--- /dev/null
+From 3d3c8f93a237b64580c5c5e138edeb1377e98230 Mon Sep 17 00:00:00 2001
+From: Michel Lespinasse <walken@google.com>
+Date: Mon, 19 Dec 2011 17:12:06 -0800
+Subject: binary_sysctl(): fix memory leak
+
+From: Michel Lespinasse <walken@google.com>
+
+commit 3d3c8f93a237b64580c5c5e138edeb1377e98230 upstream.
+
+binary_sysctl() calls sysctl_getname() which allocates from names_cache
+slab usin __getname()
+
+The matching function to free the name is __putname(), and not putname()
+which should be used only to match getname() allocations.
+
+This is because when auditing is enabled, putname() calls audit_putname
+*instead* (not in addition) to __putname(). Then, if a syscall is in
+progress, audit_putname does not release the name - instead, it expects
+the name to get released when the syscall completes, but that will happen
+only if audit_getname() was called previously, i.e. if the name was
+allocated with getname() rather than the naked __getname(). So,
+__getname() followed by putname() ends up leaking memory.
+
+Signed-off-by: Michel Lespinasse <walken@google.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sysctl_binary.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sysctl_binary.c
++++ b/kernel/sysctl_binary.c
+@@ -1354,7 +1354,7 @@ static ssize_t binary_sysctl(const int *
+
+ fput(file);
+ out_putname:
+- putname(pathname);
++ __putname(pathname);
+ out:
+ return result;
+ }
--- /dev/null
+From 5151412dd4338b273afdb107c3772528e9e67d92 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 23 Nov 2011 10:59:13 +0100
+Subject: block: initialize request_queue's numa node during
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 5151412dd4338b273afdb107c3772528e9e67d92 upstream.
+
+struct request_queue is allocated with __GFP_ZERO so its "node" field is
+zero before initialization. This causes an oops if node 0 is offline in
+the page allocator because its zonelists are not initialized. From Dave
+Young's dmesg:
+
+ SRAT: Node 1 PXM 2 0-d0000000
+ SRAT: Node 1 PXM 2 100000000-330000000
+ SRAT: Node 0 PXM 1 330000000-630000000
+ Initmem setup node 1 0000000000000000-000000000affb000
+ ...
+ Built 1 zonelists in Node order, mobility grouping on.
+ ...
+ BUG: unable to handle kernel paging request at 0000000000001c08
+ IP: [<ffffffff8111c355>] __alloc_pages_nodemask+0xb5/0x870
+
+and __alloc_pages_nodemask+0xb5 translates to a NULL pointer on
+zonelist->_zonerefs.
+
+The fix is to initialize q->node at the time of allocation so the correct
+node is passed to the slab allocator later.
+
+Since blk_init_allocated_queue_node() is no longer needed, merge it with
+blk_init_allocated_queue().
+
+[rientjes@google.com: changelog, initializing q->node]
+Reported-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: David Rientjes <rientjes@google.com>
+Tested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ block/blk-core.c | 14 +++-----------
+ include/linux/blkdev.h | 3 ---
+ 2 files changed, 3 insertions(+), 14 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -418,6 +418,7 @@ struct request_queue *blk_alloc_queue_no
+ q->backing_dev_info.state = 0;
+ q->backing_dev_info.capabilities = BDI_CAP_MAP_COPY;
+ q->backing_dev_info.name = "block";
++ q->node = node_id;
+
+ err = bdi_init(&q->backing_dev_info);
+ if (err) {
+@@ -502,7 +503,7 @@ blk_init_queue_node(request_fn_proc *rfn
+ if (!uninit_q)
+ return NULL;
+
+- q = blk_init_allocated_queue_node(uninit_q, rfn, lock, node_id);
++ q = blk_init_allocated_queue(uninit_q, rfn, lock);
+ if (!q)
+ blk_cleanup_queue(uninit_q);
+
+@@ -514,18 +515,9 @@ struct request_queue *
+ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn,
+ spinlock_t *lock)
+ {
+- return blk_init_allocated_queue_node(q, rfn, lock, -1);
+-}
+-EXPORT_SYMBOL(blk_init_allocated_queue);
+-
+-struct request_queue *
+-blk_init_allocated_queue_node(struct request_queue *q, request_fn_proc *rfn,
+- spinlock_t *lock, int node_id)
+-{
+ if (!q)
+ return NULL;
+
+- q->node = node_id;
+ if (blk_init_free_list(q))
+ return NULL;
+
+@@ -555,7 +547,7 @@ blk_init_allocated_queue_node(struct req
+
+ return NULL;
+ }
+-EXPORT_SYMBOL(blk_init_allocated_queue_node);
++EXPORT_SYMBOL(blk_init_allocated_queue);
+
+ int blk_get_queue(struct request_queue *q)
+ {
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -798,9 +798,6 @@ extern void blk_unprep_request(struct re
+ */
+ extern struct request_queue *blk_init_queue_node(request_fn_proc *rfn,
+ spinlock_t *lock, int node_id);
+-extern struct request_queue *blk_init_allocated_queue_node(struct request_queue *,
+- request_fn_proc *,
+- spinlock_t *, int node_id);
+ extern struct request_queue *blk_init_queue(request_fn_proc *, spinlock_t *);
+ extern struct request_queue *blk_init_allocated_queue(struct request_queue *,
+ request_fn_proc *, spinlock_t *);
--- /dev/null
+From 8521478f67e95ada4e87970c7b41e504c724b2cf Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 12 Dec 2011 00:05:53 -0800
+Subject: Input: synaptics - fix touchpad not working after S2R on Vostro V13
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 8521478f67e95ada4e87970c7b41e504c724b2cf upstream.
+
+Synaptics touchpads on several Dell laptops, particularly Vostro V13
+systems, may not respond properly to PS/2 commands and queries immediately
+after resuming from suspend to RAM. This leads to unresponsive touchpad
+after suspend/resume cycle.
+
+Adding a 1-second delay after resetting the device allows touchpad to
+finish initializing (calibrating?) and start reacting properly.
+
+Reported-by: Daniel Manrique <daniel.manrique@canonical.com>
+Tested-by: Daniel Manrique <daniel.manrique@canonical.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -24,6 +24,7 @@
+ */
+
+ #include <linux/module.h>
++#include <linux/delay.h>
+ #include <linux/dmi.h>
+ #include <linux/input/mt.h>
+ #include <linux/serio.h>
+@@ -760,6 +761,16 @@ static int synaptics_reconnect(struct ps
+
+ do {
+ psmouse_reset(psmouse);
++ if (retry) {
++ /*
++ * On some boxes, right after resuming, the touchpad
++ * needs some time to finish initializing (I assume
++ * it needs time to calibrate) and start responding
++ * to Synaptics-specific queries, so let's wait a
++ * bit.
++ */
++ ssleep(1);
++ }
+ error = synaptics_detect(psmouse, 0);
+ } while (error && ++retry < 3);
+
--- /dev/null
+From 15062e6a8524f5977f2cbdf6e3eb2f144262f74e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 7 Dec 2011 09:02:21 +0100
+Subject: mac80211: fix another race in aggregation start
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 15062e6a8524f5977f2cbdf6e3eb2f144262f74e upstream.
+
+Emmanuel noticed that when mac80211 stops the queues
+for aggregation that can leave a packet pending. This
+packet will be given to the driver after the AMPDU
+callback, but as a non-aggregated packet which messes
+up the sequence number etc.
+
+I also noticed by looking at the code that if packets
+are being processed while we clear the WANT_START bit,
+they might see it cleared already and queue up on
+tid_tx->pending. If the driver then rejects the new
+aggregation session we leak the packet.
+
+Fix both of these issues by changing this code to not
+stop the queues at all. Instead, let packets queue up
+on the tid_tx->pending queue instead of letting them
+get to the driver, and add code to recover properly
+in case the driver rejects the session.
+
+(The patch looks large because it has to move two
+functions to before their new use.)
+
+Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/agg-tx.c | 86 +++++++++++++++++++++++---------------------------
+ 1 file changed, 41 insertions(+), 45 deletions(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -304,6 +304,38 @@ ieee80211_wake_queue_agg(struct ieee8021
+ __release(agg_queue);
+ }
+
++/*
++ * splice packets from the STA's pending to the local pending,
++ * requires a call to ieee80211_agg_splice_finish later
++ */
++static void __acquires(agg_queue)
++ieee80211_agg_splice_packets(struct ieee80211_local *local,
++ struct tid_ampdu_tx *tid_tx, u16 tid)
++{
++ int queue = ieee80211_ac_from_tid(tid);
++ unsigned long flags;
++
++ ieee80211_stop_queue_agg(local, tid);
++
++ if (WARN(!tid_tx, "TID %d gone but expected when splicing aggregates"
++ " from the pending queue\n", tid))
++ return;
++
++ if (!skb_queue_empty(&tid_tx->pending)) {
++ spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
++ /* copy over remaining packets */
++ skb_queue_splice_tail_init(&tid_tx->pending,
++ &local->pending[queue]);
++ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
++ }
++}
++
++static void __releases(agg_queue)
++ieee80211_agg_splice_finish(struct ieee80211_local *local, u16 tid)
++{
++ ieee80211_wake_queue_agg(local, tid);
++}
++
+ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
+ {
+ struct tid_ampdu_tx *tid_tx;
+@@ -315,19 +347,17 @@ void ieee80211_tx_ba_session_handle_star
+ tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+
+ /*
+- * While we're asking the driver about the aggregation,
+- * stop the AC queue so that we don't have to worry
+- * about frames that came in while we were doing that,
+- * which would require us to put them to the AC pending
+- * afterwards which just makes the code more complex.
++ * Start queuing up packets for this aggregation session.
++ * We're going to release them once the driver is OK with
++ * that.
+ */
+- ieee80211_stop_queue_agg(local, tid);
+-
+ clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state);
+
+ /*
+- * make sure no packets are being processed to get
+- * valid starting sequence number
++ * Make sure no packets are being processed. This ensures that
++ * we have a valid starting sequence number and that in-flight
++ * packets have been flushed out and no packets for this TID
++ * will go into the driver during the ampdu_action call.
+ */
+ synchronize_net();
+
+@@ -341,17 +371,15 @@ void ieee80211_tx_ba_session_handle_star
+ " tid %d\n", tid);
+ #endif
+ spin_lock_bh(&sta->lock);
++ ieee80211_agg_splice_packets(local, tid_tx, tid);
+ ieee80211_assign_tid_tx(sta, tid, NULL);
++ ieee80211_agg_splice_finish(local, tid);
+ spin_unlock_bh(&sta->lock);
+
+- ieee80211_wake_queue_agg(local, tid);
+ kfree_rcu(tid_tx, rcu_head);
+ return;
+ }
+
+- /* we can take packets again now */
+- ieee80211_wake_queue_agg(local, tid);
+-
+ /* activate the timer for the recipient's addBA response */
+ mod_timer(&tid_tx->addba_resp_timer, jiffies + ADDBA_RESP_INTERVAL);
+ #ifdef CONFIG_MAC80211_HT_DEBUG
+@@ -471,38 +499,6 @@ int ieee80211_start_tx_ba_session(struct
+ }
+ EXPORT_SYMBOL(ieee80211_start_tx_ba_session);
+
+-/*
+- * splice packets from the STA's pending to the local pending,
+- * requires a call to ieee80211_agg_splice_finish later
+- */
+-static void __acquires(agg_queue)
+-ieee80211_agg_splice_packets(struct ieee80211_local *local,
+- struct tid_ampdu_tx *tid_tx, u16 tid)
+-{
+- int queue = ieee80211_ac_from_tid(tid);
+- unsigned long flags;
+-
+- ieee80211_stop_queue_agg(local, tid);
+-
+- if (WARN(!tid_tx, "TID %d gone but expected when splicing aggregates"
+- " from the pending queue\n", tid))
+- return;
+-
+- if (!skb_queue_empty(&tid_tx->pending)) {
+- spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+- /* copy over remaining packets */
+- skb_queue_splice_tail_init(&tid_tx->pending,
+- &local->pending[queue]);
+- spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
+- }
+-}
+-
+-static void __releases(agg_queue)
+-ieee80211_agg_splice_finish(struct ieee80211_local *local, u16 tid)
+-{
+- ieee80211_wake_queue_agg(local, tid);
+-}
+-
+ static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
+ struct sta_info *sta, u16 tid)
+ {
--- /dev/null
+From c0d96aed8c6dd925afe9ea35491a0cd458642a86 Mon Sep 17 00:00:00 2001
+From: Jason Chen <jason.chen@linaro.org>
+Date: Wed, 30 Nov 2011 11:34:27 +0800
+Subject: MXC PWM: should active during DOZE/WAIT/DBG mode
+
+From: Jason Chen <jason.chen@linaro.org>
+
+commit c0d96aed8c6dd925afe9ea35491a0cd458642a86 upstream.
+
+Signed-off-by: Jason Chen <jason.chen@linaro.org>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/plat-mxc/pwm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/plat-mxc/pwm.c
++++ b/arch/arm/plat-mxc/pwm.c
+@@ -32,6 +32,9 @@
+ #define MX3_PWMSAR 0x0C /* PWM Sample Register */
+ #define MX3_PWMPR 0x10 /* PWM Period Register */
+ #define MX3_PWMCR_PRESCALER(x) (((x - 1) & 0xFFF) << 4)
++#define MX3_PWMCR_DOZEEN (1 << 24)
++#define MX3_PWMCR_WAITEN (1 << 23)
++#define MX3_PWMCR_DBGEN (1 << 22)
+ #define MX3_PWMCR_CLKSRC_IPG_HIGH (2 << 16)
+ #define MX3_PWMCR_CLKSRC_IPG (1 << 16)
+ #define MX3_PWMCR_EN (1 << 0)
+@@ -77,7 +80,9 @@ int pwm_config(struct pwm_device *pwm, i
+ writel(duty_cycles, pwm->mmio_base + MX3_PWMSAR);
+ writel(period_cycles, pwm->mmio_base + MX3_PWMPR);
+
+- cr = MX3_PWMCR_PRESCALER(prescale) | MX3_PWMCR_EN;
++ cr = MX3_PWMCR_PRESCALER(prescale) |
++ MX3_PWMCR_DOZEEN | MX3_PWMCR_WAITEN |
++ MX3_PWMCR_DBGEN | MX3_PWMCR_EN;
+
+ if (cpu_is_mx25())
+ cr |= MX3_PWMCR_CLKSRC_IPG;
--- /dev/null
+From 9f57bd4d6dc69a4e3bf43044fa00fcd24dd363e3 Mon Sep 17 00:00:00 2001
+From: Eugene Surovegin <ebs@ebshome.net>
+Date: Thu, 15 Dec 2011 11:25:59 -0800
+Subject: percpu: fix per_cpu_ptr_to_phys() handling of non-page-aligned addresses
+
+From: Eugene Surovegin <ebs@ebshome.net>
+
+commit 9f57bd4d6dc69a4e3bf43044fa00fcd24dd363e3 upstream.
+
+per_cpu_ptr_to_phys() incorrectly rounds up its result for non-kmalloc
+case to the page boundary, which is bogus for any non-page-aligned
+address.
+
+This affects the only in-tree user of this function - sysfs handler
+for per-cpu 'crash_notes' physical address. The trouble is that the
+crash_notes per-cpu variable is not page-aligned:
+
+crash_notes = 0xc08e8ed4
+PER-CPU OFFSET VALUES:
+ CPU 0: 3711f000
+ CPU 1: 37129000
+ CPU 2: 37133000
+ CPU 3: 3713d000
+
+So, the per-cpu addresses are:
+ crash_notes on CPU 0: f7a07ed4 => phys 36b57ed4
+ crash_notes on CPU 1: f7a11ed4 => phys 36b4ded4
+ crash_notes on CPU 2: f7a1bed4 => phys 36b43ed4
+ crash_notes on CPU 3: f7a25ed4 => phys 36b39ed4
+
+However, /sys/devices/system/cpu/cpu*/crash_notes says:
+ /sys/devices/system/cpu/cpu0/crash_notes: 36b57000
+ /sys/devices/system/cpu/cpu1/crash_notes: 36b4d000
+ /sys/devices/system/cpu/cpu2/crash_notes: 36b43000
+ /sys/devices/system/cpu/cpu3/crash_notes: 36b39000
+
+As you can see, all values are rounded down to a page
+boundary. Consequently, this is where kexec sets up the NOTE segments,
+and thus where the secondary kernel is looking for them. However, when
+the first kernel crashes, it saves the notes to the unaligned
+addresses, where they are not found.
+
+Fix it by adding offset_in_page() to the translated page address.
+
+-tj: Combined Eugene's and Petr's commit messages.
+
+Signed-off-by: Eugene Surovegin <ebs@ebshome.net>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Petr Tesarik <ptesarik@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/percpu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1011,9 +1011,11 @@ phys_addr_t per_cpu_ptr_to_phys(void *ad
+ if (!is_vmalloc_addr(addr))
+ return __pa(addr);
+ else
+- return page_to_phys(vmalloc_to_page(addr));
++ return page_to_phys(vmalloc_to_page(addr)) +
++ offset_in_page(addr);
+ } else
+- return page_to_phys(pcpu_addr_to_page(addr));
++ return page_to_phys(pcpu_addr_to_page(addr)) +
++ offset_in_page(addr);
+ }
+
+ /**
--- /dev/null
+From 7e1e7ead88dff75b11b86ee0d5232c4591be1326 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 11 Nov 2011 20:52:01 +0100
+Subject: SCSI: fcoe: Fix preempt count leak in fcoe_filter_frames()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7e1e7ead88dff75b11b86ee0d5232c4591be1326 upstream.
+
+The error exit path leaks preempt count. Add the missing put_cpu().
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Yi Zou <yi.zou@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/fcoe/fcoe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/fcoe/fcoe.c
++++ b/drivers/scsi/fcoe/fcoe.c
+@@ -1561,6 +1561,7 @@ static inline int fcoe_filter_frames(str
+ stats->InvalidCRCCount++;
+ if (stats->InvalidCRCCount < 5)
+ printk(KERN_WARNING "fcoe: dropping frame with CRC error\n");
++ put_cpu();
+ return -EINVAL;
+ }
+
--- /dev/null
+From f6a290b419a2675c4b77a6b0731cd2a64332365e Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Mon, 7 Nov 2011 22:05:21 +1100
+Subject: SCSI: mpt2sas: _scsih_smart_predicted_fault uses GFP_KERNEL in interrupt context
+
+From: Anton Blanchard <anton@samba.org>
+
+commit f6a290b419a2675c4b77a6b0731cd2a64332365e upstream.
+
+_scsih_smart_predicted_fault is called in an interrupt and therefore
+must allocate memory using GFP_ATOMIC.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -4145,7 +4145,7 @@ _scsih_smart_predicted_fault(struct MPT2
+ /* insert into event log */
+ sz = offsetof(Mpi2EventNotificationReply_t, EventData) +
+ sizeof(Mpi2EventDataSasDeviceStatusChange_t);
+- event_reply = kzalloc(sz, GFP_KERNEL);
++ event_reply = kzalloc(sz, GFP_ATOMIC);
+ if (!event_reply) {
+ printk(MPT2SAS_ERR_FMT "failure at %s:%d/%s()!\n",
+ ioc->name, __FILE__, __LINE__, __func__);
--- /dev/null
+From 44f747fff6e9f027a4866c1a6864e26ae7c510c8 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+Date: Fri, 18 Nov 2011 20:00:40 +0100
+Subject: SCSI: zfcp: return early from slave_destroy if slave_alloc returned early
+
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+
+commit 44f747fff6e9f027a4866c1a6864e26ae7c510c8 upstream.
+
+zfcp_scsi_slave_destroy erroneously always tried to finish its task
+even if the corresponding previous zfcp_scsi_slave_alloc returned
+early. This can lead to kernel page faults on accessing uninitialized
+fields of struct zfcp_scsi_dev in zfcp_erp_lun_shutdown_wait. Take the
+port field of the struct to determine if slave_alloc returned early.
+
+This zfcp bug is exposed by 4e6c82b (in turn fixing f7c9c6b to be
+compatible with 21208ae) which can call slave_destroy for a
+corresponding previous slave_alloc that did not finish.
+
+This patch is based on James Bottomley's fix suggestion in
+http://www.spinics.net/lists/linux-scsi/msg55449.html.
+
+Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/s390/scsi/zfcp_scsi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -57,6 +57,10 @@ static void zfcp_scsi_slave_destroy(stru
+ {
+ struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(sdev);
+
++ /* if previous slave_alloc returned early, there is nothing to do */
++ if (!zfcp_sdev->port)
++ return;
++
+ zfcp_erp_lun_shutdown_wait(sdev, "scssd_1");
+ put_device(&zfcp_sdev->port->dev);
+ }
drm-i915-prevent-division-by-zero-when-asking-for-chipset-power.patch
cfq-iosched-free-cic_index-if-blkio_alloc_blkg_stats-fails.patch
cfq-iosched-fix-cfq_cic_link-race-confition.patch
+scsi-zfcp-return-early-from-slave_destroy-if-slave_alloc-returned-early.patch
+scsi-mpt2sas-_scsih_smart_predicted_fault-uses-gfp_kernel-in-interrupt-context.patch
+scsi-fcoe-fix-preempt-count-leak-in-fcoe_filter_frames.patch
+mac80211-fix-another-race-in-aggregation-start.patch
+block-initialize-request_queue-s-numa-node-during.patch
+ssb-fix-init-regression-with-socs.patch
+mxc-pwm-should-active-during-doze-wait-dbg-mode.patch
+input-synaptics-fix-touchpad-not-working-after-s2r-on-vostro-v13.patch
+percpu-fix-per_cpu_ptr_to_phys-handling-of-non-page-aligned-addresses.patch
+binary_sysctl-fix-memory-leak.patch
--- /dev/null
+From 329456d1ffb416c220813725b7363cda9975c9aa Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 5 Dec 2011 23:19:51 +0100
+Subject: ssb: fix init regression with SoCs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 329456d1ffb416c220813725b7363cda9975c9aa upstream.
+
+This fixes a Data bus error on some SoCs. The first fix for this
+problem did not solve it on all devices.
+ commit 6ae8ec27868bfdbb815287bee8146acbefaee867
+ Author: Rafał Miłecki <zajec5@gmail.com>
+ Date: Tue Jul 5 17:25:32 2011 +0200
+ ssb: fix init regression of hostmode PCI core
+
+In ssb_pcicore_fix_sprom_core_index() the sprom on the PCI core is
+accessed, but the sprom only exists when the ssb bus is connected over
+a PCI bus to the rest of the system and not when the SSB Bus is the
+main system bus. SoCs sometimes have a PCI host controller and there
+this code will not be executed, but there are some old SoCs with an PCI
+controller in client mode around and ssb_pcicore_fix_sprom_core_index()
+should not be called on these devices too. The PCI controller on these
+devices are unused, but without this fix it results in an Data bus
+error when it gets initialized.
+
+Cc: Michael Buesch <m@bues.ch>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/driver_pcicore.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/ssb/driver_pcicore.c
++++ b/drivers/ssb/driver_pcicore.c
+@@ -516,10 +516,14 @@ static void ssb_pcicore_pcie_setup_worka
+
+ static void ssb_pcicore_init_clientmode(struct ssb_pcicore *pc)
+ {
+- ssb_pcicore_fix_sprom_core_index(pc);
++ struct ssb_device *pdev = pc->dev;
++ struct ssb_bus *bus = pdev->bus;
++
++ if (bus->bustype == SSB_BUSTYPE_PCI)
++ ssb_pcicore_fix_sprom_core_index(pc);
+
+ /* Disable PCI interrupts. */
+- ssb_write32(pc->dev, SSB_INTVEC, 0);
++ ssb_write32(pdev, SSB_INTVEC, 0);
+
+ /* Additional PCIe always once-executed workarounds */
+ if (pc->dev->id.coreid == SSB_DEV_PCIE) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
