Miklos Szeredi [Tue, 18 Feb 2014 09:55:55 +0000 (10:55 +0100)]
cifs: ensure that uncached writes handle unmapped areas
correctly (bnc#864025 CVE-2014-00691).

suse-commit: b9302247582d038c00cfef1bb14914f9d930ad42

Borislav Petkov [Mon, 17 Feb 2014 16:02:46 +0000 (17:02 +0100)]
x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround
(bnc#858638 CVE-2014-1438).

suse-commit: 388585d6fb6f25f50d465b492794a5b7a0b2dfdc

Jean Delvare [Fri, 14 Feb 2014 10:01:06 +0000 (11:01 +0100)]
Update config files: Disable TS5500-specific drivers

These drivers are useless without TS5500 board support: mtd-ts5500,
gpio-ts5500 and max197.

suse-commit: 92f45efa4cf5745614b3d7294c007afb20143625

Jan Beulich [Fri, 14 Feb 2014 08:44:21 +0000 (09:44 +0100)]
- balloon: don't crash in HVM-with-PoD guests.
- usbback: fix after c/s 1232:8806dfb939d4 (bnc#842553).
- hwmon: (coretemp) Fix truncated name of alarm attributes.
- Refresh other Xen patches.

suse-commit: b09fe2b2dc22f619612551418c757c83c1d34f77

Jean Delvare [Wed, 12 Feb 2014 15:16:23 +0000 (16:16 +0100)]
Drop outdated comment

suse-commit: 47d6ca79db81358c7661071b1671a683a1733cae

Michal Marek [Tue, 11 Feb 2014 12:28:26 +0000 (13:28 +0100)]
Merge branch 'scripts' into openSUSE-13.1


suse-commit: a81a5eae24180167550979347ed3dc42b7f989f7

Michal Marek [Tue, 11 Feb 2014 12:24:01 +0000 (13:24 +0100)]
Merge branch 'packaging' into openSUSE-13.1


suse-commit: dff5d3d24c1b2e621147f8521529b95466e43bad

Michal Marek [Tue, 11 Feb 2014 12:22:09 +0000 (13:22 +0100)]
Delete commented out s390 configs

suse-commit: de76528dcdf51e81b145dada3e866939872e85e4

Takashi Iwai [Tue, 11 Feb 2014 11:46:43 +0000 (12:46 +0100)]
drm/cirrus: Fix cirrus drm driver for fbdev + qemu (bnc#856760).

suse-commit: 5ba4bf3348a641d82cc45950b2ef6d31abfa7236

NeilBrown [Fri, 7 Feb 2014 06:16:12 +0000 (17:16 +1100)]
Refresh patches.fixes/nfs-lockd.fix.
 bug fix

suse-commit: 32efc8aed6e2b699a332905f6130f1e689fe116a

NeilBrown [Thu, 6 Feb 2014 05:32:46 +0000 (16:32 +1100)]
lockd: send correct lock when granting a delayed lock

suse-commit: 4bd71678c9e5b2b42c2e43db7edc5efa7dd4cbc8

Michal Hocko [Mon, 3 Feb 2014 13:55:40 +0000 (14:55 +0100)]
mm/page-writeback.c: do not count anon pages as dirtyable memory
(reclaim stalls).

suse-commit: 73071afc676a00141e8615bc5c8f2faee5181673

Michal Hocko [Mon, 3 Feb 2014 13:55:40 +0000 (14:55 +0100)]
mm/page-writeback.c: fix dirty_balance_reserve subtraction
from dirtyable memory (reclaim stalls).

suse-commit: 8b9ca3a6cba60eba3d1a610a513b811fb6337e5d

Jiri Kosina [Mon, 3 Feb 2014 09:41:24 +0000 (10:41 +0100)]
Refresh patches.fixes/compat_sys_recvmmsg-x32-fix.patch: add to series.conf

suse-commit: 750023e35881c0adaa8df35756c52f64ec4ab190

Borislav Petkov [Wed, 29 Jan 2014 16:28:42 +0000 (17:28 +0100)]
compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).

suse-commit: 189968ad654917ebaa0c01b4733a66e9bb1b9aaf

Jiri Kosina [Thu, 30 Jan 2014 20:20:26 +0000 (21:20 +0100)]
- floppy: bail out in open() if drive is not responding to block0
  read (bnc#773058).
- Delete

  Update upstream reference.

suse-commit: 6051fbce844295600446e7211895f4849b9e9dca

Oliver Neukum [Fri, 24 Jan 2014 12:43:18 +0000 (13:43 +0100)]
HID: usbhid: fix sis quirk (bnc#859804).

suse-commit: 4c507e12192844eca868c1435d8254f832843219

Jean Delvare [Fri, 24 Jan 2014 11:51:58 +0000 (12:51 +0100)]
hwmon: (coretemp) Fix truncated name of alarm attributes

suse-commit: 7efab5be944f33d7e51e94dc389cf6f7d966652e

Oliver Neukum [Fri, 24 Jan 2014 11:00:13 +0000 (12:00 +0100)]
HID: usbhid: quirk for Synaptics Quad HD touchscreen

suse-commit: 88a6b94707d535d21c87f3ba25c297ca2da054d4

Oliver Neukum [Fri, 24 Jan 2014 11:00:13 +0000 (12:00 +0100)]
HID: usbhid: quirk for Synaptics HD touchscreen (bnc#859804).

suse-commit: 10384f3211e0d8d9cdf17f9ee2bc955b27e5db13

Oliver Neukum [Fri, 24 Jan 2014 11:00:13 +0000 (12:00 +0100)]
HID: usbhid: merge the sis quirk (bnc#859804).

suse-commit: d9fdc80d251185872e8c6a8c5f2ee158566271cc

Oliver Neukum [Fri, 24 Jan 2014 11:00:13 +0000 (12:00 +0100)]
HID: hid-multitouch: add support for SiS panels (bnc#859804).

suse-commit: 109bb3777bdd9b8320cd7ca76843d1b19bf66f31

Oliver Neukum [Fri, 24 Jan 2014 11:00:13 +0000 (12:00 +0100)]
HID: usbhid: quirk for SiS Touchscreen (bnc#859804).

suse-commit: 63279c609cf95afa48d4129264d90846c4550ba3

Oliver Neukum [Fri, 24 Jan 2014 11:00:13 +0000 (12:00 +0100)]
HID: usbhid: quirk for Synaptics Large Touchscreen (bnc#859804).

suse-commit: 62c32f3f2c3d299b928ad52d673e21d9572d343b

Jiri Kosina [Wed, 22 Jan 2014 09:24:28 +0000 (10:24 +0100)]
Refresh
add upstream reference.

suse-commit: 178e35d502beaed248aa2e7eafc9d2e0ed06092a

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
drivers: net: cpsw: fix dt probe for one port ethernet.

suse-commit: 186486628f9f34ffda3701f33a5b36b0b469fa86

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
drivers: net: cpsw: fix for cpsw crash when build as modules.

suse-commit: 742b01e5afced7a9d89fe02fb80b0b1d100d7f1d

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
dma: edma: Remove limits on number of slots.

suse-commit: 1e6e2c933a7f9789dc0befc07ce022856a3c40a1

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
dma: edma: Leave linked to Null slot instead of DUMMY slot.

suse-commit: a69d1b33bfa7e574c7b4d1c77386a39c53e7dfd2

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
dma: edma: Find missed events and issue them.

suse-commit: 6bb77645c106a1261debd6b2255b1fa30cbf0c31

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
dma: edma: Write out and handle MAX_NR_SG at a given time.

suse-commit: 02d0ac979b6359956d7fd40ea4755721cf9c42c5

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
dma: edma: Setup parameters to DMA MAX_NR_SG at a time.

suse-commit: 546a727f26ec5f30576d35cba11a64f68a264a64

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
ARM: edma: Add function to manually trigger an EDMA channel.

suse-commit: 306dd31b19d4a75309001ac376691208f186a10c

Takashi Iwai [Fri, 17 Jan 2014 14:31:12 +0000 (15:31 +0100)]
ARM: edma: Fix clearing of unused list for DT DMA resources.

suse-commit: 77bd825c0b5726558bbf7ee33a5b53c631c9dde7

Takashi Iwai [Fri, 17 Jan 2014 13:42:43 +0000 (14:42 +0100)]
ACPI: Blacklist Win8 OSI for some HP laptop 2013 models

suse-commit: 760d80d1602d2305c36ea977080962c2e8cd49fb

Takashi Iwai [Fri, 17 Jan 2014 13:59:54 +0000 (14:59 +0100)]
ACPI: Add Toshiba NB100 to Vista _OSI blacklist.

suse-commit: b557365e2d9d2a58297bff9156c83e4be0351c72

Takashi Iwai [Fri, 17 Jan 2014 13:59:54 +0000 (14:59 +0100)]
ACPI: add missing win8 OSI comment to blacklist (bnc#856294).

suse-commit: d906853d55e9c048b7a27fd7310f33ec518e1afa

Takashi Iwai [Fri, 17 Jan 2014 13:59:54 +0000 (14:59 +0100)]
ACPI: update win8 OSI blacklist.

suse-commit: 14df19b8275c00b6f26fa964fbffd0f980725e2f

Takashi Iwai [Fri, 17 Jan 2014 13:59:54 +0000 (14:59 +0100)]
ACPI: blacklist win8 OSI for buggy laptops.

suse-commit: 5b044f94e9e6c2d0bb3aa5754429d6c9346d0776

Takashi Iwai [Fri, 17 Jan 2014 13:59:54 +0000 (14:59 +0100)]
ACPI: blacklist win8 OSI for ASUS Zenbook Prime UX31A

suse-commit: 01ec445064b8dc43ba3df00464a3f0275551d505

Jiri Kosina [Thu, 16 Jan 2014 00:38:05 +0000 (01:38 +0100)]
floppy: bail out in open() if drive is not responding to
block0 read (bnc#773058).

suse-commit: 8a6ca261735b922a48297502a28fb00708bd7c2e

Borislav Petkov [Fri, 10 Jan 2014 16:23:23 +0000 (17:23 +0100)]
Refresh

suse-commit: b897c7dd7ac86b32b5351bcd286d4fb493d98f29

Borislav Petkov [Fri, 10 Jan 2014 16:19:57 +0000 (17:19 +0100)]
ping: prevent NULL pointer dereference on write to msg_name
(bnc#854175 CVE-2013-6432).

suse-commit: 5e12cca13d668c296a0e4844439fb2bee80a3b0b

Jiri Slaby [Wed, 8 Jan 2014 15:39:06 +0000 (16:39 +0100)]
- x86/dumpstack: Fix printk_address for direct addresses
- Refresh patches.suse/stack-unwind.
- Refresh patches.xen/xen-x86_64-dump-user-pgt.

suse-commit: df9697b979c84d679fbdc41169fe67a66d536a58

Borislav Petkov [Tue, 7 Jan 2014 19:49:25 +0000 (20:49 +0100)]
KVM: x86: Convert vapic synchronization to _cached functions
(CVE-2013-6368) (bnc#853052 CVE-2013-6368).

suse-commit: b597eb783d0fabe549d6c1e39e431800c8aa0fc1

Borislav Petkov [Sun, 22 Dec 2013 20:21:44 +0000 (21:21 +0100)]
KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
(bnc#853053 CVE-2013-6376).

suse-commit: 016ba6545826a08b6e76fab4b89b8b218e6a9465

Michal Marek [Fri, 20 Dec 2013 11:02:36 +0000 (12:02 +0100)]
Build the KOTD against openSUSE:13.1:Update

suse-commit: 5f014369b117bfe4db129a937c3618dda01cc0bf

Jan Beulich [Fri, 20 Dec 2013 09:44:17 +0000 (10:44 +0100)]
- xencons: generalize use of add_preferred_console() (bnc#733022,
- Update Xen patches to 3.11.10.
- Rename patches.xen/xen-pcpu-hotplug to patches.xen/xen-pcpu.

suse-commit: 7014b689f62cea11604fd13d859af571d976af90

Borislav Petkov [Thu, 19 Dec 2013 17:20:19 +0000 (18:20 +0100)]
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
(bnc#853051 CVE-2013-6367).

suse-commit: 84823430123ad079de30b8792fac92303065f3e9

Borislav Petkov [Thu, 19 Dec 2013 14:15:40 +0000 (15:15 +0100)]
KVM: Improve create VCPU parameter (CVE-2013-4587) (bnc#853050

suse-commit: f1e6cee54b2e4bf84590da9038501b79455efc72

Borislav Petkov [Wed, 18 Dec 2013 01:47:17 +0000 (02:47 +0100)]
ipv6: fix headroom calculation in udp6_ufo_fragment (bnc#848042

suse-commit: 13307756516d09b7b25231f9851f15a53b326089

Borislav Petkov [Tue, 17 Dec 2013 15:35:45 +0000 (16:35 +0100)]
net: rework recvmsg handler msg_name and msg_namelen logic

suse-commit: 2add4bdbd1edee07c3b5138bf5917f693d5fc404

Jean Delvare [Thu, 12 Dec 2013 09:33:26 +0000 (10:33 +0100)]
- patches.drivers/gpio-ucb1400-add-module_alias.patch: Update upstream reference
- patches.drivers/gpio-ucb1400-can-be-built-as-a-module.patch: Update upstream reference

suse-commit: 137a69e4b4c2f8a60e66ab03aa357a5dafab584a

Jean Delvare [Thu, 12 Dec 2013 08:43:20 +0000 (09:43 +0100)]
Delete patches.suse/ida-remove-warning-dump-stack.patch.

Already included in kernel 3.11 (WARN calls dump_stack.)

suse-commit: 5aba8aea3e0b55293ec5d98501b6f04743576a1c

Takashi Iwai [Wed, 11 Dec 2013 11:16:43 +0000 (12:16 +0100)]
xhci: Limit the spurious wakeup fix only to HP machines

suse-commit: 589d0779f37319acc8377b0c83696031aab0b553

Jiri Slaby [Wed, 4 Dec 2013 20:58:51 +0000 (21:58 +0100)]
- Linux 3.11.10.
- Refresh patches.xen/xen3-patch-2.6.29.
- Delete

suse-commit: cbd9143131fefb1e9b9c98707d072c2449b37ca5

Hannes Reinecke [Mon, 9 Dec 2013 11:36:40 +0000 (12:36 +0100)]
iscsi_target: race condition on shutdown (bnc#850072).

suse-commit: 45b4a64dc31d6a7574b7f5f02e3032d74e06f49a

Guillaume GARDET [Thu, 21 Nov 2013 09:32:27 +0000 (10:32 +0100)]
Add USB PHY support (needed to get USB and Ethernet working on beagle and panda boards)
Add CONFIG_PINCTRL_SINGLE=y to be able to use Device tree (at least for beagle and panda boards)
Add ARM SoC sound support
Add SPI bus support
Add user-space access to I2C and SPI

Signed-off-by: Takashi Iwai <>
suse-commit: ca584ac1e56248bd960019dffec2c7c87aefb296

Guillaume GARDET [Thu, 14 Nov 2013 11:40:41 +0000 (12:40 +0100)]
Set CONFIG_GPIO_TWL4030 as built-in (instead of module) as a requirement to boot on SD card on beagleboard xM

Signed-off-by: Takashi Iwai <>
suse-commit: 7f47a73c2893a6b5fd941e2db4f0be409b1b1c77

Greg Kroah-Hartman [Fri, 29 Nov 2013 18:42:37 +0000 (10:42 -0800)]
Linux 3.11.10

Kees Cook [Tue, 12 Nov 2013 23:11:17 +0000 (15:11 -0800)]
exec/ptrace: fix get_dumpable() incorrect tests

commit d049f74f2dbe71354d43d393ac3a188947811348 upstream.

The get_dumpable() return value is not boolean.  Most users of the
function actually want to be testing for non-SUID_DUMP_USER(1) rather than
SUID_DUMP_DISABLE(0).  The SUID_DUMP_ROOT(2) is also considered a
protected state.  Almost all places did this correctly, excepting the two
places fixed in this patch.

Wrong logic:
    if (dumpable == SUID_DUMP_DISABLE) { /* be protective */ }
    if (dumpable == 0) { /* be protective */ }
    if (!dumpable) { /* be protective */ }

Correct logic:
    if (dumpable != SUID_DUMP_USER) { /* be protective */ }
    if (dumpable != 1) { /* be protective */ }

Without this patch, if the system had set the sysctl fs/suid_dumpable=2, a
user was able to ptrace attach to processes that had dropped privileges to
that user.  (This may have been partially mitigated if Yama was enabled.)

The macros have been moved into the file that declares get/set_dumpable(),
which means things like the ia64 code can see them too.


Reported-by: Vasily Kulikov <>
Signed-off-by: Kees Cook <>
Cc: "Luck, Tony" <>
Cc: Oleg Nesterov <>
Cc: "Eric W. Biederman" <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
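
The tri-state logic error described in the get_dumpable() commit message above, as an added example that is not code from the patch or the kernel. The two check functions are hypothetical, simplified stand-ins that assume the tracer already shares the target's uid; only the three SUID_DUMP_* names and values come from the commit message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Return values of get_dumpable(), as named in the commit message. */
#define SUID_DUMP_DISABLE 0  /* protected */
#define SUID_DUMP_USER    1  /* ordinary process, not protected */
#define SUID_DUMP_ROOT    2  /* protected (sysctl fs/suid_dumpable=2) */

/*
 * Hypothetical attach check using the "wrong logic": the dumpable value is
 * treated as a boolean, so only SUID_DUMP_DISABLE counts as protected.
 */
static bool attach_allowed_boolean_test(int dumpable, bool cap_sys_ptrace)
{
    if (!dumpable && !cap_sys_ptrace)
        return false;               /* be protective */
    return true;
}

/*
 * Hypothetical attach check using the "correct logic": every state other
 * than SUID_DUMP_USER is protected unless the tracer is privileged.
 */
static bool attach_allowed_fixed(int dumpable, bool cap_sys_ptrace)
{
    if (dumpable != SUID_DUMP_USER && !cap_sys_ptrace)
        return false;               /* be protective */
    return true;
}

/*
 * Bitmask (bit n = dumpable value n) of the states in which the boolean
 * test lets an unprivileged tracer attach while the fixed test refuses.
 */
static unsigned states_wrongly_allowed(void)
{
    unsigned mask = 0;

    for (int d = SUID_DUMP_DISABLE; d <= SUID_DUMP_ROOT; d++) {
        if (attach_allowed_boolean_test(d, false) &&
            !attach_allowed_fixed(d, false))
            mask |= 1u << d;
    }
    return mask;
}

int main(void)
{
    static const char *const name[] = {
        "SUID_DUMP_DISABLE", "SUID_DUMP_USER", "SUID_DUMP_ROOT"
    };

    /* Decision table for an unprivileged tracer in each dumpable state. */
    for (int d = SUID_DUMP_DISABLE; d <= SUID_DUMP_ROOT; d++)
        printf("%-18s boolean test: %-5s fixed test: %s\n", name[d],
               attach_allowed_boolean_test(d, false) ? "allow" : "deny",
               attach_allowed_fixed(d, false) ? "allow" : "deny");
    printf("states wrongly allowed (bitmask): 0x%x\n",
           states_wrongly_allowed());
    return 0;
}
```

The two checks disagree only for SUID_DUMP_ROOT, the state the commit message says was left open to ptrace attach.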
Mimi Zohar [Thu, 17 Oct 2013 11:34:02 +0000 (07:34 -0400)]
Revert "ima: policy for RAMFS"

commit 08de59eb144d7c41351a467442f898d720f0f15f upstream.

This reverts commit 4c2c392763a682354fac65b6a569adec4e4b5387.

Everything in the initramfs should be measured and appraised,
but until the initramfs has extended attribute support, at
least measured.

Signed-off-by: Mimi Zohar <>
Signed-off-by: Greg Kroah-Hartman <>

Hans de Goede [Sat, 28 Sep 2013 13:25:39 +0000 (15:25 +0200)]
Bluetooth: revert: "Bluetooth: Add missing reset_resume dev_pm_ops"

commit b1a8014471b01dd862de9f91bbbff1296afac42d upstream.

Many btusb devices have 2 modes, a hid mode and a bluetooth hci mode. These
devices default to hid mode for BIOS use. This means that after having been
reset they will revert to HID mode, and are no longer usable as a HCI.

Therefore it is a very bad idea to just blindly make reset_resume point to
the regular resume handler. Note that the btusb driver has no clue how to
switch these devices from hid to hci mode, this is done in userspace through
udev rules, so the proper way to deal with this is to not have a reset-resume
handler and instead let the usb-system re-enumerate the device, and re-run
the udev rules.

I must also note, that the commit message for the commit causing this
problem has a very weak motivation for the change:

"Add missing reset_resume dev_pm_ops. Missing reset_resume results in the
following message after power management device test. This change sets
reset_resume to btusb_resume().

[ 2506.936134] btusb 1-1.5:1.0: no reset_resume for driver btusb?
[ 2506.936137] btusb 1-1.5:1.1: no reset_resume for driver btusb?"

Making a change solely to silence a warning while also changing important
behavior (normal resume handling versus re-enumeration) requires a commit
message with a proper explanation why it is safe to do so, which clearly lacks
here, and unsurprisingly it turns out to not be safe to make this change.

Reverting the commit in question fixes bt no longer working on my Dell
E6430 after a suspend/resume, and I believe it likely also fixes the
following bugs:

This reverts commit 502f769662978a2fe99d0caed5e53e3006107381.

Cc: Shuah Khan <>
Cc: Gustavo Padovan <>
Signed-off-by: Hans de Goede <>
Signed-off-by: Gustavo Padovan <>
Signed-off-by: Greg Kroah-Hartman <>

Stanislaw Gruszka [Thu, 31 Oct 2013 10:23:57 +0000 (11:23 +0100)]
rt2x00: fix HT TX descriptor settings regression

commit 3d8bfe141be8e5c21261fc63da8e7964d44f2645 upstream.


commit 36323f817af0376c78612cfdab714b0feb05fea5
Author: Thomas Huehn <>
Date:   Mon Jul 23 21:33:42 2012 +0200

    mac80211: move TX station pointer and restructure TX

we do not pass sta pointer to rt2x00queue_create_tx_descriptor_ht(),
hence we do not correctly set station WCID and AMPDU density parameters.

Signed-off-by: Stanislaw Gruszka <>
Acked-by: Gertjan van Wingerde <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>

Gabor Juhos [Thu, 3 Oct 2013 18:00:40 +0000 (20:00 +0200)]
rt2x00: rt2800lib: fix VGC adjustment for RT5592

commit 0beb1bbf19c72f17809e42b8f33522a55c2cc18c upstream.

In commit 3d81535ea5940446510a8a5cee1c6ad23c90c753
(rt2800: 5592: add chip specific vgc calculations)
the rt2800_link_tuner function has been modified to
adjust VGC level for the RT5592 chipset.

On the RT5592 chipset, the VGC level must be adjusted
only if rssi is greater than -65. However the current
code adjusts the VGC value by 0x10 regardless of the
actual chipset if the rssi value is between -80 and

Fix the broken behaviour by reordering the if-else

Signed-off-by: Gabor Juhos <>
Acked-by: Stanislaw Gruszka <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>

Stanislaw Gruszka [Tue, 15 Oct 2013 12:31:12 +0000 (14:31 +0200)]
rt2x00: check if device is still available on rt2x00mac_flush()

commit 5671ab05cf2a579218985ef56595387932d78ee4 upstream.

Fix random kernel panic with below messages when remove dongle.


Signed-off-by: Stanislaw Gruszka <>
Acked-by: Helmut Schaa <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>

Felix Fietkau [Thu, 14 Nov 2013 20:33:15 +0000 (21:33 +0100)]
rt2x00: fix a crash bug in the HT descriptor handling fix

commit b4089d6d8e71a7293e2192025dfa507a04f661c4 upstream.

Commit "rt2x00: fix HT TX descriptor settings regression"
assumes that the control parameter to rt2x00mac_tx is always non-NULL.
There is an internal call in rt2x00lib_bc_buffer_iter where NULL is
passed. Fix the resulting crash by adding an initialized dummy on-stack
ieee80211_tx_control struct.

Signed-off-by: Felix Fietkau <>
Acked-by: Gertjan van Wingerde <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>

K. Y. Srinivasan [Thu, 17 Oct 2013 02:27:19 +0000 (19:27 -0700)]
Drivers: hv: vmbus: Fix a bug in channel rescind code

commit 565ce6422ff92f5af71e4d5a09f78215433b2695 upstream.

Rescind of subchannels were not being correctly handled. Fix the bug.

Signed-off-by: K. Y. Srinivasan <>
Signed-off-by: Greg Kroah-Hartman <>

Ian Abbott [Mon, 7 Oct 2013 14:51:58 +0000 (15:51 +0100)]
staging: comedi: avoid memleak for subdevice private

commit 67aa4acbc97f6a55b328e4e2305ef19cbe949d85 upstream.

`comedi_alloc_spriv()` allocates private storage for a comedi subdevice
and sets the `SRF_FREE_SPRIV` flag in the `runflags` member of the
subdevice to allow the private storage to be automatically freed when
the comedi device is being cleaned up.  Unfortunately, the flag gets
clobbered by `do_cmd_ioctl()` which calls
`comedi_set_subdevice_runflags()` with a mask value `~0` and only the
`SRF_USER` and `SRF_RUNNING` flags set, all the other SRF flags being

Change the calls to `comedi_set_subdevice_runflags()` that currently use
a mask value of `~0` to use a more relevant mask value.  For
`do_cmd_ioctl()`, the relevant SRF flags are `SRF_USER`, `SRF_ERROR` and
`SRF_RUNNING`.  (At one time, `SRF_RT` would be included in that set of
flags, but it is no longer used.)  For `comedi_alloc_spriv()` replace
the call to `comedi_set_subdevice_runflags()` with a simple
OR-assignment to avoid unnecessary use of a spin-lock.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
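
How a mask of `~0` clobbers `SRF_FREE_SPRIV`, as described in the comedi commit message above; this is an added example, not the driver's code. The flag names come from the commit message, while the bit values, the `struct subdevice` stand-in and the clear-then-set semantics of `set_runflags()` are assumptions made for the illustration (the spin-lock is omitted).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Flag names from the commit message; the bit values are assumed. */
#define SRF_USER       0x00000001u
#define SRF_ERROR      0x00000004u
#define SRF_RUNNING    0x08000000u
#define SRF_FREE_SPRIV 0x80000000u

/* Hypothetical stand-in for a comedi subdevice. */
struct subdevice {
    unsigned runflags;
    void *private_data;
};

/* Assumed semantics: the bits selected by mask are replaced by bits. */
static void set_runflags(struct subdevice *s, unsigned mask, unsigned bits)
{
    s->runflags &= ~mask;
    s->runflags |= bits & mask;
}

/* Allocate private storage and mark it for automatic freeing. */
static void *alloc_spriv(struct subdevice *s, size_t size)
{
    s->private_data = calloc(1, size);
    if (s->private_data)
        s->runflags |= SRF_FREE_SPRIV;  /* the simple OR-assignment */
    return s->private_data;
}

/* Start a command the way the commit message describes do_cmd_ioctl(). */
static void start_cmd(struct subdevice *s, unsigned mask)
{
    set_runflags(s, mask, SRF_USER | SRF_RUNNING);
}

/* Device cleanup: frees private storage only if the flag survived. */
static bool cleanup(struct subdevice *s)
{
    if (!(s->runflags & SRF_FREE_SPRIV))
        return false;                   /* storage is leaked */
    free(s->private_data);
    s->private_data = NULL;
    return true;
}

/* Full lifecycle; returns true when cleanup released the storage. */
static bool spriv_freed_after_cmd(unsigned cmd_mask)
{
    struct subdevice s = { 0, NULL };
    bool freed;

    if (!alloc_spriv(&s, 64))
        return false;
    start_cmd(&s, cmd_mask);
    freed = cleanup(&s);
    if (!freed)
        free(s.private_data);           /* keep the demo itself leak-free */
    return freed;
}

int main(void)
{
    printf("mask ~0:                  freed=%d\n",
           spriv_freed_after_cmd(~0u));
    printf("mask USER|ERROR|RUNNING:  freed=%d\n",
           spriv_freed_after_cmd(SRF_USER | SRF_ERROR | SRF_RUNNING));
    return 0;
}
```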
Rashika Kheria [Wed, 30 Oct 2013 13:06:32 +0000 (18:36 +0530)]
Staging: zram: Fix access of NULL pointer

commit 46a51c80216cb891f271ad021f59009f34677499 upstream.

This patch fixes the bug in reset_store caused by accessing NULL pointer.

The bdev gets its value from bdget_disk() which could fail when memory
pressure is severe and hence can return NULL because allocation of
inode in bdget could fail.

Hence, this patch introduces a check for bdev to prevent reference to a
NULL pointer in the later part of the code. It also removes unnecessary
check of bdev for fsync_bdev().

Acked-by: Jerome Marchand <>
Signed-off-by: Rashika Kheria <>
Acked-by: Minchan Kim <>
Signed-off-by: Greg Kroah-Hartman <>

Rafael J. Wysocki [Thu, 7 Nov 2013 00:42:17 +0000 (01:42 +0100)]
ACPI / hotplug: Do not execute "insert in progress" _OST

commit 176a88d79d6b5aebabaff16734e8b3107efcaaad upstream.

According to the ACPI spec (5.0, Section 6.3.5), the "Device
insertion in progress (pending)" (0x80) _OST status code is
reserved for the "Insertion Processing" (0x200) source event
which is "a result of an OSPM action".  Specifically, it is not
a notification, so that status code should not be used during
notification processing, which unfortunately is done by

For this reason, drop the ACPI_OST_SC_INSERT_IN_PROGRESS _OST
status evaluation from there (it was a mistake to put it in there
in the first place).

Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>

Rafael J. Wysocki [Thu, 7 Nov 2013 00:41:27 +0000 (01:41 +0100)]
ACPI / hotplug: Fix handle_root_bridge_removal()

commit 2441191a19039002b2c454a261fb45986df15184 upstream.

It is required to do get_device() on the struct acpi_device in
question before passing it to acpi_bus_hot_remove_device() through
acpi_os_hotplug_execute(), because acpi_bus_hot_remove_device()
calls acpi_scan_hot_remove() that does put_device() on that

The ACPI PCI root removal routine, handle_root_bridge_removal(),
doesn't do that, which may lead to premature freeing of the
device object or to executing put_device() on an object that
has been freed already.

Fix this problem by making handle_root_bridge_removal() use
get_device() as appropriate.

Signed-off-by: Rafael J. Wysocki <>
Acked-by: Toshi Kani <>
Signed-off-by: Greg Kroah-Hartman <>

Aaron Lu [Wed, 6 Nov 2013 01:07:10 +0000 (09:07 +0800)]
ACPI / video: Quirk initial backlight level 0

commit 2c62333a408f5badd2d2ffd7177f95deeccc5ca4 upstream.

Some firmware doesn't initialize initial backlight level to a proper
value and _BQC will return 0 on first time evaluation. We used to be
able to detect such incorrect value with our code logic, as value 0
normally isn't a valid value in _BCL. But with the introduction of Win8,
firmware begins to fill _BCL with values from 0 to 100, now 0 becomes
a valid value but that value will make user's screen black. This patch
tests initial _BQC for value 0, if such a value is returned, do not use

Reported-by: Qingshuai Tian <>
Tested-by: Aaron Lu <> # on "Idealpad u330p"
Reported-and-tested-by: <> # on "Acer Aspire V5-573G"
Reported-and-tested-by: Kirill Tkhai <> # on "HP 250 G1"
Signed-off-by: Aaron Lu <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago ACPI / EC: Ensure lock is acquired before accessing ec struct members
Puneet Kumar [Fri, 15 Nov 2013 19:41:29 +0000 (11:41 -0800)]
ACPI / EC: Ensure lock is acquired before accessing ec struct members

commit 36b15875a7819a2ec4cb5748ff7096ad7bd86cbb upstream.

A bug was introduced by commit b76b51ba0cef ('ACPI / EC: Add more debug
info and trivial code cleanup') that erroneously caused the struct member
to be accessed before acquiring the required lock.  This change fixes
it by ensuring the lock acquisition is done first.

Found by Aaron Durbin <>

Fixes: b76b51ba0cef ('ACPI / EC: Add more debug info and trivial code cleanup')
Signed-off-by: Puneet Kumar <>
Reviewed-by: Aaron Durbin <>
[olof: Commit message reworded a bit]
Signed-off-by: Olof Johansson <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago perf/ftrace: Fix paranoid level for enabling function tracer
Steven Rostedt [Tue, 5 Nov 2013 17:51:11 +0000 (12:51 -0500)]
perf/ftrace: Fix paranoid level for enabling function tracer

commit 12ae030d54ef250706da5642fc7697cc60ad0df7 upstream.

The current default perf paranoid level is "1" which has
"perf_paranoid_kernel()" return false, and giving any operations that
use it, access to normal users. Unfortunately, this includes function
tracing and normal users should not be allowed to enable function
tracing by default.

The proper level is defined at "-1" (full perf access), which
"perf_paranoid_tracepoint_raw()" will only give access to. Use that
check instead for enabling function tracing.

Reported-by: Dave Jones <>
Reported-by: Vince Weaver <>
Tested-by: Vince Weaver <>
Cc: Peter Zijlstra <>
Cc: Ingo Molnar <>
Cc: Jiri Olsa <>
Cc: Frederic Weisbecker <>
CVE: CVE-2013-2930
Fixes: ced39002f5ea ("ftrace, perf: Add support to use function tracepoint in perf")
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago PCI: Support PCIe Capability Slot registers only for ports with slots
Bjorn Helgaas [Wed, 28 Aug 2013 18:01:03 +0000 (12:01 -0600)]
PCI: Support PCIe Capability Slot registers only for ports with slots

commit 6d3a1741f1e648cfbd5a0cc94477a0d5004c6f5e upstream.

Previously we allowed callers to access Slot Capabilities, Status, and
Control for Root Ports even if the Root Port did not implement a slot.
This seems dubious because the spec only requires these registers if a
slot is implemented.

It's true that even Root Ports without slots must have *space* for these
slot registers, because the Root Capabilities, Status, and Control
registers are after the slot registers in the capability.  However,
for a v1 PCIe Capability, the *semantics* of the slot registers are
undefined unless a slot is implemented.

Signed-off-by: Bjorn Helgaas <>
Reviewed-By: Jiang Liu <>
Acked-by: Myron Stowe <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago PCI: Remove PCIe Capability version checks
Bjorn Helgaas [Wed, 28 Aug 2013 17:33:53 +0000 (11:33 -0600)]
PCI: Remove PCIe Capability version checks

commit c8b303d0206b28c4ff3aecada47108d1655ae00f upstream.

Previously we relied on the PCIe r3.0, sec 7.8, spec language that says
"For Functions that do not implement the [Link, Slot, Root] registers,
these spaces must be hardwired to 0b," which means that for v2 PCIe
capabilities, we don't need to check the device type at all.

But it's simpler if we don't need to check the capability version at all,
and I think the spec is explicit enough about which registers are required
for which types that we can remove the version checks.

Signed-off-by: Bjorn Helgaas <>
Reviewed-By: Jiang Liu <>
Acked-by: Myron Stowe <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago PCI: Allow PCIe Capability link-related register access for switches
Bjorn Helgaas [Tue, 27 Aug 2013 15:54:40 +0000 (09:54 -0600)]
PCI: Allow PCIe Capability link-related register access for switches

commit d3694d4fa3f44f6a295f8ab064937c8a1549d174 upstream.

Every PCIe device has a link, except Root Complex Integrated Endpoints
and Root Complex Event Collectors.  Previously we didn't give access
to PCIe capability link-related registers for Upstream Ports, Downstream
Ports, and Bridges, so attempts to read PCI_EXP_LNKCTL incorrectly
returned zero.  See PCIe spec r3.0, sec 7.8 and

Reported-by: Yuval Mintz <>
Signed-off-by: Bjorn Helgaas <>
Reviewed-By: Jiang Liu <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago sched, idle: Fix the idle polling state logic
Peter Zijlstra [Wed, 11 Sep 2013 10:43:13 +0000 (12:43 +0200)]
sched, idle: Fix the idle polling state logic

commit ea8117478918a4734586d35ff530721b682425be upstream.

Mike reported that commit 7d1a9417 ("x86: Use generic idle loop")
regressed several workloads and caused excessive reschedule

The patch in question failed to notice that the x86 code had an
inverted sense of the polling state versus the new generic code (x86:
default polling, generic: default !polling).

Fix the two prominent x86 mwait based idle drivers and introduce a few
new generic polling helpers (fixing the wrong smp_mb__after_clear_bit

Also switch the idle routines to using tif_need_resched() which is an
immediate TIF_NEED_RESCHED test as opposed to need_resched which will
end up being slightly different.

Reported-by: Mike Galbraith <>
Signed-off-by: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago SUNRPC: don't map EKEYEXPIRED to EACCES in call_refreshresult
Andy Adamson [Wed, 14 Aug 2013 15:59:13 +0000 (11:59 -0400)]
SUNRPC: don't map EKEYEXPIRED to EACCES in call_refreshresult

commit f1ff0c27fd9987c59d707cd1a6b6c1fc3ae0a250 upstream.

The NFS layer needs to know when a key has expired.
This change also returns -EKEYEXPIRED to the application, and the informative
"Key has expired" error message is displayed. The user then knows that
credential renewal is required.

Signed-off-by: Andy Adamson <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago thinkpad_acpi: Fix build error when CONFIG_SND_MAX_CARDS > 32
Takashi Iwai [Thu, 24 Oct 2013 14:06:32 +0000 (16:06 +0200)]
thinkpad_acpi: Fix build error when CONFIG_SND_MAX_CARDS > 32

commit cab6661344f14a09d7aecdf821a40f68ef9b18cc upstream.

SNDRV_CARDS can be specified via Kconfig since 3.11 kernel, so this
can be over 32bit integer range, which leads to a build error.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Matthew Garrett <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago drm/nvc0-/gr: fix a number of missing explicit array terminators...
Ben Skeggs [Mon, 4 Nov 2013 23:28:26 +0000 (09:28 +1000)]
drm/nvc0-/gr: fix a number of missing explicit array terminators...

commit 13d2b35a065399fb447c84e80368927e5f8bf086 upstream.

Signed-off-by: Ben Skeggs <>
Cc: Ilia Mirkin <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago ipc,shm: fix shm_file deletion races
Greg Thelen [Thu, 21 Nov 2013 22:32:00 +0000 (14:32 -0800)]
ipc,shm: fix shm_file deletion races

commit a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1 upstream.

When IPC_RMID races with other shm operations there's potential for
use-after-free of the shm object's associated file (shm_file).

Here's the race before this patch:

  TASK 1                     TASK 2
  ------                     ------
                             shp = shm_obtain_object_check()


The oops is caused because shm_destroy() calls fput() after dropping the
ipc_lock.  fput() clears the file's f_inode, f_path.dentry, and
f_path.mnt, which causes various NULL pointer references in task 2.  I
reliably see the oops in task 2 if with shmlock, shmu

This patch fixes the races by:
1) set shm_file=NULL in shm_destroy() while holding ipc_object_lock().
2) modify at risk operations to check shm_file while holding

Example workloads, which each trigger oops...

Workload 1:
  while true; do
    id=$(shmget 1 4096)
    shm_rmid $id &
    shmlock $id &
    wait
  done

  The oops stack shows accessing NULL f_inode due to racing fput:

Workload 2:
  while true; do
    id=$(shmget 1 4096)
    shmat $id 4096 &
    shm_rmid $id &
    wait
  done

  The oops stack is similar to workload 1 due to NULL f_inode:

Workload 3:
  while true; do
    id=$(shmget 1 4096)
    shmlock $id
    shm_rmid $id &
    shmunlock $id &
    wait
  done

  The oops stack shows second fput tripping on a NULL f_inode.  The
  first fput() completed via from shm_destroy(), but a racing thread did
  a get_file() and queued this fput():

Fixes: c2c737a0461e ("ipc,shm: shorten critical region for shmat")
Fixes: 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
Signed-off-by: Greg Thelen <>
Cc: Davidlohr Bueso <>
Cc: Rik van Riel <>
Cc: Manfred Spraul <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
Jesper Nilsson [Thu, 21 Nov 2013 22:32:08 +0000 (14:32 -0800)]
ipc,shm: correct error return value in shmctl (SHM_UNLOCK)

commit 3a72660b07d86d60457ca32080b1ce8c2b628ee2 upstream.

Commit 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
restructured the ipc shm to shorten critical region, but introduced a
path where the return value could be -EPERM, even if the operation
actually was performed.

Before the commit, the err return value was reset by the return value
from security_shm_shmctl() after the if (!ns_capable(...)) statement.

Now, we still exit the if statement with err set to -EPERM, and in the
case of SHM_UNLOCK, it is not reset at all, and used as the return value
from shmctl.

To fix this, we only set err when errors occur, leaving the fallthrough
case alone.

Signed-off-by: Jesper Nilsson <>
Cc: Davidlohr Bueso <>
Cc: Rik van Riel <>
Cc: Michel Lespinasse <>
Cc: Al Viro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
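
The return-value path described in the shmctl commit above, as an added example that is not the kernel's code: a simplified model in which the `toy_*` names, the boolean capability and owner flags, and the lock path resetting `err` are assumptions. It shows an unprivileged owner's unlock being performed while `-EPERM` is reported, next to the flow that sets `err` only on refusal.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum toy_cmd { TOY_SHM_LOCK, TOY_SHM_UNLOCK };
struct toy_seg { bool locked; };

/* Flow the commit message describes: err is preloaded with -EPERM. */
static int toy_shmctl_before(struct toy_seg *seg, enum toy_cmd cmd,
                             bool has_cap, bool is_owner)
{
    int err = 0;

    if (!has_cap) {
        err = -EPERM;
        if (!is_owner)
            goto out;
        /* owner check passed, but err still holds -EPERM */
    }
    if (cmd == TOY_SHM_LOCK) {
        seg->locked = true;
        err = 0; /* assumption: the lock path assigns its own result */
        goto out;
    }
    seg->locked = false; /* SHM_UNLOCK is performed, err is not reset */
out:
    return err;
}

/* Fixed flow: err is set only when the request is actually refused. */
static int toy_shmctl_after(struct toy_seg *seg, enum toy_cmd cmd,
                            bool has_cap, bool is_owner)
{
    int err = 0;

    if (!has_cap && !is_owner) {
        err = -EPERM;
        goto out;
    }
    seg->locked = (cmd == TOY_SHM_LOCK);
out:
    return err;
}

typedef int (*shmctl_fn)(struct toy_seg *, enum toy_cmd, bool, bool);

/* Unlock a locked segment; report the return code and the resulting state. */
static int try_unlock(shmctl_fn fn, bool has_cap, bool is_owner,
                      bool *still_locked)
{
    struct toy_seg seg = { .locked = true };
    int err = fn(&seg, TOY_SHM_UNLOCK, has_cap, is_owner);

    *still_locked = seg.locked;
    return err;
}

int main(void)
{
    bool locked;
    int err = try_unlock(toy_shmctl_before, false, true, &locked);

    printf("before: err=%d still_locked=%d\n", err, locked);
    err = try_unlock(toy_shmctl_after, false, true, &locked);
    printf("after:  err=%d still_locked=%d\n", err, locked);
    return 0;
}
```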
4 years ago alx: Reset phy speed after resume
hahnjo [Tue, 12 Nov 2013 17:19:24 +0000 (18:19 +0100)]
alx: Reset phy speed after resume

commit b54629e226d196e802abdd30c5e34f2a47cddcf2 upstream.

This fixes bug 62491 (
After resuming some users got the following error flooding the kernel log:
alx 0000:02:00.0: invalid PHY speed/duplex: 0xffff

Signed-off-by: Jonas Hahnfeld <>
Signed-off-by: David S. Miller <>
Cc: hahnjo <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago can: c_can: Fix RX message handling, handle lost message before EOB
Markus Pargmann [Mon, 28 Oct 2013 08:54:40 +0000 (09:54 +0100)]
can: c_can: Fix RX message handling, handle lost message before EOB

commit 5d0f801a2ccec3b1fdabc3392c8d99ed0413d216 upstream.

If we handle end of block messages with higher priority than a lost message,
we can run into an endless interrupt loop.

This is reproducible with an am335x processor and "cansequence -r" at 1Mbit.
As soon as we lose a packet we can't escape from an interrupt loop.

This patch fixes the problem by handling lost packets before EOB packets.

Signed-off-by: Markus Pargmann <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago crypto: s390 - Fix aes-cbc IV corruption
Herbert Xu [Tue, 5 Nov 2013 11:36:27 +0000 (19:36 +0800)]
crypto: s390 - Fix aes-cbc IV corruption

commit f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea upstream.

The cbc-aes-s390 algorithm incorrectly places the IV in the tfm
data structure.  As the tfm is shared between multiple threads,
this introduces a possibility of data corruption.

This patch fixes this by moving the parameter block containing
the IV and key onto the stack (the block is 48 bytes long).

The same bug exists elsewhere in the s390 crypto system and they
will be fixed in subsequent patches.

Signed-off-by: Herbert Xu <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago crypto: ansi_cprng - Fix off by one error in non-block size request
Neil Horman [Tue, 17 Sep 2013 12:33:11 +0000 (08:33 -0400)]
crypto: ansi_cprng - Fix off by one error in non-block size request

commit 714b33d15130cbb5ab426456d4e3de842d6c5b8a upstream.

Stephan Mueller reported to me recently an error in random number generation in
the ansi cprng. If several small requests are made that are less than the
instance's block size, the remainder for loop code doesn't increment
rand_data_valid in the last iteration, meaning that the last bytes in the
rand_data buffer get reused on the subsequent smaller-than-a-block request for
random data.

The fix is pretty easy, just re-code the for loop to make sure that
rand_data_valid gets incremented appropriately.

Signed-off-by: Neil Horman <>
Reported-by: Stephan Mueller <>
CC: Stephan Mueller <>
CC: Petr Matousek <>
CC: Herbert Xu <>
CC: "David S. Miller" <>
Signed-off-by: Herbert Xu <>
Cc: Luis Henriques <>
Signed-off-by: Greg Kroah-Hartman <>
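
The off-by-one described in the ansi_cprng commit above, as an added example that is not the kernel's code: a simplified model in which the `toy_*` and `get_bytes_*` names, the 16-byte block and the counter standing in for the cipher are assumptions. It issues several smaller-than-a-block requests and counts how often a request starts with the byte the previous request ended on.

```c
#include <stddef.h>
#include <stdio.h>

#define BLK_SZ 16 /* assumed block size for this model */

/* Simplified stand-in for the generator state, not the kernel's struct. */
struct toy_ctx {
    unsigned char rand_data[BLK_SZ]; /* current output block */
    unsigned int rand_data_valid;    /* index of the first unused byte */
    unsigned char next;              /* counter standing in for the cipher */
};

/* Fill the block with distinct bytes (for < 256 bytes of output) so reuse shows. */
static void toy_refill(struct toy_ctx *ctx)
{
    for (unsigned int i = 0; i < BLK_SZ; i++)
        ctx->rand_data[i] = ctx->next++;
    ctx->rand_data_valid = 0;
}

/* Remainder loop as described: the early return skips the increment. */
static void get_bytes_buggy(struct toy_ctx *ctx, unsigned char *out, size_t n)
{
    while (n) {
        if (ctx->rand_data_valid == BLK_SZ)
            toy_refill(ctx);
        for (; ctx->rand_data_valid < BLK_SZ; ctx->rand_data_valid++) {
            *out++ = ctx->rand_data[ctx->rand_data_valid];
            if (--n == 0)
                return; /* byte just handed out stays marked unused */
        }
    }
}

/* Re-coded loop: the index advances before the exit test. */
static void get_bytes_fixed(struct toy_ctx *ctx, unsigned char *out, size_t n)
{
    while (n) {
        if (ctx->rand_data_valid == BLK_SZ)
            toy_refill(ctx);
        while (ctx->rand_data_valid < BLK_SZ) {
            *out++ = ctx->rand_data[ctx->rand_data_valid++];
            if (--n == 0)
                return;
        }
    }
}

typedef void (*getter_fn)(struct toy_ctx *, unsigned char *, size_t);

/* Issue reqs requests of len bytes (1 <= len <= BLK_SZ); count requests whose
 * first byte repeats the last byte of the previous request. */
static int count_reused(getter_fn get, int reqs, size_t len)
{
    struct toy_ctx ctx = { .rand_data_valid = BLK_SZ }; /* refill on first use */
    unsigned char buf[BLK_SZ], prev_last = 0;
    int reused = 0;

    for (int i = 0; i < reqs; i++) {
        get(&ctx, buf, len);
        reused += (i > 0 && buf[0] == prev_last);
        prev_last = buf[len - 1];
    }
    return reused;
}

int main(void)
{
    printf("buggy: %d reused, fixed: %d reused\n",
           count_reused(get_bytes_buggy, 8, 5),
           count_reused(get_bytes_fixed, 8, 5));
    return 0;
}
```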
4 years ago Btrfs: relocate csums properly with prealloc extents
Josef Bacik [Fri, 27 Sep 2013 13:33:09 +0000 (09:33 -0400)]
Btrfs: relocate csums properly with prealloc extents

commit 4577b014d1bc3db386da3246f625888fc48083a9 upstream.

A user reported a problem where they were getting csum errors when running a
balance and running systemd's journal.  This is because systemd is awesome and
fallocate()'s its log space and writes into it.  Unfortunately we assume that
when we read in all the csums for an extent that they are sequential starting at
the bytenr we care about.  This obviously isn't the case for prealloc extents,
where we could have written to the middle of the prealloc extent only, which
means the csum would be for the bytenr in the middle of our range and not the
front of our range.  Fix this by offsetting the new bytenr we are logging to
based on the original bytenr the csum was for.  With this patch I no longer see
the csum errors I was seeing.  Thanks,

Reported-by: Chris Murphy <>
Signed-off-by: Josef Bacik <>
Signed-off-by: Chris Mason <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago can: kvaser_usb: fix usb endpoints detection
Olivier Sobrie [Sun, 27 Oct 2013 21:07:53 +0000 (22:07 +0100)]
can: kvaser_usb: fix usb endpoints detection

commit 896e23bd04ea50a146dffd342e2f96180f0812a5 upstream.

Some devices, like the Kvaser Memorator Professional, have several bulk in
endpoints. Only the first one found must be used by the driver. The same holds
for the bulk out endpoint. The official Kvaser driver (leaf) was used as
reference for this patch.

Signed-off-by: Olivier Sobrie <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago USB: mos7840: fix tiocmget error handling
Johan Hovold [Wed, 9 Oct 2013 15:01:09 +0000 (17:01 +0200)]
USB: mos7840: fix tiocmget error handling

commit a91ccd26e75235d86248d018fe3779732bcafd8d upstream.

Make sure to return errors from tiocmget rather than rely on
uninitialised stack data.

Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago ACPICA: Fix for a Store->ArgX when ArgX contains a reference to a field.
Bob Moore [Fri, 6 Sep 2013 06:27:15 +0000 (14:27 +0800)]
ACPICA: Fix for a Store->ArgX when ArgX contains a reference to a field.

commit 4be4be8fee2ee99a52f94f90d03d2f287ee1db86 upstream.

This change fixes a problem where a Store operation to an ArgX object
that contained a reference to a field object did not complete the
automatic dereference and then write to the actual field object.
Instead, the object type of the field object was inadvertently changed
to match the type of the source operand. The new behavior will actually
write to the field object (buffer field or field unit), thus matching
the correct ACPI-defined behavior.

Signed-off-by: Bob Moore <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Lv Zheng <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago ACPICA: Return error if DerefOf resolves to a null package element.
Bob Moore [Thu, 8 Aug 2013 07:29:58 +0000 (15:29 +0800)]
ACPICA: Return error if DerefOf resolves to a null package element.

commit a50abf4842dd7d603a2ad6dcc7f1467fd2a66f03 upstream.

Disallow the dereference of a reference (via index) to an uninitialized
package element. Provides compatibility with other ACPI
implementations. ACPICA BZ 1003.

Signed-off-by: Bob Moore <>
Signed-off-by: Lv Zheng <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago aacraid: prevent invalid pointer dereference
Mahesh Rajashekhara [Thu, 31 Oct 2013 08:31:02 +0000 (14:01 +0530)]
aacraid: prevent invalid pointer dereference

commit b4789b8e6be3151a955ade74872822f30e8cd914 upstream.

It appears that driver runs into a problem here if fibsize is too small
because we allocate user_srbcmd with fibsize size only but later we
access it until user_srbcmd->sg.count to copy it over to srbcmd.

It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
structure already includes one sg element and this is not needed for
commands without data.  So, we would recommend to add the following
(instead of test for fibsize == 0).

Signed-off-by: Mahesh Rajashekhara <>
Reported-by: Nico Golde <>
Reported-by: Fabian Yamaguchi <>
Signed-off-by: Linus Torvalds <>
Cc: Kees Cook <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago libertas: potential oops in debugfs
Dan Carpenter [Wed, 30 Oct 2013 17:12:51 +0000 (20:12 +0300)]
libertas: potential oops in debugfs

commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 upstream.

If we do a zero size allocation then it will oops.  Also we can't be
sure the user passes us a NUL terminated string so I've added a

This code can only be triggered by root.

Reported-by: Nico Golde <>
Reported-by: Fabian Yamaguchi <>
Signed-off-by: Dan Carpenter <>
Acked-by: Dan Williams <>
Signed-off-by: John W. Linville <>
Cc: Kees Cook <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs.
Bob Moore [Thu, 8 Aug 2013 07:29:32 +0000 (15:29 +0800)]
ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs.

commit 63660e05ec719613b518547b40a1c501c10f0bc4 upstream.

Previously, references to these objects were resolved only to the actual
FieldUnit or BufferField object. The correct behavior is to resolve these
references to an actual value.
The problem is that DerefOf did not resolve these objects to actual
values.  An "Integer" object is simple, return the value.  But a field in
an operation region will require a read operation.  For a BufferField, the
appropriate data must be extracted from the parent buffer.

NOTE: It appears that this issue is present in Windows7 but not

Signed-off-by: Bob Moore <>
Signed-off-by: Lv Zheng <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
4 years ago patches.drivers/xhci-Fix-spurious-wakeups-after-S5-on-Haswell.patch:
Takashi Iwai [Fri, 29 Nov 2013 11:33:47 +0000 (12:33 +0100)]

suse-commit: d127271bed3918fec39f9dbd0543afa0a01ae0b8

4 years ago Build mei and mei_me as modules (bnc#852656)
Takashi Iwai [Fri, 29 Nov 2013 10:37:11 +0000 (11:37 +0100)]
Build mei and mei_me as modules (bnc#852656)

suse-commit: e33e7726f506f47851298989f7a0f828111404e8

4 years ago Linux 3.11.9.
Jiri Slaby [Thu, 21 Nov 2013 10:36:29 +0000 (11:36 +0100)]
Linux 3.11.9.

suse-commit: 1602f8173244b9a37a0d4473a99f844a4c362285

4 years ago - Linux 3.11.8 (CVE-2013-4511 bnc#846529 bnc#849021).
Jiri Slaby [Thu, 21 Nov 2013 10:13:36 +0000 (11:13 +0100)]
- Linux 3.11.8 (CVE-2013-4511 bnc#846529 bnc#849021).
- Delete patches.drivers/ALSA-hda-Add-a-fixup-for-ASUS-N76VZ.
- Delete

suse-commit: 3058dcf4a884f3569b8f64205ef4978bcbe691fc