Permalink
Commits on Jan 3, 2012
  1. Linux 2.6.32.52

    gregkh committed Jan 3, 2012
  2. Revert "clockevents: Set noop handler in clockevents_exchange_device()"

    commit 3b87487 upstream.
    
    This reverts commit de28f25.
    
    It results in resume problems for various people. See for example
    
      http://thread.gmane.org/gmane.linux.kernel/1233033
      http://thread.gmane.org/gmane.linux.kernel/1233389
      http://thread.gmane.org/gmane.linux.kernel/1233159
      http://thread.gmane.org/gmane.linux.kernel/1227868/focus=1230877
    
    and the fedora and ubuntu bug reports
    
      https://bugzilla.redhat.com/show_bug.cgi?id=767248
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/904569
    
    which got bisected down to the stable version of this commit.
    
    Reported-by: Jonathan Nieder <jrnieder@gmail.com>
    Reported-by: Phil Miller <mille121@illinois.edu>
    Reported-by: Philip Langdale <philipl@overt.org>
    Reported-by: Tim Gardner <tim.gardner@canonical.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    torvalds committed with gregkh Dec 30, 2011
Commits on Dec 21, 2011
  1. Linux 2.6.32.51

    gregkh committed Dec 21, 2011
  2. USB: cdc-acm: add IDs for Motorola H24 HSPA USB module.

    commit 6abff5d upstream.
    
    Add USB IDs for Motorola H24 HSPA USB module.
    
    Signed-off-by: Krzysztof Hałasa <khalasa@piap.pl>
    Acked-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Krzysztof Hałasa committed with gregkh Dec 12, 2011
  3. ext4: avoid hangs in ext4_da_should_update_i_disksize()

    commit ea51d13 upstream.
    
    If the pte mapping in generic_perform_write() is unmapped between
    iov_iter_fault_in_readable() and iov_iter_copy_from_user_atomic(), the
    "copied" parameter to ->end_write can be zero. ext4 couldn't cope with
    it with delayed allocations enabled. This skips the i_disksize
    enlargement logic if copied is zero and no new data was appeneded to
    the inode.
    
     gdb> bt
     #0  0xffffffff811afe80 in ext4_da_should_update_i_disksize (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x1\
     08000, len=0x1000, copied=0x0, page=0xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2467
     #1  ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
     xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
     #2  0xffffffff810d97f1 in generic_perform_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value o\
     ptimized out>, pos=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2440
     #3  generic_file_buffered_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value optimized out>, p\
     os=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2482
     #4  0xffffffff810db5d1 in __generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, ppos=0\
     xffff88001e26be40) at mm/filemap.c:2600
     #5  0xffffffff810db853 in generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=<value optimi\
     zed out>, pos=<value optimized out>) at mm/filemap.c:2632
     #6  0xffffffff811a71aa in ext4_file_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, pos=0x108000) a\
     t fs/ext4/file.c:136
     #7  0xffffffff811375aa in do_sync_write (filp=0xffff88003f606a80, buf=<value optimized out>, len=<value optimized out>, \
     ppos=0xffff88001e26bf48) at fs/read_write.c:406
     #8  0xffffffff81137e56 in vfs_write (file=0xffff88003f606a80, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x4\
     000, pos=0xffff88001e26bf48) at fs/read_write.c:435
     #9  0xffffffff8113816c in sys_write (fd=<value optimized out>, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x\
     4000) at fs/read_write.c:487
     #10 <signal handler called>
     #11 0x00007f120077a390 in __brk_reservation_fn_dmi_alloc__ ()
     #12 0x0000000000000000 in ?? ()
     gdb> print offset
     $22 = 0xffffffffffffffff
     gdb> print idx
     $23 = 0xffffffff
     gdb> print inode->i_blkbits
     $24 = 0xc
     gdb> up
     #1  ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
     xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
     2512                    if (ext4_da_should_update_i_disksize(page, end)) {
     gdb> print start
     $25 = 0x0
     gdb> print end
     $26 = 0xffffffffffffffff
     gdb> print pos
     $27 = 0x108000
     gdb> print new_i_size
     $28 = 0x108000
     gdb> print ((struct ext4_inode_info *)((char *)inode-((int)(&((struct ext4_inode_info *)0)->vfs_inode))))->i_disksize
     $29 = 0xd9000
     gdb> down
     2467            for (i = 0; i < idx; i++)
     gdb> print i
     $30 = 0xd44acbee
    
    This is 100% reproducible with some autonuma development code tuned in
    a very aggressive manner (not normal way even for knumad) which does
    "exotic" changes to the ptes. It wouldn't normally trigger but I don't
    see why it can't happen normally if the page is added to swap cache in
    between the two faults leading to "copied" being zero (which then
    hangs in ext4). So it should be fixed. Especially possible with lumpy
    reclaim (albeit disabled if compaction is enabled) as that would
    ignore the young bits in the ptes.
    
    Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrea Arcangeli committed with gregkh Dec 14, 2011
  4. oprofile, x86: Fix crash when unloading module (timer mode)

    Based on 97f7f81 oprofile, x86: Fix crash when unloading module (nmi timer
    mode) upstream.
    
    Fix for stable kernels v2.6.28.y to v2.6.34.y. This patch is for .32.
    
    Oprofile crashs while unlaoding modules and if in timer mode. Timer
    mode is the fallback if the architectural initialization fails. The
    pointer variable model is then used uninitialzied during exit causing
    a NULL pointer dereference.
    
    It can be triggered with kernel parameters oprofile.timer=1 nolapic
    used. Happens esp. in virtual machine environments.
    
    oprofile: using timer interrupt.
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    IP: [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
    PGD 42ac5e067 PUD 42ac5d067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP
    last sysfs file: /sys/module/oprofile/refcnt
    CPU 0
    Modules linked in: oprofile(-)
    Pid: 2245, comm: modprobe Not tainted 2.6.32.21-oprofile-x86_64-debug-00038-gf4db115 #69 Anaheim
    RIP: 0010:[<ffffffffa000251f>]  [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
    RSP: 0018:ffff88042d4f9ec8  EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffffffffa0005590 RCX: ffff88042d4f9ea8
    RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
    RBP: ffff88042d4f9ec8 R08: ffff88042d4f9ee8 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000080
    R13: 00000000fffffff5 R14: 0000000000000001 R15: 00000000006101e0
    FS:  00007fef6ac9c700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000028 CR3: 000000042ac60000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process modprobe (pid: 2245, threadinfo ffff88042d4f8000, task ffff88042cd66040)
    Stack:
     ffff88042d4f9ed8 ffffffffa0002096 ffff88042d4f9ee8 ffffffffa0003bbb
    <0> ffff88042d4f9f78 ffffffff810748ad 656c69666f72706f 00007fff77a07800
    <0> ffff88042d4f9f28 ffffffff81068414 000000000060f180 0000000000000000
    Call Trace:
     [<ffffffffa0002096>] oprofile_arch_exit+0xe/0x10 [oprofile]
     [<ffffffffa0003bbb>] oprofile_exit+0x13/0x15 [oprofile]
     [<ffffffff810748ad>] sys_delete_module+0x1cd/0x244
     [<ffffffff81068414>] ? trace_hardirqs_on_caller+0x114/0x13f
     [<ffffffff8143ad47>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff8100b13b>] system_call_fastpath+0x16/0x1b
    Code: 48 c7 c7 90 4e 00 a0 e8 e7 15 22 e1 48 c7 c7 e0 4e 00 a0 e8 bd 18 22 e1 48 c7 c7 70 4e 00 a0 e8 94 4e 41 e1 48 8b 05 d1 39 00 00 <48> 8b 40 28 48 85 c0 74 02 ff d0 c9 c3 55 48 89 e5 e8 cb 88 00
    RIP  [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
     RSP <ffff88042d4f9ec8>
    CR2: 0000000000000028
    ---[ end trace 18b12420ceb19193 ]---
    
    Signed-off-by: Robert Richter <robert.richter@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Robert Richter committed with gregkh Dec 12, 2011
  5. oprofile, x86: Fix nmi-unsafe callgraph support

    commit a0e3e70 upstream.
    
    Backport for stable kernel v2.6.32.y to v2.6.36.y.
    
    Current oprofile's x86 callgraph support may trigger page faults
    throwing the BUG_ON(in_nmi()) message below. This patch fixes this by
    using the same nmi-safe copy-from-user code as in perf.
    
    ------------[ cut here ]------------
    kernel BUG at .../arch/x86/kernel/traps.c:436!
    invalid opcode: 0000 [#1] SMP
    last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast
    CPU 5
    Modules linked in:
    
    Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim
    RIP: 0010:[<ffffffff813e8e35>]  [<ffffffff813e8e35>] do_nmi+0x22/0x1ee
    RSP: 0000:ffff88042fd47f28  EFLAGS: 00010002
    RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101
    RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58
    RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484
    R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58
    R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020
    FS:  00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310)
    Stack:
     0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000
     ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98
     0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074
    Call Trace:
     <NMI>
     [<ffffffff813e897a>] nmi+0x1a/0x20
     [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771
     <<EOE>>
    Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01
    RIP  [<ffffffff813e8e35>] do_nmi+0x22/0x1ee
     RSP <ffff88042fd47f28>
    ---[ end trace ed6752185092104b ]---
    Kernel panic - not syncing: Fatal exception in interrupt
    Pid: 8611, comm: opcontrol Tainted: G      D     2.6.39-00007-gfe47ae7 #1
    Call Trace:
     <NMI>  [<ffffffff813e5e0a>] panic+0x8c/0x188
     [<ffffffff813e915c>] oops_end+0x81/0x8e
     [<ffffffff8100403d>] die+0x55/0x5e
     [<ffffffff813e8c45>] do_trap+0x11c/0x12b
     [<ffffffff810023c8>] do_invalid_op+0x91/0x9a
     [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee
     [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95
     [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf
     [<ffffffff813ee4d5>] invalid_op+0x15/0x20
     [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee
     [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee
     [<ffffffff813e897a>] nmi+0x1a/0x20
     [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771
     <<EOE>>
    
    Cc: John Lumby <johnlumby@hotmail.com>
    Cc: Maynard Johnson <maynardj@us.ibm.com>
    Signed-off-by: Robert Richter <robert.richter@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Robert Richter committed with gregkh Dec 12, 2011
  6. export __get_user_pages_fast() function

    commit 45888a0 upstream.
    
    Backport for stable kernel v2.6.32.y to v2.6.36.y.
    
    Needed for next patch:
    
     oprofile, x86: Fix nmi-unsafe callgraph support
    
    This function is used by KVM to pin process's page in the atomic context.
    
    Define the 'weak' function to avoid other architecture not support it
    
    Acked-by: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Robert Richter <robert.richter@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Xiao Guangrong committed with gregkh Dec 12, 2011
  7. hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops

    commit 434a964 upstream.
    
    Clement Lecigne reports a filesystem which causes a kernel oops in
    hfs_find_init() trying to dereference sb->ext_tree which is NULL.
    
    This proves to be because the filesystem has a corrupted MDB extent
    record, where the extents file does not fit into the first three extents
    in the file record (the first blocks).
    
    In hfs_get_block() when looking up the blocks for the extent file
    (HFS_EXT_CNID), it fails the first blocks special case, and falls
    through to the extent code (which ultimately calls hfs_find_init())
    which is in the process of being initialised.
    
    Hfs avoids this scenario by always having the extents b-tree fitting
    into the first blocks (the extents B-tree can't have overflow extents).
    
    The fix is to check at mount time that the B-tree fits into first
    blocks, i.e.  fail if HFS_I(inode)->alloc_blocks >=
    HFS_I(inode)->first_blocks
    
    Note, the existing commit 47f365e ("hfs: fix oops on mount with
    corrupted btree extent records") becomes subsumed into this as a special
    case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
    acceptable for the catalog B-Tree file to grow beyond three extents,
    with the remaining extent descriptors in the extents overfow.
    
    This fixes CVE-2011-2203
    
    Reported-by: Clement LECIGNE <clement.lecigne@netasq.com>
    Signed-off-by: Phillip Lougher <plougher@redhat.com>
    Cc: Jeff Mahoney <jeffm@suse.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Moritz Mühlenhoff <jmm@inutil.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Phillip Lougher committed with gregkh Nov 2, 2011
  8. Make TASKSTATS require root access

    commit 1a51410 upstream.
    
    Ok, this isn't optimal, since it means that 'iotop' needs admin
    capabilities, and we may have to work on this some more.  But at the
    same time it is very much not acceptable to let anybody just read
    anybody elses IO statistics quite at this level.
    
    Use of the GENL_ADMIN_PERM suggested by Johannes Berg as an alternative
    to checking the capabilities by hand.
    
    Reported-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Johannes Berg <johannes.berg@intel.com>
    Acked-by: Balbir Singh <bsingharora@gmail.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Moritz Mühlenhoff <jmm@inutil.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    torvalds committed with gregkh Sep 20, 2011
  9. jbd/jbd2: validate sb->s_first in journal_get_superblock()

    commit 8762202 upstream.
    
    I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
    mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
    image has s_first = 0 in journal superblock, and the 0 is passed to
    journal->j_head in journal_reset(), then to blocknr in
    cleanup_journal_tail(), in the end the J_ASSERT failed.
    
    So validate s_first after reading journal superblock from disk in
    journal_get_superblock() to ensure s_first is valid.
    
    The following script could reproduce it:
    
    fstype=ext3
    blocksize=1024
    img=$fstype.img
    offset=0
    found=0
    magic="c0 3b 39 98"
    
    dd if=/dev/zero of=$img bs=1M count=8
    mkfs -t $fstype -b $blocksize -F $img
    filesize=`stat -c %s $img`
    while [ $offset -lt $filesize ]
    do
            if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
                    echo "Found journal: $offset"
                    found=1
                    break
            fi
            offset=`echo "$offset+$blocksize" | bc`
    done
    
    if [ $found -ne 1 ];then
            echo "Magic \"$magic\" not found"
            exit 1
    fi
    
    dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1
    
    mkdir -p ./mnt
    mount -o loop $img ./mnt
    
    Cc: Jan Kara <jack@suse.cz>
    Signed-off-by: Eryu Guan <guaneryu@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: Moritz Mühlenhoff <jmm@inutil.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    guaneryu committed with gregkh Nov 1, 2011
  10. linux/log2.h: Fix rounddown_pow_of_two(1)

    commit 13c07b0 upstream.
    
    Exactly like roundup_pow_of_two(1), the rounddown version was buggy for
    the case of a compile-time constant '1' argument.  Probably because it
    originated from the same code, sharing history with the roundup version
    from before the bugfix (for that one, see commit 1a06a52: "Fix
    roundup_pow_of_two(1)").
    
    However, unlike the roundup version, the fix for rounddown is to just
    remove the broken special case entirely.  It's simply not needed - the
    generic code
    
        1UL << ilog2(n)
    
    does the right thing for the constant '1' argment too.  The only reason
    roundup needed that special case was because rounding up does so by
    subtracting one from the argument (and then adding one to the result)
    causing the obvious problems with "ilog2(0)".
    
    But rounddown doesn't do any of that, since ilog2() naturally truncates
    (ie "rounds down") to the right rounded down value.  And without the
    ilog2(0) case, there's no reason for the special case that had the wrong
    value.
    
    tl;dr: rounddown_pow_of_two(1) should be 1, not 0.
    
    Acked-by: Dmitry Torokhov <dtor@vmware.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    torvalds committed with gregkh Dec 13, 2011
  11. xfrm: Fix key lengths for rfc3686(ctr(aes))

    commit 4203223 upstream.
    
    Fix the min and max bit lengths for AES-CTR (RFC3686) keys.
    The number of bits in key spec is the key length (128/256)
    plus 32 bits of nonce.
    
    This change takes care of the "Invalid key length" errors
    reported by setkey when specifying 288 bit keys for aes-ctr.
    
    Signed-off-by: Tushar Gohad <tgohad@mvista.com>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Calvin Owens <jcalvinowens@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Tushar Gohad committed with gregkh Jul 28, 2011
  12. percpu: fix chunk range calculation

    commit a855b84 upstream.
    
    Percpu allocator recorded the cpus which map to the first and last
    units in pcpu_first/last_unit_cpu respectively and used them to
    determine the address range of a chunk - e.g. it assumed that the
    first unit has the lowest address in a chunk while the last unit has
    the highest address.
    
    This simply isn't true.  Groups in a chunk can have arbitrary positive
    or negative offsets from the previous one and there is no guarantee
    that the first unit occupies the lowest offset while the last one the
    highest.
    
