--- /dev/null
+From 2d838bb608e2d1f6cb4280e76748cb812dc822e7 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 26 Sep 2012 12:32:02 -0500
+Subject: b43legacy: Fix crash on unload when firmware not available
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 2d838bb608e2d1f6cb4280e76748cb812dc822e7 upstream.
+
+When b43legacy is loaded without the firmware being available, a following
+unload generates a kernel NULL pointer dereference BUG as follows:
+
+[ 214.330789] BUG: unable to handle kernel NULL pointer dereference at 0000004c
+[ 214.330997] IP: [<c104c395>] drain_workqueue+0x15/0x170
+[ 214.331179] *pde = 00000000
+[ 214.331311] Oops: 0000 [#1] SMP
+[ 214.331471] Modules linked in: b43legacy(-) ssb pcmcia mac80211 cfg80211 af_packet mperf arc4 ppdev sr_mod cdrom sg shpchp yenta_socket pcmcia_rsrc pci_hotplug pcmcia_core battery parport_pc parport floppy container ac button edd autofs4 ohci_hcd ehci_hcd usbcore usb_common thermal processor scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_dh fan thermal_sys hwmon ata_generic pata_ali libata [last unloaded: cfg80211]
+[ 214.333421] Pid: 3639, comm: modprobe Not tainted 3.6.0-rc6-wl+ #163 Source Technology VIC 9921/ALI Based Notebook
+[ 214.333580] EIP: 0060:[<c104c395>] EFLAGS: 00010246 CPU: 0
+[ 214.333687] EIP is at drain_workqueue+0x15/0x170
+[ 214.333788] EAX: c162ac40 EBX: cdfb8360 ECX: 0000002a EDX: 00002a2a
+[ 214.333890] ESI: 00000000 EDI: 00000000 EBP: cd767e7c ESP: cd767e5c
+[ 214.333957] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+[ 214.333957] CR0: 8005003b CR2: 0000004c CR3: 0c96a000 CR4: 00000090
+[ 214.333957] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+[ 214.333957] DR6: ffff0ff0 DR7: 00000400
+[ 214.333957] Process modprobe (pid: 3639, ti=cd766000 task=cf802e90 task.ti=cd766000)
+[ 214.333957] Stack:
+[ 214.333957] 00000292 cd767e74 c12c5e09 00000296 00000296 cdfb8360 cdfb9220 00000000
+[ 214.333957] cd767e90 c104c4fd cdfb8360 cdfb9220 cd682800 cd767ea4 d0c10184 cd682800
+[ 214.333957] cd767ea4 cba31064 cd767eb8 d0867908 cba31064 d087e09c cd96f034 cd767ec4
+[ 214.333957] Call Trace:
+[ 214.333957] [<c12c5e09>] ? skb_dequeue+0x49/0x60
+[ 214.333957] [<c104c4fd>] destroy_workqueue+0xd/0x150
+[ 214.333957] [<d0c10184>] ieee80211_unregister_hw+0xc4/0x100 [mac80211]
+[ 214.333957] [<d0867908>] b43legacy_remove+0x78/0x80 [b43legacy]
+[ 214.333957] [<d083654d>] ssb_device_remove+0x1d/0x30 [ssb]
+[ 214.333957] [<c126f15a>] __device_release_driver+0x5a/0xb0
+[ 214.333957] [<c126fb07>] driver_detach+0x87/0x90
+[ 214.333957] [<c126ef4c>] bus_remove_driver+0x6c/0xe0
+[ 214.333957] [<c1270120>] driver_unregister+0x40/0x70
+[ 214.333957] [<d083686b>] ssb_driver_unregister+0xb/0x10 [ssb]
+[ 214.333957] [<d087c488>] b43legacy_exit+0xd/0xf [b43legacy]
+[ 214.333957] [<c1089dde>] sys_delete_module+0x14e/0x2b0
+[ 214.333957] [<c110a4a7>] ? vfs_write+0xf7/0x150
+[ 214.333957] [<c1240050>] ? tty_write_lock+0x50/0x50
+[ 214.333957] [<c110a6f8>] ? sys_write+0x38/0x70
+[ 214.333957] [<c1397c55>] syscall_call+0x7/0xb
+[ 214.333957] Code: bc 27 00 00 00 00 a1 74 61 56 c1 55 89 e5 e8 a3 fc ff ff 5d c3 90 55 89 e5 57 56 89 c6 53 b8 40 ac 62 c1 83 ec 14 e8 bb b7 34 00 <8b> 46 4c 8d 50 01 85 c0 89 56 4c 75 03 83 0e 40 80 05 40 ac 62
+[ 214.333957] EIP: [<c104c395>] drain_workqueue+0x15/0x170 SS:ESP 0068:cd767e5c
+[ 214.333957] CR2: 000000000000004c
+[ 214.341110] ---[ end trace c7e90ec026d875a6 ]---Index: wireless-testing/drivers/net/wireless/b43legacy/main.c
+
+The problem is fixed by making certain that the ucode pointer is not NULL
+before deregistering the driver in mac80211.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/b43legacy/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/b43legacy/main.c
++++ b/drivers/net/wireless/b43legacy/main.c
+@@ -3843,6 +3843,8 @@ static void b43legacy_remove(struct ssb_
+ cancel_work_sync(&wldev->restart_work);
+
+ B43legacy_WARN_ON(!wl);
++ if (!wldev->fw.ucode)
++ return; /* NULL if fw never loaded */
+ if (wl->current_dev == wldev)
+ ieee80211_unregister_hw(wl->hw);
+
--- /dev/null
+From f34f9d186df35e5c39163444c43b4fc6255e39c5 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 26 Sep 2012 11:34:50 +1000
+Subject: coredump: prevent double-free on an error path in core
+ dumper
+
+From: Denys Vlasenko <vda.linux@googlemail.com>
+
+commit f34f9d186df35e5c39163444c43b4fc6255e39c5 upstream.
+
+In !CORE_DUMP_USE_REGSET case, if elf_note_info_init fails to allocate
+memory for info->fields, it frees already allocated stuff and returns
+error to its caller, fill_note_info. Which in turn returns error to its
+caller, elf_core_dump. Which jumps to cleanup label and calls
+free_note_info, which will happily try to free all info->fields again.
+BOOM.
+
+This is the fix.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Cc: Venu Byravarasu <vbyravarasu@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_elf.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1669,30 +1669,19 @@ static int elf_note_info_init(struct elf
+ return 0;
+ info->psinfo = kmalloc(sizeof(*info->psinfo), GFP_KERNEL);
+ if (!info->psinfo)
+- goto notes_free;
++ return 0;
+ info->prstatus = kmalloc(sizeof(*info->prstatus), GFP_KERNEL);
+ if (!info->prstatus)
+- goto psinfo_free;
++ return 0;
+ info->fpu = kmalloc(sizeof(*info->fpu), GFP_KERNEL);
+ if (!info->fpu)
+- goto prstatus_free;
++ return 0;
+ #ifdef ELF_CORE_COPY_XFPREGS
+ info->xfpu = kmalloc(sizeof(*info->xfpu), GFP_KERNEL);
+ if (!info->xfpu)
+- goto fpu_free;
++ return 0;
+ #endif
+ return 1;
+-#ifdef ELF_CORE_COPY_XFPREGS
+- fpu_free:
+- kfree(info->fpu);
+-#endif
+- prstatus_free:
+- kfree(info->prstatus);
+- psinfo_free:
+- kfree(info->psinfo);
+- notes_free:
+- kfree(info->notes);
+- return 0;
+ }
+
+ static int fill_note_info(struct elfhdr *elf, int phdrs,
--- /dev/null
+From 7083909023bbe29b3176e92d2d089def1aa7aa1e Mon Sep 17 00:00:00 2001
+From: Khalid Aziz <khalid.aziz@hp.com>
+Date: Mon, 10 Sep 2012 12:52:42 -0600
+Subject: firmware: Add missing attributes to EFI variable attribute print out from sysfs
+
+From: Khalid Aziz <khalid.aziz@hp.com>
+
+commit 7083909023bbe29b3176e92d2d089def1aa7aa1e upstream.
+
+Some of the EFI variable attributes are missing from print out from
+/sys/firmware/efi/vars/*/attributes. This patch adds those in. It also
+updates code to use pre-defined constants for masking current value
+of attributes.
+
+Signed-off-by: Khalid Aziz <khalid.aziz@hp.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efivars.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/efivars.c
++++ b/drivers/firmware/efivars.c
+@@ -400,12 +400,23 @@ efivar_attr_read(struct efivar_entry *en
+ if (status != EFI_SUCCESS)
+ return -EIO;
+
+- if (var->Attributes & 0x1)
++ if (var->Attributes & EFI_VARIABLE_NON_VOLATILE)
+ str += sprintf(str, "EFI_VARIABLE_NON_VOLATILE\n");
+- if (var->Attributes & 0x2)
++ if (var->Attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)
+ str += sprintf(str, "EFI_VARIABLE_BOOTSERVICE_ACCESS\n");
+- if (var->Attributes & 0x4)
++ if (var->Attributes & EFI_VARIABLE_RUNTIME_ACCESS)
+ str += sprintf(str, "EFI_VARIABLE_RUNTIME_ACCESS\n");
++ if (var->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD)
++ str += sprintf(str, "EFI_VARIABLE_HARDWARE_ERROR_RECORD\n");
++ if (var->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
++ str += sprintf(str,
++ "EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\n");
++ if (var->Attributes &
++ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
++ str += sprintf(str,
++ "EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS\n");
++ if (var->Attributes & EFI_VARIABLE_APPEND_WRITE)
++ str += sprintf(str, "EFI_VARIABLE_APPEND_WRITE\n");
+ return str - buf;
+ }
+
--- /dev/null
+From a6e097dfdfd189b6929af6efa1d289af61858386 Mon Sep 17 00:00:00 2001
+From: Michael Spang <spang@chromium.org>
+Date: Fri, 14 Sep 2012 13:05:49 -0400
+Subject: Increase XHCI suspend timeout to 16ms
+
+From: Michael Spang <spang@chromium.org>
+
+commit a6e097dfdfd189b6929af6efa1d289af61858386 upstream.
+
+The Intel XHCI specification says that after clearing the run/stop bit
+the controller may take up to 16ms to halt. We've seen a device take
+14ms, which with the current timeout of 10ms causes the kernel to
+abort the suspend. Increasing the timeout to the recommended value
+fixes the problem.
+
+This patch should be backported to kernels as old as 2.6.37, that
+contain the commit 5535b1d5f8885695c6ded783c692e3c0d0eda8ca "USB: xHCI:
+PCI power management implementation".
+
+Signed-off-by: Michael Spang <spang@chromium.org>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -720,7 +720,7 @@ int xhci_suspend(struct xhci_hcd *xhci)
+ command &= ~CMD_RUN;
+ xhci_writel(xhci, command, &xhci->op_regs->command);
+ if (handshake(xhci, &xhci->op_regs->status,
+- STS_HALT, STS_HALT, 100*100)) {
++ STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC)) {
+ xhci_warn(xhci, "WARN: xHC CMD_RUN timeout\n");
+ spin_unlock_irq(&xhci->lock);
+ return -ETIMEDOUT;
--- /dev/null
+From 5e44708f75b0f8712da715d6babb0c21089b2317 Mon Sep 17 00:00:00 2001
+From: Russ Gorby <russ.gorby@intel.com>
+Date: Mon, 13 Aug 2012 13:44:40 +0100
+Subject: n_gsm: added interlocking for gsm_data_lock for certain code paths
+
+From: Russ Gorby <russ.gorby@intel.com>
+
+commit 5e44708f75b0f8712da715d6babb0c21089b2317 upstream.
+
+There were some locking holes in the management of the MUX's
+message queue for 2 code paths:
+1) gsmld_write_wakeup
+2) receipt of CMD_FCON flow-control message
+In both cases gsm_data_kick is called w/o locking so it can collide
+with other other instances of gsm_data_kick (pulling messages tx_tail)
+or potentially other instances of __gsm_data_queu (adding messages to tx_head)
+
+Changed to take the tx_lock in these 2 cases
+
+Signed-off-by: Russ Gorby <russ.gorby@intel.com>
+Tested-by: Yin, Fengwei <fengwei.yin@intel.com>
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_gsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1152,6 +1152,8 @@ static void gsm_control_message(struct g
+ u8 *data, int clen)
+ {
+ u8 buf[1];
++ unsigned long flags;
++
+ switch (command) {
+ case CMD_CLD: {
+ struct gsm_dlci *dlci = gsm->dlci[0];
+@@ -1177,7 +1179,9 @@ static void gsm_control_message(struct g
+ gsm->constipated = 0;
+ gsm_control_reply(gsm, CMD_FCOFF, NULL, 0);
+ /* Kick the link in case it is idling */
++ spin_lock_irqsave(&gsm->tx_lock, flags);
+ gsm_data_kick(gsm);
++ spin_unlock_irqrestore(&gsm->tx_lock, flags);
+ break;
+ case CMD_MSC:
+ /* Out of band modem line change indicator for a DLCI */
+@@ -2269,12 +2273,12 @@ static void gsmld_write_wakeup(struct tt
+
+ /* Queue poll */
+ clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
++ spin_lock_irqsave(&gsm->tx_lock, flags);
+ gsm_data_kick(gsm);
+ if (gsm->tx_bytes < TX_THRESH_LO) {
+- spin_lock_irqsave(&gsm->tx_lock, flags);
+ gsm_dlci_data_sweep(gsm);
+- spin_unlock_irqrestore(&gsm->tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&gsm->tx_lock, flags);
+ }
+
+ /**
--- /dev/null
+From 88ed2a60610974443335c924d7cb8e5dcf9dbdc1 Mon Sep 17 00:00:00 2001
+From: Russ Gorby <russ.gorby@intel.com>
+Date: Mon, 13 Aug 2012 13:45:30 +0100
+Subject: n_gsm: memory leak in uplink error path
+
+From: Russ Gorby <russ.gorby@intel.com>
+
+commit 88ed2a60610974443335c924d7cb8e5dcf9dbdc1 upstream.
+
+Uplink (TX) network data will go through gsm_dlci_data_output_framed
+there is a bug where if memory allocation fails, the skb which
+has already been pulled off the list will be lost.
+
+In addition TX skbs were being processed in LIFO order
+
+Fixed the memory leak, and changed to FIFO order processing
+
+Signed-off-by: Russ Gorby <russ.gorby@intel.com>
+Tested-by: Kappel, LaurentX <laurentx.kappel@intel.com>
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_gsm.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -842,7 +842,7 @@ static int gsm_dlci_data_output_framed(s
+
+ /* dlci->skb is locked by tx_lock */
+ if (dlci->skb == NULL) {
+- dlci->skb = skb_dequeue(&dlci->skb_list);
++ dlci->skb = skb_dequeue_tail(&dlci->skb_list);
+ if (dlci->skb == NULL)
+ return 0;
+ first = 1;
+@@ -866,8 +866,11 @@ static int gsm_dlci_data_output_framed(s
+
+ /* FIXME: need a timer or something to kick this so it can't
+ get stuck with no work outstanding and no buffer free */
+- if (msg == NULL)
++ if (msg == NULL) {
++ skb_queue_tail(&dlci->skb_list, dlci->skb);
++ dlci->skb = NULL;
+ return -ENOMEM;
++ }
+ dp = msg->data;
+
+ if (dlci->adaption == 4) { /* Interruptible framed (Packetised Data) */
tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch
serial-pl011-handle-corruption-at-high-clock-speeds.patch
serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch
+b43legacy-fix-crash-on-unload-when-firmware-not-available.patch
+firmware-add-missing-attributes-to-efi-variable-attribute-print-out-from-sysfs.patch
+xhci-intel-panther-point-bei-quirk.patch
+n_gsm-added-interlocking-for-gsm_data_lock-for-certain-code-paths.patch
+coredump-prevent-double-free-on-an-error-path-in-core.patch
+increase-xhci-suspend-timeout-to-16ms.patch
+n_gsm-memory-leak-in-uplink-error-path.patch
--- /dev/null
+From 80fab3b244a22e0ca539d2439bdda50e81e5666f Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Wed, 19 Sep 2012 16:27:26 -0700
+Subject: xhci: Intel Panther Point BEI quirk.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit 80fab3b244a22e0ca539d2439bdda50e81e5666f upstream.
