commit 65c867f20173adf7f0f39cb0cdcaaf01ddc63260 Author: Greg Kroah-Hartman Date: Mon Oct 3 11:48:15 2011 -0700 Linux 3.0.5 commit 10c7f42a488e802c65e2584724451feec7a5c504 Author: David Henningsson Date: Tue Sep 20 09:02:22 2011 +0200 ALSA: HDA: Add support for IDT 92HD93 commit 46724c2e023cb7ba5cd5000dee6481f0a15ebed9 upstream. BugLink: http://bugs.launchpad.net/bugs/854468 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c2b387f0295ffaeb5e96f0d6f745fde507abd651 Author: Hannes Reinecke Date: Wed Sep 28 08:07:01 2011 -0600 block: Free queue resources at blk_release_queue() commit 777eb1bf15b8532c396821774bf6451e563438f5 upstream. A kernel crash is observed when a mounted ext3/ext4 filesystem is physically removed. The problem is that blk_cleanup_queue() frees up some resources eg by calling elevator_exit(), which are not checked for in normal operation. So we should rather move these calls to the destructor function blk_release_queue() as at that point all remaining references are gone. However, in doing so we have to ensure that any externally supplied queue_lock is disconnected as the driver might free up the lock after the call of blk_cleanup_queue(), Signed-off-by: Hannes Reinecke Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f0e47138b26bd26d312aa63522a579acac5552c6 Author: Shmulik Ravid Date: Thu Sep 22 02:33:33 2011 +0000 bnx2x: add missing break in bnx2x_dcbnl_get_cap commit a0babc80eb375aad69dab4687c3b44c47d42f241 upstream. Signed-off-by: Dmitry Kravkov Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e69f24bc82f6cc28f7df885d401bc79ff3dc6401 Author: Dmitry Kravkov Date: Thu Sep 22 02:33:31 2011 +0000 bnx2x: fix hw attention handling commit f2eaeb58bf6995a979c413ea0cc73289533feacb upstream. Use register name to initialize attention mask Signed-off-by: Dmitry Kravkov Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3c1c4f8e80a39ae7d6d2a159e3b28f742fd4e968 Author: Johannes Berg Date: Thu Sep 22 14:59:04 2011 -0700 iwlagn: fix dangling scan request commit 6c80c39d9a6986a566c30d797aae37bfb697eea3 upstream. If iwl_scan_initiate() fails for any reason, priv->scan_request and priv->scan_vif are left dangling. This can lead to a crash later when iwl_bg_scan_completed() tries to run a pending scan request. In practice, this seems to be very rare due to the STATUS_SCANNING check earlier. That check, however, is wrong -- it should allow a scan to be queued when a reset/roc scan is going on. When a normal scan is already going on, a new one can't be issued by mac80211, so that code can be removed completely. I introduced this bug when adding off-channel support in commit 266af4c745952e9bebf687dd68af58df553cb59d. Reported-by: Peng Yan Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 111118a4e62d7fbe365cc47ae78e4d9e96b73b6f Author: Stanislaw Gruszka Date: Tue Sep 20 16:49:03 2011 +0200 iwlegacy: do not use interruptible waits commit 65d0f19e583e80e42b1c67c166bfc4dfdf6ab693 upstream. iwlegacy version of fix: commit effd4d9aece9184f526e6556786a94d335e38b71 Author: Johannes Berg Date: Thu Sep 15 11:46:52 2011 -0700 iwlagn: do not use interruptible waits Since the dawn of its time, iwlwifi has used interruptible waits to wait for synchronous commands and firmware loading. This leads to "interesting" bugs, because it can't actually handle the interruptions; for example when a command sending is interrupted it will assume the command completed fully, and then leave it pending, which leads to all kinds of trouble when the command finishes later. Since there's no easy way to gracefully deal with interruptions, fix the driver to not use interruptible waits. This at least fixes the error iwlagn 0000:02:00.0: Error: Response NULL in 'REPLY_SCAN_ABORT_CMD' I have seen in P2P testing, but it is likely that there are other errors caused by this. Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cc54ab32355ef870a14787d9ad7d5e0459b7007a Author: Larry Finger Date: Thu Sep 22 22:59:02 2011 -0500 rtlwifi: rtl8192cu: Fix unitialized struct commit 831d85471e761e190c3c8979b37540d699ae5812 upstream. Driver rtl8192cu assigns a new struct rtl_tcb_desc object, but fails to clear it. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f5f582e5a75724793895cc191ba7a8d2c05f59f4 Author: Stanislaw Gruszka Date: Tue Sep 20 16:46:36 2011 +0200 iwlegacy: fix command queue timeout commit 2e2a41d6ca07d1b2aa67015c35fd80701c98e867 upstream. iwlegacy version of fix: commit 282cdb325aea4ebbc42ce753b47cc96145eb54bc Author: Johannes Berg Date: Mon Sep 12 12:09:10 2011 -0700 iwlagn: fix command queue timeout If the command queue is constantly busy, which can happen in P2P, the hangcheck timer will frequently find a command in it and will eventually reset the device because nothing sets the timestamp for this queue when commands are processed. Fix this by setting the timestamp when a command completes. iwlegacy does not support P2P, but this patch fix possible unneeded hardware resets, hence is needed. Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c7015062c18e619796e8d9c76a5fe7f300f80b7d Author: Rajkumar Manoharan Date: Tue Sep 20 16:23:51 2011 +0530 ath9k_hw: Fix Rx DMA stuck for AR9003 chips commit e9f9530bb697f53dd620df290102359a3325bb23 upstream. During the endurance testing, rx frames are not getting DMAd from MAC whereas pcu rx frame counters are getting updated properly. As per systems team input updated the initval to fix rx dma stuck issue. Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 508ed7445438cb6dffa105a128333c8461bfd5e4 Author: Jouni Malinen Date: Wed Sep 21 16:13:07 2011 +0300 cfg80211: Fix validation of AKM suites commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Signed-off-by: Jouni Malinen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 660702319c69a876dd20fac4499a588cbd66a79a Author: Randy Dunlap Date: Wed Aug 31 15:02:00 2011 -0700 scsi: qla4xxx needs libiscsi.o commit 3538a001ea7db13fa1be2966b71f69d808acff01 upstream. qla4xxx driver needs to be linked with libiscsi.o to fix build errors. This happens when no other drivers that use libiscsi.o are enabled. ERROR: "iscsi_conn_stop" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_conn_get_addr_param" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_session_teardown" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_host_alloc" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_conn_start" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_conn_send_pdu" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_session_get_param" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_conn_get_param" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_set_param" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_session_failure" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_complete_pdu" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_session_setup" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_conn_bind" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_conn_setup" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! ERROR: "iscsi_itt_to_task" [drivers/scsi/qla4xxx/qla4xxx.ko] undefined! Signed-off-by: Randy Dunlap Reviewed-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c4c672cbd49785be16bcd46fe550b5877ae53ed0 Author: Mark Salyzyn Date: Thu Sep 1 06:11:17 2011 -0700 libsas: fix failure to revalidate domain for anything but the first expander child. commit 24926dadc41cc566e974022b0e66231b82c6375f upstream. In an enclosure model where there are chaining expanders to a large body of storage, it was discovered that libsas, responding to a broadcast event change, would only revalidate the domain of first child expander in the list. The issue is that the pointer value to the discovered source device was used to break out of the loop, rather than the content of the pointer. This still remains non-compliant as the revalidate domain code is supposed to loop through all child expanders, and not stop at the first one it finds that reports a change count. However, the design of this routine does not allow multiple device discoveries and that would be a more complicated set of patches reserved for another day. We are fixing the glaring bug rather than refactoring the code. Signed-off-by: Mark Salyzyn Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e8cb517e6f6a5c8a1070f758c83b6a1cdd674e82 Author: Vasily Averin Date: Fri Sep 2 19:31:46 2011 +0400 aacraid: reset should disable MSI interrupt commit d0efab26f89506387a1bde898556660e06d7eb15 upstream. scsi reset on hardware with enabled MSI interrupts generates WARNING message [11027.798722] aacraid: Host adapter abort request (0,0,0,0) [11027.798814] aacraid: Host adapter reset request. SCSI hang ? [11087.762237] aacraid: SCSI bus appears hung [11135.082543] ------------[ cut here ]------------ [11135.082646] WARNING: at drivers/pci/msi.c:658 pci_enable_msi_block+0x251/0x290() Signed-off-by: Vasily Averin Acked-by: Mark Salyzyn Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 25e8bc02b48eb822dcb3d897c0ac4350f81d952a Author: James Bottomley Date: Sun Sep 18 18:56:20 2011 +0400 3w-9xxx: fix iommu_iova leak commit 96067723e46b0dd24ae7b934085ab4eff4d26a1b upstream. Following reports on the list, it looks like the 3e-9xxx driver will leak dma mappings every time we get a transient queueing error back from the card. This is because it maps the sg list in the routine that sends the command, but doesn't unmap again in the transient failure path (even though the command is sent back to the block layer). Fix by unmapping before returning the status. Reported-by: Chris Boot Tested-by: Chris Boot Acked-by: Adam Radford Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 1f7af7b08bfd481507c3fce0f39dcd0af5192e6f Author: Neil Horman Date: Tue Sep 6 13:59:13 2011 -0400 cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference commit e48f129c2f200dde8899f6ea5c6e7173674fc482 upstream. This oops was reported recently: d:mon> e cpu 0xd: Vector: 300 (Data Access) at [c0000000fd4c7120] pc: d00000000076f194: .t3_l2t_get+0x44/0x524 [cxgb3] lr: d000000000b02108: .init_act_open+0x150/0x3d4 [cxgb3i] sp: c0000000fd4c73a0 msr: 8000000000009032 dar: 0 dsisr: 40000000 current = 0xc0000000fd640d40 paca = 0xc00000000054ff80 pid = 5085, comm = iscsid d:mon> t [c0000000fd4c7450] d000000000b02108 .init_act_open+0x150/0x3d4 [cxgb3i] [c0000000fd4c7500] d000000000e45378 .cxgbi_ep_connect+0x784/0x8e8 [libcxgbi] [c0000000fd4c7650] d000000000db33f0 .iscsi_if_rx+0x71c/0xb18 [scsi_transport_iscsi2] [c0000000fd4c7740] c000000000370c9c .netlink_data_ready+0x40/0xa4 [c0000000fd4c77c0] c00000000036f010 .netlink_sendskb+0x4c/0x9c [c0000000fd4c7850] c000000000370c18 .netlink_sendmsg+0x358/0x39c [c0000000fd4c7950] c00000000033be24 .sock_sendmsg+0x114/0x1b8 [c0000000fd4c7b50] c00000000033d208 .sys_sendmsg+0x218/0x2ac [c0000000fd4c7d70] c00000000033f55c .sys_socketcall+0x228/0x27c [c0000000fd4c7e30] c0000000000086a4 syscall_exit+0x0/0x40 commit e19fe0341717e9f9a9d04dbc6e3365886e95b577 Author: KAMEZAWA Hiroyuki Date: Tue Jul 26 16:08:24 2011 -0700 memcg: fix vmscan count in small memcgs commit 4508378b9523e22a2a0175d8bf64d932fb10a67d upstream. Commit 246e87a93934 ("memcg: fix get_scan_count() for small targets") fixes the memcg/kswapd behavior against small targets and prevent vmscan priority too high. But the implementation is too naive and adds another problem to small memcg. It always force scan to 32 pages of file/anon and doesn't handle swappiness and other rotate_info. It makes vmscan to scan anon LRU regardless of swappiness and make reclaim bad. This patch fixes it by adjusting scanning count with regard to swappiness at el. At a test "cat 1G file under 300M limit." (swappiness=20) before patch scanned_pages_by_limit 360919 scanned_anon_pages_by_limit 180469 scanned_file_pages_by_limit 180450 rotated_pages_by_limit 31 rotated_anon_pages_by_limit 25 rotated_file_pages_by_limit 6 freed_pages_by_limit 180458 freed_anon_pages_by_limit 19 freed_file_pages_by_limit 180439 elapsed_ns_by_limit 429758872 after patch scanned_pages_by_limit 180674 scanned_anon_pages_by_limit 24 scanned_file_pages_by_limit 180650 rotated_pages_by_limit 35 rotated_anon_pages_by_limit 24 rotated_file_pages_by_limit 11 freed_pages_by_limit 180634 freed_anon_pages_by_limit 0 freed_file_pages_by_limit 180634 elapsed_ns_by_limit 367119089 scanned_pages_by_system 0 the numbers of scanning anon are decreased(as expected), and elapsed time reduced. By this patch, small memcgs will work better. (*) Because the amount of file-cache is much bigger than anon, recalaim_stat's rotate-scan counter make scanning files more. Signed-off-by: KAMEZAWA Hiroyuki Cc: Daisuke Nishimura Cc: Michal Hocko Cc: Ying Han Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 81aac2ec5c236e54389d8940da0d318dd23e06ee Author: Thomas Pfaff Date: Mon Sep 26 15:43:59 2011 +0200 ALSA: usb-audio: Check for possible chip NULL pointer before clearing probing flag commit 61a6a108d15213f5ee06332e1e7766d3860e4453 upstream. Before clearing the probing flag in the error exit path, check that the chip pointer is not NULL. Signed-off-by: Thomas Pfaff Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit abdd8c6a58728c695a59f9d6b95d9b6b4d7ffbc8 Author: David Henningsson Date: Sat Sep 24 08:30:44 2011 +0200 ALSA: HDA: No power nids on 92HD93 commit 6656b15d675c9c6a049db48d50994b3cd4e76bd6 upstream. This patch is necessary to make internal speakers work on this chip. BugLink: http://bugs.launchpad.net/bugs/854468 Tested-by: Alex Wolfson Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 603a77a2233681fff6db6905a37a7525ef1e5fa5 Author: Takashi Iwai Date: Mon Sep 26 10:41:21 2011 +0200 ALSA: hda/realtek - Avoid bogus HP-pin assignment commit 5fe6e0151dbd969f5fbcd94d05c968b76d76952b upstream. When the headphone pin is assigned as primary output to line_out_pins[], the automatic HP-pin assignment by ASSID must be suppressed. Otherwise a wrong pin might be assigned to the headphone and breaks the auto-mute. Reference: https://bugzilla.novell.com/show_bug.cgi?id=716104 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 906a1b1a9e2538e45e13d111eb7927ab9c54b4b0 Author: Lars-Peter Clausen Date: Tue Sep 27 11:08:46 2011 +0200 ASoC: ssm2602: Re-enable oscillator after suspend commit 9058020cd9ae3423d6fe7de591698dc96b6701aa upstream. Currently the the internal oscillator is powered down when entering BIAS_OFF state, but not re-enabled when going back to BIAS_STANDBY. As a result the CODEC will stop working after suspend if the internal oscillator is used to generate the sysclock signal. This patch fixes it by clearing the appropriate bit in the power down register when the CODEC is re-enabled. Signed-off-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 60984600ff1c9da76b17e153dacb4c641671af18 Author: Jarkko Nikula Date: Fri Sep 23 11:19:13 2011 +0300 ASoC: omap-mcbsp: Do not attempt to change DAI sysclk if stream is active commit 34c869855a28af3c6031d29e2267b5a3cce0d67d upstream. Attempt to change McBSP CLKS source while another stream is active is not safe after commit d135865 ("OMAP: McBSP: implement functional clock switching via clock framework") in 2.6.37. CLKS parent clock switching using clock framework have to idle the McBSP before switching and then activate it again. This short break can cause a DMA transaction error to already running stream which halts and recovers only by closing and restarting the stream. This goes more fatal after commit e2fa61d ("OMAP3: l3: Introduce l3-interconnect error handling driver") in 2.6.39 where l3 driver detects a severe timeout error and does BUG_ON(). Fix this by not changing any configuration in omap_mcbsp_dai_set_dai_sysclk if the McBSP is already active. This test should have been here just from the beginning anyway. Signed-off-by: Jarkko Nikula Acked-by: Peter Ujfalusi Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9d651c45adad4ed6e915e0f65706c71a0bf87ab2 Author: Linus Torvalds Date: Wed Aug 24 15:55:30 2011 -0700 firmware loader: allow builtin firmware load even if usermodehelper is disabled commit caca9510ff4e5d842c0589110243d60927836222 upstream. In commit a144c6a6c924 ("PM: Print a warning if firmware is requested when tasks are frozen") we not only printed a warning if somebody tried to load the firmware when tasks are frozen - we also failed the load. But that check was done before the check for built-in firmware, and then when we disallowed usermode helpers during bootup (commit 288d5abec831: "Boot up with usermodehelper disabled"), that actually means that built-in modules can no longer load their firmware even if the firmware is built in too. Which used to work, and some people depended on it for the R100 driver. So move the test for usermodehelper_is_disabled() down, to after checking the built-in firmware. This should fix: https://bugzilla.kernel.org/show_bug.cgi?id=40952 Reported-by: James Cloos Bisected-by: Elimar Riesebieter Cc: Michel Dänzer Cc: Rafael Wysocki Cc: Greg Kroah-Hartman Cc: Valdis Kletnieks Signed-off-by: Linus Torvalds Cc: Borislav Petkov Cc: Lucas Villa Real Signed-off-by: Greg Kroah-Hartman commit 28d5b74edcc0819cefa66256fd804c8420aff19f Author: Will Deacon Date: Fri Sep 23 14:34:12 2011 +0100 ARM: 7099/1: futex: preserve oldval in SMP __futex_atomic_op commit df77abcafc8dc881b6c9347548651777088e4b27 upstream. The SMP implementation of __futex_atomic_op clobbers oldval with the status flag from the exclusive store. This causes it to always read as zero when performing the FUTEX_OP_CMP_* operation. This patch updates the ARM __futex_atomic_op implementations to take a tmp argument, allowing us to store the strex status flag without overwriting the register containing oldval. Reported-by: Minho Ban Reviewed-by: Nicolas Pitre Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 85fd323003d5fe4d5c798688f016ab0eda0c9dcf Author: Will Deacon Date: Thu Sep 15 11:45:15 2011 +0100 ARM: 7091/1: errata: D-cache line maintenance operation by MVA may not succeed commit f630c1bdfbf8fe423325beaf60027cfc7fd7c610 upstream. This patch implements a workaround for erratum 764369 affecting Cortex-A9 MPCore with two or more processors (all current revisions). Under certain timing circumstances, a data cache line maintenance operation by MVA targeting an Inner Shareable memory region may fail to proceed up to either the Point of Coherency or to the Point of Unification of the system. This workaround adds a DSB instruction before the relevant cache maintenance functions and sets a specific bit in the diagnostic control register of the SCU. Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Tested-by: Mark Rutland Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 017a4b549759497c802c12c5982cf06f93806e60 Author: Russell King Date: Thu Sep 22 10:32:25 2011 +0100 ARM: dma-mapping: free allocated page if unable to map commit d8e89b47e00ee80e920761145144640aac4cf71a upstream. If the attempt to map a page for DMA fails (eg, because we're out of mapping space) then we must not hold on to the page we allocated for DMA - doing so will result in a memory leak. Reported-by: Bryan Phillippe Tested-by: Bryan Phillippe Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit a0dbac4607ee6d97aba53f0d676acbdd416c1214 Author: Roland Stigge Date: Wed Sep 21 13:06:11 2011 -0400 hwmon: (ds620) Fix handling of negative temperatures commit cc41d586e8b4d76164fe7731c1c49be6cc5fc7e6 upstream. Signed (negative) temperatures were not handled correctly. Signed-off-by: Roland Stigge Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit e70f61eb1c6ac5048edfd214a72e10c434127931 Author: Bhanu Prakash Gollapudi Date: Fri May 27 11:47:26 2011 -0700 bnx2fc: scsi_dma_unmap() not invoked on IO completions commit b5a95fe7ef464a67fab6ff870aa740739e788f90 upstream. Do not set io_req->sc_cmd to NULL until bnx2fc_unmap_sg_list() is called to enable it to unmap the DMA mappings. Signed-off-by: Bhanu Prakash Gollapudi Signed-off-by: James Bottomley commit 49aa932d3fe9c6b175d30d9e9d575f532f650cfc Author: Bhanu Prakash Gollapudi Date: Fri May 27 11:47:27 2011 -0700 bnx2fc: Fix kernel panic when deleting NPIV ports commit d36b3279e157641c345b12eddb3db78fb42da80f upstream. Deleting NPIV port causes a kernel panic when the NPIV port is in the same zone as the physical port and shares the same LUN. This happens due to the fact that vport destroy and unsolicited ELS are scheduled to run on the same workqueue, and vport destroy destroys the lport and the unsolicited ELS tries to access the invalid lport. This patch fixes this issue by maintaining a list of valid lports and verifying if the lport is valid or not before accessing it. Signed-off-by: Bhanu Prakash Gollapudi Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e888ec89ef2ac191e71c79382ba26e0290f7d2ca Author: Michael Chan Date: Wed Jun 8 19:29:36 2011 +0000 cnic, bnx2: Check iSCSI support early in bnx2_init_one() commit 7625eb2f2fff7bfae41d3119b472c20b48874895 upstream. Based on earlier patch from Neil Horman If iSCSI is not supported on a bnx2 device, bnx2_cnic_probe() will return NULL and the cnic device will not be visible to bnx2i. This will prevent bnx2i from registering and then unregistering during cnic_start() and cause the warning message: bnx2 0003:01:00.1: eth1: Failed waiting for ULP up call to complete Signed-off-by: Michael Chan Cc: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 53a3c0032ef51439ea2ff9f583706ce8a7055c96 Author: Michael Chan Date: Wed Jun 8 19:29:35 2011 +0000 cnic: Improve NETDEV_UP event handling commit db1d350fcb156b58f66a67680617077bcacfe6fc upstream. During NETDEV_UP, we use symbol_get() to get the net driver's cnic probe function. This sometimes doesn't work if NETDEV_UP happens right after NETDEV_REGISTER and the net driver is still running module init code. As a result, the cnic device may not be discovered. We fix this by probing on all NETDEV events if the device's netif_running state is up. Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d66f95d5b0a66910ae7d5442a4625bf510de9805 Author: Eddie Wai Date: Wed Jun 8 19:29:34 2011 +0000 cnic: Randomize initial TCP port for iSCSI connections commit 11f23aa8ccd56786f0a6f04211cf59b3fab2ce08 upstream. This reduces the likelihood of port re-use when re-loading the driver. Signed-off-by: Eddie Wai Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c3eaf680aacef62f7a7219b9c8f3f03d7b2269f0 Author: Michael Chan Date: Wed Jun 8 19:29:33 2011 +0000 cnic: Fix race conditions with firmware commit 101c40c8cb0d10c30f423805f9f5b7a75956832d upstream. During iSCSI connection terminations, if the target is also terminating at about the same time, the firmware may not complete the driver's request to close or reset the connection. This is fixed by handling other events (instead of the expected completion event) as an indication that the driver's request has been rejected. Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8210cf522873ff4bb1027a7cebb3199fd3c5b29b Author: Michael Chan Date: Wed Jun 8 19:29:32 2011 +0000 cnic: Fix interrupt logic commit 93736656138e6d2f39f19c1d68f9ef81cfc9dd66 upstream. We need to keep looping until cnic_get_kcqes() returns 0. cnic_get_kcqes() returns a maximum of 64 entries. If there are more entries in the queue and we don't loop back, the remaining entries may not be serviced for a long time. Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 890ecd3d30e0ba8b1b676eaf6c925f65483f5f0d Author: Hidetoshi Seto Date: Sun Sep 18 10:20:46 2011 -0400 btrfs: fix d_off in the first dirent commit 3765fefaee2da83f10829fa64a74e6b7360350cb upstream. Since the d_off in the first dirent for "." (that originates from the 4th argument "offset" of filldir() for the 2nd dirent for "..") is wrongly assigned in btrfs_real_readdir(), telldir returns same offset for different locations. | # mkfs.btrfs /dev/sdb1 | # mount /dev/sdb1 fs0 | # cd fs0 | # touch file0 file1 | # ../test | telldir: 0 | readdir: d_off = 2, d_name = "." | telldir: 2 | readdir: d_off = 2, d_name = ".." | telldir: 2 | readdir: d_off = 3, d_name = "file0" | telldir: 3 | readdir: d_off = 2147483647, d_name = "file1" | telldir: 2147483647 To fix this problem, pass filp->f_pos (which is loff_t) instead. | # ../test | telldir: 0 | readdir: d_off = 1, d_name = "." | telldir: 1 | readdir: d_off = 2, d_name = ".." | telldir: 2 | readdir: d_off = 3, d_name = "file0" : At the moment the "offset" for "." is unused because there is no preceding dirent, however it is better to pass filp->f_pos to follow grammatical usage. Signed-off-by: Hidetoshi Seto Signed-off-by: Chris Mason Cc: Grazvydas Ignotas Signed-off-by: Greg Kroah-Hartman commit 8e5aefcdfc3eeeb15489f7b39145c69e2a5b2076 Author: Ben Hutchings Date: Thu Sep 22 14:39:52 2011 +0100 ALSA: fm801: Gracefully handle failure of tuner auto-detect commit c37279b92aba2893578f61076cd2eef5c5fa0e99 upstream. Commit 9676001559fce06e37c7dc230ab275f605556176 ("ALSA: fm801: add error handling if auto-detect fails") seems to break systems that were previously working without a tuner. As a bonus, this should fix init and cleanup for the case where the tuner is explicitly disabled. Reported-and-tested-by: Hor Jiun Shyong References: http://bugs.debian.org/641946 Signed-off-by: Ben Hutchings Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f9db06c630f31bc26d4946151aa8db5aa4155c96 Author: Ben Hutchings Date: Thu Sep 22 14:38:58 2011 +0100 ALSA: fm801: Fix double free in case of error in tuner detection commit 2ba34e43ba0469086d1ff81c13a9aa9070c1a0e1 upstream. Commit 9676001559fce06e37c7dc230ab275f605556176 ("ALSA: fm801: add error handling if auto-detect fails") added incorrect error handling. Once we have successfully called snd_device_new(), the cleanup function fm801_free() will automatically be called by snd_card_free() and we must *not* also call fm801_free() directly. Reported-by: Hor Jiun Shyong References: http://bugs.debian.org/641946 Signed-off-by: Ben Hutchings Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b5fa99b753a2b03aeb9ce2851ac038855258e847 Author: Alex Deucher Date: Thu Sep 22 10:47:23 2011 -0400 drm/radeon/kms: fix DDIA enable on some rs690 systems commit fdfc61594e6de21c23f955818ef78bcab9bafe40 upstream. DVOOutputControl checks the value of of bios scratch reg 3 on some tables and assumes the encoder is already enabled if the DFP2_ACTIVE bit is set. Clear that bit so the table sets the DDIA enable bit properly. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 8fc04d468cc3e98099140ef3d76339f10e7ec30a Author: Thomas Pfaff Date: Thu Sep 22 18:26:06 2011 +0200 ALSA: usb-audio - clear chip->probing on error exit commit 362e4e49abe53e89d87455dfcd7c1bbaf08a839d upstream. The Terratec Aureon 5.1 USB sound card support is broken since kernel 2.6.39. 2.6.39 introduced power management support for USB sound cards that added a probing flag in struct snd_usb_audio. During the probe of the card it gives following error message : usb 7-2: new full speed USB device number 2 using uhci_hcd cannot find UAC_HEADER snd-usb-audio: probe of 7-2:1.3 failed with error -5 input: USB Audio as /devices/pci0000:00/0000:00:1d.1/usb7/7-2/7-2:1.3/input/input6 generic-usb 0003:0CCD:0028.0001: input: USB HID v1.00 Device [USB Audio] on usb-0000:00:1d.1-2/input3 I can not comment about that "cannot find UAC_HEADER" error, but until 2.6.38 the card worked anyway. With 2.6.39 chip->probing remains 1 on error exit, and any later ioctl stops in snd_usb_autoresume with -ENODEV. Signed-off-by: Thomas Pfaff Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8413239bfc9e8b94af509c7a43c7d92bd8965630 Author: Anton Blanchard Date: Wed Aug 24 16:40:14 2011 +1000 perf symbols: Fix ppc64 SEGV in dso__load_sym with debuginfo files commit adb091846318f86e4f46c7d6a7b40d2f478abdbe upstream. 64bit PowerPC debuginfo files have an empty function descriptor section. I hit a SEGV when perf tried to use this section for symbol resolution. To fix this we need to check the section is valid and we can do this by checking for type SHT_PROGBITS. Cc: Cc: Ingo Molnar Cc: Paul Mackerras Cc: Peter Zijlstra Cc: Eric B Munson Link: http://lkml.kernel.org/r/20110824065242.895239970@samba.org Signed-off-by: Anton Blanchard Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 99904bf394be0c65e12440bca422b18d1198d73f Author: Arnaud Lacombe Date: Thu Jul 21 13:16:20 2011 -0400 usb/host/pci-quirks.c: correct annotation of `ehci_dmi_nohandoff_table' commit a7e6401e19aa54924ab11ee548afaad0a55ffdc6 upstream. ehci_bios_handoff() is marked __devinit, `ehci_dmi_nohandoff_table' should be marked __devinitconst, not __initconst. This fixes the following section mismatch: WARNING: vmlinux.o(.devinit.text+0x4f08): Section mismatch in reference from the function ehci_bios_handoff() to the variable .init.rodata:ehci_dmi_nohandoff_table The function __devinit ehci_bios_handoff() references a variable __initconst ehci_dmi_nohandoff_table. If ehci_dmi_nohandoff_table is only used by ehci_bios_handoff then annotate ehci_dmi_nohandoff_table with a matching annotation. Cc: Sarah Sharp Signed-off-by: Arnaud Lacombe Signed-off-by: Greg Kroah-Hartman commit 6d901cfa36fbf9682aa467cafacb765baa1c10af Author: Mike Christie Date: Fri Jun 24 15:11:55 2011 -0500 libiscsi_tcp: fix LLD data allocation commit 74dcd0ec735ba9c5bef254b2f6e53068cf3f9ff0 upstream. Have libiscsi_tcp have upper layers allocate the LLD data along with the iscsi_cls_conn struct, so it is refcounted. Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8341e503c2628f056a9fdfe244f15c96b31c04c9 Author: Oliver Neukum Date: Tue Aug 30 15:52:18 2011 +0200 Bluetooth: Fix timeout on scanning for the second time commit 2d20a26a92f72e3bb658fe8ce99c3663756e9e7a upstream. The checks for HCI_INQUIRY and HCI_MGMT were in the wrong order, so that second scans always failed. Signed-off-by: Oliver Neukum Signed-off-by: Gustavo F. Padovan Signed-off-by: Greg Kroah-Hartman commit caebafff01eee11443bbee4e036497d234f29d76 Author: Seth Heasley Date: Thu Jul 14 16:50:49 2011 -0700 ahci: RAID-mode SATA patch for Intel Panther Point DeviceIDs commit 2cab7a4c5ccf96e0954e767af490ba9aee2c9b6f upstream. This patch adds an additional SATA RAID controller DeviceID for the Intel Panther Point PCH. Signed-off-by: Seth Heasley Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 9185560808a0dc0432b130ca9d9965cb7ce052a6 Author: Dan Williams Date: Fri Jul 29 17:17:16 2011 -0700 isci: fix event-get pointer increment commit 77cd72a53f6426f81b7f56a862402849ee903bda upstream. Hardware only increments the put pointer on event types >= 4. Do not increment the get pointer for event type 3. Reported-by: Kapil Karkra Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 2cd24aec048a5653f1a8934b7fd58023009bcc1f Author: Jeff Skirvin Date: Fri Jul 29 17:17:05 2011 -0700 isci: Leave requests alone if already terminating. commit 39ea2c5b5ffaa344467da53e885cfa4ac0105050 upstream. Instead of immediately completing any request that has a second termination call made on it, wait for the TC done/abort HW event. Signed-off-by: Jeff Skirvin Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 0b06f35c02bcf7072556f483c5037fc90907815d Author: Marcin Tomczak Date: Fri Jul 29 17:16:50 2011 -0700 isci: change sas phy timeouts from 54us to 59us commit 985af6f70dbb8a33b3af8a7c7df508d924650e37 upstream. Need the following workaround in the driver for interoperability with the older Intel SSD drives and any other SATA drive that may exhibit the same behavior. This is a corner case where SCU speed is limited to either 3G or 1.5G and the drive has a period of DC idle when it switches speed during SATA speed negotiation. Workaround :change PHYTOV[31:24] from 0x36 to 0x3B. Signed-off-by: Marcin Tomczak Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c02aabcf67bd5d770602eeb6a5cada6f482de696 Author: James Smart Date: Fri Jul 22 18:37:28 2011 -0400 lpfc 8.3.25: PCI and SR-IOV Fixes commit 0a96e9754d6c4a2a31e50ee6c6e36ec13f80bc25 upstream. PCI and SR-IOV Fixes - Call pci_save_state after the pci_restore_state completes. - After calling pci_enable_pcie_error_reporting() and checking the return value for logging messages from rc, reset rc to 0 to it will not later be interpreted for error. - Read PCI config space SR-IOV capability to get the number of VFs supported. - Check for the PF's supported number of VFs before invoking PCI enable sriov API call and log error message that user requested number of VFs is beyond the PF capability if such request is passed in. - Added check for Physical function with Virtual Functions attached. If so, first disable all the VFs before proceeding to device reset. Signed-off-by: Alex Iannicelli Signed-off-by: James Smart Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 641e746c63cb770e196226754c675c471876d4e8 Author: James Smart Date: Fri Jul 22 18:37:06 2011 -0400 lpfc 8.3.25: Fabric and Target Discovery Fixes commit 5248a7498e5f6f3d6d276080466946f82f0ea56a upstream. Fabric and Target Discovery Fixes - Clear FC_VPORT_NEEDS_INIT_VPI flag during completion of REG_VFI mailbox command. - Prevent SLI3 Code from unregistering the physical VPI. - Add an else clause to the code that checks and sets sp->cmn.request_multiple_Nport to clear the bit. - Remove a redundant mbox free. - Modified lpfc_sli4_async_fip_evt to pass in physical VPI toi lpfc_find_vport_by_vpid function. - Modified lpfc_find_vport_by_vpid to translate physical VPI to logical VPI before comparing with vport VPI. Signed-off-by: Alex Iannicelli Signed-off-by: James Smart Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3c9e3f7d10e19d8eac404cd2dbd029a10ff2c3fe Author: James Smart Date: Fri Jul 22 18:36:52 2011 -0400 lpfc 8.3.25: Adapter Interface fixes and changes commit 7851fe2c7f294d0beccf4c3d6af52e8247b89f00 upstream. Adapter Interface fixes and changes - Modify the macro field from lpfc_init_vpi_vpi to lpfc_init_vfi_vpi - Add the new CQE_CODE_RECEIVE_V1 CQE Code, add code in the driver to handle the new Code the same as the CQE_CODE_RECEIVE code except that there are two new checks for this code that will cause the driver to use the new V1 macros for rq_id and fcf_id. - Fix a bug in lpfc_prep_seq() where the size out of the first CQE was ONLY being used, even though multiple dmabufs make up the sequence, each have their own CQE with potentially different sizes. - Fix bug in lpfc_bsg_ct_unsol_event() where the ulpContext and ulpWord[3] fields of the XMIT_SEQUENCE64_CX IOCB were being calculated incorrectly. - Do physical to logical translation before indexing into the active XRI array. - Populate physical vpi in the iocb data structure. - Put the current accumulated total in each IOCB in the chain as we are walking thru then. The last IOCB in the chain should have the total length of the sequence. Signed-off-by: Alex Iannicelli Signed-off-by: James Smart Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit ef39470caffb12b2afc3ffe5f3fe58e556eaf59f Author: James Smart Date: Fri Jul 22 18:36:33 2011 -0400 lpfc 8.3.25: Miscellaneous Bug fixes and code cleanup commit 88a2cfbb8bf3802ca5a90c7d1567a1e542e6ef0c upstream. Miscellaneous Bug fixes and code cleanup - Fix 16G link speed reporting by adding check for 16G check. - Change the check and enforcement of MAILBOX_EXT_SIZE (2048B) to the check and enforcement of BSG_MBOX_SIZE - sizeof(MAILBOX_t) (3840B). - Instead of waiting for a fixed amount of time after performing firmware reset, the driver shall wait for the Lancer SLIPORT_STATUS register for the readiness of the firmware for bring up. - Add logging to indicate when dynamic parameters are changed. - Add revision and date to the firmware image format. - Use revision instead of rev_name to check firmware image version. - Update temporary offset after memcopy is complete for firmware update. - Consolidated the use of the macros to get rid of duplicated register offset definitions. - Removed the unused second parameter in routine lpfc_bsg_diag_mode_enter() - Enable debugfs when debugfs is enabled. - Update function comments for lpfc_sli4_alloc_xri and lpfc_sli4_init_rpi_hdrs. Signed-off-by: Alex Iannicelli Signed-off-by: James Smart Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 865b5c432e9ab4910badf3e9b313ca9860a9c0b8 Author: James Smart Date: Fri Jul 22 18:36:25 2011 -0400 lpfc 8.3.25: T10 DIF Fixes commit 7c56b9fd3b6d2d933075d12abee67ceb7c90d04a upstream. T10 DIF Fixes - Fix the case where the SCSI Host supplies the CRC and driver to controller protection is on. - Only support T10 DIF type 1. LBA always goes in ref tag and app tag is not checked. - Change the format of the sense data passed up to the SCSI layer to match the Descriptor Format Sense Data found in SPC-4 sections 4.5.2.1 and 4.5.2.2. - Fix Slip PDE implementation. - Remove BUG() in else casein lpfc_sc_to_bg_opcodes. Signed-off-by: Alex Iannicelli Signed-off-by: James Smart Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 1d43a87614596faf4b9cae2d0c894aa67a7c5121 Author: Peter Huewe Date: Thu Sep 15 14:47:42 2011 -0300 TPM: Zero buffer after copying to userspace commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream. Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 108885cc2856128a266423d45f617e65961048f7 Author: Peter Huewe Date: Thu Sep 15 14:37:43 2011 -0300 TPM: Call tpm_transmit with correct size commit 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 upstream. This patch changes the call of tpm_transmit by supplying the size of the userspace buffer instead of TPM_BUFSIZE. This got assigned CVE-2011-1161. [The first hunk didn't make sense given one could expect way less data than TPM_BUFSIZE, so added tpm_transmit boundary check over bufsiz instead The last parameter of tpm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it. It isn't ideal to parse it directly, so we just set it to the maximum the input buffer can handle and let the userspace API to do such job.] Signed-off-by: Rajiv Andrade Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit e861bcf3dc9c121387d3c0daad8204c843c47f80 Author: Geert Uytterhoeven Date: Thu Sep 22 21:47:38 2011 +0200 zorro: Defer device_register() until all devices have been identified commit a7f4d00a82feb5b311f765bf9522bc55bee0684f upstream. As the Amiga Zorro II address space is limited to 8.5 MiB and Zorro devices can contain only one BAR, several Amiga Zorro II expansion boards (mainly graphics cards) contain multiple Zorro devices: a small one for the control registers and one (or more) for the graphics memory. The conversion of cirrusfb to the new driver framework introduced a regression: the driver contains a zorro_driver for the first Zorro device, and uses the (old) zorro_find_device() call to find the second Zorro device. However, as the Zorro core calls device_register() as soon as a Zorro device is identified, it may not have identified the second Zorro device belonging to the same physical Zorro expansion card. Hence cirrusfb could no longer find the second part of the Picasso II graphics card, causing a NULL pointer dereference. Defer the registration of Zorro devices with the driver framework until all Zorro devices have been identified to fix this. Note that the alternative solution (modifying cirrusfb to register a zorro_driver for all Zorro devices belonging to a graphics card, instead of only for the first one, and adding a synchronization mechanism to defer initialization until all have been found), is not an option, as on some cards one device may be optional (e.g. the second bank of 2 MiB of graphics memory on the Picasso IV in Zorro II mode). Reported-by: Ingo Jürgensmann Signed-off-by: Geert Uytterhoeven Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit af674335761a7ab9b015ec7e051ae232d5c0efab Author: Eric Dumazet Date: Tue Aug 23 19:57:05 2011 +0000 bridge: fix a possible use after free [ Upstream commit 22df13319d1fec30b8f9bcaadc295829647109bb ] br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb head can be reallocated. Cache icmp6_type field instead of dereferencing twice the struct icmp6hdr pointer. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 42270cd40ba8e0134cffd1c036a1aa3d844369a8 Author: Yan, Zheng Date: Tue Aug 23 22:54:33 2011 +0000 bridge: Pseudo-header required for the checksum of ICMPv6 [ Upstream commit 4b275d7efa1c4412f0d572fcd7f78ed0919370b3 ] Checksum of ICMPv6 is not properly computed because the pseudo header is not used. Thus, the MLD packet gets dropped by the bridge. Signed-off-by: Zheng Yan Reported-by: Ang Way Chuang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 23b576bfe4a6056afb6bca3cd1cb96581f4cb19d Author: Steffen Klassert Date: Tue Sep 20 23:38:58 2011 +0000 xfrm: Perform a replay check after return from async codepaths [ Upstream commit bcf66bf54aabffc150acd1c99e0f4bc51935eada ] When asyncronous crypto algorithms are used, there might be many packets that passed the xfrm replay check, but the replay advance function is not called yet for these packets. So the replay check function would accept a replay of all of these packets. Also the system might crash if there are more packets in async processing than the size of the anti replay window, because the replay advance function would try to update the replay window beyond the bounds. This pach adds a second replay check after resuming from the async processing to fix these issues. Signed-off-by: Steffen Klassert Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b082a5631a746b494553f7c72b387cb625a1674a Author: Jiri Pirko Date: Thu Aug 18 21:29:27 2011 -0700 vlan: reset headers on accel emulation path [ Upstream commit c5114cd59d2664f258b0d021d79b1532d94bdc2b ] It's after all necessary to do reset headers here. The reason is we cannot depend that it gets reseted in __netif_receive_skb once skb is reinjected. For incoming vlanids without vlan_dev, vlan_do_receive() returns false with skb != NULL and __netif_reveive_skb continues, skb is not reinjected. This might be good material for 3.0-stable as well Reported-by: Mike Auty Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bc4c1bd0d97dfd9a705bcb3ade46b051c3f4647d Author: Mike Waychison Date: Wed Aug 10 21:59:57 2011 -0700 tcp: initialize variable ecn_ok in syncookies path [ Upstream commit f0e3d0689da401f7d1981c2777a714ba295ea5ff ] Using a gcc 4.4.3, warnings are emitted for a possibly uninitialized use of ecn_ok. This can happen if cookie_check_timestamp() returns due to not having seen a timestamp. Defaulting to ecn off seems like a reasonable thing to do in this case, so initialized ecn_ok to false. Signed-off-by: Mike Waychison Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 616ea55abc53ced58c4097b33b26abea01a743d4 Author: Zheng Yan Date: Sun Sep 18 22:37:34 2011 -0400 tcp: fix validation of D-SACK [ Upstream commit f779b2d60ab95c17f1e025778ed0df3ec2f05d75 ] D-SACK is allowed to reside below snd_una. But the corresponding check in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo. Signed-off-by: Zheng Yan Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 265d5c2eb22550566cf4193df46596dac439374c Author: Tim Chen Date: Tue Aug 9 06:48:32 2011 +0000 scm: Capture the full credentials of the scm sender [ Upstream commit e33f7a9f37d486f4c6cce5de18a6eea11d68f64f ] This patch corrects an erroneous update of credential's gid with uid introduced in commit 257b5358b32f17 since 2.6.36. Signed-off-by: Tim Chen Acked-by: Eric Dumazet Reviewed-by: James Morris Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5c97f6d48701d464dfd6e8782399383686603b65 Author: Ben Hutchings Date: Thu Sep 1 12:09:29 2011 +0000 Revert "sfc: Use write-combining to reduce TX latency" and follow-ups [ Upstream commit 86c432ca5d6da90a26ac8d3e680f2268b502d9c5 ] This reverts commits 65f0b417dee94f779ce9b77102b7d73c93723b39, d88d6b05fee3cc78e5b0273eb58c31201dcc6b76, fcfa060468a4edcf776f0c1211d826d5de1668c1, 747df2258b1b9a2e25929ef496262c339c380009 and 867955f5682f7157fdafe8670804b9f8ea077bc7. Depending on the processor model, write-combining may result in reordering that the NIC will not tolerate. This typically results in a DMA error event and reset by the driver, logged as: sfc 0000:0e:00.0: eth2: TX DMA Q reports TX_EV_PKT_ERR. sfc 0000:0e:00.0: eth2: resetting (ALL) Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 621ad27ca68f318db0d416e5c1401d35c95c6d91 Author: Florian Westphal Date: Tue Aug 9 02:04:43 2011 +0000 net_sched: prio: use qdisc_dequeue_peeked [ Upstream commit 3557619f0f6f7496ed453d4825e24958ab1884e0 ] commit 07bd8df5df4369487812bf85a237322ff3569b77 (sch_sfq: fix peek() implementation) changed sfq to use generic peek helper. This makes HFSC complain about a non-work-conserving child qdisc, if prio with sfq child is used within hfsc: hfsc peeks into prio qdisc, which will then peek into sfq. returned skb is stashed in sch->gso_skb. Next, hfsc tries to dequeue from prio, but prio will call sfq dequeue directly, which may return NULL instead of previously peeked-at skb. Have prio call qdisc_dequeue_peeked, so sfq->dequeue() is not called in this case. Cc: Eric Dumazet Signed-off-by: Florian Westphal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 018660661b23526bbc9ebcd2dc260453ed1f49d5 Author: Julian Anastasov Date: Sun Aug 7 09:11:00 2011 +0000 netfilter: TCP and raw fix for ip_route_me_harder [ Upstream commit 797fd3913abf2f7036003ab8d3d019cbea41affd ] TCP in some cases uses different global (raw) socket to send RST and ACK. The transparent flag is not set there. Currently, it is a problem for rerouting after the previous change. Fix it by simplifying the checks in ip_route_me_harder and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe because the initial routing allowed this source address to be used and now we just have to make sure the packet is rerouted. As a side effect this also allows rerouting for normal raw sockets that use spoofed source addresses which was not possible even before we eliminated the ip_route_input call. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2ce655e2c1e821c6681bb0001c8a0add874647ec Author: Yan, Zheng Date: Tue Aug 23 22:54:37 2011 +0000 mcast: Fix source address selection for multicast listener report [ Upstream commit e05c4ad3ed874ee4f5e2c969e55d318ec654332c ] Should check use count of include mode filter instead of total number of include mode filters. Signed-off-by: Zheng Yan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea918c963323df0ad0d5052702b76c3230bf414d Author: Daniel Baluta Date: Fri Aug 19 03:19:07 2011 -0700 ipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS [ Upstream commit 98e77438aed3cd3343cbb86825127b1d9d2bea33 ] IPV6_2292PKTOPTIONS is broken for 32-bit applications running in COMPAT mode on 64-bit kernels. The same problem was fixed for IPv4 with the patch: ipv4: Fix ip_getsockopt for IP_PKTOPTIONS, commit dd23198e58cd35259dd09e8892bbdb90f1d57748 Signed-off-by: Sorin Dumitru Signed-off-by: Daniel Baluta Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 025fd917321b1af0417d5cff2f17907fa77ee0a2 Author: Julian Anastasov Date: Tue Aug 9 04:01:16 2011 +0000 ipv4: some rt_iif -> rt_route_iif conversions [ Upstream commit 97a804102021431fa6fa33c21c85df762b0f5cb9 ] As rt_iif represents input device even for packets coming from loopback with output route, it is not an unique key specific to input routes. Now rt_route_iif has such role, it was fl.iif in 2.6.38, so better to change the checks at some places to save CPU cycles and to restore 2.6.38 semantics. compare_keys: - input routes: only rt_route_iif matters, rt_iif is same - output routes: only rt_oif matters, rt_iif is not used for matching in __ip_route_output_key - now we are back to 2.6.38 state ip_route_input_common: - matching rt_route_iif implies input route - compared to 2.6.38 we eliminated one rth->fl.oif check because it was not needed even for 2.6.38 compare_hash_inputs: Only the change here is not an optimization, it has effect only for output routes. I assume I'm restoring the original intention to ignore oif, it was using fl.iif - now we are back to 2.6.38 state Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cbab190c501c8034b82e0dd9da7fdb4b75e08daa Author: Gao feng Date: Sun Sep 11 15:36:05 2011 +0000 fib:fix BUG_ON in fib_nl_newrule when add new fib rule [ Upstream commit 561dac2d410ffac0b57a23b85ae0a623c1a076ca ] add new fib rule can cause BUG_ON happen the reproduce shell is ip rule add pref 38 ip rule add pref 38 ip rule add to 192.168.3.0/24 goto 38 ip rule del pref 38 ip rule add to 192.168.3.0/24 goto 38 ip rule add pref 38 then the BUG_ON will happen del BUG_ON and use (ctarget == NULL) identify whether this rule is unresolved Signed-off-by: Gao feng Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5ee858c9ab53a4f6b12a095a4982793d4f417f56 Author: Eric Dumazet Date: Mon Aug 22 06:05:59 2011 +0000 bridge: fix a possible net_device leak [ Upstream commit 11f3a6bdc2528d1ce2af50202dbf7138fdee1b34 ] Jan Beulich reported a possible net_device leak in bridge code after commit bb900b27a2f4 (bridge: allow creating bridge devices with netlink) Reported-by: Jan Beulich Signed-off-by: Eric Dumazet Acked-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8e24aecbcdd00d94474a6e2e61bed59866c0d539 Author: Eric Dumazet Date: Mon Aug 22 19:32:42 2011 +0000 arp: fix rcu lockdep splat in arp_process() [ Upstream commit 20e6074eb8e096b3a595c093d1cb222f378cd671 ] Dave Jones reported a lockdep splat triggered by an arp_process() call from parp_redo(). Commit faa9dcf793be (arp: RCU changes) is the origin of the bug, since it assumed arp_process() was called under rcu_read_lock(), which is not true in this particular path. Instead of adding rcu_read_lock() in parp_redo(), I chose to add it in neigh_proxy_process() to take care of IPv6 side too. =================================================== [ INFO: suspicious rcu_dereference_check() usage. ] --------------------------------------------------- include/linux/inetdevice.h:209 invoked rcu_dereference_check() without protection! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 4 locks held by setfiles/2123: #0: (&sb->s_type->i_mutex_key#13){+.+.+.}, at: [] walk_component+0x1ef/0x3e8 #1: (&isec->lock){+.+.+.}, at: [] inode_doinit_with_dentry+0x3f/0x41f #2: (&tbl->proxy_timer){+.-...}, at: [] run_timer_softirq+0x157/0x372 #3: (class){+.-...}, at: [] neigh_proxy_process +0x36/0x103 stack backtrace: Pid: 2123, comm: setfiles Tainted: G W 3.1.0-0.rc2.git7.2.fc16.x86_64 #1 Call Trace: [] lockdep_rcu_dereference+0xa7/0xaf [] __in_dev_get_rcu+0x55/0x5d [] arp_process+0x25/0x4d7 [] parp_redo+0xe/0x10 [] neigh_proxy_process+0x9a/0x103 [] run_timer_softirq+0x218/0x372 [] ? run_timer_softirq+0x157/0x372 [] ? neigh_stat_seq_open+0x41/0x41 [] ? mark_held_locks+0x6d/0x95 [] __do_softirq+0x112/0x25a [] call_softirq+0x1c/0x30 [] do_softirq+0x4b/0xa2 [] irq_exit+0x5d/0xcf [] smp_apic_timer_interrupt+0x7c/0x8a [] apic_timer_interrupt+0x73/0x80 [] ? trace_hardirqs_on_caller+0x121/0x158 [] ? __slab_free+0x30/0x24c [] ? __slab_free+0x2e/0x24c [] ? inode_doinit_with_dentry+0x2e9/0x41f [] ? inode_doinit_with_dentry+0x2e9/0x41f [] ? inode_doinit_with_dentry+0x2e9/0x41f [] kfree+0x108/0x131 [] inode_doinit_with_dentry+0x2e9/0x41f [] selinux_d_instantiate+0x1c/0x1e [] security_d_instantiate+0x21/0x23 [] d_instantiate+0x5c/0x61 [] d_splice_alias+0xbc/0xd2 [] ext4_lookup+0xba/0xeb [] d_alloc_and_lookup+0x45/0x6b [] walk_component+0x215/0x3e8 [] lookup_last+0x3b/0x3d [] path_lookupat+0x82/0x2af [] ? might_fault+0xa5/0xac [] ? might_fault+0x5c/0xac [] ? getname_flags+0x31/0x1ca [] do_path_lookup+0x28/0x97 [] user_path_at+0x59/0x96 [] ? cp_new_stat+0xf7/0x10d [] vfs_fstatat+0x44/0x6e [] vfs_lstat+0x1e/0x20 [] sys_newlstat+0x1a/0x33 [] ? trace_hardirqs_on_caller+0x121/0x158 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Reported-by: Dave Jones Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3b576ff8b0e8a70be60a0ee8aa7d637ba27db2c8 Author: Youquan Song Date: Tue Aug 2 14:01:35 2011 +0800 perf, x86: Add model 45 SandyBridge support commit a34668f6beb4ab01e07683276d6a24bab6c175e0 upstream. Add support to Romely-EP SandyBridge. Signed-off-by: Youquan Song Signed-off-by: Anhua Xu Signed-off-by: Lin Ming Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1312264895-2010-1-git-send-email-youquan.song@intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e670d472aaaa51f93a5a49de00dc573eea8a8486 Author: Kashyap, Desai Date: Tue Jun 14 10:57:31 2011 +0530 mpt2sas: Adding support for customer specific branding commit ab3e5f60d1fc8fe725d02510ff820ff207a8dbef upstream. Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit db1f8f788b108fa627f011355ff9ba5e3e789fa6 Author: Kashyap, Desai Date: Tue Jun 14 10:57:08 2011 +0530 mpt2sas: Added DID_NO_CONNECT return when driver remove and avoid shutdown call commit 7821578caa8cb831868989041112ab808029ca65 upstream. Driver should not call shutdown call from _scsih_remove otherwise, The scsi midlayer can be deadlocked when devices are removed from the driver pci_driver->shutdown handler. Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 68cde1e274f52661b06c0b994c5280e3f880bd74 Author: Kiran Patil Date: Mon Jun 20 16:59:15 2011 -0700 fcoe: Unable to select the exchangeID from offload pool for storage targets commit 1ff9918b625457ce20d450d00f9ed0a12ba191b7 upstream. Problem: When initiator sends write command to target, target tries to assign new sequence. It allocates new exchangeID (RX_ID) always from non-offloaded pool (Non-offload EMA) Fix: Enhanced fcoe_oem_match routine to look at F_CTL flags and if it is exchange responder and command type is WRITEDATA, then function returns TRUE instead of FALSE. This function is used to determine which pool to use (offload pool of exchange is used only if this function returns TRUE). Technical Notes: N/A Signed-off-by: Kiran Patil Signed-off-by: Robert Love Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit cb9d94e8dc5b81e565ef4ecbc9a7f12be05414f8 Author: Kiran Patil Date: Mon Jun 20 16:58:59 2011 -0700 libfc: Enhancement to RPORT state machine applicable only for VN2VN mode commit 480584818a4bb3655d8d0d875ed60b427fc61cc5 upstream. Problem: Existing RPORT state machine continues witg FLOGI/PLOGI process only after it receices beacon from other end. Once claiming stage is over (either clain notify or clain repose), beacon is sent and state machine enters into operational mode where it initiates the rlogin process (FLOGI/PLOGI) to the peer but before this rlogin is initiated, exitsing implementation checks if it received beacon from other end, it beacon is not received yet, rlogin process is not initiated. Other end initiates FLOGI but peer end keeps on rejecting FLOGI, hence after 3 retries other end deletes associated rport, then sends a beacon. Once the beacon is received, peer end now initiates rlogin to the peer end but since associated rport is deleted FLOGI is neither accepted nor the reject response send out because rport is deleted. Hence unable to proceed withg FLOGI/PLOGI process and fails to establish VN2VN connection. Fix: VN2VN spec is not standard yet but based on exitsing collateral on T11, it appears that, both end shall send beacon and enter into 'operational mode' without explictly waiting for beacon from other end. Fix is to allow the RPORT login process as long as respective RPORT is created (as part of claim notification / claim response) even though state of RPORT is INIT. Means don't wait for beacon from peer end, if peer end initiates FLOGI (means peer end exist and responding). Notes: This patch is preparing the FCoE stack for target wrt offload. This is generic patch and harmless even if applied on storage initiator because 'else if' condition of function 'fcoe_oem_found' shall evaluate to TRUE only for targets. Dependencies: None Signed-off-by: Kiran Patil Signed-off-by: Robert Love Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit f85eb4c9c9c9016da4e43d86f8fc29267798eab7 Author: Giuseppe Scrivano Date: Wed Aug 3 22:10:29 2011 +0000 cdc_ncm: fix endianness problem. commit 36c35416a94f5632c3addad05217ff02c39b3b61 upstream. Fix a misusage of the struct usb_cdc_notification to pass arguments to the usb_control_msg function. The usb_control_msg function expects host endian arguments but usb_cdc_notification stores these values as little endian. Now usb_control_msg is directly invoked with host endian values. Signed-off-by: Giuseppe Scrivano Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 90278ca93cd14c1d9d1d360d333d78f0258616ab Author: Marek Vasut Date: Wed Jul 20 05:57:04 2011 +0000 ASIX: Add AX88772B USB ID commit 308859097831831a979f2e82cbeef0a94f438080 upstream. This device can be found in Acer Iconia TAB W500 tablet dock. Signed-off-by: Marek Vasut Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ef0bbf3e5fa4ec3086495e4c48e3b4ccf12d47d Author: Michal Sroczynski Date: Tue Jul 5 21:53:35 2011 +0200 USB: PL2303: correctly handle baudrates above 115200 commit 8d48fdf689fed2c73c493e5146d1463689246442 upstream. PL2303: correctly handle baudrates above 115200 Signed-off-by: Michal Sroczynski Signed-off-by: Greg Kroah-Hartman commit 5b48fc2d4e9ce38fe045429a3ef0c76dae899ed7 Author: Anisse Astier Date: Tue Jul 5 16:38:46 2011 +0200 ehci: add pci quirk for Ordissimo and RM Slate 100 too commit 0c42a4e84502533ec40544324debe2a62836ae11 upstream. Add another variant of the Pegatron tablet used by Ordissimo, and apparently RM Slate 100, to the list of models that should skip the negociation for the handoff of the EHCI controller. Signed-off-by: Anisse Astier Signed-off-by: Greg Kroah-Hartman commit f06d716d8eb4248e75fa2a5e1288a5ddcff8a9f4 Author: Anisse Astier Date: Tue Jul 5 16:38:45 2011 +0200 ehci: refactor pci quirk to use standard dmi_check_system method commit 03c75362181b0b1d6a330e7cf8def10ba988dfbe upstream. In commit 3610ea5397b80822e417aaa0e706fd803fb05680 (ehci: workaround for pci quirk timeout on ExoPC), a workaround was added to skip the negociation for the handoff of the EHCI controller. Refactor the DMI detection code to use standard dmi_check_system function. Signed-off-by: Anisse Astier Signed-off-by: Greg Kroah-Hartman commit 352d0ff21f7a8ce23b0a70a80cd61e5ae566fe60 Author: Matt Carlson Date: Wed Jul 20 10:20:55 2011 +0000 tg3: Fix int selftest for recent devices. commit 3aa1cdf87c0b3f2345e75c474acc32ebbf0a4724 upstream. This patch fixes interrupt selftest failures for recent devices (57765, 5717, 5718. 5719, 5720) by disabling MSI one-shot mode and applying the status tag workaround to the selftest code. Signed-off-by: Matt Carlson Reviewed-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f7838b55dc1708fa0bc3170851cddc3d900c310b Author: Matt Carlson Date: Wed Jul 20 10:20:53 2011 +0000 tg3: Add 5719 and 5720 to EEE_CAP list commit 5baa5e9aa28baccd2a1227095c25bb3e999f250d upstream. This patch adds the 5719 and the 5720 to the list of devices that are EEE capable. Signed-off-by: Matt Carlson Reviewed-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 002c956aab560a58367bf6bc804548d219a5eb45 Author: Jan Glauber Date: Sun Jul 24 10:48:00 2011 +0200 qdio: clear shared DSCI before scheduling the queue handler commit b02f0c2ea25781e0f94b4fc8f6f85582057857b3 upstream. The following race can occur with qdio devices that use the shared device state change indicator: Device (Shared DSCI) CPU0 CPU1 =============================================================================== 1. DSCI 0 => 1, INT pending 2. Thinint handler * si_used = 1 * Inbound tasklet_schedule * DSCI 1 => 0 3. DSCI 0 => 1, INT pending 4. Thinint handler * si_used = 1 * Inbound tasklet_schedu le => NOP 5. Inbound tasklet run 6. DSCI = 1, INT surpressed 7. DSCI 1 => 0 The race would lead to a stall where new data in the input queue is not recognized so the device stops working in case of no further traffic. Fix the race by resetting the DSCI before scheduling the inbound tasklet so the device generates an interrupt if new data arrives in the above scenario in step 6. Reviewed-by: Ursula Braun Signed-off-by: Jan Glauber Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit cfdf7986b6398049c35f8eb6e236d2387ee7ae14 Author: Wu Fengguang Date: Wed Apr 27 19:05:21 2011 -0600 writeback: update dirtied_when for synced inode to prevent livelock commit 94c3dcbb0b0cdfd82cedd21705424d8044edc42c upstream. Explicitly update .dirtied_when on synced inodes, so that they are no longer considered for writeback in the next round. It can prevent both of the following livelock schemes: - while true; do echo data >> f; done - while true; do touch f; done (in theory) The exact livelock condition is, during sync(1): (1) no new inodes are dirtied (2) an inode being actively dirtied On (2), the inode will be tagged and synced with .nr_to_write=LONG_MAX. When finished, it will be redirty_tail()ed because it's still dirty and (.nr_to_write > 0). redirty_tail() won't update its ->dirtied_when on condition (1). The sync work will then revisit it on the next queue_io() and find it eligible again because its old ->dirtied_when predates the sync work start time. We'll do more aggressive "keep writeback as long as we wrote something" logic in wb_writeback(). The "use LONG_MAX .nr_to_write" trick in commit b9543dac5bbc ("writeback: avoid livelocking WB_SYNC_ALL writeback") will no longer be enough to stop sync livelock. Reviewed-by: Jan Kara Signed-off-by: Wu Fengguang Signed-off-by: Greg Kroah-Hartman commit ac693061b11c33d5a5c5ec1925de7abd3fcb0971 Author: Wu Fengguang Date: Sun Jun 6 10:38:15 2010 -0600 writeback: introduce .tagged_writepages for the WB_SYNC_NONE sync stage commit 6e6938b6d3130305a5960c86b1a9b21e58cf6144 upstream. sync(2) is performed in two stages: the WB_SYNC_NONE sync and the WB_SYNC_ALL sync. Identify the first stage with .tagged_writepages and do livelock prevention for it, too. Jan's commit f446daaea9 ("mm: implement writeback livelock avoidance using page tagging") is a partial fix in that it only fixed the WB_SYNC_ALL phase livelock. Although ext4 is tested to no longer livelock with commit f446daaea9, it may due to some "redirty_tail() after pages_skipped" effect which is by no means a guarantee for _all_ the file systems. Note that writeback_inodes_sb() is called by not only sync(), they are treated the same because the other callers also need livelock prevention. Impact: It changes the order in which pages/inodes are synced to disk. Now in the WB_SYNC_NONE stage, it won't proceed to write the next inode until finished with the current inode. Acked-by: Jan Kara CC: Dave Chinner Signed-off-by: Wu Fengguang Signed-off-by: Greg Kroah-Hartman commit 0d39ea76fa3b9a97e9dc45282613bc239ffa8509 Author: Jiri Slaby Date: Tue Jul 26 16:08:47 2011 -0700 ipc/mqueue.c: fix mq_open() return value commit d40dcdb0172a1ba853464983a059fb45e0aaf61a upstream. We return ENOMEM from mqueue_get_inode even when we have enough memory. Namely in case the system rlimit of mqueue was reached. This error propagates to mq_queue and user sees the error unexpectedly. So fix this up to properly return EMFILE as described in the manpage: EMFILE The process already has the maximum number of files and message queues open. instead of: ENOMEM Insufficient memory. With the previous patch we just switch to ERR_PTR/PTR_ERR/IS_ERR error handling here. Signed-off-by: Jiri Slaby Cc: Manfred Spraul Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7688ef38157babe5bb0e24b3779e769f730b85fc Author: Jiri Slaby Date: Tue Jul 26 16:08:46 2011 -0700 ipc/mqueue.c: refactor failure handling commit 04715206c0c2fd4ec5ca77fa51e3a5b41ce71492 upstream. If new_inode fails to allocate an inode we need only to return with NULL. But now we test the opposite and have all the work in a nested block. So do the opposite to save one indentation level (and remove unnecessary line breaks). This is only a preparation/cleanup for the next patch where we fix up return values from mqueue_get_inode. Signed-off-by: Jiri Slaby Cc: Manfred Spraul Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b7d4d461ad51ad98992a1b4d0b46f86ccabd1ee0 Author: Matt Carlson Date: Wed Jul 20 10:20:50 2011 +0000 tg3: Fix io failures after chip reset commit 9e975cc291d80d5e4562d6bed15ec171e896d69b upstream. Commit f2096f94b514d88593355995d5dd276961e88af1, entitled "tg3: Add 5720 H2BMC support", needed to add code to preserve some bits set by firmware. Unfortunately the new code causes throughput to stop after a chip reset because it enables state machines before they are ready. This patch undoes the problematic code. The bits will be restored later in the init sequence. Signed-off-by: Matt Carlson Reviewed-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 52734d26ffca727da0e687963333ae88056ad84b Author: Mike Christie Date: Fri Jun 24 15:11:54 2011 -0500 iscsi_tcp: fix locking around iscsi sk user data commit 03adb5f91280b433c3685d0ee86b2e1424af3d88 upstream. iscsi_sw_tcp_conn_restore_callbacks could have set the sk_user_data field to NULL then iscsi_sw_tcp_data_ready could read that and try to access the NULL pointer. This adds some checks for NULL sk_user_data in the sk callback functions and it uses the sk_callback_lock to set/get that sk_user_data field. Signed-off-by: Mike Christie Signed-off-by: James Bottomley Signed-off-by: Hannes Reinecke Signed-off-by: Greg Kroah-Hartman commit e37143e6522a978b62ed4142741236af1f381d1d Author: Wanlong Gao Date: Wed Sep 21 10:22:10 2011 +0200 blk-cgroup: be able to remove the record of unplugged device commit d11bb4462c4cc6ddd45c6927c617ad79fa6fb8fc upstream. The bug is we're not able to remove the device from blkio cgroup's per-device control files if it gets unplugged. To reproduce the bug: # mount -t cgroup -o blkio xxx /cgroup # cd /cgroup # echo "8:0 1000" > blkio.throttle.read_bps_device # unplug the device # cat blkio.throttle.read_bps_device 8:0 1000 # echo "8:0 0" > blkio.throttle.read_bps_device -bash: echo: write error: No such device After patching, the device removal will succeed. Thanks for the comments of Paul, Zefan, and Vivek. Signed-off-by: Wanlong Gao Cc: Li Zefan Cc: Paul Menage Acked-by: Vivek Goyal Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 10cabb78baa285840e10ab1911033e924ff29b94 Author: Don Fry Date: Thu Sep 15 08:36:22 2011 -0700 iwlagn: workaround bug crashing some APs commit 2249b011432ca3dcce112f0f71e0f531b4bb9347 upstream. This patch reverts commit 9b7688328422b88a7a15dc0dc123ad9ab1a6e22d which was introduced in 2.6.38-rc1. It works around a problem where the iwlagn driver stimulates a bug crashing (requiring power cycle to recover) some APs under heavy traffic. Signed-off-by: Don Fry SIgned-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 35ff9b5a4d0c8881d85dc5874964460f858f7e2d Author: Larry Finger Date: Wed Sep 14 16:50:23 2011 -0500 rtl2800usb: Fix incorrect storage of MAC address on big-endian platforms commit daabead1c32f331edcfb255fd973411c667977e8 upstream. The eeprom data is stored in little-endian order in the rt2x00 library. As it was converted to cpu order in the read routines, the data need to be converted to LE on a big-endian platform. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cb49a34465aff5bb9c5209e2b8e775cead9712c7 Author: Rajkumar Manoharan Date: Wed Sep 14 14:28:17 2011 +0530 wireless: Reset beacon_found while updating regulatory commit aa3d7eef398dd4f29045e9889b817d5161afe03e upstream. During the association, the regulatory is updated by country IE that reaps the previously found beacons. The impact is that after a STA disconnects *or* when for any reason a regulatory domain change happens the beacon hint flag is not cleared therefore preventing future beacon hints to be learned. This is important as a regulatory domain change or a restore of regulatory settings would set back the passive scan and no-ibss flags on the channel. This is the right place to do this given that it covers any regulatory domain change. Reviewed-by: Luis R. Rodriguez Signed-off-by: Rajkumar Manoharan Acked-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 310fef97e2c781acbc6603f010c5e14e0e90913b Author: David Vrabel Date: Tue Sep 13 10:17:32 2011 -0400 xen/e820: if there is no dom0_mem=, don't tweak extra_pages. commit e3b73c4a25e9a5705b4ef28b91676caf01f9bc9f upstream. The patch "xen: use maximum reservation to limit amount of usable RAM" (d312ae878b6aed3912e1acaaf5d0b2a9d08a4f11) breaks machines that do not use 'dom0_mem=' argument with: reserve RAM buffer: 000000133f2e2000 - 000000133fffffff (XEN) mm.c:4976:d0 Global bit is set to kernel page fffff8117e (XEN) domain_crash_sync called from entry.S (XEN) Domain 0 (vcpu#0) crashed on cpu#0: ... The reason being that the last E820 entry is created using the 'extra_pages' (which is based on how many pages have been freed). The mentioned git commit sets the initial value of 'extra_pages' using a hypercall which returns the number of pages (if dom0_mem has been used) or -1 otherwise. If the later we return with MAX_DOMAIN_PAGES as basis for calculation: return min(max_pages, MAX_DOMAIN_PAGES); and use it: extra_limit = xen_get_max_pages(); if (extra_limit >= max_pfn) extra_pages = extra_limit - max_pfn; else extra_pages = 0; which means we end up with extra_pages = 128GB in PFNs (33554432) - 8GB in PFNs (2097152, on this specific box, can be larger or smaller), and then we add that value to the E820 making it: Xen: 00000000ff000000 - 0000000100000000 (reserved) Xen: 0000000100000000 - 000000133f2e2000 (usable) which is clearly wrong. It should look as so: Xen: 00000000ff000000 - 0000000100000000 (reserved) Xen: 0000000100000000 - 000000027fbda000 (usable) Naturally this problem does not present itself if dom0_mem=max:X is used. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 0208b80455ff8d4a1d3df826098fbeb0dcf6dc05 Author: David Vrabel Date: Fri Aug 19 15:57:16 2011 +0100 xen: use maximum reservation to limit amount of usable RAM commit d312ae878b6aed3912e1acaaf5d0b2a9d08a4f11 upstream. Use the domain's maximum reservation to limit the amount of extra RAM for the memory balloon. This reduces the size of the pages tables and the amount of reserved low memory (which defaults to about 1/32 of the total RAM). On a system with 8 GiB of RAM with the domain limited to 1 GiB the kernel reports: Before: Memory: 627792k/4472000k available After: Memory: 549740k/11132224k available A increase of about 76 MiB (~1.5% of the unused 7 GiB). The reserved low memory is also reduced from 253 MiB to 32 MiB. The total additional usable RAM is 329 MiB. For dom0, this requires at patch to Xen ('x86: use 'dom0_mem' to limit the number of pages for dom0') (c/s 23790) Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit e2d598ab82b589fc40c4656a10004e328a90b6dd Author: Dave Hansen Date: Tue Sep 20 15:19:41 2011 -0700 teach /proc/$pid/numa_maps about transparent hugepages commit 32ef43848f283e0ef945d3c67e851c143fea3970 upstream. This is modeled after the smaps code. It detects transparent hugepages and then does a single gather_stats() for the page as a whole. This has two benifits: 1. It is more efficient since it does many pages in a single shot. 2. It does not have to break down the huge page. Signed-off-by: Dave Hansen Acked-by: Hugh Dickins Acked-by: David Rientjes Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b879781180172696903fac604ba44c3204e0c1e4 Author: Dave Hansen Date: Tue Sep 20 15:19:39 2011 -0700 break out numa_maps gather_pte_stats() checks commit 3200a8aaab0c9ccdc0f59b0dac2d4a47029137fa upstream. gather_pte_stats() does a number of checks on a target page to see whether it should even be considered for statistics. This breaks that code out in to a separate function so that we can use it in the transparent hugepage case in the next patch. Signed-off-by: Dave Hansen Acked-by: Hugh Dickins Reviewed-by: Christoph Lameter Acked-by: David Rientjes Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a19dcc747653657eeea06b417d8e4593f8f44536 Author: Dave Hansen Date: Tue Sep 20 15:19:38 2011 -0700 make /proc/$pid/numa_maps gather_stats() take variable page size commit eb4866d0066ffd5446751c102d64feb3318d8bd1 upstream. We need to teach the numa_maps code about transparent huge pages. The first step is to teach gather_stats() that the pte it is dealing with might represent more than one page. Note that will we use this in a moment for transparent huge pages since they have use a single pmd_t which _acts_ as a "surrogate" for a bunch of smaller pte_t's. I'm a _bit_ unhappy that this interface counts in hugetlbfs page sizes for hugetlbfs pages and PAGE_SIZE for normal pages. That means that to figure out how many _bytes_ "dirty=1" means, you must first know the hugetlbfs page size. That's easier said than done especially if you don't have visibility in to the mount. But, that's probably a discussion for another day especially since it would change behavior to fix it. But, just in case anyone wonders why this patch only passes a '1' in the hugetlb case... Signed-off-by: Dave Hansen Acked-by: Hugh Dickins Acked-by: David Rientjes Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2826eac8b4cf7b948eb41cdc77d67dbf84aced82 Author: Larry Finger Date: Wed Sep 14 16:50:22 2011 -0500 rt2800pci: Fix compiler error on PowerPC commit d331eb51e4d4190b2178c30fcafea54a94a577e8 upstream. Using gcc 4.4.5 on a Powerbook G4 with a PPC cpu, a complicated if statement results in incorrect flow, whereas the equivalent switch statement works correctly. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ac82a9c88d9e0db9f33ed03517c3e3925ceae634 Author: Lasse Collin Date: Wed Sep 21 17:30:50 2011 +0300 XZ: Fix incorrect XZ_BUF_ERROR commit 9c1f8594df4814ebfd6822ca3c9444fb3445888d upstream. xz_dec_run() could incorrectly return XZ_BUF_ERROR if all of the following was true: - The caller knows how many bytes of output to expect and only provides that much output space. - When the last output bytes are decoded, the caller-provided input buffer ends right before the LZMA2 end of payload marker. So LZMA2 won't provide more output anymore, but it won't know it yet and thus won't return XZ_STREAM_END yet. - A BCJ filter is in use and it hasn't left any unfiltered bytes in the temp buffer. This can happen with any BCJ filter, but in practice it's more likely with filters other than the x86 BCJ. This fixes where Squashfs thinks that a valid file system is corrupt. This also fixes a similar bug in single-call mode where the uncompressed size of a block using BCJ + LZMA2 was 0 bytes and caller provided no output space. Many empty .xz files don't contain any blocks and thus don't trigger this bug. This also tweaks a closely related detail: xz_dec_bcj_run() could call xz_dec_lzma2_run() to decode into temp buffer when it was known to be useless. This was harmless although it wasted a minuscule number of CPU cycles. Signed-off-by: Lasse Collin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b73077a5fce232f3e95099f3bd9c084ab320aa85 Author: Jesse Brandeburg Date: Tue Sep 20 15:13:03 2011 +0000 ixgbe: fix possible null buffer error commit b811ce9104a7f7663ddae4f7795a194a103b8f90 upstream. It seems that at least one PPC machine would occasionally give a (valid) 0 as the return value from dma_map, this caused the ixgbe code to not work correctly. A fix is pending in the PPC tree to not return 0 from dma map, but we can also fix the driver to make sure we don't mess up in other arches as well. This patch is applicable to all current stable kernels. Ref: https://bugzilla.redhat.com/show_bug.cgi?id=683611 Reported-by: Neil Horman Signed-off-by: Jesse Brandeburg CC: Alexander Duyck Tested-by: Thadeu Lima de Souza Cascardo Tested-by: Phil Schmitt Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c086c605156a8a5356a331729c6a0cab85fb386a Author: Manual Munz Date: Sun Sep 18 18:24:03 2011 -0500 b43: Fix beacon problem in ad-hoc mode commit 8c23516fbb209ccf8f8c36268311c721faff29ee upstream. In ad-hoc mode, driver b43 does not issue beacons. Signed-off-by: Manual Munz Tested-by: Larry Finger Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4f56018181256496943d30defeff3f0e6b50e38b Author: Carsten Emde Date: Wed Sep 21 10:22:11 2011 +0200 floppy: use del_timer_sync() in init cleanup commit 6c4867f6469964e34c5f4ee229a2a7f71a34c7ff upstream. When no floppy is found the module code can be released while a timer function is pending or about to be executed. CPU0 CPU1 floppy_init() timer_softirq() spin_lock_irq(&base->lock); detach_timer(); spin_unlock_irq(&base->lock); -> Interrupt del_timer(); return -ENODEV; module_cleanup(); <- EOI call_timer_fn(); OOPS Use del_timer_sync() to prevent this. Signed-off-by: Carsten Emde Signed-off-by: Thomas Gleixner Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b7290a21efb472272306d64686efa523f7e93bf6 Author: Nicolas Pitre Date: Wed Sep 14 01:22:05 2011 -0400 ARM: Dove: fix second SPI initialization call commit 72cc205611879525db0374d9831f84f787112b25 upstream. Commit 980f9f601a "ARM: orion: Consolidate SPI initialization." broke it by overwriting the SPI0 registration. Signed-off-by: Nicolas Pitre Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 562960c731b9ffba8cd200be8d38f5f793b23d74 Author: Steve French Date: Mon Aug 29 18:54:12 2011 +0000 Fix the conflict between rwpidforward and rw mount options commit c9c7fa0064f4afe1d040e72f24c2256dd8ac402d upstream. Both these options are started with "rw" - that's why the first one isn't switched on even if it is specified. Fix this by adding a length check for "rw" option check. Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 862bee39ef540bd3a7772b899b4fa7f3036abf0d Author: Jeff Layton Date: Tue Aug 23 07:21:28 2011 -0400 cifs: fix possible memory corruption in CIFSFindNext commit 9438fabb73eb48055b58b89fc51e0bc4db22fabd upstream. The name_len variable in CIFSFindNext is a signed int that gets set to the resume_name_len in the cifs_search_info. The resume_name_len however is unsigned and for some infolevels is populated directly from a 32 bit value sent by the server. If the server sends a very large value for this, then that value could look negative when converted to a signed int. That would make that value pass the PATH_MAX check later in CIFSFindNext. The name_len would then be used as a length value for a memcpy. It would then be treated as unsigned again, and the memcpy scribbles over a ton of memory. Fix this by making the name_len an unsigned value in CIFSFindNext. Reported-by: Darren Lavender Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit e9bfcbffb7b26065a2b467e29bb6c7ec83d17646 Author: Takashi Iwai Date: Mon Sep 19 11:31:34 2011 +0200 ALSA: hda/realtek - Fix auto-mute with HP+LO configuration commit 8974bd51a77824d91010176f9a5da28513c2e1f5 upstream. When the system has only the headphone and the line-out jacks without speakers, the current auto-mute code doesn't work. It's because the spec->automute_lines flag is wrongly referred in update_speakers(). This flag must be meaningless when spec->automute_hp_lo isn't set, thus they should be always coupled. The patch fixes the problem and add a comment to indicate the relationship briefly. BugLink: http://bugs.launchpad.net/bugs/851697 Reported-by: David Henningsson Tested-By: Jayne Han Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bdba777a08cfe193f8c4a5cbb8382549db932171 Author: Johannes Berg Date: Mon Sep 12 12:09:10 2011 -0700 iwlagn: fix command queue timeout commit 282cdb325aea4ebbc42ce753b47cc96145eb54bc upstream. If the command queue is constantly busy, which can happen in P2P, the hangcheck timer will frequently find a command in it and will eventually reset the device because nothing sets the timestamp for this queue when commands are processed. Fix this by setting the timestamp when a command completes. Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c3c24ca5a0a6bf57b2685c159e5c9c01df76dddb Author: Sarah Sharp Date: Mon Sep 19 16:05:11 2011 -0700 USB: xhci: Set change bit when warm reset change is set. commit 44f4c3ed60fb21e1d2dd98304390ac121e6c7c6d upstream. Sometimes, when a USB 3.0 device is disconnected, the Intel Panther Point xHCI host controller will report a link state change with the state set to "SS.Inactive". This causes the xHCI host controller to issue a warm port reset, which doesn't finish before the USB core times out while waiting for it to complete. When the warm port reset does complete, and the xHC gives back a port status change event, the xHCI driver kicks khubd. However, it fails to set the bit indicating there is a change event for that port because the logic in xhci-hub.c doesn't check for the warm port reset bit. After that, the warm port status change bit is never cleared by the USB core, and the xHC stops reporting port status change bits. (The xHCI spec says it shouldn't report more port events until all change bits are cleared.) This means any port changes when a new device is connected will never be reported, and the port will seem "dead" until the xHCI driver is unloaded and reloaded, or the computer is rebooted. Fix this by making the xHCI driver set the port change bit when a warm port reset change bit is set. A better solution would be to make the USB core handle warm port reset in differently, merging the current code with the standard port reset code that does an incremental backoff on the timeout, and tries to complete the port reset two more times before giving up. That more complicated fix will be merged next window, and this fix will be backported to stable. This should be backported to kernels as old as 3.0, since that was the first kernel with commit a11496ebf375 ("xHCI: warm reset support"). Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman Signed-off-by: Linus Torvalds commit 06b995be61d1352337c792e8f83048b773e32a41 Author: Alex Deucher Date: Fri Sep 16 12:04:08 2011 -0400 drm/radeon/kms: Make GPU/CPU page size handling consistent in blit code (v2) commit 003cefe0c238e683a29d2207dba945b508cd45b7 upstream. The BO blit code inconsistenly handled the page size. This wasn't an issue on system with 4k pages since the GPU's page size is 4k as well. Switch the driver blit callbacks to take num pages in GPU page units. Fixes lemote mipsel systems using AMD rs780/rs880 chipsets. v2: incorporate suggestions from Michel. Signed-off-by: Alex Deucher Reviewed-by: Michel Dänzer Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 3917a8efa50bc38ef2f2194a5e35c2062640feed Author: Ming Lei Date: Wed Aug 31 10:45:46 2011 +0800 firewire: ohci: add no MSI quirk for O2Micro controller commit f39aa30d7741f40ad964341e9243dbbd7f8ff057 upstream. This fixes https://bugs.launchpad.net/ubuntu/+source/linux/+bug/801719 . An O2Micro PCI Express FireWire controller, "FireWire (IEEE 1394) [0c00]: O2 Micro, Inc. Device [1217:11f7] (rev 05)" which is a combination device together with an SDHCI controller and some sort of storage controller, misses SBP-2 status writes from an attached FireWire HDD. This problem goes away if MSI is disabled for this FireWire controller. The device reportedly does not require QUIRK_CYCLE_TIMER. Signed-off-by: Ming Lei Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 2e4caf2e0b5a96f5cfa838108a3a1b934cf7f4f7 Author: Anton Blanchard Date: Wed Sep 7 14:41:05 2011 +0000 ibmveth: Checksum offload is always disabled commit 91aae1e5c407d4fc79f6983e6c6ba04756c004cb upstream. Commit b9367bf3ee6d (net: ibmveth: convert to hw_features) reversed a check in ibmveth_set_csum_offload that results in checksum offload never being enabled. Signed-off-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 83bc0ed804595195df6bc8c5773db5594884e2e7 Author: Anton Blanchard Date: Wed Sep 7 14:41:04 2011 +0000 ibmveth: Fix issue with DMA mapping failure commit b93da27f5234198433345e40b39ff59797bc6f6e upstream. descs[].fields.address is 32bit which truncates any dma mapping errors so dma_mapping_error() fails to catch it. Use a dma_addr_t to do the comparison. With this patch I was able to transfer many gigabytes of data with IOMMU fault injection set at 10% probability. Signed-off-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 63bac6629520236226e54128c873871f1ff1f018 Author: Brian King Date: Wed Sep 7 14:41:03 2011 +0000 ibmveth: Fix DMA unmap error commit 33a48ab105a75d37021e422a0a3283241099b142 upstream. Commit 6e8ab30ec677 (ibmveth: Add scatter-gather support) introduced a DMA mapping API inconsistency resulting in dma_unmap_page getting called on memory mapped via dma_map_single. This was seen when CONFIG_DMA_API_DEBUG was enabled. Fix up this API usage inconsistency. Signed-off-by: Brian King Acked-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3345c36f951a36962493b1f59f23e47b5a94d8d2 Author: Arjan van de Ven Date: Thu Sep 15 08:49:25 2011 +0200 ALSA: pcm - fix race condition in wait_for_avail() commit 763437a9e7737535b2fc72175ad4974048769be6 upstream. wait_for_avail() in pcm_lib.c has a race in it (observed in practice by an Intel validation group). The function is supposed to return once space in the buffer has become available, or if some timeout happens. The entity that creates space (irq handler of sound driver and some such) will do a wake up on a waitqueue that this function registers for. However there are two races in the existing code 1) If space became available between the caller noticing there was no space and this function actually sleeping, the wakeup is missed and the timeout condition will happen instead 2) If a wakeup happened but not sufficient space became available, the code will loop again and wait for more space. However, if the second wake comes in prior to hitting the schedule_timeout_interruptible(), it will be missed, and potentially you'll wait out until the timeout happens. The fix consists of using more careful setting of the current state (so that if a wakeup happens in the main loop window, the schedule_timeout() falls through) and by checking for available space prior to going into the schedule_timeout() loop, but after being on the waitqueue and having the state set to interruptible. [tiwai: the following changes have been added to Arjan's original patch: - merged akpm's fix for waitqueue adding order into a single patch - reduction of duplicated code of avail check ] Signed-off-by: Arjan van de Ven Signed-off-by: Andrew Morton Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d5b1a08d0d0a73c716766275eb0c5648e143ca85 Author: Thomas Tuttle Date: Wed Sep 14 16:22:28 2011 -0700 workqueue: lock cwq access in drain_workqueue commit fa2563e41c3d6d6e8af437643981ed28ae0cb56d upstream. Take cwq->gcwq->lock to avoid racing between drain_workqueue checking to make sure the workqueues are empty and cwq_dec_nr_in_flight decrementing and then incrementing nr_active when it activates a delayed work. We discovered this when a corner case in one of our drivers resulted in us trying to destroy a workqueue in which the remaining work would always requeue itself again in the same workqueue. We would hit this race condition and trip the BUG_ON on workqueue.c:3080. Signed-off-by: Thomas Tuttle Acked-by: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c780713f786ee22532839502ed35f1bd1cb0fd1d Author: Naga Chumbalkar Date: Wed Sep 14 16:22:23 2011 -0700 drivers/cpufreq/pcc-cpufreq.c: avoid NULL pointer dereference commit e71f5cc402ecb42b407ae52add7b173bf1c53daa upstream. per_cpu(processors, n) can be NULL, resulting in: Loading CPUFreq modules[ 437.661360] BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] pcc_cpufreq_cpu_init+0x74/0x220 [pcc_cpufreq] It's better to avoid the oops by failing the driver, and allowing the system to boot. Signed-off-by: Naga Chumbalkar Cc: Dave Jones Cc: Len Brown Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d9575b0bf2b1c380bde6803739513ccc1f95d1d0 Author: Johan Hovold Date: Wed Sep 14 16:22:16 2011 -0700 drivers/leds/ledtrig-timer.c: fix broken sysfs delay handling commit 7a5caabd090b8f7d782c40fc1c048d798f2b6fd7 upstream. Fix regression introduced by commit 5ada28bf7675 ("led-class: always implement blinking") which broke sysfs delay handling by not storing the updated value. Consequently it was only possible to set one of the delays through the sysfs interface as the other delay was automatically restored to it's default value. Reading the parameters always gave the defaults. Signed-off-by: Johan Hovold Acked-by: Florian Fainelli Acked-by: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d63c8a029e509ad48ee9290874731789f9008537 Author: David Vrabel Date: Wed Sep 14 16:22:02 2011 -0700 mm: sync vmalloc address space page tables in alloc_vm_area() commit 461ae488ecb125b140d7ea29ceeedbcce9327003 upstream. Xen backend drivers (e.g., blkback and netback) would sometimes fail to map grant pages into the vmalloc address space allocated with alloc_vm_area(). The GNTTABOP_map_grant_ref would fail because Xen could not find the page (in the L2 table) containing the PTEs it needed to update. (XEN) mm.c:3846:d0 Could not find L1 PTE for address fbb42000 netback and blkback were making the hypercall from a kernel thread where task->active_mm != &init_mm and alloc_vm_area() was only updating the page tables for init_mm. The usual method of deferring the update to the page tables of other processes (i.e., after taking a fault) doesn't work as a fault cannot occur during the hypercall. This would work on some systems depending on what else was using vmalloc. Fix this by reverting ef691947d8a3 ("vmalloc: remove vmalloc_sync_all() from alloc_vm_area()") and add a comment to explain why it's needed. Signed-off-by: David Vrabel Cc: Jeremy Fitzhardinge Cc: Konrad Rzeszutek Wilk Cc: Ian Campbell Cc: Keir Fraser Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 97abc52eb26f2ae8d033100c4c024e6138bdfd60 Author: Al Viro Date: Wed Sep 14 18:55:41 2011 +0100 restore pinning the victim dentry in vfs_rmdir()/vfs_rename_dir() commit 1d2ef5901483004d74947bbf78d5146c24038fe7 upstream. We used to get the victim pinned by dentry_unhash() prior to commit 64252c75a219 ("vfs: remove dget() from dentry_unhash()") and ->rmdir() and ->rename() instances relied on that; most of them don't care, but ones that used d_delete() themselves do. As the result, we are getting rmdir() oopses on NFS now. Just grab the reference before locking the victim and drop it explicitly after unlocking, same as vfs_rename_other() does. Signed-off-by: Al Viro Tested-by: Simon Kirby Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a4f5172f4f84d22889d97c527cd8fe7430f075ae Author: Michel Dänzer Date: Tue Sep 13 11:27:35 2011 +0200 drm/radeon: Don't read from CP ring write pointer registers. commit 87463ff83bcda210d8f0ae440bd64d1548f852e7 upstream. Apparently this doesn't always work reliably, e.g. at resume time. Just initialize to 0, so the ring is considered empty. Tested with hibernation on Sumo and Cayman cards. Should fix https://bugs.launchpad.net/ubuntu/+source/linux/+bug/820746/ . Signed-off-by: Michel Dänzer Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 90199f79ba3111426070b3e04d774c25024ea1a6 Author: David Henningsson Date: Wed Sep 14 13:22:54 2011 +0200 ALSA: HDA: Cirrus - fix "Surround Speaker" volume control name commit 2e1210bc3d065a6e26ff5fef228a9a7e08921d2c upstream. This patch fixes "Surround Speaker Playback Volume" being cut off. (Commit b4dabfc452a10 was probably meant to fix this, but it fixed only the "Switch" name, not the "Volume" name.) Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 56794483bcbf98296dffd8d8923402791b305be2 Author: Thomas Gleixner Date: Tue Jul 19 16:25:42 2011 +0200 x86, iommu: Mark DMAR IRQ as non-threaded commit 477694e71113fd0694b6bb0bcc2d006b8ac62691 upstream. Mark this lowlevel IRQ handler as non-threaded. This prevents a boot crash when "threadirqs" is on the kernel commandline. Also the interrupt handler is handling hardware critical events which should not be delayed into a thread. Signed-off-by: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e74aa3593a0026ea78b3997c3b7748f536e17f66 Author: Johannes Berg Date: Tue Sep 6 12:47:39 2011 +0200 mac80211: fix missing sta_lock in __sta_info_destroy commit 4bae7d976976fa52d345805ba686934cd548343e upstream. Since my commit 34e895075e21be3e21e71d6317440d1ee7969ad0 ("mac80211: allow station add/remove to sleep") there is a race in mac80211 when it clears the TIM bit because a sleeping station disconnected, the spinlock isn't held around the relevant code any more. Use the right API to acquire the spinlock correctly. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 377a4a241c44d46335b45e00c8a66d39b072fd2f Author: George Date: Sat Sep 3 10:58:48 2011 -0500 rtlwifi: Fix problem when switching connections commit bac2555c6d86387132930af4d14cb47c4dd3f4f7 upstream. The driver fails to clear encryption keys making it impossible to switch connections. Signed-off-by: George Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 47e45d75cb074fa59de2fdadc8945d7f52c2c653 Author: George Date: Sat Sep 3 10:58:47 2011 -0500 rtlwifi: rtl8192su: Fix problem connecting to HT-enabled AP commit 3401dc6eba788ebc7c14ce51018d775b1c263399 upstream. The driver fails to connect to 802.11n-enabled APs. The patch fixes Bug #42262. Signed-off-by: George Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 79e72e1b97162d5f4d4ac320238b5cc82e97f040 Author: Geert Uytterhoeven Date: Sun Sep 11 13:59:27 2011 +0200 genirq: Make irq_shutdown() symmetric vs. irq_startup again commit ed585a651681e822089087b426e6ebfb6d3d9873 upstream. If an irq_chip provides .irq_shutdown(), but neither of .irq_disable() or .irq_mask(), free_irq() crashes when jumping to NULL. Fix this by only trying .irq_disable() and .irq_mask() if there's no .irq_shutdown() provided. This revives the symmetry with irq_startup(), which tries .irq_startup(), .irq_enable(), and irq_unmask(), and makes it consistent with the comment for irq_chip.irq_shutdown() in , which says: * @irq_shutdown: shut down the interrupt (defaults to ->disable if NULL) This is also how __free_irq() behaved before the big overhaul, cfr. e.g. 3b56f0585fd4c02d047dc406668cb40159b2d340 ("genirq: Remove bogus conditional"), where the core interrupt code always overrode .irq_shutdown() to .irq_disable() if .irq_shutdown() was NULL. Signed-off-by: Geert Uytterhoeven Cc: linux-m68k@lists.linux-m68k.org Link: http://lkml.kernel.org/r/1315742394-16036-2-git-send-email-geert@linux-m68k.org Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 1e6ad9a39701e09f93d2726ef3602e05f5787ff1 Author: Anand Gadiyar Date: Thu Aug 18 16:14:31 2011 +0530 mfd: Make omap-usb-host TLL mode work again commit e600cffe618ff0da29ae1f8b8d3824ce0e2409fc upstream. This code section seems to have been accidentally copy pasted. It causes incorrect bits to be set up in the TLL_CHANNEL_CONF register and prevents the TLL mode from working correctly. Signed-off-by: Anand Gadiyar Cc: Keshava Munegowda Acked-by: Felipe Balbi Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit fbb3afe05e2664dd265b002a4c0992c45bb885a7 Author: Johan Hovold Date: Mon Aug 15 12:42:03 2011 +0200 mfd: Fix initialisation of tps65910 interrupts commit fa948761e685fb03823b3029e5b6bdb52229d6ce upstream. Fix regression introduced by commit a2974732ca7614aaf0baf9d6dd3ad893d50ce1c5 (TPS65911: Add new irq definitions) which caused irq_num to be incorrectly set for tps65910. Signed-off-by: Johan Hovold Acked-by: Graeme Gregory Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 7edcab441920647c6ffec304451e11bc18ff1b11 Author: Mark Brown Date: Wed Aug 3 18:04:29 2011 +0900 mfd: Fix value of WM8994_CONFIGURE_GPIO commit 8efcc57dedfebc99c3cd39564e3fc47cd1a24b75 upstream. This needs to be an out of band value for the register and on this device registers are 16 bit so we must shift left one to the 17th bit. Signed-off-by: Mark Brown Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 1bfc85f2f23469eedf4ac65fed44573be1a5a133 Author: Lars-Peter Clausen Date: Mon Sep 5 13:49:57 2011 +0200 ASoC: Blackfin: bf5xx-ad193x: Fix codec device name commit c5d2e650bd805a00ff9af537d5b5dede598a198c upstream. Fix the codec_name field of the dai_link to match the actual device name of the codec. Otherwise the card won't be instantiated. Signed-off-by: Lars-Peter Clausen Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b549d496e8739577429bbdfde5470097bff2f2f5 Author: Mark Brown Date: Sun Sep 4 08:18:18 2011 -0700 ASoC: Fix reporting of partial jack updates commit 747da0f80e566500421bd7760b2e050fea3fde5e upstream. We need to report the entire jack state to the core jack code, not just the bits that were being updated by the caller, otherwise the status reported by other detection methods will be omitted from the state seen by userspace. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit c4a67651296888f4c91f5dbd394a279b8b4410fd Author: Jeff Kirsher Date: Tue Aug 30 20:58:56 2011 -0400 e1000: Fix driver to be used on PA RISC C8000 workstations commit e2faeec2de9e2c73958e6ea6065dde1e8cd6f3a2 upstream. The checksum field in the EEPROM on HPPA is really not a checksum but a signature (0x16d6). So allow 0x16d6 as the matching checksum on HPPA systems. This issue is present on longterm/stable kernels, I have verified that this patch is applicable back to at least 2.6.32.y kernels. v2- changed ifdef to use CONFIG_PARISC instead of __hppa__ CC: Guy Martin CC: Rolf Eike Beer CC: Matt Turner Reported-by: Mikulas Patocka Signed-off-by: Jeff Kirsher Acked-by: Jesse Brandeburg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88294ead621e9677bb3108027de2b8d657c25852 Author: Felix Fietkau Date: Mon Aug 29 10:06:14 2011 +0200 ath9k_hw: fix calibration on 5 ghz commit 0e4660cbe51276e86dbdab17228733dbcdb49249 upstream. ADC calibrations cannot run on 5 GHz with fast clock enabled. They need to be disabled, otherwise they'll hang and IQ mismatch calibration will not be run either. Signed-off-by: Felix Fietkau Reported-by: Adrian Chadd Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9f4929636f54a0cc33e249d507356bbc3224c7b3 Author: Len Brown Date: Mon Aug 29 23:01:58 2011 -0400 acpica: ACPI_MAX_SLEEP should be 2 sec, not 20 commit b33c25d6a62ac253caabda2b5f43258abff451c0 upstream. This limit is a workaround for AML that sleeps too long, but the workaround didn't work b/c of a typo. https://bugzilla.kernel.org/show_bug.cgi?id=13195 Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit fb88e8c4a2b208606f5ee7e5dc087d2ade9525ce Author: Stanislaw Gruszka Date: Fri Aug 26 17:24:59 2011 +0200 iwlegacy: fix BUG_ON(info->control.rates[0].idx < 0) commit 7c2510120e9b43b0caf32c3786a6ab831f7d9e87 upstream. When trying to connect to 5GHz we can provide negative index to mac80211 what trigger BUG_ON. Reason of iwl-3945-rs malfunction on 5GHz is unknown and needs further investigation. For now, to do not trigger a bug, correct value and just print WARNING. Address bug: https://bugzilla.redhat.com/show_bug.cgi?id=730653 Reported-and-tested-by: Jan Teichmann Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 1ec94e5a9d9eed782c28bf772c014e8cbdc2b0f2 Author: Andrew Vasquez Date: Tue Aug 16 11:29:28 2011 -0700 qla2xxx: Correct inadvertent loop state transitions during port-update handling. commit 58b48576966ed0afd3f63ef17480ec12748a7119 upstream. Transitioning to a LOOP_UPDATE loop-state could cause the driver to miss normal link/target processing. LOOP_UPDATE is a crufty artifact leftover from at time the driver performed it's own internal command-queuing. Safely remove this state. Signed-off-by: Andrew Vasquez Signed-off-by: Chad Dupuis Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 38702e860531aa7057fde32dc6e0a3ee3a7b5c69 Author: Stephen M. Cameron Date: Tue Aug 9 08:18:01 2011 -0500 hpsa: fix physical device lun and target numbering problem commit 01350d05539d1c95ef3568d062d864ab76ae7670 upstream. If a physical device exposed to the OS by hpsa is replaced (e.g. one hot plug tape drive is replaced by another, or a tape drive is placed into "OBDR" mode in which it acts like a CD-ROM device) and a rescan is initiated, the replaced device will be added to the SCSI midlayer with target and lun numbers set to -1. After that, a panic is likely to ensue. When a physical device is replaced, the lun and target number should be preserved. Signed-off-by: Stephen M. Cameron Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 14e09ccdeed3b3b0c173475c323903d9cb1a5b13 Author: Stephen M. Cameron Date: Tue Aug 9 08:17:30 2011 -0500 hpsa: fix problem that OBDR devices are not detected commit 0b0e1d6cbcc8627970e0399df8f06edd690ec7d9 upstream. The test to detect OBDR ("One Button Disaster Recovery") cd-rom devices was comparing against uninitialized data. Fixed by moving the test for the device to where the inquiry data is collected, and uninitialized variable altogether as it wasn't really being used. Signed-off-by: Stephen M. Cameron Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 9f89c9607925aabb7352a3f50b69c7bfdb2c1cbb Author: Timur Tabi Date: Tue Aug 23 16:48:26 2011 -0500 ASoC: MPC5200: replace of_device with platform_device commit 3bdf28feafc52864bd7f17b39deec64833a89d19 upstream. 'struct of_device' no longer exists, and its functionality has been merged into platform_device. Update the MPC5200 audio DMA driver (mpc5200_dma) accordingly. This fixes a build break. Signed-off-by: Timur Tabi Acked-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit f3919ef81224e33c867882453cd33036ac0ed7ee Author: Dan Williams Date: Fri Jul 29 17:16:45 2011 -0700 isci: fix 32-bit operation when CONFIG_HIGHMEM64G=n commit ee33e2b771f9e9e4aaba2bb2ace7b727fe451a8b upstream. The unsolicited frame control infrastructure requires a table of dma addresses for the hardware to lookup the frame buffer location by an index. The hardware expects the elements of this table to be 64-bit quantities, so we cannot reference these elements as dma_addr_t. All unsolicited frame protocols are affected, particularly SATA-PIO and SMP which prevented direct-attached SATA drives and expander-attached drives to not be discovered. Reported-by: Jacek Danecki Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 60c48a44d308985ccc6335d4591d75acc7e1da77 Author: Dan Williams Date: Fri Jul 29 17:16:40 2011 -0700 isci: fix sata response handling commit 1a878284473284f9577d44babf16d87152a05c33 upstream. A bug (likely copy/paste) that has been carried from the original implementation. The unsolicited frame handling structure returns the d2h fis in the isci_request.stp.rsp buffer. Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 101e357617f790d36b999dada08c437fd2431c3c Author: Jim Garlick Date: Sun Aug 21 00:21:18 2011 +0530 fs/9p: Use protocol-defined value for lock/getlock 'type' field. commit 51b8b4fb32271d39fbdd760397406177b2b0fd36 upstream. Signed-off-by: Jim Garlick Signed-off-by: Aneesh Kumar K.V Signed-off-by: Harsh Prateek Bora Signed-off-by: Greg Kroah-Hartman commit 8bdb14f9c33bb0ad8b37a9465c968ccce4ecda3b Author: Aneesh Kumar K.V Date: Tue Aug 16 22:19:28 2011 +0530 fs/9p: Always ask new inode in lookup for cache mode disabled commit 73f507171cfa407b19f254aef95cbb058c8180cf upstream. This make sure we don't end up reusing the unlinked inode object. The ideal way is to use inode i_generation. But i_generation is not available in userspace always. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Greg Kroah-Hartman commit 8926487ad88b00a9b6677f866df787dea7b3471b Author: Aneesh Kumar K.V Date: Wed Aug 17 16:56:04 2011 +0000 net/9p: Fix kernel crash with msize 512K commit b49d8b5d7007a673796f3f99688b46931293873e upstream. With msize equal to 512K (PAGE_SIZE * VIRTQUEUE_NUM), we hit multiple crashes. This patch fix those. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit a111278ea956e42e2d1ac4b4f04a2c71d322235b Author: Aneesh Kumar K.V Date: Wed Aug 3 19:55:32 2011 +0530 fs/9p: Add OS dependent open flags in 9p protocol commit f88657ce3f9713a0c62101dffb0e972a979e77b9 upstream. Some of the flags are OS/arch dependent we add a 9p protocol value which maps to asm-generic/fcntl.h values in Linux Based on the original patch from Venkateswararao Jujjuri [extra comments from author as to why this needs to go to stable: Earlier for different operation such as open we used the values of open flag as defined by the OS. But some of these flags such as O_DIRECT are arch dependent. So if we have the 9p client and server running on different architectures, we end up with client sending client architecture value of these open flag and server will try to map these values to what its architecture states. For ex: O_DIRECT on a x86 client maps to #define O_DIRECT 00040000 Where as on sparc server it will maps to #define O_DIRECT 0x100000 Hence we need to map these open flags to OS/arch independent flag values. Getting these changes to an early version of kernel ensures us that we work with different combination of client and server. We should ideally backport this patch to all possible kernel version.] Signed-off-by: Aneesh Kumar K.V Signed-off-by: Harsh Prateek Bora Signed-off-by: Greg Kroah-Hartman commit 29a3e8657d2a2640384166e3fe29a086d235fc33 Author: Aneesh Kumar K.V Date: Mon Jul 25 18:06:33 2011 +0000 fs/9p: Don't update file type when updating file attributes commit 45089142b1497dab2327d60f6c71c40766fc3ea4 upstream. We should only update attributes that we can change on stat2inode. Also do file type initialization in v9fs_init_inode. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit e279cdca3ca67dcd8e24051629163f9d5d838894 Author: Aneesh Kumar K.V Date: Mon Jul 25 18:06:32 2011 +0000 fs/9p: Add fid before dentry instantiation commit 5441ae5eb3614d3c28f77073370738a2820c88e4 upstream. d_instantiate marks the dentry positive. So a parallel lookup and mkdir of the directory can find dentry that doesn't have fid attached. This can result in both the code path doing v9fs_fid_add which results in v9fs_dentry leak. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit 3cba74d538d72f649c036df893c2e9895bcfc9df Author: Fenghua Yu Date: Mon Jul 4 08:36:16 2011 +0000 ACPICA: Do not repair _TSS return package if _PSS is present commit 8f9c91273e36e5762c617c23e4fd48d5172e0dac upstream. We can only sort the _TSS return package if there is no _PSS in the same scope. This is because if _PSS is present, the ACPI specification dictates that the _TSS Power Dissipation field is to be ignored, and therefore some BIOSs leave garbage values in the _TSS Power field(s). In this case, it is best to just return the _TSS package as-is. Reported-by: Fenghua Yu Signed-off-by: Fenghua Yu Signed-off-by: Bob Moore Signed-off-by: Lin Ming Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 054b93a673c2b39106b02cbef05bfdc3f5ba6150 Author: Joerg Roedel Date: Fri Sep 2 14:10:32 2011 +0200 iommu/amd: Make sure iommu->need_sync contains correct value commit f1ca1512e765337a7c09eb875eedef8ea4e07654 upstream. The value is only set to true but never set back to false, which causes to many completion-wait commands to be sent to hardware. Fix it with this patch. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 5c755fc21c8e84aff1230e27646fe4277a19451d Author: Joerg Roedel Date: Fri Sep 2 14:19:50 2011 +0200 iommu/amd: Don't take domain->lock recursivly commit e33acde91140f1809952d1c135c36feb66a51887 upstream. The domain_flush_devices() function takes the domain->lock. But this function is only called from update_domain() which itself is already called unter the domain->lock. This causes a deadlock situation when the dma-address-space of a domain grows larger than 1GB. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit bfa826f82f1383593e18ad180eb816221627a917 Author: Randy Dunlap Date: Tue Jun 21 20:32:53 2011 -0700 irda: fix smsc-ircc2 section mismatch warning commit f470e5ae34d68880a38aa79ee5c102ebc2a1aef6 upstream. Fix section mismatch warning: WARNING: drivers/net/irda/smsc-ircc2.o(.devinit.text+0x1a7): Section mismatch in reference from the function smsc_ircc_pnp_probe() to the function .init.text:smsc_ircc_open() Signed-off-by: Randy Dunlap Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c0e1afbe36ec6d067638daafe6e7ee30085202b Author: Al Viro Date: Sat Jul 23 02:28:13 2011 -0400 9p: close ACL leaks commit 1ec95bf34d976b38897d1977b155a544d77b05e7 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 8aeae69113b438efadd5b9dda754e60685d8d6c1 Author: Venkateswararao Jujjuri (JV) Date: Wed Jun 29 18:06:33 2011 -0700 net/9p: Fix the msize calculation. commit c9ffb05ca5b5098d6ea468c909dd384d90da7d54 upstream. msize represents the maximum PDU size that includes P9_IOHDRSZ. Signed-off-by: Venkateswararao Jujjuri " Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit 926fa0b4b9cd6537f4750642165647aa20cfeae4 Author: Aneesh Kumar K.V Date: Wed Jul 6 16:32:31 2011 +0530 fs/9p: Always ask new inode in create commit ed80fcfac2565fa866d93ba14f0e75de17a8223e upstream. This make sure we don't end up reusing the unlinked inode object. The ideal way is to use inode i_generation. But i_generation is not available in userspace always. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit 6170eea647404a2e5726ae81cc8ccc45db89812d Author: Prem Karat Date: Fri May 6 18:24:18 2011 +0530 fs/9p: Fix invalid mount options/args commit a2dd43bb0d7b9ce28f8a39254c25840c0730498e upstream. Without this fix, if any invalid mount options/args are passed while mouting the 9p fs, no error (-EINVAL) is returned and default arg value is assigned. This fix returns -EINVAL when an invalid arguement is found while parsing mount options. Signed-off-by: Prem Karat Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit e38b21e76bb89bba3e59da494de586aac23ad430 Author: Aneesh Kumar K.V Date: Mon Jul 11 16:40:59 2011 +0000 fs/9p: When doing inode lookup compare qid details and inode mode bits. commit fd2421f54423f307ecd31bdebdca6bc317e0c492 upstream. This make sure we don't use wrong inode from the inode hash. The inode number of the file deleted is reused by the next file system object created and if we only use inode number for inode hash lookup we could end up with wrong struct inode. Also compare inode generation number. Not all Linux file system provide st_gen in userspace. So it could be 0; Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit a0be78ef93e0656339bf14feddc0e8afb2a86894 Author: Aneesh Kumar K.V Date: Mon Jul 11 16:40:58 2011 +0000 fs/9p: Fid is not valid after a failed clunk. commit 5034990e28efb2d232ee82443a9edd62defd17ba upstream. free the fid even in case of failed clunk. Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit 0beac585155d05699b1f186556d23c240a9e245d Author: jvrao Date: Thu Jun 30 23:18:41 2011 +0000 VirtIO can transfer VIRTQUEUE_NUM of pages. commit 7f781679dd596c8abde8336b4d0d166d6a4aad04 upstream. Signed-off-by: Venkateswararao Jujjuri " Reviewed-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit 8b1aebc0bef2e492a1857a1ea9dfc3ab7408b184 Author: jvrao Date: Thu Jun 30 23:18:39 2011 +0000 Fix the size of receive buffer packing onto VirtIO ring. commit 114e6f3a5ede73d5b56e145f04680c61c3dd67c4 upstream. Signed-off-by: Venkateswararao Jujjuri " Reviewed-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit 7b551b70695eb39e8bfcc29ae9883e66254cb12d Author: Eric Van Hensbergen Date: Wed Jul 13 19:12:18 2011 -0500 net/9p: fix client code to fail more gracefully on protocol error commit b85f7d92d7bd7e3298159e8b1eed8cb8cbbb0348 upstream. There was a BUG_ON to protect against a bad id which could be dealt with more gracefully. Reported-by: Natalie Orlin Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman commit f2685ef0fbc5fff0a8f1cdc204bf37ab0c9a04a7 Author: Florian Mickler Date: Wed Aug 10 07:05:20 2011 -0300 vp7045: fix buffer setup commit fc61ccd35fd59d5362d37c8bf9c0526c85086c84 upstream. dvb_usb_device_init calls the frontend_attach method of this driver which uses vp7045_usb_ob. In order to have a buffer ready in vp7045_usb_op, it has to be allocated before that happens. Luckily we can use the whole private data as the buffer as it gets separately allocated on the heap via kzalloc in dvb_usb_device_init and is thus apt for use via usb_control_msg. This fixes a BUG: unable to handle kernel paging request at 0000000000001e78 reported by Tino Keitel and diagnosed by Dan Carpenter. Tested-by: Tino Keitel Signed-off-by: Florian Mickler Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ac0a6fa16b992606e52d45191fcad3d7ea5b7f11 Author: Jarod Wilson Date: Mon Aug 8 17:20:40 2011 -0300 nuvoton-cir: simplify raw IR sample handling commit de4ed0c111ed078b8729a5cc49c23197740f5bad upstream. The nuvoton-cir driver was storing up consecutive pulse-pulse and space-space samples internally, for no good reason, since ir_raw_event_store_with_filter() already merges back to back like samples types for us. This should also fix a regression introduced late in 3.0 that related to a timeout change, which actually becomes correct when coupled with this change. Tested with RC6 and RC5 on my own nuvoton-cir hardware atop vanilla 3.0.0, after verifying quirky behavior in 3.0 due to the timeout change. Reported-by: Stephan Raue CC: Stephan Raue Signed-off-by: Jarod Wilson Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 71a26cb4e0e056d88903f0df669930d2208d6755 Author: NeilBrown Date: Sat Sep 10 17:21:28 2011 +1000 md: Fix handling for devices from 2TB to 4TB in 0.90 metadata. commit 27a7b260f71439c40546b43588448faac01adb93 upstream. 