commit 0d0138ebe24b94065580bd2601f8bb7eb6152f56 upstream. Prevent an arbitrary kernel read. Check the user pointer with access_ok() before copying data in. [akpm@linux-foundation.org: s/EIO/EFAULT/] Signed-off-by: Dan Rosenberg Cc: Christian Zankel Cc: Oleg Nesterov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 650957da7699e730e78e82735b8c2595fcf7794a Author: Peter Zijlstra Date: Mon Jul 25 17:11:57 2011 -0700 mm/backing-dev.c: reset bdi min_ratio in bdi_unregister() commit ccb6108f5b0b541d3eb332c3a73e645c0f84278e upstream. Vito said: : The system has many usb disks coming and going day to day, with their : respective bdi's having min_ratio set to 1 when inserted. It works for : some time until eventually min_ratio can no longer be set, even when the : active set of bdi's seen in /sys/class/bdi/*/min_ratio doesn't add up to : anywhere near 100. : : This then leads to an unrelated starvation problem caused by write-heavy : fuse mounts being used atop the usb disks, a problem the min_ratio setting : at the underlying devices bdi effectively prevents. Fix this leakage by resetting the bdi min_ratio when unregistering the BDI. Signed-off-by: Peter Zijlstra Reported-by: Vito Caputo Cc: Wu Fengguang Cc: Miklos Szeredi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b045b9a265fb46d8197b7d78aff1a8f6ab8e23df Author: Benjamin Herrenschmidt Date: Mon Jul 25 17:12:32 2011 -0700 mm/futex: fix futex writes on archs with SW tracking of dirty & young commit 2efaca927f5cd7ecd0f1554b8f9b6a9a2c329c03 upstream. I haven't reproduced it myself but the fail scenario is that on such machines (notably ARM and some embedded powerpc), if you manage to hit that futex path on a writable page whose dirty bit has gone from the PTE, you'll livelock inside the kernel from what I can tell. It will go in a loop of trying the atomic access, failing, trying gup to "fix it up", getting succcess from gup, go back to the atomic access, failing again because dirty wasn't fixed etc... So I think you essentially hang in the kernel. The scenario is probably rare'ish because affected architecture are embedded and tend to not swap much (if at all) so we probably rarely hit the case where dirty is missing or young is missing, but I think Shan has a piece of SW that can reliably reproduce it using a shared writable mapping & fork or something like that. On archs who use SW tracking of dirty & young, a page without dirty is effectively mapped read-only and a page without young unaccessible in the PTE. Additionally, some architectures might lazily flush the TLB when relaxing write protection (by doing only a local flush), and expect a fault to invalidate the stale entry if it's still present on another processor. The futex code assumes that if the "in_atomic()" access -EFAULT's, it can "fix it up" by causing get_user_pages() which would then be equivalent to taking the fault. However that isn't the case. get_user_pages() will not call handle_mm_fault() in the case where the PTE seems to have the right permissions, regardless of the dirty and young state. It will eventually update those bits ... in the struct page, but not in the PTE. Additionally, it will not handle the lazy TLB flushing that can be required by some architectures in the fault case. Basically, gup is the wrong interface for the job. The patch provides a more appropriate one which boils down to just calling handle_mm_fault() since what we are trying to do is simulate a real page fault. The futex code currently attempts to write to user memory within a pagefault disabled section, and if that fails, tries to fix it up using get_user_pages(). This doesn't work on archs where the dirty and young bits are maintained by software, since they will gate access permission in the TLB, and will not be updated by gup(). In addition, there's an expectation on some archs that a spurious write fault triggers a local TLB flush, and that is missing from the picture as well. I decided that adding those "features" to gup() would be too much for this already too complex function, and instead added a new simpler fixup_user_fault() which is essentially a wrapper around handle_mm_fault() which the futex code can call. [akpm@linux-foundation.org: coding-style fixes] [akpm@linux-foundation.org: fix some nits Darren saw, fiddle comment layout] Signed-off-by: Benjamin Herrenschmidt Reported-by: Shan Hai Tested-by: Shan Hai Cc: David Laight Acked-by: Peter Zijlstra Cc: Darren Hart Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cb83d9f7840657a0f0cc29ba5c01ce7320e28e9a Author: Philip A. Prindeville Date: Mon Jul 25 17:13:05 2011 -0700 geode: reflect mfgpt dependency on mfd commit 703f03c896fdbd726b809066ae279df513992f0e upstream. As stated in drivers/mfd/cs5535-mfd.c, the mfd driver exposes the BARs which then make the GPIO, MFGPT, ACPI, etc. all visible to the system. So the dependencies of the MFGPT stuff have changed, and most people expect Kconfig to bring in the necessary dependencies. Without them, the module fails to load and most people don't understand why because the details of the rewrite aren't captured anywhere most people who know to look. This dependency needs to be reflected in Kconfig. Signed-off-by: Philip A. Prindeville Acked-by: Alexandros C. Couloumbis Acked-by: Andres Salomon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4d5553036a151d67c6da2e7581598ead685d452b Author: Randy Dunlap Date: Mon Jul 25 17:13:21 2011 -0700 drivers/firmware/sigma.c needs MODULE_LICENSE commit 27c46a2546c75c6814562e85b751e3d64c188ad5 upstream. Fix module tainting message: sigma: module license 'unspecified' taints kernel. Signed-off-by: Randy Dunlap Acked-by: Mike Frysinger Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 71e553ad4e5714309ccb6f9311fc1af3b0feaa6c Author: Stephen M. Cameron Date: Sat Jul 9 09:04:12 2011 +0200 cciss: do not attempt to read from a write-only register commit 07d0c38e7d84f911c72058a124c7f17b3c779a65 upstream. Most smartarrays will tolerate it, but some new ones don't. Signed-off-by: Stephen M. Cameron Note: this is a regression caused by commit 1ddd5049 Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f3783ea4c293f276d79166c92bfcc4592d518d63 Author: Chris Wright Date: Wed Jul 13 10:14:33 2011 -0700 PCI: ARI is a PCIe v2 feature commit 864d296cf948aef0fa32b81407541572583f7572 upstream. The function pci_enable_ari() may mistakenly set the downstream port of a v1 PCIe switch in ARI Forwarding mode. This is a PCIe v2 feature, and with an SR-IOV device on that switch port believing the switch above is ARI capable it may attempt to use functions 8-255, translating into invalid (non-zero) device numbers for that bus. This has been seen to cause Completion Timeouts and general misbehaviour including hangs and panics. Acked-by: Don Dutile Tested-by: Don Dutile Signed-off-by: Chris Wright Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 947204a724d45083033b6706dad40d47022e5d70 Author: Lasse Collin Date: Sun Jul 24 19:54:25 2011 +0300 XZ: Fix missing include commit 81d67439855a7f928d90965d832aa4f2fb677342 upstream. is needed for min_t. The old version happened to work on x86 because indirectly includes , but it didn't work on ARM. includes so it's not necessary to include it explicitly anymore. Signed-off-by: Lasse Collin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ff7b3dc6a634832a912445db8bffd18b05c15043 Author: Steven Rostedt Date: Tue Jul 5 14:32:51 2011 -0400 tracing: Have "enable" file use refcounts like the "filter" file commit 40ee4dffff061399eb9358e0c8fcfbaf8de4c8fe upstream. The "enable" file for the event system can be removed when a module is unloaded and the event system only has events from that module. As the event system nr_events count goes to zero, it may be freed if its ref_count is also set to zero. Like the "filter" file, the "enable" file may be opened by a task and referenced later, after a module has been unloaded and the events for that event system have been removed. Although the "filter" file referenced the event system structure, the "enable" file only references a pointer to the event system name. Since the name is freed when the event system is removed, it is possible that an access to the "enable" file may reference a freed pointer. Update the "enable" file to use the subsystem_open() routine that the "filter" file uses, to keep a reference to the event system structure while the "enable" file is opened. Reported-by: Johannes Berg Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit f35869d69b65ac9323a0d7ee13c062e1636d4a1b Author: Steven Rostedt Date: Tue Jul 5 11:36:06 2011 -0400 tracing: Fix bug when reading system filters on module removal commit e9dbfae53eeb9fc3d4bb7da3df87fa9875f5da02 upstream. The event system is freed when its nr_events is set to zero. This happens when a module created an event system and then later the module is removed. Modules may share systems, so the system is allocated when it is created and freed when the modules are unloaded and all the events under the system are removed (nr_events set to zero). The problem arises when a task opened the "filter" file for the system. If the module is unloaded and it removed the last event for that system, the system structure is freed. If the task that opened the filter file accesses the "filter" file after the system has been freed, the system will access an invalid pointer. By adding a ref_count, and using it to keep track of what is using the event system, we can free it after all users are finished with the event system. Reported-by: Johannes Berg Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit a3b573350c48edd314b4bdd4f3025b4fda13f0dd Author: Peter Zijlstra Date: Tue Jun 28 12:15:51 2011 +0200 irq_work, alpha: Fix up arch hooks commit 0f933625e7b6c3d91878ae95e341bf1984db7eaf upstream. Commit e360adbe29 ("irq_work: Add generic hardirq context callbacks") fouled up the Alpha bit, not properly naming the arch specific function that raises the 'self-IPI'. Signed-off-by: Peter Zijlstra Cc: Michael Cree Link: http://lkml.kernel.org/n/tip-gukh0txmql2l4thgrekzzbfy@git.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4a3422bb0a18340c145ebd3f3ca19d1114f9fa08 Author: Michael Neuling Date: Mon Jul 4 20:40:10 2011 +0000 powerpc/kdump: Fix timeout in crash_kexec_wait_realmode commit 63f21a56f1cc0b800a4c00349c59448f82473d19 upstream. The existing code it pretty ugly. How about we clean it up even more like this? From: Anton Blanchard We check for timeout expiry in the outer loop, but we also need to check it in the inner loop or we can lock up forever waiting for a CPU to hit real mode. Signed-off-by: Anton Blanchard Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 758705e242a729b0c82c62dd5965189e318e8763 Author: Robert Richter Date: Fri Jun 3 16:37:47 2011 +0200 oprofile, x86: Fix nmi-unsafe callgraph support commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. Current oprofile's x86 callgraph support may trigger page faults throwing the BUG_ON(in_nmi()) message below. This patch fixes this by using the same nmi-safe copy-from-user code as in perf. ------------[ cut here ]------------ kernel BUG at .../arch/x86/kernel/traps.c:436! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast CPU 5 Modules linked in: Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[] [] do_nmi+0x22/0x1ee RSP: 0000:ffff88042fd47f28 EFLAGS: 00010002 RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101 RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58 RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58 R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020 FS: 00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310) Stack: 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074 Call Trace: [] nmi+0x1a/0x20 [] ? bad_to_user+0x25/0x771 <> Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01 RIP [] do_nmi+0x22/0x1ee RSP ---[ end trace ed6752185092104b ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 8611, comm: opcontrol Tainted: G D 2.6.39-00007-gfe47ae7 #1 Call Trace: [] panic+0x8c/0x188 [] oops_end+0x81/0x8e [] die+0x55/0x5e [] do_trap+0x11c/0x12b [] do_invalid_op+0x91/0x9a [] ? do_nmi+0x22/0x1ee [] ? oprofile_add_sample+0x83/0x95 [] ? op_amd_check_ctrs+0x4f/0x2cf [] invalid_op+0x15/0x20 [] ? do_nmi+0x22/0x1ee [] ? do_nmi+0x67/0x1ee [] nmi+0x1a/0x20 [] ? bad_to_user+0x25/0x771 <> Cc: John Lumby Cc: Maynard Johnson Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit b0d8db08455d752cd74c29d1b7b765f1624ca4a2 Author: Huang Ying Date: Thu Jul 14 09:34:37 2011 +0800 kexec, x86: Fix incorrect jump back address if not preserving context commit 050438ed5a05b25cdf287f5691e56a58c2606997 upstream. In kexec jump support, jump back address passed to the kexeced kernel via function calling ABI, that is, the function call return address is the jump back entry. Furthermore, jump back entry == 0 should be used to signal that the jump back or preserve context is not enabled in the original kernel. But in the current implementation the stack position used for function call return address is not cleared context preservation is disabled. The patch fixes this bug. Reported-and-tested-by: Yin Kangkai Signed-off-by: Huang Ying Cc: Eric W. Biederman Cc: Vivek Goyal Link: http://lkml.kernel.org/r/1310607277-25029-1-git-send-email-ying.huang@intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 40a3e9966c347b2e722785aecd9c0165457d61f3 Author: Peng Tao Date: Sat Jul 30 20:52:34 2011 -0400 pnfs: use lwb as layoutcommit length commit 3557c6c3be5b2ca0b11365db7f8a813253eb520b upstream. Using NFS4_MAX_UINT64 will break current protocol. [Needed in v3.0] Signed-off-by: Peng Tao Signed-off-by: Jim Rees Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 892cd4a38f0d379dfdbc1a0a45eaa31a89976796 Author: Peng Tao Date: Sat Jul 30 20:52:33 2011 -0400 pnfs: let layoutcommit handle a list of lseg commit a9bae5666d0510ad69bdb437371c9a3e6b770705 upstream. There can be multiple lseg per file, so layoutcommit should be able to handle it. [Needed in v3.0] Signed-off-by: Peng Tao Signed-off-by: Boaz Harrosh Signed-off-by: Jim Rees Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit f45c1d4647a37feee31f4bca9ebd9b90ebdc98a3 Author: Peng Tao Date: Sat Jul 30 20:52:32 2011 -0400 pnfs: save layoutcommit cred at layout header init commit 9fa4075878a5faac872a63f4a97ce79c776264e9 upstream. No need to save it for every lseg. No need to save it at every pnfs_set_layoutcommit. [Needed in v3.0] Signed-off-by: Peng Tao Signed-off-by: Boaz Harrosh Signed-off-by: Jim Rees Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit a14f191cda33a02a74edbf59820150e415d68616 Author: Peng Tao Date: Sat Jul 30 20:52:31 2011 -0400 pnfs: save layoutcommit lwb at layout header commit acff5880539fe33897d016c0f3dcf062e67c61b6 upstream. No need to save it for every lseg. [Needed in v3.0] Signed-off-by: Peng Tao Signed-off-by: Jim Rees Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit cb1d0a1e91079d22cedc6d66d9c94d53ce0b0199 Author: Takashi Iwai Date: Wed Jul 27 16:41:57 2011 +0200 ALSA: hda - Fix duplicated DAC assignments for Realtek commit c48a8fb0d31d6147d8d76b8e2ad7f51a2fbb5c4d upstream. Copying hp_pins and speaker_pins from line_out_pins may confuse the parser, and it can lead to duplicated initializations for the same pin with a wrong DAC assignment. The problem appears in 3.0 kernel code. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2415d01c0cb11b5471ee640b0ba5a1254be9a708 Author: Clemens Ladisch Date: Sun Jul 17 22:18:05 2011 +0200 ALSA: virtuoso: fix silent analog output on Xonar Essence ST Deluxe commit c81c6b356b52d3fcb4d531d149573fc100aad643 upstream. Commit dd203fa97bd5 (ALSA: virtuoso: remove non-working controls on Essence ST Deluxe) made it impossible to adjust the volume after the driver initialized it to muted. Ensure that those DACs that can be accessed with I2C are initialized to the same volume that is the reset default of the DAC without I2C. Signed-off-by: Clemens Ladisch Signed-off-by: Greg Kroah-Hartman commit eff0f0eb6357e141c1ebf6d3753e2b89177ab6db Author: Alex Deucher Date: Mon Jul 25 18:50:08 2011 -0400 drm/radeon/kms: add missing vddci setting on NI+ commit 4639dd21e759e32125adc7171abf6cb8140d54cf upstream. Need to add vddci setting to pm init as well as resume. Fixes hangs on load on some boards. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=38754 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 803df865c9cae516da0181406716d8cfc1ce854e Author: Jerome Glisse Date: Mon Jul 25 11:57:43 2011 -0400 drm/radeon/kms: fix DP training for DPEncoderService revision bigger than 1.1 commit 5a96a899bbdee86024ab9ea6d02b9e242faacbed upstream. DPEncoderService newer than 1.1 can't properly program the DP (display port) link training. When facing such version use the DIGxEncoderControl method instead. Fix DP link training on some R7XX. Signed-off-by: Jerome Glisse Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit eec8f481cc0114fd86b2b3d5258b4933cd731571 Author: Alex Deucher Date: Sat Jul 23 18:02:04 2011 +0000 drm/radeon/kms: fix i2c map for rv250/280 commit 6dd666333ddee39903d86f870d5c40d9f100e0cc upstream. Those chips have crt2_ddc bus. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=39672 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit fbb04a1c17686592b5e74e45e210f20c40b68d08 Author: Stephen M. Cameron Date: Thu Jul 21 13:16:05 2011 -0500 hpsa: do not attempt to read from a write-only register commit fec62c368b9c8b05d5124ca6c3b8336b537f26f3 upstream. Most smartarrays tolerate it, but a few new ones don't. Without this change some newer Smart Arrays will lock up and i/o will grind to a halt. Signed-off-by: Stephen M. Cameron Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 43f7c7261fc45a4c09fbd56c0a76dcdf55d8e8f3 Author: Dan Rosenberg Date: Mon Jul 11 14:08:23 2011 -0700 pmcraid: reject negative request size commit b5b515445f4f5a905c5dd27e6e682868ccd6c09d upstream. There's a code path in pmcraid that can be reached via device ioctl that causes all sorts of ugliness, including heap corruption or triggering the OOM killer due to consecutive allocation of large numbers of pages. First, the user can call pmcraid_chr_ioctl(), with a type PMCRAID_PASSTHROUGH_IOCTL. This calls through to pmcraid_ioctl_passthrough(). Next, a pmcraid_passthrough_ioctl_buffer is copied in, and the request_size variable is set to buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit signed value provided by the user. If a negative value is provided here, bad things can happen. For example, pmcraid_build_passthrough_ioadls() is called with this request_size, which immediately calls pmcraid_alloc_sglist() with a negative size. The resulting math on allocating a scatter list can result in an overflow in the kzalloc() call (if num_elem is 0, the sglist will be smaller than expected), or if num_elem is unexpectedly large the subsequent loop will call alloc_pages() repeatedly, a high number of pages will be allocated and the OOM killer might be invoked. It looks like preventing this value from being negative in pmcraid_ioctl_passthrough() would be sufficient. Signed-off-by: Dan Rosenberg Signed-off-by: Andrew Morton Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 1768e0b7e77b5c3e11cd0f0ab15358ccba3a9880 Author: James Bottomley Date: Thu Jul 7 15:45:40 2011 -0500 fix crash in scsi_dispatch_cmd() commit bfe159a51203c15d23cb3158fffdc25ec4b4dda1 upstream. USB surprise removal of sr is triggering an oops in scsi_dispatch_command(). What seems to be happening is that USB is hanging on to a queue reference until the last close of the upper device, so the crash is caused by surprise remove of a mounted CD followed by attempted unmount. The problem is that USB doesn't issue its final commands as part of the SCSI teardown path, but on last close when the block queue is long gone. The long term fix is probably to make sr do the teardown in the same way as sd (so remove all the lower bits on ejection, but keep the upper disk alive until last close of user space). However, the current oops can be simply fixed by not allowing any commands to be sent to a dead queue. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit b9beb51724bebfc198533144e86601f0099c026e Author: Douglas Gilbert Date: Thu Jun 9 00:27:07 2011 -0400 ses: requesting a fault indication commit 2a350cab9daf9a46322d83b091bb05cf54ccf6ab upstream. Noticed that when the sysfs interface of the SCSI SES driver was used to request a fault indication the LED flashed but the buzzer didn't sound. So it was doing what REQUEST IDENT (locate) should do. Changelog: - fix the setting of REQUEST FAULT for the device slot and array device slot elements in the enclosure control diagnostic page - note the potentially defective code that reads the FAULT SENSED and FAULT REQUESTED bits from the enclosure status diagnostic page The attached patch is against git/scsi-misc-2.6 Signed-off-by: Douglas Gilbert Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 645b2cf1067d945c662ffeea45b4c0f7036bc1ee Author: Kay Sievers Date: Thu Jun 30 15:03:48 2011 +0200 sr: check_events() ignore GET_EVENT when TUR says otherwise commit 79b9677d885d1a792bc103f2febb06f91f92de43 upstream. Some broken devices indicates that media has changed on every GET_EVENT_STATUS_NOTIFICATION. This translates into MEDIA_CHANGE uevent on every open() which lets udev run into a loop. Verify GET_EVENT result against TUR and if it generates spurious events for several times in a row, ignore the GET_EVENT events, and trust only the TUR status. This is the log of a USB stick with a (broken) fake CDROM drive: scsi 5:0:0:0: Direct-Access SanDisk U3 Cruzer Micro 8.02 PQ: 0 ANSI: 0 CCS sd 5:0:0:0: Attached scsi generic sg3 type 0 scsi 5:0:0:1: CD-ROM SanDisk U3 Cruzer Micro 8.02 PQ: 0 ANSI: 0 sd 5:0:0:0: [sdb] Attached SCSI removable disk sr2: scsi3-mmc drive: 48x/48x tray sr 5:0:0:1: Attached scsi CD-ROM sr2 sr 5:0:0:1: Attached scsi generic sg4 type 5 sr2: GET_EVENT and TUR disagree continuously, suppress GET_EVENT events sd 5:0:0:0: [sdb] 31777279 512-byte logical blocks: (16.2 GB/15.1 GiB) sd 5:0:0:0: [sdb] No Caching mode page present sd 5:0:0:0: [sdb] Assuming drive cache: write through sd 5:0:0:0: [sdb] No Caching mode page present sd 5:0:0:0: [sdb] Assuming drive cache: write through sdb: sdb1 -tj: Updated to consider only spurious GET_EVENT events among different types of disagreement and allow using TUR for kernel event polling after GET_EVENT is ignored. Reported-By: Markus Rathgeb maggu2810@googlemail.com Signed-off-by: Kay Sievers Signed-off-by: Tejun Heo Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 65bafeb9e7b942b6ff5754a03635f5d328568f5e Author: Werner Fink Date: Thu Jun 9 10:54:24 2011 +0530 Blacklist Traxdata CDR4120 and IOMEGA Zip drive to avoid lock ups. commit 82103978189e9731658cd32da5eb85ab7b8542b8 upstream. This patch resulted from the discussion at https://bugzilla.novell.com/show_bug.cgi?id=679277, https://bugzilla.novell.com/show_bug.cgi?id=681840 . Signed-off-by: Werner Fink Signed-off-by: Ankit Jain Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 462fee3af72df0de7b60b96c525ffe8baf4db0f0 Author: Peter Zijlstra Date: Thu Jul 28 20:47:10 2011 +0200 perf: Fix software event overflow The below patch is for -stable only, upstream has a much larger patch that contains the below hunk in commit a8b0ca17b80e92faab46ee7179ba9e99ccb61233 Vince found that under certain circumstances software event overflows go wrong and deadlock. Avoid trying to delete a timer from the timer callback. Reported-by: Vince Weaver Signed-off-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 6e243f86d1424d7a1d67da4f8527239a786d9c2f Author: Len Brown Date: Thu Jul 14 00:53:24 2011 -0400 x86, intel, power: Initialize MSR_IA32_ENERGY_PERF_BIAS commit abe48b108247e9b90b4c6739662a2e5c765ed114 upstream. Since 2.6.36 (23016bf0d25), Linux prints the existence of "epb" in /proc/cpuinfo, Since 2.6.38 (d5532ee7b40), the x86_energy_perf_policy(8) utility has been available in-tree to update MSR_IA32_ENERGY_PERF_BIAS. However, the typical BIOS fails to initialize the MSR, presumably because this is handled by high-volume shrink-wrap operating systems... Linux distros, on the other hand, do not yet invoke x86_energy_perf_policy(8). As a result, WSM-EP, SNB, and later hardware from Intel will run in its default hardware power-on state (performance), which assumes that users care for performance at all costs and not for energy efficiency. While that is fine for performance benchmarks, the hardware's intended default operating point is "normal" mode... Initialize the MSR to the "normal" by default during kernel boot. x86_energy_perf_policy(8) is available to change the default after boot, should the user have a different preference. Signed-off-by: Len Brown Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1107140051020.18606@x980 Acked-by: Rafael J. Wysocki Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 5dd830d09df97bc9318d6e0841fcf652bdc46bfa Author: David Ahern Date: Fri Jul 15 12:34:09 2011 -0600 perf tools: Fix endian conversion reading event attr from file header commit eda3913bb70ecebac13adccffe1e7f96e93cee02 upstream. The perf_event_attr struct has two __u32's at the top and they need to be swapped individually. With this change I was able to analyze a perf.data collected in a 32-bit PPC VM on an x86 system. I tested both 32-bit and 64-bit binaries for the Intel analysis side; both read the PPC perf.data file correctly. -v2: - changed the existing perf_event__attr_swap() to swap only elements of perf_event_attr and exported it for use in swapping the attributes in the file header - updated swap_ops used for processing events Signed-off-by: David Ahern Acked-by: Frederic Weisbecker Cc: acme@ghostprotocols.net Cc: peterz@infradead.org Cc: paulus@samba.org Link: http://lkml.kernel.org/r/1310754849-12474-1-git-send-email-dsahern@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 64d488f079f68f58210f4c79c7e76b04a7c9db20 Author: David Ahern Date: Mon Jul 11 15:38:24 2011 -0600 perf tools, x86: Fix 32-bit compile on 64-bit system commit 08a4a43fc407d780bdde36d98f89c0dbb2a6be6b upstream. Builds for 32-bit perf binaries on a 64-bit host currently fail with this error: [...] bench/../../../arch/x86/lib/memcpy_64.S: Assembler messages: bench/../../../arch/x86/lib/memcpy_64.S:29: Error: bad register name `%rdi' bench/../../../arch/x86/lib/memcpy_64.S:34: Error: invalid instruction suffix for `movs' bench/../../../arch/x86/lib/memcpy_64.S:50: Error: bad register name `%rdi' bench/../../../arch/x86/lib/memcpy_64.S:61: Error: bad register name `%rdi' ... The problem is the detection of the host arch without considering passed in flags. This change fixes 32-bit builds via: make EXTRA_CFLAGS=-m32 and 64-bit builds still reference the memcpy_64.S. Signed-off-by: David Ahern Acked-by: Frederic Weisbecker Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1310420304-21452-1-git-send-email-dsahern@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 70c964e8a1baa869b7cc0b5af1b1514199e8ffc0 Author: Peter Zijlstra Date: Mon Jun 27 17:22:43 2011 +0200 irq_work, ppc: Fix up arch hooks commit 4f8b50bbbe63ae4ec6bea28a90a9a603c745ea71 upstream. Commit e360adbe29 ("irq_work: Add generic hardirq context callbacks") fouled up the ppc bit, not properly naming the arch specific function that raises the 'self-IPI'. Cc: Huang Ying Cc: Benjamin Herrenschmidt Cc: Anton Blanchard Cc: Eric B Munson Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/n/tip-eg0aqien8p1aqvzu9dft6dtv@git.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 148a97cd068a58b6c8553aa5775caec7ac5a0545 Author: Rajkumar Manoharan Date: Thu Jul 7 23:33:39 2011 +0530 mac80211: Restart STA timers only on associated state commit 676b58c27475a9defccc025fea1cbd2b141ee539 upstream. A panic was observed when the device is failed to resume properly, and there are no running interfaces. ieee80211_reconfig tries to restart STA timers on unassociated state. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 11e46da8ca083512f90f8251b27194108814fe24 Author: Larry Finger Date: Sat Jul 9 13:15:58 2011 -0500 rtlwifi: rtl8192cu: Fix duplicate if test commit 1288aa4e80145d9f4196df32f717b4c1cf6aab61 upstream. A typo causes routine rtl92cu_phy_rf6052_set_cck_txpower() to test the same condition twice. The problem was found using cppcheck-1.49, and the proper fix was verified against the pre-mac80211 version of the code. Reported-by: David Binderman Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ec16ea56c8dec5ef60681c199fb369077ecbcec5 Author: Luben Tuikov Date: Tue Jul 26 23:10:48 2011 -0700 libsas: remove expander from dev list on error commit 5911e963d3718e306bcac387b83e259aa4228896 upstream. If expander discovery fails (sas_discover_expander()), remove the expander from the port device list (sas_ex_discover_expander()), before freeing it. Else the list is corrupted and, e.g., when we attempt to send SMP commands to other devices, the kernel oopses. Signed-off-by: Luben Tuikov Reviewed-by: Jack Wang Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 7f138af8ea6ef10a6f75ec95021c3f4a2de6a987 Author: Bart Van Assche Date: Wed Jul 13 09:19:16 2011 -0700 IB/srp: Avoid duplicate devices from LUN scan commit fd1b6c4a693c9cac59375ffb36ffe5d7c079037c upstream. SCSI scanning of a channel:id:lun triplet in Linux works as follows (function scsi_scan_target() in drivers/scsi/scsi_scan.c): - If lun == SCAN_WILD_CARD, send a REPORT LUNS command to the target and process the result. - If lun != SCAN_WILD_CARD, send an INQUIRY command to the LUN corresponding to the specified channel:id:lun triplet to verify whether the LUN exists. So a SCSI driver must either take the channel and target id values in account in its quecommand() function or it should declare that it only supports one channel and one target id. Currently the ib_srp driver does neither. As a result scanning the SCSI bus via e.g. rescan-scsi-bus.sh causes many duplicate SCSI devices to be created. For each 0:0:L device, several duplicates are created with the same LUN number and with (C:I) != (0:0). Fix this by declaring that the ib_srp driver only supports one channel and one target id. Signed-off-by: Bart Van Assche Acked-by: David Dillow Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 6f437783919467437f19ec534a0317aef2fd2584 Author: Stefan Richter Date: Sat Jul 9 16:43:22 2011 +0200 firewire: cdev: prevent race between first get_info ioctl and bus reset event queuing commit 93b37905f70083d6143f5f4dba0a45cc64379a62 upstream. Between open(2) of a /dev/fw* and the first FW_CDEV_IOC_GET_INFO ioctl(2) on it, the kernel already queues FW_CDEV_EVENT_BUS_RESET events to be read(2) by the client. The get_info ioctl is practically always issued right away after open, hence this condition only occurs if the client opens during a bus reset, especially during a rapid series of bus resets. The problem with this condition is twofold: - These bus reset events carry the (as yet undocumented) @closure value of 0. But it is not the kernel's place to choose closures; they are privat to the client. E.g., this 0 value forced from the kernel makes it unsafe for clients to dereference it as a pointer to a closure object without NULL pointer check. - It is impossible for clients to determine the relative order of bus reset events from get_info ioctl(2) versus those from read(2), except in one way: By comparison of closure values. Again, such a procedure imposes complexity on clients and reduces freedom in use of the bus reset closure. So, change the ABI to suppress queuing of bus reset events before the first FW_CDEV_IOC_GET_INFO ioctl was issued by the client. Note, this ABI change cannot be version-controlled. The kernel cannot distinguish old from new clients before the first FW_CDEV_IOC_GET_INFO ioctl. We will try to back-merge this change into currently maintained stable/ longterm series, and we only document the new behaviour. The old behavior is now considered a kernel bug, which it basically is. Signed-off-by: Stefan Richter Cc: commit 63ab4325d0df2ccefaeb932210d4046f2223e338 Author: Stefan Richter Date: Sat Jul 9 16:42:26 2011 +0200 firewire: cdev: return -ENOTTY for unimplemented ioctls, not -EINVAL commit d873d794235efa590ab3c94d5ee22bb1fab19ac4 upstream. On Jun 27 Linus Torvalds wrote: > The correct error code for "I don't understand this ioctl" is ENOTTY. > The naming may be odd, but you should think of that error value as a > "unrecognized ioctl number, you're feeding me random numbers that I > don't understand and I assume for historical reasons that you tried to > do some tty operation on me". [...] > The EINVAL thing goes way back, and is a disaster. It predates Linux > itself, as far as I can tell. You'll find lots of man-pages that have > this line in it: > > EINVAL Request or argp is not valid. > > and it shows up in POSIX etc. And sadly, it generally shows up > _before_ the line that says > > ENOTTY The specified request does not apply to the kind of object > that the descriptor d references. > > so a lot of people get to the EINVAL, and never even notice the ENOTTY. [...] > At least glibc (and hopefully other C libraries) use a _string_ that > makes much more sense: strerror(ENOTTY) is "Inappropriate ioctl for > device" So let's correct this in the ABI while it is still young, relative to distributor adoption. Side note: We return -ENOTTY not only on _IOC_TYPE or _IOC_NR mismatch, but also on _IOC_SIZE mismatch. An ioctl with an unsupported size of argument structure can be seen as an unsupported version of that ioctl. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 3de8ae6c0d1c0fb73243992adf87c7174028a531 Author: Ben Hutchings Date: Thu Jul 21 15:25:30 2011 -0700 ethtool: Allow zero-length register dumps again commit 67ae7cf1eeda777f79259c4c6cb17a0bd28dee71 upstream. Some drivers (ab)use the ethtool_ops::get_regs operation to expose only a hardware revision ID. Commit a77f5db361ed9953b5b749353ea2c7fed2bf8d93 ('ethtool: Allocate register dump buffer with vmalloc()') had the side-effect of breaking these, as vmalloc() returns a null pointer for size=0 whereas kmalloc() did not. For backward-compatibility, allow zero-length dumps again. Reported-by: Kalle Valo Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 468e4e387026f558ae1f1ac0fcc2f8985d4518b8 Author: Guo-Fu Tseng Date: Wed Jul 20 16:57:36 2011 +0000 jme: Fix unmap error (Causing system freeze) commit 94c5b41b327e08de0ddf563237855f55080652a1 upstream. This patch add the missing dma_unmap(). Which solved the critical issue of system freeze on heavy load. Michal Miroslaw's rejected patch: [PATCH v2 10/46] net: jme: convert to generic DMA API Pointed out the issue also, thank you Michal. But the fix was incorrect. It would unmap needed address when low