commit 4dc1c173169cd9515b1dd5c6b5f53a7d46e82f3c Author: Greg Kroah-Hartman Date: Mon May 21 11:42:51 2012 -0700 Linux 3.3.7 commit 22594eea7aea374c0680f70fd89eeb1fc47ae635 Author: Sachin Prabhu Date: Tue Apr 17 14:35:39 2012 +0100 Avoid reading past buffer when calling GETACL commit 5a00689930ab975fdd1b37b034475017e460cf2a upstream. Bug noticed in commit bf118a342f10dafe44b14451a1392c3254629a1f When calling GETACL, if the size of the bitmap array, the length attribute and the acl returned by the server is greater than the allocated buffer(args.acl_len), we can Oops with a General Protection fault at _copy_from_pages() when we attempt to read past the pages allocated. This patch allocates an extra PAGE for the bitmap and checks to see that the bitmap + attribute_length + ACLs don't exceed the buffer space allocated to it. Signed-off-by: Sachin Prabhu Reported-by: Jian Li [Trond: Fixed a size_t vs unsigned int printk() warning] Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 4262cd1f4b734ea5fa05c37043c89106f38b2daa Author: Sachin Prabhu Date: Tue Apr 17 14:36:40 2012 +0100 Avoid beyond bounds copy while caching ACL commit 5794d21ef4639f0e33440927bb903f9598c21e92 upstream. When attempting to cache ACLs returned from the server, if the bitmap size + the ACL size is greater than a PAGE_SIZE but the ACL size itself is smaller than a PAGE_SIZE, we can read past the buffer page boundary. Signed-off-by: Sachin Prabhu Reported-by: Jian Li Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 6c9f63a43c30f496a37ade9fd4304c63df9b01bd Author: Tomoya MORINAGA Date: Fri Dec 9 13:13:29 2011 +0900 spi-topcliff-pch: add recovery processing in case wait-event timeout commit 0f57e168aa109775430c76cc663fb64909813d84 upstream. Currently, pch_spi_start_transfer failure is not anticipated. This patch adds the processing. Signed-off-by: Tomoya MORINAGA Signed-off-by: Grant Likely Signed-off-by: Greg Kroah-Hartman commit 06dd28fc316fa8a8627c0271d24e1d68b51ca6a3 Author: Tomoya MORINAGA Date: Fri Dec 9 13:13:28 2011 +0900 spi-topcliff-pch: supports a spi mode setup and bit order setup by IO control commit f258b44e22e07f5e98ac2260c70acff5784791b6 upstream. This patch supports a spi mode setup and bit order setup by IO control. spi mode: mode 0 to mode 3 bit order: LSB first, MSB first Signed-off-by: Tomoya MORINAGA Signed-off-by: Grant Likely Signed-off-by: Greg Kroah-Hartman commit 000d91aa2297c6d9da219918afa42c729db376dd Author: Tomoya MORINAGA Date: Fri Dec 9 13:13:27 2011 +0900 spi-topcliff-pch: Fix issue for transmitting over 4KByte commit 7d05b3e868ee0f9231baf40cb77be3df5dd1f18c upstream. Currently, when spi-topcliff-pch receives transmit request over 4KByte, this driver can't process correctly. This driver needs to divide the data into 4Kbyte unit. This patch fixes the issue. Signed-off-by: Tomoya MORINAGA Signed-off-by: Grant Likely Signed-off-by: Greg Kroah-Hartman commit 801f7b75b87c9488ebcf0af5f23913cf28096614 Author: Tomoya MORINAGA Date: Fri Dec 9 13:11:42 2011 +0900 spi-topcliff-pch: Modify pci-bus number dynamically to get DMA device info commit ee2ece5261a639b89f194d141444b03b4c923179 upstream. Signed-off-by: Tomoya MORINAGA Signed-off-by: Grant Likely Signed-off-by: Greg Kroah-Hartman commit 37b37faa8a902161602c4bb536101739701b79d0 Author: Tomoya MORINAGA Date: Mon Mar 26 14:55:25 2012 +0900 i2c-eg20t: change timeout value 50msec to 1000msec commit 8a52f9f347da721b199b7f9dcc0168bbe7d0baae upstream. Currently, during i2c works alone, wait-event timeout is not occurred. However, as CPU load increases, timeout occurs frequently. So, I modified like this patch. Modifying like this patch, I've never seen the timeout event with high load test. Signed-off-by: Tomoya MORINAGA Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit dfd1f501baad13e70a9eabcfbf8f72773da4caf6 Author: Danny Kukawka Date: Tue Jan 24 16:44:42 2012 +0100 OMAPDSS: VENC: fix NULL pointer dereference in DSS2 VENC sysfs debug attr on OMAP4 commit cc1d3e032df53d83d0ca4d537d8eb67eb5b3e808 upstream. Commit ba02fa37de80bea10d706f39f076dd848348320a disabled the venc driver registration on OMAP4. Since the driver never gets probed/initialised your get a dereferenceed NULL pointer if you try to get info from /sys/kernel/debug/omapdss/venc Return info message about disabled venc if venc_dump_regs() gets called. Signed-off-by: Danny Kukawka Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 367401149c4368f6cc79543a2d2e3515f009d7dd Author: Jeff Mahoney Date: Wed Apr 25 14:32:09 2012 +0000 dl2k: Clean up rio_ioctl commit 1bb57e940e1958e40d51f2078f50c3a96a9b2d75 upstream. The dl2k driver's rio_ioctl call has a few issues: - No permissions checking - Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers - Has a few ioctls that may have been used for debugging at one point but have no place in the kernel proper. This patch removes all but the MII ioctls, renumbers them to use the standard ones, and adds the proper permission check for SIOCSMIIREG. We can also get rid of the dl2k-specific struct mii_data in favor of the generic struct mii_ioctl_data. Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too. Most of the MII code for the driver could probably be converted to use the generic MII library but I don't have a device to test the results. Reported-by: Stephan Mueller Signed-off-by: Jeff Mahoney Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1eb1d7fb4ff9b25dd152167d05d44f1e442f8d48 Author: Jan Kiszka Date: Thu May 10 10:04:36 2012 -0300 compat: Fix RT signal mask corruption via sigprocmask commit b7dafa0ef3145c31d7753be0a08b3cbda51f0209 upstream. compat_sys_sigprocmask reads a smaller signal mask from userspace than sigprogmask accepts for setting. So the high word of blocked.sig[0] will be cleared, releasing any potentially blocked RT signal. This was discovered via userspace code that relies on get/setcontext. glibc's i386 versions of those functions use sigprogmask instead of rt_sigprogmask to save/restore signal mask and caused RT signal unblocking this way. As suggested by Linus, this replaces the sys_sigprocmask based compat version with one that open-codes the required logic, including the merge of the existing blocked set with the new one provided on SIG_SETMASK. Signed-off-by: Jan Kiszka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4c7a674cc364f699fa5b6a6176c6cff4f586e607 Author: Dan Carpenter Date: Mon Apr 30 17:36:21 2012 +0300 cifs: fix revalidation test in cifs_llseek() commit 48a5730e5b71201e226ff06e245bf308feba5f10 upstream. This test is always true so it means we revalidate the length every time, which generates more network traffic. When it is SEEK_SET or SEEK_CUR, then we don't need to revalidate. Signed-off-by: Dan Carpenter Reviewed-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit ef474e8699d6214527989d09e9d4cab368a6468f Author: Sha Zhengju Date: Thu May 10 13:01:45 2012 -0700 memcg: free spare array to avoid memory leak commit 8c7577637ca31385e92769a77e2ab5b428e8b99c upstream. When the last event is unregistered, there is no need to keep the spare array anymore. So free it to avoid memory leak. Signed-off-by: Sha Zhengju Acked-by: KAMEZAWA Hiroyuki Reviewed-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 277ff221e8b2a9d4397c247313883d1160c0403e Author: Eric Sandeen Date: Mon Feb 20 23:06:18 2012 -0500 ext4: avoid deadlock on sync-mounted FS w/o journal commit c1bb05a657fb3d8c6179a4ef7980261fae4521d7 upstream. Processes hang forever on a sync-mounted ext2 file system that is mounted with the ext4 module (default in Fedora 16). I can reproduce this reliably by mounting an ext2 partition with "-o sync" and opening a new file an that partition with vim. vim will hang in "D" state forever. The same happens on ext4 without a journal. I am attaching a small patch here that solves this issue for me. In the sync mounted case without a journal, ext4_handle_dirty_metadata() may call sync_dirty_buffer(), which can't be called with buffer lock held. Also move mb_cache_entry_release inside lock to avoid race fixed previously by 8a2bfdcb ext[34]: EA block reference count racing fix Note too that ext2 fixed this same problem in 2006 with b2f49033 [PATCH] fix deadlock in ext2 Signed-off-by: Martin.Wilck@ts.fujitsu.com [sandeen@redhat.com: move mb_cache_entry_release before unlock, edit commit msg] Signed-off-by: Eric Sandeen Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit e216671645be239b08cd2e9bf0476c19677fceac Author: Sasha Levin Date: Sat May 5 17:06:35 2012 +0200 init: don't try mounting device as nfs root unless type fully matches commit 377485f6244af255b04d662cf19cddbbc4ae4310 upstream. Currently, we'll try mounting any device who's major device number is UNNAMED_MAJOR as NFS root. This would happen for non-NFS devices as well (such as 9p devices) but it wouldn't cause any issues since mounting the device as NFS would fail quickly and the code proceeded to doing the proper mount: [ 101.522716] VFS: Unable to mount root fs via NFS, trying floppy. [ 101.534499] VFS: Mounted root (9p filesystem) on device 0:18. Commit 6829a048102a ("NFS: Retry mounting NFSROOT") introduced retries when mounting NFS root, which means that now we don't immediately fail and instead it takes an additional 90+ seconds until we stop retrying, which has revealed the issue this patch fixes. This meant that it would take an additional 90 seconds to boot when we're not using a device type which gets detected in order before NFS. This patch modifies the NFS type check to require device type to be 'Root_NFS' instead of requiring the device to have an UNNAMED_MAJOR major. This makes boot process cleaner since we now won't go through the NFS mounting code at all when the device isn't an NFS root ("/dev/nfs"). Signed-off-by: Sasha Levin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 15ffd4cf92bed02feb5cdd3c309087b727b15f1d Author: Willy Tarreau Date: Thu May 17 11:14:14 2012 +0000 tcp: do_tcp_sendpages() must try to push data out on oom conditions commit bad115cfe5b509043b684d3a007ab54b80090aa1 upstream. Since recent changes on TCP splicing (starting with commits 2f533844 "tcp: allow splice() to build full TSO packets" and 35f9c09f "tcp: tcp_sendpages() should call tcp_push() once"), I started seeing massive stalls when forwarding traffic between two sockets using splice() when pipe buffers were larger than socket buffers. Latest changes (net: netdev_alloc_skb() use build_skb()) made the problem even more apparent. The reason seems to be that if do_tcp_sendpages() fails on out of memory condition without being able to send at least one byte, tcp_push() is not called and the buffers cannot be flushed. After applying the attached patch, I cannot reproduce the stalls at all and the data rate it perfectly stable and steady under any condition which previously caused the problem to be permanent. The issue seems to have been there since before the kernel migrated to git, which makes me think that the stalls I occasionally experienced with tux during stress-tests years ago were probably related to the same issue. This issue was first encountered on 3.0.31 and 3.2.17, so please backport to -stable. Signed-off-by: Willy Tarreau Acked-by: Eric Dumazet Signed-off-by: Greg Kroah-Hartman commit d10b5a4632c7dc2a3568a35c3cdd18b60b75b071 Author: Jonathan Brassow Date: Wed May 16 04:06:14 2012 -0500 MD: Add del_timer_sync to mddev_suspend (fix nasty panic) commit 0d9f4f135eb6dea06bdcb7065b1e4ff78274a5e9 upstream. Use del_timer_sync to remove timer before mddev_suspend finishes. We don't want a timer going off after an mddev_suspend is called. This is especially true with device-mapper, since it can call the destructor function immediately following a suspend. This results in the removal (kfree) of the structures upon which the timer depends - resulting in a very ugly panic. Therefore, we add a del_timer_sync to mddev_suspend to prevent this. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit c54fe065e1aa33c35f774efda2842dccf1ad7727 Author: Tushar Dave Date: Thu May 17 01:04:50 2012 +0000 e1000: Prevent reset task killing itself. commit 8ce6909f77ba1b7bcdea65cc2388fd1742b6d669 upstream. Killing reset task while adapter is resetting causes deadlock. Only kill reset task if adapter is not resetting. Ref bug #43132 on bugzilla.kernel.org Signed-off-by: Tushar Dave Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ec3b77122943883a098d80845dde974b02577612 Author: Mike Snitzer Date: Sat May 12 01:43:21 2012 +0100 dm mpath: check if scsi_dh module already loaded before trying to load commit 510193a2d3d2e03ae53b95c0ae4f33cdff02cbf8 upstream. If the requested scsi_dh module is already loaded then skip request_module(). Multipath table loads can hang in an unnecessary __request_module. Reported-by: Ben Marzinski Signed-off-by: Mike Snitzer Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 17b85e4808e2593a234a34e629a5ae08e5246958 Author: Amit Shah Date: Wed Apr 25 14:40:39 2012 +0530 virtio: console: tell host of open ports after resume from s3/s4 commit fa8b66ccd2d200b64496cfedcce90bf54fe7d6e9 upstream. If a port was open before going into one of the sleep states, the port can continue normal operation after restore. However, the