0.90 metadata uses an unsigned 32bit number to count the number of kilobytes used from each device. This should allow up to 4TB per device. However we multiply this by 2 (to get sectors) before casting to a larger type, so sizes above 2TB get truncated. Also we allow rdev->sectors to be larger than 4TB, so it is possible for the array to be resized larger than the metadata can handle. So make sure rdev->sectors never exceeds 4TB when 0.90 metadata is in used. Also the sanity check at the end of super_90_load should include level 1 as it used ->size too. (RAID0 and Linear don't use ->size at all). Reported-by: Pim Zandbergen Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 97e5a85664252fd3f3f84751c7779c326df9c851 Author: NeilBrown Date: Sat Sep 10 17:20:21 2011 +1000 Avoid dereferencing a 'request_queue' after last close. commit 94007751bb02797ba87bac7aacee2731ac2039a3 upstream. On the last close of an 'md' device which as been stopped, the device is destroyed and in particular the request_queue is freed. The free is done in a separate thread so it might happen a short time later. __blkdev_put calls bdev_inode_switch_bdi *after* ->release has been called. Since commit f758eeabeb96f878c860e8f110f94ec8820822a9 bdev_inode_switch_bdi will dereference the 'old' bdi, which lives inside a request_queue, to get a spin lock. This causes the last close on an md device to sometime take a spin_lock which lives in freed memory - which results in an oops. So move the called to bdev_inode_switch_bdi before the call to ->release. Cc: Christoph Hellwig Cc: Hugh Dickins Cc: Andrew Morton Cc: Wu Fengguang Acked-by: Wu Fengguang Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 045451f9de4d9b7a7a961bf2428b990edf543271 Author: Marcin Slusarz Date: Mon Aug 22 23:14:05 2011 +0200 drm/nouveau: properly handle allocation failure in nouveau_sgdma_populate commit 17c8b960930da3599e47801a54ac0ea1070545d2 upstream. Not cleaning after alloc failure would result in crash on destroy, because nouveau_sgdma_clear assumes "ttm_alloced" to be not null when "pages" is not null. Signed-off-by: Marcin Slusarz Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 766357153d2e17eff9bf45ed66bff015472c1159 Author: Linus Walleij Date: Tue Aug 2 17:48:38 2011 +0200 ARM: davinci: fix cache flush build error commit 897a6a1a14837d6d582bfd1fd7aba00be44b6469 upstream. The TNET variant of DaVinci compiles some code that it shares with other DaVinci variants, however it has a V6 CPU rather than an ARM926T, thus the hardcoded call to arm926_flush_kern_cache_all() in sleep.S will obviously fail, and we need to build with the v6_flush_kern_cache_all() call instead. This was triggered by manually altering the DaVinci config to build the TNET version. Cc: Dave Martin Cc: Arnd Bergmann Signed-off-by: Linus Walleij Signed-off-by: Sekhar Nori Signed-off-by: Greg Kroah-Hartman commit 75a9498b739fc1512e247174e398089d9ca28617 Author: Sudhakar Rajashekhara Date: Tue Jul 12 15:58:53 2011 +0530 ARM: davinci: da850 EVM: read mac address from SPI flash commit 810198bc9c109489dfadc57131c5183ce6ad2d7d upstream. DA850/OMAP-L138 EMAC driver uses random mac address instead of a fixed one because the mac address is not stuffed into EMAC platform data. This patch provides a function which reads the mac address stored in SPI flash (registered as MTD device) and populates the EMAC platform data. The function which reads the mac address is registered as a callback which gets called upon addition of MTD device. NOTE: In case the MAC address stored in SPI flash is erased, follow the instructions at [1] to restore it. [1] http://processors.wiki.ti.com/index.php/GSG:_OMAP-L138_DVEVM_Additional_Procedures#Restoring_MAC_address_on_SPI_Flash Modifications in v2: Guarded registering the mtd_notifier only when MTD is enabled. Earlier this was handled using mtd_has_partitions() call, but this has been removed in Linux v3.0. Modifications in v3: a. Guarded da850_evm_m25p80_notify_add() function and da850evm_spi_notifier structure with CONFIG_MTD macros. b. Renamed da850_evm_register_mtd_user() function to da850_evm_setup_mac_addr() and removed the struct mtd_notifier argument to this function. c. Passed the da850evm_spi_notifier structure to register_mtd_user() function. Modifications in v4: Moved the da850_evm_setup_mac_addr() function within the first CONFIG_MTD ifdef construct. Signed-off-by: Sudhakar Rajashekhara Signed-off-by: Sekhar Nori Signed-off-by: Greg Kroah-Hartman commit 8a19c4e575cae9c1038305b488430eca4642fa22 Author: Linus Walleij Date: Tue Sep 6 08:08:13 2011 +0100 ARM: 7081/1: mach-integrator: fix the clocksource commit bb9ea77846620ed2b37e74c852d72c7a476b248c upstream. I was intrigued by the fact that the clock stood still on the Integrator, but it wasn't strange at all, because the timer was set up all wrong and probably has been for a while. With this patch the clock starts ticking again: make the timer periodic (reload), |= on the divisor bit and load the timer before starting it. Signed-off-by: Linus Walleij Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit a677ecd3c42c0324df53ef8e811907af2c17c218 Author: Guenter Roeck Date: Sun Aug 28 13:01:49 2011 -0700 hwmon: (max16065) Fix current calculation commit ff71c182f461da5ae9d2d65f8a63f5a9193b9be1 upstream. Current calculation is completely wrong. Add missing brackets to fix it. Signed-off-by: Guenter Roeck Acked-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 0b129e1ec4f63447c5467373909fa8e9d15826fd Author: Konrad Rzeszutek Wilk Date: Thu Sep 1 09:48:27 2011 -0400 xen/smp: Warn user why they keel over - nosmp or noapic and what to use instead. commit ed467e69f16e6b480e2face7bc5963834d025f91 upstream. We have hit a couple of customer bugs where they would like to use those parameters to run an UP kernel - but both of those options turn of important sources of interrupt information so we end up not being able to boot. The correct way is to pass in 'dom0_max_vcpus=1' on the Xen hypervisor line and the kernel will patch itself to be a UP kernel. Fixes bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637308 Acked-by: Ian Campbell Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 1f51b5d99ced3fc83ab8367e619320c08eee8a7f Author: Igor Mammedov Date: Thu Sep 1 13:46:55 2011 +0200 xen: x86_32: do not enable iterrupts when returning from exception in interrupt context commit d198d499148a0c64a41b3aba9e7dd43772832b91 upstream. If vmalloc page_fault happens inside of interrupt handler with interrupts disabled then on exit path from exception handler when there is no pending interrupts, the following code (arch/x86/xen/xen-asm_32.S:112): cmpw $0x0001, XEN_vcpu_info_pending(%eax) sete XEN_vcpu_info_mask(%eax) will enable interrupts even if they has been previously disabled according to eflags from the bounce frame (arch/x86/xen/xen-asm_32.S:99) testb $X86_EFLAGS_IF>>8, 8+1+ESP_OFFSET(%esp) setz XEN_vcpu_info_mask(%eax) Solution is in setting XEN_vcpu_info_mask only when it should be set according to cmpw $0x0001, XEN_vcpu_info_pending(%eax) but not clearing it if there isn't any pending events. Reproducer for bug is attached to RHBZ 707552 Signed-off-by: Igor Mammedov Acked-by: Jeremy Fitzhardinge Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 1c72a517f74eec97133923b5f87a9afbc044423d Author: Girish K S Date: Fri Aug 26 14:58:18 2011 +0530 mmc: sdhci-s3c: Fix mmc card I/O problem commit 49bb1e619568ec84785ceb366f07db2a6f0b64cc upstream. This patch fixes the problem in sdhci-s3c host driver for Samsung Soc's. During the card identification stage the mmc core driver enumerates for the best bus width in combination with the highest available data rate. It starts enumerating from the highest bus width (8) to lowest width (1). In case of few MMC cards the 4-bit bus enumeration fails and tries the 1-bit bus enumeration. When switched to 1-bit bus mode the host driver has to clear the previous bus width setting and apply the new setting. The current patch will clear the previous bus mode and apply the new mode setting. Signed-off-by: Girish K S Acked-by: Jaehoon Chung Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 6942511b6b2a4a6b1fb969905c6841bdb7c1083c Author: Mika Westerberg Date: Thu Aug 18 15:23:49 2011 +0300 mmc: core: use non-reentrant workqueue for clock gating commit 50a50f9248497484c678631a9c1a719f1aaeab79 upstream. The default multithread workqueue can cause the same work to be executed concurrently on a different CPUs. This isn't really suitable for clock gating as it might already gated the clock and gating it twice results both host->clk_old and host->ios.clock to be set to 0. To prevent this from happening we use system_nrt_wq instead. Signed-off-by: Mika Westerberg Reviewed-by: Linus Walleij Tested-by: Chris Ball Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 0bd01aeeec0a9ba11adceb71aceed08ed276e3c0 Author: Mika Westerberg Date: Thu Aug 18 15:23:48 2011 +0300 mmc: core: prevent aggressive clock gating racing with ios updates commit 778e277cb82411c9002ca28ccbd216c4d9eb9158 upstream. We have seen at least two different races when clock gating kicks in in a middle of ios structure update. First one happens when ios->clock is changed outside of aggressive clock gating framework, for example via mmc_set_clock(). The race might happen when we run following code: mmc_set_ios(): ... if (ios->clock > 0) mmc_set_ungated(host); Now if gating kicks in right after the condition check we end up setting host->clk_gated to false even though we have just gated the clock. Next time a request is started we try to ungate and restore the clock in mmc_host_clk_hold(). However since we have host->clk_gated set to false the original clock is not restored. This eventually will cause the host controller to hang since its clock is disabled while we are trying to issue a request. For example on Intel Medfield platform we see: [ 13.818610] mmc2: Timeout waiting for hardware interrupt. [ 13.818698] sdhci: =========== REGISTER DUMP (mmc2)=========== [ 13.818753] sdhci: Sys addr: 0x00000000 | Version: 0x00008901 [ 13.818804] sdhci: Blk size: 0x00000000 | Blk cnt: 0x00000000 [ 13.818853] sdhci: Argument: 0x00000000 | Trn mode: 0x00000000 [ 13.818903] sdhci: Present: 0x1fff0000 | Host ctl: 0x00000001 [ 13.818951] sdhci: Power: 0x0000000d | Blk gap: 0x00000000 [ 13.819000] sdhci: Wake-up: 0x00000000 | Clock: 0x00000000 [ 13.819049] sdhci: Timeout: 0x00000000 | Int stat: 0x00000000 [ 13.819098] sdhci: Int enab: 0x00ff00c3 | Sig enab: 0x00ff00c3 [ 13.819147] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.819196] sdhci: Caps: 0x6bee32b2 | Caps_1: 0x00000000 [ 13.819245] sdhci: Cmd: 0x00000000 | Max curr: 0x00000000 [ 13.819292] sdhci: Host ctl2: 0x00000000 [ 13.819331] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x00000000 [ 13.819377] sdhci: =========================================== [ 13.919605] mmc2: Reset 0x2 never completed. and it never recovers. Second race might happen while running mmc_power_off(): static void mmc_power_off(struct mmc_host *host) { host->ios.clock = 0; host->ios.vdd = 0; [ clock gating kicks in here ] /* * Reset ocr mask to be the highest possible voltage supported for * this mmc host. This value will be used at next power up. */ host->ocr = 1 << (fls(host->ocr_avail) - 1); if (!mmc_host_is_spi(host)) { host->ios.bus_mode = MMC_BUSMODE_OPENDRAIN; host->ios.chip_select = MMC_CS_DONTCARE; } host->ios.power_mode = MMC_POWER_OFF; host->ios.bus_width = MMC_BUS_WIDTH_1; host->ios.timing = MMC_TIMING_LEGACY; mmc_set_ios(host); } If the clock gating worker kicks in while we are only partially updated the ios structure the host controller gets incomplete ios and might not work as supposed. Again on Intel Medfield platform we get: [ 4.185349] kernel BUG at drivers/mmc/host/sdhci.c:1155! [ 4.185422] invalid opcode: 0000 [#1] PREEMPT SMP [ 4.185509] Modules linked in: [ 4.185565] [ 4.185608] Pid: 4, comm: kworker/0:0 Not tainted 3.0.0+ #240 Intel Corporation Medfield/iCDKA [ 4.185742] EIP: 0060:[] EFLAGS: 00010083 CPU: 0 [ 4.185827] EIP is at sdhci_set_power+0x3e/0xd0 [ 4.185891] EAX: f5ff98e0 EBX: f5ff98e0 ECX: 00000000 EDX: 00000001 [ 4.185970] ESI: f5ff977c EDI: f5ff9904 EBP: f644fe98 ESP: f644fe94 [ 4.186049] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 [ 4.186125] Process kworker/0:0 (pid: 4, ti=f644e000 task=f644c0e0 task.ti=f644e000) [ 4.186219] Stack: [ 4.186257] f5ff98e0 f644feb0 c1365173 00000282 f5ff9460 f5ff96e0 f5ff96e0 f644feec [ 4.186418] c1355bd8 f644c0e0 c1499c3d f5ff96e0 f644fed4 00000006 f5ff96e0 00000286 [ 4.186579] f644fedc c107922b f644feec 00000286 f5ff9460 f5ff9700 f644ff10 c135839e [ 4.186739] Call Trace: [ 4.186802] [] sdhci_set_ios+0x1c3/0x340 [ 4.186883] [] mmc_gate_clock+0x68/0x120 [ 4.186963] [] ? _raw_spin_unlock_irqrestore+0x4d/0x60 [ 4.187052] [] ? trace_hardirqs_on+0xb/0x10 [ 4.187134] [] mmc_host_clk_gate_delayed+0xbe/0x130 [ 4.187219] [] ? process_one_work+0xf9/0x5b0 [ 4.187300] [] mmc_host_clk_gate_work+0xd/0x10 [ 4.187379] [] process_one_work+0x172/0x5b0 [ 4.187457] [] ? process_one_work+0xf9/0x5b0 [ 4.187538] [] ? mmc_host_clk_gate_delayed+0x130/0x130 [ 4.187625] [] worker_thread+0x118/0x330 [ 4.187700] [] ? preempt_schedule+0x2e/0x50 [ 4.187779] [] ? rescuer_thread+0x1f0/0x1f0 [ 4.187857] [] kthread+0x74/0x80 [ 4.187931] [] ? __init_kthread_worker+0x60/0x60 [ 4.188015] [] kernel_thread_helper+0x6/0xd [ 4.188079] Code: 81 fa 00 00 04 00 0f 84 a7 00 00 00 7f 21 81 fa 80 00 00 00 0f 84 92 00 00 00 81 fa 00 00 0 [ 4.188780] EIP: [] sdhci_set_power+0x3e/0xd0 SS:ESP 0068:f644fe94 [ 4.188898] ---[ end trace a7b23eecc71777e4 ]--- This BUG() comes from the fact that ios.power_mode was still in previous value (MMC_POWER_ON) and ios.vdd was set to zero. We prevent these by inhibiting the clock gating while we update the ios structure. Both problems can be reproduced by simply running the device in a reboot loop. Signed-off-by: Mika Westerberg Reviewed-by: Linus Walleij Tested-by: Chris Ball Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit a24cf48a9c7c0def84c226ad97b9d15efd920f9c Author: Mika Westerberg Date: Thu Aug 18 15:23:47 2011 +0300 mmc: rename mmc_host_clk_{ungate|gate} to mmc_host_clk_{hold|release} commit 08c14071fda4e69abb9d5b1566651cd092b158d3 upstream. As per suggestion by Linus Walleij: > If you think the names of the functions are confusing then > you may rename them, say like this: > > mmc_host_clk_ungate() -> mmc_host_clk_hold() > mmc_host_clk_gate() -> mmc_host_clk_release() > > Which would make the usecases more clear (This is CC'd to stable@ because the next two patches, which fix observable races, depend on it.) Signed-off-by: Mika Westerberg Reviewed-by: Linus Walleij Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 2dd9ce06633ff92cd2b6770c717372ef44693bfd Author: Andrey Vagin Date: Tue Aug 30 12:32:36 2011 +0400 x86, perf: Check that current->mm is alive before getting user callchain commit 20afc60f892d285fde179ead4b24e6a7938c2f1b upstream. An event may occur when an mm is already released. I added an event in dequeue_entity() and caught a panic with the following backtrace: [ 434.421110] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 [ 434.421258] IP: [] __get_user_pages_fast+0x9c/0x120 ... [ 434.421258] Call Trace: [ 434.421258] [] copy_from_user_nmi+0x51/0xf0 [ 434.421258] [] ? sched_clock_local+0x25/0x90 [ 434.421258] [] perf_callchain_user+0x128/0x170 [ 434.421258] [] ? __perf_event_header__init_id+0xed/0x100 [ 434.421258] [] perf_prepare_sample+0x200/0x280 [ 434.421258] [] __perf_event_overflow+0x1b8/0x290 [ 434.421258] [] ? tg_shares_up+0x0/0x670 [ 434.421258] [] ? walk_tg_tree+0x6a/0xb0 [ 434.421258] [] perf_swevent_overflow+0xc4/0xf0 [ 434.421258] [] do_perf_sw_event+0x1e0/0x250 [ 434.421258] [] perf_tp_event+0x44/0x70 [ 434.421258] [] ftrace_profile_sched_block+0xdf/0x110 [ 434.421258] [] dequeue_entity+0x2ad/0x2d0 [ 434.421258] [] dequeue_task_fair+0x1c/0x60 [ 434.421258] [] dequeue_task+0x9a/0xb0 [ 434.421258] [] deactivate_task+0x42/0xe0 [ 434.421258] [] thread_return+0x191/0x808 [ 434.421258] [] ? switch_task_namespaces+0x24/0x60 [ 434.421258] [] do_exit+0x464/0x910 [ 434.421258] [] do_group_exit+0x58/0xd0 [ 434.421258] [] sys_exit_group+0x17/0x20 [ 434.421258] [] system_call_fastpath+0x16/0x1b Signed-off-by: Andrey Vagin Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1314693156-24131-1-git-send-email-avagin@openvz.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 70a4888b98f8fe19323a7a33d8d55be5d22513e8 Author: WANG Cong Date: Thu Aug 18 20:36:57 2011 +0800 sched: Fix a memory leak in __sdt_free() commit feff8fa0075bdfd43c841e9d689ed81adda988d6 upstream. This patch fixes the following memory leak: unreferenced object 0xffff880107266800 (size 512): comm "sched-powersave", pid 3718, jiffies 4323097853 (age 27495.450s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] create_object+0x187/0x28b [] kmemleak_alloc+0x73/0x98 [] __kmalloc_node+0x104/0x159 [] kzalloc_node.clone.97+0x15/0x17 [] build_sched_domains+0xb7/0x7f3 [] partition_sched_domains+0x1db/0x24a [] do_rebuild_sched_domains+0x3b/0x47 [] rebuild_sched_domains+0x10/0x12 [] sched_power_savings_store+0x6c/0x7b [] sched_mc_power_savings_store+0x16/0x18 [] sysdev_class_store+0x20/0x22 [] sysfs_write_file+0x108/0x144 [] vfs_write+0xaf/0x102 [] sys_write+0x4d/0x74 [] system_call_fastpath+0x16/0x1b [] 0xffffffffffffffff Signed-off-by: WANG Cong Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1313671017-4112-1-git-send-email-amwang@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit f4e97b682ac92d2aed3db68f396b022113d9ad30 Author: Thomas Gleixner Date: Wed Jun 22 19:47:01 2011 +0200 sched: Move blk_schedule_flush_plug() out of __schedule() commit 9c40cef2b799f9b5e7fa5de4d2ad3a0168ba118c upstream. There is no real reason to run blk_schedule_flush_plug() with interrupts and preemption disabled. Move it into schedule() and call it when the task is going voluntarily to sleep. There might be false positives when the task is woken between that call and actually scheduling, but that's not really different from being woken immediately after switching away. This fixes a deadlock in the scheduler where the blk_schedule_flush_plug() callchain enables interrupts and thereby allows a wakeup to happen of the task that's going to sleep. Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra Cc: Tejun Heo Cc: Jens Axboe Cc: Linus Torvalds Link: http://lkml.kernel.org/n/tip-dwfxtra7yg1b5r65m32ywtct@git.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit edbb7ce79e62d1028781b58337100108dc41471e Author: Thomas Gleixner Date: Wed Jun 22 19:47:00 2011 +0200 sched: Separate the scheduler entry for preemption commit c259e01a1ec90063042f758e409cd26b2a0963c8 upstream. Block-IO and workqueues call into notifier functions from the scheduler core code with interrupts and preemption disabled. These calls should be made before entering the scheduler core. To simplify this, separate the scheduler core code into __schedule(). __schedule() is directly called from the places which set PREEMPT_ACTIVE and from schedule(). This allows us to add the work checks into schedule(), so they are only called when a task voluntary goes to sleep. Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra Cc: Tejun Heo Cc: Jens Axboe Cc: Linus Torvalds Link: http://lkml.kernel.org/r/20110622174918.813258321@linutronix.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 1ed2053563d4d0bf70864a9df53c7a5dce7724e9 Author: John Stultz Date: Fri Jul 22 09:12:51 2011 +0000 rtc: Fix RTC PIE frequency limit commit 938f97bcf1bdd1b681d5d14d1d7117a2e22d4434 upstream. Thomas earlier submitted a fix to limit the RTC PIE freq, but picked 5000Hz out of the air. Willy noticed that we should instead use the 8192Hz max from the rtc man documentation. Cc: Willy Tarreau Cc: Thomas Gleixner Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit c3a44b4d23f4cb1b3eafb8c2c74d88f452d50a6d Author: John Stultz Date: Wed Aug 10 10:26:09 2011 -0700 alarmtimers: Avoid possible denial of service with high freq periodic timers commit 6af7e471e5a7746b8024d70b4363d3dfe41d36b8 upstream. Its possible to jam up the alarm timers by setting very small interval timers, which will cause the alarmtimer subsystem to spend all of its time firing and restarting timers. This can effectivly lock up a box. A deeper fix is needed, closely mimicking the hrtimer code, but for now just cap the interval to 100us to avoid userland hanging the system. CC: Thomas Gleixner Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 0898dd1603e1dec711217b85329c031b30f81710 Author: John Stultz Date: Thu Aug 4 07:51:56 2011 -0700 alarmtimers: Memset itimerspec passed into alarm_timer_get commit ea7802f630d356acaf66b3c0b28c00a945fc35dc upstream. Following common_timer_get, zero out the itimerspec passed in. CC: Thomas Gleixner Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 26cf1a7ba1a6cc19d48c993bebd3be94c48af74a Author: John Stultz Date: Thu Aug 4 07:25:35 2011 -0700 alarmtimers: Avoid possible null pointer traversal commit 971c90bfa2f0b4fe52d6d9002178d547706f1343 upstream. We don't check if old_setting is non null before assigning it, so correct this. CC: Thomas Gleixner Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 5607cbd164dc1913cc52abba893c0961617eafd2 Author: Troy Kisky Date: Fri Jun 24 10:52:56 2011 -0700 MXC: iomux-v3: correct NO_PAD_CTRL definition commit 425933b30b0ccfac58065bca6c853ea627443cdf upstream. iomux-v3.c uses NO_PAD_CTRL as a 32 bit value so it should not be shifted left by MUX_PAD_CTRL_SHIFT(41) Previously, anything requesting NO_PAD_CTRL would get their pad control register set to 0. Since it is a pad control mask, place it with the other mask values. Signed-off-by: Troy Kisky Acked-by: Lothar Waßmann Tested-by: Lothar Waßmann Signed-off-by: Sascha Hauer Cc: John Ogness Signed-off-by: Greg Kroah-Hartman commit 0dd4154f666ec85b7befd5026342ebb77c6c06f0 Author: Carolyn Wyborny Date: Thu Jul 7 00:24:56 2011 +0000 igb: fix WOL on second port of i350 device commit 6d337dce664b6872ddf1655f6b1fcab76ce35b08 upstream. This patch fixes a problem where WOL would fail on second port of i350 device. Reported-by: Martin Wilck Reported-by: Stefan Assmann Signed-off-by: Carolyn Wyborny Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit 66d52cb7c42a5df2a6aded5f29dba98ac2882064 Author: Mel Gorman Date: Mon Jul 25 17:12:30 2011 -0700 mm: page allocator: reconsider zones for allocation after direct reclaim commit 76d3fbf8fbf6cc78ceb63549e0e0c5bc8a88f838 upstream. With zone_reclaim_mode enabled, it's possible for zones to be considered full in the zonelist_cache so they are skipped in the future. If the process enters direct reclaim, the ZLC may still consider zones to be full even after reclaiming pages. Reconsider all zones for allocation if direct reclaim returns successfully. Signed-off-by: Mel Gorman Cc: Minchan Kim Cc: KOSAKI Motohiro Cc: Christoph Lameter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Stefan Priebe Signed-off-by: Greg Kroah-Hartman commit 42274b5f8129467095e8b907b5bc9536caf30fa8 Author: Mel Gorman Date: Mon Jul 25 17:12:29 2011 -0700 mm: page allocator: initialise ZLC for first zone eligible for zone_reclaim commit cd38b115d5ad79b0100ac6daa103c4fe2c50a913 upstream. There have been a small number of complaints about significant stalls while copying large amounts of data on NUMA machines reported on a distribution bugzilla. In these cases, zone_reclaim was enabled by default due to large NUMA distances. In general, the complaints have not been about the workload itself unless it was a file server (in which case the recommendation was disable zone_reclaim). The stalls are mostly due to significant amounts of time spent scanning the preferred zone for pages to free. After a failure, it might fallback to another node (as zonelists are often node-ordered rather than zone-ordered) but stall quickly again when the next allocation attempt occurs. In bad cases, each page allocated results in a full scan of the preferred zone. Patch 1 checks the preferred zone for recent allocation failure which is particularly important if zone_reclaim has failed recently. This avoids rescanning the zone in the near future and instead falling back to another node. This may hurt node locality in some cases but a failure to zone_reclaim is more expensive than a remote access. Patch 2 clears the zlc information after direct reclaim. Otherwise, zone_reclaim can mark zones full, direct reclaim can reclaim enough pages but the zone is still not considered for allocation. This was tested on a 24-thread 2-node x86_64 machine. The tests were focused on large amounts of IO. All tests were bound to the CPUs on node-0 to avoid disturbances due to processes being scheduled on different nodes. The kernels tested are 3.0-rc6-vanilla Vanilla 3.0-rc6 zlcfirst Patch 1 applied zlcreconsider Patches 1+2 applied FS-Mark ./fs_mark -d /tmp/fsmark-10813 -D 100 -N 5000 -n 208 -L 35 -t 24 -S0 -s 524288 fsmark-3.0-rc6 3.0-rc6 3.0-rc6 vanilla zlcfirs zlcreconsider Files/s min 54.90 ( 0.00%) 49.80 (-10.24%) 49.10 (-11.81%) Files/s mean 100.11 ( 0.00%) 135.17 (25.94%) 146.93 (31.87%) Files/s stddev 57.51 ( 0.00%) 138.97 (58.62%) 158.69 (63.76%) Files/s max 361.10 ( 0.00%) 834.40 (56.72%) 802.40 (55.00%) Overhead min 76704.00 ( 0.00%) 76501.00 ( 0.27%) 77784.00 (-1.39%) Overhead mean 1485356.51 ( 0.00%) 1035797.83 (43.40%) 1594680.26 (-6.86%) Overhead stddev 1848122.53 ( 0.00%) 881489.88 (109.66%) 1772354.90 ( 4.27%) Overhead max 7989060.00 ( 0.00%) 3369118.00 (137.13%) 10135324.00 (-21.18%) MMTests Statistics: duration User/Sys Time Running Test (seconds) 501.49 493.91 499.93 Total Elapsed Time (seconds) 2451.57 2257.48 2215.92 MMTests Statistics: vmstat Page Ins 46268 63840 66008 Page Outs 90821596 90671128 88043732 Swap Ins 0 0 0 Swap Outs 0 0 0 Direct pages scanned 13091697 8966863 8971790 Kswapd pages scanned 0 1830011 1831116 Kswapd pages reclaimed 0 1829068 1829930 Direct pages reclaimed 13037777 8956828 8648314 Kswapd efficiency 100% 99% 99% Kswapd velocity 0.000 810.643 826.346 Direct efficiency 99% 99% 96% Direct velocity 5340.128 3972.068 4048.788 Percentage direct scans 100% 83% 83% Page writes by reclaim 0 3 0 Slabs scanned 796672 720640 720256 Direct inode steals 7422667 7160012 7088638 Kswapd inode steals 0 1736840 2021238 Test completes far faster with a large increase in the number of files created per second. Standard deviation is high as a small number of iterations were much higher than the mean. The number of pages scanned by zone_reclaim is reduced and kswapd is used for more work. LARGE DD 3.0-rc6 3.0-rc6 3.0-rc6 vanilla zlcfirst zlcreconsider download tar 59 ( 0.00%) 59 ( 0.00%) 55 ( 7.27%) dd source files 527 ( 0.00%) 296 (78.04%) 320 (64.69%) delete source 36 ( 0.00%) 19 (89.47%) 20 (80.00%) MMTests Statistics: duration User/Sys Time Running Test (seconds) 125.03 118.98 122.01 Total Elapsed Time (seconds) 624.56 375.02 398.06 MMTests Statistics: vmstat Page Ins 3594216 439368 407032 Page Outs 23380832 23380488 23377444 Swap Ins 0 0 0 Swap Outs 0 436 287 Direct pages scanned 17482342 69315973 82864918 Kswapd pages scanned 0 519123 575425 Kswapd pages reclaimed 0 466501 522487 Direct pages reclaimed 5858054 2732949 2712547 Kswapd efficiency 100% 89% 90% Kswapd velocity 0.000 1384.254 1445.574 Direct efficiency 33% 3% 3% Direct velocity 27991.453 184832.737 208171.929 Percentage direct scans 100% 99% 99% Page writes by reclaim 0 5082 13917 Slabs scanned 17280 29952 35328 Direct inode steals 115257 1431122 332201 Kswapd inode steals 0 0 979532 This test downloads a large tarfile and copies it with dd a number of times - similar to the most recent bug report I've dealt with. Time to completion is reduced. The number of pages scanned directly is still disturbingly high with a low efficiency but this is likely due to the number of dirty pages encountered. The figures could probably be improved with more work around how kswapd is used and how dirty pages are handled but that is separate work and this result is significant on its own. Streaming Mapped Writer MMTests Statistics: duration User/Sys Time Running Test (seconds) 124.47 111.67 112.64 Total Elapsed Time (seconds) 2138.14 1816.30 1867.56 MMTests Statistics: vmstat Page Ins 90760 89124 89516 Page Outs 121028340 120199524 120736696 Swap Ins 0 86 55 Swap Outs 0 0 0 Direct pages scanned 114989363 96461439 96330619 Kswapd pages scanned 56430948 56965763 57075875 Kswapd pages reclaimed 27743219 27752044 27766606 Direct pages reclaimed 49777 46884 36655 Kswapd efficiency 49% 48% 48% Kswapd velocity 26392.541 31363.631 30561.736 Direct efficiency 0% 0% 0% Direct velocity 53780.091 53108.759 51581.004 Percentage direct scans 67% 62% 62% Page writes by reclaim 385 122 1513 Slabs scanned 43008 39040 42112 Direct inode steals 0 10 8 Kswapd inode steals 733 534 477 This test just creates a large file mapping and writes to it linearly. Time to completion is again reduced. The gains are mostly down to two things. In many cases, there is less scanning as zone_reclaim simply gives up faster due to recent failures. The second reason is that memory is used more efficiently. Instead of scanning the preferred zone every time, the allocator falls back to another zone and uses it instead improving overall memory utilisation. This patch: initialise ZLC for first zone eligible for zone_reclaim. The zonelist cache (ZLC) is used among other things to record if zone_reclaim() failed for a particular zone recently. The intention is to avoid a high cost scanning extremely long zonelists or scanning within the zone uselessly. Currently the zonelist cache is setup only after the first zone has been considered and zone_reclaim() has been called. The objective was to avoid a costly setup but zone_reclaim is itself quite expensive. If it is failing regularly such as the first eligible zone having mostly mapped pages, the cost in scanning and allocation stalls is far higher than the ZLC initialisation step. This patch initialises ZLC before the first eligible zone calls zone_reclaim(). Once initialised, it is checked whether the zone failed zone_reclaim recently. If it has, the zone is skipped. As the first zone is now being checked, additional care has to be taken about zones marked full. A zone can be marked "full" because it should not have enough unmapped pages for zone_reclaim but this is excessive as direct reclaim or kswapd may succeed where zone_reclaim fails. Only mark zones "full" after zone_reclaim fails if it failed to reclaim enough pages after scanning. Signed-off-by: Mel Gorman Cc: Minchan Kim Cc: KOSAKI Motohiro Cc: Christoph Lameter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Stefan Priebe Signed-off-by: Greg Kroah-Hartman commit 10927d967aa3e7031b0a573be8f002af607e6227 Author: Alex Deucher Date: Thu Sep 1 17:46:15 2011 +0000 drm/radeon/kms: make sure pci max read request size is valid on evergreen+ (v2) commit d054ac16eeb658bccadb06b12c39cee22243b10f upstream. If the bios or OS sets the pci max read request size to 0 or an invalid value (6,7), it can result in a hang or slowdown. Check and set it to something sane if it's invalid. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=42162 v2: use pci reg defines from include/linux/pci_regs.h Signed-off-by: Alex Deucher Reviewed-by: Michel Dänzer Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 34b64435133e6feea81571344077738cfd4f7ede Author: Dave Airlie Date: Tue Aug 30 20:22:04 2011 +0100 drm/radeon/kms: set a default max_pixel_clock commit 9adceaa5b3d2480e2252c4a7f9c4bd7d66b8c4a2 upstream. On some Power rv100 cards, we have no ATY OF table, but we have no combios table either, and hence we refuse all modes on VGA-0 since we end up with a 0 max pixel clock. Signed-off-by: Dave Airlie Reviewed-by: Alex Deucher Reviewed-by: Jerome Glisse Signed-off-by: Greg Kroah-Hartman commit c122ead30dcdb8712ba3d49d478ae66ac33dfb7b Author: NeilBrown Date: Thu Aug 25 14:43:53 2011 +1000 md/linear: avoid corrupting structure while waiting for rcu_free to complete. commit 1b6afa17581027218088a18a9ceda600e0ddba7a upstream. I don't know what I was thinking putting 'rcu' after a dynamically sized array! The array could still be in use when we call rcu_free() (That is the point) so we mustn't corrupt it. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 0dbf5d84ecfa51949a4543da9b215ad36e3ac63f Author: Srinivas Kandagatla Date: Mon Aug 15 10:43:44 2011 +0100 ARM: 7014/1: cache-l2x0: Fix L2 Cache size calculation. commit 43c734be5571a4daad9f0a3e0b3229a1c0049917 upstream. This patch fixes L2 Cache size calculations for L2C-210, L2C-310 and PL310, by changing the L2X0_AUX_CTRL_WAY_SIZE_MASK from 2 bits to 3 bits. The Auxiliary Control Register for L2C-210, L2C-310 and PL310 has 3bits [19:17] for Way size, however the existing code only uses 2 bits to get this value. This results in incorrect cachesize calculations. It also results in performing operations on the whole cache when we erroneously decide that the range is big enough (due to l2x0_size being too small) and also prints incorrect cachesize. Signed-off-by: Srinivas Kandagatla Acked-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 5297aef4dd2d5b7f17fe515a0a455bf969bb19a9 Author: Jerome Glisse Date: Wed Aug 24 20:00:17 2011 +0000 drm/radeon/kms: evergreen & ni reset SPI block on CP resume commit a49a50dad48586d42ebac1a6730c3a3cd5603421 upstream. For some reason SPI block is in broken state after module unloading. This lead to broken rendering after reloading module. Fix this by reseting SPI block in CP resume function Signed-off-by: Jerome Glisse Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 795464a57a2a7c342ccdc0939647d45dabd24668 Author: Alex Deucher Date: Mon Aug 29 14:55:25 2011 +0000 drm/radeon/kms: add s/r quirk for Compaq Presario V5245EU commit 302a8e8b06d312dcb3b718dfeb42aa912b5f426b upstream. Fixes resume on Compaq Presario V5245EU. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=41642 Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f7ae5caa73f0f1b226da2dae7403e7d12d58db26 Author: David S. Miller Date: Mon Aug 29 21:14:29 2011 -0700 sparc64: Only Panther cheetah+ chips have POPC. commit 1a8e0da5937a6c87807083baa318cf8f98dac9aa upstream. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 94dea7201a65816b802d8c8b8b0877590fd67d7e Author: Axel Lin Date: Sun Jul 10 21:44:09 2011 +0800 regulator: tps65910: Add missing breaks in switch/case commit d04156bca629740a661fd0738cd69ba1f08b2b20 upstream. Also add a default case in tps65910_list_voltage_dcdc to silence 'volt' may be used uninitialized in this function warning. Signed-off-by: Axel Lin Acked-by: Mark Brown Signed-off-by: Liam Girdwood Cc: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 8d537b9f6c2bef25dd3ef257be686ebb91629dd6 Author: Kjetil Oftedal Date: Mon Aug 29 00:16:28 2011 +0200 sparc32,sun4d: Change IPI IRQ level to prevent collision between IPI and timer interrupt commit 38f7f8f05e8239e9871f7e1c4b0a842080e85315 upstream. On Sun4d systems running in SMP mode, IRQ 14 is used for timer interrupts and has a specialized interrupt handler. IPI is currently set to use IRQ 14 as well, which causes it to trigger the timer interrupt handler, and not the IPI interrupt handler. The IPI interrupt is therefore changed to IRQ 13, which is the highest normally handled interrupt. This IRQ is also used for SBUS interrupts, however there is nothing in the IPI/SBUS interrupt handlers that indicate that they will not handle sharing the interrupt. (IRQ 13 is indicated as audio interrupt, which is unlikely to be found in a sun4d system) Signed-off-by: Kjetil Oftedal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d91d1ddeab465c3bd1a5bb503be6bc2414b451a9 Author: Ian Campbell Date: Wed Aug 17 22:14:57 2011 +0000 sparc: fix array bounds error setting up PCIC NMI trap commit 4a0342ca8e8150bd47e7118a76e300692a1b6b7b upstream. CC arch/sparc/kernel/pcic.o arch/sparc/kernel/pcic.c: In function 'pcic_probe': arch/sparc/kernel/pcic.c:359:33: error: array subscript is above array bounds [-Werror=array-bounds] arch/sparc/kernel/pcic.c:359:8: error: array subscript is above array bounds [-Werror=array-bounds] arch/sparc/kernel/pcic.c:360:33: error: array subscript is above array bounds [-Werror=array-bounds] arch/sparc/kernel/pcic.c:360:8: error: array subscript is above array bounds [-Werror=array-bounds] arch/sparc/kernel/pcic.c:361:33: error: array subscript is above array bounds [-Werror=array-bounds] arch/sparc/kernel/pcic.c:361:8: error: array subscript is above array bounds [-Werror=array-bounds] cc1: all warnings being treated as errors I'm not particularly familiar with sparc but t_nmi (defined in head_32.S via the TRAP_ENTRY macro) and pcic_nmi_trap_patch (defined in entry.S) both appear to be 4 instructions long and I presume from the usage that instructions are int sized. Signed-off-by: Ian Campbell Cc: "David S. Miller" Cc: sparclinux@vger.kernel.org Reviewed-by: Sam Ravnborg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 69c4ec5d70afef6f947c761c40f0b1dc169176b7 Author: David S. Miller Date: Mon Aug 15 14:45:17 2011 -0700 sparc64: Set HAVE_C_RECORDMCOUNT [ Upstream commit 178a29600340bef5b13cd4157053679debe35351 ] Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a9d0a36343633a3972c8872ffe8020ba12392629 Author: David S. Miller Date: Sat Aug 20 17:14:54 2011 -0700 sparc: Allow handling signals when stack is corrupted. commit 5598473a5b40c47a8c5349dd2c2630797169cf1a upstream. If we can't push the pending register windows onto the user's stack, we disallow signal delivery even if the signal would be delivered on a valid seperate signal stack. Add a register window save area in the signal frame, and store any unsavable windows there. On sigreturn, if any windows are still queued up in the signal frame, try to push them back onto the stack and if that fails we kill the process immediately. This allows the debug/tst-longjmp_chk2 glibc test case to pass. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7fe1e169829030a8257be59636f82c45753ca941 Author: Mikael Pettersson Date: Mon Aug 15 10:11:50 2011 +0000 sparc32: unbreak arch_write_unlock() commit 3f6aa0b113846a8628baa649af422cfc6fb1d786 upstream. The sparc32 version of arch_write_unlock() is just a plain assignment. Unfortunately this allows the compiler to schedule side-effects in a protected region to occur after the HW-level unlock, which is broken. E.g., the following trivial test case gets miscompiled: #include rwlock_t lock; int counter; void foo(void) { write_lock(&lock); ++counter; write_unlock(&lock); } Fixed by adding a compiler memory barrier to arch_write_unlock(). The sparc64 version combines the barrier and assignment into a single asm(), and implements the operation as a static inline, so that's what I did too. Compile-tested with sparc32_defconfig + CONFIG_SMP=y. Signed-off-by: Mikael Pettersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b60c440fff5c9e6dd8d328617b79b7fd57aed9b1 Author: Mikael Pettersson Date: Mon Aug 15 10:10:31 2011 +0000 sparc64: remove unnecessary macros from spinlock_64.h commit a0fba3eb059e73fed2d376a901f8117734c12f1f upstream. The sparc64 spinlock_64.h contains a number of operations defined first as static inline functions, and then as macros with the same names and parameters as the functions. Maybe this was needed at some point in the past, but now nothing seems to depend on these macros (checked with a recursive grep looking for ifdefs on these names). Other archs don't define these identity-macros. So this patch deletes these unnecessary macros. Compile-tested with sparc64_defconfig. Signed-off-by: Mikael Pettersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d6b0fa557a435a3073da6298a88cd3f273fd8f5f Author: Stanislaw Gruszka Date: Thu Aug 25 17:14:26 2011 +0200 rt2x00: fix crash in rt2800usb_get_txwi commit 674db1344443204b6ce3293f2df8fd1b7665deea upstream. Patch should fix this oops: BUG: unable to handle kernel NULL pointer dereference at 000000a0 IP: [] rt2800usb_get_txwi+0x19/0x70 [rt2800usb] *pdpt = 0000000000000000 *pde = f000ff53f000ff53 Oops: 0000 [#1] SMP Pid: 198, comm: kworker/u:3 Tainted: G W 3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO EIP: 0060:[] EFLAGS: 00010283 CPU: 1 EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb] EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8 ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000) Call Trace: [] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib] [] ? warn_slowpath_common+0x7d/0xa0 [] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb] [] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb] [] rt2800usb_work_txdone+0x263/0x360 [rt2800usb] [] process_one_work+0x186/0x440 [] ? process_one_work+0x10a/0x440 [] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb] [] worker_thread+0x133/0x310 [] ? trace_hardirqs_on+0xb/0x10 [] ? manage_workers+0x1e0/0x1e0 [] kthread+0x7c/0x90 [] ? __init_kthread_worker+0x60/0x60 [] kernel_thread_helper+0x6/0x1 Oops might happen because we check rt2x00queue_empty(queue) twice, but this condition can change and we can process entry in rt2800_txdone_entry(), which was already processed by rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and has nullify entry->skb . Reported-by: Justin Piszcz Signed-off-by: Stanislaw Gruszka Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 341b1e997ffed81ea6f1a31caf13ebdd4cbc9d69 Author: Stanislaw Gruszka Date: Thu Aug 25 17:14:24 2011 +0200 rt2x00: fix crash in rt2800usb_write_tx_desc commit 4b1bfb7d2d125af6653d6c2305356b2677f79dc6 upstream. Patch should fix this oops: BUG: unable to handle kernel NULL pointer dereference at 000000a0 IP: [] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb] *pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000 Oops: 0000 [#1] SMP EIP: 0060:[] EFLAGS: 00010282 CPU: 0 EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb] EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0 ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Call Trace: [] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib] [] rt2x00mac_tx+0x7c/0x370 [rt2x00lib] [] ? mark_held_locks+0x62/0x90 [] ? _raw_spin_unlock_irqrestore+0x35/0x60 [] ? trace_hardirqs_on_caller+0x5a/0x170 [] ? trace_hardirqs_on+0xb/0x10 [] __ieee80211_tx+0x5c/0x1e0 [mac80211] [] ieee80211_tx+0xbc/0xe0 [mac80211] [] ? ieee80211_tx+0x23/0xe0 [mac80211] [] ieee80211_xmit+0xc1/0x200 [mac80211] [] ? ieee80211_tx+0xe0/0xe0 [mac80211] [] ? lock_release_holdtime+0x35/0x1b0 [] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211] [] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211] [] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211] [] ? sock_setsockopt+0x6a8/0x6f0 [] ? sock_setsockopt+0x520/0x6f0 [] dev_hard_start_xmit+0x2ef/0x650 Oops might happen because we perform parallel putting new entries in a queue (rt2x00queue_write_tx_frame()) and removing entries after finishing transmitting (rt2800usb_work_txdone()). There are cases when _txdone may process an entry that was not fully send and nullify entry->skb . To fix check in _txdone if entry has flags that indicate pending transmission and wait until flags get cleared. Reported-by: Justin Piszcz Signed-off-by: Stanislaw Gruszka Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit bdfd59ed66725e66155f011023771bdc15b69c7f Author: Daniel Schwierzeck Date: Fri Aug 19 12:04:20 2011 +0000 atm: br2684: Fix oops due to skb->dev being NULL commit fbe5e29ec1886967255e76946aaf537b8cc9b81e upstream. This oops have been already fixed with commit 27141666b69f535a4d63d7bc6d9e84ee5032f82a atm: [br2684] Fix oops due to skb->dev being NULL It happens that if a packet arrives in a VC between the call to open it on the hardware and the call to change the backend to br2684, br2684_regvcc processes the packet and oopses dereferencing skb->dev because it is NULL before the call to br2684_push(). but have been introduced again with commit b6211ae7f2e56837c6a4849316396d1535606e90 atm: Use SKB queue and list helpers instead of doing it by-hand. Signed-off-by: Daniel Schwierzeck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e4dd9ac202da43712e1725087a7f5c656b79fb51 Author: Tejun Heo Date: Thu Aug 4 11:15:07 2011 +0200 pata_via: disable ATAPI DMA on AVERATEC 3200 commit 6d0e194d2eefcaab6dbdca1f639748660144acb5 upstream. On AVERATEC 3200, pata_via causes memory corruption with ATAPI DMA, which often leads to random kernel oops. The cause of the problem is not well understood yet and only small subset of machines using the controller seem affected. Blacklist ATAPI DMA on the machine. Signed-off-by: Tejun Heo Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=11426 Reported-and-tested-by: Jim Bray Cc: Alan Cox Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 088412ec9929d1a1aa58e30aba1304a0fee68c98 Author: John Stanley Date: Wed Aug 3 20:41:00 2011 -0400 savagedb: Fix typo causing regression in savage4 series video chip detection commit 4b00e4b3940eabb38adeec0823751820fe2d6fda upstream. Two additional savage4 variants were added, but the S3_SAVAGE4_SERIES macro was incompletely modified, resulting in a false positive detection of a savage4 card regardless of which savage card is actually present. For non-savage4 series cards, such as a Savage/IX-MV card, this results in garbled video and/or a hard-hang at boot time. Fix this by changing an '||' to an '&&' in the S3_SAVAGE4_SERIES macro. Signed-off-by: John P. Stanley Reviewed-by: Tormod Volden [ The macros have incomplete parenthesis too, but whatever .. -Linus ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dea592062aeaa1269cfc6f1b23a15bb03a65b6df Author: Stanislaw Gruszka Date: Fri Aug 12 14:02:04 2011 +0200 rt2x00: do not drop usb dev reference counter on suspend commit 543cc38c8fe86deba4169977c61eb88491036837 upstream. When hibernating ->resume may not be called by usb core, but disconnect and probe instead, so we do not increase the counter after decreasing it in ->supend. As a result we free memory early, and get crash when unplugging usb dongle. BUG: unable to handle kernel paging request at 6b6b6b9f IP: [] driver_sysfs_remove+0x10/0x30 *pdpt = 0000000034f21001 *pde = 0000000000000000 Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO EIP: 0060:[] EFLAGS: 00010202 CPU: 1 EIP is at driver_sysfs_remove+0x10/0x30 EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000) Call Trace: [] __device_release_driver+0x1f/0xa0 [] device_release_driver+0x20/0x40 [] bus_remove_device+0x84/0xe0 [] ? device_remove_attrs+0x2a/0x80 [] device_del+0xe7/0x170 [] usb_disconnect+0xd4/0x180 [] hub_thread+0x691/0x1600 [] ? wake_up_bit+0x30/0x30 [] ? complete+0x49/0x60 [] ? hub_disconnect+0xd0/0xd0 [] ? hub_disconnect+0xd0/0xd0 [] kthread+0x74/0x80 [] ? kthread_worker_fn+0x150/0x150 [] kernel_thread_helper+0x6/0x10 Signed-off-by: Stanislaw Gruszka Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6417bec17ed125eecd1bd3989c2c97e8d31d7dfd Author: Senthil Balasubramanian Date: Fri Aug 19 18:43:06 2011 +0530 ath9k_hw: Fix STA (AR9485) bringup issue due to incorrect MAC address commit b503c7a273c0a3018ad11ea8c513c639120afbf4 upstream. Due to some recent optimization done in the way the mac address bytes are written into the OTP memory, some AR9485 chipsets were forced to use the first byte from the eeprom template and the remaining bytes are read from OTP. AR9485 happens to use generic eeprom template which has 0x1 as the first byte causes issues in bringing up the card. So fixed the eeprom template accordingly to address the issue. Cc: Paul Stewart Signed-off-by: Senthil Balasubramanian Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 8a9f335df5baa97f3901378335ff10f3fecf36de Author: Alexey Khoroshilov Date: Wed Aug 24 00:44:32 2011 +0400 carl9170: Fix mismatch in carl9170_op_set_key mutex lock-unlock commit 66cb54bd24086b2d871a03035de9b0e79b2b725e upstream. If is_main_vif(ar, vif) reports that we have to fall back to software encryption, we goto err_softw; before locking ar->mutex. As a result, we have unprotected call to carl9170_set_operating_mode and unmatched mutex_unlock. The patch fix the issue by adding mutex_lock before goto. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Acked-By: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0b1511be7b2d36524e45a2fd70d92a2975ef0b6f Author: Anton Blanchard Date: Wed Aug 24 17:56:15 2011 -0700 ibmveth: Fix leak when recycling skb and hypervisor returns error commit c6f59d13e24187ff95427a9f4a5a7e14fb8faf5a upstream. If h_add_logical_lan_buffer returns an error we need to free the skb. Signed-off-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ec518b00f722f9655c1505bbcab25240629cc2af Author: Mohammed Shafi Shajakhan Date: Wed Aug 24 21:38:07 2011 +0530 ath9k: Fix PS wrappers in ath9k_set_coverage_class commit 8b2a3827bb12430d932cd479b22d906baf08c212 upstream. this callback is called during suspend/resume and also via iw command. it configures parameters like sifs, slottime, acktimeout in ath9k_hw_init_global_settings where few REG_READ, REG_RMW are also done and hence the need for PS wrappers Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5772ee1f183ddfb9386bc7792149d731dbba8725 Author: Mathieu Desnoyers Date: Wed Aug 24 19:45:03 2011 -0700 sendmmsg/sendmsg: fix unsafe user pointer access commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream. Dereferencing a user pointer directly from kernel-space without going through the copy_from_user family of functions is a bad idea. Two of such usages can be found in the sendmsg code path called from sendmmsg, added by commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream. commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree. Usages are performed through memcmp() and memcpy() directly. Fix those by using the already copied msg_sys structure instead of the __user *msg structure. Note that msg_sys can be set to NULL by verify_compat_iovec() or verify_iovec(), which requires additional NULL pointer checks. Signed-off-by: Mathieu Desnoyers Signed-off-by: David Goulet CC: Tetsuo Handa CC: Anton Blanchard CC: David S. Miller Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f1d44226b60a7b28f949105e675ba84a09bcc9a7 Author: Sarah Sharp Date: Fri Aug 12 10:23:01 2011 -0700 xhci: Handle zero-length isochronous packets. commit 48df4a6fd8c40c0bbcbca2044f5f2bc75dcf6db1 upstream. For a long time, the xHCI driver has had this note: /* FIXME: Ignoring zero-length packets, can those happen? */ It turns out that, yes, there are drivers that need to queue zero-length transfers for isochronous OUT transfers. Without this patch, users will see kernel hang messages when a driver attempts to enqueue an isochronous URB with a zero length transfer (because count_isoc_trbs_needed will return zero for that TD, xhci_td->last_trb will never be set, and updating the dequeue pointer will cause an infinite loop). Matěj ran into this issue when using an NI Audio4DJ USB soundcard with the snd-usb-caiaq driver. See https://bugzilla.kernel.org/show_bug.cgi?id=40702 Fix count_isoc_trbs_needed() to return 1 for zero-length transfers (thanks Alan on the math help). Update the various TRB field calculations to deal with zero-length transfers. We're still transferring one packet with a zero-length data payload, so the total_packet_count should be 1. The Transfer Burst Count (TBC) and Transfer Last Burst Packet Count (TLBPC) fields should be set to zero. This patch should be backported to kernels as old as 2.6.36. Signed-off-by: Sarah Sharp Tested-by: Matěj Laitl Cc: Daniel Mack Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 4343d2a21eeab544544646fed30252c184b358a9 Author: Sarah Sharp Date: Tue Aug 2 15:43:40 2011 -0700 xhci: Remove TDs from TD lists when URBs are canceled. commit 585df1d90cb07a02ca6c7a7d339e56e46d50dafb upstream. When a driver tries to cancel an URB, and the host controller is dying, xhci_urb_dequeue will giveback the URB without removing the xhci_tds that comprise that URB from the td_list or the cancelled_td_list. This can cause a race condition between the driver calling URB dequeue and the stop endpoint command watchdog timer. If the timer fires on a dying host, and a driver attempts to resubmit while the watchdog timer has dropped the xhci->lock to giveback a cancelled URB, URBs may be given back by the xhci_urb_dequeue() function. At that point, the URB's priv pointer will be freed and set to NULL, but the TDs will remain on the td_list. This will cause an oops in xhci_giveback_urb_in_irq() when the watchdog timer attempts to loop through the endpoints' td_lists, giving back killed URBs. Make sure that xhci_urb_dequeue() removes TDs from the TD lists and canceled TD lists before it gives back the URB. This patch should be backported to kernels as old as 2.6.36. Signed-off-by: Sarah Sharp Cc: Andiry Xu Signed-off-by: Greg Kroah-Hartman commit 8a8045bd9b07df6def0ae16b91ecbe8225267b35 Author: Sarah Sharp Date: Fri Jul 29 12:44:32 2011 -0700 xhci: Fix failed enqueue in the middle of isoch TD. commit 522989a27c7badb608155b1f1dea3487ed431f74 upstream. When an isochronous transfer is enqueued, xhci_queue_isoc_tx_prepare() will ensure that there is enough room on the transfer rings for all of the isochronous TDs for that URB. However, when xhci_queue_isoc_tx() is enqueueing individual isoc TDs, the prepare_transfer() function can fail if the endpoint state has changed to disabled, error, or some other unknown state. With the current code, if Nth TD (not the first TD) fails, the ring is left in a sorry state. The partially enqueued TDs are left on the ring, and the first TRB of the TD is not given back to the hardware. The enqueue pointer is left on the TRB after the last successfully enqueued TD. This means the ring is basically useless. Any new transfers will be enqueued after the failed TDs, which the hardware will never read because the cycle bit indicates it does not own them. The ring will fill up with untransferred TDs, and the endpoint will be basically unusable. The untransferred TDs will also remain on the TD list. Since the td_list is a FIFO, this basically means the ring handler will be waiting on TDs that will never be completed (or worse, dereference memory that doesn't exist any more). Change the code to clean up the isochronous ring after a failed transfer. If the first TD failed, simply return and allow the xhci_urb_enqueue function to free the urb_priv. If the Nth TD failed, first remove the TDs from the td_list. Then convert the TRBs that were enqueued into No-op TRBs. Make sure to flip the cycle bit on all enqueued TRBs (including any link TRBs in the middle or between TDs), but leave the cycle bit of the first TRB (which will show software-owned) intact. Then move the ring enqueue pointer back to the first TRB and make sure to change the xhci_ring's cycle state to what is appropriate for that ring segment. This ensures that the No-op TRBs will be overwritten by subsequent TDs, and the hardware will not start executing random TRBs because the cycle bit was left as hardware-owned. This bug is unlikely to be hit, but it was something I noticed while tracking down the watchdog timer issue. I verified that the fix works by injecting some errors on the 250th isochronous URB queued, although I could not verify that the ring is in the correct state because uvcvideo refused to talk to the device after the first usb_submit_urb() failed. Ring debugging shows that the ring looks correct, however. This patch should be backported to kernels as old as 2.6.36. Signed-off-by: Sarah Sharp Cc: Andiry Xu Signed-off-by: Greg Kroah-Hartman commit e0a4518977b9b4f65b8d5e71415d97b84c4f7efe Author: Sarah Sharp Date: Fri Jul 22 14:34:34 2011 -0700 xhci: Fix memory leak during failed enqueue. commit d13565c12828ce0cd2a3862bf6260164a0653352 upstream. When the isochronous transfer support was introduced, and the xHCI driver switched to using urb->hcpriv to store an "urb_priv" pointer, a couple of memory leaks were introduced into the URB enqueue function in its error handling paths. xhci_urb_enqueue allocates urb_priv, but it doesn't free it if changing the control endpoint's max packet size fails or the bulk endpoint is in the middle of allocating or deallocating streams. xhci_urb_enqueue also doesn't free urb_priv if any of the four endpoint types' enqueue functions fail. Instead, it expects those functions to free urb_priv if an error occurs. However, the bulk, control, and interrupt enqueue functions do not free urb_priv if the endpoint ring is NULL. It will, however, get freed if prepare_transfer() fails in those enqueue functions. Several of the error paths in the isochronous endpoint enqueue function also fail to free it. xhci_queue_isoc_tx_prepare() doesn't free urb_priv if prepare_ring() indicates there is not enough room for all the isochronous TDs in this URB. If individual isochronous TDs fail to be queued (perhaps due to an endpoint state change), urb_priv is also leaked. This argues that the freeing of urb_priv should be done in the function that allocated it, xhci_urb_enqueue. This patch looks rather ugly, but refactoring the code will have to wait because this patch needs to be backported to stable kernels. This patch should be backported to kernels as old as 2.6.36. Signed-off-by: Sarah Sharp Cc: Andiry Xu Signed-off-by: Greg Kroah-Hartman commit dbb2e00b9a1774d1e740d952e2e9e87a178866bd Author: Andiry Xu Date: Wed Aug 3 16:46:49 2011 +0800 xHCI: report USB2 port in resuming as suspend commit 8a8ff2f9399b23b968901f585ccb5a70a537c5ae upstream. When a USB2 port initiate a remote wakeup, software shall ensure that resume is signaled for at least 20ms, and then write '0' to the PLS field. According to this, xhci driver do the following things: 1. When receive a remote wakeup event in irq_handler, set the resume_done value as jiffies + 20ms, and modify rh_timer to poll root hub status at that time; 2. When receive a GetPortStatus request, if the jiffies is after the resume_done value, clear the resume signal and resume_done. However, if usb_port_resume() is called before the rh_timer triggered, it will indicate the port as Suspend Cleared and skip the clear resume signal part. The device will fail the usb_get_status request in finish_port_resume(), and usbcore will try a reset-resume instead. Device will work OK after reset-resume, but resume_done value is not cleared in this case, and xhci_bus_suspend() will fail because when it finds a non-zero resume_done value, it will regard the port as resuming and return -EBUSY. This causes issue on some platforms that the system fail to suspend after remote wakeup from suspend by USB2 devices connected to xHCI port. To fix this issue, report the port status as suspend if the resume is signaling less that 20ms, and usb_port_resume() will wait 25ms and check port status again, so xHCI driver can clear the resume signaling and resume_done value. This should be backported to kernels as old as 2.6.37. Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit eff529629832537fbd6837912add0c4a8cb7d585 Author: Andiry Xu Date: Wed Aug 3 16:46:48 2011 +0800 xHCI: fix port U3 status check condition commit 5ac04bf190e6f8b17238aef179ebd7f2bdfec919 upstream. Fix the port U3 status check when Clear PORT_SUSPEND Feature. The port status should be masked with PORT_PLS_MASK to check if it's in U3 state. This should be backported to kernels as old as 2.6.37. Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit cde5eaf3ce98af402a91fa67ba392f6451f5bc89 Author: Wang Zhi Date: Wed Aug 17 10:39:31 2011 +0800 USB: EHCI: Do not rely on PORT_SUSPEND to stop USB resuming in ehci_bus_resume(). commit d0f2fb2500b1c5fe4967eb45d8c9bc758d7aef80 upstream. From EHCI Spec p.28 HC should clear PORT_SUSPEND when SW clears PORT_RESUME. In Intel Oaktrail platform, MPH (Multi-Port Host Controller) core clears PORT_SUSPEND directly when SW sets PORT_RESUME bit. If we rely on PORT_SUSPEND bit to stop USB resume, we will miss the action of clearing PORT_RESUME. This will cause unexpected long resume signal on USB bus. Signed-off-by: Wang Zhi Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit f91364f8bd8bd8427bc020734724d62618e4bb97 Author: Per Forlin Date: Wed Aug 3 15:39:15 2011 +0200 usb: musb: cppi: fix build errors due to DBG and missing musb variable commit f847a79ab3c1faca3022061045cd22e4678c1b1c upstream. Replace DBG with dev_dbg and fix invalid access of musb->controller. With this patch cppi_dma builds successfully. Signed-off-by: Per Forlin Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 6ab711f962ab092c2a6b6a5b822075b246a8119e Author: Andrew Bird Date: Wed Aug 17 00:20:03 2011 +0100 USB option driver K3765/K4505 avoid CDC_DATA interface commit 6118514e8749105334f46ccec6faf9a439be6cf9 upstream. Currently the Option driver avoids binding interface 1 on Huawei K3765 and K4505 broadband modems as it should be handled by the cdc_ether driver instead. This patch ensures we don't bind the interface 2 on those devices as that is CDC_DATA. Signed-off-by: Andrew Bird Signed-off-by: Greg Kroah-Hartman commit 42dc061e21788aa7805bc4f07dcdfa5f4b8f2b11 Author: Gavin.zhu Date: Mon Aug 22 13:51:53 2011 -0700 USB: option: add YUGA device id to driver commit c6eb2d75ffcdfafa37ff010bf467de20d468ef79 upstream. Signed-off-by: Gavin.zhu Signed-off-by: Greg Kroah-Hartman commit f5cda959f6623eaf2863e72b6003fbd0dee0c17a Author: Andrew Bird Date: Tue Aug 16 13:58:21 2011 -0600 USB option driver add PID of Huawei Vodafone K4605 commit 7e1805844da18a37e6d251d286f93c94b52d791e upstream. This patch adds the product ID of Huawei's Vodafone K4605 mobile broadband modem to option.c. This is necessary so that the driver gets loaded on demand without the intervention of usb_modeswitch. This has the benefit of it becoming available faster and also ensures that the option driver is not bound to a network interface that should be claimed by suitable network driver. Signed-off-by: Andrew Bird Signed-off-by: Alex Chiang Signed-off-by: Greg Kroah-Hartman commit 04aac01839a83e2464e2a9bffc199945d1ee2ffb Author: Andrew Bird Date: Tue Aug 16 13:57:14 2011 -0600 USB option driver add PID of Huawei Vodafone K3806 commit 0e69d75ccb2f091757b38d4d6a2ed739e06b615e upstream. This patch adds the product ID of Huawei's Vodafone K3806 mobile broadband modem to option.c. This is necessary so that the driver gets loaded on demand without the intervention of usb_modeswitch. This has the benefit of it becoming available faster and also ensures that the option driver is not bound to a network interface that should be claimed by cdc_ether. Signed-off-by: Andrew Bird Signed-off-by: Alex Chiang Signed-off-by: Greg Kroah-Hartman commit b942664bf67f1f0ce021b327bd37785835e5e6b6 Author: Yulgon Kim Date: Thu Aug 18 14:02:45 2011 +0900 usb: s5p-ehci: fix a NULL pointer deference commit e5d3d4463fb30998385f9e78ab3c7f63b5813000 upstream. This patch fixes a NULL pointer deference. A NULL pointer dereference happens since s5p_ehci->hcd field is not initialized yet in probe function. [jg1.han@samsung.com: edit commit message] Signed-off-by: Yulgon Kim Signed-off-by: Jingoo Han Signed-off-by: Greg Kroah-Hartman commit 400e39dcf58c2d002fa0440a589630f3abe08bae Author: Jean-Christophe PLAGNIOL-VILLARD Date: Thu Aug 25 11:46:58 2011 +0200 USB: ftdi_sio: add Calao reference board support commit c96fbdd0ab97235f930ebf24b38fa42a2e3458cf upstream. Calao use on there dev kits a FT2232 where the port 0 is used for the JTAG and port 1 for the UART They use the same VID and PID as FTDI Chip but they program the manufacturer name in the eeprom So use this information to detect it Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD Cc: Gregory Hermant Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit a38df1a01320298198c7cb2e3e8a61fc54459d6a Author: Jiri Slaby Date: Wed Aug 10 14:59:28 2011 +0200 TTY: pty, fix pty counting commit 24d406a6bf736f7aebdc8fa0f0ec86e0890c6d24 upstream. tty_operations->remove is normally called like: queue_release_one_tty ->tty_shutdown ->tty_driver_remove_tty ->tty_operations->remove However tty_shutdown() is called from queue_release_one_tty() only if tty_operations->shutdown is NULL. But for pty, it is not. pty_unix98_shutdown() is used there as ->shutdown. So tty_operations->remove of pty (i.e. pty_unix98_remove()) is never called. This results in invalid pty_count. I.e. what can be seen in /proc/sys/kernel/pty/nr. I see this was already reported at: https://lkml.org/lkml/2009/11/5/370 But it was not fixed since then. This patch is kind of a hackish way. The problem lies in ->install. We allocate there another tty (so-called tty->link). So ->install is called once, but ->remove twice, for both tty and tty->link. The fix here is to count both tty and tty->link and divide the count by 2 for user. And to have ->remove called, let's make tty_driver_remove_tty() global and call that from pty_unix98_shutdown() (tty_operations->shutdown). While at it, let's document that when ->shutdown is defined, tty_shutdown() is not called. Signed-off-by: Jiri Slaby Cc: Alan Cox Cc: "H. Peter Anvin" Signed-off-by: Greg Kroah-Hartman commit 64da3499c911698c004a2d47fd0af6ad683a811a Author: Axel Lin Date: Mon Aug 1 21:20:10 2011 +0800 tty: Add "spi:" prefix for spi modalias commit 8c4074cd2254606aeb788d518ccc27c9f97129e1 upstream. Since commit e0626e38 (spi: prefix modalias with "spi:"), the spi modalias is prefixed with "spi:". This patch adds "spi:" prefix and removes "-spi" suffix in the modalias. Signed-off-by: Axel Lin Signed-off-by: Greg Kroah-Hartman commit db14205cc5b607f06cdad8efad52def931f23f5c Author: Al Cooper Date: Mon Jul 25 16:19:52 2011 -0400 8250: Fix race condition in serial8250_backup_timeout(). commit dbb3b1ca5609d1f3848cd387d06cc60aaacf7f98 upstream. This is to fix an issue where output will suddenly become very slow. The problem occurs on 8250 UARTS with the hardware bug UART_BUG_THRE. BACKGROUND For normal UARTs (without UART_BUG_THRE): When the serial core layer gets new transmit data and the transmitter is idle, it buffers the data and calls the 8250s' serial8250_start_tx() routine which will simply enable the TX interrupt in the IER register and return. This should immediately fire a THRE interrupt and begin transmitting the data. For buggy UARTs (with UART_BUG_THRE): merely enabling the TX interrupt in IER does not necessarily generate a new THRE interrupt. Therefore, a background timer periodically checks to see if there is pending data, and starts transmission if that is the case. The bug happens on SMP systems when the system has nothing to transmit, the transmit interrupt is disabled and the following sequence occurs: - CPU0: The background timer routine serial8250_backup_timeout() starts and saves the state of the interrupt enable register (IER) and then disables all interrupts in IER. NOTE: The transmit interrupt (TI) bit is saved as disabled. - CPU1: The serial core gets data to transmit, grabs the port lock and calls serial8250_start_tx() which enables the TI in IER. - CPU0: serial8250_backup_timeout() waits for the port lock. - CPU1: finishes (with TI enabled) and releases the port lock. - CPU0: serial8250_backup_timeout() calls the interrupt routine which will transmit the next fifo's worth of data and then restores the IER from the previously saved value (TI disabled). At this point, as long as the serial core has more transmit data buffered, it will not call serial8250_start_tx() again and the background timer routine will slowly transmit the data. The fix is to have serial8250_start_tx() get the port lock before it saves the IER state and release it after restoring IER. This will prevent serial8250_start_tx() from running in parallel. Signed-off-by: Al Cooper Signed-off-by: Greg Kroah-Hartman commit 48fb01de0ab465fab4547cf0160b9185ac6568f0 Author: Eric Smith Date: Mon Jul 11 22:53:13 2011 -0600 8250_pci: add support for Rosewill RC-305 4x serial port card commit 44178176ecc55ad370b837dd2c4b4b8bed1e3823 upstream. This patch adds support for the Rosewill RC-305 four-port PCI serial card, and probably any other four-port serial cards based on the Moschip MCS9865 chip, assuming that the EEPROM on the card was programmed in accordance with Table 6 of the MCS9865 EEPROM Application Note version 0.3 dated 16-May-2008, available from the Moschip web site (registration required). This patch is based on an earlier patch [1] for the SYBA 6x serial port card by Ira W. Snyder. [1]: http://www.gossamer-threads.com/lists/linux/kernel/1162435 Signed-off-by: Eric Smith Signed-off-by: Greg Kroah-Hartman commit ecc0d72d6d78b59fc324e1283193c6750ef6fd0f Author: Bjorn Helgaas Date: Tue Aug 16 12:02:28 2011 -0600 serial: 8250_pnp: add Intermec CV60 touchscreen device commit ab8ba3a2d2cba6a658ef596cd5b2e0905b6c8a9f upstream. It would have been nice if Intermec had supplied a PNP0501 _CID for the COM3 device, but they didn't, so we have to recognize it explicitly. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=40612 CC: Jeff Chua Signed-off-by: Bjorn Helgaas Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit f64bd12ba57a622981785b0f45b7c230aaad3e41 Author: Nick Pelly Date: Fri Jul 15 13:53:08 2011 -0700 omap-serial: Allow IXON and IXOFF to be disabled. commit b280a97d1caf6fe1d38b51ebb31219391f5ad1a0 upstream. Fixes logic bug that software flow control cannot be disabled, because serial_omap_configure_xonxoff() is not called if both IXON and IXOFF bits are cleared. Signed-off-by: Nick Pelly Acked-by: Govindraj.R Tested-by: Govindraj.R Signed-off-by: Greg Kroah-Hartman commit f794b763b267d591df64d5785429d37f63b7fdb5 Author: Scott Jiang Date: Fri Aug 12 18:04:11 2011 -0400 ASoC: ad193x: fix dac word len setting commit 95c93d8525ebce1024bda7316f602ae45c36cd6f upstream. dac word len value should left shift before setting Signed-off-by: Scott Jiang Acked-by: Barry Song <21cnbao@gmail.com> Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit e7f4d169ea34a31a09fc03d9c74936789e2cbc4a Author: Scott Jiang Date: Fri Aug 12 18:04:10 2011 -0400 ASoC: ad193x: fix registers definition commit bf545ed72f2eeac664695a8ea2199d9ddaef6020 upstream. fix dac word len mask and adc tdm fmt shift value Signed-off-by: Scott Jiang Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 397d8ae5dd5565a1b77402034bf4d74efd6cfff7 Author: Axel Lin Date: Sat Aug 13 19:15:01 2011 +0800 ASoC: soc-jack: Fix checking return value of request_any_context_irq commit d2b4c7bd7eabfaa2e3e5b8107d5eeb56ac879813 upstream. request_any_context_irq() returns a negative value on failure. On success, it returns either IRQC_IS_HARDIRQ or IRQC_IS_NESTED. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 6d2e754003e789c6fb18de76d565a4cab83022a5 Author: Liu Gang-B34182 Date: Thu Aug 25 15:59:25 2011 -0700 arch/powerpc/sysdev/fsl_rio.c: correct IECSR register clear value commit 671ee7f0ce62e4b991b47fcf1c161c3f710dabbc upstream. This bug causes the IECSR register clear failure. In this case, the RETE (retry error threshold exceeded) interrupt will be generated and cannot be cleared. So the related ISR may be called persistently. The RETE bit in IECSR is cleared by writing a 1 to it. Signed-off-by: Liu Gang Cc: Benjamin Herrenschmidt Cc: Kumar Gala Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ae0250b118d5b55392264accf72a0a3d658e0da9 Author: Alexandre Bounine Date: Thu Aug 25 15:59:13 2011 -0700 rapidio: fix use of non-compatible registers commit 284fb68d00c56e971ed01e0b4bac5ddd4d1b74ab upstream. Replace/remove use of RIO v.1.2 registers/bits that are not forward-compatible with newer versions of RapidIO specification. RapidIO specification v.1.3 removed Write Port CSR, Doorbell CSR, Mailbox CSR and Mailbox and Doorbell bits of the PEF CAR. Use of removed (since RIO v.1.3) register bits affects users of currently available 1.3 and 2.x compliant devices who may use not so recent kernel versions. Removing checks for unsupported bits makes corresponding routines compatible with all versions of RapidIO specification. Therefore, backporting makes stable kernel versions compliant with RIO v.1.3 and later as well. Signed-off-by: Alexandre Bounine Cc: Kumar Gala Cc: Matt Porter Cc: Li Yang Cc: Thomas Moll Cc: Chul Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7f4e15693062aa1afcfc8f05f6790baf29bacfa3 Author: Nishanth Aravamudan Date: Thu Aug 25 15:59:11 2011 -0700 kernel/printk: do not turn off bootconsole in printk_late_init() if keep_bootcon commit 4c30c6f566c0989ddaee3407da44751e340a63ed upstream. It seems that 7bf693951a8e ("console: allow to retain boot console via boot option keep_bootcon") doesn't always achieve what it aims, as when printk_late_init() runs it unconditionally turns off all boot consoles. With this patch, I am able to see more messages on the boot console in KVM guests than I can without, when keep_bootcon is specified. I think it is appropriate for the relevant -stable trees. However, it's more of an annoyance than a serious bug (ideally you don't need to keep the boot console around as console handover should be working -- I was encountering a situation where the console handover wasn't working and not having the boot console available meant I couldn't see why). Signed-off-by: Nishanth Aravamudan Cc: David S. Miller Cc: Alan Cox Cc: Greg KH Acked-by: Fabio M. Di Nitto Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman