--- /dev/null
+From 34c3d1926bdaf45d3a891dd577482abcdd9faa34 Mon Sep 17 00:00:00 2001
+From: David Henningsson <david.henningsson@canonical.com>
+Date: Wed, 21 Nov 2012 10:03:10 +0100
+Subject: ALSA: hda - Cirrus: Correctly clear line_out_pins when moving to speaker
+
+From: David Henningsson <david.henningsson@canonical.com>
+
+commit 34c3d1926bdaf45d3a891dd577482abcdd9faa34 upstream.
+
+If this array is not cleared, the jack related code later might
+fail to create "Internal Speaker Phantom Jack" on Dell Inspiron 3420 and
+Dell Vostro 2420.
+
+BugLink: https://bugs.launchpad.net/bugs/1076840
+Signed-off-by: David Henningsson <david.henningsson@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -413,6 +413,7 @@ static int parse_output(struct hda_codec
+ memcpy(cfg->speaker_pins, cfg->line_out_pins,
+ sizeof(cfg->speaker_pins));
+ cfg->line_outs = 0;
++ memset(cfg->line_out_pins, 0, sizeof(cfg->line_out_pins));
+ }
+
+ return 0;
--- /dev/null
+From e99ddfde6ae0dd2662bb40435696002b590e4057 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Wed, 31 Oct 2012 16:35:30 +0100
+Subject: ALSA: ua101, usx2y: fix broken MIDI output
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit e99ddfde6ae0dd2662bb40435696002b590e4057 upstream.
+
+Commit 88a8516a2128 (ALSA: usbaudio: implement USB autosuspend) added
+autosuspend code to all files making up the snd-usb-audio driver.
+However, midi.c is part of snd-usb-lib and is also used by other
+drivers, not all of which support autosuspend. Thus, calls to
+usb_autopm_get_interface() could fail, and this unexpected error would
+result in the MIDI output being completely unusable.
+
+Make it work by ignoring the error that is expected with drivers that do
+not support autosuspend.
+
+Reported-by: Colin Fletcher <colin.m.fletcher@googlemail.com>
+Reported-by: Devin Venable <venable.devin@gmail.com>
+Reported-by: Dr Nick Bailey <nicholas.bailey@glasgow.ac.uk>
+Reported-by: Jannis Achstetter <jannis_achstetter@web.de>
+Reported-by: Rui Nuno Capela <rncbc@rncbc.org>
+Cc: Oliver Neukum <oliver@neukum.org>
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/midi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -147,6 +147,7 @@ struct snd_usb_midi_out_endpoint {
+ struct snd_usb_midi_out_endpoint* ep;
+ struct snd_rawmidi_substream *substream;
+ int active;
++ bool autopm_reference;
+ uint8_t cable; /* cable number << 4 */
+ uint8_t state;
+ #define STATE_UNKNOWN 0
+@@ -1059,7 +1060,8 @@ static int snd_usbmidi_output_open(struc
+ return -ENXIO;
+ }
+ err = usb_autopm_get_interface(umidi->iface);
+- if (err < 0)
++ port->autopm_reference = err >= 0;
++ if (err < 0 && err != -EACCES)
+ return -EIO;
+ substream->runtime->private_data = port;
+ port->state = STATE_UNKNOWN;
+@@ -1070,9 +1072,11 @@ static int snd_usbmidi_output_open(struc
+ static int snd_usbmidi_output_close(struct snd_rawmidi_substream *substream)
+ {
+ struct snd_usb_midi* umidi = substream->rmidi->private_data;
++ struct usbmidi_out_port *port = substream->runtime->private_data;
+
+ substream_open(substream, 0);
+- usb_autopm_put_interface(umidi->iface);
++ if (port->autopm_reference)
++ usb_autopm_put_interface(umidi->iface);
+ return 0;
+ }
+
--- /dev/null
+From a8c32a5c98943d370ea606a2e7dc04717eb92206 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 6 Nov 2012 12:24:26 +0100
+Subject: dm: fix deadlock with request based dm and queue request_fn recursion
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit a8c32a5c98943d370ea606a2e7dc04717eb92206 upstream.
+
+Request based dm attempts to re-run the request queue off the
+request completion path. If used with a driver that potentially does
+end_io from its request_fn, we could deadlock trying to recurse
+back into request dispatch. Fix this by punting the request queue
+run to kblockd.
+
+Tested to fix a quickly reproducible deadlock in such a scenario.
+
+Acked-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -745,8 +745,14 @@ static void rq_completed(struct mapped_d
+ if (!md_in_flight(md))
+ wake_up(&md->wait);
+
++ /*
++ * Run this off this callpath, as drivers could invoke end_io while
++ * inside their request_fn (and holding the queue lock). Calling
++ * back into ->request_fn() could deadlock attempting to grab the
++ * queue lock again.
++ */
+ if (run_queue)
+- blk_run_queue(md->queue);
++ blk_run_queue_async(md->queue);
+
+ /*
+ * dm_put() must be at the end of this function. See the comment above
--- /dev/null
+From aa10990e028cac3d5e255711fb9fb47e00700e35 Mon Sep 17 00:00:00 2001
+From: Darren Hart <dvhart@linux.intel.com>
+Date: Mon, 26 Nov 2012 16:29:56 -0800
+Subject: futex: avoid wake_futex() for a PI futex_q
+
+From: Darren Hart <dvhart@linux.intel.com>
+
+commit aa10990e028cac3d5e255711fb9fb47e00700e35 upstream.
+
+Dave Jones reported a bug with futex_lock_pi() that his trinity test
+exposed. Sometime between queue_me() and taking the q.lock_ptr, the
+lock_ptr became NULL, resulting in a crash.
+
+While futex_wake() is careful to not call wake_futex() on futex_q's with
+a pi_state or an rt_waiter (which are either waiting for a
+futex_unlock_pi() or a PI futex_requeue()), futex_wake_op() and
+futex_requeue() do not perform the same test.
+
+Update futex_wake_op() and futex_requeue() to test for q.pi_state and
+q.rt_waiter and abort with -EINVAL if detected. To ensure any future
+breakage is caught, add a WARN() to wake_futex() if the same condition
+is true.
+
+This fix has seen 3 hours of testing with "trinity -c futex" on an
+x86_64 VM with 4 CPUS.
+
+[akpm@linux-foundation.org: tidy up the WARN()]
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Reported-by: Dave Jones <davej@redat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: John Kacur <jkacur@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -843,6 +843,9 @@ static void wake_futex(struct futex_q *q
+ {
+ struct task_struct *p = q->task;
+
++ if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
++ return;
++
+ /*
+ * We set q->lock_ptr = NULL _before_ we wake up the task. If
+ * a non-futex wake up happens on another CPU then the task
+@@ -1078,6 +1081,10 @@ retry_private:
+
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key1)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++ret >= nr_wake)
+ break;
+@@ -1090,6 +1097,10 @@ retry_private:
+ op_ret = 0;
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key2)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++op_ret >= nr_wake2)
+ break;
+@@ -1098,6 +1109,7 @@ retry_private:
+ ret += op_ret;
+ }
+
++out_unlock:
+ double_unlock_hb(hb1, hb2);
+ out_put_keys:
+ put_futex_key(&key2);
+@@ -1387,9 +1399,13 @@ retry_private:
+ /*
+ * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
+ * be paired with each other and no other futex ops.
++ *
++ * We should never be requeueing a futex_q with a pi_state,
++ * which is awaiting a futex_unlock_pi().
+ */
+ if ((requeue_pi && !this->rt_waiter) ||
+- (!requeue_pi && this->rt_waiter)) {
++ (!requeue_pi && this->rt_waiter) ||
++ this->pi_state) {
+ ret = -EINVAL;
+ break;
+ }
--- /dev/null
+From b78a4932f5fb11fadf41e69c606a33fa6787574c Mon Sep 17 00:00:00 2001
+From: Simon Wunderlich <simon.wunderlich@s2003.tu-chemnitz.de>
+Date: Tue, 13 Nov 2012 18:43:03 +0100
+Subject: mac80211: deinitialize ibss-internals after emptiness check
+
+From: Simon Wunderlich <simon.wunderlich@s2003.tu-chemnitz.de>
+
+commit b78a4932f5fb11fadf41e69c606a33fa6787574c upstream.
+
+The check whether the IBSS is active and can be removed should be
+performed before deinitializing the fields used for the check/search.
+Otherwise, the configured BSS will not be found and removed properly.
+
+To make it more clear for the future, rename sdata->u.ibss to the
+local pointer ifibss which is used within the checks.
+
+This behaviour was introduced by
+f3209bea110cade12e2b133da8b8499689cb0e2e
+("mac80211: fix IBSS teardown race")
+
+Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
+Cc: Ignacy Gawedzki <i@lri.fr>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/ibss.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -965,10 +965,6 @@ int ieee80211_ibss_leave(struct ieee8021
+
+ mutex_lock(&sdata->u.ibss.mtx);
+
+- sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+- memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
+- sdata->u.ibss.ssid_len = 0;
+-
+ active_ibss = ieee80211_sta_active_ibss(sdata);
+
+ if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
+@@ -989,6 +985,10 @@ int ieee80211_ibss_leave(struct ieee8021
+ }
+ }
+
++ ifibss->state = IEEE80211_IBSS_MLME_SEARCH;
++ memset(ifibss->bssid, 0, ETH_ALEN);
++ ifibss->ssid_len = 0;
++
+ sta_info_flush(sdata->local, sdata);
+
+ /* remove beacon */
--- /dev/null
+From c36a7ff4578ab6294885aef5ef241aeec4cdb1f0 Mon Sep 17 00:00:00 2001
+From: Jiri Engelthaler <engycz@gmail.com>
+Date: Thu, 20 Sep 2012 16:49:50 +0200
+Subject: mtd: slram: invalid checking of absolute end address
+
+From: Jiri Engelthaler <engycz@gmail.com>
+
+commit c36a7ff4578ab6294885aef5ef241aeec4cdb1f0 upstream.
+
+Fixed parsing end absolute address.
+
+Signed-off-by: Jiri Engelthaler <engycz@gmail.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/devices/slram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -266,7 +266,7 @@ static int parse_cmdline(char *devname,
+
+ if (*(szlength) != '+') {
+ devlength = simple_strtoul(szlength, &buffer, 0);
+- devlength = handle_unit(devlength, buffer) - devstart;
++ devlength = handle_unit(devlength, buffer);
+ if (devlength < devstart)
+ goto err_out;
+
--- /dev/null
+From dd321acddc3be1371263b8c9e6c6f2af89f63d57 Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Thu, 15 Nov 2012 15:58:48 -0800
+Subject: mwifiex: report error to MMC core if we cannot suspend
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit dd321acddc3be1371263b8c9e6c6f2af89f63d57 upstream.
+
+When host_sleep_config command fails we should return error to
+MMC core to indicate the failure for our device.
+
+The misspelled variable is also removed as it's redundant.
+
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/sdio.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -122,7 +122,6 @@ static int mwifiex_sdio_suspend(struct d
+ struct sdio_mmc_card *card;
+ struct mwifiex_adapter *adapter;
+ mmc_pm_flag_t pm_flag = 0;
+- int hs_actived = 0;
+ int i;
+ int ret = 0;
+
+@@ -149,12 +148,14 @@ static int mwifiex_sdio_suspend(struct d
+ adapter = card->adapter;
+
+ /* Enable the Host Sleep */
+- hs_actived = mwifiex_enable_hs(adapter);
+- if (hs_actived) {
+- pr_debug("cmd: suspend with MMC_PM_KEEP_POWER\n");
+- ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++ if (!mwifiex_enable_hs(adapter)) {
++ dev_err(adapter->dev, "cmd: failed to suspend\n");
++ return -EFAULT;
+ }
+
++ dev_dbg(adapter->dev, "cmd: suspend with MMC_PM_KEEP_POWER\n");
++ ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++
+ /* Indicate device suspended */
+ adapter->is_suspended = true;
+
--- /dev/null
+From 441a179dafc0f99fc8b3a8268eef66958621082e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed, 21 Nov 2012 19:27:23 +0000
+Subject: PARISC: fix user-triggerable panic on parisc
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 441a179dafc0f99fc8b3a8268eef66958621082e upstream.
+
+int sys32_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset,
+ unsigned int sigsetsize)
+{
+ sigset_t old_set, new_set;
+ int ret;
+
+ if (set && get_sigset32(set, &new_set, sigsetsize))
+
+...
+static int
+get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
+{
+ compat_sigset_t s;
+ int r;
+
+ if (sz != sizeof *set) panic("put_sigset32()");
+
+In other words, rt_sigprocmask(69, (void *)69, 69) done by 32bit process
+will promptly panic the box.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/signal32.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/signal32.c
++++ b/arch/parisc/kernel/signal32.c
+@@ -67,7 +67,8 @@ put_sigset32(compat_sigset_t __user *up,
+ {
+ compat_sigset_t s;
+
+- if (sz != sizeof *set) panic("put_sigset32()");
++ if (sz != sizeof *set)
++ return -EINVAL;
+ sigset_64to32(&s, set);
+
+ return copy_to_user(up, &s, sizeof s);
+@@ -79,7 +80,8 @@ get_sigset32(compat_sigset_t __user *up,
+ compat_sigset_t s;
+ int r;
+
+- if (sz != sizeof *set) panic("put_sigset32()");
++ if (sz != sizeof *set)
++ return -EINVAL;
+
+ if ((r = copy_from_user(&s, up, sz)) == 0) {
+ sigset_32to64(set, &s);
--- /dev/null
+From 949a05d03490e39e773e8652ccab9157e6f595b4 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 2 Nov 2012 12:30:53 +0000
+Subject: PARISC: fix virtual aliasing issue in get_shared_area()
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 949a05d03490e39e773e8652ccab9157e6f595b4 upstream.
+
+On Thu, 2012-11-01 at 16:45 -0700, Michel Lespinasse wrote:
+> Looking at the arch/parisc/kernel/sys_parisc.c implementation of
+> get_shared_area(), I do have a concern though. The function basically
+> ignores the pgoff argument, so that if one creates a shared mapping of
+> pages 0-N of a file, and then a separate shared mapping of pages 1-N
+> of that same file, both will have the same cache offset for their
+> starting address.
+>
+> This looks like this would create obvious aliasing issues. Am I
+> misreading this ? I can't understand how this could work good enough
+> to be undetected, so there must be something I'm missing here ???
+
+This turns out to be correct and we need to pay attention to the pgoff as
+well as the address when creating the virtual address for the area.
+Fortunately, the bug is rarely triggered as most applications which use pgoff
+tend to use large values (git being the primary one, and it uses pgoff in
+multiples of 16MB) which are larger than our cache coherency modulus, so the
+problem isn't often seen in practise.
+
+Reported-by: Michel Lespinasse <walken@google.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/sys_parisc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/parisc/kernel/sys_parisc.c
++++ b/arch/parisc/kernel/sys_parisc.c
+@@ -73,6 +73,8 @@ static unsigned long get_shared_area(str
+ struct vm_area_struct *vma;
+ int offset = mapping ? get_offset(mapping) : 0;
+
++ offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000;
++
+ addr = DCACHE_ALIGN(addr - offset) + offset;
+
+ for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
--- /dev/null
+From 45171002b01b2e2ec4f991eca81ffd8430fd0aec Mon Sep 17 00:00:00 2001
+From: Paul Bolle <pebolle@tiscali.nl>
+Date: Mon, 19 Nov 2012 21:17:31 +0100
+Subject: radeon: add AGPMode 1 quirk for RV250
+
+From: Paul Bolle <pebolle@tiscali.nl>
+
+commit 45171002b01b2e2ec4f991eca81ffd8430fd0aec upstream.
+
+The Intel 82855PM host bridge / Mobility FireGL 9000 RV250 combination
+in an (outdated) ThinkPad T41 needs AGPMode 1 for suspend/resume (under
+KMS, that is). So add a quirk for it.
+
+(Change R250 to RV250 in comment for preceding quirk too.)
+
+Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_agp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_agp.c
++++ b/drivers/gpu/drm/radeon/radeon_agp.c
+@@ -70,9 +70,12 @@ static struct radeon_agpmode_quirk radeo
+ /* Intel 82830 830 Chipset Host Bridge / Mobility M6 LY Needs AGPMode 2 (fdo #17360)*/
+ { PCI_VENDOR_ID_INTEL, 0x3575, PCI_VENDOR_ID_ATI, 0x4c59,
+ PCI_VENDOR_ID_DELL, 0x00e3, 2},
+- /* Intel 82852/82855 host bridge / Mobility FireGL 9000 R250 Needs AGPMode 1 (lp #296617) */
++ /* Intel 82852/82855 host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 (lp #296617) */
+ { PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4c66,
+ PCI_VENDOR_ID_DELL, 0x0149, 1},
++ /* Intel 82855PM host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 for suspend/resume */
++ { PCI_VENDOR_ID_INTEL, 0x3340, PCI_VENDOR_ID_ATI, 0x4c66,
++ PCI_VENDOR_ID_IBM, 0x0531, 1},
+ /* Intel 82852/82855 host bridge / Mobility 9600 M10 RV350 Needs AGPMode 1 (deb #467460) */
+ { PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4e50,
+ 0x1025, 0x0061, 1},
--- /dev/null
+From a485e827f07bfdd0762059386e6e787bed6e81ee Mon Sep 17 00:00:00 2001
+From: Albert Pool <albertpool@solcon.nl>
+Date: Tue, 30 Oct 2012 20:58:06 +0100
+Subject: rtlwifi: rtl8192cu: Add new USB ID
+
+From: Albert Pool <albertpool@solcon.nl>
+
+commit a485e827f07bfdd0762059386e6e787bed6e81ee upstream.
+
+This is an ISY IWL 2000. Probably a clone of Belkin F7D1102 050d:1102.
+Its FCC ID is the same.
+
+Signed-off-by: Albert Pool <albertpool@solcon.nl>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -295,6 +295,7 @@ static struct usb_device_id rtl8192c_usb
+ /*=== Customer ID ===*/
+ /****** 8188CU ********/
+ {RTL_USB_DEVICE(0x050d, 0x1102, rtl92cu_hal_cfg)}, /*Belkin - Edimax*/
++ {RTL_USB_DEVICE(0x050d, 0x11f2, rtl92cu_hal_cfg)}, /*Belkin - ISY*/
+ {RTL_USB_DEVICE(0x06f8, 0xe033, rtl92cu_hal_cfg)}, /*Hercules - Edimax*/
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
--- /dev/null
+From 49bd665c5407a453736d3232ee58f2906b42e83c Mon Sep 17 00:00:00 2001
+From: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Date: Mon, 15 Oct 2012 14:29:03 +0200
+Subject: SCSI: isci: copy fis 0x34 response into proper buffer
+
+From: Maciej Patelczyk <maciej.patelczyk@intel.com>
+
+commit 49bd665c5407a453736d3232ee58f2906b42e83c upstream.
+
+SATA MICROCODE DOWNALOAD fails on isci driver. After receiving Register
+Device to Host (FIS 0x34) frame Initiator resets phy.
+In the frame handler routine response (FIS 0x34) was copied into wrong
+buffer and upper layer did not receive any answer which resulted in
+timeout and reset.
+This patch corrects this bug.
+
+Signed-off-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Signed-off-by: Lukasz Dorau <lukasz.dorau@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/isci/request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -1693,7 +1693,7 @@ sci_io_request_frame_handler(struct isci
+ frame_index,
+ (void **)&frame_buffer);
+
+- sci_controller_copy_sata_response(&ireq->stp.req,
++ sci_controller_copy_sata_response(&ireq->stp.rsp,
+ frame_header,
+ frame_buffer);
+
drivers-block-dac960-fix-wuninitialized-warning.patch
riva-fbdev-fix-several-wuninitialized.patch
ifenslave-fix-unused-variable-warnings.patch
+x86-32-fix-invalid-stack-address-while-in-softirq.patch
+x86-microcode-amd-add-support-for-family-16h-processors.patch
+rtlwifi-rtl8192cu-add-new-usb-id.patch
+mwifiex-report-error-to-mmc-core-if-we-cannot-suspend.patch
+scsi-isci-copy-fis-0x34-response-into-proper-buffer.patch
+alsa-ua101-usx2y-fix-broken-midi-output.patch
+alsa-hda-cirrus-correctly-clear-line_out_pins-when-moving-to-speaker.patch
+parisc-fix-virtual-aliasing-issue-in-get_shared_area.patch
+parisc-fix-user-triggerable-panic-on-parisc.patch
+mtd-slram-invalid-checking-of-absolute-end-address.patch
+dm-fix-deadlock-with-request-based-dm-and-queue-request_fn-recursion.patch
+futex-avoid-wake_futex-for-a-pi-futex_q.patch
+mac80211-deinitialize-ibss-internals-after-emptiness-check.patch
+radeon-add-agpmode-1-quirk-for-rv250.patch
--- /dev/null
+From 1022623842cb72ee4d0dbf02f6937f38c92c3f41 Mon Sep 17 00:00:00 2001
+From: Robert Richter <robert.richter@amd.com>
+Date: Mon, 3 Sep 2012 20:54:48 +0200
+Subject: x86-32: Fix invalid stack address while in softirq
+
+From: Robert Richter <robert.richter@amd.com>
+
+commit 1022623842cb72ee4d0dbf02f6937f38c92c3f41 upstream.
+
+In 32 bit the stack address provided by kernel_stack_pointer() may
+point to an invalid range causing NULL pointer access or page faults
+while in NMI (see trace below). This happens if called in softirq
+context and if the stack is empty. The address at ®s->sp is then
+out of range.
+
+Fixing this by checking if regs and ®s->sp are in the same stack
+context. Otherwise return the previous stack pointer stored in struct
+thread_info. If that address is invalid too, return address of regs.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000a
+ IP: [<c1004237>] print_context_stack+0x6e/0x8d
+ *pde = 00000000
+ Oops: 0000 [#1] SMP
+ Modules linked in:
+ Pid: 4434, comm: perl Not tainted 3.6.0-rc3-oprofile-i386-standard-g4411a05 #4 Hewlett-Packard HP xw9400 Workstation/0A1Ch
+ EIP: 0060:[<c1004237>] EFLAGS: 00010093 CPU: 0
+ EIP is at print_context_stack+0x6e/0x8d
+ EAX: ffffe000 EBX: 0000000a ECX: f4435f94 EDX: 0000000a
+ ESI: f4435f94 EDI: f4435f94 EBP: f5409ec0 ESP: f5409ea0
+ DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+ CR0: 8005003b CR2: 0000000a CR3: 34ac9000 CR4: 000007d0
+ DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+ DR6: ffff0ff0 DR7: 00000400
+ Process perl (pid: 4434, ti=f5408000 task=f5637850 task.ti=f4434000)
+ Stack:
+ 000003e8 ffffe000 00001ffc f4e39b00 00000000 0000000a f4435f94 c155198c
+ f5409ef0 c1003723 c155198c f5409f04 00000000 f5409edc 00000000 00000000
+ f5409ee8 f4435f94 f5409fc4 00000001 f5409f1c c12dce1c 00000000 c155198c
+ Call Trace:
+ [<c1003723>] dump_trace+0x7b/0xa1
+ [<c12dce1c>] x86_backtrace+0x40/0x88
+ [<c12db712>] ? oprofile_add_sample+0x56/0x84
+ [<c12db731>] oprofile_add_sample+0x75/0x84
+ [<c12ddb5b>] op_amd_check_ctrs+0x46/0x260
+ [<c12dd40d>] profile_exceptions_notify+0x23/0x4c
+ [<c1395034>] nmi_handle+0x31/0x4a
+ [<c1029dc5>] ? ftrace_define_fields_irq_handler_entry+0x45/0x45
+ [<c13950ed>] do_nmi+0xa0/0x2ff
+ [<c1029dc5>] ? ftrace_define_fields_irq_handler_entry+0x45/0x45
+ [<c13949e5>] nmi_stack_correct+0x28/0x2d
+ [<c1029dc5>] ? ftrace_define_fields_irq_handler_entry+0x45/0x45
+ [<c1003603>] ? do_softirq+0x4b/0x7f
+ <IRQ>
+ [<c102a06f>] irq_exit+0x35/0x5b
+ [<c1018f56>] smp_apic_timer_interrupt+0x6c/0x7a
+ [<c1394746>] apic_timer_interrupt+0x2a/0x30
+ Code: 89 fe eb 08 31 c9 8b 45 0c ff 55 ec 83 c3 04 83 7d 10 00 74 0c 3b 5d 10 73 26 3b 5d e4 73 0c eb 1f 3b 5d f0 76 1a 3b 5d e8 73 15 <8b> 13 89 d0 89 55 e0 e8 ad 42 03 00 85 c0 8b 55 e0 75 a6 eb cc
+ EIP: [<c1004237>] print_context_stack+0x6e/0x8d SS:ESP 0068:f5409ea0
+ CR2: 000000000000000a
+ ---[ end trace 62afee3481b00012 ]---
+ Kernel panic - not syncing: Fatal exception in interrupt
+
+V2:
+* add comments to kernel_stack_pointer()
+* always return a valid stack address by falling back to the address
+ of regs
+
+Reported-by: Yang Wei <wei.yang@windriver.com>
+Signed-off-by: Robert Richter <robert.richter@amd.com>
+Link: http://lkml.kernel.org/r/20120912135059.GZ8285@erda.amd.com
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: Jun Zhang <jun.zhang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/ptrace.h | 15 ++++-----------
+ arch/x86/kernel/ptrace.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/asm/ptrace.h
++++ b/arch/x86/include/asm/ptrace.h
+@@ -187,21 +187,14 @@ static inline int v8086_mode(struct pt_r
+ #endif
+ }
+
+-/*
+- * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode
+- * when it traps. The previous stack will be directly underneath the saved
+- * registers, and 'sp/ss' won't even have been saved. Thus the '®s->sp'.
+- *
+- * This is valid only for kernel mode traps.
+- */
+-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+-{
+ #ifdef CONFIG_X86_32
+- return (unsigned long)(®s->sp);
++extern unsigned long kernel_stack_pointer(struct pt_regs *regs);
+ #else
++static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
++{
+ return regs->sp;
+-#endif
+ }
++#endif
+
+ #define GET_IP(regs) ((regs)->ip)
+ #define GET_FP(regs) ((regs)->bp)
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -164,6 +164,34 @@ static inline bool invalid_selector(u16
+
+ #define FLAG_MASK FLAG_MASK_32
+
++/*
++ * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode
++ * when it traps. The previous stack will be directly underneath the saved
++ * registers, and 'sp/ss' won't even have been saved. Thus the '®s->sp'.
++ *
++ * Now, if the stack is empty, '®s->sp' is out of range. In this
++ * case we try to take the previous stack. To always return a non-null
++ * stack pointer we fall back to regs as stack if no previous stack
++ * exists.
++ *
++ * This is valid only for kernel mode traps.
++ */
++unsigned long kernel_stack_pointer(struct pt_regs *regs)
++{
++ unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1);
++ unsigned long sp = (unsigned long)®s->sp;
++ struct thread_info *tinfo;
++
++ if (context == (sp & ~(THREAD_SIZE - 1)))
++ return sp;
++
++ tinfo = (struct thread_info *)context;
++ if (tinfo->previous_esp)
++ return tinfo->previous_esp;
++
++ return (unsigned long)regs;
++}
++
+ static unsigned long *pt_regs_access(struct pt_regs *regs, unsigned long regno)
+ {
+ BUILD_BUG_ON(offsetof(struct pt_regs, bx) != 0);
--- /dev/null
+From 36c46ca4f322a7bf89aad5462a3a1f61713edce7 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@amd.com>
+Date: Thu, 15 Nov 2012 13:41:50 -0500
+Subject: x86, microcode, AMD: Add support for family 16h processors
+
+From: Boris Ostrovsky <boris.ostrovsky@amd.com>
+
+commit 36c46ca4f322a7bf89aad5462a3a1f61713edce7 upstream.
+
+Add valid patch size for family 16h processors.
+
+[ hpa: promoting to urgent/stable since it is hw enabling and trivial ]
+
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
+Acked-by: Andreas Herrmann <herrmann.der.user@googlemail.com>
+Link: http://lkml.kernel.org/r/1353004910-2204-1-git-send-email-boris.ostrovsky@amd.com
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/microcode_amd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/microcode_amd.c
++++ b/arch/x86/kernel/microcode_amd.c
+@@ -162,6 +162,7 @@ static unsigned int verify_ucode_size(in
+ #define F1XH_MPB_MAX_SIZE 2048
+ #define F14H_MPB_MAX_SIZE 1824
+ #define F15H_MPB_MAX_SIZE 4096
++#define F16H_MPB_MAX_SIZE 3458
+
+ switch (c->x86) {
+ case 0x14:
+@@ -170,6 +171,9 @@ static unsigned int verify_ucode_size(in
+ case 0x15:
+ max_size = F15H_MPB_MAX_SIZE;
+ break;
++ case 0x16:
++ max_size = F16H_MPB_MAX_SIZE;
++ break;
+ default:
+ max_size = F1XH_MPB_MAX_SIZE;
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
