commit 60b1e4f20a6cf45f07d2aef7eecd7fd58007ff1e Author: Greg Kroah-Hartman Date: Fri Dec 9 09:24:23 2011 -0800 Linux 2.6.32.50 commit d88048a3d7b795e08def7519626496e1f2d3931b Author: Thomas Gleixner Date: Fri Dec 2 16:02:45 2011 +0100 clockevents: Set noop handler in clockevents_exchange_device() commit de28f25e8244c7353abed8de0c7792f5f883588c upstream. If a device is shutdown, then there might be a pending interrupt, which will be processed after we reenable interrupts, which causes the original handler to be run. If the old handler is the (broadcast) periodic handler the shutdown state might hang the kernel completely. Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 7a2d10ca36b5f50f5c34604c2c3c8bf371cb884f Author: Thomas Gleixner Date: Fri Dec 2 12:34:16 2011 +0100 tick-broadcast: Stop active broadcast device when replacing it commit c1be84309c58b1e7c6d626e28fba41a22b364c3d upstream. When a better rated broadcast device is installed, then the current active device is not disabled, which results in two running broadcast devices. Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 2a96fb69ba383c2d3923456d1e933ba4950eb4c5 Author: Ido Yariv Date: Thu Dec 1 13:55:08 2011 +0200 genirq: Fix race condition when stopping the irq thread commit 550acb19269d65f32e9ac4ddb26c2b2070e37f1c upstream. In irq_wait_for_interrupt(), the should_stop member is verified before setting the task's state to TASK_INTERRUPTIBLE and calling schedule(). In case kthread_stop sets should_stop and wakes up the process after should_stop is checked by the irq thread but before the task's state is changed, the irq thread might never exit: kthread_stop irq_wait_for_interrupt ------------ ---------------------- ... ... while (!kthread_should_stop()) { kthread->should_stop = 1; wake_up_process(k); wait_for_completion(&kthread->exited); ... set_current_state(TASK_INTERRUPTIBLE); ... schedule(); } Fix this by checking if the thread should stop after modifying the task's state. [ tglx: Simplified it a bit ] Signed-off-by: Ido Yariv Link: http://lkml.kernel.org/r/1322740508-22640-1-git-send-email-ido@wizery.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit b669d5d9173f5f8d0e84744bc03e19d7f94f36ed Author: Robert Richter Date: Mon Oct 10 16:21:10 2011 +0200 oprofile, x86: Fix crash when unloading module (nmi timer mode) commit 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff upstream. If oprofile uses the nmi timer interrupt there is a crash while unloading the module. The bug can be triggered with oprofile build as module and kernel parameter nolapic set. This patch fixes this. oprofile: using NMI timer interrupt. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [] unregister_syscore_ops+0x41/0x58 PGD 42dbca067 PUD 41da6a067 PMD 0 Oops: 0002 [#1] PREEMPT SMP CPU 5 Modules linked in: oprofile(-) [last unloaded: oprofile] Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[] [] unregister_syscore_ops+0x41/0x58 RSP: 0018:ffff88041ef71e98 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffffffffa0017100 RCX: dead000000200200 RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620 RBP: ffff88041ef71ea8 R08: 0000000000000001 R09: 0000000000000082 R10: 0000000000000000 R11: ffff88041ef71de8 R12: 0000000000000080 R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210 FS: 00007fc902f20700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000008 CR3: 000000041cdb6000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process modprobe (pid: 2518, threadinfo ffff88041ef70000, task ffff88041d348040) Stack: ffff88041ef71eb8 ffffffffa0017790 ffff88041ef71eb8 ffffffffa0013532 ffff88041ef71ec8 ffffffffa00132d6 ffff88041ef71ed8 ffffffffa00159b2 ffff88041ef71f78 ffffffff81073115 656c69666f72706f 0000000000610200 Call Trace: [] op_nmi_exit+0x15/0x17 [oprofile] [] oprofile_arch_exit+0xe/0x10 [oprofile] [] oprofile_exit+0x1e/0x20 [oprofile] [] sys_delete_module+0x1c3/0x22f [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b RIP [] unregister_syscore_ops+0x41/0x58 RSP CR2: 0000000000000008 ---[ end trace 43a541a52956b7b0 ]--- Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 98e64d37b7cf1b2ce17ac7fd65da16fb708ff738 Author: Bjorn Helgaas Date: Sun Sep 25 15:29:00 2011 -0600 x86/mpparse: Account for bus types other than ISA and PCI commit 9e6866686bdf2dcf3aeb0838076237ede532dcc8 upstream. In commit f8924e770e04 ("x86: unify mp_bus_info"), the 32-bit and 64-bit versions of MP_bus_info were rearranged to match each other better. Unfortunately it introduced a regression: prior to that change we used to always set the mp_bus_not_pci bit, then clear it if we found a PCI bus. After it, we set mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave it alone otherwise. In the cases of ISA and PCI, there's not much difference. But ISA is not the only non-PCI bus, so it's better to always set mp_bus_not_pci and clear it only for PCI. Without this change, Dan's Dell PowerEdge 4200 panics on boot with a log indicating interrupt routing trouble unless the "noapic" option is supplied. With this change, the machine boots reliably without "noapic". Fixes http://bugs.debian.org/586494 Reported-bisected-and-tested-by: Dan McGrath Signed-off-by: Bjorn Helgaas Cc: Dan McGrath Cc: Alexey Starikovskiy [jrnieder@gmail.com: clarified commit message] Signed-off-by: Jonathan Nieder Link: http://lkml.kernel.org/r/20111122215000.GA9151@elie.hsd1.il.comcast.net Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e52d3fb7c83d6cb569f343a3db9b45decc801f59 Author: Salman Qazi Date: Tue Nov 15 14:12:06 2011 -0800 sched, x86: Avoid unnecessary overflow in sched_clock commit 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 upstream. (Added the missing signed-off-by line) In hundreds of days, the __cycles_2_ns calculation in sched_clock has an overflow. cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing the final value to become zero. We can solve this without losing any precision. We can decompose TSC into quotient and remainder of division by the scale factor, and then use this to convert TSC into nanoseconds. Signed-off-by: Salman Qazi Acked-by: John Stultz Reviewed-by: Paul Turner Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/20111115221121.7262.88871.stgit@dungbeetle.mtv.corp.google.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4708ad6374f07cdfb379c5d4100125e2cfd339d9 Author: Suresh Jayaraman Date: Fri Dec 2 16:24:56 2011 +0530 cifs: fix cifs stable patch cifs-fix-oplock-break-handling-try-2.patch The stable release 2.6.32.32 added the upstream commit 12fed00de963433128b5366a21a55808fab2f756. However, one of the hunks of the original patch seems missing from the stable backport which can be found here: http://permalink.gmane.org/gmane.linux.kernel.stable/5676 This hunk corresponds to the change in is_valid_oplock_break() at fs/cifs/misc.c. This patch backports the missing hunk and is against linux-2.6.32.y stable kernel. Cc: Steve French Signed-off-by: Pavel Shilovsky Signed-off-by: Suresh Jayaraman Signed-off-by: Greg Kroah-Hartman commit 30bed43b8963e34783ad597025e06e82f7e2a5ff Author: Hannes Reinecke Date: Wed Nov 9 08:39:24 2011 +0100 SCSI: Silencing 'killing requests for dead queue' commit 745718132c3c7cac98a622b610e239dcd5217f71 upstream. When we tear down a device we try to flush all outstanding commands in scsi_free_queue(). However the check in scsi_request_fn() is imperfect as it only signals that we _might start_ aborting commands, not that we've actually aborted some. So move the printk inside the scsi_kill_request function, this will also give us a hint about which commands are aborted. Signed-off-by: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit a488d32120a22ca2a2f436ab91947bcb352ee7cf Author: Jiri Slaby Date: Wed Sep 23 16:15:35 2009 +0200 SCSI: scsi_lib: fix potential NULL dereference commit 03b147083a2f9a2a3fbbd2505fa88ffa3c6ab194 upstream. Stanse found a potential NULL dereference in scsi_kill_request. Instead of triggering BUG() in 'if (unlikely(cmd == NULL))' branch, the kernel will Oops earlier on cmd dereference. Move the dereferences after the if. Signed-off-by: Jiri Slaby Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 0e7dfcd7c4b28102af501f57fd27ab2f99497148 Author: Qinglin Ye Date: Wed Nov 23 23:39:32 2011 +0800 USB: usb-storage: unusual_devs entry for Kingston DT 101 G2 commit cec28a5428793b6bc64e56687fb239759d6da74e upstream. Kingston DT 101 G2 replies a wrong tag while transporting, add an unusal_devs entry to ignore the tag validation. Signed-off-by: Qinglin Ye Signed-off-by: Greg Kroah-Hartman commit b0038b8519f8df04354464741f5e7a3699418b12 Author: Veli-Pekka Peltola Date: Thu Nov 24 22:08:56 2011 +0200 usb: option: add SIMCom SIM5218 commit ec0cd94d881ca89cc9fb61d00d0f4b2b52e605b3 upstream. Tested with SIM5218EVB-KIT evaluation kit. Signed-off-by: Veli-Pekka Peltola Signed-off-by: Greg Kroah-Hartman commit 2160d49d5fab175103267d84a0261cdd0099f4f4 Author: Marcin Kościelnicki Date: Wed Nov 30 17:01:04 2011 +0100 usb: ftdi_sio: add PID for Propox ISPcable III commit 307369b0ca06b27b511b61714e335ddfccf19c4f upstream. Signed-off-by: Marcin Kościelnicki Signed-off-by: Greg Kroah-Hartman commit 0971c0958616e62a085d86be62b21cf387565367 Author: Dan Carpenter Date: Tue Nov 22 10:28:31 2011 +0300 USB: whci-hcd: fix endian conversion in qset_clear() commit 8746c83d538cab273d335acb2be226d096f4a5af upstream. qset->qh.link is an __le64 field and we should be using cpu_to_le64() to fill it. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit 117dabceadaac646d2e943ecb570920d4be2f521 Author: Federico Vaga Date: Sat Oct 29 09:47:39 2011 +0200 Staging: comedi: fix signal handling in read and write commit 6a9ce6b654e491981f6ef7e214cbd4f63e033848 upstream. After sleeping on a wait queue, signal_pending(current) should be checked (not before sleeping). Acked-by: Alessandro Rubini Signed-off-by: Federico Vaga Signed-off-by: Greg Kroah-Hartman commit 300b30288b4e80da922b09db76bdef5ddfd676e6 Author: Bernd Porr Date: Tue Nov 8 21:23:03 2011 +0000 staging: comedi: fix oops for USB DAQ devices. commit 3ffab428f40849ed5f21bcfd7285bdef7902f9ca upstream. This fixes kernel oops when an USB DAQ device is plugged out while it's communicating with the userspace software. Signed-off-by: Bernd Porr Signed-off-by: Greg Kroah-Hartman commit 1890296ca407bbc02f8e0ea4683f8a885ad0ae1d Author: Bart Westgeest Date: Tue Nov 1 15:01:28 2011 -0400 staging: usbip: bugfix for deadlock commit 438957f8d4a84daa7fa5be6978ad5897a2e9e5e5 upstream. Interrupts must be disabled prior to calling usb_hcd_unlink_urb_from_ep. If interrupts are not disabled, it can potentially lead to a deadlock. The deadlock is readily reproduceable on a slower (ARM based) device such as the TI Pandaboard. Signed-off-by: Bart Westgeest Signed-off-by: Greg Kroah-Hartman commit 5aff28abc7e0ec1ddd562372ae4fa01e8e4d4073 Author: Benjamin Poirier Date: Wed Nov 30 07:47:18 2011 -0500 gro: reset vlan_tci on reuse This one liner is part of upstream commit 3701e51382a026cba10c60b03efabe534fba4ca4 Author: Jesse Gross vlan: Centralize handling of hardware acceleration. The bulk of that commit is a rework of the hardware assisted vlan tagging driver interface, and as such doesn't classify for -stable inclusion. The fix that is needed is a part of that commit but can work independently of the rest. This patch can avoid panics on the 2.6.32.y -stable kernels and is in the same spirit as mainline commits 66c46d7 gro: Reset dev pointer on reuse 6d152e2 gro: reset skb_iif on reuse which are already in -stable. For drivers using the vlan_gro_frags() interface, a packet with an invalid tci leads to GRO_DROP and napi_reuse_skb(). The skb has to be sanitized before being reused or we may send an skb with an invalid vlan_tci field up the stack where it is not expected. Signed-off-by: Benjamin Poirier Cc: Jesse Gross Acked-by: David S. Miller commit a1b4c8a58d2b14f1900861ff91b29d7724be3f18 Author: Eliad Peller Date: Thu Nov 24 18:13:56 2011 +0200 nl80211: fix MAC address validation commit e007b857e88097c96c45620bf3b04a4e309053d1 upstream. MAC addresses have a fixed length. The current policy allows passing < ETH_ALEN bytes, which might result in reading beyond the buffer. Signed-off-by: Eliad Peller Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 92afd4898af2cb25b0d99ed23ddb3ae119007e62 Author: Michael Büsch Date: Wed Nov 16 23:55:46 2011 +0100 p54spi: Fix workqueue deadlock commit 2d1618170eb493d18f66f2ac03775409a6fb97c6 upstream. priv->work must not be synced while priv->mutex is locked, because the mutex is taken in the work handler. Move cancel_work_sync down to after the device shutdown code. This is safe, because the work handler checks fw_state and bails out early in case of a race. Signed-off-by: Michael Buesch Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cd42f5dd80b534a3b61afd0e469d98602e1858d8 Author: Michael Büsch Date: Wed Nov 16 23:48:31 2011 +0100 p54spi: Add missing spin_lock_init commit 32d3a3922d617a5a685a5e2d24b20d0e88f192a9 upstream. The tx_lock is not initialized properly. Add spin_lock_init(). Signed-off-by: Michael Buesch Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5c3e9f55bbd366af73e51a12e1aa797a29532d67 Author: Hector Palacios Date: Mon Nov 14 11:15:25 2011 +0100 timekeeping: add arch_offset hook to ktime_get functions commit d004e024058a0eaca097513ce62cbcf978913e0a upstream. ktime_get and ktime_get_ts were calling timekeeping_get_ns() but later they were not calling arch_gettimeoffset() so architectures using this mechanism returned 0 ns when calling these functions. This happened for example when running Busybox's ping which calls syscall(__NR_clock_gettime, CLOCK_MONOTONIC, ts) which eventually calls ktime_get. As a result the returned ping travel time was zero. Signed-off-by: Hector Palacios Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 5b28da531873ddafa70ab7d9ef7845991270af15 Author: Trond Myklebust Date: Tue Nov 22 14:44:28 2011 +0200 SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared commit 24ca9a847791fd53d9b217330b15f3c285827a18 upstream. By returning '0' instead of 'EAGAIN' when the tests in xs_nospace() fail to find evidence of socket congestion, we are making the RPC engine believe that the message was incorrectly sent and so it disconnects the socket instead of just retrying. The bug appears to have been introduced by commit 5e3771ce2d6a69e10fcc870cdf226d121d868491 (SUNRPC: Ensure that xs_nospace return values are propagated). Reported-by: Andrew Cooper Signed-off-by: Trond Myklebust Tested-by: Andrew Cooper Signed-off-by: Greg Kroah-Hartman commit 16e43fe97575bea4191283060025d9749ca0629d Author: Tim Blechmann Date: Tue Nov 22 11:15:45 2011 +0100 ALSA: lx6464es - fix device communication via command bus commit a29878553a9a7b4c06f93c7e383527cf014d4ceb upstream. commit 6175ddf06b6172046a329e3abfd9c901a43efd2e optimized the mem*io functions that have been used to send commands to the device. these optimizations somehow corrupted the communication with the lx6464es, that resulted the device to be unusable with kernels after 2.6.33. this patch emulates the memcpy_*_io functions via a loop to avoid these problems. Signed-off-by: Tim Blechmann LKML-Reference: <4ECB5257.4040600@ladisch.de> Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b94342e75946ed88a3048602390633b9f047d5f2 Author: Will Deacon Date: Mon Nov 14 17:24:58 2011 +0100 ARM: 7161/1: errata: no automatic store buffer drain commit 11ed0ba1754841316d4095478944300acf19acc3 upstream. This patch implements a workaround for PL310 erratum 769419. On revisions of the PL310 prior to r3p2, the Store Buffer does not automatically drain. This can cause normal, non-cacheable writes to be retained when the memory system is idle, leading to suboptimal I/O performance for drivers using coherent DMA. This patch adds an optional wmb() call to the cpu_idle loop. On systems with an outer cache, this causes an explicit flush of the store buffer. Acked-by: Catalin Marinas Tested-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit f8b35bffd3cc4ffd14ab9c07909cdc45a9006776 Author: Bjorn Helgaas Date: Tue Aug 23 10:16:43 2011 -0600 PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs commit 4cac2eb158c6da0c761689345c6cc5df788a6292 upstream. Previously we claimed device ID 0x7450, regardless of the vendor, which is clearly wrong. Now we'll claim that device ID only for AMD. I suspect this was just a typo in the original code, but it's possible this change will break shpchp on non-7450 AMD bridges. If so, we'll have to fix them as we find them. Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638863 Reported-by: Ralf Jung Cc: Joerg Roedel Signed-off-by: Bjorn Helgaas Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 004e458207d8515cead324c06323a6054d3e77e2 Author: Tyler Hicks Date: Wed Nov 23 11:31:24 2011 -0600 eCryptfs: Extend array bounds for all filename chars commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream. From mhalcrow's original commit message: Characters with ASCII values greater than the size of filename_rev_map[] are valid filename characters. ecryptfs_decode_from_filename() will access kernel memory beyond that array, and ecryptfs_parse_tag_70_packet() will then decrypt those characters. The attacker, using the FNEK of the crafted file, can then re-encrypt the characters to reveal the kernel memory past the end of the filename_rev_map[] array. I expect low security impact since this array is statically allocated in the text area, and the amount of memory past the array that is accessible is limited by the largest possible ASCII filename character. This patch solves the issue reported by mhalcrow but with an implementation suggested by Linus to simply extend the length of filename_rev_map[] to 256. Characters greater than 0x7A are mapped to 0x00, which is how invalid characters less than 0x7A were previously being handled. Signed-off-by: Tyler Hicks Reported-by: Michael Halcrow Signed-off-by: Greg Kroah-Hartman commit 3724acf6680ac4233a6ce2cfbab7e71070bf93e3 Author: Jeffrey (Sheng-Hui) Chu Date: Wed Nov 23 11:33:07 2011 +0100 i2c-algo-bit: Generate correct i2c address sequence for 10-bit target commit cc6bcf7d2ec2234e7b41770185e4dc826390185e upstream. The wrong bits were put on the wire, fix that. This fixes kernel bug #42562. Signed-off-by: Sheng-Hui J. Chu Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman