commit d724b881b05d86182ba5343e0c13e0834bb6e7bf
Author: Greg Kroah-Hartman
Date:   Wed Oct 31 10:11:22 2012 -0700

    Linux 3.6.5

commit e8a8c5319cf390ab1895d78f6ffcd2c8038f0075
Author: Peng Tao
Date:   Fri Aug 24 00:27:53 2012 +0800

    pnfsblock: fix non-aligned DIO write

    commit 96c9eae638765c2bf2ca4f5a6325484f9bb69aa7 upstream.

    For DIO writes, if it is not blocksize aligned, we need to do
    internal serialization. It may slow down writers anyway. So we just
    bail them out and resend to MDS.

    Signed-off-by: Peng Tao
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit d1e1f0083e6cb81df51838f8a7824436edd96a95
Author: Peng Tao
Date:   Fri Aug 24 00:27:52 2012 +0800

    pnfsblock: fix non-aligned DIO read

    commit f742dc4a32587bff50b13dde9d8894b96851951a upstream.

    For DIO read, if it is not sector aligned, we should reject it and
    resend via MDS. Otherwise there might be data corruption. Also teach
    bl_read_pagelist to handle partial page reads for DIO.

    Signed-off-by: Peng Tao
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 2865269348c0cf5448544f971d1c64afe7cdbc98
Author: Yinghai Lu
Date:   Mon Oct 22 16:35:18 2012 -0700

    x86, mm: Use memblock memory loop instead of e820_RAM

    commit 1f2ff682ac951ed82cc043cf140d2851084512df upstream.

    We need to handle E820_RAM and E820_RESERVED_KERNEL at the same time.

    Also memblock has page aligned range for ram, so we could avoid
    mapping partial pages.

    Signed-off-by: Yinghai Lu
    Link: http://lkml.kernel.org/r/CAE9FiQVZirvaBMFYRfXMmWEcHbKSicQEHz4VAwUv0xFCk51ZNw@mail.gmail.com
    Acked-by: Jacob Shin
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 31fd7858aab67b6c4104cd7323a69f257a170572
Author: Olof Johansson
Date:   Wed Oct 24 10:00:44 2012 -0700

    x86: efi: Turn off efi_enabled after setup on mixed fw/kernel

    commit 5189c2a7c7769ee9d037d76c1a7b8550ccf3481c upstream.

    When 32-bit EFI is used with 64-bit kernel (or vice versa), turn off
    efi_enabled once setup is done.
    Beyond setup, it is normally used to determine if runtime services
    are available and we will have none.

    This will resolve issues stemming from efivars modprobe panicking on
    a 32/64-bit setup, as well as some reboot issues on similar setups.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=45991

    Reported-by: Marko Kohtala
    Reported-by: Maxim Kammerer
    Signed-off-by: Olof Johansson
    Acked-by: Maarten Lankhorst
    Cc: Matthew Garrett
    Signed-off-by: Matt Fleming
    Signed-off-by: Greg Kroah-Hartman

commit c1f2d77769770f79d5dd9a8d7ab9615665343fd9
Author: Josh Triplett
Date:   Fri Sep 28 17:55:44 2012 -0700

    efi: Defer freeing boot services memory until after ACPI init

    commit 785107923a83d8456bbd8564e288a24d84109a46 upstream.

    Some new ACPI 5.0 tables reference resources stored in boot services
    memory, so keep that memory around until we have ACPI and can extract
    data from it.

    Signed-off-by: Josh Triplett
    Link: http://lkml.kernel.org/r/baaa6d44bdc4eb0c58e5d1b4ccd2c729f854ac55.1348876882.git.josh@joshtriplett.org
    Signed-off-by: H. Peter Anvin
    Cc: Matt Fleming
    Signed-off-by: Greg Kroah-Hartman

commit 116f83b82e7272fec7f9f0f71376bdc67b159ae2
Author: Stanislaw Gruszka
Date:   Mon Oct 15 14:52:41 2012 +0200

    cfg80211/mac80211: avoid state mishmash on deauth

    commit 6863255bd0e48bc41ae5a066d5c771801e92735a upstream.

    Avoid the situation where we are in associate state in mac80211 and
    in disassociate state in cfg80211. This can result in a crash during
    module unload (as shown in this thread:
    http://marc.info/?t=134373976300001&r=1&w=2) and possibly other
    problems.

    Reported-by: Pedro Francisco
    Cc: stable@vger.kernel.org
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 7c34784313937286fe71089203d62d6b3e534c93
Author: Yinghai Lu
Date:   Thu Oct 25 15:45:26 2012 -0700

    x86, mm: Undo incorrect revert in arch/x86/mm/init.c

    commit f82f64dd9f485e13f29f369772d4a0e868e5633a upstream.
    Commit

        844ab6f9 x86, mm: Find_early_table_space based on ranges that are actually being mapped

    wrongly added back some lines that had been removed in commit

        7b16bbf97 Revert "x86/mm: Fix the size calculation of mapping tables"

    remove them again.

    Signed-off-by: Yinghai Lu
    Link: http://lkml.kernel.org/r/CAE9FiQW_vuaYQbmagVnxT2DGsYc=9tNeAbdBq53sYkitPOwxSQ@mail.gmail.com
    Acked-by: Jacob Shin
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 68386f3af67948d54f423c54a4384080e6b74810
Author: Jacob Shin
Date:   Wed Oct 24 14:24:44 2012 -0500

    x86, mm: Find_early_table_space based on ranges that are actually being mapped

    commit 844ab6f993b1d32eb40512503d35ff6ad0c57030 upstream.

    Current logic finds enough space for direct mapping page tables from
    0 to end. Instead, we only need to find enough space to cover
    mr[0].start to mr[nr_range].end -- the range that is actually being
    mapped by init_memory_mapping()

    This is needed after 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a, to
    address the panic reported here:

      https://lkml.org/lkml/2012/10/20/160
      https://lkml.org/lkml/2012/10/21/157

    Signed-off-by: Jacob Shin
    Link: http://lkml.kernel.org/r/20121024195311.GB11779@jshin-Toonie
    Tested-by: Tom Rini
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 4ae29d121ef48cc7f3798e69bfde93742d83c760
Author: Felix Fietkau
Date:   Wed Oct 17 13:50:43 2012 +0200

    Revert "ath9k_hw: Updated AR9003 tx gain table for 5GHz"

    commit 73b26df5fa1a6245d6fc982362518b620bc7c2fe upstream.

    This reverts commit a240dc7b3c7463bd60cf0a9b2a90f52f78aae0fd.

    This commit is reducing tx power by at least 10 db on some devices,
    e.g. the Buffalo WZR-HP-G450H.

    Signed-off-by: Felix Fietkau
    Cc: rmanohar@qca.qualcomm.com
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit b1a9fec89349d9c41ff1ab519d4bfe2bb16814b8
Author: Andreas Herrmann
Date:   Tue Oct 23 00:55:10 2012 +0200

    cpufreq / powernow-k8: Remove usage of smp_processor_id() in preemptible code

    commit e4df1cbcc1f329e53a1fff7450b2229e0addff20 upstream.

    Commit 6889125b8b4e09c5e53e6ecab3433bed1ce198c9
    (cpufreq/powernow-k8: workqueue user shouldn't migrate the kworker
    to another CPU) causes powernow-k8 to trigger a preempt warning, e.g.:

      BUG: using smp_processor_id() in preemptible [00000000] code: cpufreq/3776
      caller is powernowk8_target+0x20/0x49
      Pid: 3776, comm: cpufreq Not tainted 3.6.0 #9
      Call Trace:
       [] debug_smp_processor_id+0xc7/0xe0
       [] powernowk8_target+0x20/0x49
       [] __cpufreq_driver_target+0x82/0x8a
       [] cpufreq_governor_performance+0x4e/0x54
       [] __cpufreq_governor+0x8c/0xc9
       [] __cpufreq_set_policy+0x1a9/0x21e
       [] store_scaling_governor+0x16f/0x19b
       [] ? cpufreq_update_policy+0x124/0x124
       [] ? _raw_spin_unlock_irqrestore+0x2c/0x49
       [] store+0x60/0x88
       [] sysfs_write_file+0xf4/0x130
       [] vfs_write+0xb5/0x151
       [] sys_write+0x4a/0x71
       [] system_call_fastpath+0x16/0x1b

    Fix this by always using work_on_cpu().

    Signed-off-by: Andreas Herrmann
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit ceb80aec3793b4e34b84849c2823d052c91a855b
Author: Stanislav Yakovlev
Date:   Mon Oct 15 14:14:32 2012 +0000

    net/wireless: ipw2200: Fix panic occurring in ipw_handle_promiscuous_tx()

    commit bf11315eeda510ea4fc1a2bf972d8155d31d89b4 upstream.

    The driver does not count space of radiotap fields when allocating
    skb for radiotap packet. This leads to kernel panic with the
    following call trace:

    ...
    [67607.676067] [] error_code+0x67/0x6c
    [67607.676067] [] ? skb_put+0x91/0xa0
    [67607.676067] [] ? ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
    [67607.676067] [] ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
    [67607.676067] [] ipw_net_hard_start_xmit+0x8b/0x90 [ipw2200]
    [67607.676067] [] libipw_xmit+0x55a/0x980 [libipw]
    [67607.676067] [] dev_hard_start_xmit+0x218/0x4d0
    ...

    This bug was found by VittGam.

    https://bugzilla.kernel.org/show_bug.cgi?id=43255

    Signed-off-by: Stanislav Yakovlev
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 3814f2b04c026fb39dda34ad7184ab6796f97271
Author: Piotr Haber
Date:   Thu Oct 11 14:05:15 2012 +0200

    bcma: fix unregistration of cores

    commit 1fffa905adffbf0d3767fc978ef09afb830275eb upstream.

    When cores are unregistered, entries need to be removed from cores
    list in a safe manner.

    Reported-by: Stanislaw Gruszka
    Reviewed-by: Arend Van Spriel
    Signed-off-by: Piotr Haber
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 44d127e0dd6e8eec8f351b766fa57ed69e18ea19
Author: Johannes Berg
Date:   Tue Sep 25 16:40:12 2012 +0200

    iwlwifi: fix 6000 series channel switch command

    commit 8f7b8db6e0557c8437adf9371e020cd89a7e85dc upstream.

    The channel switch command for 6000 series devices is larger than
    the maximum inline command size of 320 bytes. The command is
    therefore refused with a warning. Fix this by allocating the command
    and using the NOCOPY mechanism.

    Reviewed-by: Emmanuel Grumbach
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit fbec5144b1a52c0d81db87626e802a64fd5a9a24
Author: Wei Yongjun
Date:   Sun Oct 21 19:58:30 2012 +0800

    dmaengine: imx-dma: fix missing unlock on error in imxdma_xfer_desc()

    commit 720dfd250e48a8c7fd1b2b8645955413989c4ee0 upstream.

    Add the missing unlock on the error handling path in function
    imxdma_xfer_desc().
    Signed-off-by: Wei Yongjun
    Signed-off-by: Vinod Koul
    Signed-off-by: Greg Kroah-Hartman

commit 7a263f0c7f4acdb1b58cf0e59e6a941b819bd550
Author: Barry Song
Date:   Thu Sep 27 16:36:10 2012 +0800

    dmaengine: sirf: fix a typo in moving running dma_desc to active queue

    commit 26fd12209c08fe947be1828896ef4ffc5bd0e6df upstream.

    list_move_tail(&schan->queued, &schan->active) makes the
    list_empty(schan->queued) undefined, we either should change it to:
    list_move_tail(schan->queued.next, &schan->active)
    or
    list_move_tail(&sdesc->node, &schan->active)

    Signed-off-by: Barry Song
    Signed-off-by: Vinod Koul
    Signed-off-by: Greg Kroah-Hartman

commit 4853c29c3cd5e7d5ea41bc5edd50e16b1882c294
Author: Barry Song
Date:   Thu Sep 27 16:35:38 2012 +0800

    dmaengine: sirf: fix a typo in dma_prep_interleaved

    commit 5997e089e4c3a7f0958a8fb0a54ec2b5a6f06168 upstream.

    either DEV_TO_MEM or MEM_TO_DEV is supported, so change OR to AND.

    Signed-off-by: Barry Song
    Signed-off-by: Vinod Koul
    Signed-off-by: Greg Kroah-Hartman

commit cae2c0464b08ffc8b5632cc56049ae7d2b80506f
Author: Oleg Nesterov
Date:   Thu Oct 25 22:28:12 2012 +0200

    freezer: exec should clear PF_NOFREEZE along with PF_KTHREAD

    commit b40a79591ca918e7b91b0d9b6abd5d00f2e88c19 upstream.

    flush_old_exec() clears PF_KTHREAD but forgets about PF_NOFREEZE.

    Signed-off-by: Oleg Nesterov
    Acked-by: Tejun Heo
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 577269ce50791085217d945d2ce5ae4b6903f3b9
Author: Dan Williams
Date:   Wed Oct 24 12:10:34 2012 +0000

    qmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan

    commit f8295ec22cb0f1ee6849b862addbfa3ea9320755 upstream.

    These devices provide QMI and ethernet functionality via a standard
    CDC ethernet descriptor. But when driven by cdc_ether, the QMI
    functionality is unavailable because only cdc_ether can claim the
    USB interface. Thus blacklist the devices in cdc_ether and add their
    IDs to qmi_wwan, which enables both QMI and ethernet simultaneously.
    Signed-off-by: Dan Williams
    Acked-by: Greg Kroah-Hartman
    Acked-by: Bjørn Mork
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7450d9b70adc4249cfb5575b35ccb11f4b58fd1f
Author: Johan Hedberg
Date:   Thu Oct 11 16:26:06 2012 +0200

    Bluetooth: SMP: Fix setting unknown auth_req bits

    commit 065a13e2cc665f6547dc7e8a9d6b6565badf940a upstream.

    When sending a pairing request or response we should not just
    blindly copy the value that the remote device sent. Instead we
    should at least make sure to mask out any unknown bits. This is
    particularly critical from the upcoming LE Secure Connections
    feature perspective as incorrectly indicating support for it (by
    copying the remote value) would cause a failure to pair with devices
    that support it.

    Signed-off-by: Johan Hedberg
    Acked-by: Marcel Holtmann
    Signed-off-by: Gustavo Padovan
    Signed-off-by: Greg Kroah-Hartman

commit 8668be75982558ff50873ec256abdc881a1d25ba
Author: Chris Metcalf
Date:   Thu Oct 25 07:25:20 2012 +0000

    tilegx: fix some issues in the SW TSO support

    commit 3da3fff8006c608f19a51859d44ba47ca8b41461 upstream.

    This change correctly computes the header length and data length in
    the fragments to avoid a bug where we would end up with extremely
    slow performance. Also adopt use of skb_frag_size() accessor.

    Signed-off-by: Chris Metcalf
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4ade7d2eedda437e2197b57e449a308e06f9bb4d
Author: Larry Finger
Date:   Wed Oct 24 08:57:16 2012 -0500

    b43: Fix oops on unload when firmware not found

    commit f89ff6441df06abc2d95f3ef67525923032d6283 upstream.

    When b43 fails to find firmware when loaded, a subsequent unload
    will oops due to calling ieee80211_unregister_hw() when the
    corresponding register call was never made.

    Commit 2d838bb608e2d1f6cb4280e76748cb812dc822e7 fixed the same
    problem for b43legacy.

    Signed-off-by: Larry Finger
    Tested-by: Markus Kanet
    Cc: Markus Kanet
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit cbc71967da7f3643d668a28b26d830e672891ab0
Author: Felix Fietkau
Date:   Wed Oct 10 22:40:23 2012 +0200

    mac80211: use ieee80211_free_txskb in a few more places

    commit d4fa14cd62bd078c8e3ef39283b9f237e5b2ff0f upstream.

    Free tx status skbs when draining power save buffers, pending
    frames, or when tearing down a vif.
    Fixes remaining conditions that can lead to hostapd/wpa_supplicant
    hangs when running out of socket write memory.

    Signed-off-by: Felix Fietkau
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 8f645c50b625f912ee7e62687cd88c468f92ac64
Author: Stanislaw Gruszka
Date:   Tue Oct 2 21:34:23 2012 +0200

    mac80211: check if key has TKIP type before updating IV

    commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream.

    This patch fixes corruption which can manifest itself by the
    following crash when switching on rfkill switch with rt2x00 driver:
    https://bugzilla.redhat.com/attachment.cgi?id=615362

    Pointer key->u.ccmp.tfm of group key gets corrupted in:

    ieee80211_rx_h_michael_mic_verify():

            /* update IV in key information to be able to detect replays */
            rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
            rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;

    because rt2x00 always sets RX_FLAG_MMIC_STRIPPED, even if key is not
    TKIP.

    We already check type of the key in different path in
    ieee80211_rx_h_michael_mic_verify() function, so adding additional
    check here is reasonable.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit a52e181f56c22cd26444e61c0ac87222bd187564
Author: Johannes Berg
Date:   Mon Oct 1 15:52:00 2012 +0200

    mac80211: connect with HT20 if HT40 is not permitted

    commit 3a40414f826a8f1096d9b94c4a53ef91b25ba28d upstream.
    Some changes to fix issues with HT40 APs in Korea and follow-up
    changes to allow using HT40 even if the local regulatory database
    disallows it caused issues with iwlwifi (and could cause issues with
    other devices); iwlwifi firmware would assert if you tried to
    connect to an AP that has an invalid configuration (e.g. using HT40-
    on channel 140.)

    Fix this, while avoiding the "Korean AP" issue by disabling HT40 and
    advertising HT20 to the AP when connecting.

    Reported-by: Florian Reitmeir
    Tested-by: Florian Reitmeir
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit c5bb11c743f93a487b2e5806ede0cb14ca92c873
Author: Nicolas Ferre
Date:   Wed Oct 24 16:19:47 2012 +0200

    ARM: at91: fix external interrupt specification in board code

    commit 69e7ea04c9365626c0963ff09bbaa3a1b49e293a upstream.

    Since the switch to sparse irq, we have to add the NR_IRQS_LEGACY
    offset to static irq numbers. It has been forgotten on these SPI irq
    definitions in board code.

    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Acked-by: Ludovic Desroches
    Signed-off-by: Greg Kroah-Hartman

commit a009557c905f624b230c0d6f70cf41f3d9f5bd91
Author: Nicolas Ferre
Date:   Wed Oct 24 16:09:57 2012 +0200

    ARM: at91: fix external interrupts in non-DT case

    commit 738a0fd752dc60e20beeda6f2f0f62e58dc0e344 upstream.

    Management of external interrupts has changed but the non-DT code
    has not integrated these changes.
    Add a mask to pass external irq specification from SoC specific code
    to the at91_aic_init() function.

    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Acked-by: Ludovic Desroches
    Signed-off-by: Greg Kroah-Hartman

commit 60b84696738cc3fb760c26f2569c53d0d1fb0c7d
Author: Ivan Shugov
Date:   Wed Oct 24 11:02:44 2012 +0200

    ARM: at91: at91sam9g10: fix SOC type detection

    commit 3d9a0183dd3423353e9e363bcc261c1220d05f9f upstream.
    Newer at91sam9g10 SoC revision can't be detected, so the kernel
    can't boot with this kind of kernel panic:
    "AT91: Impossible to detect the SOC type"

    CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
    CPU: VIVT data cache, VIVT instruction cache
    Machine: Atmel AT91SAM9G10-EK
    Ignoring tag cmdline (using the default kernel command line)
    bootconsole [earlycon0] enabled
    Memory policy: ECC disabled, Data cache writeback
    Kernel panic - not syncing: AT91: Impossible to detect the SOC type
    [] (unwind_backtrace+0x0/0xe0) from [] (panic+0x78/0x1cc)
    [] (panic+0x78/0x1cc) from [] (at91_map_io+0x90/0xc8)
    [] (at91_map_io+0x90/0xc8) from [] (paging_init+0x564/0x6d0)
    [] (paging_init+0x564/0x6d0) from [] (setup_arch+0x464/0x704)
    [] (setup_arch+0x464/0x704) from [] (start_kernel+0x6c/0x2d4)
    [] (start_kernel+0x6c/0x2d4) from [<20008040>] (0x20008040)

    The reason for this is that the Debug Unit Chip ID Register has
    changed between Engineering Sample and definitive revision of the
    SoC. Changing the check of cidr to socid will address the problem.
    We do not integrate this check to the list just above because we
    also have to make sure that the extended id is disregarded.

    Signed-off-by: Ivan Shugov
    [nicolas.ferre@atmel.com: change commit message]
    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Signed-off-by: Greg Kroah-Hartman

commit e5c182965ed38c70f0e99574041898c1f5a14c45
Author: Bo Shen
Date:   Mon Oct 15 17:30:27 2012 +0800

    ARM: at91/i2c: change id to let i2c-gpio work

    commit 7840487cd6298f9f931103b558290d8d98d41c49 upstream.

    The i2c core driver will turn the platform device ID to busnum
    When using platform device ID as -1, it means dynamically assigned
    the busnum. When writing code, we need to make sure the busnum,
    and call i2c_register_board_info(int busnum, ...)
    to register device
    if using -1, we do not know the value of busnum

    In order to solve this issue, set the platform device ID as a fixed
    number
    Here using 0 to match the busnum used in i2c_register_board_info()

    Signed-off-by: Bo Shen
    Acked-by: Jean Delvare
    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Acked-by: Ludovic Desroches
    Signed-off-by: Greg Kroah-Hartman

commit 9e9226a021af38ede5823b0610359dd817f35aa3
Author: Josh Wu
Date:   Fri Sep 14 17:01:29 2012 +0800

    ARM: at91/tc: fix typo in the DT document

    commit 11930c530f3edf81160e4962e363d579f5cdce7e upstream.

    Signed-off-by: Josh Wu
    Signed-off-by: Nicolas Ferre
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD
    Signed-off-by: Greg Kroah-Hartman

commit 4ecc39f837ce9a302bd35dc35576514036bdca01
Author: Heiko Stuebner
Date:   Wed Oct 17 16:47:11 2012 +0900

    ARM: SAMSUNG: Add naming of s3c64xx-spi devices

    commit 308b3afb97dc342e9c4f958d8b4c459ae0e22bd7 upstream.

    Commit a5238e360b71 (spi: s3c64xx: move controller information into
    driver data) introduced separate device names for the different
    subtypes of the spi controller but forgot to set these in the
    relevant machines.

    To fix this introduce a s3c64xx_spi_setname function and populate
    all Samsung arches with the correct names. The function resides in a
    new header, as the s3c64xx-spi.h contains driver platform data and
    should therefore at some later point move out of the Samsung include
    dir.

    Tested on a s3c2416-based machine.

    Signed-off-by: Heiko Stuebner
    Reviewed-by: Sylwester Nawrocki
    [s.nawrocki@samsung.com: tested on mach-exynos]
    Tested-by: Sylwester Nawrocki
    Signed-off-by: Kukjin Kim
    Signed-off-by: Greg Kroah-Hartman

commit de7dfdace5741d91cb273b29067ee22d125eab73
Author: Michael S. Tsirkin
Date:   Wed Oct 24 20:37:51 2012 +0200

    vhost: fix mergeable bufs on BE hosts

    commit 910a578f7e9400a78a3b13aba0b4d2df16a2cb05 upstream.

    We copy head count to a 16 bit field, this works by chance on LE but
    on BE guest gets 0. Fix it up.

    Signed-off-by: Michael S. Tsirkin
    Tested-by: Alexander Graf
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b0bda710d6b48cdc54b902f6bce3470b42cfab6b
Author: Johan Hovold
Date:   Thu Oct 25 18:56:33 2012 +0200

    USB: mos7840: remove invalid disconnect handling

    commit e681b66f2e19fadbe8a7e2a17900978cb6bc921f upstream.

    Remove private zombie flag used to signal disconnect and to prevent
    control urb from being submitted from interrupt urb completion
    handler.

    The control urb will not be re-submitted as both the control urb and
    the interrupt urb are killed on disconnect.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit ee52fcd83c615252a8118e146f8db61358ecdb4b
Author: Johan Hovold
Date:   Thu Oct 25 18:56:32 2012 +0200

    USB: mos7840: remove NULL-urb submission

    commit 28c3ae9a8cf45f439c9a0779ebd0256e2ae72813 upstream.

    The private int_urb is never allocated so the submission from the
    control completion handler will always fail. Remove this odd piece
    of broken code.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit da0d04fd143824b6d2657c267a8a09517194370b
Author: Johan Hovold
Date:   Thu Oct 25 13:35:10 2012 +0200

    USB: mos7840: fix port-device leak in error path

    commit 3eb55cc4ed88eee3b5230f66abcdbd2a91639eda upstream.

    The driver set the usb-serial port pointers to NULL on errors in
    attach, effectively preventing usb-serial core from decrementing the
    port ref counters and releasing the port devices and associated
    data.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit f36791258f9c7da44ba15aa64f3eb284b67b9939
Author: Johan Hovold
Date:   Thu Oct 25 13:35:09 2012 +0200

    USB: mos7840: fix urb leak at release

    commit 65a4cdbb170e4ec1a7fa0e94936d47e24a17b0e8 upstream.

    Make sure control urb is freed at release.
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 7e4d20169cdd2e9fb458d5d28b515397c112047f
Author: Johan Hovold
Date:   Thu Oct 25 10:29:19 2012 +0200

    USB: sierra: fix port-data memory leak

    commit f525c05babc7938cc1d4236550fd8a659fb05960 upstream.

    Fix port-data memory leak by moving port data allocation and
    deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Note also that urb-count for multi-port interfaces has not been
    changed even though the usb-serial port number is now determined
    from the port and interface minor numbers.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 99ad30180d1a0de0fbe4adfd8d24085ac77e1a24
Author: Johan Hovold
Date:   Thu Oct 25 10:29:18 2012 +0200

    USB: sierra: fix memory leak in probe error path

    commit 084817d79399ab5ccab2f90a148b0369912a8369 upstream.

    Move interface data allocation to attach so that it is deallocated
    on errors in usb-serial probe.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit d9b48922b9d6dc1c02586d36639a27917f3dbe46
Author: Johan Hovold
Date:   Thu Oct 25 10:29:17 2012 +0200

    USB: sierra: fix memory leak in attach error path

    commit 7e41f9bcdd2e813ea2a3c40db291d87ea06b559f upstream.

    Make sure port private data is deallocated on errors in attach.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 9fd041e480fa2da73eab4d4bbba1f5738b45dc8f
Author: Lennart Sorensen
Date:   Wed Oct 24 10:23:09 2012 -0400

    USB: serial: Fix memory leak in sierra_release()

    commit f7bc5051667b74c3861f79eed98c60d5c3b883f7 upstream.

    I found a memory leak in sierra_release() (well sierra_probe() I
    guess) that loses 8 bytes each time the driver releases a device.
    Signed-off-by: Len Sorensen
    Acked-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 38e602db5db176e642d66ab7bffabec143edc2f3
Author: Johan Hovold
Date:   Thu Oct 25 10:29:10 2012 +0200

    USB: quatech2: fix io after disconnect

    commit 2f0295adf6438188c4cd0868f2b1976a2b034e1d upstream.

    Make sure no control urb is submitted during close after a
    disconnect by checking the disconnected flag.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit f5c21b3815667aeae65a3ec56576294c5ed751e6
Author: Johan Hovold
Date:   Thu Oct 25 10:29:09 2012 +0200

    USB: quatech2: fix close and disconnect urb handling

    commit 8e512ab0b675da20e023439a5811e3f2554e6852 upstream.

    Kill urbs unconditionally at close and disconnect.

    Note that URB status is not valid outside of completion handler.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit b7e9cee3e7062435521dd933ce2349a2d721e596
Author: Johan Hovold
Date:   Thu Oct 25 10:29:08 2012 +0200

    USB: quatech2: fix port-data memory leaks

    commit 40d04738491d7ac1aa708ba434ff3480ec9e1b96 upstream.

    Fix port-data memory leak by moving port data allocation and
    deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Note that this also fixes memory leaks in the error path of attach
    where the write urbs were not freed on errors.

    Make sure all interface-data deallocation is done in release by
    moving the read urb deallocation from disconnect.

    Note that the write urb is killed during close so that the call in
    disconnect was superfluous.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Cc: Bill Pemberton
    Signed-off-by: Greg Kroah-Hartman

commit 24496dfe837363e83d9f1dde5bd68372088e6f88
Author: Johan Hovold
Date:   Thu Oct 25 10:29:07 2012 +0200

    USB: quatech2: fix memory leak in error path

    commit b8a0055050b6294826171641b182c09f78f4cc63 upstream.
    Fix memory leak in attach error path where the read urb was never
    freed.

    Signed-off-by: Johan Hovold
    Cc: Bill Pemberton
    Signed-off-by: Greg Kroah-Hartman

commit 89133c6f9cf825de28dff95aa4e933d5349b0101
Author: Johan Hovold
Date:   Thu Oct 25 10:29:05 2012 +0200

    USB: mos7720: fix port-data memory leak

    commit 4230af572f95b3115bba1ee6fb95681f3851ab26 upstream.

    Fix port-data memory leak by moving port data allocation and
    deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Note that this patch also fixes a second port-data memory leak in
    the error path of attach, should parallel-port initialisation fail.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit bd0758d884d30c79e064db3b7d18cc1ae4899843
Author: Johan Hovold
Date:   Thu Oct 25 10:29:00 2012 +0200

    USB: metro-usb: fix io after disconnect

    commit 2ee44fbeac92c36e53779a57ee84cfee1affe418 upstream.

    Make sure no control urb is submitted during close after a
    disconnect by checking the disconnected flag.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 10899e1d571d11982a4bd57e2112d475429583fa
Author: Johan Hovold
Date:   Thu Oct 25 10:28:59 2012 +0200

    USB: metro-usb: fix port-data memory leak

    commit 50dde8686eec41bf3d7cbec7a6f76c073ab01903 upstream.

    Fix port-data memory leak by moving port data allocation and
    deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Note that the call to metrousb_clean (close) in shutdown was
    redundant.

    Compile-only tested.
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit e16f68849ef8ccd4578047f306aface94176ea2a
Author: Johan Hovold
Date:   Thu Oct 25 10:29:12 2012 +0200

    USB: opticon: fix memory leak in error path

    commit acbf0e5263de563e25f7c104868e4490b9e72b13 upstream.

    Fix memory leak in write error path.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit f2eed28b4ba4b289f51567e19d7933be0348da55
Author: Johan Hovold
Date:   Thu Oct 25 10:29:11 2012 +0200

    USB: opticon: fix DMA from stack

    commit ea0dbebffe118724cd4df7d9b071ea8ee48d48f0 upstream.

    Make sure to allocate the control-message buffer dynamically as some
    platforms cannot do DMA from stack.

    Note that only the first byte of the old buffer was used.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 5cd933664edb0f9cb7f52c40219668267571bf40
Author: Johan Hovold
Date:   Thu Oct 25 10:29:02 2012 +0200

    USB: whiteheat: fix port-data memory leak

    commit c467206ed6bcce26c83d0435612cc4fee2527305 upstream.

    Fix port-data memory leak by moving port data allocation and
    deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Note that the fifth port (command port) is never registered as a
    port device and thus should be handled in attach and release.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Cc:
    Signed-off-by: Greg Kroah-Hartman

commit 09d35f2c69e5f92db3ec0b8f3ce62be0c0bbacc2
Author: Johan Hovold
Date:   Thu Oct 25 10:29:01 2012 +0200

    USB: whiteheat: fix memory leak in error path

    commit c129197c99550d356cf5f69b046994dd53cd1b9d upstream.

    Make sure command buffer is deallocated in case of errors during
    attach.
    Signed-off-by: Johan Hovold
    Cc:
    Signed-off-by: Greg Kroah-Hartman

commit bf66cd30357174ed30c140f79b4016f4230a0066
Author: Johan Hovold
Date:   Thu Oct 25 15:42:41 2012 +0200

    USB: qcserial: fix interface-data memory leak in error path

    commit 961be09e1ead58509ed4bed0d5819a15d8613d8d upstream.

    Move interface data allocation to attach so that it is deallocated
    should usb-serial probe fail.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 1968e8d84329760f4722c5c3951aec28b5ece59b
Author: Johan Hovold
Date:   Thu Oct 25 10:29:06 2012 +0200

    USB: omninet: fix port-data memory leak

    commit feffa7ca6008ab859dd7ab7448a5a899bf0aa98f upstream.

    Fix port-data memory leak by replacing attach and release with
    port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 789a4bbd28e4e5128a66a6e35117ef9392fed867
Author: Johan Hovold
Date:   Thu Oct 25 10:29:15 2012 +0200

    USB: keyspan: fix NULL-pointer dereferences and memory leaks

    commit f79b2d0fe81eecb412dc48e87a119afc690da8e9 upstream.

    Fix NULL-pointer dereference at release by moving port data
    allocation and deallocation to port_probe and port_remove.

    Fix NULL-pointer dereference at disconnect by stopping port urbs at
    port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer
    accessible at disconnect or release.

    Note that this patch also fixes port and interface-data memory leaks
    in the error path of attach should port initialisation fail for any
    port.

    Compile-only tested.
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit d16dbb330b8517c1df7e03c120cac572d726a5b6
Author: Johan Hovold
Date:   Thu Oct 25 15:42:40 2012 +0200

    USB: option: fix interface-data memory leak in error path

    commit c2dd4a8eac7821fed2c2d19e4607d0986b53b0fe upstream.

    Move interface data allocation to attach so that it is deallocated
    should usb-serial probe fail.

    Note that the usb device id is stored at probe so that it can be
    used in attach to determine send-setup blacklisting.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 9e7922db1d38b0ee22355cda640c175bc4e5501a
Author: Johan Hovold
Date:   Thu Oct 25 10:29:14 2012 +0200

    USB: mct_u232: fix broken close

    commit 5260e458f5eff269a43e4f1e9c47186c57b88ddb upstream.

    Make sure generic close is called at close.

    The driver relies on the generic write implementation but did not
    call generic close.

    Note that the call to kill the read urb is not redundant, as
    mct_u232 uses an interrupt urb from the second port as the read urb
    and that generic close therefore fails to kill it.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 14e6c99bfc02a84d98ee77552a328855c1db31e5
Author: Johan Hovold
Date:   Thu Oct 25 10:29:13 2012 +0200

    USB: mct_u232: fix port-data memory leak

    commit a8f2ae7a3aa59079d7e7e1ddf5007f03532f458c upstream.

    Fix port-data memory leak by moving port data allocation and
    deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL
    when no driver is bound) the port private data is no longer freed at
    release as it is no longer accessible.

    Note that the write waitqueue was initialised but never used.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit e830d9c15b2b6cbc557d213c52f8d1835002c66f
Author: Johan Hovold
Date:   Thu Oct 25 15:42:39 2012 +0200

    USB: ipw: fix interface-data memory leak in error path

    commit a997448c89905b80aa4022f734f03685e733d711 upstream.
    Move interface data allocation to attach so that it is deallocated should usb-serial probe fail.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 8d7e8206ad00c040b2075184236c325cd1ba14a2
Author: Johan Hovold
Date: Thu Oct 25 10:29:04 2012 +0200

    USB: digi_acceleport: fix port-data memory leak

    commit fb44ff854e148bc5c5982dad32da98b7a0989d2d upstream.

    Fix port-data memory leak by moving port data allocation and deallocation to port_probe and port_remove.

    Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible.

    Note that the oob port is never registered as a port device and should thus be handled in attach and release.

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Cc: Peter Berger
    Cc: Al Borchers
    Signed-off-by: Greg Kroah-Hartman

commit 226c125e2f5b479dc1fee67bbd3a84c90021c816
Author: Johan Hovold
Date: Thu Oct 25 10:29:03 2012 +0200

    USB: ch341: fix port-data memory leak

    commit 456c5be56ed070a4d883c60b587bcc1c97a8cf3e upstream.

    Fix port-data memory leak by moving port data allocation to port_probe and actually implementing deallocation.

    Note that this driver has never even bothered to try to deallocate its port data...

    Compile-only tested.

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 34a2ee3523326ee24676077b8c796719dfcf0efd
Author: Octavian Purdila
Date: Mon Oct 1 22:21:12 2012 +0300

    usb hub: send clear_tt_buffer_complete events when canceling TT clear work

    commit 3b6054da68f9b0d5ed6a7ed0f42a79e61904352c upstream.

    There is a race condition in the USB hub code with regard to handling TT clear requests that can get the HCD driver in a deadlock.
    Usually when a TT clear request is scheduled it will be executed immediately:

    <7>[ 6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
    <3>[ 6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
    <7>[ 6.078299] hub_tt_work:731
    <7>[ 9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
    <7>[ 9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
    <7>[ 9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
    <7>[ 9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
    <7>[ 10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
    <3>[ 10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
    <7>[ 10.116537] hub_tt_work:731

    However, if a suspend operation is triggered before hub_tt_work is scheduled, hub_quiesce will cancel the work without notifying the HCD driver:

    <3>[ 35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
    <5>[ 35.034022] sd 0:0:0:0: [sda] Stopping disk
    <7>[ 35.034039] hub 2-1:1.0: hub_suspend
    <7>[ 35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
    <7>[ 35.035085] hub 1-0:1.0: hub_suspend
    <7>[ 35.035102] usb usb1: bus suspend, wakeup 0
    <7>[ 35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
    <7>[ 35.035298] hub 2-0:1.0: hub_suspend
    <7>[ 35.035313] usb usb2: bus suspend, wakeup 0
    <7>[ 35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
    <6>[ 35.250017] PM: suspend of devices complete after 216.979 msecs
    <6>[ 35.250822] PM: late suspend of devices complete after 0.799 msecs
    <7>[ 35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
    <7>[ 35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
    <7>[ 35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
    <7>[ 35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
    <6>[ 35.274254] PM: noirq suspend of devices complete after 23.442 msecs
    <6>[ 35.274975] ACPI: Preparing to enter system sleep state S3
    <6>[ 35.292666] PM: Saving platform NVS memory
    <7>[ 35.295030] Disabling non-boot CPUs ...
    <6>[ 35.297351] CPU 1 is now offline
    <6>[ 35.300345] CPU 2 is now offline
    <6>[ 35.303929] CPU 3 is now offline
    <7>[ 35.303931] lockdep: fixing up alternatives.
    <6>[ 35.304825] Extended CMOS year: 2000

    When the device resumes, the EHCI driver will get stuck in ehci_endpoint_disable waiting for the tt_clearing flag to reset:

    <0>[ 47.610967] usb 2-1.3: **** DPM device timeout ****
    <7>[ 47.610972] f2f11c60 00000092 f2f11c0c c10624a5 00000003 f4c6e880 c1c8a4c0 c1c8a4c0
    <7>[ 47.610983] 15c55698 0000000b f56b34c0 f2a45b70 f4c6e880 00000082 f2a4602c f2f11c30
    <7>[ 47.610993] c10787f8 f4cac000 f2a45b70 00000000 f4cac010 f2f11c58 00000046 00000001
    <7>[ 47.611004] Call Trace:
    <7>[ 47.611006] [] ? sched_clock_cpu+0xf5/0x160
    <7>[ 47.611019] [] ? lock_release_holdtime.part.22+0x88/0xf0
    <7>[ 47.611026] [] ? lock_timer_base.isra.35+0x26/0x50
    <7>[ 47.611034] [] ? schedule_timeout+0x133/0x290
    <7>[ 47.611044] [] schedule+0x1e/0x50
    <7>[ 47.611051] [] schedule_timeout+0x138/0x290
    <7>[ 47.611057] [] ? sched_clock_cpu+0xf5/0x160
    <7>[ 47.611063] [] ? usleep_range+0x40/0x40
    <7>[ 47.611070] [] schedule_timeout_uninterruptible+0x15/0x20
    <7>[ 47.611077] [] ehci_endpoint_disable+0x64/0x160
    <7>[ 47.611084] [] ? usb_hcd_flush_endpoint+0x10e/0x1d0
    <7>[ 47.611092] [] ? sysfs_add_file+0x13/0x20
    <7>[ 47.611100] [] usb_hcd_disable_endpoint+0x29/0x40
    <7>[ 47.611107] [] usb_disable_endpoint+0x5c/0x80
    <7>[ 47.611111] [] usb_disable_interface+0x37/0x50
    <7>[ 47.611116] [] usb_reset_and_verify_device+0x4b0/0x640
    <7>[ 47.611122] [] ? hub_port_status+0xb5/0x100
    <7>[ 47.611129] [] usb_port_resume+0xd5/0x220
    <7>[ 47.611136] [] generic_resume+0xf/0x30
    <7>[ 47.611142] [] usb_resume+0x133/0x180
    <7>[ 47.611147] [] ? usb_dev_thaw+0x10/0x10
    <7>[ 47.611152] [] usb_dev_resume+0xd/0x10
    <7>[ 47.611157] [] dpm_run_callback+0x40/0xb0
    <7>[ 47.611164] [] ? pm_runtime_enable+0x43/0x70
    <7>[ 47.611171] [] device_resume+0x1a6/0x2c0
    <7>[ 47.611177] [] ? dpm_show_time+0xe0/0xe0
    <7>[ 47.611183] [] async_resume+0x19/0x40
    <7>[ 47.611189] [] async_run_entry_fn+0x64/0x160
    <7>[ 47.611196] [] ? process_one_work+0x104/0x480
    <7>[ 47.611203] [] ? process_one_work+0x10c/0x480
    <7>[ 47.611209] [] process_one_work+0x180/0x480
    <7>[ 47.611215] [] ? process_one_work+0x104/0x480
    <7>[ 47.611220] [] ? async_schedule+0x10/0x10
    <7>[ 47.611226] [] worker_thread+0x11c/0x2f0
    <7>[ 47.611233] [] ? manage_workers.isra.27+0x1f0/0x1f0
    <7>[ 47.611239] [] kthread+0x78/0x80
    <7>[ 47.611244] [] ? timer_cpu_notify+0xd6/0x20d
    <7>[ 47.611253] [] ? __init_kthread_worker+0x60/0x60
    <7>[ 47.611258] [] kernel_thread_helper+0x6/0xd
    <7>[ 47.611283] ------------[ cut here ]------------

    This patch changes hub_quiesce behavior to flush the TT clear work instead of canceling it, to make sure that no TT clear request remains uncompleted before suspend.

    Signed-off-by: Octavian Purdila
    Acked-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit d005b0ac883ef8bbd86aff81d48140ef107e50f5
Author: Johan Hovold
Date: Thu Oct 25 10:29:16 2012 +0200

    USB: usb-wwan: fix multiple memory leaks in error paths

    commit b8f0e82044c9ba40e92340c8a6d47d6bd6d819bc upstream.

    Fix port-data memory leak in usb-serial probe error path by moving port data allocation to port_probe.

    Since commit a1028f0abf ("usb: usb_wwan: replace release and disconnect with a port_remove hook") port data is deallocated in port_remove. This leaves a possibility for memory leaks if usb-serial probe fails after attach but before the port in question has been successfully registered.

    Note that this patch also fixes two additional memory leaks in the error path of attach should port initialisation fail for any port as the urbs were never freed and neither was the data of any of the successfully initialised ports.

    Compile-only tested.
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit 8eb72a2087ba5959de22bf90b0df18cade29bb41
Author: Michael Shigorin
Date: Mon Oct 22 12:18:56 2012 +0300

    usb-storage: add unusual_devs entry for Casio EX-N1 digital camera

    commit d7870af7e2e3a91b462075ec1ca669b482215187 upstream.

    This commit sets removable subclass for Casio EX-N1 digital camera.

    The patch has been tested within an ALT Linux kernel:
    http://git.altlinux.org/people/led/packages/?p=kernel-image-3.0.git;a=commitdiff;h=c0fd891836e89fe0c93a4d536a59216d90e4e3e7

    See also https://bugzilla.kernel.org/show_bug.cgi?id=49221

    Signed-off-by: Oleksandr Chumachenko
    Signed-off-by: Michael Shigorin
    Signed-off-by: Greg Kroah-Hartman

commit 7fe28e296934557d1e1f5c91e29d3b93ab1a3dc5
Author: Anisse Astier
Date: Tue Oct 9 12:22:37 2012 +0200

    ehci: Add yet-another Lucid nohandoff pci quirk

    commit 8daf8b6086f9d575200cd0aa3797e26137255609 upstream.

    Board name changed on another shipping Lucid tablet.

    Signed-off-by: Anisse Astier
    Signed-off-by: Greg Kroah-Hartman

commit 1b1a523d438e5bae152aebaff6fb404cbbb3f97c
Author: Anisse Astier
Date: Tue Oct 9 12:22:36 2012 +0200

    ehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions

    commit c323dc023b9501e5d09582ec7efd1d40a9001d99 upstream.

    BIOS vendors keep changing the BIOS versions. Only match the beginning of the string to match all Lucid tablets with board name M11JB.

    Signed-off-by: Anisse Astier
    Signed-off-by: Greg Kroah-Hartman

commit 2084022fc8385c62e45b1913923384c9ec890192
Author: K. Y. Srinivasan
Date: Fri Oct 12 13:22:42 2012 -0700

    Drivers: hv: Cleanup error handling in vmbus_open()

    commit 1392550240aaa72ce3a094a38bd23525cd67ce60 upstream.

    Fix a memory leak in the error handling path in the function vmbus_open().

    Signed-off-by: K. Y. Srinivasan
    Reviewed-by: Haiyang Zhang
    Reported-by: Jason Wang
    Acked-by: Jason Wang
    Signed-off-by: Greg Kroah-Hartman

commit 3ed2bcc63a56f5b8983ecfc4de37fa70d7e2e380
Author: Peter Huewe
Date: Mon Sep 24 15:36:24 2012 +0900

    extcon: unregister compat link on cleanup

    commit 824a1bc045cef278aec15bef35d8d0b59ce77856 upstream.

    Since extcon registers this compat link at device registration (extcon_dev_register), we should probably remove them at deregistration/cleanup.

    Signed-off-by: Peter Huewe
    Signed-off-by: Chanwoo Choi

commit c5a2edcb66a0f15a5313b52dd68821ec387d8091
Author: Peter Huewe
Date: Mon Sep 24 15:32:31 2012 +0900

    extcon: Unregister compat class at module unload to fix oops

    commit 0dc77b6dabec8fd298392018cc0de5214af2dc43 upstream.

    If you compile extcon with CONFIG_ANDROID and then load and unload the module you get a simple oops as the driver does not unregister its compat class and thus cannot register it again.

    Full trace:

    root@(none):~# modprobe extcon_class
    root@(none):~# rmmod extcon_class
    root@(none):~# modprobe extcon_class
    ------------[ cut here ]------------
    WARNING: at fs/sysfs/dir.c:536 sysfs_add_one+0xde/0x100()
    sysfs: cannot create duplicate filename '/class/switch'
    Modules linked in: extcon_class(+) [last unloaded: extcon_class]
    Call Trace:
    9f451a00: [<602a58bc>] printk+0x0/0xa8
    9f451a18: [<60039b43>] warn_slowpath_common+0x93/0xd0
    9f451a28: [<6012c6de>] sysfs_add_one+0xde/0x100
    9f451a50: [<601d3d90>] strcat+0x0/0x40
    9f451a68: [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
    9f451a90: [<6002fe32>] unblock_signals+0x0/0x84
    9f451ab0: [<60039c40>] warn_slowpath_fmt+0x0/0xa0
    9f451ac0: [<6002fe32>] unblock_signals+0x0/0x84
    9f451ae8: [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
    9f451b00: [<601d3d90>] strcat+0x0/0x40
    9f451b18: [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
    9f451b48: [<6012c6de>] sysfs_add_one+0xde/0x100
    9f451b78: [<6012c96f>] create_dir+0x8f/0x100
    9f451bc0: [] extcon_class_init+0x0/0x12 [extcon_class]
    9f451bd8: [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
    9f451be8: [<601d89f1>] kvasprintf+0x81/0xa0
    9f451bf8: [<601cf0f0>] kobject_get+0x0/0x50
    9f451c18: [<601cf396>] kobject_add_internal+0x96/0x280
    9f451c60: [] extcon_class_init+0x0/0x12 [extcon_class]
    9f451c78: [<601cfb93>] kobject_add+0xd3/0x140
    9f451cc0: [<601cfac0>] kobject_add+0x0/0x140
    9f451cd0: [<6002fe32>] unblock_signals+0x0/0x84
    9f451cf8: [<6002fffc>] set_signals+0x29/0x3f
    9f451d28: [<600c1de1>] kmem_cache_alloc+0xe1/0x100
    9f451d78: [<601cffa0>] kobject_create_and_add+0x50/0xa0
    9f451da8: [<601fbe76>] class_compat_register+0x56/0x80
    9f451dc8: [] create_extcon_class+0x88/0xd0 [extcon_class]
    9f451de8: [] extcon_class_init+0x10/0x12 [extcon_class]
    9f451df8: [<600189a8>] do_one_initcall+0x48/0x1f0
    9f451e20: [<60061920>] blocking_notifier_call_chain+0x0/0x20
    9f451e30: [<60061920>] blocking_notifier_call_chain+0x0/0x20
    9f451e58: [<6007e3c3>] sys_init_module+0xa3/0x280
    9f451e88: [<6001e2ad>] handle_syscall+0x8d/0x90
    9f451ea8: [<60033370>] userspace+0x405/0x531
    9f451ee8: [<6001e380>] copy_chunk_to_user+0x0/0x40
    9f451ef8: [<6001e5cd>] do_op_one_page+0x14d/0x220
    9f451fd8: [<6001a355>] fork_handler+0x95/0xa0
    ---[ end trace dd512cc03fe1c367 ]---
    ------------[ cut here ]------------
    WARNING: at lib/kobject.c:196 kobject_add_internal+0x26e/0x280()
    kobject_add_internal failed for switch with -EEXIST, don't try to register things with the same name in the same directory.
    Modules linked in: extcon_class(+) [last unloaded: extcon_class]
    Call Trace:
    9f451ad0: [<602a58bc>] printk+0x0/0xa8
    9f451ae8: [<60039b43>] warn_slowpath_common+0x93/0xd0
    9f451af8: [<601cf56e>] kobject_add_internal+0x26e/0x280
    9f451b18: [<601cf140>] kobject_put+0x0/0x70
    9f451b20: [] extcon_class_init+0x0/0x12 [extcon_class]
    9f451b38: [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
    9f451b88: [<60039c40>] warn_slowpath_fmt+0x0/0xa0
    9f451bc0: [] extcon_class_init+0x0/0x12 [extcon_class]
    9f451bd8: [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
    9f451be8: [<601d89f1>] kvasprintf+0x81/0xa0
    9f451bf8: [<601cf0f0>] kobject_get+0x0/0x50
    9f451c18: [<601cf56e>] kobject_add_internal+0x26e/0x280
    9f451c60: [] extcon_class_init+0x0/0x12 [extcon_class]
    9f451c78: [<601cfb93>] kobject_add+0xd3/0x140
    9f451cc0: [<601cfac0>] kobject_add+0x0/0x140
    9f451cd0: [<6002fe32>] unblock_signals+0x0/0x84
    9f451cf8: [<6002fffc>] set_signals+0x29/0x3f
    9f451d28: [<600c1de1>] kmem_cache_alloc+0xe1/0x100
    9f451d78: [<601cffa0>] kobject_create_and_add+0x50/0xa0
    9f451da8: [<601fbe76>] class_compat_register+0x56/0x80
    9f451dc8: [] create_extcon_class+0x88/0xd0 [extcon_class]
    9f451de8: [] extcon_class_init+0x10/0x12 [extcon_class]
    9f451df8: [<600189a8>] do_one_initcall+0x48/0x1f0
    9f451e20: [<60061920>] blocking_notifier_call_chain+0x0/0x20
    9f451e30: [<60061920>] blocking_notifier_call_chain+0x0/0x20
    9f451e58: [<6007e3c3>] sys_init_module+0xa3/0x280
    9f451e88: [<6001e2ad>] handle_syscall+0x8d/0x90
    9f451ea8: [<60033370>] userspace+0x405/0x531
    9f451ee8: [<6001e380>] copy_chunk_to_user+0x0/0x40
    9f451ef8: [<6001e5cd>] do_op_one_page+0x14d/0x220
    9f451fd8: [<6001a355>] fork_handler+0x95/0xa0
    ---[ end trace dd512cc03fe1c368 ]---
    kobject_create_and_add: kobject_add error: -17
    ------------[ cut here ]------------
    WARNING: at drivers/extcon/extcon_class.c:545 create_extcon_class+0xbc/0xd0 [extcon_class]()
    cannot allocate
    Modules linked in: extcon_class(+) [last unloaded: extcon_class]
    Call Trace:
    9f451c80: [<602a58bc>] printk+0x0/0xa8
    9f451c98: [<60039b43>] warn_slowpath_common+0x93/0xd0
    9f451ca0: [<6002fe32>] unblock_signals+0x0/0x84
    9f451ca8: [] create_extcon_class+0xbc/0xd0 [extcon_class]
    9f451cd0: [] extcon_class_init+0x0/0x12 [extcon_class]
    9f451ce8: [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
    9f451d20: [<6002fe32>] unblock_signals+0x0/0x84
    9f451d28: [<60039c40>] warn_slowpath_fmt+0x0/0xa0
    9f451d48: [<6002fffc>] set_signals+0x29/0x3f
    9f451d58: [<601cf172>] kobject_put+0x32/0x70
    9f451d78: [<600c22c3>] kfree+0xb3/0x100
    9f451da8: [<601fbe9a>] class_compat_register+0x7a/0x80
    9f451dc8: [] create_extcon_class+0xbc/0xd0 [extcon_class]
    9f451de8: [] extcon_class_init+0x10/0x12 [extcon_class]
    9f451df8: [<600189a8>] do_one_initcall+0x48/0x1f0
    9f451e20: [<60061920>] blocking_notifier_call_chain+0x0/0x20
    9f451e30: [<60061920>] blocking_notifier_call_chain+0x0/0x20
    9f451e58: [<6007e3c3>] sys_init_module+0xa3/0x280
    9f451e88: [<6001e2ad>] handle_syscall+0x8d/0x90
    9f451ea8: [<60033370>] userspace+0x405/0x531
    9f451ee8: [<6001e380>] copy_chunk_to_user+0x0/0x40
    9f451ef8: [<6001e5cd>] do_op_one_page+0x14d/0x220
    9f451fd8: [<6001a355>] fork_handler+0x95/0xa0
    ---[ end trace dd512cc03fe1c369 ]---
    FATAL: Error inserting extcon_class (/lib/modules/3.6.0-rc6-00178-g811315f/kernel/drivers/extcon/extcon_class.ko): Cannot allocate memory

    This patch fixes this.

    Signed-off-by: Peter Huewe
    Signed-off-by: Chanwoo Choi
    Signed-off-by: Greg Kroah-Hartman

commit 6c04efd97dd25596a1bf80cc1c518fe7e451cc1e
Author: Ian Abbott
Date: Wed Oct 3 16:25:18 2012 +0100

    staging: comedi: amplc_pc236: fix possible NULL deref during detach

    commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream.

    `pc236_detach()` is called by the comedi core to clean up if either `pc236_attach()` or `pc236_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `pc236_attach()` fails, but not if `pc236_attach_pci()` fails, leading to a possible NULL pointer dereference.
    Check `thisboard` at the top of `pc236_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function.

    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit ec7fe3d6e91ff29ee3000e35f13f5eb3df2eca30
Author: Ian Abbott
Date: Wed Oct 3 16:25:17 2012 +0100

    staging: comedi: amplc_pc236: fix invalid register access during detach

    commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.

    `pc236_detach()` is called by the comedi core if it attempted to attach a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if the comedi device private data pointer (`devpriv`) is non-null. This test is insufficient as `pc236_intr_disable()` accesses hardware registers and the attach routine may have failed before it has saved their I/O base addresses.

    Fix it by checking `dev->iobase` is non-zero before calling `pc236_intr_disable()` as that means the I/O base addresses have been saved and the hardware registers can be accessed. It also implies the comedi device private data pointer is valid, so there is no need to check it.

    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 3792dd12ee4419bc276cd321c8f74506a37aa93d
Author: Ian Abbott
Date: Wed Oct 3 16:25:19 2012 +0100

    staging: comedi: amplc_pc263: fix possible NULL deref during detach

    commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream.

    `pc263_detach()` is called by the comedi core to clean up if either `pc263_attach()` or `pc263_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `pc263_attach()` fails, but not if `pc263_attach_pci()` fails, leading to a possible NULL pointer dereference.

    Check `thisboard` at the top of `pc263_detach()` and return early if it is `NULL`. This is okay because no other resources need cleaning up in this case.
    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 6f9445326d4a262a863cc634fd377c5ca562e17d
Author: Ian Abbott
Date: Wed Oct 3 16:25:16 2012 +0100

    staging: comedi: amplc_dio200: fix possible NULL deref during detach

    commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream.

    `dio200_detach()` is called by the comedi core to clean up if either `dio200_attach()` or `dio200_attach_pci()` returns an error. It assigns `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. In the case of a previous call to `dio200_attach()` it won't be `NULL` because the comedi core will have pointed it to one of the elements of `dio200_boards[]`, but in the case of a previous call to `dio200_attach_pci()` it could be `NULL`, leading to a null pointer dereference.

    Check that `thisboard` is valid at the top of `dio200_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function.

    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 9f275003e609824e738b22caef0020d5c4a4def5
Author: Ian Abbott
Date: Wed Oct 3 16:25:21 2012 +0100

    staging: comedi: ni_labpc: fix possible NULL deref during detach

    commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream.

    `labpc_common_detach()` is called by the comedi core to clean up if either `labpc_attach()` (including the one in the "ni_labpc_cs" module) or `labpc_attach_pci()` returns an error. It assumes the `thisboard` macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is non-null. This is a valid assumption if `labpc_attach()` fails, but not if `labpc_attach_pci()` fails, leading to a possible NULL pointer dereference.

    Check `thisboard` at the top of `labpc_common_detach()` and return early if it is `NULL`.
    This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function.

    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 8098a2e23e88e979566c78e68aec11fa21808df0
Author: Fred Brooks
Date: Tue Oct 2 11:10:26 2012 +0100

    staging: comedi: ni_daq_700: fix dio subdevice regression

    commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream.

    Here is a small patch to fix a problem caused by a previous patch that removed the callback function.

    The callback remove patch:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a

    I finally booted my dev machine on the latest kernel (running Debian here so it's still on 3.2 normally) to test the ni_daq_700 driver with my test program and noticed this bug.

    Shift the DIO_R read result to bits 8..15

    Digital direction configuration: channels 0-7 output, 8-15 input (8225 device emu as port A output, port B input, port C N/A).

    Signed-off-by: Fred Brooks
    Signed-off-by: Ian Abbott
    Reviewed-by: H Hartley Sweeten
    Signed-off-by: Greg Kroah-Hartman

commit d136f0fd47d9953139381c8af74976de86eeb224
Author: Ian Abbott
Date: Wed Oct 3 16:25:20 2012 +0100

    staging: comedi: das08: fix possible NULL deref during detach

    commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream.

    `das08_detach()` is called by the comedi core to clean up if either `das08_attach()` or `das08_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `das08_attach()` fails, but not if `das08_attach_pci()` fails, leading to a possible NULL pointer dereference.

    Check `thisboard` at the top of `das08_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function.
    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 88d5e653e2282bda43459dd577f3841f6ef140bf
Author: Nitin Gupta
Date: Wed Oct 10 17:42:18 2012 -0700

    staging: zram: Fix handling of incompressible pages

    commit c8f2f0db1d0294aaf37e8a85bea9bbc4aaf5c0fe upstream.

    Change 130f315a (staging: zram: remove special handle of uncompressed page) introduced a bug in the handling of incompressible pages which resulted in memory allocation failure for such pages.

    When a page expands on compression, say from 4K to 4K+30, we were trying to do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can allocate is PAGE_SIZE (for obvious reasons), so such allocation requests always return failure (0).

    For a page that has compressed size larger than the original size (this may happen with already compressed or random data), there is no point storing the compressed version as that would take more space and would also require time for decompression when needed again. So, the fix is to store any page, whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e. without compression. Memory required for storing this uncompressed page can then be requested from zsmalloc which supports PAGE_SIZE sized allocations.

    Lastly, the fix checks that we do not attempt to "decompress" the page which we stored in the uncompressed form -- we just memcpy() out such pages.

    Signed-off-by: Nitin Gupta
    Reported-by: viechweg@gmail.com
    Reported-by: paerley@gmail.com
    Reported-by: wu.tommy@gmail.com
    Acked-by: Minchan Kim
    Signed-off-by: Greg Kroah-Hartman

commit e4c52c43352370daf54ba0cbe9476f593d89b0de
Author: Arve Hjønnevåg
Date: Tue Oct 16 15:29:55 2012 -0700

    Staging: android: binder: Allow using highmem for binder buffers

    commit 585650dcec88e704a19bb226a34b6a7166111623 upstream.

    The default kernel mapping for the pages allocated for the binder buffers is never used.
    Set the __GFP_HIGHMEM flag when allocating these pages so we don't needlessly use low memory pages that may be required elsewhere.

    Signed-off-by: Arve Hjønnevåg
    Signed-off-by: Greg Kroah-Hartman

commit ab261cc53424005d6d079320c4f73344c0a1750d
Author: Arve Hjønnevåg
Date: Tue Oct 16 15:29:54 2012 -0700

    Staging: android: binder: Fix memory leak on thread/process exit

    commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream.

    If a thread or process exited while a reply, one-way transaction or death notification was pending, the struct holding the pending work was leaked.

    Signed-off-by: Arve Hjønnevåg
    Signed-off-by: Greg Kroah-Hartman

commit 7886abd88bc7c4c145a2260844795604d569596b
Author: Geert Uytterhoeven
Date: Sat Sep 29 22:23:19 2012 +0200

    sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()

    commit 66081a72517a131430dcf986775f3268aafcb546 upstream.

    The warning check for duplicate sysfs entries can cause a buffer overflow when printing the warning, as strcat() doesn't check buffer sizes. Use strlcat() instead.

    Since strlcat() doesn't return a pointer to the passed buffer, unlike strcat(), I had to convert the nested concatenation in sysfs_add_one() to an admittedly more obscure comma operator construct, to avoid emitting code for the concatenation if CONFIG_BUG is disabled.

    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Greg Kroah-Hartman

commit 11c5035c9cfb7af7cfedd42e236d52f9c6bd1c49
Author: Oliver Neukum
Date: Wed Oct 17 12:17:50 2012 +0200

    xhci: endianness xhci_calculate_intel_u2_timeout

    commit 966e7a854177097083683176ced871558b631a12 upstream.

    An le16 is accessed without conversion.

    This patch should be backported to kernels as old as 3.5, that contain the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel U1/U2 timeout policy."
    Signed-off-by: Oliver Neukum
    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman

commit 15e01c0ef27c323ac1a97ba50b3021eab33a96c9
Author: Oliver Neukum
Date: Wed Oct 17 10:16:16 2012 +0200

    xhci: fix integer overflow

    commit 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed upstream.

    xhci_service_interval_to_ns() returns long long to avoid an overflow. However, the type cast happens too late. The fix is to force ULL from the beginning.

    This patch should be backported to kernels as old as 3.5, that contain the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel U1/U2 timeout policy."

    Signed-off-by: Oliver Neukum
    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman

commit 288a8f85227007e326758197a3ad7cd56d66e3e3
Author: Sarah Sharp
Date: Tue Oct 16 13:17:43 2012 -0700

    xhci: Fix potential NULL ptr deref in command cancellation.

    commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.

    The command cancellation code doesn't check whether find_trb_seg() couldn't find the segment that contains the TRB to be canceled. This could cause a NULL pointer dereference later in the function when next_trb is called. It's unlikely to happen unless something is wrong with the command ring pointers, so add some debugging in case it happens.

    This patch should be backported to stable kernels as old as 3.0, that contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI: handle command after aborting the command ring".

    Signed-off-by: Sarah Sharp
    Signed-off-by: Greg Kroah-Hartman

commit cb499284d1cf7de50b85fcfb3248bae2db090d14
Author: Trond Myklebust
Date: Wed Oct 24 08:53:35 2012 -0400

    LOCKD: Clear ln->nsm_clnt only when ln->nsm_users is zero

    commit e498daa81295d02f7359af313c2b7f87e1062207 upstream.

    The current code is clearing it in all cases _except_ when zero.
    Reported-by: Stanislav Kinsbursky
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit eeaeb30f888f0872c029b441a69d67f43e712c80
Author: Trond Myklebust
Date: Tue Oct 23 17:50:07 2012 -0400

    SUNRPC: Prevent races in xs_abort_connection()

    commit 4bc1e68ed6a8b59be8a79eb719be515a55c7bc68 upstream.

    The call to xprt_disconnect_done() that is triggered by a successful connection reset will trigger another automatic wakeup of all tasks on the xprt->pending rpc_wait_queue. In particular it will cause an early wake up of the task that called xprt_connect().

    All we really want to do here is clear all the socket-specific state flags, so we split that functionality out of xs_sock_mark_closed() into a helper that can be called by xs_abort_connection()

    Reported-by: Chris Perl
    Signed-off-by: Trond Myklebust
    Tested-by: Chris Perl
    Signed-off-by: Greg Kroah-Hartman

commit cafefcb3f8be77ef156b4b3bd52a5374b3533679
Author: Trond Myklebust
Date: Tue Oct 23 13:51:58 2012 -0400

    LOCKD: fix races in nsm_client_get

    commit a4ee8d978e47e79d536226dccb48991f70091168 upstream.

    Commit e9406db20fecbfcab646bad157b4cfdc7cadddfb (lockd: per-net NSM client creation and destruction helpers introduced) contains a nasty race on initialisation of the per-net NSM client because it doesn't check whether or not the client is set after grabbing the nsm_create_mutex.

    Reported-by: Nix
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 2edc5969320d6e7f13d6d74e9bd3d8c0b8ec3684
Author: Trond Myklebust
Date: Tue Oct 23 11:40:02 2012 -0400

    Revert "SUNRPC: Ensure we close the socket on EPIPE errors too..."

    commit b9d2bb2ee537424a7f855e1f93eed44eb9ee0854 upstream.

    This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e. Now that we clear the connected flag when entering TCP_CLOSE_WAIT, the deadlock described in this commit is no longer possible. Instead, the resulting call to xs_tcp_shutdown() can interfere with pending reconnection attempts.
    Reported-by: Chris Perl
    Signed-off-by: Trond Myklebust
    Tested-by: Chris Perl
    Signed-off-by: Greg Kroah-Hartman

commit a340197a85e4a27b3f974ffb6ab0308cc3f2edbc
Author: Trond Myklebust
Date: Tue Oct 23 11:35:47 2012 -0400

    SUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAIT

    commit d0bea455dd48da1ecbd04fedf00eb89437455fdc upstream.

    This is needed to ensure that we call xprt_connect() upon the next call to call_connect().

    Signed-off-by: Trond Myklebust
    Tested-by: Chris Perl
    Signed-off-by: Greg Kroah-Hartman

commit 27d32c280df4953e2a28f8c8ff2d9491effa3a4c
Author: Trond Myklebust
Date: Mon Oct 22 17:14:36 2012 -0400

    SUNRPC: Get rid of the xs_error_report socket callback

    commit f878b657ce8e7d3673afe48110ec208a29e38c4a upstream.

    Chris Perl reports that we're seeing races between the wakeup call in xs_error_report and the connect attempts. Basically, Chris has shown that in certain circumstances, the call to xs_error_report causes the rpc_task that is responsible for reconnecting to wake up early, thus triggering a disconnect and retry.

    Since the sk->sk_error_report() calls in the socket layer are always followed by a tcp_done() in the cases where we care about waking up the rpc_tasks, just let the state_change callbacks take responsibility for those wake ups.

    Reported-by: Chris Perl
    Signed-off-by: Trond Myklebust
    Tested-by: Chris Perl
    Signed-off-by: Greg Kroah-Hartman

commit b2cbf7d3826c2dc36ce2c0332befb2dd281960ea
Author: Jan Kara
Date: Thu Oct 25 13:37:31 2012 -0700

    mm: fix XFS oops due to dirty pages without buffers on s390

    commit ef5d437f71afdf4afdbab99213add99f4b1318fd upstream.

    On s390 any write to a page (even from kernel itself) sets architecture specific page dirty bit. Thus when a page is written to via buffered write, HW dirty bit gets set and when we later map and unmap the page, page_remove_rmap() finds the dirty bit and calls set_page_dirty().

    Dirtying of a page which shouldn't be dirty can cause all sorts of problems to filesystems.
    The bug we observed in practice is that buffers from the page get freed, so when the page gets later marked as dirty and writeback writes it, XFS crashes due to an assertion BUG_ON(!PagePrivate(page)) in page_buffers() called from xfs_count_page_state().

    A similar problem can also happen when the zero_user_segment() call from xfs_vm_writepage() (or block_write_full_page() for that matter) sets the hardware dirty bit during writeback, later buffers get freed, and then the page is unmapped.

    Fix the issue by ignoring s390 HW dirty bit for page cache pages of mappings with mapping_cap_account_dirty(). This is safe because for such mappings when a page gets marked as writeable in PTE it is also marked dirty in do_wp_page() or do_page_fault(). When the dirty bit is cleared by clear_page_dirty_for_io(), the page gets writeprotected in page_mkclean(). So pagecache page is writeable if and only if it is dirty.

    Thanks to Hugh Dickins for pointing out mapping has to have mapping_cap_account_dirty() for things to work and proposing a cleaned up variant of the patch.

    The patch has survived about two hours of running fsx-linux on tmpfs while heavily swapping and several days of running on our build machines where the original problem was triggered.

    Signed-off-by: Jan Kara
    Cc: Martin Schwidefsky
    Cc: Mel Gorman
    Cc: Hugh Dickins
    Cc: Heiko Carstens
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 40555316c4423bb20d98c747d32aea5503c463a2
Author: Yinghai Lu
Date: Mon Oct 22 16:35:18 2012 -0700

    x86, mm: Trim memory in memblock to be page aligned

    commit 6ede1fd3cb404c0016de6ac529df46d561bd558b upstream.

    We will not map partial pages, so need to make sure memblock allocation will not allocate those bytes out.

    Also we will use for_each_mem_pfn_range() to loop to map memory range to keep them consistent.

    Signed-off-by: Yinghai Lu
    Link: http://lkml.kernel.org/r/CAE9FiQVZirvaBMFYRfXMmWEcHbKSicQEHz4VAwUv0xFCk51ZNw@mail.gmail.com
    Acked-by: Jacob Shin
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 8a9ff86ca1afa2381646774e4c5f10fb10996378
Author: Dave Young
Date:   Thu Oct 18 14:33:23 2012 +0800

    Revert "x86/mm: Fix the size calculation of mapping tables"

    commit 7b16bbf97375d9fb7fc107b3f80afeb94a204e44 upstream.

    Commit:

       722bc6b16771 x86/mm: Fix the size calculation of mapping tables

    Tried to address the issue that the first 2/4M should use 4k pages if PSE enabled, but extra counts should only be valid for x86_32.

    This commit caused a kdump regression: the kdump kernel hangs.

    Work is in progress to fundamentally fix the various page table initialization issues that we have, via the design suggested by H. Peter Anvin, but it's not ready yet to be merged.

    So, to get a working kdump revert to the last known working version, which is the revert of this commit and of a followup fix (which was incomplete):

       bd2753b2dda7 x86/mm: Only add extra pages count for the first memory range during pre-allocation

    Tested kdump on physical and virtual machines.

    Signed-off-by: Dave Young
    Acked-by: Yinghai Lu
    Acked-by: Cong Wang
    Acked-by: Flavio Leitner
    Tested-by: Flavio Leitner
    Cc: Dan Carpenter
    Cc: Cong Wang
    Cc: Flavio Leitner
    Cc: Tejun Heo
    Cc: ianfang.cn@gmail.com
    Cc: Vivek Goyal
    Cc: Linus Torvalds
    Cc: Andrew Morton
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit e7ecfa878b2a49dbe28349d9529ee52777f86225
Author: Jan Beulich
Date:   Thu Oct 4 14:48:10 2012 +0100

    x86-64: Fix page table accounting

    commit 876ee61aadf01aa0db981b5d249cbdd53dc28b5e upstream.

    Commit 20167d3421a089a1bf1bd680b150dc69c9506810 ("x86-64: Fix accounting in kernel_physical_mapping_init()") went a little too far by entirely removing the counting of pre-populated page tables: this should be done at boot time (to cover the page tables set up in early boot code), but shouldn't be done during memory hot add.

    Hence, re-add the removed increments of "pages", but make them and the one in phys_pte_init() conditional upon !after_bootmem.

    Reported-Acked-and-Tested-by: Hugh Dickins
    Signed-off-by: Jan Beulich
    Link: http://lkml.kernel.org/r/506DAFBA020000780009FA8C@nat28.tlf.novell.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit cd88996ecbb6f66edd1dbcd15c1219f3291a3733
Author: Will Deacon
Date:   Fri Oct 19 17:53:01 2012 +0100

    ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count

    commit 5f40b909728ad784eb43aa309d3c4e9bdf050781 upstream.

    When booting a secondary CPU, the primary CPU hands two sets of page tables via the secondary_data struct:

        (1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping of the kernel image (i.e. the tables used by init_mm).

        (2) idmap_pgd: an uncached mapping of the .idmap.text ELF section.

    The idmap is generally used when enabling and disabling the MMU, which includes early CPU boot. In this case, the secondary CPU switches to swapper as soon as it enters C code:

        struct mm_struct *mm = &init_mm;
        unsigned int cpu = smp_processor_id();

        /*
         * All kernel threads share the same mm context; grab a
         * reference and switch to it.
         */
        atomic_inc(&mm->mm_count);
        current->active_mm = mm;
        cpumask_set_cpu(cpu, mm_cpumask(mm));
        cpu_switch_mm(mm->pgd, mm);

    This causes a problem on ARMv7, where the identity mapping is treated as strongly-ordered leading to architecturally UNPREDICTABLE behaviour of exclusive accesses, such as those used by atomic_inc.

    This patch re-orders the secondary_start_kernel function so that we switch to swapper before performing any exclusive accesses.

    Reported-by: Gilles Chanteperdrix
    Cc: David McKay
    Signed-off-by: Will Deacon
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit e5982ed6b4de838a30c6dfaa255ffdcc8c5584f2
Author: Thadeu Lima de Souza Cascardo
Date:   Thu Oct 25 13:37:51 2012 -0700

    genalloc: stop crashing the system when destroying a pool

    commit eedce141cd2dad8d0cefc5468ef41898949a7031 upstream.

    The genalloc code uses the bitmap API from include/linux/bitmap.h and lib/bitmap.c, which is based on long values. Both bitmap_set from lib/bitmap.c and bitmap_set_ll, which is the lockless version from genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in the bitmap.

    That one uses (1 << bits) - 1, 0b111, if you are setting the first three bits. This means that the API counts from the least significant bits (LSB from now on) to the MSB. The LSB in the first long is bit 0, then. The same works for the lookup functions.

    The genalloc code uses longs for the bitmap, as it should. In include/linux/genalloc.h, struct gen_pool_chunk has unsigned long bits[0] as its last member. When allocating the struct, genalloc should reserve enough space for the bitmap. This should be a proper number of longs that can fit the amount of bits in the bitmap.

    However, genalloc allocates an integer number of bytes that fit the amount of bits, but may not be an integer amount of longs. 9 bytes, for example, could be allocated for 70 bits.

    This is a problem in itself if the Least Significant Bit in a long is in the byte with the largest address, which happens in Big Endian machines. This means genalloc is not allocating the byte in which it will try to set or check for a bit.

    This may end up in memory corruption, where genalloc will try to set the bits it has not allocated. In fact, genalloc may not set these bits because it may find them already set, because they were not zeroed since they were not allocated. And that's what causes a BUG when gen_pool_destroy is called and checks for any set bits.

    What really happens is that genalloc uses kmalloc_node with __GFP_ZERO on gen_pool_add_virt. With SLAB and SLUB, this means the whole slab will be cleared, not only the requested bytes. Since struct gen_pool_chunk has a size that is a multiple of 8, and slab sizes are multiples of 8, we get lucky and allocate and clear the right amount of bytes.

    However, this is not the case with SLOB or with older code that did memset after allocating instead of using __GFP_ZERO.

    So, a simple module as this (running 3.6.0), will cause a crash when rmmod'ed.

        [root@phantom-lp2 foo]# cat foo.c
        #include <linux/kernel.h>
        #include <linux/module.h>
        #include <linux/init.h>
        #include <linux/genalloc.h>

        MODULE_LICENSE("GPL");
        MODULE_VERSION("0.1");

        static struct gen_pool *foo_pool;

        static __init int foo_init(void)
        {
                int ret;
                foo_pool = gen_pool_create(10, -1);
                if (!foo_pool)
                        return -ENOMEM;
                ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
                if (ret) {
                        gen_pool_destroy(foo_pool);
                        return ret;
                }
                return 0;
        }

        static __exit void foo_exit(void)
        {
                gen_pool_destroy(foo_pool);
        }

        module_init(foo_init);
        module_exit(foo_exit);
        [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
        CONFIG_SLOB=y
        [root@phantom-lp2 foo]# insmod ./foo.ko
        [root@phantom-lp2 foo]# rmmod foo
        ------------[ cut here ]------------
        kernel BUG at lib/genalloc.c:243!
        cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
            pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
            lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
            sp: c0000000bb0e7be0
           msr: 8000000000029032
          current = 0xc0000000bb0e0000
          paca = 0xc000000006d30e00 softe: 0 irq_happened: 0x01
            pid = 13044, comm = rmmod
        kernel BUG at lib/genalloc.c:243!
        [c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
        [c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
        [c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
        --- Exception: c00 (System Call) at 000000800753d1a0
        SP (fffd0b0e640) is in userspace

    Signed-off-by: Thadeu Lima de Souza Cascardo
    Cc: Paul Gortmaker
    Cc: Benjamin Gaignard
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 36fe350e99a78d973a2a82b6b7dbc01f52044790
Author: Jan Luebbe
Date:   Thu Oct 25 13:38:11 2012 -0700

    drivers/rtc/rtc-imxdi.c: add missing spin lock initialization

    commit fee0de7791f967c2c5f0d43eb7b7261761b45e64 upstream.

    Signed-off-by: Jan Luebbe
    Cc: Alessandro Zummo
    Cc: Roland Stigge
    Cc: Grant Likely
    Tested-by: Roland Stigge
    Cc: Sascha Hauer
    Cc: Russell King
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 8f86e6317334a1e220b1e4b77979a0fb7149f811
Author: Kees Cook
Date:   Thu Oct 25 13:38:16 2012 -0700

    fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check

    commit 12176503366885edd542389eed3aaf94be163fdb upstream.

    The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check while converting ioctl arguments. This could lead to leaking kernel stack contents into userspace.

    Patch extracted from existing fix in grsecurity.

    Signed-off-by: Kees Cook
    Cc: David Miller
    Cc: Brad Spengler
    Cc: PaX Team
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 73e75b4b4bd0ff7d2911165e9119306b95282c21
Author: Kees Cook
Date:   Thu Oct 25 13:38:14 2012 -0700

    gen_init_cpio: avoid stack overflow when expanding

    commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.

    Fix possible overflow of the buffer used for expanding environment variables when building file list.

    In the extremely unlikely case of an attacker having control over the environment variables visible to gen_init_cpio, control over the contents of the file gen_init_cpio parses, and gen_init_cpio was built without compiler hardening, the attacker can gain arbitrary execution control via a stack buffer overflow.

        $ cat usr/crash.list
        file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
        $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
        *** buffer overflow detected ***: ./usr/gen_init_cpio terminated

    This also replaces the space-indenting with tabs.

    Patch based on existing fix extracted from grsecurity.

    Signed-off-by: Kees Cook
    Cc: Michal Marek
    Cc: Brad Spengler
    Cc: PaX Team
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f625bfd3fb3768dd116303e87799c40f1a4cd92e
Author: Linus Torvalds
Date:   Fri Oct 26 10:05:07 2012 -0700

    VFS: don't do protected {sym,hard}links by default

    commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 upstream.

    In commit 800179c9b8a1 ("This adds symlink and hardlink restrictions to the Linux VFS"), the new link protections were enabled by default, in the hope that no actual application would care, despite it being technically against legacy UNIX (and documented POSIX) behavior.

    However, it does turn out to break some applications. It's rare, and it's unfortunate, but it's unacceptable to break existing systems, so we'll have to default to legacy behavior.

    In particular, it has broken the way AFD distributes files, see http://www.dwd.de/AFD/ along with some legacy scripts.

    Distributions can end up setting this at initrd time or in system scripts: if you have security problems due to link attacks during your early boot sequence, you have bigger problems than some kernel sysctl setting. Do:

        echo 1 > /proc/sys/fs/protected_symlinks
        echo 1 > /proc/sys/fs/protected_hardlinks

    to re-enable the link protections.

    Alternatively, we may at some point introduce a kernel config option that sets these kinds of "more secure but not traditional" behavioural options automatically.

    Reported-by: Nick Bowler
    Reported-by: Holger Kiehl
    Cc: Kees Cook
    Cc: Ingo Molnar
    Cc: Andrew Morton
    Cc: Al Viro
    Cc: Alan Cox
    Cc: Theodore Ts'o
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 64d03fc009db65b2308c7e6319c58454f499632a
Author: Takashi Iwai
Date:   Sat Oct 20 10:55:21 2012 +0200

    ALSA: hda - Fix silent headphone output from Toshiba P200

    commit cb766404e6b8c566569eb9ada02ea45d28729864 upstream.

    For some reason, Toshiba laptop doesn't like the EAPD turned up for the headphone pin. Add a fix up code to force to turn down EAPD for NID 0x15.

    Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=569991

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 92b0d35d9926aa5e17540928b18cc7a997ab78cc
Author: Stefán Freyr
Date:   Fri Oct 19 22:46:00 2012 +0200

    ALSA: hda - add dock support for Thinkpad T430

    commit 84f98fdf7865fbd35b312eb39ea91e5618c514c7 upstream.

    I have a Lenovo ThinkPad T430 and an UltraBase Series 3 docking station. Without this patch, if I plug my headphones into the jack on the computer, everything works fine. The computer speakers mute and the audio is played in the headphones. However, if I plug into the docking station headphone jack the computer speakers are muted but there is no audio in the headphones.

    Addresses https://bugs.launchpad.net/bugs/1060372

    Signed-off-by: Joseph Salisbury
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 7eff2fdcdb9c78d8d2c9e27b223d67b4a9da3a5a
Author: Alex Deucher
Date:   Fri Oct 19 13:27:04 2012 -0400

    drm/radeon: add error output if VM CS fails on cayman

    commit c71721324c612f7f040657ce9917d87f530f9784 upstream.

    So we know why the CS was rejected.

    Signed-off-by: Alex Deucher
    Signed-off-by: Greg Kroah-Hartman

commit 1aafcaec30b2b4cfcab0472692426f46ab104ef9
Author: Alex Deucher
Date:   Tue Oct 16 12:51:45 2012 -0400

    drm/radeon: add some new SI PCI ids

    commit b6aa22db7857ab7ed042d6c56b800bfc727cfdff upstream.

    Signed-off-by: Alex Deucher
    Signed-off-by: Greg Kroah-Hartman
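
Added example, not code from the kernel tree or from the genalloc commit above: a userspace model of the sizing problem that commit message describes, comparing a bitmap allocation rounded to whole bytes with one rounded to whole longs and counting the bits whose byte falls outside it. The function names and the explicit long_bytes and big_endian parameters are assumptions, chosen so the result is the same on any host.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes reserved when the bit count is rounded up to whole bytes. */
static size_t alloc_whole_bytes(size_t nbits)
{
	return (nbits + 7) / 8;
}

/* Bytes reserved when the bit count is rounded up to whole longs. */
static size_t alloc_whole_longs(size_t nbits, size_t long_bytes)
{
	size_t bits_per_long = long_bytes * 8;
	return (nbits + bits_per_long - 1) / bits_per_long * long_bytes;
}

/* Memory offset of the byte holding `bit`; bit 0 is the LSB of long 0. */
static size_t byte_of_bit(size_t bit, size_t long_bytes, int big_endian)
{
	size_t word = bit / (long_bytes * 8);
	size_t lsb_byte = (bit % (long_bytes * 8)) / 8; /* 0 = least significant */
	if (big_endian)
		lsb_byte = long_bytes - 1 - lsb_byte; /* LSB sits at highest address */
	return word * long_bytes + lsb_byte;
}

/* How many of the first nbits live in a byte beyond the allocation. */
static size_t bits_outside(size_t nbits, size_t alloc, size_t lb, int big_endian)
{
	size_t bit, outside = 0;
	for (bit = 0; bit < nbits; bit++)
		if (byte_of_bit(bit, lb, big_endian) >= alloc)
			outside++;
	return outside;
}

int main(void)
{
	size_t nbits = 70, lb = 8; /* the commit's 70-bit case, 64-bit longs */
	printf("bytes: %zu alloc, %zu bits outside on BE, %zu on LE\n",
	       alloc_whole_bytes(nbits),
	       bits_outside(nbits, alloc_whole_bytes(nbits), lb, 1),
	       bits_outside(nbits, alloc_whole_bytes(nbits), lb, 0));
	printf("longs: %zu alloc, %zu bits outside on BE\n",
	       alloc_whole_longs(nbits, lb),
	       bits_outside(nbits, alloc_whole_longs(nbits, lb), lb, 1));
	return 0;
}
```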
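
Added example, not the gen_init_cpio patch itself: one way to expand ${NAME} references into a fixed-size buffer with the bounds check whose absence the gen_init_cpio commit above describes. expand_env, append, sample_env and the rule that an unset variable expands to nothing are assumptions; a lookup callback stands in for getenv() so the constructed sample environment is embedded inline.

```c
#include <string.h>

/* Constructed sample environment standing in for getenv(). */
static const char *sample_env(const char *name)
{
	if (strcmp(name, "BIG") == 0) /* 4 x 8 = 32 bytes */
		return "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
	return strcmp(name, "DIR") == 0 ? "bin" : NULL; /* NULL: unset */
}

/* Append n bytes only if they fit together with the terminating NUL. */
static int append(char *dst, size_t cap, size_t *len, const char *s, size_t n)
{
	if (n >= cap - *len)
		return -1;
	memcpy(dst + *len, s, n);
	*len += n;
	dst[*len] = '\0';
	return 0;
}

/* Expand ${NAME} in src into dst[cap]; -1 on malformed input or no room. */
static int expand_env(const char *src, char *dst, size_t cap,
		      const char *(*lookup)(const char *))
{
	char name[64];
	size_t len = 0, nlen;
	const char *start, *end, *val;
	if (cap == 0)
		return -1;
	dst[0] = '\0';
	while ((start = strstr(src, "${")) != NULL) {
		end = strchr(start + 2, '}');
		if (!end || (nlen = (size_t)(end - start - 2)) >= sizeof(name))
			return -1;
		memcpy(name, start + 2, nlen);
		name[nlen] = '\0';
		val = lookup(name);
		if (append(dst, cap, &len, src, (size_t)(start - src)) ||
		    (val && append(dst, cap, &len, val, strlen(val))))
			return -1;
		src = end + 1;
	}
	return append(dst, cap, &len, src, strlen(src));
}

int main(void)
{
	char out[64]; /* constructed input: 96 bytes of expansion into 64 */
	return expand_env("${BIG}${BIG}${BIG}", out, sizeof(out), sample_env) != -1;
}
```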