memory. Got lots of feedback from End user and Gentoo Bugzilla. https://bugs.gentoo.org/show_bug.cgi?id=373109 Thank you all. :) Signed-off-by: Guo-Fu Tseng Acked-by: Chris Wright Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 91769ff844b3753e7643f5c72583261e99ab271a Author: Roland Vossen Date: Wed Jun 29 16:48:22 2011 -0700 staging: brcm80211: fix for reported log spam problem commit 37c962d195005d009e130e65a9e55960996c3cab upstream. Every few minutes, this message would appear in syslog: ieee80211 ph0: wl_ops_bss_info_changed: BSS idle: true (implement) The message has been deleted, the driver requires no special action on this particular event (). See: https://bugzilla.kernel.org/show_bug.cgi?id=38162 Reported-by: David Hill Signed-off-by: Roland Vossen Reviewed-by: Arend van Spriel Reviewed-by: Franky Lin Signed-off-by: Greg Kroah-Hartman Signed-off-by: Stefan Lippers-Hollmann commit e181f90e497752b371229fd8d46f1f7cc4d3e3ec Author: Pavel Shilovsky Date: Mon Jul 25 17:59:10 2011 +0400 CIFS: Fix oops while mounting with prefixpath commit f5bc1e755d23d022bf948904386337fc3e5e29a8 upstream. commit fec11dd9a0109fe52fd631e5c510778d6cbff6cc caused a regression when we have already mounted //server/share/a and want to mount //server/share/a/b. The problem is that lookup_one_len calls __lookup_hash with nd pointer as NULL. Then __lookup_hash calls do_revalidate in the case when dentry exists and we end up with NULL pointer deference in cifs_d_revalidate: if (nd->flags & LOOKUP_RCU) return -ECHILD; Fix this by checking nd for NULL. Signed-off-by: Pavel Shilovsky Reviewed-by: Shirish Pargaonkar Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 79db0af8b41b543e1fa684a4eb5949663aa52ae4 Author: Senthil Balasubramanian Date: Tue Jul 12 00:02:56 2011 +0530 ath9k_hw: Fix incorrect key_miss handling commit 0472ade031b5c0c69c21cf96acf64c50eb9ba3c2 upstream. Decryping frames on key_miss handling shouldn't be done for Michael MIC failed frames as h/w would have already decrypted such frames successfully anyway. Also leaving CRC and PHY error(where the frame is going to be dropped anyway), we are left to prcoess Decrypt error for which s/w decrypt is selected anway and so having key_miss as a separate check doesn't serve anything. So making key_miss handling mutually exlusive with other RX status handling makes much more sense. This patch addresses an issue with STA not reporting MIC failure events resulting in STA being disconnected immediately. Signed-off-by: Senthil Balasubramanian Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2124ddf8032f814b4bc6e785f152a4db7baaff3b Author: Kalle Valo Date: Mon Jun 13 11:54:06 2011 +0300 ath6kl: fix crash when interface is closed but scan is ongoing commit 98ab5c7755b5cc9e1a8f2a57ccb22eac5e13ec50 upstream. When ath6kl module was resumed while a scan was ongoing, for example during suspend, the driver would crash in ar6k_cfg80211_scanComplete_event(): [26581.586440] Call Trace: [26581.586440] [] ? ar6k_cfg80211_scanComplete_event+0xaa/0xaa [ath6kl] [26581.586440] [] wmi_iterate_nodes+0xb/0xd [ath6kl] [26581.586440] [] ar6k_cfg80211_scanComplete_event+0x48/0xaa [ath6kl] [26581.586440] [] ar6000_close+0x77/0x7e [ath6kl] [26581.586440] [] __dev_close_many+0x87/0xab [26581.586440] [] dev_close_many+0x54/0xab [26581.586440] [] rollback_registered_many+0xa5/0x19e [26581.586440] [] rollback_registered+0x23/0x2f [26581.586440] [] unregister_netdevice_queue+0x4c/0x69 [26581.586440] [] unregister_netdev+0x18/0x1f [26581.586440] [] ar6000_destroy+0xf8/0x115 [ath6kl] [26581.586440] [] ar6k_cleanup_module+0x20/0x29 [ath6kl] [26581.586440] [] sys_delete_module+0x181/0x1d9 [26581.586440] [] ? lock_release_holdtime+0x2b/0xcd [26581.586440] [] ? sys_munmap+0x3b/0x42 [26581.586440] [] ? restore_all+0xf/0xf [26581.586440] [] sysenter_do_call+0x12/0x32 [26581.586440] Code: 89 53 6c 75 07 89 d8 e8 c0 ff ff ff 89 f0 e8 2c f2 a9 c7 5b 5e 5d c3 55 89 e5 57 56 53 89 c3 83 ec 08 89 55 f0 8d 78 04 89 4d ec <8b> b0 b8 00 00 00 46 89 b0 b8 00 00 00 89 f8 e8 ae ed a9 c7 8b Fix the function not to iterate nodes when the scan is aborted. The nodes are already freed when the module is being unloaded. Patch "ath6kl: Fix a kernel panic furing suspend/resume" tried to fix this already but it wasn't enough as a pointer was still used even after the null check. This patch removes the null check entirely as the wmi structure is not accessed anymore during module unload. Also fix a bug where the status was checked as a bitfield with '&' operator. But it's not a bitfield, just a regular (enum like) value. Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 6d4079b73c50b7880efd732c53560324c04d6f50 Author: Kalle Valo Date: Mon Jun 13 11:54:18 2011 +0300 ath6kl: cache firmware commit b42a7b1bc7c0f535dfe35b2c934f239c60bb8d30 upstream. Drivers should not request firmware during resume. Fix ath6kl to cache the firmware instead. Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit d2f9cb3ce246d63cec14c0d04735a5bb8e6dff9a Author: Mark Brown Date: Mon Jul 18 13:17:13 2011 +0900 ASoC: Mark cache as dirty when suspending commit 7be4ba24a3ea53bc8ade841635e4d4a59e98ceb5 upstream. Since quite a few drivers are not managing to flag the cache as needing to be resynced after suspend and it's a reasonable thing to do flag the cache as needing sync automatically when suspending. The expectation is that systems will mainly only keep the CODEC powered when doing audio through the CODEC so we won't actually suspend the device anyway; drivers which want to can override this behaviour when they resume. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit cad9b0afb809af7e7710dd8d3cf48e79eab5e276 Author: Rajashekhara, Sudhakar Date: Wed Jul 20 17:36:04 2011 +0530 ASoC: davinci: fix codec start and stop functions commit 3012f43eaf7592d8121426918e43e3b5db013aff upstream. According to DM365 voice codec data sheet at [1], before starting recording or playback, ADC/DAC modules should follow a reset and enable cycle. Writing a 1 to the ADC/DAC bit in the register resets the module and clearing the bit to 0 will enable the module. But the driver seems to be doing the reverse of it. [1] http://focus.ti.com/lit/ug/sprufi9b/sprufi9b.pdf Signed-off-by: Rajashekhara, Sudhakar Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 6d1c18d3afe7b182f09402d41f82206544d9c3ff Author: Rajashekhara, Sudhakar Date: Wed Jul 20 17:37:18 2011 +0530 ASoC: davinci: add missing break statement commit 82d1d521036eb3f5aae48b847f939d99a44c18bb upstream. In davinci_vcif_trigger() function, a break() statement was missing causing the davinci_vcif_stop() function to be called as a fallback after calling davinci_vcif_start(). Signed-off-by: Rajashekhara, Sudhakar Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 307167f9ca9c669ac3b67719e6619b22586858db Author: Igor Grinberg Date: Mon May 9 14:41:46 2011 +0300 ARM: pxa/cm-x300: fix V3020 RTC functionality commit 6c7b3ea52e345ab614edb91d3f0e9f3bb3713871 upstream. While in sleep mode the CS# and other V3020 RTC GPIOs must be driven high, otherwise V3020 RTC fails to keep the right time in sleep mode. Signed-off-by: Igor Grinberg Signed-off-by: Eric Miao Signed-off-by: Greg Kroah-Hartman commit 9ec4f65f5fa8211166e65854e8966d1bd5c4a180 Author: Uwe Kleine-König Date: Mon Jul 25 17:13:34 2011 -0700 drivers/rtc/rtc-tegra.c: properly initialize spinlock commit e57ee01750c4954fd0b5e3c6109cd4b870880eb9 upstream. Using __SPIN_LOCK_UNLOCKED for a dynamically allocated lock is wrong and breaks the build with PREEMPT_RT_FULL. Signed-off-by: Uwe Kleine-König Cc: Andrew Chew Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ec054bbddbd0841174f4d5c3a4685eca9f9a9f93 Author: Thomas Gleixner Date: Tue Jul 26 16:08:19 2011 -0700 rtc: limit frequency commit 431e2bcc371016824f419baa745f82388258f3ee upstream. Due to the hrtimer self rearming mode a user can DoS the machine simply because it's starved by hrtimer events. The RTC hrtimer is self rearming. We really need to limit the frequency to something sensible. Signed-off-by: Thomas Gleixner Cc: John Stultz Cc: Ingo Molnar Cc: Ben Greear Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e9c5291ba063473a5560d3387773e9a6997bad65 Author: Thomas Gleixner Date: Tue Jul 26 16:08:20 2011 -0700 rtc: fix hrtimer deadlock commit b830ac1d9a2262093bb0f3f6a2fd2a1c8278daf5 upstream. Ben reported a lockup related to rtc. The lockup happens due to: CPU0 CPU1 rtc_irq_set_state() __run_hrtimer() spin_lock_irqsave(&rtc->irq_task_lock) rtc_handle_legacy_irq(); spin_lock(&rtc->irq_task_lock); hrtimer_cancel() while (callback_running); So the running callback never finishes as it's blocked on rtc->irq_task_lock. Use hrtimer_try_to_cancel() instead and drop rtc->irq_task_lock while waiting for the callback. Fix this for both rtc_irq_set_state() and rtc_irq_set_freq(). Signed-off-by: Thomas Gleixner Reported-by: Ben Greear Cc: John Stultz Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cc4b6e7755a8c351d7ddf32b5f2e7f101cea5aa6 Author: Thomas Gleixner Date: Tue Jul 26 16:08:18 2011 -0700 rtc: handle errors correctly in rtc_irq_set_state() commit 2c4f57d12df7696d65b0247bfd57fd082a7719e6 upstream. The code checks the correctness of the parameters, but unconditionally arms/disarms the hrtimer. The result is that a random task might arm/disarm rtc timer and surprise the real owner by either generating events or by stopping them. Signed-off-by: Thomas Gleixner Cc: John Stultz Cc: Ingo Molnar Cc: Ben Greear Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0f231ea4d4505adfcbe949e6716eb0d02e2c14a5 Author: Ajay Kumar Gupta Date: Fri Jul 8 15:06:13 2011 +0530 usb: musb: restore INDEX register in resume path commit 3c5fec75e121b21a2eb35e5a6b44291509abba6f upstream. Restoring the missing INDEX register value in musb_restore_context(). Without this suspend resume functionality is broken with offmode enabled. Acked-by: Anand Gadiyar Signed-off-by: Ajay Kumar Gupta Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 22007e1ddbe599373b116ecf3485ebf842405f73 Author: Alan Stern Date: Tue Jul 5 12:34:05 2011 -0400 USB: EHCI: go back to using the system clock for QH unlinks commit 004c19682884d4f40000ce1ded53f4a1d0b18206 upstream. This patch (as1477) fixes a problem affecting a few types of EHCI controller. Contrary to what one might expect, these controllers automatically stop their internal frame counter when no ports are enabled. Since ehci-hcd currently relies on the frame counter for determining when it should unlink QHs from the async schedule, those controllers run into trouble: The frame counter stops and the QHs never get unlinked. Some systems have also experienced other problems traced back to commit b963801164618e25fbdc0cd452ce49c3628b46c8 (USB: ehci-hcd unlink speedups), which made the original switch from using the system clock to using the frame counter. It never became clear what the reason was for these problems, but evidently it is related to use of the frame counter. To fix all these problems, this patch more or less reverts that commit and goes back to using the system clock. But this can't be done cleanly because other changes have since been made to the scan_async() subroutine. One of these changes involved the tricky logic that tries to avoid rescanning QHs that have already been seen when the scanning loop is restarted, which happens whenever an URB is given back. Switching back to clock-based unlinks would make this logic even more complicated. Therefore the new code doesn't rescan the entire async list whenever a giveback occurs. Instead it rescans only the current QH and continues on from there. This requires the use of a separate pointer to keep track of the next QH to scan, since the current QH may be unlinked while the scanning is in progress. That new pointer must be global, so that it can be adjusted forward whenever the _next_ QH gets unlinked. (uhci-hcd uses this same trick.) Simplification of the scanning loop removes a level of indentation, which accounts for the size of the patch. The amount of code changed is relatively small, and it isn't exactly a reversion of the b963801164 commit. This fixes Bugzilla #32432. Signed-off-by: Alan Stern Tested-by: Matej Kenda Signed-off-by: Greg Kroah-Hartman commit d05dcfcd0fea25eefa8b85926792b161239ac6b1 Author: Alan Stern Date: Fri Jul 15 17:22:15 2011 -0400 USB: OHCI: fix another regression for NVIDIA controllers commit 6ea12a04d295235ed67010a09fdea58c949e3eb0 upstream. The NVIDIA series of OHCI controllers continues to be troublesome. A few people using the MCP67 chipset have reported that even with the most recent kernels, the OHCI controller fails to handle new connections and spams the system log with "unable to enumerate USB port" messages. This is different from the other problems previously reported for NVIDIA OHCI controllers, although it is probably related. It turns out that the MCP67 controller does not like to be kept in the RESET state very long. After only a few seconds, it decides not to work any more. This patch (as1479) changes the PCI initialization quirk code so that NVIDIA controllers are switched into the SUSPEND state after 50 ms of RESET. With no interrupts enabled and all the downstream devices reset, and thus unable to send wakeup requests, this should be perfectly safe (even for non-NVIDIA hardware). The removal code in ohci-hcd hasn't been changed; it will still leave the controller in the RESET state. As a result, if someone unloads ohci-hcd and then reloads it, the controller won't work again until the system is rebooted. If anybody complains about this, the removal code can be updated similarly. This fixes Bugzilla #22052. Tested-by: Larry Finger Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 7cf375c453097d0dab7aee0c66fc6b7c1fbae763 Author: K. Y. Srinivasan Date: Thu Jun 16 13:16:35 2011 -0700 Staging: hv: netvsc: Increase the timeout value in the netvsc driver commit 5c5781b3f88567211ecaaada13431af15c8c6003 upstream. On some loaded windows hosts, we have discovered that the host may not respond to guest requests within the specified time (one second) as evidenced by the guest timing out. Fix this problem by increasing the timeout to 5 seconds. It may be useful to apply this patch to the 3.0 kernel as well. Signed-off-by: K. Y. Srinivasan Signed-off-by: Haiyang Zhang Signed-off-by: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit 3c22382d9b35d1a8d012442315a8493bbac3b5d4 Author: K. Y. Srinivasan Date: Thu Jun 16 13:16:34 2011 -0700 Staging: hv: vmbus: Increase the timeout value in the vmbus driver commit 2dfde9644fe8c4a77f9c73f95b25d6300ca23b5d upstream. On some loaded windows hosts, we have discovered that the host may not respond to guest requests within the specified time (one second) as evidenced by the guest timing out. Fix this problem by increasing the timeout to 5 seconds. It may be useful to apply this patch to the 3.0 kernel as well. Signed-off-by: K. Y. Srinivasan Signed-off-by: Haiyang Zhang Signed-off-by: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit f9211c1f7562b1057dcb6e57a9a4e96c8b853248 Author: K. Y. Srinivasan Date: Thu Jun 16 13:16:36 2011 -0700 Staging: hv: storvsc: Increase the timeout value in the storvsc driver commit 46d2eb6d82ef44be58ae192c35e8cd52485f02eb upstream. On some loaded windows hosts, we have discovered that the host may not respond to guest requests within the specified time (one second) as evidenced by the guest timing out. Fix this problem by increasing the timeout to 5 seconds. It may be useful to apply this patch to the 3.0 kernel as well. the 3.0 kernel as well. Signed-off-by: K. Y. Srinivasan Signed-off-by: Haiyang Zhang Signed-off-by: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit 13949a7b5f9a9da49a7426795716aa3b68f7b13c Author: Vasiliy Kulikov Date: Sun Jun 26 12:56:22 2011 +0400 staging: comedi: fix infoleak to userspace commit 819cbb120eaec7e014e5abd029260db1ca8c5735 upstream. driver_name and board_name are pointers to strings, not buffers of size COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. Signed-off-by: Vasiliy Kulikov Signed-off-by: Greg Kroah-Hartman commit 565af28bfba187fabda9bccf065e2009356aaae5 Author: Larry Finger Date: Sat Jun 18 22:34:34 2011 -0500 staging: r8192e_pci: Handle duplicate PCI ID 0x10ec:0x8192 conflict with rtl8192se commit 1c50bf7e415cf6ce9545dbecc2ac0d89d3916c53 upstream. There are two devices with PCI ID 0x10ec:0x8192, namely RTL8192E and RTL8192SE. The method of distinguishing them is by the revision ID at offset 0x8 of the PCI configuration space. If the value is 0x10, then the device uses rtl8192se for a driver. Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit efa73f1334e339902993bb4894da47242f0c4173 Author: Tobias Klauser Date: Fri Jun 24 15:48:47 2011 +0200 Staging: usbip: vhci-hcd: Do not kill already dead RX/TX kthread commit 8547d4cc2b616e4f1dafebe2c673fc986422b506 upstream. When unbinding a device on the host which was still attached on the client, I got a NULL pointer dereference on the client. This turned out to be due to kthread_stop() being called on an already dead kthread. Here is how I was able to reproduce the problem: server:# usbip bind -b 1-2 client:# usbip attach -h server -b 1-2 server:# usbip unbind -b 1-2 This patch fixes the problem by checking the kthread before attempting to kill it, as it is done on the opposite side in stub_shutdown_connection(). Signed-off-by: Tobias Klauser Signed-off-by: Greg Kroah-Hartman commit 97edbc901240090ca75b81aa8955bcef8d570434 Author: Herbert Xu Date: Wed Jul 27 06:16:28 2011 -0700 gro: Only reset frag0 when skb can be pulled commit 17dd759c67f21e34f2156abcf415e1f60605a188 upstream. Currently skb_gro_header_slow unconditionally resets frag0 and frag0_len. However, when we can't pull on the skb this leaves the GRO fields in an inconsistent state. This patch fixes this by only resetting those fields after the pskb_may_pull test. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bde99f604b42182e590ac4b7176b5235321bc94c Author: stephen hemminger Date: Fri Jul 22 07:47:06 2011 +0000 bridge: send proper message_age in config BPDU commit 0c03150e7ea8f7fcd03cfef29385e0010b22ee92 upstream. A bridge topology with three systems: +------+ +------+ | A(2) |--| B(1) | +------+ +------+ \ / +------+ | C(3) | +------+ What is supposed to happen: * bridge with the lowest ID is elected root (for example: B) * C detects that A->C is higher cost path and puts in blocking state What happens. Bridge with lowest id (B) is elected correctly as root and things start out fine initially. But then config BPDU doesn't get transmitted from A -> C. Because of that the link from A-C is transistioned to the forwarding state. The root cause of this is that the configuration messages is generated with bogus message age, and dropped before sending. In the standardmessage_age is supposed to be: the time since the generation of the Configuration BPDU by the Root that instigated the generation of this Configuration BPDU. Reimplement this by recording the timestamp (age + jiffies) when recording config information. The old code incorrectly used the time elapsed on the ageing timer which was incorrect. See also: https://bugzilla.vyatta.com/show_bug.cgi?id=7164 Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fbbc165db18d24de056e50d8ae7d6f1aa3b198fe Author: Shawn Guo Date: Tue Jun 21 22:41:49 2011 +0800 mmc: sdhci-esdhc-imx: SDHCI_CARD_PRESENT does not get cleared commit 803862a6f7de4939e0a557214e5e4b37e36f87ff upstream. The function esdhc_readl_le intends to clear bit SDHCI_CARD_PRESENT, when the card detect gpio tells there is no card. But it does not clear the bit actually. The patch gives a fix on that. Signed-off-by: Shawn Guo Acked-by: Wolfram Sang Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 1138473c4a69e0f49d44a0c07fffe90c3dd95824 Author: Manoj Iyer Date: Mon Jul 11 16:28:35 2011 -0500 mmc: Added quirks for Ricoh 1180:e823 lower base clock frequency commit 15bed0f2fa8e1d7db201692532c210a7823d2d21 upstream. Ricoh 1180:e823 does not recognize certain types of SD/MMC cards, as reported at http://launchpad.net/bugs/773524. Lowering the SD base clock frequency from 200Mhz to 50Mhz fixes this issue. This solution was suggest by Koji Matsumuro, Ricoh Company, Ltd. This change has no negative performance effect on standard SD cards, though it's quite possible that there will be one on UHS-1 cards. Signed-off-by: Manoj Iyer Tested-by: Daniel Manrique Cc: Koji Matsumuro Acked-by: Jesse Barnes Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 16b7ff08f276f31ffda6f3de02e38062a3086649 Author: Wolfgang Denk Date: Tue Jul 19 11:25:38 2011 +0200 USB: serial: add IDs for WinChipHead USB->RS232 adapter commit 026dfaf18973404a01f488d6aa556a8c466e06a4 upstream. Add ID 4348:5523 for WinChipHead USB->RS 232 adapter with Prolifec PL2303 chipset Signed-off-by: Wolfgang Denk Signed-off-by: Greg Kroah-Hartman