Commit Graph

336016 Commits

Author SHA1 Message Date
Tommi Rantala
6e51fe7572 sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
Consider the following program, that sets the second argument to the
sendto() syscall incorrectly:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;
 }

We get -ENOMEM:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)

Propagate the error code from sctp_user_addto_chunk(), so that we will
tell user space what actually went wrong:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)

Noticed while running Trinity (the syscall fuzzer).

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28 11:11:17 -05:00
Tommi Rantala
be364c8c0f sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;
 }

As far as I can tell, the leak has been around since ~2003.

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28 11:10:09 -05:00
Eric Dumazet
b49d3c1e1c net: ipmr: limit MRT_TABLE identifiers
Names of pimreg devices are built from the following format:

char name[IFNAMSIZ]; // IFNAMSIZ == 16

sprintf(name, "pimreg%u", mrt->id);

We must therefore limit mrt->id to 9 decimal digits
or risk a buffer overflow and a crash.

Restrict table identifiers in [0 ... 999999999] interval.

Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-26 17:36:59 -05:00
Neal Cardwell
e1a676424c ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow()
inet_getpeer_v4() can return NULL under OOM conditions, and while
inet_peer_xrlim_allow() is OK with a NULL peer, inet_putpeer() will
crash.

This code path now uses the same idiom as the others from:
1d861aa4b3 ("inet: Minimize use of
cached route inetpeer.").

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-26 17:24:41 -05:00
Oliver Hartkopp
81b401100c can: bcm: initialize ifindex for timeouts without previous frame reception
Set in the rx_ifindex to pass the correct interface index in the case of a
message timeout detection. Usually the rx_ifindex value is set at receive
time. But when no CAN frame has been received the RX_TIMEOUT notification
did not contain a valid value.

Cc: linux-stable <stable@vger.kernel.org>
Reported-by: Andre Naujoks <nautsch2@googlemail.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2012-11-26 22:33:59 +01:00
Oliver Hartkopp
c9faaa09e2 can: peak_usb: fix hwtstamp assignment
The skb->tstamp is set to the hardware timestamp when available in the USB
urb message. This leads to user visible timestamps which contain the 'uptime'
of the USB adapter - and not the usual system generated timestamp.

Fix this wrong assignment by applying the available hardware timestamp to the
skb_shared_hwtstamps data structure - which is intended for this purpose.

Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2012-11-26 22:33:06 +01:00
Linus Torvalds
194d9831f0 Sound fix #2 for 3.7-rc7
Only a single commit for fixing the build error without CONFIG_PM
 in hda driver.

Merge tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound build error fix from Takashi Iwai:
 "Only a single commit for fixing the build error without CONFIG_PM in
  hda driver."

* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Fix build without CONFIG_PM
2012-11-24 08:32:11 -10:00
Takashi Iwai
d846b17475 ALSA: hda - Fix build without CONFIG_PM
I forgot this again...  codec->in_pm is in #ifdef CONFIG_PM

Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-11-24 12:00:43 +01:00
Linus Torvalds
2654ad44b5 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 arch fixes from Peter Anvin:
 "Here is a collection of fixes for 3.7-rc7.  This is a superset of
  tglx' earlier pull request."

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86-64: Fix ordering of CFI directives and recent ASM_CLAC additions
  x86, microcode, AMD: Add support for family 16h processors
  x86-32: Export kernel_stack_pointer() for modules
  x86-32: Fix invalid stack address while in softirq
  x86, efi: Fix processor-specific memcpy() build error
  x86: remove dummy long from EFI stub
  x86, mm: Correct vmflag test for checking VM_HUGETLB
  x86, amd: Disable way access filter on Piledriver CPUs
  x86/mce: Do not change worker's running cpu in cmci_rediscover().
  x86/ce4100: Fix PCI configuration register access for devices without interrupts
  x86/ce4100: Fix reboot by forcing the reboot method to be KBD
  x86/ce4100: Fix pm_poweroff
  MAINTAINERS: Update email address for Robert Richter
  x86, microcode_amd: Change email addresses, MAINTAINERS entry
  MAINTAINERS: Change Boris' email address
  EDAC: Change Boris' email address
  x86, AMD: Change Boris' email address
2012-11-23 20:03:14 -10:00
Linus Torvalds
35f95d228e Most important part of this is that it fixes a regression in Samsung
NAND chip detection, introduced by some rework which went into 3.7. The
 initial fix wasn't quite complete, so it's in two parts. In fact the
 first part is committed twice (Artem committed his own copy of the same
 patch) and I've merged Artem's tree into mine which already had that fix.
 
 I'd have recommitted that to make it somewhat cleaner, but figured by
 this point in the release cycle it was better to merge *exactly* the
 commits which have been in linux-next.
 
 If I'd recommitted, I'd also omit the sparse warning fix. But it's there,
 and it's harmless — just marking one function as 'static' in onenand code.
 
 This also includes a couple more fixes for stable: an AB-BA deadlock in
 JFFS2, and an invalid range check in slram.

Merge tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6

Pull MTD fixes from David Woodhouse:
 "The most important part of this is that it fixes a regression in
  Samsung NAND chip detection, introduced by some rework which went into
  3.7.  The initial fix wasn't quite complete, so it's in two parts.  In
  fact the first part is committed twice (Artem committed his own copy
  of the same patch) and I've merged Artem's tree into mine which
  already had that fix.

  I'd have recommitted that to make it somewhat cleaner, but figured by
  this point in the release cycle it was better to merge *exactly* the
  commits which have been in linux-next.

  If I'd recommitted, I'd also omit the sparse warning fix.  But it's
  there, and it's harmless — just marking one function as 'static' in
  onenand code.

  This also includes a couple more fixes for stable: an AB-BA deadlock
  in JFFS2, and an invalid range check in slram."

* tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6:
  mtd: nand: fix Samsung SLC detection regression
  mtd: nand: fix Samsung SLC NAND identification regression
  jffs2: Fix lock acquisition order bug in jffs2_write_begin
  mtd: onenand: Make flexonenand_set_boundary static
  mtd: slram: invalid checking of absolute end address
  mtd: ofpart: Fix incorrect NULL check in parse_ofoldpart_partitions()
  mtd: nand: fix Samsung SLC NAND identification regression
2012-11-23 15:12:17 -10:00
Linus Torvalds
5e351cdc99 Device tree regression fix for v3.7
Simple build regression fix for DT device drivers on Sparc. An earlier
 change had masked out the of_iomap() helper on SPARC.

Merge tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux-2.6

Pull device tree regression fix from Grant Likely:
 "Simple build regression fix for DT device drivers on Sparc.  An
  earlier change had masked out the of_iomap() helper on SPARC."

* tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux-2.6:
  of/address: sparc: Declare of_iomap as an extern function for sparc again
2012-11-23 12:36:06 -10:00
Linus Torvalds
a0543d6438 Power management update for 3.7-rc7
Fix for an incorrect error condition check in device PM QoS code
 that may lead to an Oops from Guennadi Liakhovetski.

Merge tag 'pm-for-3.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management update from Rafael Wysocki:
 "Fix for an incorrect error condition check in device PM QoS code that
  may lead to an Oops from Guennadi Liakhovetski."

* tag 'pm-for-3.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / QoS: fix wrong error-checking condition
2012-11-23 12:16:43 -10:00
Linus Torvalds
1d838d70fb Several bug fixes for md in 3.7
- raid5 discard has problems
  - raid10 replacement devices have problems
  - bad block lock seqlock usage has problems
  - dm-raid doesn't free everything

Merge tag 'md-3.7-fixes' of git://neil.brown.name/md

Pull md fixes from NeilBrown:
 "Several bug fixes for md in 3.7:

   - raid5 discard has problems
   - raid10 replacement devices have problems
   - bad block lock seqlock usage has problems
   - dm-raid doesn't free everything"

* tag 'md-3.7-fixes' of git://neil.brown.name/md:
  md/raid10: decrement correct pending counter when writing to replacement.
  md/raid10: close race that lose writes lost when replacement completes.
  md/raid5: Make sure we clear R5_Discard when discard is finished.
  md/raid5: move resolving of reconstruct_state earlier in stripe_handle.
  md/raid5: round discard alignment up to power of 2.
  md: make sure everything is freed when dm-raid stops an array.
  md: Avoid write invalid address if read_seqretry returned true.
  md: Reassigned the parameters if read_seqretry returned true in func md_is_badblock.
2012-11-23 12:11:13 -10:00
Linus Torvalds
a8946afe5a Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block layer fixes from Jens Axboe:
 "Distilled down version of bug fixes for 3.7.  The patches have been
  well tested.  If you notice that commit dates are from today, it's
  because I pulled less important bits out and shuffled them into the
  3.8 mix.  Apart from that, no changes, base still the same.

  It contains:

   - Fix for aoe, don't run request_fn while it's plugged.

   - Fix for a regression in floppy since 3.6, which causes problems if
     no floppy is found.

   - Stable fix for blk_exec(), don't touch a request after it has been
     sent to the scheduler (and the device as well).

   - Five fixes for various nasties in mtip32xx."

* 'for-linus' of git://git.kernel.dk/linux-block:
  block: Don't access request after it might be freed
  mtip32xx: Fix padding issue
  aoe: avoid running request handler on plugged queue
  mtip32xx: fix potential NULL pointer dereference in mtip_timeout_function()
  mtip32xx: fix shift larger than type warning
  mtip32xx: Fix incorrect mask used for erase mode
  mtip32xx: Fix to make lba address correct in big-endian systems
  mtip32xx: fix potential crash on SEC_ERASE_UNIT
  dm: fix deadlock with request based dm and queue request_fn recursion
  floppy: destroy floppy workqueue before cleaning up the queue
2012-11-23 12:06:05 -10:00
Andreas Larsson
0e622d3919 of/address: sparc: Declare of_iomap as an extern function for sparc again
This bug-fix makes sure that of_iomap is defined extern for sparc so that the
sparc-specific implementation of_iomap is once again used when including
include/linux/of_address.h in a sparc context. OF_GPIO that is now available for
sparc relies on this.

The bug was inadvertently introduced in a850a75, "of/address: add empty static
inlines for !CONFIG_OF", that added a static dummy inline for of_iomap when
!CONFIG_OF_ADDRESS. However, CONFIG_OF_ADDRESS is never defined for sparc, but
there is a sparc-specific implementation /arch/sparc/kernel/of_device_common.c.

This fix takes the same approach as 0bce04b that solved the equivalent problem
for of_address_to_resource.

Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
2012-11-23 22:01:15 +00:00
Linus Torvalds
f789dcc75c omapdss fixes for 3.7-rc

Merge tag 'omapdss-for-3.7-rc' of git://gitorious.org/linux-omap-dss2/linux

Pull omapdss fixes from Tomi Valkeinen:
 "Here are a few OMAPDSS fixes for the next -rc.  I'm sending these
  directly to you, and quite late, as the fbdev tree maintainer
  (Florian) has been busy with his work and hasn't had time to manage
  the fb patches."

* tag 'omapdss-for-3.7-rc' of git://gitorious.org/linux-omap-dss2/linux:
  OMAPDSS: do not fail if dpll4_m4_ck is missing
  OMAPFB: Fix possible null pointer dereferencing
  OMAPDSS: HDMI: fix missing unlock on error in hdmi_dump_regs()
  omapdss: dss: Fix clocks on OMAP363x
  OMAPDSS: DSI: fix dsi_get_dsidev_from_id()
2012-11-23 12:01:02 -10:00
Linus Torvalds
33f1459340 Merge branch 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
 "Bugfixes for the i2c subsystem.

  Except for a few one-liners, there is mainly one revert because of an
  overlooked dependency.  Since there is no linux-next at the moment, I
  did some extra testing, and all was fine for me."

* 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux:
  i2c: mxs: Handle i2c DMA failure properly
  i2c: s3c2410: Fix code to free gpios
  i2c: omap: ensure writes to dev->buf_len are ordered
  Revert "ARM: OMAP: convert I2C driver to PM QoS for MPU latency constraints"
  i2c: at91: fix SMBus quick command
2012-11-23 11:59:26 -10:00
Linus Torvalds
f470b8c258 Sound fixes for 3.7-rc7
The highlight of this update is the fixes for ASoC kirkwood by Russell.
 In addition to that, a couple of regression fixes for HD-audio due to
 the runtime PM support on 3.7, and other driver-specific regression
 fixes like USB MIDI on non-standard USB audio drivers.

Merge tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "The highlight of this update is the fixes for ASoC kirkwood by
  Russell.  In addition to that, a couple of regression fixes for
  HD-audio due to the runtime PM support on 3.7, and other driver-
  specific regression fixes like USB MIDI on non-standard USB audio
  drivers."

* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: snd-usb: properly initialize the sync endpoint
  ALSA: hda - Cirrus: Correctly clear line_out_pins when moving to speaker
  ALSA: hda - Add support for Realtek ALC292
  ASoC: kirkwood-i2s: more pause-mode fixes
  ASoC: kirkwood-i2s: fix DMA underruns
  ASoC: kirkwood-i2s: fix DCO lock detection
  ASoC: kirkwood-dma: don't ignore other irq causes on error
  ASoC: kirkwood-dma: fix use of virt_to_phys()
  ALSA: hda - Limit runtime PM support only to known Intel chips
  ALSA: hda - Fix recursive suspend/resume call
  ALSA: ua101, usx2y: fix broken MIDI output
  ASoC: arizona: Fix typo - Swap value in 48k_rates[] and 44k1_rates[]
  ASoC: bells: Fix up git patch application failure
  ASoC: cs4271: free allocated GPIO
2012-11-23 11:58:28 -10:00
Linus Torvalds
eb5aaedd8b Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
 "Networking bug fixes, Cacio e Pepe edition:

  1) BNX2X accidentally accesses chip rev specific registers without an
     appropriate guard, fix from Ariel Elior.

  2) When we removed the routing cache, we set ip_rt_max_size to ~0 just
     to keep reporting a value to userspace via sysfs.  But the ipv4
     IPSEC layer was using this to tune itself which is completely bogus
     to now do.  Fix from Steffen Klassert.

  3) Missing initialization in netfilter ipset code from Jozsef
     Kadlecsik.

  4) Check CTA_TIMEOUT_NAME length properly in netfilter cttimeout code,
     fix from Florian Westphal.

  5) After removing the routing cache, we inadvertently are caching
     multicast routes that end up looping back locally, we cannot do
     that legitimately any more.  Fix from Julian Anastasov.

  6) Revert a race fix for 8139cp qemu/kvm that doesn't actually work
     properly on real hardware.  From Francois Romieu.

  7) Fixup errors in example command lines in VXLAN device docs."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  bnx2x: remove redundant warning log
  vxlan: fix command usage in its doc
  8139cp: revert "set ring address before enabling receiver"
  ipv4: do not cache looped multicasts
  netfilter: cttimeout: fix buffer overflow
  netfilter: ipset: Fix range bug in hash:ip,port,net
  xfrm: Fix the gc threshold value for ipv4
2012-11-23 11:55:49 -10:00
Linus Torvalds
f3a443af9e Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc
Pull sparc fix from David Miller:
 "Bug fix from Al Viro"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
  sparc64: not any error from do_sigaltstack() should fail rt_sigreturn()
2012-11-23 11:55:09 -10:00
Linus Torvalds
45aaff0679 ARM: SoC fixes for 3.7
I missed one pull request from Samsung with one fix in the previous
 batch. Here it is -- a dma driver fix for an early version of silicon
 that they still support.

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull one more ARM SoC fix from Olof Johansson:
 "I missed one pull request from Samsung with one fix in the previous
  batch.  Here it is -- a dma driver fix for an early version of silicon
  that they still support."

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: EXYNOS: PL330 MDMA1 fix for revision 0 of Exynos4210 SOC
2012-11-23 11:54:22 -10:00
Guennadi Liakhovetski
a7227a0faa PM / QoS: fix wrong error-checking condition
dev_pm_qos_add_request() can return 0, 1, or a negative error code,
therefore the correct error test is "if (error < 0)." Checking just for
non-zero return code leads to erroneous setting of the req->dev pointer
to NULL, which then leads to a repeated call to
dev_pm_qos_add_ancestor_request() in st1232_ts_irq_handler(). This in turn
leads to an Oops, when the I2C host adapter is unloaded and reloaded again
because of the inconsistent state of its QoS request list.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2012-11-23 20:55:06 +01:00
Ariel Elior
4a25417c20 bnx2x: remove redundant warning log
Fix bug where a register which was only meant to be read in 578xx/57712
devices causes a bogus error message to be logged when read from other
devices.

Signed-off-by: Ariel Elior <ariele@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-23 14:17:36 -05:00
Zhi Yong Wu
cc9b310165 vxlan: fix command usage in its doc
Some commands don't work in its example doc. The patch will fix it.

Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-23 14:03:04 -05:00
françois romieu
b26623dab7 8139cp: revert "set ring address before enabling receiver"
This patch reverts b01af4579e.

The original patch was tested with emulated hardware. Real
hardware chokes.

Fixes https://bugzilla.kernel.org/show_bug.cgi?id=47041

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Acked-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-23 13:59:43 -05:00
Roland Dreier
893d290f1d block: Don't access request after it might be freed
After we've done __elv_add_request() and __blk_run_queue() in
blk_execute_rq_nowait(), the request might finish and be freed
immediately.  Therefore checking if the type is REQ_TYPE_PM_RESUME
isn't safe afterwards, because if it isn't, rq might be gone.
Instead, check beforehand and stash the result in a temporary.

This fixes crashes in blk_execute_rq_nowait() I get occasionally when
running with lots of memory debugging options enabled -- I think this
race is usually harmless because the window for rq to be reallocated
is so small.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Selvan Mani
836413e8c7 mtip32xx: Fix padding issue
Hi Jens,

Another tiny patch.

Removed __packed before the struct smart_attr and added __packed at end of
the structure to fix padding issue.

Signed-off-by: Selvan Mani  <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Ed Cashin
11cfb6ff73 aoe: avoid running request handler on plugged queue
Calling the request handler directly on a plugged queue defeats
the performance improvements provided by the plugging mechanism.
Use the __blk_run_queue function instead of calling the request
handler directly, so that we don't interfere with the block
layer's ability to plug the queue.

Signed-off-by: Ed Cashin <ecashin@coraid.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Wei Yongjun
298d80152c mtip32xx: fix potential NULL pointer dereference in mtip_timeout_function()
The dereference to port should be moved below the NULL test.

dpatch engine is used to auto generate this patch.
(https://github.com/weiyj/dpatch)

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Jens Axboe
7c5d62388e mtip32xx: fix shift larger than type warning
If we're building a 32-bit kernel and CONFIG_LBADF isn't set,
sector_t is 32-bits wide. The shifts by 32 and 40 are thus
larger than we support.

Cast the sector offset to a u64 to avoid these warnings.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Selvan Mani
4b9e884523 mtip32xx: Fix incorrect mask used for erase mode
The previous commit used value 3 for the erasemode mask.
Changing the mask to the correct value, 2.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Selvan Mani
eda4531492 mtip32xx: Fix to make lba address correct in big-endian systems
Earlier lba address was assigned directly to lba_low and lba_low_ex,
which would result in a different number (bytes reversed) in
big-endian systems. Now assigning lba address byte-by-byte to fis.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:55 +01:00
Selvan Mani
3208795e61 mtip32xx: fix potential crash on SEC_ERASE_UNIT
The mtip driver lifted this code from elsewhere and then added a special
handling check for SEC_ERASE_UNIT. If the caller tries to do a security
erase but passes no output data for the command then outbuf is not
allocated and the driver duly explodes.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:54 +01:00
Jens Axboe
a8c32a5c98 dm: fix deadlock with request based dm and queue request_fn recursion
Request based dm attempts to re-run the request queue off the
request completion path. If used with a driver that potentially does
end_io from its request_fn, we could deadlock trying to recurse
back into request dispatch. Fix this by punting the request queue
run to kblockd.

Tested to fix a quickly reproducible deadlock in such a scenario.

Cc: stable@kernel.org
Acked-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:54 +01:00
Jiri Kosina
eac7cc52c6 floppy: destroy floppy workqueue before cleaning up the queue
We need to first destroy the floppy_wq workqueue before cleaning up
the queue. Otherwise we might race with still pending work on the
workqueue, with the whole block queue already gone. This might lead to
various oopses, such as

 CPU 0
 Pid: 6, comm: kworker/u:0 Not tainted 3.7.0-rc4 #1 Bochs Bochs
 RIP: 0010:[<ffffffff8134eef5>]  [<ffffffff8134eef5>] blk_peek_request+0xd5/0x1c0
 RSP: 0000:ffff88000dc7dd88  EFLAGS: 00010092
 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
 RDX: ffff88000f602688 RSI: ffffffff81fd95d8 RDI: 6b6b6b6b6b6b6b6b
 RBP: ffff88000dc7dd98 R08: ffffffff81fd95c8 R09: 0000000000000000
 R10: ffffffff81fd9480 R11: 0000000000000001 R12: 6b6b6b6b6b6b6b6b
 R13: ffff88000dc7dfd8 R14: ffff88000dc7dfd8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
 CR2: 0000000000000000 CR3: 0000000001e11000 CR4: 00000000000006f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 Process kworker/u:0 (pid: 6, threadinfo ffff88000dc7c000, task ffff88000dc5ecc0)
 Stack:
  0000000000000000 0000000000000000 ffff88000dc7ddb8 ffffffff8134efee
  ffff88000dc7ddb8 0000000000000000 ffff88000dc7dde8 ffffffff814aef3c
  ffffffff81e75d80 ffff88000dc0c640 ffff88000fbfb000 ffffffff814aed90
 Call Trace:
  [<ffffffff8134efee>] blk_fetch_request+0xe/0x30
  [<ffffffff814aef3c>] redo_fd_request+0x1ac/0x400
  [<ffffffff814aed90>] ? start_motor+0x130/0x130
  [<ffffffff8106b526>] process_one_work+0x136/0x450
  [<ffffffff8106af65>] ? manage_workers+0x205/0x2e0
  [<ffffffff8106bb6d>] worker_thread+0x14d/0x420
  [<ffffffff8106ba20>] ? rescuer_thread+0x1a0/0x1a0
  [<ffffffff8107075a>] kthread+0xba/0xc0
  [<ffffffff810706a0>] ? __kthread_parkme+0x80/0x80
  [<ffffffff818b553a>] ret_from_fork+0x7a/0xb0
  [<ffffffff810706a0>] ? __kthread_parkme+0x80/0x80
 Code: 0f 84 c0 00 00 00 83 f8 01 0f 85 e2 00 00 00 81 4b 40 00 00 80 00 48 89 df e8 58 f8 ff ff be fb ff ff ff
 fe ff ff <49> 8b 1c 24 49 39 dc 0f 85 2e ff ff ff 41 0f b6 84 24 28 04 00
 RIP  [<ffffffff8134eef5>] blk_peek_request+0xd5/0x1c0
  RSP <ffff88000dc7dd88>

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2012-11-23 14:32:54 +01:00
Linus Torvalds
26d29d06ea Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input updates from Dmitry Torokhov:
 "This fixes recent regression where /dev/input/mice got assigned wrong
  device node which messed up setups with static /dev, and a regression
  in ads7846 GPIO debounce setup."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  ARM - OMAP: ads7846: fix pendown debounce setting
  Input: ads7846 - enable pendown GPIO debounce time setting
  Input: mousedev - move /dev/input/mice to the correct minor
  Input: MT - document new 'flags' argument of input_mt_init_slots()
2012-11-22 21:45:34 -10:00
Olof Johansson
c667f757f3 Merge branch 'v3.7-samsung-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung into fixes
From Kukjin Kim:

Here are the Samsung fixes for v3.7; they fix the mdma1 address
for the exynos4210 rev0 SoC.

* 'v3.7-samsung-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
  ARM: EXYNOS: PL330 MDMA1 fix for revision 0 of Exynos4210 SOC

Signed-off-by: Olof Johansson <olof@lixom.net>
2012-11-22 20:43:37 -08:00
Marek Vasut
958f988995 i2c: mxs: Handle i2c DMA failure properly
Properly terminate the DMA transfer in case the DMA PIO transfer
or setup fails for any reason.

Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
2012-11-22 23:03:34 +01:00
Julian Anastasov
636174219b ipv4: do not cache looped multicasts
Starting from 3.6 we cache output routes for
multicasts only when using route to 224/4. For local receivers
we can set RTCF_LOCAL flag depending on the membership but
in such case we use maddr and saddr which are not caching
keys as before. Additionally, we can not use same place to
cache routes that differ in RTCF_LOCAL flag value.

	Fix it by caching only RTCF_MULTICAST entries
without RTCF_LOCAL (send-only, no loopback). As a side effect,
we avoid unneeded lookup for fnhe when not caching because
multicasts are not redirected and they do not learn PMTU.

	Thanks to Maxime Bizon for showing the caching
problems in __mkroute_output for 3.6 kernels: different
RTCF_LOCAL flag in cache can lead to wrong ip_mc_output or
ip_output call and the visible problem is that traffic can
not reach local receivers via loopback.

Reported-by: Maxime Bizon <mbizon@freebox.fr>
Tested-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-22 16:06:49 -05:00
David S. Miller
84ec95b047 Merge branch 'master' of git://1984.lsi.us.es/nf
Pablo Neira Ayuso says:

====================
The following patchset contains two Netfilter fixes:

* Fix buffer overflow in the name of the timeout policy object
  in the cttimeout infrastructure, from Florian Westphal.

* Fix a bug in the hash set in case that IP ranges are
  specified, from Jozsef Kadlecsik.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-22 15:27:18 -05:00
David S. Miller
5e7873d145 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:

====================
This pull request is intended for 3.7 and contains a single patch to
fix the IPsec gc threshold value for ipv4.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-22 15:24:30 -05:00
Daniel Mack
947d299686 ALSA: snd-usb: properly initialize the sync endpoint
Jeffrey Barish reported an obvious bug in the pcm part of the usb-audio
driver which causes the code to not initialize the sync endpoint from
configure_endpoint().

Reported-by: Jeffrey Barish <jeff_barish@earthlink.net>
Signed-off-by: Daniel Mack <zonque@gmail.com>
Cc: stable@kernel.org [3.5+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-11-22 21:22:33 +01:00
Linus Torvalds
5a903166dd ARM: SoC fixes for 3.7
A few more fixes for final 3.7. Two dealing with pinmux setup on OMAP, and
 one dealing with TV output on DaVinci. And one small MAINTAINER update.

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "A few more fixes for final 3.7.  Two dealing with pinmux setup on
  OMAP, and one dealing with TV output on DaVinci.  And one small
  MAINTAINER update."

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: davinci: dm644x: fix out range signal for ED
  ARM: OMAP4: TWL: mux sys_drm_msecure as output for PMIC
  ARM: OMAP3: igep0020: Set WIFI/BT GPIO pins in correct mux mode
  ARM: OMAP: Add maintainer entry for IGEP machines
2012-11-22 09:22:13 -10:00
Linus Torvalds
b80d60e1c3 PARISC fixes on 20121122
This is two bug fixes: one fixes a loophole where rt_sigprocmask() with the
 wrong values panics the box (Denial of Service) and the other fixes an
 aliasing problem with get_shared_area() which could cause data corruption.
 
 Signed-off-by: James Bottomley <JBottomley@Parallels.com>

Merge tag 'parisc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/parisc-2.6

Pull PARISC fixes from James Bottomley:
 "This is two bug fixes: one fixes a loophole where rt_sigprocmask()
  with the wrong values panics the box (Denial of Service) and the other
  fixes an aliasing problem with get_shared_area() which could cause
  data corruption.

  Signed-off-by: James Bottomley <JBottomley@Parallels.com>"

* tag 'parisc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/parisc-2.6:
  [PARISC] fix user-triggerable panic on parisc
  [PARISC] fix virtual aliasing issue in get_shared_area()
2012-11-22 09:16:29 -10:00
Linus Torvalds
a2d2eda7bf SCSI fixes on 20121122
This is a set of four bug fixes.  The isci one is an obvious thinko (using
 request buffer instead of response buffer) which causes a command to fail.
 The three others are DIF/DIX updates which are required because they're part
 of a series of ten patches, the other seven of which went into the block layer
 during the merge window meaning our current DIF/DIX implementation is broken
 without these three.
 
 Signed-off-by: James Bottomley <JBottomley@Parallels.com>

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is a set of four bug fixes.

  The isci one is an obvious thinko (using request buffer instead of
  response buffer) which causes a command to fail.

  The three others are DIF/DIX updates which are required because
  they're part of a series of ten patches, the other seven of which went
  into the block layer during the merge window meaning our current
  DIF/DIX implementation is broken without these three.

  Signed-off-by: James Bottomley <JBottomley@Parallels.com>"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  [SCSI] sd: Implement support for WRITE SAME
  [SCSI] sd: Permit merged discard requests
  [SCSI] Add a report opcode helper
  [SCSI] isci: copy fis 0x34 response into proper buffer
2012-11-22 09:14:54 -10:00
Linus Torvalds
0e0f092ef0 Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie.

Small fixes for (mostly Nouveau, some radeon) regressions.

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/nouveau: use the correct fence implementation for nv50
  drm/radeon: add new SI pci id
  radeon: add AGPMode 1 quirk for RV250
  drm/radeon: properly track the crtc not_enabled case evergreen_mc_stop()
  drm/nouveau/bios: fix DCB v1.5 parsing
  drm/nouveau: add missing pll_calc calls
  drm/nouveau: fix crash with noaccel=1
  drm/nv40: allocate ctxprog with kmalloc
  drm/nvc0/disp: fix thinko in vblank regression fix..
2012-11-22 09:14:24 -10:00
Aaro Koskinen
8ad9375f8b OMAPDSS: do not fail if dpll4_m4_ck is missing
Do not fail if dpll4_m4_ck is missing. The clock is not there on omap24xx,
so this should not be a hard error.

The patch retains the functionality before the commit 185bae10 (OMAPDSS:
DSS: Cleanup cpu_is_xxxx checks).

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
2012-11-22 17:23:12 +02:00
Al Viro
441a179daf [PARISC] fix user-triggerable panic on parisc
int sys32_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset,
                                    unsigned int sigsetsize)
{
        sigset_t old_set, new_set;
        int ret;

        if (set && get_sigset32(set, &new_set, sigsetsize))

...
static int
get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
{
        compat_sigset_t s;
        int r;

        if (sz != sizeof *set) panic("put_sigset32()");

In other words, rt_sigprocmask(69, (void *)69, 69) done by a 32bit process
will promptly panic the box.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-11-22 09:33:12 +00:00
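The size check quoted in the commit above, reworked as an added userspace model; this is not the kernel's code or the actual patch. The type stand-ins, the `copy_in()` helper, the name `get_sigset32_checked` and the choice of -EINVAL as the error are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace stand-ins (assumptions) for the kernel types named in the commit. */
typedef struct { uint32_t sig[2]; } compat_sigset_t;  /* 32-bit layout */
typedef struct { uint64_t sig[1]; } sigset_t_model;   /* native layout */

/* Hypothetical stand-in for copy_from_user(): NULL models a bad pointer. */
static int copy_in(void *dst, const void *user_src, size_t n)
{
    if (user_src == NULL)
        return -EFAULT;
    memcpy(dst, user_src, n);
    return 0;
}

/*
 * Hardened shape of get_sigset32(): sz arrives straight from the caller,
 * so a mismatch is bad input to report, not a kernel invariant
 * violation to panic() on.
 */
int get_sigset32_checked(const compat_sigset_t *up, sigset_t_model *set, size_t sz)
{
    compat_sigset_t s;
    int r;

    if (sz != sizeof(*set))
        return -EINVAL;            /* caller-controlled: reject, do not panic */

    r = copy_in(&s, up, sizeof(s));
    if (r)
        return r;                  /* propagate -EFAULT unchanged */

    /* Widen the two 32-bit words into the native 64-bit word. */
    set->sig[0] = (uint64_t)s.sig[0] | ((uint64_t)s.sig[1] << 32);
    return 0;
}
```

With this shape, the rt_sigprocmask(69, (void *)69, 69) call from the commit message fails at the size check and the machine keeps running.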
NeilBrown
884162df2a md/raid10: decrement correct pending counter when writing to replacement.
When a write to a replacement device completes, we carefully
and correctly found the rdev that the write actually went to
and then blithely called rdev_dec_pending on the primary rdev,
even if this write was to the replacement.

This means that any writes to an array while a replacement
was ongoing would cause the nr_pending count for the primary
device to go negative, so it could never be removed.

This bug has been present since replacement was introduced in
3.3, so it is suitable for any -stable kernel since then.

Reported-by: "George Spelvin" <linux@horizon.com>
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neilb@suse.de>
2012-11-22 15:12:42 +11:00
NeilBrown
e7c0c3fa29 md/raid10: close race that lose writes lost when replacement completes.
When a replacement operation completes there is a small window
when the original device is marked 'faulty' and the replacement
still looks like a replacement.  The faulty should be removed and
the replacement moved in place very quickly, but it isn't instant.

So the code writing out to the array must handle the possibility that
the only working device for some slot is the replacement - but it
doesn't.  If the primary device is faulty it just gives up.  This
can lead to corruption.

So make the code more robust: if either the primary or the
replacement is present and working, write to them.  Only when
neither are present do we give up.

This bug has been present since replacement was introduced in
3.3, so it is suitable for any -stable kernel since then.

Reported-by: "George Spelvin" <linux@horizon.com>
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neilb@suse.de>
2012-11-22 15:12:36 +11:00