Commits on Mar 31, 2011
  1. Release

    Signed-off-by: Andi Kleen <>
    Andi Kleen committed with AK Mar 31, 2011
  2. Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

    [ upstream commit 243b422 ]
    Commit da48524 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
    from spoofing the signal code") made the check on si_code too strict.
    There are several legitimate places where glibc wants to queue a
    negative si_code different from SI_QUEUE:
     - This was first noticed with glibc's aio implementation, which wants
       to queue a signal with si_code SI_ASYNCIO; the current kernel
       causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
       fails with EPERM.
     - Further examination of the glibc source shows that getaddrinfo_a()
       wants to use SI_ASYNCNL (which the kernel does not even define).
       The timer_create() fallback code wants to queue signals with SI_TIMER.
    As suggested by Oleg Nesterov <>, loosen the check to
    forbid only the problematic SI_TKILL case.
    Reported-by: Klaus Dittrich <>
    Acked-by: Julien Tinnes <>
    Signed-off-by: Andi Kleen <>
    Cc: <>
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Linus Torvalds <>
    rolandd committed with AK Mar 28, 2011
  3. KVM: VMX: Fix host userspace gsbase corruption

    commit c8770e7 upstream.
    We now use load_gs_index() to load gs safely; unfortunately this also
    changes MSR_KERNEL_GS_BASE, which we managed separately.  This resulted
    in confusion and breakage running 32-bit host userspace on a 64-bit kernel.
    Fix by
    - saving guest MSR_KERNEL_GS_BASE before we we reload the host's gs
    - doing the host save/load unconditionally, instead of only when in guest
      long mode
    Things can be cleaned up further, but this is the minmal fix for now.
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Marcelo Tosatti committed with AK Mar 31, 2011
  4. KVM: Correct ordering of ldt reload wrt fs/gs reload

    commit 0a77fe4 upstream.
    If fs or gs refer to the ldt, they must be reloaded after the ldt.  Reorder
    the code to that effect.
    Userspace code that uses the ldt with kvm is nonexistent, so this doesn't fix
    a user-visible bug.
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Avi Kivity committed with AK Mar 31, 2011
  5. KVM: Fix fs/gs reload oops with invalid ldt

    commit 9581d44 upstream.
    kvm reloads the host's fs and gs blindly, however the underlying segment
    descriptors may be invalid due to the user modifying the ldt after loading
    Fix by using the safe accessors (loadsegment() and load_gs_index()) instead
    of home grown unsafe versions.
    This is CVE-2010-3698.
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Andi Kleen <>
    Avi Kivity committed with AK Mar 31, 2011
  6. Revert "KVM: Correct ordering of ldt reload wrt fs/gs reload"

    This reverts commit d3f813d.
    Signed-off-by: Andi Kleen <>
    Marcelo Tosatti committed with AK Mar 31, 2011
  7. KVM: i8259: initialize isr_ack

    commit a027263 upstream.
    isr_ack is never initialized.  So, until the first PIC reset, interrupts
    may fail to be injected.  This can cause Windows XP to fail to boot, as
    reported in the fallout from the fix to
    Reported-and-tested-by: Nicolas Prochazka <>
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Andi Kleen <>
    Avi Kivity committed with AK Mar 31, 2011
  8. KVM: enlarge number of possible CPUID leaves

    commit 73c1160 upstream.
    Currently the number of CPUID leaves KVM handles is limited to 40.
    My desktop machine (AthlonII) already has 35 and future CPUs will
    expand this well beyond the limit. Extend the limit to 80 to make
    room for future processors.
    Signed-off-by: Andre Przywara <>
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Andi Kleen <>
    aprzywar committed with AK Mar 31, 2011
  9. iwl3945: remove plcp check

    commit c91d015 upstream.
    Patch fixes:
    Many users report very low speed problem on 3945 devices,
    this patch fixes problem, but only for some of them.
    For unknown reason, sometimes after hw scanning, device is not able
    to receive frames at high rate. Since plcp health check may request
    hw scan to "reset radio", performance problem start to be observable
    after update kernel to .35, where plcp check was introduced.
    Bug reporter confirmed that removing plcp check fixed problem for him.
    Reported-and-tested-by: SilvioTO <>
    Acked-by: Wey-Yi Guy <>
    Signed-off-by: Stanislaw Gruszka <>
    Signed-off-by: Andi Kleen <>
    sgruszka committed with AK Feb 21, 2011
  10. md: Fix - again - partition detection when array becomes active

    [ upstream commit f0b4f7e ]
    When I wrote the first of these I had a wrong idea about the
    lifetime of 'struct block_device'.  It can disappear at any time that
    the block device is not open if it falls out of the inode cache.
    So relying on the 'size' recorded with it to detect when the
    device size has changed and so we need to revalidate, is wrong.
    Rather, we really do need the 'changed' attribute stored directly in
    the mddev and set/tested as appropriate.
    Without this patch, a sequence of:
       mknod / open / close / unlink
    (which can cause a block_device to be created and then destroyed)
    will result in a rescan of the partition table and consequence removal
    and addition of partitions.
    Several of these in a row can get udev racing to create and unlink and
    other code can get confused.
    With the patch, the rescan is only performed when needed and so there
    are no races.
    This is suitable for any stable kernel from 2.6.35.
    Reported-by: "Wojcik, Krzysztof" <>
    Signed-off-by: NeilBrown <>
    Signed-off-by: Andi Kleen <>
    neilbrown committed with AK Feb 24, 2011
  11. hwmon: (w83627ehf) Driver cleanup

    [ upstream commit da2e025 ]
    - Moved fan pwm register array pointers into per-instance data.
    - Only read fan pwm data for installed/supported fans.
    - Update fan max output and fan step output information from data in
    - Create max_output and step_output attribute files only if respective
      fan pwm registers exist.
    Signed-off-by: Guenter Roeck <>
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Andi Kleen <>
    Guenter Roeck committed with AK Aug 14, 2010
  12. net: Fix ip link add netns oops

    [ upstream commit 13ad177 ]
    Ed Swierk <> writes:
    > On
    >  ip link add link eth0 netns 9999 type macvlan
    > where 9999 is a nonexistent PID triggers an oops and causes all network functions to hang:
    > [10663.821898] BUG: unable to handle kernel NULL pointer dereference at 000000000000006d
    >  [10663.821917] IP: [<ffffffff8149c2fa>] __dev_alloc_name+0x9a/0x170
    >  [10663.821933] PGD 1d3927067 PUD 22f5c5067 PMD 0
    >  [10663.821944] Oops: 0000 [#1] SMP
    >  [10663.821953] last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
    >  [10663.821959] CPU 3
    >  [10663.821963] Modules linked in: macvlan ip6table_filter ip6_tables rfcomm ipt_MASQUERADE binfmt_misc iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack sco ipt_REJECT bnep l2cap xt_tcpudp iptable_filter ip_tables x_tables bridge stp vboxnetadp vboxnetflt vboxdrv kvm_intel kvm parport_pc ppdev snd_hda_codec_intelhdmi snd_hda_codec_conexant arc4 iwlagn iwlcore mac80211 snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq_midi snd_rawmidi i915 snd_seq_midi_event snd_seq thinkpad_acpi drm_kms_helper btusb tpm_tis nvram uvcvideo snd_timer snd_seq_device bluetooth videodev v4l1_compat v4l2_compat_ioctl32 tpm drm tpm_bios snd cfg80211 psmouse serio_raw intel_ips soundcore snd_page_alloc intel_agp i2c_algo_bit video output netconsole configfs lp parport usbhid hid e1000e sdhci_pci ahci libahci sdhci led_class
    >  [10663.822155]
    >  [10663.822161] Pid: 6000, comm: ip Not tainted 2.6.35-23-generic #41-Ubuntu 2901CTO/2901CTO
    >  [10663.822167] RIP: 0010:[<ffffffff8149c2fa>] [<ffffffff8149c2fa>] __dev_alloc_name+0x9a/0x170
    >  [10663.822177] RSP: 0018:ffff88014aebf7b8 EFLAGS: 00010286
    >  [10663.822182] RAX: 00000000fffffff4 RBX: ffff8801ad900800 RCX: 0000000000000000
    >  [10663.822187] RDX: ffff880000000000 RSI: 0000000000000000 RDI: ffff88014ad63000
    >  [10663.822191] RBP: ffff88014aebf808 R08: 0000000000000041 R09: 0000000000000041
    >  [10663.822196] R10: 0000000000000000 R11: dead000000200200 R12: ffff88014aebf818
    >  [10663.822201] R13: fffffffffffffffd R14: ffff88014aebf918 R15: ffff88014ad62000
    >  [10663.822207] FS: 00007f00c487f700(0000) GS:ffff880001f80000(0000) knlGS:0000000000000000
    >  [10663.822212] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    >  [10663.822216] CR2: 000000000000006d CR3: 0000000231f19000 CR4: 00000000000026e0
    >  [10663.822221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    >  [10663.822226] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    >  [10663.822231] Process ip (pid: 6000, threadinfo ffff88014aebe000, task ffff88014afb16e0)
    >  [10663.822236] Stack:
    >  [10663.822240] ffff88014aebf808 ffffffff814a2bb5 ffff88014aebf7e8 00000000a00ee8d6
    >  [10663.822251] <0> 0000000000000000 ffffffffa00ef940 ffff8801ad900800 ffff88014aebf818
    >  [10663.822265] <0> ffff88014aebf918 ffff8801ad900800 ffff88014aebf858 ffffffff8149c413
    >  [10663.822281] Call Trace:
    >  [10663.822290] [<ffffffff814a2bb5>] ? dev_addr_init+0x75/0xb0
    >  [10663.822298] [<ffffffff8149c413>] dev_alloc_name+0x43/0x90
    >  [10663.822307] [<ffffffff814a85ee>] rtnl_create_link+0xbe/0x1b0
    >  [10663.822314] [<ffffffff814ab2aa>] rtnl_newlink+0x48a/0x570
    >  [10663.822321] [<ffffffff814aafcc>] ? rtnl_newlink+0x1ac/0x570
    >  [10663.822332] [<ffffffff81030064>] ? native_x2apic_icr_read+0x4/0x20
    >  [10663.822339] [<ffffffff814a8c17>] rtnetlink_rcv_msg+0x177/0x290
    >  [10663.822346] [<ffffffff814a8aa0>] ? rtnetlink_rcv_msg+0x0/0x290
    >  [10663.822354] [<ffffffff814c25d9>] netlink_rcv_skb+0xa9/0xd0
    >  [10663.822360] [<ffffffff814a8a85>] rtnetlink_rcv+0x25/0x40
    >  [10663.822367] [<ffffffff814c223e>] netlink_unicast+0x2de/0x2f0
    >  [10663.822374] [<ffffffff814c303e>] netlink_sendmsg+0x1fe/0x2e0
    >  [10663.822383] [<ffffffff81488533>] sock_sendmsg+0xf3/0x120
    >  [10663.822391] [<ffffffff815899fe>] ? _raw_spin_lock+0xe/0x20
    >  [10663.822400] [<ffffffff81168656>] ? __d_lookup+0x136/0x150
    >  [10663.822406] [<ffffffff815899fe>] ? _raw_spin_lock+0xe/0x20
    >  [10663.822414] [<ffffffff812b7a0d>] ? _atomic_dec_and_lock+0x4d/0x80
    >  [10663.822422] [<ffffffff8116ea90>] ? mntput_no_expire+0x30/0x110
    >  [10663.822429] [<ffffffff81486ff5>] ? move_addr_to_kernel+0x65/0x70
    >  [10663.822435] [<ffffffff81493308>] ? verify_iovec+0x88/0xe0
    >  [10663.822442] [<ffffffff81489020>] sys_sendmsg+0x240/0x3a0
    > [10663.822450] [<ffffffff8111e2a9>] ? __do_fault+0x479/0x560
    >  [10663.822457] [<ffffffff815899fe>] ? _raw_spin_lock+0xe/0x20
    >  [10663.822465] [<ffffffff8116cf4a>] ? alloc_fd+0x10a/0x150
    >  [10663.822473] [<ffffffff8158d76e>] ? do_page_fault+0x15e/0x350
    >  [10663.822482] [<ffffffff8100a0f2>] system_call_fastpath+0x16/0x1b
    >  [10663.822487] Code: 90 48 8d 78 02 be 25 00 00 00 e8 92 1d e2 ff 48 85 c0 75 cf bf 20 00 00 00 e8 c3 b1 c6 ff 49 89 c7 b8 f4 ff ff ff 4d 85 ff 74 bd <4d> 8b 75 70 49 8d 45 70 48 89 45 b8 49 83 ee 58 eb 28 48 8d 55
    >  [10663.822618] RIP [<ffffffff8149c2fa>] __dev_alloc_name+0x9a/0x170
    >  [10663.822627] RSP <ffff88014aebf7b8>
    >  [10663.822631] CR2: 000000000000006d
    >  [10663.822636] ---[ end trace 3dfd6c3ad5327ca7 ]---
    This bug was introduced in:
    commit 81adee4
    Author: Eric W. Biederman <>
    Date:   Sun Nov 8 00:53:51 2009 -0800
        net: Support specifying the network namespace upon device creation.
        There is no good reason to not support userspace specifying the
        network namespace during device creation, and it makes it easier
        to create a network device and pass it to a child network namespace
        with a well known name.
        We have to be careful to ensure that the target network namespace
        for the new device exists through the life of the call.  To keep
        that logic clear I have factored out the network namespace grabbing
        logic into rtnl_link_get_net.
        In addtion we need to continue to pass the source network namespace
        to the rtnl_link_ops.newlink method so that we can find the base
        device source network namespace.
        Signed-off-by: Eric W. Biederman <>
        Acked-by: Eric Dumazet <>
    Where apparently I forgot to add error handling to the path where we create
    a new network device in a new network namespace, and pass in an invalid pid.
    Reported-by: Ed Swierk <>
    Signed-off-by: "Eric W. Biederman" <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Andi Kleen <>
    ebiederm committed with AK Jan 29, 2011
  13. Revert "slab: Fix missing DEBUG_SLAB last user"

    [ upstream commit 3ff84a7 ]
    This reverts commit 5c5e3b3.
    The commit breaks ARM thusly:
    | Mount-cache hash table entries: 512
    | slab error in verify_redzone_free(): cache `idr_layer_cache': memory outside object was overwritten
    | Backtrace:
    | [<c0227088>] (dump_backtrace+0x0/0x110) from [<c0431afc>] (dump_stack+0x18/0x1c)
    | [<c0431ae4>] (dump_stack+0x0/0x1c) from [<c0293304>] (__slab_error+0x28/0x30)
    | [<c02932dc>] (__slab_error+0x0/0x30) from [<c0293a74>] (cache_free_debugcheck+0x1c0/0x2b8)
    | [<c02938b4>] (cache_free_debugcheck+0x0/0x2b8) from [<c0293f78>] (kmem_cache_free+0x3c/0xc0)
    | [<c0293f3c>] (kmem_cache_free+0x0/0xc0) from [<c032b1c8>] (ida_get_new_above+0x19c/0x1c0)
    | [<c032b02c>] (ida_get_new_above+0x0/0x1c0) from [<c02af7ec>] (alloc_vfsmnt+0x54/0x144)
    | [<c02af798>] (alloc_vfsmnt+0x0/0x144) from [<c0299830>] (vfs_kern_mount+0x30/0xec)
    | [<c0299800>] (vfs_kern_mount+0x0/0xec) from [<c0299908>] (kern_mount_data+0x1c/0x20)
    | [<c02998ec>] (kern_mount_data+0x0/0x20) from [<c02146c4>] (sysfs_init+0x68/0xc8)
    | [<c021465c>] (sysfs_init+0x0/0xc8) from [<c02137d4>] (mnt_init+0x90/0x1b0)
    | [<c0213744>] (mnt_init+0x0/0x1b0) from [<c0213388>] (vfs_caches_init+0x100/0x140)
    | [<c0213288>] (vfs_caches_init+0x0/0x140) from [<c0208c0c>] (start_kernel+0x2e8/0x368)
    | [<c0208924>] (start_kernel+0x0/0x368) from [<c0208034>] (__enable_mmu+0x0/0x2c)
    | c0113268: redzone 1:0xd84156c5c032b3ac, redzone 2:0xd84156c5635688c0.
    | slab error in cache_alloc_debugcheck_after(): cache `idr_layer_cache': double free, or memory outside object was overwritten
    | ...
    | c011307c: redzone 1:0x9f91102ffffffff, redzone 2:0x9f911029d74e35b
    | slab: Internal list corruption detected in cache 'idr_layer_cache'(24), slabp c0113000(16). Hexdump:
    | 000: 20 4f 10 c0 20 4f 10 c0 7c 00 00 00 7c 30 11 c0
    | 010: 10 00 00 00 10 00 00 00 00 00 c9 17 fe ff ff ff
    | 020: fe ff ff ff fe ff ff ff fe ff ff ff fe ff ff ff
    | 030: fe ff ff ff fe ff ff ff fe ff ff ff fe ff ff ff
    | 040: fe ff ff ff fe ff ff ff fe ff ff ff fe ff ff ff
    | 050: fe ff ff ff fe ff ff ff fe ff ff ff 11 00 00 00
    | 060: 12 00 00 00 13 00 00 00 14 00 00 00 15 00 00 00
    | 070: 16 00 00 00 17 00 00 00 c0 88 56 63
    | kernel BUG at /home/rmk/git/linux-2.6-rmk/mm/slab.c:2928!
    Cc: <> # 2.6.35.y and later
    Reported-and-analyzed-by: Russell King <>
    Signed-off-by: Pekka Enberg <>
    Signed-off-by: Andi Kleen <>
    penberg committed with AK Feb 14, 2011
  14. perf: Fix tear-down of inherited group events

    [ upstream commit 38b435b ]
    When destroying inherited events, we need to destroy groups too,
    otherwise the event iteration in perf_event_exit_task_context() will
    miss group siblings and we leak events with all the consequences.
    Reported-and-tested-by: Vince Weaver <>
    Signed-off-by: Peter Zijlstra <>
    Signed-off-by: Andi Kleen <>
    Cc: <> # .35+
    LKML-Reference: <1300196470.2203.61.camel@twins>
    Signed-off-by: Ingo Molnar <>
    Peter Zijlstra committed with AK Mar 15, 2011
  15. xhci: Update internal dequeue pointers after stalls.

    [ upstream commit bf161e8 ]
    When an endpoint stalls, the xHCI driver must move the endpoint ring's
    dequeue pointer past the stalled transfer.  To do that, the driver issues
    a Set TR Dequeue Pointer command, which will complete some time later.
    Takashi was having issues with USB 1.1 audio devices that stalled, and his
    analysis of the code was that the old code would not update the xHCI
    driver's ring dequeue pointer after the command completes.  However, the
    dequeue pointer is set in xhci_find_new_dequeue_state(), just before the
    set command is issued to the hardware.
    Setting the dequeue pointer before the Set TR Dequeue Pointer command
    completes is a dangerous thing to do, since the xHCI hardware can fail the
    command.  Instead, store the new dequeue pointer in the xhci_virt_ep
    structure, and update the ring's dequeue pointer when the Set TR dequeue
    pointer command completes.
    While we're at it, make sure we can't queue another Set TR Dequeue Command
    while the first one is still being processed.  This just won't work with
    the internal xHCI state code.  I'm still not sure if this is the right
    thing to do, since we might have a case where a driver queues multiple
    URBs to a control ring, one of the URBs Stalls, and then the driver tries
    to cancel the second URB.  There may be a race condition there where the
    xHCI driver might try to issue multiple Set TR Dequeue Pointer commands,
    but I would have to think very hard about how the Stop Endpoint and
    cancellation code works.  Keep the fix simple until when/if we run into
    that case.
    This patch should be queued to kernels all the way back to 2.6.31.
    Signed-off-by: Sarah Sharp <>
    Tested-by: Takashi Iwai <>
    Signed-off-by: Andi Kleen <>
    Sarah Sharp committed with AK Feb 23, 2011
  16. USB: isp1760: Implement solution for erratum 2

    The document says:
    |2.1 Problem description
    |    When at least two USB devices are simultaneously running, it is observed that
    |    sometimes the INT corresponding to one of the USB devices stops occurring. This may
    |    be observed sometimes with USB-to-serial or USB-to-network devices.
    |    The problem is not noticed when only USB mass storage devices are running.
    |2.2 Implication
    |    This issue is because of the clearing of the respective Done Map bit on reading the ATL
    |    PTD Done Map register when an INT is generated by another PTD completion, but is not
    |    found set on that read access. In this situation, the respective Done Map bit will remain
    |    reset and no further INT will be asserted so the data transfer corresponding to that USB
    |    device will stop.
    |2.3 Workaround
    |    An SOF INT can be used instead of an ATL INT with polling on Done bits. A time-out can
    |    be implemented and if a certain Done bit is never set, verification of the PTD completion
    |    can be done by reading PTD contents (valid bit).
    |    This is a proven workaround implemented in software.
    Russell King run into this with an USB-to-serial converter. This patch
    implements his suggestion to enable the high frequent SOF interrupt only
    at the time we have ATL packages queued. It goes even one step further
    and enables the SOF interrupt only if we have more than one ATL packet
    queued at the same time.
    Cc: <> # [2.6.35.x, 2.6.36.x, 2.6.37.x]
    Tested-by: Russell King <>
    Signed-off-by: Sebastian Andrzej Siewior <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Sebastian Andrzej Siewior committed with AK Mar 31, 2011
  17. cfg80211: fix can_beacon_sec_chan, reenable HT40

    [ upstream commit 09a02fd ]
    This follows wireless-testing 9236d83
    ("cfg80211: fix extension channel checks to initiate communication") and
    fixes accidental case fall-through. Without this fix, HT40 is entirely
    Signed-off-by: Mark Mentovai <>
    Signed-off-by: Andi Kleen <>
    Acked-by: Luis R. Rodriguez <
    Signed-off-by: John W. Linville <>
    markmentovai committed with AK Nov 17, 2010
  18. revert misc: uss720.c: add another vendor/product ID

    [  122.146074] usb 2-1: new full speed USB device using uhci_hcd and address 2
    [  122.325102] usb 2-1: New USB device found, idVendor=050d, idProduct=0002
    [  122.325110] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [  122.325117] usb 2-1: Product: IEEE-1284 Controller
    [  122.325121] usb 2-1: Manufacturer: Belk USB Printing Support
    [  123.531167] usblp0: USB Bidirectional printer dev 2 if 0 alt 1 proto 2 vid
    0x050D pid 0x0002
    [  123.531208] usbcore: registered new interface driver usblp
    [ 8046.227051] usb 2-1: new full speed USB device using uhci_hcd and address 6
    [ 8046.408083] usb 2-1: New USB device found, idVendor=050d, idProduct=0002
    [ 8046.408088] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [ 8046.408092] usb 2-1: Product: IEEE-1284 Controller
    [ 8046.408094] usb 2-1: Manufacturer: Belk USB Printing Support
    [ 8047.552140] get_1284_register timeout
    [ 8047.554102] uss720: async_complete: urb error -104
    [ 8047.556111] uss720: async_complete: urb error -32
    [sequence repeats]
    [unplug connector]
    [ 8485.688067] parport0: fix this legacy no-device port driver!
    [ 8485.688427] uss720: async_complete: urb error -32
    Blacklisting the uss720 driver fixes the problem.
    From 0a67b7c Mon Sep 17 00:00:00 2001
    From: Thomas Sailer <>
    Date: Tue, 14 Dec 2010 16:04:05 +0100
    Subject: [PATCH] USB: misc: uss720.c: add another vendor/product ID
    commit ecc1624 upstream.
    Fabio Battaglia report that he has another cable that works with this
    driver, so this patch adds its vendor/product ID.
    Signed-off-by: Thomas Sailer <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Chuck Ebbert committed with AK Mar 31, 2011
  19. Patch cab9e98 to the 2.6.35.y stable tree

    stored a ref to the current cred struct in struct scm_cookie.  This was fine
    with AF_UNIX as that calls scm_destroy() from its packet sending functions, but
    AF_NETLINK, which also uses scm_send(), does not call scm_destroy() - meaning
    that the copied credentials leak each time SCM data is sent over a netlink
    This can be triggered quite simply on a Fedora 13 or 14 userspace with the kernel (or something based off of that) by calling:
    	for ((i=0; i<100; i++))
    		su - -c /bin/true
    		cut -d: -f1 /proc/slabinfo | grep 'cred\|key\|task_struct'
    		cat /proc/keys | wc -l
    This leaks the session key that pam_keyinit creates for 'su -', which appears
    in /proc/keys as being revoked (has the R flag set against it) afterward su is
    Furthermore, if CONFIG_SLAB=y, then the cred and key slab object usage counts
    can be viewed and seen to increase.  The key slab increases by one object per
    loop, and this can be seen after the system has had a couple of minutes to
    stand after the script above has been run on it.
    If the system is working correctly, the key and cred counts should return to
    roughly what they were before.
    This patch from upstream (b47030c) is needed
    to fix the problem:
    From: Eric W. Biederman <>
    af_netlink: Add needed scm_destroy after scm_send.
    scm_send occasionally allocates state in the scm_cookie, so I have
    modified netlink_sendmsg to guarantee that when scm_send succeeds
    scm_destory will be called to free that state.
    Signed-off-by: Eric W. Biederman <>
    Signed-off-by: Andi Kleen <>
    Reviewed-by: Daniel Lezcano <>
    Acked-by: Pavel Emelyanov <>
    Signed-off-by: David S. Miller <>
    dhowells committed with AK Mar 31, 2011
  20. netfilter: arpt_mangle: fix return values of checkentry

    In 135367b "netfilter: xtables: change xt_target.checkentry return type",
    the type returned by checkentry was changed from boolean to int, but the
    return values where not adjusted.
    arptables: Input/output error
    This broke arptables with the mangle target since it returns true
    under success, which is interpreted by xtables as >0, thus
    returning EIO.
    The following Linux kernels are affected:
    Signed-off-by: Pablo Neira Ayuso <>
    Signed-off-by: Patrick McHardy <>
    Signed-off-by: Andi Kleen <>
    (cherry picked from commit 9d0db8b)
    Pablo Neira Ayuso committed with AK Feb 1, 2011
  21. classmate-laptop: depends on RFKILL or RFKILL=n

    [ upstream commit f35843e ]
    Randy Dunlap has reported that building classmate-laptop fails when
    CONFIG_RFKILL=m and CONFIG_ACPI_CMPC=y. He suggested depending on
    RFKILL, but, then, it will not be possible to select classmate-laptop
    when RFKILL is off. There's no known problem with building and using
    classmate-laptop with RFKILL off. So depend on RFKILL or RFKILL=n.
    Signed-off-by: Thadeu Lima de Souza Cascardo <>
    Signed-off-by: Matthew Garrett <>
    Signed-off-by: Andi Kleen <>
    Reported-by: Randy Dunlap <>
    Cc: Randy Dunlap <>
    Cc: Daniel Oliveira Nascimento <>
    Thadeu Lima de Souza Cascardo committed with AK May 26, 2010
  22. PM / Hibernate: Make default image size depend on total RAM size

    [ upstream commit ac5c24e ]
    The default hibernation image size is currently hard coded and euqal
    to 500 MB, which is not a reasonable default on many contemporary
    systems.  Make it equal 2/5 of the total RAM size (this is slightly
    below the maximum, i.e. 1/2 of the total RAM size, and seems to be
    generally suitable).
    Signed-off-by: Rafael J. Wysocki <>
    Tested-by: M. Vefa Bicakci <>
    Signed-off-by: Andi Kleen <>
    rjwysocki committed with AK Sep 20, 2010
  23. PM / Hibernate: Improve comments in hibernate_preallocate_memory()

    [ upstream commit 266f1a2 ]
    One comment in hibernate_preallocate_memory() is wrong, so fix it and
    add one more comment to clarify the meaning of the fixed one.
    Signed-off-by: Rafael J. Wysocki <>
    Signed-off-by: Andi Kleen <>
    rjwysocki committed with AK Sep 20, 2010
  24. eCryptfs: ecryptfs_keyring_auth_tok_for_sig() bug fix

    commit 1821df0 upstream.
    The pointer '(*auth_tok_key)' is set to NULL in case request_key()
    fails, in order to prevent its use by functions calling
    Signed-off-by: Roberto Sassu <>
    Signed-off-by: Tyler Hicks <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Roberto Sassu committed with AK Mar 17, 2011
  25. eCryptfs: Unlock page in write_begin error path

    commit 50f198a upstream.
    Unlock the page in error path of ecryptfs_write_begin(). This may
    happen, for example, if decryption fails while bring the page
    Signed-off-by: Tyler Hicks <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Tyler Hicks committed with AK Mar 9, 2011
  26. ses: Avoid kernel panic when lun 0 is not mapped

    commit d1e12de upstream.
    During device discovery, scsi mid layer sends INQUIRY command to LUN
    0. If the LUN 0 is not mapped to host, it creates a temporary
    scsi_device with LUN id 0 and sends REPORT_LUNS command to it. After
    the REPORT_LUNS succeeds, it walks through the LUN table and adds each
    LUN found to sysfs. At the end of REPORT_LUNS lun table scan, it will
    delete the temporary scsi_device of LUN 0.
    When scsi devices are added to sysfs, it calls add_dev function of all
    the registered class interfaces. If ses driver has been registered,
    ses_intf_add() of ses module will be called. This function calls
    scsi_device_enclosure() to check the inquiry data for EncServ
    bit. Since inquiry was not allocated for temporary LUN 0 scsi_device,
    it will cause NULL pointer exception.
    To fix the problem, sdev->inquiry is checked for NULL before reading it.
    Signed-off-by: Somasundaram Krishnasamy <>
    Signed-off-by: Babu Moger <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Krishnasamy, Somasundaram committed with AK Feb 28, 2011
  27. ses: show devices for enclosures with no page 7

    commit 877a559 upstream.
    enclosure page 7 gives us the "pretty" names of the enclosure slots.
    Without a page 7, we can still use the enclosure code as long as we
    make up numeric names for the slots. Unfortunately, the current code
    fails to add any devices because the check for page 10 is in the wrong
    place if we have no page 7.  Fix it so that devices show up even if
    the enclosure has no page 7.
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    John Hughes committed with AK Nov 4, 2009
  28. mac80211: initialize sta->last_rx in sta_info_alloc

    commit 8bc8aec upstream.
    This field is used to determine the inactivity time. When in AP mode,
    hostapd uses it for kicking out inactive clients after a while. Without this
    patch, hostapd immediately deauthenticates a new client if it checks the
    inactivity time before the client sends its first data frame.
    Signed-off-by: Felix Fietkau <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Felix Fietkau committed with AK Mar 21, 2011
  29. sound/oss/opl3: validate voice and channel indexes

    commit 4d00135 upstream.
    User-controllable indexes for voice and channel values may cause reading
    and writing beyond the bounds of their respective arrays, leading to
    potentially exploitable memory corruption.  Validate these indexes.
    Signed-off-by: Dan Rosenberg <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Dan Rosenberg committed with AK Mar 23, 2011
  30. cciss: fix lost command issue

    commit 1ddd504 upstream.
    Under certain workloads a command may seem to get lost. IOW, the Smart Array
    thinks all commands have been completed but we still have commands in our
    completion queue. This may lead to system instability, filesystems going
    read-only, or even panics depending on the affected filesystem. We add an
    extra read to force the write to complete.
    Testing shows this extra read avoids the problem.
    Signed-off-by: Mike Miller <>
    Signed-off-by: Jens Axboe <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    Bud Brown committed with AK Mar 23, 2011
  31. myri10ge: fix rmmod crash

    commit cda6587 upstream.
    Rmmod myri10ge crash at free_netdev() -> netif_napi_del(), because napi
    structures are already deallocated. To fix call netif_napi_del() before
    kfree() at myri10ge_free_slices().
    Signed-off-by: Stanislaw Gruszka <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    sgruszka committed with AK Mar 23, 2011
  32. perf: Better fit max unprivileged mlock pages for tools needs

    commit 880f573 upstream.
    The maximum kilobytes of locked memory that an unprivileged user
    can reserve is of 512 kB = 128 pages by default, scaled to the
    number of onlined CPUs, which fits well with the tools that use
    128 data pages by default.
    However tools actually use 129 pages, because they need one more
    for the user control page. Thus the default mlock threshold is
    not sufficient for the default tools needs and we always end up
    to evaluate the constant mlock rlimit policy, which doesn't have
    this scaling with the number of online CPUs.
    Hence, on systems that have more than 16 CPUs, we overlap the
    rlimit threshold and fail to mmap:
    	$ perf record ls
    	Error: failed to mmap with 1 (Operation not permitted)
    Just increase the max unprivileged mlock threshold by one page
    so that it supports well perf tools even after 16 CPUs.
    Reported-by: Han Pingtian <>
    Reported-by: Peter Zijlstra <>
    Reported-by: Arnaldo Carvalho de Melo <>
    Signed-off-by: Frederic Weisbecker <>
    Acked-by: Arnaldo Carvalho de Melo <>
    Signed-off-by: Andi Kleen <>
    Cc: Stephane Eranian <>
    LKML-Reference: <>
    Signed-off-by: Ingo Molnar <>
    Signed-off-by: Greg Kroah-Hartman <>
    fweisbec committed with AK Mar 23, 2011
  33. ALSA: Fix yet another race in disconnection

    commit a45e3d6 upstream.
    This patch fixes a race between snd_card_file_remove() and
    snd_card_disconnect().  When the card is added to shutdown_files list
    in snd_card_disconnect(), but it's freed in snd_card_file_remove() at
    the same time, the shutdown_files list gets corrupted.  The list member
    must be freed in snd_card_file_remove() as well.
    Reported-and-tested-by: Russ Dill <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    tiwai committed with AK Mar 24, 2011
  34. ALSA: hda - Fix SPDIF out regression on ALC889

    commit 20b67dd upstream.
    The commit 5a8cfb4
        ALSA: hda - Use ALC_INIT_DEFAULT for really default initialization
    changed to use the default initialization method for ALC889, but
    this caused a regression on SPDIF output on some machines.
    This seems due to the COEF setup included in the default init procedure.
    For making SPDIF working again, the COEF-setup has to be avoided for
    the id 0889.
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
    Signed-off-by: Andi Kleen <>
    tiwai committed with AK Mar 23, 2011
  35. dcdbas: force SMI to happen when expected

    commit dd65c73 upstream.
    The dcdbas driver can do an I/O write to cause a SMI to occur.  The SMI handler
    looks at certain registers and memory locations, so the SMI needs to happen
    immediately.  On some systems I/O writes are posted, though, causing the SMI to
    happen well after the "outb" occurred, which causes random failures.  Following
    the "outb" with an "inb" forces the write to go through even if it is posted.
    Signed-off-by: Stuart Hayes <>
    Acked-by: Doug Warzecha <>
    Signed-off-by: Andi Kleen <>
    Cc: Chuck Ebbert <>
    Signed-off-by: Jiri Kosina <>
    Signed-off-by: Greg Kroah-Hartman <>
    Stuart Hayes committed with AK Mar 2, 2011