commit 40e6f9362555294cf1ce8abb1981b11d622e04d6
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Oct 13 05:37:00 2012 +0900

    Linux 3.0.46

commit 1434cc17865f1b212d81807057a5f69ba58f5b3c
Author: Andreas Bießmann <andreas@biessmann.de>
Date:   Fri Aug 31 13:35:42 2012 +0200

    mtd: omap2: fix module loading
    
    commit 4d3d688da8e7016f15483e9319b41311e1db9515 upstream.
    
    Unloading the omap2 nand driver missed to release the memory region which will
    result in not being able to request it again if one want to load the driver
    later on.
    
    This patch fixes following error when loading omap2 module after unloading:
    ---8<---
    ~ $ rmmod omap2
    ~ $ modprobe omap2
    [   37.420928] omap2-nand: probe of omap2-nand.0 failed with error -16
    ~ $
    --->8---
    
    This error was introduced in 67ce04bf2746f8a1f8c2a104b313d20c63f68378 which
    was the first commit of this driver.
    
    Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ecd111b67df4202243a92f58eda1da8ade0429cf
Author: Andreas Bießmann <andreas@biessmann.de>
Date:   Fri Aug 31 13:35:41 2012 +0200

    mtd: omap2: fix omap_nand_remove segfault
    
    commit 7d9b110269253b1d5858cfa57d68dfc7bf50dd77 upstream.
    
    Do not kfree() the mtd_info; it is handled in the mtd subsystem and
    already freed by nand_release(). Instead kfree() the struct
    omap_nand_info allocated in omap_nand_probe which was not freed before.
    
    This patch fixes following error when unloading the omap2 module:
    
    ---8<---
    ~ $ rmmod omap2
    ------------[ cut here ]------------
    kernel BUG at mm/slab.c:3126!
    Internal error: Oops - BUG: 0 [#1] PREEMPT ARM
    Modules linked in: omap2(-)
    CPU: 0    Not tainted  (3.6.0-rc3-00230-g155e36d-dirty #3)
    PC is at cache_free_debugcheck+0x2d4/0x36c
    LR is at kfree+0xc8/0x2ac
    pc : [<c01125a0>]    lr : [<c0112efc>]    psr: 200d0193
    sp : c521fe08  ip : c0e8ef90  fp : c521fe5c
    r10: bf0001fc  r9 : c521e000  r8 : c0d99c8c
    r7 : c661ebc0  r6 : c065d5a4  r5 : c65c4060  r4 : c78005c0
    r3 : 00000000  r2 : 00001000  r1 : c65c4000  r0 : 00000001
    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 86694019  DAC: 00000015
    Process rmmod (pid: 549, stack limit = 0xc521e2f0)
    Stack: (0xc521fe08 to 0xc5220000)
    fe00:                   c008a874 c00bf44c c515c6d0 200d0193 c65c4860 c515c240
    fe20: c521fe3c c521fe30 c008a9c0 c008a854 c521fe5c c65c4860 c78005c0 bf0001fc
    fe40: c780ff40 a00d0113 c521e000 00000000 c521fe84 c521fe60 c0112efc c01122d8
    fe60: c65c4860 c0673778 c06737ac 00000000 00070013 00000000 c521fe9c c521fe88
    fe80: bf0001fc c0112e40 c0673778 bf001ca8 c521feac c521fea0 c02ca11c bf0001ac
    fea0: c521fec4 c521feb0 c02c82c4 c02ca100 c0673778 bf001ca8 c521fee4 c521fec8
    fec0: c02c8dd8 c02c8250 00000000 bf001ca8 bf001ca8 c0804ee0 c521ff04 c521fee8
    fee0: c02c804c c02c8d20 bf001924 00000000 bf001ca8 c521e000 c521ff1c c521ff08
    ff00: c02c950c c02c7fbc bf001d48 00000000 c521ff2c c521ff20 c02ca3a4 c02c94b8
    ff20: c521ff3c c521ff30 bf001938 c02ca394 c521ffa4 c521ff40 c009beb4 bf001930
    ff40: c521ff6c 70616d6f b6fe0032 c0014f84 70616d6f b6fe0032 00000081 60070010
    ff60: c521ff84 c521ff70 c008e1f4 c00bf328 0001a004 70616d6f c521ff94 0021ff88
    ff80: c008e368 0001a004 70616d6f b6fe0032 00000081 c0015028 00000000 c521ffa8
    ffa0: c0014dc0 c009bcd0 0001a004 70616d6f bec2ab38 00000880 bec2ab38 00000880
    ffc0: 0001a004 70616d6f b6fe0032 00000081 00000319 00000000 b6fe1000 00000000
    ffe0: bec2ab30 bec2ab20 00019f00 b6f539c0 60070010 bec2ab38 aaaaaaaa aaaaaaaa
    Backtrace:
    [<c01122cc>] (cache_free_debugcheck+0x0/0x36c) from [<c0112efc>] (kfree+0xc8/0x2ac)
    [<c0112e34>] (kfree+0x0/0x2ac) from [<bf0001fc>] (omap_nand_remove+0x5c/0x64 [omap2])
    [<bf0001a0>] (omap_nand_remove+0x0/0x64 [omap2]) from [<c02ca11c>] (platform_drv_remove+0x28/0x2c)
     r5:bf001ca8 r4:c0673778
    [<c02ca0f4>] (platform_drv_remove+0x0/0x2c) from [<c02c82c4>] (__device_release_driver+0x80/0xdc)
    [<c02c8244>] (__device_release_driver+0x0/0xdc) from [<c02c8dd8>] (driver_detach+0xc4/0xc8)
     r5:bf001ca8 r4:c0673778
    [<c02c8d14>] (driver_detach+0x0/0xc8) from [<c02c804c>] (bus_remove_driver+0x9c/0x104)
     r6:c0804ee0 r5:bf001ca8 r4:bf001ca8 r3:00000000
    [<c02c7fb0>] (bus_remove_driver+0x0/0x104) from [<c02c950c>] (driver_unregister+0x60/0x80)
     r6:c521e000 r5:bf001ca8 r4:00000000 r3:bf001924
    [<c02c94ac>] (driver_unregister+0x0/0x80) from [<c02ca3a4>] (platform_driver_unregister+0x1c/0x20)
     r5:00000000 r4:bf001d48
    [<c02ca388>] (platform_driver_unregister+0x0/0x20) from [<bf001938>] (omap_nand_driver_exit+0x14/0x1c [omap2])
    [<bf001924>] (omap_nand_driver_exit+0x0/0x1c [omap2]) from [<c009beb4>] (sys_delete_module+0x1f0/0x2ec)
    [<c009bcc4>] (sys_delete_module+0x0/0x2ec) from [<c0014dc0>] (ret_fast_syscall+0x0/0x48)
     r8:c0015028 r7:00000081 r6:b6fe0032 r5:70616d6f r4:0001a004
    Code: e1a00005 eb0d9172 e7f001f2 e7f001f2 (e7f001f2)
    ---[ end trace 6a30b24d8c0cc2ee ]---
    Segmentation fault
    --->8---
    
    This error was introduced in 67ce04bf2746f8a1f8c2a104b313d20c63f68378 which
    was the first commit of this driver.
    
    Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad9ca19aefe3f7b593ecae8255b7cf7207e32b95
Author: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Date:   Sun Jun 10 13:58:12 2012 +0300

    mtd: nand: Use the mirror BBT descriptor when reading its version
    
    commit 7bb9c75436212813b38700c34df4bbb6eb82debe upstream.
    
    The code responsible for reading the version of the mirror bbt was
    incorrectly using the descriptor of the main bbt.
    
    Pass the mirror bbt descriptor to 'scan_read_raw' when reading the
    version of the mirror bbt.
    
    Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
    Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 776a41b87e94f6942793c3268a49809a6691e4e2
Author: Richard Genoud <richard.genoud@gmail.com>
Date:   Wed Sep 12 14:26:26 2012 +0200

    mtd: nandsim: bugfix: fail if overridesize is too big
    
    commit bb0a13a13411c4ce24c48c8ff3cdf7b48d237240 upstream.
    
    If override size is too big, the module was actually loaded instead of
    failing, because retval was not set.
    
    This lead to memory corruption with the use of the freed structs nandsim
    and nand_chip.
    
    Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4f7f36c74e7d0885fca8fd18675a19b74a76b43
Author: Alexander Shiyan <shc_work@mail.ru>
Date:   Wed Aug 15 20:28:05 2012 +0400

    mtd: autcpu12-nvram: Fix compile breakage
    
    commit d1f55c680e5d021e7066f4461dd678d42af18898 upstream.
    
    Update driver autcpu12-nvram.c so it compiles; map_read32/map_write32
    no longer exist in the kernel so the driver is totally broken.
    Additionally, map_info name passed to simple_map_init is incorrect.
    
    Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f48f1a28ee27909afbba8a3c2c653a15f810c3e
Author: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Date:   Thu May 24 19:46:26 2012 +0530

    CPU hotplug, cpusets, suspend: Don't modify cpusets during suspend/resume
    
    commit d35be8bab9b0ce44bed4b9453f86ebf64062721e upstream.
    
    In the event of CPU hotplug, the kernel modifies the cpusets' cpus_allowed
    masks as and when necessary to ensure that the tasks belonging to the cpusets
    have some place (online CPUs) to run on. And regular CPU hotplug is
    destructive in the sense that the kernel doesn't remember the original cpuset
    configurations set by the user, across hotplug operations.
    
    However, suspend/resume (which uses CPU hotplug) is a special case in which
    the kernel has the responsibility to restore the system (during resume), to
    exactly the same state it was in before suspend.
    
    In order to achieve that, do the following:
    
    1. Don't modify cpusets during suspend/resume. At all.
       In particular, don't move the tasks from one cpuset to another, and
       don't modify any cpuset's cpus_allowed mask. So, simply ignore cpusets
       during the CPU hotplug operations that are carried out in the
       suspend/resume path.
    
    2. However, cpusets and sched domains are related. We just want to avoid
       altering cpusets alone. So, to keep the sched domains updated, build
       a single sched domain (containing all active cpus) during each of the
       CPU hotplug operations carried out in s/r path, effectively ignoring
       the cpusets' cpus_allowed masks.
    
       (Since userspace is frozen while doing all this, it will go unnoticed.)
    
    3. During the last CPU online operation during resume, build the sched
       domains by looking up the (unaltered) cpusets' cpus_allowed masks.
       That will bring back the system to the same original state as it was in
       before suspend.
    
    Ultimately, this will not only solve the cpuset problem related to suspend
    resume (ie., restores the cpusets to exactly what it was before suspend, by
    not touching it at all) but also speeds up suspend/resume because we avoid
    running cpuset update code for every CPU being offlined/onlined.
    
    Signed-off-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/20120524141611.3692.20155.stgit@srivatsabhat.in.ibm.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Preeti U Murthy <preeti@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d08719c499bb9996ea6edd30e2342b3bbb3826b4
Author: Mel Gorman <mgorman@suse.de>
Date:   Mon Oct 8 16:29:20 2012 -0700

    mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma()
    
    commit 00442ad04a5eac08a98255697c510e708f6082e2 upstream.
    
    Commit cc9a6c877661 ("cpuset: mm: reduce large amounts of memory barrier
    related damage v3") introduced a potential memory corruption.
    shmem_alloc_page() uses a pseudo vma and it has one significant unique
    combination, vma->vm_ops=NULL and vma->policy->flags & MPOL_F_SHARED.
    
    get_vma_policy() does NOT increase a policy ref when vma->vm_ops=NULL
    and mpol_cond_put() DOES decrease a policy ref when a policy has
    MPOL_F_SHARED.  Therefore, when a cpuset update race occurs,
    alloc_pages_vma() falls in 'goto retry_cpuset' path, decrements the
    reference count and frees the policy prematurely.
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 29715fe22f6e7ea5d84c2872fd5dd2d407ed5083
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Mon Oct 8 16:29:19 2012 -0700

    mempolicy: fix refcount leak in mpol_set_shared_policy()
    
    commit 63f74ca21f1fad36d075e063f06dcc6d39fe86b2 upstream.
    
    When shared_policy_replace() fails to allocate new->policy is not freed
    correctly by mpol_set_shared_policy().  The problem is that shared
    mempolicy code directly call kmem_cache_free() in multiple places where
    it is easy to make a mistake.
    
    This patch creates an sp_free wrapper function and uses it. The bug was
    introduced pre-git age (IOW, before 2.6.12-rc2).
    
    [mgorman@suse.de: Editted changelog]
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cedd186e31dacfb400ec74e0cdd59b02c3d55da8
Author: Mel Gorman <mgorman@suse.de>
Date:   Mon Oct 8 16:29:17 2012 -0700

    mempolicy: fix a race in shared_policy_replace()
    
    commit b22d127a39ddd10d93deee3d96e643657ad53a49 upstream.
    
    shared_policy_replace() use of sp_alloc() is unsafe.  1) sp_node cannot
    be dereferenced if sp->lock is not held and 2) another thread can modify
    sp_node between spin_unlock for allocating a new sp node and next
    spin_lock.  The bug was introduced before 2.6.12-rc2.
    
    Kosaki's original patch for this problem was to allocate an sp node and
    policy within shared_policy_replace and initialise it when the lock is
    reacquired.  I was not keen on this approach because it partially
    duplicates sp_alloc().  As the paths were sp->lock is taken are not that
    performance critical this patch converts sp->lock to sp->mutex so it can
    sleep when calling sp_alloc().
    
    [kosaki.motohiro@jp.fujitsu.com: Original patch]
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e12681ffb14f5c3bcd25ace39b9fac3941ad6961
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Mon Oct 8 16:29:16 2012 -0700

    mempolicy: remove mempolicy sharing
    
    commit 869833f2c5c6e4dd09a5378cfc665ffb4615e5d2 upstream.
    
    Dave Jones' system call fuzz testing tool "trinity" triggered the
    following bug error with slab debugging enabled
    
        =============================================================================
        BUG numa_policy (Not tainted): Poison overwritten
        -----------------------------------------------------------------------------
    
        INFO: 0xffff880146498250-0xffff880146498250. First byte 0x6a instead of 0x6b
        INFO: Allocated in mpol_new+0xa3/0x140 age=46310 cpu=6 pid=32154
         __slab_alloc+0x3d3/0x445
         kmem_cache_alloc+0x29d/0x2b0
         mpol_new+0xa3/0x140
         sys_mbind+0x142/0x620
         system_call_fastpath+0x16/0x1b
    
        INFO: Freed in __mpol_put+0x27/0x30 age=46268 cpu=6 pid=32154
         __slab_free+0x2e/0x1de
         kmem_cache_free+0x25a/0x260
         __mpol_put+0x27/0x30
         remove_vma+0x68/0x90
         exit_mmap+0x118/0x140
         mmput+0x73/0x110
         exit_mm+0x108/0x130
         do_exit+0x162/0xb90
         do_group_exit+0x4f/0xc0
         sys_exit_group+0x17/0x20
         system_call_fastpath+0x16/0x1b
    
        INFO: Slab 0xffffea0005192600 objects=27 used=27 fp=0x          (null) flags=0x20000000004080
        INFO: Object 0xffff880146498250 @offset=592 fp=0xffff88014649b9d0
    
    The problem is that the structure is being prematurely freed due to a
    reference count imbalance. In the following case mbind(addr, len) should
    replace the memory policies of both vma1 and vma2 and thus they will
    become to share the same mempolicy and the new mempolicy will have the
    MPOL_F_SHARED flag.
    
      +-------------------+-------------------+
      |     vma1          |     vma2(shmem)   |
      +-------------------+-------------------+
      |                                       |
     addr                                 addr+len
    
    alloc_pages_vma() uses get_vma_policy() and mpol_cond_put() pair for
    maintaining the mempolicy reference count.  The current rule is that
    get_vma_policy() only increments refcount for shmem VMA and
    mpol_conf_put() only decrements refcount if the policy has
    MPOL_F_SHARED.
    
    In above case, vma1 is not shmem vma and vma->policy has MPOL_F_SHARED!
    The reference count will be decreased even though was not increased
    whenever alloc_page_vma() is called.  This has been broken since commit
    [52cd3b07: mempolicy: rework mempolicy Reference Counting] in 2008.
    
    There is another serious bug with the sharing of memory policies.
    Currently, mempolicy rebind logic (it is called from cpuset rebinding)
    ignores a refcount of mempolicy and override it forcibly.  Thus, any
    mempolicy sharing may cause mempolicy corruption.  The bug was
    introduced by commit [68860ec1: cpusets: automatic numa mempolicy
    rebinding].
    
    Ideally, the shared policy handling would be rewritten to either
    properly handle COW of the policy structures or at least reference count
    MPOL_F_SHARED based exclusively on information within the policy.
    However, this patch takes the easier approach of disabling any policy
    sharing between VMAs.  Each new range allocated with sp_alloc will
    allocate a new policy, set the reference count to 1 and drop the
    reference count of the old policy.  This increases the memory footprint
    but is not expected to be a major problem as mbind() is unlikely to be
    used for fine-grained ranges.  It is also inefficient because it means
    we allocate a new policy even in cases where mbind_range() could use the
    new_policy passed to it.  However, it is more straight-forward and the
    change should be invisible to the user.
    
    [mgorman@suse.de: Edited changelog]
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Christoph Lameter <cl@linux.com>
    Reviewed-by: Christoph Lameter <cl@linux.com>
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bdd779425e01c7247230b23051b1ab2144f9226d
Author: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
Date:   Mon Oct 8 16:29:14 2012 -0700

    revert "mm: mempolicy: Let vma_merge and vma_split handle vma->vm_policy linkages"
    
    commit 8d34694c1abf29df1f3c7317936b7e3e2e308d9b upstream.
    
    Commit 05f144a0d5c2 ("mm: mempolicy: Let vma_merge and vma_split handle
    vma->vm_policy linkages") removed vma->vm_policy updates code but it is
    the purpose of mbind_range().  Now, mbind_range() is virtually a no-op
    and while it does not allow memory corruption it is not the right fix.
    This patch is a revert.
    
    [mgorman@suse.de: Edited changelog]
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Josh Boyer <jwboyer@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f074e600bf3cd644c3bdbcbc238dce53952d34cb
Author: Devendra Naga <devendra.aaru@gmail.com>
Date:   Fri Oct 5 23:29:21 2012 +0200

    r8169: call netif_napi_del at errpaths and at driver unload
    
    commit ad1be8d345416a794dea39761a374032aa471a76 upstream.
    
    When register_netdev fails, the init'ed NAPIs by netif_napi_add must be
    deleted with netif_napi_del, and also when driver unloads, it should
    delete the NAPI before unregistering netdevice using unregister_netdev.
    
    Signed-off-by: Devendra Naga <devendra.aaru@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c90334077ffa833ecf89f1645d21f0b9d5d51553
Author: Julien Ducourthial <jducourt@free.fr>
Date:   Fri Oct 5 23:29:20 2012 +0200

    r8169: fix unsigned int wraparound with TSO
    
    commit 477206a018f902895bfcd069dd820bfe94c187b1 upstream.
    
    The r8169 may get stuck or show bad behaviour after activating TSO :
    the net_device is not stopped when it has no more TX descriptors.
    This problem comes from TX_BUFS_AVAIL which may reach -1 when all
    transmit descriptors are in use. The patch simply tries to keep positive
    values.
    
    Tested with 8111d(onboard) on a D510MO, and with 8111e(onboard) on a
    Zotac 890GXITX.
    
    Signed-off-by: Julien Ducourthial <jducourt@free.fr>
    Acked-by: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 768551e1212290b6f662d30a80b4b0dc0889be95
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:19 2012 +0200

    r8169: 8168c and later require bit 0x20 to be set in Config2 for PME signaling.
    
    commit d387b427c973974dd619a33549c070ac5d0e089f upstream.
    
    The new 84xx stopped flying below the radars.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: Hayes Wang <hayeswang@realtek.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 68c93387c8081fcb359a3d2d37f3504e03be0e5b
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:18 2012 +0200

    r8169: Config1 is read-only on 8168c and later.
    
    commit 851e60221926a53344b4227879858bef841b0477 upstream.
    
    Suggested by Hayes.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: Hayes Wang <hayeswang@realtek.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f6e16b72069fc70195174a86e73c04c8dd4cca3b
Author: françois romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:17 2012 +0200

    r8169: runtime resume before shutdown.
    
    commit 2a15cd2ff488a9fdb55e5e34060f499853b27c77 upstream.
    
    With runtime PM, if the ethernet cable is disconnected, the device is
    transitioned to D3 state to conserve energy. If the system is shutdown
    in this state, any register accesses in rtl_shutdown are dropped on
    the floor. As the device was programmed by .runtime_suspend() to wake
    on link changes, it is thus brought back up as soon as the link recovers.
    
    Resuming every suspended device through the driver core would slow things
    down and it is not clear how many devices really need it now.
    
    Original report and D0 transition patch by Sameer Nanda. Patch has been
    changed to comply with advices by Rafael J. Wysocki and the PM folks.
    
    Reported-by: Sameer Nanda <snanda@chromium.org>
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: Rafael J. Wysocki <rjw@sisk.pl>
    Cc: Hayes Wang <hayeswang@realtek.com>
    Cc: Alan Stern <stern@rowland.harvard.edu>
    Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1854f0eec5e072f33d3dc3c47170975b87b1016c
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:16 2012 +0200

    r8169: missing barriers.
    
    commit 1e874e041fc7c222cbd85b20c4406070be1f687a upstream.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: Hayes Wang <hayeswang@realtek.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ffd1cb75b0d422f4ee723c79d9eccc81b6442f6
Author: françois romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:15 2012 +0200

    r8169: fix Config2 MSIEnable bit setting.
    
    commit 2ca6cf06d988fea21e812a86be79353352677c9c upstream.
    
    The MSIEnable bit is only available for the 8169.
    
    Avoid Config2 writes for the post-8169 8168 and 810x.
    
    Reported-by: Su Kang Yin <cantona@cantona.net>
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: Hayes Wang <hayeswang@realtek.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 85ce02207e7728d82cc6183d34c2bdd9e1999b2e
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:14 2012 +0200

    r8169: Rx FIFO overflow fixes.
    
    commit 811fd3010cf512f2e23e6c4c912aad54516dc706 upstream.
    
    Realtek has specified that the post 8168c gigabit chips and the post
    8105e fast ethernet chips recover automatically from a Rx FIFO overflow.
    The driver does not need to clear the RxFIFOOver bit of IntrStatus and
    it should rather avoid messing it.
    
    The implementation deserves some explanation:
    1. events outside of the intr_event bit mask are now ignored. It enforces
       a no-processing policy for the events that either should not be there
       or should be ignored.
    
    2. RxFIFOOver was already ignored in rtl_cfg_infos[RTL_CFG_1] for the
       whole 8168 line of chips with two exceptions:
       - RTL_GIGA_MAC_VER_22 since b5ba6d12bdac21bc0620a5089e0f24e362645efd
         ("use RxFIFO overflow workaround for 8168c chipset.").
         This one should now be correctly handled.
       - RTL_GIGA_MAC_VER_11 (8168b) which requires a different Rx FIFO
         overflow processing.
    
       Though it does not conform to Realtek suggestion above, the updated
       driver includes no change for RTL_GIGA_MAC_VER_12 and RTL_GIGA_MAC_VER_17.
       Both are 8168b. RTL_GIGA_MAC_VER_12 is common and a bit old so I'd rather
       wait for experimental evidence that the change suggested by Realtek really
       helps or does not hurt in unexpected ways.
    
       Removed case statements in rtl8169_interrupt are only 8168 relevant.
    
    3. RxFIFOOver is masked for post 8105e 810x chips, namely the sole 8105e
       (RTL_GIGA_MAC_VER_30) itself.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: hayeswang <hayeswang@realtek.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c43209e91508d1dbfa21203dc491ba67e0d30579
Author: hayeswang <hayeswang@realtek.com>
Date:   Fri Oct 5 23:29:13 2012 +0200

    r8169: increase the delay parameter of pm_schedule_suspend
    
    commit 10953db8e1a278742ef7e64a3d1491802bcfa98b upstream
    The link down would occur when reseting PHY. And it would take about 2 ~ 5
    seconds from link down to link up. If the delay of pm_schedule_suspend is
    not long enough, the device would enter runtime_suspend before link up.
    After link up, the device would wake up and reset PHY again. Then, you
    would find the driver keep in a loop of runtime_suspend and rumtime_resume.
    
    Signed-off-by: Hayes Wang <hayeswang@realtek.com>
    Acked-by: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11bd9becc350ab8adbb7f749c10536741d617d8a
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:12 2012 +0200

    r8169: expand received packet length indication.
    
    commit deb9d93c89d311714a60809b28160e538e1cbb43 upstream.
    
    8168d and above allow jumbo frames beyond 8k. Bump the received
    packet length check before enabling jumbo frames on these chipsets.
    
    Frame length indication covers bits 0..13 of the first Rx descriptor
    32 bits for the 8169 and 8168. I only have authoritative documentation
    for the allowed use of the extra (13) bit with the 8169 and 8168c.
    Realtek's drivers use the same mask for the 816x and the fast ethernet
    only 810x.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc669c37ba4a9c5c54c7842d0c9428aab64d62d7
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:11 2012 +0200

    r8169: jumbo fixes.
    
    commit d58d46b5d85139d18eb939aa7279c160bab70484 upstream.
    
    - fix features : jumbo frames and checksumming can not be used at the
      same time.
    
    - introduce hw_jumbo_{enable / disable} helpers. Their content has been
      creatively extracted from Realtek's own drivers. As an illustration,
      it would be nice to know how/if the MaxTxPacketSize register operates
      when the device can work with a 9k jumbo frame as its documentation
      (8168c) can not be applied beyond ~7k.
    
    - rtl_tx_performance_tweak is moved forward. No change.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da2b1b750acd667cdd23bfd129a5b042e8b49988
Author: Francois Romieu <romieu@fr.zoreil.com>
Date:   Fri Oct 5 23:29:10 2012 +0200

    r8169: remove erroneous processing of always set bit.
    
    commit e03f33af79f0772156e1a1a1e36bdddf8012b2e4 upstream.
    
    When set, RxFOVF (resp. RxBOVF) is always 1 (resp. 0).
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Cc: Hayes <hayeswang@realtek.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 567660504db3899c076acdd7e466b6c1d6d46592
Author: Hayes Wang <hayeswang@realtek.com>
Date:   Fri Oct 5 23:29:09 2012 +0200

    r8169: don't enable rx when shutdown.
    
    commit aaa89c08d9ffa3739c93d65d98b73ec2aa2e93a5 upstream.
    
    Only 8111b needs to enable rx when shutdowning with WoL.
    
    Signed-off-by: Hayes Wang <hayeswang@realtek.com>
    Acked-by: Francois Romieu <romieu@fr.zoreil.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 39ee3305297e471046d932b088190e54e1552fda
Author: Hayes Wang <hayeswang@realtek.com>
Date:   Fri Oct 5 23:29:08 2012 +0200

    r8169: fix wake on lan setting for non-8111E.
    
    commit d4ed95d796e5126bba51466dc07e287cebc8bd19 upstream.
    
    Only 8111E needs enable RxConfig bit 0 ~ 3 when suspending or
    shutdowning for wake on lan.
    
    Signed-off-by: Hayes Wang <hayeswang@realtek.com>
    Acked-by: Francois Romieu <romieu@fr.zoreil.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f6ea7b4b5adbb6ee9271d48dd63dd98645e505b
Author: Paul E. McKenney <paul.mckenney@linaro.org>
Date:   Sat Sep 22 13:55:30 2012 -0700

    rcu: Fix day-one dyntick-idle stall-warning bug
    
    commit a10d206ef1a83121ab7430cb196e0376a7145b22 upstream.
    
    Each grace period is supposed to have at least one callback waiting
    for that grace period to complete.  However, if CONFIG_NO_HZ=n, an
    extra callback-free grace period is no big problem -- it will chew up
    a tiny bit of CPU time, but it will complete normally.  In contrast,
    CONFIG_NO_HZ=y kernels have the potential for all the CPUs to go to
    sleep indefinitely, in turn indefinitely delaying completion of the
    callback-free grace period.  Given that nothing is waiting on this grace
    period, this is also not a problem.
    
    That is, unless RCU CPU stall warnings are also enabled, as they are
    in recent kernels.  In this case, if a CPU wakes up after at least one
    minute of inactivity, an RCU CPU stall warning will result.  The reason
    that no one noticed until quite recently is that most systems have enough
    OS noise that they will never remain absolutely idle for a full minute.
    But there are some embedded systems with cut-down userspace configurations
    that consistently get into this situation.
    
    All this begs the question of exactly how a callback-free grace period
    gets started in the first place.  This can happen due to the fact that
    CPUs do not necessarily agree on which grace period is in progress.
    If a CPU still believes that the grace period that just completed is
    still ongoing, it will believe that it has callbacks that need to wait for
    another grace period, never mind the fact that the grace period that they
    were waiting for just completed.  This CPU can therefore erroneously
    decide to start a new grace period.  Note that this can happen in
    TREE_RCU and TREE_PREEMPT_RCU even on a single-CPU system:  Deadlock
    considerations mean that the CPU that detected the end of the grace
    period is not necessarily officially informed of this fact for some time.
    
    Once this CPU notices that the earlier grace period completed, it will
    invoke its callbacks.  It then won't have any callbacks left.  If no
    other CPU has any callbacks, we now have a callback-free grace period.
    
    This commit therefore makes CPUs check more carefully before starting a
    new grace period.  This new check relies on an array of tail pointers
    into each CPU's list of callbacks.  If the CPU is up to date on which
    grace periods have completed, it checks to see if any callbacks follow
    the RCU_DONE_TAIL segment, otherwise it checks to see if any callbacks
    follow the RCU_WAIT_TAIL segment.  The reason that this works is that
    the RCU_WAIT_TAIL segment will be promoted to the RCU_DONE_TAIL segment
    as soon as the CPU is officially notified that the old grace period
    has ended.
    
    This change is to cpu_needs_another_gp(), which is called in a number
    of places.  The only one that really matters is in rcu_start_gp(), where
    the root rcu_node structure's ->lock is held, which prevents any
    other CPU from starting or completing a grace period, so that the
    comparison that determines whether the CPU is missing the completion
    of a grace period is stable.
    
    Reported-by: Becky Bruce <bgillbruce@gmail.com>
    Reported-by: Subodh Nijsure <snijsure@grid-net.com>
    Reported-by: Paul Walmsley <paul@pwsan.com>
    Signed-off-by: Paul E. McKenney <paul.mckenney@linaro.org>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Tested-by: Paul Walmsley <paul@pwsan.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a0e49be3b9bb651376b12682bd57212d1033ef36
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Sep 26 12:40:45 2012 -0400

    drm/radeon: force MSIs on RS690 asics
    
    commit fb6ca6d154cdcd53e7f27f8dbba513830372699b upstream.
    
    There are so many quirks, lets just try and force
    this for all RS690s.  See:
    https://bugs.freedesktop.org/show_bug.cgi?id=37679
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 32a9bbd0b9e36b1793e5941dc801137d7ab9f7aa
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Sep 26 12:31:45 2012 -0400

    drm/radeon: Add MSI quirk for gateway RS690
    
    commit 3a6d59df80897cc87812b6826d70085905bed013 upstream.
    
    Fixes another system on:
    https://bugs.freedesktop.org/show_bug.cgi?id=37679
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6a971dedc857dea1de7b5394f502c7644f1d8bc6
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Fri Sep 14 10:59:26 2012 -0400

    drm/radeon: only adjust default clocks on NI GPUs
    
    commit 2e3b3b105ab3bb5b6a37198da4f193cd13781d13 upstream.
    
    SI asics store voltage information differently so we
    don't have a way to deal with it properly yet.
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 70deff084ca28ae74786764fd8d882947b5a31a4
Author: Marko Friedemann <mfr@bmx-chemnitz.de>
Date:   Mon Sep 3 10:12:40 2012 +0200

    ALSA: USB: Support for (original) Xbox Communicator
    
    commit c05fce586d4da2dfe0309bef3795a8586e967bc3 upstream.
    
    Added support for Xbox Communicator to USB quirks.
    
    Signed-off-by: Marko Friedemann <mfr@bmx-chemnitz.de>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f5f4d275fd3b6cfd772b1d583f60c9d26818173
Author: David Henningsson <david.henningsson@canonical.com>
Date:   Thu Sep 20 10:20:41 2012 +0200

    ALSA: usb - disable broken hw volume for Tenx TP6911
    
    commit c10514394ef9e8de93a4ad8c8904d71dcd82c122 upstream.
    
    While going through Ubuntu bugs, I discovered this patch being
    posted and a confirmation that the patch works as expected.
    
    Finding out how the hw volume really works would be preferrable
    to just disabling the broken one, but this would be better than
    nothing.
    
    Credit: sndfnsdfin (qawsnews)
    BugLink: https://bugs.launchpad.net/bugs/559939
    Signed-off-by: David Henningsson <david.henningsson@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7aa79b178e05175b39ae94f28289e036f37ac455
Author: Omair Mohammed Abdullah <omair.m.abdullah@linux.intel.com>
Date:   Sat Sep 29 12:24:05 2012 +0530

    ALSA: aloop - add locking to timer access
    
    commit d4f1e48bd11e3df6a26811f7a1f06c4225d92f7d upstream.
    
    When the loopback timer handler is running, calling del_timer() (for STOP
    trigger) will not wait for the handler to complete before deactivating the
    timer. The timer gets rescheduled in the handler as usual. Then a subsequent
    START trigger will try to start the timer using add_timer() with a timer pending
    leading to a kernel panic.
    
    Serialize the calls to add_timer() and del_timer() using a spin lock to avoid
    this.
    
    Signed-off-by: Omair Mohammed Abdullah <omair.m.abdullah@linux.intel.com>
    Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6c06bd661d429a77863ed7171ef66728f9d8d46b
Author: Andrea Arcangeli <aarcange@redhat.com>
Date:   Mon Oct 8 16:33:27 2012 -0700

    mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
    
    commit 027ef6c87853b0a9df53175063028edb4950d476 upstream.
    
    In many places !pmd_present has been converted to pmd_none.  For pmds
    that's equivalent and pmd_none is quicker so using pmd_none is better.
    
    However (unless we delete pmd_present) we should provide an accurate
    pmd_present too.  This will avoid the risk of code thinking the pmd is non
    present because it's under __split_huge_page_map, see the pmd_mknotpresent
    there and the comment above it.
    
    If the page has been mprotected as PROT_NONE, it would also lead to a
    pmd_present false negative in the same way as the race with
    split_huge_page.
    
    Because the PSE bit stays on at all times (both during split_huge_page and
    when the _PAGE_PROTNONE bit get set), we could only check for the PSE bit,
    but checking the PROTNONE bit too is still good to remember pmd_present
    must always keep PROT_NONE into account.
    
    This explains a not reproducible BUG_ON that was seldom reported on the
    lists.
    
    The same issue is in pmd_large, it would go wrong with both PROT_NONE and
    if it races with split_huge_page.
    
    Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
    Acked-by: Rik van Riel <riel@redhat.com>
    Cc: Johannes Weiner <jweiner@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49996738e9a7a8d0192c80d210b3a08853cd1f6c
Author: Hugh Dickins <hughd@google.com>
Date:   Mon Oct 8 16:33:14 2012 -0700

    mm: fix invalidate_complete_page2() lock ordering
    
    commit ec4d9f626d5908b6052c2973f37992f1db52e967 upstream.
    
    In fuzzing with trinity, lockdep protested "possible irq lock inversion
    dependency detected" when isolate_lru_page() reenabled interrupts while
    still holding the supposedly irq-safe tree_lock:
    
    invalidate_inode_pages2
      invalidate_complete_page2
        spin_lock_irq(&mapping->tree_lock)
        clear_page_mlock
          isolate_lru_page
            spin_unlock_irq(&zone->lru_lock)
    
    isolate_lru_page() is correct to enable interrupts unconditionally:
    invalidate_complete_page2() is incorrect to call clear_page_mlock() while
    holding tree_lock, which is supposed to nest inside lru_lock.
    
    Both truncate_complete_page() and invalidate_complete_page() call
    clear_page_mlock() before taking tree_lock to remove page from radix_tree.
     I guess invalidate_complete_page2() preferred to test PageDirty (again)
    under tree_lock before committing to the munlock; but since the page has
    already been unmapped, its state is already somewhat inconsistent, and no
    worse if clear_page_mlock() moved up.
    
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Deciphered-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Acked-by: Mel Gorman <mel@csn.ul.ie>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Ying Han <yinghan@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e3f2bdb4c8f929dfb933a587553d16141861aaf
Author: Mark Brown <broonie@opensource.wolfsonmicro.com>
Date:   Tue Jul 31 18:37:29 2012 +0100

    ASoC: wm9712: Fix name of Capture Switch
    
    commit 689185b78ba6fbe0042f662a468b5565909dff7a upstream.
    
    Help UIs associate it with the matching gain control.
    
    Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a6c0070c1f5a6c7b0bba5bb5be44b1dabe88af56
Author: Jan Kara <jack@suse.cz>
Date:   Wed Sep 26 21:52:20 2012 -0400

    ext4: fix fdatasync() for files with only i_size changes
    
    commit b71fc079b5d8f42b2a52743c8d2f1d35d655b1c5 upstream.
    
    Code tracking when transaction needs to be committed on fdatasync(2) forgets
    to handle a situation when only inode's i_size is changed. Thus in such
    situations fdatasync(2) doesn't force transaction with new i_size to disk
    and that can result in wrong i_size after a crash.
    
    Fix the issue by updating inode's i_datasync_tid whenever its size is
    updated.
    
    Reported-by: Kristian Nielsen <knielsen@knielsen-hq.org>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 985f704d74944dc66b5185aa9ccebcb936f2b8e0
Author: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de>
Date:   Wed Sep 26 21:24:57 2012 -0400

    ext4: always set i_op in ext4_mknod()
    
    commit 6a08f447facb4f9e29fcc30fb68060bb5a0d21c2 upstream.
    
    ext4_special_inode_operations have their own ifdef CONFIG_EXT4_FS_XATTR
    to mask those methods. And ext4_iget also always sets it, so there is
    an inconsistency.
    
    Signed-off-by: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 48fa0772b93d6e2482d23a41a9c6474cfa2e5e35
Author: Dmitry Monakhov <dmonakhov@openvz.org>
Date:   Wed Sep 26 12:32:54 2012 -0400

    ext4: online defrag is not supported for journaled files
    
    commit f066055a3449f0e5b0ae4f3ceab4445bead47638 upstream.
    
    Proper block swap for inodes with full journaling enabled is
    truly non obvious task. In order to be on a safe side let's
    explicitly disable it for now.
    
    Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7f5397abbbc042002fc1b786b76419b0cf65f921
Author: Yinghai Lu <yinghai@kernel.org>
Date:   Mon Sep 10 17:19:33 2012 -0700

    PCI: Check P2P bridge for invalid secondary/subordinate range
    
    commit 1965f66e7db08d1ebccd24a59043eba826cc1ce8 upstream.
    
    For bridges with "secondary > subordinate", i.e., invalid bus number
    apertures, we don't enumerate anything behind the bridge unless the
    user specified "pci=assign-busses".
    
    This patch makes us automatically try to reassign the downstream bus
    numbers in this case (just for that bridge, not for all bridges as
    "pci=assign-busses" does).
    
    We don't discover all the devices on the Intel DP43BF motherboard
    without this change (or "pci=assign-busses") because its BIOS configures
    a bridge as:
    
        pci 0000:00:1e.0: PCI bridge to [bus 20-08] (subtractive decode)
    
    [bhelgaas: changelog, change message to dev_info]
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=18412
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=625754
    Reported-by: Brian C. Huffman <bhuffman@graze.net>
    Reported-by: VL <vl.homutov@gmail.com>
    Tested-by: VL <vl.homutov@gmail.com>
    Signed-off-by: Yinghai Lu <yinghai@kernel.org>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>

commit e4fdc6c38448878b53dff155020778df4de997d3
Author: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Date:   Tue Sep 4 15:23:36 2012 +0200

    SCSI: zfcp: only access zfcp_scsi_dev for valid scsi_device
    
    commit d436de8ce25f53a8a880a931886821f632247943 upstream.
    
    __scsi_remove_device (e.g. due to dev_loss_tmo) calls
    zfcp_scsi_slave_destroy which in turn sends a close LUN FSF request to
    the adapter. After 30 seconds without response,
    zfcp_erp_timeout_handler kicks the ERP thread failing the close LUN
    ERP action. zfcp_erp_wait in zfcp_erp_lun_shutdown_wait and thus
    zfcp_scsi_slave_destroy returns and then scsi_device is no longer
    valid. Sometime later the response to the close LUN FSF request may
    finally come in. However, commit
    b62a8d9b45b971a67a0f8413338c230e3117dff5
    "[SCSI] zfcp: Use SCSI device data zfcp_scsi_dev instead of zfcp_unit"
    introduced a number of attempts to unconditionally access struct
    zfcp_scsi_dev through struct scsi_device causing a use-after-free.
    This leads to an Oops due to kernel page fault in one of:
    zfcp_fsf_abort_fcp_command_handler, zfcp_fsf_open_lun_handler,
    zfcp_fsf_close_lun_handler, zfcp_fsf_req_trace,
    zfcp_fsf_fcp_handler_common.
    Move dereferencing of zfcp private data zfcp_scsi_dev allocated in
    scsi_device via scsi_transport_reserve_device after the check for
    potentially aborted FSF request and thus no longer valid scsi_device.
    Only then assign sdev_to_zfcp(sdev) to the local auto variable struct
    zfcp_scsi_dev *zfcp_sdev.
    
    Signed-off-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
    Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9745d6cb3feb21fd6d9098317a92f2f5c1371519
Author: Steffen Maier <maier@linux.vnet.ibm.com>
Date:   Tue Sep 4 15:23:34 2012 +0200

    SCSI: zfcp: restore refcount check on port_remove
    
    commit d99b601b63386f3395dc26a699ae703a273d9982 upstream.
    
    Upstream commit f3450c7b917201bb49d67032e9f60d5125675d6a
    "[SCSI] zfcp: Replace local reference counting with common kref"
    accidentally dropped a reference count check before tearing down
    zfcp_ports that are potentially in use by zfcp_units.
    Even remote ports in use can be removed causing
    unreachable garbage objects zfcp_ports with zfcp_units.
    Thus units won't come back even after a manual port_rescan.
    The kref of zfcp_port->dev.kobj is already used by the driver core.
    We cannot re-use it to track the number of zfcp_units.
    Re-introduce our own counter for units per port
    and check on port_remove.
    
    Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
    Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2e54c4fb47ffcc687457f9bcd9bba895f2a84963
Author: Julia Lawall <Julia.Lawall@lip6.fr>
Date:   Tue Sep 4 15:23:33 2012 +0200

    SCSI: zfcp: remove invalid reference to list iterator variable
    
    commit ca579c9f136af4274ccfd1bcaee7f38a29a0e2e9 upstream.
    
    If list_for_each_entry, etc complete a traversal of the list, the iterator
    variable ends up pointing to an address at an offset from the list head,
    and not a meaningful structure.  Thus this value should not be used after
    the end of the iterator.  Replace port->adapter->scsi_host by
    adapter->scsi_host.
    
    This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
    
    Oversight in upsteam commit of v2.6.37
    a1ca48319a9aa1c5b57ce142f538e76050bb8972
    "[SCSI] zfcp: Move ACL/CFDC code to zfcp_cfdc.c"
    which merged the content of zfcp_erp_port_access_changed().
    
    Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
    Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
    Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e120cc4284dd532d5e9a44a4682eb4370e283619
Author: Steffen Maier <maier@linux.vnet.ibm.com>
Date:   Tue Sep 4 15:23:32 2012 +0200

    SCSI: zfcp: Do not wakeup while suspended
    
    commit cb45214960bc989af8b911ebd77da541c797717d upstream.
    
    If the mapping of FCP device bus ID and corresponding subchannel
    is modified while the Linux image is suspended, the resume of FCP
    devices can fail. During resume, zfcp gets callbacks from cio regarding
    the modified subchannels but they can be arbitrarily mixed with the
    restore/resume callback. Since the cio callbacks would trigger
    adapter recovery, zfcp could wakeup before the resume callback.
    Therefore, ignore the cio callbacks regarding subchannels while
    being suspended. We can safely do so, since zfcp does not deal itself
    with subchannels. For problem determination purposes, we still trace the
    ignored callback events.
    
    The following kernel messages could be seen on resume:
    
    kernel: <WWPN>: parent <FCP device bus ID> should not be sleeping
    
    As part of adapter reopen recovery, zfcp performs auto port scanning
    which can erroneously try to register new remote ports with
    scsi_transport_fc and the device core code complains about the parent
    (adapter) still sleeping.
    
    kernel: zfcp.3dff9c: <FCP device bus ID>:\
     Setting up the QDIO connection to the FCP adapter failed
    <last kernel message repeated 3 more times>
    kernel: zfcp.574d43: <FCP device bus ID>:\
     ERP cannot recover an error on the FCP device
    
    In such cases, the adapter gave up recovery and remained blocked along
    with its child objects: remote ports and LUNs/scsi devices. Even the
    adapter shutdown as part of giving up recovery failed because the ccw
    device state remained disconnected. Later, the corresponding remote
    ports ran into dev_loss_tmo. As a result, the LUNs were erroneously
    not available again after resume.
    
    Even a manually triggered adapter recovery (e.g. sysfs attribute
    failed, or device offline/online via sysfs) could not recover the
    adapter due to the remaining disconnected state of the corresponding
    ccw device.
    
    Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c25b5413a4cc591f8a0bf6a84aaccfc242895223
Author: Steffen Maier <maier@linux.vnet.ibm.com>
Date:   Tue Sep 4 15:23:30 2012 +0200

    SCSI: zfcp: Make trace record tags unique
    
    commit 0100998dbfe6dfcd90a6e912ca7ed6f255d48f25 upstream.
    
    Duplicate fssrh_2 from a54ca0f62f953898b05549391ac2a8a4dad6482b
    "[SCSI] zfcp: Redesign of the debug tracing for HBA records."
    complicates distinction of generic status read response from
    local link up.
    Duplicate fsscth1 from 2c55b750a884b86dea8b4cc5f15e1484cc47a25c
    "[SCSI] zfcp: Redesign of the debug tracing for SAN records."
    complicates distinction of good common transport response from
    invalid port handle.
    
    Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
    Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2cf80ae81389f34d8a1b241f3b9dbc1a3bf6a204
Author: Matt Carlson <mcarlson@broadcom.com>
Date:   Mon Nov 28 09:41:03 2011 +0000

    tg3: Fix TSO CAP for 5704 devs w / ASF enabled
    
    [ Upstream commit cf9ecf4b631f649a964fa611f1a5e8874f2a76db ]
    
    On the earliest TSO capable devices, TSO was accomplished through
    firmware.  The TSO cannot coexist with ASF management firmware though.
    The tg3 driver determines whether or not ASF is enabled by calling
    tg3_get_eeprom_hw_cfg(), which checks a particular bit of NIC memory.
    Commit dabc5c670d3f86d15ee4f42ab38ec5bd2682487d, entitled "tg3: Move
    TSO_CAPABLE assignment", accidentally moved the code that determines
    TSO capabilities earlier than the call to tg3_get_eeprom_hw_cfg().  As a
    consequence, the driver was attempting to determine TSO capabilities
    before it had all the data it needed to make the decision.
    
    This patch fixes the problem by revisiting and reevaluating the decision
    after tg3_get_eeprom_hw_cfg() is called.
    
    Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
    Signed-off-by: Michael Chan <mchan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dbbfb5ca2953d1b7b62a16000e1842f62cfe0b09
Author: Ed Cashin <ecashin@coraid.com>
Date:   Wed Sep 19 15:46:39 2012 +0000

    aoe: assert AoE packets marked as requiring no checksum
    
    [ Upstream commit 8babe8cc6570ed896b7b596337eb8fe730c3ff45 ]
    
    In order for the network layer to see that AoE requires
    no checksumming in a generic way, the packets must be
    marked as requiring no checksum, so we make this requirement
    explicit with the assertion.
    
    Signed-off-by: Ed Cashin <ecashin@coraid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 70875a0484cf2ce1864dab9f453bcc072f4b71c7
Author: Ed Cashin <ecashin@coraid.com>
Date:   Wed Sep 19 15:49:00 2012 +0000

    net: do not disable sg for packets requiring no checksum
    
    [ Upstream commit c0d680e577ff171e7b37dbdb1b1bf5451e851f04 ]
    
    A change in a series of VLAN-related changes appears to have
    inadvertently disabled the use of the scatter gather feature of
    network cards for transmission of non-IP ethernet protocols like ATA
    over Ethernet (AoE).  Below is a reference to the commit that
    introduces a "harmonize_features" function that turns off scatter
    gather when the NIC does not support hardware checksumming for the
    ethernet protocol of an sk buff.
    
      commit f01a5236bd4b140198fbcc550f085e8361fd73fa
      Author: Jesse Gross <jesse@nicira.com>
      Date:   Sun Jan 9 06:23:31 2011 +0000
    
          net offloading: Generalize netif_get_vlan_features().
    
    The can_checksum_protocol function is not equipped to consider a
    protocol that does not require checksumming.  Calling it for a
    protocol that requires no checksum is inappropriate.
    
    The patch below has harmonize_features call can_checksum_protocol when
    the protocol needs a checksum, so that the network layer is not forced
    to perform unnecessary skb linearization on the transmission of AoE
    packets.  Unnecessary linearization results in decreased performance
    and increased memory pressure, as reported here:
    
      http://www.spinics.net/lists/linux-mm/msg15184.html
    
    The problem has probably not been widely experienced yet, because
    only recently has the kernel.org-distributed aoe driver acquired the
    ability to use payloads of over a page in size, with the patchset
    recently included in the mm tree:
    
      https://lkml.org/lkml/2012/8/28/140
    
    The coraid.com-distributed aoe driver already could use payloads of
    greater than a page in size, but its users generally do not use the
    newest kernels.
    
    Signed-off-by: Ed Cashin <ecashin@coraid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6a992a944a1c283359959745cb5e1f1dbca40a16
Author: Alan Cox <alan@linux.intel.com>
Date:   Tue Sep 4 04:13:18 2012 +0000

    netrom: copy_datagram_iovec can fail
    
    [ Upstream commit 6cf5c951175abcec4da470c50565cc0afe6cd11d ]
    
    Check for an error from this and if so bail properly.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 60e6a188d4cb2ef0fb9865cd7b3d4fca7cf7213e
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 4 15:54:55 2012 -0400

    l2tp: fix a typo in l2tp_eth_dev_recv()
    
    [ Upstream commit c0cc88a7627c333de50b07b7c60b1d49d9d2e6cc ]
    
    While investigating l2tp bug, I hit a bug in eth_type_trans(),
    because not enough bytes were pulled in skb head.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92da074473066d572bc39761a16e44299e104546
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 25 22:01:28 2012 +0200

    ipv6: mip6: fix mip6_mh_filter()
    
    [ Upstream commit 96af69ea2a83d292238bdba20e4508ee967cf8cb ]
    
    mip6_mh_filter() should not modify its input, or else its caller
    would need to recompute ipv6_hdr() if skb->head is reallocated.
    
    Use skb_header_pointer() instead of pskb_may_pull()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 27ab68c347da3242fc9f98bea187946e444a5f75
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 25 07:03:40 2012 +0000

    ipv6: raw: fix icmpv6_filter()
    
    [ Upstream commit 1b05c4b50edbddbdde715c4a7350629819f6655e ]
    
    icmpv6_filter() should not modify its input, or else its caller
    would need to recompute ipv6_hdr() if skb->head is reallocated.
    
    Use skb_header_pointer() instead of pskb_may_pull() and
    change the prototype to make clear both sk and skb are const.
    
    Also, if icmpv6 header cannot be found, do not deliver the packet,
    as we do in IPv4.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a1b995a2f5c69ae3088b153ed5d095561ded6eb4
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Sep 22 00:08:29 2012 +0000

    ipv4: raw: fix icmp_filter()
    
    [ Upstream commit ab43ed8b7490cb387782423ecf74aeee7237e591 ]
    
    icmp_filter() should not modify its input, or else its caller
    would need to recompute ip_hdr() if skb->head is reallocated.
    
    Use skb_header_pointer() instead of pskb_may_pull() and
    change the prototype to make clear both sk and skb are const.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1a6b2c9da08fe3dc1fa825dfefcc70010c088a35
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Sep 24 07:00:11 2012 +0000

    net: guard tcp_set_keepalive() to tcp sockets
    
    [ Upstream commit 3e10986d1d698140747fcfc2761ec9cb64c1d582 ]
    
    Its possible to use RAW sockets to get a crash in
    tcp_set_keepalive() / sk_reset_timer()
    
    Fix is to make sure socket is a SOCK_STREAM one.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74665a9b4fca3420c07f1e583242a477b2eb34b0
Author: Chema Gonzalez <chema@google.com>
Date:   Fri Sep 7 13:40:50 2012 +0000

    net: small bug on rxhash calculation
    
    [ Upstream commit 6862234238e84648c305526af2edd98badcad1e0 ]
    
    In the current rxhash calculation function, while the
    sorting of the ports/addrs is coherent (you get the
    same rxhash for packets sharing the same 4-tuple, in
    both directions), ports and addrs are sorted
    independently. This implies packets from a connection
    between the same addresses but crossed ports hash to
    the same rxhash.
    
    For example, traffic between A=S:l and B=L:s is hashed
    (in both directions) from {L, S, {s, l}}. The same
    rxhash is obtained for packets between C=S:s and D=L:l.
    
    This patch ensures that you either swap both addrs and ports,
    or you swap none. Traffic between A and B, and traffic
    between C and D, get their rxhash from different sources
    ({L, S, {l, s}} for A<->B, and {L, S, {s, l}} for C<->D)
    
    The patch is co-written with Eric Dumazet <edumazet@google.com>
    
    Signed-off-by: Chema Gonzalez <chema@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ddaf88b27c6c942d3e921a2b0a7d8cae6d5be19
Author: Xiaodong Xu <stid.smth@gmail.com>
Date:   Sat Sep 22 00:09:32 2012 +0000

    pppoe: drop PPPOX_ZOMBIEs in pppoe_release
    
    [ Upstream commit 2b018d57ff18e5405823e5cb59651a5b4d946d7b ]
    
    When PPPOE is running over a virtual ethernet interface (e.g., a
    bonding interface) and the user tries to delete the interface in case
    the PPPOE state is ZOMBIE, the kernel will loop forever while
    unregistering net_device for the reference count is not decreased to
    zero which should have been done with dev_put().
    
    Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 126268e1d7790725c2bb0e394652c70ced6ee2ea
Author: Thomas Graf <tgraf@suug.ch>
Date:   Mon Sep 3 04:27:42 2012 +0000

    sctp: Don't charge for data in sndbuf again when transmitting packet
    
    [ Upstream commit 4c3a5bdae293f75cdf729c6c00124e8489af2276 ]
    
    SCTP charges wmem_alloc via sctp_set_owner_w() in sctp_sendmsg() and via
    skb_set_owner_w() in sctp_packet_transmit(). If a sender runs out of
    sndbuf it will sleep in sctp_wait_for_sndbuf() and expects to be waken up
    by __sctp_write_space().
    
    Buffer space charged via sctp_set_owner_w() is released in sctp_wfree()
    which calls __sctp_write_space() directly.
    
    Buffer space charged via skb_set_owner_w() is released via sock_wfree()
    which calls sk->sk_write_space() _if_ SOCK_USE_WRITE_QUEUE is not set.
    sctp_endpoint_init() sets SOCK_USE_WRITE_QUEUE on all sockets.
    
    Therefore if sctp_packet_transmit() manages to queue up more than sndbuf
    bytes, sctp_wait_for_sndbuf() will never be woken up again unless it is
    interrupted by a signal.
    
    This could be fixed by clearing the SOCK_USE_WRITE_QUEUE flag but ...
    
    Charging for the data twice does not make sense in the first place, it
    leads to overcharging sndbuf by a factor 2. Therefore this patch only
    charges a single byte in wmem_alloc when transmitting an SCTP packet to
    ensure that the socket stays alive until the packet has been released.
    
    This means that control chunks are no longer accounted for in wmem_alloc
    which I believe is not a problem as skb->truesize will typically lead
    to overcharging anyway and thus compensates for any control overhead.
    
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    CC: Vlad Yasevich <vyasevic@redhat.com>
    CC: Neil Horman <nhorman@tuxdriver.com>
    CC: David Miller <davem@davemloft.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75cb41f8ea4e0fc3b6292eb8d7fcddfeafb4f718
Author: Michal Kubeček <mkubecek@suse.cz>
Date:   Fri Sep 14 04:59:52 2012 +0000

    tcp: flush DMA queue before sk_wait_data if rcv_wnd is zero
    
    [ Upstream commit 15c041759bfcd9ab0a4e43f1c16e2644977d0467 ]
    
    If recv() syscall is called for a TCP socket so that
      - IOAT DMA is used
      - MSG_WAITALL flag is used
      - requested length is bigger than sk_rcvbuf
      - enough data has already arrived to bring rcv_wnd to zero
    then when tcp_recvmsg() gets to calling sk_wait_data(), receive
    window can be still zero while sk_async_wait_queue exhausts
    enough space to keep it zero. As this queue isn't cleaned until
    the tcp_service_net_dma() call, sk_wait_data() cannot receive
    any data and blocks forever.
    
    If zero receive window and non-empty sk_async_wait_queue is
    detected before calling sk_wait_data(), process the queue first.
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 61c7891cbfa587d9cdcede0e5441c3900e862df9
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Wed Sep 19 19:25:34 2012 +0000

    ipv6: release reference of ip6_null_entry's dst entry in __ip6_del_rt
    
    [ Upstream commit 6825a26c2dc21eb4f8df9c06d3786ddec97cf53b ]
    
    as we hold dst_entry before we call __ip6_del_rt,
    so we should alse call dst_release not only return
    -ENOENT when the rt6_info is ip6_null_entry.
    
    and we already hold the dst entry, so I think it's
    safe to call dst_release out of the write-read lock.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ea3465a8c4f9aee60d5aee02715f04423d0da01
Author: Antonio Quartulli <ordex@autistici.org>
Date:   Tue Oct 2 06:14:17 2012 +0000

    8021q: fix mac_len recomputation in vlan_untag()
    
    [ Upstream commit 5316cf9a5197eb80b2800e1acadde287924ca975 ]
    
    skb_reset_mac_len() relies on the value of the skb->network_header pointer,
    therefore we must wait for such pointer to be recalculated before computing
    the new mac_len value.
    
    Signed-off-by: Antonio Quartulli <ordex@autistici.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1af3bea6c3e3afbc033c2ab5917430d5192c84a3
Author: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
Date:   Fri Sep 7 12:14:02 2012 +0000

    sierra_net: Endianess bug fix.
    
    [ Upstream commit 2120c52da6fe741454a60644018ad2a6abd957ac ]
    
    I discovered I couldn't get sierra_net to work on a powerpc.  Turns out
    the firmware attribute check assumes the system is little endian and
    hence fails because the attributes is a 16 bit value.
    
    Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f99feef88eb867056bd4459e4cf68da33af8861
Author: Paolo Valente <paolo.valente@unimore.it>
Date:   Sat Sep 15 00:41:35 2012 +0000

    pkt_sched: fix virtual-start-time update in QFQ
    
    [ Upstream commit 71261956973ba9e0637848a5adb4a5819b4bae83 ]
    
    If the old timestamps of a class, say cl, are stale when the class
    becomes active, then QFQ may assign to cl a much higher start time
    than the maximum value allowed. This may happen when QFQ assigns to
    the start time of cl the finish time of a group whose classes are
    characterized by a higher value of the ratio
    max_class_pkt/weight_of_the_class with respect to that of
    cl. Inserting a class with a too high start time into the bucket list
    corrupts the data structure and may eventually lead to crashes.
    This patch limits the maximum start time assigned to a class.
    
    Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 829f2161f7057a511df7a41e52c5a43cbf5a49d7
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 11 13:11:12 2012 +0000

    net-sched: sch_cbq: avoid infinite loop
    
    [ Upstream commit bdfc87f7d1e253e0a61e2fc6a75ea9d76f7fc03a ]
    
    Its possible to setup a bad cbq configuration leading to
    an infinite loop in cbq_classify()
    
    DEV_OUT=eth0
    ICMP="match ip protocol 1 0xff"
    U32="protocol ip u32"
    DST="match ip dst"
    tc qdisc add dev $DEV_OUT root handle 1: cbq avpkt 1000 \
    	bandwidth 100mbit
    tc class add dev $DEV_OUT parent 1: classid 1:1 cbq \
    	rate 512kbit allot 1500 prio 5 bounded isolated
    tc filter add dev $DEV_OUT parent 1: prio 3 $U32 \
    	$ICMP $DST 192.168.3.234 flowid 1:
    
    Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
    Tested-by: Denys Fedoryschenko <denys@visp.net.lb>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b89ea13784c385483ef3a47a992f92842171f5c1
Author: Nikolay Aleksandrov <nikolay@redhat.com>
Date:   Fri Sep 14 05:50:03 2012 +0000

    netxen: check for root bus in netxen_mask_aer_correctable
    
    [ Upstream commit e4d1aa40e363ed3e0486aeeeb0d173f7f822737e ]
    
    Add a check if pdev->bus->self == NULL (root bus). When attaching
    a netxen NIC to a VM it can be on the root bus and the guest would
    crash in netxen_mask_aer_correctable() because of a NULL pointer
    dereference if CONFIG_PCIEAER is present.
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c56a0fd7b6d69ef122a01b9b1db83ba62c9f6622
Author: Florian Fainelli <florian@openwrt.org>
Date:   Mon Sep 10 14:06:58 2012 +0200

    ixp4xx_hss: fix build failure due to missing linux/module.h inclusion
    
    [ Upstream commit 0b836ddde177bdd5790ade83772860940bd481ea ]
    
    Commit 36a1211970193ce215de50ed1e4e1272bc814df1 (netprio_cgroup.h:
    dont include module.h from other includes) made the following build
    error on ixp4xx_hss pop up:
    
      CC [M]  drivers/net/wan/ixp4xx_hss.o
     drivers/net/wan/ixp4xx_hss.c:1412:20: error: expected ';', ',' or ')'
     before string constant
     drivers/net/wan/ixp4xx_hss.c:1413:25: error: expected ';', ',' or ')'
     before string constant
     drivers/net/wan/ixp4xx_hss.c:1414:21: error: expected ';', ',' or ')'
     before string constant
     drivers/net/wan/ixp4xx_hss.c:1415:19: error: expected ';', ',' or ')'
     before string constant
     make[8]: *** [drivers/net/wan/ixp4xx_hss.o] Error 1
    
    This was previously hidden because ixp4xx_hss includes linux/hdlc.h which
    includes linux/netdevice.h which includes linux/netprio_cgroup.h which
    used to include linux/module.h. The real issue was actually present since
    the initial commit that added this driver since it uses macros from
    linux/module.h without including this file.
    
    Signed-off-by: Florian Fainelli <florian@openwrt.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 46462f22698f72a9085cc6bb20737a8d79ef23ca
Author: htbegin <hotforest@gmail.com>
Date:   Mon Oct 1 16:42:43 2012 +0000

    net: ethernet: davinci_cpdma: decrease the desc count when cleaning up the remaining packets
    
    [ Upstream commit ffb5ba90017505a19e238e986e6d33f09e4df765 ]
    
    chan->count is used by rx channel. If the desc count is not updated by
    the clean up loop in cpdma_chan_stop, the value written to the rxfree
    register in cpdma_chan_start will be incorrect.
    
    Signed-off-by: Tao Hou <hotforest@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d39c3b09b4ef1fd7febdcf88f6bb9437cf4c141
Author: Mathias Krause <minipli@googlemail.com>
Date:   Thu Sep 20 10:01:49 2012 +0000

    xfrm_user: ensure user supplied esn replay window is valid
    
    [ Upstream commit ecd7918745234e423dd87fcc0c077da557909720 ]
    
    The current code fails to ensure that the netlink message actually
    contains as many bytes as the header indicates. If a user creates a new
    state or updates an existing one but does not supply the bytes for the
    whole ESN replay window, the kernel copies random heap bytes into the
    replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL
    netlink attribute. This leads to following issues:
    
    1. The replay window has random bits set confusing the replay handling
       code later on.
    
    2. A malicious user could use this flaw to leak up to ~3.5kB of heap
       memory when she has access to the XFRM netlink interface (requires
       CAP_NET_ADMIN).
    
    Known users of the ESN replay window are strongSwan and Steffen's
    iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter
    uses the interface with a bitmap supplied while the former does not.
    strongSwan is therefore prone to run into issue 1.
    
    To fix both issues without breaking existing userland allow using the
    XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a
    fully specified one. For the former case we initialize the in-kernel
    bitmap with zero, for the latter we copy the user supplied bitmap. For
    state updates the full bitmap must be supplied.
    
    To prevent overflows in the bitmap length calculation the maximum size
    of bmp_len is limited to 128 by this patch -- resulting in a maximum
    replay window of 4096 packets. This should be sufficient for all real
    life scenarios (RFC 4303 recommends a default replay window size of 64).
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Martin Willi <martin@revosec.ch>
    Cc: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc4d0d8d729d4195bb22bff0de4139a3050a8c4f
Author: Mathias Krause <minipli@googlemail.com>
Date:   Wed Sep 19 11:33:43 2012 +0000

    xfrm_user: don't copy esn replay window twice for new states
    
    [ Upstream commit e3ac104d41a97b42316915020ba228c505447d21 ]
    
    The ESN replay window was already fully initialized in
    xfrm_alloc_replay_state_esn(). No need to copy it again.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c33fcb85ee97f354c5fbdb841b0be01a9c90f9b5
Author: Mathias Krause <minipli@googlemail.com>
Date:   Wed Sep 19 11:33:41 2012 +0000

    xfrm_user: fix info leak in copy_to_user_tmpl()
    
    [ Upstream commit 1f86840f897717f86d523a13e99a447e6a5d2fa5 ]
    
    The memory used for the template copy is a local stack variable. As
    struct xfrm_user_tmpl contains multiple holes added by the compiler for
    alignment, not initializing the memory will lead to leaking stack bytes
    to userland. Add an explicit memset(0) to avoid the info leak.
    
    Initial version of the patch by Brad Spengler.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Brad Spengler <spender@grsecurity.net>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a601da719c73cedba80c788719594990e30a972f
Author: Mathias Krause <minipli@googlemail.com>
Date:   Wed Sep 19 11:33:40 2012 +0000

    xfrm_user: fix info leak in copy_to_user_policy()
    
    [ Upstream commit 7b789836f434c87168eab067cfbed1ec4783dffd ]
    
    The memory reserved to dump the xfrm policy includes multiple padding
    bytes added by the compiler for alignment (padding bytes in struct
    xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
    memset(0) before filling the buffer to avoid the heap info leak.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f21f42628061faa605c76c53449a325597137a7
Author: Mathias Krause <minipli@googlemail.com>
Date:   Wed Sep 19 11:33:39 2012 +0000

    xfrm_user: fix info leak in copy_to_user_state()
    
    [ Upstream commit f778a636713a435d3a922c60b1622a91136560c1 ]
    
    The memory reserved to dump the xfrm state includes the padding bytes of
    struct xfrm_usersa_info added by the compiler for alignment (7 for
    amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
    to avoid the info leak.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2ed1aeaca76644bf96d32fdd491e0d18afdcadbd
Author: Mathias Krause <minipli@googlemail.com>
Date:   Wed Sep 19 11:33:38 2012 +0000

    xfrm_user: fix info leak in copy_to_user_auth()
    
    [ Upstream commit 4c87308bdea31a7b4828a51f6156e6f721a1fcc9 ]
    
    copy_to_user_auth() fails to initialize the remainder of alg_name and
    therefore discloses up to 54 bytes of heap memory via netlink to
    userland.
    
    Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name
    with null bytes.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 72ab84bd1945bb593047564680ea919b8e13beeb
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Mon Sep 17 22:40:10 2012 +0000

    xfrm: fix a read lock imbalance in make_blackhole
    
    [ Upstream commit 433a19548061bb5457b6ab77ed7ea58ca6e43ddb ]
    
    if xfrm_policy_get_afinfo returns 0, it has already released the read
    lock, xfrm_policy_put_afinfo should not be called again.
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 182d22d51bc2f57cded9eed61dbbcfb82b87da1c
Author: Mathias Krause <minipli@googlemail.com>
Date:   Fri Sep 14 09:58:32 2012 +0000

    xfrm_user: return error pointer instead of NULL #2
    
    [ Upstream commit c25463722509fef0ed630b271576a8c9a70236f3 ]
    
    When dump_one_policy() returns an error, e.g. because of a too small
    buffer to dump the whole xfrm policy, xfrm_policy_netlink() returns
    NULL instead of an error pointer. But its caller expects an error
    pointer and therefore continues to operate on a NULL skbuff.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66c41c804c27187c20f1c29aed3216caf69cca4f
Author: Mathias Krause <minipli@googlemail.com>
Date:   Thu Sep 13 11:41:26 2012 +0000

    xfrm_user: return error pointer instead of NULL
    
    [ Upstream commit 864745d291b5ba80ea0bd0edcbe67273de368836 ]
    
    When dump_one_state() returns an error, e.g. because of a too small
    buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
    instead of an error pointer. But its callers expect an error pointer
    and therefore continue to operate on a NULL skbuff.
    
    This could lead to a privilege escalation (execution of user code in
    kernel context) if the attacker has CAP_NET_ADMIN and is able to map
    address 0.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7218addc4b8bec641937e8236099f52974cf5687
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Tue Sep 4 00:03:29 2012 +0000

    xfrm: Workaround incompatibility of ESN and async crypto
    
    [ Upstream commit 3b59df46a449ec9975146d71318c4777ad086744 ]
    
    ESN for esp is defined in RFC 4303. This RFC assumes that the
    sequence number counters are always up to date. However,
    this is not true if an async crypto algorithm is employed.
    
    If the sequence number counters are not up to date on sequence
    number check, we may incorrectly update the upper 32 bit of
    the sequence number. This leads to a DOS.
    
    We workaround this by comparing the upper sequence number,
    (used for authentication) with the upper sequence number
    computed after the async processing. We drop the packet
    if these numbers are different.
    
    To do this, we introduce a recheck function that does this
    check in the ESN case.
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 21de4eb26ec0b1b9c484da823fbcd1d3a48afec9
Author: Tejun Heo <tj@kernel.org>
Date:   Fri Aug 3 10:30:45 2012 -0700

    workqueue: add missing smp_wmb() in process_one_work()
    
    commit 959d1af8cffc8fd38ed53e8be1cf4ab8782f9c00 upstream.
    
    WORK_STRUCT_PENDING is used to claim ownership of a work item and
    process_one_work() releases it before starting execution.  When
    someone else grabs PENDING, all pre-release updates to the work item
    should be visible and all updates made by the new owner should happen
    afterwards.
    
    Grabbing PENDING uses test_and_set_bit() and thus has a full barrier;
    however, clearing doesn't have a matching wmb.  Given the preceding
    spin_unlock and use of clear_bit, I don't believe this can be a
    problem on an actual machine and there hasn't been any related report
    but it still is theretically possible for clear_pending to permeate
    upwards and happen before work->entry update.
    
    Add an explicit smp_wmb() before work_clear_pending().
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe77d1bb93b50233d9d2932d348c1a78214ea485
Author: Martin Michlmayr <tbm@cyrius.com>
Date:   Thu Oct 4 17:11:25 2012 -0700

    drivers/scsi/atp870u.c: fix bad use of udelay
    
    commit 0f6d93aa9d96cc9022b51bd10d462b03296be146 upstream.
    
    The ACARD driver calls udelay() with a value > 2000, which leads to to
    the following compilation error on ARM:
    
      ERROR: "__bad_udelay" [drivers/scsi/atp870u.ko] undefined!
      make[1]: *** [__modpost] Error 1
    
    This is because udelay is defined on ARM, roughly speaking, as
    
    	#define udelay(n) ((n) > 2000 ? __bad_udelay() : \
    		__const_udelay((n) * ((2199023U*HZ)>>11)))
    
    The argument to __const_udelay is the number of jiffies to wait divided
    by 4, but this does not work unless the multiplication does not
    overflow, and that is what the build error is designed to prevent.  The
    intended behavior can be achieved by using mdelay to call udelay
    multiple times in a loop.
    
    [jrnieder@gmail.com: adding context]
    Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
    Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
    Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit faaeea39363ad54b3dfe23cc982e484f6e54aa5a
Author: Shawn Guo <shawn.guo@linaro.org>
Date:   Thu Oct 4 17:12:23 2012 -0700

    kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()
    
    commit f96972f2dc6365421cf2366ebd61ee4cf060c8d5 upstream.
    
    As kernel_power_off() calls disable_nonboot_cpus(), we may also want to
    have kernel_restart() call disable_nonboot_cpus().  Doing so can help
    machines that require boot cpu be the last alive cpu during reboot to
    survive with kernel restart.
    
    This fixes one reboot issue seen on imx6q (Cortex-A9 Quad).  The machine
    requires that the restart routine be run on the primary cpu rather than
    secondary ones.  Otherwise, the secondary core running the restart
    routine will fail to come to online after reboot.
    
    Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7151b69f69f84e66c550b3033f4e2cc301b66f86
Author: Davidlohr Bueso <dave@gnu.org>
Date:   Thu Oct 4 17:13:18 2012 -0700

    lib/gcd.c: prevent possible div by 0
    
    commit e96875677fb2b7cb739c5d7769824dff7260d31d upstream.
    
    Account for all properties when a and/or b are 0:
    gcd(0, 0) = 0
    gcd(a, 0) = a
    gcd(0, b) = b
    
    Fixes no known problems in current kernels.
    
    Signed-off-by: Davidlohr Bueso <dave@gnu.org>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 073c05b26374bcd3a7b033fa88087d721b080a75
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Wed Jun 20 16:18:29 2012 -0600

    PCI: acpiphp: check whether _ADR evaluation succeeded
    
    commit dfb117b3e50c52c7b3416db4a4569224b8db80bb upstream.
    
    Check whether we evaluated _ADR successfully.  Previously we ignored
    failure, so we would have used garbage data from the stack as the device
    and function number.
    
    We return AE_OK so that we ignore only this slot and continue looking
    for other slots.
    
    Found by Coverity (CID 113981).
    
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    [bwh: Backported to 2.6.32/3.0: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6aca02ab8bca4488b697a00bec2bdfad79b84f68
Author: Lin Ming <ming.m.lin@intel.com>
Date:   Mon Jul 16 16:30:21 2012 +0800

    ACPI: run _OSC after ACPI_FULL_INITIALIZATION
    
    commit fc54ab72959edbf229b65ac74b2f122d799ca002 upstream.
    
    The _OSC method may exist in module level code,
    so it must be called after ACPI_FULL_INITIALIZATION
    
    On some new platforms with Zero-Power-Optical-Disk-Drive (ZPODD)
    support, this fix is necessary to save power.
    
    Signed-off-by: Lin Ming <ming.m.lin@intel.com>
    Tested-by: Aaron Lu <aaron.lu@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a6c264be08d9df60b86af8b35ae56336bd625d7
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Aug 19 19:32:27 2012 -0300

    media: rc: ite-cir: Initialise ite_dev::rdev earlier
    
    commit 4b961180ef275035b1538317ffd0e21e80e63e77 upstream.
    
    ite_dev::rdev is currently initialised in ite_probe() after
    rc_register_device() returns.  If a newly registered device is opened
    quickly enough, we may enable interrupts and try to use ite_dev::rdev
    before it has been initialised.  Move it up to the earliest point we
    can, right after calling rc_allocate_device().
    
    Reported-and-tested-by: YunQiang Su <wzssyqa@gmail.com>
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 58e6b5c499e4544164a7ffea278511e32fa488e5
Author: Sascha Hauer <s.hauer@pengutronix.de>
Date:   Thu Oct 4 17:11:17 2012 -0700

    kbuild: make: fix if_changed when command contains backslashes
    
    commit c353acba28fb3fa1fd05fd6b85a9fc7938330f9c upstream.
    
    The call if_changed mechanism does not work when the command contains
    backslashes.  This basically is an issue with lzo and bzip2 compressed
    kernels.  The compressed binaries do not contain the uncompressed image
    size, so these use size_append to append the size.  This results in
    backslashes in the executed command.  With this if_changed always
    detects a change in the command and rebuilds the compressed image even
    if nothing has changed.
    
    Fix this by escaping backslashes in make-cmd
    
    Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
    Cc: Sam Ravnborg <sam@ravnborg.org>
    Cc: Bernhard Walle <bernhard@bwalle.de>
    Cc: Michal Marek <mmarek@suse.cz>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 36cc7838f9d8ccec782f6e44f2131ef446438cd4
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Thu Oct 4 17:11:13 2012 -0700

    mn10300: only add -mmem-funcs to KBUILD_CFLAGS if gcc supports it
    
    commit 9957423f035c2071f6d1c5d2f095cdafbeb25ad7 upstream.
    
    It seems the current (gcc 4.6.3) no longer provides this so make it
    conditional.
    
    As reported by Tony before, the mn10300 architecture cross-compiles with
    gcc-4.6.3 if -mmem-funcs is not added to KBUILD_CFLAGS.
    
    Reported-by: Tony Breeds <tony@bakeyournoodle.com>
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Cc: David Howells <dhowells@redhat.com>
    Cc: Koichi Yasutake <yasutake.koichi@jp.panasonic.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>