commit cd1b44e9d1843228414295e843ef208a72c44b58
Author: Ben Hutchings
Date:   Wed Feb 20 03:15:40 2013 +0000

    Linux 3.2.39

commit 9a9adb457bc2665cac647e4c90d76acf23f1a65e
Author: Jan Beulich
Date:   Thu Jan 24 13:11:10 2013 +0000

    x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.

    commit 13d2b4d11d69a92574a55bfd985cfb0ca77aebdc upstream.

    This fixes CVE-2013-0228 / XSA-42

    Drew Jones while working on CVE-2013-0190 found that that unprivileged
    guest user in 32bit PV guest can use to crash the guest with the panic
    like this:

    -------------
    general protection fault: 0000 [#1] SMP
    last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
    Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4 mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

    Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
    EIP: 0061:[] EFLAGS: 00010086 CPU: 0
    EIP is at xen_iret+0x12/0x2b
    EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
    ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
     DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
    Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
    Stack:
     00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
    Call Trace:
    Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00 8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40 10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
    EIP: [] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
    general protection fault: 0000 [#2]
    ---[ end trace ab0d29a492dcd330 ]---
    Kernel panic - not syncing: Fatal exception
    Pid: 1250, comm: r Tainted: G D --------------- 2.6.32-356.el6.i686 #1
    Call Trace:
     [] ? panic+0x6e/0x122
     [] ? oops_end+0xbc/0xd0
     [] ? do_general_protection+0x0/0x210
     [] ? error_code+0x73/
    -------------

    Petr says: "
     I've analysed the bug and I think that xen_iret() cannot cope with
     mangled DS, in this case zeroed out (null selector/descriptor) by
     either xen_failsafe_callback() or RESTORE_REGS because the
     corresponding LDT entry was invalidated by the reproducer. "

    Jan took a look at the preliminary patch and came up with a fix that
    solves this problem:

    "This code gets called after all registers other than those handled
    by IRET got already restored, hence a null selector in %ds or a
    non-null one that got loaded from a code or read-only data descriptor
    would cause a kernel mode fault (with the potential of crashing the
    kernel as a whole, if panic_on_oops is set)."

    The way to fix this is to realize that we can only rely on the
    registers that IRET restores. The two that are guaranteed are the
    %cs and %ss as they are always fixed GDT selectors. Also they are
    inaccessible from user mode - so they cannot be altered. This is
    the approach taken in this patch.

    Another alternative option suggested by Jan would be to rely on
    the subtle realization that using the %ebp or %esp relative references
    uses the %ss segment. In which case we could switch from using %eax
    to %ebp and would not need the %ss over-rides. That would also require
    one extra instruction to compensate for the one place where the
    register is used as scaled index. However Andrew pointed out that is
    too subtle and if further work was to be done in this code-path it
    could escape folks' attention and lead to accidents.

    Reviewed-by: Petr Matousek
    Reported-by: Petr Matousek
    Reviewed-by: Andrew Cooper
    Signed-off-by: Jan Beulich
    Signed-off-by: Konrad Rzeszutek Wilk
    Signed-off-by: Ben Hutchings

commit 8c94017dc1f59e33636238d16afdf3848e5e57c7
Author: Nithin Nayak Sujir
Date:   Mon Jan 14 17:11:00 2013 +0000

    tg3: Fix crc errors on jumbo frame receive

    [ Upstream commit daf3ec688e057f6060fb9bb0819feac7a8bbf45c ]

    TG3_PHY_AUXCTL_SMDSP_ENABLE/DISABLE macros do a blind write to the phy
    auxiliary control register and overwrite the EXT_PKT_LEN (bit 14)
    resulting in intermittent crc errors on jumbo frames with some link
    partners. Change the code to do a read/modify/write.

    Signed-off-by: Nithin Nayak Sujir
    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit ac7551bedf950ef638df23badb0df0a7ca8045fd
Author: Nithin Nayak Sujir
Date:   Mon Jan 14 17:10:59 2013 +0000

    tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode

    [ Upstream commit 9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 ]

    When netconsole is enabled, logging messages generated during tg3_open
    can result in a null pointer dereference for the uninitialized tg3
    status block. Use the irq_sync flag to disable polling in the early
    stages. irq_sync is cleared when the driver is enabling interrupts
    after all initialization is completed.

    Signed-off-by: Nithin Nayak Sujir
    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 335c3391c34f5a607ca63d606f9b2d9f747bab4a
Author: Sarveshwar Bandi
Date:   Wed Oct 10 01:15:01 2012 +0000

    bridge: Pull ip header into skb->data before looking into ip header.

    [ Upstream commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 ]

    If lower layer driver leaves the ip header in the skb fragment, it
    needs to be first pulled into skb->data before inspecting ip header
    length or ip version number.

    Signed-off-by: Sarveshwar Bandi
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit f507e6ef54020383b4012778606f84b1e22f4667
Author: Eric Dumazet
Date:   Sun Jan 6 18:21:49 2013 +0000

    tcp: fix MSG_SENDPAGE_NOTLAST logic

    [ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]

    commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push()
    once) added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set
    on all frags but the last one for a splice() call.

    The condition used to set the flag in pipe_to_sendpage() relied on
    splice() user passing the exact number of bytes present in the pipe,
    or a smaller one.

    But some programs pass an arbitrary high value, and the test fails.

    The effect of this bug is a lack of tcp_push() at the end of a
    splice(pipe -> socket) call, and possibly very slow or erratic TCP
    sessions.

    We should both test sd->total_len and fact that another fragment
    is in the pipe (pipe->nrbufs > 1)

    Many thanks to Willy for providing very clear bug report, bisection
    and test programs.

    Reported-by: Willy Tarreau
    Bisected-by: Willy Tarreau
    Tested-by: Willy Tarreau
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 4670ea19f63e7db7ca352e68e120e82e3c135fbb
Author: Ilpo Järvinen
Date:   Mon Feb 4 02:14:25 2013 +0000

    tcp: fix for zero packets_in_flight was too broad

    [ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ]

    There are transients during normal FRTO procedure during which
    the packets_in_flight can go to zero between write_queue state
    updates and firing the resulting segments out. As FRTO processing
    occurs during that window the check must be more precise to
    not match "spuriously" :-). More specifically, e.g., when
    packets_in_flight is zero but FLAG_DATA_ACKED is true the
    problematic branch that set cwnd into zero would not be taken
    and new segments might be sent out later.

    Signed-off-by: Ilpo Järvinen
    Tested-by: Eric Dumazet
    Acked-by: Neal Cardwell
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 50a3d765940ac3f88b82b7e6dca49824c4ad78fa
Author: Eric Dumazet
Date:   Sun Feb 3 09:13:05 2013 +0000

    tcp: frto should not set snd_cwnd to 0

    [ Upstream commit 2e5f421211ff76c17130b4597bc06df4eeead24f ]

    Commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start()) uncovered
    a bug in FRTO code : tcp_process_frto() is setting snd_cwnd to 0
    if the number of in flight packets is 0.

    As Neal pointed out, if no packet is in flight we lost our chance
    to disambiguate whether a loss timeout was spurious.

    We should assume it was a proper loss.

    Reported-by: Pasi Kärkkäinen
    Signed-off-by: Neal Cardwell
    Signed-off-by: Eric Dumazet
    Cc: Ilpo Järvinen
    Cc: Yuchung Cheng
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit adecb7c418057a934b327c1177d738e17f0cf98a
Author: Ian Campbell
Date:   Wed Feb 6 23:41:38 2013 +0000

    netback: correct netbk_tx_err to handle wrap around.

    [ Upstream commit b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 ]

    Signed-off-by: Ian Campbell
    Acked-by: Jan Beulich
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 79d2fa0811ed0dadeb745daa0067eb672ec12fb7
Author: Ian Campbell
Date:   Wed Feb 6 23:41:37 2013 +0000

    xen/netback: free already allocated memory on failure in xen_netbk_get_requests

    [ Upstream commit 4cc7c1cb7b11b6f3515bd9075527576a1eecc4aa ]

    Signed-off-by: Ian Campbell
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit dd4d2748d11f601975b78c88130bd274d3e90eb5
Author: Matthew Daley
Date:   Wed Feb 6 23:41:36 2013 +0000

    xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.

    [ Upstream commit 7d5145d8eb2b9791533ffe4dc003b129b9696c48 ]

    Signed-off-by: Matthew Daley
    Reviewed-by: Konrad Rzeszutek Wilk
    Acked-by: Ian Campbell
    Acked-by: Jan Beulich
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit e420e6f25d364f4b0547707a1949ac3a665f3f1b
Author: Ian Campbell
Date:   Wed Feb 6 23:41:35 2013 +0000

    xen/netback: shutdown the ring if it contains garbage.

    [ Upstream commit 48856286b64e4b66ec62b94e504d0b29c1ade664 ]

    A buggy or malicious frontend should not be able to confuse netback.
    If we spot anything which is not as it should be then shutdown the
    device and don't try to continue with the ring in a potentially
    hostile state. Well behaved and non-hostile frontends will not be
    penalised.

    As well as making the existing checks for such errors fatal also add
    a new check that ensures that there isn't an insane number of
    requests on the ring (i.e. more than would fit in the ring). If the
    ring contains garbage then previously it was possible to loop over
    this insane number, getting an error each time and therefore not
    generating any more pending requests and therefore not exiting the
    loop in xen_netbk_tx_build_gops for an extended period.

    Also turn various netdev_dbg calls which now precipitate a fatal
    error into netdev_err, they are rate limited because the device is
    shutdown afterwards.

    This fixes at least one known DoS/softlockup of the backend domain.

    Signed-off-by: Ian Campbell
    Reviewed-by: Konrad Rzeszutek Wilk
    Acked-by: Jan Beulich
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 26000e569ab304e835ebec586caefe3061e27c11
Author: Daniel Borkmann
Date:   Fri Feb 8 03:04:35 2013 +0000

    net: sctp: sctp_endpoint_free: zero out secret key data

    [ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ]

    On sctp_endpoint_destroy, previously used sensitive keying material
    should be zeroed out before the memory is returned, as we already do
    with e.g. auth keys when released.

    Signed-off-by: Daniel Borkmann
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 8f8623de49e036c4af246a7cfd9abdc1bb95cdea
Author: Daniel Borkmann
Date:   Fri Feb 8 03:04:34 2013 +0000

    net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree

    [ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ]

    In sctp_setsockopt_auth_key, we create a temporary copy of the user
    passed shared auth key for the endpoint or association and after
    internal setup, we free it right away. Since it's sensitive data, we
    should zero out the key before returning the memory back to the
    allocator. Thus, use kzfree instead of kfree, just as we do in
    sctp_auth_key_put().

    Signed-off-by: Daniel Borkmann
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 87deb9f94dedf6f69ccbd52031ddfe39a6ca4cf1
Author: Neil Horman
Date:   Thu Jan 17 11:15:08 2013 +0000

    sctp: refactor sctp_outq_teardown to insure proper re-initalization

    [ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ]

    Jamie Parsons reported a problem recently, in which the
    re-initialization of an association (The duplicate init case),
    resulted in a loss of receive window space. He tracked down the root
    cause to sctp_outq_teardown, which discarded all the data on an outq
    during a re-initialization of the corresponding association, but
    never reset the outq->outstanding_data field to zero. I wrote, and he
    tested this fix, which does a proper full re-initialization of the
    outq, fixing this problem, and hopefully future proofing us from
    similar issues down the road.

    Signed-off-by: Neil Horman
    Reported-by: Jamie Parsons
    Tested-by: Jamie Parsons
    CC: Jamie Parsons
    CC: Vlad Yasevich
    CC: "David S. Miller"
    CC: netdev@vger.kernel.org
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 386e01c13c41a0d773b698f9863dea0e4d11c387
Author: Heiko Carstens
Date:   Fri Feb 8 00:19:11 2013 +0000

    atm/iphase: rename fregt_t -> ffreg_t

    [ Upstream commit ab54ee80aa7585f9666ff4dd665441d7ce41f1e8 ]

    We have conflicting type qualifiers for "freg_t" in s390's ptrace.h
    and the iphase atm device driver, which causes the compile error
    below. Unfortunately the s390 typedef can't be renamed, since it's a
    user visible api, nor can I change the include order in s390 code to
    avoid the conflict.

    So simply rename the iphase typedef to a new name. Fixes this compile
    error:

    In file included from drivers/atm/iphase.c:66:0:
    drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
    In file included from next/arch/s390/include/asm/ptrace.h:9:0,
                     from next/arch/s390/include/asm/lowcore.h:12,
                     from next/arch/s390/include/asm/thread_info.h:30,
                     from include/linux/thread_info.h:54,
                     from include/linux/preempt.h:9,
                     from include/linux/spinlock.h:50,
                     from include/linux/seqlock.h:29,
                     from include/linux/time.h:5,
                     from include/linux/stat.h:18,
                     from include/linux/module.h:10,
                     from drivers/atm/iphase.c:43:
    next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here

    Signed-off-by: Heiko Carstens
    Acked-by: chas williams - CONTRACTOR
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit bf4f81cd04a2db72cea6f15b41df71b3f6e8dfd6
Author: Phil Sutter
Date:   Fri Feb 1 07:21:41 2013 +0000

    packet: fix leakage of tx_ring memory

    [ Upstream commit 9665d5d62487e8e7b1f546c00e11107155384b9a ]

    When releasing a packet socket, the routine packet_set_ring() is
    reused to free rings instead of allocating them. But when calling it
    for the first time, it fills req->tp_block_nr with the value of
    rb->pg_vec_len which in the second invocation makes it bail out since
    req->tp_block_nr is greater than zero but req->tp_block_size is zero.

    This patch solves the problem by passing a zeroed auto-variable to
    packet_set_ring() upon each invocation from packet_release().

    As far as I can tell, this issue exists even since 69e3c75 (net:
    TX_RING and packet mmap), i.e. the original inclusion of TX ring
    support into af_packet, but applies only to sockets with both RX and
    TX ring allocated, which is probably why this was unnoticed all the
    time.

    Signed-off-by: Phil Sutter
    Cc: Johann Baudy
    Cc: Daniel Borkmann
    Acked-by: Daniel Borkmann
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 0d6a77079c475033cb622c07c5a880b392ef664e
Author: Marcelo Ricardo Leitner
Date:   Tue Jan 29 22:26:08 2013 +0000

    ipv6: do not create neighbor entries for local delivery

    [ Upstream commit bd30e947207e2ea0ff2c08f5b4a03025ddce48d3 ]

    They will be created at output, if ever needed. This avoids creating
    empty neighbor entries when TPROXYing/Forwarding packets for
    addresses that are not even directly reachable.

    Note that IPv4 already handles it this way. No neighbor entries are
    created for local input.

    Tested by myself and customer.

    Signed-off-by: Jiri Pirko
    Signed-off-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit f1d2eae64955762000021ef9844ef3967c290854
Author: Cong Wang
Date:   Sun Jan 27 21:14:08 2013 +0000

    pktgen: correctly handle failures when adding a device

    [ Upstream commit 604dfd6efc9b79bce432f2394791708d8e8f6efc ]

    The return value of pktgen_add_device() is not checked, so
    even if we fail to add some device, for example, non-exist one,
    we still see "OK:...". This patch fixes it.

    After this patch, I got:

    	# echo "add_device non-exist" > /proc/net/pktgen/kpktgend_0
    	-bash: echo: write error: No such device
    	# cat /proc/net/pktgen/kpktgend_0
    	Running:
    	Stopped:
    	Result: ERROR: can not add device non-exist
    	# echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
    	# cat /proc/net/pktgen/kpktgend_0
    	Running:
    	Stopped: eth0
    	Result: OK: add_device=eth0

    (Candidate for -stable)

    Cc: David S. Miller
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 7047cf781217e4900c233ded2b3e856d7b894f5a
Author: Eric Dumazet
Date:   Fri Jan 25 07:44:41 2013 +0000

    net: loopback: fix a dst refcounting issue

    [ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]

    Ben Greear reported crashes in ip_rcv_finish() on a stress
    test involving many macvlans.

    We tracked the bug to a dst use after free. ip_rcv_finish()
    was calling dst->input() and got garbage for dst->input value.

    It appears the bug is in loopback driver, lacking
    a skb_dst_force() before calling netif_rx().

    As a result, a non refcounted dst, normally protected by a
    RCU read_lock section, was escaping this section and could
    be freed before the packet being processed.

      [] loopback_xmit+0x64/0x83
      [] dev_hard_start_xmit+0x26c/0x35e
      [] dev_queue_xmit+0x2c4/0x37c
      [] ? dev_hard_start_xmit+0x35e/0x35e
      [] ? eth_header+0x28/0xb6
      [] neigh_resolve_output+0x176/0x1a7
      [] ip_finish_output2+0x297/0x30d
      [] ? ip_finish_output2+0x137/0x30d
      [] ip_finish_output+0x63/0x68
      [] ip_output+0x61/0x67
      [] dst_output+0x17/0x1b
      [] ip_local_out+0x1e/0x23
      [] ip_queue_xmit+0x315/0x353
      [] ? ip_send_unicast_reply+0x2cc/0x2cc
      [] tcp_transmit_skb+0x7ca/0x80b
      [] tcp_connect+0x53c/0x587
      [] ? getnstimeofday+0x44/0x7d
      [] ? ktime_get_real+0x11/0x3e
      [] tcp_v4_connect+0x3c2/0x431
      [] __inet_stream_connect+0x84/0x287
      [] ? inet_stream_connect+0x22/0x49
      [] ? _local_bh_enable_ip+0x84/0x9f
      [] ? local_bh_enable+0xd/0x11
      [] ? lock_sock_nested+0x6e/0x79
      [] ? inet_stream_connect+0x22/0x49
      [] inet_stream_connect+0x33/0x49
      [] sys_connect+0x75/0x98

    This bug was introduced in linux-2.6.35, in commit
    7fee226ad2397b (net: add a noref bit on skb dst)

    skb_dst_force() is enforced in dev_queue_xmit() for devices having a
    qdisc.

    Reported-by: Ben Greear
    Signed-off-by: Eric Dumazet
    Tested-by: Ben Greear
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 3b69b853e5fd391df9489592e9e98790c4bdca96
Author: Timo Teräs
Date:   Mon Jan 21 22:30:35 2013 +0000

    r8169: remove the obsolete and incorrect AMD workaround

    [ Upstream commit 5d0feaff230c0abfe4a112e6f09f096ed99e0b2d ]

    This was introduced in commit 6dccd16 "r8169: merge with version
    6.001.00 of Realtek's r8169 driver". I did not find the version
    6.001.00 online, but in 6.002.00 or any later r8169 from Realtek
    this hunk is no longer present.

    Also commit 05af214 "r8169: fix Ethernet Hangup for RTL8110SC
    rev d" claims to have fixed this issue otherwise.

    The magic compare mask of 0xfffe000 is dubious as it masks
    parts of the Reserved part, and parts of the VLAN tag. But this
    does not make much sense as the VLAN tag parts are perfectly
    valid there. In matter of fact this seems to be triggered with
    any VLAN tagged packet as RxVlanTag bit is matched. I would
    suspect 0xfffe0000 was intended to test reserved part only.

    Finally, this hunk is evil as it can cause more packets to be
    handled than what was NAPI quota causing net/core/dev.c:
    net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and
    mess up the NAPI state causing device to hang.

    As result, any system using VLANs and having high receive
    traffic (so that NAPI poll budget limits rtl_rx) would result
    in device hang.

    Signed-off-by: Timo Teräs
    Acked-by: Francois Romieu
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 02eae13ff59819b17c66b9f458ff39bab9cabe3a
Author: Eric Dumazet
Date:   Tue Jan 22 06:33:05 2013 +0000

    netxen: fix off by one bug in netxen_release_tx_buffer()

    [ Upstream commit a05948f296ce103989b28a2606e47d2e287c3c89 ]

    Christoph Paasch found netxen could trigger a BUG in its dismantle
    phase, in netxen_release_tx_buffer(), using full size TSO packets.

    cmd_buf->frag_count includes the skb->data part, so the loop must
    start at index 1 instead of 0, or else we can make an out
    of bound access to cmd_buff->frag_array[MAX_SKB_FRAGS + 2]

    Christoph provided the fixes in netxen_map_tx_skb() function.
    In case of a dma mapping error, it's better to clear the dma fields
    so that we don't try to unmap them again in netxen_release_tx_buffer()

    Reported-by: Christoph Paasch
    Signed-off-by: Eric Dumazet
    Tested-by: Christoph Paasch
    Cc: Sony Chacko
    Cc: Rajesh Borundia
    Signed-off-by: Christoph Paasch
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 3b6e19d45b7333aa113af1209596e65312810665
Author: Tilman Schmidt
Date:   Mon Jan 21 11:57:21 2013 +0000

    isdn/gigaset: fix zero size border case in debug dump

    [ Upstream commit d721a1752ba544df8d7d36959038b26bc92bdf80 ]

    If subtracting 12 from l leaves zero we'd do a zero size allocation,
    leading to an oops later when we try to set the NUL terminator.

    Reported-by: Dan Carpenter
    Signed-off-by: Tilman Schmidt
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit c475b33242df2b2d8f6ff82c4c83f72e11a4e96d
Author: Romain KUNTZ
Date:   Wed Jan 16 12:47:40 2013 +0000

    ipv6: fix header length calculation in ip6_append_data()

    [ Upstream commit 7efdba5bd9a2f3e2059beeb45c9fa55eefe1bced ]

    Commit 299b0767 (ipv6: Fix IPsec slowpath fragmentation problem)
    has introduced an error in the header length calculation that
    provokes corrupted packets when non-fragmentable extensions
    headers (Destination Option or Routing Header Type 2) are used.

    rt->rt6i_nfheader_len is the length of the non-fragmentable
    extension header, and it should be subtracted to
    rt->dst.header_len, and not to exthdrlen, as it was done before
    commit 299b0767.

    This patch reverts to the original and correct behavior. It has
    been successfully tested with and without IPsec on packets
    that include non-fragmentable extensions headers.

    Signed-off-by: Romain Kuntz
    Acked-by: Steffen Klassert
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit f29cc94c3b5d91d5072a05ed4dc8cde97e3c7426
Author: Stephen Hemminger
Date:   Wed Jan 16 09:55:57 2013 -0800

    MAINTAINERS: Stephen Hemminger email change

    [ Upstream commit adbbf69d1a54abf424e91875746a610dcc80017d ]

    I changed my email because the vyatta.com mail server is now
    redirected to brocade.com; and the Brocade mail system
    is not friendly to Linux desktop users.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 77b3f442bce440d228ad0002974e2c8189458b41
Author: Romain Kuntz
Date:   Wed Jan 9 15:02:26 2013 +0100

    ipv6: fix the noflags test in addrconf_get_prefix_route

    [ Upstream commit 85da53bf1c336bb07ac038fb951403ab0478d2c5 ]

    The tests on the flags in addrconf_get_prefix_route() does not make
    much sense: the 'noflags' parameter contains the set of flags
    that must not match with the route flags, so the test must be
    done against 'noflags', and not against 'flags'.

    Signed-off-by: Romain Kuntz
    Acked-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 35dc6fe99d2a18517078eb05f23604ca588fd207
Author: Cong Wang
Date:   Mon Jan 7 21:17:00 2013 +0000

    net: prevent setting ttl=0 via IP_TTL

    [ Upstream commit c9be4a5c49cf51cc70a993f004c5bb30067a65ce ]

    A regression is introduced by the following commit:

        commit 4d52cfbef6266092d535237ba5a4b981458ab171
        Author: Eric Dumazet
        Date:   Tue Jun 2 00:42:16 2009 -0700

            net: ipv4/ip_sockglue.c cleanups

            Pure cleanups

    but it is not a pure cleanup...

        - if (val != -1 && (val < 1 || val>255))
        + if (val != -1 && (val < 0 || val > 255))

    Since there is no reason provided to allow ttl=0, change it back.

    Reported-by: nitin padalia
    Cc: nitin padalia
    Cc: Eric Dumazet
    Cc: David S. Miller
    Signed-off-by: Cong Wang
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings

commit 52d7a53d8d87bce1b6accbf0c7e5decd55e96141
Author: T Makphaibulchoke
Date:   Thu Oct 4 17:16:55 2012 -0700

    kernel/resource.c: fix stack overflow in __reserve_region_with_split()

    commit 4965f5667f36a95b41cda6638875bc992bd7d18b upstream.

    Using a recursive call add a non-conflicting region in
    __reserve_region_with_split() could result in a stack overflow in the
    case that the recursive calls are too deep. Convert the recursive
    calls to an iterative loop to avoid the problem.

    Tested on a machine containing 135 regions. The kernel no longer
    panicked with stack overflow.

    Also tested with code arbitrarily adding regions with no conflict,
    embedding two consecutive conflicts and embedding two non-consecutive
    conflicts.

    Signed-off-by: T Makphaibulchoke
    Reviewed-by: Ram Pai
    Cc: Paul Gortmaker
    Cc: Wei Yang
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit ef5936a9b697a4aa6e6ce87656be1dc2b79ebd19
Author: Nicholas Santos
Date:   Fri Dec 28 22:07:02 2012 -0500

    HID: usbhid: quirk for Formosa IR receiver

    commit 320cde19a4e8f122b19d2df7a5c00636e11ca3fb upstream.

    Patch to add the Formosa Industrial Computing, Inc. Infrared Receiver
    [IR605A/Q] to hid-ids.h and hid-quirks.c. This IR receiver causes
    about a 10 second timeout when the usbhid driver attempts to
    initialize the device. Adding this device to the quirks list with
    HID_QUIRK_NO_INIT_REPORTS removes the delay.

    Signed-off-by: Nicholas Santos
    [jkosina@suse.cz: fix ordering]
    Signed-off-by: Jiri Kosina
    Signed-off-by: Ben Hutchings

commit f8c9c1f1f6ee0d09fa31016a26280aa0b4256740
Author: Szymon Janc
Date:   Tue Dec 11 08:51:19 2012 +0100

    Bluetooth: Fix sending HCI commands after reset

    commit dbccd791a3fbbdac12c33834b73beff3984988e9 upstream.

    After sending reset command wait for its command complete event
    before sending next command. Some chips send CC event for command
    received before reset if reset was sent before chip replied with CC.

    This is also required by specification that host shall not send
    additional HCI commands before receiving CC for reset.

    < HCI Command: Reset (0x03|0x0003) plen 0 [hci0] 18.404612
    > HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.405850
          Write Extended Inquiry Response (0x03|0x0052) ncmd 1
            Status: Success (0x00)
    < HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.406079
    > HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.407864
          Reset (0x03|0x0003) ncmd 1
            Status: Success (0x00)
    < HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.408062
    > HCI Event: Command Complete (0x0e) plen 12 [hci0] 18.408835

    Signed-off-by: Szymon Janc
    Acked-by: Johan Hedberg
    Signed-off-by: Gustavo Padovan
    Signed-off-by: Ben Hutchings

commit 8957028bd89221048c784d524ee42513356fc822
Author: Oleg Nesterov
Date:   Mon Jan 21 20:48:17 2013 +0100

    wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task

    commit 9067ac85d533651b98c2ff903182a20cbb361fcb upstream.

    wake_up_process() should never wakeup a TASK_STOPPED/TRACED task.
    Change it to use TASK_NORMAL and add the WARN_ON().

    TASK_ALL has no other users, probably can be killed.

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    [bwh: Backported to 3.2: adjust filename]
    Signed-off-by: Ben Hutchings

commit f224540e9fc7be42e1867f1e4967889b29073abb
Author: Oleg Nesterov
Date:   Mon Jan 21 20:48:00 2013 +0100

    ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL

    commit 9899d11f654474d2d54ea52ceaa2a1f4db3abd68 upstream.

    putreg() assumes that the tracee is not running and pt_regs_access()
    can safely play with its stack. However a killed tracee can return
    from ptrace_stop() to the low-level asm code and do RESTORE_REST,
    this means that debugger can actually read/modify the kernel stack
    until the tracee does SAVE_REST again.

    set_task_blockstep() can race with SIGKILL too and in some sense this
    race is even worse, the very fact the tracee can be woken up breaks
    the logic.

    As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace()
    call, this ensures that nobody can ever wakeup the tracee while the
    debugger looks at it. Not only this fixes the mentioned problems, we
    can do some cleanups/simplifications in arch_ptrace() paths.

    Probably ptrace_unfreeze_traced() needs more callers, for example it
    makes sense to make the tracee killable for oom-killer before
    access_process_vm().

    While at it, add the comment into may_ptrace_stop() to explain why
    ptrace_stop() still can't rely on SIGKILL and signal_pending_state().

    Reported-by: Salman Qazi
    Reported-by: Suleiman Souhlal
    Suggested-by: Linus Torvalds
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit bb24eda9eee7a1cc865bb10dbb89edf7c1f5cdc7
Author: Oleg Nesterov
Date:   Mon Jan 21 20:47:41 2013 +0100

    ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()

    commit 910ffdb18a6408e14febbb6e4b6840fd2c928c82 upstream.

    Cleanup and preparation for the next change.

    signal_wake_up(resume => true) is overused. None of ptrace/jctl
    callers actually want to wakeup a TASK_WAKEKILL task, but they can't
    specify the necessary mask.

    Turn signal_wake_up() into signal_wake_up_state(state), reintroduce
    signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up()
    which adds __TASK_TRACED.

    This way ptrace_signal_wake_up() can work "inside" ptrace_request()
    even if the tracee doesn't have the TASK_WAKEKILL bit set.

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 667958738244e5be2cb1e05ab1f2a112c52e1c64
Author: Oleg Nesterov
Date:   Sat Aug 11 18:06:42 2012 +0200

    ptrace/x86: Partly fix set_task_blockstep()->update_debugctlmsr() logic

    commit 95cf00fa5d5e2a200a2c044c84bde8389a237e02 upstream.

    Afaics the usage of update_debugctlmsr() and TIF_BLOCKSTEP in step.c
    was always very wrong.

    1. update_debugctlmsr() was simply unneeded.
       The child sleeps TASK_TRACED, __switch_to_xtra(next_p => child)
       should notice TIF_BLOCKSTEP and set/clear DEBUGCTLMSR_BTF after
       resume if needed.

    2. It is wrong. The state of DEBUGCTLMSR_BTF bit in CPU register
       should always match the state of current's TIF_BLOCKSTEP bit.

    3. Even get_debugctlmsr() + update_debugctlmsr() itself does not
       look right. Irq can change other bits in MSR_IA32_DEBUGCTLMSR
       register or the caller can be preempted in between.

    4. It is not safe to play with TIF_BLOCKSTEP if task != current.
       DEBUGCTLMSR_BTF and TIF_BLOCKSTEP should always match each
       other if the task is running. The tracee is stopped but it
       can be SIGKILL'ed right before set/clear_tsk_thread_flag().

    However, now that uprobes uses user_enable_single_step(current)
    we can't simply remove update_debugctlmsr(). So this patch adds
    the additional "task == current" check and disables irqs to avoid
    the race with interrupts/preemption.

    Unfortunately this patch doesn't solve the last problem, we need
    another fix. Probably we should teach ptrace_stop() to set/clear
    single/block stepping after resume.

    And afaics there is yet another problem: perf can play with
    MSR_IA32_DEBUGCTLMSR from nmi, this obviously means that even
    __switch_to_xtra() has problems.

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Ben Hutchings

commit 6d0d3f3aca8f6ec0cd91d062abab0196905a9352
Author: Oleg Nesterov
Date:   Fri Aug 3 17:31:46 2012 +0200

    ptrace/x86: Introduce set_task_blockstep() helper

    commit 848e8f5f0ad3169560c516fff6471be65f76e69f upstream.

    No functional changes, preparation for the next fix and for uprobes
    single-step fixes.

    Move the code playing with TIF_BLOCKSTEP/DEBUGCTLMSR_BTF into the
    new helper, set_task_blockstep().

    Signed-off-by: Oleg Nesterov
    Acked-by: Srikar Dronamraju
    Signed-off-by: Ben Hutchings

commit f50fa70d35d3df3230ed51dcea309660183570ac
Author: Hugh Daschbach
Date:   Fri Jan 4 14:39:09 2013 -0800

    ahci: Add support for Enmotus Bobcat device.

    commit 7f9c9f8e24590e7dcd26ca408458c43df5b83e61 upstream.

    Silicon does not support standard AHCI BAR assignment. Add
    vendor/device exception to force BAR 2.

    Signed-off-by: Hugh Daschbach
    Signed-off-by: Jeff Garzik
    Signed-off-by: Ben Hutchings

commit 6ab68d8d2079acab17e1ab3db3209a67818d3051
Author: Alessandro Rubini
Date:   Fri Jan 6 13:33:39 2012 +0100

    ahci: support the STA2X11 I/O Hub

    commit 318893e1429a9d50569a0379d1e20b0ecc45c555 upstream.

    The AHCI controller found in the STA2X11 chip uses BAR number 0
    instead of 5. Also, the chip's fixup code sets a special DMA mask
    for all of its PCI functions, and the mask must be preserved here.

    Signed-off-by: Alessandro Rubini
    Acked-by: Giancarlo Asnaghi
    Cc: Alan Cox
    Signed-off-by: Jeff Garzik
    Signed-off-by: Ben Hutchings

commit fd61506bd23ffc170dac4ecf401acae8004efceb
Author: Jacob Schloss
Date:   Sun Dec 9 20:18:25 2012 -0300

    gspca_kinect: add Kinect for Windows USB id

    commit 98fd485795db064d0885150e2c0c7f296d8fe06e upstream.

    Add the USB ID for the Kinect for Windows RGB camera so it can be
    used with the gspca_kinect driver.

    Signed-off-by: Jacob Schloss
    Signed-off-by: Antonio Ospite
    Signed-off-by: Hans de Goede
    Signed-off-by: Mauro Carvalho Chehab
    [bwh: Backported to 3.2: adjust filename]
    Signed-off-by: Ben Hutchings

commit 31317e96c36a1d45bf6618a8f02839c924d2bcaf
Author: Maia Kozheva
Date:   Sun Dec 9 16:07:40 2012 +0700

    rt2800usb: Add support for 2001:3c1e (D-Link DWA-125 rev B1) USB Wi-Fi adapter

    commit fd7b9270120ca7e53fbf0469febe0c68acf6a0a2 upstream.

    D-Link DWA-125/B1 is a relatively new USB Wi-Fi adapter, using a
    Ralink chipset supported by the rt2800usb driver. Currently, to work
    around the problem (it's missing in all present kernel versions, up
    to and including 3.7.x), I had to add this to /etc/rc.local:

    echo 2001 3c1e >> /sys/bus/usb/drivers/rt2800usb/new_id

    After that, the device works without problems. Been using it for
    over a week with no bugs in sight.
    The attached patch is trivial and simply adds the new USB ID to the list of devices handled by rt2800usb.

    Signed-off-by: Maia Kozheva
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit 8d675985b73d797b21e945979c473613690916cd
Author: Jaume Delclòs
Date:   Fri Nov 2 23:35:20 2012 +0100

    Wireless: rt2x00: Add device id for Sweex LW323 to rt2800usb.c

    commit 36f318bb124b231c01db6965a009f46d5731f012 upstream.

    This patch adds detection for the Sweex LW323 USB wireless network card in the rt2x00 driver (just one line in rt2800usb.c). It applies to linux-3.7-rc3.

    Signed-off-by: Jaume Delclòs
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit 647adb462006c503a7e9f5756685fb9a1f6b1334
Author: Xose Vazquez Perez
Date:   Sat Apr 14 23:00:01 2012 +0200

    wireless: rt2x00: rt{2500,73}usb.c put back duplicate id

    commit 8f35f787b75e9b6435ea37dabcae2d40dc72d31c upstream.

    put back 0x050d,0x7050 to rt73usb, same usb_id for two chips:

    K7SF5D7050A ver 2xxx is rt2500
    K7SF5D7050B ver 3xxx is rt73

    Signed-off-by: Xose Vazquez Perez
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit ac58853b894c8598f20808d2745d5bcddfd2edf4
Author: Sjur Brændeland
Date:   Tue Jan 22 09:50:26 2013 +1030

    virtio_console: Don't access uninitialized data.

    commit aded024a12b32fc1ed9a80639681daae2d07ec25 upstream.

    Don't access uninitialized work-queue when removing device. The work queue is initialized only if the device is multi-queue. So don't call cancel_work unless this is a multi-queue device.

    This fixes the following panic:

    Kernel panic - not syncing: BUG!
    Call Trace:
    62031b28: [<6026085d>] panic+0x16b/0x2d3
    62031b30: [<6004ef5e>] flush_work+0x0/0x1d7
    62031b60: [<602606f2>] panic+0x0/0x2d3
    62031b68: [<600333b0>] memcpy+0x0/0x140
    62031b80: [<6002d58a>] unblock_signals+0x0/0x84
    62031ba0: [<602609c5>] printk+0x0/0xa0
    62031bd8: [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148
    62031c10: [<6004ef5e>] flush_work+0x0/0x1d7
    62031c18: [<60050234>] try_to_grab_pending+0x0/0x17e
    62031c38: [<6004e984>] get_work_gcwq+0x71/0x8f
    62031c48: [<60050539>] __cancel_work_timer+0x5b/0x115
    62031c78: [<628acc85>] unplug_port+0x0/0x191 [virtio_console]
    62031c98: [<6005061c>] cancel_work_sync+0x12/0x14
    62031ca8: [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console]
    62031ce8: [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio]
    62031d08: [<601cf242>] __device_release_driver+0x75/0xe4
    62031d28: [<601cf2dd>] device_release_driver+0x2c/0x40
    62031d48: [<601ce0dd>] driver_unbind+0x7d/0xc6
    62031d88: [<601cd5d9>] drv_attr_store+0x27/0x29
    62031d98: [<60115f61>] sysfs_write_file+0x100/0x14d
    62031df8: [<600b737d>] vfs_write+0xcb/0x184
    62031e08: [<600b58b8>] filp_close+0x88/0x94
    62031e38: [<600b7686>] sys_write+0x59/0x88
    62031e88: [<6001ced1>] handle_syscall+0x5d/0x80
    62031ea8: [<60030a74>] userspace+0x405/0x531
    62031f08: [<600d32cc>] sys_dup+0x0/0x5e
    62031f28: [<601b11d6>] strcpy+0x0/0x18
    62031f38: [<600be46c>] do_execve+0x10/0x12
    62031f48: [<600184c7>] run_init_process+0x43/0x45
    62031fd8: [<60019a91>] new_thread_handler+0xba/0xbc

    Signed-off-by: Sjur Brændeland
    Signed-off-by: Rusty Russell
    Signed-off-by: Ben Hutchings

commit 6ec37f6672820465afae0a1dee6d52b11248f7cd
Author: Haojian Zhuang
Date:   Mon Feb 4 14:28:54 2013 -0800

    drivers/rtc/rtc-pl031.c: fix the missing operation on enable

    commit e7e034e18a0ab6bafb2425c3242cac311164f4d6 upstream.

    The RTC control register should be enabled in the process of initializing.

    Without this patch, I failed to enable RTC in Hisilicon Hi3620 SoC. The register mapping section in RTC is always read as zero.
    So I doubt that ST guys may already enable this register in bootloader. So they won't meet this issue.

    Signed-off-by: Haojian Zhuang
    Cc: Srinidhi Kasagar
    Cc: Linus Walleij
    Cc: Alessandro Zummo
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit 565b34099979a3da701b78afcf16e7d3cb1af37e
Author: Jan Luebbe
Date:   Mon Feb 4 14:28:53 2013 -0800

    drivers/rtc/rtc-isl1208.c: call rtc_update_irq() from the alarm irq handler

    commit 72fca4a4b32dc778b5b885c3498700e42b610d49 upstream.

    Previously the alarm event was not propagated into the RTC subsystem. By adding a call to rtc_update_irq, this fixes a timeout problem with the hwclock utility.

    Signed-off-by: Jan Luebbe
    Cc: Alessandro Zummo
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 7e3901b7159e8d16908820df789042c26269c211
Author: Vyacheslav Dubeyko
Date:   Mon Feb 4 14:28:41 2013 -0800

    nilfs2: fix fix very long mount time issue

    commit a9bae189542e71f91e61a4428adf6e5a7dfe8063 upstream.

    There exists a situation when GC can work in background alone without any other filesystem activity during significant time.

    The nilfs_clean_segments() method calls nilfs_segctor_construct() that updates superblocks in the case of NILFS_SC_SUPER_ROOT and THE_NILFS_DISCONTINUED flags are set. But when GC is working alone the nilfs_clean_segments() is called with unset THE_NILFS_DISCONTINUED flag. As a result, the update of superblocks doesn't occurred all this time and in the case of SPOR superblocks keep very old values of last super root placement.

    SYMPTOMS:
    Trying to mount a NILFS2 volume after SPOR in such environment ends with very long mounting time (it can achieve about several hours in some cases).

    REPRODUCING PATH:
    1. It needs to use external USB HDD, disable automount and doesn't make any additional filesystem activity on the NILFS2 volume.
    2. Generate temporary file with size about 100 - 500 GB (for example, dd if=/dev/zero of= bs=1073741824 count=200). The size of file defines duration of GC working.
    3. Then it needs to delete file.
    4. Start GC manually by means of command "nilfs-clean -p 0". When you start GC by means of such way then, at the end, superblocks is updated by once. So, for simulation of SPOR, it needs to wait sometime (15 - 40 minutes) and simply switch off USB HDD manually.
    5. Switch on USB HDD again and try to mount NILFS2 volume. As a result, NILFS2 volume will mount during very long time.

    REPRODUCIBILITY: 100%

    FIX:
    This patch adds checking that superblocks need to update and set THE_NILFS_DISCONTINUED flag before nilfs_clean_segments() call.

    Reported-by: Sergey Alexandrov
    Signed-off-by: Vyacheslav Dubeyko
    Tested-by: Vyacheslav Dubeyko
    Acked-by: Ryusuke Konishi
    Tested-by: Ryusuke Konishi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Ben Hutchings

commit 011dcf0ccf703c6a5b49c789833d1c9a28d47406
Author: fangxiaozhi
Date:   Mon Feb 4 15:16:34 2013 +0800

    USB: storage: optimize to match the Huawei USB storage devices and support new switch command

    commit 200e0d994d9d1919b28c87f1a5fb99a8e13b8a0f upstream.

    1. Optimize the match rules with new macro for Huawei USB storage devices, to avoid to load USB storage driver for the modem interface with Huawei devices.
    2. Add to support new switch command for new Huawei USB dongles.

    Signed-off-by: fangxiaozhi
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 19c72d766156d20221dc399ebaf27fad2251e4ce
Author: fangxiaozhi
Date:   Mon Feb 4 15:14:46 2013 +0800

    USB: storage: Define a new macro for USB storage match rules

    commit 07c7be3d87e5cdaf5f94c271c516456364ef286c upstream.

    1. Define a new macro for USB storage match rules: matching with Vendor ID and interface descriptors.
    Signed-off-by: fangxiaozhi
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit fe1c910dd7963d8bf58067e8627bdb07ae3625ef
Author: Petr Kubánek
Date:   Fri Feb 1 17:24:04 2013 +0100

    USB: ftdi_sio: add Zolix FTDI PID

    commit 0ba3b2ccc72b3df5c305d61f59d93ab0f0e87991 upstream.

    Add support for Zolix Omni 1509 monochromator custom USB-RS232 converter.

    Signed-off-by: Petr Kubánek
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit b2592ced8a437e906ffa2c25955c8c42ee6b5ad9
Author: Bjørn Mork
Date:   Fri Feb 1 12:06:51 2013 +0100

    USB: option: add Changhong CH690

    commit d4fa681541aa7bf8570d03426dd7ba663a71c467 upstream.

    New device with 3 serial interfaces:

    If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend) Sub=ff Prot=ff
    If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend) Sub=ff Prot=ff
    If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend) Sub=ff Prot=ff
    If#= 3 Alt= 0 #EPs= 2 Cls=08(stor) Sub=06 Prot=50

    Signed-off-by: Bjørn Mork
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit b71a3a4d861b74ade66d52de0e9bd4b493537418
Author: Sven Killig
Date:   Fri Feb 1 23:43:06 2013 +0100

    USB: ftdi_sio: add PID/VID entries for ELV WS 300 PC II

    commit c249f911406efcc7456cb4af79396726bf7b8c57 upstream.

    Add PID/VID entries for ELV WS 300 PC II weather station

    Signed-off-by: Sven Killig
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 61869db60d56417729327e0218d8b4afcd396c10
Author: Alexander Stein
Date:   Thu Dec 13 10:06:10 2012 +0100

    can: c_can: Set reserved bit in IFx_MASK2 to 1 on write

    commit 2bd3bc4e8472424f1a6009825397639a8968920a upstream.

    According to C_CAN documentation, the reserved bit in IFx_MASK2 register is fixed 1.

    Signed-off-by: Alexander Stein
    Signed-off-by: Marc Kleine-Budde
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings

commit b819a9646971e6f0bfad33a67459b23677cd5d1c
Author: Alex Deucher
Date:   Wed Jan 30 14:24:09 2013 -0500

    drm/radeon: prevent crash in the ring space allocation

    commit fd5d93a0015ce1a7db881382022b2fcdfdc61760 upstream.
    If the requested number of DWs on the ring is larger than the size of the ring itself, return an error.

    In testing with large VM updates, we've seen crashes when we try and allocate more space on the ring than the total size of the ring without checking.

    This prevents the crash but for large VM updates or bo moves of very large buffers, we will need to break the transaction down into multiple batches. I have patches to use IBs for the next kernel.

    Signed-off-by: Alex Deucher
    [bwh: Backported to 3.2: use rdev->cp.ring_size instead of ring->ring_size]
    Signed-off-by: Ben Hutchings

commit e7a2a2e32bba0121dc1e4c2006fab092f30b4e0f
Author: liu chuansheng
Date:   Thu Jan 31 22:13:00 2013 +0800

    drm/radeon: Calling object_unrefer() when creating fb failure

    commit f2d68cf4daa4de97d400d94836b907e35228e54f upstream.

    When kzalloc() failed in radeon_user_framebuffer_create(), need to call object_unreference() to match the object_reference().

    Signed-off-by: liu chuansheng
    Signed-off-by: xueminsu
    Signed-off-by: Alex Deucher
    Signed-off-by: Ben Hutchings

commit 93322d7fee4bc923dfede42f78cad115027bfcd3
Author: Johan Hedberg
Date:   Tue Jan 29 10:44:23 2013 -0600

    Bluetooth: Fix handling of unexpected SMP PDUs

    commit 8cf9fa1240229cbdd888236c0c43fcbad680cf00 upstream.

    The conn->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected moments. To avoid NULL pointer dereferences the code should be checking for this and disconnect if an unexpected SMP PDU arrives. This patch fixes the issue by adding a check for conn->smp_chan for all other PDUs except pairing request and security request (which are the first PDUs to come to initialize the SMP context).

    Signed-off-by: Johan Hedberg
    Acked-by: Marcel Holtmann
    Signed-off-by: Gustavo Padovan
    Signed-off-by: Ben Hutchings

commit 02fb524d798d829131a3d3f7694f6fb15663665f
Author: Jan Beulich
Date:   Wed Jan 30 07:55:53 2013 +0000

    x86-64: Replace left over sti/cli in ia32 audit exit code

    commit 40a1ef95da85843696fc3ebe5fce39b0db32669f upstream.
    For some reason they didn't get replaced so far by their paravirt equivalents, resulting in code to be run with interrupts disabled that doesn't expect so (causing, in the observed case, a BUG_ON() to trigger) when syscall auditing is enabled.

    David (Cc-ed) came up with an identical fix, so likely this can be taken to count as an ack from him.

    Reported-by: Peter Moody
    Signed-off-by: Jan Beulich
    Cc: David Vrabel
    Cc: Konrad Rzeszutek Wilk
    Link: http://lkml.kernel.org/r/5108E01902000078000BA9C5@nat28.tlf.novell.com
    Signed-off-by: Ingo Molnar
    Cc: Konrad Rzeszutek Wilk
    Cc: David Vrabel
    Tested-by: Peter Moody
    Signed-off-by: Ben Hutchings

commit 432257fa1d0fe223fb0ee4ada55cfea096572a74
Author: Alan Stern
Date:   Wed Jan 30 16:36:40 2013 -0500

    USB: EHCI: fix bug in scheduling periodic split transfers

    commit 3e619d04159be54b3daa0b7036b0ce9e067f4b5d upstream.

    This patch (as1654) fixes a very old bug in ehci-hcd, connected with scheduling of periodic split transfers. The calculations for full/low-speed bus usage are all carried out after the correction for bit-stuffing has been applied, but the values in the max_tt_usecs array assume it hasn't been. The array should allow for allocation of up to 90% of the bus capacity, which is 900 us, not 780 us.

    The symptom caused by this bug is that any isochronous transfer to a full-speed device with a maxpacket size larger than about 980 bytes is always rejected with a -ENOSPC error.

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit c0e2ce8b690f9af541f1bc29e431185723bcc963
Author: Bing Zhao
Date:   Tue Jan 29 14:38:02 2013 -0800

    mwifiex: fix incomplete scan in case of IE parsing error

    commit 8a7d7cbf7b5ff9912ef50b3e94c9ad9f37b1c75f upstream.

    A scan request is split into multiple scan commands queued in scan_pending_q. Each scan command will be sent to firmware and its response is handled one after another.
    If any error is detected while parsing IE in command response buffer the remaining data will be ignored and error is returned.

    We should check if there is any more scan commands pending in the queue before returning error. This ensures that we will call cfg80211_scan_done if this is the last scan command, or send next scan command in scan_pending_q to firmware.

    Signed-off-by: Bing Zhao
    Signed-off-by: Amitkumar Karwar
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit 847e14fe6ad1b35dfcbdbcefc9179480a4163769
Author: Daniele Palmas
Date:   Mon Jan 28 16:47:10 2013 +0100

    USB: option: add support for Telit LE920

    commit 03eb466f276ceef9dcf023dc5474db02af68aad9 upstream.

    Add PID and special handling for Telit LE920

    Signed-off-by: Daniele Palmas
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 72ea6687717cfe46ed29d6f6702af03460ca8176
Author: Daniele Palmas
Date:   Mon Jan 28 16:48:54 2013 +0100

    USB: qcserial: add Telit Gobi QDL device

    commit 78796ae17eacedcdcaaeb03ba73d2e532a4c8f83 upstream.

    Add VID and PID for Telit Gobi QDL device

    Signed-off-by: Daniele Palmas
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 443379201ede3b0179d268f40281af4aecdc05f7
Author: Alex Deucher
Date:   Tue Jan 29 16:36:47 2013 -0500

    drm/radeon: add quirk for RV100 board

    commit 9200ee4941a6e5d1ec5df88982243686882dff3f upstream.

    vbios says external TMDS while the board is actually internal TMDS.

    fixes: https://bugs.freedesktop.org/show_bug.cgi?id=60037

    Signed-off-by: Alex Deucher
    Signed-off-by: Ben Hutchings

commit cd1063a51318108c3c1929f169c4ae07fdb726f1
Author: Larry Finger
Date:   Sun Jan 27 16:24:25 2013 -0600

    rtlwifi: Fix the usage of the wrong variable in usb.c

    commit 0a06ad8e3a1cb5311b7dbafde45410aa1bce9d40 upstream.

    In routine _rtl_rx_pre_process(), skb_dequeue() is called to get an skb; however, the wrong variable name is used in subsequent calls.
    Reported-by: Guenter Roeck
    Signed-off-by: Larry Finger
    Cc: Guenter Roeck
    Signed-off-by: John W. Linville
    Signed-off-by: Ben Hutchings

commit 7fc80853e471b5442bd0e793f4eadf102cdd5faa
Author: Shawn Bohrer
Date:   Mon Jan 14 11:55:31 2013 -0600

    sched/rt: Use root_domain of rt_rq not current processor

    commit aa7f67304d1a03180f463258aa6f15a8b434e77d upstream.

    When the system has multiple domains do_sched_rt_period_timer() can run on any CPU and may iterate over all rt_rq in cpu_online_mask. This means when balance_runtime() is run for a given rt_rq that rt_rq may be in a different rd than the current processor. Thus if we use smp_processor_id() to get rd in do_balance_runtime() we may borrow runtime from a rt_rq that is not part of our rd.

    This changes do_balance_runtime to get the rd from the passed in rt_rq ensuring that we borrow runtime only from the correct rd for the given rt_rq.

    This fixes a BUG at kernel/sched/rt.c:687! in __disable_runtime when we try reclaim runtime lent to other rt_rq but runtime has been lent to a rt_rq in another rd.

    Signed-off-by: Shawn Bohrer
    Acked-by: Steven Rostedt
    Acked-by: Mike Galbraith
    Cc: peterz@infradead.org
    Link: http://lkml.kernel.org/r/1358186131-29494-1-git-send-email-sbohrer@rgmadvisors.com
    Signed-off-by: Ingo Molnar
    [bwh: Backported to 3.2: adjust filename]
    Signed-off-by: Ben Hutchings

commit 54f9dc6f5128c165568d81e2ff493fe061008517
Author: David Moore
Date:   Wed Jan 23 22:19:49 2013 -0800

    usb: Prevent dead ports when xhci is not enabled

    commit 58b2939b4d5a030eaec469d29812ab8477ee7e76 upstream.

    When the xHCI driver is not available, actively switch the ports to EHCI mode since some BIOSes leave them in xHCI mode where they would otherwise appear dead. This was discovered on a Dell Optiplex 7010, but it's possible other systems could be affected.

    This should be backported to kernels as old as 3.0, that contain the commit 69e848c2090aebba5698a1620604c7dccb448684 "Intel xhci: Support EHCI/xHCI port switching."
    Signed-off-by: David Moore
    Signed-off-by: Sarah Sharp
    Signed-off-by: Ben Hutchings

commit dfa457e5bc96441991a223cfacab27644edd24d0
Author: Alan Stern
Date:   Thu Jan 17 10:32:16 2013 -0500

    USB: XHCI: fix memory leak of URB-private data

    commit 48c3375c5f69b1c2ef3d1051a0009cb9bce0ce24 upstream.

    This patch (as1640) fixes a memory leak in xhci-hcd. The urb_priv data structure isn't always deallocated in the handle_tx_event() routine for non-control transfers. The patch adds a kfree() call so that all paths end up freeing the memory properly.

    This patch should be backported to kernels as old as 2.6.36, that contain the commit 8e51adccd4c4b9ffcd509d7f2afce0a906139f75 "USB: xHCI: Introduce urb_priv structure"

    Signed-off-by: Alan Stern
    Signed-off-by: Sarah Sharp
    Reported-and-tested-by: Martin Mokrejs
    Signed-off-by: Ben Hutchings

commit 571575aa23636dd0c453ecced5561f7b59d11927
Author: Sarah Sharp
Date:   Fri Jan 11 13:36:35 2013 -0800

    xhci: Fix TD size for isochronous URBs.

    commit f18f8ed2a9adc41c2d9294b85b6af115829d2af1 upstream.

    To calculate the TD size for a particular TRB in an isoc TD, we need know the endpoint's max packet size. Isochronous endpoints also encode the number of additional service opportunities in their wMaxPacketSize field. The TD size calculation did not mask off those bits before using the field. This resulted in incorrect TD size information for isochronous TRBs when an URB frame buffer crossed a 64KB boundary.

    For example:
     - an isoc endpoint has 2 additional service opportunities and a max packet size of 1020 bytes
     - a frame transfer buffer contains 3060 bytes
     - one frame buffer crosses a 64KB boundary, and must be split into one 1276 byte TRB, and one 1784 byte TRB.

    The TD size is the number of packets that remain to be transferred for a TD after processing all the max packet sized packets in the current TRB and all previous TRBs.

    For this TD, the number of packets to be transferred is (3060 / 1020), or 3.
    The first TRB contains 1276 bytes, which means it contains one full packet, and a 256 byte remainder. After processing all the max packet-sized packets in the first TRB, the host will have 2 packets left to transfer.

    The old code would calculate the TD size for the first TRB as:

    total packet count = DIV_ROUND_UP (TD length / endpoint wMaxPacketSize)
    total packet count - (first TRB length / endpoint wMaxPacketSize)

    The math should have been:

    total packet count = DIV_ROUND_UP (3060 / 1020) = 3
    3 - (1276 / 1020) = 2

    Since the old code didn't mask off the additional service interval bits from the wMaxPacketSize field, the math ended up as

    total packet count = DIV_ROUND_UP (3060 / 5116) = 1
    1 - (1276 / 5116) = 1

    Fix this by masking off the number of additional service opportunities in the wMaxPacketSize field.

    This patch should be backported to stable kernels as old as 3.0, that contain the commit 4da6e6f247a2601ab9f1e63424e4d944ed4124f3 "xhci 1.0: Update TD size field format." It may not apply well to kernels older than 3.2 because of commit 29cc88979a8818cd8c5019426e945aed118b400e "USB: use usb_endpoint_maxp() instead of le16_to_cpu()".

    Signed-off-by: Sarah Sharp
    Signed-off-by: Ben Hutchings

commit bc58aca952a4c965eb44d87e6765997031656272
Author: Sarah Sharp
Date:   Fri Jan 11 11:19:07 2013 -0800

    xhci: Fix isoc TD encoding.

    commit 760973d2a74b93eb1697981f7448f0e62767cfc4 upstream.

    An isochronous TD is comprised of one isochronous TRB chained to zero or more normal TRBs. Only the isoc TRB has the TBC and TLBPC fields. The normal TRBs must set those fields to zeroes. The code was setting the TBC and TLBPC fields for both isoc and normal TRBs. Fix this.

    This should be backported to stable kernels as old as 3.0, that contain the commit b61d378f2da41c748aba6ca19d77e1e1c02bcea5 "xhci 1.0: Set transfer burst last packet count field."
    Signed-off-by: Sarah Sharp
    Signed-off-by: Ben Hutchings

commit 60721982a634a2f88f2887fab3eab2853c6b7b0d
Author: Ben Hutchings
Date:   Thu Feb 7 05:28:14 2013 +0000

    drm/i915: Fix misplaced intel_mark_page_flip_active()

    In commit 28c4566d30b8, backport of commit e7d841ca03b7 ('drm/i915: Close race between processing unpin task and queueing the flip') I somehow added two calls to intel_mark_page_flip_active() from intel_gen4_queue_flip() and none from intel_gen6_queue_flip(). There should of course be one from each.

    Reported-by: Julien Cristau
    Cc: Chris Wilson
    Cc: Daniel Vetter
    Signed-off-by: Ben Hutchings
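
The TD size arithmetic from the "xhci: Fix TD size for isochronous URBs" commit message above, as an added C example; it is not the kernel's code. The helper names and mask constants are assumptions based on the USB 2.0 wMaxPacketSize layout (bits 10:0 packet size, bits 12:11 additional opportunities), and the second-TRB case extends the message's worked numbers.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed field layout of a high-speed isoc wMaxPacketSize value. */
#define MAXP_SIZE_MASK  0x07ffu  /* bits 10:0: max packet size in bytes */
#define MAXP_MULT_SHIFT 11       /* bits 12:11: additional opportunities */

static unsigned int div_round_up(unsigned int n, unsigned int d)
{
    return (n + d - 1) / d;
}

/* Build a raw wMaxPacketSize value (constructed demo input). */
uint16_t encode_wmaxpacketsize(unsigned int max_packet, unsigned int extra)
{
    return (uint16_t)(((extra & 0x3u) << MAXP_MULT_SHIFT) |
                      (max_packet & MAXP_SIZE_MASK));
}

/*
 * Packets still to transfer after the TRB ending at byte offset
 * bytes_through_trb of a TD of td_len bytes. With mask_mult_bits == 0
 * the raw field is used as the divisor (the behaviour the commit
 * message describes as the bug); with 1 the upper bits are masked off.
 */
unsigned int td_size(unsigned int td_len, unsigned int bytes_through_trb,
                     uint16_t wmaxp, int mask_mult_bits)
{
    unsigned int maxp = mask_mult_bits ? (wmaxp & MAXP_SIZE_MASK) : wmaxp;
    unsigned int total, done;

    if (maxp == 0)          /* malformed descriptor: avoid dividing by 0 */
        return 0;
    total = div_round_up(td_len, maxp);
    done = bytes_through_trb / maxp;
    return done >= total ? 0 : total - done;
}

int main(void)
{
    /* Numbers from the commit message: 1020-byte packets, 2 extra
     * opportunities, 3060-byte frame split into 1276 + 1784 byte TRBs. */
    uint16_t wmaxp = encode_wmaxpacketsize(1020, 2);
    unsigned int td_len = 3060, trb1 = 1276, trb2 = 1784;

    printf("raw wMaxPacketSize = %u\n", (unsigned int)wmaxp);
    printf("TRB1 unmasked: %u, masked: %u\n",
           td_size(td_len, trb1, wmaxp, 0),
           td_size(td_len, trb1, wmaxp, 1));
    printf("TRB2 unmasked: %u, masked: %u\n",
           td_size(td_len, trb1 + trb2, wmaxp, 0),
           td_size(td_len, trb1 + trb2, wmaxp, 1));
    return 0;
}
```

With the unmasked divisor the final TRB still reports one packet outstanding, so the error is not confined to the first TRB.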