Commits on Oct 7, 2012
  1. @gregkh

    Linux 3.0.45

    gregkh committed Oct 7, 2012
  2. @bvanassche @gregkh

    SCSI: scsi_dh_alua: Enable STPG for unavailable ports

    commit e47f897 upstream.
    A quote from SPC-4: "While in the unavailable primary target port
    asymmetric access state, the device server shall support those of
    the following commands that it supports while in the active/optimized
    state: [ ... ] d) SET TARGET PORT GROUPS; [ ... ]". Hence enable
    sending STPG to a target port group that is in the unavailable state.
    Signed-off-by: Bart Van Assche <>
    Reviewed-by: Mike Christie <>
    Acked-by: Hannes Reinecke <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    bvanassche committed with gregkh Aug 24, 2012
  3. @gregkh

    SCSI: scsi_remove_target: fix softlockup regression on hot remove

    commit bc3f02a upstream.
    John reports:
     BUG: soft lockup - CPU#2 stuck for 23s! [kworker/u:8:2202]
     Call Trace:
      [<ffffffff8141782a>] scsi_remove_target+0xda/0x1f0
      [<ffffffff81421de5>] sas_rphy_remove+0x55/0x60
      [<ffffffff81421e01>] sas_rphy_delete+0x11/0x20
      [<ffffffff81421e35>] sas_port_delete+0x25/0x160
      [<ffffffff814549a3>] mptsas_del_end_device+0x183/0x270
    ...introduced by commit 3b661a9 "[SCSI] fix hot unplug vs async scan race".
    Don't restart lookup of more stargets in the multi-target case, just
    arrange to traverse the list once, on the assumption that new targets
    are always added at the end.  There is no guarantee that the target will
    change state in scsi_target_reap() so we can end up spinning if we
    Acked-by: Jack Wang <>
    LKML-Reference: <>
    Reported-by: John Drescher <>
    Tested-by: John Drescher <>
    Signed-off-by: Dan Williams <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Dan Williams committed with gregkh Aug 28, 2012
  4. @gregkh

    PCI: honor child buses add_size in hot plug configuration

    commit be76891 upstream.
    git commit c8adf9a
        "PCI: pre-allocate additional resources to devices only after
    	successful allocation of essential resources."
    fails to take into consideration the optional-resources needed by children
    devices while calculating the optional-resource needed by the bridge.
    This can be a problem on some setup. For example, if a hotplug bridge has 8
    children hotplug bridges, the bridge should have enough resources to accomodate
    the hotplug requirements for each of its children hotplug bridges.  Currently
    this is not the case.
    This patch fixes the problem.
    Signed-off-by: Yinghai Lu <>
    Reviewed-by: Ram Pai <>
    Signed-off-by: Jesse Barnes <>
    Cc: Andrew Worsley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Yinghai Lu committed with gregkh Jul 25, 2011
  5. @gregkh

    x86/alternatives: Fix p6 nops on non-modular kernels

    commit cb09cad upstream.
    Probably a leftover from the early days of self-patching, p6nops
    are marked __initconst_or_module, which causes them to be
    discarded in a non-modular kernel.  If something later triggers
    patching, it will overwrite kernel code with garbage.
    Reported-by: Tomas Racek <>
    Signed-off-by: Avi Kivity <>
    Cc: Michael Tokarev <>
    Cc: Borislav Petkov <>
    Cc: Marcelo Tosatti <>
    Cc: Anthony Liguori <>
    Cc: H. Peter Anvin <>
    Cc: Alan Cox <>
    Cc: Alan Cox <>
    Signed-off-by: Ingo Molnar <>
    Cc: Ben Jencks <>
    Signed-off-by: Greg Kroah-Hartman <>
    Avi Kivity committed with gregkh Aug 22, 2012
  6. @djbw @gregkh

    isci: fix isci_pci_probe() generates warning on efi failure path

    commit 6d70a74 upstream.
    The oem parameter image embedded in the efi variable is at an offset
    from the start of the variable.  However, in the failure path we try to
    free the 'orom' pointer which is only valid when the paramaters are
    being read from the legacy option-rom space.
    Since failure to load the oem parameters is unlikely and we keep the
    memory around in the success case just defer all de-allocation to devm.
    Reported-by: Don Morris <>
    Signed-off-by: Dan Williams <>
    Signed-off-by: Greg Kroah-Hartman <>
    djbw committed with gregkh Jun 22, 2012
  7. @bvanassche @gregkh

    IB/srp: Avoid having aborted requests hang

    commit d853667 upstream.
    We need to call scsi_done() for commands after we abort them.
    Signed-off-by: Bart Van Assche <>
    Acked-by: David Dillow <>
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Greg Kroah-Hartman <>
    bvanassche committed with gregkh Aug 24, 2012
  8. @bvanassche @gregkh

    IB/srp: Fix use-after-free in srp_reset_req()

    commit 9b796d0 upstream.
    srp_free_req() uses the scsi_cmnd structure contents to unmap
    buffers, so we must invoke srp_free_req() before we release
    ownership of that structure.
    Signed-off-by: Bart Van Assche <>
    Acked-by: David Dillow <>
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Greg Kroah-Hartman <>
    bvanassche committed with gregkh Aug 24, 2012
  9. @kaber @gregkh

    IPoIB: Fix use-after-free of multicast object

    commit bea1e22 upstream.
    Fix a crash in ipoib_mcast_join_task().  (with help from Or Gerlitz)
    Commit c8c2afe ("IPoIB: Use rtnl lock/unlock when changing device
    flags") added a call to rtnl_lock() in ipoib_mcast_join_task(), which
    is run from the ipoib_workqueue, and hence the workqueue can't be
    flushed from the context of ipoib_stop().
    In the current code, ipoib_stop() (which doesn't flush the workqueue)
    calls ipoib_mcast_dev_flush(), which goes and deletes all the
    multicast entries.  This takes place without any synchronization with
    a possible running instance of ipoib_mcast_join_task() for the same
    ipoib device, leading to a crash due to NULL pointer dereference.
    Fix this by making sure that the workqueue is flushed before
    ipoib_mcast_dev_flush() is called.  To make that possible, we move the
    RTNL-lock wrapped code to ipoib_mcast_join_finish().
    Signed-off-by: Patrick McHardy <>
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Greg Kroah-Hartman <>
    kaber committed with gregkh Aug 30, 2012
  10. @gregkh

    can: mscan-mpc5xxx: fix return value check in mpc512x_can_get_clock()

    commit f61bd05 upstream.
    In case of error, the function clk_get() returns ERR_PTR()
    and never returns NULL pointer. The NULL test in the error
    handling should be replaced with IS_ERR().
    dpatch engine is used to auto generated this patch.
    Signed-off-by: Wei Yongjun <>
    Acked-by: Wolfgang Grandegger <>
    Signed-off-by: Marc Kleine-Budde <>
    Signed-off-by: Greg Kroah-Hartman <>
    Wei Yongjun committed with gregkh Sep 21, 2012
  11. @smcameron @gregkh

    SCSI: hpsa: Use LUN reset instead of target reset

    commit 21e89af upstream.
    It turns out Smart Array logical drives do not support target
    reset and when the target reset fails, the logical drive will
    be taken off line.  Symptoms look like this:
    hpsa 0000:03:00.0: Abort request on C1:B0:T0:L0
    hpsa 0000:03:00.0: resetting device 1:0:0:0
    hpsa 0000:03:00.0: cp ffff880037c56000 is reported invalid (probably means target device no longer present)
    hpsa 0000:03:00.0: resetting device failed.
    sd 1:0:0:0: Device offlined - not ready after error recovery
    sd 1:0:0:0: rejecting I/O to offline device
    EXT3-fs error (device sdb1): read_block_bitmap:
    LUN reset is supported though, and is what we should be using.
    Target reset is also disruptive in shared SAS situations,
    for example, an external MSA1210m which does support target
    reset attached to Smart Arrays in multiple hosts -- a target
    reset from one host is disruptive to other hosts as all LUNs
    on the target will be reset and will abort all outstanding i/os
    back to all the attached hosts.  So we should use LUN reset,
    not target reset.
    Tested this with Smart Array logical drives and with tape drives.
    Not sure how this bug survived since 2009, except it must be very
    rare for a Smart Array to require more than 30s to complete a request.
    Signed-off-by: Stephen M. Cameron <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    smcameron committed with gregkh Jul 26, 2012
  12. @ozbenh @gregkh

    SCSI: ibmvscsi: Fix host config length field overflow

    commit 225c569 upstream.
    The length field in the host config packet is only 16-bit long, so
    passing it 0x10000 (64K which is our standard PAGE_SIZE) doesn't
    work and result in an empty config from the server.
    Signed-off-by: Benjamin Herrenschmidt <>
    Acked-by: Robert Jennings <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    ozbenh committed with gregkh Jul 30, 2012
  13. @dedekind @gregkh

    UBI: fix autoresize handling in R/O mode

    commit abb3e01 upstream.
    Currently UBI fails in autoresize when it is in R/O mode (e.g., because the
    underlying MTD device is R/O). This patch fixes the issue - we just skip
    autoresize and print a warning.
    Reported-by: Pali Rohár <>
    Signed-off-by: Artem Bityutskiy <>
    Signed-off-by: Greg Kroah-Hartman <>
    dedekind committed with gregkh Aug 18, 2012
  14. @gregkh

    n_gsm: memory leak in uplink error path

    commit 88ed2a6 upstream.
    Uplink (TX) network data will go through gsm_dlci_data_output_framed
    there is a bug where if memory allocation fails, the skb which
    has already been pulled off the list will be lost.
    In addition TX skbs were being processed in LIFO order
    Fixed the memory leak, and changed to FIFO order processing
    Signed-off-by: Russ Gorby <>
    Tested-by: Kappel, LaurentX <>
    Signed-off-by: Alan Cox <>
    Signed-off-by: Greg Kroah-Hartman <>
    Russ Gorby committed with gregkh Aug 13, 2012
  15. @spang-chromium @gregkh

    Increase XHCI suspend timeout to 16ms

    commit a6e097d upstream.
    The Intel XHCI specification says that after clearing the run/stop bit
    the controller may take up to 16ms to halt. We've seen a device take
    14ms, which with the current timeout of 10ms causes the kernel to
    abort the suspend. Increasing the timeout to the recommended value
    fixes the problem.
    This patch should be backported to kernels as old as 2.6.37, that
    contain the commit 5535b1d "USB: xHCI:
    PCI power management implementation".
    Signed-off-by: Michael Spang <>
    Signed-off-by: Sarah Sharp <>
    Signed-off-by: Greg Kroah-Hartman <>
    spang-chromium committed with gregkh Sep 14, 2012
  16. @gregkh

    coredump: prevent double-free on an error path in core dumper

    commit f34f9d1 upstream.
    In !CORE_DUMP_USE_REGSET case, if elf_note_info_init fails to allocate
    memory for info->fields, it frees already allocated stuff and returns
    error to its caller, fill_note_info.  Which in turn returns error to its
    caller, elf_core_dump.  Which jumps to cleanup label and calls
    free_note_info, which will happily try to free all info->fields again.
    This is the fix.
    Signed-off-by: Oleg Nesterov <>
    Signed-off-by: Denys Vlasenko <>
    Cc: Venu Byravarasu <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Greg Kroah-Hartman <>
    Denys Vlasenko committed with gregkh Sep 26, 2012
  17. @gregkh

    n_gsm: added interlocking for gsm_data_lock for certain code paths

    commit 5e44708 upstream.
    There were some locking holes in the management of the MUX's
    message queue for 2 code paths:
    1) gsmld_write_wakeup
    2) receipt of CMD_FCON flow-control message
    In both cases gsm_data_kick is called w/o locking so it can collide
    with other other instances of gsm_data_kick (pulling messages tx_tail)
    or potentially other instances of __gsm_data_queu (adding messages to tx_head)
    Changed to take the tx_lock in these 2 cases
    Signed-off-by: Russ Gorby <>
    Tested-by: Yin, Fengwei <>
    Signed-off-by: Alan Cox <>
    Signed-off-by: Greg Kroah-Hartman <>
    Russ Gorby committed with gregkh Aug 13, 2012
  18. @gregkh

    xhci: Intel Panther Point BEI quirk.

    commit 80fab3b upstream.
    When a device with an isochronous endpoint is behind a hub plugged into
    the Intel Panther Point xHCI host controller, and the driver submits
    multiple frames per URB, the xHCI driver will set the Block Event
    Interrupt (BEI) flag on all but the last TD for the URB.  This causes
    the host controller to place an event on the event ring, but not send an
    interrupt.  When the last TD for the URB completes, BEI is cleared, and
    we get an interrupt for the whole URB.
    However, under a Panther Point xHCI host controller, if the parent hub
    is unplugged when one or more events from transfers with BEI set are on
    the event ring, a port status change event is placed on the event ring,
    but no interrupt is generated.  This means URBs stop completing, and the
    USB device disconnect is not noticed.  Something like a USB headset will
    cause mplayer to hang when the device is disconnected.
    If another transfer is sent (such as running `sudo lsusb -v`), the next
    transfer event seems to "unstick" the event ring, the xHCI driver gets
    an interrupt, and the disconnect is reported to the USB core.
    The fix is not to use the BEI flag under the Panther Point xHCI host.
    This will impact power consumption and system responsiveness, because
    the xHCI driver will receive an interrupt for every frame in all
    isochronous URBs instead of once per URB.
    Intel chipset developers confirm that this bug will be hit if the BEI
    flag is used on any endpoint, not just ones that are behind a hub.
    This patch should be backported to kernels as old as 3.0, that contain
    the commit 69e848c "Intel xhci: Support
    EHCI/xHCI port switching."
    Signed-off-by: Sarah Sharp <>
    Signed-off-by: Greg Kroah-Hartman <>
    Sarah Sharp committed with gregkh Sep 19, 2012
  19. @gregkh

    firmware: Add missing attributes to EFI variable attribute print out …

    …from sysfs
    commit 7083909 upstream.
    Some of the EFI variable attributes are missing from print out from
    /sys/firmware/efi/vars/*/attributes. This patch adds those in. It also
    updates code to use pre-defined constants for masking current value
    of attributes.
    Signed-off-by: Khalid Aziz <>
    Reviewed-by: Kees Cook <>
    Acked-by: Matthew Garrett <>
    Signed-off-by: Greg Kroah-Hartman <>
    Khalid Aziz committed with gregkh Sep 10, 2012
  20. @lwfinger @gregkh

    b43legacy: Fix crash on unload when firmware not available

    commit 2d838bb upstream.
    When b43legacy is loaded without the firmware being available, a following
    unload generates a kernel NULL pointer dereference BUG as follows:
    [  214.330789] BUG: unable to handle kernel NULL pointer dereference at 0000004c
    [  214.330997] IP: [<c104c395>] drain_workqueue+0x15/0x170
    [  214.331179] *pde = 00000000
    [  214.331311] Oops: 0000 [#1] SMP
    [  214.331471] Modules linked in: b43legacy(-) ssb pcmcia mac80211 cfg80211 af_packet mperf arc4 ppdev sr_mod cdrom sg shpchp yenta_socket pcmcia_rsrc pci_hotplug pcmcia_core battery parport_pc parport floppy container ac button edd autofs4 ohci_hcd ehci_hcd usbcore usb_common thermal processor scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_dh fan thermal_sys hwmon ata_generic pata_ali libata [last unloaded: cfg80211]
    [  214.333421] Pid: 3639, comm: modprobe Not tainted 3.6.0-rc6-wl+ #163 Source Technology VIC 9921/ALI Based Notebook
    [  214.333580] EIP: 0060:[<c104c395>] EFLAGS: 00010246 CPU: 0
    [  214.333687] EIP is at drain_workqueue+0x15/0x170
    [  214.333788] EAX: c162ac40 EBX: cdfb8360 ECX: 0000002a EDX: 00002a2a
    [  214.333890] ESI: 00000000 EDI: 00000000 EBP: cd767e7c ESP: cd767e5c
    [  214.333957]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    [  214.333957] CR0: 8005003b CR2: 0000004c CR3: 0c96a000 CR4: 00000090
    [  214.333957] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [  214.333957] DR6: ffff0ff0 DR7: 00000400
    [  214.333957] Process modprobe (pid: 3639, ti=cd766000 task=cf802e90 task.ti=cd766000)
    [  214.333957] Stack:
    [  214.333957]  00000292 cd767e74 c12c5e09 00000296 00000296 cdfb8360 cdfb9220 00000000
    [  214.333957]  cd767e90 c104c4fd cdfb8360 cdfb9220 cd682800 cd767ea4 d0c10184 cd682800
    [  214.333957]  cd767ea4 cba31064 cd767eb8 d0867908 cba31064 d087e09c cd96f034 cd767ec4
    [  214.333957] Call Trace:
    [  214.333957]  [<c12c5e09>] ? skb_dequeue+0x49/0x60
    [  214.333957]  [<c104c4fd>] destroy_workqueue+0xd/0x150
    [  214.333957]  [<d0c10184>] ieee80211_unregister_hw+0xc4/0x100 [mac80211]
    [  214.333957]  [<d0867908>] b43legacy_remove+0x78/0x80 [b43legacy]
    [  214.333957]  [<d083654d>] ssb_device_remove+0x1d/0x30 [ssb]
    [  214.333957]  [<c126f15a>] __device_release_driver+0x5a/0xb0
    [  214.333957]  [<c126fb07>] driver_detach+0x87/0x90
    [  214.333957]  [<c126ef4c>] bus_remove_driver+0x6c/0xe0
    [  214.333957]  [<c1270120>] driver_unregister+0x40/0x70
    [  214.333957]  [<d083686b>] ssb_driver_unregister+0xb/0x10 [ssb]
    [  214.333957]  [<d087c488>] b43legacy_exit+0xd/0xf [b43legacy]
    [  214.333957]  [<c1089dde>] sys_delete_module+0x14e/0x2b0
    [  214.333957]  [<c110a4a7>] ? vfs_write+0xf7/0x150
    [  214.333957]  [<c1240050>] ? tty_write_lock+0x50/0x50
    [  214.333957]  [<c110a6f8>] ? sys_write+0x38/0x70
    [  214.333957]  [<c1397c55>] syscall_call+0x7/0xb
    [  214.333957] Code: bc 27 00 00 00 00 a1 74 61 56 c1 55 89 e5 e8 a3 fc ff ff 5d c3 90 55 89 e5 57 56 89 c6 53 b8 40 ac 62 c1 83 ec 14 e8 bb b7 34 00 <8b> 46 4c 8d 50 01 85 c0 89 56 4c 75 03 83 0e 40 80 05 40 ac 62
    [  214.333957] EIP: [<c104c395>] drain_workqueue+0x15/0x170 SS:ESP 0068:cd767e5c
    [  214.333957] CR2: 000000000000004c
    [  214.341110] ---[ end trace c7e90ec026d875a6 ]---Index: wireless-testing/drivers/net/wireless/b43legacy/main.c
    The problem is fixed by making certain that the ucode pointer is not NULL
    before deregistering the driver in mac80211.
    Signed-off-by: Larry Finger <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
    lwfinger committed with gregkh Sep 26, 2012
  21. @fleitner @gregkh

    serial: set correct baud_base for EXSYS EX-41092 Dual 16950

    commit 26e8220 upstream.
    Apparently the same card model has two IDs, so this patch
    complements the commit 39aced6
    adding the missing one.
    Signed-off-by: Flavio Leitner <>
    Signed-off-by: Greg Kroah-Hartman <>
    fleitner committed with gregkh Sep 21, 2012
  22. @linusw @gregkh

    serial: pl011: handle corruption at high clock speeds

    commit c5dd553 upstream.
    This works around a few glitches in the ST version of the PL011
    serial driver when using very high baud rates, as we do in the
    Ux500: 3, 3.25, 4 and 4.05 Mbps.
    Problem Observed/rootcause:
    When using high baud-rates, and the baudrate*8 is getting close to
    the provided clock frequency (so a division factor close to 1), when
    using bursts of characters (so they are abutted), then it seems as if
    there is not enough time to detect the beginning of the start-bit which
    is a timing reference for the entire character, and thus the sampling
    moment of character bits is moving towards the end of each bit, instead
    of the middle.
    Increase slightly the RX baud rate of the UART above the theoretical
    baudrate by 5%. This will definitely give more margin time to the
    UART_RX to correctly sample the data at the middle of the bit period.
    Also fix the ages old copy-paste error in the very stressed comment,
    it's referencing the registers used in the PL010 driver rather than
    the PL011 ones.
    Signed-off-by: Guillaume Jaunet <>
    Signed-off-by: Christophe Arnal <>
    Signed-off-by: Matthias Locher <>
    Signed-off-by: Rajanikanth HV <>
    Cc: Bibek Basu <>
    Cc: Par-Gunnar Hjalmdahl <>
    Signed-off-by: Linus Walleij <>
    Signed-off-by: Greg Kroah-Hartman <>
    linusw committed with gregkh Sep 26, 2012
  23. @gregkh

    TTY: ttyprintk, don't touch behind tty->write_buf

    commit ee8b593 upstream.
    If a user provides a buffer larger than a tty->write_buf chunk and
    passes '\r' at the end of the buffer, we touch an out-of-bound memory.
    Add a check there to prevent this.
    Signed-off-by: Jiri Slaby <>
    Cc: Samo Pogacnik <>
    Signed-off-by: Greg Kroah-Hartman <>
    Jiri Slaby committed with gregkh Aug 7, 2012
  24. @gregkh

    Remove BUG_ON from n_tty_read()

    commit e9490e9 upstream.
    Change the BUG_ON to WARN_ON and return in case of tty->read_buf==NULL. We want to track a
    couple of long standing reports of this but at the same time we can avoid killing the box.
    Signed-off-by: Stanislav Kozina <>
    Signed-off-by: Alan Cox <>
    Signed-off-by: Greg Kroah-Hartman <>
    Stanislav Kozina committed with gregkh Aug 16, 2012
  25. @ian-abbott @gregkh

    staging: comedi: fix memory leak for saved channel list

    commit c8cad4c upstream.
    When `do_cmd_ioctl()` allocates memory for the kernel copy of a channel
    list, it frees any previously allocated channel list in
    `async->cmd.chanlist` and replaces it with the new one.  However, if the
    device is ever removed (or "detached") the cleanup code in
    `cleanup_device()` in "drivers.c" does not free this memory so it is
    A sensible place to free the kernel copy of the channel list is in
    `do_become_nonbusy()` as at that point the comedi asynchronous command
    associated with the channel list is no longer valid.  Free the channel
    list in `do_become_nonbusy()` instead of `do_cmd_ioctl()` and clear the
    pointer to prevent it being freed more than once.
    Note that `cleanup_device()` could be called at an inappropriate time
    while the comedi device is open, but that's a separate bug not related
    to this this patch.
    Signed-off-by: Ian Abbott <>
    Signed-off-by: Greg Kroah-Hartman <>
    ian-abbott committed with gregkh Sep 19, 2012
  26. @ian-abbott @gregkh

    staging: comedi: don't dereference user memory for INSN_INTTRIG

    commit 5d06e3d upstream.
    `parse_insn()` is dereferencing the user-space pointer `insn->data`
    directly when handling the `INSN_INTTRIG` comedi instruction.  It
    shouldn't be using `insn->data` at all; it should be using the separate
    `data` pointer passed to the function.  Fix it.
    Signed-off-by: Ian Abbott <>
    Signed-off-by: Greg Kroah-Hartman <>
    ian-abbott committed with gregkh Sep 18, 2012
  27. @ian-abbott @gregkh

    staging: comedi: jr3_pci: fix iomem dereference

    commit e187895 upstream.
    Correct a direct dereference of I/O memory to use an appropriate I/O
    memory access function.  Note that the pointer being dereferenced is not
    currently tagged with `__iomem` but I plan to correct that for 3.7.
    Signed-off-by: Ian Abbott <>
    Signed-off-by: Greg Kroah-Hartman <>
    ian-abbott committed with gregkh Sep 27, 2012
  28. @ian-abbott @gregkh

    staging: comedi: s626: don't dereference insn->data

    commit b655c2c upstream.
    `s626_enc_insn_config()` is incorrectly dereferencing `insn->data` which
    is a pointer to user memory.  It should be dereferencing the separate
    `data` parameter that points to a copy of the data in kernel memory.
    Signed-off-by: Ian Abbott <>
    Reviewed-by: H Hartley Sweeten <>
    Signed-off-by: Greg Kroah-Hartman <>
    ian-abbott committed with gregkh Sep 24, 2012
  29. @bwhacks @gregkh

    staging: speakup_soft: Fix reading of init string

    commit 40fe4f8 upstream.
    softsynth_read() reads a character at a time from the init string;
    when it finds the null terminator it sets the initialized flag but
    then repeats the last character.
    Additionally, if the read() buffer is not big enough for the init
    string, the next read() will start reading from the beginning again.
    So the caller may never progress to reading anything else.
    Replace the simple initialized flag with the current position in
    the init string, carried over between calls.  Switch to reading
    real data once this reaches the null terminator.
    (This assumes that the length of the init string can't change, which
    seems to be the case.  Really, the string and position belong together
    in a per-file private struct.)
    Tested-by: Samuel Thibault <>
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
    bwhacks committed with gregkh Sep 16, 2012
  30. @bmork @gregkh

