commit 27d0858dbcf199838b8c50a3e94d397bf326d986
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Oct 31 09:51:59 2012 -0700

    Linux 3.0.50

commit ba90d99d5626c2dd2bb97336fd14c94b1a21eca1
Author: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
Date:   Fri Jun 22 09:43:07 2012 +0200

    drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13
    
    commit 9756fe38d10b2bf90c81dc4d2f17d5632e135364 upstream.
    
    This box claims to have an LVDS interface but doesn't
    actually have one.
    
    Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5a30fddcc9593086c26cef6496f757e262059cf6
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Wed Oct 3 16:25:17 2012 +0100

    staging: comedi: amplc_pc236: fix invalid register access during detach
    
    commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.
    
    `pc236_detach()` is called by the comedi core if it attempted to attach
    a device and failed.  `pc236_detach()` calls `pc236_intr_disable()` if
    the comedi device private data pointer (`devpriv`) is non-null.  This
    test is insufficient as `pc236_intr_disable()` accesses hardware
    registers and the attach routine may have failed before it has saved
    their I/O base addresses.
    
    Fix it by checking `dev->iobase` is non-zero before calling
    `pc236_intr_disable()` as that means the I/O base addresses have been
    saved and the hardware registers can be accessed.  It also implies the
    comedi device private data pointer is valid, so there is no need to
    check it.
    
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ac1713daef94fa5a28947ce7149d45d4202da7d
Author: Yinghai Lu <yinghai@kernel.org>
Date:   Thu Oct 25 15:45:26 2012 -0700

    x86, mm: Undo incorrect revert in arch/x86/mm/init.c
    
    commit f82f64dd9f485e13f29f369772d4a0e868e5633a upstream.
    
    Commit
    
        844ab6f9 x86, mm: Find_early_table_space based on ranges that are actually being mapped
    
    added back some lines back wrongly that has been removed in commit
    
        7b16bbf97 Revert "x86/mm: Fix the size calculation of mapping tables"
    
    remove them again.
    
    Signed-off-by: Yinghai Lu <yinghai@kernel.org>
    Link: http://lkml.kernel.org/r/CAE9FiQW_vuaYQbmagVnxT2DGsYc=9tNeAbdBq53sYkitPOwxSQ@mail.gmail.com
    Acked-by: Jacob Shin <jacob.shin@amd.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0582e57500558d660c9fd83c77b7a6a0dbda989f
Author: Jacob Shin <jacob.shin@amd.com>
Date:   Wed Oct 24 14:24:44 2012 -0500

    x86, mm: Find_early_table_space based on ranges that are actually being mapped
    
    commit 844ab6f993b1d32eb40512503d35ff6ad0c57030 upstream.
    
    Current logic finds enough space for direct mapping page tables from 0
    to end. Instead, we only need to find enough space to cover mr[0].start
    to mr[nr_range].end -- the range that is actually being mapped by
    init_memory_mapping()
    
    This is needed after 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a, to address
    the panic reported here:
    
      https://lkml.org/lkml/2012/10/20/160
      https://lkml.org/lkml/2012/10/21/157
    
    Signed-off-by: Jacob Shin <jacob.shin@amd.com>
    Link: http://lkml.kernel.org/r/20121024195311.GB11779@jshin-Toonie
    Tested-by: Tom Rini <trini@ti.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eccd54a6c29b2ddce3e03e7f77b89376dd9ee1ca
Author: Andreas Herrmann <andreas.herrmann3@amd.com>
Date:   Tue Oct 23 00:55:10 2012 +0200

    cpufreq / powernow-k8: Remove usage of smp_processor_id() in preemptible code
    
    commit e4df1cbcc1f329e53a1fff7450b2229e0addff20 upstream.
    
    Commit 6889125b8b4e09c5e53e6ecab3433bed1ce198c9
    (cpufreq/powernow-k8: workqueue user shouldn't migrate the kworker to another CPU)
    causes powernow-k8 to trigger a preempt warning, e.g.:
    
      BUG: using smp_processor_id() in preemptible [00000000] code: cpufreq/3776
      caller is powernowk8_target+0x20/0x49
      Pid: 3776, comm: cpufreq Not tainted 3.6.0 #9
      Call Trace:
       [<ffffffff8125b447>] debug_smp_processor_id+0xc7/0xe0
       [<ffffffff814877e7>] powernowk8_target+0x20/0x49
       [<ffffffff81482b02>] __cpufreq_driver_target+0x82/0x8a
       [<ffffffff81484fc6>] cpufreq_governor_performance+0x4e/0x54
       [<ffffffff81482c50>] __cpufreq_governor+0x8c/0xc9
       [<ffffffff81482e6f>] __cpufreq_set_policy+0x1a9/0x21e
       [<ffffffff814839af>] store_scaling_governor+0x16f/0x19b
       [<ffffffff81484f16>] ? cpufreq_update_policy+0x124/0x124
       [<ffffffff8162b4a5>] ? _raw_spin_unlock_irqrestore+0x2c/0x49
       [<ffffffff81483640>] store+0x60/0x88
       [<ffffffff811708c0>] sysfs_write_file+0xf4/0x130
       [<ffffffff8111243b>] vfs_write+0xb5/0x151
       [<ffffffff811126e0>] sys_write+0x4a/0x71
       [<ffffffff816319a9>] system_call_fastpath+0x16/0x1b
    
    Fix this by by always using work_on_cpu().
    
    Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ff8913490f238812b4ab9f0b5cf7797f9a08aa7
Author: Piotr Haber <phaber@broadcom.com>
Date:   Thu Oct 11 14:05:15 2012 +0200

    bcma: fix unregistration of cores
    
    commit 1fffa905adffbf0d3767fc978ef09afb830275eb upstream.
    
    When cores are unregistered, entries
    need to be removed from cores list in a safe manner.
    
    Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
    Reviewed-by: Arend Van Spriel <arend@broadcom.com>
    Signed-off-by: Piotr Haber <phaber@broadcom.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0dab9d11a7900ebd2be763831e686c1da4789166
Author: Stanislaw Gruszka <sgruszka@redhat.com>
Date:   Tue Oct 2 21:34:23 2012 +0200

    mac80211: check if key has TKIP type before updating IV
    
    commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream.
    
    This patch fix corruption which can manifest itself by following crash
    when switching on rfkill switch with rt2x00 driver:
    https://bugzilla.redhat.com/attachment.cgi?id=615362
    
    Pointer key->u.ccmp.tfm of group key get corrupted in:
    
    ieee80211_rx_h_michael_mic_verify():
    
            /* update IV in key information to be able to detect replays */
            rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
            rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
    
    because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.
    
    We already check type of the key in different path in
    ieee80211_rx_h_michael_mic_verify() function, so adding additional
    check here is reasonable.
    
    Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2689cd6b16f51c31a55e67fadca68971b6b0d37d
Author: Bo Shen <voice.shen@atmel.com>
Date:   Mon Oct 15 17:30:27 2012 +0800

    ARM: at91/i2c: change id to let i2c-gpio work
    
    commit 7840487cd6298f9f931103b558290d8d98d41c49 upstream.
    
    The i2c core driver will turn the platform device ID to busnum
    When using platfrom device ID as -1, it means dynamically assigned
    the busnum. When writing code, we need to make sure the busnum,
    and call i2c_register_board_info(int busnum, ...) to register device
    if using -1, we do not know the value of busnum
    
    In order to solve this issue, set the platform device ID as a fix number
    Here using 0 to match the busnum used in i2c_regsiter_board_info()
    
    Signed-off-by: Bo Shen <voice.shen@atmel.com>
    Acked-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
    Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
    Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 83dab4684482147564c9f3219f58e45d11765875
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Wed Oct 24 20:37:51 2012 +0200

    vhost: fix mergeable bufs on BE hosts
    
    commit 910a578f7e9400a78a3b13aba0b4d2df16a2cb05 upstream.
    
    We copy head count to a 16 bit field, this works by chance on LE but on
    BE guest gets 0. Fix it up.
    
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Tested-by: Alexander Graf <agraf@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 713b9c260ba25938606ab794a1dfc438c727eb2c
Author: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Date:   Tue Oct 16 13:17:43 2012 -0700

    xhci: Fix potential NULL ptr deref in command cancellation.
    
    commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
    
    The command cancellation code doesn't check whether find_trb_seg()
    couldn't find the segment that contains the TRB to be canceled.  This
    could cause a NULL pointer deference later in the function when next_trb
    is called.  It's unlikely to happen unless something is wrong with the
    command ring pointers, so add some debugging in case it happens.
    
    This patch should be backported to stable kernels as old as 3.0, that
    contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
    handle command after aborting the command ring".
    
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44ddc9a2fa5319e051198bc7fe9aa4b7c12b020f
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 18:56:33 2012 +0200

    USB: mos7840: remove invalid disconnect handling
    
    commit e681b66f2e19fadbe8a7e2a17900978cb6bc921f upstream.
    
    Remove private zombie flag used to signal disconnect and to prevent
    control urb from being submitted from interrupt urb completion handler.
    
    The control urb will not be re-submitted as both the control urb and the
    interrupt urb is killed on disconnect.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c48cddb5a8d4a2c76101f6260d19105347059513
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 18:56:32 2012 +0200

    USB: mos7840: remove NULL-urb submission
    
    commit 28c3ae9a8cf45f439c9a0779ebd0256e2ae72813 upstream.
    
    The private int_urb is never allocated so the submission from the
    control completion handler will always fail. Remove this odd piece of
    broken code.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 52fb227a7bddeb94b1e3a630755b232ddfc8a741
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 13:35:10 2012 +0200

    USB: mos7840: fix port-device leak in error path
    
    commit 3eb55cc4ed88eee3b5230f66abcdbd2a91639eda upstream.
    
    The driver set the usb-serial port pointers to NULL on errors in attach,
    effectively preventing usb-serial core from decrementing the port ref
    counters and releasing the port devices and associated data.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de3ca50ea7524819a881d841e73ffb0c2aed73f7
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 13:35:09 2012 +0200

    USB: mos7840: fix urb leak at release
    
    commit 65a4cdbb170e4ec1a7fa0e94936d47e24a17b0e8 upstream.
    
    Make sure control urb is freed at release.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 25a665eeaba137ef1758ee747d0fc8f9b42bc091
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 10:29:18 2012 +0200

    USB: sierra: fix memory leak in probe error path
    
    commit 084817d79399ab5ccab2f90a148b0369912a8369 upstream.
    
    Move interface data allocation to attach so that it is deallocated on
    errors in usb-serial probe.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 866cf6722ef510e21baa66f839ed3a618f303794
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 10:29:17 2012 +0200

    USB: sierra: fix memory leak in attach error path
    
    commit 7e41f9bcdd2e813ea2a3c40db291d87ea06b559f upstream.
    
    Make sure port private data is deallocated on errors in attach.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3edf35acc3571092b522795f5b132fde4525b966
Author: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
Date:   Wed Oct 24 10:23:09 2012 -0400

    USB: serial: Fix memory leak in sierra_release()
    
    commit f7bc5051667b74c3861f79eed98c60d5c3b883f7 upstream.
    
    I found a memory leak in sierra_release() (well sierra_probe() I guess)
    that looses 8 bytes each time the driver releases a device.
    
    Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
    Acked-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8766126e36d14abae5f1e13df3a548ef24c605b8
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 10:29:12 2012 +0200

    USB: opticon: fix memory leak in error path
    
    commit acbf0e5263de563e25f7c104868e4490b9e72b13 upstream.
    
    Fix memory leak in write error path.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 84c1f11aab59b6e56dd6cf26967127057d4665c9
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 10:29:11 2012 +0200

    USB: opticon: fix DMA from stack
    
    commit ea0dbebffe118724cd4df7d9b071ea8ee48d48f0 upstream.
    
    Make sure to allocate the control-message buffer dynamically as some
    platforms cannot do DMA from stack.
    
    Note that only the first byte of the old buffer was used.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a48db008e3d875c6cd33f3d3aa86344e80bab16c
Author: Johan Hovold <jhovold@gmail.com>
Date:   Thu Oct 25 10:29:01 2012 +0200

    USB: whiteheat: fix memory leak in error path
    
    commit c129197c99550d356cf5f69b046994dd53cd1b9d upstream.
    
    Make sure command buffer is deallocated in case of errors during attach.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Cc: <support@connecttech.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 974ee86a47395138c0def2639686d02e4a8af34c
Author: Octavian Purdila <octavian.purdila@intel.com>
Date:   Mon Oct 1 22:21:12 2012 +0300

    usb hub: send clear_tt_buffer_complete events when canceling TT clear work
    
    commit 3b6054da68f9b0d5ed6a7ed0f42a79e61904352c upstream.
    
    There is a race condition in the USB hub code with regard to handling
    TT clear requests that can get the HCD driver in a deadlock. Usually
    when an TT clear request is scheduled it will be executed immediately:
    
    <7>[    6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
    <3>[    6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
    <7>[    6.078299] hub_tt_work:731
    <7>[    9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
    <7>[    9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
    <7>[    9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
    <7>[    9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
    <7>[   10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
    <3>[   10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
    <7>[   10.116537] hub_tt_work:731
    
    However, if a suspend operation is triggered before hub_tt_work is
    scheduled, hub_quiesce will cancel the work without notifying the HCD
    driver:
    
    <3>[   35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
    <5>[   35.034022] sd 0:0:0:0: [sda] Stopping disk
    <7>[   35.034039] hub 2-1:1.0: hub_suspend
    <7>[   35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
    <7>[   35.035085] hub 1-0:1.0: hub_suspend
    <7>[   35.035102] usb usb1: bus suspend, wakeup 0
    <7>[   35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
    <7>[   35.035298] hub 2-0:1.0: hub_suspend
    <7>[   35.035313] usb usb2: bus suspend, wakeup 0
    <7>[   35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
    <6>[   35.250017] PM: suspend of devices complete after 216.979 msecs
    <6>[   35.250822] PM: late suspend of devices complete after 0.799 msecs
    <7>[   35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
    <7>[   35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
    <7>[   35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
    <7>[   35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
    <6>[   35.274254] PM: noirq suspend of devices complete after 23.442 msecs
    <6>[   35.274975] ACPI: Preparing to enter system sleep state S3
    <6>[   35.292666] PM: Saving platform NVS memory
    <7>[   35.295030] Disabling non-boot CPUs ...
    <6>[   35.297351] CPU 1 is now offline
    <6>[   35.300345] CPU 2 is now offline
    <6>[   35.303929] CPU 3 is now offline
    <7>[   35.303931] lockdep: fixing up alternatives.
    <6>[   35.304825] Extended CMOS year: 2000
    
    When the device will resume the EHCI driver will get stuck in
    ehci_endpoint_disable waiting for the tt_clearing flag to reset:
    
    <0>[   47.610967] usb 2-1.3: **** DPM device timeout ****
    <7>[   47.610972]  f2f11c60 00000092 f2f11c0c c10624a5 00000003 f4c6e880 c1c8a4c0 c1c8a4c0
    <7>[   47.610983]  15c55698 0000000b f56b34c0 f2a45b70 f4c6e880 00000082 f2a4602c f2f11c30
    <7>[   47.610993]  c10787f8 f4cac000 f2a45b70 00000000 f4cac010 f2f11c58 00000046 00000001
    <7>[   47.611004] Call Trace:
    <7>[   47.611006]  [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
    <7>[   47.611019]  [<c10787f8>] ? lock_release_holdtime.part.22+0x88/0xf0
    <7>[   47.611026]  [<c103ed46>] ? lock_timer_base.isra.35+0x26/0x50
    <7>[   47.611034]  [<c17592d3>] ? schedule_timeout+0x133/0x290
    <7>[   47.611044]  [<c175b43e>] schedule+0x1e/0x50
    <7>[   47.611051]  [<c17592d8>] schedule_timeout+0x138/0x290
    <7>[   47.611057]  [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
    <7>[   47.611063]  [<c103e560>] ? usleep_range+0x40/0x40
    <7>[   47.611070]  [<c1759445>] schedule_timeout_uninterruptible+0x15/0x20
    <7>[   47.611077]  [<c14935f4>] ehci_endpoint_disable+0x64/0x160
    <7>[   47.611084]  [<c147d1ee>] ? usb_hcd_flush_endpoint+0x10e/0x1d0
    <7>[   47.611092]  [<c1165663>] ? sysfs_add_file+0x13/0x20
    <7>[   47.611100]  [<c147d5a9>] usb_hcd_disable_endpoint+0x29/0x40
    <7>[   47.611107]  [<c147fafc>] usb_disable_endpoint+0x5c/0x80
    <7>[   47.611111]  [<c147fb57>] usb_disable_interface+0x37/0x50
    <7>[   47.611116]  [<c1477650>] usb_reset_and_verify_device+0x4b0/0x640
    <7>[   47.611122]  [<c1474665>] ? hub_port_status+0xb5/0x100
    <7>[   47.611129]  [<c147a975>] usb_port_resume+0xd5/0x220
    <7>[   47.611136]  [<c148877f>] generic_resume+0xf/0x30
    <7>[   47.611142]  [<c14821a3>] usb_resume+0x133/0x180
    <7>[   47.611147]  [<c1473b10>] ? usb_dev_thaw+0x10/0x10
    <7>[   47.611152]  [<c1473b1d>] usb_dev_resume+0xd/0x10
    <7>[   47.611157]  [<c13baa60>] dpm_run_callback+0x40/0xb0
    <7>[   47.611164]  [<c13bdb03>] ? pm_runtime_enable+0x43/0x70
    <7>[   47.611171]  [<c13bafc6>] device_resume+0x1a6/0x2c0
    <7>[   47.611177]  [<c13ba940>] ? dpm_show_time+0xe0/0xe0
    <7>[   47.611183]  [<c13bb0f9>] async_resume+0x19/0x40
    <7>[   47.611189]  [<c10580c4>] async_run_entry_fn+0x64/0x160
    <7>[   47.611196]  [<c104a244>] ? process_one_work+0x104/0x480
    <7>[   47.611203]  [<c104a24c>] ? process_one_work+0x10c/0x480
    <7>[   47.611209]  [<c104a2c0>] process_one_work+0x180/0x480
    <7>[   47.611215]  [<c104a244>] ? process_one_work+0x104/0x480
    <7>[   47.611220]  [<c1058060>] ? async_schedule+0x10/0x10
    <7>[   47.611226]  [<c104c15c>] worker_thread+0x11c/0x2f0
    <7>[   47.611233]  [<c104c040>] ? manage_workers.isra.27+0x1f0/0x1f0
    <7>[   47.611239]  [<c10507f8>] kthread+0x78/0x80
    <7>[   47.611244]  [<c1750000>] ? timer_cpu_notify+0xd6/0x20d
    <7>[   47.611253]  [<c1050780>] ? __init_kthread_worker+0x60/0x60
    <7>[   47.611258]  [<c176357e>] kernel_thread_helper+0x6/0xd
    <7>[   47.611283] ------------[ cut here ]------------
    
    This patch changes hub_quiesce behavior to flush the TT clear work
    instead of canceling it, to make sure that no TT clear request remains
    uncompleted before suspend.
    
    Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ed0b574c7dccce43b2abc25c39c4b4135e08428
Author: Michael Shigorin <mike@osdn.org.ua>
Date:   Mon Oct 22 12:18:56 2012 +0300

    usb-storage: add unusual_devs entry for Casio EX-N1 digital camera
    
    commit d7870af7e2e3a91b462075ec1ca669b482215187 upstream.
    
    This commit sets removable subclass for Casio EX-N1 digital camera.
    
    The patch has been tested within an ALT Linux kernel:
    http://git.altlinux.org/people/led/packages/?p=kernel-image-3.0.git;a=commitdiff;h=c0fd891836e89fe0c93a4d536a59216d90e4e3e7
    
    See also https://bugzilla.kernel.org/show_bug.cgi?id=49221
    
    Signed-off-by: Oleksandr Chumachenko <ledest@gmail.com>
    Signed-off-by: Michael Shigorin <mike@osdn.org.ua>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 299697673bce44a4af03faa31abf1266c160b459
Author: Anisse Astier <anisse@astier.eu>
Date:   Tue Oct 9 12:22:37 2012 +0200

    ehci: Add yet-another Lucid nohandoff pci quirk
    
    commit 8daf8b6086f9d575200cd0aa3797e26137255609 upstream.
    
    Board name changed on another shipping Lucid tablet.
    
    Signed-off-by: Anisse Astier <anisse@astier.eu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f89e7a23865b5a4de6175097dc9e6162d875cff
Author: Anisse Astier <anisse@astier.eu>
Date:   Tue Oct 9 12:22:36 2012 +0200

    ehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions
    
    commit c323dc023b9501e5d09582ec7efd1d40a9001d99 upstream.
    
    BIOS vendors keep changing the BIOS versions. Only match the beginning
    of the string to match all Lucid tablets with board name M11JB.
    
    Signed-off-by: Anisse Astier <anisse@astier.eu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e17ce2ec38fd766e8f9707701e47f4332d8bb630
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Sat Sep 29 22:23:19 2012 +0200

    sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
    
    commit 66081a72517a131430dcf986775f3268aafcb546 upstream.
    
    The warning check for duplicate sysfs entries can cause a buffer overflow
    when printing the warning, as strcat() doesn't check buffer sizes.
    Use strlcat() instead.
    
    Since strlcat() doesn't return a pointer to the passed buffer, unlike
    strcat(), I had to convert the nested concatenation in sysfs_add_one() to
    an admittedly more obscure comma operator construct, to avoid emitting code
    for the concatenation if CONFIG_BUG is disabled.
    
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 910e425b29da7b601a99f49e81da666ab8ed5920
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Oct 23 17:50:07 2012 -0400

    SUNRPC: Prevent races in xs_abort_connection()
    
    commit 4bc1e68ed6a8b59be8a79eb719be515a55c7bc68 upstream.
    
    The call to xprt_disconnect_done() that is triggered by a successful
    connection reset will trigger another automatic wakeup of all tasks
    on the xprt->pending rpc_wait_queue. In particular it will cause an
    early wake up of the task that called xprt_connect().
    
    All we really want to do here is clear all the socket-specific state
    flags, so we split that functionality out of xs_sock_mark_closed()
    into a helper that can be called by xs_abort_connection()
    
    Reported-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Tested-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 16b7109680b1a0c8b3ea6271645c5853f0ffaa3f
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Oct 23 11:40:02 2012 -0400

    Revert "SUNRPC: Ensure we close the socket on EPIPE errors too..."
    
    commit b9d2bb2ee537424a7f855e1f93eed44eb9ee0854 upstream.
    
    This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e.
    Now that we clear the connected flag when entering TCP_CLOSE_WAIT,
    the deadlock described in this commit is no longer possible.
    Instead, the resulting call to xs_tcp_shutdown() can interfere
    with pending reconnection attempts.
    
    Reported-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Tested-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5acfec95af2aa4a9982534557e3ad035e3e5ea86
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Oct 23 11:35:47 2012 -0400

    SUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAIT
    
    commit d0bea455dd48da1ecbd04fedf00eb89437455fdc upstream.
    
    This is needed to ensure that we call xprt_connect() upon the next
    call to call_connect().
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Tested-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5b34d96acadef305c862006ce5d079dfb6526ee8
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Mon Oct 22 17:14:36 2012 -0400

    SUNRPC: Get rid of the xs_error_report socket callback
    
    commit f878b657ce8e7d3673afe48110ec208a29e38c4a upstream.
    
    Chris Perl reports that we're seeing races between the wakeup call in
    xs_error_report and the connect attempts. Basically, Chris has shown
    that in certain circumstances, the call to xs_error_report causes the
    rpc_task that is responsible for reconnecting to wake up early, thus
    triggering a disconnect and retry.
    
    Since the sk->sk_error_report() calls in the socket layer are always
    followed by a tcp_done() in the cases where we care about waking up
    the rpc_tasks, just let the state_change callbacks take responsibility
    for those wake ups.
    
    Reported-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Tested-by: Chris Perl <chris.perl@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 387373e6448530b13056d4e32dfe2a5bf15c9aaf
Author: Will Deacon <will.deacon@arm.com>
Date:   Fri Oct 19 17:53:01 2012 +0100

    ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count
    
    commit 5f40b909728ad784eb43aa309d3c4e9bdf050781 upstream.
    
    When booting a secondary CPU, the primary CPU hands two sets of page
    tables via the secondary_data struct:
    
    	(1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping
    	    of the kernel image (i.e. the tables used by init_mm).
    
    	(2) idmap_pgd: an uncached mapping of the .idmap.text ELF
    	    section.
    
    The idmap is generally used when enabling and disabling the MMU, which
    includes early CPU boot. In this case, the secondary CPU switches to
    swapper as soon as it enters C code:
    
    	struct mm_struct *mm = &init_mm;
    	unsigned int cpu = smp_processor_id();
    
    	/*
    	 * All kernel threads share the same mm context; grab a
    	 * reference and switch to it.
    	 */
    	atomic_inc(&mm->mm_count);
    	current->active_mm = mm;
    	cpumask_set_cpu(cpu, mm_cpumask(mm));
    	cpu_switch_mm(mm->pgd, mm);
    
    This causes a problem on ARMv7, where the identity mapping is treated as
    strongly-ordered leading to architecturally UNPREDICTABLE behaviour of
    exclusive accesses, such as those used by atomic_inc.
    
    This patch re-orders the secondary_start_kernel function so that we
    switch to swapper before performing any exclusive accesses.
    
    Reported-by: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org>
    Cc: David McKay <david.mckay@st.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b6d1ac718d04a5bd36b7b9eb8663850ede719d15
Author: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Date:   Thu Oct 25 13:37:51 2012 -0700

    genalloc: stop crashing the system when destroying a pool
    
    commit eedce141cd2dad8d0cefc5468ef41898949a7031 upstream.
    
    The genalloc code uses the bitmap API from include/linux/bitmap.h and
    lib/bitmap.c, which is based on long values.  Both bitmap_set from
    lib/bitmap.c and bitmap_set_ll, which is the lockless version from
    genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
    the bitmap.
    
    That one uses (1 << bits) - 1, 0b111, if you are setting the first three
    bits.  This means that the API counts from the least significant bits
    (LSB from now on) to the MSB.  The LSB in the first long is bit 0, then.
    The same works for the lookup functions.
    
    The genalloc code uses longs for the bitmap, as it should.  In
    include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
    bits[0] as its last member.  When allocating the struct, genalloc should
    reserve enough space for the bitmap.  This should be a proper number of
    longs that can fit the amount of bits in the bitmap.
    
    However, genalloc allocates an integer number of bytes that fit the
    amount of bits, but may not be an integer amount of longs.  9 bytes, for
    example, could be allocated for 70 bits.
    
    This is a problem in itself if the Least Significat Bit in a long is in
    the byte with the largest address, which happens in Big Endian machines.
    This means genalloc is not allocating the byte in which it will try to
    set or check for a bit.
    
    This may end up in memory corruption, where genalloc will try to set the
    bits it has not allocated.  In fact, genalloc may not set these bits
    because it may find them already set, because they were not zeroed since
    they were not allocated.  And that's what causes a BUG when
    gen_pool_destroy is called and check for any set bits.
    
    What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
    on gen_pool_add_virt.  With SLAB and SLUB, this means the whole slab
    will be cleared, not only the requested bytes.  Since struct
    gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
    multiples of 8, we get lucky and allocate and clear the right amount of
    bytes.
    
    Hower, this is not the case with SLOB or with older code that did memset
    after allocating instead of using __GFP_ZERO.
    
    So, a simple module as this (running 3.6.0), will cause a crash when
    rmmod'ed.
    
      [root@phantom-lp2 foo]# cat foo.c
      #include <linux/kernel.h>
      #include <linux/module.h>
      #include <linux/init.h>
      #include <linux/genalloc.h>
    
      MODULE_LICENSE("GPL");
      MODULE_VERSION("0.1");
    
      static struct gen_pool *foo_pool;
    
      static __init int foo_init(void)
      {
              int ret;
              foo_pool = gen_pool_create(10, -1);
              if (!foo_pool)
                      return -ENOMEM;
              ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
              if (ret) {
                      gen_pool_destroy(foo_pool);
                      return ret;
              }
              return 0;
      }
    
      static __exit void foo_exit(void)
      {
              gen_pool_destroy(foo_pool);
      }
    
      module_init(foo_init);
      module_exit(foo_exit);
      [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
      CONFIG_SLOB=y
      [root@phantom-lp2 foo]# insmod ./foo.ko
      [root@phantom-lp2 foo]# rmmod foo
      ------------[ cut here ]------------
      kernel BUG at lib/genalloc.c:243!
      cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
          pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
          lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
          sp: c0000000bb0e7be0
         msr: 8000000000029032
        current = 0xc0000000bb0e0000
        paca    = 0xc000000006d30e00   softe: 0        irq_happened: 0x01
          pid   = 13044, comm = rmmod
      kernel BUG at lib/genalloc.c:243!
      [c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
      [c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
      [c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
      --- Exception: c00 (System Call) at 000000800753d1a0
      SP (fffd0b0e640) is in userspace
    
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
    Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
    Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 681c9b8479378186e919c5e2ff4c114ecdee67af
Author: Jan Luebbe <jlu@pengutronix.de>
Date:   Thu Oct 25 13:38:11 2012 -0700

    drivers/rtc/rtc-imxdi.c: add missing spin lock initialization
    
    commit fee0de7791f967c2c5f0d43eb7b7261761b45e64 upstream.
    
    Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
    Cc: Alessandro Zummo <a.zummo@towertech.it>
    Cc: Roland Stigge <stigge@antcom.de>
    Cc: Grant Likely <grant.likely@secretlab.ca>
    Tested-by: Roland Stigge <stigge@antcom.de>
    Cc: Sascha Hauer <kernel@pengutronix.de>
    Cc: Russell King <linux@arm.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ab41bb2e47540a714271dfa2943566b1fd4afa9c
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Oct 25 13:38:16 2012 -0700

    fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
    
    commit 12176503366885edd542389eed3aaf94be163fdb upstream.
    
    The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
    while converting ioctl arguments.  This could lead to leaking kernel
    stack contents into userspace.
    
    Patch extracted from existing fix in grsecurity.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: David Miller <davem@davemloft.net>
    Cc: Brad Spengler <spender@grsecurity.net>
    Cc: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ed12438d94ded9c028570776898418adbb497f58
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Oct 25 13:38:14 2012 -0700

    gen_init_cpio: avoid stack overflow when expanding
    
    commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.
    
    Fix possible overflow of the buffer used for expanding environment
    variables when building file list.
    
    In the extremely unlikely case of an attacker having control over the
    environment variables visible to gen_init_cpio, control over the
    contents of the file gen_init_cpio parses, and gen_init_cpio was built
    without compiler hardening, the attacker can gain arbitrary execution
    control via a stack buffer overflow.
    
      $ cat usr/crash.list
      file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
      $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
      *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
    
    This also replaces the space-indenting with tabs.
    
    Patch based on existing fix extracted from grsecurity.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Michal Marek <mmarek@suse.cz>
    Cc: Brad Spengler <spender@grsecurity.net>
    Cc: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>