3.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 Apr 2013 23:05:34 +0000 (16:05 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 Apr 2013 23:05:34 +0000 (16:05 -0700)
added patches:
ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch
hwspinlock-fix-__hwspin_lock_request-error-path.patch
mac80211-fix-remain-on-channel-cancel-crash.patch
mwifiex-limit-channel-number-not-to-overflow-memory.patch
powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch
remoteproc-fix-error-path-of-handle_vdev.patch
remoteproc-fix-fw_config-typo.patch
remoteproc-ste-fix-memory-leak-on-shutdown.patch
x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch

queue-3.8/ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch [new file with mode: 0644]
queue-3.8/hwspinlock-fix-__hwspin_lock_request-error-path.patch [new file with mode: 0644]
queue-3.8/mac80211-fix-remain-on-channel-cancel-crash.patch [new file with mode: 0644]
queue-3.8/mwifiex-limit-channel-number-not-to-overflow-memory.patch [new file with mode: 0644]
queue-3.8/powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch [new file with mode: 0644]
queue-3.8/remoteproc-fix-error-path-of-handle_vdev.patch [new file with mode: 0644]
queue-3.8/remoteproc-fix-fw_config-typo.patch [new file with mode: 0644]
queue-3.8/remoteproc-ste-fix-memory-leak-on-shutdown.patch [new file with mode: 0644]
queue-3.8/series
queue-3.8/x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch [new file with mode: 0644]

diff --git a/queue-3.8/ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch b/queue-3.8/ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch
new file mode 100644 (file)
index 0000000..5a50c67
--- /dev/null
@@ -0,0 +1,40 @@
+From 5000c418840b309251c5887f0b56503aae30f84c Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Tue, 26 Mar 2013 17:53:03 +0100
+Subject: ftrace: Consistently restore trace function on sysctl enabling
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+commit 5000c418840b309251c5887f0b56503aae30f84c upstream.
+
+If we reenable ftrace via syctl, we currently set ftrace_trace_function
+based on the previous simplistic algorithm. This is inconsistent with
+what update_ftrace_function does. So better call that helper instead.
+
+Link: http://lkml.kernel.org/r/5151D26F.1070702@siemens.com
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4537,12 +4537,8 @@ ftrace_enable_sysctl(struct ctl_table *t
+               ftrace_startup_sysctl();
+               /* we are starting ftrace again */
+-              if (ftrace_ops_list != &ftrace_list_end) {
+-                      if (ftrace_ops_list->next == &ftrace_list_end)
+-                              ftrace_trace_function = ftrace_ops_list->func;
+-                      else
+-                              ftrace_trace_function = ftrace_ops_list_func;
+-              }
++              if (ftrace_ops_list != &ftrace_list_end)
++                      update_ftrace_function();
+       } else {
+               /* stopping ftrace calls (just send to ftrace_stub) */
diff --git a/queue-3.8/hwspinlock-fix-__hwspin_lock_request-error-path.patch b/queue-3.8/hwspinlock-fix-__hwspin_lock_request-error-path.patch
new file mode 100644 (file)
index 0000000..9733a9b
--- /dev/null
@@ -0,0 +1,38 @@
+From c10b90d85a5126d25c89cbaa50dc9fdd1c4d001a Mon Sep 17 00:00:00 2001
+From: Li Fei <fei.li@intel.com>
+Date: Fri, 5 Apr 2013 21:20:36 +0800
+Subject: hwspinlock: fix __hwspin_lock_request error path
+
+From: Li Fei <fei.li@intel.com>
+
+commit c10b90d85a5126d25c89cbaa50dc9fdd1c4d001a upstream.
+
+Even in failed case of pm_runtime_get_sync, the usage_count
+is incremented. In order to keep the usage_count with correct
+value and runtime power management to behave correctly, call
+pm_runtime_put_noidle in such case.
+
+In __hwspin_lock_request, module_put is also called before
+return in pm_runtime_get_sync failed case.
+
+Signed-off-by Liu Chuansheng <chuansheng.liu@intel.com>
+Signed-off-by: Li Fei <fei.li@intel.com>
+[edit commit log]
+Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwspinlock/hwspinlock_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hwspinlock/hwspinlock_core.c
++++ b/drivers/hwspinlock/hwspinlock_core.c
+@@ -416,6 +416,8 @@ static int __hwspin_lock_request(struct
+       ret = pm_runtime_get_sync(dev);
+       if (ret < 0) {
+               dev_err(dev, "%s: can't power on device\n", __func__);
++              pm_runtime_put_noidle(dev);
++              module_put(dev->driver->owner);
+               return ret;
+       }
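Review bot: The error message ahead of the two added release calls does not include `ret`, so a failed power-on is logged without its cause; `dev_err(dev, "%s: can't power on device (%d)\n", __func__, ret);` would make the failure diagnosable from the log alone. The call that takes the module reference released by the new `module_put()` is outside the hunk, so the pairing cannot be checked here. A short comment such as `/* drop the usage count and module reference taken above */` would keep the unwind order obvious to the next reader. __hwspin_lock_request starts and ends outside the hunk.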
diff --git a/queue-3.8/mac80211-fix-remain-on-channel-cancel-crash.patch b/queue-3.8/mac80211-fix-remain-on-channel-cancel-crash.patch
new file mode 100644 (file)
index 0000000..bc7ca5b
--- /dev/null
@@ -0,0 +1,153 @@
+From 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 25 Mar 2013 11:51:14 +0100
+Subject: mac80211: fix remain-on-channel cancel crash
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b upstream.
+
+If a ROC item is canceled just as it expires, the work
+struct may be scheduled while it is running (and waiting
+for the mutex). This results in it being run after being
+freed, which obviously crashes.
+
+To fix this don't free it when aborting is requested but
+instead mark it as "to be freed", which makes the work a
+no-op and allows freeing it outside.
+
+Reported-by: Jouni Malinen <j@w1.fi>
+Tested-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c         |    6 ++++--
+ net/mac80211/ieee80211_i.h |    3 ++-
+ net/mac80211/offchannel.c  |   23 +++++++++++++++++------
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2499,7 +2499,7 @@ static int ieee80211_cancel_roc(struct i
+                       list_del(&dep->list);
+                       mutex_unlock(&local->mtx);
+-                      ieee80211_roc_notify_destroy(dep);
++                      ieee80211_roc_notify_destroy(dep, true);
+                       return 0;
+               }
+@@ -2539,7 +2539,7 @@ static int ieee80211_cancel_roc(struct i
+                       ieee80211_start_next_roc(local);
+               mutex_unlock(&local->mtx);
+-              ieee80211_roc_notify_destroy(found);
++              ieee80211_roc_notify_destroy(found, true);
+       } else {
+               /* work may be pending so use it all the time */
+               found->abort = true;
+@@ -2549,6 +2549,8 @@ static int ieee80211_cancel_roc(struct i
+               /* work will clean up etc */
+               flush_delayed_work(&found->work);
++              WARN_ON(!found->to_be_freed);
++              kfree(found);
+       }
+       return 0;
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -346,6 +346,7 @@ struct ieee80211_roc_work {
+       struct ieee80211_channel *chan;
+       bool started, abort, hw_begun, notified;
++      bool to_be_freed;
+       unsigned long hw_start_time;
+@@ -1363,7 +1364,7 @@ void ieee80211_offchannel_return(struct
+ void ieee80211_roc_setup(struct ieee80211_local *local);
+ void ieee80211_start_next_roc(struct ieee80211_local *local);
+ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata);
+-void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc);
++void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc, bool free);
+ void ieee80211_sw_roc_work(struct work_struct *work);
+ void ieee80211_handle_roc_started(struct ieee80211_roc_work *roc);
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -299,10 +299,13 @@ void ieee80211_start_next_roc(struct iee
+       }
+ }
+-void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc)
++void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc, bool free)
+ {
+       struct ieee80211_roc_work *dep, *tmp;
++      if (WARN_ON(roc->to_be_freed))
++              return;
++
+       /* was never transmitted */
+       if (roc->frame) {
+               cfg80211_mgmt_tx_status(&roc->sdata->wdev,
+@@ -318,9 +321,12 @@ void ieee80211_roc_notify_destroy(struct
+                                                  GFP_KERNEL);
+       list_for_each_entry_safe(dep, tmp, &roc->dependents, list)
+-              ieee80211_roc_notify_destroy(dep);
++              ieee80211_roc_notify_destroy(dep, true);
+-      kfree(roc);
++      if (free)
++              kfree(roc);
++      else
++              roc->to_be_freed = true;
+ }
+ void ieee80211_sw_roc_work(struct work_struct *work)
+@@ -333,6 +339,9 @@ void ieee80211_sw_roc_work(struct work_s
+       mutex_lock(&local->mtx);
++      if (roc->to_be_freed)
++              goto out_unlock;
++
+       if (roc->abort)
+               goto finish;
+@@ -372,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_s
+  finish:
+               list_del(&roc->list);
+               started = roc->started;
+-              ieee80211_roc_notify_destroy(roc);
++              ieee80211_roc_notify_destroy(roc, !roc->abort);
+               if (started) {
+                       drv_flush(local, false);
+@@ -412,7 +421,7 @@ static void ieee80211_hw_roc_done(struct
+       list_del(&roc->list);
+-      ieee80211_roc_notify_destroy(roc);
++      ieee80211_roc_notify_destroy(roc, true);
+       /* if there's another roc, start it now */
+       ieee80211_start_next_roc(local);
+@@ -462,12 +471,14 @@ void ieee80211_roc_purge(struct ieee8021
+       list_for_each_entry_safe(roc, tmp, &tmp_list, list) {
+               if (local->ops->remain_on_channel) {
+                       list_del(&roc->list);
+-                      ieee80211_roc_notify_destroy(roc);
++                      ieee80211_roc_notify_destroy(roc, true);
+               } else {
+                       ieee80211_queue_delayed_work(&local->hw, &roc->work, 0);
+                       /* work will clean up etc */
+                       flush_delayed_work(&roc->work);
++                      WARN_ON(!roc->to_be_freed);
++                      kfree(roc);
+               }
+       }
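Review bot: The new `to_be_freed` field in struct ieee80211_roc_work carries the whole ownership rule of this fix but is declared without a comment. Something like `/* set by ieee80211_roc_notify_destroy(roc, false): notifications are done, the work is a no-op, the canceller owns the kfree() */` would state the contract where the next reader looks for it. Both callers that free after `flush_delayed_work()` (in ieee80211_cancel_roc and ieee80211_roc_purge) also go on to `kfree()` even when `WARN_ON(!...->to_be_freed)` fires. If that warning ever triggers, the item may still be linked on a list when it is freed, as far as the hunks show, so it is worth deciding whether that path should skip the free and accept a leak instead. The bodies of these functions continue outside the hunks.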
diff --git a/queue-3.8/mwifiex-limit-channel-number-not-to-overflow-memory.patch b/queue-3.8/mwifiex-limit-channel-number-not-to-overflow-memory.patch
new file mode 100644 (file)
index 0000000..51f62d0
--- /dev/null
@@ -0,0 +1,33 @@
+From 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f Mon Sep 17 00:00:00 2001
+From: Stone Piao <piaoyun@marvell.com>
+Date: Fri, 29 Mar 2013 19:21:21 -0700
+Subject: mwifiex: limit channel number not to overflow memory
+
+From: Stone Piao <piaoyun@marvell.com>
+
+commit 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f upstream.
+
+Limit the channel number in scan request, or the driver scan
+config structure memory will be overflowed.
+
+Signed-off-by: Stone Piao <piaoyun@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/cfg80211.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/mwifiex/cfg80211.c
+@@ -1846,7 +1846,8 @@ mwifiex_cfg80211_scan(struct wiphy *wiph
+               }
+       }
+-      for (i = 0; i < request->n_channels; i++) {
++      for (i = 0; i < min_t(u32, request->n_channels,
++                            MWIFIEX_USER_SCAN_CHAN_MAX); i++) {
+               chan = request->channels[i];
+               priv->user_scan_cfg->chan_list[i].chan_number = chan->hw_value;
+               priv->user_scan_cfg->chan_list[i].radio_type = chan->band;
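Review bot: The clamp in the loop condition silently drops every channel past MWIFIEX_USER_SCAN_CHAN_MAX, so an oversized scan request is accepted while only part of it is scanned. Computing the bound once before the loop, `n = min_t(u32, request->n_channels, MWIFIEX_USER_SCAN_CHAN_MAX);`, and logging when `n < request->n_channels` would make the truncation visible and avoid re-evaluating `min_t` on each iteration. The declaration of `chan_list` is outside the hunk, so its size is presumably MWIFIEX_USER_SCAN_CHAN_MAX entries; a comment at the loop saying so would tie the bound to the array it protects. mwifiex_cfg80211_scan starts and ends outside the hunk.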
diff --git a/queue-3.8/powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch b/queue-3.8/powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch
new file mode 100644 (file)
index 0000000..7724adf
--- /dev/null
@@ -0,0 +1,42 @@
+From 9fb2640159f9d4f5a2a9d60e490482d4cbecafdb Mon Sep 17 00:00:00 2001
+From: Michael Wolf <mjw@linux.vnet.ibm.com>
+Date: Fri, 5 Apr 2013 10:41:40 +0000
+Subject: powerpc: pSeries_lpar_hpte_remove fails from Adjunct partition being performed before the ANDCOND test
+
+From: Michael Wolf <mjw@linux.vnet.ibm.com>
+
+commit 9fb2640159f9d4f5a2a9d60e490482d4cbecafdb upstream.
+
+Some versions of pHyp will perform the adjunct partition test before the
+ANDCOND test.  The result of this is that H_RESOURCE can be returned and
+cause the BUG_ON condition to occur. The HPTE is not removed.  So add a
+check for H_RESOURCE, it is ok if this HPTE is not removed as
+pSeries_lpar_hpte_remove is looking for an HPTE to remove and not a
+specific HPTE to remove.  So it is ok to just move on to the next slot
+and try again.
+
+Signed-off-by: Michael Wolf <mjw@linux.vnet.ibm.com>
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/lpar.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -186,7 +186,13 @@ static long pSeries_lpar_hpte_remove(uns
+                                          (0x1UL << 4), &dummy1, &dummy2);
+               if (lpar_rc == H_SUCCESS)
+                       return i;
+-              BUG_ON(lpar_rc != H_NOT_FOUND);
++
++              /*
++               * The test for adjunct partition is performed before the
++               * ANDCOND test.  H_RESOURCE may be returned, so we need to
++               * check for that as well.
++               */
++              BUG_ON(lpar_rc != H_NOT_FOUND && lpar_rc != H_RESOURCE);
+               slot_offset++;
+               slot_offset &= 0x7;
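Review bot: Any return code other than H_SUCCESS, H_NOT_FOUND or H_RESOURCE still reaches `BUG_ON` here, so the next unexpected hypervisor response halts the kernel the same way H_RESOURCE did before this change. The commit log says the function only needs some HPTE to remove and can move on to the next slot, so a non-fatal check such as `WARN_ON_ONCE(lpar_rc != H_NOT_FOUND && lpar_rc != H_RESOURCE);` followed by the existing slot advance may fit better. Whether every other return code is safe to skip would need confirming against the hypervisor interface. The loop around these lines is outside the hunk.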
diff --git a/queue-3.8/remoteproc-fix-error-path-of-handle_vdev.patch b/queue-3.8/remoteproc-fix-error-path-of-handle_vdev.patch
new file mode 100644 (file)
index 0000000..d27f953
--- /dev/null
@@ -0,0 +1,38 @@
+From cde42e076c1cdd69a1f955d66ff6596bad3d2105 Mon Sep 17 00:00:00 2001
+From: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Date: Thu, 21 Feb 2013 18:15:32 +0100
+Subject: remoteproc: fix error path of handle_vdev
+
+From: Sjur Brændeland <sjur.brandeland@stericsson.com>
+
+commit cde42e076c1cdd69a1f955d66ff6596bad3d2105 upstream.
+
+Remove the vdev entry from the list before freeing it,
+otherwise rproc->vdevs will explode.
+
+Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Acked-by: Ido Yariv <ido@wizery.com>
+[edit subject, minor commit log edit, cc stable]
+Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/remoteproc_core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -370,10 +370,12 @@ static int rproc_handle_vdev(struct rpro
+       /* it is now safe to add the virtio device */
+       ret = rproc_add_virtio_dev(rvdev, rsc->id);
+       if (ret)
+-              goto free_rvdev;
++              goto remove_rvdev;
+       return 0;
++remove_rvdev:
++      list_del(&rvdev->node);
+ free_rvdev:
+       kfree(rvdev);
+       return ret;
diff --git a/queue-3.8/remoteproc-fix-fw_config-typo.patch b/queue-3.8/remoteproc-fix-fw_config-typo.patch
new file mode 100644 (file)
index 0000000..8627062
--- /dev/null
@@ -0,0 +1,32 @@
+From c7426bce5933d16b492a34e42ae77e26fceddff6 Mon Sep 17 00:00:00 2001
+From: Robert Tivy <rtivy@ti.com>
+Date: Thu, 28 Mar 2013 18:41:43 -0700
+Subject: remoteproc: fix FW_CONFIG typo
+
+From: Robert Tivy <rtivy@ti.com>
+
+commit c7426bce5933d16b492a34e42ae77e26fceddff6 upstream.
+
+Fix obvious typo introduced in commit e121aefa7d9f10eee5cf26ed47129237a05d940b
+("remoteproc: fix missing CONFIG_FW_LOADER configurations").
+
+Signed-off-by: Robert Tivy <rtivy@ti.com>
+[cc stable, slight subject change]
+Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/Kconfig
++++ b/drivers/remoteproc/Kconfig
+@@ -5,7 +5,7 @@ config REMOTEPROC
+       tristate
+       depends on EXPERIMENTAL
+       depends on HAS_DMA
+-      select FW_CONFIG
++      select FW_LOADER
+       select VIRTIO
+ config OMAP_REMOTEPROC
diff --git a/queue-3.8/remoteproc-ste-fix-memory-leak-on-shutdown.patch b/queue-3.8/remoteproc-ste-fix-memory-leak-on-shutdown.patch
new file mode 100644 (file)
index 0000000..4473630
--- /dev/null
@@ -0,0 +1,49 @@
+From 1cd425b660bd5b4f41b9175b0b7bf3828ce88144 Mon Sep 17 00:00:00 2001
+From: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
+Date: Sun, 10 Feb 2013 12:39:04 +0100
+Subject: remoteproc/ste: fix memory leak on shutdown
+
+From: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
+
+commit 1cd425b660bd5b4f41b9175b0b7bf3828ce88144 upstream.
+
+Fixes coherent memory leakage, caused by non-deallocated
+firmware image chunk.
+
+Signed-off-by: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
+Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
+Acked-by: Ido Yariv <ido@wizery.com>
+[slightly edit subject and commit log]
+Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/ste_modem_rproc.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/ste_modem_rproc.c
++++ b/drivers/remoteproc/ste_modem_rproc.c
+@@ -240,6 +240,8 @@ static int sproc_drv_remove(struct platf
+       /* Unregister as remoteproc device */
+       rproc_del(sproc->rproc);
++      dma_free_coherent(sproc->rproc->dev.parent, SPROC_FW_SIZE,
++                        sproc->fw_addr, sproc->fw_dma_addr);
+       rproc_put(sproc->rproc);
+       mdev->drv_data = NULL;
+@@ -297,10 +299,13 @@ static int sproc_probe(struct platform_d
+       /* Register as a remoteproc device */
+       err = rproc_add(rproc);
+       if (err)
+-              goto free_rproc;
++              goto free_mem;
+       return 0;
++free_mem:
++      dma_free_coherent(rproc->dev.parent, SPROC_FW_SIZE,
++                        sproc->fw_addr, sproc->fw_dma_addr);
+ free_rproc:
+       /* Reset device data upon error */
+       mdev->drv_data = NULL;
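Review bot: After the added `dma_free_coherent()` calls in sproc_drv_remove and at the `free_mem` label in sproc_probe, `sproc->fw_addr` and `sproc->fw_dma_addr` keep their old values, so a later reader of `sproc` would see a stale pointer to freed coherent memory. Adding `sproc->fw_addr = NULL;` after each free would turn any later use into an immediate, visible fault. The matching allocation is outside both hunks, so it is worth confirming that its failure path jumps to `free_rproc` rather than `free_mem`, and that it was made against the same device (`rproc->dev.parent`) that is passed to the free.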
index d6fc6900ab9e8d32b6d8646428a5767738178822..6303aa4e1bd5dea7cc8f46e8e26c1fe471f5f998 100644 (file)
@@ -29,3 +29,12 @@ alpha-add-irongate_io-to-pci-bus-resources.patch
 pci-acpi-always-resume-devices-on-acpi-wakeup-notifications.patch
 pci-pm-disable-runtime-pm-of-pcie-ports.patch
 ata_piix-fix-dvd-not-dectected-at-some-haswell-platforms.patch
+ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch
+powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch
+mwifiex-limit-channel-number-not-to-overflow-memory.patch
+mac80211-fix-remain-on-channel-cancel-crash.patch
+x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch
+hwspinlock-fix-__hwspin_lock_request-error-path.patch
+remoteproc-ste-fix-memory-leak-on-shutdown.patch
+remoteproc-fix-error-path-of-handle_vdev.patch
+remoteproc-fix-fw_config-typo.patch
diff --git a/queue-3.8/x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch b/queue-3.8/x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch
new file mode 100644 (file)
index 0000000..0986a08
--- /dev/null
@@ -0,0 +1,63 @@
+From 8b4b9f27e57584f3d90e0bb84cf800ad81cfe3a1 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Fri, 15 Feb 2013 12:21:43 -0500
+Subject: x86: remove the x32 syscall bitmask from syscall_get_nr()
+
+From: Paul Moore <pmoore@redhat.com>
+
+commit 8b4b9f27e57584f3d90e0bb84cf800ad81cfe3a1 upstream.
+
+Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
+implementation by creating a syscall bitmask, equal to 0x40000000, that
+could be applied to x32 syscalls such that the masked syscall number
+would be the same as a x86_64 syscall.  While that patch was a nice
+way to simplify the code, it went a bit too far by adding the mask to
+syscall_get_nr(); returning the masked syscall numbers can cause
+confusion with callers that expect syscall numbers matching the x32
+ABI, e.g. unmasked syscall numbers.
+
+This patch fixes this by simply removing the mask from syscall_get_nr()
+while preserving the other changes from the original commit.  While
+there are several syscall_get_nr() callers in the kernel, most simply
+check that the syscall number is greater than zero, in this case this
+patch will have no effect.  Of those remaining callers, they appear
+to be few, seccomp and ftrace, and from my testing of seccomp without
+this patch the original commit definitely breaks things; the seccomp
+filter does not correctly filter the syscalls due to the difference in
+syscall numbers in the BPF filter and the value from syscall_get_nr().
+Applying this patch restores the seccomp BPF filter functionality on
+x32.
+
+I've tested this patch with the seccomp BPF filters as well as ftrace
+and everything looks reasonable to me; needless to say general usage
+seemed fine as well.
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Link: http://lkml.kernel.org/r/20130215172143.12549.10292.stgit@localhost
+Cc: Will Drewry <wad@chromium.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/syscall.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/syscall.h
++++ b/arch/x86/include/asm/syscall.h
+@@ -29,13 +29,13 @@ extern const unsigned long sys_call_tabl
+  */
+ static inline int syscall_get_nr(struct task_struct *task, struct pt_regs *regs)
+ {
+-      return regs->orig_ax & __SYSCALL_MASK;
++      return regs->orig_ax;
+ }
+ static inline void syscall_rollback(struct task_struct *task,
+                                   struct pt_regs *regs)
+ {
+-      regs->ax = regs->orig_ax & __SYSCALL_MASK;
++      regs->ax = regs->orig_ax;
+ }
+ static inline long syscall_get_error(struct task_struct *task,
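Review bot: With the mask removed, `syscall_get_nr()` returns the raw `orig_ax` value, which for x32 tasks still carries the x32 bit (0x40000000 per the commit log), but the new body does not say so. A comment above the return, such as `/* raw syscall number; for x32 tasks the x32 bit is still set, so callers must not assume x86_64 numbering */`, would record this. It matters most for seccomp and ftrace, the callers the commit log names, where a filter or table indexed by x86_64 numbers has to handle x32 values explicitly. Only the tail of the existing doc comment above the function is visible in the hunk, so the note may belong there instead.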