commit 8432d2280bd7558fde3a0385d1b35c947197d754
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Thu Jul 12 04:32:21 2012 +0100

    Linux 3.2.23

commit f6d2d473ca73cb30cf25a6940b1dff3cc78b513f
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Jul 7 10:17:00 2012 -0700

    vfs: make O_PATH file descriptors usable for 'fchdir()'
    
    commit 332a2e1244bd08b9e3ecd378028513396a004a24 upstream.
    
    We already use them for openat() and friends, but fchdir() also wants to
    be able to use O_PATH file descriptors.  This should make it comparable
    to the O_SEARCH of Solaris.  In particular, O_PATH allows you to access
    (not-quite-open) a directory you don't have read permission to, only
    execute permission.
    
    Noticed during development of multithread support for ksh93.
    
    Reported-by: ольга крыжановская <olga.kryzhanovska@gmail.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 90f81e29765bd976bf083b239ad04e7f64ab5269
Author: Mark Rustad <mark.d.rustad@intel.com>
Date:   Tue Jun 26 15:57:30 2012 -0700

    tcm_fc: Resolve suspicious RCU usage warnings
    
    commit 863555be0c81558b1af277addcf68acb8f778860 upstream.
    
    Use rcu_dereference_protected to tell rcu that the ft_lport_lock
    is held during ft_lport_create. This resolved "suspicious RCU usage"
    warnings when debugging options are turned on.
    
    Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
    Tested-by: Ross Brattain <ross.b.brattain@intel.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 1935549ba38cf30ebe8748ccb88fb99d009241d4
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jul 5 16:00:11 2012 -0700

    mm: Hold a file reference in madvise_remove
    
    commit 9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb upstream.
    
    Otherwise the code races with munmap (causing a use-after-free
    of the vma) or with close (causing a use-after-free of the struct
    file).
    
    The bug was introduced by commit 90ed52ebe481 ("[PATCH] holepunch: fix
    mmap_sem i_mutex deadlock")
    
    Cc: Hugh Dickins <hugh@veritas.com>
    Cc: Miklos Szeredi <mszeredi@suse.cz>
    Cc: Badari Pulavarty <pbadari@us.ibm.com>
    Cc: Nick Piggin <npiggin@suse.de>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    [bwh: Backported to 3.2:
     - Adjust context
     - madvise_remove() calls vmtruncate_range(), not do_fallocate()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6d60474a0f04010b7b9446abe68bcf2fb772c9bd
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Jun 9 19:08:25 2012 +0300

    mtd: cafe_nand: fix an & vs | mistake
    
    commit 48f8b641297df49021093763a3271119a84990a2 upstream.
    
    The intent here was clearly to set result to true if the 0x40000000 flag
    was set.  But instead there was a | vs & typo and we always set result
    to true.
    
    Artem: check the spec at
    wiki.laptop.org/images/5/5c/88ALP01_Datasheet_July_2007.pdf
    and this fix looks correct.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 18a72053c4361bbecf7d33eb394e0dfe43d7f253
Author: Junxiao Bi <junxiao.bi@oracle.com>
Date:   Wed Jun 27 17:09:54 2012 +0800

    aio: make kiocb->private NUll in init_sync_kiocb()
    
    commit 2dfd06036ba7ae8e7be2daf5a2fff1dac42390bf upstream.
    
    Ocfs2 uses kiocb.*private as a flag of unsigned long size. In
    commit a11f7e6 ocfs2: serialize unaligned aio, the unaligned
    io flag is involved in it to serialize the unaligned aio. As
    *private is not initialized in init_sync_kiocb() of do_sync_write(),
    this unaligned io flag may be unexpectedly set in an aligned dio.
    And this will cause OCFS2_I(inode)->ip_unaligned_aio decreased
    to -1 in ocfs2_dio_end_io(), thus the following unaligned dio
    will hang forever at ocfs2_aiodio_wait() in ocfs2_file_aio_write().
    
    Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
    Acked-by: Jeff Moyer <jmoyer@redhat.com>
    Signed-off-by: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 1a5d75eb4a42279e5e652376fc0d0d885876d2b3
Author: Junxiao Bi <junxiao.bi@oracle.com>
Date:   Wed Jun 27 17:09:55 2012 +0800

    ocfs2: clear unaligned io flag when dio fails
    
    commit 3e5d3c35a68c9a933bdbdd8685bd1a205b57e806 upstream.
    
    The unaligned io flag is set in the kiocb when an unaligned
    dio is issued, it should be cleared even when the dio fails,
    or it may affect the following io which are using the same
    kiocb.
    
    Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
    Signed-off-by: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a606d577a42b8d3333fb604cb93959e421d4bef3
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Jul 2 07:24:25 2012 -0400

    cifs: when server doesn't set CAP_LARGE_READ_X, cap default rsize at MaxBufferSize
    
    commit ec01d738a1691dfc85b96b9f796020267a7be577 upstream.
    
    When the server doesn't advertise CAP_LARGE_READ_X, then MS-CIFS states
    that you must cap the size of the read at the client's MaxBufferSize.
    Unfortunately, testing with many older servers shows that they often
    can't service a read larger than their own MaxBufferSize.
    
    Since we can't assume what the server will do in this situation, we must
    be conservative here for the default. When the server can't do large
    reads, then assume that it can't satisfy any read larger than its
    MaxBufferSize either.
    
    Luckily almost all modern servers can do large reads, so this won't
    affect them. This is really just for older win9x and OS/2 era servers.
    Also, note that this patch just governs the default rsize. The admin can
    always override this if he so chooses.
    
    Reported-by: David H. Durgee <dhdurgee@acm.org>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steven French <sfrench@w500smf.(none)>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 518c75d289bfd41eadf8c55df1dc96a8e1779232
Author: Chris Mason <chris.mason@fusionio.com>
Date:   Mon Jul 2 15:29:53 2012 -0400

    Btrfs: run delayed directory updates during log replay
    
    commit b6305567e7d31b0bec1b8cb9ec0cadd7f7086f5f upstream.
    
    While we are resolving directory modifications in the
    tree log, we are triggering delayed metadata updates to
    the filesystem btrees.
    
    This commit forces the delayed updates to run so the
    replay code can find any modifications done.  It stops
    us from crashing because the directory deletion replay
    expects items to be removed immediately from the tree.
    
    Signed-off-by: Chris Mason <chris.mason@fusionio.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2abafc06328d22a3cc486b060ae1d20d19430141
Author: stephen hemminger <shemminger@vyatta.com>
Date:   Tue Jun 26 05:48:45 2012 +0000

    bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2)
    
    [ Upstream commit 149ddd83a92b02c658d6c61f3276eb6500d585e8 ]
    
    This ensures that bridges created with brctl(8) or ioctl(2) directly
    also carry IFLA_LINKINFO when dumped over netlink. This also allows
    creating a bridge with ioctl(2) and deleting it with RTM_DELLINK.
    
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit bb6c2337ae71d5eb2e0c8106d6be2a209f2599df
Author: Thomas Graf <tgraf@suug.ch>
Date:   Mon Jun 18 12:08:33 2012 +0000

    ipv6: Move ipv6 proc file registration to end of init order
    
    [ Upstream commit d189634ecab947c10f6f832258b103d0bbfe73cc ]
    
    /proc/net/ipv6_route reflects the contents of fib_table_hash. The proc
    handler is installed in ip6_route_net_init() whereas fib_table_hash is
    allocated in fib6_net_init() _after_ the proc handler has been installed.
    
    This opens up a short time frame to access fib_table_hash with its pants
    down.
    
    Move the registration of the proc files to a later point in the init
    order to avoid the race.
    
    Tested :-)
    
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b83d32ea5e66121fcf169ac1629836f87658fdcf
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jun 12 19:30:21 2012 +0000

    netpoll: fix netpoll_send_udp() bugs
    
    [ Upstream commit 954fba0274058d27c7c07b5ea07c41b3b7477894 ]
    
    Bogdan Hamciuc diagnosed and fixed following bug in netpoll_send_udp() :
    
    "skb->len += len;" instead of "skb_put(skb, len);"
    
    Meaning that _if_ a network driver needs to call skb_realloc_headroom(),
    only packet headers would be copied, leaving garbage in the payload.
    
    However the skb_realloc_headroom() must be avoided as much as possible
    since it requires memory and netpoll tries hard to work even if memory
    is exhausted (using a pool of preallocated skbs)
    
    It appears netpoll_send_udp() reserved 16 bytes for the ethernet header,
    which happens to work for typical drivers but not all.
    
    Right thing is to use LL_RESERVED_SPACE(dev)
    (And also add dev->needed_tailroom of tailroom)
    
    This patch combines both fixes.
    
    Many thanks to Bogdan for raising this issue.
    
    Reported-by: Bogdan Hamciuc <bogdan.hamciuc@freescale.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Tested-by: Bogdan Hamciuc <bogdan.hamciuc@freescale.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Reviewed-by: Neil Horman <nhorman@tuxdriver.com>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit dad3f9c2bef47dd67cc930eea826af2814a7c568
Author: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Date:   Sun Jan 22 00:20:40 2012 +0000

    ethtool: allow ETHTOOL_GSSET_INFO for users
    
    [ Upstream commit f80400a26a2e8bff541de12834a1134358bb6642 ]
    
    Allow ETHTOOL_GSSET_INFO ethtool ioctl() for unprivileged users.
    ETHTOOL_GSTRINGS is already allowed, but is unusable without this one.
    
    Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
    Acked-by: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 75d5e3d1cf4caf4091b5ee17d748016f04fdced4
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jun 12 06:03:51 2012 +0000

    bonding: Fix corrupted queue_mapping
    
    [ Upstream commit 5ee31c6898ea5537fcea160999d60dc63bc0c305 ]
    
    In the transmit path of the bonding driver, skb->cb is used to
    stash the skb->queue_mapping so that the bonding device can set its
    own queue mapping.  This value becomes corrupted since the skb->cb is
    also used in __dev_xmit_skb.
    
    When transmitting through bonding driver, bond_select_queue is
    called from dev_queue_xmit.  In bond_select_queue the original
    skb->queue_mapping is copied into skb->cb (via bond_queue_mapping)
    and skb->queue_mapping is overwritten with the bond driver queue.
    
    Subsequently in dev_queue_xmit, __dev_xmit_skb is called which writes
    the packet length into skb->cb, thereby overwriting the stashed
    queue mapping.  In bond_dev_queue_xmit (called from hard_start_xmit),
    the queue mapping for the skb is set to the stashed value which is now
    the skb length and hence is an invalid queue for the slave device.
    
    If we want to save skb->queue_mapping into skb->cb[], best place is to
    add a field in struct qdisc_skb_cb, to make sure it won't conflict with
    other layers (eg : Qdisc, Infiniband...)
    
    This patch also makes sure (struct qdisc_skb_cb)->data is aligned on 8
    bytes :
    
    netem qdisc for example assumes it can store an u64 in it, without
    misalignment penalty.
    
    Note : we only have 20 bytes left in (struct qdisc_skb_cb)->data[].
    The largest user is CHOKe and it fills it.
    
    Based on a previous patch from Tom Herbert.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Tom Herbert <therbert@google.com>
    Cc: John Fastabend <john.r.fastabend@intel.com>
    Cc: Roland Dreier <roland@kernel.org>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a4b58f97eb86a82393d6dce799c265db93a99a50
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun Jun 10 21:11:57 2012 +0000

    dummy: fix rcu_sched self-detected stalls
    
    [ Upstream commit 16b0dc29c1af9df341428f4c49ada4f626258082 ]
    
    Trying to "modprobe dummy numdummies=30000" triggers :
    
    INFO: rcu_sched self-detected stall on CPU { 8} (t=60000 jiffies)
    
    After this splat, RTNL is locked and reboot is needed.
    
    We must call cond_resched() to avoid this, even holding RTNL.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 14be92503e6e67bce5c2c8259036b88f66cafc46
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jun 7 22:59:59 2012 +0000

    be2net: fix a race in be_xmit()
    
    [ Upstream commit cd8f76c0a0c6fce0b2cf23c9bd0123f91453f46d ]
    
    As soon as hardware is notified of a transmit, we no longer can assume
    skb can be dereferenced, as TX completion might have freed the packet.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Sathya Perla <sathya.perla@emulex.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2d3de9b3abd0b5ad7a2641a092e804f922cef31d
Author: stephen hemminger <shemminger@vyatta.com>
Date:   Wed Jun 6 10:01:30 2012 +0000

    sky2: fix checksum bit management on some chips
    
    [ Upstream commit 5ff0feac88ced864f44adb145142269196fa79d9 ]
    
    The newer flavors of Yukon II use a different method for receive
    checksum offload. This is indicated in the driver by the SKY2_HW_NEW_LE
    flag. On these newer chips, the BMU_ENA_RX_CHKSUM should not be set.
    
    The driver would incorrectly toggle the bit, enabling the old
    checksum logic on these chips and causing a BUG_ON() assertion if
    receive checksum was toggled via ethtool.
    
    Reported-by: Kirill Smelkov <kirr@mns.spb.ru>
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5b73845cd7629c3b944542999b8e69989a4dd70e
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jun 8 06:25:00 2012 +0000

    l2tp: fix a race in l2tp_ip_sendmsg()
    
    [ Upstream commit 4399a4df98a63e30fd16e9d0cecc46ea92269e8f ]
    
    Commit 081b1b1bb27f (l2tp: fix l2tp_ip_sendmsg() route handling) added
    a race, in case IP route cache is disabled.
    
    In this case, we should not do the dst_release(&rt->dst), since it'll
    free the dst immediately, instead of waiting a RCU grace period.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: James Chapman <jchapman@katalix.com>
    Cc: Denys Fedoryshchenko <denys@visp.net.lb>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 43f06c88b9293b6bfb5724757c0c9e7d9e2b2103
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jun 7 00:07:20 2012 +0000

    net: l2tp_eth: fix kernel panic on rmmod l2tp_eth
    
    [ Upstream commit a06998b88b1651c5f71c0e35f528bf2057188ead ]
    
    We must prevent module unloading if some devices are still attached to
    l2tp_eth driver.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
    Tested-by: Denys Fedoryshchenko <denys@visp.net.lb>
    Cc: James Chapman <jchapman@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit dff31bdf228689241933ea5bf62ba98de3eec42e
Author: Paul Moore <pmoore@redhat.com>
Date:   Fri Jun 1 05:54:56 2012 +0000

    cipso: handle CIPSO options correctly when NetLabel is disabled
    
    [ Upstream commit 20e2a86485967c385d7c7befc1646e4d1d39362e ]
    
    When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system
    receives a CIPSO tagged packet it is dropped (cipso_v4_validate()
    returns non-zero).  In most cases this is the correct and desired
    behavior, however, in the case where we are simply forwarding the
    traffic, e.g. acting as a network bridge, this becomes a problem.
    
    This patch fixes the forwarding problem by providing the basic CIPSO
    validation code directly in ip_options_compile() without the need for
    the NetLabel or CIPSO code.  The new validation code can not perform
    any of the CIPSO option label/value verification that
    cipso_v4_validate() does, but it can verify the basic CIPSO option
    format.
    
    The behavior when NetLabel is enabled is unchanged.
    
    Signed-off-by: Paul Moore <pmoore@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit caade06b9bc468620636953b15d7d36a12d2b88e
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed May 30 21:18:10 2012 +0000

    net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
    
    [ Upstream commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc ]
    
    We need to validate the number of pages consumed by data_len, otherwise frags
    array could be overflowed by userspace. So this patch validates data_len and
    returns -EMSGSIZE when data_len may occupy more frags than MAX_SKB_FRAGS.
    
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
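
The bound described in the sock_alloc_send_pskb() entry above, as an added example that is not part of the changelog or the kernel patch: a user-space model in which each page of data_len takes one slot in a fixed-size fragment array. The names (model_skb, pages_for, checked_alloc, unchecked_oob_writes) and the constants (4 KiB pages, 18 slots) are assumptions made for the model.

```c
/* Added illustration: a user-space model, not code from the kernel tree. */
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SHIFT 12UL                       /* assumed 4 KiB pages */
#define MODEL_PAGE_SIZE  (1UL << MODEL_PAGE_SHIFT)
#define MODEL_MAX_FRAGS  18UL                       /* assumed array size */

struct model_skb {
    unsigned long nr_frags;
    unsigned long frag_len[MODEL_MAX_FRAGS];
};

/* Pages needed for data_len, rounded up. Written without
 * "data_len + PAGE_SIZE - 1" so a huge caller-supplied length cannot
 * wrap around to a small page count. */
unsigned long pages_for(unsigned long data_len)
{
    return (data_len >> MODEL_PAGE_SHIFT) +
           ((data_len & (MODEL_PAGE_SIZE - 1)) != 0);
}

/* One fragment slot per page. Writes that would land past the array are
 * counted instead of performed, so the model itself stays memory-safe. */
static void fill_frags(struct model_skb *skb, unsigned long data_len,
                       unsigned long *out_of_bounds)
{
    unsigned long npages = pages_for(data_len);
    unsigned long i;

    skb->nr_frags = 0;
    *out_of_bounds = 0;
    for (i = 0; i < npages; i++) {
        unsigned long chunk =
            data_len < MODEL_PAGE_SIZE ? data_len : MODEL_PAGE_SIZE;

        if (i < MODEL_MAX_FRAGS) {
            skb->frag_len[i] = chunk;
            skb->nr_frags++;
        } else {
            (*out_of_bounds)++;
        }
        data_len -= chunk;
    }
}

/* "Before" behaviour: no bound on data_len. Returns how many slots past
 * the end of the array would have been written. */
unsigned long unchecked_oob_writes(unsigned long data_len)
{
    struct model_skb skb;
    unsigned long oob;

    fill_frags(&skb, data_len, &oob);
    return oob;
}

/* "After" behaviour: reject the request before anything is filled in.
 * Returns the fragment count on success or -EMSGSIZE. */
long checked_alloc(unsigned long data_len)
{
    struct model_skb skb;
    unsigned long oob;

    if (pages_for(data_len) > MODEL_MAX_FRAGS)
        return -EMSGSIZE;
    fill_frags(&skb, data_len, &oob);
    return (long)skb.nr_frags;
}

int main(void)
{
    /* Constructed sample lengths around the limit. */
    unsigned long lens[] = {
        0, 1, MODEL_PAGE_SIZE, MODEL_PAGE_SIZE + 1,
        MODEL_MAX_FRAGS * MODEL_PAGE_SIZE,
        MODEL_MAX_FRAGS * MODEL_PAGE_SIZE + 1,
        20UL * MODEL_PAGE_SIZE,
    };
    unsigned long i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("data_len=%lu pages=%lu unchecked_oob=%lu checked=%ld\n",
               lens[i], pages_for(lens[i]),
               unchecked_oob_writes(lens[i]), checked_alloc(lens[i]));
    return 0;
}
```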

commit bd00fcf3ec0c7fc0b194ba37a07564517fed11b8
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Thu Jan 19 15:20:58 2012 +0000

    ARM: fix rcu stalls on SMP platforms
    
    commit 7deabca0acfe02b8e18f59a4c95676012f49a304 upstream.
    
    We can stall RCU processing on SMP platforms if a CPU sits in its idle
    loop for a long time.  This happens because we don't call irq_enter()
    and irq_exit() around generic_smp_call_function_interrupt() and
    friends.  Add the necessary calls, and remove the one from within
    ipi_timer(), so that they're all in a common place.
    
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a9f1af04f086656246f30354fb4564ce3b08c4a0
Author: Jan Kara <jack@suse.cz>
Date:   Wed Jun 27 21:23:07 2012 +0200

    udf: Fortify loading of sparing table
    
    commit 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 upstream.
    
    Add sanity checks when loading sparing table from disk to avoid accessing
    unallocated memory or writing to it.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 007871a045112d5e4228b69d9cf0fb95b73d3d71
Author: Jan Kara <jack@suse.cz>
Date:   Wed Jun 27 20:20:22 2012 +0200

    udf: Avoid run away loop when partition table length is corrupted
    
    commit adee11b2085bee90bd8f4f52123ffb07882d6256 upstream.
    
    Check provided length of partition table so that (possibly maliciously)
    corrupted partition table cannot cause accessing data beyond current buffer.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit df2a300810d3e2b049ad363aa1081657a5eda8c6
Author: Jan Kara <jack@suse.cz>
Date:   Wed Jun 27 20:08:44 2012 +0200

    udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()
    
    commit cb14d340ef1737c24125dd663eff77734a482d47 upstream.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 83744791d4f628e83a6aa8fd2d3d694daa547204
Author: Bing Zhao <bzhao@marvell.com>
Date:   Tue Jul 3 20:43:56 2012 -0700

    mwifiex: fix wrong return values in add_virtual_intf() error cases
    
    commit 858faa57dd9e2b91f3f870fbb1185982e42f5a2b upstream
    
    backported for linux-3.2.y, linux-3.3.y, linux-3.4.y
    
    add_virtual_intf() needs to return an ERR_PTR(), instead of NULL,
    on errors, otherwise cfg80211 will crash.
    
    Reported-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 907e461a4f50ca31c36575b03c14d2c07ba20df0
Author: Vaibhav Nagarnaik <vnagarnaik@google.com>
Date:   Thu May 3 18:59:52 2012 -0700

    tracing: change CPU ring buffer state from tracing_cpumask
    
    commit 71babb2705e2203a64c27ede13ae3508a0d2c16c upstream.
    
    According to Documentation/trace/ftrace.txt:
    
    tracing_cpumask:
    
            This is a mask that lets the user only trace
            on specified CPUS. The format is a hex string
            representing the CPUS.
    
    The tracing_cpumask currently doesn't affect the tracing state of
    per-CPU ring buffers.
    
    This patch enables/disables CPU recording as its corresponding bit in
    tracing_cpumask is set/unset.
    
    Link: http://lkml.kernel.org/r/1336096792-25373-3-git-send-email-vnagarnaik@google.com
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Laurent Chavey <chavey@google.com>
    Cc: Justin Teravest <teravest@google.com>
    Cc: David Sharp <dhsharp@google.com>
    Signed-off-by: Vaibhav Nagarnaik <vnagarnaik@google.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7d124ddf1897f66e74b0dcb7e5a22fd72a616233
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Jun 26 17:35:10 2012 +0200

    ALSA: hda - Fix power-map regression for HP dv6 & co
    
    commit 6e1c39c6b00d9141a82c231ba7c5e5b1716974b2 upstream.
    
    The recent fix for power-map controls (commit b0791dda813) caused
    regressions on some other HP laptops.  They have fixed pins but these
    pins are exposed as jack-detectable.  Thus the driver tries to control
    the power-map dynamically per jack detection where it never gets on.
    
    This patch adds the check of connection and it assumes that no jack
    detection is available for fixed pins no matter what pin capability
    says.
    
    BugLink: http://bugs.launchpad.net/bugs/1013183
    Reported-by: Luis Henriques <luis.henriques@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3b4a30107e053c2cd698ffc9529870eab0b4f676
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Tue Jul 3 12:55:37 2012 +0100

    dm persistent data: fix allocation failure in space map checker init
    
    commit b0239faaf87c38bb419c9264bf20817438ddc3a9 upstream.
    
    If CONFIG_DM_DEBUG_SPACE_MAPS is enabled and memory is fragmented and a
    sufficiently-large metadata device is used in a thin pool then the space
    map checker will fail to allocate the memory it requires.
    
    Switch from kmalloc to vmalloc to allow larger virtually contiguous
    allocations for the space map checker's internal count arrays.
    
    Reported-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Alasdair G Kergon <agk@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f8789bfd8aba0184c657648ef28b38d0b9f7282d
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Tue Jul 3 12:55:35 2012 +0100

    dm persistent data: handle space map checker creation failure
    
    commit 62662303e7f590fdfbb0070ab820a0ad4267c119 upstream.
    
    If CONFIG_DM_DEBUG_SPACE_MAPS is enabled and dm_sm_checker_create()
    fails, dm_tm_create_internal() would still return success even though it
    cleaned up all resources it was supposed to have created.  This will
    lead to a kernel crash:
    
    general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
    ...
    RIP: 0010:[<ffffffff81593659>]  [<ffffffff81593659>] dm_bufio_get_block_size+0x9/0x20
    Call Trace:
      [<ffffffff81599bae>] dm_bm_block_size+0xe/0x10
      [<ffffffff8159b8b8>] sm_ll_init+0x78/0xd0
      [<ffffffff8159c1a6>] sm_ll_new_disk+0x16/0xa0
      [<ffffffff8159c98e>] dm_sm_disk_create+0xfe/0x160
      [<ffffffff815abf6e>] dm_pool_metadata_open+0x16e/0x6a0
      [<ffffffff815aa010>] pool_ctr+0x3f0/0x900
      [<ffffffff8158d565>] dm_table_add_target+0x195/0x450
      [<ffffffff815904c4>] table_load+0xe4/0x330
      [<ffffffff815917ea>] ctl_ioctl+0x15a/0x2c0
      [<ffffffff81591963>] dm_ctl_ioctl+0x13/0x20
      [<ffffffff8116a4f8>] do_vfs_ioctl+0x98/0x560
      [<ffffffff8116aa51>] sys_ioctl+0x91/0xa0
      [<ffffffff81869f52>] system_call_fastpath+0x16/0x1b
    
    Fix the space map checker code to return an appropriate ERR_PTR and have
    dm_sm_disk_create() and dm_tm_create_internal() check for it with
    IS_ERR.
    
    Reported-by: Vivek Goyal <vgoyal@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Alasdair G Kergon <agk@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
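
The mwifiex add_virtual_intf() entry and the dm space map checker entry above both turn on the kernel's ERR_PTR()/IS_ERR() convention. As an added example that is not part of the changelog or either patch, here is a user-space model of that convention showing why a caller that tests only IS_ERR() lets a NULL failure value through. All model_* names, the fail_style enum and the outcome enum are assumptions made for the model.

```c
/* Added illustration: user-space model of the kernel's error-pointer
 * convention (ERR_PTR / PTR_ERR / IS_ERR); not code from either patch. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_MAX_ERRNO 4095   /* errno values occupy the top 4095 addresses */

static void *model_err_ptr(long err)       { return (void *)(intptr_t)err; }
static long  model_ptr_err(const void *p)  { return (long)(intptr_t)p; }
static int   model_is_err(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MODEL_MAX_ERRNO;
}

struct model_obj { unsigned int block_size; };

enum fail_style { FAIL_WITH_NULL, FAIL_WITH_ERR_PTR };
enum outcome    { USED_OBJECT, HANDLED_ERROR, WOULD_DEREF_NULL };

/* Constructor that reports failure either way, so both styles can be
 * run through the same caller. */
static struct model_obj *model_create(enum fail_style style, int simulate_failure)
{
    struct model_obj *obj = simulate_failure ? NULL : malloc(sizeof(*obj));

    if (!obj)
        return style == FAIL_WITH_NULL ? NULL : model_err_ptr(-ENOMEM);
    obj->block_size = 4096;
    return obj;
}

/* Caller written against the ERR_PTR contract: it tests IS_ERR() and
 * nothing else. The explicit NULL branch exists only so the model can
 * report the problem; a real caller would dereference at that point. */
enum outcome caller_is_err_only(enum fail_style style, int simulate_failure,
                                long *err_out)
{
    struct model_obj *obj = model_create(style, simulate_failure);

    if (model_is_err(obj)) {
        if (err_out)
            *err_out = model_ptr_err(obj);
        return HANDLED_ERROR;
    }
    if (obj == NULL)
        return WOULD_DEREF_NULL;   /* IS_ERR(NULL) is false */

    (void)obj->block_size;         /* normal use of a valid object */
    free(obj);
    return USED_OBJECT;
}

int main(void)
{
    long err = 0;

    printf("IS_ERR(NULL)             = %d\n", model_is_err(NULL));
    printf("IS_ERR(ERR_PTR(-ENOMEM)) = %d\n",
           model_is_err(model_err_ptr(-ENOMEM)));
    printf("NULL on failure    -> outcome %d\n",
           caller_is_err_only(FAIL_WITH_NULL, 1, &err));
    printf("ERR_PTR on failure -> outcome %d (err=%ld)\n",
           caller_is_err_only(FAIL_WITH_ERR_PTR, 1, &err), err);
    return 0;
}
```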

commit ee294c7066c9c056a28c6d7b4b024ddf18a80f12
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Tue Jul 3 12:55:33 2012 +0100

    dm persistent data: fix shadow_info_leak on dm_tm_destroy
    
    commit 25d7cd6faa7ae6ed2565617c3ee2500ccb8a9f7f upstream.
    
    Cleanup the shadow table before destroying the transaction manager.
    
    Reference: leak was identified with kmemleak when running
    test_discard_random_sectors in the thinp-test-suite.
    
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Alasdair G Kergon <agk@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit be2c05493abc0f6d85a5c46f78df73d60a65d752
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Sun Jul 1 17:09:42 2012 +0200

    drm/i915: kick any firmware framebuffers before claiming the gtt
    
    commit 9f846a16d213523fbe6daea17e20df6b8ac5a1e5 upstream.
    
    Especially vesafb likes to map everything as uc- (yikes), and if that
    mapping hangs around still while we try to map the gtt as wc the
    kernel will downgrade our request to uc-, resulting in abyssal
    performance.
    
    Unfortunately we can't do this as early as radeon does (i.e. as the
    first thing we do when initializing the hw) because our fb/mmio space
    region moves around on a per-gen basis. So I've had to move it below
    the gtt initialization, but that seems to work, too. The important
    thing is that we do this before we set up the gtt wc mapping.
    
    Now an altogether different question is why people compile their
    kernels with vesafb enabled, but I guess making things just work isn't
    bad per se ...
    
    v2:
    - s/radeondrmfb/inteldrmfb/
    - fix up error handling
    
    v3: Kill #ifdef X86, this is Intel after all. Noticed by Ben Widawsky.
    
    v4: Jani Nikula complained about the pointless bool primary
    initialization.
    
    v5: Don't oops if we can't allocate, noticed by Chris Wilson.
    
    v6: Resolve conflicts with agp rework and fixup whitespace.
    
    This is commit e188719a2891f01b3100d in drm-next.
    
    Backport to 3.5 -fixes queue requested by Dave Airlie - due to grub
    using vesa on fedora their initrd seems to load vesafb before loading
    the real kms driver. So tons more people actually experience a
    dead-slow gpu. Hence also the Cc: stable.
    
    Reported-and-tested-by: "Kilarski, Bernard R" <bernard.r.kilarski@intel.com>
    Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 0cc5b5c40fccdbf7b872ae167db30a4aeb413d89
Author: NeilBrown <neilb@suse.de>
Date:   Tue Jul 3 15:55:33 2012 +1000

    md/raid10: fix failure when trying to repair a read error.
    
    commit 055d3747dbf00ce85c6872ecca4d466638e80c22 upstream.
    
    commit 58c54fcca3bac5bf9290cfed31c76e4c4bfbabaf
         md/raid10: handle further errors during fix_read_error better.
    
    in 3.1 added "r10_sync_page_io" which takes an IO size in sectors.
    But we were passing the IO size in bytes!!!
    This resulted in bio_add_page failing, and an empty request being sent
    down, and a consequent BUG_ON in scsi_lib.
    
    [fix missing space in error message at same time]
    
    This fix is suitable for 3.1.y and later.
    
    Reported-by: Christian Balzer <chibi@gol.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6b295c456aff465a7710259b2a6b5f06e654f850
Author: majianpeng <majianpeng@gmail.com>
Date:   Tue Jul 3 12:11:54 2012 +1000

    md/raid5: In ops_run_io, inc nr_pending before calling md_wait_for_blocked_rdev
    
    commit 1850753d2e6d9ca7856581ca5d3cf09521e6a5d7 upstream.
    
    In ops_run_io(), the call to md_wait_for_blocked_rdev will decrement
    nr_pending so we lose the reference we hold on the rdev.
    So atomic_inc it first to maintain the reference.
    
    This bug was introduced by commit  73e92e51b7969ef5477d
        md/raid5.  Don't write to known bad block on doubtful devices.
    
    which appeared in 3.0, so patch is suitable for stable kernels since
    then.
    
    Signed-off-by: majianpeng <majianpeng@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ebfdf3076402b08d6fd97141ac40149ff13f70ea
Author: majianpeng <majianpeng@gmail.com>
Date:   Tue Jun 12 08:31:10 2012 +0800

    md/raid5: Do not add data_offset before call to is_badblock
    
    commit 6c0544e255dd6582a9899572e120fb55d9f672a4 upstream.
    
    In chunk_aligned_read() we are adding data_offset before calling
    is_badblock.  But is_badblock also adds data_offset, so that is bad.
    
    So move the addition of data_offset to after the call to
    is_badblock.
    
    This bug was introduced by commit 31c176ecdf3563140e639
         md/raid5: avoid reading from known bad blocks.
    which first appeared in 3.0.  So that patch is suitable for any
    -stable kernel from 3.0.y onwards.  However it will need minor
    revision for most of those (as the comment didn't appear until
    recently).
    
    Signed-off-by: majianpeng <majianpeng@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    [bwh: Backported to 3.2: ignored missing comment]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2e9e8f43671774f754629eda8489946bf09fe4fc
Author: NeilBrown <neilb@suse.de>
Date:   Tue Jul 3 10:37:30 2012 +1000

    md/raid10: Don't try to recovery unmatched (and unused) chunks.
    
    commit fc448a18ae6219af9a73257b1fbcd009efab4a81 upstream.
    
    If a RAID10 has an odd number of chunks - as might happen when there
    are an odd number of devices - the last chunk has no pair and so is
    not mirrored.  We don't store data there, but when recovering the last
    device in an array we retry to recover that last chunk from a
    non-existent location.  This results in an error, and the recovery
    aborts.
    
    When we get to that last chunk we should just stop - there is nothing
    more to do anyway.
    
    This bug has been present since the introduction of RAID10, so the
    patch is appropriate for any -stable kernel.
    
    Reported-by: Christian Balzer <chibi@gol.com>
    Tested-by: Christian Balzer <chibi@gol.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6f00b2dd2b9224f7ca8b57ab012b8050813533d0
Author: Michael Neuling <mikey@neuling.org>
Date:   Mon Jun 25 13:33:11 2012 +0000

    powerpc/kvm: sldi should be sld
    
    commit 2f584a146a2965b82fce89b8d2f95dc5cfe468d0 upstream.
    
    Since we are taking a register, this should never have been an sldi.
    Talking to paulus offline, this is the correct fix.
    
    Was introduced by:
     commit 19ccb76a1938ab364a412253daec64613acbf3df
     Author: Paul Mackerras <paulus@samba.org>
     Date:   Sat Jul 23 17:42:46 2011 +1000
    
    Talking to paulus, this shouldn't be a literal.
    
    Signed-off-by: Michael Neuling <mikey@neuling.org>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6ff38e97bd02e4b975f2217a64482749f1b487b0
Author: Anton Blanchard <anton@samba.org>
Date:   Thu Jun 28 19:28:57 2012 +0000

    powerpc/xmon: Use cpumask iterator to avoid warning
    
    commit bc1d7702910c7c7e88eb60b58429dbfe293683ce upstream.
    
    We have a bug report where the kernel hits a warning in the cpumask
    code:
    
    WARNING: at include/linux/cpumask.h:107
    
    Which is:
            WARN_ON_ONCE(cpu >= nr_cpumask_bits);
    
    The backtrace is:
            cpu_cmd
            cmds
            xmon_core
            xmon
            die
    
    xmon is iterating through 0 to NR_CPUS. I'm not sure why we are still
    open coding this but iterating above nr_cpu_ids is definitely a bug.
    
    This patch iterates through all possible cpus, in case we issue a
    system reset and CPUs in an offline state call in.
    
    Perhaps the old code was trying to handle CPUs that were in the
    partition but were never started (eg kexec into a kernel with an
    nr_cpus= boot option). They are going to die way before we get into
    xmon since we haven't set any kernel state up for them.
    
    Signed-off-by: Anton Blanchard <anton@samba.org>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5440ea00d6cc186b509e4585f6f9a04029b62232
Author: Hebbar, Gururaja <gururaja.hebbar@ti.com>
Date:   Tue Jun 26 19:25:11 2012 +0530

    ASoC: tlv320aic3x: Fix codec pll configure bug
    
    commit c9fe573a6584034670c1a55ee8162d623519cbbf upstream.
    
    In sound/soc/codecs/tlv320aic3x.c
    
            data = snd_soc_read(codec, AIC3X_PLL_PROGA_REG);
            snd_soc_write(codec, AIC3X_PLL_PROGA_REG,
                          data | (pll_p << PLLP_SHIFT));
    
    In the above code, pll-p value is OR'ed with previous value without
    clearing it. Bug is not seen if pll-p value doesn't change across
    Sampling frequency.
    
    However on some platforms (like AM335x EVM-SK), pll-p may have different
    values across different sampling frequencies. In such case, above code
    configures the pll with a wrong value.
    Because of this bug, when an audio stream is played with pll value
    different from previous stream, audio is heard differently (like it's
    stretched).
    
    Signed-off-by: Hebbar, Gururaja <gururaja.hebbar@ti.com>
    Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 8be32365c9c09080daebc88c354dbbed9ec161f5
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Wed Jun 27 15:38:56 2012 +0200

    mac80211: correct behaviour on unrecognised action frames
    
    commit 4b5ebccc40843104d980f0714bc86bfcd5568941 upstream.
    
    When receiving an "individually addressed" action frame, the
    receiver is required to return it to the sender. mac80211
    gets this wrong as it also returns group addressed (mcast)
    frames to the sender. Fix this and update the reference to
    the new 802.11 standards version since things were shuffled
    around significantly.
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 8055d02bb133e222610f3eb494a4641f95683c8c
Author: Panayiotis Karabassis <panayk@gmail.com>
Date:   Tue Jun 26 23:37:17 2012 +0300

    ath9k: enable serialize_regmode for non-PCIE AR9287
    
    commit 7508b657967cf664b5aa0f6367d05016e7e3bc2a upstream.
    
    https://bugzilla.kernel.org/show_bug.cgi?id=42903
    
    Based on the work of <fynivx@gmail.com>
    
    Signed-off-by: Panayiotis Karabassis <panayk@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9eec182c06a3d48667526d080b5ee3481f762302
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date:   Mon Jun 25 18:01:12 2012 -0500

    rtlwifi: rtl8192cu: New USB IDs
    
    commit f63d7dabd5da9ef41f28f6d69b29bc084db0ca5a upstream.
    
    The latest Realtek driver for the RTL8188CU and RTL8192CU chips adds three
    new USB IDs.
    
    Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b82b566a46ef61f26f461f0c55e6588b2cc93384
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jun 12 00:47:58 2012 +0200

    NFC: Return from rawsock_release when sk is NULL
    
    commit 03e934f620101ca2cfc9383bd76172dd3e1f8567 upstream.
    
    Sasha Levin reported the following panic:
    
    [ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at
    00000000000003b0
    [ 2136.384022] IP: [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
    [ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0
    [ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    [ 2136.388106] CPU 1
    [ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G        W
    3.5.0-rc2-sasha-00015-g7b268f7 #374
    [ 2136.388106] RIP: 0010:[<ffffffff8114e400>]  [<ffffffff8114e400>]
    __lock_acquire+0xc0/0x4b0
    [ 2136.388106] RSP: 0018:ffff8800130b3ca8  EFLAGS: 00010046
    [ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX:
    0000000000000000
    [ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
    0000000000000000
    [ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09:
    0000000000000000
    [ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12:
    0000000000000002
    [ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15:
    0000000000000000
    [ 2136.388106] FS:  00007fa5b1bd4700(0000) GS:ffff88001b800000(0000)
    knlGS:0000000000000000
    [ 2136.388106] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4:
    00000000000406e0
    [ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
    0000000000000000
    [ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
    0000000000000400
    [ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo
    ffff8800130b2000, task ffff88001186b000)
    [ 2136.388106] Stack:
    [ 2136.388106]  ffff8800130b3cd8 ffffffff81121785 ffffffff81236774
    000080d000000001
    [ 2136.388106]  ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08
    ffff88001186b000
    [ 2136.388106]  0000000000000000 0000000000000002 0000000000000000
    0000000000000000
    [ 2136.388106] Call Trace:
    [ 2136.388106]  [<ffffffff81121785>] ? sched_clock_local+0x25/0x90
    [ 2136.388106]  [<ffffffff81236774>] ? get_empty_filp+0x74/0x220
    [ 2136.388106]  [<ffffffff8114e97a>] lock_acquire+0x18a/0x1e0
    [ 2136.388106]  [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
    [ 2136.388106]  [<ffffffff837c0ef0>] _raw_write_lock_bh+0x40/0x80
    [ 2136.388106]  [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
    [ 2136.388106]  [<ffffffff836b37df>] rawsock_release+0x4f/0xa0
    [ 2136.388106]  [<ffffffff8321cfe8>] sock_release+0x18/0x70
    [ 2136.388106]  [<ffffffff8321d069>] sock_close+0x29/0x30
    [ 2136.388106]  [<ffffffff81236bca>] __fput+0x11a/0x2c0
    [ 2136.388106]  [<ffffffff81236d85>] fput+0x15/0x20
    [ 2136.388106]  [<ffffffff8321de34>] sys_accept4+0x1b4/0x200
    [ 2136.388106]  [<ffffffff837c165c>] ? _raw_spin_unlock_irq+0x4c/0x80
    [ 2136.388106]  [<ffffffff837c1669>] ? _raw_spin_unlock_irq+0x59/0x80
    [ 2136.388106]  [<ffffffff837c2565>] ? sysret_check+0x22/0x5d
    [ 2136.388106]  [<ffffffff8321de8b>] sys_accept+0xb/0x10
    [ 2136.388106]  [<ffffffff837c2539>] system_call_fastpath+0x16/0x1b
    [ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7
    8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00
    00 00 <49> 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77
    [ 2136.388106] RIP  [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
    [ 2136.388106]  RSP <ffff8800130b3ca8>
    [ 2136.388106] CR2: 00000000000003b0
    [ 2136.388106] ---[ end trace 6d450e935ee18982 ]---
    [ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt
    
    rawsock_release() should test if sock->sk is NULL before calling
    sock_orphan()/sock_put()
    
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Tested-by: Sasha Levin <levinsasha928@gmail.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    [bwh: Backported to 3.2: keep using nfc_dbg(), not pr_debug()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit e087c0136ef1d53213a5cbdc4187c15a88f55996
Author: Felix Fietkau <nbd@openwrt.org>
Date:   Sat Jun 23 19:23:31 2012 +0200

    ath9k: fix dynamic WEP related regression
    
    commit bed3d9c0b71f9afbfec905cb6db3b9f16be29d4d upstream.
    
    commit 7a532fe7131216a02c81a6c1b1f8632da1195a58
    ath9k_hw: fix interpretation of the rx KeyMiss flag
    
    This commit used the rx key miss indication to detect packets that were
    passed from the hardware without being decrypted, however it seems that
    this bit is not only undefined in the static WEP case, but also for
    dynamically allocated WEP keys. This caused a regression when using
    WEP-LEAP.
    
    This patch fixes the regression by keeping track of which key indexes
    refer to CCMP keys and only using the key miss indication for those.
    
    Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ec5b2b02eedb2c3471d5a87ba0f72d11b04c2af1
Author: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Date:   Mon Jun 25 16:05:27 2012 +0200

    NFC: Prevent multiple buffer overflows in NCI
    
    commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
    
    Fix multiple remotely-exploitable stack-based buffer overflows due to
    the NCI code pulling length fields directly from incoming frames and
    copying too much data into statically-sized arrays.
    
    Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
    Cc: security@kernel.org
    Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
    Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
    Cc: Samuel Ortiz <sameo@linux.intel.com>
    Cc: David S. Miller <davem@davemloft.net>
    Acked-by: Ilan Elias <ilane@ti.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    [bwh: Backported to 3.2:
     - Drop changes to parsing of tech B and tech F parameters
     - Various renaming]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
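
Added illustration, not part of the commit above or of the kernel source: a minimal C model of the bug class that commit message describes, where a length byte taken from an incoming frame sizes a copy into a fixed array, shown next to a bounds-checked form. The struct, the `ID_MAXSIZE` capacity, the function names and the one-length-byte frame layout are all hypothetical, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_MAXSIZE 10            /* hypothetical capacity of the fixed array */

struct poll_params {             /* hypothetical parse result */
    uint8_t id_len;
    uint8_t id[ID_MAXSIZE];
};

/* Pattern the commit message describes: the length byte from the frame is
 * the memcpy() size, with no bound applied. Shown for contrast only. */
void parse_unchecked(struct poll_params *out, const uint8_t *frame)
{
    out->id_len = frame[0];
    memcpy(out->id, frame + 1, out->id_len);  /* up to 255 bytes into 10 */
}

/* Hardened form: the length must fit the destination array and must not
 * exceed the bytes that actually arrived; otherwise the frame is rejected. */
int parse_checked(struct poll_params *out, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 1)
        return -1;                            /* no length byte present */
    uint8_t len = frame[0];
    if (len > ID_MAXSIZE)
        return -1;                            /* would overflow out->id */
    if ((size_t)len > frame_len - 1)
        return -1;                            /* would read past the frame */
    out->id_len = len;
    memcpy(out->id, frame + 1, len);
    return 0;
}

/* Returns the accepted id length, or -1 if the frame is rejected. */
int checked_len(const uint8_t *frame, size_t frame_len)
{
    struct poll_params p;
    return parse_checked(&p, frame, frame_len) ? -1 : p.id_len;
}

/* Constructed sample frames: one length byte, then the payload. */
const uint8_t frame_ok[]        = { 4, 0xde, 0xad, 0xbe, 0xef };
const uint8_t frame_oversized[] = { 200, 0x41, 0x41, 0x41 };
const uint8_t frame_truncated[] = { 8, 0x01, 0x02 };

int main(void)
{
    printf("%d %d %d\n", checked_len(frame_ok, sizeof frame_ok),
           checked_len(frame_oversized, sizeof frame_oversized),
           checked_len(frame_truncated, sizeof frame_truncated));
    return 0;
}
```

Rejecting the frame is the policy chosen for this sketch; clamping the length to the array capacity is the other common choice, and either way the check has to cover both the destination size and the received size.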

commit a49edd1239c7940218aad7366d0dbd5a61bae556
Author: Stone Piao <piaoyun@marvell.com>
Date:   Wed Jun 20 20:21:11 2012 -0700

    mwifiex: fix WPS eapol handshake failure
    
    commit f03ba7e9a24e5e9efaad56bd1713b994ea556b16 upstream.
    
    After association, STA will go through eapol handshake with WPS
    enabled AP. It's observed that WPS handshake fails with some 11n
    AP. The reason for the failure is that the eapol packet is sent
    via 11n frame aggregation.
    
    The eapol packet should be sent directly without 11n aggregation.
    
    This patch fixes the problem by adding WPS session control while
    dequeuing Tx packets for transmission.
    
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Avinash Patil <patila@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    [bwh: Backported to 3.2: reformat the if-statement per earlier
     upstream commit c65a30f35f938b421ac67c34a9e70b0e49e6019a]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7b6d20c196b397562cb9ebee6291c8010aeece78
Author: Stone Piao <piaoyun@marvell.com>
Date:   Wed Jun 20 20:21:10 2012 -0700

    mwifiex: fix 11n rx packet drop issue
    
    commit 925839243dc9aa4ef25305f5afd10ed18258a4ac upstream.
    
    Currently we check the sequence number of last packet received
    against start_win. If a sequence hole is detected, start_win is
    updated to next sequence number.
    
    Since the rx sequence number is initialized to 0, a corner case
    exists when BA setup happens immediately after association. As
    0 is a valid sequence number, start_win gets increased to 1
    incorrectly. This causes the first packet with sequence number 0
    to be dropped.
    
    Initialize rx sequence number as 0xffff and skip adjusting
    start_win if the sequence number remains 0xffff. The sequence
    number will be updated once the first packet is received.
    
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Avinash Patil <patila@marvell.com>
    Signed-off-by: Kiran Divekar <dkiran@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a7afeb907a0418b5645187b5ac4f37e7ae3906e3
Author: Tao Guo <glorioustao@gmail.com>
Date:   Wed Jun 13 21:17:21 2012 +0200

    umem: fix up unplugging
    
    commit 32587371ad3db2f9d335de10dbd8cffd4fff5669 upstream.
    
    Fix a regression introduced by 7eaceaccab5f40 ("block: remove per-queue
    plugging").  In that patch, Jens removed the whole mm_unplug_device()
    function, which used to be the trigger to make umem start to work.
    
    We need to implement unplugging to make umem start to work, or I/O will
    never be triggered.
    
    Signed-off-by: Tao Guo <Tao.Guo@emc.com>
    Cc: Neil Brown <neilb@suse.de>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Shaohua Li <shli@kernel.org>
    Acked-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9558b2ab1db5e94fcb7d5ab111a32e423a016c09
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jun 12 15:24:40 2012 +0200

    splice: fix racy pipe->buffers uses
    
    commit 047fe3605235888f3ebcda0c728cb31937eadfe6 upstream.
    
    Dave Jones reported a kernel BUG at mm/slub.c:3474! triggered
    by splice_shrink_spd() called from vmsplice_to_pipe()
    
    commit 35f3d14dbbc5 (pipe: add support for shrinking and growing pipes)
    added capability to adjust pipe->buffers.
    
    Problem is some paths don't hold pipe mutex and assume pipe->buffers
    doesn't change for their duration.
    
    Fix this by adding nr_pages_max field in struct splice_pipe_desc, and
    use it in place of pipe->buffers where appropriate.
    
    splice_shrink_spd() loses its struct pipe_inode_info argument.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Tom Herbert <therbert@google.com>
    Tested-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    [bwh: Backported to 3.2:
     - Adjust context in vmsplice_to_pipe()
     - Update one more call to splice_shrink_spd(), from skb_splice_bits()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
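
Added illustration, not part of the commit above or of the kernel source: a single-threaded C model of why re-reading a shared, resizable size between setup and teardown is unsafe, and how capturing it once in the descriptor (the role the commit message gives to `nr_pages_max`) removes the dependency. The `pipe` and `desc` types, `DEF_BUFFERS`, the inline-versus-heap split and all function names are assumptions of this model; the resize is simulated by a plain assignment.

```c
#include <stdio.h>
#include <stdlib.h>

#define DEF_BUFFERS 16                  /* hypothetical inline-array size */

struct pipe { unsigned int buffers; };  /* shared; other paths may resize it */
struct desc {
    void **pages;                       /* inline array or heap allocation */
    unsigned int nr_pages_max;          /* capacity captured at setup time */
};

/* Setup: read the shared size once and remember it in the descriptor. */
int desc_grow(struct desc *d, const struct pipe *p, void **inline_pages)
{
    d->nr_pages_max = p->buffers;
    if (d->nr_pages_max <= DEF_BUFFERS) {
        d->pages = inline_pages;        /* caller's stack array, never freed */
        return 0;
    }
    d->pages = calloc(d->nr_pages_max, sizeof(*d->pages));
    return d->pages ? 0 : -1;
}

/* Teardown test, racy (re-reads shared size) vs fixed (captured value). */
int frees_by_reread(const struct pipe *p) { return p->buffers > DEF_BUFFERS; }
int frees_by_snapshot(const struct desc *d) { return d->nr_pages_max > DEF_BUFFERS; }

void desc_shrink(struct desc *d)        /* takes no pipe argument */
{
    if (frees_by_snapshot(d))
        free(d->pages);
    d->pages = NULL;
}

/* Constructed scenario: the pipe is resized between setup and teardown.
 * Result bit 0: re-read test would free; bit 1: snapshot test would free. */
int simulate_resize(unsigned int before, unsigned int after)
{
    struct pipe p = { before };
    void *inline_pages[DEF_BUFFERS];
    struct desc d;
    int r;
    if (desc_grow(&d, &p, inline_pages))
        return -1;
    p.buffers = after;                  /* stands in for a concurrent resize */
    r = frees_by_reread(&p) | (frees_by_snapshot(&d) << 1);
    desc_shrink(&d);
    return r;
}

int main(void)
{
    printf("%d %d\n", simulate_resize(16, 64), simulate_resize(64, 16));
    return 0;
}
```

A result of 1 means the re-read test would have freed an array that was never heap-allocated; a result of 2 means it would have skipped freeing one that was.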