commit 0bbbf93fb1ca152cc556aa80f83d653dd0bcb242 Author: Greg Kroah-Hartman Date: Wed Jul 9 10:52:25 2014 -0700 Linux 3.4.98 commit 50a28baa75d832d8f74e1f6bf7ca247eb92b77be Author: Hugh Dickins Date: Mon Jun 23 13:22:07 2014 -0700 mm: fix crashes from mbind() merging vmas commit d05f0cdcbe6388723f1900c549b4850360545201 upstream. In v2.6.34 commit 9d8cebd4bcd7 ("mm: fix mbind vma merge problem") introduced vma merging to mbind(), but it should have also changed the convention of passing start vma from queue_pages_range() (formerly check_range()) to new_vma_page(): vma merging may have already freed that structure, resulting in BUG at mm/mempolicy.c:1738 and probably worse crashes. Fixes: 9d8cebd4bcd7 ("mm: fix mbind vma merge problem") Reported-by: Naoya Horiguchi Tested-by: Naoya Horiguchi Signed-off-by: Hugh Dickins Acked-by: Christoph Lameter Cc: KOSAKI Motohiro Cc: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2bcdd4933ff4dc46445dcae93cb37c648283b782 Author: Naoya Horiguchi Date: Mon Jun 23 13:22:03 2014 -0700 hugetlb: fix copy_hugetlb_page_range() to handle migration/hwpoisoned entry commit 4a705fef986231a3e7a6b1a6d3c37025f021f49f upstream. There's a race between fork() and hugepage migration, as a result we try to "dereference" a swap entry as a normal pte, causing kernel panic. The cause of the problem is that copy_hugetlb_page_range() can't handle "swap entry" family (migration entry and hwpoisoned entry) so let's fix it. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Naoya Horiguchi Acked-by: Hugh Dickins Cc: Christoph Lameter Cc: [2.6.37+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 08ccce4afe13b2dcad0ac2a86b7bc138207814ff Author: Madhavan Srinivasan Date: Wed Oct 2 00:34:10 2013 +0530 powerpc/sysfs: Disable writing to PURR in guest mode commit d1211af3049f4c9c1d8d4eb8f8098cc4f4f0d0c7 upstream. arch/powerpc/kernel/sysfs.c exports PURR with write permission. This may be valid for kernel in phyp mode. But writing to the file in guest mode causes crash due to a priviledge violation Signed-off-by: Madhavan Srinivasan Signed-off-by: Benjamin Herrenschmidt [Backported to 3.4: adjust context] Signed-off-by: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit badd9b71c5651a687d042966a5fa8d195e9cffe4 Author: Gustavo Maciel Dias Vieira Date: Mon Mar 4 15:23:37 2013 +0000 ACPI video: ignore BIOS backlight value for HP dm4 commit 771d09b3c4c45d4d534a83a68e6331b97fd82e15 upstream. On a HP Pavilion dm4 laptop the BIOS sets minimum backlight on boot, completely dimming the screen. Ignore this initial value for this machine. Signed-off-by: Gustavo Maciel Dias Vieira Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings [wyj: Backported to 3.4: adjust context] Signed-off-by: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 9e1ba6fccd86b50c3d893e5128515f355df6b066 Author: Anton Blanchard Date: Sun Nov 17 11:39:05 2013 +1100 powerpc/pseries: Duplicate dtl entries sometimes sent to userspace commit 84b073868b9d9e754ae48b828337633d1b386482 upstream. When reading from the dispatch trace log (dtl) userspace interface, I sometimes see duplicate entries. One example: # hexdump -C dtl.out 00000000 07 04 00 0c 00 00 48 44 00 00 00 00 00 00 00 00 00000010 00 0c a0 b4 16 83 6d 68 00 00 00 00 00 00 00 00 00000020 00 00 00 00 10 00 13 50 80 00 00 00 00 00 d0 32 00000030 07 04 00 0c 00 00 48 44 00 00 00 00 00 00 00 00 00000040 00 0c a0 b4 16 83 6d 68 00 00 00 00 00 00 00 00 00000050 00 00 00 00 10 00 13 50 80 00 00 00 00 00 d0 32 The problem is in scan_dispatch_log() where we call dtl_consumer() but bail out before incrementing the index. To fix this I moved dtl_consumer() after the timebase comparison. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit a1ca0f8ee2e5874e309f2a9956e74edfdf541ce4 Author: Chen Gang Date: Mon Apr 22 17:12:54 2013 +0000 powerpc/pseries/lparcfg: Fix possible overflow are more than 1026 commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream. need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 0b36b7f617524596dc8900c1f8c3ab051c6b9dc5 Author: Paul E. McKenney Date: Tue Oct 1 17:11:35 2013 +1000 powerpc: Restore registers on error exit from csum_partial_copy_generic() commit 8f21bd0090052e740944f9397e2be5ac7957ded7 upstream. The csum_partial_copy_generic() function saves the PowerPC non-volatile r14, r15, and r16 registers for the main checksum-and-copy loop. Unfortunately, it fails to restore them upon error exit from this loop, which results in silent corruption of these registers in the presumably rare event of an access exception within that loop. This commit therefore restores these register on error exit from the loop. Signed-off-by: Paul E. McKenney Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt [bwh: Backported to 3.2: register name macros use lower-case 'r'] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 58b9385170d93957a0518d4ee9c4b1c5068bc7ef Author: Benjamin Herrenschmidt Date: Tue Aug 27 16:38:33 2013 +1000 powerpc: Don't Oops when accessing /proc/powerpc/lparcfg without hypervisor commit f5f6cbb61610b7bf9d9d96db9c3979d62a424bab upstream. /proc/powerpc/lparcfg is an ancient facility (though still actively used) which allows access to some informations relative to the partition when running underneath a PAPR compliant hypervisor. It makes no sense on non-pseries machines. However, currently, not only can it be created on these if the kernel has pseries support, but accessing it on such a machine will crash due to trying to do hypervisor calls. In fact, it should also not do HV calls on older pseries that didn't have an hypervisor either. Finally, it has the plumbing to be a module but is a "bool" Kconfig option. This fixes the whole lot by turning it into a machine_device_initcall that is only created on pseries, and adding the necessary hypervisor check before calling the H_GET_EM_PARMS hypercall Signed-off-by: Benjamin Herrenschmidt [bwh: Backported to 3.2: lparcfg_cleanup() was a bit different] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 1902a25fe0413d9ffc9565f243ef3d07170e9f61 Author: Chen Gang Date: Wed Mar 20 14:30:12 2013 +0800 powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries commit 8246aca7058f3f2c2ae503081777965cd8df7b90 upstream. the smp_release_cpus is a normal funciton and called in normal environments, but it calls the __initdata spinning_secondaries. need modify spinning_secondaries to match smp_release_cpus. the related warning: (the linker report boot_paca.33377, but it should be spinning_secondaries) ----------------------------------------------------------------------------- WARNING: arch/powerpc/kernel/built-in.o(.text+0x23176): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377 The function .smp_release_cpus() references the variable __initdata boot_paca.33377. This is often because .smp_release_cpus lacks a __initdata annotation or the annotation of boot_paca.33377 is wrong. WARNING: arch/powerpc/kernel/built-in.o(.text+0x231fe): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377 The function .smp_release_cpus() references the variable __initdata boot_paca.33377. This is often because .smp_release_cpus lacks a __initdata annotation or the annotation of boot_paca.33377 is wrong. ----------------------------------------------------------------------------- Signed-off-by: Chen Gang Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 1ee65967c7b587174a32f0d28e0ceff230650d43 Author: Paul Mackerras Date: Fri Jun 14 20:07:41 2013 +1000 powerpc: Fix emulation of illegal instructions on PowerNV platform commit bf593907f7236e95698a76b7c7a2bbf8b1165327 upstream. Normally, the kernel emulates a few instructions that are unimplemented on some processors (e.g. the old dcba instruction), or privileged (e.g. mfpvr). The emulation of unimplemented instructions is currently not working on the PowerNV platform. The reason is that on these machines, unimplemented and illegal instructions cause a hypervisor emulation assist interrupt, rather than a program interrupt as on older CPUs. Our vector for the emulation assist interrupt just calls program_check_exception() directly, without setting the bit in SRR1 that indicates an illegal instruction interrupt. This fixes it by making the emulation assist interrupt set that bit before calling program_check_interrupt(). With this, old programs that use no-longer implemented instructions such as dcba now work again. Signed-off-by: Paul Mackerras Signed-off-by: Benjamin Herrenschmidt [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit edc9d9afcedef8e1cdf43b8f95baa86a2daf0ad1 Author: Kevin McKinney Date: Mon Nov 12 22:20:30 2012 -0500 Staging: bcm: Add two products and remove an existing product. commit 4f29ef050848245f7c180b95ccf67dfcd76b1fd8 upstream. This patch adds two new products and modifies the device id table to include them. In addition, product of 0xbccd - BCM_USB_PRODUCT_ID_SM250 is removed because Beceem, ZTE, Sprint use this id for block devices. Reported-by: Muhammad Minhazul Haque Signed-off-by: Kevin McKinney [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit f3e786c7aac5c4ddd5fd3faf53f47f63d5377db4 Author: Kevin McKinney Date: Tue Sep 11 22:19:06 2012 -0400 Staging: bcm: Create and initialize new device id in InterfaceInit commit e66fc1fba248738d32f3b64508f9ef1176d9e767 upstream. This patch create and initalizes a new device id of 0x172 as reported by Rinat Camalov . In addition, a comment is added to the potential invalid existing device id. Reported-by: Rinat Camalov Signed-off-by: Kevin McKinney Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 8f668a072fbac9357815ef8af5a3b468267929b3 Author: Dan Carpenter Date: Tue Oct 29 23:00:15 2013 +0300 staging: wlags49_h2: buffer overflow setting station name commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream. We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit d4a64a9257d84e326e36fb793f0541fa0595ac83 Author: Ian Abbott Date: Fri Jul 5 16:49:34 2013 +0100 staging: comedi: fix a race between do_cmd_ioctl() and read/write commit 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 upstream. `do_cmd_ioctl()` is called with the comedi device's mutex locked to process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command handling on a comedi subdevice. `comedi_read()` and `comedi_write()` are the `read` and `write` handlers for the comedi device, but do not lock the mutex (for performance reasons, as some things can hold the mutex for quite a long time). There is a race condition if `comedi_read()` or `comedi_write()` is running at the same time and for the same file object and comedi subdevice as `do_cmd_ioctl()`. `do_cmd_ioctl()` sets the subdevice's `busy` pointer to the file object way before it sets the `SRF_RUNNING` flag in the subdevice's `runflags` member. `comedi_read() and `comedi_write()` check the subdevice's `busy` pointer is pointing to the current file object, then if the `SRF_RUNNING` flag is not set, will call `do_become_nonbusy()` to shut down the asyncronous command. Bad things can happen if the asynchronous command is being shutdown and set up at the same time. To prevent the race, don't set the `busy` pointer until after the `SRF_RUNNING` flag has been set. Also, make sure the mutex is held in `comedi_read()` and `comedi_write()` while calling `do_become_nonbusy()` in order to avoid moving the race condition to a point within that function. Change some error handling `goto cleanup` statements in `do_cmd_ioctl()` to simple `return -ERRFOO` statements as a result of changing when the `busy` pointer is set. Signed-off-by: Ian Abbott [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 2a6ae027c17987eeed85633ed9c3e84d957da70e Author: Ian Abbott Date: Fri Aug 31 20:41:29 2012 +0100 staging: comedi: das08: Correct AI encoding for das08jr-16-ao commit e6391a182865efc896cb2a8d79e07b7ac2f45b48 upstream. The element of `das08_boards[]` for the 'das08jr-16-ao' board has the `ai_encoding` member set to `das08_encode12`. It should be set to `das08_encode16` same as the 'das08jr/16' board. After all, this board has 16-bit AI resolution. The description of the A/D LSB register at offset 0 seems incorrect in the user manual "cio-das08jr-16-ao.pdf" as it implies that the AI resolution is only 12 bits. The diagrams of the A/D LSB and MSB registers show 15 data bits and a sign bit, which matches what the software expects for the `das08_encode16` AI encoding method. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust indentation] Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 0e4337b79778174128fcd785f353047384499d3e Author: Alex Hung Date: Mon May 6 08:23:43 2013 +0000 ACPI video: ignore BIOS initial backlight value for HP 1000 commit 4ef366c583d6180b1c951147869ee5a3038834f2 upstream. On HP 1000 lapops, BIOS reports minimum backlight on boot and causes backlight to dim completely. This ignores the initial backlight values and set to max brightness. References:: https://bugs.launchpad.net/bugs/1167760 Signed-off-by: Alex Hung Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 047cce410d083cf08de91bf76aa9bbdae989a285 Author: Bastian Triller Date: Sun May 19 11:52:33 2013 +0000 ACPI / video: Add "Asus UL30A" to ACPI video detect blacklist commit c8f6d8351ba8c89d5cd4c562552ec7ec29274e31 upstream. Like on UL30VT, the ACPI video driver can't control backlight correctly on Asus UL30A. Vendor driver (asus-laptop) can work. This patch is to add "Asus UL30A" to ACPI video detect blacklist in order to use asus-laptop for video control on the "Asus UL30A" rather than ACPI video driver. Signed-off-by: Bastian Triller Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 622c5c1435caee7f023de2e422f8e33d3996b9de Author: Lan Tianyu Date: Fri Nov 30 13:02:50 2012 +0100 ACPI / video: Add "Asus UL30VT" to ACPI video detect blacklist commit d0c2ce16bec0afa6013b4c5220ca4c9c67210215 upstream. The ACPI video driver can't control backlight correctly on Asus UL30VT. Vendor driver (asus-laptop) can work. This patch is to add "Asus UL30VT" to ACPI video detect blacklist in order to use asus-laptop for video control on the "Asus UL30VT" rather than ACPI video driver. References: https://bugzilla.kernel.org/show_bug.cgi?id=32592 Reported-by: Alex Williamson Signed-off-by: Lan Tianyu Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 89c9afdbdcfdc720fa6ce5acf3745dda6e81a7db Author: Corentin Chary Date: Wed Jun 13 09:32:04 2012 +0200 acpi/video_detect: blacklist samsung x360 commit 084940d5b101e9ca91a689eb5048151b14076839 upstream. On Samsung X360, the BIOS will set a flag (VDRV) if the generic ACPI backlight device is used. This flag will definitively break the backlight interface (even the vendor interface) untill next reboot. It's why we should prevent video.ko from being used here and we can't rely on a later call to acpi_video_unregister(). Signed-off-by: Corentin Chary Signed-off-by: Matthew Garrett Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 8e51d5ac0181d0b7229536fc7fd4c790865f2cdb Author: Mikulas Patocka Date: Tue Apr 8 21:52:05 2014 -0400 sym53c8xx_2: Set DID_REQUEUE return code when aborting squeue commit fd1232b214af43a973443aec6a2808f16ee5bf70 upstream. This patch fixes I/O errors with the sym53c8xx_2 driver when the disk returns QUEUE FULL status. When the controller encounters an error (including QUEUE FULL or BUSY status), it aborts all not yet submitted requests in the function sym_dequeue_from_squeue. This function aborts them with DID_SOFT_ERROR. If the disk has full tag queue, the request that caused the overflow is aborted with QUEUE FULL status (and the scsi midlayer properly retries it until it is accepted by the disk), but the sym53c8xx_2 driver aborts the following requests with DID_SOFT_ERROR --- for them, the midlayer does just a few retries and then signals the error up to sd. The result is that disk returning QUEUE FULL causes request failures. The error was reproduced on 53c895 with COMPAQ BD03685A24 disk (rebranded ST336607LC) with command queue 48 or 64 tags. The disk has 64 tags, but under some access patterns it return QUEUE FULL when there are less than 64 pending tags. The SCSI specification allows returning QUEUE FULL anytime and it is up to the host to retry. Signed-off-by: Mikulas Patocka Cc: Matthew Wilcox Cc: James Bottomley Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d3ef6557f0130b07ff09c962593b9cf51f9f6346 Author: NeilBrown Date: Wed Jul 2 12:04:14 2014 +1000 md: flush writes before starting a recovery. commit 133d4527eab8d199a62eee6bd433f0776842df2e upstream. When we write to a degraded array which has a bitmap, we make sure the relevant bit in the bitmap remains set when the write completes (so a 're-add' can quickly rebuilt a temporarily-missing device). If, immediately after such a write starts, we incorporate a spare, commence recovery, and skip over the region where the write is happening (because the 'needs recovery' flag isn't set yet), then that write will not get to the new device. Once the recovery finishes the new device will be trusted, but will have incorrect data, leading to possible corruption. We cannot set the 'needs recovery' flag when we start the write as we do not know easily if the write will be "degraded" or not. That depends on details of the particular raid level and particular write request. This patch fixes a corruption issue of long standing and so it suitable for any -stable kernel. It applied correctly to 3.0 at least and will minor editing to earlier kernels. Reported-by: Bill Tested-by: Bill Link: http://lkml.kernel.org/r/53A518BB.60709@sbcglobal.net Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 21057e4a4d6155e0594573e7d5d8dd7dcf537774 Author: Michal Nazarewicz Date: Fri Jun 13 15:38:05 2014 +0200 tools: ffs-test: fix header values endianess commit f35f71244da6e51db4e1f2c7e318581f498ececf upstream. It appears that no one ever run ffs-test on a big-endian machine, since it used cpu-endianess for fs_count and hs_count fields which should be in little-endian format. Fix by wrapping the numbers in cpu_to_le32. Signed-off-by: Michal Nazarewicz Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit a22a7e7ba7d3b7f4288bfde1f9ab552905366f32 Author: J. Bruce Fields Date: Thu Jun 19 16:44:48 2014 -0400 nfsd: fix rare symlink decoding bug commit 76f47128f9b33af1e96819746550d789054c9664 upstream. An NFS operation that creates a new symlink includes the symlink data, which is xdr-encoded as a length followed by the data plus 0 to 3 bytes of zero-padding as required to reach a 4-byte boundary. The vfs, on the other hand, wants null-terminated data. The simple way to handle this would be by copying the data into a newly allocated buffer with space for the final null. The current nfsd_symlink code tries to be more clever by skipping that step in the (likely) case where the byte following the string is already 0. But that assumes that the byte following the string is ours to look at. In fact, it might be the first byte of a page that we can't read, or of some object that another task might modify. Worse, the NFSv4 code tries to fix the problem by actually writing to that byte. In the NFSv2/v3 cases this actually appears to be safe: - nfs3svc_decode_symlinkargs explicitly null-terminates the data (after first checking its length and copying it to a new page). - NFSv2 limits symlinks to 1k. The buffer holding the rpc request is always at least a page, and the link data (and previous fields) have maximum lengths that prevent the request from reaching the end of a page. In the NFSv4 case the CREATE op is potentially just one part of a long compound so can end up on the end of a page if you're unlucky. The minimal fix here is to copy and null-terminate in the NFSv4 case. The nfsd_symlink() interface here seems too fragile, though. It should really either do the copy itself every time or just require a null-terminated string. Reported-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit a96a557e2573a81ca6d62e6c5a0cee119f25ef78 Author: Paolo Bonzini Date: Thu Jun 19 11:40:18 2014 +0200 KVM: x86: preserve the high 32-bits of the PAT register commit 7cb060a91c0efc5ff94f83c6df3ed705e143cdb9 upstream. KVM does not really do much with the PAT, so this went unnoticed for a long time. It is exposed however if you try to do rdmsr on the PAT register. Reported-by: Valentine Sinitsyn Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 80bbfbaa050a92ce9937904f5d937e7a9ca2b584 Author: Nadav Amit Date: Wed Jun 18 17:21:19 2014 +0300 KVM: x86: Increase the number of fixed MTRR regs to 10 commit 682367c494869008eb89ef733f196e99415ae862 upstream. Recent Intel CPUs have 10 variable range MTRRs. Since operating systems sometime make assumptions on CPUs while they ignore capability MSRs, it is better for KVM to be consistent with recent CPUs. Reporting more MTRRs than actually supported has no functional implications. Signed-off-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6e44d311e993f364bbf4d99e2b6beac25f03bdbe Author: Steve French Date: Sun Jun 22 20:38:49 2014 -0500 CIFS: fix mount failure with broken pathnames when smb3 mount with mapchars option commit ce36d9ab3bab06b7b5522f5c8b68fac231b76ffb upstream. When we SMB3 mounted with mapchars (to allow reserved characters : \ / > < * ? via the Unicode Windows to POSIX remap range) empty paths (eg when we open "" to query the root of the SMB3 directory on mount) were not null terminated so we sent garbarge as a path name on empty paths which caused SMB2/SMB2.1/SMB3 mounts to fail when mapchars was specified. mapchars is particularly important since Unix Extensions for SMB3 are not supported (yet) Signed-off-by: Steve French Reviewed-by: David Disseldorp Signed-off-by: Greg Kroah-Hartman commit 74be85d10748a196626d8c0e531c75c11d26ad95 Author: Rafał Miłecki Date: Thu Jun 12 22:28:22 2014 +0200 b43: fix frequency reported on G-PHY with /new/ firmware commit 2fc68eb122c7ea6cd5be1fe7d6650c0beb2f4f40 upstream. Support for firmware rev 508+ was added years ago, but we never noticed it reports channel in a different way for G-PHY devices. Instead of offset from 2400 MHz it simply passes channel id (AKA hw_value). So far it was (most probably) affecting monitor mode users only, but the following recent commit made it noticeable for quite everybody: commit 3afc2167f60a327a2c1e1e2600ef209a3c2b75b7 Author: Emmanuel Grumbach Date: Tue Mar 4 16:50:13 2014 +0200 cfg80211/mac80211: ignore signal if the frame was heard on wrong channel Reported-by: Aaro Koskinen Signed-off-by: Rafał Miłecki Tested-by: Aaro Koskinen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ba8f03aa4a5aced02df87e69737922eeb14a7350 Author: David R. Piegdon Date: Mon Jun 16 23:42:51 2014 +0000 ARM: OMAP2+: Fix parser-bug in platform muxing code commit c021f241f4fab2bb4fc4120a38a828a03dd3f970 upstream. Fix a parser-bug in the omap2 muxing code where muxtable-entries will be wrongly selected if the requested muxname is a *prefix* of their m0-entry and they have a matching mN-entry. Fix by additionally checking that the length of the m0_entry is equal. For example muxing of "dss_data2.dss_data2" on omap32xx will fail because the prefix "dss_data2" will match the mux-entries "dss_data2" as well as "dss_data20", with the suffix "dss_data2" matching m0 (for dss_data2) and m4 (for dss_data20). Thus both are recognized as signal path candidates: Relevant muxentries from mux34xx.c: _OMAP3_MUXENTRY(DSS_DATA20, 90, "dss_data20", NULL, "mcspi3_somi", "dss_data2", "gpio_90", NULL, NULL, "safe_mode"), _OMAP3_MUXENTRY(DSS_DATA2, 72, "dss_data2", NULL, NULL, NULL, "gpio_72", NULL, NULL, "safe_mode"), This will result in a failure to mux the pin at all: _omap_mux_get_by_name: Multiple signal paths (2) for dss_data2.dss_data2 Patch should apply to linus' latest master down to rather old linux-2.6 trees. Signed-off-by: David R. Piegdon Cc: stable@vger.kernel.org [tony@atomide.com: updated description to include full description] Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit dc0bfd69158e4eb64d8ca75ed382b5215f3461c1 Author: Arik Nemtsov Date: Mon May 26 14:40:51 2014 +0300 mac80211: don't check netdev state for debugfs read/write commit 923eaf367206e01f22c97aee22300e332d071916 upstream. Doing so will lead to an oops for a p2p-dev interface, since it has no netdev. Signed-off-by: Arik Nemtsov Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit eb688f6a4b6090dbcdccc935cf074618c0f421c1 Author: Syam Sidhardhan Date: Thu Apr 12 20:33:17 2012 +0530 Bluetooth: Remove unused hci_le_ltk_reply() commit e10b9969f217c948c5523045f44eba4d3a758ff0 upstream. In this API, we were using sizeof operator for an array given as function argument, which is invalid. However this API is not used anywhere. Signed-off-by: Syam Sidhardhan Signed-off-by: Gustavo Padovan Signed-off-by: Greg Kroah-Hartman commit bc96ff59b2f19e924d9e15e24cee19723d674b92 Author: Johan Hedberg Date: Mon Jun 9 13:58:14 2014 +0300 Bluetooth: Fix SSP acceptor just-works confirmation without MITM commit ba15a58b179ed76a7e887177f2b06de12c58ec8f upstream. From the Bluetooth Core Specification 4.1 page 1958: "if both devices have set the Authentication_Requirements parameter to one of the MITM Protection Not Required options, authentication stage 1 shall function as if both devices set their IO capabilities to DisplayOnly (e.g., Numeric comparison with automatic confirmation on both devices)" So far our implementation has done user confirmation for all just-works cases regardless of the MITM requirements, however following the specification to the word means that we should not be doing confirmation when neither side has the MITM flag set. Signed-off-by: Johan Hedberg Tested-by: Szymon Janc Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 1dbae5d755c36ab7932f9282ff146cf1fe698ade Author: Thomas Hellstrom Date: Wed Jul 2 15:47:04 2014 +0200 drm/vmwgfx: Fix incorrect write to read-only register v2: commit 4e578080ed3262ed2c3985868539bc66218d25c0 upstream. Commit "drm/vmwgfx: correct fb_fix_screeninfo.line_length", while fixing a vmwgfx fbdev bug, also writes the pitch to a supposedly read-only register: SVGA_REG_BYTES_PER_LINE, while it should be (and also in fact is) written to SVGA_REG_PITCHLOCK. This patch is Cc'd stable because of the unknown effects writing to this register might have, particularly on older device versions. v2: Updated log message. Cc: Christopher Friedt Tested-by: Christopher Friedt Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz Signed-off-by: Greg Kroah-Hartman commit 822780ca251deec5c3d61da9568f9f64a79233e4 Author: Alex Deucher Date: Tue May 27 16:40:51 2014 -0400 drm/radeon/atom: fix dithering on certain panels commit 642528355c694f5ed68f6bff9ff520326a249f99 upstream. We need to specify the encoder mode as LVDS for eDP when using the Crtc_Source atom table in order to properly set up the FMT hardware. bug: https://bugs.freedesktop.org/show_bug.cgi?id=73911 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 91b75cbadcefa1a3c5d0da57c442b23b61507aae Author: Alex Deucher Date: Tue May 27 13:11:36 2014 -0400 drm/radeon: fix typo in radeon_connector_is_dp12_capable() commit af5d36539dfe043f1cf0f8b7334d6bb12cd14e75 upstream. We were checking the ext clock rather than the display clock. Noticed by ArtForz on IRC. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit b04837090f3e97facdc59104a5aee1873769ae13 Author: Alex Deucher Date: Mon Apr 21 21:45:09 2014 -0400 drm/radeon: only apply hdmi bpc pll flags when encoder mode is hdmi commit 7d5ab3009a8ca777174f6f469277b3922d56fd4b upstream. May fix display issues with non-HDMI displays. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit c27517de002506599c8eeb75ad4d1fa5f9204496 Author: Thomas Petazzoni Date: Thu May 22 14:56:52 2014 +0200 mtd: pxa3xx_nand: make the driver work on big-endian systems commit b7e460624f0f3c31150f3b09e75b0d009e22ba5f upstream. The pxa3xx_nand driver currently uses __raw_writel() and __raw_readl() to access I/O registers. However, those functions do not do any endianness swapping, which means that they won't work when the CPU runs in big-endian but the I/O registers are little endian, which is the common situation for ARM systems running big endian. Since __raw_writel() and __raw_readl() do not include any memory barriers and the pxa3xx_nand driver can only be compiled for ARM platforms, the closest I/o accessors functions that do endianess swapping are writel_relaxed() and readl_relaxed(). This patch has been verified to work on Armada XP GP: without the patch, the NAND is not detected when the kernel runs big endian while it is properly detected when the kernel runs little endian. With the patch applied, the NAND is properly detected in both situations (little and big endian). Signed-off-by: Thomas Petazzoni Signed-off-by: Brian Norris Signed-off-by: Greg Kroah-Hartman commit 53a7d50b755b1a71b0cfcebe22fa9175149d9d52 Author: Stanislaw Gruszka Date: Mon Jun 16 18:45:15 2014 +0200 rt2x00: fix rfkill regression on rt2500pci commit 616a8394b5df8c88f4dd416f4527439a4e365034 upstream. As reported by Niels, starting rfkill polling during device probe (commit e2bc7c5, generally sane change) broke rfkill on rt2500pci device. I considered that bug as some initalization issue, which should be fixed on rt2500pci specific code. But after several attempts (see bug report for details) we fail to find working solution. Hence I decided to revert to old behaviour on rt2500pci to fix regression. Additionally patch also unregister rfkill on device remove instead of ifconfig down, what was another issue introduced by bad commit. Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=73821 Fixes: e2bc7c5f3cb8 ("rt2x00: Fix rfkill_polling register function.") Bisected-by: Niels Reported-and-tested-by: Niels Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2160caddb9166f02b0ea73b220aaa5df0a51db91 Author: Stanislaw Gruszka Date: Tue Jun 10 12:51:06 2014 +0200 rt2x00: disable TKIP on USB commit 8edcb0ba0d56f5914eef11eda6db8bfe74eb9ca8 upstream. On USB we can not get atomically TKIP key. We have to disable support for TKIP acceleration on USB hardware to avoid bug as showed bellow. [ 860.827243] BUG: scheduling while atomic: hostapd/3397/0x00000002 [ 860.827280] Call Trace: [ 860.827282] [] dump_stack+0x4d/0x66 [ 860.827284] [] __schedule_bug+0x47/0x55 [ 860.827285] [] __schedule+0x733/0x7b0 [ 860.827287] [] schedule+0x29/0x70 [ 860.827289] [] schedule_timeout+0x15a/0x2b0 [ 860.827291] [] ? ftrace_raw_event_tick_stop+0xc0/0xc0 [ 860.827294] [] ? __module_text_address+0x12/0x70 [ 860.827296] [] wait_for_completion_timeout+0xb3/0x140 [ 860.827298] [] ? wake_up_state+0x20/0x20 [ 860.827301] [] usb_start_wait_urb+0x7d/0x150 [ 860.827303] [] usb_control_msg+0xc5/0x110 [ 860.827305] [] rt2x00usb_vendor_request+0xc6/0x160 [rt2x00usb] [ 860.827307] [] rt2x00usb_vendor_req_buff_lock+0x75/0x150 [rt2x00usb] [ 860.827309] [] rt2x00usb_vendor_request_buff+0xa3/0xe0 [rt2x00usb] [ 860.827311] [] rt2x00usb_register_multiread+0x33/0x40 [rt2800usb] [ 860.827314] [] rt2800_get_tkip_seq+0x39/0x50 [rt2800lib] [ 860.827321] [] ieee80211_get_key+0x218/0x2a0 [mac80211] [ 860.827322] [] ? __nlmsg_put+0x6c/0x80 [ 860.827329] [] nl80211_get_key+0x22e/0x360 [cfg80211] Reported-and-tested-by: Peter Wu Reported-and-tested-by: Pontus Fuchs Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 005564fb1a1d98ae98e720f283e15275e5734562 Author: Michal Nazarewicz Date: Tue Jun 17 17:47:41 2014 +0200 usb: gadget: f_fs: fix NULL pointer dereference when there are no strings commit f0688c8b81d2ea239c3fb0b848f623b579238d99 upstream. If the descriptors do not need any strings and user space sends empty set of strings, the ffs->stringtabs field remains NULL. Thus *ffs->stringtabs in functionfs_bind leads to a NULL pointer dereferenece. The bug was introduced by commit [fd7c9a007f: “use usb_string_ids_n()”]. While at it, remove double initialisation of lang local variable in that function. ffs->strings_count does not need to be checked in any way since in the above scenario it will remain zero and usb_string_ids_n() is a no-operation when colled with 0 argument. Signed-off-by: Michal Nazarewicz Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d539a0515798a3790eaa4a898746fc105be237b0 Author: Johan Hovold Date: Thu Jun 5 16:05:52 2014 +0200 USB: ftdi_sio: fix null deref at port probe commit aea1ae8760314e072bf1b773521e9de5d5dda10d upstream. Fix NULL-pointer dereference when probing an interface with no endpoints. These devices have two bulk endpoints per interface, but this avoids crashing the kernel if a user forces a non-FTDI device to be probed. Note that the iterator variable was made unsigned in order to avoid a maybe-uninitialized compiler warning for ep_desc after the loop. Fixes: 895f28badce9 ("USB: ftdi_sio: fix hi-speed device packet size calculation") Reported-by: Mike Remski Tested-by: Mike Remski Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1d4cd89665c5a7e594cd1bbd5fac776c039ad62d Author: Bjørn Mork Date: Fri Jun 6 17:25:56 2014 +0200 usb: option: add/modify Olivetti Olicard modems commit b0ebef36e93703e59003ad6a1a20227e47714417 upstream. Adding a couple of Olivetti modems and blacklisting the net function on a couple which are already supported. Reported-by: Lars Melin Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1bd617ea5c556d7cb0fd619abd5a742cf15ba197 Author: Oliver Neukum Date: Tue May 20 16:27:40 2014 +0200 USB: option: add device ID for SpeedUp SU9800 usb 3g modem commit 1cab4c68e339086cdaff7535848e878e8f261fca upstream. Reported by Alif Mubarak Ahmad: This device vendor and product id is 1c9e:9800 It is working as serial interface with generic usbserial driver. I thought it is more suitable to use usbserial option driver, which has better capability distinguishing between modem serial interface and micro sd storage interface. [ johan: style changes ] Signed-off-by: Oliver Neukum Tested-by: Alif Mubarak Ahmad Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 3943a08b97f2e36e01172d1f321e43c8067c9094 Author: Bjørn Mork Date: Wed Oct 31 06:08:39 2012 +0100 USB: add USB_DEVICE_INTERFACE_CLASS macro commit 17b72feb2be14e6d37023267dc0e199e8e0e3fdc upstream. Matching on device and interface class with with unspecified subclass and protocol is sometimes useful. This is slightly different from USB_DEVICE_AND_INTERFACE_INFO which requires the full interface class/subclass/protocol triplet. Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 939a3a4989f3210a20f5e68734896c43d9b6ae6c Author: Wang, Yu Date: Tue Jun 24 17:14:44 2014 +0300 xhci: Fix runtime suspended xhci from blocking system suspend. commit d6236f6d1d885aa19d1cd7317346fe795227a3cc upstream. The system suspend flow as following: 1, Freeze all user processes and kenrel threads. 2, Try to suspend all devices. 2.1, If pci device is in RPM suspended state, then pci driver will try to resume it to RPM active state in the prepare stage. 2.2, xhci_resume function calls usb_hcd_resume_root_hub to queue two workqueue items to resume usb2&usb3 roothub devices. 2.3, Call suspend callbacks of devices. 2.3.1, All suspend callbacks of all hcd's children, including roothub devices are called. 2.3.2, Finally, hcd_pci_suspend callback is called. Due to workqueue threads were already frozen in step 1, the workqueue items can't be scheduled, and the roothub devices can't be resumed in this flow. The HCD_FLAG_WAKEUP_PENDING flag which is set in usb_hcd_resume_root_hub won't be cleared. Finally, hcd_pci_suspend will return -EBUSY, and system suspend fails. The reason why this issue doesn't show up very often is due to that choose_wakeup will be called in step 2.3.1. In step 2.3.1, if udev->do_remote_wakeup is not equal to device_may_wakeup(&udev->dev), then udev will resume to RPM active for changing the wakeup settings. This has been a lucky hit which hides this issue. For some special xHCI controllers which have no USB2 port, then roothub will not match hub driver due to probe failed. Then its do_remote_wakeup will be set to zero, and we won't be as lucky. xhci driver doesn't need to resume roothub devices everytime like in the above case. It's only needed when there are pending event TRBs. This patch should be back-ported to kernels as old as 3.2, that contains the commit f69e3120df82391a0ee8118e0a156239a06b2afb "USB: XHCI: resume root hubs when the controller resumes" Signed-off-by: Wang, Yu Acked-by: Alan Stern [use readl() instead of removed xhci_readl(), reword commit message -Mathias] Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 4d7311944326ccf5977b059df7e90527a1e4ec42 Author: Mathias Nyman Date: Tue Jun 24 17:14:41 2014 +0300 xhci: correct burst count field for isoc transfers on 1.0 xhci hosts commit 3213b151387df0b95f4eada104f68eb1c1409cb3 upstream. The transfer burst count (TBC) field in xhci 1.0 hosts should be set to the number of bursts needed to transfer all packets in a isoc TD. Supported values are 0-2 (1 to 3 bursts per service interval). Formula for TBC calculation is given in xhci spec section 4.11.2.3: TBC = roundup( Transfer Descriptor Packet Count / Max Burst Size +1 ) - 1 This patch should be applied to stable kernels since 3.0 that contain the commit 5cd43e33b9519143f06f507dd7cbee6b7a621885 "xhci 1.0: Set transfer burst count field." Suggested-by: ShiChun Ma Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 7c4b5ebdfde09bfa83f0b46802fc8c846f072e0f Author: Brian King Date: Fri May 23 10:52:10 2014 -0500 ibmvscsi: Abort init sequence during error recovery commit 9ee755974bea2f9880e517ec985dc9dede1b3a36 upstream. If a CRQ reset is triggered for some reason while in the middle of performing VSCSI adapter initialization, we don't want to call the done function for the initialization MAD commands as this will only result in two threads attempting initialization at the same time, resulting in failures. Signed-off-by: Brian King Acked-by: Nathan Fontenot Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman