commit 2f2ce136c8983e7b179ef8ab6097c2dcf9c5150e Author: Greg Kroah-Hartman Date: Sat Nov 26 09:12:06 2011 -0800 Linux 2.6.32.49 commit 9345f184dad224ff5ed726a7b67ca999384de262 Author: Alan Cox Date: Sun Nov 13 18:25:20 2011 +0300 tty: icount changeover for other main devices commit 0587102cf9f427c185bfdeb2cef41e13ee0264b1 upstream Again basically cut and paste Convert the main driver set to use the hooks for GICOUNT Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Dan Carpenter commit eb44c0460c54e9f3f37d139f67c52b753319dd67 Author: Alan Cox Date: Sun Nov 13 18:24:57 2011 +0300 tty: Make tiocgicount a handler commit d281da7ff6f70efca0553c288bb883e8605b3862 upstream Dan Rosenberg noted that various drivers return the struct with uncleared fields. Instead of spending forever trying to stomp all the drivers that get it wrong (and every new driver) do the job in one place. This first patch adds the needed operations and hooks them up, including the needed USB midlayer and serial core plumbing. Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Dan Carpenter commit eed767852eac13ed89e66e9a89c8668fdc79ae93 Author: sordna Date: Thu Oct 27 21:06:26 2011 -0700 USB: quirks: adding more quirky webcams to avoid squeaky audio commit 0d145d7d4a241c321c832a810bb6edad18e2217b upstream. The following patch contains additional affected webcam models, on top of the patches commited to linux-next 2394d67e446bf616a0885167d5f0d397bdacfdfc and 5b253d88cc6c65a23cefc457a5a4ef139913c5fc Signed-off-by: sordna Cc: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 3027d2095cb4fe07dbb4441db08ddcbef8c77c14 Author: Josh Boyer Date: Wed Oct 26 13:53:17 2011 -0400 USB: add quirk for Logitech C600 web cam commit 60c71ca972a2dd3fd9d0165b405361c8ad48349b upstream. We've had another report of the "chipmunk" sound on a Logitech C600 webcam. This patch resolves the issue. Signed-off-by: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit a7c5393627f3bbb97d22f98823b660e6b62b67db Author: Alan Stern Date: Tue Oct 25 10:50:58 2011 -0400 usb-storage: Accept 8020i-protocol commands longer than 12 bytes commit 2f640bf4c94324aeaa1b6385c10aab8c5ad1e1cf upstream. The 8020i protocol (also 8070i and QIC-157) uses 12-byte commands; shorter commands must be padded. Simon Detheridge reports that his 3-TB USB disk drive claims to use the 8020i protocol (which is normally meant for ATAPI devices like CD drives), and because of its large size, the disk drive requires the use of 16-byte commands. However the usb_stor_pad12_command() routine in usb-storage always sets the command length to 12, making the drive impossible to use. Since the SFF-8020i specification allows for 16-byte commands in future extensions, we may as well accept them. This patch (as1490) changes usb_stor_pad12_command() to leave commands larger than 12 bytes alone rather than truncating them. Signed-off-by: Alan Stern Tested-by: Simon Detheridge CC: Matthew Dharm Signed-off-by: Greg Kroah-Hartman commit 552f6bf1bb0eda0011c0525dd587aa9e7ba5b846 Author: Andrew Worsley Date: Fri Nov 18 23:13:33 2011 +1100 USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c commit b1ffb4c851f185e9051ba837c16d9b84ef688d26 upstream. Fix for ftdi_set_termios() glitching output ftdi_set_termios() is constantly setting the baud rate, data bits and parity unnecessarily on every call, . When called while characters are being transmitted can cause the FTDI chip to corrupt the serial port bit stream output by stalling the output half a bit during the output of a character. Simple fix by skipping this setting if the baud rate/data bits/parity are unchanged. Signed-off-by: Andrew Worsley Signed-off-by: Greg Kroah-Hartman commit 4ea27e18d645d3706675bb4d49330ffe867dd487 Author: wangyanqing Date: Thu Nov 10 14:04:08 2011 +0800 USB: serial: pl2303: rm duplicate id commit 0c16595539b612fe948559433dda08ff96a8bdc7 upstream. I get report from customer that his usb-serial converter doesn't work well,it sometimes work, but sometimes it doesn't. The usb-serial converter's id: vendor_id product_id 0x4348 0x5523 Then I search the usb-serial codes, and there are two drivers announce support this device, pl2303 and ch341, commit 026dfaf1 cause it. Through many times to test, ch341 works well with this device, and pl2303 doesn't work quite often(it just work quite little). ch341 works well with this device, so we doesn't need pl2303 to support.I try to revert 026dfaf1 first, but it failed. So I prepare this patch by hand to revert it. Signed-off-by: Wang YanQing Signed-off-by: Greg Kroah-Hartman commit f4cf7f671c87c93233386fab0d70db807dc1b5ac Author: Michal Marek Date: Mon May 2 12:51:15 2011 +0200 kbuild: Fix passing -Wno-* options to gcc 4.4+ commit 8417da6f2128008c431c7d130af6cd3d9079922e upstream. Starting with 4.4, gcc will happily accept -Wno- in the cc-option test and complain later when compiling a file that has some other warning. This rather unexpected behavior is intentional as per http://gcc.gnu.org/PR28322, so work around it by testing for support of the opposite option (without the no-). Introduce a new Makefile function cc-disable-warning that does this and update two uses of cc-option in the toplevel Makefile. Reported-and-tested-by: Stephen Rothwell Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 85c269fa465918e1ba4668cf8c04de68e7b2298d Author: Shan Wei Date: Tue Apr 19 22:52:49 2011 +0000 ipv6: udp: fix the wrong headroom check commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream. At this point, skb->data points to skb_transport_header. So, headroom check is wrong. For some case:bridge(UFO is on) + eth device(UFO is off), there is no enough headroom for IPv6 frag head. But headroom check is always false. This will bring about data be moved to there prior to skb->head, when adding IPv6 frag header to skb. Signed-off-by: Shan Wei Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f26b4e9506488626dfaacd6733f7e963f4c4ffc2 Author: Mitsuo Hayasaka Date: Thu Nov 10 13:37:16 2011 +0900 mm: avoid null pointer access in vm_struct via /proc/vmallocinfo commit f5252e009d5b87071a919221e4f6624184005368 upstream The /proc/vmallocinfo shows information about vmalloc allocations in vmlist that is a linklist of vm_struct. It, however, may access pages field of vm_struct where a page was not allocated. This results in a null pointer access and leads to a kernel panic. Why this happen: In __vmalloc_node() called from vmalloc(), newly allocated vm_struct is added to vmlist at __get_vm_area_node() and then, some fields of vm_struct such as nr_pages and pages are set at __vmalloc_area_node(). In other words, it is added to vmlist before it is fully initialized. At the same time, when the /proc/vmallocinfo is read, it accesses the pages field of vm_struct according to the nr_pages field at show_numa_info(). Thus, a null pointer access happens. Patch: This patch adds newly allocated vm_struct to the vmlist *after* it is fully initialized. So, it can avoid accessing the pages field with unallocated page when show_numa_info() is called. Signed-off-by: Mitsuo Hayasaka Cc: Andrew Morton Cc: David Rientjes Cc: Namhyung Kim Cc: "Paul E. McKenney" Cc: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 5e87d8ee34e32fda720f3a4e4055f570b09230d6 Author: Ian Campbell Date: Wed Nov 9 08:53:09 2011 +0000 genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier commit 9bab0b7fbaceec47d32db51cd9e59c82fb071f5a upstream This adds a mechanism to resume selected IRQs during syscore_resume instead of dpm_resume_noirq. Under Xen we need to resume IRQs associated with IPIs early enough that the resched IPI is unmasked and we can therefore schedule ourselves out of the stop_machine where the suspend/resume takes place. This issue was introduced by 676dc3cf5bc3 "xen: Use IRQF_FORCE_RESUME". Back ported to 2.6.32 (which lacks syscore support) by calling the relavant resume function directly from sysdev_resume). v2: Fixed non-x86 build errors. Signed-off-by: Ian Campbell Cc: Rafael J. Wysocki Cc: Jeremy Fitzhardinge Cc: xen-devel Cc: Konrad Rzeszutek Wilk Link: http://lkml.kernel.org/r/1318713254.11016.52.camel@dagon.hellion.org.uk Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9e1300a17346bdef3c4edabf1cb8135e52ffeb33 Author: Chris Wilson Date: Tue Nov 15 09:51:15 2011 +0300 drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow commit 7dcd2499deab8f10011713c40bc2f309c9b65077 upstream ... and do the same for pread. Signed-off-by: Chris Wilson Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit 4609e74a3eead6f129eb470ed5e3d09b2a2978d0 Author: Chris Wilson Date: Tue Nov 15 09:39:33 2011 +0300 drm/i915: Sanity check pread/pwrite commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream. Move the access control up from the fast paths, which are no longer universally taken first, up into the caller. This then duplicates some sanity checking along the slow paths, but is much simpler. Tracked as CVE-2010-2962. Reported-by: Kees Cook Signed-off-by: Chris Wilson Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit d304a4f50fe04274a9a1b6bdeb5e0218df1d38e8 Author: Herton Ronaldo Krzesinski Date: Fri Nov 18 10:50:56 2011 -0200 Revert "ALSA: hda: Fix quirk for Dell Inspiron 910" This reverts commit fdb1e4e9d85b973679d56f23ccf9017ff85fd11f. It was wrong included in 2.6.32 stable (was intended for 2.6.38+ in the original commit changelog in Linus tree), and causes a regression on 2.6.32 (https://launchpad.net/bugs/875300). Signed-off-by: Herton Ronaldo Krzesinski Signed-off-by: Greg Kroah-Hartman commit f6ee9e1716dd692b4aafeb679295bafa9cfe40c2 Author: Mauro Carvalho Chehab Date: Mon Dec 27 08:27:05 2010 -0300 Remove the old V4L1 v4lgrab.c file commit 55fe25b418640fad04190103274841b2c907bacd upstream. This example file uses the old V4L1 API. It also doesn't use libv4l. So, it is completely obsolete. A good example already exists at v4l-utils (v4l2grab.c): http://git.linuxtv.org/v4l-utils.git Reviewed-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 61d433c479a6ccfed6a7e73e6111ca8fa0348c63 Author: NeilBrown Date: Tue Nov 8 16:22:01 2011 +1100 md/raid5: abort any pending parity operations when array fails. commit 9a3f530f39f4490eaa18b02719fb74ce5f4d2d86 upstream. When the number of failed devices exceeds the allowed number we must abort any active parity operations (checks or updates) as they are no longer meaningful, and can lead to a BUG_ON in handle_parity_checks6. This bug was introduce by commit 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8 in 2.6.29. Reported-by: Manish Katiyar Tested-by: Manish Katiyar Acked-by: Dan Williams Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 26227d2906ed5a65f7636ed5cf1c7e42bc4d14e1 Author: Axel Lin Date: Wed Oct 26 09:53:41 2011 +0800 ASoC: wm8940: Properly set codec->dapm.bias_level commit 5927f94700e860ae27ff24e7f3bc9e4f7b9922eb upstream. Reported-by: Chris Paulson-Ellis Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 126a2f643ee673c6dfdf782fc84ffb400bd3c4c5 Author: Dave Jones Date: Thu Apr 21 17:28:13 2011 -0400 kbuild: Disable -Wunused-but-set-variable for gcc 4.6.0 commit af0e5d565d2fffcd97d1e2d89669d627cc04e8b8 upstream. Disable the new -Wunused-but-set-variable that was added in gcc 4.6.0 It produces more false positives than useful warnings. This can still be enabled using W=1 [gregkh - No it can not for 2.6.32, but we don't care] Signed-off-by: Dave Jones Acked-by: Sam Ravnborg Tested-by: Sam Ravnborg Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 77e2d3fa9c82233a6f93759651d60bd4b1f013f5 Author: Dan Carpenter Date: Mon Nov 14 17:52:08 2011 +0300 hfs: add sanity check for file name length commit bc5b8a9003132ae44559edd63a1623b7b99dfb68 upstream. On a corrupted file system the ->len field could be wrong leading to a buffer overflow. Reported-and-acked-by: Clement LECIGNE Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c4b16f7f222bb71d44a94a75f291d3fc2c9292b5 Author: Dan Carpenter Date: Wed Sep 21 20:55:04 2011 +0200 PM / Suspend: Off by one in pm_suspend() commit 528f7ce6e439edeac38f6b3f8561f1be129b5e91 upstream. In enter_state() we use "state" as an offset for the pm_states[] array. The pm_states[] array only has PM_SUSPEND_MAX elements so this test is off by one. Signed-off-by: Dan Carpenter Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 1ae8bbc2af2d188dcce1c8d32831ce6bccbaecde Author: Peter Wippich Date: Mon Jun 6 15:50:58 2011 +0200 mtd: mtdchar: add missing initializer on raw write commit bf5140817b2d65faac9b32fc9057a097044ac35b upstream. On writes in MODE_RAW the mtd_oob_ops struct is not sufficiently initialized which may cause nandwrite to fail. With this patch it is possible to write raw nand/oob data without additional ECC (either for testing or when some sectors need different oob layout e.g. bootloader) like nandwrite -n -r -o /dev/mtd0 Signed-off-by: Peter Wippich Tested-by: Ricard Wanderlof Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 7a0d6aef962b19ac2780bec718a852aa975db618 Author: Johannes Berg Date: Thu Nov 3 00:07:32 2011 +0000 netlink: validate NLA_MSECS length commit c30bc94758ae2a38a5eb31767c1985c0aae0950b upstream. L2TP for example uses NLA_MSECS like this: policy: [L2TP_ATTR_RECV_TIMEOUT] = { .type = NLA_MSECS, }, code: if (info->attrs[L2TP_ATTR_RECV_TIMEOUT]) cfg.reorder_timeout = nla_get_msecs(info->attrs[L2TP_ATTR_RECV_TIMEOUT]); As nla_get_msecs() is essentially nla_get_u64() plus the conversion to a HZ-based value, this will not properly reject attributes from userspace that aren't long enough and might overrun the message. Add NLA_MSECS to the attribute minlen array to check the size properly. Cc: Thomas Graf Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fb088f3ff1ba888aca715dd4b846cc9384431089 Author: NeilBrown Date: Tue Oct 25 10:25:49 2011 +1100 NFS/sunrpc: don't use a credential with extra groups. commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream. The sunrpc layer keeps a cache of recently used credentials and 'unx_match' is used to find the credential which matches the current process. However unx_match allows a match when the cached credential has extra groups at the end of uc_gids list which are not in the process group list. So if a process with a list of (say) 4 group accesses a file and gains access because of the last group in the list, then another process with the same uid and gid, and a gid list being the first tree of the gids of the original process tries to access the file, it will be granted access even though it shouldn't as the wrong rpc credential will be used. Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 6403980aa8e3aa8ef0a5d3ca9556269b77005613 Author: Bart Van Assche Date: Fri Sep 23 19:48:18 2011 +0200 Make scsi_free_queue() kill pending SCSI commands commit 3308511c93e6ad0d3c58984ecd6e5e57f96b12c8 upstream. Make sure that SCSI device removal via scsi_remove_host() does finish all pending SCSI commands. Currently that's not the case and hence removal of a SCSI host during I/O can cause a deadlock. See also "blkdev_issue_discard() hangs forever if underlying storage device is removed" (http://bugzilla.kernel.org/show_bug.cgi?id=40472). See also http://lkml.org/lkml/2011/8/27/6. Signed-off-by: Bart Van Assche Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit d4da9e6f97a19945901c923e3f8123d40d3524da Author: Petr Uzel Date: Fri Oct 21 13:31:09 2011 +0200 st: fix race in st_scsi_execute_end commit c68bf8eeaa57c852e74adcf597237be149eef830 upstream. The call to complete() in st_scsi_execute_end() wakes up sleeping thread in write_behind_check(), which frees the st_request, thus invalidating the pointer to the associated bio structure, which is then passed to the blk_rq_unmap_user(). Fix by storing pointer to bio structure into temporary local variable. This bug is present since at least linux-2.6.32. Signed-off-by: Petr Uzel Reported-by: Juergen Groß Reviewed-by: Jan Kara Acked-by: Kai Mäkisara Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman