[ceph-commit] [ceph/ceph-client] c84299: Tools: hv: verify origin of netlink connector mess...

GitHub noreply at github.com
Tue Jul 17 05:59:23 PDT 2012


  Branch: refs/heads/linux-3.4.5-ceph
  Home:   https://github.com/ceph/ceph-client
  Commit: c84299b8ddb3de60ac857aee396d709346eed27f
      https://github.com/ceph/ceph-client/commit/c84299b8ddb3de60ac857aee396d709346eed27f
  Author: Olaf Hering <olaf at aepfle.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M tools/hv/hv_kvp_daemon.c

  Log Message:
  -----------
  Tools: hv: verify origin of netlink connector message

commit bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c upstream.

The SuSE security team suggested to use recvfrom instead of recv to be
certain that the connector message is originated from kernel.

CVE-2012-2669

Signed-off-by: Olaf Hering <olaf at aepfle.de>
Signed-off-by: Marcus Meissner <meissner at suse.de>
Signed-off-by: Sebastian Krahmer <krahmer at suse.de>
Signed-off-by: K. Y. Srinivasan <kys at microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c1389ce1e02c1e1f617d7cf70852ad5d9f9ef355
      https://github.com/ceph/ceph-client/commit/c1389ce1e02c1e1f617d7cf70852ad5d9f9ef355
  Author: Stephen Warren <swarren at nvidia.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/arm/mach-tegra/reset.c

  Log Message:
  -----------
  ARM: tegra: make tegra_cpu_reset_handler_enable() __init

commit 6355f25ed965421725d92cf719fc63008690ca1c upstream.

This solves a section mismatch warning. I hadn't noticed this before,
because my compiler was inlining tegra_cpu_reset_handler_enable() inside
tegra_cpu_reset_handler_init(), which is already __init, but I switched
compilers and it stopped doing that.

Signed-off-by: Stephen Warren <swarren at nvidia.com>
Signed-off-by: Olof Johansson <olof at lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: e4508b4cb7402c66e6f5a16df954bdff20b673b9
      https://github.com/ceph/ceph-client/commit/e4508b4cb7402c66e6f5a16df954bdff20b673b9
  Author: David Henningsson <david.henningsson at canonical.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M sound/pci/hda/patch_realtek.c

  Log Message:
  -----------
  ALSA: hda - Add Realtek ALC280 codec support

commit befae82e2906cb7155020876a531b0b8c6c8d8c8 upstream.

This chip looks very similar to ALC269 and ALC27* variants. The bug reporter
has verified that sound was working after this patch had been applied.

BugLink: https://bugs.launchpad.net/bugs/1017017
Tested-by: Richard Crossley <richardcrossley at o2.co.uk>
Signed-off-by: David Henningsson <david.henningsson at canonical.com>
Signed-off-by: Takashi Iwai <tiwai at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 354e550aab1074eaa87f0db4404f0edeab3ec591
      https://github.com/ceph/ceph-client/commit/354e550aab1074eaa87f0db4404f0edeab3ec591
  Author: Takashi Iwai <tiwai at suse.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M sound/pci/hda/hda_codec.c

  Log Message:
  -----------
  ALSA: hda - Fix memory leaks at module unload

commit 59cad16bc6deb85bd2a464da92bbaae289f0286f upstream.

Some caches aren't released properly at module unloading time.

Signed-off-by: Takashi Iwai <tiwai at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 9fe9217b874769f0b42bc4f8de4fc3df785e9ef3
      https://github.com/ceph/ceph-client/commit/9fe9217b874769f0b42bc4f8de4fc3df785e9ef3
  Author: Takashi Iwai <tiwai at suse.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M sound/pci/hda/patch_sigmatel.c

  Log Message:
  -----------
  ALSA: hda - Fix power-map regression for HP dv6 & co

commit 6e1c39c6b00d9141a82c231ba7c5e5b1716974b2 upstream.

The recent fix for power-map controls (commit b0791dda813) caused
regressions on some other HP laptops.  They have fixed pins but these
pins are exposed as jack-detectable.  Thus the driver tries to control
the power-map dynamically per jack detection where it never gets on.

This patch corrects the condition check for fixed pins so that the
power-map is set always for these pins.

NOTE: this is no simple backport from 3.5 kernel.  Since 3.5 kernel
had significant code change in the relevant part, I fixed this
differently.

BugLink: http://bugs.launchpad.net/bugs/1013183
Reported-by: Luis Henriques <luis.henriques at canonical.com>
Signed-off-by: Takashi Iwai <tiwai at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 3f8d5752c3926dab96e00bfb5d0c8e2f015a975e
      https://github.com/ceph/ceph-client/commit/3f8d5752c3926dab96e00bfb5d0c8e2f015a975e
  Author: Steven Rostedt <rostedt at goodmis.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/kernel/irq.c

  Log Message:
  -----------
  powerpc/ftrace: Do not trace restore_interrupts()

commit 2d773aa4810d4a612d1c879faacc38594cc3f841 upstream.

As I was adding code that affects all archs, I started testing function
tracer against PPC64 and found that it currently locks up with 3.4
kernel. I figured it was due to tracing a function that shouldn't be, so
I went through the following process to bisect to find the culprit:

 cat /debug/tracing/available_filter_functions > t
 num=`wc -l t`
 sed -ne "1,${num}p" t > t1
 let num=num+1
 sed -ne "${num},$p" t > t2
 cat t1 > /debug/tracing/set_ftrace_filter
 echo function /debug/tracing/current_tracer
 <failed? bisect t1, if not bisect t2>

It finally came down to this function: restore_interrupts()

I'm not sure why this locks up the system. It just seems to prevent
scheduling from occurring. Interrupts seem to still work, as I can ping
the box. But all user processes freeze.

When restore_interrupts() is not traced, function tracing works fine.

Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 3fb55c2a681f7618c828b5853abc27f86d7e9fe1
      https://github.com/ceph/ceph-client/commit/3fb55c2a681f7618c828b5853abc27f86d7e9fe1
  Author: Michael Neuling <mikey at neuling.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/mm/numa.c

  Log Message:
  -----------
  powerpc: Fix uninitialised error in numa.c

commit 82b2521d257b5c0efd51821cf5fa306e53bbb6ba upstream.

chroma_defconfig currently gives me this with gcc 4.6:
  arch/powerpc/mm/numa.c:638:13: error: 'dm' may be used uninitialized in this function [-Werror=uninitialized]

It's a bogus warning/error since of_get_drconf_memory() only writes it
anyway.

Signed-off-by: Michael Neuling <mikey at neuling.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8057f6c444173496806618f2fe173c2f02fb3995
      https://github.com/ceph/ceph-client/commit/8057f6c444173496806618f2fe173c2f02fb3995
  Author: Michael Neuling <mikey at neuling.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/platforms/pseries/iommu.c

  Log Message:
  -----------
  powerpc/pseries: Fix software invalidate TCE

commit bc6dc752f35488160ffac07ae91bed1bddaea32a upstream.

The following added support for powernv but broke pseries/BML:
 1f1616e powerpc/powernv: Add TCE SW invalidation support

TCE_PCI_SW_INVAL was split into FREE and CREATE flags but the tests in
the pseries code were not updated to reflect this.

Signed-off-by: Michael Neuling <mikey at neuling.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: ee1602ff18545ddf7f19638fb350e4eec2030c0d
      https://github.com/ceph/ceph-client/commit/ee1602ff18545ddf7f19638fb350e4eec2030c0d
  Author: Anton Blanchard <anton at samba.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/include/asm/hw_irq.h
    M arch/powerpc/platforms/pseries/processor_idle.c

  Log Message:
  -----------
  powerpc: check_and_cede_processor() never cedes

commit 0b17ba7258db83cd02da560884e053b85de371f2 upstream.

Commit f948501b36c6 ("Make hard_irq_disable() actually hard-disable
interrupts") caused check_and_cede_processor to stop working.
->irq_happened will never be zero right after a hard_irq_disable
so the compiler removes the call to cede_processor completely.

The bug was introduced back in the lazy interrupt handling rework
of 3.4 but was hidden until recently because hard_irq_disable did
nothing.

This issue will eventually appear in 3.4 stable since the
hard_irq_disable fix is marked stable, so mark this one for stable
too.

Signed-off-by: Anton Blanchard <anton at samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7abbc8e46545b3c98734484b4fbfaf849ed29c27
      https://github.com/ceph/ceph-client/commit/7abbc8e46545b3c98734484b4fbfaf849ed29c27
  Author: Jose Miguel Goncalves <jose.goncalves at inov.pt>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/arm/plat-samsung/include/plat/map-s3c.h

  Log Message:
  -----------
  ARM: SAMSUNG: Fix for S3C2412 EBI memory mapping

commit 3dca938656c7b0ff6b0717a5dde0f5f45e592be5 upstream.

While upgrading the kernel on a S3C2412 based board I've noted
that it was impossible to boot the board with a 2.6.32 or upper
kernel. I've tracked down the problem to the EBI virtual memory
mapping that is in conflict with the IO mapping definition in
arch/arm/mach-s3c24xx/s3c2412.c.

Signed-off-by: Jose Miguel Goncalves <jose.goncalves at inov.pt>
Signed-off-by: Kukjin Kim <kgene.kim at samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 45500e587ad1c2ea809c52961675c4eb9befcab5
      https://github.com/ceph/ceph-client/commit/45500e587ad1c2ea809c52961675c4eb9befcab5
  Author: Jonghwan Choi <jhbird.choi at samsung.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/arm/plat-samsung/include/plat/watchdog-reset.h

  Log Message:
  -----------
  ARM: SAMSUNG: Should check for IS_ERR(clk) instead of NULL

commit a5d8f4765f0e92ef027492a8cb979c5b8d45f2c3 upstream.

On the error condition clk_get() returns ERR_PTR().

Signed-off-by: Jonghwan Choi <jhbird.choi at samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim at samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 937bff779cd840aca9f74dd7f2d43dafad3979bb
      https://github.com/ceph/ceph-client/commit/937bff779cd840aca9f74dd7f2d43dafad3979bb
  Author: Nicolas Pitre <nicolas.pitre at linaro.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/arm/mm/mmu.c

  Log Message:
  -----------
  ARM: 7438/1: fill possible PMD empty section gaps

commit 19b52abe3c5d759661500a1dc810924369b2ad46 upstream.

On ARM with the 2-level page table format, a PMD entry is represented by
two consecutive section entries covering 2MB of virtual space.

However, static mappings always were allowed to use separate 1MB section
entries.  This means in practice that a static mapping may create half
populated PMDs via create_mapping().

Since commit 0536bdf33f (ARM: move iotable mappings within the vmalloc
region) those static mappings are located in the vmalloc area. We must
ensure no such half populated PMDs are accessible once vmalloc() or
ioremap() start looking at the vmalloc area for nearby free virtual
address ranges, or various things leading to a kernel crash will happen.

Signed-off-by: Nicolas Pitre <nico at linaro.org>
Reported-by: Santosh Shilimkar <santosh.shilimkar at ti.com>
Tested-by: "R, Sricharan" <r.sricharan at ti.com>
Reviewed-by: Catalin Marinas <catalin.marinas at arm.com>
Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 9b385370031c7880d19ce46849d3768aa30b3e09
      https://github.com/ceph/ceph-client/commit/9b385370031c7880d19ce46849d3768aa30b3e09
  Author: Michael Neuling <mikey at neuling.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/kvm/book3s_hv_rmhandlers.S

  Log Message:
  -----------
  powerpc/kvm: sldi should be sld

commit 2f584a146a2965b82fce89b8d2f95dc5cfe468d0 upstream.

Since we are taking a registers, this should never have been an sldi.
Talking to paulus offline, this is the correct fix.

Was introduced by:
 commit 19ccb76a1938ab364a412253daec64613acbf3df
 Author: Paul Mackerras <paulus at samba.org>
 Date:   Sat Jul 23 17:42:46 2011 +1000

Talking to paulus, this shouldn't be a literal.

Signed-off-by: Michael Neuling <mikey at neuling.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7e9356ed7ba29f1f76d7b5fae6b3c9f128663741
      https://github.com/ceph/ceph-client/commit/7e9356ed7ba29f1f76d7b5fae6b3c9f128663741
  Author: Anton Blanchard <anton at samba.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/xmon/xmon.c

  Log Message:
  -----------
  powerpc/xmon: Use cpumask iterator to avoid warning

commit bc1d7702910c7c7e88eb60b58429dbfe293683ce upstream.

We have a bug report where the kernel hits a warning in the cpumask
code:

WARNING: at include/linux/cpumask.h:107

Which is:
  WARN_ON_ONCE(cpu >= nr_cpumask_bits);

The backtrace is:
  cpu_cmd
  cmds
  xmon_core
  xmon
  die

xmon is iterating through 0 to NR_CPUS. I'm not sure why we are still
open coding this but iterating above nr_cpu_ids is definitely a bug.

This patch iterates through all possible cpus, in case we issue a
system reset and CPUs in an offline state call in.

Perhaps the old code was trying to handle CPUs that were in the
partition but were never started (eg kexec into a kernel with an
nr_cpus= boot option). They are going to die way before we get into
xmon since we haven't set any kernel state up for them.

Signed-off-by: Anton Blanchard <anton at samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8f5b330048b06ca0e2ffa88300922808ebc2b93f
      https://github.com/ceph/ceph-client/commit/8f5b330048b06ca0e2ffa88300922808ebc2b93f
  Author: Michael Krufky <mkrufky at linuxtv.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/media/dvb/siano/smsusb.c

  Log Message:
  -----------
  media: smsusb: add autodetection support for USB ID 2040:f5a0

commit 3e1141e2ce5667301a74ca2ef396d9bd5e995f7f upstream.

Signed-off-by: Michael Krufky <mkrufky at linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 19d07e884b7fd22f92eb8939556dcbf55df1982c
      https://github.com/ceph/ceph-client/commit/19d07e884b7fd22f92eb8939556dcbf55df1982c
  Author: Hiroaki SHIMODA <shimoda.hiroaki at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M lib/dynamic_queue_limits.c

  Log Message:
  -----------
  bql: Fix POSDIFF() to integer overflow aware.

[ Upstream commit 0cfd32b736ae0c36b42697584811042726c07cba ]

POSDIFF() fails to take into account integer overflow case.

Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki at gmail.com>
Cc: Tom Herbert <therbert at google.com>
Cc: Eric Dumazet <eric.dumazet at gmail.com>
Cc: Denys Fedoryshchenko <denys at visp.net.lb>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 1414a53d956340ca8b1b27e05ab94ba63e82ed97
      https://github.com/ceph/ceph-client/commit/1414a53d956340ca8b1b27e05ab94ba63e82ed97
  Author: Hiroaki SHIMODA <shimoda.hiroaki at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M lib/dynamic_queue_limits.c

  Log Message:
  -----------
  bql: Avoid unneeded limit decrement.

[ Upstream commit 25426b794efdc70dde7fd3134dc56fac3e7d562d ]

When below pattern is observed,
                                          TIME
       dql_queued()         dql_completed()     |
      a) initial state                          |
                                          |
      b) X bytes queued                         V

      c) Y bytes queued
                     d) X bytes completed
      e) Z bytes queued
                     f) Y bytes completed

a) dql->limit has already some value and there is no in-flight packet.
b) X bytes queued.
c) Y bytes queued and excess limit.
d) X bytes completed and dql->prev_ovlimit is set and also
   dql->prev_num_queued is set Y.
e) Z bytes queued.
f) Y bytes completed. inprogress and prev_inprogress are true.

At f), according to the comment, all_prev_completed becomes
true and limit should be increased. But POSDIFF() ignores
(completed == dql->prev_num_queued) case, so limit is decreased.

Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki at gmail.com>
Cc: Tom Herbert <therbert at google.com>
Cc: Eric Dumazet <eric.dumazet at gmail.com>
Cc: Denys Fedoryshchenko <denys at visp.net.lb>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4f4bdaeb40df95499c1ee7ea3fbca9d76174a59e
      https://github.com/ceph/ceph-client/commit/4f4bdaeb40df95499c1ee7ea3fbca9d76174a59e
  Author: Hiroaki SHIMODA <shimoda.hiroaki at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M lib/dynamic_queue_limits.c

  Log Message:
  -----------
  bql: Avoid possible inconsistent calculation.

[ Upstream commit 914bec1011a25f65cdc94988a6f974bfb9a3c10d ]

dql->num_queued could change while processing dql_completed().
To provide consistent calculation, added an on stack variable.

Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki at gmail.com>
Cc: Tom Herbert <therbert at google.com>
Cc: Eric Dumazet <eric.dumazet at gmail.com>
Cc: Denys Fedoryshchenko <denys at visp.net.lb>
Signed-off-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 31fab24bd9cdb9733383cbf9732cda1649f2a760
      https://github.com/ceph/ceph-client/commit/31fab24bd9cdb9733383cbf9732cda1649f2a760
  Author: Jason Wang <jasowang at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/core/sock.c

  Log Message:
  -----------
  net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

[ Upstream commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc ]

We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.

Signed-off-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6fc5186c0628a5dfcfdbc9355bad225613fa7618
      https://github.com/ceph/ceph-client/commit/6fc5186c0628a5dfcfdbc9355bad225613fa7618
  Author: Paul Moore <pmoore at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/net/cipso_ipv4.h

  Log Message:
  -----------
  cipso: handle CIPSO options correctly when NetLabel is disabled

[ Upstream commit 20e2a86485967c385d7c7befc1646e4d1d39362e ]

When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system
receives a CIPSO tagged packet it is dropped (cipso_v4_validate()
returns non-zero).  In most cases this is the correct and desired
behavior, however, in the case where we are simply forwarding the
traffic, e.g. acting as a network bridge, this becomes a problem.

This patch fixes the forwarding problem by providing the basic CIPSO
validation code directly in ip_options_compile() without the need for
the NetLabel or CIPSO code.  The new validation code can not perform
any of the CIPSO option label/value verification that
cipso_v4_validate() does, but it can verify the basic CIPSO option
format.

The behavior when NetLabel is enabled is unchanged.

Signed-off-by: Paul Moore <pmoore at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0440cf6d8187e69ef2eb52db5f7690f1da2a2c1c
      https://github.com/ceph/ceph-client/commit/0440cf6d8187e69ef2eb52db5f7690f1da2a2c1c
  Author: Devendra Naga <devendra.aaru at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/realtek/r8169.c

  Log Message:
  -----------
  r8169: call netif_napi_del at errpaths and at driver unload

[ Upstream commit ad1be8d345416a794dea39761a374032aa471a76 ]

when register_netdev fails, the init'ed NAPIs by netif_napi_add must be
deleted with netif_napi_del, and also when driver unloads, it should
delete the NAPI before unregistering netdevice using unregister_netdev.

Signed-off-by: Devendra Naga <devendra.aaru at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f375a27c17c033dc9503b12b8379055fd59110ba
      https://github.com/ceph/ceph-client/commit/f375a27c17c033dc9503b12b8379055fd59110ba
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/core/drop_monitor.c

  Log Message:
  -----------
  drop_monitor: dont sleep in atomic context

[ Upstream commit bec4596b4e6770c7037f21f6bd27567b152dc0d6 ]

drop_monitor calls several sleeping functions while in atomic context.

 BUG: sleeping function called from invalid context at mm/slub.c:943
 in_atomic(): 1, irqs_disabled(): 0, pid: 2103, name: kworker/0:2
 Pid: 2103, comm: kworker/0:2 Not tainted 3.5.0-rc1+ #55
 Call Trace:
  [<ffffffff810697ca>] __might_sleep+0xca/0xf0
  [<ffffffff811345a3>] kmem_cache_alloc_node+0x1b3/0x1c0
  [<ffffffff8105578c>] ? queue_delayed_work_on+0x11c/0x130
  [<ffffffff815343fb>] __alloc_skb+0x4b/0x230
  [<ffffffffa00b0360>] ? reset_per_cpu_data+0x160/0x160 [drop_monitor]
  [<ffffffffa00b022f>] reset_per_cpu_data+0x2f/0x160 [drop_monitor]
  [<ffffffffa00b03ab>] send_dm_alert+0x4b/0xb0 [drop_monitor]
  [<ffffffff810568e0>] process_one_work+0x130/0x4c0
  [<ffffffff81058249>] worker_thread+0x159/0x360
  [<ffffffff810580f0>] ? manage_workers.isra.27+0x240/0x240
  [<ffffffff8105d403>] kthread+0x93/0xa0
  [<ffffffff816be6d4>] kernel_thread_helper+0x4/0x10
  [<ffffffff8105d370>] ? kthread_freezable_should_stop+0x80/0x80
  [<ffffffff816be6d0>] ? gs_change+0xb/0xb

Rework the logic to call the sleeping functions in right context.

Use standard timer/workqueue api to let system chose any cpu to perform
the allocation and netlink send.

Also avoid a loop if reset_per_cpu_data() cannot allocate memory :
use mod_timer() to wait 1/10 second before next try.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Neil Horman <nhorman at tuxdriver.com>
Reviewed-by: Neil Horman <nhorman at tuxdriver.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 89a5feb2d59123824c344665c09328bb9fdb4fe9
      https://github.com/ceph/ceph-client/commit/89a5feb2d59123824c344665c09328bb9fdb4fe9
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/net/inetpeer.h
    M net/ipv4/inetpeer.c

  Log Message:
  -----------
  inetpeer: fix a race in inetpeer_gc_worker()

[ Upstream commit 55432d2b543a4b6dfae54f5c432a566877a85d90 ]

commit 5faa5df1fa2024 (inetpeer: Invalidate the inetpeer tree along with
the routing cache) added a race :

Before freeing an inetpeer, we must respect a RCU grace period, and make
sure no user will attempt to increase refcnt.

inetpeer_invalidate_tree() waits for a RCU grace period before inserting
inetpeer tree into gc_list and waking the worker. At that time, no
concurrent lookup can find a inetpeer in this tree.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Steffen Klassert <steffen.klassert at secunet.com>
Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b133be60ddab3b700ec1e516cc6ec5aac20770e0
      https://github.com/ceph/ceph-client/commit/b133be60ddab3b700ec1e516cc6ec5aac20770e0
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/l2tp/l2tp_eth.c

  Log Message:
  -----------
  net: l2tp_eth: fix kernel panic on rmmod l2tp_eth

[ Upstream commit a06998b88b1651c5f71c0e35f528bf2057188ead ]

We must prevent module unloading if some devices are still attached to
l2tp_eth driver.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: Denys Fedoryshchenko <denys at visp.net.lb>
Tested-by: Denys Fedoryshchenko <denys at visp.net.lb>
Cc: James Chapman <jchapman at katalix.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4ffa79bd261281152345b55d77da1709d1afdf3c
      https://github.com/ceph/ceph-client/commit/4ffa79bd261281152345b55d77da1709d1afdf3c
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/l2tp/l2tp_ip.c

  Log Message:
  -----------
  l2tp: fix a race in l2tp_ip_sendmsg()

[ Upstream commit 4399a4df98a63e30fd16e9d0cecc46ea92269e8f ]

Commit 081b1b1bb27f (l2tp: fix l2tp_ip_sendmsg() route handling) added
a race, in case IP route cache is disabled.

In this case, we should not do the dst_release(&rt->dst), since it'll
free the dst immediately, instead of waiting a RCU grace period.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: James Chapman <jchapman at katalix.com>
Cc: Denys Fedoryshchenko <denys at visp.net.lb>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 1a36f94f6a9906d389787c259f86f13fc48c82a6
      https://github.com/ceph/ceph-client/commit/1a36f94f6a9906d389787c259f86f13fc48c82a6
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/nxp/lpc_eth.c

  Log Message:
  -----------
  lpc_eth: add missing ndo_change_mtu()

[ Upstream commit e30478598a8476d02e3b00caa89ce1a3b1dad54b ]

lpc_eth does a copy of transmitted skbs to DMA area, without checking
skb lengths, so can trigger buffer overflows :

memcpy(pldat->tx_buff_v + txidx * ENET_MAXF_SIZE, skb->data, len);

One way to get bigger skbs is to allow MTU changes above the 1500 limit.

Calling eth_change_mtu() in ndo_change_mtu() makes sure this cannot
happen.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Roland Stigge <stigge at antcom.de>
Cc: Kevin Wells <kevin.wells at nxp.com>
Acked-by: Roland Stigge <stigge at antcom.de>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 3d5f5b08fa79068f567534166fb88ccebcb7c6d4
      https://github.com/ceph/ceph-client/commit/3d5f5b08fa79068f567534166fb88ccebcb7c6d4
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/nxp/lpc_eth.c

  Log Message:
  -----------
  lpc_eth: fix tx completion

[ Upstream commit 3f16da51b0e533871d22a29682f3c3969d4f7e22 ]

__lpc_handle_xmit() has two bugs :

1) It can leak skbs in case TXSTATUS_ERROR is set

2) It can wake up txqueue while no slot was freed.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: Roland Stigge <stigge at antcom.de>
Tested-by: Roland Stigge <stigge at antcom.de>
Cc: Kevin Wells <kevin.wells at nxp.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 217fc833225f3a2ba55eabd3916bfbef38185cd1
      https://github.com/ceph/ceph-client/commit/217fc833225f3a2ba55eabd3916bfbef38185cd1
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/core/neighbour.c

  Log Message:
  -----------
  net: neighbour: fix neigh_dump_info()

[ Upstream commit 4bd6683bd400c8b1d2ad544bb155d86a5d10f91c ]

Denys found out "ip neigh" output was truncated to
about 54 neighbours.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: Denys Fedoryshchenko <denys at visp.net.lb>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8ec2c824f3773dcc31316535acd8c725c22a7341
      https://github.com/ceph/ceph-client/commit/8ec2c824f3773dcc31316535acd8c725c22a7341
  Author: Thomas Graf <tgraf at suug.ch>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/ipv6/ip6_fib.c

  Log Message:
  -----------
  ipv6: fib: Restore NTF_ROUTER exception in fib6_age()

[ Upstream commit 8bd74516b1bd9308c17f67583134d93f777203ca ]

Commit 5339ab8b1dd82 (ipv6: fib: Convert fib6_age() to
dst_neigh_lookup().) seems to have mistakenly inverted the
exception for cached NTF_ROUTER routes.

Signed-off-by: Thomas Graf <tgraf at suug.ch>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f9909f77764c6e7d9f6067ac58bf3f68a02ed266
      https://github.com/ceph/ceph-client/commit/f9909f77764c6e7d9f6067ac58bf3f68a02ed266
  Author: Thomas Graf <tgraf at suug.ch>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/ipv6/route.c

  Log Message:
  -----------
  ipv6: Move ipv6 proc file registration to end of init order

[ Upstream commit d189634ecab947c10f6f832258b103d0bbfe73cc ]

/proc/net/ipv6_route reflects the contents of fib_table_hash. The proc
handler is installed in ip6_route_net_init() whereas fib_table_hash is
allocated in fib6_net_init() _after_ the proc handler has been installed.

This opens up a short time frame to access fib_table_hash with its pants
down.

Move the registration of the proc files to a later point in the init
order to avoid the race.

Tested :-)

Signed-off-by: Thomas Graf <tgraf at suug.ch>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 019984b4454af824ff1c23aa6f53010b54b5c683
      https://github.com/ceph/ceph-client/commit/019984b4454af824ff1c23aa6f53010b54b5c683
  Author: stephen hemminger <shemminger at vyatta.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/marvell/sky2.c

  Log Message:
  -----------
  sky2: fix checksum bit management on some chips

[ Upstream commit 5ff0feac88ced864f44adb145142269196fa79d9 ]

The newer flavors of Yukon II use a different method for receive
checksum offload. This is indicated in the driver by the SKY2_HW_NEW_LE
flag. On these newer chips, the BMU_ENA_RX_CHKSUM should not be set.

The driver would get incorrectly toggle the bit, enabling the old
checksum logic on these chips and cause a BUG_ON() assertion. If
receive checksum was toggled via ethtool.

Reported-by: Kirill Smelkov <kirr at mns.spb.ru>
Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 43d950abdab622bf97d0a0c233809f88a3eb6240
      https://github.com/ceph/ceph-client/commit/43d950abdab622bf97d0a0c233809f88a3eb6240
  Author: David S. Miller <davem at davemloft.net>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/sun/niu.c

  Log Message:
  -----------
  Revert "niu: Add support for byte queue limits."

[ Upstream commit 6a2b28ef036ab5c66fdc606fe97d9e5cb34ea409 ]

This reverts commit efa230f2c68abab817f13473077f8d0cc74f43f3.

BQL doesn't work with how this driver currently only takes TX
interrupts every 1/4 of the TX ring.  That behavior needs to be fixed,
but that's a larger non-trivial task and for now we have to revert
BQL support as this makes the device currently completely unusable.

Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a459fdd31c96993f6fcee4879eb20bc1e7bac2ed
      https://github.com/ceph/ceph-client/commit/a459fdd31c96993f6fcee4879eb20bc1e7bac2ed
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/emulex/benet/be_main.c

  Log Message:
  -----------
  be2net: fix a race in be_xmit()

[ Upstream commit cd8f76c0a0c6fce0b2cf23c9bd0123f91453f46d ]

As soon as hardware is notified of a transmit, we no longer can assume
skb can be dereferenced, as TX completion might have freed the packet.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Sathya Perla <sathya.perla at emulex.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 09838df9d2ff31252a69a8393ea96a9734eba7e8
      https://github.com/ceph/ceph-client/commit/09838df9d2ff31252a69a8393ea96a9734eba7e8
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/dummy.c

  Log Message:
  -----------
  dummy: fix rcu_sched self-detected stalls

[ Upstream commit 16b0dc29c1af9df341428f4c49ada4f626258082 ]

Trying to "modprobe dummy numdummies=30000" triggers :

INFO: rcu_sched self-detected stall on CPU { 8} (t=60000 jiffies)

After this splat, RTNL is locked and reboot is needed.

We must call cond_resched() to avoid this, even holding RTNL.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c51c618955c052c1d34de9b325bb49a375e874a0
      https://github.com/ceph/ceph-client/commit/c51c618955c052c1d34de9b325bb49a375e874a0
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/bonding/bond_main.c
    M include/net/sch_generic.h

  Log Message:
  -----------
  bonding: Fix corrupted queue_mapping

[ Upstream commit 5ee31c6898ea5537fcea160999d60dc63bc0c305 ]

In the transmit path of the bonding driver, skb->cb is used to
stash the skb->queue_mapping so that the bonding device can set its
own queue mapping.  This value becomes corrupted since the skb->cb is
also used in __dev_xmit_skb.

When transmitting through bonding driver, bond_select_queue is
called from dev_queue_xmit.  In bond_select_queue the original
skb->queue_mapping is copied into skb->cb (via bond_queue_mapping)
and skb->queue_mapping is overwritten with the bond driver queue.

Subsequently in dev_queue_xmit, __dev_xmit_skb is called which writes
the packet length into skb->cb, thereby overwriting the stashed
queue mappping.  In bond_dev_queue_xmit (called from hard_start_xmit),
the queue mapping for the skb is set to the stashed value which is now
the skb length and hence is an invalid queue for the slave device.

If we want to save skb->queue_mapping into skb->cb[], best place is to
add a field in struct qdisc_skb_cb, to make sure it wont conflict with
other layers (eg : Qdiscc, Infiniband...)

This patchs also makes sure (struct qdisc_skb_cb)->data is aligned on 8
bytes :

netem qdisc for example assumes it can store an u64 in it, without
misalignment penalty.

Note : we only have 20 bytes left in (struct qdisc_skb_cb)->data[].
The largest user is CHOKe and it fills it.

Based on a previous patch from Tom Herbert.

Signed-off-by: Eric Dumazet <edumazet at google.com>
Reported-by: Tom Herbert <therbert at google.com>
Cc: John Fastabend <john.r.fastabend at intel.com>
Cc: Roland Dreier <roland at kernel.org>
Acked-by: Neil Horman <nhorman at tuxdriver.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: da7de70e5098b7b01c17ea8ac46086ac9154576e
      https://github.com/ceph/ceph-client/commit/da7de70e5098b7b01c17ea8ac46086ac9154576e
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/core/netpoll.c

  Log Message:
  -----------
  netpoll: fix netpoll_send_udp() bugs

[ Upstream commit 954fba0274058d27c7c07b5ea07c41b3b7477894 ]

Bogdan Hamciuc diagnosed and fixed following bug in netpoll_send_udp() :

"skb->len += len;" instead of "skb_put(skb, len);"

Meaning that _if_ a network driver needs to call skb_realloc_headroom(),
only packet headers would be copied, leaving garbage in the payload.

However the skb_realloc_headroom() must be avoided as much as possible
since it requires memory and netpoll tries hard to work even if memory
is exhausted (using a pool of preallocated skbs)

It appears netpoll_send_udp() reserved 16 bytes for the ethernet header,
which happens to work for typicall drivers but not all.

Right thing is to use LL_RESERVED_SPACE(dev)
(And also add dev->needed_tailroom of tailroom)

This patch combines both fixes.

Many thanks to Bogdan for raising this issue.

Reported-by: Bogdan Hamciuc <bogdan.hamciuc at freescale.com>
Signed-off-by: Eric Dumazet <edumazet at google.com>
Tested-by: Bogdan Hamciuc <bogdan.hamciuc at freescale.com>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Cc: Neil Horman <nhorman at tuxdriver.com>
Reviewed-by: Neil Horman <nhorman at tuxdriver.com>
Reviewed-by: Cong Wang <xiyou.wangcong at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 9bfb2101d5f2dffbfcc9d15c57c56459ca61c967
      https://github.com/ceph/ceph-client/commit/9bfb2101d5f2dffbfcc9d15c57c56459ca61c967
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
    M drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c

  Log Message:
  -----------
  bnx2x: fix checksum validation

[ Upstream commit d6cb3e41386f20fb0777d0b59a2def82c65d37f7 ]

bnx2x driver incorrectly sets ip_summed to CHECKSUM_UNNECESSARY on
encapsulated segments. TCP stack happily accepts frames with bad
checksums, if they are inside a GRE or IPIP encapsulation.

Our understanding is that if no IP or L4 csum validation was done by the
hardware, we should leave ip_summed as is (CHECKSUM_NONE), since
hardware doesn't provide CHECKSUM_COMPLETE support in its cqe.

Then, if IP/L4 checksumming was done by the hardware, set
CHECKSUM_UNNECESSARY if no error was flagged.

Patch based on findings and analysis from Robert Evans

Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Eilon Greenstein <eilong at broadcom.com>
Cc: Yaniv Rosner <yanivr at broadcom.com>
Cc: Merav Sicron <meravs at broadcom.com>
Cc: Tom Herbert <therbert at google.com>
Cc: Robert Evans <evansr at google.com>
Cc: Willem de Bruijn <willemb at google.com>
Acked-by: Eilon Greenstein <eilong at broadcom.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8f530e3bc3af125ac013732b5c54a3af2ad791a2
      https://github.com/ceph/ceph-client/commit/8f530e3bc3af125ac013732b5c54a3af2ad791a2
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c

  Log Message:
  -----------
  bnx2x: fix panic when TX ring is full

[ Upstream commit bc14786a100cc6a81cd060e8031ec481241b418c ]

There is a off by one error in the minimal number of BD in
bnx2x_start_xmit() and bnx2x_tx_int() before stopping/resuming tx queue.

A full size GSO packet, with data included in skb->head really needs
(MAX_SKB_FRAGS + 4) BDs, because of bnx2x_tx_split()

This error triggers if BQL is disabled and heavy TCP transmit traffic
occurs.

bnx2x_tx_split() definitely can be called, remove a wrong comment.

Reported-by: Tomas Hruby <thruby at google.com>
Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Eilon Greenstein <eilong at broadcom.com>
Cc: Yaniv Rosner <yanivr at broadcom.com>
Cc: Merav Sicron <meravs at broadcom.com>
Cc: Tom Herbert <therbert at google.com>
Cc: Robert Evans <evansr at google.com>
Cc: Willem de Bruijn <willemb at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 993772c70fda9d05299fc3a8ed9d1cba268870f1
      https://github.com/ceph/ceph-client/commit/993772c70fda9d05299fc3a8ed9d1cba268870f1
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/linux/skbuff.h
    M net/can/raw.c
    M net/core/dev.c
    M net/iucv/af_iucv.c

  Log Message:
  -----------
  net: remove skb_orphan_try()

[ Upstream commit 62b1a8ab9b3660bb820d8dfe23148ed6cda38574 ]

Orphaning skb in dev_hard_start_xmit() makes bonding behavior
unfriendly for applications sending big UDP bursts : Once packets
pass the bonding device and come to real device, they might hit a full
qdisc and be dropped. Without orphaning, the sender is automatically
throttled because sk->sk_wmemalloc reaches sk->sk_sndbuf (assuming
sk_sndbuf is not too big)

We could try to defer the orphaning adding another test in
dev_hard_start_xmit(), but all this seems of little gain,
now that BQL tends to make packets more likely to be parked
in Qdisc queues instead of NIC TX ring, in cases where performance
matters.

Reverts commits :
fc6055a5ba31 net: Introduce skb_orphan_try()
87fd308cfc6b net: skb_tx_hash() fix relative to skb_orphan_try()
and removes SKBTX_DRV_NEEDS_SK_REF flag

Reported-and-bisected-by: Jean-Michel Hautbois <jhautbois at gmail.com>
Signed-off-by: Eric Dumazet <edumazet at google.com>
Tested-by: Oliver Hartkopp <socketcan at hartkopp.net>
Acked-by: Oliver Hartkopp <socketcan at hartkopp.net>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f7153a449ce35459169a790ba6cce8830c116894
      https://github.com/ceph/ceph-client/commit/f7153a449ce35459169a790ba6cce8830c116894
  Author: stephen hemminger <shemminger at vyatta.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/bridge/br_if.c
    M net/bridge/br_netlink.c
    M net/bridge/br_private.h

  Log Message:
  -----------
  bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2)

[ Upstream commit 149ddd83a92b02c658d6c61f3276eb6500d585e8 ]

This ensures that bridges created with brctl(8) or ioctl(2) directly
also carry IFLA_LINKINFO when dumped over netlink. This also allows
to create a bridge with ioctl(2) and delete it with RTM_DELLINK.

Signed-off-by: Thomas Graf <tgraf at suug.ch>
Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 3cc270f7fcd34b08d37ed51fb4c25b0f513f2e65
      https://github.com/ceph/ceph-client/commit/3cc270f7fcd34b08d37ed51fb4c25b0f513f2e65
  Author: Ian Campbell <Ian.Campbell at citrix.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/xen-netfront.c

  Log Message:
  -----------
  xen/netfront: teardown the device before unregistering it.

[ Upstream commit 6bc96d047fe32d76ef79f3195c52a542edf7c705 ]

Fixes:
[   15.470311] WARNING: at /local/scratch/ianc/devel/kernels/linux/fs/sysfs/file.c:498 sysfs_attr_ns+0x95/0xa0()
[   15.470326] sysfs: kobject eth0 without dirent
[   15.470333] Modules linked in:
[   15.470342] Pid: 12, comm: xenwatch Not tainted 3.4.0-x86_32p-xenU #93
and
[    9.150554] BUG: unable to handle kernel paging request at 2b359000
[    9.150577] IP: [<c1279561>] linkwatch_do_dev+0x81/0xc0
[    9.150592] *pdpt = 000000002c3c9027 *pde = 0000000000000000
[    9.150604] Oops: 0002 [#1] SMP
[    9.150613] Modules linked in:

This is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675190

Reported-by: George Shuklin <george.shuklin at gmail.com>
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
Tested-by: William Dauchy <wdauchy at gmail.com>
Cc: stable at kernel.org
Cc: 675190 at bugs.debian.org
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: d3ae4a87530c1e10c0705995c87fe8a7b4267f4b
      https://github.com/ceph/ceph-client/commit/d3ae4a87530c1e10c0705995c87fe8a7b4267f4b
  Author: Pravin B Shelar <pshelar at nicira.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/linux/mm_types.h

  Log Message:
  -----------
  mm: fix slab->page _count corruption when using slub

commit abca7c4965845924f65d40e0aa1092bdd895e314 upstream.

On arches that do not support this_cpu_cmpxchg_double() slab_lock is used
to do atomic cmpxchg() on double word which contains page->_count.  The
page count can be changed from get_page() or put_page() without taking
slab_lock.  That corrupts page counter.

Fix it by moving page->_count out of cmpxchg_double data.  So that slub
does no change it while updating slub meta-data in struct page.

[akpm at linux-foundation.org: use standard comment layout, tweak comment text]
Reported-by: Amey Bhide <abhide at nicira.com>
Signed-off-by: Pravin B Shelar <pshelar at nicira.com>
Acked-by: Christoph Lameter <cl at linux.com>
Cc: Pekka Enberg <penberg at cs.helsinki.fi>
Cc: Andrea Arcangeli <aarcange at redhat.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6ef0d09aaa123dfba91f3261c78827c4d85e786a
      https://github.com/ceph/ceph-client/commit/6ef0d09aaa123dfba91f3261c78827c4d85e786a
  Author: Benjamin Herrenschmidt <benh at kernel.crashing.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/include/asm/hw_irq.h
    M arch/powerpc/kernel/irq.c
    M arch/powerpc/platforms/cell/pervasive.c
    M arch/powerpc/platforms/pseries/processor_idle.c

  Log Message:
  -----------
  powerpc: More fixes for lazy IRQ vs. idle

commit be2cf20a5ad31ebb13562c1c866ecc626fbd721e upstream.

Looks like we still have issues with pSeries and Cell idle code
vs. the lazy irq state. In fact, the reset fixes that went upstream
are exposing the problem more by causing BUG_ON() to trigger (which
this patch turns into a WARN_ON instead).

We need to be careful when using a variant of low power state that
has the side effect of turning interrupts back on, to properly set
all the SW & lazy state to look as if everything is enabled before
we enter the low power state with MSR:EE off as we will return with
MSR:EE on. If not, we have a discrepancy of state which can cause
things to go very wrong later on.

This patch moves the logic into a helper and uses it from the
pseries and cell idle code. The power4/970 idle code already got
things right (in assembly even !) so I'm not touching it. The power7
"bare metal" idle code is subtly different and correct. Remains PA6T
and some hypervisor based Cell platforms which have questionable
code in there, but they are mostly dead platforms so I'll fix them
when I manage to get final answers from the respective maintainers
about how the low power state actually works on them.

Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: dd3ce2fa647d42d524392d5e6a0647061fc64c67
      https://github.com/ceph/ceph-client/commit/dd3ce2fa647d42d524392d5e6a0647061fc64c67
  Author: Benjamin Herrenschmidt <benh at kernel.crashing.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/powerpc/include/asm/hw_irq.h
    M arch/powerpc/kernel/irq.c

  Log Message:
  -----------
  powerpc: Fix build of some debug irq code

commit 21b2de341270bd7bb7a811027ffe63276d9b3b75 upstream.

There was a typo, checking for CONFIG_TRACE_IRQFLAG instead of
CONFIG_TRACE_IRQFLAGS causing some useful debug code to not be
built

This in turns causes a build error on BookE 64-bit due to incorrect
semicolons at the end of a couple of macros, so let's fix that too

Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: ee0b2dd6344911d7769f9fd638d30f45e66b8410
      https://github.com/ceph/ceph-client/commit/ee0b2dd6344911d7769f9fd638d30f45e66b8410
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/nfc/rawsock.c

  Log Message:
  -----------
  NFC: Return from rawsock_release when sk is NULL

commit 03e934f620101ca2cfc9383bd76172dd3e1f8567 upstream.

Sasha Levin reported following panic :

[ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at
00000000000003b0
[ 2136.384022] IP: [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
[ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0
[ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 2136.388106] CPU 1
[ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G        W
3.5.0-rc2-sasha-00015-g7b268f7 #374
[ 2136.388106] RIP: 0010:[<ffffffff8114e400>]  [<ffffffff8114e400>]
__lock_acquire+0xc0/0x4b0
[ 2136.388106] RSP: 0018:ffff8800130b3ca8  EFLAGS: 00010046
[ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX:
0000000000000000
[ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09:
0000000000000000
[ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12:
0000000000000002
[ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15:
0000000000000000
[ 2136.388106] FS:  00007fa5b1bd4700(0000) GS:ffff88001b800000(0000)
knlGS:0000000000000000
[ 2136.388106] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4:
00000000000406e0
[ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo
ffff8800130b2000, task ffff88001186b000)
[ 2136.388106] Stack:
[ 2136.388106]  ffff8800130b3cd8 ffffffff81121785 ffffffff81236774
000080d000000001
[ 2136.388106]  ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08
ffff88001186b000
[ 2136.388106]  0000000000000000 0000000000000002 0000000000000000
0000000000000000
[ 2136.388106] Call Trace:
[ 2136.388106]  [<ffffffff81121785>] ? sched_clock_local+0x25/0x90
[ 2136.388106]  [<ffffffff81236774>] ? get_empty_filp+0x74/0x220
[ 2136.388106]  [<ffffffff8114e97a>] lock_acquire+0x18a/0x1e0
[ 2136.388106]  [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
[ 2136.388106]  [<ffffffff837c0ef0>] _raw_write_lock_bh+0x40/0x80
[ 2136.388106]  [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
[ 2136.388106]  [<ffffffff836b37df>] rawsock_release+0x4f/0xa0
[ 2136.388106]  [<ffffffff8321cfe8>] sock_release+0x18/0x70
[ 2136.388106]  [<ffffffff8321d069>] sock_close+0x29/0x30
[ 2136.388106]  [<ffffffff81236bca>] __fput+0x11a/0x2c0
[ 2136.388106]  [<ffffffff81236d85>] fput+0x15/0x20
[ 2136.388106]  [<ffffffff8321de34>] sys_accept4+0x1b4/0x200
[ 2136.388106]  [<ffffffff837c165c>] ? _raw_spin_unlock_irq+0x4c/0x80
[ 2136.388106]  [<ffffffff837c1669>] ? _raw_spin_unlock_irq+0x59/0x80
[ 2136.388106]  [<ffffffff837c2565>] ? sysret_check+0x22/0x5d
[ 2136.388106]  [<ffffffff8321de8b>] sys_accept+0xb/0x10
[ 2136.388106]  [<ffffffff837c2539>] system_call_fastpath+0x16/0x1b
[ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7
8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00
00 00 <49> 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77
[ 2136.388106] RIP  [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
[ 2136.388106]  RSP <ffff8800130b3ca8>
[ 2136.388106] CR2: 00000000000003b0
[ 2136.388106] ---[ end trace 6d450e935ee18982 ]---
[ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt

rawsock_release() should test if sock->sk is NULL before calling
sock_orphan()/sock_put()

Reported-by: Sasha Levin <levinsasha928 at gmail.com>
Tested-by: Sasha Levin <levinsasha928 at gmail.com>
Signed-off-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: Samuel Ortiz <sameo at linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6ee6b4d65c65a006b54b2f8f0aee405b1e01e2b2
      https://github.com/ceph/ceph-client/commit/6ee6b4d65c65a006b54b2f8f0aee405b1e01e2b2
  Author: Dan Rosenberg <dan.j.rosenberg at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/nfc/nci/ntf.c

  Log Message:
  -----------
  NFC: Prevent multiple buffer overflows in NCI

commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.

Fix multiple remotely-exploitable stack-based buffer overflows due to
the NCI code pulling length fields directly from incoming frames and
copying too much data into statically-sized arrays.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
Cc: security at kernel.org
Cc: Lauro Ramos Venancio <lauro.venancio at openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida at openbossa.org>
Cc: Samuel Ortiz <sameo at linux.intel.com>
Cc: David S. Miller <davem at davemloft.net>
Acked-by: Ilan Elias <ilane at ti.com>
Signed-off-by: Samuel Ortiz <sameo at linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 684f49c63edb17b18b8ffc84495e0b0aacc8f4ad
      https://github.com/ceph/ceph-client/commit/684f49c63edb17b18b8ffc84495e0b0aacc8f4ad
  Author: Henrik Rydberg <rydberg at euromail.se>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/hwmon/applesmc.c

  Log Message:
  -----------
  hwmon: (applesmc) Limit key length in warning messages

commit ac852edb47b15900886ba2564eeeb13b3b526e3e upstream.

Key lookups may call read_smc() with a fixed-length key string,
and if the lookup fails, trailing stack content may appear in the
kernel log. Fixed with this patch.

Signed-off-by: Henrik Rydberg <rydberg at euromail.se>
Signed-off-by: Guenter Roeck <linux at roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a4ab3b05fe0320bad00a1ba320d6fd4b9cd29643
      https://github.com/ceph/ceph-client/commit/a4ab3b05fe0320bad00a1ba320d6fd4b9cd29643
  Author: Lubomir Schmidt <gentoo.lubomir at googlemail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/staging/rtl8712/usb_intf.c

  Log Message:
  -----------
  staging: r8712u: Add new USB IDs

commit 3026b0e942c65c65c8fc80d391d004228b52b916 upstream.

There are two new devices for this driver.

Signed-off-by: Larry Finger <Larry.Finger at lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 615fb8b018599cfe16b466b1a1c98cf1c3ecaf0e
      https://github.com/ceph/ceph-client/commit/615fb8b018599cfe16b466b1a1c98cf1c3ecaf0e
  Author: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/nilfs2/gcinode.c
    M fs/nilfs2/segment.c

  Log Message:
  -----------
  nilfs2: ensure proper cache clearing for gc-inodes

commit fbb24a3a915f105016f1c828476be11aceac8504 upstream.

A gc-inode is a pseudo inode used to buffer the blocks to be moved by
garbage collection.

Block caches of gc-inodes must be cleared every time a garbage collection
function (nilfs_clean_segments) completes.  Otherwise, stale blocks
buffered in the caches may be wrongly reused in successive calls of the GC
function.

For user files, this is not a problem because their gc-inodes are
distinguished by a checkpoint number as well as an inode number.  They
never buffer different blocks if either an inode number, a checkpoint
number, or a block offset differs.

However, gc-inodes of sufile, cpfile and DAT file can store different data
for the same block offset.  Thus, the nilfs_clean_segments function can
move incorrect block for these meta-data files if an old block is cached.
I found this is really causing meta-data corruption in nilfs.

This fixes the issue by ensuring cache clear of gc-inodes and resolves
reported GC problems including checkpoint file corruption, b-tree
corruption, and the following warning during GC.

  nilfs_palloc_freev: entry number 307234 already freed.
  ...

Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 132a45d8bdc699d831dcc51cfd4db7238d183b42
      https://github.com/ceph/ceph-client/commit/132a45d8bdc699d831dcc51cfd4db7238d183b42
  Author: Jan Kara <jack at suse.cz>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/udf/super.c

  Log Message:
  -----------
  udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()

commit cb14d340ef1737c24125dd663eff77734a482d47 upstream.

Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b3b9f9cd546c4b3d72b0a95ba4ca29c840fce28e
      https://github.com/ceph/ceph-client/commit/b3b9f9cd546c4b3d72b0a95ba4ca29c840fce28e
  Author: Jan Kara <jack at suse.cz>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/udf/super.c

  Log Message:
  -----------
  udf: Avoid run away loop when partition table length is corrupted

commit adee11b2085bee90bd8f4f52123ffb07882d6256 upstream.

Check provided length of partition table so that (possibly maliciously)
corrupted partition table cannot cause accessing data beyond current buffer.

Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4836ee563d65bb492f907cbe267a5761b9693e4d
      https://github.com/ceph/ceph-client/commit/4836ee563d65bb492f907cbe267a5761b9693e4d
  Author: Jan Kara <jack at suse.cz>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/udf/super.c

  Log Message:
  -----------
  udf: Fortify loading of sparing table

commit 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 upstream.

Add sanity checks when loading sparing table from disk to avoid accessing
unallocated memory or writing to it.

Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7b9f477f5188e237f52c8a1243fd55615c63064f
      https://github.com/ceph/ceph-client/commit/7b9f477f5188e237f52c8a1243fd55615c63064f
  Author: Shuah Khan <shuah.khan at hp.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/iommu/amd_iommu_init.c

  Log Message:
  -----------
  iommu/amd: Fix missing iommu_shutdown initialization in passthrough mode

commit f2f12b6fc032c7b1419fd6db84e2868b5f05a878 upstream.

The iommu_shutdown callback is not initialized when the AMD
IOMMU driver runs in passthrough mode. Fix that by moving
the callback initialization before the check for
passthrough mode.

Signed-off-by: Shuah Khan <shuah.khan at hp.com>
Signed-off-by: Joerg Roedel <joerg.roedel at amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b9e619e35c808f11f2da804c2fac1f2031e1cafd
      https://github.com/ceph/ceph-client/commit/b9e619e35c808f11f2da804c2fac1f2031e1cafd
  Author: Joerg Roedel <joerg.roedel at amd.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/iommu/amd_iommu.c

  Log Message:
  -----------
  iommu/amd: Initialize dma_ops for hotplug and sriov devices

commit ac1534a55d1e87d59a21c09c570605933b551480 upstream.

When a device is added to the system at runtime the AMD
IOMMU driver initializes the necessary data structures to
handle translation for it. But it forgets to change the
per-device dma_ops to point to the AMD IOMMU driver. So
mapping actually never happens and all DMA accesses end in
an IO_PAGE_FAULT. Fix this.

Reported-by: Stefan Assmann <sassmann at redhat.com>
Signed-off-by: Joerg Roedel <joerg.roedel at amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4ce16269215ffaad3d480425bc74bf632956151e
      https://github.com/ceph/ceph-client/commit/4ce16269215ffaad3d480425bc74bf632956151e
  Author: Hiroshi DOYU <hdoyu at nvidia.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/iommu/tegra-smmu.c

  Log Message:
  -----------
  iommu/tegra: smmu: Fix unsleepable memory allocation

commit 8f53dc724a83a0082184fa27df80c25c7df47340 upstream.

allo_pdir() is called in smmu_iommu_domain_init() with spin_lock
held. memory allocations in it have to be atomic/unsleepable.

Signed-off-by: Hiroshi DOYU <hdoyu at nvidia.com>
Reported-by: Chris Wright <chrisw at sous-sol.org>
Acked-by: Chris Wright <chrisw at sous-sol.org>
Signed-off-by: Joerg Roedel <joerg.roedel at amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 735129c4609e98fd149cddda50b823e43bab0677
      https://github.com/ceph/ceph-client/commit/735129c4609e98fd149cddda50b823e43bab0677
  Author: Ohad Ben-Cohen <ohad at wizery.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/rpmsg/virtio_rpmsg_bus.c
    M include/linux/rpmsg.h

  Log Message:
  -----------
  rpmsg: avoid premature deallocation of endpoints

commit 5a081caa0414b9bbb82c17ffab9d6fe66edbb72f upstream.

When an inbound message arrives, the rpmsg core looks up its
associated endpoint and invokes the registered callback.

If a message arrives while its endpoint is being removed (because
the rpmsg driver was removed, or a recovery of a remote processor
has kicked in) we must ensure atomicity, i.e.:

- Either the ept is removed before it is found

or

- The ept is found but will not be freed until the callback returns

This is achieved by maintaining a per-ept reference count, which,
when drops to zero, will trigger deallocation of the ept.

With this in hand, it is now forbidden to directly deallocate
epts once they have been added to the endpoints idr.

Reported-by: Fernando Guzman Lugo <fernando.lugo at ti.com>
Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0f9c37b38800c35e83f43949d93bffefff5b43af
      https://github.com/ceph/ceph-client/commit/0f9c37b38800c35e83f43949d93bffefff5b43af
  Author: Ohad Ben-Cohen <ohad at wizery.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/rpmsg/virtio_rpmsg_bus.c
    M include/linux/rpmsg.h

  Log Message:
  -----------
  rpmsg: make sure inflight messages don't invoke just-removed callbacks

commit 15fd943af50dbc5f7f4de33835795c72595f7bf4 upstream.

When inbound messages arrive, rpmsg core looks up their associated
endpoint (by destination address) and then invokes their callback.

We've made sure that endpoints will never be de-allocated after they
were found by rpmsg core, but we also need to protect against the
(rare) scenario where the rpmsg driver was just removed, and its
callback function isn't available anymore.

This is achieved by introducing a callback mutex, which must be taken
before the callback is invoked, and, obviously, before it is removed.

Reported-by: Fernando Guzman Lugo <fernando.lugo at ti.com>
Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 9471356d7e58fbc3e1d307d911432261398abb56
      https://github.com/ceph/ceph-client/commit/9471356d7e58fbc3e1d307d911432261398abb56
  Author: Suresh Jayaraman <sjayaraman at suse.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/cifs/connect.c

  Log Message:
  -----------
  cifs: fix parsing of password mount option

commit e73f843a3235a19de38359c91586e9eadef12238 upstream.

The double delimiter check that allows a comma in the password parsing code is
unconditional. We set "tmp_end" to the end of the string and we continue to
check for double delimiter. In the case where the password doesn't contain a
comma we end up setting tmp_end to NULL and eventually setting "options" to
"end". This results in the premature termination of the options string and hence
the values of UNCip and UNC are being set to NULL. This results in mount failure
with "Connecting to DFS root not implemented yet" error.

This error is usually not noticable as we have password as the last option in
the superblock mountdata. But when we call expand_dfs_referral() from
cifs_mount() and try to compose mount options for the submount, the resulting
mountdata will be of the form

   ",ver=1,user=foo,pass=bar,ip=x.x.x.x,unc=\\server\share"

and hence results in the above error. This bug has been seen with older NAS
servers running Samba 3.0.24.

Fix this by moving the double delimiter check inside the conditional loop.

Changes since -v1

   - removed the wrong strlen() micro optimization.

Signed-off-by: Suresh Jayaraman <sjayaraman at suse.com>
Acked-by: Sachin Prabhu <sprabhu at redhat.com>
Signed-off-by: Steve French <sfrench at us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f4367f246e048e7fac50769d1d1447306a984f4e
      https://github.com/ceph/ceph-client/commit/f4367f246e048e7fac50769d1d1447306a984f4e
  Author: Jeff Layton <jlayton at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/cifs/connect.c

  Log Message:
  -----------
  cifs: when server doesn't set CAP_LARGE_READ_X, cap default rsize at MaxBufferSize

commit ec01d738a1691dfc85b96b9f796020267a7be577 upstream.

When the server doesn't advertise CAP_LARGE_READ_X, then MS-CIFS states
that you must cap the size of the read at the client's MaxBufferSize.
Unfortunately, testing with many older servers shows that they often
can't service a read larger than their own MaxBufferSize.

Since we can't assume what the server will do in this situation, we must
be conservative here for the default. When the server can't do large
reads, then assume that it can't satisfy any read larger than its
MaxBufferSize either.

Luckily almost all modern servers can do large reads, so this won't
affect them. This is really just for older win9x and OS/2 era servers.
Also, note that this patch just governs the default rsize. The admin can
always override this if he so chooses.

Reported-by: David H. Durgee <dhdurgee at acm.org>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Signed-off-by: Steven French <sfrench at w500smf.none>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: ad95174b4857549e7b1659f66a29b5151176ade0
      https://github.com/ceph/ceph-client/commit/ad95174b4857549e7b1659f66a29b5151176ade0
  Author: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/main.c

  Log Message:
  -----------
  ath9k: Fix a WARNING on suspend/resume with IBSS

commit 2031b4c2b4904f7448ab9e4bc6b9bf16e32709f5 upstream.

this patch is dependent on the patch "cfg80211: fix interface
combinations"

In ath9k currently we have ADHOC interface as a single incompatible
interface. when drv_add_interface is called during resume we got to
consider number of vifs already present in addition to checking the
drivers 'opmode' information about ADHOC.  we incorrectly assume
an ADHOC interface is already present. Then we may miss some driver
specific data for the ADHOC interface after resume.

The above mentioned checks can be removed from the driver,
as the patch 'cfg80211: fix interface combinations' ensures that
if an interface type is not advertised by the driver in any of the
interface combinations(via ieee80211_iface_combination) then it shall
be treated as a single incompatible interface. Fixes the following
warning on suspend/resume with ibss interface.
   ath: phy0: Cannot create ADHOC interface when other
  interfaces already exist.
  WARNING: at net/mac80211/driver-ops.h:12
  ieee80211_reconfig+0x1882/0x1ca0 [mac80211]()
  Hardware name: 2842RK1
  wlan2:  Failed check-sdata-in-driver check, flags: 0x0
   Call Trace:
  [<c01361b2>] warn_slowpath_common+0x72/0xa0
  [<f8aaa7c2>] ? ieee80211_reconfig+0x1882/0x1ca0
  [mac80211]
  [<f8aaa7c2>] ? ieee80211_reconfig+0x1882/0x1ca0
  [mac80211]
  [<c0136283>] warn_slowpath_fmt+0x33/0x40
  [<f8aaa7c2>] ieee80211_reconfig+0x1882/0x1ca0 [mac80211]
  [<c06c1d1a>] ? mutex_lock_nested+0x23a/0x2f0
  [<f8a95097>] ieee80211_resume+0x27/0x70 [mac80211]
  [<fd177edf>] wiphy_resume+0x8f/0xa0 [cfg80211]

Cc: Rajkumar Manoharan <rmanohar at qca.qualcomm.com>
Signed-off-by: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: e0d1c1de5638a4fffbc9d5d9f141c434531dc3b9
      https://github.com/ceph/ceph-client/commit/e0d1c1de5638a4fffbc9d5d9f141c434531dc3b9
  Author: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/main.c

  Log Message:
  -----------
  ath9k: Fix softlockup in AR9485

commit bcb7ad7bcbef030e6ba71ede1f9866368aca7c99 upstream.

steps to recreate:
load latest ath9k driver with AR9485
stop the network-manager and wpa_supplicant
bring the interface up

	Call Trace:
	[<ffffffffa0517490>] ? ath_hw_check+0xe0/0xe0 [ath9k]
	[<ffffffff812cd1e8>] __const_udelay+0x28/0x30
	[<ffffffffa03bae7a>] ar9003_get_pll_sqsum_dvc+0x4a/0x80 [ath9k_hw]
	[<ffffffffa05174eb>] ath_hw_pll_work+0x5b/0xe0 [ath9k]
	[<ffffffff810744fe>] process_one_work+0x11e/0x470
	[<ffffffff8107530f>] worker_thread+0x15f/0x360
	[<ffffffff810751b0>] ? manage_workers+0x230/0x230
	[<ffffffff81079af3>] kthread+0x93/0xa0
	[<ffffffff815fd3a4>] kernel_thread_helper+0x4/0x10
	[<ffffffff81079a60>] ? kthread_freezable_should_stop+0x70/0x70
	[<ffffffff815fd3a0>] ? gs_change+0x13/0x13

ensure that the PLL-WAR for AR9485/AR9340 is executed only if the STA is
associated (or) IBSS/AP mode had started beaconing. Ideally this WAR
is needed to recover from some rare beacon stuck during stress testing.
Before the STA is associated/IBSS had started beaconing, PLL4(0x1618c)
always seem to have zero even though we had configured PLL3(0x16188) to
query about PLL's locking status. When we keep on polling infinitely PLL4's
8th bit(ie check for PLL locking measurements is done), machine hangs
due to softlockup.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=811142

Reported-by: Rolf Offermanns <rolf.offermanns at gmx.net>
Tested-by: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
Signed-off-by: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7664af6e949f3facf0e8071053627a8fa4aaff5a
      https://github.com/ceph/ceph-client/commit/7664af6e949f3facf0e8071053627a8fa4aaff5a
  Author: Felix Fietkau <nbd at openwrt.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/xmit.c

  Log Message:
  -----------
  ath9k: fix a tx rate duration calculation bug

commit 76591bea9714a58d8924154068c78d702eb2cb17 upstream.

The rate pointer variable for a rate series is used in a loop before it is
initialized. This went unnoticed because it was used earlier for the RTS/CTS
rate. This bug can lead to the wrong PHY type being passed to the
duration calculation function.

Signed-off-by: Felix Fietkau <nbd at openwrt.org>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: d8a7bedebed60ec6366550edccff31f3e8c509a4
      https://github.com/ceph/ceph-client/commit/d8a7bedebed60ec6366550edccff31f3e8c509a4
  Author: Felix Fietkau <nbd at openwrt.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/ath9k.h
    M drivers/net/wireless/ath/ath9k/xmit.c

  Log Message:
  -----------
  ath9k: fix invalid pointer access in the tx path

commit 80b08a8d8829a58b5db14b1417151094cc28face upstream.

After setup_frame_info has been called, only info->control.rates is still
valid, other control fields have been overwritten by the ath_frame_info
data. Move the access to info->control.vif for checking short preamble
to setup_frame_info before it gets overwritten.

This regression was introduced in commit d47a61aa
"ath9k: Fix multi-VIF BSS handling"

Signed-off-by: Felix Fietkau <nbd at openwrt.org>
Reported-by: Thomas Hühn <thomas at net.t-labs.tu-berlin.de>
Acked-by: Sujith Manoharan <c_manoha at qca.qualcomm.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 084f5074c2d08a343590f386de79fd9ae2406c03
      https://github.com/ceph/ceph-client/commit/084f5074c2d08a343590f386de79fd9ae2406c03
  Author: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/hw.c

  Log Message:
  -----------
  ath9k_hw: avoid possible infinite loop in ar9003_get_pll_sqsum_dvc

commit f18e3c6b67f448ec47b3a5b242789bd3d5644879 upstream.

"ath9k: Fix softlockup in AR9485" with commit id
64bc1239c790e051ff677e023435d770d2ffa174 fixed the reported
issue, yet its better to avoid the possible infinite loop
in ar9003_get_pll_sqsum_dvc by having a timeout as suggested
by ath9k maintainers.
http://www.spinics.net/lists/linux-wireless/msg92126.html.
Based on my testing PLL's locking measurement is done in
~200us (2 iterations).

Cc: Rolf Offermanns <rolf.offermanns at gmx.net>
Cc: Sujith Manoharan <c_manoha at qca.qualcomm.com>
Cc: Senthil Balasubramanian <senthilb at qca.qualcomm.com>
Signed-off-by: Mohammed Shafi Shajakhan <mohammed at qca.qualcomm.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 301fef5503d98deb0b0d27b643b711b73e04c578
      https://github.com/ceph/ceph-client/commit/301fef5503d98deb0b0d27b643b711b73e04c578
  Author: Rajkumar Manoharan <rmanohar at qca.qualcomm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/htc_drv_main.c

  Log Message:
  -----------
  ath9k_htc: configure bssid on ASSOC/IBSS change

commit 931cb03afed7b541392295f3afc4638da32f08a0 upstream.

After the change "mac80211: remove spurious BSSID change flag",
BSS_CHANGED_BSSID will not be passed on association or IBSS
status changes. So it could be better to program bssid on ASSOC
or IBSS change notification. Not doing so, is affecting the
packet transmission.

Reported-by: Michael Leun <lkml20120218 at newton.leun.net>
Signed-off-by: Rajkumar Manoharan <rmanohar at qca.qualcomm.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: aeb0da0b585868aed04e53afd1234791efcfac08
      https://github.com/ceph/ceph-client/commit/aeb0da0b585868aed04e53afd1234791efcfac08
  Author: Felix Fietkau <nbd at openwrt.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath.h
    M drivers/net/wireless/ath/ath9k/recv.c
    M drivers/net/wireless/ath/key.c

  Log Message:
  -----------
  ath9k: fix dynamic WEP related regression

commit bed3d9c0b71f9afbfec905cb6db3b9f16be29d4d upstream.

commit 7a532fe7131216a02c81a6c1b1f8632da1195a58
ath9k_hw: fix interpretation of the rx KeyMiss flag

This commit used the rx key miss indication to detect packets that were
passed from the hardware without being decrypted, however it seems that
this bit is not only undefined in the static WEP case, but also for
dynamically allocated WEP keys. This caused a regression when using
WEP-LEAP.

This patch fixes the regression by keeping track of which key indexes
refer to CCMP keys and only using the key miss indication for those.

Reported-by: Stanislaw Gruszka <sgruszka at redhat.com>
Signed-off-by: Felix Fietkau <nbd at openwrt.org>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 72c06c7a0aa9158d75216a86307f6a80f284b11f
      https://github.com/ceph/ceph-client/commit/72c06c7a0aa9158d75216a86307f6a80f284b11f
  Author: Panayiotis Karabassis <panayk at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/hw.c

  Log Message:
  -----------
  ath9k: enable serialize_regmode for non-PCIE AR9287

commit 7508b657967cf664b5aa0f6367d05016e7e3bc2a upstream.

https://bugzilla.kernel.org/show_bug.cgi?id=42903

Based on the work of <fynivx at gmail.com>

Signed-off-by: Panayiotis Karabassis <panayk at gmail.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 78713ddf9b1d43729c9d497072b63f6dcee17d15
      https://github.com/ceph/ceph-client/commit/78713ddf9b1d43729c9d497072b63f6dcee17d15
  Author: Mark Brown <broonie at opensource.wolfsonmicro.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M sound/soc/codecs/wm2200.c

  Log Message:
  -----------
  ASoC: wm2200: Add missing BCLK rate

commit b0dfa4541e48ac4cc5f017285432c89923ad0f58 upstream.

Without this very high BCLKs will be configured incorrectly.

Reported-by: Axel Lin <axel.lin at gmail.com>
Signed-off-by: Mark Brown <broonie at opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: becbf4ebbb41acee5c0dcf2851af6bd84964fc00
      https://github.com/ceph/ceph-client/commit/becbf4ebbb41acee5c0dcf2851af6bd84964fc00
  Author: Hebbar, Gururaja <gururaja.hebbar at ti.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M sound/soc/codecs/tlv320aic3x.c
    M sound/soc/codecs/tlv320aic3x.h

  Log Message:
  -----------
  ASoC: tlv320aic3x: Fix codec pll configure bug

commit c9fe573a6584034670c1a55ee8162d623519cbbf upstream.

In sound/soc/codecs/tlv320aic3x.c
   data = snd_soc_read(codec, AIC3X_PLL_PROGA_REG);
  snd_soc_write(codec, AIC3X_PLL_PROGA_REG,
                data | (pll_p << PLLP_SHIFT));

In the above code, pll-p value is OR'ed with previous value without
clearing it. Bug is not seen if pll-p value doesn't change across
Sampling frequency.

However on some platforms (like AM335x EVM-SK), pll-p may have different
values across different sampling frequencies. In such case, above code
configures the pll with a wrong value.
Because of this bug, when a audio stream is played with pll value
different from previous stream, audio is heard as differently(like its
stretched).

Signed-off-by: Hebbar, Gururaja <gururaja.hebbar at ti.com>
Signed-off-by: Mark Brown <broonie at opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: dbc904343caccba0ce47a51379c4a743da504a8a
      https://github.com/ceph/ceph-client/commit/dbc904343caccba0ce47a51379c4a743da504a8a
  Author: Chris Mason <chris.mason at fusionio.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/btrfs/tree-log.c

  Log Message:
  -----------
  Btrfs: run delayed directory updates during log replay

commit b6305567e7d31b0bec1b8cb9ec0cadd7f7086f5f upstream.

While we are resolving directory modifications in the
tree log, we are triggering delayed metadata updates to
the filesystem btrees.

This commit forces the delayed updates to run so the
replay code can find any modifications done.  It stops
us from crashing because the directory deleltion replay
expects items to be removed immediately from the tree.

Signed-off-by: Chris Mason <chris.mason at fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: dec7e3ab49dcdb1b7997008230eb18d520899119
      https://github.com/ceph/ceph-client/commit/dec7e3ab49dcdb1b7997008230eb18d520899119
  Author: Daniel Vetter <daniel.vetter at ffwll.ch>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpu/drm/drm_edid.c

  Log Message:
  -----------
  drm/edid: don't return stack garbage from supports_rb

commit b196a4980ff7bb54db478e2a408dc8b12be15304 upstream.

We need to initialize this to false, because the is_rb callback only
ever sets it to true.

Noticed while reading through the code.

Signed-Off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Reviewed-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: eb858e23a8aa132d068aa639f617ba38e008d077
      https://github.com/ceph/ceph-client/commit/eb858e23a8aa132d068aa639f617ba38e008d077
  Author: Ben Skeggs <bskeggs at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpu/drm/nouveau/nouveau_fbcon.c

  Log Message:
  -----------
  drm/nouveau/fbcon: using nv_two_heads is not a good idea

commit 9bd0c15fcfb42f6245447c53347d65ad9e72080b upstream.

nv_two_heads() was never meant to be used outside of pre-nv50 code.  The
code checks for >= NV_10 for 2 CRTCs, then downgrades a few specific
chipsets to 1 CRTC based on (pci_device & 0x0ff0).

The breakage example seen is on GTX 560Ti, with a pciid of 0x1200, which
gets detected as an NV20 (0x020x) with 1 CRTC by nv_two_heads(), causing
memory corruption because there's actually 2 CRTCs..

This switches fbcon to use the CRTC count directly from the mode_config
structure, which will also fix the same issue on Kepler boards which have
4 CRTCs.

Signed-off-by: Ben Skeggs <bskeggs at redhat.com>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6ad566e162cbf778300fd6bfe37c98b5ce46d58b
      https://github.com/ceph/ceph-client/commit/6ad566e162cbf778300fd6bfe37c98b5ce46d58b
  Author: Takashi Iwai <tiwai at suse.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpu/drm/i915/i915_suspend.c

  Log Message:
  -----------
  drm/i915: Fix eDP blank screen after S3 resume on HP desktops

commit 6db65cbb941f9d433659bdad02b307f6d94465df upstream.

This patch fixes the problem on some HP desktop machines with eDP
which give blank screens after S3 resume.

It turned out that BLC_PWM_CPU_CTL must be written after
BLC_PWM_CPU_CTL2.  Otherwise it doesn't take effect on these
SNB machines.

Tested with 3.5-rc3 kernel.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=49233

Signed-off-by: Takashi Iwai <tiwai at suse.de>
Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a00d69ed0676b53e7e5c8d086d47a92f15b91e38
      https://github.com/ceph/ceph-client/commit/a00d69ed0676b53e7e5c8d086d47a92f15b91e38
  Author: Alex Deucher <alexander.deucher at amd.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpu/drm/radeon/radeon_gart.c
    M drivers/gpu/drm/radeon/si.c

  Log Message:
  -----------
  drm/radeon: fix VM page table setup on SI

commit c21b328ea8c7c71cd2daf50557db440bbaa7ef55 upstream.

Cayman and trinity allow for variable sized VM page
tables, but SI requires that all page tables be the
same size.  The current code assumes variablely sized
VM page tables so SI may end up with part of each page
table overlapping with other memory which could end
up being interpreted by the VM hw as garbage.

Change the code to better accomodate SI.  Allocate enough
space for at least 2 full page tables and always set
last_pfn to max_pfn on SI so each VM is backed by a full
page table.  This limits us to only 2 VMs active at any
given time on SI.  This will be rectified and the code can
be reunified once we move to two level page tables.

Signed-off-by: Alex Deucher <alexander.deucher at amd.com>
Reviewed-by: Jerome Glisse <jglisse at redhat.com>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4849c078f07f5eb93eff651d3a32cdd434f0787a
      https://github.com/ceph/ceph-client/commit/4849c078f07f5eb93eff651d3a32cdd434f0787a
  Author: Zhang Rui <rui.zhang at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/acpi/video.c

  Log Message:
  -----------
  ACPI video: Still use ACPI backlight control if _DOS doesn't exist

commit b03738430c7537d5f87948e0b35d8aaf2688c6b4 upstream.

This fixes a regression in 3.4-rc1 caused by commit
ea9f8856bd6d4ed45885b06a338f7362cd6c60e5
(ACPI video: Harden video bus adding.)

Some platforms don't have _DOS control method, but the ACPI
backlight still works.
We should not invoke _DOS for these platforms.

https://bugzilla.kernel.org/show_bug.cgi?id=43168

Cc: Igor Murzov <intergalactic.anonymous at gmail.com>
Signed-off-by: Zhang Rui <rui.zhang at intel.com>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: d54520f7cef2f18b7578d08c6a5a40eac026c3df
      https://github.com/ceph/ceph-client/commit/d54520f7cef2f18b7578d08c6a5a40eac026c3df
  Author: Stuart Hayes <Stuart_Hayes at Dell.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/acpi/acpi_pad.c

  Log Message:
  -----------
  acpi_pad: fix power_saving thread deadlock

commit 5f1601261050251a5ca293378b492a69d590dacb upstream.

The acpi_pad driver can get stuck in destroy_power_saving_task()
waiting for kthread_stop() to stop a power_saving thread.  The problem
is that the isolated_cpus_lock mutex is owned when
destroy_power_saving_task() calls kthread_stop(), which waits for a
power_saving thread to end, and the power_saving thread tries to
acquire the isolated_cpus_lock when it calls round_robin_cpu().  This
patch fixes the issue by making round_robin_cpu() use its own mutex.

https://bugzilla.kernel.org/show_bug.cgi?id=42981

Signed-off-by: Stuart Hayes <Stuart_Hayes at Dell.com>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 890b3d0ea620c942718dd29d601a7aaa4362280b
      https://github.com/ceph/ceph-client/commit/890b3d0ea620c942718dd29d601a7aaa4362280b
  Author: Huang Ying <ying.huang at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/acpi/apei/apei-base.c
    M drivers/acpi/apei/apei-internal.h
    M drivers/acpi/apei/ghes.c

  Log Message:
  -----------
  ACPI, APEI, Avoid too much error reporting in runtime

commit 34ddeb035d704eafdcdb3cbc781894300136c3c4 upstream.

This patch fixed the following bug.

https://bugzilla.kernel.org/show_bug.cgi?id=43282

This is caused by a firmware bug checking (checking generic address
register provided by firmware) in runtime.  The checking should be
done in address mapping time instead of runtime to avoid too much
error reporting in runtime.

Reported-by: Pawel Sikora <pluto at agmk.net>
Signed-off-by: Huang Ying <ying.huang at intel.com>
Tested-by: Jean Delvare <khali at linux-fr.org>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 371122fc6eef7cafc8acaf0891fd15cf623388a3
      https://github.com/ceph/ceph-client/commit/371122fc6eef7cafc8acaf0891fd15cf623388a3
  Author: Feng Tang <feng.tang at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/kernel/acpi/boot.c

  Log Message:
  -----------
  ACPI: Make acpi_skip_timer_override cover all source_irq==0 cases

commit ae10ccdc3093486f8c2369d227583f9d79f628e5 upstream.

Currently when acpi_skip_timer_override is set, it only cover the
(source_irq == 0 && global_irq == 2) cases. While there is also
platform which need use this option and its global_irq is not 2.
This patch will extend acpi_skip_timer_override to cover all
timer overriding cases as long as the source irq is 0.

This is the first part of a fix to kernel bug bugzilla 40002:
	"IRQ 0 assigned to VGA"
https://bugzilla.kernel.org/show_bug.cgi?id=40002

Reported-and-tested-by: Szymon Kowalczyk <fazerxlo at o2.pl>
Signed-off-by: Feng Tang <feng.tang at intel.com>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 5752cdb805ff89942d99d12118e2844e7db34df8
      https://github.com/ceph/ceph-client/commit/5752cdb805ff89942d99d12118e2844e7db34df8
  Author: Feng Tang <feng.tang at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/kernel/acpi/boot.c

  Log Message:
  -----------
  ACPI: Remove one board specific WARN when ignoring timer overriding

commit 7f68b4c2e158019c2ec494b5cfbd9c83b4e5b253 upstream.

Current WARN msg is only for the ati_ixp4x0 board, while this function
is used by mulitple platforms. So this one board specific warning
is not appropriate any more.

Signed-off-by: Feng Tang <feng.tang at intel.com>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b939c2acf1dc42b08407ef5174f2e8d6f43dd5ea
      https://github.com/ceph/ceph-client/commit/b939c2acf1dc42b08407ef5174f2e8d6f43dd5ea
  Author: Feng Tang <feng.tang at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/kernel/acpi/boot.c

  Log Message:
  -----------
  ACPI: Add a quirk for "AMILO PRO V2030" to ignore the timer overriding

commit f6b54f083cc66cf9b11d2120d8df3c2ad4e0836d upstream.

This is the 2nd part of fix for kernel bugzilla 40002:
    "IRQ 0 assigned to VGA"
https://bugzilla.kernel.org/show_bug.cgi?id=40002

The root cause is the buggy FW, whose ACPI tables assign the GSI 16
to 2 irqs 0 and 16(VGA), and the VGA is the right owner of GSI 16.
So add a quirk to ignore the irq0 overriding GSI 16 for the
FUJITSU SIEMENS AMILO PRO V2030 platform will solve this issue.

Reported-and-tested-by: Szymon Kowalczyk <fazerxlo at o2.pl>
Signed-off-by: Feng Tang <feng.tang at intel.com>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b429b0cf0a702501aaa7bdf59c235643c529a83c
      https://github.com/ceph/ceph-client/commit/b429b0cf0a702501aaa7bdf59c235643c529a83c
  Author: Zhang Rui <rui.zhang at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/kernel/reboot.c

  Log Message:
  -----------
  ACPI, x86: fix Dell M6600 ACPI reboot regression via DMI

commit 76eb9a30db4bc8fd172f9155247264b5f2686d7b upstream.

Dell Precision M6600 is known to require PCI reboot, so add it to
the reboot blacklist in pci_reboot_dmi_table[].

https://bugzilla.kernel.org/show_bug.cgi?id=42749

cc: x86 at kernel.org
Signed-off-by: Zhang Rui <rui.zhang at intel.com>
Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0bd3d94b39087298b88f7ee2570d1062e09e8dfd
      https://github.com/ceph/ceph-client/commit/0bd3d94b39087298b88f7ee2570d1062e09e8dfd
  Author: Pavel Vasilyev <pavel at pavlinux.ru>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/acpi/sysfs.c

  Log Message:
  -----------
  ACPI sysfs.c strlen fix

commit 9f132652d94c96476b0b0a8caf0c10e96ab10fa8 upstream.

Current code is ignoring the last character of "enable" and "disable"
in comparisons.

https://bugzilla.kernel.org/show_bug.cgi?id=33732

Signed-off-by: Len Brown <len.brown at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: cb739ad1bba5a996533cf381b9079a1e876d15bb
      https://github.com/ceph/ceph-client/commit/cb739ad1bba5a996533cf381b9079a1e876d15bb
  Author: Andrew Lunn <andrew at lunn.ch>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/arm/mach-kirkwood/include/mach/bridge-regs.h
    M arch/arm/mach-kirkwood/include/mach/kirkwood.h
    M arch/arm/mach-orion5x/include/mach/bridge-regs.h
    M arch/arm/mach-orion5x/include/mach/orion5x.h
    M arch/arm/plat-orion/common.c

  Log Message:
  -----------
  ARM: Orion: Fix Virtual/Physical mixup with watchdog

commit 0fa1f0609a0c1fe8b2be3c0089a2cb48f7fda521 upstream.

The orion watchdog is expecting to be passed the physcial address of
the hardware, and will ioremap() it to give a virtual address it will
use as the base address for the hardware. However, when creating the
platform resource record, a virtual address was being used.

Add the necassary #define's so we can pass the physical address as
expected.

Tested on Kirkwood and Orion5x.

Signed-off-by: Andrew Lunn <andrew at lunn.ch>
Signed-off-by: Olof Johansson <olof at lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0341705f37081a337d6c073d326e4e9ad2ddcc83
      https://github.com/ceph/ceph-client/commit/0341705f37081a337d6c073d326e4e9ad2ddcc83
  Author: Andrew Lunn <andrew at lunn.ch>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/arm/mach-dove/include/mach/bridge-regs.h
    M arch/arm/mach-dove/include/mach/dove.h
    M arch/arm/mach-mv78xx0/include/mach/bridge-regs.h
    M arch/arm/mach-mv78xx0/include/mach/mv78xx0.h

  Log Message:
  -----------
  ARM: Orion: Fix WDT compile for Dove and MV78xx0

commit 1e0c1ce00d83834d03f4d8d039734ca4703298df upstream.

Commit 0fa1f0609a0c1fe8b2be3c0089a2cb48f7fda521 (ARM: Orion: Fix
Virtual/Physical mixup with watchdog) broke the Dove & MV78xx0
build. Although these two SoC don't use the watchdog, the shared
platform code still needs to build. Add the necessary defines.

Reported-by: Nicolas Pitre <nico at fluxnic.net>
Signed-off-by: Andrew Lunn <andrew at lunn.ch>
Tested-by: Nicolas Pitre <nico at fluxnic.net>
Signed-off-by: Arnd Bergmann <arnd at arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8c890e34f58fc8d3c0eafecf0bdc92c4161b1679
      https://github.com/ceph/ceph-client/commit/8c890e34f58fc8d3c0eafecf0bdc92c4161b1679
  Author: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/block/xen-blkback/common.h

  Log Message:
  -----------
  xen/blkback: Copy id field when doing BLKIF_DISCARD.

commit 8c9ce606a60e4a0cb447bdc082ce383b96b227b4 upstream.

We weren't copying the id field so when we sent the response
back to the frontend (especially with a 64-bit host and 32-bit
guest), we ended up using a random value. This lead to the
frontend crashing as it would try to pass to __blk_end_request_all
a NULL 'struct request' (b/c it would use the 'id' to find the
proper 'struct request' in its shadow array) and end up crashing:

BUG: unable to handle kernel NULL pointer dereference at 000000e4
IP: [<c0646d4c>] __blk_end_request_all+0xc/0x40
.. snip..
EIP is at __blk_end_request_all+0xc/0x40
.. snip..
 [<ed95db72>] blkif_interrupt+0x172/0x330 [xen_blkfront]

This fixes the bug by passing in the proper id for the response.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=824641

Tested-by: William Dauchy <wdauchy at gmail.com>
Acked-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 31b1da2a2ae8a053c33e1fd5b87ec3ea39e81b99
      https://github.com/ceph/ceph-client/commit/31b1da2a2ae8a053c33e1fd5b87ec3ea39e81b99
  Author: Tao Guo <glorioustao at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/block/umem.c

  Log Message:
  -----------
  umem: fix up unplugging

commit 32587371ad3db2f9d335de10dbd8cffd4fff5669 upstream.

Fix a regression introduced by 7eaceaccab5f40 ("block: remove per-queue
plugging").  In that patch, Jens removed the whole mm_unplug_device()
function, which used to be the trigger to make umem start to work.

We need to implement unplugging to make umem start to work, or I/O will
never be triggered.

Signed-off-by: Tao Guo <Tao.Guo at emc.com>
Cc: Neil Brown <neilb at suse.de>
Cc: Jens Axboe <axboe at kernel.dk>
Cc: Shaohua Li <shli at kernel.org>
Acked-by: NeilBrown <neilb at suse.de>
Signed-off-by: Jens Axboe <axboe at kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a7c60136e5bf96bc58a27ab9822a2e48ed768429
      https://github.com/ceph/ceph-client/commit/a7c60136e5bf96bc58a27ab9822a2e48ed768429
  Author: Mel Gorman <mgorman at suse.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M Documentation/stable_kernel_rules.txt

  Log Message:
  -----------
  stable: Allow merging of backports for serious user-visible performance issues

commit eb3979f64d25120d60b9e761a4c58f70b1a02f86 upstream.

Distribution kernel maintainers routinely backport fixes for users that
were deemed important but not "something critical" as defined by the
rules. To users of these kernels they are very serious and failing to fix
them reduces the value of -stable.

The problem is that the patches fixing these issues are often subtle and
prone to regressions in other ways and need greater care and attention.
To combat this, these "serious" backports should have a higher barrier
to entry.

This patch relaxes the rules to allow a distribution maintainer to merge
to -stable a backported patch or small series that fixes a "serious"
user-visible performance issue. They should include additional information on
the user-visible bug affected and a link to the bugzilla entry if available.
The same rules about the patch being already in mainline still apply.

Signed-off-by: Mel Gorman <mgorman at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 21017faf87a93117ca7a14aa8f0dd2f315fdeb08
      https://github.com/ceph/ceph-client/commit/21017faf87a93117ca7a14aa8f0dd2f315fdeb08
  Author: Konstantin Khlebnikov <khlebnikov at openvz.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/exec.c
    M kernel/exit.c

  Log Message:
  -----------
  mm: correctly synchronize rss-counters at exit/exec

commit 4fe7efdbdfb1c7e7a7f31decfd831c0f31d37091 upstream.

do_exit() and exec_mmap() call sync_mm_rss() before mm_release() does
put_user(clear_child_tid) which can update task->rss_stat and thus make
mm->rss_stat inconsistent.  This triggers the "BUG:" printk in check_mm().

Let's fix this bug in the safest way, and optimize/cleanup this later.

Reported-by: Markus Trippelsdorf <markus at trippelsdorf.de>
Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
Cc: Oleg Nesterov <oleg at redhat.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu at jp.fujitsu.com>
Cc: Hugh Dickins <hughd at google.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 3d90eeae377192032aa58c1934582cc155a2498f
      https://github.com/ceph/ceph-client/commit/3d90eeae377192032aa58c1934582cc155a2498f
  Author: Mandeep Singh Baines <msb at chromium.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/base/power/main.c

  Log Message:
  -----------
  PM / Sleep: Prevent waiting forever on asynchronous suspend after abort

commit 1f758b23177d588a71b96ad02990e715949bb82f upstream.

__device_suspend() must always send a completion. Otherwise, parent
devices will wait forever.

Commit 1e2ef05b, "PM: Limit race conditions between runtime PM and
system sleep (v2)", introduced a regression by short-circuiting the
complete_all() for certain error cases.

This patch fixes the bug by always signalling a completion.

Addresses http://crosbug.com/31972

Tested by injecting an abort.

Signed-off-by: Mandeep Singh Baines <msb at chromium.org>
Signed-off-by: Rafael J. Wysocki <rjw at sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 2f0d20928b7360267ec80bb393971752f2351463
      https://github.com/ceph/ceph-client/commit/2f0d20928b7360267ec80bb393971752f2351463
  Author: Tushar Behera <tushar.behera at linaro.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/dma/pl330.c

  Log Message:
  -----------
  dmaengine: pl330: dont complete descriptor for cyclic dma

commit 30c1dc0ff30b5552e8af555265dbeac5637cbb48 upstream.

Commit eab215855803 ("dmaengine: pl330: dont complete descriptor for
cyclic dma") wrongly completes descriptor for cyclic dma, hence following
BUG_ON is still hit with cyclic DMA operations.

kernel BUG at drivers/dma/dmaengine.h:53!

Signed-off-by: Tushar Behera <tushar.behera at linaro.org>
Acked-by: Jassi Brar <jaswinder.singh at linaro.org>
Signed-off-by: Vinod Koul <vinod.koul at linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: d5b8efa118c7bf1b88e0f6f0185fbdd3c0ee67ed
      https://github.com/ceph/ceph-client/commit/d5b8efa118c7bf1b88e0f6f0185fbdd3c0ee67ed
  Author: Bryan Schumaker <bjschuma at netapp.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/nfs/idmap.c

  Log Message:
  -----------
  NFS: Force the legacy idmapper to be single threaded

commit b1027439dff844675f6c0df97a1b1d190791a699 upstream.

It was initially coded under the assumption that there would only be one
request at a time, so use a lock to enforce this requirement..

Signed-off-by: Bryan Schumaker <bjschuma at netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c10f88285e2daf11ef8ec9726a25804abb9a84be
      https://github.com/ceph/ceph-client/commit/c10f88285e2daf11ef8ec9726a25804abb9a84be
  Author: Rajendra Nayak <rnayak at ti.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/clk/clk.c

  Log Message:
  -----------
  clk: Allow late cache allocation for clk->parents

commit 7975059db572eb47f0fb272a62afeae272a4b209 upstream.

Parent clocks for muxes are cached in clk->parents to
avoid frequent lookups, however the cache allocation happens
only during clock registeration and later clk_set_parent()
assumes a cache space available and allocated.

This is not entirely true for platforms which do early clock
registerations wherein the cache allocation using kzalloc
could fail during clock registeration.

Allow cache allocation to happen later as part of clk_set_parent()
to help such cases and avoid crashes assuming a cache being
available.

While here also replace existing kmalloc() with kzalloc()
in the file.

Signed-off-by: Rajendra Nayak <rnayak at ti.com>
Signed-off-by: Mike Turquette <mturquette at linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8bd6035bfc6a0c401e1ed01d2658e502a6f6683b
      https://github.com/ceph/ceph-client/commit/8bd6035bfc6a0c401e1ed01d2658e502a6f6683b
  Author: Rajendra Nayak <rnayak at ti.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/clk/clk.c

  Log Message:
  -----------
  clk: fix parent validation in __clk_set_parent()

commit 863b13271f1608ab3af6f7a371047d9a66693e38 upstream.

The below commit introduced a bug in __clk_set_parent()
which could cause it to *skip* the parent validation
which makes sure the parent passed to the api is a valid
one.

    commit 7975059db572eb47f0fb272a62afeae272a4b209
    Author: Rajendra Nayak <rnayak at ti.com>
    Date:   Wed Jun 6 14:41:31 2012 +0530
   clk: Allow late cache allocation for clk->parents

This was identified by the following compiler warning..

    drivers/clk/clk.c: In function '__clk_set_parent':
    drivers/clk/clk.c:1083:5: warning: 'i' may be used uninitialized in this function [-Wuninitialized]

.. as reported by Marc Kleine-Budde.

There were various options discussed on how to fix this, one
being initing 'i' to clk->num_parents, but the below approach
was found to be more appropriate as it also makes the 'parent
validation' code simpler to read.

Reported-by: Marc Kleine-Budde <mkl at pengutronix.de>
Signed-off-by: Rajendra Nayak <rnayak at ti.com>
Signed-off-by: Mike Turquette <mturquette at linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 96e1ecef17e300d49ecc5b7378a82e7389227191
      https://github.com/ceph/ceph-client/commit/96e1ecef17e300d49ecc5b7378a82e7389227191
  Author: Mark Brown <broonie at opensource.wolfsonmicro.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpio/gpio-wm8994.c

  Log Message:
  -----------
  gpiolib: wm8994: Pay attention to the value set when enabling as output

commit 8cd578b6e28693f357867a77598a88ef3deb6b39 upstream.

Not paying attention to the value being set is a bad thing because it
means that we'll not set the hardware up to reflect what was requested.
Not setting the hardware up to reflect what was requested means that the
caller won't get the results they wanted.

Signed-off-by: Mark Brown <broonie at opensource.wolfsonmicro.com>
Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 96445edb34f5ade124081edda2c915714aec4b9a
      https://github.com/ceph/ceph-client/commit/96445edb34f5ade124081edda2c915714aec4b9a
  Author: Dmitry Shmygov <shmygov at rambler.ru>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/serial/option.c

  Log Message:
  -----------
  USB: option: add id for Cellient MEN-200

commit 1e2c4e59d2b8797973471b4a287a43eac12a0f40 upstream.

Add vendor and product ID to option.c driver
for Cellient MEN-200 EVDO Rev.B 450MHz data module.
http://cellient.com

Signed-off-by: Dmitry Shmygov <shmygov at rambler.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 2ce4171eeb3bbe0192a5888dbb9bc499e70a9c9b
      https://github.com/ceph/ceph-client/commit/2ce4171eeb3bbe0192a5888dbb9bc499e70a9c9b
  Author: Forest Bond <forest.bond at rapidrollout.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/serial/option.c

  Log Message:
  -----------
  USB: option: Add USB ID for Novatel Ovation MC551

commit 065b07e7a14676f4138ce4619d229c0be5a74230 upstream.

This device is also known as the Verizon USB551L.

Signed-off-by: Forest Bond <forest.bond at rapidrollout.com>
Acked-by: Dan Williams <dcbw at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 35733efe3599b30ace9b035eb425be85aaa3ae12
      https://github.com/ceph/ceph-client/commit/35733efe3599b30ace9b035eb425be85aaa3ae12
  Author: Craig Shelley <craig at microtron.org.uk>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/serial/cp210x.c

  Log Message:
  -----------
  USB: CP210x Add 10 Device IDs

commit 3fcc8f96829776cf181918461923d1e3bbb831a2 upstream.

This patch adds 10 device IDs for CP210x based devices from the following manufacturers:
Timewave
Clipsal
Festo
Link Instruments

Signed-off-by: Craig Shelley <craig at microtron.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b18504e4a631e31edd939fe569342274927d4b41
      https://github.com/ceph/ceph-client/commit/b18504e4a631e31edd939fe569342274927d4b41
  Author: Alan Stern <stern at rowland.harvard.edu>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/scsi/sd.c
    M drivers/usb/storage/scsiglue.c
    M include/scsi/scsi_device.h

  Log Message:
  -----------
  SCSI & usb-storage: add try_rc_10_first flag

commit 6a0bdffa0073857870a4ed1b4489762146359eb4 upstream.

Several bug reports have been received recently for USB mass-storage
devices that don't handle READ CAPACITY(16) commands properly.  They
report bogus sizes, in some cases becoming unusable as a result.

The bugs were triggered by commit
09b6b51b0b6c1b9bb61815baf205e4d74c89ff04 (SCSI & usb-storage: add
flags for VPD pages and REPORT LUNS), which caused usb-storage to stop
overriding the SCSI level reported by devices.  By default, the sd
driver will try READ CAPACITY(16) first for any device whose level is
above SCSI_SPC_2.

It seems likely that any device large enough to require the use of
READ CAPACITY(16) (i.e., 2 TB or more) would be able to handle READ
CAPACITY(10) commands properly.  Indeed, I don't know of any devices
that don't handle READ CAPACITY(10) properly.

Therefore this patch (as1559) adds a new flag telling the sd driver
to try READ CAPACITY(10) before READ CAPACITY(16), and sets this flag
for every USB mass-storage device.  If a device really is larger than
2 TB, sd will fall back to READ CAPACITY(16) just as it used to.

This fixes Bugzilla #43391.

Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
Acked-by: Hans de Goede <hdegoede at redhat.com>
CC: "James E.J. Bottomley" <JBottomley at parallels.com>
CC: Matthew Dharm <mdharm-usb at one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 5a851e1314972efe28723b15b57ff645cb818003
      https://github.com/ceph/ceph-client/commit/5a851e1314972efe28723b15b57ff645cb818003
  Author: Alan Stern <stern at rowland.harvard.edu>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/storage/unusual_devs.h

  Log Message:
  -----------
  usb-storage: revert commit afff07e61a52 (Add 090c:1000 to unusal-devs)

commit 0070513b5e005161a7a7fd9a3f48f982b41eb094 upstream.

This patch (as1560) reverts commit
afff07e61a5243e14ee3f0a272a0380cd744a8a3 (usb-storage: Add 090c:1000
to unusal-devs).  It is no longer needed, because usb-storage now
tells the sd driver to try READ CAPACITY(10) before READ CAPACITY(16)
for every USB mass-storage device.

Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
Acked-by: Hans de Goede <hdegoede at redhat.com>
CC: Matthew Dharm <mdharm-usb at one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0d84f6e5ba73f0b2ef3af8e5c1f96b8ab8ecff6f
      https://github.com/ceph/ceph-client/commit/0d84f6e5ba73f0b2ef3af8e5c1f96b8ab8ecff6f
  Author: Eliad Peller <eliad at wizery.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/wireless/reg.c

  Log Message:
  -----------
  cfg80211: fix potential deadlock in regulatory

commit fe20b39ec32e975f1054c0b7866c873a954adf05 upstream.

reg_timeout_work() calls restore_regulatory_settings() which
takes cfg80211_mutex.

reg_set_request_processed() already holds cfg80211_mutex
before calling cancel_delayed_work_sync(reg_timeout),
so it might deadlock.

Call the async cancel_delayed_work instead, in order
to avoid the potential deadlock.

This is the relevant lockdep warning:

cfg80211: Calling CRDA for country: XX

======================================================
[ INFO: possible circular locking dependency detected ]
3.4.0-rc5-wl+ #26 Not tainted
-------------------------------------------------------
kworker/0:2/1391 is trying to acquire lock:
 (cfg80211_mutex){+.+.+.}, at: [<bf28ae00>] restore_regulatory_settings+0x34/0x418 [cfg80211]

but task is already holding lock:
 ((reg_timeout).work){+.+...}, at: [<c0059e94>] process_one_work+0x1f0/0x480

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 ((reg_timeout).work){+.+...}:
       [<c008fd44>] validate_chain+0xb94/0x10f0
       [<c0090b68>] __lock_acquire+0x8c8/0x9b0
       [<c0090d40>] lock_acquire+0xf0/0x114
       [<c005b600>] wait_on_work+0x4c/0x154
       [<c005c000>] __cancel_work_timer+0xd4/0x11c
       [<c005c064>] cancel_delayed_work_sync+0x1c/0x20
       [<bf28b274>] reg_set_request_processed+0x50/0x78 [cfg80211]
       [<bf28bd84>] set_regdom+0x550/0x600 [cfg80211]
       [<bf294cd8>] nl80211_set_reg+0x218/0x258 [cfg80211]
       [<c03c7738>] genl_rcv_msg+0x1a8/0x1e8
       [<c03c6a00>] netlink_rcv_skb+0x5c/0xc0
       [<c03c7584>] genl_rcv+0x28/0x34
       [<c03c6720>] netlink_unicast+0x15c/0x228
       [<c03c6c7c>] netlink_sendmsg+0x218/0x298
       [<c03933c8>] sock_sendmsg+0xa4/0xc0
       [<c039406c>] __sys_sendmsg+0x1e4/0x268
       [<c0394228>] sys_sendmsg+0x4c/0x70
       [<c0013840>] ret_fast_syscall+0x0/0x3c

-> #1 (reg_mutex){+.+.+.}:
       [<c008fd44>] validate_chain+0xb94/0x10f0
       [<c0090b68>] __lock_acquire+0x8c8/0x9b0
       [<c0090d40>] lock_acquire+0xf0/0x114
       [<c04734dc>] mutex_lock_nested+0x48/0x320
       [<bf28b2cc>] reg_todo+0x30/0x538 [cfg80211]
       [<c0059f44>] process_one_work+0x2a0/0x480
       [<c005a4b4>] worker_thread+0x1bc/0x2bc
       [<c0061148>] kthread+0x98/0xa4
       [<c0014af4>] kernel_thread_exit+0x0/0x8

-> #0 (cfg80211_mutex){+.+.+.}:
       [<c008ed58>] print_circular_bug+0x68/0x2cc
       [<c008fb28>] validate_chain+0x978/0x10f0
       [<c0090b68>] __lock_acquire+0x8c8/0x9b0
       [<c0090d40>] lock_acquire+0xf0/0x114
       [<c04734dc>] mutex_lock_nested+0x48/0x320
       [<bf28ae00>] restore_regulatory_settings+0x34/0x418 [cfg80211]
       [<bf28b200>] reg_timeout_work+0x1c/0x20 [cfg80211]
       [<c0059f44>] process_one_work+0x2a0/0x480
       [<c005a4b4>] worker_thread+0x1bc/0x2bc
       [<c0061148>] kthread+0x98/0xa4
       [<c0014af4>] kernel_thread_exit+0x0/0x8

other info that might help us debug this:

Chain exists of:
  cfg80211_mutex --> reg_mutex --> (reg_timeout).work

 Possible unsafe locking scenario:
  CPU0                    CPU1
       ----                    ----
  lock((reg_timeout).work);
                         lock(reg_mutex);
                         lock((reg_timeout).work);
  lock(cfg80211_mutex);

 *** DEADLOCK ***

2 locks held by kworker/0:2/1391:
 #0:  (events){.+.+.+}, at: [<c0059e94>] process_one_work+0x1f0/0x480
 #1:  ((reg_timeout).work){+.+...}, at: [<c0059e94>] process_one_work+0x1f0/0x480

stack backtrace:
[<c001b928>] (unwind_backtrace+0x0/0x12c) from [<c0471d3c>] (dump_stack+0x20/0x24)
[<c0471d3c>] (dump_stack+0x20/0x24) from [<c008ef70>] (print_circular_bug+0x280/0x2cc)
[<c008ef70>] (print_circular_bug+0x280/0x2cc) from [<c008fb28>] (validate_chain+0x978/0x10f0)
[<c008fb28>] (validate_chain+0x978/0x10f0) from [<c0090b68>] (__lock_acquire+0x8c8/0x9b0)
[<c0090b68>] (__lock_acquire+0x8c8/0x9b0) from [<c0090d40>] (lock_acquire+0xf0/0x114)
[<c0090d40>] (lock_acquire+0xf0/0x114) from [<c04734dc>] (mutex_lock_nested+0x48/0x320)
[<c04734dc>] (mutex_lock_nested+0x48/0x320) from [<bf28ae00>] (restore_regulatory_settings+0x34/0x418 [cfg80211])
[<bf28ae00>] (restore_regulatory_settings+0x34/0x418 [cfg80211]) from [<bf28b200>] (reg_timeout_work+0x1c/0x20 [cfg80211])
[<bf28b200>] (reg_timeout_work+0x1c/0x20 [cfg80211]) from [<c0059f44>] (process_one_work+0x2a0/0x480)
[<c0059f44>] (process_one_work+0x2a0/0x480) from [<c005a4b4>] (worker_thread+0x1bc/0x2bc)
[<c005a4b4>] (worker_thread+0x1bc/0x2bc) from [<c0061148>] (kthread+0x98/0xa4)
[<c0061148>] (kthread+0x98/0xa4) from [<c0014af4>] (kernel_thread_exit+0x0/0x8)
cfg80211: Calling CRDA to update world regulatory domain
cfg80211: World regulatory domain updated:
cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)

Signed-off-by: Eliad Peller <eliad at wizery.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a7faba5c5263f9d8a31b3f542a0504552fa80932
      https://github.com/ceph/ceph-client/commit/a7faba5c5263f9d8a31b3f542a0504552fa80932
  Author: Antonio Quartulli <ordex at autistici.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/batman-adv/routing.c

  Log Message:
  -----------
  batman-adv: fix skb->data assignment

commit 2c995ff892313009e336ecc8ec3411022f5b1c39 upstream.

skb_linearize(skb) possibly rearranges the skb internal data and then changes
the skb->data pointer value. For this reason any other pointer in the code that
was assigned skb->data before invoking skb_linearise(skb) must be re-assigned.

In the current tt_query message handling code this is not done and therefore, in
case of skb linearization, the pointer used to handle the packet header ends up
in pointing to free'd memory.

This bug was introduced by a73105b8d4c765d9ebfb664d0a66802127d8e4c7
(batman-adv: improved client announcement mechanism)

Signed-off-by: Antonio Quartulli <ordex at autistici.org>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0c290a35a401ba4f608cb9cc669645a3b07498e2
      https://github.com/ceph/ceph-client/commit/0c290a35a401ba4f608cb9cc669645a3b07498e2
  Author: Marek Lindner <lindner_marek at yahoo.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/batman-adv/translation-table.c

  Log Message:
  -----------
  batman-adv: only drop packets of known wifi clients

commit 5870adc68fc39d81089f1e80efdf64b97e5c37a1 upstream.

bug introduced with 59b699cdee039d75915c354da06937102d1f9a84

If the source or destination mac address of an ethernet packet
could not be found in the translation table the packet was
dropped if AP isolation was turned on. This behavior would
make it impossible to send broadcast packets over the mesh as
the broadcast address will never enter the translation table.

Signed-off-by: Marek Lindner <lindner_marek at yahoo.de>
Acked-by: Antonio Quartulli <ordex at autistici.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7cc0ab128f8866767113eece040dc838175901b2
      https://github.com/ceph/ceph-client/commit/7cc0ab128f8866767113eece040dc838175901b2
  Author: Alexander Duyck <alexander.h.duyck at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/intel/ixgbe/ixgbe.h
    M drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
    M drivers/net/ethernet/intel/ixgbe/ixgbe_main.c

  Log Message:
  -----------
  ixgbe: Do not pad FCoE frames as this can cause issues with FCoE DDP

commit 57efd44c8cad440fb00ef8078cb018ab2f221373 upstream.

FCoE target mode was experiencing issues due to the fact that we were
sending up data frames that were padded to 60 bytes after the DDP logic had
already stripped the frame down to 52 or 56 depending on the use of VLANs.
This was resulting in the FCoE DDP logic having issues since it thought the
frame still had data in it due to the padding.

To resolve this, adding code so that we do not pad FCoE frames prior to
handling them to the stack.

Signed-off-by: Alexander Duyck <alexander.h.duyck at intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt at intel.com>
Tested-by: Ross Brattain <ross.b.brattain at intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8010204c43b1b1543b35972060a0dcaea2cce6fe
      https://github.com/ceph/ceph-client/commit/8010204c43b1b1543b35972060a0dcaea2cce6fe
  Author: Dan Carpenter <dan.carpenter at oracle.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/can/c_can/c_can.c

  Log Message:
  -----------
  can: c_can: precedence error in c_can_chip_config()

commit d9cb9bd63eb27ac19f26a8547128c053f43a5da8 upstream.

(CAN_CTRLMODE_LISTENONLY & CAN_CTRLMODE_LOOPBACK) is (0x02 & 0x01) which
is zero so the condition is never true.  The intent here was to test
that both flags were set.

Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Acked-by: Oliver Hartkopp <socketcan at hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl at pengutronix.de>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 70f6c28e4621b4c7047e3d4b848fc0393a9789e3
      https://github.com/ceph/ceph-client/commit/70f6c28e4621b4c7047e3d4b848fc0393a9789e3
  Author: Hui Wang <jason77.wang at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/can/flexcan.c

  Log Message:
  -----------
  can: flexcan: use be32_to_cpup to handle the value of dt entry

commit 85f2f834e85517307f13e30e630a5fc86f757cb5 upstream.

The freescale arm i.MX series platform can support this driver, and
usually the arm cpu works in the little endian mode by default, while
device tree entry value is stored in big endian format, we should use
be32_to_cpup() to handle them, after modification, it can work well
both on the le cpu and be cpu.

Cc: Shawn Guo <shawn.guo at linaro.org>
Signed-off-by: Hui Wang <jason77.wang at gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl at pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: eb2e99be9b4f0354c28f8528cf3e87ef7b2d0ce8
      https://github.com/ceph/ceph-client/commit/eb2e99be9b4f0354c28f8528cf3e87ef7b2d0ce8
  Author: Andrew Bird (Sphere Systems) <ajb at spheresystems.co.uk>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/usb/qmi_wwan.c

  Log Message:
  -----------
  USB: qmi_wwan: Make forced int 4 whitelist generic

commit 00001880cd8faaa349fe2ebb158f7e0cd8026048 upstream.

Change the forced interface 4 whitelist to use the generic shared
binder instead of the Gobi specific one. Certain ZTE devices
(K3520-Z & K3765-Z) don't work with the Gobi version, but function
quite happily with the generic. This has been tested with the following
devices:
K3520-Z
K3565-Z
K3765-Z
K4505-Z
It hasn't been tested with the ZTE MF820D, which is the only other
device that uses this whitelist at present. Although Bjorn doesn't
expect any problems, any testing with that device would be appreciated.

Signed-off-by: Andrew Bird <ajb at spheresystems.co.uk>
Acked-by: Bjørn Mork <bjorn at mork.no>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6052c2a9783d95a58c797931cebd5a8f1cfdbefd
      https://github.com/ceph/ceph-client/commit/6052c2a9783d95a58c797931cebd5a8f1cfdbefd
  Author: Andrew Bird (Sphere Systems) <ajb at spheresystems.co.uk>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/usb/qmi_wwan.c

  Log Message:
  -----------
  USB: qmi_wwan: Add ZTE (Vodafone) K3520-Z

commit f7142e6c226076fd40c2ebaad9fb0c9a631b790e upstream.

Signed-off-by: Andrew Bird <ajb at spheresystems.co.uk>
Acked-by: Bjørn Mork <bjorn at mork.no>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4dd207877fcaf5453be515a529f593061bbd2d8b
      https://github.com/ceph/ceph-client/commit/4dd207877fcaf5453be515a529f593061bbd2d8b
  Author: Bjørn Mork <bjorn at mork.no>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/usb/qmi_wwan.c

  Log Message:
  -----------
  net: qmi_wwan: fix Gobi device probing

commit b9f90eb2740203ff2592efe640409ad48335d1c2 upstream.

Ignoring interfaces with additional descriptors is not a reliable
method for locating the correct interface on Gobi devices.  There
is at least one device where this method fails:
https://bbs.archlinux.org/viewtopic.php?id=143506

The result is that the AT command port (interface #2) is hidden
from qcserial, preventing traditional serial modem usage:

[   15.562552] qmi_wwan 4-1.6:1.0: cdc-wdm0: USB WDM device
[   15.562691] qmi_wwan 4-1.6:1.0: wwan0: register 'qmi_wwan' at usb-0000:00:1d.0-1.6, Qualcomm Gobi wwan/QMI device, 1e:df:3c:3a:4e:3b
[   15.563383] qmi_wwan: probe of 4-1.6:1.1 failed with error -22
[   15.564189] qmi_wwan 4-1.6:1.2: cdc-wdm1: USB WDM device
[   15.564302] qmi_wwan 4-1.6:1.2: wwan1: register 'qmi_wwan' at usb-0000:00:1d.0-1.6, Qualcomm Gobi wwan/QMI device, 1e:df:3c:3a:4e:3b
[   15.564328] qmi_wwan: probe of 4-1.6:1.3 failed with error -22
[   15.569376] qcserial 4-1.6:1.1: Qualcomm USB modem converter detected
[   15.569440] usb 4-1.6: Qualcomm USB modem converter now attached to ttyUSB0
[   15.570372] qcserial 4-1.6:1.3: Qualcomm USB modem converter detected
[   15.570430] usb 4-1.6: Qualcomm USB modem converter now attached to ttyUSB1

Use static interface numbers taken from the interface map in
qcserial for all Gobi devices instead:

	Gobi 1K USB layout:
	0: serial port (doesn't respond)
	1: serial port (doesn't respond)
	2: AT-capable modem port
	3: QMI/net

	Gobi 2K+ USB layout:
	0: QMI/net
	1: DM/DIAG (use libqcdm from ModemManager for communication)
	2: AT-capable modem port
	3: NMEA

This should be more reliable over all, and will also prevent the
noisy "probe failed" messages.  The whitelisting logic is expected
to be replaced by direct interface number matching in 3.6.

Reported-by: Heinrich Siebmanns (Harvey) <H.Siebmanns at t-online.de>
Signed-off-by: Bjørn Mork <bjorn at mork.no>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a71e15c90f58beb7a7f8df6ab7d46fb7c4ca618b
      https://github.com/ceph/ceph-client/commit/a71e15c90f58beb7a7f8df6ab7d46fb7c4ca618b
  Author: Bjørn Mork <bjorn at mork.no>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/usb/qmi_wwan.c

  Log Message:
  -----------
  net: qmi_wwan: fix Oops while disconnecting

commit d9b8706843a501034d09bea63ca6723a2ed02b11 upstream.

usbnet_disconnect() will set intfdata to NULL before calling
the minidriver unbind function.  The cdc_wdm subdriver cannot
know that it is disconnecting until the qmi_wwan unbind
function has called its disconnect function.  This means that
we must be able to support the cdc_wdm subdriver operating
normally while usbnet_disconnect() is running, and in
particular that intfdata may be NULL.

The only place this matters is in qmi_wwan_cdc_wdm_manage_power
which is called from cdc_wdm.  Simply testing for NULL
intfdata there is sufficient to allow it to continue working
at all times.

Fixes this Oops where a cdc-wdm device was closed while the
USB device was disconnecting, causing wdm_release to call
qmi_wwan_cdc_wdm_manage_power after intfdata was set to
NULL by usbnet_disconnect:

[41819.087460] BUG: unable to handle kernel NULL pointer dereference at 00000080
[41819.087815] IP: [<f8640458>] qmi_wwan_manage_power+0x68/0x90 [qmi_wwan]
[41819.088028] *pdpt = 000000000314f001 *pde = 0000000000000000
[41819.088028] Oops: 0002 [#1] SMP
[41819.088028] Modules linked in: qmi_wwan option usb_wwan usbserial usbnet
cdc_wdm nls_iso8859_1 nls_cp437 vfat fat usb_storage bnep rfcomm bluetooth
parport_pc ppdev binfmt_misc iptable_nat nf_nat nf_conntrack_ipv4
nf_conntrack nf_defrag_ipv4 iptable_mangle iptable_filter ip_tables
x_tables dm_crypt uvcvideo snd_hda_codec_realtek snd_hda_intel
videobuf2_core snd_hda_codec joydev videodev videobuf2_vmalloc
hid_multitouch snd_hwdep arc4 videobuf2_memops snd_pcm snd_seq_midi
snd_rawmidi snd_seq_midi_event ath9k mac80211 snd_seq ath9k_common ath9k_hw
ath snd_timer snd_seq_device sparse_keymap dm_multipath scsi_dh coretemp
mac_hid snd soundcore cfg80211 snd_page_alloc psmouse serio_raw microcode
lp parport dm_mirror dm_region_hash dm_log usbhid hid i915 drm_kms_helper
drm r8169 i2c_algo_bit wmi video [last unloaded: qmi_wwan]
[41819.088028]
[41819.088028] Pid: 23292, comm: qmicli Not tainted 3.4.0-5-generic #11-Ubuntu GIGABYTE T1005/T1005
[41819.088028] EIP: 0060:[<f8640458>] EFLAGS: 00010246 CPU: 1
[41819.088028] EIP is at qmi_wwan_manage_power+0x68/0x90 [qmi_wwan]
[41819.088028] EAX: 00000000 EBX: 00000000 ECX: 000000c3 EDX: 00000000
[41819.088028] ESI: c3b27658 EDI: 00000000 EBP: c298bea4 ESP: c298be98
[41819.088028]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[41819.088028] CR0: 8005003b CR2: 00000080 CR3: 3605e000 CR4: 000007f0
[41819.088028] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[41819.088028] DR6: ffff0ff0 DR7: 00000400
[41819.088028] Process qmicli (pid: 23292, ti=c298a000 task=f343b280 task.ti=c298a000)
[41819.088028] Stack:
[41819.088028]  00000000 c3b27658 e2a80d00 c298beb0 f864051a c3b27600 c298bec0 f9027099
[41819.088028]  c2fd6000 00000008 c298bef0 c1147f96 00000001 00000000 00000000 f4e54790
[41819.088028]  ecf43a00 ecf43a00 c2fd6008 c2fd6000 ebbd7600 ffffffb9 c298bf08 c1144474
[41819.088028] Call Trace:
[41819.088028]  [<f864051a>] qmi_wwan_cdc_wdm_manage_power+0x1a/0x20 [qmi_wwan]
[41819.088028]  [<f9027099>] wdm_release+0x69/0x70 [cdc_wdm]
[41819.088028]  [<c1147f96>] fput+0xe6/0x210
[41819.088028]  [<c1144474>] filp_close+0x54/0x80
[41819.088028]  [<c1046a65>] put_files_struct+0x75/0xc0
[41819.088028]  [<c1046b56>] exit_files+0x46/0x60
[41819.088028]  [<c1046f81>] do_exit+0x141/0x780
[41819.088028]  [<c107248f>] ? wake_up_state+0xf/0x20
[41819.088028]  [<c1053f48>] ? signal_wake_up+0x28/0x40
[41819.088028]  [<c1054f3b>] ? zap_other_threads+0x6b/0x80
[41819.088028]  [<c1047864>] do_group_exit+0x34/0xa0
[41819.088028]  [<c10478e8>] sys_exit_group+0x18/0x20
[41819.088028]  [<c15bb7df>] sysenter_do_call+0x12/0x28
[41819.088028] Code: 04 83 e7 01 c1 e7 03 0f b6 42 18 83 e0 f7 09 f8 88 42
18 8b 43 04 e8 48 9a dd c8 89 f0 8b 5d f4 8b 75 f8 8b 7d fc 89 ec 5d c3 90
<f0> ff 88 80 00 00 00 0f 94 c0 84 c0 75 b7 31 f6 8b 5d f4 89 f0
[41819.088028] EIP: [<f8640458>] qmi_wwan_manage_power+0x68/0x90 [qmi_wwan] SS:ESP 0068:c298be98
[41819.088028] CR2: 0000000000000080
[41819.149492] ---[ end trace 0944479ff8257f55 ]---

Reported-by: Marius Bjørnstad Kotsbak <marius.kotsbak at gmail.com>
Signed-off-by: Bjørn Mork <bjorn at mork.no>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a92fdd54f75eae8e7d591070c83e146ab8eec2e3
      https://github.com/ceph/ceph-client/commit/a92fdd54f75eae8e7d591070c83e146ab8eec2e3
  Author: Will Deacon <will.deacon at arm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/oprofile/oprofile_perf.c

  Log Message:
  -----------
  oprofile: perf: use NR_CPUS instead or nr_cpumask_bits for static array

commit e734568b675c985db2026848fefaac01c22977a5 upstream.

The OProfile perf backend uses a static array to keep track of the
perf events on the system. When compiling with CONFIG_CPUMASK_OFFSTACK=y
&& SMP, nr_cpumask_bits is not a compile-time constant and the build
will fail with:

oprofile_perf.c:28: error: variably modified 'perf_events' at file scope

This patch uses NR_CPUs instead of nr_cpumask_bits for the array
initialisation. If this causes space problems in the future, we can
always move to dynamic allocation for the events array.

Cc: Matt Fleming <matt at console-pimps.org>
Reported-by: Russell King - ARM Linux <linux at arm.linux.org.uk>
Signed-off-by: Will Deacon <will.deacon at arm.com>
Signed-off-by: Robert Richter <robert.richter at amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 174d58573117bc688e9481c8f7392bd1ddf24fcf
      https://github.com/ceph/ceph-client/commit/174d58573117bc688e9481c8f7392bd1ddf24fcf
  Author: Suresh Siddha <suresh.b.siddha at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/ia32/ia32_signal.c

  Log Message:
  -----------
  x86, compat: Use test_thread_flag(TIF_IA32) in compat signal delivery

commit 0b91f45b23cb73ce11acdc3cf4c6efd4441e3b3e upstream.

Signal delivery compat path may not have the 'TS_COMPAT' flag (that
flag indicates how we entered the kernel).  So use
test_thread_flag(TIF_IA32) instead of is_ia32_task(): one of the
functions of TIF_IA32 is just what kind of signal frame we want.

Signed-off-by: Suresh Siddha <suresh.b.siddha at intel.com>
Link: http://lkml.kernel.org/r/1339722435.3475.57.camel@sbsiddha-desk.sc.intel.com
Signed-off-by: H. Peter Anvin <hpa at zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 3f616017b684a5faf29b7a6b7b100209357136e4
      https://github.com/ceph/ceph-client/commit/3f616017b684a5faf29b7a6b7b100209357136e4
  Author: H. Peter Anvin <hpa at linux.intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/include/asm/cpufeature.h
    M arch/x86/kernel/cpu/scattered.c
    M drivers/hwmon/coretemp.c

  Log Message:
  -----------
  x86, cpufeature: Rename X86_FEATURE_DTS to X86_FEATURE_DTHERM

commit 4ad33411308596f2f918603509729922a1ec4411 upstream.

It makes sense to label "Digital Thermal Sensor" as "DTS", but
unfortunately the string "dts" was already used for "Debug Store", and
/proc/cpuinfo is a user space ABI.

Therefore, rename this to "dtherm".

This conflict went into mainline via the hwmon tree without any x86
maintainer ack, and without any kind of hint in the subject.

    a4659053 x86/hwmon: fix initialization of coretemp

Reported-by: Jean Delvare <khali at linux-fr.org>
Link: http://lkml.kernel.org/r/4FE34BCB.5050305@linux.intel.com
Cc: Jan Beulich <JBeulich at suse.com>
Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 002aea347be398407f6e4eb7f08d754ce4f8dd71
      https://github.com/ceph/ceph-client/commit/002aea347be398407f6e4eb7f08d754ce4f8dd71
  Author: Mitch A Williams <mitch.a.williams at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/intel/igbvf/ethtool.c

  Log Message:
  -----------
  igbvf: fix divide by zero

commit 0e90b49ca4b891f085b57559a3071a4feefb496c upstream.

Using ethtool -C ethX rx-usecs 0 crashes with a divide by zero.
Refactor this function to fix this issue and make it more clear
what the intent of each conditional is. Add comment regarding
using a setting of zero.

CC: David Ahern <daahern at cisco.com>
Signed-off-by: Mitch Williams <mitch.a.williams at intel.com>
Tested-by: Aaron Brown <aaron.f.brown at intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8359e058c9677f0459760f3610161bc2cfcd930f
      https://github.com/ceph/ceph-client/commit/8359e058c9677f0459760f3610161bc2cfcd930f
  Author: Larry Finger <Larry.Finger at lwfinger.net>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/rtlwifi/rtl8192cu/sw.c

  Log Message:
  -----------
  rtlwifi: rtl8192cu: New USB IDs

commit f63d7dabd5da9ef41f28f6d69b29bc084db0ca5a upstream.

The latest Realtek driver for the RTL8188CU and RTL8192CU chips adds three
new USB IDs.

Reported-by: Xose Vazquez Perez <xose.vazquez at gmail.com>
Signed-off-by: Larry Finger <Larry.Finger at lwfinger.net>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 576f080b901d7258874a4632850ad94fc296911f
      https://github.com/ceph/ceph-client/commit/576f080b901d7258874a4632850ad94fc296911f
  Author: Eliad Peller <eliad at wizery.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/mac80211/mlme.c

  Log Message:
  -----------
  mac80211: clear ifmgd->bssid only after building DELBA

commit 88a9e31c506c00c8b7a2f1611406d0e38dcb33b3 upstream.

ieee80211_set_disassoc() clears ifmgd->bssid before
building DELBA frames, resulting in frames with invalid
bssid ("00:00:00:00:00:00").

Fix it by clearing ifmgd->bssid only after building
all the needed frames.

After this change, we no longer need to save the
bssid (before clearing it), so remove the local array.

Reported-by: Ido Yariv <ido at wizery.com>
Signed-off-by: Eliad Peller <eliad at wizery.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: cec8fdaf9656e82c599729595baae99c2c2a78b7
      https://github.com/ceph/ceph-client/commit/cec8fdaf9656e82c599729595baae99c2c2a78b7
  Author: Johannes Berg <johannes.berg at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/mac80211/rx.c

  Log Message:
  -----------
  mac80211: correct behaviour on unrecognised action frames

commit 4b5ebccc40843104d980f0714bc86bfcd5568941 upstream.

When receiving an "individually addressed" action frame, the
receiver is required to return it to the sender. mac80211
gets this wrong as it also returns group addressed (mcast)
frames to the sender. Fix this and update the reference to
the new 802.11 standards version since things were shuffled
around significantly.

Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c482c429398b707c9a228e89535b242252cc4c33
      https://github.com/ceph/ceph-client/commit/c482c429398b707c9a228e89535b242252cc4c33
  Author: Stone Piao <piaoyun at marvell.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/mwifiex/11n_rxreorder.c
    M drivers/net/wireless/mwifiex/11n_rxreorder.h
    M drivers/net/wireless/mwifiex/wmm.c

  Log Message:
  -----------
  mwifiex: fix 11n rx packet drop issue

commit 925839243dc9aa4ef25305f5afd10ed18258a4ac upstream.

Currently we check the sequence number of last packet received
against start_win. If a sequence hole is detected, start_win is
updated to next sequence number.

Since the rx sequence number is initialized to 0, a corner case
exists when BA setup happens immediately after association. As
0 is a valid sequence number, start_win gets increased to 1
incorrectly. This causes the first packet with sequence number 0
being dropped.

Initialize rx sequence number as 0xffff and skip adjusting
start_win if the sequence number remains 0xffff. The sequence
number will be updated once the first packet is received.

Signed-off-by: Stone Piao <piaoyun at marvell.com>
Signed-off-by: Avinash Patil <patila at marvell.com>
Signed-off-by: Kiran Divekar <dkiran at marvell.com>
Signed-off-by: Bing Zhao <bzhao at marvell.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 30716eeec35ce79a2140b4814bd417e02da08450
      https://github.com/ceph/ceph-client/commit/30716eeec35ce79a2140b4814bd417e02da08450
  Author: Stone Piao <piaoyun at marvell.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/mwifiex/wmm.c

  Log Message:
  -----------
  mwifiex: fix WPS eapol handshake failure

commit f03ba7e9a24e5e9efaad56bd1713b994ea556b16 upstream.

After association, STA will go through eapol handshake with WPS
enabled AP. It's observed that WPS handshake fails with some 11n
AP. The reason for the failure is that the eapol packet is sent
via 11n frame aggregation.

The eapol packet should be sent directly without 11n aggregation.

This patch fixes the problem by adding WPS session control while
dequeuing Tx packets for transmission.

Signed-off-by: Stone Piao <piaoyun at marvell.com>
Signed-off-by: Avinash Patil <patila at marvell.com>
Signed-off-by: Bing Zhao <bzhao at marvell.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 881aa809b005753a64fe9409c1d229912cc925ce
      https://github.com/ceph/ceph-client/commit/881aa809b005753a64fe9409c1d229912cc925ce
  Author: Linus Torvalds <torvalds at linux-foundation.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/open.c

  Log Message:
  -----------
  vfs: make O_PATH file descriptors usable for 'fchdir()'

commit 332a2e1244bd08b9e3ecd378028513396a004a24 upstream.

We already use them for openat() and friends, but fchdir() also wants to
be able to use O_PATH file descriptors.  This should make it comparable
to the O_SEARCH of Solaris.  In particular, O_PATH allows you to access
(not-quite-open) a directory you don't have read persmission to, only
execute permission.

Noticed during development of multithread support for ksh93.

Reported-by: ольга крыжановская <olga.kryzhanovska at gmail.com>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f838956ac64e227e682d7d4da9883888b9aab381
      https://github.com/ceph/ceph-client/commit/f838956ac64e227e682d7d4da9883888b9aab381
  Author: Dan Carpenter <dan.carpenter at oracle.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/mtd/nand/cafe_nand.c

  Log Message:
  -----------
  mtd: cafe_nand: fix an & vs | mistake

commit 48f8b641297df49021093763a3271119a84990a2 upstream.

The intent here was clearly to set result to true if the 0x40000000 flag
was set.  But instead there was a | vs & typo and we always set result
to true.

Artem: check the spec at
wiki.laptop.org/images/5/5c/88ALP01_Datasheet_July_2007.pdf
and this fix looks correct.

Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy at linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f632881de16f8c3133cd1b0866937f50fa2e9156
      https://github.com/ceph/ceph-client/commit/f632881de16f8c3133cd1b0866937f50fa2e9156
  Author: Junxiao Bi <junxiao.bi at oracle.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/linux/aio.h

  Log Message:
  -----------
  aio: make kiocb->private NUll in init_sync_kiocb()

commit 2dfd06036ba7ae8e7be2daf5a2fff1dac42390bf upstream.

Ocfs2 uses kiocb.*private as a flag of unsigned long size. In
commit a11f7e6 ocfs2: serialize unaligned aio, the unaligned
io flag is involved in it to serialize the unaligned aio. As
*private is not initialized in init_sync_kiocb() of do_sync_write(),
this unaligned io flag may be unexpectly set in an aligned dio.
And this will cause OCFS2_I(inode)->ip_unaligned_aio decreased
to -1 in ocfs2_dio_end_io(), thus the following unaligned dio
will hang forever at ocfs2_aiodio_wait() in ocfs2_file_aio_write().

Signed-off-by: Junxiao Bi <junxiao.bi at oracle.com>
Acked-by: Jeff Moyer <jmoyer at redhat.com>
Signed-off-by: Joel Becker <jlbec at evilplan.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 47e38c598d1a3bf7d01c540c46d2039708337622
      https://github.com/ceph/ceph-client/commit/47e38c598d1a3bf7d01c540c46d2039708337622
  Author: Junxiao Bi <junxiao.bi at oracle.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/ocfs2/file.c

  Log Message:
  -----------
  ocfs2: clear unaligned io flag when dio fails

commit 3e5d3c35a68c9a933bdbdd8685bd1a205b57e806 upstream.

The unaligned io flag is set in the kiocb when an unaligned
dio is issued, it should be cleared even when the dio fails,
or it may affect the following io which are using the same
kiocb.

Signed-off-by: Junxiao Bi <junxiao.bi at oracle.com>
Signed-off-by: Joel Becker <jlbec at evilplan.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c86f7d63a7906495a6742dfe4a0cd708fd41b9e1
      https://github.com/ceph/ceph-client/commit/c86f7d63a7906495a6742dfe4a0cd708fd41b9e1
  Author: Johannes Berg <johannes.berg at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/iwlwifi/iwl-mac80211.c

  Log Message:
  -----------
  iwlwifi: fix activating inactive stations

commit eac9ac6d1f5d0e9d33e4ded682187b630e7606cd upstream.

When authentication/association timed out, the driver would
complain bitterly, printing the message
ACTIVATE a non DRIVER active station id ... addr ...

The cause turns out to be that when the AP station is added
but we don't associate, the IWL_STA_UCODE_INPROGRESS is set
but never cleared. This then causes iwl_restore_stations()
to attempt to resend it because it uses the flag internally
and uploads even if it didn't set it itself.

To fix this issue and not upload the station again when it
has already been removed by mac80211, clear the flag after
adding it in case we add it only for association.

Reviewed-by: Meenakshi Venkataraman <meenakshi.venkataraman at intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach at intel.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 1ee0932804c2526efca4c6623911b07f6992eb3f
      https://github.com/ceph/ceph-client/commit/1ee0932804c2526efca4c6623911b07f6992eb3f
  Author: Mark Rustad <mark.d.rustad at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/target/tcm_fc/tfc_sess.c

  Log Message:
  -----------
  tcm_fc: Resolve suspicious RCU usage warnings

commit 863555be0c81558b1af277addcf68acb8f778860 upstream.

Use rcu_dereference_protected to tell rcu that the ft_lport_lock
is held during ft_lport_create. This resolved "suspicious RCU usage"
warnings when debugging options are turned on.

Signed-off-by: Mark Rustad <mark.d.rustad at intel.com>
Tested-by: Ross Brattain <ross.b.brattain at intel.com>
Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: e10e76db80d80227dea2a55ea83613c6a4023e67
      https://github.com/ceph/ceph-client/commit/e10e76db80d80227dea2a55ea83613c6a4023e67
  Author: Bruce Allan <bruce.w.allan at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/intel/e1000e/defines.h
    M drivers/net/ethernet/intel/e1000e/netdev.c

  Log Message:
  -----------
  e1000e: remove use of IP payload checksum

commit 2e1706f234f86ff71056ef69683d734fbf7e9e40 upstream.

Currently only used when packet split mode is enabled with jumbo frames,
IP payload checksum (for fragmented UDP packets) is mutually exclusive with
receive hashing offload since the hardware uses the same space in the
receive descriptor for the hardware-provided packet checksum and the RSS
hash, respectively.  Users currently must disable jumbos when receive
hashing offload is enabled, or vice versa, because of this incompatibility.
Since testing has shown that IP payload checksum does not provide any real
benefit, just remove it so that there is no longer a choice between jumbos
or receive hashing offload but not both as done in other Intel GbE drivers
(e.g. e1000, igb).

Also, add a missing check for IP checksum error reported by the hardware;
let the stack verify the checksum when this happens.

Signed-off-by: Bruce Allan <bruce.w.allan at intel.com>
Tested-by: Aaron Brown <aaron.f.brown at intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4f160c794702b3bca35513fd64b481e90d1c6cf1
      https://github.com/ceph/ceph-client/commit/4f160c794702b3bca35513fd64b481e90d1c6cf1
  Author: Ohad Ben-Cohen <ohad at wizery.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/remoteproc/Kconfig

  Log Message:
  -----------
  remoteproc/omap: fix randconfig unmet direct dependencies

commit d50394266b340d930a7458fa669d36e99670f200 upstream.

OMAP_REMOTEPROC selects REMOTEPROC and RPMSG, both of which depend
on EXPERIMENTAL, so let's have OMAP_REMOTEPROC depend on EXPERIMENTAL
too, in order to avoid the below randconfig warnings.

warning: (OMAP_REMOTEPROC) selects REMOTEPROC which has unmet direct dependencies (EXPERIMENTAL)
warning: (OMAP_REMOTEPROC) selects RPMSG which has unmet direct dependencies (EXPERIMENTAL)

Reported-by: Tony Lindgren <tony at atomide.com>
Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0ea4ad38312422221b1b8a4fd820f38119bfce92
      https://github.com/ceph/ceph-client/commit/0ea4ad38312422221b1b8a4fd820f38119bfce92
  Author: Ohad Ben-Cohen <ohad at wizery.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/remoteproc/Kconfig

  Log Message:
  -----------
  remoteproc: fix missing CONFIG_FW_LOADER configurations

commit e121aefa7d9f10eee5cf26ed47129237a05d940b upstream.

Remoteproc requires user space firmware loading support, so
let's select FW_LOADER explicitly to avoid painful misconfigurations
(which only show up in runtime).

Reported-by: Mark Grosen <mgrosen at ti.com>
Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 10ff23ae117665e886fed089cb5a2e015cd8b7b4
      https://github.com/ceph/ceph-client/commit/10ff23ae117665e886fed089cb5a2e015cd8b7b4
  Author: Shinya Kuribayashi <shinya.kuribayashi.px at renesas.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/hwspinlock/hwspinlock_core.c

  Log Message:
  -----------
  hwspinlock/core: use global ID to register hwspinlocks on multiple devices

commit 476a7eeb60e70ddab138e7cb4bc44ef5ac20782e upstream.

Commit 300bab9770 (hwspinlock/core: register a bank of hwspinlocks in a
single API call, 2011-09-06) introduced 'hwspin_lock_register_single()'
to register numerous (a bank of) hwspinlock instances in a single API,
'hwspin_lock_register()'.

At which time, 'hwspin_lock_register()' accidentally passes 'local IDs'
to 'hwspin_lock_register_single()', despite that ..._single() requires
'global IDs' to register hwspinlocks.

We have to convert into global IDs by supplying the missing 'base_id'.

Signed-off-by: Shinya Kuribayashi <shinya.kuribayashi.px at renesas.com>
[ohad: fix error path of hwspin_lock_register, too]
Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 04e0f69d135f6cf10534282fc09cf3efd6973c5b
      https://github.com/ceph/ceph-client/commit/04e0f69d135f6cf10534282fc09cf3efd6973c5b
  Author: NeilBrown <neilb at suse.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/raid10.c

  Log Message:
  -----------
  md/raid10: Don't try to recovery unmatched (and unused) chunks.

commit fc448a18ae6219af9a73257b1fbcd009efab4a81 upstream.

If a RAID10 has an odd number of chunks - as might happen when there
are an odd number of devices - the last chunk has no pair and so is
not mirrored.  We don't store data there, but when recovering the last
device in an array we retry to recover that last chunk from a
non-existent location.  This results in an error, and the recovery
aborts.

When we get to that last chunk we should just stop - there is nothing
more to do anyway.

This bug has been present since the introduction of RAID10, so the
patch is appropriate for any -stable kernel.

Reported-by: Christian Balzer <chibi at gol.com>
Tested-by: Christian Balzer <chibi at gol.com>
Signed-off-by: NeilBrown <neilb at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 65c3f18b9032f7237fc74403ce3a92176eaebd8c
      https://github.com/ceph/ceph-client/commit/65c3f18b9032f7237fc74403ce3a92176eaebd8c
  Author: NeilBrown <neilb at suse.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/raid10.c

  Log Message:
  -----------
  md/raid10: fix failure when trying to repair a read error.

commit 055d3747dbf00ce85c6872ecca4d466638e80c22 upstream.

commit 58c54fcca3bac5bf9290cfed31c76e4c4bfbabaf
     md/raid10: handle further errors during fix_read_error better.

in 3.1 added "r10_sync_page_io" which takes an IO size in sectors.
But we were passing the IO size in bytes!!!
This resulting in bio_add_page failing, and empty request being sent
down, and a consequent BUG_ON in scsi_lib.

[fix missing space in error message at same time]

This fix is suitable for 3.1.y and later.

Reported-by: Christian Balzer <chibi at gol.com>
Signed-off-by: NeilBrown <neilb at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 8d9369807370331cebf3e237b95ecce068af80f1
      https://github.com/ceph/ceph-client/commit/8d9369807370331cebf3e237b95ecce068af80f1
  Author: majianpeng <majianpeng at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/raid5.c

  Log Message:
  -----------
  md/raid5: In ops_run_io, inc nr_pending before calling md_wait_for_blocked_rdev

commit 1850753d2e6d9ca7856581ca5d3cf09521e6a5d7 upstream.

In ops_run_io(), the call to md_wait_for_blocked_rdev will decrement
nr_pending so we lose the reference we hold on the rdev.
So atomic_inc it first to maintain the reference.

This bug was introduced by commit  73e92e51b7969ef5477d
    md/raid5.  Don't write to known bad block on doubtful devices.

which appeared in 3.0, so patch is suitable for stable kernels since
then.

Signed-off-by: majianpeng <majianpeng at gmail.com>
Signed-off-by: NeilBrown <neilb at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a712c8097b28c4c4f705db4102c0eed117806162
      https://github.com/ceph/ceph-client/commit/a712c8097b28c4c4f705db4102c0eed117806162
  Author: Milan Broz <mbroz at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M Documentation/device-mapper/verity.txt

  Log Message:
  -----------
  dm: verity fix documentation

commit 18068bdd5f59229623b2fa518a6389e346642b0d upstream.

Veritysetup is now part of cryptsetup package.
Remove on-disk header description (which is not parsed in kernel)
and point users to cryptsetup where it the format is documented.
Mention units for block size paramaters.
Fix target line specification and dmsetup parameters.

Signed-off-by: Milan Broz <mbroz at redhat.com>
Signed-off-by: Alasdair G Kergon <agk at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 672c65731d62930439b91ff8a160830085d42a51
      https://github.com/ceph/ceph-client/commit/672c65731d62930439b91ff8a160830085d42a51
  Author: Mike Snitzer <snitzer at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/persistent-data/dm-transaction-manager.c

  Log Message:
  -----------
  dm persistent data: fix shadow_info_leak on dm_tm_destroy

commit 25d7cd6faa7ae6ed2565617c3ee2500ccb8a9f7f upstream.

Cleanup the shadow table before destroying the transaction manager.

Reference: leak was identified with kmemleak when running
test_discard_random_sectors in the thinp-test-suite.

Signed-off-by: Mike Snitzer <snitzer at redhat.com>
Signed-off-by: Alasdair G Kergon <agk at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7723bfa90d8a1f75f41ade1a13b9b32c9255b15c
      https://github.com/ceph/ceph-client/commit/7723bfa90d8a1f75f41ade1a13b9b32c9255b15c
  Author: Mike Snitzer <snitzer at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/persistent-data/dm-space-map-checker.c
    M drivers/md/persistent-data/dm-space-map-disk.c
    M drivers/md/persistent-data/dm-transaction-manager.c

  Log Message:
  -----------
  dm persistent data: handle space map checker creation failure

commit 62662303e7f590fdfbb0070ab820a0ad4267c119 upstream.

If CONFIG_DM_DEBUG_SPACE_MAPS is enabled and dm_sm_checker_create()
fails, dm_tm_create_internal() would still return success even though it
cleaned up all resources it was supposed to have created.  This will
lead to a kernel crash:

general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
...
RIP: 0010:[<ffffffff81593659>]  [<ffffffff81593659>] dm_bufio_get_block_size+0x9/0x20
Call Trace:
  [<ffffffff81599bae>] dm_bm_block_size+0xe/0x10
  [<ffffffff8159b8b8>] sm_ll_init+0x78/0xd0
  [<ffffffff8159c1a6>] sm_ll_new_disk+0x16/0xa0
  [<ffffffff8159c98e>] dm_sm_disk_create+0xfe/0x160
  [<ffffffff815abf6e>] dm_pool_metadata_open+0x16e/0x6a0
  [<ffffffff815aa010>] pool_ctr+0x3f0/0x900
  [<ffffffff8158d565>] dm_table_add_target+0x195/0x450
  [<ffffffff815904c4>] table_load+0xe4/0x330
  [<ffffffff815917ea>] ctl_ioctl+0x15a/0x2c0
  [<ffffffff81591963>] dm_ctl_ioctl+0x13/0x20
  [<ffffffff8116a4f8>] do_vfs_ioctl+0x98/0x560
  [<ffffffff8116aa51>] sys_ioctl+0x91/0xa0
  [<ffffffff81869f52>] system_call_fastpath+0x16/0x1b

Fix the space map checker code to return an appropriate ERR_PTR and have
dm_sm_disk_create() and dm_tm_create_internal() check for it with
IS_ERR.

Reported-by: Vivek Goyal <vgoyal at redhat.com>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>
Signed-off-by: Alasdair G Kergon <agk at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6d442d8f7e1a6920aad3d3f3ea544f6f8e6898b8
      https://github.com/ceph/ceph-client/commit/6d442d8f7e1a6920aad3d3f3ea544f6f8e6898b8
  Author: Mike Snitzer <snitzer at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/persistent-data/dm-space-map-checker.c

  Log Message:
  -----------
  dm persistent data: fix allocation failure in space map checker init

commit b0239faaf87c38bb419c9264bf20817438ddc3a9 upstream.

If CONFIG_DM_DEBUG_SPACE_MAPS is enabled and memory is fragmented and a
sufficiently-large metadata device is used in a thin pool then the space
map checker will fail to allocate the memory it requires.

Switch from kmalloc to vmalloc to allow larger virtually contiguous
allocations for the space map checker's internal count arrays.

Reported-by: Vivek Goyal <vgoyal at redhat.com>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>
Signed-off-by: Alasdair G Kergon <agk at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6dfa530c0b33f1ccd2d8b103a2dea6ec559de66c
      https://github.com/ceph/ceph-client/commit/6dfa530c0b33f1ccd2d8b103a2dea6ec559de66c
  Author: Tyler Hicks <tyhicks at canonical.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/ecryptfs/miscdev.c

  Log Message:
  -----------
  eCryptfs: Gracefully refuse miscdev file ops on inherited/passed files

commit 8dc6780587c99286c0d3de747a2946a76989414a upstream.

File operations on /dev/ecryptfs would BUG() when the operations were
performed by processes other than the process that originally opened the
file. This could happen with open files inherited after fork() or file
descriptors passed through IPC mechanisms. Rather than calling BUG(), an
error code can be safely returned in most situations.

In ecryptfs_miscdev_release(), eCryptfs still needs to handle the
release even if the last file reference is being held by a process that
didn't originally open the file. ecryptfs_find_daemon_by_euid() will not
be successful, so a pointer to the daemon is stored in the file's
private_data. The private_data pointer is initialized when the miscdev
file is opened and only used when the file is released.

https://launchpad.net/bugs/994247

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Reported-by: Sasha Levin <levinsasha928 at gmail.com>
Tested-by: Sasha Levin <levinsasha928 at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b6d7c70709e324e074d3a69249980bba1529fd01
      https://github.com/ceph/ceph-client/commit/b6d7c70709e324e074d3a69249980bba1529fd01
  Author: Tyler Hicks <tyhicks at canonical.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/ecryptfs/miscdev.c

  Log Message:
  -----------
  eCryptfs: Fix lockdep warning in miscdev operations

commit 60d65f1f07a7d81d3eb3b91fc13fca80f2fdbb12 upstream.

Don't grab the daemon mutex while holding the message context mutex.
Addresses this lockdep warning:

 ecryptfsd/2141 is trying to acquire lock:
  (&ecryptfs_msg_ctx_arr[i].mux){+.+.+.}, at: [<ffffffffa029c213>] ecryptfs_miscdev_read+0x143/0x470 [ecryptfs]

 but task is already holding lock:
  (&(*daemon)->mux){+.+...}, at: [<ffffffffa029c2ec>] ecryptfs_miscdev_read+0x21c/0x470 [ecryptfs]

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (&(*daemon)->mux){+.+...}:
  [<ffffffff810a3b8d>] lock_acquire+0x9d/0x220
  [<ffffffff8151c6da>] __mutex_lock_common+0x5a/0x4b0
  [<ffffffff8151cc64>] mutex_lock_nested+0x44/0x50
  [<ffffffffa029c5d7>] ecryptfs_send_miscdev+0x97/0x120 [ecryptfs]
  [<ffffffffa029b744>] ecryptfs_send_message+0x134/0x1e0 [ecryptfs]
  [<ffffffffa029a24e>] ecryptfs_generate_key_packet_set+0x2fe/0xa80 [ecryptfs]
  [<ffffffffa02960f8>] ecryptfs_write_metadata+0x108/0x250 [ecryptfs]
  [<ffffffffa0290f80>] ecryptfs_create+0x130/0x250 [ecryptfs]
  [<ffffffff811963a4>] vfs_create+0xb4/0x120
  [<ffffffff81197865>] do_last+0x8c5/0xa10
  [<ffffffff811998f9>] path_openat+0xd9/0x460
  [<ffffffff81199da2>] do_filp_open+0x42/0xa0
  [<ffffffff81187998>] do_sys_open+0xf8/0x1d0
  [<ffffffff81187a91>] sys_open+0x21/0x30
  [<ffffffff81527d69>] system_call_fastpath+0x16/0x1b

 -> #0 (&ecryptfs_msg_ctx_arr[i].mux){+.+.+.}:
  [<ffffffff810a3418>] __lock_acquire+0x1bf8/0x1c50
  [<ffffffff810a3b8d>] lock_acquire+0x9d/0x220
  [<ffffffff8151c6da>] __mutex_lock_common+0x5a/0x4b0
  [<ffffffff8151cc64>] mutex_lock_nested+0x44/0x50
  [<ffffffffa029c213>] ecryptfs_miscdev_read+0x143/0x470 [ecryptfs]
  [<ffffffff811887d3>] vfs_read+0xb3/0x180
  [<ffffffff811888ed>] sys_read+0x4d/0x90
  [<ffffffff81527d69>] system_call_fastpath+0x16/0x1b

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b6855f6d78cee5d72adc8f07be2646dd83c171c3
      https://github.com/ceph/ceph-client/commit/b6855f6d78cee5d72adc8f07be2646dd83c171c3
  Author: Tyler Hicks <tyhicks at canonical.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/ecryptfs/kthread.c

  Log Message:
  -----------
  eCryptfs: Properly check for O_RDONLY flag before doing privileged open

commit 9fe79d7600497ed8a95c3981cbe5b73ab98222f0 upstream.

If the first attempt at opening the lower file read/write fails,
eCryptfs will retry using a privileged kthread. However, the privileged
retry should not happen if the lower file's inode is read-only because a
read/write open will still be unsuccessful.

The check for determining if the open should be retried was intended to
be based on the access mode of the lower file's open flags being
O_RDONLY, but the check was incorrectly performed. This would cause the
open to be retried by the privileged kthread, resulting in a second
failed open of the lower file. This patch corrects the check to
determine if the open request should be handled by the privileged
kthread.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Acked-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 40e0484473ac43b557796c9f392c2cb69b1f55ae
      https://github.com/ceph/ceph-client/commit/40e0484473ac43b557796c9f392c2cb69b1f55ae
  Author: Gavin Shan <shangw at linux.vnet.ibm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M mm/memblock.c

  Log Message:
  -----------
  mm/memblock: cleanup on duplicate VA/PA conversion

commit 4e2f07750d9a94e8f23e86408df5ab95be88bf11 upstream.

The overall memblock has been organized into the memory regions and
reserved regions.  Initially, the memory regions and reserved regions are
stored in the predetermined arrays of "struct memblock _region".  It's
possible for the arrays to be enlarged when we have newly added regions
for them, but no enough space there.  Under the situation, We will created
double-sized array to meet the requirement.  However, the original
implementation converted the VA (Virtual Address) of the newly allocated
array of regions to PA (Physical Address), then translate back when we
allocates the new array from slab.  That's actually unnecessary.

The patch removes the duplicate VA/PA conversion.

Signed-off-by: Gavin Shan <shangw at linux.vnet.ibm.com>
Cc: Johannes Weiner <hannes at cmpxchg.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 659586507ac1f4219d1b2f2d471381e39f7e6961
      https://github.com/ceph/ceph-client/commit/659586507ac1f4219d1b2f2d471381e39f7e6961
  Author: Gavin Shan <shangw at linux.vnet.ibm.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M mm/memblock.c

  Log Message:
  -----------
  mm/memblock: fix memory leak on extending regions

commit 181eb39425f2b9275afcb015eaa547d11f71a02f upstream.

The overall memblock has been organized into the memory regions and
reserved regions.  Initially, the memory regions and reserved regions are
stored in the predetermined arrays of "struct memblock _region".  It's
possible for the arrays to be enlarged when we have newly added regions,
but no free space left there.  The policy here is to create double-sized
array either by slab allocator or memblock allocator.  Unfortunately, we
didn't free the old array, which might be allocated through slab allocator
before.  That would cause memory leak.

The patch introduces 2 variables to trace where (slab or memblock) the
memory and reserved regions come from.  The memory for the memory or
reserved regions will be deallocated by kfree() if that was allocated by
slab allocator.  Thus to fix the memory leak issue.

Signed-off-by: Gavin Shan <shangw at linux.vnet.ibm.com>
Cc: Johannes Weiner <hannes at cmpxchg.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 757fcf2b6df4814604764a4abb54d2b58f422fb5
      https://github.com/ceph/ceph-client/commit/757fcf2b6df4814604764a4abb54d2b58f422fb5
  Author: Greg Pearson <greg.pearson at hp.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M mm/memblock.c

  Log Message:
  -----------
  mm/memblock: fix overlapping allocation when doubling reserved array

commit 48c3b583bbddad2220ca4c22319ca5d1f78b2090 upstream.

__alloc_memory_core_early() asks memblock for a range of memory then try
to reserve it.  If the reserved region array lacks space for the new
range, memblock_double_array() is called to allocate more space for the
array.  If memblock is used to allocate memory for the new array it can
end up using a range that overlaps with the range originally allocated in
__alloc_memory_core_early(), leading to possible data corruption.

With this patch memblock_double_array() now calls memblock_find_in_range()
with a narrowed candidate range (in cases where the reserved.regions array
is being doubled) so any memory allocated will not overlap with the
original range that was being reserved.  The range is narrowed by passing
in the starting address and size of the previously allocated range.  Then
the range above the ending address is searched and if a candidate is not
found, the range below the starting address is searched.

Signed-off-by: Greg Pearson <greg.pearson at hp.com>
Signed-off-by: Yinghai Lu <yinghai at kernel.org>
Acked-by: Tejun Heo <tj at kernel.org>
Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f33f0eaff50112270a9e629569729ce5d5d620fa
      https://github.com/ceph/ceph-client/commit/f33f0eaff50112270a9e629569729ce5d5d620fa
  Author: Tomi Valkeinen <tomi.valkeinen at ti.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/video/omap2/dss/apply.c
    M drivers/video/omap2/dss/dispc.c
    M drivers/video/omap2/dss/dss.h

  Log Message:
  -----------
  OMAPDSS: use DSI_FIFO_BUG workaround only for manual update displays

commit 3568f2a46f2a73bab18c914df06afd98a97e0e0e upstream.

There is a problem related to DSS FIFO thresholds and power management
on OMAP3. It seems that when the full PM hits in, we get underflows. The
core reason is unknown, but after experiments it looks like only
particular FIFO thresholds work correctly.

This bug is related to an earlier patch, which added special FIFO
threshold configuration for OMAP3, because DSI command mode output
didn't work with the normal threshold configuration.

However, as the above work-around worked fine for other output types
also, we currently always configure thresholds in this special way on
OMAP3. In theory there should be negligible difference with this special
way and the standard way. The first paragraph explains what happens in
practice.

This patch changes the driver to use the special threshold configuration
only when the output is a manual update display on OMAP3. This does
include RFBI displays also, and although it hasn't been tested (no
boards using RFBI) I suspect the similar behaviour is present there
also, as the DISPC side should work similarly for DSI command mode and
RFBI.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen at ti.com>
Cc: Joe Woodward <jw at terrafix.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: e831cf2d290e1ecf7825d2ecfabeb0d6733b133d
      https://github.com/ceph/ceph-client/commit/e831cf2d290e1ecf7825d2ecfabeb0d6733b133d
  Author: Bruce Allan <bruce.w.allan at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/intel/e1000e/ethtool.c
    M drivers/net/ethernet/intel/e1000e/mac.c
    M drivers/net/ethernet/intel/e1000e/netdev.c
    M drivers/net/ethernet/intel/e1000e/phy.c

  Log Message:
  -----------
  e1000e: test for valid check_reset_block function pointer

commit 470a54207ccf7045a59df727573bd9d148988582 upstream.

commit 44abd5c12767a8c567dc4e45fd9aec3b13ca85e0 introduced NULL pointer
dereferences when attempting to access the check_reset_block function
pointer on 8257x and 80003es2lan non-copper devices.

This fix should be applied back through 3.4.

Signed-off-by: Bruce Allan <bruce.w.allan at intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper at intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
Acked-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 099fddaa7a49187a9405cb05c6373814884dfcff
      https://github.com/ceph/ceph-client/commit/099fddaa7a49187a9405cb05c6373814884dfcff
  Author: Benjamin Tissoires <benjamin.tissoires at enac.fr>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/hid/hid-multitouch.c

  Log Message:
  -----------
  HID: hid-multitouch: fix wrong protocol detection

commit 3ac36d15557d1bedfb1151d9911b9587b2d40759 upstream.

The previous implementation introduced a randomness in the splitting
of the different touches reported by the device. This version is more
robust as we don't rely on hi->input->absbit, but on our own structure.

This also prepares hid-multitouch to better support Win8 devices.

[Jiri Kosina <jkosina at suse.cz>: fix build]

Signed-off-by: Benjamin Tissoires <benjamin.tissoires at enac.fr>
Acked-by: Henrik Rydberg <rydberg at euromail.se>
Signed-off-by: Jiri Kosina <jkosina at suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7c2c0261ce56126b72fbff0d67d9b1ac06f3c971
      https://github.com/ceph/ceph-client/commit/7c2c0261ce56126b72fbff0d67d9b1ac06f3c971
  Author: Rafael J. Wysocki <rjw at sisk.pl>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/acpi/sleep.c

  Log Message:
  -----------
  ACPI / PM: Make acpi_pm_device_sleep_state() follow the specification

commit dbe9a2edd17d843d80faf2b99f20a691c1853418 upstream.

The comparison between the system sleep state being entered
and the lowest system sleep state the given device may wake up
from in acpi_pm_device_sleep_state() is reversed, because the
specification (ACPI 5.0) says that for wakeup to work:

"The sleeping state being entered must be less than or equal to the
 power state declared in element 1 of the _PRW object."

In other words, the state returned by _PRW is the deepest
(lowest-power) system sleep state the device is capable of waking up
the system from.

Moreover, acpi_pm_device_sleep_state() also should check if the
wakeup capability is supported through ACPI, because in principle it
may be done via native PCIe PME, for example, in which case _SxW
should not be evaluated.

Signed-off-by: Rafael J. Wysocki <rjw at sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 5a89aae8085ef69a2ea9034ff8f5624327cd4efc
      https://github.com/ceph/ceph-client/commit/5a89aae8085ef69a2ea9034ff8f5624327cd4efc
  Author: Mark Rustad <mark.d.rustad at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/scsi/scsi_cmnd.h

  Log Message:
  -----------
  SCSI: Fix NULL dereferences in scsi_cmd_to_driver

commit 222a806af830fda34ad1f6bc991cd226916de060 upstream.

Avoid crashing if the private_data pointer happens to be NULL. This has
been seen sometimes when a host reset happens, notably when there are
many LUNs:

host3: Assigned Port ID 0c1601
scsi host3: libfc: Host reset succeeded on port (0c1601)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000350
IP: [<ffffffff81352bb8>] scsi_send_eh_cmnd+0x58/0x3a0
<snip>
Process scsi_eh_3 (pid: 4144, threadinfo ffff88030920c000, task ffff880326b160c0)
Stack:
 000000010372e6ba 0000000000000282 000027100920dca0 ffffffffa0038ee0
 0000000000000000 0000000000030003 ffff88030920dc80 ffff88030920dc80
 00000002000e0000 0000000a00004000 ffff8803242f7760 ffff88031326ed80
Call Trace:
 [<ffffffff8105b590>] ? lock_timer_base+0x70/0x70
 [<ffffffff81352fbe>] scsi_eh_tur+0x3e/0xc0
 [<ffffffff81353a36>] scsi_eh_test_devices+0x76/0x170
 [<ffffffff81354125>] scsi_eh_host_reset+0x85/0x160
 [<ffffffff81354291>] scsi_eh_ready_devs+0x91/0x110
 [<ffffffff813543fd>] scsi_unjam_host+0xed/0x1f0
 [<ffffffff813546a8>] scsi_error_handler+0x1a8/0x200
 [<ffffffff81354500>] ? scsi_unjam_host+0x1f0/0x1f0
 [<ffffffff8106ec3e>] kthread+0x9e/0xb0
 [<ffffffff81509264>] kernel_thread_helper+0x4/0x10
 [<ffffffff8106eba0>] ? kthread_freezable_should_stop+0x70/0x70
 [<ffffffff81509260>] ? gs_change+0x13/0x13
Code: 25 28 00 00 00 48 89 45 c8 31 c0 48 8b 87 80 00 00 00 48 8d b5 60 ff ff ff 89 d1 48 89 fb 41 89 d6 4c 89 fa 48 8b 80 b8 00 00 00
 <48> 8b 80 50 03 00 00 48 8b 00 48 89 85 38 ff ff ff 48 8b 07 4c
RIP  [<ffffffff81352bb8>] scsi_send_eh_cmnd+0x58/0x3a0
 RSP <ffff88030920dc50>
CR2: 0000000000000350


Signed-off-by: Mark Rustad <mark.d.rustad at intel.com>
Tested-by: Marcus Dennis <marcusx.e.dennis at intel.com>
Signed-off-by: James Bottomley <JBottomley at Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 76c6b958de9e72947ef08b1c9509f094c34abd8f
      https://github.com/ceph/ceph-client/commit/76c6b958de9e72947ef08b1c9509f094c34abd8f
  Author: Dan Williams <dan.j.williams at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/scsi/aic94xx/aic94xx_task.c
    M drivers/scsi/libsas/sas_ata.c
    M include/scsi/libsas.h

  Log Message:
  -----------
  SCSI: libsas: fix taskfile corruption in sas_ata_qc_fill_rtf

commit 6ef1b512f4e6f936d89aa20be3d97a7ec7c290ac upstream.

fill_result_tf() grabs the taskfile flags from the originating qc which
sas_ata_qc_fill_rtf() promptly overwrites.  The presence of an
ata_taskfile in the sata_device makes it tempting to just copy the full
contents in sas_ata_qc_fill_rtf().  However, libata really only wants
the fis contents and expects the other portions of the taskfile to not
be touched by ->qc_fill_rtf.  To that end store a fis buffer in the
sata_device and use ata_tf_from_fis() like every other ->qc_fill_rtf()
implementation.

Reported-by: Praveen Murali <pmurali at logicube.com>
Tested-by: Praveen Murali <pmurali at logicube.com>
Signed-off-by: Dan Williams <dan.j.williams at intel.com>
Signed-off-by: James Bottomley <JBottomley at Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: d63d3985914e19816e9c19faab7abe336d80be89
      https://github.com/ceph/ceph-client/commit/d63d3985914e19816e9c19faab7abe336d80be89
  Author: Jonathan Nieder <jrnieder at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/acpi/acpica/hwsleep.c

  Log Message:
  -----------
  ACPI / PM: Leave Bus Master Arbitration enabled for suspend/resume

commit dc332fdf9f373a87b1e2f423b5b004b2a3c37e1a upstream.

This is an old suspend/resume lockup fix:

	commit 2780cc4660e1
	Author: Len Brown <len.brown at intel.com>
	Date:   Thu Dec 23 13:43:30 2004 -0500

	    [ACPI] Fix suspend/resume lockup issue
	    by leaving Bus Master Arbitration enabled.
	    The ACPI spec mandates it be disabled only for C3.

	    http://bugzilla.kernel.org/show_bug.cgi?id=3599

	    Signed-off-by: David Shaohua Li <shaohua.li at intel.com>
	    Signed-off-by: Len Brown <len.brown at intel.com>

The bug snuck back in in commit 2feec47d4c5f (ACPICA: ACPI 5: Support
for new FADT SleepStatus, SleepControl registers, 2012-02-14),
presumably by copy/pasting a copy of the code without that fix for the
legacy case.

On affected machines, after that commit, the machine locks up hard on
resume from suspend.  The same fix as seven years ago still works.

Addresses <https://bugzilla.kernel.org/show_bug.cgi?id=43641>.

Reported-bisected-and-tested-by: Octavio Alvarez <alvarezp at alvarezp.com>
Reported-by: Adrian Knoth <adi at drcomp.erfurt.thur.de>
Signed-off-by: Jonathan Nieder <jrnieder at gmail.com>
Signed-off-by: Rafael J. Wysocki <rjw at sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b46b5ba5e79e61732af41dde4a9fd302a5f3184d
      https://github.com/ceph/ceph-client/commit/b46b5ba5e79e61732af41dde4a9fd302a5f3184d
  Author: Johan Hovold <jhovold at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/serial/metro-usb.c

  Log Message:
  -----------
  USB: metro-usb: fix tty_flip_buffer_push use

commit b7d28e32c93801d60c1a7a817f774a02b7bdde43 upstream.

Do not set low_latency flag at open as tty_flip_buffer_push must not be
called in IRQ context with low_latency set.

Signed-off-by: Johan Hovold <jhovold at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b80f6db790f07c06e35bb56b1e682df1e09e2865
      https://github.com/ceph/ceph-client/commit/b80f6db790f07c06e35bb56b1e682df1e09e2865
  Author: Bjørn Mork <bjorn at mork.no>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/class/cdc-wdm.c

  Log Message:
  -----------
  USB: cdc-wdm: fix lockup on error in wdm_read

commit b086b6b10d9f182cd8d2f0dcfd7fd11edba93fc9 upstream.

Clear the WDM_READ flag on empty reads to avoid running
forever in an infinite tight loop, causing lockups:

Jul  1 21:58:11 nemi kernel: [ 3658.898647] qmi_wwan 2-1:1.2: Unexpected error -71
Jul  1 21:58:36 nemi kernel: [ 3684.072021] BUG: soft lockup - CPU#0 stuck for 23s! [qmi.pl:12235]
Jul  1 21:58:36 nemi kernel: [ 3684.072212] CPU 0
Jul  1 21:58:36 nemi kernel: [ 3684.072355]
Jul  1 21:58:36 nemi kernel: [ 3684.072367] Pid: 12235, comm: qmi.pl Tainted: P           O 3.5.0-rc2+ #13 LENOVO 2776LEG/2776LEG
Jul  1 21:58:36 nemi kernel: [ 3684.072383] RIP: 0010:[<ffffffffa0635008>]  [<ffffffffa0635008>] spin_unlock_irq+0x8/0xc [cdc_wdm]
Jul  1 21:58:36 nemi kernel: [ 3684.072388] RSP: 0018:ffff88022dca1e70  EFLAGS: 00000282
Jul  1 21:58:36 nemi kernel: [ 3684.072393] RAX: ffff88022fc3f650 RBX: ffffffff811c56f7 RCX: 00000001000ce8c1
Jul  1 21:58:36 nemi kernel: [ 3684.072398] RDX: 0000000000000010 RSI: 000000000267d810 RDI: ffff88022fc3f650
Jul  1 21:58:36 nemi kernel: [ 3684.072403] RBP: ffff88022dca1eb0 R08: ffffffffa063578e R09: 0000000000000000
Jul  1 21:58:36 nemi kernel: [ 3684.072407] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
Jul  1 21:58:36 nemi kernel: [ 3684.072412] R13: 0000000000000246 R14: ffffffff00000002 R15: ffff8802281d8c88
Jul  1 21:58:36 nemi kernel: [ 3684.072418] FS:  00007f666a260700(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
Jul  1 21:58:36 nemi kernel: [ 3684.072423] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul  1 21:58:36 nemi kernel: [ 3684.072428] CR2: 000000000270d9d8 CR3: 000000022e865000 CR4: 00000000000007f0
Jul  1 21:58:36 nemi kernel: [ 3684.072433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul  1 21:58:36 nemi kernel: [ 3684.072438] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jul  1 21:58:36 nemi kernel: [ 3684.072444] Process qmi.pl (pid: 12235, threadinfo ffff88022dca0000, task ffff88022ff76380)
Jul  1 21:58:36 nemi kernel: [ 3684.072448] Stack:
Jul  1 21:58:36 nemi kernel: [ 3684.072458]  ffffffffa063592e 0000000100020000 ffff88022fc3f650 ffff88022fc3f6a8
Jul  1 21:58:36 nemi kernel: [ 3684.072466]  0000000000000200 0000000100000000 000000000267d810 0000000000000000
Jul  1 21:58:36 nemi kernel: [ 3684.072475]  0000000000000000 ffff880212cfb6d0 0000000000000200 ffff880212cfb6c0
Jul  1 21:58:36 nemi kernel: [ 3684.072479] Call Trace:
Jul  1 21:58:36 nemi kernel: [ 3684.072489]  [<ffffffffa063592e>] ? wdm_read+0x1a0/0x263 [cdc_wdm]
Jul  1 21:58:36 nemi kernel: [ 3684.072500]  [<ffffffff8110adb7>] ? vfs_read+0xa1/0xfb
Jul  1 21:58:36 nemi kernel: [ 3684.072509]  [<ffffffff81040589>] ? alarm_setitimer+0x35/0x64
Jul  1 21:58:36 nemi kernel: [ 3684.072517]  [<ffffffff8110aec7>] ? sys_read+0x45/0x6e
Jul  1 21:58:36 nemi kernel: [ 3684.072525]  [<ffffffff813725f9>] ? system_call_fastpath+0x16/0x1b
Jul  1 21:58:36 nemi kernel: [ 3684.072557] Code: <66> 66 90 c3 83 ff ed 89 f8 74 16 7f 06 83 ff a1 75 0a c3 83 ff f4

The WDM_READ flag is normally cleared by wdm_int_callback
before resubmitting the read urb, and set by wdm_in_callback
when this urb returns with data or an error.  But a crashing
device may cause both a read error and cancelling all urbs.
Make sure that the flag is cleared by wdm_read if the buffer
is empty.

We don't clear the flag on errors, as there may be pending
data in the buffer which should be processed.  The flag will
instead be cleared on the next wdm_read call.

Signed-off-by: Bjørn Mork <bjorn at mork.no>
Acked-by: Oliver Neukum <oneukum at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 62e4449435b38fbb423f53de5731a18c4d8ddc54
      https://github.com/ceph/ceph-client/commit/62e4449435b38fbb423f53de5731a18c4d8ddc54
  Author: Bjørn Mork <bjorn at mork.no>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/serial/option.c

  Log Message:
  -----------
  USB: option: add ZTE MF60

commit 8e16e33c168a6efd0c9f7fa9dd4c1e1db9a74553 upstream.

Switches into a composite device by ejecting the initial
driver CD.  The four interfaces are: QCDM, AT, QMI/wwan
and mass storage.  Let this driver manage the two serial
interfaces:

T:  Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 28 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=19d2 ProdID=1402 Rev= 0.00
S:  Manufacturer=ZTE,Incorporated
S:  Product=ZTE WCDMA Technologies MSM
S:  SerialNumber=xxxxx
C:* #Ifs= 4 Cfg#= 1 Atr=c0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Bjørn Mork <bjorn at mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 9da79f9050c87ede10fef8a2f723fdf41c5caf57
      https://github.com/ceph/ceph-client/commit/9da79f9050c87ede10fef8a2f723fdf41c5caf57
  Author: Gaosen Zhang <gaosen.zhang at mediatek.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/serial/option.c

  Log Message:
  -----------
  USB: option: Add MEDIATEK product ids

commit aacef9c561a693341566a6850c451ce3df68cb9a upstream.

Signed-off-by: Gaosen Zhang <gaosen.zhang at mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: e171ce5cc675f30e226b72eb693cee6832bf0a09
      https://github.com/ceph/ceph-client/commit/e171ce5cc675f30e226b72eb693cee6832bf0a09
  Author: Stanislaw Ledwon <staszek.ledwon at linux.jf.intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/core/hub.c
    M drivers/usb/host/xhci-hub.c
    M drivers/usb/host/xhci.h

  Log Message:
  -----------
  usb: Add support for root hub port status CAS

commit 8bea2bd37df08aaa599aa361a9f8b836ba98e554 upstream.

The host controller port status register supports CAS (Cold Attach
Status) bit. This bit could be set when USB3.0 device is connected
when system is in Sx state. When the system wakes to S0 this port
status with CAS bit is reported and this port can't be used by any
device.

When CAS bit is set the port should be reset by warm reset. This
was not supported by xhci driver.

The issue was found when pendrive was connected to suspended
platform. The link state of "Compliance Mode" was reported together
with CAS bit. This link state was also not supported by xhci and
core/hub.c.

The CAS bit is defined only for xhci root hub port and it is
not supported on regular hubs. The link status is used to force
warm reset on port. Make the USB core issue a warm reset when port
is in ether the 'inactive' or 'compliance mode'. Change the xHCI driver
to report 'compliance mode' when the CAS is set. This force warm reset
on the root hub port.

This patch should be backported to stable kernels as old as 3.2, that
contain the commit 10d674a82e553cb8a1f41027bb3c3e309b3f6804 "USB: When
hot reset for USB3 fails, try warm reset."

Signed-off-by: Stanislaw Ledwon <staszek.ledwon at linux.intel.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp at linux.intel.com>
Acked-by: Andiry Xu <andiry.xu at amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: b62d32b9166b085a487916eca514b59b5ffdf2b7
      https://github.com/ceph/ceph-client/commit/b62d32b9166b085a487916eca514b59b5ffdf2b7
  Author: Sarah Sharp <sarah.a.sharp at linux.intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/usb/host/xhci-ring.c

  Log Message:
  -----------
  xhci: Fix hang on back-to-back Set TR Deq Ptr commands.

commit 0d9f78a92ef5e97d9fe51d9215ebe22f6f0d289d upstream.

The Microsoft LifeChat 3000 USB headset was causing a very reproducible
hang whenever it was plugged in.  At first, I thought the host
controller was producing bad transfer events, because the log was filled
with errors like:

xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD

However, it turned out to be an xHCI driver bug in the ring expansion
patches.  The bug is triggered When there are two ring segments, and a
TD that ends just before a link TRB, like so:

 ______________                     _____________
|              |              ---> | setup TRB B |
 ______________               |     _____________
|              |              |    |  data TRB B |
 ______________               |     _____________
| setup TRB A  | <-- deq      |    |  data TRB B |
 ______________               |     _____________
| data TRB A   |              |    |             | <-- enq, deq''
 ______________               |     _____________
| status TRB A |              |    |             |
 ______________               |     _____________
|  link TRB    |---------------    |  link TRB   |
 _____________  <--- deq'           _____________

TD A (the first control transfer) stalls on the data phase.  That halts
the ring.  The xHCI driver moves the hardware dequeue pointer to the
first TRB after the stalled transfer, which happens to be the link TRB.

Once the Set TR dequeue pointer command completes, the function
update_ring_for_set_deq_completion runs.  That function is supposed to
update the xHCI driver's dequeue pointer to match the internal hardware
dequeue pointer.  On the first call this would work fine, and the
software dequeue pointer would move to deq'.

However, if the transfer immediately after that stalled (TD B in this
case), another Set TR Dequeue command would be issued.  That would move
the hardware dequeue pointer to deq''.  Once that command completed,
update_ring_for_set_deq_completion would run again.

The original code would unconditionally increment the software dequeue
pointer, which moved the pointer off the ring segment into la-la-land.
The while loop would happy increment the dequeue pointer (possibly
wrapping it) until it matched the hardware pointer value.

The while loop would also access all the memory in between the first
ring segment and the second ring segment to determine if it was a link
TRB.  This could cause general protection faults, although it was
unlikely because the ring segments came from a DMA pool, and would often
have consecutive memory addresses.

If nothing in that space looked like a link TRB, the deq_seg pointer for
the ring would remain on the first segment.  Thus, the deq_seg and the
software dequeue pointer would get out of sync.

When the next transfer event came in after the stalled transfer, the
xHCI driver code would attempt to convert the software dequeue pointer
into a DMA address in order to compare the DMA address for the completed
transfer.  Since the deq_seg and the dequeue pointer were out of sync,
xhci_trb_virt_to_dma would return NULL.

The transfer event would get ignored, the transfer would eventually
timeout, and we would mistakenly convert the finished transfer to no-op
TRBs.  Some kernel driver (maybe xHCI?) would then get stuck in an
infinite loop in interrupt context, and the whole machine would hang.

This patch should be backported to kernels as old as 3.4, that contain
the commit b008df60c6369ba0290fa7daa177375407a12e07 "xHCI: count free
TRBs on transfer ring"

Signed-off-by: Sarah Sharp <sarah.a.sharp at linux.intel.com>
Cc: Andiry Xu <andiry.xu at amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0659cf9dcd148f6771c056fa95976fda9c5abf9d
      https://github.com/ceph/ceph-client/commit/0659cf9dcd148f6771c056fa95976fda9c5abf9d
  Author: Alan Stern <stern at rowland.harvard.edu>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/pci/pci-driver.c
    M drivers/pci/pci.c
    M drivers/pci/quirks.c
    M include/linux/pci.h

  Log Message:
  -----------
  PCI: EHCI: fix crash during suspend on ASUS computers

commit dbf0e4c7257f8d684ec1a3c919853464293de66e upstream.

Quite a few ASUS computers experience a nasty problem, related to the
EHCI controllers, when going into system suspend.  It was observed
that the problem didn't occur if the controllers were not put into the
D3 power state before starting the suspend, and commit
151b61284776be2d6f02d48c23c3625678960b97 (USB: EHCI: fix crash during
suspend on ASUS computers) was created to do this.

It turned out this approach messed up other computers that didn't have
the problem -- it prevented USB wakeup from working.  Consequently
commit c2fb8a3fa25513de8fedb38509b1f15a5bbee47b (USB: add
NO_D3_DURING_SLEEP flag and revert 151b61284776be2) was merged; it
reverted the earlier commit and added a whitelist of known good board
names.

Now we know the actual cause of the problem.  Thanks to AceLan Kao for
tracking it down.

According to him, an engineer at ASUS explained that some of their
BIOSes contain a bug that was added in an attempt to work around a
problem in early versions of Windows.  When the computer goes into S3
suspend, the BIOS tries to verify that the EHCI controllers were first
quiesced by the OS.  Nothing's wrong with this, but the BIOS does it
by checking that the PCI COMMAND registers contain 0 without checking
the controllers' power state.  If the register isn't 0, the BIOS
assumes the controller needs to be quiesced and tries to do so.  This
involves making various MMIO accesses to the controller, which don't
work very well if the controller is already in D3.  The end result is
a system hang or memory corruption.

Since the value in the PCI COMMAND register doesn't matter once the
controller has been suspended, and since the value will be restored
anyway when the controller is resumed, we can work around the BIOS bug
simply by setting the register to 0 during system suspend.  This patch
(as1590) does so and also reverts the second commit mentioned above,
which is now unnecessary.

In theory we could do this for every PCI device.  However to avoid
introducing new problems, the patch restricts itself to EHCI host
controllers.

Finally the affected systems can suspend with USB wakeup working
properly.

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=37632
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=42728
Based-on-patch-by: AceLan Kao <acelan.kao at canonical.com>
Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
Tested-by: Dâniel Fraga <fragabr at gmail.com>
Tested-by: Javier Marcet <jmarcet at gmail.com>
Tested-by: Andrey Rahmatullin <wrar at wrar.name>
Tested-by: Oleksij Rempel <bug-track at fisher-privat.net>
Tested-by: Pavel Pisa <pisa at cmp.felk.cvut.cz>
Acked-by: Bjorn Helgaas <bhelgaas at google.com>
Acked-by: Rafael J. Wysocki <rjw at sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0e924ae7ac646cf8aa95a3bc5671d19f920417c5
      https://github.com/ceph/ceph-client/commit/0e924ae7ac646cf8aa95a3bc5671d19f920417c5
  Author: Davide Gerhard <rainbow at irh.it>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/usb/ipheth.c

  Log Message:
  -----------
  ipheth: add support for iPad

commit 6de0298ec9c1edaf330b71b57346241ece8f3346 upstream.

This adds support for the iPad to the ipheth driver.
(product id = 0x129a)

Signed-off-by: Davide Gerhard <rainbow at irh.it>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0bbc9d1b4b011e83ba65852b1d652561c7f562f1
      https://github.com/ceph/ceph-client/commit/0bbc9d1b4b011e83ba65852b1d652561c7f562f1
  Author: Stanislav Kinsbursky <skinsbursky at parallels.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/lockd/clntlock.c
    M fs/lockd/svc.c
    M fs/nfsd/nfssvc.c
    M include/linux/lockd/bind.h

  Log Message:
  -----------
  Lockd: pass network namespace to creation and destruction routines

upstream commit e3f70eadb7dddfb5a2bb9afff7abfc6ee17a29d0.

v2: dereference of most probably already released nlm_host removed in
nlmclnt_done() and reclaimer().

These routines are called from locks reclaimer() kernel thread. This thread
works in "init_net" network context and currently relays on persence on lockd
thread and it's per-net resources. Thus lockd_up() and lockd_down() can't relay
on current network context. So let's pass corrent one into them.

Signed-off-by: Stanislav Kinsbursky <skinsbursky at parallels.com>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 10762419cafd82a9a3a6f68bef54c29f1af75842
      https://github.com/ceph/ceph-client/commit/10762419cafd82a9a3a6f68bef54c29f1af75842
  Author: Stanislav Kinsbursky <skinsbursky at parallels.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/lockd/svc.c
    M fs/nfs/callback.c
    M fs/nfsd/nfssvc.c
    M include/linux/sunrpc/svc.h
    M net/sunrpc/rpcb_clnt.c
    M net/sunrpc/svc.c

  Log Message:
  -----------
  SUNRPC: new svc_bind() routine introduced

upstream commit 9793f7c88937e7ac07305ab1af1a519225836823.

This new routine is responsible for service registration in a specified
network context.

The idea is to separate service creation from per-net operations.

Note also: since registering service with svc_bind() can fail, the
service will be destroyed and during destruction it will try to
unregister itself from rpcbind. In this case unregistration has to be
skipped.

Signed-off-by: Stanislav Kinsbursky <skinsbursky at parallels.com>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: ee92389156c2cdb45b94866186a4174858b820cd
      https://github.com/ceph/ceph-client/commit/ee92389156c2cdb45b94866186a4174858b820cd
  Author: Stanislav Kinsbursky <skinsbursky at parallels.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/lockd/svc.c
    M fs/nfs/callback.c
    M fs/nfsd/nfsctl.c
    M fs/nfsd/nfssvc.c
    M net/sunrpc/svc.c

  Log Message:
  -----------
  SUNRPC: move per-net operations from svc_destroy()

upstream commit 786185b5f8abefa6a8a16695bb4a59c164d5a071.

The idea is to separate service destruction and per-net operations,
because these are two different things and the mix looks ugly.

Notes:

1) For NFS server this patch looks ugly (sorry for that). But these
place will be rewritten soon during NFSd containerization.

2) LockD per-net counter increase int lockd_up() was moved prior to
make_socks() to make lockd_down_net() call safe in case of error.

Signed-off-by: Stanislav Kinsbursky <skinsbursky at parallels.com>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: f183282bb88ffa944449cf3a24a649c754d9e7af
      https://github.com/ceph/ceph-client/commit/f183282bb88ffa944449cf3a24a649c754d9e7af
  Author: Stanislav Kinsbursky <skinsbursky at parallels.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/nfs/callback.c

  Log Message:
  -----------
  NFS: hard-code init_net for NFS callback transports

upstream commit 12918b10d59e975fd5241eef03ef9e6d5ea3dcfe.

In case of destroying mount namespace on child reaper exit, nsproxy is zeroed
to the point already. So, dereferencing of it is invalid.
This patch hard-code "init_net" for all network namespace references for NFS
callback services. This will be fixed with proper NFS callback
containerization.

Signed-off-by: Stanislav Kinsbursky <skinsbursky at parallels.com>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: bf2370ff886b0059f574d78c7dfc9c1cb6fd38e0
      https://github.com/ceph/ceph-client/commit/bf2370ff886b0059f574d78c7dfc9c1cb6fd38e0
  Author: Johannes Berg <johannes.berg at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M net/mac80211/mlme.c

  Log Message:
  -----------
  mac80211: fix queues stuck issue with HT bandwidth change

No upstream commit, the buggy code was removed in 3.5 in commit
7213cf2cb0dfbb4d6b55a1da000d34338f76c0e3 and others.

Rajkumar changed code for handling channel switching in
mac80211 to stop the queues in

  commit 7cc44ed48d0ec0937c1f098642540b6c9ca38de5
  Author: Rajkumar Manoharan <rmanohar at qca.qualcomm.com>
  Date:   Fri Sep 16 15:32:34 2011 +0530

      mac80211: Fix regression on queue stop during 2040 bss change

which went into 3.2. In the 3.4 cycle, Paul's change

  commit 3117bbdb7899d43927c8ce4fe885ab7c1231c121
  Author: Paul Stewart <pstew at chromium.org>
  Date:   Tue Mar 13 07:46:18 2012 -0700

      mac80211: Don't let regulatory make us deaf

went in and changed the TX/RX enable logic, but now
the conditions for stopping and restarting the queues
were different so that now, if the AP changes between
20/40 MHz bandwidth, it can happen that we stop but
never restart the queues. This breaks the connection
and the module actually has to be reloaded to get it
back to work.

Fix this by making sure the queues are always started
when they were stopped.

Reported-by: Florian Manschwetus <manschwetus at googlemail.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: dbb3e108234bf8e4bf43d2fed8bc57792e3dbd2f
      https://github.com/ceph/ceph-client/commit/dbb3e108234bf8e4bf43d2fed8bc57792e3dbd2f
  Author: Johannes Berg <johannes.berg at intel.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/iwlwifi/iwl-trans-pcie.c

  Log Message:
  -----------
  iwlwifi: remove log_event debugfs file debugging is disabled

commit 882b7b7d11d65e8eccce738f1ce97cdfdb998f9f upstream.

When debugging is disabled, the event log functions aren't
functional in the way that the debugfs file expects. This
leads to the debugfs access crashing. Since the event log
functions aren't functional then, remove the debugfs file
when CONFIG_IWLWIFI_DEBUG is not set.

Reported-by: Lekensteyn <lekensteyn at gmail.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach at intel.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 4943d9cb7d82218d196ccc034ecaf933298e7e95
      https://github.com/ceph/ceph-client/commit/4943d9cb7d82218d196ccc034ecaf933298e7e95
  Author: Vaibhav Nagarnaik <vnagarnaik at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M kernel/trace/trace.c

  Log Message:
  -----------
  tracing: change CPU ring buffer state from tracing_cpumask

commit 71babb2705e2203a64c27ede13ae3508a0d2c16c upstream.

According to Documentation/trace/ftrace.txt:

tracing_cpumask:
   This is a mask that lets the user only trace
  on specified CPUS. The format is a hex string
  representing the CPUS.

The tracing_cpumask currently doesn't affect the tracing state of
per-CPU ring buffers.

This patch enables/disables CPU recording as its corresponding bit in
tracing_cpumask is set/unset.

Link: http://lkml.kernel.org/r/1336096792-25373-3-git-send-email-vnagarnaik@google.com

Cc: Frederic Weisbecker <fweisbec at gmail.com>
Cc: Ingo Molnar <mingo at redhat.com>
Cc: Laurent Chavey <chavey at google.com>
Cc: Justin Teravest <teravest at google.com>
Cc: David Sharp <dhsharp at google.com>
Signed-off-by: Vaibhav Nagarnaik <vnagarnaik at google.com>
Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 445006de7c59a9086b00025f9c3c97c75effd3c5
      https://github.com/ceph/ceph-client/commit/445006de7c59a9086b00025f9c3c97c75effd3c5
  Author: Bing Zhao <bzhao at marvell.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/mwifiex/cfg80211.c

  Log Message:
  -----------
  mwifiex: fix wrong return values in add_virtual_intf() error cases

commit 858faa57dd9e2b91f3f870fbb1185982e42f5a2b upstream

add_virtual_intf() needs to return an ERR_PTR(), instead of NULL,
on errors, otherwise cfg80211 will crash.

Reported-by: Johannes Berg <johannes at sipsolutions.net>
Signed-off-by: Bing Zhao <bzhao at marvell.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c412589f74ab4f1e30bb25b685fe6d95f2befd4d
      https://github.com/ceph/ceph-client/commit/c412589f74ab4f1e30bb25b685fe6d95f2befd4d
  Author: Hans de Goede <hdegoede at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/media/video/gspca/gspca.c

  Log Message:
  -----------
  gspca-core: Fix buffers staying in queued state after a stream_off

commit af05ef01e9cde84620c6855a8d8ab9c8a1db9009 upstream.

[Backport to linux-stable by Antonio Ospite <ospite at studenti.unina.it>]

This fixes a regression introduced by commit f7059ea and should be
backported to all supported stable kernels which have this commit.

Signed-off-by: Antonio Ospite <ospite at studenti.unina.it>
Signed-off-by: Hans de Goede <hdegoede at redhat.com>
Tested-by: Antonio Ospite <ospite at studenti.unina.it>
Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 5bbbd747918d241b41f3220ff26323d7ed943c52
      https://github.com/ceph/ceph-client/commit/5bbbd747918d241b41f3220ff26323d7ed943c52
  Author: Shaohua Li <shli at kernel.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/raid5.c

  Log Message:
  -----------
  raid5: delayed stripe fix

commit fab363b5ff502d1b39ddcfec04271f5858d9f26e upstream.

There isn't locking setting STRIPE_DELAYED and STRIPE_PREREAD_ACTIVE bits, but
the two bits have relationship. A delayed stripe can be moved to hold list only
when preread active stripe count is below IO_THRESHOLD. If a stripe has both
the bits set, such stripe will be in delayed list and preread count not 0,
which will make such stripe never leave delayed list.

Signed-off-by: Shaohua Li <shli at fusionio.com>
Signed-off-by: NeilBrown <neilb at suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 5250def1935443f4bbddce101281e0aaf2e66838
      https://github.com/ceph/ceph-client/commit/5250def1935443f4bbddce101281e0aaf2e66838
  Author: Matt Carlson <mcarlson at broadcom.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/ethernet/broadcom/tg3.c

  Log Message:
  -----------
  tg3: Apply short DMA frag workaround to 5906

commit b7abee6ef888117f92db370620ebf116a38e3f4d upstream.

5906 devices also need the short DMA fragment workaround.  This patch
makes the necessary change.

Signed-off-by: Matt Carlson <mcarlson at broadcom.com>
Tested-by: Christian Kujau <lists at nerdbynature.de>
Signed-off-by: David S. Miller <davem at davemloft.net>
Cc: Josh Boyer <jwboyer at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: e5982925c66c542aa41b17ee35fc233ae1521898
      https://github.com/ceph/ceph-client/commit/e5982925c66c542aa41b17ee35fc233ae1521898
  Author: Tom Hughes <tom at compton.nu>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/ath/ath9k/recv.c

  Log Message:
  -----------
  ath9k: fix panic caused by returning a descriptor we have queued for reuse

commit 6bb51c70cabaadddc54a6454844eceba91a56083 upstream.

Commit 3a2923e83c introduced a bug when a corrupt descriptor
is encountered - although the following descriptor is discarded
and returned to the queue for reuse the associated frame is
also returned for processing. This leads to a panic:

BUG: unable to handle kernel NULL pointer dereference at 000000000000003a
IP: [<ffffffffa02599a5>] ath_rx_tasklet+0x165/0x1b00 [ath9k]
Call Trace:
<IRQ>
[<ffffffff812d7fa0>] ? map_single+0x60/0x60
[<ffffffffa028f044>] ? ath9k_ioread32+0x34/0x90 [ath9k]
[<ffffffffa0292eec>] athk9k_tasklet+0xdc/0x160 [ath9k]
[<ffffffff8105e133>] tasklet_action+0x63/0xd0
[<ffffffff8105dbc0>] __do_softirq+0xc0/0x1e0
[<ffffffff8101a873>] ? native_sched_clock+0x13/0x80
[<ffffffff815f9d5c>] call_softirq+0x1c/0x30
[<ffffffff810151f5>] do_softirq+0x75/0xb0
[<ffffffff8105df95>] irq_exit+0xb5/0xc0
[<ffffffff815fa5b3>] do_IRQ+0x63/0xe0
[<ffffffff815f0cea>] common_interrupt+0x6a/0x6a
<EOI>
[<ffffffff8131840a>] ? intel_idle+0xea/0x150
[<ffffffff813183eb>] ? intel_idle+0xcb/0x150
[<ffffffff814a1db9>] cpuidle_enter+0x19/0x20
[<ffffffff814a23d9>] cpuidle_idle_call+0xa9/0x240
[<ffffffff8101c4bf>] cpu_idle+0xaf/0x120
[<ffffffff815cda8e>] rest_init+0x72/0x74
[<ffffffff81cf4c1a>] start_kernel+0x3b7/0x3c4
[<ffffffff81cf4662>] ? repair_env_string+0x5e/0x5e
[<ffffffff81cf4346>] x86_64_start_reservations+0x131/0x135
[<ffffffff81cf444a>] x86_64_start_kernel+0x100/0x10f

Making sure bf is cleared to NULL in this case restores the
old behaviour.

Signed-off-by: Tom Hughes <tom at compton.nu>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Cc: Josh Boyer <jwboyer at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: ff99851d5277c6131301a09f687aa3976ced31e7
      https://github.com/ceph/ceph-client/commit/ff99851d5277c6131301a09f687aa3976ced31e7
  Author: Andrea Arcangeli <aarcange at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/include/asm/pgtable-3level.h
    M include/asm-generic/pgtable.h

  Log Message:
  -----------
  mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition

commit 26c191788f18129af0eb32a358cdaea0c7479626 upstream.

When holding the mmap_sem for reading, pmd_offset_map_lock should only
run on a pmd_t that has been read atomically from the pmdp pointer,
otherwise we may read only half of it leading to this crash.

PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
 #0 [f06a9dd8] crash_kexec at c049b5ec
 #1 [f06a9e2c] oops_end at c083d1c2
 #2 [f06a9e40] no_context at c0433ded
 #3 [f06a9e64] bad_area_nosemaphore at c043401a
 #4 [f06a9e6c] __do_page_fault at c0434493
 #5 [f06a9eec] do_page_fault at c083eb45
 #6 [f06a9f04] error_code (via page_fault) at c083c5d5
    EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
    00000000
    DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
    CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
 #7 [f06a9f38] _spin_lock at c083bc14
 #8 [f06a9f44] sys_mincore at c0507b7d
 #9 [f06a9fb0] system_call at c083becd
                   start           len
    EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
    DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
    SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
    CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286

This should be a longstanding bug affecting x86 32bit PAE without THP.
Only archs with 64bit large pmd_t and 32bit unsigned long should be
affected.

With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
would partly hide the bug when the pmd transition from none to stable,
by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP is
enabled a new set of problem arises by the fact could then transition
freely in any of the none, pmd_trans_huge or pmd_trans_stable states.
So making the barrier in pmd_none_or_trans_huge_or_clear_bad()
unconditional isn't good idea and it would be a flakey solution.

This should be fully fixed by introducing a pmd_read_atomic that reads
the pmd in order with THP disabled, or by reading the pmd atomically
with cmpxchg8b with THP enabled.

Luckily this new race condition only triggers in the places that must
already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
is localized there but this bug is not related to THP.

NOTE: this can trigger on x86 32bit systems with PAE enabled with more
than 4G of ram, otherwise the high part of the pmd will never risk to be
truncated because it would be zero at all times, in turn so hiding the
SMP race.

This bug was discovered and fully debugged by Ulrich, quote:

----
[..]
pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
eax.

    496 static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t
    *pmd)
    497 {
    498         /* depend on compiler for an atomic pmd read */
    499         pmd_t pmdval = *pmd;
                           // edi = pmd pointer
0xc0507a74 <sys_mincore+548>:   mov    0x8(%esp),%edi
...
                          // edx = PTE page table high address
0xc0507a84 <sys_mincore+564>:   mov    0x4(%edi),%edx
...
                          // eax = PTE page table low address
0xc0507a8e <sys_mincore+574>:   mov    (%edi),%eax

[..]

Please note that the PMD is not read atomically. These are two "mov"
instructions where the high order bits of the PMD entry are fetched
first. Hence, the above machine code is prone to the following race.

-  The PMD entry {high|low} is 0x0000000000000000.
   The "mov" at 0xc0507a84 loads 0x00000000 into edx.

-  A page fault (on another CPU) sneaks in between the two "mov"
   instructions and instantiates the PMD.

-  The PMD entry {high|low} is now 0x00000003fda38067.
   The "mov" at 0xc0507a8e loads 0xfda38067 into eax.
----

Reported-by: Ulrich Obergfell <uobergfe at redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange at redhat.com>
Cc: Mel Gorman <mgorman at suse.de>
Cc: Hugh Dickins <hughd at google.com>
Cc: Larry Woodman <lwoodman at redhat.com>
Cc: Petr Matousek <pmatouse at redhat.com>
Cc: Rik van Riel <riel at redhat.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: acf8fbd7c1182204ed723dee365bc5ba9a503dd6
      https://github.com/ceph/ceph-client/commit/acf8fbd7c1182204ed723dee365bc5ba9a503dd6
  Author: Andrea Arcangeli <aarcange at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M arch/x86/include/asm/pgtable-3level.h
    M include/asm-generic/pgtable.h

  Log Message:
  -----------
  thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE

commit e4eed03fd06578571c01d4f1478c874bb432c815 upstream.

In the x86 32bit PAE CONFIG_TRANSPARENT_HUGEPAGE=y case while holding the
mmap_sem for reading, cmpxchg8b cannot be used to read pmd contents under
Xen.

So instead of dealing only with "consistent" pmdvals in
pmd_none_or_trans_huge_or_clear_bad() (which would be conceptually
simpler) we let pmd_none_or_trans_huge_or_clear_bad() deal with pmdvals
where the low 32bit and high 32bit could be inconsistent (to avoid having
to use cmpxchg8b).

The only guarantee we get from pmd_read_atomic is that if the low part of
the pmd was found null, the high part will be null too (so the pmd will be
considered unstable).  And if the low part of the pmd is found "stable"
later, then it means the whole pmd was read atomically (because after a
pmd is stable, neither MADV_DONTNEED nor page faults can alter it anymore,
and we read the high part after the low part).

In the 32bit PAE x86 case, it is enough to read the low part of the pmdval
atomically to declare the pmd as "stable" and that's true for THP and no
THP, furthermore in the THP case we also have a barrier() that will
prevent any inconsistent pmdvals to be cached by a later re-read of the
*pmd.

Signed-off-by: Andrea Arcangeli <aarcange at redhat.com>
Cc: Jonathan Nieder <jrnieder at gmail.com>
Cc: Ulrich Obergfell <uobergfe at redhat.com>
Cc: Mel Gorman <mgorman at suse.de>
Cc: Hugh Dickins <hughd at google.com>
Cc: Larry Woodman <lwoodman at redhat.com>
Cc: Petr Matousek <pmatouse at redhat.com>
Cc: Rik van Riel <riel at redhat.com>
Cc: Jan Beulich <jbeulich at suse.com>
Cc: KOSAKI Motohiro <kosaki.motohiro at gmail.com>
Tested-by: Andrew Jones <drjones at redhat.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 21359ac3aef0455038f6295d6f8b3aca7beabfd9
      https://github.com/ceph/ceph-client/commit/21359ac3aef0455038f6295d6f8b3aca7beabfd9
  Author: Stanislaw Gruszka <sgruszka at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/wireless/rtl818x/rtl8187/leds.c

  Log Message:
  -----------
  rtl8187: ->brightness_set can not sleep

commit 0fde0a8cfd0ede7f310d6a681c8e5a7cb3e32406 upstream.

Fix:

BUG: sleeping function called from invalid context at kernel/workqueue.c:2547
in_atomic(): 1, irqs_disabled(): 0, pid: 629, name: wpa_supplicant
2 locks held by wpa_supplicant/629:
 #0:  (rtnl_mutex){+.+.+.}, at: [<c08b2b84>] rtnl_lock+0x14/0x20
 #1:  (&trigger->leddev_list_lock){.+.?..}, at: [<c0867f41>] led_trigger_event+0x21/0x80
Pid: 629, comm: wpa_supplicant Not tainted 3.3.0-0.rc3.git5.1.fc17.i686
Call Trace:
 [<c046a9f6>] __might_sleep+0x126/0x1d0
 [<c0457d6c>] wait_on_work+0x2c/0x1d0
 [<c045a09a>] __cancel_work_timer+0x6a/0x120
 [<c045a160>] cancel_delayed_work_sync+0x10/0x20
 [<f7dd3c22>] rtl8187_led_brightness_set+0x82/0xf0 [rtl8187]
 [<c0867f7c>] led_trigger_event+0x5c/0x80
 [<f7ff5e6d>] ieee80211_led_radio+0x1d/0x40 [mac80211]
 [<f7ff3583>] ieee80211_stop_device+0x13/0x230 [mac80211]

Removing _sync is ok, because if led_on work is currently running
it will be finished before led_off work start to perform, since
they are always queued on the same mac80211 local->workqueue.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=795176

Signed-off-by: Stanislaw Gruszka <sgruszka at redhat.com>
Acked-by: Larry Finger <Larry.Finger at lwfinger.net>
Acked-by: Hin-Tak Leung <htl10 at users.sourceforge.net>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Cc: Josh Boyer <jwboyer at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 6d0535e8f0406ba353c06a5417e9caa498733372
      https://github.com/ceph/ceph-client/commit/6d0535e8f0406ba353c06a5417e9caa498733372
  Author: Jason Wang <jasowang at redhat.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/net/macvtap.c

  Log Message:
  -----------
  macvtap: zerocopy: validate vectors before building skb

commit b92946e2919134ebe2a4083e4302236295ea2a73 upstream.

There're several reasons that the vectors need to be validated:

- Return error when caller provides vectors whose num is greater than UIO_MAXIOV.
- Linearize part of skb when userspace provides vectors grater than MAX_SKB_FRAGS.
- Return error when userspace provides vectors whose total length may exceed
- MAX_SKB_FRAGS * PAGE_SIZE.

Signed-off-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
Cc: Josh Boyer <jwboyer at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 5318edefb61eddf91d4c4a089644fcee3ccfda62
      https://github.com/ceph/ceph-client/commit/5318edefb61eddf91d4c4a089644fcee3ccfda62
  Author: Stanislav Yakovlev <stas.yakovlev at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    A drivers/net/wireless/ipw2x00/ipw.h
    M drivers/net/wireless/ipw2x00/ipw2100.c
    M drivers/net/wireless/ipw2x00/ipw2200.c

  Log Message:
  -----------
  net/wireless: ipw2x00: add supported cipher suites to wiphy initialization

commit a141e6a0097118bb35024485f1faffc0d9042f5c upstream.

Driver doesn't report its supported cipher suites through cfg80211
interface. It still uses wext interface and probably will not work
through nl80211, but will at least correctly advertise supported
features.

Bug was reported by Omar Siam.
https://bugzilla.kernel.org/show_bug.cgi?id=43049

Signed-off-by: Stanislav Yakovlev <stas.yakovlev at gmail.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Cc: Josh Boyer <jwboyer at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 2c07f25ea7800adb36cd8da9b58c4ecd3fc3d064
      https://github.com/ceph/ceph-client/commit/2c07f25ea7800adb36cd8da9b58c4ecd3fc3d064
  Author: Eric Dumazet <edumazet at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/splice.c
    M include/linux/splice.h
    M kernel/relay.c
    M kernel/trace/trace.c
    M mm/shmem.c
    M net/core/skbuff.c

  Log Message:
  -----------
  splice: fix racy pipe->buffers uses

commit 047fe3605235888f3ebcda0c728cb31937eadfe6 upstream.

Dave Jones reported a kernel BUG at mm/slub.c:3474! triggered
by splice_shrink_spd() called from vmsplice_to_pipe()

commit 35f3d14dbbc5 (pipe: add support for shrinking and growing pipes)
added capability to adjust pipe->buffers.

Problem is some paths don't hold pipe mutex and assume pipe->buffers
doesn't change for their duration.

Fix this by adding nr_pages_max field in struct splice_pipe_desc, and
use it in place of pipe->buffers where appropriate.

splice_shrink_spd() loses its struct pipe_inode_info argument.

Reported-by: Dave Jones <davej at redhat.com>
Signed-off-by: Eric Dumazet <edumazet at google.com>
Cc: Jens Axboe <axboe at kernel.dk>
Cc: Alexander Viro <viro at zeniv.linux.org.uk>
Cc: Tom Herbert <therbert at google.com>
Tested-by: Dave Jones <davej at redhat.com>
Signed-off-by: Jens Axboe <axboe at kernel.dk>
[bwh: Backported to 3.2:
 - Adjust context in vmsplice_to_pipe()
 - Update one more call to splice_shrink_spd(), from skb_splice_bits()]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a08fae601d01ab177dbef90778f87f7c5467b792
      https://github.com/ceph/ceph-client/commit/a08fae601d01ab177dbef90778f87f7c5467b792
  Author: Chris Wilson <chris at chris-wilson.co.uk>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpu/drm/i915/i915_irq.c

  Log Message:
  -----------
  drm/i915: Refactor the deferred PM_IIR handling into a single function

commit fc6826d1dcd65f3d1e9a5377678882e4e08f02be upstream.

This function, along with the registers and deferred work hander, are
all shared with SandyBridge, IvyBridge and their variants. So remove the
duplicate code into a single function.

Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Reviewed-by: Ben Widawsky <ben at bwidawsk.net>
Signed-Off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
[bwh: Backported to 3.2: adjust context; drop changes for Valley View]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: c9bb51fb8c7a9d8b230c0bd184d9af919350383b
      https://github.com/ceph/ceph-client/commit/c9bb51fb8c7a9d8b230c0bd184d9af919350383b
  Author: Daniel Vetter <daniel.vetter at ffwll.ch>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/gpu/drm/i915/i915_irq.c

  Log Message:
  -----------
  drm/i915: rip out the PM_IIR WARN

commit 58bf8062d0b293b8e1028e5b0342082002886bd4 upstream.

After banging my head against this for the past few months, I still
don't see how this could possible race under the premise that once an
irq bit is masked in PM_IMR and reset in PM_IIR it won't show up again
until we unmask it in PM_IMR.

Still, we have reports of this being seen in the wild. Now Bspec has
this little bit of lovely language in the PMIIR register:

Public SNB Docs, Vol3Part2, 2.5.14 "PMIIR":

"For each bit, the IIR can store a second pending interrupt if two or
more of the same interrupt conditions occur before the first condition
is cleared. Upon clearing the interrupt, the IIR bit will momentarily
go low, then return high to indicate there is another interrupt
pending."

Now if we presume that PMIMR only prevent new interrupts from being
queued, we could easily end up masking an interrupt and clearing it,
but the 2nd pending interrupt setting the bit in PMIIR right away
again. Which leads, the next time the irq handler runs, to hitting the
WARN.

Also, no bad side effects of this have ever been reported. And we've
tracked down our issues with the gpu turbo getting stuck to bogus
interrupt generation limits in th RPLIMIT register.

So let's just rip out this WARN as bogus and call it a day. The only
shallow thing here is that this 2-deep irq queue in the hw makes you
wonder how racy the windows irq handler is ...

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=42907
Acked-by: Chris Wilson <chris at chris-wilson.co.uk>
Signed-Off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0c4ad5cc8c01f62fe5211b5ce9563c27f795a4ab
      https://github.com/ceph/ceph-client/commit/0c4ad5cc8c01f62fe5211b5ce9563c27f795a4ab
  Author: Andy Lutomirski <luto at amacapital.net>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M mm/madvise.c

  Log Message:
  -----------
  mm: Hold a file reference in madvise_remove

commit 9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb upstream.

Otherwise the code races with munmap (causing a use-after-free
of the vma) or with close (causing a use-after-free of the struct
file).

The bug was introduced by commit 90ed52ebe481 ("[PATCH] holepunch: fix
mmap_sem i_mutex deadlock")

Cc: Hugh Dickins <hugh at veritas.com>
Cc: Miklos Szeredi <mszeredi at suse.cz>
Cc: Badari Pulavarty <pbadari at us.ibm.com>
Cc: Nick Piggin <npiggin at suse.de>
Signed-off-by: Andy Lutomirski <luto at amacapital.net>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
[bwh: Backported to 3.2:
 - Adjust context
 - madvise_remove() calls vmtruncate_range(), not do_fallocate()]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: d3f940223c31cffd977864cdc13c69e89f03ce55
      https://github.com/ceph/ceph-client/commit/d3f940223c31cffd977864cdc13c69e89f03ce55
  Author: majianpeng <majianpeng at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/md/raid5.c

  Log Message:
  -----------
  md/raid5: Do not add data_offset before call to is_badblock

commit 6c0544e255dd6582a9899572e120fb55d9f672a4 upstream.

In chunk_aligned_read() we are adding data_offset before calling
is_badblock.  But is_badblock also adds data_offset, so that is bad.

So move the addition of data_offset to after the call to
is_badblock.

This bug was introduced by commit 31c176ecdf3563140e639
     md/raid5: avoid reading from known bad blocks.
which first appeared in 3.0.  So that patch is suitable for any
-stable kernel from 3.0.y onwards.  However it will need minor
revision for most of those (as the comment didn't appear until
recently).

Signed-off-by: majianpeng <majianpeng at gmail.com>
Signed-off-by: NeilBrown <neilb at suse.de>
[bwh: Backported to 3.2: ignored missing comment]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a2db97f10ba81ce924323e580a223ce8d17d685c
      https://github.com/ceph/ceph-client/commit/a2db97f10ba81ce924323e580a223ce8d17d685c
  Author: Lars-Peter Clausen <lars at metafoo.de>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/staging/iio/adc/ad7606_core.c

  Log Message:
  -----------
  staging:iio:ad7606: Re-add missing scale attribute

commit 279bf2e57c30c9a4482b2b6ede11b31c41e35e78 upstream.

Commit 50ac23be ("staging:iio:adc:ad7606 add local define for chan_spec
structures.") accidentally removed the scale info_mask flag. This patch
adds it back again.

Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
Acked-by: Jonathan Cameron <jic23 at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
[herton: Backported to 3.4: info_mask was not used yet with another flag]
Signed-off-by: Herton R. Krzesinski <herton at canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0e343dbe08acb440f7914d989bcc32c1d1576735
      https://github.com/ceph/ceph-client/commit/0e343dbe08acb440f7914d989bcc32c1d1576735
  Author: Jiang Liu <jiang.liu at huawei.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/linux/mmzone.h
    M mm/vmscan.c

  Log Message:
  -----------
  memory hotplug: fix invalid memory access caused by stale kswapd pointer

commit d8adde17e5f858427504725218c56aef90e90fc7 upstream.

kswapd_stop() is called to destroy the kswapd work thread when all memory
of a NUMA node has been offlined.  But kswapd_stop() only terminates the
work thread without resetting NODE_DATA(nid)->kswapd to NULL.  The stale
pointer will prevent kswapd_run() from creating a new work thread when
adding memory to the memory-less NUMA node again.  Eventually the stale
pointer may cause invalid memory access.

An example stack dump as below. It's reproduced with 2.6.32, but latest
kernel has the same issue.

  BUG: unable to handle kernel NULL pointer dereference at (null)
  IP: [<ffffffff81051a94>] exit_creds+0x12/0x78
  PGD 0
  Oops: 0000 [#1] SMP
  last sysfs file: /sys/devices/system/memory/memory391/state
  CPU 11
  Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
  Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
  RIP: 0010:exit_creds+0x12/0x78
  RSP: 0018:ffff8806044f1d78  EFLAGS: 00010202
  RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
  RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
  RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
  R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
  R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
  FS:  00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
  Stack:
   ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
   ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
   0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
  Call Trace:
    __put_task_struct+0x5d/0x97
    kthread_stop+0x50/0x58
    offline_pages+0x324/0x3da
    memory_block_change_state+0x179/0x1db
    store_mem_state+0x9e/0xbb
    sysfs_write_file+0xd0/0x107
    vfs_write+0xad/0x169
    sys_write+0x45/0x6e
    system_call_fastpath+0x16/0x1b
  Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
  RIP  exit_creds+0x12/0x78
   RSP <ffff8806044f1d78>
  CR2: 0000000000000000

[akpm at linux-foundation.org: add pglist_data.kswapd locking comments]
Signed-off-by: Xishi Qiu <qiuxishi at huawei.com>
Signed-off-by: Jiang Liu <jiang.liu at huawei.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu at jp.fujitsu.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
Acked-by: Mel Gorman <mgorman at suse.de>
Acked-by: David Rientjes <rientjes at google.com>
Reviewed-by: Minchan Kim <minchan at kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0bf51a8f8756511b382aac13a3c1c7abeb8b0bec
      https://github.com/ceph/ceph-client/commit/0bf51a8f8756511b382aac13a3c1c7abeb8b0bec
  Author: Devendra Naga <devendra.aaru at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/rtc/rtc-spear.c

  Log Message:
  -----------
  drivers/rtc/rtc-spear.c: fix use-after-free in spear_rtc_remove()

commit 2a643893e50fde71d7ba84b5592ec61b467b9ab6 upstream.

`config' is freed and is then used in the rtc_device_unregister() call,
causing a kernel panic.

Signed-off-by: Devendra Naga <devendra.aaru at gmail.com>
Reviewed-by: Viresh Kumar <viresh.linux at gmail.com>
Cc: Alessandro Zummo <a.zummo at towertech.it>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: a61046645665398124b7353999713c02fc4a89eb
      https://github.com/ceph/ceph-client/commit/a61046645665398124b7353999713c02fc4a89eb
  Author: Lee Jones <lee.jones at linaro.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/rtc/rtc-ab8500.c

  Log Message:
  -----------
  drivers/rtc/rtc-ab8500.c: use IRQF_ONESHOT when requesting a threaded IRQ

commit 3cfd16a551dc0c188160e1765168a04baf2d3198 upstream.

This driver's IRQ registration is failing because the kernel now forces
IRQs to be ONESHOT if no IRQ handler is passed.

Signed-off-by: Lee Jones <lee.jones at linaro.org>
Cc: Alessandro Zummo <a.zummo at towertech.it>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: ae555e19b697bc90ea3ec004dc0e5541983593fa
      https://github.com/ceph/ceph-client/commit/ae555e19b697bc90ea3ec004dc0e5541983593fa
  Author: Benoît Thébaudeau <benoit.thebaudeau at advansee.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M drivers/rtc/rtc-mxc.c

  Log Message:
  -----------
  drivers/rtc/rtc-mxc.c: fix irq enabled interrupts warning

commit b59f6d1febd6cbe9fae4589bf72da0ed32bc69e0 upstream.

Fixes

  WARNING: at irq/handle.c:146 handle_irq_event_percpu+0x19c/0x1b8()
  irq 25 handler mxc_rtc_interrupt+0x0/0xac enabled interrupts
  Modules linked in:
   (unwind_backtrace+0x0/0xf0) from (warn_slowpath_common+0x4c/0x64)
   (warn_slowpath_common+0x4c/0x64) from (warn_slowpath_fmt+0x30/0x40)
   (warn_slowpath_fmt+0x30/0x40) from (handle_irq_event_percpu+0x19c/0x1b8)
   (handle_irq_event_percpu+0x19c/0x1b8) from (handle_irq_event+0x28/0x38)
   (handle_irq_event+0x28/0x38) from (handle_level_irq+0x80/0xc4)
   (handle_level_irq+0x80/0xc4) from (generic_handle_irq+0x24/0x38)
   (generic_handle_irq+0x24/0x38) from (handle_IRQ+0x30/0x84)
   (handle_IRQ+0x30/0x84) from (avic_handle_irq+0x2c/0x4c)
   (avic_handle_irq+0x2c/0x4c) from (__irq_svc+0x40/0x60)
  Exception stack(0xc050bf60 to 0xc050bfa8)
  bf60: 00000001 00000000 003c4208 c0018e20 c050a000 c050a000 c054a4c8 c050a000
  bf80: c05157a8 4117b363 80503bb4 00000000 01000000 c050bfa8 c0018e2c c000e808
  bfa0: 60000013 ffffffff
   (__irq_svc+0x40/0x60) from (default_idle+0x1c/0x30)
   (default_idle+0x1c/0x30) from (cpu_idle+0x68/0xa8)
   (cpu_idle+0x68/0xa8) from (start_kernel+0x22c/0x26c)

Signed-off-by: Benoît Thébaudeau <benoit.thebaudeau at advansee.com>
Cc: Alessandro Zummo <a.zummo at towertech.it>
Cc: Sascha Hauer <kernel at pengutronix.de>
Acked-by: Uwe Kleine-König <u.kleine-koenig at pengutronix.de>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7a08b440fa93e036968102597c8a2ab809a9bdc4
      https://github.com/ceph/ceph-client/commit/7a08b440fa93e036968102597c8a2ab809a9bdc4
  Author: David Rientjes <rientjes at google.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M mm/compaction.c

  Log Message:
  -----------
  mm, thp: abort compaction if migration page cannot be charged to memcg

commit 4bf2bba3750f10aa9e62e6949bc7e8329990f01b upstream.

If page migration cannot charge the temporary page to the memcg,
migrate_pages() will return -ENOMEM.  This isn't considered in memory
compaction however, and the loop continues to iterate over all
pageblocks trying to isolate and migrate pages.  If a small number of
very large memcgs happen to be oom, however, these attempts will mostly
be futile leading to an enormous amout of cpu consumption due to the
page migration failures.

This patch will short circuit and fail memory compaction if
migrate_pages() returns -ENOMEM.  COMPACT_PARTIAL is returned in case
some migrations were successful so that the page allocator will retry.

Signed-off-by: David Rientjes <rientjes at google.com>
Acked-by: Mel Gorman <mgorman at suse.de>
Cc: Minchan Kim <minchan at kernel.org>
Cc: Kamezawa Hiroyuki <kamezawa.hiroyu at jp.fujitsu.com>
Cc: Rik van Riel <riel at redhat.com>
Cc: Andrea Arcangeli <aarcange at redhat.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 0fa627b15c842095b5147f381fa1943a6a46bb01
      https://github.com/ceph/ceph-client/commit/0fa627b15c842095b5147f381fa1943a6a46bb01
  Author: Bob Liu <lliubbo at gmail.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/ramfs/file-nommu.c

  Log Message:
  -----------
  fs: ramfs: file-nommu: add SetPageUptodate()

commit fea9f718b3d68147f162ed2d870183ce5e0ad8d8 upstream.

There is a bug in the below scenario for !CONFIG_MMU:

 1. create a new file
 2. mmap the file and write to it
 3. read the file can't get the correct value

Because

  sys_read() -> generic_file_aio_read() -> simple_readpage() -> clear_page()

which causes the page to be zeroed.

Add SetPageUptodate() to ramfs_nommu_expand_for_mapping() so that
generic_file_aio_read() do not call simple_readpage().

Signed-off-by: Bob Liu <lliubbo at gmail.com>
Cc: Hugh Dickins <hughd at google.com>
Cc: David Howells <dhowells at redhat.com>
Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Greg Ungerer <gerg at uclinux.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 7ad71f960f0f6e06cbded278809674afc515036a
      https://github.com/ceph/ceph-client/commit/7ad71f960f0f6e06cbded278809674afc515036a
  Author: Yinghai Lu <yinghai at kernel.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M include/linux/memblock.h
    M mm/memblock.c
    M mm/nobootmem.c

  Log Message:
  -----------
  memblock: free allocated memblock_reserved_regions later

commit 29f6738609e40227dabcc63bfb3b84b3726a75bd upstream.

memblock_free_reserved_regions() calls memblock_free(), but
memblock_free() would double reserved.regions too, so we could free the
old range for reserved.regions.

Also tj said there is another bug which could be related to this.

| I don't think we're saving any noticeable
| amount by doing this "free - give it to page allocator - reserve
| again" dancing.  We should just allocate regions aligned to page
| boundaries and free them later when memblock is no longer in use.

in that case, when DEBUG_PAGEALLOC, will get panic:

     memblock_free: [0x0000102febc080-0x0000102febf080] memblock_free_reserved_regions+0x37/0x39
  BUG: unable to handle kernel paging request at ffff88102febd948
  IP: [<ffffffff836a5774>] __next_free_mem_range+0x9b/0x155
  PGD 4826063 PUD cf67a067 PMD cf7fa067 PTE 800000102febd160
  Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
  CPU 0
  Pid: 0, comm: swapper Not tainted 3.5.0-rc2-next-20120614-sasha #447
  RIP: 0010:[<ffffffff836a5774>]  [<ffffffff836a5774>] __next_free_mem_range+0x9b/0x155

See the discussion at https://lkml.org/lkml/2012/6/13/469

So try to allocate with PAGE_SIZE alignment and free it later.

Reported-by: Sasha Levin <levinsasha928 at gmail.com>
Acked-by: Tejun Heo <tj at kernel.org>
Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Yinghai Lu <yinghai at kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: bb2b649805527af1d823f871e7e3a95c4e6a018e
      https://github.com/ceph/ceph-client/commit/bb2b649805527af1d823f871e7e3a95c4e6a018e
  Author: Luis Henriques <luis.henriques at canonical.com>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M fs/ocfs2/file.c

  Log Message:
  -----------
  ocfs2: fix NULL pointer dereference in __ocfs2_change_file_space()

commit a4e08d001f2e50bb8b3c4eebadcf08e5535f02ee upstream.

As ocfs2_fallocate() will invoke __ocfs2_change_file_space() with a NULL
as the first parameter (file), it may trigger a NULL pointer dereferrence
due to a missing check.

Addresses http://bugs.launchpad.net/bugs/1006012

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
Reported-by: Bret Towe <magnade at gmail.com>
Tested-by: Bret Towe <magnade at gmail.com>
Cc: Sunil Mushran <sunil.mushran at oracle.com>
Acked-by: Joel Becker <jlbec at evilplan.org>
Acked-by: Mark Fasheh <mfasheh at suse.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>


  Commit: 763c71b1319c56272e42cf6ada6994131f0193a7
      https://github.com/ceph/ceph-client/commit/763c71b1319c56272e42cf6ada6994131f0193a7
  Author: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
  Date:   2012-07-16 (Mon, 16 Jul 2012)

  Changed paths:
    M Makefile

  Log Message:
  -----------
  Linux 3.4.5


  Commit: 6af5294118de93f17f5d01e64ff1af5704c23417
      https://github.com/ceph/ceph-client/commit/6af5294118de93f17f5d01e64ff1af5704c23417
  Author: Alex Elder <elder at dreamhost.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M drivers/block/rbd.c

  Log Message:
  -----------
  rbd: don't hold spinlock during messenger flush

A recent change made changes to the rbd_client_list be protected by
a spinlock.  Unfortunately in rbd_put_client(), the lock is taken
before possibly dropping the last reference to an rbd_client, and on
the last reference that eventually calls flush_workqueue() which can
sleep.

The problem was flagged by a debug spinlock warning:
    BUG: spinlock wrong CPU on CPU#3, rbd/27814

The solution is to move the spinlock acquisition and release inside
rbd_client_release(), which is the spot where it's really needed for
protecting the removal of the rbd_client from the client list.

Signed-off-by: Alex Elder <elder at dreamhost.com>
Reviewed-by: Sage Weil <sage at newdream.net>
(cherry picked from commit cd9d9f5df6098c50726200d4185e9e8da32785b3)


  Commit: 4dd0b0cdcd3bfaa071582cb17d111585a8106c87
      https://github.com/ceph/ceph-client/commit/4dd0b0cdcd3bfaa071582cb17d111585a8106c87
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/crush/mapper.c

  Log Message:
  -----------
  crush: adjust local retry threshold

This small adjustment reflects a change that was made in ceph.git commit
af6a9f30696c900a2a8bd7ae24e8ed15fb4964bb, about 6 months ago.  An N-1
search is not exhaustive.  Fixed ceph.git bug #1594.

Reviewed-by: Alex Elder <elder at inktank.com>
Signed-off-by: Sage Weil <sage at inktank.com>
(cherry picked from commit c90f95ed46393e29d843686e21947d1c6fcb1164)


  Commit: b08746f089461b98adcf6d80dd2d57557be9e184
      https://github.com/ceph/ceph-client/commit/b08746f089461b98adcf6d80dd2d57557be9e184
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/crush/mapper.c

  Log Message:
  -----------
  crush: be more tolerant of nonsensical crush maps

If we get a map that doesn't make sense, error out or ignore the badness
instead of BUGging out.  This reflects the ceph.git commits
9895f0bff7dc68e9b49b572613d242315fb11b6c and
8ded26472058d5205803f244c2f33cb6cb10de79.

Reviewed-by: Alex Elder <elder at inktank.com>
Signed-off-by: Sage Weil <sage at inktank.com>
(cherry picked from commit a1f4895be8bf1ba56c2306b058f51619e9b0e8f8)


  Commit: abe0b4add2fde55150704d66969445a08aa29bba
      https://github.com/ceph/ceph-client/commit/abe0b4add2fde55150704d66969445a08aa29bba
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M include/linux/crush/crush.h
    M net/ceph/crush/crush.c

  Log Message:
  -----------
  crush: fix tree node weight lookup

Fix the node weight lookup for tree buckets by using a correct accessor.

Reflects ceph.git commit d287ade5bcbdca82a3aef145b92924cf1e856733.

Reviewed-by: Alex Elder <elder at inktank.com>
Signed-off-by: Sage Weil <sage at inktank.com>
(cherry picked from commit f671d4cd9b36691ac4ef42cde44c1b7a84e13631)


  Commit: 27980fff15e41da03543c064b4bc56de1872c8d7
      https://github.com/ceph/ceph-client/commit/27980fff15e41da03543c064b4bc56de1872c8d7
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/crush/crush.c

  Log Message:
  -----------
  crush: fix memory leak when destroying tree buckets

Reflects ceph.git commit 46d63d98434b3bc9dad2fc9ab23cbaedc3bcb0e4.

Reported-by: Alexander Lyakas <alex.bolshoy at gmail.com>
Reviewed-by: Alex Elder <elder at inktank.com>
Signed-off-by: Sage Weil <sage at inktank.com>
(cherry picked from commit 6eb43f4b5a2a74599b4ff17a97c03a342327ca65)


  Commit: 045ef777a61ddbb75094854fb7b2f92c05a18eee
      https://github.com/ceph/ceph-client/commit/045ef777a61ddbb75094854fb7b2f92c05a18eee
  Author: Alex Elder <elder at dreawmhost.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/osd_client.c

  Log Message:
  -----------
  ceph: osd_client: fix endianness bug in osd_req_encode_op()

>From Al Viro <viro at zeniv.linux.org.uk>

Al Viro noticed that we were using a non-cpu-encoded value in
a switch statement in osd_req_encode_op().  The result would
clearly not work correctly on a big-endian machine.

Signed-off-by: Alex Elder <elder at dreamhost.com>
(cherry picked from commit 065a68f9167e20f321a62d044cb2c3024393d455)


  Commit: da187b45d2e6ef36490133b96cb4fc01ad00a822
      https://github.com/ceph/ceph-client/commit/da187b45d2e6ef36490133b96cb4fc01ad00a822
  Author: Josh Durgin <josh.durgin at dreamhost.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M drivers/block/rbd.c

  Log Message:
  -----------
  rbd: protect read of snapshot sequence number

This is updated whenever a snapshot is added or deleted, and the
snapc pointer is changed with every refresh of the header.

Signed-off-by: Josh Durgin <josh.durgin at dreamhost.com>
Reviewed-by: Alex Elder <elder at dreamhost.com>
Reviewed-by: Yehuda Sadeh <yehuda at hq.newdream.net>
(cherry picked from commit 403f24d3d51760a8b9368d595fa5f48c309f1a0f)


  Commit: 694e96b6f6a41a2bfa1e9ccfa752426a33a12419
      https://github.com/ceph/ceph-client/commit/694e96b6f6a41a2bfa1e9ccfa752426a33a12419
  Author: Josh Durgin <josh.durgin at dreamhost.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M drivers/block/rbd.c

  Log Message:
  -----------
  rbd: store snapshot id instead of index

When a device was open at a snapshot, and snapshots were deleted or
added, data from the wrong snapshot could be read. Instead of
assuming the snap context is constant, store the actual snap id when
the device is initialized, and rely on the OSDs to signal an error
if we try reading from a snapshot that was deleted.

Signed-off-by: Josh Durgin <josh.durgin at dreamhost.com>
Reviewed-by: Alex Elder <elder at dreamhost.com>
Reviewed-by: Yehuda Sadeh <yehuda at hq.newdream.net>
(cherry picked from commit 77dfe99fe3cb0b2b0545e19e2d57b7a9134ee3c0)


  Commit: ac3e71600768681f0f77719bf92a446815a972c0
      https://github.com/ceph/ceph-client/commit/ac3e71600768681f0f77719bf92a446815a972c0
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  ceph: don't set WRITE_PENDING too early

prepare_write_connect() prepares a connect message, then sets
WRITE_PENDING on the connection.  Then *after* this, it calls
prepare_connect_authorizer(), which updates the content of the
connection buffer already queued for sending.  It's also possible it
will result in prepare_write_connect() returning -EAGAIN despite the
WRITE_PENDING big getting set.

Fix this by preparing the connect authorizer first, setting the
WRITE_PENDING bit only after that is done.

Partially addresses http://tracker.newdream.net/issues/2424

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit e10c758e4031a801ea4d2f8fb39bf14c2658d74b)


  Commit: 89b472cc13be3d38b10ed2f0caa637b3ac8fc86e
      https://github.com/ceph/ceph-client/commit/89b472cc13be3d38b10ed2f0caa637b3ac8fc86e
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  ceph: messenger: rework prepare_connect_authorizer()

Change prepare_connect_authorizer() so it returns without dropping
the connection mutex if the connection has no get_authorizer method.

Use the symbolic CEPH_AUTH_UNKNOWN instead of 0 when assigning
authorization protocols.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit b1c6b9803f5491e94041e6da96bc9dec3870e792)


  Commit: 800bb2cbb920d296ddc9b86e176b4333717514ba
      https://github.com/ceph/ceph-client/commit/800bb2cbb920d296ddc9b86e176b4333717514ba
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  ceph: messenger: check return from get_authorizer

In prepare_connect_authorizer(), a connection's get_authorizer
method is called but ignores its return value.  This function can
return an error, so check for it and return it if that ever occurs.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit ed96af646011412c2bf1ffe860db170db355fae5)


  Commit: c497194f3a73bb911e9027892f66538873e8a441
      https://github.com/ceph/ceph-client/commit/c497194f3a73bb911e9027892f66538873e8a441
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M fs/ceph/mds_client.c
    M fs/ceph/mds_client.h
    M include/linux/ceph/auth.h
    M include/linux/ceph/osd_client.h
    M net/ceph/osd_client.c

  Log Message:
  -----------
  ceph: define ceph_auth_handshake type

The definitions for the ceph_mds_session and ceph_osd both contain
five fields related only to "authorizers."  Encapsulate those fields
into their own struct type, allowing for better isolation in some
upcoming patches.

Fix the #includes in "linux/ceph/osd_client.h" to lay out their more
complete canonical path.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit 6c4a19158b96ea1fb8acbe0c1d5493d9dcd2f147)


  Commit: 33d8248ce1a5e50ce07a1febba8c56cce5080570
      https://github.com/ceph/ceph-client/commit/33d8248ce1a5e50ce07a1febba8c56cce5080570
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M fs/ceph/mds_client.c
    M include/linux/ceph/auth.h
    M net/ceph/auth_none.c
    M net/ceph/auth_x.c
    M net/ceph/osd_client.c

  Log Message:
  -----------
  ceph: messenger: reduce args to create_authorizer

Make use of the new ceph_auth_handshake structure in order to reduce
the number of arguments passed to the create_authorizor method in
ceph_auth_client_ops.  Use a local variable of that type as a
shorthand in the get_authorizer method definitions.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit 74f1869f76d043bad12ec03b4d5f04a8c3d1f157)


  Commit: 1139fd77ec85b73dadf997425c73a7fbb1ebf17a
      https://github.com/ceph/ceph-client/commit/1139fd77ec85b73dadf997425c73a7fbb1ebf17a
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M fs/ceph/mds_client.c
    M net/ceph/osd_client.c

  Log Message:
  -----------
  ceph: ensure auth ops are defined before use

In the create_authorizer method for both the mds and osd clients,
the auth_client->ops pointer is blindly dereferenced.  There is no
obvious guarantee that this pointer has been assigned.  And
furthermore, even if the ops pointer is non-null there is definitely
no guarantee that the create_authorizer or destroy_authorizer
methods are defined.

Add checks in both routines to make sure they are defined (non-null)
before use.  Add similar checks in a few other spots in these files
while we're at it.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit a255651d4cad89f1a606edd36135af892ada4f20)


  Commit: 8c8c4e1023fad29ffd9cbfcc6f5b6682c124179a
      https://github.com/ceph/ceph-client/commit/8c8c4e1023fad29ffd9cbfcc6f5b6682c124179a
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M fs/ceph/mds_client.c
    M include/linux/ceph/messenger.h
    M net/ceph/messenger.c
    M net/ceph/osd_client.c

  Log Message:
  -----------
  ceph: have get_authorizer methods return pointers

Have the get_authorizer auth_client method return a ceph_auth
pointer rather than an integer, pointer-encoding any returned
error value.  This is to pave the way for making use of the
returned value in an upcoming patch.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit a3530df33eb91d787d08c7383a0a9982690e42d0)


  Commit: 2adcb59c65d7c3dacaf8d2e9865ba3596c70250f
      https://github.com/ceph/ceph-client/commit/2adcb59c65d7c3dacaf8d2e9865ba3596c70250f
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M fs/ceph/mds_client.c
    M include/linux/ceph/messenger.h
    M net/ceph/messenger.c
    M net/ceph/osd_client.c

  Log Message:
  -----------
  ceph: use info returned by get_authorizer

Rather than passing a bunch of arguments to be filled in with the
content of the ceph_auth_handshake buffer now returned by the
get_authorizer method, just use the returned information in the
caller, and drop the unnecessary arguments.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit 8f43fb53894079bf0caab6e348ceaffe7adc651a)


  Commit: c2e244c4230e713af9e4eb7105a77fb3bb99aaed
      https://github.com/ceph/ceph-client/commit/c2e244c4230e713af9e4eb7105a77fb3bb99aaed
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  ceph: return pointer from prepare_connect_authorizer()

Change prepare_connect_authorizer() so it returns a pointer (or
pointer-coded error).

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit 729796be9190f57ca40ccca315e8ad34a1eb8fef)


  Commit: 7d2e1939f76de41e5469325d65b76429c819e662
      https://github.com/ceph/ceph-client/commit/7d2e1939f76de41e5469325d65b76429c819e662
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  ceph: rename prepare_connect_authorizer()

Change the name of prepare_connect_authorizer().  The next
patch is going to make this function no longer add anything to the
connection's out_kvec, so it will no longer fit the pattern of
the rest of the prepare_connect_*() functions.

In addition, pass the address of a variable that will hold the
authorization protocol to use.  Move the assignment of that to the
connection's out_connect structure into prepare_write_connect().

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit dac1e716c60161867a47745bca592987ca3a9cb2)


  Commit: 5a1863192f4958536bdba9c218dc6ce5cd9a4129
      https://github.com/ceph/ceph-client/commit/5a1863192f4958536bdba9c218dc6ce5cd9a4129
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  ceph: add auth buf in prepare_write_connect()

Move the addition of the authorizer buffer to a connection's
out_kvec out of get_connect_authorizer() and into its caller.  This
way, the caller--prepare_write_connect()--can avoid adding the
connect header to out_kvec before it has been fully initialized.

Prior to this patch, it was possible for a connect header to be
sent over the wire before the authorizer protocol or buffer length
fields were initialized.  An authorizer buffer associated with that
header could also be queued to send only after the connection header
that describes it was on the wire.

Fixes http://tracker.newdream.net/issues/2424

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>

Conflicts (resolved):
	net/ceph/messenger.c


  Commit: 4fc7d281b9faa6fe1f9d28aeecbbe4f132d3346d
      https://github.com/ceph/ceph-client/commit/4fc7d281b9faa6fe1f9d28aeecbbe4f132d3346d
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/osd_client.c

  Log Message:
  -----------
  libceph: avoid unregistering osd request when not registered

There is a race between two __unregister_request() callers: the
reply path and the ceph_osdc_wait_request().  If we get a reply
*and* the timeout expires at roughly the same time, both callers
will try to unregister the request, and the second one will do bad
things.

Simply check if the request is still already unregistered; if so,
return immediately and do nothing.

Fixes http://tracker.newdream.net/issues/2420

Signed-off-by: Sage Weil <sage at inktank.com>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit 35f9f8a09e1e88e31bd34a1e645ca0e5f070dd5c)


  Commit: 87641e31660bd57e9ec78795d85eab8eedcad12b
      https://github.com/ceph/ceph-client/commit/87641e31660bd57e9ec78795d85eab8eedcad12b
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/osdmap.c

  Log Message:
  -----------
  libceph: fix pg_temp updates

Usually, we are adding pg_temp entries or removing them.  Occasionally they
update.  In that case, osdmap_apply_incremental() was failing because the
rbtree entry already exists.

Fix by removing the existing entry before inserting a new one.

Fixes http://tracker.newdream.net/issues/2446

Signed-off-by: Sage Weil <sage at inktank.com>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit 6bd9adbdf9ca6a052b0b7455ac67b925eb38cfad)


  Commit: 2a514aaac788997f9c949809a1ed630dbb93a4dd
      https://github.com/ceph/ceph-client/commit/2a514aaac788997f9c949809a1ed630dbb93a4dd
  Author: Yan, Zheng <zheng.z.yan at intel.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M fs/ceph/addr.c

  Log Message:
  -----------
  ceph: check PG_Private flag before accessing page->private

I got lots of NULL pointer dereference Oops when compiling kernel on ceph.
The bug is because the kernel page migration routine replaces some pages
in the page cache with new pages, these new pages' private can be non-zero.

Signed-off-by: Zheng Yan <zheng.z.yan at intel.com>
Signed-off-by: Sage Weil <sage at inktank.com>
(cherry picked from commit 28c0254ede13ab575d2df5c6585ed3d4817c3e6b)


  Commit: dbbf60ad274475b13f672c538b4a8862471755a6
      https://github.com/ceph/ceph-client/commit/dbbf60ad274475b13f672c538b4a8862471755a6
  Author: Yan, Zheng <zheng.z.yan at intel.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M drivers/block/rbd.c

  Log Message:
  -----------
  rbd: Fix ceph_snap_context size calculation

ceph_snap_context->snaps is an u64 array

Signed-off-by: Zheng Yan <zheng.z.yan at intel.com>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit f9f9a1904467816452fc70740165030e84c2c659)


  Commit: ec2ac3271e873bf9676657a7c85f9c955f3406d7
      https://github.com/ceph/ceph-client/commit/ec2ac3271e873bf9676657a7c85f9c955f3406d7
  Author: Dan Carpenter <dan.carpenter at oracle.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M drivers/block/rbd.c

  Log Message:
  -----------
  rbd: endian bug in rbd_req_cb()

Sparse complains about this because:
drivers/block/rbd.c:996:20: warning: cast to restricted __le32
drivers/block/rbd.c:996:20: warning: cast from restricted __le16

These are set in osd_req_encode_op() and they are le16.

Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit 895cfcc810e53d7d36639969c71efb9087221167)


  Commit: 27c0831e07c93fce0156426fb959d2dcfe45e77f
      https://github.com/ceph/ceph-client/commit/27c0831e07c93fce0156426fb959d2dcfe45e77f
  Author: Alex Elder <elder at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/osd_client.c

  Log Message:
  -----------
  libceph: osd_client: don't drop reply reference too early

In ceph_osdc_release_request(), a reference to the r_reply message
is dropped.  But just after that, that same message is revoked if it
was in use to receive an incoming reply.  Reorder these so we are
sure we hold a reference until we're actually done with the message.

Signed-off-by: Alex Elder <elder at inktank.com>
Reviewed-by: Sage Weil <sage at inktank.com>
(cherry picked from commit ab8cb34a4b2f60281a4b18b1f1ad23bc2313d91b)


  Commit: 9c503a9d0b9b12961f6d5b835456606fdfd9be3a
      https://github.com/ceph/ceph-client/commit/9c503a9d0b9b12961f6d5b835456606fdfd9be3a
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/osd_client.c

  Log Message:
  -----------
  libceph: use con get/put ops from osd_client

There were a few direct calls to ceph_con_{get,put}() instead of the con
ops from osd_client.c.  This is a bug since those ops aren't defined to
be ceph_con_get/put.

This breaks refcounting on the ceph_osd structs that contain the
ceph_connections, and could lead to all manner of strangeness.

The purpose of the ->get and ->put methods in a ceph connection are
to allow the connection to indicate it has a reference to something
external to the messaging system, *not* to indicate something
external has a reference to the connection.

[elder at inktank.com: added that last sentence]

Signed-off-by: Sage Weil <sage at newdream.net>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit 0d47766f14211a73eaf54cab234db134ece79f49)


  Commit: 5548cd7e504a181e48d1dc2f284bc6229f5d5f90
      https://github.com/ceph/ceph-client/commit/5548cd7e504a181e48d1dc2f284bc6229f5d5f90
  Author: Yan, Zheng <zheng.z.yan at intel.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/messenger.c

  Log Message:
  -----------
  rbd: Clear ceph_msg->bio_iter for retransmitted message

The bug can cause NULL pointer dereference in write_partial_msg_pages

Signed-off-by: Zheng Yan <zheng.z.yan at intel.com>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit 43643528cce60ca184fe8197efa8e8da7c89a037)


  Commit: 2f9b4f2fd7a420bbb2b4102a3954f6f959f2a9af
      https://github.com/ceph/ceph-client/commit/2f9b4f2fd7a420bbb2b4102a3954f6f959f2a9af
  Author: Sage Weil <sage at inktank.com>
  Date:   2012-07-17 (Tue, 17 Jul 2012)

  Changed paths:
    M net/ceph/ceph_common.c
    M net/ceph/mon_client.c

  Log Message:
  -----------
  libceph: flush msgr queue during mon_client shutdown

We need to flush the msgr workqueue during mon_client shutdown to
ensure that any work affecting our embedded ceph_connection is
finished so that we can be safely destroyed.

Previously, we were flushing the work queue after osd_client
shutdown and before mon_client shutdown to ensure that any osd
connection refs to authorizers are flushed.  Remove the redundant
flush, and document in the comment that the mon_client flush is
needed to cover that case as well.

Signed-off-by: Sage Weil <sage at inktank.com>
Reviewed-by: Alex Elder <elder at inktank.com>
(cherry picked from commit f3dea7edd3d449fe7a6d402c1ce56a294b985261)


Compare: https://github.com/ceph/ceph-client/compare/c84299b8ddb3^...2f9b4f2fd7a4


More information about the Ceph-commit mailing list