[34-longterm 036/179] cpuidle: menu: fixed wrapping timers at 4.294 seconds

This is the start of the longterm review cycle for the v2.6.34.12 release.
There are 179 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let us know. If anyone is a maintainer of the proper subsystem, and
wants to add a Signed-off-by: line to the patch, please respond with it.

The full queue can be found at:
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git

Please try to get reponses made within 72 hours, or it may be too late.

Thanks,
Paul.
---

Alan Cox (3):
tty: Make tiocgicount a handler
tty: icount changeover for other main devices
nozomi: Fix warning from the previous TIOCGCOUNT changes

Alan Stern (4):
USB: don't let errors prevent system sleep
USB: don't let the hub driver prevent system sleep
USB: OHCI: fix another regression for NVIDIA controllers
EHCI: fix direction handling for interrupt data toggles

Alasdair G Kergon (1):
dm: fix idr leak on module removal

Andrea Arcangeli (1):
migrate: don't account swapcache as shmem

Andres Salomon (1):
tty: fix warning in synclink driver

Andrew Barry (1):
mm/page_alloc.c: prevent unending loop in __alloc_pages_slowpath()

Andy Adamson (1):
NFSv4.1: update nfs4_fattr_bitmap_maxsz

Anton Blanchard (3):
powerpc/pseries/hvconsole: Fix dropped console output
powerpc: Fix device tree claim code
powerpc: pseries: Fix kexec on machines with more than 4TB of RAM

Arnd Bergmann (1):
6pack,mkiss: fix lock inconsistency

Artem Bityutskiy (3):
UBIFS: fix a rare memory leak in ro to rw remounting path
UBIFS: fix shrinker object count reports
UBIFS: fix memory leak on error path

Ben Greear (1):
SUNRPC: Fix use of static variable in rpcb_getport_async

Benedek László (1):
USB: serial: ftdi_sio: adding support for TavIR STK500

Carolyn Wyborny (1):
igb: Fix lack of flush after register write and before delay

Catalin Marinas (1):
kmemleak: Do not return a pointer to an object that kmemleak did not
get

Chas Williams (1):
atm: br2864: sent packets truncated in VC routed mode

Chris Wright (1):
PCI: ARI is a PCIe v2 feature

Christian Lamparter (1):
p54usb: add zoom 4410 usbid

Clemens Ladisch (1):
mm: fix wrong vmap address calculations with odd NR_CPUS values

Craig Shelley (1):
USB: CP210x Add 4 Device IDs for AC-Services Devices

Dan Carpenter (1):
xen: off by one errors in multicalls.c

Dan Rosenberg (4):
pmcraid: reject negative request size
xtensa: prevent arbitrary read in ptrace
alpha: fix several security issues
score: fix off-by-one index into syscall table

Dan Williams (1):
atm: expose ATM device index in sysfs

Daniel Haid (1):
drm/radeon/kms: fix for radeon on systems >4GB without hardware iommu

Daniel J Blueman (1):
x86: Make Dell Latitude E5420 use reboot=pci

Daniel Mack (3):
ALSA: snd-usb-caiaq: Fix keymap for RigKontrol3
ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc
ALSA: snd_usb_caiaq: track submitted output urbs

Daniel T Chen (1):
ALSA: ac97: Add HP Compaq dc5100 SFF(PT003AW) to Headphone Jack Sense
whitelist

Dave Jones (1):
Remove cpufreq_stats sysfs entries on module unload.

David Chang (1):
staging: usbip: fix wrong endian conversion

David Henningsson (1):
ALSA: HDA: Use one dmic only for Dell Studio 1558

David S. Miller (2):
crypto: Move md5_transform to lib/md5.c
net: Compute protocol sequence numbers and fragment IDs using MD5.

Dmitry Torokhov (1):
USB: xhci - fix interval calculation for FS isoc endpoints

Douglas Gilbert (1):
ses: requesting a fault indication

Elizabeth Jennifer Myers (1):
USB: moto_modem: Add USB identifier for the Motorola VE240.

Eric B Munson (1):
powerpc/oprofile: Handle events that raise an exception without
overflowing

Eric Dumazet (1):
af_packet: prevent information leak

Eugene A. Shatokhin (1):
ath5k: fix memory leak when fewer than N_PD_CURVES are in use

Felipe Balbi (1):
usb: gadget: rndis: don't test against req->length

Felix Radensky (1):
mtd: mtdconcat: fix NAND OOB write

Fernando Luis Vazquez Cao (2):
netfilter: IPv6: initialize TOS field in REJECT target module
netfilter: IPv6: fix DSCP mangle code

Florian Fainelli (1):
watchdog: mtx1-wdt: request gpio before using it

Frederic Weisbecker (1):
rcu: Fix unpaired rcu_irq_enter() from locking selftests

Greg Kroah-Hartman (1):
USB: pl2303.h: checkpatch cleanups

Guo-Fu Tseng (1):
jme: Fix unmap error (Causing system freeze)

H. Peter Anvin (1):
x86-32, vdso: On system call restart after SYSENTER, use int $0x80

Hans Verkuil (3):
v4l2-ioctl.c: prefill tuner type for g_frequency and g/s_tuner
pvrusb2: fix g/s_tuner support
bttv: fix s_tuner for radio

Hans de Goede (1):
drm/i915: Add a no lvds quirk for the Asus EeeBox PC EB1007

Hemant Pedanekar (1):
PCI: Add quirk for setting valid class for TI816X Endpoint

Hermann Kneissel (1):
USB: gamin_gps: Fix for data transfer problems in native mode

Huang Ying (1):
kexec, x86: Fix incorrect jump back address if not preserving context

Hugh Dickins (2):
mm: fix ENOSPC returned by handle_mm_fault()
ksm: fix NULL pointer dereference in scan_get_next_rmap_item()

Ian Campbell (1):
xen: events: do not unmask event channels on resume

Igor Grinberg (1):
ARM: pxa/cm-x300: fix V3020 RTC functionality

J. Bruce Fields (1):
svcrpc: fix list-corrupting race on nfsd shutdown

Jack Steiner (1):
x86, UV: Remove UV delay in starting slave cpus

Jacob Shin (1):
CPU hotplug, re-create sysfs directory and symlinks

James Bottomley (3):
block: add proper state guards to __elv_next_request
Fix oops caused by queue refcounting failure
pata_cm64x: fix boot crash on parisc

Jan Kara (3):
ext3: Fix fs corruption when make_indexed_dir() fails
jbd: Fix forever sleeping process in do_get_write_access()
ext3: Fix oops in ext3_try_to_allocate_with_rsv()

Jean Delvare (1):
i2c-taos-evm: Fix log messages

Jean-Christophe PLAGNIOL-VILLARD (1):
usb/gadget: at91sam9g20 fix end point max packet size

Jeff Layton (3):
cifs: clean up cifs_find_smb_ses (try #2)
cifs: fix NULL pointer dereference in cifs_find_smb_ses
cifs: check for NULL session password

Jens Axboe (2):
block: export blk_{get,put}_queue()
cfq-iosched: fix locking around ioc->ioc_data assignment

JiSheng Zhang (1):
USB: xhci: fix OS want to own HC

Jiri Olsa (1):
x86, 64-bit: Fix copy_[to/from]_user() checks for the userspace
address limit

Jiri Slaby (1):
TTY: ldisc, do not close until there are readers

Joe Perches (2):
bug.h: Add WARN_RATELIMIT
net: filter: Use WARN_RATELIMIT

Joerg Roedel (1):
x86/amd-iommu: Fix 3 possible endless loops

Johannes Weiner (1):
xfs: properly account for reclaimed inodes

Jon Povey (1):
davinci: DM365 EVM: fix video input mux bits

Jonathan Nieder (3):
perf tools: do not look at ./config for configuration
x86/PCI: use host bridge _CRS info on MSI MS-7253
x86/PCI: do not tie MSI MS-7253 use_crs quirk to BIOS version

Jordan_...@Dell.com (1):
PCI: Set PCIE maxpayload for card during hotplug insertion

Julia Lawall (2):
ALSA: sound/core/pcm_compat.c: adjust array index
hwmon: (ibmaem) add missing kfree

Kasper Pedersen (1):
time: Compensate for rounding on odd-frequency clocksources

Libor Pechacek (1):
USB: core: Tolerate protocol stall during hub and port status read

Luben Tuikov (1):
libsas: remove expander from dev list on error

Luca Tettamanti (1):
i8k: Avoid lahf in 64-bit code

Luciano Coelho (1):
nl80211: fix check for valid SSID size in scan operations

Marcin Slusarz (2):
debugobjects: Fix boot crash when kmemleak and debugobjects enabled
drm/ttm: fix ttm_bo_add_ttm(user) failure path

Marcus Meissner (1):
net/ipv4: Check for mistakenly passed in non-IPv4 address

Mark Brown (3):
ASoC: Ensure output PGA is enabled for line outputs in wm_hubs
ASoC: Add some missing volume update bit sets for wm_hubs devices
ASoC: Fix Blackfin I2S _pointer() implementation return in bounds
values

Mathias Krause (1):
exec: delay address limit change until point of no return

Mauro Carvalho Chehab (1):
si4713-i2c: avoid potential buffer overflow on si4713

Maxim Nikulin (1):
USB: assign instead of equal in usbtmc.c

Michael Neuling (1):
powerpc/kdump: Fix timeout in crash_kexec_wait_realmode

Michal Kubecek (1):
PM: Free memory bitmaps if opening /dev/snapshot fails

Mike Snitzer (1):
dm mpath: fix potential NULL pointer in feature arg processing

Miklos Szeredi (2):
mm: prevent concurrent unmap_mapping_range() on the same inode
fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

Milan Broz (1):
dm table: reject devices without request fns

Milton Miller (2):
powerpc/kexec: Fix memory corruption from unallocated slaves
seqlock: Don't smp_rmb in seqlock reader spin loop

Namhyung Kim (8):
loop: limit 'max_part' module param to DISK_MAX_PARTS
loop: handle on-demand devices correctly
brd: limit 'max_part' module param to DISK_MAX_PARTS
brd: handle on-demand devices correctly
nbd: limit module parameters to a sane value
md: check ->hot_remove_disk when removing disk
md/raid5: fix raid5_set_bi_hw_segments
md/raid5: fix FUA request handling in ops_run_io()

NeilBrown (1):
md: avoid endless recovery loop when waiting for fail device to
complete.

Nick Bowler (1):
USB: usb-storage: unusual_devs entry for ARM V2M motherboard.

OGAWA Hirofumi (1):
fat: Fix corrupt inode flags when remove ATTR_SYS flag

Pavel Herrmann (1):
hwmon: (max1111) Fix race condition causing NULL pointer exception

Peter Zijlstra (1):
lockdep: Fix lock_is_held() on recursion

Rafael Aquini (1):
mm: fix negative commitlimit when gigantic hugepages are allocated

Rafael J. Wysocki (2):
PM / Hibernate: Avoid hitting OOM during preallocation of memory
PM / Hibernate: Fix free_unnecessary_pages()

Rajkumar Manoharan (1):
mac80211: Restart STA timers only on associated state

Robert Richter (1):
oprofile, dcookies: Fix possible circular locking dependency

Roedel, Joerg (1):
x86, amd: Use _safe() msr access for GartTlbWlk disable code

Roland McGrath (1):
uml: fix CONFIG_STATIC_LINK=y build failure with newer glibc

Samuel Thibault (1):
Fix Ultrastor asm snippet

Sarah Sharp (2):
xhci: Fix full speed bInterval encoding.
xhci: Reject double add of active endpoints.

Sergei Shtylyov (1):
EHCI: only power off port if over-current is active

Shaohua Li (1):
cfq-iosched: fix a rcu warning

Shawn Bohrer (1):
futex: Fix regression with read only mappings

Sjoerd Simons (1):
uvcvideo: Remove buffers from the queues when freeing

Stefano Stabellini (1):
xen: partially revert "xen: set max_pfn_mapped to the last pfn
mapped"

Steffen Sledz (1):
USB: serial: add another 4N-GALAXY.DE PID to ftdi_sio driver

Stephen M. Cameron (1):
cciss: do not attempt to read from a write-only register

Steven Rostedt (1):
ftrace: Only update the function code on write to filter files

Takashi Iwai (1):
ALSA: timer - Fix Oops at closing slave timer

Ted Ts'o (1):
jbd: fix fsync() tid wraparound bug

Tejun Heo (1):
libata: fix unexpectedly frozen port after ata_eh_reset()

Tero Kristo (1):
cpuidle: menu: fixed wrapping timers at 4.294 seconds

Thomas Gleixner (5):
genirq: Add IRQF_FORCE_RESUME
xen: Use IRQF_FORCE_RESUME
clocksource: Make watchdog robust vs. interruption
x86: Hpet: Avoid the comparator readback penalty
x86: HPET: Chose a paranoid safe value for the ETIME check

Tian, Kevin (1):
xen mmu: fix a race window causing leave_mm BUG()

Toby Gray (1):
USB: cdc-acm: Adding second ACM channel support for Nokia E7 and C7

Trond Myklebust (3):
SUNRPC: Deal with the lack of a SYN_SENT sk->sk_state_change
callback...
SUNRPC: Ensure the RPC client only quits on fatal signals
SUNRPC: Fix a race between work-queue and rpc_killall_tasks

Tyler Hicks (1):
eCryptfs: Allow 2 scatterlist entries for encrypted filenames

Vasiliy Kulikov (2):
staging: comedi: fix infoleak to userspace
proc: restrict access to /proc/PID/io

Vijay Chavan (1):
USB: Serial: Added device ID for Qualcomm Modem in Sagemcom's HiLo3G

Werner Fink (1):
Blacklist Traxdata CDR4120 and IOMEGA Zip drive to avoid lock ups.

Wolfgang Denk (1):
USB: serial: add IDs for WinChipHead USB->RS232 adapter

Xufeng Zhang (2):
ipv6/udp: Use the correct variable to determine non-blocking
condition
udp/recvmsg: Clear MSG_TRUNC flag when starting over for a new packet

Yang Ruirui (1):
ext4: release page cache in ext4_mb_load_buddy error path

stephen hemminger (1):
bridge: send proper message_age in config BPDU

steven finney (1):
Fix memory leak in cpufreq_stat

arch/alpha/kernel/osf_sys.c | 11 +-
arch/arm/mach-davinci/board-dm365-evm.c | 4 +-
arch/arm/mach-pxa/cm-x300.c | 8 +-
arch/ia64/hp/sim/simserial.c | 12 +-
arch/powerpc/kernel/crash.c | 6 +-
arch/powerpc/kernel/misc_64.S | 13 +-
arch/powerpc/kernel/prom_init.c | 6 +-
arch/powerpc/oprofile/op_model_power4.c | 24 +-
arch/powerpc/platforms/pseries/hvconsole.c | 2 +-
arch/powerpc/platforms/pseries/lpar.c | 2 +-
arch/score/kernel/entry.S | 2 +-
arch/um/kernel/dyn.lds.S | 14 +-
arch/um/kernel/uml.lds.S | 17 ++
arch/x86/include/asm/uaccess.h | 2 +-
arch/x86/kernel/amd_iommu_init.c | 8 +-
arch/x86/kernel/apic/x2apic_uv_x.c | 1 -
arch/x86/kernel/cpu/amd.c | 9 +-
arch/x86/kernel/hpet.c | 53 +++--
arch/x86/kernel/process_32.c | 1 -
arch/x86/kernel/process_64.c | 1 -
arch/x86/kernel/reboot.c | 8 +
arch/x86/kernel/relocate_kernel_32.S | 2 +
arch/x86/kernel/relocate_kernel_64.S | 2 +
arch/x86/lib/copy_user_64.S | 4 +-
arch/x86/pci/acpi.c | 10 +
arch/x86/vdso/vdso32/sysenter.S | 2 +-
arch/x86/xen/mmu.c | 11 +-
arch/x86/xen/multicalls.c | 12 +-
arch/xtensa/kernel/ptrace.c | 3 +
block/blk-core.c | 2 +
block/blk.h | 3 +-
block/cfq-iosched.c | 8 +-
crypto/md5.c | 92 +-------
drivers/ata/libata-eh.c | 12 +-
drivers/ata/pata_cmd64x.c | 42 +++-
drivers/block/brd.c | 11 +-
drivers/block/cciss.h | 2 +-
drivers/block/loop.c | 11 +-
drivers/block/nbd.c | 6 +
drivers/char/amiserial.c | 56 ++---
drivers/char/cyclades.c | 49 ++--
drivers/char/i8k.c | 4 +-
drivers/char/ip2/ip2main.c | 72 +++---
drivers/char/mxser.c | 62 +++---
drivers/char/nozomi.c | 38 ++--
drivers/char/pcmcia/synclink_cs.c | 61 +++--
drivers/char/random.c | 334 +---------------------------
drivers/char/synclink.c | 73 +++---
drivers/char/synclink_gt.c | 56 ++---
drivers/char/synclinkmp.c | 61 +++--
drivers/char/tty_io.c | 21 ++
drivers/char/tty_ldisc.c | 4 +-
drivers/cpufreq/cpufreq.c | 20 +-
drivers/cpufreq/cpufreq_stats.c | 22 +-
drivers/cpuidle/governors/menu.c | 4 +-
drivers/gpu/drm/i915/intel_lvds.c | 8 +
drivers/gpu/drm/radeon/radeon_device.c | 1 +
drivers/gpu/drm/ttm/ttm_bo.c | 4 +-
drivers/hwmon/ibmaem.c | 15 +-
drivers/hwmon/max1111.c | 11 +
drivers/i2c/busses/i2c-taos-evm.c | 8 +-
drivers/md/dm-mpath.c | 5 +
drivers/md/dm-table.c | 17 ++
drivers/md/dm.c | 10 +-
drivers/md/md.c | 3 +-
drivers/md/raid5.c | 8 +-
drivers/media/radio/si4713-i2c.c | 4 +-
drivers/media/video/bt8xx/bttv-driver.c | 2 +-
drivers/media/video/pvrusb2/pvrusb2-hdw.c | 4 +
drivers/media/video/uvc/uvc_queue.c | 2 +
drivers/media/video/v4l2-ioctl.c | 6 +
drivers/mtd/mtdconcat.c | 4 +-
drivers/net/hamradio/6pack.c | 4 +-
drivers/net/hamradio/mkiss.c | 4 +-
drivers/net/igb/e1000_82575.c | 1 +
drivers/net/jme.c | 20 +-
drivers/net/wireless/ath/ath5k/eeprom.c | 8 +-
drivers/net/wireless/p54/p54usb.c | 1 +
drivers/pci/hotplug/pcihp_slot.c | 45 ++++
drivers/pci/pci.c | 7 +-
drivers/pci/quirks.c | 10 +
drivers/scsi/libsas/sas_expander.c | 3 +
drivers/scsi/pmcraid.c | 3 +
drivers/scsi/scsi_devinfo.c | 2 +
drivers/scsi/scsi_scan.c | 2 +-
drivers/scsi/scsi_sysfs.c | 1 +
drivers/scsi/ses.c | 6 +-
drivers/scsi/ultrastor.c | 2 +-
drivers/serial/68360serial.c | 51 +++--
drivers/serial/serial_core.c | 35 ++-
drivers/staging/comedi/comedi_fops.c | 4 +-
drivers/staging/usbip/usbip_common.c | 2 +-
drivers/usb/class/cdc-acm.c | 2 +
drivers/usb/class/usbtmc.c | 2 +-
drivers/usb/core/driver.c | 11 +-
drivers/usb/core/hub.c | 19 +-
drivers/usb/gadget/at91_udc.c | 2 +-
drivers/usb/gadget/f_rndis.c | 3 +-
drivers/usb/host/ehci-hub.c | 3 +-
drivers/usb/host/ehci-q.c | 3 +-
drivers/usb/host/ehci.h | 1 +
drivers/usb/host/pci-quirks.c | 30 ++-
drivers/usb/host/xhci-mem.c | 18 +-
drivers/usb/host/xhci.c | 22 +-
drivers/usb/serial/cp210x.c | 4 +
drivers/usb/serial/ftdi_sio.c | 2 +
drivers/usb/serial/ftdi_sio_ids.h | 6 +
drivers/usb/serial/garmin_gps.c | 20 +-
drivers/usb/serial/moto_modem.c | 1 +
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 10 +-
drivers/usb/serial/qcserial.c | 1 +
drivers/usb/serial/usb-serial.c | 13 ++
drivers/usb/storage/unusual_devs.h | 10 +
drivers/watchdog/mtx-1_wdt.c | 9 +
drivers/xen/events.c | 10 +-
fs/cifs/cifsglob.h | 2 +-
fs/cifs/connect.c | 28 ++-
fs/dcookies.c | 3 +
fs/ecryptfs/keystore.c | 46 ++--
fs/exec.c | 5 +-
fs/ext3/namei.c | 15 +-
fs/ext3/xattr.c | 12 +-
fs/ext4/mballoc.c | 2 +
fs/fat/file.c | 2 +-
fs/fuse/dev.c | 4 +
fs/gfs2/main.c | 9 +-
fs/inode.c | 22 +-
fs/jbd/commit.c | 9 +-
fs/jbd/journal.c | 16 +-
fs/nfs/nfs4xdr.c | 2 +-
fs/nilfs2/btnode.c | 14 --
fs/nilfs2/btnode.h | 1 -
fs/nilfs2/super.c | 2 +-
fs/proc/base.c | 7 +-
fs/ubifs/journal.c | 1 +
fs/ubifs/sb.c | 3 +-
fs/ubifs/shrinker.c | 6 +-
fs/ubifs/super.c | 1 +
fs/xfs/linux-2.6/xfs_sync.c | 10 +-
fs/xfs/linux-2.6/xfs_sync.h | 2 +
fs/xfs/xfs_iget.c | 1 +
include/asm-generic/bug.h | 16 ++
include/linux/clocksource.h | 1 +
include/linux/cryptohash.h | 5 +
include/linux/fs.h | 2 +
include/linux/if_packet.h | 2 +
include/linux/interrupt.h | 3 +-
include/linux/pci_ids.h | 2 +
include/linux/random.h | 11 -
include/linux/seqlock.h | 4 +-
include/linux/tty_driver.h | 9 +
include/linux/usb/serial.h | 2 +
include/net/secure_seq.h | 20 ++
kernel/futex.c | 54 ++++-
kernel/irq/manage.c | 11 +-
kernel/irq/pm.c | 3 -
kernel/lockdep.c | 2 +-
kernel/power/snapshot.c | 89 ++++++--
kernel/power/user.c | 4 +-
kernel/time/clocksource.c | 24 +-
kernel/time/timekeeping.c | 9 +-
kernel/trace/ftrace.c | 12 +-
lib/Makefile | 2 +-
lib/debugobjects.c | 2 +-
lib/locking-selftest.c | 2 +-
lib/md5.c | 95 ++++++++
mm/hugetlb.c | 12 +-
mm/kmemleak.c | 7 +-
mm/ksm.c | 6 +
mm/memory.c | 2 +
mm/migrate.c | 2 +-
mm/page_alloc.c | 2 +-
mm/vmalloc.c | 7 +-
net/atm/atm_sysfs.c | 10 +
net/atm/br2684.c | 2 -
net/bluetooth/rfcomm/tty.c | 4 -
net/bridge/br_private.h | 1 +
net/bridge/br_stp.c | 4 +-
net/core/Makefile | 2 +-
net/core/filter.c | 4 +-
net/core/secure_seq.c | 184 +++++++++++++++
net/dccp/ipv4.c | 1 +
net/dccp/ipv6.c | 9 +-
net/ipv4/af_inet.c | 3 +
net/ipv4/inet_hashtables.c | 1 +
net/ipv4/inetpeer.c | 1 +
net/ipv4/netfilter/nf_nat_proto_common.c | 1 +
net/ipv4/route.c | 1 +
net/ipv4/tcp_ipv4.c | 1 +
net/ipv4/udp.c | 3 +
net/ipv6/inet6_hashtables.c | 1 +
net/ipv6/netfilter/ip6t_REJECT.c | 4 +-
net/ipv6/tcp_ipv6.c | 1 +
net/ipv6/udp.c | 5 +-
net/mac80211/mlme.c | 3 +
net/netfilter/xt_DSCP.c | 2 +-
net/packet/af_packet.c | 2 +
net/sunrpc/auth_gss/auth_gss.c | 4 +-
net/sunrpc/clnt.c | 2 +-
net/sunrpc/rpcb_clnt.c | 2 +-
net/sunrpc/sched.c | 27 +--
net/sunrpc/svc_xprt.c | 11 +-
net/sunrpc/xprtsock.c | 16 +-
net/wireless/nl80211.c | 2 +-
sound/core/pcm_compat.c | 2 +-
sound/core/timer.c | 2 +
sound/pci/ac97/ac97_patch.c | 1 +
sound/pci/hda/patch_sigmatel.c | 2 +-
sound/soc/blackfin/bf5xx-i2s-pcm.c | 13 +-
sound/soc/codecs/wm_hubs.c | 24 +-
sound/usb/caiaq/audio.c | 37 ++-
sound/usb/caiaq/device.h | 1 +
sound/usb/caiaq/input.c | 2 +-
tools/perf/util/config.c | 7 -
215 files changed, 1794 insertions(+), 1162 deletions(-)
create mode 100644 include/net/secure_seq.h
create mode 100644 lib/md5.c
create mode 100644 net/core/secure_seq.c

Paul Gortmaker

unread,

May 14, 2012, 10:20:02 PM5/14/12

to

From: Jean Delvare <kh...@linux-fr.org>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 9b640f2e154268cb516efcaf9c434f2e73c6783e upstream.

* Print all error and information messages even when debugging is
disabled.
* Don't use adapter device to log messages before it is ready.

Signed-off-by: Jean Delvare <kh...@linux-fr.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/i2c/busses/i2c-taos-evm.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/i2c/busses/i2c-taos-evm.c b/drivers/i2c/busses/i2c-taos-evm.c
index dd39c1e..26c352a 100644
--- a/drivers/i2c/busses/i2c-taos-evm.c
+++ b/drivers/i2c/busses/i2c-taos-evm.c
@@ -234,7 +234,7 @@ static int taos_connect(struct serio *serio, struct serio_driver *drv)

if (taos->state != TAOS_STATE_IDLE) {
err = -ENODEV;
- dev_dbg(&serio->dev, "TAOS EVM reset failed (state=%d, "
+ dev_err(&serio->dev, "TAOS EVM reset failed (state=%d, "
"pos=%d)\n", taos->state, taos->pos);
goto exit_close;
}
@@ -255,7 +255,7 @@ static int taos_connect(struct serio *serio, struct serio_driver *drv)
msecs_to_jiffies(250));
if (taos->state != TAOS_STATE_IDLE) {
err = -ENODEV;
- dev_err(&adapter->dev, "Echo off failed "
+ dev_err(&serio->dev, "TAOS EVM echo off failed "
"(state=%d)\n", taos->state);
goto exit_close;
}
@@ -263,7 +263,7 @@ static int taos_connect(struct serio *serio, struct serio_driver *drv)
err = i2c_add_adapter(adapter);
if (err)
goto exit_close;
- dev_dbg(&serio->dev, "Connected to TAOS EVM\n");
+ dev_info(&serio->dev, "Connected to TAOS EVM\n");

taos->client = taos_instantiate_device(adapter);
return 0;
@@ -288,7 +288,7 @@ static void taos_disconnect(struct serio *serio)
serio_set_drvdata(serio, NULL);
kfree(taos);

- dev_dbg(&serio->dev, "Disconnected from TAOS EVM\n");
+ dev_info(&serio->dev, "Disconnected from TAOS EVM\n");
}

static struct serio_device_id taos_serio_ids[] = {

Paul Gortmaker

unread,

May 14, 2012, 10:20:02 PM5/14/12

to

From: Namhyung Kim <namh...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 315980c8688c4b06713c1a5fe9d64cdf8ab57a72 upstream.

The 'max_part' parameter controls the number of maximum partition
a brd device can have. However if a user specifies very large
value it would exceed the limitation of device minor number and
can cause a kernel panic (or, at least, produce invalid device
nodes in some cases).

On my desktop system, following command kills the kernel. On qemu,
it triggers similar oops but the kernel was alive:

$ sudo modprobe brd max_part=100000
BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
IP: [<ffffffff81110a9a>] sysfs_create_dir+0x2d/0xae
PGD 7af1067 PUD 7b19067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file:
CPU 0
Modules linked in: brd(+)

Pid: 44, comm: insmod Tainted: G W 2.6.39-qemu+ #158 Bochs Bochs
RIP: 0010:[<ffffffff81110a9a>] [<ffffffff81110a9a>] sysfs_create_dir+0x2d/0xae
RSP: 0018:ffff880007b15d78 EFLAGS: 00000286
RAX: ffff880007b05478 RBX: ffff880007a52760 RCX: ffff880007b15dc8
RDX: ffff880007a4f900 RSI: ffff880007b15e48 RDI: ffff880007a52760
RBP: ffff880007b15da8 R08: 0000000000000002 R09: 0000000000000000
R10: ffff880007b15e48 R11: ffff880007b05478 R12: 0000000000000000
R13: ffff880007b05478 R14: 0000000000400920 R15: 0000000000000063
FS: 0000000002160880(0063) GS:ffff880007c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000058 CR3: 0000000007b1c000 CR4: 00000000000006b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
Process insmod (pid: 44, threadinfo ffff880007b14000, task ffff880007acb980)
Stack:
ffff880007b15dc8 ffff880007b05478 ffff880007b15da8 00000000fffffffe
ffff880007a52760 ffff880007b05478 ffff880007b15de8 ffffffff81143c0a
0000000000400920 ffff880007a52760 ffff880007b05478 0000000000000000
Call Trace:
[<ffffffff81143c0a>] kobject_add_internal+0xdf/0x1a0
[<ffffffff81143da1>] kobject_add_varg+0x41/0x50
[<ffffffff81143e6b>] kobject_add+0x64/0x66
[<ffffffff8113bbe7>] blk_register_queue+0x5f/0xb8
[<ffffffff81140f72>] add_disk+0xdf/0x289
[<ffffffffa00040df>] brd_init+0xdf/0x1aa [brd]
[<ffffffffa0004000>] ? 0xffffffffa0003fff
[<ffffffffa0004000>] ? 0xffffffffa0003fff
[<ffffffff8100020a>] do_one_initcall+0x7a/0x12e
[<ffffffff8108516c>] sys_init_module+0x9c/0x1dc
[<ffffffff812ff4bb>] system_call_fastpath+0x16/0x1b
Code: 89 e5 41 55 41 54 53 48 89 fb 48 83 ec 18 48 85 ff 75 04 0f 0b eb fe 48 8b 47 18 49 c7 c4 70 1e 4d 81 48 85 c0 74 04 4c 8b 60 30
8b 44 24 58 45 31 ed 0f b6 c4 85 c0 74 0d 48 8b 43 28 48 89
RIP [<ffffffff81110a9a>] sysfs_create_dir+0x2d/0xae
RSP <ffff880007b15d78>
CR2: 0000000000000058
---[ end trace aebb1175ce1f6739 ]---

Signed-off-by: Namhyung Kim <namh...@gmail.com>
Cc: Laurent Vivier <Laurent...@bull.net>
Signed-off-by: Jens Axboe <jax...@fusionio.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/block/brd.c | 3 +++

1 file changed, 3 insertions(+)

diff --git a/drivers/block/brd.c b/drivers/block/brd.c
index 6081e81..9668128 100644
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -531,6 +531,9 @@ static int __init brd_init(void)
if (max_part > 0)
part_shift = fls(max_part);

+ if ((1UL << part_shift) > DISK_MAX_PARTS)
+ return -EINVAL;
+
if (rd_nr > 1UL << (MINORBITS - part_shift))
return -EINVAL;

Paul Gortmaker

unread,

May 14, 2012, 10:20:02 PM5/14/12

to

From: Namhyung Kim <namh...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit a1c15c59feee36267c43142a41152fbf7402afb6 upstream.

When finding or allocating a loop device, loop_probe() did not take
partition numbers into account so that it can result to a different
device. Consider following example:

$ sudo modprobe loop max_part=15
$ ls -l /dev/loop*
brw-rw---- 1 root disk 7, 0 2011-05-24 22:16 /dev/loop0
brw-rw---- 1 root disk 7, 16 2011-05-24 22:16 /dev/loop1
brw-rw---- 1 root disk 7, 32 2011-05-24 22:16 /dev/loop2
brw-rw---- 1 root disk 7, 48 2011-05-24 22:16 /dev/loop3
brw-rw---- 1 root disk 7, 64 2011-05-24 22:16 /dev/loop4
brw-rw---- 1 root disk 7, 80 2011-05-24 22:16 /dev/loop5
brw-rw---- 1 root disk 7, 96 2011-05-24 22:16 /dev/loop6
brw-rw---- 1 root disk 7, 112 2011-05-24 22:16 /dev/loop7
$ sudo mknod /dev/loop8 b 7 128
$ sudo losetup /dev/loop8 ~/temp/disk-with-3-parts.img
$ sudo losetup -a
/dev/loop128: [0805]:278201 (/home/namhyung/temp/disk-with-3-parts.img)
$ ls -l /dev/loop*
brw-rw---- 1 root disk 7, 0 2011-05-24 22:16 /dev/loop0
brw-rw---- 1 root disk 7, 16 2011-05-24 22:16 /dev/loop1
brw-rw---- 1 root disk 7, 2048 2011-05-24 22:18 /dev/loop128
brw-rw---- 1 root disk 7, 2049 2011-05-24 22:18 /dev/loop128p1
brw-rw---- 1 root disk 7, 2050 2011-05-24 22:18 /dev/loop128p2
brw-rw---- 1 root disk 7, 2051 2011-05-24 22:18 /dev/loop128p3
brw-rw---- 1 root disk 7, 32 2011-05-24 22:16 /dev/loop2
brw-rw---- 1 root disk 7, 48 2011-05-24 22:16 /dev/loop3
brw-rw---- 1 root disk 7, 64 2011-05-24 22:16 /dev/loop4
brw-rw---- 1 root disk 7, 80 2011-05-24 22:16 /dev/loop5
brw-rw---- 1 root disk 7, 96 2011-05-24 22:16 /dev/loop6
brw-rw---- 1 root disk 7, 112 2011-05-24 22:16 /dev/loop7
brw-r--r-- 1 root root 7, 128 2011-05-24 22:17 /dev/loop8

After this patch, /dev/loop8 - instead of /dev/loop128 - was
accessed correctly.

In addition, 'range' passed to blk_register_region() should
include all range of dev_t that LOOP_MAJOR can address. It does
not need to be limited by partition numbers unless 'max_loop'
param was specified.

Signed-off-by: Namhyung Kim <namh...@gmail.com>
Cc: Laurent Vivier <Laurent...@bull.net>
Signed-off-by: Jens Axboe <jax...@fusionio.com>
Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/block/loop.c | 8 ++++----

1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index bcd26d0..8d1c3c0e 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1571,7 +1571,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data)
struct kobject *kobj;

mutex_lock(&loop_devices_mutex);
- lo = loop_init_one(dev & MINORMASK);
+ lo = loop_init_one(MINOR(dev) >> part_shift);
kobj = lo ? get_disk(lo->lo_disk) : ERR_PTR(-ENOMEM);
mutex_unlock(&loop_devices_mutex);

@@ -1612,10 +1612,10 @@ static int __init loop_init(void)

if (max_loop) {
nr = max_loop;
- range = max_loop;
+ range = max_loop << part_shift;
} else {
nr = 8;
- range = 1UL << (MINORBITS - part_shift);
+ range = 1UL << MINORBITS;
}

if (register_blkdev(LOOP_MAJOR, "loop"))
@@ -1654,7 +1654,7 @@ static void __exit loop_exit(void)
unsigned long range;
struct loop_device *lo, *next;

- range = max_loop ? max_loop : 1UL << (MINORBITS - part_shift);
+ range = max_loop ? max_loop << part_shift : 1UL << MINORBITS;

list_for_each_entry_safe(lo, next, &loop_devices, lo_list)
loop_del_one(lo);

Paul Gortmaker

unread,

May 14, 2012, 10:20:02 PM5/14/12

to

From: Toby Gray <toby...@realvnc.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 4061fde2fa80f40cb27114f60500d38d0afcf350 upstream.

This adds the Nokia E7 and C7 to the list of devices in cdc-acm, allowing
the secondary ACM channel on the device to be exposed. Without this patch
the ACM driver won't claim this secondary channel as it's marked as
having a vendor-specific protocol.

Signed-off-by: Toby Gray <toby...@realvnc.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/class/cdc-acm.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 657b434..e907cfd 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1619,6 +1619,8 @@ static const struct usb_device_id acm_ids[] = {
{ NOKIA_PCSUITE_ACM_INFO(0x04ce), }, /* Nokia E90 */
{ NOKIA_PCSUITE_ACM_INFO(0x01d4), }, /* Nokia E55 */
{ NOKIA_PCSUITE_ACM_INFO(0x0302), }, /* Nokia N8 */
+ { NOKIA_PCSUITE_ACM_INFO(0x0335), }, /* Nokia E7 */
+ { NOKIA_PCSUITE_ACM_INFO(0x03cd), }, /* Nokia C7 */
{ SAMSUNG_PCSUITE_ACM_INFO(0x6651), }, /* Samsung GTi8510 (INNOV8) */

/* NOTE: non-Nokia COMM/ACM/0xff is likely MSFT RNDIS... NOT a modem! */

Paul Gortmaker

unread,

May 14, 2012, 10:20:03 PM5/14/12

to

From: David Henningsson <david.he...@canonical.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit e033ebfb399227e01686260ac271029011bc6b47 upstream.

There are no signs of a dmic at node 0x0b, so the user is left with
an additional internal mic which does not exist. This commit removes
that non-existing mic.

BugLink: http://bugs.launchpad.net/bugs/731706
Reported-by: James Page <james...@canonical.com>
Signed-off-by: David Henningsson <david.he...@canonical.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/pci/hda/patch_sigmatel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
index 02b813ef6..6c06d17 100644
--- a/sound/pci/hda/patch_sigmatel.c
+++ b/sound/pci/hda/patch_sigmatel.c
@@ -1614,7 +1614,7 @@ static struct snd_pci_quirk stac92hd73xx_cfg_tbl[] = {
SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02fe,
"Dell Studio XPS 1645", STAC_DELL_M6_BOTH),
SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0413,
- "Dell Studio 1558", STAC_DELL_M6_BOTH),
+ "Dell Studio 1558", STAC_DELL_M6_DMIC),
{} /* terminator */
};

Paul Gortmaker

unread,

May 14, 2012, 10:30:01 PM5/14/12

to

From: Artem Bityutskiy <Artem.Bi...@nokia.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit cf610bf4199770420629d3bc273494bd27ad6c1d upstream.

Sometimes VM asks the shrinker to return amount of objects it can shrink,
and we return the ubifs_clean_zn_cnt in that case. However, it is possible
that this counter is negative for a short period of time, due to the way
UBIFS TNC code updates it. And I can observe the following warnings sometimes:

shrink_slab: ubifs_shrinker+0x0/0x2b7 [ubifs] negative objects to delete nr=-8541616642706119788

This patch makes sure UBIFS never returns negative count of objects.

Signed-off-by: Artem Bityutskiy <Artem.Bi...@nokia.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/ubifs/shrinker.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/shrinker.c b/fs/ubifs/shrinker.c
index 02feb59..aec6689 100644
--- a/fs/ubifs/shrinker.c
+++ b/fs/ubifs/shrinker.c
@@ -283,7 +283,11 @@ int ubifs_shrinker(int nr, gfp_t gfp_mask)
long clean_zn_cnt = atomic_long_read(&ubifs_clean_zn_cnt);

if (nr == 0)
- return clean_zn_cnt;
+ /*
+ * Due to the way UBIFS updates the clean znode counter it may
+ * temporarily be negative.
+ */
+ return clean_zn_cnt >= 0 ? clean_zn_cnt : 1;

if (!clean_zn_cnt) {
/*

Paul Gortmaker

unread,

May 14, 2012, 10:30:01 PM5/14/12

to

From: Dan Rosenberg <drose...@vsecurity.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table. It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drose...@vsecurity.com>
Cc: <sta...@vger.kernel.org>
Cc: Chen Liqin <liqin...@sunplusct.com>
Cc: Lennox Wu <lenn...@gmail.com>
Cc: Eugene Teo <euge...@kernel.sg>
Cc: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/score/kernel/entry.S | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
index 577abba..83bb960 100644
--- a/arch/score/kernel/entry.S
+++ b/arch/score/kernel/entry.S
@@ -408,7 +408,7 @@ ENTRY(handle_sys)
sw r9, [r0, PT_EPC]

cmpi.c r27, __NR_syscalls # check syscall number
- bgtu illegal_syscall
+ bgeu illegal_syscall

slli r8, r27, 2 # get syscall routine
la r11, sys_call_table

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Namhyung Kim <namh...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit af46566885a373b0a526932484cd8fef8de7b598 upstream.

When finding or allocating a ram disk device, brd_probe() did not take

partition numbers into account so that it can result to a different

device. Consider following example (I set CONFIG_BLK_DEV_RAM_COUNT=4
for simplicity) :

$ sudo modprobe brd max_part=15
$ ls -l /dev/ram*
brw-rw---- 1 root disk 1, 0 2011-05-25 15:41 /dev/ram0
brw-rw---- 1 root disk 1, 16 2011-05-25 15:41 /dev/ram1
brw-rw---- 1 root disk 1, 32 2011-05-25 15:41 /dev/ram2
brw-rw---- 1 root disk 1, 48 2011-05-25 15:41 /dev/ram3
$ sudo mknod /dev/ram4 b 1 64
$ sudo dd if=/dev/zero of=/dev/ram4 bs=4k count=256
256+0 records in
256+0 records out
1048576 bytes (1.0 MB) copied, 0.00215578 s, 486 MB/s
namhyung@leonhard:linux$ ls -l /dev/ram*
brw-rw---- 1 root disk 1, 0 2011-05-25 15:41 /dev/ram0
brw-rw---- 1 root disk 1, 16 2011-05-25 15:41 /dev/ram1
brw-rw---- 1 root disk 1, 32 2011-05-25 15:41 /dev/ram2
brw-rw---- 1 root disk 1, 48 2011-05-25 15:41 /dev/ram3
brw-r--r-- 1 root root 1, 64 2011-05-25 15:45 /dev/ram4
brw-rw---- 1 root disk 1, 1024 2011-05-25 15:44 /dev/ram64

After this patch, /dev/ram4 - instead of /dev/ram64 - was

accessed correctly.

In addition, 'range' passed to blk_register_region() should

include all range of dev_t that RAMDISK_MAJOR can address.

It does not need to be limited by partition numbers unless

'rd_nr' param was specified.

Signed-off-by: Namhyung Kim <namh...@gmail.com>
Cc: Laurent Vivier <Laurent...@bull.net>
Signed-off-by: Jens Axboe <jax...@fusionio.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/block/brd.c | 8 ++++----

1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/block/brd.c b/drivers/block/brd.c
index 9668128..8358a22 100644
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -498,7 +498,7 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data)
struct kobject *kobj;

mutex_lock(&brd_devices_mutex);
- brd = brd_init_one(dev & MINORMASK);
+ brd = brd_init_one(MINOR(dev) >> part_shift);
kobj = brd ? get_disk(brd->brd_disk) : ERR_PTR(-ENOMEM);
mutex_unlock(&brd_devices_mutex);

@@ -539,10 +539,10 @@ static int __init brd_init(void)

if (rd_nr) {
nr = rd_nr;
- range = rd_nr;
+ range = rd_nr << part_shift;
} else {
nr = CONFIG_BLK_DEV_RAM_COUNT;

- range = 1UL << (MINORBITS - part_shift);
+ range = 1UL << MINORBITS;
}

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Daniel Mack <zon...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit da6094ea7d3c2295473d8f5134279307255d6ebf upstream.

The snd_usb_caiaq driver currently assumes that output urbs are serviced
in time and doesn't track when and whether they are given back by the
USB core. That usually works fine, but due to temporary limitations of
the XHCI stack, we faced that urbs were submitted more than once with
this approach.

As it's no good practice to fire and forget urbs anyway, this patch
introduces a proper bit mask to track which requests have been submitted
and given back.

That alone however doesn't make the driver work in case the host
controller is broken and doesn't give back urbs at all, and the output
stream will stop once all pre-allocated output urbs are consumed. But
it does prevent crashes of the controller stack in such cases.

See http://bugzilla.kernel.org/show_bug.cgi?id=40702 for more details.

Signed-off-by: Daniel Mack <zon...@gmail.com>
Reported-and-tested-by: Matej Laitl <ma...@laitl.cz>
Cc: Sarah Sharp <sarah....@linux.intel.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/usb/caiaq/audio.c | 31 +++++++++++++++++++++++++++----
sound/usb/caiaq/device.h | 1 +
2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c
index 75c8446..155d6d7 100644
--- a/sound/usb/caiaq/audio.c
+++ b/sound/usb/caiaq/audio.c
@@ -139,8 +139,12 @@ static void stream_stop(struct snd_usb_caiaqdev *dev)

for (i = 0; i < N_URBS; i++) {
usb_kill_urb(dev->data_urbs_in[i]);
- usb_kill_urb(dev->data_urbs_out[i]);
+
+ if (test_bit(i, &dev->outurb_active_mask))
+ usb_kill_urb(dev->data_urbs_out[i]);
}
+
+ dev->outurb_active_mask = 0;
}

static int snd_usb_caiaq_substream_open(struct snd_pcm_substream *substream)
@@ -467,8 +471,8 @@ static void read_completed(struct urb *urb)
{
struct snd_usb_caiaq_cb_info *info = urb->context;
struct snd_usb_caiaqdev *dev;
- struct urb *out;
- int frame, len, send_it = 0, outframe = 0;
+ struct urb *out = NULL;
+ int i, frame, len, send_it = 0, outframe = 0;
size_t offset = 0;

if (urb->status || !info)
@@ -479,7 +483,17 @@ static void read_completed(struct urb *urb)
if (!dev->streaming)
return;

- out = dev->data_urbs_out[info->index];
+ /* find an unused output urb that is unused */
+ for (i = 0; i < N_URBS; i++)
+ if (test_and_set_bit(i, &dev->outurb_active_mask) == 0) {
+ out = dev->data_urbs_out[i];
+ break;
+ }
+
+ if (!out) {
+ log("Unable to find an output urb to use\n");
+ goto requeue;
+ }

/* read the recently received packet and send back one which has
* the same layout */
@@ -510,8 +524,12 @@ static void read_completed(struct urb *urb)
out->number_of_packets = outframe;
out->transfer_flags = URB_ISO_ASAP;
usb_submit_urb(out, GFP_ATOMIC);
+ } else {
+ struct snd_usb_caiaq_cb_info *oinfo = out->context;
+ clear_bit(oinfo->index, &dev->outurb_active_mask);
}

+requeue:
/* re-submit inbound urb */
for (frame = 0; frame < FRAMES_PER_URB; frame++) {
urb->iso_frame_desc[frame].offset = BYTES_PER_FRAME * frame;
@@ -533,6 +551,8 @@ static void write_completed(struct urb *urb)
dev->output_running = 1;
wake_up(&dev->prepare_wait_queue);
}
+
+ clear_bit(info->index, &dev->outurb_active_mask);
}

static struct urb **alloc_urbs(struct snd_usb_caiaqdev *dev, int dir, int *ret)
@@ -683,6 +703,9 @@ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *dev)
if (!dev->data_cb_info)
return -ENOMEM;

+ dev->outurb_active_mask = 0;
+ BUILD_BUG_ON(N_URBS > (sizeof(dev->outurb_active_mask) * 8));
+
for (i = 0; i < N_URBS; i++) {
dev->data_cb_info[i].dev = dev;
dev->data_cb_info[i].index = i;
diff --git a/sound/usb/caiaq/device.h b/sound/usb/caiaq/device.h
index 44e3edf..94c0c36 100644
--- a/sound/usb/caiaq/device.h
+++ b/sound/usb/caiaq/device.h
@@ -92,6 +92,7 @@ struct snd_usb_caiaqdev {
int input_panic, output_panic, warned;
char *audio_in_buf, *audio_out_buf;
unsigned int samplerates, bpp;
+ unsigned long outurb_active_mask;

struct snd_pcm_substream *sub_playback[MAX_STREAMS];
struct snd_pcm_substream *sub_capture[MAX_STREAMS];

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Jiri Slaby <jsl...@suse.cz>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 92f6fa09bd453ffe3351fa1f1377a1b7cfa911e6 upstream.

We restored tty_ldisc_wait_idle in 100eeae2c5c (TTY: restore
tty_ldisc_wait_idle). We used it in the ldisc changing path to fix the
case where there are tasks in n_tty_read waiting for data and somebody
tries to change ldisc.

Similar to the case above, there may be also tasks waiting in
n_tty_read while hangup is performed. As 65b770468e98 (tty-ldisc: turn
ldisc user count into a proper refcount) removed the wait-until-idle
from all paths, hangup path won't wait for them to disappear either
now. So add it back even to the hangup path.

There is a difference, we need uninterruptible sleep as there is
obviously HUP signal pending. So tty_ldisc_wait_idle now sleeps
without possibility to be interrupted. This is what original
tty_ldisc_wait_idle did. After the wait idle reintroduction
(100eeae2c5c), we have had interruptible sleeps for the ldisc changing
path. But as there is a 5s timeout anyway, we don't allow it to be
interrupted from now on. It's not worth the added complexity of
deciding what kind of sleep we want.

Before 65b770468e98 tty_ldisc_release was called also from
tty_ldisc_release. It is called from tty_release, so I don't think we
need to restore that one.

This is nicely reproducible after constifying the timing when
drivers/tty/n_tty.c is patched as follows ("TTY: ntty, add one more
sanity check" patch is needed to actually see it explode):
%% -1548,6 +1549,7 @@ static int n_tty_open(struct tty_struct *tty)

/* These are ugly. Currently a malloc failure here can panic */
if (!tty->read_buf) {
+ msleep(100);
tty->read_buf = kzalloc(N_TTY_BUF_SIZE, GFP_KERNEL);
if (!tty->read_buf)
return -ENOMEM;
%% -1785,6 +1788,7 @@ do_it_again:
break;
}
timeout = schedule_timeout(timeout);
+ msleep(20);
continue;
}
__set_current_state(TASK_RUNNING);
===== With a process: =====
while (1) {
int fd = open(argv[1], O_RDWR);
read(fd, buf, sizeof(buf));
close(fd);
}
===== and its child: =====
setsid();
while (1) {
int fd = open(tty, O_RDWR|O_NOCTTY);
ioctl(fd, TIOCSCTTY, 1);
vhangup();
close(fd);
usleep(100 * (10 + random() % 1000));
}
===== EOF =====

References: https://bugzilla.novell.com/show_bug.cgi?id=693374
References: https://bugzilla.novell.com/show_bug.cgi?id=694509
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
Cc: Alan Cox <al...@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
[PG: account for char --> tty file rename post 2.6.34]

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/char/tty_ldisc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c
index 236628f..48de74a 100644
--- a/drivers/char/tty_ldisc.c
+++ b/drivers/char/tty_ldisc.c
@@ -543,7 +543,7 @@ static int tty_ldisc_halt(struct tty_struct *tty)
static int tty_ldisc_wait_idle(struct tty_struct *tty)
{
int ret;
- ret = wait_event_interruptible_timeout(tty_ldisc_idle,
+ ret = wait_event_timeout(tty_ldisc_idle,
atomic_read(&tty->ldisc->users) == 1, 5 * HZ);
if (ret < 0)
return ret;
@@ -750,6 +750,8 @@ static int tty_ldisc_reinit(struct tty_struct *tty, int ldisc)
if (IS_ERR(ld))
return -1;

+ WARN_ON_ONCE(tty_ldisc_wait_idle(tty));
+
tty_ldisc_close(tty, tty->ldisc);
tty_ldisc_put(tty->ldisc);
tty->ldisc = NULL;

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Alan Cox <al...@linux.intel.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 68e29655cc51761d60d5f27b2738816a5b13e415 upstream.

Just remove a now unused variable

Signed-off-by: Alan Cox <al...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/char/nozomi.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/char/nozomi.c b/drivers/char/nozomi.c
index 0924435..7ecca24 100644
--- a/drivers/char/nozomi.c
+++ b/drivers/char/nozomi.c
@@ -1829,7 +1829,6 @@ static int ntty_ioctl(struct tty_struct *tty, struct file *file,
unsigned int cmd, unsigned long arg)
{
struct port *port = tty->driver_data;
- void __user *argp = (void __user *)arg;
int rval = -ENOIOCTLCMD;

DBG1("******** IOCTL, cmd: %d", cmd);

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Jonathan Nieder <jrni...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit a97f4f5e524bcd09a85ef0b8821a14d35e69335f upstream.

Carlos was getting

WARNING: at drivers/pci/pci.c:118 pci_ioremap_bar+0x24/0x52()

when probing his sound card, and sound did not work. After adding
pci=use_crs to the kernel command line, no more trouble.

Ok, we can add a quirk. dmidecode output reveals that this is an MSI
MS-7253, for which we already have a quirk, but the short-sighted
author tied the quirk to a single BIOS version, making it not kick in
on Carlos's machine with BIOS V1.2. If a later BIOS update makes it
no longer necessary to look at the _CRS info it will still be
harmless, so let's stop trying to guess which versions have and don't
have accurate _CRS tables.

Addresses https://bugtrack.alsa-project.org/alsa-bug/view.php?id=5533
Also see <https://bugzilla.kernel.org/show_bug.cgi?id=42619>.

Reported-by: Carlos Luna <cara...@gmail.com>
Reviewed-by: Bjorn Helgaas <bhel...@google.com>
Signed-off-by: Jonathan Nieder <jrni...@gmail.com>
Signed-off-by: Jesse Barnes <jba...@virtuousgeek.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/x86/pci/acpi.c | 1 -

1 file changed, 1 deletion(-)

diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
index 9b55642..15245cf 100644
--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -51,7 +51,6 @@ static const struct dmi_system_id pci_use_crs_table[] __initconst = {
DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
DMI_MATCH(DMI_BOARD_NAME, "MS-7253"),
DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
- DMI_MATCH(DMI_BIOS_VERSION, "V1.6"),
},
},
{}

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Daniel Mack <zon...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 15439bde3af7ff88459ea2b5520b77312e958df2 upstream.

This fixes faulty outbount packets in case the inbound packets
received from the hardware are fragmented and contain bogus input
iso frames. The bug has been there for ages, but for some strange
reasons, it was only triggered by newer machines in 64bit mode.

Signed-off-by: Daniel Mack <zon...@gmail.com>
Reported-and-tested-by: William Light <w...@illest.net>
Reported-by: Pedro Ribeiro <ped...@gmail.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/usb/caiaq/audio.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c
index a184e91..75c8446 100644
--- a/sound/usb/caiaq/audio.c
+++ b/sound/usb/caiaq/audio.c
@@ -469,6 +469,7 @@ static void read_completed(struct urb *urb)
struct snd_usb_caiaqdev *dev;
struct urb *out;

int frame, len, send_it = 0, outframe = 0;

+ size_t offset = 0;

if (urb->status || !info)
return;
@@ -489,7 +490,8 @@ static void read_completed(struct urb *urb)
len = urb->iso_frame_desc[outframe].actual_length;
out->iso_frame_desc[outframe].length = len;
out->iso_frame_desc[outframe].actual_length = 0;
- out->iso_frame_desc[outframe].offset = BYTES_PER_FRAME * frame;
+ out->iso_frame_desc[outframe].offset = offset;
+ offset += len;

if (len > 0) {
spin_lock(&dev->spinlock);
@@ -505,7 +507,7 @@ static void read_completed(struct urb *urb)
}

if (send_it) {
- out->number_of_packets = FRAMES_PER_URB;
+ out->number_of_packets = outframe;

out->transfer_flags = URB_ISO_ASAP;
usb_submit_urb(out, GFP_ATOMIC);
}

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: "Jordan_...@Dell.com" <Jordan_...@Dell.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit e522a7126c7c144a1dd14c6f217ac31e71082b1d upstream.

The following patch sets the MaxPayload setting to match the parent
reading when inserting a PCIE card into a hotplug slot. On our system,
the upstream bridge is set to 256, but when inserting a card, the card
setting defaults to 128. As soon as I/O is performed to the card it
starts receiving errors since the payload size is too small.

Reviewed-by: Kenji Kaneshige <kaneshi...@jp.fujitsu.com>
Signed-off-by: Jordan Hargrave <jordan_...@dell.com>
Signed-off-by: Jesse Barnes <jba...@virtuousgeek.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/pci/hotplug/pcihp_slot.c | 45 ++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)

diff --git a/drivers/pci/hotplug/pcihp_slot.c b/drivers/pci/hotplug/pcihp_slot.c
index 80b461c..749fdf0 100644
--- a/drivers/pci/hotplug/pcihp_slot.c
+++ b/drivers/pci/hotplug/pcihp_slot.c
@@ -158,6 +158,47 @@ static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp)
*/
}

+/* Program PCIE MaxPayload setting on device: ensure parent maxpayload <= device */
+static int pci_set_payload(struct pci_dev *dev)
+{
+ int pos, ppos;
+ u16 pctl, psz;
+ u16 dctl, dsz, dcap, dmax;
+ struct pci_dev *parent;
+
+ parent = dev->bus->self;
+ pos = pci_find_capability(dev, PCI_CAP_ID_EXP);
+ if (!pos)
+ return 0;
+
+ /* Read Device MaxPayload capability and setting */
+ pci_read_config_word(dev, pos + PCI_EXP_DEVCTL, &dctl);
+ pci_read_config_word(dev, pos + PCI_EXP_DEVCAP, &dcap);
+ dsz = (dctl & PCI_EXP_DEVCTL_PAYLOAD) >> 5;
+ dmax = (dcap & PCI_EXP_DEVCAP_PAYLOAD);
+
+ /* Read Parent MaxPayload setting */
+ ppos = pci_find_capability(parent, PCI_CAP_ID_EXP);
+ if (!ppos)
+ return 0;
+ pci_read_config_word(parent, ppos + PCI_EXP_DEVCTL, &pctl);
+ psz = (pctl & PCI_EXP_DEVCTL_PAYLOAD) >> 5;
+
+ /* If parent payload > device max payload -> error
+ * If parent payload > device payload -> set speed
+ * If parent payload <= device payload -> do nothing
+ */
+ if (psz > dmax)
+ return -1;
+ else if (psz > dsz) {
+ dev_info(&dev->dev, "Setting MaxPayload to %d\n", 128 << psz);
+ pci_write_config_word(dev, pos + PCI_EXP_DEVCTL,
+ (dctl & ~PCI_EXP_DEVCTL_PAYLOAD) +
+ (psz << 5));
+ }
+ return 0;
+}
+
void pci_configure_slot(struct pci_dev *dev)
{
struct pci_dev *cdev;
@@ -169,6 +210,10 @@ void pci_configure_slot(struct pci_dev *dev)
(dev->class >> 8) == PCI_CLASS_BRIDGE_PCI)))
return;

+ ret = pci_set_payload(dev);
+ if (ret)
+ dev_warn(&dev->dev, "could not set device max payload\n");
+
memset(&hpp, 0, sizeof(hpp));
ret = pci_get_hp_params(dev, &hpp);
if (ret)

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Jonathan Nieder <jrni...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit aba8d056078e47350d85b06a9cabd5afcc4b72ea upstream.

In addition to /etc/perfconfig and $HOME/.perfconfig, perf looks for
configuration in the file ./config, imitating git which looks at
$GIT_DIR/config. If ./config is not a perf configuration file, it
fails, or worse, treats it as a configuration file and changes behavior
in some unexpected way.

"config" is not an unusual name for a file to be lying around and perf
does not have a private directory dedicated for its own use, so let's
just stop looking for configuration in the cwd. Callers needing
context-sensitive configuration can use the PERF_CONFIG environment
variable.

Requested-by: Christian Ohm <chr...@gmx.net>
Cc: 632...@bugs.debian.org
Cc: Ben Hutchings <b...@decadent.org.uk>
Cc: Christian Ohm <chr...@gmx.net>
Cc: Ingo Molnar <mi...@elte.hu>
Cc: Paul Mackerras <pau...@samba.org>
Cc: Peter Zijlstra <a.p.zi...@chello.nl>
Link: http://lkml.kernel.org/r/2011080516...@elie.gateway.2wire.net
Signed-off-by: Jonathan Nieder <jrni...@gmail.com>
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

tools/perf/util/config.c | 7 -------
1 file changed, 7 deletions(-)

diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c
index 8784649..1720d01 100644
--- a/tools/perf/util/config.c
+++ b/tools/perf/util/config.c
@@ -416,7 +416,6 @@ int perf_config_global(void)
int perf_config(config_fn_t fn, void *data)
{
int ret = 0, found = 0;
- char *repo_config = NULL;
const char *home = NULL;

/* Setting $PERF_CONFIG makes perf read _only_ the given config file. */
@@ -438,12 +437,6 @@ int perf_config(config_fn_t fn, void *data)
free(user_config);
}

- repo_config = perf_pathdup("config");
- if (!access(repo_config, R_OK)) {
- ret += perf_config_from_file(fn, repo_config, data);
- found += 1;
- }
- free(repo_config);
if (found == 0)
return -1;
return ret;

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Jonathan Nieder <jrni...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 8411371709610c826bf65684f886bfdfb5780ca1 upstream.

In the spirit of commit 29cf7a30f8a0 ("x86/PCI: use host bridge _CRS
info on ASUS M2V-MX SE"), this DMI quirk turns on "pci_use_crs" by
default on a board that needs it.

This fixes boot failures and oopses introduced in 3e3da00c01d0
("x86/pci: AMD one chain system to use pci read out res"). The quirk
is quite targetted (to a specific board and BIOS version) for two
reasons:

(1) to emphasize that this method of tackling the problem one quirk
at a time is a little insane

(2) to give BIOS vendors an opportunity to use simpler tables and
allow us to return to generic behavior (whatever that happens to
be) with a later BIOS update

In other words, I am not at all happy with having quirks like this.
But it is even worse for the kernel not to work out of the box on
these machines, so...

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=42619
Reported-by: Svante Signell <svante....@telia.com>
Signed-off-by: Jonathan Nieder <jrni...@gmail.com>
Signed-off-by: Bjorn Helgaas <bhel...@google.com>
Signed-off-by: Jesse Barnes <jba...@virtuousgeek.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/x86/pci/acpi.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
index 7743fb1..9b55642 100644
--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -43,6 +43,17 @@ static const struct dmi_system_id pci_use_crs_table[] __initconst = {
DMI_MATCH(DMI_PRODUCT_NAME, "ALiveSATA2-GLAN"),
},
},
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42619 */
+ {
+ .callback = set_use_crs,
+ .ident = "MSI MS-7253",
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
+ DMI_MATCH(DMI_BOARD_NAME, "MS-7253"),
+ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
+ DMI_MATCH(DMI_BIOS_VERSION, "V1.6"),
+ },
+ },
{}
};

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Hemant Pedanekar <hem...@ti.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 63c4408074cbcc070ac17fc10e524800eb9bd0b0 upstream.

TI816X (common name for DM816x/C6A816x/AM389x family) devices configured
to boot as PCIe Endpoint have class code = 0. This makes kernel PCI bus
code to skip allocating BARs to these devices resulting into following
type of error when trying to enable them:

"Device 0000:01:00.0 not available because of resource collisions"

The device cannot be operated because of the above issue.

This patch adds a ID specific (TI VENDOR ID and 816X DEVICE ID based)
'early' fixup quirk to replace class code with
PCI_CLASS_MULTIMEDIA_VIDEO as class.

Signed-off-by: Hemant Pedanekar <hem...@ti.com>

Signed-off-by: Jesse Barnes <jba...@virtuousgeek.org>
Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/pci/quirks.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index 46aca60..6938fdc 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -2682,6 +2682,16 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x342e, vtd_mask_spec_errors);
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x3c28, vtd_mask_spec_errors);
#endif

+static void __devinit fixup_ti816x_class(struct pci_dev* dev)
+{
+ /* TI 816x devices do not have class code set when in PCIe boot mode */
+ if (dev->class == PCI_CLASS_NOT_DEFINED) {
+ dev_info(&dev->dev, "Setting PCI class for 816x PCIe device\n");
+ dev->class = PCI_CLASS_MULTIMEDIA_VIDEO;
+ }
+}
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_TI, 0xb800, fixup_ti816x_class);
+
static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f,
struct pci_fixup *end)
{

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Robert Richter <robert....@amd.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit fe47ae7f53e179d2ef6771024feb000cbb86640f upstream.

The lockdep warning below detects a possible A->B/B->A locking
dependency of mm->mmap_sem and dcookie_mutex. The order in
sync_buffer() is mm->mmap_sem/dcookie_mutex, while in
sys_lookup_dcookie() it is vice versa.

Fixing it in sys_lookup_dcookie() by unlocking dcookie_mutex before
copy_to_user().

oprofiled/4432 is trying to acquire lock:
(&mm->mmap_sem){++++++}, at: [<ffffffff810b444b>] might_fault+0x53/0xa3

but task is already holding lock:
(dcookie_mutex){+.+.+.}, at: [<ffffffff81124d28>] sys_lookup_dcookie+0x45/0x149

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (dcookie_mutex){+.+.+.}:
[<ffffffff8106557f>] lock_acquire+0xf8/0x11e
[<ffffffff814634f0>] mutex_lock_nested+0x63/0x309
[<ffffffff81124e5c>] get_dcookie+0x30/0x144
[<ffffffffa0000fba>] sync_buffer+0x196/0x3ec [oprofile]
[<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile]
[<ffffffff81467b96>] notifier_call_chain+0x37/0x63
[<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67
[<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16
[<ffffffff8105a718>] profile_task_exit+0x1a/0x1c
[<ffffffff81039e8f>] do_exit+0x2a/0x6fc
[<ffffffff8103a5e4>] do_group_exit+0x83/0xae
[<ffffffff8103a626>] sys_exit_group+0x17/0x1b
[<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b

-> #0 (&mm->mmap_sem){++++++}:
[<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711
[<ffffffff8106557f>] lock_acquire+0xf8/0x11e
[<ffffffff810b4478>] might_fault+0x80/0xa3
[<ffffffff81124de7>] sys_lookup_dcookie+0x104/0x149
[<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b

other info that might help us debug this:

1 lock held by oprofiled/4432:
#0: (dcookie_mutex){+.+.+.}, at: [<ffffffff81124d28>] sys_lookup_dcookie+0x45/0x149

stack backtrace:
Pid: 4432, comm: oprofiled Not tainted 2.6.39-00008-ge5a450d #9
Call Trace:
[<ffffffff81063193>] print_circular_bug+0xae/0xbc
[<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711
[<ffffffff8102ef13>] ? get_parent_ip+0x11/0x42
[<ffffffff810b444b>] ? might_fault+0x53/0xa3
[<ffffffff8106557f>] lock_acquire+0xf8/0x11e
[<ffffffff810b444b>] ? might_fault+0x53/0xa3
[<ffffffff810d7d54>] ? path_put+0x22/0x27
[<ffffffff810b4478>] might_fault+0x80/0xa3
[<ffffffff810b444b>] ? might_fault+0x53/0xa3
[<ffffffff81124de7>] sys_lookup_dcookie+0x104/0x149
[<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b

References: https://bugzilla.kernel.org/show_bug.cgi?id=13809
Signed-off-by: Robert Richter <robert....@amd.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/dcookies.c | 3 +++

1 file changed, 3 insertions(+)

diff --git a/fs/dcookies.c b/fs/dcookies.c
index a21cabd..dda0dc7 100644
--- a/fs/dcookies.c
+++ b/fs/dcookies.c
@@ -178,6 +178,8 @@ SYSCALL_DEFINE(lookup_dcookie)(u64 cookie64, char __user * buf, size_t len)
/* FIXME: (deleted) ? */
path = d_path(&dcs->path, kbuf, PAGE_SIZE);

+ mutex_unlock(&dcookie_mutex);
+
if (IS_ERR(path)) {
err = PTR_ERR(path);
goto out_free;
@@ -194,6 +196,7 @@ SYSCALL_DEFINE(lookup_dcookie)(u64 cookie64, char __user * buf, size_t len)

out_free:
kfree(kbuf);
+ return err;
out:
mutex_unlock(&dcookie_mutex);
return err;

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: James Bottomley <James.B...@HansenPartnership.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit e73e079bf128d68284efedeba1fbbc18d78610f9 upstream.

In certain circumstances, we can get an oops from a torn down device.
Most notably this is from CD roms trying to call scsi_ioctl. The root
cause of the problem is the fact that after scsi_remove_device() has
been called, the queue is fully torn down. This is actually wrong
since the queue can be used until the sdev release function is called.
Therefore, we add an extra reference to the queue which is released in
sdev->release, so the queue always exists.

Reported-by: Parag Warudkar <parag...@gmail.com>
Signed-off-by: James Bottomley <jbott...@parallels.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/scsi/scsi_scan.c | 2 +-
drivers/scsi/scsi_sysfs.c | 1 +

2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 38518b0..91d1724 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -295,7 +295,7 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget,
kfree(sdev);
goto out;
}
-
+ blk_get_queue(sdev->request_queue);
sdev->request_queue->queuedata = sdev;
scsi_adjust_queue_depth(sdev, 0, sdev->host->cmd_per_lun);

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index ed3b52f..f01117e 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -319,6 +319,7 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work)
kfree(evt);
}

+ blk_put_queue(sdev->request_queue);
/* NULL queue means the device can't be used */
sdev->request_queue = NULL;

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Peter Zijlstra <a.p.zi...@chello.nl>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit f2513cde93f0957d5dc6c09bc24b0cccd27d8e1d upstream.

The main lock_is_held() user is lockdep_assert_held(), avoid false
assertions in lockdep_off() sections by unconditionally reporting the
lock is taken.

[ the reason this is important is a lockdep_assert_held() in ttwu()
which triggers a warning under lockdep_off() as in printk() which
can trigger another wakeup and lock up due to spinlock
recursion, as reported and heroically debugged by Arne Jansen ]

Reported-and-tested-by: Arne Jansen <li...@die-jansens.de>
Signed-off-by: Peter Zijlstra <a.p.zi...@chello.nl>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Link: http://lkml.kernel.org/r/1307398759.2497.966.camel@laptop
Signed-off-by: Ingo Molnar <mi...@elte.hu>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

kernel/lockdep.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/lockdep.c b/kernel/lockdep.c
index 2594e1c..1571452 100644
--- a/kernel/lockdep.c
+++ b/kernel/lockdep.c
@@ -3240,7 +3240,7 @@ int lock_is_held(struct lockdep_map *lock)
int ret = 0;

if (unlikely(current->lockdep_recursion))
- return ret;
+ return 1; /* avoid false negative lockdep_assert_held() */

raw_local_irq_save(flags);
check_flags(flags);

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Alan Cox <al...@linux.intel.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit d281da7ff6f70efca0553c288bb883e8605b3862 upstream.

Dan Rosenberg noted that various drivers return the struct with uncleared
fields. Instead of spending forever trying to stomp all the drivers that
get it wrong (and every new driver) do the job in one place.

This first patch adds the needed operations and hooks them up, including
the needed USB midlayer and serial core plumbing.

Signed-off-by: Alan Cox <al...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/char/tty_io.c | 21 +++++++++++++++++++++
drivers/serial/serial_core.c | 35 ++++++++++++++++-------------------
drivers/usb/serial/usb-serial.c | 13 +++++++++++++
include/linux/tty_driver.h | 9 +++++++++
include/linux/usb/serial.h | 2 ++
5 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index bc4f45d..9584289 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -96,6 +96,7 @@
#include <linux/bitops.h>
#include <linux/delay.h>
#include <linux/seq_file.h>
+#include <linux/serial.h>

#include <linux/uaccess.h>
#include <asm/system.h>
@@ -2457,6 +2458,20 @@ static int tty_tiocmset(struct tty_struct *tty, struct file *file, unsigned int
return tty->ops->tiocmset(tty, file, set, clear);
}

+static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)
+{
+ int retval = -EINVAL;
+ struct serial_icounter_struct icount;
+ memset(&icount, 0, sizeof(icount));
+ if (tty->ops->get_icount)
+ retval = tty->ops->get_icount(tty, &icount);
+ if (retval != 0)
+ return retval;
+ if (copy_to_user(arg, &icount, sizeof(icount)))
+ return -EFAULT;

+ return 0;
+}
+

struct tty_struct *tty_pair_get_tty(struct tty_struct *tty)
{
if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
@@ -2577,6 +2592,12 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
case TIOCMBIC:
case TIOCMBIS:
return tty_tiocmset(tty, file, cmd, p);
+ case TIOCGICOUNT:
+ retval = tty_tiocgicount(tty, p);
+ /* For the moment allow fall through to the old method */
+ if (retval != -EINVAL)
+ return retval;
+ break;
case TCFLSH:
switch (arg) {
case TCIFLUSH:
diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
index 7f28307..232e2bb 100644
--- a/drivers/serial/serial_core.c
+++ b/drivers/serial/serial_core.c
@@ -1074,10 +1074,10 @@ uart_wait_modem_status(struct uart_state *state, unsigned long arg)
* NB: both 1->0 and 0->1 transitions are counted except for
* RI where only 0->1 is counted.
*/
-static int uart_get_count(struct uart_state *state,
- struct serial_icounter_struct __user *icnt)
+static int uart_get_icount(struct tty_struct *tty,
+ struct serial_icounter_struct *icount)
{
- struct serial_icounter_struct icount;
+ struct uart_state *state = tty->driver_data;
struct uart_icount cnow;
struct uart_port *uport = state->uart_port;

@@ -1085,19 +1085,19 @@ static int uart_get_count(struct uart_state *state,
memcpy(&cnow, &uport->icount, sizeof(struct uart_icount));
spin_unlock_irq(&uport->lock);

- icount.cts = cnow.cts;
- icount.dsr = cnow.dsr;
- icount.rng = cnow.rng;
- icount.dcd = cnow.dcd;
- icount.rx = cnow.rx;
- icount.tx = cnow.tx;
- icount.frame = cnow.frame;
- icount.overrun = cnow.overrun;
- icount.parity = cnow.parity;
- icount.brk = cnow.brk;
- icount.buf_overrun = cnow.buf_overrun;
+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

- return copy_to_user(icnt, &icount, sizeof(icount)) ? -EFAULT : 0;
+ return 0;
}

/*
@@ -1150,10 +1150,6 @@ uart_ioctl(struct tty_struct *tty, struct file *filp, unsigned int cmd,
case TIOCMIWAIT:
ret = uart_wait_modem_status(state, arg);
break;
-
- case TIOCGICOUNT:
- ret = uart_get_count(state, uarg);
- break;
}

if (ret != -ENOIOCTLCMD)
@@ -2305,6 +2301,7 @@ static const struct tty_operations uart_ops = {
#endif
.tiocmget = uart_tiocmget,
.tiocmset = uart_tiocmset,
+ .get_icount = uart_get_icount,
#ifdef CONFIG_CONSOLE_POLL
.poll_init = uart_poll_init,
.poll_get_char = uart_poll_get_char,
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 3873660..b40884a 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -519,6 +519,18 @@ static int serial_tiocmset(struct tty_struct *tty, struct file *file,
return -EINVAL;
}

+static int serial_get_icount(struct tty_struct *tty,
+ struct serial_icounter_struct *icount)
+{
+ struct usb_serial_port *port = tty->driver_data;
+
+ dbg("%s - port %d", __func__, port->number);
+
+ if (port->serial->type->get_icount)
+ return port->serial->type->get_icount(tty, icount);
+ return -EINVAL;
+}
+
/*
* We would be calling tty_wakeup here, but unfortunately some line
* disciplines have an annoying habit of calling tty->write from
@@ -1171,6 +1183,7 @@ static const struct tty_operations serial_ops = {
.chars_in_buffer = serial_chars_in_buffer,
.tiocmget = serial_tiocmget,
.tiocmset = serial_tiocmset,
+ .get_icount = serial_get_icount,
.cleanup = serial_cleanup,
.install = serial_install,
.proc_fops = &serial_proc_fops,
diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
index b086779..db2d227 100644
--- a/include/linux/tty_driver.h
+++ b/include/linux/tty_driver.h
@@ -224,6 +224,12 @@
* unless the tty also has a valid tty->termiox pointer.
*
* Optional: Called under the termios lock
+ *
+ * int (*get_icount)(struct tty_struct *tty, struct serial_icounter *icount);
+ *
+ * Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel
+ * structure to complete. This method is optional and will only be called
+ * if provided (otherwise EINVAL will be returned).
*/

#include <linux/fs.h>
@@ -232,6 +238,7 @@

struct tty_struct;
struct tty_driver;
+struct serial_icounter_struct;

struct tty_operations {
struct tty_struct * (*lookup)(struct tty_driver *driver,
@@ -268,6 +275,8 @@ struct tty_operations {
unsigned int set, unsigned int clear);
int (*resize)(struct tty_struct *tty, struct winsize *ws);
int (*set_termiox)(struct tty_struct *tty, struct termiox *tnew);
+ int (*get_icount)(struct tty_struct *tty,
+ struct serial_icounter_struct *icount);
#ifdef CONFIG_CONSOLE_POLL
int (*poll_init)(struct tty_driver *driver, int line, char *options);
int (*poll_get_char)(struct tty_driver *driver, int line);
diff --git a/include/linux/usb/serial.h b/include/linux/usb/serial.h
index 453ab95..71d491f 100644
--- a/include/linux/usb/serial.h
+++ b/include/linux/usb/serial.h
@@ -257,6 +257,8 @@ struct usb_serial_driver {
int (*tiocmget)(struct tty_struct *tty, struct file *file);
int (*tiocmset)(struct tty_struct *tty, struct file *file,
unsigned int set, unsigned int clear);
+ int (*get_icount)(struct tty_struct *tty,
+ struct serial_icounter_struct *icount);
/* Called by the tty layer for port level work. There may or may not
be an attached tty at this point */
void (*dtr_rts)(struct usb_serial_port *port, int on);

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Luciano Coelho <coe...@ti.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 upstream.

In both trigger_scan and sched_scan operations, we were checking for
the SSID length before assigning the value correctly. Since the
memory was just kzalloc'ed, the check was always failing and SSID with
over 32 characters were allowed to go through.

This was causing a buffer overflow when copying the actual SSID to the
proper place.

This bug has been there since 2.6.29-rc4.

[PG: 34 codebase does not have nl80211_start_sched_scan part]

Signed-off-by: Luciano Coelho <coe...@ti.com>
Signed-off-by: John W. Linville <linv...@tuxdriver.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

net/wireless/nl80211.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 030cf15..0ba104f 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3072,12 +3072,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
i = 0;
if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+ request->ssids[i].ssid_len = nla_len(attr);
if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
err = -EINVAL;
goto out_free;
}
memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
- request->ssids[i].ssid_len = nla_len(attr);
i++;

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Clemens Ladisch <cle...@ladisch.de>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit f982f91516fa4cfd9d20518833cd04ad714585be upstream.

Commit db64fe02258f ("mm: rewrite vmap layer") introduced code that does
address calculations under the assumption that VMAP_BLOCK_SIZE is a
power of two. However, this might not be true if CONFIG_NR_CPUS is not
set to a power of two.

Wrong vmap_block index/offset values could lead to memory corruption.
However, this has never been observed in practice (or never been
diagnosed correctly); what caught this was the BUG_ON in vb_alloc() that
checks for inconsistent vmap_block indices.

To fix this, ensure that VMAP_BLOCK_SIZE always is a power of two.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=31572
Reported-by: Pavel Kysilka <golde...@linuxsoft.cz>
Reported-by: Matias A. Fonzo <se...@dragora.org>
Signed-off-by: Clemens Ladisch <cle...@ladisch.de>
Signed-off-by: Stefan Richter <ste...@s5r6.in-berlin.de>
Cc: Nick Piggin <npi...@suse.de>
Cc: Jeremy Fitzhardinge <jer...@goop.org>
Cc: Krzysztof Helt <krzysz...@poczta.fm>
Cc: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

mm/vmalloc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 20a402c..d44abdd 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -671,9 +671,10 @@ static void free_unmap_vmap_area_addr(unsigned long addr)
#define VMAP_BBMAP_BITS_MIN (VMAP_MAX_ALLOC*2)
#define VMAP_MIN(x, y) ((x) < (y) ? (x) : (y)) /* can't use min() */
#define VMAP_MAX(x, y) ((x) > (y) ? (x) : (y)) /* can't use max() */
-#define VMAP_BBMAP_BITS VMAP_MIN(VMAP_BBMAP_BITS_MAX, \
- VMAP_MAX(VMAP_BBMAP_BITS_MIN, \
- VMALLOC_PAGES / NR_CPUS / 16))
+#define VMAP_BBMAP_BITS \
+ VMAP_MIN(VMAP_BBMAP_BITS_MAX, \
+ VMAP_MAX(VMAP_BBMAP_BITS_MIN, \
+ VMALLOC_PAGES / roundup_pow_of_two(NR_CPUS) / 16))

#define VMAP_BLOCK_SIZE (VMAP_BBMAP_BITS * PAGE_SIZE)

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Alan Cox <al...@linux.intel.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 0587102cf9f427c185bfdeb2cef41e13ee0264b1 upstream.

Again basically cut and paste

Convert the main driver set to use the hooks for GICOUNT

Signed-off-by: Alan Cox <al...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/ia64/hp/sim/simserial.c | 12 +-----
drivers/char/amiserial.c | 56 +++++++++++++++-------------
drivers/char/cyclades.c | 49 +++++++++++++------------
drivers/char/ip2/ip2main.c | 72 +++++++++++++++++++++---------------
drivers/char/mxser.c | 62 +++++++++++++++++--------------
drivers/char/nozomi.c | 37 +++++++++----------
drivers/char/pcmcia/synclink_cs.c | 60 ++++++++++++++----------------
drivers/char/synclink.c | 73 +++++++++++++++++--------------------
drivers/char/synclink_gt.c | 56 ++++++++++++++--------------
drivers/char/synclinkmp.c | 61 ++++++++++++++-----------------
drivers/serial/68360serial.c | 51 +++++++++++++-------------
net/bluetooth/rfcomm/tty.c | 4 --
12 files changed, 297 insertions(+), 296 deletions(-)

diff --git a/arch/ia64/hp/sim/simserial.c b/arch/ia64/hp/sim/simserial.c
index 2bef526..204f650 100644
--- a/arch/ia64/hp/sim/simserial.c
+++ b/arch/ia64/hp/sim/simserial.c
@@ -395,7 +395,7 @@ static int rs_ioctl(struct tty_struct *tty, struct file * file,
{
if ((cmd != TIOCGSERIAL) && (cmd != TIOCSSERIAL) &&
(cmd != TIOCSERCONFIG) && (cmd != TIOCSERGSTRUCT) &&
- (cmd != TIOCMIWAIT) && (cmd != TIOCGICOUNT)) {
+ (cmd != TIOCMIWAIT)) {
if (tty->flags & (1 << TTY_IO_ERROR))
return -EIO;
}
@@ -433,16 +433,6 @@ static int rs_ioctl(struct tty_struct *tty, struct file * file,
case TIOCMIWAIT:
printk(KERN_INFO "rs_ioctl: TIOCMIWAIT: called\n");
return 0;
- /*
- * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
- * Return: write counters to the user passed counter struct
- * NB: both 1->0 and 0->1 transitions are counted except for
- * RI where only 0->1 is counted.
- */
- case TIOCGICOUNT:
- printk(KERN_INFO "rs_ioctl: TIOCGICOUNT called\n");
- return 0;
-
case TIOCSERGWILD:
case TIOCSERSWILD:
/* "setserial -W" is called in Debian boot */
diff --git a/drivers/char/amiserial.c b/drivers/char/amiserial.c
index 56b2767..2a2991c 100644
--- a/drivers/char/amiserial.c
+++ b/drivers/char/amiserial.c
@@ -1262,6 +1262,36 @@ static int rs_break(struct tty_struct *tty, int break_state)
return 0;
}

+/*
+ * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
+ * Return: write counters to the user passed counter struct
+ * NB: both 1->0 and 0->1 transitions are counted except for
+ * RI where only 0->1 is counted.
+ */
+static int rs_get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+{

+ struct async_struct *info = tty->driver_data;
+ struct async_icount cnow;
+ unsigned long flags;
+
+ local_irq_save(flags);
+ cnow = info->state->icount;
+ local_irq_restore(flags);

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+
+ return 0;
+}

static int rs_ioctl(struct tty_struct *tty, struct file * file,

unsigned int cmd, unsigned long arg)

@@ -1331,31 +1361,6 @@ static int rs_ioctl(struct tty_struct *tty, struct file * file,
}
/* NOTREACHED */

- /*
- * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
- * Return: write counters to the user passed counter struct
- * NB: both 1->0 and 0->1 transitions are counted except for
- * RI where only 0->1 is counted.
- */
- case TIOCGICOUNT:
- local_irq_save(flags);
- cnow = info->state->icount;
- local_irq_restore(flags);

- icount.cts = cnow.cts;
- icount.dsr = cnow.dsr;
- icount.rng = cnow.rng;
- icount.dcd = cnow.dcd;
- icount.rx = cnow.rx;
- icount.tx = cnow.tx;
- icount.frame = cnow.frame;
- icount.overrun = cnow.overrun;
- icount.parity = cnow.parity;
- icount.brk = cnow.brk;
- icount.buf_overrun = cnow.buf_overrun;

-
- if (copy_to_user(argp, &icount, sizeof(icount)))
- return -EFAULT;
- return 0;
case TIOCSERGWILD:
case TIOCSERSWILD:
/* "setserial -W" is called in Debian boot */
@@ -1948,6 +1953,7 @@ static const struct tty_operations serial_ops = {
.wait_until_sent = rs_wait_until_sent,
.tiocmget = rs_tiocmget,
.tiocmset = rs_tiocmset,
+ .get_icount = rs_get_icount,
.proc_fops = &rs_proc_fops,
};

diff --git a/drivers/char/cyclades.c b/drivers/char/cyclades.c
index 9824b416..2364df8 100644
--- a/drivers/char/cyclades.c
+++ b/drivers/char/cyclades.c
@@ -2791,29 +2791,6 @@ cy_ioctl(struct tty_struct *tty, struct file *file,

* NB: both 1->0 and 0->1 transitions are counted except for
* RI where only 0->1 is counted.
*/

- case TIOCGICOUNT: {
- struct serial_icounter_struct sic = { };
-
- spin_lock_irqsave(&info->card->card_lock, flags);
- cnow = info->icount;
- spin_unlock_irqrestore(&info->card->card_lock, flags);
-
- sic.cts = cnow.cts;
- sic.dsr = cnow.dsr;
- sic.rng = cnow.rng;
- sic.dcd = cnow.dcd;
- sic.rx = cnow.rx;
- sic.tx = cnow.tx;
- sic.frame = cnow.frame;
- sic.overrun = cnow.overrun;
- sic.parity = cnow.parity;
- sic.brk = cnow.brk;
- sic.buf_overrun = cnow.buf_overrun;
-
- if (copy_to_user(argp, &sic, sizeof(sic)))
- ret_val = -EFAULT;
- break;
- }
default:
ret_val = -ENOIOCTLCMD;
}
@@ -2825,6 +2802,31 @@ cy_ioctl(struct tty_struct *tty, struct file *file,
return ret_val;
} /* cy_ioctl */

+static int cy_get_icount(struct tty_struct *tty,
+ struct serial_icounter_struct *sic)
+{
+ struct cyclades_port *info = tty->driver_data;
+ struct cyclades_icount cnow; /* Used to snapshot */
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->card->card_lock, flags);
+ cnow = info->icount;
+ spin_unlock_irqrestore(&info->card->card_lock, flags);
+
+ sic->cts = cnow.cts;
+ sic->dsr = cnow.dsr;
+ sic->rng = cnow.rng;
+ sic->dcd = cnow.dcd;
+ sic->rx = cnow.rx;
+ sic->tx = cnow.tx;
+ sic->frame = cnow.frame;
+ sic->overrun = cnow.overrun;
+ sic->parity = cnow.parity;
+ sic->brk = cnow.brk;
+ sic->buf_overrun = cnow.buf_overrun;

+ return 0;
+}
+

/*
* This routine allows the tty driver to be notified when
* device's termios settings have changed. Note that a
@@ -4086,6 +4088,7 @@ static const struct tty_operations cy_ops = {
.wait_until_sent = cy_wait_until_sent,
.tiocmget = cy_tiocmget,
.tiocmset = cy_tiocmset,
+ .get_icount = cy_get_icount,
.proc_fops = &cyclades_proc_fops,
};

diff --git a/drivers/char/ip2/ip2main.c b/drivers/char/ip2/ip2main.c
index 911e1da..c0f864c 100644
--- a/drivers/char/ip2/ip2main.c
+++ b/drivers/char/ip2/ip2main.c
@@ -183,6 +183,8 @@ static void ip2_hangup(PTTY);
static int ip2_tiocmget(struct tty_struct *tty, struct file *file);
static int ip2_tiocmset(struct tty_struct *tty, struct file *file,

unsigned int set, unsigned int clear);

+static int ip2_get_icount(struct tty_struct *tty,
+ struct serial_icounter_struct *icount);

static void set_irq(int, int);
static void ip2_interrupt_bh(struct work_struct *work);
@@ -454,6 +456,7 @@ static const struct tty_operations ip2_ops = {
.hangup = ip2_hangup,
.tiocmget = ip2_tiocmget,
.tiocmset = ip2_tiocmset,
+ .get_icount = ip2_get_icount,
.proc_fops = &ip2_proc_fops,
};

@@ -2124,7 +2127,6 @@ ip2_ioctl ( PTTY tty, struct file *pFile, UINT cmd, ULONG arg )
i2ChanStrPtr pCh = DevTable[tty->index];
i2eBordStrPtr pB;
struct async_icount cprev, cnow; /* kernel counter temps */
- struct serial_icounter_struct __user *p_cuser;
int rc = 0;
unsigned long flags;

void __user *argp = (void __user *)arg;

@@ -2293,34 +2295,6 @@ ip2_ioctl ( PTTY tty, struct file *pFile, UINT cmd, ULONG arg )
break;

/*
- * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
- * Return: write counters to the user passed counter struct
- * NB: both 1->0 and 0->1 transitions are counted except for RI where
- * only 0->1 is counted. The controller is quite capable of counting
- * both, but this done to preserve compatibility with the standard
- * serial driver.
- */
- case TIOCGICOUNT:
- ip2trace (CHANN, ITRC_IOCTL, 11, 1, rc );
-
- write_lock_irqsave(&pB->read_fifo_spinlock, flags);
- cnow = pCh->icount;
- write_unlock_irqrestore(&pB->read_fifo_spinlock, flags);
- p_cuser = argp;
- rc = put_user(cnow.cts, &p_cuser->cts);
- rc = put_user(cnow.dsr, &p_cuser->dsr);
- rc = put_user(cnow.rng, &p_cuser->rng);
- rc = put_user(cnow.dcd, &p_cuser->dcd);
- rc = put_user(cnow.rx, &p_cuser->rx);
- rc = put_user(cnow.tx, &p_cuser->tx);
- rc = put_user(cnow.frame, &p_cuser->frame);
- rc = put_user(cnow.overrun, &p_cuser->overrun);
- rc = put_user(cnow.parity, &p_cuser->parity);
- rc = put_user(cnow.brk, &p_cuser->brk);
- rc = put_user(cnow.buf_overrun, &p_cuser->buf_overrun);
- break;
-
- /*
* The rest are not supported by this driver. By returning -ENOIOCTLCMD they
* will be passed to the line discipline for it to handle.
*/
@@ -2344,6 +2318,46 @@ ip2_ioctl ( PTTY tty, struct file *pFile, UINT cmd, ULONG arg )
return rc;
}

+static int ip2_get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+{

+ i2ChanStrPtr pCh = DevTable[tty->index];
+ i2eBordStrPtr pB;
+ struct async_icount cnow; /* kernel counter temp */
+ unsigned long flags;
+
+ if ( pCh == NULL )
+ return -ENODEV;
+
+ pB = pCh->pMyBord;
+
+ /*
+ * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
+ * Return: write counters to the user passed counter struct
+ * NB: both 1->0 and 0->1 transitions are counted except for RI where
+ * only 0->1 is counted. The controller is quite capable of counting
+ * both, but this done to preserve compatibility with the standard
+ * serial driver.
+ */
+
+ write_lock_irqsave(&pB->read_fifo_spinlock, flags);
+ cnow = pCh->icount;
+ write_unlock_irqrestore(&pB->read_fifo_spinlock, flags);
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+ return 0;
+}
+

/******************************************************************************/
/* Function: GetSerialInfo() */
/* Parameters: Pointer to channel structure */
diff --git a/drivers/char/mxser.c b/drivers/char/mxser.c
index d2692d4..65aeae8 100644
--- a/drivers/char/mxser.c
+++ b/drivers/char/mxser.c
@@ -1700,7 +1700,7 @@ static int mxser_ioctl(struct tty_struct *tty, struct file *file,
return 0;
}

- if (cmd != TIOCGSERIAL && cmd != TIOCMIWAIT && cmd != TIOCGICOUNT &&
+ if (cmd != TIOCGSERIAL && cmd != TIOCMIWAIT &&
test_bit(TTY_IO_ERROR, &tty->flags))
return -EIO;

@@ -1730,32 +1730,6 @@ static int mxser_ioctl(struct tty_struct *tty, struct file *file,

return wait_event_interruptible(info->port.delta_msr_wait,
mxser_cflags_changed(info, arg, &cnow));
- /*
- * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
- * Return: write counters to the user passed counter struct
- * NB: both 1->0 and 0->1 transitions are counted except for
- * RI where only 0->1 is counted.
- */
- case TIOCGICOUNT: {
- struct serial_icounter_struct icnt = { 0 };
- spin_lock_irqsave(&info->slock, flags);
- cnow = info->icount;
- spin_unlock_irqrestore(&info->slock, flags);
-
- icnt.frame = cnow.frame;
- icnt.brk = cnow.brk;
- icnt.overrun = cnow.overrun;
- icnt.buf_overrun = cnow.buf_overrun;
- icnt.parity = cnow.parity;
- icnt.rx = cnow.rx;
- icnt.tx = cnow.tx;
- icnt.cts = cnow.cts;
- icnt.dsr = cnow.dsr;
- icnt.rng = cnow.rng;
- icnt.dcd = cnow.dcd;
-
- return copy_to_user(argp, &icnt, sizeof(icnt)) ? -EFAULT : 0;
- }
case MOXA_HighSpeedOn:
return put_user(info->baud_base != 115200 ? 1 : 0, (int __user *)argp);
case MOXA_SDS_RSTICOUNTER:
@@ -1828,6 +1802,39 @@ static int mxser_ioctl(struct tty_struct *tty, struct file *file,
return 0;
}

+ /*
+ * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
+ * Return: write counters to the user passed counter struct
+ * NB: both 1->0 and 0->1 transitions are counted except for
+ * RI where only 0->1 is counted.
+ */
+
+static int mxser_get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+

+{
+ struct mxser_port *info = tty->driver_data;
+ struct async_icount cnow;
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->slock, flags);
+ cnow = info->icount;
+ spin_unlock_irqrestore(&info->slock, flags);
+

+ icount->frame = cnow.frame;

+ icount->brk = cnow.brk;

+ icount->overrun = cnow.overrun;

+ icount->buf_overrun = cnow.buf_overrun;

+ icount->parity = cnow.parity;

+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;

+ return 0;
+}
+
static void mxser_stoprx(struct tty_struct *tty)
{
struct mxser_port *info = tty->driver_data;
@@ -2326,6 +2333,7 @@ static const struct tty_operations mxser_ops = {
.wait_until_sent = mxser_wait_until_sent,
.tiocmget = mxser_tiocmget,
.tiocmset = mxser_tiocmset,
+ .get_icount = mxser_get_icount,
};

struct tty_port_operations mxser_port_ops = {
diff --git a/drivers/char/nozomi.c b/drivers/char/nozomi.c
index 18af923..0924435 100644
--- a/drivers/char/nozomi.c
+++ b/drivers/char/nozomi.c
@@ -1805,24 +1805,24 @@ static int ntty_cflags_changed(struct port *port, unsigned long flags,
return ret;
}

-static int ntty_ioctl_tiocgicount(struct port *port, void __user *argp)
+static int ntty_tiocgicount(struct tty_struct *tty,
+ struct serial_icounter_struct *icount)
{
+ struct port *port = tty->driver_data;
const struct async_icount cnow = port->tty_icount;
- struct serial_icounter_struct icount;
-

- icount.cts = cnow.cts;
- icount.dsr = cnow.dsr;
- icount.rng = cnow.rng;
- icount.dcd = cnow.dcd;
- icount.rx = cnow.rx;
- icount.tx = cnow.tx;
- icount.frame = cnow.frame;
- icount.overrun = cnow.overrun;
- icount.parity = cnow.parity;
- icount.brk = cnow.brk;
- icount.buf_overrun = cnow.buf_overrun;

-
- return copy_to_user(argp, &icount, sizeof(icount)) ? -EFAULT : 0;
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+ return 0;
}

static int ntty_ioctl(struct tty_struct *tty, struct file *file,
@@ -1841,9 +1841,7 @@ static int ntty_ioctl(struct tty_struct *tty, struct file *file,
rval = wait_event_interruptible(port->tty_wait,
ntty_cflags_changed(port, arg, &cprev));
break;
- } case TIOCGICOUNT:
- rval = ntty_ioctl_tiocgicount(port, argp);
- break;
+ }
default:
DBG1("ERR: 0x%08X, %d", cmd, cmd);
break;
@@ -1923,6 +1921,7 @@ static const struct tty_operations tty_ops = {
.chars_in_buffer = ntty_chars_in_buffer,
.tiocmget = ntty_tiocmget,
.tiocmset = ntty_tiocmset,
+ .get_icount = ntty_tiocgicount,
.install = ntty_install,
.cleanup = ntty_cleanup,
};
diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c
index 1165503..efa810e 100644
--- a/drivers/char/pcmcia/synclink_cs.c
+++ b/drivers/char/pcmcia/synclink_cs.c
@@ -2232,6 +2232,32 @@ static int mgslpc_break(struct tty_struct *tty, int break_state)
return 0;
}

+static int mgslpc_get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+{

+ MGSLPC_INFO * info = (MGSLPC_INFO *)tty->driver_data;
+ struct mgsl_icount cnow; /* kernel counter temps */
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->lock,flags);
+ cnow = info->icount;
+ spin_unlock_irqrestore(&info->lock,flags);
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+

+ return 0;
+}
+

/* Service an IOCTL request
*
* Arguments:
@@ -2247,11 +2273,7 @@ static int mgslpc_ioctl(struct tty_struct *tty, struct file * file,

unsigned int cmd, unsigned long arg)

{
MGSLPC_INFO * info = (MGSLPC_INFO *)tty->driver_data;
- int error;
- struct mgsl_icount cnow; /* kernel counter temps */
- struct serial_icounter_struct __user *p_cuser; /* user space */

void __user *argp = (void __user *)arg;

- unsigned long flags;

if (debug_level >= DEBUG_LEVEL_INFO)
printk("%s(%d):mgslpc_ioctl %s cmd=%08X\n", __FILE__,__LINE__,
@@ -2261,7 +2283,7 @@ static int mgslpc_ioctl(struct tty_struct *tty, struct file * file,
return -ENODEV;

if ((cmd != TIOCGSERIAL) && (cmd != TIOCSSERIAL) &&
- (cmd != TIOCMIWAIT) && (cmd != TIOCGICOUNT)) {
+ (cmd != TIOCMIWAIT)) {
if (tty->flags & (1 << TTY_IO_ERROR))
return -EIO;
}
@@ -2291,34 +2313,6 @@ static int mgslpc_ioctl(struct tty_struct *tty, struct file * file,
return wait_events(info, argp);
case TIOCMIWAIT:
return modem_input_wait(info,(int)arg);
- case TIOCGICOUNT:
- spin_lock_irqsave(&info->lock,flags);
- cnow = info->icount;
- spin_unlock_irqrestore(&info->lock,flags);
- p_cuser = argp;
- PUT_USER(error,cnow.cts, &p_cuser->cts);
- if (error) return error;
- PUT_USER(error,cnow.dsr, &p_cuser->dsr);
- if (error) return error;
- PUT_USER(error,cnow.rng, &p_cuser->rng);
- if (error) return error;
- PUT_USER(error,cnow.dcd, &p_cuser->dcd);
- if (error) return error;
- PUT_USER(error,cnow.rx, &p_cuser->rx);
- if (error) return error;
- PUT_USER(error,cnow.tx, &p_cuser->tx);
- if (error) return error;
- PUT_USER(error,cnow.frame, &p_cuser->frame);
- if (error) return error;
- PUT_USER(error,cnow.overrun, &p_cuser->overrun);
- if (error) return error;
- PUT_USER(error,cnow.parity, &p_cuser->parity);
- if (error) return error;
- PUT_USER(error,cnow.brk, &p_cuser->brk);
- if (error) return error;
- PUT_USER(error,cnow.buf_overrun, &p_cuser->buf_overrun);
- if (error) return error;
- return 0;
default:
return -ENOIOCTLCMD;
}
diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
index 0658fc5..9970aca 100644
--- a/drivers/char/synclink.c
+++ b/drivers/char/synclink.c
@@ -2920,6 +2920,38 @@ static int mgsl_break(struct tty_struct *tty, int break_state)

} /* end of mgsl_break() */

+/*
+ * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
+ * Return: write counters to the user passed counter struct
+ * NB: both 1->0 and 0->1 transitions are counted except for
+ * RI where only 0->1 is counted.
+ */
+static int msgl_get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+

+{
+ struct mgsl_struct * info = tty->driver_data;
+ struct mgsl_icount cnow; /* kernel counter temps */
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->irq_spinlock,flags);
+ cnow = info->icount;
+ spin_unlock_irqrestore(&info->irq_spinlock,flags);
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+ return 0;
+}
+

/* mgsl_ioctl() Service an IOCTL request
*
* Arguments:
@@ -2945,7 +2977,7 @@ static int mgsl_ioctl(struct tty_struct *tty, struct file * file,
return -ENODEV;

if ((cmd != TIOCGSERIAL) && (cmd != TIOCSSERIAL) &&
- (cmd != TIOCMIWAIT) && (cmd != TIOCGICOUNT)) {
+ (cmd != TIOCMIWAIT)) {
if (tty->flags & (1 << TTY_IO_ERROR))
return -EIO;
}
@@ -2958,11 +2990,7 @@ static int mgsl_ioctl(struct tty_struct *tty, struct file * file,

static int mgsl_ioctl_common(struct mgsl_struct *info, unsigned int cmd, unsigned long arg)
{
- int error;
- struct mgsl_icount cnow; /* kernel counter temps */

void __user *argp = (void __user *)arg;

- struct serial_icounter_struct __user *p_cuser; /* user space */
- unsigned long flags;

switch (cmd) {
case MGSL_IOCGPARAMS:
@@ -2991,40 +3019,6 @@ static int mgsl_ioctl_common(struct mgsl_struct *info, unsigned int cmd, unsigne
case TIOCMIWAIT:
return modem_input_wait(info,(int)arg);

- /*
- * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
- * Return: write counters to the user passed counter struct
- * NB: both 1->0 and 0->1 transitions are counted except for
- * RI where only 0->1 is counted.
- */
- case TIOCGICOUNT:
- spin_lock_irqsave(&info->irq_spinlock,flags);
- cnow = info->icount;
- spin_unlock_irqrestore(&info->irq_spinlock,flags);
- p_cuser = argp;
- PUT_USER(error,cnow.cts, &p_cuser->cts);
- if (error) return error;
- PUT_USER(error,cnow.dsr, &p_cuser->dsr);
- if (error) return error;
- PUT_USER(error,cnow.rng, &p_cuser->rng);
- if (error) return error;
- PUT_USER(error,cnow.dcd, &p_cuser->dcd);
- if (error) return error;
- PUT_USER(error,cnow.rx, &p_cuser->rx);
- if (error) return error;
- PUT_USER(error,cnow.tx, &p_cuser->tx);
- if (error) return error;
- PUT_USER(error,cnow.frame, &p_cuser->frame);
- if (error) return error;
- PUT_USER(error,cnow.overrun, &p_cuser->overrun);
- if (error) return error;
- PUT_USER(error,cnow.parity, &p_cuser->parity);
- if (error) return error;
- PUT_USER(error,cnow.brk, &p_cuser->brk);
- if (error) return error;
- PUT_USER(error,cnow.buf_overrun, &p_cuser->buf_overrun);
- if (error) return error;
- return 0;
default:
return -ENOIOCTLCMD;
}
@@ -4325,6 +4319,7 @@ static const struct tty_operations mgsl_ops = {
.hangup = mgsl_hangup,
.tiocmget = tiocmget,
.tiocmset = tiocmset,
+ .get_icount = msgl_get_icount,
.proc_fops = &mgsl_proc_fops,
};

diff --git a/drivers/char/synclink_gt.c b/drivers/char/synclink_gt.c
index 4561ce2..54fa0ee 100644
--- a/drivers/char/synclink_gt.c
+++ b/drivers/char/synclink_gt.c
@@ -1025,9 +1025,6 @@ static int ioctl(struct tty_struct *tty, struct file *file,

unsigned int cmd, unsigned long arg)
{

struct slgt_info *info = tty->driver_data;
- struct mgsl_icount cnow; /* kernel counter temps */
- struct serial_icounter_struct __user *p_cuser; /* user space */
- unsigned long flags;

void __user *argp = (void __user *)arg;

int ret;

@@ -1036,7 +1033,7 @@ static int ioctl(struct tty_struct *tty, struct file *file,
DBGINFO(("%s ioctl() cmd=%08X\n", info->device_name, cmd));

if ((cmd != TIOCGSERIAL) && (cmd != TIOCSSERIAL) &&
- (cmd != TIOCMIWAIT) && (cmd != TIOCGICOUNT)) {
+ (cmd != TIOCMIWAIT)) {
if (tty->flags & (1 << TTY_IO_ERROR))
return -EIO;
}
@@ -1089,25 +1086,6 @@ static int ioctl(struct tty_struct *tty, struct file *file,
case MGSL_IOCWAITGPIO:
ret = wait_gpio(info, argp);
break;
- case TIOCGICOUNT:
- spin_lock_irqsave(&info->lock,flags);
- cnow = info->icount;
- spin_unlock_irqrestore(&info->lock,flags);
- p_cuser = argp;
- if (put_user(cnow.cts, &p_cuser->cts) ||
- put_user(cnow.dsr, &p_cuser->dsr) ||
- put_user(cnow.rng, &p_cuser->rng) ||
- put_user(cnow.dcd, &p_cuser->dcd) ||
- put_user(cnow.rx, &p_cuser->rx) ||
- put_user(cnow.tx, &p_cuser->tx) ||
- put_user(cnow.frame, &p_cuser->frame) ||
- put_user(cnow.overrun, &p_cuser->overrun) ||
- put_user(cnow.parity, &p_cuser->parity) ||
- put_user(cnow.brk, &p_cuser->brk) ||
- put_user(cnow.buf_overrun, &p_cuser->buf_overrun))
- ret = -EFAULT;
- ret = 0;
- break;
default:
ret = -ENOIOCTLCMD;
}
@@ -1115,6 +1093,33 @@ static int ioctl(struct tty_struct *tty, struct file *file,
return ret;
}

+static int get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+

+{
+ struct slgt_info *info = tty->driver_data;
+ struct mgsl_icount cnow; /* kernel counter temps */
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->lock,flags);
+ cnow = info->icount;
+ spin_unlock_irqrestore(&info->lock,flags);
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+

+ return 0;
+}
+

/*
* support for 32 bit ioctl calls on 64 bit systems
*/
@@ -1204,10 +1209,6 @@ static long slgt_compat_ioctl(struct tty_struct *tty, struct file *file,
case MGSL_IOCSGPIO:
case MGSL_IOCGGPIO:
case MGSL_IOCWAITGPIO:
- case TIOCGICOUNT:
- rc = ioctl(tty, file, cmd, (unsigned long)(compat_ptr(arg)));
- break;
-
case MGSL_IOCSTXIDLE:
case MGSL_IOCTXENABLE:
case MGSL_IOCRXENABLE:
@@ -3638,6 +3639,7 @@ static const struct tty_operations ops = {
.hangup = hangup,
.tiocmget = tiocmget,
.tiocmset = tiocmset,
+ .get_icount = get_icount,
.proc_fops = &synclink_gt_proc_fops,
};

diff --git a/drivers/char/synclinkmp.c b/drivers/char/synclinkmp.c
index 2b18adc..951b65f 100644
--- a/drivers/char/synclinkmp.c
+++ b/drivers/char/synclinkmp.c
@@ -1255,10 +1255,6 @@ static int do_ioctl(struct tty_struct *tty, struct file *file,
unsigned int cmd, unsigned long arg)
{
SLMP_INFO *info = tty->driver_data;
- int error;
- struct mgsl_icount cnow; /* kernel counter temps */
- struct serial_icounter_struct __user *p_cuser; /* user space */
- unsigned long flags;

void __user *argp = (void __user *)arg;

if (debug_level >= DEBUG_LEVEL_INFO)
@@ -1269,7 +1265,7 @@ static int do_ioctl(struct tty_struct *tty, struct file *file,
return -ENODEV;

if ((cmd != TIOCGSERIAL) && (cmd != TIOCSSERIAL) &&
- (cmd != TIOCMIWAIT) && (cmd != TIOCGICOUNT)) {
+ (cmd != TIOCMIWAIT)) {
if (tty->flags & (1 << TTY_IO_ERROR))
return -EIO;
}
@@ -1307,40 +1303,38 @@ static int do_ioctl(struct tty_struct *tty, struct file *file,

* NB: both 1->0 and 0->1 transitions are counted except for
* RI where only 0->1 is counted.
*/

- case TIOCGICOUNT:
- spin_lock_irqsave(&info->lock,flags);
- cnow = info->icount;
- spin_unlock_irqrestore(&info->lock,flags);
- p_cuser = argp;
- PUT_USER(error,cnow.cts, &p_cuser->cts);
- if (error) return error;
- PUT_USER(error,cnow.dsr, &p_cuser->dsr);
- if (error) return error;
- PUT_USER(error,cnow.rng, &p_cuser->rng);
- if (error) return error;
- PUT_USER(error,cnow.dcd, &p_cuser->dcd);
- if (error) return error;
- PUT_USER(error,cnow.rx, &p_cuser->rx);
- if (error) return error;
- PUT_USER(error,cnow.tx, &p_cuser->tx);
- if (error) return error;
- PUT_USER(error,cnow.frame, &p_cuser->frame);
- if (error) return error;
- PUT_USER(error,cnow.overrun, &p_cuser->overrun);
- if (error) return error;
- PUT_USER(error,cnow.parity, &p_cuser->parity);
- if (error) return error;
- PUT_USER(error,cnow.brk, &p_cuser->brk);
- if (error) return error;
- PUT_USER(error,cnow.buf_overrun, &p_cuser->buf_overrun);
- if (error) return error;
- return 0;
default:
return -ENOIOCTLCMD;
}
return 0;
}

+static int get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+{

+ SLMP_INFO *info = tty->driver_data;
+ struct mgsl_icount cnow; /* kernel counter temps */
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->lock,flags);
+ cnow = info->icount;
+ spin_unlock_irqrestore(&info->lock,flags);
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

+

+ return 0;
+}
+

static int ioctl(struct tty_struct *tty, struct file *file,
unsigned int cmd, unsigned long arg)
{
@@ -3908,6 +3902,7 @@ static const struct tty_operations ops = {
.hangup = hangup,
.tiocmget = tiocmget,
.tiocmset = tiocmset,
+ .get_icount = get_icount,
.proc_fops = &synclinkmp_proc_fops,
};

diff --git a/drivers/serial/68360serial.c b/drivers/serial/68360serial.c
index 24661cd..1e4f831 100644
--- a/drivers/serial/68360serial.c
+++ b/drivers/serial/68360serial.c
@@ -1381,6 +1381,30 @@ static void send_break(ser_info_t *info, unsigned int duration)
}

+/*
+ * Get counter of input serial line interrupts (DCD,RI,DSR,CTS)
+ * Return: write counters to the user passed counter struct
+ * NB: both 1->0 and 0->1 transitions are counted except for
+ * RI where only 0->1 is counted.
+ */
+static int rs_360_get_icount(struct tty_struct *tty,

+ struct serial_icounter_struct *icount)
+{

+ ser_info_t *info = (ser_info_t *)tty->driver_data;
+ struct async_icount cnow;
+
+ local_irq_disable();
+ cnow = info->state->icount;
+ local_irq_enable();
+

+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+

+ return 0;
+}
+

static int rs_360_ioctl(struct tty_struct *tty, struct file * file,

unsigned int cmd, unsigned long arg)

unread,

May 14, 2012, 10:30:04 PM5/14/12

to

From: Dmitry Torokhov <dt...@vmware.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit cd3c18ba2fac14b34d03cae111f215009735ea06 upstream.

Full-speed isoc endpoints specify interval in exponent based form in
frames, not microframes, so we need to adjust accordingly.

NEC xHCI host controllers will return an error code of 0x11 if a full
speed isochronous endpoint is added with the Interval field set to
something less than 3 (2^3 = 8 microframes, or one frame). It is
impossible for a full speed device to have an interval smaller than one
frame.

This was always an issue in the xHCI driver, but commit
dfa49c4ad120a784ef1ff0717168aa79f55a483a "USB: xhci - fix math in
xhci_get_endpoint_interval()" removed the clamping of the minimum value
in the Interval field, which revealed this bug.

This needs to be backported to stable kernels back to 2.6.31.

Reported-by: Matt Evans <ma...@ozlabs.org>
Signed-off-by: Dmitry Torokhov <dt...@vmware.com>
Signed-off-by: Sarah Sharp <sarah....@linux.intel.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/host/xhci-mem.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 05b5c34..727ac40 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -533,9 +533,19 @@ static unsigned int xhci_parse_exponent_interval(struct usb_device *udev,
interval = clamp_val(ep->desc.bInterval, 1, 16) - 1;
if (interval != ep->desc.bInterval - 1)
dev_warn(&udev->dev,
- "ep %#x - rounding interval to %d microframes\n",
+ "ep %#x - rounding interval to %d %sframes\n",
ep->desc.bEndpointAddress,
- 1 << interval);
+ 1 << interval,
+ udev->speed == USB_SPEED_FULL ? "" : "micro");
+
+ if (udev->speed == USB_SPEED_FULL) {
+ /*
+ * Full speed isoc endpoints specify interval in frames,
+ * not microframes. We are using microframes everywhere,
+ * so adjust accordingly.
+ */
+ interval += 3; /* 1 frame = 2^3 uframes */
+ }

return interval;

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: Namhyung Kim <namh...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 3b2710824e00d238554c13b5add347e6c701ab1a upstream.

The 'max_part' parameter controls the number of maximum partition
a nbd device can have. However if a user specifies very large
value it would exceed the limitation of device minor number and
can cause a kernel oops (or, at least, produce invalid device
nodes in some cases).

In addition, specifying large 'nbds_max' value causes same
problem for the same reason.

On my desktop, following command results to the kernel bug:

$ sudo modprobe nbd max_part=100000
kernel BUG at /media/Linux_Data/project/linux/fs/sysfs/group.c:65!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/block/nbd4/range
CPU 1
Modules linked in: nbd(+) bridge stp llc kvm_intel kvm asus_atk0110 sg sr_mod cdrom

Pid: 2522, comm: modprobe Tainted: G W 2.6.39-leonard+ #159 System manufacturer System Product Name/P5G41TD-M PRO
RIP: 0010:[<ffffffff8115aa08>] [<ffffffff8115aa08>] internal_create_group+0x2f/0x166
RSP: 0018:ffff8801009f1de8 EFLAGS: 00010246
RAX: 00000000ffffffef RBX: ffff880103920478 RCX: 00000000000a7bd3
RDX: ffffffff81a2dbe0 RSI: 0000000000000000 RDI: ffff880103920478
RBP: ffff8801009f1e38 R08: ffff880103920468 R09: ffff880103920478
R10: ffff8801009f1de8 R11: ffff88011eccbb68 R12: ffffffff81a2dbe0
R13: ffff880103920468 R14: 0000000000000000 R15: ffff880103920400
FS: 00007f3c49de9700(0000) GS:ffff88011f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f3b7fe7c000 CR3: 00000000cd58d000 CR4: 00000000000406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 2522, threadinfo ffff8801009f0000, task ffff8801009a93a0)
Stack:
ffff8801009f1e58 ffffffff812e8f6e ffff8801009f1e58 ffffffff812e7a80
ffff880000000010 ffff880103920400 ffff8801002fd0c0 ffff880103920468
0000000000000011 ffff880103920400 ffff8801009f1e48 ffffffff8115ab6a
Call Trace:
[<ffffffff812e8f6e>] ? device_add+0x4f1/0x5e4
[<ffffffff812e7a80>] ? dev_set_name+0x41/0x43
[<ffffffff8115ab6a>] sysfs_create_group+0x13/0x15
[<ffffffff810b857e>] blk_trace_init_sysfs+0x14/0x16
[<ffffffff811ee58b>] blk_register_queue+0x4c/0xfd
[<ffffffff811f3bdf>] add_disk+0xe4/0x29c
[<ffffffffa007e2ab>] nbd_init+0x2ab/0x30d [nbd]
[<ffffffffa007e000>] ? 0xffffffffa007dfff
[<ffffffff8100020f>] do_one_initcall+0x7f/0x13e
[<ffffffff8107ab0a>] sys_init_module+0xa1/0x1e3
[<ffffffff814f3542>] system_call_fastpath+0x16/0x1b
Code: 41 57 41 56 41 55 41 54 53 48 83 ec 28 0f 1f 44 00 00 48 89 fb 41 89 f6 49 89 d4 48 85 ff 74 0b 85 f6 75 0b 48 83
7f 30 00 75 14 <0f> 0b eb fe b9 ea ff ff ff 48 83 7f 30 00 0f 84 09 01 00 00 49
RIP [<ffffffff8115aa08>] internal_create_group+0x2f/0x166
RSP <ffff8801009f1de8>
---[ end trace 753285ffbf72c57c ]---

Signed-off-by: Namhyung Kim <namh...@gmail.com>
Cc: Laurent Vivier <Laurent...@bull.net>

Cc: Paul Clements <Paul.C...@steeleye.com>
Signed-off-by: Jens Axboe <jax...@fusionio.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/block/nbd.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 218d091..14046ff 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -755,6 +755,12 @@ static int __init nbd_init(void)
if (max_part > 0)
part_shift = fls(max_part);

+ if ((1UL << part_shift) > DISK_MAX_PARTS)
+ return -EINVAL;
+
+ if (nbds_max > 1UL << (MINORBITS - part_shift))
+ return -EINVAL;
+
for (i = 0; i < nbds_max; i++) {
struct gendisk *disk = alloc_disk(1 << part_shift);
if (!disk)

Paul Gortmaker

unread,

May 14, 2012, 10:30:04 PM5/14/12

to

From: Artem Bityutskiy <Artem.Bi...@nokia.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 812eb258311f89bcd664a34a620f249d54a2cd83 upstream.

UBIFS leaks memory on error path in 'ubifs_jnl_update()' in case of write
failure because it forgets to free the 'struct ubifs_dent_node *dent' object.
Although the object is small, the alignment can make it large - e.g., 2KiB
if the min. I/O unit is 2KiB.

Signed-off-by: Artem Bityutskiy <Artem.Bi...@nokia.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/ubifs/journal.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
index d321bae..841f77c 100644
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -665,6 +665,7 @@ out_free:

out_release:
release_head(c, BASEHD);
+ kfree(dent);
out_ro:
ubifs_ro_mode(c, err);
if (last_reference)

Paul Gortmaker

unread,

May 14, 2012, 10:30:02 PM5/14/12

to

From: Shawn Bohrer <sbo...@rgmadvisors.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 9ea71503a8ed9184d2d0b8ccc4d269d05f7940ae upstream.

commit 7485d0d3758e8e6491a5c9468114e74dc050785d (futexes: Remove rw
parameter from get_futex_key()) in 2.6.33 fixed two problems: First, It
prevented a loop when encountering a ZERO_PAGE. Second, it fixed RW
MAP_PRIVATE futex operations by forcing the COW to occur by
unconditionally performing a write access get_user_pages_fast() to get
the page. The commit also introduced a user-mode regression in that it
broke futex operations on read-only memory maps. For example, this
breaks workloads that have one or more reader processes doing a
FUTEX_WAIT on a futex within a read only shared file mapping, and a
writer processes that has a writable mapping issuing the FUTEX_WAKE.

This fixes the regression for valid futex operations on RO mappings by
trying a RO get_user_pages_fast() when the RW get_user_pages_fast()
fails. This change makes it necessary to also check for invalid use
cases, such as anonymous RO mappings (which can never change) and the
ZERO_PAGE which the commit referenced above was written to address.

This patch does restore the original behavior with RO MAP_PRIVATE
mappings, which have inherent user-mode usage problems and don't really
make sense. With this patch performing a FUTEX_WAIT within a RO
MAP_PRIVATE mapping will be successfully woken provided another process
updates the region of the underlying mapped file. However, the mmap()
man page states that for a MAP_PRIVATE mapping:

It is unspecified whether changes made to the file after
the mmap() call are visible in the mapped region.

So user-mode users attempting to use futex operations on RO MAP_PRIVATE
mappings are depending on unspecified behavior. Additionally a
RO MAP_PRIVATE mapping could fail to wake up in the following case.

Thread-A: call futex(FUTEX_WAIT, memory-region-A).
get_futex_key() return inode based key.
sleep on the key
Thread-B: call mprotect(PROT_READ|PROT_WRITE, memory-region-A)
Thread-B: write memory-region-A.
COW happen. This process's memory-region-A become related
to new COWed private (ie PageAnon=1) page.
Thread-B: call futex(FUETX_WAKE, memory-region-A).
get_futex_key() return mm based key.
IOW, we fail to wake up Thread-A.

Once again doing something like this is just silly and users who do
something like this get what they deserve.

While RO MAP_PRIVATE mappings are nonsensical, checking for a private
mapping requires walking the vmas and was deemed too costly to avoid a
userspace hang.

This Patch is based on Peter Zijlstra's initial patch with modifications to
only allow RO mappings for futex operations that need VERIFY_READ access.

Reported-by: David Oliver <da...@rgmadvisors.com>
Signed-off-by: Shawn Bohrer <sbo...@rgmadvisors.com>
Acked-by: Peter Zijlstra <a.p.zi...@chello.nl>
Signed-off-by: Darren Hart <dvh...@linux.intel.com>
Cc: KOSAKI Motohiro <kosaki....@jp.fujitsu.com>
Cc: pet...@infradead.org
Cc: eric.d...@gmail.com
Cc: zvo...@rgmadvisors.com
Cc: hu...@google.com
Link: http://lkml.kernel.org/r/1309450892-30676-1-g...@rgmadvisors.com
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
[PG: in 34, the variable is "page"; in original 9ea71503a it is page_head]

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

kernel/futex.c | 54 ++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 42 insertions(+), 12 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index e328f57..98a354d 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -203,6 +203,8 @@ static void drop_futex_key_refs(union futex_key *key)
* @uaddr: virtual address of the futex
* @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
* @key: address where result is stored.
+ * @rw: mapping needs to be read/write (values: VERIFY_READ,
+ * VERIFY_WRITE)
*
* Returns a negative error code or 0
* The key words are stored in *key on success.
@@ -214,12 +216,12 @@ static void drop_futex_key_refs(union futex_key *key)
* lock_page() might sleep, the caller should not hold a spinlock.
*/
static int
-get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
+get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
{
unsigned long address = (unsigned long)uaddr;
struct mm_struct *mm = current->mm;
struct page *page;
- int err;
+ int err, ro = 0;

/*
* The futex address must be "naturally" aligned.
@@ -247,14 +249,31 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)

again:
err = get_user_pages_fast(address, 1, 1, &page);
+ /*
+ * If write access is not required (eg. FUTEX_WAIT), try
+ * and get read-only access.
+ */
+ if (err == -EFAULT && rw == VERIFY_READ) {
+ err = get_user_pages_fast(address, 1, 0, &page);
+ ro = 1;
+ }
if (err < 0)
return err;
+ else
+ err = 0;

page = compound_head(page);
lock_page(page);
if (!page->mapping) {
unlock_page(page);
put_page(page);
+ /*
+ * ZERO_PAGE pages don't have a mapping. Avoid a busy loop
+ * trying to find one. RW mapping would have COW'd (and thus
+ * have a mapping) so this page is RO and won't ever change.
+ */
+ if ((page == ZERO_PAGE(address)))
+ return -EFAULT;
goto again;
}

@@ -266,6 +285,15 @@ again:
* the object not the particular process.
*/
if (PageAnon(page)) {
+ /*
+ * A RO anonymous page will never change and thus doesn't make
+ * sense for futex operations.
+ */
+ if (ro) {
+ err = -EFAULT;
+ goto out;
+ }
+
key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
key->private.mm = mm;
key->private.address = address;
@@ -277,9 +305,10 @@ again:

get_futex_key_refs(key);

+out:
unlock_page(page);
put_page(page);
- return 0;
+ return err;
}

static inline
@@ -880,7 +909,7 @@ static int futex_wake(u32 __user *uaddr, int fshared, int nr_wake, u32 bitset)
if (!bitset)
return -EINVAL;

- ret = get_futex_key(uaddr, fshared, &key);
+ ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ);
if (unlikely(ret != 0))
goto out;

@@ -926,10 +955,10 @@ futex_wake_op(u32 __user *uaddr1, int fshared, u32 __user *uaddr2,
int ret, op_ret;

retry:
- ret = get_futex_key(uaddr1, fshared, &key1);
+ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
if (unlikely(ret != 0))
goto out;
- ret = get_futex_key(uaddr2, fshared, &key2);
+ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
if (unlikely(ret != 0))
goto out_put_key1;

@@ -1188,10 +1217,11 @@ retry:
pi_state = NULL;
}

- ret = get_futex_key(uaddr1, fshared, &key1);
+ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
if (unlikely(ret != 0))
goto out;
- ret = get_futex_key(uaddr2, fshared, &key2);
+ ret = get_futex_key(uaddr2, fshared, &key2,
+ requeue_pi ? VERIFY_WRITE : VERIFY_READ);
if (unlikely(ret != 0))
goto out_put_key1;

@@ -1746,7 +1776,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, int fshared,
*/
retry:
q->key = FUTEX_KEY_INIT;
- ret = get_futex_key(uaddr, fshared, &q->key);
+ ret = get_futex_key(uaddr, fshared, &q->key, VERIFY_READ);
if (unlikely(ret != 0))
return ret;

@@ -1912,7 +1942,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
q.requeue_pi_key = NULL;
retry:
q.key = FUTEX_KEY_INIT;
- ret = get_futex_key(uaddr, fshared, &q.key);
+ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);
if (unlikely(ret != 0))
goto out;

@@ -2031,7 +2061,7 @@ retry:
if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
return -EPERM;

- ret = get_futex_key(uaddr, fshared, &key);
+ ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE);
if (unlikely(ret != 0))
goto out;

@@ -2223,7 +2253,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
rt_waiter.task = NULL;

key2 = FUTEX_KEY_INIT;
- ret = get_futex_key(uaddr2, fshared, &key2);
+ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
if (unlikely(ret != 0))
goto out;

Paul Gortmaker

unread,

May 14, 2012, 10:30:03 PM5/14/12

to

From: "Tian, Kevin" <kevin...@intel.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 7899891c7d161752f29abcc9bc0a9c6c3a3af26c upstream.

There's a race window in xen_drop_mm_ref, where remote cpu may exit
dirty bitmap between the check on this cpu and the point where remote
cpu handles drop request. So in drop_other_mm_ref we need check
whether TLB state is still lazy before calling into leave_mm. This
bug is rarely observed in earlier kernel, but exaggerated by the
commit 831d52bc153971b70e64eccfbed2b232394f22f8
("x86, mm: avoid possible bogus tlb entries by clearing prev mm_cpumask after switching mm")
which clears bitmap after changing the TLB state. the call trace is as below:

---------------------------------
kernel BUG at arch/x86/mm/tlb.c:61!

invalid opcode: 0000 [#1] SMP

last sysfs file: /sys/devices/system/xen_memory/xen_memory0/info/current_kb
CPU 1
Modules linked in: 8021q garp xen_netback xen_blkback blktap blkback_pagemap nbd bridge stp llc autofs4 ipmi_devintf ipmi_si ipmi_msghandler lockd sunrpc bonding ipv6 xenfs dm_multipath video output sbs sbshc parport_pc lp parport ses enclosure snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device serio_raw bnx2 snd_pcm_oss snd_mixer_oss snd_pcm snd_timer iTCO_wdt snd soundcore snd_page_alloc i2c_i801 iTCO_vendor_support i2c_core pcs pkr pata_acpi ata_generic ata_piix shpchp mptsas mptscsih mptbase [last unloaded: freq_table]
Pid: 25581, comm: khelper Not tainted 2.6.32.36fixxen #1 Tecal RH2285
RIP: e030:[<ffffffff8103a3cb>] [<ffffffff8103a3cb>] leave_mm+0x15/0x46
RSP: e02b:ffff88002805be48 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88015f8e2da0
RDX: ffff88002805be78 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff88002805be48 R08: ffff88009d662000 R09: dead000000200200
R10: dead000000100100 R11: ffffffff814472b2 R12: ffff88009bfc1880
R13: ffff880028063020 R14: 00000000000004f6 R15: 0000000000000000
FS: 00007f62362d66e0(0000) GS:ffff880028058000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000003aabc11909 CR3: 000000009b8ca000 CR4: 0000000000002660

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000000 00
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

Process khelper (pid: 25581, threadinfo ffff88007691e000, task ffff88009b92db40)
Stack:
ffff88002805be68 ffffffff8100e4ae 0000000000000001 ffff88009d733b88
<0> ffff88002805be98 ffffffff81087224 ffff88002805be78 ffff88002805be78
<0> ffff88015f808360 00000000000004f6 ffff88002805bea8 ffffffff81010108
Call Trace:
<IRQ>
[<ffffffff8100e4ae>] drop_other_mm_ref+0x2a/0x53
[<ffffffff81087224>] generic_smp_call_function_single_interrupt+0xd8/0xfc
[<ffffffff81010108>] xen_call_function_single_interrupt+0x13/0x28
[<ffffffff810a936a>] handle_IRQ_event+0x66/0x120
[<ffffffff810aac5b>] handle_percpu_irq+0x41/0x6e
[<ffffffff8128c1c0>] __xen_evtchn_do_upcall+0x1ab/0x27d
[<ffffffff8128dd11>] xen_evtchn_do_upcall+0x33/0x46
[<ffffffff81013efe>] xen_do_hyper visor_callback+0x1e/0x30
<EOI>
[<ffffffff814472b2>] ? _spin_unlock_irqrestore+0x15/0x17
[<ffffffff8100f8cf>] ? xen_restore_fl_direct_end+0x0/0x1
[<ffffffff81113f71>] ? flush_old_exec+0x3ac/0x500
[<ffffffff81150dc5>] ? load_elf_binary+0x0/0x17ef
[<ffffffff81150dc5>] ? load_elf_binary+0x0/0x17ef
[<ffffffff8115115d>] ? load_elf_binary+0x398/0x17ef
[<ffffffff81042fcf>] ? need_resched+0x23/0x2d
[<ffffffff811f4648>] ? process_measurement+0xc0/0xd7
[<ffffffff81150dc5>] ? load_elf_binary+0x0/0x17ef
[<ffffffff81113094>] ? search_binary_handler+0xc8/0x255
[<ffffffff81114362>] ? do_execve+0x1c3/0x29e
[<ffffffff8101155d>] ? sys_execve+0x43/0x5d
[<ffffffff8106fc45>] ? __call_usermodehelper+0x0/0x6f
[<ffffffff81013e28>] ? kernel_execve+0x68/0xd0
[<ffffffff 8106fc45>] ? __call_usermodehelper+0x0/0x6f
[<ffffffff8100f8cf>] ? xen_restore_fl_direct_end+0x0/0x1
[<ffffffff8106fb64>] ? ____call_usermodehelper+0x113/0x11e
[<ffffffff81013daa>] ? child_rip+0xa/0x20
[<ffffffff8106fc45>] ? __call_usermodehelper+0x0/0x6f
[<ffffffff81012f91>] ? int_ret_from_sys_call+0x7/0x1b
[<ffffffff8101371d>] ? retint_restore_args+0x5/0x6
[<ffffffff81013da0>] ? child_rip+0x0/0x20
Code: 41 5e 41 5f c9 c3 55 48 89 e5 0f 1f 44 00 00 e8 17 ff ff ff c9 c3 55 48 89 e5 0f 1f 44 00 00 65 8b 04 25 c8 55 01 00 ff c8 75 04 <0f> 0b eb fe 65 48 8b 34 25 c0 55 01 00 48 81 c6 b8 02 00 00 e8
RIP [<ffffffff8103a3cb>] leave_mm+0x15/0x46
RSP <ffff88002805be48>
---[ end trace ce9cee6832a9c503 ]---

Tested-by: Maoxiaoyun<tinny...@hotmail.com>
Signed-off-by: Kevin Tian <kevin...@intel.com>
[v1: Fleshed out the git description a bit]
Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/x86/xen/mmu.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

unread,

May 14, 2012, 10:30:04 PM5/14/12

to

From: Jens Axboe <jax...@fusionio.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit d86e0e83b32bc84600adb0b6ea1fce389b266682 upstream.

We need them in SCSI to fix a bug, but currently they are not
exported to modules. Export them.

Signed-off-by: Jens Axboe <jax...@fusionio.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

block/blk-core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/block/blk-core.c b/block/blk-core.c
index dd9795d..94f274b 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -439,6 +439,7 @@ void blk_put_queue(struct request_queue *q)
{
kobject_put(&q->kobj);
}
+EXPORT_SYMBOL(blk_put_queue);

void blk_cleanup_queue(struct request_queue *q)
{
@@ -612,6 +613,7 @@ int blk_get_queue(struct request_queue *q)

return 1;
}
+EXPORT_SYMBOL(blk_get_queue);

static inline void blk_free_request(struct request_queue *q, struct request *rq)
{

Paul Gortmaker

unread,

May 14, 2012, 10:30:04 PM5/14/12

to

From: Dan Carpenter <err...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit f124c6ae59e193705c9ddac57684d50006d710e6 upstream.

b->args[] has MC_ARGS elements, so the comparison here should be
">=" instead of ">". Otherwise we read past the end of the array
one space.

Signed-off-by: Dan Carpenter <err...@gmail.com>

Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>

Signed-off-by: Jeremy Fitzhardinge <jeremy.fi...@citrix.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

unread,

May 14, 2012, 10:40:01 PM5/14/12

to

From: Milan Broz <mb...@redhat.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit f4808ca99a203f20b4475601748e44b25a65bdec upstream.

This patch adds a check that a block device has a request function
defined before it is used. Otherwise, misconfiguration can cause an oops.

Because we are allowing devices with zero size e.g. an offline multipath
device as in commit 2cd54d9bedb79a97f014e86c0da393416b264eb3
("dm: allow offline devices") there needs to be an additional check
to ensure devices are initialised. Some block devices, like a loop
device without a backing file, exist but have no request function.

Reproducer is trivial: dm-mirror on unbound loop device
(no backing file on loop devices)

dmsetup create x --table "0 8 mirror core 2 8 sync 2 /dev/loop0 0 /dev/loop1 0"

and mirror resync will immediatelly cause OOps.

BUG: unable to handle kernel NULL pointer dereference at (null)
? generic_make_request+0x2bd/0x590
? kmem_cache_alloc+0xad/0x190
submit_bio+0x53/0xe0
? bio_add_page+0x3b/0x50
dispatch_io+0x1ca/0x210 [dm_mod]
? read_callback+0x0/0xd0 [dm_mirror]
dm_io+0xbb/0x290 [dm_mod]
do_mirror+0x1e0/0x748 [dm_mirror]

Signed-off-by: Milan Broz <mb...@redhat.com>
Reported-by: Zdenek Kabelac <zkab...@redhat.com>
Acked-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Alasdair G Kergon <a...@redhat.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/md/dm-table.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index 4a83321..ebb3864 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -352,6 +352,7 @@ static void close_dev(struct dm_dev_internal *d, struct mapped_device *md)
static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
sector_t start, sector_t len, void *data)
{
+ struct request_queue *q;
struct queue_limits *limits = data;
struct block_device *bdev = dev->bdev;
sector_t dev_size =
@@ -360,6 +361,22 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
limits->logical_block_size >> SECTOR_SHIFT;
char b[BDEVNAME_SIZE];

+ /*
+ * Some devices exist without request functions,
+ * such as loop devices not yet bound to backing files.
+ * Forbid the use of such devices.
+ */
+ q = bdev_get_queue(bdev);
+ if (!q || !q->make_request_fn) {
+ DMWARN("%s: %s is not yet initialised: "
+ "start=%llu, len=%llu, dev_size=%llu",
+ dm_device_name(ti->table->md), bdevname(bdev, b),
+ (unsigned long long)start,
+ (unsigned long long)len,
+ (unsigned long long)dev_size);
+ return 1;
+ }
+
if (!dev_size)
return 0;

Paul Gortmaker

unread,

May 14, 2012, 10:40:01 PM5/14/12

to

From: Jeff Layton <jla...@redhat.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 upstream.

It's possible for a cifsSesInfo struct to have a NULL password, so we
need to check for that prior to running strncmp on it.

Signed-off-by: Jeff Layton <jla...@redhat.com>
Signed-off-by: Steve French <sfr...@us.ibm.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/cifs/connect.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0fbc8d2..f31ad2d 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1609,6 +1609,7 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
MAX_USERNAME_SIZE))
continue;
if (strlen(vol->username) != 0 &&
+ ses->password != NULL &&
strncmp(ses->password,
vol->password ? vol->password : "",
MAX_PASSWORD_SIZE))

Paul Gortmaker

unread,

May 14, 2012, 10:40:01 PM5/14/12

to

From: "J. Bruce Fields" <bfi...@redhat.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream.

After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd:
split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no
longer removed its xpt_ready (then sk_ready) field from whatever list it
was on, noting that there was no point since the whole list was about to
be destroyed anyway.

That was mostly true, but forgot that a few svc_xprt_enqueue()'s might
still be hanging around playing with the about-to-be-destroyed list, and
could get themselves into trouble writing to freed memory if we left
this xprt on the list after freeing it.

(This is actually functionally identical to a patch made first by Ben
Greear, but with more comments.)

Cc: g...@fmeh.org
Reported-by: Ben Greear <gre...@candelatech.com>
Tested-by: Ben Greear <gre...@candelatech.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

net/sunrpc/svc_xprt.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index aa1d2c6..33df29b 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -892,12 +892,13 @@ void svc_delete_xprt(struct svc_xprt *xprt)
if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
list_del_init(&xprt->xpt_list);
/*
- * We used to delete the transport from whichever list
- * it's sk_xprt.xpt_ready node was on, but we don't actually
- * need to. This is because the only time we're called
- * while still attached to a queue, the queue itself
- * is about to be destroyed (in svc_destroy).
+ * The only time we're called while xpt_ready is still on a list
+ * is while the list itself is about to be destroyed (in
+ * svc_destroy). BUT svc_xprt_enqueue could still be attempting
+ * to add new entries to the sp_sockets list, so we can't leave
+ * a freed xprt on it.
*/
+ list_del_init(&xprt->xpt_ready);
if (test_bit(XPT_TEMP, &xprt->xpt_flags))
serv->sv_tmpcnt--;

Paul Gortmaker

unread,

May 14, 2012, 10:40:01 PM5/14/12

to

From: Anton Blanchard <an...@samba.org>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit bed9a31527af8ff3dfbad62a1a42815cef4baab7 upstream.

On a box with 8TB of RAM the MMU hashtable is 64GB in size. That
means we have 4G PTEs. pSeries_lpar_hptab_clear was using a signed
int to store the index which will overflow at 2G.

Signed-off-by: Anton Blanchard <an...@samba.org>
Acked-by: Michael Neuling <mi...@neuling.org>
Signed-off-by: Benjamin Herrenschmidt <be...@kernel.crashing.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/powerpc/platforms/pseries/lpar.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
index cf79b46..7e0eba4 100644
--- a/arch/powerpc/platforms/pseries/lpar.c
+++ b/arch/powerpc/platforms/pseries/lpar.c
@@ -372,7 +372,7 @@ static void pSeries_lpar_hptab_clear(void)
unsigned long ptel;
} ptes[4];
long lpar_rc;
- int i, j;
+ unsigned long i, j;

/* Read in batches of 4,
* invalidate only valid entries not in the VRMA

Paul Gortmaker

unread,

May 14, 2012, 10:40:01 PM5/14/12

to

From: Chris Wright <chr...@sous-sol.org>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 864d296cf948aef0fa32b81407541572583f7572 upstream.

The function pci_enable_ari() may mistakenly set the downstream port
of a v1 PCIe switch in ARI Forwarding mode. This is a PCIe v2 feature,
and with an SR-IOV device on that switch port believing the switch above
is ARI capable it may attempt to use functions 8-255, translating into
invalid (non-zero) device numbers for that bus. This has been seen
to cause Completion Timeouts and general misbehaviour including hangs
and panics.

Acked-by: Don Dutile <ddu...@redhat.com>
Tested-by: Don Dutile <ddu...@redhat.com>
Signed-off-by: Chris Wright <chr...@sous-sol.org>
Signed-off-by: Jesse Barnes <jba...@virtuousgeek.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/pci/pci.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 8abe983..2326637 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1713,7 +1713,7 @@ void pci_enable_ari(struct pci_dev *dev)
{
int pos;
u32 cap;
- u16 ctrl;
+ u16 flags, ctrl;
struct pci_dev *bridge;

if (!pci_is_pcie(dev) || dev->devfn)
@@ -1731,6 +1731,11 @@ void pci_enable_ari(struct pci_dev *dev)
if (!pos)
return;

+ /* ARI is a PCIe v2 feature */
+ pci_read_config_word(bridge, pos + PCI_EXP_FLAGS, &flags);
+ if ((flags & PCI_EXP_FLAGS_VERS) < 2)
+ return;
+
pci_read_config_dword(bridge, pos + PCI_EXP_DEVCAP2, &cap);
if (!(cap & PCI_EXP_DEVCAP2_ARI))
return;

Paul Gortmaker

unread,

May 14, 2012, 10:40:01 PM5/14/12

to

From: Artem Bityutskiy <Artem.Bi...@nokia.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit eaeee242c531cd4b0a4a46e8b5dd7ef504380c42 upstream.

When re-mounting from R/O mode to R/W mode and the LEB count in the superblock
is not up-to date, because for the underlying UBI volume became larger, we
re-write the superblock. We allocate RAM for these purposes, but never free it.
So this is a memory leak, although very rare one.

Signed-off-by: Artem Bityutskiy <Artem.Bi...@nokia.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/ubifs/sb.c | 3 ++-
fs/ubifs/super.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/sb.c b/fs/ubifs/sb.c
index 96cb62c..f75f89b 100644
--- a/fs/ubifs/sb.c
+++ b/fs/ubifs/sb.c
@@ -475,7 +475,8 @@ failed:
* @c: UBIFS file-system description object
*
* This function returns a pointer to the superblock node or a negative error
- * code.
+ * code. Note, the user of this function is responsible of kfree()'ing the
+ * returned superblock buffer.
*/
struct ubifs_sb_node *ubifs_read_sb_node(struct ubifs_info *c)
{
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 4d2f215..f4d0c36 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -1545,6 +1545,7 @@ static int ubifs_remount_rw(struct ubifs_info *c)
}
sup->leb_cnt = cpu_to_le32(c->leb_cnt);
err = ubifs_write_sb_node(c, sup);
+ kfree(sup);
if (err)
goto out;

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Julia Lawall <ju...@diku.dk>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit ca9380fd68514c7bc952282c1b4fc70607e9fe43 upstream.

Convert array index from the loop bound to the loop index.

A simplified version of the semantic patch that fixes this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression e1,e2,ar;
@@

for(e1 = 0; e1 < e2; e1++) { <...
ar[
- e2
+ e1
]
...> }
// </smpl>

Signed-off-by: Julia Lawall <ju...@diku.dk>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/core/pcm_compat.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Felipe Balbi <ba...@ti.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 472b91274a6c6857877b5caddb875dcb5ecdfcb8 upstream.

composite.c always sets req->length to zero
and expects function driver's setup handlers
to return the amount of bytes to be used
on req->length. If we test against req->length
w_length will always be greater than req->length
thus making us always stall that particular
SEND_ENCAPSULATED_COMMAND request.

Tested against a Windows XP SP3.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/gadget/f_rndis.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
index 56b0221..d1eb94a 100644
--- a/drivers/usb/gadget/f_rndis.c
+++ b/drivers/usb/gadget/f_rndis.c
@@ -420,8 +420,7 @@ rndis_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
*/
case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
| USB_CDC_SEND_ENCAPSULATED_COMMAND:
- if (w_length > req->length || w_value
- || w_index != rndis->ctrl_id)
+ if (w_value || w_index != rndis->ctrl_id)
goto invalid;
/* read the request; process it later */
value = w_length;

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Vasiliy Kulikov <seg...@openwall.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream.

/proc/PID/io may be used for gathering private information. E.g. for
openssh and vsftpd daemons wchars/rchars may be used to learn the
precise password length. Restrict it to processes being able to ptrace
the target process.

ptrace_may_access() is needed to prevent keeping open file descriptor of
"io" file, executing setuid binary and gathering io information of the
setuid'ed process.

Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/proc/base.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 268f00d..08741b0 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2518,6 +2518,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
struct task_io_accounting acct = task->ioac;
unsigned long flags;

+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
+ return -EACCES;
+
if (whole && lock_task_sighand(task, &flags)) {
struct task_struct *t = task;

@@ -2640,7 +2643,7 @@ static const struct pid_entry tgid_base_stuff[] = {
REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
#endif
#ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, proc_tgid_io_accounting),
+ INF("io", S_IRUSR, proc_tgid_io_accounting),
#endif
};

@@ -2976,7 +2979,7 @@ static const struct pid_entry tid_base_stuff[] = {
REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
#endif
#ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, proc_tid_io_accounting),
+ INF("io", S_IRUSR, proc_tid_io_accounting),
#endif

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Alan Stern <st...@rowland.harvard.edu>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit e04f5f7e423018bcec84c11af2058cdce87816f3 upstream.

This patch (as1480) fixes a rather obscure bug in ehci-hcd. The
qh_update() routine needs to know the number and direction of the
endpoint corresponding to its QH argument. The number can be taken
directly from the QH data structure, but the direction isn't stored
there. The direction is taken instead from the first qTD linked to
the QH.

However, it turns out that for interrupt transfers, qh_update() gets
called before the qTDs are linked to the QH. As a result, qh_update()
computes a bogus direction value, which messes up the endpoint toggle
handling. Under the right combination of circumstances this causes
usb_reset_endpoint() not to work correctly, which causes packets to be
dropped and communications to fail.

Now, it's silly for the QH structure not to have direct access to all
the descriptor information for the corresponding endpoint. Ultimately
it may get a pointer to the usb_host_endpoint structure; for now,
adding a copy of the direction flag solves the immediate problem.

This allows the Spyder2 color-calibration system (a low-speed USB
device that sends all its interrupt data packets with the toggle set
to 0 and hance requires constant use of usb_reset_endpoint) to work
when connected through a high-speed hub. Thanks to Graeme Gill for
supplying the hardware that allowed me to track down this bug.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-by: Graeme Gill <gra...@argyllcms.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/host/ehci-q.c | 3 ++-
drivers/usb/host/ehci.h | 1 +

2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
index 781c573..9b46a1e 100644
--- a/drivers/usb/host/ehci-q.c
+++ b/drivers/usb/host/ehci-q.c
@@ -103,7 +103,7 @@ qh_update (struct ehci_hcd *ehci, struct ehci_qh *qh, struct ehci_qtd *qtd)
if (!(hw->hw_info1 & cpu_to_hc32(ehci, 1 << 14))) {
unsigned is_out, epnum;

- is_out = !(qtd->hw_token & cpu_to_hc32(ehci, 1 << 8));
+ is_out = qh->is_out;
epnum = (hc32_to_cpup(ehci, &hw->hw_info1) >> 8) & 0x0f;
if (unlikely (!usb_gettoggle (qh->dev, epnum, is_out))) {
hw->hw_token &= ~cpu_to_hc32(ehci, QTD_TOGGLE);
@@ -945,6 +945,7 @@ done:
hw = qh->hw;
hw->hw_info1 = cpu_to_hc32(ehci, info1);
hw->hw_info2 = cpu_to_hc32(ehci, info2);
+ qh->is_out = !is_input;
usb_settoggle (urb->dev, usb_pipeendpoint (urb->pipe), !is_input, 1);
qh_refresh (ehci, qh);
return qh;
diff --git a/drivers/usb/host/ehci.h b/drivers/usb/host/ehci.h
index 20b5e16..1bb7a7f 100644
--- a/drivers/usb/host/ehci.h
+++ b/drivers/usb/host/ehci.h
@@ -367,6 +367,7 @@ struct ehci_qh {
#define NO_FRAME ((unsigned short)~0) /* pick new start */

struct usb_device *dev; /* access to TT */
+ unsigned is_out:1; /* bulk or intr OUT */
unsigned clearing_tt:1; /* Clear-TT-Buf in progress */

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Thomas Gleixner <tg...@linutronix.de>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit f1c18071ad70e2a78ab31fc26a18fcfa954a05c6 upstream.

commit 995bd3bb5 (x86: Hpet: Avoid the comparator readback penalty)
chose 8 HPET cycles as a safe value for the ETIME check, as we had the
confirmation that the posted write to the comparator register is
delayed by two HPET clock cycles on Intel chipsets which showed
readback problems.

After that patch hit mainline we got reports from machines with newer
AMD chipsets which seem to have an even longer delay. See
http://thread.gmane.org/gmane.linux.kernel/1054283 and
http://thread.gmane.org/gmane.linux.kernel/1069458 for further
information.

Boris tried to come up with an ACPI based selection of the minimum
HPET cycles, but this failed on a couple of test machines. And of
course we did not get any useful information from the hardware folks.

For now our only option is to chose a paranoid high and safe value for
the minimum HPET cycles used by the ETIME check. Adjust the minimum ns
value for the HPET clockevent accordingly.

Reported-Bistected-and-Tested-by: Markus Trippelsdorf <mar...@trippelsdorf.de>
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
LKML-Reference: <alpine.LFD.2.00.1...@localhost6.localdomain6>
Cc: Simon Kirby <s...@hostway.ca>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Andreas Herrmann <Andreas....@amd.com>
Cc: John Stultz <john...@us.ibm.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/x86/kernel/hpet.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
index e3be610..2de7aaf 100644
--- a/arch/x86/kernel/hpet.c
+++ b/arch/x86/kernel/hpet.c
@@ -28,6 +28,9 @@
#define HPET_DEV_FSB_CAP 0x1000
#define HPET_DEV_PERI_CAP 0x2000

+#define HPET_MIN_CYCLES 128
+#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES + (HPET_MIN_CYCLES >> 1))
+
#define EVT_TO_HPET_DEV(evt) container_of(evt, struct hpet_dev, evt)

/*
@@ -300,8 +303,9 @@ static void hpet_legacy_clockevent_register(void)
/* Calculate the min / max delta */
hpet_clockevent.max_delta_ns = clockevent_delta2ns(0x7FFFFFFF,
&hpet_clockevent);
- /* 5 usec minimum reprogramming delta. */
- hpet_clockevent.min_delta_ns = 5000;
+ /* Setup minimum reprogramming delta. */
+ hpet_clockevent.min_delta_ns = clockevent_delta2ns(HPET_MIN_PROG_DELTA,
+ &hpet_clockevent);

/*
* Start hpet with the boot cpu mask and make it
@@ -394,22 +398,24 @@ static int hpet_next_event(unsigned long delta,
* the wraparound into account) nor a simple count down event
* mode. Further the write to the comparator register is
* delayed internally up to two HPET clock cycles in certain
- * chipsets (ATI, ICH9,10). We worked around that by reading
- * back the compare register, but that required another
- * workaround for ICH9,10 chips where the first readout after
- * write can return the old stale value. We already have a
- * minimum delta of 5us enforced, but a NMI or SMI hitting
+ * chipsets (ATI, ICH9,10). Some newer AMD chipsets have even
+ * longer delays. We worked around that by reading back the
+ * compare register, but that required another workaround for
+ * ICH9,10 chips where the first readout after write can
+ * return the old stale value. We already had a minimum
+ * programming delta of 5us enforced, but a NMI or SMI hitting
* between the counter readout and the comparator write can
* move us behind that point easily. Now instead of reading
* the compare register back several times, we make the ETIME
* decision based on the following: Return ETIME if the
- * counter value after the write is less than 8 HPET cycles
+ * counter value after the write is less than HPET_MIN_CYCLES
* away from the event or if the counter is already ahead of
- * the event.
+ * the event. The minimum programming delta for the generic
+ * clockevents code is set to 1.5 * HPET_MIN_CYCLES.
*/
res = (s32)(cnt - hpet_readl(HPET_COUNTER));

- return res < 8 ? -ETIME : 0;
+ return res < HPET_MIN_CYCLES ? -ETIME : 0;
}

static void hpet_legacy_set_mode(enum clock_event_mode mode,

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Sergei Shtylyov <ssht...@ru.mvista.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 81463c1d707186adbbe534016cd1249edeab0dac upstream.

MAX4967 USB power supply chip we use on our boards signals over-current when
power is not enabled; once it's enabled, over-current signal returns to normal.
That unfortunately caused the endless stream of "over-current change on port"
messages. The EHCI root hub code reacts on every over-current signal change
with powering off the port -- such change event is generated the moment the
port power is enabled, so once enabled the power is immediately cut off.
I think we should only cut off power when we're seeing the active over-current
signal, so I'm adding such check to that code. I also think that the fact that
we've cut off the port power should be reflected in the result of GetPortStatus
request immediately, hence I'm adding a PORTSCn register readback after write...

Signed-off-by: Sergei Shtylyov <ssht...@ru.mvista.com>
Acked-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/host/ehci-hub.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
index 1b2af4d..ae32f02 100644
--- a/drivers/usb/host/ehci-hub.c
+++ b/drivers/usb/host/ehci-hub.c
@@ -837,10 +837,11 @@ static int ehci_hub_control (
* power switching; they're allowed to just limit the
* current. khubd will turn the power back on.
*/
- if (HCS_PPC (ehci->hcs_params)){
+ if ((temp & PORT_OC) && HCS_PPC(ehci->hcs_params)) {
ehci_writel(ehci,
temp & ~(PORT_RWC_BITS | PORT_POWER),
status_reg);
+ temp = ehci_readl(ehci, status_reg);

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Thomas Gleixner <tg...@linutronix.de>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 995bd3bb5c78f3ff71339803c0b8337ed36d64fb upstream.

Due to the overly intelligent design of HPETs, we need to workaround
the problem that the compare value which we write is already behind
the actual counter value at the point where the value hits the real
compare register. This happens for two reasons:

1) We read out the counter, add the delta and write the result to the
compare register. When a NMI or SMI hits between the read out and
the write then the counter can be ahead of the event already

2) The write to the compare register is delayed by up to two HPET
cycles in certain chipsets.

We worked around this by reading back the compare register to make
sure that the written value has hit the hardware. For certain ICH9+
chipsets this can require two readouts, as the first one can return
the previous compare register value. That's bad performance wise for
the normal case where the event is far enough in the future.

As we already know that the write can be delayed by up to two cycles
we can avoid the read back of the compare register completely if we
make the decision whether the delta has elapsed already or not based
on the following calculation:

cmp = event - actual_count;

If cmp is less than 8 HPET clock cycles, then we decide that the event
has happened already and return -ETIME. That covers the above #1 and
seconds).

Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Tested-by: Nix <n...@esperi.org.uk>
Tested-by: Artur Skawina <art....@gmail.com>
Cc: Damien Wyart <damien...@free.fr>
Tested-by: John Drescher <dresc...@gmail.com>
Cc: Venkatesh Pallipadi <ve...@google.com>
Cc: Arjan van de Ven <ar...@linux.intel.com>
Cc: Andreas Herrmann <andreas....@amd.com>
Tested-by: Borislav Petkov <borisla...@amd.com>
Cc: Suresh Siddha <suresh....@intel.com>
LKML-Reference: <alpine.LFD.2.00.1...@localhost6.localdomain6>
[PG: diffstat differs from 995bd3bb since deleted comment was re-wrapped]

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/x86/kernel/hpet.c | 43 +++++++++++++++++++++----------------------
1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
index c5f8121..e3be610 100644
--- a/arch/x86/kernel/hpet.c
+++ b/arch/x86/kernel/hpet.c
@@ -381,36 +381,35 @@ static int hpet_next_event(unsigned long delta,
struct clock_event_device *evt, int timer)
{
u32 cnt;
+ s32 res;

cnt = hpet_readl(HPET_COUNTER);
cnt += (u32) delta;
hpet_writel(cnt, HPET_Tn_CMP(timer));

/*
- * We need to read back the CMP register on certain HPET
- * implementations (ATI chipsets) which seem to delay the
- * transfer of the compare register into the internal compare
- * logic. With small deltas this might actually be too late as
- * the counter could already be higher than the compare value
- * at that point and we would wait for the next hpet interrupt
- * forever. We found out that reading the CMP register back
- * forces the transfer so we can rely on the comparison with
- * the counter register below. If the read back from the
- * compare register does not match the value we programmed
- * then we might have a real hardware problem. We can not do
- * much about it here, but at least alert the user/admin with
- * a prominent warning.
- * An erratum on some chipsets (ICH9,..), results in comparator read
- * immediately following a write returning old value. Workaround
- * for this is to read this value second time, when first
- * read returns old value.
+ * HPETs are a complete disaster. The compare register is
+ * based on a equal comparison and neither provides a less
+ * than or equal functionality (which would require to take
+ * the wraparound into account) nor a simple count down event
+ * mode. Further the write to the comparator register is
+ * delayed internally up to two HPET clock cycles in certain
+ * chipsets (ATI, ICH9,10). We worked around that by reading
+ * back the compare register, but that required another
+ * workaround for ICH9,10 chips where the first readout after
+ * write can return the old stale value. We already have a
+ * minimum delta of 5us enforced, but a NMI or SMI hitting
+ * between the counter readout and the comparator write can
+ * move us behind that point easily. Now instead of reading
+ * the compare register back several times, we make the ETIME
+ * decision based on the following: Return ETIME if the
+ * counter value after the write is less than 8 HPET cycles
+ * away from the event or if the counter is already ahead of
+ * the event.
*/
- if (unlikely((u32)hpet_readl(HPET_Tn_CMP(timer)) != cnt)) {
- WARN_ONCE(hpet_readl(HPET_Tn_CMP(timer)) != cnt,
- KERN_WARNING "hpet: compare register read back failed.\n");
- }
+ res = (s32)(cnt - hpet_readl(HPET_COUNTER));

- return (s32)(hpet_readl(HPET_COUNTER) - cnt) >= 0 ? -ETIME : 0;
+ return res < 8 ? -ETIME : 0;

}

static void hpet_legacy_set_mode(enum clock_event_mode mode,

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Anton Blanchard <an...@samba.org>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 51d33021425e1f905beb4208823146f2fb6517da upstream.

Return -EAGAIN when we get H_BUSY back from the hypervisor. This
makes the hvc console driver retry, avoiding dropped printks.

Signed-off-by: Anton Blanchard <an...@samba.org>
Signed-off-by: Benjamin Herrenschmidt <be...@kernel.crashing.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/powerpc/platforms/pseries/hvconsole.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/hvconsole.c b/arch/powerpc/platforms/pseries/hvconsole.c
index 3f6a89b..041e87c 100644
--- a/arch/powerpc/platforms/pseries/hvconsole.c
+++ b/arch/powerpc/platforms/pseries/hvconsole.c
@@ -73,7 +73,7 @@ int hvc_put_chars(uint32_t vtermno, const char *buf, int count)
if (ret == H_SUCCESS)
return count;
if (ret == H_BUSY)
- return 0;
+ return -EAGAIN;
return -EIO;

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Dan Rosenberg <drose...@vsecurity.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 0d0138ebe24b94065580bd2601f8bb7eb6152f56 upstream.

Prevent an arbitrary kernel read. Check the user pointer with access_ok()
before copying data in.

[ak...@linux-foundation.org: s/EIO/EFAULT/]
Signed-off-by: Dan Rosenberg <drose...@vsecurity.com>
Cc: Christian Zankel <ch...@zankel.net>
Cc: Oleg Nesterov <ol...@redhat.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/xtensa/kernel/ptrace.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c
index 9d4e1ce..f0ccfc7 100644
--- a/arch/xtensa/kernel/ptrace.c
+++ b/arch/xtensa/kernel/ptrace.c
@@ -147,6 +147,9 @@ int ptrace_setxregs(struct task_struct *child, void __user *uregs)
elf_xtregs_t *xtregs = uregs;
int ret = 0;

+ if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)))
+ return -EFAULT;
+
#if XTENSA_HAVE_COPROCESSORS
/* Flush all coprocessors before we overwrite them. */
coprocessor_flush_all(ti);

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Dan Williams <dc...@redhat.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit e7a46b4d0839c2a3aa2e0ae0b145f293f6738498 upstream.

It's currently exposed only through /proc which, besides requiring
screen-scraping, doesn't allow userspace to distinguish between two
identical ATM adapters with different ATM indexes. The ATM device index
is required when using PPPoATM on a system with multiple ATM adapters.

Signed-off-by: Dan Williams <dc...@redhat.com>
Reviewed-by: Eric Dumazet <eric.d...@gmail.com>
Tested-by: David Woodhouse <dw...@infradead.org>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

net/atm/atm_sysfs.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/net/atm/atm_sysfs.c b/net/atm/atm_sysfs.c
index 799c631..67b5bcf 100644
--- a/net/atm/atm_sysfs.c
+++ b/net/atm/atm_sysfs.c
@@ -59,6 +59,14 @@ static ssize_t show_atmaddress(struct device *cdev,
return pos - buf;
}

+static ssize_t show_atmindex(struct device *cdev,
+ struct device_attribute *attr, char *buf)
+{
+ struct atm_dev *adev = to_atm_dev(cdev);
+
+ return sprintf(buf, "%d\n", adev->number);
+}
+
static ssize_t show_carrier(struct device *cdev,
struct device_attribute *attr, char *buf)
{
@@ -99,6 +107,7 @@ static ssize_t show_link_rate(struct device *cdev,

static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
static DEVICE_ATTR(atmaddress, S_IRUGO, show_atmaddress, NULL);
+static DEVICE_ATTR(atmindex, S_IRUGO, show_atmindex, NULL);
static DEVICE_ATTR(carrier, S_IRUGO, show_carrier, NULL);
static DEVICE_ATTR(type, S_IRUGO, show_type, NULL);
static DEVICE_ATTR(link_rate, S_IRUGO, show_link_rate, NULL);
@@ -106,6 +115,7 @@ static DEVICE_ATTR(link_rate, S_IRUGO, show_link_rate, NULL);
static struct device_attribute *atm_attrs[] = {
&dev_attr_atmaddress,
&dev_attr_address,
+ &dev_attr_atmindex,
&dev_attr_carrier,
&dev_attr_type,
&dev_attr_link_rate,

Paul Gortmaker

unread,

May 14, 2012, 10:40:04 PM5/14/12

to

From: Takashi Iwai <ti...@suse.de>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 0584ffa548b6e59aceb027112f23a55f0133400e upstream.

A slave-timer instance has no timer reference, and this results in
NULL-dereference at stopping the timer, typically called at closing
the device.

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=40682

Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/core/timer.c | 2 ++

1 file changed, 2 insertions(+)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 5040c7b..ecb2dd5 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -530,6 +530,8 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
if (err < 0)
return err;
timer = timeri->timer;
+ if (!timer)
+ return -EINVAL;
spin_lock_irqsave(&timer->lock, flags);
timeri->cticks = timeri->ticks;
timeri->pticks = 0;

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Dan Rosenberg <drose...@vsecurity.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream.

Fix several security issues in Alpha-specific syscalls. Untested, but
mostly trivial.

1. Signedness issue in osf_getdomainname allows copying out-of-bounds
kernel memory to userland.

2. Signedness issue in osf_sysinfo allows copying large amounts of
kernel memory to userland.

3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
size, allowing copying large amounts of kernel memory to userland.

4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
privilege escalation via writing return value of sys_wait4 to kernel
memory.

Signed-off-by: Dan Rosenberg <drose...@vsecurity.com>
Cc: Richard Henderson <r...@twiddle.net>
Cc: Ivan Kokshaysky <i...@jurassic.park.msu.ru>
Cc: Matt Turner <matt...@gmail.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/alpha/kernel/osf_sys.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
index de9d397..57825bb 100644
--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -432,7 +432,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
return -EFAULT;

len = namelen;
- if (namelen > 32)
+ if (len > 32)
len = 32;

down_read(&uts_sem);
@@ -619,7 +619,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
down_read(&uts_sem);
res = sysinfo_table[offset];
len = strlen(res)+1;
- if (len > count)
+ if ((unsigned long)len > (unsigned long)count)
len = count;
if (copy_to_user(buf, res, len))
err = -EFAULT;
@@ -674,7 +674,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
return 1;

case GSI_GET_HWRPB:
- if (nbytes < sizeof(*hwrpb))
+ if (nbytes > sizeof(*hwrpb))
return -EINVAL;
if (copy_to_user(buffer, hwrpb, nbytes) != 0)
return -EFAULT;
@@ -1036,6 +1036,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
{
struct rusage r;
long ret, err;
+ unsigned int status = 0;
mm_segment_t old_fs;

if (!ur)
@@ -1044,13 +1045,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
old_fs = get_fs();

set_fs (KERNEL_DS);
- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
+ ret = sys_wait4(pid, (unsigned int __user *) &status, options,
+ (struct rusage __user *) &r);
set_fs (old_fs);

if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
return -EFAULT;

err = 0;
+ err |= put_user(status, ustatus);
err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Anton Blanchard <an...@samba.org>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 966728dd88b4026ec58fee169ccceaeaf56ef120 upstream.

I have a box that fails in OF during boot with:

DEFAULT CATCH!, exception-handler=fff00400
at %SRR0: 49424d2c4c6f6768 %SRR1: 800000004000b002

ie "IBM,Logh". OF got corrupted with a device tree string.

Looking at make_room and alloc_up, we claim the first chunk (1 MB)
but we never claim any more. mem_end is always set to alloc_top
which is the top of our available address space, guaranteeing we will
never call alloc_up and claim more memory.

Also alloc_up wasn't setting alloc_bottom to the bottom of the
available address space.

This doesn't help the box to boot, but we at least fail with
an obvious error. We could relocate the device tree in a future
patch.

Signed-off-by: Anton Blanchard <an...@samba.org>
Signed-off-by: Benjamin Herrenschmidt <be...@kernel.crashing.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/powerpc/kernel/prom_init.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
index 97d4bd9..2731a27 100644
--- a/arch/powerpc/kernel/prom_init.c
+++ b/arch/powerpc/kernel/prom_init.c
@@ -968,7 +968,7 @@ static unsigned long __init alloc_up(unsigned long size, unsigned long align)
}
if (addr == 0)
return 0;
- RELOC(alloc_bottom) = addr;
+ RELOC(alloc_bottom) = addr + size;

prom_debug(" -> %x\n", addr);
prom_debug(" alloc_bottom : %x\n", RELOC(alloc_bottom));
@@ -1782,7 +1782,7 @@ static void __init *make_room(unsigned long *mem_start, unsigned long *mem_end,
chunk = alloc_up(room, 0);
if (chunk == 0)
prom_panic("No memory for flatten_device_tree (claim failed)");
- *mem_end = RELOC(alloc_top);
+ *mem_end = chunk + room;
}

ret = (void *)*mem_start;
@@ -2001,7 +2001,7 @@ static void __init flatten_device_tree(void)
mem_start = (unsigned long)alloc_up(room, PAGE_SIZE);
if (mem_start == 0)
prom_panic("Can't allocate initial device-tree chunk\n");
- mem_end = RELOC(alloc_top);
+ mem_end = mem_start + room;

/* Get root of tree */
root = call_prom("peer", 1, 1, (phandle)0);

Paul Gortmaker

unread,

May 14, 2012, 10:40:04 PM5/14/12

to

From: Julia Lawall <ju...@diku.dk>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 66a89b2164e2d30661edbd1953eacf0594d8203a upstream.

rs_resp is dynamically allocated in aem_read_sensor(), so it should be freed
before exiting in every case. This collects the kfree and the return at
the end of the function.

Signed-off-by: Julia Lawall <ju...@diku.dk>
Signed-off-by: Guenter Roeck <guente...@ericsson.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/hwmon/ibmaem.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
index eaee546..fd4dbef 100644
--- a/drivers/hwmon/ibmaem.c
+++ b/drivers/hwmon/ibmaem.c
@@ -430,13 +430,15 @@ static int aem_read_sensor(struct aem_data *data, u8 elt, u8 reg,
aem_send_message(ipmi);

res = wait_for_completion_timeout(&ipmi->read_complete, IPMI_TIMEOUT);
- if (!res)
- return -ETIMEDOUT;
+ if (!res) {
+ res = -ETIMEDOUT;
+ goto out;
+ }

if (ipmi->rx_result || ipmi->rx_msg_len != rs_size ||
memcmp(&rs_resp->id, &system_x_id, sizeof(system_x_id))) {
- kfree(rs_resp);
- return -ENOENT;
+ res = -ENOENT;
+ goto out;
}

switch (size) {
@@ -461,8 +463,11 @@ static int aem_read_sensor(struct aem_data *data, u8 elt, u8 reg,
break;
}
}
+ res = 0;

- return 0;
+out:
+ kfree(rs_resp);
+ return res;
}

/* Update AEM energy registers */

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Nick Bowler <nbo...@elliptictech.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit a871e4f5519d8c52430052e1d340dd5710eb5ad6 upstream.

Connecting the V2M to a Linux host results in a constant stream of
errors spammed to the console, all of the form

sd 1:0:0:0: ioctl_internal_command return code = 8070000
: Sense Key : 0x4 [current]
: ASC=0x0 ASCQ=0x0

The errors appear to be otherwise harmless. Add an unusual_devs entry
which eliminates all of the error messages.

Signed-off-by: Nick Bowler <nbo...@elliptictech.com>

Acked-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

[PG: 2.6.34 uses US_ prefix, not USB_ prefix, change accordingly]

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/storage/unusual_devs.h | 10 ++++++++++

1 file changed, 10 insertions(+)

diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index a33e2ba..ee5a8ba 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1972,6 +1972,16 @@ UNUSUAL_DEV( 0x4146, 0xba01, 0x0100, 0x0100,
"Micro Mini 1GB",
US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_NOT_LOCKABLE ),

+/*
+ * Nick Bowler <nbo...@elliptictech.com>
+ * SCSI stack spams (otherwise harmless) error messages.
+ */
+UNUSUAL_DEV( 0xc251, 0x4003, 0x0100, 0x0100,
+ "Keil Software, Inc.",
+ "V2M MotherBoard",
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+ US_FL_NOT_LOCKABLE),
+
/* Reported by Andrew Simmons <andrew....@gmail.com> */
UNUSUAL_DEV( 0xed06, 0x4500, 0x0001, 0x0001,
"DataStor",

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: "Stephen M. Cameron" <scam...@beardog.cce.hp.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 07d0c38e7d84f911c72058a124c7f17b3c779a65 upstream.

Most smartarrays will tolerate it, but some new ones don't.

Signed-off-by: Stephen M. Cameron <scam...@beardog.cce.hp.com>

Note: this is a regression caused by commit 1ddd5049
Signed-off-by: Jens Axboe <jax...@fusionio.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/block/cciss.h | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
index 37a2d4f..759cbd9 100644
--- a/drivers/block/cciss.h
+++ b/drivers/block/cciss.h
@@ -173,7 +173,7 @@ static void SA5_submit_command( ctlr_info_t *h, CommandList_struct *c)
printk("Sending %x - down to controller\n", c->busaddr );
#endif /* CCISS_DEBUG */
writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
- readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
+ readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
h->commands_outstanding++;
if ( h->commands_outstanding > h->max_outstanding)
h->max_outstanding = h->commands_outstanding;

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Luca Tettamanti <kron...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit bc1f419c76a2d6450413ce4349f4e4a07be011d5 upstream.

i8k uses lahf to read the flag register in 64-bit code; early x86-64
CPUs, however, lack this instruction and we get an invalid opcode
exception at runtime.
Use pushf to load the flag register into the stack instead.

Signed-off-by: Luca Tettamanti <kron...@gmail.com>
Reported-by: Jeff Rickman <jric...@myamigos.us>
Tested-by: Jeff Rickman <jric...@myamigos.us>
Tested-by: Harry G McGavran Jr <w5...@arrl.net>
Cc: Massimo Dal Zotto <d...@debian.org>
Signed-off-by: Jean Delvare <kh...@linux-fr.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/char/i8k.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c
index 4365717..1e116ac 100644
--- a/drivers/char/i8k.c
+++ b/drivers/char/i8k.c
@@ -138,8 +138,8 @@ static int i8k_smm(struct smm_regs *regs)
"movl %%edi,20(%%rax)\n\t"
"popq %%rdx\n\t"
"movl %%edx,0(%%rax)\n\t"
- "lahf\n\t"
- "shrl $8,%%eax\n\t"
+ "pushfq\n\t"
+ "popq %%rax\n\t"
"andl $1,%%eax\n"
:"=a"(rc)
: "a"(regs)

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Maxim Nikulin <m.a.n...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 4f1a7a3e78037721496283ea3e87cfefc64d99c7 upstream.

Assign operator instead of equality test in the usbtmc_ioctl_abort_bulk_in() function.

Signed-off-by: Maxim A. Nikulin <M.A.N...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/class/usbtmc.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 3e7c1b8..cdce915 100644
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -268,7 +268,7 @@ usbtmc_abort_bulk_in_status:
dev_err(dev, "usb_bulk_msg returned %d\n", rv);
goto exit;
}
- } while ((actual = max_size) &&
+ } while ((actual == max_size) &&
(n < USBTMC_MAX_READS_TO_CLEAR_BULK_IN));

if (actual == max_size) {

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Chas Williams <ch...@cmf.nrl.navy.mil>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit a08af810cdc29d2ca930e8a869d3d01744c392d8 upstream.

Reported-by: Pascal Hambourg <pas...@plouf.fr.eu.org>
Signed-off-by: Chas Williams <ch...@cmf.nrl.navy.mil>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

net/atm/br2684.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index d6c7cea..f3bae14 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -205,8 +205,6 @@ static int br2684_xmit_vcc(struct sk_buff *skb, struct net_device *dev,
if (brdev->payload == p_bridged) {
skb_push(skb, 2);
memset(skb->data, 0, 2);
- } else { /* p_routed */
- skb_pull(skb, ETH_HLEN);
}
}
skb_debug(skb);

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Jan Kara <ja...@suse.cz>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 upstream.

Block allocation is called from two places: ext3_get_blocks_handle() and
ext3_xattr_block_set(). These two callers are not necessarily synchronized
because xattr code holds only xattr_sem and i_mutex, and
ext3_get_blocks_handle() may hold only truncate_mutex when called from
writepage() path. Block reservation code does not expect two concurrent
allocations to happen to the same inode and thus assertions can be triggered
or reservation structure corruption can occur.

Fix the problem by taking truncate_mutex in xattr code to serialize
allocations.

CC: Sage Weil <sa...@newdream.net>
Reported-by: Fyodor Ustinov <u...@ufm.su>
Signed-off-by: Jan Kara <ja...@suse.cz>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Michael Neuling <mi...@neuling.org>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 63f21a56f1cc0b800a4c00349c59448f82473d19 upstream.

The existing code it pretty ugly. How about we clean it up even more
like this?

From: Anton Blanchard <an...@samba.org>

We check for timeout expiry in the outer loop, but we also need to
check it in the inner loop or we can lock up forever waiting for a
CPU to hit real mode.

Signed-off-by: Anton Blanchard <an...@samba.org>
Signed-off-by: Michael Neuling <mi...@neuling.org>
Signed-off-by: Benjamin Herrenschmidt <be...@kernel.crashing.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/powerpc/kernel/crash.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
index ddf1fea..d2f619b 100644
--- a/arch/powerpc/kernel/crash.c
+++ b/arch/powerpc/kernel/crash.c
@@ -176,12 +176,8 @@ static void crash_kexec_wait_realmode(int cpu)

while (paca[i].kexec_state < KEXEC_STATE_REAL_MODE) {
barrier();
- if (!cpu_possible(i)) {
+ if (!cpu_possible(i) || !cpu_online(i) || (msecs <= 0))
break;
- }
- if (!cpu_online(i)) {
- break;
- }
msecs--;
mdelay(1);

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Christian Lamparter <chun...@googlemail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 9368a9a2378ab721f82f59430a135b4ce4ff5109 upstream.

Reported-by: Mark Davis <mark...@gmail.com>
Signed-off-by: Christian Lamparter <chun...@googlemail.com>
Signed-off-by: John W. Linville <linv...@tuxdriver.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/net/wireless/p54/p54usb.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
index 3317906d..0f2ff34 100644
--- a/drivers/net/wireless/p54/p54usb.c
+++ b/drivers/net/wireless/p54/p54usb.c
@@ -82,6 +82,7 @@ static struct usb_device_id p54u_table[] __devinitdata = {
{USB_DEVICE(0x06b9, 0x0121)}, /* Thomson SpeedTouch 121g */
{USB_DEVICE(0x0707, 0xee13)}, /* SMC 2862W-G version 2 */
{USB_DEVICE(0x083a, 0x4521)}, /* Siemens Gigaset USB Adapter 54 version 2 */
+ {USB_DEVICE(0x083a, 0xc501)}, /* Zoom Wireless-G 4410 */
{USB_DEVICE(0x083a, 0xf503)}, /* Accton FD7050E ver 1010ec */
{USB_DEVICE(0x0846, 0x4240)}, /* Netgear WG111 (v2) */
{USB_DEVICE(0x0915, 0x2000)}, /* Cohiba Proto board */

Paul Gortmaker

unread,

May 14, 2012, 10:40:04 PM5/14/12

to

From: Sarah Sharp <sarah....@linux.intel.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit b513d44751bfb609a3c20463f764c8ce822d63e9 upstream.

Dmitry's patch

dfa49c4ad120a784ef1ff0717168aa79f55a483a USB: xhci - fix math in xhci_get_endpoint_interval()

introduced a bug. The USB 2.0 spec says that full speed isochronous endpoints'
bInterval must be decoded as an exponent to a power of two (e.g. interval =
2^(bInterval - 1)). Full speed interrupt endpoints, on the other hand, don't
use exponents, and the interval in frames is encoded straight into bInterval.

Dmitry's patch was supposed to fix up the full speed isochronous to parse
bInterval as an exponent, but instead it changed the *interrupt* endpoint
bInterval decoding. The isochronous endpoint encoding was the same.

This caused full speed devices with interrupt endpoints (including mice, hubs,
and USB to ethernet devices) to fail under NEC 0.96 xHCI host controllers:

[ 100.909818] xhci_hcd 0000:06:00.0: add ep 0x83, slot id 1, new drop flags = 0x0, new add flags = 0x99, new slot info = 0x38100000
[ 100.909821] xhci_hcd 0000:06:00.0: xhci_check_bandwidth called for udev ffff88011f0ea000
...
[ 100.910187] xhci_hcd 0000:06:00.0: ERROR: unexpected command completion code 0x11.
[ 100.910190] xhci_hcd 0000:06:00.0: xhci_reset_bandwidth called for udev ffff88011f0ea000

When the interrupt endpoint was added and a Configure Endpoint command was
issued to the host, the host controller would return a very odd error message
(0x11 means "Slot Not Enabled", which isn't true because the slot was enabled).
Probably the host controller was getting very confused with the bad encoding.

Signed-off-by: Sarah Sharp <sarah....@linux.intel.com>
Cc: Dmitry Torokhov <dt...@vmware.com>
Reported-by: Thomas Lindroth <thomas....@gmail.com>
Tested-by: Thomas Lindroth <thomas....@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/host/xhci-mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 54a538d..05b5c34 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -608,12 +608,12 @@ static inline unsigned int xhci_get_endpoint_interval(struct usb_device *udev,
break;

case USB_SPEED_FULL:
- if (usb_endpoint_xfer_int(&ep->desc)) {
+ if (usb_endpoint_xfer_isoc(&ep->desc)) {
interval = xhci_parse_exponent_interval(udev, ep);
break;
}
/*
- * Fall through for isochronous endpoint interval decoding
+ * Fall through for interrupt endpoint interval decoding
* since it uses the same rules as low speed interrupt
* endpoints.

Paul Gortmaker

unread,

May 14, 2012, 10:40:02 PM5/14/12

to

From: Jeff Layton <jla...@redhat.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d upstream.

cifs_find_smb_ses assumes that the vol->password field is a valid
pointer, but that's only the case if a password was passed in via
the options string. It's possible that one won't be if there is
no mount helper on the box.

Reported-by: diabel <gacek...@wp.pl>
Signed-off-by: Jeff Layton <jla...@redhat.com>
Signed-off-by: Steve French <sfr...@us.ibm.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

fs/cifs/connect.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 4e134a7..0fbc8d2 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1609,7 +1609,8 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
MAX_USERNAME_SIZE))
continue;
if (strlen(vol->username) != 0 &&
- strncmp(ses->password, vol->password,
+ strncmp(ses->password,
+ vol->password ? vol->password : "",
MAX_PASSWORD_SIZE))
continue;

Paul Gortmaker

unread,

May 14, 2012, 10:40:03 PM5/14/12

to

From: Daniel Mack <zon...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit f4389489b5cbe60b3441869c68bb4afe760969c4 upstream.

Signed-off-by: Daniel Mack <zon...@gmail.com>
Reported-by: Renato <nare...@gmail.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/usb/caiaq/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/caiaq/input.c b/sound/usb/caiaq/input.c
index a48d309..c93e1aa 100644
--- a/sound/usb/caiaq/input.c
+++ b/sound/usb/caiaq/input.c
@@ -28,7 +28,7 @@ static unsigned short keycode_ak1[] = { KEY_C, KEY_B, KEY_A };
static unsigned short keycode_rk2[] = { KEY_1, KEY_2, KEY_3, KEY_4,
KEY_5, KEY_6, KEY_7 };
static unsigned short keycode_rk3[] = { KEY_1, KEY_2, KEY_3, KEY_4,
- KEY_5, KEY_6, KEY_7, KEY_5, KEY_6 };
+ KEY_5, KEY_6, KEY_7, KEY_8, KEY_9 };

static unsigned short keycode_kore[] = {
KEY_FN_F1, /* "menu" */

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Benedek László <bene...@gmail.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 37909fe588c9e09ab57cd267e98678a17ceda64a upstream.

Adding support for the TavIR STK500 (id 0403:FA33)
Atmel AVR programmer device based on FTDI FT232RL.

Signed-off-by: Benedek László <bene...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 5 +++++
2 files changed, 6 insertions(+)

diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 7d0107a..eac7330 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -570,6 +570,7 @@ static struct usb_device_id id_table_combined [] = {
{ USB_DEVICE(FTDI_VID, FTDI_IBS_APP70_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_IBS_PEDO_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_IBS_PROD_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_TAVIR_STK500_PID) },
/*
* ELV devices:
*/
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index aaeb159..a644665 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -491,6 +491,11 @@
/* www.canusb.com Lawicel CANUSB device (FTDI_VID) */
#define FTDI_CANUSB_PID 0xFFA8 /* Product Id */

+/*
+ * TavIR AVR product ids (FTDI_VID)
+ */
+#define FTDI_TAVIR_STK500_PID 0xFA33 /* STK500 AVR programmer */
+

/********************************/

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Alan Stern <st...@rowland.harvard.edu>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 6ea12a04d295235ed67010a09fdea58c949e3eb0 upstream.

The NVIDIA series of OHCI controllers continues to be troublesome. A
few people using the MCP67 chipset have reported that even with the
most recent kernels, the OHCI controller fails to handle new
connections and spams the system log with "unable to enumerate USB
port" messages. This is different from the other problems previously
reported for NVIDIA OHCI controllers, although it is probably related.

It turns out that the MCP67 controller does not like to be kept in the
RESET state very long. After only a few seconds, it decides not to
work any more. This patch (as1479) changes the PCI initialization
quirk code so that NVIDIA controllers are switched into the SUSPEND
state after 50 ms of RESET. With no interrupts enabled and all the
downstream devices reset, and thus unable to send wakeup requests,
this should be perfectly safe (even for non-NVIDIA hardware).

The removal code in ohci-hcd hasn't been changed; it will still leave
the controller in the RESET state. As a result, if someone unloads
ohci-hcd and then reloads it, the controller won't work again until
the system is rebooted. If anybody complains about this, the removal
code can be updated similarly.

This fixes Bugzilla #22052.

Tested-by: Larry Finger <Larry....@lwfinger.net>
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>

Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/host/pci-quirks.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)

diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
index 464ed97..bcf7a88 100644
--- a/drivers/usb/host/pci-quirks.c
+++ b/drivers/usb/host/pci-quirks.c
@@ -34,6 +34,8 @@
#define OHCI_INTRSTATUS 0x0c
#define OHCI_INTRENABLE 0x10
#define OHCI_INTRDISABLE 0x14
+#define OHCI_FMINTERVAL 0x34
+#define OHCI_HCR (1 << 0) /* host controller reset */
#define OHCI_OCR (1 << 3) /* ownership change request */
#define OHCI_CTRL_RWC (1 << 9) /* remote wakeup connected */
#define OHCI_CTRL_IR (1 << 8) /* interrupt routing */
@@ -204,6 +206,32 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)

/* reset controller, preserving RWC (and possibly IR) */
writel(control & OHCI_CTRL_MASK, base + OHCI_CONTROL);
+ readl(base + OHCI_CONTROL);
+
+ /* Some NVIDIA controllers stop working if kept in RESET for too long */
+ if (pdev->vendor == PCI_VENDOR_ID_NVIDIA) {
+ u32 fminterval;
+ int cnt;
+
+ /* drive reset for at least 50 ms (7.1.7.5) */
+ msleep(50);
+
+ /* software reset of the controller, preserving HcFmInterval */
+ fminterval = readl(base + OHCI_FMINTERVAL);
+ writel(OHCI_HCR, base + OHCI_CMDSTATUS);
+
+ /* reset requires max 10 us delay */
+ for (cnt = 30; cnt > 0; --cnt) { /* ... allow extra time */
+ if ((readl(base + OHCI_CMDSTATUS) & OHCI_HCR) == 0)
+ break;
+ udelay(1);
+ }
+ writel(fminterval, base + OHCI_FMINTERVAL);
+
+ /* Now we're in the SUSPEND state with all devices reset
+ * and wakeups and interrupts disabled
+ */
+ }

/*
* disable interrupts

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Milton Miller <mil...@bga.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 3d2cea732d68aa270c360f55d8669820ebce188a upstream.

Commit 1fc711f7ffb01089efc58042cfdbac8573d1b59a (powerpc/kexec: Fix race
in kexec shutdown) moved the write to signal the cpu had exited the kernel
from before the transition to real mode in kexec_smp_wait to kexec_wait.

Unfornately it missed that kexec_wait is used both by cpus leaving the
kernel and by secondary slave cpus that were not allocated a paca for
what ever reason -- they could be beyond nr_cpus or not described in
the current device tree for whatever reason (for example, kexec-load
was not refreshed after a cpu hotplug operation). Cpus coming through
that path they will write to paca[NR_CPUS] which is beyond the space
allocated for the paca data and overwrite memory not allocated to pacas
but very likely still real mode accessable).

Move the write back to kexec_smp_wait, which is used only by cpus that
found their paca, but after the transition to real mode.

Signed-off-by: Milton Miller <mil...@bga.com>
Signed-off-by: Benjamin Herrenschmidt <be...@kernel.crashing.org>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

arch/powerpc/kernel/misc_64.S | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
index a2b18df..9161338 100644
--- a/arch/powerpc/kernel/misc_64.S
+++ b/arch/powerpc/kernel/misc_64.S
@@ -463,7 +463,8 @@ _GLOBAL(disable_kernel_fp)
* wait for the flag to change, indicating this kernel is going away but
* the slave code for the next one is at addresses 0 to 100.
*
- * This is used by all slaves.
+ * This is used by all slaves, even those that did not find a matching
+ * paca in the secondary startup code.
*
* Physical (hardware) cpu id should be in r3.
*/
@@ -472,10 +473,6 @@ _GLOBAL(kexec_wait)
1: mflr r5
addi r5,r5,kexec_flag-1b

- li r4,KEXEC_STATE_REAL_MODE
- stb r4,PACAKEXECSTATE(r13)
- SYNC
-
99: HMT_LOW
#ifdef CONFIG_KEXEC /* use no memory without kexec */
lwz r4,0(r5)
@@ -500,11 +497,17 @@ kexec_flag:
*
* get phys id from paca
* switch to real mode
+ * mark the paca as no longer used
* join other cpus in kexec_wait(phys_id)
*/
_GLOBAL(kexec_smp_wait)
lhz r3,PACAHWCPUID(r13)
bl real_mode
+
+ li r4,KEXEC_STATE_REAL_MODE
+ stb r4,PACAKEXECSTATE(r13)
+ SYNC
+
b .kexec_wait

/*

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Mark Brown <bro...@opensource.wolfsonmicro.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit e999dc50404d401150a5429b6459473a691fd1a0 upstream.

The Blackfin DMA controller can report one frame beyond the end of the
buffer in the wraparound case but ALSA requires that the pointer always
be in the buffer. Do the wraparound to handle this. A similar bug is
likely to apply to the other Blackfin PCM drivers but the code is less
obvious to inspection and I don't have a user to test.

Reported-by: Kieran O'Leary <Kieran.O'Le...@wolfsonmicro.com>
Acked-by: Liam Girdwood <l...@ti.com>
Signed-off-by: Mark Brown <bro...@opensource.wolfsonmicro.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

sound/soc/blackfin/bf5xx-i2s-pcm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sound/soc/blackfin/bf5xx-i2s-pcm.c b/sound/soc/blackfin/bf5xx-i2s-pcm.c
index 1d2a1ad..9aa41b1 100644
--- a/sound/soc/blackfin/bf5xx-i2s-pcm.c
+++ b/sound/soc/blackfin/bf5xx-i2s-pcm.c
@@ -139,11 +139,20 @@ static snd_pcm_uframes_t bf5xx_pcm_pointer(struct snd_pcm_substream *substream)
pr_debug("%s enter\n", __func__);
if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
diff = sport_curr_offset_tx(sport);
- frames = bytes_to_frames(substream->runtime, diff);
} else {
diff = sport_curr_offset_rx(sport);
- frames = bytes_to_frames(substream->runtime, diff);
}
+
+ /*
+ * TX at least can report one frame beyond the end of the
+ * buffer if we hit the wraparound case - clamp to within the
+ * buffer as the ALSA APIs require.
+ */
+ if (diff == snd_pcm_lib_buffer_bytes(substream))
+ diff = 0;
+
+ frames = bytes_to_frames(substream->runtime, diff);
+
return frames;

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Hans Verkuil <hans.v...@cisco.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit a024c1a6b274e11596d124619e43c25560f64c01 upstream.

Fix typo: g_tuner should have been s_tuner.

Tested with a bttv card.

Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@redhat.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/media/video/bt8xx/bttv-driver.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/video/bt8xx/bttv-driver.c b/drivers/media/video/bt8xx/bttv-driver.c
index f4860f0..62502ff 100644
--- a/drivers/media/video/bt8xx/bttv-driver.c
+++ b/drivers/media/video/bt8xx/bttv-driver.c
@@ -3530,7 +3530,7 @@ static int radio_s_tuner(struct file *file, void *priv,
if (0 != t->index)
return -EINVAL;

- bttv_call_all(btv, tuner, g_tuner, t);
+ bttv_call_all(btv, tuner, s_tuner, t);
return 0;

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Vasiliy Kulikov <seg...@openwall.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 819cbb120eaec7e014e5abd029260db1ca8c5735 upstream.

driver_name and board_name are pointers to strings, not buffers of size
COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing
less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes.

Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/staging/comedi/comedi_fops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index aca9674..ac6527c 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -362,8 +362,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev,
/* fill devinfo structure */
devinfo.version_code = COMEDI_VERSION_CODE;
devinfo.n_subdevs = dev->n_subdevices;
- memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
- memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
+ strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
+ strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);

if (read_subdev)
devinfo.read_subdevice = read_subdev - dev->subdevices;

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: steven finney <Steven...@palm.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit 98586ed8b8878e10691203687e89a42fa3355300 upstream.

When a CPU is taken offline in an SMP system, cpufreq_remove_dev()
nulls out the per-cpu policy before cpufreq_stats_free_table() can
make use of it. cpufreq_stats_free_table() then skips the
call to sysfs_remove_group(), leaving about 100 bytes of sysfs-related
memory unclaimed each time a CPU-removal occurs. Break up
cpu_stats_free_table into sysfs and table portions, and
call the sysfs portion early.

Signed-off-by: Steven Finney <steven...@palm.com>
Signed-off-by: Dave Jones <da...@redhat.com>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/cpufreq/cpufreq_stats.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c
index 00d73fc..4f1b8de 100644
--- a/drivers/cpufreq/cpufreq_stats.c
+++ b/drivers/cpufreq/cpufreq_stats.c
@@ -165,17 +165,27 @@ static int freq_table_get_index(struct cpufreq_stats *stat, unsigned int freq)
return -1;
}

+/* should be called late in the CPU removal sequence so that the stats
+ * memory is still available in case someone tries to use it.
+ */
static void cpufreq_stats_free_table(unsigned int cpu)
{
struct cpufreq_stats *stat = per_cpu(cpufreq_stats_table, cpu);
- struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
- if (policy && policy->cpu == cpu)
- sysfs_remove_group(&policy->kobj, &stats_attr_group);
if (stat) {
kfree(stat->time_in_state);
kfree(stat);
}
per_cpu(cpufreq_stats_table, cpu) = NULL;
+}
+
+/* must be called early in the CPU removal sequence (before
+ * cpufreq_remove_dev) so that policy is still valid.
+ */
+static void cpufreq_stats_free_sysfs(unsigned int cpu)
+{
+ struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
+ if (policy && policy->cpu == cpu)
+ sysfs_remove_group(&policy->kobj, &stats_attr_group);
if (policy)
cpufreq_cpu_put(policy);
}
@@ -316,6 +326,9 @@ static int __cpuinit cpufreq_stat_cpu_callback(struct notifier_block *nfb,
case CPU_ONLINE_FROZEN:
cpufreq_update_policy(cpu);
break;
+ case CPU_DOWN_PREPARE:
+ cpufreq_stats_free_sysfs(cpu);
+ break;
case CPU_DEAD:
case CPU_DEAD_FROZEN:
cpufreq_stats_free_table(cpu);
@@ -324,9 +337,11 @@ static int __cpuinit cpufreq_stat_cpu_callback(struct notifier_block *nfb,
return NOTIFY_OK;
}

+/* priority=1 so this will get called before cpufreq_remove_dev */
static struct notifier_block cpufreq_stat_cpu_notifier __refdata =
{
.notifier_call = cpufreq_stat_cpu_callback,
+ .priority = 1,
};

static struct notifier_block notifier_policy_block = {

Paul Gortmaker

unread,

May 14, 2012, 10:50:02 PM5/14/12

to

From: Jean-Christophe PLAGNIOL-VILLARD <plag...@jcrosoft.com>

-------------------
This is a commit scheduled for the next v2.6.34 longterm release.
http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git
If you see a problem with using this for longterm, please comment.
-------------------

commit bf1f0a05d472e33dda8e5e69525be1584cdbd03a upstream.

on 9g20 they are the same as the 9260

Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plag...@jcrosoft.com>
Acked-by: Nicolas Ferre <nicola...@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

Signed-off-by: Paul Gortmaker <paul.go...@windriver.com>
---

drivers/usb/gadget/at91_udc.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/at91_udc.c b/drivers/usb/gadget/at91_udc.c
index df1bae9..ad617d9 100644
--- a/drivers/usb/gadget/at91_udc.c
+++ b/drivers/usb/gadget/at91_udc.c
@@ -1694,7 +1694,7 @@ static int __init at91udc_probe(struct platform_device *pdev)
}

/* newer chips have more FIFO memory than rm9200 */
- if (cpu_is_at91sam9260()) {
+ if (cpu_is_at91sam9260() || cpu_is_at91sam9g20()) {
udc->ep[0].maxpacket = 64;
udc->ep[3].maxpacket = 64;
udc->ep[4].maxpacket = 512;