--- /dev/null
+From ca499fc87ed945094d952da0eb7eea7dbeb1feec Mon Sep 17 00:00:00 2001
+From: Toshi Kani <toshi.kani@hp.com>
+Date: Wed, 20 Nov 2013 14:25:34 +0100
+Subject: ACPI / hotplug: Fix conflicted PCI bridge notify handlers
+
+From: Toshi Kani <toshi.kani@hp.com>
+
+commit ca499fc87ed945094d952da0eb7eea7dbeb1feec upstream.
+
+The PCI host bridge scan handler installs its own notify handler,
+handle_hotplug_event_root(), by itself. Nevertheless, the ACPI
+hotplug framework also installs the common notify handler,
+acpi_hotplug_notify_cb(), for PCI root bridges. This causes
+acpi_hotplug_notify_cb() to call _OST method with unsupported
+error as hotplug.enabled is not set.
+
+To address this issue, introduce hotplug.ignore flag, which
+indicates that the scan handler installs its own notify handler by
+itself. The ACPI hotplug framework does not install the common
+notify handler when this flag is set.
+
+Signed-off-by: Toshi Kani <toshi.kani@hp.com>
+[rjw: Changed the name of the new flag]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/pci_root.c | 3 +++
+ drivers/acpi/scan.c | 2 +-
+ include/acpi/acpi_bus.h | 1 +
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/pci_root.c
++++ b/drivers/acpi/pci_root.c
+@@ -63,6 +63,9 @@ static struct acpi_scan_handler pci_root
+ .ids = root_device_ids,
+ .attach = acpi_pci_root_add,
+ .detach = acpi_pci_root_remove,
++ .hotplug = {
++ .ignore = true,
++ },
+ };
+
+ /* Lock to protect both acpi_pci_roots lists */
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1790,7 +1790,7 @@ static void acpi_scan_init_hotplug(acpi_
+ */
+ list_for_each_entry(hwid, &pnp.ids, list) {
+ handler = acpi_scan_match_handler(hwid->id, NULL);
+- if (handler) {
++ if (handler && !handler->hotplug.ignore) {
+ acpi_install_notify_handler(handle, ACPI_SYSTEM_NOTIFY,
+ acpi_hotplug_notify_cb, handler);
+ break;
+--- a/include/acpi/acpi_bus.h
++++ b/include/acpi/acpi_bus.h
+@@ -97,6 +97,7 @@ enum acpi_hotplug_mode {
+ struct acpi_hotplug_profile {
+ struct kobject kobj;
+ bool enabled:1;
++ bool ignore:1;
+ enum acpi_hotplug_mode mode;
+ };
+
--- /dev/null
+From 14e972b4517128ac8e30e3de2ee4fbd995084223 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 8 May 2013 10:25:58 -0400
+Subject: audit: add child record before the create to handle case where create fails
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 14e972b4517128ac8e30e3de2ee4fbd995084223 upstream.
+
+Historically, when a syscall that creates a dentry fails, you get an audit
+record that looks something like this (when trying to create a file named
+"new" in "/tmp/tmp.SxiLnCcv63"):
+
+ type=PATH msg=audit(1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
+
+This record makes no sense since it's associating the inode information for
+"/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent
+patch I posted to fix the audit_inode call in do_last fixes this, by making it
+look more like this:
+
+ type=PATH msg=audit(1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
+
+While this is more correct, if the creation of the file fails, then we
+have no record of the filename that the user tried to create.
+
+This patch adds a call to audit_inode_child to may_create. This creates
+an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the
+create succeeds. When and if the create does succeed, then this record
+will be updated with the correct inode info from the create.
+
+This fixes what was broken in commit bfcec708.
+Commit 79f6530c should also be backported to stable v3.7+.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2263,6 +2263,7 @@ static int may_delete(struct inode *dir,
+ */
+ static inline int may_create(struct inode *dir, struct dentry *child)
+ {
++ audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
+ if (child->d_inode)
+ return -EEXIST;
+ if (IS_DEADDIR(dir))
--- /dev/null
+From 64fbff9ae0a0a843365d922e0057fc785f23f0e3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:04:24 +0200
+Subject: audit: fix info leak in AUDIT_GET requests
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 64fbff9ae0a0a843365d922e0057fc785f23f0e3 upstream.
+
+We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
+we miss to initialize the mask member of status_set. Fix that.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -659,6 +659,7 @@ static int audit_receive_msg(struct sk_b
+
+ switch (msg_type) {
+ case AUDIT_GET:
++ status_set.mask = 0;
+ status_set.enabled = audit_enabled;
+ status_set.failure = audit_failure;
+ status_set.pid = audit_pid;
--- /dev/null
+From 79f6530cb59e2a0af6953742a33cc29e98ca631c Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Mon, 8 Jul 2013 15:59:36 -0700
+Subject: audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 79f6530cb59e2a0af6953742a33cc29e98ca631c upstream.
+
+The old audit PATH records for mq_open looked like this:
+
+ type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777
+ dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
+ obj=system_u:object_r:tmpfs_t:s15:c0.c1023
+ type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732
+ dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
+ obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
+
+...with the audit related changes that went into 3.7, they now look like this:
+
+ type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655
+ dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
+ obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
+ type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926
+ dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
+ obj=system_u:object_r:tmpfs_t:s15:c0.c1023
+ type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"
+
+Both of these look wrong to me. As Steve Grubb pointed out:
+
+ "What we need is 1 PATH record that identifies the MQ. The other PATH
+ records probably should not be there."
+
+Fix it to record the mq root as a parent, and flag it such that it
+should be hidden from view when the names are logged, since the root of
+the mq filesystem isn't terribly interesting. With this change, we get
+a single PATH record that looks more like this:
+
+ type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914
+ dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
+ obj=unconfined_u:object_r:user_tmpfs_t:s0
+
+In order to do this, a new audit_inode_parent_hidden() function is
+added. If we do it this way, then we avoid having the existing callers
+of audit_inode needing to do any sort of flag conversion if auditing is
+inactive.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Reported-by: Jiri Jaburek <jjaburek@redhat.com>
+Cc: Steve Grubb <sgrubb@redhat.com>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/audit.h | 26 ++++++++++++++++++++++----
+ ipc/mqueue.c | 2 ++
+ kernel/audit.h | 1 +
+ kernel/auditsc.c | 12 +++++++++---
+ 4 files changed, 34 insertions(+), 7 deletions(-)
+
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -103,8 +103,11 @@ extern void __audit_syscall_exit(int ret
+ extern struct filename *__audit_reusename(const __user char *uptr);
+ extern void __audit_getname(struct filename *name);
+ extern void audit_putname(struct filename *name);
++
++#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */
++#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */
+ extern void __audit_inode(struct filename *name, const struct dentry *dentry,
+- unsigned int parent);
++ unsigned int flags);
+ extern void __audit_inode_child(const struct inode *parent,
+ const struct dentry *dentry,
+ const unsigned char type);
+@@ -148,10 +151,22 @@ static inline void audit_getname(struct
+ if (unlikely(!audit_dummy_context()))
+ __audit_getname(name);
+ }
+-static inline void audit_inode(struct filename *name, const struct dentry *dentry,
++static inline void audit_inode(struct filename *name,
++ const struct dentry *dentry,
+ unsigned int parent) {
++ if (unlikely(!audit_dummy_context())) {
++ unsigned int flags = 0;
++ if (parent)
++ flags |= AUDIT_INODE_PARENT;
++ __audit_inode(name, dentry, flags);
++ }
++}
++static inline void audit_inode_parent_hidden(struct filename *name,
++ const struct dentry *dentry)
++{
+ if (unlikely(!audit_dummy_context()))
+- __audit_inode(name, dentry, parent);
++ __audit_inode(name, dentry,
++ AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
+ }
+ static inline void audit_inode_child(const struct inode *parent,
+ const struct dentry *dentry,
+@@ -311,7 +326,7 @@ static inline void audit_putname(struct
+ { }
+ static inline void __audit_inode(struct filename *name,
+ const struct dentry *dentry,
+- unsigned int parent)
++ unsigned int flags)
+ { }
+ static inline void __audit_inode_child(const struct inode *parent,
+ const struct dentry *dentry,
+@@ -321,6 +336,9 @@ static inline void audit_inode(struct fi
+ const struct dentry *dentry,
+ unsigned int parent)
+ { }
++static inline void audit_inode_parent_hidden(struct filename *name,
++ const struct dentry *dentry)
++{ }
+ static inline void audit_inode_child(const struct inode *parent,
+ const struct dentry *dentry,
+ const unsigned char type)
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -823,6 +823,7 @@ SYSCALL_DEFINE4(mq_open, const char __us
+ error = ro;
+ goto out;
+ }
++ audit_inode_parent_hidden(name, root);
+ filp = do_create(ipc_ns, root->d_inode,
+ &path, oflag, mode,
+ u_attr ? &attr : NULL);
+@@ -868,6 +869,7 @@ SYSCALL_DEFINE1(mq_unlink, const char __
+ if (IS_ERR(name))
+ return PTR_ERR(name);
+
++ audit_inode_parent_hidden(name, mnt->mnt_root);
+ err = mnt_want_write(mnt);
+ if (err)
+ goto out_name;
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -85,6 +85,7 @@ struct audit_names {
+
+ struct filename *name;
+ int name_len; /* number of chars to log */
++ bool hidden; /* don't log this record */
+ bool name_put; /* call __putname()? */
+
+ unsigned long ino;
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1399,8 +1399,11 @@ static void audit_log_exit(struct audit_
+ }
+
+ i = 0;
+- list_for_each_entry(n, &context->names_list, list)
++ list_for_each_entry(n, &context->names_list, list) {
++ if (n->hidden)
++ continue;
+ audit_log_name(context, n, NULL, i++, &call_panic);
++ }
+
+ /* Send end of event record to help user space know we are finished */
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
+@@ -1769,14 +1772,15 @@ void audit_putname(struct filename *name
+ * __audit_inode - store the inode and device from a lookup
+ * @name: name being audited
+ * @dentry: dentry being audited
+- * @parent: does this dentry represent the parent?
++ * @flags: attributes for this particular entry
+ */
+ void __audit_inode(struct filename *name, const struct dentry *dentry,
+- unsigned int parent)
++ unsigned int flags)
+ {
+ struct audit_context *context = current->audit_context;
+ const struct inode *inode = dentry->d_inode;
+ struct audit_names *n;
++ bool parent = flags & AUDIT_INODE_PARENT;
+
+ if (!context->in_syscall)
+ return;
+@@ -1831,6 +1835,8 @@ out:
+ if (parent) {
+ n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
+ n->type = AUDIT_TYPE_PARENT;
++ if (flags & AUDIT_INODE_HIDDEN)
++ n->hidden = true;
+ } else {
+ n->name_len = AUDIT_NAME_FULL;
+ n->type = AUDIT_TYPE_NORMAL;
--- /dev/null
+From d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 8 May 2013 10:32:23 -0400
+Subject: audit: log the audit_names record type
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 upstream.
+
+...to make it clear what the intent behind each record's operation was.
+
+In many cases you can infer this, based on the context of the syscall
+and the result. In other cases it's not so obvious. For instance, in
+the case where you have a file being renamed over another, you'll have
+two different records with the same filename but different inode info.
+By logging this information we can clearly tell which one was created
+and which was deleted.
+
+This fixes what was broken in commit bfcec708.
+Commit 79f6530c should also be backported to stable v3.7+.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1537,6 +1537,26 @@ void audit_log_name(struct audit_context
+ }
+ }
+
++ /* log the audit_names record type */
++ audit_log_format(ab, " nametype=");
++ switch(n->type) {
++ case AUDIT_TYPE_NORMAL:
++ audit_log_format(ab, "NORMAL");
++ break;
++ case AUDIT_TYPE_PARENT:
++ audit_log_format(ab, "PARENT");
++ break;
++ case AUDIT_TYPE_CHILD_DELETE:
++ audit_log_format(ab, "DELETE");
++ break;
++ case AUDIT_TYPE_CHILD_CREATE:
++ audit_log_format(ab, "CREATE");
++ break;
++ default:
++ audit_log_format(ab, "UNKNOWN");
++ break;
++ }
++
+ audit_log_fcaps(ab, n);
+ audit_log_end(ab);
+ }
--- /dev/null
+From 0868a5e150bc4c47e7a003367cd755811eb41e0b Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 25 Jul 2013 18:02:55 -0700
+Subject: audit: printk USER_AVC messages when audit isn't enabled
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
+
+When the audit=1 kernel parameter is absent and auditd is not running,
+AUDIT_USER_AVC messages are being silently discarded.
+
+AUDIT_USER_AVC messages should be sent to userspace using printk(), as
+mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
+audit-disabled case for discarding user messages").
+
+When audit_enabled is 0, audit_receive_msg() discards all user messages
+except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
+refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
+special case AUDIT_USER_AVC messages in both functions.
+
+It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
+introduced this bug.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: linux-audit@redhat.com
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(str
+ int rc = 0;
+ uid_t uid = from_kuid(&init_user_ns, current_uid());
+
+- if (!audit_enabled) {
++ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
+ *ab = NULL;
+ return rc;
+ }
--- /dev/null
+From 4d8fe7376a12bf4524783dd95cbc00f1fece6232 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:04:25 +0200
+Subject: audit: use nlmsg_len() to get message payload length
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 4d8fe7376a12bf4524783dd95cbc00f1fece6232 upstream.
+
+Using the nlmsg_len member of the netlink header to test if the message
+is valid is wrong as it includes the size of the netlink header itself.
+Thereby allowing to send short netlink messages that pass those checks.
+
+Use nlmsg_len() instead to test for the right message length. The result
+of nlmsg_len() is guaranteed to be non-negative as the netlink message
+already passed the checks of nlmsg_ok().
+
+Also switch to min_t() to please checkpatch.pl.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -670,7 +670,7 @@ static int audit_receive_msg(struct sk_b
+ &status_set, sizeof(status_set));
+ break;
+ case AUDIT_SET:
+- if (nlh->nlmsg_len < sizeof(struct audit_status))
++ if (nlmsg_len(nlh) < sizeof(struct audit_status))
+ return -EINVAL;
+ status_get = (struct audit_status *)data;
+ if (status_get->mask & AUDIT_STATUS_ENABLED) {
+@@ -832,7 +832,7 @@ static int audit_receive_msg(struct sk_b
+
+ memset(&s, 0, sizeof(s));
+ /* guard against past and future API changes */
+- memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len));
++ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
+ if ((s.enabled != 0 && s.enabled != 1) ||
+ (s.log_passwd != 0 && s.log_passwd != 1))
+ return -EINVAL;
--- /dev/null
+From d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 Mon Sep 17 00:00:00 2001
+From: Andreas Bießmann <andreas@biessmann.de>
+Date: Thu, 24 Oct 2013 12:31:04 +0200
+Subject: avr32: fix out-of-range jump in large kernels
+
+From: Andreas Bießmann <andreas@biessmann.de>
+
+commit d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 upstream.
+
+This patch fixes following error (for big kernels):
+
+---8<---
+arch/avr32/boot/u-boot/head.o: In function `no_tag_table':
+(.init.text+0x44): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
+arch/avr32/kernel/built-in.o: In function `bad_return':
+(.ex.text+0x236): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
+--->8---
+
+It comes up when the kernel increases and 'panic()' is too far away to fit in
+the +/- 2MiB range. Which in turn issues from the 21-bit displacement in
+'br{cond4}' mnemonic which is one of the two ways to do jumps (rjmp has just
+10-bit displacement and therefore a way smaller range). This fact was stated
+before in 8d29b7b9f81d6b83d869ff054e6c189d6da73f1f.
+One solution to solve this is to add a local storage for the symbol address
+and just load the $pc with that value.
+
+Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
+Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
+Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/avr32/boot/u-boot/head.S | 5 ++++-
+ arch/avr32/kernel/entry-avr32b.S | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/avr32/boot/u-boot/head.S
++++ b/arch/avr32/boot/u-boot/head.S
+@@ -73,8 +73,11 @@ init_sr:
+ .long 0x007f0000 /* Supervisor mode, everything masked */
+ stack_addr:
+ .long init_thread_union
++panic_addr:
++ .long panic
+
+ no_tag_table:
+ sub r12, pc, (. - 2f)
+- bral panic
++ /* branch to panic() which can be far away with that construct */
++ lddpc pc, panic_addr
+ 2: .asciz "Boot loader didn't provide correct magic number\n"
+--- a/arch/avr32/kernel/entry-avr32b.S
++++ b/arch/avr32/kernel/entry-avr32b.S
+@@ -401,9 +401,10 @@ handle_critical:
+ /* We should never get here... */
+ bad_return:
+ sub r12, pc, (. - 1f)
+- bral panic
++ lddpc pc, 2f
+ .align 2
+ 1: .asciz "Return from critical exception!"
++2: .long panic
+
+ .align 1
+ do_bus_error_write:
--- /dev/null
+From 7a2a74f4b856993218aa7cdeeb6c3103101340db Mon Sep 17 00:00:00 2001
+From: Andreas Bießmann <andreas@biessmann.de>
+Date: Thu, 24 Oct 2013 12:31:03 +0200
+Subject: avr32: setup crt for early panic()
+
+From: Andreas Bießmann <andreas@biessmann.de>
+
+commit 7a2a74f4b856993218aa7cdeeb6c3103101340db upstream.
+
+Before the CRT was (fully) set up in kernel_entry (bss cleared before in
+_start, but also not before jump to panic() in no_tag_table case).
+
+This patch fixes this up to have a fully working CRT when branching to panic()
+in no_tag_table.
+
+Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
+Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
+Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/avr32/boot/u-boot/head.S | 30 +++++++++++++++++++++++++-----
+ arch/avr32/kernel/head.S | 20 --------------------
+ 2 files changed, 25 insertions(+), 25 deletions(-)
+
+--- a/arch/avr32/boot/u-boot/head.S
++++ b/arch/avr32/boot/u-boot/head.S
+@@ -8,6 +8,8 @@
+ * published by the Free Software Foundation.
+ */
+ #include <asm/setup.h>
++#include <asm/thread_info.h>
++#include <asm/sysreg.h>
+
+ /*
+ * The kernel is loaded where we want it to be and all caches
+@@ -20,11 +22,6 @@
+ .section .init.text,"ax"
+ .global _start
+ _start:
+- /* Check if the boot loader actually provided a tag table */
+- lddpc r0, magic_number
+- cp.w r12, r0
+- brne no_tag_table
+-
+ /* Initialize .bss */
+ lddpc r2, bss_start_addr
+ lddpc r3, end_addr
+@@ -34,6 +31,25 @@ _start:
+ cp r2, r3
+ brlo 1b
+
++ /* Initialize status register */
++ lddpc r0, init_sr
++ mtsr SYSREG_SR, r0
++
++ /* Set initial stack pointer */
++ lddpc sp, stack_addr
++ sub sp, -THREAD_SIZE
++
++#ifdef CONFIG_FRAME_POINTER
++ /* Mark last stack frame */
++ mov lr, 0
++ mov r7, 0
++#endif
++
++ /* Check if the boot loader actually provided a tag table */
++ lddpc r0, magic_number
++ cp.w r12, r0
++ brne no_tag_table
++
+ /*
+ * Save the tag table address for later use. This must be done
+ * _after_ .bss has been initialized...
+@@ -53,6 +69,10 @@ bss_start_addr:
+ .long __bss_start
+ end_addr:
+ .long _end
++init_sr:
++ .long 0x007f0000 /* Supervisor mode, everything masked */
++stack_addr:
++ .long init_thread_union
+
+ no_tag_table:
+ sub r12, pc, (. - 2f)
+--- a/arch/avr32/kernel/head.S
++++ b/arch/avr32/kernel/head.S
+@@ -10,33 +10,13 @@
+ #include <linux/linkage.h>
+
+ #include <asm/page.h>
+-#include <asm/thread_info.h>
+-#include <asm/sysreg.h>
+
+ .section .init.text,"ax"
+ .global kernel_entry
+ kernel_entry:
+- /* Initialize status register */
+- lddpc r0, init_sr
+- mtsr SYSREG_SR, r0
+-
+- /* Set initial stack pointer */
+- lddpc sp, stack_addr
+- sub sp, -THREAD_SIZE
+-
+-#ifdef CONFIG_FRAME_POINTER
+- /* Mark last stack frame */
+- mov lr, 0
+- mov r7, 0
+-#endif
+-
+ /* Start the show */
+ lddpc pc, kernel_start_addr
+
+ .align 2
+-init_sr:
+- .long 0x007f0000 /* Supervisor mode, everything masked */
+-stack_addr:
+- .long init_thread_union
+ kernel_start_addr:
+ .long start_kernel
--- /dev/null
+From 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Mon, 25 Nov 2013 20:59:46 -0500
+Subject: ftrace: Fix function graph with loading of modules
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 upstream.
+
+Commit 8c4f3c3fa9681 "ftrace: Check module functions being traced on reload"
+fixed module loading and unloading with respect to function tracing, but
+it missed the function graph tracer. If you perform the following
+
+ # cd /sys/kernel/debug/tracing
+ # echo function_graph > current_tracer
+ # modprobe nfsd
+ # echo nop > current_tracer
+
+You'll get the following oops message:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 2910 at /linux.git/kernel/trace/ftrace.c:1640 __ftrace_hash_rec_update.part.35+0x168/0x1b9()
+ Modules linked in: nfsd exportfs nfs_acl lockd ipt_MASQUERADE sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uinput snd_hda_codec_idt
+ CPU: 2 PID: 2910 Comm: bash Not tainted 3.13.0-rc1-test #7
+ Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
+ 0000000000000668 ffff8800787efcf8 ffffffff814fe193 ffff88007d500000
+ 0000000000000000 ffff8800787efd38 ffffffff8103b80a 0000000000000668
+ ffffffff810b2b9a ffffffff81a48370 0000000000000001 ffff880037aea000
+ Call Trace:
+ [<ffffffff814fe193>] dump_stack+0x4f/0x7c
+ [<ffffffff8103b80a>] warn_slowpath_common+0x81/0x9b
+ [<ffffffff810b2b9a>] ? __ftrace_hash_rec_update.part.35+0x168/0x1b9
+ [<ffffffff8103b83e>] warn_slowpath_null+0x1a/0x1c
+ [<ffffffff810b2b9a>] __ftrace_hash_rec_update.part.35+0x168/0x1b9
+ [<ffffffff81502f89>] ? __mutex_lock_slowpath+0x364/0x364
+ [<ffffffff810b2cc2>] ftrace_shutdown+0xd7/0x12b
+ [<ffffffff810b47f0>] unregister_ftrace_graph+0x49/0x78
+ [<ffffffff810c4b30>] graph_trace_reset+0xe/0x10
+ [<ffffffff810bf393>] tracing_set_tracer+0xa7/0x26a
+ [<ffffffff810bf5e1>] tracing_set_trace_write+0x8b/0xbd
+ [<ffffffff810c501c>] ? ftrace_return_to_handler+0xb2/0xde
+ [<ffffffff811240a8>] ? __sb_end_write+0x5e/0x5e
+ [<ffffffff81122aed>] vfs_write+0xab/0xf6
+ [<ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
+ [<ffffffff81122dbd>] SyS_write+0x59/0x82
+ [<ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
+ [<ffffffff8150a2d2>] system_call_fastpath+0x16/0x1b
+ ---[ end trace 940358030751eafb ]---
+
+The above mentioned commit didn't go far enough. Well, it covered the
+function tracer by adding checks in __register_ftrace_function(). The
+problem is that the function graph tracer circumvents that (for a slight
+efficiency gain when function graph trace is running with a function
+tracer. The gain was not worth this).
+
+The problem came with ftrace_startup() which should always be called after
+__register_ftrace_function(), if you want this bug to be completely fixed.
+
+Anyway, this solution moves __register_ftrace_function() inside of
+ftrace_startup() and removes the need to call them both.
+
+Reported-by: Dave Wysochanski <dwysocha@redhat.com>
+Fixes: ed926f9b35cd ("ftrace: Use counters to enable functions to trace")
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 64 +++++++++++++++++++++++++++-----------------------
+ 1 file changed, 35 insertions(+), 29 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -367,9 +367,6 @@ static int remove_ftrace_list_ops(struct
+
+ static int __register_ftrace_function(struct ftrace_ops *ops)
+ {
+- if (unlikely(ftrace_disabled))
+- return -ENODEV;
+-
+ if (FTRACE_WARN_ON(ops == &global_ops))
+ return -EINVAL;
+
+@@ -417,9 +414,6 @@ static int __unregister_ftrace_function(
+ {
+ int ret;
+
+- if (ftrace_disabled)
+- return -ENODEV;
+-
+ if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED)))
+ return -EBUSY;
+
+@@ -2048,10 +2042,15 @@ static void ftrace_startup_enable(int co
+ static int ftrace_startup(struct ftrace_ops *ops, int command)
+ {
+ bool hash_enable = true;
++ int ret;
+
+ if (unlikely(ftrace_disabled))
+ return -ENODEV;
+
++ ret = __register_ftrace_function(ops);
++ if (ret)
++ return ret;
++
+ ftrace_start_up++;
+ command |= FTRACE_UPDATE_CALLS;
+
+@@ -2073,12 +2072,17 @@ static int ftrace_startup(struct ftrace_
+ return 0;
+ }
+
+-static void ftrace_shutdown(struct ftrace_ops *ops, int command)
++static int ftrace_shutdown(struct ftrace_ops *ops, int command)
+ {
+ bool hash_disable = true;
++ int ret;
+
+ if (unlikely(ftrace_disabled))
+- return;
++ return -ENODEV;
++
++ ret = __unregister_ftrace_function(ops);
++ if (ret)
++ return ret;
+
+ ftrace_start_up--;
+ /*
+@@ -2113,9 +2117,10 @@ static void ftrace_shutdown(struct ftrac
+ }
+
+ if (!command || !ftrace_enabled)
+- return;
++ return 0;
+
+ ftrace_run_update_code(command);
++ return 0;
+ }
+
+ static void ftrace_startup_sysctl(void)
+@@ -3020,16 +3025,13 @@ static void __enable_ftrace_function_pro
+ if (i == FTRACE_FUNC_HASHSIZE)
+ return;
+
+- ret = __register_ftrace_function(&trace_probe_ops);
+- if (!ret)
+- ret = ftrace_startup(&trace_probe_ops, 0);
++ ret = ftrace_startup(&trace_probe_ops, 0);
+
+ ftrace_probe_registered = 1;
+ }
+
+ static void __disable_ftrace_function_probe(void)
+ {
+- int ret;
+ int i;
+
+ if (!ftrace_probe_registered)
+@@ -3042,9 +3044,7 @@ static void __disable_ftrace_function_pr
+ }
+
+ /* no more funcs left */
+- ret = __unregister_ftrace_function(&trace_probe_ops);
+- if (!ret)
+- ftrace_shutdown(&trace_probe_ops, 0);
++ ftrace_shutdown(&trace_probe_ops, 0);
+
+ ftrace_probe_registered = 0;
+ }
+@@ -4241,12 +4241,15 @@ core_initcall(ftrace_nodyn_init);
+ static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; }
+ static inline void ftrace_startup_enable(int command) { }
+ /* Keep as macros so we do not need to define the commands */
+-# define ftrace_startup(ops, command) \
+- ({ \
+- (ops)->flags |= FTRACE_OPS_FL_ENABLED; \
+- 0; \
++# define ftrace_startup(ops, command) \
++ ({ \
++ int ___ret = __register_ftrace_function(ops); \
++ if (!___ret) \
++ (ops)->flags |= FTRACE_OPS_FL_ENABLED; \
++ ___ret; \
+ })
+-# define ftrace_shutdown(ops, command) do { } while (0)
++# define ftrace_shutdown(ops, command) __unregister_ftrace_function(ops)
++
+ # define ftrace_startup_sysctl() do { } while (0)
+ # define ftrace_shutdown_sysctl() do { } while (0)
+
+@@ -4646,9 +4649,7 @@ int register_ftrace_function(struct ftra
+
+ mutex_lock(&ftrace_lock);
+
+- ret = __register_ftrace_function(ops);
+- if (!ret)
+- ret = ftrace_startup(ops, 0);
++ ret = ftrace_startup(ops, 0);
+
+ mutex_unlock(&ftrace_lock);
+
+@@ -4667,9 +4668,7 @@ int unregister_ftrace_function(struct ft
+ int ret;
+
+ mutex_lock(&ftrace_lock);
+- ret = __unregister_ftrace_function(ops);
+- if (!ret)
+- ftrace_shutdown(ops, 0);
++ ret = ftrace_shutdown(ops, 0);
+ mutex_unlock(&ftrace_lock);
+
+ return ret;
+@@ -4863,6 +4862,13 @@ ftrace_suspend_notifier_call(struct noti
+ return NOTIFY_DONE;
+ }
+
++/* Just a place holder for function graph */
++static struct ftrace_ops fgraph_ops __read_mostly = {
++ .func = ftrace_stub,
++ .flags = FTRACE_OPS_FL_STUB | FTRACE_OPS_FL_GLOBAL |
++ FTRACE_OPS_FL_RECURSION_SAFE,
++};
++
+ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+ trace_func_graph_ent_t entryfunc)
+ {
+@@ -4889,7 +4895,7 @@ int register_ftrace_graph(trace_func_gra
+ ftrace_graph_return = retfunc;
+ ftrace_graph_entry = entryfunc;
+
+- ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET);
++ ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET);
+
+ out:
+ mutex_unlock(&ftrace_lock);
+@@ -4906,7 +4912,7 @@ void unregister_ftrace_graph(void)
+ ftrace_graph_active--;
+ ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub;
+ ftrace_graph_entry = ftrace_graph_entry_stub;
+- ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET);
++ ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET);
+ unregister_pm_notifier(&ftrace_suspend_notifier);
+ unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL);
+
--- /dev/null
+From d03b4aa77e1187b77dfe37d14a923547f00baa66 Mon Sep 17 00:00:00 2001
+From: Avinash Patil <patila@marvell.com>
+Date: Tue, 5 Nov 2013 15:01:44 -0800
+Subject: mwifiex: correct packet length for packets from SDIO interface
+
+From: Avinash Patil <patila@marvell.com>
+
+commit d03b4aa77e1187b77dfe37d14a923547f00baa66 upstream.
+
+While receiving a packet on SDIO interface, we allocate skb with
+size multiple of SDIO block size. We need to resize this skb
+after RX using packet length from RX header.
+
+Signed-off-by: Avinash Patil <patila@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -930,7 +930,10 @@ static int mwifiex_decode_rx_packet(stru
+ struct sk_buff *skb, u32 upld_typ)
+ {
+ u8 *cmd_buf;
++ __le16 *curr_ptr = (__le16 *)skb->data;
++ u16 pkt_len = le16_to_cpu(*curr_ptr);
+
++ skb_trim(skb, pkt_len);
+ skb_pull(skb, INTF_HEADER_LEN);
+
+ switch (upld_typ) {
--- /dev/null
+From 8d93f1f309d38b65fce0b9f0de91ba6c96990c07 Mon Sep 17 00:00:00 2001
+From: Ujjal Roy <royujjal@gmail.com>
+Date: Tue, 5 Nov 2013 15:01:45 -0800
+Subject: mwifiex: fix wrong eth_hdr usage for bridged packets in AP mode
+
+From: Ujjal Roy <royujjal@gmail.com>
+
+commit 8d93f1f309d38b65fce0b9f0de91ba6c96990c07 upstream.
+
+The eth_hdr is never defined in this driver but it gets compiled
+without any warning/error because kernel has defined eth_hdr.
+
+Fix it by defining our own p_ethhdr and use it instead of eth_hdr.
+
+Signed-off-by: Ujjal Roy <royujjal@gmail.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/uap_txrx.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/uap_txrx.c
++++ b/drivers/net/wireless/mwifiex/uap_txrx.c
+@@ -34,6 +34,7 @@ static void mwifiex_uap_queue_bridged_pk
+ struct mwifiex_txinfo *tx_info;
+ int hdr_chop;
+ struct timeval tv;
++ struct ethhdr *p_ethhdr;
+ u8 rfc1042_eth_hdr[ETH_ALEN] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
+
+ uap_rx_pd = (struct uap_rxpd *)(skb->data);
+@@ -48,14 +49,36 @@ static void mwifiex_uap_queue_bridged_pk
+ }
+
+ if (!memcmp(&rx_pkt_hdr->rfc1042_hdr,
+- rfc1042_eth_hdr, sizeof(rfc1042_eth_hdr)))
++ rfc1042_eth_hdr, sizeof(rfc1042_eth_hdr))) {
++ /* Replace the 803 header and rfc1042 header (llc/snap) with
++ * an Ethernet II header, keep the src/dst and snap_type
++ * (ethertype).
++ *
++ * The firmware only passes up SNAP frames converting all RX
++ * data from 802.11 to 802.2/LLC/SNAP frames.
++ *
++ * To create the Ethernet II, just move the src, dst address
++ * right before the snap_type.
++ */
++ p_ethhdr = (struct ethhdr *)
++ ((u8 *)(&rx_pkt_hdr->eth803_hdr)
++ + sizeof(rx_pkt_hdr->eth803_hdr)
++ + sizeof(rx_pkt_hdr->rfc1042_hdr)
++ - sizeof(rx_pkt_hdr->eth803_hdr.h_dest)
++ - sizeof(rx_pkt_hdr->eth803_hdr.h_source)
++ - sizeof(rx_pkt_hdr->rfc1042_hdr.snap_type));
++ memcpy(p_ethhdr->h_source, rx_pkt_hdr->eth803_hdr.h_source,
++ sizeof(p_ethhdr->h_source));
++ memcpy(p_ethhdr->h_dest, rx_pkt_hdr->eth803_hdr.h_dest,
++ sizeof(p_ethhdr->h_dest));
+ /* Chop off the rxpd + the excess memory from
+ * 802.2/llc/snap header that was removed.
+ */
+- hdr_chop = (u8 *)eth_hdr - (u8 *)uap_rx_pd;
+- else
++ hdr_chop = (u8 *)p_ethhdr - (u8 *)uap_rx_pd;
++ } else {
+ /* Chop off the rxpd */
+ hdr_chop = (u8 *)&rx_pkt_hdr->eth803_hdr - (u8 *)uap_rx_pd;
++ }
+
+ /* Chop off the leading header bytes so the it points
+ * to the start of either the reconstructed EthII frame
--- /dev/null
+From e7cc5cf74544d97d7b69e2701595037474db1f96 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Mon, 18 Nov 2013 17:02:45 -0700
+Subject: PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove()
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit e7cc5cf74544d97d7b69e2701595037474db1f96 upstream.
+
+The pcie_portdrv .probe() method calls pci_enable_device() once, in
+pcie_port_device_register(), but the .remove() method calls
+pci_disable_device() twice, in pcie_port_device_remove() and in
+pcie_portdrv_remove().
+
+That causes a "disabling already-disabled device" warning when removing a
+PCIe port device. This happens all the time when removing Thunderbolt
+devices, but is also easy to reproduce with, e.g.,
+"echo 0000:00:1c.3 > /sys/bus/pci/drivers/pcieport/unbind"
+
+This patch removes the disable from pcie_portdrv_remove().
+
+[bhelgaas: changelog, tag for stable]
+Reported-by: David Bulkow <David.Bulkow@stratus.com>
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pcie/portdrv_pci.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/pcie/portdrv_pci.c
++++ b/drivers/pci/pcie/portdrv_pci.c
+@@ -223,7 +223,6 @@ static int pcie_portdrv_probe(struct pci
+ static void pcie_portdrv_remove(struct pci_dev *dev)
+ {
+ pcie_port_device_remove(dev);
+- pci_disable_device(dev);
+ }
+
+ static int error_detected_iter(struct device *device, void *data)
--- /dev/null
+From 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw@redhat.com>
+Date: Fri, 8 Nov 2013 13:39:44 -0600
+Subject: prism54: set netdev type to "wlan"
+
+From: Dan Williams <dcbw@redhat.com>
+
+commit 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 upstream.
+
+Userspace uses the netdev devtype for stuff like device naming and type
+detection. Be nice and set it. Remove the pointless #if/#endif around
+SET_NETDEV_DEV too.
+
+Signed-off-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/prism54/islpci_dev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/prism54/islpci_dev.c
++++ b/drivers/net/wireless/prism54/islpci_dev.c
+@@ -811,6 +811,10 @@ static const struct net_device_ops islpc
+ .ndo_validate_addr = eth_validate_addr,
+ };
+
++static struct device_type wlan_type = {
++ .name = "wlan",
++};
++
+ struct net_device *
+ islpci_setup(struct pci_dev *pdev)
+ {
+@@ -821,9 +825,8 @@ islpci_setup(struct pci_dev *pdev)
+ return ndev;
+
+ pci_set_drvdata(pdev, ndev);
+-#if defined(SET_NETDEV_DEV)
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+-#endif
++ SET_NETDEV_DEVTYPE(ndev, &wlan_type);
+
+ /* setup the structure members */
+ ndev->base_addr = pci_resource_start(pdev, 0);
--- /dev/null
+From cc87509d87696d7cd393882f5dedea01e03e41a9 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Mon, 4 Nov 2013 16:38:08 +1000
+Subject: qxl: avoid an oops in the deferred io code.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit cc87509d87696d7cd393882f5dedea01e03e41a9 upstream.
+
+If we are using deferred io due to plymouth or X.org fbdev driver
+we will oops in memcpy due to this pointless multiply here,
+
+removing it fixes fbdev to start and not oops.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_fb.c
++++ b/drivers/gpu/drm/qxl/qxl_fb.c
+@@ -91,7 +91,7 @@ static void qxl_fb_dirty_flush(struct fb
+ u32 x1, x2, y1, y2;
+
+ /* TODO: hard coding 32 bpp */
+- int stride = qfbdev->qfb.base.pitches[0] * 4;
++ int stride = qfbdev->qfb.base.pitches[0];
+
+ x1 = qfbdev->dirty.x1;
+ x2 = qfbdev->dirty.x2;
--- /dev/null
+From 42d64e1add3a1ce8a787116036163b8724362145 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Thu, 26 Sep 2013 17:00:46 -0400
+Subject: selinux: correct locking in selinux_netlbl_socket_connect)
+
+From: Paul Moore <pmoore@redhat.com>
+
+commit 42d64e1add3a1ce8a787116036163b8724362145 upstream.
+
+The SELinux/NetLabel glue code has a locking bug that affects systems
+with NetLabel enabled, see the kernel error message below. This patch
+corrects this problem by converting the bottom half socket lock to a
+more conventional, and correct for this call-path, lock_sock() call.
+
+ ===============================
+ [ INFO: suspicious RCU usage. ]
+ 3.11.0-rc3+ #19 Not tainted
+ -------------------------------
+ net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 1, debug_locks = 0
+ 2 locks held by ping/731:
+ #0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect
+ #1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr
+
+ stack backtrace:
+ CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ 0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500
+ ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000
+ 000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7
+ Call Trace:
+ [<ffffffff81726b6a>] dump_stack+0x54/0x74
+ [<ffffffff810e4457>] lockdep_rcu_suspicious+0xe7/0x120
+ [<ffffffff8169bec7>] cipso_v4_sock_setattr+0x187/0x1a0
+ [<ffffffff8170f317>] netlbl_conn_setattr+0x187/0x190
+ [<ffffffff8170f195>] ? netlbl_conn_setattr+0x5/0x190
+ [<ffffffff8131ac9e>] selinux_netlbl_socket_connect+0xae/0xc0
+ [<ffffffff81303025>] selinux_socket_connect+0x135/0x170
+ [<ffffffff8119d127>] ? might_fault+0x57/0xb0
+ [<ffffffff812fb146>] security_socket_connect+0x16/0x20
+ [<ffffffff815d3ad3>] SYSC_connect+0x73/0x130
+ [<ffffffff81739a85>] ? sysret_check+0x22/0x5d
+ [<ffffffff810e5e2d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
+ [<ffffffff81373d4e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff815d52be>] SyS_connect+0xe/0x10
+ [<ffffffff81739a59>] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/netlabel.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/security/selinux/netlabel.c
++++ b/security/selinux/netlabel.c
+@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct
+ sksec->nlbl_state != NLBL_CONNLABELED)
+ return 0;
+
+- local_bh_disable();
+- bh_lock_sock_nested(sk);
++ lock_sock(sk);
+
+ /* connected sockets are allowed to disconnect when the address family
+ * is set to AF_UNSPEC, if that is what is happening we want to reset
+@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct
+ sksec->nlbl_state = NLBL_CONNLABELED;
+
+ socket_connect_return:
+- bh_unlock_sock(sk);
+- local_bh_enable();
++ release_sock(sk);
+ return rc;
+ }
blk-core-fix-memory-corruption-if-blkcg_init_queue-fails.patch
pm-hibernate-avoid-overflow-in-hibernate_preallocate_memory.patch
pm-runtime-use-pm_runtime_put_sync-in-__device_release_driver.patch
+qxl-avoid-an-oops-in-the-deferred-io-code.patch
+mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch
+mwifiex-fix-wrong-eth_hdr-usage-for-bridged-packets-in-ap-mode.patch
+audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch
+audit-use-nlmsg_len-to-get-message-payload-length.patch
+audit-fix-info-leak-in-audit_get-requests.patch
+audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch
+audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch
+audit-log-the-audit_names-record-type.patch
+pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch
+acpi-hotplug-fix-conflicted-pci-bridge-notify-handlers.patch
+selinux-correct-locking-in-selinux_netlbl_socket_connect.patch
+avr32-setup-crt-for-early-panic.patch
+avr32-fix-out-of-range-jump-in-large-kernels.patch
+prism54-set-netdev-type-to-wlan.patch
+ftrace-fix-function-graph-with-loading-of-modules.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
