Commits on Jan 21, 2013
  1. fix merge conflict

    Oleksandr Natalenko committed Jan 21, 2013
  2. Linux 3.7.4

    gregkh committed Jan 21, 2013
  3. pty: return EINVAL for TIOCGPTN for BSD ptys

    commit ded2f29 upstream.
    Commit bbb63c5 (drivers:tty:fix up
    ENOIOCTLCMD error handling) changed the default return value from tty
    ioctl to be ENOTTY and not EINVAL. This is appropriate.
    But in case of TIOCGPTN for the old BSD ptys glibc started failing
    because it expects EINVAL to be returned. Only then it continues to
    obtain the pts name the other way around.
    So fix this case by explicit return of EINVAL in this case.
    Signed-off-by: Jiri Slaby <>
    Reported-by: Florian Westphal <>
    Cc: Alan Cox <>
    Signed-off-by: Greg Kroah-Hartman <>
    Jiri Slaby committed with gregkh Jan 11, 2013
  4. mxs: uart: fix setting RTS from software

    commit a683321 upstream.
    With the patch "serial: mxs-auart: fix the wrong RTS hardware flow control" the
    mainline mxs-uart driver now sets RTSEN only when hardware flow control is
    enabled via software. It is not possible any longer to set RTS manually via
    software. However, the manual modification is a valid operation.
    Regain the possibility to set RTS via software and only set RTSEN when hardware
    flow control is explicitly enabled via settermios cflag CRTSCTS.
    Signed-off-by: Steffen Trumtrar <>
    Reviewed-by: Huang Shijie <>
    Signed-off-by: Greg Kroah-Hartman <>
    strumtrar committed with gregkh Dec 13, 2012
  5. staging: vt6656: Fix inconsistent structure packing

    commit 1ee4c55 upstream.
    vt6656 has several headers that use the #pragma pack(1) directive to
    enable structure packing, but never disable it.  The layout of
    structures defined in other headers can then depend on which order the
    various headers are included in, breaking the One Definition Rule.
    In practice this resulted in crashes on x86_64 until the order of header
    inclusion was changed for some files in commit 11d404c ('staging:
    vt6656: fix headers and add cfg80211.').  But we need a proper fix that
    won't be affected by future changes to the order of inclusion.
    This removes the #pragma pack(1) directives and adds __packed to the
    structure definitions for which packing appears to have been intended.
    Reported-and-tested-by: Malcolm Priestley <>
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
    bwhacks committed with gregkh Jan 14, 2013
  6. staging: wlan-ng: Fix clamping of returned SSID length

    commit 811a37e upstream.
    Commit 2e25421 broke listing of available network names, since it
    clamped the length of the returned SSID to WLAN_BSSID_LEN (6) instead of
    Signed-off-by: Tormod Volden <>
    Signed-off-by: Greg Kroah-Hartman <>
    tormodvolden committed with gregkh Jan 9, 2013
  7. 8250/16?50: Add support for Broadcom TruManage redirected serial port

    commit ebebd49 upstream.
    Add support for the UART device present in Broadcom TruManage capable
    NetXtreme chips (ie: 5761m 5762, and 5725).
    This implementation has a hidden transmit FIFO, so running in single-byte
    interrupt mode results in too many interrupts.  The UART_CAP_HFIFO
    capability was added to track this.  It continues to reload the THR as long
    as the THRE and TSRE bits are set in the LSR up to a specified limit (1024
    is used here).
    Signed-off-by: Stephen Hurd <>
    Signed-off-by: Michael Chan <>
    Signed-off-by: Greg Kroah-Hartman <>
    Stephen Hurd committed with gregkh Jan 17, 2013
  8. tty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler

    commit 68e56cb upstream.
    Signed-off-by: Maxime Ripard <>
    Signed-off-by: Greg Kroah-Hartman <>
    mripard committed with gregkh Jan 14, 2013
  9. tty: serial: vt8500: fix return value check in vt8500_serial_probe()

    commit a6dd114 upstream.
    In case of error, function of_clk_get() returns ERR_PTR()
    and never returns NULL. The NULL test in the return value
    check should be replaced with IS_ERR().
    Signed-off-by: Wei Yongjun <>
    Acked-by: Tony Prisk <>
    Signed-off-by: Greg Kroah-Hartman <>
    Wei Yongjun committed with gregkh Dec 2, 2012
  10. serial:ifx6x60:Delete SPI timer when shut down port

    commit 014b9b4 upstream.
    When shut down SPI port, it's possible that MRDY has been asserted and a SPI
    timer was activated waiting for SRDY assert, in the case, it needs to delete
    this timer.
    Signed-off-by: Chen Jun <>
    Signed-off-by: channing <>
    Signed-off-by: Greg Kroah-Hartman <>
    ChaoBi committed with gregkh Dec 12, 2012
  11. USB: option: blacklist network interface on ONDA MT8205 4G LTE

    Signed-off-by: Bjørn Mork <>
    commit 2291dff upstream.
    The driver description files gives these names to the vendor specific
    functions on this modem:
     Diag   VID_19D2&PID_0265&MI_00
     NMEA   VID_19D2&PID_0265&MI_01
     AT cmd VID_19D2&PID_0265&MI_02
     Modem  VID_19D2&PID_0265&MI_03
     Net    VID_19D2&PID_0265&MI_04
    Signed-off-by: Bjørn Mork <>
    Signed-off-by: Greg Kroah-Hartman <>
    bmork committed with gregkh Jan 17, 2013
  12. USB: option: add TP-LINK HSUPA Modem MA180

    commit 99beb2e upstream.
    The driver description files gives these names to the vendor specific
    functions on this modem:
     Diagnostics VID_2357&PID_0201&MI_00
     NMEA        VID_2357&PID_0201&MI_01
     Modem       VID_2357&PID_0201&MI_03
     Networkcard VID_2357&PID_0201&MI_04
    Reported-by: Thomas Schäfer <>
    Signed-off-by: Bjørn Mork <>
    Signed-off-by: Greg Kroah-Hartman <>
    bmork committed with gregkh Jan 15, 2013
  13. USB: io_ti: Fix NULL dereference in chase_port()

    commit 1ee0a22 upstream.
    The tty is NULL when the port is hanging up.
    chase_port() needs to check for this.
    This patch is intended for stable series.
    The behavior was observed and tested in Linux 3.2 and 3.7.1.
    Johan Hovold submitted a more elaborate patch for the mainline kernel.
    [   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
    [   56.278811] usb 1-1: USB disconnect, device number 3
    [   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
    [   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
    [   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
    [   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
    [   56.282085] Oops: 0002 [#1] SMP
    [   56.282744] Modules linked in:
    [   56.283512] CPU 1
    [   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
    [   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
    [   56.283512] RSP: 0018:ffff88001fa99ab0  EFLAGS: 00010046
    [   56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
    [   56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
    [   56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
    [   56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
    [   56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
    [   56.283512] FS:  0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
    [   56.283512] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
    [   56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [   56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [   56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
    [   56.283512] Stack:
    [   56.283512]  0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
    [   56.283512]  ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
    [   56.283512]  ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
    [   56.283512] Call Trace:
    [   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
    [   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
    [   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
    [   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
    [   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
    [   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
    [   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
    [   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
    [   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
    [   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
    [   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
    [   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
    [   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
    [   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
    [   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
    [   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
    [   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
    [   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
    [   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
    [   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
    [   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
    [   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
    [   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
    [   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
    [   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
    [   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
    [   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
    [   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
    [   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
    [   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
    [   56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
    <f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
    [   56.283512] RIP  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
    [   56.283512]  RSP <ffff88001fa99ab0>
    [   56.283512] CR2: 00000000000001c8
    [   56.283512] ---[ end trace 49714df27e1679ce ]---
    Signed-off-by: Wolfgang Frisch <>
    Cc: Johan Hovold <>
    Signed-off-by: Greg Kroah-Hartman <>
    wfr committed with gregkh Jan 17, 2013
  14. xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS gu…

    commit 9174adb upstream.
    This fixes CVE-2013-0190 / XSA-40
    There has been an error on the xen_failsafe_callback path for failed
    iret, which causes the stack pointer to be wrong when entering the
    iret_exc error path.  This can result in the kernel crashing.
    In the classic kernel case, the relevant code looked a little like:
            popl %eax      # Error code from hypervisor
            jz 5f
            addl $16,%esp
            jmp iret_exc   # Hypervisor said iret fault
    5:      addl $16,%esp
                           # Hypervisor said segment selector fault
    Here, there are two identical addls on either option of a branch which
    appears to have been optimised by hoisting it above the jz, and
    converting it to an lea, which leaves the flags register unaffected.
    In the PVOPS case, the code looks like:
            popl_cfi %eax         # Error from the hypervisor
            lea 16(%esp),%esp     # Add $16 before choosing fault path
            CFI_ADJUST_CFA_OFFSET -16
            jz 5f
            addl $16,%esp         # Incorrectly adjust %esp again
            jmp iret_exc
    It is possible unprivileged userspace applications to cause this
    behaviour, for example by loading an LDT code selector, then changing
    the code selector to be not-present.  At this point, there is a race
    condition where it is possible for the hypervisor to return back to
    userspace from an interrupt, fault on its own iret, and inject a
    failsafe_callback into the kernel.
    This bug has been present since the introduction of Xen PVOPS support
    in commit 5ead97c (xen: Core Xen implementation), in 2.6.23.
    Signed-off-by: Frediano Ziglio <>
    Signed-off-by: Andrew Cooper <>
    Signed-off-by: Konrad Rzeszutek Wilk <>
    Signed-off-by: Greg Kroah-Hartman <>
    freddy77 committed with gregkh Jan 16, 2013
  15. xen/grant-table: correctly initialize grant table version 1

    commit d0b4d64 upstream.
    Commit 85ff6ac (xen/granttable: Grant
    tables V2 implementation) changed the GREFS_PER_GRANT_FRAME macro from
    a constant to a conditional expression. The expression depends on
    grant_table_version being appropriately set. Unfortunately, at init
    time grant_table_version will be 0. The GREFS_PER_GRANT_FRAME
    conditional expression checks for "grant_table_version == 1", and
    therefore returns the number of grant references per frame for v2.
    This causes gnttab_init() to allocate fewer pages for gnttab_list, as
    a frame can old half the number of v2 entries than v1 entries. After
    gnttab_resume() is called, grant_table_version is appropriately
    set. nr_init_grefs will then be miscalculated and gnttab_free_count
    will hold a value larger than the actual number of free gref entries.
    If a guest is heavily utilizing improperly initialized v1 grant
    tables, memory corruption can occur. One common manifestation is
    corruption of the vmalloc list, resulting in a poisoned pointer
    derefrence when accessing /proc/meminfo or /proc/vmallocinfo:
    [   40.770064] BUG: unable to handle kernel paging request at 0000200200001407
    [   40.770083] IP: [<ffffffff811a6fb0>] get_vmalloc_info+0x70/0x110
    [   40.770102] PGD 0
    [   40.770107] Oops: 0000 [#1] SMP
    [   40.770114] CPU 10
    This patch introduces a static variable, grefs_per_grant_frame, to
    cache the calculated value. gnttab_init() now calls
    gnttab_request_version() early so that grant_table_version and
    grefs_per_grant_frame can be appropriately set. A few BUG_ON()s have
    been added to prevent this type of bug from reoccurring in the future.
    Signed-off-by: Matt Wilson <>
    Reviewed-and-Tested-by: Steven Noonan <>
    Acked-by: Ian Campbell <>
    Cc: Konrad Rzeszutek Wilk <>
    Cc: Annie Li <>
    Signed-off-by: Konrad Rzeszutek Wilk <>
    Signed-off-by: Greg Kroah-Hartman <>
    mswilson committed with gregkh Jan 15, 2013
  16. igb: release already assigned MSI-X interrupts if setup fails

    commit 52285b7 upstream.
    During MSI-X setup the system might run out of vectors. If this happens the
    already assigned vectors for this NIC should be freed before trying the
    disable MSI-X. Failing to do so results in the following oops.
    kernel BUG at drivers/pci/msi.c:341!
    Call Trace:
     [<ffffffff8128f39d>] pci_disable_msix+0x3d/0x60
     [<ffffffffa037d1ce>] igb_reset_interrupt_capability+0x27/0x5c [igb]
     [<ffffffffa037d229>] igb_clear_interrupt_scheme+0x26/0x2d [igb]
     [<ffffffffa0384268>] igb_request_irq+0x73/0x297 [igb]
     [<ffffffffa0384554>] __igb_open+0xc8/0x223 [igb]
     [<ffffffffa0384815>] igb_open+0x13/0x15 [igb]
     [<ffffffff8144592f>] __dev_open+0xbf/0x120
     [<ffffffff81443e51>] __dev_change_flags+0xa1/0x180
     [<ffffffff81445828>] dev_change_flags+0x28/0x70
     [<ffffffff814af537>] devinet_ioctl+0x5b7/0x620
     [<ffffffff814b01c8>] inet_ioctl+0x88/0xa0
     [<ffffffff8142e8a0>] sock_do_ioctl+0x30/0x70
     [<ffffffff8142ecf2>] sock_ioctl+0x72/0x270
     [<ffffffff8118062c>] do_vfs_ioctl+0x8c/0x340
     [<ffffffff81180981>] sys_ioctl+0xa1/0xb0
     [<ffffffff815161a9>] system_call_fastpath+0x16/0x1b
    Code: 48 89 df e8 1f 40 ed ff 4d 39 e6 49 8b 45 10 75 b6 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f c9 c3 48 8b 7b 20 e8 3e 91 db ff eb ae <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
    RIP  [<ffffffff8128e144>] free_msi_irqs+0x124/0x130
     RSP <ffff880037503bd8>
    Signed-off-by: Stefan Assmann <>
    Tested-by: Aaron Brown <>
    Signed-off-by: Jeff Kirsher <>
    Signed-off-by: Abdallah Chatila <>
    sassmann committed with gregkh Dec 4, 2012
  17. intel-iommu: Prevent devices with RMRRs from being placed into SI Domain

    commit ea2447f upstream.
    This patch is to prevent non-USB devices that have RMRRs associated with them from
    being placed into the SI Domain during init. This fixes the issue where the RMRR info
    for devices being placed in and out of the SI Domain gets lost.
    Signed-off-by: Thomas Mingarelli <>
    Tested-by: Shuah Khan <>
    Reviewed-by: Donald Dutile <>
    Reviewed-by: Alex Williamson <>
    Signed-off-by: Joerg Roedel <>
    Cc: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    Tom Mingarelli committed with gregkh Nov 20, 2012
  18. target: Add link_magic for fabric allow_link destination target_items

    commit 0ff8754 upstream.
    This patch adds [dev,lun]_link_magic value assignment + checks within generic
    target_fabric_port_link() and target_fabric_mappedlun_link() code to ensure
    destination config_item *target_item sent from configfs_symlink() ->
    config_item_operations->allow_link() is the underlying se_device->dev_group
    and se_lun->lun_group that we expect to symlink.
    Reported-by: Sebastian Andrzej Siewior <>
    Cc: Sebastian Andrzej Siewior <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    nablio3000 committed with gregkh Dec 5, 2012
  19. drm/radeon: fix a bogus kfree

    commit a6b7e1a upstream.
    parser->chunks[.].kpage[.] is not always kmalloc-ed
    by the parser initialization, so parser_fini should
    not try to kfree it if it didn't allocate it.
    This patch fixes a kernel oops that can be provoked
    in UMS mode.
    Signed-off-by: Ilija Hadzic <>
    Signed-off-by: Alex Deucher <>
    Signed-off-by: Shuah Khan <>
    Cc: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    Ilija Hadzic committed with gregkh Jan 7, 2013
  20. drm/radeon: fix NULL pointer dereference in UMS mode

    commit ff4bd08 upstream.
    In UMS mode parser->rdev is NULL, so dereferencing
    will cause an oops.
    Signed-off-by: Ilija Hadzic <>
    Signed-off-by: Alex Deucher <>
    Cc: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    Ilija Hadzic committed with gregkh Jan 7, 2013
  21. usb: chipidea: Allow disabling streaming not only in udc mode

    commit 929473e upstream.
    When running a scp transfer using a USB/Ethernet adapter the following crash
    $ scp test.tar.gz fabio@
    fabio@'s password:
    test.tar.gz                                      0%    0     0.0KB/s   --:-- ETA
    ------------[ cut here ]------------
    WARNING: at net/sched/sch_generic.c:255 dev_watchdog+0x2cc/0x2f0()
    NETDEV WATCHDOG: eth0 (asix): transmit queue 0 timed out
    Modules linked in:
    [<80011c94>] (dump_backtrace+0x0/0x10c) from [<804d3a5c>] (dump_stack+0x18/0x1c)
     r6:000000ff r5:80412388 r4:80685dc0 r3:80696cc0
    [<804d3a44>] (dump_stack+0x0/0x1c) from [<80021868>]
    [<80021814>] (warn_slowpath_common+0x0/0x6c) from [<80021924>]
    Setting SDIS (Stream Disable Mode- bit 4 of USBMODE register) fixes the problem.
    However, in current code CI13XXX_DISABLE_STREAMING flag is only set in udc mode,
    so allow disabling streaming also in host mode.
    Tested on a mx6qsabrelite board.
    Suggested-by: Peter Chen <>
    Signed-off-by: Fabio Estevam <>
    Reviewed-by: Peter Chen <>
    Signed-off-by: Greg Kroah-Hartman <>
    Fabio Estevam committed with gregkh Dec 22, 2012
  22. ext4: init pagevec in ext4_da_block_invalidatepages

    commit 66bea92 upstream.
    ext4_da_block_invalidatepages is missing a pagevec_init(),
    which means that pvec->cold contains random garbage.
    This affects whether the page goes to the front or
    back of the LRU when ->cold makes it to
    Reviewed-by: Lukas Czerner <>
    Reviewed-by: Carlos Maiolino <>
    Signed-off-by: Eric Sandeen <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    Eric Sandeen committed with gregkh Nov 15, 2012
  23. ALSA: usb - fix race in creation of M-Audio Fast track pro driver

    commit b98ae27 upstream.
    A patch in the 3.2 kernel caused regression with hotplugging the
    M-Audio Fast track pro, or sound after suspend. I don't have the
    device so I haven't done a full analysis, but it seems userspace
    (both udev and pulseaudio) got confused when a card was created,
    immediately destroyed, and then created again.
    However, at least one person in the bug report (martin djfun)
    reports that this patch resolves the issue for him. It also leaves
    a message in the log:
    "snd-usb-audio: probe of 1-1.1:1.1 failed with error -5" which is
    a bit misleading. It is better than non-working audio, but maybe
    there's a more elegant solution?
    Signed-off-by: David Henningsson <>
    Signed-off-by: Takashi Iwai <>
    Cc: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    David Henningsson committed with gregkh Jan 4, 2013
  24. x86/Sandy Bridge: reserve pages when integrated graphics is present

    commit a9acc53 upstream.
    SNB graphics devices have a bug that prevent them from accessing certain
    memory ranges, namely anything below 1M and in the pages listed in the
    table.  So reserve those at boot if set detect a SNB gfx device on the
    CPU to avoid GPU hangs.
    Stephane Marchesin had a similar patch to the page allocator awhile
    back, but rather than reserving pages up front, it leaked them at
    allocation time.
    [ hpa: made a number of stylistic changes, marked arrays as static
      const, and made less verbose; use "memblock=debug" for full
      verbosity. ]
    Signed-off-by: Jesse Barnes <>
    Signed-off-by: H. Peter Anvin <>
    Cc: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
    jbarnes993 committed with gregkh Nov 14, 2012
  25. s390/time: fix sched_clock() overflow

    commit ed4f209 upstream.
    Converting a 64 Bit TOD format value to nanoseconds means that the value
    must be divided by 4.096. In order to achieve that we multiply with 125
    and divide by 512.
    When used within sched_clock() this triggers an overflow after appr.
    417 days. Resulting in a sched_clock() return value that is much smaller
    than previously and therefore may cause all sort of weird things in
    subsystems that rely on a monotonic sched_clock() behaviour.
    To fix this implement a tod_to_ns() helper function which converts TOD
    values without overflow and call this function from both places that
    open coded the conversion: sched_clock() and kvm_s390_handle_wait().
    Reviewed-by: Martin Schwidefsky <>
    Signed-off-by: Heiko Carstens <>
    Signed-off-by: Martin Schwidefsky <>
    Signed-off-by: Greg Kroah-Hartman <>
    Heiko Carstens committed with gregkh Jan 14, 2013
  26. target: Release se_cmd when LUN lookup fails for TMR

    commit 5a3b6fc upstream.
    When transport_lookup_tmr_lun() fails and we return a task management
    response from target_complete_tmr_failure(), we need to call
    transport_cmd_check_stop_to_fabric() to release the last ref to the
    cmd after calling se_tfo->queue_tm_rsp(), or else we will never remove
    the failed TMR from the session command list (and we'll end up waiting
    forever when trying to tear down the session).
    (nab: Fix minor compile breakage)
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
    rolandd committed with gregkh Jan 2, 2013
  27. target: Fix use-after-free in LUN RESET handling

    commit 72b59d6 upstream.
    If a backend IO takes a really long then an initiator might abort a
    command, and then when it gives up on the abort, send a LUN reset too,
    all before we process any of the original command or the abort.  (The
    abort will wait for the backend IO to complete too)
    When the backend IO final completes (or fails), the abort handling
    will proceed and queue up a "return aborted status" operation.  Then,
    while that's still pending, the LUN reset might find the original
    command still on the LUN's list of commands and try to return aborted
    status again, which leads to a use-after free when the first
    se_tfo->queue_status call frees the command and then the second
    se_tfo->queue_status call runs.
    Fix this by removing a command from the LUN state_list when we first
    are about to queue aborted status; we shouldn't do anything
    LUN-related after we've started returning status, so this seems like
    the correct thing to do.
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
    rolandd committed with gregkh Jan 2, 2013
  28. target: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs

    commit e627c61 upstream.
    This patch fixes a regression bug introduced during v3.6.x code with
    the following commit to drop transport_add_cmd_to_queue(), which
    originally re-set CMD_T_ACTIVE during pending WRITE I/O submission:
    commit af87729
    Author: Christoph Hellwig <>
    Date:   Sun Jul 8 15:58:49 2012 -0400
        target: replace the processing thread with a TMR work queue
    The following sequence happens for write commands (or any other
    commands with a data out phase):
     - The transport calls target_submit_cmd(), which sets CMD_T_ACTIVE in
       cmd->transport_state and sets cmd->t_state to TRANSPORT_NEW_CMD.
     - Things go on transport_generic_new_cmd(), which notices that the
       command needs to transfer data, so it sets cmd->t_state to
       TRANSPORT_WRITE_PENDING and calls transport_cmd_check_stop().
     - transport_cmd_check_stop() clears CMD_T_ACTIVE in cmd->transport_state
       and returns in the normal case.
     - Then we continue on to call ->se_tfo->write_pending().
     - The data comes back from the initiator, and the transport calls
       target_execute_cmd(), which sets cmd->t_state to TRANSPORT_PROCESSING
       and calls into the backend to actually write the data.
    At this point, the backend might take a long time to complete the
    command, since it has to do real IO.  If an abort request comes in for
    this command at this point, it will not wait for the command to finish
    since CMD_T_ACTIVE is not set.  Then when the command does finally
    finish, we blow up with use-after-free.
    Avoid this by setting CMD_T_ACTIVE in target_execute_cmd() so that
    transport_wait_for_tasks() waits for the command to finish executing.
    This matches the behavior from before commit 1389533 ("target:
    remove transport_generic_handle_data"), when data was signaled via
    transport_generic_handle_data(), which set CMD_T_ACTIVE because it
    called transport_add_cmd_to_queue().
    Signed-off-by: Roland Dreier <>
    Reported-by: Martin Svec <>
    Cc: Christoph Hellwig <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
    rolandd committed with gregkh Jan 2, 2013
  29. tcm_fc: Do not report target role when target is not defined