    USB: qcaux: add Pantech vendor class match

    commit c638eb2 upstream.
    The three Pantech devices UML190 (106c:3716), UML290 (106c:3718) and
    P4200 (106c:3721) all use the same subclasses to identify vendor
    specific functions.  Replace the existing device specific entries
    with generic vendor matching, adding support for the P4200.
    Signed-off-by: Bjørn Mork <>
    Cc: Thomas Schäfer <>
    Acked-by: Dan Williams <>
    Signed-off-by: Greg Kroah-Hartman <>
    bmork committed with gregkh Sep 19, 2012
  31. @ao2 @gregkh

    USB: ftdi_sio: add TIAO USB Multi-Protocol Adapter (TUMPA) support

    commit 54575b0 upstream.
    TIAO/DIYGADGET USB Multi-Protocol Adapter (TUMPA) is an FTDI FT2232H
    based device which provides an easily accessible JTAG, SPI, I2C, serial
    FTDI FT2232H provides two serial channels (A and B), but on the TUMPA
    channel A is dedicated to JTAG/SPI while channel B can be used for
    UART/RS-232: use the ftdi_jtag_quirk to expose only channel B as
    a usb-serial interface to userspace.
    Signed-off-by: Antonio Ospite <>
    Signed-off-by: Greg Kroah-Hartman <>
    ao2 committed with gregkh Sep 23, 2012
  32. @bmork @gregkh

    USB: option: blacklist QMI interface on ZTE MF683

    commit 160c942 upstream.
    Interface #5 on ZTE MF683 is a QMI/wwan interface.
    Signed-off-by: Bjørn Mork <>
    Cc: Shawn J. Goff <>
    Signed-off-by: Greg Kroah-Hartman <>
    bmork committed with gregkh Sep 19, 2012
  33. @snitm @gregkh

    dm: handle requests beyond end of device instead of using BUG_ON

    commit ba1cbad upstream.
    The access beyond the end of device BUG_ON that was introduced to
    dm_request_fn via commit 29e4013 ("dm: implement
    REQ_FLUSH/FUA support for request-based dm") was an overly
    drastic (but simple) response to this situation.
    I have received a report that this BUG_ON was hit and now think
    it would be better to use dm_kill_unmapped_request() to fail the clone
    and original request with -EIO.
    map_request() will assign the valid target returned by
    dm_table_find_target to tio->ti.  But when the target
    isn't valid tio->ti is never assigned (because map_request isn't
    called); so add a check for tio->ti != NULL to dm_done().
    Reported-by: Mike Christie <>
    Signed-off-by: Mike Snitzer <>
    Signed-off-by: Jun'ichi Nomura <>
    Signed-off-by: Alasdair G Kergon <>
    Signed-off-by: Greg Kroah-Hartman <>
    snitm committed with gregkh Sep 26, 2012
  34. @szmi @gregkh

    vfs: dcache: fix deadlock in tree traversal

    commit 8110e16 upstream.
    IBM reported a deadlock in select_parent().  This was found to be caused
    by taking rename_lock when already locked when restarting the tree
    There are two cases when the traversal needs to be restarted:
     1) concurrent d_move(); this can only happen when not already locked,
        since taking rename_lock protects against concurrent d_move().
     2) racing with final d_put() on child just at the moment of ascending
        to parent; rename_lock doesn't protect against this rare race, so it
        can happen when already locked.
    Because of case 2, we need to be able to handle restarting the traversal
    when rename_lock is already held.  This patch fixes all three callers of
    IBM reported that the deadlock is gone with this patch.
    [ I rewrote the patch to be smaller and just do the "goto again" if the
      lock was already held, but credit goes to Miklos for the real work.
       - Linus ]
    Signed-off-by: Miklos Szeredi <>
    Cc: Al Viro <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
    szmi committed with gregkh Sep 17, 2012
Commits on Oct 2, 2012
  1. @gregkh

    Linux 3.0.44

    gregkh committed Oct 2, 2012