1. 25 Jan, 2012 18 commits
  2. 12 Jan, 2012 21 commits
    • Greg Kroah-Hartman's avatar
      Linux 2.6.32.54 · f2ab2a12
      Greg Kroah-Hartman authored
      f2ab2a12
    • Xi Wang's avatar
      xfs: fix acl count validation in xfs_acl_from_disk() · 3c7af5a9
      Xi Wang authored
      commit 093019cf upstream.
      
      Commit fa8b18ed didn't prevent the integer overflow and possible
      memory corruption.  "count" can go negative and bypass the check.
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarBen Myers <bpm@sgi.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      3c7af5a9
    • Christoph Hellwig's avatar
      xfs: validate acl count · 9ee3e4ab
      Christoph Hellwig authored
      commit fa8b18ed upstream.
      
      This prevents in-memory corruption and possible panics if the on-disk
      ACL is badly corrupted.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarBen Myers <bpm@sgi.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9ee3e4ab
    • Moger, Babu's avatar
      SCSI: scsi_dh: check queuedata pointer before proceeding further · f09bb6a7
      Moger, Babu authored
      commit a18a920c upstream.
      
      This patch validates sdev pointer in scsi_dh_activate before proceeding further.
      
      Without this check we might see the panic as below. I have seen this
      panic multiple times..
      
      Call trace:
      
       #0 [ffff88007d647b50] machine_kexec at ffffffff81020902
       #1 [ffff88007d647ba0] crash_kexec at ffffffff810875b0
       #2 [ffff88007d647c70] oops_end at ffffffff8139c650
       #3 [ffff88007d647c90] __bad_area_nosemaphore at ffffffff8102dd15
       #4 [ffff88007d647d50] page_fault at ffffffff8139b8cf
          [exception RIP: scsi_dh_activate+0x82]
          RIP: ffffffffa0041922  RSP: ffff88007d647e00  RFLAGS: 00010046
          RAX: 0000000000000000  RBX: 0000000000000000  RCX: 00000000000093c5
          RDX: 00000000000093c5  RSI: ffffffffa02e6640  RDI: ffff88007cc88988
          RBP: 000000000000000f   R8: ffff88007d646000   R9: 0000000000000000
          R10: ffff880082293790  R11: 00000000ffffffff  R12: ffff88007cc88988
          R13: 0000000000000000  R14: 0000000000000286  R15: ffff880037b845e0
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
       #5 [ffff88007d647e38] run_workqueue at ffffffff81060268
       #6 [ffff88007d647e78] worker_thread at ffffffff81060386
       #7 [ffff88007d647ee8] kthread at ffffffff81064436
       #8 [ffff88007d647f48] kernel_thread at ffffffff81003fba
      Signed-off-by: default avatarBabu Moger <babu.moger@netapp.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f09bb6a7
    • Srivatsa S. Bhat's avatar
      PM / Sleep: Fix race between CPU hotplug and freezer · f71989e2
      Srivatsa S. Bhat authored
      commit 79cfbdfa upstream.
      
      The CPU hotplug notifications sent out by the _cpu_up() and _cpu_down()
      functions depend on the value of the 'tasks_frozen' argument passed to them
      (which indicates whether tasks have been frozen or not).
      (Examples for such CPU hotplug notifications: CPU_ONLINE, CPU_ONLINE_FROZEN,
      CPU_DEAD, CPU_DEAD_FROZEN).
      
      Thus, it is essential that while the callbacks for those notifications are
      running, the state of the system with respect to the tasks being frozen or
      not remains unchanged, *throughout that duration*. Hence there is a need for
      synchronizing the CPU hotplug code with the freezer subsystem.
      
      Since the freezer is involved only in the Suspend/Hibernate call paths, this
      patch hooks the CPU hotplug code to the suspend/hibernate notifiers
      PM_[SUSPEND|HIBERNATE]_PREPARE and PM_POST_[SUSPEND|HIBERNATE] to prevent
      the race between CPU hotplug and freezer, thus ensuring that CPU hotplug
      notifications will always be run with the state of the system really being
      what the notifications indicate, _throughout_ their execution time.
      Signed-off-by: default avatarSrivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f71989e2
    • Aurelien Jacobs's avatar
      asix: fix infinite loop in rx_fixup() · 3bb5811b
      Aurelien Jacobs authored
      commit 6c15d74d upstream.
      
