Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Tag: v2.6.31.4
Commits on Oct 12, 2009
  1. @gregkh


    gregkh authored
  2. @shlusiak @gregkh

    sit: fix off-by-one in ipip6_tunnel_get_prl

    shlusiak authored gregkh committed
    [ Upstream commit 298bf12 ]
    When requesting all prl entries (kprl.addr == INADDR_ANY) and there are
    more prl entries than there is space passed from userspace, the existing
    code would always copy cmax+1 entries, which is more than can be handled.
    This patch makes the kernel copy only exactly cmax entries.
    Signed-off-by: Sascha Hlusiak <>
    Acked-By: Fred L. Templin <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    ax25: Fix SIOCAX25GETINFO ioctl

    Eric Dumazet authored gregkh committed
    [ Upstream commit 407fc5c ]
    rcv_q & snd_q initializations were reversed in commit
    (net: correct off-by-one write allocations reports)
    Signed-off-by: Jan Rafaj <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @gregkh

    ax25: Fix possible oops in ax25_make_new

    Jarek Poplawski authored gregkh committed
    [ Upstream commit 8c185ab ]
    In ax25_make_new, if kmemdup of digipeat returns an error, there would
    be an oops in sk_free while calling sk_destruct, because sk_protinfo
    is NULL at the moment; move sk->sk_destruct initialization after this.
    BTW of reported-by: Bernard Pidoux F6BVP <>
    Signed-off-by: Jarek Poplawski <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @gregkh

    appletalk: Fix skb leak when ipddp interface is not loaded

    Arnaldo Carvalho de Melo authored gregkh committed
    [ Upstream commit ffcfb8d ]
    And also do a better job of returning proper NET_{RX,XMIT}_ values.
    Based on a patch by Mark Smith.
    This fixes CVE-2009-2903
    Reported-by: Mark Smith <>
    Signed-off-by: Arnaldo Carvalho de Melo <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @mikemccormack @gregkh

    sky2: Set SKY2_HW_RAM_BUFFER in sky2_init

    mikemccormack authored gregkh committed
    [ Upstream commit 74a61eb ]
    The SKY2_HW_RAM_BUFFER bit in hw->flags was checked in sky2_mac_init(),
     before being set later in sky2_up().
    Setting SKY2_HW_RAM_BUFFER in sky2_init() where other hw->flags are set
     should avoid this problem recurring.
    Signed-off-by: Mike McCormack <>
    Acked-by: Stephen Hemminger <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @gregkh

    smsc95xx: fix transmission where ZLP is expected

    Steve Glendinning authored gregkh committed
    [ Upstream commit ec47562 ]
    Usbnet framework assumes USB hardware doesn't handle zero length
    packets, but SMSC LAN95xx requires these to be sent for correct
    This patch fixes an easily reproducible tx lockup when sending a frame
    that results in exactly 512 bytes in a USB transmission (e.g. a UDP
    frame with 458 data bytes, due to IP headers and our USB headers).  It
    adds an extra flag to usbnet for the hardware driver to indicate that
    it can handle and requires the zero length packets.
    This patch should not affect other usbnet users, please also consider
    for -stable.
    Signed-off-by: Steve Glendinning <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @gregkh

    net: Fix sock_wfree() race

    Eric Dumazet authored gregkh committed
    [ Upstream commit d99927f ]
    Commit 2b85a34
    (net: No more expensive sock_hold()/sock_put() on each tx)
    opens a window in sock_wfree() where another cpu
    might free the socket we are working on.
    A fix is to call sk->sk_write_space(sk) while still
    holding a reference on sk.
    Reported-by: Jike Song <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @gregkh


    Robert Varga authored gregkh committed
    [ Upstream commit 657e964 ]
    I have recently came across a preemption imbalance detected by:
    <4>huh, entered ffffffff80644630 with preempt_count 00000102, exited with 00000101?
    <0>------------[ cut here ]------------
    <2>kernel BUG at /usr/src/linux/kernel/timer.c:664!
    <0>invalid opcode: 0000 [1] PREEMPT SMP
    with ffffffff80644630 being inet_twdr_hangman().
    This appeared after I enabled CONFIG_TCP_MD5SIG and played with it a
    bit, so I looked at what might have caused it.
    One thing that struck me as strange is tcp_twsk_destructor(), as it
    calls tcp_put_md5sig_pool() -- which entails a put_cpu(), causing the
    detected imbalance. Found on, but 2.6.31 is affected as well,
    as far as I can tell.
    Signed-off-by: Robert Varga <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @gregkh

    tun: Return -EINVAL if neither IFF_TUN nor IFF_TAP is set.

