From: Greg Kroah-Hartman Date: Fri, 28 Sep 2012 01:03:24 +0000 (-0700) Subject: 3.5-stable patches X-Git-Tag: v3.0.44~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43c42c4fcdc649e9965133042ffd1e3556d3d6ac;p=thirdparty%2Fkernel%2Fstable-queue.git 3.5-stable patches added patches: alsa-snd-usb-fix-next_packet_size-calls-for-pause-case.patch asoc-wm2000-correct-register-size.patch drm-i915-only-enable-sdvo-hotplug-irq-if-needed.patch drm-udl-limit-modes-to-the-sku-pixel-limits.patch gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch md-raid10-fix-enough-function-for-detecting-if-array-is-failed.patch usb-fix-race-condition-when-removing-host-controllers.patch usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch vmwgfx-corruption-in-vmw_event_fence_action_create.patch --- diff --git a/queue-3.5/alsa-snd-usb-fix-next_packet_size-calls-for-pause-case.patch b/queue-3.5/alsa-snd-usb-fix-next_packet_size-calls-for-pause-case.patch new file mode 100644 index 00000000000..2bf438c61e8 --- /dev/null +++ b/queue-3.5/alsa-snd-usb-fix-next_packet_size-calls-for-pause-case.patch @@ -0,0 +1,40 @@ +From 8dce30c89113e314d29d3b8f362aadff8087fccb Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Thu, 27 Sep 2012 10:26:01 +0200 +Subject: ALSA: snd-usb: fix next_packet_size calls for pause case + +From: Daniel Mack + +commit 8dce30c89113e314d29d3b8f362aadff8087fccb upstream. + +Also fix the calls to next_packet_size() for the pause case. This was +missed in 245baf983 ("ALSA: snd-usb: fix calls to next_packet_size"). + +Signed-off-by: Daniel Mack +Reviewed-by: Takashi Iwai +Reported-and-tested-by: Christian Tefzer +[ Taking directly because Takashi is on vacation - Linus ] +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/endpoint.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -197,7 +197,13 @@ static void prepare_outbound_urb(struct + /* no data provider, so send silence */ + unsigned int offs = 0; + for (i = 0; i < ctx->packets; ++i) { +- int counts = ctx->packet_size[i]; ++ int counts; ++ ++ if (ctx->packet_size[i]) ++ counts = ctx->packet_size[i]; ++ else ++ counts = snd_usb_endpoint_next_packet_size(ep); ++ + urb->iso_frame_desc[i].offset = offs * ep->stride; + urb->iso_frame_desc[i].length = counts * ep->stride; + offs += counts; diff --git a/queue-3.5/asoc-wm2000-correct-register-size.patch b/queue-3.5/asoc-wm2000-correct-register-size.patch new file mode 100644 index 00000000000..5180c59e373 --- /dev/null +++ b/queue-3.5/asoc-wm2000-correct-register-size.patch @@ -0,0 +1,27 @@ +From d0e12f3ff3472cbd8f52d3c0e6ee07a841787c40 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 26 Sep 2012 11:57:30 +0100 +Subject: ASoC: wm2000: Correct register size + +From: Mark Brown + +commit d0e12f3ff3472cbd8f52d3c0e6ee07a841787c40 upstream. + +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm2000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm2000.c ++++ b/sound/soc/codecs/wm2000.c +@@ -675,7 +675,7 @@ static int wm2000_resume(struct snd_soc_ + #endif + + static const struct regmap_config wm2000_regmap = { +- .reg_bits = 8, ++ .reg_bits = 16, + .val_bits = 8, + }; + diff --git a/queue-3.5/drm-i915-only-enable-sdvo-hotplug-irq-if-needed.patch b/queue-3.5/drm-i915-only-enable-sdvo-hotplug-irq-if-needed.patch new file mode 100644 index 00000000000..07491dbcb93 --- /dev/null +++ b/queue-3.5/drm-i915-only-enable-sdvo-hotplug-irq-if-needed.patch @@ -0,0 +1,78 @@ +From