commit 97596c34030ed28657ccafddb67e17a03890b90a Author: Greg Kroah-Hartman Date: Tue Oct 25 07:11:12 2011 +0200 Linux 3.0.8 commit d2a0110b7fb182c2c81144b834ddc7b3d645fe1e Author: Seth Forshee Date: Thu Sep 15 10:48:27 2011 -0400 hfsplus: Fix kfree of wrong pointers in hfsplus_fill_super() error path commit f588c960fcaa6fa8bf82930bb819c9aca4eb9347 upstream. Commit 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors") changed the pointers used for volume header allocations but failed to free the correct pointers in the error path path of hfsplus_fill_super() and hfsplus_read_wrapper. The second hunk came from a separate patch by Pavel Ivanov. Reported-by: Pavel Ivanov Signed-off-by: Seth Forshee Signed-off-by: Christoph Hellwig Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 818c85eb8d9be62cbe0938b6f93cf34c6663fffe Author: Takashi Iwai Date: Tue Oct 18 10:44:05 2011 +0200 ALSA: hda - Add position_fix quirk for Dell Inspiron 1010 commit 051a8cb6550d917225ead1cd008b5966350f6d53 upstream. The previous fix for the position-buffer check gives yet another regression on a Dell laptop. The safest fix right now is to add a static quirk for this device (and better to apply it for stable kernels too). Reported-by: Éric Piel Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9a09cfcba1fe58a78ef6ce424b263a64edcadf26 Author: Daniel Suchy Date: Tue Oct 18 11:09:44 2011 +0200 ALSA: HDA: conexant support for Lenovo T520/W520 commit ca201c096269ee2d40037fea96a59fd0695888c4 upstream. This is patch for Conexant codec of Intel HDA driver, adding new quirk for Lenovo Thinkpad T520 and W520. Conexant autodetection works fine for T520 (similar subsystem ID is used also in W520 model) and detects more mixer features compared to generic (fallback) Lenovo quirk with hardcoded options in Conexant codec. Patch was activelly tested with Linux 3.0.4, 3.0.6 and 3.0.7 without any problems. Signed-off-by: Daniel Suchy Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bf9f0eb856b58c7b35b38f7fc7340a889e7905e3 Author: Nick Bowler Date: Thu Oct 20 14:16:55 2011 +0200 crypto: ghash - Avoid null pointer dereference if no key is set commit 7ed47b7d142ec99ad6880bbbec51e9f12b3af74c upstream. The ghash_update function passes a pointer to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or if the most recent call to ghash_setkey failed to allocate memory. This causes an oops. Fix this up by returning an error code in the null case. This is trivially triggered from unprivileged userspace through the AF_ALG interface by simply writing to the socket without setting a key. The ghash_final function has a similar issue, but triggering it requires a memory allocation failure in ghash_setkey _after_ at least one successful call to ghash_update. BUG: unable to handle kernel NULL pointer dereference at 00000670 IP: [] gf128mul_4k_lle+0x23/0x60 [gf128mul] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs EIP: 0060:[] EFLAGS: 00000202 CPU: 0 EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul] EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000 ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000) Stack: 00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000 00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc 00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000 Call Trace: [] ? kmap_atomic_prot+0x37/0xa6 [] ghash_update+0x85/0xbe [ghash_generic] [] crypto_shash_update+0x18/0x1b [] shash_ahash_update+0x22/0x36 [] shash_async_update+0xb/0xd [] hash_sendpage+0xba/0xf2 [algif_hash] [] kernel_sendpage+0x39/0x4e [] ? 0xd88cdfff [] sock_sendpage+0x37/0x3e [] ? kernel_sendpage+0x4e/0x4e [] pipe_to_sendpage+0x56/0x61 [] splice_from_pipe_feed+0x58/0xcd [] ? splice_from_pipe_begin+0x10/0x10 [] __splice_from_pipe+0x36/0x55 [] ? splice_from_pipe_begin+0x10/0x10 [] splice_from_pipe+0x51/0x64 [] ? default_file_splice_write+0x2c/0x2c [] generic_splice_sendpage+0x13/0x15 [] ? splice_from_pipe_begin+0x10/0x10 [] do_splice_from+0x5d/0x67 [] sys_splice+0x2bf/0x363 [] ? sysenter_exit+0xf/0x16 [] ? trace_hardirqs_on_caller+0x10e/0x13f [] sysenter_do_call+0x12/0x32 Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f EIP: [] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4 CR2: 0000000000000670 ---[ end trace 4eaa2a86a8e2da24 ]--- note: hashatron[1502] exited with preempt_count 1 BUG: scheduling while atomic: hashatron/1502/0x10000002 INFO: lockdep is turned off. [...] Signed-off-by: Nick Bowler Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 4ea7f3aa5d3fbec2e09edb8c03bc764f9514d3d2 Author: Matthew Daley Date: Fri Oct 14 18:45:05 2011 +0000 x25: Prevent skb overreads when checking call user data commit 7f81e25befdfb3272345a2e775f520e1d515fa20 upstream. x25_find_listener does not check that the amount of call user data given in the skb is big enough in per-socket comparisons, hence buffer overreads may occur. Fix this by adding a check. Signed-off-by: Matthew Daley Cc: Eric Dumazet Cc: Andrew Hendry Acked-by: Andrew Hendry Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6b2f66dc9cabb7eb348587fdac6b3a64545e2d5f Author: Hugh Dickins Date: Wed Oct 19 12:50:35 2011 -0700 mm: fix race between mremap and removing migration entry commit 486cf46f3f9be5f2a966016c1a8fe01e32cde09e upstream. I don't usually pay much attention to the stale "? " addresses in stack backtraces, but this lucky report from Pawel Sikora hints that mremap's move_ptes() has inadequate locking against page migration. 3.0 BUG_ON(!PageLocked(p)) in migration_entry_to_page(): kernel BUG at include/linux/swapops.h:105! RIP: 0010:[] [] migration_entry_wait+0x156/0x160 [] handle_pte_fault+0xae1/0xaf0 [] ? __pte_alloc+0x42/0x120 [] ? do_huge_pmd_anonymous_page+0xab/0x310 [] handle_mm_fault+0x181/0x310 [] ? vma_adjust+0x537/0x570 [] do_page_fault+0x11d/0x4e0 [] ? do_mremap+0x2d5/0x570 [] page_fault+0x1f/0x30 mremap's down_write of mmap_sem, together with i_mmap_mutex or lock, and pagetable locks, were good enough before page migration (with its requirement that every migration entry be found) came in, and enough while migration always held mmap_sem; but not enough nowadays, when there's memory hotremove and compaction. The danger is that move_ptes() lets a migration entry dodge around behind remove_migration_pte()'s back, so it's in the old location when looking at the new, then in the new location when looking at the old. Either mremap's move_ptes() must additionally take anon_vma lock(), or migration's remove_migration_pte() must stop peeking for is_swap_entry() before it takes pagetable lock. Consensus chooses the latter: we prefer to add overhead to migration than to mremapping, which gets used by JVMs and by exec stack setup. Reported-and-tested-by: Paweł Sikora Signed-off-by: Hugh Dickins Acked-by: Andrea Arcangeli Acked-by: Mel Gorman Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 63e010153fc0f683bb1170917874824a1927ef69 Author: Jean Delvare Date: Thu Oct 20 03:06:45 2011 -0400 hwmon: (w83627ehf) Fix negative 8-bit temperature values commit 133d324d82e144588939ad25b732b5b6c33b03d9 upstream. Since 8-bit temperature values are now handled in 16-bit struct members, values have to be cast to s8 for negative temperatures to be properly handled. This is broken since kernel version 2.6.39 (commit bce26c58df86599c9570cee83eac58bdaae760e4.) Signed-off-by: Jean Delvare Cc: Guenter Roeck Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 83643e5d134408e61504caa4e3e9dd776ddd4207 Author: Takashi Iwai Date: Sun Oct 23 23:19:12 2011 +0200 x86: Fix S4 regression commit 8548c84da2f47e71bbbe300f55edb768492575f7 upstream. Commit 4b239f458 ("x86-64, mm: Put early page table high") causes a S4 regression since 2.6.39, namely the machine reboots occasionally at S4 resume. It doesn't happen always, overall rate is about 1/20. But, like other bugs, once when this happens, it continues to happen. This patch fixes the problem by essentially reverting the memory assignment in the older way. Signed-off-by: Takashi Iwai Cc: Rafael J. Wysocki Cc: Yinghai Lu [ We'll hopefully find the real fix, but that's too late for 3.1 now ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f92a292abeee48559493433e4e947d0f49fcdd8d Author: Chris Boot Date: Mon Aug 22 21:38:38 2011 +0100 firewire: sbp2: fix panic after rmmod with slow targets commit 0278ccd9d53e07c4e699432b2fed9de6c56f506c upstream. If firewire-sbp2 starts a login to a target that doesn't complete ORBs in a timely manner (and has to retry the login), and the module is removed before the operation times out, you end up with a null-pointer dereference and a kernel panic. [SR: This happens because sbp2_target_get/put() do not maintain module references. scsi_device_get/put() do, but at occasions like Chris describes one, nobody holds a reference to an SBP-2 sdev.] This patch cancels pending work for each unit in sbp2_remove(), which hopefully means there are no extra references around that prevent us from unloading. This fixes my crash. Signed-off-by: Chris Boot Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit c7eead1e118fb7e34ee8f5063c3c090c054c3820 Author: Christoph Hellwig Date: Tue Oct 18 10:23:19 2011 -0400 xfs: revert to using a kthread for AIL pushing commit 0030807c66f058230bcb20d2573bcaf28852e804 upstream Currently we have a few issues with the way the workqueue code is used to implement AIL pushing: - it accidentally uses the same workqueue as the syncer action, and thus can be prevented from running if there are enough sync actions active in the system. - it doesn't use the HIGHPRI flag to queue at the head of the queue of work items At this point I'm not confident enough in getting all the workqueue flags and tweaks right to provide a perfectly reliable execution context for AIL pushing, which is the most important piece in XFS to make forward progress when the log fills. Revert back to use a kthread per filesystem which fixes all the above issues at the cost of having a task struct and stack around for each mounted filesystem. In addition this also gives us much better ways to diagnose any issues involving hung AIL pushing and removes a small amount of code. Signed-off-by: Christoph Hellwig Reported-by: Stefan Priebe Tested-by: Stefan Priebe Signed-off-by: Greg Kroah-Hartman commit e7bde7c73957cfda82963127421069d13a44e921 Author: Christoph Hellwig Date: Tue Oct 18 10:23:18 2011 -0400 xfs: force the log if we encounter pinned buffers in .iop_pushbuf commit 17b38471c3c07a49f0bbc2ecc2e92050c164e226 upstream We need to check for pinned buffers even in .iop_pushbuf given that inode items flush into the same buffers that may be pinned directly due operations on the unlinked inode list operating directly on buffers. To do this add a return value to .iop_pushbuf that tells the AIL push about this and use the existing log force mechanisms to unpin it. Signed-off-by: Christoph Hellwig Reported-by: Stefan Priebe Tested-by: Stefan Priebe Signed-off-by: Greg Kroah-Hartman commit 838599d118dd286b831ba45ae380c5870ff82fe9 Author: Christoph Hellwig Date: Tue Oct 18 10:23:17 2011 -0400 xfs: do not update xa_last_pushed_lsn for locked items commit bc6e588a8971aa74c02e42db4d6e0248679f3738 upstream If an item was locked we should not update xa_last_pushed_lsn and thus skip it when restarting the AIL scan as we need to be able to lock and write it out as soon as possible. Otherwise heavy lock contention might starve AIL pushing too easily, especially given the larger backoff once we moved xa_last_pushed_lsn all the way to the target lsn. Signed-off-by: Christoph Hellwig Reported-by: Stefan Priebe Tested-by: Stefan Priebe Signed-off-by: Greg Kroah-Hartman commit f5d5ee3686ab928549370e4e584a2c32ef708a37 Author: Dave Chinner Date: Tue Oct 18 10:23:16 2011 -0400 xfs: use a cursor for bulk AIL insertion commit 1d8c95a363bf8cd4d4182dd19c01693b635311c2 upstream xfs: use a cursor for bulk AIL insertion Delayed logging can insert tens of thousands of log items into the AIL at the same LSN. When the committing of log commit records occur, we can get insertions occurring at an LSN that is not at the end of the AIL. If there are thousands of items in the AIL on the tail LSN, each insertion has to walk the AIL to find the correct place to insert the new item into the AIL. This can consume large amounts of CPU time and block other operations from occurring while the traversals are in progress. To avoid this repeated walk, use a AIL cursor to record where we should be inserting the new items into the AIL without having to repeat the walk. The cursor infrastructure already provides this functionality for push walks, so is a simple extension of existing code. While this will not avoid the initial walk, it will avoid repeating it tens of thousands of times during a single checkpoint commit. This version includes logic improvements from Christoph Hellwig. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Signed-off-by: Alex Elder Signed-off-by: Greg Kroah-Hartman commit eedc6389bb43769e82f2779dabd45865d2b892e4 Author: Christoph Hellwig Date: Tue Oct 18 10:23:15 2011 -0400 xfs: start periodic workers later commit 2bcf6e970f5a88fa05dced5eeb0326e13d93c4a1 upstream Start the periodic sync workers only after we have finished xfs_mountfs and thus fully set up the filesystem structures. Without this we can call into xfs_qm_sync before the quotainfo strucute is set up if the mount takes unusually long, and probably hit other incomplete states as well. Also clean up the xfs_fs_fill_super error path by using consistent label names, and removing an impossible to reach case. Signed-off-by: Christoph Hellwig Reported-by: Arkadiusz Miskiewicz Reviewed-by: Alex Elder Signed-off-by: Greg Kroah-Hartman commit f24d5457bd706667951021530dd0590a1f3e9464 Author: Pavel Shilovsky Date: Sun Aug 21 19:30:15 2011 +0400 CIFS: Fix ERR_PTR dereference in cifs_get_root commit 5b980b01212199833ee8023770fa4cbf1b85e9f4 upstream. move it to the beginning of the loop. Signed-off-by: Pavel Shilovsky Reviewed-by: Jeff Layton Signed-off-by: Steve French Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 726e2766e04f31620d61cbb8bd9fbf7abe962d02 Author: Ben Skeggs Date: Mon Aug 22 03:15:04 2011 +0000 drm/ttm: unbind ttm before destroying node in accel move cleanup commit eac2095398668f989a3dd8d00be1b87850d78c01 upstream. Nouveau makes the assumption that if a TTM is bound there will be a mm_node around for it and the backwards ordering here resulted in a use-after-free on some eviction paths. Signed-off-by: Ben Skeggs Signed-off-by: Dave Airlie Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 379791a66688385cf75c8aece1a81fc68f536cd4 Author: Ben Skeggs Date: Mon Aug 22 03:15:05 2011 +0000 drm/ttm: ensure ttm for new node is bound before calling move_notify() commit 8d3bb23609d4ae22803a15d232289fc09a7b61c4 upstream. This was true for new TTM_PL_SYSTEM and new TTM_PL_TT cases, but wasn't the case on TTM_PL_SYSTEM<->TTM_PL_TT moves, which causes trouble on some paths as nouveau's move_notify() hook requires that the dma addresses be valid at this point. Signed-off-by: Ben Skeggs Signed-off-by: Dave Airlie Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit c53c89aba3ebdfc3e9acdb18bb5ee9d2f8a328d0 Author: Seth Forshee Date: Mon Jul 18 08:06:23 2011 -0700 hfsplus: ensure bio requests are not smaller than the hardware sectors commit 6596528e391ad978a6a120142cba97a1d7324cb6 upstream. Currently all bio requests are 512 bytes, which may fail for media whose physical sector size is larger than this. Ensure these requests are not smaller than the block device logical block size. BugLink: http://bugs.launchpad.net/bugs/734883 Signed-off-by: Seth Forshee Signed-off-by: Christoph Hellwig Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 16b2b5c638c12ffc89753ad19edeb9baa6f59b99 Author: Laurent Pinchart Date: Tue Sep 6 19:16:18 2011 -0300 uvcvideo: Fix crash when linking entities commit 4d9b2ebd335d83044b9e6656d0e604e8e1300334 upstream. The uvc_mc_register_entity() function wrongfully selects the media_entity associated with a UVC entity when creating links. This results in access to uninitialized media_entity structures and can hit a BUG_ON statement in media_entity_create_link(). Fix it. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 8dc9342126bbd39181caa83ab437fb22ee25d57d Author: Jiri Kosina Date: Thu Aug 25 14:21:37 2011 +0200 HID: magicmouse: ignore 'ivalid report id' while switching modes, v2 commit 35d851df23b093ee027f827fed2213ae5e88fc7a upstream. This is basically a more generic respin of 23746a6 ("HID: magicmouse: ignore 'ivalid report id' while switching modes") which got reverted later by c3a492. It turns out that on some configurations, this is actually still the case and we are not able to detect in runtime. The device reponds with 'invalid report id' when feature report switching it into multitouch mode is sent to it. This has been silently ignored before 0825411ade ("HID: bt: Wait for ACK on Sent Reports"), but since this commit, it propagates -EIO from the _raw callback . So let the driver ignore -EIO as response to 0xd7,0x01 report, as that's how the device reacts in normal mode. Sad, but following reality. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=35022 Reported-by: Chase Douglas Reported-by: Jaikumar Ganesh Tested-by: Chase Douglas Tested-by: Jaikumar Ganesh Signed-off-by: Jiri Kosina Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 6fb50607d47e30c196e07a0ceeaf36e370196f2a Author: Thomas Courbon Date: Wed Jul 20 22:57:44 2011 +0200 Platform: fix samsung-laptop DMI identification for N150/N210/220/N230 commit 78a7539b881eb557494a7c810625c0307b27296c upstream. Some samsung latop of the N150/N2{10,20,30} serie are badly detected by the samsung-laptop platform driver, see bug # 36082. It appears that N230 identifies itself as N150/N210/N220/N230 whereas the other identify themselves as N150/N210/220. This patch attemtp fix #36082 allowing correct identification for all the said netbook model. Reported-by: Daniel Eklöf Signed-off-by: Thomas Courbon Signed-off-by: Matthew Garrett Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 37b2b419970e9b380a07c15d60a26987ce09ad15 Author: Miklos Szeredi Date: Mon Sep 12 09:38:03 2011 +0200 fuse: fix memory leak commit 5dfcc87fd79dfb96ed155b524337dbd0da4f5993 upstream. kmemleak is reporting that 32 bytes are being leaked by FUSE: unreferenced object 0xe373b270 (size 32): comm "fusermount", pid 1207, jiffies 4294707026 (age 2675.187s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmemleak_alloc+0x27/0x50 [] kmem_cache_alloc+0xc5/0x180 [] fuse_alloc_forget+0x1e/0x20 [] fuse_alloc_inode+0xb0/0xd0 [] alloc_inode+0x1c/0x80 [] iget5_locked+0x8f/0x1a0 [] fuse_iget+0x72/0x1a0 [] fuse_get_root_inode+0x8a/0x90 [] fuse_fill_super+0x3ef/0x590 [] mount_nodev+0x3f/0x90 [] fuse_mount+0x15/0x20 [] mount_fs+0x1c/0xc0 [] vfs_kern_mount+0x41/0x90 [] do_kern_mount+0x39/0xd0 [] do_mount+0x2e5/0x660 [] sys_mount+0x66/0xa0 This leak report is consistent and happens once per boot on 3.1.0-rc5-dirty. This happens if a FORGET request is queued after the fuse device was released. Reported-by: Sitsofe Wheeler Signed-off-by: Miklos Szeredi Tested-by: Sitsofe Wheeler Signed-off-by: Linus Torvalds Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 607ce3ed1cf6aa5af82a12faf1adf0de5d2f583e Author: Peter Zijlstra Date: Mon Oct 17 11:50:30 2011 +0200 cputimer: Cure lock inversion commit bcd5cff7216f9b2de0a148cc355eac199dc6f1cf upstream. There's a lock inversion between the cputimer->lock and rq->lock; notably the two callchains involved are: update_rlimit_cpu() sighand->siglock set_process_cpu_timer() cpu_timer_sample_group() thread_group_cputimer() cputimer->lock thread_group_cputime() task_sched_runtime() ->pi_lock rq->lock scheduler_tick() rq->lock task_tick_fair() update_curr() account_group_exec() cputimer->lock Where the first one is enabling a CLOCK_PROCESS_CPUTIME_ID timer, and the second one is keeping up-to-date. This problem was introduced by e8abccb7193 ("posix-cpu-timers: Cure SMP accounting oddities"). Cure the problem by removing the cputimer->lock and rq->lock nesting, this leaves concurrent enablers doing duplicate work, but the time wasted should be on the same order otherwise wasted spinning on the lock and the greater-than assignment filter should ensure we preserve monotonicity. Reported-by: Dave Jones Reported-by: Simon Kirby Signed-off-by: Peter Zijlstra Cc: Linus Torvalds Cc: Martin Schwidefsky Link: http://lkml.kernel.org/r/1318928713.21167.4.camel@twins Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit f62f4cad504f32e9d4e407ea5ba8a743da399a8a Author: Alex Deucher Date: Tue Oct 18 20:10:05 2011 -0400 drm/radeon/kms/atom: fix handling of FB scratch indices commit 5a6e8482a16e61250a9121fc9ec719ab0529e760 upstream. FB scratch indices are dword indices, but we were treating them as byte indices. As such, we were getting the wrong FB scratch data for non-0 indices. Fix the indices and guard the indexing against indices larger than the scratch allocation. Fixes memory corruption on some boards if data was written past the end of the FB scratch array. Signed-off-by: Alex Deucher Reported-by: Dave Airlie Tested-by: Dave Airlie Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 60635529f6aec7572ae7009aabd80558cf2f43b4 Author: Linus Torvalds Date: Mon Oct 17 08:24:24 2011 -0700 Avoid using variable-length arrays in kernel/sys.c commit a84a79e4d369a73c0130b5858199e949432da4c6 upstream. The size is always valid, but variable-length arrays generate worse code for no good reason (unless the function happens to be inlined and the compiler sees the length for the simple constant it is). Also, there seems to be some code generation problem on POWER, where Henrik Bakken reports that register r28 can get corrupted under some subtle circumstances (interrupt happening at the wrong time?). That all indicates some seriously broken compiler issues, but since variable length arrays are bad regardless, there's little point in trying to chase it down. "Just don't do that, then". Reported-by: Henrik Grindal Bakken Cc: Benjamin Herrenschmidt Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 05ffb6746c59a967115714ea1e5b8412291874ea Author: Jean Delvare Date: Thu Oct 13 15:49:08 2011 -0400 hwmon: (w83627ehf) Properly report thermal diode sensors commit bf164c58e58328c40ebc597a8ac00cc6840f9703 upstream. The w83627ehf driver is improperly reporting thermal diode sensors as type 2, instead of 3. This caused "sensors" and possibly other monitoring tools to report these sensors as "transistor" instead of "thermal diode". Furthermore, diode subtype selection (CPU vs. external) is only supported by the original W83627EHF/EHG. All later models only support CPU diode type, and some (NCT6776F) don't even have the register in question so we should avoid reading from it. Signed-off-by: Jean Delvare Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 5cfdd884cfdd70470323c4f37be4f3324376ac34 Author: Jeremiah Matthey Date: Tue Aug 23 09:44:30 2011 +0200 HID: usbhid: Add support for SiGma Micro chip commit f5e4282586dc0c9dab8c7d32e6c43aa07f68586b upstream. Patch to add SiGma Micro-based keyboards (1c4f:0002) to hid-quirks. These keyboards dont seem to allow the records to be initialized, and hence a timeout occurs when the usbhid driver attempts to initialize them. The patch just adds the signature for these keyboards to the hid-quirks list with the setting HID_QUIRK_NO_INIT_REPORTS. This removes the 5-10 second wait for the timeout to occur. Signed-off-by: Jeremiah Matthey Signed-off-by: Jiri Kosina Signed-off-by: Jonathan Nieder Signed-off-by: Greg Kroah-Hartman commit 9d3aaf6229361652a8ea6fe8a2fe359e055b43b9 Author: Will Deacon Date: Mon Oct 3 18:30:53 2011 +0100 ARM: 7117/1: perf: fix HW_CACHE_* events on Cortex-A9 commit 29a541f6c1f6e4a85628bb86071b9e72c9f8be2c upstream. Using COHERENT_LINE_{MISS,HIT} for cache misses and references respectively is completely wrong. Instead, use the L1D events which are a better and more useful approximation despite ignoring instruction traffic. Reported-by: Alasdair Grant Reported-by: Matt Horsnell Reported-by: Michael Williams Cc: Jean Pihet Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 1289deb9b5c151876feb594cd82984f3932982e8 Author: Linus Walleij Date: Thu Sep 29 09:37:23 2011 +0100 ARM: 7113/1: mm: Align bank start to MAX_ORDER_NR_PAGES commit 002ea9eefec98dada56fd5f8e432a4e8570c2a26 upstream. The VM subsystem assumes that there are valid memmap entries from the bank start aligned to MAX_ORDER_NR_PAGES. On the Ux500 we have a lot of mem=N arguments on the commandline triggering this bug several times over and causing kernel oops messages. Cc: Michael Bohan Cc: Nicolas Pitre Signed-off-by: Johan Palsson Signed-off-by: Rabin Vincent Signed-off-by: Linus Walleij Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman