Commits on Mar 7, 2011
  1. @gregkh

    Linux 2.6.37.3

    gregkh committed Mar 7, 2011
  2. @gregkh

    arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS.

    commit d11327a upstream.
    
    NETDEV_NOTIFY_PEER is an explicit request by the driver to send a link
    notification while NETDEV_UP/NETDEV_CHANGEADDR generate link
    notifications as a sort of side effect.
    
    In the latter cases the sysctl option is present because link
    notification events can have undesired effects e.g. if the link is
    flapping. I don't think this applies in the case of an explicit
    request from a driver.
    
    This patch makes NETDEV_NOTIFY_PEER unconditional, if preferred we
    could add a new sysctl for this case which defaults to on.
    
    This change causes Xen post-migration ARP notifications (which cause
    switches to relearn their MAC tables etc) to be sent by default.
    
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [reported to solve hyperv live migration problem - gkh]
    Cc: Haiyang Zhang <haiyangz@microsoft.com>
    Cc: Mike Surcouf <mike@surcouf.co.uk>
    Cc: Hank Janssen <hjanssen@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ian Campbell committed with gregkh Feb 11, 2011
  3. @gregkh

    DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
    
    commit 1362fa0 upstream.
    
    When a DNS resolver key is instantiated with an error indication, attempts to
    read that key will result in an oops because user_read() is expecting there to
    be a payload - and there isn't one [CVE-2011-1076].
    
    Give the DNS resolver key its own read handler that returns the error cached in
    key->type_data.x[0] as an error rather than crashing.
    
    Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
    amount of data it prints, since the data is not necessarily NUL-terminated.
    
    The buggy code was added in:
    
    	commit 4a2d789
    	Author: Wang Lei <wang840925@gmail.com>
    	Date:   Wed Aug 11 09:37:58 2010 +0100
    	Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]
    
    This can trivially be reproduced by any user with the following program
    compiled with -lkeyutils:
    
    	#include <stdlib.h>
    	#include <keyutils.h>
    	#include <err.h>
    	static char payload[] = "#dnserror=6";
    	int main()
    	{
    		key_serial_t key;
    		key = add_key("dns_resolver", "a", payload, sizeof(payload),
    			      KEY_SPEC_SESSION_KEYRING);
    		if (key == -1)
    			err(1, "add_key");
    		if (keyctl_read(key, NULL, 0) == -1)
    			err(1, "read_key");
    		return 0;
    	}
    
    What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:
    
    	dns-break: read_key: No such device or address
    
    but instead the kernel oopses.
    
    This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
    as both of those cut the data down below the NUL termination that must be
    included in the data.  Without this dns_resolver_instantiate() will return
    -EINVAL and the key will not be instantiated such that it can be read.
    
    The oops looks like:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
    PGD 3bdf8067 PUD 385b9067 PMD 0
    Oops: 0000 [#1] SMP
    last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
    CPU 0
    Modules linked in:
    
    Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
    RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
    RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
    RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
    RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
    R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
    FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
    Stack:
     ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
     ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
     00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
    Call Trace:
     [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
     [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
     [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
    Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
    RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
     RSP <ffff88003bf47f08>
    CR2: 0000000000000010
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: Jeff Layton <jlayton@redhat.com>
    cc: Wang Lei <wang840925@gmail.com>
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    David Howells committed with gregkh Mar 3, 2011
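
A userspace model of the fix described in the commit above, added here as an example (it is not the kernel's code and not part of the commit). The struct layout, the `model_` names and the 1..511 range check are assumptions of this model; it shows why a key instantiated from `#dnserror=6` carries no payload, and how a type-specific read handler returns the cached error before the generic payload read is reached.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (assumed layout). */
struct model_payload {
	unsigned short datalen;
	char data[64];
};

struct model_key {
	struct model_payload *payload; /* stays NULL when an error is cached */
	long type_data_x0;             /* models key->type_data.x[0] */
};

#define DNSERROR_OPT "dnserror="

/* Models instantiation: result data, optionally followed by "#option". */
int model_instantiate(struct model_key *key, const char *data, size_t datalen)
{
	const char *opt;
	size_t result_len;

	key->payload = NULL;
	key->type_data_x0 = 0;

	/* The NUL terminator must be included in the data, else -EINVAL. */
	if (!data || datalen <= 1 || data[datalen - 1] != '\0')
		return -EINVAL;
	datalen--;

	opt = memchr(data, '#', datalen);
	result_len = opt ? (size_t)(opt - data) : datalen;

	if (opt && strncmp(opt + 1, DNSERROR_OPT, strlen(DNSERROR_OPT)) == 0) {
		char *end;
		long derrno = strtol(opt + 1 + strlen(DNSERROR_OPT), &end, 10);

		/* Range check is an assumption of this model. */
		if (*end != '\0' || derrno < 1 || derrno > 511)
			return -EINVAL;
		key->type_data_x0 = -derrno; /* cache the error, attach no payload */
		return 0;
	}

	if (result_len > sizeof(key->payload->data))
		return -EINVAL;
	key->payload = malloc(sizeof(*key->payload));
	if (!key->payload)
		return -ENOMEM;
	key->payload->datalen = (unsigned short)result_len;
	memcpy(key->payload->data, data, result_len);
	return 0;
}

/* Generic read: assumes a payload is attached. On an error key this reads
 * through a NULL pointer, which is the failure the oops above reports. */
long model_user_read(const struct model_key *key, char *buf, size_t buflen)
{
	const struct model_payload *p = key->payload;
	long ret = p->datalen;

	if (buf && buflen > 0) {
		if (buflen > p->datalen)
			buflen = p->datalen;
		memcpy(buf, p->data, buflen);
	}
	return ret;
}

/* Type-specific read: report the cached error first, then fall back to
 * the generic read only when a payload is known to exist. */
long model_dns_resolver_read(const struct model_key *key, char *buf, size_t buflen)
{
	if (key->type_data_x0)
		return key->type_data_x0;
	return model_user_read(key, buf, buflen);
}

int main(void)
{
	static const char err_payload[] = "#dnserror=6"; /* payload from the commit */
	struct model_key key;

	if (model_instantiate(&key, err_payload, sizeof(err_payload)) != 0)
		return 1;
	printf("read on error key returns %ld\n",
	       model_dns_resolver_read(&key, NULL, 0));
	return 0;
}
```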
  4. @bwallan @gregkh

    e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead

    commit 4def99b upstream.
    
    When support for 82577/82578 was added[1] in 2.6.31, PHY wakeup was in-
    advertently enabled (even though it does not function properly) on ICH10
    LOMs.  This patch makes it so that the ICH10 LOMs use MAC wakeup instead
    as was done with the initial support for those devices (i.e. 82567LM-3,
    82567LF-3 and 82567V-4).
    
    [1] commit a4f58f5
    
    Reported-by: Aurelien Jarno <aurelien@aurel32.net>
    Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    bwallan committed with gregkh Feb 2, 2011
  5. @grrtrr @gregkh

    dccp: fix oops on Reset after close

    commit 720dc34 upstream.
    
    This fixes a bug in the order of dccp_rcv_state_process() that still permitted
    reception even after closing the socket. A Reset after close thus causes a NULL
    pointer dereference by not preventing operations on an already torn-down socket.
    
     dccp_v4_do_rcv()
    	|
    	| state other than OPEN
    	v
     dccp_rcv_state_process()
    	|
    	| DCCP_PKT_RESET
    	v
     dccp_rcv_reset()
    	|
    	v
     dccp_time_wait()
    
     WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
     Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
     [<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
     [<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
     [<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
     [<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
     [<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
     [<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
     [<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
     [<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
     [<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)
    
    The fix is by testing the socket state first. Receiving a packet in Closed state
    now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.
    
    Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    grrtrr committed with gregkh Mar 1, 2011
  6. @sgruszka @gregkh

    r8169: disable ASPM

    commit ba04c7c upstream.
    
    It has been known for some time that ASPM causes trouble on r8169,
    i.e. it makes the device randomly stop working without any errors in dmesg.
    
    Currently Tomi Leppikangas reports that a system with an r8169 device
    hangs with MCE errors when ASPM is enabled:
    https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4
    
    Let's disable ASPM for r8169 devices altogether, to avoid problems with
    r8169 PCIe devices at least for some users.
    
    Reported-by: Tomi Leppikangas <tomi.leppikangas@gmail.com>
    Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    sgruszka committed with gregkh Feb 22, 2011
  7. @gregkh

    carl9170: add Airlive X.USB a/b/g/n USBID

    commit c86664e upstream.
    
    "AirLive X.USB now works perfectly under a Linux
    environment!"
    
    Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jan Puk committed with gregkh Feb 22, 2011
  8. @konis @gregkh

    nilfs2: fix regression that i-flag is not set on changeless checkpoints

    commit 72746ac upstream.
    
    According to the report from Jiro SEKIBA titled "regression in
    2.6.37?"  (Message-Id: <8739n8vs1f.wl%jir@sekiba.com>), on 2.6.37 and
    later kernels, lscp command no longer displays "i" flag on checkpoints
    that snapshot operations or garbage collection created.
    
    This is a regression of nilfs2 checkpointing function, and it's
    critical since it broke behavior of a part of nilfs2 applications.
    For instance, snapshot manager of TimeBrowse gets to create
    meaningless snapshots continuously; snapshot creation triggers another
    checkpoint, but applications cannot distinguish whether the new
    checkpoint contains meaningful changes or not without the i-flag.
    
    This patch fixes the regression and brings that application behavior
    back to normal.
    
    Reported-by: Jiro SEKIBA <jir@unicus.jp>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Jiro SEKIBA <jir@unicus.jp>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    konis committed with gregkh Feb 28, 2011
  9. @chunkeey @gregkh

    p54usb: add Senao NUB-350 usbid

    commit 2b799a6 upstream.
    
    Reported-by: Mark Davis
    Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    chunkeey committed with gregkh Feb 26, 2011
  10. @gregkh

    ath9k_htc: Fix an endian issue

    commit 2c27392 upstream.
    
    The stream length/tag fields have to be in little endian
    format. Fixing this makes the driver work on big-endian
    platforms.
    
    Tested-by: raghunathan.kailasanathan@wipro.com
    Signed-off-by: Sujith Manoharan <Sujith.Manoharan@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Sujith Manoharan committed with gregkh Feb 27, 2011
  11. @knot @gregkh

    block: kill loop_mutex

    commit fd51469 upstream.
    
    Following steps lead to deadlock in kernel:
    
    dd if=/dev/zero of=img bs=512 count=1000
    losetup -f img
    mkfs.ext2 /dev/loop0
    mount -t ext2 -o loop /dev/loop0 mnt
    umount mnt/
    
    Stacktrace:
    [<c102ec04>] irq_exit+0x36/0x59
    [<c101502c>] smp_apic_timer_interrupt+0x6b/0x75
    [<c127f639>] apic_timer_interrupt+0x31/0x38
    [<c101df88>] mutex_spin_on_owner+0x54/0x5b
    [<fe2250e9>] lo_release+0x12/0x67 [loop]
    [<c10c4eae>] __blkdev_put+0x7c/0x10c
    [<c10a4da5>] fput+0xd5/0x1aa
    [<fe2250cf>] loop_clr_fd+0x1a9/0x1b1 [loop]
    [<fe225110>] lo_release+0x39/0x67 [loop]
    [<c10c4eae>] __blkdev_put+0x7c/0x10c
    [<c10a59d9>] deactivate_locked_super+0x17/0x36
    [<c10b6f37>] sys_umount+0x27e/0x2a5
    [<c10b6f69>] sys_oldumount+0xb/0xe
    [<c1002897>] sysenter_do_call+0x12/0x26
    [<ffffffff>] 0xffffffff
    
    Regression since 2a48fc0, which introduced the private
    loop_mutex as part of the BKL removal process.
    
    As per [1], the mutex can be safely removed.
    
    [1] http://www.gossamer-threads.com/lists/linux/kernel/1341930
    
    Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394
    Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172
    
    Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
    Reviewed-by: Nikanth Karthikesan <knikanth@suse.de>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    knot committed with gregkh Mar 3, 2011
  12. @htejun @gregkh

    block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
    
    commit 255bb49 upstream.
    
    blk-flush decomposes a flush into sequence of multiple requests.  On
    completion of a request, the next one is queued; however, block layer
    must not implicitly call into q->request_fn() directly from completion
    path.  This makes the queue behave unexpectedly when seen from the
    drivers and violates the assumption that q->request_fn() is called
    with process context + queue_lock.
    
    This patch makes the following two changes to blk-flush to make sure
    q->request_fn() is not called directly from request completion path.
    
    - blk_flush_complete_seq_end_io() now asks __blk_run_queue() to always
      use kblockd instead of calling directly into q->request_fn().
    
    - queue_next_fseq() uses ELEVATOR_INSERT_REQUEUE instead of
      ELEVATOR_INSERT_FRONT so that elv_insert() doesn't try to unplug the
      request queue directly.
    
    Reported by Jan in the following threads.
    
     http://thread.gmane.org/gmane.linux.ide/48778
     http://thread.gmane.org/gmane.linux.ide/48786
    
    stable: applicable to v2.6.37.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Jan Beulich <JBeulich@novell.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Mar 2, 2011
  13. @htejun @gregkh

    block: add @force_kblockd to __blk_run_queue()

    commit 1654e74 upstream.
    
    __blk_run_queue() automatically either calls q->request_fn() directly
    or schedules kblockd depending on whether the function is recursed.
    blk-flush implementation needs to be able to explicitly choose
    kblockd.  Add @force_kblockd.
    
    All the current users are converted to specify %false for the
    parameter and this patch doesn't introduce any behavior change.
    
    stable: This is prerequisite for fixing ide oops caused by the new
            blk-flush implementation.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Jan Beulich <JBeulich@novell.com>
    Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Mar 2, 2011
  14. @rhvgoyal @gregkh

    blk-throttle: Do not use kblockd workqueue for throtl work

    commit 450adcb upstream.
    
    o Dominik Klein reported a system hang issue while doing some blkio
      throttling testing.
    
      https://lkml.org/lkml/2011/2/24/173
    
    o Some tracing revealed that CFQ was not dispatching any more jobs as
      queue unplug was not happening. And queue unplug was not happening
      because unplug work was not being called as there was one throttling
      work on the same cpu which had not finished yet. And throttling work had
      not finished as it was trying to dispatch a bio to CFQ but all the
      request descriptors were consumed so it was put to sleep.
    
    o So basically it is a cyclic dependency between CFQ unplug work and
      throtl dispatch work. Tejun suggested using a separate workqueue for
      such cases.
    
    o This patch uses a separate workqueue for throttle related work and
      does not rely on kblockd workqueue anymore.
    
    Reported-by: Dominik Klein <dk@in-telegence.net>
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    Acked-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    rhvgoyal committed with gregkh Mar 1, 2011
  15. @jannic @gregkh

    drm/i915: fix memory corruption with GM965 and >4GB RAM

    commit 6927faf upstream.
    
    On a Thinkpad x61s, I noticed some memory corruption when
    plugging/unplugging the external VGA connection. The symptoms are that
    4 bytes at the beginning of a page get overwritten by zeroes.
    The address of the corruption varies when rebooting the machine, but
    stays constant while it's running (so it's possible to repeatedly write
    some data and then corrupt it again by plugging the cable).
    
    Further investigation revealed that the corrupted address is
    (dev_priv->status_page_dmah->busaddr & 0xffffffff), ie. the beginning of
    the hardware status page of the i965 graphics card, cut to 32 bits.
    
    So it seems that for some memory access, the hardware uses only 32 bit
    addressing. If the hardware status page is located >4GB, this
    corrupts unrelated memory.
    
    Signed-off-by: Jan Niehusmann <jan@gondor.com>
    Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jannic committed with gregkh Mar 4, 2011
  16. @gregkh

    tg3: Restrict phy ioctl access

    commit ed199fa upstream.
    
    If management firmware is present and the device is down, the firmware
    will assume control of the phy.  If a phy access were allowed from the
    host, it will collide with firmware phy accesses, resulting in
    unpredictable behavior.  This patch fixes the problem by disallowing phy
    accesses during the problematic condition.
    
    Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
    Reviewed-by: Michael Chan <mchan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Matt Carlson committed with gregkh Feb 15, 2011
  17. @gregkh

    fix cfg80211_wext_siwfreq lock ordering...

    commit 4f919a3 upstream.
    
    I previously managed to reproduce a hang while scanning wireless
    channels (reproducible with airodump-ng hopping channels); subsequent
    lockdep instrumentation revealed a lock ordering issue.
    
    Without knowing the design intent, it looks like the locks should be
    taken in reverse order; please comment.
    
    =======================================================
    [ INFO: possible circular locking dependency detected ]
    2.6.38-rc5-341cd #4
    -------------------------------------------------------
    airodump-ng/15445 is trying to acquire lock:
     (&rdev->devlist_mtx){+.+.+.}, at: [<ffffffff816b1266>]
    cfg80211_wext_siwfreq+0xc6/0x100
    
    but task is already holding lock:
     (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>] cfg80211_wext_siwfreq+0xbc/0x100
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #1 (&wdev->mtx){+.+.+.}:
           [<ffffffff810a79d6>] lock_acquire+0xc6/0x280
           [<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0
           [<ffffffff81696080>] cfg80211_netdev_notifier_call+0x430/0x5f0
           [<ffffffff8109351b>] notifier_call_chain+0x8b/0x100
           [<ffffffff810935b1>] raw_notifier_call_chain+0x11/0x20
           [<ffffffff81576d92>] call_netdevice_notifiers+0x32/0x60
           [<ffffffff815771a4>] __dev_notify_flags+0x34/0x80
           [<ffffffff81577230>] dev_change_flags+0x40/0x70
           [<ffffffff8158587c>] do_setlink+0x1fc/0x8d0
           [<ffffffff81586042>] rtnl_setlink+0xf2/0x140
           [<ffffffff81586923>] rtnetlink_rcv_msg+0x163/0x270
           [<ffffffff8159d741>] netlink_rcv_skb+0xa1/0xd0
           [<ffffffff815867b0>] rtnetlink_rcv+0x20/0x30
           [<ffffffff8159d39a>] netlink_unicast+0x2ba/0x300
           [<ffffffff8159dd57>] netlink_sendmsg+0x267/0x3e0
           [<ffffffff8155e364>] sock_sendmsg+0xe4/0x110
           [<ffffffff8155f3a3>] sys_sendmsg+0x253/0x3b0
           [<ffffffff81003192>] system_call_fastpath+0x16/0x1b
    
    -> #0 (&rdev->devlist_mtx){+.+.+.}:
           [<ffffffff810a7222>] __lock_acquire+0x1622/0x1d10
           [<ffffffff810a79d6>] lock_acquire+0xc6/0x280
           [<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0
           [<ffffffff816b1266>] cfg80211_wext_siwfreq+0xc6/0x100
           [<ffffffff816b2fad>] ioctl_standard_call+0x5d/0xd0
           [<ffffffff816b3223>] T.808+0x163/0x170
           [<ffffffff816b326a>] wext_handle_ioctl+0x3a/0x90
           [<ffffffff815798d2>] dev_ioctl+0x6f2/0x830
           [<ffffffff8155cf3d>] sock_ioctl+0xfd/0x290
           [<ffffffff8117dffd>] do_vfs_ioctl+0x9d/0x590
           [<ffffffff8117e53a>] sys_ioctl+0x4a/0x80
           [<ffffffff81003192>] system_call_fastpath+0x16/0x1b
    
    other info that might help us debug this:
    
    2 locks held by airodump-ng/15445:
     #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81586782>] rtnl_lock+0x12/0x20
     #1:  (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>]
    cfg80211_wext_siwfreq+0xbc/0x100
    
    stack backtrace:
    Pid: 15445, comm: airodump-ng Not tainted 2.6.38-rc5-341cd #4
    Call Trace:
     [<ffffffff810a3f0a>] ? print_circular_bug+0xfa/0x100
     [<ffffffff810a7222>] ? __lock_acquire+0x1622/0x1d10
     [<ffffffff810a1f99>] ? trace_hardirqs_off_caller+0x29/0xc0
     [<ffffffff810a79d6>] ? lock_acquire+0xc6/0x280
     [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
     [<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90
     [<ffffffff816d6bce>] ? mutex_lock_nested+0x6e/0x4b0
     [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
     [<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90
     [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
     [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
     [<ffffffff816b2fad>] ? ioctl_standard_call+0x5d/0xd0
     [<ffffffff8157818b>] ? __dev_get_by_name+0x9b/0xc0
     [<ffffffff816b2f50>] ? ioctl_standard_call+0x0/0xd0
     [<ffffffff816b3223>] ? T.808+0x163/0x170
     [<ffffffff8112ddf2>] ? might_fault+0x72/0xd0
     [<ffffffff816b326a>] ? wext_handle_ioctl+0x3a/0x90
     [<ffffffff8112de3b>] ? might_fault+0xbb/0xd0
     [<ffffffff815798d2>] ? dev_ioctl+0x6f2/0x830
     [<ffffffff810a1bae>] ? put_lock_stats+0xe/0x40
     [<ffffffff810a1c8c>] ? lock_release_holdtime+0xac/0x150
     [<ffffffff8155cf3d>] ? sock_ioctl+0xfd/0x290
     [<ffffffff8117dffd>] ? do_vfs_ioctl+0x9d/0x590
     [<ffffffff8116c8ff>] ? fget_light+0x1df/0x3c0
     [<ffffffff8117e53a>] ? sys_ioctl+0x4a/0x80
     [<ffffffff81003192>] ? system_call_fastpath+0x16/0x1b
    
    Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
    Acked-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Daniel J Blueman committed with gregkh Feb 22, 2011
  18. @ian-abbott @gregkh

    Staging: comedi: Add MODULE_LICENSE and similar to NI modules

    commit 3c323c0 upstream.
    
    As mentioned by W. Trevor King on the devel@linuxdriverproject.org list
    on "Thu, 27 Jan 2011 18:52:15 -0500", "Message-ID:
    <20110127235214.GA5107@thialfi.dhcp.drexel.edu>", the ni_pcimio module
    is missing module metadata, including a license.
    
    This patch adds module metadata to all the NI comedi driver modules.  It
    also removes a duplicate MODULE_LICENSE("GPL") line from the "mite"
    module.
    
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Cc: W. Trevor King <wking@drexel.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ian-abbott committed with gregkh Feb 7, 2011
  19. @bwallan @gregkh

    e1000e: 82579 PHY incorrectly identified during init

    commit 664dc87 upstream.
    
    During init, reading the 2 PHY ID registers back-to-back in the default
    fast mode could return invalid data (all F's) and in slow mode could
    return data to the second read the data from the first read.  To resolve
    the issue in fast mode, set to slow mode before any PHY accesses; to
    resolve the issue in slow mode, put in a delay for every 82579 PHY access.
    Since this PHY is currently only paired with the pch2lan MAC and the PHY
    type is not known before the first PHY access which can fail this way,
    check for this based on MAC-type.
    
    Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
    Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Acked-by: Brandon Philips <bphilips@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    bwallan committed with gregkh Nov 24, 2010
  20. @gormanm @gregkh

    mm: vmstat: use a single setter function and callback for adjusting percpu thresholds
    
    commit b44129b upstream.
    
    reduce_pgdat_percpu_threshold() and restore_pgdat_percpu_threshold() exist
    to adjust the per-cpu vmstat thresholds while kswapd is awake to avoid
    errors due to counter drift.  The functions duplicate some code so this
    patch replaces them with a single set_pgdat_percpu_threshold() that takes
    a callback function to calculate the desired threshold as a parameter.
    
    [akpm@linux-foundation.org: readability tweak]
    [kosaki.motohiro@jp.fujitsu.com: set_pgdat_percpu_threshold(): don't use for_each_online_cpu]
    Signed-off-by: Mel Gorman <mel@csn.ul.ie>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    gormanm committed with gregkh Jan 13, 2011
  21. @gregkh

    ext2: Fix link count corruption under heavy link+rename load

    commit e8a80c6 upstream.
    
    vfs_rename_other() does not lock renamed inode with i_mutex. Thus changing
    i_nlink in a non-atomic manner (which happens in ext2_rename()) can corrupt
    it as reported and analyzed by Josh.
    
    In fact, there is no good reason to mess with i_nlink of the moved file.
    We did it presumably to simulate linking into the new directory and unlinking
    from an old one. But the practical effect of this is disputable because fsck
    can possibly treat file as being properly linked into both directories without
    writing any error which is confusing. So we just stop increment-decrement
    games with i_nlink which also fixes the corruption.
    
    CC: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Josh Hunt <johunt@akamai.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Josh Hunt committed with gregkh Feb 24, 2011
  22. @gregkh

    clockevents: Prevent oneshot mode when broadcast device is periodic

    commit 3a142a0 upstream.
    
    When the per cpu timer is marked CLOCK_EVT_FEAT_C3STOP, then we only
    can switch into oneshot mode, when the backup broadcast device
    supports oneshot mode as well. Otherwise we would try to switch the
    broadcast device into an unsupported mode unconditionally. This went
    unnoticed so far as the current available broadcast devices support
    oneshot mode. Seth unearthed this problem while debugging and working
    around an hpet related BIOS wreckage.
    
    Add the necessary check to tick_is_oneshot_available().
    
    Reported-and-tested-by: Seth Forshee <seth.forshee@canonical.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    LKML-Reference: <alpine.LFD.2.00.1102252231200.2701@localhost6.localdomain6>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Feb 25, 2011
  23. @gregkh

    fuse: fix hang of single threaded fuseblk filesystem

    commit 5a18ec1 upstream.
    
    Single threaded NTFS-3G could get stuck if a delayed RELEASE reply
    triggered a DESTROY request via path_put().
    
    Fix this by
    
     a) making RELEASE requests synchronous, whenever possible, on fuseblk
     filesystems
    
     b) if not possible (triggered by an asynchronous read/write) then do
     the path_put() in a separate thread with schedule_work().
    
    Reported-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Miklos Szeredi committed with gregkh Feb 25, 2011
  24. @lumag @gregkh

    ASoC: correct pxa AC97 DAI names

    commit 4bfc4e2 upstream.
    
    Correct names for pxa AC97 DAI are pxa2xx-ac97 and pxa2xx-ac97-aux. Fix
    that for all PXA platforms.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
    Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    lumag committed with gregkh Feb 23, 2011
  25. @ebenard @gregkh

    eukrea-tlv320: fix platform_name

    commit 43c6318 upstream.
    
    commit f0fba2a included a mistake
    on the name of the platform in the snd_soc_dai_link structure.
    
    Signed-off-by: Eric Bénard <eric@eukrea.com>
    Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
    Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ebenard committed with gregkh Feb 25, 2011
  26. @gregkh

    Bluetooth: Add Atheros BT AR5BBU12 fw supported

    commit e9036e3 upstream.
    
    Add the btusb.c blacklist [0489:e02c] for Atheros AR5BBU12 BT
    and add to ath3k.c supported this device.
    
    Signed-off-by: Yu-Chen Cho <acho@novell.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Yu-Chen Cho committed with gregkh Feb 15, 2011
  27. @gregkh

    Bluetooth: fix crash with quirky dongles doing sound

    commit 8efdd0c upstream.
    
    Quirky dongles sometimes do not use the iso interface which
    causes a crash with runtime PM
    
    Signed-off-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Oliver Neukum committed with gregkh Feb 11, 2011
  28. @gregkh

    Bluetooth: add Atheros BT AR9285 fw supported

    commit 509e786 upstream.
    
    Add the btusb.c blacklist [03f0:311d] for Atheros AR9285 Malbec BT
    and add to ath3k.c ath3-1.fw (md5:1211fa34c09e10ba48381586b7c3883d)
    supported this device.
    
    Signed-off-by: Yu-Chen Cho <acho@novell.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Yu-Chen Cho committed with gregkh Jan 26, 2011
  29. @gregkh

    x86: Use u32 instead of long to set reset vector back to 0

    commit 299c569 upstream.
    
    A customer of ours complained that when setting the reset
    vector back to 0, it trashed other data and hung their box.
    They noticed when only 4 bytes were set to 0 instead of 8,
    everything worked correctly.
    
    Matthew pointed out:
    
     |
     | We're supposed to be resetting trampoline_phys_low and
     | trampoline_phys_high here, which are two 16-bit values.
     | Writing 64 bits is definitely going to overwrite space
     | that we're not supposed to be touching.
     |
    
    So limit the area modified to u32.
    
    Signed-off-by: Don Zickus <dzickus@redhat.com>
    Acked-by: Matthew Garrett <mjg@redhat.com>
    LKML-Reference: <1297139100-424-1-git-send-email-dzickus@redhat.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Don Zickus committed with gregkh Feb 7, 2011
  30. @gregkh

    mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo

    commit 9063f1f upstream.
    
    Call input_set_abs_params instead of manually setting absbit only.
    This fixes this oops:
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000024
    Internal error: Oops: 41b67017 [#1]
    CPU: 0    Not tainted  (2.6.37 #4)
    pc : [<c016d1fc>]    lr : [<00000000>]    psr: 20000093
    sp : c19e5f30  ip : c19e5e6c  fp : c19e5f58
    r10: 00000000  r9 : c19e4000  r8 : 00000003
    r7 : 000001e4  r6 : 00000001  r5 : c1854400  r4 : 00000003
    r3 : 00000018  r2 : 00000018  r1 : 00000018  r0 : c185447c
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: c1b6717f  Table: c1b6717f  DAC: 00000017
    Stack: (0xc19e5f30 to 0xc19e6000)
    5f20:                                     00000003 00000003 c1854400 00000013
    5f40: 00000001 000001e4 000001c5 c19e5f80 c19e5f5c c016d5e8 c016cf5c 000001e4
    5f60: c1854400 c18b5860 00000000 00000171 000001e4 c19e5fc4 c19e5f84 c01559a4
    5f80: c016d584 c18b5868 00000000 c1bb5c40 c0035afc c18b5868 c18b5868 c1a55d54
    5fa0: c18b5860 c0155750 00000013 00000000 00000000 00000000 c19e5ff4 c19e5fc8
    5fc0: c0050174 c015575c 00000000 c18b5860 00000000 c19e5fd4 c19e5fd4 c1a55d54
    5fe0: c00500f0 c003b464 00000000 c19e5ff8 c003b464 c00500fc 04000400 04000400
    Backtrace:
    Function entered at [<c016cf50>] from [<c016d5e8>]
    Function entered at [<c016d578>] from [<c01559a4>]
     r8:000001e4 r7:00000171 r6:00000000 r5:c18b5860 r4:c1854400
    Function entered at [<c0155750>] from [<c0050174>]
    Function entered at [<c00500f0>] from [<c003b464>]
     r6:c003b464 r5:c00500f0 r4:c1a55d54
    Code: e59520fc e1a03286 e0433186 e0822003 (e592000c)
    
    >>PC;  c016d1fc <input_handle_event+2ac/5a0>   <=====
    
    Trace; c016cf50 <input_handle_event+0/5a0>
    Trace; c016d5e8 <input_event+70/88>
    Trace; c016d578 <input_event+0/88>
    Trace; c01559a4 <ucb1x00_thread+254/2dc>
    Trace; c0155750 <ucb1x00_thread+0/2dc>
    Trace; c0050174 <kthread+84/8c>
    Trace; c00500f0 <kthread+0/8c>
    Trace; c003b464 <do_exit+0/624>
    
    Signed-off-by: Jochen Friedrich <jochen@scram.de>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jochen Friedrich committed with gregkh Jan 26, 2011
  31. @gregkh

    mfd: Avoid tps6586x burst writes

    commit 4b57018 upstream.
    
    tps6586 does not support burst writes. i2c writes have to be
    1 byte at a time.
    
    Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    vwadekar@nvidia.com committed with gregkh Feb 24, 2011
  32. @gregkh

    ACPI / debugfs: Fix buffer overflows, double free

    commit 2949ad5 upstream.
    
    File position is not controlled, which may lead to overwrites of arbitrary
    kernel memory.  Also the code may kfree() the same pointer multiple
    times.
    
    One more flaw is still present: if multiple processes open the file then
    all 3 static variables are shared, leading to various race conditions.
    They should be moved to file->private_data.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Reviewed-by: WANG Cong <xiyou.wangcong@gmail.com>
    Reviewed-by: Eugene Teo <eugeneteo@kernel.org>
    Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Vasiliy Kulikov committed with gregkh Feb 19, 2011
  33. @theif @gregkh

    drm: fix unsigned vs signed comparison issue in modeset ctl ioctl.

    commit 1922756 upstream.
    
    This fixes CVE-2011-1013.
    
    Reported-by: Matthiew Herrb (OpenBSD X.org team)
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    theif committed with gregkh Feb 24, 2011
  34. @gregkh

    Ocfs2/refcounttree: Fix a bug for refcounttree to writeback clusters …

    …in a right number.
    
    commit acf3bb0 upstream.
    
    The current refcounttree code did not actually write back the new pages in
    write-back mode, due to a bug of always passing a ZERO number of clusters
    to 'ocfs2_cow_sync_writeback'; the patch tries to pass a proper one in.
    
    Signed-off-by: Tristan Ye <tristan.ye@oracle.com>
    Signed-off-by: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Tristan Ye committed with gregkh Jan 21, 2011
  35. @gregkh

    ocfs2: Check heartbeat mode for kernel stacks only

    commit 52c303c upstream.
    
    Commit 2c44271 added some checks for proper
    heartbeat mode when the o2cb stack is running.  Unfortunately, it didn't
    take into account that a userspace stack could be running. Fix this by only
    doing the check if o2cb is in use. This patch allows userspace stacks to
    mount the fs again.
    
    Signed-off-by: Mark Fasheh <mfasheh@suse.com>
    Signed-off-by: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Mark Fasheh committed with gregkh Jan 31, 2011