commit 2150f72fe35397cc6d6ce39866bd0462cfbcc916 Author: Will Deacon Date: Fri Dec 2 18:16:01 2011 +0100 ARM: 7185/1: perf: don't assign platform_device on unsupported CPUs In the unlikely case that a platform registers a PMU platform_device when running on a CPU that is unsupported by perf, we will encounter a NULL dereference when trying to assign the platform_device to the cpu_pmu structure. This patch checks that the CPU is supported by perf before assigning the platform_device. Reported-by: Pawel Moll Signed-off-by: Will Deacon Signed-off-by: Russell King (cherry picked from commit 6bd054096dce061560cee0e016e292e588dc438f) commit f8489660a18c1865ee4f4a47593fd2dcf67a4e88 Author: Will Deacon Date: Tue Nov 22 18:01:46 2011 +0000 ARM: perf: check that we have a platform device when reserving PMU Attempting to use a hardware counter on a platform with a supported PMU but where the platform_device (defining the interrupts) has not been registered results in a NULL pointer dereference. This patch fixes the problem by checking that we actually have a platform device registered before attempting to grab the interrupts. Reported-by: Pawel Moll Signed-off-by: Will Deacon (cherry picked from commit e5a21327644adba32816f74a415114d11c57f2e9) commit 6014abe68ef9c0a32e9c41434d50f56a7d65bc04 Author: Will Deacon Date: Thu Nov 17 15:05:14 2011 +0000 ARM: perf: initialise used_mask for fake PMU during validation When validating an event group, we call pmu->get_event_idx for each group member in order to check that the group can be scheduled as a unit on an empty PMU. As a result of 3fc2c830 ("ARM: perf: remove event limit from pmu_hw_events"), the used_mask member of struct cpu_hw_events must be setup explicitly, something which we don't do for the fake cpu_hw_events used for validation. This patch sets up an empty used_mask for the fake validation cpu_hw_events, preventing NULL deferences when trying to get the event index. Reported-by: Pawel Moll Signed-off-by: Will Deacon (cherry picked from commit bce34d14428d35d9a06ddc10cd46ecef311764c9) commit 1226e419377fb4b53d6e08c0a9fd5ecf90597cd6 Merge: ec5237f e82b9d8 Author: Nicolas Pitre Date: Wed Dec 14 12:08:53 2011 -0500 Merge branch 'thermal_cpu_cooling' of git://git.linaro.org/people/amitdanielk/linux into linaro-3.1 Conflicts: drivers/thermal/Kconfig drivers/thermal/Makefile commit ec5237f097a75b7f4d19b87377ef1557431fb199 Author: Amit Daniel Kachhap Date: Tue Dec 13 20:40:01 2011 +0530 thermal: Add generic cpu cooling implementation This patch adds support for generic cpu thermal cooling low level implementations using frequency scaling and cpuhotplugg currently. Different cpu related cooling devices can be registered by the user and the binding of these cooling devices to the corresponding trip points can be easily done as the registration API's return the cooling device pointer. Signed-off-by: Amit Daniel Kachhap Signed-off-by: Nicolas Pitre commit adb2b0bf1daac11ea0284ba259ce0f88c9231591 Author: Amit Daniel Kachhap Date: Thu Dec 1 18:51:39 2011 +0530 thermal: Add a new trip type to use cooling device instance number This patch adds a new trip type THERMAL_TRIP_STATE_ACTIVE. This trip behaves same as THERMAL_TRIP_ACTIVE but also passes the cooling device instance number. This helps the cooling device registered as different instances to perform appropriate cooling action decision in the set_cur_state call back function. Also since the trip temperature's are in ascending order so some logic is put in place to skip the un-necessary checks. Signed-off-by: Amit Daniel Kachhap Signed-off-by: Nicolas Pitre commit e82b9d821ecc1f857142a55b0fb38d0d5256fbaf Author: Amit Daniel Kachhap Date: Wed Dec 14 21:44:07 2011 +0530 ARM: exynos4: Add thermal sensor driver platform device support This patch adds necessary source definations needed for TMU driver and the platform device support. Signed-off-by: Amit Daniel Kachhap commit 6bdad5c64b0482e61d20e22ddcfae40b2aa9f83f Author: Amit Daniel Kachhap Date: Mon Dec 12 11:01:39 2011 +0530 hwmon: exynos4: Add cpu frequency clip data for certain threshold This patch helps to modify the exynos4 tmu to get the frequency clipping data from the platform if needed for a temperature trip points. Signed-off-by: Amit Daniel Kachhap commit 15bfc7956f3fef104c3b3d14a414f9e80eb94d41 Author: Amit Daniel Kachhap Date: Tue Dec 13 14:57:23 2011 +0530 thermal: exynos4: Export information from the TMU driver Export information from the hwmon tmu sensor to the samsung exynos kernel thermal framework where different cooling devices and thermal zone are binded. The exported information is based according to the data structure thermal_sensor_info present in exynos_thermal.h. HWMON sysfs functions are commented out as they are also present in generic linux thermal layer. Signed-off-by: Amit Daniel Kachhap commit d9f151cda68a86d176b0d6773c019eeae1d58301 Author: Amit Daniel Kachhap Date: Mon Dec 12 10:44:36 2011 +0530 thermal: exynos: Add thermal interface support for linux thermal layer This codes uses the generic linux thermal layer and creates a bridge between temperature sensors, linux thermal framework and cooling devices for samsung exynos platform. This layer recieves or monitor the temperature from the sensor and informs the generic thermal layer. Signed-off-by: Amit Daniel Kachhap commit a3cb3d54f43aa6fdae32be9b0e12b66a0ccedfc3 Author: Amit Daniel Kachhap Date: Fri Nov 25 15:15:18 2011 +0530 ARM: EXYNOS4: Add tmu hwmon driver Signed-off-by: Amit Daniel Kachhap commit 0e939cfbb42214337ecd1782c4e233972ed90630 Author: Amit Daniel Kachhap Date: Tue Dec 13 20:40:01 2011 +0530 thermal: Add generic cpu cooling implementation This patch adds support for generic cpu thermal cooling low level implementations using frequency scaling and cpuhotplugg currently. Different cpu related cooling devices can be registered by the user and the binding of these cooling devices to the corresponding trip points can be easily done as the registration API's return the cooling device pointer. Signed-off-by: Amit Daniel Kachhap commit 3918a3c61ea129534f6c9343df59a73f23a3a331 Author: Amit Daniel Kachhap Date: Thu Dec 1 18:51:39 2011 +0530 thermal: Add a new trip type to use cooling device instance number This patch adds a new trip type THERMAL_TRIP_STATE_ACTIVE. This trip behaves same as THERMAL_TRIP_ACTIVE but also passes the cooling device instance number. This helps the cooling device registered as different instances to perform appropriate cooling action decision in the set_cur_state call back function. Also since the trip temperature's are in ascending order so some logic is put in place to skip the un-necessary checks. Signed-off-by: Amit Daniel Kachhap commit ceb077bd2729f64b4680f81dc8dee308890ac52f Author: Jongpill Lee Date: Tue Jul 5 13:36:19 2011 +0530 EXYNOS4210: Add Support for DVS Lock Signed-off-by: Jongpill Lee Signed-off-by: SangWook Ju Signed-off-by: Jonghwan Choi Signed-off-by: Kukjin Kim commit fd899eba028e72659bf6572c974a92652e90dd23 Author: Jongpill Lee Date: Tue Jul 5 13:36:18 2011 +0530 EXYNOS4210: Cleanup sequence and unused codes This patch modifies following. 1. Remove unused register access 2. Change sequence of changing frequency 3. Minor optimization Signed-off-by: Jongpill Lee Signed-off-by: SangWook Ju Signed-off-by: Jonghwan Choi Signed-off-by: Kukjin Kim commit 0a75037e551780bf2d224f7b3db691bb9aa7dd34 Author: Jongpill Lee Date: Tue Jul 5 13:36:17 2011 +0530 EXYNOS4210: Change CPU table and divider This patch adds support 1.2GHz CPU frequency and changes CPU table and divider for stable working. Signed-off-by: Jongpill Lee Signed-off-by: SangWook Ju Signed-off-by: Kukjin Kim commit d8ed3dad2b9beb6cab09f00ea1011a7d35e860de Author: Jongpill Lee Date: Tue Jul 5 13:36:16 2011 +0530 EXYNOS4210: Remove regarding busfreq codes Since busfreq codes can be handlend on busfreq driver, this patch removes regarding busfreq codes on cpufreq. Signed-off-by: Jongpill Lee Signed-off-by: SangWook Ju Signed-off-by: Kukjin Kim commit 971be11492b1e248798f7078592b1fa0dfbf3534 Author: Nicolas Pitre Date: Tue Dec 13 14:28:39 2011 -0500 ARM: oprofile: don't mark oprofile_arch_exit() with __exit When the oprofile code is built into the kernel, the code marked with __exit is discarded at link time. This fails the build as oprofile_arch_exit() is referenced from oprofile_init() which is in a different section. Signed-off-by: Nicolas Pitre commit 874b0239d896c2b493f2c4c23b2a60ad258632b3 Merge: 4cd6f5d caf4b04 Author: Nicolas Pitre Date: Mon Dec 12 11:40:50 2011 -0500 Merge commit 'v3.1.5' into linaro-3.1 commit caf4b0430be8296bf644199bf3ed3056c02420c7 Author: Greg Kroah-Hartman Date: Fri Dec 9 08:57:05 2011 -0800 Linux 3.1.5 commit 50d224d483a7dbecf84beffff9f815ac104ee5e8 Author: Eric Dumazet Date: Thu Dec 1 11:06:34 2011 +0000 sch_red: fix red_change [ Upstream commit 1ee5fa1e9970a16036e37c7b9d5ce81c778252fc ] Le mercredi 30 novembre 2011 à 14:36 -0800, Stephen Hemminger a écrit : > (Almost) nobody uses RED because they can't figure it out. > According to Wikipedia, VJ says that: > "there are not one, but two bugs in classic RED." RED is useful for high throughput routers, I doubt many linux machines act as such devices. I was considering adding Adaptative RED (Sally Floyd, Ramakrishna Gummadi, Scott Shender), August 2001 In this version, maxp is dynamic (from 1% to 50%), and user only have to setup min_th (target average queue size) (max_th and wq (burst in linux RED) are automatically setup) By the way it seems we have a small bug in red_change() if (skb_queue_empty(&sch->q)) red_end_of_idle_period(&q->parms); First, if queue is empty, we should call red_start_of_idle_period(&q->parms); Second, since we dont use anymore sch->q, but q->qdisc, the test is meaningless. Oh well... [PATCH] sch_red: fix red_change() Now RED is classful, we must check q->qdisc->q.qlen, and if queue is empty, we start an idle period, not end it. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4851c6a079350393f4a9219878e699845412bace Author: Eric Dumazet Date: Wed Nov 30 12:10:53 2011 +0000 sch_red: fix red_calc_qavg_from_idle_time [ Upstream commit ea6a5d3b97b768561db6358f15e4c84ced0f4f7e ] Since commit a4a710c4a7490587 (pkt_sched: Change PSCHED_SHIFT from 10 to 6) it seems RED/GRED are broken. red_calc_qavg_from_idle_time() computes a delay in us units, but this delay is now 16 times bigger than real delay, so the final qavg result smaller than expected. Use standard kernel time services since there is no need to obfuscate them. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 51338aa88d3ef2d05bf8b1f8a3019ebffcea74f1 Author: Julian Anastasov Date: Fri Dec 2 11:39:42 2011 +0000 ipv4: make sure RTO_ONLINK is saved in routing cache [ Upstream commit f61759e6b831a55b89e584b198c3da325e2bc379 ] __mkroute_output fails to work with the original tos and uses value with stripped RTO_ONLINK bit. Make sure we put the original TOS bits into rt_key_tos because it used to match cached route. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9fdec5ec64644ce4f4081e045dfbcd7518276edb Author: David S. Miller Date: Thu Dec 1 13:38:59 2011 -0500 ipv4: Perform peer validation on cached route lookup. [ Upstream commit efbc368dcc6426d5430b9b8eeda944cf2cb74b8c, incorporating a follow-on change to prevent an OOPS ] Otherwise we won't notice the peer GENID change. Reported-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9c8da5125682191090bf32917a6bfba3d711492d Author: Eric Dumazet Date: Sat Nov 26 12:13:44 2011 +0000 inet: add a redirect generation id in inetpeer [ Upstream commit de68dca1816660b0d3ac89fa59ffb410007a143f ] Now inetpeer is the place where we cache redirect information for ipv4 destinations, we must be able to invalidate informations when a route is added/removed on host. As inetpeer is not yet namespace aware, this patch adds a shared redirect_genid, and a per inetpeer redirect_genid. This might be changed later if inetpeer becomes ns aware. Cache information for one inerpeer is valid as long as its redirect_genid has the same value than global redirect_genid. Reported-by: Arkadiusz Miśkiewicz Tested-by: Arkadiusz Miśkiewicz Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 427814da7d68739ec2c53a9433f62323c68ef34d Author: Eric Dumazet Date: Fri Nov 18 15:24:32 2011 -0500 ipv4: fix redirect handling [ Upstream commit 9cc20b268a5a14f5e57b8ad405a83513ab0d78dc ] commit f39925dbde77 (ipv4: Cache learned redirect information in inetpeer.) introduced a regression in ICMP redirect handling. It assumed ipv4_dst_check() would be called because all possible routes were attached to the inetpeer we modify in ip_rt_redirect(), but thats not true. commit 7cc9150ebe (route: fix ICMP redirect validation) tried to fix this but solution was not complete. (It fixed only one route) So we must lookup existing routes (including different TOS values) and call check_peer_redir() on them. Reported-by: Ivan Zahariev Signed-off-by: Eric Dumazet CC: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5c9c7437749337f1af355eb9e447e75a58822da4 Author: Flavio Leitner Date: Mon Oct 24 02:56:38 2011 -0400 route: fix ICMP redirect validation [ Upstream commit 7cc9150ebe8ec06cafea9f1c10d92ddacf88d8ae ] The commit f39925dbde7788cfb96419c0f092b086aa325c0f (ipv4: Cache learned redirect information in inetpeer.) removed some ICMP packet validations which are required by RFC 1122, section 3.2.2.2: ... A Redirect message SHOULD be silently discarded if the new gateway address it specifies is not on the same connected (sub-) net through which the Redirect arrived [INTRO:2, Appendix A], or if the source of the Redirect is not the current first-hop gateway for the specified destination (see Section 3.3.1). Signed-off-by: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fe421e849a3c36373dd59eb5f302705c91a14719 Author: Gao feng Date: Wed Oct 19 15:34:09 2011 +0000 ipv4: avoid useless call of the function check_peer_pmtu [ Upstream commit 59445b6b1f90b97c4e28062b96306bacfa4fb170 ] In func ipv4_dst_check,check_peer_pmtu should be called only when peer is updated. So,if the peer is not updated in ip_rt_frag_needed,we can not inc __rt_peer_genid. Signed-off-by: Gao feng Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5eb027bb82d1f9d4af0df73a3ce08945ffc1b481 Author: Eric Dumazet Date: Wed Nov 30 04:08:58 2011 +0000 sch_teql: fix lockdep splat [ Upstream commit f7e57044eeb1841847c24aa06766c8290c202583 ] We need rcu_read_lock() protection before using dst_get_neighbour(), and we must cache its value (pass it to __teql_resolve()) teql_master_xmit() is called under rcu_read_lock_bh() protection, its not enough. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e03d2dc771361ff27ca042b793fa34b27bd6f115 Author: Frank Blaschka Date: Tue Nov 15 02:31:15 2011 +0000 qeth: l3 fix rcu splat in xmit [ Upstream commit 1d36cb479f204a0fedc1a3e7ce7b32c0a2c48769 ] when use dst_get_neighbour to get neighbour, we need rcu_read_lock to protect, since dst_get_neighbour uses rcu_dereference. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f667de2e66ea9b8f99353ff01221bb355faf3f3c Author: Eric Dumazet Date: Tue Nov 29 20:05:55 2011 +0000 ipv4: fix lockdep splat in rt_cache_seq_show [ Upstream commit 218fa90f072e4aeff9003d57e390857f4f35513e ] After commit f2c31e32b378 (fix NULL dereferences in check_peer_redir()), dst_get_neighbour() should be guarded by rcu_read_lock() / rcu_read_unlock() section. Reported-by: Miles Lane Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit db9a8a29b0c7c61b372300978fbe8b01606103f0 Author: Li Wei Date: Tue Nov 8 21:39:28 2011 +0000 ipv4: fix for ip_options_rcv_srr() daddr update. [ Upstream commit b12f62efb8ec0b9523bdb6c2d412c07193086de9 ] When opt->srr_is_hit is set skb_rtable(skb) has been updated for 'nexthop' and iph->daddr should always equals to skb_rtable->rt_dst holds, We need update iph->daddr either. Signed-off-by: Li Wei Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f82c753512bfe2fb4127ee72c882924120c11de8 Author: Nick Bowler Date: Tue Nov 8 12:12:45 2011 +0000 ah: Read nexthdr value before overwriting it in ahash input callback. [ Upstream commit b7ea81a58adc123a4e980cb0eff9eb5c144b5dc7 ] The AH4/6 ahash input callbacks read out the nexthdr field from the AH header *after* they overwrite that header. This is obviously not going to end well. Fix it up. Signed-off-by: Nick Bowler Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfa73cca0cac4e07cc963f332aead8d118707432 Author: Nick Bowler Date: Tue Nov 8 12:12:44 2011 +0000 ah: Correctly pass error codes in ahash output callback. [ Upstream commit 069294e813ed5f27f82613b027609bcda5f1b914 ] The AH4/6 ahash output callbacks pass nexthdr to xfrm_output_resume instead of the error code. This appears to be a copy+paste error from the input case, where nexthdr is expected. This causes the driver to continuously add AH headers to the datagram until either an allocation fails and the packet is dropped or the ahash driver hits a synchronous fallback and the resulting monstrosity is transmitted. Correct this issue by simply passing the error code unadulterated. Signed-off-by: Nick Bowler Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit aeed6baa702a285cf03b7dc4182ffc1a7f4e4ed6 Author: Thomas Gleixner Date: Fri Dec 2 16:02:45 2011 +0100 clockevents: Set noop handler in clockevents_exchange_device() commit de28f25e8244c7353abed8de0c7792f5f883588c upstream. If a device is shutdown, then there might be a pending interrupt, which will be processed after we reenable interrupts, which causes the original handler to be run. If the old handler is the (broadcast) periodic handler the shutdown state might hang the kernel completely. Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 5a643352d2166077f88180372431ea5e90212b15 Author: Yang Honggang (Joseph) Date: Thu Dec 1 22:22:41 2011 -0500 clocksource: Fix bug with max_deferment margin calculation commit b1f919664d04a8d0ba29cb76673c7ca3325a2006 upstream. In order to leave a margin of 12.5% we should >> 3 not >> 5. Signed-off-by: Yang Honggang (Joseph) [jstultz: Modified commit subject] Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 3e31d12fa35d8328128ef672a933ab6b8e09e10b Author: Robert Richter Date: Fri Oct 7 16:31:46 2011 +0200 oprofile: Fix crash when unloading module (hr timer mode) commit 87121ca504fd1d963a66b3fb0c72054b0fd9a177 upstream. Oprofile may crash in a KVM guest while unlaoding modules. This happens if oprofile_arch_init() fails and oprofile switches to the hr timer mode as a fallback. In this case oprofile_arch_exit() is called, but it never was initialized properly which causes the crash. This patch fixes this. oprofile: using timer interrupt. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [] unregister_syscore_ops+0x41/0x58 PGD 41da3f067 PUD 41d80e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP CPU 5 Modules linked in: oprofile(-) Pid: 2382, comm: modprobe Not tainted 3.1.0-rc7-00018-g709a39d #18 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[] [] unregister_syscore_ops+0x41/0x58 RSP: 0018:ffff88041de1de98 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffffffffa00060e0 RCX: dead000000200200 RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620 RBP: ffff88041de1dea8 R08: 0000000000000001 R09: 0000000000000082 R10: 0000000000000000 R11: ffff88041de1dde8 R12: 0000000000000080 R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210 FS: 00007f9ae5bef700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000008 CR3: 000000041ca44000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process modprobe (pid: 2382, threadinfo ffff88041de1c000, task ffff88042db6d040) Stack: ffff88041de1deb8 ffffffffa0006770 ffff88041de1deb8 ffffffffa000251e ffff88041de1dec8 ffffffffa00022c2 ffff88041de1ded8 ffffffffa0004993 ffff88041de1df78 ffffffff81073115 656c69666f72706f 0000000000610200 Call Trace: [] op_nmi_exit+0x15/0x17 [oprofile] [] oprofile_arch_exit+0xe/0x10 [oprofile] [] oprofile_exit+0x13/0x15 [oprofile] [] sys_delete_module+0x1c3/0x22f [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b RIP [] unregister_syscore_ops+0x41/0x58 RSP CR2: 0000000000000008 ---[ end trace 06d4e95b6aa3b437 ]--- Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit cf246087a19a4958fba3123d21f1359b6177ddb5 Author: Gleb Natapov Date: Tue Oct 18 19:55:51 2011 +0200 jump_label: jump_label_inc may return before the code is patched commit bbbf7af4bf8fc69bc751818cf30521080fa47dcb upstream. If cpu A calls jump_label_inc() just after atomic_add_return() is called by cpu B, atomic_inc_not_zero() will return value greater then zero and jump_label_inc() will return to a caller before jump_label_update() finishes its job on cpu B. Link: http://lkml.kernel.org/r/20111018175551.GH17571@redhat.com Cc: Peter Zijlstra Acked-by: Jason Baron Signed-off-by: Gleb Natapov Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 6bdf07f3dd1c2874792bb07cd84d4210cbc15ca7 Author: Steven Rostedt Date: Fri Nov 4 16:32:25 2011 -0400 perf: Fix parsing of __print_flags() in TP_printk() commit d06c27b22aa66e48e32f03f9387328a9af9b0625 upstream. A update is made to the sched:sched_switch event that adds some logic to the first parameter of the __print_flags() that shows the state of tasks. This change cause perf to fail parsing the flags. A simple fix is needed to have the parser be able to process ops within the argument. Reported-by: Andrew Vagin Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 491d3a9bc2ee7ad349a2e03bf259dea8895a5edd Author: Thomas Gleixner Date: Fri Dec 2 12:34:16 2011 +0100 tick-broadcast: Stop active broadcast device when replacing it commit c1be84309c58b1e7c6d626e28fba41a22b364c3d upstream. When a better rated broadcast device is installed, then the current active device is not disabled, which results in two running broadcast devices. Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit fedb66b50d774dc687ac5b6f78fbf4b9bee28865 Author: Ilya Dryomov Date: Mon Oct 31 11:07:42 2011 +0200 tracing: fix event_subsystem ref counting commit cb59974742aea24adf6637eb0c4b8e7b48bca6fb upstream. Fix a bug introduced by e9dbfae5, which prevents event_subsystem from ever being released. Ref_count was added to keep track of subsystem users, not for counting events. Subsystem is created with ref_count = 1, so there is no need to increment it for every event, we have nr_events for that. Fix this by touching ref_count only when we actually have a new user - subsystem_open(). Signed-off-by: Ilya Dryomov Link: http://lkml.kernel.org/r/1320052062-7846-1-git-send-email-idryomov@gmail.com Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit df9490f1a5f1019ebf36bd7820ff405ddc06bfa9 Author: Arve Hjønnevåg Date: Tue Nov 22 18:24:51 2011 -0800 rtc: Fix some bugs that allowed accumulating time drift in suspend/resume commit 6a8943d9ec2567572fca25cf69ad45844d0141a3 upstream. The current code checks if abs(delta_delta.tv_sec) is greater or equal to two before it discards the old delta value, but this can trigger at close to -1 seconds since -1.000000001 seconds is stored as tv_sec -2 and tv_nsec 999999999 in a normalized timespec. rtc_resume had an early return check if the rtc value had not changed since rtc_suspend. This effectivly stops time for the duration of the short sleep. Check if sleep_time is positive after all the adjustments have been applied instead since this allows the old_system adjustment in rtc_suspend to have an effect even for short sleep cycles. Signed-off-by: Arve Hjønnevåg Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 0cbc008c56f7b4a11ba6fe80e196d7ab322baabf Author: Rabin Vincent Date: Tue Nov 22 11:03:14 2011 +0100 rtc: Disable the alarm in the hardware commit c0afabd3d553c521e003779c127143ffde55a16f upstream. Currently, the RTC code does not disable the alarm in the hardware. This means that after a sequence such as the one below (the files are in the RTC sysfs), the box will boot up after 2 minutes even though we've asked for the alarm to be turned off. # echo $((`cat since_epoch`)+120) > wakealarm # echo 0 > wakealarm # poweroff Fix this by disabling the alarm when there are no timers to run. Cc: John Stultz Signed-off-by: Rabin Vincent Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit bf34b36a208ecca76e41814ff8837f8b41528248 Author: Tejun Heo Date: Wed Nov 23 08:49:49 2011 -0800 trace_events_filter: Use rcu_assign_pointer() when setting ftrace_event_call->filter commit d3d9acf646679c1981032b0985b386d12fccc60c upstream. ftrace_event_call->filter is sched RCU protected but didn't use rcu_assign_pointer(). Use it. TODO: Add proper __rcu annotation to call->filter and all its users. -v2: Use RCU_INIT_POINTER() for %NULL clearing as suggested by Eric. Link: http://lkml.kernel.org/r/20111123164949.GA29639@google.com Cc: Eric Dumazet Cc: Frederic Weisbecker Cc: Jiri Olsa Signed-off-by: Tejun Heo Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 03923350d5fbcdb23faca8c9ca55988aac7383c3 Author: Steven Rostedt Date: Fri Nov 4 10:45:23 2011 -0400 ftrace: Remove force undef config value left for testing commit c7c6ec8becaf742b223c7b491f4893014be23a07 upstream. A forced undef of a config value was used for testing and was accidently left in during the final commit. This causes x86 to run slower than needed while running function tracing as well as causes the function graph selftest to fail when DYNMAIC_FTRACE is not set. This is because the code in MCOUNT expects the ftrace code to be processed with the config value set that happened to be forced not set. The forced config option was left in by: commit 6331c28c962561aee59e5a493b7556a4bb585957 ftrace: Fix dynamic selftest failure on some archs Link: http://lkml.kernel.org/r/20111102150255.GA6973@debian Reported-by: Rabin Vincent Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 5c30a5b33f77264cddcfb1a6659d3a9ac2661103 Author: Johannes Berg Date: Fri Dec 2 08:19:17 2011 -0800 iwlagn: fix HW crypto for TX-only keys commit 274b89ca3b006926cb9b45d78ab5906f4c0fc0aa upstream. Group keys in IBSS or AP mode are not programmed into the device since we give the key to it with every TX packet. However, we do need mac80211 to create the MMIC & PN in all cases. Move the code around to set the key flags all the time. We set them even when the key is removed again but that is obviously harmless. Reported-by: Reinette Chatre Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 43c308bd8d0a3e7d98c5abcd41a4a3fada3d198f Author: Wey-Yi Guy Date: Fri Dec 2 08:19:18 2011 -0800 iwlwifi: do not re-configure HT40 after associated commit 34a5b4b6af104cf18eb50748509528b9bdbc4036 upstream. The ht40 setting should not change after association unless channel switch This fix a problem we are seeing which cause uCode assert because driver sending invalid information and make uCode confuse Here is the firmware assert message: kernel: iwlagn 0000:03:00.0: Microcode SW error detected. Restarting 0x82000000. kernel: iwlagn 0000:03:00.0: Loaded firmware version: 17.168.5.3 build 42301 kernel: iwlagn 0000:03:00.0: Start IWL Error Log Dump: kernel: iwlagn 0000:03:00.0: Status: 0x000512E4, count: 6 kernel: iwlagn 0000:03:00.0: 0x00002078 | ADVANCED_SYSASSERT kernel: iwlagn 0000:03:00.0: 0x00009514 | uPc kernel: iwlagn 0000:03:00.0: 0x00009496 | branchlink1 kernel: iwlagn 0000:03:00.0: 0x00009496 | branchlink2 kernel: iwlagn 0000:03:00.0: 0x0000D1F2 | interruptlink1 kernel: iwlagn 0000:03:00.0: 0x00000000 | interruptlink2 kernel: iwlagn 0000:03:00.0: 0x01008035 | data1 kernel: iwlagn 0000:03:00.0: 0x0000C90F | data2 kernel: iwlagn 0000:03:00.0: 0x000005A7 | line kernel: iwlagn 0000:03:00.0: 0x5080B520 | beacon time kernel: iwlagn 0000:03:00.0: 0xCC515AE0 | tsf low kernel: iwlagn 0000:03:00.0: 0x00000003 | tsf hi kernel: iwlagn 0000:03:00.0: 0x00000000 | time gp1 kernel: iwlagn 0000:03:00.0: 0x29703BF0 | time gp2 kernel: iwlagn 0000:03:00.0: 0x00000000 | time gp3 kernel: iwlagn 0000:03:00.0: 0x000111A8 | uCode version kernel: iwlagn 0000:03:00.0: 0x000000B0 | hw version kernel: iwlagn 0000:03:00.0: 0x00480303 | board version kernel: iwlagn 0000:03:00.0: 0x09E8004E | hcmd kernel: iwlagn 0000:03:00.0: CSR values: kernel: iwlagn 0000:03:00.0: (2nd byte of CSR_INT_COALESCING is CSR_INT_PERIODIC_REG) kernel: iwlagn 0000:03:00.0: CSR_HW_IF_CONFIG_REG: 0X00480303 kernel: iwlagn 0000:03:00.0: CSR_INT_COALESCING: 0X0000ff40 kernel: iwlagn 0000:03:00.0: CSR_INT: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_INT_MASK: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_FH_INT_STATUS: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_GPIO_IN: 0X00000030 kernel: iwlagn 0000:03:00.0: CSR_RESET: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_GP_CNTRL: 0X080403c5 kernel: iwlagn 0000:03:00.0: CSR_HW_REV: 0X000000b0 kernel: iwlagn 0000:03:00.0: CSR_EEPROM_REG: 0X07d60ffd kernel: iwlagn 0000:03:00.0: CSR_EEPROM_GP: 0X90000001 kernel: iwlagn 0000:03:00.0: CSR_OTP_GP_REG: 0X00030001 kernel: iwlagn 0000:03:00.0: CSR_GIO_REG: 0X00080044 kernel: iwlagn 0000:03:00.0: CSR_GP_UCODE_REG: 0X000093bb kernel: iwlagn 0000:03:00.0: CSR_GP_DRIVER_REG: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_UCODE_DRV_GP1: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_UCODE_DRV_GP2: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_LED_REG: 0X00000078 kernel: iwlagn 0000:03:00.0: CSR_DRAM_INT_TBL_REG: 0X88214dd2 kernel: iwlagn 0000:03:00.0: CSR_GIO_CHICKEN_BITS: 0X27800200 kernel: iwlagn 0000:03:00.0: CSR_ANA_PLL_CFG: 0X00000000 kernel: iwlagn 0000:03:00.0: CSR_HW_REV_WA_REG: 0X0001001a kernel: iwlagn 0000:03:00.0: CSR_DBG_HPET_MEM_REG: 0Xffff0010 kernel: iwlagn 0000:03:00.0: FH register values: kernel: iwlagn 0000:03:00.0: FH_RSCSR_CHNL0_STTS_WPTR_REG: 0X21316d00 kernel: iwlagn 0000:03:00.0: FH_RSCSR_CHNL0_RBDCB_BASE_REG: 0X021479c0 kernel: iwlagn 0000:03:00.0: FH_RSCSR_CHNL0_WPTR: 0X00000060 kernel: iwlagn 0000:03:00.0: FH_MEM_RCSR_CHNL0_CONFIG_REG: 0X80819104 kernel: iwlagn 0000:03:00.0: FH_MEM_RSSR_SHARED_CTRL_REG: 0X000000fc kernel: iwlagn 0000:03:00.0: FH_MEM_RSSR_RX_STATUS_REG: 0X07030000 kernel: iwlagn 0000:03:00.0: FH_MEM_RSSR_RX_ENABLE_ERR_IRQ2DRV: 0X00000000 kernel: iwlagn 0000:03:00.0: FH_TSSR_TX_STATUS_REG: 0X07ff0001 kernel: iwlagn 0000:03:00.0: FH_TSSR_TX_ERROR_REG: 0X00000000 kernel: iwlagn 0000:03:00.0: Start IWL Event Log Dump: display last 20 entries kernel: ------------[ cut here ]------------ WARNING: at net/mac80211/util.c:1208 ieee80211_reconfig+0x1f1/0x407() kernel: Hardware name: 4290W4H kernel: Pid: 1896, comm: kworker/0:0 Not tainted 3.1.0 #2 kernel: Call Trace: kernel: [] ? warn_slowpath_common+0x73/0x87 kernel: [] ? ieee80211_reconfig+0x1f1/0x407 kernel: [] ? ieee80211_recalc_smps_work+0x32/0x32 kernel: [] ? ieee80211_restart_work+0x7e/0x87 kernel: [] ? process_one_work+0x1c8/0x2e3 kernel: [] ? worker_thread+0x17a/0x23a kernel: [] ? manage_workers.clone.18+0x15b/0x15b kernel: [] ? manage_workers.clone.18+0x15b/0x15b kernel: [] ? kthread+0x7a/0x82 kernel: [] ? kernel_thread_helper+0x4/0x10 kernel: [] ? kthread_flush_work_fn+0x11/0x11 kernel: [] ? gs_change+0xb/0xb Reported-by: Udo Steinberg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3e4f16a375aafec68144d4edaae4ebd8e5017571 Author: Peter Zijlstra Date: Mon Nov 28 21:12:40 2011 +0100 slab, lockdep: Fix silly bug commit 52cef189165d74a5d6030184a8e05595194c69ca upstream. Commit 30765b92 ("slab, lockdep: Annotate the locks before using them") moves the init_lock_keys() call from after g_cpucache_up = FULL, to before it. And overlooks the fact that init_node_lock_keys() tests for it and ignores everything !FULL. Introduce a LATE stage and change the lockdep test to be Cc: Pekka Enberg Signed-off-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a4b63ef678714a98dd8886fea14d5f76da671b6f Author: Ido Yariv Date: Thu Dec 1 13:55:08 2011 +0200 genirq: Fix race condition when stopping the irq thread commit 550acb19269d65f32e9ac4ddb26c2b2070e37f1c upstream. In irq_wait_for_interrupt(), the should_stop member is verified before setting the task's state to TASK_INTERRUPTIBLE and calling schedule(). In case kthread_stop sets should_stop and wakes up the process after should_stop is checked by the irq thread but before the task's state is changed, the irq thread might never exit: kthread_stop irq_wait_for_interrupt ------------ ---------------------- ... ... while (!kthread_should_stop()) { kthread->should_stop = 1; wake_up_process(k); wait_for_completion(&kthread->exited); ... set_current_state(TASK_INTERRUPTIBLE); ... schedule(); } Fix this by checking if the thread should stop after modifying the task's state. [ tglx: Simplified it a bit ] Signed-off-by: Ido Yariv Link: http://lkml.kernel.org/r/1322740508-22640-1-git-send-email-ido@wizery.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit aedebb8ae9811dedc3e57757a1048cd8d902fa3a Author: Luis R. Rodriguez Date: Mon Nov 28 16:47:16 2011 -0500 cfg80211: amend regulatory NULL dereference fix commit 0bac71af6e66dc798bf07d0c0dd14ee5503362f9 upstream. Johannes' patch for "cfg80211: fix regulatory NULL dereference" broke user regulaotry hints and it did not address the fact that last_request was left populated even if the previous regulatory hint was stale due to the wiphy disappearing. Fix user reguluatory hints by only bailing out if for those regulatory hints where a request_wiphy is expected. The stale last_request considerations are addressed through the previous fixes on last_request where we reset the last_request to a static world regdom request upon reset_regdomains(). In this case though we further enhance the effect by simply restoring reguluatory settings completely. Cc: Johannes Berg Signed-off-by: Luis R. Rodriguez Reviewed-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5b157407b89257481a639b869f0f42532fceafaa Author: Luis R. Rodriguez Date: Mon Nov 28 16:47:15 2011 -0500 cfg80211: fix race on init and driver registration commit a042994dd377d86bff9446ee76151ceb6267c9ba upstream. There is a theoretical race that if hit will trigger a crash. The race is between when we issue the first regulatory hint, regulatory_hint_core(), gets processed by the workqueue and between when the first device gets registered to the wireless core. This is not easy to reproduce but it was easy to do so through the regulatory simulator I have been working on. This is a port of the fix I implemented there [1]. [1] https://github.com/mcgrof/regsim/commit/a246ccf81f059cb662eee288aa13100f631e4cc8 Cc: Johannes Berg Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 22e244d6a7b8bedfd87cba78d339b2baee00609c Author: Nikolay Martynov Date: Tue Dec 6 15:39:32 2011 +0100 mac80211: fix race condition caused by late addBA response Upstream commit d305a6557b2c4dca0110f05ffe745b1ef94adb80. If addBA responses comes in just after addba_resp_timer has expired mac80211 will still accept it and try to open the aggregation session. This causes drivers to be confused and in some cases even crash. This patch fixes the race condition and makes sure that if addba_resp_timer has expired addBA response is not longer accepted and we do not try to open half-closed session. Signed-off-by: Nikolay Martynov [some adjustments] Signed-off-by: Johannes Berg Signed-off-by: John W. Linville commit 2eca885f630f007513f9f07d9635783917bb94e2 Author: Simon Wunderlich Date: Wed Nov 30 16:56:30 2011 +0100 mac80211: fill rate filter for internal scan requests commit c72e8d335e2c6a309b6281f2abcf491f37b8b92b upstream. The rates bitmap for internal scan requests shoud be filled, otherwise there will be probe requests with zero rates supported. Signed-off-by: Simon Wunderlich Signed-off-by: Mathias Kretschmer Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 05602145e34077a8314636d15ad3dae4c7dd81e4 Author: Martin Schwidefsky Date: Thu Dec 1 13:32:17 2011 +0100 add missing .set function for NT_S390_LAST_BREAK regset commit b934069c991355d27a053a932591c77960f4e414 upstream. The last breaking event address is a read-only value, the regset misses the .set function. If a PTRACE_SETREGSET is done for NT_S390_LAST_BREAK we get an oops due to a branch to zero: Kernel BUG at 0000000000000002 verbose debug info unavailable illegal operation: 0001 #1 SMP ... Call Trace: (<0000000000158294> ptrace_regset+0x184/0x188) <00000000001595b6> ptrace_request+0x37a/0x4fc <0000000000109a78> arch_ptrace+0x108/0x1fc <00000000001590d6> SyS_ptrace+0xaa/0x12c <00000000005c7a42> sysc_noemu+0x16/0x1c <000003fffd5ec10c> 0x3fffd5ec10c Last Breaking-Event-Address: <0000000000158242> ptrace_regset+0x132/0x188 Add a nop .set function to prevent the branch to zero. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit a6ff8af2ed1af704e400b558b2811ce7a350d2eb Author: Robert Richter Date: Mon Oct 10 16:21:10 2011 +0200 oprofile, x86: Fix crash when unloading module (nmi timer mode) commit 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff upstream. If oprofile uses the nmi timer interrupt there is a crash while unloading the module. The bug can be triggered with oprofile build as module and kernel parameter nolapic set. This patch fixes this. oprofile: using NMI timer interrupt. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [] unregister_syscore_ops+0x41/0x58 PGD 42dbca067 PUD 41da6a067 PMD 0 Oops: 0002 [#1] PREEMPT SMP CPU 5 Modules linked in: oprofile(-) [last unloaded: oprofile] Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[] [] unregister_syscore_ops+0x41/0x58 RSP: 0018:ffff88041ef71e98 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffffffffa0017100 RCX: dead000000200200 RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620 RBP: ffff88041ef71ea8 R08: 0000000000000001 R09: 0000000000000082 R10: 0000000000000000 R11: ffff88041ef71de8 R12: 0000000000000080 R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210 FS: 00007fc902f20700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000008 CR3: 000000041cdb6000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process modprobe (pid: 2518, threadinfo ffff88041ef70000, task ffff88041d348040) Stack: ffff88041ef71eb8 ffffffffa0017790 ffff88041ef71eb8 ffffffffa0013532 ffff88041ef71ec8 ffffffffa00132d6 ffff88041ef71ed8 ffffffffa00159b2 ffff88041ef71f78 ffffffff81073115 656c69666f72706f 0000000000610200 Call Trace: [] op_nmi_exit+0x15/0x17 [oprofile] [] oprofile_arch_exit+0xe/0x10 [oprofile] [] oprofile_exit+0x1e/0x20 [oprofile] [] sys_delete_module+0x1c3/0x22f [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b RIP [] unregister_syscore_ops+0x41/0x58 RSP CR2: 0000000000000008 ---[ end trace 43a541a52956b7b0 ]--- Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit b11ee9e9403ab72d52c46cc8b3b94de17ed196e6 Author: Peter Zijlstra Date: Fri Oct 7 13:36:40 2011 +0200 perf/x86: Fix PEBS instruction unwind commit 57d1c0c03c6b48b2b96870d831b9ce6b917f53ac upstream. Masami spotted that we always try to decode the instruction stream as 64bit instructions when running a 64bit kernel, this doesn't work for ia32-compat proglets. Use TIF_IA32 to detect if we need to use the 32bit instruction decoder. Reported-by: Masami Hiramatsu Signed-off-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 400b14179e4170817aa476a29e29514c53bf4e25 Author: Konrad Rzeszutek Wilk Date: Tue Nov 15 14:49:09 2011 -0800 x86/paravirt: PTE updates in k(un)map_atomic need to be synchronous, regardless of lazy_mmu mode commit 2cd1c8d4dc7ecca9e9431e2dabe41ae9c7d89e51 upstream. Fix an outstanding issue that has been reported since 2.6.37. Under a heavy loaded machine processing "fork()" calls could crash with: BUG: unable to handle kernel paging request at f573fc8c IP: [] swap_count_continued+0x104/0x180 *pdpt = 000000002a3b9027 *pde = 0000000001bed067 *pte = 0000000000000000 Oops: 0000 [#1] SMP Modules linked in: Pid: 1638, comm: apache2 Not tainted 3.0.4-linode37 #1 EIP: 0061:[] EFLAGS: 00210246 CPU: 3 EIP is at swap_count_continued+0x104/0x180 .. snip.. Call Trace: [] ? __swap_duplicate+0xc2/0x160 [] ? pte_mfn_to_pfn+0x87/0xe0 [] ? swap_duplicate+0x14/0x40 [] ? copy_pte_range+0x45b/0x500 [] ? copy_page_range+0x195/0x200 [] ? dup_mmap+0x1c6/0x2c0 [] ? dup_mm+0xa8/0x130 [] ? copy_process+0x98a/0xb30 [] ? do_fork+0x4f/0x280 [] ? getnstimeofday+0x43/0x100 [] ? sys_clone+0x30/0x40 [] ? ptregs_clone+0x15/0x48 [] ? syscall_call+0x7/0xb The problem is that in copy_page_range() we turn lazy mode on, and then in swap_entry_free() we call swap_count_continued() which ends up in: map = kmap_atomic(page, KM_USER0) + offset; and then later we touch *map. Since we are running in batched mode (lazy) we don't actually set up the PTE mappings and the kmap_atomic is not done synchronously and ends up trying to dereference a page that has not been set. Looking at kmap_atomic_prot_pfn(), it uses 'arch_flush_lazy_mmu_mode' and doing the same in kmap_atomic_prot() and __kunmap_atomic() makes the problem go away. Interestingly, commit b8bcfe997e4615 ("x86/paravirt: remove lazy mode in interrupts") removed part of this to fix an interrupt issue - but it went to far and did not consider this scenario. Signed-off-by: Konrad Rzeszutek Wilk Cc: Peter Zijlstra Cc: Jeremy Fitzhardinge Signed-off-by: Andrew Morton Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7b4a0b336d67d9f706fb83d3050bcd9bef58cb9d Author: Peter Chubb Date: Mon Dec 5 16:53:53 2011 +0300 x86: Fix "Acer Aspire 1" reboot hang commit 1ef03890969932e9359b9a4c658f7f87771910ac upstream. Looks like on some Acer Aspire 1s with older bioses, reboot via bios fails. It works on my machine, (with BIOS version 0.3310) but not on some others (BIOS version 0.3309). There's a log of problems at: https://bbs.archlinux.org/viewtopic.php?id=124136 This patch adds a different callback to the reboot quirk table, to allow rebooting via keybaord controller. Reported-by: Uroš Vampl Tested-by: Vasily Khoruzhick Signed-off-by: Peter Chubb Cc: Don Zickus Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1323093233-9481-1-git-send-email-anarsoul@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 08673cfac6768fce130a6ddb5134299beebfd14f Author: Bjorn Helgaas Date: Sun Sep 25 15:29:00 2011 -0600 x86/mpparse: Account for bus types other than ISA and PCI commit 9e6866686bdf2dcf3aeb0838076237ede532dcc8 upstream. In commit f8924e770e04 ("x86: unify mp_bus_info"), the 32-bit and 64-bit versions of MP_bus_info were rearranged to match each other better. Unfortunately it introduced a regression: prior to that change we used to always set the mp_bus_not_pci bit, then clear it if we found a PCI bus. After it, we set mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave it alone otherwise. In the cases of ISA and PCI, there's not much difference. But ISA is not the only non-PCI bus, so it's better to always set mp_bus_not_pci and clear it only for PCI. Without this change, Dan's Dell PowerEdge 4200 panics on boot with a log indicating interrupt routing trouble unless the "noapic" option is supplied. With this change, the machine boots reliably without "noapic". Fixes http://bugs.debian.org/586494 Reported-bisected-and-tested-by: Dan McGrath Signed-off-by: Bjorn Helgaas Cc: Dan McGrath Cc: Alexey Starikovskiy [jrnieder@gmail.com: clarified commit message] Signed-off-by: Jonathan Nieder Link: http://lkml.kernel.org/r/20111122215000.GA9151@elie.hsd1.il.comcast.net Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 3ef3c3830482a5de31781a5dca2a9bd7ef6d1562 Author: Salman Qazi Date: Tue Nov 15 14:12:06 2011 -0800 sched, x86: Avoid unnecessary overflow in sched_clock commit 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 upstream. (Added the missing signed-off-by line) In hundreds of days, the __cycles_2_ns calculation in sched_clock has an overflow. cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing the final value to become zero. We can solve this without losing any precision. We can decompose TSC into quotient and remainder of division by the scale factor, and then use this to convert TSC into nanoseconds. Signed-off-by: Salman Qazi Acked-by: John Stultz Reviewed-by: Paul Turner Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/20111115221121.7262.88871.stgit@dungbeetle.mtv.corp.google.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ba92f7efc8390db5ed6da4966ef943718eb048b7 Author: Andiry Xu Date: Wed Nov 30 16:37:41 2011 +0800 xHCI: fix bug in xhci_clear_command_ring() commit 158886cd2cf4599e04f9b7e10cb767f5f39b14f1 upstream. When system enters suspend, xHCI driver clears command ring by writing zero to all the TRBs. However, this also writes zero to the Link TRB, and the ring is mangled. This may cause driver accesses wrong memory address and the result is unpredicted. When clear the command ring, keep the last Link TRB intact, only clear its cycle bit. This should fix the "command ring full" issue reported by Oliver Neukum. This should be backported to stable kernels as old as 2.6.37, since the commit 89821320 "xhci: Fix command ring replay after resume" is merged. Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Reported-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 07b91eb2d2c53017fbae33d5eae1037cb078d3e4 Author: Matthieu CASTET Date: Mon Nov 28 11:30:22 2011 +0100 EHCI : Fix a regression in the ISO scheduler commit e3420901eba65b1c46bed86d360e3a8685d20734 upstream. Fix a regression that was introduced by commit 811c926c538f7e8d3c08b630dd5844efd7e000f6 (USB: EHCI: fix HUB TT scheduling issue with iso transfer). We detect an error if next == start, but this means uframe 0 can't be allocated anymore for iso transfer... Reported-by: Sander Eikelenboom Signed-off-by: Matthieu CASTET Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 027a53824cc8602232cc38a86d9499efec2dcbee Author: Thomas Poussevin Date: Thu Oct 27 18:46:48 2011 +0200 USB: EHCI: fix HUB TT scheduling issue with iso transfer commit 811c926c538f7e8d3c08b630dd5844efd7e000f6 upstream. The current TT scheduling doesn't allow to play and then record on a full-speed device connected to a high speed hub. The IN iso stream can only start on the first uframe (0-2 for a 165 us) because of CSPLIT transactions. For the OUT iso stream there no such restriction. uframe 0-5 are possible. The idea of this patch is that the first uframe are precious (for IN TT iso stream) and we should allocate the last uframes first if possible. For that we reverse the order of uframe allocation (last uframe first). Here an example : hid interrupt stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ---------------------------------------------------------------------- iso OUT stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 125 | 39 | 0 | 0 | 0 | 0 | 0 | ---------------------------------------------------------------------- There no place for iso IN stream (uframe 0-2 are used) and we got "cannot submit datapipe for urb 0, error -28: not enough bandwidth" error. With the patch this become. iso OUT stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 0 | 0 | 0 | 125 | 39 | 0 | 0 | ---------------------------------------------------------------------- iso IN stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 0 | 125 | 40 | 125 | 39 | 0 | 0 | ---------------------------------------------------------------------- Signed-off-by: Matthieu Castet Signed-off-by: Thomas Poussevin Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit de5f8dc38303f9a1fc58349f0d1c6f46a8034a00 Author: Eric Dumazet Date: Tue Nov 29 22:31:23 2011 +0100 IB: Fix RCU lockdep splats commit 580da35a31f91a594f3090b7a2c39b85cb051a12 upstream. Commit f2c31e32b37 ("net: fix NULL dereferences in check_peer_redir()") forgot to take care of infiniband uses of dst neighbours. Many thanks to Marc Aurele who provided a nice bug report and feedback. Reported-by: Marc Aurele La France Signed-off-by: Eric Dumazet Cc: David Miller Signed-off-by: Roland Dreier commit 829d5a92cbfe6e906bbe24a5bb1675a6d27a5db2 Author: Qinglin Ye Date: Wed Nov 23 23:39:32 2011 +0800 USB: usb-storage: unusual_devs entry for Kingston DT 101 G2 commit cec28a5428793b6bc64e56687fb239759d6da74e upstream. Kingston DT 101 G2 replies a wrong tag while transporting, add an unusal_devs entry to ignore the tag validation. Signed-off-by: Qinglin Ye Signed-off-by: Greg Kroah-Hartman commit f769c8c9d67806d5ed3c2ab555b56eef44bb08fe Author: Veli-Pekka Peltola Date: Thu Nov 24 22:08:56 2011 +0200 usb: option: add SIMCom SIM5218 commit ec0cd94d881ca89cc9fb61d00d0f4b2b52e605b3 upstream. Tested with SIM5218EVB-KIT evaluation kit. Signed-off-by: Veli-Pekka Peltola Signed-off-by: Greg Kroah-Hartman commit c61954d8c8348de93281f322a3675bb308128414 Author: Dirk Nehring Date: Thu Nov 24 19:22:23 2011 +0100 usb: option: add Huawei E353 controlling interfaces commit 46b1848360c8e634e0b063932a1261062fa0f7d6 upstream. This patch creates the missing controlling devices for the Huawei E353 HSPA+ stick. Signed-off-by: Dirk Nehring Signed-off-by: Greg Kroah-Hartman commit 523cc1591e42c0b51e334609a841c7566be2091f Author: Marcin Kościelnicki Date: Wed Nov 30 17:01:04 2011 +0100 usb: ftdi_sio: add PID for Propox ISPcable III commit 307369b0ca06b27b511b61714e335ddfccf19c4f upstream. Signed-off-by: Marcin Kościelnicki Signed-off-by: Greg Kroah-Hartman commit 9aee2c52173b2d5ab712d692a31c2016c1dda8f2 Author: Benjamin Tissoires Date: Wed Nov 16 11:39:52 2011 +0100 HID: Correct General touch PID commit b1807719f6acdf18cc4bde3b5400d05d77801494 upstream. Genera Touch told us that 0001 is their single point device and 0003 is the multitouch one. Apparently, we made the tests someone having a prototype, and not the final product. They said it should be safe to do the switch. This partially reverts 5572da0 ("HID: hid-mulitouch: add support for the 'Sensing Win7-TwoFinger'"). Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit da6a65ba7034fe6273bf7dcdae174f4f04dead70 Author: Dan Carpenter Date: Tue Nov 22 10:28:31 2011 +0300 USB: whci-hcd: fix endian conversion in qset_clear() commit 8746c83d538cab273d335acb2be226d096f4a5af upstream. qset->qh.link is an __le64 field and we should be using cpu_to_le64() to fill it. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit b5e0fb085f337c2ab00532d09056da3525f2e847 Author: Kevin Hilman Date: Tue Nov 22 17:18:24 2011 -0800 usb: musb: PM: fix context save/restore in suspend/resume path commit 5d193ce8f1fa7c67c7fd7be2c03ef31eed344a4f upstream. Currently the driver tries to save context in the suspend path, but will cause an abort if the device is already runtime suspended. This happens, for example, if MUSB loaded/compiled-in, in host mode, but no USB devices are attached. MUSB will be runtime suspended, but then attempting a system suspend will crash due to the context save being attempted while the device is disabled. On OMAP, as of v3.1, the driver's ->runtime_suspend() callback will be called late in the suspend path (by the PM domain layer) if the driver is not already runtime suspended, ensuring a full shutdown. Therefore, the context save is not needed in the ->suspend() method since it will be called in the ->runtime_suspend() method anyways (similarily for resume.) NOTE: this leaves the suspend/resume methods basically empty (with some FIXMEs and comments, but I'll leave it to the maintainers to decide whether to remove them. Signed-off-by: Kevin Hilman Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit a7e9e05141e922b1bbf4315827dcf8c80989255c Author: Federico Vaga Date: Sat Oct 29 09:47:39 2011 +0200 Staging: comedi: fix signal handling in read and write commit 6a9ce6b654e491981f6ef7e214cbd4f63e033848 upstream. After sleeping on a wait queue, signal_pending(current) should be checked (not before sleeping). Acked-by: Alessandro Rubini Signed-off-by: Federico Vaga Signed-off-by: Greg Kroah-Hartman commit 3762465d4a6c6a92a93d361b95dd453fd736ba73 Author: Federico Vaga Date: Sat Oct 29 09:45:39 2011 +0200 Staging: comedi: fix mmap_count commit df30b21cb0eed5ba8a8e0cdfeebc66ba8cde821d upstream. In comedi_fops, mmap_count is decremented at comedi_vm_ops->close but it is not incremented at comedi_vm_ops->open. This may result in a negative counter. The patch introduces the open method to keep the counter consistent. The bug was triggerd by this sample code: mmap(0, ...., comedi_fd); fork(); exit(0); Acked-by: Alessandro Rubini Signed-off-by: Federico Vaga Signed-off-by: Greg Kroah-Hartman commit 7994d8747d9ac088be8a2136dc25ea30135ca1e8 Author: Bernd Porr Date: Tue Nov 8 21:23:03 2011 +0000 staging: comedi: fix oops for USB DAQ devices. commit 3ffab428f40849ed5f21bcfd7285bdef7902f9ca upstream. This fixes kernel oops when an USB DAQ device is plugged out while it's communicating with the userspace software. Signed-off-by: Bernd Porr Signed-off-by: Greg Kroah-Hartman commit df781a42499bdf5a1a4375c55ffed1a80cbdf5b3 Author: Bart Westgeest Date: Tue Nov 1 15:01:28 2011 -0400 staging: usbip: bugfix for deadlock commit 438957f8d4a84daa7fa5be6978ad5897a2e9e5e5 upstream. Interrupts must be disabled prior to calling usb_hcd_unlink_urb_from_ep. If interrupts are not disabled, it can potentially lead to a deadlock. The deadlock is readily reproduceable on a slower (ARM based) device such as the TI Pandaboard. Signed-off-by: Bart Westgeest Signed-off-by: Greg Kroah-Hartman commit 60709063c5d50549e834ac75288782e84c8e53db Author: wwang Date: Mon Oct 31 15:02:53 2011 +0800 staging:rts_pstor:Complete scanning_done variable commit f7364ba04b0961f3a1f978bbe77102606801e35f upstream. Complete scanning_done variable if rtsx-scan thread created failed. Signed-off-by: wwang Signed-off-by: Greg Kroah-Hartman commit bdbee02fb09ff4278de3c4656689261ee9647007 Author: Lars-Peter Clausen Date: Mon Nov 28 09:44:16 2011 +0100 firmware: Sigma: Fix endianess issues commit bda63586bc5929e97288cdb371bb6456504867ed upstream. Currently the SigmaDSP firmware loader only works correctly on little-endian systems. Fix this by using the proper endianess conversion functions. Signed-off-by: Lars-Peter Clausen Acked-by: Mike Frysinger Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 2a323db413fbe17c15cd60376d012f2ee2659f8d Author: Lars-Peter Clausen Date: Mon Nov 28 09:44:15 2011 +0100 firmware: Sigma: Skip header during CRC generation commit c56935bdc0a8edf50237d3b0205133a5b0adc604 upstream. The firmware header is not part of the CRC, so skip it. Otherwise the firmware will be rejected due to non-matching CRCs. Signed-off-by: Lars-Peter Clausen Acked-by: Mike Frysinger Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3b958a46b7e81c432d7d6ef00ee4bd51ef2d39e2 Author: Lars-Peter Clausen Date: Mon Nov 28 09:44:14 2011 +0100 firmware: Sigma: Prevent out of bounds memory access commit 4f718a29fe4908c2cea782f751e9805319684e2b upstream. The SigmaDSP firmware loader currently does not perform enough boundary size checks when processing the firmware. As a result it is possible that a malformed firmware can cause an out of bounds memory access. This patch adds checks which ensure that both the action header and the payload are completely inside the firmware data boundaries before processing them. Signed-off-by: Lars-Peter Clausen Acked-by: Mike Frysinger Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit adc771853323bb695e50eab52299b82d675cd665 Author: Axel Lin Date: Tue Nov 22 09:46:51 2011 +0800 ASoC: Fix wrong define for AD1836_ADC_WORD_OFFSET commit 72531c9434fa884d20cb3c36fcec83752f32fdf4 upstream. According to the datasheet: The BIT[5:4] of ADC Control Register 2 is to control the word width. 00 = 25 Bits 01 = 20 Bits 10 = 16 Bits 11 = Invalid Thus, the AD1836_ADC_WORD_OFFSET should be defined as 4. Signed-off-by: Axel Lin Acked-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1db3bb31add93148b1a7ae35d02bff41d9357e9c Author: Charles Chin Date: Thu Dec 1 11:21:00 2011 +0100 ALSA: hda - Fix S3/S4 problem on machines with VREF-pin mute-LED commit 88d686027bb43f585914c77dd363f6e817b42c2a upstream. The verb command in stac92xx_post_suspend caused the audio to stop working after resuming from S3 mode on HP laptops with the VREF-pin mute-LED control. Removing relevant post_suspend registering. Although removing D3 on AFG is no optimal solution, the impact should be small in comparison with the broken S3/S4. Signed-off-by: Charles Chin Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 558238140c9a86bd62b9a1146f0439e28d793215 Author: Alex Deucher Date: Mon Nov 28 14:49:26 2011 -0500 drm/radeon/kms: add some loop timeouts in pageflip code commit f64964796dedca340608fb1075ab6baad5625851 upstream. Avoid infinite loops waiting for surface updates if a GPU reset happens while waiting for a page flip. See: https://bugs.freedesktop.org/show_bug.cgi?id=43191 Signed-off-by: Alex Deucher Reviewed-by: Mario Kleiner Tested-by: Simon Farnsworth Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 296573cf874d5d78314c5635de35caec372309bd Author: Alex Deucher Date: Thu Dec 1 11:02:11 2011 -0500 drm/radeon/kms: add some new pci ids commit 2ed4d9d648cbd4fb1c232a646dbdbdfdd373ca94 upstream. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit d22ac9ac4c241c598fba39c0f9a7dea3163e1e44 Author: Wey-Yi Guy Date: Thu Oct 27 17:19:39 2011 -0700 iwlwifi: allow pci_enable_msi fail commit 8a39ef8ba0fa0410d71db8e981e887fe4fdeca88 upstream. Continue the init process even fail to enable msi out_iounmap is no longer used, remove it Reported-by: werner Tested-by: werner Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c66d16e59ba46314e8870e7abc3e1a0f935215e9 Author: stephen hemminger Date: Tue Nov 15 08:09:14 2011 +0000 bridge: correct IPv6 checksum after pull commit fa2da8cdae1dd64f78fc915ca1d1a4a93c71e7cb upstream. Bridge multicast snooping of ICMPv6 would incorrectly report a checksum problem when used with Ethernet devices like sky2 that use CHECKSUM_COMPLETE. When bytes are removed from skb, the computed checksum needs to be adjusted. Signed-off-by: Stephen Hemminger Tested-by: Martin Volf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d3b2937da9fc51f48ae77735e78be53a8a4c0ae4 Author: Hillf Danton Date: Tue Nov 15 14:36:12 2011 -0800 hugetlb: release pages in the error path of hugetlb_cow() commit ea4039a34c4c206d015d34a49d0b00868e37db1d upstream. If we fail to prepare an anon_vma, the {new, old}_page should be released, or they will leak. Signed-off-by: Hillf Danton Reviewed-by: Andrea Arcangeli Cc: Hugh Dickins Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Michal Hocko Signed-off-by: Greg Kroah-Hartman commit 6d10c223ab5a75fa961019fa91fc811128cb876b Author: Hannes Reinecke Date: Wed Nov 9 08:39:24 2011 +0100 SCSI: Silencing 'killing requests for dead queue' commit 745718132c3c7cac98a622b610e239dcd5217f71 upstream. When we tear down a device we try to flush all outstanding commands in scsi_free_queue(). However the check in scsi_request_fn() is imperfect as it only signals that we _might start_ aborting commands, not that we've actually aborted some. So move the printk inside the scsi_kill_request function, this will also give us a hint about which commands are aborted. Signed-off-by: Hannes Reinecke Signed-off-by: James Bottomley Cc: Christoph Biedl Signed-off-by: Greg Kroah-Hartman commit 5635019b754fa0ccfc2275369b05142a8a2dbde4 Author: Mitsuo Hayasaka Date: Thu Dec 1 17:27:44 2011 -0600 xfs: use doalloc flag in xfs_qm_dqattach_one() commit db3e74b582915d66e10b0c73a62763418f54c340 upstream. The doalloc arg in xfs_qm_dqattach_one() is a flag that indicates whether a new area to handle quota information will be allocated if needed. Originally, it was passed to xfs_qm_dqget(), but has been removed by the following commit (probably by mistake): commit 8e9b6e7fa4544ea8a0e030c8987b918509c8ff47 Author: Christoph Hellwig Date: Sun Feb 8 21:51:42 2009 +0100 xfs: remove the unused XFS_QMOPT_DQLOCK flag As the result, xfs_qm_dqget() called from xfs_qm_dqattach_one() never allocates the new area even if it is needed. This patch gives the doalloc arg to xfs_qm_dqget() in xfs_qm_dqattach_one() to fix this problem. Signed-off-by: Mitsuo Hayasaka Cc: Alex Elder Cc: Christoph Hellwig Reviewed-by: Christoph Hellwig Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit c38aeb8cd119fddc37d7cd648d6c43e782711247 Author: Carlos Maiolino Date: Thu Dec 1 17:27:43 2011 -0600 xfs: Fix possible memory corruption in xfs_readlink commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24 upstream. Fixes a possible memory corruption when the link is larger than MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the S_ISLNK assert, since the inode mode is checked previously in xfs_readlink_by_handle() and via VFS. Updated to address concerns raised by Ben Hutchings about the loose attention paid to 32- vs 64-bit values, and the lack of handling a potentially negative pathlen value: - Changed type of "pathlen" to be xfs_fsize_t, to match that of ip->i_d.di_size - Added checking for a negative pathlen to the too-long pathlen test, and generalized the message that gets reported in that case to reflect the change As a result, if a negative pathlen were encountered, this function would return EFSCORRUPTED (and would fail an assertion for a debug build)--just as would a too-long pathlen. Signed-off-by: Alex Elder Signed-off-by: Carlos Maiolino Reviewed-by: Christoph Hellwig Cc: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 7f9fae139e1b34b0ecb0ff8ab051c4497d68db2c Author: Christoph Hellwig Date: Thu Dec 1 17:27:42 2011 -0600 xfs: fix buffer flushing during unmount commit 87c7bec7fc3377b3873eb3a0f4b603981ea16ebb upstream. The code to flush buffers in the umount code is a bit iffy: we first flush all delwri buffers out, but then might be able to queue up a new one when logging the sb counts. On a normal shutdown that one would get flushed out when doing the synchronous superblock write in xfs_unmountfs_writesb, but we skip that one if the filesystem has been shut down. Fix this by moving the delwri list flushing until just before unmounting the log, and while we're at it also remove the superflous delwri list and buffer lru flusing for the rt and log device that can never have cached or delwri buffers. Signed-off-by: Christoph Hellwig Reported-by: Amit Sahrawat Tested-by: Amit Sahrawat Signed-off-by: Alex Elder Cc: Ben Myers Signed-off-by: Greg Kroah-Hartman commit b4dd4c13166d1aab0c2cd8033f1cc1211f6f1678 Author: Mitsuo Hayasaka Date: Thu Dec 1 17:27:41 2011 -0600 xfs: Return -EIO when xfs_vn_getattr() failed commit ed32201e65e15f3e6955cb84cbb544b08f81e5a5 upstream. An attribute of inode can be fetched via xfs_vn_getattr() in XFS. Currently it returns EIO, not negative value, when it failed. As a result, the system call returns not negative value even though an error occured. The stat(2), ls and mv commands cannot handle this error and do not work correctly. This patch fixes this bug, and returns -EIO, not EIO when an error is detected in xfs_vn_getattr(). Signed-off-by: Mitsuo Hayasaka Reviewed-by: Christoph Hellwig Signed-off-by: Alex Elder Cc: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 6a426248da83e544995fc8a494630285260ec4ee Author: Christoph Hellwig Date: Thu Dec 1 17:27:40 2011 -0600 xfs: avoid direct I/O write vs buffered I/O race commit c58cb165bd44de8aaee9755a144136ae743be116 upstream. Currently a buffered reader or writer can add pages to the pagecache while we are waiting for the iolock in xfs_file_dio_aio_write. Prevent this by re-checking mapping->nrpages after we got the iolock, and if nessecary upgrade the lock to exclusive mode. To simplify this a bit only take the ilock inside of xfs_file_aio_write_checks. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Alex Elder Cc: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 686da49e5aa50117d8d824c579c3fd9e0318fbc6 Author: Dave Chinner Date: Thu Dec 1 17:27:39 2011 -0600 xfs: don't serialise direct IO reads on page cache checks commit 0c38a2512df272b14ef4238b476a2e4f70da1479 upstream. There is no need to grab the i_mutex of the IO lock in exclusive mode if we don't need to invalidate the page cache. Taking these locks on every direct IO effective serialises them as taking the IO lock in exclusive mode has to wait for all shared holders to drop the lock. That only happens when IO is complete, so effective it prevents dispatch of concurrent direct IO reads to the same inode. Fix this by taking the IO lock shared to check the page cache state, and only then drop it and take the IO lock exclusively if there is work to be done. Hence for the normal direct IO case, no exclusive locking will occur. Signed-off-by: Dave Chinner Tested-by: Joern Engel Reviewed-by: Christoph Hellwig Signed-off-by: Alex Elder Cc: Ben Myers Signed-off-by: Greg Kroah-Hartman commit f06b70aa96019273ed984f76c79ad786ac216f7e Author: Emmanuel Grumbach Date: Sun Nov 27 15:29:44 2011 +0200 mac80211: fix race between the AGG SM and the Tx data path commit 2a1e0fd175dcfd72096ba9291d31e3b1b5342e60 upstream. When a packet is supposed to sent be as an a-MPDU, mac80211 sets IEEE80211_TX_CTL_AMPDU to let the driver know. On the other hand, mac80211 configures the driver for aggregration with the ampdu_action callback. There is race between these two mechanisms since the following scenario can occur when the BA agreement is torn down: Tx softIRQ drv configuration ========== ================= check OPERATIONAL bit Set the TX_CTL_AMPDU bit in the packet clear OPERATIONAL bit stop Tx AGG Pass Tx packet to the driver. In that case the driver would get a packet with TX_CTL_AMPDU set although it has already been notified that the BA session has been torn down. To fix this, we need to synchronize all the Qdisc activity after we cleared the OPERATIONAL bit. After that step, all the following packets will be buffered until the driver reports it is ready to get new packets for this RA / TID. This buffering allows not to run into another race that would send packets with TX_CTL_AMPDU unset while the driver hasn't been requested to tear down the BA session yet. This race occurs in practice and iwlwifi complains with a WARN_ON when it happens. Signed-off-by: Emmanuel Grumbach Reviewed-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 743646bb5669b390e18a7d1f45ab5db8db48e09d Author: Johannes Berg Date: Thu Nov 24 20:06:14 2011 +0100 mac80211: don't stop a single aggregation session twice commit 24f50a9d165745fd0701c6e089d35f58a229ea69 upstream. Nikolay noticed (by code review) that mac80211 can attempt to stop an aggregation session while it is already being stopped. So to fix it, check whether stop is already being done and bail out if so. Also move setting the STOPPING state into the lock so things are properly atomic. Reported-by: Nikolay Martynov Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 737df45ddfbd5f96a9b38a16d5eef9eb7cd3a9a0 Author: Johannes Berg Date: Mon Nov 21 10:44:00 2011 +0100 cfg80211: fix regulatory NULL dereference commit de3584bd62d87b4c250129fbc46ca52c80330add upstream. By the time userspace returns with a response to the regulatory domain request, the wiphy causing the request might have gone away. If this is so, reject the update but mark the request as having been processed anyway. Cc: Luis R. Rodriguez Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 5c76953157d60ee044e23c9050347dd3405a2338 Author: Eliad Peller Date: Thu Nov 24 18:13:56 2011 +0200 nl80211: fix MAC address validation commit e007b857e88097c96c45620bf3b04a4e309053d1 upstream. MAC addresses have a fixed length. The current policy allows passing < ETH_ALEN bytes, which might result in reading beyond the buffer. Signed-off-by: Eliad Peller Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7ca622f2e52f3161466ebe93e177fb64c6047dc9 Author: Gertjan van Wingerde Date: Wed Nov 16 23:16:15 2011 +0100 rt2x00: Fix efuse EEPROM reading on PPC32. commit 68fa64ef606bcee688fce46d07aa68f175070156 upstream. Fix __le32 to __le16 conversion of the first word of an 8-word block of EEPROM read via the efuse method. Reported-and-tested-by: Ingvar Hagelund Signed-off-by: Gertjan van Wingerde Acked-by: Helmut Schaa Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 160b68b38d29c8ab41eeb8187b2d724bf69c6756 Author: Michael Büsch Date: Wed Nov 16 23:55:46 2011 +0100 p54spi: Fix workqueue deadlock commit 2d1618170eb493d18f66f2ac03775409a6fb97c6 upstream. priv->work must not be synced while priv->mutex is locked, because the mutex is taken in the work handler. Move cancel_work_sync down to after the device shutdown code. This is safe, because the work handler checks fw_state and bails out early in case of a race. Signed-off-by: Michael Buesch Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3dcc2d249f99606863f00635e2becf95a389dc9c Author: Michael Büsch Date: Wed Nov 16 23:48:31 2011 +0100 p54spi: Add missing spin_lock_init commit 32d3a3922d617a5a685a5e2d24b20d0e88f192a9 upstream. The tx_lock is not initialized properly. Add spin_lock_init(). Signed-off-by: Michael Buesch Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit be80893d309e256fe05a1e55d440bd6188ba2748 Author: John Stultz Date: Mon Oct 31 17:06:35 2011 -0400 clocksource: Avoid selecting mult values that might overflow when adjusted commit d65670a78cdbfae94f20a9e05ec705871d7cdf2b upstream. For some frequencies, the clocks_calc_mult_shift() function will unfortunately select mult values very close to 0xffffffff. This has the potential to overflow when NTP adjusts the clock, adding to the mult value. This patch adds a clocksource.maxadj value, which provides an approximation of an 11% adjustment(NTP limits adjustments to 500ppm and the tick adjustment is limited to 10%), which could be made to the clocksource.mult value. This is then used to both check that the current mult value won't overflow/underflow, as well as warning us if the timekeeping_adjust() code pushes over that 11% boundary. v2: Fix max_adjustment calculation, and improve WARN_ONCE messages. v3: Don't warn before maxadj has actually been set CC: Yong Zhang CC: David Daney CC: Thomas Gleixner CC: Chen Jie CC: zhangfx Reported-by: Chen Jie Reported-by: zhangfx Tested-by: Yong Zhang Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit eb5f9ebf61f88796a19df09751762b9e086a5214 Author: Jeff Ohlstein Date: Fri Nov 18 15:47:10 2011 -0800 hrtimer: Fix extra wakeups from __remove_hrtimer() commit 27c9cd7e601632b3794e1c3344d37b86917ffb43 upstream. __remove_hrtimer() attempts to reprogram the clockevent device when the timer being removed is the next to expire. However, __remove_hrtimer() reprograms the clockevent *before* removing the timer from the timerqueue and thus when hrtimer_force_reprogram() finds the next timer to expire it finds the timer we're trying to remove. This is especially noticeable when the system switches to NOHz mode and the system tick is removed. The timer tick is removed from the system but the clockevent is programmed to wakeup in another HZ anyway. Silence the extra wakeup by removing the timer from the timerqueue before calling hrtimer_force_reprogram() so that we actually program the clockevent for the next timer to expire. This was broken by 998adc3 "hrtimers: Convert hrtimers to use timerlist infrastructure". Signed-off-by: Jeff Ohlstein Link: http://lkml.kernel.org/r/1321660030-8520-1-git-send-email-johlstei@codeaurora.org Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 92ad5083db212ff3c5f6d1d085d85790f7a6c42c Author: Hector Palacios Date: Mon Nov 14 11:15:25 2011 +0100 timekeeping: add arch_offset hook to ktime_get functions commit d004e024058a0eaca097513ce62cbcf978913e0a upstream. ktime_get and ktime_get_ts were calling timekeeping_get_ns() but later they were not calling arch_gettimeoffset() so architectures using this mechanism returned 0 ns when calling these functions. This happened for example when running Busybox's ping which calls syscall(__NR_clock_gettime, CLOCK_MONOTONIC, ts) which eventually calls ktime_get. As a result the returned ping travel time was zero. Signed-off-by: Hector Palacios Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit c1d98cbbfc393f166b8a675b3acbdfab320adadc Author: Michal Hocko Date: Tue Nov 22 07:44:47 2011 -0800 cgroup_freezer: fix freezing groups with stopped tasks commit 884a45d964dd395eda945842afff5e16bcaedf56 upstream. 2d3cbf8b (cgroup_freezer: update_freezer_state() does incorrect state transitions) removed is_task_frozen_enough and replaced it with a simple frozen call. This, however, breaks freezing for a group with stopped tasks because those cannot be frozen and so the group remains in CGROUP_FREEZING state (update_if_frozen doesn't count stopped tasks) and never reaches CGROUP_FROZEN. Let's add is_task_frozen_enough back and use it at the original locations (update_if_frozen and try_to_freeze_cgroup). Semantically we consider stopped tasks as frozen enough so we should consider both cases when testing frozen tasks. Testcase: mkdir /dev/freezer mount -t cgroup -o freezer none /dev/freezer mkdir /dev/freezer/foo sleep 1h & pid=$! kill -STOP $pid echo $pid > /dev/freezer/foo/tasks echo FROZEN > /dev/freezer/foo/freezer.state while true do cat /dev/freezer/foo/freezer.state [ "`cat /dev/freezer/foo/freezer.state`" = "FROZEN" ] && break sleep 1 done echo OK Signed-off-by: Michal Hocko Acked-by: Li Zefan Cc: Tomasz Buchert Cc: Paul Menage Cc: Andrew Morton Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit ffdb8ca9bea2170b97edb9372bb365fd387a1ff9 Author: Tero Kristo Date: Mon Nov 28 16:53:19 2011 +0200 regulator: twl: fix twl4030 support for smps regulators commit ba305e31e88ea5c2f598ff9fbc5424711a429e30 upstream. SMPS regulator voltage control differs from the one of the LDO ones. Current TWL code was using LDO regulator ops for controlling the SMPS regulators, which fails. This was fixed fixed by adding separate regulator type which uses correct logic and calculations for the voltage levels. Signed-off-by: Tero Kristo Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 13e15d58a10698371a7d10b5dcdf2ce6630c35ef Author: Axel Lin Date: Mon Nov 28 14:06:31 2011 +0800 regulator: aat2870: Fix the logic of checking if no id is matched in aat2870_get_regulator commit d4d6373c1109b11c8118340be97ae31b8f94d66a upstream. In current implementation, the pointer ri is not NULL if no id is matched. Fix it by checking i == ARRAY_SIZE(aat2870_regulators) if no id is matched. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4148011316b640f48be6b7dd9005033b5347172c Author: Edward Donovan Date: Sun Nov 27 23:07:34 2011 -0500 genirq: fix regression in irqfixup, irqpoll commit 52553ddffad76ccf192d4dd9ce88d5818f57f62a upstream. Commit fa27271bc8d2("genirq: Fixup poll handling") introduced a regression that broke irqfixup/irqpoll for some hardware configurations. Amidst reorganizing 'try_one_irq', that patch removed a test that checked for 'action->handler' returning IRQ_HANDLED, before acting on the interrupt. Restoring this test back returns the functionality lost since 2.6.39. In the current set of tests, after 'action' is set, it must precede '!action->next' to take effect. With this and my previous patch to irq/spurious.c, c75d720fca8a, all IRQ regressions that I have encountered are fixed. Signed-off-by: Edward Donovan Reported-and-tested-by: Rogério Brito Cc: Thomas Gleixner Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 79f1685c82d882192b1e22b3114be78159c54b86 Author: Stanislaw Gruszka Date: Mon Nov 28 10:33:40 2011 +0100 rtlwifi: fix lps_lock deadlock commit e55b32c110b025ce07b40227f620e99700bf8741 upstream. rtl_lps_leave can be called from interrupt context, so we have to disable interrupts when taking lps_lock. Below is full lockdep info about deadlock: [ 93.815269] ================================= [ 93.815390] [ INFO: inconsistent lock state ] [ 93.815472] 2.6.41.1-3.offch.fc15.x86_64.debug #1 [ 93.815556] --------------------------------- [ 93.815635] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. [ 93.815743] swapper/0 [HC0[0]:SC1[1]:HE1:SE0] takes: [ 93.815832] (&(&rtlpriv->locks.lps_lock)->rlock){+.?...}, at: [] rtl_lps_leave+0x26/0x103 [rtlwifi] [ 93.815947] {SOFTIRQ-ON-W} state was registered at: [ 93.815947] [] __lock_acquire+0x369/0xd0c [ 93.815947] [] lock_acquire+0xf3/0x13e [ 93.815947] [] _raw_spin_lock+0x45/0x79 [ 93.815947] [] rtl_swlps_rf_awake+0x5a/0x76 [rtlwifi] [ 93.815947] [] rtl_op_config+0x12a/0x32a [rtlwifi] [ 93.815947] [] ieee80211_hw_config+0x124/0x129 [mac80211] [ 93.815947] [] ieee80211_dynamic_ps_disable_work+0x32/0x47 [mac80211] [ 93.815947] [] process_one_work+0x205/0x3e7 [ 93.815947] [] worker_thread+0xda/0x15d [ 93.815947] [] kthread+0xa8/0xb0 [ 93.815947] [] kernel_thread_helper+0x4/0x10 [ 93.815947] irq event stamp: 547822 [ 93.815947] hardirqs last enabled at (547822): [] _raw_spin_unlock_irqrestore+0x45/0x61 [ 93.815947] hardirqs last disabled at (547821): [] _raw_spin_lock_irqsave+0x22/0x8e [ 93.815947] softirqs last enabled at (547790): [] _local_bh_enable+0x13/0x15 [ 93.815947] softirqs last disabled at (547791): [] call_softirq+0x1c/0x30 [ 93.815947] [ 93.815947] other info that might help us debug this: [ 93.815947] Possible unsafe locking scenario: [ 93.815947] [ 93.815947] CPU0 [ 93.815947] ---- [ 93.815947] lock(&(&rtlpriv->locks.lps_lock)->rlock); [ 93.815947] [ 93.815947] lock(&(&rtlpriv->locks.lps_lock)->rlock); [ 93.815947] [ 93.815947] *** DEADLOCK *** [ 93.815947] [ 93.815947] no locks held by swapper/0. [ 93.815947] [ 93.815947] stack backtrace: [ 93.815947] Pid: 0, comm: swapper Not tainted 2.6.41.1-3.offch.fc15.x86_64.debug #1 [ 93.815947] Call Trace: [ 93.815947] [] print_usage_bug+0x1e7/0x1f8 [ 93.815947] [] ? save_stack_trace+0x2c/0x49 [ 93.815947] [] ? print_irq_inversion_bug.part.18+0x1a0/0x1a0 [ 93.815947] [] mark_lock+0x106/0x220 [ 93.815947] [] __lock_acquire+0x2f5/0xd0c [ 93.815947] [] ? native_sched_clock+0x34/0x36 [ 93.830125] [] ? sched_clock+0x9/0xd [ 93.830125] [] ? sched_clock_local+0x12/0x75 [ 93.830125] [] ? rtl_lps_leave+0x26/0x103 [rtlwifi] [ 93.830125] [] lock_acquire+0xf3/0x13e [ 93.830125] [] ? rtl_lps_leave+0x26/0x103 [rtlwifi] [ 93.830125] [] _raw_spin_lock+0x45/0x79 [ 93.830125] [] ? rtl_lps_leave+0x26/0x103 [rtlwifi] [ 93.830125] [] ? skb_dequeue+0x62/0x6d [ 93.830125] [] rtl_lps_leave+0x26/0x103 [rtlwifi] [ 93.830125] [] _rtl_pci_ips_leave_tasklet+0xe/0x10 [rtlwifi] [ 93.830125] [] tasklet_action+0x8d/0xee [ 93.830125] [] __do_softirq+0x112/0x25a [ 93.830125] [] call_softirq+0x1c/0x30 [ 93.830125] [] do_softirq+0x4b/0xa1 [ 93.830125] [] irq_exit+0x5d/0xcf [ 93.830125] [] do_IRQ+0x8e/0xa5 [ 93.830125] [] common_interrupt+0x73/0x73 [ 93.830125] [] ? trace_hardirqs_off+0xd/0xf [ 93.830125] [] ? intel_idle+0xe5/0x10c [ 93.830125] [] ? intel_idle+0xe1/0x10c [ 93.830125] [] cpuidle_idle_call+0x11c/0x1fe [ 93.830125] [] cpu_idle+0xab/0x101 [ 93.830125] [] rest_init+0xd7/0xde [ 93.830125] [] ? csum_partial_copy_generic+0x16c/0x16c [ 93.830125] [] start_kernel+0x3dd/0x3ea [ 93.830125] [] x86_64_start_reservations+0xaf/0xb3 [ 93.830125] [] ? early_idt_handlers+0x140/0x140 [ 93.830125] [] x86_64_start_kernel+0x102/0x111 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=755154 Reported-by: vjain02@students.poly.edu Reported-and-tested-by: Oliver Paukstadt Acked-by: Larry Finger Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 01da30a885baa667801facc2a54c80346ab6c414 Author: Tejun Heo Date: Thu Nov 24 19:22:24 2011 -0500 ext4: fix racy use-after-free in ext4_end_io_dio() commit 4c81f045c0bd2cbb78cc6446a4cd98038fe11a2e upstream. ext4_end_io_dio() queues io_end->work and then clears iocb->private; however, io_end->work calls aio_complete() which frees the iocb object. If that slab object gets reallocated, then ext4_end_io_dio() can end up clearing someone else's iocb->private, this use-after-free can cause a leak of a struct ext4_io_end_t structure. Detected and tested with slab poisoning. [ Note: Can also reproduce using 12 fio's against 12 file systems with the following configuration file: [global] direct=1 ioengine=libaio iodepth=1 bs=4k ba=4k size=128m [create] filename=${TESTDIR} rw=write -- tytso ] Google-Bug-Id: 5354697 Signed-off-by: Tejun Heo Signed-off-by: "Theodore Ts'o" Reported-by: Kent Overstreet Tested-by: Kent Overstreet Signed-off-by: Greg Kroah-Hartman commit 453fdf5561cc042b7e127af6a62138969726f539 Author: Trond Myklebust Date: Tue Nov 22 14:44:28 2011 +0200 SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared commit 24ca9a847791fd53d9b217330b15f3c285827a18 upstream. By returning '0' instead of 'EAGAIN' when the tests in xs_nospace() fail to find evidence of socket congestion, we are making the RPC engine believe that the message was incorrectly sent and so it disconnects the socket instead of just retrying. The bug appears to have been introduced by commit 5e3771ce2d6a69e10fcc870cdf226d121d868491 (SUNRPC: Ensure that xs_nospace return values are propagated). Reported-by: Andrew Cooper Signed-off-by: Trond Myklebust Tested-by: Andrew Cooper Signed-off-by: Greg Kroah-Hartman commit 854b259aa1fbb2f4e63ba02a008f48c36606e73d Author: Mark Brown Date: Mon Nov 21 11:55:41 2011 +0000 ASoC: Ensure WM8731 register cache is synced when resuming from disabled commit ed3e80c4c991a52f9fce3421536a78e331ae0949 upstream. Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 101e07082f732dfb645ba370b0c0b510e1283f25 Author: Timo Juhani Lindfors Date: Thu Nov 17 02:52:50 2011 +0200 ASoC: wm8753: Skip noop reconfiguration of DAI mode commit 2391a0e06789a3f1718dee30b282562f7ed28c87 upstream. This patch makes it possible to set DAI mode to its currently applied value even if codec is active. This is necessary to allow aplay -t raw -r 44100 -f S16_LE -c 2 < /dev/urandom & alsactl store -f backup.state alsactl restore -f backup.state to work without returning errors. This patch is based on a patch sent by Klaus Kurzmann . Signed-off-by: Timo Juhani Lindfors Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 38c15d6ae974128158acee43380508db968c80bf Author: Timur Tabi Date: Mon Nov 14 16:35:26 2011 -0600 ASoC: fsl_ssi: properly initialize the sysfs attribute object commit 0f768a7235d3dfb6f4833030a95a06419df089cb upstream. Commit 6992f533 ("sysfs: Use one lockdep class per sysfs attribute") requires 'struct attribute' objects to be initialized with sysfs_attr_init(). Signed-off-by: Timur Tabi Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 71b3b360ee04f567eded77c3bcadb510f9a7c8f0 Author: Johannes Stezenbach Date: Mon Nov 14 17:23:16 2011 +0100 ASoC: sta32x: preserve coefficient RAM commit 54dc6cabe684375b3cf549c7b0545613d694aba8 upstream. The coefficient RAM must be saved in a shadow so it can be restored when the codec is powered on using regulator_bulk_enable(). Signed-off-by: Johannes Stezenbach Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 45445147b0cf1c398b370aa064dc2fb7f9b5128e Author: Takashi Iwai Date: Wed Nov 23 07:38:59 2011 +0100 ALSA: hda/realtek - Fix missing inits of item indices for auto-mic commit 6759dc323826c2c806c998cd93945c5476688dd2 upstream. When the imux entries are rebuilt in alc_rebuild_imux_for_auto_mic(), the initialization of index field is missing. It may work without it casually when the original imux was created by the auto-parser, but it's definitely broken in the case of static configs where no imux was parsed beforehand. Because of this, the auto-mic switching doesn't work properly on some model options. This patch adds the missing initialization of index field. Reported-by: Dmitry Nezhevenko Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 30444a763d652293e36f38ca43de13d6cf5ec3b0 Author: Tim Blechmann Date: Tue Nov 22 11:15:45 2011 +0100 ALSA: lx6464es - fix device communication via command bus commit a29878553a9a7b4c06f93c7e383527cf014d4ceb upstream. commit 6175ddf06b6172046a329e3abfd9c901a43efd2e optimized the mem*io functions that have been used to send commands to the device. these optimizations somehow corrupted the communication with the lx6464es, that resulted the device to be unusable with kernels after 2.6.33. this patch emulates the memcpy_*_io functions via a loop to avoid these problems. Signed-off-by: Tim Blechmann LKML-Reference: <4ECB5257.4040600@ladisch.de> Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9b8fd4ef07fdfeb445ab35b2329fe3c1727297fe Author: Takashi Iwai Date: Thu Nov 24 16:33:09 2011 +0100 ALSA: hda - Fix jack-detection control of VT1708 commit 187d333edc0a8e1bb507900ce89853ffe3bd2c84 upstream. VT1708 has no support for unsolicited events per jack-plug, the driver implements the workq for polling the jack-detection. The mixer element "Jack Detect" was supposed to control this behavior on/off, but this doesn't work properly as is now. The workq is always started and the HP automute is always enabled. This patch fixes the jack-detect control behavior by triggering / stopping the work appropriately at the state change. Also the work checks the internal state to continue scheduling or not. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 03c371b70411f1f2805e2965eff0629908b59c13 Author: Will Deacon Date: Mon Nov 14 17:24:58 2011 +0100 ARM: 7161/1: errata: no automatic store buffer drain commit 11ed0ba1754841316d4095478944300acf19acc3 upstream. This patch implements a workaround for PL310 erratum 769419. On revisions of the PL310 prior to r3p2, the Store Buffer does not automatically drain. This can cause normal, non-cacheable writes to be retained when the memory system is idle, leading to suboptimal I/O performance for drivers using coherent DMA. This patch adds an optional wmb() call to the cpu_idle loop. On systems with an outer cache, this causes an explicit flush of the store buffer. Acked-by: Catalin Marinas Tested-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit e9b529a3d8929c793ed6326d407ec7bf18bff6bb Author: Kevin Hilman Date: Wed Nov 23 14:43:01 2011 -0800 ARM: OMAP: PM: only register TWL with voltage layer when device is present commit 46232a3622c6e33605906ee6690dfef372925f53 upstream. Current code registers voltage layer details for TWL PMIC even when a TWL has not been registered. Fix this to only register the TWL with voltage layer when the TWL PMIC is initialized by board-level code. Signed-off-by: Kevin Hilman Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 8591c9d862e86646a1b76ca3154c0ec1b58d51c6 Author: Ming Lei Date: Wed Nov 23 14:44:50 2011 -0800 ARM: OMAP2: select ARM_AMBA if OMAP3_EMU is defined commit a8a6565c7615cab3608d75af95b5c8a3522cd7c4 upstream. This patch selects ARM_AMBA if OMAP3_EMU is defined because OC_ETM depends on ARM_AMBA, so fix the link failure[1]. [1], arch/arm/kernel/built-in.o: In function `etm_remove': /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:609: undefined reference to `amba_release_regions' arch/arm/kernel/built-in.o: In function `etb_remove': /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:409: undefined reference to `amba_release_regions' arch/arm/kernel/built-in.o: In function `etm_init': /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:640: undefined reference to `amba_driver_register' /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:646: undefined reference to `amba_driver_register' /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:648: undefined reference to `amba_driver_unregister' arch/arm/kernel/built-in.o: In function `etm_probe': /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:545: undefined reference to `amba_request_regions' /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:595: undefined reference to `amba_release_regions' arch/arm/kernel/built-in.o: In function `etb_probe': /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:347: undefined reference to `amba_request_regions' /home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:392: undefined reference to `amba_release_regions' arch/arm/mach-omap2/built-in.o: In function `emu_init': /home/tom/git/omap/linux-2.6-omap/arch/arm/mach-omap2/emu.c:62: undefined reference to `amba_device_register' /home/tom/git/omap/linux-2.6-omap/arch/arm/mach-omap2/emu.c:63: undefined reference to `amba_device_register' make: *** [.tmp_vmlinux1] Error 1 making modules Signed-off-by: Ming Lei Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 969b42a8899f173a232b5ad14b2a0f5913c8b3b1 Author: sricharan Date: Wed Nov 23 14:35:07 2011 -0800 ARM: OMAP: hwmod: Fix the addr space, irq, dma count APIs commit cc1b0765da6078b906772b79ff211b88cc0ae958 upstream. The address spaces, irqs and dma reqs count APIs return the number of corresponding entries in a hwmod including a additional null value or a -1 terminator in the structure introduced recently. More information here: - 212738a4: omap_hwmod: use a terminator record with omap_hwmod_mpu_irqs arrays - 78183f3f: omap_hwmod: use a null structure record to terminate omap_hwmod_addr_space arrays - bc614958: omap_hwmod: use a terminator record with omap_hwmod_dma_info arrays The issue with irqs and dma info was originally reported by Benoit Cousson. The devices which have multiple hwmods and use device_build_ss are broken with this, as their resources are populated with a extra null value, subsequently the probe fails. So fix the API not to include the array terminator in the count. Reported-by: Benoit Cousson Signed-off-by: Santosh Shilimkar Signed-off-by: sricharan Signed-off-by: Benoit Cousson Cc: Paul Walmsley Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 8fe9f659b730ca92367370cf7ae6de6ef640cf62 Author: Felipe Balbi Date: Wed Nov 23 14:43:37 2011 -0800 ARM: OMAP: smartreflex: fix IRQ handling bug commit 5a4f1844c2ba21f804d7729306d9b16eaeb724a8 upstream. Fix a bug which has been on this driver since it was added by the original commit 984aa6db which would never clear IRQSTATUS bits. Signed-off-by: Felipe Balbi Signed-off-by: Kevin Hilman Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit acc0e76c23b07b8d0bd85774de9904ce278115c4 Author: Wolfram Sang Date: Sat Sep 10 12:26:07 2011 +0200 arm: mx28: fix bit operation in clock setting commit c2735391fbc68feae10d6d14e60956c8106e725f upstream. reg | (1 << clk->enable_shift) always evaluates to true. Switch it to & which makes much more sense. Same fix as 13be9f00 (ARM i.MX28: fix bit operation) at a different location. Signed-off-by: Wolfram Sang Cc: Sascha Hauer Cc: Shawn Guo Signed-off-by: Shawn Guo Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 8533dca18388b89bcb1772c5f504ac96a4826632 Author: Haojian Zhuang Date: Thu Nov 10 07:13:07 2011 +0800 ARM: pxa: fix inconsistent CONFIG_USB_PXA27X commit c0a39151a4055332897cba615623d3de2f3896df upstream. Since CONFIG_USB_GADGET_PXA27X and other macros are renamed to CONFIG_USB_PXA27X. Update them in arch/arm/mach-pxa and arch/arm/configs to keep consistent. Signed-off-by: Haojian Zhuang Acked-by: Felipe Balbi Signed-off-by: Eric Miao Signed-off-by: Greg Kroah-Hartman commit df01c1efffdaf26ef874f96986a64776c170b024 Author: Daniel Drake Date: Mon Nov 21 15:05:56 2011 +0000 viafb: correct sync polarity for OLPC DCON commit a32839696a8eef813a1aff604fbad9a32dff6c95 upstream. While the OLPC display appears to be able to handle either positive or negative sync, the Display Controller only recognises positive sync. This brings viafb (for XO-1.5) in line with lxfb (for XO-1) and fixes a recent regression where the XO-1.5 DCON could no longer be frozen. Thanks to Florian Tobias Schandinat for helping identify the fix. Test case: from a vt, echo 1 > /sys/devices/platform/dcon/freeze should cause the current screen contents to freeze, rather than garbage being displayed. Signed-off-by: Daniel Drake Signed-off-by: Florian Tobias Schandinat Signed-off-by: Greg Kroah-Hartman commit cbd00285bbef94804213974a5fd084c3f7197ec6 Author: Alex Deucher Date: Mon Nov 14 14:32:01 2011 -0500 drm/radeon/kms: fix up gpio i2c mask bits for r4xx commit 6c47e5c23aa2a7c54ad7ac13af4bd56cd9e703bf upstream. Fixes i2c test failures when i2c_algo_bit.bit_test=1. The hw doesn't actually require a mask, so just set it to the default mask bits for r1xx-r4xx radeon ddc. Signed-off-by: Alex Deucher Cc: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 14855077253713109f8a835cc6e9271432460de9 Author: Bjorn Helgaas Date: Tue Aug 23 10:16:43 2011 -0600 PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs commit 4cac2eb158c6da0c761689345c6cc5df788a6292 upstream. Previously we claimed device ID 0x7450, regardless of the vendor, which is clearly wrong. Now we'll claim that device ID only for AMD. I suspect this was just a typo in the original code, but it's possible this change will break shpchp on non-7450 AMD bridges. If so, we'll have to fix them as we find them. Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638863 Reported-by: Ralf Jung Cc: Joerg Roedel Signed-off-by: Bjorn Helgaas Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit d02f594b5287e6b8a0274991b6b6e645cef79b33 Author: Takashi Iwai Date: Wed Nov 16 10:58:03 2011 +0100 drm/i915: Fix inconsistent backlight level during disabled commit 04b38670cf46c096705f24e92a8747d1ab89e53c upstream. When the brightness property is inquired while the backlight is disabled, the driver returns a wrong value (zero) because it probes the value after the backlight was turned off. This caused a black screen even after the backlight is enabled again. It should return the internal backlight_level instead, so that it won't be influenced by the backlight-enable state. BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=41926 BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/872652 Tested-by: Kamal Mostafa Cc: Alex Davis Signed-off-by: Takashi Iwai Signed-off-by: Keith Packard Signed-off-by: Greg Kroah-Hartman commit 8f9940d1bf1d7dface90977031e327ee237408ca Author: Eric Anholt Date: Mon Nov 7 16:07:05 2011 -0800 drm/i915: Turn on another required clock gating bit on gen6. commit 9ca1d10d748e56964de95e3ed80211b192f56cf4 upstream. Unlike the previous one, I don't have known testcases it fixes. I'd rather not go through the same debug cycle on whatever testcases those might be. Signed-off-by: Eric Anholt Signed-off-by: Keith Packard Signed-off-by: Greg Kroah-Hartman commit 9bdbb716a8c3a3363d40b198f351d78bfecd8917 Author: Eric Anholt Date: Mon Nov 7 16:07:04 2011 -0800 drm/i915: Turn on a required 3D clock gating bit on Sandybridge. commit 406478dc911e16677fbd9c84d1d50cdffbc031ab upstream. Fixes rendering failures in Unigine Tropics and Sanctuary and the mesa "fire" demo. Signed-off-by: Eric Anholt Signed-off-by: Keith Packard Signed-off-by: Greg Kroah-Hartman commit 03d51d153892ab5f07362ba63e088f8bf2d0512e Author: Daniel Vetter Date: Sun Oct 9 21:52:01 2011 +0200 drm/i915: Ivybridge still has fences! commit 775d17b6ca4357048f36c22151335addfe15db4b upstream. So don't forget to restore them on resume and dump them into the error state. Signed-off-by: Daniel Vetter Reviewed-by: Chris Wilson Signed-off-by: Keith Packard Signed-off-by: Greg Kroah-Hartman commit 24966e970264bfffa616f1f2d5f65a2db069b871 Author: Alex Deucher Date: Mon Nov 21 12:10:14 2011 -0500 drm/radeon/kms: fix up gpio i2c mask bits for r4xx for real commit d724502a9d7a46f4a56a1663b1f50d2dc9d1ef40 upstream. Fixes i2c test failures when i2c_algo_bit.bit_test=1. The hw doesn't actually require a mask, so just set it to the default mask bits for r1xx-r4xx radeon ddc. I missed this part the first time through. Signed-off-by: Alex Deucher Cc: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 02a04b98adead5626a395edc21bf6d7f17611938 Author: Xi Wang Date: Wed Nov 23 01:12:01 2011 -0500 drm: integer overflow in drm_mode_dirtyfb_ioctl() commit a5cd335165e31db9dbab636fd29895d41da55dd2 upstream. There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in a memory corruption. Reported-by: Haogang Chen Signed-off-by: Xi Wang Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 49f5bf4e65140344f6ab824571b8325b7bd95d9b Author: Phil Sutter Date: Wed Nov 16 18:28:01 2011 +0100 crypto: mv_cesa - fix hashing of chunks > 1920 bytes commit 274252862f386b7868f35bf5ceaa5391a8ccfdf3 upstream. This was broken by commit 7759995c75ae0cbd4c861582908449f6b6208e7a (yes, myself). The basic problem here is since the digest state is only saved after the last chunk, the state array is only valid when handling the first chunk of the next buffer. Broken since linux-3.0. Signed-off-by: Phil Sutter Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 722daca8514aacaf7ed1311f2cc8e518af675049 Author: Tyler Hicks Date: Wed Nov 23 11:31:24 2011 -0600 eCryptfs: Extend array bounds for all filename chars commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream. From mhalcrow's original commit message: Characters with ASCII values greater than the size of filename_rev_map[] are valid filename characters. ecryptfs_decode_from_filename() will access kernel memory beyond that array, and ecryptfs_parse_tag_70_packet() will then decrypt those characters. The attacker, using the FNEK of the crafted file, can then re-encrypt the characters to reveal the kernel memory past the end of the filename_rev_map[] array. I expect low security impact since this array is statically allocated in the text area, and the amount of memory past the array that is accessible is limited by the largest possible ASCII filename character. This patch solves the issue reported by mhalcrow but with an implementation suggested by Linus to simply extend the length of filename_rev_map[] to 256. Characters greater than 0x7A are mapped to 0x00, which is how invalid characters less than 0x7A were previously being handled. Signed-off-by: Tyler Hicks Reported-by: Michael Halcrow Signed-off-by: Greg Kroah-Hartman commit a638f9564fd11b37efee4e78d7ef9dc52eb2a7cd Author: Jeffrey (Sheng-Hui) Chu Date: Wed Nov 23 11:33:07 2011 +0100 i2c-algo-bit: Generate correct i2c address sequence for 10-bit target commit cc6bcf7d2ec2234e7b41770185e4dc826390185e upstream. The wrong bits were put on the wire, fix that. This fixes kernel bug #42562. Signed-off-by: Sheng-Hui J. Chu Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 19c8acbc4a4d444d72d256a7541b040cebddc78b Author: Tyler Hicks Date: Mon Nov 21 17:31:29 2011 -0600 eCryptfs: Flush file in vma close commit 32001d6fe9ac6b0423e674a3093aa56740849f3b upstream. Dirty pages weren't being written back when an mmap'ed eCryptfs file was closed before the mapping was unmapped. Since f_ops->flush() is not called by the munmap() path, the lower file was simply being released. This patch flushes the eCryptfs file in the vm_ops->close() path. https://launchpad.net/bugs/870326 Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit d1d274cd1ce2eb979c66233a36a7a92abfc0f18f Author: Tyler Hicks Date: Mon Nov 21 17:31:02 2011 -0600 eCryptfs: Prevent file create race condition commit b59db43ad4434519feb338eacb01d77eb50825c5 upstream. The file creation path prematurely called d_instantiate() and unlock_new_inode() before the eCryptfs inode info was fully allocated and initialized and before the eCryptfs metadata was written to the lower file. This could result in race conditions in subsequent file and inode operations leading to unexpected error conditions or a null pointer dereference while attempting to use the unallocated memory. https://launchpad.net/bugs/813146 Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit 4cd6f5d82a1e43abb729fdfe7e7a6833892845dd Merge: 272d3c7 74517cb Author: Nicolas Pitre Date: Mon Nov 28 22:46:01 2011 -0500 Merge commit 'v3.1.4' into linaro-3.1 commit 74517cb61ec5b7b5902b36feb0ae2cc60444e8f0 Author: Greg Kroah-Hartman Date: Tue Nov 29 07:48:14 2011 +0900 Linux 3.1.4 commit 4a8dec4b97aaf62dd1d532fd1b2edbc26afd4cb9 Author: Greg Kroah-Hartman Date: Tue Nov 29 07:40:10 2011 +0900 Revert "USB: EHCI: fix HUB TT scheduling issue with iso transfer" This reverts commit f0cc710a6dec5b808a6f13f1f8853c094fce5f12. Cc: Matthieu Castet Cc: Thomas Poussevin Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 272d3c754502ee3ccd898264f050721f565d0c8e Author: Kautuk Consul Date: Tue Nov 22 13:31:30 2011 -0500 arm: fault.c: Port OOM changes into do_page_fault Commit d065bd810b6deb67d4897a14bfe21f8eb526ba99 (mm: retry page fault when blocking on disk transfer) and commit 37b23e0525d393d48a7d59f870b3bc061a30ccdb (x86,mm: make pagefault killable) The above commits introduced changes into the x86 pagefault handler for making the page fault handler retryable as well as killable. These changes reduce the mmap_sem hold time, which is crucial during OOM killer invocation. Port these changes to ARM. Without these changes, my ARM board encounters many hang and livelock scenarios. After applying this patch, OOM feature performance improves according to my testing. Signed-off-by: Kautuk Consul "I think this is fine"-by Russell King - ARM Linux Signed-off-by: Nicolas Pitre commit ca6abb54069c4ab951eb71c7034ec6b4eb626a98 Merge: f6b252b a625393 Author: Nicolas Pitre Date: Mon Nov 28 11:42:42 2011 -0500 Merge commit 'v3.1.2' into linaro-3.1 commit e6c2efafa8854e544bd15bdfc8498d4d0507d805 Author: Greg Kroah-Hartman Date: Sat Nov 26 09:08:57 2011 -0800 Linux 3.1.3 commit 26e15787b98f3cac67d0b9458befd24adbef7272 Author: Mikulas Patocka Date: Mon Oct 31 17:08:57 2011 -0700 vmscan: fix shrinker callback bug in fs/super.c commit 09f363c7363eb10cfb4b82094bd7064e5608258b upstream. The callback must not return -1 when nr_to_scan is zero. Fix the bug in fs/super.c and add this requirement to the callback specification. Signed-off-by: Mikulas Patocka Cc: Dave Chinner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1bccf76533a1e336dfa8007554d4283253e259c7 Author: Antonio Quartulli Date: Sat Oct 22 00:55:39 2011 +0200 batman-adv: unify hash_entry field position in tt_local/global_entry commit 93840ac40bb0d0f177ef8af74e64671be67e8c37 upstream. Function tt_response_fill_table() actually uses a tt_local_entry pointer to iterate either over the local or the global table entries (it depends on the what hash table is passed as argument). To iterate over such entries the hlist_for_each_entry_rcu() macro has to access their "hash_entry" field which MUST be at the same position in both the tt_global/local_entry structures. Reported-by: Simon Wunderlich Signed-off-by: Antonio Quartulli Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman commit 9bab392e4a2120bba4f6fbe8676a5baf16756926 Author: Simon Wunderlich Date: Wed Oct 19 10:28:26 2011 +0200 batman-adv: add sanity check when removing global tts commit 6e8014947d6469df1566e9e253805557c5c0e4e0 upstream. After removing the batman-adv module, the hash may be already gone when tt_global_del_orig() tries to clean the hash. This patch adds a sanity check to avoid this. Signed-off-by: Simon Wunderlich Tested-by: Alexey Fisher Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman commit 7766f4ed0b29204dc9248dea3bc547a8c93d18cb Author: Simon Wunderlich Date: Wed Oct 19 11:02:25 2011 +0200 batman-adv: remove references for global tt entries commit 531027fcddbcf81c9937dd04f08a7e8f11fd47d2 upstream. struct tt_global_entry holds a reference to an orig_node which must be decremented before deallocating the structure. Signed-off-by: Simon Wunderlich Tested-by: Alexey Fisher Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman commit 02460fcf18a10059eb52a223cc62d7d9b43ac3c0 Author: Antonio Quartulli Date: Mon Oct 17 14:25:13 2011 +0200 batman-adv: correctly set the data field in the TT_REPONSE packet commit 9d8523931f7f5eb8900077f0da0fbe6b8ad0010b upstream. In the TT_RESPONSE packet, the number of carried entries is not correctly set. This leads to a wrong interpretation of the packet payload on the receiver side causing random entries to be added to the global translation table. Therefore the latter gets always corrupted, triggering a table recovery all the time. Signed-off-by: Antonio Quartulli Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman commit bde860c48a217a9b71fda841090afab693ccb2b6 Author: Antonio Quartulli Date: Sun Oct 16 18:53:37 2011 +0200 batman-adv: fix tt_local_reset_flags() function commit 31901264511cf20c5ed33b8649a3ca9ce28df60b upstream. Currently the counter of tt_local_entry structures (tt_local_num) is incremented each time the tt_local_reset_flags() is invoked causing the node to send wrong TT_REPONSE packets containing a copy of non-initialised memory thus corrupting other nodes global translation table and making higher level communication impossible. Reported-by: Junkeun Song Signed-off-by: Antonio Quartulli Acked-by: Junkeun Song Signed-off-by: Marek Lindner Signed-off-by: Greg Kroah-Hartman commit 89c59226317ff9ebaa54e37a39ba2479c3f11fa8 Author: Jesse Barnes Date: Mon Oct 10 14:28:52 2011 -0700 drm/i915: always set FDI composite sync bit commit c4f9c4c2b3f1831e932e04db992cf6fe92c2a95a upstream. It's needed for 3 pipe support as well as just regular functionality (e.g. DisplayPort). Signed-off-by: Jesse Barnes Tested-by: Adam Jackson Tested-by: Eugeni Dodonov Signed-off-by: Keith Packard Signed-off-by: Robert Hooker Signed-off-by: Greg Kroah-Hartman commit 8ec180a74877149cc5974b221f02660114c62acb Author: Jesse Barnes Date: Wed Oct 12 11:10:21 2011 -0700 drm/i915: fix IVB cursor support commit 65a21cd65316145f9302594be8e69074369e1050 upstream. The cursor regs have moved around, add the offsets and new macros for getting at them. Signed-off-by: Jesse Barnes Tested-By: Eugeni Dodonov Reviewed-By: Eugeni Dodonov Signed-off-by: Keith Packard Signed-off-by: Robert Hooker Signed-off-by: Greg Kroah-Hartman commit f4fb118ca065166a74757cbfa2feac4c366deed3 Author: sordna Date: Thu Oct 27 21:06:26 2011 -0700 USB: quirks: adding more quirky webcams to avoid squeaky audio commit 0d145d7d4a241c321c832a810bb6edad18e2217b upstream. The following patch contains additional affected webcam models, on top of the patches commited to linux-next 2394d67e446bf616a0885167d5f0d397bdacfdfc and 5b253d88cc6c65a23cefc457a5a4ef139913c5fc Signed-off-by: sordna Cc: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 99acf71211a8e9d881461e9099cf30229f99b4d8 Author: Josh Boyer Date: Wed Oct 26 13:53:17 2011 -0400 USB: add quirk for Logitech C600 web cam commit 60c71ca972a2dd3fd9d0165b405361c8ad48349b upstream. We've had another report of the "chipmunk" sound on a Logitech C600 webcam. This patch resolves the issue. Signed-off-by: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit f0cc710a6dec5b808a6f13f1f8853c094fce5f12 Author: Thomas Poussevin Date: Thu Oct 27 18:46:48 2011 +0200 USB: EHCI: fix HUB TT scheduling issue with iso transfer commit 811c926c538f7e8d3c08b630dd5844efd7e000f6 upstream. The current TT scheduling doesn't allow to play and then record on a full-speed device connected to a high speed hub. The IN iso stream can only start on the first uframe (0-2 for a 165 us) because of CSPLIT transactions. For the OUT iso stream there no such restriction. uframe 0-5 are possible. The idea of this patch is that the first uframe are precious (for IN TT iso stream) and we should allocate the last uframes first if possible. For that we reverse the order of uframe allocation (last uframe first). Here an example : hid interrupt stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ---------------------------------------------------------------------- iso OUT stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 125 | 39 | 0 | 0 | 0 | 0 | 0 | ---------------------------------------------------------------------- There no place for iso IN stream (uframe 0-2 are used) and we got "cannot submit datapipe for urb 0, error -28: not enough bandwidth" error. With the patch this become. iso OUT stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 0 | 0 | 0 | 125 | 39 | 0 | 0 | ---------------------------------------------------------------------- iso IN stream ---------------------------------------------------------------------- uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ---------------------------------------------------------------------- max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 | ---------------------------------------------------------------------- used usecs on a frame | 13 | 0 | 125 | 40 | 125 | 39 | 0 | 0 | ---------------------------------------------------------------------- Signed-off-by: Matthieu Castet Signed-off-by: Thomas Poussevin Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit ce0e4cbdc4e962aefc25bde683c415e25ed45ee6 Author: Alan Stern Date: Tue Oct 25 10:50:58 2011 -0400 usb-storage: Accept 8020i-protocol commands longer than 12 bytes commit 2f640bf4c94324aeaa1b6385c10aab8c5ad1e1cf upstream. The 8020i protocol (also 8070i and QIC-157) uses 12-byte commands; shorter commands must be padded. Simon Detheridge reports that his 3-TB USB disk drive claims to use the 8020i protocol (which is normally meant for ATAPI devices like CD drives), and because of its large size, the disk drive requires the use of 16-byte commands. However the usb_stor_pad12_command() routine in usb-storage always sets the command length to 12, making the drive impossible to use. Since the SFF-8020i specification allows for 16-byte commands in future extensions, we may as well accept them. This patch (as1490) changes usb_stor_pad12_command() to leave commands larger than 12 bytes alone rather than truncating them. Signed-off-by: Alan Stern Tested-by: Simon Detheridge CC: Matthew Dharm Signed-off-by: Greg Kroah-Hartman commit 4c72dfff8cfbc0d5c63145691c9dbbd1df995c1c Author: Andrew Worsley Date: Fri Nov 18 23:13:33 2011 +1100 USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c commit b1ffb4c851f185e9051ba837c16d9b84ef688d26 upstream. Fix for ftdi_set_termios() glitching output ftdi_set_termios() is constantly setting the baud rate, data bits and parity unnecessarily on every call, . When called while characters are being transmitted can cause the FTDI chip to corrupt the serial port bit stream output by stalling the output half a bit during the output of a character. Simple fix by skipping this setting if the baud rate/data bits/parity are unchanged. Signed-off-by: Andrew Worsley Signed-off-by: Greg Kroah-Hartman commit 22e88b06a5779026f242c2eb628ec058c79b2ed0 Author: Bart Hartgers Date: Wed Oct 26 13:29:42 2011 +0200 USB: ark3116 initialisation fix commit 583182ba5f02c8c9be82ea550f2051eaec15b975 upstream. This patch for the usb serial ark3116 driver fixes an initialisation ordering bug that gets triggered on hotplug when using at least recent debian/ubuntu userspace. Without it, ark3116 serial cables don't work. Signed-off-by: Bart Hartgers Tested-by: law_ence.dev@ntlworld.com Signed-off-by: Greg Kroah-Hartman commit 43e3b323523373a33e4f42304db02779ef03751a Author: Alan Stern Date: Thu Oct 27 11:20:21 2011 -0400 USB: workaround for bug in old version of GCC commit 97ff22ee3b4cb3a334f7385e269773141aed702f upstream. This patch (as1491) works around a bug in GCC-3.4.6, which is still supposed to be supported. The number of microseconds in the udelay() call in quirk_usb_disable_ehci() is fixed at 100, but the compiler doesn't understand this and generates a link-time error. So we replace the otherwise unused variable "delta" with a simple constant 100. This same pattern is already used in other delay loops in that source file. Signed-off-by: Alan Stern Reported-by: Konrad Rzepecki Tested-by: Konrad Rzepecki Signed-off-by: Greg Kroah-Hartman commit 195f0cd98344bfa50c995add0397efe1d60501f6 Author: Havard Skinnemoen Date: Wed Nov 9 13:47:38 2011 -0800 USB: cdc-acm: Fix disconnect() vs close() race commit 5dc2470c602da8851907ec18942cd876c3b4ecc1 upstream. There's a race between the USB disconnect handler and the TTY close handler which may cause the acm object to be freed while it's still being used. This may lead to things like http://article.gmane.org/gmane.linux.usb.general/54250 and https://lkml.org/lkml/2011/5/29/64 This is the simplest fix I could come up with. Holding on to open_mutex while closing the TTY device prevents acm_disconnect() from freeing the acm object between acm->port.count drops to 0 and the TTY side of the cleanups are finalized. Signed-off-by: Havard Skinnemoen Cc: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit c5d412bfb9fe3dbd61d5ce2257b2ab5ed10ee44a Author: Tomoya MORINAGA Date: Fri Oct 28 09:37:34 2011 +0900 USB: pch_udc: Support new device LAPIS Semiconductor ML7831 IOH commit 731ad81e2dd97e3f222361f7b3ff4b35639e46af upstream. ML7831 is companion chip for Intel Atom E6xx series. Signed-off-by: Tomoya MORINAGA Signed-off-by: Greg Kroah-Hartman commit a0d5bdc518afcf0721bfb7d324e52bba2234030a Author: wangyanqing Date: Thu Nov 10 14:04:08 2011 +0800 USB: serial: pl2303: rm duplicate id commit 0c16595539b612fe948559433dda08ff96a8bdc7 upstream. I get report from customer that his usb-serial converter doesn't work well,it sometimes work, but sometimes it doesn't. The usb-serial converter's id: vendor_id product_id 0x4348 0x5523 Then I search the usb-serial codes, and there are two drivers announce support this device, pl2303 and ch341, commit 026dfaf1 cause it. Through many times to test, ch341 works well with this device, and pl2303 doesn't work quite often(it just work quite little). ch341 works well with this device, so we doesn't need pl2303 to support.I try to revert 026dfaf1 first, but it failed. So I prepare this patch by hand to revert it. Signed-off-by: Wang YanQing Signed-off-by: Greg Kroah-Hartman commit 6954d95fa354eb6bc277505c658fe28f9553b6b8 Author: Ferenc Wagner Date: Thu Nov 17 16:44:58 2011 +0100 USB: option: add PID of Huawei E173s 3G modem commit 4aa3648c719265bac9c2742c9ebb043e6dbdd790 upstream. Signed-off-by: Ferenc Wagner Signed-off-by: Greg Kroah-Hartman commit 8cf4a733a63a487d1028127ac567fef1e3d805eb Author: zheng.zhijian@zte.com.cn Date: Thu Nov 17 19:23:25 2011 +0800 USB: option: release new PID for ZTE 3G modem commit 46b5a277ed90317a4d17e936c16037e76011b219 upstream. This patch adds new PIDs for ZTE 3G modem, after we confirm it and tested. Thanks for Dan's work at kernel option devier. Signed-off-by: Alvin.Zheng Signed-off-by: wsalvin Signed-off-by: Greg Kroah-Hartman commit 78c5cd61577b370e47eaf8e8405c63fb3f5b8921 Author: Alan Stern Date: Thu Nov 3 11:37:10 2011 -0400 USB: XHCI: resume root hubs when the controller resumes commit f69e3120df82391a0ee8118e0a156239a06b2afb upstream. This patch (as1494) fixes a problem in xhci-hcd's resume routine. When the controller is runtime-resumed, this can only mean that one of the two root hubs has made a wakeup request and therefore needs to be resumed as well. Rather than try to determine which root hub requires attention (which might be difficult in the case where a new non-SuperSpeed device has been plugged in), the patch simply resumes both root hubs. Without this change, there is a race: The controller might be put back to sleep before it can activate its IRQ line, and the wakeup condition might never get handled. The patch also simplifies the logic in xhci_resume a little, combining some repeated flag settings into a single pair of statements. Signed-off-by: Alan Stern CC: Sarah Sharp Tested-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6b17329bbf8b902dcd1f5a0f94d43f902b72f682 Author: Don Zickus Date: Thu Oct 20 23:52:14 2011 -0400 usb, xhci: fix lockdep warning on endpoint timeout commit f43d623164022dcbf6750ef220b7a1133a1183eb upstream. While debugging a usb3 problem, I stumbled upon this lockdep warning. Oct 18 21:41:17 dhcp47-74 kernel: ================================= Oct 18 21:41:17 dhcp47-74 kernel: [ INFO: inconsistent lock state ] Oct 18 21:41:17 dhcp47-74 kernel: 3.1.0-rc4nmi+ #456 Oct 18 21:41:17 dhcp47-74 kernel: --------------------------------- Oct 18 21:41:17 dhcp47-74 kernel: inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. Oct 18 21:41:17 dhcp47-74 kernel: swapper/0 [HC0[0]:SC1[1]:HE1:SE0] takes: Oct 18 21:41:17 dhcp47-74 kernel: (&(&xhci->lock)->rlock){?.-...}, at: [] xhci_stop_endpoint_command_watchdog+0x30/0x340 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: {IN-HARDIRQ-W} state was registered at: Oct 18 21:41:17 dhcp47-74 kernel: [] __lock_acquire+0x781/0x1660 Oct 18 21:41:17 dhcp47-74 kernel: [] lock_acquire+0x97/0x170 Oct 18 21:41:17 dhcp47-74 kernel: [] _raw_spin_lock+0x46/0x80 Oct 18 21:41:17 dhcp47-74 kernel: [] xhci_irq+0x3a/0x1960 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] xhci_msi_irq+0x31/0x40 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] handle_irq_event_percpu+0x85/0x320 Oct 18 21:41:17 dhcp47-74 kernel: [] handle_irq_event+0x48/0x70 Oct 18 21:41:17 dhcp47-74 kernel: [] handle_edge_irq+0x6d/0x130 Oct 18 21:41:17 dhcp47-74 kernel: [] handle_irq+0x49/0xa0 Oct 18 21:41:17 dhcp47-74 kernel: [] do_IRQ+0x5d/0xe0 Oct 18 21:41:17 dhcp47-74 kernel: [] ret_from_intr+0x0/0x13 Oct 18 21:41:17 dhcp47-74 kernel: [] usb_set_device_state+0x8a/0x180 Oct 18 21:41:17 dhcp47-74 kernel: [] usb_add_hcd+0x2b8/0x730 Oct 18 21:41:17 dhcp47-74 kernel: [] xhci_pci_probe+0x9e/0xd4 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] local_pci_probe+0x5f/0xd0 Oct 18 21:41:17 dhcp47-74 kernel: [] pci_device_probe+0x119/0x120 Oct 18 21:41:17 dhcp47-74 kernel: [] driver_probe_device+0xa3/0x2c0 Oct 18 21:41:17 dhcp47-74 kernel: [] __driver_attach+0xab/0xb0 Oct 18 21:41:17 dhcp47-74 kernel: [] bus_for_each_dev+0x6c/0xa0 Oct 18 21:41:17 dhcp47-74 kernel: [] driver_attach+0x1e/0x20 Oct 18 21:41:17 dhcp47-74 kernel: [] bus_add_driver+0x1f8/0x2b0 Oct 18 21:41:17 dhcp47-74 kernel: [] driver_register+0x76/0x140 Oct 18 21:41:17 dhcp47-74 kernel: [] __pci_register_driver+0x66/0xe0 Oct 18 21:41:17 dhcp47-74 kernel: [] snd_timer_find+0x4a/0x70 [snd_timer] Oct 18 21:41:17 dhcp47-74 kernel: [] snd_timer_find+0xe/0x70 [snd_timer] Oct 18 21:41:17 dhcp47-74 kernel: [] do_one_initcall+0x43/0x180 Oct 18 21:41:17 dhcp47-74 kernel: [] sys_init_module+0x92/0x1f0 Oct 18 21:41:17 dhcp47-74 kernel: [] system_call_fastpath+0x16/0x1b Oct 18 21:41:17 dhcp47-74 kernel: irq event stamp: 631984 Oct 18 21:41:17 dhcp47-74 kernel: hardirqs last enabled at (631984): [] _raw_spin_unlock_irq+0x30/0x50 Oct 18 21:41:17 dhcp47-74 kernel: hardirqs last disabled at (631983): [] _raw_spin_lock_irq+0x19/0x90 Oct 18 21:41:17 dhcp47-74 kernel: softirqs last enabled at (631980): [] _local_bh_enable+0x13/0x20 Oct 18 21:41:17 dhcp47-74 kernel: softirqs last disabled at (631981): [] call_softirq+0x1c/0x30 Oct 18 21:41:17 dhcp47-74 kernel: Oct 18 21:41:17 dhcp47-74 kernel: other info that might help us debug this: Oct 18 21:41:17 dhcp47-74 kernel: Possible unsafe locking scenario: Oct 18 21:41:17 dhcp47-74 kernel: Oct 18 21:41:17 dhcp47-74 kernel: CPU0 Oct 18 21:41:17 dhcp47-74 kernel: ---- Oct 18 21:41:17 dhcp47-74 kernel: lock(&(&xhci->lock)->rlock); Oct 18 21:41:17 dhcp47-74 kernel: Oct 18 21:41:17 dhcp47-74 kernel: lock(&(&xhci->lock)->rlock); Oct 18 21:41:17 dhcp47-74 kernel: Oct 18 21:41:17 dhcp47-74 kernel: *** DEADLOCK *** Oct 18 21:41:17 dhcp47-74 kernel: Oct 18 21:41:17 dhcp47-74 kernel: 1 lock held by swapper/0: Oct 18 21:41:17 dhcp47-74 kernel: #0: (&ep->stop_cmd_timer){+.-...}, at: [] run_timer_softirq+0x162/0x570 Oct 18 21:41:17 dhcp47-74 kernel: Oct 18 21:41:17 dhcp47-74 kernel: stack backtrace: Oct 18 21:41:17 dhcp47-74 kernel: Pid: 0, comm: swapper Tainted: G W 3.1.0-rc4nmi+ #456 Oct 18 21:41:17 dhcp47-74 kernel: Call Trace: Oct 18 21:41:17 dhcp47-74 kernel: [] print_usage_bug+0x227/0x270 Oct 18 21:41:17 dhcp47-74 kernel: [] mark_lock+0x346/0x410 Oct 18 21:41:17 dhcp47-74 kernel: [] __lock_acquire+0x61e/0x1660 Oct 18 21:41:17 dhcp47-74 kernel: [] ? mark_lock+0x213/0x410 Oct 18 21:41:17 dhcp47-74 kernel: [] lock_acquire+0x97/0x170 Oct 18 21:41:17 dhcp47-74 kernel: [] ? xhci_stop_endpoint_command_watchdog+0x30/0x340 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] _raw_spin_lock+0x46/0x80 Oct 18 21:41:17 dhcp47-74 kernel: [] ? xhci_stop_endpoint_command_watchdog+0x30/0x340 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] xhci_stop_endpoint_command_watchdog+0x30/0x340 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] ? run_timer_softirq+0x162/0x570 Oct 18 21:41:17 dhcp47-74 kernel: [] run_timer_softirq+0x20d/0x570 Oct 18 21:41:17 dhcp47-74 kernel: [] ? run_timer_softirq+0x162/0x570 Oct 18 21:41:17 dhcp47-74 kernel: [] ? xhci_queue_isoc_tx_prepare+0x8e0/0x8e0 [xhci_hcd] Oct 18 21:41:17 dhcp47-74 kernel: [] __do_softirq+0xf2/0x3f0 Oct 18 21:41:17 dhcp47-74 kernel: [] ? lapic_next_event+0x1d/0x30 Oct 18 21:41:17 dhcp47-74 kernel: [] ? clockevents_program_event+0x5e/0x90 Oct 18 21:41:17 dhcp47-74 kernel: [] call_softirq+0x1c/0x30 Oct 18 21:41:17 dhcp47-74 kernel: [] do_softirq+0x8d/0xc0 Oct 18 21:41:17 dhcp47-74 kernel: [] irq_exit+0xe5/0x100 Oct 18 21:41:17 dhcp47-74 kernel: [] smp_apic_timer_interrupt+0x6e/0x99 Oct 18 21:41:17 dhcp47-74 kernel: [] apic_timer_interrupt+0x70/0x80 Oct 18 21:41:17 dhcp47-74 kernel: [] ? trace_hardirqs_off+0xd/0x10 Oct 18 21:41:17 dhcp47-74 kernel: [] ? acpi_idle_enter_bm+0x227/0x25b Oct 18 21:41:17 dhcp47-74 kernel: [] ? acpi_idle_enter_bm+0x222/0x25b Oct 18 21:41:17 dhcp47-74 kernel: [] cpuidle_idle_call+0x103/0x290 Oct 18 21:41:17 dhcp47-74 kernel: [] cpu_idle+0xe5/0x160 Oct 18 21:41:17 dhcp47-74 kernel: [] rest_init+0xe0/0xf0 Oct 18 21:41:17 dhcp47-74 kernel: [] ? csum_partial_copy_generic+0x170/0x170 Oct 18 21:41:17 dhcp47-74 kernel: [] start_kernel+0x3fc/0x407 Oct 18 21:41:17 dhcp47-74 kernel: [] x86_64_start_reservations+0x131/0x135 Oct 18 21:41:17 dhcp47-74 kernel: [] x86_64_start_kernel+0xed/0xf4 Oct 18 21:41:17 dhcp47-74 kernel: xhci_hcd 0000:00:14.0: xHCI host not responding to stop endpoint command. Oct 18 21:41:17 dhcp47-74 kernel: xhci_hcd 0000:00:14.0: Assuming host is dying, halting host. Oct 18 21:41:17 dhcp47-74 kernel: xhci_hcd 0000:00:14.0: HC died; cleaning up Oct 18 21:41:17 dhcp47-74 kernel: usb 3-4: device descriptor read/8, error -110 Oct 18 21:41:17 dhcp47-74 kernel: usb 3-4: device descriptor read/8, error -22 Oct 18 21:41:17 dhcp47-74 kernel: hub 3-0:1.0: cannot disable port 4 (err = -19) Basically what is happening is in xhci_stop_endpoint_command_watchdog() the xhci->lock is grabbed with just spin_lock. What lockdep deduces is that if an interrupt occurred while in this function it would deadlock with xhci_irq because that function also grabs the xhci->lock. Fixing it is trivial by using spin_lock_irqsave instead. This should be queued to stable kernels as far back as 2.6.33. Signed-off-by: Don Zickus Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 88079a41ec43968a7be7d25f11de6d0ab3942b95 Author: Don Zickus Date: Thu Nov 3 09:07:18 2011 -0400 usb, xhci: Clear warm reset change event during init commit 79c3dd8150fd5236d95766a9e662e3e932b462c9 upstream. I noticed on my Panther Point system that I wasn't getting hotplug events for my usb3.0 disk on a usb3 port. I tracked it down to the fact that the system had the warm reset change bit still set. This seemed to block future events from being received, including a hotplug event. Clearing this bit during initialization allowed the hotplug event to be received and the disk to be recognized correctly. This patch should be backported to kernels as old as 2.6.39. Signed-off-by: Don Zickus Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 4e2b692943de7392100f3e1463522366f810ae83 Author: Sarah Sharp Date: Thu Nov 3 13:06:08 2011 -0700 xhci: Set slot and ep0 flags for address command. commit d31c285b3a71cf9056e6a060de41f37780b0af86 upstream. Matt's AsMedia xHCI host controller was responding with a Context Error to an address device command after a configured device reset. Some sequence of events leads both the slot and endpoint zero add flags cleared to zero, which the AsMedia host doesn't like: [ 223.701839] xhci_hcd 0000:03:00.0: Slot ID 1 Input Context: [ 223.701841] xhci_hcd 0000:03:00.0: @ffff880137b25000 (virt) @ffffc000 (dma) 0x000000 - drop flags [ 223.701843] xhci_hcd 0000:03:00.0: @ffff880137b25004 (virt) @ffffc004 (dma) 0x000000 - add flags [ 223.701846] xhci_hcd 0000:03:00.0: @ffff880137b25008 (virt) @ffffc008 (dma) 0x000000 - rsvd2[0] [ 223.701848] xhci_hcd 0000:03:00.0: @ffff880137b2500c (virt) @ffffc00c (dma) 0x000000 - rsvd2[1] [ 223.701850] xhci_hcd 0000:03:00.0: @ffff880137b25010 (virt) @ffffc010 (dma) 0x000000 - rsvd2[2] [ 223.701852] xhci_hcd 0000:03:00.0: @ffff880137b25014 (virt) @ffffc014 (dma) 0x000000 - rsvd2[3] [ 223.701854] xhci_hcd 0000:03:00.0: @ffff880137b25018 (virt) @ffffc018 (dma) 0x000000 - rsvd2[4] [ 223.701857] xhci_hcd 0000:03:00.0: @ffff880137b2501c (virt) @ffffc01c (dma) 0x000000 - rsvd2[5] [ 223.701858] xhci_hcd 0000:03:00.0: Slot Context: [ 223.701860] xhci_hcd 0000:03:00.0: @ffff880137b25020 (virt) @ffffc020 (dma) 0x8400000 - dev_info [ 223.701862] xhci_hcd 0000:03:00.0: @ffff880137b25024 (virt) @ffffc024 (dma) 0x010000 - dev_info2 [ 223.701864] xhci_hcd 0000:03:00.0: @ffff880137b25028 (virt) @ffffc028 (dma) 0x000000 - tt_info [ 223.701866] xhci_hcd 0000:03:00.0: @ffff880137b2502c (virt) @ffffc02c (dma) 0x000000 - dev_state [ 223.701869] xhci_hcd 0000:03:00.0: @ffff880137b25030 (virt) @ffffc030 (dma) 0x000000 - rsvd[0] [ 223.701871] xhci_hcd 0000:03:00.0: @ffff880137b25034 (virt) @ffffc034 (dma) 0x000000 - rsvd[1] [ 223.701873] xhci_hcd 0000:03:00.0: @ffff880137b25038 (virt) @ffffc038 (dma) 0x000000 - rsvd[2] [ 223.701875] xhci_hcd 0000:03:00.0: @ffff880137b2503c (virt) @ffffc03c (dma) 0x000000 - rsvd[3] [ 223.701877] xhci_hcd 0000:03:00.0: Endpoint 00 Context: [ 223.701879] xhci_hcd 0000:03:00.0: @ffff880137b25040 (virt) @ffffc040 (dma) 0x000000 - ep_info [ 223.701881] xhci_hcd 0000:03:00.0: @ffff880137b25044 (virt) @ffffc044 (dma) 0x2000026 - ep_info2 [ 223.701883] xhci_hcd 0000:03:00.0: @ffff880137b25048 (virt) @ffffc048 (dma) 0xffffe8e0 - deq [ 223.701885] xhci_hcd 0000:03:00.0: @ffff880137b25050 (virt) @ffffc050 (dma) 0x000000 - tx_info [ 223.701887] xhci_hcd 0000:03:00.0: @ffff880137b25054 (virt) @ffffc054 (dma) 0x000000 - rsvd[0] [ 223.701889] xhci_hcd 0000:03:00.0: @ffff880137b25058 (virt) @ffffc058 (dma) 0x000000 - rsvd[1] [ 223.701892] xhci_hcd 0000:03:00.0: @ffff880137b2505c (virt) @ffffc05c (dma) 0x000000 - rsvd[2] ... [ 223.701927] xhci_hcd 0000:03:00.0: // Ding dong! [ 223.701992] xhci_hcd 0000:03:00.0: Setup ERROR: address device command for slot 1. The xHCI spec says that both flags must be set to one for the Address Device command. When the device is first enumerated, xhci_setup_addressable_virt_dev() does set those flags. However, when the device is addressed after it has been reset in the configured state, xhci_setup_addressable_virt_dev() is not called, and xhci_copy_ep0_dequeue_into_input_ctx() is called instead. That function relies on the flags being set up by previous commands, which apparently isn't a good assumption. Move the setting of the flags into the common parent function. This should be queued for stable kernels as old as 2.6.35, since that was the first introduction of xhci_copy_ep0_dequeue_into_input_ctx. Signed-off-by: Sarah Sharp Tested-by: Matt Signed-off-by: Greg Kroah-Hartman commit 5bccc0d01594bef09e120a2fe3e1d48a1d74bcfe Author: Claudio Scordino Date: Thu Nov 17 11:08:32 2011 +0100 drivers/base/node.c: fix compilation error with older versions of gcc commit 91a13c281d7d4648c0b32dede11a0144c4e7984c upstream. Patch to fix the error message "directives may not be used inside a macro argument" which appears when the kernel is compiled for the cris architecture. Signed-off-by: Claudio Scordino Acked-by: David Rientjes Signed-off-by: Greg Kroah-Hartman commit c528b7244efaf55654b6a196234c1d3b43d29108 Author: Axel Lin Date: Mon Oct 31 10:20:28 2011 +0800 pcie-gadget-spear: Add "platform:" prefix for platform modalias commit 161f14191dc166c4e3f37f68af1bc199c6868b7d upstream. Since 43cc71eed1250755986da4c0f9898f9a635cb3bf (platform: prefix MODALIAS with "platform:"), the platform modalias is prefixed with "platform:". Signed-off-by: Axel Lin Acked-by: Pratyush Anand Signed-off-by: Greg Kroah-Hartman commit 46e18b7f722c2e4e9c4764774a2932debf35ece2 Author: Wu Fengguang Date: Tue Nov 22 16:58:35 2011 +0800 ALSA: hda - fix ELD memory leak Backported from commit b95d68b8179764e29558b75cec35ef4a6a98925b. memset(eld) clears eld->proc_entry which will leak the struct snd_info_entry when unloading module. Fix it by - memset only the fields before eld->eld_buffer - set eld->eld_valid to true _after_ all eld fields have been filled Cc: Pierre-louis Bossart Acked-by: Stephen Warren Signed-off-by: Wu Fengguang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0d2c754e96311f4968e13d1f1744b7c2e2ad3442 Author: Jeff Layton Date: Fri Nov 4 13:31:21 2011 -0400 nfs: when attempting to open a directory, fall back on normal lookup (try #5) commit 1788ea6e3b2a58cf4fb00206e362d9caff8d86a7 upstream. commit d953126 changed how nfs_atomic_lookup handles an -EISDIR return from an OPEN call. Prior to that patch, that caused the client to fall back to doing a normal lookup. When that patch went in, the code began returning that error to userspace. The d_revalidate codepath however never had the corresponding change, so it was still possible to end up with a NULL ctx->state pointer after that. That patch caused a regression. When we attempt to open a directory that does not have a cached dentry, that open now errors out with EISDIR. If you attempt the same open with a cached dentry, it will succeed. Fix this by reverting the change in nfs_atomic_lookup and allowing attempts to open directories to fall back to a normal lookup Also, add a NFSv4-specific f_ops->open routine that just returns -ENOTDIR. This should never be called if things are working properly, but if it ever is, then the dprintk may help in debugging. To facilitate this, a new file_operations field is also added to the nfs_rpc_ops struct. Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit e901cc458a35b928f240dd3c1e3a565bfb4efa90 Author: Jiri Slaby Date: Wed Nov 16 16:27:09 2011 +0100 TTY: ldisc, wait for ldisc infinitely in hangup commit 0c73c08ec73dbe080b9ec56696ee21d32754d918 upstream. For /dev/console case, we do not kill all ldisc users. It's due to redirected_tty_write test in __tty_hangup. In that case there still might be a process waiting e.g. in n_tty_read for input. We wait for such processes to disappear. The problem is that we use a timeout. After this timeout, we continue closing the ldisc and start freeing tty resources. It obviously leads to crashes when the other process is woken. So to fix this, we wait infinitely before reiniting the ldisc. (The tiocsetd remains untouched -- times out after 5s.) This is nicely reproducible with this run from shell: exec 0<>/dev/console 1<>/dev/console 2<>/dev/console and stopping a getty like: systemctl stop serial-getty@ttyS0.service The crash proper may be produced only under load or with constified timing the same as for 92f6fa09b. Signed-off-by: Jiri Slaby Cc: Dave Young Cc: Dave Jones Cc: Ben Hutchings Cc: Dmitriy Matrosov Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit bb4006e04c27d6204da8b535be575d71c265875d Author: Jiri Slaby Date: Wed Nov 16 16:27:08 2011 +0100 TTY: ldisc, move wait idle to caller commit 300420722e0734a4254f3b634e0f82664495d210 upstream. It is the only place where reinit is called from. And we really need to wait for the old ldisc to go once. Actually this is the place where the waiting originally was (before removed and re-added later). This will make the fix in the following patch easier to implement. Signed-off-by: Jiri Slaby Cc: Dave Young Cc: Dave Jones Cc: Ben Hutchings Cc: Dmitriy Matrosov Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit d21ada2ca367042fc5a1a11a2c2703e04c93211d Author: Jiri Slaby Date: Wed Nov 16 16:27:07 2011 +0100 TTY: ldisc, allow waiting for ldisc arbitrarily long commit df92d0561de364de53c42abc5d43e04ab6f326a5 upstream. To fix a nasty bug in ldisc hup vs. reinit we need to wait infinitely long for ldisc to be gone. So here we add a parameter to tty_ldisc_wait_idle to allow that. This is only a preparation for the real fix which is done in the following patches. Signed-off-by: Jiri Slaby Cc: Dave Young Cc: Dave Jones Cc: Ben Hutchings Cc: Dmitriy Matrosov Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 5a25cbde3ff3fafa1f48a00a37ed3fda278b5641 Author: Stephen Boyd Date: Tue Oct 25 19:19:43 2011 -0700 tty: hvc_dcc: Fix duplicate character inputs commit c2a3e84f950e7ddba1f3914b005861d46ae60359 upstream. Reading from the DCC grabs a character from the buffer and clears the status bit. Since this is a context-changing operation, instructions following the character read that rely on the status bit being accurate need to be synchronized with an ISB. In this case, the status bit check needs to execute after the character read otherwise we run the risk of reading the character and checking the status bit before the read can clear the status bit in the first place. When this happens, the user will see the same character they typed twice, instead of once. Add an ISB after the read and the write, so that the status check is synchronized with the read/write operations. Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 39e005fc9f29c3afc6eedb52cf02e7a3aec38c2f Author: Tomoya MORINAGA Date: Fri Oct 28 09:38:49 2011 +0900 pch_uart: Support new device LAPIS Semiconductor ML7831 IOH commit 8249f743f732ccbc3056428945ab1d9bd36d46bf upstream. ML7831 is companion chip for Intel Atom E6xx series. Signed-off-by: Tomoya MORINAGA Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 091fb7d008800a6e3d9831ace030af3370d3a307 Author: Tomoya MORINAGA Date: Fri Nov 11 10:55:27 2011 +0900 pch_uart: Fix DMA resource leak issue commit 90f04c2926cfb5bf74533b0a7766bc896f6a0c0e upstream. Changing UART mode PIO->DMA->PIO->DMA like below, pch_uart driver can't get DMA channel resource. setserial /dev/ttyPCH0 ^low_latency setserial /dev/ttyPCH0 low_latency CAUSE: Changing mode using setserial command, ".startup" function which gets DMA channel is called before ".verify_port" function which sets dma-flag(use_dma/use_dma_flag) as 1. PIO->DMA .startup: Since dma-flag is 0, DMA channel is not requested. .verify_port: dma-flag is set as 1. .shutdown: N/A DMA->PIO .startup: Since dma-flag is 1, DMA channel is requested. .verify_port: dma-flag is set as 0. .shutdown: Since dma-flag is 0, DMA channel is not released. This means DMA channel resource leak occurs. Next time, this driver can't get DMA channel resource forever. MODIFICATION: Currently, when release DMA channel resource, this driver checks dma-flag. However, this specification occurs the above issue. This driver must check whether dma_request_channel is executed or not. The values are saved in private data variable "chan_tx/chan_tx". These variables mean if the value is NULL, DMA channel is not requested, if not NULL, DMA channel is requested. This patch fixes the issue. Signed-off-by: Tomoya MORINAGA Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 81aaad2ca2193def671c16559a136b91d0d923f6 Author: Tomoya MORINAGA Date: Thu Oct 27 15:45:18 2011 +0900 pch_uart: Fix hw-flow control issue commit a1d7cfe29f13cf45f8094929864b9c66bf0cd91b upstream. Using hardware flow control, currently, register of the control-bit(AFE) is not set. This patch fixes the issue. Signed-off-by: Tomoya MORINAGA Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 9b0c37ef53515e6b88be1fae31e3e951911365ca Author: Tomoya MORINAGA Date: Fri Nov 11 10:12:18 2011 +0900 pch_phub: Fix MAC address writing issue for LAPIS ML7831 commit 2a9887919457c6e1bd482e8448223be59d19010a upstream. ISSUE: Using ML7831, MAC address writing doesn't work well. CAUSE: ML7831 and EG20T have the same register map for MAC address access. However, this driver processes the writing the same as ML7223. This is not true. This driver must process the writing the same as EG20T. This patch fixes the issue. Signed-off-by: Tomoya MORINAGA Cc: Masayuki Ohtak Cc: Alexander Stein Cc: Denis Turischev Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 94e595f0a54e30ea9622246faf8fd188f8868230 Author: Tomoya MORINAGA Date: Fri Oct 28 09:33:13 2011 +0900 pch_phub: Support new device LAPIS Semiconductor ML7831 IOH commit 584ad00ce4bfe594e4c4a89944b3c635187a1ca1 upstream. ML7831 is companion chip for Intel Atom E6xx series. Signed-off-by: Tomoya MORINAGA Signed-off-by: Greg Kroah-Hartman commit a896cd19d7569c9754a75fea01f4c68e355697af Author: Peter Chen Date: Tue Nov 15 21:52:29 2011 +0100 PM / driver core: disable device's runtime PM during shutdown commit af8db1508f2c9f3b6e633e2d2d906c6557c617f9 upstream. There may be an issue when the user issue "reboot/shutdown" command, then the device has shut down its hardware, after that, this runtime-pm featured device's driver will probably be scheduled to do its suspend routine, and at its suspend routine, it may access hardware, but the device has already shutdown physically, then the system hang may be occurred. I ran out this issue using an auto-suspend supported USB devices, like 3G modem, keyboard. The usb runtime suspend routine may be scheduled after the usb controller has been shut down, and the usb runtime suspend routine will try to suspend its roothub(controller), it will access register, then the system hang occurs as the controller is shutdown. Signed-off-by: Peter Chen Acked-by: Ming Lei Acked-by: Greg Kroah-Hartman Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 268cd0526224188d8d36b7071e0630ae145e88bc Author: Josh Boyer Date: Thu Nov 10 15:10:23 2011 +0000 ip6_tunnel: copy parms.name after register_netdevice commit 731abb9cb27aef6013ce60808a04e04a545f3f4e upstream. Commit 1c5cae815d removed an explicit call to dev_alloc_name in ip6_tnl_create because register_netdevice will now create a valid name. This works for the net_device itself. However the tunnel keeps a copy of the name in the parms structure for the ip6_tnl associated with the tunnel. parms.name is set by copying the net_device name in ip6_tnl_dev_init_gen. That function is called from ip6_tnl_dev_init in ip6_tnl_create, but it is done before register_netdevice is called so the name is set to a bogus value in the parms.name structure. This shows up if you do a simple tunnel add, followed by a tunnel show: [root@localhost ~]# ip -6 tunnel add remote fec0::100 local fec0::200 [root@localhost ~]# ip -6 tunnel show ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000) ip6tnl%d: ipv6/ipv6 remote fec0::100 local fec0::200 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000) [root@localhost ~]# Fix this by moving the strcpy out of ip6_tnl_dev_init_gen, and calling it after register_netdevice has successfully returned. Signed-off-by: Josh Boyer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1d8fdb8410ef5aca16ddf01c1176358c9154bcfa Author: Luis R. Rodriguez Date: Tue Nov 8 14:28:06 2011 -0800 cfg80211: fix bug on regulatory core exit on access to last_request commit 58ebacc66bd11be2327edcefc79de94bd6f5bb4a upstream. Commit 4d9d88d1 by Scott James Remnant added the .uevent() callback for the regulatory device used during the platform device registration. The change was done to account for queuing up udev change requests through udevadm triggers. The change also meant that upon regulatory core exit we will now send a uevent() but the uevent() callback, reg_device_uevent(), also accessed last_request. Right before commiting device suicide we free'd last_request but never set it to NULL so platform_device_unregister() would lead to bogus kernel paging request. Fix this and also simply supress uevents right before we commit suicide as they are pointless. This fix is required for kernels >= v2.6.39 $ git describe --contains 4d9d88d1 v2.6.39-rc1~468^2~25^2^2~21 The impact of not having this present is that a bogus paging access may occur (only read) upon cfg80211 unload time. You may also get this BUG complaint below. Although Johannes could not reproduce the issue this fix is theoretically correct. mac80211_hwsim: unregister radios mac80211_hwsim: closing netlink BUG: unable to handle kernel paging request at ffff88001a06b5ab IP: [] reg_device_uevent+0x1a/0x50 [cfg80211] PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC CPU 0 Modules linked in: cfg80211(-) [last unloaded: mac80211] Pid: 2279, comm: rmmod Tainted: G W 3.1.0-wl+ #663 Bochs Bochs RIP: 0010:[] [] reg_device_uevent+0x1a/0x50 [cfg80211] RSP: 0000:ffff88001c5f9d58 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0 RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0 R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001 FS: 00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780) Stack: ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820 ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189 Call Trace: [] dev_uevent+0xc5/0x170 [] kobject_uevent_env+0x1f7/0x490 [] ? sub_preempt_count+0x29/0x60 [] ? _raw_spin_unlock_irqrestore+0x4a/0x90 [] ? devres_release_all+0x27/0x60 [] kobject_uevent+0xb/0x10 [] device_del+0x157/0x1b0 [] platform_device_del+0x1d/0x90 [] platform_device_unregister+0x16/0x30 [] regulatory_exit+0x5d/0x180 [cfg80211] [] cfg80211_exit+0x2b/0x45 [cfg80211] [] sys_delete_module+0x16c/0x220 [] ? trace_hardirqs_on_caller+0x7e/0x120 [] system_call_fastpath+0x16/0x1b Code: RIP [] reg_device_uevent+0x1a/0x50 [cfg80211] RSP CR2: ffff88001a06b5ab ---[ end trace 147c5099a411e8c0 ]--- Reported-by: Johannes Berg Cc: Scott James Remnant Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2ebd38f358b941add49441bad15cb75217a0f08b Author: Johannes Berg Date: Thu Nov 3 09:27:01 2011 +0100 nl80211: fix HT capability attribute validation commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream. Since the NL80211_ATTR_HT_CAPABILITY attribute is used as a struct, it needs a minimum, not maximum length. Enforce that properly. Not doing so could potentially lead to reading after the buffer. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 76ba12ddde1d6d4694f6b887d960bb69d338cadf Author: Johannes Berg Date: Tue Nov 8 13:04:41 2011 +0100 mac80211: fix bug in ieee80211_build_probe_req commit 5b2bbf75a24d6b06afff6de0eb4819413fd81971 upstream. ieee80211_probereq_get() can return NULL in which case we should clean up & return NULL in ieee80211_build_probe_req() as well. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4a4d69f0ec7cf7afdcc4346cf6bc8d3835358df8 Author: Johannes Berg Date: Tue Nov 8 12:28:33 2011 +0100 mac80211: fix NULL dereference in radiotap code commit f8d1ccf15568268c76f913b45ecdd33134387f1a upstream. When receiving failed PLCP frames is enabled, there won't be a rate pointer when we add the radiotap header and thus the kernel will crash. Fix this by not assuming the rate pointer is always valid. It's still always valid for frames that have good PLCP though, and that is checked & enforced. This was broken by my commit fc88518916793af8ad6a02e05ff254d95c36d875 Author: Johannes Berg Date: Fri Jul 30 13:23:12 2010 +0200 mac80211: don't check rates on PLCP error frames where I removed the check in this case but didn't take into account that the rate info would be used. Reported-by: Xiaokang Qin Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7aa8983f0b2c57c25de227909072fe4f8edaa9ad Author: Gertjan van Wingerde Date: Sat Nov 12 19:10:44 2011 +0100 rt2x00: Fix sleep-while-atomic bug in powersaving code. commit ed66ba472a742cd8df37d7072804b2111cdb1014 upstream. The generic powersaving code that determines after reception of a frame whether the device should go back to sleep or whether is could stay awake was calling rt2x00lib_config directly from RX tasklet context. On a number of the devices this call can actually sleep, due to having to confirm that the sleeping commands have been executed successfully. Fix this by moving the call to rt2x00lib_config to a workqueue call. This fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=731672 Tested-by: Tomas Trnka Signed-off-by: Gertjan van Wingerde Acked-by: Ivo van Doorn Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b426a8365ad707b0f700923a5c464c3b7fed234a Author: Jesper Juhl Date: Sun Nov 13 22:14:32 2011 +0100 Net, libertas: Resolve memory leak in if_spi_host_to_card() commit fe09b32a4361bea44169b2063e8c867cabb6a8ba upstream. If we hit the default case in the switch in if_spi_host_to_card() we'll leak the memory we allocated for 'packet'. This patch resolves the leak by freeing the allocated memory in that case. Signed-off-by: Jesper Juhl Acked-by: Dan Williams Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 92fd7a89888fc223337fe5fd5dc83b79e1174340 Author: Catalin Marinas Date: Mon Nov 7 18:05:53 2011 +0100 ARM: 7150/1: Allow kernel unaligned accesses on ARMv6+ processors commit 8428e84d42179c2a00f5f6450866e70d802d1d05 upstream. Recent gcc versions generate unaligned accesses by default on ARMv6 and later processors. This patch ensures that the SCTLR.A bit is always cleared on such processors to avoid kernel traping before alignment_init() is called. Signed-off-by: Catalin Marinas Tested-by: John Linn Acked-by: Nicolas Pitre Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 57a3b9c22b828434d282b6f7a29d39a65d964b49 Author: Cornelia Huck Date: Thu Nov 17 11:00:41 2011 +0100 KVM: s390: Fix RUNNING flag misinterpretation commit 9e6dabeffd1d0ec2aa19aa076c4886067238d442 upstream. CPUSTAT_RUNNING was implemented signifying that a vcpu is not stopped. This is not, however, what the architecture says: RUNNING should be set when the host is acting on the behalf of the guest operating system. CPUSTAT_RUNNING has been changed to be set in kvm_arch_vcpu_load() and to be unset in kvm_arch_vcpu_put(). For signifying stopped state of a vcpu, a host-controlled bit has been used and is set/unset basically on the reverse as the old CPUSTAT_RUNNING bit (including pushing it down into stop handling proper in handle_stop()). Signed-off-by: Cornelia Huck Signed-off-by: Carsten Otte Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 97e14e742aa276048fa3b5456abec665799e25c0 Author: Tony Jago Date: Fri Aug 12 00:19:11 2011 -0300 saa7164: Add support for another HVR2200 hardware revision commit 62dd28d0c659db29bdb89cfe9f0aefe42f0adfe9 upstream. Hauppauge have released a new model rev, sub id 8940, this adds support. [stoth@kernellabs.com: I modified Tony's patch slightly in relation to the card numbering in saa7164.h, appending rather than inserting the new card - normal practise] Signed-off-by: Tony Jago Signed-off-by: Steven Toth Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Stefan Bader Signed-off-by: Greg Kroah-Hartman commit 49d1df8852cb97340c7b0fa31f4aa9be6ec8b759 Author: Vasily Averin Date: Fri Nov 11 13:42:16 2011 +0400 aacraid: controller hangs if kernel uses non-default ASPM policy commit cf16123c9c8e346ed1dd171295a678d77648d7f8 upstream. Aacraid controller can hang on some nodes if kernel uses non-default (powersave) ASPM policy. Controller hangs shortly after successful load and hardware detection. Scsi error handler detects this hang and tries to restart hardware but it does not help. Initially it was noticed on RHEL6-based openVZ kernel after backporting aacraid driver from mainline (RHEL6 kernel with original driver works well) http://bugzilla.openvz.org/show_bug.cgi?id=2043 This issue happens because default ASPM policy was changed in Red Hat kernels. Therefore guys from Red Hat have noticed this problem long time ago: on Fedora 12 https://bugzilla.redhat.com/show_bug.cgi?id=540478 on Fedora 14 https://bugzilla.redhat.com/show_bug.cgi?id=679385 In RHEL6 kernel this issue was fixed, ASPM was disabled in aacraid driver. In kernel changelog I've found that seems it was done by Matthew Garrett: - [scsi] aacraid: Disable ASPM by default (Matthew Garrett) [599735] However seems this patch was not submitted to mainline. I've reproduced this issue on vanilla 3.1.0 kernel booted with "pcie_aspm.policy=powersave" option, So I believe it makes sense to do it now. Signed-off-by: Vasily Averin [mjg: Checking the Windows drivers indicates that they disable ASPM under all circumstances, so:] Acked-by: Matthew Garrett Acked-by: Achim Leubner Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 611397f62fe6879f675587e62aa44b5a2a251569 Author: Matthew Garrett Date: Fri Nov 11 11:14:23 2011 -0500 hpsa: Disable ASPM commit e5a44df85e8d78e5c2d3d2e4f59b460905691e2f upstream. The Windows driver .inf disables ASPM on hpsa devices. Do the same because the selection of a non default ASPM policy can cause the device to hang. Signed-off-by: Matthew Garrett Acked-by: Mike Miller Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit bf6f111b5e891b4cfbd4f966488fd824543ba2aa Author: James Bottomley Date: Mon Nov 7 08:51:24 2011 -0600 fix WARNING: at drivers/scsi/scsi_lib.c:1704 commit 4e6c82b3614a18740ef63109d58743a359266daf upstream. On Mon, 2011-11-07 at 17:24 +1100, Stephen Rothwell wrote: > Hi all, > > Starting some time last week I am getting the following during boot on > our PPC970 blade: > > calling .ipr_init+0x0/0x68 @ 1 > ipr: IBM Power RAID SCSI Device Driver version: 2.5.2 (April 27, 2011) > ipr 0000:01:01.0: Found IOA with IRQ: 26 > ipr 0000:01:01.0: Starting IOA initialization sequence. > ipr 0000:01:01.0: Adapter firmware version: 06160039 > ipr 0000:01:01.0: IOA initialized. > scsi0 : IBM 572E Storage Adapter > ------------[ cut here ]------------ > WARNING: at drivers/scsi/scsi_lib.c:1704 > Modules linked in: > NIP: c00000000053b3d4 LR: c00000000053e5b0 CTR: c000000000541d70 > REGS: c0000000783c2f60 TRAP: 0700 Not tainted (3.1.0-autokern1) > MSR: 8000000000029032 CR: 24002024 XER: 20000002 > TASK = c0000000783b8000[1] 'swapper' THREAD: c0000000783c0000 CPU: 0 > GPR00: 0000000000000001 c0000000783c31e0 c000000000cf38b0 c00000000239a9d0 > GPR04: c000000000cbe8f8 0000000000000000 c0000000783c3040 0000000000000000 > GPR08: c000000075daf488 c000000078a3b7ff c000000000bcacc8 0000000000000000 > GPR12: 0000000044002028 c000000007ffb000 0000000002e40000 000000000099b800 > GPR16: 0000000000000000 c000000000bba5fc c000000000a61db8 0000000000000000 > GPR20: 0000000001b77200 0000000000000000 c000000078990000 0000000000000001 > GPR24: c000000002396828 0000000000000000 0000000000000000 c000000078a3b938 > GPR28: fffffffffffffffa c0000000008ad2c0 c000000000c7faa8 c00000000239a9d0 > NIP [c00000000053b3d4] .scsi_free_queue+0x24/0x90 > LR [c00000000053e5b0] .scsi_alloc_sdev+0x280/0x2e0 > Call Trace: > [c0000000783c31e0] [c000000000c7faa8] wireless_seq_fops+0x278d0/0x2eb88 (unreliable) > [c0000000783c3270] [c00000000053e5b0] .scsi_alloc_sdev+0x280/0x2e0 > [c0000000783c3330] [c00000000053eba0] .scsi_probe_and_add_lun+0x390/0xb40 > [c0000000783c34a0] [c00000000053f7ec] .__scsi_scan_target+0x16c/0x650 > [c0000000783c35f0] [c00000000053fd90] .scsi_scan_channel+0xc0/0x100 > [c0000000783c36a0] [c00000000053fefc] .scsi_scan_host_selected+0x12c/0x1c0 > [c0000000783c3750] [c00000000083dcb4] .ipr_probe+0x2c0/0x390 > [c0000000783c3830] [c0000000003f50b4] .local_pci_probe+0x34/0x50 > [c0000000783c38a0] [c0000000003f5f78] .pci_device_probe+0x148/0x150 > [c0000000783c3950] [c0000000004e1e8c] .driver_probe_device+0xdc/0x210 > [c0000000783c39f0] [c0000000004e20cc] .__driver_attach+0x10c/0x110 > [c0000000783c3a80] [c0000000004e1228] .bus_for_each_dev+0x98/0xf0 > [c0000000783c3b30] [c0000000004e1bf8] .driver_attach+0x28/0x40 > [c0000000783c3bb0] [c0000000004e07d8] .bus_add_driver+0x218/0x340 > [c0000000783c3c60] [c0000000004e2a2c] .driver_register+0x9c/0x1b0 > [c0000000783c3d00] [c0000000003f62d4] .__pci_register_driver+0x64/0x140 > [c0000000783c3da0] [c000000000b99f88] .ipr_init+0x4c/0x68 > [c0000000783c3e20] [c00000000000ad24] .do_one_initcall+0x1a4/0x1e0 > [c0000000783c3ee0] [c000000000b512d0] .kernel_init+0x14c/0x1fc > [c0000000783c3f90] [c000000000022468] .kernel_thread+0x54/0x70 > Instruction dump: > ebe1fff8 7c0803a6 4e800020 7c0802a6 fba1ffe8 fbe1fff8 7c7f1b78 f8010010 > f821ff71 e8030398 3120ffff 7c090110 <0b000000> e86303b0 482de065 60000000 > ---[ end trace 759bed76a85e8dec ]--- > scsi 0:0:1:0: Direct-Access IBM-ESXS MAY2036RC T106 PQ: 0 ANSI: 5 > ------------[ cut here ]------------ > > I get lots more of these. The obvious commit to point the finger at > is 3308511c93e6 ("[SCSI] Make scsi_free_queue() kill pending SCSI > commands") but the root cause may be something different. Caused by commit f7c9c6bb14f3104608a3a83cadea10a6943d2804 Author: Anton Blanchard Date: Thu Nov 3 08:56:22 2011 +1100 [SCSI] Fix block queue and elevator memory leak in scsi_alloc_sdev Doesn't completely do the teardown. The true fix is to do a proper teardown instead of hand rolling it Reported-by: Stephen Rothwell Tested-by: Stephen Rothwell Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit ea054a92dcd97d4f26694f7535912fc82bf0e7a9 Author: Takashi Iwai Date: Wed Nov 16 18:05:11 2011 +0100 ALSA: hda - Fix the connection selection of ADCs on Cirrus codecs commit 05ee7964a470d29889ac48cc8274c1b5a1904a11 upstream. spec->cur_adc isn't set until cs_capture_pcm_prepare() is called although the driver tries to select the connection at init time and at auto-mic switch. This results in the access to the widget NID 0, which is obviously invalid, also a wrong capture source. This patch fixes the issue by issuing the connect-select verb conditionally at appropriate places. Reported-and-tested-by: Dylan Reid Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d6b8bd1b2d0950cd59f52d260bc7e97b04600b94 Author: Edward Donovan Date: Tue Nov 1 15:29:44 2011 -0400 genirq: Fix irqfixup, irqpoll regression commit c75d720fca8a91ce99196d33adea383621027bf2 upstream. commit d05c65fff0 ("genirq: spurious: Run only one poller at a time") introduced a regression, leaving the boot options 'irqfixup' and 'irqpoll' non-functional. The patch placed tests in each function, to exit if the function is already running. The test in 'misrouted_irq' exited when it should have proceeded, effectively disabling 'misrouted_irq' and 'poll_spurious_irqs'. The check for an already running poller needs to be "!= 1" not "== 1" as "1" is the value when the first poller starts running. Signed-off-by: Edward Donovan Cc: maciej.rutecki@gmail.com Link: http://lkml.kernel.org/r/1320175784-6745-1-git-send-email-edward.donovan@numble.net Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit a6253934bbe858fca204c0b41fa9cddb6f80ab2d Author: Greg Kroah-Hartman Date: Mon Nov 21 14:47:46 2011 -0800 Linux 3.1.2 commit 742b42b9e87b64b2d2b54826dd3761897e71502d Author: Ben Hutchings Date: Sun Nov 13 19:58:09 2011 +0100 block: Always check length of all iov entries in blk_rq_map_user_iov() commit 6b76106d8ef31111d6fc469564b83b5f5542794f upstream. Even after commit 5478755616ae2ef1ce144dded589b62b2a50d575 ("block: check for proper length of iov entries earlier ...") we still won't check for zero-length entries after an unaligned entry. Remove the break-statement, so all entries are checked. Signed-off-by: Ben Hutchings Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 5831e11b2e21372bf384ecc9ee3398fe5b8eaf6a Author: Rabin Vincent Date: Fri Nov 11 13:29:04 2011 +0100 backing-dev: ensure wakeup_timer is deleted commit 7a401a972df8e184b3d1a3fc958c0a4ddee8d312 upstream. bdi_prune_sb() in bdi_unregister() attempts to removes the bdi links from all super_blocks and then del_timer_sync() the writeback timer. However, this can race with __mark_inode_dirty(), leading to bdi_wakeup_thread_delayed() rearming the writeback timer on the bdi we're unregistering, after we've called del_timer_sync(). This can end up with the bdi being freed with an active timer inside it, as in the case of the following dump after the removal of an SD card. Fix this by redoing the del_timer_sync() in bdi_destory(). ------------[ cut here ]------------ WARNING: at /home/rabin/kernel/arm/lib/debugobjects.c:262 debug_print_object+0x9c/0xc8() ODEBUG: free active (active state 0) object type: timer_list hint: wakeup_timer_fn+0x0/0x180 Modules linked in: Backtrace: [] (dump_backtrace+0x0/0x110) from [] (dump_stack+0x18/0x1c) r6:c02bc638 r5:00000106 r4:c79f5d18 r3:00000000 [] (dump_stack+0x0/0x1c) from [] (warn_slowpath_common+0x54/0x6c) [] (warn_slowpath_common+0x0/0x6c) from [] (warn_slowpath_fmt+0x38/0x40) r8:20000013 r7:c780c6f0 r6:c031613c r5:c780c6f0 r4:c02b1b29 r3:00000009 [] (warn_slowpath_fmt+0x0/0x40) from [] (debug_print_object+0x9c/0xc8) r3:c02b1b29 r2:c02bc662 [] (debug_print_object+0x0/0xc8) from [] (debug_check_no_obj_freed+0xac/0x1dc) r6:c7964000 r5:00000001 r4:c7964000 [] (debug_check_no_obj_freed+0x0/0x1dc) from [] (kmem_cache_free+0x88/0x1f8) [] (kmem_cache_free+0x0/0x1f8) from [] (blk_release_queue+0x70/0x78) [] (blk_release_queue+0x0/0x78) from [] (kobject_release+0x70/0x84) r5:c79641f0 r4:c796420c [] (kobject_release+0x0/0x84) from [] (kref_put+0x68/0x80) r7:00000083 r6:c74083d0 r5:c015289c r4:c796420c [] (kref_put+0x0/0x80) from [] (kobject_put+0x48/0x5c) r5:c79643b4 r4:c79641f0 [] (kobject_put+0x0/0x5c) from [] (blk_cleanup_queue+0x68/0x74) r4:c7964000 [] (blk_cleanup_queue+0x0/0x74) from [] (mmc_blk_put+0x78/0xe8) r5:00000000 r4:c794c400 [] (mmc_blk_put+0x0/0xe8) from [] (mmc_blk_release+0x24/0x38) r5:c794c400 r4:c0322824 [] (mmc_blk_release+0x0/0x38) from [] (__blkdev_put+0xe8/0x170) r5:c78d5e00 r4:c74083c0 [] (__blkdev_put+0x0/0x170) from [] (blkdev_put+0x11c/0x12c) r8:c79f5f70 r7:00000001 r6:c74083d0 r5:00000083 r4:c74083c0 r3:00000000 [] (blkdev_put+0x0/0x12c) from [] (kill_block_super+0x60/0x6c) r7:c7942300 r6:c79f4000 r5:00000083 r4:c74083c0 [] (kill_block_super+0x0/0x6c) from [] (deactivate_locked_super+0x44/0x70) r6:c79f4000 r5:c031af64 r4:c794dc00 r3:c00b06c4 [] (deactivate_locked_super+0x0/0x70) from [] (deactivate_super+0x6c/0x70) r5:c794dc00 r4:c794dc00 [] (deactivate_super+0x0/0x70) from [] (mntput_no_expire+0x188/0x194) r5:c794dc00 r4:c7942300 [] (mntput_no_expire+0x0/0x194) from [] (sys_umount+0x2e4/0x310) r6:c7942300 r5:00000000 r4:00000000 r3:00000000 [] (sys_umount+0x0/0x310) from [] (ret_fast_syscall+0x0/0x30) ---[ end trace e5c83c92ada51c76 ]--- Signed-off-by: Rabin Vincent Signed-off-by: Linus Walleij Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3549966c02c99f02ac0dd74364a4e795296d6d7e Author: Anton Blanchard Date: Mon Nov 14 12:54:47 2011 +0000 powerpc: Copy down exception vectors after feature fixups commit d715e433b7ad19c02fc4becf0d5e9a59f97925de upstream. kdump fails because we try to execute an HV only instruction. Feature fixups are being applied after we copy the exception vectors down to 0 so they miss out on any updates. We have always had this issue but it only became critical in v3.0 when we added CFAR support (breaks POWER5) and v3.1 when we added POWERNV (breaks everyone). Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit fed595473900bb9cdaf88cb56eb01b07f771f14f Author: Michael Neuling Date: Wed Nov 9 20:39:49 2011 +0000 powerpc: Add hvcall.h include to book3s_hv.c commit de1d9248eadd27539eba449b4d09428252e80c04 upstream. If you build with KVM and UP it fails with the following due to a missing include. /arch/powerpc/kvm/book3s_hv.c: In function 'do_h_register_vpa': arch/powerpc/kvm/book3s_hv.c:156:10: error: 'H_PARAMETER' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:156:10: note: each undeclared identifier is reported only once for each function it appears in arch/powerpc/kvm/book3s_hv.c:192:12: error: 'H_RESOURCE' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:222:9: error: 'H_SUCCESS' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c: In function 'kvmppc_pseries_do_hcall': arch/powerpc/kvm/book3s_hv.c:228:30: error: 'H_SUCCESS' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:232:7: error: 'H_CEDE' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:234:7: error: 'H_PROD' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:238:10: error: 'H_PARAMETER' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:250:7: error: 'H_CONFER' undeclared (first use in this function) arch/powerpc/kvm/book3s_hv.c:252:7: error: 'H_REGISTER_VPA' undeclared (first use in this function) make[2]: *** [arch/powerpc/kvm/book3s_hv.o] Error 1 Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 9c24bb2008643ecd7588a20fd5ac7e8491f7c5d4 Author: Geoff Levand Date: Tue Nov 8 12:37:26 2011 +0000 powerpc/ps3: Fix lost SMP IPIs commit 72f3bea075287785ed32b777b6dd2636aa7002e8 upstream. Fixes the PS3 bootup hang introduced in 3.0-rc1 by: commit 317f394160e9beb97d19a84c39b7e5eb3d7815a sched: Move the second half of ttwu() to the remote cpu Move the PS3's LV1 EOI call lv1_end_of_interrupt_ext() from ps3_chip_eoi() to ps3_get_irq() for IPI messages. If lv1_send_event_locally() is called between a previous call to lv1_send_event_locally() and the coresponding call to lv1_end_of_interrupt_ext() the second event will not be delivered to the target cpu. The PS3's SMP IPIs are implemented using lv1_send_event_locally(), so if two IPI messages of the same type are sent to the same target in a relatively short period of time the second IPI event can become lost when lv1_end_of_interrupt_ext() is called from ps3_chip_eoi(). Signed-off-by: Geoff Levand Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 8bb72ab63d58957270b2dc31e6c9bcfa38470d2c Author: Dan Carpenter Date: Fri Nov 4 21:24:36 2011 +0300 xen-gntalloc: signedness bug in add_grefs() commit 99cb2ddcc617f43917e94a4147aa3ccdb2bcd77e upstream. gref->gref_id is unsigned so the error handling didn't work. gnttab_grant_foreign_access() returns an int type, so we can add a cast here, and it doesn't cause any problems. gnttab_grant_foreign_access() can return a variety of errors including -ENOSPC, -ENOSYS and -ENOMEM. Signed-off-by: Dan Carpenter Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 1b4f3a211878328065ee7ae79a380241bedaef5a Author: Dan Carpenter Date: Fri Nov 4 21:24:08 2011 +0300 xen-gntalloc: integer overflow in gntalloc_ioctl_alloc() commit 21643e69a4c06f7ef155fbc70e3fba13fba4a756 upstream. On 32 bit systems a high value of op.count could lead to an integer overflow in the kzalloc() and gref_ids would be smaller than expected. If the you triggered another integer overflow in "if (gref_size + op.count > limit)" then you'd probably get memory corruption inside add_grefs(). Signed-off-by: Dan Carpenter Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 14fa9e2f0916742bf436e84895a3523551d325f5 Author: Zhenzhong Duan Date: Thu Oct 27 22:28:59 2011 -0700 xen:pvhvm: enable PVHVM VCPU placement when using more than 32 CPUs. commit 90d4f5534d14815bd94c10e8ceccc57287657ecc upstream. PVHVM running with more than 32 vcpus and pv_irq/pv_time enabled need VCPU placement to work, or else it will softlockup. Acked-by: Stefano Stabellini Signed-off-by: Zhenzhong Duan Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 19340174d730574e9a6c119d1c9c6cbb501165a8 Author: Thomas Weber Date: Mon Sep 5 11:26:33 2011 +0200 mfd: Fix twl4030 dependencies for audio codec commit f09ee0451a44a4e913a7c3cec3805508f7de6c54 upstream. The codec for Devkit8000 (TWL4030) was not detected except when build with CONFIG_SND_SOC_ALL_CODECS. twl-core.c still uses the CONFIG_TWL4030_CODEC for twl_has_codec(). In commit 57fe7251f5bfc4332f24479376de48a1e8ca6211 the CONFIG_TWL4030_CODEC was renamed into CONFIG_MFD_TWL4030_AUDIO, thatswhy the codec was not detected. This patch renames the CONFIG_ TWL4030_CODEC into CONFIG_MFD_TWL4030_AUDIO in twl-core.c. Signed-off-by: Thomas Weber Acked-by: Peter Ujfalusi Signed-off-by: Samuel Ortiz Cc: Jarkko Nikula Signed-off-by: Greg Kroah-Hartman commit 261a21ff99fb3cef1958b30e4456866ec4427b5b Author: Rafał Miłecki Date: Tue Nov 8 17:15:03 2011 +0100 b43: refuse to load unsupported firmware [This patch is supposed to be applied in 3.1 (and maybe older) branches only.] New kernels support newer firmware that users may try to incorrectly use with older kernels. Display error and explain the problem in such a case Signed-off-by: Rafał Miłecki Signed-off-by: Greg Kroah-Hartman commit 7608d6b743d5347a01d0afc1b2f8f863a21ebb01 Author: Arend van Spriel Date: Tue Aug 23 14:14:00 2011 +0200 staging: brcm80211: fill in proper rx rate in mac80211 rx status commit 5a84d6ad4c9306afb467a600a4c6d7b50da49440 upstream. The brcmsmac driver supports different rates on 5GHz but this is not taken into account when providing the rate index in the receive status information passed to mac80211. Reviewed-by: Roland Vossen Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Henry Ptasinski Signed-off-by: Arend van Spriel Signed-off-by: Greg Kroah-Hartman commit e7829936ef31adc774aecf5f35037725b6c0e29b Author: Alex Deucher Date: Mon Nov 14 09:33:56 2011 -0500 drm/radeon: add some missing FireMV pci ids commit b872a37437e93df9d112ce674752b3b3a0a17020 upstream. Noticed by Egbert. Signed-off-by: Alex Deucher Cc: Egbert Eich Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 1c08c931337ba435bf9140f43a20b26e64085cea Author: Johan Hovold Date: Tue Nov 15 14:35:52 2011 -0800 Revert "leds: save the delay values after a successful call to blink_set()" commit cb871513f656bdfc48b185b55f37857b5c750c40 upstream. Revert commit 6123b0e274503a0d3588e84fbe07c9aa01bfaf5d. The problem this patch intends to solve has alreadqy been fixed by commit 7a5caabd090b ("drivers/leds/ledtrig-timer.c: fix broken sysfs delay handling"). Signed-off-by: Johan Hovold Cc: Antonio Ospite Cc: Johannes Berg Cc: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b8988229c7eed0ac7967fa212a2a3a5c832e7902 Author: Dan Carpenter Date: Mon Nov 14 17:52:08 2011 +0300 hfs: add sanity check for file name length commit bc5b8a9003132ae44559edd63a1623b7b99dfb68 upstream. On a corrupted file system the ->len field could be wrong leading to a buffer overflow. Reported-and-acked-by: Clement LECIGNE Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d18c0efc9b76aad26000bb562037a9b675f1c0ae Author: David Howells Date: Tue Nov 15 22:09:45 2011 +0000 KEYS: Fix a NULL pointer deref in the user-defined key type commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b upstream. Fix a NULL pointer deref in the user-defined key type whereby updating a negative key into a fully instantiated key will cause an oops to occur when the code attempts to free the non-existent old payload. This results in an oops that looks something like the following: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [] __call_rcu+0x11/0x13e PGD 3391d067 PUD 3894a067 PMD 0 Oops: 0002 [#1] SMP CPU 1 Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY RIP: 0010:[] [] __call_rcu+0x11/0x13e RSP: 0018:ffff88003d591df8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538 R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908 FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040) Stack: ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50 ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0 Call Trace: [] call_rcu_sched+0x10/0x12 [] user_update+0x8d/0xa2 [] key_create_or_update+0x236/0x270 [] sys_add_key+0x123/0x17e [] system_call_fastpath+0x16/0x1b Signed-off-by: David Howells Acked-by: Jeff Layton Acked-by: Neil Horman Acked-by: Steve Dickson Acked-by: James Morris Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f80f33817c973746ca0187713404461b80ef5d2d Author: Takashi Iwai Date: Tue Nov 8 17:50:27 2011 +0100 ALSA: usb-audio - Fix the missing volume quirks at delayed init commit dcaaf9f2c16b56f8bb316881fcd3f15c18fc71e7 upstream. In the recent usb-audio driver, the initialization of volume ranges may be delayed when the device doesn't respond well at the probing time. But the volume quirks for certain devices are applied only in mixer_ctl_feature_info() thus only at the very first probe and will be missing when the volume range is initialized later. This patch moves the volume quirk code to be always called from the volume-range extraction (get_min_max()), so that the quirks are properly applied in the later init time. Reported-and-tested-by: Alexey Fisher Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3485c041be44cfcbe8681a9d79f16d9aaac17529 Author: Takashi Iwai Date: Fri Aug 19 08:30:53 2011 +0200 ALSA: usb-audio - Check the dB-range validity in the later read, too commit 9fcd0ab130579d9742538340edda3225f2b49a3e upstream. When the initial check of dB-range failed due to the read error, try to check again at the later read, too. When an invalid dB range is found, remove TLV flags and notify the mixer info change. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d047c6e8a7bfa830bca0741a0e38b1edc42b13b7 Author: Alex Deucher Date: Tue Nov 8 10:09:58 2011 -0500 drm/radeon/kms: make an aux failure debug only commit 091264f0bc12419560ac64fcef4567809d611658 upstream. Can happen when there is no DP panel attached, confusing users. Make it debug only. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 68e7aac26cb758d7417d6689f35f2edba6f18751 Author: Marcin Slusarz Date: Fri Sep 9 14:16:42 2011 +0200 drm/nouveau: initialize chan->fence.lock before use commit 5e60ee780e792efe6dce97eceb110b1d30bab850 upstream. Fence lock needs to be initialized before any call to nouveau_channel_put because it calls nouveau_channel_idle->nouveau_fence_update which uses fence lock. BUG: spinlock bad magic on CPU#0, test/24134 lock: ffff88019f90dba8, .magic: 00000000, .owner: /-1, .owner_cpu: 0 Pid: 24134, comm: test Not tainted 3.0.0-nv+ #800 Call Trace: spin_bug+0x9c/0xa3 do_raw_spin_lock+0x29/0x13c _raw_spin_lock+0x1e/0x22 nouveau_fence_update+0x2d/0xf1 nouveau_channel_idle+0x22/0xa0 nouveau_channel_put_unlocked+0x84/0x1bd nouveau_channel_put+0x20/0x24 nouveau_channel_alloc+0x4ec/0x585 nouveau_ioctl_fifo_alloc+0x50/0x130 drm_ioctl+0x289/0x361 do_vfs_ioctl+0x4dd/0x52c sys_ioctl+0x42/0x65 system_call_fastpath+0x16/0x1b It's easily triggerable from userspace. Additionally remove double initialization of chan->fence.pending. Signed-off-by: Marcin Slusarz Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 650dd7ecc14205705292eb95fe73c2d2a1db3173 Author: Eric Anholt Date: Mon Oct 31 23:16:21 2011 -0700 drm/i915: Fix object refcount leak on mmappable size limit error path. commit 14660ccd599dc7bd6ecef17408bd76dc853f9b77 upstream. I've been seeing memory leaks on my system in the form of large (300-400MB) GEM objects created by now-dead processes laying around clogging up memory. I usually notice when it gets to about 1.2GB of them. Hopefully this clears up the issue, but I just found this bug by inspection. Signed-off-by: Eric Anholt Signed-off-by: Keith Packard Signed-off-by: Greg Kroah-Hartman commit aa85ae0189ef4d47456fa03a65359a7f81eabbed Author: Nobuhiro Iwamatsu Date: Fri Nov 4 22:13:50 2011 +0900 sh: Fix cached/uncaced address calculation in 29bit mode commit dfd3b596fbbfa48b8e7966ef996d587157554b69 upstream. In the case of 29bit mode, CAC/UNCAC_ADDR does not return a right address. This revises this problem by using P1SEGADDR and P2SEGADDR in 29bit mode. Reported-by: Yutaro Ebihara Signed-off-by: Nobuhiro Iwamatsu Tested-by: Kuninori Morimoto Tested-by: Simon Horman Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit d8f0e58a227e8659a357e12f0774ea63e36fd453 Author: Mark Brown Date: Fri Nov 4 15:52:31 2011 +0000 ASoC: Don't use wm8994->control_data in wm8994_readable_register() commit 8eeea521d9d0fa6afd62df8c6e6566ee946117fa upstream. The field is no longer initialised so this will crash if running on wm8958. Reported-by: Thomas Abraham Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit cf80307d470c66deaba601f9b55b617ca7ffc457 Author: Jochen Friedrich Date: Tue Oct 25 20:51:06 2011 +0200 ARM: at91: Fix USBA gadget registration commit dd0b3825495a2e7a8cd6cf0ec077618c008ac7c4 upstream. Since 193ab2a6070039e7ee2b9b9bebea754a7c52fd1b, various AT91 boards don't register USBA adapters anymore due to depending on a now non-existing symbol. Fix the symbol name. Signed-off-by: Jochen Friedrich Acked-by: Nicolas Ferre Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Greg Kroah-Hartman commit 4dc48eb2dd088717e59911663383bf79e1aa33a6 Author: Michael S. Tsirkin Date: Mon Nov 7 18:37:05 2011 +0200 virtio-pci: fix use after free commit 72103bd1285211440621f2c46f4fce377584de54 upstream. Commit 31a3ddda166cda86d2b5111e09ba4bda5239fae6 introduced a use after free in virtio-pci. The main issue is that the release method signals removal of the virtio device, while remove signals removal of the pci device. For example, on driver removal or hot-unplug, virtio_pci_release_dev is called before virtio_pci_remove. We then might get a crash as virtio_pci_remove tries to use the device freed by virtio_pci_release_dev. We allocate/free all resources together with the pci device, so we can leave the release method empty. Signed-off-by: Michael S. Tsirkin Acked-by: Amit Shah Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit 435dc21f524e0496863a82104ccec0eea8e3ddff Author: Takashi Iwai Date: Thu Nov 10 12:28:38 2011 +0100 ALSA: hda - Don't add elements of other codecs to vmaster slave commit aeb4b88ec0a948efce8e3a23a8f964d3560a7308 upstream. When a virtual mater control is created, the driver looks for slave elements from the assigned card instance. But this may include the elements of other codecs when multiple codecs are on the same HD-audio bus. This works at the first time, but it'll give Oops when it's once freed and re-created via reconfig sysfs. This patch changes the element-look-up strategy to limit only to the mixer elements of the same codec. Reported-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit aa535b5cc1d0e7f9671292392eb34cc0849d2080 Author: Julian Wollrath Date: Wed Nov 9 10:02:40 2011 +0100 ALSA: hda - fix internal mic on Dell Vostro 3500 laptop commit f7f9bdfadfda07afb904a9767468e38c2d1a6033 upstream. Fix the not working internal mic on Dell Vostro 3500 laptop by introducing the new model dell-vostro-3500. Signed-off-by: Julian Wollrath Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman