commit fa023d58cc6887643fe3e5e95a7ff599e2734df3 Author: Greg Kroah-Hartman Date: Sun Apr 22 15:39:43 2012 -0700 Linux 3.3.3 commit fc0d7e607bb1b2bd867a35428e1aab2348d1431d Author: Dave Airlie Date: Thu Apr 19 15:42:58 2012 +0100 drm/radeon: fix load detect on rn50 with hardcoded EDIDs. commit a09d431f344d854e4fe9cfac44f78cb8202f3eb7 upstream. When the force changes went in back in 3.3.0, we ended up returning disconnected in the !force case, and the connected in when forced, as it hit the hardcoded check. Fix it so all exits go via the hardcoded check and stop spurious modesets on platforms with hardcoded EDIDs. Reported-by: Evan McNabb (Red Hat) Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit ef49ff4bbe3894b92d4949753ab8f352920c6151 Author: Dave Airlie Date: Fri Apr 13 11:14:50 2012 +0100 drm/radeon: disable MSI on RV515 commit 16a5e32b83fd946312b9b13590c75d20c95c5202 upstream. My rv515 card is very flaky with msi enabled. Every so often it loses a rearm and never comes back, manually banging the rearm brings it back. Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 639a69ba1c7e0d74a916d880117b67a00d9ec161 Author: Takashi Iwai Date: Wed Apr 18 15:21:07 2012 +0200 drm/radeon/kms: fix the regression of DVI connector check commit e36325071832f1ba96ac54fb8ba1459f08b05dd8 upstream. The check of the encoder type in the commit [e00e8b5e: drm/radeon/kms: fix analog load detection on DVI-I connectors] is obviously wrong, and it's the culprit of the regression on my workstation with DVI-analog connection resulting in the blank output. Fixed the typo now. Signed-off-by: Takashi Iwai Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 96f1ffe01afd835e18c6e0a67896376061b33d9d Author: Chris Wilson Date: Mon Apr 16 15:16:42 2012 +0100 drm/i915: Hold mode_config lock whilst changing mode for lastclose() commit c291be9dba370ba696a0d482249a212cf5c15f45 upstream. Upon lastclose(), we switch back to the fbcon configuration. This requires taking the mode_config lock in order to serialise the change with output probing elsewhere. Reported-by: Oleksij Rempel References: https://bugs.freedesktop.org/show_bug.cgi?id=48652 Signed-off-by: Chris Wilson Acked-by: Jesse Barnes Signed-Off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit c01a9ac74a8b0e704f2d88c277c2a379849b818d Author: Kees Cook Date: Mon Mar 19 16:12:53 2012 -0700 futex: Do not leak robust list to unprivileged process commit bdbb776f882f5ad431aa1e694c69c1c3d6a4a5b8 upstream. It was possible to extract the robust list head address from a setuid process if it had used set_robust_list(), allowing an ASLR info leak. This changes the permission checks to be the same as those used for similar info that comes out of /proc. Running a setuid program that uses robust futexes would have had: cred->euid != pcred->euid cred->euid == pcred->uid so the old permissions check would allow it. I'm not aware of any setuid programs that use robust futexes, so this is just a preventative measure. (This patch is based on changes from grsecurity.) Signed-off-by: Kees Cook Cc: Darren Hart Cc: Peter Zijlstra Cc: Jiri Kosina Cc: Eric W. Biederman Cc: David Howells Cc: Serge E. Hallyn Cc: kernel-hardening@lists.openwall.com Cc: spender@grsecurity.net Link: http://lkml.kernel.org/r/20120319231253.GA20893@www.outflux.net Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 018bbd053d73d88b96e6ef39adb3712301d6f9b7 Author: Cho, Yu-Chen Date: Wed Mar 14 22:01:21 2012 +0200 Bluetooth: Add Atheros maryann PIDVID support commit 07c0ea874d43c299d185948452945a361052b6e3 upstream. Add Atheros maryann 0cf3:311d PIDVID support This module is AR3012 Series. Include /sys/kernel/debug/usb/devices output here for reference before: T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=311d Rev= 0.01 S: Manufacturer=Atheros Communications S: Product=Bluetooth USB Host Controller S: SerialNumber=Alaska Day 2006 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms after: T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=311d Rev= 0.02 S: Manufacturer=Atheros Communications S: Product=Bluetooth USB Host Controller S: SerialNumber=Alaska Day 2006 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Cho, Yu-Chen cked-by: Marcel Holtmann Signed-off-by: Johan Hedberg Cc: Jonathan Nieder Signed-off-by: Greg Kroah-Hartman commit d97f30453d12c84cea49ce3f1f63158c5ead8314 Author: Eran Date: Mon Dec 5 22:15:29 2011 +0000 Bluetooth: Adding USB device 13d3:3375 as an Atheros AR3012. commit 9498ba7a1d38d42eef4ef6d906ab1743c9f0fd6f upstream. The bluetooth module in the Asus UX31/UX21 is based on Atheros AR3012 and requires a firmware to be uploaded before it's usable. output of usb-devices for this module: T: Bus=01 Lev=02 Prnt=02 Port=07 Cnt=03 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3375 Rev=00.02 S: Manufacturer=Atheros Communications S: Product=Bluetooth USB Host Controller S: SerialNumber=Alaska Day 2006 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Eran Tested-by: Michal Labedzki Signed-off-by: Gustavo F. Padovan Cc: Jonathan Nieder Signed-off-by: Greg Kroah-Hartman commit bc2236dd7856b3e35a64b31b74be686f16d89e5b Author: Danny Kukawka Date: Tue Feb 14 15:35:03 2012 +0100 spi-topcliff-pch: fix -Wuninitialized warning commit de3bd7e6de25141c466773c2e0fa319b2fa93655 upstream. Fix for: drivers/spi/spi-topcliff-pch.c: In function ‘pch_spi_handler_sub’: drivers/spi/spi-topcliff-pch.c:325:17: warning: ‘bpw_len’ may be used uninitialized in this function [-Wuninitialized] drivers/spi/spi-topcliff-pch.c:325:42: warning: ‘rx_index’ may be used uninitialized in this function [-Wuninitialized] drivers/spi/spi-topcliff-pch.c:325:42: warning: ‘tx_index’ may be used uninitialized in this function [-Wuninitialized] Move usage of tx_index, rx_index and bpw_len into the same block as where they are set to prevent uninitialized usage. v2: instead of init variables with 0 move the whole block [This patch title "warnings" makes you think "This patch is not for bug fix". However, this patch surely patch for bug fix.] Signed-off-by: Danny Kukawka Signed-off-by: Grant Likely Signed-off-by: Tomoya MORINAGA Signed-off-by: Greg Kroah-Hartman commit 3fae71af74f03aa3317fa43e4830117371ee46e9 Author: Jonghwan Choi Date: Wed Apr 18 17:23:04 2012 -0400 security: fix compile error in commoncap.c commit 51b79bee627d526199b2f6a6bef8ee0c0739b6d1 upstream. Add missing "personality.h" security/commoncap.c: In function 'cap_bprm_set_creds': security/commoncap.c:510: error: 'PER_CLEAR_ON_SETID' undeclared (first use in this function) security/commoncap.c:510: error: (Each undeclared identifier is reported only once security/commoncap.c:510: error: for each function it appears in.) Signed-off-by: Jonghwan Choi Acked-by: Serge Hallyn Signed-off-by: James Morris Cc: Eric Paris Signed-off-by: Greg Kroah-Hartman commit 4761766a8ccb3214a2f5a46a6e1ceaea5c65e6ed Author: Tomoya MORINAGA Date: Thu Jan 12 11:27:09 2012 +0900 usb: gadget: pch_udc: Reduce redundant interrupt commit 833310402c54ad9b676b465fc53ad276b13d36be upstream. ISSUE: USB Suspend interrupts occur frequently. CAUSE: When it is called pch_udc_reconnect() in USB Suspend, it repeats reset and Suspend. SOLUTION: pch_udc_reconnect() does not enable all interrupts. When an enumeration event occurred the driver enables all interrupts. Signed-off-by: Tomoya MORINAGA Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 903cff2aedfa61f5be2ca39629bade23da77294a Author: Tomoya MORINAGA Date: Thu Jan 12 11:27:08 2012 +0900 usb: gadget: pch_udc: Fix usb/gadget/pch_udc: Fix ether gadget connect/disconnect issue commit 1c575d2d2e3ff2a7cb3c2e2165064199cfd8ad32 upstream. ISSUE: After a USB cable is connect/disconnected, the system rarely freezes. CAUSE: Since the USB device controller cannot know to disconnect the USB cable, when it is used without detecting VBUS by GPIO, the UDC driver does not notify to USB Gadget. Since USB Gadget cannot know to disconnect, a false setting occurred when the USB cable is connected/disconnect repeatedly. Signed-off-by: Tomoya MORINAGA Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit aa95f7fa2e6124553ad3d720d30682e4d12f4feb Author: Tomoya MORINAGA Date: Thu Jan 12 11:27:07 2012 +0900 usb: gadget: pch_udc: Fix USB suspend issue commit 84566abba058b2aae8d603dfa90b5a3778a6714f upstream. ISSUE: After USB Suspend, a system rarely freezes. CAUSE: When USB Suspend occurred, the driver is not notifying a gadget of the event. Signed-off-by: Tomoya MORINAGA Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 6946296876675c23d13b3406fff1d9b933afa0c6 Author: Tomoya MORINAGA Date: Thu Jan 12 11:27:06 2012 +0900 usb: gadget: pch_udc: Fix wrong return value commit c802672cd36cd063bfd54d54c8c34825ab5b2357 upstream. ISSUE: If the return value of pch_udc_pcd_init() is False, the return value of this function is unsettled. Since pch_udc_pcd_init() always returns 0, there is not actually the issue. CAUSE: If pch_udc_pcd_init() is True, the variable, retval, is not set for an appropriate value. Signed-off-by: Tomoya MORINAGA Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c643e97d48c1864bf48545bf322a682a5081c66e Author: Tomoya MORINAGA Date: Thu Jan 12 11:27:05 2012 +0900 usb: gadget: pch_udc: Fix disconnect issue commit c50a3bff0edb0acd49d8033a12ea4668e09a31ad upstream. ISSUE: When the driver notifies a gadget of a disconnect event, a system rarely freezes. CAUSE: When the driver calls dev->driver->disconnect(), it is not calling spin_unlock(). Signed-off-by: Tomoya MORINAGA Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 56070c9874f05a84dbd7f95c65136408a3d28d31 Author: Sarah Sharp Date: Fri Mar 16 13:19:35 2012 -0700 xhci: Fix register save/restore order. commit c7713e736526d8c9f6f87716fb90562a8ffaff2c upstream. The xHCI 1.0 spec errata released on June 13, 2011, changes the ordering that the xHCI registers are saved and restored in. It moves the interrupt pending (IMAN) and interrupt control (IMOD) registers to be saved and restored last. I believe that's because the host controller may attempt to fetch the event ring table when interrupts are re-enabled. Therefore we need to restore the event ring registers before we re-enable interrupts. This should be backported to kernels as old as 2.6.37, that contain the commit 5535b1d5f8885695c6ded783c692e3c0d0eda8ca "USB: xHCI: PCI power management implementation" Signed-off-by: Sarah Sharp Tested-by: Elric Fu Cc: Andiry Xu Signed-off-by: Greg Kroah-Hartman commit dfdf2aee99a646e8593354cd61387735528f4610 Author: Eric Paris Date: Tue Apr 17 16:26:54 2012 -0400 fcaps: clear the same personality flags as suid when fcaps are used commit d52fc5dde171f030170a6cb78034d166b13c9445 upstream. If a process increases permissions using fcaps all of the dangerous personality flags which are cleared for suid apps should also be cleared. Thus programs given priviledge with fcaps will continue to have address space randomization enabled even if the parent tried to disable it to make it easier to attack. Signed-off-by: Eric Paris Reviewed-by: Serge Hallyn Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit b84ecfc02ef20cbe49e7d67c39431b1896bc5687 Author: Linus Walleij Date: Wed Mar 21 20:15:18 2012 +0100 serial: PL011: move interrupt clearing commit c3d8b76f61586714cdc5f219ba45592a54caaa55 upstream. Commit 360f748b204275229f8398cb2f9f53955db1503b "serial: PL011: clear pending interrupts" attempts to clear interrupts by writing to a yet-unassigned memory address. This fixes the issue. The breaking patch is marked for stable so should be carried along with the other patch. Cc: Shreshtha Kumar Sahu Cc: Russell King Cc: Nicolas Pitre Reported-by: Viresh Kumar Signed-off-by: Linus Walleij Tested-by: Grant Likely Signed-off-by: Greg Kroah-Hartman commit 1c7e5ed0f96d7d653101f163a164422c7bae0d9c Author: Linus Walleij Date: Tue Mar 13 13:27:23 2012 +0100 serial: PL011: clear pending interrupts commit 9b96fbacda34079dea0638ee1e92c56286f6114a upstream. Chanho Min reported that when the boot loader transfers control to the kernel, there may be pending interrupts causing the UART to lock up in an eternal loop trying to pick tokens from the FIFO (since the RX interrupt flag indicates there are tokens) while in practice there are no tokens - in fact there is only a pending IRQ flag. This patch address the issue with a combination of two patches suggested by Russell King that clears and mask all interrupts at probe() and clears any pending error and RX interrupts at port startup time. We suspect the spurious interrupts are a side-effect of switching the UART from FIFO to non-FIFO mode. Cc: Shreshtha Kumar Sahu Reported-by: Chanho Min Suggested-by: Russell King Signed-off-by: Linus Walleij Reviewed-by: Jong-Sung Kim Signed-off-by: Greg Kroah-Hartman commit e31c1287e43fb65773fba0e9f2b2ec418268a45d Author: Hugh Dickins Date: Wed Apr 18 23:34:46 2012 -0700 memcg: fix Bad page state after replace_page_cache commit 9b7f43afd417a6feb80841d30ced4051c362eb5d upstream. My 9ce70c0240d0 "memcg: fix deadlock by inverting lrucare nesting" put a nasty little bug into v3.3's version of mem_cgroup_replace_page_cache(), sometimes used for FUSE. Replacing __mem_cgroup_commit_charge_lrucare() by __mem_cgroup_commit_charge(), I used the "pc" pointer set up earlier: but it's for oldpage, and needs now to be for newpage. Once oldpage was freed, its PageCgroupUsed bit (cleared above but set again here) caused "Bad page state" messages - and perhaps worse, being missed from newpage. (I didn't find this by using FUSE, but in reusing the function for tmpfs.) Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9462c8836507a4ed5bc677c702582f3f5f77eb86 Author: Martin Schwidefsky Date: Wed Apr 11 14:28:07 2012 +0200 fix tlb flushing for page table pages commit cd94154cc6a28dd9dc271042c1a59c08d26da886 upstream. Git commit 36409f6353fc2d7b6516e631415f938eadd92ffa "use generic RCU page-table freeing code" introduced a tlb flushing bug. Partially revert the above git commit and go back to s390 specific page table flush code. For s390 the TLB can contain three types of entries, "normal" TLB page-table entries, TLB combined region-and-segment-table (CRST) entries and real-space entries. Linux does not use real-space entries which leaves normal TLB entries and CRST entries. The CRST entries are intermediate steps in the page-table translation called translation paths. For example a 4K page access in a three-level page table setup will create two CRST TLB entries and one page-table TLB entry. The advantage of that approach is that a page access next to the previous one can reuse the CRST entries and needs just a single read from memory to create the page-table TLB entry. The disadvantage is that the TLB flushing rules are more complicated, before any page-table may be freed the TLB needs to be flushed. In short: the generic RCU page-table freeing code is incorrect for the CRST entries, in particular the check for mm_users < 2 is troublesome. This is applicable to 3.0+ kernels. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 81bcba5ad9bae5961fd492e6e63696e034372a03 Author: Alex He Date: Fri Mar 30 10:21:38 2012 +0800 xHCI: Correct the #define XHCI_LEGACY_DISABLE_SMI commit 95018a53f7653e791bba1f54c8d75d9cb700d1bd upstream. Re-define XHCI_LEGACY_DISABLE_SMI and used it in right way. All SMI enable bits will be cleared to zero and flag bits 29:31 are also cleared to zero. Other bits should be presvered as Table 146. This patch should be backported to kernels as old as 2.6.31. Signed-off-by: Alex He Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 42b9e286a15f3d11b66ef1f6e78fee60583d1050 Author: Elric Fu Date: Thu Mar 29 15:47:50 2012 +0800 xHCI: add XHCI_RESET_ON_RESUME quirk for VIA xHCI host commit 457a4f61f9bfc3ae76e5b49f30f25d86bb696f67 upstream. The suspend operation of VIA xHCI host have some issues and hibernate operation works fine, so The XHCI_RESET_ON_RESUME quirk is added for it. This patch should base on "xHCI: Don't write zeroed pointer to xHC registers" that is released by Sarah. Otherwise, the host system error will ocurr in the hibernate operation process. This should be backported to stable kernels as old as 2.6.37, that contain the commit c877b3b2ad5cb9d4fe523c5496185cc328ff3ae9 "xhci: Add reset on resume quirk for asrock p67 host". Signed-off-by: Elric Fu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit b2d8f79211c71aaf409714a706e8c3aff1825fbc Author: Elric Fu Date: Mon Mar 26 21:16:02 2012 +0800 USB: fix bug of device descriptor got from superspeed device commit d8aec3dbdfd02627e198e7956ab4aaeba2a349fa upstream. When the Seagate Goflex USB3.0 device is attached to VIA xHCI host, sometimes the device will downgrade mode to high speed. By the USB analyzer, I found the device finished the link training process and worked at superspeed mode. But the device descriptor got from the device shows the device works at 2.1. It is very strange and seems like the device controller of Seagate Goflex has a little confusion. The first 8 bytes of device descriptor should be: 12 01 00 03 00 00 00 09 But the first 8 bytes of wrong device descriptor are: 12 01 10 02 00 00 00 40 The wrong device descriptor caused the initialization of mass storage failed. After a while, the device would be recognized as a high speed device and works fine. This patch will warm reset the device to fix the issue after finding the bcdUSB field of device descriptor isn't 0x0300 but the speed mode of device is superspeed. This patch should be backported to kernels as old as 3.2, or ones that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Elric Fu Acked-by: Andiry Xu Acked-by: Sergei Shtylyov Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit c55d59b35ba555050ef4dd3e8b2ebe7d0b9f3d33 Author: Sarah Sharp Date: Fri Mar 16 13:27:39 2012 -0700 xhci: Restore event ring dequeue pointer on resume. commit fb3d85bc7193f23c9a564502df95564c49a32c91 upstream. The xhci_save_registers() function saved the event ring dequeue pointer in the s3 register structure, but xhci_restore_registers() never restored it. No other code in the xHCI successful resume path would ever restore it either. Fix that. This should be backported to kernels as old as 2.6.37, that contain the commit 5535b1d5f8885695c6ded783c692e3c0d0eda8ca "USB: xHCI: PCI power management implementation". Signed-off-by: Sarah Sharp Tested-by: Elric Fu Cc: Andiry Xu Signed-off-by: Greg Kroah-Hartman commit ba0b3a4a113e581fa4631803399d8384538b0d6a Author: Sarah Sharp Date: Fri Mar 16 13:09:39 2012 -0700 xhci: Don't write zeroed pointers to xHC registers. commit 159e1fcc9a60fc7daba23ee8fcdb99799de3fe84 upstream. When xhci_mem_cleanup() is called, we can't be sure if the xHC is actually halted. We can ask the xHC to halt by writing to the RUN bit in the command register, but that might timeout due to a HW hang. If the host controller is still running, we should not write zeroed values to the event ring dequeue pointers or base tables, the DCBAA pointers, or the command ring pointers. Eric Fu reports his VIA VL800 host accesses the event ring pointers after a failed register restore on resume from suspend. The hypothesis is that the host never actually halted before the register write to change the event ring pointer to zero. Remove all writes of zeroed values to pointer registers in xhci_mem_cleanup(). Instead, make all callers of the function reset the host controller first, which will reset those registers to zero. xhci_mem_init() is the only caller that doesn't first halt and reset the host controller before calling xhci_mem_cleanup(). This should be backported to kernels as old as 2.6.32. Signed-off-by: Sarah Sharp Tested-by: Elric Fu Signed-off-by: Greg Kroah-Hartman commit 0fc81a7ea254937d0a54e08bc78913dbf7eb5e64 Author: Felipe Balbi Date: Thu Mar 15 16:37:08 2012 +0200 xhci: don't re-enable IE constantly commit 4e833c0b87a30798e67f06120cecebef6ee9644c upstream. While we're at that, define IMAN bitfield to aid readability. The interrupt enable bit should be set once on driver init, and we shouldn't need to continually re-enable it. Commit c21599a3 introduced a read of the irq_pending register, and that allows us to preserve the state of the IE bit. Before that commit, we were blindly writing 0x3 to the register. This patch should be backported to kernels as old as 2.6.36, or ones that contain the commit c21599a36165dbc78b380846b254017a548b9de5 "USB: xhci: Reduce reads and writes of interrupter registers". Signed-off-by: Felipe Balbi Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 9237944b75722bbb47b78b6bdcef19c4dec9cca0 Author: Alan Stern Date: Wed Mar 28 15:56:17 2012 -0400 USB: don't ignore suspend errors for root hubs commit cd4376e23a59a2adf3084cb5f4a523e6d5fd4e49 upstream. This patch (as1532) fixes a mistake in the USB suspend code. When the system is going to sleep, we should ignore errors in powering down USB devices, because they don't really matter. The devices will go to low power anyway when the entire USB bus gets suspended (except for SuperSpeed devices; maybe they will need special treatment later). However we should not ignore errors in suspending root hubs, especially if the error indicates that the suspend raced with a wakeup request. Doing so might leave the bus powered on while the system was supposed to be asleep, or it might cause the suspend of the root hub's parent controller device to fail, or it might cause a wakeup request to be ignored. The patch fixes the problem by ignoring errors only when the device in question is not a root hub. Signed-off-by: Alan Stern Reported-by: Chen Peter Tested-by: Chen Peter Signed-off-by: Greg Kroah-Hartman commit d9e83d653a1dfb4e0046c9aeaba28fea5b4d4a62 Author: Alan Stern Date: Thu Mar 22 11:00:21 2012 -0400 USB: don't clear urb->dev in scatter-gather library commit bcf398537630bf20b4dbe59ba855b69f404c93cf upstream. This patch (as1517b) fixes an error in the USB scatter-gather library. The library code uses urb->dev to determine whether or nor an URB is currently active; the completion handler sets urb->dev to NULL. However the core unlinking routines need to use urb->dev. Since unlinking always racing with completion, the completion handler must not clear urb->dev -- it can lead to invalid memory accesses when a transfer has to be cancelled. This patch fixes the problem by getting rid of the lines that clear urb->dev after urb has been submitted. As a result we may end up trying to unlink an URB that failed in submission or that has already completed, so an extra check is added after each unlink to avoid printing an error message when this happens. The checks are updated in both sg_complete() and sg_cancel(), and the second is updated to match the first (currently it prints out unnecessary warning messages if a device is unplugged while a transfer is in progress). Signed-off-by: Alan Stern Reported-and-tested-by: Illia Zaitsev CC: Ming Lei Signed-off-by: Greg Kroah-Hartman commit 509bda8dc1bba274c3b8580645d1efc27b77c4f0 Author: Anton Samokhvalov Date: Wed Apr 4 22:26:01 2012 +0400 USB: sierra: add support for Sierra Wireless MC7710 commit c5d703dcc776cb542b41665f2b7e2ba054efb4a7 upstream. Just add new device id. 3G works fine, LTE not tested. Signed-off-by: Anton Samokhvalov Signed-off-by: Greg Kroah-Hartman commit 99a95b45c11f22a5c812141f7c88615707a11569 Author: Simon Arlott Date: Mon Mar 26 23:27:59 2012 +0100 USB: ftdi_sio: fix race condition in TIOCMIWAIT, and abort of TIOCMIWAIT when the device is removed commit 876ae50d94b02f3f523aa451b45ec5fb9c25d221 upstream. There are two issues here, one is that the device is generating spurious very fast modem status line changes somewhere: CTS becomes high then low 18µs later: [121226.924373] ftdi_process_packet: prev rng=0 dsr=10 dcd=0 cts=6 [121226.924378] ftdi_process_packet: status=10 prev=00 diff=10 [121226.924382] ftdi_process_packet: now rng=0 dsr=10 dcd=0 cts=7 (wake_up_interruptible is called) [121226.924391] ftdi_process_packet: prev rng=0 dsr=10 dcd=0 cts=7 [121226.924394] ftdi_process_packet: status=00 prev=10 diff=10 [121226.924397] ftdi_process_packet: now rng=0 dsr=10 dcd=0 cts=8 (wake_up_interruptible is called) This wakes up the task in TIOCMIWAIT: [121226.924405] ftdi_ioctl: 19451 rng=0->0 dsr=10->10 dcd=0->0 cts=6->8 (wait from 20:51:46 returns and observes both changes) Which then calls TIOCMIWAIT again: 20:51:46.400239 ioctl(3, TIOCMIWAIT, 0x20) = 0 22:11:09.441818 ioctl(3, TIOCMGET, [TIOCM_DTR|TIOCM_RTS]) = 0 22:11:09.442812 ioctl(3, TIOCMIWAIT, 0x20) = -1 EIO (Input/output error) (the second wake_up_interruptible takes effect and an I/O error occurs) The other issue is that TIOCMIWAIT will wait forever (unless the task is interrupted) if the device is removed. This change removes the -EIO return that occurs if the counts don't appear to have changed. Multiple counts may have been processed as one or the waiting task may have started waiting after recording the current count. It adds a bool to indicate that the device has been removed so that TIOCMIWAIT doesn't wait forever, and wakes up any tasks so that they can return -EIO. Signed-off-by: Simon Arlott Signed-off-by: Greg Kroah-Hartman commit e9775b0d35fdd30abc9b79f5d025c6b6277685c0 Author: Simon Arlott Date: Mon Mar 26 21:19:40 2012 +0100 USB: ftdi_sio: fix status line change handling for TIOCMIWAIT and TIOCGICOUNT commit fca5430d48d53eaf103498c33fd0d1984b9f448b upstream. Handling of TIOCMIWAIT was changed by commit 1d749f9afa657f6ee9336b2bc1fcd750a647d157 USB: ftdi_sio.c: Use ftdi async_icount structure for TIOCMIWAIT, as in other drivers FTDI_STATUS_B0_MASK does not indicate the changed modem status lines, it indicates the value of the current modem status lines. An xor is still required to determine which lines have changed. The count was only being incremented if the line was high. The only reason TIOCMIWAIT still worked was because the status packet is repeated every 1ms, so the count was always changing. The wakeup itself still ran based on the status lines changing. This change fixes handling of updates to the modem status lines and allows multiple processes to use TIOCMIWAIT concurrently. Tested with two processes waiting on different status lines being toggled independently. Signed-off-by: Simon Arlott Cc: Uwe Bonnes Signed-off-by: Greg Kroah-Hartman commit 7661a5c71836bad6dfc37c8d97526ddddcadba2e Author: Santiago Garcia Mantinan Date: Mon Mar 19 18:17:00 2012 +0100 USB: option: re-add NOVATELWIRELESS_PRODUCT_HSPA_HIGHSPEED to option_id array commit 9ac2feb22b5b821d81463bef92698ef7682a3145 upstream. Re-add NOVATELWIRELESS_PRODUCT_HSPA_HIGHSPEED to option_id array Signed-off-by: Santiago Garcia Mantinan Signed-off-by: Greg Kroah-Hartman commit 7d5c138878497d932eea55cf1f12922ce3b7e76b Author: Johan Hovold Date: Fri Mar 23 15:23:18 2012 +0100 USB: pl2303: fix DTR/RTS being raised on baud rate change commit ce5c9851855bab190c9a142761d54ba583ab094c upstream. DTR/RTS should only be raised when changing baudrate from B0 and not on any baud rate change (> B0). Reported-by: Søren Holm Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 91fef73a5fbe6b5a9e8ede8aebf74442b0a70d9b Author: Johan Hovold Date: Tue Mar 20 16:59:33 2012 +0100 USB: serial: fix race between probe and open commit a65a6f14dc24a90bde3f5d0073ba2364476200bf upstream. Fix race between probe and open by making sure that the disconnected flag is not cleared until all ports have been registered. A call to tty_open while probe is running may get a reference to the serial structure in serial_install before its ports have been registered. This may lead to usb_serial_core calling driver open before port is fully initialised. With ftdi_sio this result in the following NULL-pointer dereference as the private data has not been initialised at open: [ 199.698286] IP: [] ftdi_open+0x59/0xe0 [ftdi_sio] [ 199.698297] *pde = 00000000 [ 199.698303] Oops: 0000 [#1] PREEMPT SMP [ 199.698313] Modules linked in: ftdi_sio usbserial [ 199.698323] [ 199.698327] Pid: 1146, comm: ftdi_open Not tainted 3.2.11 #70 Dell Inc. Vostro 1520/0T816J [ 199.698339] EIP: 0060:[] EFLAGS: 00010286 CPU: 0 [ 199.698344] EIP is at ftdi_open+0x59/0xe0 [ftdi_sio] [ 199.698348] EAX: 0000003e EBX: f5067000 ECX: 00000000 EDX: 80000600 [ 199.698352] ESI: f48d8800 EDI: 00000001 EBP: f515dd54 ESP: f515dcfc [ 199.698356] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 199.698361] Process ftdi_open (pid: 1146, ti=f515c000 task=f481e040 task.ti=f515c000) [ 199.698364] Stack: [ 199.698368] f811a9fe f811a9e0 f811b3ef 00000000 00000000 00001388 00000000 f4a86800 [ 199.698387] 00000002 00000000 f806e68e 00000000 f532765c f481e040 00000246 22222222 [ 199.698479] 22222222 22222222 22222222 f5067004 f5327600 f5327638 f515dd74 f806e6ab [ 199.698496] Call Trace: [ 199.698504] [] ? serial_activate+0x2e/0x70 [usbserial] [ 199.698511] [] serial_activate+0x4b/0x70 [usbserial] [ 199.698521] [] tty_port_open+0x7c/0xd0 [ 199.698527] [] ? serial_set_termios+0xa0/0xa0 [usbserial] [ 199.698534] [] serial_open+0x2f/0x70 [usbserial] [ 199.698540] [] tty_open+0x20c/0x510 [ 199.698546] [] chrdev_open+0xe7/0x230 [ 199.698553] [] __dentry_open+0x1f2/0x390 [ 199.698559] [] ? _raw_spin_unlock+0x2c/0x50 [ 199.698565] [] nameidata_to_filp+0x66/0x80 [ 199.698570] [] ? cdev_put+0x20/0x20 [ 199.698576] [] do_last+0x198/0x730 [ 199.698581] [] path_openat+0xa0/0x350 [ 199.698587] [] do_filp_open+0x35/0x80 [ 199.698593] [] ? _raw_spin_unlock+0x2c/0x50 [ 199.698599] [] ? alloc_fd+0xc0/0x100 [ 199.698605] [] ? getname_flags+0x72/0x120 [ 199.698611] [] do_sys_open+0xf0/0x1c0 [ 199.698617] [] ? trace_hardirqs_on_thunk+0xc/0x10 [ 199.698623] [] sys_open+0x2e/0x40 [ 199.698628] [] sysenter_do_call+0x12/0x36 [ 199.698632] Code: 85 89 00 00 00 8b 16 8b 4d c0 c1 e2 08 c7 44 24 14 88 13 00 00 81 ca 00 00 00 80 c7 44 24 10 00 00 00 00 c7 44 24 0c 00 00 00 00 <0f> b7 41 78 31 c9 89 44 24 08 c7 44 24 04 00 00 00 00 c7 04 24 [ 199.698884] EIP: [] ftdi_open+0x59/0xe0 [ftdi_sio] SS:ESP 0068:f515dcfc [ 199.698893] CR2: 0000000000000078 [ 199.698925] ---[ end trace 77c43ec023940cff ]--- Reported-and-tested-by: Ken Huang Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 26dd184bf94ef7161f23a60c99b88f1a95312f6d Author: H. Peter Anvin Date: Fri Apr 6 09:30:57 2012 -0700 x86: Use correct byte-sized register constraint in __add() commit 8c91c5325e107ec17e40a59a47c6517387d64eb7 upstream. Similar to: 2ca052a x86: Use correct byte-sized register constraint in __xchg_op() ... the __add() macro also needs to use a "q" constraint in the byte-sized case, lest we try to generate an illegal register. Link: http://lkml.kernel.org/r/4F7A3315.501@goop.org Signed-off-by: H. Peter Anvin Cc: Jeremy Fitzhardinge Cc: Leigh Scott Cc: Thomas Reitmayr Signed-off-by: Greg Kroah-Hartman commit 36f87c5f10a44a44d1c1d9111c043d965295ab44 Author: Jeremy Fitzhardinge Date: Mon Apr 2 16:15:33 2012 -0700 x86: Use correct byte-sized register constraint in __xchg_op() commit 2ca052a3710fac208eee690faefdeb8bbd4586a1 upstream. x86-64 can access the low half of any register, but i386 can only do it with a subset of registers. 'r' causes compilation failures on i386, but 'q' expresses the constraint properly. Signed-off-by: Jeremy Fitzhardinge Link: http://lkml.kernel.org/r/4F7A3315.501@goop.org Reported-by: Leigh Scott Tested-by: Thomas Reitmayr Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit a10c8741cf87142f6eb835c0adac649ffa34767e Author: Tomoya MORINAGA Date: Mon Apr 2 14:36:22 2012 +0900 pch_uart: Fix MSI setting issue commit 867c902e07d5677e2a5b54c0435e589513abde48 upstream. The following patch (MSI setting) is not enough. commit e463595fd9c752fa4bf06b47df93ef9ade3c7cf0 Author: Alexander Stein Date: Mon Jul 4 08:58:31 2011 +0200 pch_uart: Add MSI support Signed-off-by: Alexander Stein Signed-off-by: Greg Kroah-Hartman To enable MSI mode, PCI bus-mastering must be enabled. This patch enables the setting. cc: Alexander Stein Signed-off-by: Tomoya MORINAGA Signed-off-by: Greg Kroah-Hartman commit 177b07ddae959f9454f4f4f1d14ab3365be58d84 Author: Neal Cardwell Date: Tue Mar 27 15:09:37 2012 -0400 nohz: Fix stale jiffies update in tick_nohz_restart() commit 6f103929f8979d2638e58d7f7fda0beefcb8ee7e upstream. Fix tick_nohz_restart() to not use a stale ktime_t "now" value when calling tick_do_update_jiffies64(now). If we reach this point in the loop it means that we crossed a tick boundary since we grabbed the "now" timestamp, so at this point "now" refers to a time in the old jiffy, so using the old value for "now" is incorrect, and is likely to give us a stale jiffies value. In particular, the first time through the loop the tick_do_update_jiffies64(now) call is always a no-op, since the caller, tick_nohz_restart_sched_tick(), will have already called tick_do_update_jiffies64(now) with that "now" value. Note that tick_nohz_stop_sched_tick() already uses the correct approach: when we notice we cross a jiffy boundary, grab a new timestamp with ktime_get(), and *then* update jiffies. Signed-off-by: Neal Cardwell Cc: Ben Segall Cc: Ingo Molnar Link: http://lkml.kernel.org/r/1332875377-23014-1-git-send-email-ncardwell@google.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 61f759e8e064a4f2bb715b91957e1d848e3dc476 Author: Roland Dreier Date: Thu Apr 12 07:51:08 2012 -0700 IB/srpt: Set srq_type to IB_SRQT_BASIC commit 6f3603367b8f7c34598fdfc1058622e0e1951e98 upstream. Since commit 96104eda0169 ("RDMA/core: Add SRQ type field"), kernel users of SRQs need to specify srq_type = IB_SRQT_BASIC in struct ib_srq_init_attr, or else most low-level drivers will fail in when srpt_add_one() calls ib_create_srq() and gets -ENOSYS. (mlx4_ib works OK nearly all of the time, because it just needs srq_type != IB_SRQT_XRC. And apparently nearly everyone using ib_srpt is using mlx4 hardware) Reported-by: Alexey Shvetsov Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit eff1ddf423cf05d60760608fc59909e0241ed65b Author: Wang YanQing Date: Sun Apr 1 08:54:02 2012 +0800 video:uvesafb: Fix oops that uvesafb try to execute NX-protected page commit b78f29ca0516266431688c5eb42d39ce42ec039a upstream. This patch fix the oops below that catched in my machine [ 81.560602] uvesafb: NVIDIA Corporation, GT216 Board - 0696a290, Chip Rev , OEM: NVIDIA, VBE v3.0 [ 81.609384] uvesafb: protected mode interface info at c000:d350 [ 81.609388] uvesafb: pmi: set display start = c00cd3b3, set palette = c00cd40e [ 81.609390] uvesafb: pmi: ports = 3b4 3b5 3ba 3c0 3c1 3c4 3c5 3c6 3c7 3c8 3c9 3cc 3ce 3cf 3d0 3d1 3d2 3d3 3d4 3d5 3da [ 81.614558] uvesafb: VBIOS/hardware doesn't support DDC transfers [ 81.614562] uvesafb: no monitor limits have been set, default refresh rate will be used [ 81.614994] uvesafb: scrolling: ypan using protected mode interface, yres_virtual=4915 [ 81.744147] kernel tried to execute NX-protected page - exploit attempt? (uid: 0) [ 81.744153] BUG: unable to handle kernel paging request at c00cd3b3 [ 81.744159] IP: [] 0xc00cd3b2 [ 81.744167] *pdpt = 00000000016d6001 *pde = 0000000001c7b067 *pte = 80000000000cd163 [ 81.744171] Oops: 0011 [#1] SMP [ 81.744174] Modules linked in: uvesafb(+) cfbcopyarea cfbimgblt cfbfillrect [ 81.744178] [ 81.744181] Pid: 3497, comm: modprobe Not tainted 3.3.0-rc4NX+ #71 Acer Aspire 4741 /Aspire 4741 [ 81.744185] EIP: 0060:[] EFLAGS: 00010246 CPU: 0 [ 81.744187] EIP is at 0xc00cd3b3 [ 81.744189] EAX: 00004f07 EBX: 00000000 ECX: 00000000 EDX: 00000000 [ 81.744191] ESI: f763f000 EDI: f763f6e8 EBP: f57f3a0c ESP: f57f3a00 [ 81.744192] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 81.744195] Process modprobe (pid: 3497, ti=f57f2000 task=f748c600 task.ti=f57f2000) [ 81.744196] Stack: [ 81.744197] f82512c5 f759341c 00000000 f57f3a30 c124a9bc 00000001 00000001 000001e0 [ 81.744202] f8251280 f763f000 f7593400 00000000 f57f3a40 c12598dd f5c0c000 00000000 [ 81.744206] f57f3b10 c1255efe c125a21a 00000006 f763f09c 00000000 c1c6cb60 f7593400 [ 81.744210] Call Trace: [ 81.744215] [] ? uvesafb_pan_display+0x45/0x60 [uvesafb] [ 81.744222] [] fb_pan_display+0x10c/0x160 [ 81.744226] [] ? uvesafb_vbe_find_mode+0x180/0x180 [uvesafb] [ 81.744230] [] bit_update_start+0x1d/0x50 [ 81.744232] [] fbcon_switch+0x39e/0x550 [ 81.744235] [] ? bit_cursor+0x4ea/0x560 [ 81.744240] [] redraw_screen+0x12b/0x220 [ 81.744245] [] ? tty_do_resize+0x3b/0xc0 [ 81.744247] [] vc_do_resize+0x3d2/0x3e0 [ 81.744250] [] vc_resize+0x14/0x20 [ 81.744253] [] fbcon_init+0x29d/0x500 [ 81.744255] [] ? set_inverse_trans_unicode+0xe4/0x110 [ 81.744258] [] visual_init+0xb8/0x150 [ 81.744261] [] bind_con_driver+0x16c/0x360 [ 81.744264] [] ? register_con_driver+0x6e/0x190 [ 81.744267] [] take_over_console+0x41/0x50 [ 81.744269] [] fbcon_takeover+0x6a/0xd0 [ 81.744272] [] fbcon_event_notify+0x758/0x790 [ 81.744277] [] notifier_call_chain+0x42/0xb0 [ 81.744280] [] __blocking_notifier_call_chain+0x60/0x90 [ 81.744283] [] blocking_notifier_call_chain+0x1a/0x20 [ 81.744285] [] fb_notifier_call_chain+0x11/0x20 [ 81.744288] [] register_framebuffer+0x1d9/0x2b0 [ 81.744293] [] ? ioremap_wc+0x33/0x40 [ 81.744298] [] uvesafb_probe+0xaba/0xc40 [uvesafb] [ 81.744302] [] platform_drv_probe+0xf/0x20 [ 81.744306] [] driver_probe_device+0x68/0x170 [ 81.744309] [] __device_attach+0x41/0x50 [ 81.744313] [] bus_for_each_drv+0x48/0x70 [ 81.744316] [] device_attach+0x83/0xa0 [ 81.744319] [] ? __driver_attach+0x90/0x90 [ 81.744321] [] bus_probe_device+0x6f/0x90 [ 81.744324] [] device_add+0x5e5/0x680 [ 81.744329] [] ? kvasprintf+0x43/0x60 [ 81.744332] [] ? kobject_set_name_vargs+0x64/0x70 [ 81.744335] [] ? kobject_set_name_vargs+0x64/0x70 [ 81.744339] [] platform_device_add+0xff/0x1b0 [ 81.744343] [] uvesafb_init+0x50/0x9b [uvesafb] [ 81.744346] [] do_one_initcall+0x2f/0x170 [ 81.744350] [] ? uvesafb_is_valid_mode+0x66/0x66 [uvesafb] [ 81.744355] [] sys_init_module+0xf4/0x1410 [ 81.744359] [] ? vfsmount_lock_local_unlock_cpu+0x30/0x30 [ 81.744363] [] sysenter_do_call+0x12/0x36 [ 81.744365] Code: f5 00 00 00 32 f6 66 8b da 66 d1 e3 66 ba d4 03 8a e3 b0 1c 66 ef b0 1e 66 ef 8a e7 b0 1d 66 ef b0 1f 66 ef e8 fa 00 00 00 61 c3 <60> e8 c8 00 00 00 66 8b f3 66 8b da 66 ba d4 03 b0 0c 8a e5 66 [ 81.744388] EIP: [] 0xc00cd3b3 SS:ESP 0068:f57f3a00 [ 81.744391] CR2: 00000000c00cd3b3 [ 81.744393] ---[ end trace 18b2c87c925b54d6 ]--- Signed-off-by: Wang YanQing Cc: Michal Januszewski Cc: Alan Cox Signed-off-by: Florian Tobias Schandinat Signed-off-by: Greg Kroah-Hartman commit 1cb41fe7e34a43a1d27dfdb6d65699786dd44c20 Author: David Miller Date: Tue Mar 27 03:14:18 2012 -0400 perf hists: Catch and handle out-of-date hist entry maps. commit 63fa471dd49e9c9ce029d910d1024330d9b1b145 upstream. When a process exec()'s, all the maps are retired, but we keep the hist entries around which hold references to those outdated maps. If the same library gets mapped in for which we have hist entries, a new map will be created. But when we take a perf entry hit within that map, we'll find the existing hist entry with the older map. This causes symbol translations to be done incorrectly. For example, the perf entry processing will lookup the correct uptodate map entry and use that to calculate the symbol and DSO relative address. But later when we update the histogram we'll translate the address using the outdated map file instead leading to conditions such as out-of-range offsets in symbol__inc_addr_samples(). Therefore, update the map of the hist_entry dynamically at lookup/ creation time. Signed-off-by: David S. Miller Link: http://lkml.kernel.org/r/20120327.031418.1220315351537060808.davem@davemloft.net Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit b5e18d5de2900decce2dc7495d63aea27639467e Author: Stephen M. Cameron Date: Thu Mar 22 21:40:09 2012 +0100 cciss: Fix scsi tape io with more than 255 scatter gather elements commit bc67f63650fad6b3478d9ddfd5406d45a95987c9 upstream. The total number of scatter gather elements in the CISS command used by the scsi tape code was being cast to a u8, which can hold at most 255 scatter gather elements. It should have been cast to a u16. Without this patch the command gets rejected by the controller since the total scatter gather count did not add up to the right value resulting in an i/o error. Signed-off-by: Stephen M. Cameron Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b1f3e737064577e4b18c01125950be3bd6aca8af Author: Stephen M. Cameron Date: Thu Mar 22 21:40:08 2012 +0100 cciss: Initialize scsi host max_sectors for tape drive support commit 395d287526bb60411ff37b19ad9dd38b58ba8732 upstream. The default is too small (1024 blocks), use h->cciss_max_sectors (8192 blocks) Without this change, if you try to set the block size of a tape drive above 512*1024, via "mt -f /dev/st0 setblk nnn" where nnn is greater than 524288, it won't work right. Signed-off-by: Stephen M. Cameron Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4bf5f0e7b6b8f2aa203bdac834317696782978d7 Author: David S. Miller Date: Fri Apr 13 11:56:22 2012 -0700 sparc64: Fix bootup crash on sun4v. commit 9e0daff30fd7ecf698e5d20b0fa7f851e427cca5 upstream. The DS driver registers as a subsys_initcall() but this can be too early, in particular this risks registering before we've had a chance to allocate and setup module_kset in kernel/params.c which is performed also as a subsyts_initcall(). Register DS using device_initcall() insteal. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f5940f71a878f7d41541ac6350c3a72ebd5df288 Author: Paul E. McKenney Date: Fri Apr 13 03:35:13 2012 +0000 sparc64: Eliminate obsolete __handle_softirq() function commit 3d3eeb2ef26112a200785e5fca58ec58dd33bf1e upstream. The invocation of softirq is now handled by irq_exit(), so there is no need for sparc64 to invoke it on the trap-return path. In fact, doing so is a bug because if the trap occurred in the idle loop, this invocation can result in lockdep-RCU failures. The problem is that RCU ignores idle CPUs, and the sparc64 trap-return path to the softirq handlers fails to tell RCU that the CPU must be considered non-idle while those handlers are executing. This means that RCU is ignoring any RCU read-side critical sections in those handlers, which in turn means that RCU-protected data can be yanked out from under those read-side critical sections. The shiny new lockdep-RCU ability to detect RCU read-side critical sections that RCU is ignoring located this problem. The fix is straightforward: Make sparc64 stop manually invoking the softirq handlers. Reported-by: Meelis Roos Suggested-by: David Miller Signed-off-by: Paul E. McKenney Tested-by: Meelis Roos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e74711e8dcca9e5f49479c8ef1ea89698717be1e Author: Yuriy Kozlov Date: Thu Mar 29 09:55:27 2012 +0200 tty: serial: altera_uart: Check for NULL platform_data in probe. commit acede70d6561f2d042d9dbb153d9a3469479c0ed upstream. Follow altera_jtag_uart. This fixes a crash if there is a mistake in the DTS. Signed-off-by: Yuriy Kozlov Signed-off-by: Tobias Klauser Signed-off-by: Greg Kroah-Hartman commit db3c56d76ac8c7eee6c2652e056f326c699e8ce9 Author: Dan Williams Date: Fri Apr 6 11:49:50 2012 -0700 serial/8250_pci: add a "force background timer" flag and use it for the "kt" serial port commit bc02d15a3452fdf9276e8fb89c5e504a88df888a upstream. Workaround dropped notifications in the iir register. Register reads coincident with new interrupt notifications sometimes result in this device clearing the interrupt event without reporting it in the read data. The serial core already has a heuristic for determining when a device has an untrustworthy iir register. In this case when we apriori know that the iir is faulty use a flag (UPF_BUG_THRE) to bypass the test and force usage of the background timer. Acked-by: Alan Cox Reported-by: Nhan H Mai Reported-by: Sudhakar Mamillapalli Tested-by: Nhan H Mai Tested-by: Sudhakar Mamillapalli Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 450fb07050462a1b3839a7b8d301c34cc6882461 Author: Dan Williams Date: Fri Apr 6 11:49:44 2012 -0700 Revert "serial/8250_pci: setup-quirk workaround for the kt serial controller" commit 49b532f96fda23663f8be35593d1c1372c0f91e0 upstream. This reverts commit 448ac154c957c4580531fa0c8f2045816fe2f0e7. The semantic of UPF_IIR_ONCE is only guaranteed to workaround the race condition in the kt serial's iir register if the only source of interrupts is THRE (fifo-empty) events. An modem status event at the wrong time can again cause an iir read to drop the 'empty' status leading to a hang. So, revert this in preparation for using the existing "I don't trust my iir register" workaround in the 8250 core (UART_BUG_THRE). Acked-by: Alan Cox Cc: Sudhakar Mamillapalli Reported-by: Nhan H Mai Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 3271ab8ef851e0e9daf9172e9ea0e50e91ae25b4 Author: Kukjin Kim Date: Tue Apr 3 18:14:24 2012 -0700 serial: samsung: fix omission initialize ulcon in reset port fn() commit 7b246a1d0dfe75346a22bf6589b858a0389e6df1 upstream. Fix omission initialize ulcon in s3c24xx_serial_resetport(), reset port function in drivers/tty/serial/samsung.c. It has been happened from commit 0dfb3b41("serial: samsung: merge all SoC specific port reset functions") Signed-off-by: Kukjin Kim Signed-off-by: Greg Kroah-Hartman commit 1ae524187731d14da55b905fa6dbf3e975df7d99 Author: Dan Williams Date: Fri Apr 6 11:49:37 2012 -0700 Revert "serial/8250_pci: init-quirk msi support for kt serial controller" commit 3579812373aba92b2f3b632bdf99329bc3c05d62 upstream. This reverts commit e86ff4a63c9fdd875ba8492577cd1ad2252f525c. This tried to enforce the semantics of one interrupt per iir read of the THRE (transmit-hold empty) status, but events from other sources (particularly modem status) defeat this guarantee. This change also broke 8250_pci suspend/resume support as pciserial_resume_ports() re-runs .init() quirks, but does not run .exit() quirks in pciserial_suspend_ports() leading to reports like: sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:16.3/msi_irqs' ...and a subsequent crash. The mismatch of init/exit at suspend/resume seems like a bug in its own right. Acked-by: Alan Cox Cc: Sudhakar Mamillapalli Reported-by: Nhan H Mai Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 1b08b14dcb588eece73b7ee89c2dd68f5fb50998 Author: Marek Belisko Date: Thu Apr 12 21:48:03 2012 +0200 staging: iio: hmc5843: Fix crash in probe function. commit 62d2feb9803f18c4e3c8a1a2c7e30a54df8a1d72 upstream. Fix crash after issuing: echo hmc5843 0x1e > /sys/class/i2c-dev/i2c-2/device/new_device [ 37.180999] device: '2-001e': device_add [ 37.188293] bus: 'i2c': add device 2-001e [ 37.194549] PM: Adding info for i2c:2-001e [ 37.200958] bus: 'i2c': driver_probe_device: matched device 2-001e with driver hmc5843 [ 37.210815] bus: 'i2c': really_probe: probing driver hmc5843 with device 2-001e [ 37.224884] HMC5843 initialized [ 37.228759] ------------[ cut here ]------------ [ 37.233612] kernel BUG at mm/slab.c:505! [ 37.237701] Internal error: Oops - BUG: 0 [#1] PREEMPT [ 37.243103] Modules linked in: [ 37.246337] CPU: 0 Not tainted (3.3.1-gta04+ #28) [ 37.251647] PC is at kfree+0x84/0x144 [ 37.255493] LR is at kfree+0x20/0x144 [ 37.259338] pc : [] lr : [] psr: 40000093 [ 37.259368] sp : de249cd8 ip : 0000000c fp : 00000090 [ 37.271362] r10: 0000000a r9 : de229eac r8 : c0236274 [ 37.276855] r7 : c09d6490 r6 : a0000013 r5 : de229c00 r4 : de229c10 [ 37.283691] r3 : c0f00218 r2 : 00000400 r1 : c0eea000 r0 : c00b4028 [ 37.290527] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user [ 37.298095] Control: 10c5387d Table: 9e1d0019 DAC: 00000015 [ 37.304107] Process sh (pid: 91, stack limit = 0xde2482f0) [ 37.309844] Stack: (0xde249cd8 to 0xde24a000) [ 37.314422] 9cc0: de229c10 de229c00 [ 37.322998] 9ce0: de229c10 ffffffea 00000005 c0236274 de140a80 c00b4798 dec00080 de140a80 [ 37.331573] 9d00: c032f37c dec00080 000080d0 00000001 de229c00 de229c10 c048d578 00000005 [ 37.340148] 9d20: de229eac 0000000a 00000090 c032fa40 00000001 00000000 00000001 de229c10 [ 37.348724] 9d40: de229eac 00000029 c075b558 00000001 00000003 00000004 de229c10 c048d594 [ 37.357299] 9d60: 00000000 60000013 00000018 205b0007 37332020 3432322e 5d343838 c0060020 [ 37.365905] 9d80: de251600 00000001 00000000 de251600 00000001 c0065a84 de229c00 de229c48 [ 37.374481] 9da0: 00000006 0048d62c de229c38 de229c00 de229c00 de1f6c00 de1f6c20 00000001 [ 37.383056] 9dc0: 00000000 c048d62c 00000000 de229c00 de229c00 de1f6c00 de1f6c20 00000001 [ 37.391632] 9de0: 00000000 c048d62c 00000000 c0330164 00000000 de1f6c20 c048d62c de1f6c00 [ 37.400207] 9e00: c0330078 de1f6c04 c078d714 de189b58 00000000 c02ccfd8 de1f6c20 c0795f40 [ 37.408782] 9e20: c0238330 00000000 00000000 c02381a8 de1b9fc0 de1f6c20 de1f6c20 de249e48 [ 37.417358] 9e40: c0238330 c0236bb0 decdbed8 de7d0f14 de1f6c20 de1f6c20 de1f6c54 de1f6c20 [ 37.425933] 9e60: 00000000 c0238030 de1f6c20 c078d7bc de1f6c20 c02377ec de1f6c20 de1f6c28 [ 37.434509] 9e80: dee64cb0 c0236138 c047c554 de189b58 00000000 c004b45c de1f6c20 de1f6cd8 [ 37.443084] 9ea0: c0edfa6c de1f6c00 dee64c68 de1f6c04 de1f6c20 dee64cb8 c047c554 de189b58 [ 37.451690] 9ec0: 00000000 c02cd634 dee64c68 de249ef4 de23b008 dee64cb0 0000000d de23b000 [ 37.460266] 9ee0: de23b007 c02cd78c 00000002 00000000 00000000 35636d68 00333438 00000000 [ 37.468841] 9f00: 00000000 00000000 001e0000 00000000 00000000 00000000 00000000 0a10cec0 [ 37.477416] 9f20: 00000002 de249f80 0000000d dee62990 de189b40 c0234d88 0000000d c010c354 [ 37.485992] 9f40: 0000000d de210f28 000acc88 de249f80 0000000d de248000 00000000 c00b7bf8 [ 37.494567] 9f60: de210f28 000acc88 de210f28 000acc88 00000000 00000000 0000000d c00b7ed8 [ 37.503143] 9f80: 00000000 00000000 0000000d 00000000 0007fa28 0000000d 000acc88 00000004 [ 37.511718] 9fa0: c000e544 c000e380 0007fa28 0000000d 00000001 000acc88 0000000d 00000000 [ 37.520294] 9fc0: 0007fa28 0000000d 000acc88 00000004 00000001 00000020 00000002 00000000 [ 37.528869] 9fe0: 00000000 beab8624 0000ea05 b6eaebac 600d0010 00000001 00000000 00000000 [ 37.537475] [] (kfree+0x84/0x144) from [] (device_add+0x530/0x57c) [ 37.545806] [] (device_add+0x530/0x57c) from [] (iio_device_register+0x8c8/0x990) [ 37.555480] [] (iio_device_register+0x8c8/0x990) from [] (hmc5843_probe+0xec/0x114) [ 37.565338] [] (hmc5843_probe+0xec/0x114) from [] (i2c_device_probe+0xc4/0xf8) [ 37.574737] [] (i2c_device_probe+0xc4/0xf8) from [] (driver_probe_device+0x118/0x218) [ 37.584777] [] (driver_probe_device+0x118/0x218) from [] (bus_for_each_drv+0x4c/0x84) [ 37.594818] [] (bus_for_each_drv+0x4c/0x84) from [] (device_attach+0x78/0xa4) [ 37.604125] [] (device_attach+0x78/0xa4) from [] (bus_probe_device+0x28/0x9c) [ 37.613433] [] (bus_probe_device+0x28/0x9c) from [] (device_add+0x3f4/0x57c) [ 37.622650] [] (device_add+0x3f4/0x57c) from [] (i2c_new_device+0xf8/0x19c) [ 37.631805] [] (i2c_new_device+0xf8/0x19c) from [] (i2c_sysfs_new_device+0xb4/0x130) [ 37.641754] [] (i2c_sysfs_new_device+0xb4/0x130) from [] (dev_attr_store+0x18/0x24) [ 37.651611] [] (dev_attr_store+0x18/0x24) from [] (sysfs_write_file+0x10c/0x140) [ 37.661193] [] (sysfs_write_file+0x10c/0x140) from [] (vfs_write+0xb0/0x178) [ 37.670410] [] (vfs_write+0xb0/0x178) from [] (sys_write+0x3c/0x68) [ 37.678833] [] (sys_write+0x3c/0x68) from [] (ret_fast_syscall+0x0/0x3c) [ 37.687683] Code: 1593301c e5932000 e3120080 1a000000 (e7f001f2) [ 37.700775] ---[ end trace aaf805debdb69390 ]--- Client data was assigned to iio_dev structure in probe but in hmc5843_init_client function casted to private driver data structure which is wrong. Possibly calling mutex_init(&data->lock); corrupt data which the lead to above crash. Signed-off-by: Marek Belisko Acked-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0a0093a1384013532936f570da54b879570df9a6 Author: Chris Metcalf Date: Thu Apr 12 12:49:15 2012 -0700 hugetlb: fix race condition in hugetlb_fault() commit 66aebce747eaf9bc456bf1f1b217d8db843031d0 upstream. The race is as follows: Suppose a multi-threaded task forks a new process (on cpu A), thus bumping up the ref count on all the pages. While the fork is occurring (and thus we have marked all the PTEs as read-only), another thread in the original process (on cpu B) tries to write to a huge page, taking an access violation from the write-protect and calling hugetlb_cow(). Now, suppose the fork() fails. It will undo the COW and decrement the ref count on the pages, so the ref count on the huge page drops back to 1. Meanwhile hugetlb_cow() also decrements the ref count by one on the original page, since the original address space doesn't need it any more, having copied a new page to replace the original page. This leaves the ref count at zero, and when we call unlock_page(), we panic. fork on CPU A fault on CPU B ============= ============== ... down_write(&parent->mmap_sem); down_write_nested(&child->mmap_sem); ... while duplicating vmas if error break; ... up_write(&child->mmap_sem); up_write(&parent->mmap_sem); ... down_read(&parent->mmap_sem); ... lock_page(page); handle COW page_mapcount(old_page) == 2 alloc and prepare new_page ... handle error page_remove_rmap(page); put_page(page); ... fold new_page into pte page_remove_rmap(page); put_page(page); ... oops ==> unlock_page(page); up_read(&parent->mmap_sem); The solution is to take an extra reference to the page while we are holding the lock on it. Signed-off-by: Chris Metcalf Cc: Hillf Danton Cc: Michal Hocko Cc: KAMEZAWA Hiroyuki Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit eeb1784dbbf952145fc953cc7f3063a2c480d4f2 Author: Linus Walleij Date: Thu Apr 12 12:49:16 2012 -0700 drivers/rtc/rtc-pl031.c: enable clock on all ST variants commit 2f3972168353d355854d6381f1f360ce83b723e5 upstream. The ST variants of the PL031 all require bit 26 in the control register to be set before they work properly. Discovered this when testing on the Nomadik board where it would suprisingly just stand still. Signed-off-by: Linus Walleij Cc: Mian Yousaf Kaukab Cc: Alessandro Rubini Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e8514a06812f2fb3409d52fa604a2a340b0a1720 Author: Jason Wessel Date: Thu Apr 12 12:49:17 2012 -0700 panic: fix stack dump print on direct call to panic() commit 026ee1f66aaa7f01b617a0ba89ac4b531f9603f1 upstream. Commit 6e6f0a1f0fa6 ("panic: don't print redundant backtraces on oops") causes a regression where no stack trace will be printed at all for the case where kernel code calls panic() directly while not processing an oops, and of course there are 100's of instances of this type of call. The original commit executed the check (!oops_in_progress), but this will always be false because just before the dump_stack() there is a call to bust_spinlocks(1), which does the following: void __attribute__((weak)) bust_spinlocks(int yes) { if (yes) { ++oops_in_progress; The proper way to resolve the problem that original commit tried to solve is to avoid printing a stack dump from panic() when the either of the following conditions is true: 1) TAINT_DIE has been set (this is done by oops_end()) This indicates and oops has already been printed. 2) oops_in_progress > 1 This guards against the rare case where panic() is invoked a second time, or in between oops_begin() and oops_end() Signed-off-by: Jason Wessel Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6295ae34d2b032c25566e5f3fbc211f9db5126ac Author: Luck, Tony Date: Mon Apr 16 16:28:01 2012 -0700 ia64: fix futex_atomic_cmpxchg_inatomic() commit c76f39bddb84f93f70a5520d9253ec0317bec216 upstream. Michel Lespinasse cleaned up the futex calling conventions in commit 37a9d912b24f ("futex: Sanitize cmpxchg_futex_value_locked API"). But the ia64 implementation was subtly broken. Gcc does not know that register "r8" will be updated by the fault handler if the cmpxchg instruction takes an exception. So it feels safe in letting the initialization of r8 slide to after the cmpxchg. Result: we always return 0 whether the user address faulted or not. Fix by moving the initialization of r8 into the __asm__ code so gcc won't move it. Reported-by: Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=42757 Tested-by: Acked-by: Michel Lespinasse Signed-off-by: Tony Luck Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ca04d1326cbb108a54da7509efa465be72d08196 Author: Theodore Ts'o Date: Mon Apr 16 12:16:20 2012 -0400 ext4: address scalability issue by removing extent cache statistics commit 9cd70b347e9761ea2d2ac3d758c529a48a8193e6 upstream. Andi Kleen and Tim Chen have reported that under certain circumstances the extent cache statistics are causing scalability problems due to cache line bounces. Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 0812bb9ffc89ca0f42f8a3b5111a202dff19f7e5 Author: Takashi Iwai Date: Thu Apr 12 08:00:19 2012 +0200 ALSA: hda/realtek - Add a fixup entry for Acer Aspire 8940G commit fe97da1f7001ca0f572358462606eb3d1bde3f23 upstream. It's compatible with 8930G. Using the same fixup gives the proper 5.1 sound back. Reported-and-tested-by: Dany Martineau Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bfe050c8857bbc0cd6832c8bf978422573c439f5 Author: Chris Mason Date: Thu Apr 12 13:46:48 2012 -0400 Revert "Btrfs: increase the global block reserve estimates" commit 8e62c2de6e23e5c1fee04f59de51b54cc2868ca5 upstream. This reverts commit 5500cdbe14d7435e04f66ff3cfb8ecd8b8e44ebf. We've had a number of complaints of early enospc that bisect down to this patch. We'll hae to fix the reservations differently. Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 7cb14d84e9e4afbb1547969b923640f39eb1db84 Author: Andre Guedes Date: Fri Jan 27 19:42:03 2012 -0300 Bluetooth: Remove unneeded locking commit e72acc13c770a82b4ce4a07e9716f29320eae0f8 upstream. We don't need locking hdev in hci_conn_timeout() since it doesn't access any hdev's shared resources, it basically queues HCI commands. Signed-off-by: Andre Guedes Signed-off-by: Vinicius Costa Gomes Reviewed-by: Ulisses Furquim Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg Tested-by: Alexander Holler [reported to fix lockups on battery-powered bluetooth devices - gregkh] Signed-off-by: Greg Kroah-Hartman commit 5993a671e7146b0ab49b901588be0cb128b26431 Author: Johan Hovold Date: Thu Mar 15 14:48:41 2012 +0100 Bluetooth: hci_core: fix NULL-pointer dereference at unregister commit 94324962066231a938564bebad0f941cd2d06bb2 upstream. Make sure hci_dev_open returns immediately if hci_dev_unregister has been called. This fixes a race between hci_dev_open and hci_dev_unregister which can lead to a NULL-pointer dereference. Bug is 100% reproducible using hciattach and a disconnected serial port: 0. # hciattach -n /dev/ttyO1 any noflow 1. hci_dev_open called from hci_power_on grabs req lock 2. hci_init_req executes but device fails to initialise (times out eventually) 3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock 4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in hci_dev_do_close 5. hci_dev_open (1) releases req lock 6. hci_dev_do_close grabs req lock and returns as device is not up 7. hci_dev_unregister sleeps in destroy_workqueue 8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps 9. hci_dev_unregister finishes, while hci_dev_open is still running... [ 79.627136] INFO: trying to register non-static key. [ 79.632354] the code is fine but needs lockdep annotation. [ 79.638122] turning off the locking correctness validator. [ 79.643920] [] (unwind_backtrace+0x0/0xf8) from [] (__lock_acquire+0x1590/0x1ab0) [ 79.653594] [] (__lock_acquire+0x1590/0x1ab0) from [] (lock_acquire+0x9c/0x128) [ 79.663085] [] (lock_acquire+0x9c/0x128) from [] (run_timer_softirq+0x150/0x3ac) [ 79.672668] [] (run_timer_softirq+0x150/0x3ac) from [] (__do_softirq+0xd4/0x22c) [ 79.682281] [] (__do_softirq+0xd4/0x22c) from [] (irq_exit+0x8c/0x94) [ 79.690856] [] (irq_exit+0x8c/0x94) from [] (handle_IRQ+0x34/0x84) [ 79.699157] [] (handle_IRQ+0x34/0x84) from [] (omap3_intc_handle_irq+0x48/0x4c) [ 79.708648] [] (omap3_intc_handle_irq+0x48/0x4c) from [] (__irq_usr+0x3c/0x60) [ 79.718048] Exception stack(0xcf281fb0 to 0xcf281ff8) [ 79.723358] 1fa0: 0001e6a0 be8dab00 0001e698 00036698 [ 79.731933] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000 [ 79.740509] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff [ 79.747497] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 79.756011] pgd = cf3b4000 [ 79.758850] [00000000] *pgd=8f0c7831, *pte=00000000, *ppte=00000000 [ 79.765502] Internal error: Oops: 80000007 [#1] [ 79.770294] Modules linked in: [ 79.773529] CPU: 0 Tainted: G W (3.3.0-rc6-00002-gb5d5c87 #421) [ 79.781066] PC is at 0x0 [ 79.783721] LR is at run_timer_softirq+0x16c/0x3ac [ 79.788787] pc : [<00000000>] lr : [] psr: 60000113 [ 79.788787] sp : cf281ee0 ip : 00000000 fp : cf280000 [ 79.800903] r10: 00000004 r9 : 00000100 r8 : b6f234d0 [ 79.806427] r7 : c0519c28 r6 : cf093488 r5 : c0561a00 r4 : 00000000 [ 79.813323] r3 : 00000000 r2 : c054eee0 r1 : 00000001 r0 : 00000000 [ 79.820190] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 79.827728] Control: 10c5387d Table: 8f3b4019 DAC: 00000015 [ 79.833801] Process gpsd (pid: 1265, stack limit = 0xcf2802e8) [ 79.839965] Stack: (0xcf281ee0 to 0xcf282000) [ 79.844573] 1ee0: 00000002 00000000 c0040a24 00000000 00000002 cf281f08 00200200 00000000 [ 79.853210] 1f00: 00000000 cf281f18 cf281f08 00000000 00000000 00000000 cf281f18 cf281f18 [ 79.861816] 1f20: 00000000 00000001 c056184c 00000000 00000001 b6f234d0 c0561848 00000004 [ 79.870452] 1f40: cf280000 c003a3b8 c051e79c 00000001 00000000 00000100 3fa9e7b8 0000000a [ 79.879089] 1f60: 00000025 cf280000 00000025 00000000 00000000 b6f234d0 00000000 00000004 [ 79.887756] 1f80: 00000000 c003a924 c053ad38 c0013a50 fa200000 cf281fb0 ffffffff c0008530 [ 79.896362] 1fa0: 0001e6a0 0000aab8 80000010 c037499c 0001e6a0 be8dab00 0001e698 00036698 [ 79.904998] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000 [ 79.913665] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff 00fbf700 04ffff00 [ 79.922302] [] (run_timer_softirq+0x16c/0x3ac) from [] (__do_softirq+0xd4/0x22c) [ 79.931945] [] (__do_softirq+0xd4/0x22c) from [] (irq_exit+0x8c/0x94) [ 79.940582] [] (irq_exit+0x8c/0x94) from [] (handle_IRQ+0x34/0x84) [ 79.948913] [] (handle_IRQ+0x34/0x84) from [] (omap3_intc_handle_irq+0x48/0x4c) [ 79.958404] [] (omap3_intc_handle_irq+0x48/0x4c) from [] (__irq_usr+0x3c/0x60) [ 79.967773] Exception stack(0xcf281fb0 to 0xcf281ff8) [ 79.973083] 1fa0: 0001e6a0 be8dab00 0001e698 00036698 [ 79.981658] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000 [ 79.990234] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff [ 79.997161] Code: bad PC value [ 80.000396] ---[ end trace 6f6739840475f9ee ]--- [ 80.005279] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: Johan Hovold Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Greg Kroah-Hartman commit 1f524bfbd5f8269ccc9eb574da90fea65c5b7f53 Author: Johan Hovold Date: Thu Mar 15 14:48:40 2012 +0100 Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close commit 33b69bf80a3704d45341928e4ff68b6ebd470686 upstream. Do not close protocol driver until device has been unregistered. This fixes a race between tty_close and hci_dev_open which can result in a NULL-pointer dereference. The line discipline closes the protocol driver while we may still have hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer dereference when lock is acquired and hci_init_req called. Bug is 100% reproducible using hciattach and a disconnected serial port: 0. # hciattach -n ttyO1 any noflow 1. hci_dev_open called from hci_power_on grabs req lock 2. hci_init_req executes but device fails to initialise (times out eventually) 3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock 4. hci_uart_tty_close detaches protocol driver and cancels init req 5. hci_dev_open (1) releases req lock 6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops when request is prepared in hci_uart_send_frame [ 137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028 [ 137.209838] pgd = c0004000 [ 137.212677] [00000028] *pgd=00000000 [ 137.216430] Internal error: Oops: 17 [#1] [ 137.220642] Modules linked in: [ 137.223846] CPU: 0 Tainted: G W (3.3.0-rc6-dirty #406) [ 137.230529] PC is at __lock_acquire+0x5c/0x1ab0 [ 137.235290] LR is at lock_acquire+0x9c/0x128 [ 137.239776] pc : [] lr : [] psr: 20000093 [ 137.239776] sp : cf869dd8 ip : c0529554 fp : c051c730 [ 137.251800] r10: 00000000 r9 : cf8673c0 r8 : 00000080 [ 137.257293] r7 : 00000028 r6 : 00000002 r5 : 00000000 r4 : c053fd70 [ 137.264129] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000001 [ 137.270965] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel [ 137.278717] Control: 10c5387d Table: 8f0f4019 DAC: 00000015 [ 137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8) [ 137.291229] Stack: (0xcf869dd8 to 0xcf86a000) [ 137.295776] 9dc0: c0529554 00000000 [ 137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002 [ 137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001 [ 137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000 [ 137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080 [ 137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c [ 137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000 [ 137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540 [ 137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80 [ 137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec [ 137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc [ 137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000 [ 137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740 [ 137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac [ 137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000 [ 137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000 [ 137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4 [ 137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00 [ 137.450164] [] (__lock_acquire+0x5c/0x1ab0) from [] (lock_acquire+0x9c/0x128) [ 137.459503] [] (lock_acquire+0x9c/0x128) from [] (_raw_spin_lock_irqsave+0x44/0x58) [ 137.469360] [] (_raw_spin_lock_irqsave+0x44/0x58) from [] (skb_queue_tail+0x18/0x48) [ 137.479339] [] (skb_queue_tail+0x18/0x48) from [] (h4_enqueue+0x2c/0x34) [ 137.488189] [] (h4_enqueue+0x2c/0x34) from [] (hci_uart_send_frame+0x34/0x68) [ 137.497497] [] (hci_uart_send_frame+0x34/0x68) from [] (hci_send_frame+0x50/0x88) [ 137.507171] [] (hci_send_frame+0x50/0x88) from [] (hci_cmd_work+0x74/0xd4) [ 137.516204] [] (hci_cmd_work+0x74/0xd4) from [] (process_one_work+0x1a0/0x4ec) [ 137.525604] [] (process_one_work+0x1a0/0x4ec) from [] (worker_thread+0x154/0x344) [ 137.535278] [] (worker_thread+0x154/0x344) from [] (kthread+0x84/0x90) [ 137.543975] [] (kthread+0x84/0x90) from [] (kernel_thread_exit+0x0/0x8) [ 137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000) [ 137.559234] ---[ end trace 1b75b31a2719ed1e ]--- Signed-off-by: Johan Hovold Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Greg Kroah-Hartman commit a685c8da13ae4890e21c6d6b0cb4d9745044724d Author: Johan Hovold Date: Wed Apr 11 11:24:35 2012 +0200 Bluetooth: uart-ldisc: Fix memory leak This is a partial, self-contained, minimal backport of commit 797fe796c4335b35d95d5326824513befdb5d1e9 upstream which fixes the memory leak: Bluetooth: uart-ldisc: Fix memory leak and remove destruct cb We currently leak the hci_uart object if HCI_UART_PROTO_SET is never set because the hci-destruct callback will then never be called. This fix removes the hci-destruct callback and frees the driver internal private hci_uart object directly on tty-close. We call hci_unregister_dev() here so the hci-core will never call our callbacks again (except destruct). Therefore, we can safely free the driver internal data right away and set the destruct callback to NULL. Signed-off-by: David Herrmann Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 18d72b3c0b16b96f722f5293848369ae9eb65116 Author: NeilBrown Date: Thu Apr 12 16:05:06 2012 +1000 md/bitmap: prevent bitmap_daemon_work running while initialising bitmap commit afbaa90b80b1ec66e5137cc3824746bfdf559b18 upstream. If a bitmap is added while the array is active, it is possible for bitmap_daemon_work to run while the bitmap is being initialised. This is particularly a problem if bitmap_daemon_work sees bitmap->filemap as non-NULL before it has been filled in properly. So hold bitmap_info.mutex while filling in ->filemap to prevent problems. This patch is suitable for any -stable kernel, though it might not apply cleanly before about 3.1. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 128b61db6e0319afffe5e3c87a36d27e71cd0d4d Author: majianpeng Date: Thu Apr 12 16:04:47 2012 +1000 md/raid1,raid10: Fix calculation of 'vcnt' when processing error recovery. commit f4380a915823dbed0bf8e3cf502ebcf2b7c7f833 upstream. If r1bio->sectors % 8 != 0,then the memcmp and a later memcpy will omit the last bio_vec. This is suitable for any stable kernel since 3.1 when bad-block management was introduced. Signed-off-by: majianpeng Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 3bb3d575767c0e0978a079ce3765607b95ad2ce2 Author: Jonathan Austin Date: Thu Apr 12 17:45:25 2012 +0100 ARM: 7384/1: ThumbEE: Disable userspace TEEHBR access for !CONFIG_ARM_THUMBEE commit 078c04545ba56da21567728a909a496df5ff730d upstream. Currently when ThumbEE is not enabled (!CONFIG_ARM_THUMBEE) the ThumbEE register states are not saved/restored at context switch. The default state of the ThumbEE Ctrl register (TEECR) allows userspace accesses to the ThumbEE Base Handler register (TEEHBR). This can cause unexpected behaviour when people use ThumbEE on !CONFIG_ARM_THUMBEE kernels, as well as allowing covert communication - eg between userspace tasks running inside chroot jails. This patch sets up TEECR in order to prevent user-space access to TEEHBR when !CONFIG_ARM_THUMBEE. In this case, tasks are sent SIGILL if they try to access TEEHBR. Reviewed-by: Will Deacon Signed-off-by: Jonathan Austin Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 464070635ea618d01561be929bebd6a88aedf0ae Author: Marc Zyngier Date: Wed Apr 11 14:52:55 2012 +0100 ARM: 7379/1: DT: fix atags_to_fdt() second call site commit 9c5fd9e85f574d9d0361b2b878f55732290afe5b upstream. atags_to_fdt() returns 1 when it fails to find a valid FDT signature. The CONFIG_ARM_ATAG_DTB_COMPAT code is supposed to retry with another location, but only does so when the initial call doesn't fail. Fix this by using the correct condition in the assembly code. Acked-by: Nicolas Pitre Signed-off-by: Marc Zyngier Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 6bc39a3bf99f91ce15dd676765d30a1fd2d5dab2 Author: Larry Finger Date: Mon Mar 26 10:48:20 2012 -0500 rtlwifi: Add missing DMA buffer unmapping for PCI drivers commit 673f7786e205c87b5d978c62827b9a66d097bebb upstream. In https://bugzilla.kernel.org/show_bug.cgi?id=42976, a system with driver rtl8192se used as an AP suffers from "Out of SW-IOMMU space" errors. These are caused by the DMA buffers used for beacons never being unmapped. This bug was also reported at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/961618 Reported-and-Tested-by: Da Xue Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ed63f0fb7775311d675b13606affffae4d094281 Author: Larry Finger Date: Mon Mar 19 15:44:31 2012 -0500 rtlwifi: Preallocate USB read buffers and eliminate kalloc in read routine commit a7959c1394d4126a70a53b914ce4105f5173d0aa upstream. The current version of rtlwifi for USB operations uses kmalloc to acquire a 32-bit buffer for each read of the device. When _usb_read_sync() is called with the rcu_lock held, the result is a "sleeping function called from invalid context" BUG. This is reported for two cases in https://bugzilla.kernel.org/show_bug.cgi?id=42775. The first case has the lock originating from within rtlwifi and could be fixed by rearranging the locking; however, the second originates from within mac80211. The kmalloc() call is removed from _usb_read_sync() by creating a ring buffer pointer in the private area and allocating the buffer data in the probe routine. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c30ba23cbb70c00e621ca731fec17ccc01035384 Author: Jesse Barnes Date: Wed Apr 11 09:39:02 2012 -0700 drm/i915: make rc6 module parameter read-only commit f57f9c167af7cb3fd315e6a8ebe194a8aea0832a upstream. People have been getting confused and thinking this is a runtime control. Signed-off-by: Jesse Barnes Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 4676d19c7a9244f7214d471fc69b77a3d89517d4 Author: Daniel Vetter Date: Tue Apr 10 10:42:36 2012 +0200 drm/i915: properly compute dp dithering for user-created modes commit c4867936474183332db4c19791a65fdad6474fd5 upstream. We've only computed whether we need to fall back to 6bpc due to dp link bandwidth constrains in mode_valid, but not mode_fixup. Under various circumstances X likes to create new modes which then lack proper 6bpc flags (if required), resulting in mode_fixup failures and ultimately black screens. Chris Wilson pointed out that we still get things wrong for bpp > 24, but that should be fixed in another patch (and it'll be easier because this patch consolidates the logic). The likely culprit for this regression is commit 3d794f87238f74d80e78a7611c7fbde8a54c85c2 Author: Keith Packard Date: Wed Jan 25 08:16:25 2012 -0800 drm/i915: Force explicit bpp selection for intel_dp_link_required v2: Fix indentation and tune down the too bold claim that this should fix the world. Both noticed by Chris Wilson. v3: Try to really git add things. Reported-and-tested-by: Brice Goglin Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=48170 Cc: stable@kernel.org Reviewed-by: Adam Jackson Signed-Off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 1697aeaf437074246c3ff88300c071448a6ff58e Author: Alex Deucher Date: Tue Apr 10 12:14:27 2012 -0400 drm/radeon: only add the mm i2c bus if the hw_i2c module param is set commit 46783150a6552f9513f08e62cfcc07125d6e502b upstream. It seems it can corrupt the monitor EDID in certain cases on certain boards when running sensors detect. It's rarely used anyway outside of AIW boards. http://lists.lm-sensors.org/pipermail/lm-sensors/2012-April/035847.html http://lists.freedesktop.org/archives/xorg/2011-January/052239.html Signed-off-by: Alex Deucher Acked-by: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 9e4565b215841e6b2596b35a2c0c632a6122f86d Author: Chris Wilson Date: Mon Apr 9 13:59:46 2012 +0100 drm/i915/ringbuffer: Exclude last 2 cachlines of ring on 845g commit 27c1cbd06a7620b354cbb363834f3bb8df4f410d upstream. The 845g shares the errata with i830 whereby executing a command within 2 cachelines of the end of the ringbuffer may cause a GPU hang. Signed-off-by: Chris Wilson Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 797af97b05ee50f8a25432e66f981a3fe11d80f0 Author: acreese Date: Wed Apr 4 16:22:32 2012 -0700 drm/i915: Removed IVB forced enable of sprite dest key. commit b2a71642b8bfa1965700ba248a99016e4d6b685d upstream. The destination color key is always enabled for IVB. Removed the line that does this. Signed-off-by: Armin Reese Acked-by: Jesse Barnes Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 9285285e7bdd4a151576acdb433618950ab7a327 Author: Alex Deucher Date: Tue Apr 3 17:05:41 2012 -0400 drm/radeon/kms: fix DVO setup on some r4xx chips commit afceb9319f21b18ee3bc15ee9a5f92e18ef8a8c9 upstream. Some r4xx chips have the wrong frev in the DVOEncoderControl table. It should always be 1 on r4xx. Fixes modesetting on DVO on r4xx chips with the bad frev. Reported by twied on #radeon. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 1048aff3edf4969a6b215503e22ee667de386a83 Author: Jan Schmidt Date: Fri Mar 23 17:32:28 2012 +0100 Btrfs: fix regression in scrub path resolving commit 7a3ae2f8c8c8432e65467b7fc84d5deab04061a0 upstream. In commit 4692cf58 we introduced new backref walking code for btrfs. This assumes we're searching live roots, which requires a transaction context. While scrubbing, however, we must not join a transaction because this could deadlock with the commit path. Additionally, what scrub really wants to do is resolving a logical address in the commit root it's currently checking. This patch adds support for logical to path resolving on commit roots and makes scrub use that. Signed-off-by: Jan Schmidt Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman