From: Greg Kroah-Hartman Date: Thu, 24 May 2012 17:13:56 +0000 (+0900) Subject: 3.4-stable patches X-Git-Tag: v3.0.33~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6693e0901adf8c91fadc24d7379e984470556385;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: cfg80211-warn-if-db.txt-is-empty-with-config_cfg80211_internal_regdb.patch drivers-staging-comedi-comedi_fops.c-add-missing-vfree.patch fbdev-sh_mobile_lcdc-don-t-confuse-line-size-with-pitch.patch fix-blocking-allocations-called-very-early-during-bootup.patch ib-core-fix-mismatch-between-locked-and-pinned-pages.patch isci-fix-oem-parameter-validation-on-single-controller-skus.patch iwlwifi-use-6000g2b-for-6030-device-series.patch iwlwifi-use-correct-released-ucode-version.patch keys-use-the-compat-keyctl-syscall-wrapper-on-sparc64-for-sparc32-compat.patch net-wireless-ipw2200-fix-warn_on-occurring-in-wiphy_register-called-by-ipw_pci_probe.patch perf-x86-update-event-scheduling-constraints-for-amd-family-15h-models.patch powerpc-fix-broken-cpu_idle_wait-implementation.patch rdma-cxgb4-always-wake-up-waiters-in-c4iw_peer_abort_intr.patch rdma-cxgb4-drop-peer_abort-when-no-endpoint-found.patch rdma-cxgb4-use-dst-parameter-in-import_ep.patch regulator-core-release-regulator-regulator-supplies-on-error.patch s390-pfault-fix-task-state-race.patch scsi-mpt2sas-fix-for-panic-happening-because-of-improper-memory-allocation.patch selinux-if-sel_make_bools-errors-don-t-leave-inconsistent-state.patch
---
diff --git a/queue-3.4/cfg80211-warn-if-db.txt-is-empty-with-config_cfg80211_internal_regdb.patch b/queue-3.4/cfg80211-warn-if-db.txt-is-empty-with-config_cfg80211_internal_regdb.patch
new file mode 100644
index 00000000000..f1a6813cda8
--- /dev/null
+++ b/queue-3.4/cfg80211-warn-if-db.txt-is-empty-with-config_cfg80211_internal_regdb.patch
@@ -0,0 +1,83 @@
+From 80007efeff0568375b08faf93c7aad65602cb97e Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez"
+Date: Fri, 23 Mar 2012 07:23:31 -0700
+Subject: cfg80211: warn if db.txt is empty with CONFIG_CFG80211_INTERNAL_REGDB
+
+From: "Luis R. Rodriguez"
+
+commit 80007efeff0568375b08faf93c7aad65602cb97e upstream.
+
+It has happened twice now where elaborate troubleshooting has
+undergone on systems where CONFIG_CFG80211_INTERNAL_REGDB [0]
+has been set but yet net/wireless/db.txt was not updated.
+
+Despite the documentation on this it seems system integrators could
+use some more help with this, so throw out a kernel warning at boot time
+when their database is empty.
+
+This does mean that the error-prone system integrator won't likely
+realize the issue until they boot the machine but -- it does not seem
+to make sense to enable a build bug breaking random build testing.
+
+[0] http://wireless.kernel.org/en/developers/Regulatory/CRDA#CONFIG_CFG80211_INTERNAL_REGDB
+
+Cc: Stephen Rothwell
+Cc: Youngsin Lee
+Cc: Raja Mani
+Cc: Senthil Kumar Balasubramanian
+Cc: Vipin Mehta
+Cc: yahuan@qca.qualcomm.com
+Cc: jjan@qca.qualcomm.com
+Cc: vthiagar@qca.qualcomm.com
+Cc: henrykim@qualcomm.com
+Cc: jouni@qca.qualcomm.com
+Cc: athiruve@qca.qualcomm.com
+Cc: cjkim@qualcomm.com
+Cc: philipk@qca.qualcomm.com
+Cc: sunnykim@qualcomm.com
+Cc: sskwak@qualcomm.com
+Cc: kkim@qualcomm.com
+Cc: mattbyun@qualcomm.com
+Cc: ryanlee@qualcomm.com
+Cc: simbap@qualcomm.com
+Cc: krislee@qualcomm.com
+Cc: conner@qualcomm.com
+Cc: hojinkim@qualcomm.com
+Cc: honglee@qualcomm.com
+Cc: johnwkim@qualcomm.com
+Cc: jinyong@qca.qualcomm.com
+Signed-off-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -388,7 +388,15 @@ static void reg_regdb_query(const char *
+
+ schedule_work(®_regdb_work);
+ }
++
++/* Feel free to add any other sanity checks here */
++static void reg_regdb_size_check(void)
++{
++ /* We should ideally BUILD_BUG_ON() but then random builds would fail */
++ WARN_ONCE(!reg_regdb_size, "db.txt is empty, you should update it...");
++}
+ #else
++static inline void reg_regdb_size_check(void) {}
+ static inline void reg_regdb_query(const char *alpha2) {}
+ #endif /* CONFIG_CFG80211_INTERNAL_REGDB */
+
+@@ -2322,6 +2330,8 @@ int __init regulatory_init(void)
+ spin_lock_init(®_requests_lock);
+ spin_lock_init(®_pending_beacons_lock);
+
++ reg_regdb_size_check();
++
+ cfg80211_regdomain = cfg80211_world_regdom;
+
+ user_alpha2[0] = '9';
diff --git a/queue-3.4/drivers-staging-comedi-comedi_fops.c-add-missing-vfree.patch b/queue-3.4/drivers-staging-comedi-comedi_fops.c-add-missing-vfree.patch
new file mode 100644
index 00000000000..9c6ffec68fa
--- /dev/null
+++ b/queue-3.4/drivers-staging-comedi-comedi_fops.c-add-missing-vfree.patch
@@ -0,0 +1,30 @@
+From abae41e6438b798e046d721b6ccdd55b4a398170 Mon Sep 17 00:00:00 2001
+From: Julia Lawall
+Date: Sun, 22 Apr 2012 13:37:09 +0200
+Subject: drivers/staging/comedi/comedi_fops.c: add missing vfree
+
+From: Julia Lawall
+
+commit abae41e6438b798e046d721b6ccdd55b4a398170 upstream.
+
+aux_free is freed on all other exits from the function. By removing the
+return, we can benefit from the vfree already at the end of the function.
+
+Signed-off-by: Julia Lawall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/comedi_fops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -280,7 +280,7 @@ static int do_devconfig_ioctl(struct com
+ if (ret == 0) {
+ if (!try_module_get(dev->driver->module)) {
+ comedi_device_detach(dev);
+- return -ENOSYS;
++ ret = -ENOSYS;
+ }
+ }
+
diff --git a/queue-3.4/fbdev-sh_mobile_lcdc-don-t-confuse-line-size-with-pitch.patch b/queue-3.4/fbdev-sh_mobile_lcdc-don-t-confuse-line-size-with-pitch.patch
new file mode 100644
index 00000000000..962db363a48
--- /dev/null
+++ b/queue-3.4/fbdev-sh_mobile_lcdc-don-t-confuse-line-size-with-pitch.patch
@@ -0,0 +1,61 @@
+From 72c04af9a2d57b7945cf3de8e71461bd80695d50 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart
+Date: Fri, 18 May 2012 10:58:26 +0200
+Subject: fbdev: sh_mobile_lcdc: Don't confuse line size with pitch
+
+From: Laurent Pinchart
+
+commit 72c04af9a2d57b7945cf3de8e71461bd80695d50 upstream.
+
+When using the MERAM the LCDC line size needs to be programmed with a
+MERAM-specific value different than the real frame buffer pitch. Fix it.
+
+Reported-by: Guennadi Liakhovetski
+Signed-off-by: Laurent Pinchart
+Acked-by: Florian Tobias Schandinat
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/sh_mobile_lcdcfb.c | 5 +++--
+ drivers/video/sh_mobile_lcdcfb.h | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/sh_mobile_lcdcfb.c
++++ b/drivers/video/sh_mobile_lcdcfb.c
+@@ -758,7 +758,7 @@ static void __sh_mobile_lcdc_start(struc
+ }
+
+ lcdc_write_chan(ch, LDDFR, tmp);
+- lcdc_write_chan(ch, LDMLSR, ch->pitch);
++ lcdc_write_chan(ch, LDMLSR, ch->line_size);
+ lcdc_write_chan(ch, LDSA1R, ch->base_addr_y);
+ if (ch->format->yuv)
+ lcdc_write_chan(ch, LDSA2R, ch->base_addr_c);
+@@ -847,6 +847,7 @@ static int sh_mobile_lcdc_start(struct s
+
+ ch->base_addr_y = ch->dma_handle;
+ ch->base_addr_c = ch->base_addr_y + ch->xres * ch->yres_virtual;
++ ch->line_size = ch->pitch;
+
+ /* Enable MERAM if possible. */
+ if (mdev == NULL || mdev->ops == NULL ||
+@@ -882,7 +883,7 @@ static int sh_mobile_lcdc_start(struct s
+
+ meram = mdev->ops->meram_register(mdev, ch->cfg->meram_cfg,
+ ch->pitch, ch->yres, pixelformat,
+- &ch->pitch);
++ &ch->line_size);
+ if (!IS_ERR(meram)) {
+ mdev->ops->meram_update(mdev, meram,
+ ch->base_addr_y, ch->base_addr_c,
+--- a/drivers/video/sh_mobile_lcdcfb.h
++++ b/drivers/video/sh_mobile_lcdcfb.h
+@@ -84,6 +84,7 @@ struct sh_mobile_lcdc_chan {
+
+ unsigned long base_addr_y;
+ unsigned long base_addr_c;
++ unsigned int line_size;
+
+ int (*notify)(struct sh_mobile_lcdc_chan *ch,
+ enum sh_mobile_lcdc_entity_event event,
diff --git a/queue-3.4/fix-blocking-allocations-called-very-early-during-bootup.patch b/queue-3.4/fix-blocking-allocations-called-very-early-during-bootup.patch
new file mode 100644
index 00000000000..86a9fcadc05
--- /dev/null
+++ b/queue-3.4/fix-blocking-allocations-called-very-early-during-bootup.patch
@@ -0,0 +1,66 @@
+From 31a67102f4762df5544bc2dfb34a931233d2a5b2 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 21 May 2012 12:52:42 -0700
+Subject: Fix blocking allocations called very early during bootup
+
+From: Linus Torvalds
+
+commit 31a67102f4762df5544bc2dfb34a931233d2a5b2 upstream.
+
+During early boot, when the scheduler hasn't really been fully set up,
+we really can't do blocking allocations because with certain (dubious)
+configurations the "might_resched()" calls can actually result in
+scheduling events.
+
+We could just make such users always use GFP_ATOMIC, but quite often the
+code that does the allocation isn't really aware of the fact that the
+scheduler isn't up yet, and forcing that kind of random knowledge on the
+initialization code is just annoying and not good for anybody.
+
+And we actually have a the 'gfp_allowed_mask' exactly for this reason:
+it's just that the kernel init sequence happens to set it to allow
+blocking allocations much too early.
+
+So move the 'gfp_allowed_mask' initialization from 'start_kernel()'
+(which is some of the earliest init code, and runs with preemption
+disabled for good reasons) into 'kernel_init()'. kernel_init() is run
+in the newly created thread that will become the 'init' process, as
+opposed to the early startup code that runs within the context of what
+will be the first idle thread.
+
+So by the time we reach 'kernel_init()', we know that the scheduler must
+be at least limping along, because we've already scheduled from the idle
+thread into the init thread.
+
+Reported-by: Steven Rostedt
+Cc: David Rientjes
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ init/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -560,9 +560,6 @@ asmlinkage void __init start_kernel(void
+ early_boot_irqs_disabled = false;
+ local_irq_enable();
+
+- /* Interrupts are enabled now so all GFP allocations are safe. */
+- gfp_allowed_mask = __GFP_BITS_MASK;
+-
+ kmem_cache_init_late();
+
+ /*
+@@ -842,6 +839,10 @@ static int __init kernel_init(void * unu
+ * Wait until kthreadd is all set-up.
+ */
+ wait_for_completion(&kthreadd_done);
++
++ /* Now the scheduler is fully set up and can do blocking allocations */
++ gfp_allowed_mask = __GFP_BITS_MASK;
++
+ /*
+ * init can allocate pages on any node
+ */
diff --git a/queue-3.4/ib-core-fix-mismatch-between-locked-and-pinned-pages.patch b/queue-3.4/ib-core-fix-mismatch-between-locked-and-pinned-pages.patch
new file mode 100644
index 00000000000..70c26256f37
--- /dev/null
+++ b/queue-3.4/ib-core-fix-mismatch-between-locked-and-pinned-pages.patch
@@ -0,0 +1,35 @@
+From c4870eb874ac16dccef40e1bc7a002c7e9156adc Mon Sep 17 00:00:00 2001
+From: Yishai Hadas
+Date: Thu, 10 May 2012 23:28:05 +0300
+Subject: IB/core: Fix mismatch between locked and pinned pages
+
+From: Yishai Hadas
+
+commit c4870eb874ac16dccef40e1bc7a002c7e9156adc upstream.
+
+Commit bc3e53f682d9 ("mm: distinguish between mlocked and pinned
+pages") introduced a separate counter for pinned pages and used it in
+the IB stack. However, in ib_umem_get() the pinned counter is
+incremented, but ib_umem_release() wrongly decrements the locked
+counter. Fix this.
+
+Signed-off-by: Yishai Hadas
+Reviewed-by: Christoph Lameter
+Signed-off-by: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/umem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -269,7 +269,7 @@ void ib_umem_release(struct ib_umem *ume
+ } else
+ down_write(&mm->mmap_sem);
+
+- current->mm->locked_vm -= diff;
++ current->mm->pinned_vm -= diff;
+ up_write(&mm->mmap_sem);
+ mmput(mm);
+ kfree(umem);
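Review bot: In the ib_umem_release() hunk the decrement is applied to `current->mm->pinned_vm`, while the lock taken and released around it is `mm->mmap_sem` and the reference dropped is `mmput(mm)`. Where `mm` is obtained is outside the hunk, so the two may well be the same object here, but using the pointer that is actually locked and referenced makes the pinned-page accounting hit the mm that holds the lock: `mm->pinned_vm -= diff;`. This counter feeds resource-limit accounting for pinned memory, so a mismatch would skew it silently. The function body starts and ends outside the hunk.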
diff --git a/queue-3.4/isci-fix-oem-parameter-validation-on-single-controller-skus.patch b/queue-3.4/isci-fix-oem-parameter-validation-on-single-controller-skus.patch
new file mode 100644
index 00000000000..7d6b7cc1d13
--- /dev/null
+++ b/queue-3.4/isci-fix-oem-parameter-validation-on-single-controller-skus.patch
@@ -0,0 +1,41 @@
+From fc25f79af321c01a739150ba2c09435cf977a63d Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Mon, 30 Apr 2012 11:57:44 -0700
+Subject: isci: fix oem parameter validation on single controller skus
+
+From: Dan Williams
+
+commit fc25f79af321c01a739150ba2c09435cf977a63d upstream.
+
+OEM parameters [1] are parsed from the platform option-rom / efi
+driver. By default the driver was validating the parameters for the
+dual-controller case, but in single-controller case only the first set
+of parameters may be valid.
+
+Limit the validation to the number of actual controllers detected
+otherwise the driver may fail to parse the valid parameters leading to
+driver-load or runtime failures.
+
+[1] the platform specific set of phy address, configuration,and analog
+ tuning values
+
+Reported-by: Dave Jiang
+Tested-by: Dave Jiang
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/isci/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/isci/init.c
++++ b/drivers/scsi/isci/init.c
+@@ -476,7 +476,7 @@ static int __devinit isci_pci_probe(stru
+ if (!orom)
+ orom = isci_request_oprom(pdev);
+
+- for (i = 0; orom && i < ARRAY_SIZE(orom->ctrl); i++) {
++ for (i = 0; orom && i < num_controllers(pdev); i++) {
+ if (sci_oem_parameters_validate(&orom->ctrl[i],
+ orom->hdr.version)) {
+ dev_warn(&pdev->dev,
diff --git a/queue-3.4/iwlwifi-use-6000g2b-for-6030-device-series.patch b/queue-3.4/iwlwifi-use-6000g2b-for-6030-device-series.patch
new file mode 100644
index 00000000000..5a83e7d4337
--- /dev/null
+++ b/queue-3.4/iwlwifi-use-6000g2b-for-6030-device-series.patch
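Review bot: The loop in isci_pci_probe() now indexes `orom->ctrl[i]` with `i` bounded only by `num_controllers(pdev)`; the array-size bound that the old condition provided is gone. `num_controllers()` is not visible in this hunk, so if it can ever return more than the number of entries in `orom->ctrl`, the validation reads past the structure parsed from the option ROM. Keeping both limits costs nothing: `for (i = 0; orom && i < num_controllers(pdev) && i < ARRAY_SIZE(orom->ctrl); i++) {`. The loop body continues outside the hunk.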
@@ -0,0 +1,32 @@
+From 35e7adaaf6932c5ffb22c6ec521734434c65adc5 Mon Sep 17 00:00:00 2001
+From: Wey-Yi Guy
+Date: Wed, 25 Apr 2012 08:10:08 -0700
+Subject: iwlwifi: use 6000G2B for 6030 device series
+
+From: Wey-Yi Guy
+
+commit 35e7adaaf6932c5ffb22c6ec521734434c65adc5 upstream.
+
+"iwlwifi: use correct released ucode version" change
+the ucode api ok from 6000G2 to 6000G2B, but it shall belong
+to 6030 device series, not the 6005 device series. Fix it
+
+Signed-off-by: Wey-Yi Guy
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/iwl-6000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-6000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-6000.c
+@@ -390,7 +390,7 @@ const struct iwl_cfg iwl6005_2agn_mow2_c
+ #define IWL_DEVICE_6030 \
+ .fw_name_pre = IWL6030_FW_PRE, \
+ .ucode_api_max = IWL6000G2_UCODE_API_MAX, \
+- .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \
++ .ucode_api_ok = IWL6000G2_UCODE_API_OK, \
+ .ucode_api_min = IWL6000G2_UCODE_API_MIN, \
+ .max_inst_size = IWL60_RTC_INST_SIZE, \
+ .max_data_size = IWL60_RTC_DATA_SIZE, \
diff --git a/queue-3.4/iwlwifi-use-correct-released-ucode-version.patch b/queue-3.4/iwlwifi-use-correct-released-ucode-version.patch
new file mode 100644
index 00000000000..ab15ae02bd8
--- /dev/null
+++ b/queue-3.4/iwlwifi-use-correct-released-ucode-version.patch
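Review bot: The new side of this hunk leaves `.ucode_api_ok = IWL6000G2_UCODE_API_OK` under `#define IWL_DEVICE_6030`, which reads as the opposite of the subject and description, both of which say the 6000G2B value belongs to the 6030 series. The hunk queued in iwlwifi-use-correct-released-ucode-version.patch likewise ends with `IWL6000G2B_UCODE_API_OK` under `#define IWL_DEVICE_6005`, the series this description says should not have it. As shown on this page the two queued hunks look swapped or mis-contexted, so both should be compared with the upstream commits named in their headers before the queue is released, since the value decides which firmware API level each device family treats as acceptable.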
@@ -0,0 +1,33 @@
+From e377a4fc768d7d477e58888bdbddd0103d6238bf Mon Sep 17 00:00:00 2001
+From: Meenakshi Venkataraman
+Date: Sun, 22 Apr 2012 07:55:27 -0700
+Subject: iwlwifi: use correct released ucode version
+
+From: Meenakshi Venkataraman
+
+commit e377a4fc768d7d477e58888bdbddd0103d6238bf upstream.
+
+Report correctly the latest released version
+of the iwlwifi firmware for all
+iwlwifi-supported devices.
+
+Signed-off-by: Meenakshi Venkataraman
+Signed-off-by: Wey-Yi Guy
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/iwl-6000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-6000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-6000.c
+@@ -336,7 +336,7 @@ static const struct iwl_bt_params iwl600
+ #define IWL_DEVICE_6005 \
+ .fw_name_pre = IWL6005_FW_PRE, \
+ .ucode_api_max = IWL6000G2_UCODE_API_MAX, \
+- .ucode_api_ok = IWL6000G2_UCODE_API_OK, \
++ .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \
+ .ucode_api_min = IWL6000G2_UCODE_API_MIN, \
+ .max_inst_size = IWL60_RTC_INST_SIZE, \
+ .max_data_size = IWL60_RTC_DATA_SIZE, \
diff --git a/queue-3.4/keys-use-the-compat-keyctl-syscall-wrapper-on-sparc64-for-sparc32-compat.patch b/queue-3.4/keys-use-the-compat-keyctl-syscall-wrapper-on-sparc64-for-sparc32-compat.patch
new file mode 100644
index 00000000000..f0886dc30f2
--- /dev/null
+++ b/queue-3.4/keys-use-the-compat-keyctl-syscall-wrapper-on-sparc64-for-sparc32-compat.patch
@@ -0,0 +1,55 @@
+From 45de6767dc51358a188f75dc4ad9dfddb7fb9480 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Fri, 11 May 2012 10:56:56 +0100
+Subject: KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat
+
+From: David Howells
+
+commit 45de6767dc51358a188f75dc4ad9dfddb7fb9480 upstream.
+
+Use the 32-bit compat keyctl() syscall wrapper on Sparc64 for Sparc32 binary
+compatibility.
+
+Without this, keyctl(KEYCTL_INSTANTIATE_IOV) is liable to malfunction as it
+uses an iovec array read from userspace - though the kernel should survive this
+as it checks pointers and sizes anyway.
+
+I think all the other keyctl() function should just work, provided (a) the top
+32-bits of each 64-bit argument register are cleared prior to invoking the
+syscall routine, and the 32-bit address space is right at the 0-end of the
+64-bit address space. Most of the arguments are 32-bit anyway, and so for
+those clearing is not required.
+
+Signed-off-by: David Howells
+cc: sparclinux@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/sparc/Kconfig | 3 +++
+ arch/sparc/kernel/systbls_64.S | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/Kconfig
++++ b/arch/sparc/Kconfig
+@@ -584,6 +584,9 @@ config SYSVIPC_COMPAT
+ depends on COMPAT && SYSVIPC
+ default y
+
++config KEYS_COMPAT
++ def_bool y if COMPAT && KEYS
++
+ endmenu
+
+ source "net/Kconfig"
+--- a/arch/sparc/kernel/systbls_64.S
++++ b/arch/sparc/kernel/systbls_64.S
+@@ -74,7 +74,7 @@ sys_call_table32:
+ .word sys_timer_delete, compat_sys_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
+ /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
+ .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
+-/*280*/ .word sys32_tee, sys_add_key, sys_request_key, sys_keyctl, compat_sys_openat
++/*280*/ .word sys32_tee, sys_add_key, sys_request_key, compat_sys_keyctl, compat_sys_openat
+ .word sys_mkdirat, sys_mknodat, sys_fchownat, compat_sys_futimesat, compat_sys_fstatat64
+ /*290*/ .word sys_unlinkat, sys_renameat, sys_linkat, sys_symlinkat, sys_readlinkat
+ .word sys_fchmodat, sys_faccessat, compat_sys_pselect6, compat_sys_ppoll, sys_unshare
diff --git a/queue-3.4/net-wireless-ipw2200-fix-warn_on-occurring-in-wiphy_register-called-by-ipw_pci_probe.patch b/queue-3.4/net-wireless-ipw2200-fix-warn_on-occurring-in-wiphy_register-called-by-ipw_pci_probe.patch
new file mode 100644
index 00000000000..b920db2cf30
--- /dev/null
+++ b/queue-3.4/net-wireless-ipw2200-fix-warn_on-occurring-in-wiphy_register-called-by-ipw_pci_probe.patch
@@ -0,0 +1,110 @@
+From 7ed85b65ab611ba841d508ae4ff8c45fa0c48c80 Mon Sep 17 00:00:00 2001
+From: Stanislav Yakovlev
+Date: Mon, 16 Apr 2012 06:38:30 -0400
+Subject: net/wireless: ipw2200: Fix WARN_ON occurring in wiphy_register called by ipw_pci_probe
+
+From: Stanislav Yakovlev
+
+commit 7ed85b65ab611ba841d508ae4ff8c45fa0c48c80 upstream.
+
+The problem was found by Stefan Lippers-Hollmann
+http://marc.info/?l=linux-wireless&m=132720334512946&w=2
+
+WARNING: at /tmp/buildd/linux-aptosid-3.2/debian/build/source_i386_none/net/wireless/core.c:562 wiphy_register+0x45/0x38d [cfg80211]()
+Hardware name: TravelMate 290 \xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff\xffffffff
+Modules linked in: ipw2200(+) iTCO_wdt libipw joydev drm snd_seq snd_timer snd_seq_device iTCO_vendor_support yenta_socket snd intel_agp i2c_i801 pcmcia_rsrc cfg80211 soundcore parport_pc psmouse parport rng_core snd_page_alloc serio_raw pcspkr i2c_algo_bit intel_gtt pcmcia_core evdev irda crc_ccitt rfkill lib80211 processor container ac battery shpchp pci_hotplug button ext4 mbcache jbd2 crc16 dm_mod sd_mod sr_mod crc_t10dif cdrom ata_generic pata_acpi ata_piix libata scsi_mod firewire_ohci firewire_core crc_itu_t 8139too 8139cp mii uhci_hcd ehci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
+Pid: 328, comm: modprobe Not tainted 3.2-1.slh.4-aptosid-686 #1
+Call Trace:
+[] ? warn_slowpath_common+0x7c/0x8f
+[] ? wiphy_register+0x45/0x38d [cfg80211]
+[] ? wiphy_register+0x45/0x38d [cfg80211]
+[] ? warn_slowpath_null+0x1b/0x1f
+[] ? wiphy_register+0x45/0x38d [cfg80211]
+[] ? internal_create_group+0xf5/0xff
+[] ? ipw_pci_probe+0xa9a/0xbd0 [ipw2200]
+[] ? arch_local_irq_save+0xf/0x14
+[] ? pci_device_probe+0x53/0x9a
+[] ? driver_probe_device+0x94/0x124
+[] ? pci_match_id+0x15/0x34
+[] ? __driver_attach+0x40/0x5b
+[] ? bus_for_each_dev+0x37/0x60
+[] ? driver_attach+0x17/0x1a
+[] ? driver_probe_device+0x124/0x124
+[] ? bus_add_driver+0x92/0x1d1
+[] ? 0xe099cfff
+[] ? driver_register+0x7d/0xd4
+[] ? jump_label_module_notify+0xec/0x167
+[] ? 0xe099cfff
+[] ? __pci_register_driver+0x32/0x87
+[] ? 0xe099cfff
+[] ? ipw_init+0x2e/0x72 [ipw2200]
+[] ? do_one_initcall+0x7d/0x132
+[] ? __blocking_notifier_call_chain+0x47/0x4f
+[] ? sys_init_module+0x13a4/0x159c
+[] ? sysenter_do_call+0x12/0x28
+
+This warning appears only if we apply Ben Hutchings' fix
+http://marc.info/?l=linux-wireless&m=132720195012653&w=2
+for the bug reported by Cesare Leonardi
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656813
+with cfg80211 warning during device registration
+("cfg80211: failed to add phy80211 symlink to netdev!").
+
+We separate device bring up and registration with network stack
+to avoid the problem.
+
+After that Ben Hutchings' fix can be applied to fix the bug.
+
+Signed-off-by: Stanislav Yakovlev
+Tested-by: Stefan Lippers-Hollmann
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ipw2x00/ipw2200.c | 21 ++++++---------------
+ 1 file changed, 6 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/ipw2x00/ipw2200.c
+@@ -11443,20 +11443,6 @@ static void ipw_bg_down(struct work_stru
+ mutex_unlock(&priv->mutex);
+ }
+
+-/* Called by register_netdev() */
+-static int ipw_net_init(struct net_device *dev)
+-{
+- int rc = 0;
+- struct ipw_priv *priv = libipw_priv(dev);
+-
+- mutex_lock(&priv->mutex);
+- if (ipw_up(priv))
+- rc = -EIO;
+- mutex_unlock(&priv->mutex);
+-
+- return rc;
+-}
+-
+ static int ipw_wdev_init(struct net_device *dev)
+ {
+ int i, rc = 0;
+@@ -11722,7 +11708,6 @@ static void ipw_prom_free(struct ipw_pri
+ #endif
+
+ static const struct net_device_ops ipw_netdev_ops = {
+- .ndo_init = ipw_net_init,
+ .ndo_open = ipw_net_open,
+ .ndo_stop = ipw_net_stop,
+ .ndo_set_rx_mode = ipw_net_set_multicast_list,
+@@ -11849,6 +11834,12 @@ static int __devinit ipw_pci_probe(struc
+ goto out_release_irq;
+ }
+
++ if (ipw_up(priv)) {
++ mutex_unlock(&priv->mutex);
++ err = -EIO;
++ goto out_remove_sysfs;
++ }
++
+ mutex_unlock(&priv->mutex);
+ err = register_netdev(net_dev);
+ if (err) {
diff --git a/queue-3.4/perf-x86-update-event-scheduling-constraints-for-amd-family-15h-models.patch b/queue-3.4/perf-x86-update-event-scheduling-constraints-for-amd-family-15h-models.patch
new file mode 100644
index 00000000000..ff8167b3081
--- /dev/null
+++ b/queue-3.4/perf-x86-update-event-scheduling-constraints-for-amd-family-15h-models.patch
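Review bot: With `ipw_up(priv)` moved into ipw_pci_probe() ahead of `register_netdev(net_dev)`, a later failure of `register_netdev()` now happens on a device that has already been brought up. The `if (err) {` branch that handles that failure is cut off by the hunk, so it is not visible whether it undoes the bring-up; if it only jumps to the existing cleanup labels, the hardware may be left running after a failed probe. Please confirm that path takes the device down again under `priv->mutex` before releasing resources, using whatever teardown the driver pairs with `ipw_up()`.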
@@ -0,0 +1,59 @@
+From 5bcdf5e4fee3c45e1281c25e4941f2163cb28c65 Mon Sep 17 00:00:00 2001
+From: Robert Richter
+Date: Fri, 18 May 2012 12:40:42 +0200
+Subject: perf/x86: Update event scheduling constraints for AMD family 15h models
+
+From: Robert Richter
+
+commit 5bcdf5e4fee3c45e1281c25e4941f2163cb28c65 upstream.
+
+This update is for newer family 15h cpu models from 0x02 to 0x1f.
+
+Signed-off-by: Robert Richter
+Acked-by: Peter Zijlstra
+Cc: Stephane Eranian
+Link: http://lkml.kernel.org/r/1337337642-1621-1-git-send-email-robert.richter@amd.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event_amd.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_amd.c
++++ b/arch/x86/kernel/cpu/perf_event_amd.c
+@@ -493,6 +493,7 @@ static __initconst const struct x86_pmu
+ * 0x023 DE PERF_CTL[2:0]
+ * 0x02D LS PERF_CTL[3]
+ * 0x02E LS PERF_CTL[3,0]
++ * 0x031 LS PERF_CTL[2:0] (**)
+ * 0x043 CU PERF_CTL[2:0]
+ * 0x045 CU PERF_CTL[2:0]
+ * 0x046 CU PERF_CTL[2:0]
+@@ -506,10 +507,12 @@ static __initconst const struct x86_pmu
+ * 0x0DD LS PERF_CTL[5:0]
+ * 0x0DE LS PERF_CTL[5:0]
+ * 0x0DF LS PERF_CTL[5:0]
++ * 0x1C0 EX PERF_CTL[5:3]
+ * 0x1D6 EX PERF_CTL[5:0]
+ * 0x1D8 EX PERF_CTL[5:0]
+ *
+- * (*) depending on the umask all FPU counters may be used
++ * (*) depending on the umask all FPU counters may be used
++ * (**) only one unitmask enabled at a time
+ */
+
+ static struct event_constraint amd_f15_PMC0 = EVENT_CONSTRAINT(0, 0x01, 0);
+@@ -559,6 +562,12 @@ amd_get_event_constraints_f15h(struct cp
+ return &amd_f15_PMC3;
+ case 0x02E:
+ return &amd_f15_PMC30;
++ case 0x031:
++ if (hweight_long(hwc->config & ARCH_PERFMON_EVENTSEL_UMASK) <= 1)
++ return &amd_f15_PMC20;
++ return &emptyconstraint;
++ case 0x1C0:
++ return &amd_f15_PMC53;
+ default:
+ return &amd_f15_PMC50;
+ }
diff --git a/queue-3.4/powerpc-fix-broken-cpu_idle_wait-implementation.patch b/queue-3.4/powerpc-fix-broken-cpu_idle_wait-implementation.patch
new file mode 100644
index 00000000000..3dda57a1850
--- /dev/null
+++ b/queue-3.4/powerpc-fix-broken-cpu_idle_wait-implementation.patch
@@ -0,0 +1,76 @@
+From 9cd75e13de2dcf32ecc21c7f277cff3c0ced059e Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Mon, 7 May 2012 17:59:47 +0000
+Subject: powerpc: Fix broken cpu_idle_wait() implementation
+
+From: Thomas Gleixner
+
+commit 9cd75e13de2dcf32ecc21c7f277cff3c0ced059e upstream.
+
+commit 771dae818 (powerpc/cpuidle: Add cpu_idle_wait() to allow
+switching of idle routines) implemented cpu_idle_wait() for powerpc.
+
+The changelog says:
+ "The equivalent routine for x86 is in arch/x86/kernel/process.c
+ but the powerpc implementation is different.":
+
+Unfortunately the changelog is completely useless as it does not tell
+_WHY_ it is different.
+
+Aside of being different the implementation is patently wrong.
+
+The rescheduling IPI is async. That means that there is no guarantee,
+that the other cores have executed the IPI when cpu_idle_wait()
+returns. But that's the whole purpose of this function: to guarantee
+that no CPU uses the old idle handler anymore.
+
+Use the smp_functional_call() based implementation, which fulfils the
+requirements.
+
+[ This code is going to replaced by a core version to remove all the
+ pointless copies in arch/*, but this one should go to stable ]
+
+Signed-off-by: Thomas Gleixner
+Acked-by: Peter Zijlstra
+Cc: Deepthi Dharwar
+Cc: Trinabh Gupta
+Cc: Arun R Bharadwaj
+Acked-by: Benjamin Herrenschmidt
+Link: http://lkml.kernel.org/r/20120507175651.980164748@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/idle.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/kernel/idle.c
++++ b/arch/powerpc/kernel/idle.c
+@@ -113,6 +113,9 @@ void cpu_idle(void)
+ }
+ }
+
++static void do_nothing(void *unused)
++{
++}
+
+ /*
+ * cpu_idle_wait - Used to ensure that all the CPUs come out of the old
+@@ -123,16 +126,9 @@ void cpu_idle(void)
+ */
+ void cpu_idle_wait(void)
+ {
+- int cpu;
+ smp_mb();
+-
+- /* kick all the CPUs so that they exit out of old idle routine */
+- get_online_cpus();
+- for_each_online_cpu(cpu) {
+- if (cpu != smp_processor_id())
+- smp_send_reschedule(cpu);
+- }
+- put_online_cpus();
++ /* kick all the CPUs so that they exit out of pm_idle */
++ smp_call_function(do_nothing, NULL, 1);
+ }
+ EXPORT_SYMBOL_GPL(cpu_idle_wait);
+
diff --git a/queue-3.4/rdma-cxgb4-always-wake-up-waiters-in-c4iw_peer_abort_intr.patch b/queue-3.4/rdma-cxgb4-always-wake-up-waiters-in-c4iw_peer_abort_intr.patch
new file mode 100644
index 00000000000..5d49ab3d4dd
--- /dev/null
+++ b/queue-3.4/rdma-cxgb4-always-wake-up-waiters-in-c4iw_peer_abort_intr.patch
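Review bot: The replacement comment in cpu_idle_wait(), `kick all the CPUs so that they exit out of pm_idle`, does not record the property the fix exists for, namely that the call is synchronous. I would word it along the lines of `/* wait=1: return only after every other CPU has run do_nothing(), i.e. has left the old idle routine */` and give `do_nothing()` a one-line comment saying it is an intentionally empty cross-call target. Because the function now blocks on the other CPUs, the header comment above cpu_idle_wait() should also state that callers must have interrupts enabled.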
@@ -0,0 +1,35 @@
+From 0f1dcfae6bc5563424346ad3a03282b8235a4c33 Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Fri, 27 Apr 2012 09:59:16 -0500
+Subject: RDMA/cxgb4: Always wake up waiters in c4iw_peer_abort_intr()
+
+From: Steve Wise
+
+commit 0f1dcfae6bc5563424346ad3a03282b8235a4c33 upstream.
+
+This fixes a race where an ingress abort fails to wake up the thread
+blocked in rdma_init() causing the app to hang.
+
+Signed-off-by: Steve Wise
+Signed-off-by: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2667,11 +2667,8 @@ static int peer_abort_intr(struct c4iw_d
+
+ /*
+ * Wake up any threads in rdma_init() or rdma_fini().
+- * However, this is not needed if com state is just
+- * MPA_REQ_SENT
+ */
+- if (ep->com.state != MPA_REQ_SENT)
+- c4iw_wake_up(&ep->com.wr_wait, -ECONNRESET);
++ c4iw_wake_up(&ep->com.wr_wait, -ECONNRESET);
+ sched(dev, skb);
+ return 0;
+ }
diff --git a/queue-3.4/rdma-cxgb4-drop-peer_abort-when-no-endpoint-found.patch b/queue-3.4/rdma-cxgb4-drop-peer_abort-when-no-endpoint-found.patch
new file mode 100644
index 00000000000..9804de74d4e
--- /dev/null
+++ b/queue-3.4/rdma-cxgb4-drop-peer_abort-when-no-endpoint-found.patch
@@ -0,0 +1,35 @@
+From 14b9222808bb8bfefc71f72bc0dbdcf3b2f0140f Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Mon, 30 Apr 2012 15:31:29 -0500
+Subject: RDMA/cxgb4: Drop peer_abort when no endpoint found
+
+From: Steve Wise
+
+commit 14b9222808bb8bfefc71f72bc0dbdcf3b2f0140f upstream.
+
+Log a warning and drop the abort message. Otherwise we will do a
+bogus wake_up() and crash.
+
+Signed-off-by: Steve Wise
+Signed-off-by: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2656,6 +2656,12 @@ static int peer_abort_intr(struct c4iw_d
+ unsigned int tid = GET_TID(req);
+
+ ep = lookup_tid(t, tid);
++ if (!ep) {
++ printk(KERN_WARNING MOD
++ "Abort on non-existent endpoint, tid %d\n", tid);
++ kfree_skb(skb);
++ return 0;
++ }
+ if (is_neg_adv_abort(req->status)) {
+ PDBG("%s neg_adv_abort ep %p tid %u\n", __func__, ep,
+ ep->hwtid);
diff --git a/queue-3.4/rdma-cxgb4-use-dst-parameter-in-import_ep.patch b/queue-3.4/rdma-cxgb4-use-dst-parameter-in-import_ep.patch
new file mode 100644
index 00000000000..02e78d9ef8e
--- /dev/null
+++ b/queue-3.4/rdma-cxgb4-use-dst-parameter-in-import_ep.patch
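Review bot: The new `!ep` branch in peer_abort_intr() emits one unthrottled `KERN_WARNING` line for every abort message that carries an unknown tid, and it formats `tid`, declared `unsigned int` two lines above, with `%d`. If such aborts can be provoked from the network side, which the hunk does not rule out, this is a log-flooding path. A rate-limited print with the matching specifier bounds it: `printk_ratelimited(KERN_WARNING MOD "Abort on non-existent endpoint, tid %u\n", tid);`. The function continues outside the hunk.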
@@ -0,0 +1,32 @@
+From bd61baaf59669accae2720799394a51fecabe5d9 Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Fri, 27 Apr 2012 10:24:33 -0500
+Subject: RDMA/cxgb4: Use dst parameter in import_ep()
+
+From: Steve Wise
+
+commit bd61baaf59669accae2720799394a51fecabe5d9 upstream.
+
+Function import_ep() is incorrectly using ep->dst instead of the dst
+ptr passed in. This causes a crash when accepting new rdma connections
+becase ep->dst is not initialized yet.
+
+Signed-off-by: Steve Wise
+Signed-off-by: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -1593,7 +1593,7 @@ static int import_ep(struct c4iw_ep *ep,
+ n, n->dev, 0);
+ if (!ep->l2t)
+ goto out;
+- ep->mtu = dst_mtu(ep->dst);
++ ep->mtu = dst_mtu(dst);
+ ep->tx_chan = cxgb4_port_chan(n->dev);
+ ep->smac_idx = (cxgb4_port_viid(n->dev) & 0x7F) << 1;
+ step = cdev->rdev.lldi.ntxq /
diff --git a/queue-3.4/regulator-core-release-regulator-regulator-supplies-on-error.patch b/queue-3.4/regulator-core-release-regulator-regulator-supplies-on-error.patch
new file mode 100644
index 00000000000..887f1d9eb66
--- /dev/null
+++ b/queue-3.4/regulator-core-release-regulator-regulator-supplies-on-error.patch
@@ -0,0 +1,31 @@
+From e81dba85c6388dfabcb76cbc2b8bd02836a53ae5 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Sun, 13 May 2012 18:35:56 +0100
+Subject: regulator: core: Release regulator-regulator supplies on error
+
+From: Mark Brown
+
+commit e81dba85c6388dfabcb76cbc2b8bd02836a53ae5 upstream.
+
+If we fail while registering a regulator make sure we release the supply
+for the regulator if there is one.
+
+Signed-off-by: Mark Brown
+Acked-by: Liam Girdwood
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -2971,6 +2971,8 @@ unset_supplies:
+ unset_regulator_supplies(rdev);
+
+ scrub:
++ if (rdev->supply)
++ regulator_put(rdev->supply);
+ kfree(rdev->constraints);
+ device_unregister(&rdev->dev);
+ /* device core frees rdev */
diff --git a/queue-3.4/s390-pfault-fix-task-state-race.patch b/queue-3.4/s390-pfault-fix-task-state-race.patch
new file mode 100644
index 00000000000..31680bca975
--- /dev/null
+++ b/queue-3.4/s390-pfault-fix-task-state-race.patch
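Review bot: The new `regulator_put(rdev->supply)` under `scrub:` runs on an error path whose locking context is not visible in this hunk. As far as I recall, regulator_put() in this file acquires regulator_list_mutex itself, so if the enclosing function still holds that mutex when it jumps to `scrub:`, the failure path would block on a lock it already owns. Please confirm the label is only reached with the mutex released, or move the release of the supply to after the unlock. A comment at the label stating which locks are held there would make this checkable from the code; the enclosing function starts and ends outside the hunk.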
@@ -0,0 +1,80 @@
+From d5e50a51ccbda36b379aba9d1131a852eb908dda Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Wed, 9 May 2012 09:37:30 +0200
+Subject: s390/pfault: fix task state race
+
+From: Heiko Carstens
+
+commit d5e50a51ccbda36b379aba9d1131a852eb908dda upstream.
+
+When setting the current task state to TASK_UNINTERRUPTIBLE this can
+race with a different cpu. The other cpu could set the task state after
+it inspected it (while it was still TASK_RUNNING) to TASK_RUNNING which
+would change the state from TASK_UNINTERRUPTIBLE to TASK_RUNNING again.
+
+This race was always present in the pfault interrupt code but didn't
+cause anything harmful before commit f2db2e6c "[S390] pfault: cpu hotplug
+vs missing completion interrupts" which relied on the fact that after
+setting the task state to TASK_UNINTERRUPTIBLE the task would really
+sleep.
+Since this is not necessarily the case the result may be a list corruption
+of the pfault_list or, as observed, a use-after-free bug while trying to
+access the task_struct of a task which terminated itself already.
+
+To fix this, we need to get a reference of the affected task when receiving
+the initial pfault interrupt and add special handling if we receive yet
+another initial pfault interrupt when the task is already enqueued in the
+pfault list.
+
+Signed-off-by: Heiko Carstens
+Reviewed-by: Martin Schwidefsky
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/mm/fault.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -574,6 +574,7 @@ static void pfault_interrupt(struct ext_
+ tsk->thread.pfault_wait = 0;
+ list_del(&tsk->thread.list);
+ wake_up_process(tsk);
++ put_task_struct(tsk);
+ } else {
+ /* Completion interrupt was faster than initial
+ * interrupt.
Set pfault_wait to -1 so the initial
+@@ -588,14 +589,22 @@ static void pfault_interrupt(struct ext_
+ put_task_struct(tsk);
+ } else {
+ /* signal bit not set -> a real page is missing. */
+- if (tsk->thread.pfault_wait == -1) {
++ if (tsk->thread.pfault_wait == 1) {
++ /* Already on the list with a reference: put to sleep */
++ set_task_state(tsk, TASK_UNINTERRUPTIBLE);
++ set_tsk_need_resched(tsk);
++ } else if (tsk->thread.pfault_wait == -1) {
+ /* Completion interrupt was faster than the initial
+ * interrupt (pfault_wait == -1). Set pfault_wait
+ * back to zero and exit. */
+ tsk->thread.pfault_wait = 0;
+ } else {
+ /* Initial interrupt arrived before completion
+- * interrupt. Let the task sleep. */
++ * interrupt. Let the task sleep.
++ * An extra task reference is needed since a different
++ * cpu may set the task state to TASK_RUNNING again
++ * before the scheduler is reached. */
++ get_task_struct(tsk);
+ tsk->thread.pfault_wait = 1;
+ list_add(&tsk->thread.list, &pfault_list);
+ set_task_state(tsk, TASK_UNINTERRUPTIBLE);
+@@ -620,6 +629,7 @@ static int __cpuinit pfault_cpu_notify(s
+ list_del(&thread->list);
+ tsk = container_of(thread, struct task_struct, thread);
+ wake_up_process(tsk);
++ put_task_struct(tsk);
+ }
+ spin_unlock_irq(&pfault_lock);
+ break;
diff --git a/queue-3.4/scsi-mpt2sas-fix-for-panic-happening-because-of-improper-memory-allocation.patch b/queue-3.4/scsi-mpt2sas-fix-for-panic-happening-because-of-improper-memory-allocation.patch
new file mode 100644
index 00000000000..445140ecde3
--- /dev/null
+++ b/queue-3.4/scsi-mpt2sas-fix-for-panic-happening-because-of-improper-memory-allocation.patch
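Review bot: The reference-count rule this patch introduces is spread over three places and stated in full nowhere: `get_task_struct()` in the initial-interrupt branch, `put_task_struct()` after `wake_up_process()` in the completion branch of pfault_interrupt(), and another `put_task_struct()` in pfault_cpu_notify(). I would add a block comment next to the new `pfault_wait == 1` test, or at the head of pfault_interrupt() (outside the hunks), saying that a task with pfault_wait == 1 is on pfault_list and holds exactly one extra task reference, and that whoever removes it from the list and wakes it must drop that reference. Without it, a future list-removal path that forgets the put leaks a task_struct, and one that adds a second put reintroduces the use-after-free the commit message describes. Both functions begin and end outside the visible hunks.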
@@ -0,0 +1,57 @@
+From e42fafc25fa86c61824e8d4c5e7582316415d24f Mon Sep 17 00:00:00 2001
+From: "nagalakshmi.nandigama@lsi.com"
+Date: Tue, 20 Mar 2012 12:10:01 +0530
+Subject: SCSI: mpt2sas: Fix for panic happening because of improper memory allocation
+
+From: "nagalakshmi.nandigama@lsi.com"
+
+commit e42fafc25fa86c61824e8d4c5e7582316415d24f upstream.
+
+The ioc->pfacts member in the IOC structure is getting set to zero
+following a call to _base_get_ioc_facts due to the memset in that routine.
+So if the ioc->pfacts was read after a host reset, there would be a NULL
+pointer dereference. The routine _base_get_ioc_facts is called from context
+of host reset. The problem in _base_get_ioc_facts is the size of
+Mpi2IOCFactsReply is 64, whereas the sizeof "struct mpt2sas_facts" is 60,
+so there is a four byte overflow resulting from the memset.
+
+Also, there is memset in _base_get_port_facts using the incorrect structure,
+it should be "struct mpt2sas_port_facts" instead of Mpi2PortFactsReply.
+
+Signed-off-by: Nagalakshmi Nandigama
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_base.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_base.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_base.c
+@@ -3343,7 +3343,7 @@ _base_get_port_facts(struct MPT2SAS_ADAP
+ }
+
+ pfacts = &ioc->pfacts[port];
+- memset(pfacts, 0, sizeof(Mpi2PortFactsReply_t));
++ memset(pfacts, 0, sizeof(struct mpt2sas_port_facts));
+ pfacts->PortNumber = mpi_reply.PortNumber;
+ pfacts->VP_ID = mpi_reply.VP_ID;
+ pfacts->VF_ID = mpi_reply.VF_ID;
+@@ -3385,7 +3385,7 @@ _base_get_ioc_facts(struct MPT2SAS_ADAPT
+ }
+
+ facts = &ioc->facts;
+- memset(facts, 0, sizeof(Mpi2IOCFactsReply_t));
++ memset(facts, 0, sizeof(struct mpt2sas_facts));
+ facts->MsgVersion = le16_to_cpu(mpi_reply.MsgVersion);
+ facts->HeaderVersion = le16_to_cpu(mpi_reply.HeaderVersion);
+ facts->VP_ID = mpi_reply.VP_ID;
+@@ -4262,7 +4262,7 @@ mpt2sas_base_attach(struct MPT2SAS_ADAPT
+ goto out_free_resources;
+
+ ioc->pfacts = kcalloc(ioc->facts.NumberOfPorts,
+- sizeof(Mpi2PortFactsReply_t), GFP_KERNEL);
++ sizeof(struct mpt2sas_port_facts), GFP_KERNEL);
+ if (!ioc->pfacts) {
+ r = -ENOMEM;
+ goto out_free_resources;
diff --git a/queue-3.4/selinux-if-sel_make_bools-errors-don-t-leave-inconsistent-state.patch b/queue-3.4/selinux-if-sel_make_bools-errors-don-t-leave-inconsistent-state.patch
new file mode 100644
index 00000000000..e1d26b55b9f
--- /dev/null
+++ b/queue-3.4/selinux-if-sel_make_bools-errors-don-t-leave-inconsistent-state.patch
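Review bot: The three corrected sizes still name a type by hand, which is how the size and the destination drifted apart in the first place (per the commit message, a 64-byte reply type applied to a 60-byte struct). Deriving the size from the destination pointer removes that failure mode: `memset(pfacts, 0, sizeof(*pfacts));` in _base_get_port_facts, `memset(facts, 0, sizeof(*facts));` in _base_get_ioc_facts, and `sizeof(*ioc->pfacts)` as the element size of the kcalloc() in mpt2sas_base_attach. All three functions start and end outside their hunks, so any other memset or allocation on these structures elsewhere in mpt2sas_base.c deserves the same check.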
@@ -0,0 +1,31 @@
+From 154c50ca4eb9ae472f50b6a481213e21ead4457d Mon Sep 17 00:00:00 2001
+From: Eric Paris
+Date: Wed, 4 Apr 2012 13:47:11 -0400
+Subject: SELinux: if sel_make_bools errors don't leave inconsistent state
+
+From: Eric Paris
+
+commit 154c50ca4eb9ae472f50b6a481213e21ead4457d upstream.
+
+We reset the bool names and values array to NULL, but do not reset the
+number of entries in these arrays to 0. If we error out and then get back
+into this function we will walk these NULL pointers based on the belief
+that they are non-zero length.
+
+Signed-off-by: Eric Paris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/selinuxfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -1232,6 +1232,7 @@ static int sel_make_bools(void)
+ kfree(bool_pending_names[i]);
+ kfree(bool_pending_names);
+ kfree(bool_pending_values);
++ bool_num = 0;
+ bool_pending_names = NULL;
+ bool_pending_values = NULL;
+
diff --git a/queue-3.4/series b/queue-3.4/series
index fb435f9f4ca..a569b9ad092 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
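Review bot: The relationship that `bool_num = 0;` restores in sel_make_bools() is not written down anywhere in the hunk. Going by the commit message, bool_num is the length used when walking bool_pending_names and bool_pending_values. A comment above the three resets would keep them together in later edits, for example `/* bool_num must be cleared with the arrays; a stale count indexes NULL */`. The loop that frees the names and the code that repopulates the arrays and the count are outside the hunk, so it is worth confirming there that the count is only set once both arrays are valid.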
@@ -2,3 +2,22 @@ isdn-gigaset-ratelimit-capi-message-dumps.patch
 isdn-gigaset-fix-capi-disconnect-b3-handling.patch
 isdn-gigaset-improve-error-handling-querying-firmware-version.patch
 vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch
+iwlwifi-use-6000g2b-for-6030-device-series.patch
+iwlwifi-use-correct-released-ucode-version.patch
+net-wireless-ipw2200-fix-warn_on-occurring-in-wiphy_register-called-by-ipw_pci_probe.patch
+cfg80211-warn-if-db.txt-is-empty-with-config_cfg80211_internal_regdb.patch
+regulator-core-release-regulator-regulator-supplies-on-error.patch
+fix-blocking-allocations-called-very-early-during-bootup.patch
+s390-pfault-fix-task-state-race.patch
+scsi-mpt2sas-fix-for-panic-happening-because-of-improper-memory-allocation.patch
+isci-fix-oem-parameter-validation-on-single-controller-skus.patch
+rdma-cxgb4-always-wake-up-waiters-in-c4iw_peer_abort_intr.patch
+rdma-cxgb4-use-dst-parameter-in-import_ep.patch
+rdma-cxgb4-drop-peer_abort-when-no-endpoint-found.patch
+powerpc-fix-broken-cpu_idle_wait-implementation.patch
+keys-use-the-compat-keyctl-syscall-wrapper-on-sparc64-for-sparc32-compat.patch
+selinux-if-sel_make_bools-errors-don-t-leave-inconsistent-state.patch
+fbdev-sh_mobile_lcdc-don-t-confuse-line-size-with-pitch.patch
+ib-core-fix-mismatch-between-locked-and-pinned-pages.patch
+drivers-staging-comedi-comedi_fops.c-add-missing-vfree.patch
+perf-x86-update-event-scheduling-constraints-for-amd-family-15h-models.patch