    Fix it by actually comparing unit offsets to determine cpus occupying
    the lowest and highest offsets.  Also, rename pcu_first/last_unit_cpu
    to pcpu_low/high_unit_cpu to avoid confusion.
    
    The chunk address range is used to flush cache on vmalloc area
    map/unmap and decide whether a given address is in the first chunk by
    per_cpu_ptr_to_phys() and the bug was discovered by invalid
    per_cpu_ptr_to_phys() translation for crash_note.
    
    Kudos to Dave Young for tracking down the problem.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: WANG Cong <xiyou.wangcong@gmail.com>
    Reported-by: Dave Young <dyoung@redhat.com>
    Tested-by: Dave Young <dyoung@redhat.com>
    LKML-Reference: <4EC21F67.10905@redhat.com>
    Signed-off-by: Thomas Renninger <trenn@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Nov 18, 2011
  13. oprofile: Fix locking dependency in sync_start()

    commit 130c5ce upstream.
    
    This fixes the A->B/B->A locking dependency, see the warning below.
    
    The function task_exit_notify() is called with (task_exit_notifier)
    .rwsem set and then calls sync_buffer() which locks buffer_mutex. In
    sync_start() the buffer_mutex was set to prevent notifier functions to
    be started before sync_start() is finished. But when registering the
    notifier, (task_exit_notifier).rwsem is locked too, but now in
    different order than in sync_buffer(). In theory this causes a locking
    dependency, what does not occur in practice since task_exit_notify()
    is always called after the notifier is registered which means the lock
    is already released.
    
    However, after checking the notifier functions it turned out the
    buffer_mutex in sync_start() is unnecessary. This is because
    sync_buffer() may be called from the notifiers even if sync_start()
    did not finish yet, the buffers are already allocated but empty. No
    need to protect this with the mutex.
    
    So we fix this theoretical locking dependency by removing buffer_mutex
    in sync_start(). This is similar to the implementation before commit:
    
     750d857 oprofile: fix crash when accessing freed task structs
    
    which introduced the locking dependency.
    
    Lockdep warning:
    
    oprofiled/4447 is trying to acquire lock:
     (buffer_mutex){+.+...}, at: [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile]
    
    but task is already holding lock:
     ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #1 ((task_exit_notifier).rwsem){++++..}:
           [<ffffffff8106557f>] lock_acquire+0xf8/0x11e
           [<ffffffff81463a2b>] down_write+0x44/0x67
           [<ffffffff810581c0>] blocking_notifier_chain_register+0x52/0x8b
           [<ffffffff8105a6ac>] profile_event_register+0x2d/0x2f
           [<ffffffffa00013c1>] sync_start+0x47/0xc6 [oprofile]
           [<ffffffffa00001bb>] oprofile_setup+0x60/0xa5 [oprofile]
           [<ffffffffa00014e3>] event_buffer_open+0x59/0x8c [oprofile]
           [<ffffffff810cd3b9>] __dentry_open+0x1eb/0x308
           [<ffffffff810cd59d>] nameidata_to_filp+0x60/0x67
           [<ffffffff810daad6>] do_last+0x5be/0x6b2
           [<ffffffff810dbc33>] path_openat+0xc7/0x360
           [<ffffffff810dbfc5>] do_filp_open+0x3d/0x8c
           [<ffffffff810ccfd2>] do_sys_open+0x110/0x1a9
           [<ffffffff810cd09e>] sys_open+0x20/0x22
           [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b
    
    -> #0 (buffer_mutex){+.+...}:
           [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711
           [<ffffffff8106557f>] lock_acquire+0xf8/0x11e
           [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309
           [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile]
           [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile]
           [<ffffffff81467b96>] notifier_call_chain+0x37/0x63
           [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67
           [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16
           [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c
           [<ffffffff81039e8f>] do_exit+0x2a/0x6fc
           [<ffffffff8103a5e4>] do_group_exit+0x83/0xae
           [<ffffffff8103a626>] sys_exit_group+0x17/0x1b
           [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b
    
    other info that might help us debug this:
    
    1 lock held by oprofiled/4447:
     #0:  ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67
    
    stack backtrace:
    Pid: 4447, comm: oprofiled Not tainted 2.6.39-00007-gcf4d8d4 #10
    Call Trace:
     [<ffffffff81063193>] print_circular_bug+0xae/0xbc
     [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711
     [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
     [<ffffffff8106557f>] lock_acquire+0xf8/0x11e
     [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
     [<ffffffff81062627>] ? mark_lock+0x42f/0x552
     [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
     [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309
     [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
     [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile]
     [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67
     [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67
     [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile]
     [<ffffffff81467b96>] notifier_call_chain+0x37/0x63
     [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67
     [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16
     [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c
     [<ffffffff81039e8f>] do_exit+0x2a/0x6fc
     [<ffffffff81465031>] ? retint_swapgs+0xe/0x13
     [<ffffffff8103a5e4>] do_group_exit+0x83/0xae
     [<ffffffff8103a626>] sys_exit_group+0x17/0x1b
     [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b
    
    Reported-by: Marcin Slusarz <marcin.slusarz@gmail.com>
    Cc: Carl Love <carll@us.ibm.com>
    Signed-off-by: Robert Richter <robert.richter@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Robert Richter committed with gregkh Dec 7, 2011
  14. oprofile: Free potentially owned tasks in case of errors

    commit 6ac6519 upstream.
    
    After registering the task free notifier we possibly have tasks in our
    dying_tasks list. Free them after unregistering the notifier in case
    of an error.
    
    Signed-off-by: Robert Richter <robert.richter@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Robert Richter committed with gregkh Dec 7, 2011
  15. ARM: davinci: dm646x evm: wrong register used in setup_vpif_input_cha…

    …nnel_mode
    
    commit 83713fc upstream.
    
    The function setup_vpif_input_channel_mode() used the VSCLKDIS register
    instead of VIDCLKCTL. This meant that when in HD mode videoport channel 0
    used a different clock from channel 1.
    
    Clearly a copy-and-paste error.
    
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Acked-by: Manjunath Hadli <manjunath.hadli@ti.com>
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hans Verkuil committed with gregkh Nov 14, 2011
  16. ALSA: hda/realtek - Fix Oops in alc_mux_select()

    commit cce4aa3 upstream.
    
    When no imux is available (e.g. a single capture source),
    alc_auto_init_input_src() may trigger an Oops due to the access to -1.
    Add a proper zero-check to avoid it.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    tiwai committed with gregkh Dec 2, 2011
  17. ALSA: sis7019 - give slow codecs more time to reset

    commit fc084e0 upstream.
    
    There are some AC97 codec and board combinations that have been observed
    to take a very long time to respond after the cold reset has completed.
    In one case, more than 350 ms was required. To allow users to have sound
    on those platforms, we'll wait up to 500ms for the codec to become
    ready.
    
    As a board may have multiple codecs, with some faster than others to
    reset, we add a module parameter to inform the driver which codecs
    should be present.
    
    Reported-by: KotCzarny <tjosko@yahoo.com>
    Signed-off-by: David Dillow <dave@thedillows.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dillow committed with gregkh Dec 2, 2011
Commits on Dec 9, 2011
  1. Linux 2.6.32.50

    gregkh committed Dec 9, 2011
  2. clockevents: Set noop handler in clockevents_exchange_device()

    commit de28f25 upstream.
    
    If a device is shutdown, then there might be a pending interrupt,
    which will be processed after we reenable interrupts, which causes the
    original handler to be run. If the old handler is the (broadcast)
    periodic handler the shutdown state might hang the kernel completely.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Dec 2, 2011
  3. tick-broadcast: Stop active broadcast device when replacing it

    commit c1be843 upstream.
    
    When a better rated broadcast device is installed, then the current
    active device is not disabled, which results in two running broadcast
    devices.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Dec 2, 2011
  4. genirq: Fix race condition when stopping the irq thread

    commit 550acb1 upstream.
    
    In irq_wait_for_interrupt(), the should_stop member is verified before
    setting the task's state to TASK_INTERRUPTIBLE and calling schedule().
    In case kthread_stop sets should_stop and wakes up the process after
    should_stop is checked by the irq thread but before the task's state
    is changed, the irq thread might never exit:
    
    kthread_stop                    irq_wait_for_interrupt
    ------------                    ----------------------
    
                                     ...
    ...                              while (!kthread_should_stop()) {
    kthread->should_stop = 1;
    wake_up_process(k);
    wait_for_completion(&kthread->exited);
    ...
                                         set_current_state(TASK_INTERRUPTIBLE);
    
                                         ...
    
                                         schedule();
                                     }
    
    Fix this by checking if the thread should stop after modifying the
    task's state.
    
    [ tglx: Simplified it a bit ]
    
    Signed-off-by: Ido Yariv <ido@wizery.com>
    Link: http://lkml.kernel.org/r/1322740508-22640-1-git-send-email-ido@wizery.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    codido committed with gregkh Dec 1, 2011
  5. oprofile, x86: Fix crash when unloading module (nmi timer mode)

    commit 97f7f81 upstream.
    
    If oprofile uses the nmi timer interrupt there is a crash while
    unloading the module. The bug can be triggered with oprofile build as
    module and kernel parameter nolapic set. This patch fixes this.
    
    oprofile: using NMI timer interrupt.
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    IP: [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
    PGD 42dbca067 PUD 41da6a067 PMD 0
    Oops: 0002 [#1] PREEMPT SMP
    CPU 5
    Modules linked in: oprofile(-) [last unloaded: oprofile]
    
    Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim
    RIP: 0010:[<ffffffff8123c226>]  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
    RSP: 0018:ffff88041ef71e98  EFLAGS: 00010296
    RAX: 0000000000000000 RBX: ffffffffa0017100 RCX: dead000000200200
    RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620
    RBP: ffff88041ef71ea8 R08: 0000000000000001 R09: 0000000000000082
    R10: 0000000000000000 R11: ffff88041ef71de8 R12: 0000000000000080
    R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210
    FS:  00007fc902f20700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000008 CR3: 000000041cdb6000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process modprobe (pid: 2518, threadinfo ffff88041ef70000, task ffff88041d348040)
    Stack:
     ffff88041ef71eb8 ffffffffa0017790 ffff88041ef71eb8 ffffffffa0013532
     ffff88041ef71ec8 ffffffffa00132d6 ffff88041ef71ed8 ffffffffa00159b2
     ffff88041ef71f78 ffffffff81073115 656c69666f72706f 0000000000610200
    Call Trace:
     [<ffffffffa0013532>] op_nmi_exit+0x15/0x17 [oprofile]
     [<ffffffffa00132d6>] oprofile_arch_exit+0xe/0x10 [oprofile]
     [<ffffffffa00159b2>] oprofile_exit+0x1e/0x20 [oprofile]
     [<ffffffff81073115>] sys_delete_module+0x1c3/0x22f
     [<ffffffff811bf09e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff8148070b>] system_call_fastpath+0x16/0x1b
    Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81
     89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b
    RIP  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
     RSP <ffff88041ef71e98>
    CR2: 0000000000000008
    ---[ end trace 43a541a52956b7b0 ]---
    
    Signed-off-by: Robert Richter <robert.richter@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Robert Richter committed with gregkh Oct 10, 2011
  6. x86/mpparse: Account for bus types other than ISA and PCI

    commit 9e68666 upstream.
    
    In commit f8924e7 ("x86: unify mp_bus_info"), the 32-bit
    and 64-bit versions of MP_bus_info were rearranged to match each
    other better.  Unfortunately it introduced a regression: prior
    to that change we used to always set the mp_bus_not_pci bit,
    then clear it if we found a PCI bus.  After it, we set
    mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave
    it alone otherwise.
    
    In the cases of ISA and PCI, there's not much difference.  But
    ISA is not the only non-PCI bus, so it's better to always set
    mp_bus_not_pci and clear it only for PCI.
    
    Without this change, Dan's Dell PowerEdge 4200 panics on boot
    with a log indicating interrupt routing trouble unless the
    "noapic" option is supplied.  With this change, the machine
    boots reliably without "noapic".
    
    Fixes http://bugs.debian.org/586494
    
    Reported-bisected-and-tested-by: Dan McGrath <troubledaemon@gmail.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: Dan McGrath <troubledaemon@gmail.com>
    Cc: Alexey Starikovskiy <aystarik@gmail.com>
    [jrnieder@gmail.com: clarified commit message]
    Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
    Link: http://lkml.kernel.org/r/20111122215000.GA9151@elie.hsd1.il.comcast.net
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    bjorn-helgaas committed with gregkh Sep 25, 2011
  7. sched, x86: Avoid unnecessary overflow in sched_clock

    commit 4cecf6d upstream.
    
    (Added the missing signed-off-by line)
    
    In hundreds of days, the __cycles_2_ns calculation in sched_clock
    has an overflow.  cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing
    the final value to become zero.  We can solve this without losing
    any precision.
    
    We can decompose TSC into quotient and remainder of division by the
    scale factor, and then use this to convert TSC into nanoseconds.
    
    Signed-off-by: Salman Qazi <sqazi@google.com>
    Acked-by: John Stultz <johnstul@us.ibm.com>
    Reviewed-by: Paul Turner <pjt@google.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/20111115221121.7262.88871.stgit@dungbeetle.mtv.corp.google.com
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    sqazi committed with gregkh Nov 15, 2011
  8. cifs: fix cifs stable patch cifs-fix-oplock-break-handling-try-2.patch

    The stable release 2.6.32.32 added the upstream commit
    12fed00. However, one of the hunks of
    the original patch seems missing from the stable backport which can be
    found here:
       http://permalink.gmane.org/gmane.linux.kernel.stable/5676
    
    This hunk corresponds to the change in is_valid_oplock_break() at
    fs/cifs/misc.c.
    
    This patch backports the missing hunk and is against
    linux-2.6.32.y stable kernel.
    
    
    Cc: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
    Signed-off-by: Suresh Jayaraman <sjayaraman@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Suresh Jayaraman committed with gregkh Dec 2, 2011
  9. SCSI: Silencing 'killing requests for dead queue'

    commit 7457181 upstream.
    
    When we tear down a device we try to flush all outstanding
    commands in scsi_free_queue(). However the check in
    scsi_request_fn() is imperfect as it only signals that
    we _might start_ aborting commands, not that we've actually
    aborted some.
    So move the printk inside the scsi_kill_request function,
    this will also give us a hint about which commands are aborted.
    
    Signed-off-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    hreinecke committed with gregkh Nov 9, 2011
  10. SCSI: scsi_lib: fix potential NULL dereference

    commit 03b1470 upstream.
    
    Stanse found a potential NULL dereference in scsi_kill_request.
    
    Instead of triggering BUG() in 'if (unlikely(cmd == NULL))' branch,
    the kernel will Oops earlier on cmd dereference.
    
    Move the dereferences after the if.
    
    Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jirislaby committed with gregkh Sep 23, 2009
  11. USB: usb-storage: unusual_devs entry for Kingston DT 101 G2

    commit cec28a5 upstream.
    
    Kingston DT 101 G2 replies a wrong tag while transporting, add an
    unusal_devs entry to ignore the tag validation.
    
    Signed-off-by: Qinglin Ye <yestyle@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    yestyle committed with gregkh Nov 23, 2011
  12. usb: option: add SIMCom SIM5218

    commit ec0cd94 upstream.
    
    Tested with SIM5218EVB-KIT evaluation kit.
    
    Signed-off-by: Veli-Pekka Peltola <veli-pekka.peltola@bluegiga.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Veli-Pekka Peltola committed with gregkh Nov 24, 2011
  13. usb: ftdi_sio: add PID for Propox ISPcable III

    commit 307369b upstream.
    
    Signed-off-by: Marcin Kościelnicki <koriakin@0x04.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    koriakin committed with gregkh Nov 30, 2011
  14. USB: whci-hcd: fix endian conversion in qset_clear()

    commit 8746c83 upstream.
    
    qset->qh.link is an __le64 field and we should be using cpu_to_le64()
    to fill it.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Dan Carpenter committed with gregkh Nov 22, 2011
  15. Staging: comedi: fix signal handling in read and write

    commit 6a9ce6b upstream.
    
    After sleeping on a wait queue, signal_pending(current) should be
    checked (not before sleeping).
    
    Acked-by: Alessandro Rubini <rubini@gnudd.com>
    Signed-off-by: Federico Vaga <federico.vaga@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    FedericoVaga committed with gregkh Oct 29, 2011
  16. staging: comedi: fix oops for USB DAQ devices.

    commit 3ffab42 upstream.
    
    This fixes kernel oops when an USB DAQ device is plugged out while it's
    communicating with the userspace software.
    
    Signed-off-by: Bernd Porr <berndporr@f2s.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Bernd Porr committed with gregkh Nov 8, 2011