commit d58331bd6a2881cd265277e4b3b263fecbdf7217 Author: Greg Kroah-Hartman Date: Fri Jan 6 14:15:47 2012 -0800 Linux 3.0.16 commit eb1f526d4bfda44e94ccdf34950911eaff74b092 Author: Mohammed Shafi Shajakhan Date: Mon Dec 26 10:42:15 2011 +0530 ath9k: Fix kernel panic in AR2427 in AP mode commit b25bfda38236f349cde0d1b28952f4eea2148d3f upstream. don't do aggregation related stuff for 'AP mode client power save handling' if aggregation is not enabled in the driver, otherwise it will lead to panic because those data structures won't be never intialized in 'ath_tx_node_init' if aggregation is disabled EIP is at ath_tx_aggr_wakeup+0x37/0x80 [ath9k] EAX: e8c09a20 EBX: f2a304e8 ECX: 00000001 EDX: 00000000 ESI: e8c085e0 EDI: f2a304ac EBP: f40e1ca4 ESP: f40e1c8c DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process swapper/1 (pid: 0, ti=f40e0000 task=f408e860 task.ti=f40dc000) Stack: 0001e966 e8c09a20 00000000 f2a304ac e8c085e0 f2a304ac f40e1cb0 f8186741 f8186700 f40e1d2c f922988d f2a304ac 00000202 00000001 c0b4ba43 00000000 0000000f e8eb75c0 e8c085e0 205b0001 34383220 f2a304ac f2a30000 00010020 Call Trace: [] ath9k_sta_notify+0x41/0x50 [ath9k] [] ? ath9k_get_survey+0x110/0x110 [ath9k] [] ieee80211_sta_ps_deliver_wakeup+0x9d/0x350 [mac80211] [] ? __module_address+0x95/0xb0 [] ap_sta_ps_end+0x63/0xa0 [mac80211] [] ieee80211_rx_h_sta_process+0x156/0x2b0 [mac80211] [] ieee80211_rx_handlers+0xce/0x510 [mac80211] [] ? trace_hardirqs_on+0xb/0x10 [] ? skb_queue_tail+0x3e/0x50 [] ieee80211_prepare_and_rx_handle+0x111/0x750 [mac80211] [] ieee80211_rx+0x349/0xb20 [mac80211] [] ? ieee80211_rx+0x99/0xb20 [mac80211] [] ath_rx_tasklet+0x818/0x1d00 [ath9k] [] ? ath9k_tasklet+0x35/0x1c0 [ath9k] [] ? ath9k_tasklet+0x35/0x1c0 [ath9k] [] ath9k_tasklet+0xf3/0x1c0 [ath9k] [] tasklet_action+0xbe/0x180 Cc: Senthil Balasubramanian Cc: Rajkumar Manoharan Reported-by: Ashwin Mendonca Tested-by: Ashwin Mendonca Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ef50d8d96fa350c1f602f8c3bae65eb21ddb28e3 Author: Oleg Nesterov Date: Wed Jan 4 17:29:02 2012 +0100 ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE race commit 50b8d257486a45cba7b65ca978986ed216bbcc10 upstream. Test-case: int main(void) { int pid, status; pid = fork(); if (!pid) { for (;;) { if (!fork()) return 0; if (waitpid(-1, &status, 0) < 0) { printf("ERR!! wait: %m\n"); return 0; } } } assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0); assert(waitpid(-1, NULL, 0) == pid); assert(ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACEFORK) == 0); do { ptrace(PTRACE_CONT, pid, 0, 0); pid = waitpid(-1, NULL, 0); } while (pid > 0); return 1; } It fails because ->real_parent sees its child in EXIT_DEAD state while the tracer is going to change the state back to EXIT_ZOMBIE in wait_task_zombie(). The offending commit is 823b018e which moved the EXIT_DEAD check, but in fact we should not blame it. The original code was not correct as well because it didn't take ptrace_reparented() into account and because we can't really trust ->ptrace. This patch adds the additional check to close this particular race but it doesn't solve the whole problem. We simply can't rely on ->ptrace in this case, it can be cleared if the tracer is multithreaded by the exiting ->parent. I think we should kill EXIT_DEAD altogether, we should always remove the soon-to-be-reaped child from ->children or at least we should never do the DEAD->ZOMBIE transition. But this is too complex for 3.2. Reported-and-tested-by: Denys Vlasenko Tested-by: Lukasz Michalik Acked-by: Tejun Heo Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b47f3ad598247071dcab661f94655bbe8074467a Author: Linus Torvalds Date: Tue Jan 3 17:32:13 2012 -0800 Revert "rtc: Disable the alarm in the hardware" commit 157e8bf8b4823bfcdefa6c1548002374b61f61df upstream. This reverts commit c0afabd3d553c521e003779c127143ffde55a16f. It causes failures on Toshiba laptops - instead of disabling the alarm, it actually seems to enable it on the affected laptops, resulting in (for example) the laptop powering on automatically five minutes after shutdown. There's a patch for it that appears to work for at least some people, but it's too late to play around with this, so revert for now and try again in the next merge window. See for example http://bugs.debian.org/652869 Reported-and-bisected-by: Andreas Friedrich (Toshiba Tecra) Reported-by: Antonio-M. Corbi Bellot (Toshiba Portege R500) Reported-by: Marco Santos (Toshiba Portege Z830) Reported-by: Christophe Vu-Brugier (Toshiba Portege R830) Cc: Jonathan Nieder Requested-by: John Stultz Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c61e023d2b6ca9d0aaf766659a81ad5d017e5b53 Author: Mandeep Singh Baines Date: Tue Jan 3 14:41:13 2012 -0800 hung_task: fix false positive during vfork commit f9fab10bbd768b0e5254e53a4a8477a94bfc4b96 upstream. vfork parent uninterruptibly and unkillably waits for its child to exec/exit. This wait is of unbounded length. Ignore such waits in the hung_task detector. Signed-off-by: Mandeep Singh Baines Reported-by: Sasha Levin LKML-Reference: <1325344394.28904.43.camel@lappy> Cc: Linus Torvalds Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Andrew Morton Cc: John Kacur Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e343400d67fa390709d8147972eb4b700018811b Author: Alexander Müller Date: Fri Dec 30 12:55:48 2011 -0500 drm/radeon/kms/atom: fix possible segfault in pm setup commit 4376eee92e5a8332b470040e672ea99cd44c826a upstream. If we end up with no power states, don't look up current vddc. fixes: https://bugs.freedesktop.org/show_bug.cgi?id=44130 agd5f: fix patch formatting Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 6826d3e80d143ca7411fd2dca05bc57c7ed3e620 Author: Christoph Hellwig Date: Wed Jan 4 09:48:36 2012 -0500 xfs: log all dirty inodes in xfs_fs_sync_fs Commit be4f1ac828776bbc7868a68b465cd8eedb733cfd upstream. Since Linux 2.6.36 the writeback code has introduces various measures for live lock prevention during sync(). Unfortunately some of these are actively harmful for the XFS model, where the inode gets marked dirty for metadata from the data I/O handler. The older_than_this checks that are now more strictly enforced since writeback: avoid livelocking WB_SYNC_ALL writeback by only calling into __writeback_inodes_sb and thus only sampling the current cut off time once. But on a slow enough devices the previous asynchronous sync pass might not have fully completed yet, and thus XFS might mark metadata dirty only after that sampling of the cut off time for the blocking pass already happened. I have not myself reproduced this myself on a real system, but by introducing artificial delay into the XFS I/O completion workqueues it can be reproduced easily. Fix this by iterating over all XFS inodes in ->sync_fs and log all that are dirty. This might log inode that only got redirtied after the previous pass, but given how cheap delayed logging of inodes is it isn't a major concern for performance. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Tested-by: Mark Tinguely Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit b32a7304bea14c51fe279281db1ff02eefad2e3a Author: Christoph Hellwig Date: Wed Jan 4 09:48:35 2012 -0500 xfs: log the inode in ->write_inode calls for kupdate Commit 0b8fd3033c308e4088760aa1d38ce77197b4e074 upstream. If the writeback code writes back an inode because it has expired we currently use the non-blockin ->write_inode path. This means any inode that is pinned is skipped. With delayed logging and a workload that has very little log traffic otherwise it is very likely that an inode that gets constantly written to is always pinned, and thus we keep refusing to write it. The VM writeback code at that point redirties it and doesn't try to write it again for another 30 seconds. This means under certain scenarious time based metadata writeback never happens. Fix this by calling into xfs_log_inode for kupdate in addition to data integrity syncs, and thus transfer the inode to the log ASAP. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Tested-by: Mark Tinguely Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 3b26fd897af35e9d48cfbadef1e7f24287d6f1ba Author: Konrad Rzeszutek Wilk Date: Thu Dec 15 11:28:46 2011 -0500 xen/swiotlb: Use page alignment for early buffer allocation. commit 63a741757d15320a25ebf5778f8651cce2ed0611 upstream. This fixes an odd bug found on a Dell PowerEdge 1850/0RC130 (BIOS A05 01/09/2006) where all of the modules doing pci_set_dma_mask would fail with: ata_piix 0000:00:1f.1: enabling device (0005 -> 0007) ata_piix 0000:00:1f.1: can't derive routing for PCI INT A ata_piix 0000:00:1f.1: BMDMA: failed to set dma mask, falling back to PIO The issue was the Xen-SWIOTLB was allocated such as that the end of buffer was stradling a page (and also above 4GB). The fix was spotted by Kalev Leonid which was to piggyback on git commit e79f86b2ef9c0a8c47225217c1018b7d3d90101c "swiotlb: Use page alignment for early buffer allocation" which: We could call free_bootmem_late() if swiotlb is not used, and it will shrink to page alignment. So alloc them with page alignment at first, to avoid lose two pages And doing that fixes the outstanding issue. Suggested-by: "Kalev, Leonid" Reported-and-Tested-by: "Taylor, Neal E" Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit cb3b250af580752ed54642e37640daf714b30ad3 Author: Kyle Manna Date: Thu Aug 11 22:33:13 2011 -0500 mfd: Turn on the twl4030-madc MADC clock commit 3d6271f92e98094584fd1e609a9969cd33e61122 upstream. Without turning the MADC clock on, no MADC conversions occur. $ cat /sys/class/hwmon/hwmon0/device/in8_input [ 53.428436] twl4030_madc twl4030_madc: conversion timeout! cat: read error: Resource temporarily unavailable Signed-off-by: Kyle Manna Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit b5e0e13b29aa292a2ece89a78757a55e85e9e626 Author: Kyle Manna Date: Thu Aug 11 22:33:14 2011 -0500 mfd: Check for twl4030-madc NULL pointer commit d0e84caeb4cd535923884735906e5730329505b4 upstream. If the twl4030-madc device wasn't registered, and another device, such as twl4030-madc-hwmon, calls twl4030_madc_conversion() a NULL pointer is dereferenced. Signed-off-by: Kyle Manna Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 3ad5a4fbba0c5c863b0a42e2a6a5007de76d3102 Author: Kyle Manna Date: Thu Aug 11 22:33:12 2011 -0500 mfd: Copy the device pointer to the twl4030-madc structure commit 66cc5b8e50af87b0bbd0f179d76d2826f4549c13 upstream. Worst case this fixes the following error: [ 72.086212] (NULL device *): conversion timeout! Best case it prevents a crash Signed-off-by: Kyle Manna Signed-off-by: Samuel Ortiz commit 4838b7e04451e425895c77f462ae1a70d6d3ff62 Author: Sanjeev Premi Date: Mon Jul 11 20:50:31 2011 +0530 mfd: Fix mismatch in twl4030 mutex lock-unlock commit e178ccb33569da17dc897a08a3865441b813bdfb upstream. A mutex is locked on entry into twl4030_madc_conversion(). Immediate return on some error conditions leaves the mutex locked. This patch ensures that mutex is always unlocked before leaving the function. Signed-off-by: Sanjeev Premi Cc: Keerthy Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 244e209cbfb8fef744f47f4a9fe0b8c036772d8f Author: Emmanuel Grumbach Date: Mon Dec 26 08:47:33 2011 +0200 iwlwifi: update SCD BC table for all SCD queues commit 96f1f05af76b601ab21a7dc603ae0a1cea4efc3d upstream. Since we configure all the queues as CHAINABLE, we need to update the byte count for all the queues, not only the AGGREGATABLE ones. Not doing so can confuse the SCD and make the fw assert. Signed-off-by: Emmanuel Grumbach Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville commit 732e81a7579eb0adb26aeadb209e919ee984d01e Author: Stephen Rothwell Date: Thu Dec 22 17:03:29 2011 +1100 ipv4: using prefetch requires including prefetch.h [ Upstream commit b9eda06f80b0db61a73bd87c6b0eb67d8aca55ad ] Signed-off-by: Stephen Rothwell Acked-by: Eric Dumazet Acked-by: David Miller Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ad5dd5dc45d80c397dfe314934e91d0ead793928 Author: Eric Dumazet Date: Wed Dec 21 15:47:16 2011 -0500 ipv4: reintroduce route cache garbage collector [ Upstream commit 9f28a2fc0bd77511f649c0a788c7bf9a5fd04edb ] Commit 2c8cec5c10b (ipv4: Cache learned PMTU information in inetpeer) removed IP route cache garbage collector a bit too soon, as this gc was responsible for expired routes cleanup, releasing their neighbour reference. As pointed out by Robert Gladewitz, recent kernels can fill and exhaust their neighbour cache. Reintroduce the garbage collection, since we'll have to wait our neighbour lookups become refcount-less to not depend on this stuff. Reported-by: Robert Gladewitz Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6c3efb1526c3fcdab3e5bbc9c77710b306493507 Author: Weiping Pan Date: Thu Dec 1 15:47:06 2011 +0000 ipv4: flush route cache after change accept_local [ Upstream commit d01ff0a049f749e0bf10a35bb23edd012718c8c2 ] After reset ipv4_devconf->data[IPV4_DEVCONF_ACCEPT_LOCAL] to 0, we should flush route cache, or it will continue receive packets with local source address, which should be dropped. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0e5fe3ed8d751c7be333fa193882e91dcc289158 Author: Thomas Graf Date: Mon Dec 19 04:11:40 2011 +0000 sctp: Do not account for sizeof(struct sk_buff) in estimated rwnd [ Upstream commit a76c0adf60f6ca5ff3481992e4ea0383776b24d2 ] When checking whether a DATA chunk fits into the estimated rwnd a full sizeof(struct sk_buff) is added to the needed chunk size. This quickly exhausts the available rwnd space and leads to packets being sent which are much below the PMTU limit. This can lead to much worse performance. The reason for this behaviour was to avoid putting too much memory pressure on the receiver. The concept is not completely irational because a Linux receiver does in fact clone an skb for each DATA chunk delivered. However, Linux also reserves half the available socket buffer space for data structures therefore usage of it is already accounted for. When proposing to change this the last time it was noted that this behaviour was introduced to solve a performance issue caused by rwnd overusage in combination with small DATA chunks. Trying to reproduce this I found that with the sk_buff overhead removed, the performance would improve significantly unless socket buffer limits are increased. The following numbers have been gathered using a patched iperf supporting SCTP over a live 1 Gbit ethernet network. The -l option was used to limit DATA chunk sizes. The numbers listed are based on the average of 3 test runs each. Default values have been used for sk_(r|w)mem. Chunk Size Unpatched No Overhead ------------------------------------- 4 15.2 Kbit [!] 12.2 Mbit [!] 8 35.8 Kbit [!] 26.0 Mbit [!] 16 95.5 Kbit [!] 54.4 Mbit [!] 32 106.7 Mbit 102.3 Mbit 64 189.2 Mbit 188.3 Mbit 128 331.2 Mbit 334.8 Mbit 256 537.7 Mbit 536.0 Mbit 512 766.9 Mbit 766.6 Mbit 1024 810.1 Mbit 808.6 Mbit Signed-off-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f6e4c89e089ae671a677242edb9e8b08c369c415 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose [ Upstream commit 2692ba61a82203404abd7dd2a027bda962861f74 ] Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 01d6bbab3834409c220083f25810be9f1a553054 Author: Eric Dumazet Date: Sun Dec 11 23:42:53 2011 +0000 sch_gred: should not use GFP_KERNEL while holding a spinlock [ Upstream commit 3f1e6d3fd37bd4f25e5b19f1c7ca21850426c33f ] gred_change_vq() is called under sch_tree_lock(sch). This means a spinlock is held, and we are not allowed to sleep in this context. We might pre-allocate memory using GFP_KERNEL before taking spinlock, but this is not suitable for stable material. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ec14c04ec6be93ff397adf250bc91ee77742bfb Author: Gerlando Falauto Date: Mon Dec 19 22:58:04 2011 +0000 net: have ipconfig not wait if no dev is available [ Upstream commit cd7816d14953c8af910af5bb92f488b0b277e29d ] previous commit 3fb72f1e6e6165c5f495e8dc11c5bbd14c73385c makes IP-Config wait for carrier on at least one network device. Before waiting (predefined value 120s), check that at least one device was successfully brought up. Otherwise (e.g. buggy bootloader which does not set the MAC address) there is no point in waiting for carrier. Cc: Micha Nelissen Cc: Holger Brunck Signed-off-by: Gerlando Falauto Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 477a897533f9ab9a6ebb6eedfa9ca3760caa94b2 Author: Thomas Graf Date: Thu Dec 22 02:05:07 2011 +0000 mqprio: Avoid panic if no options are provided [ Upstream commit 7838f2ce36b6ab5c13ef20b1857e3bbd567f1759 ] Userspace may not provide TCA_OPTIONS, in fact tc currently does so not do so if no arguments are specified on the command line. Return EINVAL instead of panicing. Signed-off-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7eac8f9de24674cc55ee9797d05447bbfbdf1a96 Author: Alex Juncu Date: Thu Dec 15 23:01:25 2011 +0000 llc: llc_cmsg_rcv was getting called after sk_eat_skb. [ Upstream commit 9cef310fcdee12b49b8b4c96fd8f611c8873d284 ] Received non stream protocol packets were calling llc_cmsg_rcv that used a skb after that skb was released by sk_eat_skb. This caused received STP packets to generate kernel panics. Signed-off-by: Alexandru Juncu Signed-off-by: Kunjan Naik Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e2f377870311c6e2ecf77e1ed6bbcb175ce0dde9 Author: Djalal Harouni Date: Tue Dec 6 15:47:12 2011 +0000 ppp: fix pptp double release_sock in pptp_bind() [ Upstream commit a454daceb78844a09c08b6e2d8badcb76a5d73b9 ] Signed-off-by: Djalal Harouni Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b3c5fb8252b04ec02654f80988e68852f1a14cb5 Author: Markus Kötter Date: Sat Dec 17 11:39:08 2011 +0000 net: bpf_jit: fix an off-one bug in x86_64 cond jump target [ Upstream commit a03ffcf873fe0f2565386ca8ef832144c42e67fa ] x86 jump instruction size is 2 or 5 bytes (near/long jump), not 2 or 6 bytes. In case a conditional jump is followed by a long jump, conditional jump target is one byte past the start of target instruction. Signed-off-by: Markus Kötter Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2a89fc8b91abf1ba56daa23b05e6572b30331837 Author: David S. Miller Date: Mon Dec 26 12:30:13 2011 -0500 sparc: Fix handling of orig_i0 wrt. debugging when restarting syscalls. [ A combination of upstream commits 1d299bc7732c34d85bd43ac1a8745f5a2fed2078 and e88d2468718b0789b4c33da2f7e1cef2a1eee279 ] Although we provide a proper way for a debugger to control whether syscall restart occurs, we run into problems because orig_i0 is not saved and restored properly. Luckily we can solve this problem without having to make debuggers aware of the issue. Across system calls, several registers are considered volatile and can be safely clobbered. Therefore we use the pt_regs save area of one of those registers, %g6, as a place to save and restore orig_i0. Debuggers transparently will do the right thing because they save and restore this register already. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d4afed4d20e91a12de7cd1c64bb3451ee2236d19 Author: David S. Miller Date: Mon Oct 31 01:05:49 2011 -0700 sparc64: Fix masking and shifting in VIS fpcmp emulation. [ Upstream commit 2e8ecdc008a16b9a6c4b9628bb64d0d1c05f9f92 ] Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 23a652b45554faf08ac5a7a86c176a95cce8ca83 Author: David S. Miller Date: Wed Oct 19 15:31:55 2011 -0700 sparc32: Correct the return value of memcpy. [ Upstream commit a52312b88c8103e965979a79a07f6b34af82ca4b ] Properly return the original destination buffer pointer. Signed-off-by: David S. Miller Tested-by: Kjetil Oftedal Signed-off-by: Greg Kroah-Hartman commit 2588f7f219ab1e93be648ecf8bcb1599b1ecba09 Author: David S. Miller Date: Wed Oct 19 15:30:14 2011 -0700 sparc32: Remove uses of %g7 in memcpy implementation. [ Upstream commit 21f74d361dfd6a7d0e47574e315f780d8172084a ] This is setting things up so that we can correct the return value, so that it properly returns the original destination buffer pointer. Signed-off-by: David S. Miller Tested-by: Kjetil Oftedal Signed-off-by: Greg Kroah-Hartman commit 9dd04b12d0588de337ff615f6991862956dd40de Author: David S. Miller Date: Wed Oct 19 15:15:58 2011 -0700 sparc32: Remove non-kernel code from memcpy implementation. [ Upstream commit 045b7de9ca0cf09f1adc3efa467f668b89238390 ] Signed-off-by: David S. Miller Tested-by: Kjetil Oftedal Signed-off-by: Greg Kroah-Hartman commit 2d2eb1d284257cbb7ebb29bd75a3cbbc9275e4f7 Author: David S. Miller Date: Thu Nov 17 18:17:59 2011 -0800 sparc: Kill custom io_remap_pfn_range(). [ Upstream commit 3e37fd3153ac95088a74f5e7c569f7567e9f993a ] To handle the large physical addresses, just make a simple wrapper around remap_pfn_range() like MIPS does. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cff6d2096e9a57c2497dd5ee4aed3c97149bfc9e Author: David S. Miller Date: Thu Nov 17 22:44:58 2011 -0800 sparc64: Patch sun4v code sequences properly on module load. [ Upstream commit 0b64120cceb86e93cb1bda0dc055f13016646907 ] Some of the sun4v code patching occurs in inline functions visible to, and usable by, modules. Therefore we have to patch them up during module load. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fde939495571ffd22458e94745b0c2e6af33478d Author: David S. Miller Date: Wed Dec 14 10:05:22 2011 -0800 sparc32: Be less strict in matching %lo part of relocation. [ Upstream commit b1f44e13a525d2ffb7d5afe2273b7169d6f2222e ] The "(insn & 0x01800000) != 0x01800000" test matches 'restore' but that is a legitimate place to see the %lo() part of a 32-bit symbol relocation, particularly in tail calls. Signed-off-by: David S. Miller Tested-by: Sergei Trofimovich Signed-off-by: Greg Kroah-Hartman commit 747b409502fe765784cda1135d806042beddaa89 Author: David S. Miller Date: Thu Dec 22 13:23:59 2011 -0800 sparc64: Fix MSIQ HV call ordering in pci_sun4v_msiq_build_irq(). [ Upstream commit 7cc8583372a21d98a23b703ad96cab03180b5030 ] This silently was working for many years and stopped working on Niagara-T3 machines. We need to set the MSIQ to VALID before we can set it's state to IDLE. On Niagara-T3, setting the state to IDLE first was causing HV_EINVAL errors. The hypervisor documentation says, rather ambiguously, that the MSIQ must be "initialized" before one can set the state. I previously understood this to mean merely that a successful setconf() operation has been performed on the MSIQ, which we have done at this point. But it seems to also mean that it has been set VALID too. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fca54d03a85e883b813255c63bbf11049d2eeb7a Author: Nagalakshmi Nandigama Date: Wed Jan 4 09:25:13 2012 -0600 mpt2sas: fix non-x86 crash on shutdown Upstrem commit: 911ae9434f83e7355d343f6c2be3ef5b00ea7aed There's a bug in the MSIX backup and restore routines that cause a crash on non-x86 (direct access to PCI space not via read/write). These routines are unnecessary and were removed by the above commit, so also remove them from stable to fix the crash. Signed-off-by: Nagalakshmi Nandigama Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 7204bf5ef7295b6041047d581153990164b58988 Author: Hillf Danton Date: Wed Dec 28 15:57:16 2011 -0800 mm: hugetlb: fix non-atomic enqueue of huge page commit b0365c8d0cb6e79eb5f21418ae61ab511f31b575 upstream. If a huge page is enqueued under the protection of hugetlb_lock, then the operation is atomic and safe. Signed-off-by: Hillf Danton Reviewed-by: Michal Hocko Acked-by: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6f4214ef6a0e3c8319880eb5570ba2ae787bb577 Author: Alex Deucher Date: Wed Dec 21 11:58:17 2011 -0500 drm/radeon/kms: bail on BTC parts if MC ucode is missing commit 77e00f2ea94abee1ad13bdfde19cf7aa25992b0e upstream. We already do this for cayman, need to also do it for BTC parts. The default memory and voltage setup is not adequate for advanced operation. Continuing will result in an unusable display. Signed-off-by: Alex Deucher Cc: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 33c118d42de2ce4c0dbc60b72b2fdf124a54b19d Author: Mingarelli, Thomas Date: Mon Nov 7 10:59:00 2011 +0100 watchdog: hpwdt: Changes to handle NX secure bit in 32bit path commit e67d668e147c3b4fec638c9e0ace04319f5ceccd upstream. This patch makes use of the set_memory_x() kernel API in order to make necessary BIOS calls to source NMIs. This is needed for SLES11 SP2 and the latest upstream kernel as it appears the NX Execute Disable has grown in its control. Signed-off by: Thomas Mingarelli Signed-off by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 3ce696d12b26c9c1cfedeb194a02606bef2854a4 Author: Hugh Dickins Date: Sat Dec 31 11:44:01 2011 -0800 futex: Fix uninterruptible loop due to gate_area commit e6780f7243eddb133cc20ec37fa69317c218b709 upstream. It was found (by Sasha) that if you use a futex located in the gate area we get stuck in an uninterruptible infinite loop, much like the ZERO_PAGE issue. While looking at this problem, PeterZ realized you'll get into similar trouble when hitting any install_special_pages() mapping. And are there still drivers setting up their own special mmaps without page->mapping, and without special VM or pte flags to make get_user_pages fail? In most cases, if page->mapping is NULL, we do not need to retry at all: Linus points out that even /proc/sys/vm/drop_caches poses no problem, because it ends up using remove_mapping(), which takes care not to interfere when the page reference count is raised. But there is still one case which does need a retry: if memory pressure called shmem_writepage in between get_user_pages_fast dropping page table lock and our acquiring page lock, then the page gets switched from filecache to swapcache (and ->mapping set to NULL) whatever the refcount. Fault it back in to get the page->mapping needed for key->shared.inode. Reported-by: Sasha Levin Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4347b837ab999865063649cf801ba4f8d7e8748e Author: Vladimir Zapolskiy Date: Thu Dec 22 16:15:40 2011 +0100 oprofile, arm/sh: Fix oprofile_arch_exit() linkage issue commit 55205c916e179e09773d98d290334d319f45ac6b upstream. This change fixes a linking problem, which happens if oprofile is selected to be compiled as built-in: `oprofile_arch_exit' referenced in section `.init.text' of arch/arm/oprofile/built-in.o: defined in discarded section `.exit.text' of arch/arm/oprofile/built-in.o The problem is appeared after commit 87121ca504, which introduced oprofile_arch_exit() calls from __init function. Note that the aforementioned commit has been backported to stable branches, and the problem is known to be reproduced at least with 3.0.13 and 3.1.5 kernels. Signed-off-by: Vladimir Zapolskiy Signed-off-by: Robert Richter Cc: Will Deacon Cc: oprofile-list Link: http://lkml.kernel.org/r/20111222151540.GB16765@erda.amd.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 9267a9e850bf6c52dd7c95f3978dc78a1d3ad1a1 Author: Ulf Hansson Date: Tue Dec 13 16:58:43 2011 +0100 ARM: 7220/1: mmc: mmci: Fixup error handling for dma commit 3b6e3c73851a9a4b0e6ed9d378206341dd65e8a5 upstream. When getting a cmd irq during an ongoing data transfer with dma, the dma job were never terminated. This is now corrected. Tested-by: Linus Walleij Signed-off-by: Per Forlin Signed-off-by: Ulf Hansson Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit bc23ab0861a252bdbdf3bd982c37a6a96c2ceba6 Author: Ulf Hansson Date: Tue Dec 13 16:51:04 2011 +0100 ARM: 7214/1: mmc: mmci: Fixup handling of MCI_STARTBITERR commit b63038d6f4ca5d1849ce01d9fc5bb9cb426dec73 upstream. The interrupt was previously enabled and then correctly cleared. Now we also handle it correctly. Tested-by: Linus Walleij Signed-off-by: Ulf Hansson Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 8048ac75378918eab0f68ba175915e72ef73e0da Author: Jason Chen Date: Mon Dec 19 11:23:28 2011 +0800 ARM:imx:fix pwm period value commit 5776ac2eb33164c77cdb4d2b48feee15616eaba3 upstream. According to imx pwm RM, the real period value should be PERIOD value in PWMPR plus 2. PWMO (Hz) = PCLK(Hz) / (period +2) Signed-off-by: Jason Chen Signed-off-by: Sascha Hauer Signed-off-by: Greg Kroah-Hartman commit f3545737cf06d342d34483b7a8421d0bb90b9c1b Author: Srivatsa S. Bhat Date: Thu Dec 22 02:45:29 2011 +0530 VFS: Fix race between CPU hotplug and lglocks commit e30e2fdfe56288576ee9e04dbb06b4bd5f282203 upstream. Currently, the *_global_[un]lock_online() routines are not at all synchronized with CPU hotplug. Soft-lockups detected as a consequence of this race was reported earlier at https://lkml.org/lkml/2011/8/24/185. (Thanks to Cong Meng for finding out that the root-cause of this issue is the race condition between br_write_[un]lock() and CPU hotplug, which results in the lock states getting messed up). Fixing this race by just adding {get,put}_online_cpus() at appropriate places in *_global_[un]lock_online() is not a good option, because, then suddenly br_write_[un]lock() would become blocking, whereas they have been kept as non-blocking all this time, and we would want to keep them that way. So, overall, we want to ensure 3 things: 1. br_write_lock() and br_write_unlock() must remain as non-blocking. 2. The corresponding lock and unlock of the per-cpu spinlocks must not happen for different sets of CPUs. 3. Either prevent any new CPU online operation in between this lock-unlock, or ensure that the newly onlined CPU does not proceed with its corresponding per-cpu spinlock unlocked. To achieve all this: (a) We introduce a new spinlock that is taken by the *_global_lock_online() routine and released by the *_global_unlock_online() routine. (b) We register a callback for CPU hotplug notifications, and this callback takes the same spinlock as above. (c) We maintain a bitmap which is close to the cpu_online_mask, and once it is initialized in the lock_init() code, all future updates to it are done in the callback, under the above spinlock. (d) The above bitmap is used (instead of cpu_online_mask) while locking and unlocking the per-cpu locks. The callback takes the spinlock upon the CPU_UP_PREPARE event. So, if the br_write_lock-unlock sequence is in progress, the callback keeps spinning, thus preventing the CPU online operation till the lock-unlock sequence is complete. This takes care of requirement (3). The bitmap that we maintain remains unmodified throughout the lock-unlock sequence, since all updates to it are managed by the callback, which takes the same spinlock as the one taken by the lock code and released only by the unlock routine. Combining this with (d) above, satisfies requirement (2). Overall, since we use a spinlock (mentioned in (a)) to prevent CPU hotplug operations from racing with br_write_lock-unlock, requirement (1) is also taken care of. By the way, it is to be noted that a CPU offline operation can actually run in parallel with our lock-unlock sequence, because our callback doesn't react to notifications earlier than CPU_DEAD (in order to maintain our bitmap properly). And this means, since we use our own bitmap (which is stale, on purpose) during the lock-unlock sequence, we could end up unlocking the per-cpu lock of an offline CPU (because we had locked it earlier, when the CPU was online), in order to satisfy requirement (2). But this is harmless, though it looks a bit awkward. Debugged-by: Cong Meng Signed-off-by: Srivatsa S. Bhat Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 4875f39a0548a1fa5f55b4a90dca0f4a7ad8f237 Author: Hillf Danton Date: Mon Dec 19 17:11:57 2011 -0800 memcg: keep root group unchanged if creation fails commit a41c58a6665cc995e237303b05db42100b71b65e upstream. If the request is to create non-root group and we fail to meet it, we should leave the root unchanged. Signed-off-by: Hillf Danton Signed-off-by: Hugh Dickins Acked-by: KAMEZAWA Hiroyuki Acked-by: Michal Hocko Cc: Balbir Singh Cc: David Rientjes Cc: Andrea Arcangeli Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a37fd0740a9d2b261dc3d7781e3f3923f9076bb1 Author: Wey-Yi Guy Date: Wed Dec 14 08:22:36 2011 -0800 iwlwifi: allow to switch to HT40 if not associated commit 78feb35b8161acd95c33a703ed6ab6f554d29387 upstream. My previous patch 34a5b4b6af104cf18eb50748509528b9bdbc4036 iwlwifi: do not re-configure HT40 after associated Fix the case of HT40 after association on specified AP, but it break the association for some APs and cause not able to establish connection. We need to address HT40 before and after addociation. Reported-by: Andrej Gelenberg Signed-off-by: Wey-Yi Guy Tested-by: Andrej Gelenberg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3ed4fae4b9ff076b6a88b341491dc8dee2977f88 Author: Wey-Yi Guy Date: Thu Dec 8 15:52:00 2011 -0800 iwlwifi: do not set the sequence control bit is not needed commit 123877b80ed62c3b897c53357b622574c023b642 upstream. Check the IEEE80211_TX_CTL_ASSIGN_SEQ flag from mac80211, then decide how to set the TX_CMD_FLG_SEQ_CTL_MSK bit. Setting the wrong bit in BAR frame whill make the firmware to increment the sequence number which is incorrect and cause unknown behavior. Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3c00ff7bd542942ff7f3e473d1372b4ae892318f Author: Rajkumar Manoharan Date: Sat Dec 10 18:59:43 2011 +0530 ath9k: fix max phy rate at rate control init commit 10636bc2d60942254bda149827b922c41f4cb4af upstream. The stations always chooses 1Mbps for all trasmitting frames, whenever the AP is configured to lock the supported rates. As the max phy rate is always set with the 4th from highest phy rate, this assumption might be wrong if we have less than that. Fix that. Cc: Paul Stewart Reported-by: Ajay Gummalla Signed-off-by: Rajkumar Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2daac55a9ada99404e67f4f8182a66c4ee8b3969 Author: Sylwester Nawrocki Date: Fri Nov 4 10:07:06 2011 -0300 media: s5p-fimc: Use correct fourcc for RGB565 colour format commit f83f71fda27650ae43558633be93652577dbc38c upstream. With 16-bit RGB565 colour format pixels are stored by the device in memory in the following order: | b3 | b2 | b1 | b0 | ~+-----+-----+-----+-----+ | R5 G6 B5 | R5 G6 B5 | This corresponds to V4L2_PIX_FMT_RGB565 fourcc, not V4L2_PIX_FMT_RGB565X. This change is required to avoid trouble when setting up video pipeline with the s5p-tv devices, so the colour formats at both devices can be properly matched. Signed-off-by: Sylwester Nawrocki Signed-off-by: Kyungmin Park Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2f79eddd49d391aded0b0c20f7eef3bec6d5e096 Author: Dave Kleikamp Date: Wed Dec 21 11:05:48 2011 -0600 vfs: __read_cache_page should use gfp argument rather than GFP_KERNEL commit e6f67b8c05f5e129e126f4409ddac6f25f58ffcb upstream. lockdep reports a deadlock in jfs because a special inode's rw semaphore is taken recursively. The mapping's gfp mask is GFP_NOFS, but is not used when __read_cache_page() calls add_to_page_cache_lru(). Signed-off-by: Dave Kleikamp Acked-by: Hugh Dickins Acked-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 20e725bc08091c303a469d8e1e295bf3b360c778 Author: Ilya Yanok Date: Mon Aug 1 23:00:28 2011 +0200 mfd: Fix twl-core oops while calling twl_i2c_* for unbound driver commit 8653be1afd60d6e8c36139b487e375b70357d9ef upstream. Check inuse variable before trying to access twl_map to prevent dereferencing of uninitialized variable. Signed-off-by: Ilya Yanok Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit b05727c7f8e3b30309d013a7d3bbc6d1e6f860ba Author: Mandeep Singh Baines Date: Thu Dec 15 11:36:43 2011 -0800 cgroups: fix a css_set not found bug in cgroup_attach_proc commit e0197aae59e55c06db172bfbe1a1cdb8c0e1cab3 upstream. There is a BUG when migrating a PF_EXITING proc. Since css_set_prefetch() is not called for the PF_EXITING case, find_existing_css_set() will return NULL inside cgroup_task_migrate() causing a BUG. This bug is easy to reproduce. Create a zombie and echo its pid to cgroup.procs. $ cat zombie.c \#include int main() { if (fork()) pause(); return 0; } $ We are hitting this bug pretty regularly on ChromeOS. This bug is already fixed by Tejun Heo's cgroup patchset which is targetted for the next merge window: https://lkml.org/lkml/2011/11/1/356 I've create a smaller patch here which just fixes this bug so that a fix can be merged into the current release and stable. Signed-off-by: Mandeep Singh Baines Downstream-Bug-Report: http://crosbug.com/23953 Reviewed-by: Li Zefan Signed-off-by: Tejun Heo Cc: containers@lists.linux-foundation.org Cc: cgroups@vger.kernel.org Cc: KAMEZAWA Hiroyuki Cc: Frederic Weisbecker Cc: Oleg Nesterov Cc: Andrew Morton Cc: Paul Menage Cc: Olof Johansson Signed-off-by: Greg Kroah-Hartman commit 2aad1ca4711a46ca4540c924ffb84e7673a4738c Author: Rusty Russell Date: Thu Dec 15 13:34:50 2011 +1030 mmc: vub300: fix type of firmware_rom_wait_states module parameter commit 61074287c2965edf0fc75b54ae8f4ce99f182669 upstream. You didn't mean this to be a bool. Signed-off-by: Rusty Russell Acked-by: Tony Olech Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 2e23cd501a9c6a0bfbe2b44781b4a35b0f0d4f29 Author: Thomas Meyer Date: Mon Dec 19 17:11:55 2011 -0800 nilfs2: unbreak compat ioctl commit 695c60f21c69e525a89279a5f35bae4ff237afbc upstream. commit 828b1c50ae ("nilfs2: add compat ioctl") incidentally broke all other NILFS compat ioctls. Make them work again. Signed-off-by: Thomas Meyer Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 52367e4731f577370011910c06cb428df55d054b Author: David Howells Date: Tue Dec 13 14:49:04 2011 +0000 SELinux: Fix RCU deref check warning in sel_netport_insert() commit 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 upstream. Fix the following bug in sel_netport_insert() where rcu_dereference() should be rcu_dereference_protected() as sel_netport_lock is held. =================================================== [ INFO: suspicious rcu_dereference_check() usage. ] --------------------------------------------------- security/selinux/netport.c:127 invoked rcu_dereference_check() without protection! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 1 lock held by ossec-rootcheck/3323: #0: (sel_netport_lock){+.....}, at: [] sel_netport_sid+0xbb/0x226 stack backtrace: Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095 Call Trace: [] lockdep_rcu_dereference+0xa7/0xb0 [] sel_netport_sid+0x1b7/0x226 [] ? sel_netport_avc_callback+0xbc/0xbc [] selinux_socket_bind+0x115/0x230 [] ? might_fault+0x4e/0x9e [] ? might_fault+0x97/0x9e [] security_socket_bind+0x11/0x13 [] sys_bind+0x56/0x95 [] ? sysret_check+0x27/0x62 [] ? trace_hardirqs_on_caller+0x11e/0x155 [] ? audit_syscall_entry+0x17b/0x1ae [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Signed-off-by: David Howells Acked-by: Paul Moore Acked-by: Eric Dumazet Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 746b9ba6177ef65cd2e5b674b9b8b61b09c74421 Author: Trond Myklebust Date: Thu Dec 1 16:37:42 2011 -0500 NFSv4.1: Ensure that we handle _all_ SEQUENCE status bits. commit 111d489f0fb431f4ae85d96851fbf8d3248c09d8 upstream. Currently, the code assumes that the SEQUENCE status bits are mutually exclusive. They are not... Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 3c681ec96dcc0acd6d5386773b44e6c129919394 Author: Robert Richter Date: Mon Dec 19 16:38:30 2011 +0100 oprofile: Fix uninitialized memory access when writing to writing to oprofilefs commit 913050b91eb94f194392dd797b1ff3779f606ac0 upstream. If oprofilefs_ulong_from_user() is called with count equals zero, *val remains unchanged. Depending on the implementation it might be uninitialized. Change oprofilefs_ulong_from_user()'s interface to return count on success. Thus, we are able to return early if count equals zero which avoids using *val uninitialized. Fixing all users of oprofilefs_ulong_ from_user(). This follows write syscall implementation when count is zero: "If count is zero ... [and if] no errors are detected, 0 will be returned without causing any other effect." (man 2 write) Reported-By: Mike Waychison Signed-off-by: Robert Richter Cc: Andrew Morton Cc: oprofile-list Link: http://lkml.kernel.org/r/20111219153830.GH16765@erda.amd.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 724c6ae2912dbfc5c6a9e309f92b786fbc141462 Author: Frantisek Hrbata Date: Mon Dec 19 17:11:59 2011 -0800 oom: fix integer overflow of points in oom_badness commit ff05b6f7ae762b6eb464183eec994b28ea09f6dd upstream. An integer overflow will happen on 64bit archs if task's sum of rss, swapents and nr_ptes exceeds (2^31)/1000 value. This was introduced by commit f755a04 oom: use pte pages in OOM score where the oom score computation was divided into several steps and it's no longer computed as one expression in unsigned long(rss, swapents, nr_pte are unsigned long), where the result value assigned to points(int) is in range(1..1000). So there could be an int overflow while computing 176 points *= 1000; and points may have negative value. Meaning the oom score for a mem hog task will be one. 196 if (points <= 0) 197 return 1; For example: [ 3366] 0 3366 35390480 24303939 5 0 0 oom01 Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical memory, but it's oom score is one. In this situation the mem hog task is skipped and oom killer kills another and most probably innocent task with oom score greater than one. The points variable should be of type long instead of int to prevent the int overflow. Signed-off-by: Frantisek Hrbata Acked-by: KOSAKI Motohiro Acked-by: Oleg Nesterov Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5b8befdb785856462ee5eafc8a52ceb78e720f77 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak commit 3d3c8f93a237b64580c5c5e138edeb1377e98230 upstream. binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d051424f29eac6b4c173365a3ba5b9bb76870ce6 Author: Eugene Surovegin Date: Thu Dec 15 11:25:59 2011 -0800 percpu: fix per_cpu_ptr_to_phys() handling of non-page-aligned addresses commit 9f57bd4d6dc69a4e3bf43044fa00fcd24dd363e3 upstream. per_cpu_ptr_to_phys() incorrectly rounds up its result for non-kmalloc case to the page boundary, which is bogus for any non-page-aligned address. This affects the only in-tree user of this function - sysfs handler for per-cpu 'crash_notes' physical address. The trouble is that the crash_notes per-cpu variable is not page-aligned: crash_notes = 0xc08e8ed4 PER-CPU OFFSET VALUES: CPU 0: 3711f000 CPU 1: 37129000 CPU 2: 37133000 CPU 3: 3713d000 So, the per-cpu addresses are: crash_notes on CPU 0: f7a07ed4 => phys 36b57ed4 crash_notes on CPU 1: f7a11ed4 => phys 36b4ded4 crash_notes on CPU 2: f7a1bed4 => phys 36b43ed4 crash_notes on CPU 3: f7a25ed4 => phys 36b39ed4 However, /sys/devices/system/cpu/cpu*/crash_notes says: /sys/devices/system/cpu/cpu0/crash_notes: 36b57000 /sys/devices/system/cpu/cpu1/crash_notes: 36b4d000 /sys/devices/system/cpu/cpu2/crash_notes: 36b43000 /sys/devices/system/cpu/cpu3/crash_notes: 36b39000 As you can see, all values are rounded down to a page boundary. Consequently, this is where kexec sets up the NOTE segments, and thus where the secondary kernel is looking for them. However, when the first kernel crashes, it saves the notes to the unaligned addresses, where they are not found. Fix it by adding offset_in_page() to the translated page address. -tj: Combined Eugene's and Petr's commit messages. Signed-off-by: Eugene Surovegin Signed-off-by: Tejun Heo Reported-by: Petr Tesarik Signed-off-by: Greg Kroah-Hartman commit 5cb6d2895e510f77514ef15c8f061621f09e4d78 Author: Dmitry Torokhov Date: Mon Dec 12 00:05:53 2011 -0800 Input: synaptics - fix touchpad not working after S2R on Vostro V13 commit 8521478f67e95ada4e87970c7b41e504c724b2cf upstream. Synaptics touchpads on several Dell laptops, particularly Vostro V13 systems, may not respond properly to PS/2 commands and queries immediately after resuming from suspend to RAM. This leads to unresponsive touchpad after suspend/resume cycle. Adding a 1-second delay after resetting the device allows touchpad to finish initializing (calibrating?) and start reacting properly. Reported-by: Daniel Manrique Tested-by: Daniel Manrique Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 43579d76bdd733c9baf131bbc29719c2a2821569 Author: Jason Chen Date: Wed Nov 30 11:34:27 2011 +0800 MXC PWM: should active during DOZE/WAIT/DBG mode commit c0d96aed8c6dd925afe9ea35491a0cd458642a86 upstream. Signed-off-by: Jason Chen Signed-off-by: Sascha Hauer Signed-off-by: Greg Kroah-Hartman commit fcd02ab513c07dfc792fff5baa7ba7e930eba4b0 Author: Hauke Mehrtens Date: Mon Dec 5 23:19:51 2011 +0100 ssb: fix init regression with SoCs commit 329456d1ffb416c220813725b7363cda9975c9aa upstream. This fixes a Data bus error on some SoCs. The first fix for this problem did not solve it on all devices. commit 6ae8ec27868bfdbb815287bee8146acbefaee867 Author: Rafał Miłecki Date: Tue Jul 5 17:25:32 2011 +0200 ssb: fix init regression of hostmode PCI core In ssb_pcicore_fix_sprom_core_index() the sprom on the PCI core is accessed, but the sprom only exists when the ssb bus is connected over a PCI bus to the rest of the system and not when the SSB Bus is the main system bus. SoCs sometimes have a PCI host controller and there this code will not be executed, but there are some old SoCs with an PCI controller in client mode around and ssb_pcicore_fix_sprom_core_index() should not be called on these devices too. The PCI controller on these devices are unused, but without this fix it results in an Data bus error when it gets initialized. Cc: Michael Buesch Cc: Rafał Miłecki Signed-off-by: Hauke Mehrtens Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d27bf91d1a9ea58a32bf9dd949e93bb1dc1fc9bf Author: Mike Snitzer Date: Wed Nov 23 10:59:13 2011 +0100 block: initialize request_queue's numa node during commit 5151412dd4338b273afdb107c3772528e9e67d92 upstream. struct request_queue is allocated with __GFP_ZERO so its "node" field is zero before initialization. This causes an oops if node 0 is offline in the page allocator because its zonelists are not initialized. From Dave Young's dmesg: SRAT: Node 1 PXM 2 0-d0000000 SRAT: Node 1 PXM 2 100000000-330000000 SRAT: Node 0 PXM 1 330000000-630000000 Initmem setup node 1 0000000000000000-000000000affb000 ... Built 1 zonelists in Node order, mobility grouping on. ... BUG: unable to handle kernel paging request at 0000000000001c08 IP: [] __alloc_pages_nodemask+0xb5/0x870 and __alloc_pages_nodemask+0xb5 translates to a NULL pointer on zonelist->_zonerefs. The fix is to initialize q->node at the time of allocation so the correct node is passed to the slab allocator later. Since blk_init_allocated_queue_node() is no longer needed, merge it with blk_init_allocated_queue(). [rientjes@google.com: changelog, initializing q->node] Reported-by: Dave Young Signed-off-by: Mike Snitzer Signed-off-by: David Rientjes Tested-by: Dave Young Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit afa2450ce311b3182c737c3fda59bb557da93409 Author: Johannes Berg Date: Wed Dec 7 09:02:21 2011 +0100 mac80211: fix another race in aggregation start commit 15062e6a8524f5977f2cbdf6e3eb2f144262f74e upstream. Emmanuel noticed that when mac80211 stops the queues for aggregation that can leave a packet pending. This packet will be given to the driver after the AMPDU callback, but as a non-aggregated packet which messes up the sequence number etc. I also noticed by looking at the code that if packets are being processed while we clear the WANT_START bit, they might see it cleared already and queue up on tid_tx->pending. If the driver then rejects the new aggregation session we leak the packet. Fix both of these issues by changing this code to not stop the queues at all. Instead, let packets queue up on the tid_tx->pending queue instead of letting them get to the driver, and add code to recover properly in case the driver rejects the session. (The patch looks large because it has to move two functions to before their new use.) Reported-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d27020f6c090faf3688324af9a8b496435285039 Author: Thomas Gleixner Date: Fri Nov 11 20:52:01 2011 +0100 SCSI: fcoe: Fix preempt count leak in fcoe_filter_frames() commit 7e1e7ead88dff75b11b86ee0d5232c4591be1326 upstream. The error exit path leaks preempt count. Add the missing put_cpu(). Signed-off-by: Thomas Gleixner Reviewed-by: Yi Zou Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e57a4c768c03a91334759def503b2d7616028a35 Author: Anton Blanchard Date: Mon Nov 7 22:05:21 2011 +1100 SCSI: mpt2sas: _scsih_smart_predicted_fault uses GFP_KERNEL in interrupt context commit f6a290b419a2675c4b77a6b0731cd2a64332365e upstream. _scsih_smart_predicted_fault is called in an interrupt and therefore must allocate memory using GFP_ATOMIC. Signed-off-by: Anton Blanchard Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3b538a7aaf6468c40a1faa559417e6165456b8e3 Author: Steffen Maier Date: Fri Nov 18 20:00:40 2011 +0100 SCSI: zfcp: return early from slave_destroy if slave_alloc returned early commit 44f747fff6e9f027a4866c1a6864e26ae7c510c8 upstream. zfcp_scsi_slave_destroy erroneously always tried to finish its task even if the corresponding previous zfcp_scsi_slave_alloc returned early. This can lead to kernel page faults on accessing uninitialized fields of struct zfcp_scsi_dev in zfcp_erp_lun_shutdown_wait. Take the port field of the struct to determine if slave_alloc returned early. This zfcp bug is exposed by 4e6c82b (in turn fixing f7c9c6b to be compatible with 21208ae) which can call slave_destroy for a corresponding previous slave_alloc that did not finish. This patch is based on James Bottomley's fix suggestion in http://www.spinics.net/lists/linux-scsi/msg55449.html. Signed-off-by: Steffen Maier Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit cec3c159f674367def095745a72ac6150f889243 Author: Yasuaki Ishimatsu Date: Fri Dec 2 10:07:07 2011 +0100 cfq-iosched: fix cfq_cic_link() race confition commit 5eb46851de3904cd1be9192fdacb8d34deadc1fc upstream. cfq_cic_link() has race condition. When some processes which shared ioc issue I/O to same block device simultaneously, cfq_cic_link() returns -EEXIST sometimes. The race condition might stop I/O by following steps: step 1: Process A: Issue an I/O to /dev/sda step 2: Process A: Get an ioc (iocA here) in get_io_context() which does not linked with a cic for the device step 3: Process A: Get a new cic for the device (cicA here) in cfq_alloc_io_context() step 4: Process B: Issue an I/O to /dev/sda step 5: Process B: Get iocA in get_io_context() since process A and B share the same ioc step 6: Process B: Get a new cic for the device (cicB here) in cfq_alloc_io_context() since iocA has not been linked with a cic for the device yet step 7: Process A: Link cicA to iocA in cfq_cic_link() step 8: Process A: Dispatch I/O to driver and finish it step 9: Process B: Try to link cicB to iocA in cfq_cic_link() But it fails with showing "cfq: cic link failed!" kernel message, since iocA has already linked with cicA at step 7. step 10: Process B: Wait for finishig I/O in get_request_wait() The function does not wake up, when there is no I/O to the device. When cfq_cic_link() returns -EEXIST, it means ioc has already linked with cic. So when cfq_cic_link() return -EEXIST, retry cfq_cic_lookup(). Signed-off-by: Yasuaki Ishimatsu Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 8f8a594251e5260f53d746887890d0d2185ceebb Author: majianpeng Date: Wed Nov 30 15:47:48 2011 +0100 cfq-iosched: free cic_index if blkio_alloc_blkg_stats fails commit 2984ff38ccf6cbc02a7a996a36c7d6f69f3c6146 upstream. If we fail allocating the blkpg stats, we free cfqd and cfgq. But we need to free the IDA cfqd->cic_index as well. Signed-off-by: majianpeng Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 183647b865aea1411c87f9b76b8c74511e34807d Author: Eugeni Dodonov Date: Thu Nov 10 13:55:15 2011 -0200 drm/i915: prevent division by zero when asking for chipset power commit 4ed0b577457eb6aeb7cdc7e7316576e63d15abb2 upstream. This prevents an in-kernel division by zero which happens when we are asking for i915_chipset_val too quickly, or within a race condition between the power monitoring thread and userspace accesses via debugfs. The issue can be reproduced easily via the following command: while ``; do cat /sys/kernel/debug/dri/0/i915_emon_status; done This is particularly dangerous because it can be triggered by a non-privileged user by just reading the debugfs entry. This issue was also found independently by Konstantin Belousov