--- /dev/null
+From a134d228298c6aa9007205c6b81cae0cac0acb5d Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@tilera.com>
+Date: Wed, 16 May 2012 14:54:20 -0400
+Subject: arch/tile: apply commit 74fca9da0 to the compat signal handling as well
+
+From: Chris Metcalf <cmetcalf@tilera.com>
+
+commit a134d228298c6aa9007205c6b81cae0cac0acb5d upstream.
+
+This passes siginfo and mcontext to tilegx32 signal handlers that
+don't have SA_SIGINFO set just as we have been doing for tilegx64.
+
+Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/tile/kernel/compat_signal.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/arch/tile/kernel/compat_signal.c
++++ b/arch/tile/kernel/compat_signal.c
+@@ -406,19 +406,17 @@ int compat_setup_rt_frame(int sig, struc
+ * Set up registers for signal handler.
+ * Registers that we don't modify keep the value they had from
+ * user-space at the time we took the signal.
++ * We always pass siginfo and mcontext, regardless of SA_SIGINFO,
++ * since some things rely on this (e.g. glibc's debug/segfault.c).
+ */
+ regs->pc = ptr_to_compat_reg(ka->sa.sa_handler);
+ regs->ex1 = PL_ICS_EX1(USER_PL, 1); /* set crit sec in handler */
+ regs->sp = ptr_to_compat_reg(frame);
+ regs->lr = restorer;
+ regs->regs[0] = (unsigned long) usig;
+-
+- if (ka->sa.sa_flags & SA_SIGINFO) {
+- /* Need extra arguments, so mark to restore caller-saves. */
+- regs->regs[1] = ptr_to_compat_reg(&frame->info);
+- regs->regs[2] = ptr_to_compat_reg(&frame->uc);
+- regs->flags |= PT_FLAGS_CALLER_SAVES;
+- }
++ regs->regs[1] = ptr_to_compat_reg(&frame->info);
++ regs->regs[2] = ptr_to_compat_reg(&frame->uc);
++ regs->flags |= PT_FLAGS_CALLER_SAVES;
+
+ /*
+ * Notify any tracer that was single-stepping it.
--- /dev/null
+From 9b61a4d1b2064dbd0c9e61754305ac852170509f Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Wed, 16 May 2012 15:19:20 +0100
+Subject: ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit 9b61a4d1b2064dbd0c9e61754305ac852170509f upstream.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/fault.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -266,7 +266,9 @@ good_area:
+ return fault;
+
+ check_stack:
+- if (vma->vm_flags & VM_GROWSDOWN && !expand_stack(vma, addr))
++ /* Don't allow expansion below FIRST_USER_ADDRESS */
++ if (vma->vm_flags & VM_GROWSDOWN &&
++ addr >= FIRST_USER_ADDRESS && !expand_stack(vma, addr))
+ goto good_area;
+ out:
+ return fault;
--- /dev/null
+From 4e6304b8420aba5311ba21fd68dab2924ae4d91a Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw@redhat.com>
+Date: Mon, 7 May 2012 04:24:51 +0000
+Subject: cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN
+
+From: Dan Williams <dcbw@redhat.com>
+
+commit 4e6304b8420aba5311ba21fd68dab2924ae4d91a upstream.
+
+Needs to be tagged with FLAG_WWAN, which since it has generic
+descriptors, won't happen if we don't override the generic
+driver info.
+
+Cc: Oliver Neukum <oliver@neukum.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Williams <dcbw@redhat.com>
+Acked-by: Oliver Neukum <oliver@neukum.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cdc_ether.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -482,6 +482,7 @@ static const struct driver_info wwan_inf
+ /*-------------------------------------------------------------------------*/
+
+ #define HUAWEI_VENDOR_ID 0x12D1
++#define NOVATEL_VENDOR_ID 0x1410
+
+ static const struct usb_device_id products [] = {
+ /*
+@@ -599,6 +600,21 @@ static const struct usb_device_id produc
+ * because of bugs/quirks in a given product (like Zaurus, above).
+ */
+ {
++ /* Novatel USB551L */
++ /* This match must come *before* the generic CDC-ETHER match so that
++ * we get FLAG_WWAN set on the device, since it's descriptors are
++ * generic CDC-ETHER.
++ */
++ .match_flags = USB_DEVICE_ID_MATCH_VENDOR
++ | USB_DEVICE_ID_MATCH_PRODUCT
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = NOVATEL_VENDOR_ID,
++ .idProduct = 0xB001,
++ .bInterfaceClass = USB_CLASS_COMM,
++ .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET,
++ .bInterfaceProtocol = USB_CDC_PROTO_NONE,
++ .driver_info = (unsigned long)&wwan_info,
++}, {
+ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ETHERNET,
+ USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long) &cdc_info,
--- /dev/null
+From 6eddcb4c82883451aec3be1240f17793370fa62f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Thu, 26 Apr 2012 02:35:10 +0000
+Subject: cdc_ether: Ignore bogus union descriptor for RNDIS devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 6eddcb4c82883451aec3be1240f17793370fa62f upstream.
+
+Some RNDIS devices include a bogus CDC Union descriptor pointing
+to non-existing interfaces. The RNDIS code is already prepared
+to handle devices without a CDC Union descriptor by hardwiring
+the driver to use interfaces 0 and 1, which is correct for the
+devices with the bogus descriptor as well. So we can reuse the
+existing workaround.
+
+Cc: Markus Kolb <linux-201011@tower-net.de>
+Cc: Iker Salmón San Millán <shaola@esdebian.org>
+Cc: Jonathan Nieder <jrnieder@gmail.com>
+Cc: Oliver Neukum <oliver@neukum.org>
+Cc: 655387@bugs.debian.org
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cdc_ether.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -83,6 +83,7 @@ int usbnet_generic_cdc_bind(struct usbne
+ struct cdc_state *info = (void *) &dev->data;
+ int status;
+ int rndis;
++ bool android_rndis_quirk = false;
+ struct usb_driver *driver = driver_of(intf);
+ struct usb_cdc_mdlm_desc *desc = NULL;
+ struct usb_cdc_mdlm_detail_desc *detail = NULL;
+@@ -195,6 +196,11 @@ int usbnet_generic_cdc_bind(struct usbne
+ info->control,
+ info->u->bSlaveInterface0,
+ info->data);
++ /* fall back to hard-wiring for RNDIS */
++ if (rndis) {
++ android_rndis_quirk = true;
++ goto next_desc;
++ }
+ goto bad_desc;
+ }
+ if (info->control != intf) {
+@@ -271,11 +277,15 @@ next_desc:
+ /* Microsoft ActiveSync based and some regular RNDIS devices lack the
+ * CDC descriptors, so we'll hard-wire the interfaces and not check
+ * for descriptors.
++ *
++ * Some Android RNDIS devices have a CDC Union descriptor pointing
++ * to non-existing interfaces. Ignore that and attempt the same
++ * hard-wired 0 and 1 interfaces.
+ */
+- if (rndis && !info->u) {
++ if (rndis && (!info->u || android_rndis_quirk)) {
+ info->control = usb_ifnum_to_if(dev->udev, 0);
+ info->data = usb_ifnum_to_if(dev->udev, 1);
+- if (!info->control || !info->data) {
++ if (!info->control || !info->data || info->control != intf) {
+ dev_dbg(&intf->dev,
+ "rndis: master #0/%p slave #1/%p\n",
+ info->control,
--- /dev/null
+From 1ebfefcf37a6e308266a8d786e8cfea0a454058c Mon Sep 17 00:00:00 2001
+From: Alexander Clouter <alex@digriz.org.uk>
+Date: Sat, 12 May 2012 09:45:08 +0100
+Subject: crypto: mv_cesa requires on CRYPTO_HASH to build
+
+From: Alexander Clouter <alex@digriz.org.uk>
+
+commit 1ebfefcf37a6e308266a8d786e8cfea0a454058c upstream.
+
+Without CRYPTO_HASH being selected, mv_cesa has a lot of hooks
+into undefined exports.
+----
+ MODPOST 81 modules
+ Kernel: arch/arm/boot/Image is ready
+ AS arch/arm/boot/compressed/head.o
+ GZIP arch/arm/boot/compressed/piggy.gzip
+ CC arch/arm/boot/compressed/misc.o
+ CC arch/arm/boot/compressed/decompress.o
+ERROR: "crypto_ahash_type" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_shash_final" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_register_ahash" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_unregister_ahash" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_shash_update" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_shash_digest" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_shash_setkey" [drivers/crypto/mv_cesa.ko] undefined!
+ERROR: "crypto_alloc_shash" [drivers/crypto/mv_cesa.ko] undefined!
+make[1]: *** [__modpost] Error 1
+make: *** [modules] Error 2
+make: *** Waiting for unfinished jobs....
+----
+
+Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
+Signed-off-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -173,6 +173,7 @@ config CRYPTO_DEV_MV_CESA
+ select CRYPTO_ALGAPI
+ select CRYPTO_AES
+ select CRYPTO_BLKCIPHER2
++ select CRYPTO_HASH
+ help
+ This driver allows you to utilize the Cryptographic Engines and
+ Security Accelerator (CESA) which can be found on the Marvell Orion
--- /dev/null
+From 4998a6c0edce7fae9c0a5463f6ec3fa585258ee7 Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@tilera.com>
+Date: Thu, 10 May 2012 13:01:44 -0700
+Subject: hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow()
+
+From: Chris Metcalf <cmetcalf@tilera.com>
+
+commit 4998a6c0edce7fae9c0a5463f6ec3fa585258ee7 upstream.
+
+Commit 66aebce747eaf ("hugetlb: fix race condition in hugetlb_fault()")
+added code to avoid a race condition by elevating the page refcount in
+hugetlb_fault() while calling hugetlb_cow().
+
+However, one code path in hugetlb_cow() includes an assertion that the
+page count is 1, whereas it may now also have the value 2 in this path.
+
+The consensus is that this BUG_ON has served its purpose, so rather than
+extending it to cover both cases, we just remove it.