host has to be told that the guest side of the connection is open to restore pre-suspend state. This wasn't noticed so far due to a bug in qemu that was fixed recently (which marked the guest-side connection as always open). Signed-off-by: Amit Shah Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit c52d567fdf7fb8cdaf2d34206f5b7f4adaae1595 Author: Nicholas Bellinger Date: Wed May 16 16:05:26 2012 -0700 target: Fix bug in handling of FILEIO + block_device resize ops commit cd9323fd68aee3c1c6b5b21e5746c9d1b586fb58 upstream. This patch fixes a bug in the handling of FILEIO w/ underlying block_device resize operations where the original fd_dev->fd_dev_size was incorrectly being used in fd_get_blocks() for READ_CAPACITY response payloads. This patch avoids using fd_dev->fd_dev_size for FILEIO devices with an underlying block_device, and instead changes fd_get_blocks() to get the sector count directly from i_size_read() as recommended by hch. Reported-by: Christoph Hellwig Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 2307b85fbe257c0348f56118d533769d36c9cc8a Author: Bernhard Kohl Date: Sun May 13 23:39:37 2012 +0200 target: Fix SPC-2 RELEASE bug for multi-session iSCSI client setups commit edc318d9fea6854df752ec8c645b960b0d5a1d23 upstream. This patch addresses a bug in a special case for target core SPC-2 RELEASE logic where the same physical client (eg: iSCSI InitiatorName) with differing iSCSI session identifiers (ISID) is allowed to incorrectly release the same client's SPC-2 reservation from the non reservation holding path. Note this bug is specific to iscsi-target w/ SPC-2 reservations, and with the default enforce_pr_isids=1 device attr setting in target-core controls if a InitiatorName + different ISID reservations are handled the same as a single iSCSI client entity. Signed-off-by: Bernhard Kohl Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 6b1d13f897e2b08a66724c685c06f35dc8e114d4 Author: Nicholas Bellinger Date: Thu May 10 22:05:49 2012 -0700 target: Drop incorrect se_lun_acl release for dynamic -> explict ACL conversion commit cfebf8f42f47327fa54cf05c19b98f4bd5236a26 upstream. This patch removes some potentially problematic legacy code within core_clear_initiator_node_from_tpg() that was originally intended to release left over se_lun_acl setup during dynamic NodeACL+MappedLUN generate when running with TPG demo-mode operation. Since we now only ever expect to allocate and release se_lun_acl from within target_core_fabric_configfs.c:target_fabric_make_mappedlun() and target_fabric_drop_mappedlun() context respectively, this code for demo-mode release is incorrect and needs to be removed. Cc: Christoph Hellwig Cc: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit f044a884e3d24fa112e9198b66a83074020d85ca Author: Alexander Clouter Date: Sat May 12 09:45:08 2012 +0100 crypto: mv_cesa requires on CRYPTO_HASH to build commit 1ebfefcf37a6e308266a8d786e8cfea0a454058c upstream. Without CRYPTO_HASH being selected, mv_cesa has a lot of hooks into undefined exports. ---- MODPOST 81 modules Kernel: arch/arm/boot/Image is ready AS arch/arm/boot/compressed/head.o GZIP arch/arm/boot/compressed/piggy.gzip CC arch/arm/boot/compressed/misc.o CC arch/arm/boot/compressed/decompress.o ERROR: "crypto_ahash_type" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_shash_final" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_register_ahash" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_unregister_ahash" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_shash_update" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_shash_digest" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_shash_setkey" [drivers/crypto/mv_cesa.ko] undefined! ERROR: "crypto_alloc_shash" [drivers/crypto/mv_cesa.ko] undefined! make[1]: *** [__modpost] Error 1 make: *** [modules] Error 2 make: *** Waiting for unfinished jobs.... ---- Signed-off-by: Alexander Clouter Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 1c3a16855faa9dec5d580987b0993ce7b1b303d7 Author: Chris Metcalf Date: Wed May 16 14:54:20 2012 -0400 arch/tile: apply commit 74fca9da0 to the compat signal handling as well commit a134d228298c6aa9007205c6b81cae0cac0acb5d upstream. This passes siginfo and mcontext to tilegx32 signal handlers that don't have SA_SIGINFO set just as we have been doing for tilegx64. Signed-off-by: Chris Metcalf Signed-off-by: Greg Kroah-Hartman commit 66a02109c4a5891a43b437e0de677de759ea2310 Author: Josh Cartwright Date: Thu Mar 29 19:34:53 2012 -0400 jffs2: Fix lock acquisition order bug in gc path commit 226bb7df3d22bcf4a1c0fe8206c80cc427498eae upstream. The locking policy is such that the erase_complete_block spinlock is nested within the alloc_sem mutex. This fixes a case in which the acquisition order was erroneously reversed. This issue was caught by the following lockdep splat: ======================================================= [ INFO: possible circular locking dependency detected ] 3.0.5 #1 ------------------------------------------------------- jffs2_gcd_mtd6/299 is trying to acquire lock: (&c->alloc_sem){+.+.+.}, at: [] jffs2_garbage_collect_pass+0x314/0x890 but task is already holding lock: (&(&c->erase_completion_lock)->rlock){+.+...}, at: [] jffs2_garbage_collect_pass+0x308/0x890 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&(&c->erase_completion_lock)->rlock){+.+...}: [] validate_chain+0xe6c/0x10bc [] __lock_acquire+0x54c/0xba4 [] lock_acquire+0xa4/0x114 [] _raw_spin_lock+0x3c/0x4c [] jffs2_garbage_collect_pass+0x4c/0x890 [] jffs2_garbage_collect_thread+0x1b4/0x1cc [] kthread+0x98/0xa0 [] kernel_thread_exit+0x0/0x8 -> #0 (&c->alloc_sem){+.+.+.}: [] print_circular_bug+0x70/0x2c4 [] validate_chain+0x1034/0x10bc [] __lock_acquire+0x54c/0xba4 [] lock_acquire+0xa4/0x114 [] mutex_lock_nested+0x74/0x33c [] jffs2_garbage_collect_pass+0x314/0x890 [] jffs2_garbage_collect_thread+0x1b4/0x1cc [] kthread+0x98/0xa0 [] kernel_thread_exit+0x0/0x8 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&(&c->erase_completion_lock)->rlock); lock(&c->alloc_sem); lock(&(&c->erase_completion_lock)->rlock); lock(&c->alloc_sem); *** DEADLOCK *** 1 lock held by jffs2_gcd_mtd6/299: #0: (&(&c->erase_completion_lock)->rlock){+.+...}, at: [] jffs2_garbage_collect_pass+0x308/0x890 stack backtrace: [] (unwind_backtrace+0x0/0x100) from [] (dump_stack+0x20/0x24) [] (dump_stack+0x20/0x24) from [] (print_circular_bug+0x1c8/0x2c4) [] (print_circular_bug+0x1c8/0x2c4) from [] (validate_chain+0x1034/0x10bc) [] (validate_chain+0x1034/0x10bc) from [] (__lock_acquire+0x54c/0xba4) [] (__lock_acquire+0x54c/0xba4) from [] (lock_acquire+0xa4/0x114) [] (lock_acquire+0xa4/0x114) from [] (mutex_lock_nested+0x74/0x33c) [] (mutex_lock_nested+0x74/0x33c) from [] (jffs2_garbage_collect_pass+0x314/0x890) [] (jffs2_garbage_collect_pass+0x314/0x890) from [] (jffs2_garbage_collect_thread+0x1b4/0x1cc) [] (jffs2_garbage_collect_thread+0x1b4/0x1cc) from [] (kthread+0x98/0xa0) [] (kthread+0x98/0xa0) from [] (kernel_thread_exit+0x0/0x8) This was introduce in '81cfc9f jffs2: Fix serious write stall due to erase'. Signed-off-by: Josh Cartwright Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit d14b723555fec17bc97e6fa8ff9932a434293f13 Author: Russ Anderson Date: Thu May 10 13:01:46 2012 -0700 mm: nobootmem: fix sign extend problem in __free_pages_memory() commit 6bc2e853c6b46a6041980d58200ad9b0a73a60ff upstream. Systems with 8 TBytes of memory or greater can hit a problem where only the the first 8 TB of memory shows up. This is due to "int i" being smaller than "unsigned long start_aligned", causing the high bits to be dropped. The fix is to change `i' to unsigned long to match start_aligned and end_aligned. Thanks to Jack Steiner for assistance tracking this down. Signed-off-by: Russ Anderson Cc: Jack Steiner Cc: Johannes Weiner Cc: Tejun Heo Cc: David S. Miller Cc: Yinghai Lu Cc: Gavin Shan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 332c1d641e68608638dcd11588b348c37173be09 Author: Chris Metcalf Date: Thu May 10 13:01:44 2012 -0700 hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow() commit 4998a6c0edce7fae9c0a5463f6ec3fa585258ee7 upstream. Commit 66aebce747eaf ("hugetlb: fix race condition in hugetlb_fault()") added code to avoid a race condition by elevating the page refcount in hugetlb_fault() while calling hugetlb_cow(). However, one code path in hugetlb_cow() includes an assertion that the page count is 1, whereas it may now also have the value 2 in this path. The consensus is that this BUG_ON has served its purpose, so rather than extending it to cover both cases, we just remove it. Signed-off-by: Chris Metcalf Acked-by: Mel Gorman Acked-by: Hillf Danton Acked-by: Hugh Dickins Cc: Michal Hocko Cc: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7561c7897963c7b1cfbd2c59eefa5de4e7c91977 Author: Will Newton Date: Fri Mar 30 11:51:02 2012 +0100 mtd: fix oops in dataflash driver commit 7a84477c4acebf6299b6a8bd6a1d5894eb838ffa upstream. I'm seeing an oops in mtd_dataflash.c with Linux 3.3. What appears to be happening is that otp_select_filemode calls mtd_read_fact_prot_reg with -1 for offset and length and a NULL buffer to test if OTP operations are supported. This finds its way down to otp_read in mtd_dataflash.c and causes an oops when memcpying the returned data into the NULL buf. None of the checks in otp_read catches the negative length and offset. Changing the length of the dummy read to 0 prevents the oops. Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 9b5707862c86f98190c900770ce3ce5ad89dd4bd Author: Catalin Marinas Date: Wed May 9 16:55:19 2012 +0100 kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP commit 100d13c3b5b9410f604b86f5e0a34da64b8cf659 upstream. Kmemleak tracks the percpu allocations via a specific API and the originally allocated areas must be removed from kmemleak (via kmemleak_free). The code was already doing this for SMP systems. Reported-by: Sami Liedes Cc: Tejun Heo Cc: Christoph Lameter Signed-off-by: Catalin Marinas Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit c93fc7ebf9357371b32e2cd3c4b44a3693296136 Author: Tejun Heo Date: Fri Apr 27 08:42:53 2012 -0700 percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete commit 42b64281453249dac52861f9b97d18552a7ec62b upstream. pcpu_embed_first_chunk() allocates memory for each node, copies percpu data and frees unused portions of it before proceeding to the next group. This assumes that allocations for different nodes doesn't overlap; however, depending on memory topology, the bootmem allocator may end up allocating memory from a different node than the requested one which may overlap with the portion freed from one of the previous percpu areas. This leads to percpu groups for different nodes overlapping which is a serious bug. This patch separates out copy & partial free from the allocation loop such that all allocations are complete before partial frees happen. This also fixes overlapping frees which could happen on allocation failure path - out_free_areas path frees whole groups but the groups could have portions freed at that point. Signed-off-by: Tejun Heo Reported-by: "Pavel V. Panteleev" Tested-by: "Pavel V. Panteleev" LKML-Reference: Signed-off-by: Greg Kroah-Hartman commit ec4f4e71a06eb0028172a2cdf2f9930379dfb1b4 Author: Dan Williams Date: Mon May 7 04:24:51 2012 +0000 cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN commit 4e6304b8420aba5311ba21fd68dab2924ae4d91a upstream. Needs to be tagged with FLAG_WWAN, which since it has generic descriptors, won't happen if we don't override the generic driver info. Cc: Oliver Neukum Cc: stable@vger.kernel.org Signed-off-by: Dan Williams Acked-by: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 659219b22fb8010e8c4b012e9b9934055a42b582 Author: Bjørn Mork Date: Thu Apr 26 02:35:10 2012 +0000 cdc_ether: Ignore bogus union descriptor for RNDIS devices commit 6eddcb4c82883451aec3be1240f17793370fa62f upstream. Some RNDIS devices include a bogus CDC Union descriptor pointing to non-existing interfaces. The RNDIS code is already prepared to handle devices without a CDC Union descriptor by hardwiring the driver to use interfaces 0 and 1, which is correct for the devices with the bogus descriptor as well. So we can reuse the existing workaround. Cc: Markus Kolb Cc: Iker Salmón San Millán Cc: Jonathan Nieder Cc: Oliver Neukum Cc: 655387@bugs.debian.org Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b37b66352b0c79a75cefbe248fbeb4a90ef67783 Author: Mark Brown Date: Tue May 15 18:13:00 2012 +0100 ASoC: wm8994: Fix AIF2ADC power down commit c7f5f2389377b66028bc129890aa653deafe8d39 upstream. Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0b0152275bf9e0b0d9da0d7ac5812f7af189aa19 Author: Brian Austin Date: Fri May 11 12:54:45 2012 -0500 ASoC: cs42l73: Sync digital mixer kcontrols to allow for 0dB commit 5807c3bf68eb489032ca8ff70b3d3c833fd8172b upstream. Some of the Digital mixer kcontrol max values were off by 1 not allowing a max of 0dB. Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 42370aa8f33d3be4e97950065c0b73511038fc1b Author: Mauro Carvalho Chehab Date: Mon May 7 15:01:37 2012 -0300 media: dvb_frontend: fix a regression with DVB-S zig-zag commit 910a5f2e9642d5be373beae3d29e1c4a3bc7d83b upstream. Changeset 5bfaadde broke zig-zag for DVB-S drivers that don't implement get_tune_settings() callback. Fix the code, in order to allow it to work as before, otherwise some channels may not be tuned anymore. Fix Fedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=814404 Reported-by: Michael Heijenga Tested-by: Michael Heijenga Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit b24745b32431b81ae006bdaf75bac6a30d31b31b Author: Luis Henriques Date: Sat Apr 21 12:25:21 2012 -0300 media: rc: Postpone ISR registration commit 9ef449c6b31bb6a8e6dedc24de475a3b8c79be20 upstream. An early registration of an ISR was causing a crash to several users (for example, with the ite-cir driver: http://bugs.launchpad.net/bugs/972723). The reason was that IRQs were being triggered before a driver initialisation was completed. This patch fixes this by moving the invocation to request_irq() and to request_region() to a later stage on the driver probe function. Signed-off-by: Luis Henriques Acked-by: Jarod Wilson Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 817a2eb566911b127a57cf3561bb88c98e4b6348 Author: Sylwester Nawrocki Date: Sat Apr 21 18:46:30 2012 -0300 media: s5p-fimc: Fix locking in subdev set_crop op commit e985dbf7d93e2a3e114b4525413e50f83613e0cb upstream. When setting TRY crop on the sub-device the mutex was erroneously acquired rather than released on exit path. This bug is present in kernels starting from v3.2. Signed-off-by: Sylwester Nawrocki Signed-off-by: Kyungmin Park Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 4d650fc196b3d6a600edfb7ed72ac72b47ea6185 Author: Russell King Date: Wed May 16 15:19:20 2012 +0100 ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS commit 9b61a4d1b2064dbd0c9e61754305ac852170509f upstream. Reported-by: Al Viro Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit a2e4e710c086666027b14bfcc4ca7c46773a7d6e Author: Will Deacon Date: Fri May 11 17:42:37 2012 +0100 ARM: 7417/1: vfp: ensure preemption is disabled when enabling VFP access commit 998de4acb2ba188d20768d1065658377a2e7d29b upstream. The vfp_enable function enables access to the VFP co-processor register space (cp10 and cp11) on the current CPU and must be called with preemption disabled. Unfortunately, the vfp_init late initcall does not disable preemption and can lead to an oops during boot if thread migration occurs at the wrong time and we end up attempting to access the FPSID on a CPU with VFP access disabled. This patch fixes the initcall to call vfp_enable from a non-preemptible context on each CPU and adds a BUG_ON(preemptible) to ensure that any similar problems are easily spotted in the future. Reported-by: Hyungwoo Yang Signed-off-by: Hyungwoo Yang Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 2429eaf3b1bf0e41b3f3f76e917fc710b9511f42 Author: Jonathan Corbet Date: Fri Apr 20 12:22:50 2012 -0300 media: marvell-cam: fix an ARM build error commit 9967232f1be5bab10c7b7a8dcf51ff5c3c1a6d77 upstream. One of the OLPC changes lost a little in its translation to mainline, leading to build errors on the ARM architecture. Remove the offending line, and all will be well. Reported-by: Mathieu Poirier Signed-off-by: Jonathan Corbet Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 64e7fc77d3eef5a0864929a58a034d6be4a6fb1d Author: David S. Miller Date: Thu May 10 11:00:46 2012 -0700 sparc64: Do not clobber %g2 in xcall_fetch_glob_regs(). [ Upstream commit a5a737e090e25981e99d69f01400e3a80356581c ] %g2 is meant to hold the CPUID number throughout this routine, since at the very beginning, and at the very end, we use %g2 to calculate indexes into per-cpu arrays. However we erroneously clobber it in order to hold the %cwp register value mid-stream. Fix this code to use %g3 for the %cwp read and related calulcations instead. Reported-by: Meelis Roos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 406c7d0dfa49cba7ee87584fec108bd422a59d5e Author: Mike Galbraith Date: Thu May 10 13:01:45 2012 -0700 namespaces, pid_ns: fix leakage on fork() failure commit 5e2bf0142231194d36fdc9596b36a261ed2b9fe7 upstream. Fork() failure post namespace creation for a child cloned with CLONE_NEWPID leaks pid_namespace/mnt_cache due to proc being mounted during creation, but not unmounted during cleanup. Call pid_ns_release_proc() during cleanup. Signed-off-by: Mike Galbraith Acked-by: Oleg Nesterov Reviewed-by: "Eric W. Biederman" Cc: Pavel Emelyanov Cc: Cyrill Gorcunov Cc: Louis Rilling Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bdce491491d3e9e9b647b24ab4928561d2a6434a Author: Ming Lei Date: Thu Apr 26 11:33:46 2012 +0800 usbnet: fix skb traversing races during unlink(v2) commit 5b6e9bcdeb65634b4ad604eb4536404bbfc62cfa upstream. Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid recursive locking in usbnet_stop()) fixes the recursive locking problem by releasing the skb queue lock before unlink, but may cause skb traversing races: - after URB is unlinked and the queue lock is released, the refered skb and skb->next may be moved to done queue, even be released - in skb_queue_walk_safe, the next skb is still obtained by next pointer of the last skb - so maybe trigger oops or other problems This patch extends the usage of entry->state to describe 'start_unlink' state, so always holding the queue(rx/tx) lock to change the state if the referd skb is in rx or tx queue because we need to know if the refered urb has been started unlinking in unlink_urbs. The other part of this patch is based on Huajun's patch: always traverse from head of the tx/rx queue to get skb which is to be unlinked but not been started unlinking. Signed-off-by: Huajun Li Signed-off-by: Ming Lei Cc: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3ffea7c7b3f291da82b3a2312199b893669ab0ef Author: Takashi Iwai Date: Tue May 15 08:07:31 2012 +0200 ALSA: hda/idt - Fix power-map for speaker-pins with some HP laptops commit b0791dda813c179e539b0fc1ecd3f5f30f2571e2 upstream. BIOS on some HP laptops don't set the speaker-pins as fixed but expose as jacks, and this confuses the driver as if these pins are jack-detectable. As a result, the machine doesn't get sounds from speakers because the driver prepares the power-map update via jack unsol events which never come up in reality. The bug was introduced in some time in 3.2 for enabling the power-mapping feature. This patch fixes the problem by replacing the check of the persistent power-map bits with a proper is_jack_detectable() call. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=43240 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9575e19d8da3a5074c10f45dd3cc6a7007dd4419 Author: Takashi Iwai Date: Mon May 7 11:13:14 2012 +0200 ALSA: hda/realtek - Add missing CD-input pin for MSI-7350 mobo commit bca40138558f0b39357fd1ca477868e4f52f4b1e upstream. Reported-by: Philipp Matthias Hahn Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 22547d8980b1d033e629cff0bb6e69927a98efd9 Author: David Henningsson Date: Fri May 4 11:05:55 2012 +0200 ALSA: HDA: Lessen CPU usage when waiting for chip to respond commit 32cf4023e689ad5b3a81a749d8cc99d7f184cb99 upstream. When an IRQ for some reason gets lost, we wait up to a second using udelay, which is CPU intensive. This patch improves the situation by waiting about 30 ms in the CPU intensive mode, then stepping down to using msleep(2) instead. In essence, we trade some granularity in exchange for less CPU consumption when the waiting time is a bit longer. As a result, PulseAudio should no longer be killed by the kernel for taking up to much RT-prio CPU time. At least not for *this* reason. Signed-off-by: David Henningsson Tested-by: Arun Raghavan Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 72a732f47f3da70a795e52fc027b2e870f8650ab Author: Mark Hills Date: Mon Apr 30 19:39:22 2012 +0100 ALSA: echoaudio: Remove incorrect part of assertion commit c914f55f7cdfafe9d7d5b248751902c7ab57691e upstream. This assertion seems to imply that chip->dsp_code_to_load is a pointer. It's actually an integer handle on the actual firmware, and 0 has no special meaning. The assertion prevents initialisation of a Darla20 card, but would also affect other models. It seems it was introduced in commit dd7b254d. ALSA sound/pci/echoaudio/echoaudio.c:2061 Echoaudio driver starting... ALSA sound/pci/echoaudio/echoaudio.c:1969 chip=ebe4e000 ALSA sound/pci/echoaudio/echoaudio.c:2007 pci=ed568000 irq=19 subdev=0010 Init hardware... ALSA sound/pci/echoaudio/darla20_dsp.c:36 init_hw() - Darla20 ------------[ cut here ]------------ WARNING: at sound/pci/echoaudio/echoaudio_dsp.c:478 init_hw+0x1d1/0x86c [snd_darla20]() Hardware name: Dell DM051 BUG? (!chip->dsp_code_to_load || !chip->comm_page) Signed-off-by: Mark Hills Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman