Permalink
Commits on May 21, 2011
  1. Linux 2.6.38.7

    gregkh committed May 21, 2011
  2. tmpfs: fix highmem swapoff crash regression

    commit e6c9366 upstream.
    
    Commit 778dd89 ("tmpfs: fix race between umount and swapoff")
    forgot the new rules for strict atomic kmap nesting, causing
    
      WARNING: at arch/x86/mm/highmem_32.c:81
    
    from __kunmap_atomic(), then
    
      BUG: unable to handle kernel paging request at fffb9000
    
    from shmem_swp_set() when shmem_unuse_inode() is handling swapoff with
    highmem in use.  My disgrace again.
    
    See
      https://bugzilla.kernel.org/show_bug.cgi?id=35352
    
    Reported-by: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh May 20, 2011
  3. iwlegacy: fix IBSS mode crashes

    commit eb85de3 upstream.
    
    We should not switch to non-IBSS channels when working in IBSS mode,
    otherwise there are microcode errors, and after some time system
    crashes.
    
    This bug is only observable when software scan is used in IBSS mode,
    so should be considered as regression after:
    
    commit 0263aa4
    Author: Stanislaw Gruszka <sgruszka@redhat.com>
    Date:   Tue Mar 29 11:24:21 2011 +0200
    
        iwl3945: disable hw scan by default
    
    However IBSS mode check, which this patch add again, was removed by
    
    commit b2f30e8
    Author: Johannes Berg <johannes.berg@intel.com>
    Date:   Thu Jan 21 07:32:20 2010 -0800
    
        iwlwifi: remove IBSS channel sanity check
    
    That commit claim that mac80211 will not use non-IBSS channel in IBSS
    mode, what definitely is not true. Bug probably should be fixed in
    mac80211, but that will require more work, so better to apply that patch
    temporally, and provide proper mac80211 fix latter.
    
    Resolves:
    https://bugzilla.kernel.org/show_bug.cgi?id=34452
    
    Reported-and-tested-by: Mikko Rapeli <mikko.rapeli@iki.fi>
    Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    sgruszka committed with gregkh May 7, 2011
  4. cifs: fix cifsConvertToUCS() for the mapchars case

    commit 11379b5 upstream.
    
    As Metze pointed out, commit 84cdf74 broke mapchars option:
    
        Commit "cifs: fix unaligned accesses in cifsConvertToUCS"
        (84cdf74) does multiple steps
        in just one commit (moving the function and changing it without
        testing).
    
        put_unaligned_le16(temp, &target[j]); is never called for any
        codepoint the goes via the 'default' switch statement. As a result
        we put just zero (or maybe uninitialized) bytes into the target
        buffer.
    
    His proposed patch looks correct, but doesn't apply to the current head
    of the tree. This patch should also fix it.
    
    Reported-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jtlayton committed with gregkh May 17, 2011
  5. cifs: clean up various nits in unicode routines (try #2)

    commit 581ade4 upstream.
    
    Minor revision to the original patch. Don't abuse the __le16 variable
    on the stack by casting it to wchar_t and handing it off to char2uni.
    Declare an actual wchar_t on the stack instead. This fixes a valid
    sparse warning.
    
    Fix the spelling of UNI_ASTERISK. Eliminate the unneeded len_remaining
    variable in cifsConvertToUCS.
    
    Also, as David Howells points out. We were better off making
    cifsConvertToUCS *not* use put_unaligned_le16 since it means that we
    can't optimize the mapped characters at compile time. Switch them
    instead to use cpu_to_le16, and simply use put_unaligned to set them
    in the string.
    
    Reported-and-acked-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jtlayton committed with gregkh Apr 5, 2011
  6. Revert "[SCSI] Retrieve the Caching mode page"

    commit 3dea642 upstream.
    
    This reverts commit 24d720b.
    
    Previously we thought there was little possibility that devices would
    crash with this, but some have been found.
    
    Reported-by: Alan Stern <stern@rowland.harvard.edu>
    Cc: Luben Tuikov <ltuikov@yahoo.com>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    James Bottomley committed with gregkh Mar 23, 2011
  7. vmxnet3: Fix inconsistent LRO state after initialization

    commit ebde6f8 upstream.
    
    During initialization of vmxnet3, the state of LRO
    gets out of sync with netdev->features.
    
    This leads to very poor TCP performance in a IP forwarding
    setup and is hitting many VMware users.
    
    Simplified call sequence:
    1. vmxnet3_declare_features() initializes "adapter->lro" to true.
    
    2. The kernel automatically disables LRO if IP forwarding is enabled,
    so vmxnet3_set_flags() gets called. This also updates netdev->features.
    
    3. Now vmxnet3_setup_driver_shared() is called. "adapter->lro" is still
    set to true and LRO gets enabled again, even though
    netdev->features shows it's disabled.
    
    Fix it by updating "adapter->lro", too.
    
    The private vmxnet3 adapter flags are scheduled for removal
    in net-next, see commit a0d2730
    "net: vmxnet3: convert to hw_features".
    
    Patch applies to 2.6.37 / 2.6.38 and 2.6.39-rc6.
    
    Please CC: comments.
    
    Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
    Acked-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    thomasjfox committed with gregkh May 16, 2011
  8. cdrom: always check_disk_change() on open

    commit bf2253a upstream.
    
    cdrom_open() called check_disk_change() after the rest of open path
    succeeded which leads to the following bizarre behavior.
    
    * After media change, if the device opened without O_NONBLOCK,
      open_for_data() naturally fails with -ENOMEDIA and
      check_disk_change() is never called.  The media is known to be gone
      and the open failure makes it obvious to the userland but device
      invalidation never happens.
    
    * But if the device is opened with O_NONBLOCK, all the checks are
      bypassed and cdrom_open() doesn't notice that the media is not there
      and check_disk_change() is called and invalidation happens.
    
    There's nothing to be gained by avoiding calling check_disk_change()
    on open failure.  Common cases end up calling check_disk_change()
    anyway.  All we get is inconsistent behavior.
    
    Fix it by moving check_disk_change() invocation to the top of
    cdrom_open() so that it always gets called regardless of how the rest
    of open proceeds.
    
    Stable: 2.6.38
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Amit Shah <amit.shah@redhat.com>
    Tested-by: Amit Shah <amit.shah@redhat.com>
    Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Apr 29, 2011
  9. megaraid_sas: Sanity check user supplied length before passing it to …

    …dma_alloc_coherent()
    
    commit 98cb7e4 upstream.
    
    The ioc->sgl[i].iov_len value is supplied by the ioctl caller, and can be
    zero in some cases.  Assume that's valid and continue without error.
    
    Fixes (multiple individual reports of the same problem for quite a while):
    
    http://marc.info/?l=linux-ide&m=128941801715301
    http://bugs.debian.org/604627
    http://www.mail-archive.com/linux-poweredge@dell.com/msg02575.html
    
    megasas: Failed to alloc kernel SGL buffer for IOCTL
    
    and
    
    [   69.162538] ------------[ cut here ]------------
    [   69.162806] kernel BUG at /build/buildd/linux-2.6.32/lib/swiotlb.c:368!
    [   69.163134] invalid opcode: 0000 [#1] SMP
    [   69.163570] last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
    [   69.163975] CPU 0
    [   69.164227] Modules linked in: fbcon tileblit font bitblit softcursor vga16fb vgastate ioatdma radeon ttm drm_kms_helper shpchp drm i2c_algo_bit lp parport floppy pata_jmicron megaraid_sas igb dca
    [   69.167419] Pid: 1206, comm: smartctl Tainted: G        W  2.6.32-25-server #45-Ubuntu X8DTN
    [   69.167843] RIP: 0010:[<ffffffff812c4dc5>]  [<ffffffff812c4dc5>] map_single+0x255/0x260
    [   69.168370] RSP: 0018:ffff88081c0ebc58  EFLAGS: 00010246
    [   69.168655] RAX: 000000000003bffc RBX: 00000000ffffffff RCX: 0000000000000002
    [   69.169000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88001dffe000
    [   69.169346] RBP: ffff88081c0ebcb8 R08: 0000000000000000 R09: ffff880000030840
    [   69.169691] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000000
    [   69.170036] R13: 00000000ffffffff R14: 0000000000000001 R15: 0000000000200000
    [   69.170382] FS:  00007fb8de189720(0000) GS:ffff88001de00000(0000) knlGS:0000000000000000
    [   69.170794] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   69.171094] CR2: 00007fb8dd59237c CR3: 000000081a790000 CR4: 00000000000006f0
    [   69.171439] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [   69.171784] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [   69.172130] Process smartctl (pid: 1206, threadinfo ffff88081c0ea000, task ffff88081a760000)
    [   69.194513] Stack:
    [   69.205788]  0000000000000034 00000002817e3390 0000000000000000 ffff88081c0ebe00
    [   69.217739] <0> 0000000000000000 000000000003bffc 0000000000000000 0000000000000000
    [   69.241250] <0> 0000000000000000 00000000ffffffff ffff88081c5b4080 ffff88081c0ebe00
    [   69.277310] Call Trace:
    [   69.289278]  [<ffffffff812c52ac>] swiotlb_alloc_coherent+0xec/0x130
    [   69.301118]  [<ffffffff81038b31>] x86_swiotlb_alloc_coherent+0x61/0x70
    [   69.313045]  [<ffffffffa002d0ce>] megasas_mgmt_fw_ioctl+0x1ae/0x690 [megaraid_sas]
    [   69.336399]  [<ffffffffa002d748>] megasas_mgmt_ioctl_fw+0x198/0x240 [megaraid_sas]
    [   69.359346]  [<ffffffffa002f695>] megasas_mgmt_ioctl+0x35/0x50 [megaraid_sas]
    [   69.370902]  [<ffffffff81153b12>] vfs_ioctl+0x22/0xa0
    [   69.382322]  [<ffffffff8115da2a>] ? alloc_fd+0x10a/0x150
    [   69.393622]  [<ffffffff81153cb1>] do_vfs_ioctl+0x81/0x410
    [   69.404696]  [<ffffffff8155cc13>] ? do_page_fault+0x153/0x3b0
    [   69.415761]  [<ffffffff811540c1>] sys_ioctl+0x81/0xa0
    [   69.426640]  [<ffffffff810121b2>] system_call_fastpath+0x16/0x1b
    [   69.437491] Code: fe ff ff 48 8b 3d 74 38 76 00 41 bf 00 00 20 00 e8 51 f5 d7 ff 83 e0 ff 48 05 ff 07 00 00 48 c1 e8 0b 48 89 45 c8 e9 13 fe ff ff <0f> 0b eb fe 0f 1f 80 00 00 00 00 55 48 89 e5 48 83 ec 20 4c 89
    [   69.478216] RIP  [<ffffffff812c4dc5>] map_single+0x255/0x260
    [   69.489668]  RSP <ffff88081c0ebc58>
    [   69.500975] ---[ end trace 6a2181b634e2abc7 ]---
    
    Reported-by: Bokhan Artem <aptem@ngs.ru>
    Reported by: Marc-Christian Petersen <m.c.p@gmx.de>
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Cc: Michael Benz <Michael.Benz@lsi.com>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    bmork committed with gregkh Jan 19, 2011
  10. x86, mce, AMD: Fix leaving freed data in a list

    commit d9a5ac9 upstream.
    
    b may be added to a list, but is not removed before being freed
    in the case of an error.  This is done in the corresponding
    deallocation function, so the code here has been changed to
    follow that.
    
    The sematic match that finds this problem is as follows:
    (http://coccinelle.lip6.fr/)
    
    // <smpl>
    @@
    expression E,E1,E2;
    identifier l;
    @@
    
    *list_add(&E->l,E1);
    ... when != E1
        when != list_del(&E->l)
        when != list_del_init(&E->l)
        when != E = E2
    *kfree(E);// </smpl>
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Borislav Petkov <borislav.petkov@amd.com>
    Cc: Robert Richter <robert.richter@amd.com>
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Andreas Herrmann <andreas.herrmann3@amd.com>
    Link: http://lkml.kernel.org/r/1305294731-12127-1-git-send-email-julia@diku.dk
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    JuliaLawall committed with gregkh May 13, 2011
  11. x86: Fix UV BAU for non-consecutive nasids

    commit 77ed23f upstream.
    
    This is a fix for the SGI Altix-UV Broadcast Assist Unit code,
    which is used for TLB flushing.
    
    Certain hardware configurations (that customers are ordering)
    cause nasids (numa address space id's) to be non-consecutive.
    Specifically, once you have more than 4 blades in a IRU
    (Individual Rack Unit - or 1/2 rack) but less than the maximum
    of 16, the nasid numbering becomes non-consecutive.  This
    currently results in a 'catastrophic error' (CATERR) detected by
    the firmware during OS boot.  The BAU is generating an 'INTD'
    request that is targeting a non-existent nasid value. Such
    configurations may also occur when a blade is configured off
    because of hardware errors. (There is one UV hub per blade.)
    
    This patch is required to support such configurations.
    
    The problem with the tlb_uv.c code is that is using the
    consecutive hub numbers as indices to the BAU distribution bit
    map. These are simply the ordinal position of the hub or blade
    within its partition.  It should be using physical node numbers
    (pnodes), which correspond to the physical nasid values. Use of
    the hub number only works as long as the nasids in the partition
    are consecutive and increase with a stride of 1.
    
    This patch changes the index to be the pnode number, thus
    allowing nasids to be non-consecutive.
    It also provides a table in local memory for each cpu to
    translate target cpu number to target pnode and nasid.
    And it improves naming to properly reflect 'node' and 'uvhub'
    versus 'nasid'.
    
    Signed-off-by: Cliff Wickman <cpw@sgi.com>
    Link: http://lkml.kernel.org/r/E1QJmxX-0002Mz-Fk@eag09.americas.sgi.com
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    cpwickman committed with gregkh May 10, 2011
  12. v4l: Release module if subdev registration fails

    commit b7534f0 upstream.
    
    If v4l2_device_register_subdev() fails, the reference to the subdev
    module taken by the function isn't released. Fix this.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Acked-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    pinchartl committed with gregkh Apr 30, 2011
  13. Fix cx88 remote control input

    commit 2a164d0 upstream.
    
    In the IR interrupt handler of cx88-input.c there's a 32-bit multiply
    overflow which causes IR pulse durations to be incorrectly calculated.
    
    This is a regression caused by commit 2997137.
    
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Lawrence Rust committed with gregkh Apr 8, 2011
  14. x86, apic: Fix spurious error interrupts triggering on all non-boot APs

    commit e503f9e upstream.
    
    This patch fixes a bug reported by a customer, who found
    that many unreasonable error interrupts reported on all
    non-boot CPUs (APs) during the system boot stage.
    
    According to Chapter 10 of Intel Software Developer Manual
    Volume 3A, Local APIC may signal an illegal vector error when
    an LVT entry is set as an illegal vector value (0~15) under
    FIXED delivery mode (bits 8-11 is 0), regardless of whether
    the mask bit is set or an interrupt actually happen. These
    errors are seen as error interrupts.
    
    The initial value of thermal LVT entries on all APs always reads
    0x10000 because APs are woken up by BSP issuing INIT-SIPI-SIPI
    sequence to them and LVT registers are reset to 0s except for
    the mask bits which are set to 1s when APs receive INIT IPI.
    
    When the BIOS takes over the thermal throttling interrupt,
    the LVT thermal deliver mode should be SMI and it is required
    from the kernel to keep AP's LVT thermal monitoring register
    programmed as such as well.
    
    This issue happens when BIOS does not take over thermal throttling
    interrupt, AP's LVT thermal monitor register will be restored to
    0x10000 which means vector 0 and fixed deliver mode, so all APs will
    signal illegal vector error interrupts.
    
    This patch check if interrupt delivery mode is not fixed mode before
    restoring AP's LVT thermal monitor register.
    
    Signed-off-by: Youquan Song <youquan.song@intel.com>
    Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
    Acked-by: Yong Wang <yong.y.wang@intel.com>
    Cc: hpa@linux.intel.com
    Cc: joe@perches.com
    Cc: jbaron@redhat.com
    Cc: trenn@suse.de
    Cc: kent.liu@intel.com
    Cc: chaohong.guo@intel.com
    Link: http://lkml.kernel.org/r/1303402963-17738-1-git-send-email-youquan.song@intel.com
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Youquan Song committed with gregkh Apr 21, 2011
  15. tick: Clear broadcast active bit when switching to oneshot

    commit 07f4beb upstream.
    
    The first cpu which switches from periodic to oneshot mode switches
    also the broadcast device into oneshot mode. The broadcast device
    serves as a backup for per cpu timers which stop in deeper
    C-states. To avoid starvation of the cpus which might be in idle and
    depend on broadcast mode it marks the other cpus as broadcast active
    and sets the brodcast expiry value of those cpus to the next tick.
    
    The oneshot mode broadcast bit for the other cpus is sticky and gets
    only cleared when those cpus exit idle. If a cpu was not idle while
    the bit got set in consequence the bit prevents that the broadcast
    device is armed on behalf of that cpu when it enters idle for the
    first time after it switched to oneshot mode.
    
    In most cases that goes unnoticed as one of the other cpus has usually
    a timer pending which keeps the broadcast device armed with a short
    timeout. Now if the only cpu which has a short timer active has the
    bit set then the broadcast device will not be armed on behalf of that
    cpu and will fire way after the expected timer expiry. In the case of
    Christians bug report it took ~145 seconds which is about half of the
    wrap around time of HPET (the limit for that device) due to the fact
    that all other cpus had no timers armed which expired before the 145
    seconds timeframe.
    
    The solution is simply to clear the broadcast active bit
    unconditionally when a cpu switches to oneshot mode after the first
    cpu switched the broadcast device over. It's not idle at that point
    otherwise it would not be executing that code.
    
    [ I fundamentally hate that broadcast crap. Why the heck thought some
      folks that when going into deep idle it's a brilliant concept to
      switch off the last device which brings the cpu back from that
      state? ]
    
    Thanks to Christian for providing all the valuable debug information!
    
    Reported-and-tested-by: Christian Hoffmann <email@christianhoffmann.info>
    Cc: John Stultz <johnstul@us.ibm.com>
    Link: http://lkml.kernel.org/r/%3Calpine.LFD.2.02.1105161105170.3078%40ionos%3E
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh May 16, 2011
  16. clocksource: Install completely before selecting

    commit e05b2ef upstream.
    
    Christian Hoffmann reported that the command line clocksource override
    with acpi_pm timer fails:
    
     Kernel command line: <SNIP> clocksource=acpi_pm
     hpet clockevent registered
     Switching to clocksource hpet
     Override clocksource acpi_pm is not HRT compatible.
     Cannot switch while in HRT/NOHZ mode.
    
    The watchdog code is what enables CLOCK_SOURCE_VALID_FOR_HRES, but we
    actually end up selecting the clocksource before we enqueue it into
    the watchdog list, so that's why we see the warning and fail to switch
    to acpi_pm timer as requested. That's particularly bad when we want to
    debug timekeeping related problems in early boot.
    
    Put the selection call last.
    
    Reported-by: Christian Hoffmann <email@christianhoffmann.info>
    Signed-off-by: John Stultz <johnstul@us.ibm.com>
    Link: http://lkml.kernel.org/r/%3C1304558210.2943.24.camel%40work-vm%3E
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    john stultz committed with gregkh May 5, 2011
  17. x86, AMD: Fix ARAT feature setting again

    commit 14fb57d upstream.
    
    Trying to enable the local APIC timer on early K8 revisions
    uncovers a number of other issues with it, in conjunction with
    the C1E enter path on AMD. Fixing those causes much more churn
    and troubles than the benefit of using that timer brings so
    don't enable it on K8 at all, falling back to the original
    functionality the kernel had wrt to that.
    
    Reported-and-bisected-by: Nick Bowler <nbowler@elliptictech.com>
    Cc: Boris Ostrovsky <Boris.Ostrovsky@amd.com>
    Cc: Andreas Herrmann <andreas.herrmann3@amd.com>
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Cc: Hans Rosenfeld <hans.rosenfeld@amd.com>
    Cc: Nick Bowler <nbowler@elliptictech.com>
    Cc: Joerg-Volker-Peetz <jvpeetz@web.de>
    Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
    Link: http://lkml.kernel.org/r/1305636919-31165-3-git-send-email-bp@amd64.org
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Borislav Petkov committed with gregkh May 17, 2011
  18. Revert "x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E pro…

    …cessors"
    
    commit 328935e upstream.
    
    This reverts commit e20a2d2, as it crashes
    certain boxes with specific AMD CPU models.
    
    Moving the lower endpoint of the Erratum 400 check to accomodate
    earlier K8 revisions (A-E) opens a can of worms which is simply
    not worth to fix properly by tweaking the errata checking
    framework:
    
    * missing IntPenging MSR on revisions < CG cause #GP:
    
    http://marc.info/?l=linux-kernel&m=130541471818831
    
    * makes earlier revisions use the LAPIC timer instead of the C1E
    idle routine which switches to HPET, thus not waking up in
    deeper C-states:
    
    http://lkml.org/lkml/2011/4/24/20
    
    Therefore, leave the original boundary starting with K8-revF.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Borislav Petkov committed with gregkh May 17, 2011
  19. rapidio: fix default routing initialization

    commit 0bf2461 upstream.
    
    Fix switch initialization to ensure that all switches have default routing
    disabled.  This guarantees that no unexpected RapidIO packets arrive to
    the default port set by reset and there is no default routing destination
    until it is properly configured by software.
    
    This update also unifies handling of unmapped destinations by tsi57x, IDT
    Gen1 and IDT Gen2 switches.
    
    Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
    Cc: Kumar Gala <galak@kernel.crashing.org>
    Cc: Matt Porter <mporter@kernel.crashing.org>
    Cc: Li Yang <leoli@freescale.com>
    Cc: Thomas Moll <thomas.moll@sysgo.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    abou9 committed with gregkh May 17, 2011
  20. cifs: add fallback in is_path_accessible for old servers

    commit 221d1d7 upstream.
    
    The is_path_accessible check uses a QPathInfo call, which isn't
    supported by ancient win9x era servers. Fall back to an older
    SMBQueryInfo call if it fails with the magic error codes.
    
    Reported-and-Tested-by: Sandro Bonazzola <sandro.bonazzola@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jtlayton committed with gregkh May 17, 2011
  21. Revert "mmc: fix a race between card-detect rescan and clock-gate wor…

    …k instances"
    
    commit 86f315b upstream.
    
    This reverts commit 26fc877, which has
    been reported to cause boot/resume-time crashes for some users:
    
    https://bbs.archlinux.org/viewtopic.php?id=118751.
    
    Signed-off-by: Chris Ball <cjb@laptop.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    cjb committed with gregkh May 16, 2011
  22. drm/radeon/kms: fix extended lvds info parsing

    commit 05fa7ea upstream.
    
    On rev <= 1.1 tables, the offset is absolute,
    on newer tables, it's relative.
    
    Fixes:
    https://bugzilla.redhat.com/show_bug.cgi?id=700326
    
    Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Alex Deucher committed with gregkh May 11, 2011
  23. libata: fix oops when LPM is used with PMP

    commit 5f6f12c upstream.
    
    ae01b24 (libata: Implement ATA_FLAG_NO_DIPM and apply it to mcp65)
    added ATA_FLAG_NO_DIPM and made ata_eh_set_lpm() check the flag.
    However, @ap is NULL if @link points to a PMP link and thus the
    unconditional @ap->flags dereference leads to the following oops.
    
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      IP: [<ffffffff813f98e1>] ata_eh_recover+0x9a1/0x1510
      ...
      Pid: 295, comm: scsi_eh_4 Tainted: P            2.6.38.5-core2 #1 System76, Inc. Serval Professional/Serval Professional
      RIP: 0010:[<ffffffff813f98e1>]  [<ffffffff813f98e1>] ata_eh_recover+0x9a1/0x1510
      RSP: 0018:ffff880132defbf0  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff880132f40000 RCX: 0000000000000000
      RDX: ffff88013377c000 RSI: ffff880132f40000 RDI: 0000000000000000
      RBP: ffff880132defce0 R08: ffff88013377dc58 R09: ffff880132defd98
      R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000
      R13: 0000000000000000 R14: ffff88013377c000 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff8800bf700000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000018 CR3: 0000000001a03000 CR4: 00000000000406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process scsi_eh_4 (pid: 295, threadinfo ffff880132dee000, task ffff880133b416c0)
      Stack:
       0000000000000000 ffff880132defcc0 0000000000000000 ffff880132f42738
       ffffffff813ee8f0 ffffffff813eefe0 ffff880132defd98 ffff88013377f190
       ffffffffa00b3e30 ffffffff813ef030 0000000032defc60 ffff880100000000
      Call Trace:
       [<ffffffff81400867>] sata_pmp_error_handler+0x607/0xc30
       [<ffffffffa00b273f>] ahci_error_handler+0x1f/0x70 [libahci]
       [<ffffffff813faade>] ata_scsi_error+0x5be/0x900
       [<ffffffff813cf724>] scsi_error_handler+0x124/0x650
       [<ffffffff810834b6>] kthread+0x96/0xa0
       [<ffffffff8100cd64>] kernel_thread_helper+0x4/0x10
      Code: 8b 95 70 ff ff ff b8 00 00 00 00 48 3b 9a 10 2e 00 00 48 0f 44 c2 48 89 85 70 ff ff ff 48 8b 8d 70 ff ff ff f6 83 69 02 00 00 01 <48> 8b 41 18 0f 85 48 01 00 00 48 85 c9 74 12 48 8b 51 08 48 83
      RIP  [<ffffffff813f98e1>] ata_eh_recover+0x9a1/0x1510
       RSP <ffff880132defbf0>
      CR2: 0000000000000018
    
    Fix it by testing @link->ap->flags instead.
    
    stable: ATA_FLAG_NO_DIPM was added during 2.6.39 cycle but was
            backported to 2.6.37 and 38.  This is a fix for that and thus
            also applicable to 2.6.37 and 38.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: "Nathan A. Mourey II" <nmoureyii@ne.rr.com>
    LKML-Reference: <1304555277.2059.2.camel@localhost.localdomain>
    Cc: Connor H <cmdkhh@gmail.com>
    Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh May 9, 2011
  24. tmpfs: fix spurious ENOSPC when racing with unswap

    commit 59a16ea upstream.
    
    Testing the shmem_swaplist replacements for igrab() revealed another bug:
    writes to /dev/loop0 on a tmpfs file which fills its filesystem were
    sometimes failing with "Buffer I/O error"s.
    
    These came from ENOSPC failures of shmem_getpage(), when racing with
    swapoff: the same could happen when racing with another shmem_getpage(),
    pulling the page in from swap in between our find_lock_page() and our
    taking the info->lock (though not in the single-threaded loop case).
    
    This is unacceptable, and surprising that I've not noticed it before:
    it dates back many years, but (presumably) was made a lot easier to
    reproduce in 2.6.36, which sited a page preallocation in the race window.
    
    Fix it by rechecking the page cache before settling on an ENOSPC error.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh May 11, 2011
  25. tmpfs: fix off-by-one in max_blocks checks

    commit fc5da22 upstream.
    
    If you fill up a tmpfs, df was showing
    
      tmpfs                   460800         -         -   -  /tmp
    
    because of an off-by-one in the max_blocks checks.  Fix it so df shows
    
      tmpfs                   460800    460800         0 100% /tmp
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Tim Chen <tim.c.chen@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh Apr 14, 2011
  26. tmpfs: fix race between swapoff and writepage

    commit 05bf86b upstream.
    
    Shame on me!  Commit b1dea80 "tmpfs: fix race between umount and
    writepage" fixed the advertized race, but introduced another: as even
    its comment makes clear, we cannot safely rely on a peek at list_empty()
    while holding no lock - until info->swapped is set, shmem_unuse_inode()
    may delete any formerly-swapped inode from the shmem_swaplist, which
    in this case would leave a swap area impossible to swapoff.
    