fcbc50da7753b210b4442ca9abc4efbd4e481f6e Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Wed, 29 Aug 2012 14:08:42 +0300 +Subject: drm/i915: only enable sdvo hotplug irq if needed + +From: Jani Nikula + +commit fcbc50da7753b210b4442ca9abc4efbd4e481f6e upstream. + +Avoid constant wakeups caused by noisy irq lines when we don't even care +about the irq. This should be particularly useful for i945g/gm where the +hotplug has been disabled: + +commit 768b107e4b3be0acf6f58e914afe4f337c00932b +Author: Daniel Vetter +Date: Fri May 4 11:29:56 2012 +0200 + + drm/i915: disable sdvo hotplug on i945g/gm + +v2: While at it, remove the bogus hotplug_active read, and do not mask +hotplug_active[0] before checking whether the irq is needed, per discussion +with Daniel on IRC. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=38442 +Tested-by: Dominik Köppl +Signed-off-by: Jani Nikula +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_sdvo.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/intel_sdvo.c +@@ -2552,25 +2552,12 @@ bool intel_sdvo_init(struct drm_device * + } + } + +- if (intel_sdvo->is_sdvob) +- dev_priv->hotplug_supported_mask |= SDVOB_HOTPLUG_INT_STATUS; +- else +- dev_priv->hotplug_supported_mask |= SDVOC_HOTPLUG_INT_STATUS; +- + drm_encoder_helper_add(&intel_encoder->base, &intel_sdvo_helper_funcs); + + /* In default case sdvo lvds is false */ + if (!intel_sdvo_get_capabilities(intel_sdvo, &intel_sdvo->caps)) + goto err; + +- /* Set up hotplug command - note paranoia about contents of reply. +- * We assume that the hardware is in a sane state, and only touch +- * the bits we think we understand. +- */ +- intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_ACTIVE_HOT_PLUG, +- &intel_sdvo->hotplug_active, 2); +- intel_sdvo->hotplug_active[0] &= ~0x3; +- + if (intel_sdvo_output_setup(intel_sdvo, + intel_sdvo->caps.output_flags) != true) { + DRM_DEBUG_KMS("SDVO output failed to setup on %s\n", +@@ -2578,6 +2565,16 @@ bool intel_sdvo_init(struct drm_device * + goto err; + } + ++ /* Only enable the hotplug irq if we need it, to work around noisy ++ * hotplug lines. ++ */ ++ if (intel_sdvo->hotplug_active[0]) { ++ if (intel_sdvo->is_sdvob) ++ dev_priv->hotplug_supported_mask |= SDVOB_HOTPLUG_INT_STATUS; ++ else ++ dev_priv->hotplug_supported_mask |= SDVOC_HOTPLUG_INT_STATUS; ++ } ++ + intel_sdvo_select_ddc_bus(dev_priv, intel_sdvo, sdvo_reg); + + /* Set the input timing to the screen. Assume always input 0. */ diff --git a/queue-3.5/drm-udl-limit-modes-to-the-sku-pixel-limits.patch b/queue-3.5/drm-udl-limit-modes-to-the-sku-pixel-limits.patch new file mode 100644 index 00000000000..03b4d45d2da --- /dev/null +++ b/queue-3.5/drm-udl-limit-modes-to-the-sku-pixel-limits.patch @@ -0,0 +1,39 @@ +From 3a75885848996baab5276ff37ebf7295c3c753f0 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 25 Sep 2012 16:17:43 +1000 +Subject: drm/udl: limit modes to the sku pixel limits. + +From: Dave Airlie + +commit 3a75885848996baab5276ff37ebf7295c3c753f0 upstream. + +Otherwise when X starts we commonly get a black screen scanning +out nothing, its wierd dpms on/off from userspace brings it back, + +With this on F18, multi-seat works again with my 1920x1200 monitor +which is above the sku limit for the device I have. + +Reviewed-by: Alex Deucher +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/udl/udl_connector.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/udl/udl_connector.c ++++ b/drivers/gpu/drm/udl/udl_connector.c +@@ -69,6 +69,13 @@ static int udl_get_modes(struct drm_conn + static int udl_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { ++ struct udl_device *udl = connector->dev->dev_private; ++ if (!udl->sku_pixel_limit) ++ return 0; ++ ++ if (mode->vdisplay * mode->hdisplay > udl->sku_pixel_limit) ++ return MODE_VIRTUAL_Y; ++ + return 0; + } + diff --git a/queue-3.5/gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch b/queue-3.5/gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch new file mode 100644 index 00000000000..7e8ffbe45f9 --- /dev/null +++ b/queue-3.5/gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch @@ -0,0 +1,50 @@ +From b1268d3737c6316016026245eef276eda6b0a621 Mon Sep 17 00:00:00 2001 +From: Roland Stigge +Date: Thu, 20 Sep 2012 10:48:03 +0200 +Subject: gpio-lpc32xx: Fix value handling of gpio_direction_output() + +From: Roland Stigge + +commit b1268d3737c6316016026245eef276eda6b0a621 upstream. + +For GPIOs of gpio-lpc32xx, gpio_direction_output() ignores the value argument +(initial value of output). This patch fixes this by setting the level +accordingly. + +Signed-off-by: Roland Stigge +Acked-by: Alexandre Pereira da Silva +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-lpc32xx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpio/gpio-lpc32xx.c ++++ b/drivers/gpio/gpio-lpc32xx.c +@@ -307,6 +307,7 @@ static int lpc32xx_gpio_dir_output_p012( + { + struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip); + ++ __set_gpio_level_p012(group, pin, value); + __set_gpio_dir_p012(group, pin, 0); + + return 0; +@@ -317,6 +318,7 @@ static int lpc32xx_gpio_dir_output_p3(st + { + struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip); + ++ __set_gpio_level_p3(group, pin, value); + __set_gpio_dir_p3(group, pin, 0); + + return 0; +@@ -325,6 +327,9 @@ static int lpc32xx_gpio_dir_output_p3(st + static int lpc32xx_gpio_dir_out_always(struct gpio_chip *chip, unsigned pin, + int value) + { ++ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip); ++ ++ __set_gpo_level_p3(group, pin, value); + return 0; + } + diff --git a/queue-3.5/md-raid10-fix-enough-function-for-detecting-if-array-is-failed.patch b/queue-3.5/md-raid10-fix-enough-function-for-detecting-if-array-is-failed.patch new file mode 100644 index 00000000000..ad8187eff45 --- /dev/null +++ b/queue-3.5/md-raid10-fix-enough-function-for-detecting-if-array-is-failed.patch @@ -0,0 +1,51 @@ +From 80b4812407c6b1f66a4f2430e69747a13f010839 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 27 Sep 2012 12:35:21 +1000 +Subject: md/raid10: fix "enough" function for detecting if array is failed. + +From: NeilBrown + +commit 80b4812407c6b1f66a4f2430e69747a13f010839 upstream. + +The 'enough' function is written to work with 'near' arrays only +in that is implicitly assumes that the offset from one 'group' of +devices to the next is the same as the number of copies. +In reality it is the number of 'near' copies. + +So change it to make this number explicit. + +This bug makes it possible to run arrays without enough drives +present, which is dangerous. +It is appropriate for an -stable kernel, but will almost certainly +need to be modified for some of them. + +Reported-by: Jakub Husák +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid10.