[PATCH 3.2 014/164] UBI: fix out of bounds write

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Brian Norris <computer...@gmail.com>

commit d74adbdb9abf0d2506a6c4afa534d894f28b763f upstream.

If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the
PEB->LEB mapping.

Caught by Coverity, CID #711212.

Signed-off-by: Brian Norris <computer...@gmail.com>
Signed-off-by: Richard Weinberger <ric...@nod.at>
[bwh: Backported to 3.2: adjust context; s/leb/seb/g]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/mtd/ubi/eba.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -1261,7 +1261,8 @@ int ubi_eba_init_scan(struct ubi_device
* during re-size.
*/
ubi_scan_move_to_list(sv, seb, &si->erase);
- vol->eba_tbl[seb->lnum] = seb->pnum;
+ else
+ vol->eba_tbl[seb->lnum] = seb->pnum;
}
}


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lars Persson <lars.p...@axis.com>

commit 4d46a67a3eb827ccf1125959936fd51ba318dabc upstream.

The lazy cache flushing implemented in the MIPS kernel suffers from a
race condition that is exposed by do_set_pte() in mm/memory.c.

A pre-condition is a file-system that writes to the page from the CPU
in its readpage method and then calls flush_dcache_page(). One example
is ubifs. Another pre-condition is that the dcache flush is postponed
in __flush_dcache_page().

Upon a page fault for an executable mapping not existing in the
page-cache, the following will happen:
1. Write to the page
2. flush_dcache_page
3. flush_icache_page
4. set_pte_at
5. update_mmu_cache (commits the flush of a dcache-dirty page)

Between steps 4 and 5 another thread can hit the same page and it will
encounter a valid pte. Because the data still is in the L1 dcache the CPU
will fetch stale data from L2 into the icache and execute garbage.

This fix moves the commit of the cache flush to step 3 to close the
race window. It also reduces the amount of flushes on non-executable
mappings because we never enter __flush_dcache_page() for non-aliasing
CPUs.

Regressions can occur in drivers that mistakenly relies on the
flush_dcache_page() in get_user_pages() for DMA operations.

[ra...@linux-mips.org: Folded in patch 9346 to fix highmem issue.]

Signed-off-by: Lars Persson <lar...@axis.com>
Cc: linux...@linux-mips.org
Cc: paul....@imgtec.com
Cc: linux-...@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/9346/
Patchwork: https://patchwork.linux-mips.org/patch/9738/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/mips/include/asm/cacheflush.h | 38 +++++++++++++++++++++++---------------
arch/mips/mm/cache.c | 12 ++++++++++++
2 files changed, 35 insertions(+), 15 deletions(-)

--- a/arch/mips/include/asm/cacheflush.h
+++ b/arch/mips/include/asm/cacheflush.h
@@ -29,6 +29,20 @@
* - flush_icache_all() flush the entire instruction cache
* - flush_data_cache_page() flushes a page from the data cache
*/
+
+ /*
+ * This flag is used to indicate that the page pointed to by a pte
+ * is dirty and requires cleaning before returning it to the user.
+ */
+#define PG_dcache_dirty PG_arch_1
+
+#define Page_dcache_dirty(page) \
+ test_bit(PG_dcache_dirty, &(page)->flags)
+#define SetPageDcacheDirty(page) \
+ set_bit(PG_dcache_dirty, &(page)->flags)
+#define ClearPageDcacheDirty(page) \
+ clear_bit(PG_dcache_dirty, &(page)->flags)
+
extern void (*flush_cache_all)(void);
extern void (*__flush_cache_all)(void);
extern void (*flush_cache_mm)(struct mm_struct *mm);
@@ -37,13 +51,15 @@ extern void (*flush_cache_range)(struct
unsigned long start, unsigned long end);
extern void (*flush_cache_page)(struct vm_area_struct *vma, unsigned long page, unsigned long pfn);
extern void __flush_dcache_page(struct page *page);
+extern void __flush_icache_page(struct vm_area_struct *vma, struct page *page);

#define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 1
static inline void flush_dcache_page(struct page *page)
{
- if (cpu_has_dc_aliases || !cpu_has_ic_fills_f_dc)
+ if (cpu_has_dc_aliases)
__flush_dcache_page(page);
-
+ else if (!cpu_has_ic_fills_f_dc)
+ SetPageDcacheDirty(page);
}

#define flush_dcache_mmap_lock(mapping) do { } while (0)
@@ -61,6 +77,11 @@ static inline void flush_anon_page(struc
static inline void flush_icache_page(struct vm_area_struct *vma,
struct page *page)
{
+ if (!cpu_has_ic_fills_f_dc && (vma->vm_flags & VM_EXEC) &&
+ Page_dcache_dirty(page)) {
+ __flush_icache_page(vma, page);
+ ClearPageDcacheDirty(page);
+ }
}

extern void (*flush_icache_range)(unsigned long start, unsigned long end);
@@ -95,19 +116,6 @@ extern void (*flush_icache_all)(void);
extern void (*local_flush_data_cache_page)(void * addr);
extern void (*flush_data_cache_page)(unsigned long addr);

-/*
- * This flag is used to indicate that the page pointed to by a pte
- * is dirty and requires cleaning before returning it to the user.
- */
-#define PG_dcache_dirty PG_arch_1
-
-#define Page_dcache_dirty(page) \
- test_bit(PG_dcache_dirty, &(page)->flags)
-#define SetPageDcacheDirty(page) \
- set_bit(PG_dcache_dirty, &(page)->flags)
-#define ClearPageDcacheDirty(page) \
- clear_bit(PG_dcache_dirty, &(page)->flags)
-
/* Run kernel code uncached, useful for cache probing functions. */
unsigned long run_uncached(void *func);

--- a/arch/mips/mm/cache.c
+++ b/arch/mips/mm/cache.c
@@ -118,6 +118,18 @@ void __flush_anon_page(struct page *page

EXPORT_SYMBOL(__flush_anon_page);

+void __flush_icache_page(struct vm_area_struct *vma, struct page *page)
+{
+ unsigned long addr;
+
+ if (PageHighMem(page))
+ return;
+
+ addr = (unsigned long) page_address(page);
+ flush_data_cache_page(addr);
+}
+EXPORT_SYMBOL_GPL(__flush_icache_page);
+
void __update_cache(struct vm_area_struct *vma, unsigned long address,
pte_t pte)
{

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sasha Levin <sasha...@oracle.com>

commit 161f873b89136eb1e69477c847d5a5033239d9ba upstream.

We used to read file_handle twice. Once to get the amount of extra
bytes, and once to fetch the entire structure.

This may be problematic since we do size verifications only after the
first read, so if the number of extra bytes changes in userspace between
the first and second calls, we'll have an incoherent view of
file_handle.

Instead, read the constant size once, and copy that over to the final
structure without having to re-read it again.

Signed-off-by: Sasha Levin <sasha...@oracle.com>
Cc: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/fhandle.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -196,8 +196,9 @@ static int handle_to_path(int mountdirfd
goto out_err;
}
/* copy the full handle */
- if (copy_from_user(handle, ufh,
- sizeof(struct file_handle) +
+ *handle = f_handle;
+ if (copy_from_user(&handle->f_handle,
+ &ufh->f_handle,
f_handle.handle_bytes)) {
retval = -EFAULT;
goto out_handle;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <vi...@zeniv.linux.org.uk>

commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 upstream.

when we find that a child has died while we'd been trying to ascend,
we should go into the first live sibling itself, rather than its sibling.

Off-by-one in question had been introduced in "deal with deadlock in
d_walk()" and the fix needs to be backported to all branches this one
has been backported to.

Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
[bwh: Backported to 3.2: apply to the 3 copies of this logic we
ended up with]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/dcache.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1016,13 +1016,13 @@ ascend:
/* might go back up the wrong parent if we have had a rename */
if (!locked && read_seqretry(&rename_lock, seq))
goto rename_retry;
- next = child->d_child.next;
- while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) {
+ /* go into the first sibling still alive */
+ do {
+ next = child->d_child.next;
if (next == &this_parent->d_subdirs)
goto ascend;
child = list_entry(next, struct dentry, d_child);
- next = next->next;
- }
+ } while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED));
rcu_read_unlock();
goto resume;
}
@@ -1142,13 +1142,13 @@ ascend:
/* might go back up the wrong parent if we have had a rename */
if (!locked && read_seqretry(&rename_lock, seq))
goto rename_retry;
- next = child->d_child.next;
- while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) {
+ /* go into the first sibling still alive */
+ do {
+ next = child->d_child.next;
if (next == &this_parent->d_subdirs)
goto ascend;
child = list_entry(next, struct dentry, d_child);
- next = next->next;
- }
+ } while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED));
rcu_read_unlock();
goto resume;
}
@@ -2938,13 +2938,13 @@ ascend:
/* might go back up the wrong parent if we have had a rename */
if (!locked && read_seqretry(&rename_lock, seq))
goto rename_retry;
- next = child->d_child.next;
- while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) {
+ /* go into the first sibling still alive */
+ do {
+ next = child->d_child.next;
if (next == &this_parent->d_subdirs)
goto ascend;
child = list_entry(next, struct dentry, d_child);
- next = next->next;
- }
+ } while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED));
rcu_read_unlock();
goto resume;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eryu Guan <guan...@gmail.com>

commit 2f974865ffdfe7b9f46a9940836c8b167342563d upstream.

The following commit introduced a bug when checking for zero length extent

5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries()

Zero length extent could pass the check if lblock is zero.

Adding the explicit check for zero length back.

Signed-off-by: Eryu Guan <guan...@gmail.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/ext4/extents.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -321,7 +321,7 @@ static int ext4_valid_extent(struct inod
ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
ext4_lblk_t last = lblock + len - 1;

- if (lblock > last)
+ if (len == 0 || lblock > last)
return 0;
return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Janusz Dziedzic <janusz....@tieto.com>

commit 47b4e1fc4972cc43a19121bc2608a60aef3bf216 upstream.

Remove checking tailroom when adding IV as it uses only
headroom, and move the check to the ICV generation that
actually needs the tailroom.

In other case I hit such warning and datapath don't work,
when testing:
- IBSS + WEP
- ath9k with hw crypt enabled
- IPv6 data (ping6)

WARNING: CPU: 3 PID: 13301 at net/mac80211/wep.c:102 ieee80211_wep_add_iv+0x129/0x190 [mac80211]()
[...]
Call Trace:
[<ffffffff817bf491>] dump_stack+0x45/0x57
[<ffffffff8107746a>] warn_slowpath_common+0x8a/0xc0
[<ffffffff8107755a>] warn_slowpath_null+0x1a/0x20
[<ffffffffc09ae109>] ieee80211_wep_add_iv+0x129/0x190 [mac80211]
[<ffffffffc09ae7ab>] ieee80211_crypto_wep_encrypt+0x6b/0xd0 [mac80211]
[<ffffffffc09d3fb1>] invoke_tx_handlers+0xc51/0xf30 [mac80211]
[...]

Signed-off-by: Janusz Dziedzic <janusz....@tieto.com>
Signed-off-by: Johannes Berg <johann...@intel.com>
[bwh: Backported to 3.2: s/IEEE80211_WEP/WEP/]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/mac80211/wep.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -97,8 +97,7 @@ static u8 *ieee80211_wep_add_iv(struct i

hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);

- if (WARN_ON(skb_tailroom(skb) < WEP_ICV_LEN ||
- skb_headroom(skb) < WEP_IV_LEN))
+ if (WARN_ON(skb_headroom(skb) < WEP_IV_LEN))
return NULL;

hdrlen = ieee80211_hdrlen(hdr->frame_control);
@@ -160,6 +159,9 @@ int ieee80211_wep_encrypt(struct ieee802
size_t len;
u8 rc4key[3 + WLAN_KEY_LEN_WEP104];

+ if (WARN_ON(skb_tailroom(skb) < WEP_ICV_LEN))
+ return -1;
+
iv = ieee80211_wep_add_iv(local, skb, keylen, keyidx);
if (!iv)
return -1;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Koro Chen <koro...@mediatek.com>

commit fdb6eb0a12871d5bfaf266c5a0d5259a5437a72f upstream.

When there is prefix specified, currently we will add this prefix in
widget->name, but not in widget->sname.
it causes failure at snd_soc_dapm_link_dai_widgets:

if (!w->sname || !strstr(w->sname, dai_w->name))

because dai_w->name has prefix added, but w->sname does not.
We should also add prefix for stream name

Signed-off-by: Koro Chen <koro...@mediatek.com>
Signed-off-by: Mark Brown <bro...@kernel.org>
[bwh: Backported to 3.2:
- Adjust context
- s/prefix/dapm->codec->name_prefix]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

sound/soc/soc-dapm.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -2675,12 +2675,18 @@ int snd_soc_dapm_new_control(struct snd_
kfree(w);
return -ENOMEM;
}
- if (dapm->codec && dapm->codec->name_prefix)
+ if (dapm->codec && dapm->codec->name_prefix) {
snprintf(w->name, name_len, "%s %s",
dapm->codec->name_prefix, widget->name);
- else
+ if (widget->sname)
+ w->sname = kasprintf(GFP_KERNEL, "%s %s",
+ dapm->codec->name_prefix,
+ widget->sname);
+ } else {
snprintf(w->name, name_len, "%s", widget->name);
-
+ if (widget->sname)
+ w->sname = kasprintf(GFP_KERNEL, "%s", widget->sname);
+ }
switch (w->id) {
case snd_soc_dapm_switch:
case snd_soc_dapm_mixer:

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry....@lwfinger.net>

commit 414b7e3b9ce8b0577f613e656fdbc36b34b444dd upstream.

The USB mini-driver in rtlwifi, which is used by rtl8192cu, issues a call to
usb_control_msg() with a timeout value of 0. In some instances where the
interface is shutting down, this infinite wait results in a CPU deadlock. A
one second timeout fixes this problem without affecting any normal operations.

This bug is reported at https://bugzilla.novell.com/show_bug.cgi?id=927786.

Reported-by: Bernhard Wiedemann <bwied...@suse.com>
Tested-by: Bernhard Wiedemann <bwied...@suse.com>
Signed-off-by: Larry Finger <Larry....@lwfinger.net>
Cc: Bernhard Wiedemann <bwied...@suse.com>
Cc: Takashi Iwai<ti...@suse.com>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>
[bwh: Backported to 3.2: adjust context, indentation]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/net/wireless/rtlwifi/usb.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -117,7 +117,7 @@ static int _usbctrl_vendorreq_sync_read(
reqtype = REALTEK_USB_VENQT_READ;

status = usb_control_msg(udev, pipe, request, reqtype, value, index,
- pdata, len, 0); /* max. timeout */
+ pdata, len, 1000);

if (status < 0)
pr_err("reg 0x%x, usbctrl_vendorreq TimeOut! status:0x%x value=0x%x\n",

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Davide Italiano <dccit...@gmail.com>

commit 280227a75b56ab5d35854f3a77ef74a7ad56a203 upstream.

fallocate() checks that the file is extent-based and returns
EOPNOTSUPP in case is not. Other tasks can convert from and to
indirect and extent so it's safe to check only after grabbing
the inode mutex.

Signed-off-by: Davide Italiano <dccit...@gmail.com>

Signed-off-by: Theodore Ts'o <ty...@mit.edu>

[bwh: Backported to 3.2:
- Adjust context

- Add the 'out' label]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/ext4/extents.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4470,13 +4470,6 @@ long ext4_fallocate(struct file *file, i
struct ext4_map_blocks map;
unsigned int credits, blkbits = inode->i_blkbits;

- /*
- * currently supporting (pre)allocate mode for extent-based
- * files _only_
- */
- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
- return -EOPNOTSUPP;
-
/* Return error if mode is not supported */
if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
return -EOPNOTSUPP;
@@ -4497,6 +4490,15 @@ long ext4_fallocate(struct file *file, i
*/
credits = ext4_chunk_trans_blocks(inode, max_blocks);
mutex_lock(&inode->i_mutex);
+
+ /*
+ * We only support preallocation for extent-based files only
+ */
+ if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+
ret = inode_newsize_ok(inode, (len + offset));
if (ret) {
mutex_unlock(&inode->i_mutex);
@@ -4553,6 +4555,7 @@ retry:
ret = 0;
goto retry;
}
+out:
mutex_unlock(&inode->i_mutex);
trace_ext4_fallocate_exit(inode, offset, max_blocks,
ret > 0 ? ret2 : ret);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo...@gmail.com>

commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 upstream.

->auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
->auto_asconf_list through the copy but was not honoring
->do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using ->addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen <ji...@redhat.com>
Suggested-by: Neil Horman <nho...@tuxdriver.com>
Suggested-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: Marcelo Ricardo Leitner <marcelo...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Adjust filename, context
- Most per-netns state is global]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -209,6 +209,7 @@ extern struct sctp_globals {
struct list_head addr_waitq;
struct timer_list addr_wq_timer;
struct list_head auto_asconf_splist;
+ /* Lock that protects both addr_waitq and auto_asconf_splist */
spinlock_t addr_wq_lock;

/* Lock that protects the local_addr_list writers */
@@ -355,6 +356,10 @@ struct sctp_sock {
atomic_t pd_mode;
/* Receive to here while partial delivery is in effect. */
struct sk_buff_head pd_lobby;
+
+ /* These must be the last fields, as they will skipped on copies,
+ * like on accept and peeloff operations
+ */
struct list_head auto_asconf_list;
int do_auto_asconf;
};
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1539,8 +1539,10 @@ SCTP_STATIC void sctp_close(struct sock

/* Supposedly, no process has access to the socket, but
* the net layers still may.
+ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+ * held and that should be grabbed before socket lock.
*/
- sctp_local_bh_disable();
+ spin_lock_bh(&sctp_globals.addr_wq_lock);
sctp_bh_lock_sock(sk);

/* Hold the sock, since sk_common_release() will put sock_put()
@@ -1550,7 +1552,7 @@ SCTP_STATIC void sctp_close(struct sock
sk_common_release(sk);

sctp_bh_unlock_sock(sk);
- sctp_local_bh_enable();
+ spin_unlock_bh(&sctp_globals.addr_wq_lock);

sock_put(sk);

@@ -3499,6 +3501,7 @@ static int sctp_setsockopt_auto_asconf(s
if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
return 0;

+ spin_lock_bh(&sctp_globals.addr_wq_lock);
if (val == 0 && sp->do_auto_asconf) {
list_del(&sp->auto_asconf_list);
sp->do_auto_asconf = 0;
@@ -3507,6 +3510,7 @@ static int sctp_setsockopt_auto_asconf(s
&sctp_auto_asconf_splist);
sp->do_auto_asconf = 1;
}
+ spin_unlock_bh(&sctp_globals.addr_wq_lock);
return 0;
}

@@ -3942,18 +3946,28 @@ SCTP_STATIC int sctp_init_sock(struct so
local_bh_disable();
percpu_counter_inc(&sctp_sockets_allocated);
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ /* Nothing can fail after this block, otherwise
+ * sctp_destroy_sock() will be called without addr_wq_lock held
+ */
if (sctp_default_auto_asconf) {
+ spin_lock(&sctp_globals.addr_wq_lock);
list_add_tail(&sp->auto_asconf_list,
&sctp_auto_asconf_splist);
sp->do_auto_asconf = 1;
- } else
+ spin_unlock(&sctp_globals.addr_wq_lock);
+ } else {
sp->do_auto_asconf = 0;
+ }
+
local_bh_enable();

return 0;
}

-/* Cleanup any SCTP per socket resources. */
+/* Cleanup any SCTP per socket resources. Must be called with
+ * sctp_globals.addr_wq_lock held if sp->do_auto_asconf is true
+ */
SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
{
struct sctp_sock *sp;
@@ -6719,6 +6733,19 @@ void sctp_copy_sock(struct sock *newsk,
newinet->mc_list = NULL;
}

+static inline void sctp_copy_descendant(struct sock *sk_to,
+ const struct sock *sk_from)
+{
+ int ancestor_size = sizeof(struct inet_sock) +
+ sizeof(struct sctp_sock) -
+ offsetof(struct sctp_sock, auto_asconf_list);
+
+ if (sk_from->sk_family == PF_INET6)
+ ancestor_size += sizeof(struct ipv6_pinfo);
+
+ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
+}
+
/* Populate the fields of the newsk from the oldsk and migrate the assoc
* and its messages to the newsk.
*/
@@ -6733,7 +6760,6 @@ static void sctp_sock_migrate(struct soc
struct sk_buff *skb, *tmp;
struct sctp_ulpevent *event;
struct sctp_bind_hashbucket *head;
- struct list_head tmplist;

/* Migrate socket buffer sizes and all the socket level options to the
* new socket.
@@ -6741,12 +6767,7 @@ static void sctp_sock_migrate(struct soc
newsk->sk_sndbuf = oldsk->sk_sndbuf;
newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
/* Brute force copy old sctp opt. */
- if (oldsp->do_auto_asconf) {
- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
- inet_sk_copy_descendant(newsk, oldsk);
- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
- } else
- inet_sk_copy_descendant(newsk, oldsk);
+ sctp_copy_descendant(newsk, oldsk);

/* Restore the ep value that was overwritten with the above structure
* copy.

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Harald Freudenberger <fre...@linux.vnet.ibm.com>

commit a1cae34e23b1293eccbcc8ee9b39298039c3952a upstream.

Multitheaded tests showed that the icv buffer in the current ghash
implementation is not handled correctly. A move of this working ghash
buffer value to the descriptor context fixed this. Code is tested and
verified with an multithreaded application via af_alg interface.

Signed-off-by: Harald Freudenberger <fre...@linux.vnet.ibm.com>
Signed-off-by: Gerald Schaefer <gera...@linux.vnet.ibm.com>
Reported-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/s390/crypto/ghash_s390.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)

--- a/arch/s390/crypto/ghash_s390.c
+++ b/arch/s390/crypto/ghash_s390.c
@@ -16,11 +16,12 @@
#define GHASH_DIGEST_SIZE 16

struct ghash_ctx {
- u8 icv[16];
- u8 key[16];
+ u8 key[GHASH_BLOCK_SIZE];
};

struct ghash_desc_ctx {
+ u8 icv[GHASH_BLOCK_SIZE];
+ u8 key[GHASH_BLOCK_SIZE];
u8 buffer[GHASH_BLOCK_SIZE];
u32 bytes;
};
@@ -28,8 +29,10 @@ struct ghash_desc_ctx {
static int ghash_init(struct shash_desc *desc)
{
struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+ struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);

memset(dctx, 0, sizeof(*dctx));
+ memcpy(dctx->key, ctx->key, GHASH_BLOCK_SIZE);

return 0;
}
@@ -45,7 +48,6 @@ static int ghash_setkey(struct crypto_sh
}

memcpy(ctx->key, key, GHASH_BLOCK_SIZE);
- memset(ctx->icv, 0, GHASH_BLOCK_SIZE);

return 0;
}
@@ -54,7 +56,6 @@ static int ghash_update(struct shash_des
const u8 *src, unsigned int srclen)
{
struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
unsigned int n;
u8 *buf = dctx->buffer;
int ret;
@@ -70,7 +71,7 @@ static int ghash_update(struct shash_des
src += n;

if (!dctx->bytes) {
- ret = crypt_s390_kimd(KIMD_GHASH, ctx, buf,
+ ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf,
GHASH_BLOCK_SIZE);
if (ret != GHASH_BLOCK_SIZE)
return -EIO;
@@ -79,7 +80,7 @@ static int ghash_update(struct shash_des

n = srclen & ~(GHASH_BLOCK_SIZE - 1);
if (n) {
- ret = crypt_s390_kimd(KIMD_GHASH, ctx, src, n);
+ ret = crypt_s390_kimd(KIMD_GHASH, dctx, src, n);
if (ret != n)
return -EIO;
src += n;
@@ -94,7 +95,7 @@ static int ghash_update(struct shash_des
return 0;
}

-static int ghash_flush(struct ghash_ctx *ctx, struct ghash_desc_ctx *dctx)
+static int ghash_flush(struct ghash_desc_ctx *dctx)
{
u8 *buf = dctx->buffer;
int ret;
@@ -104,24 +105,24 @@ static int ghash_flush(struct ghash_ctx

memset(pos, 0, dctx->bytes);

- ret = crypt_s390_kimd(KIMD_GHASH, ctx, buf, GHASH_BLOCK_SIZE);
+ ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf, GHASH_BLOCK_SIZE);
if (ret != GHASH_BLOCK_SIZE)
return -EIO;
+
+ dctx->bytes = 0;
}

- dctx->bytes = 0;
return 0;
}

static int ghash_final(struct shash_desc *desc, u8 *dst)
{
struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
int ret;

- ret = ghash_flush(ctx, dctx);
+ ret = ghash_flush(dctx);
if (!ret)
- memcpy(dst, ctx->icv, GHASH_BLOCK_SIZE);
+ memcpy(dst, dctx->icv, GHASH_BLOCK_SIZE);
return ret;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <k...@microsoft.com>

commit 73cffdb65e679b98893f484063462c045adcf212 upstream.

Don't wait after sending request for offers to the host. This wait is
unnecessary and simply adds 5 seconds to the boot time.

Signed-off-by: K. Y. Srinivasan <k...@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.2: deleted variable t was declared as int]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -606,7 +606,7 @@ int vmbus_request_offers(void)
{
struct vmbus_channel_message_header *msg;
struct vmbus_channel_msginfo *msginfo;
- int ret, t;
+ int ret;

msginfo = kmalloc(sizeof(*msginfo) +
sizeof(struct vmbus_channel_message_header),
@@ -614,8 +614,6 @@ int vmbus_request_offers(void)
if (!msginfo)
return -ENOMEM;

- init_completion(&msginfo->waitevent);
-
msg = (struct vmbus_channel_message_header *)msginfo->msg;

msg->msgtype = CHANNELMSG_REQUESTOFFERS;
@@ -629,14 +627,6 @@ int vmbus_request_offers(void)
goto cleanup;
}

- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
- if (t == 0) {
- ret = -ETIMEDOUT;
- goto cleanup;
- }
-
-
-
cleanup:
kfree(msginfo);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Sterba <dst...@suse.cz>

commit 3c3b04d10ff1811a27f86684ccd2f5ba6983211d upstream.

Due to insufficient check in btrfs_is_valid_xattr, this unexpectedly
works:

$ touch file
$ setfattr -n user. -v 1 file
$ getfattr -d file
user.="1"

ie. the missing attribute name after the namespace.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=94291
Reported-by: William Douglas <william...@intel.com>
Signed-off-by: David Sterba <dst...@suse.cz>
Signed-off-by: Chris Mason <c...@fb.com>
[bwh: Backported to 3.2: XATTR_BTRFS_PREFIX is not supported]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/btrfs/xattr.c | 53 +++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 39 insertions(+), 14 deletions(-)

--- a/fs/btrfs/xattr.c
+++ b/fs/btrfs/xattr.c
@@ -310,21 +310,40 @@ const struct xattr_handler *btrfs_xattr_
/*
* Check if the attribute is in a supported namespace.
*
- * This applied after the check for the synthetic attributes in the system
+ * This is applied after the check for the synthetic attributes in the system
* namespace.
*/
-static bool btrfs_is_valid_xattr(const char *name)
+static int btrfs_is_valid_xattr(const char *name)
{
- return !strncmp(name, XATTR_SECURITY_PREFIX,
- XATTR_SECURITY_PREFIX_LEN) ||
- !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) ||
- !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
- !strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
+ int len = strlen(name);
+ int prefixlen = 0;
+
+ if (!strncmp(name, XATTR_SECURITY_PREFIX,
+ XATTR_SECURITY_PREFIX_LEN))
+ prefixlen = XATTR_SECURITY_PREFIX_LEN;
+ else if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ prefixlen = XATTR_SYSTEM_PREFIX_LEN;
+ else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
+ prefixlen = XATTR_TRUSTED_PREFIX_LEN;
+ else if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ prefixlen = XATTR_USER_PREFIX_LEN;
+ else
+ return -EOPNOTSUPP;
+
+ /*
+ * The name cannot consist of just prefix
+ */
+ if (len <= prefixlen)
+ return -EINVAL;
+
+ return 0;
}

ssize_t btrfs_getxattr(struct dentry *dentry, const char *name,
void *buffer, size_t size)
{
+ int ret;
+
/*
* If this is a request for a synthetic attribute in the system.*
* namespace use the generic infrastructure to resolve a handler
@@ -333,8 +352,9 @@ ssize_t btrfs_getxattr(struct dentry *de
if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
return generic_getxattr(dentry, name, buffer, size);

- if (!btrfs_is_valid_xattr(name))
- return -EOPNOTSUPP;
+ ret = btrfs_is_valid_xattr(name);
+ if (ret)
+ return ret;
return __btrfs_getxattr(dentry->d_inode, name, buffer, size);
}

@@ -342,6 +362,7 @@ int btrfs_setxattr(struct dentry *dentry
size_t size, int flags)
{
struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root;
+ int ret;

/*
* The permission on security.* and system.* is not checked
@@ -358,8 +379,9 @@ int btrfs_setxattr(struct dentry *dentry
if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
return generic_setxattr(dentry, name, value, size, flags);

- if (!btrfs_is_valid_xattr(name))
- return -EOPNOTSUPP;
+ ret = btrfs_is_valid_xattr(name);
+ if (ret)
+ return ret;

if (size == 0)
value = ""; /* empty EA, do not remove */
@@ -371,6 +393,7 @@ int btrfs_setxattr(struct dentry *dentry
int btrfs_removexattr(struct dentry *dentry, const char *name)
{
struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root;
+ int ret;

/*
* The permission on security.* and system.* is not checked
@@ -387,8 +410,9 @@ int btrfs_removexattr(struct dentry *den
if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
return generic_removexattr(dentry, name);

- if (!btrfs_is_valid_xattr(name))
- return -EOPNOTSUPP;
+ ret = btrfs_is_valid_xattr(name);
+ if (ret)
+ return ret;

return __btrfs_setxattr(NULL, dentry->d_inode, name, NULL, 0,
XATTR_REPLACE);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lv Zheng <lv.z...@intel.com>

commit cc2080b0e5a7c6c33ef5e9ffccbc2b8f6f861393 upstream.

ACPICA commit 7f06739db43a85083a70371c14141008f20b2198

For physical addresses, since the address may exceed 32-bit address range
after calculation, we should use %8.8X%8.8X (see ACPI_FORMAT_UINT64()) to
convert the %p formats.

This is a preparation to switch acpi_physical_address to 64-bit on 32-bit
kernel builds.

Link: https://github.com/acpica/acpica/commit/7f06739d
Signed-off-by: Lv Zheng <lv.z...@intel.com>
Signed-off-by: Bob Moore <robert...@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>
Signed-off-by: Dirk Behme <dirk....@gmail.com>
[gdavis: Move tbinstall.c changes to tbutils.c due to lack of commit
"42f4786 ACPICA: Split table print utilities to a new a
separate file" in linux-3.10.y]
Signed-off-by: George G. Davis <george...@mentor.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.2:

- Drop inapplicable changes to drivers/acpi/acpica/utaddress.c and
acpi_tb_install_table()
- Fix similar format issues in acpi_tb_add_table() and
acpi_tb_install_table() that aren't present upstream]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/acpi/acpica/exfldio.c
+++ b/drivers/acpi/acpica/exfldio.c
@@ -257,17 +257,15 @@ acpi_ex_access_region(union acpi_operand
}

ACPI_DEBUG_PRINT_RAW((ACPI_DB_BFIELD,
- " Region [%s:%X], Width %X, ByteBase %X, Offset %X at %p\n",
+ " Region [%s:%X], Width %X, ByteBase %X, Offset %X at %8.8X%8.8X\n",
acpi_ut_get_region_name(rgn_desc->region.
space_id),
rgn_desc->region.space_id,
obj_desc->common_field.access_byte_width,
obj_desc->common_field.base_byte_offset,
- field_datum_byte_offset, ACPI_CAST_PTR(void,
- (rgn_desc->
- region.
- address +
- region_offset))));
+ field_datum_byte_offset,
+ ACPI_FORMAT_UINT64(rgn_desc->region.address +
+ region_offset)));

/* Invoke the appropriate address_space/op_region handler */

--- a/drivers/acpi/acpica/hwvalid.c
+++ b/drivers/acpi/acpica/hwvalid.c
@@ -141,17 +141,17 @@ acpi_hw_validate_io_request(acpi_io_addr
byte_width = ACPI_DIV_8(bit_width);
last_address = address + byte_width - 1;

- ACPI_DEBUG_PRINT((ACPI_DB_IO, "Address %p LastAddress %p Length %X",
- ACPI_CAST_PTR(void, address), ACPI_CAST_PTR(void,
- last_address),
- byte_width));
+ ACPI_DEBUG_PRINT((ACPI_DB_IO,
+ "Address %8.8X%8.8X LastAddress %8.8X%8.8X Length %X",
+ ACPI_FORMAT_UINT64(address),
+ ACPI_FORMAT_UINT64(last_address), byte_width));

/* Maximum 16-bit address in I/O space */

if (last_address > ACPI_UINT16_MAX) {
ACPI_ERROR((AE_INFO,
- "Illegal I/O port address/length above 64K: %p/0x%X",
- ACPI_CAST_PTR(void, address), byte_width));
+ "Illegal I/O port address/length above 64K: %8.8X%8.8X/0x%X",
+ ACPI_FORMAT_UINT64(address), byte_width));
return_ACPI_STATUS(AE_LIMIT);
}

@@ -180,8 +180,8 @@ acpi_hw_validate_io_request(acpi_io_addr

if (acpi_gbl_osi_data >= port_info->osi_dependency) {
ACPI_DEBUG_PRINT((ACPI_DB_IO,
- "Denied AML access to port 0x%p/%X (%s 0x%.4X-0x%.4X)",
- ACPI_CAST_PTR(void, address),
+ "Denied AML access to port 0x%8.8X%8.8X/%X (%s 0x%.4X-0x%.4X)",
+ ACPI_FORMAT_UINT64(address),
byte_width, port_info->name,
port_info->start,
port_info->end));
--- a/drivers/acpi/acpica/nsdump.c
+++ b/drivers/acpi/acpica/nsdump.c
@@ -251,12 +251,11 @@ acpi_ns_dump_one_object(acpi_handle obj_
switch (type) {
case ACPI_TYPE_PROCESSOR:

- acpi_os_printf("ID %02X Len %02X Addr %p\n",
+ acpi_os_printf("ID %02X Len %02X Addr %8.8X%8.8X\n",
obj_desc->processor.proc_id,
obj_desc->processor.length,
- ACPI_CAST_PTR(void,
- obj_desc->processor.
- address));
+ ACPI_FORMAT_UINT64(obj_desc->processor.
+ address));
break;

case ACPI_TYPE_DEVICE:
--- a/drivers/acpi/acpica/tbinstal.c
+++ b/drivers/acpi/acpica/tbinstal.c
@@ -228,9 +228,9 @@ acpi_tb_add_table(struct acpi_table_desc
status = acpi_os_table_override(table_desc->pointer, &override_table);
if (ACPI_SUCCESS(status) && override_table) {
ACPI_INFO((AE_INFO,
- "%4.4s @ 0x%p Table override, replaced with:",
+ "%4.4s @ 0x%8.8X%8.8X Table override, replaced with:",
table_desc->pointer->signature,
- ACPI_CAST_PTR(void, table_desc->address)));
+ ACPI_FORMAT_UINT64(table_desc->address)));

/* We can delete the table that was passed as a parameter */

--- a/drivers/acpi/acpica/tbutils.c
+++ b/drivers/acpi/acpica/tbutils.c
@@ -488,9 +488,8 @@ acpi_tb_install_table(acpi_physical_addr
status = acpi_os_table_override(mapped_table, &override_table);
if (ACPI_SUCCESS(status) && override_table) {
ACPI_INFO((AE_INFO,
- "%4.4s @ 0x%p Table override, replaced with:",
- mapped_table->signature, ACPI_CAST_PTR(void,
- address)));
+ "%4.4s @ 0x%8.8X%8.8X Table override, replaced with:",
+ mapped_table->signature, ACPI_FORMAT_UINT64(address)));

acpi_gbl_root_table_list.tables[table_index].pointer =
override_table;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Brian Norris <computer...@gmail.com>

commit f16db8071ce18819fbd705ddcc91c6f392fb61f8 upstream.

In some of the 'out_not_moved' error paths, lnum may be used
uninitialized. Don't ignore the warning; let's fix it.

This uninitialized variable doesn't have much visible effect in the end,
since we just schedule the PEB for erasure, and its LEB number doesn't
really matter (it just gets printed in debug messages). But let's get it
straight anyway.

Coverity CID #113449

Signed-off-by: Brian Norris <computer...@gmail.com>
Signed-off-by: Richard Weinberger <ric...@nod.at>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/mtd/ubi/wl.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -665,7 +665,7 @@ static int wear_leveling_worker(struct u
int cancel)
{
int err, scrubbing = 0, torture = 0, protect = 0, erroneous = 0;
- int vol_id = -1, uninitialized_var(lnum);
+ int vol_id = -1, lnum = -1;
struct ubi_wl_entry *e1, *e2;
struct ubi_vid_hdr *vid_hdr;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <s...@queasysnail.net>

commit 08e8331654d1d7b2c58045e549005bc356aa7810 upstream.

There is a race condition between e1000_change_mtu's cleanups and
netpoll, when we change the MTU across jumbo size:

Changing MTU frees all the rx buffers:
e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings ->
e1000_clean_rx_ring

Then, close to the end of e1000_change_mtu:
pr_info -> ... -> netpoll_poll_dev -> e1000_clean ->
e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag

And when we come back to do the rest of the MTU change:
e1000_up -> e1000_configure -> e1000_configure_rx ->
e1000_alloc_jumbo_rx_buffers

alloc_jumbo finds the buffers already != NULL, since data (shared with
page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage,
or at least not what is expected when in jumbo state.

This results in an unusable adapter (packets don't get through), and a
NULL pointer dereference on the next call to e1000_clean_rx_ring
(other mtu change, link down, shutdown):

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81194d6e>] put_compound_page+0x7e/0x330

[...]

Call Trace:
[<ffffffff81195445>] put_page+0x55/0x60
[<ffffffff815d9f44>] e1000_clean_rx_ring+0x134/0x200
[<ffffffff815da055>] e1000_clean_all_rx_rings+0x45/0x60
[<ffffffff815df5e0>] e1000_down+0x1c0/0x1d0
[<ffffffff811e2260>] ? deactivate_slab+0x7f0/0x840
[<ffffffff815e21bc>] e1000_change_mtu+0xdc/0x170
[<ffffffff81647050>] dev_set_mtu+0xa0/0x140
[<ffffffff81664218>] do_setlink+0x218/0xac0
[<ffffffff814459e9>] ? nla_parse+0xb9/0x120
[<ffffffff816652d0>] rtnl_newlink+0x6d0/0x890
[<ffffffff8104f000>] ? kvm_clock_read+0x20/0x40
[<ffffffff810a2068>] ? sched_clock_cpu+0xa8/0x100
[<ffffffff81663802>] rtnetlink_rcv_msg+0x92/0x260

By setting the allocator to a dummy version, netpoll can't mess up our
rx buffers. The allocator is set back to a sane value in
e1000_configure_rx.

Fixes: edbbb3ca1077 ("e1000: implement jumbo receive with partial descriptors")
Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>
Tested-by: Aaron Brown <aaron....@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey....@intel.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -149,6 +149,11 @@ static bool e1000_clean_rx_irq(struct e1
static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter,
struct e1000_rx_ring *rx_ring,
int *work_done, int work_to_do);
+static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int cleaned_count)
+{
+}
static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter,
struct e1000_rx_ring *rx_ring,
int cleaned_count);
@@ -3322,8 +3327,11 @@ static int e1000_change_mtu(struct net_d
msleep(1);
/* e1000_down has a dependency on max_frame_size */
hw->max_frame_size = max_frame;
- if (netif_running(netdev))
+ if (netif_running(netdev)) {
+ /* prevent buffers from being reallocated */
+ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers;
e1000_down(adapter);
+ }

/* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN
* means we reserve 2 more, this pushes us to allocate from the next

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Baruch Siach <bar...@tkos.co.il>

commit 838d030bda9e2da5f9dcf7251f4e117c6258cb2f upstream.

The callback function signature has changed in commit a5818a8bd0 (pinctrl:
get_group_pins() const fixes)

Fixes: a5818a8bd0 ('pinctrl: get_group_pins() const fixes')
Cc: Stephen Warren <swa...@nvidia.com>
Signed-off-by: Baruch Siach <bar...@tkos.co.il>
Signed-off-by: Linus Walleij <linus....@linaro.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

Documentation/pinctrl.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/Documentation/pinctrl.txt
+++ b/Documentation/pinctrl.txt
@@ -164,8 +164,8 @@ static const char *foo_get_group_name(st
}

static int foo_get_group_pins(struct pinctrl_dev *pctldev, unsigned selector,
- unsigned ** const pins,
- unsigned * const num_pins)
+ const unsigned **pins,
+ unsigned *num_pins)
{
*pins = (unsigned *) foo_groups[selector].pins;
*num_pins = foo_groups[selector].num_pins;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ekaterina Tumanova <tuma...@linux.vnet.ibm.com>

commit b75f4c9afac2604feb971441116c07a24ecca1ec upstream.

s390 documentation requires words 0 and 10-15 to be reserved and stored as
zeros. As we fill out all other fields, we can memset the full structure.

Signed-off-by: Ekaterina Tumanova <tuma...@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <da...@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <bornt...@de.ibm.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/s390/kvm/priv.c | 1 +
1 file changed, 1 insertion(+)

--- a/arch/s390/kvm/priv.c
+++ b/arch/s390/kvm/priv.c
@@ -219,6 +219,7 @@ static void handle_stsi_3_2_2(struct kvm
for (n = mem->count - 1; n > 0 ; n--)
memcpy(&mem->vm[n], &mem->vm[n - 1], sizeof(mem->vm[0]));

+ memset(&mem->vm[0], 0, sizeof(mem->vm[0]));
mem->vm[0].cpus_total = cpus;
mem->vm[0].cpus_configured = cpus;
mem->vm[0].cpus_standby = 0;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.koz...@samsung.com>

commit 1915a718b1872edffcb13e5436a9f7302d3d36f0 upstream.

The return value of power_supply_register() call was not checked and
even on error probe() function returned 0. If registering failed then
during unbind the driver tried to unregister power supply which was not
actually registered.

This could lead to memory corruption because power_supply_unregister()
unconditionally cleans up given power supply.

Fix this by checking return status of power_supply_register() call. In
case of failure, clean up sysfs entries and fail the probe.

Signed-off-by: Krzysztof Kozlowski <k.koz...@samsung.com>
Fixes: 9be0fcb5ed46 ("compal-laptop: add JHL90, battery & hwmon interface")
Signed-off-by: Sebastian Reichel <s...@kernel.org>
[bwh: Backported to 3.2: insert the appropriate cleanup code as there is no
common 'remove' label]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/platform/x86/compal-laptop.c
+++ b/drivers/platform/x86/compal-laptop.c
@@ -1046,7 +1046,14 @@ static int __devinit compal_probe(struct

/* Power supply */
initialize_power_supply_data(data);
- power_supply_register(&compal_device->dev, &data->psy);
+ err = power_supply_register(&compal_device->dev, &data->psy);
+ if (err < 0) {
+ hwmon_device_unregister(data->hwmon_dev);
+ sysfs_remove_group(&pdev->dev.kobj,
+ &compal_attribute_group);
+ kfree(data);
+ return err;
+ }

platform_set_drvdata(pdev, data);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdma...@suse.com>

commit dcc82f4783ad91d4ab654f89f37ae9291cdc846a upstream.

While committing a transaction we free the log roots before we write the
new super block. Freeing the log roots implies marking the disk location
of every node/leaf (metadata extent) as pinned before the new super block
is written. This is to prevent the disk location of log metadata extents
from being reused before the new super block is written, otherwise we
would have a corrupted log tree if before the new super block is written
a crash/reboot happens and the location of any log tree metadata extent
ended up being reused and rewritten.

Even though we pinned the log tree's metadata extents, we were issuing a
discard against them if the fs was mounted with the -o discard option,
resulting in corruption of the log tree if a crash/reboot happened before
writing the new super block - the next time the fs was mounted, during
the log replay process we would find nodes/leafs of the log btree with
a content full of zeroes, causing the process to fail and require the
use of the tool btrfs-zero-log to wipeout the log tree (and all data
previously fsynced becoming lost forever).

Fix this by not doing a discard when pinning an extent. The discard will
be done later when it's safe (after the new super block is committed) at
extent-tree.c:btrfs_finish_extent_commit().

Fixes: e688b7252f78 (Btrfs: fix extent pinning bugs in the tree log)
Signed-off-by: Filipe Manana <fdma...@suse.com>
Signed-off-by: Chris Mason <c...@fb.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/btrfs/extent-tree.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -5678,12 +5678,11 @@ static int __btrfs_free_reserved_extent(
return -ENOSPC;
}

- if (btrfs_test_opt(root, DISCARD))
- ret = btrfs_discard_extent(root, start, len, NULL);
-
if (pin)
pin_down_extent(root, cache, start, len, 1);
else {
+ if (btrfs_test_opt(root, DISCARD))
+ ret = btrfs_discard_extent(root, start, len, NULL);
btrfs_add_free_space(cache, start, len);
btrfs_update_reserved_bytes(cache, len, RESERVE_FREE);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sam Ravnborg <s...@ravnborg.org>

commit d657784b70ef653350d7aa49da90a8484c29da7d upstream.

Minimal fix to allow leon to be built.

Signed-off-by: Sam Ravnborg <s...@ravnborg.org>
Cc: Konrad Eisele <kon...@gaisler.com>
Cc: Daniel Hellstrom <dan...@gaisler.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/sparc/kernel/leon_pci.c | 13 -------------
1 file changed, 13 deletions(-)

--- a/arch/sparc/kernel/leon_pci.c
+++ b/arch/sparc/kernel/leon_pci.c
@@ -78,7 +78,6 @@ EXPORT_SYMBOL(pcibios_bus_to_resource);

void __devinit pcibios_fixup_bus(struct pci_bus *pbus)
{
- struct leon_pci_info *info = pbus->sysdata;
struct pci_dev *dev;
int i, has_io, has_mem;
u16 cmd;
@@ -153,18 +152,6 @@ int pcibios_enable_device(struct pci_dev
return pci_enable_resources(dev, mask);
}

-struct device_node *pci_device_to_OF_node(struct pci_dev *pdev)
-{
- /*
- * Currently the OpenBoot nodes are not connected with the PCI device,
- * this is because the LEON PROM does not create PCI nodes. Eventually
- * this will change and the same approach as pcic.c can be used to
- * match PROM nodes with pci devices.
- */
- return NULL;
-}
-EXPORT_SYMBOL(pci_device_to_OF_node);
-
void __devinit pcibios_update_irq(struct pci_dev *dev, int irq)
{
#ifdef CONFIG_PCI_DEBUG

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ra...@linux-mips.org>

commit 9cdf30bd3bac697fc533988f44a117434a858f69 upstream.

Returns a non-zero value if the current processor implementation requires
an IHB instruction to deal with an instruction hazard as per MIPS R2
architecture specification, zero otherwise.

For a discussion, see http://patchwork.linux-mips.org/patch/9539/.

Signed-off-by: Ralf Baechle <ra...@linux-mips.org>
[bwh: Backported to 3.2: trim the CPU type list]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/mips/include/asm/cpu-features.h | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)

--- a/arch/mips/include/asm/cpu-features.h
+++ b/arch/mips/include/asm/cpu-features.h
@@ -153,8 +153,32 @@
#define cpu_has_mips_r (cpu_has_mips32r1 | cpu_has_mips32r2 | \
cpu_has_mips64r1 | cpu_has_mips64r2)

+/*
+ * cpu_has_mips_r2_exec_hazard - return if IHB is required on current processor
+ *
+ * Returns non-zero value if the current processor implementation requires
+ * an IHB instruction to deal with an instruction hazard as per MIPS R2
+ * architecture specification, zero otherwise.
+ */
#ifndef cpu_has_mips_r2_exec_hazard
-#define cpu_has_mips_r2_exec_hazard cpu_has_mips_r2
+#define cpu_has_mips_r2_exec_hazard \
+({ \
+ int __res; \
+ \
+ switch (current_cpu_type()) { \
+ case CPU_74K: \
+ case CPU_CAVIUM_OCTEON: \
+ case CPU_CAVIUM_OCTEON_PLUS: \
+ case CPU_CAVIUM_OCTEON2: \
+ __res = 0; \
+ break; \
+ \
+ default: \
+ __res = 1; \
+ } \
+ \
+ __res; \
+})
#endif

/*

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.de>

commit 323ece54e0761198946ecd0c2091f1d2bfdfcb64 upstream.

Values directly from descriptors given in debug statements
must be converted to native endianness.

Signed-off-by: Oliver Neukum <one...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/class/cdc-wdm.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -224,7 +224,7 @@ static void wdm_int_callback(struct urb
case USB_CDC_NOTIFY_RESPONSE_AVAILABLE:
dev_dbg(&desc->intf->dev,
"NOTIFY_RESPONSE_AVAILABLE received: index %d len %d",
- dr->wIndex, dr->wLength);
+ le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength));
break;

case USB_CDC_NOTIFY_NETWORK_CONNECTION:
@@ -237,14 +237,16 @@ static void wdm_int_callback(struct urb
clear_bit(WDM_POLL_RUNNING, &desc->flags);
dev_err(&desc->intf->dev,
"unknown notification %d received: index %d len %d\n",
- dr->bNotificationType, dr->wIndex, dr->wLength);
+ dr->bNotificationType,
+ le16_to_cpu(dr->wIndex),
+ le16_to_cpu(dr->wLength));
goto exit;
}

req->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE);
req->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE;
req->wValue = 0;
- req->wIndex = desc->inum;
+ req->wIndex = desc->inum; /* already converted */
req->wLength = cpu_to_le16(desc->wMaxCommand);

usb_fill_control_urb(
@@ -401,7 +403,7 @@ static ssize_t wdm_write
USB_RECIP_INTERFACE);
req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND;
req->wValue = 0;
- req->wIndex = desc->inum;
+ req->wIndex = desc->inum; /* already converted */
req->wLength = cpu_to_le16(count);
set_bit(WDM_IN_USE, &desc->flags);
desc->outbuf = buf;
@@ -414,7 +416,7 @@ static ssize_t wdm_write
dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
} else {
dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d",
- req->wIndex);
+ le16_to_cpu(req->wIndex));
}
out:
usb_autopm_put_interface(desc->intf);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ra...@linux-mips.org>

commit f05ff43355e6997c18f82ddcee370a6e5f8643ce upstream.

This is no longer needed with the fixed, new and improved definition
of cpu_has_mips_r2_exec_hazard in <asm/cpu-features.h>.

For a discussion, see http://patchwork.linux-mips.org/patch/9539/.

Signed-off-by: Ralf Baechle <ra...@linux-mips.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/mips/include/asm/mach-cavium-octeon/cpu-feature-overrides.h | 1 -
1 file changed, 1 deletion(-)

--- a/arch/mips/include/asm/mach-cavium-octeon/cpu-feature-overrides.h
+++ b/arch/mips/include/asm/mach-cavium-octeon/cpu-feature-overrides.h
@@ -51,7 +51,6 @@
#define cpu_has_mips32r2 0
#define cpu_has_mips64r1 0
#define cpu_has_mips64r2 1
-#define cpu_has_mips_r2_exec_hazard 0
#define cpu_has_dsp 0
#define cpu_has_mipsmt 0
#define cpu_has_vint 0

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mch...@redhat.com>

commit 5b889e379f340f43b1252abde5d37a7084c846b9 upstream.

As reported by Josh Boyer <jwb...@redhat.com>:
> drivers/edac/sb_edac.c: In function 'get_memory_error_data':
> drivers/edac/sb_edac.c:861:2: warning: left shift count >= width of type
> [enabled by default]
> <snip>
> ERROR: "__udivdi3" [drivers/edac/sb_edac.ko] undefined!
> make[1]: *** [__modpost] Error 1
> make: *** [modules] Error 2

PS.: compile-tested only

Reported-by: Josh Boyer <jwb...@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@redhat.com>
[bwh: Prerequisite for "sb_edac: Fix erroneous bytes->gigabytes conversion"]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/edac/Kconfig | 2 +-
drivers/edac/sb_edac.c | 48 +++++++++++++++++++++++++++++-------------------
2 files changed, 30 insertions(+), 20 deletions(-)

--- a/drivers/edac/Kconfig
+++ b/drivers/edac/Kconfig
@@ -214,7 +214,7 @@ config EDAC_I7300

config EDAC_SBRIDGE
tristate "Intel Sandy-Bridge Integrated MC"
- depends on EDAC_MM_EDAC && PCI && X86_64 && X86_MCE_INTEL
+ depends on EDAC_MM_EDAC && PCI && X86 && X86_MCE_INTEL
depends on EXPERIMENTAL
help
Support for error detection and correction the Intel
--- a/drivers/edac/sb_edac.c
+++ b/drivers/edac/sb_edac.c
@@ -20,6 +20,7 @@
#include <linux/mmzone.h>
#include <linux/smp.h>
#include <linux/bitmap.h>
+#include <linux/math64.h>
#include <asm/processor.h>
#include <asm/mce.h>

@@ -671,6 +672,7 @@ static void get_memory_layout(const stru
u32 reg;
u64 limit, prv = 0;
u64 tmp_mb;
+ u32 mb, kb;
u32 rir_way;

/*
@@ -683,8 +685,9 @@ static void get_memory_layout(const stru
pvt->tolm = GET_TOLM(reg);
tmp_mb = (1 + pvt->tolm) >> 20;

- debugf0("TOLM: %Lu.%03Lu GB (0x%016Lx)\n",
- tmp_mb / 1000, tmp_mb % 1000, (u64)pvt->tolm);
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("TOLM: %u.%03u GB (0x%016Lx)\n",
+ mb, kb, (u64)pvt->tolm);

/* Address range is already 45:25 */
pci_read_config_dword(pvt->pci_sad1, TOHM,
@@ -692,8 +695,9 @@ static void get_memory_layout(const stru
pvt->tohm = GET_TOHM(reg);
tmp_mb = (1 + pvt->tohm) >> 20;

- debugf0("TOHM: %Lu.%03Lu GB (0x%016Lx)",
- tmp_mb / 1000, tmp_mb % 1000, (u64)pvt->tohm);
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("TOHM: %u.%03u GB (0x%016Lx)",
+ mb, kb, (u64)pvt->tohm);

/*
* Step 2) Get SAD range and SAD Interleave list
@@ -715,10 +719,11 @@ static void get_memory_layout(const stru
break;

tmp_mb = (limit + 1) >> 20;
- debugf0("SAD#%d %s up to %Lu.%03Lu GB (0x%016Lx) %s reg=0x%08x\n",
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("SAD#%d %s up to %u.%03u GB (0x%016Lx) %s reg=0x%08x\n",
n_sads,
get_dram_attr(reg),
- tmp_mb / 1000, tmp_mb % 1000,
+ mb, kb,
((u64)tmp_mb) << 20L,
INTERLEAVE_MODE(reg) ? "Interleave: 8:6" : "Interleave: [8:6]XOR[18:16]",
reg);
@@ -748,8 +753,9 @@ static void get_memory_layout(const stru
break;
tmp_mb = (limit + 1) >> 20;

- debugf0("TAD#%d: up to %Lu.%03Lu GB (0x%016Lx), socket interleave %d, memory interleave %d, TGT: %d, %d, %d, %d, reg=0x%08x\n",
- n_tads, tmp_mb / 1000, tmp_mb % 1000,
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("TAD#%d: up to %u.%03u GB (0x%016Lx), socket interleave %d, memory interleave %d, TGT: %d, %d, %d, %d, reg=0x%08x\n",
+ n_tads, mb, kb,
((u64)tmp_mb) << 20L,
(u32)TAD_SOCK(reg),
(u32)TAD_CH(reg),
@@ -772,9 +778,10 @@ static void get_memory_layout(const stru
tad_ch_nilv_offset[j],
&reg);
tmp_mb = TAD_OFFSET(reg) >> 20;
- debugf0("TAD CH#%d, offset #%d: %Lu.%03Lu GB (0x%016Lx), reg=0x%08x\n",
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("TAD CH#%d, offset #%d: %u.%03u GB (0x%016Lx), reg=0x%08x\n",
i, j,
- tmp_mb / 1000, tmp_mb % 1000,
+ mb, kb,
((u64)tmp_mb) << 20L,
reg);
}
@@ -796,9 +803,10 @@ static void get_memory_layout(const stru

tmp_mb = RIR_LIMIT(reg) >> 20;
rir_way = 1 << RIR_WAY(reg);
- debugf0("CH#%d RIR#%d, limit: %Lu.%03Lu GB (0x%016Lx), way: %d, reg=0x%08x\n",
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("CH#%d RIR#%d, limit: %u.%03u GB (0x%016Lx), way: %d, reg=0x%08x\n",
i, j,
- tmp_mb / 1000, tmp_mb % 1000,
+ mb, kb,
((u64)tmp_mb) << 20L,
rir_way,
reg);
@@ -809,9 +817,10 @@ static void get_memory_layout(const stru
&reg);
tmp_mb = RIR_OFFSET(reg) << 6;

- debugf0("CH#%d RIR#%d INTL#%d, offset %Lu.%03Lu GB (0x%016Lx), tgt: %d, reg=0x%08x\n",
+ mb = div_u64_rem(tmp_mb, 1000, &kb);
+ debugf0("CH#%d RIR#%d INTL#%d, offset %u.%03u GB (0x%016Lx), tgt: %d, reg=0x%08x\n",
i, j, k,
- tmp_mb / 1000, tmp_mb % 1000,
+ mb, kb,
((u64)tmp_mb) << 20L,
(u32)RIR_RNK_TGT(reg),
reg);
@@ -849,6 +858,7 @@ static int get_memory_error_data(struct
u8 ch_way,sck_way;
u32 tad_offset;
u32 rir_way;
+ u32 mb, kb;
u64 ch_addr, offset, limit, prv = 0;


@@ -859,7 +869,7 @@ static int get_memory_error_data(struct
* range (e. g. VGA addresses). It is unlikely, however, that the
* memory controller would generate an error on that range.
*/
- if ((addr > (u64) pvt->tolm) && (addr < (1L << 32))) {
+ if ((addr > (u64) pvt->tolm) && (addr < (1LL << 32))) {
sprintf(msg, "Error at TOLM area, on addr 0x%08Lx", addr);
edac_mc_handle_ce_no_info(mci, msg);
return -EINVAL;
@@ -1054,7 +1064,7 @@ static int get_memory_error_data(struct
ch_addr = addr & 0x7f;
/* Remove socket wayness and remove 6 bits */
addr >>= 6;
- addr /= sck_xch;
+ addr = div_u64(addr, sck_xch);
#if 0
/* Divide by channel way */
addr = addr / ch_way;
@@ -1074,10 +1084,10 @@ static int get_memory_error_data(struct
continue;

limit = RIR_LIMIT(reg);
-
- debugf0("RIR#%d, limit: %Lu.%03Lu GB (0x%016Lx), way: %d\n",
+ mb = div_u64_rem(limit >> 20, 1000, &kb);
+ debugf0("RIR#%d, limit: %u.%03u GB (0x%016Lx), way: %d\n",
n_rir,
- (limit >> 20) / 1000, (limit >> 20) % 1000,
+ mb, kb,
limit,
1 << RIR_WAY(reg));
if (ch_addr <= limit)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit e3c93e1a3f35be4cf1493d3ccfb0c6d9209e4922 upstream.

As per Mentor Graphics' documentation, we should
always handle TX endpoints before RX endpoints.

This patch fixes that error while also updating
some hard-to-read comments which were scattered
around musb_interrupt().

This patch should be backported as far back as
possible since this error has been in the driver
since it's conception.

Signed-off-by: Felipe Balbi <ba...@ti.com>
[bwh: Backported to 3.2: adjust context, indentation]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/musb/musb_core.c | 44 ++++++++++++++++++++++++++------------------
1 file changed, 26 insertions(+), 18 deletions(-)

--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -1524,16 +1524,30 @@ irqreturn_t musb_interrupt(struct musb *
(devctl & MUSB_DEVCTL_HM) ? "host" : "peripheral",
musb->int_usb, musb->int_tx, musb->int_rx);

- /* the core can interrupt us for multiple reasons; docs have
- * a generic interrupt flowchart to follow
+ /**
+ * According to Mentor Graphics' documentation, flowchart on page 98,
+ * IRQ should be handled as follows:
+ *
+ * . Resume IRQ
+ * . Session Request IRQ
+ * . VBUS Error IRQ
+ * . Suspend IRQ
+ * . Connect IRQ
+ * . Disconnect IRQ
+ * . Reset/Babble IRQ
+ * . SOF IRQ (we're not using this one)
+ * . Endpoint 0 IRQ
+ * . TX Endpoints
+ * . RX Endpoints
+ *
+ * We will be following that flowchart in order to avoid any problems
+ * that might arise with internal Finite State Machine.
*/
+
if (musb->int_usb)
retval |= musb_stage0_irq(musb, musb->int_usb,
devctl, power);

- /* "stage 1" is handling endpoint irqs */
-
- /* handle endpoint 0 first */
if (musb->int_tx & 1) {
if (devctl & MUSB_DEVCTL_HM)
retval |= musb_h_ep0_irq(musb);
@@ -1541,43 +1555,37 @@ irqreturn_t musb_interrupt(struct musb *
retval |= musb_g_ep0_irq(musb);
}

- /* RX on endpoints 1-15 */
- reg = musb->int_rx >> 1;
+ reg = musb->int_tx >> 1;
ep_num = 1;
while (reg) {
if (reg & 1) {
- /* musb_ep_select(musb->mregs, ep_num); */
- /* REVISIT just retval = ep->rx_irq(...) */
retval = IRQ_HANDLED;
if (devctl & MUSB_DEVCTL_HM) {
if (is_host_capable())
- musb_host_rx(musb, ep_num);
+ musb_host_tx(musb, ep_num);
} else {
if (is_peripheral_capable())
- musb_g_rx(musb, ep_num);
+ musb_g_tx(musb, ep_num);
}
}
-
reg >>= 1;
ep_num++;
}

- /* TX on endpoints 1-15 */
- reg = musb->int_tx >> 1;
+ reg = musb->int_rx >> 1;
ep_num = 1;
while (reg) {
if (reg & 1) {
- /* musb_ep_select(musb->mregs, ep_num); */
- /* REVISIT just retval |= ep->tx_irq(...) */
retval = IRQ_HANDLED;
if (devctl & MUSB_DEVCTL_HM) {
if (is_host_capable())
- musb_host_tx(musb, ep_num);
+ musb_host_rx(musb, ep_num);
} else {
if (is_peripheral_capable())
- musb_g_tx(musb, ep_num);
+ musb_g_rx(musb, ep_num);
}
}
+
reg >>= 1;
ep_num++;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexande...@amd.com>

commit fd99a0943ffaa0320ea4f69d09ed188f950c0432 upstream.

Use the correct flags for atom.

v2: handle DRM_MODE_FLAG_DBLCLK

Signed-off-by: Alex Deucher <alexande...@amd.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/gpu/drm/radeon/atombios_crtc.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/atombios_crtc.c
+++ b/drivers/gpu/drm/radeon/atombios_crtc.c
@@ -302,8 +302,10 @@ atombios_set_crtc_dtd_timing(struct drm_
misc |= ATOM_COMPOSITESYNC;
if (mode->flags & DRM_MODE_FLAG_INTERLACE)
misc |= ATOM_INTERLACE;
- if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
+ if (mode->flags & DRM_MODE_FLAG_DBLCLK)
misc |= ATOM_DOUBLE_CLOCK_MODE;
+ if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
+ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2;

args.susModeMiscInfo.usAccess = cpu_to_le16(misc);
args.ucCRTC = radeon_crtc->crtc_id;
@@ -346,8 +348,10 @@ static void atombios_crtc_set_timing(str
misc |= ATOM_COMPOSITESYNC;
if (mode->flags & DRM_MODE_FLAG_INTERLACE)
misc |= ATOM_INTERLACE;
- if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
+ if (mode->flags & DRM_MODE_FLAG_DBLCLK)
misc |= ATOM_DOUBLE_CLOCK_MODE;
+ if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
+ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2;

args.susModeMiscInfo.usAccess = cpu_to_le16(misc);
args.ucCRTC = radeon_crtc->crtc_id;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tommi Rantala <tt.ra...@gmail.com>

commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab upstream.

Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
ip_vs_ctl local vars moved to ipvs struct."):

unreferenced object 0xffff88005785b800 (size 2048):
comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
hex dump (first 32 bytes):
bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff .........x.N....
04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
[<ffffffff811b88a0>] kmemdup+0x20/0x50
[<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
[<ffffffff8231d630>] __ip_vs_init+0x100/0x250
[<ffffffff822363a1>] ops_init+0x41/0x190
[<ffffffff82236583>] setup_net+0x93/0x150
[<ffffffff82236cc2>] copy_net_ns+0x82/0x140
[<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
[<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
[<ffffffff810833e3>] SyS_unshare+0x173/0x310
[<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
[<ffffffffffffffff>] 0xffffffffffffffff

Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
Signed-off-by: Tommi Rantala <tt.ra...@gmail.com>
Acked-by: Julian Anastasov <j...@ssi.bg>
Signed-off-by: Simon Horman <ho...@verge.net.au>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3689,6 +3689,9 @@ void __net_init ip_vs_control_net_cleanu
cancel_work_sync(&ipvs->defense_work.work);
unregister_net_sysctl_table(ipvs->sysctl_hdr);
ip_vs_stop_estimator(net, &ipvs->tot_stats);
+
+ if (!net_eq(net, &init_net))
+ kfree(ipvs->sysctl_tbl);
}

#else

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

commit 79bae42d51a5d498500c890c19ef76df41d2bf59 upstream.

Move the calls to memcpy_fromio() up into the loop in
dmi_scan_machine(), and move the signature checks back down into
dmi_decode(). We need to check at 16-byte intervals but keep a 32-byte
buffer for an SMBIOS entry, so shift the buffer after each iteration.

Merge smbios_present() into dmi_present(), so we look for an SMBIOS
signature at the beginning of the given buffer and then for a DMI
signature at an offset of 16 bytes.

[artem....@gmail.com: use proper buf type in dmi_present()]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Reported-by: Tim McGrath <tmhi...@gmail.com>
Tested-by: Tim Mcgrath <tmhi...@gmail.com>
Cc: Zhenzhong Duan <zhenzho...@oracle.com>
Signed-off-by: Artem Savkov <artem....@gmail.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Prerequisite for "firmware: dmi_scan: Fix ordering of product_uuid"]
---
drivers/firmware/dmi_scan.c | 80 +++++++++++++++++++++------------------------
1 file changed, 37 insertions(+), 43 deletions(-)

--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
@@ -410,22 +410,45 @@ static void __init dmi_dump_ids(void)
printk(KERN_CONT "\n");
}

-static int __init dmi_present(const char __iomem *p)
+static int __init dmi_present(const u8 *buf)
{
- u8 buf[15];
+ int smbios_ver;

- memcpy_fromio(buf, p, 15);
- if (dmi_checksum(buf, 15)) {
+ if (memcmp(buf, "_SM_", 4) == 0 &&
+ buf[5] < 32 && dmi_checksum(buf, buf[5])) {
+ smbios_ver = (buf[6] << 8) + buf[7];
+
+ /* Some BIOS report weird SMBIOS version, fix that up */
+ switch (smbios_ver) {
+ case 0x021F:
+ case 0x0221:
+ pr_debug("SMBIOS version fixup(2.%d->2.%d)\n",
+ smbios_ver & 0xFF, 3);
+ smbios_ver = 0x0203;
+ break;
+ case 0x0233:
+ pr_debug("SMBIOS version fixup(2.%d->2.%d)\n", 51, 6);
+ smbios_ver = 0x0206;
+ break;
+ }
+ } else {
+ smbios_ver = 0;
+ }
+
+ buf += 16;
+
+ if (memcmp(buf, "_DMI_", 5) == 0 && dmi_checksum(buf, 15)) {
dmi_num = (buf[13] << 8) | buf[12];
dmi_len = (buf[7] << 8) | buf[6];
dmi_base = (buf[11] << 24) | (buf[10] << 16) |
(buf[9] << 8) | buf[8];

if (dmi_walk_early(dmi_decode) == 0) {
- if (dmi_ver)
+ if (smbios_ver) {
+ dmi_ver = smbios_ver;
pr_info("SMBIOS %d.%d present.\n",
dmi_ver >> 8, dmi_ver & 0xFF);
- else {
+ } else {
dmi_ver = (buf[14] & 0xF0) << 4 |
(buf[14] & 0x0F);
pr_info("Legacy DMI %d.%d present.\n",
@@ -435,40 +458,14 @@ static int __init dmi_present(const char
return 0;
}
}
- dmi_ver = 0;
- return 1;
-}

-static int __init smbios_present(const char __iomem *p)
-{
- u8 buf[32];
-
- memcpy_fromio(buf, p, 32);
- if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) {
- dmi_ver = (buf[6] << 8) + buf[7];
-
- /* Some BIOS report weird SMBIOS version, fix that up */
- switch (dmi_ver) {
- case 0x021F:
- case 0x0221:
- pr_debug("SMBIOS version fixup(2.%d->2.%d)\n",
- dmi_ver & 0xFF, 3);
- dmi_ver = 0x0203;
- break;
- case 0x0233:
- pr_debug("SMBIOS version fixup(2.%d->2.%d)\n", 51, 6);
- dmi_ver = 0x0206;
- break;
- }
- return memcmp(p + 16, "_DMI_", 5) || dmi_present(p + 16);
- }
return 1;
}

void __init dmi_scan_machine(void)
{
char __iomem *p, *q;
- int rc;
+ char buf[32];

if (efi_enabled(EFI_CONFIG_TABLES)) {
if (efi.smbios == EFI_INVALID_TABLE_ADDR)
@@ -481,10 +478,10 @@ void __init dmi_scan_machine(void)
p = dmi_ioremap(efi.smbios, 32);
if (p == NULL)
goto error;
-
- rc = smbios_present(p);
+ memcpy_fromio(buf, p, 32);
dmi_iounmap(p, 32);
- if (!rc) {
+
+ if (!dmi_present(buf)) {
dmi_available = 1;
goto out;
}
@@ -499,18 +496,15 @@ void __init dmi_scan_machine(void)
if (p == NULL)
goto error;

+ memset(buf, 0, 16);
for (q = p; q < p + 0x10000; q += 16) {
- if (memcmp(q, "_SM_", 4) == 0 && q - p <= 0xFFE0)
- rc = smbios_present(q);
- else if (memcmp(q, "_DMI_", 5) == 0)
- rc = dmi_present(q);
- else
- continue;
- if (!rc) {
+ memcpy_fromio(buf + 16, q, 16);
+ if (!dmi_present(buf)) {
dmi_available = 1;
dmi_iounmap(p, 0x10000);
goto out;
}
+ memcpy(buf, buf + 16, 16);
}
dmi_iounmap(p, 0x10000);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rob Herring <rob.h...@calxeda.com>

commit bbb4ab43f82adf02c8b4d0d7e7b7e79d24204b05 upstream.

Make ahci_dev_classify available to the ahci platform driver for custom
hard reset function.

Signed-off-by: Rob Herring <rob.h...@calxeda.com>
Signed-off-by: Jeff Garzik <jga...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/ata/ahci.h | 1 +
drivers/ata/libahci.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/ata/ahci.h
+++ b/drivers/ata/ahci.h
@@ -314,6 +314,7 @@ extern struct device_attribute *ahci_sde
extern struct ata_port_operations ahci_ops;
extern struct ata_port_operations ahci_pmp_retry_srst_ops;

+unsigned int ahci_dev_classify(struct ata_port *ap);
void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
u32 opts);
void ahci_save_initial_config(struct device *dev,
--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -1137,7 +1137,7 @@ static void ahci_dev_config(struct ata_d
}
}

-static unsigned int ahci_dev_classify(struct ata_port *ap)
+unsigned int ahci_dev_classify(struct ata_port *ap)
{
void __iomem *port_mmio = ahci_port_base(ap);
struct ata_taskfile tf;
@@ -1151,6 +1151,7 @@ static unsigned int ahci_dev_classify(st

return ata_dev_classify(&tf);
}
+EXPORT_SYMBOL_GPL(ahci_dev_classify);

void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
u32 opts)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Ploumistos <alex.pl...@gmail.com>

commit 2eeff0b4317a02f0e281df891d990194f0737aae upstream.

Add 04f2:aff1 to ath3k.c supported devices list and btusb.c blacklist, so
that the device can load the ath3k firmware and re-enumerate itself as an
AR3011 device.

T: Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04f2 ProdID=aff1 Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms

Signed-off-by: Alexander Ploumistos <ale...@fedoraproject.org>
Signed-off-by: Marcel Holtmann <mar...@holtmann.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/bluetooth/ath3k.c | 1 +
drivers/bluetooth/btusb.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -63,6 +63,7 @@ static struct usb_device_id ath3k_table[
/* Atheros AR3011 with sflash firmware*/
{ USB_DEVICE(0x0489, 0xE027) },
{ USB_DEVICE(0x0489, 0xE03D) },
+ { USB_DEVICE(0x04F2, 0xAFF1) },
{ USB_DEVICE(0x0930, 0x0215) },
{ USB_DEVICE(0x0CF3, 0x3002) },
{ USB_DEVICE(0x0CF3, 0xE019) },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -148,6 +148,7 @@ static struct usb_device_id blacklist_ta
/* Atheros 3011 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lv Zheng <lv.z...@intel.com>

commit 1d0a0b2f6df2bf2643fadc990eb143361eca6ada upstream.

ACPICA commit b60612373a4ef63b64a57c124576d7ddb6d8efb6

For physical addresses, since the address may exceed 32-bit address range

after calculation, we should use 0x%8.8X%8.8X instead of ACPI_PRINTF_UINT
and ACPI_FORMAT_UINT64() instead of
ACPI_FORMAT_NATIVE_UINT()/ACPI_FORMAT_TO_UINT().

This patch also removes above replaced macros as there are no users.

This is a preparation to switch acpi_physical_address to 64-bit on 32-bit
kernel builds.

Link: https://github.com/acpica/acpica/commit/b6061237

Signed-off-by: Lv Zheng <lv.z...@intel.com>
Signed-off-by: Bob Moore <robert...@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>
Signed-off-by: Dirk Behme <dirk....@gmail.com>

[gdavis: Move tbprint.c changes to tbutils.c due to lack of commit

"42f4786 ACPICA: Split table print utilities to a new a
separate file" in linux-3.10.y]
Signed-off-by: George G. Davis <george...@mentor.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/acpi/acpica/acmacros.h
+++ b/drivers/acpi/acpica/acmacros.h
@@ -59,19 +59,15 @@
#define ACPI_SET64(ptr) *ACPI_CAST_PTR (u64, ptr)

/*
- * printf() format helpers
+ * printf() format helper. This macros is a workaround for the difficulties
+ * with emitting 64-bit integers and 64-bit pointers with the same code
+ * for both 32-bit and 64-bit hosts.
*/

/* Split 64-bit integer into two 32-bit values. Use with %8.8_x%8.8_x */

#define ACPI_FORMAT_UINT64(i) ACPI_HIDWORD(i), ACPI_LODWORD(i)

-#if ACPI_MACHINE_WIDTH == 64
-#define ACPI_FORMAT_NATIVE_UINT(i) ACPI_FORMAT_UINT64(i)
-#else
-#define ACPI_FORMAT_NATIVE_UINT(i) 0, (i)
-#endif
-
/*
* Macros for moving data around to/from buffers that are possibly unaligned.
* If the hardware supports the transfer of unaligned data, just do the store.
--- a/drivers/acpi/acpica/dsopcode.c
+++ b/drivers/acpi/acpica/dsopcode.c
@@ -446,7 +446,7 @@ acpi_ds_eval_region_operands(struct acpi

ACPI_DEBUG_PRINT((ACPI_DB_EXEC, "RgnObj %p Addr %8.8X%8.8X Len %X\n",
obj_desc,
- ACPI_FORMAT_NATIVE_UINT(obj_desc->region.address),
+ ACPI_FORMAT_UINT64(obj_desc->region.address),
obj_desc->region.length));

/* Now the address and length are valid for this opregion */
@@ -545,7 +545,7 @@ acpi_ds_eval_table_region_operands(struc

ACPI_DEBUG_PRINT((ACPI_DB_EXEC, "RgnObj %p Addr %8.8X%8.8X Len %X\n",
obj_desc,
- ACPI_FORMAT_NATIVE_UINT(obj_desc->region.address),
+ ACPI_FORMAT_UINT64(obj_desc->region.address),
obj_desc->region.length));

/* Now the address and length are valid for this opregion */
--- a/drivers/acpi/acpica/evregion.c
+++ b/drivers/acpi/acpica/evregion.c
@@ -450,8 +450,8 @@ acpi_ev_address_space_dispatch(union acp
ACPI_DEBUG_PRINT((ACPI_DB_OPREGION,
"Handler %p (@%p) Address %8.8X%8.8X [%s]\n",
&region_obj->region.handler->address_space, handler,
- ACPI_FORMAT_NATIVE_UINT(region_obj->region.address +
- region_offset),
+ ACPI_FORMAT_UINT64(region_obj->region.address +
+ region_offset),
acpi_ut_get_region_name(region_obj->region.
space_id)));

--- a/drivers/acpi/acpica/exdump.c
+++ b/drivers/acpi/acpica/exdump.c
@@ -613,8 +613,8 @@ void acpi_ex_dump_operand(union acpi_ope
acpi_os_printf("\n");
} else {
acpi_os_printf(" base %8.8X%8.8X Length %X\n",
- ACPI_FORMAT_NATIVE_UINT(obj_desc->region.
- address),
+ ACPI_FORMAT_UINT64(obj_desc->region.
+ address),
obj_desc->region.length);
}
break;
--- a/drivers/acpi/acpica/exregion.c
+++ b/drivers/acpi/acpica/exregion.c
@@ -174,7 +174,7 @@ acpi_ex_system_memory_space_handler(u32
if (!mem_info->mapped_logical_address) {
ACPI_ERROR((AE_INFO,
"Could not map memory at 0x%8.8X%8.8X, size %u",
- ACPI_FORMAT_NATIVE_UINT(address),
+ ACPI_FORMAT_UINT64(address),
(u32) map_length));
mem_info->mapped_length = 0;
return_ACPI_STATUS(AE_NO_MEMORY);
@@ -195,8 +195,7 @@ acpi_ex_system_memory_space_handler(u32

ACPI_DEBUG_PRINT((ACPI_DB_INFO,
"System-Memory (width %u) R/W %u Address=%8.8X%8.8X\n",
- bit_width, function,
- ACPI_FORMAT_NATIVE_UINT(address)));
+ bit_width, function, ACPI_FORMAT_UINT64(address)));

/*
* Perform the memory read or write
@@ -298,8 +297,7 @@ acpi_ex_system_io_space_handler(u32 func

ACPI_DEBUG_PRINT((ACPI_DB_INFO,
"System-IO (width %u) R/W %u Address=%8.8X%8.8X\n",
- bit_width, function,
- ACPI_FORMAT_NATIVE_UINT(address)));
+ bit_width, function, ACPI_FORMAT_UINT64(address)));

/* Decode the function parameter */

--- a/drivers/acpi/acpica/nsdump.c
+++ b/drivers/acpi/acpica/nsdump.c
@@ -326,8 +326,9 @@ acpi_ns_dump_one_object(acpi_handle obj_
space_id));
if (obj_desc->region.flags & AOPOBJ_DATA_VALID) {
acpi_os_printf(" Addr %8.8X%8.8X Len %.4X\n",
- ACPI_FORMAT_NATIVE_UINT
- (obj_desc->region.address),
+ ACPI_FORMAT_UINT64(obj_desc->
+ region.
+ address),
obj_desc->region.length);
} else {
acpi_os_printf
--- a/drivers/acpi/acpica/tbutils.c
+++ b/drivers/acpi/acpica/tbutils.c
@@ -237,16 +237,12 @@ acpi_tb_print_table_header(acpi_physical
{
struct acpi_table_header local_header;

- /*
- * The reason that the Address is cast to a void pointer is so that we
- * can use %p which will work properly on both 32-bit and 64-bit hosts.
- */
if (ACPI_COMPARE_NAME(header->signature, ACPI_SIG_FACS)) {

/* FACS only has signature and length fields */

- ACPI_INFO((AE_INFO, "%4.4s %p %05X",
- header->signature, ACPI_CAST_PTR(void, address),
+ ACPI_INFO((AE_INFO, "%4.4s 0x%8.8X%8.8X %05X",
+ header->signature, ACPI_FORMAT_UINT64(address),
header->length));
} else if (ACPI_COMPARE_NAME(header->signature, ACPI_SIG_RSDP)) {

@@ -257,8 +253,8 @@ acpi_tb_print_table_header(acpi_physical
header)->oem_id, ACPI_OEM_ID_SIZE);
acpi_tb_fix_string(local_header.oem_id, ACPI_OEM_ID_SIZE);

- ACPI_INFO((AE_INFO, "RSDP %p %05X (v%.2d %6.6s)",
- ACPI_CAST_PTR (void, address),
+ ACPI_INFO((AE_INFO, "RSDP 0x%8.8X%8.8X %05X (v%.2d %6.6s)",
+ ACPI_FORMAT_UINT64(address),
(ACPI_CAST_PTR(struct acpi_table_rsdp, header)->
revision >
0) ? ACPI_CAST_PTR(struct acpi_table_rsdp,
@@ -272,8 +268,8 @@ acpi_tb_print_table_header(acpi_physical
acpi_tb_cleanup_table_header(&local_header, header);

ACPI_INFO((AE_INFO,
- "%4.4s %p %05X (v%.2d %6.6s %8.8s %08X %4.4s %08X)",
- local_header.signature, ACPI_CAST_PTR(void, address),
+ "%-4.4s 0x%8.8X%8.8X %05X (v%.2d %-6.6s %-8.8s %08X %-4.4s %08X)",
+ local_header.signature, ACPI_FORMAT_UINT64(address),
local_header.length, local_header.revision,
local_header.oem_id, local_header.oem_table_id,
local_header.oem_revision,

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lv Zheng <lv.z...@intel.com>

commit 85e014b4304626972bff42249556748ad3fcf812 upstream.

commit f254e3c57b9d952e987502aefa0804c177dd2503 upstream.

ACPICA commit 7d9fd64397d7c38899d3dc497525f6e6b044e0e3

OSPMs like Linux expect an acpi_physical_address returning value from
acpi_find_root_pointer(). This triggers warnings if sizeof (acpi_size) doesn't
equal to sizeof (acpi_physical_address):
drivers/acpi/osl.c:275:3: warning: passing argument 1 of 'acpi_find_root_pointer' from incompatible pointer type [enabled by default]
In file included from include/acpi/acpi.h:64:0,
from include/linux/acpi.h:36,
from drivers/acpi/osl.c:41:
include/acpi/acpixf.h:433:1: note: expected 'acpi_size *' but argument is of type 'acpi_physical_address *'
This patch corrects acpi_find_root_pointer().

Link: https://github.com/acpica/acpica/commit/7d9fd643

Signed-off-by: Lv Zheng <lv.z...@intel.com>
Signed-off-by: Bob Moore <robert...@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>
Signed-off-by: Dirk Behme <dirk....@gmail.com>

Signed-off-by: George G. Davis <george...@mentor.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/acpi/acpica/tbxfroot.c | 7 ++++---
include/acpi/acpixf.h | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/acpi/acpica/tbxfroot.c
+++ b/drivers/acpi/acpica/tbxfroot.c
@@ -119,7 +119,7 @@ static acpi_status acpi_tb_validate_rsdp
*
******************************************************************************/

-acpi_status acpi_find_root_pointer(acpi_size *table_address)
+acpi_status acpi_find_root_pointer(acpi_physical_address * table_address)
{
u8 *table_ptr;
u8 *mem_rover;
@@ -177,7 +177,8 @@ acpi_status acpi_find_root_pointer(acpi_
physical_address +=
(u32) ACPI_PTR_DIFF(mem_rover, table_ptr);

- *table_address = physical_address;
+ *table_address =
+ (acpi_physical_address) physical_address;
return_ACPI_STATUS(AE_OK);
}
}
@@ -210,7 +211,7 @@ acpi_status acpi_find_root_pointer(acpi_
(ACPI_HI_RSDP_WINDOW_BASE +
ACPI_PTR_DIFF(mem_rover, table_ptr));

- *table_address = physical_address;
+ *table_address = (acpi_physical_address) physical_address;
return_ACPI_STATUS(AE_OK);
}

--- a/include/acpi/acpixf.h
+++ b/include/acpi/acpixf.h
@@ -125,7 +125,7 @@ void acpi_free(void *address);
*/
acpi_status acpi_reallocate_root_table(void);

-acpi_status acpi_find_root_pointer(acpi_size *rsdp_address);
+acpi_status acpi_find_root_pointer(acpi_physical_address *rsdp_address);

acpi_status acpi_load_tables(void);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbon...@redhat.com>

commit 898761158be7682082955e3efa4ad24725305fc7 upstream.

smep_andnot_wp is initialized in kvm_init_shadow_mmu and shadow pages
should not be reused for different values of it. Thus, it has to be
added to the mask in kvm_mmu_pte_write.

Reviewed-by: Xiao Guangrong <guangro...@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/kvm/mmu.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3609,7 +3609,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
}
}

- mask.cr0_wp = mask.cr4_pae = mask.nxe = 1;
+ mask.cr0_wp = mask.cr4_pae = mask.nxe = mask.smep_andnot_wp = 1;
for_each_gfn_indirect_valid_sp(vcpu->kvm, sp, gfn, node) {
pte_size = sp->role.cr4_pae ? 8 : 4;
misaligned = (offset ^ (offset + bytes - 1)) & ~(pte_size - 1);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathia...@linux.intel.com>

commit d104d0152a97fade389f47635b73a9ccc7295d0b upstream.

Isoc TDs usually consist of one TRB, sometimes two. When all goes well we
receive only one success event for a TD, and move the dequeue pointer to
the next TD.

This fails if the TD consists of two TRBs and we get a transfer error
on the first TRB, we will then see two events for that TD.

Fix this by making sure the event we get is for the last TRB in that TD
before moving the dequeue pointer to the next TD. This will resolve some
of the uvc and dvb issues with the
"ERROR Transfer event TRB DMA ptr not part of current TD" error message

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/host/xhci-ring.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2060,8 +2060,13 @@ static int process_isoc_td(struct xhci_h
break;
case COMP_DEV_ERR:
case COMP_STALL:
+ frame->status = -EPROTO;
+ skip_td = true;
+ break;
case COMP_TX_ERR:
frame->status = -EPROTO;
+ if (event_trb != td->last_trb)
+ return 0;
skip_td = true;
break;
case COMP_STOP:

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mark Salyzyn <sal...@android.com>

[ Upstream commit b48732e4a48d80ed4a14812f0bab09560846514e ]

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn <sal...@android.com>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD

Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/caif/caif_socket.c | 8 ++++++++
net/unix/af_unix.c | 8 ++++++++
2 files changed, 16 insertions(+)

--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -366,6 +366,10 @@ static long caif_stream_data_wait(struct
release_sock(sk);
timeo = schedule_timeout(timeo);
lock_sock(sk);
+
+ if (sock_flag(sk, SOCK_DEAD))
+ break;
+
clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
}

@@ -410,6 +414,10 @@ static int caif_stream_recvmsg(struct ki
struct sk_buff *skb;

lock_sock(sk);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ECONNRESET;
+ goto unlock;
+ }
skb = skb_dequeue(&sk->sk_receive_queue);
caif_check_flow_release(sk);

--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1870,6 +1870,10 @@ static long unix_stream_data_wait(struct
unix_state_unlock(sk);
timeo = schedule_timeout(timeo);
unix_state_lock(sk);
+
+ if (sock_flag(sk, SOCK_DEAD))
+ break;
+
clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
}

@@ -1930,6 +1934,10 @@ static int unix_stream_recvmsg(struct ki
struct sk_buff *skb;

unix_state_lock(sk);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ECONNRESET;
+ goto unlock;
+ }
skb = skb_peek(&sk->sk_receive_queue);
if (skb == NULL) {
unix_sk(sk)->recursion_level = 0;

[Ben Hutchings]

This is the start of the stable review cycle for the 3.2.70 release.
There are 164 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Aug 05 23:00:00 UTC 2015.
Anything received after that time might be too late.

A combined patch relative to 3.2.69 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Al Viro (2):
d_walk() might skip too much
[2159184ea01e4ae7d15f2017e296d4bc82d5aeb0]
sg_start_req(): make sure that there's not too many elements in iovec
[451a2886b6bf90e2fb378f7c46c655450fb96e81]

Alex Deucher (1):
drm/radeon: fix doublescan modes (v2)
[fd99a0943ffaa0320ea4f69d09ed188f950c0432]

Alexander Duyck (1):
jhash: Update jhash_[321]words functions to use correct initval
[2e7056c433216f406b90a003aa0ba42e19d3bdcf]

Alexander Ploumistos (1):
Bluetooth: ath3k: Add support Atheros AR5B195 combo Mini PCIe card
[2eeff0b4317a02f0e281df891d990194f0737aae]

Alexander Sverdlin (2):
MIPS: Octeon: Remove udelay() causing huge IRQ latency
[73bf3c2a500b2db8ac966469591196bf55afb409]
sctp: Fix race between OOTB responce and route removal
[29c4afc4e98f4dc0ea9df22c631841f9c220b944]

Alexei Starovoitov (1):
x86: bpf_jit: fix compilation of large bpf programs
[3f7352bf21f8fd7ba3e2fcef9488756f188e12be]

Andrew Morton (1):
fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings
[2b1d3ae940acd11be44c6eced5873d47c2e00ffa]

Andrey Ryabinin (1):
ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE
[8defb3367fcd19d1af64c07792aade0747b54e0f]

Andy Grover (1):
target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST
[5a7125c64def3b21f8147eca8b54949a60963942]

Anton Blanchard (3):
powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH
[9a5cbce421a283e6aea3c4007f141735bf9da8c3]
powerpc: Align TOC to 256 bytes
[5e95235ccd5442d4a4fe11ec4eb99ba1b7959368]
powerpc: Make logical to real cpu mapping code endian safe
[ac13282dff13cd0f4da0f0ccb134bc29bfa10255]

Aravind Gopalakrishnan (1):
x86/iommu: Fix header comments regarding standard and _FINISH macros
[b44915927ca88084a7292e4ddd4cf91036f365e1]

Arnd Bergmann (1):
staging: line6: avoid __sync_fetch_and_{and,or}
[9f613601482c56e05884f21565e3d218fac427ae]

Baruch Siach (1):
pinctrl: fix example .get_group_pins implementation signature
[838d030bda9e2da5f9dcf7251f4e117c6258cb2f]

Ben Greear (1):
Fix lockup related to stop_machine being stuck in __do_softirq.
[34376a50fb1fa095b9d0636fa41ed2e73125f214]

Ben Hutchings (5):
debugfs: Fix statfs() regression in 3.2.69
[not upstream; fixes a regression specific to 3.2-stable]
dmi_scan: refactor dmi_scan_machine(), {smbios,dmi}_present()
[79bae42d51a5d498500c890c19ef76df41d2bf59]
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
[f0d1bec9d58d4c038d0ac958c9af82be6eb18045,
637b58c2887e5e57850865839cc75f59184b23d1]
x86_64: Fix strnlen_user() to not touch memory after specified maximum
[f18c34e483ff6b1d9866472221e4015b3a4698e4]
xen-pciback: Add name prefix to global 'permissive' variable
[8014bcc86ef112eab9ee1db312dba4e6b608cf89]

Ben Serebrin (1):
KVM: VMX: Preserve host CR4.MCE value while in guest mode.
[085e68eeafbf76e21848ad5bafaecec88a11dd64]

Benjamin Tissoires (1):
Input: elantech - fix semi-mt protocol for v3 HW
[3c0213d17a09601e0c6c0ae0e27caf70d988290f]

Bob Moore (1):
ACPICA: Debug output: Update output for Processor object.
[0b232fcad225c35513c9d5719613ae552abccd82]

Brian Norris (4):
UBI: account for bitflips in both the VID header and data
[8eef7d70f7c6772c3490f410ee2bceab3b543fa1]
UBI: fix check for "too many bytes"
[299d0c5b27346a77a0777c993372bf8777d4f2e5]
UBI: fix out of bounds write
[d74adbdb9abf0d2506a6c4afa534d894f28b763f]
UBI: initialize LEB number variable
[f16db8071ce18819fbd705ddcc91c6f392fb61f8]

Christoph Hellwig (5):
3w-9xxx: fix command completion race
[118c855b5623f3e2e6204f02623d88c09e0c34de]
3w-sas: fix command completion race
[579d69bc1fd56d5af5761969aa529d1d1c188300]
3w-xxxx: fix command completion race
[9cd9554615cba14f0877cc9972a6537ad2bdde61]
megaraid_sas: use raw_smp_processor_id()
[16b8528d20607925899b1df93bfd8fbab98d267c]
nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op
[ebe9cb3bb13e7b9b281969cd279ce70834f7500f]

Clemens Ladisch (2):
ALSA: usb-audio: add MAYA44 USB+ mixer control names
[044bddb9ca8d49edb91bc22b9940a463b0dbb97f]
ALSA: usb-audio: fix missing input volume controls in MAYA44 USB(+)
[ea114fc27dc0cb9a550b6add5426720feb66262a]

Dan Carpenter (1):
memstick: mspro_block: add missing curly braces
[13f6b191aaa11c7fd718d35a0c565f3c16bc1d99]

Dan McGee (1):
powerpc+sparc64/mm: Remove hack in mmap randomize layout
[fa8cbaaf5a68f62db3f9a8444ecbb940b47984cb]

Dan Williams (1):
ahci: avoton port-disable reset-quirk
[dbfe8ef5599a5370abc441fcdbb382b656563eb4]

Darrick J. Wong (1):
jbd2: fix r_count overflows leading to buffer overflow in journal recovery
[e531d0bceb402e643a4499de40dd3fa39d8d2e43]

Dave Olson (1):
powerpc: Fix missing L2 cache size in /sys/devices/system/cpu
[f7e9e358362557c3aa2c1ec47490f29fe880a09e]

David Henningsson (1):
ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724
[6ffc0898b29a2811a6c0569c5dd9b581980110df]

David Sterba (1):
btrfs: don't accept bare namespace as a valid xattr
[3c3b04d10ff1811a27f86684ccd2f5ba6983211d]

David Vrabel (1):
xen/events: don't bind non-percpu VIRQs with percpu chip
[77bb3dfdc0d554befad58fdefbc41be5bc3ed38a]

Davide Italiano (1):
ext4: move check under lock scope to close a race.
[280227a75b56ab5d35854f3a77ef74a7ad56a203]

Ekaterina Tumanova (1):
KVM: s390: Zero out current VMDB of STSI before including level3 data.
[b75f4c9afac2604feb971441116c07a24ecca1ec]

Erez Shitrit (1):
IB/mlx4: Fix WQE LSO segment calculation
[ca9b590caa17bcbbea119594992666e96cde9c2f]

Eric Dumazet (3):
packet: read num_members once in packet_rcv_fanout()
[f98f4514d07871da7a113dd9e3e330743fd70ae4]
softirq: reduce latencies
[c10d73671ad30f54692f7f69f0e09e75d3a8926a]
udp: fix behavior of wrong checksums
[beb39db59d14990e401e235faf66a6b9b31240b0]

Eryu Guan (1):
ext4: check for zero length extent explicitly
[2f974865ffdfe7b9f46a9940836c8b167342563d]

Felipe Balbi (1):
usb: musb: core: fix TX/RX endpoint order
[e3c93e1a3f35be4cf1493d3ccfb0c6d9209e4922]

Feng Tang (1):
x86/reboot: Fix a warning message triggered by stop_other_cpus()
[55c844a4dd16a4d1fdc0cf2a283ec631a02ec448]

Filipe Manana (2):
Btrfs: fix inode eviction infinite loop after cloning into it
[ccccf3d67294714af2d72a6fd6fd7d73b01c9329]
Btrfs: fix log tree corruption when fs mounted with -o discard
[dcc82f4783ad91d4ab654f89f37ae9291cdc846a]

Gabriele Mazzotta (2):
libata: Add helper to determine when PHY events should be ignored
[8393b811f38acdf7fd8da2028708edad3e68ce1f]
libata: Ignore spurious PHY event on LPM policy change
[09c5b4803a80a5451d950d6a539d2eb311dc0fb1]

Grant Likely (1):
of: Add of_property_match_string() to find index into a string list
[7aff0fe33033fc75b61446ba29d38b1b1354af9f]

Grygorii Strashko (1):
mmc: core: add missing pm event in mmc_pm_notify to fix hib restore
[184af16b09360d6273fd6160e6ff7f8e2482ef23]

Hans Schillstrom (1):
ipvs: kernel oops - do_ip_vs_get_ctl
[8537de8a7ab6681cc72fb0411ab1ba7fdba62dd0]

Hans de Goede (2):
Input: elantech - fix detection of touchpads where the revision matches a known rate
[5f0ee9d17aae628b22be86966471db65be21f262]
usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
[172115090f5e739660b97694618a2ba86457063a]

Harald Freudenberger (1):
crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
[a1cae34e23b1293eccbcc8ee9b39298039c3952a]

Heiko Carstens (1):
s390/hibernate: fix save and restore of kernel text section
[d74419495633493c9cd3f2bbeb7f3529d0edded6]

Huacai Chen (1):
MIPS: Hibernate: flush TLB entries earlier
[2a21dc7c196209d94cb570a0d340faa6c760f7f8]

Hujianyang (1):
UBI: fix soft lockup in ubi_check_volume()
[9aa272b492e7551a9ee0e2c83c720ea013698485]

Ian Campbell (1):
xen: netback: read hotplug script once at start of day.
[31a418986a5852034d520a5bab546821ff1ccf3d]

James Hogan (1):
MIPS: Fix enabling of DEBUG_STACKOVERFLOW
[5f35b9cd553fd64415b563497d05a563c988dbd6]

Janusz Dziedzic (1):
mac80211: move WEP tailroom size check
[47b4e1fc4972cc43a19121bc2608a60aef3bf216]

Jason A. Donenfeld (1):
USB: pl2303: Remove support for Samsung I330
[48ef23a4f686b1e4519d4193c20d26834ff810ff]

Jean Delvare (1):

firmware: dmi_scan: Fix ordering of product_uuid

[5c1ac56b51b9d222ab202dec1ac2f4215346129d]

Jim Snow (1):

sb_edac: Fix erroneous bytes->gigabytes conversion

[8c009100295597f23978c224aec5751a365bc965]

Joe Lawrence (1):
xhci: gracefully handle xhci_irq dead device
[948fa13504f80b9765d2b753691ab94c83a10341]

Johan Hovold (2):
gpio: sysfs: fix memory leaks and device hotplug
[483d821108791092798f5d230686868112927044]
gpio: unregister gpiochip device before removing it
[01cca93a9491ed95992523ff7e79dd9bfcdea8e0]

John D. Blair (1):
USB: cp210x: add ID for HubZ dual ZigBee and Z-Wave dongle
[df72d588c54dad57dabb3cc8a87475d8ed66d806]

John David Anglin (1):
parisc: Provide __ucmpdi2 to resolve undefined references in 32 bit builds.
[ca0ad83da17b6ba07f9eb5902e69daac90c4fa61]

Joonsoo Kim (1):
slub: refactoring unfreeze_partials()
[43d77867a4f333de4e4189114c480dd365133c09]

Jordan Rife (1):
Input: elantech - add support for newer elantech touchpads
[ae4bedf0679d99f0a9b80a7ea9b8dd205de05d06]

Julian Anastasov (1):
neigh: do not modify unlinked entries
[2c51a97f76d20ebf1f50fef908b986cb051fdff9]

Junling Zheng (1):
net: socket: Fix the wrong returns for recvmsg and sendmsg
[08adb7dabd4874cc5666b4490653b26534702ce0]

Junxiao Bi (1):
ocfs2: dlm: fix race between purge and get lock resource
[b1432a2a35565f538586774a03bf277c27fc267d]

K. Y. Srinivasan (3):
Drivers: hv: vmbus: Don't wait after requesting offers
[73cffdb65e679b98893f484063462c045adcf212]
Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
[40384e4bbeb9f2651fe9bffc0062d9f31ef625bf]
scsi: storvsc: Fix a bug in copy_from_bounce_buffer()
[8de580742fee8bc34d116f57a20b22b9a5f08403]

Konrad Rzeszutek Wilk (1):
config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected
[a6dfa128ce5c414ab46b1d690f7a1b8decb8526d]

Koro Chen (1):
ASoC: dapm: Modify widget stream name according to prefix
[fdb6eb0a12871d5bfaf266c5a0d5259a5437a72f]

Krzysztof Kozlowski (1):
compal-laptop: Check return value of power_supply_register
[1915a718b1872edffcb13e5436a9f7302d3d36f0]

Larry Finger (2):
rtlwifi: rtl8192cu: Add new USB ID
[2f92b314f4daff2117847ac5343c54d3d041bf78]
rtlwifi: rtl8192cu: Fix kernel deadlock
[414b7e3b9ce8b0577f613e656fdbc36b34b444dd]

Lars Persson (1):
MIPS: Fix race condition in lazy cache flushing.
[4d46a67a3eb827ccf1125959936fd51ba318dabc]

Lukas Czerner (1):
ext4: make fsync to sync parent dir in no-journal for real this time
[e12fb97222fc41e8442896934f76d39ef99b590a]

Lv Zheng (4):
ACPICA: Tables: Change acpi_find_root_pointer() to use acpi_physical_address.
[f254e3c57b9d952e987502aefa0804c177dd2503]
ACPICA: Utilities: Cleanup to convert physical address printing formats.
[cc2080b0e5a7c6c33ef5e9ffccbc2b8f6f861393]
ACPICA: Utilities: Cleanup to remove useless ACPI_PRINTF/FORMAT_xxx helpers.
[1d0a0b2f6df2bf2643fadc990eb143361eca6ada]
ACPICA: Utilities: split IO address types from data type models.
[2b8760100e1de69b6ff004c986328a82947db4ad]

Maksim A. Boyko (1):
ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam C525
[140d37de62ffe8405282a1d6498f3b4099006384]

Mancha Security (1):
lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
[0b053c9518292705736329a8fe20ef4686ffc8e9]

Marcelo Ricardo Leitner (1):
sctp: fix ASCONF list handling
[2d45a02d0166caf2627fe91897c6ffc3b19514c4]

Mark Edwards (1):
USB: cp210x: add ID for KCF Technologies PRN device
[c735ed74d83f8ecb45c4c4c95a16853c9c3c8157]

Mark Grondona (1):
__ptrace_may_access() should not deny sub-threads
[73af963f9f3036dffed55c3a2898598186db1045]

Mark Hounschell (1):
sd: Disable support for 256 byte/sector disks
[74856fbf441929918c49ff262ace9835048e4e6a]

Mark Salyzyn (1):
unix/caif: sk_socket can disappear when state is unlocked
[b48732e4a48d80ed4a14812f0bab09560846514e]

Mathias Nyman (2):
xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
[18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38]
xhci: fix isoc endpoint dequeue from advancing too far on transaction error
[d104d0152a97fade389f47635b73a9ccc7295d0b]

Matt Walker (1):
Input: elantech - add support for newer (August 2013) devices
[9cb80b965eaf7af1369f6e16f48a05fbaaccc021]

Matteo Delfino (1):
Input: elantech - fix for newer hardware versions (v7)
[9eebed7de660c0b5ab129a9de4f89d20b60de68c]

Mauro Carvalho Chehab (1):
Fix sb_edac compilation with 32 bits kernels
[5b889e379f340f43b1252abde5d37a7084c846b9]

Michael Davidson (1):
fs/binfmt_elf.c: fix bug in loading of PIE binaries
[a87938b2e246b81b4fb713edb371a9fa3c5c3c86]

Michael Gernoth (1):
ALSA: emu10k1: don't deadlock in proc-functions
[91bf0c2dcb935a87e5c0795f5047456b965fd143]

Michal Simek (2):
serial: of-serial: Remove device_type = "serial" registration
[6befa9d883385c580369a2cc9e53fbf329771f6d]
serial: xilinx: Use platform_get_irq to get irq description structure
[5c90c07b98c02198d9777a7c4f3047b0a94bf7ed]

Nathan Fontenot (1):
powerpc/pseries: Correct cpu affinity for dlpar added cpus
[f32393c943e297b8ae180c8f83d81a156c7d0412]

NeilBrown (1):
md/raid5: don't record new size if resize_stripes fails.
[6e9eac2dcee5e19f125967dd2be3e36558c42fff]

Nicolas Dichtel (5):
selinux/nlmsg: add XFRM_MSG_GETSPDINFO
[5e6deebafb45fb271ae6939d48832e920b8fb74e]
selinux/nlmsg: add XFRM_MSG_MAPPING
[bd2cba07381a6dba60bc1c87ed8b37931d244da1]
selinux/nlmsg: add XFRM_MSG_MIGRATE
[8d465bb777179c4bea731b828ec484088cc9fbc1]
selinux/nlmsg: add XFRM_MSG_REPORT
[b0b59b0056acd6f157a04cc895f7e24692fb08aa]
selinux/nlmsg: add XFRM_MSG_[NEW|GET]SADINFO
[5b5800fad072133e4a9c2efbf735baaac83dec86]

Nicolas Iooss (1):
firmware/ihex2fw.c: restore missing default in switch statement
[d43698e8abb58a6ac47d16e0f47bb55f452e4fc4]

Nikolay Aleksandrov (2):
bridge: fix br_stp_set_bridge_priority race conditions
[2dab80a8b486f02222a69daca6859519e05781d9]
bridge: fix multicast router rlist endless loop
[1a040eaca1a22f8da8285ceda6b5e4a2cb704867]

Oleg Nesterov (2):
include/linux/sched.h: don't use task->pid/tgid in same_thread_group/has_group_leader_pid
[e1403b8edf669ff49bbdf602cc97fefa2760cb15]
ptrace: fix race between ptrace_resume() and wait_task_stopped()
[b72c186999e689cb0b055ab1c7b3cd8fffbeb5ed]

Oliver Neukum (1):
cdc-wdm: fix endianness bug in debug statements
[323ece54e0761198946ecd0c2091f1d2bfdfcb64]

Paolo Bonzini (1):
KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages
[898761158be7682082955e3efa4ad24725305fc7]

Pascal Huerst (1):
ASoC: cs4271: Increase delay time after reset
[74ff960222d90999508b4ba0d3449f796695b6d5]

Patrick Riphagen (1):
USB: serial: ftdi_sio: Add support for a Motion Tracker Development Board
[1df5b888f54070a373a73b34488cc78c2365b7b4]

Peter Zubaj (1):
ALSA: emu10k1: Emu10k2 32 bit DMA mode
[7241ea558c6715501e777396b5fc312c372e11d9]

Quentin Casasnovas (1):
cdc-acm: prevent infinite loop when parsing CDC headers.
[0d3bba0287d4e284c3ec7d3397e81eec920d5e7e]

Rafael J. Wysocki (1):
ACPI / init: Fix the ordering of acpi_reserve_resources()
[b9a5e5e18fbf223502c0b2264c15024e393da928]

Ralf Baechle (2):
MIPS: Fix cpu_has_mips_r2_exec_hazard.
[9cdf30bd3bac697fc533988f44a117434a858f69]
MIPS: Octeon: Delete override of cpu_has_mips_r2_exec_hazard.
[f05ff43355e6997c18f82ddcee370a6e5f8643ce]

Richard Cochran (1):
net: dp83640: fix broken calibration routine.
[397a253af5031de4a4612210055935309af4472c]

Rob Herring (1):
ahci: un-staticize ahci_dev_classify
[bbb4ab43f82adf02c8b4d0d7e7b7e79d24204b05]

Rusty Russell (1):
lguest: fix out-by-one error in address checking.
[83a35114d0e4583e6b0ca39502e68b6a92e2910c]

Ryusuke Konishi (1):
nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()
[d8fd150fe3935e1692bf57c66691e17409ebb9c1]

Sabrina Dubroca (1):
e1000: add dummy allocator to fix race condition between mtu change and netpoll
[08e8331654d1d7b2c58045e549005bc356aa7810]

Sam Ravnborg (1):
sparc32,leon: fix leon build
[d657784b70ef653350d7aa49da90a8484c29da7d]

Sam hung (1):
Input: elantech - support new ICs types for version 4
[810aa0918b2b032684c8cad13f73d6ba37ad11c0]

Sasha Levin (2):
fs, omfs: add NULL terminator in the end up the token list
[dcbff39da3d815f08750552fdd04f96b51751129]
vfs: read file_handle only once in handle_to_path
[161f873b89136eb1e69477c847d5a5033239d9ba]

Scott Wood (1):
powerpc: Don't skip ePAPR spin-table CPUs
[6663a4fa6711050036562ddfd2086edf735fae21]

Sergej Sawazki (1):
ASoC: wm8741: Fix rates constraints values
[8787041d9bb832b9449b1eb878cedcebce42c61a]

Sowmini Varadhan (1):
RDS: Documentation: Document AF_RDS, PF_RDS and SOL_RDS correctly.
[ebe96e641dee2cbd135ee802ae7e40c361640088]

Steven Rostedt (1):
tracing: Have filter check for balanced ops
[2cf30dc180cea808077f003c5116388183e54f9e]

Sudip Mukherjee (1):
staging: panel: fix lcd type
[2c20d92dad5db6440cfa88d811b69fd605240ce4]

Takashi Iwai (3):
ALSA: emu10k1: Fix card shortname string buffer overflow
[d02260824e2cad626fb2a9d62e27006d34b6dedc]
ALSA: emux: Fix mutex deadlock at unloading
[07b0e5d49d227e3950cb13a3e8caf248ef2a310e]
ALSA: emux: Fix mutex deadlock in OSS emulation
[1c94e65c668f44d2c69ae7e7fc268ab3268fba3e]

Tejun Heo (1):
writeback: use |1 instead of +1 to protect against div by zero
[464d1387acb94dc43ba772b35242345e3d2ead1b]

Thadeu Lima de Souza Cascardo (1):
bridge: fix parsing of MLDv2 reports
[47cc84ce0c2fe75c99ea5963c4b5704dd78ead54]

Thierry Reding (1):
dt: Add empty of_property_match_string() function
[bd3d5500f0c41a30149cb184362716096a17bc75]

Tommi Rantala (1):
ipvs: fix memory leak in ip_vs_ctl.c
[f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab]

Ulrik De Bie (1):
Input: elantech - fix absolute mode setting on some ASUS laptops
[bd884149aca61de269fd9bad83fe2a4232ffab21]

Wang Long (1):
ring-buffer-benchmark: Fix the wrong sched_priority of producer
[108029323910c5dd1ef8fa2d10da1ce5fbce6e12]

Willem de Bruijn (1):
packet: avoid out of bounds read in round robin fanout
[468479e6043c84f5a65299cc07cb08a22a28c2b1]

Wolfram Sang (1):
ALSA: usb-audio: Add mic volume fix quirk for Logitech Quickcam Fusion
[1ef9f0583514508bc93427106ceef3215e4eb1a5]

Yann Droneaud (2):
IB/core: disallow registering 0-sized memory region
[8abaae62f3fdead8f4ce0ab46b4ab93dee39bab2]
IB/core: don't disallow registering region starting at 0x0
[66578b0b2f69659f00b6169e6fe7377c4b100d18]

Zidan Wang (2):
ASoC: wm8960: fix "RINPUT3" audio route error
[85e36a1f4a735d991ba5106781ea48e89a0b8901]
ASoC: wm8994: correct BCLK DIV 348 to 384
[17fc2e0a3db11889e942c5ab15a1fcb876638f25]

洪一竹 (1):
Input: elantech - add new icbody type
[692dd1916436164e228608803dfb6cb768d6355a]

Documentation/networking/rds.txt | 9 +-
Documentation/pinctrl.txt | 4 +-
Makefile | 4 +-
arch/arm/include/asm/elf.h | 2 +-
arch/mips/include/asm/cacheflush.h | 38 +++++---
arch/mips/include/asm/cpu-features.h | 26 +++++-
.../asm/mach-cavium-octeon/cpu-feature-overrides.h | 1 -
arch/mips/include/asm/octeon/pci-octeon.h | 3 -
arch/mips/kernel/irq.c | 2 +-
arch/mips/mm/cache.c | 12 +++
arch/mips/pci/pci-octeon.c | 6 --
arch/mips/pci/pcie-octeon.c | 3 -
arch/mips/power/hibernate.S | 3 +-
arch/parisc/kernel/parisc_ksyms.c | 2 +
arch/parisc/lib/Makefile | 3 +-
arch/parisc/lib/ucmpdi2.c | 25 +++++
arch/powerpc/kernel/cacheinfo.c | 43 +++++++--
arch/powerpc/kernel/perf_callchain.c | 2 +-
arch/powerpc/kernel/setup-common.c | 16 +++-
arch/powerpc/kernel/vmlinux.lds.S | 1 +
arch/powerpc/mm/mmap_64.c | 14 +--
arch/powerpc/platforms/pseries/dlpar.c | 13 ++-
arch/s390/crypto/ghash_s390.c | 25 ++---
arch/s390/kernel/suspend.c | 6 ++
arch/s390/kvm/priv.c | 1 +
arch/sparc/kernel/leon_pci.c | 13 ---
arch/sparc/kernel/sys_sparc_64.c | 6 +-
arch/x86/Kconfig | 3 +-
arch/x86/include/asm/iommu_table.h | 11 ++-
arch/x86/kernel/reboot.c | 7 +-
arch/x86/kvm/mmu.c | 2 +-
arch/x86/kvm/vmx.c | 12 ++-
arch/x86/lib/usercopy_64.c | 2 +-
arch/x86/net/bpf_jit_comp.c | 7 +-
drivers/acpi/acpica/acmacros.h | 10 +-
drivers/acpi/acpica/dsopcode.c | 4 +-
drivers/acpi/acpica/evregion.c | 4 +-
drivers/acpi/acpica/exdump.c | 4 +-
drivers/acpi/acpica/exfldio.c | 10 +-
drivers/acpi/acpica/exregion.c | 8 +-
drivers/acpi/acpica/hwvalid.c | 16 ++--
drivers/acpi/acpica/nsdump.c | 12 +--
drivers/acpi/acpica/tbinstal.c | 4 +-
drivers/acpi/acpica/tbutils.c | 21 ++---
drivers/acpi/acpica/tbxfroot.c | 7 +-
drivers/acpi/osl.c | 6 +-
drivers/ata/ahci.c | 102 +++++++++++++++++++--
drivers/ata/ahci.h | 1 +
drivers/ata/libahci.c | 6 +-
drivers/ata/libata-core.c | 32 +++++++
drivers/ata/libata-eh.c | 3 +

drivers/bluetooth/ath3k.c | 1 +
drivers/bluetooth/btusb.c | 1 +

drivers/edac/Kconfig | 2 +-
drivers/edac/sb_edac.c | 48 ++++++----
drivers/firmware/dmi_scan.c | 85 ++++++++---------
drivers/gpio/gpiolib.c | 26 +++++-
drivers/gpu/drm/radeon/atombios_crtc.c | 8 +-
drivers/hv/channel.c | 7 +-
drivers/hv/channel_mgmt.c | 12 +--
drivers/infiniband/core/umem.c | 7 +-
drivers/infiniband/hw/mlx4/qp.c | 3 +-
drivers/input/mouse/elantech.c | 51 ++++++++---
drivers/input/mouse/elantech.h | 1 +
drivers/lguest/core.c | 2 +-
drivers/md/raid5.c | 3 +-
drivers/memstick/core/mspro_block.c | 3 +-
drivers/mmc/core/core.c | 1 +
drivers/mtd/ubi/cdev.c | 2 +-
drivers/mtd/ubi/eba.c | 3 +-
drivers/mtd/ubi/misc.c | 2 +
drivers/mtd/ubi/scan.c | 2 +-
drivers/mtd/ubi/wl.c | 2 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +-
drivers/net/phy/dp83640.c | 2 +-
drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
drivers/net/wireless/rtlwifi/usb.c | 2 +-
drivers/net/xen-netback/xenbus.c | 33 ++++---
drivers/of/base.c | 36 ++++++++
drivers/platform/x86/compal-laptop.c | 9 +-
drivers/scsi/3w-9xxx.c | 57 +++---------
drivers/scsi/3w-9xxx.h | 5 -
drivers/scsi/3w-sas.c | 50 ++--------
drivers/scsi/3w-sas.h | 4 -
drivers/scsi/3w-xxxx.c | 42 ++-------
drivers/scsi/3w-xxxx.h | 5 -
drivers/scsi/megaraid/megaraid_sas_fusion.c | 4 +-
drivers/scsi/sd.c | 19 +---
drivers/scsi/sg.c | 3 +
drivers/staging/hv/storvsc_drv.c | 15 +--
drivers/staging/line6/pcm.c | 40 +++++---
drivers/staging/panel/panel.c | 13 ++-
drivers/target/target_core_pscsi.c | 3 +
drivers/target/target_core_pscsi.h | 1 +
drivers/tty/hvc/hvc_xen.c | 2 +-
drivers/tty/serial/of_serial.c | 1 -
drivers/tty/serial/uartlite.c | 11 ++-
drivers/tty/serial/xilinx_uartps.c | 12 +--
drivers/usb/class/cdc-acm.c | 7 +-
drivers/usb/class/cdc-wdm.c | 12 ++-
drivers/usb/host/xhci-ring.c | 7 +-
drivers/usb/host/xhci.h | 2 +-
drivers/usb/musb/musb_core.c | 44 +++++----
drivers/usb/serial/cp210x.c | 2 +
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 1 +
drivers/usb/serial/pl2303.c | 1 -
drivers/usb/serial/pl2303.h | 4 -
drivers/usb/storage/unusual_devs.h | 7 ++
drivers/xen/events.c | 12 ++-
drivers/xen/xen-pciback/conf_space.c | 6 +-
drivers/xen/xen-pciback/conf_space.h | 2 +-
drivers/xen/xen-pciback/conf_space_header.c | 2 +-
firmware/ihex2fw.c | 1 +
fs/binfmt_elf.c | 9 +-
fs/btrfs/extent-tree.c | 5 +-
fs/btrfs/ioctl.c | 5 +
fs/btrfs/xattr.c | 50 +++++++---
fs/dcache.c | 24 ++---
fs/debugfs/inode.c | 1 +
fs/ext4/extents.c | 19 ++--
fs/ext4/namei.c | 18 ++--
fs/fhandle.c | 5 +-
fs/jbd2/recovery.c | 7 +-
fs/nfsd/nfs4state.c | 19 ++--
fs/nilfs2/btree.c | 2 +-
fs/ocfs2/dlm/dlmmaster.c | 13 +++
fs/omfs/inode.c | 3 +-
fs/pipe.c | 55 ++++++-----
include/acpi/acpixf.h | 2 +-
include/acpi/actypes.h | 20 ++++
include/acpi/platform/acenv.h | 1 +
include/linux/jhash.h | 17 ++--
include/linux/libata.h | 10 ++
include/linux/nilfs2_fs.h | 2 +-
include/linux/of.h | 10 ++
include/linux/sched.h | 8 +-
include/net/ip_vs.h | 2 +
include/net/sctp/structs.h | 5 +
include/sound/emu10k1.h | 14 ++-
include/xen/events.h | 2 +-
kernel/ptrace.c | 22 ++++-
kernel/softirq.c | 22 +++--
kernel/trace/ring_buffer_benchmark.c | 2 +-
kernel/trace/trace_events_filter.c | 10 +-
lib/string.c | 2 +-
mm/page-writeback.c | 6 +-
mm/slub.c | 45 +++------
net/bridge/br_ioctl.c | 2 -
net/bridge/br_multicast.c | 9 +-
net/bridge/br_stp_if.c | 4 +-
net/caif/caif_socket.c | 8 ++
net/core/neighbour.c | 11 +++
net/ipv4/udp.c | 6 +-
net/ipv6/udp.c | 6 +-
net/mac80211/wep.c | 6 +-
net/netfilter/ipvs/ip_vs_core.c | 9 ++
net/netfilter/ipvs/ip_vs_ctl.c | 55 ++++++-----
net/packet/af_packet.c | 20 +---
net/sctp/output.c | 4 +-
net/sctp/socket.c | 43 ++++++---
net/socket.c | 24 ++---
net/unix/af_unix.c | 8 ++
security/selinux/nlmsgtab.c | 6 ++
sound/pci/emu10k1/emu10k1.c | 6 +-
sound/pci/emu10k1/emu10k1_callback.c | 4 +-
sound/pci/emu10k1/emu10k1_main.c | 21 +++--
sound/pci/emu10k1/emupcm.c | 2 +-
sound/pci/emu10k1/emuproc.c | 12 ---
sound/pci/emu10k1/memory.c | 11 ++-
sound/pci/hda/patch_conexant.c | 12 +++
sound/soc/codecs/cs4271.c | 4 +-
sound/soc/codecs/wm8741.c | 8 +-
sound/soc/codecs/wm8960.c | 2 +-
sound/soc/codecs/wm8994.c | 2 +-
sound/soc/soc-dapm.c | 12 ++-
sound/synth/emux/emux_oss.c | 11 +--
sound/synth/emux/emux_seq.c | 29 ++++--
sound/usb/mixer.c | 10 +-
sound/usb/mixer_maps.c | 5 +
180 files changed, 1315 insertions(+), 834 deletions(-)

--
Ben Hutchings
In a hierarchy, every employee tends to rise to his level of incompetence.

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Patrick Riphagen <patrick....@xsens.com>

commit 1df5b888f54070a373a73b34488cc78c2365b7b4 upstream.

This adds support for new Xsens device, Motion Tracker Development Board,
using Xsens' own Vendor ID

Signed-off-by: Patrick Riphagen <patrick....@xsens.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 1 +

2 files changed, 2 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -723,6 +723,7 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(XSENS_VID, XSENS_AWINDA_DONGLE_PID) },
{ USB_DEVICE(XSENS_VID, XSENS_AWINDA_STATION_PID) },
{ USB_DEVICE(XSENS_VID, XSENS_CONVERTER_PID) },
+ { USB_DEVICE(XSENS_VID, XSENS_MTDEVBOARD_PID) },
{ USB_DEVICE(XSENS_VID, XSENS_MTW_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_OMNI1509) },
{ USB_DEVICE(MOBILITY_VID, MOBILITY_USB_SERIAL_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -155,6 +155,7 @@
#define XSENS_AWINDA_STATION_PID 0x0101
#define XSENS_AWINDA_DONGLE_PID 0x0102
#define XSENS_MTW_PID 0x0200 /* Xsens MTw */
+#define XSENS_MTDEVBOARD_PID 0x0300 /* Motion Tracker Development Board */
#define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */

/* Xsens devices using FTDI VID */

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: John David Anglin <dave....@bell.net>

commit ca0ad83da17b6ba07f9eb5902e69daac90c4fa61 upstream.

The Debian experimental linux source package (3.8.5-1) build fails
with the following errors:
..
MODPOST 2016 modules
ERROR: "__ucmpdi2" [fs/btrfs/btrfs.ko] undefined!
ERROR: "__ucmpdi2" [drivers/md/dm-verity.ko] undefined!

The attached patch resolves this problem. It is based on the s390
implementation of ucmpdi2.c.

Signed-off-by: John David Anglin <dave....@bell.net>
Cc: "James E.J. Bottomley" <je...@parisc-linux.org>
Signed-off-by: Helge Deller <del...@gmx.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/parisc/kernel/parisc_ksyms.c | 2 ++
arch/parisc/lib/Makefile | 3 ++-
arch/parisc/lib/ucmpdi2.c | 25 +++++++++++++++++++++++++
3 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 arch/parisc/lib/ucmpdi2.c

--- a/arch/parisc/kernel/parisc_ksyms.c
+++ b/arch/parisc/kernel/parisc_ksyms.c
@@ -121,11 +121,13 @@ extern void __ashrdi3(void);
extern void __ashldi3(void);
extern void __lshrdi3(void);
extern void __muldi3(void);
+extern void __ucmpdi2(void);

EXPORT_SYMBOL(__ashrdi3);
EXPORT_SYMBOL(__ashldi3);
EXPORT_SYMBOL(__lshrdi3);
EXPORT_SYMBOL(__muldi3);
+EXPORT_SYMBOL(__ucmpdi2);

asmlinkage void * __canonicalize_funcptr_for_compare(void *);
EXPORT_SYMBOL(__canonicalize_funcptr_for_compare);
--- a/arch/parisc/lib/Makefile
+++ b/arch/parisc/lib/Makefile
@@ -2,6 +2,7 @@
# Makefile for parisc-specific library files
#

-lib-y := lusercopy.o bitops.o checksum.o io.o memset.o fixup.o memcpy.o
+lib-y := lusercopy.o bitops.o checksum.o io.o memset.o fixup.o memcpy.o \
+ ucmpdi2.o

obj-y := iomap.o
--- /dev/null
+++ b/arch/parisc/lib/ucmpdi2.c
@@ -0,0 +1,25 @@
+#include <linux/module.h>
+
+union ull_union {
+ unsigned long long ull;
+ struct {
+ unsigned int high;
+ unsigned int low;
+ } ui;
+};
+
+int __ucmpdi2(unsigned long long a, unsigned long long b)
+{
+ union ull_union au = {.ull = a};
+ union ull_union bu = {.ull = b};
+
+ if (au.ui.high < bu.ui.high)
+ return 0;
+ else if (au.ui.high > bu.ui.high)
+ return 2;
+ if (au.ui.low < bu.ui.low)
+ return 0;
+ else if (au.ui.low > bu.ui.low)
+ return 2;
+ return 1;
+}

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <wil...@google.com>

[ Upstream commit 468479e6043c84f5a65299cc07cb08a22a28c2b1 ]

PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
f->num_members. It returns the old value unconditionally, but
f->num_members may have changed since the last store. Ensure
that the return value is always < num.

When modifying the logic, simplify it further by replacing the loop
with an unconditional atomic increment.

Fixes: dc99f600698d ("packet: Add fanout support.")
Suggested-by: Eric Dumazet <edum...@google.com>
Signed-off-by: Willem de Bruijn <wil...@google.com>
Acked-by: Eric Dumazet <edum...@google.com>

Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:

- Adjust context
- Demux functions return a sock pointer, not an index]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/packet/af_packet.c | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1170,16 +1170,6 @@ static void packet_sock_destruct(struct
sk_refcnt_debug_dec(sk);
}

-static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
-{
- int x = atomic_read(&f->rr_cur) + 1;
-
- if (x >= num)
- x = 0;
-
- return x;
-}
-
static struct sock *fanout_demux_hash(struct packet_fanout *f, struct sk_buff *skb, unsigned int num)
{
u32 idx, hash = skb->rxhash;
@@ -1191,13 +1181,9 @@ static struct sock *fanout_demux_hash(st

static struct sock *fanout_demux_lb(struct packet_fanout *f, struct sk_buff *skb, unsigned int num)
{
- int cur, old;
+ unsigned int val = atomic_inc_return(&f->rr_cur);

- cur = atomic_read(&f->rr_cur);
- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
- fanout_rr_next(f, num))) != cur)
- cur = old;
- return f->arr[cur];
+ return f->arr[val % num];
}

static struct sock *fanout_demux_cpu(struct packet_fanout *f, struct sk_buff *skb, unsigned int num)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <an...@samba.org>

commit 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 upstream.

Recent toolchains force the TOC to be 256 byte aligned. We need
to enforce this alignment in our linker script, otherwise pointers
to our TOC variables (__toc_start, __prom_init_toc_start) could
be incorrect.

If they are bad, we die a few hundred instructions into boot.

Signed-off-by: Anton Blanchard <an...@samba.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/powerpc/kernel/vmlinux.lds.S | 1 +

1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -212,6 +212,7 @@ SECTIONS
*(.opd)
}

+ . = ALIGN(256);
.got : AT(ADDR(.got) - LOAD_OFFSET) {
__toc_start = .;
*(.got)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdeg...@redhat.com>

commit 172115090f5e739660b97694618a2ba86457063a upstream.

Without this flag some versions of these enclosures do not work.

Reported-and-tested-by: Christian Schaller <csch...@redhat.com>
Signed-off-by: Hans de Goede <hdeg...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -752,6 +752,13 @@ UNUSUAL_DEV( 0x059f, 0x0643, 0x0000, 0x
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_GO_SLOW ),

+/* Reported by Christian Schaller <csch...@redhat.com> */
+UNUSUAL_DEV( 0x059f, 0x0651, 0x0000, 0x0000,
+ "LaCie",
+ "External HDD",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_WP_DETECT ),
+
/* Submitted by Joel Bourquard <num...@freesurf.ch>
* Some versions of this device need the SubClass and Protocol overrides
* while others don't.

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joonsoo Kim <js1...@gmail.com>

commit 43d77867a4f333de4e4189114c480dd365133c09 upstream.

Current implementation of unfreeze_partials() is so complicated,
but benefit from it is insignificant. In addition many code in
do {} while loop have a bad influence to a fail rate of cmpxchg_double_slab.
Under current implementation which test status of cpu partial slab
and acquire list_lock in do {} while loop,
we don't need to acquire a list_lock and gain a little benefit
when front of the cpu partial slab is to be discarded, but this is a rare case.
In case that add_partial is performed and cmpxchg_double_slab is failed,
remove_partial should be called case by case.

I think that these are disadvantages of current implementation,
so I do refactoring unfreeze_partials().

Minimizing code in do {} while loop introduce a reduced fail rate
of cmpxchg_double_slab. Below is output of 'slabinfo -r kmalloc-256'
when './perf stat -r 33 hackbench 50 process 4000 > /dev/null' is done.

** before **
Cmpxchg_double Looping
------------------------
Locked Cmpxchg Double redos 182685
Unlocked Cmpxchg Double redos 0

** after **
Cmpxchg_double Looping
------------------------
Locked Cmpxchg Double redos 177995
Unlocked Cmpxchg Double redos 1

We can see cmpxchg_double_slab fail rate is improved slightly.

Bolow is output of './perf stat -r 30 hackbench 50 process 4000 > /dev/null'.

** before **
Performance counter stats for './hackbench 50 process 4000' (30 runs):

108517.190463 task-clock # 7.926 CPUs utilized ( +- 0.24% )
2,919,550 context-switches # 0.027 M/sec ( +- 3.07% )
100,774 CPU-migrations # 0.929 K/sec ( +- 4.72% )
124,201 page-faults # 0.001 M/sec ( +- 0.15% )
401,500,234,387 cycles # 3.700 GHz ( +- 0.24% )
<not supported> stalled-cycles-frontend
<not supported> stalled-cycles-backend
250,576,913,354 instructions # 0.62 insns per cycle ( +- 0.13% )
45,934,956,860 branches # 423.297 M/sec ( +- 0.14% )
188,219,787 branch-misses # 0.41% of all branches ( +- 0.56% )

13.691837307 seconds time elapsed ( +- 0.24% )

** after **
Performance counter stats for './hackbench 50 process 4000' (30 runs):

107784.479767 task-clock # 7.928 CPUs utilized ( +- 0.22% )
2,834,781 context-switches # 0.026 M/sec ( +- 2.33% )
93,083 CPU-migrations # 0.864 K/sec ( +- 3.45% )
123,967 page-faults # 0.001 M/sec ( +- 0.15% )
398,781,421,836 cycles # 3.700 GHz ( +- 0.22% )
<not supported> stalled-cycles-frontend
<not supported> stalled-cycles-backend
250,189,160,419 instructions # 0.63 insns per cycle ( +- 0.09% )
45,855,370,128 branches # 425.436 M/sec ( +- 0.10% )
169,881,248 branch-misses # 0.37% of all branches ( +- 0.43% )

13.596272341 seconds time elapsed ( +- 0.22% )

No regression is found, but rather we can see slightly better result.

Acked-by: Christoph Lameter <c...@linux.com>
Signed-off-by: Joonsoo Kim <js1...@gmail.com>
Signed-off-by: Pekka Enberg <pen...@kernel.org>

[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Cc: Zefan Li <liz...@huawei.com>
---
mm/slub.c | 48 ++++++++++++++----------------------------------
1 file changed, 14 insertions(+), 34 deletions(-)

--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1873,18 +1873,24 @@ redo:
/* Unfreeze all the cpu partial slabs */
static void unfreeze_partials(struct kmem_cache *s)
{
- struct kmem_cache_node *n = NULL;
+ struct kmem_cache_node *n = NULL, *n2 = NULL;
struct kmem_cache_cpu *c = this_cpu_ptr(s->cpu_slab);
struct page *page, *discard_page = NULL;

while ((page = c->partial)) {
- enum slab_modes { M_PARTIAL, M_FREE };
- enum slab_modes l, m;
struct page new;
struct page old;

c->partial = page->next;
- l = M_FREE;
+
+ n2 = get_node(s, page_to_nid(page));
+ if (n != n2) {
+ if (n)
+ spin_unlock(&n->list_lock);
+
+ n = n2;
+ spin_lock(&n->list_lock);
+ }

do {

@@ -1897,40 +1903,17 @@ static void unfreeze_partials(struct kme

new.frozen = 0;

- if (!new.inuse && (!n || n->nr_partial > s->min_partial))
- m = M_FREE;
- else {
- struct kmem_cache_node *n2 = get_node(s,
- page_to_nid(page));
-
- m = M_PARTIAL;
- if (n != n2) {
- if (n)
- spin_unlock(&n->list_lock);
-
- n = n2;
- spin_lock(&n->list_lock);
- }
- }
-
- if (l != m) {
- if (l == M_PARTIAL)
- remove_partial(n, page);
- else
- add_partial(n, page,
- DEACTIVATE_TO_TAIL);
-
- l = m;
- }
-
} while (!cmpxchg_double_slab(s, page,
old.freelist, old.counters,
new.freelist, new.counters,
"unfreezing slab"));

- if (m == M_FREE) {
+ if (unlikely(!new.inuse && n->nr_partial > s->min_partial)) {
page->next = discard_page;
discard_page = page;
+ } else {
+ add_partial(n, page, DEACTIVATE_TO_TAIL);
+ stat(s, FREE_ADD_PARTIAL);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <an...@samba.org>

commit ac13282dff13cd0f4da0f0ccb134bc29bfa10255 upstream.

Signed-off-by: Anton Blanchard <an...@samba.org>
Signed-off-by: Benjamin Herrenschmidt <be...@kernel.crashing.org>
[jt: fixed up context due to commit 59a53afe70fd530040bdc69581f03d880157f15a
already being backported.]
Signed-off-by: Jonathan Toppins <jtop...@cumulusnetworks.com>
Reviewed-by: Andy Gospodarek <go...@cumulusnetworks.com>
Acked-by: Curt Brune <cu...@cumulusnetworks.com>
Acked-by: Roopa Prabhu <ro...@cumulusnetworks.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/powerpc/kernel/setup-common.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
index 82288e9..675cbcf 100644
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -428,7 +428,7 @@ void __init smp_setup_cpu_maps(void)
DBG("smp_setup_cpu_maps()\n");

while ((dn = of_find_node_by_type(dn, "cpu")) && cpu < nr_cpu_ids) {
- const int *intserv;
+ const __be32 *intserv;
int j, len;

DBG(" * %s...\n", dn->full_name);
@@ -448,9 +448,9 @@ void __init smp_setup_cpu_maps(void)

for (j = 0; j < nthreads && cpu < nr_cpu_ids; j++) {
DBG(" thread %d -> cpu %d (hard id %d)\n",
- j, cpu, intserv[j]);
+ j, cpu, be32_to_cpu(intserv[j]));
set_cpu_present(cpu, of_device_is_available(dn));
- set_hard_smp_processor_id(cpu, intserv[j]);
+ set_hard_smp_processor_id(cpu, be32_to_cpu(intserv[j]));
set_cpu_possible(cpu, true);
cpu++;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit c10d73671ad30f54692f7f69f0e09e75d3a8926a upstream.

In various network workloads, __do_softirq() latencies can be up
to 20 ms if HZ=1000, and 200 ms if HZ=100.

This is because we iterate 10 times in the softirq dispatcher,
and some actions can consume a lot of cycles.

This patch changes the fallback to ksoftirqd condition to :

- A time limit of 2 ms.
- need_resched() being set on current task

When one of this condition is met, we wakeup ksoftirqd for further
softirq processing if we still have pending softirqs.

Using need_resched() as the only condition can trigger RCU stalls,
as we can keep BH disabled for too long.

I ran several benchmarks and got no significant difference in
throughput, but a very significant reduction of latencies (one order
of magnitude) :

In following bench, 200 antagonist "netperf -t TCP_RR" are started in
background, using all available cpus.

Then we start one "netperf -t TCP_RR", bound to the cpu handling the NIC
IRQ (hard+soft)

Before patch :

# netperf -H 7.7.7.84 -t TCP_RR -T2,2 -- -k
RT_LATENCY,MIN_LATENCY,MAX_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,MEAN_LATENCY,STDDEV_LATENCY
MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET
to 7.7.7.84 () port 0 AF_INET : first burst 0 : cpu bind
RT_LATENCY=550110.424
MIN_LATENCY=146858
MAX_LATENCY=997109
P50_LATENCY=305000
P90_LATENCY=550000
P99_LATENCY=710000
MEAN_LATENCY=376989.12
STDDEV_LATENCY=184046.92

After patch :

# netperf -H 7.7.7.84 -t TCP_RR -T2,2 -- -k
RT_LATENCY,MIN_LATENCY,MAX_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,MEAN_LATENCY,STDDEV_LATENCY
MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET
to 7.7.7.84 () port 0 AF_INET : first burst 0 : cpu bind
RT_LATENCY=40545.492
MIN_LATENCY=9834
MAX_LATENCY=78366
P50_LATENCY=33583
P90_LATENCY=59000
P99_LATENCY=69000
MEAN_LATENCY=38364.67
STDDEV_LATENCY=12865.26

Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: David Miller <da...@davemloft.net>
Cc: Tom Herbert <ther...@google.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Cc: Rui Xiang <rui....@huawei.com>
---
kernel/softirq.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)

--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -194,21 +194,21 @@ void local_bh_enable_ip(unsigned long ip
EXPORT_SYMBOL(local_bh_enable_ip);

/*
- * We restart softirq processing MAX_SOFTIRQ_RESTART times,
- * and we fall back to softirqd after that.
+ * We restart softirq processing for at most 2 ms,
+ * and if need_resched() is not set.
*
- * This number has been established via experimentation.
+ * These limits have been established via experimentation.
* The two things to balance is latency against fairness -
* we want to handle softirqs as soon as possible, but they
* should not be able to lock up the box.
*/
-#define MAX_SOFTIRQ_RESTART 10
+#define MAX_SOFTIRQ_TIME msecs_to_jiffies(2)

asmlinkage void __do_softirq(void)
{
struct softirq_action *h;
__u32 pending;
- int max_restart = MAX_SOFTIRQ_RESTART;
+ unsigned long end = jiffies + MAX_SOFTIRQ_TIME;
int cpu;

pending = local_softirq_pending();
@@ -255,11 +255,12 @@ restart:
local_irq_disable();

pending = local_softirq_pending();
- if (pending && --max_restart)
- goto restart;
+ if (pending) {
+ if (time_before(jiffies, end) && !need_resched())
+ goto restart;

- if (pending)
wakeup_softirqd();
+ }

lockdep_softirq_exit();

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <ros...@goodmis.org>

commit 2cf30dc180cea808077f003c5116388183e54f9e upstream.

When the following filter is used it causes a warning to trigger:

# cd /sys/kernel/debug/tracing
# echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
-bash: echo: write error: Invalid argument
# cat events/ext4/ext4_truncate_exit/filter
((dev==1)blocks==2)
^
parse_error: No error

------------[ cut here ]------------
WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
Modules linked in: bnep lockd grace bluetooth ...
CPU: 3 PID: 1223 Comm: bash Tainted: G W 4.1.0-rc3-test+ #450
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
Call Trace:
[<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
[<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
[<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
[<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
[<ffffffff81159065>] replace_preds+0x3c5/0x990
[<ffffffff811596b2>] create_filter+0x82/0xb0
[<ffffffff81159944>] apply_event_filter+0xd4/0x180
[<ffffffff81152bbf>] event_filter_write+0x8f/0x120
[<ffffffff811db2a8>] __vfs_write+0x28/0xe0
[<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
[<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
[<ffffffff811dc408>] vfs_write+0xb8/0x1b0
[<ffffffff811dc72f>] SyS_write+0x4f/0xb0
[<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
---[ end trace e11028bd95818dcd ]---

Worse yet, reading the error message (the filter again) it says that
there was no error, when there clearly was. The issue is that the
code that checks the input does not check for balanced ops. That is,
having an op between a closed parenthesis and the next token.

This would only cause a warning, and fail out before doing any real
harm, but it should still not caues a warning, and the error reported
should work:

# cd /sys/kernel/debug/tracing
# echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
-bash: echo: write error: Invalid argument
# cat events/ext4/ext4_truncate_exit/filter
((dev==1)blocks==2)
^
parse_error: Meaningless filter expression

And give no kernel warning.

Link: http://lkml.kernel.org/r/20150615175...@gandalf.local.home

Cc: Peter Zijlstra <a.p.zi...@chello.nl>
Cc: Ingo Molnar <mi...@redhat.com>
Cc: Arnaldo Carvalho de Melo <ac...@kernel.org>
Reported-by: Vince Weaver <vincent...@maine.edu>
Tested-by: Vince Weaver <vincent...@maine.edu>
Signed-off-by: Steven Rostedt <ros...@goodmis.org>
[bwh: Backported to 3.2: drop the check for OP_NOT, which we don't have]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1343,19 +1343,25 @@ static int check_preds(struct filter_par
{
int n_normal_preds = 0, n_logical_preds = 0;
struct postfix_elt *elt;
+ int cnt = 0;

list_for_each_entry(elt, &ps->postfix, list) {
- if (elt->op == OP_NONE)
+ if (elt->op == OP_NONE) {
+ cnt++;
continue;
+ }

if (elt->op == OP_AND || elt->op == OP_OR) {
n_logical_preds++;
+ cnt--;
continue;
}
+ cnt--;
n_normal_preds++;
+ WARN_ON_ONCE(cnt < 0);
}

- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
return -EINVAL;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <ol...@redhat.com>

commit e1403b8edf669ff49bbdf602cc97fefa2760cb15 upstream.

task_struct->pid/tgid should go away.

1. Change same_thread_group() to use task->signal for comparison.

2. Change has_group_leader_pid(task) to compare task_pid(task) with
signal->leader_pid.

Signed-off-by: Oleg Nesterov <ol...@redhat.com>
Cc: Michal Hocko <mho...@suse.cz>
Cc: Sergey Dyasly <dse...@gmail.com>
Reviewed-by: "Eric W. Biederman" <ebie...@xmission.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Ingo Molnar <mi...@elte.hu>
Cc: Peter Zijlstra <a.p.zi...@chello.nl>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Cc: Sheng Yong <sheng...@huawei.com>
---
include/linux/sched.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2347,15 +2347,15 @@ static inline bool thread_group_leader(s
* all we care about is that we have a task with the appropriate
* pid, we don't actually care if we have the right task.
*/
-static inline int has_group_leader_pid(struct task_struct *p)
+static inline bool has_group_leader_pid(struct task_struct *p)
{
- return p->pid == p->tgid;
+ return task_pid(p) == p->signal->leader_pid;
}

static inline
-int same_thread_group(struct task_struct *p1, struct task_struct *p2)
+bool same_thread_group(struct task_struct *p1, struct task_struct *p2)
{
- return p1->tgid == p2->tgid;
+ return p1->signal == p2->signal;
}

static inline struct task_struct *next_thread(const struct task_struct *p)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 483d821108791092798f5d230686868112927044 upstream.

Unregister GPIOs requested through sysfs at chip remove to avoid leaking
the associated memory and sysfs entries.

The stale sysfs entries prevented the gpio numbers from being exported
when the gpio range was later reused (e.g. at device reconnect).

This also fixes the related module-reference leak.

Note that kernfs makes sure that any on-going sysfs operations finish
before the class devices are unregistered and that further accesses
fail.

The chip exported flag is used to prevent gpiod exports during removal.
This also makes it harder to trigger, but does not fix, the related race
between gpiochip_remove and export_store, which is really a race with
gpiod_request that needs to be addressed separately.

Also note that this would prevent the crashes (e.g. NULL-dereferences)
at reconnect that affects pre-3.18 kernels, as well as use-after-free on
operations on open attribute files on pre-3.14 kernels (prior to
kernfs).

Fixes: d8f388d8dc8d ("gpio: sysfs interface")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Linus Walleij <linus....@linaro.org>
[bwh: Backported to 3.2:
- Adjust filename, context
- Move up initialisation of 'desc' in gpio_export()
- Use global 'gpio_desc' array and gpio_free() function in
gpiochip_unexport()]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -726,6 +726,7 @@ static struct class gpio_class = {
*/
int gpio_export(unsigned gpio, bool direction_may_change)
{
+ struct gpio_chip *chip;
unsigned long flags;
struct gpio_desc *desc;
int status;
@@ -743,10 +744,18 @@ int gpio_export(unsigned gpio, bool dire
return -EINVAL;
}

+ desc = &gpio_desc[gpio];
+ chip = desc->chip;
+
mutex_lock(&sysfs_lock);

+ /* check if chip is being removed */
+ if (!chip || !chip->exported) {
+ status = -ENODEV;
+ goto fail_unlock;
+ }
+
spin_lock_irqsave(&gpio_lock, flags);
- desc = &gpio_desc[gpio];
if (!test_bit(FLAG_REQUESTED, &desc->flags) ||
test_bit(FLAG_EXPORT, &desc->flags)) {
spin_unlock_irqrestore(&gpio_lock, flags);
@@ -973,12 +982,15 @@ static void gpiochip_unexport(struct gpi
{
int status;
struct device *dev;
+ struct gpio_desc *desc;
+ unsigned int i;

mutex_lock(&sysfs_lock);
dev = class_find_device(&gpio_class, NULL, chip, match_export);
if (dev) {
put_device(dev);
device_unregister(dev);
+ /* prevent further gpiod exports */
chip->exported = 0;
status = 0;
} else
@@ -988,6 +1000,13 @@ static void gpiochip_unexport(struct gpi
if (status)
pr_debug("%s: chip %s status %d\n", __func__,
chip->label, status);
+
+ /* unregister gpio class devices owned by sysfs */
+ for (i = 0; i < chip->ngpio; i++) {
+ desc = &gpio_desc[chip->base + i];
+ if (test_and_clear_bit(FLAG_SYSFS, &desc->flags))
+ gpio_free(chip->base + i);
+ }
}

static int __init gpiolib_sysfs_init(void)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mark Edwards <sonofaf...@gmail.com>

commit c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 upstream.

Added the USB serial console device ID for KCF Technologies PRN device
which has a USB port for its serial console.

Signed-off-by: Mark Edwards <sonofaf...@gmail.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/cp210x.c | 1 +

1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -133,6 +133,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
{ USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
{ USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
+ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Grygorii Strashko <Grygorii...@linaro.org>

commit 184af16b09360d6273fd6160e6ff7f8e2482ef23 upstream.

The PM_RESTORE_PREPARE is not handled now in mmc_pm_notify(),
as result mmc_rescan() could be scheduled and executed at
late hibernation restore stages when MMC device is suspended
already - which, in turn, will lead to system crash on TI dra7-evm board:

WARNING: CPU: 0 PID: 3188 at drivers/bus/omap_l3_noc.c:148 l3_interrupt_handler+0x258/0x374()
44000000.ocp:L3 Custom Error: MASTER MPU TARGET L4_PER1_P3 (Idle): Data Access in User mode during Functional access

Hence, add missed PM_RESTORE_PREPARE PM event in mmc_pm_notify().

Fixes: 4c2ef25fe0b8 (mmc: fix all hangs related to mmc/sd card...)
Signed-off-by: Grygorii Strashko <Grygorii...@linaro.org>
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/mmc/core/core.c | 1 +

1 file changed, 1 insertion(+)

--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -2424,6 +2424,7 @@ int mmc_pm_notify(struct notifier_block
switch (mode) {
case PM_HIBERNATION_PREPARE:
case PM_SUSPEND_PREPARE:
+ case PM_RESTORE_PREPARE:

spin_lock_irqsave(&host->lock, flags);
host->rescan_disable = 1;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.de>

commit 6e9eac2dcee5e19f125967dd2be3e36558c42fff upstream.

If any memory allocation in resize_stripes fails we will return
-ENOMEM, but in some cases we update conf->pool_size anyway.

This means that if we try again, the allocations will be assumed
to be larger than they are, and badness results.

So only update pool_size if there is no error.

This bug was introduced in 2.6.17 and the patch is suitable for
-stable.

Fixes: ad01c9e3752f ("[PATCH] md: Allow stripes to be expanded in preparation for expanding an array")
Signed-off-by: NeilBrown <ne...@suse.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/md/raid5.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -1554,7 +1554,8 @@ static int resize_stripes(struct r5conf

conf->slab_cache = sc;
conf->active_name = 1-conf->active_name;
- conf->pool_size = newsize;
+ if (!err)
+ conf->pool_size = newsize;
return err;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 1c94e65c668f44d2c69ae7e7fc268ab3268fba3e upstream.

The OSS emulation in synth-emux helper has a potential AB/BA deadlock
at the simultaneous closing and opening:

close ->
snd_seq_release() ->
sne_seq_free_client() ->
snd_seq_delete_all_ports(): takes client->ports_mutex ->
port_delete() ->
snd_emux_unuse(): takes emux->register_mutex

open ->
snd_seq_oss_open() ->
snd_emux_open_seq_oss(): takes emux->register_mutex ->
snd_seq_event_port_attach() ->
snd_seq_create_port(): takes client->ports_mutex

This patch addresses the deadlock by reducing the rance taking
emux->register_mutex in snd_emux_open_seq_oss(). The lock is needed
for the refcount handling, so move it locally. The calls in
emux_seq.c are already with the mutex, thus they are replaced with the
version without mutex lock/unlock.

Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

sound/synth/emux/emux_oss.c | 11 +----------
sound/synth/emux/emux_seq.c | 27 +++++++++++++++++++++------
2 files changed, 22 insertions(+), 16 deletions(-)

--- a/sound/synth/emux/emux_oss.c
+++ b/sound/synth/emux/emux_oss.c
@@ -118,12 +118,8 @@ snd_emux_open_seq_oss(struct snd_seq_oss
if (snd_BUG_ON(!arg || !emu))
return -ENXIO;

- mutex_lock(&emu->register_mutex);
-
- if (!snd_emux_inc_count(emu)) {
- mutex_unlock(&emu->register_mutex);
+ if (!snd_emux_inc_count(emu))
return -EFAULT;
- }

memset(&callback, 0, sizeof(callback));
callback.owner = THIS_MODULE;
@@ -135,7 +131,6 @@ snd_emux_open_seq_oss(struct snd_seq_oss
if (p == NULL) {
snd_printk(KERN_ERR "can't create port\n");
snd_emux_dec_count(emu);
- mutex_unlock(&emu->register_mutex);
return -ENOMEM;
}

@@ -148,8 +143,6 @@ snd_emux_open_seq_oss(struct snd_seq_oss
reset_port_mode(p, arg->seq_mode);

snd_emux_reset_port(p);
-
- mutex_unlock(&emu->register_mutex);
return 0;
}

@@ -195,13 +188,11 @@ snd_emux_close_seq_oss(struct snd_seq_os
if (snd_BUG_ON(!emu))
return -ENXIO;

- mutex_lock(&emu->register_mutex);
snd_emux_sounds_off_all(p);
snd_soundfont_close_check(emu->sflist, SF_CLIENT_NO(p->chset.port));
snd_seq_event_port_detach(p->chset.client, p->chset.port);
snd_emux_dec_count(emu);

- mutex_unlock(&emu->register_mutex);
return 0;
}

--- a/sound/synth/emux/emux_seq.c
+++ b/sound/synth/emux/emux_seq.c
@@ -267,8 +267,8 @@ snd_emux_event_input(struct snd_seq_even
/*
* increment usage count
*/
-int
-snd_emux_inc_count(struct snd_emux *emu)
+static int
+__snd_emux_inc_count(struct snd_emux *emu)
{
emu->used++;
if (!try_module_get(emu->ops.owner))
@@ -282,12 +282,21 @@ snd_emux_inc_count(struct snd_emux *emu)
return 1;
}

+int snd_emux_inc_count(struct snd_emux *emu)
+{
+ int ret;
+
+ mutex_lock(&emu->register_mutex);
+ ret = __snd_emux_inc_count(emu);
+ mutex_unlock(&emu->register_mutex);
+ return ret;
+}

/*
* decrease usage count
*/
-void
-snd_emux_dec_count(struct snd_emux *emu)
+static void
+__snd_emux_dec_count(struct snd_emux *emu)
{
module_put(emu->card->module);
emu->used--;
@@ -296,6 +305,12 @@ snd_emux_dec_count(struct snd_emux *emu)
module_put(emu->ops.owner);
}

+void snd_emux_dec_count(struct snd_emux *emu)
+{
+ mutex_lock(&emu->register_mutex);
+ __snd_emux_dec_count(emu);
+ mutex_unlock(&emu->register_mutex);
+}

/*
* Routine that is called upon a first use of a particular port
@@ -315,7 +330,7 @@ snd_emux_use(void *private_data, struct

mutex_lock(&emu->register_mutex);
snd_emux_init_port(p);
- snd_emux_inc_count(emu);
+ __snd_emux_inc_count(emu);
mutex_unlock(&emu->register_mutex);
return 0;
}
@@ -338,7 +353,7 @@ snd_emux_unuse(void *private_data, struc

mutex_lock(&emu->register_mutex);
snd_emux_sounds_off_all(p);
- snd_emux_dec_count(emu);
+ __snd_emux_dec_count(emu);
mutex_unlock(&emu->register_mutex);
return 0;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Zubaj <pzu...@marticonet.sk>

commit 7241ea558c6715501e777396b5fc312c372e11d9 upstream.

Looks like audigy emu10k2 (probably emu10k1 - sb live too) support two
modes for DMA. Second mode is useful for 64 bit os with more then 2 GB
of ram (fixes problems with big soundfont loading)

1) 32MB from 2 GB address space using 8192 pages (used now as default)
2) 16MB from 4 GB address space using 4096 pages

Mode is set using HCFG_EXPANDED_MEM flag in HCFG register.
Also format of emu10k2 page table is then different.

Signed-off-by: Peter Zubaj <pzu...@marticonet.sk>
Tested-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

include/sound/emu10k1.h | 14 +++++++++-----
sound/pci/emu10k1/emu10k1_callback.c | 4 ++--
sound/pci/emu10k1/emu10k1_main.c | 17 ++++++++++++-----
sound/pci/emu10k1/emupcm.c | 2 +-
sound/pci/emu10k1/memory.c | 11 ++++++-----
5 files changed, 30 insertions(+), 18 deletions(-)

--- a/include/sound/emu10k1.h
+++ b/include/sound/emu10k1.h
@@ -43,7 +43,8 @@

#define EMUPAGESIZE 4096
#define MAXREQVOICES 8
-#define MAXPAGES 8192
+#define MAXPAGES0 4096 /* 32 bit mode */
+#define MAXPAGES1 8192 /* 31 bit mode */
#define RESERVED 0
#define NUM_MIDI 16
#define NUM_G 64 /* use all channels */
@@ -52,8 +53,7 @@

/* FIXME? - according to the OSS driver the EMU10K1 needs a 29 bit DMA mask */
#define EMU10K1_DMA_MASK 0x7fffffffUL /* 31bit */
-#define AUDIGY_DMA_MASK 0x7fffffffUL /* 31bit FIXME - 32 should work? */
- /* See ALSA bug #1276 - rlrevell */
+#define AUDIGY_DMA_MASK 0xffffffffUL /* 32bit mode */

#define TMEMSIZE 256*1024
#define TMEMSIZEREG 4
@@ -470,8 +470,11 @@

#define MAPB 0x0d /* Cache map B */

-#define MAP_PTE_MASK 0xffffe000 /* The 19 MSBs of the PTE indexed by the PTI */
-#define MAP_PTI_MASK 0x00001fff /* The 13 bit index to one of the 8192 PTE dwords */
+#define MAP_PTE_MASK0 0xfffff000 /* The 20 MSBs of the PTE indexed by the PTI */
+#define MAP_PTI_MASK0 0x00000fff /* The 12 bit index to one of the 4096 PTE dwords */
+
+#define MAP_PTE_MASK1 0xffffe000 /* The 19 MSBs of the PTE indexed by the PTI */
+#define MAP_PTI_MASK1 0x00001fff /* The 13 bit index to one of the 8192 PTE dwords */

/* 0x0e, 0x0f: Not used */

@@ -1708,6 +1711,7 @@ struct snd_emu10k1 {
unsigned short model; /* subsystem id */
unsigned int card_type; /* EMU10K1_CARD_* */
unsigned int ecard_ctrl; /* ecard control bits */
+ unsigned int address_mode; /* address mode */
unsigned long dma_mask; /* PCI DMA mask */
unsigned int delay_pcm_irq; /* in samples */
int max_cache_pages; /* max memory size / PAGE_SIZE */
--- a/sound/pci/emu10k1/emu10k1_callback.c
+++ b/sound/pci/emu10k1/emu10k1_callback.c
@@ -415,7 +415,7 @@ start_voice(struct snd_emux_voice *vp)
snd_emu10k1_ptr_write(hw, Z2, ch, 0);

/* invalidate maps */
- temp = (hw->silent_page.addr << 1) | MAP_PTI_MASK;
+ temp = (hw->silent_page.addr << hw->address_mode) | (hw->address_mode ? MAP_PTI_MASK1 : MAP_PTI_MASK0);
snd_emu10k1_ptr_write(hw, MAPA, ch, temp);
snd_emu10k1_ptr_write(hw, MAPB, ch, temp);
#if 0
@@ -436,7 +436,7 @@ start_voice(struct snd_emux_voice *vp)
snd_emu10k1_ptr_write(hw, CDF, ch, sample);

/* invalidate maps */
- temp = ((unsigned int)hw->silent_page.addr << 1) | MAP_PTI_MASK;
+ temp = ((unsigned int)hw->silent_page.addr << hw_address_mode) | (hw->address_mode ? MAP_PTI_MASK1 : MAP_PTI_MASK0);
snd_emu10k1_ptr_write(hw, MAPA, ch, temp);
snd_emu10k1_ptr_write(hw, MAPB, ch, temp);

--- a/sound/pci/emu10k1/emu10k1_main.c
+++ b/sound/pci/emu10k1/emu10k1_main.c
@@ -282,7 +282,7 @@ static int snd_emu10k1_init(struct snd_e
snd_emu10k1_ptr_write(emu, TCB, 0, 0); /* taken from original driver */
snd_emu10k1_ptr_write(emu, TCBS, 0, 4); /* taken from original driver */

- silent_page = (emu->silent_page.addr << 1) | MAP_PTI_MASK;
+ silent_page = (emu->silent_page.addr << emu->address_mode) | (emu->address_mode ? MAP_PTI_MASK1 : MAP_PTI_MASK0);
for (ch = 0; ch < NUM_G; ch++) {
snd_emu10k1_ptr_write(emu, MAPA, ch, silent_page);
snd_emu10k1_ptr_write(emu, MAPB, ch, silent_page);
@@ -348,6 +348,11 @@ static int snd_emu10k1_init(struct snd_e
outl(reg | A_IOCFG_GPOUT0, emu->port + A_IOCFG);
}

+ if (emu->address_mode == 0) {
+ /* use 16M in 4G */
+ outl(inl(emu->port + HCFG) | HCFG_EXPANDED_MEM, emu->port + HCFG);
+ }
+
return 0;
}

@@ -1832,8 +1837,10 @@ int __devinit snd_emu10k1_create(struct

is_audigy = emu->audigy = c->emu10k2_chip;

+ /* set addressing mode */
+ emu->address_mode = is_audigy ? 0 : 1;
/* set the DMA transfer mask */
- emu->dma_mask = is_audigy ? AUDIGY_DMA_MASK : EMU10K1_DMA_MASK;
+ emu->dma_mask = emu->address_mode ? EMU10K1_DMA_MASK : AUDIGY_DMA_MASK;
if (pci_set_dma_mask(pci, emu->dma_mask) < 0 ||
pci_set_consistent_dma_mask(pci, emu->dma_mask) < 0) {
snd_printk(KERN_ERR "architecture does not support PCI busmaster DMA with mask 0x%lx\n", emu->dma_mask);
@@ -1856,7 +1863,7 @@ int __devinit snd_emu10k1_create(struct

emu->max_cache_pages = max_cache_bytes >> PAGE_SHIFT;
if (snd_dma_alloc_pages(SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(pci),
- 32 * 1024, &emu->ptb_pages) < 0) {
+ (emu->address_mode ? 32 : 16) * 1024, &emu->ptb_pages) < 0) {
err = -ENOMEM;
goto error;
}
@@ -1955,8 +1962,8 @@ int __devinit snd_emu10k1_create(struct

/* Clear silent pages and set up pointers */
memset(emu->silent_page.area, 0, PAGE_SIZE);
- silent_page = emu->silent_page.addr << 1;
- for (idx = 0; idx < MAXPAGES; idx++)
+ silent_page = emu->silent_page.addr << emu->address_mode;
+ for (idx = 0; idx < (emu->address_mode ? MAXPAGES1 : MAXPAGES0); idx++)
((u32 *)emu->ptb_pages.area)[idx] = cpu_to_le32(silent_page | idx);

/* set up voice indices */
--- a/sound/pci/emu10k1/emupcm.c
+++ b/sound/pci/emu10k1/emupcm.c
@@ -379,7 +379,7 @@ static void snd_emu10k1_pcm_init_voice(s
snd_emu10k1_ptr_write(emu, Z1, voice, 0);
snd_emu10k1_ptr_write(emu, Z2, voice, 0);
/* invalidate maps */
- silent_page = ((unsigned int)emu->silent_page.addr << 1) | MAP_PTI_MASK;
+ silent_page = ((unsigned int)emu->silent_page.addr << emu->address_mode) | (emu->address_mode ? MAP_PTI_MASK1 : MAP_PTI_MASK0);
snd_emu10k1_ptr_write(emu, MAPA, voice, silent_page);
snd_emu10k1_ptr_write(emu, MAPB, voice, silent_page);
/* modulation envelope */
--- a/sound/pci/emu10k1/memory.c
+++ b/sound/pci/emu10k1/memory.c
@@ -34,10 +34,11 @@
* aligned pages in others
*/
#define __set_ptb_entry(emu,page,addr) \
- (((u32 *)(emu)->ptb_pages.area)[page] = cpu_to_le32(((addr) << 1) | (page)))
+ (((u32 *)(emu)->ptb_pages.area)[page] = cpu_to_le32(((addr) << (emu->address_mode)) | (page)))

#define UNIT_PAGES (PAGE_SIZE / EMUPAGESIZE)
-#define MAX_ALIGN_PAGES (MAXPAGES / UNIT_PAGES)
+#define MAX_ALIGN_PAGES0 (MAXPAGES0 / UNIT_PAGES)
+#define MAX_ALIGN_PAGES1 (MAXPAGES1 / UNIT_PAGES)
/* get aligned page from offset address */
#define get_aligned_page(offset) ((offset) >> PAGE_SHIFT)
/* get offset address from aligned page */
@@ -124,7 +125,7 @@ static int search_empty_map_area(struct
}
page = blk->mapped_page + blk->pages;
}
- size = MAX_ALIGN_PAGES - page;
+ size = (emu->address_mode ? MAX_ALIGN_PAGES1 : MAX_ALIGN_PAGES0) - page;
if (size >= max_size) {
*nextp = pos;
return page;
@@ -181,7 +182,7 @@ static int unmap_memblk(struct snd_emu10
q = get_emu10k1_memblk(p, mapped_link);
end_page = q->mapped_page;
} else
- end_page = MAX_ALIGN_PAGES;
+ end_page = (emu->address_mode ? MAX_ALIGN_PAGES1 : MAX_ALIGN_PAGES0);

/* remove links */
list_del(&blk->mapped_link);
@@ -305,7 +306,7 @@ snd_emu10k1_alloc_pages(struct snd_emu10
if (snd_BUG_ON(!emu))
return NULL;
if (snd_BUG_ON(runtime->dma_bytes <= 0 ||
- runtime->dma_bytes >= MAXPAGES * EMUPAGESIZE))
+ runtime->dma_bytes >= (emu->address_mode ? MAXPAGES1 : MAXPAGES0) * EMUPAGESIZE))
return NULL;
hdr = emu->memhdr;
if (snd_BUG_ON(!hdr))

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Simek <michal...@xilinx.com>

commit 5c90c07b98c02198d9777a7c4f3047b0a94bf7ed upstream.

For systems with CONFIG_SERIAL_OF_PLATFORM=y and device_type =
"serial"; property in DT of_serial.c driver maps and unmaps IRQ (because
driver probe fails). Then a driver is called but irq mapping is not
created that's why driver is failing again in again on request_irq().
Based on this use platform_get_irq() instead of platform_get_resource()
which is doing irq_desc allocation and driver itself can request IRQ.

Fix both xilinx serial drivers in the tree.

Signed-off-by: Michal Simek <michal...@xilinx.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.2:
- Adjust context
- Return directly on failure in xuartps_probe()]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/tty/serial/uartlite.c
+++ b/drivers/tty/serial/uartlite.c
@@ -573,7 +573,8 @@ MODULE_DEVICE_TABLE(of, ulite_of_match);

static int __devinit ulite_probe(struct platform_device *pdev)
{
- struct resource *res, *res2;
+ struct resource *res;
+ int irq;
int id = pdev->id;
#ifdef CONFIG_OF
const __be32 *prop;
@@ -587,11 +588,11 @@ static int __devinit ulite_probe(struct
if (!res)
return -ENODEV;

- res2 = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
- if (!res2)
- return -ENODEV;
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0)
+ return -ENXIO;

- return ulite_assign(&pdev->dev, id, res->start, res2->start);
+ return ulite_assign(&pdev->dev, id, res->start, irq);
}

static int __devexit ulite_remove(struct platform_device *pdev)
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -941,9 +941,9 @@ static struct uart_driver xuartps_uart_d
**/
static int __devinit xuartps_probe(struct platform_device *pdev)
{
- int rc;
+ int rc, irq;
struct uart_port *port;
- struct resource *res, *res2;
+ struct resource *res;
int clk = 0;

#ifdef CONFIG_OF
@@ -964,9 +964,9 @@ static int __devinit xuartps_probe(struc
if (!res)
return -ENODEV;

- res2 = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
- if (!res2)
- return -ENODEV;
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0)
+ return -ENXIO;

/* Initialize the port structure */
port = xuartps_get_port();
@@ -980,7 +980,7 @@ static int __devinit xuartps_probe(struc
* and triggers invocation of the config_port() entry point.
*/
port->mapbase = res->start;
- port->irq = res2->start;
+ port->irq = irq;
port->dev = &pdev->dev;
port->uartclk = clk;
dev_set_drvdata(&pdev->dev, port);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas...@6wind.com>

commit b0b59b0056acd6f157a04cc895f7e24692fb08aa upstream.

This command is missing.

Fixes: 97a64b4577ae ("[XFRM]: Introduce XFRM_MSG_REPORT.")
Reported-by: Stephen Smalley <s...@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas...@6wind.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

security/selinux/nlmsgtab.c | 1 +

1 file changed, 1 insertion(+)

--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -100,6 +100,7 @@ static struct nlmsg_perm nlmsg_xfrm_perm
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <h...@lst.de>

commit ebe9cb3bb13e7b9b281969cd279ce70834f7500f upstream.

If we find a non-confirmed openowner we jump to exit the function, but do
not set an error value. Fix this by factoring out a helper to do the
check and properly set the error from nfsd4_validate_stateid.

Signed-off-by: Christoph Hellwig <h...@lst.de>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/nfsd/nfs4state.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -3272,10 +3272,17 @@ static int check_stateid_generation(stat
return nfserr_old_stateid;
}

+static __be32 nfsd4_check_openowner_confirmed(struct nfs4_ol_stateid *ols)
+{
+ if (ols->st_stateowner->so_is_open_owner &&
+ !(openowner(ols->st_stateowner)->oo_flags & NFS4_OO_CONFIRMED))
+ return nfserr_bad_stateid;
+ return nfs_ok;
+}
+
__be32 nfs4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid)
{
struct nfs4_stid *s;
- struct nfs4_ol_stateid *ols;
__be32 status;

if (STALE_STATEID(stateid))
@@ -3289,11 +3296,7 @@ __be32 nfs4_validate_stateid(struct nfs4
return status;
if (!(s->sc_type & (NFS4_OPEN_STID | NFS4_LOCK_STID)))
return nfs_ok;
- ols = openlockstateid(s);
- if (ols->st_stateowner->so_is_open_owner
- && !(openowner(ols->st_stateowner)->oo_flags & NFS4_OO_CONFIRMED))
- return nfserr_bad_stateid;
- return nfs_ok;
+ return nfsd4_check_openowner_confirmed(openlockstateid(s));
}

static __be32 nfsd4_lookup_stateid(stateid_t *stateid, unsigned char typemask, struct nfs4_stid **s)
@@ -3360,8 +3363,8 @@ nfs4_preprocess_stateid_op(struct nfsd4_
status = nfs4_check_fh(current_fh, stp);
if (status)
goto out;
- if (stp->st_stateowner->so_is_open_owner
- && !(openowner(stp->st_stateowner)->oo_flags & NFS4_OO_CONFIRMED))
+ status = nfsd4_check_openowner_confirmed(stp);
+ if (status)
goto out;
status = nfs4_check_openmode(stp, flags);
if (status)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

commit 8014bcc86ef112eab9ee1db312dba4e6b608cf89 upstream.

The variable for the 'permissive' module parameter used to be static
but was recently changed to be extern. This puts it in the kernel
global namespace if the driver is built-in, so its name should begin
with a prefix identifying the driver.

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Fixes: af6fc858a35b ("xen-pciback: limit guest control of command register")
Signed-off-by: David Vrabel <david....@citrix.com>
---
drivers/xen/xen-pciback/conf_space.c | 6 +++---

drivers/xen/xen-pciback/conf_space.h | 2 +-
drivers/xen/xen-pciback/conf_space_header.c | 2 +-

3 files changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/xen/xen-pciback/conf_space.c
+++ b/drivers/xen/xen-pciback/conf_space.c
@@ -16,8 +16,8 @@
#include "conf_space.h"
#include "conf_space_quirks.h"

-bool permissive;
-module_param(permissive, bool, 0644);
+bool xen_pcibk_permissive;
+module_param_named(permissive, xen_pcibk_permissive, bool, 0644);

/* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
* xen_pcibk_write_config_word, and xen_pcibk_write_config_byte are created. */
@@ -262,7 +262,7 @@ int xen_pcibk_config_write(struct pci_de
* This means that some fields may still be read-only because
* they have entries in the config_field list that intercept
* the write and do nothing. */
- if (dev_data->permissive || permissive) {
+ if (dev_data->permissive || xen_pcibk_permissive) {
switch (size) {
case 1:
err = pci_write_config_byte(dev, offset,
--- a/drivers/xen/xen-pciback/conf_space.h
+++ b/drivers/xen/xen-pciback/conf_space.h
@@ -64,7 +64,7 @@ struct config_field_entry {
void *data;
};

-extern bool permissive;
+extern bool xen_pcibk_permissive;

#define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)

--- a/drivers/xen/xen-pciback/conf_space_header.c
+++ b/drivers/xen/xen-pciback/conf_space_header.c
@@ -105,7 +105,7 @@ static int command_write(struct pci_dev

cmd->val = value;

- if (!permissive && (!dev_data || !dev_data->permissive))
+ if (!xen_pcibk_permissive && (!dev_data || !dev_data->permissive))
return 0;

/* Only allow the guest to control certain bits. */

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" <Ja...@zx2c4.com>

commit 48ef23a4f686b1e4519d4193c20d26834ff810ff upstream.

This phone is already supported by the visor driver.

Signed-off-by: Jason A. Donenfeld <Ja...@zx2c4.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>

[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/serial/pl2303.c | 1 -
drivers/usb/serial/pl2303.h | 4 ----
2 files changed, 5 deletions(-)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -67,7 +67,6 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(DCU10_VENDOR_ID, DCU10_PRODUCT_ID) },
{ USB_DEVICE(SITECOM_VENDOR_ID, SITECOM_PRODUCT_ID) },
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_ID) },
- { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_ID) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_SX1) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_X65) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_X75) },
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -62,10 +62,6 @@
#define ALCATEL_VENDOR_ID 0x11f7
#define ALCATEL_PRODUCT_ID 0x02df

-/* Samsung I330 phone cradle */
-#define SAMSUNG_VENDOR_ID 0x04e8
-#define SAMSUNG_PRODUCT_ID 0x8001
-
#define SIEMENS_VENDOR_ID 0x11f5
#define SIEMENS_PRODUCT_ID_SX1 0x0001
#define SIEMENS_PRODUCT_ID_X65 0x0003

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <k...@microsoft.com>

commit 40384e4bbeb9f2651fe9bffc0062d9f31ef625bf upstream.

Correctly rollback state if the failure occurs after we have handed over
the ownership of the buffer to the host.

Signed-off-by: K. Y. Srinivasan <k...@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hv/channel.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -177,7 +177,7 @@ int vmbus_open(struct vmbus_channel *new
GFP_KERNEL);
if (!open_info) {
err = -ENOMEM;
- goto error0;
+ goto error_gpadl;
}

init_completion(&open_info->waitevent);
@@ -193,7 +193,7 @@ int vmbus_open(struct vmbus_channel *new

if (userdatalen > MAX_USER_DEFINED_BYTES) {
err = -EINVAL;
- goto error0;
+ goto error_gpadl;
}

if (userdatalen)
@@ -234,6 +234,9 @@ error1:
list_del(&open_info->msglistentry);
spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);

+error_gpadl:
+ vmbus_teardown_gpadl(newchannel, newchannel->ringbuffer_gpadlhandle);
+
error0:
free_pages((unsigned long)out,
get_order(send_ringbuffer_size + recv_ringbuffer_size));

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bob Moore <robert...@intel.com>

commit 0b232fcad225c35513c9d5719613ae552abccd82 upstream.

Cleanup output for Processor(). Length is a byte, not a word.

Signed-off-by: Bob Moore <robert...@intel.com>
Signed-off-by: Feng Tang <feng...@intel.com>
Signed-off-by: Len Brown <len....@intel.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/acpi/acpica/nsdump.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/acpica/nsdump.c
+++ b/drivers/acpi/acpica/nsdump.c
@@ -251,7 +251,7 @@ acpi_ns_dump_one_object(acpi_handle obj_
switch (type) {
case ACPI_TYPE_PROCESSOR:

- acpi_os_printf("ID %X Len %.4X Addr %p\n",
+ acpi_os_printf("ID %02X Len %02X Addr %p\n",
obj_desc->processor.proc_id,
obj_desc->processor.length,
ACPI_CAST_PTR(void,

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathia...@linux.intel.com>

commit 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 upstream.

Our event ring consists of only one segment, and we risk filling
the event ring in case we get isoc transfers with short intervals
such as webcams that fill a TD every microframe (125us)

With 64 TRB segment size one usb camera could fill the event ring in 8ms.
A setup with several cameras and other devices can fill up the
event ring as it is shared between all devices.
This has occurred when uvcvideo queues 5 * 32TD URBs which then
get cancelled when the video mode changes. The cancelled URBs are returned
in the xhci interrupt context and blocks the interrupt handler from
handling the new events.

A full event ring will block xhci from scheduling traffic and affect all
devices conneted to the xhci, will see errors such as Missed Service
Intervals for isoc devices, and and Split transaction errors for LS/FS
interrupt devices.

Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring
size, which is welcome as for most isoc transfer we had to dynamically
expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo
queues.

The default size used to be 64 TRBs per segment

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/host/xhci.h | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1231,7 +1231,7 @@ union xhci_trb {
* since the command ring is 64-byte aligned.
* It must also be greater than 16.
*/
-#define TRBS_PER_SEGMENT 64
+#define TRBS_PER_SEGMENT 256
/* Allow two commands + a link TRB, along with any reserved command TRBs */
#define MAX_RSVD_CMD_TRBS (TRBS_PER_SEGMENT - 3)
#define SEGMENT_SIZE (TRBS_PER_SEGMENT*16)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <casc...@redhat.com>

commit 47cc84ce0c2fe75c99ea5963c4b5704dd78ead54 upstream.

When more than a multicast address is present in a MLDv2 report, all but
the first address is ignored, because the code breaks out of the loop if
there has not been an error adding that address.

This has caused failures when two guests connected through the bridge
tried to communicate using IPv6. Neighbor discoveries would not be
transmitted to the other guest when both used a link-local address and a
static address.

This only happens when there is a MLDv2 querier in the network.

The fix will only break out of the loop when there is a failure adding a
multicast address.

The mdb before the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp

After the patch:

dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
dev ovirtmgmt port bond0.86 grp ff02::fb temp
dev ovirtmgmt port bond0.86 grp ff02::2 temp
dev ovirtmgmt port bond0.86 grp ff02::d temp
dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp
dev ovirtmgmt port bond0.86 grp ff02::16 temp
dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp
dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp
dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp

Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
Reported-by: Rik Theys <Rik....@esat.kuleuven.be>
Signed-off-by: Thadeu Lima de Souza Cascardo <casc...@redhat.com>
Tested-by: Rik Theys <Rik....@esat.kuleuven.be>

Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Cc: Jonathan Toppins <jtop...@cumulusnetworks.com>
---
net/bridge/br_multicast.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -972,7 +972,7 @@ static int br_ip6_multicast_mld2_report(
}

err = br_ip6_multicast_add_group(br, port, &grec->grec_mca);
- if (!err)
+ if (err)
break;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feng Tang <feng...@intel.com>

commit 55c844a4dd16a4d1fdc0cf2a283ec631a02ec448 upstream.

When rebooting our 24 CPU Westmere servers with 3.4-rc6, we
always see this warning msg:

Restarting system.
machine restart
------------[ cut here ]------------
WARNING: at arch/x86/kernel/smp.c:125
native_smp_send_reschedule+0x74/0xa7() Hardware name: X8DTN
Modules linked in: igb [last unloaded: scsi_wait_scan]
Pid: 1, comm: systemd-shutdow Not tainted 3.4.0-rc6+ #22
Call Trace:
<IRQ> [<ffffffff8102a41f>] warn_slowpath_common+0x7e/0x96
[<ffffffff8102a44c>] warn_slowpath_null+0x15/0x17
[<ffffffff81018cf7>] native_smp_send_reschedule+0x74/0xa7
[<ffffffff810561c1>] trigger_load_balance+0x279/0x2a6
[<ffffffff81050112>] scheduler_tick+0xe0/0xe9
[<ffffffff81036768>] update_process_times+0x60/0x70
[<ffffffff81062f2f>] tick_sched_timer+0x68/0x92
[<ffffffff81046e33>] __run_hrtimer+0xb3/0x13c
[<ffffffff81062ec7>] ? tick_nohz_handler+0xd0/0xd0
[<ffffffff810474f2>] hrtimer_interrupt+0xdb/0x198
[<ffffffff81019a35>] smp_apic_timer_interrupt+0x81/0x94
[<ffffffff81655187>] apic_timer_interrupt+0x67/0x70
<EOI> [<ffffffff8101a3c4>] ? default_send_IPI_mask_allbutself_phys+0xb4/0xc4
[<ffffffff8101c680>] physflat_send_IPI_allbutself+0x12/0x14
[<ffffffff81018db4>] native_nmi_stop_other_cpus+0x8a/0xd6
[<ffffffff810188ba>] native_machine_shutdown+0x50/0x67
[<ffffffff81018926>] machine_shutdown+0xa/0xc
[<ffffffff8101897e>] native_machine_restart+0x20/0x32
[<ffffffff810189b0>] machine_restart+0xa/0xc
[<ffffffff8103b196>] kernel_restart+0x47/0x4c
[<ffffffff8103b2e6>] sys_reboot+0x13e/0x17c
[<ffffffff8164e436>] ? _raw_spin_unlock_bh+0x10/0x12
[<ffffffff810fcac9>] ? bdi_queue_work+0xcf/0xd8
[<ffffffff810fe82f>] ? __bdi_start_writeback+0xae/0xb7
[<ffffffff810e0d64>] ? iterate_supers+0xa3/0xb7
[<ffffffff816547a2>] system_call_fastpath+0x16/0x1b
---[ end trace 320af5cb1cb60c5b ]---

The root cause seems to be the
default_send_IPI_mask_allbutself_phys() takes quite some time (I
measured it could be several ms) to complete sending NMIs to all
the other 23 CPUs, and for HZ=250/1000 system, the time is long
enough for a timer interrupt to happen, which will in turn
trigger to kick load balance to a stopped CPU and cause this
warning in native_smp_send_reschedule().

So disabling the local irq before stop_other_cpu() can fix this
problem (tested 25 times reboot ok), and it is fine as there
should be nobody caring the timer interrupt in such reboot
stage.

The latest 3.4 kernel slightly changes this behavior by sending
REBOOT_VECTOR first and only send NMI_VECTOR if the REBOOT_VCTOR
fails, and this patch is still needed to prevent the problem.

Signed-off-by: Feng Tang <feng...@intel.com>
Acked-by: Don Zickus <dzi...@redhat.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Link: http://lkml.kernel.org/r/20120530231541.4c13433a@feng-i7
Signed-off-by: Ingo Molnar <mi...@kernel.org>

[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Cc: Vinson Lee <vl...@twopensource.com>
---
arch/x86/kernel/reboot.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -700,9 +700,12 @@ void native_machine_shutdown(void)
/* Make certain I only run on the appropriate processor */
set_cpus_allowed_ptr(current, cpumask_of(reboot_cpu_id));

- /* O.K Now that I'm on the appropriate processor,
- * stop all of the others.
+ /*
+ * O.K Now that I'm on the appropriate processor, stop all of the
+ * others. Also disable the local irq to not receive the per-cpu
+ * timer interrupt which may trigger scheduler's load balance.
*/
+ local_irq_disable();
stop_other_cpus();
#endif

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darric...@oracle.com>

commit e531d0bceb402e643a4499de40dd3fa39d8d2e43 upstream.

The journal revoke block recovery code does not check r_count for
sanity, which means that an evil value of r_count could result in
the kernel reading off the end of the revoke table and into whatever
garbage lies beyond. This could crash the kernel, so fix that.

However, in testing this fix, I discovered that the code to write
out the revoke tables also was not correctly checking to see if the
block was full -- the current offset check is fine so long as the
revoke table space size is a multiple of the record size, but this
is not true when either journal_csum_v[23] are set.

Signed-off-by: Darrick J. Wong <darric...@oracle.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Reviewed-by: Jan Kara <ja...@suse.cz>
[bwh: Backported to 3.2: journal checksumming is not supported, so only
the first fix is needed]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/fs/jbd2/recovery.c
+++ b/fs/jbd2/recovery.c
@@ -711,11 +711,16 @@ static int scan_revoke_records(journal_t
{
jbd2_journal_revoke_header_t *header;
int offset, max;
+ __u32 rcount;
int record_len = 4;

header = (jbd2_journal_revoke_header_t *) bh->b_data;
offset = sizeof(jbd2_journal_revoke_header_t);
- max = be32_to_cpu(header->r_count);
+ rcount = be32_to_cpu(header->r_count);
+
+ if (rcount > journal->j_blocksize)
+ return -EINVAL;
+ max = rcount;

if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
record_len = 8;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Vrabel <david....@citrix.com>

commit 77bb3dfdc0d554befad58fdefbc41be5bc3ed38a upstream.

A non-percpu VIRQ (e.g., VIRQ_CONSOLE) may be freed on a different
VCPU than it is bound to. This can result in a race between
handle_percpu_irq() and removing the action in __free_irq() because
handle_percpu_irq() does not take desc->lock. The interrupt handler
sees a NULL action and oopses.

Only use the percpu chip/handler for per-CPU VIRQs (like VIRQ_TIMER).

# cat /proc/interrupts | grep virq
40: 87246 0 xen-percpu-virq timer0
44: 0 0 xen-percpu-virq debug0
47: 0 20995 xen-percpu-virq timer1
51: 0 0 xen-percpu-virq debug1
69: 0 0 xen-dyn-virq xen-pcpu
74: 0 0 xen-dyn-virq mce
75: 29 0 xen-dyn-virq hvc_console

Signed-off-by: David Vrabel <david....@citrix.com>
[bwh: Backported to 3.2: adjust filename, context, indentation]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/tty/hvc/hvc_xen.c | 2 +-
drivers/xen/events.c | 12 ++++++++----
include/xen/events.h | 2 +-
3 files changed, 10 insertions(+), 6 deletions(-)

--- a/drivers/tty/hvc/hvc_xen.c
+++ b/drivers/tty/hvc/hvc_xen.c
@@ -167,7 +167,7 @@ static int __init xen_hvc_init(void)

if (xen_initial_domain()) {
ops = &dom0_hvc_ops;
- xencons_irq = bind_virq_to_irq(VIRQ_CONSOLE, 0);
+ xencons_irq = bind_virq_to_irq(VIRQ_CONSOLE, 0, false);
} else {
if (!xen_start_info->console.domU.evtchn)
return -ENODEV;
--- a/drivers/xen/events.c
+++ b/drivers/xen/events.c
@@ -895,7 +895,7 @@ static int find_virq(unsigned int virq,
return rc;
}

-int bind_virq_to_irq(unsigned int virq, unsigned int cpu)
+int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu)
{
struct evtchn_bind_virq bind_virq;
int evtchn, irq, ret;
@@ -909,8 +909,12 @@ int bind_virq_to_irq(unsigned int virq,
if (irq == -1)
goto out;

- irq_set_chip_and_handler_name(irq, &xen_percpu_chip,
- handle_percpu_irq, "virq");
+ if (percpu)
+ irq_set_chip_and_handler_name(irq, &xen_percpu_chip,
+ handle_percpu_irq, "virq");
+ else
+ irq_set_chip_and_handler_name(irq, &xen_dynamic_chip,
+ handle_edge_irq, "virq");

bind_virq.virq = virq;
bind_virq.vcpu = cpu;
@@ -1023,7 +1027,7 @@ int bind_virq_to_irqhandler(unsigned int
{
int irq, retval;

- irq = bind_virq_to_irq(virq, cpu);
+ irq = bind_virq_to_irq(virq, cpu, irqflags & IRQF_PERCPU);
if (irq < 0)
return irq;
retval = request_irq(irq, handler, irqflags, devname, dev_id);
--- a/include/xen/events.h
+++ b/include/xen/events.h
@@ -12,7 +12,7 @@ int bind_evtchn_to_irqhandler(unsigned i
irq_handler_t handler,
unsigned long irqflags, const char *devname,
void *dev_id);
-int bind_virq_to_irq(unsigned int virq, unsigned int cpu);
+int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu);
int bind_virq_to_irqhandler(unsigned int virq, unsigned int cpu,
irq_handler_t handler,
unsigned long irqflags, const char *devname,

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander...@nokia.com>

commit 73bf3c2a500b2db8ac966469591196bf55afb409 upstream.

udelay() in PCI/PCIe read/write callbacks cause 30ms IRQ latency on Octeon
platforms because these operations are called from PCI_OP_READ() and
PCI_OP_WRITE() under raw_spin_lock_irqsave().

Signed-off-by: Alexander Sverdlin <alexander...@nokia.com>
Cc: linux...@linux-mips.org
Cc: David Daney <dda...@cavium.com>
Cc: Rob Herring <ro...@kernel.org>
Cc: Jiri Kosina <jko...@suse.cz>
Cc: Randy Dunlap <rdu...@infradead.org>
Cc: Masanari Iida <stand...@gmail.com>
Cc: Bjorn Helgaas <bhel...@google.com>
Cc: Mathias <mathia...@nokia.com>
Patchwork: https://patchwork.linux-mips.org/patch/9576/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>
[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/mips/include/asm/octeon/pci-octeon.h | 3 ---
arch/mips/pci/pci-octeon.c | 6 ------
arch/mips/pci/pcie-octeon.c | 8 --------
3 files changed, 17 deletions(-)

--- a/arch/mips/include/asm/octeon/pci-octeon.h
+++ b/arch/mips/include/asm/octeon/pci-octeon.h
@@ -11,9 +11,6 @@

#include <linux/pci.h>

-/* Some PCI cards require delays when accessing config space. */
-#define PCI_CONFIG_SPACE_DELAY 10000
-
/*
* The physical memory base mapped by BAR1. 256MB at the end of the
* first 4GB.
--- a/arch/mips/pci/pci-octeon.c
+++ b/arch/mips/pci/pci-octeon.c
@@ -279,9 +279,6 @@ static int octeon_read_config(struct pci
pci_addr.s.func = devfn & 0x7;
pci_addr.s.reg = reg;

-#if PCI_CONFIG_SPACE_DELAY
- udelay(PCI_CONFIG_SPACE_DELAY);
-#endif
switch (size) {
case 4:
*val = le32_to_cpu(cvmx_read64_uint32(pci_addr.u64));
@@ -316,9 +313,6 @@ static int octeon_write_config(struct pc
pci_addr.s.func = devfn & 0x7;
pci_addr.s.reg = reg;

-#if PCI_CONFIG_SPACE_DELAY
- udelay(PCI_CONFIG_SPACE_DELAY);
-#endif
switch (size) {
case 4:
cvmx_write64_uint32(pci_addr.u64, cpu_to_le32(val));
--- a/arch/mips/pci/pcie-octeon.c
+++ b/arch/mips/pci/pcie-octeon.c
@@ -1219,9 +1219,6 @@ static inline int octeon_pcie_write_conf
devfn & 0x7, reg, val);
return PCIBIOS_SUCCESSFUL;
}
-#if PCI_CONFIG_SPACE_DELAY
- udelay(PCI_CONFIG_SPACE_DELAY);
-#endif
return PCIBIOS_FUNC_NOT_SUPPORTED;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <benjamin....@redhat.com>

commit 3c0213d17a09601e0c6c0ae0e27caf70d988290f upstream.

When the v3 hardware sees more than one finger, it uses the semi-mt
protocol to report the touches. However, it currently works when
num_fingers is 0, 1 or 2, but when it is 3 and above, it sends only 1
finger as if num_fingers was 1.

This confuses userspace which knows how to deal with extra fingers
when all the slots are used, but not when some are missing.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=90101

Signed-off-by: Benjamin Tissoires <benjamin....@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/input/mouse/elantech.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -296,7 +296,7 @@ static void elantech_report_semi_mt_data
unsigned int x2, unsigned int y2)
{
elantech_set_slot(dev, 0, num_fingers != 0, x1, y1);
- elantech_set_slot(dev, 1, num_fingers == 2, x2, y2);
+ elantech_set_slot(dev, 1, num_fingers >= 2, x2, y2);
}

/*

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: mancha security <man...@zoho.com>

commit 0b053c9518292705736329a8fe20ef4686ffc8e9 upstream.

OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
ensure protection from dead store optimization.

For the random driver and crypto drivers, calls are emitted ...

$ gdb vmlinux
(gdb) disassemble memzero_explicit
Dump of assembler code for function memzero_explicit:
0xffffffff813a18b0 <+0>: push %rbp
0xffffffff813a18b1 <+1>: mov %rsi,%rdx
0xffffffff813a18b4 <+4>: xor %esi,%esi
0xffffffff813a18b6 <+6>: mov %rsp,%rbp
0xffffffff813a18b9 <+9>: callq 0xffffffff813a7120 <memset>
0xffffffff813a18be <+14>: pop %rbp
0xffffffff813a18bf <+15>: retq
End of assembler dump.

(gdb) disassemble extract_entropy
[...]
0xffffffff814a5009 <+313>: mov %r12,%rdi
0xffffffff814a500c <+316>: mov $0xa,%esi
0xffffffff814a5011 <+321>: callq 0xffffffff813a18b0 <memzero_explicit>
0xffffffff814a5016 <+326>: mov -0x48(%rbp),%rax
[...]

.. but in case in future we might use facilities such as LTO, then
OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
eviction of the memset(). We have to use a compiler barrier instead.

Minimal test example when we assume memzero_explicit() would *not* be
a call, but would have been *inlined* instead:

static inline void memzero_explicit(void *s, size_t count)
{
memset(s, 0, count);
<foo>
}

int main(void)
{
char buff[20];

snprintf(buff, sizeof(buff) - 1, "test");
printf("%s", buff);

memzero_explicit(buff, sizeof(buff));
return 0;
}

With <foo> := OPTIMIZER_HIDE_VAR():

(gdb) disassemble main
Dump of assembler code for function main:
[...]
0x0000000000400464 <+36>: callq 0x400410 <printf@plt>
0x0000000000400469 <+41>: xor %eax,%eax
0x000000000040046b <+43>: add $0x28,%rsp
0x000000000040046f <+47>: retq
End of assembler dump.

With <foo> := barrier():

(gdb) disassemble main
Dump of assembler code for function main:
[...]
0x0000000000400464 <+36>: callq 0x400410 <printf@plt>
0x0000000000400469 <+41>: movq $0x0,(%rsp)
0x0000000000400471 <+49>: movq $0x0,0x8(%rsp)
0x000000000040047a <+58>: movl $0x0,0x10(%rsp)
0x0000000000400482 <+66>: xor %eax,%eax
0x0000000000400484 <+68>: add $0x28,%rsp
0x0000000000400488 <+72>: retq
End of assembler dump.

As can be seen, movq, movq, movl are being emitted inlined
via memset().

Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data")
Cc: Theodore Ts'o <ty...@mit.edu>
Signed-off-by: mancha security <man...@zoho.com>
Signed-off-by: Daniel Borkmann <dan...@iogearbox.net>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Acked-by: Stephan Mueller <smue...@chronox.de>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

lib/string.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/string.c
+++ b/lib/string.c
@@ -595,7 +595,7 @@ EXPORT_SYMBOL(memset);
void memzero_explicit(void *s, size_t count)
{
memset(s, 0, count);
- OPTIMIZER_HIDE_VAR(s);
+ barrier();
}
EXPORT_SYMBOL(memzero_explicit);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Zidan Wang <zidan...@freescale.com>

commit 85e36a1f4a735d991ba5106781ea48e89a0b8901 upstream.

It should be "RINPUT3" instead of "LINPUT3" route to "Right Input
Mixer".

Signed-off-by: Zidan Wang <zidan...@freescale.com>
Acked-by: Charles Keepax <cke...@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <bro...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

sound/soc/codecs/wm8960.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/codecs/wm8960.c
+++ b/sound/soc/codecs/wm8960.c
@@ -336,7 +336,7 @@ static const struct snd_soc_dapm_route a
{ "Right Input Mixer", "Boost Switch", "Right Boost Mixer", },
{ "Right Input Mixer", NULL, "RINPUT1", }, /* Really Boost Switch */
{ "Right Input Mixer", NULL, "RINPUT2" },
- { "Right Input Mixer", NULL, "LINPUT3" },
+ { "Right Input Mixer", NULL, "RINPUT3" },

{ "Left ADC", NULL, "Left Input Mixer" },
{ "Right ADC", NULL, "Right Input Mixer" },

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit beb39db59d14990e401e235faf66a6b9b31240b0 upstream.

We have two problems in UDP stack related to bogus checksums :

1) We return -EAGAIN to application even if receive queue is not empty.
This breaks applications using edge trigger epoll()

2) Under UDP flood, we can loop forever without yielding to other
processes, potentially hanging the host, especially on non SMP.

This patch is an attempt to make things better.

We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.

Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Willem de Bruijn <wil...@google.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/ipv4/udp.c | 6 ++----
net/ipv6/udp.c | 6 ++----
2 files changed, 4 insertions(+), 8 deletions(-)

--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1248,10 +1248,8 @@ csum_copy_err:
UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
unlock_sock_fast(sk, slow);

- if (noblock)
- return -EAGAIN;
-
- /* starting over for a new packet */
+ /* starting over for a new packet, but check if we need to yield */
+ cond_resched();
msg->msg_flags &= ~MSG_TRUNC;
goto try_again;
}
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -451,10 +451,8 @@ csum_copy_err:
}
unlock_sock_fast(sk, slow);

- if (noblock)
- return -EAGAIN;
-
- /* starting over for a new packet */
+ /* starting over for a new packet, but check if we need to yield */
+ cond_resched();
msg->msg_flags &= ~MSG_TRUNC;
goto try_again;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit f98f4514d07871da7a113dd9e3e330743fd70ae4 ]

We need to tell compiler it must not read f->num_members multiple
times. Otherwise testing if num is not zero is flaky, and we could
attempt an invalid divide by 0 in fanout_demux_cpu()

Note bug was present in packet_rcv_fanout_hash() and
packet_rcv_fanout_lb() but final 3.1 had a simple location
after commit 95ec3eb417115fb ("packet: Add 'cpu' fanout policy.")

Fixes: dc99f600698dc ("packet: Add fanout support.")

Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Willem de Bruijn <wil...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/packet/af_packet.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1211,7 +1211,7 @@ static int packet_rcv_fanout(struct sk_b
struct packet_type *pt, struct net_device *orig_dev)
{
struct packet_fanout *f = pt->af_packet_priv;
- unsigned int num = f->num_members;
+ unsigned int num = ACCESS_ONCE(f->num_members);
struct packet_sock *po;
struct sock *sk;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Henningsson <david.he...@canonical.com>

commit 6ffc0898b29a2811a6c0569c5dd9b581980110df upstream.

This patch adds support for Conexant HD Audio codecs
CX20721, CX20722, CX20723 and CX20724.

BugLink: https://bugs.launchpad.net/bugs/1454656
Signed-off-by: David Henningsson <david.he...@canonical.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

sound/pci/hda/patch_conexant.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -4598,6 +4598,14 @@ static const struct hda_codec_preset snd
.patch = patch_conexant_auto },
{ .id = 0x14f150b9, .name = "CX20665",
.patch = patch_conexant_auto },
+ { .id = 0x14f150f1, .name = "CX20721",
+ .patch = patch_conexant_auto },
+ { .id = 0x14f150f2, .name = "CX20722",
+ .patch = patch_conexant_auto },
+ { .id = 0x14f150f3, .name = "CX20723",
+ .patch = patch_conexant_auto },
+ { .id = 0x14f150f4, .name = "CX20724",
+ .patch = patch_conexant_auto },
{ .id = 0x14f1510f, .name = "CX20751/2",
.patch = patch_conexant_auto },
{ .id = 0x14f15110, .name = "CX20751/2",
@@ -4632,6 +4640,10 @@ MODULE_ALIAS("snd-hda-codec-id:14f150ab"
MODULE_ALIAS("snd-hda-codec-id:14f150ac");
MODULE_ALIAS("snd-hda-codec-id:14f150b8");
MODULE_ALIAS("snd-hda-codec-id:14f150b9");
+MODULE_ALIAS("snd-hda-codec-id:14f150f1");
+MODULE_ALIAS("snd-hda-codec-id:14f150f2");
+MODULE_ALIAS("snd-hda-codec-id:14f150f3");
+MODULE_ALIAS("snd-hda-codec-id:14f150f4");
MODULE_ALIAS("snd-hda-codec-id:14f1510f");
MODULE_ALIAS("snd-hda-codec-id:14f15110");
MODULE_ALIAS("snd-hda-codec-id:14f15111");

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rusty Russell <ru...@rustcorp.com.au>

commit 83a35114d0e4583e6b0ca39502e68b6a92e2910c upstream.

This bug has been there since day 1; addresses in the top guest physical
page weren't considered valid. You could map that page (the check in
check_gpte() is correct), but if a guest tried to put a pagetable there
we'd check that address manually when walking it, and kill the guest.

Signed-off-by: Rusty Russell <ru...@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/lguest/core.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/lguest/core.c
+++ b/drivers/lguest/core.c
@@ -171,7 +171,7 @@ static void unmap_switcher(void)
bool lguest_address_ok(const struct lguest *lg,
unsigned long addr, unsigned long len)
{
- return (addr+len) / PAGE_SIZE < lg->pfn_limit && (addr+len >= addr);
+ return addr+len <= lg->pfn_limit * PAGE_SIZE && (addr+len >= addr);
}

/*

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ulrik De Bie <ulrik.d...@e2big.org>

commit bd884149aca61de269fd9bad83fe2a4232ffab21 upstream.

On ASUS TP500LN and X750JN, the touchpad absolute mode is reset each
time set_rate is done.

In order to fix this, we will verify the firmware version, and if it
matches the one in those laptops, the set_rate function is overloaded
with a function elantech_set_rate_restore_reg_07 that performs the
set_rate with the original function, followed by a restore of reg_07
(the register that sets the absolute mode on elantech v4 hardware).

Also the ASUS TP500LN and X750JN firmware version, capabilities, and
button constellation is added to elantech.c

Reported-and-tested-by: George Moutsopoulos <gmo...@yahoo.co.uk>
Signed-off-by: Ulrik De Bie <ulrik.d...@e2big.org>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

[bwh: Backported to 3.2:
- Adjust context

- Drop the insertion into a comment we don't have]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -766,6 +766,21 @@ static psmouse_ret_t elantech_process_by
}

/*
+ * This writes the reg_07 value again to the hardware at the end of every
+ * set_rate call because the register loses its value. reg_07 allows setting
+ * absolute mode on v4 hardware
+ */
+static void elantech_set_rate_restore_reg_07(struct psmouse *psmouse,
+ unsigned int rate)
+{
+ struct elantech_data *etd = psmouse->private;
+
+ etd->original_set_rate(psmouse, rate);
+ if (elantech_write_reg(psmouse, 0x07, etd->reg_07))
+ psmouse_err(psmouse, "restoring reg_07 failed\n");
+}
+
+/*
* Put the touchpad into absolute mode
*/
static int elantech_set_absolute_mode(struct psmouse *psmouse)
@@ -1353,6 +1368,11 @@ int elantech_init(struct psmouse *psmous
goto init_fail;
}

+ if (etd->fw_version == 0x381f17) {
+ etd->original_set_rate = psmouse->set_rate;
+ psmouse->set_rate = elantech_set_rate_restore_reg_07;
+ }
+
if (elantech_set_input_params(psmouse)) {
psmouse_err(psmouse, "failed to query touchpad range.\n");
goto init_fail;
--- a/drivers/input/mouse/elantech.h
+++ b/drivers/input/mouse/elantech.h
@@ -136,6 +136,7 @@ struct elantech_data {
unsigned int width;
struct finger_pos mt[ETP_MAX_FINGERS];
unsigned char parity[256];
+ void (*original_set_rate)(struct psmouse *psmouse, unsigned int rate);
};

#ifdef CONFIG_MOUSE_PS2_ELANTECH

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j...@intel.com>

commit b9a5e5e18fbf223502c0b2264c15024e393da928 upstream.

Since acpi_reserve_resources() is defined as a device_initcall(),
there's no guarantee that it will be executed in the right order
with respect to the rest of the ACPI initialization code. On some
systems this leads to breakage if, for example, the address range
that should be reserved for the ACPI fixed registers is given to
the PCI host bridge instead if the race is won by the wrong code
path.

Fix this by turning acpi_reserve_resources() into a void function
and calling it directly from within the ACPI initialization sequence.

Reported-and-tested-by: George McCollister <george.mc...@gmail.com>
Link: http://marc.info/?t=143092384600002&r=1&w=2
Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/acpi/osl.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -179,7 +179,7 @@ static void __init acpi_request_region (
request_mem_region(addr->address, length, desc);
}

-static int __init acpi_reserve_resources(void)
+static void __init acpi_reserve_resources(void)
{
acpi_request_region(&acpi_gbl_FADT.xpm1a_event_block, acpi_gbl_FADT.pm1_event_length,
"ACPI PM1a_EVT_BLK");
@@ -208,10 +208,7 @@ static int __init acpi_reserve_resources
if (!(acpi_gbl_FADT.gpe1_block_length & 0x1))
acpi_request_region(&acpi_gbl_FADT.xgpe1_block,
acpi_gbl_FADT.gpe1_block_length, "ACPI GPE1_BLK");
-
- return 0;
}
-device_initcall(acpi_reserve_resources);

void acpi_os_printf(const char *fmt, ...)
{
@@ -1630,6 +1627,7 @@ acpi_status __init acpi_os_initialize(vo

acpi_status __init acpi_os_initialize1(void)
{
+ acpi_reserve_resources();
kacpid_wq = alloc_workqueue("kacpid", 0, 1);
kacpi_notify_wq = alloc_workqueue("kacpi_notify", 0, 1);
kacpi_hotplug_wq = alloc_workqueue("kacpi_hotplug", 0, 1);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <h...@infradead.org>

commit 16b8528d20607925899b1df93bfd8fbab98d267c upstream.

We only want to steer the I/O completion towards a queue, but don't
actually access any per-CPU data, so the raw_ version is fine to use
and avoids the warnings when using smp_processor_id().

Signed-off-by: Christoph Hellwig <h...@lst.de>
Reported-by: Andy Lutomirski <lu...@kernel.org>
Tested-by: Andy Lutomirski <lu...@kernel.org>
Acked-by: Sumit Saxena <sumit....@avagotech.com>
Signed-off-by: James Bottomley <JBott...@Odin.com>
[bwh: Backported to 3.2: drop changes to megasas_build_dcdb_fusion()]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/scsi/megaraid/megaraid_sas_fusion.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -1426,11 +1426,11 @@ megasas_build_ldio_fusion(struct megasas
fp_possible = io_info.fpOkForIo;
}

- /* Use smp_processor_id() for now until cmd->request->cpu is CPU
+ /* Use raw_smp_processor_id() for now until cmd->request->cpu is CPU
id by default, not CPU group id, otherwise all MSI-X queues won't
be utilized */
cmd->request_desc->SCSIIO.MSIxIndex = instance->msix_vectors ?
- smp_processor_id() % instance->msix_vectors : 0;
+ raw_smp_processor_id() % instance->msix_vectors : 0;

if (fp_possible) {
megasas_set_pd_lba(io_request, scp->cmd_len, &io_info, scp,

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas...@6wind.com>

commit bd2cba07381a6dba60bc1c87ed8b37931d244da1 upstream.

This command is missing.

Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
CC: Martin Willi <mar...@strongswan.org>

Reported-by: Stephen Smalley <s...@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas...@6wind.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)

--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c

@@ -105,6 +105,7 @@ static struct nlmsg_perm nlmsg_xfrm_perm

{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },

+ { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
};

static struct nlmsg_perm nlmsg_audit_perms[] =

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <an...@samba.org>

commit 9a5cbce421a283e6aea3c4007f141735bf9da8c3 upstream.

We cap 32bit userspace backtraces to PERF_MAX_STACK_DEPTH
(currently 127), but we forgot to do the same for 64bit backtraces.

Signed-off-by: Anton Blanchard <an...@samba.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
[bwh: Backported to 3.2: adjust filename]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/powerpc/kernel/perf_callchain.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kernel/perf_callchain.c
+++ b/arch/powerpc/kernel/perf_callchain.c
@@ -243,7 +243,7 @@ static void perf_callchain_user_64(struc
sp = regs->gpr[1];
perf_callchain_store(entry, next_ip);

- for (;;) {
+ while (entry->nr < PERF_MAX_STACK_DEPTH) {
fp = (unsigned long __user *) sp;
if (!valid_user_sp(sp, 1) || read_user_stack_64(fp, &next_sp))
return;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Duyck <alexande...@redhat.com>

commit 2e7056c433216f406b90a003aa0ba42e19d3bdcf upstream.

Looking over the implementation for jhash2 and comparing it to jhash_3words
I realized that the two hashes were in fact very different. Doing a bit of
digging led me to "The new jhash implementation" in which lookup2 was
supposed to have been replaced with lookup3.

In reviewing the patch I noticed that jhash2 had originally initialized a
and b to JHASH_GOLDENRATIO and c to initval, but after the patch a, b, and
c were initialized to initval + (length << 2) + JHASH_INITVAL. However the
changes in jhash_3words simply replaced the initialization of a and b with
JHASH_INITVAL.

This change corrects what I believe was an oversight so that a, b, and c in
jhash_3words all have the same value added consisting of initval + (length
<< 2) + JHASH_INITVAL so that jhash2 and jhash_3words will now produce the
same hash result given the same inputs.

Fixes: 60d509c823cca ("The new jhash implementation")
Signed-off-by: Alexander Duyck <alexande...@redhat.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

include/linux/jhash.h | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)

--- a/include/linux/jhash.h
+++ b/include/linux/jhash.h
@@ -145,11 +145,11 @@ static inline u32 jhash2(const u32 *k, u
}


-/* jhash_3words - hash exactly 3, 2 or 1 word(s) */
-static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
+/* __jhash_nwords - hash exactly 3, 2 or 1 word(s) */
+static inline u32 __jhash_nwords(u32 a, u32 b, u32 c, u32 initval)
{
- a += JHASH_INITVAL;
- b += JHASH_INITVAL;
+ a += initval;
+ b += initval;
c += initval;

__jhash_final(a, b, c);
@@ -157,14 +157,19 @@ static inline u32 jhash_3words(u32 a, u3
return c;
}

+static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
+{
+ return __jhash_nwords(a, b, c, initval + JHASH_INITVAL + (3 << 2));
+}
+
static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
{
- return jhash_3words(a, b, 0, initval);
+ return __jhash_nwords(a, b, 0, initval + JHASH_INITVAL + (2 << 2));
}

static inline u32 jhash_1word(u32 a, u32 initval)
{
- return jhash_3words(a, 0, 0, initval);
+ return __jhash_nwords(a, 0, 0, initval + JHASH_INITVAL + (1 << 2));
}

#endif /* _LINUX_JHASH_H */

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ryusuke Konishi <konishi...@lab.ntt.co.jp>

commit d8fd150fe3935e1692bf57c66691e17409ebb9c1 upstream.

The range check for b-tree level parameter in nilfs_btree_root_broken()
is wrong; it accepts the case of "level == NILFS_BTREE_LEVEL_MAX" even
though the level is limited to values in the range of 0 to
(NILFS_BTREE_LEVEL_MAX - 1).

Since the level parameter is read from storage device and used to index
nilfs_btree_path array whose element count is NILFS_BTREE_LEVEL_MAX, it
can cause memory overrun during btree operations if the boundary value
is set to the level parameter on device.

This fixes the broken sanity check and adds a comment to clarify that
the upper bound NILFS_BTREE_LEVEL_MAX is exclusive.

Signed-off-by: Ryusuke Konishi <konishi...@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/nilfs2/btree.c | 2 +-
include/linux/nilfs2_fs.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -388,7 +388,7 @@ static int nilfs_btree_root_broken(const
nchildren = nilfs_btree_node_get_nchildren(node);

if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
- level > NILFS_BTREE_LEVEL_MAX ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
nchildren < 0 ||
nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
--- a/include/linux/nilfs2_fs.h
+++ b/include/linux/nilfs2_fs.h
@@ -457,7 +457,7 @@ struct nilfs_btree_node {
/* level */
#define NILFS_BTREE_LEVEL_DATA 0
#define NILFS_BTREE_LEVEL_NODE_MIN (NILFS_BTREE_LEVEL_DATA + 1)
-#define NILFS_BTREE_LEVEL_MAX 14
+#define NILFS_BTREE_LEVEL_MAX 14 /* Max level (exclusive) */

/**
* struct nilfs_palloc_group_desc - block group descriptor

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 upstream.

Using the indenting we can see the curly braces were obviously intended.
This is a static checker fix, but my guess is that we don't read enough
bytes, because we don't calculate "t_len" correctly.

Fixes: f1d82698029b ('memstick: use fully asynchronous request processing')
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Cc: Alex Dubov <oa...@yahoo.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/memstick/core/mspro_block.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/memstick/core/mspro_block.c
+++ b/drivers/memstick/core/mspro_block.c
@@ -760,7 +760,7 @@ static int mspro_block_complete_req(stru

if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) {
if (msb->data_dir == READ) {
- for (cnt = 0; cnt < msb->current_seg; cnt++)
+ for (cnt = 0; cnt < msb->current_seg; cnt++) {
t_len += msb->req_sg[cnt].length
/ msb->page_size;

@@ -768,6 +768,7 @@ static int mspro_block_complete_req(stru
t_len += msb->current_page - 1;

t_len *= msb->page_size;
+ }
}
} else
t_len = blk_rq_bytes(msb->block_req);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lv Zheng <lv.z...@intel.com>

commit 2b8760100e1de69b6ff004c986328a82947db4ad upstream.

ACPICA commit aacf863cfffd46338e268b7415f7435cae93b451

It is reported that on a physically 64-bit addressed machine, 32-bit kernel
can trigger crashes in accessing the memory regions that are beyond the
32-bit boundary. The region field's start address should still be 32-bit
compliant, but after a calculation (adding some offsets), it may exceed the
32-bit boundary. This case is rare and buggy, but there are real BIOSes
leaked with such issues (see References below).

This patch fixes this gap by always defining IO addresses as 64-bit, and
allows OSPMs to optimize it for a real 32-bit machine to reduce the size of
the internal objects.

Internal acpi_physical_address usages in the structures that can be fixed
by this change include:
1. struct acpi_object_region:
acpi_physical_address address;
2. struct acpi_address_range:
acpi_physical_address start_address;
acpi_physical_address end_address;
3. struct acpi_mem_space_context;
acpi_physical_address address;
4. struct acpi_table_desc
acpi_physical_address address;
See known issues 1 for other usages.

Note that acpi_io_address which is used for ACPI_PROCESSOR may also suffer
from same problem, so this patch changes it accordingly.

For iasl, it will enforce acpi_physical_address as 32-bit to generate
32-bit OSPM compatible tables on 32-bit platforms, we need to define
ACPI_32BIT_PHYSICAL_ADDRESS for it in acenv.h.

Known issues:
1. Cleanup of mapped virtual address
In struct acpi_mem_space_context, acpi_physical_address is used as a virtual
address:
acpi_physical_address mapped_physical_address;
It is better to introduce acpi_virtual_address or use acpi_size instead.
This patch doesn't make such a change. Because this should be done along
with a change to acpi_os_map_memory()/acpi_os_unmap_memory().
There should be no functional problem to leave this unchanged except
that only this structure is enlarged unexpectedly.

Link: https://github.com/acpica/acpica/commit/aacf863c
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=87971
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=79501
Reported-and-tested-by: Paul Menzel <paule...@users.sourceforge.net>
Reported-and-tested-by: Sial Nije <sial...@gmail.com>
Signed-off-by: Lv Zheng <lv.z...@intel.com>
Signed-off-by: Bob Moore <robert...@intel.com>

Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

include/acpi/actypes.h | 20 ++++++++++++++++++++
include/acpi/platform/acenv.h | 1 +
2 files changed, 21 insertions(+)

--- a/include/acpi/actypes.h
+++ b/include/acpi/actypes.h
@@ -198,9 +198,29 @@ typedef int INT32;
typedef s32 acpi_native_int;

typedef u32 acpi_size;
+
+#ifdef ACPI_32BIT_PHYSICAL_ADDRESS
+
+/*
+ * OSPMs can define this to shrink the size of the structures for 32-bit
+ * none PAE environment. ASL compiler may always define this to generate
+ * 32-bit OSPM compliant tables.
+ */
typedef u32 acpi_io_address;
typedef u32 acpi_physical_address;

+#else /* ACPI_32BIT_PHYSICAL_ADDRESS */
+
+/*
+ * It is reported that, after some calculations, the physical addresses can
+ * wrap over the 32-bit boundary on 32-bit PAE environment.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=87971
+ */
+typedef u64 acpi_io_address;
+typedef u64 acpi_physical_address;
+
+#endif /* ACPI_32BIT_PHYSICAL_ADDRESS */
+
#define ACPI_MAX_PTR ACPI_UINT32_MAX
#define ACPI_SIZE_MAX ACPI_UINT32_MAX

--- a/include/acpi/platform/acenv.h
+++ b/include/acpi/platform/acenv.h
@@ -75,6 +75,7 @@
#define ACPI_CONSTANT_EVAL_ONLY
#define ACPI_LARGE_NAMESPACE_NODE
#define ACPI_DATA_TABLE_DISASSEMBLY
+#define ACPI_32BIT_PHYSICAL_ADDRESS
#endif

#ifdef ACPI_EXEC_APP

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yann Droneaud <ydro...@opteya.com>

commit 66578b0b2f69659f00b6169e6fe7377c4b100d18 upstream.

In a call to ib_umem_get(), if address is 0x0 and size is
already page aligned, check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get address
arithmetic") will refuse to register a memory region that
could otherwise be valid (provided vm.mmap_min_addr sysctl
and mmap_low_allowed SELinux knobs allow userspace to map
something at address 0x0).

This patch allows back such registration: ib_umem_get()
should probably don't care of the base address provided it
can be pinned with get_user_pages().

There's two possible overflows, in (addr + size) and in
PAGE_ALIGN(addr + size), this patch keep ensuring none
of them happen while allowing to pin memory at address
0x0. Anyway, the case of size equal 0 is no more (partially)
handled as 0-length memory region are disallowed by an
earlier check.

Link: http://mid.gmane.org/cover.142892910...@opteya.com
Cc: Shachar Raindel <rai...@mellanox.com>
Cc: Jack Morgenstein <ja...@mellanox.com>
Cc: Or Gerlitz <oger...@mellanox.com>
Signed-off-by: Yann Droneaud <ydro...@opteya.com>
Reviewed-by: Sagi Grimberg <sa...@mellanox.com>
Reviewed-by: Haggai Eran <hag...@mellanox.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/infiniband/core/umem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -101,8 +101,8 @@ struct ib_umem *ib_umem_get(struct ib_uc
* If the combination of the addr and size requested for this memory
* region causes an integer overflow, return error.
*/
- if ((PAGE_ALIGN(addr + size) <= size) ||
- (PAGE_ALIGN(addr + size) <= addr))
+ if (((addr + size) < addr) ||
+ PAGE_ALIGN(addr + size) < (addr + size))
return ERR_PTR(-EINVAL);

if (!can_do_mlock())

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mark Hounschell <dma...@cfl.rr.com>

commit 74856fbf441929918c49ff262ace9835048e4e6a upstream.

256 bytes per sector support has been broken since 2.6.X,
and no-one stepped up to fix this.
So disable support for it.

Signed-off-by: Mark Hounschell <dma...@cfl.rr.com>
Signed-off-by: Hannes Reinecke <ha...@suse.de>
Signed-off-by: James Bottomley <JBott...@Odin.com>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/scsi/sd.c | 19 +++++--------------
1 file changed, 5 insertions(+), 14 deletions(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1338,6 +1338,7 @@ static unsigned int sd_completed_bytes(s
{
u64 start_lba = blk_rq_pos(scmd->request);
u64 end_lba = blk_rq_pos(scmd->request) + (scsi_bufflen(scmd) / 512);
+ u64 factor = scmd->device->sector_size / 512;
u64 bad_lba;
int info_valid;
/*
@@ -1359,16 +1360,9 @@ static unsigned int sd_completed_bytes(s
if (scsi_bufflen(scmd) <= scmd->device->sector_size)
return 0;

- if (scmd->device->sector_size < 512) {
- /* only legitimate sector_size here is 256 */
- start_lba <<= 1;
- end_lba <<= 1;
- } else {
- /* be careful ... don't want any overflows */
- u64 factor = scmd->device->sector_size / 512;
- do_div(start_lba, factor);
- do_div(end_lba, factor);
- }
+ /* be careful ... don't want any overflows */
+ do_div(start_lba, factor);
+ do_div(end_lba, factor);

/* The bad lba was reported incorrectly, we have no idea where
* the error is.
@@ -1895,8 +1889,7 @@ got_data:
if (sector_size != 512 &&
sector_size != 1024 &&
sector_size != 2048 &&
- sector_size != 4096 &&
- sector_size != 256) {
+ sector_size != 4096) {
sd_printk(KERN_NOTICE, sdkp, "Unsupported sector size %d.\n",
sector_size);
/*
@@ -1945,8 +1938,6 @@ got_data:
sdkp->capacity <<= 2;
else if (sector_size == 1024)
sdkp->capacity <<= 1;
- else if (sector_size == 256)
- sdkp->capacity >>= 1;

blk_queue_physical_block_size(sdp->request_queue,
sdkp->physical_block_size);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <ol...@redhat.com>

commit b72c186999e689cb0b055ab1c7b3cd8fffbeb5ed upstream.

ptrace_resume() is called when the tracee is still __TASK_TRACED. We set
tracee->exit_code and then wake_up_state() changes tracee->state. If the
tracer's sub-thread does wait() in between, task_stopped_code(ptrace => T)
wrongly looks like another report from tracee.

This confuses debugger, and since wait_task_stopped() clears ->exit_code
the tracee can miss a signal.

Test-case:

#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <pthread.h>
#include <assert.h>

int pid;

void *waiter(void *arg)
{
int stat;

for (;;) {
assert(pid == wait(&stat));
assert(WIFSTOPPED(stat));
if (WSTOPSIG(stat) == SIGHUP)
continue;

assert(WSTOPSIG(stat) == SIGCONT);
printf("ERR! extra/wrong report:%x\n", stat);
}
}

int main(void)
{
pthread_t thread;

pid = fork();
if (!pid) {
assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
for (;;)
kill(getpid(), SIGHUP);
}

assert(pthread_create(&thread, NULL, waiter, NULL) == 0);

for (;;)
ptrace(PTRACE_CONT, pid, 0, SIGCONT);

return 0;
}

Note for stable: the bug is very old, but without 9899d11f6544 "ptrace:
ensure arch_ptrace/ptrace_request can never race with SIGKILL" the fix
should use lock_task_sighand(child).

Signed-off-by: Oleg Nesterov <ol...@redhat.com>
Reported-by: Pavel Labath <lab...@google.com>
Tested-by: Pavel Labath <lab...@google.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

kernel/ptrace.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -640,6 +640,8 @@ static int ptrace_setsiginfo(struct task
static int ptrace_resume(struct task_struct *child, long request,
unsigned long data)
{
+ bool need_siglock;
+
if (!valid_signal(data))
return -EIO;

@@ -667,8 +669,26 @@ static int ptrace_resume(struct task_str
user_disable_single_step(child);
}

+ /*
+ * Change ->exit_code and ->state under siglock to avoid the race
+ * with wait_task_stopped() in between; a non-zero ->exit_code will
+ * wrongly look like another report from tracee.
+ *
+ * Note that we need siglock even if ->exit_code == data and/or this
+ * status was not reported yet, the new status must not be cleared by
+ * wait_task_stopped() after resume.
+ *
+ * If data == 0 we do not care if wait_task_stopped() reports the old
+ * status and clears the code too; this can't race with the tracee, it
+ * takes siglock after resume.
+ */
+ need_siglock = data && !thread_group_empty(current);
+ if (need_siglock)
+ spin_lock_irq(&child->sighand->siglock);
child->exit_code = data;
wake_up_state(child, __TASK_TRACED);
+ if (need_siglock)
+ spin_unlock_irq(&child->sighand->siglock);

return 0;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Gabriele Mazzotta <gabrie...@gmail.com>

commit 8393b811f38acdf7fd8da2028708edad3e68ce1f upstream.

This is a preparation commit that will allow to add other criteria
according to which PHY events should be dropped.

Signed-off-by: Gabriele Mazzotta <gabrie...@gmail.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/ata/libahci.c | 3 +--
drivers/ata/libata-core.c | 19 +++++++++++++++++++
include/linux/libata.h | 1 +
3 files changed, 21 insertions(+), 2 deletions(-)

--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -1668,8 +1668,7 @@ static void ahci_port_intr(struct ata_po
if (unlikely(resetting))
status &= ~PORT_IRQ_BAD_PMP;

- /* if LPM is enabled, PHYRDY doesn't mean anything */
- if (ap->link.lpm_policy > ATA_LPM_MAX_POWER) {
+ if (sata_lpm_ignore_phy_events(&ap->link)) {
status &= ~PORT_IRQ_PHYRDY;
ahci_scr_write(&ap->link, SCR_ERROR, SERR_PHYRDY_CHG);
}
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -6615,6 +6615,25 @@ u32 ata_wait_register(struct ata_port *a
return tmp;
}

+/**
+ * sata_lpm_ignore_phy_events - test if PHY event should be ignored
+ * @link: Link receiving the event
+ *
+ * Test whether the received PHY event has to be ignored or not.
+ *
+ * LOCKING:
+ * None:
+ *
+ * RETURNS:
+ * True if the event has to be ignored.
+ */
+bool sata_lpm_ignore_phy_events(struct ata_link *link)
+{
+ /* if LPM is enabled, PHYRDY doesn't mean anything */
+ return !!(link->lpm_policy > ATA_LPM_MAX_POWER);
+}
+EXPORT_SYMBOL_GPL(sata_lpm_ignore_phy_events);
+
/*
* Dummy port_ops
*/
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -1064,6 +1064,7 @@ extern struct ata_device *ata_dev_pair(s
extern int ata_do_set_mode(struct ata_link *link, struct ata_device **r_failed_dev);
extern void ata_scsi_port_error_handler(struct Scsi_Host *host, struct ata_port *ap);
extern void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap, struct list_head *eh_q);
+extern bool sata_lpm_ignore_phy_events(struct ata_link *link);

extern int ata_cable_40wire(struct ata_port *ap);
extern int ata_cable_80wire(struct ata_port *ap);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdma...@suse.com>

commit ccccf3d67294714af2d72a6fd6fd7d73b01c9329 upstream.

If we attempt to clone a 0 length region into a file we can end up
inserting a range in the inode's extent_io tree with a start offset
that is greater then the end offset, which triggers immediately the
following warning:

[ 3914.619057] WARNING: CPU: 17 PID: 4199 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
[ 3914.620886] BTRFS: end < start 4095 4096
(...)
[ 3914.638093] Call Trace:
[ 3914.638636] [<ffffffff81425fd9>] dump_stack+0x4c/0x65
[ 3914.639620] [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
[ 3914.640789] [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
[ 3914.642041] [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
[ 3914.643236] [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
[ 3914.644441] [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
[ 3914.645711] [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
[ 3914.646914] [<ffffffff8142b2fb>] ? _raw_spin_unlock+0x28/0x33
[ 3914.648058] [<ffffffffa03cbac4>] ? test_range_bit+0xcc/0xde [btrfs]
[ 3914.650105] [<ffffffffa03cb3c3>] lock_extent+0x13/0x15 [btrfs]
[ 3914.651361] [<ffffffffa03db39e>] lock_extent_range+0x3d/0xcd [btrfs]
[ 3914.652761] [<ffffffffa03de1fe>] btrfs_ioctl_clone+0x278/0x388 [btrfs]
[ 3914.654128] [<ffffffff811226dd>] ? might_fault+0x58/0xb5
[ 3914.655320] [<ffffffffa03e0909>] btrfs_ioctl+0xb51/0x2195 [btrfs]
(...)
[ 3914.669271] ---[ end trace 14843d3e2e622fc1 ]---

This later makes the inode eviction handler enter an infinite loop that
keeps dumping the following warning over and over:

[ 3915.117629] WARNING: CPU: 22 PID: 4228 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
[ 3915.119913] BTRFS: end < start 4095 4096
(...)
[ 3915.137394] Call Trace:
[ 3915.137913] [<ffffffff81425fd9>] dump_stack+0x4c/0x65
[ 3915.139154] [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
[ 3915.140316] [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
[ 3915.141505] [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
[ 3915.142709] [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
[ 3915.143849] [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
[ 3915.145120] [<ffffffffa038c1e3>] ? btrfs_kill_super+0x17/0x23 [btrfs]
[ 3915.146352] [<ffffffff811548f6>] ? deactivate_locked_super+0x3b/0x50
[ 3915.147565] [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
[ 3915.148785] [<ffffffff8142b7e2>] ? _raw_write_unlock+0x28/0x33
[ 3915.149931] [<ffffffffa03bc325>] btrfs_evict_inode+0x196/0x482 [btrfs]
[ 3915.151154] [<ffffffff81168904>] evict+0xa0/0x148
[ 3915.152094] [<ffffffff811689e5>] dispose_list+0x39/0x43
[ 3915.153081] [<ffffffff81169564>] evict_inodes+0xdc/0xeb
[ 3915.154062] [<ffffffff81154418>] generic_shutdown_super+0x49/0xef
[ 3915.155193] [<ffffffff811546d1>] kill_anon_super+0x13/0x1e
[ 3915.156274] [<ffffffffa038c1e3>] btrfs_kill_super+0x17/0x23 [btrfs]
(...)
[ 3915.167404] ---[ end trace 14843d3e2e622fc2 ]---

So just bail out of the clone ioctl if the length of the region to clone
is zero, without locking any extent range, in order to prevent this issue
(same behaviour as a pwrite with a 0 length for example).

This is trivial to reproduce. For example, the steps for the test I just
made for fstests:

mkfs.btrfs -f SCRATCH_DEV
mount SCRATCH_DEV $SCRATCH_MNT

touch $SCRATCH_MNT/foo
touch $SCRATCH_MNT/bar

$CLONER_PROG -s 0 -d 4096 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
umount $SCRATCH_MNT

A test case for fstests follows soon.

Signed-off-by: Filipe Manana <fdma...@suse.com>
Reviewed-by: Omar Sandoval <osa...@osandov.com>
Signed-off-by: Chris Mason <c...@fb.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/btrfs/ioctl.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2263,6 +2263,11 @@ static noinline long btrfs_ioctl_clone(s
if (off + len == src->i_size)
len = ALIGN(src->i_size, bs) - off;

+ if (len == 0) {
+ ret = 0;
+ goto out_unlock;
+ }
+
/* verify the end result is block aligned */
if (!IS_ALIGNED(off, bs) || !IS_ALIGNED(off + len, bs) ||
!IS_ALIGNED(destoff, bs))

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas...@6wind.com>

commit 8d465bb777179c4bea731b828ec484088cc9fbc1 upstream.

This command is missing.

Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")

Reported-by: Stephen Smalley <s...@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas...@6wind.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

security/selinux/nlmsgtab.c | 1 +
1 file changed, 1 insertion(+)

--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c

@@ -101,6 +101,7 @@ static struct nlmsg_perm nlmsg_xfrm_perm
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },

{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Aravind Gopalakrishnan <Aravind.Gop...@amd.com>

commit b44915927ca88084a7292e4ddd4cf91036f365e1 upstream.

The comment line regarding IOMMU_INIT and IOMMU_INIT_FINISH
macros is incorrect:

"The standard vs the _FINISH differs in that the _FINISH variant
will continue detecting other IOMMUs in the call list..."

It should be "..the *standard* variant will continue
detecting..."

Fix that. Also, make it readable while at it.

Signed-off-by: Aravind Gopalakrishnan <Aravind.Gop...@amd.com>
Signed-off-by: Borislav Petkov <b...@suse.de>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: konra...@oracle.com
Fixes: 6e9636693373 ("x86, iommu: Update header comments with appropriate naming")
Link: http://lkml.kernel.org/r/1428508017-5316-1-git-send-...@amd.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/include/asm/iommu_table.h | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

--- a/arch/x86/include/asm/iommu_table.h
+++ b/arch/x86/include/asm/iommu_table.h
@@ -79,11 +79,12 @@ struct iommu_table_entry {
* d). Similar to the 'init', except that this gets called from pci_iommu_init
* where we do have a memory allocator.
*
- * The standard vs the _FINISH differs in that the _FINISH variant will
- * continue detecting other IOMMUs in the call list after the
- * the detection routine returns a positive number. The _FINISH will
- * stop the execution chain. Both will still call the 'init' and
- * 'late_init' functions if they are set.
+ * The standard IOMMU_INIT differs from the IOMMU_INIT_FINISH variant
+ * in that the former will continue detecting other IOMMUs in the call
+ * list after the detection routine returns a positive number, while the
+ * latter will stop the execution chain upon first successful detection.
+ * Both variants will still call the 'init' and 'late_init' functions if
+ * they are set.
*/
#define IOMMU_INIT_FINISH(_detect, _depend, _init, _late_init) \
__IOMMU_INIT(_detect, _depend, _init, _late_init, 1)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <ere...@mellanox.com>

commit ca9b590caa17bcbbea119594992666e96cde9c2f upstream.

The current code decreases from the mss size (which is the gso_size
from the kernel skb) the size of the packet headers.

It shouldn't do that because the mss that comes from the stack
(e.g IPoIB) includes only the tcp payload without the headers.

The result is indication to the HW that each packet that the HW sends
is smaller than what it could be, and too many packets will be sent
for big messages.

An easy way to demonstrate one more aspect of the problem is by
configuring the ipoib mtu to be less than 2*hlen (2*56) and then
run app sending big TCP messages. This will tell the HW to send packets
with giant (negative value which under unsigned arithmetics becomes
a huge positive one) length and the QP moves to SQE state.

Fixes: b832be1e4007 ('IB/mlx4: Add IPoIB LSO support')
Reported-by: Matthew Finlay <ma...@mellanox.com>
Signed-off-by: Erez Shitrit <ere...@mellanox.com>
Signed-off-by: Or Gerlitz <oger...@mellanox.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/infiniband/hw/mlx4/qp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1670,8 +1670,7 @@ static int build_lso_seg(struct mlx4_wqe

memcpy(wqe->header, wr->wr.ud.header, wr->wr.ud.hlen);

- *lso_hdr_sz = cpu_to_be32((wr->wr.ud.mss - wr->wr.ud.hlen) << 16 |
- wr->wr.ud.hlen);
+ *lso_hdr_sz = cpu_to_be32(wr->wr.ud.mss << 16 | wr->wr.ud.hlen);
*lso_seg_len = halign;
return 0;

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas...@6wind.com>

commit 5b5800fad072133e4a9c2efbf735baaac83dec86 upstream.

These commands are missing.

Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")

Signed-off-by: Nicolas Dichtel <nicolas...@6wind.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

security/selinux/nlmsgtab.c | 2 ++
1 file changed, 2 insertions(+)

--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -100,6 +100,8 @@ static struct nlmsg_perm nlmsg_xfrm_perm
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },

{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },

+ { XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <h...@lst.de>

commit 9cd9554615cba14f0877cc9972a6537ad2bdde61 upstream.

The 3w-xxxx driver needs to tear down the dma mappings before returning
the command to the midlayer, as there is no guarantee the sglist and
count are valid after that point. Also remove the dma mapping helpers
which have another inherent race due to the request_id index.

Signed-off-by: Christoph Hellwig <h...@lst.de>
Acked-by: Adam Radford <arad...@gmail.com>
Signed-off-by: James Bottomley <JBott...@Odin.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/scsi/3w-xxxx.c | 42 ++++++------------------------------------
drivers/scsi/3w-xxxx.h | 5 -----
2 files changed, 6 insertions(+), 41 deletions(-)

--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -1283,32 +1283,6 @@ static int tw_initialize_device_extensio
return 0;
} /* End tw_initialize_device_extension() */

-static int tw_map_scsi_sg_data(struct pci_dev *pdev, struct scsi_cmnd *cmd)
-{
- int use_sg;
-
- dprintk(KERN_WARNING "3w-xxxx: tw_map_scsi_sg_data()\n");
-
- use_sg = scsi_dma_map(cmd);
- if (use_sg < 0) {
- printk(KERN_WARNING "3w-xxxx: tw_map_scsi_sg_data(): pci_map_sg() failed.\n");
- return 0;
- }
-
- cmd->SCp.phase = TW_PHASE_SGLIST;
- cmd->SCp.have_data_in = use_sg;
-
- return use_sg;
-} /* End tw_map_scsi_sg_data() */
-
-static void tw_unmap_scsi_data(struct pci_dev *pdev, struct scsi_cmnd *cmd)
-{
- dprintk(KERN_WARNING "3w-xxxx: tw_unmap_scsi_data()\n");
-
- if (cmd->SCp.phase == TW_PHASE_SGLIST)
- scsi_dma_unmap(cmd);
-} /* End tw_unmap_scsi_data() */
-
/* This function will reset a device extension */
static int tw_reset_device_extension(TW_Device_Extension *tw_dev)
{
@@ -1331,8 +1305,8 @@ static int tw_reset_device_extension(TW_
srb = tw_dev->srb[i];
if (srb != NULL) {
srb->result = (DID_RESET << 16);
- tw_dev->srb[i]->scsi_done(tw_dev->srb[i]);
- tw_unmap_scsi_data(tw_dev->tw_pci_dev, tw_dev->srb[i]);
+ scsi_dma_unmap(srb);
+ srb->scsi_done(srb);
}
}
}
@@ -1779,8 +1753,8 @@ static int tw_scsiop_read_write(TW_Devic
command_packet->byte8.io.lba = lba;
command_packet->byte6.block_count = num_sectors;

- use_sg = tw_map_scsi_sg_data(tw_dev->tw_pci_dev, tw_dev->srb[request_id]);
- if (!use_sg)
+ use_sg = scsi_dma_map(srb);
+ if (use_sg <= 0)
return 1;

scsi_for_each_sg(tw_dev->srb[request_id], sg, use_sg, i) {
@@ -1967,9 +1941,6 @@ static int tw_scsi_queue_lck(struct scsi
/* Save the scsi command for use by the ISR */
tw_dev->srb[request_id] = SCpnt;

- /* Initialize phase to zero */
- SCpnt->SCp.phase = TW_PHASE_INITIAL;
-
switch (*command) {
case READ_10:
case READ_6:
@@ -2196,12 +2167,11 @@ static irqreturn_t tw_interrupt(int irq,

/* Now complete the io */
if ((error != TW_ISR_DONT_COMPLETE)) {
+ scsi_dma_unmap(tw_dev->srb[request_id]);
+ tw_dev->srb[request_id]->scsi_done(tw_dev->srb[request_id]);
tw_dev->state[request_id] = TW_S_COMPLETED;
tw_state_request_finish(tw_dev, request_id);
tw_dev->posted_request_count--;
- tw_dev->srb[request_id]->scsi_done(tw_dev->srb[request_id]);
-
- tw_unmap_scsi_data(tw_dev->tw_pci_dev, tw_dev->srb[request_id]);
}
}

--- a/drivers/scsi/3w-xxxx.h
+++ b/drivers/scsi/3w-xxxx.h
@@ -195,11 +195,6 @@ static unsigned char tw_sense_table[][4]
#define TW_AEN_SMART_FAIL 0x000F
#define TW_AEN_SBUF_FAIL 0x0024

-/* Phase defines */
-#define TW_PHASE_INITIAL 0
-#define TW_PHASE_SINGLE 1
-#define TW_PHASE_SGLIST 2
-
/* Misc defines */
#define TW_ALIGNMENT_6000 64 /* 64 bytes */
#define TW_ALIGNMENT_7000 4 /* 4 bytes */

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 01cca93a9491ed95992523ff7e79dd9bfcdea8e0 upstream.

Unregister gpiochip device (used to export information through sysfs)
before removing it internally. This way removal will reverse addition.

Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Linus Walleij <linus....@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/gpio/gpiolib.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1137,6 +1137,8 @@ int gpiochip_remove(struct gpio_chip *ch
int status = 0;
unsigned id;

+ gpiochip_unexport(chip);
+
spin_lock_irqsave(&gpio_lock, flags);

of_gpiochip_remove(chip);
@@ -1154,9 +1156,6 @@ int gpiochip_remove(struct gpio_chip *ch

spin_unlock_irqrestore(&gpio_lock, flags);

- if (status == 0)
- gpiochip_unexport(chip);
-
return status;
}
EXPORT_SYMBOL_GPL(gpiochip_remove);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Gabriele Mazzotta <gabrie...@gmail.com>

commit 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 upstream.

When the LPM policy is set to ATA_LPM_MAX_POWER, the device might
generate a spurious PHY event that cuases errors on the link.
Ignore this event if it occured within 10s after the policy change.

The timeout was chosen observing that on a Dell XPS13 9333 these
spurious events can occur up to roughly 6s after the policy change.

Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13

Signed-off-by: Gabriele Mazzotta <gabrie...@gmail.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

[bwh: Backported to 3.2: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/ata/libata-core.c | 15 ++++++++++++++-
drivers/ata/libata-eh.c | 3 +++
include/linux/libata.h | 9 +++++++++
3 files changed, 26 insertions(+), 1 deletion(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -6629,8 +6629,21 @@ u32 ata_wait_register(struct ata_port *a
*/
bool sata_lpm_ignore_phy_events(struct ata_link *link)
{
+ unsigned long lpm_timeout = link->last_lpm_change +
+ msecs_to_jiffies(ATA_TMOUT_SPURIOUS_PHY);

+
/* if LPM is enabled, PHYRDY doesn't mean anything */

- return !!(link->lpm_policy > ATA_LPM_MAX_POWER);
+ if (link->lpm_policy > ATA_LPM_MAX_POWER)
+ return true;
+
+ /* ignore the first PHY event after the LPM policy changed
+ * as it is might be spurious
+ */
+ if ((link->flags & ATA_LFLAG_CHANGED) &&
+ time_before(jiffies, lpm_timeout))
+ return true;
+
+ return false;
}
EXPORT_SYMBOL_GPL(sata_lpm_ignore_phy_events);

--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -3423,6 +3423,9 @@ static int ata_eh_set_lpm(struct ata_lin
}
}

+ link->last_lpm_change = jiffies;
+ link->flags |= ATA_LFLAG_CHANGED;
+
return 0;

fail:
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -182,6 +182,7 @@ enum {
ATA_LFLAG_DISABLED = (1 << 6), /* link is disabled */
ATA_LFLAG_SW_ACTIVITY = (1 << 7), /* keep activity stats */
ATA_LFLAG_NO_LPM = (1 << 8), /* disable LPM on this link */
+ ATA_LFLAG_CHANGED = (1 << 10), /* LPM state changed on this link */

/* struct ata_port flags */
ATA_FLAG_SLAVE_POSS = (1 << 0), /* host supports slave dev */
@@ -284,6 +285,12 @@ enum {
*/
ATA_TMOUT_PMP_SRST_WAIT = 5000,

+ /* When the LPM policy is set to ATA_LPM_MAX_POWER, there might
+ * be a spurious PHY event, so ignore the first PHY event that
+ * occurs within 10s after the policy change.
+ */
+ ATA_TMOUT_SPURIOUS_PHY = 10000,
+
/* ATA bus states */
BUS_UNKNOWN = 0,
BUS_DMA = 1,
@@ -728,6 +735,8 @@ struct ata_link {
struct ata_eh_context eh_context;

struct ata_device device[ATA_MAX_DEVICES];
+
+ unsigned long last_lpm_change; /* when last LPM change happened */
};
#define ATA_LINK_CLEAR_BEGIN offsetof(struct ata_link, active_tag)
#define ATA_LINK_CLEAR_END offsetof(struct ata_link, device[0])

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Quentin Casasnovas <quentin.c...@oracle.com>

commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e upstream.

Phil and I found out a problem with commit:

7e860a6e7aa6 ("cdc-acm: add sanity checks")

It added some sanity checks to ignore potential garbage in CDC headers but
also introduced a potential infinite loop. This can happen at the first
loop iteration (elength = 0 in that case) if the description isn't a
DT_CS_INTERFACE or later if 'buffer[0]' is zero.

It should also be noted that the wrong length was being added to 'buffer'
in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
assigned after that check in the loop.

A specially crafted USB device could be used to trigger this infinite loop.

Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
Signed-off-by: Phil Turnbull <phil.t...@oracle.com>
Signed-off-by: Quentin Casasnovas <quentin.c...@oracle.com>
CC: Sergei Shtylyov <sergei....@cogentembedded.com>
CC: Oliver Neukum <one...@suse.de>
CC: Adam Lee <adam...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/class/cdc-acm.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -947,11 +947,16 @@ static int acm_probe(struct usb_interfac
}

while (buflen > 0) {
+ elength = buffer[0];
+ if (!elength) {
+ dev_err(&intf->dev, "skipping garbage byte\n");
+ elength = 1;
+ goto next_desc;
+ }
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(&intf->dev, "skipping garbage\n");
goto next_desc;
}
- elength = buffer[0];

switch (buffer[2]) {
case USB_CDC_UNION_TYPE: /* we've found it */

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dave Olson <ol...@cumulusnetworks.com>

commit f7e9e358362557c3aa2c1ec47490f29fe880a09e upstream.

This problem appears to have been introduced in 2.6.29 by commit
93197a36a9c1 "Rewrite sysfs processor cache info code".

This caused lscpu to error out on at least e500v2 devices, eg:

error: cannot open /sys/devices/system/cpu/cpu0/cache/index2/size: No such file or directory

Some embedded powerpc systems use cache-size in DTS for the unified L2
cache size, not d-cache-size, so we need to allow for both DTS names.
Added a new CACHE_TYPE_UNIFIED_D cache_type_info structure to handle
this.

Fixes: 93197a36a9c1 ("powerpc: Rewrite sysfs processor cache info code")
Signed-off-by: Dave Olson <ol...@cumulusnetworks.com>

Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
[bwh: Backported to 3.2:

- Adjust context
- Preserve __cpuinit attribute on cache_do_one_devnode_unified()]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/arch/powerpc/kernel/cacheinfo.c
+++ b/arch/powerpc/kernel/cacheinfo.c
@@ -62,12 +62,22 @@ struct cache_type_info {
};

/* These are used to index the cache_type_info array. */
-#define CACHE_TYPE_UNIFIED 0
-#define CACHE_TYPE_INSTRUCTION 1
-#define CACHE_TYPE_DATA 2
+#define CACHE_TYPE_UNIFIED 0 /* cache-size, cache-block-size, etc. */
+#define CACHE_TYPE_UNIFIED_D 1 /* d-cache-size, d-cache-block-size, etc */
+#define CACHE_TYPE_INSTRUCTION 2
+#define CACHE_TYPE_DATA 3

static const struct cache_type_info cache_type_info[] = {
{
+ /* Embedded systems that use cache-size, cache-block-size,
+ * etc. for the Unified (typically L2) cache. */
+ .name = "Unified",
+ .size_prop = "cache-size",
+ .line_size_props = { "cache-line-size",
+ "cache-block-size", },
+ .nr_sets_prop = "cache-sets",
+ },
+ {
/* PowerPC Processor binding says the [di]-cache-*
* must be equal on unified caches, so just use
* d-cache properties. */
@@ -293,7 +303,8 @@ static struct cache *cache_find_first_si
{
struct cache *iter;

- if (cache->type == CACHE_TYPE_UNIFIED)
+ if (cache->type == CACHE_TYPE_UNIFIED ||
+ cache->type == CACHE_TYPE_UNIFIED_D)
return cache;

list_for_each_entry(iter, &cache_list, list)
@@ -324,15 +335,29 @@ static bool cache_node_is_unified(const
return of_get_property(np, "cache-unified", NULL);
}

-static struct cache *__cpuinit cache_do_one_devnode_unified(struct device_node *node, int level)
+/*
+ * Unified caches can have two different sets of tags. Most embedded
+ * use cache-size, etc. for the unified cache size, but open firmware systems
+ * use d-cache-size, etc. Check on initialization for which type we have, and
+ * return the appropriate structure type. Assume it's embedded if it isn't
+ * open firmware. If it's yet a 3rd type, then there will be missing entries
+ * in /sys/devices/system/cpu/cpu0/cache/index2/, and this code will need
+ * to be extended further.
+ */
+static int cache_is_unified_d(const struct device_node *np)
{
- struct cache *cache;
+ return of_get_property(np,
+ cache_type_info[CACHE_TYPE_UNIFIED_D].size_prop, NULL) ?
+ CACHE_TYPE_UNIFIED_D : CACHE_TYPE_UNIFIED;
+}

+/*
+ */
+static struct cache *__cpuinit cache_do_one_devnode_unified(struct device_node *node, int level)
+{
pr_debug("creating L%d ucache for %s\n", level, node->full_name);

- cache = new_cache(CACHE_TYPE_UNIFIED, level, node);
-
- return cache;
+ return new_cache(cache_is_unified_d(node), level, node);
}

static struct cache *__cpuinit cache_do_one_devnode_split(struct device_node *node, int level)

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry....@lwfinger.net>

commit 2f92b314f4daff2117847ac5343c54d3d041bf78 upstream.

USB ID 2001:330d is used for a D-Link DWA-131.

Signed-off-by: Larry Finger <Larry....@lwfinger.net>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +

1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
@@ -367,6 +367,7 @@ static struct usb_device_id rtl8192c_usb
{RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/
{RTL_USB_DEVICE(0x2001, 0x3309, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
{RTL_USB_DEVICE(0x2001, 0x330a, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
+ {RTL_USB_DEVICE(0x2001, 0x330d, rtl92cu_hal_cfg)}, /*D-Link DWA-131 */
{RTL_USB_DEVICE(0x2019, 0xab2b, rtl92cu_hal_cfg)}, /*Planex -Abocom*/
{RTL_USB_DEVICE(0x20f4, 0x624d, rtl92cu_hal_cfg)}, /*TRENDNet*/
{RTL_USB_DEVICE(0x2357, 0x0100, rtl92cu_hal_cfg)}, /*TP-Link WN8200ND*/

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Gernoth <mic...@gernoth.net>

commit 91bf0c2dcb935a87e5c0795f5047456b965fd143 upstream.

The functions snd_emu10k1_proc_spdif_read and snd_emu1010_fpga_read
acquire the emu_lock before accessing the FPGA. The function used
to access the FPGA (snd_emu1010_fpga_read) also tries to take
the emu_lock which causes a deadlock.
Remove the outer locking in the proc-functions (guarding only the
already safe fpga read) to prevent this deadlock.

[removed superfluous flags variables too -- tiwai]

Signed-off-by: Michael Gernoth <mic...@gernoth.net>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

sound/pci/emu10k1/emuproc.c | 12 ------------
1 file changed, 12 deletions(-)

--- a/sound/pci/emu10k1/emuproc.c
+++ b/sound/pci/emu10k1/emuproc.c
@@ -241,31 +241,22 @@ static void snd_emu10k1_proc_spdif_read(
struct snd_emu10k1 *emu = entry->private_data;
u32 value;
u32 value2;
- unsigned long flags;
u32 rate;

if (emu->card_capabilities->emu_model) {
- spin_lock_irqsave(&emu->emu_lock, flags);
snd_emu1010_fpga_read(emu, 0x38, &value);
- spin_unlock_irqrestore(&emu->emu_lock, flags);
if ((value & 0x1) == 0) {
- spin_lock_irqsave(&emu->emu_lock, flags);
snd_emu1010_fpga_read(emu, 0x2a, &value);
snd_emu1010_fpga_read(emu, 0x2b, &value2);
- spin_unlock_irqrestore(&emu->emu_lock, flags);
rate = 0x1770000 / (((value << 5) | value2)+1);
snd_iprintf(buffer, "ADAT Locked : %u\n", rate);
} else {
snd_iprintf(buffer, "ADAT Unlocked\n");
}
- spin_lock_irqsave(&emu->emu_lock, flags);
snd_emu1010_fpga_read(emu, 0x20, &value);
- spin_unlock_irqrestore(&emu->emu_lock, flags);
if ((value & 0x4) == 0) {
- spin_lock_irqsave(&emu->emu_lock, flags);
snd_emu1010_fpga_read(emu, 0x28, &value);
snd_emu1010_fpga_read(emu, 0x29, &value2);
- spin_unlock_irqrestore(&emu->emu_lock, flags);
rate = 0x1770000 / (((value << 5) | value2)+1);
snd_iprintf(buffer, "SPDIF Locked : %d\n", rate);
} else {
@@ -410,14 +401,11 @@ static void snd_emu_proc_emu1010_reg_rea
{
struct snd_emu10k1 *emu = entry->private_data;
u32 value;
- unsigned long flags;
int i;
snd_iprintf(buffer, "EMU1010 Registers:\n\n");

for(i = 0; i < 0x40; i+=1) {
- spin_lock_irqsave(&emu->emu_lock, flags);
snd_emu1010_fpga_read(emu, i, &value);
- spin_unlock_irqrestore(&emu->emu_lock, flags);
snd_iprintf(buffer, "%02X: %08X, %02X\n", i, value, (value >> 8) & 0x7f);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nathan Fontenot <nf...@linux.vnet.ibm.com>

commit f32393c943e297b8ae180c8f83d81a156c7d0412 upstream.

The incorrect ordering of operations during cpu dlpar add results in invalid
affinity for the cpu being added. The ibm,associativity property in the
device tree is populated with all zeroes for the added cpu which results in
invalid affinity mappings and all cpus appear to belong to node 0.

This occurs because rtas configure-connector is called prior to making the
rtas set-indicator calls. Phyp does not assign affinity information
for a cpu until the rtas set-indicator calls are made to set the isolation
and allocation state.

Correct the order of operations to make the rtas set-indicator
calls (done in dlpar_acquire_drc) before calling rtas configure-connector.

Fixes: 1a8061c46c46 ("powerpc/pseries: Add kernel based CPU DLPAR handling")

Signed-off-by: Nathan Fontenot <nf...@linux.vnet.ibm.com>

Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
[bwh: Backported to 3.2:
- Adjust context

- Keep using goto instead of directly returning]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/powerpc/platforms/pseries/dlpar.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)

--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -416,6 +416,12 @@ static ssize_t dlpar_cpu_probe(const cha
goto out;
}

+ rc = dlpar_acquire_drc(drc_index);
+ if (rc) {
+ rc = -EINVAL;
+ goto out;
+ }
+
dn = dlpar_configure_connector(drc_index);
if (!dn) {
rc = -EINVAL;
@@ -436,13 +442,6 @@ static ssize_t dlpar_cpu_probe(const cha
kfree(dn->full_name);
dn->full_name = cpu_name;

- rc = dlpar_acquire_drc(drc_index);
- if (rc) {
- dlpar_free_cc_nodes(dn);
- rc = -EINVAL;
- goto out;
- }
-
rc = dlpar_attach_node(dn);
if (rc) {
dlpar_release_drc(drc_index);

[Ben Hutchings]

3.2.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Simek <michal...@xilinx.com>

commit 6befa9d883385c580369a2cc9e53fbf329771f6d upstream.

Do not probe all serial drivers by of_serial.c which are using
device_type = "serial"; property. Only drivers which have valid
compatible strings listed in the driver should be probed.

When PORT_UNKNOWN is setup probe will fail anyway.

Arnd quotation about driver historical background:
"when I wrote that driver initially, the idea was that it would
get used as a stub to hook up all other serial drivers but after
that, the common code learned to create platform devices from DT"

This patch fix the problem with on the system with xilinx_uartps and
16550a where of_serial failed to register for xilinx_uartps and because
of irq_dispose_mapping() removed irq_desc. Then when xilinx_uartps was asking
for irq with request_irq() EINVAL is returned.

Signed-off-by: Michal Simek <michal...@xilinx.com>
Acked-by: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/tty/serial/of_serial.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/tty/serial/of_serial.c
+++ b/drivers/tty/serial/of_serial.c
@@ -192,7 +192,6 @@ static struct of_device_id __devinitdata
{ .compatible = "ibm,qpace-nwp-serial",
.data = (void *)PORT_NWPSERIAL, },
#endif
- { .type = "serial", .data = (void *)PORT_UNKNOWN, },
{ /* end of list */ },