From: Greg Kroah-Hartman Date: Fri, 28 Sep 2012 01:03:05 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.44~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4c6421947d259a85100359f3a1a0dc5f26f14ec;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: asoc-wm2000-correct-register-size.patch drm-i915-fall-back-to-bit-banging-if-gmbus-fails-in-crt-edid-reads.patch drm-udl-limit-modes-to-the-sku-pixel-limits.patch gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch usb-fix-race-condition-when-removing-host-controllers.patch usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch vmwgfx-corruption-in-vmw_event_fence_action_create.patch
---
diff --git a/queue-3.4/asoc-wm2000-correct-register-size.patch b/queue-3.4/asoc-wm2000-correct-register-size.patch
new file mode 100644
index 00000000000..8fdddeb25db
--- /dev/null
+++ b/queue-3.4/asoc-wm2000-correct-register-size.patch
@@ -0,0 +1,27 @@
+From d0e12f3ff3472cbd8f52d3c0e6ee07a841787c40 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Wed, 26 Sep 2012 11:57:30 +0100
+Subject: ASoC: wm2000: Correct register size
+
+From: Mark Brown
+
+commit d0e12f3ff3472cbd8f52d3c0e6ee07a841787c40 upstream.
+
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm2000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm2000.c
++++ b/sound/soc/codecs/wm2000.c
+@@ -692,7 +692,7 @@ static int wm2000_resume(struct snd_soc_
+ #endif
+
+ static const struct regmap_config wm2000_regmap = {
+- .reg_bits = 8,
++ .reg_bits = 16,
+ .val_bits = 8,
+ };
+
diff --git a/queue-3.4/drm-i915-fall-back-to-bit-banging-if-gmbus-fails-in-crt-edid-reads.patch b/queue-3.4/drm-i915-fall-back-to-bit-banging-if-gmbus-fails-in-crt-edid-reads.patch
new file mode 100644
index 00000000000..3219f278944
--- /dev/null
+++ b/queue-3.4/drm-i915-fall-back-to-bit-banging-if-gmbus-fails-in-crt-edid-reads.patch
@@ -0,0 +1,105 @@
+From f1a2f5b7c5f0941d23eef0a095c0b99bf8d051e6 Mon Sep 17 00:00:00 2001
+From: Jani Nikula
+Date: Mon, 13 Aug 2012 13:22:35 +0300
+Subject: drm/i915: fall back to bit-banging if GMBUS fails in CRT EDID reads
+
+From: Jani Nikula
+
+commit f1a2f5b7c5f0941d23eef0a095c0b99bf8d051e6 upstream.
+
+GMBUS was enabled over bit-banging as the default in commits:
+
+commit c3dfefa0a6d235bd465309e12f4c56ea16e71111
+Author: Daniel Vetter
+Date: Tue Feb 14 22:37:25 2012 +0100
+
+ drm/i915: reenable gmbus on gen3+ again
+
+and
+
+commit 0fb3f969c8683505fb7323c06bf8a999a5a45a15
+Author: Daniel Vetter
+Date: Fri Mar 2 19:38:30 2012 +0100
+
+ drm/i915: enable gmbus on gen2
+
+Unfortunately, GMBUS seems to fail on some CRT displays. Add a bit-banging
+fallback to CRT EDID reads.
+
+LKML-Reference: <201207251020.47637.maciej.rutecki@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=45881
+Signed-off-by: Jani Nikula
+Tested-by: Alex Ferrando
+Cc: stable@vger.kernel.org (for 3.4+3.5)
+Signed-off-by: Daniel Vetter
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/gpu/drm/i915/intel_crt.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_crt.c
++++ b/drivers/gpu/drm/i915/intel_crt.c
+@@ -266,6 +266,36 @@ static bool intel_crt_detect_hotplug(str
+ return ret;
+ }
+
++static struct edid *intel_crt_get_edid(struct drm_connector *connector,
++ struct i2c_adapter *i2c)
++{
++ struct edid *edid;
++
++ edid = drm_get_edid(connector, i2c);
++
++ if (!edid && !intel_gmbus_is_forced_bit(i2c)) {
++ DRM_DEBUG_KMS("CRT GMBUS EDID read failed, retry using GPIO bit-banging\n");
++ intel_gmbus_force_bit(i2c, true);
++ edid = drm_get_edid(connector, i2c);
++ intel_gmbus_force_bit(i2c, false);
++ }
++
++ return edid;
++}
++
++/* local version of intel_ddc_get_modes() to use intel_crt_get_edid() */
++static int intel_crt_ddc_get_modes(struct drm_connector *connector,
++ struct i2c_adapter *adapter)
++{
++ struct edid *edid;
++
++ edid = intel_crt_get_edid(connector, adapter);
++ if (!edid)
++ return 0;
++
++ return intel_connector_update_modes(connector, edid);
++}
++
+ static bool intel_crt_detect_ddc(struct drm_connector *connector)
+ {
+ struct intel_crt *crt = intel_attached_crt(connector);
+@@ -279,7 +309,7 @@ static bool intel_crt_detect_ddc(struct
+ struct edid *edid;
+ bool is_digital = false;
+
+- edid = drm_get_edid(connector,
++ edid = intel_crt_get_edid(connector,
+ &dev_priv->gmbus[dev_priv->crt_ddc_pin].adapter);
+ /*
+ * This may be a DVI-I connector with a shared DDC
+@@ -477,13 +507,13 @@ static int intel_crt_get_modes(struct dr
+ struct drm_i915_private *dev_priv = dev->dev_private;
+ int ret;
+
+- ret = intel_ddc_get_modes(connector,
++ ret = intel_crt_ddc_get_modes(connector,
+ &dev_priv->gmbus[dev_priv->crt_ddc_pin].adapter);
+ if (ret || !IS_G4X(dev))
+ return ret;
+
+ /* Try to probe digital port for output in DVI-I -> VGA mode. */
+- return intel_ddc_get_modes(connector,
++ return intel_crt_ddc_get_modes(connector,
+ &dev_priv->gmbus[GMBUS_PORT_DPB].adapter);
+ }
+
diff --git a/queue-3.4/drm-udl-limit-modes-to-the-sku-pixel-limits.patch b/queue-3.4/drm-udl-limit-modes-to-the-sku-pixel-limits.patch
new file mode 100644
index 00000000000..03b4d45d2da
--- /dev/null
+++ b/queue-3.4/drm-udl-limit-modes-to-the-sku-pixel-limits.patch
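Review bot: Ownership of the EDID buffer in the new `intel_crt_ddc_get_modes()` is not visible in this patch: the pointer returned by `intel_crt_get_edid()` is passed to `intel_connector_update_modes()` and never freed here, so it leaks unless that helper frees it; once confirmed, record it with a comment such as `/* intel_connector_update_modes() consumes and frees edid */`. That helper is not introduced by this patch, and none of the patches added to the series on this page appears to add it, so confirm it already exists in the 3.4 tree before this is queued. In `intel_crt_get_edid()` the force-bit state is switched on and back off around the retry; the hunk does not show what keeps another user of the same adapter from running in between, so a comment naming the lock the callers are expected to hold would help.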
@@ -0,0 +1,39 @@
+From 3a75885848996baab5276ff37ebf7295c3c753f0 Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Tue, 25 Sep 2012 16:17:43 +1000
+Subject: drm/udl: limit modes to the sku pixel limits.
+
+From: Dave Airlie
+
+commit 3a75885848996baab5276ff37ebf7295c3c753f0 upstream.
+
+Otherwise when X starts we commonly get a black screen scanning
+out nothing, its wierd dpms on/off from userspace brings it back,
+
+With this on F18, multi-seat works again with my 1920x1200 monitor
+which is above the sku limit for the device I have.
+
+Reviewed-by: Alex Deucher
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/udl/udl_connector.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/udl/udl_connector.c
++++ b/drivers/gpu/drm/udl/udl_connector.c
+@@ -69,6 +69,13 @@ static int udl_get_modes(struct drm_conn
+ static int udl_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
+ {
++ struct udl_device *udl = connector->dev->dev_private;
++ if (!udl->sku_pixel_limit)
++ return 0;
++
++ if (mode->vdisplay * mode->hdisplay > udl->sku_pixel_limit)
++ return MODE_VIRTUAL_Y;
++
+ return 0;
+ }
+
diff --git a/queue-3.4/gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch b/queue-3.4/gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch
new file mode 100644
index 00000000000..9094840a7df
--- /dev/null
+++ b/queue-3.4/gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch
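Review bot: In the added `udl_mode_valid()` body the product `mode->vdisplay * mode->hdisplay` is computed in `int` from values that come from the attached display's mode list, and nothing states the bound that keeps it from overflowing before the comparison with `udl->sku_pixel_limit` (whose type is not visible here). A short comment giving the expected range, or widening one operand before the multiply, would make the check easier to audit. The early `return 0;` would read better as `return MODE_OK;` next to the `MODE_VIRTUAL_Y` rejection, and a blank line belongs after the `udl` declaration.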
@@ -0,0 +1,50 @@
+From b1268d3737c6316016026245eef276eda6b0a621 Mon Sep 17 00:00:00 2001
+From: Roland Stigge
+Date: Thu, 20 Sep 2012 10:48:03 +0200
+Subject: gpio-lpc32xx: Fix value handling of gpio_direction_output()
+
+From: Roland Stigge
+
+commit b1268d3737c6316016026245eef276eda6b0a621 upstream.
+
+For GPIOs of gpio-lpc32xx, gpio_direction_output() ignores the value argument
+(initial value of output). This patch fixes this by setting the level
+accordingly.
+
+Signed-off-by: Roland Stigge
+Acked-by: Alexandre Pereira da Silva
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpio/gpio-lpc32xx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpio/gpio-lpc32xx.c
++++ b/drivers/gpio/gpio-lpc32xx.c
+@@ -304,6 +304,7 @@ static int lpc32xx_gpio_dir_output_p012(
+ {
+ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip);
+
++ __set_gpio_level_p012(group, pin, value);
+ __set_gpio_dir_p012(group, pin, 0);
+
+ return 0;
+@@ -314,6 +315,7 @@ static int lpc32xx_gpio_dir_output_p3(st
+ {
+ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip);
+
++ __set_gpio_level_p3(group, pin, value);
+ __set_gpio_dir_p3(group, pin, 0);
+
+ return 0;
+@@ -322,6 +324,9 @@ static int lpc32xx_gpio_dir_output_p3(st
+ static int lpc32xx_gpio_dir_out_always(struct gpio_chip *chip, unsigned pin,
+ int value)
+ {
++ struct lpc32xx_gpio_chip *group = to_lpc32xx_gpio(chip);
++
++ __set_gpo_level_p3(group, pin, value);
+ return 0;
+ }
+
diff --git a/queue-3.4/series b/queue-3.4/series
index 4e7e859d7dc..c56d8a0669a 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
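Review bot: The order of the two calls in `lpc32xx_gpio_dir_output_p012()` and `lpc32xx_gpio_dir_output_p3()` is undocumented: the added `__set_gpio_level_*()` call sits before `__set_gpio_dir_*()`, presumably so the pin already carries the requested level when it starts driving. A later cleanup could swap them unnoticed, so add a comment such as `/* set the level first so the pin does not glitch when it becomes an output */`. In `lpc32xx_gpio_dir_out_always()` a one-line note on why only the level is written (the name suggests these pins are output-only; confirm) would explain the missing direction call, and a blank line before `return 0;` would match the other two functions.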
@@ -208,3 +208,10 @@ nfsd-set-nfsd_serv-to-null-after-service-destruction.patch
 kthread_worker-reorganize-to-prepare-for-flush_kthread_work-reimplementation.patch
 kthread_worker-reimplement-flush_kthread_work-to-allow-freeing-the-work-item-being-executed.patch
 lockd-pass-service-to-per-net-up-and-down-functions.patch
+usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch
+usb-fix-race-condition-when-removing-host-controllers.patch
+asoc-wm2000-correct-register-size.patch
+gpio-lpc32xx-fix-value-handling-of-gpio_direction_output.patch
+drm-udl-limit-modes-to-the-sku-pixel-limits.patch
+drm-i915-fall-back-to-bit-banging-if-gmbus-fails-in-crt-edid-reads.patch
+vmwgfx-corruption-in-vmw_event_fence_action_create.patch
diff --git a/queue-3.4/usb-fix-race-condition-when-removing-host-controllers.patch b/queue-3.4/usb-fix-race-condition-when-removing-host-controllers.patch
new file mode 100644
index 00000000000..962cb6e8d19
--- /dev/null
+++ b/queue-3.4/usb-fix-race-condition-when-removing-host-controllers.patch
@@ -0,0 +1,68 @@
+From 0d00dc2611abbe6ad244d50569c2ee82ce42846c Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 26 Sep 2012 13:09:53 -0400
+Subject: USB: Fix race condition when removing host controllers
+
+From: Alan Stern
+
+commit 0d00dc2611abbe6ad244d50569c2ee82ce42846c upstream.
+
+This patch (as1607) fixes a race that can occur if a USB host
+controller is removed while a process is reading the
+/sys/kernel/debug/usb/devices file.
+
+The usb_device_read() routine uses the bus->root_hub pointer to
+determine whether or not the root hub is registered. The is not a
+valid test, because the pointer is set before the root hub gets
+registered and remains set even after the root hub is unregistered and
+deallocated. As a result, usb_device_read() or usb_device_dump() can
+access freed memory, causing an oops.
+
+The patch changes the test to use the hcd->rh_registered flag, which
+does get set and cleared at the appropriate times. It also makes sure
+to hold the usb_bus_list_lock mutex while setting the flag, so that
+usb_device_read() will become aware of new root hubs as soon as they
+are registered.
+
+Signed-off-by: Alan Stern
+Reported-by: Don Zickus
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devices.c | 2 +-
+ drivers/usb/core/hcd.c | 6 ++----
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devices.c
++++ b/drivers/usb/core/devices.c
+@@ -624,7 +624,7 @@ static ssize_t usb_device_read(struct fi
+ /* print devices for all busses */
+ list_for_each_entry(bus, &usb_bus_list, bus_list) {
+ /* recurse through all children of the root hub */
+- if (!bus->root_hub)
++ if (!bus_to_hcd(bus)->rh_registered)
+ continue;
+ usb_lock_device(bus->root_hub);
+ ret = usb_device_dump(&buf, &nbytes, &skip_bytes, ppos,
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1002,10 +1002,7 @@ static int register_root_hub(struct usb_
+ if (retval) {
+ dev_err (parent_dev, "can't register root hub for %s, %d\n",
+ dev_name(&usb_dev->dev), retval);
+- }
+- mutex_unlock(&usb_bus_list_lock);
+-
+- if (retval == 0) {
++ } else {
+ spin_lock_irq (&hcd_root_hub_lock);
+ hcd->rh_registered = 1;
+ spin_unlock_irq (&hcd_root_hub_lock);
+@@ -1014,6 +1011,7 @@ static int register_root_hub(struct usb_
+ if (HCD_DEAD(hcd))
+ usb_hc_died (hcd); /* This time clean up */
+ }
++ mutex_unlock(&usb_bus_list_lock);
+
+ return retval;
+ }
diff --git a/queue-3.4/usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch b/queue-3.4/usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch
new file mode 100644
index 00000000000..bbaf52fae05
--- /dev/null
+++ b/queue-3.4/usb-ohci-at91-fix-null-pointer-in-ohci_hcd_at91_overcurrent_irq.patch
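Review bot: The new test in `usb_device_read()` reads `bus_to_hcd(bus)->rh_registered` without `hcd_root_hub_lock`, although `register_root_hub()` writes the flag under that spinlock; the read is safe only if the reader and the root-hub teardown path are both serialised by `usb_bus_list_lock`, and neither the reader's locking nor the clearing side is visible in these hunks. Record the rule at the check, for example `/* rh_registered is stable here: it is set, and the root hub torn down, under usb_bus_list_lock */`, after confirming the unregister path clears the flag before the root hub is freed. `usb_hc_died()` is now called with `usb_bus_list_lock` held in `register_root_hub()`, so also confirm it takes no lock that is elsewhere acquired before that mutex. Both functions continue outside the hunks shown.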
@@ -0,0 +1,130 @@ +From 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 Mon Sep 17 00:00:00 2001 +From: Joachim Eastwood +Date: Sun, 23 Sep 2012 22:56:00 +0200 +Subject: USB: ohci-at91: fix null pointer in ohci_hcd_at91_overcurrent_irq + +From: Joachim Eastwood + +commit 01bb6501779ed0b6dc6c55be34b49eaa6306fdd8 upstream. + +Fixes the following NULL pointer dereference: +[ 7.740000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver +[ 7.810000] Unable to handle kernel NULL pointer dereference at virtual address 00000028 +[ 7.810000] pgd = c3a38000 +[ 7.810000] [00000028] *pgd=23a8c831, *pte=00000000, *ppte=00000000 +[ 7.810000] Internal error: Oops: 17 [#1] PREEMPT ARM +[ 7.810000] Modules linked in: ohci_hcd(+) regmap_i2c snd_pcm usbcore snd_page_alloc at91_cf snd_timer pcmcia_rsrc snd soundcore gpio_keys regmap_spi pcmcia_core usb_common nls_base +[ 7.810000] CPU: 0 Not tainted (3.6.0-rc6-mpa+ #264) +[ 7.810000] PC is at __gpio_to_irq+0x18/0x40 +[ 7.810000] LR is at ohci_hcd_at91_overcurrent_irq+0x24/0xb4 [ohci_hcd] +[ 7.810000] pc : [] lr : [] psr: 40000093 +[ 7.810000] sp : c3a11c40 ip : c3a11c50 fp : c3a11c4c +[ 7.810000] r10: 00000000 r9 : c02dcd6e r8 : fefff400 +[ 7.810000] r7 : 00000000 r6 : c02cc928 r5 : 00000030 r4 : c02dd168 +[ 7.810000] r3 : c02e7350 r2 : ffffffea r1 : c02cc928 r0 : 00000000 +[ 7.810000] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +[ 7.810000] Control: c000717f Table: 23a38000 DAC: 00000015 +[ 7.810000] Process modprobe (pid: 285, stack limit = 0xc3a10270) +[ 7.810000] Stack: (0xc3a11c40 to 0xc3a12000) +[ 7.810000] 1c40: c3a11c6c c3a11c50 bf08f694 c01392cc c3a11c84 c2c38b00 c3806900 00000030 +[ 7.810000] 1c60: c3a11ca4 c3a11c70 c0051264 bf08f680 c3a11cac c3a11c80 c003e764 c3806900 +[ 7.810000] 1c80: c2c38b00 c02cb05c c02cb000 fefff400 c3806930 c3a11cf4 c3a11cbc c3a11ca8 +[ 7.810000] 1ca0: c005142c c005123c c3806900 c3805a00 c3a11cd4 c3a11cc0 c0053f24 c00513e4 +[ 7.810000] 1cc0: c3a11cf4 00000030 c3a11cec c3a11cd8 c005120c 
c0053e88 00000000 00000000 +[ 7.810000] 1ce0: c3a11d1c c3a11cf0 c00124d0 c00511e0 01400000 00000001 00000012 00000000 +[ 7.810000] 1d00: ffffffff c3a11d94 00000030 00000000 c3a11d34 c3a11d20 c005120c c0012438 +[ 7.810000] 1d20: c001dac4 00000012 c3a11d4c c3a11d38 c0009b08 c00511e0 c00523fc 60000013 +[ 7.810000] 1d40: c3a11d5c c3a11d50 c0008510 c0009ab4 c3a11ddc c3a11d60 c0008eb4 c00084f0 +[ 7.810000] 1d60: 00000000 00000030 00000000 00000080 60000013 bf08f670 c3806900 c2c38b00 +[ 7.810000] 1d80: 00000030 c3806930 00000000 c3a11ddc c3a11d88 c3a11da8 c0054190 c00523fc +[ 7.810000] 1da0: 60000013 ffffffff c3a11dec c3a11db8 00000000 c2c38b00 bf08f670 c3806900 +[ 7.810000] 1dc0: 00000000 00000080 c02cc928 00000030 c3a11e0c c3a11de0 c0052764 c00520d8 +[ 7.810000] 1de0: c3a11dfc 00000000 00000000 00000002 bf090f61 00000004 c02cc930 c02cc928 +[ 7.810000] 1e00: c3a11e4c c3a11e10 bf090978 c005269c bf090f61 c02cc928 bf093000 c02dd170 +[ 7.810000] 1e20: c3a11e3c c02cc930 c02cc930 bf0911d0 bf0911d0 bf093000 c3a10000 00000000 +[ 7.810000] 1e40: c3a11e5c c3a11e50 c0155b7c bf090808 c3a11e7c c3a11e60 c0154690 c0155b6c +[ 7.810000] 1e60: c02cc930 c02cc964 bf0911d0 c3a11ea0 c3a11e9c c3a11e80 c015484c c01545e8 +[ 7.810000] 1e80: 00000000 00000000 c01547e4 bf0911d0 c3a11ec4 c3a11ea0 c0152e58 c01547f4 +[ 7.810000] 1ea0: c381b88c c384ab10 c2c10540 bf0911d0 00000000 c02d7518 c3a11ed4 c3a11ec8 +[ 7.810000] 1ec0: c01544c0 c0152e0c c3a11efc c3a11ed8 c01536cc c01544b0 bf091075 c3a11ee8 +[ 7.810000] 1ee0: bf049af0 bf09120c bf0911d0 00000000 c3a11f1c c3a11f00 c0154e9c c0153628 +[ 7.810000] 1f00: bf049af0 bf09120c 000ae190 00000000 c3a11f2c c3a11f20 c0155f58 c0154e04 +[ 7.810000] 1f20: c3a11f44 c3a11f30 bf093054 c0155f1c 00000000 00006a4f c3a11f7c c3a11f48 +[ 7.810000] 1f40: c0008638 bf093010 bf09120c 000ae190 00000000 c00093c4 00006a4f bf09120c +[ 7.810000] 1f60: 000ae190 00000000 c00093c4 00000000 c3a11fa4 c3a11f80 c004fdc4 c000859c +[ 7.810000] 1f80: c3a11fa4 000ae190 00006a4f 00016eb8 
000ad018 00000080 00000000 c3a11fa8 +[ 7.810000] 1fa0: c0009260 c004fd58 00006a4f 00016eb8 000ae190 00006a4f 000ae100 00000000 +[ 7.810000] 1fc0: 00006a4f 00016eb8 000ad018 00000080 000adba0 000ad208 00000000 000ad3d8 +[ 7.810000] 1fe0: beaf7ae8 beaf7ad8 000172b8 b6e4e940 20000010 000ae190 00000000 00000000 +[ 7.810000] Backtrace: +[ 7.810000] [] (__gpio_to_irq+0x0/0x40) from [] (ohci_hcd_at91_overcurrent_irq+0x24/0xb4 [ohci_hcd]) +[ 7.810000] [] (ohci_hcd_at91_overcurrent_irq+0x0/0xb4 [ohci_hcd]) from [] (handle_irq_event_percpu+0x38/0x1a8) +[ 7.810000] r6:00000030 r5:c3806900 r4:c2c38b00 +[ 7.810000] [] (handle_irq_event_percpu+0x0/0x1a8) from [] (handle_irq_event+0x58/0x7c) +[ 7.810000] [] (handle_irq_event+0x0/0x7c) from [] (handle_simple_irq+0xac/0xd8) +[ 7.810000] r5:c3805a00 r4:c3806900 +[ 7.810000] [] (handle_simple_irq+0x0/0xd8) from [] (generic_handle_irq+0x3c/0x48) +[ 7.810000] r4:00000030 +[ 7.810000] [] (generic_handle_irq+0x0/0x48) from [] (gpio_irq_handler+0xa8/0xfc) +[ 7.810000] r4:00000000 +[ 7.810000] [] (gpio_irq_handler+0x0/0xfc) from [] (generic_handle_irq+0x3c/0x48) +[ 7.810000] [] (generic_handle_irq+0x0/0x48) from [] (handle_IRQ+0x64/0x88) +[ 7.810000] r4:00000012 +[ 7.810000] [] (handle_IRQ+0x0/0x88) from [] (at91_aic_handle_irq+0x30/0x38) +[ 7.810000] r5:60000013 r4:c00523fc +[ 7.810000] [] (at91_aic_handle_irq+0x0/0x38) from [] (__irq_svc+0x34/0x60) +[ 7.810000] Exception stack(0xc3a11d60 to 0xc3a11da8) +[ 7.810000] 1d60: 00000000 00000030 00000000 00000080 60000013 bf08f670 c3806900 c2c38b00 +[ 7.810000] 1d80: 00000030 c3806930 00000000 c3a11ddc c3a11d88 c3a11da8 c0054190 c00523fc +[ 7.810000] 1da0: 60000013 ffffffff +[ 7.810000] [] (__setup_irq+0x0/0x458) from [] (request_threaded_irq+0xd8/0x134) +[ 7.810000] [] (request_threaded_irq+0x0/0x134) from [] (ohci_hcd_at91_drv_probe+0x180/0x41c [ohci_hcd]) +[ 7.810000] [] (ohci_hcd_at91_drv_probe+0x0/0x41c [ohci_hcd]) from [] (platform_drv_probe+0x20/0x24) +[ 7.810000] [] 
(platform_drv_probe+0x0/0x24) from [] (driver_probe_device+0xb8/0x20c) +[ 7.810000] [] (driver_probe_device+0x0/0x20c) from [] (__driver_attach+0x68/0x88) +[ 7.810000] r7:c3a11ea0 r6:bf0911d0 r5:c02cc964 r4:c02cc930 +[ 7.810000] [] (__driver_attach+0x0/0x88) from [] (bus_for_each_dev+0x5c/0x9c) +[ 7.810000] r6:bf0911d0 r5:c01547e4 r4:00000000 +[ 7.810000] [] (bus_for_each_dev+0x0/0x9c) from [] (driver_attach+0x20/0x28) +[ 7.810000] r7:c02d7518 r6:00000000 r5:bf0911d0 r4:c2c10540 +[ 7.810000] [] (driver_attach+0x0/0x28) from [] (bus_add_driver+0xb4/0x22c) +[ 7.810000] [] (bus_add_driver+0x0/0x22c) from [] (driver_register+0xa8/0x144) +[ 7.810000] r7:00000000 r6:bf0911d0 r5:bf09120c r4:bf049af0 +[ 7.810000] [] (driver_register+0x0/0x144) from [] (platform_driver_register+0x4c/0x60) +[ 7.810000] r7:00000000 r6:000ae190 r5:bf09120c r4:bf049af0 +[ 7.810000] [] (platform_driver_register+0x0/0x60) from [] (ohci_hcd_mod_init+0x54/0x8c [ohci_hcd]) +[ 7.810000] [] (ohci_hcd_mod_init+0x0/0x8c [ohci_hcd]) from [] (do_one_initcall+0xac/0x174) +[ 7.810000] r4:00006a4f +[ 7.810000] [] (do_one_initcall+0x0/0x174) from [] (sys_init_module+0x7c/0x1a0) +[ 7.810000] [] (sys_init_module+0x0/0x1a0) from [] (ret_fast_syscall+0x0/0x2c) +[ 7.810000] r7:00000080 r6:000ad018 r5:00016eb8 r4:00006a4f +[ 7.810000] Code: e24cb004 e59f3028 e1a02000 e7930180 (e5903028) +[ 7.810000] ---[ end trace 85aa37ed128143b5 ]--- +[ 7.810000] Kernel panic - not syncing: Fatal exception in interrupt + +Commit 6fffb77c (USB: ohci-at91: fix PIO handling in relation with number of +ports) started setting unused pins to EINVAL. But this exposed a bug in the +ohci_hcd_at91_overcurrent_irq function where the gpio was used without being +checked to see if it is valid. + +This patches fixed the issue by adding the gpio valid check. 
+
+Signed-off-by: Joachim Eastwood
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ohci-at91.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-at91.c
++++ b/drivers/usb/host/ohci-at91.c
+@@ -466,7 +466,8 @@ static irqreturn_t ohci_hcd_at91_overcur
+ /* From the GPIO notifying the over-current situation, find
+ * out the corresponding port */
+ at91_for_each_port(port) {
+- if (gpio_to_irq(pdata->overcurrent_pin[port]) == irq) {
++ if (gpio_is_valid(pdata->overcurrent_pin[port]) &&
++ gpio_to_irq(pdata->overcurrent_pin[port]) == irq) {
+ gpio = pdata->overcurrent_pin[port];
+ break;
+ }
diff --git a/queue-3.4/vmwgfx-corruption-in-vmw_event_fence_action_create.patch b/queue-3.4/vmwgfx-corruption-in-vmw_event_fence_action_create.patch
new file mode 100644
index 00000000000..6a8d960d6cd
--- /dev/null
+++ b/queue-3.4/vmwgfx-corruption-in-vmw_event_fence_action_create.patch
@@ -0,0 +1,32 @@
+From 68c4fce737c4b963e336435f225621dc21138397 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Sun, 23 Sep 2012 19:33:55 +0300
+Subject: vmwgfx: corruption in vmw_event_fence_action_create()
+
+From: Dan Carpenter
+
+commit 68c4fce737c4b963e336435f225621dc21138397 upstream.
+
+We don't allocate enough data for this struct. As soon as we start
+modifying event->event on the next lines, then we're going beyond the
+end of the memory we allocated.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+@@ -1018,7 +1018,7 @@ int vmw_event_fence_action_create(struct
+ }
+
+
+- event = kzalloc(sizeof(event->event), GFP_KERNEL);
++ event = kzalloc(sizeof(*event), GFP_KERNEL);
+ if (unlikely(event == NULL)) {
+ DRM_ERROR("Failed to allocate an event.\n");
+ ret = -ENOMEM;
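Review bot: The reason for the added `gpio_is_valid()` guard in the lookup loop of `ohci_hcd_at91_overcurrent_irq()` is recorded only in the changelog; add a comment above the condition such as `/* unused ports carry an invalid pin number; never pass those to gpio_to_irq() */`. The code after the loop is outside the hunk, so confirm that the no-match case returns before `gpio` is read. Other places that convert entries of `pdata->overcurrent_pin[]` with `gpio_to_irq()` may need the same guard, which cannot be checked from this page.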