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1492,14 +1492,16 @@ static int _enough(struct r10conf *conf, + do { + int n = conf->copies; + int cnt = 0; ++ int this = first; + while (n--) { +- if (conf->mirrors[first].rdev && +- first != ignore) ++ if (conf->mirrors[this].rdev && ++ this != ignore) + cnt++; +- first = (first+1) % geo->raid_disks; ++ this = (this+1) % geo->raid_disks; + } + if (cnt == 0) + return 0; ++ first = (first + geo->near_copies) % geo->raid_disks; + } while (first != 0); + return 1; + } diff --git a/queue-3.5/series b/queue-3.5/series index 76ad686c1b3..0500021f027 100644 --- a/queue-3.5/series +++ b/queue-3.5/series @@ -251,3 +251,12 @@ kthread_worker-reorganize-to-prepare-for-flush_kthread_work-reimplementation.pat kthread_worker-reimplement-flush_kthread_work-to-allow-freeing-the-work-item-being-executed.patch usb-chipidea-udc-fix-error-path-in-udc_start.patch usb-chipidea-cleanup-dma_pool-if-udc_start-fails.patch +usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch +usb-fix-race-condition-when-removing-host-controllers.patch +alsa-snd-usb-fix-next_packet_size-calls-for-pause-case.patch +asoc-wm2000-correct-register-size.patch +gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch +md-raid10-fix-enough-function-for-detecting-if-array-is-failed.patch +drm-udl-limit-modes-to-the-sku-pixel-limits.patch +drm-i915-only-enable-sdvo-hotplug-irq-if-needed.patch +vmwgfx-corruption-in-vmw_event_fence_action_create.patch diff --git a/queue-3.5/usb-fix-race-condition-when-removing-host-controllers.patch b/queue-3.5/usb-fix-race-condition-when-removing-host-controllers.patch new file mode 100644 index 00000000000..c489d0c7837 --- /dev/null +++ b/queue-3.5/usb-fix-race-condition-when-removing-host-controllers.patch @@ -0,0 +1,68 @@ +From 0d00dc2611abbe6ad244d50569c2ee82ce42846c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 26 Sep 2012 13:09:53 -0400 +Subject: USB: Fix race condition when removing host controllers + +From: Alan Stern + +commit 0d00dc2611abbe6ad244d50569c2ee82ce42846c upstream. + +This patch (as1607) fixes a race that can occur if a USB host +controller is removed while a process is reading the +/sys/kernel/debug/usb/devices file. + +The usb_device_read() routine uses the bus->root_hub pointer to +determine whether or not the root hub is registered. The is not a +valid test, because the pointer is set before the root hub gets +registered and remains set even after the root hub is unregistered and +deallocated. As a result, usb_device_read() or usb_device_dump() can +access freed memory, causing an oops. + +The patch changes the test to use the hcd->rh_registered flag, which +does get set and cleared at the appropriate times. It also makes sure +to hold the usb_bus_list_lock mutex while setting the flag, so that +usb_device_read() will become aware of new root hubs as soon as they +are registered. + +Signed-off-by: Alan Stern +Reported-by: Don Zickus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devices.c | 2 +- + drivers/usb/core/hcd.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/usb/core/devices.c ++++ b/drivers/usb/core/devices.c +@@ -624,7 +624,7 @@ static ssize_t usb_device_read(struct fi + /* print devices for all busses */ + list_for_each_entry(bus, &usb_bus_list, bus_list) { + /* recurse through all children of the root hub */ +- if (!bus->root_hub) ++ if (!bus_to_hcd(bus)->rh_registered) + continue; + usb_lock_device(bus->root_hub); + ret = usb_device_dump(&buf, &nbytes, &skip_bytes, ppos, +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1011,10 +1011,7 @@ static int register_root_hub(struct usb_ + if (retval) { + dev_err (parent_dev, "can't register root hub for %s, %d\n", + dev_name(&usb_dev->dev), retval); +- } +- mutex_unlock(&usb_bus_list_lock); +- +- if (retval == 0) { ++ } else { + spin_lock_irq (&hcd_root_hub_lock); + hcd->rh_registered = 1; + spin_unlock_irq (&hcd_root_hub_lock); +@@ -1023,6 +1020,7 @@ static int register_root_hub(struct usb_ + if (HCD_DEAD(hcd)) + usb_hc_died (hcd); /* This time clean up */ + } ++ mutex_unlock(&usb_bus_list_lock); + + return retval; + } diff --git a/queue-3.5/usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch b/queue-3.5/usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch new file mode 100644 index 00000000000..4c41a048d78 --- /dev/null +++ b/queue-3.5/usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch @@ -0,0 +1,130 @@ +From 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 Mon Sep 17 00:00:00 2001 +From: Joachim Eastwood +Date: Sun, 23 Sep 2012 22:56:00 +0200 +Subject: USB: ohci-at91: fix null pointer in ohci_hcd_at91_overcurrent_irq + +From: Joachim Eastwood + +commit 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 upstream. + +Fixes the following NULL pointer dereference: +[ 7.740000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver +[ 7.810000] Unable to handle kernel NULL pointer dereference at virtual address 00000028 +[ 7.810000] pgd = c3a38000 +[ 7.810000] [00000028] *pgd=23a8c831, *pte=00000000, *ppte=00000000 +[ 7.810000] Internal error: Oops: 17 [#1] PREEMPT ARM +[ 7.810000] Modules linked in: ohci_hcd(+) regmap_i2c snd_pcm usbcore snd_page_alloc at91_cf snd_timer pcmcia_rsrc snd soundcore gpio_keys regmap_spi pcmcia_core usb_common nls_base +[ 7.810000] CPU: 0 Not tainted (3.6.0-rc6-mpa+ #264) +[ 7.810000] PC is at __gpio_to_irq+0x18/0x40 +[ 7.810000] LR is at ohci_hcd_at91_overcurrent_irq+0x24/0xb4 [ohci_hcd] +[ 7.810000] pc : [] lr : [] psr: 40000093 +[ 7.810000] sp : c3a11c40 ip : c3a11c50 fp : c3a11c4c +[ 7.810000] r10: 00000000 r9 : c02dcd6e r8 : fefff400 +[ 7.810000] r7 : 00000000 r6 : c02cc928 r5 : 00000030 r4 : c02dd168 +[ 7.810000] r3 : c02e7350 r2 : ffffffea r1 : c02cc928 r0 : 00000000 +[ 7.810000] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +[ 7.810000] Control: c000717f Table: 23a38000 DAC: 00000015 +[ 7.810000] Process modprobe (pid: 285, stack limit = 0xc3a10270) +[ 7.810000] Stack: (0xc3a11c40 to 0xc3a12000) +[ 7.810000] 1c40: c3a11c6c c3a11c50 bf08f694 c01392cc c3a11c84 c2c38b00 c3806900 00000030 +[ 7.810000] 1c60: c3a11ca4 c3a11c70 c0051264 bf08f680 c3a11cac c3a11c80 c003e764 c3806900 +[ 7.810000] 1c80: c2c38b00 c02cb05c c02cb000 fefff400 c3806930 c3a11cf4 c3a11cbc c3a11ca8 +[ 7.810000] 1ca0: c005142c c005123c c3806900 c3805a00 c3a11cd4 c3a11cc0 c0053f24 c00513e4 +[ 7.810000] 1cc0: c3a11cf4 00000030 c3a11cec c3a11cd8 c005120c c0053e88 00000000 00000000 +[ 7.810000] 1ce0: c3a11d1c c3a11cf0 c00124d0 c00511e0 01400000 00000001 00000012 00000000 +[ 7.810000] 1d00: ffffffff c3a11d94 00000030 00000000 c3a11d34 c3a11d20 c005120c c0012438 +[ 7.810000] 1d20: c001dac4 00000012 c3a11d4c c3a11d38 c0009b08 c00511e0 c00523fc 60000013 +[ 7.810000] 1d40: c3a11d5c c3a11d50 c0008510 c0009ab4 c3a11ddc c3a11d60 c0008eb4 c00084f0 +[ 7.810000] 1d60: 00000000 00000030 00000000 00000080 60000013 bf08f670 c3806900 c2c38b00 +[ 7.810000] 1d80: 00000030 c3806930 00000000 c3a11ddc c3a11d88 c3a11da8 c0054190 c00523fc +[ 7.810000] 1da0: 60000013 ffffffff c3a11dec c3a11db8 00000000 c2c38b00 bf08f670 c3806900 +[ 7.810000] 1dc0: 00000000 00000080 c02cc928 00000030 c3a11e0c c3a11de0 c0052764 c00520d8 +[ 7.810000] 1de0: c3a11dfc 00000000 00000000 00000002 bf090f61 00000004 c02cc930 c02cc928 +[ 7.810000] 1e00: c3a11e4c c3a11e10 bf090978 c005269c bf090f61 c02cc928 bf093000 c02dd170 +[ 7.810000] 1e20: c3a11e3c c02cc930 c02cc930 bf0911d0 bf0911d0 bf093000 c3a10000 00000000 +[ 7.810000] 1e40: c3a11e5c c3a11e50 c0155b7c bf090808 c3a11e7c c3a11e60 c0154690 c0155b6c +[ 7.810000] 1e60: c02cc930 c02cc964 bf0911d0 c3a11ea0 c3a11e9c c3a11e80 c015484c c01545e8 +[ 7.810000] 1e80: 00000000 00000000 c01547e4 bf0911d0 c3a11ec4 c3a11ea0 c0152e58 c01547f4 +[ 7.810000] 1ea0: c381b88c c384ab10 c2c10540 bf0911d0 00000000 c02d7518 c3a11ed4 c3a11ec8 +[ 7.810000] 1ec0: c01544c0 c0152e0c c3a11efc c3a11ed8 c01536cc c01544b0 bf091075 c3a11ee8 +[ 7.810000] 1ee0: bf049af0 bf09120c bf0911d0 00000000 c3a11f1c c3a11f00 c0154e9c c0153628 +[ 7.810000] 1f00: bf049af0 bf09120c 000ae190 00000000 c3a11f2c c3a11f20 c0155f58 c0154e04 +[ 7.810000] 1f20: c3a11f44 c3a11f30 bf093054 c0155f1c 00000000 00006a4f c3a11f7c c3a11f48 +[ 7.810000] 1f40: c0008638 bf093010 bf09120c 000ae190 00000000 c00093c4 00006a4f bf09120c +[ 7.810000] 1f60: 000ae190 00000000 c00093c4 00000000 c3a11fa4 c3a11f80 c004fdc4 c000859c +[ 7.810000] 1f80: c3a11fa4 000ae190 00006a4f 00016eb8 000ad018 00000080 00000000 c3a11fa8 +[ 7.810000] 1fa0: c0009260 c004fd58 00006a4f 00016eb8 000ae190 00006a4f 000ae100 00000000 +[ 7.810000] 1fc0: 00006a4f 00016eb8 000ad018 00000080 000adba0 000ad208 00000000 000ad3d8 +[ 7.810000] 1fe0: beaf7ae8 beaf7ad8 000172b8 b6e4e940 20000010 000ae190 00000000 00000000 +[ 7.810000] Backtrace: +[ 7.810000] [] (__gpio_to_irq+0x0/0x40) from [] (ohci_hcd_at91_overcurrent_irq+0x24/0xb4 [ohci_hcd]) +[ 7.810000] [] (ohci_hcd_at91_overcurrent_irq+0x0/0xb4 [ohci_hcd]) from [] (handle_irq_event_percpu+0x38/0x1a8) +[ 7.810000] r6:00000030 r5:c3806900 r4:c2c38b00 +[ 7.810000] [] (handle_irq_event_percpu+0x0/0x1a8) from [] (handle_irq_event+0x58/0x7c) +[ 7.810000] [] (handle_irq_event+0x0/0x7c) from [] (handle_simple_irq+0xac/0xd8) +[ 7.810000] r5:c3805a00 r4:c3806900 +[ 7.810000] [] (handle_simple_irq+0x0/0xd8) from [] (generic_handle_irq+0x3c/0x48) +[ 7.810000] r4:00000030 +[ 7.810000] [] (generic_handle_irq+0x0/0x48) from [] (gpio_irq_handler+0xa8/0xfc) +[ 7.810000] r4:00000000 +[ 7.810000] [] (gpio_irq_handler+0x0/0xfc) from [] (generic_handle_irq+0x3c/0x48) +[ 7.810000] [] (generic_handle_irq+0x0/0x48) from [] (handle_IRQ+0x64/0x88) +[ 7.810000] r4:00000012 +[ 7.810000] [] (handle_IRQ+0x0/0x88) from [] (at91_aic_handle_irq+0x30/0x38) +[ 7.810000] r5:60000013 r4:c00523fc +[ 7.810000] [] (at91_aic_handle_irq+0x0/0x38) from [] (__irq_svc+0x34/0x60) +[ 7.810000] Exception stack(0xc3a11d60 to 0xc3a11da8) +[ 7.810000] 1d60: 00000000 00000030 00000000 00000080 60000013 bf08f670 c3806900 c2c38b00 +[ 7.810000] 1d80: 00000030 c3806930 00000000 c3a11ddc c3a11d88 c3a11da8 c0054190 c00523fc +[ 7.810000] 1da0: 60000013 ffffffff +[ 7.810000] [] (__setup_irq+0x0/0x458) from [] (request_threaded_irq+0xd8/0x134) +[ 7.810000] [] (request_threaded_irq+0x0/0x134) from [] (ohci_hcd_at91_drv_probe+0x180/0x41c [ohci_hcd]) +[ 7.810000] [] (ohci_hcd_at91_drv_probe+0x0/0x41c [ohci_hcd]) from [] (platform_drv_probe+0x20/0x24) +[ 7.810000] [] (platform_drv_probe+0x0/0x24) from [] (driver_probe_device+0xb8/0x20c) +[ 7.810000] [] (driver_probe_device+0x0/0x20c) from [] (__driver_attach+0x68/0x88) +[ 7.810000] r7:c3a11ea0 r6:bf0911d0 r5:c02cc964 r4:c02cc930 +[ 7.810000] [] (__driver_attach+0x0/0x88) from [] (bus_for_each_dev+0x5c/0x9c) +[ 7.810000] r6:bf0911d0 r5:c01547e4 r4:00000000 +[ 7.810000] [] (bus_for_each_dev+0x0/0x9c) from [] (driver_attach+0x20/0x28) +[ 7.810000] r7:c02d7518 r6:00000000 r5:bf0911d0 r4:c2c10540 +[ 7.810000] [] (driver_attach+0x0/0x28) from [] (bus_add_driver+0xb4/0x22c) +[ 7.810000] [] (bus_add_driver+0x0/0x22c) from [] (driver_register+0xa8/0x144) +[ 7.810000] r7:00000000 r6:bf0911d0 r5:bf09120c r4:bf049af0 +[ 7.810000] [] (driver_register+0x0/0x144) from [] (platform_driver_register+0x4c/0x60) +[ 7.810000] r7:00000000 r6:000ae190 r5:bf09120c r4:bf049af0 +[ 7.810000] [] (platform_driver_register+0x0/0x60) from [] (ohci_hcd_mod_init+0x54/0x8c [ohci_hcd]) +[ 7.810000] [] (ohci_hcd_mod_init+0x0/0x8c [ohci_hcd]) from [] (do_one_initcall+0xac/0x174) +[ 7.810000] r4:00006a4f +[ 7.810000] [] (do_one_initcall+0x0/0x174) from [] (sys_init_module+0x7c/0x1a0) +[ 7.810000] [] (sys_init_module+0x0/0x1a0) from [] (ret_fast_syscall+0x0/0x2c) +[ 7.810000] r7:00000080 r6:000ad018 r5:00016eb8 r4:00006a4f +[ 7.810000] Code: e24cb004 e59f3028 e1a02000 e7930180 (e5903028) +[ 7.810000] ---[ end trace 85aa37ed128143b5 ]--- +[ 7.810000] Kernel panic - not syncing: Fatal exception in interrupt + +Commit 6fffb77c (USB: ohci-at91: fix PIO handling in relation with number of +ports) started setting unused pins to EINVAL. But this exposed a bug in the +ohci_hcd_at91_overcurrent_irq function where the gpio was used without being +checked to see if it is valid. + +This patches fixed the issue by adding the gpio valid check. + +Signed-off-by: Joachim Eastwood +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-at91.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ohci-at91.c ++++ b/drivers/usb/host/ohci-at91.c +@@ -467,7 +467,8 @@ static irqreturn_t ohci_hcd_at91_overcur + /* From the GPIO notifying the over-current situation, find + * out the corresponding port */ + at91_for_each_port(port) { +- if (gpio_to_irq(pdata->overcurrent_pin[port]) == irq) { ++ if (gpio_is_valid(pdata->overcurrent_pin[port]) && ++ gpio_to_irq(pdata->overcurrent_pin[port]) == irq) { + gpio = pdata->overcurrent_pin[port]; + break; + } diff --git a/queue-3.5/vmwgfx-corruption-in-vmw_event_fence_action_create.patch b/queue-3.5/vmwgfx-corruption-in-vmw_event_fence_action_create.patch new file mode 100644 index 00000000000..6a8d960d6cd --- /dev/null +++ b/queue-3.5/vmwgfx-corruption-in-vmw_event_fence_action_create.patch @@ -0,0 +1,32 @@ +From 68c4fce737c4b963e336435f225621dc21138397 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sun, 23 Sep 2012 19:33:55 +0300 +Subject: vmwgfx: corruption in vmw_event_fence_action_create() + +From: Dan Carpenter + +commit 68c4fce737c4b963e336435f225621dc21138397 upstream. + +We don't allocate enough data for this struct. As soon as we start +modifying event->event on the next lines, then we're going beyond the +end of the memory we allocated. + +Signed-off-by: Dan Carpenter +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +@@ -1018,7 +1018,7 @@ int vmw_event_fence_action_create(struct + } + + +- event = kzalloc(sizeof(event->event), GFP_KERNEL); ++ event = kzalloc(sizeof(*event), GFP_KERNEL); + if (unlikely(event == NULL)) { + DRM_ERROR("Failed to allocate an event.\n"); + ret = -ENOMEM;