commit 9bb1282f6a7754955c18be912fbc2b55d133f1b9
Author: Greg Kroah-Hartman
Date:   Wed Jan 18 07:33:18 2012 -0800

    Linux 3.1.10

commit 0248fedcdb0982fc15246ff23a7b926f592258d5
Author: Ludwig Nussel
Date:   Tue Nov 15 14:46:46 2011 -0800

    x86: Fix mmap random address range

    commit 9af0c7a6fa860698d080481f24a342ba74b68982 upstream.

    On x86_32 casting the unsigned int result of get_random_int() to long may result in a negative value. On x86_32 the range of mmap_rnd() therefore was -255 to 255. The 32bit mode on x86_64 used 0 to 255 as intended.

    The bug was introduced by 675a081 ("x86: unify mmap_{32|64}.c") in January 2008.

    Signed-off-by: Ludwig Nussel
    Cc: Linus Torvalds
    Cc: harvey.harrison@gmail.com
    Cc: "H. Peter Anvin"
    Cc: Harvey Harrison
    Signed-off-by: Andrew Morton
    Link: http://lkml.kernel.org/r/201111152246.pAFMklOB028527@wpaz5.hot.corp.google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 8d0120df91823df951facd3527e9f148b24e78f3
Author: KAMEZAWA Hiroyuki
Date:   Thu Jan 12 17:17:44 2012 -0800

    memcg: add mem_cgroup_replace_page_cache() to fix LRU issue

    commit ab936cbcd02072a34b60d268f94440fd5cf1970b upstream.

    Commit ef6a3c6311 ("mm: add replace_page_cache_page() function") added a function replace_page_cache_page(). This function replaces a page in the radix-tree with a new page. When doing this, memory cgroup needs to fix up the accounting information. memcg needs to check PCG_USED bit etc.

    In some(many?) cases, 'newpage' is on LRU before calling replace_page_cache(). So, memcg's LRU accounting information should be fixed, too.

    This patch adds mem_cgroup_replace_page_cache() and removes the old hooks. In that function, old pages will be unaccounted without touching res_counter and new page will be accounted to the memcg (of old page). When overwriting pc->mem_cgroup of newpage, take zone->lru_lock and avoid races with LRU handling.

    Background:
    replace_page_cache_page() is called by FUSE code in its splice() handling.
    Here, 'newpage' is replacing oldpage but this newpage is not a newly allocated page and may be on LRU. LRU mis-accounting will be critical for memory cgroup because rmdir() checks the whole LRU is empty and there is no account leak. If a page is on the other LRU than it should be, rmdir() will fail.

    This bug was added in March 2011, but no bug report yet. I guess there are not many people who use memcg and FUSE at the same time with upstream kernels.

    The result of this bug is that admin cannot destroy a memcg because of account leak. So, no panic, no deadlock. And, even if an active cgroup exists, umount can succeed. So no problem at shutdown.

    Signed-off-by: KAMEZAWA Hiroyuki
    Acked-by: Johannes Weiner
    Acked-by: Michal Hocko
    Cc: Miklos Szeredi
    Cc: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit c877bca3e2a5ded480a824c1999d0eb526a29f2a
Author: Stanislaw Gruszka
Date:   Wed Jan 11 09:26:54 2012 +0100

    mac80211: fix rx->key NULL pointer dereference in promiscuous mode

    commit 1140afa862842ac3e56678693050760edc4ecde9 upstream.

    Since:

        commit 816c04fe7ef01dd9649f5ccfe796474db8708be5
        Author: Christian Lamparter
        Date:   Sat Apr 30 15:24:30 2011 +0200

            mac80211: consolidate MIC failure report handling

    it is possible that we dereference rx->key == NULL when the driver sets RX_FLAG_MMIC_STRIPPED and not RX_FLAG_IV_STRIPPED and we are in promiscuous mode. This happens with rt73usb and rt61pci at least.

    Before the commit we always check rx->key against NULL, so I assume fix should be done in mac80211 (also mic_fail path has similar check).

    References:
    https://bugzilla.redhat.com/show_bug.cgi?id=769766
    http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/2012-January/004395.html

    Reported-by: Stuart D Gathman
    Reported-by: Kai Wohlfahrt
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 7eff19fee7a5c461a1bc0a6306bb05adb53051c7
Author: Larry Finger
Date:   Wed Jan 4 20:50:47 2012 -0600

    rtl8192se: Fix BUG caused by failure to check skb allocation

    commit d90db4b12bc1b9b8a787ef28550fdb767ee25a49 upstream.

    When downloading firmware into the device, the driver fails to check the return when allocating an skb. When the allocation fails, a BUG can be generated, as seen in https://bugzilla.redhat.com/show_bug.cgi?id=771656.

    Signed-off-by: Larry Finger
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit fa3cbc36b3f28d765ad72b1a4d845fef2628c943
Author: Bjorn Helgaas
Date:   Thu Jan 5 14:27:24 2012 -0700

    PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB

    commit eb31aae8cb5eb54e234ed2d857ddac868195d911 upstream.

    Some Dell BIOSes have MCFG tables that don't report the entire MMCONFIG area claimed by the chipset. If we move PCI devices into that claimed-but-unreported area, they don't work.

    This quirk reads the AMD MMCONFIG MSRs and adds PNP0C01 resources as needed to cover the entire area.
    Example problem scenario:

      BIOS-e820: 00000000cfec5400 - 00000000d4000000 (reserved)
      Fam 10h mmconf [d0000000, dfffffff]
      PCI: MMCONFIG for domain 0000 [bus 00-3f] at [mem 0xd0000000-0xd3ffffff] (base 0xd0000000)
      pnp 00:0c: [mem 0xd0000000-0xd3ffffff]
      pci 0000:00:12.0: reg 10: [mem 0xffb00000-0xffb00fff]
      pci 0000:00:12.0: no compatible bridge window for [mem 0xffb00000-0xffb00fff]
      pci 0000:00:12.0: BAR 0: assigned [mem 0xd4000000-0xd40000ff]

    Reported-by: Lisa Salimbas
    Reported-by:
    Tested-by: dann frazier
    References: https://bugzilla.kernel.org/show_bug.cgi?id=31602
    References: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/647043
    References: https://bugzilla.redhat.com/show_bug.cgi?id=770308
    Signed-off-by: Bjorn Helgaas
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit ea509eb0fb85a1c2704d932ae6095d3a2995a589
Author: Eric Dumazet
Date:   Tue Dec 13 04:57:06 2011 +0100

    slub: fix a possible memleak in __slab_alloc()

    commit 73736e0387ba0e6d2b703407b4d26168d31516a7 upstream.

    Zhihua Che reported a possible memleak in slub allocator on CONFIG_PREEMPT=y builds.

    It is possible current thread migrates right before disabling irqs in __slab_alloc(). We must check again c->freelist, and perform a normal allocation instead of scratching c->freelist.

    Many thanks to Zhihua Che for spotting this bug, introduced in 2.6.39

    V2: It's also possible an IRQ freed one (or several) object(s) and populated c->freelist, so it's not a CONFIG_PREEMPT only problem.

    Reported-by: Zhihua Che
    Signed-off-by: Eric Dumazet
    Acked-by: Christoph Lameter
    Signed-off-by: Pekka Enberg
    Signed-off-by: Greg Kroah-Hartman

commit d70357fd5682b8d868a86551125b2d3bbc0f2cf4
Author: Roberto Sassu
Date:   Mon Dec 19 15:57:28 2011 +0100

    ima: fix invalid memory reference

    commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream.

    Don't free a valid measurement entry on TPM PCR extend failure.

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

commit dc2a0defaf783a0f439a39f38146622c1bb16201
Author: Roberto Sassu
Date:   Mon Dec 19 15:57:27 2011 +0100

    ima: free duplicate measurement memory

    commit 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 upstream.

    Info about new measurements are cached in the iint for performance. When the inode is flushed from cache, the associated iint is flushed as well. Subsequent access to the inode will cause the inode to be re-measured and will attempt to add a duplicate entry to the measurement list.

    This patch frees the duplicate measurement memory, fixing a memory leak.

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

commit ed5eb44d43c04727df9f73863ef276b75df24562
Author: NeilBrown
Date:   Mon Jan 9 01:41:51 2012 +1100

    md/raid1: perform bad-block tests for WriteMostly devices too.

    commit 307729c8bc5b5a41361af8af95906eee7552acb1 upstream.

    We normally try to avoid reading from write-mostly devices, but when we do we really have to check for bad blocks and be sure not to try reading them.

    With the current code, best_good_sectors might not get set and that causes zero-length read requests to be sent down which is very confusing.

    This bug was introduced in commit d2eb35acfdccbe2 and so the patch is suitable for 3.1.x and 3.2.x

    Reported-and-tested-by: Michał Mirosław
    Reported-and-tested-by: Art -kwaak- van Breemen
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit efac38b1b6965dd9d16b3e2c91118e583b66e128
Author: Ian Campbell
Date:   Wed Jan 4 09:34:49 2012 +0000

    xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX.

    commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream.

    Haogang Chen found out that:

      There is a potential integer overflow in process_msg() that could result in cross-domain attack.

            body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);

      When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent call to xb_read() would write to a zero-length buffer.

      The other end of this connection is always the xenstore backend daemon so there is no guest (malicious or otherwise) which can do this. The xenstore daemon is a trusted component in the system. However this seems like a reasonable robustness improvement so we should have it.

    And Ian, when reading the API docs, found that:

      The payload length (len field of the header) is limited to 4096 (XENSTORE_PAYLOAD_MAX) in both directions. If a client exceeds the limit, its xenstored connection will be immediately killed by xenstored, which is usually catastrophic from the client's point of view. Clients (particularly domains, which cannot just reconnect) should avoid this.

    so this patch checks against that instead.

    This also avoids a potential integer overflow pointed out by Haogang Chen.

    Signed-off-by: Ian Campbell
    Cc: Haogang Chen
    Signed-off-by: Konrad Rzeszutek Wilk
    Signed-off-by: Greg Kroah-Hartman

commit a1f73f501a775496d33b4da523b09f64b6962251
Author: nagalakshmi.nandigama@lsi.com
Date:   Thu Dec 1 07:53:08 2011 +0530

    SCSI: mpt2sas : Fix for memory allocation error for large host credits

    commit aff132d95ffe14eca96cab90597cdd010b457af7 upstream.

    The amount of memory required for tracking chain buffers is rather large, and when the host credit count is big, memory allocation failure occurs inside __get_free_pages.

    The fix is to limit the number of chains to 100,000. In addition, the number of host credits is limited to 30,000 IOs. However this limitation can be overridden using the command line option max_queue_depth. The algorithm for calculating the reply_post_queue_depth is changed so that it is equal to (reply_free_queue_depth + 16), previously it was (reply_free_queue_depth * 2).

    Signed-off-by: Nagalakshmi Nandigama
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 3e70c2626382037b67c97a706cb00788fad93527
Author: nagalakshmi.nandigama@lsi.com
Date:   Thu Dec 1 07:52:56 2011 +0530

    SCSI: mpt2sas: Release spinlock for the raid device list before blocking it

    commit 30c43282f3d347f47f9e05199d2b14f56f3f2837 upstream.

    Added code to release the spinlock that is used to protect the raid device list before calling a function that can block. The blocking was causing a reschedule, and subsequently it is tried to acquire the same lock, resulting in a panic (NMI Watchdog detecting a CPU lockup).

    Signed-off-by: Nagalakshmi Nandigama
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 84261c01dd43cef0cb0a40d6450d91066057d5b3
Author: Bjorn Helgaas
Date:   Thu Jan 12 08:01:40 2012 -0700

    x86/PCI: build amd_bus.o only when CONFIG_AMD_NB=y

    commit 5cf9a4e69c1ff0ccdd1d2b7404f95c0531355274 upstream.

    We only need amd_bus.o for AMD systems with PCI. arch/x86/pci/Makefile already depends on CONFIG_PCI=y, so this patch just adds the dependency on CONFIG_AMD_NB.

    Cc: Yinghai Lu
    Signed-off-by: Bjorn Helgaas
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0862c6b642fdbe4069f8285bd936738224104886
Author: Bjorn Helgaas
Date:   Thu Jan 5 14:27:19 2012 -0700

    x86/PCI: amd: factor out MMCONFIG discovery

    commit 24d25dbfa63c376323096660bfa9ad45a08870ce upstream.

    This factors out the AMD native MMCONFIG discovery so we can use it outside amd_bus.c.

    amd_bus.c reads AMD MSRs so it can remove the MMCONFIG area from the PCI resources. We may also need the MMCONFIG information to work around BIOS defects in the ACPI MCFG table.

    Cc: Borislav Petkov
    Cc: Yinghai Lu
    Signed-off-by: Bjorn Helgaas
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 37bbe151450f9eedf4453b87b8d6856d2fba878a
Author: Gary Hade
Date:   Mon Nov 14 15:42:16 2011 -0800

    x86/PCI: Ignore CPU non-addressable _CRS reserved memory resources

    commit ae5cd86455381282ece162966183d3f208c6fad7 upstream.

    This assures that a _CRS reserved host bridge window or window region is not used if it is not addressable by the CPU. The new code either trims the window to exclude the non-addressable portion or totally ignores the window if the entire window is non-addressable.

    The current code has been shown to be problematic with 32-bit non-PAE kernels on systems where _CRS reserves resources above 4GB.

    Signed-off-by: Gary Hade
    Reviewed-by: Bjorn Helgaas
    Cc: Thomas Renninger
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 99e6fbffc973fb0f9074265f80951f61a802792c
Author: Eric W. Biederman
Date:   Mon Oct 17 11:46:06 2011 -0700

    PCI: msi: Disable msi interrupts when we initialize a pci device

    commit a776c491ca5e38c26d9f66923ff574d041e747f4 upstream.

    I traced a nasty kexec on panic boot failure to the fact that we had screaming msi interrupts and we were not disabling the msi messages at kernel startup. The booting kernel had not enabled those interrupts so was not prepared to handle them.

    I can see no reason why we would ever want to leave the msi interrupts enabled at boot if something else has enabled those interrupts. The pci spec specifies that msi interrupts should be off by default. Drivers are expected to enable the msi interrupts if they want to use them. Our interrupt handling code reprograms the interrupt handlers at boot and will not be able to do anything useful with an unexpected interrupt.

    This patch applies cleanly all of the way back to 2.6.32 where I noticed the problem.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 5723f014a97cc8f70ebe5f17b67909a863baf26c
Author: Alex Williamson
Date:   Wed Nov 16 09:24:16 2011 -0700

    PCI: Fix PCI_EXP_TYPE_RC_EC value

    commit 1830ea91c20b06608f7cdb2455ce05ba834b3214 upstream.

    Spec shows this as 1010b = 0xa

    Signed-off-by: Alex Williamson
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 5634d5fe19f522d31a6d47f0dc44c596a1b75c7b
Author: Artem Bityutskiy
Date:   Thu Jan 5 10:47:18 2012 +0200

    UBI: fix use-after-free on error path

    commit e57e0d8e818512047fe379157c3f77f1b9fabffb upstream.

    When we fail to erase a PEB, we free the corresponding erase entry object, but then re-schedule this object if the error code was something like -EAGAIN. Obviously, it is a bug to use the object after we have freed it.

    Reported-by: Emese Revfy
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: Greg Kroah-Hartman

commit 7587b142d2d059f3e5fe7b8e8053c7aeed1e5108
Author: Bhavesh Parekh
Date:   Wed Nov 30 17:43:42 2011 +0530

    UBI: fix missing scrub when there is a bit-flip

    commit e801e128b2200c40a0ec236cf2330b2586b6e05a upstream.

    Under some cases, when scrubbing the PEB if we did not get the lock on the PEB it fails to scrub. Add that PEB again to the scrub list

    Artem: minor amendments.

    Signed-off-by: Bhavesh Parekh
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: Greg Kroah-Hartman

commit 9a399c87c36cdd84032b297189869b07ebb5fa33
Author: Chase Douglas
Date:   Mon Nov 7 11:08:05 2011 -0800

    HID: bump maximum global item tag report size to 96 bytes

    commit e46e927b9b7e8d95526e69322855243882b7e1a3 upstream.

    This allows the latest N-Trig devices to function properly.

    BugLink: https://bugs.launchpad.net/bugs/724831
    Signed-off-by: Chase Douglas
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit 7c8b708b0718d9fbff3aca2927e3daa3a8f719d4
Author: Jeff Layton
Date:   Tue Dec 20 06:57:45 2011 -0500

    nfs: fix regression in handling of context= option in NFSv4

    commit 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 upstream.

    Setting the security context of a NFSv4 mount via the context= mount option is currently broken. The NFSv4 codepath allocates a parsed options struct, and then parses the mount options to fill it. It eventually calls nfs4_remote_mount which calls security_init_mnt_opts. That clobbers the lsm_opts struct that was populated earlier. This bug also looks like it causes a small memory leak on each v4 mount where context= is used.

    Fix this by moving the initialization of the lsm_opts into nfs_alloc_parsed_mount_data. Also, add a destructor for nfs_parsed_mount_data to make it easier to free all of the allocations hanging off of it, and to ensure that the security_free_mnt_opts is called whenever security_init_mnt_opts is.

    I believe this regression was introduced quite some time ago, probably by commit c02d7adf.

    Signed-off-by: Jeff Layton
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit bd689a8cdbfe4cf5182f01aa93e4ba3fadf1f11c
Author: Andy Adamson
Date:   Wed Dec 7 11:55:27 2011 -0500

    NFSv4: include bitmap in nfsv4 get acl data

    commit bf118a342f10dafe44b14451a1392c3254629a1f upstream.

    The NFSv4 bitmap size is unbounded: a server can return an arbitrary sized bitmap in an FATTR4_WORD0_ACL request. Replace using the nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data xdr length to the (cached) acl page data.

    This is a general solution to commit e5012d1f "NFSv4.1: update nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead when getting ACLs.

    Fix a bug in decode_getacl that returned -EINVAL on ACLs > page when getxattr was called with a NULL buffer, preventing ACL > PAGE_SIZE from being retrieved.

    Signed-off-by: Andy Adamson
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 6ab1a5d77456d333674ed3b9a2bd3c29715965b6
Author: NeilBrown
Date:   Wed Nov 16 11:46:31 2011 +1100

    NFS - fix recent breakage to NFS error handling.

    commit 2edb6bc3852c681c0d948245bd55108dc6407604 upstream.

    From c6d615d2b97fe305cbf123a8751ced859dca1d5e Mon Sep 17 00:00:00 2001
    From: NeilBrown
    Date: Wed, 16 Nov 2011 09:39:05 +1100
    Subject: NFS - fix recent breakage to NFS error handling.

    commit 02c24a82187d5a628c68edfe71ae60dc135cd178 made a small and presumably unintended change to write error handling in NFS.

    Previously an error from filemap_write_and_wait_range would only be of interest if nfs_file_fsync did not return an error. After this commit, an error from filemap_write_and_wait_range would mean that (the rest of) nfs_file_fsync would not even be called.

    This means that:
     1/ you are more likely to see EIO than e.g. EDQUOT or ENOSPC.
     2/ NFS_CONTEXT_ERROR_WRITE remains set for longer so more writes are synchronous.

    This patch restores previous behaviour.

    Cc: Josef Bacik
    Cc: Jan Kara
    Cc: Al Viro
    Signed-off-by: NeilBrown
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 6f02bf1cbb5031ad69e5b34a5912e179c6fa78c3
Author: Andy Adamson
Date:   Wed Nov 9 13:58:20 2011 -0500

    NFSv4.1: fix backchannel slotid off-by-one bug

    commit 61f2e5106582d02f30b6807e3f9c07463c572ccb upstream.

    Signed-off-by: Andy Adamson
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit f63f8365c6ba087362cb3cbfb697179efeadc1fa
Author: Chuck Lever
Date:   Mon Dec 5 15:40:30 2011 -0500

    NFS: Retry mounting NFSROOT

    commit 43717c7daebf10b43f12e68512484b3095bb1ba5 upstream.

    Lukas Razik reports that on his SPARC system, booting with an NFS root file system stopped working after commit 56463e50 "NFS: Use super.c for NFSROOT mount option parsing."

    We found that the network switch to which Lukas' client was attached was delaying access to the LAN after the client's NIC driver reported that its link was up. The delay was longer than the timeouts used in the NFS client during mounting.

    NFSROOT worked for Lukas before commit 56463e50 because in those kernels, the client's first operation was an rpcbind request to determine which port the NFS server was listening on. When that request failed after a long timeout, the client simply selected the default NFS port (2049). By that time the switch was allowing access to the LAN, and the mount succeeded.

    Neither of these client behaviors is desirable, so reverting 56463e50 is really not a choice. Instead, introduce a mechanism that retries the NFSROOT mount request several times. This is the same tactic that normal user space NFS mounts employ to overcome server and network delays.

    Signed-off-by: Lukas Razik
    [ cel: match kernel coding style, add proper patch description ]
    [ cel: add exponential back-off ]
    Signed-off-by: Chuck Lever
    Tested-by: Lukas Razik
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 0b54b44b497be759fcc3b59150602aaf65865d7f
Author: Michel Dänzer
Date:   Thu Jan 5 18:42:17 2012 +0100

    radeon: Fix disabling PCI bus mastering on big endian hosts.

    commit 3df96909b75835d487a9178761622b0cbd7310d4 upstream.

    It would previously write basically random bits to PCI configuration space... Not very surprising that the GPU tended to stop responding completely. The resulting MCE even froze the whole machine sometimes.

    Now resetting the GPU after a lockup has at least a fighting chance of succeeding.

    Signed-off-by: Michel Dänzer
    Reviewed-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 76adb0e340dc36dd931c1a8bd4c7b97f77b7d23a
Author: Alex Deucher
Date:   Tue Jan 3 09:48:38 2012 -0500

    drm/radeon/kms: disable writeback on pre-R300 asics

    commit 28eebb703e28bc455ba704adb1026f76649b768c upstream.

    We often end up missing fences on older asics with writeback enabled which leads to delays in the userspace accel code, so just disable it by default on those asics.

    Reported-by: Helge Deller
    Reported-by: Dave Airlie
    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit f2f565fdcac7663c89421f5ace3826d4c84f2889
Author: Rafał Miłecki
Date:   Fri Dec 23 20:32:18 2011 +0100

    drm/radeon/kms: workaround invalid AVI infoframe checksum issue

    commit 92db7f6c860b8190571a9dc1fcbc16d003422fe8 upstream.

    This change was verified to fix both issues with no video I've investigated. I've also checked checksum calculation with fglrx on: RV620, HD54xx, HD5450, HD6310, HD6320.

    Signed-off-by: Rafał Miłecki
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 910fc79f722372dcc17ff3c53e1f2191c0cf816c
Author: Rene Bollford
Date:   Sun Oct 23 09:56:42 2011 +0200

    ideapad: Check if acpi already handle backlight power to avoid a page fault

    commit d4afc7754a60b885b63ef23fd194984e2d53a4e6 upstream.

    This patch avoids a page fault in the ideapad-laptop extras when turning the backlight power on or off.

    Signed-off-by: Rene Bolldorf
    Signed-off-by: Matthew Garrett
    Signed-off-by: Jonathan Nieder
    Tested-by: Artem X
    Signed-off-by: Greg Kroah-Hartman

commit c4e7f9022e506c6635a5037713c37118e23193e4
Author: Alex Williamson
Date:   Thu Jan 12 12:39:54 2012 +0200

    KVM: Device assignment permission checks

    (cherry picked from commit 3d27e23b17010c668db311140b17bbbb70c78fb9)

    Only allow KVM device assignment to attach to devices which:

     - Are not bridges
     - Have BAR resources (assume others are special devices)
     - The user has permissions to use

    Assigning a bridge is a configuration error, it's not supported, and typically doesn't result in the behavior the user is expecting anyway. Devices without BAR resources are typically chipset components that also don't have host drivers. We don't want users to hold such devices captive or cause system problems by fencing them off into an iommu domain. We determine "permission to use" by testing whether the user has access to the PCI sysfs resource files. By default a normal user will not have access to these files, so it provides a good indication that an administration agent has granted the user access to the device.

    [Yang Bai: add missing #include]
    [avi: fix comment style]

    Signed-off-by: Alex Williamson
    Signed-off-by: Yang Bai
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 4fd9e326e5001982747225f0f7bb462e34ae9215
Author: Alex Williamson
Date:   Thu Jan 12 12:39:53 2012 +0200

    KVM: Remove ability to assign a device without iommu support

    (cherry picked from commit 423873736b78f549fbfa2f715f2e4de7e6c5e1e9)

    This option has no users and it exposes a security hole that we can allow devices to be assigned without iommu protection. Make KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory option.

    Signed-off-by: Alex Williamson
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 68898049e6b897cd29644c1b500e3e9593805869
Author: Jan Kiszka
Date:   Thu Jan 12 12:39:52 2012 +0200

    KVM: x86: Prevent starting PIT timers in the absence of irqchip support

    (cherry picked from commit 0924ab2cfa98b1ece26c033d696651fd62896c69)

    User space may create the PIT and forget about setting up the irqchips. In that case, firing PIT IRQs will crash the host:

      BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
      IP: [] kvm_set_irq+0x30/0x170 [kvm]
      ...
      Call Trace:
       [] pit_do_work+0x51/0xd0 [kvm]
       [] process_one_work+0x111/0x4d0
       [] worker_thread+0x152/0x340
       [] kthread+0x7e/0x90
       [] kernel_thread_helper+0x4/0x10

    Prevent this by checking the irqchip mode before starting a timer. We can't deny creating the PIT if the irqchips aren't set up yet as current user land expects this order to work.

    Signed-off-by: Jan Kiszka
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit da84e453c225f742b32ff68f65fd9a2af2691c7c
Author: Avi Kivity
Date:   Thu Jan 12 12:39:51 2012 +0200

    KVM guest: prevent tracing recursion with kvmclock

    (cherry picked from commit 95ef1e52922cf75b1ea2eae54ef886f2cc47eecb)

    Prevent tracing of preempt_disable() in get_cpu_var() in kvm_clock_read(). When CONFIG_DEBUG_PREEMPT is enabled, preempt_disable/enable() are traced and this causes the function_graph tracer to go into an infinite recursion. By open coding the preempt_disable() around the get_cpu_var(), we can use the notrace version which prevents preempt_disable/enable() from being traced and prevents the recursion.

    Based on a similar patch for Xen from Jeremy Fitzhardinge.

    Tested-by: Gleb Natapov
    Acked-by: Steven Rostedt
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 70422e598a0f7f24e914187844fefcb4d656903d
Author: Takashi Iwai
Date:   Wed Jan 11 12:34:11 2012 +0100

    ALSA: hda - Fix the lost power-setup of secondary pins after PM resume

    commit f2cbba7602383cd9cdd21f0a5d0b8bd1aad47b33 upstream.

    When multiple headphone or other detectable output pins are present, the power-map has to be updated after resume appropriately, but the current driver doesn't check all pins but only the first pin (since it's enough to check it for the mute-behavior). This resulted in the silent output from the secondary outputs after PM resume.

    This patch fixes the problem by checking all pins at (re-)init time.

    Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=740347

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 557d644e64dfa3715f5c71d7e7ca218becebba52
Author: Takashi Iwai
Date:   Tue Jan 10 15:16:02 2012 +0100

    ALSA: hda - Fix the detection of "Loopback Mixing" control for VIA codecs

    commit 4808d12d1dddb046ec86425e5f6766f02e950292 upstream.

    Currently the driver checks only the out_mix_path[] for the primary output route for judging whether to create the loopback-mixing control or not. But, there are cases where aamix-routing is available only on headphone or speaker paths but not on the primary output path. So, the driver ignores such cases inappropriately.

    This patch fixes the check of the loopback-mixing control by testing all mix-routing paths.

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 1e84380498cefb3a825aaf4596ceed73757013d1
Author: Takashi Iwai
Date:   Tue Jan 10 12:41:22 2012 +0100

    ALSA: hda - Return the error from get_wcaps_type() for invalid NIDs

    commit 3a90274de3548ebb2aabfbf488cea8e275a73dc6 upstream.

    When an invalid NID is given, get_wcaps() returns zero as the error, but get_wcaps_type() takes it as the normal value and returns a bogus AC_WID_AUD_OUT value.
    This confuses the parser.

    With this patch, get_wcaps_type() returns -1 when value 0 is given, i.e. an invalid NID is passed to get_wcaps().

    Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=740118

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 2afa2d7e09c67f10fe459488c3327bd23b6035ba
Author: Takashi Iwai
Date:   Tue Jan 10 08:59:56 2012 +0100

    ALSA: hda - Use auto-parser for HP laptops with cx20459 codec

    commit de4da59e480cdf1075b33dbaf8078fc87bc52241 upstream.

    These laptops can work well with the auto-parser and their BIOS setups, and in addition, the auto-parser fixes the problem with S3/S4 where the unsol event handling is killed after resume due to fallback to the single-cmd mode.

    Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=740115

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit f82b3653963a3dae3ee8381ab812c142f65b096d
Author: Pavel Hofman
Date:   Thu Jan 5 23:05:18 2012 +0100

    ALSA: ice1724 - Check for ac97 to avoid kernel oops

    commit e7848163aa2a649d9065f230fadff80dc3519775 upstream.

    Cards with identical PCI ids but no AC97 config in EEPROM do not have the ac97 field initialized. We must check for this case to avoid kernel oops.

    Signed-off-by: Pavel Hofman
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit cb9165c1d7b4cfd6878b2d46119a8c39c207a6ca
Author: David Henningsson
Date:   Mon Jan 2 12:40:16 2012 +0100

    ALSA: HDA: Fix automute for Cirrus Logic 421x

    commit 78e2a928e377d5124932d4399c6c581908b027a0 upstream.

    There was a bug in the automute logic causing speakers not to mute when headphones were plugged in.

    Tested-by: Hsin-Yi Chen
    Signed-off-by: David Henningsson
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit d518b6308620ea00725e396120be9270563927e4
Author: David Henningsson
Date:   Mon Jan 2 12:40:15 2012 +0100

    ALSA: HDA: Fix master control for Cirrus Logic 421X

    commit 40d03e63e91af8ddccdfd5a536cc2a6e51433e1d upstream.

    The control name "HP/Speakers" is non-standard, and since there is only one DAC on this chip there is no need for a virtual master anyway.

    Signed-off-by: David Henningsson
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 7fe1fb575202960264f721feeda91ee0e5850995
Author: Karsten Wiese
Date:   Fri Dec 30 01:42:01 2011 +0100

    ALSA: snd-usb-us122l: Delete calls to preempt_disable

    commit d0f3a2eb9062560bebca8b923424f3ca02a331ba upstream.

    They are not needed here.

    Signed-off-by: Karsten Wiese
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 683b6bd3e6b74c21de057d2a6230059f2ddb7df2
Author: Xi Wang
Date:   Tue Jan 10 11:51:10 2012 -0500

    ext4: fix undefined behavior in ext4_fill_flex_info()

    commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.

    Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by zero when trying to mount a corrupted file system") fixes CVE-2009-4307 by performing a sanity check on s_log_groups_per_flex, since it can be set to a bogus value by an attacker.

            sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
            groups_per_flex = 1 << sbi->s_log_groups_per_flex;

            if (groups_per_flex < 2) { ... }

    This patch fixes two potential issues in the previous commit.

    1) The sanity check might only work on architectures like PowerPC. On x86, 5 bits are used for the shifting amount. That means, given a large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36 is essentially 1 << 4 = 16, rather than 0. This will bypass the check, leaving s_log_groups_per_flex and groups_per_flex inconsistent.

    2) The sanity check relies on undefined behavior, i.e., oversized shift. A standard-conforming C compiler could rewrite the check in unexpected ways. Consider the following equivalent form, assuming groups_per_flex is unsigned for simplicity.

            groups_per_flex = 1 << sbi->s_log_groups_per_flex;
            if (groups_per_flex == 0 || groups_per_flex == 1) {

    We compile the code snippet using Clang 3.0 and GCC 4.6.
    Clang will completely optimize away the check groups_per_flex == 0,
    leaving the patched code as vulnerable as the original. GCC keeps
    the check, but there is no guarantee that future versions will do
    the same.

    Signed-off-by: Xi Wang
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 2132ecec55c2d26e90a548c32a56780f13f47a40
Author: Ben Hutchings
Date:   Tue Jan 10 15:11:02 2012 -0800

    drivers/rtc/interface.c: fix alarm rollover when day or month is out-of-range

    commit e74a8f2edb92cb690b467cea0ab652c509e9f624 upstream.

    Commit f44f7f96a20a ("RTC: Initialize kernel state from RTC")
    introduced a potential infinite loop. If an alarm time contains a
    wildcard month and an invalid day (> 31), or a wildcard year and an
    invalid month (>= 12), the loop searching for the next matching date
    will never terminate. Treat the invalid values as wildcards.

    Fixes ,

    Reported-by: leo weppelman
    Reported-by: "P. van Gaans"
    Signed-off-by: Ben Hutchings
    Signed-off-by: Jonathan Nieder
    Cc: Mark Brown
    Cc: Marcelo Roberto Jimenez
    Cc: Thomas Gleixner
    Cc: John Stultz
    Acked-by: Alessandro Zummo
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e3b499578744760561458d300b376f0af2601819
Author: Wolfram Sang
Date:   Tue Nov 29 15:34:08 2011 +0100

    mtd: tests: stresstest: bail out if device has not enough eraseblocks

    commit 2f4478ccff7df845dc9c0f8996a96373122c4417 upstream.

    stresstest needs at least two eraseblocks. Bail out gracefully if
    that condition is not met. Fixes the following 'division by zero'
    OOPS:

    [ 619.100000] mtd_stresstest: MTD device size 131072, eraseblock size 131072, page size 2048, count of eraseblocks 1, pages per eraseblock 64, OOB size 64
    [ 619.120000] mtd_stresstest: scanning for bad eraseblocks
    [ 619.120000] mtd_stresstest: scanned 1 eraseblocks, 0 are bad
    [ 619.130000] mtd_stresstest: doing operations
    [ 619.130000] mtd_stresstest: 0 operations done
    [ 619.140000] Division by zero in kernel.
    ...

    caused by

        /* Read or write up 2 eraseblocks at a time - hence 'ebcnt - 1' */
        eb %= (ebcnt - 1);

    Signed-off-by: Wolfram Sang
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse
    Signed-off-by: Greg Kroah-Hartman

commit 3e22c678f492f82d5c2fabf1e1e87a59a8021e90
Author: Brian Norris
Date:   Mon Nov 7 15:51:05 2011 -0800

    mtd: mtd_blkdevs: don't increase 'open' count on error path

    commit 342ff28f5a2e5aa3236617bd2bddf6c749677ef2 upstream.

    Some error paths in mtd_blkdevs were fixed in the following commit:

        commit 94735ec4044a6d318b83ad3c5794e931ed168d10
        mtd: mtd_blkdevs: fix error path in blktrans_open

    But on these error paths, the block device's `dev->open' count is
    already incremented before we check for errors. This meant that,
    while the error path was handled correctly on the first time through
    blktrans_open(), the device is erroneously considered already open
    on the second time through.

    This problem can be seen, for instance, when a UBI volume is
    simultaneously mounted as a UBIFS partition and read through its
    corresponding gluebi mtdblockX device. This results in
    blktrans_open() passing its error checks (with `dev->open > 0')
    without actually having a handle on the device. Here's a summarized
    log of the actions and results with nandsim:

    # modprobe nandsim
    # modprobe mtdblock
    # modprobe gluebi
    # modprobe ubifs
    # ubiattach /dev/ubi_ctrl -m 0
    ...
    # ubimkvol /dev/ubi0 -N test -s 16MiB
    ...
    # mount -t ubifs ubi0:test /mnt
    # ls /dev/mtdblock*
    /dev/mtdblock0 /dev/mtdblock1
    # cat /dev/mtdblock1 > /dev/null
    cat: can't open '/dev/mtdblock4': Device or resource busy
    # cat /dev/mtdblock1 > /dev/null

    CPU 0 Unable to handle kernel paging request at virtual address fffffff0, epc == 8031536c, ra == 8031f280
    Oops[#1]:
    ...
    Call Trace:
    [<8031536c>] ubi_leb_read+0x14/0x164
    [<8031f280>] gluebi_read+0xf0/0x148
    [<802edba8>] mtdblock_readsect+0x64/0x198
    [<802ecfe4>] mtd_blktrans_thread+0x330/0x3f4
    [<8005be98>] kthread+0x88/0x90
    [<8000bc04>] kernel_thread_helper+0x10/0x18

    Signed-off-by: Brian Norris
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse
    Signed-off-by: Greg Kroah-Hartman

commit 48a22f1478fb90cad84d9c75dd91cb8ea9750280
Author: Roman Tereshonkov
Date:   Fri Dec 2 15:07:17 2011 +0200

    mtd: mtdoops: skip reading initially bad blocks

    commit 3538c56329936c78f7d356889908790006d0124c upstream.

    Use block_isbad to check and skip the bad blocks reading. This will
    allow to get rid of the read errors if bad blocks are present
    initially.

    Signed-off-by: Roman Tereshonkov
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse
    Signed-off-by: Greg Kroah-Hartman

commit ac3adf0e80a661573a25bbe589a6f7f2ad1d2529
Author: Roman Tereshonkov
Date:   Tue Nov 29 12:49:18 2011 +0200

    mtdoops: fix the oops_page_used array size

    commit 556f063580db2953a7e53cd46b47724246320f60 upstream.

    The array of unsigned long pointed by oops_page_used is allocated by
    vmalloc which requires the size to be in bytes.

    BITS_PER_LONG is equal to 32. If we want to allocate memory for 32
    pages with one bit per page then 32 / BITS_PER_LONG is equal to 1
    byte that is 8 bits. To fix it we need to multiply the result by
    sizeof(unsigned long) equal to 4.

    Signed-off-by: Roman Tereshonkov
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse
    Signed-off-by: Greg Kroah-Hartman
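
Added example (not part of the changelog or the kernel source): a user-space C model of the check discussed in the "ext4: fix undefined behavior in ext4_fill_flex_info()" entry above. It emulates the x86 5-bit shift-count masking with an explicit mask, so the program itself contains no undefined behaviour, and compares checking after the shift with range-checking the untrusted field first. The function names, the 8-bit field type and the 1..31 bound are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit x86 shift described in the commit message: only the
 * low 5 bits of the count are used. The explicit mask keeps this defined
 * in C; a plain `1 << n` with n >= 32 is undefined behaviour. */
static unsigned int shl_x86_model(unsigned int n)
{
    return 1u << (n & 31u);
}

/* Check-after-shift, the shape quoted in the commit message.
 * Returns groups_per_flex, or 0 if the value was rejected. */
static unsigned int flex_check_after_shift(uint8_t log_groups)
{
    unsigned int groups_per_flex = shl_x86_model(log_groups);

    if (groups_per_flex < 2)
        return 0;
    return groups_per_flex;
}

/* Validate-before-shift (hypothetical helper, bound chosen for a 32-bit
 * unsigned int): the untrusted field is range-checked first, so the
 * shift count is always in range. */
static unsigned int flex_check_before_shift(uint8_t log_groups)
{
    if (log_groups < 1 || log_groups > 31)
        return 0;
    return 1u << log_groups;
}

int main(void)
{
    /* Constructed sample values for the on-disk field. */
    static const uint8_t samples[] = { 0, 4, 31, 32, 36, 255 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("log=%3u  after-shift=%10u  before-shift=%10u\n",
               (unsigned int)samples[i],
               flex_check_after_shift(samples[i]),
               flex_check_before_shift(samples[i]));
    return 0;
}
```

A result of 0 means the value was rejected. For the value 36 from the commit message, the check-after-shift path accepts it as 16, while the range check rejects it.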