    commit edec8df upstream.
    Clear the target role when no target is provided for
    the node performing a PRLI.
    Signed-off-by: Mark Rustad <>
    Reviewed-by: Bhanu Prakash Gollapudi <>
    Acked by Robert Love <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
    Mark Rustad committed with gregkh Dec 21, 2012
  30. tcm_fc: Do not indicate retry capability to initiators

    commit f2eeba2 upstream.
    When generating a PRLI response to an initiator, clear the
    FCP_SPPF_RETRY bit in the response.
    Signed-off-by: Mark Rustad <>
    Reviewed-by: Bhanu Prakash Gollapudi <>
    Acked by Robert Love <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
    Mark Rustad committed with gregkh Dec 21, 2012
  31. target: use correct sense code for LUN communication failure

    commit 18a9df4 upstream.
    The ASC/ASCQ code for 'Logical Unit Communication failure' is
    0x08/0x00; 0x80/0x00 is vendor specific.
    Signed-off-by: Hannes Reinecke <>
    Cc: Nicholas Bellinger <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
    hreinecke committed with gregkh Dec 17, 2012
  32. arm64: mm: only wrprotect clean ptes if they are present

    commit 0252246 upstream.
    Marking non-present ptes as read-only can corrupt file ptes, breaking
    things like swap and file mappings.
    This patch ensures that we only manipulate user pte bits when the pte
    is marked present.
    Signed-off-by: Will Deacon <>
    Signed-off-by: Catalin Marinas <>
    Signed-off-by: Greg Kroah-Hartman <>
    wildea01 committed with gregkh Jan 9, 2013
  33. firmware: make sure the fw file size is not 0

    commit 4adf07f upstream.
    If the requested firmware file size is 0 bytes in the filesytem, we
    will try to vmalloc(0), which causes a warning:
      vmalloc: allocation failure: 0 bytes
      kworker/1:1: page allocation failure: order:0, mode:0xd2
        wl18xx_setup+0xb4/0x570 [wl18xx]
        wlcore_nvs_cb+0x64/0x9f8 [wlcore]
    To fix this, check whether the file size is less than or equal to zero
    in fw_read_file_contents().
    Signed-off-by: Luciano Coelho <>
    Acked-by: Ming Lei <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
    Luciano Coelho committed with gregkh Jan 15, 2013
  34. sh: Fix FDPIC binary loader

    commit 4a71997 upstream.
    Ensure that the aux table is properly initialized, even when optional features
    are missing.  Without this, the FDPIC loader did not work.  This was meant to
    be included in commit d5ab780.
    Signed-off-by: Thomas Schwinge <>
    Signed-off-by: Paul Mundt <>
    Signed-off-by: Greg Kroah-Hartman <>
    tschwinge committed with gregkh Nov 16, 2012
  35. ALSA: hda/hdmi - Work around "alsactl restore" errors

    commit 6f54c36 upstream.
    When "alsactl restore" is performed on HDMI codecs, it tries to
    restore the channel map value since the channel map controls are
    writable.  But hdmi_chmap_ctl_put() returns -EBADFD when no PCM stream
    is assigned yet, and this results in an error message from alsactl.
    Although the error is harmless, it's certainly ugly and can be
    regarded as a regression.
    As a workaround, this patch changes the return code in such a case to
    be zero for making others happy.  (A slight excuse is: when the chmap
    is changed through the proper alsa-lib API, the PCM status is checked
    there anyway, so we don't have to be too strict in the kernel side.)
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
    tiwai committed with gregkh Jan 15, 2013