      At this point if skb->len happens to be 2, the subsequant skb_pull(skb, 4)
      call won't work and the skb->len won't be decreased and won't ever reach 0,
      resulting in an infinite loop.
      
      With an ASIX 88772 under heavy load, without this patch, rx_fixup() reaches
      an infinite loop in less than a minute. With this patch applied,
      no infinite loop even after hours of heavy load.
      Signed-off-by: default avatarAurelien Jacobs <aurel@gnuage.org>
      Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3bb5811b
    • Malte Schröder's avatar
      USB: Add USB-ID for Multiplex RC serial adapter to cp210x.c · 276e8d05
      Malte Schröder authored
      commit 08e87d0d upstream.
      
      Hi, below patch adds the USB-ID of the serial adapters sold by
      Multiplex RC (www.multiplex-rc.de).
      Signed-off-by: default avatarMalte Schröder <maltesch@gmx.de>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      276e8d05
    • Johan Hovold's avatar
      USB: omninet: fix write_room · 0630cde2
      Johan Hovold authored
      commit 694c6301 upstream.
      
      Fix regression introduced by commit 507ca9bc ([PATCH] USB: add
      ability for usb-serial drivers to determine if their write urb is
      currently being used.) which inverted the logic in write_room so that it
      returns zero when the write urb is actually free.
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      0630cde2
    • Oliver Neukum's avatar
      USB: add quirk for another camera · 94385b3e
      Oliver Neukum authored
      commit 35284b3d upstream.
      
      The Guillemot Webcam Hercules Dualpix Exchange camera
      has been reported with a second ID.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      94385b3e
    • Huajun Li's avatar
      usb: usb-storage doesn't support dynamic id currently, the patch disables the... · 3e830aef
      Huajun Li authored
      usb: usb-storage doesn't support dynamic id currently, the patch disables the feature to fix an oops
      
      commit 1a3a026b upstream.
      
      Echo vendor and product number of a non usb-storage device to
      usb-storage driver's new_id, then plug in the device to host and you
      will find following oops msg, the root cause is usb_stor_probe1()
      refers invalid id entry if giving a dynamic id, so just disable the
      feature.
      
      [ 3105.018012] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
      [ 3105.018062] CPU 0
      [ 3105.018075] Modules linked in: usb_storage usb_libusual bluetooth
      dm_crypt binfmt_misc snd_hda_codec_analog snd_hda_intel snd_hda_codec
      snd_hwdep hp_wmi ppdev sparse_keymap snd_pcm snd_seq_midi snd_rawmidi
      snd_seq_midi_event snd_seq snd_timer snd_seq_device psmouse snd
      serio_raw tpm_infineon soundcore i915 snd_page_alloc tpm_tis
      parport_pc tpm tpm_bios drm_kms_helper drm i2c_algo_bit video lp
      parport usbhid hid sg sr_mod sd_mod ehci_hcd uhci_hcd usbcore e1000e
      usb_common floppy
      [ 3105.018408]
      [ 3105.018419] Pid: 189, comm: khubd Tainted: G          I  3.2.0-rc7+
      #29 Hewlett-Packard HP Compaq dc7800p Convertible Minitower/0AACh
      [ 3105.018481] RIP: 0010:[<ffffffffa045830d>]  [<ffffffffa045830d>]
      usb_stor_probe1+0x2fd/0xc20 [usb_storage]
      [ 3105.018536] RSP: 0018:ffff880056a3d830  EFLAGS: 00010286
      [ 3105.018562] RAX: ffff880065f4e648 RBX: ffff88006bb28000 RCX: 0000000000000000
      [ 3105.018597] RDX: ffff88006f23c7b0 RSI: 0000000000000001 RDI: 0000000000000206
      [ 3105.018632] RBP: ffff880056a3d900 R08: 0000000000000000 R09: ffff880067365000
      [ 3105.018665] R10: 00000000000002ac R11: 0000000000000010 R12: ffff6000b41a7340
      [ 3105.018698] R13: ffff880065f4ef60 R14: ffff88006bb28b88 R15: ffff88006f23d270
      [ 3105.018733] FS:  0000000000000000(0000) GS:ffff88007a200000(0000)
      knlGS:0000000000000000
      [ 3105.018773] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [ 3105.018801] CR2: 00007fc99c8c4650 CR3: 0000000001e05000 CR4: 00000000000006f0
      [ 3105.018835] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 3105.018870] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [ 3105.018906] Process khubd (pid: 189, threadinfo ffff880056a3c000,
      task ffff88005677a400)
      [ 3105.018945] Stack:
      [ 3105.018959]  0000000000000000 0000000000000000 ffff880056a3d8d0
      0000000000000002
      [ 3105.019011]  0000000000000000 ffff880056a3d918 ffff880000000000
      0000000000000002
      [ 3105.019058]  ffff880056a3d8d0 0000000000000012 ffff880056a3d8d0
      0000000000000006
      [ 3105.019105] Call Trace:
      [ 3105.019128]  [<ffffffffa0458cd4>] storage_probe+0xa4/0xe0 [usb_storage]
      [ 3105.019173]  [<ffffffffa0097822>] usb_probe_interface+0x172/0x330 [usbcore]
      [ 3105.019211]  [<ffffffff815fda67>] driver_probe_device+0x257/0x3b0
      [ 3105.019243]  [<ffffffff815fdd43>] __device_attach+0x73/0x90
      [ 3105.019272]  [<ffffffff815fdcd0>] ? __driver_attach+0x110/0x110
      [ 3105.019303]  [<ffffffff815fb93c>] bus_for_each_drv+0x9c/0xf0
      [ 3105.019334]  [<ffffffff815fd6c7>] device_attach+0xf7/0x120
      [ 3105.019364]  [<ffffffff815fc905>] bus_probe_device+0x45/0x80
      [ 3105.019396]  [<ffffffff815f98a6>] device_add+0x876/0x990
      [ 3105.019434]  [<ffffffffa0094e42>] usb_set_configuration+0x822/0x9e0 [usbcore]
      [ 3105.019479]  [<ffffffffa00a3492>] generic_probe+0x62/0xf0 [usbcore]
      [ 3105.019518]  [<ffffffffa0097a46>] usb_probe_device+0x66/0xb0 [usbcore]
      [ 3105.019555]  [<ffffffff815fda67>] driver_probe_device+0x257/0x3b0
      [ 3105.019589]  [<ffffffff815fdd43>] __device_attach+0x73/0x90
      [ 3105.019617]  [<ffffffff815fdcd0>] ? __driver_attach+0x110/0x110
      [ 3105.019648]  [<ffffffff815fb93c>] bus_for_each_drv+0x9c/0xf0
      [ 3105.019680]  [<ffffffff815fd6c7>] device_attach+0xf7/0x120
      [ 3105.019709]  [<ffffffff815fc905>] bus_probe_device+0x45/0x80
      [ 3105.021040] usb usb6: usb auto-resume
      [ 3105.021045] usb usb6: wakeup_rh
      [ 3105.024849]  [<ffffffff815f98a6>] device_add+0x876/0x990
      [ 3105.025086]  [<ffffffffa0088987>] usb_new_device+0x1e7/0x2b0 [usbcore]
      [ 3105.025086]  [<ffffffffa008a4d7>] hub_thread+0xb27/0x1ec0 [usbcore]
      [ 3105.025086]  [<ffffffff810d5200>] ? wake_up_bit+0x50/0x50
      [ 3105.025086]  [<ffffffffa00899b0>] ? usb_remote_wakeup+0xa0/0xa0 [usbcore]
      [ 3105.025086]  [<ffffffff810d49b8>] kthread+0xd8/0xf0
      [ 3105.025086]  [<ffffffff81939884>] kernel_thread_helper+0x4/0x10
      [ 3105.025086]  [<ffffffff8192a8c0>] ? _raw_spin_unlock_irq+0x50/0x80
      [ 3105.025086]  [<ffffffff8192b1b4>] ? retint_restore_args+0x13/0x13
      [ 3105.025086]  [<ffffffff810d48e0>] ? __init_kthread_worker+0x80/0x80
      [ 3105.025086]  [<ffffffff81939880>] ? gs_change+0x13/0x13
      [ 3105.025086] Code: 00 48 83 05 cd ad 00 00 01 48 83 05 cd ad 00 00
      01 4c 8b ab 30 0c 00 00 48 8b 50 08 48 83 c0 30 48 89 45 a0 4c 89 a3
      40 0c 00 00 <41> 0f b6 44 24 10 48 89 55 a8 3c ff 0f 84 b8 04 00 00 48
      83 05
      [ 3105.025086] RIP  [<ffffffffa045830d>] usb_stor_probe1+0x2fd/0xc20
      [usb_storage]
      [ 3105.025086]  RSP <ffff880056a3d830>
      [ 3105.060037] hub 6-0:1.0: hub_resume
      [ 3105.062616] usb usb5: usb auto-resume
      [ 3105.064317] ehci_hcd 0000:00:1d.7: resume root hub
      [ 3105.094809] ---[ end trace a7919e7f17c0a727 ]---
      [ 3105.130069] hub 5-0:1.0: hub_resume
      [ 3105.132131] usb usb4: usb auto-resume
      [ 3105.132136] usb usb4: wakeup_rh
      [ 3105.180059] hub 4-0:1.0: hub_resume
      [ 3106.290052] usb usb6: suspend_rh (auto-stop)
      [ 3106.290077] usb usb4: suspend_rh (auto-stop)
      Signed-off-by: default avatarHuajun Li <huajun.li.lee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      
      3e830aef
    • Greg Kroah-Hartman's avatar
      USB: isight: fix kernel bug when loading firmware · e8afc51e
      Greg Kroah-Hartman authored
      commit 59bf5cf9 upstream.
      
      We were sending data on the stack when uploading firmware, which causes
      some machines fits, and is not allowed.  Fix this by using the buffer we
      already had around for this very purpose.
      Reported-by: default avatarWouter M. Koolen <wmkoolen@cwi.nl>
      Tested-by: default avatarWouter M. Koolen <wmkoolen@cwi.nl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      e8afc51e
    • Julia Lawall's avatar
      drivers/usb/class/cdc-acm.c: clear dangling pointer · 151053ab
      Julia Lawall authored
      commit e7c8e860 upstream.
      
      On some failures, the country_code field of an acm structure is freed
      without freeing the acm structure itself.  Elsewhere, operations including
      memcpy and kfree are performed on the country_code field.  The patch sets
      the country_code field to NULL when it is freed, and likewise sets the
      country_code_size field to 0.
      Signed-off-by: default avatarJulia Lawall <julia@diku.dk>
      Acked-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      151053ab
    • Alan Stern's avatar
      USB: update documentation for usbmon · 7c78b92e
      Alan Stern authored
      commit d8cae98c upstream.
      
      The documentation for usbmon is out of date; the usbfs "devices" file
      now exists in /sys/kernel/debug/usb rather than /proc/bus/usb.  This
      patch (as1505) updates the documentation accordingly, and also
      mentions that the necessary information can be found by running lsusb.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: Pete Zaitcev <zaitcev@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      7c78b92e
    • Jeff Mahoney's avatar
      reiserfs: Force inode evictions before umount to avoid crash · 77915669
      Jeff Mahoney authored
      commit a9e36da6 upstream.
      
      This patch fixes a crash in reiserfs_delete_xattrs during umount.
      
      When shrink_dcache_for_umount clears the dcache from
      generic_shutdown_super, delayed evictions are forced to disk. If an
      evicted inode has extended attributes associated with it, it will
      need to walk the xattr tree to locate and remove them.
      
      But since shrink_dcache_for_umount will BUG if it encounters active
      dentries, the xattr tree must be released before it's called or it will
      crash during every umount.
      
      This patch forces the evictions to occur before generic_shutdown_super
      by calling shrink_dcache_sb first. The additional evictions caused
      by the removal of each associated xattr file and dir will be automatically
      handled as they're added to the LRU list.
      
      CC: reiserfs-devel@vger.kernel.org
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      77915669
    • Jan Kara's avatar
      reiserfs: Fix quota mount option parsing · 12e75890
      Jan Kara authored
      commit a06d789b upstream.
      
      When jqfmt mount option is not specified on remount, we mistakenly clear
      s_jquota_fmt value stored in superblock. Fix the problem.
      
      CC: reiserfs-devel@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      12e75890
    • Aurelien Jacobs's avatar
      asix: new device id · 358e3075
      Aurelien Jacobs authored
      commit e8303a3b upstream.
      
      Adds the device id needed for the USB Ethernet Adapter delivered by
      ASUS with their Zenbook.
      Signed-off-by: default avatarAurelien Jacobs <aurel@gnuage.org>
      Acked-by: default avatarGrant Grundler <grundler@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      358e3075
    • Benjamin Herrenschmidt's avatar
      offb: Fix bug in calculating requested vram size · 0a3a07f1
      Benjamin Herrenschmidt authored
      commit c055fe07 upstream.
      
      We used to try to request 8 times more vram than needed, which would
      fail if the card has a too small BAR (observed with qemu & kvm).
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      0a3a07f1
    • Benjamin Herrenschmidt's avatar
      offb: Fix setting of the pseudo-palette for >8bpp · aef3cb6c
      Benjamin Herrenschmidt authored
      commit 1bb0b7d2 upstream.
      
      When using a >8bpp framebuffer, offb advertises truecolor, not directcolor,
      and doesn't touch the color map even if it has a corresponding access method
      for the real hardware.
      
      Thus it needs to set the pseudo-palette with all 3 components of the color,
      like other truecolor framebuffers, not with copies of the color index like
      a directcolor framebuffer would do.
      
      This went unnoticed for a long time because it's pretty hard to get offb
      to kick in with anything but 8bpp (old BootX under MacOS will do that and
      qemu does it).
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      aef3cb6c
    • Neil Horman's avatar
      firmware: Fix an oops on reading fw_priv->fw in sysfs loading file · 9741d973
      Neil Horman authored
      commit eea915bb upstream.
      
      This oops was reported recently:
      firmware_loading_store+0xf9/0x17b
      dev_attr_store+0x20/0x22
      sysfs_write_file+0x101/0x134
      vfs_write+0xac/0xf3
      sys_write+0x4a/0x6e
      system_call_fastpath+0x16/0x1b
      
      The complete backtrace was unfortunately not captured, but details can be found
      here:
      https://bugzilla.redhat.com/show_bug.cgi?id=769920
      
      The cause is fairly clear.
      
      Its caused by the fact that firmware_loading_store has a case 0 in its
      switch statement that reads and writes the fw_priv->fw poniter without the
      protection of the fw_lock mutex.  since there is a window between the time that
      _request_firmware sets fw_priv->fw to NULL and the time the corresponding sysfs
      file is unregistered, its possible for a user space application to race in, and
      write a zero to the loading file, causing a NULL dereference in
      firmware_loading_store.  Fix it by extending the protection of the fw_lock mutex
      to cover all of the firware_loading_store function.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9741d973
    • Joe Perches's avatar
      Documentation: Update stable address · 9bcb99a7
      Joe Perches authored
      commit 2eb7f204 upstream.
      
      The Japanese/Korean/Chinese versions still need updating.
      
      Also, the stable kernel 2.6.x.y descriptions are out of date
      and should be updated as well.
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9bcb99a7
    • Joe Perches's avatar
      MAINTAINERS: stable: Update address · c2cbfab5
      Joe Perches authored
      commit bc7a2f3a upstream.
      
      The old address hasn't worked since the great intrusion of August 2011.
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      c2cbfab5
  3. 06 Jan, 2012 1 commit