    Although I don't relish taking the mutex every time, I don't care much
    for the alternatives either; and at least the peek at list_empty() in
    shmem_evict_inode() (a hotter path since most inodes would never have
    been swapped) remains safe, because we already truncated the whole file.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh May 14, 2011
  27. tmpfs: fix race between umount and writepage

    commit b1dea80 upstream.
    
    Konstanin Khlebnikov reports that a dangerous race between umount and
    shmem_writepage can be reproduced by this script:
    
      for i in {1..300} ; do
    	mkdir $i
    	while true ; do
    		mount -t tmpfs none $i
    		dd if=/dev/zero of=$i/test bs=1M count=$(($RANDOM % 100))
    		umount $i
    	done &
      done
    
    on a 6xCPU node with 8Gb RAM: kernel very unstable after this accident. =)
    
    Kernel log:
    
      VFS: Busy inodes after unmount of tmpfs.
                     Self-destruct in 5 seconds.  Have a nice day...
    
      WARNING: at lib/list_debug.c:53 __list_del_entry+0x8d/0x98()
      list_del corruption. prev->next should be ffff880222fdaac8, but was (null)
      Pid: 11222, comm: mount.tmpfs Not tainted 2.6.39-rc2+ #4
      Call Trace:
       warn_slowpath_common+0x80/0x98
       warn_slowpath_fmt+0x41/0x43
       __list_del_entry+0x8d/0x98
       evict+0x50/0x113
       iput+0x138/0x141
      ...
      BUG: unable to handle kernel paging request at ffffffffffffffff
      IP: shmem_free_blocks+0x18/0x4c
      Pid: 10422, comm: dd Tainted: G        W   2.6.39-rc2+ #4
      Call Trace:
       shmem_recalc_inode+0x61/0x66
       shmem_writepage+0xba/0x1dc
       pageout+0x13c/0x24c
       shrink_page_list+0x28e/0x4be
       shrink_inactive_list+0x21f/0x382
      ...
    
    shmem_writepage() calls igrab() on the inode for the page which came from
    page reclaim, to add it later into shmem_swaplist for swapoff operation.
    
    This igrab() can race with super-block deactivating process:
    
      shrink_inactive_list()          deactivate_super()
      pageout()                       tmpfs_fs_type->kill_sb()
      shmem_writepage()               kill_litter_super()
                                      generic_shutdown_super()
                                       evict_inodes()
       igrab()
                                        atomic_read(&inode->i_count)
                                         skip-inode
       iput()
                                       if (!list_empty(&sb->s_inodes))
                                              printk("VFS: Busy inodes after...
    
    This igrap-iput pair was added in commit 1b1b32f "tmpfs: fix
    shmem_swaplist races" based on incorrect assumptions: igrab() protects the
    inode from concurrent eviction by deletion, but it does nothing to protect
    it from concurrent unmounting, which goes ahead despite the raised
    i_count.
    
    So this use of igrab() was wrong all along, but the race made much worse
    in 2.6.37 when commit 63997e9 "split invalidate_inodes()" replaced
    two attempts at invalidate_inodes() by a single evict_inodes().
    
    Konstantin posted a plausible patch, raising sb->s_active too: I'm unsure
    whether it was correct or not; but burnt once by igrab(), I am sure that
    we don't want to rely more deeply upon externals here.
    
    Fix it by adding the inode to shmem_swaplist earlier, while the page lock
    on page in page cache still secures the inode against eviction, without
    artifically raising i_count.  It was originally added later because
    shmem_unuse_inode() is liable to remove an inode from the list while it's
    unswapped; but we can guard against that by taking spinlock before
    dropping mutex.
    
    Reported-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Tested-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh May 11, 2011
  28. zorro8390: Fix regression caused during net_device_ops conversion

    commit cf7e032 upstream.
    
    Changeset b611479 ("zorro8390: convert to
    net_device_ops") broke zorro8390 by adding 8390.o to the link. That
    meant that lib8390.c was included twice, once in zorro8390.c and once in
    8390.c, subject to different macros. This patch reverts that by
    avoiding the wrappers in 8390.c.
    
    Fix based on commits 217cbfa ("mac8390:
    fix regression caused during net_device_ops conversion") and
    4e0168f ("mac8390: fix build with
    NET_POLL_CONTROLLER").
    
    Reported-by: Christian T. Steigies <cts@debian.org>
    Suggested-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Tested-by: Christian T. Steigies <cts@debian.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    geertu committed with gregkh May 12, 2011
  29. libertas: fix cmdpendingq locking

    commit 2ae1b8b upstream.
    
    We occasionally see list corruption using libertas.
    
    While we haven't been able to diagnose this precisely, we have spotted
    a possible cause: cmdpendingq is generally modified with driver_lock
    held. However, there are a couple of points where this is not the case.
    
    Fix up those operations to execute under the lock, it seems like
    the correct thing to do and will hopefully improve the situation.
    
    Signed-off-by: Paul Fox <pgf@laptop.org>
    Signed-off-by: Daniel Drake <dsd@laptop.org>
    Acked-by: Dan Williams <dcbw@redhat.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Paul Fox committed with gregkh May 9, 2011
  30. ehea: Fix memory hotplug oops

    commit 21ccc79 upstream.
    
    The ehea driver oopses during memory hotplug if the ports are not
    up. A simple testcase:
    
    # ifconfig ethX down
    # echo offline > /sys/devices/system/memory/memory32/state
    
    Oops: Kernel access of bad area, sig: 11 [#1]
    last sysfs file: /sys/devices/system/memory/memory32/state
    REGS: c000000709393110 TRAP: 0300   Not tainted  (2.6.39-rc2-01385-g7ef73bc-dirty)
    DAR: 0000000000000000, DSISR: 40000000
    ...
    NIP [c000000000067c98] .__wake_up_common+0x48/0xf0
    LR [c00000000006d034] .__wake_up+0x54/0x90
    Call Trace:
    [c00000000006d034] .__wake_up+0x54/0x90
    [d000000006bb6270] .ehea_rereg_mrs+0x140/0x730 [ehea]
    [d000000006bb69c4] .ehea_mem_notifier+0x164/0x170 [ehea]
    [c0000000006fc8a8] .notifier_call_chain+0x78/0xf0
    [c0000000000b3d70] .__blocking_notifier_call_chain+0x70/0xb0
    [c000000000458d78] .memory_notify+0x28/0x40
    [c0000000001871d8] .remove_memory+0x208/0x6d0
    [c000000000458264] .memory_section_action+0x94/0x140
    [c0000000004583ec] .memory_block_change_state+0xdc/0x1d0
    [c0000000004585cc] .store_mem_state+0xec/0x160
    [c00000000044768c] .sysdev_store+0x3c/0x50
    [c00000000020b48c] .sysfs_write_file+0xec/0x1f0
    [c00000000018f86c] .vfs_write+0xec/0x1e0
    [c00000000018fa88] .SyS_write+0x58/0xd0
    
    To fix this, initialise the waitqueues during port probe instead
    of port open.
    
    Signed-off-by: Anton Blanchard <anton@samba.org>
    Acked-by: Breno Leitao <leitao@linux.vnet.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    antonblanchard committed with gregkh May 10, 2011
  31. hydra: Fix regression caused during net_device_ops conversion

    commit 0b25e01 upstream.
    
    Changeset 5618f0d ("hydra: convert to
    net_device_ops") broke hydra by adding 8390.o to the link. That
    meant that lib8390.c was included twice, once in hydra.c and once in
    8390.c, subject to different macros. This patch reverts that by
    avoiding the wrappers in 8390.c.
    
    Fix based on commits 217cbfa ("mac8390:
    fix regression caused during net_device_ops conversion") and
    4e0168f ("mac8390: fix build with
    NET_POLL_CONTROLLER").
    
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    geertu committed with gregkh May 12, 2011
  32. ne-h8300: Fix regression caused during net_device_ops conversion

    commit 2592a73 upstream.
    
    Changeset dcd39c9 ("ne-h8300: convert to
    net_device_ops") broke ne-h8300 by adding 8390.o to the link. That
    meant that lib8390.c was included twice, once in ne-h8300.c and once in
    8390.c, subject to different macros. This patch reverts that by
    avoiding the wrappers in 8390.c.
    
    Fix based on commits 217cbfa ("mac8390:
    fix regression caused during net_device_ops conversion") and
    4e0168f ("mac8390: fix build with
    NET_POLL_CONTROLLER").
    
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    geertu committed with gregkh May 12, 2011
  33. ASoC: SSM2602: Fix 'Mic Boost2' control

    commit 36c90ab upstream.
    
    The 'Mic Boost2' control's shift was off by one and thus was not working.
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Acked-by: Liam Girdwood <lrg@ti.com>
    Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    larsclausen committed with gregkh May 5, 2011
  34. ASoC: UDA134x: Remove POWER_OFF_ON_STANDBY define.

    commit bf707de upstream.
    
    Define POWER_OFF_ON_STANDBY cause trobles when trying to get some
    sound from codec because code for bias setup was not compiled
    (define wasn't defined). This define was removed in commit:
    cc3202f but again introduced by commit: f0fba2a which then
    completely break codec functionality so remove it again.
    
    Signed-off-by: Marek Belisko <marek.belisko@open-nandra.com>
    Acked-by: Liam Girdwood <lrg@ti.com>
    Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    nandra committed with gregkh May 3, 2011
  35. slcan: fix ldisc->open retval

    commit 0d4420a upstream.
    
    TTY layer expects 0 if the ldisc->open operation succeeded.
    
    Reported-by: Matvejchikov Ilya <matvejchikov@gmail.com>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    hartkopp committed with gregkh May 10, 2011