+
+Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
+Acked-by: Mel Gorman <mel@csn.ul.ie>
+Acked-by: Hillf Danton <dhillf@gmail.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: Michal Hocko <mhocko@suse.cz>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2398,7 +2398,6 @@ retry_avoidcopy:
+ if (outside_reserve) {
+ BUG_ON(huge_pte_none(pte));
+ if (unmap_ref_private(mm, vma, old_page, address)) {
+- BUG_ON(page_count(old_page) != 1);
+ BUG_ON(huge_pte_none(pte));
+ spin_lock(&mm->page_table_lock);
+ goto retry_avoidcopy;
--- /dev/null
+From 377485f6244af255b04d662cf19cddbbc4ae4310 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <levinsasha928@gmail.com>
+Date: Sat, 5 May 2012 17:06:35 +0200
+Subject: init: don't try mounting device as nfs root unless type fully matches
+
+From: Sasha Levin <levinsasha928@gmail.com>
+
+commit 377485f6244af255b04d662cf19cddbbc4ae4310 upstream.
+
+Currently, we'll try mounting any device who's major device number is
+UNNAMED_MAJOR as NFS root. This would happen for non-NFS devices as
+well (such as 9p devices) but it wouldn't cause any issues since
+mounting the device as NFS would fail quickly and the code proceeded to
+doing the proper mount:
+
+ [ 101.522716] VFS: Unable to mount root fs via NFS, trying floppy.
+ [ 101.534499] VFS: Mounted root (9p filesystem) on device 0:18.
+
+Commit 6829a048102a ("NFS: Retry mounting NFSROOT") introduced retries
+when mounting NFS root, which means that now we don't immediately fail
+and instead it takes an additional 90+ seconds until we stop retrying,
+which has revealed the issue this patch fixes.
+
+This meant that it would take an additional 90 seconds to boot when
+we're not using a device type which gets detected in order before NFS.
+
+This patch modifies the NFS type check to require device type to be
+'Root_NFS' instead of requiring the device to have an UNNAMED_MAJOR
+major. This makes boot process cleaner since we now won't go through
+the NFS mounting code at all when the device isn't an NFS root
+("/dev/nfs").
+
+Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ init/do_mounts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/init/do_mounts.c
++++ b/init/do_mounts.c
+@@ -432,7 +432,7 @@ void __init change_floppy(char *fmt, ...
+ void __init mount_root(void)
+ {
+ #ifdef CONFIG_ROOT_NFS
+- if (MAJOR(ROOT_DEV) == UNNAMED_MAJOR) {
++ if (ROOT_DEV == Root_NFS) {
+ if (mount_nfs_root())
+ return;
+
--- /dev/null
+From 226bb7df3d22bcf4a1c0fe8206c80cc427498eae Mon Sep 17 00:00:00 2001
+From: Josh Cartwright <joshc@linux.com>
+Date: Thu, 29 Mar 2012 19:34:53 -0400
+Subject: jffs2: Fix lock acquisition order bug in gc path
+
+From: Josh Cartwright <joshc@linux.com>
+
+commit 226bb7df3d22bcf4a1c0fe8206c80cc427498eae upstream.
+
+The locking policy is such that the erase_complete_block spinlock is
+nested within the alloc_sem mutex. This fixes a case in which the
+acquisition order was erroneously reversed. This issue was caught by
+the following lockdep splat:
+
+ =======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 3.0.5 #1
+ -------------------------------------------------------
+ jffs2_gcd_mtd6/299 is trying to acquire lock:
+ (&c->alloc_sem){+.+.+.}, at: [<c01f7714>] jffs2_garbage_collect_pass+0x314/0x890
+
+ but task is already holding lock:
+ (&(&c->erase_completion_lock)->rlock){+.+...}, at: [<c01f7708>] jffs2_garbage_collect_pass+0x308/0x890
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&(&c->erase_completion_lock)->rlock){+.+...}:
+ [<c008bec4>] validate_chain+0xe6c/0x10bc
+ [<c008c660>] __lock_acquire+0x54c/0xba4
+ [<c008d240>] lock_acquire+0xa4/0x114
+ [<c046780c>] _raw_spin_lock+0x3c/0x4c
+ [<c01f744c>] jffs2_garbage_collect_pass+0x4c/0x890
+ [<c01f937c>] jffs2_garbage_collect_thread+0x1b4/0x1cc
+ [<c0071a68>] kthread+0x98/0xa0
+ [<c000f264>] kernel_thread_exit+0x0/0x8
+
+ -> #0 (&c->alloc_sem){+.+.+.}:
+ [<c008ad2c>] print_circular_bug+0x70/0x2c4
+ [<c008c08c>] validate_chain+0x1034/0x10bc
+ [<c008c660>] __lock_acquire+0x54c/0xba4
+ [<c008d240>] lock_acquire+0xa4/0x114
+ [<c0466628>] mutex_lock_nested+0x74/0x33c
+ [<c01f7714>] jffs2_garbage_collect_pass+0x314/0x890
+ [<c01f937c>] jffs2_garbage_collect_thread+0x1b4/0x1cc
+ [<c0071a68>] kthread+0x98/0xa0
+ [<c000f264>] kernel_thread_exit+0x0/0x8
+
+ other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&c->erase_completion_lock)->rlock);
+ lock(&c->alloc_sem);
+ lock(&(&c->erase_completion_lock)->rlock);
+ lock(&c->alloc_sem);
+
+ *** DEADLOCK ***
+
+ 1 lock held by jffs2_gcd_mtd6/299:
+ #0: (&(&c->erase_completion_lock)->rlock){+.+...}, at: [<c01f7708>] jffs2_garbage_collect_pass+0x308/0x890
+
+ stack backtrace:
+ [<c00155dc>] (unwind_backtrace+0x0/0x100) from [<c0463dc0>] (dump_stack+0x20/0x24)
+ [<c0463dc0>] (dump_stack+0x20/0x24) from [<c008ae84>] (print_circular_bug+0x1c8/0x2c4)
+ [<c008ae84>] (print_circular_bug+0x1c8/0x2c4) from [<c008c08c>] (validate_chain+0x1034/0x10bc)
+ [<c008c08c>] (validate_chain+0x1034/0x10bc) from [<c008c660>] (__lock_acquire+0x54c/0xba4)
+ [<c008c660>] (__lock_acquire+0x54c/0xba4) from [<c008d240>] (lock_acquire+0xa4/0x114)
+ [<c008d240>] (lock_acquire+0xa4/0x114) from [<c0466628>] (mutex_lock_nested+0x74/0x33c)
+ [<c0466628>] (mutex_lock_nested+0x74/0x33c) from [<c01f7714>] (jffs2_garbage_collect_pass+0x314/0x890)
+ [<c01f7714>] (jffs2_garbage_collect_pass+0x314/0x890) from [<c01f937c>] (jffs2_garbage_collect_thread+0x1b4/0x1cc)
+ [<c01f937c>] (jffs2_garbage_collect_thread+0x1b4/0x1cc) from [<c0071a68>] (kthread+0x98/0xa0)
+ [<c0071a68>] (kthread+0x98/0xa0) from [<c000f264>] (kernel_thread_exit+0x0/0x8)
+
+This was introduce in '81cfc9f jffs2: Fix serious write stall due to erase'.
+
+Signed-off-by: Josh Cartwright <joshc@linux.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/gc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jffs2/gc.c
++++ b/fs/jffs2/gc.c
+@@ -225,8 +225,8 @@ int jffs2_garbage_collect_pass(struct jf
+ return 0;
+
+ D1(printk(KERN_DEBUG "No progress from erasing blocks; doing GC anyway\n"));
+- spin_lock(&c->erase_completion_lock);
+ mutex_lock(&c->alloc_sem);
++ spin_lock(&c->erase_completion_lock);
+ }
+
+ /* First, work out which block we're garbage-collecting */
--- /dev/null
+From 100d13c3b5b9410f604b86f5e0a34da64b8cf659 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Wed, 9 May 2012 16:55:19 +0100
+Subject: kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 100d13c3b5b9410f604b86f5e0a34da64b8cf659 upstream.
+
+Kmemleak tracks the percpu allocations via a specific API and the
+originally allocated areas must be removed from kmemleak (via
+kmemleak_free). The code was already doing this for SMP systems.
+
+Reported-by: Sami Liedes <sami.liedes@iki.fi>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Christoph Lameter <cl@linux-foundation.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/percpu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1873,6 +1873,8 @@ void __init setup_per_cpu_areas(void)
+ fc = __alloc_bootmem(unit_size, PAGE_SIZE, __pa(MAX_DMA_ADDRESS));
+ if (!ai || !fc)
+ panic("Failed to allocate memory for percpu areas.");
++ /* kmemleak tracks the percpu allocations separately */
++ kmemleak_free(fc);
+
+ ai->dyn_size = unit_size;
+ ai->unit_size = unit_size;
--- /dev/null
+From 0d9f4f135eb6dea06bdcb7065b1e4ff78274a5e9 Mon Sep 17 00:00:00 2001
+From: Jonathan Brassow <jbrassow@redhat.com>
+Date: Wed, 16 May 2012 04:06:14 -0500
+Subject: MD: Add del_timer_sync to mddev_suspend (fix nasty panic)
+
+From: Jonathan Brassow <jbrassow@redhat.com>
+
+commit 0d9f4f135eb6dea06bdcb7065b1e4ff78274a5e9 upstream.
+
+Use del_timer_sync to remove timer before mddev_suspend finishes.
+
+We don't want a timer going off after an mddev_suspend is called. This is
+especially true with device-mapper, since it can call the destructor function
+immediately following a suspend. This results in the removal (kfree) of the
+structures upon which the timer depends - resulting in a very ugly panic.
+Therefore, we add a del_timer_sync to mddev_suspend to prevent this.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -348,6 +348,8 @@ void mddev_suspend(mddev_t *mddev)
+ synchronize_rcu();
+ wait_event(mddev->sb_wait, atomic_read(&mddev->active_io) == 0);
+ mddev->pers->quiesce(mddev, 1);
++
++ del_timer_sync(&mddev->safemode_timer);
+ }
+ EXPORT_SYMBOL_GPL(mddev_suspend);
+
--- /dev/null
+From 9ef449c6b31bb6a8e6dedc24de475a3b8c79be20 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <luis.henriques@canonical.com>
+Date: Sat, 21 Apr 2012 12:25:21 -0300
+Subject: media: rc: Postpone ISR registration
+
+From: Luis Henriques <luis.henriques@canonical.com>
+
+commit 9ef449c6b31bb6a8e6dedc24de475a3b8c79be20 upstream.
+
+An early registration of an ISR was causing a crash to several users (for
+example, with the ite-cir driver: http://bugs.launchpad.net/bugs/972723).
+The reason was that IRQs were being triggered before a driver
+initialisation was completed.
+
+This patch fixes this by moving the invocation to request_irq() and to
+request_region() to a later stage on the driver probe function.
+
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+Acked-by: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/ene_ir.c | 32 ++++++++--------
+ drivers/media/rc/fintek-cir.c | 20 +++++-----
+ drivers/media/rc/ite-cir.c | 20 +++++-----
+ drivers/media/rc/nuvoton-cir.c | 36 +++++++++---------
+ drivers/media/rc/winbond-cir.c | 78 ++++++++++++++++++++---------------------
+ 5 files changed, 93 insertions(+), 93 deletions(-)
+
+--- a/drivers/media/rc/ene_ir.c
++++ b/drivers/media/rc/ene_ir.c
+@@ -1017,22 +1017,6 @@ static int ene_probe(struct pnp_dev *pnp
+
+ spin_lock_init(&dev->hw_lock);
+
+- /* claim the resources */
+- error = -EBUSY;
+- dev->hw_io = pnp_port_start(pnp_dev, 0);
+- if (!request_region(dev->hw_io, ENE_IO_SIZE, ENE_DRIVER_NAME)) {
+- dev->hw_io = -1;
+- dev->irq = -1;
+- goto error;
+- }
+-
+- dev->irq = pnp_irq(pnp_dev, 0);
+- if (request_irq(dev->irq, ene_isr,
+- IRQF_SHARED, ENE_DRIVER_NAME, (void *)dev)) {
+- dev->irq = -1;
+- goto error;
+- }
+-
+ pnp_set_drvdata(pnp_dev, dev);
+ dev->pnp_dev = pnp_dev;
+
+@@ -1085,6 +1069,22 @@ static int ene_probe(struct pnp_dev *pnp
+ device_set_wakeup_capable(&pnp_dev->dev, true);
+ device_set_wakeup_enable(&pnp_dev->dev, true);
+
++ /* claim the resources */
++ error = -EBUSY;
++ dev->hw_io = pnp_port_start(pnp_dev, 0);
++ if (!request_region(dev->hw_io, ENE_IO_SIZE, ENE_DRIVER_NAME)) {
++ dev->hw_io = -1;
++ dev->irq = -1;
++ goto error;
++ }
++
++ dev->irq = pnp_irq(pnp_dev, 0);
++ if (request_irq(dev->irq, ene_isr,
++ IRQF_SHARED, ENE_DRIVER_NAME, (void *)dev)) {
++ dev->irq = -1;
++ goto error;
++ }
++
+ error = rc_register_device(rdev);
+ if (error < 0)
+ goto error;
+--- a/drivers/media/rc/fintek-cir.c
++++ b/drivers/media/rc/fintek-cir.c
+@@ -504,16 +504,6 @@ static int fintek_probe(struct pnp_dev *
+
+ spin_lock_init(&fintek->fintek_lock);
+
+- ret = -EBUSY;
+- /* now claim resources */
+- if (!request_region(fintek->cir_addr,
+- fintek->cir_port_len, FINTEK_DRIVER_NAME))
+- goto failure;
+-
+- if (request_irq(fintek->cir_irq, fintek_cir_isr, IRQF_SHARED,
+- FINTEK_DRIVER_NAME, (void *)fintek))
+- goto failure;
+-
+ pnp_set_drvdata(pdev, fintek);
+ fintek->pdev = pdev;
+
+@@ -548,6 +538,16 @@ static int fintek_probe(struct pnp_dev *
+ /* rx resolution is hardwired to 50us atm, 1, 25, 100 also possible */
+ rdev->rx_resolution = US_TO_NS(CIR_SAMPLE_PERIOD);
+
++ ret = -EBUSY;
++ /* now claim resources */
++ if (!request_region(fintek->cir_addr,
++ fintek->cir_port_len, FINTEK_DRIVER_NAME))
++ goto failure;
++
++ if (request_irq(fintek->cir_irq, fintek_cir_isr, IRQF_SHARED,
++ FINTEK_DRIVER_NAME, (void *)fintek))
++ goto failure;
++
+ ret = rc_register_device(rdev);
+ if (ret)
+ goto failure;
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -1519,16 +1519,6 @@ static int ite_probe(struct pnp_dev *pde
+ /* initialize raw event */
+ init_ir_raw_event(&itdev->rawir);
+
+- ret = -EBUSY;
+- /* now claim resources */
+- if (!request_region(itdev->cir_addr,
+- dev_desc->io_region_size, ITE_DRIVER_NAME))
+- goto failure;
+-
+- if (request_irq(itdev->cir_irq, ite_cir_isr, IRQF_SHARED,
+- ITE_DRIVER_NAME, (void *)itdev))
+- goto failure;
+-
+ /* set driver data into the pnp device */
+ pnp_set_drvdata(pdev, itdev);
+ itdev->pdev = pdev;
+@@ -1604,6 +1594,16 @@ static int ite_probe(struct pnp_dev *pde
+ rdev->driver_name = ITE_DRIVER_NAME;
+ rdev->map_name = RC_MAP_RC6_MCE;
+
++ ret = -EBUSY;
++ /* now claim resources */
++ if (!request_region(itdev->cir_addr,
++ dev_desc->io_region_size, ITE_DRIVER_NAME))
++ goto failure;
++
++ if (request_irq(itdev->cir_irq, ite_cir_isr, IRQF_SHARED,
++ ITE_DRIVER_NAME, (void *)itdev))
++ goto failure;
++
+ ret = rc_register_device(rdev);
+ if (ret)
+ goto failure;
+--- a/drivers/media/rc/nuvoton-cir.c
++++ b/drivers/media/rc/nuvoton-cir.c
+@@ -1027,24 +1027,6 @@ static int nvt_probe(struct pnp_dev *pde
+ spin_lock_init(&nvt->nvt_lock);
+ spin_lock_init(&nvt->tx.lock);
+
+- ret = -EBUSY;
+- /* now claim resources */
+- if (!request_region(nvt->cir_addr,
+- CIR_IOREG_LENGTH, NVT_DRIVER_NAME))
+- goto failure;
+-
+- if (request_irq(nvt->cir_irq, nvt_cir_isr, IRQF_SHARED,
+- NVT_DRIVER_NAME, (void *)nvt))
+- goto failure;
+-
+- if (!request_region(nvt->cir_wake_addr,
+- CIR_IOREG_LENGTH, NVT_DRIVER_NAME))
+- goto failure;
+-
+- if (request_irq(nvt->cir_wake_irq, nvt_cir_wake_isr, IRQF_SHARED,
+- NVT_DRIVER_NAME, (void *)nvt))
+- goto failure;
+-
+ pnp_set_drvdata(pdev, nvt);
+ nvt->pdev = pdev;
+
+@@ -1091,6 +1073,24 @@ static int nvt_probe(struct pnp_dev *pde
+ rdev->tx_resolution = XYZ;
+ #endif
+
++ ret = -EBUSY;
++ /* now claim resources */
++ if (!request_region(nvt->cir_addr,
++ CIR_IOREG_LENGTH, NVT_DRIVER_NAME))
++ goto failure;
++
++ if (request_irq(nvt->cir_irq, nvt_cir_isr, IRQF_SHARED,
++ NVT_DRIVER_NAME, (void *)nvt))
++ goto failure;
++
++ if (!request_region(nvt->cir_wake_addr,
++ CIR_IOREG_LENGTH, NVT_DRIVER_NAME))
++ goto failure;
++
++ if (request_irq(nvt->cir_wake_irq, nvt_cir_wake_isr, IRQF_SHARED,
++ NVT_DRIVER_NAME, (void *)nvt))
++ goto failure;
++
+ ret = rc_register_device(rdev);
+ if (ret)
+ goto failure;
+--- a/drivers/media/rc/winbond-cir.c
++++ b/drivers/media/rc/winbond-cir.c
+@@ -1003,39 +1003,10 @@ wbcir_probe(struct pnp_dev *device, cons
+ "(w: 0x%lX, e: 0x%lX, s: 0x%lX, i: %u)\n",
+ data->wbase, data->ebase, data->sbase, data->irq);
+
+- if (!request_region(data->wbase, WAKEUP_IOMEM_LEN, DRVNAME)) {
+- dev_err(dev, "Region 0x%lx-0x%lx already in use!\n",
+- data->wbase, data->wbase + WAKEUP_IOMEM_LEN - 1);
+- err = -EBUSY;
+- goto exit_free_data;
+- }
+-
+- if (!request_region(data->ebase, EHFUNC_IOMEM_LEN, DRVNAME)) {
+- dev_err(dev, "Region 0x%lx-0x%lx already in use!\n",
+- data->ebase, data->ebase + EHFUNC_IOMEM_LEN - 1);
+- err = -EBUSY;
+- goto exit_release_wbase;
+- }
+-
+- if (!request_region(data->sbase, SP_IOMEM_LEN, DRVNAME)) {
+- dev_err(dev, "Region 0x%lx-0x%lx already in use!\n",
+- data->sbase, data->sbase + SP_IOMEM_LEN - 1);
+- err = -EBUSY;
+- goto exit_release_ebase;
+- }
+-
+- err = request_irq(data->irq, wbcir_irq_handler,
+- IRQF_DISABLED, DRVNAME, device);
+- if (err) {
+- dev_err(dev, "Failed to claim IRQ %u\n", data->irq);
+- err = -EBUSY;
+- goto exit_release_sbase;
+- }
+-
+ led_trigger_register_simple("cir-tx", &data->txtrigger);
+ if (!data->txtrigger) {
+ err = -ENOMEM;
+- goto exit_free_irq;
++ goto exit_free_data;
+ }
+
