commit 8eedd52017a07a5bae2aded2b5023bfba5971af9 Author: Ben Hutchings Date: Wed Feb 6 04:33:58 2013 +0000 Linux 3.2.38 commit fed286bde47fde5bf24916f48dd43811e916c139 Author: Alexandre SIMON Date: Fri Feb 1 15:31:54 2013 +0100 printk: fix buffer overflow when calling log_prefix function from call_console_drivers This patch corrects a buffer overflow in kernels from 3.0 to 3.4 when calling log_prefix() function from call_console_drivers(). This bug existed in previous releases but has been revealed with commit 162a7e7500f9664636e649ba59defe541b7c2c60 (2.6.39 => 3.0) that made changes about how to allocate memory for early printk buffer (use of memblock_alloc). It disappears with commit 7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5) that does a refactoring of printk buffer management. In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or "simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this function is called from call_console_drivers by passing "&LOG_BUF(cur_index)" where the index must be masked to do not exceed the buffer's boundary. The trick is to prepare in call_console_drivers() a buffer with the necessary data (PRI field of syslog message) to be safely evaluated in log_prefix(). This patch can be applied to stable kernel branches 3.0.y, 3.2.y and 3.4.y. Without this patch, one can freeze a server running this loop from shell : $ export DUMMY=`cat /dev/urandom | tr -dc '12345AZERTYUIOPQSDFGHJKLMWXCVBNazertyuiopqsdfghjklmwxcvbn' | head -c255` $ while true do ; echo $DUMMY > /dev/kmsg ; done The "server freeze" depends on where memblock_alloc does allocate printk buffer : if the buffer overflow is inside another kernel allocation the problem may not be revealed, else the server may hangs up. Signed-off-by: Alexandre SIMON Signed-off-by: Ben Hutchings commit cccd7d46b541d365a3cb1a87946a7fc30cf8e858 Author: Matt Fleming Date: Fri Jan 25 10:07:25 2013 +0000 x86, efi: Set runtime_version to the EFI spec revision commit 712ba9e9afc4b3d3d6fa81565ca36fe518915c01 upstream. efi.runtime_version is erroneously being set to the value of the vendor's firmware revision instead of that of the implemented EFI specification. We can't deduce which EFI functions are available based on the revision of the vendor's firmware since the version scheme is likely to be unique to each vendor. What we really need to know is the revision of the implemented EFI specification, which is available in the EFI System Table header. Cc: Seiji Aguchi Cc: Matthew Garrett Signed-off-by: Matt Fleming Signed-off-by: Ben Hutchings commit 7d02c8e73e3c4610882e4883d97c870384e64a72 Author: Bart Westgeest Date: Mon Jan 23 10:55:46 2012 -0500 staging: usbip: changed function return type to void commit ac2b41acfa3efe4650102067a99251587a806d70 upstream. The function usbip_pad_iso never returns anything but 0 (success). Signed-off-by: Bart Westgeest Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 6d3e269cd51bdfe7ea77bdf1242626a5d6529b85 Author: Takashi Iwai Date: Tue Jan 22 17:43:40 2013 +0100 ALSA: usb-audio: Fix regression by disconnection-race-fix patch [NOTE: the regression below is found only in 3.2-3.4 stable trees, so there is no upstream commit corresponding to this patch] The recent fix for the race at disconnection of usb-audio devices (upstream commit 978520b7) triggers Oops when a device is unplugged while playing on 3.2 and 3.4 kernels. The culprit is that the shutdown flag check was wrongly added around the urb deactivation code snippet. The urb deactivation code has to be performed even after the device disconnected. Otherwise it remains undead and pokes the wild access in the end. The regression fix is simply reverting the shutdown flag check in that code. Reported-and-tested-by: Chris J Arges Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit c64640b5e1b8e83307e3f7e86044a858c7584593 Author: Philipp Reisner Date: Thu Feb 23 12:56:26 2012 +0100 drbd: add missing part_round_stats to _drbd_start_io_acct commit 72585d2428fa3a0daab02ebad1f41e5ef517dbaa upstream. Without this, iostat frequently sees bogus svctime and >= 100% "utilization". Signed-off-by: Philipp Reisner Signed-off-by: Lars Ellenberg Signed-off-by: Ben Hutchings commit 9741339ebda19ec0622f8121123361f7ddc3b8c9 Author: Stefan Assmann Date: Tue Dec 4 06:00:17 2012 +0000 igb: release already assigned MSI-X interrupts if setup fails commit 52285b762b3681669215bf1d17ca6143448ab7d3 upstream. During MSI-X setup the system might run out of vectors. If this happens the already assigned vectors for this NIC should be freed before trying the disable MSI-X. Failing to do so results in the following oops. kernel BUG at drivers/pci/msi.c:341! [...] Call Trace: [] pci_disable_msix+0x3d/0x60 [] igb_reset_interrupt_capability+0x27/0x5c [igb] [] igb_clear_interrupt_scheme+0x26/0x2d [igb] [] igb_request_irq+0x73/0x297 [igb] [] __igb_open+0xc8/0x223 [igb] [] igb_open+0x13/0x15 [igb] [] __dev_open+0xbf/0x120 [] __dev_change_flags+0xa1/0x180 [] dev_change_flags+0x28/0x70 [] devinet_ioctl+0x5b7/0x620 [] inet_ioctl+0x88/0xa0 [] sock_do_ioctl+0x30/0x70 [] sock_ioctl+0x72/0x270 [] do_vfs_ioctl+0x8c/0x340 [] sys_ioctl+0xa1/0xb0 [] system_call_fastpath+0x16/0x1b Code: 48 89 df e8 1f 40 ed ff 4d 39 e6 49 8b 45 10 75 b6 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f c9 c3 48 8b 7b 20 e8 3e 91 db ff eb ae <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00 RIP [] free_msi_irqs+0x124/0x130 RSP Signed-off-by: Stefan Assmann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Ben Hutchings commit 8f8ad61766f6e072a27ffffe58810bf6890074b0 Author: David Henningsson Date: Fri Jan 4 17:02:18 2013 +0100 ALSA: usb - fix race in creation of M-Audio Fast track pro driver commit b98ae2729dea161edc96c9d177459b6c28bcbba5 upstream. A patch in the 3.2 kernel caused regression with hotplugging the M-Audio Fast track pro, or sound after suspend. I don't have the device so I haven't done a full analysis, but it seems userspace (both udev and pulseaudio) got confused when a card was created, immediately destroyed, and then created again. However, at least one person in the bug report (martin djfun) reports that this patch resolves the issue for him. It also leaves a message in the log: "snd-usb-audio: probe of 1-1.1:1.1 failed with error -5" which is a bit misleading. It is better than non-working audio, but maybe there's a more elegant solution? BugLink: https://bugs.launchpad.net/bugs/1095315 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 8a6d0db2f6a06c5fdfb7a208002d0f9961d1ad41 Author: Tom Mingarelli Date: Tue Nov 20 19:43:17 2012 +0000 intel-iommu: Prevent devices with RMRRs from being placed into SI Domain commit ea2447f700cab264019b52e2b417d689e052dcfd upstream. This patch is to prevent non-USB devices that have RMRRs associated with them from being placed into the SI Domain during init. This fixes the issue where the RMRR info for devices being placed in and out of the SI Domain gets lost. Signed-off-by: Thomas Mingarelli Tested-by: Shuah Khan Reviewed-by: Donald Dutile Reviewed-by: Alex Williamson Signed-off-by: Joerg Roedel Signed-off-by: Ben Hutchings commit ccfabf967ddeff4dad95fe1b97ab3bc2f2da3683 Author: Ian Abbott Date: Fri Mar 30 17:14:58 2012 +0100 staging: comedi: don't hijack hardware device private data commit c43435d7722134ed1fda58ce1025f41029bd58ad upstream. comedi_auto_config() associates a Comedi minor device number with an auto-configured hardware device and comedi_auto_unconfig() disassociates it. Currently, these use the hardware device's private data pointer to point to some allocated storage holding the minor device number. This is a bit of a waste of the hardware device's private data pointer, preventing it from being used for something more useful by the low-level comedi device drivers. For example, it would make more sense if comedi_usb_auto_config() was passed a pointer to the struct usb_interface instead of the struct usb_device, but this cannot be done currently because the low-level comedi drivers already use the private data pointer in the struct usb_interface for something more useful. This patch stops the comedi core hijacking the hardware device's private data pointer. Instead, comedi_auto_config() stores a pointer to the hardware device's struct device in the struct comedi_device_file_info associated with the minor device number, and comedi_auto_unconfig() calls new function comedi_find_board_minor() to recover the minor device number associated with the hardware device. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit c2db6e1fa351227e9849b2504075db6f9f748874 Author: Daniel Vetter Date: Mon Jan 7 10:27:13 2013 +0100 Revert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13" commit 48e858340dae43189a4e55647f6eac736766f828 upstream. This reverts commit 9756fe38d10b2bf90c81dc4d2f17d5632e135364. The bogus lvds output is actually a lvds->hdmi bridge, which we don't really support. But unconditionally disabling it breaks some existing setups. Reported-by: John Tapsell References: http://permalink.gmane.org/gmane.comp.freedesktop.xorg.drivers.intel/17237 Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings commit d36179913a4c811f1e1b508011f1f6b9f48c3729 Author: Ian Abbott Date: Tue Jan 15 14:45:20 2013 +0000 staging: comedi: Kconfig: COMEDI_NI_AT_A2150 should select COMEDI_FC commit 34ffb33e09132401872fe79e95c30824ce194d23 upstream. The 'ni_at_a2150' module links to `cfc_write_to_buffer` in the 'comedi_fc' module, so selecting 'COMEDI_NI_AT_A2150' in the kernel config needs to also select 'COMEDI_FC'. Signed-off-by: Ian Abbott Signed-off-by: Ben Hutchings commit 756a6d71c4f566f840cf4e04fe2540e6927d2613 Author: Kees Cook Date: Fri Mar 9 16:07:10 2012 -0800 x86: Use enum instead of literals for trap values commit c94082656dac74257f63e91f78d5d458ac781fa5 upstream. The traps are referred to by their numbers and it can be difficult to understand them while reading the code without context. This patch adds enumeration of the trap numbers and replaces the numbers with the correct enum for x86. Signed-off-by: Kees Cook Link: http://lkml.kernel.org/r/20120310000710.GA32667@www.outflux.net Signed-off-by: H. Peter Anvin Cherry-picked-for: v2.3.37 Signed-off-by: John Kacur Signed-off-by: Ben Hutchings commit a423a71dafbcd05bc263f9eb42c142e4b869ed95 Author: Daniel Vetter Date: Fri Dec 14 23:38:28 2012 +0100 drm/i915: Implement WaDisableHiZPlanesWhenMSAAEnabled commit 4283908ef7f11a72c3b80dd4cf026f1a86429f82 upstream. Quoting from Bspec, 3D_CHICKEN1, bit 10 This bit needs to be set always to "1", Project: DevSNB " Reviewed-by: Rodrigo Vivi Signed-off-by: Daniel Vetter Signed-off-by: Abdallah Chatila Signed-off-by: Ben Hutchings commit 9a1f08a1a192f9177d7063d903773aed800b840f Author: Zhenzhong Duan Date: Thu Dec 20 15:05:14 2012 -0800 drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists commit 9f9c9cbb60576a1518d0bf93fb8e499cffccf377 upstream. The right dmi version is in SMBIOS if it's zero in DMI region This issue was originally found from an oracle bug. One customer noticed system UUID doesn't match between dmidecode & uek2. - HP ProLiant BL460c G6 : # cat /sys/devices/virtual/dmi/id/product_uuid 00000000-0000-4C48-3031-4D5030333531 # dmidecode | grep -i uuid UUID: 00000000-0000-484C-3031-4D5030333531 From SMBIOS 2.6 on, spec use little-endian encoding for UUID other than network byte order. So we need to get dmi version to distinguish. If version is 0.0, the real version is taken from the SMBIOS version. This is part of original kernel comment in code. [akpm@linux-foundation.org: checkpatch fixes] Signed-off-by: Zhenzhong Duan Cc: Feng Jin Cc: Jean Delvare Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 9b5dc20f97e09e01e046f5ce8215ef2b000196ca Author: Zhenzhong Duan Date: Thu Dec 20 15:05:13 2012 -0800 drivers/firmware/dmi_scan.c: check dmi version when get system uuid commit f1d8e614d74b09531b9a85e812485340f3df7b1c upstream. As of version 2.6 of the SMBIOS specification, the first 3 fields of the UUID are supposed to be little-endian encoded. Also a minor fix to match variable meaning and mute checkpatch.pl [akpm@linux-foundation.org: tweak code comment] Signed-off-by: Zhenzhong Duan Cc: Feng Jin Cc: Jean Delvare Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 8bdb5d1a2d352d58ac99be529bb8c006dfb9be83 Author: Joel D. Diaz Date: Wed Oct 10 10:36:11 2012 +0200 sd: Reshuffle init_sd to avoid crash commit afd5e34b2bb34881d3a789e62486814a49b47faa upstream. scsi_register_driver will register a prep_fn() function, which in turn migh need to use the sd_cdp_pool for DIF. Which hasn't been initialised at this point, leading to a crash. So reshuffle the init_sd() and exit_sd() paths to have the driver registered last. Signed-off-by: Joel D. Diaz Signed-off-by: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Ben Hutchings commit 2d0b97a83962b7687f196c5b348fa9ded5f27c3c Author: Alan Cox Date: Tue Sep 4 16:25:25 2012 +0100 ahci: Add identifiers for ASM106x devices commit 7b4f6ecacb14f384adc1a5a67ad95eb082c02bd1 upstream. They don't always appear as AHCI class devices but instead as IDE class. Based on an initial patch by Hiroaki Nito Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=42804 Signed-off-by: Alan Cox Signed-off-by: Jeff Garzik Signed-off-by: Ben Hutchings commit d5f7dc2750e8a0e33e6c86d9f4e9765ea4353876 Author: H. Peter Anvin Date: Sun Jan 13 20:56:41 2013 -0800 x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI commit e43b3cec711a61edf047adf6204d542f3a659ef8 upstream. early_pci_allowed() and read_pci_config_16() are only available if CONFIG_PCI is defined. Signed-off-by: H. Peter Anvin Cc: Jesse Barnes Signed-off-by: Ben Hutchings commit 91c90db1aa92a50fa1d7f289502b49ddb46a90d3 Author: H. Peter Anvin Date: Sun Jan 13 20:36:39 2013 -0800 x86/Sandy Bridge: mark arrays in __init functions as __initconst commit ab3cd8670e0b3fcde7f029e1503ed3c5138e9571 upstream. Mark static arrays as __initconst so they get removed when the init sections are flushed. Reported-by: Mathias Krause Link: http://lkml.kernel.org/r/75F4BEE6-CB0E-4426-B40B-697451677738@googlemail.com Signed-off-by: H. Peter Anvin Signed-off-by: Ben Hutchings commit e9bb67a262bf49f21011e82199730a10024271c4 Author: Jesse Barnes Date: Wed Nov 14 20:43:31 2012 +0000 x86/Sandy Bridge: reserve pages when integrated graphics is present commit a9acc5365dbda29f7be2884efb63771dc24bd815 upstream. SNB graphics devices have a bug that prevent them from accessing certain memory ranges, namely anything below 1M and in the pages listed in the table. So reserve those at boot if set detect a SNB gfx device on the CPU to avoid GPU hangs. Stephane Marchesin had a similar patch to the page allocator awhile back, but rather than reserving pages up front, it leaked them at allocation time. [ hpa: made a number of stylistic changes, marked arrays as static const, and made less verbose; use "memblock=debug" for full verbosity. ] Signed-off-by: Jesse Barnes Signed-off-by: H. Peter Anvin Signed-off-by: Ben Hutchings commit 78e3ae2d57c0df313b079a07f6ffc16e4041e56c Author: Trond Myklebust Date: Wed Jan 30 13:04:10 2013 -0500 NFSv4.1: Handle NFS4ERR_DELAY when resetting the NFSv4.1 session commit c489ee290bdbbace6bb63ebe6ebd4dd605819495 upstream. NFS4ERR_DELAY is a legal reply when we call DESTROY_SESSION. It usually means that the server is busy handling an unfinished RPC request. Just sleep for a second and then retry. We also need to be able to handle the NFS4ERR_BACK_CHAN_BUSY return value. If the NFS server has outstanding callbacks, we just want to similarly sleep & retry. Signed-off-by: Trond Myklebust [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 8e61814f416e0069dbcedbe15509c0a5b5af9da6 Author: Trond Myklebust Date: Tue Jan 22 00:17:06 2013 -0500 NFS: Don't silently fail setattr() requests on mountpoints commit ab225417825963b6dc66be7ea80f94ac1378dfdf upstream. Ensure that any setattr and getattr requests for junctions and/or mountpoints are sent to the server. Ever since commit 0ec26fd0698 (vfs: automount should ignore LOOKUP_FOLLOW), we have silently dropped any setattr requests to a server-side mountpoint. For referrals, we have silently dropped both getattr and setattr requests. This patch restores the original behaviour for setattr on mountpoints, and tries to do the same for referrals, provided that we have a filehandle... Signed-off-by: Trond Myklebust Signed-off-by: Ben Hutchings commit aed5dbb761cf5291dc302626957b780f4ff60564 Author: Matt Fleming Date: Thu Jan 3 09:02:37 2013 +0000 samsung-laptop: Disable on EFI hardware commit e0094244e41c4d0c7ad69920681972fc45d8ce34 upstream. It has been reported that running this driver on some Samsung laptops with EFI can cause those machines to become bricked as detailed in the following report, https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557 There have also been reports of this driver causing Machine Check Exceptions on recent EFI-enabled Samsung laptops, https://bugzilla.kernel.org/show_bug.cgi?id=47121 So disable it if booting from EFI since this driver relies on grovelling around in the BIOS memory map which isn't going to work. Cc: Corentin Chary Cc: Matthew Garrett Cc: Colin Ian King Cc: Steve Langasek Signed-off-by: Matt Fleming Signed-off-by: H. Peter Anvin [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 06c73e442edec7cda81193276c72fda1abb96fb0 Author: Matt Fleming Date: Wed Nov 14 09:42:35 2012 +0000 efi: Make 'efi_enabled' a function to query EFI facilities commit 83e68189745ad931c2afd45d8ee3303929233e7f upstream. Originally 'efi_enabled' indicated whether a kernel was booted from EFI firmware. Over time its semantics have changed, and it now indicates whether or not we are booted on an EFI machine with bit-native firmware, e.g. 64-bit kernel with 64-bit firmware. The immediate motivation for this patch is the bug report at, https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557 which details how running a platform driver on an EFI machine that is designed to run under BIOS can cause the machine to become bricked. Also, the following report, https://bugzilla.kernel.org/show_bug.cgi?id=47121 details how running said driver can also cause Machine Check Exceptions. Drivers need a new means of detecting whether they're running on an EFI machine, as sadly the expression, if (!efi_enabled) hasn't been a sufficient condition for quite some time. Users actually want to query 'efi_enabled' for different reasons - what they really want access to is the list of available EFI facilities. For instance, the x86 reboot code needs to know whether it can invoke the ResetSystem() function provided by the EFI runtime services, while the ACPI OSL code wants to know whether the EFI config tables were mapped successfully. There are also checks in some of the platform driver code to simply see if they're running on an EFI machine (which would make it a bad idea to do BIOS-y things). This patch is a prereq for the samsung-laptop fix patch. Cc: David Airlie Cc: Corentin Chary Cc: Matthew Garrett Cc: Dave Jiang Cc: Olof Johansson Cc: Peter Jones Cc: Colin Ian King Cc: Steve Langasek Cc: Tony Luck Cc: Konrad Rzeszutek Wilk Cc: Rafael J. Wysocki Signed-off-by: Matt Fleming Signed-off-by: H. Peter Anvin [bwh: Backported to 3.2: - Adjust context (a lot) - Add efi_is_native() function from commit 5189c2a7c776 ('x86: efi: Turn off efi_enabled after setup on mixed fw/kernel') - Make efi_init() bail out when booted non-native, as it would previously not be called in this case - Drop inapplicable changes to start_kernel()] Signed-off-by: Ben Hutchings commit bbc7d09f4a8680fa6ae6531048214f498b0562d2 Author: Dan Carpenter Date: Sat Jan 26 10:49:24 2013 +0300 EDAC: Test correct variable in ->store function commit 8024c4c0b1057d1cd811fc9c3f88f81de9729fcd upstream. We're testing for ->show but calling ->store(). Signed-off-by: Dan Carpenter Signed-off-by: Borislav Petkov Signed-off-by: Ben Hutchings commit d027778a1cf87dda708c66364d5bebd1e3be9ae9 Author: Takashi Iwai Date: Tue Jan 29 18:07:22 2013 +0100 ALSA: hda - Fix non-snoop page handling commit 9ddf1aeb2134e72275c97a2c6ff2e3eb04f2f27a upstream. For non-snoop mode, we fiddle with the page attributes of CORB/RIRB and the position buffer, but also the ring buffers. The problem is that the current code blindly assumes that the buffer is contiguous. However, the ring buffers may be SG-buffers, thus a wrong vmapped address is passed there, leading to Oops. This patch fixes the handling for SG-buffers. Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=800701 Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: open-code snd_pcm_get_dma_buf()] Signed-off-by: Ben Hutchings commit e807626e32eb159914cee54473d17082a1920039 Author: Jan Kara Date: Wed Jan 23 13:56:18 2013 +0100 xfs: Fix possible use-after-free with AIO commit 4b05d09c18d9aa62d2e7fb4b057f54e5a38963f5 upstream. Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. CC: xfs@oss.sgi.com CC: Ben Myers Signed-off-by: Jan Kara Reviewed-by: Ben Myers Signed-off-by: Ben Myers Signed-off-by: Ben Hutchings commit 122927b09930c9272a20fb8cffc5ff7095fcbbb4 Author: Suravee Suthikulpanit Date: Thu Jan 24 13:17:53 2013 -0600 IOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround commit 318fe782539c4150d1b8e4e6c9dc3a896512cb8a upstream. The IOMMU may stop processing page translations due to a perceived lack of credits for writing upstream peripheral page service request (PPR) or event logs. If the L2B miscellaneous clock gating feature is enabled the IOMMU does not properly register credits after the log request has completed, leading to a potential system hang. BIOSes are supposed to disable L2B micellaneous clock gating by setting L2_L2B_CK_GATE_CONTROL[CKGateL2BMiscDisable](D0F2xF4_x90[2]) = 1b. This patch corrects that for those which do not enable this workaround. Signed-off-by: Suravee Suthikulpanit Acked-by: Borislav Petkov Signed-off-by: Joerg Roedel [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 24283593e3a8623e692ba2791a35180b1229a6c5 Author: Wang YanQing Date: Sat Jan 26 15:53:57 2013 +0800 smp: Fix SMP function call empty cpu mask race commit f44310b98ddb7f0d06550d73ed67df5865e3eda5 upstream. I get the following warning every day with v3.7, once or twice a day: [ 2235.186027] WARNING: at /mnt/sda7/kernel/linux/arch/x86/kernel/apic/ipi.c:109 default_send_IPI_mask_logical+0x2f/0xb8() As explained by Linus as well: | | Once we've done the "list_add_rcu()" to add it to the | queue, we can have (another) IPI to the target CPU that can | now see it and clear the mask. | | So by the time we get to actually send the IPI, the mask might | have been cleared by another IPI. | This patch also fixes a system hang problem, if the data->cpumask gets cleared after passing this point: if (WARN_ONCE(!mask, "empty IPI mask")) return; then the problem in commit 83d349f35e1a ("x86: don't send an IPI to the empty set of CPU's") will happen again. Signed-off-by: Wang YanQing Acked-by: Linus Torvalds Acked-by: Jan Beulich Cc: Paul E. McKenney Cc: Andrew Morton Cc: peterz@infradead.org Cc: mina86@mina86.org Cc: srivatsa.bhat@linux.vnet.ibm.com Link: http://lkml.kernel.org/r/20130126075357.GA3205@udknight [ Tidied up the changelog and the comment in the code. ] Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit f18cd12608855fa17d94bfd30fbdaf5abf56f053 Author: Clemens Ladisch Date: Thu Nov 29 17:04:23 2012 +0100 ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices commit d56268fb108c7c21e19933588ca4d94652585183 upstream. Commit 23caaf19b11e (ALSA: usb-mixer: Add support for Audio Class v2.0) forgot to adjust the length check for UAC 2.0 feature unit descriptors. This would make the code abort on encountering a feature unit without per-channel controls, and thus prevented the driver to work with any device having such a unit, such as the RME Babyface or Fireface UCX. Reported-by: Florian Hanisch Tested-by: Matthew Robbetts Tested-by: Michael Beer Cc: Daniel Mack Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 79654e81bbd146017c8cd55aa9e88b668cf385e9 Author: Olivier Sobrie Date: Fri Jan 18 09:32:41 2013 +0100 can: pch_can: fix invalid error codes commit ee50e135aeb048b90fab662e661c58b67341830b upstream. Errors in CAN protocol (location) are reported in data[3] of the can frame instead of data[2]. Signed-off-by: Olivier Sobrie Signed-off-by: Marc Kleine-Budde Signed-off-by: Ben Hutchings commit 6fad7bfb8aef9a8688d3d3b3ea917b3c7d1fc8b7 Author: Olivier Sobrie Date: Fri Jan 18 09:32:40 2013 +0100 can: ti_hecc: fix invalid error codes commit 71088c4bd9b8f8cbffb0e66f2abc14297e4b2ca8 upstream. Errors in CAN protocol (location) are reported in data[3] of the can frame instead of data[2]. Cc: Anant Gole Signed-off-by: Olivier Sobrie Signed-off-by: Marc Kleine-Budde Signed-off-by: Ben Hutchings commit 05a1863fb824b959ffbbc852552a3a48815b676a Author: Olivier Sobrie Date: Fri Jan 18 09:32:39 2013 +0100 can: c_can: fix invalid error codes commit 6ea45886865c1abb01bb861f7f6bdd5d0f398cb3 upstream. Errors in CAN protocol (location) are reported in data[3] of the can frame instead of data[2]. Cc: Bhupesh Sharma Signed-off-by: Olivier Sobrie Signed-off-by: Marc Kleine-Budde Signed-off-by: Ben Hutchings commit 6ebf5f3dfa9dfd384169f001eecf4e5119c670cc Author: Alan Cox Date: Thu Nov 15 13:06:22 2012 +0000 x86/msr: Add capabilities check commit c903f0456bc69176912dee6dd25c6a66ee1aed00 upstream. At the moment the MSR driver only relies upon file system checks. This means that anything as root with any capability set can write to MSRs. Historically that wasn't very interesting but on modern processors the MSRs are such that writing to them provides several ways to execute arbitary code in kernel space. Sample code and documentation on doing this is circulating and MSR attacks are used on Windows 64bit rootkits already. In the Linux case you still need to be able to open the device file so the impact is fairly limited and reduces the security of some capability and security model based systems down towards that of a generic "root owns the box" setup. Therefore they should require CAP_SYS_RAWIO to prevent an elevation of capabilities. The impact of this is fairly minimal on most setups because they don't have heavy use of capabilities. Those using SELinux, SMACK or AppArmor rules might want to consider if their rulesets on the MSR driver could be tighter. Signed-off-by: Alan Cox Cc: Linus Torvalds Cc: Andrew Morton Cc: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit 8474b1ab89e4cbfaff2aa424ccf3f970ec0101e4 Author: Ilija Hadzic Date: Wed Jan 23 13:59:05 2013 -0500 drm/radeon: fix a rare case of double kfree commit 1da80cfa8727abf404fcee44d04743febea54069 upstream. If one (but not both) allocations of p->chunks[].kpage[] in radeon_cs_parser_init fail, the error path will free the successfully allocated page, but leave a stale pointer value in the kpage[] field. This will later cause a double-free when radeon_cs_parser_fini is called. This patch fixes the issue by forcing both pointers to NULL after kfree in the error path. The circumstances under which the problem happens are very rare. The card must be AGP and the system must run out of kmalloc area just at the right time so that one allocation succeeds, while the other fails. Signed-off-by: Ilija Hadzic Cc: Herton Ronaldo Krzesinski Signed-off-by: Alex Deucher [bwh: Backported to 3.2: s/p->chunk_ib_idx/i/] Signed-off-by: Ben Hutchings commit f3825cc9679a5b7126c3d2bdf448b5453980d568 Author: Daniel Vetter Date: Wed Jan 23 16:16:35 2013 +0100 drm/i915: dump UTS_RELEASE into the error_state commit 4518f611ba21ba165ea3714055938a8984a44ff9 upstream. Useful for statistics or on overflowing bug reports to keep things all lined up. Reviewed-by: Chris Wilson Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 3bc29347470ac9c542bcad3551a98ad4b32c11a7 Author: Daniel Vetter Date: Sun Jan 20 23:50:13 2013 +0100 iommu/intel: disable DMAR for g4x integrated gfx commit 9452618e7462181ed9755236803b6719298a13ce upstream. DMAR support on g4x/gm45 integrated gpus seems to be totally busted. So don't bother, but instead disable it by default to allow distros to unconditionally enable DMAR support. v2: Actually wire up the right quirk entry, spotted by Adam Jackson. Note that according to intel marketing materials only g45 and gm45 support DMAR/VT-d. So we have reports for all relevant gen4 pci ids by now. Still, keep all the other gen4 ids in the quirk table in case the marketing stuff confused me again, which would not be the first time. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=51921 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=538163 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=538163 Cc: Adam Jackson Cc: David Woodhouse Acked-By: David Woodhouse Tested-by: stathis Tested-by: Mihai Moldovan Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 393143615d9f2f581d87387268dc11b95adc339c Author: Chris Wilson Date: Sun Jan 20 16:33:32 2013 +0000 drm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for scanline waits commit f05bb0c7b624252a5e768287e340e8e45df96e42 upstream. On SNB, if bit 13 of GFX_MODE, Flush TLB Invalidate Mode, is not set to 1, the hardware can not program the scanline values. Those scanline values then control when the signal is sent from the display engine to the render ring for MI_WAIT_FOR_EVENTs. Note setting this bit means that TLB invalidations must be performed explicitly through the appropriate bits being set in PIPE_CONTROL. References: https://bugzilla.kernel.org/show_bug.cgi?id=52311 Signed-off-by: Chris Wilson Reviewed-by: Ben Widawsky Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: s/_MASKED_BIT/GFX_MODE/] Signed-off-by: Ben Hutchings commit a2d2dcd9e1aa9585e2ffb757ce7f3fc80bcad9f1 Author: Chris Wilson Date: Sun Jan 20 16:11:20 2013 +0000 drm/i915: Disable AsyncFlip performance optimisations commit 1c8c38c588ea91f8deeae21284840459d1bb58e3 upstream. This is a required workarounds for all products, especially on gen6+ where it causes the command streamer to fail to parse instructions following a WAIT_FOR_EVENT. We use WAIT_FOR_EVENT for synchronising between the GPU and the display engines, and so this bit being unset may cause hangs. References: https://bugzilla.kernel.org/show_bug.cgi?id=52311 Signed-off-by: Chris Wilson Reviewed-by: Imre Deak Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: - Adjust context - s/_MASKED_BIT/GFX_MODE/] Signed-off-by: Ben Hutchings commit d31349bd14461e299df2443dfec5bf7725154393 Author: Eric Anholt Date: Thu Jan 19 10:50:06 2012 -0800 drm/i915: Correct the bit number for the MI_FLUSH_ENABLE. commit fc74d8e01165b567922921d110b6d16320a61fa6 upstream. Older specs claimed this was bit 11, but newer specs and the actual simulator code say it was bit 12. Regardless, we don't use MI_FLUSH, or try to enable it any more. Signed-off-by: Eric Anholt Reviewed-by: Kenneth Graunke Reviewed-by: Ben Widawsky [danvet: Anyone trying to use this bit, please read all the relevant discussions, it's epic.] Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings commit cba89978ad340768a908c03d0bb39c8003f33e84 Author: Eric Anholt Date: Thu Jan 19 10:50:05 2012 -0800 drm/i915: Remove the MI_FLUSH_ENABLE setting. commit 8d79c3490aecfe6e51f0ba6f9780746fb1434954 upstream. We have always been using the wrong bit -- it's bit 12. However, the bit also doesn't do anything -- hardware has always accepted the MI_FLUSH command even when it was specced not to. Given that there is only one MI_FLUSH emitted in all of the driver stack on gen6+ (in i965_video.c of the 2d driver, and it should be using other code to do its flush instead), just remove the MI_FLUSH enable instead of trying to fix it. Signed-off-by: Eric Anholt Reviewed-by: Kenneth Graunke Reviewed-by: Ben Widawsky Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings commit e733f37ff20d1075e16485afb2aa99adc7141c0e Author: Avinash Patil Date: Mon Jan 21 21:04:10 2013 -0800 mwifiex: fix typo in PCIe adapter NULL check commit 83f0c6d1f502bd75bb4a9e31e8d64e59c6894ad1 upstream. Add missing "!" as we are supposed to check "!card->adapter" in PCIe suspend handler. Signed-off-by: Avinash Patil Signed-off-by: Bing Zhao Reviewed-by: Sergey V. Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings commit 959f049dfb62b517cbb3dd48ed2fb7d9c713ce16 Author: Felix Fietkau Date: Sun Jan 20 21:55:21 2013 +0100 ath9k_hw: fix chain swap setting when setting rx chainmask to 5 commit 24171dd92096fc370b195f3f6bdc0798855dc3f9 upstream. Chain swapping should only be enabled when the EEPROM chainmask is set to 5, regardless of what the runtime chainmask is. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville [bwh: Backported to 3.2: keep the special case for AR_SREV_9462 here] Signed-off-by: Ben Hutchings commit b71a6d277365335f945a793bfe431f0088d90b97 Author: Felix Fietkau Date: Sun Jan 20 21:55:20 2013 +0100 ath9k_hw: fix calibration issues on chainmask that don't include chain 0 commit 4a8f199508d79ff8a7d1e22f47b912baaf225336 upstream. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 8709c92ec48f199b6bea5d624d572a81ae937cef Author: Nathan Zimmer Date: Tue Jan 8 09:02:43 2013 -0600 efi, x86: Pass a proper identity mapping in efi_call_phys_prelog commit b8f2c21db390273c3eaf0e5308faeaeb1e233840 upstream. Update efi_call_phys_prelog to install an identity mapping of all available memory. This corrects a bug on very large systems with more then 512 GB in which bios would not be able to access addresses above not in the mapping. The result is a crash that looks much like this. BUG: unable to handle kernel paging request at 000000effd870020 IP: [<0000000078bce331>] 0x78bce330 PGD 0 Oops: 0000 [#1] SMP Modules linked in: CPU 0 Pid: 0, comm: swapper/0 Tainted: G W 3.8.0-rc1-next-20121224-medusa_ntz+ #2 Intel Corp. Stoutland Platform RIP: 0010:[<0000000078bce331>] [<0000000078bce331>] 0x78bce330 RSP: 0000:ffffffff81601d28 EFLAGS: 00010006 RAX: 0000000078b80e18 RBX: 0000000000000004 RCX: 0000000000000004 RDX: 0000000078bcf958 RSI: 0000000000002400 RDI: 8000000000000000 RBP: 0000000078bcf760 R08: 000000effd870000 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000000000c3 R12: 0000000000000030 R13: 000000effd870000 R14: 0000000000000000 R15: ffff88effd870000 FS: 0000000000000000(0000) GS:ffff88effe400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000effd870020 CR3: 000000000160c000 CR4: 00000000000006b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper/0 (pid: 0, threadinfo ffffffff81600000, task ffffffff81614400) Stack: 0000000078b80d18 0000000000000004 0000000078bced7b ffff880078b81fff 0000000000000000 0000000000000082 0000000078bce3a8 0000000000002400 0000000060000202 0000000078b80da0 0000000078bce45d ffffffff8107cb5a Call Trace: [] ? on_each_cpu+0x77/0x83 [] ? change_page_attr_set_clr+0x32f/0x3ed [] ? efi_call4+0x46/0x80 [] ? efi_enter_virtual_mode+0x1f5/0x305 [] ? start_kernel+0x34a/0x3d2 [] ? repair_env_string+0x60/0x60 [] ? x86_64_start_reservations+0xba/0xc1 [] ? early_idt_handlers+0x120/0x120 [] ? x86_64_start_kernel+0x154/0x163 Code: Bad RIP value. RIP [<0000000078bce331>] 0x78bce330 RSP CR2: 000000effd870020 ---[ end trace ead828934fef5eab ]--- Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Signed-off-by: Nathan Zimmer Signed-off-by: Robin Holt Signed-off-by: Matt Fleming Signed-off-by: Ben Hutchings commit 9741d4ebfe08afb7a925cb60a20dba7c30166bed Author: Piotr Haber Date: Thu Jan 10 11:20:48 2013 +0100 brcmsmac: increase timer reference count for new timers only commit a1fe52801a992e590cdaee2fb47a94bac9b5da90 upstream. On hardware reintialization reference count of already existing timers would be increased again. This leads to problems on module unloading. Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Hante Meuleman Reviewed-by: Arend van Spriel Signed-off-by: Piotr Haber Signed-off-by: Arend van Spriel Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings commit a282707dd03b6cbf4acc77e2d0e9a4ea1ccb2d04 Author: Felix Fietkau Date: Wed Jan 9 16:16:53 2013 +0100 ath9k: fix double-free bug on beacon generate failure commit 1adb2e2b5f85023d17eb4f95386a57029df27c88 upstream. When the next beacon is sent, the ath_buf from the previous run is reused. If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet the skb is freed, leading to a double-free on the next beacon tx attempt, resulting in a system crash. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings commit 8e75bb199071d3c86cd04ecb98b35e5b65d39594 Author: Felix Fietkau Date: Wed Jan 9 16:16:52 2013 +0100 ath9k: do not link receive buffers during flush commit a3dc48e82bb146ef11cf75676c8410c1df29b0c4 upstream. On AR9300 the rx FIFO needs to be empty during reset to ensure that no further DMA activity is generated, otherwise it might lead to memory corruption issues. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings commit 04d88fd9a962521d352b67c4ff3a86aa474315b4 Author: Sujith Manoharan Date: Wed Jan 9 16:07:48 2013 +0530 ath9k_htc: Fix memory leak commit 0981c3b24ef664f5611008a6e6d0622fac6d892b upstream. SKBs that are allocated in the HTC layer do not have callbacks registered and hence ended up not being freed, Fix this by freeing them properly in the TX completion routine. Reported-by: Larry Finger Signed-off-by: Sujith Manoharan Tested-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings commit 150df53ab8dfcdf0b3872a60f7a092c4e541f138 Author: Anderson Lizardo Date: Sun Jan 6 18:28:53 2013 -0400 Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() commit 0a9ab9bdb3e891762553f667066190c1d22ad62b upstream. The length parameter should be sizeof(req->name) - 1 because there is no guarantee that string provided by userspace will contain the trailing '\0'. Can be easily reproduced by manually setting req->name to 128 non-zero bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on input subsystem: $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys" field in struct hid_device due to overflow.) Signed-off-by: Anderson Lizardo Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan Signed-off-by: Ben Hutchings commit d62f0c40e67bb539c1e2101f7577a97889bb43cd Author: Cong Ding Date: Tue Jan 22 19:20:58 2013 -0500 fs/cifs/cifs_dfs_ref.c: fix potential memory leakage commit 10b8c7dff5d3633b69e77f57d404dab54ead3787 upstream. When it goes to error through line 144, the memory allocated to *devname is not freed, and the caller doesn't free it either in line 250. So we free the memroy of *devname in function cifs_compose_mount_options() when it goes to error. Signed-off-by: Cong Ding Reviewed-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Ben Hutchings commit a928a96a8bd2137731ab48c241db935dbd30ace6 Author: Alan Stern Date: Tue Jan 22 11:37:35 2013 -0500 USB: UHCI: fix IRQ race during initialization commit 0f815a0a700bc10547449bde6c106051a035a1b9 upstream. This patch (as1644) fixes a race that occurs during startup in uhci-hcd. If the IRQ line is shared with other devices, it's possible for the handler routine to be called before the data structures are fully initialized. The problem is fixed by adding a check to the IRQ handler routine. If the initialization hasn't finished yet, the routine will return immediately. Signed-off-by: Alan Stern Reported-by: Don Zickus Tested-by: "Huang, Adrian (ISS Linux TW)" Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 0988130fc498f91dd9f730bde92006048a0f347c Author: Steven Rostedt Date: Fri Dec 14 09:48:15 2012 -0500 ftrace: Be first to run code modification on modules commit c1bf08ac26e92122faab9f6c32ea8aba94612dae upstream. If some other kernel subsystem has a module notifier, and adds a kprobe to a ftrace mcount point (now that kprobes work on ftrace points), when the ftrace notifier runs it will fail and disable ftrace, as well as kprobes that are attached to ftrace points. Here's the error: WARNING: at kernel/trace/ftrace.c:1618 ftrace_bug+0x239/0x280() Hardware name: Bochs Modules linked in: fat(+) stap_56d28a51b3fe546293ca0700b10bcb29__8059(F) nfsv4 auth_rpcgss nfs dns_resolver fscache xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack lockd sunrpc ppdev parport_pc parport microcode virtio_net i2c_piix4 drm_kms_helper ttm drm i2c_core [last unloaded: bid_shared] Pid: 8068, comm: modprobe Tainted: GF 3.7.0-0.rc8.git0.1.fc19.x86_64 #1 Call Trace: [] warn_slowpath_common+0x7f/0xc0 [] ? __probe_kernel_read+0x46/0x70 [] ? 0xffffffffa017ffff [] ? 0xffffffffa017ffff [] warn_slowpath_null+0x1a/0x20 [] ftrace_bug+0x239/0x280 [] ftrace_process_locs+0x376/0x520 [] ftrace_module_notify+0x47/0x50 [] notifier_call_chain+0x4d/0x70 [] __blocking_notifier_call_chain+0x58/0x80 [] blocking_notifier_call_chain+0x16/0x20 [] sys_init_module+0x73/0x220 [] system_call_fastpath+0x16/0x1b ---[ end trace 9ef46351e53bbf80 ]--- ftrace failed to modify [] init_once+0x0/0x20 [fat] actual: cc:bb:d2:4b:e1 A kprobe was added to the init_once() function in the fat module on load. But this happened before ftrace could have touched the code. As ftrace didn't run yet, the kprobe system had no idea it was a ftrace point and simply added a breakpoint to the code (0xcc in the cc:bb:d2:4b:e1). Then when ftrace went to modify the location from a call to mcount/fentry into a nop, it didn't see a call op, but instead it saw the breakpoint op and not knowing what to do with it, ftrace shut itself down. The solution is to simply give the ftrace module notifier the max priority. This should have been done regardless, as the core code ftrace modification also happens very early on in boot up. This makes the module modification closer to core modification. Link: http://lkml.kernel.org/r/20130107140333.593683061@goodmis.org Acked-by: Masami Hiramatsu Reported-by: Frank Ch. Eigler Signed-off-by: Steven Rostedt Signed-off-by: Ben Hutchings commit 08a43c1831432c8ea67e7d446515cd9014c495ab Author: Takashi Iwai Date: Mon Jan 21 16:53:37 2013 +0100 ALSA: hda - Add Conexant CX20755/20756/20757 codec IDs commit 42c364ace52ae6b4699105b39f2559c256b6cd4c upstream. These are just compatible with other CX2075x codecs. Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit fc9c1a6fcab38a410b2aa292936107924b7d5f5d Author: Takashi Iwai Date: Fri May 11 08:39:24 2012 +0200 ALSA: hda/conexant - Correct vendor IDs for new codecs commit 2d825fd82eb765412a558a56e193b77117d56699 upstream. Never trust datasheet... Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 91abcd9460c3ac7d538c1459768031745dd9537c Author: Takashi Iwai Date: Thu May 10 08:54:23 2012 +0200 ALSA: hda - Add Conexant CX20751/2/3/4 codec support commit 61d648fb4726f8a89c07cd1904f9c2e11bf26df5 upstream. These are almost compatible with the older Conexant codecs. Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit f666957665d9c9b2ec308963333dbd224271b4d6 Author: Dmitry Kasatkin Date: Fri Jan 18 23:56:39 2013 +0200 evm: checking if removexattr is not a NULL commit a67adb997419fb53540d4a4f79c6471c60bc69b6 upstream. The following lines of code produce a kernel oops. fd = socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); fchmod(fd, 0666); [ 139.922364] BUG: unable to handle kernel NULL pointer dereference at (null) [ 139.924982] IP: [< (null)>] (null) [ 139.924982] *pde = 00000000 [ 139.924982] Oops: 0000 [#5] SMP [ 139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button [ 139.924982] Pid: 3070, comm: acpid Tainted: G D 3.8.0-rc2-kds+ #465 Bochs Bochs [ 139.924982] EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0 [ 139.924982] EIP is at 0x0 [ 139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2 [ 139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4 [ 139.924982] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0 [ 139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 139.924982] DR6: ffff0ff0 DR7: 00000400 [ 139.924982] Process acpid (pid: 3070, ti=cc02c000 task=d7705340 task.ti=cc02c000) [ 139.924982] Stack: [ 139.924982] c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940 [ 139.924982] e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3 [ 139.924982] 00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08 [ 139.924982] Call Trace: [ 139.924982] [] ? evm_update_evmxattr+0x5b/0x62 [ 139.924982] [] evm_inode_post_setattr+0x22/0x26 [ 139.924982] [] notify_change+0x25f/0x281 [ 139.924982] [] chmod_common+0x59/0x76 [ 139.924982] [] ? put_unused_fd+0x33/0x33 [ 139.924982] [] sys_fchmod+0x39/0x5c [ 139.924982] [] syscall_call+0x7/0xb [ 139.924982] Code: Bad EIP value. This happens because sockets do not define the removexattr operation. Before removing the xattr, verify the removexattr function pointer is not NULL. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Signed-off-by: James Morris Signed-off-by: Ben Hutchings commit 41cb955f06fca83aa98a23a7f594000f21805c60 Author: Russell King Date: Sat Jan 19 11:05:57 2013 +0000 ARM: DMA: Fix struct page iterator in dma_cache_maint() to work with sparsemem commit 15653371c67c3fbe359ae37b720639dd4c7b42c5 upstream. Subhash Jadavani reported this partial backtrace: Now consider this call stack from MMC block driver (this is on the ARMv7 based board): [] (v7_dma_inv_range+0x30/0x48) from [] (dma_cache_maint_page+0x1c4/0x24c) [] (dma_cache_maint_page+0x1c4/0x24c) from [] (___dma_page_cpu_to_dev+0x14/0x1c) [] (___dma_page_cpu_to_dev+0x14/0x1c) from [] (dma_map_sg+0x3c/0x114) This is caused by incrementing the struct page pointer, and running off the end of the sparsemem page array. Fix this by incrementing by pfn instead, and convert the pfn to a struct page. Suggested-by: James Bottomley Tested-by: Subhash Jadavani Signed-off-by: Russell King Signed-off-by: Ben Hutchings commit 4b4b641bd7aa89d8c9827e9e73b3efc9a0fd4713 Author: Thomas Schlichter Date: Sat Jan 19 00:28:22 2013 +0100 ACPI / processor: Get power info before updating the C-states commit f427e5f1cf75bba84cccdac1d8a90552d9ae1065 upstream. acpi_processor_get_power_info() has to be called before acpi_processor_setup_cpuidle_states() to have the latest information available. This fixes the missing C-state information after AC-->DC transition. Signed-off-by: Thomas Schlichter Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings commit 8d535aa140cc74ae7f8b009e8a672820d8d15d16 Author: Konrad Rzeszutek Wilk Date: Wed Jan 16 23:40:07 2013 +0100 ACPI / cpuidle: Fix NULL pointer issues when cpuidle is disabled commit b88a634a903d9670aa5f2f785aa890628ce0dece upstream. If cpuidle is disabled, that means that: per_cpu(acpi_cpuidle_device, pr->id) is set to NULL as the acpi_processor_power_init ends up failing at retval = cpuidle_register_driver(&acpi_idle_driver) (in acpi_processor_power_init) and never sets the per_cpu idle device. So when acpi_processor_hotplug on CPU online notification tries to reference said device it crashes: cpu 3 spinlock event irq 62 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: [] acpi_processor_setup_cpuidle_cx+0x3f/0x105 PGD a259b067 PUD ab38b067 PMD 0 Oops: 0002 [#1] SMP odules linked in: dm_multipath dm_mod xen_evtchn iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi libcrc32c crc32c nouveau mxm_wmi wmi radeon ttm sg sr_mod sd_mod cdrom ata_generic ata_piix libata crc32c_intel scsi_mod atl1c i915 fbcon tileblit font bitblit softcursor drm_kms_helper video xen_blkfront xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea xenfs xen_privcmd mperf CPU 1 Pid: 3047, comm: bash Not tainted 3.8.0-rc3upstream-00250-g165c029 #1 MSI MS-7680/H61M-P23 (MS-7680) RIP: e030:[] [] acpi_processor_setup_cpuidle_cx+0x3f/0x105 RSP: e02b:ffff88001742dca8 EFLAGS: 00010202 RAX: 0000000000010be9 RBX: ffff8800a0a61800 RCX: ffff880105380000 RDX: 0000000000000003 RSI: 0000000000000200 RDI: ffff8800a0a61800 RBP: ffff88001742dce8 R08: ffffffff81812360 R09: 0000000000000200 R10: aaaaaaaaaaaaaaaa R11: 0000000000000001 R12: ffff8800a0a61800 R13: 00000000ffffff01 R14: 0000000000000000 R15: ffffffff81a907a0 FS: 00007fd6942f7700(0000) GS:ffff880105280000(0000) knlGS:0000000000000000 CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 00000000a6773000 CR4: 0000000000042660 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process bash (pid: 3047, threadinfo ffff88001742c000, task ffff880017944000) Stack: 0000000000000150 ffff880100f59e00 ffff88001742dcd8 ffff8800a0a61800 0000000000000000 00000000ffffff01 0000000000000000 ffffffff81a907a0 ffff88001742dd18 ffffffff813815b1 ffff88001742dd08 ffffffff810ae336 Call Trace: [] acpi_processor_hotplug+0x7c/0x9f [] ? schedule_delayed_work_on+0x16/0x20 [] acpi_cpu_soft_notify+0x90/0xca [] notifier_call_chain+0x4d/0x70 [] __raw_notifier_call_chain+0x9/0x10 [] __cpu_notify+0x1b/0x30 [] _cpu_up+0x103/0x14b [] cpu_up+0xd9/0xec [] store_online+0x94/0xd0 [] dev_attr_store+0x1b/0x20 [] sysfs_write_file+0xf4/0x170 This patch fixes it. Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings commit 24d64ff793d880d298aec64369babcdfd61e6bc2 Author: Konrad Rzeszutek Wilk Date: Wed Jan 16 23:40:01 2013 +0100 intel_idle: Don't register CPU notifier if we are not running. commit 6f8c2e7933679f54b6478945dc72e59ef9a3d5e0 upstream. The 'intel_idle_probe' probes the CPU and sets the CPU notifier. But if later on during the module initialization we fail (say in cpuidle_register_driver), we stop loading, but we neglect to unregister the CPU notifier. This means that during CPU hotplug events the system will fail: calling intel_idle_init+0x0/0x326 @ 1 intel_idle: MWAIT substates: 0x1120 intel_idle: v0.4 model 0x2A intel_idle: lapic_timer_reliable_states 0xffffffff intel_idle: intel_idle yielding to none initcall intel_idle_init+0x0/0x326 returned -19 after 14 usecs ... some time later, offlining and onlining a CPU: cpu 3 spinlock event irq 62 BUG: unable to ] __cpuidle_register_device+0x1c/0x120 PGD 99b8b067 PUD 99b95067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: xen_evtchn nouveau mxm_wmi wmi radeon ttm i915 fbcon tileblit font atl1c bitblit softcursor drm_kms_helper video xen_blkfront xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea xenfs xen_privcmd mperf CPU 0 Pid: 2302, comm: udevd Not tainted 3.8.0-rc3upstream-00249-g09ad159 #1 MSI MS-7680/H61M-P23 (MS-7680) RIP: e030:[] [] __cpuidle_register_device+0x1c/0x120 RSP: e02b:ffff88009dacfcb8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff880105380000 RCX: 000000000000001c RDX: 0000000000000000 RSI: 0000000000000055 RDI: ffff880105380000 RBP: ffff88009dacfce8 R08: ffffffff81a4f048 R09: 0000000000000008 R10: 0000000000000008 R11: 0000000000000000 R12: ffff880105380000 R13: 00000000ffffffdd R14: 0000000000000000 R15: ffffffff81a523d0 FS: 00007f37bd83b7a0(0000) GS:ffff880105200000(0000) knlGS:0000000000000000 CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 00000000a09ea000 CR4: 0000000000042660 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process udevd (pid: 2302, threadinfo ffff88009dace000, task ffff88009afb47f0) Stack: ffffffff8107f2d0 ffffffff810c2fb7 ffff88009dacfce8 00000000ffffffea ffff880105380000 00000000ffffffdd ffff88009dacfd08 ffffffff814d9882 0000000000000003 ffff880105380000 ffff88009dacfd28 ffffffff81340afd Call Trace: [] ? collect_cpu_info_local+0x30/0x30 [] ? __might_sleep+0xe7/0x100 [] cpuidle_register_device+0x32/0x70 [] intel_idle_cpu_init+0xad/0x110 [] cpu_hotplug_notify+0x68/0x80 [] notifier_call_chain+0x4d/0x70 [] __raw_notifier_call_chain+0x9/0x10 [] __cpu_notify+0x1b/0x30 [] _cpu_up+0x103/0x14b [] cpu_up+0xd9/0xec [] store_online+0x94/0xd0 [] dev_attr_store+0x1b/0x20 [] sysfs_write_file+0xf4/0x170 [] vfs_write+0xb4/0x130 [] sys_write+0x5a/0xa0 [] system_call_fastpath+0x16/0x1b Code: 03 18 00 c9 c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 ec 30 48 89 5d e8 4c 89 65 f0 48 89 fb 4c 89 6d f8 e8 84 08 00 00 <48> 8b 78 08 49 89 c4 e8 f8 7f c1 ff 89 c2 b8 ea ff ff ff 84 d2 RIP [] __cpuidle_register_device+0x1c/0x120 RSP This patch fixes that by moving the CPU notifier registration as the last item to be done by the module. Signed-off-by: Konrad Rzeszutek Wilk Reviewed-by: Srivatsa S. Bhat Signed-off-by: Rafael J. Wysocki [bwh: Backported to 3.2: notifier is registered only if we do not have ARAT] Signed-off-by: Ben Hutchings commit 997bc14d400b292089a3c0b89e1c72d6aacbad38 Author: Pratyush Anand Date: Fri Jan 18 16:53:56 2013 +0530 usb: dwc3: gadget: fix ep->maxburst for ep0 commit 6048e4c69d80600baba35856651056860d5d8f5a upstream. dwc3_gadget_set_ep_config expects maxburst as incremented by 1. So, by default initialize ep->maxburst to 1 for ep0. Signed-off-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Ben Hutchings commit 7b4992729ddd232f6026c109f93d8296ca58b3ed Author: Wolfgang Frisch Date: Thu Jan 17 01:07:02 2013 +0100 USB: io_ti: Fix NULL dereference in chase_port() commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream. The tty is NULL when the port is hanging up. chase_port() needs to check for this. This patch is intended for stable series. The behavior was observed and tested in Linux 3.2 and 3.7.1. Johan Hovold submitted a more elaborate patch for the mainline kernel. [ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84 [ 56.278811] usb 1-1: USB disconnect, device number 3 [ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read! [ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8 [ 56.280536] IP: [] _raw_spin_lock_irqsave+0x19/0x35 [ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0 [ 56.282085] Oops: 0002 [#1] SMP [ 56.282744] Modules linked in: [ 56.283512] CPU 1 [ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox [ 56.283512] RIP: 0010:[] [] _raw_spin_lock_irqsave+0x19/0x35 [ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046 [ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064 [ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8 [ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000 [ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0 [ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4 [ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000 [ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0 [ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80) [ 56.283512] Stack: [ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c [ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001 [ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296 [ 56.283512] Call Trace: [ 56.283512] [] ? add_wait_queue+0x12/0x3c [ 56.283512] [] ? usb_serial_port_work+0x28/0x28 [ 56.283512] [] ? chase_port+0x84/0x2d6 [ 56.283512] [] ? try_to_wake_up+0x199/0x199 [ 56.283512] [] ? tty_ldisc_hangup+0x222/0x298 [ 56.283512] [] ? edge_close+0x64/0x129 [ 56.283512] [] ? __wake_up+0x35/0x46 [ 56.283512] [] ? should_resched+0x5/0x23 [ 56.283512] [] ? tty_port_shutdown+0x39/0x44 [ 56.283512] [] ? usb_serial_port_work+0x28/0x28 [ 56.283512] [] ? __tty_hangup+0x307/0x351 [ 56.283512] [] ? usb_hcd_flush_endpoint+0xde/0xed [ 56.283512] [] ? _raw_spin_lock_irqsave+0x14/0x35 [ 56.283512] [] ? usb_serial_disconnect+0x57/0xc2 [ 56.283512] [] ? usb_unbind_interface+0x5c/0x131 [ 56.283512] [] ? __device_release_driver+0x7f/0xd5 [ 56.283512] [] ? device_release_driver+0x1a/0x25 [ 56.283512] [] ? bus_remove_device+0xd2/0xe7 [ 56.283512] [] ? device_del+0x119/0x167 [ 56.283512] [] ? usb_disable_device+0x6a/0x180 [ 56.283512] [] ? usb_disconnect+0x81/0xe6 [ 56.283512] [] ? hub_thread+0x577/0xe82 [ 56.283512] [] ? __schedule+0x490/0x4be [ 56.283512] [] ? abort_exclusive_wait+0x79/0x79 [ 56.283512] [] ? usb_remote_wakeup+0x2f/0x2f [ 56.283512] [] ? usb_remote_wakeup+0x2f/0x2f [ 56.283512] [] ? kthread+0x81/0x89 [ 56.283512] [] ? __kthread_parkme+0x5c/0x5c [ 56.283512] [] ? ret_from_fork+0x7c/0xb0 [ 56.283512] [] ? __kthread_parkme+0x5c/0x5c [ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66 [ 56.283512] RIP [] _raw_spin_lock_irqsave+0x19/0x35 [ 56.283512] RSP [ 56.283512] CR2: 00000000000001c8 [ 56.283512] ---[ end trace 49714df27e1679ce ]--- Signed-off-by: Wolfgang Frisch Cc: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 157bb66c87286abc3dad2ed19a8cfb130ef24573 Author: Bjørn Mork Date: Tue Jan 15 10:29:49 2013 +0100 USB: option: add TP-LINK HSUPA Modem MA180 commit 99beb2e9687ffd61c92a9875141eabe6f57a71b9 upstream. The driver description files gives these names to the vendor specific functions on this modem: Diagnostics VID_2357&PID_0201&MI_00 NMEA VID_2357&PID_0201&MI_01 Modem VID_2357&PID_0201&MI_03 Networkcard VID_2357&PID_0201&MI_04 Reported-by: Thomas Schäfer Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 36a2828e044669324bf324e4bdbeadd4a96039cb Author: Bjørn Mork Date: Thu Jan 17 15:14:22 2013 +0100 USB: option: blacklist network interface on ONDA MT8205 4G LTE commit 2291dff02e5f8c708a46a7c4c888f2c467e26642 upstream. The driver description files gives these names to the vendor specific functions on this modem: Diag VID_19D2&PID_0265&MI_00 NMEA VID_19D2&PID_0265&MI_01 AT cmd VID_19D2&PID_0265&MI_02 Modem VID_19D2&PID_0265&MI_03 Net VID_19D2&PID_0265&MI_04 Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 1a14c25a0b523225ba47a983d094d1b253f2585a Author: Alexander Graf Date: Thu Jan 17 13:50:25 2013 +0100 KVM: PPC: Emulate dcbf commit d3286144c92ec876da9e30320afa875699b7e0f1 upstream. Guests can trigger MMIO exits using dcbf. Since we don't emulate cache incoherent MMIO, just do nothing and move on. Reported-by: Ben Collins Signed-off-by: Alexander Graf Tested-by: Ben Collins [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 6521d6734943f2ecb34f69c403ae91b1fcf11c64 Author: Stephen Hurd Date: Thu Jan 17 14:14:53 2013 -0800 8250/16?50: Add support for Broadcom TruManage redirected serial port commit ebebd49a8eab5e9aa1b1f8f1614ccc3c2120f886 upstream. Add support for the UART device present in Broadcom TruManage capable NetXtreme chips (ie: 5761m 5762, and 5725). This implementation has a hidden transmit FIFO, so running in single-byte interrupt mode results in too many interrupts. The UART_CAP_HFIFO capability was added to track this. It continues to reload the THR as long as the THRE and TSRE bits are set in the LSR up to a specified limit (1024 is used here). Signed-off-by: Stephen Hurd Signed-off-by: Michael Chan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Adjust filenames - Adjust context - First available port type number is 22 not 24 - s/uart_8250_port/uart_port/ - Use serial_in() not serial_port_in()] Signed-off-by: Ben Hutchings commit 01b7106d2e26dfccb97e3dc03857d3a3e933c190 Author: Ben Hutchings Date: Mon Jan 14 01:29:17 2013 +0000 staging: vt6656: Fix inconsistent structure packing commit 1ee4c55fc9620451b2a825d793042a7e0775391b upstream. vt6656 has several headers that use the #pragma pack(1) directive to enable structure packing, but never disable it. The layout of structures defined in other headers can then depend on which order the various headers are included in, breaking the One Definition Rule. In practice this resulted in crashes on x86_64 until the order of header inclusion was changed for some files in commit 11d404cb56ecd ('staging: vt6656: fix headers and add cfg80211.'). But we need a proper fix that won't be affected by future changes to the order of inclusion. This removes the #pragma pack(1) directives and adds __packed to the structure definitions for which packing appears to have been intended. Reported-and-tested-by: Malcolm Priestley Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2] commit 5c0ce9fed10a58f65fe2784b664e03bdeaaac650 Author: Andrew Cooper Date: Wed Jan 16 12:00:55 2013 +0000 xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream. This fixes CVE-2013-0190 / XSA-40 There has been an error on the xen_failsafe_callback path for failed iret, which causes the stack pointer to be wrong when entering the iret_exc error path. This can result in the kernel crashing. In the classic kernel case, the relevant code looked a little like: popl %eax # Error code from hypervisor jz 5f addl $16,%esp jmp iret_exc # Hypervisor said iret fault 5: addl $16,%esp # Hypervisor said segment selector fault Here, there are two identical addls on either option of a branch which appears to have been optimised by hoisting it above the jz, and converting it to an lea, which leaves the flags register unaffected. In the PVOPS case, the code looks like: popl_cfi %eax # Error from the hypervisor lea 16(%esp),%esp # Add $16 before choosing fault path CFI_ADJUST_CFA_OFFSET -16 jz 5f addl $16,%esp # Incorrectly adjust %esp again jmp iret_exc It is possible unprivileged userspace applications to cause this behaviour, for example by loading an LDT code selector, then changing the code selector to be not-present. At this point, there is a race condition where it is possible for the hypervisor to return back to userspace from an interrupt, fault on its own iret, and inject a failsafe_callback into the kernel. This bug has been present since the introduction of Xen PVOPS support in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23. Signed-off-by: Frediano Ziglio Signed-off-by: Andrew Cooper Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit 3bba3a68cc9e846c33f7102d79bcf0ba10bad5f9 Author: Nicolas Pitre Date: Tue Jan 15 18:51:32 2013 +0100 ARM: 7628/1: head.S: map one extra section for the ATAG/DTB area commit 6f16f4998f98e42e3f2dedf663cfb691ff0324af upstream. We currently use a temporary 1MB section aligned to a 1MB boundary for mapping the provided device tree until the final page table is created. However, if the device tree happens to cross that 1MB boundary, the end of it remains unmapped and the kernel crashes when it attempts to access it. Given no restriction on the location of that DTB, it could end up with only a few bytes mapped at the end of a section. Solve this issue by mapping two consecutive sections. Signed-off-by: Nicolas Pitre Tested-by: Sascha Hauer Tested-by: Tomasz Figa Signed-off-by: Russell King [bwh: Backported to 3.2: - Adjust context - The mapping is not conditional; drop the 'ne' suffixes] Signed-off-by: Ben Hutchings commit 04bab8d5caa173ea1faea7103bed30e12d73d3fe Author: Stephen Boyd Date: Mon Jan 14 19:50:42 2013 +0100 ARM: 7627/1: Predicate preempt logic on PREEMP_COUNT not PREEMPT alone commit 568dca15aa2a0f4ddee255894ec393a159f13147 upstream. Patrik Kluba reports that the preempt count becomes invalid due to the preempt_enable() call being unbalanced with a preempt_disable() call in the vfp assembly routines. This happens because preempt_enable() and preempt_disable() update preempt counts under PREEMPT_COUNT=y but the vfp assembly routines do so under PREEMPT=y. In a configuration where PREEMPT=n and DEBUG_ATOMIC_SLEEP=y, PREEMPT_COUNT=y and so the preempt_enable() call in VFP_bounce() keeps subtracting from the preempt count until it goes negative. Fix this by always using PREEMPT_COUNT to decided when to update preempt counts in the ARM assembly code. Signed-off-by: Stephen Boyd Reported-by: Patrik Kluba Tested-by: Patrik Kluba Signed-off-by: Russell King Signed-off-by: Ben Hutchings commit 26d5d5d031a0bc51081fc5e8957dfee69e98b4b3 Author: Heiko Carstens Date: Mon Jan 14 16:55:55 2013 +0100 s390/time: fix sched_clock() overflow commit ed4f20943cd4c7b55105c04daedf8d63ab6d499c upstream. Converting a 64 Bit TOD format value to nanoseconds means that the value must be divided by 4.096. In order to achieve that we multiply with 125 and divide by 512. When used within sched_clock() this triggers an overflow after appr. 417 days. Resulting in a sched_clock() return value that is much smaller than previously and therefore may cause all sort of weird things in subsystems that rely on a monotonic sched_clock() behaviour. To fix this implement a tod_to_ns() helper function which converts TOD values without overflow and call this function from both places that open coded the conversion: sched_clock() and kvm_s390_handle_wait(). Reviewed-by: Martin Schwidefsky Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Ben Hutchings commit 2c27f1d9af77a3842e896b7c0856bad925b3f7d3 Author: Chris Wilson Date: Tue Jan 15 16:17:54 2013 +0000 drm/i915: Invalidate the relocation presumed_offsets along the slow path commit 262b6d363fcff16359c93bd58c297f961f6e6273 upstream. In the slow path, we are forced to copy the relocations prior to acquiring the struct mutex in order to handle pagefaults. We forgo copying the new offsets back into the relocation entries in order to prevent a recursive locking bug should we trigger a pagefault whilst holding the mutex for the reservations of the execbuffer. Therefore, we need to reset the presumed_offsets just in case the objects are rebound back into their old locations after relocating for this exexbuffer - if that were to happen we would assume the relocations were valid and leave the actual pointers to the kernels dangling, instant hang. Fixes regression from commit bcf50e2775bbc3101932d8e4ab8c7902aa4163b4 Author: Chris Wilson Date: Sun Nov 21 22:07:12 2010 +0000 drm/i915: Handle pagefaults in execbuffer user relocations Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=55984 Signed-off-by: Chris Wilson Cc: Daniel Vetter Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings commit d0c5edd13ab6a7a5c3c2fe1b0ee578319e068240 Author: Maxime Ripard Date: Mon Jan 14 20:09:26 2013 +0100 tty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler commit 68e56cb3a068f9c30971c6117fbbd1e32918e49e upstream. Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 4078a79bd23bed074e7246aa971cef414b652809 Author: chao bi Date: Wed Dec 12 11:40:56 2012 +0800 serial:ifx6x60:Delete SPI timer when shut down port commit 014b9b4ce84281ccb3d723c792bed19815f3571a upstream. When shut down SPI port, it's possible that MRDY has been asserted and a SPI timer was activated waiting for SRDY assert, in the case, it needs to delete this timer. Signed-off-by: Chen Jun Signed-off-by: channing Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit bd6e8b8c51939b364a0ecf2cb7dc60a03edd1311 Author: Colin Ian King Date: Tue Nov 27 14:09:40 2012 +0000 PCI: Allow pcie_aspm=force even when FADT indicates it is unsupported commit 9e16721498b0c3d3ebfa0b503c63d35c0a4c0642 upstream. Right now using pcie_aspm=force will not enable ASPM if the FADT indicates ASPM is unsupported. However, the semantics of force should probably allow for this, especially as they did before 3c076351c4 ("PCI: Rework ASPM disable code") This patch just skips the clearing of any ASPM setup that the firmware has carried out on this bus if pcie_aspm=force is being used. Reference: http://bugs.launchpad.net/bugs/962038 Signed-off-by: Colin Ian King Signed-off-by: Bjorn Helgaas Signed-off-by: Ben Hutchings commit 0d36c06afe8ac3510ebdd21eb023077cb28efde6 Author: Bjorn Helgaas Date: Fri Jan 11 12:21:15 2013 -0700 PCI: shpchp: Use per-slot workqueues to avoid deadlock commit f652e7d2916fe2fcf9e7d709aa5b7476b431e2dd upstream. When we have an SHPC-capable bridge with a second SHPC-capable bridge below it, pushing the upstream bridge's attention button causes a deadlock. The deadlock happens because we use the shpchp_wq workqueue to run shpchp_pushbutton_thread(), which uses shpchp_disable_slot() to remove devices below the upstream bridge. When we remove the downstream bridge, we call shpc_remove(), the shpchp driver's .remove() method. That calls flush_workqueue(shpchp_wq), which deadlocks because the shpchp_pushbutton_thread() work item is still running. This patch avoids the deadlock by creating a workqueue for every slot and removing the single shared workqueue. Here's the call path that leads to the deadlock: shpchp_queue_pushbutton_work queue_work(shpchp_wq) # shpchp_pushbutton_thread ... shpchp_pushbutton_thread shpchp_disable_slot remove_board shpchp_unconfigure_device pci_stop_and_remove_bus_device ... shpc_remove # shpchp driver .remove method hpc_release_ctlr cleanup_slots flush_workqueue(shpchp_wq) This change is based on code inspection, since we don't have hardware with this topology. Based-on-patch-by: Yijing Wang Signed-off-by: Bjorn Helgaas [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 0809b51bdf57a2e813ccb06ac9ff01c01b341885 Author: Bjorn Helgaas Date: Fri Jan 11 12:07:22 2013 -0700 PCI: shpchp: Handle push button event asynchronously commit d347e75847c1fb299c97736638f45e6ea39702d4 upstream. Use non-ordered workqueue for attention button events. Attention button events on each slot can be handled asynchronously. So we should use non-ordered workqueue. This patch also removes ordered workqueue in shpchp as a result. 486b10b9f4 ("PCI: pciehp: Handle push button event asynchronously") made the same change to pciehp. I split this out from a patch by Yijing Wang so we fix one thing at a time and to make the shpchp history correspond more closely with the pciehp history. Signed-off-by: Bjorn Helgaas CC: Kenji Kaneshige Signed-off-by: Ben Hutchings commit c4dca1575d32be2bf92b3e4501e97a0755edec67 Author: Betty Dall Date: Sun Jan 13 15:46:18 2013 -0700 PCI/AER: pci_get_domain_bus_and_slot() call missing required pci_dev_put() commit a82b6af37d20bfe6e99a4d890f1cf1d89059929f upstream. The function aer_recover_queue() calls pci_get_domain_bus_and_slot(), which requires that the caller decrement the reference count with pci_dev_put(). This patch adds the missing call to pci_dev_put(). Signed-off-by: Betty Dall Signed-off-by: Bjorn Helgaas Reviewed-by: Shuah Khan Signed-off-by: Ben Hutchings commit bc20c871bc118f719ada8f5771704c7cad7ef0e5 Author: Tomasz Mloduchowski Date: Sun Jan 13 23:32:53 2013 +0100 usb: ftdi_sio: Crucible Technologies COMET Caller ID - pid added commit 8cf65dc386f3634a43312f436cc7a935476a40c4 upstream. Simple fix to add support for Crucible Technologies COMET Caller ID USB decoder - a device containing FTDI USB/Serial converter chip, handling 1200bps CallerID messages decoded from the phone line - adding correct USB PID is sufficient. Tested to apply cleanly and work flawlessly against 3.6.9, 3.7.0-rc8 and 3.8.0-rc3 on both amd64 and x86 arches. Signed-off-by: Tomasz Mloduchowski Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit eda0e8f5ced8fe3432abb9d1828b4145ecb30aac Author: Yijing Wang Date: Fri Jan 11 10:15:54 2013 +0800 PCI: pciehp: Use per-slot workqueues to avoid deadlock commit c2be6f93b383c873a4f9d521afa49b1b67d06085 upstream. When we have a hotplug-capable PCIe port with a second hotplug-capable PCIe port below it, removing the device below the upstream port causes a deadlock. The deadlock happens because we use the pciehp_wq workqueue to run pciehp_power_thread(), which uses pciehp_disable_slot() to remove devices below the upstream port. When we remove the downstream PCIe port, we call pciehp_remove(), the pciehp driver's .remove() method. That calls flush_workqueue(pciehp_wq), which deadlocks because the pciehp_power_thread() work item is still running. This patch avoids the deadlock by creating a workqueue for every PCIe port and removing the single shared workqueue. Here's the call path that leads to the deadlock: pciehp_queue_pushbutton_work queue_work(pciehp_wq) # queue pciehp_power_thread ... pciehp_power_thread pciehp_disable_slot remove_board pciehp_unconfigure_device pci_stop_and_remove_bus_device ... pciehp_remove # pciehp driver .remove method pciehp_release_ctrl pcie_cleanup_slot flush_workqueue(pciehp_wq) This is fairly urgent because it can be caused by simply unplugging a Thunderbolt adapter, as reported by Daniel below. [bhelgaas: changelog] Reference: http://lkml.kernel.org/r/CAMVG2ssiRgcTD1bej2tkUUfsWmpL5eNtPcNif9va2-Gzb2u8nQ@mail.gmail.com Reported-and-tested-by: Daniel J Blueman Reviewed-by: Kenji Kaneshige Signed-off-by: Yijing Wang Signed-off-by: Bjorn Helgaas [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 83d03443b68bd2aad5c831bbffba8d23e2eb933a Author: Kenji Kaneshige Date: Mon Nov 7 20:56:50 2011 +0900 PCI: pciehp: Handle push button event asynchronously commit 486b10b9f43500741cd63a878d0ef23cd87fc66d upstream. Use non-ordered workqueue for attention button events. Attention button events on each slot can be handled asynchronously. So we should use non-ordered workqueue. This patch also removes ordered workqueue in pciehp as a result. Signed-off-by: Kenji Kaneshige Signed-off-by: Jesse Barnes Signed-off-by: Ben Hutchings commit b4f439edeea055ea3681618e1c299ab3a3d32cdc Author: Kenji Kaneshige Date: Mon Nov 7 20:55:46 2011 +0900 PCI: pciehp: Fix wrong workqueue cleanup commit 027e8d52abdd44bc00e405af83cd2fbfb96c0824 upstream. Fix improper workqueue cleanup. In the current pciehp, pcied_cleanup() calls destroy_workqueue() before calling pcie_port_service_unregister(). This causes kernel oops because flush_workqueue() is called in the pcie_port_service_unregister() code path after the workqueue was destroyed. So pcied_cleanup() must call pcie_port_service_unregister() first before calling destroy_workqueue(). Signed-off-by: Kenji Kaneshige Signed-off-by: Jesse Barnes Signed-off-by: Ben Hutchings commit 3e4ba2bf729b851695f01b514e1605dc0cffd5c8 Author: Andreas Fleig Date: Wed Dec 5 16:17:49 2012 +0100 USB: Add device quirk for Microsoft VX700 webcam commit bc009eca8d539162f7271c2daf0ab5e9e3bb90a0 upstream. Add device quirk for Microsoft Lifecam VX700 v2.0 webcams. Fixes squeaking noise of the microphone. Signed-off-by: Andreas Fleig Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 458b03804988d061567a1a0f0d17c86967dfdc21 Author: Laura Abbott Date: Fri Jan 11 14:31:51 2013 -0800 mm: use aligned zone start for pfn_to_bitidx calculation commit c060f943d0929f3e429c5d9522290584f6281d6e upstream. The current calculation in pfn_to_bitidx assumes that (pfn - zone->zone_start_pfn) >> pageblock_order will return the same bit for all pfn in a pageblock. If zone_start_pfn is not aligned to pageblock_nr_pages, this may not always be correct. Consider the following with pageblock order = 10, zone start 2MB: pfn | pfn - zone start | (pfn - zone start) >> page block order ---------------------------------------------------------------- 0x26000 | 0x25e00 | 0x97 0x26100 | 0x25f00 | 0x97 0x26200 | 0x26000 | 0x98 0x26300 | 0x26100 | 0x98 This means that calling {get,set}_pageblock_migratetype on a single page will not set the migratetype for the full block. Fix this by rounding down zone_start_pfn when doing the bitidx calculation. For our use case, the effects of this bug were mostly tied to the fact that CMA allocations would either take a long time or fail to happen. Depending on the driver using CMA, this could result in anything from visual glitches to application failures. Signed-off-by: Laura Abbott Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 2c7ff1aa06ba37b36e07d4b47c55d7431ec9dff9 Author: Jason Liu Date: Fri Jan 11 14:31:47 2013 -0800 mm: compaction: fix echo 1 > compact_memory return error issue commit 7964c06d66c76507d8b6b662bffea770c29ef0ce upstream. when run the folloing command under shell, it will return error sh/$ echo 1 > /proc/sys/vm/compact_memory sh/$ sh: write error: Bad address After strace, I found the following log: ... write(1, "1\n", 2) = 3 write(1, "", 4294967295) = -1 EFAULT (Bad address) write(2, "echo: write error: Bad address\n", 31echo: write error: Bad address ) = 31 This tells system return 3(COMPACT_COMPLETE) after write data to compact_memory. The fix is to make the system just return 0 instead 3(COMPACT_COMPLETE) from sysctl_compaction_handler after compaction_nodes finished. Signed-off-by: Jason Liu Suggested-by: David Rientjes Acked-by: Mel Gorman Cc: Rik van Riel Cc: Minchan Kim Cc: KAMEZAWA Hiroyuki Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 61c1cdc4b8f0789e93bfb835e69b351412762af1 Author: Oliver Neukum Date: Thu Nov 29 15:05:57 2012 +0100 USB: hub: handle claim of enabled remote wakeup after reset commit 07e72b95f5038cc82304b9a4a2eb7f9fc391ea68 upstream. Some touchscreens have buggy firmware which claims remote wakeup to be enabled after a reset. They nevertheless crash if the feature is cleared by the host. Add a check for reset resume before checking for an enabled remote wakeup feature. On compliant devices the feature must be cleared after a reset anyway. Signed-off-by: Oliver Neukum Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 011321db1cb95b2c8917c280c151b6b89bd6b8c6 Author: Denis N Ladin Date: Wed Dec 26 18:29:44 2012 +0500 USB: cdc-acm: Add support for "PSC Scanning, Magellan 800i" commit 036915a7a402753c05b8d0529f5fd08805ab46d0 upstream. Adding support "PSC Scanning, Magellan 800i" in cdc-acm Very simple, but very necessary. Suitable for all versions of the kernel > 2.6 Signed-off-by: Denis N Ladin Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 5d0afa58e6045b69de6e9e7dfe23ae35279b4dd4 Author: Dzianis Kahanovich Date: Mon Dec 3 16:06:26 2012 +0300 USB: option: add Nexpring NP10T terminal id commit ad86e58661b38b279b7519d4e49c7a19dc1654bb upstream. Hyundai Petatel Inc. Nexpring NP10T terminal (EV-DO rev.A USB modem) ID Signed-off-by: Denis Kaganovich Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit f9a6b00c2a90a2229895d4c497d89bdaad66e4f5 Author: Bjørn Mork Date: Fri Dec 28 17:29:52 2012 +0100 USB: option: add Telekom Speedstick LTE II commit 5ec0085440ef8c2cf50002b34d5a504ee12aa2bf upstream. also known as Alcatel One Touch L100V LTE The driver description files gives these names to the vendor specific functions on this modem: Application1: VID_1BBB&PID_011E&MI_00 Application2: VID_1BBB&PID_011E&MI_01 Modem: VID_1BBB&PID_011E&MI_03 Ethernet: VID_1BBB&PID_011E&MI_04 Reported-by: Thomas Schäfer Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit f51d4762def5c0808b81359605d5f0cb2eb79c98 Author: Bjørn Mork Date: Wed Dec 19 15:15:17 2012 +0100 USB: option: blacklist network interface on ZTE MF880 commit fab38246f318edcd0dcb8fd3852a47cf8938878a upstream. The driver description files gives these names to the vendor specific functions on this modem: diag: VID_19D2&PID_0284&MI_00 nmea: VID_19D2&PID_0284&MI_01 at: VID_19D2&PID_0284&MI_02 mdm: VID_19D2&PID_0284&MI_03 net: VID_19D2&PID_0284&MI_04 Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 7dbea1489aef9fe5634d65a5db8ea204cbd0b17a Author: Quentin.Li Date: Wed Dec 26 16:58:22 2012 +0800 USB: option: Add new MEDIATEK PID support commit 94a85b633829b946eef53fc1825d526312fb856f upstream. In option.c, add some new MEDIATEK PIDs support for MEDIATEK new products. This is a MEDIATEK inc. release patch. Signed-off-by: Quentin.Li Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 389a31cde3d4b488b605ec1d6eda187001fb1fbe Author: Thomas Schwinge Date: Fri Nov 16 10:46:20 2012 +0100 sh: Fix FDPIC binary loader commit 4a71997a3279a339e7336ea5d0cd27282e2dea44 upstream. Ensure that the aux table is properly initialized, even when optional features are missing. Without this, the FDPIC loader did not work. This was meant to be included in commit d5ab780305bb6d60a7b5a74f18cf84eb6ad153b1. Signed-off-by: Thomas Schwinge Signed-off-by: Paul Mundt Signed-off-by: Ben Hutchings commit e14478a19adaffac219b268b2e1bece3bde9572a Author: Mark Rustad Date: Fri Dec 21 10:58:19 2012 -0800 tcm_fc: Do not report target role when target is not defined commit edec8dfefa1f372b2dd8197da555352e76a10c03 upstream. Clear the target role when no target is provided for the node performing a PRLI. Signed-off-by: Mark Rustad Reviewed-by: Bhanu Prakash Gollapudi Acked by Robert Love Signed-off-by: Nicholas Bellinger Signed-off-by: Ben Hutchings commit 5b0877634e54f1ca3041aed21b449250b86d5b38 Author: Mark Rustad Date: Fri Dec 21 10:58:14 2012 -0800 tcm_fc: Do not indicate retry capability to initiators commit f2eeba214bcd0215b7f558cab6420e5fd153042b upstream. When generating a PRLI response to an initiator, clear the FCP_SPPF_RETRY bit in the response. Signed-off-by: Mark Rustad Reviewed-by: Bhanu Prakash Gollapudi Acked by Robert Love Signed-off-by: Nicholas Bellinger Signed-off-by: Ben Hutchings commit 8f86f83299fc6eccb21172af71c22d306032e100 Author: Jerome Glisse Date: Tue Jan 8 18:41:01 2013 -0500 radeon/kms: force rn50 chip to always report connected on analog output commit 51861d4eebc2ddc25c77084343d060fa79f6e291 upstream. Those rn50 chip are often connected to console remoting hw and load detection often fails with those. Just don't try to load detect and report connect. Signed-off-by: Jerome Glisse Signed-off-by: Alex Deucher Signed-off-by: Ben Hutchings commit e8d9897ff064b1683c11c15ea1296a67a45d77b0 Author: Axel Lin Date: Wed Jan 9 19:34:57 2013 +0800 regulator: max8998: Ensure enough delay time for max8998_set_voltage_buck_time_sel commit 81d0a6ae7befb24c06f4aa4856af7f8d1f612171 upstream. Use DIV_ROUND_UP to prevent truncation by integer division issue. This ensures we return enough delay time. Signed-off-by: Axel Lin Signed-off-by: Mark Brown [bwh: Backported to 3.2: delay is done by driver, not returned to the caller] Signed-off-by: Ben Hutchings commit 5b7d898a1904e32b640de3bed57d9646fe1f69ee Author: David Henningsson Date: Wed Dec 19 09:44:47 2012 +0100 Revert "ALSA: hda - Shut up pins at power-saving mode with Conexnat codecs" commit 7ed4165e2d01bdbbb4c1086eb73eadf0f64cbbf0 upstream. This reverts commit 697c373e34613609cb5450f98b91fefb6e910588. The original patch was meant to remove clicking, but in fact caused even more clicking instead. Thanks to c4pp4 for doing most of the work with this bug. BugLink: https://bugs.launchpad.net/bugs/886975 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit b60dc9751a36324ac4f68579d8dd3d415a58205e Author: Hannes Reinecke Date: Mon Dec 17 09:53:32 2012 +0100 target: use correct sense code for LUN communication failure commit 18a9df42d53fabfa43b78be1104838cc8b9762e1 upstream. The ASC/ASCQ code for 'Logical Unit Communication failure' is 0x08/0x00; 0x80/0x00 is vendor specific. Signed-off-by: Hannes Reinecke Cc: Nicholas Bellinger Signed-off-by: Nicholas Bellinger [bwh: Backported to 3.2: add offset to buffer index] Signed-off-by: Ben Hutchings commit 88d6d79b6a8f4469311a0b55098c98ea15ccbc94 Author: Trond Myklebust Date: Mon Jan 7 14:30:46 2013 -0500 SUNRPC: Ensure we release the socket write lock if the rpc_task exits early commit 87ed50036b866db2ec2ba16b2a7aec4a2b0b7c39 upstream. If the rpc_task exits while holding the socket write lock before it has allocated an rpc slot, then the usual mechanism for releasing the write lock in xprt_release() is defeated. The problem occurs if the call to xprt_lock_write() initially fails, so that the rpc_task is put on the xprt->sending wait queue. If the task exits after being assigned the lock by __xprt_lock_write_func, but before it has retried the call to xprt_lock_and_alloc_slot(), then it calls xprt_release() while holding the write lock, but will immediately exit due to the test for task->tk_rqstp != NULL. Reported-by: Chris Perl Signed-off-by: Trond Myklebust Signed-off-by: Ben Hutchings commit 96908901a62457cdb9272d6658cd9903ac824115 Author: Mike Dunn Date: Mon Jan 7 13:55:13 2013 -0800 ALSA: pxa27x: fix ac97 warm reset commit 3b4bc7bccc7857274705b05cf81a0c72cfd0b0dd upstream. This patch fixes some code that implements a work-around to a hardware bug in the ac97 controller on the pxa27x. A bug in the controller's warm reset functionality requires that the mfp used by the controller as the AC97_nRESET line be temporarily reconfigured as a generic output gpio (AF0) and manually held high for the duration of the warm reset cycle. This is what was done in the original code, but it was broken long ago by commit fb1bf8cd ([ARM] pxa: introduce processor specific pxa27x_assert_ac97reset()) which changed the mfp to a GPIO input instead of a high output. The fix requires the ac97 controller to obtain the gpio via gpio_request_one(), with arguments that configure the gpio as an output initially driven high. Tested on a palm treo 680 machine. Reportedly, this broken code only prevents a warm reset on hardware that lacks a pull-up on the line, which appears to be the case for me. Signed-off-by: Mike Dunn Signed-off-by: Igor Grinberg Signed-off-by: Mark Brown [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 762a4af818aeee9566231ae627694743ec168380 Author: Mike Dunn Date: Mon Jan 7 13:55:12 2013 -0800 ALSA: pxa27x: fix ac97 cold reset commit 41b645c8624df6ace020a8863ad1449d69140f7d upstream. Cold reset on the pxa27x currently fails and pxa2xx_ac97_try_cold_reset: cold reset timeout (GSR=0x44) appears in the kernel log. Through trial-and-error (the pxa270 developer's manual is mostly incoherent on the topic of ac97 reset), I got cold reset to complete by setting the WARM_RST bit in the GCR register (and later noticed that pxa3xx does this for cold reset as well). Also, a timeout loop is needed to wait for the reset to complete. Tested on a palm treo 680 machine. Signed-off-by: Mike Dunn Acked-by: Igor Grinberg Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit 31980f8fa9e57f23b301e91dfa79f7f5c517233d Author: Axel Lin Date: Fri Dec 28 17:09:03 2012 +0800 regulator: max8997: Use uV in voltage_map_desc commit bc3b7756b5ff66828acf7bc24f148d28b8d61108 upstream. Current code does integer division (min_vol = min_uV / 1000) before pass min_vol to max8997_get_voltage_proper_val(). So it is possible min_vol is truncated to a smaller value. For example, if the request min_uV is 800900 for ldo. min_vol = 800900 / 1000 = 800 (mV) Then max8997_get_voltage_proper_val returns 800 mV for this case which is lower than the requested voltage. Use uV rather than mV in voltage_map_desc to prevent truncation by integer division. Signed-off-by: Axel Lin Signed-off-by: Mark Brown [bwh: Backported to 3.2: - Adjust context - voltage_map_desc also has an n_bits field] Signed-off-by: Ben Hutchings commit 41e52c46717b0120d247d04d330f16d1501d357d Author: Ian Abbott Date: Fri Jan 4 11:33:21 2013 +0000 staging: comedi: comedi_test: fix race when cancelling command commit c0729eeefdcd76db338f635162bf0739fd2c5f6f upstream. Éric Piel reported a kernel oops in the "comedi_test" module. It was a NULL pointer dereference within `waveform_ai_interrupt()` (actually a timer function) that sometimes occurred when a running asynchronous command is cancelled (either by the `COMEDI_CANCEL` ioctl or by closing the device file). This seems to be a race between the caller of `waveform_ai_cancel()` which on return from that function goes and tears down the running command, and the timer function which uses the command. In particular, `async->cmd.chanlist` gets freed (and the pointer set to NULL) by `do_become_nonbusy()` in "comedi_fops.c" but a previously scheduled `waveform_ai_interrupt()` timer function will dereference that pointer regardless, leading to the oops. Fix it by replacing the `del_timer()` call in `waveform_ai_cancel()` with `del_timer_sync()`. Signed-off-by: Ian Abbott Reported-by: Éric Piel Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 3288bff62342281c6c6cdd2df6e6fc19afe98498 Author: Éric Piel Date: Wed Dec 19 13:03:13 2012 +0100 staging: comedi: fix minimum AO period for NI 625x and NI 628x commit 34b55d8c48f4f76044d8f4d6ec3dc786cf210312 upstream. The minimum period was set to 357 ns, while the divider for these boards is 50 ns. This prevented to output at maximum speed as ni_ao_cmdtest() would return 357 but would not accept it. Not sure why it was set to 357 ns (this was done before the git history, which starts 5 years ago). My guess is that it comes from reading the specification stating a 2.8 MHz rate (~ 357 ns). The latest specification states a 2.86 MHz rate (~ 350 ns), which makes a lot more sense. Tested on a pci-6251. Signed-off-by: Éric Piel Acked-By: Ian Abbott Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: drop hunk for a board that's not listed] Signed-off-by: Ben Hutchings commit 4b5a0124c45f7f40f0829de7e6bade4ce4633bfa Author: Samuel Thibault Date: Mon Jan 7 22:03:51 2013 +0100 staging: speakup: avoid out-of-range access in synth_add() commit 6102c48bd421074a33e102f2ebda3724e8d275f9 upstream. Check that array index is in-bounds before accessing the synths[] array. Signed-off-by: Samuel Thibault Cc: Nickolai Zeldovich Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 5d71c43a71a2ae5d331bd65fa9fe3bfd26a7ba85 Author: Nickolai Zeldovich Date: Sat Jan 5 14:17:45 2013 -0500 staging: speakup: avoid out-of-range access in synth_init() commit ae428655b826f2755a8101b27beda42a275ef8ad upstream. Check that array index is in-bounds before accessing the synths[] array. Signed-off-by: Nickolai Zeldovich Cc: Samuel Thibault Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 6c3e9f4ad9fff8f3af7f20891da695bc7caf7c52 Author: Larry Finger Date: Sat Dec 29 11:36:53 2012 -0600 staging: r8712u: Add new device ID commit da849a92d3bafaf24d770e971c2c9e5c3f60b5d1 upstream. The ISY IWL 1000 USB WLAN stick with USB ID 050d:11f1 is a clone of the Belkin F7D1101 V1 device. Reported-by: Thomas Hartmann Signed-off-by: Larry Finger Cc: Thomas Hartmann Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 87ae8984bd9ccca7782bc29776800dc6b8b3bb99 Author: Chris Wilson Date: Wed Jan 2 10:31:22 2013 +0000 drm/i915; Only increment the user-pin-count after successfully pinning the bo commit 93be8788e648817d62fda33e2998eb6ca6ebf3a3 upstream. As along the error path we do not correct the user pin-count for the failure, we may end up with userspace believing that it has a pinned object at offset 0 (when interrupted by a signal for example). Signed-off-by: Chris Wilson Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 0310953f2c6b90c06b5591cb36d48fb77606459d Author: Shuah Khan Date: Thu Oct 25 10:22:32 2012 -0600 ioat: Fix DMA memory sync direction correct flag commit ac4989874af56435c308bdde9ad9c837a26f8b23 upstream. ioat does DMA memory sync with DMA_TO_DEVICE direction on a buffer allocated for DMA_FROM_DEVICE dma, resulting in the following warning from dma debug. Fixed the dma_sync_single_for_device() call to use the correct direction. [ 226.288947] WARNING: at lib/dma-debug.c:990 check_sync+0x132/0x550() [ 226.288948] Hardware name: ProLiant DL380p Gen8 [ 226.288951] ioatdma 0000:00:04.0: DMA-API: device driver syncs DMA memory with different direction [device address=0x00000000ffff7000] [size=4096 bytes] [mapped with DMA_FROM_DEVICE] [synced with DMA_TO_DEVICE] [ 226.288953] Modules linked in: iTCO_wdt(+) sb_edac(+) ioatdma(+) microcode serio_raw pcspkr edac_core hpwdt(+) iTCO_vendor_support hpilo(+) dca acpi_power_meter ata_generic pata_acpi sd_mod crc_t10dif ata_piix libata hpsa tg3 netxen_nic(+) sunrpc dm_mirror dm_region_hash dm_log dm_mod [ 226.288967] Pid: 1055, comm: work_for_cpu Tainted: G W 3.3.0-0.20.el7.x86_64 #1 [ 226.288968] Call Trace: [ 226.288974] [] warn_slowpath_common+0x7f/0xc0 [ 226.288977] [] warn_slowpath_fmt+0x46/0x50 [ 226.288980] [] check_sync+0x132/0x550 [ 226.288983] [] debug_dma_sync_single_for_device+0x3f/0x50 [ 226.288988] [] ? wait_for_common+0x72/0x180 [ 226.288995] [] ioat_xor_val_self_test+0x3e5/0x832 [ioatdma] [ 226.288999] [] ? kfree+0x259/0x270 [ 226.289004] [] ioat3_dma_self_test+0x1b/0x20 [ioatdma] [ 226.289008] [] ioat_probe+0x2f8/0x348 [ioatdma] [ 226.289011] [] ioat3_dma_probe+0x1d5/0x2aa [ioatdma] [ 226.289016] [] ioat_pci_probe+0x139/0x17c [ioatdma] [ 226.289020] [] local_pci_probe+0x5c/0xd0 [ 226.289023] [] ? destroy_work_on_stack+0x20/0x20 [ 226.289025] [] do_work_for_cpu+0x18/0x30 [ 226.289029] [] kthread+0xb7/0xc0 [ 226.289033] [] kernel_thread_helper+0x4/0x10 [ 226.289036] [] ? _raw_spin_unlock_irq+0x30/0x50 [ 226.289038] [] ? retint_restore_args+0x13/0x13 [ 226.289041] [] ? kthread_worker_fn+0x1a0/0x1a0 [ 226.289044] [] ? gs_change+0x13/0x13 [ 226.289045] ---[ end trace e1618afc7a606089 ]--- [ 226.289047] Mapped at: [ 226.289048] [] debug_dma_map_page+0x87/0x150 [ 226.289050] [] dma_map_page.constprop.18+0x70/0xb34 [ioatdma] [ 226.289054] [] ioat_xor_val_self_test+0x1d8/0x832 [ioatdma] [ 226.289058] [] ioat3_dma_self_test+0x1b/0x20 [ioatdma] [ 226.289061] [] ioat_probe+0x2f8/0x348 [ioatdma] Signed-off-by: Shuah Khan Signed-off-by: Vinod Koul Signed-off-by: Ben Hutchings commit 7a0cdb8eada0a0a8779a8705aca9920035a336d2 Author: Mark Brown Date: Fri Jan 4 21:18:12 2013 +0000 ASoC: wm2000: Fix sense of speech clarity enable commit 267f8fa2e1eef0612b2007e1f1846bcbc35cc1fa upstream. Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit 8a00cb4852a6833e802e5a861b50ea91375f2c5a Author: Bing Zhao Date: Wed Jan 2 16:07:35 2013 -0800 mwifiex: check wait_event_interruptible return value commit 9c969d8ccb1e17bd20742f4ac9f00c1a64487234 upstream. wait_event_interruptible function returns -ERESTARTSYS if it's interrupted by a signal. Driver should check the return value and handle this case properly. In mwifiex_wait_queue_complete() routine, as we are now checking wait_event_interruptible return value, the condition check is not required. Also, we have removed mwifiex_cancel_pending_ioctl() call to avoid a chance of sending second command to FW by other path as soon as we clear current command node. FW can not handle two commands simultaneously. Signed-off-by: Bing Zhao Signed-off-by: Amitkumar Karwar Signed-off-by: John W. Linville [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 0f855d47fb601f23ba8a70fb7d400a06a12df20c Author: Amitkumar Karwar Date: Wed Feb 1 20:41:43 2012 -0800 mwifiex: handle association failure case correctly commit b7097eb75fa11c302dcdec83f1dbfa874e0af0d1 upstream. Currently even if association is failed "iw link" shows some information about connected BSS and "Tx timeout" error is seen in dmesg log. This patch fixes below issues in the code to handle assoc failure case correctly. 1) "status" variable in mwifiex_wait_queue_complete() is not correctly updated. Hence driver doesn't inform cfg80211 stack about association failure. 2) During association network queues are stopped but carrier is not cleared, which gives Tx timeout error in failure case Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings commit 336c24e216b6463dc374b2ca8be47901aed5be3f Author: Mark Brown Date: Fri Jan 4 21:06:08 2013 +0000 ASoC: wm5100: Remove DSP B and left justified formats commit 5f960294e2031d12f10c8488c3446fecbf59628d upstream. These are not supported Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit da4fa01cc87133571fde1b4dadf574c4342cdf52 Author: Sarah Sharp Date: Tue Nov 27 12:30:23 2012 -0800 xhci: Avoid "dead ports", add roothub port polling. commit c52804a472649b2e5005342308739434cbd51119 upstream. The USB core hub thread (khubd) is designed with external USB hubs in mind. It expects that if a port status change bit is set, the hub will continue to send a notification through the hub status data transfer. Basically, it expects hub notifications to be level-triggered. The xHCI host controller is designed to be edge-triggered on the logical 'OR' of all the port status change bits. When all port status change bits are clear, and a new change bit is set, the xHC will generate a Port Status Change Event. If another change bit is set in the same port status register before the first bit is cleared, it will not send another event. This means that the hub code may lose port status changes because of race conditions between clearing change bits. The user sees this as a "dead port" that doesn't react to device connects. The fix is to turn on port polling whenever a new change bit is set. Once the USB core issues a hub status request that shows that no change bits are set in any USB ports, turn off port polling. We can't allow the USB core to poll the roothub for port events during host suspend because if the PCI host is in D3cold, the port registers will be all f's. Instead, stop the port polling timer, and unconditionally restart it when the host resumes. If there are no port change bits set after the resume, the first call to hub_status_data will disable polling. This patch should be backported to stable kernels with the first xHCI support, 2.6.31 and newer, that include the commit 0f2a79300a1471cf92ab43af165ea13555c8b0a5 "USB: xhci: Root hub support." There will be merge conflicts because the check for HC_STATE_SUSPENDED was moved into xhci_suspend in 3.8. Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Ben Hutchings commit c135dc2e2953bc4d00b711b55cb2db14e55cdbd5 Author: Sarah Sharp Date: Wed Nov 14 17:58:04 2012 -0800 USB: Handle warm reset failure on empty port. commit 65bdac5effd15d6af619b3b7218627ef4d84ed6a upstream. An empty port can transition to either Inactive or Compliance Mode if a newly connected USB 3.0 device fails to link train. In that case, we issue a warm reset. Some devices, such as John's Roseweil eusb3 enclosure, slip back into Compliance Mode after the warm reset. The current warm reset code does not check for device connect status on warm reset completion, and it incorrectly reports the warm reset succeeded. This causes the USB core to attempt to send a Set Address control transfer to a port in Compliance Mode, which will always fail. Make hub_port_wait_reset check the current connect status and link state after the warm reset completes. Return a failure status if the device is disconnected or the link state is Compliance Mode or SS.Inactive. Make hub_events disable the port if warm reset fails. This will disable the port, and then bring it back into the RxDetect state. Make the USB core ignore the connect change until the device reconnects. Note that this patch does NOT handle connected devices slipping into the Inactive state very well. This is a concern, because devices can go into the Inactive state on U1/U2 exit failure. However, the fix for that case is too large for stable, so it will be submitted in a separate patch. This patch should be backported to kernels as old as 3.2, contain the commit ID 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic" Signed-off-by: Sarah Sharp Acked-by: Alan Stern Reported-by: John Covici Signed-off-by: Ben Hutchings commit 340eb6fe3cd235cf1f0460ff734882b0944b68b9 Author: Sarah Sharp Date: Thu Nov 15 14:58:04 2012 -0800 USB: Ignore port state until reset completes. commit 4f43447e62b37ee19c82a13f72f35b1ca60a74d3 upstream. The port reset code bails out early if the current connect status is cleared (device disconnected). If we're issuing a hot reset, it may also look at the link state before the reset is finished. Section 10.14.2.6 of the USB 3.0 spec says that when a port enters the Error state or Resetting state, the port connection bit retains the value from the previous state. Therefore we can't trust it until the reset finishes. Also, the xHCI spec section 4.19.1.2.5 says software shall ignore the link state while the port is resetting, as it can be in an unknown state. The port state during reset is also unknown for USB 2.0 hubs. The hub sends a reset signal by driving the bus into an SE0 state. This overwhelms the "connect" signal from the device, so the port can't tell whether anything is connected or not. Fix the port reset code to ignore the port link state and current connect bit until the reset finishes, and USB_PORT_STAT_RESET is cleared. Remove the check for USB_PORT_STAT_C_BH_RESET in the warm reset case, because it's redundant. When the warm reset finishes, the port reset bit will be cleared at the same time USB_PORT_STAT_C_BH_RESET is set. Remove the now-redundant check for a cleared USB_PORT_STAT_RESET bit in the code to deal with the finished reset. This patch should be backported to all stable kernels. Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Ben Hutchings commit fbac94c54d28c81d37f837c358401058335d8fc3 Author: Sarah Sharp Date: Wed Nov 14 17:16:52 2012 -0800 USB: Increase reset timeout. commit 77c7f072c87fa951e9a74805febf26466f31170c upstream. John's NEC 0.96 xHCI host controller needs a longer timeout for a warm reset to complete. The logs show it takes 650ms to complete the warm reset, so extend the hub reset timeout to 800ms to be on the safe side. This commit should be backported to kernels as old as 3.2, that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Sarah Sharp Acked-by: Alan Stern Reported-by: John Covici Signed-off-by: Ben Hutchings commit 8f2c189d5159d60faf3853d4ca6d46fd355fe81f Author: Sarah Sharp Date: Wed Nov 14 16:42:32 2012 -0800 USB: Allow USB 3.0 ports to be disabled. commit 41e7e056cdc662f704fa9262e5c6e213b4ab45dd upstream. If hot and warm reset fails, or a port remains in the Compliance Mode, the USB core needs to be able to disable a USB 3.0 port. Unlike USB 2.0 ports, once the port is placed into the Disabled link state, it will not report any new device connects. To get device connect notifications, we need to put the link into the Disabled state, and then the RxDetect state. The xHCI driver needs to atomically clear all change bits on USB 3.0 port disable, so that we get Port Status Change Events for future port changes. We could technically do this in the USB core instead of in the xHCI roothub code, since the port state machine can't advance out of the disabled state until we set the link state to RxDetect. However, external USB 3.0 hubs don't need this code. They are level-triggered, not edge-triggered like xHCI, so they will continue to send interrupt events when any change bit is set. Therefore it doesn't make sense to put this code in the USB core. This patch is part of a series to fix several reports of infinite loops on device enumeration failure. This includes John, when he boots with a USB 3.0 device (Roseweil eusb3 enclosure) attached to his NEC 0.96 host controller. The fix requires warm reset support, so it does not make sense to backport this patch to stable kernels without warm reset support. This patch should be backported to kernels as old as 3.2, contain the commit ID 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic" Signed-off-by: Sarah Sharp Acked-by: Alan Stern Reported-by: John Covici Signed-off-by: Ben Hutchings commit 6cee667eec65afd989f236d2744edefedc2a0f08 Author: Sarah Sharp Date: Wed Nov 14 16:10:49 2012 -0800 USB: Ignore xHCI Reset Device status. commit 8b8132bc3d1cc3d4c0687e4d638a482fa920d98a upstream. When the USB core finishes reseting a USB device, the xHCI driver sends a Reset Device command to the host. The xHC then updates its internal representation of the USB device to the 'Default' device state. If the device was already in the Default state, the xHC will complete the command with an error status. If a device needs to be reset several times during enumeration, the second reset will always fail because of the xHCI Reset Device command. This can cause issues during enumeration. For example, usb_reset_and_verify_device calls into hub_port_init in a loop. Say that on the first call into hub_port_init, the device is successfully reset, but doesn't respond to several set address control transfers. Then the port will be disabled, but the udev will remain in tact. usb_reset_and_verify_device will call into hub_port_init again. On the second call into hub_port_init, the device will be reset, and the xHCI driver will issue a Reset Device command. This command will fail (because the device is already in the Default state), and usb_reset_and_verify_device will fail. The port will be disabled, and the device won't be able to enumerate. Fix this by ignoring the return value of the HCD reset_device callback. This commit should be backported to kernels as old as 3.2, that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Ben Hutchings commit 330a52700eabd56d3b50e207ff2b6f071502cdfb Author: Sarah Sharp Date: Wed Nov 14 15:58:52 2012 -0800 USB: Handle auto-transition from hot to warm reset. commit 1c7439c61fa6516419c32a9824976334ea969d47 upstream. USB 3.0 hubs and roothubs will automatically transition a failed hot reset to a warm (BH) reset. In that case, the warm reset change bit will be set, and the link state change bit may also be set. Change hub_port_finish_reset to unconditionally clear those change bits for USB 3.0 hubs. If these bits are not cleared, we may lose port change events from the roothub. This commit should be backported to kernels as old as 3.2, that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Ben Hutchings commit 4a2b6c9519c5c2c172b5ce2485fd487759a2dcf0 Author: Sarah Sharp Date: Mon Dec 17 14:12:35 2012 -0800 xhci: Handle HS bulk/ctrl endpoints that don't NAK. commit 55c1945edaac94c5338a3647bc2e85ff75d9cf36 upstream. A high speed control or bulk endpoint may have bInterval set to zero, which means it does not NAK. If bInterval is non-zero, it means the endpoint NAKs at a rate of 2^(bInterval - 1). The xHCI code to compute the NAK interval does not handle the special case of zero properly. The current code unconditionally subtracts one from bInterval and uses it as an exponent. This causes a very large bInterval to be used, and warning messages like these will be printed: usb 1-1: ep 0x1 - rounding interval to 32768 microframes, ep desc says 0 microframes This may cause the xHCI host hardware to reject the Configure Endpoint command, which means the HS device will be unusable under xHCI ports. This patch should be backported to kernels as old as 2.6.31, that contain commit dfa49c4ad120a784ef1ff0717168aa79f55a483a "USB: xhci - fix math in xhci_get_endpoint_interval()". Reported-by: Vincent Pelletier Suggested-by: Alan Stern Signed-off-by: Sarah Sharp Signed-off-by: Ben Hutchings commit ac2c39824efafedca3fe02f429443cbfcd44cbaa Author: Johannes Berg Date: Thu Dec 13 23:08:52 2012 +0100 mac80211: use del_timer_sync for final sta cleanup timer deletion commit a56f992cdabc63f56b4b142885deebebf936ff76 upstream. This is a very old bug, but there's nothing that prevents the timer from running while the module is being removed when we only do del_timer() instead of del_timer_sync(). The timer should normally not be running at this point, but it's not clearly impossible (or we could just remove this.) Tested-by: Ben Greear Signed-off-by: Johannes Berg Signed-off-by: Ben Hutchings commit 63dddb4936fa86057e7f94a0bd10cb8ac25bc7f3 Author: Alexander Graf Date: Wed Jan 2 15:37:17 2013 +1030 virtio-blk: Don't free ida when disk is in use commit f4953fe6c4aeada2d5cafd78aa97587a46d2d8f9 upstream. When a file system is mounted on a virtio-blk disk, we then remove it and then reattach it, the reattached disk gets the same disk name and ids as the hot removed one. This leads to very nasty effects - mostly rendering the newly attached device completely unusable. Trying what happens when I do the same thing with a USB device, I saw that the sd node simply doesn't get free'd when a device gets forcefully removed. Imitate the same behavior for vd devices. This way broken vd devices simply are never free'd and newly attached ones keep working just fine. Signed-off-by: Alexander Graf Signed-off-by: Rusty Russell Signed-off-by: Ben Hutchings commit 9d38cd591c7e22932c7bb8e138231c87108c7aec Author: Sergei Shtylyov Date: Wed Nov 14 18:49:50 2012 +0300 usb: musb: core: print new line in the driver banner again commit 2ac788f705e5118dd45204e7a5bc8d5bb6873835 upstream. Commit 5c8a86e10a7c164f44537fabdc169fd8b4e7a440 (usb: musb: drop unneeded musb_debug trickery) erroneously removed '\n' from the driver's banner. Concatenate all the banner substrings while adding it back... Signed-off-by: Sergei Shtylyov Signed-off-by: Felipe Balbi Signed-off-by: Ben Hutchings commit 7cce8398c923ff7e16e992ca751dd0c32b92c22a Author: Sebastian Andrzej Siewior Date: Tue Nov 20 13:23:15 2012 +0100 usb: gadget: dummy: fix enumeration with g_multi commit 1d16638e3b9cc195bac18a8fcbca748f33c1bc24 upstream. If we do have endpoints named like "ep-a" then bEndpointAddress is counted internally by the gadget framework. If we do have endpoints named like "ep-1" then bEndpointAddress is assigned from the digit after "ep-". If we do have both, then it is likely that after we used up the "generic" endpoints we will use the digits and thus assign one bEndpointAddress to multiple endpoints. This theory can be proofed by using the completely enabled g_multi. Without this patch, the mass storage won't enumerate and times out because it shares endpoints with RNDIS. This patch also adds fills up the endpoints list so we have in total endpoints 1 to 15 in + out available while some of them are restricted to certain types like BULK or ISO. Without this change the nokia gadget won't load because the system does not provide enough (BULK) endpoints but it did before ep-a - ep-f were removed. Signed-off-by: Sebastian Andrzej Siewior Acked-by: Alan Stern Signed-off-by: Felipe Balbi Signed-off-by: Ben Hutchings