AgeCommit message (Collapse)Author
2010-05-26Linux Kroah-Hartman
2010-05-26Revert "parisc: Set PCI CLS early in boot."Greg Kroah-Hartman
This reverts the following patch, which shouldn't have been applied to the .32 stable tree as it causes problems. commit 5fd4514bb351b5ecb0da3692fff70741e5ed200c upstream. Set the PCI CLS early in the boot process to prevent device failures. In pcibios_set_master use the new pci_cache_line_size instead of a hard-coded value. Signed-off-by: Carlos O'Donell <> Reviewed-by: Grant Grundler <> Signed-off-by: Kyle McMartin <> Signed-off-by: Greg Kroah-Hartman <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26crypto: authenc - Add EINPROGRESS checkHerbert Xu
commit 180ce7e81030e1ef763d58f97f9ab840ff57d848 upstream. When Steffen originally wrote the authenc async hash patch, he correctly had EINPROGRESS checks in place so that we did not invoke the original completion handler with it. Unfortuantely I told him to remove it before the patch was applied. As only MAY_BACKLOG request completion handlers are required to handle EINPROGRESS completions, those checks are really needed. This patch restores them. Reported-by: Sebastian Andrzej Siewior <> Signed-off-by: Herbert Xu <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26Revert "ath9k: fix lockdep warning when unloading module" on stable kernelsLuis R. Rodriguez
Johannes' patch 34e8950 titled: mac80211: allow station add/remove to sleep changed the way mac80211 adds and removes peers. The new sta_add() / sta_remove() callbacks allowed the driver callbacks to sleep. Johannes also ported ath9k to use sta_add() / sta_remove() via the patch 4ca7786 titled: ath9k: convert to new station add/remove callbacks but this patch forgot to address a change in locking issue which Ming Lei eventually found on his 2.6.33-wl #12 build. The 2.6.33-wl build includes code for the 802.11 subsystem for 2.6.34 though so did already have the above two patches (ath9k_sta_remove() on his trace), the 2.6.33 kernel did not however have these two patches. Ming eventually cured his lockdep warnign via the patch a9f042c titled: ath9k: fix lockdep warning when unloading module This went in to 2.6.34 and although it was not marked as a stable fix it did get trickled down and applied on both 2.6.33 and 2.6.32. In review, the culprits: mac80211: allow station add/remove to sleep git describe --contains 34e895075e21be3e21e71d6317440d1ee7969ad0 v2.6.34-rc1~233^2~49^2~107 ath9k: convert to new station add/remove callbacks git describe --contains 4ca778605cfec53d8a689f0b57babb93b030c784 v2.6.34-rc1~233^2~49^2~10 ath9k: fix lockdep warning when unloading module This last one trickled down to 2.6.33 (OK), 2.6.33 (invalid) and 2.6.32 (invalid). git describe --contains a9f042cbe5284f34ccff15f3084477e11b39b17b v2.6.34-rc2~48^2~77^2~7 git describe --contains 0524bcfa80f1fffb4e1fe18a0a28900869a58a7c v2.6.33.2~125 git describe --contains 0dcc9985f34aef3c60bffab3dfc7f7ba3748f35a v2.6.32.11~79 The patch titled "ath9k: fix lockdep warning when unloading module" should be reverted on both 2.6.33 and 2.6.32 as it is invalid and actually ended up causing the following warning: ADDRCONF(NETDEV_CHANGE): wlan31: link becomes ready phy0: WMM queue=2 aci=0 acm=0 aifs=3 cWmin=15 cWmax=1023 txop=0 phy0: WMM queue=3 aci=1 acm=0 aifs=7 cWmin=15 cWmax=1023 txop=0 phy0: WMM queue=1 aci=2 acm=0 aifs=2 cWmin=7 cWmax=15 txop=94 phy0: WMM queue=0 aci=3 acm=0 aifs=2 cWmin=3 cWmax=7 txop=47 phy0: device now idle ------------[ cut here ]------------ WARNING: at kernel/softirq.c:143 local_bh_enable_ip+0x7b/0xa0() Hardware name: 7660A14 Modules linked in: ath9k(-) mac80211 ath cfg80211 <whatever-bleh-etc> Pid: 2003, comm: rmmod Not tainted #6 Call Trace: [<ffffffff8105d178>] warn_slowpath_common+0x78/0xb0 [<ffffffff8105d1bf>] warn_slowpath_null+0xf/0x20 [<ffffffff81063f8b>] local_bh_enable_ip+0x7b/0xa0 [<ffffffff815121e4>] _spin_unlock_bh+0x14/0x20 [<ffffffffa034aea5>] ath_tx_node_cleanup+0x185/0x1b0 [ath9k] [<ffffffffa0345597>] ath9k_sta_notify+0x57/0xb0 [ath9k] [<ffffffffa02ac51a>] __sta_info_unlink+0x15a/0x260 [mac80211] [<ffffffffa02ac658>] sta_info_unlink+0x38/0x60 [mac80211] [<ffffffffa02b3fbe>] ieee80211_set_disassoc+0x1ae/0x210 [mac80211] [<ffffffffa02b42d9>] ieee80211_mgd_deauth+0x109/0x110 [mac80211] [<ffffffffa02ba409>] ieee80211_deauth+0x19/0x20 [mac80211] [<ffffffffa028160e>] __cfg80211_mlme_deauth+0xee/0x130 [cfg80211] [<ffffffff81118540>] ? init_object+0x50/0x90 [<ffffffffa0285429>] __cfg80211_disconnect+0x159/0x1d0 [cfg80211] [<ffffffffa027125f>] cfg80211_netdev_notifier_call+0x10f/0x450 [cfg80211] [<ffffffff81514ca7>] notifier_call_chain+0x47/0x90 [<ffffffff8107f501>] raw_notifier_call_chain+0x11/0x20 [<ffffffff81442d66>] call_netdevice_notifiers+0x16/0x20 [<ffffffff8144352d>] dev_close+0x4d/0xa0 [<ffffffff814439a8>] rollback_registered+0x48/0x120 [<ffffffff81443a9d>] unregister_netdevice+0x1d/0x70 [<ffffffffa02b6cc4>] ieee80211_remove_interfaces+0x84/0xc0 [mac80211] [<ffffffffa02aa072>] ieee80211_unregister_hw+0x42/0xf0 [mac80211] [<ffffffffa0347bde>] ath_detach+0x8e/0x180 [ath9k] [<ffffffffa0347ce1>] ath_cleanup+0x11/0x50 [ath9k] [<ffffffffa0351a2c>] ath_pci_remove+0x1c/0x20 [ath9k] [<ffffffff8129d712>] pci_device_remove+0x32/0x60 [<ffffffff81332373>] __device_release_driver+0x53/0xb0 [<ffffffff81332498>] driver_detach+0xc8/0xd0 [<ffffffff81331405>] bus_remove_driver+0x85/0xe0 [<ffffffff81332a5a>] driver_unregister+0x5a/0x90 [<ffffffff8129da00>] pci_unregister_driver+0x40/0xb0 [<ffffffffa03518d0>] ath_pci_exit+0x10/0x20 [ath9k] [<ffffffffa0353cd5>] ath9k_exit+0x9/0x2a [ath9k] [<ffffffff81092838>] sys_delete_module+0x1a8/0x270 [<ffffffff8107ebe9>] ? up_read+0x9/0x10 [<ffffffff81011f82>] system_call_fastpath+0x16/0x1b ---[ end trace fad957019ffdd40b ]--- phy0: Removed STA 00:22:6b:56:fd:e8 phy0: Destroyed STA 00:22:6b:56:fd:e8 wlan31: deauthenticating from 00:22:6b:56:fd:e8 by local choice (reason=3) ath9k 0000:16:00.0: PCI INT A disabled The original lockdep fixed an issue where due to the new changes the driver was not disabling the bottom halves but it is incorrect to do this on the older kernels since IRQs are already disabled. Cc: Ming Lei <> Cc: Johannes Berg <> Cc: John W. Linville <> Signed-off-by: Luis R. Rodriguez <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26nilfs2: fix sync silent failureRyusuke Konishi
commit 973bec34bfc1bc2465646181653d67f767d418c8 upstream. As of 32a88aa1, __sync_filesystem() will return 0 if s_bdi is not set. And nilfs does not set s_bdi anywhere. I noticed this problem by the warning introduced by the recent commit 5129a469 ("Catch filesystem lacking s_bdi"). WARNING: at fs/super.c:959 vfs_kern_mount+0xc5/0x14e() Hardware name: PowerEdge 2850 Modules linked in: nilfs2 loop tpm_tis tpm tpm_bios video shpchp pci_hotplug output dcdbas Pid: 3773, comm: mount.nilfs2 Not tainted 2.6.34-rc6-debug #38 Call Trace: [<c1028422>] warn_slowpath_common+0x60/0x90 [<c102845f>] warn_slowpath_null+0xd/0x10 [<c1095936>] vfs_kern_mount+0xc5/0x14e [<c1095a03>] do_kern_mount+0x32/0xbd [<c10a811e>] do_mount+0x671/0x6d0 [<c1073794>] ? __get_free_pages+0x1f/0x21 [<c10a684f>] ? copy_mount_options+0x2b/0xe2 [<c107b634>] ? strndup_user+0x48/0x67 [<c10a81de>] sys_mount+0x61/0x8f [<c100280c>] sysenter_do_call+0x12/0x32 This ensures to set s_bdi for nilfs and fixes the sync silent failure. Signed-off-by: Ryusuke Konishi <> Acked-by: Jens Axboe <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26mmap_min_addr check CAP_SYS_RAWIO only for writeKees Cook
commit 4ae69e6b718589abe97c9625ccbb1e0bc95a8c0e upstream. Redirecting directly to lsm, here's the patch discussed on lkml: The mmap_min_addr value is useful information for an admin to see without being root ("is my system vulnerable to kernel NULL pointer attacks?") and its setting is trivially easy for an attacker to determine by calling mmap() in PAGE_SIZE increments starting at 0, so trying to keep it private has no value. Only require CAP_SYS_RAWIO if changing the value, not reading it. Comment from Serge : Me, I like to write my passwords with light blue pen on dark blue paper, pasted on my window - if you're going to get my password, you're gonna get a headache. Signed-off-by: Kees Cook <> Acked-by: Serge Hallyn <> Signed-off-by: James Morris <> (cherry picked from commit 822cceec7248013821d655545ea45d1c6a9d15b3) Signed-off-by: Greg Kroah-Hartman <>
2010-05-26megaraid_sas: fix for 32bit appsTomas Henzl
commit b3dc1a212e5167984616445990c76056034f8eeb upstream. It looks like this patch - commit 7b2519afa1abd1b9f63aa1e90879307842422dae Author: Yang, Bo <> Date: Tue Oct 6 14:52:20 2009 -0600 [SCSI] megaraid_sas: fix 64 bit sense pointer truncation has caused a problem for 32bit programs with 64bit os - fix by converting the user space 32bit pointer to a 64 bit one when needed. [jejb: fix up some 64 bit warnings] Signed-off-by: Tomas Henzl <> Cc: Bo Yang <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26CacheFiles: Fix error handling in cachefiles_determine_cache_security()David Howells
commit 7ac512aa8237c43331ffaf77a4fd8b8d684819ba upstream. cachefiles_determine_cache_security() is expected to return with a security override in place. However, if set_create_files_as() fails, we fail to do this. In this case, we should just reinstate the security override that was set by the caller. Furthermore, if set_create_files_as() fails, we should dispose of the new credentials we were in the process of creating. Signed-off-by: David Howells <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26p54: disable channels with incomplete calibration data setsChristian Lamparter
commit 93a59d7527147e3656664aa3179f8d19de256081 upstream. James Grossmann [1] reported that p54 spews out confusing messages instead of preventing the mayhem from happening. the reason is that "p54: generate channel list dynamically" is not perfect. It didn't discard incomplete channel data sets and therefore p54 advertised to support them as well. [1]: Cc: Larry Finger <> Reported-by: James Grossmann <> Signed-off-by: Christian Lamparter <> Signed-off-by: John W. Linville <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26iwlwifi: clear all the stop_queue flag after load firmwareWey-Yi Guy
commit a9e10fb9b1c6ad16e73cf2656951fce3a817611e upstream. All the queues are awake and ready to use after loading firmware, for firmware reload case, if any queues was stopped before reload, mac80211 will wake those queues after restart hardware, so make sure all the flag used to keep track of the queue status are reset correctly. Signed-off-by: Wey-Yi Guy <> Signed-off-by: Reinette Chatre <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26revert "procfs: provide stack information for threads" and its fixup commitsRobin Holt
commit 34441427aab4bdb3069a4ffcda69a99357abcb2e upstream. Originally, commit d899bf7b ("procfs: provide stack information for threads") attempted to introduce a new feature for showing where the threadstack was located and how many pages are being utilized by the stack. Commit c44972f1 ("procfs: disable per-task stack usage on NOMMU") was applied to fix the NO_MMU case. Commit 89240ba0 ("x86, fs: Fix x86 procfs stack information for threads on 64-bit") was applied to fix a bug in ia32 executables being loaded. Commit 9ebd4eba7 ("procfs: fix /proc/<pid>/stat stack pointer for kernel threads") was applied to fix a bug which had kernel threads printing a userland stack address. Commit 1306d603f ('proc: partially revert "procfs: provide stack information for threads"') was then applied to revert the stack pages being used to solve a significant performance regression. This patch nearly undoes the effect of all these patches. The reason for reverting these is it provides an unusable value in field 28. For x86_64, a fork will result in the task->stack_start value being updated to the current user top of stack and not the stack start address. This unpredictability of the stack_start value makes it worthless. That includes the intended use of showing how much stack space a thread has. Other architectures will get different values. As an example, ia64 gets 0. The do_fork() and copy_process() functions appear to treat the stack_start and stack_size parameters as architecture specific. I only partially reverted c44972f1 ("procfs: disable per-task stack usage on NOMMU") . If I had completely reverted it, I would have had to change mm/Makefile only build pagewalk.o when CONFIG_PROC_PAGE_MONITOR is configured. Since I could not test the builds without significant effort, I decided to not change mm/Makefile. I only partially reverted 89240ba0 ("x86, fs: Fix x86 procfs stack information for threads on 64-bit") . I left the KSTK_ESP() change in place as that seemed worthwhile. Signed-off-by: Robin Holt <> Cc: Stefani Seibold <> Cc: KOSAKI Motohiro <> Cc: Michal Simek <> Cc: Ingo Molnar <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26proc: partially revert "procfs: provide stack information for threads"KOSAKI Motohiro
commit 1306d603fcf1f6682f8575d1ff23631a24184b21 upstream. Commit d899bf7b (procfs: provide stack information for threads) introduced to show stack information in /proc/{pid}/status. But it cause large performance regression. Unfortunately /proc/{pid}/status is used ps command too and ps is one of most important component. Because both to take mmap_sem and page table walk are heavily operation. If many process run, the ps performance is, [before d899bf7b] % perf stat ps >/dev/null Performance counter stats for 'ps': 4090.435806 task-clock-msecs # 0.032 CPUs 229 context-switches # 0.000 M/sec 0 CPU-migrations # 0.000 M/sec 234 page-faults # 0.000 M/sec 8587565207 cycles # 2099.425 M/sec 9866662403 instructions # 1.149 IPC 3789415411 cache-references # 926.409 M/sec 30419509 cache-misses # 7.437 M/sec 128.859521955 seconds time elapsed [after d899bf7b] % perf stat ps > /dev/null Performance counter stats for 'ps': 4305.081146 task-clock-msecs # 0.028 CPUs 480 context-switches # 0.000 M/sec 2 CPU-migrations # 0.000 M/sec 237 page-faults # 0.000 M/sec 9021211334 cycles # 2095.480 M/sec 10605887536 instructions # 1.176 IPC 3612650999 cache-references # 839.160 M/sec 23917502 cache-misses # 5.556 M/sec 152.277819582 seconds time elapsed Thus, this patch revert it. Fortunately /proc/{pid}/task/{tid}/smaps provide almost same information. we can use it. Commit d899bf7b introduced two features: 1) Add the annotattion of [thread stack: xxxx] mark to /proc/{pid}/task/{tid}/maps. 2) Add StackUsage field to /proc/{pid}/status. I only revert (2), because I haven't seen (1) cause regression. Signed-off-by: KOSAKI Motohiro <> Cc: Stefani Seibold <> Cc: Ingo Molnar <> Cc: Peter Zijlstra <> Cc: Alexey Dobriyan <> Cc: "Eric W. Biederman" <> Cc: Randy Dunlap <> Cc: Andrew Morton <> Cc: Andi Kleen <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26ALSA: hda - New Intel HDA controllerVitaliy Kulikov
commit c602c8ad45d6ee6ad91fc544513cc96f70790983 upstream. Added a PCI controller id on new Dell laptops. Signed-off-by: Vitaliy Kulikov <> Cc: AmenophisIII <> Signed-off-by: Takashi Iwai <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26Btrfs: check for read permission on src file in the clone ioctlDan Rosenberg
commit 5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395 upstream. The existing code would have allowed you to clone a file that was only open for writing Signed-off-by: Chris Mason <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRsAndreas Herrmann
commit f01487119dda3d9f58c9729c7361ecc50a61c188 upstream. If host CPU is exposed to a guest the OSVW MSRs are not guaranteed to be present and a GP fault occurs. Thus checking the feature flag is essential. Signed-off-by: Andreas Herrmann <> LKML-Reference: <> Signed-off-by: H. Peter Anvin <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26x86, cacheinfo: Turn off L3 cache index disable feature in virtualized ↵Frank Arnold
environments commit 7f284d3cc96e02468a42e045f77af11e5ff8b095 upstream. When running a quest kernel on xen we get: BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 IP: [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x2ca/0x3df PGD 0 Oops: 0000 [#1] SMP last sysfs file: CPU 0 Modules linked in: Pid: 0, comm: swapper Tainted: G W 2.6.34-rc3 #1 /HVM domU RIP: 0010:[<ffffffff8142f2fb>] [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x 2ca/0x3df RSP: 0018:ffff880002203e08 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000060 RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000000 RBP: ffff880002203ed8 R08: 00000000000017c0 R09: ffff880002203e38 R10: ffff8800023d5d40 R11: ffffffff81a01e28 R12: ffff880187e6f5c0 R13: ffff880002203e34 R14: ffff880002203e58 R15: ffff880002203e68 FS: 0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000038 CR3: 0000000001a3c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffffffff81a00000, task ffffffff81a44020) Stack: ffffffff810d7ecb ffff880002203e20 ffffffff81059140 ffff880002203e30 <0> ffffffff810d7ec9 0000000002203e40 000000000050d140 ffff880002203e70 <0> 0000000002008140 0000000000000086 ffff880040020140 ffffffff81068b8b Call Trace: <IRQ> [<ffffffff810d7ecb>] ? sync_supers_timer_fn+0x0/0x1c [<ffffffff81059140>] ? mod_timer+0x23/0x25 [<ffffffff810d7ec9>] ? arm_supers_timer+0x34/0x36 [<ffffffff81068b8b>] ? hrtimer_get_next_event+0xa7/0xc3 [<ffffffff81058e85>] ? get_next_timer_interrupt+0x19a/0x20d [<ffffffff8142fa23>] get_cpu_leaves+0x5c/0x232 [<ffffffff8106a7b1>] ? sched_clock_local+0x1c/0x82 [<ffffffff8106a9a0>] ? sched_clock_tick+0x75/0x7a [<ffffffff8107748c>] generic_smp_call_function_single_interrupt+0xae/0xd0 [<ffffffff8101f6ef>] smp_call_function_single_interrupt+0x18/0x27 [<ffffffff8100a773>] call_function_single_interrupt+0x13/0x20 <EOI> [<ffffffff8143c468>] ? notifier_call_chain+0x14/0x63 [<ffffffff810295c6>] ? native_safe_halt+0xc/0xd [<ffffffff810114eb>] ? default_idle+0x36/0x53 [<ffffffff81008c22>] cpu_idle+0xaa/0xe4 [<ffffffff81423a9a>] rest_init+0x7e/0x80 [<ffffffff81b10dd2>] start_kernel+0x40e/0x419 [<ffffffff81b102c8>] x86_64_start_reservations+0xb3/0xb7 [<ffffffff81b103c4>] x86_64_start_kernel+0xf8/0x107 Code: 14 d5 40 ff ae 81 8b 14 02 31 c0 3b 15 47 1c 8b 00 7d 0e 48 8b 05 36 1c 8b 00 48 63 d2 48 8b 04 d0 c7 85 5c ff ff ff 00 00 00 00 <8b> 70 38 48 8d 8d 5c ff ff ff 48 8b 78 10 ba c4 01 00 00 e8 eb RIP [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x2ca/0x3df RSP <ffff880002203e08> CR2: 0000000000000038 ---[ end trace a7919e7f17c0a726 ]--- The L3 cache index disable feature of AMD CPUs has to be disabled if the kernel is running as guest on top of a hypervisor because northbridge devices are not available to the guest. Currently, this fixes a boot crash on top of Xen. In the future this will become an issue on KVM as well. Check if northbridge devices are present and do not enable the feature if there are none. [ hpa: backported to 2.6.34 ] Signed-off-by: Frank Arnold <> LKML-Reference: <> Acked-by: Borislav Petkov <> Signed-off-by: H. Peter Anvin <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26x86, k8: Fix build error when K8_NB is disabledBorislav Petkov
commit ade029e2aaacc8965a548b0b0f80c5bee97ffc68 upstream. K8_NB depends on PCI and when the last is disabled (allnoconfig) we fail at the final linking stage due to missing exported num_k8_northbridges. Add a header stub for that. Signed-off-by: Borislav Petkov <> LKML-Reference: <20100503183036.GJ26107@aftab> Signed-off-by: H. Peter Anvin <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26profile: fix stats and data leakageHugh Dickins
commit 16a2164bb03612efe79a76c73da6da44445b9287 upstream. If the kernel is large or the profiling step small, /proc/profile leaks data and readprofile shows silly stats, until readprofile -r has reset the buffer: clear the prof_buffer when it is vmalloc()ed. Signed-off-by: Hugh Dickins <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26inotify: don't leak user struct on inotify releasePavel Emelyanov
commit b3b38d842fa367d862b83e7670af4e0fd6a80fc0 upstream. inotify_new_group() receives a get_uid-ed user_struct and saves the reference on group->inotify_data.user. The problem is that free_uid() is never called on it. Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify using fsnotify) after 2.6.30. Signed-off-by: Pavel Emelyanov <> Eric Paris <> Signed-off-by: Andrew Morton <> Signed-off-by: Eric Paris <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26inotify: race use after free/double free in inotify inode marksEric Paris
commit e08733446e72b983fed850fc5d8bd21b386feb29 upstream. There is a race in the inotify add/rm watch code. A task can find and remove a mark which doesn't have all of it's references. This can result in a use after free/double free situation. Task A Task B ------------ ----------- inotify_new_watch() allocate a mark (refcnt == 1) add it to the idr inotify_rm_watch() inotify_remove_from_idr() fsnotify_put_mark() refcnt hits 0, free take reference because we are on idr [at this point it is a use after free] [time goes on] refcnt may hit 0 again, double free The fix is to take the reference BEFORE the object can be found in the idr. Signed-off-by: Eric Paris <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26ALSA: hda: Fix 0 dB for Lenovo models using Conexant CX20549 (Venice)Daniel T Chen
commit 0ebf9e3692d640917fb792a7494d05e1f5b1058f upstream. Reference: As reported on the mailing list, we also need to cap to the 0 dB offset for Lenovo models, else the sound will be distorted. Reported-and-Tested-by: Tim Starling <> Signed-off-by: Daniel T Chen <> Signed-off-by: Takashi Iwai <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26ALSA: ice1724 - Fix ESI Maya44 capture source controlTakashi Iwai
commit 8213466596bf10b75887754773ee13c10cf86f5c upstream. The capture source control of maya44 was wrongly coded with the bit shift instead of the bit mask. Also, the slot for line-in was wrongly assigned (slot 5 instead of 4). Reported-by: Alex Chernyshoff <> Signed-off-by: Takashi Iwai <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26serial: imx.c: fix CTS trigger level lower to avoid lost charsValentin Longchamp
commit 1c5250d6163dac28be3afabdfb6c723f107051b7 upstream. The imx CTS trigger level is left at its reset value that is 32 chars. Since the RX FIFO has 32 entries, when CTS is raised, the FIFO already is full. However, some serial port devices first empty their TX FIFO before stopping when CTS is raised, resulting in lost chars. This patch sets the trigger level lower so that other chars arrive after CTS is raised, there is still room for 16 of them. Signed-off-by: Valentin Longchamp<> Tested-by: Philippe Rétornaz<> Acked-by: Wolfram Sang<> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26cifs: guard against hardlinking directoriesJeff Layton
commit 3d69438031b00c601c991ab447cafb7d5c3c59a6 upstream. When we made serverino the default, we trusted that the field sent by the server in the "uniqueid" field was actually unique. It turns out that it isn't reliably so. Samba, in particular, will just put the st_ino in the uniqueid field when unix extensions are enabled. When a share spans multiple filesystems, it's quite possible that there will be collisions. This is a server bug, but when the inodes in question are a directory (as is often the case) and there is a collision with the root inode of the mount, the result is a kernel panic on umount. Fix this by checking explicitly for directory inodes with the same uniqueid. If that is the case, then we can assume that using server inode numbers will be a problem and that they should be disabled. Fixes Samba bugzilla 7407 Signed-off-by: Jeff Layton <> Reviewed-and-Tested-by: Suresh Jayaraman <> Signed-off-by: Steve French <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26powerpc/perf_event: Fix oops due to perf_event_do_pending callPaul Mackerras
commit 0fe1ac48bef018bed896307cd12f6ca9b5e704ab upstream. Anton Blanchard found that large POWER systems would occasionally crash in the exception exit path when profiling with perf_events. The symptom was that an interrupt would occur late in the exit path when the MSR[RI] (recoverable interrupt) bit was clear. Interrupts should be hard-disabled at this point but they were enabled. Because the interrupt was not recoverable the system panicked. The reason is that the exception exit path was calling perf_event_do_pending after hard-disabling interrupts, and perf_event_do_pending will re-enable interrupts. The simplest and cleanest fix for this is to use the same mechanism that 32-bit powerpc does, namely to cause a self-IPI by setting the decrementer to 1. This means we can remove the tests in the exception exit path and raw_local_irq_restore. This also makes sure that the call to perf_event_do_pending from timer_interrupt() happens within irq_enter/irq_exit. (Note that calling perf_event_do_pending from timer_interrupt does not mean that there is a possible 1/HZ latency; setting the decrementer to 1 ensures that the timer interrupt will happen immediately, i.e. within one timebase tick, which is a few nanoseconds or 10s of nanoseconds.) Signed-off-by: Paul Mackerras <> Signed-off-by: Benjamin Herrenschmidt <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26ptrace: fix return value of do_syscall_trace_enter()Gerald Schaefer
commit 545c174d1f093a462b4bb9131b23d5ea72a600e1 upstream. strace may change the system call number, so regs->gprs[2] must not be read before tracehook_report_syscall_entry(). This fixes a bug where "strace -f" will hang after a vfork(). Signed-off-by: Gerald Schaefer <> Signed-off-by: Martin Schwidefsky <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26mmc: atmel-mci: remove data error interrupt after xferNicolas Ferre
commit abc2c9fdf636c4335a8d72ac3c5ae152bca44b68 upstream. Disable data error interrupts while we are actually recording that there is not such errors. This will prevent, in some cases, the warning message printed at new request queuing (in atmci_start_request()). Signed-off-by: Nicolas Ferre <> Cc: Haavard Skinnemoen <> Cc: <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26mmc: atmel-mci: prevent kernel oops while removing cardNicolas Ferre
commit 009a891b22395fc86e5f34057d79fffee4509ab5 upstream. The removing of an SD card in certain circumstances can lead to a kernel oops if we do not make sure that the "data" field of the host structure is valid. This patch adds a test in atmci_dma_cleanup() function and also calls atmci_stop_dma() before throwing away the reference to data. Signed-off-by: Nicolas Ferre <> Cc: Haavard Skinnemoen <> Cc: <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26mmc: atmel-mci: fix two parameters swappedNicolas Ferre
commit ebb1fea9b3adf25d7e2f643c614163af4f93a17f upstream. Two parameters were swapped in the calls to atmci_init_slot(). Signed-off-by: Nicolas Ferre <> Reported-by: Anders Grahn <> Cc: Haavard Skinnemoen <> Cc: <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26ACPI: sleep: eliminate duplicate entries in acpisleep_dmi_table[]Alex Chiang
commit 7d6fb7bd1919517937ec390f6ca2d7bcf4f89fb6 upstream. Duplicate entries ended up acpisleep_dmi_table[] by accident. They don't hurt functionality, but they are ugly, so let's get rid of them. Signed-off-by: Alex Chiang <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26dma-mapping: fix dma_sync_single_range_*FUJITA Tomonori
commit f33d7e2d2d113a63772bbc993cdec3b5327f0ef1 upstream. dma_sync_single_range_for_cpu() and dma_sync_single_range_for_device() use a wrong address with a partial synchronization. Signed-off-by: FUJITA Tomonori <> Reviewed-by: Konrad Rzeszutek Wilk <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26hugetlbfs: kill applications that use MAP_NORESERVE with SIGBUS instead of ↵Mel Gorman
OOM-killer commit 4a6018f7f4f1075c1a5403b5ec0ee7262187b86c upstream. Ordinarily, application using hugetlbfs will create mappings with reserves. For shared mappings, these pages are reserved before mmap() returns success and for private mappings, the caller process is guaranteed and a child process that cannot get the pages gets killed with sigbus. An application that uses MAP_NORESERVE gets no reservations and mmap() will always succeed at the risk the page will not be available at fault time. This might be used for example on very large sparse mappings where the developer is confident the necessary huge pages exist to satisfy all faults even though the whole mapping cannot be backed by huge pages. Unfortunately, if an allocation does fail, VM_FAULT_OOM is returned to the fault handler which proceeds to trigger the OOM-killer. This is unhelpful. Even without hugetlbfs mounted, a user using mmap() can trivially trigger the OOM-killer because VM_FAULT_OOM is returned (will provide example program if desired - it's a whopping 24 lines long). It could be considered a DOS available to an unprivileged user. This patch alters hugetlbfs to kill a process that uses MAP_NORESERVE where huge pages were not available with SIGBUS instead of triggering the OOM killer. This change affects hugetlb_cow() as well. I feel there is a failure case in there, but I didn't create one. It would need a fairly specific target in terms of the faulting application and the hugepage pool size. The hugetlb_no_page() path is much easier to hit but both might as well be closed. Signed-off-by: Mel Gorman <> Cc: Lee Schermerhorn <> Cc: David Rientjes <> Cc: Andi Kleen <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26fbdev: bfin-t350mcqb-fb: fix fbmem allocation with blanking linesMichael Hennerich
commit de145b44b95b9d3212a82d1c0f29b09778ef33c5 upstream. The current allocation does not include the memory required for blanking lines. So avoid memory corruption when multiple devices are using the DMA memory near each other. Signed-off-by: Michael Hennerich <> Signed-off-by: Mike Frysinger <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26hp_accel: fix race in device removalOliver Neukum
commit 06efbeb4a47b6f865e1c9d175ab9d6e90b69ae9e upstream. The work queue has to be flushed after the device has been made inaccessible. The patch closes a window during which a work queue might remain active after the device is removed and would then lead to ACPI calls with undefined behavior. Signed-off-by: Oliver Neukum <> Acked-by: Eric Piel <> Acked-by: Pavel Machek <> Cc: Pavel Herrmann <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-26ipv4: udp: fix short packet and bad checksum loggingBjørn Mork
commit ccc2d97cb7c798e785c9f198de243e2b59f7073b upstream. commit 2783ef23 moved the initialisation of saddr and daddr after pskb_may_pull() to avoid a potential data corruption. Unfortunately also placing it after the short packet and bad checksum error paths, where these variables are used for logging. The result is bogus output like [92238.389505] UDP: short packet: From 23715/178 to Moving the saddr and daddr initialisation above the error paths, while still keeping it after the pskb_may_pull() to keep the fix from commit 2783ef23. Signed-off-by: Bjørn Mork <> Acked-by: Eric Dumazet <> Signed-off-by: David S. Miller <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12Revert "module: fix __module_ref_addr()"Greg Kroah-Hartman
This reverts commit d150a2b96558a7349cbf3a72a279c37bc67d50fb. Thanks to Jiri Benc for finding the problem that this patch is not correct for the 2.6.32-stable series. Cc: Jiri Kosina <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12Linux Kroah-Hartman
2010-05-12MIPS: Sibyte: Apply M3 workaround only on affected chip types and versions.Ralf Baechle
(cherry picked from commit e65c7f33d75e977350ca350573d93c517ec02776) Previously it was unconditionally used on all Sibyte family SOCs. The M3 bug has to be handled in the TLB exception handler which is extremly performance sensitive, so this modification is expected to deliver around 2-3% performance improvment. This is important as required changes to the M3 workaround will make it more costly. Signed-off-by: Ralf Baechle <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12SCSI: Retry commands with UNIT_ATTENTION sense codes to fix ext3/ext4 I/O errorJames Bottomley
commit 77a4229719e511a0d38d9c355317ae1469adeb54 upstream. There's nastyness in the way we currently handle barriers (and discards): They're effectively filesystem commands, but they get processed as BLOCK_PC commands. Unfortunately BLOCK_PC commands are taken by SCSI to be SG_IO commands and the issuer expects to see and handle any returned errors, however trivial. This leads to a huge problem, because the block layer doesn't expect this to happen and any trivially retryable error on a barrier causes an immediate I/O error to the filesystem. The only real way to hack around this is to take the usual class of offending errors (unit attentions) and make them all retryable in the case of a REQ_HARDBARRIER. A correct fix would involve a rework of the entire block and SCSI submit system, and so is out of scope for a quick fix. Cc: Hannes Reinecke <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12Enable retries for SYNCRONIZE_CACHE commands to fix I/O errorHannes Reinecke
commit c213e1407be6b04b144794399a91472e0ef92aec upstream. Some arrays are giving I/O errors with ext3 filesystems when SYNCHRONIZE_CACHE gets a UNIT_ATTENTION. What is happening is that these commands have no retries, so the UNIT_ATTENTION causes the barrier to fail. We should be enable retries here to clear any transient error and allow the barrier to succeed. Signed-off-by: Hannes Reinecke <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12scsi_debug: virtual_gb ignores sector_sizeDouglas Gilbert
commit 5447ed6c968e7270b656afa273c2b79d15d82edd upstream. In the scsi_debug driver, the virtual_gb option ignores the sector_size, implicitly assuming that is 512 bytes. So if 'virtual_gb=1 sector_size=4096' the result is an 8 GB (virtual) disk. Signed-off-by: Douglas Gilbert <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12SCSI: libiscsi: regression: fix header digest errorsMike Christie
commit 96b1f96dcab87756c0a1e7ba76bc5dc2add82b88 upstream. This fixes a regression introduced with this commit: commit d3305f3407fa3e9452079ec6cc8379067456e4aa Author: Mike Christie <> Date: Thu Aug 20 15:10:58 2009 -0500 [SCSI] libiscsi: don't increment cmdsn if cmd is not sent in 2.6.32. When I moved the hdr->cmdsn after init_task, I added a bug when header digests are used. The problem is that the LLD may calculate the header digest in init_task, so if we then set the cmdsn after the init_task call we change what the digest will be calculated by the target. Signed-off-by: Mike Christie <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12SCSI: fix locking around blk_abort_request()Tejun Heo
commit 70b25f890ce9f0520c64075ce9225a5b020a513e upstream. blk_abort_request() expects queue lock to be held by the caller. Grab it before calling the function. Lack of this synchronization led to infinite loop on corrupt q->timeout_list. Signed-off-by: Tejun Heo <> Signed-off-by: James Bottomley <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12pxa/colibri: fix missing #include <mach/mfp.h> in colibri.hJakob Viketoft
commit ccb8d8d070b8f25f0163da5c9ceacf63a5169540 upstream. The use of mfp_cfg_t causes build errors without including <mach/mfp.h>. CC: Daniel Mack <> Signed-off-by: Jakob Viketoft <> Signed-off-by: Eric Miao <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12cpuidle: Fix incorrect optimizationArjan van de Ven
commit 1c6fe0364fa7bf28248488753ee0afb6b759cd04 upstream. commit 672917dcc78 ("cpuidle: menu governor: reduce latency on exit") added an optimization, where the analysis on the past idle period moved from the end of idle, to the beginning of the new idle. Unfortunately, this optimization had a bug where it zeroed one key variable for new use, that is needed for the analysis. The fix is simple, zero the variable after doing the work from the previous idle. During the audit of the code that found this issue, another issue was also found; the ->measured_us data structure member is never set, a local variable is always used instead. Signed-off-by: Arjan van de Ven <> Cc: Corrado Zoccolo <> Signed-off-by: Linus Torvalds <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12ACPI: sleep: init_set_sci_en_on_resume for Dell Studio 155xKamal Mostafa
commit ea5bc73f4f56449b2d450068d492bcd17a675d7a upstream. Add Dell Studio models (1558, 1557, 1555) to the 'set_sci_en_on_resume' list to fix hang on resume. BugLink: Signed-off-by: Kamal Mostafa <> Acked-by: Alex Chiang <> Signed-off-by: Len Brown <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12power_meter: acpi_device_class "power_meter_resource" too longDan Carpenter
commit 18262714ca0fb65c290b8ea1807b2b02bb52d0e3 upstream. acpi_device_class can only be 19 characters and a NULL terminator. The current code has a buffer overflow in acpi_power_meter_add(): strcpy(acpi_device_class(device), ACPI_POWER_METER_CLASS); Signed-off-by: Dan Carpenter <> Cc: Len Brown <> Cc: "Darrick J. Wong" <> Signed-off-by: Andrew Morton <> Signed-off-by: Len Brown <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12ACPI: DMI init_set_sci_en_on_resume for multiple Lenovo ThinkPadsAlex Chiang
commit 07bedca29b0973f36a6b6db36936deed367164ed upstream. Multiple Lenovo ThinkPad models with Intel Core i5/i7 CPUs can successfully suspend/resume once, and then hang on the second s/r cycle. We got confirmation that this was due to a BIOS defect. The BIOS did not properly set SCI_EN coming out of S3. The BIOS guys hinted that The Other Leading OS ignores the fact that hardware owns the bit and sets it manually. In any case, an existing DMI table exists for machines where this defect is a known problem. Lenovo promise to fix their BIOS, but for folks who either won't or can't upgrade their BIOS, allow Linux to workaround the issue. Confirmed by numerous testers in the launchpad bug that using acpi_sleep=sci_force_enable fixes the issue. We add the machines to acpisleep_dmi_table[] to automatically enable this workaround. Cc: Colin King <> Signed-off-by: Alex Chiang <> Signed-off-by: Len Brown <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12V4L/DVB: budget: Oops: "BUG: unable to handle kernel NULL pointer dereference"Bjørn Mork
commit 6f550dc08369ee0bc6402963c377e65f0f2e3b71 upstream. Never call dvb_frontend_detach if we failed to attach a frontend. This fixes the following oops, which will be triggered by a missing stv090x module: [ 8.172997] DVB: registering new adapter (TT-Budget S2-1600 PCI) [ 8.209018] adapter has MAC addr = 00:d0:5c:cc:a7:29 [ 8.328665] Intel ICH 0000:00:1f.5: PCI INT B -> GSI 17 (level, low) -> IRQ 17 [ 8.328753] Intel ICH 0000:00:1f.5: setting latency timer to 64 [ 8.562047] DVB: Unable to find symbol stv090x_attach() [ 8.562117] BUG: unable to handle kernel NULL pointer dereference at 000000ac [ 8.562239] IP: [<e08b04a3>] dvb_frontend_detach+0x4/0x67 [dvb_core] Ref Signed-off-by: Bjørn Mork <> Signed-off-by: Mauro Carvalho Chehab <> Signed-off-by: Greg Kroah-Hartman <>
2010-05-12md/raid6: Fix raid-6 read-error correction in degraded stateGabriele A. Trombetti
commit 87aa63000c484bfb9909989316f615240dfee018 upstream. Fix: Raid-6 was not trying to correct a read-error when in singly-degraded state and was instead dropping one more device, going to doubly-degraded state. This patch fixes this behaviour. Tested-by: Janos Haar <> Signed-off-by: Gabriele A. Trombetti <> Reported-by: Janos Haar <> Signed-off-by: NeilBrown <> Signed-off-by: Greg Kroah-Hartman <>