commit c3f403c243a408dd7eeb1ff5cb59e60f5557c9b2
Author: Ben Hutchings
Date:   Tue Sep 10 01:57:42 2013 +0100

    Linux 3.2.51

commit 89ca702c526551f4678834ed29eafe824a0ee94b
Author: David Vrabel
Date:   Fri Aug 16 15:42:55 2013 +0100

    x86/xen: do not identity map UNUSABLE regions in the machine E820

    commit 3bc38cbceb85881a8eb789ee1aa56678038b1909 upstream.

    If there are UNUSABLE regions in the machine memory map, dom0 will attempt to map them 1:1 which is not permitted by Xen and the kernel will crash.

    There isn't anything interesting in the UNUSABLE region that the dom0 kernel needs access to so we can avoid making the 1:1 mapping and treat it as RAM.

    We only do this for dom0, as that is where tboot case shows up. A PV domU could have an UNUSABLE region in its pseudo-physical map and would need to be handled in another patch.

    This fixes a boot failure on hosts with tboot.

    tboot marks a region in the e820 map as unusable and the dom0 kernel would attempt to map this region and Xen does not permit unusable regions to be mapped by guests.

      (XEN) 0000000000000000 - 0000000000060000 (usable)
      (XEN) 0000000000060000 - 0000000000068000 (reserved)
      (XEN) 0000000000068000 - 000000000009e000 (usable)
      (XEN) 0000000000100000 - 0000000000800000 (usable)
      (XEN) 0000000000800000 - 0000000000972000 (unusable)

    tboot marked this region as unusable.

      (XEN) 0000000000972000 - 00000000cf200000 (usable)
      (XEN) 00000000cf200000 - 00000000cf38f000 (reserved)
      (XEN) 00000000cf38f000 - 00000000cf3ce000 (ACPI data)
      (XEN) 00000000cf3ce000 - 00000000d0000000 (reserved)
      (XEN) 00000000e0000000 - 00000000f0000000 (reserved)
      (XEN) 00000000fe000000 - 0000000100000000 (reserved)
      (XEN) 0000000100000000 - 0000000630000000 (usable)

    Signed-off-by: David Vrabel
    [v1: Altered the patch and description with domU's with UNUSABLE regions]
    Signed-off-by: Konrad Rzeszutek Wilk
    Signed-off-by: Ben Hutchings

commit 13380d4622567edfeb4de4081b93dedb28189a89
Author: Dominik Dingel
Date:   Fri Jul 26 15:04:00 2013 +0200

    KVM: s390: move kvm_guest_enter,exit closer to sie

    commit 2b29a9fdcb92bfc6b6f4c412d71505869de61a56 upstream.

    Any uaccess between guest_enter and guest_exit could trigger a page fault, the page fault handler would handle it as a guest fault and translate a user address as guest address.

    Signed-off-by: Dominik Dingel
    Signed-off-by: Christian Borntraeger
    Signed-off-by: Paolo Bonzini
    [bwh: Backported to 3.2: adjust context and add the rc variable]
    Signed-off-by: Ben Hutchings

commit 721ab147d8dea60973244e2045fcec0389d817bb
Author: Nicholas Bellinger
Date:   Wed Jul 24 16:15:08 2013 -0700

    target: Fix trailing ASCII space usage in INQUIRY vendor+model

    commit ee60bddba5a5f23e39598195d944aa0eb2d455e5 upstream.

    This patch fixes spc_emulate_inquiry_std() to add trailing ASCII spaces for INQUIRY vendor + model fields following SPC-4 text:

      "ASCII data fields described as being left-aligned shall have any unused bytes at the end of the field (i.e., highest offset) and the unused bytes shall be filled with ASCII space characters (20h)."

    This addresses a problem with Falconstor NSS multipathing.

    Reported-by: Tomas Molota
    Signed-off-by: Nicholas Bellinger
    [bwh: Backported to 3.2, based on Nicholas's versions for 3.0 and 3.4]
    Signed-off-by: Ben Hutchings

commit 9f9c4293221704c89b838e446ac846050d79804f
Author: Takashi Iwai
Date:   Tue Aug 27 12:03:01 2013 +0200

    ALSA: opti9xx: Fix conflicting driver object name

    commit fb615499f0ad28ed74201c1cdfddf9e64e205424 upstream.

    The recent commit to delay the release of kobject triggered NULL dereferences of opti9xx drivers. The cause is that all snd-opti92x-ad1848, snd-opti92x-cs4231 and snd-opti93x drivers register the PnP card driver with the very same name, and also snd-opti92x-ad1848 and -cs4231 drivers register the ISA driver with the same name, too. When these drivers are built in, quick "register-release-and-re-register" actions occur, and this results in Oops because of the same name is assigned to the kobject.

    The fix is simply to assign individual names. As a bonus, by using KBUILD_MODNAME, the patch reduces more lines than it adds.

    The fix is based on the suggestion by Russell King.

    Reported-and-tested-by: Fengguang Wu
    Signed-off-by: Takashi Iwai
    Signed-off-by: Ben Hutchings

commit 0a3a0aeeab072803685c1cb45e1780f2ab6a5b9c
Author: David S. Miller
Date:   Sat May 19 15:27:01 2012 -0700

    sparc32: Add ucmpdi2.o to obj-y instead of lib-y.

    commit 74c7b28953d4eaa6a479c187aeafcfc0280da5e8 upstream.

    Otherwise if no references exist in the static kernel image, we won't export the symbol properly to modules.

    Signed-off-by: David S. Miller
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 998f48dbf08a225e107ddd74b684b2648b4eb408
Author: Sam Ravnborg
Date:   Sat May 19 11:54:11 2012 +0200

    sparc32: add ucmpdi2

    commit de36e66d5fa52bc6e2dacd95c701a1762b5308a7 upstream.

    Based on copy from microblaze add ucmpdi2 implementation.
    This fixes build of niu driver which failed with:

      drivers/built-in.o: In function `niu_get_nfc':
      niu.c:(.text+0x91494): undefined reference to `__ucmpdi2'

    This driver will never be used on a sparc32 system, but patch added to fix build breakage with all*config builds.

    Signed-off-by: Sam Ravnborg
    Signed-off-by: David S. Miller
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 02050b2f11db937d5a0ef42297a9a1fadcba829a
Author: Michal Simek
Date:   Tue Mar 27 10:10:15 2012 +0200

    microblaze: Fix __futex_atomic_op macro register usage

    commit 8cf662ed3ef190fddc186bb5b1cd75eb3880d5a9 upstream.

    Old Microblaze toolchain supported "b" constraints for all register but it always points to general purpose reg. New Microblaze toolchain is more strict in this and general purpose register should be used there "r".

    Signed-off-by: Michal Simek
    Signed-off-by: Ben Hutchings

commit c9b5d71cd772004cf95683e7169e67ad5f1d5806
Author: Geert Uytterhoeven
Date:   Tue Jul 17 15:48:05 2012 -0700

    m32r: make memset() global for CONFIG_KERNEL_BZIP2=y

    commit 9a75c6e5240f7edc5955e8da5b94bde6f96070b3 upstream.

    Fix the m32r compile error:

      arch/m32r/boot/compressed/misc.c:31:14: error: static declaration of 'memset' follows non-static declaration
      make[5]: *** [arch/m32r/boot/compressed/misc.o] Error 1
      make[4]: *** [arch/m32r/boot/compressed/vmlinux] Error 2

    by removing the static keyword.

    Signed-off-by: Geert Uytterhoeven
    Cc: Hirokazu Takata
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit d2cd7ba97d9a22d88aaead8ce3f067c136b7530b
Author: Geert Uytterhoeven
Date:   Tue Jul 17 15:48:04 2012 -0700

    m32r: add memcpy() for CONFIG_KERNEL_GZIP=y

    commit a8abbca6617e1caa2344d2d38d0a35f3e5928b79 upstream.

    Fix the m32r link error:

      LD arch/m32r/boot/compressed/vmlinux
      arch/m32r/boot/compressed/misc.o: In function `zlib_updatewindow':
      misc.c:(.text+0x190): undefined reference to `memcpy'
      misc.c:(.text+0x190): relocation truncated to fit: R_M32R_26_PLTREL against undefined symbol `memcpy'
      make[5]: *** [arch/m32r/boot/compressed/vmlinux] Error 1

    by adding our own implementation of memcpy().

    Signed-off-by: Geert Uytterhoeven
    Cc: Hirokazu Takata
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 9853c4cbe68d791f5e81ea0966a9e1a9fbcff406
Author: Geert Uytterhoeven
Date:   Tue Jul 17 15:48:02 2012 -0700

    m32r: consistently use "suffix-$(...)"

    commit df12aef6a19bb2d69859a94936bda0e6ccaf3327 upstream.

    Commit a556bec9955c ("m32r: fix arch/m32r/boot/compressed/Makefile") changed "$(suffix_y)" to "$(suffix-y)", but didn't update any location where "suffix_y" is set, causing:

      make[5]: *** No rule to make target `arch/m32r/boot/compressed/vmlinux.bin.', needed by `arch/m32r/boot/compressed/piggy.o'. Stop.
      make[4]: *** [arch/m32r/boot/compressed/vmlinux] Error 2
      make[3]: *** [zImage] Error 2

    Correct the other locations to fix this.

    Signed-off-by: Geert Uytterhoeven
    Cc: Hirokazu Takata
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit f308efc2a7a402b480716368ae34df1ba414439e
Author: Paul Gortmaker
Date:   Wed Apr 18 17:17:19 2012 -0400

    pci: frv architecture needs generic setup-bus infrastructure

    commit cd0a2bfb77a3edeecd652081e0b1a163d3b0696b upstream.

    Otherwise we get this link failure for frv's defconfig:

      LD .tmp_vmlinux1
      drivers/built-in.o: In function `pci_assign_resource':
      (.text+0xbf0c): undefined reference to `pci_cardbus_resource_alignment'
      drivers/built-in.o: In function `pci_setup':
      pci.c:(.init.text+0x174): undefined reference to `pci_realloc_get_opt'
      pci.c:(.init.text+0x1a0): undefined reference to `pci_realloc_get_opt'
      make[1]: *** [.tmp_vmlinux1] Error 1

    Cc: David Howells
    Acked-by: Bjorn Helgaas
    Signed-off-by: Paul Gortmaker
    Signed-off-by: Ben Hutchings

commit ac8905cf6be324c76193debc26042fe7a746f89a
Author: Radu Caragea
Date:   Wed Aug 21 20:55:59 2013 +0300

    x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member

    commit 41aacc1eea645c99edbe8fbcf78a97dc9b862adc upstream.

    This is the updated version of df54d6fa5427 ("x86 get_unmapped_area(): use proper mmap base for bottom-up direction") that only randomizes the mmap base address once.

    Signed-off-by: Radu Caragea
    Reported-and-tested-by: Jeff Shorey
    Cc: Andrew Morton
    Cc: Michel Lespinasse
    Cc: Oleg Nesterov
    Cc: Rik van Riel
    Cc: Ingo Molnar
    Cc: Adrian Sendroiu
    Cc: Greg KH
    Cc: Kamal Mostafa
    Signed-off-by: Linus Torvalds
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit caf51a8a6584804bc97ef2fd860eadc37c4b3f92
Author: Jakob Bornecrantz
Date:   Thu Aug 29 02:32:53 2013 +0200

    drm/vmwgfx: Split GMR2_REMAP commands if they are to large

    commit 6e4dcff3adbf25acb87e74500a58e3c07bdec40f upstream.

    This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command.

    Signed-off-by: Jakob Bornecrantz
    Reviewed-by: Biran Paul
    Reviewed-by: Zack Rusin
    Signed-off-by: Dave Airlie
    Signed-off-by: Ben Hutchings

commit 95b59c0baa5253dd3a1e8191700c2706bd2f0c66
Author: Imre Deak
Date:   Fri Aug 23 23:50:23 2013 +0300

    drm/i915: ivb: fix edp voltage swing reg val

    commit 77fa4cbd5fa389e28419bbe8ac491b5fdd54840d upstream.

    Fix the typo introduced in

      commit 1a2eb4604b85c5efb343da8a4dcf41288fcfca85
      Author: Keith Packard
      Date:   Wed Nov 16 16:26:07 2011 -0800

          drm/i915: Hook up Ivybridge eDP

    This fixes eDP link-training failures and cases where all voltage swing/pre-emphasis levels were tried and failed during clock recovery and - as a fallback - we go on to do channel equalization with the last voltage swing/pre-emphasis level which will succeed. Both issues can lead to a blank screen.

    v2:
    - improve commit message

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64880
    Tested-by: Jeremy Moles
    Signed-off-by: Imre Deak
    Reviewed-by: Paulo Zanoni
    Signed-off-by: Daniel Vetter
    Signed-off-by: Ben Hutchings

commit fbbd6511ab0dff8a79fc5803250b77a1260be354
Author: Tejun Heo
Date:   Wed Aug 28 17:33:37 2013 -0400

    workqueue: cond_resched() after processing each work item

    commit b22ce2785d97423846206cceec4efee0c4afd980 upstream.

    If !PREEMPT, a kworker running work items back to back can hog CPU. This becomes dangerous when a self-requeueing work item which is waiting for something to happen races against stop_machine. Such self-requeueing work item would requeue itself indefinitely hogging the kworker and CPU it's running on while stop_machine would wait for that CPU to enter stop_machine while preventing anything else from happening on all other CPUs. The two would deadlock.

    Jamie Liu reports that this deadlock scenario exists around scsi_requeue_run_queue() and libata port multiplier support, where one port may exclude command processing from other ports. With the right timing, scsi_requeue_run_queue() can end up requeueing itself trying to execute an IO which is asked to be retried while another device has an exclusive access, which in turn can't make forward progress due to stop_machine.

    Fix it by invoking cond_resched() after executing each work item.

    Signed-off-by: Tejun Heo
    Reported-by: Jamie Liu
    References: http://thread.gmane.org/gmane.linux.kernel/1552567
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit 8f5f27670088ea31d93287c2bc1e0d54f5ed6841
Author: Russ Anderson
Date:   Wed Aug 28 16:35:18 2013 -0700

    drivers/base/memory.c: fix show_mem_removable() to handle missing sections

    commit 21ea9f5ace3a7317cc3ba1fbc749758021a83136 upstream.

    "cat /sys/devices/system/memory/memory*/removable" crashed the system.

    The problem is that show_mem_removable() is passing a bad pfn to is_mem_section_removable(), which causes

        if (!node_online(page_to_nid(page)))

    to blow up. Why is it passing in a bad pfn?

    The reason is that show_mem_removable() will loop sections_per_block times. sections_per_block is 16, but mem->section_count is 8, indicating holes in this memory block. Checking that the memory section is present before checking to see if the memory section is removable fixes the problem.

      harp5-sys:~ # cat /sys/devices/system/memory/memory*/removable
      0 1 1 1 1 1 1 1 1 1 1 1 1 1
      BUG: unable to handle kernel paging request at ffffea00c3200000
      IP: [] is_pageblock_removable_nolock+0x1/0x90
      PGD 83ffd4067 PUD 37bdfce067 PMD 0
      Oops: 0000 [#1] SMP
      Modules linked in: autofs4 binfmt_misc rdma_ucm rdma_cm iw_cm ib_addr ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_cm ib_uverbs ib_umad iw_cxgb3 cxgb3 mdio mlx4_en mlx4_ib ib_sa mlx4_core ib_mthca ib_mad ib_core fuse nls_iso8859_1 nls_cp437 vfat fat joydev loop hid_generic usbhid hid hwperf(O) numatools(O) dm_mod iTCO_wdt ipv6 iTCO_vendor_support igb i2c_i801 ioatdma i2c_algo_bit ehci_pci pcspkr lpc_ich i2c_core ehci_hcd ptp sg mfd_core dca rtc_cmos pps_core mperf button xhci_hcd sd_mod crc_t10dif usbcore usb_common scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh_rdac scsi_dh gru(O) xvma(O) xfs crc32c libcrc32c thermal sata_nv processor piix mptsas mptscsih scsi_transport_sas mptbase megaraid_sas fan thermal_sys hwmon ext3 jbd ata_piix ahci libahci libata
      scsi_mod
      CPU: 4 PID: 5991 Comm: cat Tainted: G O 3.11.0-rc5-rja-uv+ #10
      Hardware name: SGI UV2000/ROMLEY, BIOS SGI UV 2000/3000 series BIOS 01/15/2013
      task: ffff88081f034580 ti: ffff880820022000 task.ti: ffff880820022000
      RIP: 0010:[] [] is_pageblock_removable_nolock+0x1/0x90
      RSP: 0018:ffff880820023df8 EFLAGS: 00010287
      RAX: 0000000000040000 RBX: ffffea00c3200000 RCX: 0000000000000004
      RDX: ffffea00c30b0000 RSI: 00000000001c0000 RDI: ffffea00c3200000
      RBP: ffff880820023e38 R08: 0000000000000000 R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000000000001 R12: ffffea00c33c0000
      R13: 0000160000000000 R14: 6db6db6db6db6db7 R15: 0000000000000001
      FS: 00007ffff7fb2700(0000) GS:ffff88083fc80000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffea00c3200000 CR3: 000000081b954000 CR4: 00000000000407e0
      Call Trace:
       show_mem_removable+0x41/0x70
       dev_attr_show+0x2a/0x60
       sysfs_read_file+0xf7/0x1c0
       vfs_read+0xc8/0x130
       SyS_read+0x5d/0xa0
       system_call_fastpath+0x16/0x1b

    Signed-off-by: Russ Anderson
    Cc: Greg Kroah-Hartman
    Cc: "Rafael J. Wysocki"
    Cc: Yinghai Lu
    Reviewed-by: Yasuaki Ishimatsu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 18520e30c350ad3a36a9e4e0f0b0eafb3b260332
Author: Trond Myklebust
Date:   Wed Aug 28 13:35:13 2013 -0400

    SUNRPC: Fix memory corruption issue on 32-bit highmem systems

    commit 347e2233b7667e336d9f671f1a52dfa3f0416e2c upstream.

    Some architectures, such as ARM-32 do not return the same base address when you call kmap_atomic() twice on the same page. This causes problems for the memmove() call in the XDR helper routine "_shift_data_right_pages()", since it defeats the detection of overlapping memory ranges, and has been seen to corrupt memory.

    The fix is to distinguish between the case where we're doing an inter-page copy or not.
    In the former case we know that the memory ranges cannot possibly overlap, so we can additionally micro-optimise by replacing memmove() with memcpy().

    Reported-by: Mark Young
    Reported-by: Matt Craighead
    Cc: Bruce Fields
    Signed-off-by: Trond Myklebust
    Tested-by: Matt Craighead
    Signed-off-by: Ben Hutchings

commit 16a68fe90cc49cd20acfa9604a35827593ce4fc3
Author: Cong Wang
Date:   Fri Nov 25 23:14:40 2011 +0800

    sunrpc: remove the second argument of k[un]map_atomic()

    commit b85417860172ff693dc115d7999805fc240cec1c upstream.

    Signed-off-by: Cong Wang
    [bwh: Cherry-picked for 3.2 to let the next fix apply cleanly]
    Signed-off-by: Ben Hutchings

commit 12ee8aa39c123500c8e340b8a83f9d5f11000152
Author: Eugene Surovegin
Date:   Mon Aug 26 11:53:32 2013 -0700

    powerpc/hvsi: Increase handshake timeout from 200ms to 400ms.

    commit d220980b701d838560a70de691b53be007e99e78 upstream.

    This solves a problem observed in kexec'ed kernel where 200ms timeout is too short and bootconsole fails to initialize. Console did eventually become workable but much later into the boot process.

    Observed timeout was around 260ms, but I decided to make it a little bigger for more reliability.

    This has been tested on Power7 machine with Petitboot as a primary bootloader and PowerNV firmware.

    Signed-off-by: Eugene Surovegin
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Ben Hutchings

commit 3bf7055b3d4062d835d15d734ca5a9baa9403e1e
Author: Paul Mackerras
Date:   Tue Aug 27 16:07:49 2013 +1000

    powerpc: Work around gcc miscompilation of __pa() on 64-bit

    commit bdbc29c19b2633b1d9c52638fb732bcde7a2031a upstream.

    On 64-bit, __pa(&static_var) gets miscompiled by recent versions of gcc as something like:

        addis 3,2,.LANCHOR1+4611686018427387904@toc@ha
        addi 3,3,.LANCHOR1+4611686018427387904@toc@l

    This ends up effectively ignoring the offset, since its bottom 32 bits are zero, and means that the result of __pa() still has 0xC in the top nibble. This happens with gcc 4.8.1, at least.

    To work around this, for 64-bit we make __pa() use an AND operator, and for symmetry, we make __va() use an OR operator. Using an AND operator rather than a subtraction ends up with slightly shorter code since it can be done with a single clrldi instruction, whereas it takes three instructions to form the constant (-PAGE_OFFSET) and add it on. (Note that MEMORY_START is always 0 on 64-bit.)

    Signed-off-by: Paul Mackerras
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Ben Hutchings

commit c349bf07d6c05e89c967327af0f334604826d0e4
Author: Benjamin Herrenschmidt
Date:   Tue Aug 27 16:38:33 2013 +1000

    powerpc: Don't Oops when accessing /proc/powerpc/lparcfg without hypervisor

    commit f5f6cbb61610b7bf9d9d96db9c3979d62a424bab upstream.

    /proc/powerpc/lparcfg is an ancient facility (though still actively used) which allows access to some informations relative to the partition when running underneath a PAPR compliant hypervisor.

    It makes no sense on non-pseries machines. However, currently, not only can it be created on these if the kernel has pseries support, but accessing it on such a machine will crash due to trying to do hypervisor calls.

    In fact, it should also not do HV calls on older pseries that didn't have an hypervisor either.

    Finally, it has the plumbing to be a module but is a "bool" Kconfig option.

    This fixes the whole lot by turning it into a machine_device_initcall that is only created on pseries, and adding the necessary hypervisor check before calling the H_GET_EM_PARMS hypercall

    Signed-off-by: Benjamin Herrenschmidt
    [bwh: Backported to 3.2: lparcfg_cleanup() was a bit different]
    Signed-off-by: Ben Hutchings

commit 83537f7467eb1f42014cd48cbd615c101cfc4d98
Author: Helmut Schaa
Date:   Fri Aug 16 21:39:40 2013 +0200

    ath9k_htc: Restore skb headroom when returning skb to mac80211

    commit d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0 upstream.

    ath9k_htc adds padding between the 802.11 header and the payload during TX by moving the header.
    When handing the frame back to mac80211 for TX status handling the header is not moved back into its original position. This can result in a too small skb headroom when entering ath9k_htc again (due to a soft retransmission for example) causing an skb_under_panic oops.

    Fix this by moving the 802.11 header back into its original position before returning the frame to mac80211 as other drivers like rt2x00 or ath5k do.

    Reported-by: Marc Kleine-Budde
    Signed-off-by: Helmut Schaa
    Tested-by: Marc Kleine-Budde
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit af6ecf0c758dda038d0f921844f81054c423945d
Author: Stanislaw Gruszka
Date:   Wed Aug 21 10:18:19 2013 +0200

    iwl4965: fix rfkill set state regression

    commit b2fcc0aee58a3435566dd6d8501a0b355552f28b upstream.

    My current 3.11 fix:

      commit 788f7a56fce1bcb2067b62b851a086fca48a0056
      Author: Stanislaw Gruszka
      Date:   Thu Aug 1 12:07:55 2013 +0200

          iwl4965: reset firmware after rfkill off

    broke rfkill notification to user-space. I missed that bug, because I compiled without CONFIG_RFKILL, sorry about that.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    [bwh: Backported to 3.2: adjust filename, context, naming]
    Signed-off-by: Ben Hutchings

commit 2136ff0e0ad92cba89e738040cb35f56ea8a0157
Author: Richard Kuo
Date:   Tue Nov 15 16:58:11 2011 -0600

    Hexagon: misc compile warning/error cleanup due to missing headers

    commit 6bbbc30ce6b0ae428575c8af7c2a6c342c534e19 upstream.

    Fixed warnings/errors for EXPORT_SYMBOL, linux_binprm, elf related defines

    Signed-off-by: Richard Kuo
    Signed-off-by: Ben Hutchings

commit e188bae8b4648137b336c35b0abaf43939ef401e
Author: Sam Ravnborg
Date:   Tue Dec 27 21:46:53 2011 +0100

    sparc32: support atomic64_t

    commit aea1181b0bd0a09c54546399768f359d1e198e45 upstream.

    There is no-one that really require atomic64_t support on sparc32. But several drivers fails to build without proper atomic64 support.
    And for an allyesconfig build for sparc32 this is annoying.

    Include the generic atomic64_t support for sparc32. This has a text footprint cost:

      $size vmlinux (before atomic64_t support)
         text    data     bss     dec     hex filename
      3578860  134260  108781 3821901  3a514d vmlinux

      $size vmlinux (after atomic64_t support)
         text    data     bss     dec     hex filename
      3579892  130684  108781 3819357  3a475d vmlinux

    text increase (3579892 - 3578860) = 1032 bytes

    data decreases - but I fail to explain why! I have rebuild twice to check my numbers.

    Signed-off-by: Sam Ravnborg
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit c7104995c19153da39c67924bc204e82e75cfccf
Author: Cong Wang
Date:   Fri Feb 3 15:34:16 2012 +0800

    include in drivers/parisc/iommu-helpers.h

    commit 650275dbfb2f4c12bc91420ad5a99f955eabec98 upstream.

      drivers/parisc/iommu-helpers.h:62: error: implicit declaration of function 'prefetchw'
      make[3]: *** [drivers/parisc/sba_iommu.o] Error 1

    drivers/parisc/iommu-helpers.h needs to #include where prefetchw is declared.

    Signed-off-by: WANG Cong
    Signed-off-by: James Bottomley
    Signed-off-by: Ben Hutchings

commit 1e11845dc7a6e16ff4f65b25a09b1e07aeaf484a
Author: Will Deacon
Date:   Sun Apr 7 21:36:10 2013 +1200

    alpha: makefile: don't enforce small data model for kernel builds

    commit cd8d2331756751b6aeb855a3c9cb0a92fbd9c725 upstream.

    Due to all of the goodness being packed into today's kernels, the resulting image isn't as slim as it once was.

    In light of this, don't pass -msmall-data to gcc, which otherwise results in link failures due to impossible relocations when compiling anything but the most trivial configurations.

    Reviewed-by: Matt Turner
    Cc: Richard Henderson
    Cc: Ivan Kokshaysky
    Tested-by: Thorsten Kranzkowski
    Signed-off-by: Will Deacon
    Signed-off-by: Michael Cree
    Signed-off-by: Linus Torvalds
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit caafbc41c4c3627192662c7261dc73272ab4b1ca
Author: Jesper Nilsson
Date:   Mon Oct 24 11:19:25 2011 +0200

    CRIS: Add _sdata to vmlinux.lds.S

    commit 473e162eea465e60578edb93341752e7f1c1dacc upstream.

    Fixes link error:

      LD vmlinux
      kernel/built-in.o: In function `core_kernel_data':
      (.text+0x13e44): undefined reference to `_sdata'

    Signed-off-by: Jesper Nilsson
    Cc: Guenter Roeck
    Cc: Geert Uytterhoeven
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit fc766863a5f3201625f460c517e1a6d15044b65b
Author: Paul Bolle
Date:   Sun May 12 14:31:19 2013 +0200

    sound: Fix make allmodconfig on MIPS correctly

    commit a62ee234a572b4c98fe98cf5fb18e4e8b0f6e43d upstream.

    Commit d4702b189c ("sound: Fix make allmodconfig on MIPS") added a (negative) dependency on ISA_DMA_SUPPORT_BROKEN. Since that Kconfig symbol doesn't exist, this dependency will always evaluate to true. Apparently GENERIC_ISA_DMA_SUPPORT_BROKEN was meant to be used here.

    Signed-off-by: Paul Bolle
    Signed-off-by: Takashi Iwai
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit b0538b44109490d481625b6a0d72aa6cb7131016
Author: Takashi Iwai
Date:   Fri May 3 17:07:24 2013 +0200

    sound: Fix make allmodconfig on MIPS

    commit d4702b189c6b951c1cb3260036ff998f719bfb62 upstream.

    The compile of soundcard.c is broken on MIPS when allmodconfig is used because of the missing MAX_DMA_CHANNELS definition. As a simple workaround, just add a Kconfig dependency.

    Reported-by: Andrew Morton
    Cc: Ralf Baechle
    Signed-off-by: Takashi Iwai
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 8e29b9b8cbc247be52f2eec76842d744b43da44d
Author: Michal Simek
Date:   Fri Dec 21 10:53:59 2012 +0100

    microblaze: Update microblaze defconfigs

    commit d0e045401f268a8de6f87d65678214748b772680 upstream.

    The main reason is 0-day testing system which can directly use these defconfigs for testing.

    Enable support for all xilinx drivers which Microblaze can use and disable dependency on external rootfs.cpio.

    There is only one exception which is axi ethernet driver which still uses NO_IRQ which is not defined for Microblaze.

    Signed-off-by: Michal Simek
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 6d9ca51bbe6d92c0b56f74a29b16d6730e31979c
Author: Arnd Bergmann
Date:   Thu Mar 14 15:21:36 2013 +0100

    SCSI: nsp32: use mdelay instead of large udelay constants

    commit b497ceb964a80ebada3b9b3cea4261409039e25a upstream.

    ARM cannot handle udelay for more than 2 milliseconds, so we should use mdelay instead for those.

    Signed-off-by: Arnd Bergmann
    Acked-by: GOTO Masanori
    Cc: YOKOTA Hiroshi
    Cc: "James E.J. Bottomley"
    Cc: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 3c19c6a8bdb5454d4a98159adab3cc86418628da
Author: Ben Hutchings
Date:   Wed Sep 4 23:57:32 2013 +0100

    Revert "PM / Domains: Fix handling of wakeup devices during system resume"

    This reverts commit 5c6156fac087f551cbd57499f4bed2fc614d70cd, which was commit cc85b20780562d404e18a47b9b55b4a5102ae53e upstream. It broke ARM && PM configurations by adding a call to genpd_dev_active_wakeup() which was only added in Linux 3.3.

    Signed-off-by: Ben Hutchings

commit 09427b652799cb707f9c1a6edadfce314e4902e6
Author: Vyacheslav Dubeyko
Date:   Thu Aug 22 16:35:45 2013 -0700

    nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection

    commit 4bf93b50fd04118ac7f33a3c2b8a0a1f9fa80bc9 upstream.

    Fix the issue with improper counting number of flying bio requests for BIO_EOPNOTSUPP error detection case.

    The sb_nbio must be incremented exactly the same number of times as complete() function was called (or will be called) because nilfs_segbuf_wait() will call wait_for_completion() for the number of times set to sb_nbio:

        do {
            wait_for_completion(&segbuf->sb_bio_event);
        } while (--segbuf->sb_nbio > 0);

    Two functions complete() and wait_for_completion() must be called the same number of times for the same sb_bio_event. Otherwise, wait_for_completion() will hang or leak.

    Signed-off-by: Vyacheslav Dubeyko
    Cc: Dan Carpenter
    Acked-by: Ryusuke Konishi
    Tested-by: Ryusuke Konishi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit c74978269d1a066413b8ce93bd91566d0dc84e40
Author: Vyacheslav Dubeyko
Date:   Thu Aug 22 16:35:44 2013 -0700

    nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error

    commit 2df37a19c686c2d7c4e9b4ce1505b5141e3e5552 upstream.

    Remove double call of bio_put() in nilfs_end_bio_write() for the case of BIO_EOPNOTSUPP error detection. The issue was found by Dan Carpenter and he suggests first version of the fix too.

    Signed-off-by: Vyacheslav Dubeyko
    Reported-by: Dan Carpenter
    Acked-by: Ryusuke Konishi
    Tested-by: Ryusuke Konishi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 456dc002f3fc2fcd6d8dbfeff50101cde308f33b
Author: Martin Peschke
Date:   Thu Aug 22 17:45:37 2013 +0200

    zfcp: fix schedule-inside-lock in scsi_device list loops

    commit 924dd584b198a58aa7cb3efefd8a03326550ce8f upstream.

      BUG: sleeping function called from invalid context at kernel/workqueue.c:2752
      in_atomic(): 1, irqs_disabled(): 1, pid: 360, name: zfcperp0.0.1700
      CPU: 1 Not tainted 3.9.3+ #69
      Process zfcperp0.0.1700 (pid: 360, task: 0000000075b7e080, ksp: 000000007476bc30)
      Call Trace:
      ([<00000000001165de>] show_trace+0x106/0x154)
       [<00000000001166a0>] show_stack+0x74/0xf4
       [<00000000006ff646>] dump_stack+0xc6/0xd4
       [<000000000017f3a0>] __might_sleep+0x128/0x148
       [<000000000015ece8>] flush_work+0x54/0x1f8
       [<00000000001630de>] __cancel_work_timer+0xc6/0x128
       [<00000000005067ac>] scsi_device_dev_release_usercontext+0x164/0x23c
       [<0000000000161816>] execute_in_process_context+0x96/0xa8
       [<00000000004d33d8>] device_release+0x60/0xc0
       [<000000000048af48>] kobject_release+0xa8/0x1c4
       [<00000000004f4bf2>] __scsi_iterate_devices+0xfa/0x130
       [<000003ff801b307a>] zfcp_erp_strategy+0x4da/0x1014 [zfcp]
       [<000003ff801b3caa>] zfcp_erp_thread+0xf6/0x2b0 [zfcp]
       [<000000000016b75a>] kthread+0xf2/0xfc
       [<000000000070c9de>] kernel_thread_starter+0x6/0xc
       [<000000000070c9d8>] kernel_thread_starter+0x0/0xc

    Apparently, the ref_count for some scsi_device drops down to zero, triggering device removal through execute_in_process_context(), while the lldd error recovery thread iterates through a scsi device list. Unfortunately, execute_in_process_context() decides to immediately execute that device removal function, instead of scheduling asynchronous execution, since it detects process context and thinks it is safe to do so. But almost all calls to shost_for_each_device() in our lldd are inside spin_lock_irq, even in thread context. Obviously, schedule() inside spin_lock_irq sections is a bad idea.

    Change the lldd to use the proper iterator function, __shost_for_each_device(), in combination with required locking.

    Occurrences that need to be changed include all calls in zfcp_erp.c, since those might be executed in zfcp error recovery thread context with a lock held.

    Other occurrences of shost_for_each_device() in zfcp_fsf.c do not need to be changed (no process context, no surrounding locking).

    The problem was introduced in Linux 2.6.37 by commit b62a8d9b45b971a67a0f8413338c230e3117dff5 "[SCSI] zfcp: Use SCSI device data zfcp_scsi_dev instead of zfcp_unit".

    Reported-by: Christian Borntraeger
    Signed-off-by: Martin Peschke
    Signed-off-by: Steffen Maier
    Signed-off-by: James Bottomley
    Signed-off-by: Ben Hutchings

commit db59af96379bec11e0b55ad5193b887a4a52f734
Author: Martin Peschke
Date:   Thu Aug 22 17:45:36 2013 +0200

    zfcp: fix lock imbalance by reworking request queue locking

    commit d79ff142624e1be080ad8d09101f7004d79c36e1 upstream.

    This patch adds wait_event_interruptible_lock_irq_timeout(), which is a straight-forward descendant of wait_event_interruptible_timeout() and wait_event_interruptible_lock_irq().

    The zfcp driver used to call wait_event_interruptible_timeout() in combination with some intricate and error-prone locking. Using wait_event_interruptible_lock_irq_timeout() as a replacement nicely cleans up that locking.

    This rework removes a situation that resulted in a locking imbalance in zfcp_qdio_sbal_get():

      BUG: workqueue leaked lock or atomic: events/1/0xffffff00/10
      last function: zfcp_fc_wka_port_offline+0x0/0xa0 [zfcp]

    It was introduced by commit c2af7545aaff3495d9bf9a7608c52f0af86fb194 "[SCSI] zfcp: Do not wait for SBALs on stopped queue", which had a new code path related to ZFCP_STATUS_ADAPTER_QDIOUP that took an early exit without a required lock being held. The problem occurred when a special, non-SCSI I/O request was being submitted in process context, when the adapter's queues had been torn down. In this case the bug surfaced when the Fibre Channel port connection for a well-known address was closed during a concurrent adapter shut-down procedure, which is a rare constellation.
    This patch also fixes these warnings from the sparse tool (make C=1):

    drivers/s390/scsi/zfcp_qdio.c:224:12: warning: context imbalance in 'zfcp_qdio_sbal_check' - wrong count at exit
    drivers/s390/scsi/zfcp_qdio.c:244:5: warning: context imbalance in 'zfcp_qdio_sbal_get' - unexpected unlock

    Last but not least, we get rid of that crappy lock-unlock-lock sequence at the beginning of the critical section.

    It is okay to call zfcp_erp_adapter_reopen() with req_q_lock held.

    Reported-by: Mikulas Patocka
    Reported-by: Heiko Carstens
    Signed-off-by: Martin Peschke
    Signed-off-by: Steffen Maier
    Signed-off-by: James Bottomley
    Signed-off-by: Ben Hutchings

commit 243c1b4b7065b9ca33e682be6f167724118e13af
Author: Wladislav Wiebe
Date:   Mon Aug 12 13:06:53 2013 +0200

    of: fdt: fix memory initialization for expanded DT

    commit 9e40127526e857fa3f29d51e83277204fbdfc6ba upstream.

    Already existing property flags are filled wrong for properties created from initial FDT. This could cause problems if these DYNAMIC device-tree functions are used later, i.e. properties are attached/detached/replaced. Simply dumping flags from the running system shows that some initial static (not allocated via kzmalloc()) nodes are marked as dynamic.

    I put some debug extensions to property_proc_show(..) :
    ..
    +       if (OF_IS_DYNAMIC(pp))
    +               pr_err("DEBUG: xxx : OF_IS_DYNAMIC\n");
    +       if (OF_IS_DETACHED(pp))
    +               pr_err("DEBUG: xxx : OF_IS_DETACHED\n");

    when you operate on the nodes (e.g.: ~$ cat /proc/device-tree/*some_node*) you will see that those flags are filled wrong, basically in most cases it will dump a DYNAMIC or DETACHED status, which is not true. (BTW. this OF_IS_DETACHED is an own define for debug purposes which just makes a test_bit(OF_DETACHED, &x->_flags))

    If nodes are dynamic kernel is allowed to kfree() them. But it will crash attempting to do so on the nodes from FDT -- they are not allocated via kzmalloc().
    Signed-off-by: Wladislav Wiebe
    Acked-by: Alexander Sverdlin
    Signed-off-by: Rob Herring
    Signed-off-by: Ben Hutchings

commit feded5077ba27265ce2f317eeb89dbed64674fed
Author: Roland Dreier
Date:   Mon Aug 5 17:55:01 2013 -0700

    sg: Fix user memory corruption when SG_IO is interrupted by a signal

    commit 35dc248383bbab0a7203fca4d722875bc81ef091 upstream.

    There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following:

     - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl)

     - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code:

            result = wait_event_interruptible(sfp->read_wait,
                    (srp_done(sfp, srp) || sdp->detached));

       but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace:

            srp->orphan = 1;
            write_unlock_irq(&sfp->rq_list_lock);
            return result;  /* -ERESTARTSYS because signal hit process */

       At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc.

     - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through:

            write_lock_irqsave(&sfp->rq_list_lock, iflags);
            if (unlikely(srp->orphan)) {
                    if (sfp->keep_orphan)
                            srp->sg_io_owned = 0;
                    else
                            done = 0;
            }
            srp->done = done;
            write_unlock_irqrestore(&sfp->rq_list_lock, iflags);

            if (likely(done)) {
                    /* Now wake up any sg_read() that is waiting for this
                     * packet.
                     */
                    wake_up_interruptible(&sfp->read_wait);
                    kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
                    kref_put(&sfp->f_ref, sg_remove_sfp);
            } else {
                    INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
                    schedule_work(&srp->ew.work);
            }

       Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue.

     - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().

       The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space!

    As suggested by James Bottomley, add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread.

    There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space.

    Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code.

    Signed-off-by: Roland Dreier
    Tested-by: David Milburn
    Cc: Jens Axboe
    Signed-off-by: James Bottomley
    Signed-off-by: Ben Hutchings

commit efd99ef3a97b5a68e7f7bc87efd62b887f77bc89
Author: Kent Overstreet
Date:   Wed Feb 6 12:23:11 2013 -0800

    block: Add bio_for_each_segment_all()

    commit d74c6d514fe314b8bdab58b487b25992291577ec upstream.

    __bio_for_each_segment() iterates bvecs from the specified index instead of bio->bv_idx.
    Currently, the only usage is to walk all the bvecs after the bio has been advanced by specifying 0 index.

    For immutable bvecs, we need to split these apart; bio_for_each_segment() is going to have a different implementation. This will also help document the intent of code that's using it - bio_for_each_segment_all() is only legal to use for code that owns the bio.

    Signed-off-by: Kent Overstreet
    CC: Jens Axboe
    CC: Neil Brown
    CC: Boaz Harrosh
    [bwh: Backported to 3.2: drop inapplicable change to drivers/block/rbd.c. This is a prerequisite for commit 35dc248383bb 'sg: Fix user memory corruption when SG_IO is interrupted by a signal']
    Signed-off-by: Ben Hutchings

commit 5e72fdb8d827560893642e85a251d339109a00f4
Author: David Vrabel
Date:   Thu Aug 15 13:21:07 2013 +0100

    xen/events: mask events when changing their VCPU binding

    commit 4704fe4f03a5ab27e3c36184af85d5000e0f8a48 upstream.

    When an event is being bound to a VCPU there is a window between the EVTCHNOP_bind_vpcu call and the adjustment of the local per-cpu masks where an event may be lost. The hypervisor upcalls the new VCPU but the kernel thinks that event is still bound to the old VCPU and ignores it.

    There is even a problem when the event is being bound to the same VCPU as there is a small window between the clear_bit() and set_bit() calls in bind_evtchn_to_cpu(). When scanning for pending events, the kernel may read the bit when it is momentarily clear and ignore the event.

    Avoid this by masking the event during the whole bind operation.

    Signed-off-by: David Vrabel
    Signed-off-by: Konrad Rzeszutek Wilk
    Reviewed-by: Jan Beulich
    [bwh: Backported to 3.2: remove the BM() cast]
    Signed-off-by: Ben Hutchings

commit 63493b3e3db6d027fe9b9a53616b8c1a9038ea44
Author: David Vrabel
Date:   Thu Aug 15 13:21:06 2013 +0100

    xen/events: initialize local per-cpu mask for all possible events

    commit 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 upstream.
    The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0.

    In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set where an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur.

    Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks.

    Signed-off-by: David Vrabel
    Signed-off-by: Konrad Rzeszutek Wilk
    Signed-off-by: Ben Hutchings

commit 343077dc5d8ec1fe65caf734d5d4205ac35b3ab2
Author: Terry Suereth
Date:   Sat Aug 17 15:53:12 2013 -0400

    libata: apply behavioral quirks to sil3826 PMP

    commit 8ffff94d20b7eb446e848e0046107d51b17a20a8 upstream.

    Fixing support for the Silicon Image 3826 port multiplier, by applying to it the same quirks applied to the Silicon Image 3726. Specifically fixes the repeated timeout/reset process which previously afflicted the 3726, as described from line 290. Slightly based on notes from: https://bugzilla.redhat.com/show_bug.cgi?id=890237

    Signed-off-by: Terry Suereth
    Signed-off-by: Tejun Heo
    Signed-off-by: Ben Hutchings

commit 132823e00683166597c74acc07ab410360875ac0
Author: Chris Wilson
Date:   Tue Aug 6 19:01:14 2013 +0100

    drm/i915: Invalidate TLBs for the rings after a reset

    commit 884020bf3d2a3787a1cc6df902e98e0eec60330b upstream.

    After any "soft gfx reset" we must manually invalidate the TLBs associated with each ring. Empirically, it seems that a suspend/resume or D3-D0 cycle counts as a "soft reset".
    The symptom is that the hardware would fail to note the new address for its status page, and so it would continue to write the shadow registers and breadcrumbs into the old physical address (now used by something completely different, scary). Whereas the driver would read the new status page and never see any progress, it would appear that the GPU hung immediately upon resume.

    Based on a patch by naresh kumar kachhi

    Reported-by: Thiago Macieira
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64725
    Signed-off-by: Chris Wilson
    Tested-by: Thiago Macieira
    Signed-off-by: Daniel Vetter
    [bwh: Backported to 3.2: add definition of RING_INSTPM() from commit c1cd90ed7957 'drm/i915: collect more per ring error state']
    Signed-off-by: Ben Hutchings

commit 8ab959a23fae461cf05093cfd5b0e6ebdc50aa87
Author: Johan Hovold
Date:   Tue Aug 13 13:27:35 2013 +0200

    USB: keyspan: fix null-deref at disconnect and release

    commit ff8a43c10f1440f07a5faca0c1556921259f7f76 upstream.

    Make sure to fail properly if the device is not accepted during attach in order to avoid null-pointer derefs (of missing interface private data) at disconnect or release.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit d3c49071a1db7a9900134af850b0437005d1a045
Author: Johan Hovold
Date:   Tue Aug 13 13:27:34 2013 +0200

    USB: mos7720: fix broken control requests

    commit ef6c8c1d733e244f0499035be0dabe1f4ed98c6f upstream.

    The parallel-port code of the drivers used a stack allocated control-request buffer for asynchronous (and possibly deferred) control requests. This not only violates the no-DMA-from-stack requirement but could also lead to corrupt control requests being submitted.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 7da375bc4918d1e72f345e9b694064eecddf8d97
Author: Oliver Neukum
Date:   Wed Aug 14 11:01:46 2013 +0200

    usb: add two quirky touchscreen

    commit 304ab4ab079a8ed03ce39f1d274964a532db036b upstream.
    These devices tend to become unresponsive after S3

    Signed-off-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 595886031f65c6940b4f74703c041275cd833655
Author: Andreas Schwab
Date:   Fri Aug 9 15:14:08 2013 +0200

    m68k: Truncate base in do_div()

    commit ea077b1b96e073eac5c3c5590529e964767fc5f7 upstream.

    Explicitly truncate the second operand of do_div() to 32 bits to guard against bogus code calling it with a 64-bit divisor.

    [Thorsten]

    After upgrading from 3.2 to 3.10, mounting a btrfs volume fails with:

    btrfs: setting nodatacow, compression disabled
    btrfs: enabling auto recovery
    btrfs: disk space caching is enabled

commit 52bd8a0804eda6fde7f25ab24caf8dcb6d40da9e
Author: Geert Uytterhoeven
Date:   Fri Jul 26 00:08:25 2013 +0200

    m68k/atari: ARAnyM - Fix NatFeat module support

    commit e8184e10f89736a23ea6eea8e24cd524c5c513d2 upstream.

    As pointed out by Andreas Schwab, pointers passed to ARAnyM NatFeat calls should be physical addresses, not virtual addresses.

    Fortunately on Atari, physical and virtual kernel addresses are the same, as long as normal kernel memory is concerned, so this usually worked fine without conversion.

    But for modules, pointers to literal strings are located in vmalloc()ed memory. Depending on the version of ARAnyM, this causes the nf_get_id() call to just fail, or worse, crash ARAnyM itself with e.g.

        Gotcha! Illegal memory access. Atari PC = $968c

    This is a big issue for distro kernels, who want to have all drivers as loadable modules in an initrd.

    Add a wrapper for nf_get_id() that copies the literal to the stack to work around this issue.

    Reported-by: Thorsten Glaser
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Ben Hutchings

commit bd20948dc24c3a1cf5ea18385943783f11c2c751
Author: yonghua zheng
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()

    commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.
    Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debugging we found this has something to do with following bug in pagemap:

    In struct pagemapread:

    struct pagemapread {
        int pos, len;
        pagemap_entry_t *buffer;
        bool v2;
    };

    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue.

    Correct len to be total number of PM_ENTRY_BYTES in buffer.

    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    [bwh: Backported to 3.2:
     - Adjust context
     - There is no pagemap_entry_t definition; keep using u64]
    Signed-off-by: Ben Hutchings

commit 1cf253ee0a4a3102a1dc89a3001abb31a8b60c00
Author: Stephen Boyd
Date:   Wed Aug 7 16:18:08 2013 -0700

    perf/arm: Fix armpmu_map_hw_event()

    commit b88a2595b6d8aedbd275c07dfa784657b4f757eb upstream.

    Fix constraint check in armpmu_map_hw_event().

    Reported-and-tested-by: Vince Weaver
    Signed-off-by: Ingo Molnar
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 5fff965ef7b5b2a3715b1a4005e6515716e49305
Author: Will Deacon
Date:   Wed Aug 7 23:39:41 2013 +0100

    ARM: 7809/1: perf: fix event validation for software group leaders

    commit c95eb3184ea1a3a2551df57190c81da695e2144b upstream.

    It is possible to construct an event group with a software event as a group leader and then subsequently add a hardware event to the group. This results in the event group being validated by adding all members of the group to a fake PMU and attempting to allocate each event on their respective PMU.

    Unfortunately, for software events without a corresponding arm_pmu, this results in a kernel crash attempting to dereference the ->get_event_idx function pointer.
    This patch fixes the problem by checking explicitly for software events and ignoring those in event validation (since they can always be scheduled). We will probably want to revisit this for 3.12, since the validation checks don't appear to work correctly when dealing with multiple hardware PMUs anyway.

    Reported-by: Vince Weaver
    Tested-by: Vince Weaver
    Tested-by: Mark Rutland
    Signed-off-by: Will Deacon
    Signed-off-by: Russell King
    Signed-off-by: Ben Hutchings

commit c372ce3c31bf53445e71426b56252ca8238c330f
Author: Johan Hovold
Date:   Sun Aug 11 16:49:23 2013 +0200

    USB: ti_usb_3410_5052: fix big-endian firmware handling

    commit e877dd2f2581628b7119df707d4cf03d940cff49 upstream.

    Fix endianness bugs in firmware handling introduced by commits cb7a7c6a ("ti_usb_3410_5052: add Multi-Tech modem support") and 05a3d905 ("ti_usb_3410_5052: support alternate firmware") which made the driver use the wrong firmware for certain devices on big-endian machines.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit 735143e24807a8202d2fde8999eab1c3b761949d
Author: Johan Hovold
Date:   Sun Aug 11 16:49:22 2013 +0200

    USB: adutux: fix big-endian device-type reporting

    commit d482b9d558602a9cacab063b1c8779f9b5214da7 upstream.

    Make sure the reported device-type on big-endian machines is the same as on little-endian ones.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit ccfdfa92dc2b0257a49a8dadec0f6377e821f6b4
Author: Jan Kara
Date:   Mon Aug 12 09:53:28 2013 -0400

    jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()

    commit 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 upstream.

    When jbd2_journal_dirty_metadata() returns error, __ext4_handle_dirty_metadata() stops the handle. However callers of this function do not count with that fact and still happily used now freed handle. This use after free can result in various issues but very likely we oops soon.
    The motivation of adding __ext4_journal_stop() into __ext4_handle_dirty_metadata() in commit 9ea7a0df seems to be only to improve error reporting. So replace __ext4_journal_stop() with ext4_journal_abort_handle() which was there before that commit and add WARN_ON_ONCE() to dump stack to provide useful information.

    Reported-by: Sage Weil
    Signed-off-by: Jan Kara
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Ben Hutchings

commit 81b043782e78a7cdb4ee869d35e493756237a775
Author: Torsten Schenk
Date:   Sun Aug 11 11:11:35 2013 +0200

    ALSA: 6fire: make buffers DMA-able (midi)

    commit 4c2aee0032b70083dafebd733ed9c774633b2fa3 upstream.

    Patch makes midi output buffer DMA-able by allocating it separately.

    Signed-off-by: Torsten Schenk
    Signed-off-by: Takashi Iwai
    Signed-off-by: Ben Hutchings

commit ea8e224015470abda7cda25600d46515115d4b7d
Author: Torsten Schenk
Date:   Sun Aug 11 11:11:19 2013 +0200

    ALSA: 6fire: make buffers DMA-able (pcm)

    commit 5ece263f1d93fba8d992e67e3ab8a71acf674db9 upstream.

    Patch makes pcm buffers DMA-able by allocating each one separately.

    Signed-off-by: Torsten Schenk
    Signed-off-by: Takashi Iwai
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit 79dc7599bc129da10d6c0bb846e0312413260a5d
Author: Dan Carpenter
Date:   Fri Aug 9 12:52:31 2013 +0300

    Hostap: copying wrong data prism2_ioctl_giwaplist()

    commit 909bd5926d474e275599094acad986af79671ac9 upstream.

    We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead.

    Signed-off-by: Dan Carpenter
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit d7f4f7fe6db194fb7e8c65c9d52fdcae451d4a12
Author: Jussi Kivilinna
Date:   Tue Aug 6 14:28:42 2013 +0300

    zd1201: do not use stack as URB transfer_buffer

    commit 1206ff4ff9d2ef7468a355328bc58ac6ebf5be44 upstream.

    Patch fixes zd1201 not to use stack as URB transfer_buffer. URB buffers need to be DMA-able, which stack is not.

    Patch is only compile tested.
    Signed-off-by: Jussi Kivilinna
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit a13fe4408d97fa1eb1063a852aeccc9ada65d8dc
Author: Piotr Sarna
Date:   Thu Aug 8 23:02:24 2013 -0400

    ext4: fix mount/remount error messages for incompatible mount options

    commit 6ae6514b33f941d3386da0dfbe2942766eab1577 upstream.

    Commit 5688978 ("ext4: improve handling of conflicting mount options") introduced incorrect messages shown while choosing wrong mount options.

    First of all, both cases of incorrect mount options, "data=journal,delalloc" and "data=journal,dioread_nolock" result in the same error message.

    Secondly, the problem above isn't solved for remount option: the mismatched parameter is simply ignored. Moreover, ext4_msg states that remount with options "data=journal,delalloc" succeeded, which is not true.

    To fix it up, I added a simple check after parse_options() call to ensure that data=journal and delalloc/dioread_nolock parameters are not present at the same time.

    Signed-off-by: Piotr Sarna
    Acked-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Kyungmin Park
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Ben Hutchings

commit c2d9f22ac7b0b4434df8cd12b6f857647d35c3b1
Author: Curt Brune
Date:   Thu Aug 8 12:11:03 2013 -0700

    hwmon: (adt7470) Fix incorrect return code check

    commit 93d783bcca69bfacc8dc739d8a050498402587b5 upstream.

    In adt7470_write_word_data(), which writes two bytes using i2c_smbus_write_byte_data(), the return codes are incorrectly AND-ed together when they should be OR-ed together.

    The return code of i2c_smbus_write_byte_data() is zero for success.

    The upshot is only the first byte was ever written to the hardware. The 2nd byte was never written out.

    I noticed that trying to set the fan speed limits was not working correctly on my system. Setting the fan speed limits is the only code that uses adt7470_write_word_data(). After making the change the limit settings work and the alarms work also.
    Signed-off-by: Curt Brune
    Signed-off-by: Guenter Roeck
    Signed-off-by: Ben Hutchings

commit d03160d52da816b9f6c87d68bed5aeecaf488191
Author: Alex Deucher
Date:   Sun Aug 4 12:13:17 2013 -0400

    drm/radeon: always program the MC on startup

    commit 6fab3febf6d949b0a12b1e4e73db38e4a177a79e upstream.

    For r6xx+ asics. This mirrors the behavior of pre-r6xx asics. We need to program the MC even if something else in startup() fails. Failure to do so results in an unusable GPU.

    Based on a fix from: Mark Kettenis

    Signed-off-by: Alex Deucher
    [bwh: Backported to 3.2: adjust context, drop changes to cik.c and si.c]
    Signed-off-by: Ben Hutchings

commit eb4a22ba43d91d58a35bc4fce11d8e6065bb4e1d
Author: Jeff Layton
Date:   Wed Aug 7 10:29:08 2013 -0400

    cifs: don't instantiate new dentries in readdir for inodes that need to be revalidated immediately

    commit 757c4f6260febff982276818bb946df89c1105aa upstream.

    David reported that commit c2b93e06 (cifs: only set ops for inodes in I_NEW state) caused a regression with mfsymlinks. Prior to that patch, if a mfsymlink dentry was instantiated at readdir time, the inode would get a new set of ops when it was revalidated. After that patch, this did not occur.

    This patch addresses this by simply skipping instantiating dentries in the readdir codepath when we know that they will need to be immediately revalidated. The next attempt to use that dentry will cause a new lookup to occur (which is basically what we want to happen anyway).

    Cc: "Stefan (metze) Metzmacher"
    Cc: Sachin Prabhu
    Reported-and-Tested-by: David McBride
    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    [bwh: Backported to 3.2: need to return NULL]
    Signed-off-by: Ben Hutchings

commit 4f440a7abb7c4b81192be3e192af8feec8e02ff3
Author: Jussi Kivilinna
Date:   Tue Aug 6 14:53:24 2013 +0300

    ALSA: 6fire: fix DMA issues with URB transfer_buffer usage

    commit ddb6b5a964371e8e52e696b2b258bda144c8bd3f upstream.

    Patch fixes 6fire not to use stack as URB transfer_buffer.
    URB buffers need to be DMA-able, which stack is not. Furthermore, transfer_buffer should not be allocated as part of larger device structure because of DMA coherency issues and patch fixes this issue too.

    Signed-off-by: Jussi Kivilinna
    Tested-by: Torsten Schenk
    Signed-off-by: Takashi Iwai
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit 806dd03bbeeb524604c1f5306d5f7df13b650f3d
Author: Andrew Vagin
Date:   Fri Aug 2 21:16:43 2013 +0400

    tracing: Fix fields of struct trace_iterator that are zeroed by mistake

    commit ed5467da0e369e65b247b99eb6403cb79172bcda upstream.

    tracing_read_pipe zeros all fields below "seq". The declaration contains a comment about that, but it doesn't help.

    The first field is "snapshot", it's true when current open file is snapshot. Looks obvious, that it should not be zeroed.

    The second field is "started". It was converted from cpumask_t to cpumask_var_t (v2.6.28-4983-g4462344), in other words it was converted from cpumask to pointer on cpumask.

    Currently the reference on "started" memory is lost after the first read from tracing_read_pipe and a proper object will never be freed.

    The "started" is never dereferenced for trace_pipe, because trace_pipe can't have the TRACE_FILE_ANNOTATE options.

    Link: http://lkml.kernel.org/r/1375463803-3085183-1-git-send-email-avagin@openvz.org

    Signed-off-by: Andrew Vagin
    Signed-off-by: Steven Rostedt
    [bwh: Backported to 3.2: there's no snapshot field]
    Signed-off-by: Ben Hutchings

commit 8f4b02806149a4d591c60342c3dd6de587a7dd54
Author: Sumit.Saxena@lsi.com
Date:   Tue Jul 16 02:26:05 2013 +0530

    megaraid_sas: megaraid_sas driver init fails in kdump kernel

    commit 6431f5d7c6025f8b007af06ea090de308f7e6881 upstream.

    Problem: When Hardware IOMMU is on, megaraid_sas driver initialization fails in kdump kernel with LSI MegaRAID controller(device id-0x73).

    Actually this issue needs fix in firmware, but for firmware running in field, this driver fix is proposed to resolve the issue.
    At firmware initialization time, if firmware does not come to ready state, driver will reset the adapter and retry for firmware transition to ready state unconditionally(not only executed for kdump kernel).

    Signed-off-by: Sumit Saxena
    Signed-off-by: Kashyap Desai
    Signed-off-by: James Bottomley
    Signed-off-by: Ben Hutchings

commit eb33451dce2704cbd2638e2b950f2c373222ddd5
Author: Stanislaw Gruszka
Date:   Thu Aug 1 12:07:55 2013 +0200

    iwl4965: reset firmware after rfkill off

    commit 788f7a56fce1bcb2067b62b851a086fca48a0056 upstream.

    Using rfkill switch can make firmware unstable, which causes various Microcode errors and kernel warnings. Resetting firmware just after rfkill off (radio on) helped with that.

    Resolve: https://bugzilla.redhat.com/show_bug.cgi?id=977053

    Reported-and-tested-by: Justin Pearce
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    [bwh: Backported to 3.2: adjust filenames, context, naming]
    Signed-off-by: Ben Hutchings

commit f939bb619736f1f6ae06d6670751730bf82a413d
Author: Stanislaw Gruszka
Date:   Thu Aug 1 12:07:13 2013 +0200

    iwl4965: set power mode early

    commit eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4 upstream.

    If device was put into a sleep and system was restarted or module reloaded, we have to wake device up before sending other commands. Otherwise it will fail to start with Microcode error.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    [bwh: Backported to 3.2: adjust filename, context, naming]
    Signed-off-by: Ben Hutchings

commit 14d747003cb7bb0484fa1b76d9745b8432b2f692
Author: Stanislaw Gruszka
Date:   Fri Jul 26 15:29:09 2013 +0200

    iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL

    commit 9186a1fd9ed190739423db84bc344d258ef3e3d7 upstream.
    If channel switch is pending and we remove interface we can crash like shown below due to passing NULL vif to mac80211:

    BUG: unable to handle kernel paging request at fffffffffffff8cc
    IP: [] strnlen+0xd/0x40
    Call Trace:
     [] string.isra.3+0x3e/0xd0
     [] vsnprintf+0x219/0x640
     [] vscnprintf+0x11/0x30
     [] vprintk_emit+0x115/0x4f0
     [] printk+0x61/0x63
     [] ieee80211_chswitch_done+0xaf/0xd0 [mac80211]
     [] iwl_chswitch_done+0x34/0x40 [iwldvm]
     [] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm]
     [] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm]
     [] iwl_set_mode+0x36/0x40 [iwldvm]
     [] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm]
     [] ieee80211_do_stop+0x29d/0x7f0 [mac80211]

    This is because we nullify ctx->vif in iwlagn_mac_remove_interface() before calling some other functions that teardown interface. To fix just check ctx->vif on iwl_chswitch_done(). We should not call ieee80211_chswitch_done() as channel switch works were already canceled by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop().

    Resolve: https://bugzilla.redhat.com/show_bug.cgi?id=979581

    Reported-by: Lukasz Jagiello
    Signed-off-by: Stanislaw Gruszka
    Reviewed-by: Emmanuel Grumbach
    Signed-off-by: Johannes Berg
    [bwh: Backported to 3.2: adjust context, filename]
    Signed-off-by: Ben Hutchings

commit 1cd4b1b1558ca2227047c17dc6f61d07f8406e2f
Author: Chen Gang
Date:   Fri Jul 19 09:01:36 2013 +0800

    cifs: extend the buffer length enought for sprintf() using

    commit 057d6332b24a4497c55a761c83c823eed9e3f23b upstream.

    For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName' length may be "255 + '\0'".

    The related sprintf() may cause memory overflow, so need extend related buffer enough to hold all things.

    It is also necessary to be sure of 'ses->domainName' must be less than 256, and define the related macro instead of hard code number '256'.
    Signed-off-by: Chen Gang
    Reviewed-by: Jeff Layton
    Reviewed-by: Shirish Pargaonkar
    Reviewed-by: Scott Lovenberg
    Signed-off-by: Steve French
    [bwh: Backported to 3.2:
     - Adjust context in sess.c
     - Drop inapplicable changes to connect.c]
    Signed-off-by: Ben Hutchings

commit 3187e1ef04de768d37fb1472a560f648f4f97294
Author: Alex Deucher
Date:   Tue Jul 30 00:22:53 2013 -0400

    drm/radeon/atom: initialize more atom interpretor elements to 0

    commit 42a21826dc54583cdb79cc8477732e911ac9c376 upstream.

    The ProcessAuxChannel table on some rv635 boards assumes the divmul members are initialized to 0 otherwise we get an invalid fb offset since it has a bad mask set when setting the fb base. While here initialize all the atom interpreter elements to 0.

    Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60639

    Signed-off-by: Alex Deucher
    Signed-off-by: Ben Hutchings

commit 45cc55f9365e8a43a5a0394a654abc8f966946e9
Author: Lan Tianyu
Date:   Tue Jul 30 14:00:42 2013 +0200

    ACPI / battery: Fix parsing _BIX return value

    commit 016d5baad04269e8559332df05f89bd95b52d6ad upstream.

    The _BIX method returns extended battery info as a package. According to the ACPI spec (ACPI 5, Section 10.2.2.2), the first member of that package should be "Revision". However, the current ACPI battery driver treats the first member as "Power Unit" which should be the second member. This causes the result of _BIX return data parsing to be incorrect.

    Fix this by adding a new member called 'revision' to struct acpi_battery and adding the offsetof() information on it to extended_info_offsets[] as the first row.

    [rjw: Changelog]
    Reported-and-tested-by: Jan Hoffmann
    References: http://bugzilla.kernel.org/show_bug.cgi?id=60519
    Signed-off-by: Lan Tianyu
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Ben Hutchings

commit 8e4f35b04106decacc4f70e7186d9a600df8002c
Author: Rick Farina (Zero_Chaos)
Date:   Mon Jul 29 15:17:59 2013 -0400

    USB: serial: ftdi_sio: add more RT Systems ftdi devices

    commit fed1f1ed90bce42ea010e2904cbc04e7b8304940 upstream.

    RT Systems makes many usb serial cables based on the ftdi_sio driver for programming various amateur radios. This patch is a full listing of their current product offerings and should allow these cables to all be recognized.

    Signed-off-by: Rick Farina (Zero_Chaos)
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 9e77047af335a301ca5be02a7dcd5d73db0f92e5
Author: Stanislaw Gruszka
Date:   Sun Jul 28 13:17:22 2013 +0200

    rt2x00: fix stop queue

    commit e2288b66fe7ff0288382b2af671b4da558b44472 upstream.

    Since we clear QUEUE_STARTED in rt2x00queue_stop_queue(), following call to rt2x00queue_pause_queue() reduce to noop, i.e we do not stop queue in mac80211.

    To fix that introduce rt2x00queue_pause_queue_nocheck() function, which will stop queue in mac80211 directly.

    Note that rt2x00_start_queue() explicitly set QUEUE_PAUSED bit.

    Note also that reordering operations i.e. first call to rt2x00queue_pause_queue() and then clear QUEUE_STARTED bit, will race with rt2x00queue_unpause_queue(), so calling ieee80211_stop_queue() directly is the only available solution to fix the problem without major rework.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit 4159ea99829958762784766f4522f99c4c1d377a
Author: Amit Shah
Date:   Mon Jul 29 14:23:21 2013 +0930

    virtio: console: return -ENODEV on all read operations after unplug

    commit 96f97a83910cdb9d89d127c5ee523f8fc040a804 upstream.

    If a port gets unplugged while a user is blocked on read(), -ENODEV is returned. However, subsequent read()s returned 0, indicating there's no host-side connection (but not indicating the device went away).
This also happened when a port was unplugged and the user didn't have any blocking operation pending. If the user didn't monitor the SIGIO signal, they won't have a chance to find out if the port went away.

Fix by returning -ENODEV on all read()s after the port gets unplugged. write() already behaves this way.

Signed-off-by: Amit Shah
Signed-off-by: Rusty Russell
Signed-off-by: Ben Hutchings

commit 176e04b0542056d7dd9b765145958724d836a0b1
Author: Amit Shah
Date: Mon Jul 29 14:21:32 2013 +0930

virtio: console: fix raising SIGIO after port unplug

commit 92d3453815fbe74d539c86b60dab39ecdf01bb99 upstream.

SIGIO should be sent when a port gets unplugged. It should only be sent to processes that have the port opened, and have asked for SIGIO to be delivered. We were clearing out guest_connected before calling send_sigio_to_port(), resulting in a sigio not getting sent to processes.

Fix by setting guest_connected to false after invoking the sigio function.

Signed-off-by: Amit Shah
Signed-off-by: Rusty Russell
Signed-off-by: Ben Hutchings

commit 527e22b67db0dfce8a8157e4bfe83e3a6ee93bbc
Author: Amit Shah
Date: Mon Jul 29 14:20:29 2013 +0930

virtio: console: clean up port data immediately at time of unplug

commit ea3768b4386a8d1790f4cc9a35de4f55b92d6442 upstream.

We used to keep the port's char device structs and the /sys entries around till the last reference to the port was dropped. This is actually unnecessary, and resulted in buggy behaviour:

1. Open port in guest
2. Hot-unplug port
3. Hot-plug a port with the same 'name' property as the unplugged one

This resulted in hot-plug being unsuccessful, as a port with the same name already exists (even though it was unplugged).
This behaviour resulted in a warning message like this one:

-------------------8<---------------------------------------
WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted)
Hardware name: KVM
sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/virtio0/virtio-ports/vport0p1'
Call Trace:
[] ? warn_slowpath_common+0x87/0xc0
[] ? warn_slowpath_fmt+0x46/0x50
[] ? sysfs_add_one+0xc9/0x130
[] ? create_dir+0x68/0xb0
[] ? sysfs_create_dir+0x39/0x50
[] ? kobject_add_internal+0xb9/0x260
[] ? kobject_add_varg+0x38/0x60
[] ? kobject_add+0x44/0x70
[] ? get_device_parent+0xf4/0x1d0
[] ? device_add+0xc9/0x650
-------------------8<---------------------------------------

Instead of relying on guest applications to release all references to the ports, we should go ahead and unregister the port from all the core layers. Any open/read calls on the port will then just return errors, and an unplug/plug operation on the host will succeed as expected.

This also caused buggy behaviour in case of the device removal (not just a port): when the device was removed (which means all ports on that device are removed automatically as well), the ports with active users would clean up only when the last references were dropped -- and it would be too late then to be referencing char device pointers, resulting in oopses:

-------------------8<---------------------------------------
PID: 6162 TASK: ffff8801147ad500 CPU: 0 COMMAND: "cat"
#0 [ffff88011b9d5a90] machine_kexec at ffffffff8103232b
#1 [ffff88011b9d5af0] crash_kexec at ffffffff810b9322
#2 [ffff88011b9d5bc0] oops_end at ffffffff814f4a50
#3 [ffff88011b9d5bf0] die at ffffffff8100f26b
#4 [ffff88011b9d5c20] do_general_protection at ffffffff814f45e2
#5 [ffff88011b9d5c50] general_protection at ffffffff814f3db5
[exception RIP: strlen+2]
RIP: ffffffff81272ae2 RSP: ffff88011b9d5d00 RFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff880118901c18 RCX: 0000000000000000
RDX: ffff88011799982c RSI: 00000000000000d0 RDI: 3a303030302f3030
RBP: ffff88011b9d5d38 R8: 0000000000000006 R9: ffffffffa0134500
R10: 0000000000001000 R11: 0000000000001000 R12: ffff880117a1cc10
R13: 00000000000000d0 R14: 0000000000000017 R15: ffffffff81aff700
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#6 [ffff88011b9d5d00] kobject_get_path at ffffffff8126dc5d
#7 [ffff88011b9d5d40] kobject_uevent_env at ffffffff8126e551
#8 [ffff88011b9d5dd0] kobject_uevent at ffffffff8126e9eb
#9 [ffff88011b9d5de0] device_del at ffffffff813440c7
-------------------8<---------------------------------------

So clean up when we have all the context, and all that's left to do when the references to the port have dropped is to free up the port struct itself.

Reported-by: chayang
Reported-by: YOGANANTH SUBRAMANIAN
Reported-by: FuXiangChun
Reported-by: Qunfang Zhang
Reported-by: Sibiao Luo
Signed-off-by: Amit Shah
Signed-off-by: Rusty Russell
Signed-off-by: Ben Hutchings

commit 55fa4acf3f2750cf70fbae4534b630f74397e6b9
Author: Amit Shah
Date: Mon Jul 29 14:17:13 2013 +0930

virtio: console: fix race in port_fops_open() and port unplug

commit 671bdea2b9f210566610603ecbb6584c8a201c8c upstream.

Between open() being called and processed, the port can be unplugged. Check if this happened, and bail out.

A simple test script to reproduce this is:

while true; do for i in $(seq 1 100); do echo $i > /dev/vport0p3; done; done;

This opens and closes the port a lot of times; unplugging the port while this is happening triggers the bug.

Signed-off-by: Amit Shah
Signed-off-by: Rusty Russell
Signed-off-by: Ben Hutchings

commit 0426ea8291c0cdcf0d585c39a7bfae18e621d93b
Author: Amit Shah
Date: Mon Jul 29 14:16:13 2013 +0930

virtio: console: fix race with port unplug and open/close

commit 057b82be3ca3d066478e43b162fc082930a746c9 upstream.

There's a window between find_port_by_devt() returning a port and us taking a kref on the port, where the port could get unplugged. Fix it by taking the reference in find_port_by_devt() itself.
Problem reported and analyzed by Mateusz Guzik.

Reported-by: Mateusz Guzik
Signed-off-by: Amit Shah
Signed-off-by: Rusty Russell
Signed-off-by: Ben Hutchings

commit 090f5ec2de3025a9d6d0f65ff0b535c5bac01fa8
Author: Jacob Keller
Date: Fri Jul 26 05:46:35 2013 -0700

ixgbe: Fix Tx Hang issue with lldpad on 82598EB

commit 1eb9ac14c34a948bf1538bfb9034e8ab29099a64 upstream.

This patch fixes an issue with the 82598EB device, where lldpad is causing Tx Hangs on the card as soon as it attempts to configure DCB for the device. The adapter will continually Tx hang and reset in a loop.

Signed-off-by: Jacob Keller
Tested-by: Phil Schmitt
Tested-by: Jack Morgan
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 23d782ea98013f8d0c96233a720e9373ff741648
Author: Uwe Kleine-König
Date: Fri Jun 28 11:49:41 2013 +0200

serial/mxs-auart: increase time to wait for transmitter to become idle

commit 079a036f4283e2b0e5c26080b8c5112bc0cc1831 upstream.

Without this patch the driver waits ~1 ms for the UART to become idle. At 115200n8 this time is (theoretically) enough to transfer 11.5 characters (= 115200 bits/s / (10 Bits/char) * 1ms). As the mxs-auart has a fifo size of 16 characters the clock is gated too early. The problem is worse for lower baud rates.

This only happens to really shut down the transmitter in the middle of a transfer if /dev/ttyAPPx isn't opened in userspace (e.g. by a getty) but was at least once (because the bootloader doesn't disable the transmitter).

So increase the timeout to 20 ms which should be enough for 9600n8, too. Moreover skip gating the clock if the timeout is elapsed.

Signed-off-by: Uwe Kleine-König
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 5404dcaa6bc28af1bcd26e96c5010cc282c54a91
Author: Uwe Kleine-König
Date: Thu Jul 4 11:28:51 2013 +0200

serial/mxs-auart: fix race condition in interrupt handler

commit d970d7fe65adff5efe75b4a73c4ffc9be57089f7 upstream.
The handler needs to ack the pending events before actually handling them. Otherwise a new event might come in after it is considered non-pending or handled and is acked then without being handled. So this event is only noticed when the next interrupt happens.

Without this patch an i.MX28 based machine running an rt-patched kernel regularly hangs during boot.

Signed-off-by: Uwe Kleine-König
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings

commit 6380025aff7900370d4488ee4bfd95ac6c6491d5
Author: Johan Hovold
Date: Fri Jul 26 11:55:17 2013 +0200

USB: mos7840: fix race in register handling

commit d8a083cc746664916d9d36ed9e4d08a29525f245 upstream.

Fix race in mos7840_get_reg which unconditionally manipulated the control urb (which may already be in use) by adding a control-urb busy flag.

Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings

commit 6d047ebfeb1e96641e65cb9bf7de132fc565c01e
Author: Tomasz Moń
Date: Tue Jul 23 07:42:49 2013 +0200

mwifiex: Add missing endian conversion.

commit 83e612f632c3897be29ef02e0472f6d63e258378 upstream.

Both type and pkt_len variables are in host endian and these should be in Little Endian in the payload.

Signed-off-by: Tomasz Moń
Acked-by: Bing Zhao
Signed-off-by: John W. Linville
Signed-off-by: Ben Hutchings

commit 708d8db1f9265dbc239338a26202fd2099b72337
Author: H.J. Lu
Date: Fri Jul 26 09:11:56 2013 -0700

x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz

commit eaa5a990191d204ba0f9d35dbe5505ec2cdd1460 upstream.
GCC will optimize mxcsr_feature_mask_init in arch/x86/kernel/i387.c:

    memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
    asm volatile("fxsave %0" : : "m" (fx_scratch));
    mask = fx_scratch.mxcsr_mask;
    if (mask == 0)
        mask = 0x0000ffbf;

to

    memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
    asm volatile("fxsave %0" : : "m" (fx_scratch));
    mask = 0x0000ffbf;

since asm statement doesn’t say it will update fx_scratch. As the result, the DAZ bit will be cleared. This patch fixes it. This bug dates back to at least kernel 2.6.12.

Signed-off-by: H. Peter Anvin
Signed-off-by: Ben Hutchings

commit 2c8efb72eb19898e2ff31184c76e37a0070c494b
Author: Will Deacon
Date: Thu Jul 25 11:44:48 2013 +0100

ARM: 7791/1: a.out: remove partial a.out support

commit acfdd4b1f7590d02e9bae3b73bdbbc4a31b05d38 upstream.

a.out support on ARM requires that argc, argv and envp are passed in r0-r2 respectively, which requires hacking load_aout_binary to prevent argc being clobbered by the return code. Whilst mainline kernels do set the registers up in start_thread, the aout loader has never carried the hack in mainline.

Initialising the registers in this way actually goes against the libc expectations for ELF binaries, where argc, argv and envp are passed on the stack, with r0 being used to hold a pointer to an exit function for cleaning up after the dynamic linker if required. If the pointer is NULL, then it is ignored. When execing an ELF binary, Linux currently zeroes r0, then sets it to argc and then finally clobbers it with the return value of the execve syscall, so we actually end up with:

    r0 = 0
    stack[0] = argc
    r1 = stack[1] = argv
    r2 = stack[2] = envp

libc treats r1 and r2 as undefined. The clobbering of r0 by sys_execve works for user-spawned threads, but when executing an ELF binary from a kernel thread (via call_usermodehelper), the execve is performed on the ret_from_fork path, which restores r0 from the saved pt_regs, resulting in argc being presented to the C library.
This has horrible consequences when the application exits, since we have an exit function registered using argc, resulting in a jump to hyperspace.

This patch solves the problem by removing the partial a.out support from arch/arm/ altogether.

Cc: Ashish Sangwan
Signed-off-by: Will Deacon
Signed-off-by: Russell King
[bwh: Backported to 3.2:
 - Adjust context
 - Adjust uapi filename]
Signed-off-by: Ben Hutchings

commit b395e4661bfaff659a8a9f9ba37f894742e9d923
Author: AceLan Kao
Date: Thu Jun 20 13:38:45 2013 +0800

Bluetooth: Add support for Atheros [0cf3:e003]

commit 1d5b569ef85d013a775560a90050dc630614c045 upstream.

Add support for the AR9462 chip

T: Bus=02 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0cf3 ProdID=e003 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: AceLan Kao
Signed-off-by: Gustavo Padovan
Signed-off-by: Ben Hutchings

commit 39a53ec969b52200a55974a8c6650efb0a3c4abd
Author: AceLan Kao
Date: Wed Jul 17 11:27:40 2013 +0800

Bluetooth: Add support for Atheros [0cf3:3121]

commit 1ebd0b21ab14efb75950079840eac29afea2a26e upstream.

Add support for the AR3012 chip.

T: Bus=03 Lev=01 Prnt=01 Port=06 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0cf3 ProdID=3121 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: AceLan Kao
Signed-off-by: Gustavo Padovan
Signed-off-by: Ben Hutchings

commit ba1251e87fc4643d7e3d75ef5c1ccf09b2a5e626
Author: Sujith Manoharan
Date: Mon Jul 15 09:29:03 2013 +0530

Bluetooth: ath3k: Add support for ID 0x13d3/0x3402

commit 5b77a1f3d7b7360dc2b7c6d2188d39b9f8432907 upstream.
T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3402 Rev= 0.02
S: Manufacturer=Atheros Communications
S: Product=Bluetooth USB Host Controller
S: SerialNumber=Alaska Day 2006
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=59701
Signed-off-by: Sujith Manoharan
Signed-off-by: Gustavo Padovan
Signed-off-by: Ben Hutchings

commit fb2e4631a7e23c37b9e2e7b2fd776231bbfc39d4
Author: Thomas Loo
Date: Wed Jul 3 02:53:54 2013 +0200

Bluetooth: ath3k: Add support for Fujitsu Lifebook UH5x2 [04c5:1330]

commit 84eb2ae1807dd1467bf6f500fc69ae61f1907b75 upstream.

The Fujitsu Lifebook UH552/UH572 ships with a Qualcomm AR9462/AR3012 WLAN/BT-Combo card. Add device ID to the ath3k driver to enable the bluetooth side of things. Patch against v3.10.

T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04c5 ProdID=1330 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Thomas Loo
Signed-off-by: Gustavo Padovan
Signed-off-by: Ben Hutchings

commit ff98736cbbbeb9087d4e5d7cb89e05c3e8bd01d6
Author: Cho, Yu-Chen
Date: Tue Jun 4 21:40:26 2013 +0800

Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f]

commit 178c059e7640aa8e50213400c6f3dde00189d979 upstream.

This patch adds support for Mediatek Bluetooth device

T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.01 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0e8d ProdID=763f Rev= 1.00
S: Manufacturer=MediaTek
S: Product=BT
S: SerialNumber=1.0
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=450mA
A: FirstIf#= 0 IfCount= 2 Cls=ff(vend.) Sub=ff Prot=ff
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms

Signed-off-by: Cho, Yu-Chen
Signed-off-by: Gustavo Padovan
Signed-off-by: John W. Linville
Signed-off-by: Ben Hutchings

commit 64bb65c2cc9b45e88aa38d235e9af30e70c7e01f
Author: Noguchi Kazutosi
Date: Sun Mar 24 23:41:10 2013 +0900

Bluetooth: Add support for Foxconn/Hon Hai [0489:e04d]

commit 0fc110f4e4f569e12c472f73f0af485e05631403 upstream.

Add support for the AR3012 chip.
T: Bus=01 Lev=02 Prnt=02 Port=05 Cnt=03 Dev#= 21 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e04d Rev=00.02
S: Manufacturer=Atheros Communications
S: Product=Bluetooth USB Host Controller
S: SerialNumber=Alaska Day 2006
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Noguchi Kazutosi
Signed-off-by: Gustavo Padovan
Signed-off-by: Ben Hutchings

commit cab200d2837cf98d293c06c5bbcefd5ae2df7c66
Author: Oleksij Rempel
Date: Fri Jul 19 20:16:17 2013 +0200

ath9k_htc: do some initial hardware configuration

commit dc2a87f519a4d8cb376ab54f22b6b98a943b51ce upstream.

Currently we configure hardware and clock, only after interface start. In this case, if we reload module or reboot PC without configuring adapter, firmware will freeze. There is no software way to reset adapter.

This patch adds initial configuration and sets it in disabled state, to avoid this freeze. Behaviour of this patch should be similar to: ifconfig wlan0 up; ifconfig wlan0 down.

Bug: https://github.com/qca/open-ath9k-htc-firmware/issues/1
Tested-by: Bo Shi
Signed-off-by: Oleksij Rempel
Signed-off-by: John W. Linville
Signed-off-by: Ben Hutchings

commit 5e61ced05ec882f0f1ab68149fa0964bf3bf8fa9
Author: Emmanuel Grumbach
Date: Thu Jul 18 19:11:26 2013 +0300

iwlwifi: add DELL SKU for 5150 HMC

commit a1923f1d4723e5757cefdd60f7c7ab30e472007a upstream.

This SKU was missing in the list of supported devices

https://bugzilla.kernel.org/show_bug.cgi?id=60577

Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings

commit c971eae7d1ca6ec31cf1a45e5e41b70e8fc8cddc
Author: Johannes Berg
Date: Fri May 3 18:58:16 2013 +0200

iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth

commit 707aee401d2467baa785a697f40a6e2d9ee79ad5 upstream.
The BT_CONFIG command that is sent to the device during startup will enable BT coex unless the module parameter turns it off, but on devices without Bluetooth this may cause problems, as reported in Redhat BZ 885407.

Fix this by sending the BT_CONFIG command only when the device has Bluetooth.

Reviewed-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
[bwh: Backported to 3.2:
 - Adjust filename
 - s/priv->lib/priv->cfg/]
Signed-off-by: Ben Hutchings

commit 517c62b4ca84901872c82a94ed10162111e4be97
Author: Johannes Berg
Date: Thu Jul 11 22:33:26 2013 +0200

mac80211: fix duplicate retransmission detection

commit 6b0f32745dcfba01d7be33acd1b40306c7a914c6 upstream.

The duplicate retransmission detection code in mac80211 erroneously attempts to do the check for every frame, even frames that don't have a sequence control field or that don't use it (QoS-Null frames.)

This is problematic because it causes the code to access data beyond the end of the SKB and depending on the data there will drop packets erroneously.

Correct the code to not do duplicate detection for such frames.

I found this error while testing AP powersave, it led to retransmitted PS-Poll frames being dropped entirely as the data beyond the end of the SKB was always zero.

Signed-off-by: Johannes Berg
Signed-off-by: Ben Hutchings

commit 0b06991f5cbcc15b8457b5c53e3d1e0c6d245f08
Author: Michal Kazior
Date: Tue Jun 25 09:17:17 2013 +0200

nl80211: fix mgmt tx status and testmode reporting for netns

commit a0ec570f4f69c4cb700d743a915096c2c8f56a99 upstream.

These two events were sent to the default network namespace.

This caused AP mode in a non-default netns to not work correctly. Mgmt tx status was multicasted to a different (default) netns instead of the one the AP was in.
Signed-off-by: Michal Kazior
Signed-off-by: Johannes Berg
Signed-off-by: Ben Hutchings

commit b0aede29af33b022c7a6d4ca00b3dede29899516
Author: Linus Torvalds
Date: Sat Apr 27 13:25:38 2013 -0700

vm: add no-mmu vm_iomap_memory() stub

commit 3c0b9de6d37a481673e81001c57ca0e410c72346 upstream.

I think we could just move the full vm_iomap_memory() function into util.h or similar, but I didn't get any reply from anybody actually using nommu even to this trivial patch, so I'm not going to touch it any more than required.

Here's the fairly minimal stub to make the nommu case at least potentially work. It doesn't seem like anybody cares, though.

Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings

commit a103ab32f1683201ab4b61ca53d199be4562a62d
Author: Dave Kleikamp
Date: Thu Aug 15 15:36:49 2013 -0500

jfs: fix readdir cookie incompatibility with NFSv4

commit 44512449c0ab368889dd13ae0031fba74ee7e1d2 upstream.

NFSv4 reserves readdir cookie values 0-2 for special entries (. and ..), but jfs allows a value of 2 for a non-special entry. This incompatibility can result in the nfs client reporting a readdir loop.

This patch doesn't change the value stored internally, but adds one to the value exposed to the iterate method.

Signed-off-by: Dave Kleikamp
Tested-by: Christian Kujau
[bwh: Backported to 3.2:
 - Adjust context
 - s/ctx->pos/filp->f_pos/]
Signed-off-by: Ben Hutchings

commit 70bea7f2c038f04b5bc2e84f12615f79ed394d13
Author: Dan Carpenter
Date: Tue Jun 12 10:37:08 2012 +0300

NFSv4.1: integer overflow in decode_cb_sequence_args()

commit 0439f31c35d1da0b28988b308ea455e38e6a350d upstream.

This seems like it could overflow on 32 bits. Use kmalloc_array() which has overflow protection built in.

Signed-off-by: Dan Carpenter
Signed-off-by: Trond Myklebust
Signed-off-by: Ben Hutchings

commit 433b06a8f4b04e560c3ad8e13bf60b1fa6186341
Author: Xi Wang
Date: Mon Mar 5 15:14:41 2012 -0800

slab: introduce kmalloc_array()

commit a8203725dfded5c1f79dca3368a4a273e24b59bb upstream.
Introduce a kmalloc_array() wrapper that performs integer overflow checking without zeroing the memory.

Suggested-by: Andrew Morton
Suggested-by: Jens Axboe
Signed-off-by: Xi Wang
Cc: Dan Carpenter
Acked-by: David Rientjes
Signed-off-by: Andrew Morton
Signed-off-by: Pekka Enberg
Signed-off-by: Ben Hutchings

commit 0aaf4c42a31301cc59177aa3246fdd7b20b570fa
Author: Dan Carpenter
Date: Wed Jun 26 10:52:20 2013 +0300

ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()

commit bd5fe738e388ceaa32e5171481e0d3ec59f0ccfe upstream.

"idx" is controlled by the user and can be a negative offset into the input_names[] array.

Signed-off-by: Dan Carpenter
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings

commit d546eadecc19fa06a326c051640ae7a24d43de2e
Author: Torstein Hegge
Date: Tue Mar 19 17:12:14 2013 +0100

ALSA: usb: Parse UAC2 extension unit like for UAC1

commit 61ac51301e6c6d4ed977d7674ce2b8e713619a9b upstream.

UAC2_EXTENSION_UNIT_V2 differs from UAC1_EXTENSION_UNIT, but can be handled in the same way when parsing the unit. Otherwise parse_audio_unit() fails when it sees an extension unit on a UAC2 device.

UAC2_EXTENSION_UNIT_V2 is outside the range allocated by UAC1.

Signed-off-by: Torstein Hegge
Acked-by: Daniel Mack
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings

commit 2ca3bc2ba143bdaf753b88310455074a3d2ed7e4
Author: Eldad Zack
Date: Wed Nov 28 23:55:36 2012 +0100

ALSA: usb-audio: skip UAC2 EFFECT_UNIT

commit 5dae5fd24071319bb67d3375217d5b0b6d16cb0b upstream.

Current code mishandles the case where the device is a UAC2 and the bDescriptorSubtype is a UAC2 Effect Unit (0x07). It tries to parse it as a Processing Unit (which is similar to two other UAC1 units with overlapping subtypes), but since the structure is different (See: 4.7.2.10, 4.7.2.11 in UAC2 standard), the parsing is done incorrectly and prevents the device from initializing.

For now, just ignore the unit.
Signed-off-by: Eldad Zack
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings

commit 54811a1992e2c5e318ae91b99ea94c9724bc8f66
Author: Nicolas Dichtel
Date: Mon Feb 18 16:24:20 2013 +0100

af_key: initialize satype in key_notify_policy_flush()

commit 85dfb745ee40232876663ae206cba35f24ab2a40 upstream.

This field was left uninitialized. Some user daemons perform check against this field.

Signed-off-by: Nicolas Dichtel
Signed-off-by: Steffen Klassert
Signed-off-by: Ben Hutchings

commit 0c660284653b3b27cc52dc04c42ae975c4f3e6b2
Author: Daniel Vetter
Date: Wed Jul 11 16:27:52 2012 +0200

drm/i915/lvds: ditch ->prepare special case

commit 520c41cf2fa029d1e8b923ac2026f96664f17c4b upstream.

LVDS is the first output where dpms on/off and prepare/commit don't perfectly match. Now the idea behind this special case seems to be that for simple resolution changes on the LVDS we don't need to stop the pipe, because (at least on newer chips) we can adjust the panel fitter on the fly.

There are a few problems with the current code though:
- We still stop and restart the pipe unconditionally, because the crtc helper code isn't flexible enough.
- We show some ugly flickering, especially when changing crtcs (this the crtc helper would actually take into account, but we don't implement the encoder->get_crtc callback required to make this work properly).

So it doesn't even work as advertised. I agree that it would be nice to do resolution changes on LVDS (and also eDP) without blacking the screen where the panel fitter allows to do that. But imo we should implement this as a special case a few layers up in the mode set code, akin to how we already detect simple framebuffer changes (and only update the required registers with ->mode_set_base).

Until this is all in place, make our lives easier and just rip it out.
Also note that this seems to fix actual bugs with enabling the lvds output, see:

http://lists.freedesktop.org/archives/intel-gfx/2012-July/018614.html

Cc: Takashi Iwai
Cc: Giacomo Comes
Acked-by: Chris Wilson
Tested-by: Takashi Iwai
Signed-Off-by: Daniel Vetter
Signed-off-by: Ben Hutchings

commit a0fb2c987486da9c649e35cd565507576d491cec
Author: Dan Carpenter
Date: Tue Jul 30 13:23:39 2013 +0300

net_sched: info leak in atm_tc_dump_class()

[ Upstream commit 8cb3b9c3642c0263d48f31d525bcee7170eedc20 ]

The "pvc" struct has a hole after pvc.sap_family which is not cleared.

Signed-off-by: Dan Carpenter
Reviewed-by: Jiri Pirko
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 508bc01145f58f40639324064f31a83d7cf371f3
Author: Dan Carpenter
Date: Sun Jul 28 23:04:45 2013 +0300

af_key: more info leaks in pfkey messages

[ Upstream commit ff862a4668dd6dba962b1d2d8bd344afa6375683 ]

This is inspired by a5cc68f3d6 "af_key: fix info leaks in notify messages". There are some struct members which don't get initialized and could disclose small amounts of private information.

Acked-by: Mathias Krause
Signed-off-by: Dan Carpenter
Acked-by: Steffen Klassert
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit fff2afebe918cd98ef5499af9f6e55c741bca1dd
Author: David S. Miller
Date: Tue Jul 30 00:16:21 2013 -0700

net_sched: Fix stack info leak in cbq_dump_wrr().

[ Upstream commit a0db856a95a29efb1c23db55c02d9f0ff4f0db48 ]

Make sure the reserved fields, and padding (if any), are fully initialized.

Based upon a patch by Dan Carpenter and feedback from Joe Perches.

Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit bebbaccfb5aca61648dfeb8cfa25ce3293bc8ddb
Author: Eric Dumazet
Date: Tue Jul 23 17:15:54 2013 -0700

usbnet: do not pretend to support SG/TSO

[ Upstream commit 20f0170377264e8449b6987041f0bcc4d746d3ed ]

usbnet doesn't support yet SG, so drivers should not advertise SG or TSO capabilities, as they allow TCP stack to build large TSO packets that need to be linearized and might use order-5 pages.

This adds an extra copy overhead and possible allocation failures.

Current code ignores skb_linearize() return code so crashes are even possible.

Best is to not pretend SG/TSO is supported, and add this again when/if usbnet really supports SG for devices who could get a performance gain.

Based on a prior patch from Freddy Xin

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 0d7524ff0c62ea63b6a4b65173e67ef8eeefb402
Author: Hannes Frederic Sowa
Date: Mon Jul 22 23:45:53 2013 +0200

ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup

[ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ]

Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer which leads to a panic (from Srivatsa S.
Bhat):

BUG: unable to handle kernel paging request at ffff882018552020
IP: [] ip6mr_sk_done+0x32/0xb0 [ipv6]
PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter +ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
Hardware name: IBM -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
Workqueue: netns cleanup_net
task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
RIP: 0010:[] [] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP: 0018:ffff881039367bd8 EFLAGS: 00010286
RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
Stack:
ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
Call Trace:
[] rawv6_close+0x21/0x40 [ipv6]
[] inet_release+0xfb/0x220
[] ? inet_release+0x22/0x220
[] inet6_release+0x3f/0x50 [ipv6]
[] sock_release+0x29/0xa0
[] sk_release_kernel+0x30/0x70
[] icmpv6_sk_exit+0x3b/0x80 [ipv6]
[] ops_exit_list+0x39/0x60
[] cleanup_net+0xfb/0x1a0
[] process_one_work+0x1da/0x610
[] ? process_one_work+0x169/0x610
[] worker_thread+0x120/0x3a0
[] ? process_one_work+0x610/0x610
[] kthread+0xee/0x100
[] ? __init_kthread_worker+0x70/0x70
[] ret_from_fork+0x7c/0xb0
[] ? __init_kthread_worker+0x70/0x70
Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
RIP [] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP
CR2: ffff882018552020

Reported-by: Srivatsa S. Bhat
Tested-by: Srivatsa S. Bhat
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 681c76440d4d1a0f1956f0f655931c12cfabd5bd
Author: Neil Horman
Date: Wed Jun 12 14:26:44 2013 -0400

sctp: fully initialize sctp_outq in sctp_outq_init

[ Upstream commit c5c7774d7eb4397891edca9ebdf750ba90977a69 ]

In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initialize the outq structure. Steve West recently asked me why I removed the q->error = 0 initialization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initialize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead.

Signed-off-by: Neil Horman
Reported-by: "West, Steve (NSN - US/Fort Worth)"
CC: Vlad Yasevich
CC: netdev@vger.kernel.org
CC: davem@davemloft.net
Acked-by: Vlad Yasevich
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 2dec485f87d4bcfe9808e379f002a8444c09321c
Author: Michal Tesar
Date: Fri Jul 19 14:09:01 2013 +0200

sysctl net: Keep tcp_syn_retries inside the boundary

[ Upstream commit 651e92716aaae60fc41b9652f54cb6803896e0da ]

Limit the min/max value passed to the /proc/sys/net/ipv4/tcp_syn_retries.

Signed-off-by: Michal Tesar
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 7d406db24d89f4cbbf13d5b5f80386e145d8b6fa
Author: Dan Carpenter
Date: Fri Jul 19 08:48:05 2013 +0300

arcnet: cleanup sizeof parameter

[ Upstream commit 087d273caf4f7d3f2159256f255f1f432bc84a5b ]

This patch doesn't change the compiled code because ARC_HDR_SIZE is 4 and sizeof(int) is 4, but the intent was to use the header size and not the sizeof the header size.

Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

commit 6fb06654d8b1b3e64a28765c103846852e475e9b
Author: Joshua Zhu
Date: Sat Jan 5 13:29:57 2013 +0800

perf tools: Add anonymous huge page recognition

commit d0528b5d71faf612014dd7672e44225c915344b2 upstream.

Judging anonymous memory's vm_area_struct, perf_mmap_event's filename will be set to "//anon" indicating this vma belongs to anonymous memory.

Once hugepage is used, vma's vm_file points to hugetlbfs. In this way, this vma will not be regarded as anonymous memory by is_anon_memory() in perf user space utility.

Signed-off-by: Joshua Zhu
Cc: Akihiro Nagai
Cc: Andi Kleen
Cc: David Ahern
Cc: Ingo Molnar
Cc: Jiri Olsa
Cc: Joshua Zhu
Cc: Namhyung Kim
Cc: Paul Mackerras
Cc: Peter Zijlstra
Link: http://lkml.kernel.org/r/1357363797-3550-1-git-send-email-zhu.wen-jie@hp.com
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: Ben Hutchings

commit 6c660b2a49d3ac2f09b75002aff43077b7ef9de6
Author: Jiri Olsa
Date: Fri Feb 1 11:23:45 2013 +0100

perf: Fix event group context move

commit 0231bb5336758426b44ccd798ccd3c5419c95d58 upstream.

When we have group with mixed events (hw/sw) we want to end up with group leader being in hw context. So if group leader is initially sw event, we move all the events under hw context.

The move is done for each event by removing it from its context and adding it back into proper one. As a part of the removal the event is automatically disabled, which is not what we want at this stage of creating groups.

The fix is to initialize event state after removal from sw context.

This fix resulted from the following discussion:

http://thread.gmane.org/gmane.linux.kernel.perf.user/1144

Reported-by: Andreas Hollmann
Signed-off-by: Jiri Olsa
Cc: Arnaldo Carvalho de Melo
Cc: Namhyung Kim
Cc: Corey Ashford
Cc: Frederic Weisbecker
Cc: Paul Mackerras
Cc: Peter Zijlstra
Cc: Stephane Eranian
Cc: Vince Weaver
Link: http://lkml.kernel.org/r/1359714225-4231-1-git-send-email-jolsa@redhat.com
Signed-off-by: Ingo Molnar
Signed-off-by: Ben Hutchings

commit 3bc95d6459a7c185f814ac2c8ba0ccda351cdc08
Author: Kamal Mostafa
Date: Fri Jul 19 15:02:01 2013 -0700

drm/i915: quirk no PCH_PWM_ENABLE for Dell XPS13 backlight

commit e85843bec6c2ea7c10ec61238396891cc2b753a9 upstream.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=47941
BugLink: https://bugs.launchpad.net/bugs/1163720
BugLink: https://bugs.launchpad.net/bugs/1162026

Some machines suffer from non-functional backlight controls if BLM_PCH_PWM_ENABLE is set, so provide a quirk to avoid doing so.
Apply this quirk to Dell XPS 13 models.

Tested-by: Eric Griffith
Tested-by: Kent Baxley
Signed-off-by: Kamal Mostafa
Signed-off-by: Daniel Vetter
[ kamal: backport to 3.2 ]
Signed-off-by: Ben Hutchings

commit bb8d7bf7a9f112926e8b32c8c127136dea47f03f
Author: Zhu Yanhai
Date: Tue Jan 8 12:56:52 2013 +0800

sched: Fix the broken sched_rr_get_interval()

commit a59f4e079d19464eebb9b06513a1d4f55fdae5ba upstream.

The caller of sched_sliced() should pass se.cfs_rq and se as the arguments, however in sched_rr_get_interval() we gave it rq.cfs_rq and se, which made the following computation obviously wrong.

The change was introduced by commit:

77034937dc45 sched: fix crash in sys_sched_rr_get_interval()

... 5 years ago, while it had been the correct 'cfs_rq_of' before the commit. The change seems to be irrelevant to the commit msg, which was to return a 0 timeslice for tasks that are on an idle runqueue. So I believe that was just a plain typo.

Signed-off-by: Zhu Yanhai
Cc: Peter Zijlstra
Cc: Paul Turner
Cc: Thomas Gleixner
Cc: Steven Rostedt
Cc: Andrew Morton
Cc: Linus Torvalds
Link: http://lkml.kernel.org/r/1357621012-15039-1-git-send-email-gaoyang.zyh@taobao.com
[ Since this is an ABI and an old bug, we'll test this via a slow upstream route, to hopefully discover any app breakage. ]
Signed-off-by: Ingo Molnar
Signed-off-by: Ben Hutchings

commit d2f1837b4bfeca92b188de170a6abd1ee4514dbc
Author: Tejun Heo
Date: Mon Jul 22 16:53:36 2013 -0400

libata: make it clear that sata_inic162x is experimental

commit bb9696192826a7d9279caf872e95b41bc26c7eff upstream.

sata_inic162x never reached a state where it's reliable enough for production use and data corruption is a relatively common occurrence. Make the driver generate warning about the issues and mark the Kconfig option as experimental.

If the situation doesn't improve, we'd be better off making it depend on CONFIG_BROKEN. Let's wait for several cycles and see if the kernel message draws any attention.

Signed-off-by: Tejun Heo
Reported-by: Martin Braure de Calignon
Reported-by: Ben Hutchings
Reported-by: risc4all@yahoo.com
Signed-off-by: Ben Hutchings

commit 27832cf2abc729858fcd92131d83a7e5490ed1d7
Author: Wanpeng Li
Date: Wed Jul 3 15:02:40 2013 -0700

mm/memory-hotplug: fix lowmem count overflow when offline pages

commit cea27eb2a202959783f81254c48c250ddd80e129 upstream.

The logic for the memory-remove code fails to correctly account the Total High Memory when a memory block which contains High Memory is offlined as shown in the example below. The following patch fixes it.

Before logic memory remove:

MemTotal: 7603740 kB
MemFree: 6329612 kB
Buffers: 94352 kB
Cached: 872008 kB
SwapCached: 0 kB
Active: 626932 kB
Inactive: 519216 kB
Active(anon): 180776 kB
Inactive(anon): 222944 kB
Active(file): 446156 kB
Inactive(file): 296272 kB
Unevictable: 0 kB
Mlocked: 0 kB
HighTotal: 7294672 kB
HighFree: 5704696 kB
LowTotal: 309068 kB
LowFree: 624916 kB

After logic memory remove:

MemTotal: 7079452 kB
MemFree: 5805976 kB
Buffers: 94372 kB
Cached: 872000 kB
SwapCached: 0 kB
Active: 626936 kB
Inactive: 519236 kB
Active(anon): 180780 kB
Inactive(anon): 222944 kB
Active(file): 446156 kB
Inactive(file): 296292 kB
Unevictable: 0 kB
Mlocked: 0 kB
HighTotal: 7294672 kB
HighFree: 5181024 kB
LowTotal: 4294752076 kB
LowFree: 624952 kB

[mhocko@suse.cz: fix CONFIG_HIGHMEM=n build]
Signed-off-by: Wanpeng Li
Reviewed-by: Michal Hocko
Cc: KAMEZAWA Hiroyuki
Cc: David Rientjes
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[Backported for 3.4-stable. Adjusted context.]
Signed-off-by: Zhouping Liu
Signed-off-by: Ben Hutchings

commit 22cbb1bd14275c52a659e8f42bfceddfea24d785
Author: Ben Hutchings
Date: Sat Aug 3 12:57:06 2013 +0200

ifb: Include

commit b51c3427e95b ('ifb: fix rcu_sched self-detected stalls', commit 440d57bc5ff5 upstream) added a call to cond_resched(), which is declared in '#include '.
In Linux 3.2.y that header is included indirectly in some but not all configurations, so add a direct #include.

Reported-by: Teck Choon Giam
Signed-off-by: Ben Hutchings
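
The LowTotal wrap shown in the mm/memory-hotplug commit above, replayed as an added userspace model (not kernel code and not part of this changelog). The struct and function names are hypothetical, the counters are modelled as 32-bit values, and the offlined block is assumed to consist entirely of highmem pages.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define KB_TO_PAGES(kb) ((uint32_t)(kb) >> (PAGE_SHIFT - 10))

/* Hypothetical counters; uint32_t models a 32-bit unsigned long. */
struct mem_counters { uint32_t totalram_pages, totalhigh_pages; };

/* LowTotal in kB: (total - high) pages scaled to kB, modulo 2^32. */
static uint32_t lowtotal_kb(struct mem_counters c)
{
    uint32_t low_pages = c.totalram_pages - c.totalhigh_pages;
    return (uint32_t)(low_pages << (PAGE_SHIFT - 10));
}

/* Sanity check: highmem can never legitimately exceed total RAM. */
static int counters_inconsistent(struct mem_counters c)
{
    return c.totalhigh_pages > c.totalram_pages;
}

/* Offline `pages` pages, `high_pages` of them highmem. fixed == 0 reduces only
 * the overall total (the accounting bug); fixed != 0 also reduces highmem. */
static struct mem_counters offline_block(struct mem_counters c, uint32_t pages,
                                         uint32_t high_pages, int fixed)
{
    c.totalram_pages -= pages;
    if (fixed)
        c.totalhigh_pages -= high_pages;
    return c;
}

/* Replays the commit's figures: MemTotal 7603740 kB -> 7079452 kB with
 * HighTotal 7294672 kB. Assumption: the whole offlined block was highmem. */
static struct mem_counters replay(int fixed)
{
    struct mem_counters c = { KB_TO_PAGES(7603740u), KB_TO_PAGES(7294672u) };
    uint32_t gone = c.totalram_pages - KB_TO_PAGES(7079452u);
    return offline_block(c, gone, gone, fixed);
}

int main(void)
{
    struct mem_counters bad = replay(0), good = replay(1);
    printf("unfixed: LowTotal %u kB\n", (unsigned)lowtotal_kb(bad));
    printf("fixed:   LowTotal %u kB\n", (unsigned)lowtotal_kb(good));
    return counters_inconsistent(good);
}
```

The unfixed path reproduces the 4294752076 kB value from the commit message; a `totalhigh_pages > totalram_pages` check like the one here is a cheap invariant for catching this class of accounting drift.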