--- /dev/null
+From 7512a1fac837476d4bf5d637ecf6044f180784e0 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 1 Aug 2013 18:08:34 -0700
+Subject: esp_scsi: Fix tag state corruption when autosensing.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 21af8107f27878813d0364733c0b08813c2c192a ]
+
+Meelis Roos reports a crash in esp_free_lun_tag() in the presense
+of a disk which has died.
+
+The issue is that when we issue an autosense command, we do so by
+hijacking the original command that caused the check-condition.
+
+When we do so we clear out the ent->tag[] array when we issue it via
+find_and_prep_issuable_command(). This is so that the autosense
+command is forced to be issued non-tagged.
+
+That is problematic, because it is the value of ent->tag[] which
+determines whether we issued the original scsi command as tagged
+vs. non-tagged (see esp_alloc_lun_tag()).
+
+And that, in turn, is what trips up the sanity checks in
+esp_free_lun_tag(). That function needs the original ->tag[] values
+in order to free up the tag slot properly.
+
+Fix this by remembering the original command's tag values, and
+having esp_alloc_lun_tag() and esp_free_lun_tag() use them.
+
+Reported-by: Meelis Roos <mroos@linux.ee>
+Tested-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/esp_scsi.c | 14 ++++++++------
+ drivers/scsi/esp_scsi.h | 1 +
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/esp_scsi.c
++++ b/drivers/scsi/esp_scsi.c
+@@ -530,7 +530,7 @@ static int esp_need_to_nego_sync(struct
+ static int esp_alloc_lun_tag(struct esp_cmd_entry *ent,
+ struct esp_lun_data *lp)
+ {
+- if (!ent->tag[0]) {
++ if (!ent->orig_tag[0]) {
+ /* Non-tagged, slot already taken? */
+ if (lp->non_tagged_cmd)
+ return -EBUSY;
+@@ -564,9 +564,9 @@ static int esp_alloc_lun_tag(struct esp_
+ return -EBUSY;
+ }
+
+- BUG_ON(lp->tagged_cmds[ent->tag[1]]);
++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]]);
+
+- lp->tagged_cmds[ent->tag[1]] = ent;
++ lp->tagged_cmds[ent->orig_tag[1]] = ent;
+ lp->num_tagged++;
+
+ return 0;
+@@ -575,9 +575,9 @@ static int esp_alloc_lun_tag(struct esp_
+ static void esp_free_lun_tag(struct esp_cmd_entry *ent,
+ struct esp_lun_data *lp)
+ {
+- if (ent->tag[0]) {
+- BUG_ON(lp->tagged_cmds[ent->tag[1]] != ent);
+- lp->tagged_cmds[ent->tag[1]] = NULL;
++ if (ent->orig_tag[0]) {
++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]] != ent);
++ lp->tagged_cmds[ent->orig_tag[1]] = NULL;
+ lp->num_tagged--;
+ } else {
+ BUG_ON(lp->non_tagged_cmd != ent);
+@@ -667,6 +667,8 @@ static struct esp_cmd_entry *find_and_pr
+ ent->tag[0] = 0;
+ ent->tag[1] = 0;
+ }
++ ent->orig_tag[0] = ent->tag[0];
++ ent->orig_tag[1] = ent->tag[1];
+
+ if (esp_alloc_lun_tag(ent, lp) < 0)
+ continue;
+--- a/drivers/scsi/esp_scsi.h
++++ b/drivers/scsi/esp_scsi.h
+@@ -271,6 +271,7 @@ struct esp_cmd_entry {
+ #define ESP_CMD_FLAG_AUTOSENSE 0x04 /* Doing automatic REQUEST_SENSE */
+
+ u8 tag[2];
++ u8 orig_tag[2];
+
+ u8 status;
+ u8 message;
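Review bot: The new `orig_tag[2]` field in struct esp_cmd_entry is added without a comment, although its relationship to `tag[]` is the whole point of the fix. Something like `u8 orig_tag[2]; /* tag[] as originally issued; tag[] itself is zeroed for autosense */` would explain why esp_alloc_lun_tag() and esp_free_lun_tag() now index `lp->tagged_cmds[]` with it. In the esp_scsi.c hunks the snapshot is taken only in find_and_prep_issuable_command(), so any other path that rewrites `tag[]` before a slot is allocated would presumably need the same copy. The struct and that function both continue outside the hunks shown.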
--- /dev/null
+From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 30 Sep 2013 13:45:08 -0700
+Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
+
+If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
+dereference happens upon core dump because argv_split("") returns
+argv[0] == NULL.
+
+This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
+subprocess_info->path != NULL") but was by error reintroduced by commit
+7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
+
+This bug seems to exist since 2.6.19 (the version which core dump to
+pipe was added). Depending on kernel version and config, some side
+effect might happen immediately after this oops (e.g. kernel panic with
+2.6.32-358.18.1.el6).
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kmod.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -571,6 +571,10 @@ int call_usermodehelper_exec(struct subp
+ DECLARE_COMPLETION_ONSTACK(done);
+ int retval = 0;
+
++ if (!sub_info->path) {
++ call_usermodehelper_freeinfo(sub_info);
++ return -EINVAL;
++ }
+ helper_lock();
+ if (!khelper_wq || usermodehelper_disabled) {
+ retval = -EBUSY;
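Review bot: The new `if (!sub_info->path)` guard at the top of call_usermodehelper_exec() has no comment saying how a NULL path can arise, and the commit message records that an equivalent check was already removed once by mistake. A line such as `/* path is NULL when argv_split("") yields argv[0] == NULL, e.g. core_pattern "|" */` above the `if` would protect it from the next cleanup. The guard also frees sub_info before returning -EINVAL, so callers must not touch it afterwards. That ownership rule belongs in the function's header comment, which lies outside the hunk.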
--- /dev/null
+From 83b2944fd2532b92db099cb3ada12df32a05b368 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 30 Sep 2013 13:45:09 -0700
+Subject: mm/bounce.c: fix a regression where MS_SNAP_STABLE (stable pages snapshotting) was ignored
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit 83b2944fd2532b92db099cb3ada12df32a05b368 upstream.
+
+The "force" parameter in __blk_queue_bounce was being ignored, which
+means that stable page snapshots are not always happening (on ext3).
+This of course leads to DIF disks reporting checksum errors, so fix this
+regression.
+
+The regression was introduced in commit 6bc454d15004 ("bounce: Refactor
+__blk_queue_bounce to not use bi_io_vec")
+
+Reported-by: Mel Gorman <mgorman@suse.de>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Kent Overstreet <koverstreet@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/bounce.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/bounce.c
++++ b/mm/bounce.c
+@@ -204,6 +204,8 @@ static void __blk_queue_bounce(struct re
+ struct bio_vec *to, *from;
+ unsigned i;
+
++ if (force)
++ goto bounce;
+ bio_for_each_segment(from, *bio_orig, i)
+ if (page_to_pfn(from->bv_page) > queue_bounce_pfn(q))
+ goto bounce;
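Review bot: The added `if (force) goto bounce;` sits directly above the unbraced `bio_for_each_segment` loop with no comment, and the commit message says this same check was lost in an earlier refactor. A short comment, e.g. `/* force: bounce even if every page is below the bounce pfn (stable-page snapshot) */`, would make it clear that the shortcut is required behaviour and not an optimisation. __blk_queue_bounce() continues outside the hunk.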
--- /dev/null
+From bc1f8e1407d1ffaa714066621f187180b4eddd20 Mon Sep 17 00:00:00 2001
+From: David Miller <davem@davemloft.net>
+Date: Wed, 2 Oct 2013 14:25:09 -0400
+Subject: mm: Fix generic hugetlb pte check return type.
+
+From: David Miller <davem@davemloft.net>
+
+[ Upstream commit 26794942461f438a6bc725ec7294b08a6bd782c4 ]
+
+The include/asm-generic/hugetlb.h stubs that just vector huge_pte_*()
+calls to the pte_*() implementations won't work in certain situations.
+
+x86 and sparc, for example, return "unsigned long" from the bit
+checks, and just go "return pte_val(pte) & PTE_BIT_FOO;"
+
+But since huge_pte_*() returns 'int', if any high bits on 64-bit are
+relevant, they get chopped off.
+
+The net effect is that we can loop forever trying to COW a huge page,
+because the huge_pte_write() check signals false all the time.
+
+Reported-by: Gurudas Pai <gurudas.pai@oracle.com>
+Tested-by: Gurudas Pai <gurudas.pai@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/asm-generic/hugetlb.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/asm-generic/hugetlb.h
++++ b/include/asm-generic/hugetlb.h
+@@ -6,12 +6,12 @@ static inline pte_t mk_huge_pte(struct p
+ return mk_pte(page, pgprot);
+ }
+
+-static inline int huge_pte_write(pte_t pte)
++static inline unsigned long huge_pte_write(pte_t pte)
+ {
+ return pte_write(pte);
+ }
+
+-static inline int huge_pte_dirty(pte_t pte)
++static inline unsigned long huge_pte_dirty(pte_t pte)
+ {
+ return pte_dirty(pte);
+ }
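Review bot: Widening the return type of huge_pte_write() and huge_pte_dirty() to `unsigned long` only helps callers that test the result directly. A caller that stores it in an `int` truncates the high bits again. Normalising in the stubs, `return !!pte_write(pte);` and `return !!pte_dirty(pte);`, would make both helpers safe whatever the caller does with the value. No callers are visible in this hunk, so whether any of them narrows the result is unconfirmed.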
--- /dev/null
+From bd1c6142edce787b8ac1be15635f845aa9905333 Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Tue, 24 Sep 2013 19:31:24 -0700
+Subject: mwifiex: fix hang issue for USB chipsets
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+commit bd1c6142edce787b8ac1be15635f845aa9905333 upstream.
+
+Bug 60815 - Interface hangs in mwifiex_usb
+https://bugzilla.kernel.org/show_bug.cgi?id=60815
+
+We have 4 bytes of interface header for packets delivered to SDIO
+and PCIe, but not for USB interface.
+
+In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily
+appended for USB packets. This sometimes leads to a firmware hang,
+because it may not interpret the data packet correctly.
+
+Problem is fixed by removing this redundant headroom for USB.
+
+Tested-by: Dmitry Khromov <icechrome@gmail.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/11n_aggr.c | 3 ++-
+ drivers/net/wireless/mwifiex/11n_aggr.h | 2 +-
+ drivers/net/wireless/mwifiex/wmm.c | 3 +--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/11n_aggr.c
++++ b/drivers/net/wireless/mwifiex/11n_aggr.c
+@@ -149,7 +149,7 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
+ */
+ int
+ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
+- struct mwifiex_ra_list_tbl *pra_list, int headroom,
++ struct mwifiex_ra_list_tbl *pra_list,
+ int ptrindex, unsigned long ra_list_flags)
+ __releases(&priv->wmm.ra_list_spinlock)
+ {
+@@ -159,6 +159,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex
+ int pad = 0, ret;
+ struct mwifiex_tx_param tx_param;
+ struct txpd *ptx_pd = NULL;
++ int headroom = adapter->iface_type == MWIFIEX_USB ? 0 : INTF_HEADER_LEN;
+
+ skb_src = skb_peek(&pra_list->skb_head);
+ if (!skb_src) {
+--- a/drivers/net/wireless/mwifiex/11n_aggr.h
++++ b/drivers/net/wireless/mwifiex/11n_aggr.h
+@@ -26,7 +26,7 @@
+ int mwifiex_11n_deaggregate_pkt(struct mwifiex_private *priv,
+ struct sk_buff *skb);
+ int mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
+- struct mwifiex_ra_list_tbl *ptr, int headroom,
++ struct mwifiex_ra_list_tbl *ptr,
+ int ptr_index, unsigned long flags)
+ __releases(&priv->wmm.ra_list_spinlock);
+
+--- a/drivers/net/wireless/mwifiex/wmm.c
++++ b/drivers/net/wireless/mwifiex/wmm.c
+@@ -1239,8 +1239,7 @@ mwifiex_dequeue_tx_packet(struct mwifiex
+ if (enable_tx_amsdu && mwifiex_is_amsdu_allowed(priv, tid) &&
+ mwifiex_is_11n_aggragation_possible(priv, ptr,
+ adapter->tx_buf_size))
+- mwifiex_11n_aggregate_pkt(priv, ptr, INTF_HEADER_LEN,
+- ptr_index, flags);
++ mwifiex_11n_aggregate_pkt(priv, ptr, ptr_index, flags);
+ /* ra_list_spinlock has been freed in
+ mwifiex_11n_aggregate_pkt() */
+ else
--- /dev/null
+From 346ece0b7ba2730b4d633b9e371fe55488803102 Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Tue, 24 Sep 2013 19:31:25 -0700
+Subject: mwifiex: fix NULL pointer dereference in usb suspend handler
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit 346ece0b7ba2730b4d633b9e371fe55488803102 upstream.
+
+Bug 60815 - Interface hangs in mwifiex_usb
+https://bugzilla.kernel.org/show_bug.cgi?id=60815
+
+[ 2.883807] BUG: unable to handle kernel NULL pointer dereference
+ at 0000000000000048
+[ 2.883813] IP: [<ffffffff815a65e0>] pfifo_fast_enqueue+0x90/0x90
+
+[ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted
+ 3.11.1-monotone-l0 #6
+[ 2.883834] Hardware name: Microsoft Corporation Surface with
+ Windows 8 Pro/Surface with Windows 8 Pro,
+ BIOS 1.03.0450 03/29/2013
+
+On Surface Pro, suspend to ram gives a NULL pointer dereference in
+pfifo_fast_enqueue(). The stack trace reveals that the offending
+call is clearing carrier in mwifiex_usb suspend handler.
+
+Since commit 1499d9f "mwifiex: don't drop carrier flag over suspend"
+has removed the carrier flag handling over suspend/resume in SDIO
+and PCIe drivers, I'm removing it in USB driver too. This also fixes
+the bug for Surface Pro.
+
+Tested-by: Dmitry Khromov <icechrome@gmail.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/usb.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/usb.c
++++ b/drivers/net/wireless/mwifiex/usb.c
+@@ -446,9 +446,6 @@ static int mwifiex_usb_suspend(struct us
+ */
+ adapter->is_suspended = true;
+
+- for (i = 0; i < adapter->priv_num; i++)
+- netif_carrier_off(adapter->priv[i]->netdev);
+-
+ if (atomic_read(&card->rx_cmd_urb_pending) && card->rx_cmd.urb)
+ usb_kill_urb(card->rx_cmd.urb);
+
+@@ -508,10 +505,6 @@ static int mwifiex_usb_resume(struct usb
+ MWIFIEX_RX_CMD_BUF_SIZE);
+ }
+
+- for (i = 0; i < adapter->priv_num; i++)
+- if (adapter->priv[i]->media_connected)
+- netif_carrier_on(adapter->priv[i]->netdev);
+-
+ /* Disable Host Sleep */
+ if (adapter->hs_activated)
+ mwifiex_cancel_hs(mwifiex_get_priv(adapter,
--- /dev/null
+From b7be1522def9a9988b67afd0be999c50a96394b5 Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Fri, 20 Sep 2013 19:56:45 -0700
+Subject: mwifiex: fix PCIe hs_cfg cancel cmd timeout
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit b7be1522def9a9988b67afd0be999c50a96394b5 upstream.
+
+For pcie8897, the hs_cfg cancel command (0xe5) times out when host
+comes out of suspend. This is caused by an incompleted host sleep
+handshake between driver and firmware.
+
+Like SDIO interface, PCIe also needs to go through firmware power
+save events to complete the handshake for host sleep configuration.
+Only USB interface doesn't require power save events for hs_cfg.
+
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/cmdevt.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/cmdevt.c
++++ b/drivers/net/wireless/mwifiex/cmdevt.c
+@@ -1155,7 +1155,7 @@ int mwifiex_ret_802_11_hs_cfg(struct mwi
+ uint32_t conditions = le32_to_cpu(phs_cfg->params.hs_config.conditions);
+
+ if (phs_cfg->action == cpu_to_le16(HS_ACTIVATE) &&
+- adapter->iface_type == MWIFIEX_SDIO) {
++ adapter->iface_type != MWIFIEX_USB) {
+ mwifiex_hs_activated_event(priv, true);
+ return 0;
+ } else {
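Review bot: The activation test is now the negative match `adapter->iface_type != MWIFIEX_USB`, so every interface type other than USB takes this branch, including any type added later. The next hunk's `== MWIFIEX_USB` test is its complement, and neither carries a comment. A line such as `/* only USB skips the firmware power-save handshake for hs_cfg */` above the first `if` would record the intent stated in the commit message. mwifiex_ret_802_11_hs_cfg() starts and ends outside the hunks shown.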
+@@ -1167,8 +1167,7 @@ int mwifiex_ret_802_11_hs_cfg(struct mwi
+ }
+ if (conditions != HS_CFG_CANCEL) {
+ adapter->is_hs_configured = true;
+- if (adapter->iface_type == MWIFIEX_USB ||
+- adapter->iface_type == MWIFIEX_PCIE)
++ if (adapter->iface_type == MWIFIEX_USB)
+ mwifiex_hs_activated_event(priv, true);
+ } else {
+ adapter->is_hs_configured = false;
--- /dev/null
+From 52b26a3e1bb3e065c32b3febdac1e1f117d88e15 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 26 Sep 2013 14:08:36 -0400
+Subject: NFSv4.1: nfs4_fl_prepare_ds - fix bugs when the connect attempt fails
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 52b26a3e1bb3e065c32b3febdac1e1f117d88e15 upstream.
+
+- Fix an Oops when nfs4_ds_connect() returns an error.
+- Always check the device status after waiting for a connect to complete.
+
+Reported-by: Andy Adamson <andros@netapp.com>
+Reported-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4filelayoutdev.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/nfs4filelayoutdev.c
++++ b/fs/nfs/nfs4filelayoutdev.c
+@@ -801,34 +801,34 @@ nfs4_fl_prepare_ds(struct pnfs_layout_se
+ struct nfs4_file_layout_dsaddr *dsaddr = FILELAYOUT_LSEG(lseg)->dsaddr;
+ struct nfs4_pnfs_ds *ds = dsaddr->ds_list[ds_idx];
+ struct nfs4_deviceid_node *devid = FILELAYOUT_DEVID_NODE(lseg);
+-
+- if (filelayout_test_devid_unavailable(devid))
+- return NULL;
++ struct nfs4_pnfs_ds *ret = ds;
+
+ if (ds == NULL) {
+ printk(KERN_ERR "NFS: %s: No data server for offset index %d\n",
+ __func__, ds_idx);
+ filelayout_mark_devid_invalid(devid);
+- return NULL;
++ goto out;
+ }
+ if (ds->ds_clp)
+- return ds;
++ goto out_test_devid;
+
+ if (test_and_set_bit(NFS4DS_CONNECTING, &ds->ds_state) == 0) {
+ struct nfs_server *s = NFS_SERVER(lseg->pls_layout->plh_inode);
+ int err;
+
+ err = nfs4_ds_connect(s, ds);
+- if (err) {
++ if (err)
+ nfs4_mark_deviceid_unavailable(devid);
+- ds = NULL;
+- }
+ nfs4_clear_ds_conn_bit(ds);
+ } else {
+ /* Either ds is connected, or ds is NULL */
+ nfs4_wait_ds_connect(ds);
+ }
+- return ds;
++out_test_devid:
++ if (filelayout_test_devid_unavailable(devid))
++ ret = NULL;
++out:
++ return ret;
+ }
+
+ module_param(dataserver_retrans, uint, 0644);
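Review bot: The comment `/* Either ds is connected, or ds is NULL */` in the wait branch no longer describes the code. `ds` cannot be NULL there, because the `ds == NULL` case leaves through `goto out` earlier. After nfs4_wait_ds_connect() the function relies solely on filelayout_test_devid_unavailable(devid) to detect a connect that failed in another thread, and otherwise returns `ds`. I would reword the comment to `/* Another thread is connecting; device status is re-checked below */`. It may also be worth testing `ds->ds_clp` at `out_test_devid`, in case the unavailable flag can be cleared between the failed connect and this check, though that cannot be confirmed from the hunk.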
ipc-sem.c-fix-race-in-sem_lock.patch
ipc-msg-prevent-race-with-rmid-in-msgsnd-msgrcv.patch
ipc-fix-race-with-lsms.patch
+sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch
+sparc-fix-ldom_reboot-buffer-overflow-harder.patch
+sparc64-remove-rwsem-export-leftovers.patch
+sparc64-fix-itlb-handler-of-null-page.patch
+esp_scsi-fix-tag-state-corruption-when-autosensing.patch
+sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch
+sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
+sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
+mm-fix-generic-hugetlb-pte-check-return-type.patch
+mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch
+kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
+staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch
+nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch
+mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch
+mwifiex-fix-hang-issue-for-usb-chipsets.patch
+mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch
+usb-chipidea-add-intel-clovertrail-pci-id.patch
+usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
--- /dev/null
+From fbfeacb4aec8cd77f876a318113290bd33e9ce43 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 1 Oct 2013 22:13:34 -0700
+Subject: sparc: fix ldom_reboot buffer overflow harder
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 20928bd3f08afb036c096d9559d581926b895918 ]
+
+The length argument to strlcpy was still wrong. It could overflow the end of
+full_boot_str by 5 bytes. Instead of strcat and strlcpy, just use snprint.
+
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/ds.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/sparc/kernel/ds.c
++++ b/arch/sparc/kernel/ds.c
+@@ -849,9 +849,8 @@ void ldom_reboot(const char *boot_comman
+ if (boot_command && strlen(boot_command)) {
+ unsigned long len;
+
+- strcpy(full_boot_str, "boot ");
+- strlcpy(full_boot_str + strlen("boot "), boot_command,
+- sizeof(full_boot_str));
++ snprintf(full_boot_str, sizeof(full_boot_str), "boot %s",
++ boot_command);
+ len = strlen(full_boot_str);
+
+ if (reboot_data_supported) {
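Review bot: The snprintf() call discards its return value, so a boot_command that does not fit in full_boot_str is truncated silently and the code that follows uses the shortened string. The write itself is now bounded, which is the purpose of the patch, but the truncation should be detectable. `len = scnprintf(full_boot_str, sizeof(full_boot_str), "boot %s", boot_command);` yields the stored length directly, and comparing `strlen(boot_command) + strlen("boot ")` against `sizeof(full_boot_str)` beforehand would allow a warning or an early return. ldom_reboot() starts and ends outside the hunk, so the buffer size is not visible here.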
--- /dev/null
+From c5955ada10b89904ed1f5ed166f3678773365d7d Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <tkhai@yandex.ru>
+Date: Fri, 26 Jul 2013 01:17:15 +0400
+Subject: sparc32: Fix exit flag passed from traced sys_sigreturn
+
+From: Kirill Tkhai <tkhai@yandex.ru>
+
+[ Upstream commit 7a3b0f89e3fea680f93932691ca41a68eee7ab5e ]
+
+Pass 1 in %o1 to indicate that syscall_trace accounts exit.
+
+Signed-off-by: Kirill Tkhai <tkhai@yandex.ru>
+CC: David Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/entry.S
++++ b/arch/sparc/kernel/entry.S
+@@ -839,7 +839,7 @@ sys_sigreturn:
+ nop
+
+ call syscall_trace
+- nop
++ mov 1, %o1
+
+ 1:
+ /* We don't want to muck with user registers like a
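Review bot: The `mov 1, %o1` that replaces the `nop` occupies the delay slot of `call syscall_trace` and supplies its second argument, but nothing in the code says so. A trailing comment such as `mov 1, %o1 /* delay slot: 1 = syscall exit */` would stop a later edit from treating the instruction as filler and moving or dropping it. sys_sigreturn begins before the hunk and continues after it.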
--- /dev/null
+From f0c4d4cc6927e6d3c01106688dd65a9ffd303a3f Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 27 Sep 2013 13:46:04 -0700
+Subject: sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 2bd161a605f1f84a5fc8a4fe8410113a94f79355 ]
+
+Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
+strlcpy() instead of strcpy()") added a bug to ldom_reboot in
+arch/sparc/kernel/ds.c
+
+- strcpy(full_boot_str + strlen("boot "), boot_command);
++ strlcpy(full_boot_str + strlen("boot "), boot_command,
++ sizeof(full_boot_str + strlen("boot ")));
+
+That last sizeof() expression evaluates to sizeof(size_t) which is
+not what was intended.
+
+Also even the corrected:
+
+ sizeof(full_boot_str) + strlen("boot ")
+
+is not right as the destination buffer length is just plain
+"sizeof(full_boot_str)" and that's what the final argument
+should be.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/ds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/ds.c
++++ b/arch/sparc/kernel/ds.c
+@@ -851,7 +851,7 @@ void ldom_reboot(const char *boot_comman
+
+ strcpy(full_boot_str, "boot ");
+ strlcpy(full_boot_str + strlen("boot "), boot_command,
+- sizeof(full_boot_str + strlen("boot ")));
++ sizeof(full_boot_str));
+ len = strlen(full_boot_str);
+
+ if (reboot_data_supported) {
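Review bot: The corrected size argument is still too large. The destination pointer is `full_boot_str + strlen("boot ")`, so passing `sizeof(full_boot_str)` lets strlcpy() write up to strlen("boot ") bytes past the end of the buffer when boot_command is long. The bound for this call would be `sizeof(full_boot_str) - strlen("boot ")`. The same series carries sparc-fix-ldom_reboot-buffer-overflow-harder.patch, which replaces both calls with a single snprintf(), so this patch should not be applied or backported without it.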
--- /dev/null
+From c4a28599110ba4b8e2741ba2af364b5634c57813 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <tkhai@yandex.ru>
+Date: Fri, 2 Aug 2013 19:23:18 +0400
+Subject: sparc64: Fix ITLB handler of null page
+
+From: Kirill Tkhai <tkhai@yandex.ru>
+
+[ Upstream commit 1c2696cdaad84580545a2e9c0879ff597880b1a9 ]
+
+1)Use kvmap_itlb_longpath instead of kvmap_dtlb_longpath.
+
+2)Handle page #0 only, don't handle page #1: bleu -> blu
+
+ (KERNBASE is 0x400000, so #1 does not exist too. But everything
+ is possible in the future. Fix to not to have problems later.)
+
+3)Remove unused kvmap_itlb_nonlinear.
+
+Signed-off-by: Kirill Tkhai <tkhai@yandex.ru>
+CC: David Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/ktlb.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/sparc/kernel/ktlb.S
++++ b/arch/sparc/kernel/ktlb.S
+@@ -25,11 +25,10 @@ kvmap_itlb:
+ */
+ kvmap_itlb_4v:
+
+-kvmap_itlb_nonlinear:
+ /* Catch kernel NULL pointer calls. */
+ sethi %hi(PAGE_SIZE), %g5
+ cmp %g4, %g5
+- bleu,pn %xcc, kvmap_dtlb_longpath
++ blu,pn %xcc, kvmap_itlb_longpath
+ nop
+
+ KERN_TSB_LOOKUP_TL1(%g4, %g6, %g5, %g1, %g2, %g3, kvmap_itlb_load)
--- /dev/null
+From 91895e4091ffbf1721f82ced43ab99c8e9c93aec Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <tkhai@yandex.ru>
+Date: Fri, 26 Jul 2013 17:21:12 +0400
+Subject: sparc64: Fix not SRA'ed %o5 in 32-bit traced syscall
+
+From: Kirill Tkhai <tkhai@yandex.ru>
+
+[ Upstream commit ab2abda6377723e0d5fbbfe5f5aa16a5523344d1 ]
+
+(From v1 to v2: changed comment)
+
+On the way linux_sparc_syscall32->linux_syscall_trace32->goto 2f,
+register %o5 doesn't clear its second 32-bit.
+
+Fix that.
+
+Signed-off-by: Kirill Tkhai <tkhai@yandex.ru>
+CC: David Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/syscalls.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/sparc/kernel/syscalls.S
++++ b/arch/sparc/kernel/syscalls.S
+@@ -152,7 +152,7 @@ linux_syscall_trace32:
+ srl %i4, 0, %o4
+ srl %i1, 0, %o1
+ srl %i2, 0, %o2
+- ba,pt %xcc, 2f
++ ba,pt %xcc, 5f
+ srl %i3, 0, %o3
+
+ linux_syscall_trace:
+@@ -182,13 +182,13 @@ linux_sparc_syscall32:
+ srl %i1, 0, %o1 ! IEU0 Group
+ ldx [%g6 + TI_FLAGS], %l0 ! Load
+
+- srl %i5, 0, %o5 ! IEU1
++ srl %i3, 0, %o3 ! IEU0
+ srl %i2, 0, %o2 ! IEU0 Group
+ andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
+ bne,pn %icc, linux_syscall_trace32 ! CTI
+ mov %i0, %l5 ! IEU1
+- call %l7 ! CTI Group brk forced
+- srl %i3, 0, %o3 ! IEU0
++5: call %l7 ! CTI Group brk forced
++ srl %i5, 0, %o5 ! IEU1
+ ba,a,pt %xcc, 3f
+
+ /* Linux native system calls enter here... */
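Review bot: The new local label `5:` is both the branch target from linux_syscall_trace32 and the fall-through from linux_sparc_syscall32. The fix depends on `srl %i5, 0, %o5` sitting in the delay slot of `call %l7` so that both paths execute it. Without a comment, the swap with `srl %i3, 0, %o3` reads like an instruction-scheduling tweak and could be undone by a later reorder. A note on the label, e.g. `/* traced 32-bit syscalls re-enter here; upper 32 bits of %o5 are cleared in the delay slot */`, would record the constraint.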
--- /dev/null
+From 2e3cc5277574ee80c2ceea5269c7d4e6b2ae3145 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 22 Aug 2013 16:38:46 -0700
+Subject: sparc64: Fix off by one in trampoline TLB mapping installation loop.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 63d499662aeec1864ec36d042aca8184ea6a938e ]
+
+Reported-by: Kirill Tkhai <tkhai@yandex.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/trampoline_64.S | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/sparc/kernel/trampoline_64.S
++++ b/arch/sparc/kernel/trampoline_64.S
+@@ -129,7 +129,6 @@ startup_continue:
+ clr %l5
+ sethi %hi(num_kernel_image_mappings), %l6
+ lduw [%l6 + %lo(num_kernel_image_mappings)], %l6
+- add %l6, 1, %l6
+
+ mov 15, %l7
+ BRANCH_IF_ANY_CHEETAH(g1,g5,2f)
+@@ -222,7 +221,6 @@ niagara_lock_tlb:
+ clr %l5
+ sethi %hi(num_kernel_image_mappings), %l6
+ lduw [%l6 + %lo(num_kernel_image_mappings)], %l6
+- add %l6, 1, %l6
+
+ 1:
+ mov HV_FAST_MMU_MAP_PERM_ADDR, %o5
--- /dev/null
+From dc0f903242255161a7c644da79b6115f34b7df57 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <tkhai@yandex.ru>
+Date: Mon, 12 Aug 2013 16:02:24 +0400
+Subject: sparc64: Remove RWSEM export leftovers
+
+From: Kirill Tkhai <tkhai@yandex.ru>
+
+[ Upstream commit 61d9b9355b0d427bd1e732bd54628ff9103e496f ]
+
+The functions
+
+ __down_read
+ __down_read_trylock
+ __down_write
+ __down_write_trylock
+ __up_read
+ __up_write
+ __downgrade_write
+
+are implemented inline, so remove corresponding EXPORT_SYMBOLs
+(They lead to compile errors on RT kernel).
+
+Signed-off-by: Kirill Tkhai <tkhai@yandex.ru>
+CC: David Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/lib/ksyms.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/arch/sparc/lib/ksyms.c
++++ b/arch/sparc/lib/ksyms.c
+@@ -98,15 +98,6 @@ EXPORT_SYMBOL(___copy_from_user);
+ EXPORT_SYMBOL(___copy_in_user);
+ EXPORT_SYMBOL(__clear_user);
+
+-/* RW semaphores */
+-EXPORT_SYMBOL(__down_read);
+-EXPORT_SYMBOL(__down_read_trylock);
+-EXPORT_SYMBOL(__down_write);
+-EXPORT_SYMBOL(__down_write_trylock);
+-EXPORT_SYMBOL(__up_read);
+-EXPORT_SYMBOL(__up_write);
+-EXPORT_SYMBOL(__downgrade_write);
+-
+ /* Atomic counter implementation. */
+ EXPORT_SYMBOL(atomic_add);
+ EXPORT_SYMBOL(atomic_add_ret);
--- /dev/null
+From 677a31565692d596ef42ea589b53ba289abf4713 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 2 Oct 2013 14:57:51 +0100
+Subject: staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 677a31565692d596ef42ea589b53ba289abf4713 upstream.
+
+The `insn_bits` handler `ni_65xx_dio_insn_bits()` has a `for` loop that
+currently writes (optionally) and reads back up to 5 "ports" consisting
+of 8 channels each. It reads up to 32 1-bit channels but can only read
+and write a whole port at once - it needs to handle up to 5 ports as the
+first channel it reads might not be aligned on a port boundary. It
+breaks out of the loop early if the next port it handles is beyond the
+final port on the card. It also breaks out early on the 5th port in the
+loop if the first channel was aligned. Unfortunately, it doesn't check
+that the current port it is dealing with belongs to the comedi subdevice
+the `insn_bits` handler is acting on. That's a bug.
+
+Redo the `for` loop to terminate after the final port belonging to the
+subdevice, changing the loop variable in the process to simplify things
+a bit. The `for` loop could now try and handle more than 5 ports if the
+subdevice has more than 40 channels, but the test `if (bitshift >= 32)`
+ensures it will break out early after 4 or 5 ports (depending on whether
+the first channel is aligned on a port boundary). (`bitshift` will be
+between -7 and 7 inclusive on the first iteration, increasing by 8 for
+each subsequent operation.)
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_65xx.c | 25 ++++++++++---------------
+ 1 file changed, 10 insertions(+), 15 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/ni_65xx.c
++++ b/drivers/staging/comedi/drivers/ni_65xx.c
+@@ -369,28 +369,23 @@ static int ni_65xx_dio_insn_bits(struct
+ {
+ const struct ni_65xx_board *board = comedi_board(dev);
+ struct ni_65xx_private *devpriv = dev->private;
+- unsigned base_bitfield_channel;
+- const unsigned max_ports_per_bitfield = 5;
++ int base_bitfield_channel;
+ unsigned read_bits = 0;
+- unsigned j;
++ int last_port_offset = ni_65xx_port_by_channel(s->n_chan - 1);
++ int port_offset;
+
+ base_bitfield_channel = CR_CHAN(insn->chanspec);
+- for (j = 0; j < max_ports_per_bitfield; ++j) {
+- const unsigned port_offset =
+- ni_65xx_port_by_channel(base_bitfield_channel) + j;
+- const unsigned port =
+- sprivate(s)->base_port + port_offset;
+- unsigned base_port_channel;
++ for (port_offset = ni_65xx_port_by_channel(base_bitfield_channel);
++ port_offset <= last_port_offset; port_offset++) {
++ unsigned port = sprivate(s)->base_port + port_offset;
++ int base_port_channel = port_offset * ni_65xx_channels_per_port;
+ unsigned port_mask, port_data, port_read_bits;
+- int bitshift;
+- if (port >= ni_65xx_total_num_ports(board))
++ int bitshift = base_port_channel - base_bitfield_channel;
++
++ if (bitshift >= 32)
+ break;
+- base_port_channel = port_offset * ni_65xx_channels_per_port;
+ port_mask = data[0];
+ port_data = data[1];
+- bitshift = base_port_channel - base_bitfield_channel;
+- if (bitshift >= 32 || bitshift <= -32)
+- break;
+ if (bitshift > 0) {
+ port_mask >>= bitshift;
+ port_data >>= bitshift;
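Review bot: With the `port >= ni_65xx_total_num_ports(board)` test removed, nothing in the loop bounds `port` against the card any more. The only limit is `last_port_offset`, derived from `s->n_chan`. That is correct only if every subdevice's `base_port` plus its port count stays within the board, which is set up outside this hunk. It also assumes `s->n_chan` is never 0, since `s->n_chan - 1` would otherwise wrap (the type of n_chan is not visible here). A comment above the `for` stating that invariant would help, e.g. `/* ports of this subdevice only; base_port + last_port_offset is within the board by construction */`. The `board` local at the top of the function may also be unused now, unless the rest of the body outside the hunk still reads it.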
--- /dev/null
+From a214339d764a07b99dc0418685d6cc8a0a1970d5 Mon Sep 17 00:00:00 2001
+From: David Cohen <david.a.cohen@linux.intel.com>
+Date: Tue, 1 Oct 2013 14:32:58 -0700
+Subject: usb: chipidea: add Intel Clovertrail pci id
+
+From: David Cohen <david.a.cohen@linux.intel.com>
+
+commit a214339d764a07b99dc0418685d6cc8a0a1970d5 upstream.
+
+Also clean up the last item of the pci id list to be "cleaner".
+
+Signed-off-by: David Cohen <david.a.cohen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/ci_hdrc_pci.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/ci_hdrc_pci.c
++++ b/drivers/usb/chipidea/ci_hdrc_pci.c
+@@ -129,7 +129,12 @@ static DEFINE_PCI_DEVICE_TABLE(ci_hdrc_p
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0829),
+ .driver_data = (kernel_ulong_t)&penwell_pci_platdata,
+ },
+- { 0, 0, 0, 0, 0, 0, 0 /* end: all zeroes */ }
++ {
++ /* Intel Clovertrail */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xe006),
++ .driver_data = (kernel_ulong_t)&penwell_pci_platdata,
++ },
++ { 0 } /* end: all zeroes */
+ };
+ MODULE_DEVICE_TABLE(pci, ci_hdrc_pci_id_table);
+
--- /dev/null
+From eb2addd4044b4b2ce77693bde5bc810536dd96ee Mon Sep 17 00:00:00 2001
+From: Michal Malý <madcatxster@prifuk.cz>
+Date: Sat, 28 Sep 2013 19:50:27 +0200
+Subject: USB: serial: option: Ignore card reader interface on Huawei E1750
+
+From: Michal Malý <madcatxster@prifuk.cz>
+
+commit eb2addd4044b4b2ce77693bde5bc810536dd96ee upstream.
+
+Hi,
+
+my Huawei 3G modem has an embedded Smart Card reader which causes
+trouble when the modem is being detected (a bunch of "<warn> (ttyUSBx):
+open blocked by driver for more than 7 seconds!" in messages.log). This
+trivial patch corrects the problem for me. The modem identifies itself
+as "12d1:1406 Huawei Technologies Co., Ltd. E1750" in lsusb although the
+description on the body says "Model E173u-1"
+
+Signed-off-by: Michal Malý <madcatxster@prifuk.cz>
+Cc: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -81,6 +81,7 @@ static void option_instat_callback(struc
+
+ #define HUAWEI_VENDOR_ID 0x12D1
+ #define HUAWEI_PRODUCT_E173 0x140C
++#define HUAWEI_PRODUCT_E1750 0x1406
+ #define HUAWEI_PRODUCT_K4505 0x1464
+ #define HUAWEI_PRODUCT_K3765 0x1465
+ #define HUAWEI_PRODUCT_K4605 0x14C6
+@@ -567,6 +568,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t) &net_intf2_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
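Review bot: The new E1750 entry selects `net_intf2_blacklist`, but the commit message describes the troublesome interface as an embedded smart card reader, not a network interface. Nothing beside the entry says which interface number is being skipped or why. A comment such as `/* interface 2 is the embedded smart card reader */` on the entry would help, assuming interface 2 is indeed the reader. The blacklist definition is outside the hunk, so that cannot be checked here.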