* [ 000/171] 3.4.20-stable review
@ 2012-11-22 0:39 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Greg Kroah-Hartman, torvalds, akpm, alan
This is the start of the stable review cycle for the 3.4.20 release.
There are 171 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat Nov 24 00:36:21 UTC 2012.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.4.20-rc1.gz
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 3.4.20-rc1
Felipe Balbi <balbi@ti.com>
Revert "serial: omap: fix software flow control"
Igor Murzov <e-mail@date.by>
ACPI video: Ignore errors after _DOD evaluation.
Alex Elder <elder@inktank.com>
ceph: avoid 32-bit page index overflow
Sage Weil <sage@inktank.com>
libceph: check for invalid mapping
Yan, Zheng <zheng.z.yan@intel.com>
ceph: Fix oops when handling mdsmap that decreases max_mds
Sage Weil <sage@inktank.com>
libceph: avoid NULL kref_put when osd reset races with alloc_msg
Alex Elder <elder@inktank.com>
rbd: reset BACKOFF if unable to re-queue
Alex Elder <elder@inktank.com>
libceph: only kunmap kmapped pages
Jim Schutt <jaschut@sandia.gov>
libceph: avoid truncation due to racing banners
Sage Weil <sage@inktank.com>
libceph: delay debugfs initialization until we learn global_id
Sylvain Munaut <tnt@246tNt.com>
libceph: fix crypto key null deref, memory leak
Sage Weil <sage@inktank.com>
libceph: recheck con state after allocating incoming message
Sage Weil <sage@inktank.com>
libceph: change ceph_con_in_msg_alloc convention to be less weird
Sage Weil <sage@inktank.com>
libceph: avoid dropping con mutex before fault
Sage Weil <sage@inktank.com>
libceph: verify state after retaking con lock after dispatch
Sage Weil <sage@inktank.com>
libceph: revoke mon_client messages on session restart
Sage Weil <sage@inktank.com>
libceph: fix handling of immediate socket connect failure
Sage Weil <sage@inktank.com>
libceph: clear all flags on con_close
Sage Weil <sage@inktank.com>
libceph: clean up con flags
Sage Weil <sage@inktank.com>
libceph: replace connection state bits with states
Sage Weil <sage@inktank.com>
libceph: drop unnecessary CLOSED check in socket state change callback
Sage Weil <sage@inktank.com>
libceph: close socket directly from ceph_con_close()
Sage Weil <sage@inktank.com>
libceph: drop gratuitous socket close calls in con_work
Sage Weil <sage@inktank.com>
libceph: move ceph_con_send() closed check under the con mutex
Sage Weil <sage@inktank.com>
libceph: move msgr clear_standby under con mutex protection
Sage Weil <sage@inktank.com>
libceph: fix fault locking; close socket on lossy fault
Sage Weil <sage@inktank.com>
libceph: reset connection retry on successful negotiation
Sage Weil <sage@inktank.com>
libceph: protect ceph_con_open() with mutex
Sage Weil <sage@inktank.com>
libceph: (re)initialize bio_iter on start of message receive
Sage Weil <sage@inktank.com>
libceph: resubmit linger ops when pg mapping changes
Sage Weil <sage@inktank.com>
libceph: fix mutex coverage for ceph_con_close
Sage Weil <sage@inktank.com>
libceph: report socket read/write error message
Guanjun He <gjhe@suse.com>
libceph: prevent the race of incoming work during teardown
Sage Weil <sage@inktank.com>
libceph: initialize msgpool message types
Sage Weil <sage@inktank.com>
libceph: allow sock transition from CONNECTING to CLOSED
Sage Weil <sage@inktank.com>
libceph: initialize mon_client con only once
Sage Weil <sage@inktank.com>
libceph: set peer name on con_open, not init
Alex Elder <elder@inktank.com>
libceph: add some fine ASCII art
Alex Elder <elder@inktank.com>
libceph: small changes to messenger.c
Alex Elder <elder@inktank.com>
libceph: distinguish two phases of connect sequence
Alex Elder <elder@inktank.com>
libceph: separate banner and connect writes
Alex Elder <elder@inktank.com>
libceph: define and use an explicit CONNECTED state
Alex Elder <elder@inktank.com>
libceph: clear NEGOTIATING when done
Alex Elder <elder@inktank.com>
libceph: clear CONNECTING in ceph_con_close()
Alex Elder <elder@inktank.com>
libceph: don't touch con state in con_close_socket()
Alex Elder <elder@inktank.com>
libceph: just set SOCK_CLOSED when state changes
Alex Elder <elder@inktank.com>
libceph: don't change socket state on sock event
Alex Elder <elder@inktank.com>
libceph: SOCK_CLOSED is a flag, not a state
Alex Elder <elder@inktank.com>
libceph: don't use bio_iter as a flag
Alex Elder <elder@inktank.com>
