commit c32b33d6d757f244ffa570478bd43a12f2ad5c77 Author: Greg Kroah-Hartman Date: Sun Oct 28 10:57:51 2012 -0700 Linux 3.6.4 commit 3ae3dacc90a358dc113b565ddb1f4560d68109b1 Author: Thomas Pedersen Date: Fri Oct 5 17:57:39 2012 -0700 mac80211: call drv_get_tsf() in sleepable context commit 55fabefe3695241e6ccfa0cd4974f3fa497693dc upstream. The call to drv_get/set_tsf() was put on the workqueue to perform tsf adjustments since that function might sleep. However it ended up inside a spinlock, whose critical section must be atomic. Do tsf adjustment outside the spinlock instead, and get rid of a warning. Signed-off-by: Thomas Pedersen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 060672c399c00f09d8e238756c1853a4c870b48a Author: David S. Miller Date: Tue Oct 16 13:05:25 2012 -0700 sparc64: Fix bit twiddling in sparc_pmu_enable_event(). [ Upstream commit e793d8c6740f8fe704fa216e95685f4d92c4c4b9 ] There was a serious disconnect in the logic happening in sparc_pmu_disable_event() vs. sparc_pmu_enable_event(). Event disable is implemented by programming a NOP event into the PCR. However, event enable was not reversing this operation. Instead, it was setting the User/Priv/Hypervisor trace enable bits. That's not sparc_pmu_enable_event()'s job, that's what sparc_pmu_enable() and sparc_pmu_disable() do . The intent of sparc_pmu_enable_event() is clear, since it first clear out the event type encoding field. So fix this by OR'ing in the event encoding rather than the trace enable bits. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f386dbc80c65fe40a5a76806358a5e565086e23c Author: David S. Miller Date: Sun Oct 14 17:59:40 2012 -0700 sparc64: Like x86 we should check current->mm during perf backtrace generation. [ Upstream commit 08280e6c4c2e8049ac61d9e8e3536ec1df629c0d ] If the MM is not active, only report the top-level PC. Do not try to access the address space. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8f3d8be7a7259de7cff4ffa1eec1894ddc1a4397 Author: Al Viro Date: Wed Oct 10 17:25:00 2012 -0700 sparc64: fix ptrace interaction with force_successful_syscall_return() [ Upstream commit 55c2770e413e96871147b9406a9c41fe9bc5209c ] we want syscall_trace_leave() called on exit from any syscall; skipping its call in case we'd done force_successful_syscall_return() is broken... Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8ca3905dc049794f2ada11abe8252a8cde734952 Author: Eric Dumazet Date: Tue Oct 16 07:37:27 2012 +0000 ipv6: addrconf: fix /proc/net/if_inet6 [ Upstream commit 9f0d3c2781baa1102108e16efbe640dd74564a7c ] Commit 1d5783030a1 (ipv6/addrconf: speedup /proc/net/if_inet6 filling) added bugs hiding some devices from if_inet6 and breaking applications. "ip -6 addr" could still display all IPv6 addresses, while "ifconfig -a" couldnt. One way to reproduce the bug is by starting in a shell : unshare -n /bin/bash ifconfig lo up And in original net namespace, lo device disappeared from if_inet6 Reported-by: Jan Hinnerk Stosch Tested-by: Jan Hinnerk Stosch Signed-off-by: Eric Dumazet Cc: Mihai Maruseac Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f124c052cdd3c8bafd62c2d8d98b90a16a688e7e Author: Alexey Kuznetsov Date: Fri Oct 12 04:34:17 2012 +0000 tcp: resets are misrouted [ Upstream commit 4c67525849e0b7f4bd4fab2487ec9e43ea52ef29 ] After commit e2446eaa ("tcp_v4_send_reset: binding oif to iif in no sock case").. tcp resets are always lost, when routing is asymmetric. Yes, backing out that patch will result in misrouting of resets for dead connections which used interface binding when were alive, but we actually cannot do anything here. What's died that's died and correct handling normal unbound connections is obviously a priority. Comment to comment: > This has few benefits: > 1. tcp_v6_send_reset already did that. It was done to route resets for IPv6 link local addresses. It was a mistake to do so for global addresses. The patch fixes this as well. Actually, the problem appears to be even more serious than guaranteed loss of resets. As reported by Sergey Soloviev , those misrouted resets create a lot of arp traffic and huge amount of unresolved arp entires putting down to knees NAT firewalls which use asymmetric routing. Signed-off-by: Alexey Kuznetsov Signed-off-by: Greg Kroah-Hartman commit 0b5b763426e93ed843aad22101265f0f975e48a5 Author: jeff.liu Date: Mon Oct 8 18:57:27 2012 +0000 RDS: fix rds-ping spinlock recursion [ Upstream commit 5175a5e76bbdf20a614fb47ce7a38f0f39e70226 ] This is the revised patch for fixing rds-ping spinlock recursion according to Venkat's suggestions. RDS ping/pong over TCP feature has been broken for years(2.6.39 to 3.6.0) since we have to set TCP cork and call kernel_sendmsg() between ping/pong which both need to lock "struct sock *sk". However, this lock has already been hold before rds_tcp_data_ready() callback is triggerred. As a result, we always facing spinlock resursion which would resulting in system panic. Given that RDS ping is only used to test the connectivity and not for serious performance measurements, we can queue the pong transmit to rds_wq as a delayed response. Reported-by: Dan Carpenter CC: Venkat Venkatsubra CC: David S. Miller CC: James Morris Signed-off-by: Jie Liu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c4e6940cc12c1cac1e8664a2a46ef01f0783c69c Author: Julian Anastasov Date: Mon Oct 8 11:41:20 2012 +0000 ipvs: fix ARP resolving for direct routing mode [ Upstream commit ad4d3ef8b7eb527cca478dc08c02c10936e64115 ] After the change "Make neigh lookups directly in output packet path" (commit a263b30936) IPVS can not reach the real server for DR mode because we resolve the destination address from IP header, not from route neighbour. Use the new FLOWI_FLAG_KNOWN_NH flag to request output routes with known nexthop, so that it has preference on resolving. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1f6cc51c46ed910f8f68d4f3359ad3bca7ee7bc2 Author: Julian Anastasov Date: Mon Oct 8 11:41:19 2012 +0000 ipv4: Add FLOWI_FLAG_KNOWN_NH [ Upstream commit c92b96553a80c1dbe2ebe128bbe37c8f98f148bf ] Add flag to request that output route should be returned with known rt_gateway, in case we want to use it as nexthop for neighbour resolving. The returned route can be cached as follows: - in NH exception: because the cached routes are not shared with other destinations - in FIB NH: when using gateway because all destinations for NH share same gateway As last option, to return rt_gateway!=0 we have to set DST_NOCACHE. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 87a2496fa427fd98aafb6d4dcf263a9f35f2f49c Author: Julian Anastasov Date: Mon Oct 8 11:41:18 2012 +0000 ipv4: introduce rt_uses_gateway [ Upstream commit 155e8336c373d14d87a7f91e356d85ef4b93b8f9 ] Add new flag to remember when route is via gateway. We will use it to allow rt_gateway to contain address of directly connected host for the cases when DST_NOCACHE is used or when the NH exception caches per-destination route without DST_NOCACHE flag, i.e. when routes are not used for other destinations. By this way we force the neighbour resolving to work with the routed destination but we can use different address in the packet, feature needed for IPVS-DR where original packet for virtual IP is routed via route to real IP. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c82f64b90308bcb10b3862be0515d1b0efc8f928 Author: Julian Anastasov Date: Mon Oct 8 11:41:17 2012 +0000 ipv4: make sure nh_pcpu_rth_output is always allocated [ Upstream commit f8a17175c63fd3e8b573719f7538816f8c96abf4 ] Avoid checking nh_pcpu_rth_output in fast path, abort fib_info creation on alloc_percpu failure. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 77470c37d5aa126548d5901a1e459ebabdac6308 Author: Julian Anastasov Date: Mon Oct 8 11:41:16 2012 +0000 ipv4: fix forwarding for strict source routes [ Upstream commit e0adef0f7456d5d3a3bfe8ea61c7dddf146b40e1 ] After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) rt_gateway can be 0 but ip_forward() compares it directly with nexthop. What we want here is to check if traffic is to directly connected nexthop and to fail if using gateway. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit da7819a17b178d73b207439dc3ca537b0d72b984 Author: Julian Anastasov Date: Mon Oct 8 11:41:15 2012 +0000 ipv4: fix sending of redirects [ Upstream commit e81da0e113a1b7fc7449ae6213f65f89ccac6d06 ] After "Cache input routes in fib_info nexthops" (commit d2d68ba9fe) and "Elide fib_validate_source() completely when possible" (commit 7a9bc9b81a) we can not send ICMP redirects. It seems we should not cache the RTCF_DOREDIRECT flag in nh_rth_input because the same fib_info can be used for traffic that is not redirected, eg. from other input devices or from sources that are not in same subnet. As result, we have to disable the caching of RTCF_DOREDIRECT flag and to force source validation for the case when forwarding traffic to the input device. If traffic comes from directly connected source we allow redirection as it was done before both changes. Avoid setting RTCF_DOREDIRECT if IN_DEV_TX_REDIRECTS is disabled, this can avoid source address validation and to help caching the routes. After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) we should make sure our ICMP_REDIR_HOST messages contain daddr instead of 0.0.0.0 when target is directly connected. Signed-off-by: Julian Anastasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9f6bf366262af645ad1b8e12f241fc692d0a617b Author: Florian Zumbiehl Date: Sun Oct 7 15:51:58 2012 +0000 vlan: don't deliver frames for unknown vlans to protocols [ Upstream commit 48cc32d38a52d0b68f91a171a8d00531edc6a46e ] 6a32e4f9dd9219261f8856f817e6655114cfec2f made the vlan code skip marking vlan-tagged frames for not locally configured vlans as PACKET_OTHERHOST if there was an rx_handler, as the rx_handler could cause the frame to be received on a different (virtual) vlan-capable interface where that vlan might be configured. As rx_handlers do not necessarily return RX_HANDLER_ANOTHER, this could cause frames for unknown vlans to be delivered to the protocol stack as if they had been received untagged. For example, if an ipv6 router advertisement that's tagged for a locally not configured vlan is received on an interface with macvlan interfaces attached, macvlan's rx_handler returns RX_HANDLER_PASS after delivering the frame to the macvlan interfaces, which caused it to be passed to the protocol stack, leading to ipv6 addresses for the announced prefix being configured even though those are completely unusable on the underlying interface. The fix moves marking as PACKET_OTHERHOST after the rx_handler so the rx_handler, if there is one, sees the frame unchanged, but afterwards, before the frame is delivered to the protocol stack, it gets marked whether there is an rx_handler or not. Signed-off-by: Florian Zumbiehl Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 18850d74d599a447b22b05600b13d51238f92a3e Author: Graham Gower Date: Mon Oct 8 08:34:50 2012 +0000 skge: Add DMA mask quirk for Marvell 88E8001 on ASUS P5NSLI motherboard [ Upstream commit a2af139ff1cd85df586690ff626619ab1ee88b0a ] Marvell 88E8001 on an ASUS P5NSLI motherboard is unable to send/receive packets on a system with >4gb ram unless a 32bit DMA mask is used. This issue has been around for years and a fix was sent 3.5 years ago, but there was some debate as to whether it should instead be fixed as a PCI quirk. http://www.spinics.net/lists/netdev/msg88670.html However, 18 months later a similar workaround was introduced for another chipset exhibiting the same problem. http://www.spinics.net/lists/netdev/msg142287.html Signed-off-by: Graham Gower Signed-off-by: Jan Ceuleers Acked-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0dbade79f4fbb1035c3c846cdd358a67db67a2ce Author: Steffen Klassert Date: Mon Oct 8 00:56:54 2012 +0000 ipv4: Don't report stale pmtu values to userspace [ Upstream commit ee9a8f7ab2edf801b8b514c310455c94acc232f6 ] We report cached pmtu values even if they are already expired. Change this to not report these values after they are expired and fix a race in the expire time calculation, as suggested by Eric Dumazet. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2db8263a627414aa2f6a60f80ec99178f12f757b Author: Steffen Klassert Date: Sun Oct 7 22:48:18 2012 +0000 ipv4: Don't create nh exeption when the device mtu is smaller than the reported pmtu [ Upstream commit 7f92d334ba19a0d8e96f8f8f092219553367d921 ] When a local tool like tracepath tries to send packets bigger than the device mtu, we create a nh exeption and set the pmtu to device mtu. The device mtu does not expire, so check if the device mtu is smaller than the reported pmtu and don't crerate a nh exeption in that case. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b434571cec084eb0798fd160073d4b66937892ab Author: Steffen Klassert Date: Sun Oct 7 22:47:25 2012 +0000 ipv4: Always invalidate or update the route on pmtu events [ Upstream commit d851c12b60471188e15e5c8405b289073e8dd025 ] Some protocols, like IPsec still cache routes. So we need to invalidate the old route on pmtu events to avoid the reuse of stale routes. We also need to update the mtu and expire time of the route if we already use a nh exception route, otherwise we ignore newly learned pmtu values after the first expiration. With this patch we always invalidate or update the route on pmtu events. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b50a0bdfd24cf4e3b0551fa6ae2791692231776a Author: Eric Dumazet Date: Fri Oct 5 20:43:30 2012 +0000 ipv6: GRO should be ECN friendly [ Upstream commit 51ec04038c113a811b177baa85d293feff9ce995 ] IPv4 side of the problem was addressed in commit a9e050f4e7f9d (net: tcp: GRO should be ECN friendly) This patch does the same, but for IPv6 : A Traffic Class mismatch doesnt mean flows are different, but instead should force a flush of previous packets. This patch removes artificial packet reordering problem. Signed-off-by: Eric Dumazet Cc: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea89601ac85f4d90f1aab99801647423bd3ca069 Author: ramesh.nagappa@gmail.com Date: Fri Oct 5 19:10:15 2012 +0000 net: Fix skb_under_panic oops in neigh_resolve_output [ Upstream commit e1f165032c8bade3a6bdf546f8faf61fda4dd01c ] The retry loop in neigh_resolve_output() and neigh_connected_output() call dev_hard_header() with out reseting the skb to network_header. This causes the retry to fail with skb_under_panic. The fix is to reset the network_header within the retry loop. Signed-off-by: Ramesh Nagappa Reviewed-by: Shawn Lu Reviewed-by: Robert Coulson Reviewed-by: Billie Alsup Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 541321132ac28c92394b1d57361448d2c6dd5faf Author: Eric Dumazet Date: Fri Oct 5 06:23:55 2012 +0000 net: remove skb recycling [ Upstream commits acb600def2110b1310466c0e485c0d26299898ae and 66eef59f22275002f621ff9d951886b513d011b3. ] Over time, skb recycling infrastructure got litle interest and many bugs. Generic rx path skb allocation is now using page fragments for efficient GRO / TCP coalescing, and recyling a tx skb for rx path is not worth the pain. Last identified bug is that fat skbs can be recycled and it can endup using high order pages after few iterations. With help from Maxime Bizon, who pointed out that commit 87151b8689d (net: allow pskb_expand_head() to get maximum tailroom) introduced this regression for recycled skbs. Instead of fixing this bug, lets remove skb recycling. Drivers wanting really hot skbs should use build_skb() anyway, to allocate/populate sk_buff right before netif_receive_skb() Signed-off-by: Eric Dumazet Cc: Maxime Bizon Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e9ad2fc50a33c322bf343661851b1f179598b072 Author: Gao feng Date: Thu Oct 4 20:15:49 2012 +0000 infiniband: pass rdma_cm module to netlink_dump_start [ Upstream commit 809d5fc9bf6589276a12bd4fd611e4c7ff9940c3 ] set netlink_dump_control.module to avoid panic. Signed-off-by: Gao feng Cc: Roland Dreier Cc: Sean Hefty Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 51f2e2ce2b04971dc852643bc5cc4b3657af4bc5 Author: Gao feng Date: Thu Oct 4 20:15:48 2012 +0000 netlink: add reference of module in netlink_dump_start [ Upstream commit 6dc878a8ca39e93f70c42f3dd7260bde10c1e0f1 ] I get a panic when I use ss -a and rmmod inet_diag at the same time. It's because netlink_dump uses inet_diag_dump which belongs to module inet_diag. I search the codes and find many modules have the same problem. We need to add a reference to the module which the cb->dump belongs to. Thanks for all help from Stephen,Jan,Eric,Steffen and Pablo. Change From v3: change netlink_dump_start to inline,suggestion from Pablo and Eric. Change From v2: delete netlink_dump_done,and call module_put in netlink_dump and netlink_sock_destruct. Signed-off-by: Gao feng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2c609a2f31e7961301c3b7ecbc8b47b29c1ea790 Author: Chris Wilson Date: Thu Aug 23 13:12:52 2012 +0100 drm/i915: Use cpu relocations if the object is in the GTT but not mappable commit 504c7267a1e84b157cbd7e9c1b805e1bc0c2c846 upstream. This prevents the case of unbinding the object in order to process the relocations through the GTT and then rebinding it only to then proceed to use cpu relocations as the object is now in the CPU write domain. By choosing to use cpu relocations up front, we can therefore avoid the rebind penalty. Signed-off-by: Chris Wilson Signed-off-by: Daniel Vetter Cc: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 1161c54f6c3d4681a1a366232b76d6a5b21b2dfa Author: Devin Heitmueller Date: Mon Aug 6 22:47:03 2012 -0300 media: au0828: fix case where STREAMOFF being called on stopped stream causes BUG() commit a595c1ce4c9d572cf53513570b9f1a263d7867f2 upstream. We weren't checking whether the resource was in use before calling res_free(), so applications which called STREAMOFF on a v4l2 device that wasn't already streaming would cause a BUG() to be hit (MythTV). Reported-by: Larry Finger Reported-by: Jay Harbeston Signed-off-by: Devin Heitmueller Signed-off-by: Mauro Carvalho Chehab commit 7551ed08b73e53a240c2f1281815bf693b12bd68 Author: Chris Zankel Date: Fri Oct 19 10:46:44 2012 -0700 xtensa: add missing system calls to the syscall table commit 7216cabfff5149670445cd65d415ed5db21314b4 upstream. Add the following system calls to the syscall table: fallocate sendmmsg umount2 syncfs epoll_create1 inotify_init1 signalfd4 dup3 pipe2 timerfd_create timerfd_settime timerfd_gettime eventfd2 preadv pwritev fanotify_init fanotify_mark process_vm_readv process_vm_writev name_to_handle_at open_by_handle_at sync_file_range perf_event_open rt_tgsigqueueinfo clock_adjtime prlimit64 kcmp Note that we have to use the 'sys_sync_file_range2' version, so that the 64-bit arguments are aligned correctly to the argument registers. Signed-off-by: Chris Zankel Signed-off-by: Greg Kroah-Hartman commit 5c61f172ad55e0d7073747f0a126d267faeb4512 Author: Andrew Morton Date: Tue Oct 23 14:09:39 2012 -0700 amd64_edac:__amd64_set_scrub_rate(): avoid overindexing scrubrates[] commit 168bfeef7bba3f9784f7540b053e4ac72b769ce9 upstream. If none of the elements in scrubrates[] matches, this loop will cause __amd64_set_scrub_rate() to incorrectly use the n+1th element. As the function is designed to use the final scrubrates[] element in the case of no match, we can fix this bug by simply terminating the array search at the n-1th element. Boris: this code is fragile anyway, see here why: http://marc.info/?l=linux-kernel&m=135102834131236&w=2 It will be rewritten more robustly soonish. Reported-by: Denis Kirjanov Cc: Doug Thompson Signed-off-by: Andrew Morton Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 351e8508d85ce80a75af36336b2d633715c1f9e3 Author: Hiro Sugawara Date: Thu Oct 18 08:35:10 2012 +0300 iommu/tegra: smmu: Fix deadly typo commit d0078e72314df2e5ede03f2102cddde06767c374 upstream. Fix a deadly typo in macro definition. Signed-off-by: Hiro Sugawara Signed-off-by: Hiroshi Doyu Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 651d36d9fc0dc6aef0889bdf8321bb8870782141 Author: Wei Yongjun Date: Mon Oct 22 12:58:09 2012 +0800 pinctrl: fix missing unlock on error in pinctrl_groups_show() commit b4dd784ba8af03bf1f9ee5118c792d7abd4919bd upstream. Add the missing unlock on the error handle path in function pinctrl_groups_show(). Signed-off-by: Wei Yongjun Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 49d14e6bc5f7a8ff3f581f9399f0992622c35556 Author: Haojian Zhuang Date: Thu Oct 18 17:07:01 2012 +0800 pinctrl: remove mutex lock in groups show commit 7ae9d71e8df27a3ab60a05ae3add08728debc09c upstream. Mutex is locked duplicatly by pinconf_groups_show() and pin_config_group_get(). It results dead lock. So avoid to lock mutex in pinconf_groups_show(). Signed-off-by: Haojian Zhuang Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 11a1f627e40ad19f09d3e1f5690967f6123d24ca Author: Pritesh Raithatha Date: Wed Oct 17 17:09:36 2012 +0530 pinctrl: tegra: set low power mode bank width to 2 commit 154f3ebf53edcfbe28728452b4ab37a118581125 upstream. Signed-off-by: Pritesh Raithatha Acked-by: Stephen Warren Tested-by: Stephen Warren Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 501bb61ad86a43f64686230f203f21c31224d071 Author: Pritesh Raithatha Date: Wed Oct 17 17:07:00 2012 +0530 dt: Document: correct tegra20/30 pinctrl slew-rate name commit d6ec6b60a56a1e7d99da1fc69c031fa5ab54ba94 upstream. change nvidia,slew_rate* to nvidia,slew-rate* Signed-off-by: Pritesh Raithatha Acked-by: Stephen Warren Tested-by: Stephen Warren Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit f29ff626db3d3cbfdbff20b5c41eb32e1e92d1fa Author: Pritesh Raithatha Date: Wed Oct 17 11:51:37 2012 +0530 pinctrl: tegra: correct bank for pingroup and drv pingroup commit a03690e44468dcd3088f6600ab036d17bd2130ff upstream. Signed-off-by: Pritesh Raithatha Acked-by: Stephen Warren Tested-by: Stephen Warren Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 04900efcfcd89fd11302748bbe88659d12fd7fb5 Author: Tejun Heo Date: Thu Oct 18 17:52:07 2012 -0700 Revert "cgroup: Drop task_lock(parent) on cgroup_fork()" commit 9bb71308b8133d643648776243e4d5599b1c193d upstream. This reverts commit 7e381b0eb1e1a9805c37335562e8dc02e7d7848c. The commit incorrectly assumed that fork path always performed threadgroup_change_begin/end() and depended on that for synchronization against task exit and cgroup migration paths instead of explicitly grabbing task_lock(). threadgroup_change is not locked when forking a new process (as opposed to a new thread in the same process) and even if it were it wouldn't be effective as different processes use different threadgroup locks. Revert the incorrect optimization. Signed-off-by: Tejun Heo LKML-Reference: <20121008020000.GB2575@localhost> Acked-by: Li Zefan Bitterly-Acked-by: Frederic Weisbecker Signed-off-by: Greg Kroah-Hartman commit b4cd7aa6602e17f7c128ddf0c9b0dc7b4e2b897c Author: Tejun Heo Date: Thu Oct 18 17:40:30 2012 -0700 Revert "cgroup: Remove task_lock() from cgroup_post_fork()" commit d87838321124061f6c935069d97f37010fa417e6 upstream. This reverts commit 7e3aa30ac8c904a706518b725c451bb486daaae9. The commit incorrectly assumed that fork path always performed threadgroup_change_begin/end() and depended on that for synchronization against task exit and cgroup migration paths instead of explicitly grabbing task_lock(). threadgroup_change is not locked when forking a new process (as opposed to a new thread in the same process) and even if it were it wouldn't be effective as different processes use different threadgroup locks. Revert the incorrect optimization. Signed-off-by: Tejun Heo LKML-Reference: <20121008020000.GB2575@localhost> Acked-by: Li Zefan Cc: Frederic Weisbecker Signed-off-by: Greg Kroah-Hartman commit 52f65d5b473c7d5bc166ed7f86570be7852edb9a Author: Daisuke Nishimura Date: Thu Oct 4 16:37:16 2012 +0900 cgroup: notify_on_release may not be triggered in some cases commit 1f5320d5972aa50d3e8d2b227b636b370e608359 upstream. notify_on_release must be triggered when the last process in a cgroup is move to another. But if the first(and only) process in a cgroup is moved to another, notify_on_release is not triggered. # mkdir /cgroup/cpu/SRC # mkdir /cgroup/cpu/DST # # echo 1 >/cgroup/cpu/SRC/notify_on_release # echo 1 >/cgroup/cpu/DST/notify_on_release # # sleep 300 & [1] 8629 # # echo 8629 >/cgroup/cpu/SRC/tasks # echo 8629 >/cgroup/cpu/DST/tasks -> notify_on_release for /SRC must be triggered at this point, but it isn't. This is because put_css_set() is called before setting CGRP_RELEASABLE in cgroup_task_migrate(), and is a regression introduce by the commit:74a1166d(cgroups: make procs file writable), which was merged into v3.0. Acked-by: Li Zefan Cc: Ben Blum Signed-off-by: Daisuke Nishimura Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 1f212892776010ea4ebc9982e7a725732df3a7f0 Author: Alan Stern Date: Wed Oct 10 14:10:21 2012 -0400 USB: fix port probing and removal in garmin_gps commit db5c8b524444d4fc6b1f32d368a50a3729e50002 upstream. This patch (as1615) fixes a bug in the Garmin USB serial driver. It uses attach, disconnect, and release routines to carry out actions that should be handled by port_probe and port_remove routines, because they access port-specific data. The bug causes an oops when the device in unplugged, because the private data for each port structure now gets erased when the port is unbound from the driver, resulting in a null-pointer dereference. Signed-off-by: Alan Stern Reported--by: Markus Schauler Tested-by: Markus Schauler Signed-off-by: Greg Kroah-Hartman commit 4e0532a22664501721fdd89a00d61948c1e34a23 Author: Sarah Sharp Date: Fri Oct 5 10:32:07 2012 -0700 usb: Send Set SEL before enabling parent U1/U2 timeout. commit 65a95b75bc5afa7bbb844e222481044c1c4767eb upstream. The Set SEL control transfer tells a device the exit latencies associated with a device-initated U1 or U2 exit. Since a parent hub may initiate a transition to U1 soon after a downstream port's U1 timeout is set, we need to make sure the device receives the Set SEL transfer before the parent hub timeout is set. This patch should be backported to kernels as old as 3.5, that contain the commit 1ea7e0e8e3d0f50901d335ea4178ab2aa8c88201 "USB: Add support to enable/disable USB3 link states." Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 094c5b6410392321492c59603879f8ec7d87358a Author: Sarah Sharp Date: Thu Oct 4 09:53:43 2012 -0700 USB: Enable LPM after a failed probe. commit d01f87c0ffa96cb44faa78710711eb6e974b891c upstream. Before a driver is probed, we want to disable USB 3.0 Link Power Management (LPM), in case the driver needs hub-initiated LPM disabled. After the probe finishes, we want to attempt to re-enable LPM, order to balance the LPM ref count. When a probe fails (such as when libusual doesn't want to bind to a USB 3.0 mass storage device), make sure to balance the LPM ref counts by re-enabling LPM. This patch should be backported to kernels as old as 3.5, that contain the commit 8306095fd2c1100e8244c09bf560f97aca5a311d "USB: Disable USB 3.0 LPM in critical sections." Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 6a154bb60bfcbc91b515a94ee68e35c3b4b01b7c Author: Sarah Sharp Date: Wed Oct 3 11:18:05 2012 -0700 usb: Don't enable LPM if the exit latency is zero. commit ae8963adb4ad8c5f2a89ca1d99fb7bb721e7599f upstream. Some USB 3.0 devices signal that they don't implement Link PM by having all zeroes in the U1/U2 exit latencies in their SuperSpeed BOS descriptor. Don found that a Western Digital device he has experiences transfer errors when LPM is enabled. The lsusb shows the U1/U2 exit latencies are set to zero: Binary Object Store Descriptor: bLength 5 bDescriptorType 15 wTotalLength 22 bNumDeviceCaps 2 SuperSpeed USB Device Capability: bLength 10 bDescriptorType 16 bDevCapabilityType 3 bmAttributes 0x00 Latency Tolerance Messages (LTM) Supported wSpeedsSupported 0x000e Device can operate at Full Speed (12Mbps) Device can operate at High Speed (480Mbps) Device can operate at SuperSpeed (5Gbps) bFunctionalitySupport 1 Lowest fully-functional device speed is Full Speed (12Mbps) bU1DevExitLat 0 micro seconds bU2DevExitLat 0 micro seconds The fix is to not enable LPM for a particular link state if we find its corresponding exit latency is zero. This patch should be backported to kernels as old as 3.5, that contain the commit 1ea7e0e8e3d0f50901d335ea4178ab2aa8c88201 "USB: Add support to enable/disable USB3 link states." Signed-off-by: Sarah Sharp Reported-by: Don Zickus Tested-by: Don Zickus Signed-off-by: Greg Kroah-Hartman commit 740b0a623f05bbb796a441e2c51ebfe37eef1c21 Author: Felipe Balbi Date: Thu Oct 4 11:58:00 2012 +0300 usb: dwc3: gadget: fix 'endpoint always busy' bug commit 041d81f493d90c940ec41f0ec98bc7c4f2fba431 upstream. If a USB transfer has already been started, meaning we have already issued StartTransfer command to that particular endpoint, DWC3_EP_BUSY flag has also already been set. When we try to cancel this transfer which is already in controller's cache, we will not receive XferComplete event and we must clear DWC3_EP_BUSY in order to allow subsequent requests to be properly started. The best place to clear that flag is right after issuing DWC3_DEPCMD_ENDTRANSFER. Reported-by: Moiz Sonasath Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 11c7a299c9846320859916e81f0f5d38fc596a4d Author: Bjørn Mork Date: Thu Oct 18 17:14:17 2012 +0200 USB: option: add more ZTE devices commit 4b35f1c52943851b310afb09047bfe991ac8f5ae upstream. Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 769492bc4ff326a6eb9773bf89c26d5ea26f6533 Author: Bjørn Mork Date: Thu Oct 18 17:19:53 2012 +0200 USB: option: blacklist net interface on ZTE devices commit 1452df6f1b7e396d89c2a1fdbdc0e0e839f97671 upstream. Based on information from the ZTE Windows drivers. Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit d50da5d33094e51c22433e0d14acd369657aedfa Author: Johan Hovold Date: Wed Oct 17 13:35:00 2012 +0200 USB: keyspan_pda: fix port-data memory leak commit 94ab71ce288921490ca857e25ad174e1921b1e29 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Note that the write waitqueue was initialised but never used. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 12ddc74e8e25107eda81aceb74e3311c1480b381 Author: Johan Hovold Date: Wed Oct 17 13:34:57 2012 +0200 USB: io_edgeport: fix port-data memory leak commit c27f3efc56080a246f6ab7f57f0a6f56d256d769 upstream. Fix port-data memory leak by moving port data allocation and deallocation to port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 982d0e9cbef68c69fb85e64d897e8cf77c4877e9 Author: Johan Hovold Date: Wed Oct 17 13:35:01 2012 +0200 USB: kl5kusb105: fix port-data memory leak commit 99a6f73c495c420df826e5b267fb073fd6766fc3 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Note that the write waitqueue was initialised but never used. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ef7c9b6a9cc09853a449a43050153cc785788d16 Author: Johan Hovold Date: Wed Oct 17 16:31:35 2012 +0200 USB: ti_usb_3410_5052: fix port-data memory leak commit 51ef847df74632e7cfdf952afc3887de105b8b35 upstream. Fix port-data memory leak by moving port data allocation and deallocation to port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 5592d451ce00a108312bf2152bde273e8532cf8c Author: Johan Hovold Date: Wed Oct 17 16:31:33 2012 +0200 USB: spcp8x5: fix port-data memory leak commit bf90ff5f3b8f67e5b42df4ea4fd543f8010a2676 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit fa21e53e263194b744e0a5b3d5676aa31a6ef0ef Author: Johan Hovold Date: Mon Oct 15 15:47:20 2012 +0200 USB: cp210x: fix port-data memory leak commit 4295fe7791a1b20c90cbaaa6f23f2fb94218b8a7 upstream. Fix port data memory leak by replacing port private data with serial private data. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release. The private data is used to store the control interface number, but as this is the same for all ports on an interface it should be stored as usb-serial data anyway. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 117d01aa6303b6b7d3383077ed2551283d1ca8a3 Author: Johan Hovold Date: Wed Oct 17 13:34:55 2012 +0200 USB: cypress_m8: fix port-data memory leak commit 5c1a0f418d8d985f3a62849bcac43fc5404cc592 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit af4af5941e5be633846df08359820d4c1e886fbb Author: Johan Hovold Date: Wed Oct 17 13:35:02 2012 +0200 USB: kobil_sct: fix port-data memory leak commit 95940a04bfe8a4d246f4ca17c6a3b00148bdead0 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit d3189b39faeead89a892e8c2b1afdad0f22b6303 Author: Johan Hovold Date: Wed Oct 17 16:31:34 2012 +0200 USB: ssu100: fix port-data memory leak commit 638b9e15233c9570bce65301aa9877235316b9f0 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4147db8f196114198142b181f90d062602528e82 Author: Johan Hovold Date: Mon Oct 15 15:47:21 2012 +0200 USB: pl2303: fix port-data memory leak commit 8bf769eb5f6efc33f95088850f33fcc05d28b508 upstream. Fix port-data memory leak by allocating and freeing port data in port_probe/remove rather than in attach/release, and by introducing serial private data to store the device type which is interface rather than port specific. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 18bdc54d39fdbd37c5ca89cc1f48adde43eb33b1 Author: Johan Hovold Date: Mon Oct 15 18:20:53 2012 +0200 USB: belkin_sa: fix port-data memory leak commit fa919751a2d26a88140fc5810124dd81644efe51 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Note that the write waitqueue was initialised but never used. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 5b7cefbdd532b41aa75d25b7f0cdeca581e11e09 Author: Johan Hovold Date: Wed Oct 17 16:31:32 2012 +0200 USB: oti6858: fix port-data memory leak commit 289b076f89c2c3260e914dad18ae12f193ea86d5 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 98ba808a0d98b7abe03543c2ddda6396d76e33ed Author: Johan Hovold Date: Wed Oct 17 13:34:56 2012 +0200 USB: f81232: fix port-data memory leak commit 3124d1d71d3df59d40b913b5481df58099e811d1 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit bb5c0c637f4f2dc8ed38f580881c40977980f031 Author: Johan Hovold Date: Mon Oct 15 18:20:52 2012 +0200 USB: ark3116: fix NULL-pointer dereference commit 7bdce71822f471433dd3014692e9096996c7b5f0 upstream. Fix NULL-pointer dereference at release by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is NULL when release is called. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e1d21d7119c98059424137340f8c3a405ee5ef3d Author: Johan Hovold Date: Thu Oct 18 10:52:17 2012 +0200 USB: iuu_phoenix: fix sysfs-attribute creation commit 0978c9499944d0670338fd048a3bdb1624dc66dc upstream. Make sure sysfs attributes are created at port probe. A recent patch ("USB: iuu_phoenix: fix port-data memory leak") removed the sysfs-attribute creation by mistake. Reported-by: Yuanhan Liu Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 8b399c3d6ae4591e28cc1bdab911ce7ccc7c2d5d Author: Johan Hovold Date: Wed Oct 17 13:34:59 2012 +0200 USB: iuu_phoenix: fix port-data memory leak commit 53636555b9190f88320d9d46cf142f8797895456 upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e8449931df18b2078327a7286c237d1d95db7715 Author: Alexis R. Cortes Date: Wed Oct 17 14:09:12 2012 -0500 usb: host: xhci: New system added for Compliance Mode Patch on SN65LVPE502CP commit 470809741a28c3092279f4e1f3f432e534d46068 upstream. This minor change adds a new system to which the "Fix Compliance Mode on SN65LVPE502CP Hardware" patch has to be applied also. System added: Vendor: Hewlett-Packard. System Model: Z1 Signed-off-by: Alexis R. Cortes Acked-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit da2f7d4a8ec01898617e0d1a1808c60b607e32fa Author: Stefano Babic Date: Mon Oct 15 11:20:22 2012 +0200 usb: musb: am35xx: drop spurious unplugging a device commit 6ff1f3d3bd7c69c62ca5773b1b684bce42eff06a upstream. On AM3517, tx and rx interrupt are detected together with the disconnect event. This generates a kernel panic in musb_interrupt, because rx / tx are handled after disconnect. This issue was seen on a Technexion's TAM3517 SOM. Unplugging a device, tx / rx interrupts together with disconnect are detected. This brings to kernel panic like this: [ 68.526153] Unable to handle kernel NULL pointer dereference at virtual address 00000011 [ 68.534698] pgd = c0004000 [ 68.537536] [00000011] *pgd=00000000 [ 68.541351] Internal error: Oops: 17 [#1] ARM [ 68.545928] Modules linked in: [ 68.549163] CPU: 0 Not tainted (3.6.0-rc5-00020-g9e05905 #178) [ 68.555694] PC is at rxstate+0x8/0xdc [ 68.559539] LR is at musb_interrupt+0x98/0x858 [ 68.564239] pc : [] lr : [] psr: 40000193 [ 68.564239] sp : ce83fb40 ip : d0906410 fp : 00000000 [ 68.576293] r10: 00000000 r9 : cf3b0e40 r8 : 00000002 [ 68.581817] r7 : 00000019 r6 : 00000001 r5 : 00000001 r4 : 000000d4 [ 68.588684] r3 : 00000000 r2 : 00000000 r1 : ffffffcc r0 : cf23c108 [ 68.595550] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment ke Note: this behavior is not seen with a USB hub, while it is easy to reproduce connecting a USB-pen directly to the USB-A of the board. Drop tx / rx interrupts if disconnect is detected. Signed-off-by: Stefano Babic CC: Felipe Balbi Tested-by: Dmitry Lifshitz Tested-by: Igor Grinberg Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 9e9e9cf3d8712b1af470dbc3c2c7e4c6bb4b0531 Author: Johan Hovold Date: Mon Oct 15 18:20:54 2012 +0200 USB: cyberjack: fix port-data memory leak commit a9556040119a63d06fd5238d47f5b683fba4178b upstream. Fix port-data memory leak by replacing attach and release with port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Note that the write waitqueue was initialised but never used. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2a73dc8b5746d4caf3d8624d5f6e20ce54351a9c Author: Johan Hovold Date: Thu Oct 18 11:43:28 2012 +0200 USB: io_ti: fix sysfs-attribute creation commit 5d8c61bc283826827e1f06816c146bfc507d3834 upstream. Make sure port data is initialised before creating sysfs attributes to avoid a race. A recent patch ("USB: io_ti: fix port-data memory leak") got the sysfs-attribute creation and port-data initialisation ordering wrong. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6547e27d6b60717040b105bafb5a4f4d5d5c0f79 Author: Johan Hovold Date: Wed Oct 17 13:34:58 2012 +0200 USB: io_ti: fix port-data memory leak commit 003615302a16579531932576bcd9582ddeba9018 upstream. Fix port-data memory leak by moving port data allocation and deallocation to port_probe and port_remove. Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no driver is bound) the port private data is no longer freed at release as it is no longer accessible. Compile-only tested. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2a0a93395560888f997be62581eca0d87c4bebb9 Author: Nicolas Boullis Date: Tue Oct 16 00:06:23 2012 +0200 usb: acm: fix the computation of the number of data bits commit 301a29da6e891e7eb95c843af0ecdbe86d01f723 upstream. The current code assumes that CSIZE is 0000060, which appears to be wrong on some arches (such as powerpc). Signed-off-by: Nicolas Boullis Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 081232d71a9618f2d1e87a23f8600675323d6103 Author: Ming Lei Date: Tue Oct 16 21:21:21 2012 +0800 USB: cdc-acm: fix pipe type of write endpoint commit c5211187f7ff8e8dbff4ebf7c011ac4c0ffe319c upstream. If the write endpoint is interrupt type, usb_sndintpipe() should be passed to usb_fill_int_urb() instead of usb_sndbulkpipe(). Signed-off-by: Ming Lei Cc: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 43a9e5c3f04f3ee1c5b0bf2c81d8e2fdf9a83668 Author: David Vrabel Date: Fri Oct 19 17:29:07 2012 +0100 xen/x86: don't corrupt %eip when returning from a signal handler commit a349e23d1cf746f8bdc603dcc61fae9ee4a695f6 upstream. In 32 bit guests, if a userspace process has %eax == -ERESTARTSYS (-512) or -ERESTARTNOINTR (-513) when it is interrupted by an event /and/ the process has a pending signal then %eip (and %eax) are corrupted when returning to the main process after handling the signal. The application may then crash with SIGSEGV or a SIGILL or it may have subtly incorrect behaviour (depending on what instruction it returned to). The occurs because handle_signal() is incorrectly thinking that there is a system call that needs to restarted so it adjusts %eip and %eax to re-execute the system call instruction (even though user space had not done a system call). If %eax == -514 (-ERESTARTNOHAND (-514) or -ERESTART_RESTARTBLOCK (-516) then handle_signal() only corrupted %eax (by setting it to -EINTR). This may cause the application to crash or have incorrect behaviour. handle_signal() assumes that regs->orig_ax >= 0 means a system call so any kernel entry point that is not for a system call must push a negative value for orig_ax. For example, for physical interrupts on bare metal the inverse of the vector is pushed and page_fault() sets regs->orig_ax to -1, overwriting the hardware provided error code. xen_hypervisor_callback() was incorrectly pushing 0 for orig_ax instead of -1. Classic Xen kernels pushed %eax which works as %eax cannot be both non-negative and -RESTARTSYS (etc.), but using -1 is consistent with other non-system call entry points and avoids some of the tests in handle_signal(). There were similar bugs in xen_failsafe_callback() of both 32 and 64-bit guests. If the fault was corrected and the normal return path was used then 0 was incorrectly pushed as the value for orig_ax. Signed-off-by: David Vrabel Acked-by: Jan Beulich Acked-by: Ian Campbell Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 54ce8ce298f382a06186cb4672ad6aa090b050b6 Author: Jacob Shin Date: Thu Oct 20 16:15:26 2011 -0500 x86: Exclude E820_RESERVED regions and memory holes above 4 GB from direct mapping. commit 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a upstream. On systems with very large memory (1 TB in our case), BIOS may report a reserved region or a hole in the E820 map, even above the 4 GB range. Exclude these from the direct mapping. [ hpa: this should be done not just for > 4 GB but for everything above the legacy region (1 MB), at the very least. That, however, turns out to require significant restructuring. That work is well underway, but is not suitable for rc/stable. ] Signed-off-by: Jacob Shin Link: http://lkml.kernel.org/r/1319145326-13902-1-git-send-email-jacob.shin@amd.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 660dc78ced9178efb5425ab313e6f040c0e5c828 Author: Daniel J Blueman Date: Mon Oct 1 14:42:05 2012 +0800 x86, amd, mce: Avoid NULL pointer reference on CPU northbridge lookup commit 21c5e50e15b1abd797e62f18fd7f90b9cc004cbd upstream. When booting on a federated multi-server system (NumaScale), the processor Northbridge lookup returns NULL; add guards to prevent this causing an oops. On those systems, the northbridge is accessed through MMIO and the "normal" northbridge enumeration in amd_nb.c doesn't work since we're generating the northbridge ID from the initial APIC ID and the last is not unique on those systems. Long story short, we end up without northbridge descriptors. Signed-off-by: Daniel J Blueman Link: http://lkml.kernel.org/r/1349073725-14093-1-git-send-email-daniel@numascale-asia.com [ Boris: beef up commit message ] Signed-off-by: Borislav Petkov Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit fe6e782af66c8efaa297229fd92fa209440b4eae Author: Kees Cook Date: Fri Oct 19 18:45:53 2012 -0700 use clamp_t in UNAME26 fix commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream. The min/max call needed to have explicit types on some architectures (e.g. mn10300). Use clamp_t instead to avoid the warning: kernel/sys.c: In function 'override_release': kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default] Reported-by: Fengguang Wu Signed-off-by: Kees Cook Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 53a976ad28154268b3474d9fa45283cc48ff97d4 Author: Kees Cook Date: Fri Oct 19 13:56:51 2012 -0700 kernel/sys.c: fix stack memory content leak via UNAME26 commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream. Calling uname() with the UNAME26 personality set allows a leak of kernel stack contents. This fixes it by defensively calculating the length of copy_to_user() call, making the len argument unsigned, and initializing the stack buffer to zero (now technically unneeded, but hey, overkill). CVE-2012-0957 Reported-by: PaX Team Signed-off-by: Kees Cook Cc: Andi Kleen Cc: PaX Team Cc: Brad Spengler Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c5d5a7c5acb92d444faad8a378a2c94a7afd7f6f Author: Arnd Bergmann Date: Mon Apr 30 13:50:56 2012 +0000 pcmcia: sharpsl: don't discard sharpsl_pcmcia_ops commit fdc858a466b738d35d3492bc7cf77b1dac98bf7c upstream. The sharpsl_pcmcia_ops structure gets passed into sa11xx_drv_pcmcia_probe, where it gets accessed at run-time, unlike all other pcmcia drivers that pass their structures into platform_device_add_data, which makes a copy. This means the gcc warning is valid and the structure must not be marked as __initdata. Without this patch, building collie_defconfig results in: drivers/pcmcia/pxa2xx_sharpsl.c:22:31: fatal error: mach-pxa/hardware.h: No such file or directory compilation terminated. make[3]: *** [drivers/pcmcia/pxa2xx_sharpsl.o] Error 1 make[2]: *** [drivers/pcmcia] Error 2 make[1]: *** [drivers] Error 2 make: *** [sub-make] Error 2 Signed-off-by: Arnd Bergmann Cc: Dominik Brodowski Cc: Russell King Cc: Pavel Machek Cc: linux-pcmcia@lists.infradead.org Cc: Jochen Friedrich Signed-off-by: Greg Kroah-Hartman commit c46d0da8fad7ef10a6f86ebd698fba26e7cadcf5 Author: Vaibhav Nagarnaik Date: Wed Oct 10 16:40:27 2012 -0700 ring-buffer: Check for uninitialized cpu buffer before resizing commit 8e49f418c9632790bf456634742d34d97120a784 upstream. With a system where, num_present_cpus < num_possible_cpus, even if all CPUs are online, non-present CPUs don't have per_cpu buffers allocated. If per_cpu//buffer_size_kb is modified for such a CPU, it can cause a panic due to NULL dereference in ring_buffer_resize(). To fix this, resize operation is allowed only if the per-cpu buffer has been initialized. Link: http://lkml.kernel.org/r/1349912427-6486-1-git-send-email-vnagarnaik@google.com Signed-off-by: Vaibhav Nagarnaik Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 3e75581ec02473059597582fa24cf077f0e20b1b Author: Bryan Schumaker Date: Mon Oct 22 12:35:40 2012 -0400 SUNRPC: Set alloc_slot for backchannel tcp ops commit 84e28a307e376f271505af65a7b7e212dd6f61f4 upstream. f39c1bfb5a03e2d255451bff05be0d7255298fa4 (SUNRPC: Fix a UDP transport regression) introduced the "alloc_slot" function for xprt operations, but never created one for the backchannel operations. This patch fixes a null pointer dereference when mounting NFS over v4.1. Call Trace: [] ? xprt_reserve+0x47/0x50 [sunrpc] [] call_reserve+0x34/0x60 [sunrpc] [] __rpc_execute+0x90/0x400 [sunrpc] [] rpc_async_schedule+0x2a/0x40 [sunrpc] [] process_one_work+0x139/0x500 [] ? alloc_worker+0x70/0x70 [] ? __rpc_execute+0x400/0x400 [sunrpc] [] worker_thread+0x15e/0x460 [] ? preempt_schedule+0x49/0x70 [] ? rescuer_thread+0x230/0x230 [] kthread+0x93/0xa0 [] kernel_thread_helper+0x4/0x10 [] ? kthread_freezable_should_stop+0x70/0x70 [] ? gs_change+0x13/0x13 Signed-off-by: Bryan Schumaker Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit d702bf50186d554cff95c94f8d07ab5cc4e67aea Author: Sasha Levin Date: Tue Jul 17 00:01:26 2012 +0200 SUNRPC: Prevent kernel stack corruption on long values of flush commit 212ba90696ab4884e2025b0b13726d67aadc2cd4 upstream. The buffer size in read_flush() is too small for the longest possible values for it. This can lead to a kernel stack corruption: [ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4 [ 43.047329] [ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221 [ 43.050038] Call Trace: [ 43.050435] [] panic+0xcd/0x1f4 [ 43.050931] [] ? read_flush.isra.7+0xe4/0x100 [ 43.051602] [] __stack_chk_fail+0x16/0x20 [ 43.052206] [] read_flush.isra.7+0xe4/0x100 [ 43.052951] [] ? read_flush_pipefs+0x30/0x30 [ 43.053594] [] read_flush_procfs+0x2c/0x30 [ 43.053596] [] proc_reg_read+0x9c/0xd0 [ 43.053596] [] ? proc_reg_write+0xd0/0xd0 [ 43.053596] [] do_loop_readv_writev+0x4b/0x90 [ 43.053596] [] do_readv_writev+0xf6/0x1d0 [ 43.053596] [] vfs_readv+0x3e/0x60 [ 43.053596] [] sys_readv+0x48/0xb0 [ 43.053596] [] system_call_fastpath+0x1a/0x1f Signed-off-by: Sasha Levin Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 92b9b80b2bd99a192d0444414965b73be3349274 Author: Heiko Carstens Date: Thu Oct 18 11:11:01 2012 +0200 s390: fix linker script for 31 bit builds commit c985cb37f1b39c2c8035af741a2a0b79f1fbaca7 upstream. Because of a change in the s390 arch backend of binutils (commit 23ecd77 "Pick the default arch depending on the target size" in binutils repo) 31 bit builds will fail since the linker would now try to create 64 bit binary output. Fix this by setting OUTPUT_ARCH to s390:31-bit instead of s390. Thanks to Andreas Krebbel for figuring out the issue. Fixes this build error: LD init/built-in.o s390x-4.7.2-ld: s390:31-bit architecture of input file `arch/s390/kernel/head.o' is incompatible with s390:64-bit output Cc: Andreas Krebbel Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 73f989c0045ae68f82038cddbda1c702fac63cf6 Author: Dan Carpenter Date: Wed Oct 10 10:18:35 2012 +0300 oprofile, x86: Fix wrapping bug in op_x86_get_ctrl() commit 44009105081b51417f311f4c3be0061870b6b8ed upstream. The "event" variable is a u16 so the shift will always wrap to zero making the line a no-op. Signed-off-by: Dan Carpenter Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 4e4ca99992f539bdcd1613efc0a45e4ce15f4a8d Author: Trond Myklebust Date: Sat Oct 13 00:30:28 2012 -0400 NLM: nlm_lookup_file() may return NLMv4-specific error codes commit cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 upstream. If the filehandle is stale, or open access is denied for some reason, nlm_fopen() may return one of the NLMv4-specific error codes nlm4_stale_fh or nlm4_failed. These get passed right through nlm_lookup_file(), and so when nlmsvc_retrieve_args() calls the latter, it needs to filter the result through the cast_status() machinery. Failure to do so, will trigger the BUG_ON() in encode_nlm_stat... Signed-off-by: Trond Myklebust Reported-by: Larry McVoy Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 1e9b1525c67f953107066d7a062a256311199394 Author: Chris Metcalf Date: Fri Oct 19 11:43:11 2012 -0400 arch/tile: avoid generating .eh_frame information in modules commit 627072b06c362bbe7dc256f618aaa63351f0cfe6 upstream. The tile tool chain uses the .eh_frame information for backtracing. The vmlinux build drops any .eh_frame sections at link time, but when present in kernel modules, it causes a module load failure due to the presence of unsupported pc-relative relocations. When compiling to use compiler feedback support, the compiler by default omits .eh_frame information, so we don't see this problem. But when not using feedback, we need to explicitly suppress the .eh_frame. Signed-off-by: Chris Metcalf Signed-off-by: Greg Kroah-Hartman commit a6828f217248d46865ac1f8043bff2a5ae20d7b2 Author: Michal Hocko Date: Wed Oct 10 11:51:09 2012 +0530 nohz: Fix idle ticks in cpu summary line of /proc/stat commit 7386cdbf2f57ea8cff3c9fde93f206e58b9fe13f upstream. Git commit 09a1d34f8535ecf9 "nohz: Make idle/iowait counter update conditional" introduced a bug in regard to cpu hotplug. The effect is that the number of idle ticks in the cpu summary line in /proc/stat is still counting ticks for offline cpus. Reproduction is easy, just start a workload that keeps all cpus busy, switch off one or more cpus and then watch the idle field in top. On a dual-core with one cpu 100% busy and one offline cpu you will get something like this: %Cpu(s): 48.7 us, 1.3 sy, 0.0 ni, 50.0 id, 0.0 wa, 0.0 hi, 0.0 si, %0.0 st The problem is that an offline cpu still has ts->idle_active == 1. To fix this we should make sure that the cpu is online when calling get_cpu_idle_time_us and get_cpu_iowait_time_us. [Srivatsa: Rebased to current mainline] Reported-by: Martin Schwidefsky Signed-off-by: Michal Hocko Reviewed-by: Srivatsa S. Bhat Signed-off-by: Srivatsa S. Bhat Link: http://lkml.kernel.org/r/20121010061820.8999.57245.stgit@srivatsabhat.in.ibm.com Cc: deepthi@linux.vnet.ibm.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit e0afa17f5335bad3b257a7d1048b2b70c649b681 Author: Guenter Roeck Date: Tue Oct 9 13:23:57 2012 -0700 hwmon: (coretemp) Add support for Atom CE4110/4150/4170 commit 1102dcab849313bd5a340b299b5cf61b518fbc0f upstream. TjMax for the CE4100 series of Atom CPUs was previously reported to be 110 degrees C. cpuinfo logs on the web show existing CPU types CE4110, CE4150, and CE4170, reported as "model name : Intel(R) Atom(TM) CPU CE41{1|5|7}0 @ 1.{2|6}0GHz" with model 28 (0x1c) and stepping 10 (0x0a). Add the three known variants to the tjmax table. Signed-off-by: Guenter Roeck Acked-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit e4e29779ec498f4905461a13b6ba58ba4f60152b Author: Henrik Rydberg Date: Sat Oct 13 12:20:36 2012 +0200 usbdevfs: Fix broken scatter-gather transfer commit 014639003c77a51fc319c9fdf225e7747cb6e18d upstream. The handling of large output bulk transfers is broken; the same user page is read over and over again. Fixed with this patch. Acked-by: Peter Stuge Acked-by: Hans de Goede Acked-by: Alan Stern Signed-off-by: Henrik Rydberg Signed-off-by: Greg Kroah-Hartman commit b1f9e723563c5dae07c0c8d49b21ea9602c3e644 Author: Lukas Czerner Date: Mon Oct 22 18:01:19 2012 -0400 ext4: Avoid underflow in ext4_trim_fs() commit 5de35e8d5c02d271c20e18337e01bc20e6ef472e upstream. Currently if len argument in ext4_trim_fs() is smaller than one block, the 'end' variable underflow. Avoid that by returning EINVAL if len is smaller than file system block. Also remove useless unlikely(). Signed-off-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 462f4e60ea80fc6d82b872243c4d11a9f8286d0d Author: Tao Ma Date: Mon Oct 22 00:34:32 2012 -0400 ext4: Checksum the block bitmap properly with bigalloc enabled commit 79f1ba49569e5aec919b653c55b03274c2331701 upstream. In mke2fs, we only checksum the whole bitmap block and it is right. While in the kernel, we use EXT4_BLOCKS_PER_GROUP to indicate the size of the checksumed bitmap which is wrong when we enable bigalloc. The right size should be EXT4_CLUSTERS_PER_GROUP and this patch fixes it. Also as every caller of ext4_block_bitmap_csum_set and ext4_block_bitmap_csum_verify pass in EXT4_BLOCKS_PER_GROUP(sb)/8, we'd better removes this parameter and sets it in the function itself. Signed-off-by: Tao Ma Signed-off-by: "Theodore Ts'o" Reviewed-by: Lukas Czerner Signed-off-by: Greg Kroah-Hartman commit e28b27be06c5e6a5236c0c0b370ca0768ab086bb Author: Dmitry Monakhov Date: Wed Oct 10 01:04:58 2012 -0400 ext4: race-condition protection for ext4_convert_unwritten_extents_endio commit dee1f973ca341c266229faa5a1a5bb268bed3531 upstream. We assumed that at the time we call ext4_convert_unwritten_extents_endio() extent in question is fully inside [map.m_lblk, map->m_len] because it was already split during submission. But this may not be true due to a race between writeback vs fallocate. If extent in question is larger than requested we will split it again. Special precautions should being done if zeroout required because [map.m_lblk, map->m_len] already contains valid data. Signed-off-by: Dmitry Monakhov Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman