commit 405acc3402a3df8df967d1848947dc58f0059664 Author: Greg Kroah-Hartman Date: Wed Mar 20 13:11:19 2013 -0700 Linux 3.8.4 commit 6b49734139bad7703ccdf0bded005c605f28ca61 Author: Greg Kroah-Hartman Date: Mon Mar 18 13:16:44 2013 -0700 Revert "drm/i915: reorder setup sequence to have irqs for output setup" Revert commit 2a9810441fcc26cf3f006f015f8a62094fe57a90 which is commit 52d7ecedac3f96fb562cb482c139015372728638 upstream. This caused problems in 3.8-stable, but all is fine in 3.9-rc. Signed-off-by: Greg Kroah-Hartman Cc: Imre Deak Cc: Daniel Vetter commit 2909d2604809e056e5fe3ee102c42cc7899b1739 Author: Greg Kroah-Hartman Date: Mon Mar 18 13:13:39 2013 -0700 Revert "drm/i915: enable irqs earlier when resuming" This reverts commit 31f14f4219d2a74b7a6d86c7798f49141b5eccbe which was commit 15239099d7a7a9ecdc1ccb5b187ae4cda5488ff9 upstream. It caused problems in the 3.8-stable series, but 3.9-rc is just fine. Signed-off-by: Greg Kroah-Hartman Cc: Chris Wilson Cc: Mika Kuoppala Cc: Ilya Tumaykin Cc: Daniel Vetter commit 363e95a8de7250190a38ef871923b5e0e27f1ab4 Author: YOSHIFUJI Hideaki Date: Sat Mar 9 09:11:57 2013 +0000 6lowpan: Fix endianness issue in is_addr_link_local(). [ Upstream commit 9026c4927254f5bea695cc3ef2e255280e6a3011 ] Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 451b3450126c02c195c6db7862fe0b39fa6e3fc2 Author: Mathias Krause Date: Sat Mar 9 05:52:21 2013 +0000 dcbnl: fix various netlink info leaks [ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ] The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a9583a88379d8fd8b83ac002f77f6c518038ebc9 Author: Mathias Krause Date: Sat Mar 9 05:52:20 2013 +0000 rtnl: fix info leak on RTM_GETLINK request for VF devices [ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ] Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0cc912b2067fa8c8b8a628775282ebfdabb2a666 Author: Mathias Krause Date: Sat Mar 9 05:52:19 2013 +0000 bridge: fix mdb info leaks [ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ] The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7ffeaad32ddcbf8ad98807c94ed8c686bbdbcb31 Author: Hannes Frederic Sowa Date: Fri Mar 8 02:07:23 2013 +0000 ipv6: stop multicast forwarding to process interface scoped addresses [ Upstream commit ddf64354af4a702ee0b85d0a285ba74c7278a460 ] v2: a) used struct ipv6_addr_props v3: a) reverted changes for ipv6_addr_props v4: a) do not use __ipv6_addr_needs_scope_id Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f1e2adbba7d7f1fab29713efd3fa47324ef02ad5 Author: Cristian Bercaru Date: Fri Mar 8 07:03:38 2013 +0000 bridging: fix rx_handlers return code [ Upstream commit 3bc1b1add7a8484cc4a261c3e128dbe1528ce01f ] The frames for which rx_handlers return RX_HANDLER_CONSUMED are no longer counted as dropped. They are counted as successfully received by 'netif_receive_skb'. This allows network interface drivers to correctly update their RX-OK and RX-DRP counters based on the result of 'netif_receive_skb'. Signed-off-by: Cristian Bercaru Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d99d0841478544ae82e224deb5101fec4ca2ff65 Author: Paul Moore Date: Wed Mar 6 11:45:24 2013 +0000 netlabel: correctly list all the static label mappings [ Upstream commits 0c1233aba1e948c37f6dc7620cb7c253fcd71ce9 and a6a8fe950e1b8596bb06f2c89c3a1a4bf2011ba9 ] When we have a large number of static label mappings that spill across the netlink message boundary we fail to properly save our state in the netlink_callback struct which causes us to repeat the same listings. This patch fixes this problem by saving the state correctly between calls to the NetLabel static label netlink "dumpit" routines. Signed-off-by: Paul Moore Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9a6d24b60d50181ecd5d4e5484e86750e710b045 Author: Vlad Yasevich Date: Thu Mar 7 10:21:48 2013 +0000 macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode. [ Upstream commit 87ab7f6f2874f1115817e394a7ed2dea1c72549e ] Macvlan already supports hw address filters. Set the IFF_UNICAST_FLT so that it doesn't needlesly enter PROMISC mode when macvlans are stacked. Signed-of-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 644f8b3b1842a0b0ae6afebf5ed4bc111ddb404c Author: Vlad Yasevich Date: Thu Mar 7 07:59:25 2013 +0000 team: unsyc the devices addresses when port is removed [ Upstream commit ba81276b1a5e3cf0674cb0e6d9525e5ae0c98695 ] When a team port is removed, unsync all devices addresses that may have been synched to the port devices. CC: Jiri Pirko Signed-off-by: Vlad Yasevich Acked-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 340f1ecd58674be9930f85062bb681bf1ce0d483 Author: Veaceslav Falico Date: Wed Mar 6 07:10:32 2013 +0000 bonding: fire NETDEV_RELEASE event only on 0 slaves [ Upstream commit 80028ea1c0afc24d4ddeb8dd2a9992fff03616ca ] Currently, if we set up netconsole over bonding and release a slave, netconsole will stop logging on the whole bonding device. Change the behavior to stop the netconsole only when the last slave is released. Signed-off-by: Veaceslav Falico Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d711a393979b149e86e24662c695725fcf7ba88d Author: Zang MingJie Date: Wed Mar 6 04:37:37 2013 +0000 vxlan: fix oops when delete netns containing vxlan [ Upstream commit 9cb6cb7ed11cd3b69c47bb414983603a6ff20b1d ] The following script will produce a kernel oops: sudo ip netns add v sudo ip netns exec v ip ad add 127.0.0.1/8 dev lo sudo ip netns exec v ip link set lo up sudo ip netns exec v ip ro add 224.0.0.0/4 dev lo sudo ip netns exec v ip li add vxlan0 type vxlan id 42 group 239.1.1.1 dev lo sudo ip netns exec v ip link set vxlan0 up sudo ip netns del v where inspect by gdb: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 107] 0xffffffffa0289e33 in ?? () (gdb) bt #0 vxlan_leave_group (dev=0xffff88001bafa000) at drivers/net/vxlan.c:533 #1 vxlan_stop (dev=0xffff88001bafa000) at drivers/net/vxlan.c:1087 #2 0xffffffff812cc498 in __dev_close_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:1299 #3 0xffffffff812cd920 in dev_close_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:1335 #4 0xffffffff812cef31 in rollback_registered_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:4851 #5 0xffffffff812cf040 in unregister_netdevice_many (head=head@entry=0xffff88001f2e7dc8) at net/core/dev.c:5752 #6 0xffffffff812cf1ba in default_device_exit_batch (net_list=0xffff88001f2e7e18) at net/core/dev.c:6170 #7 0xffffffff812cab27 in cleanup_net (work=) at net/core/net_namespace.c:302 #8 0xffffffff810540ef in process_one_work (worker=0xffff88001ba9ed40, work=0xffffffff8167d020) at kernel/workqueue.c:2157 #9 0xffffffff810549d0 in worker_thread (__worker=__worker@entry=0xffff88001ba9ed40) at kernel/workqueue.c:2276 #10 0xffffffff8105870c in kthread (_create=0xffff88001f2e5d68) at kernel/kthread.c:168 #11 #12 0x0000000000000000 in ?? () #13 0x0000000000000000 in ?? () (gdb) fr 0 #0 vxlan_leave_group (dev=0xffff88001bafa000) at drivers/net/vxlan.c:533 533 struct sock *sk = vn->sock->sk; (gdb) l 528 static int vxlan_leave_group(struct net_device *dev) 529 { 530 struct vxlan_dev *vxlan = netdev_priv(dev); 531 struct vxlan_net *vn = net_generic(dev_net(dev), vxlan_net_id); 532 int err = 0; 533 struct sock *sk = vn->sock->sk; 534 struct ip_mreqn mreq = { 535 .imr_multiaddr.s_addr = vxlan->gaddr, 536 .imr_ifindex = vxlan->link, 537 }; (gdb) p vn->sock $4 = (struct socket *) 0x0 The kernel calls `vxlan_exit_net` when deleting the netns before shutting down vxlan interfaces. Later the removal of all vxlan interfaces, where `vn->sock` is already gone causes the oops. so we should manually shutdown all interfaces before deleting `vn->sock` as the patch does. Signed-off-by: Zang MingJie Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 240ca1a998995641fd681aee2641ab9b71d0eaee Author: Eric Dumazet Date: Wed Mar 6 11:02:37 2013 +0000 tun: add a missing nf_reset() in tun_net_xmit() [ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ] Dave reported following crash : general protection fault: 0000 [#1] SMP CPU 2 Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch RIP: 0010:[] [] destroy_conntrack+0x35/0x120 [nf_conntrack] RSP: 0018:ffff880276913d78 EFLAGS: 00010206 RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00 RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002 RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900 R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40 R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002 FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720) Stack: ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7 ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100 ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470 Call Trace: [] nf_conntrack_destroy+0x17/0x20 [] skb_release_head_state+0x7b/0x100 [] __kfree_skb+0x16/0xa0 [] kfree_skb+0x36/0xa0 [] skb_queue_purge+0x20/0x40 [] __tun_detach+0x117/0x140 [tun] [] tun_chr_close+0x3c/0xd0 [tun] [] __fput+0xec/0x240 [] ____fput+0xe/0x10 [] task_work_run+0xa7/0xe0 [] do_notify_resume+0x71/0xb0 [] int_signal+0x12/0x17 Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0 RIP [] destroy_conntrack+0x35/0x120 [nf_conntrack] RSP This is because tun_net_xmit() needs to call nf_reset() before queuing skb into receive_queue Reported-by: Dave Jones Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d725632acb3bd015dd6abe2bb01b11a9385f10ea Author: Neal Cardwell Date: Mon Mar 4 06:23:05 2013 +0000 tcp: fix double-counted receiver RTT when leaving receiver fast path [ Upstream commit aab2b4bf224ef8358d262f95b568b8ad0cecf0a0 ] We should not update ts_recent and call tcp_rcv_rtt_measure_ts() both before and after going to step5. That wastes CPU and double-counts the receiver-side RTT sample. Signed-off-by: Neal Cardwell Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 280b2b998f326449aa18fe3d064c012deaaeaefb Author: Lorenzo Colitti Date: Sun Mar 3 20:46:46 2013 +0000 net: ipv6: Don't purge default router if accept_ra=2 [ Upstream commit 3e8b0ac3e41e3c882222a5522d5df7212438ab51 ] Setting net.ipv6.conf..accept_ra=2 causes the kernel to accept RAs even when forwarding is enabled. However, enabling forwarding purges all default routes on the system, breaking connectivity until the next RA is received. Fix this by not purging default routes on interfaces that have accept_ra=2. Signed-off-by: Lorenzo Colitti Acked-by: YOSHIFUJI Hideaki Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 273402d99210dc44926a53c4ccdbfa6b5058753c Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 rds: limit the size allocated by rds_message_alloc() [ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ] Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b692202210dc702367c7c3502f06ff5a9a00ac4d Author: Huang, Xiong Date: Tue Feb 19 07:23:09 2013 +0000 atl1c: restore buffer state [ Upstream commit 7cb08d7f3a5ea6131f4f243c2080530ac41cb293 ] in the previous commit : f1f220ea1dda078, the BUSY state of buffer is wrongly deleted. this patch just restore it. Signed-off-by: xiong Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1c591d4dc83d1a9266434b9253641de864b1d279 Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 l2tp: Restore socket refcount when sendmsg succeeds [ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ] The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 10ad3eeffe25354f9ef7d7e530c60216f2f2e641 Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS commit 726bc6b092da4c093eb74d13c07184b18c1af0f1 upstream. Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8c3dec2949ac501a61c893c4c4958621420cbb82 Author: Guo Chao Date: Thu Feb 21 15:16:49 2013 -0800 loopdev: remove an user triggerable oops commit b1a6650406875b9097a032eed89af50682fe1160 upstream. When loopdev is built as module and we pass an invalid parameter, loop_init() will return directly without deregister misc device, which will cause an oops when insert loop module next time because we left some garbage in the misc device list. Test case: sudo modprobe loop max_part=1024 (failed due to invalid parameter) sudo modprobe loop (oops) Clean up nicely to avoid such oops. Signed-off-by: Guo Chao Cc: Alexander Viro Cc: Guo Chao Cc: M. Hindess Cc: Nikanth Karthikesan Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Jens Axboe Acked-by: Jeff Mahoney Signed-off-by: Greg Kroah-Hartman commit 26dbc5832ef354bc3cade3c4aff16025342e6708 Author: Guo Chao Date: Thu Feb 21 15:16:45 2013 -0800 loopdev: fix a deadlock commit 5370019dc2d2c2ff90e95d181468071362934f3a upstream. bd_mutex and lo_ctl_mutex can be held in different order. Path #1: blkdev_open blkdev_get __blkdev_get (hold bd_mutex) lo_open (hold lo_ctl_mutex) Path #2: blkdev_ioctl lo_ioctl (hold lo_ctl_mutex) lo_set_capacity (hold bd_mutex) Lockdep does not report it, because path #2 actually holds a subclass of lo_ctl_mutex. This subclass seems creep into the code by mistake. The patch author actually just mentioned it in the changelog, see commit f028f3b2 ("loop: fix circular locking in loop_clr_fd()"), also see: http://marc.info/?l=linux-kernel&m=123806169129727&w=2 Path #2 hold bd_mutex to call bd_set_size(), I've protected it with i_mutex in a previous patch, so drop bd_mutex at this site. Signed-off-by: Guo Chao Cc: Alexander Viro Cc: Guo Chao Cc: M. Hindess Cc: Nikanth Karthikesan Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Jens Axboe Acked-by: Jeff Mahoney Signed-off-by: Greg Kroah-Hartman commit f884319c7db711bc4778a8aa4693cc444e570486 Author: Guo Chao Date: Thu Feb 21 15:16:42 2013 -0800 block: use i_size_write() in bd_set_size() commit d646a02a9d44d1421f273ae3923d97b47b918176 upstream. blkdev_ioctl(GETBLKSIZE) uses i_size_read() to read size of block device. If we update block size directly, reader may see intermediate result in some machines and configurations. Use i_size_write() instead. Signed-off-by: Guo Chao Cc: Alexander Viro Cc: Guo Chao Cc: M. Hindess Cc: Nikanth Karthikesan Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Jens Axboe Acked-by: Jeff Mahoney Signed-off-by: Greg Kroah-Hartman commit 876f239ff1a3b1ec5a93271c333d69dcbdf9ead9 Author: Amir Vadai Date: Thu Mar 7 03:46:57 2013 +0000 net/mlx4_en: Disable RFS when running in SRIOV mode commit a229e488ac3f904d06c20d8d3f47831db3c7a15a upstream. Commit 37706996 "mlx4_en: fix allocation of CPU affinity reverse-map" fixed a bug when mlx4_dev->caps.comp_pool is larger from the device rx rings, but introduced a regression. When the mlx4_core is activating its "legacy mode" (e.g when running in SRIOV mode) w.r.t to EQs/IRQs usage, comp_pool becomes zero and we're crashing on divide by zero alloc_cpu_rmap. Fix that by enabling RFS only when running in non-legacy mode. Reported-by: Yan Burman Cc: Kleber Sacilotto de Souza Signed-off-by: Amir Vadai Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fccd456f3ce352c27b0a9906ba18c0b8d7c47d2f Author: Amir Vadai Date: Thu Jan 24 01:54:19 2013 +0000 net/mlx4_en: Initialize RFS filters lock and list in init_netdev commit 78fb2de711ec28997bf38bcf3e48e108e907be77 upstream. filters_lock might have been used while it was re-initialized. Moved filters_lock and filters_list initialization to init_netdev instead of alloc_resources which is called every time the device is configured. Signed-off-by: Amir Vadai Signed-off-by: David S. Miller Signed-off-by: Or Gerlitz Signed-off-by: Greg Kroah-Hartman commit 1e109daf3c5829cf30604377d459ff7806dca645 Author: Johan Hovold Date: Tue Feb 5 14:35:11 2013 +0100 atmel_lcdfb: fix 16-bpp modes on older SOCs commit a79eac7165ed62114e6ca197195aa5060a54f137 upstream. Fix regression introduced by commit 787f9fd23283 ("atmel_lcdfb: support 16bit BGR:565 mode, remove unsupported 15bit modes") which broke 16-bpp modes for older SOCs which use IBGR:555 (msb is intensity) rather than BGR:565. Use SOC-type to determine the pixel layout. Tested on at91sam9263 and at91sam9g45. Acked-by: Peter Korsgaard Signed-off-by: Johan Hovold Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit c442763e91ee60359ee98f6c8bec12a107766e31 Author: Sam Ravnborg Date: Mon Mar 4 21:36:24 2013 +0100 kbuild: fix make headers_check with make 3.80 commit c4619bc6fa5149a6ab39be845a39142b6a996ea5 upstream. Commit 10b63956 ("UAPI: Plumb the UAPI Kbuilds into the user header installation and checking") introduced a dependency of make 3.81 due to use of $(or ...) We do not want to lift the requirement to gmake 3.81 just yet... Included are a straightforward conversion to $(if ...) Bisected-and-tested-by: Tetsuo Handa Cc: David Howells Signed-off-by: Sam Ravnborg Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 06aaf3b3a033032d9475eebe1cbcfb6136dbfd23 Author: Brian Norris Date: Wed Mar 13 09:51:31 2013 -0700 mtd: nand: reintroduce NAND_NO_READRDY as NAND_NEED_READRDY commit 5bc7c33ca93a285dcfe7b7fd64970f6314440ad1 upstream. This partially reverts commit 1696e6bc2ae83734e64e206ac99766ea19e9a14e ("mtd: nand: kill NAND_NO_READRDY"). In that patch I overlooked a few things. The original documentation for NAND_NO_READRDY included "True for all large page devices, as they do not support autoincrement." I was conflating "not support autoincrement" with the NAND_NO_AUTOINCR option, which was in fact doing nothing. So, when I dropped NAND_NO_AUTOINCR, I concluded that I then could harmlessly drop NAND_NO_READRDY. But of course the fact the NAND_NO_AUTOINCR was doing nothing didn't mean NAND_NO_READRDY was doing nothing... So, NAND_NO_READRDY is re-introduced as NAND_NEED_READRDY and applied only to those few remaining small-page NAND which needed it in the first place. Reported-by: Alexander Shiyan Tested-by: Alexander Shiyan Signed-off-by: Brian Norris Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit b3225f59a651408f57db4a49238113384dc7c873 Author: Eric Sandeen Date: Sat Mar 9 15:18:39 2013 +0000 btrfs: use rcu_barrier() to wait for bdev puts at unmount commit bc178622d40d87e75abc131007342429c9b03351 upstream. Doing this would reliably fail with -EBUSY for me: # mount /dev/sdb2 /mnt/scratch; umount /mnt/scratch; mkfs.btrfs -f /dev/sdb2 ... unable to open /dev/sdb2: Device or resource busy because mkfs.btrfs tries to open the device O_EXCL, and somebody still has it. Using systemtap to track bdev gets & puts shows a kworker thread doing a blkdev put after mkfs attempts a get; this is left over from the unmount path: btrfs_close_devices __btrfs_close_devices call_rcu(&device->rcu, free_device); free_device INIT_WORK(&device->rcu_work, __free_device); schedule_work(&device->rcu_work); so unmount might complete before __free_device fires & does its blkdev_put. Adding an rcu_barrier() to btrfs_close_devices() causes unmount to wait until all blkdev_put()s are done, and the device is truly free once unmount completes. Signed-off-by: Eric Sandeen Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 38130595db91b30c5ff7965e393b3754077703f2 Author: Heiko Carstens Date: Mon Mar 4 14:14:11 2013 +0100 s390/mm: fix flush_tlb_kernel_range() commit f6a70a07079518280022286a1dceb797d12e1edf upstream. Our flush_tlb_kernel_range() implementation calls __tlb_flush_mm() with &init_mm as argument. __tlb_flush_mm() however will only flush tlbs for the passed in mm if its mm_cpumask is not empty. For the init_mm however its mm_cpumask has never any bits set. Which in turn means that our flush_tlb_kernel_range() implementation doesn't work at all. This can be easily verified with a vmalloc/vfree loop which allocates a page, writes to it and then frees the page again. A crash will follow almost instantly. To fix this remove the cpumask_empty() check in __tlb_flush_mm() since there shouldn't be too many mms with a zero mm_cpumask, besides the init_mm of course. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 49f3b963417563122962c47d359349a2e5b497a3 Author: Martin Schwidefsky Date: Thu Feb 28 16:28:41 2013 +0100 s390: critical section cleanup vs. machine checks commit 6551fbdfd8b85d1ab5822ac98abb4fb449bcfae0 upstream. The current machine check code uses the registers stored by the machine in the lowcore at __LC_GPREGS_SAVE_AREA as the registers of the interrupted context. The registers 0-7 of a user process can get clobbered if a machine checks interrupts the execution of a critical section in entry[64].S. The reason is that the critical section cleanup code may need to modify the PSW and the registers for the previous context to get to the end of a critical section. If registers 0-7 have to be replaced the relevant copy will be in the registers, which invalidates the copy in the lowcore. The machine check handler needs to explicitly store registers 0-7 to the stack. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 4dea73c2050856c498672b0f2f8e07287e1f773d Author: David Rientjes Date: Sun Mar 17 15:49:10 2013 -0700 perf,x86: fix link failure for non-Intel configs commit 6c4d3bc99b3341067775efd4d9d13cc8e655fd7c upstream. Commit 1d9d8639c063 ("perf,x86: fix kernel crash with PEBS/BTS after suspend/resume") introduces a link failure since perf_restore_debug_store() is only defined for CONFIG_CPU_SUP_INTEL: arch/x86/power/built-in.o: In function `restore_processor_state': (.text+0x45c): undefined reference to `perf_restore_debug_store' Fix it by defining the dummy function appropriately. Signed-off-by: David Rientjes Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit df4331e0e19abeb2630bbb0ad762dc95d1a1c0ec Author: Linus Torvalds Date: Sun Mar 17 15:44:43 2013 -0700 perf,x86: fix wrmsr_on_cpu() warning on suspend/resume commit 2a6e06b2aed6995af401dcd4feb5e79a0c7ea554 upstream. Commit 1d9d8639c063 ("perf,x86: fix kernel crash with PEBS/BTS after suspend/resume") fixed a crash when doing PEBS performance profiling after resuming, but in using init_debug_store_on_cpu() to restore the DS_AREA mtrr it also resulted in a new WARN_ON() triggering. init_debug_store_on_cpu() uses "wrmsr_on_cpu()", which in turn uses CPU cross-calls to do the MSR update. Which is not really valid at the early resume stage, and the warning is quite reasonable. Now, it all happens to _work_, for the simple reason that smp_call_function_single() ends up just doing the call directly on the CPU when the CPU number matches, but we really should just do the wrmsr() directly instead. This duplicates the wrmsr() logic, but hopefully we can just remove the wrmsr_on_cpu() version eventually. Reported-and-tested-by: Parag Warudkar Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4ebacce2043b81cf1178205b6216575ca2ca125a Author: Dan Carpenter Date: Sat Mar 16 12:48:11 2013 +0300 selinux: use GFP_ATOMIC under spin_lock commit 4502403dcf8f5c76abd4dbab8726c8e4ecb5cd34 upstream. The call tree here is: sk_clone_lock() <- takes bh_lock_sock(newsk); xfrm_sk_clone_policy() __xfrm_sk_clone_policy() clone_policy() <- uses GFP_ATOMIC for allocations security_xfrm_policy_clone() security_ops->xfrm_policy_clone_security() selinux_xfrm_policy_clone() Signed-off-by: Dan Carpenter Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 2f9969215930e3273ed9dfc7db0ffbb5d495fbc0 Author: Matt Porter Date: Tue Mar 5 10:58:22 2013 -0500 ARM: davinci: edma: fix dmaengine induced null pointer dereference on da830 commit 069552777a121eb39da29de4bc0383483dbe1f7e upstream. This adds additional error checking to the private edma api implementation to catch the case where the edma_alloc_slot() has an invalid controller parameter. The edma dmaengine wrapper driver relies on this condition being handled in order to avoid setting up a second edma dmaengine instance on DA830. Verfied using a DA850 with the second EDMA controller platform instance removed to simulate a DA830 which only has a single EDMA controller. Reported-by: Tomas Novotny Signed-off-by: Matt Porter Tested-by: Tomas Novotny Signed-off-by: Sekhar Nori Signed-off-by: Greg Kroah-Hartman commit 0fab6a93766984b3cac6e2ca61ac86090663495b Author: Aneesh Kumar K.V Date: Wed Mar 13 03:34:55 2013 +0000 powerpc: Rename USER_ESID_BITS* to ESID_BITS* commit af81d7878c641629f2693ae3fdaf74b4af14dfca upstream. Now we use ESID_BITS of kernel address to build proto vsid. So rename USER_ESIT_BITS to ESID_BITS Acked-by: Paul Mackerras Signed-off-by: Aneesh Kumar K.V Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 7684eb4f4596ca2b83932a7e9b76c5b125d7838e Author: Aneesh Kumar K.V Date: Wed Mar 13 03:34:54 2013 +0000 powerpc: Update kernel VSID range commit c60ac5693c47df32a2b4b18af97fca5635def015 upstream. This patch change the kernel VSID range so that we limit VSID_BITS to 37. This enables us to support 64TB with 65 bit VA (37+28). Without this patch we have boot hangs on platforms that only support 65 bit VA. With this patch we now have proto vsid generated as below: We first generate a 37-bit "proto-VSID". Proto-VSIDs are generated from mmu context id and effective segment id of the address. For user processes max context id is limited to ((1ul << 19) - 5) for kernel space, we use the top 4 context ids to map address as below 0x7fffc - [ 0xc000000000000000 - 0xc0003fffffffffff ] 0x7fffd - [ 0xd000000000000000 - 0xd0003fffffffffff ] 0x7fffe - [ 0xe000000000000000 - 0xe0003fffffffffff ] 0x7ffff - [ 0xf000000000000000 - 0xf0003fffffffffff ] Acked-by: Paul Mackerras Signed-off-by: Aneesh Kumar K.V Tested-by: Geoff Levand Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit ce1cd9571a1cbdd1367128843116589dfa4c8f87 Author: Aneesh Kumar K.V Date: Wed Mar 13 03:34:53 2013 +0000 powerpc: Make VSID_BITS* dependency explicit commit e39d1a471484662620651cd9520250d33843f235 upstream. VSID_BITS and VSID_BITS_1T depends on the context bits and user esid bits. Make the dependency explicit Acked-by: Paul Mackerras Signed-off-by: Aneesh Kumar K.V Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 6f49bbeb67b3f4705600ae87657bc02f3ae03934 Author: Benjamin Herrenschmidt Date: Wed Mar 13 09:55:02 2013 +1100 powerpc: Fix cputable entry for 970MP rev 1.0 commit d63ac5f6cf31c8a83170a9509b350c1489a7262b upstream. Commit 44ae3ab3358e962039c36ad4ae461ae9fb29596c forgot to update the entry for the 970MP rev 1.0 processor when moving some CPU features bits to the MMU feature bit mask. This breaks booting on some rare G5 models using that chip revision. Reported-by: Phileas Fogg Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 7ee816eb4af6d4ab2fe136dc10498be8ed908b04 Author: Benjamin Herrenschmidt Date: Wed Mar 13 09:49:06 2013 +1100 powerpc: Fix STAB initialization commit 13938117a57f88a22f0df9722a5db7271fda85cd upstream. Commit f5339277eb8d3aed37f12a27988366f68ab68930 accidentally removed more than just iSeries bits and took out the call to stab_initialize() thus breaking support for POWER3 processors. Put it back. (Yes, nobody noticed until now ...) Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 13e5abee60a34ad147545e8637ae0759a3b6c31d Author: Marcin Jurkowski Date: Sat Mar 2 14:50:15 2013 +0100 w1: fix oops when w1_search is called from netlink connector commit 9d1817cab2f030f6af360e961cc69bb1da8ad765 upstream. On Sat, Mar 02, 2013 at 10:45:10AM +0100, Sven Geggus wrote: > This is the bad commit I found doing git bisect: > 04f482faf50535229a5a5c8d629cf963899f857c is the first bad commit > commit 04f482faf50535229a5a5c8d629cf963899f857c > Author: Patrick McHardy > Date: Mon Mar 28 08:39:36 2011 +0000 Good job. I was too lazy to bisect for bad commit;) Reading the code I found problematic kthread_should_stop call from netlink connector which causes the oops. After applying a patch, I've been testing owfs+w1 setup for nearly two days and it seems to work very reliable (no hangs, no memleaks etc). More detailed description and possible fix is given below: Function w1_search can be called from either kthread or netlink callback. While the former works fine, the latter causes oops due to kthread_should_stop invocation. This patch adds a check if w1_search is serving netlink command, skipping kthread_should_stop invocation if so. Signed-off-by: Marcin Jurkowski Acked-by: Evgeniy Polyakov Cc: Josh Boyer Tested-by: Sven Geggus Signed-off-by: Greg Kroah-Hartman commit 430c2e7c43bff734a6684c0e6c0bc44c44a004e1 Author: Johan Hovold Date: Fri Mar 8 11:07:59 2013 +0100 w1-gpio: remove erroneous __exit and __exit_p() commit 01230551e7c2fb9a1c2519b356d703851049cbe0 upstream. Commit 8a1861d997 ("w1-gpio: Simplify & get rid of defines") changed (apparently unknowingly) the driver to a hotpluggable platform-device driver but did not not update the section markers for probe and remove (to __devinit/exit, which have since been removed). A later commit fixed the section mismatch for probe, but left remove marked with __exit. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit a175e80ac6b766405803486762ad38d96633f7f9 Author: Axel Lin Date: Thu Mar 14 16:27:18 2013 +0800 hwmon: (lineage-pem) Add missing terminating entry for pem_[input|fan]_attributes commit df069079c153d22adf6c28dcc0b1cf62bba75167 upstream. Signed-off-by: Axel Lin Acked-by: Jean Delvare Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit d5100b3ba633d3128c6bc64637d971ea3f39d5e0 Author: Guenter Roeck Date: Thu Feb 21 10:27:54 2013 -0800 hwmon: (pmbus/ltc2978) Fix temperature reporting commit 8c958c703ef8804093437959221951eaf0e1e664 upstream. On LTC2978, only READ_TEMPERATURE is supported. It reports the internal junction temperature. This register is unpaged. On LTC3880, READ_TEMPERATURE and READ_TEMPERATURE2 are supported. READ_TEMPERATURE is paged and reports external temperatures. READ_TEMPERATURE2 is unpaged and reports the internal junction temperature. Signed-off-by: Guenter Roeck Acked-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 7be4a00d5c4aaef6e47e8e4032aaf015e76ae6a4 Author: Johan Hovold Date: Tue Mar 12 20:21:34 2013 +0100 ARM: w1-gpio: fix erroneous gpio requests commit 2d798a3f20ae992b0b69a2b68c04ada397c32ed4 upstream. Fix regression introduced by commit d2323cf773 ("onewire: w1-gpio: add ext_pullup_enable pin in platform data") which added a gpio entry to the platform data, but did not add the required initialisers to the board files using it. Consequently, the driver would request gpio 0 at probe, which could break other uses of the corresponding pin. On AT91 requesting gpio 0 changes the pin muxing for PIOA0, which, for instance, breaks SPI0 on at91sam9g20. Signed-off-by: Johan Hovold Acked-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Greg Kroah-Hartman commit 6ec54bb6040ff10c575c505c564182841e0dda1e Author: Takashi Iwai Date: Fri Mar 8 18:11:17 2013 +0100 ALSA: seq: Fix missing error handling in snd_seq_timer_open() commit 66efdc71d95887b652a742a5dae51fa834d71465 upstream. snd_seq_timer_open() didn't catch the whole error path but let through if the timer id is a slave. This may lead to Oops by accessing the uninitialized pointer. BUG: unable to handle kernel NULL pointer dereference at 00000000000002ae IP: [] snd_seq_timer_open+0xe7/0x130 PGD 785cd067 PUD 76964067 PMD 0 Oops: 0002 [#4] SMP CPU 0 Pid: 4288, comm: trinity-child7 Tainted: G D W 3.9.0-rc1+ #100 Bochs Bochs RIP: 0010:[] [] snd_seq_timer_open+0xe7/0x130 RSP: 0018:ffff88006ece7d38 EFLAGS: 00010246 RAX: 0000000000000286 RBX: ffff88007851b400 RCX: 0000000000000000 RDX: 000000000000ffff RSI: ffff88006ece7d58 RDI: ffff88006ece7d38 RBP: ffff88006ece7d98 R08: 000000000000000a R09: 000000000000fffe R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8800792c5400 R14: 0000000000e8f000 R15: 0000000000000007 FS: 00007f7aaa650700(0000) GS:ffff88007f800000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000002ae CR3: 000000006efec000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process trinity-child7 (pid: 4288, threadinfo ffff88006ece6000, task ffff880076a8a290) Stack: 0000000000000286 ffffffff828f2be0 ffff88006ece7d58 ffffffff810f354d 65636e6575716573 2065756575712072 ffff8800792c0030 0000000000000000 ffff88006ece7d98 ffff8800792c5400 ffff88007851b400 ffff8800792c5520 Call Trace: [] ? trace_hardirqs_on+0xd/0x10 [] snd_seq_queue_timer_open+0x29/0x70 [] snd_seq_ioctl_set_queue_timer+0xda/0x120 [] snd_seq_do_ioctl+0x9b/0xd0 [] snd_seq_ioctl+0x10/0x20 [] do_vfs_ioctl+0x522/0x570 [] ? file_has_perm+0x83/0xa0 [] ? trace_hardirqs_on+0xd/0x10 [] sys_ioctl+0x5d/0xa0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b Reported-and-tested-by: Tommi Rantala Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d9877b6c7c867101f4315356d48fec6eee91d2ea Author: Stephane Eranian Date: Fri Mar 15 14:26:07 2013 +0100 perf,x86: fix kernel crash with PEBS/BTS after suspend/resume commit 1d9d8639c063caf6efc2447f5f26aa637f844ff6 upstream. This patch fixes a kernel crash when using precise sampling (PEBS) after a suspend/resume. Turns out the CPU notifier code is not invoked on CPU0 (BP). Therefore, the DS_AREA (used by PEBS) is not restored properly by the kernel and keeps it power-on/resume value of 0 causing any PEBS measurement to crash when running on CPU0. The workaround is to add a hook in the actual resume code to restore the DS Area MSR value. It is invoked for all CPUS. So for all but CPU0, the DS_AREA will be restored twice but this is harmless. Reported-by: Linus Torvalds Signed-off-by: Stephane Eranian Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 48a8c582c126b6dc18e165b240b29d7319e13739 Author: Sebastian Hesselbarth Date: Wed Jan 30 21:29:58 2013 +0100 ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels commit 7bf5b408b419fc849578e6e9fbd221bf43638eb6 upstream. The ethernet controller used on kirkwood looses its MAC address register contents when the corresponding clock is gated. As soon as mv643xx_eth is built as module, the clock gets gated and when loading the module, the MAC address is gone. Proper DT support for the mv643xx_eth driver is expected soon, so we add a workaround to always enable ge0/ge1 clocks on kirkwood. This workaround is also already used on non-DT kirkwood kernels. Reported-by: Simon Baatz Signed-off-by: Sebastian Hesselbarth Tested-by: Simon Baatz Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit f2ebfa449f40a0dc0ff35ab35a35744c4d249b82 Author: Scott Ashcroft Date: Sun Mar 3 21:35:06 2013 +0000 Fix 4 port and add support for 8 port 'Unknown' PCI serial port cards commit d13402a4a944e72612a9ec5c9190e35717c02a9d upstream. I've managed to find an 8 port version of the card 4 port card which was discussed here: http://marc.info/?l=linux-serial&m=120760744205314&w=2 Looking back at that thread there were two issues in the original patch. 1) The I/O ports for the UARTs are within BAR2 not BAR0. This can been seen in the original post. 2) A serial quirk isn't needed as these cards have no memory in BAR0 which makes pci_plx9050_init just return. This patch fixes the 4 port support to use BAR2, removes the bogus quirk and adds support for the 8 port card. $ lspci -vvv -n -s 00:08.0 00:08.0 0780: 10b5:9050 (rev 01) Subsystem: 10b5:1588 Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR- Kernel driver in use: serial $ dmesg | grep 0000:00:08.0: [ 0.083320] pci 0000:00:08.0: [10b5:9050] type 0 class 0x000780 [ 0.083355] pci 0000:00:08.0: reg 14: [io 0xff00-0xff7f] [ 0.083369] pci 0000:00:08.0: reg 18: [io 0xfe00-0xfe3f] [ 0.083382] pci 0000:00:08.0: reg 1c: [io 0xfd00-0xfd07] [ 0.083460] pci 0000:00:08.0: PME# supported from D0 D3hot [ 1.212867] 0000:00:08.0: ttyS4 at I/O 0xfe00 (irq = 17) is a 16550A [ 1.233073] 0000:00:08.0: ttyS5 at I/O 0xfe08 (irq = 17) is a 16550A [ 1.253270] 0000:00:08.0: ttyS6 at I/O 0xfe10 (irq = 17) is a 16550A [ 1.273468] 0000:00:08.0: ttyS7 at I/O 0xfe18 (irq = 17) is a 16550A [ 1.293666] 0000:00:08.0: ttyS8 at I/O 0xfe20 (irq = 17) is a 16550A [ 1.313863] 0000:00:08.0: ttyS9 at I/O 0xfe28 (irq = 17) is a 16550A [ 1.334061] 0000:00:08.0: ttyS10 at I/O 0xfe30 (irq = 17) is a 16550A [ 1.354258] 0000:00:08.0: ttyS11 at I/O 0xfe38 (irq = 17) is a 16550A Signed-off-by: Scott Ashcroft Signed-off-by: Greg Kroah-Hartman commit 3c39ecfd0ed5671344845f2c866e73103d8361a0 Author: Jiri Slaby Date: Tue Jan 15 23:26:22 2013 +0100 TTY: do not reset master's packet mode commit b81273a132177edd806476b953f6afeb17b786d5 upstream. Now that login from util-linux is forced to drop all references to a TTY which it wants to hangup (to reach reference count 1) we are seeing issues with telnet. When login closes its last reference to the slave PTY, it also resets packet mode on the *master* side. And we have a race here. What telnet does is fork+exec of `login'. Then there are two scenarios: * `login' closes the slave TTY and resets thus master's packet mode, but even now telnet properly sets the mode, or * `telnetd' sets packet mode on the master, `login' closes the slave TTY and resets master's packet mode. The former case is OK. However the latter happens in much more cases, by the order of magnitude to be precise. So when one tries to login to such a messed telnet setup, they see the following: inux login: ogin incorrect Note the missing first letters -- telnet thinks it is still in the packet mode, so when it receives "linux login" from `login', it considers "l" as the type of the packet and strips it. SuS does not mention how the implementation should behave. Both BSDs I checked (Free and Net) do not reset the flag upon the last close. By this I am resurrecting an old bug, see References. We are hitting it regularly now, i.e. with updated util-linux, ergo login. Here, I am changing a behavior introduced back in 2.1 times. It would better have a long time testing before goes upstream. Signed-off-by: Jiri Slaby Cc: Mauro Carvalho Chehab Cc: Bryan Mason References: https://lkml.org/lkml/2009/11/11/223 References: https://bugzilla.redhat.com/show_bug.cgi?id=504703 References: https://bugzilla.novell.com/show_bug.cgi?id=797042 Signed-off-by: Greg Kroah-Hartman commit 34cc65c1b46e25d24eb4744be0b62541869a2bd0 Author: Jiri Slaby Date: Wed Feb 27 22:30:24 2013 +0100 TTY: disable debugging warning commit 34dcfb8479ab3c3669561eb9279284cb0eda2572 upstream. We added a warning to flush_to_ldisc to report cases when it is called with a NULL tty. It was for debugging purposes and it lead to a patchset from Peter Hurley. The patchset however did not make it to 3.9, so disable the warning now to not disturb people. We can re-add it when the series is in and we are hunting for another bugs. Reported-by: David Miller Signed-off-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit ec99e285dbd0dfc65495b459b57b35e1ce5dc55c Author: Ley Foon Tan Date: Thu Mar 7 10:28:37 2013 +0800 tty/serial: Add support for Altera serial port commit e06c93cacb82dd147266fd1bdb2d0a0bd45ff2c1 upstream. Add support for Altera 8250/16550 compatible serial port. Signed-off-by: Ley Foon Tan Signed-off-by: Greg Kroah-Hartman commit 53b90339a62ec1d726130a4ad273d826ebefc04d Author: Paul Bolle Date: Tue Mar 12 10:10:32 2013 +0100 tty: serial: fix typo "SERIAL_S3C2412" commit c51d41a1dd8f23a06a4ed651ebb9617de7f59368 upstream. The Kconfig symbol SERIAL_S3C2412 got removed in commit da121506eb03ee5daea55404709110b798bd61d9 ("serial: samsung: merge probe() function from all SoC specific extensions"). But it also added a last reference to that symbol. The commit and the tree make clear that CPU_S3C2412 should have been used instead. Signed-off-by: Paul Bolle Signed-off-by: Greg Kroah-Hartman commit ce05554900c8b8f9c68988c5823428f8730ed445 Author: Paul Bolle Date: Sat Mar 9 23:16:44 2013 +0100 tty: serial: fix typo "ARCH_S5P6450" commit 827aa0d36d486f359808c8fb931cf7a71011a09d upstream. This could have been either ARCH_S5P64X0 or CPU_S5P6450. Looking at commit 2555e663b367b8d555e76023f4de3f6338c28d6c ("ARM: S5P64X0: Add UART serial support for S5P6450") - which added this typo - makes clear this should be CPU_S5P6450. Signed-off-by: Paul Bolle Acked-by: Kukjin Kim Signed-off-by: Greg Kroah-Hartman commit 9858f47888317bf404d73715cfe8746df95ab351 Author: Wang YanQing Date: Fri Mar 1 11:47:20 2013 +0800 serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366 upstream. 01:08.0 Communication controller: NetMos Technology PCI 9835 Multi-I/O Controller (rev 01) Subsystem: Device [1000:0012] Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR- Signed-off-by: Greg Kroah-Hartman commit afe509cd07fb6af0356b7c49a96fc4bb1dbf5210 Author: Josh Boyer Date: Sun Mar 10 10:33:40 2013 -0400 serial: 8250: Keep 8250. module options functional after driver rename commit f2b8dfd9e480c3db3bad0c25c590a5d11b31f4ef upstream. With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the 8250 driver was renamed to 8250_core. This means any existing usage of the 8259. module parameters or as a kernel command line switch is now broken, as the 8250_core driver doesn't parse options belonging to something called "8250". To solve this, we redefine the module options in a dummy function using a redefined MODULE_PARAM_PREFX when built into the kernel. In the case where we're building as a module, we provide an alias to the old 8250 name. The dummy function prevents compiler errors due to global variable redefinitions that happen as part of the module_param_ macro expansions. Signed-off-by: Josh Boyer Acked-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit eec98f82c63730d039e4a87f623cfcf5ac612683 Author: Sean Young Date: Fri Feb 22 16:27:19 2013 +0000 tty/8250_pnp: serial port detection regression since v3.7 commit 77e372a3d82e5e4878ce1962207edd766773cc76 upstream. The InsydeH2O BIOS (version dated 09/12/2011) has the following in its pnp resouces for its serial ports: $ cat /sys/bus/pnp/devices/00:0b/resources state = active io disabled irq disabled We do not check if the resources are disabled, and create a bogus ttyS* device. Since commit 835d844d1a28e (8250_pnp: do pnp probe before legacy probe) we get a bogus ttyS0, which prevents the legacy probe from detecting it. Note, the BIOS can also be upgraded, fixing this problem, but for people who can't do that, this fix is needed. Reported-by: Vincent Deffontaines Tested-by: Vincent Deffontaines Signed-off-by: Sean Young Signed-off-by: Greg Kroah-Hartman commit 3d1e1dba617554975426e7c7477321bd26f71789 Author: Lars-Peter Clausen Date: Sat Mar 9 15:28:44 2013 +0100 ext3: Fix format string issues commit 8d0c2d10dd72c5292eda7a06231056a4c972e4cc upstream. ext3_msg() takes the printk prefix as the second parameter and the format string as the third parameter. Two callers of ext3_msg omit the prefix and pass the format string as the second parameter and the first parameter to the format string as the third parameter. In both cases this string comes from an arbitrary source. Which means the string may contain format string characters, which will lead to undefined and potentially harmful behavior. The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages in ext3") and is fixed by this patch. Signed-off-by: Lars-Peter Clausen Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit cdef9602fbf1871a43f0f1b5cea10dd0f275167d Author: Kees Cook Date: Wed Mar 13 14:59:33 2013 -0700 signal: always clear sa_restorer on execve commit 2ca39528c01a933f6689cd6505ce65bd6d68a530 upstream. When the new signal handlers are set up, the location of sa_restorer is not cleared, leaking a parent process's address space location to children. This allows for a potential bypass of the parent's ASLR by examining the sa_restorer value returned when calling sigaction(). Based on what should be considered "secret" about addresses, it only matters across the exec not the fork (since the VMAs haven't changed until the exec). But since exec sets SIG_DFL and keeps sa_restorer, this is where it should be fixed. Given the few uses of sa_restorer, a "set" function was not written since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, as already done in other places. Example of the leak before applying this patch: $ cat /proc/$$/maps ... 7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so ... $ ./leak ... 7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so ... 1 0 (nil) 0x7fb9f30b94a0 2 4000000 (nil) 0x7f278bcaa4a0 3 4000000 (nil) 0x7f278bcaa4a0 4 0 (nil) 0x7fb9f30b94a0 ... [akpm@linux-foundation.org: use SA_RESTORER for backportability] Signed-off-by: Kees Cook Reported-by: Emese Revfy Cc: Emese Revfy Cc: PaX Team Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Julien Tinnes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d9d69bf5a076f683e6dbbd48488f401842502ccc Author: Dan Williams Date: Wed Mar 13 09:58:18 2013 -0500 qcserial: bind to DM/DIAG port on Gobi 1K devices commit 3f8bc5e4da29c7e05edeca6b475abb4fb01a5a13 upstream. Turns out we just need altsetting 1 and then we can talk to it. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 79ba4d02f6b7945dfb3a4a05850305b1d34f92bf Author: Ian Abbott Date: Tue Mar 5 13:13:44 2013 +0000 staging: comedi: dt9812: use CR_CHAN() for channel number commit 564c526a1bed5e42b5cd52cfe1752c4296ef17a6 upstream. As pointed out by Dan Carpenper in , the dt9812 comedi driver's use of the `chanspec` member of `struct comedi_insn` as a channel number is incorrect. Change it to use `CR_CHAN(insn->chanspec)` as the channel number (where `insn` is a pointer to the `struct comedi_insn` being processed). Reported-by: Dan Carpenter Cc: Anders Blomdell Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 6564af05b6f7e0e0519182153cfc408256803b53 Author: Malcolm Priestley Date: Mon Feb 18 19:54:18 2013 +0000 staging: vt6656: Fix oops on resume from suspend. commit 6987a6dabfc40222ef767f67b57212fe3a0225fb upstream. Remove usb_put_dev from vt6656_suspend and usb_get_dev from vt6566_resume. These are not normally in suspend/resume functions. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit a1428c9a2c52ef76cbdf7ac724dc04f65586a7db Author: Alan Stern Date: Fri Mar 1 10:51:15 2013 -0500 USB: EHCI: don't check DMA values in QH overlays commit feca7746d5d9e84b105a613b7f3b6ad00d327372 upstream. This patch (as1661) fixes a rather obscure bug in ehci-hcd. In a couple of places, the driver compares the DMA address stored in a QH's overlay region with the address of a particular qTD, in order to see whether that qTD is the one currently being processed by the hardware. (If it is then the status in the QH's overlay region is more up-to-date than the status in the qTD, and if it isn't then the overlay's value needs to be adjusted when the QH is added back to the active schedule.) However, DMA address in the overlay region isn't always valid. It sometimes will contain a stale value, which may happen by coincidence to be equal to a qTD's DMA address. Instead of checking the DMA address, we should check whether the overlay region is active and valid. The patch tests the ACTIVE bit in the overlay, and clears this bit when the overlay becomes invalid (which happens when the currently-executing URB is unlinked). This is the second part of a fix for the regression reported at: https://bugs.launchpad.net/bugs/1088733 Signed-off-by: Alan Stern Reported-by: Joseph Salisbury Reported-and-tested-by: Stephen Thirlwall Signed-off-by: Greg Kroah-Hartman commit 3061b2346551defff86cb69cb9428f4ef00e23de Author: Bjørn Mork Date: Mon Mar 4 14:19:21 2013 +0100 USB: storage: fix Huawei mode switching regression commit ab4b71644a26d1ab92b987b2fd30e17c25e89f85 upstream. This reverts commit 200e0d99 ("USB: storage: optimize to match the Huawei USB storage devices and support new switch command" and the followup bugfix commit cd060956 ("USB: storage: properly handle the endian issues of idProduct"). The commit effectively added a large number of Huawei devices to the deprecated usb-storage mode switching logic. Many of these devices have been in use and supported by the userspace usb_modeswitch utility for years. Forcing the switching inside the kernel causes a number of regressions as a result of ignoring existing onfigurations, and also completely takes away the ability to configure mode switching per device/system/user. Known regressions caused by this: - Some of the devices support multiple modes, using different switching commands. There are existing configurations taking advantage of this. - There is a real use case for disabling mode switching and instead mounting the exposed storage device. This becomes impossible with switching logic inside the usb-storage driver. - At least on device fail as a result of the usb-storage switching command, becoming completely unswitchable. This is possibly a firmware bug, but still a regression because the device work as expected using usb_modeswitch defaults. In-kernel mode switching was deprecated years ago with the development of the more user friendly userspace alternatives. The existing list of devices in usb-storage was only kept to prevent breaking already working systems. The long term plan is to remove the list, not to add to it. Ref: http://permalink.gmane.org/gmane.linux.usb.general/28543 Signed-off-by: Bjørn Mork Cc: Signed-off-by: Greg Kroah-Hartman commit a13bd66c1ff4b340f0d1618a5d36e517ccbc8fb5 Author: Steve Conklin Date: Thu Mar 7 17:19:33 2013 -0600 usb: serial: Add Rigblaster Advantage to device table commit a57e82a18779ab8a5e5a1f5841cef937cf578913 upstream. The Rigblaster Advantage is an amateur radio interface sold by West Mountain Radio. It contains a cp210x serial interface but the device ID is not in the driver. Signed-off-by: Steve Conklin Signed-off-by: Greg Kroah-Hartman commit 728abbd3b61f8779b915fb284201832eaaa493c9 Author: Christian Schmiedl Date: Wed Mar 6 17:08:50 2013 +0100 USB: added support for Cinterion's products AH6 and PLS8 commit 1941138e1c024ecb5bd797d414928d3eb94d8662 upstream. add support for Cinterion's products AH6 and PLS8 by adding Product IDs and USB_DEVICE tuples. Signed-off-by: Christian Schmiedl Signed-off-by: Greg Kroah-Hartman commit 0f22ac8b11d6c6eb0d20dc02ccdcf66441db287c Author: Matwey V. Kornilov Date: Sat Mar 9 13:57:32 2013 +0400 usb: cp210x new Vendor/Device IDs commit be3101c23394af59694c8a2aae6d07f5da62fea5 upstream. This patch adds support for the Lake Shore Cryotronics devices to the CP210x driver. These lines are ported from cp210x driver distributed by Lake Shore web site: http://www.lakeshore.com/Documents/Lake%20Shore%20cp210x-3.0.0.tar.gz and licensed under the terms of GPLv2. Moreover, I've tested this changes with Lake Shore 335 in my labs. Signed-off-by: Matwey V. Kornilov Signed-off-by: Greg Kroah-Hartman commit d6539025b73f46c486c6c06f87b778ab3e93e8f8 Author: Felipe Balbi Date: Fri Feb 8 15:14:16 2013 +0200 usb: dwc3: core: don't forget to free coherent memory commit d9b4330adec006c2e8907bdcacd9dcc0e8874d18 upstream. commit 3921426 (usb: dwc3: core: move event buffer allocation out of dwc3_core_init()) introduced a memory leak of the coherent memory we use as event buffers on dwc3 driver. If the driver is compiled as a dynamically loadable module and use constantly loads and unloads the driver, we will continue to leak the coherent memory allocated during ->probe() because dwc3_free_event_buffers() is never called during ->remove(). Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit ee30bf86f6a7f6f8524f64852af01edff6ba231c Author: Maxin B. John Date: Thu Feb 21 01:57:51 2013 +0200 tools: usb: ffs-test: Fix build failure commit a0f11aceee531d444f58b939e6a537ee5e2b9cc5 upstream. Fixes this build failure: gcc -Wall -Wextra -g -lpthread -I../include -o testusb testusb.c gcc -Wall -Wextra -g -lpthread -I../include -o ffs-test ffs-test.c In file included from ffs-test.c:41:0: ../../include/linux/usb/functionfs.h:4:39: fatal error: uapi/linux/usb/functionfs.h: No such file or directory compilation terminated. make: *** [ffs-test] Error 1 Signed-off-by: Maxin B. John Acked-by: Michal Nazarewicz Signed-off-by: Greg Kroah-Hartman commit d30aea02153faaf6cfa99f688b0908644149508f Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 USB: cdc-wdm: fix buffer overflow commit c0f5ecee4e741667b2493c742b60b6218d40b3aa upstream. The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 69bb733b13475489b636ff970465b5f862eed995 Author: Bjørn Mork Date: Wed Feb 27 15:52:56 2013 +0100 USB: option: add Huawei E5331 commit daec90e7382cbd0e73eb6861109b3da91e5ab1f3 upstream. Another device using CDC ACM with vendor specific protocol to mark serial functions. Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 87dcef49efd69d89b4ca02f1739a3445b366e9df Author: Amit Shah Date: Fri Mar 8 11:30:18 2013 +1100 virtio: rng: disallow multiple device registrations, fixes crashes commit e84e7a56a3aa2963db506299e29a5f3f09377f9b upstream. The code currently only supports one virtio-rng device at a time. Invoking guests with multiple devices causes the guest to blow up. Check if we've already registered and initialised the driver. Also cleanup in case of registration errors or hot-unplug so that a new device can be used. Reported-by: Peter Krempa Reported-by: Signed-off-by: Amit Shah Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit 05b96a05942994ed9748d6ef8a18361fb195c238 Author: Konrad Rzeszutek Wilk Date: Tue Mar 5 13:14:19 2013 -0500 xen/pciback: Don't disable a PCI device that is already disabled. commit bdc5c1812cea6efe1aaefb3131fcba28cd0b2b68 upstream. While shuting down a HVM guest with pci devices passed through we get this: pciback 0000:04:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100002) ------------[ cut here ]------------ WARNING: at drivers/pci/pci.c:1397 pci_disable_device+0x88/0xa0() Hardware name: MS-7640 Device pciback disabling already-disabled device Modules linked in: Pid: 53, comm: xenwatch Not tainted 3.9.0-rc1-20130304a+ #1 Call Trace: [] warn_slowpath_common+0x7a/0xc0 [] warn_slowpath_fmt+0x41/0x50 [] pci_disable_device+0x88/0xa0 [] xen_pcibk_reset_device+0x37/0xd0 [] ? pcistub_put_pci_dev+0x6f/0x120 [] pcistub_put_pci_dev+0x8d/0x120 [] __xen_pcibk_release_devices+0x59/0xa0 This fixes the bug. Reported-and-Tested-by: Sander Eikelenboom Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 84dbec4762df287cd234e86beb2ffddd981b13c7 Author: Dan Williams Date: Tue Feb 19 09:47:09 2013 -0600 qcaux: add Franklin U600 commit 2d90e63603ac235aecd7d20e234616e0682c8b1f upstream. 4 ports; AT/PPP is standard CDC-ACM. The other three (added by this patch) are QCDM/DIAG, possibly GPS, and unknown. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman