commit 145fff1f0b75c8bd6a26052d638276bb2e009983 Author: Greg Kroah-Hartman Date: Fri Apr 22 08:47:31 2011 -0700 Linux 2.6.32.39 commit dcef84f17ad3f3b1ab08dce2ffd45f9e5b0f08e0 Author: Linus Torvalds Date: Thu Oct 28 15:40:55 2010 +0000 net: fix rds_iovec page count overflow commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream. As reported by Thomas Pollet, the rdma page counting can overflow. We get the rdma sizes in 64-bit unsigned entities, but then limit it to UINT_MAX bytes and shift them down to pages (so with a possible "+1" for an unaligned address). So each individual page count fits comfortably in an 'unsigned int' (not even close to overflowing into signed), but as they are added up, they might end up resulting in a signed return value. Which would be wrong. Catch the case of tot_pages turning negative, and return the appropriate error code. Reported-by: Thomas Pollet Signed-off-by: Linus Torvalds Signed-off-by: Andy Grover Signed-off-by: David S. Miller [v2: nr is unsigned in the old code] Signed-off-by: Stefan Bader Acked-by: Tim Gardner Acked-by: Brad Figg Signed-off-by: Greg Kroah-Hartman commit c4f6afb9ce907df438c67b2e5d5ce3e2448b9b38 Author: Kees Cook Date: Wed Jan 12 00:34:49 2011 -0800 net: ax25: fix information leak to userland harder commit 5b919f833d9d60588d026ad82d17f17e8872c7a9 upstream. Commit fe10ae53384e48c51996941b7720ee16995cbcb7 adds a memset() to clear the structure being sent back to userspace, but accidentally used the wrong size. Reported-by: Brad Spengler Signed-off-by: Kees Cook Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6f396d4afd30c6940be971bee29e2f62e5bdc437 Author: Hans Rosenfeld Date: Wed Aug 18 16:19:50 2010 +0200 x86, cpu: Fix regression in AMD errata checking code commit 07a7795ca2e6e66d00b184efb46bd0e23d90d3fe upstream. A bug in the family-model-stepping matching code caused the presence of errata to go undetected when OSVW was not used. This causes hangs on some K8 systems because the E400 workaround is not enabled. Signed-off-by: Hans Rosenfeld LKML-Reference: <1282141190-930137-1-git-send-email-hans.rosenfeld@amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 5d7a20b586ff6ce07faa60c54947477248d34848 Author: Dmitry Torokhov Date: Wed Mar 23 22:41:23 2011 -0700 USB: xhci - fix math in xhci_get_endpoint_interval() commit dfa49c4ad120a784ef1ff0717168aa79f55a483a upstream. When parsing exponent-expressed intervals we subtract 1 from the value and then expect it to match with original + 1, which is highly unlikely, and we end with frequent spew: usb 3-4: ep 0x83 - rounding interval to 512 microframes Also, parsing interval for fullspeed isochronous endpoints was incorrect - according to USB spec they use exponent-based intervals (but xHCI spec claims frame-based intervals). I trust USB spec more, especially since USB core agrees with it. This should be queued for stable kernels back to 2.6.31. Reviewed-by: Micah Elizabeth Scott Signed-off-by: Dmitry Torokhov Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 53d5fa19a47b286d94264b630e24709e80a33cd5 Author: Dmitry Torokhov Date: Sun Mar 20 02:15:17 2011 -0700 USB: xhci - fix unsafe macro definitions commit 5a6c2f3ff039154872ce597952f8b8900ea0d732 upstream. Macro arguments used in expressions need to be enclosed in parenthesis to avoid unpleasant surprises. This should be queued for kernels back to 2.6.31 Signed-off-by: Dmitry Torokhov Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit b90adfeb126662df944e7fdfcd732ab10df6454c Author: Dmitry Torokhov Date: Fri Mar 18 21:29:01 2011 -0700 USB: fix formatting of SuperSpeed endpoints in /proc/bus/usb/devices commit 2868a2b1ba8f9c7f6c4170519ebb6c62934df70e upstream. Isochronous and interrupt SuperSpeed endpoints use the same mechanisms for decoding bInterval values as HighSpeed ones so adjust the code accordingly. Also bandwidth reservation for SuperSpeed matches highspeed, not low/full speed. Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit a572af6883a6af871d9f20894f6b51a2749f3c22 Author: Alan Stern Date: Tue Apr 5 13:36:15 2011 -0400 USB: EHCI: unlink unused QHs when the controller is stopped commit 94ae4976e253757e9b03a44d27d41b20f1829d80 upstream. This patch (as1458) fixes a problem affecting ultra-reliable systems: When hardware failover of an EHCI controller occurs, the data structures do not get released correctly. This is because the routine responsible for removing unused QHs from the async schedule assumes the controller is running properly (the frame counter is used in determining how long the QH has been idle) -- but when a failover causes the controller to be electronically disconnected from the PCI bus, obviously it stops running. The solution is simple: Allow scan_async() to remove a QH from the async schedule if it has been idle for long enough _or_ if the controller is stopped. Signed-off-by: Alan Stern Reported-and-Tested-by: Dan Duval Signed-off-by: Greg Kroah-Hartman commit d86dbfba5a2d6fe17b5fde93b41c03c864d10aa8 Author: Linus Torvalds Date: Mon Apr 18 10:36:54 2011 -0700 proc: do proper range check on readdir offset commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream. Rather than pass in some random truncated offset to the pid-related functions, check that the offset is in range up-front. This is just cleanup, the previous commit fixed the real problem. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 67e022f3add1879292986e779b2aaf6ecb93fa58 Author: Linus Torvalds Date: Mon Apr 18 10:35:30 2011 -0700 next_pidmap: fix overflow condition commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream. next_pidmap() just quietly accepted whatever 'last' pid that was passed in, which is not all that safe when one of the users is /proc. Admittedly the proc code should do some sanity checking on the range (and that will be the next commit), but that doesn't mean that the helper functions should just do that pidmap pointer arithmetic without checking the range of its arguments. So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1" doesn't really matter, the for-loop does check against the end of the pidmap array properly (it's only the actual pointer arithmetic overflow case we need to worry about, and going one bit beyond isn't going to overflow). [ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ] Reported-by: Tavis Ormandy Analyzed-by: Robert Święcki Cc: Eric W. Biederman Cc: Pavel Emelyanov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3aed738e4f41feb2e18ce448bc53751beab49128 Author: Marius B. Kotsbak Date: Tue Mar 22 00:01:53 2011 +0100 USB: option: Added support for Samsung GT-B3730/GT-B3710 LTE USB modem. commit 80f9df3e0093ad9f1eeefd2ff7fd27daaa518d25 upstream. Bind only modem AT command endpoint to option. Signed-off-by: Marius B. Kotsbak Signed-off-by: Greg Kroah-Hartman commit 3cd02e97347a65765dc8e8031b90bc0cd3cfad31 Author: Enrico Mioso Date: Fri Sep 17 10:54:23 2010 +0200 USB: option: Add new ONDA vendor id and product id for ONDA MT825UP commit c6991b6fd2b4201174dc4620d0c8c4f5ff27b36f upstream. This patch, adds to the option driver the Onda Communication (http://www.ondacommunication.com) vendor id, and the MT825UP modem device id. Note that many variants of this same device are being release here in Italy (at least one or two per telephony operator). These devices are perfectly equivalent except for some predefined settings (which can be changed of course). It should be noted that most ONDA devices are allready supported (they used other vendor's ids in the past). The patch seems working fine here, and the rest of the driver seems uninfluenced. Signed-off-by: Enrico Mioso Signed-off-by: Greg Kroah-Hartman commit fbf2ed35a98e126adf6c44af7e87c6f863b28d35 Author: Paul Friedrich Date: Fri Mar 18 11:13:55 2011 +0100 USB: ftdi_sio: add ids for Hameg HO720 and HO730 commit c53c2fab40cf16e13af66f40bfd27200cda98d2f upstream. usb serial: ftdi_sio: add two missing USB ID's for Hameg interfaces HO720 and HO730 Signed-off-by: Greg Kroah-Hartman commit 2233c6ee0ec7b945376a5ffc6484d7fdbd68159d Author: Johan Hovold Date: Fri Apr 8 17:38:22 2011 +0200 USB: ftdi_sio: add PID for OCT DK201 docking station commit 11a31d84129dc3133417d626643d714c9df5317e upstream. Add PID 0x0103 for serial port of the OCT DK201 docking station. Reported-by: Jan Hoogenraad Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6a1c23dad9a79b71889bc286ec341159fd305043 Author: Christian Simon Date: Mon Mar 28 21:54:47 2011 +0200 USB: ftdi_sio: Added IDs for CTI USB Serial Devices commit 5a9443f08c83c294c5c806a689c1184b27cb26b3 upstream. I added new ProdutIds for two devices from CTI GmbH Leipzig. Signed-off-by: Christian Simon Signed-off-by: Greg Kroah-Hartman commit 8835b61c170b6747df2312804c4f8919ad2c90d0 Author: Joerg Roedel Date: Fri Apr 15 14:47:40 2011 +0200 x86, amd: Disable GartTlbWlkErr when BIOS forgets it commit 5bbc097d890409d8eff4e3f1d26f11a9d6b7c07e upstream. This patch disables GartTlbWlk errors on AMD Fam10h CPUs if the BIOS forgets to do is (or is just too old). Letting these errors enabled can cause a sync-flood on the CPU causing a reboot. The AMD BKDG recommends disabling GART TLB Wlk Error completely. This patch is the fix for https://bugzilla.kernel.org/show_bug.cgi?id=33012 on my machine. Signed-off-by: Joerg Roedel Link: http://lkml.kernel.org/r/20110415131152.GJ18463@8bytes.org Tested-by: Alexandre Demers Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit d4274252d17368745a550db596607e7233cdc4d0 Author: Boris Ostrovsky Date: Tue Mar 15 12:13:44 2011 -0400 x86, AMD: Set ARAT feature on AMD processors commit b87cf80af3ba4b4c008b4face3c68d604e1715c6 upstream. Support for Always Running APIC timer (ARAT) was introduced in commit db954b5898dd3ef3ef93f4144158ea8f97deb058. This feature allows us to avoid switching timers from LAPIC to something else (e.g. HPET) and go into timer broadcasts when entering deep C-states. AMD processors don't provide a CPUID bit for that feature but they also keep APIC timers running in deep C-states (except for cases when the processor is affected by erratum 400). Therefore we should set ARAT feature bit on AMD CPUs. Tested-by: Borislav Petkov Acked-by: Andreas Herrmann Acked-by: Mark Langsdorf Acked-by: Thomas Gleixner Signed-off-by: Boris Ostrovsky LKML-Reference: <1300205624-4813-1-git-send-email-ostr@amd64.org> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7a3b25c05575f86bf1ba3a397d301752dd981c49 Author: Hans Rosenfeld Date: Wed Jul 28 19:09:31 2010 +0200 x86, cpu: Clean up AMD erratum 400 workaround commit 9d8888c2a214aece2494a49e699a097c2ba9498b upstream. Remove check_c1e_idle() and use the new AMD errata checking framework instead. Signed-off-by: Hans Rosenfeld LKML-Reference: <1280336972-865982-2-git-send-email-hans.rosenfeld@amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit bba4804ec6458830565c24107f3f71f24b46e467 Author: Hans Rosenfeld Date: Wed Jul 28 19:09:30 2010 +0200 x86, cpu: AMD errata checking framework commit d78d671db478eb8b14c78501c0cee1cc7baf6967 upstream. Errata are defined using the AMD_LEGACY_ERRATUM() or AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that have an OSVW id assigned, which it takes as first argument. Both take a variable number of family-specific model-stepping ranges created by AMD_MODEL_RANGE(). Iff an erratum has an OSVW id, OSVW is available on the CPU, and the OSVW id is known to the hardware, it is used to determine whether an erratum is present. Otherwise, the model-stepping ranges are matched against the current CPU to find out whether the erratum applies. For certain special errata, the code using this framework might have to conduct further checks to make sure an erratum is really (not) present. Signed-off-by: Hans Rosenfeld LKML-Reference: <1280336972-865982-1-git-send-email-hans.rosenfeld@amd.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 4f4f117c9b75a3df8bfd552f1c4020a9206fdca5 Author: Artem Bityutskiy Date: Wed Apr 13 10:31:52 2011 +0300 UBIFS: fix oops when R/O file-system is fsync'ed commit 78530bf7f2559b317c04991b52217c1608d5a58d upstream. This patch fixes severe UBIFS bug: UBIFS oopses when we 'fsync()' an file on R/O-mounter file-system. We (the UBIFS authors) incorrectly thought that VFS would not propagate 'fsync()' down to the file-system if it is read-only, but this is not the case. It is easy to exploit this bug using the following simple perl script: use strict; use File::Sync qw(fsync sync); die "File path is not specified" if not defined $ARGV[0]; my $path = $ARGV[0]; open FILE, "<", "$path" or die "Cannot open $path: $!"; fsync(\*FILE) or die "cannot fsync $path: $!"; close FILE or die "Cannot close $path: $!"; Thanks to Reuben Dowle for reporting about this issue. Signed-off-by: Artem Bityutskiy Reported-by: Reuben Dowle Signed-off-by: Greg Kroah-Hartman commit 286ef426e335e89a43e63ee5b8ad129b651f9793 Author: Randy Dunlap Date: Thu Apr 14 15:22:07 2011 -0700 MAINTAINERS: update STABLE BRANCH info commit d00ebeac5f24f290636f7a895dafc124b2930a08 upstream. Drop Chris Wright from STABLE maintainers. He hasn't done STABLE release work for quite some time. Signed-off-by: Randy Dunlap Acked-by: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e9f20dc7274c7598a75144f29299e158d6650cb7 Author: Bob Liu Date: Thu Apr 14 15:22:20 2011 -0700 ramfs: fix memleak on no-mmu arch commit b836aec53e2bce71de1d5415313380688c851477 upstream. On no-mmu arch, there is a memleak during shmem test. The cause of this memleak is ramfs_nommu_expand_for_mapping() added page refcount to 2 which makes iput() can't free that pages. The simple test file is like this: int main(void) { int i; key_t k = ftok("/etc", 42); for ( i=0; i<100; ++i) { int id = shmget(k, 10000, 0644|IPC_CREAT); if (id == -1) { printf("shmget error\n"); } if(shmctl(id, IPC_RMID, NULL ) == -1) { printf("shm rm error\n"); return -1; } } printf("run ok...\n"); return 0; } And the result: root:/> free total used free shared buffers Mem: 60320 17912 42408 0 0 -/+ buffers: 17912 42408 root:/> shmem run ok... root:/> free total used free shared buffers Mem: 60320 19096 41224 0 0 -/+ buffers: 19096 41224 root:/> shmem run ok... root:/> free total used free shared buffers Mem: 60320 20296 40024 0 0 -/+ buffers: 20296 40024 ... After this patch the test result is:(no memleak anymore) root:/> free total used free shared buffers Mem: 60320 16668 43652 0 0 -/+ buffers: 16668 43652 root:/> shmem run ok... root:/> free total used free shared buffers Mem: 60320 16668 43652 0 0 -/+ buffers: 16668 43652 Signed-off-by: Bob Liu Acked-by: Hugh Dickins Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ad18f970959f55fbd0e4cca20eb4bec9b78b7aa3 Author: Jeff Mahoney Date: Thu Feb 24 17:23:09 2011 -0500 mca.c: Fix cast from integer to pointer warning commit c1d036c4d1cb00b7e8473a2ad0a78f13e13a8183 upstream. ia64_mca_cpu_init has a void *data local variable that is assigned the value from either __get_free_pages() or mca_bootmem(). The problem is that __get_free_pages returns an unsigned long and mca_bootmem, via alloc_bootmem(), returns a void *. format_mca_init_stack takes the void *, and it's also used with __pa(), but that casts it to long anyway. This results in the following build warning: arch/ia64/kernel/mca.c:1898: warning: assignment makes pointer from integer without a cast Cast the return of __get_free_pages to a void * to avoid the warning. Signed-off-by: Jeff Mahoney Signed-off-by: Tony Luck Signed-off-by: Greg Kroah-Hartman commit e0ab4946cf39a43a10cc2ddb5bb0a0f15e14680f Author: Jeff Mahoney Date: Thu Feb 24 15:33:24 2011 -0500 tioca: Fix assignment from incompatible pointer warnings commit b4a6b3436531f6c5256e6d60d388c3c28ff1a0e9 upstream. The prototype for sn_pci_provider->{dma_map,dma_map_consistent} expects an unsigned long instead of a u64. Signed-off-by: Jeff Mahoney Signed-off-by: Tony Luck Signed-off-by: Greg Kroah-Hartman commit 17ebcafea7865b8e818760a74eac88ac90cc5a4c Author: Jan Beulich Date: Tue Mar 1 14:28:02 2011 +0000 x86: Fix a bogus unwind annotation in lib/semaphore_32.S commit e938c287ea8d977e079f07464ac69923412663ce upstream. 'simple' would have required specifying current frame address and return address location manually, but that's obviously not the case (and not necessary) here. Signed-off-by: Jan Beulich LKML-Reference: <4D6D1082020000780003454C@vpn.id2.novell.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit dd12cd10cf74fe41ecd2a683b6c90cbc4f528884 Author: Jiri Slaby Date: Sun Mar 13 06:54:31 2011 +0000 NET: cdc-phonet, handle empty phonet header commit 468c3f924f043cad7a04f4f4d5224a2c9bc886c1 upstream. Currently, for N 5800 XM I get: cdc_phonet: probe of 1-6:1.10 failed with error -22 It's because phonet_header is empty. Extra altsetting looks like there: E 05 24 00 01 10 03 24 ab 05 24 06 0a 0b 04 24 fd .$....$..$....$. E 00 . I don't see the header used anywhere so just check if the phonet descriptor is there, not the structure itself. Signed-off-by: Jiri Slaby Cc: Rémi Denis-Courmont Cc: David S. Miller Acked-by: Rémi Denis-Courmont Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6b29cc2f85eb4a488b7acc72bf02e2cc9230853b Author: Vasiliy Kulikov Date: Fri Feb 4 15:24:19 2011 +0300 UBIFS: restrict world-writable debugfs files commit 8c559d30b4e59cf6994215ada1fe744928f494bf upstream. Don't allow everybody to dump sensitive information about filesystems. Signed-off-by: Vasiliy Kulikov Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 55d39791d076538b62f9dc7e12dac47d4db6ccae Author: Vasiliy Kulikov Date: Fri Feb 4 09:23:33 2011 -0300 video: sn9c102: world-wirtable sysfs files commit 14ddc3188d50855ae2a419a6aced995e2834e5d4 upstream. Don't allow everybody to change video settings. Signed-off-by: Vasiliy Kulikov Acked-by: Mauro Carvalho Chehab Acked-by: Luca Risolia Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit b6502c562ac27ca48b31e7edac9cee7ee694feec Author: Jeff Layton Date: Mon Mar 14 13:48:08 2011 -0400 cifs: always do is_path_accessible check in cifs_mount commit 70945643722ffeac779d2529a348f99567fa5c33 upstream. Currently, we skip doing the is_path_accessible check in cifs_mount if there is no prefixpath. I have a report of at least one server however that allows a TREE_CONNECT to a share that has a DFS referral at its root. The reporter in this case was using a UNC that had no prefixpath, so the is_path_accessible check was not triggered and the box later hit a BUG() because we were chasing a DFS referral on the root dentry for the mount. This patch fixes this by removing the check for a zero-length prefixpath. That should make the is_path_accessible check be done in this situation and should allow the client to chase the DFS referral at mount time instead. Reported-and-Tested-by: Yogesh Sharma Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman