From 6f6143398620d7f77ccd1bae7a3615e0a8e1e4ef Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 11 Feb 2013 11:42:51 -0800 Subject: [PATCH] 3.7-stable patches added patches: bluetooth-fix-handling-of-unexpected-smp-pdus.patch can-c_can-set-reserved-bit-in-ifx_mask2-to-1-on-write.patch e1000e-enable-ecc-on-i217-i218-to-catch-packet-buffer-memory-errors.patch ib-qib-fix-for-broken-sparse-warning-fix.patch mwifiex-fix-incomplete-scan-in-case-of-ie-parsing-error.patch regulator-clear-state-each-invocation-of-of_regulator_match.patch regulator-max8998-fix-incorrect-min_uv-value-for-ldo10.patch regulator-s2mps11-fix-incorrect-register-for-buck10.patch revert-iwlwifi-fix-the-reclaimed-packet-tracking-upon-flush-queue.patch virtio_console-don-t-access-uninitialized-data.patch --- ...-fix-handling-of-unexpected-smp-pdus.patch | 47 ++++ ...erved-bit-in-ifx_mask2-to-1-on-write.patch | 36 ++++ ...to-catch-packet-buffer-memory-errors.patch | 204 ++++++++++++++++++ ...ib-fix-for-broken-sparse-warning-fix.patch | 50 +++++ ...ete-scan-in-case-of-ie-parsing-error.patch | 76 +++++++ ...ach-invocation-of-of_regulator_match.patch | 45 ++++ ...fix-incorrect-min_uv-value-for-ldo10.patch | 33 +++ ...11-fix-incorrect-register-for-buck10.patch | 34 +++ ...med-packet-tracking-upon-flush-queue.patch | 67 ++++++ queue-3.7/series | 10 + ...sole-don-t-access-uninitialized-data.patch | 68 ++++++ 11 files changed, 670 insertions(+) create mode 100644 queue-3.7/bluetooth-fix-handling-of-unexpected-smp-pdus.patch create mode 100644 queue-3.7/can-c_can-set-reserved-bit-in-ifx_mask2-to-1-on-write.patch create mode 100644 queue-3.7/e1000e-enable-ecc-on-i217-i218-to-catch-packet-buffer-memory-errors.patch create mode 100644 queue-3.7/ib-qib-fix-for-broken-sparse-warning-fix.patch create mode 100644 queue-3.7/mwifiex-fix-incomplete-scan-in-case-of-ie-parsing-error.patch create mode 100644 queue-3.7/regulator-clear-state-each-invocation-of-of_regulator_match.patch create mode 100644 queue-3.7/regulator-max8998-fix-incorrect-min_uv-value-for-ldo10.patch create mode 100644 queue-3.7/regulator-s2mps11-fix-incorrect-register-for-buck10.patch create mode 100644 queue-3.7/revert-iwlwifi-fix-the-reclaimed-packet-tracking-upon-flush-queue.patch create mode 100644 queue-3.7/virtio_console-don-t-access-uninitialized-data.patch diff --git a/queue-3.7/bluetooth-fix-handling-of-unexpected-smp-pdus.patch b/queue-3.7/bluetooth-fix-handling-of-unexpected-smp-pdus.patch new file mode 100644 index 00000000000..5109ecadc68 --- /dev/null +++ b/queue-3.7/bluetooth-fix-handling-of-unexpected-smp-pdus.patch @@ -0,0 +1,47 @@ +From 8cf9fa1240229cbdd888236c0c43fcbad680cf00 Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Tue, 29 Jan 2013 10:44:23 -0600 +Subject: Bluetooth: Fix handling of unexpected SMP PDUs + +From: Johan Hedberg + +commit 8cf9fa1240229cbdd888236c0c43fcbad680cf00 upstream. + +The conn->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected +moments. To avoid NULL pointer dereferences the code should be checking +for this and disconnect if an unexpected SMP PDU arrives. This patch +fixes the issue by adding a check for conn->smp_chan for all other PDUs +except pairing request and security request (which are are the first +PDUs to come to initialize the SMP context). + +Signed-off-by: Johan Hedberg +Acked-by: Marcel Holtmann +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/smp.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -859,6 +859,19 @@ int smp_sig_channel(struct l2cap_conn *c + + skb_pull(skb, sizeof(code)); + ++ /* ++ * The SMP context must be initialized for all other PDUs except ++ * pairing and security requests. If we get any other PDU when ++ * not initialized simply disconnect (done if this function ++ * returns an error). ++ */ ++ if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ && ++ !conn->smp_chan) { ++ BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code); ++ kfree_skb(skb); ++ return -ENOTSUPP; ++ } ++ + switch (code) { + case SMP_CMD_PAIRING_REQ: + reason = smp_cmd_pairing_req(conn, skb); diff --git a/queue-3.7/can-c_can-set-reserved-bit-in-ifx_mask2-to-1-on-write.patch b/queue-3.7/can-c_can-set-reserved-bit-in-ifx_mask2-to-1-on-write.patch new file mode 100644 index 00000000000..4cc2b03e21d --- /dev/null +++ b/queue-3.7/can-c_can-set-reserved-bit-in-ifx_mask2-to-1-on-write.patch @@ -0,0 +1,36 @@ +From 2bd3bc4e8472424f1a6009825397639a8968920a Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Thu, 13 Dec 2012 10:06:10 +0100 +Subject: can: c_can: Set reserved bit in IFx_MASK2 to 1 on write + +From: Alexander Stein + +commit 2bd3bc4e8472424f1a6009825397639a8968920a upstream. + +According to C_CAN documentation, the reserved bit in IFx_MASK2 register is +fixed 1. + +Signed-off-by: Alexander Stein +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/c_can/c_can.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -482,8 +482,12 @@ static void c_can_setup_receive_object(s + + priv->write_reg(priv, C_CAN_IFACE(MASK1_REG, iface), + IFX_WRITE_LOW_16BIT(mask)); ++ ++ /* According to C_CAN documentation, the reserved bit ++ * in IFx_MASK2 register is fixed 1 ++ */ + priv->write_reg(priv, C_CAN_IFACE(MASK2_REG, iface), +- IFX_WRITE_HIGH_16BIT(mask)); ++ IFX_WRITE_HIGH_16BIT(mask) | BIT(13)); + + priv->write_reg(priv, C_CAN_IFACE(ARB1_REG, iface), + IFX_WRITE_LOW_16BIT(id)); diff --git a/queue-3.7/e1000e-enable-ecc-on-i217-i218-to-catch-packet-buffer-memory-errors.patch b/queue-3.7/e1000e-enable-ecc-on-i217-i218-to-catch-packet-buffer-memory-errors.patch new file mode 100644 index 00000000000..1b01efe4182 --- /dev/null +++ b/queue-3.7/e1000e-enable-ecc-on-i217-i218-to-catch-packet-buffer-memory-errors.patch @@ -0,0 +1,204 @@ +From 286003048aaef49b26bb9d93611dc69085e8982e Mon Sep 17 00:00:00 2001 +From: Bruce Allan +Date: Mon, 28 Jan 2013 00:43:48 +0000 +Subject: e1000e: enable ECC on I217/I218 to catch packet buffer memory errors + +From: Bruce Allan + +commit 286003048aaef49b26bb9d93611dc69085e8982e upstream. + +In rare instances, memory errors have been detected in the internal packet +buffer memory on I217/I218 when stressed under certain environmental +conditions. Enable Error Correcting Code (ECC) in hardware to catch both +correctable and uncorrectable errors. Correctable errors will be handled +by the hardware. Uncorrectable errors in the packet buffer will cause the +packet to be received with an error indication in the buffer descriptor +causing the packet to be discarded. If the uncorrectable error is in the +descriptor itself, the hardware will stop and interrupt the driver +indicating the error. The driver will then reset the hardware in order to +clear the error and restart. + +Both types of errors will be accounted for in statistics counters. + +Signed-off-by: Bruce Allan +Tested-by: Jeff Pieper +Signed-off-by: Jeff Kirsher +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/e1000e/defines.h | 9 +++++ + drivers/net/ethernet/intel/e1000e/e1000.h | 2 + + drivers/net/ethernet/intel/e1000e/ethtool.c | 2 + + drivers/net/ethernet/intel/e1000e/hw.h | 1 + drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++ + drivers/net/ethernet/intel/e1000e/netdev.c | 46 ++++++++++++++++++++++++++++ + 6 files changed, 71 insertions(+) + +--- a/drivers/net/ethernet/intel/e1000e/defines.h ++++ b/drivers/net/ethernet/intel/e1000e/defines.h +@@ -233,6 +233,7 @@ + #define E1000_CTRL_FRCDPX 0x00001000 /* Force Duplex */ + #define E1000_CTRL_LANPHYPC_OVERRIDE 0x00010000 /* SW control of LANPHYPC */ + #define E1000_CTRL_LANPHYPC_VALUE 0x00020000 /* SW value of LANPHYPC */ ++#define E1000_CTRL_MEHE 0x00080000 /* Memory Error Handling Enable */ + #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */ + #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */ + #define E1000_CTRL_SWDPIO0 0x00400000 /* SWDPIN 0 Input or output */ +@@ -391,6 +392,12 @@ + + #define E1000_PBS_16K E1000_PBA_16K + ++/* Uncorrectable/correctable ECC Error counts and enable bits */ ++#define E1000_PBECCSTS_CORR_ERR_CNT_MASK 0x000000FF ++#define E1000_PBECCSTS_UNCORR_ERR_CNT_MASK 0x0000FF00 ++#define E1000_PBECCSTS_UNCORR_ERR_CNT_SHIFT 8 ++#define E1000_PBECCSTS_ECC_ENABLE 0x00010000 ++ + #define IFS_MAX 80 + #define IFS_MIN 40 + #define IFS_RATIO 4 +@@ -410,6 +417,7 @@ + #define E1000_ICR_RXSEQ 0x00000008 /* Rx sequence error */ + #define E1000_ICR_RXDMT0 0x00000010 /* Rx desc min. threshold (0) */ + #define E1000_ICR_RXT0 0x00000080 /* Rx timer intr (ring 0) */ ++#define E1000_ICR_ECCER 0x00400000 /* Uncorrectable ECC Error */ + #define E1000_ICR_INT_ASSERTED 0x80000000 /* If this bit asserted, the driver should claim the interrupt */ + #define E1000_ICR_RXQ0 0x00100000 /* Rx Queue 0 Interrupt */ + #define E1000_ICR_RXQ1 0x00200000 /* Rx Queue 1 Interrupt */ +@@ -446,6 +454,7 @@ + #define E1000_IMS_RXSEQ E1000_ICR_RXSEQ /* Rx sequence error */ + #define E1000_IMS_RXDMT0 E1000_ICR_RXDMT0 /* Rx desc min. threshold */ + #define E1000_IMS_RXT0 E1000_ICR_RXT0 /* Rx timer intr */ ++#define E1000_IMS_ECCER E1000_ICR_ECCER /* Uncorrectable ECC Error */ + #define E1000_IMS_RXQ0 E1000_ICR_RXQ0 /* Rx Queue 0 Interrupt */ + #define E1000_IMS_RXQ1 E1000_ICR_RXQ1 /* Rx Queue 1 Interrupt */ + #define E1000_IMS_TXQ0 E1000_ICR_TXQ0 /* Tx Queue 0 Interrupt */ +--- a/drivers/net/ethernet/intel/e1000e/e1000.h ++++ b/drivers/net/ethernet/intel/e1000e/e1000.h +@@ -314,6 +314,8 @@ struct e1000_adapter { + + struct napi_struct napi; + ++ unsigned int uncorr_errors; /* uncorrectable ECC errors */ ++ unsigned int corr_errors; /* correctable ECC errors */ + unsigned int restart_queue; + u32 txd_cmd; + +--- a/drivers/net/ethernet/intel/e1000e/ethtool.c ++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c +@@ -108,6 +108,8 @@ static const struct e1000_stats e1000_gs + E1000_STAT("dropped_smbus", stats.mgpdc), + E1000_STAT("rx_dma_failed", rx_dma_failed), + E1000_STAT("tx_dma_failed", tx_dma_failed), ++ E1000_STAT("uncorr_ecc_errors", uncorr_errors), ++ E1000_STAT("corr_ecc_errors", corr_errors), + }; + + #define E1000_GLOBAL_STATS_LEN ARRAY_SIZE(e1000_gstrings_stats) +--- a/drivers/net/ethernet/intel/e1000e/hw.h ++++ b/drivers/net/ethernet/intel/e1000e/hw.h +@@ -77,6 +77,7 @@ enum e1e_registers { + #define E1000_POEMB E1000_PHY_CTRL /* PHY OEM Bits */ + E1000_PBA = 0x01000, /* Packet Buffer Allocation - RW */ + E1000_PBS = 0x01008, /* Packet Buffer Size */ ++ E1000_PBECCSTS = 0x0100C, /* Packet Buffer ECC Status - RW */ + E1000_EEMNGCTL = 0x01010, /* MNG EEprom Control */ + E1000_EEWR = 0x0102C, /* EEPROM Write Register - RW */ + E1000_FLOP = 0x0103C, /* FLASH Opcode Register */ +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -3690,6 +3690,17 @@ static void e1000_initialize_hw_bits_ich + if (hw->mac.type == e1000_ich8lan) + reg |= (E1000_RFCTL_IPV6_EX_DIS | E1000_RFCTL_NEW_IPV6_EXT_DIS); + ew32(RFCTL, reg); ++ ++ /* Enable ECC on Lynxpoint */ ++ if (hw->mac.type == e1000_pch_lpt) { ++ reg = er32(PBECCSTS); ++ reg |= E1000_PBECCSTS_ECC_ENABLE; ++ ew32(PBECCSTS, reg); ++ ++ reg = er32(CTRL); ++ reg |= E1000_CTRL_MEHE; ++ ew32(CTRL, reg); ++ } + } + + /** +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -1687,6 +1687,23 @@ static irqreturn_t e1000_intr_msi(int ir + mod_timer(&adapter->watchdog_timer, jiffies + 1); + } + ++ /* Reset on uncorrectable ECC error */ ++ if ((icr & E1000_ICR_ECCER) && (hw->mac.type == e1000_pch_lpt)) { ++ u32 pbeccsts = er32(PBECCSTS); ++ ++ adapter->corr_errors += ++ pbeccsts & E1000_PBECCSTS_CORR_ERR_CNT_MASK; ++ adapter->uncorr_errors += ++ (pbeccsts & E1000_PBECCSTS_UNCORR_ERR_CNT_MASK) >> ++ E1000_PBECCSTS_UNCORR_ERR_CNT_SHIFT; ++ ++ /* Do the reset outside of interrupt context */ ++ schedule_work(&adapter->reset_task); ++ ++ /* return immediately since reset is imminent */ ++ return IRQ_HANDLED; ++ } ++ + if (napi_schedule_prep(&adapter->napi)) { + adapter->total_tx_bytes = 0; + adapter->total_tx_packets = 0; +@@ -1754,6 +1771,23 @@ static irqreturn_t e1000_intr(int irq, v + mod_timer(&adapter->watchdog_timer, jiffies + 1); + } + ++ /* Reset on uncorrectable ECC error */ ++ if ((icr & E1000_ICR_ECCER) && (hw->mac.type == e1000_pch_lpt)) { ++ u32 pbeccsts = er32(PBECCSTS); ++ ++ adapter->corr_errors += ++ pbeccsts & E1000_PBECCSTS_CORR_ERR_CNT_MASK; ++ adapter->uncorr_errors += ++ (pbeccsts & E1000_PBECCSTS_UNCORR_ERR_CNT_MASK) >> ++ E1000_PBECCSTS_UNCORR_ERR_CNT_SHIFT; ++ ++ /* Do the reset outside of interrupt context */ ++ schedule_work(&adapter->reset_task); ++ ++ /* return immediately since reset is imminent */ ++ return IRQ_HANDLED; ++ } ++ + if (napi_schedule_prep(&adapter->napi)) { + adapter->total_tx_bytes = 0; + adapter->total_tx_packets = 0; +@@ -2117,6 +2151,8 @@ static void e1000_irq_enable(struct e100 + if (adapter->msix_entries) { + ew32(EIAC_82574, adapter->eiac_mask & E1000_EIAC_MASK_82574); + ew32(IMS, adapter->eiac_mask | E1000_IMS_OTHER | E1000_IMS_LSC); ++ } else if (hw->mac.type == e1000_pch_lpt) { ++ ew32(IMS, IMS_ENABLE_MASK | E1000_IMS_ECCER); + } else { + ew32(IMS, IMS_ENABLE_MASK); + } +@@ -4297,6 +4333,16 @@ static void e1000e_update_stats(struct e + adapter->stats.mgptc += er32(MGTPTC); + adapter->stats.mgprc += er32(MGTPRC); + adapter->stats.mgpdc += er32(MGTPDC); ++ ++ /* Correctable ECC Errors */ ++ if (hw->mac.type == e1000_pch_lpt) { ++ u32 pbeccsts = er32(PBECCSTS); ++ adapter->corr_errors += ++ pbeccsts & E1000_PBECCSTS_CORR_ERR_CNT_MASK; ++ adapter->uncorr_errors += ++ (pbeccsts & E1000_PBECCSTS_UNCORR_ERR_CNT_MASK) >> ++ E1000_PBECCSTS_UNCORR_ERR_CNT_SHIFT; ++ } + } + + /** diff --git a/queue-3.7/ib-qib-fix-for-broken-sparse-warning-fix.patch b/queue-3.7/ib-qib-fix-for-broken-sparse-warning-fix.patch new file mode 100644 index 00000000000..1714ee4ad66 --- /dev/null +++ b/queue-3.7/ib-qib-fix-for-broken-sparse-warning-fix.patch @@ -0,0 +1,50 @@ +From d359f35430c4ea4dd4e24d809aeaeff1fa54c314 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Thu, 24 Jan 2013 18:59:34 +0000 +Subject: IB/qib: Fix for broken sparse warning fix + +From: Mike Marciniszyn + +commit d359f35430c4ea4dd4e24d809aeaeff1fa54c314 upstream. + +Commit 1fb9fed6d489 ("IB/qib: Fix QP RCU sparse warning") broke QP +hash list deletion in qp_remove() badly. + +This patch restores the former for loop behavior, while still fixing +the sparse warnings. + +Reviewed-by: Gary Leshner +Signed-off-by: Mike Marciniszyn +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib_qp.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib_qp.c ++++ b/drivers/infiniband/hw/qib/qib_qp.c +@@ -263,20 +263,15 @@ static void remove_qp(struct qib_ibdev * + struct qib_qp __rcu **qpp; + + qpp = &dev->qp_table[n]; +- q = rcu_dereference_protected(*qpp, +- lockdep_is_held(&dev->qpt_lock)); +- for (; q; qpp = &q->next) { ++ for (; (q = rcu_dereference_protected(*qpp, ++ lockdep_is_held(&dev->qpt_lock))) != NULL; ++ qpp = &q->next) + if (q == qp) { + atomic_dec(&qp->refcount); + *qpp = qp->next; + rcu_assign_pointer(qp->next, NULL); +- q = rcu_dereference_protected(*qpp, +- lockdep_is_held(&dev->qpt_lock)); + break; + } +- q = rcu_dereference_protected(*qpp, +- lockdep_is_held(&dev->qpt_lock)); +- } + } + + spin_unlock_irqrestore(&dev->qpt_lock, flags); diff --git a/queue-3.7/mwifiex-fix-incomplete-scan-in-case-of-ie-parsing-error.patch b/queue-3.7/mwifiex-fix-incomplete-scan-in-case-of-ie-parsing-error.patch new file mode 100644 index 00000000000..bda747cd806 --- /dev/null +++ b/queue-3.7/mwifiex-fix-incomplete-scan-in-case-of-ie-parsing-error.patch @@ -0,0 +1,76 @@ +From 8a7d7cbf7b5ff9912ef50b3e94c9ad9f37b1c75f Mon Sep 17 00:00:00 2001 +From: Bing Zhao +Date: Tue, 29 Jan 2013 14:38:02 -0800 +Subject: mwifiex: fix incomplete scan in case of IE parsing error + +From: Bing Zhao + +commit 8a7d7cbf7b5ff9912ef50b3e94c9ad9f37b1c75f upstream. + +A scan request is split into multiple scan commands queued in +scan_pending_q. Each scan command will be sent to firmware and +its response is handlded one after another. + +If any error is detected while parsing IE in command response +buffer the remaining data will be ignored and error is returned. + +We should check if there is any more scan commands pending in +the queue before returning error. This ensures that we will call +cfg80211_scan_done if this is the last scan command, or send +next scan command in scan_pending_q to firmware. + +Signed-off-by: Bing Zhao +Signed-off-by: Amitkumar Karwar +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/scan.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mwifiex/scan.c ++++ b/drivers/net/wireless/mwifiex/scan.c +@@ -1555,7 +1555,7 @@ int mwifiex_ret_802_11_scan(struct mwifi + dev_err(adapter->dev, "SCAN_RESP: too many AP returned (%d)\n", + scan_rsp->number_of_sets); + ret = -1; +- goto done; ++ goto check_next_scan; + } + + bytes_left = le16_to_cpu(scan_rsp->bss_descript_size); +@@ -1626,7 +1626,8 @@ int mwifiex_ret_802_11_scan(struct mwifi + if (!beacon_size || beacon_size > bytes_left) { + bss_info += bytes_left; + bytes_left = 0; +- return -1; ++ ret = -1; ++ goto check_next_scan; + } + + /* Initialize the current working beacon pointer for this BSS +@@ -1682,7 +1683,7 @@ int mwifiex_ret_802_11_scan(struct mwifi + dev_err(priv->adapter->dev, + "%s: bytes left < IE length\n", + __func__); +- goto done; ++ goto check_next_scan; + } + if (element_id == WLAN_EID_DS_PARAMS) { + channel = *(current_ptr + sizeof(struct ieee_types_header)); +@@ -1745,6 +1746,7 @@ int mwifiex_ret_802_11_scan(struct mwifi + } + } + ++check_next_scan: + spin_lock_irqsave(&adapter->scan_pending_q_lock, flags); + if (list_empty(&adapter->scan_pending_q)) { + spin_unlock_irqrestore(&adapter->scan_pending_q_lock, flags); +@@ -1792,7 +1794,6 @@ int mwifiex_ret_802_11_scan(struct mwifi + } + } + +-done: + return ret; + } + diff --git a/queue-3.7/regulator-clear-state-each-invocation-of-of_regulator_match.patch b/queue-3.7/regulator-clear-state-each-invocation-of-of_regulator_match.patch new file mode 100644 index 00000000000..cd3a945c9c4 --- /dev/null +++ b/queue-3.7/regulator-clear-state-each-invocation-of-of_regulator_match.patch @@ -0,0 +1,45 @@ +From a2f95c363701deba2205f81929b40222ea6f4f80 Mon Sep 17 00:00:00 2001 +From: Stephen Warren +Date: Tue, 29 Jan 2013 12:01:13 -0700 +Subject: regulator: clear state each invocation of of_regulator_match + +From: Stephen Warren + +commit a2f95c363701deba2205f81929b40222ea6f4f80 upstream. + +of_regulator_match() saves some dynamcially allocated state into the +match table that's passed to it. By implementation and not contract, for +each match table entry, if non-NULL state is already present, +of_regulator_match() will not overwrite it. of_regulator_match() is +typically called each time a regulator is probe()d. This means it is +called with the same match table over and over again if a regulator +triggers deferred probe. This results in stale, kfree()d data being left +in the match table from probe to probe, which causes a variety of crashes +or use of invalid data. + +Explicitly free all output state from of_regulator_match() before +generating new results in order to avoid this. + +Signed-off-by: Stephen Warren +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/of_regulator.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -120,6 +120,12 @@ int of_regulator_match(struct device *de + if (!dev || !node) + return -EINVAL; + ++ for (i = 0; i < num_matches; i++) { ++ struct of_regulator_match *match = &matches[i]; ++ match->init_data = NULL; ++ match->of_node = NULL; ++ } ++ + for_each_child_of_node(node, child) { + name = of_get_property(child, + "regulator-compatible", NULL); diff --git a/queue-3.7/regulator-max8998-fix-incorrect-min_uv-value-for-ldo10.patch b/queue-3.7/regulator-max8998-fix-incorrect-min_uv-value-for-ldo10.patch new file mode 100644 index 00000000000..b9c6ad87bb1 --- /dev/null +++ b/queue-3.7/regulator-max8998-fix-incorrect-min_uv-value-for-ldo10.patch @@ -0,0 +1,33 @@ +From 36a6f8c035760dcbd0c3acb4c2fd56268588a9cb Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Fri, 25 Jan 2013 09:25:40 +0100 +Subject: regulator: max8998: fix incorrect min_uV value for ldo10 + +From: Marek Szyprowski + +commit 36a6f8c035760dcbd0c3acb4c2fd56268588a9cb upstream. + +Correct value for minimal voltage for ldo10 output is 950000 uV. This +patch fixes the typo introduced by patch adf6178ad5552a7f2f742a8c85343c50 +("regulator: max8998: Use uV in voltage_map_desc"), what solves broken +probe of max8998 in v3.8-rc4. + +Signed-off-by: Marek Szyprowski +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/max8998.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/max8998.c ++++ b/drivers/regulator/max8998.c +@@ -65,7 +65,7 @@ static const struct voltage_map_desc ldo + .min = 2800000, .step = 100000, .max = 3100000, + }; + static const struct voltage_map_desc ldo10_voltage_map_desc = { +- .min = 95000, .step = 50000, .max = 1300000, ++ .min = 950000, .step = 50000, .max = 1300000, + }; + static const struct voltage_map_desc ldo1213_voltage_map_desc = { + .min = 800000, .step = 100000, .max = 3300000, diff --git a/queue-3.7/regulator-s2mps11-fix-incorrect-register-for-buck10.patch b/queue-3.7/regulator-s2mps11-fix-incorrect-register-for-buck10.patch new file mode 100644 index 00000000000..07d862e9e19 --- /dev/null +++ b/queue-3.7/regulator-s2mps11-fix-incorrect-register-for-buck10.patch @@ -0,0 +1,34 @@ +From c76edd52bf19c9d01da7edc4ff04d3707c299779 Mon Sep 17 00:00:00 2001 +From: Alim Akhtar +Date: Wed, 30 Jan 2013 08:02:27 -0500 +Subject: regulator: s2mps11: fix incorrect register for buck10 + +From: Alim Akhtar + +commit c76edd52bf19c9d01da7edc4ff04d3707c299779 upstream. + +For BUCK10 the control registers are wrongly set as buck9 control register +This patch corrects the control registers for buck10 + +Signed-off-by: Alim Akhtar +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/s2mps11.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/regulator/s2mps11.c ++++ b/drivers/regulator/s2mps11.c +@@ -174,9 +174,9 @@ static struct regulator_ops s2mps11_buck + .min_uV = S2MPS11_BUCK_MIN2, \ + .uV_step = S2MPS11_BUCK_STEP2, \ + .n_voltages = S2MPS11_BUCK_N_VOLTAGES, \ +- .vsel_reg = S2MPS11_REG_B9CTRL2, \ ++ .vsel_reg = S2MPS11_REG_B10CTRL2, \ + .vsel_mask = S2MPS11_BUCK_VSEL_MASK, \ +- .enable_reg = S2MPS11_REG_B9CTRL1, \ ++ .enable_reg = S2MPS11_REG_B10CTRL1, \ + .enable_mask = S2MPS11_ENABLE_MASK \ + } + diff --git a/queue-3.7/revert-iwlwifi-fix-the-reclaimed-packet-tracking-upon-flush-queue.patch b/queue-3.7/revert-iwlwifi-fix-the-reclaimed-packet-tracking-upon-flush-queue.patch new file mode 100644 index 00000000000..cfea1a51d19 --- /dev/null +++ b/queue-3.7/revert-iwlwifi-fix-the-reclaimed-packet-tracking-upon-flush-queue.patch @@ -0,0 +1,67 @@ +From ae023b2795d36f0f077e157428eb7eafa29ee412 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 21 Jan 2013 13:12:57 +0200 +Subject: Revert "iwlwifi: fix the reclaimed packet tracking upon flush queue" + +From: Emmanuel Grumbach + +commit ae023b2795d36f0f077e157428eb7eafa29ee412 upstream. + +This reverts commit f590dcec944552f9a4a61155810f3abd17d6465d +which has been reported to cause issues. + +See https://lkml.org/lkml/2013/1/20/4 for further details. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/dvm/tx.c | 24 +++++++----------------- + 1 file changed, 7 insertions(+), 17 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/dvm/tx.c ++++ b/drivers/net/wireless/iwlwifi/dvm/tx.c +@@ -1154,6 +1154,13 @@ int iwlagn_rx_reply_tx(struct iwl_priv * + next_reclaimed = ssn; + } + ++ if (tid != IWL_TID_NON_QOS) { ++ priv->tid_data[sta_id][tid].next_reclaimed = ++ next_reclaimed; ++ IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n", ++ next_reclaimed); ++ } ++ + iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs); + + iwlagn_check_ratid_empty(priv, sta_id, tid); +@@ -1204,28 +1211,11 @@ int iwlagn_rx_reply_tx(struct iwl_priv * + if (!is_agg) + iwlagn_non_agg_tx_status(priv, ctx, hdr->addr1); + +- /* +- * W/A for FW bug - the seq_ctl isn't updated when the +- * queues are flushed. Fetch it from the packet itself +- */ +- if (!is_agg && status == TX_STATUS_FAIL_FIFO_FLUSHED) { +- next_reclaimed = le16_to_cpu(hdr->seq_ctrl); +- next_reclaimed = +- SEQ_TO_SN(next_reclaimed + 0x10); +- } +- + is_offchannel_skb = + (info->flags & IEEE80211_TX_CTL_TX_OFFCHAN); + freed++; + } + +- if (tid != IWL_TID_NON_QOS) { +- priv->tid_data[sta_id][tid].next_reclaimed = +- next_reclaimed; +- IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n", +- next_reclaimed); +- } +- + WARN_ON(!is_agg && freed != 1); + + /* diff --git a/queue-3.7/series b/queue-3.7/series index 980c122805e..ce102a1391e 100644 --- a/queue-3.7/series +++ b/queue-3.7/series @@ -1,2 +1,12 @@ rtlwifi-fix-the-usage-of-the-wrong-variable-in-usb.c.patch rtlwifi-fix-scheduling-while-atomic-bug.patch +regulator-max8998-fix-incorrect-min_uv-value-for-ldo10.patch +regulator-clear-state-each-invocation-of-of_regulator_match.patch +regulator-s2mps11-fix-incorrect-register-for-buck10.patch +ib-qib-fix-for-broken-sparse-warning-fix.patch +virtio_console-don-t-access-uninitialized-data.patch +bluetooth-fix-handling-of-unexpected-smp-pdus.patch +revert-iwlwifi-fix-the-reclaimed-packet-tracking-upon-flush-queue.patch +can-c_can-set-reserved-bit-in-ifx_mask2-to-1-on-write.patch +mwifiex-fix-incomplete-scan-in-case-of-ie-parsing-error.patch +e1000e-enable-ecc-on-i217-i218-to-catch-packet-buffer-memory-errors.patch diff --git a/queue-3.7/virtio_console-don-t-access-uninitialized-data.patch b/queue-3.7/virtio_console-don-t-access-uninitialized-data.patch new file mode 100644 index 00000000000..88da6c230ef --- /dev/null +++ b/queue-3.7/virtio_console-don-t-access-uninitialized-data.patch @@ -0,0 +1,68 @@ +From aded024a12b32fc1ed9a80639681daae2d07ec25 Mon Sep 17 00:00:00 2001 +From: Sjur Brændeland +Date: Tue, 22 Jan 2013 09:50:26 +1030 +Subject: virtio_console: Don't access uninitialized data. + +From: Sjur Brændeland + +commit aded024a12b32fc1ed9a80639681daae2d07ec25 upstream. + +Don't access uninitialized work-queue when removing device. +The work queue is initialized only if the device multi-queue. +So don't call cancel_work unless this is a multi-queue device. + +This fixes the following panic: + +Kernel panic - not syncing: BUG! +Call Trace: +62031b28: [<6026085d>] panic+0x16b/0x2d3 +62031b30: [<6004ef5e>] flush_work+0x0/0x1d7 +62031b60: [<602606f2>] panic+0x0/0x2d3 +62031b68: [<600333b0>] memcpy+0x0/0x140 +62031b80: [<6002d58a>] unblock_signals+0x0/0x84 +62031ba0: [<602609c5>] printk+0x0/0xa0 +62031bd8: [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148 +62031c10: [<6004ef5e>] flush_work+0x0/0x1d7 +62031c18: [<60050234>] try_to_grab_pending+0x0/0x17e +62031c38: [<6004e984>] get_work_gcwq+0x71/0x8f +62031c48: [<60050539>] __cancel_work_timer+0x5b/0x115 +62031c78: [<628acc85>] unplug_port+0x0/0x191 [virtio_console] +62031c98: [<6005061c>] cancel_work_sync+0x12/0x14 +62031ca8: [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console] +62031ce8: [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio] +62031d08: [<601cf242>] __device_release_driver+0x75/0xe4 +62031d28: [<601cf2dd>] device_release_driver+0x2c/0x40 +62031d48: [<601ce0dd>] driver_unbind+0x7d/0xc6 +62031d88: [<601cd5d9>] drv_attr_store+0x27/0x29 +62031d98: [<60115f61>] sysfs_write_file+0x100/0x14d +62031df8: [<600b737d>] vfs_write+0xcb/0x184 +62031e08: [<600b58b8>] filp_close+0x88/0x94 +62031e38: [<600b7686>] sys_write+0x59/0x88 +62031e88: [<6001ced1>] handle_syscall+0x5d/0x80 +62031ea8: [<60030a74>] userspace+0x405/0x531 +62031f08: [<600d32cc>] sys_dup+0x0/0x5e +62031f28: [<601b11d6>] strcpy+0x0/0x18 +62031f38: [<600be46c>] do_execve+0x10/0x12 +62031f48: [<600184c7>] run_init_process+0x43/0x45 +62031fd8: [<60019a91>] new_thread_handler+0xba/0xbc + +Signed-off-by: Sjur Brændeland +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1966,7 +1966,8 @@ static void virtcons_remove(struct virti + /* Disable interrupts for vqs */ + vdev->config->reset(vdev); + /* Finish up work that's lined up */ +- cancel_work_sync(&portdev->control_work); ++ if (use_multiport(portdev)) ++ cancel_work_sync(&portdev->control_work); + + list_for_each_entry_safe(port, port2, &portdev->ports, list) + unplug_port(port); -- 2.47.3