commit 597d50c7a836f80d57d2f6993d4e30d5e1ba7bdb Author: Greg Kroah-Hartman Date: Mon Nov 26 12:15:45 2012 -0800 Linux 3.6.8 commit 19dfc178ae0ed43e3cc8407f7876497a3ee5ba95 Author: Theodore Ts'o Date: Wed Oct 10 01:06:58 2012 -0400 ext4: fix metadata checksum calculation for the superblock commit 06db49e68ae70cf16819b85a14057acb2820776a upstream. The function ext4_handle_dirty_super() was calculating the superblock on the wrong block data. As a result, when the superblock is modified while it is mounted (most commonly, when inodes are added or removed from the orphan list), the superblock checksum would be wrong. We didn't notice because the superblock *was* being correctly calculated in ext4_commit_super(), and this would get called when the file system was unmounted. So the problem only became obvious if the system crashed while the file system was mounted. Fix this by removing the poorly designed function signature for ext4_superblock_csum_set(); if it only took a single argument, the pointer to a struct superblock, the ambiguity which caused this mistake would have been impossible. Reported-by: George Spelvin Signed-off-by: "Theodore Ts'o" Tested-by: George Spelvin commit 03faff7a2288f69b0a2218f1cd0e0d81e31e6509 Author: Felipe Balbi Date: Tue Oct 16 17:09:22 2012 +0300 Revert "serial: omap: fix software flow control" commit a4f743851f74fc3e0cc40c13082e65c24139f481 upstream. This reverts commit 957ee7270d632245b43f6feb0e70d9a5e9ea6cf6 (serial: omap: fix software flow control). As Russell has pointed out, that commit isn't fixing Software Flow Control at all, and it actually makes it even more broken. It was agreed to revert this commit and use Russell's latest UART patches instead. Signed-off-by: Felipe Balbi Cc: Russell King Acked-by: Tony Lindgren Cc: Andreas Bießmann Signed-off-by: Greg Kroah-Hartman commit 4d60ac3f136e26522dbdbff28624f59165a27cd9 Author: Igor Murzov Date: Sat Oct 13 04:41:25 2012 +0400 ACPI video: Ignore errors after _DOD evaluation. commit fba4e087361605d1eed63343bb08811f097c83ee upstream. There are systems where video module known to work fine regardless of broken _DOD and ignoring returned value here doesn't cause any issues later. This should fix brightness controls on some laptops. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=47861 Signed-off-by: Igor Murzov Reviewed-by: Sergey V Signed-off-by: Zhang Rui Signed-off-by: Abdallah Chatila commit dd29ec65092dddc6c9ed533d8a1dca63d4ecb63e Author: Dave Jones Date: Thu Nov 8 16:09:27 2012 -0800 selinux: fix sel_netnode_insert() suspicious rcu dereference commit 88a693b5c1287be4da937699cb82068ce9db0135 upstream. =============================== [ INFO: suspicious RCU usage. ] 3.5.0-rc1+ #63 Not tainted ------------------------------- security/selinux/netnode.c:178 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 1 lock held by trinity-child1/8750: #0: (sel_netnode_lock){+.....}, at: [] sel_netnode_sid+0x16a/0x3e0 stack backtrace: Pid: 8750, comm: trinity-child1 Not tainted 3.5.0-rc1+ #63 Call Trace: [] lockdep_rcu_suspicious+0xfd/0x130 [] sel_netnode_sid+0x3b1/0x3e0 [] ? sel_netnode_find+0x1a0/0x1a0 [] selinux_socket_bind+0xf6/0x2c0 [] ? trace_hardirqs_off+0xd/0x10 [] ? lock_release_holdtime.part.9+0x15/0x1a0 [] ? lock_hrtimer_base+0x31/0x60 [] security_socket_bind+0x16/0x20 [] sys_bind+0x7a/0x100 [] ? sysret_check+0x22/0x5d [] ? trace_hardirqs_on_caller+0x10d/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b This patch below does what Paul McKenney suggested in the previous thread. Signed-off-by: Dave Jones Reviewed-by: Paul E. McKenney Acked-by: Paul Moore Cc: Eric Paris Signed-off-by: Andrew Morton Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 2bd5aecc3d0b659e6dbbc96483737601a69db880 Author: Alex Williamson Date: Tue Nov 13 10:22:03 2012 -0700 intel-iommu: Fix lookup in add device commit 3da4af0affbb797e8ac4c2b4598da0c34b8cc52a upstream. We can't assume this device exists, fall back to the bridge itself. Signed-off-by: Alex Williamson Tested-by: Matthew Thode Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 2811150bc6fc7a64393531dc4cb3d2a9c586e977 Author: Jan Kara Date: Tue Nov 13 18:25:38 2012 +0100 reiserfs: Protect reiserfs_quota_write() with write lock commit 361d94a338a3fd0cee6a4ea32bbc427ba228e628 upstream. Calls into reiserfs journalling code and reiserfs_get_block() need to be protected with write lock. We remove write lock around calls to high level quota code in the next patch so these paths would suddently become unprotected. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 94bdc251fe3e4c14edc5d71d7197ec6e4046f715 Author: Jan Kara Date: Tue Nov 13 17:05:14 2012 +0100 reiserfs: Move quota calls out of write lock commit 7af11686933726e99af22901d622f9e161404e6b upstream. Calls into highlevel quota code cannot happen under the write lock. These calls take dqio_mutex which ranks above write lock. So drop write lock before calling back into quota code. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit eca9da850bab6a60f07d3069ef69254dc79e10dd Author: Jan Kara Date: Tue Nov 13 16:34:17 2012 +0100 reiserfs: Protect reiserfs_quota_on() with write lock commit b9e06ef2e8706fe669b51f4364e3aeed58639eb2 upstream. In reiserfs_quota_on() we do quite some work - for example unpacking tail of a quota file. Thus we have to hold write lock until a moment we call back into the quota code. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 5e6883c0a2d2c59a296864a8db361fca635ffbb2 Author: Jan Kara Date: Tue Nov 13 14:55:52 2012 +0100 reiserfs: Fix lock ordering during remount commit 3bb3e1fc47aca554e7e2cc4deeddc24750987ac2 upstream. When remounting reiserfs dquot_suspend() or dquot_resume() can be called. These functions take dqonoff_mutex which ranks above write lock so we have to drop it before calling into quota code. Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit cc0e742a68460884c8e3bc982a15801b4f2bde54 Author: Szymon Janc Date: Tue Sep 25 12:42:50 2012 +0200 NFC: Use dynamic initialization for rwlocks commit fe235b58d517d623bf6d40c77afca1b0ee6fc85d upstream. If rwlock is dynamically allocated but statically initialized it is missing proper lockdep annotation. INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. Pid: 3352, comm: neard Not tainted 3.5.0-999-nfc+ #2 Call Trace: [] __lock_acquire+0x8f6/0x1bf0 [] ? printk+0x4d/0x4f [] lock_acquire+0x9d/0x220 [] ? nfc_llcp_sock_from_sn+0x4e/0x160 [] _raw_read_lock+0x44/0x60 [] ? nfc_llcp_sock_from_sn+0x4e/0x160 [] nfc_llcp_sock_from_sn+0x4e/0x160 [] nfc_llcp_get_sdp_ssap+0xa7/0x1b0 [] llcp_sock_bind+0x173/0x210 [] sys_bind+0xe4/0x100 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Signed-off-by: Szymon Janc Signed-off-by: Samuel Ortiz Cc: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 38efab61680204d6f7cedfbacdc211ab1cfe0806 Author: Martin Schwidefsky Date: Wed Nov 7 10:44:08 2012 +0100 s390/signal: set correct address space control commit fa968ee215c0ca91e4a9c3a69ac2405aae6e5d2f upstream. If user space is running in primary mode it can switch to secondary or access register mode, this is used e.g. in the clock_gettime code of the vdso. If a signal is delivered to the user space process while it has been running in access register mode the signal handler is executed in access register mode as well which will result in a crash most of the time. Set the address space control bits in the PSW to the default for the execution of the signal handler and make sure that the previous address space control is restored on signal return. Take care that user space can not switch to the kernel address space by modifying the registers in the signal frame. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit d3230589b189623d8d79fd56826001a8076ac5a6 Author: Julian Anastasov Date: Tue Oct 9 13:00:47 2012 +0000 netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper commit bbb5823cf742a7e955f35c7d891e4e936944c33a upstream. After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) we should properly match the nexthop when destinations are directly connected because rt_gateway can be 0. The rt_gateway checks in H.323 helper try to avoid the creation of an unnecessary expectation in this call-forwarding case: http://people.netfilter.org/zhaojingmin/h323_conntrack_nat_helper/#_Toc133598073 However, the existing code fails to avoid that in many cases, see this thread: http://marc.info/?l=linux-netdev&m=135043175028620&w=2 It seems it is not trivial to know from the kernel if two hosts have to go through the firewall to communicate each other, which is the main point of the call-forwarding filter code to avoid creating unnecessary expectations. So this patch just gets things the way they were as before commit f8126f1d51. Signed-off-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 2b5ea01a9e4664d772ec9c8fc088ae48614564cd Author: Eric Dumazet Date: Tue Oct 16 22:33:29 2012 +0000 netfilter: xt_TEE: don't use destination address found in header commit 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b upstream. Torsten Luettgert bisected TEE regression starting with commit f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.) The problem is that it tries to ARP-lookup the original destination address of the forwarded packet, not the address of the gateway. Fix this using FLOWI_FLAG_KNOWN_NH Julian added in commit c92b96553a80c1 (ipv4: Add FLOWI_FLAG_KNOWN_NH), so that known nexthop (info->gw.ip) has preference on resolving. Reported-by: Torsten Luettgert Bisected-by: Torsten Luettgert Tested-by: Torsten Luettgert Cc: Julian Anastasov Signed-off-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 9a406de3049374c0e480baca0ffafd9588c57959 Author: Ulrich Weber Date: Thu Oct 25 05:34:45 2012 +0000 netfilter: nf_nat: don't check for port change on ICMP tuples commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream. ICMP tuples have id in src and type/code in dst. So comparing src.u.all with dst.u.all will always fail here and ip_xfrm_me_harder() is called for every ICMP packet, even if there was no NAT. Signed-off-by: Ulrich Weber Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 4d3440149ead396a3955f08608e535aed0befbc4 Author: Nathan Walp Date: Thu Nov 1 12:08:47 2012 +0000 r8169: allow multicast packets on sub-8168f chipset. commit 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 upstream. RTL_GIGA_MAC_VER_35 includes no multicast hardware filter. Signed-off-by: Nathan Walp Suggested-by: Hayes Wang Acked-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 630a09217dc7c20f7963a2ef785404e80ba98e0b Author: Cyril Brulebois Date: Wed Oct 31 14:00:46 2012 +0000 r8169: Fix WoL on RTL8168d/8111d. commit b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd upstream. This regression was spotted between Debian squeeze and Debian wheezy kernels (respectively based on 2.6.32 and 3.2). More info about Wake-on-LAN issues with Realtek's 816x chipsets can be found in the following thread: http://marc.info/?t=132079219400004 Probable regression from d4ed95d796e5126bba51466dc07e287cebc8bd19; more chipsets are likely affected. Tested on top of a 3.2.23 kernel. Reported-by: Florent Fourcot Tested-by: Florent Fourcot Hinted-by: Francois Romieu Signed-off-by: Cyril Brulebois Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 596365ec90394f937d52ad85fb674cab3d034ab3 Author: Paul Gortmaker Date: Mon Oct 1 11:43:49 2012 -0400 tg3: unconditionally select HWMON support when tg3 is enabled. commit de0a41484c47d783dd4d442914815076aa2caac2 upstream. There is the seldom used corner case where HWMON=m at the same time as TIGON3=y (typically randconfigs) which will cause a link fail like: drivers/built-in.o: In function `tg3_close': tg3.c:(.text+0x16bd86): undefined reference to `hwmon_device_unregister' drivers/built-in.o: In function `tg3_hwmon_open': tg3.c:(.text+0x16fc4b): undefined reference to `hwmon_device_register' make[1]: *** [vmlinux] Error 1 Fix it as suggested by DaveM[1] by having the Kconfig logic simply select HWMON when TIGON3 is selected. This gets rid of all the extra IS_ENABLED ifdeffery in tg3.c as a side benefit. [1] http://marc.info/?l=linux-netdev&m=134250573718151&w=2 Reported-by: Benjamin Herrenschmidt Cc: Michael Chan Reported-by: Anisse Astier Suggested-by: David S. Miller Signed-off-by: Paul Gortmaker Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0c46d72c25ddabd39d02ce5d63fc722f59671c1d Author: Jeff Skirvin Date: Wed Sep 5 21:36:47 2012 -0700 SCSI: isci: Allow SSP tasks into the task management path. commit 54b46677757ff8d6c282305fc7710f466b63d6dc upstream. This commit fixes a driver bug for SSP tasks that require task management in the target after they complete in the SCU hardware. The problem was manifested in the function "isci_task_abort_task", which tests to see if the sas_task.lldd_task is non-NULL before allowing task management; this bug would always NULL lldd_task in the SCU I/O completion path even if target management was required, which would prevent task / target manangement from happening. Note that in the case of SATA/STP targets, error recovery is provided by the libata error handler which is why SATA/STP device recovery worked correctly even though SSP handling did not. Signed-off-by: Jeff Skirvin Signed-off-by: James Bottomley Cc: "Dorau, Lukasz" Signed-off-by: Greg Kroah-Hartman commit 605e644a5c9a8665b39d544354cfc4aafcefc694 Author: Mojiong Qiu Date: Tue Nov 6 16:08:15 2012 +0800 xen/events: fix RCU warning, or Call idle notifier after irq_enter() commit 772aebcefeff310f80e32b874988af0076cb799d upstream. exit_idle() should be called after irq_enter(), otherwise it throws: [ INFO: suspicious RCU usage. ] 3.6.5 #1 Not tainted ------------------------------- include/linux/rcupdate.h:725 rcu_read_lock() used illegally while idle! other info that might help us debug this: RCU used illegally from idle CPU! rcu_scheduler_active = 1, debug_locks = 1 RCU used illegally from extended quiescent state! 1 lock held by swapper/0/0: #0: (rcu_read_lock){......}, at: [] __atomic_notifier_call_chain+0x0/0x140 stack backtrace: Pid: 0, comm: swapper/0 Not tainted 3.6.5 #1 Call Trace: [] lockdep_rcu_suspicious+0xe2/0x130 [] __atomic_notifier_call_chain+0x12c/0x140 [] ? atomic_notifier_chain_unregister+0x90/0x90 [] ? trace_hardirqs_off+0xd/0x10 [] atomic_notifier_call_chain+0x16/0x20 [] exit_idle+0x43/0x50 [] xen_evtchn_do_upcall+0x25/0x50 [] xen_do_hypervisor_callback+0x1e/0x30 [] ? hypercall_page+0x3aa/0x1000 [] ? hypercall_page+0x3aa/0x1000 [] ? xen_safe_halt+0x10/0x20 [] ? default_idle+0xba/0x570 [] ? cpu_idle+0xdf/0x140 [] ? rest_init+0x135/0x144 [] ? csum_partial_copy_generic+0x16c/0x16c [] ? start_kernel+0x3db/0x3e8 [] ? repair_env_string+0x5a/0x5a [] ? x86_64_start_reservations+0x131/0x135 [] ? xen_start_kernel+0x465/0x46 Git commit 98ad1cc14a5c4fd658f9d72c6ba5c86dfd3ce0d5 Author: Frederic Weisbecker Date: Fri Oct 7 18:22:09 2011 +0200 x86: Call idle notifier after irq_enter() did this, but it missed the Xen code. Signed-off-by: Mojiong Qiu Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 8deae47cf81c03c730b6b5d0a21ab3b50cda33c1 Author: Michal Schmidt Date: Sun Sep 9 13:55:26 2012 +0000 r8169: use unlimited DMA burst for TX commit aee77e4accbeb2c86b1d294cd84fec4a12dde3bd upstream. The r8169 driver currently limits the DMA burst for TX to 1024 bytes. I have a box where this prevents the interface from using the gigabit line to its full potential. This patch solves the problem by setting TX_DMA_BURST to unlimited. The box has an ASRock B75M motherboard with on-board RTL8168evl/8111evl (XID 0c900880). TSO is enabled. I used netperf (TCP_STREAM test) to measure the dependency of TX throughput on MTU. I did it for three different values of TX_DMA_BURST ('5'=512, '6'=1024, '7'=unlimited). This chart shows the results: http://michich.fedorapeople.org/r8169/r8169-effects-of-TX_DMA_BURST.png Interesting points: - With the current DMA burst limit (1024): - at the default MTU=1500 I get only 842 Mbit/s. - when going from small MTU, the performance rises monotonically with increasing MTU only up to a peak at MTU=1076 (908 MBit/s). Then there's a sudden drop to 762 MBit/s from which the throughput rises monotonically again with further MTU increases. - With a smaller DMA burst limit (512): - there's a similar peak at MTU=1076 and another one at MTU=564. - With unlimited DMA burst: - at the default MTU=1500 I get nice 940 Mbit/s. - the throughput rises monotonically with increasing MTU with no strange peaks. Notice that the peaks occur at MTU sizes that are multiples of the DMA burst limit plus 52. Why 52? Because: 20 (IP header) + 20 (TCP header) + 12 (TCP options) = 52 The Realtek-provided r8168 driver (v8.032.00) uses unlimited TX DMA burst too, except for CFG_METHOD_1 where the TX DMA burst is set to 512 bytes. CFG_METHOD_1 appears to be the oldest MAC version of "RTL8168B/8111B", i.e. RTL_GIGA_MAC_VER_11 in r8169. Not sure if this MAC version really needs the smaller burst limit, or if any other versions have similar requirements. Signed-off-by: Michal Schmidt Acked-by: Francois Romieu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3707c973f834b0035e611ceb89162d3f6081e262 Author: Benjamin Marzinski Date: Tue Nov 6 00:49:28 2012 -0600 GFS2: Don't call file_accessed() with a shared glock commit 3d1626889a64bd5a661544d582036a0a02104a60 upstream. file_accessed() was being called by gfs2_mmap() with a shared glock. If it needed to update the atime, it was crashing because it dirtied the inode in gfs2_dirty_inode() without holding an exclusive lock. gfs2_dirty_inode() checked if the caller was already holding a glock, but it didn't make sure that the glock was in the exclusive state. Now, instead of calling file_accessed() while holding the shared lock in gfs2_mmap(), file_accessed() is called after grabbing and releasing the glock to update the inode. If file_accessed() needs to update the atime, it will grab an exclusive lock in gfs2_dirty_inode(). gfs2_dirty_inode() now also checks to make sure that if the calling process has already locked the glock, it has an exclusive lock. Signed-off-by: Benjamin Marzinski Signed-off-by: Steven Whitehouse Signed-off-by: Greg Kroah-Hartman commit e01d83515635e7176cb69f1ac2c59ad1e39e8a63 Author: Takashi Iwai Date: Tue Nov 20 08:20:02 2012 +0100 ALSA: usb-audio: Fix crash at re-preparing the PCM stream commit f58161ba1b05a968e5136824b5a16b714b6a5317 upstream. There are bug reports of a crash with USB-audio devices when PCM prepare is performed immediately after the stream is stopped via trigger callback. It turned out that the problem is that we don't wait until all URBs are killed. This patch adds a new function to synchronize the pending stop operation on an endpoint, and calls in the prepare callback for avoiding the crash above. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=49181 Reported-and-tested-by: Artem S. Tashkinov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 347bd4501eec64db816bcd2438e38784f0107041 Author: Hugh Dickins Date: Fri Nov 16 14:15:04 2012 -0800 tmpfs: change final i_blocks BUG to WARNING commit 0f3c42f522dc1ad7e27affc0a4aa8c790bce0a66 upstream. Under a particular load on one machine, I have hit shmem_evict_inode()'s BUG_ON(inode->i_blocks), enough times to narrow it down to a particular race between swapout and eviction. It comes from the "if (freed > 0)" asymmetry in shmem_recalc_inode(), and the lack of coherent locking between mapping's nrpages and shmem's swapped count. There's a window in shmem_writepage(), between lowering nrpages in shmem_delete_from_page_cache() and then raising swapped count, when the freed count appears to be +1 when it should be 0, and then the asymmetry stops it from being corrected with -1 before hitting the BUG. One answer is coherent locking: using tree_lock throughout, without info->lock; reasonable, but the raw_spin_lock in percpu_counter_add() on used_blocks makes that messier than expected. Another answer may be a further effort to eliminate the weird shmem_recalc_inode() altogether, but previous attempts at that failed. So far undecided, but for now change the BUG_ON to WARN_ON: in usual circumstances it remains a useful consistency check. Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e7c1a252a7236c6a318c703a1bf29e3261a44e9c Author: Eric Dumazet Date: Fri Nov 16 05:31:53 2012 +0000 tcp: handle tcp_net_metrics_init() order-5 memory allocation failures [ Upstream commit 976a702ac9eeacea09e588456ab165dc06f9ee83 ] order-5 allocations can fail with current kernels, we should try vmalloc() as well. Reported-by: Julien Tinnes Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c6f7b86211233142300aeec7b1ab4ae640b81abd Author: Andrew Vagin Date: Thu Nov 15 04:03:17 2012 +0000 tcp: fix retransmission in repair mode [ Upstream commit ec34232575083fd0f43d3a101e8ebb041b203761 ] Currently if a socket was repaired with a few packet in a write queue, a kernel bug may be triggered: kernel BUG at net/ipv4/tcp_output.c:2330! RIP: 0010:[] tcp_retransmit_skb+0x5ff/0x610 According to the initial realization v3.4-rc2-963-gc0e88ff, all skb-s should look like already posted. This patch fixes code according with this sentence. Here are three points, which were not done in the initial patch: 1. A tcp send head should not be changed 2. Initialize TSO state of a skb 3. Reset the retransmission time This patch moves logic from tcp_sendmsg to tcp_write_xmit. A packet passes the ussual way, but isn't sent to network. This patch solves all described problems and handles tcp_sendpages. Signed-off-by: Andrey Vagin Cc: Pavel Emelyanov Cc: "David S. Miller" Cc: Alexey Kuznetsov Cc: James Morris Cc: Hideaki YOSHIFUJI Cc: Patrick McHardy Acked-by: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a809dffbbbcfbac5f6e6e291e472ac3ca91e0ca2 Author: Tom Herbert Date: Fri Nov 16 09:04:15 2012 +0000 net-rps: Fix brokeness causing OOO packets [ Upstream commit baefa31db2f2b13a05d1b81bdf2d20d487f58b0a ] In commit c445477d74ab3779 which adds aRFS to the kernel, the CPU selected for RFS is not set correctly when CPU is changing. This is causing OOO packets and probably other issues. Signed-off-by: Tom Herbert Acked-by: Eric Dumazet Acked-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 37afa2af2d81d3508a47adf9a5029096c2900c21 Author: Jiri Pirko Date: Wed Nov 14 02:51:04 2012 +0000 net: correct check in dev_addr_del() [ Upstream commit a652208e0b52c190e57f2a075ffb5e897fe31c3b ] Check (ha->addr == dev->dev_addr) is always true because dev_addr_init() sets this. Correct the check to behave properly on addr removal. Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2dba0003a5cf5f7834ec89ca6d488c4763a20505 Author: Hannes Frederic Sowa Date: Sat Nov 10 19:52:34 2012 +0000 ipv6: setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT) forgot to set return value [ Upstream commit d4596bad2a713fcd0def492b1960e6d899d5baa8 ] Cc: Stephen Hemminger Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b31143d12a55f2cbb2875abf46239eb7ef417c74 Author: Saurabh Mohan Date: Wed Nov 14 18:08:15 2012 -0800 ipv4/ip_vti.c: VTI fix post-decryption forwarding [ Upstream commit b2942004fb5c9f3304b77e187b8a1977b3626c9b ] With the latest kernel there are two things that must be done post decryption so that the packet are forwarded. 1. Remove the mark from the packet. This will cause the packet to not match the ipsec-policy again. However doing this causes the post-decryption check to fail also and the packet will get dropped. (cat /proc/net/xfrm_stat). 2. Remove the sp association in the skbuff so that no policy check is done on the packet for VTI tunnels. Due to #2 above we must now do a security-policy check in the vti rcv path prior to resetting the mark in the skbuff. Signed-off-by: Saurabh Mohan Reported-by: Ruben Herold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dc61f8a222dd360e802205bbc908b175848aa5bf Author: Xi Wang Date: Sun Nov 11 11:20:01 2012 +0000 ipv4: avoid undefined behavior in do_ip_setsockopt() [ Upstream commit 0c9f79be295c99ac7e4b569ca493d75fdcc19e4e ] (1< Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6ee34a305634346a23fce16352019d45097dc425 Author: Andreas Schwab Date: Sat Nov 17 22:27:04 2012 +0100 m68k: fix sigset_t accessor functions commit 34fa78b59c52d1db3513db4c1a999db26b2e9ac2 upstream. The sigaddset/sigdelset/sigismember functions that are implemented with bitfield insn cannot allow the sigset argument to be placed in a data register since the sigset is wider than 32 bits. Remove the "d" constraint from the asm statements. The effect of the bug is that sending RT signals does not work, the signal number is truncated modulo 32. Signed-off-by: Andreas Schwab Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit 9437e9d67094de0a69de1585b28932d6ac2b1911 Author: Johan Hedberg Date: Fri Oct 19 20:10:46 2012 +0300 Bluetooth: Fix having bogus entries in mgmt_read_index_list reply commit 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 upstream. The mgmt_read_index_list uses one loop to calculate the max needed size of its response with the help of an upper-bound of the controller count. The second loop is more strict as it checks for HCI_SETUP (which might have gotten set after the first loop) and could result in some indexes being skipped. Because of this the function needs to readjust the event length and index count after filling in the response array. Signed-off-by: Johan Hedberg Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan Signed-off-by: Greg Kroah-Hartman commit c322410c338e617342312c0a7418708ee9187c1a Author: Johannes Berg Date: Mon Nov 12 10:51:34 2012 +0100 wireless: allow 40 MHz on world roaming channels 12/13 commit 43c771a1963ab461a2f194e3c97fded1d5fe262f upstream. When in world roaming mode, allow 40 MHz to be used on channels 12 and 13 so that an AP that is, e.g., using HT40+ on channel 9 (in the UK) can be used. Reported-by: Eddie Chapman Tested-by: Eddie Chapman Acked-by: Luis R. Rodriguez Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit e91533adb3ab60e10f05a537936e475098522766 Author: Johannes Berg Date: Sun Nov 4 09:29:17 2012 +0100 iwlwifi: handle DMA mapping failures commit 7c34158231b2eda8dcbd297be2bb1559e69cb433 upstream. The RX replenish code doesn't handle DMA mapping failures, which will cause issues if there actually is a failure. This was reported by Shuah Khan who found a DMA mapping framework warning ("device driver failed to check map error"). Reported-by: Shuah Khan Reviewed-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit dd51fb8944830c19fe9f946e32c95c569985ac85 Author: Hugh Dickins Date: Fri Nov 16 14:14:54 2012 -0800 memcg: fix hotplugged memory zone oops commit bea8c150a7efbc0f204e709b7274fe273f55e0d3 upstream. When MEMCG is configured on (even when it's disabled by boot option), when adding or removing a page to/from its lru list, the zone pointer used for stats updates is nowadays taken from the struct lruvec. (On many configurations, calculating zone from page is slower.) But we have no code to update all the lruvecs (per zone, per memcg) when a memory node is hotadded. Here's an extract from the oops which results when running numactl to bind a program to a newly onlined node: BUG: unable to handle kernel NULL pointer dereference at 0000000000000f60 IP: __mod_zone_page_state+0x9/0x60 Pid: 1219, comm: numactl Not tainted 3.6.0-rc5+ #180 Bochs Bochs Process numactl (pid: 1219, threadinfo ffff880039abc000, task ffff8800383c4ce0) Call Trace: __pagevec_lru_add_fn+0xdf/0x140 pagevec_lru_move_fn+0xb1/0x100 __pagevec_lru_add+0x1c/0x30 lru_add_drain_cpu+0xa3/0x130 lru_add_drain+0x2f/0x40 ... The natural solution might be to use a memcg callback whenever memory is hotadded; but that solution has not been scoped out, and it happens that we do have an easy location at which to update lruvec->zone. The lruvec pointer is discovered either by mem_cgroup_zone_lruvec() or by mem_cgroup_page_lruvec(), and both of those do know the right zone. So check and set lruvec->zone in those; and remove the inadequate attempt to set lruvec->zone from lruvec_init(), which is called before NODE_DATA(node) has been allocated in such cases. Ah, there was one exceptionr. For no particularly good reason, mem_cgroup_force_empty_list() has its own code for deciding lruvec. Change it to use the standard mem_cgroup_zone_lruvec() and mem_cgroup_get_lru_size() too. In fact it was already safe against such an oops (the lru lists in danger could only be empty), but we're better proofed against future changes this way. I've marked this for stable (3.6) since we introduced the problem in 3.5 (now closed to stable); but I have no idea if this is the only fix needed to get memory hotadd working with memcg in 3.6, and received no answer when I enquired twice before. Reported-by: Tang Chen Signed-off-by: Hugh Dickins Acked-by: Johannes Weiner Acked-by: KAMEZAWA Hiroyuki Cc: Konstantin Khlebnikov Cc: Wen Congyang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7adaec367d93adc1c3c378eedd9a0251d0f60a8e Author: Michal Hocko Date: Fri Nov 16 14:14:49 2012 -0800 memcg: oom: fix totalpages calculation for memory.swappiness==0 commit 9a5a8f19b43430752067ecaee62fc59e11e88fa6 upstream. oom_badness() takes a totalpages argument which says how many pages are available and it uses it as a base for the score calculation. The value is calculated by mem_cgroup_get_limit which considers both limit and total_swap_pages (resp. memsw portion of it). This is usually correct but since fe35004fbf9e ("mm: avoid swapping out with swappiness==0") we do not swap when swappiness is 0 which means that we cannot really use up all the totalpages pages. This in turn confuses oom score calculation if the memcg limit is much smaller than the available swap because the used memory (capped by the limit) is negligible comparing to totalpages so the resulting score is too small if adj!=0 (typically task with CAP_SYS_ADMIN or non zero oom_score_adj). A wrong process might be selected as result. The problem can be worked around by checking mem_cgroup_swappiness==0 and not considering swap at all in such a case. Signed-off-by: Michal Hocko Acked-by: David Rientjes Acked-by: Johannes Weiner Acked-by: KOSAKI Motohiro Acked-by: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6084d9f5193ccae102f767d394913a6c0043f882 Author: Zhao Yakui Date: Tue Nov 13 18:31:55 2012 +0000 ttm: Clear the ttm page allocated from high memory zone correctly commit ac207ed2471150e06af0afc76e4becc701fa2733 upstream. The TTM page can be allocated from high memory. In such case it is wrong to use the page_address(page) as the virtual address for the high memory page. bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=50241 Signed-off-by: Zhao Yakui Reviewed-by: Thomas Hellstrom Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 05e7fb4f1ab1840c84ebb3e840d8bcce90b283cd Author: Takashi Iwai Date: Fri Nov 9 15:20:17 2012 +0100 KVM: x86: Fix invalid secondary exec controls in vmx_cpuid_update() commit 29282fde80d44e587f8c152b10049a56e61659f0 upstream. The commit [ad756a16: KVM: VMX: Implement PCID/INVPCID for guests with EPT] introduced the unconditional access to SECONDARY_VM_EXEC_CONTROL, and this triggers kernel warnings like below on old CPUs: vmwrite error: reg 401e value a0568000 (err 12) Pid: 13649, comm: qemu-kvm Not tainted 3.7.0-rc4-test2+ #154 Call Trace: [] vmwrite_error+0x27/0x29 [kvm_intel] [] vmcs_writel+0x1b/0x20 [kvm_intel] [] vmx_cpuid_update+0x74/0x170 [kvm_intel] [] kvm_vcpu_ioctl_set_cpuid2+0x76/0x90 [kvm] [] kvm_arch_vcpu_ioctl+0xc37/0xed0 [kvm] [] ? __vunmap+0x9c/0x110 [] ? vmx_vcpu_load+0x39/0x1a0 [kvm_intel] [] ? kvm_arch_vcpu_load+0x52/0x1a0 [kvm] [] ? vcpu_load+0x74/0xd0 [kvm] [] kvm_vcpu_ioctl+0x110/0x5e0 [kvm] [] ? kvm_dev_ioctl+0x4d/0x4a0 [kvm] [] do_vfs_ioctl+0x8f/0x530 [] ? remove_vma+0x56/0x60 [] ? do_munmap+0x328/0x400 [] ? fget_light+0x4c/0x100 [] sys_ioctl+0x91/0xb0 [] system_call_fastpath+0x1a/0x1f This patch adds a check for the availability of secondary exec control to avoid these warnings. Signed-off-by: Takashi Iwai Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 8bca5a1ee4f09bfde2f024747edaedf686ce71fe Author: Hugh Dickins Date: Fri Nov 16 14:15:03 2012 -0800 tmpfs: fix shmem_getpage_gfp() VM_BUG_ON commit 215c02bc33bbd5ff4d7379a909462d11f0103218 upstream. Fuzzing with trinity hit the "impossible" VM_BUG_ON(error) (which Fedora has converted to WARNING) in shmem_getpage_gfp(): WARNING: at mm/shmem.c:1151 shmem_getpage_gfp+0xa5c/0xa70() Pid: 29795, comm: trinity-child4 Not tainted 3.7.0-rc2+ #49 Call Trace: warn_slowpath_common+0x7f/0xc0 warn_slowpath_null+0x1a/0x20 shmem_getpage_gfp+0xa5c/0xa70 shmem_fault+0x4f/0xa0 __do_fault+0x71/0x5c0 handle_pte_fault+0x97/0xae0 handle_mm_fault+0x289/0x350 __do_page_fault+0x18e/0x530 do_page_fault+0x2b/0x50 page_fault+0x28/0x30 tracesys+0xe1/0xe6 Thanks to Johannes for pointing to truncation: free_swap_and_cache() only does a trylock on the page, so the page lock we've held since before confirming swap is not enough to protect against truncation. What cleanup is needed in this case? Just delete_from_swap_cache(), which takes care of the memcg uncharge. Signed-off-by: Hugh Dickins Reported-by: Dave Jones Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit abcf86b63e5aafbd2e9508ddf9f5be5de27942a4 Author: Alex Deucher Date: Wed Nov 14 09:10:39 2012 -0500 drm/radeon: fix logic error in atombios_encoders.c commit b9196395c905edec512dfd6690428084228c16ec upstream. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=50431 Reported-by: David Binderman Signed-off-by: Alex Deucher Reviewed-by: Michel Dänzer Signed-off-by: Greg Kroah-Hartman commit 93010a5f6f58093d5d2204a61cdaf6bf17848d09 Author: Jani Nikula Date: Mon Nov 12 18:31:35 2012 +0200 drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures commit d0ddfbd3d1346c1f481ec2289eef350cdba64b42 upstream. Any failures in intel_sdvo_init() after the intel_sdvo_setup_output() call left behind ghost connectors, attached (with a dangling pointer) to the sdvo that has been cleaned up and freed. Properly destroy any connectors attached to the encoder. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=46381 CC: Chris Wilson Signed-off-by: Jani Nikula Tested-by: bjo@nord-west.org [danvet: added a comment to explain why we need to clean up connectors even when sdvo_output_setup fails.] Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 09390c7bc9fe02c5d5565d9701e2c26c94c08c96 Author: Dan Williams Date: Thu Nov 8 11:56:53 2012 -0600 USB: option: add Alcatel X220/X500D USB IDs commit c0bc3098871dd9b964f6b45ec1e4d70d87811744 upstream. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 92ca7e8af21a852c1ffad3f17639f4966861ce51 Author: Dan Williams Date: Thu Nov 8 11:56:42 2012 -0600 USB: option: add Novatel E362 and Dell Wireless 5800 USB IDs commit fcb21645f1bd86d2be29baf48aa1b298de52ccc7 upstream. The Dell 5800 appears to be a simple rebrand of the Novatel E362. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit c00d81ec46b6a4c6ad3987fde9a984acecebbbd1 Author: Johan Hovold Date: Fri Oct 26 18:44:20 2012 +0200 USB: usb_wwan: fix bulk-urb allocation commit 8e493ca1767d4951ed1322abaa74d6edbca29918 upstream. Make sure we do not allocate urbs if we do not have a bulk endpoint. Legacy code used incorrect assumption to test for bulk endpoints. Reported-by: Dan Carpenter Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 17ca63a0b5ec5e2747ffa1a69f6e28a04b7c9fcb Author: Bjørn Mork Date: Sat Nov 10 10:13:42 2012 +0100 USB: keyspan: fix typo causing GPF on open commit f0e3e35c9049087172c65302b42da8fe7ebb63a8 upstream. Commit f79b2d0f (USB: keyspan: fix NULL-pointer dereferences and memory leaks) had a small typo which made the driver use wrong offsets when mapping serial port private data. This results in in a GPF when the port is opened. Reported-by: Richard Signed-off-by: Bjørn Mork Acked-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit fc4cc3fbd6c79a96b38c4d88d07c165e869ef7bf Author: Heiko Carstens Date: Mon Oct 22 15:49:02 2012 +0200 s390/gup: add missing TASK_SIZE check to get_user_pages_fast() commit d55c4c613fc4d4ad2ba0fc6fa2b57176d420f7e4 upstream. When walking page tables we need to make sure that everything is within bounds of the ASCE limit of the task's address space. Otherwise we might calculate e.g. a pud pointer which is not within a pud and dereference it. So check against TASK_SIZE (which is the ASCE limit) before walking page tables. Reviewed-by: Gerald Schaefer Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 8f21eab98e218f6cd38c89ad5952980234c1804d Author: Colin Cross Date: Wed Nov 7 18:21:51 2012 -0800 Revert "Staging: Android alarm: IOCTL command encoding fix" commit d38e0e3fed4f58bcddef4dc93a591dfe2f651cb0 upstream. Commit 6bd4a5d96c08dc2380f8053b1bd4f879f55cd3c9 changed the ANDROID_ALARM_GET_TIME ioctls from IOW to IOR. While technically correct, the _IOC_DIR bits are ignored by alarm_ioctl, so the commit breaks a userspace ABI used by all existing Android devices for a purely cosmetic reason. Revert it. Cc: Dae S. Kim Signed-off-by: Colin Cross Signed-off-by: Greg Kroah-Hartman commit 65cdd08d8e6cda80990107b8d911c611bdb45bf3 Author: Pritesh Raithatha Date: Tue Oct 30 15:37:09 2012 +0530 ARM: dt: tegra: fix length of pad control and mux registers commit 322337b8fbd8c392246529d5db924820fc0c7381 upstream. The reg property contains not . Fix the length values to be length not last_offset. Signed-off-by: Pritesh Raithatha Signed-off-by: Stephen Warren Signed-off-by: Greg Kroah-Hartman commit 05007e9de2deb4fd5e846ba78fd5e071fb8dc2ab Author: Christoph Fritz Date: Fri Nov 16 15:39:24 2012 +0100 ARM: imx: ehci: fix host power mask bit commit 3d5e2abe6e265acc5e1fda810301243e9bac92b2 upstream. This patch sets HPM (Host power mask bit) to bit 16 according to i.MX Reference Manual. Falsely it was set to bit 8, but this controls pull-up Impedance. Reported-by: Michael Burkey Signed-off-by: Christoph Fritz Acked-by: Eric Bénard Signed-off-by: Sascha Hauer Signed-off-by: Greg Kroah-Hartman commit e2c0b531309e4c685cad1a4e4e7a014829deee49 Author: Guenter Roeck Date: Tue Nov 13 22:27:19 2012 +0100 i2c-mux-pinctrl: Fix probe error path commit aa1e3e81e75ceb3d977c3292cefafcd5179eb8b8 upstream. When allocating the memory for i2c busses, the code checked the wrong variable and thus never detected if there was a memory error. Signed-off-by: Guenter Roeck Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 1a62325ca4a3dda40da10a21806b6baa2c8d40dd Author: Marek Szyprowski Date: Tue Nov 13 09:48:51 2012 +0100 regulator: fix voltage check in regulator_is_supported_voltage() commit f0f98b19e23d4426ca185e3d4ca80e6aff5ef51b upstream. regulator_is_supported_voltage() should return true only if the voltage of fixed/constant regulator is between min_uV and max_uV. Signed-off-by: Marek Szyprowski Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ab37cb2a6cde96c269a9cfb14b4affbe5fe11675 Author: Colin Ian King Date: Wed Nov 14 11:49:53 2012 +0000 pstore: Fix NULL pointer dereference in console writes commit 70a6f46d7b0ec03653b9ab3f8063a9717a4a53ef upstream. Passing a NULL id causes a NULL pointer deference in writers such as erst_writer and efi_pstore_write because they expect to update this id. Pass a dummy id instead. This avoids a cascade of oopses caused when the initial pstore_console_write passes a null which in turn causes writes to the console causing further oopses in subsequent pstore_console_write calls. Signed-off-by: Colin Ian King Acked-by: Kees Cook Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit e1813d49914ec3f7751b4981d5f46c94f111b670 Author: Artem Bityutskiy Date: Wed Oct 10 10:55:28 2012 +0300 UBIFS: introduce categorized lprops counter commit 98a1eebda3cb2a84ecf1f219bb3a95769033d1bf upstream. This commit is a preparation for a subsequent bugfix. We introduce a counter for categorized lprops. Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit bbf1959d853718c6a0f75000425744270ff6b920 Author: Artem Bityutskiy Date: Tue Oct 9 16:20:15 2012 +0300 UBIFS: fix mounting problems after power cuts commit a28ad42a4a0c6f302f488f26488b8b37c9b30024 upstream. This is a bugfix for a problem with the following symptoms: 1. A power cut happens 2. After reboot, we try to mount UBIFS 3. Mount fails with "No space left on device" error message UBIFS complains like this: UBIFS error (pid 28225): grab_empty_leb: could not find an empty LEB The root cause of this problem is that when we mount, not all LEBs are categorized. Only those which were read are. However, the 'ubifs_find_free_leb_for_idx()' function assumes that all LEBs were categorized and 'c->freeable_cnt' is valid, which is a false assumption. This patch fixes the problem by teaching 'ubifs_find_free_leb_for_idx()' to always fall back to LPT scanning if no freeable LEBs were found. This problem was reported by few people in the past, but Brent Taylor was able to reproduce it and send me a flash image which cannot be mounted, which made it easy to hunt the bug. Kudos to Brent. Reported-by: Brent Taylor Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 176b18a140915eb8d684ed823967f3010e8ac3bc Author: Mukund Navada Date: Fri Nov 9 11:53:40 2012 +0530 ASoC: core: Double control update err for snd_soc_put_volsw_sx commit d055852ee86703d48b0c571e94bd2eb33aa9b91d upstream. snd_soc_put_volsw_sx function fails to update second control if first control is updated by snd_soc_update_bits_locked. Signed-off-by: Mukund Navada Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c392855dfc4259992947d4a960b57df4c19b71bc Author: Misael Lopez Cruz Date: Thu Nov 8 12:03:12 2012 -0600 ASoC: dapm: Use card_list during DAPM shutdown commit 445632ad6dda42f4d3f9df2569a852ca0d4ea608 upstream. DAPM shutdown incorrectly uses "list" field of codec struct while iterating over probed components (codec_dev_list). "list" field refers to codecs registered in the system, "card_list" field is used for probed components. Signed-off-by: Misael Lopez Cruz Signed-off-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 27d215a1cf4f5f4e815b2ddf964f24b7eacee452 Author: Wei Yongjun Date: Wed Nov 7 20:38:35 2012 +0800 ASoC: cs42l52: fix the return value of cs42l52_set_fmt() commit 5c855c8e2be67f2d5a989ef1190098f924f9f820 upstream. Fix the return value of cs42l52_set_fmt() when clock inversion is not allowed and also remove the useless variable ret. dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch) [We had been assigning to ret but then ignoring the value we assgined -- broonie] Signed-off-by: Wei Yongjun Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 177c55702e8093a78e1f20a62bd7e529e9822df5 Author: Eric Millbrandt Date: Fri Nov 2 17:05:44 2012 -0400 ASoC: wm8978: pll incorrectly configured when codec is master commit 55c6f4cb6ef49afbb86222c6a3ff85329199c729 upstream. When MCLK is supplied externally and BCLK and LRC are configured as outputs (codec is master), the PLL values are only calculated correctly on the first transmission. On subsequent transmissions, at differenct sample rates, the wrong PLL values are used. Test for f_opclk instead of f_pllout to determine if the PLL values are needed. Signed-off-by: Eric Millbrandt Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 17ec635a73dea32ac4bdfa0e8f46c511271fceed Author: Takashi Iwai Date: Mon Nov 12 10:07:36 2012 +0100 ALSA: hda - Add a missing quirk entry for iMac 9,1 commit 05193639ca977cc889668718adb38db6d585045b upstream. This is another variant of iMac 9,1 with a different codec SSID. Reported-and-tested-by: Everaldo Canuto Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a7d231db5cfa1da0cc43d0a889528736bde803c4 Author: Kailang Yang Date: Thu Nov 8 10:25:37 2012 +0100 ALSA: hda - Add new codec ALC668 and ALC900 (default name ALC1150) commit 19a62823eae453619604636082085812c14ee391 upstream. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1614e57c8b9a47e315493f3b780aad058e5dabb7 Author: Kailang Yang Date: Thu Nov 8 10:23:18 2012 +0100 ALSA: hda - Improve HP depop when system enter to S3 commit 1387e2d12799e554df2f60e7ae7fe01384bcb96f upstream. alc269_toggle_power_output() was only use in ALC269VB. I rename it to alc269vb_toggle_power_output(). Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3a31a7aa8aafb51de01e31a44738ff15683df3ab Author: Takashi Iwai Date: Wed Nov 7 10:37:48 2012 +0100 ALSA: hda - Fix invalid connections in VT1802 codec commit ef4da45828603df57e5e21b8aa21a66ce309f79b upstream. VT1802 codec provides the invalid connection lists of NID 0x24 and 0x33 containing the routes to a non-exist widget 0x3e. This confuses the auto-parser. Fix it up in the driver by overriding these connections. Reported-by: Massimo Del Fedele Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cac9141d75777308d05f9876cfd2885fd98fafa2 Author: Takashi Iwai Date: Wed Nov 7 10:32:47 2012 +0100 ALSA: hda - Fix empty DAC filling in patch_via.c commit 5b3761954dac2d1393beef8210eb8cee81d16b8d upstream. In via_auto_fill_adc_nids(), the parser tries to fill dac_nids[] at the point of the current line-out (i). When no valid path is found for this output, this results in dac = 0, thus it creates a hole in dac_nids[]. This confuses is_empty_dac() and trims the detected DAC in later reference. This patch fixes the bug by appending DAC properly to dac_nids[] in via_auto_fill_adc_nids(). Reported-by: Massimo Del Fedele Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit be6a306b17a18f0e74fa553b77ea932be7f8211f Author: Takashi Iwai Date: Mon Nov 5 12:32:46 2012 +0100 ALSA: hda - Force to reset IEC958 status bits for AD codecs commit ae24c3191ba2ab03ec6b4be323e730e00404b4b6 upstream. Several bug reports suggest that the forcibly resetting IEC958 status bits is required for AD codecs to get the SPDIF output working properly after changing streams. Original fix credit to Javeed Shaikh. BugLink: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/359361 Reported-by: Robin Kreis Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bd8d3a552e2cc77c63b98337b1d149a0e81d7d3c Author: Daniel J Blueman Date: Sun Nov 4 13:19:03 2012 +0800 ALSA: HDA: Fix digital microphone on CS420x commit 16337e028a6dae9fbdd718c0d42161540a668ff3 upstream. Correctly enable the digital microphones with the right bits in the right coeffecient registers on Cirrus CS4206/7 codecs. It also prevents misconfiguring ADC1/2. This fixes the digital mic on the Macbook Pro 10,1/Retina. Based-on-patch-by: Alexander Stein Signed-off-by: Daniel J Blueman Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ce19f2c0dfca3c4680f2fde304aa81d3b4911782 Author: Alexander Stein Date: Thu Nov 1 13:42:37 2012 +0100 ALSA: hda: Cirrus: Fix coefficient index for beep configuration commit 5a83b4b5a391f07141b157ac9daa51c409e71ab5 upstream. Signed-off-by: Alexander Stein Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6e216b4a2fa0eada850c943e6834e8e635e2fb9c Author: Jacob Keller Date: Thu Nov 1 12:30:16 2012 +0000 ptp: update adjfreq callback description commit 87f4d7c1d36f44b0822053b7e5dedc31fdd0ab99 upstream. This patch updates the adjfreq callback description to include a note that the delta in ppb is always relative to the base frequency, and not to the current frequency of the hardware clock. Signed-off-by: Jacob Keller CC: Richard Cochran CC: John Stultz Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 26a10f1df3311011e4317fafd33002309587d963 Author: Nicolas Royer Date: Tue Nov 6 17:31:03 2012 +0100 ARM: at91/AT91SAM9G45: fix crypto peripherals irq issue due to sparse irq support commit 097965ee447e5ccec9776f9b075e64cf7607e5eb upstream. Spare irq support introduced by commit 8fe82a5 (ARM: at91: sparse irq support) involves to add the NR_IRQS_LEGACY offset to irq number. Signed-off-by: Nicolas Royer Acked-by: Nicolas Ferre Acked-by: Eric Bénard Tested-by: Eric Bénard Signed-off-by: Greg Kroah-Hartman commit 9ef0ecd730892e4086a7b9ad4dc38486f7db989c Author: Jussi Kivilinna Date: Sun Oct 21 20:42:28 2012 +0300 crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption commit 9efade1b3e981f5064f9db9ca971b4dc7557ae42 upstream. cryptd_queue_worker attempts to prevent simultaneous accesses to crypto workqueue by cryptd_enqueue_request using preempt_disable/preempt_enable. However cryptd_enqueue_request might be called from softirq context, so add local_bh_disable/local_bh_enable to prevent data corruption and panics. Bug report at http://marc.info/?l=linux-crypto-vger&m=134858649616319&w=2 v2: - Disable software interrupts instead of hardware interrupts Reported-by: Gurucharan Shetty Signed-off-by: Jussi Kivilinna Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 50d4bcc3701d7f6173e3e8727234a4dd81518a3d Author: Sachin Prabhu Date: Mon Nov 5 11:39:32 2012 +0000 cifs: Do not lookup hashed negative dentry in cifs_atomic_open commit 3798f47aa276b332c30da499cb4df4577e2f8872 upstream. We do not need to lookup a hashed negative directory since we have already revalidated it before and have found it to be fine. This also prevents a crash in cifs_lookup() when it attempts to rehash the already hashed negative lookup dentry. The patch has been tested using the reproducer at https://bugzilla.redhat.com/show_bug.cgi?id=867344#c28 Reported-by: Vit Zahradka Signed-off-by: Sachin Prabhu Signed-off-by: Greg Kroah-Hartman commit ea617a2c5150f9914c57215545575abf394df7bc Author: Jeff Layton Date: Sat Nov 3 09:37:28 2012 -0400 cifs: fix potential buffer overrun in cifs.idmap handling code commit 36960e440ccf94349c09fb944930d3bfe4bc473f upstream. The userspace cifs.idmap program generally works with the wbclient libs to generate binary SIDs in userspace. That program defines the struct that holds these values as having a max of 15 subauthorities. The kernel idmapping code however limits that value to 5. When the kernel copies those values around though, it doesn't sanity check the num_subauths value handed back from userspace or from the server. It's possible therefore for userspace to hand us back a bogus num_subauths value (or one that's valid, but greater than 5) that could cause the kernel to walk off the end of the cifs_sid->sub_auths array. Fix this by defining a new routine for copying sids and using that in all of the places that copy it. If we end up with a sid that's longer than expected then this approach will just lop off the "extra" subauths, but that's basically what the code does today already. Better approaches might be to fix this code to reject SIDs with >5 subauths, or fix it to handle the subauths array dynamically. At the same time, change the kernel to check the length of the data returned by userspace. If it's shorter than struct cifs_sid, reject it and return -EIO. If that happens we'll end up with fields that are basically uninitialized. Long term, it might make sense to redefine cifs_sid using a flexarray at the end, to allow for variable-length subauth lists, and teach the code to handle the case where the subauths array being passed in from userspace is shorter than 5 elements. Note too, that I don't consider this a security issue since you'd need a compromised cifs.idmap program. If you have that, you can do all sorts of nefarious stuff. Still, this is probably reasonable for stable. Reviewed-by: Shirish Pargaonkar Signed-off-by: Jeff Layton Signed-off-by: Greg Kroah-Hartman commit 01ae49199e6a67075b53150ecd8dfc627a67183b Author: Cornelia Huck Date: Fri Nov 9 14:54:12 2012 +1030 virtio: Don't access index after unregister. commit 237242bddc99041e15a4ca51b8439657cadaff17 upstream. Virtio wants to release used indices after the corresponding virtio device has been unregistered. However, virtio does not hold an extra reference, giving up its last reference with device_unregister(), making accessing dev->index afterwards invalid. I actually saw problems when testing my (not-yet-merged) virtio-ccw code: - device_add virtio-net,id=xxx -> creates device virtio with n>0 - device_del xxx -> deletes virtio, but calls ida_simple_remove with an index of 0 - device_add virtio-net,id=xxx -> tries to add virtio0, which is still in use... So let's save the index we want to release before calling device_unregister(). Signed-off-by: Cornelia Huck Acked-by: Sjur Brændeland Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit 17773c7701fe1eb68b8841f215b506dca07a3b6a Author: Rusty Russell Date: Thu Oct 25 10:49:25 2012 +1030 module: fix out-by-one error in kallsyms commit 59ef28b1f14899b10d6b2682c7057ca00a9a3f47 upstream. Masaki found and patched a kallsyms issue: the last symbol in a module's symtab wasn't transferred. This is because we manually copy the zero'th entry (which is always empty) then copy the rest in a loop starting at 1, though from src[0]. His fix was minimal, I prefer to rewrite the loops in more standard form. There are two loops: one to get the size, and one to copy. Make these identical: always count entry 0 and any defined symbol in an allocated non-init section. This bug exists since the following commit was introduced. module: reduce symbol table for loaded modules (v2) commit: 4a4962263f07d14660849ec134ee42b63e95ea9a LKML: http://lkml.org/lkml/2012/10/24/27 Reported-by: Masaki Kimura Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit d5ad050308134580749cc1dbbeae4946d4f2cefe Author: Eric Paris Date: Thu Nov 8 15:53:37 2012 -0800 fanotify: fix missing break commit 848561d368751a1c0f679b9f045a02944506a801 upstream. Anders Blomdell noted in 2010 that Fanotify lost events and provided a test case. Eric Paris confirmed it was a bug and posted a fix to the list https://groups.google.com/forum/?fromgroups=#!topic/linux.kernel/RrJfTfyW2BE but never applied it. Repeated attempts over time to actually get him to apply it have never had a reply from anyone who has raised it So apply it anyway Signed-off-by: Alan Cox Reported-by: Anders Blomdell Cc: Eric Paris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ee62ff8a0db9d64cdd41abd1acfa1447d78dd5b4 Author: Huang Ying Date: Thu Oct 25 09:36:03 2012 +0800 PCI/PM: Fix proc config reg access for D3cold and bridge suspending commit b3c32c4f9565f93407921c0d8a4458042eb8998e upstream. In https://bugzilla.kernel.org/show_bug.cgi?id=48981 Peter reported that /proc/bus/pci/??/??.? does not work for 3.6. This is because the device configuration space registers are not accessible if the corresponding parent bridge is suspended or the device is put into D3cold state. This is the same as /sys/bus/pci/devices/0000:??:??.?/config access issue. So the function used to solve sysfs issue is used to solve this issue. This patch moves pci_config_pm_runtime_get()/_put() from pci/pci-sysfs.c to pci/pci.c and makes them extern so they can be used by both the sysfs and proc paths. [bhelgaas: changelog, references, reporters] Reference: https://bugzilla.kernel.org/show_bug.cgi?id=48981 Reference: https://bugzilla.kernel.org/show_bug.cgi?id=49031 Reported-by: Forrest Loomis Reported-by: Peter Reported-by: Micael Dias Signed-off-by: Huang Ying Signed-off-by: Bjorn Helgaas Acked-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 45f158b2641200ed81c20a118758ddc8cbfc4364 Author: Huang Ying Date: Wed Oct 24 14:54:14 2012 +0800 PCI/PM: Resume device before shutdown commit 3ff2de9ba1a2e22e548979dbcd46e999b22c93d8 upstream. Some actions during shutdown need device to be in D0 state, such as MSI shutdown etc, so resume device before shutdown. Without this patch, a device may not be enumerated after a kexec because the corresponding bridge is not in D0, so that configuration space of the device is not accessible. Signed-off-by: Huang Ying Signed-off-by: Bjorn Helgaas Acked-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 1325ed662eb4129a96320145bea7ec5bfce249c9 Author: Felix Fietkau Date: Sat Nov 10 03:44:14 2012 +0100 mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purge commit 1f98ab7fef48a2968f37f422c256c9fbd978c3f0 upstream. Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs. Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit f79b61dcf47fc54e5a4c8307bad659bc1f352a3d Author: Johannes Berg Date: Thu Nov 8 14:06:28 2012 +0100 mac80211: don't send null data packet when not associated commit 20f544eea03db4b498942558b882d463ce575c3e upstream. On resume or firmware recovery, mac80211 sends a null data packet to see if the AP is still around and hasn't disconnected us. However, it always does this even if it wasn't even connected before, leading to a warning in the new channel context code. Fix this by checking that it's associated. Reviewed-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a64e7f53c0f5d061ccbd8b28fa09b51b32b7ec53 Author: Arik Nemtsov Date: Mon Nov 5 10:27:52 2012 +0200 mac80211: sync acccess to tx_filtered/ps_tx_buf queues commit 987c285c2ae2e4e32aca3a9b3252d28171c75711 upstream. These are accessed without a lock when ending STA PSM. If the sta_cleanup timer accesses these lists at the same time, we might crash. This may fix some mysterious crashes we had during ieee80211_sta_ps_deliver_wakeup. Signed-off-by: Arik Nemtsov Signed-off-by: Ido Yariv Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 77d8dd2cf8eff86d9ec00b02d3623702c45ea23e Author: Dave Chinner Date: Mon Nov 12 22:09:46 2012 +1100 xfs: drop buffer io reference when a bad bio is built commit d69043c42d8c6414fa28ad18d99973aa6c1c2e24 upstream. Error handling in xfs_buf_ioapply_map() does not handle IO reference counts correctly. We increment the b_io_remaining count before building the bio, but then fail to decrement it in the failure case. This leads to the buffer never running IO completion and releasing the reference that the IO holds, so at unmount we can leak the buffer. This leak is captured by this assert failure during unmount: XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0, file: fs/xfs/xfs_mount.c, line: 273 This is not a new bug - the b_io_remaining accounting has had this problem for a long, long time - it's just very hard to get a zero length bio being built by this code... Further, the buffer IO error can be overwritten on a multi-segment buffer by subsequent bio completions for partial sections of the buffer. Hence we should only set the buffer error status if the buffer is not already carrying an error status. This ensures that a partial IO error on a multi-segment buffer will not be lost. This part of the problem is a regression, however. Signed-off-by: Dave Chinner Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit fee02d04c682f3ef8d1d1ec46e22fb7f833c9330 Author: Aaron Lu Date: Tue Oct 9 15:37:48 2012 +0800 libata-acpi: Fix NULL ptr derference in ata_acpi_dev_handle commit 60817a680b1bd3341b6909fab7d8a1fcc3a78369 upstream. commit 6b66d95895c149cbc04d4fac5a2f5477c543a8ae didn't handle SATA PMP case in ata_acpi_bind_device and will cause a NULL ptr dereference when user attached a SATA drive to the PMP port. Fix this by checking PMP support. This bug is reported by Dan van der Ster in the following bugzilla page: https://bugzilla.kernel.org/show_bug.cgi?id=48211 Reported-by: Dan van der Ster Tested-by: Dan van der Ster Signed-off-by: Aaron Lu Signed-off-by: Jeff Garzik Tested-by: Simon Signed-off-by: Greg Kroah-Hartman commit 9e9dbb97a010f748114404bd44ab2e02082d215c Author: Takamori Yamaguchi Date: Thu Nov 8 15:53:39 2012 -0800 mm: bugfix: set current->reclaim_state to NULL while returning from kswapd() commit b0a8cc58e6b9aaae3045752059e5e6260c0b94bc upstream. In kswapd(), set current->reclaim_state to NULL before returning, as current->reclaim_state holds reference to variable on kswapd()'s stack. In rare cases, while returning from kswapd() during memory offlining, __free_slab() and freepages() can access the dangling pointer of current->reclaim_state. Signed-off-by: Takamori Yamaguchi Signed-off-by: Aaditya Kumar Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman