--- /dev/null
+From 8dce30c89113e314d29d3b8f362aadff8087fccb Mon Sep 17 00:00:00 2001
+From: Daniel Mack <zonque@gmail.com>
+Date: Thu, 27 Sep 2012 10:26:01 +0200
+Subject: ALSA: snd-usb: fix next_packet_size calls for pause case
+
+From: Daniel Mack <zonque@gmail.com>
+
+commit 8dce30c89113e314d29d3b8f362aadff8087fccb upstream.
+
+Also fix the calls to next_packet_size() for the pause case. This was
+missed in 245baf983 ("ALSA: snd-usb: fix calls to next_packet_size").
+
+Signed-off-by: Daniel Mack <zonque@gmail.com>
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Reported-and-tested-by: Christian Tefzer <ctrefzer@gmx.de>
+[ Taking directly because Takashi is on vacation - Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/endpoint.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -197,7 +197,13 @@ static void prepare_outbound_urb(struct
+ /* no data provider, so send silence */
+ unsigned int offs = 0;
+ for (i = 0; i < ctx->packets; ++i) {
+- int counts = ctx->packet_size[i];
++ int counts;
++
++ if (ctx->packet_size[i])
++ counts = ctx->packet_size[i];
++ else
++ counts = snd_usb_endpoint_next_packet_size(ep);
++
+ urb->iso_frame_desc[i].offset = offs * ep->stride;
+ urb->iso_frame_desc[i].length = counts * ep->stride;
+ offs += counts;
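Review bot: The new `if (ctx->packet_size[i])` test in the silence loop uses a stored size of 0 as a sentinel for "no size recorded", and nothing in the hunk says so. A one-line comment above the test would make that explicit, for example `/* 0: no size stored for this packet, ask the endpoint for the next one */`. Since `counts` feeds `iso_frame_desc[i].length` and `offs` directly, it is also worth confirming that `snd_usb_endpoint_next_packet_size()` cannot return zero or a negative value on this path; its definition is not part of this patch. prepare_outbound_urb() starts and ends outside the hunk.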
--- /dev/null
+From d0e12f3ff3472cbd8f52d3c0e6ee07a841787c40 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Wed, 26 Sep 2012 11:57:30 +0100
+Subject: ASoC: wm2000: Correct register size
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit d0e12f3ff3472cbd8f52d3c0e6ee07a841787c40 upstream.
+
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm2000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm2000.c
++++ b/sound/soc/codecs/wm2000.c
+@@ -675,7 +675,7 @@ static int wm2000_resume(struct snd_soc_
+ #endif
+
+ static const struct regmap_config wm2000_regmap = {
+- .reg_bits = 8,
++ .reg_bits = 16,
+ .val_bits = 8,
+ };
+
--- /dev/null
+From fcbc50da7753b210b4442ca9abc4efbd4e481f6e Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Wed, 29 Aug 2012 14:08:42 +0300
+Subject: drm/i915: only enable sdvo hotplug irq if needed
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit fcbc50da7753b210b4442ca9abc4efbd4e481f6e upstream.
+
+Avoid constant wakeups caused by noisy irq lines when we don't even care
+about the irq. This should be particularly useful for i945g/gm where the
+hotplug has been disabled:
+
+commit 768b107e4b3be0acf6f58e914afe4f337c00932b
+Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri May 4 11:29:56 2012 +0200
+
+ drm/i915: disable sdvo hotplug on i945g/gm
+
+v2: While at it, remove the bogus hotplug_active read, and do not mask
+hotplug_active[0] before checking whether the irq is needed, per discussion
+with Daniel on IRC.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=38442
+Tested-by: Dominik Köppl <dominik@devwork.org>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_sdvo.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/intel_sdvo.c
+@@ -2552,25 +2552,12 @@ bool intel_sdvo_init(struct drm_device *
+ }
+ }
+
+- if (intel_sdvo->is_sdvob)
+- dev_priv->hotplug_supported_mask |= SDVOB_HOTPLUG_INT_STATUS;
+- else
+- dev_priv->hotplug_supported_mask |= SDVOC_HOTPLUG_INT_STATUS;
+-
+ drm_encoder_helper_add(&intel_encoder->base, &intel_sdvo_helper_funcs);
+
+ /* In default case sdvo lvds is false */
+ if (!intel_sdvo_get_capabilities(intel_sdvo, &intel_sdvo->caps))
+ goto err;
+
+- /* Set up hotplug command - note paranoia about contents of reply.
+- * We assume that the hardware is in a sane state, and only touch
+- * the bits we think we understand.
+- */
+- intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_ACTIVE_HOT_PLUG,
+- &intel_sdvo->hotplug_active, 2);
+- intel_sdvo->hotplug_active[0] &= ~0x3;
+-
+ if (intel_sdvo_output_setup(intel_sdvo,
+ intel_sdvo->caps.output_flags) != true) {
+ DRM_DEBUG_KMS("SDVO output failed to setup on %s\n",
+@@ -2578,6 +2565,16 @@ bool intel_sdvo_init(struct drm_device *
+ goto err;
+ }
+
++ /* Only enable the hotplug irq if we need it, to work around noisy
++ * hotplug lines.
++ */
++ if (intel_sdvo->hotplug_active[0]) {
++ if (intel_sdvo->is_sdvob)
++ dev_priv->hotplug_supported_mask |= SDVOB_HOTPLUG_INT_STATUS;
++ else
++ dev_priv->hotplug_supported_mask |= SDVOC_HOTPLUG_INT_STATUS;
++ }
++
+ intel_sdvo_select_ddc_bus(dev_priv, intel_sdvo, sdvo_reg);
+
+ /* Set the input timing to the screen. Assume always input 0. */
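Review bot: The added `if (intel_sdvo->hotplug_active[0])` test depends on hotplug_active having been filled in earlier, yet the previous hunk removes the only write to it that is visible here (the SDVO_CMD_GET_ACTIVE_HOT_PLUG read). Presumably intel_sdvo_output_setup() sets it, which would explain why the mask update moved below that call, but the patch does not show this. The comment should state the ordering dependency, e.g. `/* hotplug_active is filled in by output setup above; only enable the hotplug irq if an output needs it, to work around noisy hotplug lines. */`. The test also looks at byte 0 only, whereas the removed read filled two bytes; if byte 1 can carry hotplug bits, the condition should cover it. intel_sdvo_init() continues outside the hunk.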
--- /dev/null
+From 3a75885848996baab5276ff37ebf7295c3c753f0 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 25 Sep 2012 16:17:43 +1000
+Subject: drm/udl: limit modes to the sku pixel limits.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit 3a75885848996baab5276ff37ebf7295c3c753f0 upstream.
+
+Otherwise when X starts we commonly get a black screen scanning
+out nothing, its wierd dpms on/off from userspace brings it back,
+
+With this on F18, multi-seat works again with my 1920x1200 monitor
+which is above the sku limit for the device I have.
+
+Reviewed-by: Alex Deucher <alexander.deucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/udl/udl_connector.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/udl/udl_connector.c
++++ b/drivers/gpu/drm/udl/udl_connector.c
+@@ -69,6 +69,13 @@ static int udl_get_modes(struct drm_conn
+ static int udl_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
+ {
++ struct udl_device *udl = connector->dev->dev_private;
++ if (!udl->sku_pixel_limit)
++ return 0;
++
++ if (mode->vdisplay * mode->hdisplay > udl->sku_pixel_limit)
++ return MODE_VIRTUAL_Y;
++
+ return 0;
+ }
+
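Review bot: The area test `mode->vdisplay * mode->hdisplay > udl->sku_pixel_limit` multiplies two mode fields before comparing, and the mode can originate from the attached display. The field types are not visible in the hunk, but if they are plain `int` a large enough mode overflows the product and can pass under the limit; widening first avoids that: `if ((u64)mode->vdisplay * mode->hdisplay > udl->sku_pixel_limit)`. The two bare `return 0;` statements would read better as `return MODE_OK;`, matching the `MODE_VIRTUAL_Y` status used on the reject path. A blank line after the `udl` declaration would follow the usual kernel layout.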
--- /dev/null
+From b1268d3737c6316016026245eef276eda6b0a621 Mon Sep 17 00:00:00 2001
+From: Roland Stigge <stigge@antcom.de>
+Date: Thu, 20 Sep 2012 10:48:03 +0200
+Subject: gpio-lpc32xx: Fix value handling of gpio_direction_output()
+
+From: Roland Stigge <stigge@antcom.de>
+
+commit b1268d3737c6316016026245eef276eda6b0a621 upstream.
+
+For GPIOs of gpio-lpc32xx, gpio_direction_output() ignores the value argument
+(initial value of output). This patch fixes this by setting the level
+accordingly.
+
+Signed-off-by: Roland Stigge <stigge@antcom.de>
+Acked-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-lpc32xx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpio/gpio-lpc32xx.c
++++ b/drivers/gpio/gpio-lpc32xx.c
+@@ -307,6 +307,7 @@ static int lpc32xx_gpio_dir_output_p012(
+ {
+ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip);
+
++ __set_gpio_level_p012(group, pin, value);
+ __set_gpio_dir_p012(group, pin, 0);
+
+ return 0;
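Review bot: The order of the two calls matters here: the added `__set_gpio_level_p012(group, pin, value)` runs before `__set_gpio_dir_p012(group, pin, 0)`. Presumably that is so the pin already holds the requested level when it starts driving, but nothing records it. A short comment would stop a later cleanup from swapping them, e.g. `/* set the level before switching to output to avoid a glitch */`. The same applies to the `lpc32xx_gpio_dir_output_p3` hunk that follows. In the third hunk, `lpc32xx_gpio_dir_out_always` now calls the p3-specific `__set_gpo_level_p3`; whether that callback is only installed on the p3 output group is not visible here and should be confirmed.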
+@@ -317,6 +318,7 @@ static int lpc32xx_gpio_dir_output_p3(st
+ {
+ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip);
+
++ __set_gpio_level_p3(group, pin, value);
+ __set_gpio_dir_p3(group, pin, 0);
+
+ return 0;
+@@ -325,6 +327,9 @@ static int lpc32xx_gpio_dir_output_p3(st
+ static int lpc32xx_gpio_dir_out_always(struct gpio_chip *chip, unsigned pin,
+ int value)
+ {
++ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip);
++
++ __set_gpo_level_p3(group, pin, value);
+ return 0;
+ }
+
--- /dev/null
+From 80b4812407c6b1f66a4f2430e69747a13f010839 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Thu, 27 Sep 2012 12:35:21 +1000
+Subject: md/raid10: fix "enough" function for detecting if array is failed.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 80b4812407c6b1f66a4f2430e69747a13f010839 upstream.
+
+The 'enough' function is written to work with 'near' arrays only
+in that is implicitly assumes that the offset from one 'group' of
+devices to the next is the same as the number of copies.
+In reality it is the number of 'near' copies.
+
+So change it to make this number explicit.
+
+This bug makes it possible to run arrays without enough drives
+present, which is dangerous.
+It is appropriate for an -stable kernel, but will almost certainly
+need to be modified for some of them.
+
+Reported-by: Jakub Husák <jakub@gooseman.cz>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid10.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1492,14 +1492,16 @@ static int _enough(struct r10conf *conf,
+ do {
+ int n = conf->copies;
+ int cnt = 0;
++ int this = first;
+ while (n--) {
+- if (conf->mirrors[first].rdev &&
+- first != ignore)
++ if (conf->mirrors[this].rdev &&
++ this != ignore)
+ cnt++;
+- first = (first+1) % geo->raid_disks;
++ this = (this+1) % geo->raid_disks;
+ }
+ if (cnt == 0)
+ return 0;
++ first = (first + geo->near_copies) % geo->raid_disks;
+ } while (first != 0);
+ return 1;
+ }
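Review bot: The loop now walks two cursors and the difference between them is the whole fix, but it is not commented. `first` marks the start of a group and advances by `geo->near_copies`, while `this` visits `conf->copies` consecutive devices inside the group. A comment above the `do` would help, e.g. `/* each group is conf->copies consecutive devices; groups start near_copies apart */`. Termination relies on `first` stepping back to 0 modulo `geo->raid_disks`. With a `near_copies` of 0 the loop would stop after the first group and can return 1 on that group alone, so it is worth confirming the geometry is validated before `_enough()` is reached. `_enough()` begins outside the hunk.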
kthread_worker-reimplement-flush_kthread_work-to-allow-freeing-the-work-item-being-executed.patch
usb-chipidea-udc-fix-error-path-in-udc_start.patch
usb-chipidea-cleanup-dma_pool-if-udc_start-fails.patch
+usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch
+usb-fix-race-condition-when-removing-host-controllers.patch
+alsa-snd-usb-fix-next_packet_size-calls-for-pause-case.patch
+asoc-wm2000-correct-register-size.patch
+gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch
+md-raid10-fix-enough-function-for-detecting-if-array-is-failed.patch
+drm-udl-limit-modes-to-the-sku-pixel-limits.patch
+drm-i915-only-enable-sdvo-hotplug-irq-if-needed.patch
+vmwgfx-corruption-in-vmw_event_fence_action_create.patch
--- /dev/null
+From 0d00dc2611abbe6ad244d50569c2ee82ce42846c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 26 Sep 2012 13:09:53 -0400
+Subject: USB: Fix race condition when removing host controllers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 0d00dc2611abbe6ad244d50569c2ee82ce42846c upstream.
+
+This patch (as1607) fixes a race that can occur if a USB host
+controller is removed while a process is reading the
+/sys/kernel/debug/usb/devices file.
+
+The usb_device_read() routine uses the bus->root_hub pointer to
+determine whether or not the root hub is registered. The is not a
+valid test, because the pointer is set before the root hub gets
+registered and remains set even after the root hub is unregistered and
+deallocated. As a result, usb_device_read() or usb_device_dump() can
+access freed memory, causing an oops.
+
+The patch changes the test to use the hcd->rh_registered flag, which
+does get set and cleared at the appropriate times. It also makes sure
+to hold the usb_bus_list_lock mutex while setting the flag, so that
+usb_device_read() will become aware of new root hubs as soon as they
+are registered.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Don Zickus <dzickus@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devices.c | 2 +-
+ drivers/usb/core/hcd.c | 6 ++----
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devices.c
++++ b/drivers/usb/core/devices.c
+@@ -624,7 +624,7 @@ static ssize_t usb_device_read(struct fi
+ /* print devices for all busses */
+ list_for_each_entry(bus, &usb_bus_list, bus_list) {
+ /* recurse through all children of the root hub */
+- if (!bus->root_hub)
++ if (!bus_to_hcd(bus)->rh_registered)
+ continue;
+ usb_lock_device(bus->root_hub);
+ ret = usb_device_dump(&buf, &nbytes, &skip_bytes, ppos,
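Review bot: The new `bus_to_hcd(bus)->rh_registered` test reads the flag without `hcd_root_hub_lock`, the spinlock the hcd.c part of this patch holds when setting it. The check is therefore safe only if `usb_bus_list_lock` is held across this loop and the root hub cannot be freed while it is held. The lock acquisition in usb_device_read() and the code that clears the flag are both outside this patch, so a comment should record the rule, e.g. `/* rh_registered is set under usb_bus_list_lock, held here; root_hub is only valid while it is set */`. usb_device_read() begins and ends outside the hunk.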
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1011,10 +1011,7 @@ static int register_root_hub(struct usb_
+ if (retval) {
+ dev_err (parent_dev, "can't register root hub for %s, %d\n",
+ dev_name(&usb_dev->dev), retval);
+- }
+- mutex_unlock(&usb_bus_list_lock);
+-
+- if (retval == 0) {
++ } else {
+ spin_lock_irq (&hcd_root_hub_lock);
+ hcd->rh_registered = 1;
+ spin_unlock_irq (&hcd_root_hub_lock);
+@@ -1023,6 +1020,7 @@ static int register_root_hub(struct usb_
+ if (HCD_DEAD(hcd))
+ usb_hc_died (hcd); /* This time clean up */
+ }
++ mutex_unlock(&usb_bus_list_lock);
+
+ return retval;
+ }
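Review bot: Moving `mutex_unlock(&usb_bus_list_lock)` below the `HCD_DEAD(hcd)` block means `usb_hc_died(hcd)` now runs with the bus-list mutex held. That is fine only if usb_hc_died() and anything it calls synchronously never take `usb_bus_list_lock`; its body is not in this patch, so this should be confirmed. A comment at the unlock would document the widened critical section, e.g. `/* held until rh_registered is set so readers of usb_bus_list see a consistent state */`. register_root_hub() begins outside the hunk.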
--- /dev/null
+From 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 Mon Sep 17 00:00:00 2001
+From: Joachim Eastwood <manabian@gmail.com>
+Date: Sun, 23 Sep 2012 22:56:00 +0200
+Subject: USB: ohci-at91: fix null pointer in ohci_hcd_at91_overcurrent_irq
+
+From: Joachim Eastwood <manabian@gmail.com>
+
+commit 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 upstream.
+
+Fixes the following NULL pointer dereference:
+[ 7.740000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
+[ 7.810000] Unable to handle kernel NULL pointer dereference at virtual address 00000028
+[ 7.810000] pgd = c3a38000
+[ 7.810000] [00000028] *pgd=23a8c831, *pte=00000000, *ppte=00000000
+[ 7.810000] Internal error: Oops: 17 [#1] PREEMPT ARM
+[ 7.810000] Modules linked in: ohci_hcd(+) regmap_i2c snd_pcm usbcore snd_page_alloc at91_cf snd_timer pcmcia_rsrc snd soundcore gpio_keys regmap_spi pcmcia_core usb_common nls_base
+[ 7.810000] CPU: 0 Not tainted (3.6.0-rc6-mpa+ #264)
+[ 7.810000] PC is at __gpio_to_irq+0x18/0x40
+[ 7.810000] LR is at ohci_hcd_at91_overcurrent_irq+0x24/0xb4 [ohci_hcd]
+[ 7.810000] pc : [<c01392d4>] lr : [<bf08f694>] psr: 40000093
+[ 7.810000] sp : c3a11c40 ip : c3a11c50 fp : c3a11c4c
+[ 7.810000] r10: 00000000 r9 : c02dcd6e r8 : fefff400
+[ 7.810000] r7 : 00000000 r6 : c02cc928 r5 : 00000030 r4 : c02dd168
+[ 7.810000] r3 : c02e7350 r2 : ffffffea r1 : c02cc928 r0 : 00000000
+[ 7.810000] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+[ 7.810000] Control: c000717f Table: 23a38000 DAC: 00000015
+[ 7.810000] Process modprobe (pid: 285, stack limit = 0xc3a10270)
+[ 7.810000] Stack: (0xc3a11c40 to 0xc3a12000)
+[ 7.810000] 1c40: c3a11c6c c3a11c50 bf08f694 c01392cc c3a11c84 c2c38b00 c3806900 00000030
+[ 7.810000] 1c60: c3a11ca4 c3a11c70 c0051264 bf08f680 c3a11cac c3a11c80 c003e764 c3806900
+[ 7.810000] 1c80: c2c38b00 c02cb05c c02cb000 fefff400 c3806930 c3a11cf4 c3a11cbc c3a11ca8
+[ 7.810000] 1ca0: c005142c c005123c c3806900 c3805a00 c3a11cd4 c3a11cc0 c0053f24 c00513e4
+[ 7.810000] 1cc0: c3a11cf4 00000030 c3a11cec c3a11cd8 c005120c c0053e88 00000000 00000000
+[ 7.810000] 1ce0: c3a11d1c c3a11cf0 c00124d0 c00511e0 01400000 00000001 00000012 00000000
+[ 7.810000] 1d00: ffffffff c3a11d94 00000030 00000000 c3a11d34 c3a11d20 c005120c c0012438
+[ 7.810000] 1d20: c001dac4 00000012 c3a11d4c c3a11d38 c0009b08 c00511e0 c00523fc 60000013
+[ 7.810000] 1d40: c3a11d5c c3a11d50 c0008510 c0009ab4 c3a11ddc c3a11d60 c0008eb4 c00084f0
+[ 7.810000] 1d60: 00000000 00000030 00000000 00000080 60000013 bf08f670 c3806900 c2c38b00
+[ 7.810000] 1d80: 00000030 c3806930 00000000 c3a11ddc c3a11d88 c3a11da8 c0054190 c00523fc
+[ 7.810000] 1da0: 60000013 ffffffff c3a11dec c3a11db8 00000000 c2c38b00 bf08f670 c3806900
+[ 7.810000] 1dc0: 00000000 00000080 c02cc928 00000030 c3a11e0c c3a11de0 c0052764 c00520d8
+[ 7.810000] 1de0: c3a11dfc 00000000 00000000 00000002 bf090f61 00000004 c02cc930 c02cc928
+[ 7.810000] 1e00: c3a11e4c c3a11e10 bf090978 c005269c bf090f61 c02cc928 bf093000 c02dd170
+[ 7.810000] 1e20: c3a11e3c c02cc930 c02cc930 bf0911d0 bf0911d0 bf093000 c3a10000 00000000
+[ 7.810000] 1e40: c3a11e5c c3a11e50 c0155b7c bf090808 c3a11e7c c3a11e60 c0154690 c0155b6c
+[ 7.810000] 1e60: c02cc930 c02cc964 bf0911d0 c3a11ea0 c3a11e9c c3a11e80 c015484c c01545e8
+[ 7.810000] 1e80: 00000000 00000000 c01547e4 bf0911d0 c3a11ec4 c3a11ea0 c0152e58 c01547f4
+[ 7.810000] 1ea0: c381b88c c384ab10 c2c10540 bf0911d0 00000000 c02d7518 c3a11ed4 c3a11ec8
+[ 7.810000] 1ec0: c01544c0 c0152e0c c3a11efc c3a11ed8 c01536cc c01544b0 bf091075 c3a11ee8
+[ 7.810000] 1ee0: bf049af0 bf09120c bf0911d0 00000000 c3a11f1c c3a11f00 c0154e9c c0153628
+[ 7.810000] 1f00: bf049af0 bf09120c 000ae190 00000000 c3a11f2c c3a11f20 c0155f58 c0154e04
+[ 7.810000] 1f20: c3a11f44 c3a11f30 bf093054 c0155f1c 00000000 00006a4f c3a11f7c c3a11f48
+[ 7.810000] 1f40: c0008638 bf093010 bf09120c 000ae190 00000000 c00093c4 00006a4f bf09120c
+[ 7.810000] 1f60: 000ae190 00000000 c00093c4 00000000 c3a11fa4 c3a11f80 c004fdc4 c000859c
+[ 7.810000] 1f80: c3a11fa4 000ae190 00006a4f 00016eb8 000ad018 00000080 00000000 c3a11fa8
+[ 7.810000] 1fa0: c0009260 c004fd58 00006a4f 00016eb8 000ae190 00006a4f 000ae100 00000000
+[ 7.810000] 1fc0: 00006a4f 00016eb8 000ad018 00000080 000adba0 000ad208 00000000 000ad3d8
+[ 7.810000] 1fe0: beaf7ae8 beaf7ad8 000172b8 b6e4e940 20000010 000ae190 00000000 00000000
+[ 7.810000] Backtrace:
+[ 7.810000] [<c01392bc>] (__gpio_to_irq+0x0/0x40) from [<bf08f694>] (ohci_hcd_at91_overcurrent_irq+0x24/0xb4 [ohci_hcd])
+[ 7.810000] [<bf08f670>] (ohci_hcd_at91_overcurrent_irq+0x0/0xb4 [ohci_hcd]) from [<c0051264>] (handle_irq_event_percpu+0x38/0x1a8)
+[ 7.810000] r6:00000030 r5:c3806900 r4:c2c38b00
+[ 7.810000] [<c005122c>] (handle_irq_event_percpu+0x0/0x1a8) from [<c005142c>] (handle_irq_event+0x58/0x7c)
+[ 7.810000] [<c00513d4>] (handle_irq_event+0x0/0x7c) from [<c0053f24>] (handle_simple_irq+0xac/0xd8)
+[ 7.810000] r5:c3805a00 r4:c3806900
+[ 7.810000] [<c0053e78>] (handle_simple_irq+0x0/0xd8) from [<c005120c>] (generic_handle_irq+0x3c/0x48)
+[ 7.810000] r4:00000030
+[ 7.810000] [<c00511d0>] (generic_handle_irq+0x0/0x48) from [<c00124d0>] (gpio_irq_handler+0xa8/0xfc)
+[ 7.810000] r4:00000000
+[ 7.810000] [<c0012428>] (gpio_irq_handler+0x0/0xfc) from [<c005120c>] (generic_handle_irq+0x3c/0x48)
+[ 7.810000] [<c00511d0>] (generic_handle_irq+0x0/0x48) from [<c0009b08>] (handle_IRQ+0x64/0x88)
+[ 7.810000] r4:00000012
+[ 7.810000] [<c0009aa4>] (handle_IRQ+0x0/0x88) from [<c0008510>] (at91_aic_handle_irq+0x30/0x38)
+[ 7.810000] r5:60000013 r4:c00523fc
+[ 7.810000] [<c00084e0>] (at91_aic_handle_irq+0x0/0x38) from [<c0008eb4>] (__irq_svc+0x34/0x60)
+[ 7.810000] Exception stack(0xc3a11d60 to 0xc3a11da8)
+[ 7.810000] 1d60: 00000000 00000030 00000000 00000080 60000013 bf08f670 c3806900 c2c38b00
+[ 7.810000] 1d80: 00000030 c3806930 00000000 c3a11ddc c3a11d88 c3a11da8 c0054190 c00523fc
+[ 7.810000] 1da0: 60000013 ffffffff
+[ 7.810000] [<c00520c8>] (__setup_irq+0x0/0x458) from [<c0052764>] (request_threaded_irq+0xd8/0x134)
+[ 7.810000] [<c005268c>] (request_threaded_irq+0x0/0x134) from [<bf090978>] (ohci_hcd_at91_drv_probe+0x180/0x41c [ohci_hcd])
+[ 7.810000] [<bf0907f8>] (ohci_hcd_at91_drv_probe+0x0/0x41c [ohci_hcd]) from [<c0155b7c>] (platform_drv_probe+0x20/0x24)
+[ 7.810000] [<c0155b5c>] (platform_drv_probe+0x0/0x24) from [<c0154690>] (driver_probe_device+0xb8/0x20c)
+[ 7.810000] [<c01545d8>] (driver_probe_device+0x0/0x20c) from [<c015484c>] (__driver_attach+0x68/0x88)
+[ 7.810000] r7:c3a11ea0 r6:bf0911d0 r5:c02cc964 r4:c02cc930
+[ 7.810000] [<c01547e4>] (__driver_attach+0x0/0x88) from [<c0152e58>] (bus_for_each_dev+0x5c/0x9c)
+[ 7.810000] r6:bf0911d0 r5:c01547e4 r4:00000000
+[ 7.810000] [<c0152dfc>] (bus_for_each_dev+0x0/0x9c) from [<c01544c0>] (driver_attach+0x20/0x28)
+[ 7.810000] r7:c02d7518 r6:00000000 r5:bf0911d0 r4:c2c10540
+[ 7.810000] [<c01544a0>] (driver_attach+0x0/0x28) from [<c01536cc>] (bus_add_driver+0xb4/0x22c)
+[ 7.810000] [<c0153618>] (bus_add_driver+0x0/0x22c) from [<c0154e9c>] (driver_register+0xa8/0x144)
+[ 7.810000] r7:00000000 r6:bf0911d0 r5:bf09120c r4:bf049af0
+[ 7.810000] [<c0154df4>] (driver_register+0x0/0x144) from [<c0155f58>] (platform_driver_register+0x4c/0x60)
+[ 7.810000] r7:00000000 r6:000ae190 r5:bf09120c r4:bf049af0
+[ 7.810000] [<c0155f0c>] (platform_driver_register+0x0/0x60) from [<bf093054>] (ohci_hcd_mod_init+0x54/0x8c [ohci_hcd])
+[ 7.810000] [<bf093000>] (ohci_hcd_mod_init+0x0/0x8c [ohci_hcd]) from [<c0008638>] (do_one_initcall+0xac/0x174)
+[ 7.810000] r4:00006a4f
+[ 7.810000] [<c000858c>] (do_one_initcall+0x0/0x174) from [<c004fdc4>] (sys_init_module+0x7c/0x1a0)
+[ 7.810000] [<c004fd48>] (sys_init_module+0x0/0x1a0) from [<c0009260>] (ret_fast_syscall+0x0/0x2c)
+[ 7.810000] r7:00000080 r6:000ad018 r5:00016eb8 r4:00006a4f
+[ 7.810000] Code: e24cb004 e59f3028 e1a02000 e7930180 (e5903028)
+[ 7.810000] ---[ end trace 85aa37ed128143b5 ]---
+[ 7.810000] Kernel panic - not syncing: Fatal exception in interrupt
+
+Commit 6fffb77c (USB: ohci-at91: fix PIO handling in relation with number of
+ports) started setting unused pins to EINVAL. But this exposed a bug in the
+ohci_hcd_at91_overcurrent_irq function where the gpio was used without being
+checked to see if it is valid.
+
+This patches fixed the issue by adding the gpio valid check.
+
+Signed-off-by: Joachim Eastwood <joachim.eastwood@jotron.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-at91.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-at91.c
++++ b/drivers/usb/host/ohci-at91.c
+@@ -467,7 +467,8 @@ static irqreturn_t ohci_hcd_at91_overcur
+ /* From the GPIO notifying the over-current situation, find
+ * out the corresponding port */
+ at91_for_each_port(port) {
+- if (gpio_to_irq(pdata->overcurrent_pin[port]) == irq) {
++ if (gpio_is_valid(pdata->overcurrent_pin[port]) &&
++ gpio_to_irq(pdata->overcurrent_pin[port]) == irq) {
+ gpio = pdata->overcurrent_pin[port];
+ break;
+ }
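Review bot: The added `gpio_is_valid(pdata->overcurrent_pin[port])` guard has no comment explaining why a port can carry an invalid pin. The commit message says unused pins are set to EINVAL, and that belongs next to the check, e.g. `/* unused ports hold an invalid pin number; skip them before gpio_to_irq() */`. With invalid entries now skipped, the case where no port matches `irq` becomes more likely to occur. The code after the loop is outside the hunk, so it should be confirmed that `gpio` is not used uninitialised on that path.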
--- /dev/null
+From 68c4fce737c4b963e336435f225621dc21138397 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun, 23 Sep 2012 19:33:55 +0300
+Subject: vmwgfx: corruption in vmw_event_fence_action_create()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 68c4fce737c4b963e336435f225621dc21138397 upstream.
+
+We don't allocate enough data for this struct. As soon as we start
+modifying event->event on the next lines, then we're going beyond the
+end of the memory we allocated.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Dave Airlie <airlied@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+@@ -1018,7 +1018,7 @@ int vmw_event_fence_action_create(struct
+ }
+
+
+- event = kzalloc(sizeof(event->event), GFP_KERNEL);
++ event = kzalloc(sizeof(*event), GFP_KERNEL);
+ if (unlikely(event == NULL)) {
+ DRM_ERROR("Failed to allocate an event.\n");
+ ret = -ENOMEM;
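Review bot: The corrected `kzalloc(sizeof(*event), GFP_KERNEL)` differs from the old call only by which object is sized, and the two spellings are easy to confuse again. A short comment would guard against a regression to the undersized allocation, e.g. `/* allocate the whole wrapper, not just the embedded event->event */`. If code further down in vmw_event_fence_action_create() also uses `sizeof(event->event)`, for instance as a payload length, that use should be kept distinct from the allocation size. Those lines are outside the hunk.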