    Kusanagi Kouichi authored gregkh committed
    [ Upstream commit 36989b9 ]
    After commit 2b980db
    ("lsm: Add hooks to the TUN driver") tun_set_iff doesn't
    return -EINVAL though neither IFF_TUN nor IFF_TAP is set.
    Signed-off-by: Kusanagi Kouichi <>
    Reviewed-by: Paul Moore <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @gregkh

    net: unix: fix sending fds in multiple buffers

    Miklos Szeredi authored gregkh committed
    [ Upstream commit 8ba69ba ]
    Kalle Olavi Niemitalo reported that:
      "..., when one process calls sendmsg once to send 43804 bytes of
      data and one file descriptor, and another process then calls recvmsg
      three times to receive the 16032+16032+11740 bytes, each of those
      recvmsg calls returns the file descriptor in the ancillary data.  I
      confirmed this with strace.  The behaviour differs from Linux
      2.6.26, where reportedly only one of those recvmsg calls (I think
      the first one) returned the file descriptor."
    This bug was introduced by a patch from me titled "net: unix: fix inflight
    counting bug in garbage collector", commit 6209344.
    And the reason is, quoting Kalle:
      "Before your patch, unix_attach_fds() would set scm->fp = NULL, so
      that if the loop in unix_stream_sendmsg() ran multiple iterations,
      it could not call unix_attach_fds() again.  But now,
      unix_attach_fds() leaves scm->fp unchanged, and I think this causes
      it to be called multiple times and duplicate the same file
      descriptors to each struct sk_buff."
    Fix this by introducing a flag that is cleared at the start and set
    when the fds attached to the first buffer.  The resulting code should
    work equivalently to the one on 2.6.26.
    Reported-by: Kalle Olavi Niemitalo <>
    Signed-off-by: Miklos Szeredi <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @gregkh

    net: restore tx timestamping for accelerated vlans

    Eric Dumazet authored gregkh committed
    [ Upstream commit 81bbb3d ]
    Since commit 9b22ea5
    ( net: fix packet socket delivery in rx irq handler )
    We lost rx timestamping of packets received on accelerated vlans.
    Effect is that tcpdump on real dev can show strange timings, since it gets rx timestamps
    too late (ie at skb dequeueing time, not at skb queueing time)
    14:47:26.986871 IP > icmp 64: echo request seq 1
    14:47:26.986786 IP > icmp 64: echo reply seq 1
    14:47:27.986888 IP > icmp 64: echo request seq 2
    14:47:27.986781 IP > icmp 64: echo reply seq 2
    14:47:28.986896 IP > icmp 64: echo request seq 3
    14:47:28.986780 IP > icmp 64: echo reply seq 3
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @yakuizhao @gregkh

    ACPI: fix Compaq Evo N800c (Pentium 4m) boot hang regression

    yakuizhao authored gregkh committed
    commit 3e2ada5 upstream.
    Don't disable ARB_DISABLE when the familary ID is 0x0F.
    This was a 2.6.31 regression, and so this patch
    needs to be applied to 2.6.31.stable
    Signed-off-by: Zhao Yakui <>
    Signed-off-by: Len Brown <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @jdelvare @gregkh

    ACPI: Clarify resource conflict message

    jdelvare authored gregkh committed
    commit 14f0334 upstream.
    The message "ACPI: Device needs an ACPI driver" is misleading. The
    device _may_ need an ACPI driver, if the BIOS implemented a custom
    API for the device in question (which, AFAIK, can't be checked.) If
    not, then either a generic ACPI driver may be used (for example
    "thermal"), or nothing can be done (other than a white list).
    I propose to reword the message to:
    ACPI: If an ACPI driver is available for this device, you should use
    it instead of the native driver
    which I think is more correct. Comments and suggestions welcome.
    I also added a message warning about possible problems and system
    instability when users pass acpi_enforce_resources=lax, as suggested
    by Len.
    Signed-off-by: Jean Delvare <>
    Cc: Thomas Renninger <>
    Cc: Alan Jenkins <>
    Signed-off-by: Len Brown <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @gregkh

    IMA: open new file for read

    Mimi Zohar authored gregkh committed
    commit 6c1488f upstream.
    When creating a new file, ima_path_check() assumed the new file
    was being opened for write. Call ima_path_check() with the
    appropriate acc_mode so that the read/write counters are
    incremented correctly.
    Signed-off-by: Mimi Zohar <>
    Signed-off-by: James Morris <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @gregkh

    PIT fixes to unbreak suspend/resume (bug #14222)

    john stultz authored gregkh committed
    Resolved differently upstream in commit 8cab02d
    Ondrej Zary reported a suspend/resume hang with 2.6.31 in bug #14222.
    The hang was bisected to c712184
    however, that was really just the last straw that caused the issue.
    The problem was that on suspend, the PIT is removed as a clocksource,
    and was using the mult value essentially as a is_enabled() flag. The
    mult adjustments done in the commit above caused that usage to break,
    causing bad list manipulation and the oops.
    Further, on resume, the PIT clocksource is never restored, causing the
    system to run in a degraded mode with jiffies as the clocksource.
    This issue has since been resolved in 2.6.32-rc by commit
    8cab02d which removes the clocksource
    disabling on suspend. Testing shows no issues there.
    So the following patch rectifies the situation for 2.6.31 users of the
    PIT clocksource that use suspend and resume (which is probably not that
    Many thanks to Ondrej for helping narrow down what was happening, what
    caused it, and verifying the fix.
    Avoid using the unprotected clocksource.mult value as an "is_registered"
    flag, instead us an explicit flag variable. This avoids possible list
    corruption if the clocksource is double-unregistered.
    Also re-register the PIT clocksource on resume so folks don't have to
    use jiffies after suspend.
    Signed-off-by: John Stultz <>
    Signed-off-by: Greg Kroah-Hartman <>
  17. @bzolnier @gregkh

    sis5513: fix PIO setup for ATAPI devices

    bzolnier authored gregkh committed
    commit e13ee54 upstream.
    Clear prefetch setting before potentially (re-)enabling it in
    config_drive_art_rwp() so the transition of the device type on
    the port from ATA to ATAPI (i.e. during warm-plug operation)
    is handled correctly.
    This is a really old bug (it probably goes back to very early
    days of the driver) but it was only affecting warm-plug operation
    until the recent "ide: try to use PIO Mode 0 during probe if
    possible" change (commit 6029336).
    Signed-off-by: Bartlomiej Zolnierkiewicz <>
    Tested-by: David Fries <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @gregkh

    mm: add_to_swap_cache() must not sleep

    Daisuke Nishimura authored gregkh committed
    commit 31a5639 upstream.
    After commit 355cfa7 ("mm: modify swap_map and add SWAP_HAS_CACHE flag"),
    read_swap_cache_async() will busy-wait while a entry doesn't exist in swap
    cache but it has SWAP_HAS_CACHE flag.
    Such entries can exist on add/delete path of swap cache.  On add path,
    add_to_swap_cache() is called soon after SWAP_HAS_CACHE flag is set, and
    on delete path, swapcache_free() will be called (SWAP_HAS_CACHE flag is
    cleared) soon after __delete_from_swap_cache() is called.  So, the
    busy-wait works well in most cases.
    But this mechanism can cause soft lockup if add_to_swap_cache() sleeps and
    read_swap_cache_async() tries to swap-in the same entry on the same cpu.
    This patch calls radix_tree_preload() before swapcache_prepare() and
    divides add_to_swap_cache() into two part: radix_tree_preload() part and
    radix_tree_insert() part(define it as __add_to_swap_cache()).
    Signed-off-by: Daisuke Nishimura <>
    Cc: KAMEZAWA Hiroyuki <>
    Cc: Balbir Singh <>
    Cc: Hugh Dickins <>
    Cc: Johannes Weiner <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @gregkh

    net: Fix wrong sizeof

    Jean Delvare authored gregkh committed
    commit b607bd9 upstream.
    Which is why I have always preferred sizeof(struct foo) over
    Signed-off-by: Jean Delvare <>
    Acked-by: Randy Dunlap <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @gregkh

    KVM: SVM: Handle tsc in svm_get_msr/svm_set_msr correctly

    Joerg Roedel authored gregkh committed
    commit 20824f3 upstream.
    When running nested we need to touch the l1 guests
    tsc_offset. Otherwise changes will be lost or a wrong value
    be read.
    Signed-off-by: Joerg Roedel <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @gregkh

    KVM: SVM: Fix tsc offset adjustment when running nested

    Joerg Roedel authored gregkh committed
    commit 77b1ab1 upstream.
    When svm_vcpu_load is called while the vcpu is running in
    guest mode the tsc adjustment made there is lost on the next
    emulated #vmexit. This causes the tsc running backwards in
    the guest. This patch fixes the issue by also adjusting the
    tsc_offset in the emulated hsave area so that it will not
    get lost.
    Signed-off-by: Joerg Roedel <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @aurel32 @gregkh

    KVM: fix LAPIC timer period overflow

    aurel32 authored gregkh committed
    commit b2d83cf upstream.
    Don't overflow when computing the 64-bit period from 32-bit registers.
    Fixes sourceforge bug #2826486.
    Signed-off-by: Aurelien Jarno <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @gregkh

    KVM: VMX: flush TLB with INVEPT on cpu migration

    Marcelo Tosatti authored gregkh committed
    commit eb5109e upstream.
    It is possible that stale EPTP-tagged mappings are used, if a
    vcpu migrates to a different pcpu.
    Set KVM_REQ_TLB_FLUSH in vmx_vcpu_load, when switching pcpus, which
    will invalidate both VPID and EPT mappings on the next vm-entry.
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @gregkh

    KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID

    Avi Kivity authored gregkh committed
    commit 6a54435 upstream.
    The number of entries is multiplied by the entry size, which can
    overflow on 32-bit hosts.  Bound the entry count instead.
    Reported-by: David Wagner <>
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @broonie @gregkh

    ASoC: WM8350 capture PGA mutes are inverted

    broonie authored gregkh committed
    commit 5b7dde3 upstream.
    Signed-off-by: Mark Brown <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @cladisch @gregkh

    sound: via82xx: move DXS volume controls to PCM interface

    cladisch authored gregkh committed
    commit 2fb930b upstream.
    The "VIA DXS" controls are actually volume controls that apply to the
    four PCM substreams, so we better indicate this connection by moving the
    controls to the PCM interface.
    Commit b452e08 in 2.6.30 broke the
    restoring of these volumes by "alsactl restore" that most distributions
    use; the renaming in this patch cures that regression by preventing
    alsactl from applying the old, wrong volume levels to the new controls.
    Signed-off-by: Clemens Ladisch <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @gregkh

    libata: fix incorrect link online check during probe

    Tejun Heo authored gregkh committed
    commit 3b761d3 upstream.
    While trying to work around spurious detection retries for
    non-existent devices on slave links, commit
    816ab89 incorrectly added link
    offline check logic before ata_eh_thaw() was called.  This means that
    if an occupied link goes down briefly at the time that offline check
    was performed, device class will be cleared to ATA_DEV_NONE and libata
    wouldn't retry thus failing detection of the device.
    The offline check should be done after the port is thawed together
    with online check so that such link glitches can be detected by the
    interrupt handler and handled properly.
    Signed-off-by: Tejun Heo <>
    Reported-by: Tim Blechmann <>
    Signed-off-by: Jeff Garzik <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @gregkh

    ima: ecryptfs fix imbalance message

    Mimi Zohar authored gregkh committed
    commit 36520be upstream.
    The unencrypted files are being measured.  Update the counters to get
    rid of the ecryptfs imbalance message. (
    Reported-by: Sachin Garg
    Cc: Eric Paris <>
    Cc: Dustin Kirkland <>
    Cc: James Morris <>
    Cc: David Safford <>
    Signed-off-by: Mimi Zohar <>
    Signed-off-by: Tyler Hicks <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @gregkh

    NOHZ: update idle state also when NOHZ is inactive

    Eero Nurkkala authored gregkh committed
    commit fdc6f19 upstream.
    Commit f2e21c9 had unfortunate side
    effects with cpufreq governors on some systems.
    If the system did not switch into NOHZ mode ts->inidle is not set when
    tick_nohz_stop_sched_tick() is called from the idle routine. Therefor
    all subsequent calls from irq_exit() to tick_nohz_stop_sched_tick()
    fail to call tick_nohz_start_idle(). This results in bogus idle
    accounting information which is passed to cpufreq governors.
    Set the inidle flag unconditionally of the NOHZ active state to keep
    the idle time accounting correct in any case.
    [ tglx: Added comment and tweaked the changelog ]
    Reported-by: Steven Noonan <>
    Signed-off-by: Eero Nurkkala <>
    Cc: Rik van Riel <>
    Cc: Venkatesh Pallipadi <>
    Cc: Steven Noonan <>
    LKML-Reference: <1254907901.30157.93.camel@eenurkka-desktop>
    Signed-off-by: Thomas Gleixner <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @gregkh

    futex: Fix locking imbalance

    Thomas Gleixner authored gregkh committed
    commit eaaea80 upstream.
    Rich reported a lock imbalance in the futex code:
    It's caused by the displacement of the retry_private label in
    futex_wake_op(). The code unlocks the hash bucket locks in the
    error handling path and retries without locking them again which
    makes the next unlock fail.
    Move retry_private so we lock the hash bucket locks when we retry.
    Reported-by: Rich Ercolany <>
    Signed-off-by: Thomas Gleixner <>
    Cc: Peter Zijlstra <>
    Cc: Darren Hart <>
    LKML-Reference: <new-submission>
    Signed-off-by: Ingo Molnar <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @gregkh

    futex: Nullify robust lists after cleanup

    Peter Zijlstra authored gregkh committed
    commit fc6b177 upstream.
    The robust list pointers of user space held futexes are kept intact
    over an exec() call. When the exec'ed task exits exit_robust_list() is
    called with the stale pointer. The risk of corruption is minimal, but
    still it is incorrect to keep the pointers valid. Actually glibc
    should uninstall the robust list before calling exec() but we have to
    deal with it anyway.
    Nullify the pointers after [compat_]exit_robust_list() has been
    Reported-by: Anirban Sinha <>
    Signed-off-by: Peter Zijlstra <>
    Signed-off-by: Thomas Gleixner <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @gregkh

    futex: Move exit_pi_state() call to release_mm()

    Thomas Gleixner authored gregkh committed
    commit 322a2c1 upstream.
    exit_pi_state() is called from do_exit() but not from do_execve().
    Move it to release_mm() so it gets called from do_execve() as well.
    Signed-off-by: Thomas Gleixner <>
    LKML-Reference: <new-submission>
    Cc: Anirban Sinha <>
    Cc: Peter Zijlstra <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @gregkh

    futex: fix requeue_pi key imbalance

    Darren Hart authored gregkh committed
    commit da08568 upstream.
    If futex_wait_requeue_pi() wakes prior to requeue, we drop the
    reference to the source futex_key twice, once in
    handle_early_requeue_pi_wakeup() and once on our way out.
    Remove the drop from the handle_early_requeue_pi_wakeup() and keep
    the get/drops together in futex_wait_requeue_pi().
    Reported-by: Helge Bahmann <>
    Signed-off-by: Darren Hart <>
    Cc: Helge Bahmann <>
    Cc: Peter Zijlstra <>
    Cc: Eric Dumazet <>
    Cc: Dinakar Guniguntala <>
    Cc: John Stultz <>
    LKML-Reference: <>
    Signed-off-by: Thomas Gleixner <>
    Signed-off-by: Greg Kroah-Hartman <>
  34. @gregkh

    ftrace: check for failure for all conversions

    Steven Rostedt authored gregkh committed
    commit 3279ba3 upstream.
    Due to legacy code from back when the dynamic tracer used a daemon,
    only core kernel code was checking for failures. This is no longer
    the case. We must check for failures any time we perform text modifications.
    Signed-off-by: Steven Rostedt <>
    Signed-off-by: Greg Kroah-Hartman <>
  35. @gregkh

    tracing: correct module boundaries for ftrace_release authored gregkh committed
    commit e7247a1 upstream.
    When the module is about the unload we release its call records.
    The ftrace_release function was given wrong values representing
    the module core boundaries, thus not releasing its call records.
    Plus making ftrace_release function module specific.
    Signed-off-by: Jiri Olsa <>
    LKML-Reference: <>
    Signed-off-by: Steven Rostedt <>
    Signed-off-by: Greg Kroah-Hartman <>
Something went wrong with that request. Please try again.