+ led_trigger_register_simple("cir-rx", &data->rxtrigger);
+@@ -1074,9 +1045,38 @@ wbcir_probe(struct pnp_dev *device, cons
+ data->dev->priv = data;
+ data->dev->dev.parent = &device->dev;
+
++ if (!request_region(data->wbase, WAKEUP_IOMEM_LEN, DRVNAME)) {
++ dev_err(dev, "Region 0x%lx-0x%lx already in use!\n",
++ data->wbase, data->wbase + WAKEUP_IOMEM_LEN - 1);
++ err = -EBUSY;
++ goto exit_free_rc;
++ }
++
++ if (!request_region(data->ebase, EHFUNC_IOMEM_LEN, DRVNAME)) {
++ dev_err(dev, "Region 0x%lx-0x%lx already in use!\n",
++ data->ebase, data->ebase + EHFUNC_IOMEM_LEN - 1);
++ err = -EBUSY;
++ goto exit_release_wbase;
++ }
++
++ if (!request_region(data->sbase, SP_IOMEM_LEN, DRVNAME)) {
++ dev_err(dev, "Region 0x%lx-0x%lx already in use!\n",
++ data->sbase, data->sbase + SP_IOMEM_LEN - 1);
++ err = -EBUSY;
++ goto exit_release_ebase;
++ }
++
++ err = request_irq(data->irq, wbcir_irq_handler,
++ IRQF_DISABLED, DRVNAME, device);
++ if (err) {
++ dev_err(dev, "Failed to claim IRQ %u\n", data->irq);
++ err = -EBUSY;
++ goto exit_release_sbase;
++ }
++
+ err = rc_register_device(data->dev);
+ if (err)
+- goto exit_free_rc;
++ goto exit_free_irq;
+
+ device_init_wakeup(&device->dev, 1);
+
+@@ -1084,14 +1084,6 @@ wbcir_probe(struct pnp_dev *device, cons
+
+ return 0;
+
+-exit_free_rc:
+- rc_free_device(data->dev);
+-exit_unregister_led:
+- led_classdev_unregister(&data->led);
+-exit_unregister_rxtrigger:
+- led_trigger_unregister_simple(data->rxtrigger);
+-exit_unregister_txtrigger:
+- led_trigger_unregister_simple(data->txtrigger);
+ exit_free_irq:
+ free_irq(data->irq, device);
+ exit_release_sbase:
+@@ -1100,6 +1092,14 @@ exit_release_ebase:
+ release_region(data->ebase, EHFUNC_IOMEM_LEN);
+ exit_release_wbase:
+ release_region(data->wbase, WAKEUP_IOMEM_LEN);
++exit_free_rc:
++ rc_free_device(data->dev);
++exit_unregister_led:
++ led_classdev_unregister(&data->led);
++exit_unregister_rxtrigger:
++ led_trigger_unregister_simple(data->rxtrigger);
++exit_unregister_txtrigger:
++ led_trigger_unregister_simple(data->txtrigger);
+ exit_free_data:
+ kfree(data);
+ pnp_set_drvdata(device, NULL);
--- /dev/null
+From 6bc2e853c6b46a6041980d58200ad9b0a73a60ff Mon Sep 17 00:00:00 2001
+From: Russ Anderson <rja@sgi.com>
+Date: Thu, 10 May 2012 13:01:46 -0700
+Subject: mm: nobootmem: fix sign extend problem in __free_pages_memory()
+
+From: Russ Anderson <rja@sgi.com>
+
+commit 6bc2e853c6b46a6041980d58200ad9b0a73a60ff upstream.
+
+Systems with 8 TBytes of memory or greater can hit a problem where only
+the the first 8 TB of memory shows up. This is due to "int i" being
+smaller than "unsigned long start_aligned", causing the high bits to be
+dropped.
+
+The fix is to change `i' to unsigned long to match start_aligned
+and end_aligned.
+
+Thanks to Jack Steiner for assistance tracking this down.
+
+Signed-off-by: Russ Anderson <rja@sgi.com>
+Cc: Jack Steiner <steiner@sgi.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Gavin Shan <shangw@linux.vnet.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/nobootmem.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/nobootmem.c
++++ b/mm/nobootmem.c
+@@ -83,8 +83,7 @@ void __init free_bootmem_late(unsigned l
+
+ static void __init __free_pages_memory(unsigned long start, unsigned long end)
+ {
+- int i;
+- unsigned long start_aligned, end_aligned;
++ unsigned long i, start_aligned, end_aligned;
+ int order = ilog2(BITS_PER_LONG);
+
+ start_aligned = (start + (BITS_PER_LONG - 1)) & ~(BITS_PER_LONG - 1);
--- /dev/null
+From 42b64281453249dac52861f9b97d18552a7ec62b Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 27 Apr 2012 08:42:53 -0700
+Subject: percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 42b64281453249dac52861f9b97d18552a7ec62b upstream.
+
+pcpu_embed_first_chunk() allocates memory for each node, copies percpu
+data and frees unused portions of it before proceeding to the next
+group. This assumes that allocations for different nodes doesn't
+overlap; however, depending on memory topology, the bootmem allocator
+may end up allocating memory from a different node than the requested
+one which may overlap with the portion freed from one of the previous
+percpu areas. This leads to percpu groups for different nodes
+overlapping which is a serious bug.
+
+This patch separates out copy & partial free from the allocation loop
+such that all allocations are complete before partial frees happen.
+
+This also fixes overlapping frees which could happen on allocation
+failure path - out_free_areas path frees whole groups but the groups
+could have portions freed at that point.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: "Pavel V. Panteleev" <pp_84@mail.ru>
+Tested-by: "Pavel V. Panteleev" <pp_84@mail.ru>
+LKML-Reference: <E1SNhwY-0007ui-V7.pp_84-mail-ru@f220.mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/percpu.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1630,6 +1630,16 @@ int __init pcpu_embed_first_chunk(size_t
+ areas[group] = ptr;
+
+ base = min(ptr, base);
++ }
++
++ /*
++ * Copy data and free unused parts. This should happen after all
++ * allocations are complete; otherwise, we may end up with
++ * overlapping groups.
++ */
++ for (group = 0; group < ai->nr_groups; group++) {
++ struct pcpu_group_info *gi = &ai->groups[group];
++ void *ptr = areas[group];
+
+ for (i = 0; i < gi->nr_units; i++, ptr += ai->unit_size) {
+ if (gi->cpu_map[i] == NR_CPUS) {
usbnet-fix-skb-traversing-races-during-unlink-v2.patch
namespaces-pid_ns-fix-leakage-on-fork-failure.patch
sparc64-do-not-clobber-g2-in-xcall_fetch_glob_regs.patch
+arm-prevent-vm_growsdown-mmaps-extending-below-first_user_address.patch
+media-rc-postpone-isr-registration.patch
+cdc_ether-ignore-bogus-union-descriptor-for-rndis-devices.patch
+cdc_ether-add-novatel-usb551l-device-ids-for-flag_wwan.patch
+percpu-pcpu_embed_first_chunk-should-free-unused-parts-after-all-allocs-are-complete.patch
+kmemleak-fix-the-kmemleak-tracking-of-the-percpu-areas-with-smp.patch
+hugetlb-prevent-bug_on-in-hugetlb_fault-hugetlb_cow.patch
+mm-nobootmem-fix-sign-extend-problem-in-__free_pages_memory.patch
+jffs2-fix-lock-acquisition-order-bug-in-gc-path.patch
+arch-tile-apply-commit-74fca9da0-to-the-compat-signal-handling-as-well.patch
+crypto-mv_cesa-requires-on-crypto_hash-to-build.patch
+md-add-del_timer_sync-to-mddev_suspend-fix-nasty-panic.patch
+tcp-do_tcp_sendpages-must-try-to-push-data-out-on-oom-conditions.patch
+init-don-t-try-mounting-device-as-nfs-root-unless-type-fully-matches.patch
--- /dev/null
+From bad115cfe5b509043b684d3a007ab54b80090aa1 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 17 May 2012 11:14:14 +0000
+Subject: tcp: do_tcp_sendpages() must try to push data out on oom conditions
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit bad115cfe5b509043b684d3a007ab54b80090aa1 upstream.
+
+Since recent changes on TCP splicing (starting with commits 2f533844
+"tcp: allow splice() to build full TSO packets" and 35f9c09f "tcp:
+tcp_sendpages() should call tcp_push() once"), I started seeing
+massive stalls when forwarding traffic between two sockets using
+splice() when pipe buffers were larger than socket buffers.
+
+Latest changes (net: netdev_alloc_skb() use build_skb()) made the
+problem even more apparent.
+
+The reason seems to be that if do_tcp_sendpages() fails on out of memory
+condition without being able to send at least one byte, tcp_push() is not
+called and the buffers cannot be flushed.
+
+After applying the attached patch, I cannot reproduce the stalls at all
+and the data rate it perfectly stable and steady under any condition
+which previously caused the problem to be permanent.
+
+The issue seems to have been there since before the kernel migrated to
+git, which makes me think that the stalls I occasionally experienced
+with tux during stress-tests years ago were probably related to the
+same issue.
+
+This issue was first encountered on 3.0.31 and 3.2.17, so please backport
+to -stable.
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -850,8 +850,7 @@ new_segment:
+ wait_for_sndbuf:
+ set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
+ wait_for_memory:
+- if (copied)
+- tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
++ tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
+
+ if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
+ goto do_error;
projects / thirdparty / kernel / stable-queue.git / commitdiff