+
+When a device with an isochronous endpoint is behind a hub plugged into
+the Intel Panther Point xHCI host controller, and the driver submits
+multiple frames per URB, the xHCI driver will set the Block Event
+Interrupt (BEI) flag on all but the last TD for the URB. This causes
+the host controller to place an event on the event ring, but not send an
+interrupt. When the last TD for the URB completes, BEI is cleared, and
+we get an interrupt for the whole URB.
+
+However, under a Panther Point xHCI host controller, if the parent hub
+is unplugged when one or more events from transfers with BEI set are on
+the event ring, a port status change event is placed on the event ring,
+but no interrupt is generated. This means URBs stop completing, and the
+USB device disconnect is not noticed. Something like a USB headset will
+cause mplayer to hang when the device is disconnected.
+
+If another transfer is sent (such as running `sudo lsusb -v`), the next
+transfer event seems to "unstick" the event ring, the xHCI driver gets
+an interrupt, and the disconnect is reported to the USB core.
+
+The fix is not to use the BEI flag under the Panther Point xHCI host.
+This will impact power consumption and system responsiveness, because
+the xHCI driver will receive an interrupt for every frame in all
+isochronous URBs instead of once per URB.
+
+Intel chipset developers confirm that this bug will be hit if the BEI
+flag is used on any endpoint, not just ones that are behind a hub.
+
+This patch should be backported to kernels as old as 3.0, that contain
+the commit 69e848c2090aebba5698a1620604c7dccb448684 "Intel xhci: Support
+EHCI/xHCI port switching."
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 1 +
+ drivers/usb/host/xhci-ring.c | 4 +++-
+ drivers/usb/host/xhci.h | 1 +
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -149,6 +149,7 @@ static int xhci_pci_setup(struct usb_hcd
+ * PPT chipsets.
+ */
+ xhci->quirks |= XHCI_SPURIOUS_REBOOT;
++ xhci->quirks |= XHCI_AVOID_BEI;
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
+ pdev->device == PCI_DEVICE_ID_ASROCK_P67) {
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3365,7 +3365,9 @@ static int xhci_queue_isoc_tx(struct xhc
+ } else {
+ td->last_trb = ep_ring->enqueue;
+ field |= TRB_IOC;
+- if (xhci->hci_version == 0x100) {
++ if (xhci->hci_version == 0x100 &&
++ !(xhci->quirks &
++ XHCI_AVOID_BEI)) {
+ /* Set BEI bit except for the last td */
+ if (i < num_tds - 1)
+ field |= TRB_BEI;
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1317,6 +1317,7 @@ struct xhci_hcd {
+ #define XHCI_AMD_0x96_HOST (1 << 9)
+ #define XHCI_TRUST_TX_LENGTH (1 << 10)
+ #define XHCI_SPURIOUS_REBOOT (1 << 13)
++#define XHCI_AVOID_BEI (1 << 15)
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
+ /* There are two roothubs to keep track of bus suspend info for */
projects / thirdparty / kernel / stable-queue.git / commitdiff
