Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Commits on Dec 14, 2010
  1. Release 2.6.35.10

    Andi Kleen authored Andi Kleen committed
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  2. Fix pktcdvd ioctl dev_minor range check

    Dan Rosenberg authored Andi Kleen committed
    Upstream 252a52a
    
    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
    pktcdvd_device from the global pkt_devs array.  The index into this
    array is provided directly by the user and is a signed integer, so the
    comparison to ensure that it falls within the bounds of this array will
    fail when provided with a negative index.
    
    This can be used to read arbitrary kernel memory or cause a crash due to
    an invalid pointer dereference.  This can be exploited by users with
    permission to open /dev/pktcdvd/control (on many distributions, this is
    readable by group "cdrom").
    
    Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
    [ Rather than add a cast, just make the function take the right type -Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  3. @torvalds

    Un-inline get_pipe_info() helper function

    torvalds authored Andi Kleen committed
    commit 7208364 upstream.
    
    This avoids some include-file hell, and the function isn't really
    important enough to be inlined anyway.
    
    Reported-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  4. @torvalds

    Export 'get_pipe_info()' to other users

    torvalds authored Andi Kleen committed
    commit c66fb34 upstream.
    
    And in particular, use it in 'pipe_fcntl()'.
    
    The other pipe functions do not need to use the 'careful' version, since
    they are only ever called for things that are already known to be pipes.
    
    The normal read/write/ioctl functions are called through the file
    operations structures, so if a file isn't a pipe, they'd never get
    called.  But pipe_fcntl() is special, and called directly from the
    generic fcntl code, and needs to use the same careful function that the
    splice code is using.
    
    Cc: Jens Axboe <jaxboe@fusionio.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  5. @torvalds

    Rename 'pipe_info()' to 'get_pipe_info()'

    torvalds authored Andi Kleen committed
    commit 71993e6 upstream.
    
    .. and change it to take the 'file' pointer instead of an inode, since
    that's what all users want anyway.
    
    The renaming is preparatory to exporting it to other users.  The old
    'pipe_info()' name was too generic and is already used elsewhere, so
    before making the function public we need to use a more specific name.
    
    Cc: Jens Axboe <jaxboe@fusionio.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  6. nmi: fix clock comparator revalidation

    Heiko Carstens authored Andi Kleen committed
    commit e8129c6 upstream.
    
    On each machine check all registers are revalidated. The save area for
    the clock comparator however only contains the upper most seven bytes
    of the former contents, if valid.
    Therefore the machine check handler uses a store clock instruction to
    get the current time and writes that to the clock comparator register
    which in turn will generate an immediate timer interrupt.
    However within the lowcore the expected time of the next timer
    interrupt is stored. If the interrupt happens before that time the
    handler won't be called. In turn the clock comparator won't be
    reprogrammed and therefore the interrupt condition stays pending which
    causes an interrupt loop until the expected time is reached.
    
    On NOHZ machines this can result in unresponsive machines since the
    time of the next expected interrupted can be a couple of days in the
    future.
    
    To fix this just revalidate the clock comparator register with the
    expected value.
    In addition the special handling for udelay must be changed as well.
    
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  7. r8169: fix checksum broken

    Shan Wei authored Andi Kleen committed
    commit d5d3ebe upstream.
    
    If r8196 received packets with invalid sctp/igmp(not tcp, udp) checksum, r8196 set skb->ip_summed
    wit CHECKSUM_UNNECESSARY. This cause that upper protocol don't check checksum field.
    
    I am not family with r8196 driver. I try to guess the meaning of RxProtoIP and IPFail.
    RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp.
    !(opts1 & IPFail) is true means that driver correctly to check checksum in IPv4 header.
    
    If it's right, I think we should not set ip_summed wit CHECKSUM_UNNECESSARY for my sctp packets
    with invalid checksum.
    
    If it's not right, please tell me.
    
    Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
    Acked-by: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  8. @sgruszka

    r8169: (re)init phy on resume

    sgruszka authored Andi Kleen committed
    commit fccec10 upstream.
    
    Fix switching device to low-speed mode after resume reported in:
    https://bugzilla.redhat.com/show_bug.cgi?id=502974
    
    Reported-and-tested-by: Laurentiu Badea <bugzilla-redhat@wotevah.com>
    Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  9. r8169: fix rx checksum offload

    Eric Dumazet authored Andi Kleen committed
    commit adea1ac upstream.
    
    While porting GRO to r8169, I found this driver has a bug in its rx
    path.
    
    All skbs given to network stack had their ip_summed set to
    CHECKSUM_NONE, while hardware said they had correct TCP/UDP checksums.
    
    The reason is driver sets skb->ip_summed on the original skb before the
    copy eventually done by copybreak. The fresh skb gets the ip_summed =
    CHECKSUM_NONE value, forcing network stack to recompute checksum, and
    preventing my GRO patch to work.
    
    Fix is to make the ip_summed setting after skb copy.
    
    Note : rx_copybreak current value is 16383, so all frames are copied...
    
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  10. cfg80211: fix extension channel checks to initiate communication

    Luis R. Rodriguez authored Andi Kleen committed
    commit 9236d83 upstream.
    
    When operating in a mode that initiates communication and using
    HT40 we should fail if we cannot use both primary and secondary
    channels to initiate communication. Our current ht40 allowmap
    only covers STA mode of operation, for beaconing modes we need
    a check on the fly as the mode of operation is dynamic and
    there other flags other than disable which we should read
    to check if we can initiate communication.
    
    Do not allow for initiating communication if our secondary HT40
    channel has is either disabled, has a passive scan flag, a
    no-ibss flag or is a radar channel. Userspace now has similar
    checks but this is also needed in-kernel.
    
    Reported-by: Jouni Malinen <jouni.malinen@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  11. rds: Integer overflow in RDS cmsg handling

    Dan Rosenberg authored Andi Kleen committed
    commit 218854a upstream.
    
    In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
    restricted to less than UINT_MAX.  This seems to need a tighter upper
    bound, since the calculation of total iov_size can overflow, resulting
    in a small sock_kmalloc() allocation.  This would probably just result
    in walking off the heap and crashing when calling rds_rdma_pages() with
    a high count value.  If it somehow doesn't crash here, then memory
    corruption could occur soon after.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  12. @philb

    econet: fix CVE-2010-3848

    philb authored Andi Kleen committed
    commit a27e13d upstream.
    
    Don't declare variable sized array of iovecs on the stack since this
    could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
    the user-supplied data into a new buffer and use a single iovec for it.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  13. @philb

    econet: fix CVE-2010-3850

    philb authored Andi Kleen committed
    commit 16c4174 upstream.
    
    Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  14. @philb

    econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

    philb authored Andi Kleen committed
    commit fa0e846 upstream.
    
    Later parts of econet_sendmsg() rely on saddr != NULL, so return early
    with EINVAL if NULL was passed otherwise an oops may occur.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  15. @herbertx

    crypto: padlock - Fix AES-CBC handling on odd-block-sized input

    herbertx authored Andi Kleen committed
    commit c054a07 upstream.
    
    On certain VIA chipsets AES-CBC requires the input/output to be
    a multiple of 64 bytes.  We had a workaround for this but it was
    buggy as it sent the whole input for processing when it is meant
    to only send the initial number of blocks which makes the rest
    a multiple of 64 bytes.
    
    As expected this causes memory corruption whenever the workaround
    kicks in.
    
    Reported-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  16. x25: Prevent crashing when parsing bad X.25 facilities

    Dan Rosenberg authored Andi Kleen committed
    commit 5ef4130 upstream.
    
    Now with improved comma support.
    
    On parsing malformed X.25 facilities, decrementing the remaining length
    may cause it to underflow.  Since the length is an unsigned integer,
    this will result in the loop continuing until the kernel crashes.
    
    This patch adds checks to ensure decrementing the remaining length does
    not cause it to wrap around.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  17. @hartkopp

    can-bcm: fix minor heap overflow

    hartkopp authored Andi Kleen committed
    commit 0597d1b upstream.
    
    On 64-bit platforms the ASCII representation of a pointer may be up to 17
    bytes long. This patch increases the length of the buffer accordingly.
    
    http://marc.info/?l=linux-netdev&m=128872251418192&w=2
    
    Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    CC: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @davem330

    filter: make sure filters dont read uninitialized memory

    davem330 authored Andi Kleen committed
    commit 57fe93b upstream.
    
    There is a possibility malicious users can get limited information about
    uninitialized stack mem array. Even if sk_run_filter() result is bound
    to packet length (0 .. 65535), we could imagine this can be used by
    hostile user.
    
    Initializing mem[] array, like Dan Rosenberg suggested in his patch is
    expensive since most filters dont even use this array.
    
    Its hard to make the filter validation in sk_chk_filter(), because of
    the jumps. This might be done later.
    
    In this patch, I use a bitmap (a single long var) so that only filters
    using mem[] loads/stores pay the price of added security checks.
    
    For other filters, additional cost is a single instruction.
    
    [ Since we access fentry->k a lot now, cache it in a local variable
      and mark filter entry pointer as const. -DaveM ]
    
    Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  19. @hgn

    net: optimize Berkeley Packet Filter (BPF) processing

    hgn authored Andi Kleen committed
    Gcc is currenlty not in the ability to optimize the switch statement in
    sk_run_filter() because of dense case labels. This patch replace the
    OR'd labels with ordered sequenced case labels. The sk_chk_filter()
    function is modified to patch/replace the original OPCODES in a
    ordered but equivalent form. gcc is now in the ability to transform the
    switch statement in sk_run_filter into a jump table of complexity O(1).
    
    Until this patch gcc generates a sequence of conditional branches (O(n) of 567
    byte .text segment size (arch x86_64):
    
    7ff: 8b 06                 mov    (%rsi),%eax
    801: 66 83 f8 35           cmp    $0x35,%ax
    805: 0f 84 d0 02 00 00     je     adb <sk_run_filter+0x31d>
    80b: 0f 87 07 01 00 00     ja     918 <sk_run_filter+0x15a>
    811: 66 83 f8 15           cmp    $0x15,%ax
    815: 0f 84 c5 02 00 00     je     ae0 <sk_run_filter+0x322>
    81b: 77 73                 ja     890 <sk_run_filter+0xd2>
    81d: 66 83 f8 04           cmp    $0x4,%ax
    821: 0f 84 17 02 00 00     je     a3e <sk_run_filter+0x280>
    827: 77 29                 ja     852 <sk_run_filter+0x94>
    829: 66 83 f8 01           cmp    $0x1,%ax
    [...]
    
    With the modification the compiler translate the switch statement into
    the following jump table fragment:
    
    7ff: 66 83 3e 2c           cmpw   $0x2c,(%rsi)
    803: 0f 87 1f 02 00 00     ja     a28 <sk_run_filter+0x26a>
    809: 0f b7 06              movzwl (%rsi),%eax
    80c: ff 24 c5 00 00 00 00  jmpq   *0x0(,%rax,8)
    813: 44 89 e3              mov    %r12d,%ebx
    816: e9 43 03 00 00        jmpq   b5e <sk_run_filter+0x3a0>
    81b: 41 89 dc              mov    %ebx,%r12d
    81e: e9 3b 03 00 00        jmpq   b5e <sk_run_filter+0x3a0>
    
    Furthermore, I reordered the instructions to reduce cache line misses by
    order the most common instruction to the start.
    
    [AK: Added as dependency on next patch]
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  20. @AndrewHendry

    memory corruption in X.25 facilities parsing

    AndrewHendry authored Andi Kleen committed
    commit a6331d6 upstream.
    
    Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  21. OMAP3: DMA: Errata i541: sDMA FIFO draining does not finish

    Peter Ujfalusi authored Andi Kleen committed
    commit 0e4905c upstream.
    
    Implement the suggested workaround for OMAP3 regarding to sDMA draining
    issue, when the channel is disabled on the fly.
    This errata affects the following configuration:
    sDMA transfer is source synchronized
    Buffering is enabled
    SmartStandby is selected.
    
    The issue can be easily reproduced by creating overrun situation while
    recording audio.
    Either introduce load to the CPU:
    nice -19 arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null & \
    dd if=/dev/urandom of=/dev/null
    
    or suspending the arecord, and resuming it:
    arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null
    CTRL+Z; fg; CTRL+Z; fg; ...
    
    In case of overrun audio stops DMA, and restarts it (without reseting
    the sDMA channel). When we hit this errata in stop case (sDMA drain did
    not complete), at the coming start the sDMA will not going to be
    operational (it is still draining).
    This leads to DMA stall condition.
    On OMAP3 we can recover with sDMA channel reset, it has been observed
    that by introducing unrelated sDMA activity might also help (reading
    from MMC for example).
    
    The same errata exists for OMAP2, where the suggestion is to disable the
    buffering to avoid this type of error.
    On OMAP3 the suggestion is to set sDMA to NoStandby before disabling
    the channel, and wait for the drain to finish, than configure sDMA to
    SmartStandby again.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
    Acked-by: Jarkko Nikula <jhnikula@gmail.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Acked-by : Santosh Shilimkar <santosh.shilimkar@ti.com>
    Acked-by : Manjunath Kondaiah G <manjugk@ti.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. omap: dma: Fix buffering disable bit setting for omap24xx

    Jarkko Nikula authored Andi Kleen committed
    commit 3e57f16 upstream.
    
    An errata workaround for omap24xx is not setting the buffering disable bit
    25 what is the purpose but channel enable bit 7 instead.
    
    Background for this fix is the DMA stalling issue with ASoC omap-mcbsp
    driver. Peter Ujfalusi <peter.ujfalusi@nokia.com> has found an issue in
    recording that the DMA stall could happen if there were a buffer overrun
    detected by ALSA and the DMA was stopped and restarted due that. This
    problem is known to occur on both OMAP2420 and OMAP3. It can recover on
    OMAP3 after dma free, dma request and reconfiguration cycle. However, on
    OMAP2420 it seems that only way to recover is a reset.
    
    Problem was not visible before the commit c12abc0. That commit changed that
    the McBSP transmitter/receiver is released from reset only when needed. That
    is, only enabled McBSP transmitter without transmission was able to prevent
    this DMA stall problem in receiving side and underlying problem did not show
    up until now. McBSP transmitter itself seems to no be reason since DMA
    stall does not recover by enabling the transmission after stall.
    
    Debugging showed that there were a DMA write active during DMA stop time and
    it never completed even when restarting the DMA. Experimenting showed that
    the DMA buffering disable bit could be used to avoid stalling when using
    source synchronized transfers. However that could have performance hit and
    OMAP3 TRM states that buffering disable is not allowed for destination
    synchronized transfers so subsequent patch will implement a method to
    complete DMA writes when stopping.
    
    This patch is based on assumtion that complete lock-up on OMAP2420 is
    different but related problem. I don't have access to OMAP2420 errata but
    I believe this old workaround here is put for a reason but unfortunately
    a wrong bit was typed and problem showed up only now.
    
    Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
    Acked-by: Manjunath Kondaiah G <manjugk@ti.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  23. @dtor

    Input: i8042 - add Sony VAIO VPCZ122GX to nomux list

    dtor authored Andi Kleen committed
    [Note that the mainline will not have this particular fix but rather
    will blacklist entire VAIO line based off DMI board name. For stable
    I am being a bit more cautious and blacklist one particular product.]
    
    Trying to query/activate active multiplexing mode on this VAIO makes
    both keyboard and touchpad inoperable. Futher kernels will blacklist
    entire VAIO line, however here we blacklist just one particular model.
    
    Reported-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  24. @davem330

    net: Limit socket I/O iovec total length to INT_MAX.

    davem330 authored Andi Kleen committed
    commit 8acfe46 upstream.
    
    This helps protect us from overflow issues down in the
    individual protocol sendmsg/recvmsg handlers.  Once
    we hit INT_MAX we truncate out the rest of the iovec
    by setting the iov_len members to zero.
    
    This works because:
    
    1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
       writes are allowed and the application will just continue
       with another write to send the rest of the data.
    
    2) For datagram oriented sockets, where there must be a
       one-to-one correspondance between write() calls and
       packets on the wire, INT_MAX is going to be far larger
       than the packet size limit the protocol is going to
       check for and signal with -EMSGSIZE.
    
    Based upon a patch by Linus Torvalds.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  25. @torvalds

    net: Truncate recvfrom and sendto length to INT_MAX.

    torvalds authored Andi Kleen committed
    commit 253eacc upstream.
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  26. genirq: Fix incorrect proc spurious output

    Kenji Kaneshige authored Andi Kleen committed
    commit 25c9170 upstream.
    
    Since commit a1afb63(switch /proc/irq/*/spurious to seq_file) all
    /proc/irq/XX/spurious files show the information of irq 0.
    
    Current irq_spurious_proc_open() passes on NULL as the 3rd argument,
    which is used as an IRQ number in irq_spurious_proc_show(), to the
    single_open(). Because of this, all the /proc/irq/XX/spurious file
    shows IRQ 0 information regardless of the IRQ number.
    
    To fix the problem, irq_spurious_proc_open() must pass on the
    appropreate data (IRQ number) to single_open().
    
    Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Reviewed-by: Yong Zhang <yong.zhang0@gmail.com>
    LKML-Reference: <4CF4B778.90604@jp.fujitsu.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  27. nohz/s390: fix arch_needs_cpu() return value on offline cpus

    Heiko Carstens authored Andi Kleen committed
    commit 3988121 upstream.
    
    This fixes the same problem as described in the patch "nohz: fix
    printk_needs_cpu() return value on offline cpus" for the arch_needs_cpu()
    primitive:
    
    arch_needs_cpu() may return 1 if called on offline cpus. When a cpu gets
    offlined it schedules the idle process which, before killing its own cpu,
    will call tick_nohz_stop_sched_tick().
    That function in turn will call arch_needs_cpu() in order to check if the
    local tick can be disabled. On offline cpus this function should naturally
    return 0 since regardless if the tick gets disabled or not the cpu will be
    dead short after. That is besides the fact that __cpu_disable() should already
    have made sure that no interrupts on the offlined cpu will be delivered anyway.
    
    In this case it prevents tick_nohz_stop_sched_tick() to call
    select_nohz_load_balancer(). No idea if that really is a problem. However what
    made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is
    used within __mod_timer() to select a cpu on which a timer gets enqueued.
    If arch_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get
    updated when a cpu gets offlined. It may contain the cpu number of an offline
    cpu. In turn timers get enqueued on an offline cpu and not very surprisingly
    they never expire and cause system hangs.
    
    This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses
    get_nohz_timer_target() which doesn't have that problem. However there might
    be other problems because of the too early exit tick_nohz_stop_sched_tick()
    in case a cpu goes offline.
    
    This specific bug was indrocuded with 3c5d92a "nohz: Introduce
    arch_needs_cpu".
    
    In this case a cpu hotplug notifier is used to fix the issue in order to keep
    the normal/fast path small. All we need to do is to clear the condition that
    makes arch_needs_cpu() return 1 since it is just a performance improvement
    which is supposed to keep the local tick running for a short period if a cpu
    goes idle. Nothing special needs to be done except for clearing the condition.
    
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  28. wmi: use memcmp instead of strncmp to compare GUIDs

    Thadeu Lima de Souza Cascardo authored Andi Kleen committed
    commit 8b14d7b upstream.
    
    While looking for the duplicates in /sys/class/wmi/, I couldn't find
    them. The code that looks for duplicates uses strncmp in a binary GUID,
    which may contain zero bytes. The right function is memcmp, which is
    also used in another section of wmi code.
    
    It was finding 49142400-C6A3-40FA-BADB-8A2652834100 as a duplicate of
    39142400-C6A3-40FA-BADB-8A2652834100. Since the first byte is the fourth
    printed, they were found as equal by strncmp.
    
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
    Signed-off-by: Matthew Garrett <mjg@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  29. @rjwysocki

    PM / Hibernate: Fix memory corruption related to swap

    rjwysocki authored Andi Kleen committed
    commit c9e664f upstream.
    
    There is a problem that swap pages allocated before the creation of
    a hibernation image can be released and used for storing the contents
    of different memory pages while the image is being saved.  Since the
    kernel stored in the image doesn't know of that, it causes memory
    corruption to occur after resume from hibernation, especially on
    systems with relatively small RAM that need to swap often.
    
    This issue can be addressed by keeping the GFP_IOFS bits clear
    in gfp_allowed_mask during the entire hibernation, including the
    saving of the image, until the system is finally turned off or
    the hibernation is aborted.  Unfortunately, for this purpose
    it's necessary to rework the way in which the hibernate and
    suspend code manipulates gfp_allowed_mask.
    
    This change is based on an earlier patch from Hugh Dickins.
    
    Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
    Reported-by: Ondrej Zary <linux@rainbow-software.org>
    Acked-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  30. ARM: 6456/1: Fix for building DEBUG with sa11xx_base.c as a module.

    Marcelo Roberto Jimenez authored Andi Kleen committed
    commit b9f515e upstream.
    
    This patch fixes a compilation issue when compiling PCMCIA SA1100
    support as a module with PCMCIA_DEBUG enabled. The symbol
    soc_pcmcia_debug was not beeing exported.
    ARM: pcmcia: Fix for building DEBUG with sa11xx_base.c as a module.
    
    This patch fixes a compilation issue when compiling PCMCIA SA1100
    support as a module with PCMCIA_DEBUG enabled. The symbol
    soc_pcmcia_debug was not beeing exported.
    
    Signed-off-by: Marcelo Roberto Jimenez <mroberto@cpti.cetuc.puc-rio.br>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  31. perf: Fix inherit vs. context rotation bug

    Thomas Gleixner authored Andi Kleen committed
    commit dddd337 upstream.
    
    It was found that sometimes children of tasks with inherited events had
    one extra event. Eventually it turned out to be due to the list rotation
    no being exclusive with the list iteration in the inheritance code.
    
    Cure this by temporarily disabling the rotation while we inherit the events.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    LKML-Reference: <new-submission>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  32. Staging: batman-adv: ensure that eth_type_trans gets linear memory

    Marek Lindner authored Andi Kleen committed
    commit b6faaae upstream.
    
    eth_type_trans tries to pull data with the length of the ethernet header
    from the skb. We only ensured that enough data for the first ethernet
    header and the batman header is available in non-paged memory of the skb
    and not for the ethernet after the batman header.
    
    eth_type_trans would fail sometimes with drivers which don't ensure that
    all there data is perfectly linearised.
    
    The failure was noticed through a kernel bug Oops generated by the
    skb_pull inside eth_type_trans.
    
    Reported-by: Rafal Lesniak <lesniak@eresi-project.org>
    Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
    Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  33. @lwfinger

    staging: rtl8187se: Change panic to warn when RF switch turned off

    lwfinger authored Andi Kleen committed
    commit f36d83a upstream.
    
    This driver issues a kernel panic over conditions that do not
    justify such drastic action. Change these to log entries with
    a stack dump.
    
    This patch fixes the system crash reported in
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.
    
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  34. @gregkh

    Staging: frontier: fix up some sysfs attribute permissions

    gregkh authored Andi Kleen committed
    commit 3bad28e and
    2a767fd upstream merged together.
    
    They should not be writable by any user
    
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: David Taht <d@teklibre.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  35. @gregkh

    Staging: samsung-laptop: fix up my fixup for some sysfs attribute per…

    gregkh authored Andi Kleen committed
    …missions
    
    commit 4d7bc38 upstream.
    
    They should be writable by root, not readable.
    Doh, stupid me with the wrong flags.
    
    Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
Something went wrong with that request. Please try again.