libceph: move init of bio_iter
Alex Elder <elder@inktank.com>
libceph: move init_bio_*() functions up
Alex Elder <elder@inktank.com>
libceph: don't mark footer complete before it is
Alex Elder <elder@inktank.com>
libceph: encapsulate advancing msg page
Alex Elder <elder@inktank.com>
libceph: encapsulate out message data setup
Sage Weil <sage@inktank.com>
libceph: drop ceph_con_get/put helpers and nref member
Sage Weil <sage@inktank.com>
libceph: use con get/put methods
Dan Carpenter <dan.carpenter@oracle.com>
libceph: fix NULL dereference in reset_connection()
Sage Weil <sage@inktank.com>
libceph: transition socket state prior to actual connect
Xi Wang <xi.wang@gmail.com>
libceph: fix overflow in osdmap_apply_incremental()
Xi Wang <xi.wang@gmail.com>
libceph: fix overflow in osdmap_decode()
Xi Wang <xi.wang@gmail.com>
libceph: fix overflow in __decode_pool_names()
Alex Elder <elder@inktank.com>
libceph: make ceph_con_revoke_message() a msg op
Alex Elder <elder@inktank.com>
libceph: make ceph_con_revoke() a msg operation
Alex Elder <elder@inktank.com>
libceph: have messages take a connection reference
Alex Elder <elder@inktank.com>
libceph: have messages point to their connection
Alex Elder <elder@inktank.com>
libceph: tweak ceph_alloc_msg()
Alex Elder <elder@inktank.com>
libceph: fully initialize connection in con_init()
Alex Elder <elder@inktank.com>
libceph: init monitor connection when opening
Sage Weil <sage@inktank.com>
libceph: drop connection refcounting for mon_client
Alex Elder <elder@inktank.com>
libceph: embed ceph connection structure in mon_client
Alex Elder <elder@inktank.com>
libceph: set CLOSED state bit in con_init
Alex Elder <elder@inktank.com>
libceph: provide osd number when creating osd
Alex Elder <elder@inktank.com>
libceph: start tracking connection socket state
Alex Elder <elder@inktank.com>
libceph: start separating connection flags from state
Alex Elder <elder@inktank.com>
libceph: embed ceph messenger structure in ceph_client
Alex Elder <elder@inktank.com>
libceph: rename kvec_reset and kvec_add functions
Alex Elder <elder@inktank.com>
libceph: rename socket callbacks
Alex Elder <elder@inktank.com>
libceph: kill bad_proto ceph connection op
Alex Elder <elder@inktank.com>
libceph: eliminate connection state "DEAD"
Yan, Zheng <zheng.z.yan@intel.com>
ceph: check PG_Private flag before accessing page->private
Yan, Zheng <zheng.z.yan@intel.com>
rbd: Fix ceph_snap_context size calculation
Josh Durgin <josh.durgin@dreamhost.com>
rbd: store snapshot id instead of index
Josh Durgin <josh.durgin@dreamhost.com>
rbd: protect read of snapshot sequence number
Alex Elder <elder@dreamhost.com>
rbd: don't hold spinlock during messenger flush
Sage Weil <sage@inktank.com>
libceph: fix messenger retry
Sage Weil <sage@inktank.com>
libceph: flush msgr queue during mon_client shutdown
Yan, Zheng <zheng.z.yan@intel.com>
rbd: Clear ceph_msg->bio_iter for retransmitted message
Sage Weil <sage@inktank.com>
libceph: use con get/put ops from osd_client
Alex Elder <elder@inktank.com>
libceph: osd_client: don't drop reply reference too early
Sage Weil <sage@inktank.com>
libceph: fix pg_temp updates
Sage Weil <sage@inktank.com>
libceph: avoid unregistering osd request when not registered
Alex Elder <elder@inktank.com>
ceph: add auth buf in prepare_write_connect()
Alex Elder <elder@inktank.com>
ceph: rename prepare_connect_authorizer()
Alex Elder <elder@inktank.com>
ceph: return pointer from prepare_connect_authorizer()
Alex Elder <elder@inktank.com>
ceph: use info returned by get_authorizer
Alex Elder <elder@inktank.com>
ceph: have get_authorizer methods return pointers
Alex Elder <elder@inktank.com>
ceph: ensure auth ops are defined before use
Alex Elder <elder@inktank.com>
ceph: messenger: reduce args to create_authorizer
Alex Elder <elder@inktank.com>
ceph: define ceph_auth_handshake type
Alex Elder <elder@inktank.com>
ceph: messenger: check return from get_authorizer
Alex Elder <elder@inktank.com>
ceph: messenger: rework prepare_connect_authorizer()
Alex Elder <elder@inktank.com>
ceph: messenger: check prepare_write_connect() result
Alex Elder <elder@inktank.com>
ceph: don't set WRITE_PENDING too early
Alex Elder <elder@inktank.com>
ceph: drop msgr argument from prepare_write_connect()
Alex Elder <elder@inktank.com>
ceph: messenger: send banner in process_connect()
Alex Elder <elder@inktank.com>
ceph: messenger: reset connection kvec caller
Alex Elder <elder@inktank.com>
libceph: don't reset kvec in prepare_write_banner()
Alex Elder <elder@inktank.com>
ceph: messenger: change read_partial() to take "end" arg
Alex Elder <elder@inktank.com>
ceph: messenger: update "to" in read_partial() caller
Alex Elder <elder@inktank.com>
ceph: messenger: use read_partial() in read_partial_message()
Alex Elder <elder@dreawmhost.com>
ceph: osd_client: fix endianness bug in osd_req_encode_op()
Sage Weil <sage@inktank.com>
crush: fix memory leak when destroying tree buckets
Sage Weil <sage@inktank.com>
crush: fix tree node weight lookup
Sage Weil <sage@inktank.com>
crush: be more tolerant of nonsensical crush maps
Sage Weil <sage@inktank.com>
crush: adjust local retry threshold
Sage Weil <sage@inktank.com>
crush: clean up types, const-ness
Dave Jones <davej@redhat.com>
selinux: fix sel_netnode_insert() suspicious rcu dereference
Jan Kara <jack@suse.cz>
reiserfs: Protect reiserfs_quota_write() with write lock
Jan Kara <jack@suse.cz>
reiserfs: Move quota calls out of write lock
Jan Kara <jack@suse.cz>
reiserfs: Protect reiserfs_quota_on() with write lock
Jan Kara <jack@suse.cz>
reiserfs: Fix lock ordering during remount
Bryan Schumaker <bjschuma@netapp.com>
NFS: Wait for session recovery to finish before returning
Daniel Vetter <daniel.vetter@ffwll.ch>
drm/i915: fix overlay on i830M
Martin Schwidefsky <schwidefsky@de.ibm.com>
s390/signal: set correct address space control
Mirko Lindner <mlindner@marvell.com>
sky2: Fix for interrupt handler
Tim Sally <tsally@atomicpeace.com>
eCryptfs: check for eCryptfs cipher support at mount
Tyler Hicks <tyhicks@canonical.com>
eCryptfs: Copy up POSIX ACL and read-only flags from lower mount
Jan Safrata <jan.nikitenko@gmail.com>
usb: use usb_serial_put in usb_serial_probe errors
Ulrich Weber <ulrich.weber@sophos.com>
netfilter: nf_nat: don't check for port change on ICMP tuples
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: Mark SYN/ACK packets as invalid from original direction
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: Validate the sequence number of dataless ACK packets as well
Nathan Walp <faceprint@faceprint.com>
r8169: allow multicast packets on sub-8168f chipset.
Cyril Brulebois <kibi@debian.org>
r8169: Fix WoL on RTL8168d/8111d.
Mojiong Qiu <qiumojiong@gmail.com>
xen/events: fix RCU warning, or Call idle notifier after irq_enter()
Michal Schmidt <mschmidt@redhat.com>
r8169: use unlimited DMA burst for TX
Hugh Dickins <hughd@google.com>
tmpfs: change final i_blocks BUG to WARNING
Tom Herbert <therbert@google.com>
net-rps: Fix brokenness causing OOO packets
Jiri Pirko <jiri@resnulli.us>
net: correct check in dev_addr_del()
Hannes Frederic Sowa <hannes@stressinduktion.org>
ipv6: setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT) forgot to set return value
Xi Wang <xi.wang@gmail.com>
ipv4: avoid undefined behavior in do_ip_setsockopt()
Andreas Schwab <schwab@linux-m68k.org>
m68k: fix sigset_t accessor functions
Johannes Berg <johannes.berg@intel.com>
wireless: allow 40 MHz on world roaming channels 12/13
Michal Hocko <mhocko@suse.cz>
memcg: oom: fix totalpages calculation for memory.swappiness==0
Zhao Yakui <yakui.zhao@intel.com>
ttm: Clear the ttm page allocated from high memory zone correctly
Alex Deucher <alexander.deucher@amd.com>
drm/radeon: fix logic error in atombios_encoders.c
Dan Williams <dcbw@redhat.com>
USB: option: add Alcatel X220/X500D USB IDs
Dan Williams <dcbw@redhat.com>
USB: option: add Novatel E362 and Dell Wireless 5800 USB IDs
Heiko Carstens <heiko.carstens@de.ibm.com>
s390/gup: add missing TASK_SIZE check to get_user_pages_fast()
Colin Cross <ccross@android.com>
Revert "Staging: Android alarm: IOCTL command encoding fix"
Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
UBIFS: introduce categorized lprops counter
Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
UBIFS: fix mounting problems after power cuts
Misael Lopez Cruz <misael.lopez@ti.com>
ASoC: dapm: Use card_list during DAPM shutdown
Eric Millbrandt <emillbrandt@dekaresearch.com>
ASoC: wm8978: pll incorrectly configured when codec is master
Takashi Iwai <tiwai@suse.de>
ALSA: hda - Add a missing quirk entry for iMac 9,1
Kailang Yang <kailang@realtek.com>
ALSA: hda - Add new codec ALC668 and ALC900 (default name ALC1150)
Takashi Iwai <tiwai@suse.de>
ALSA: hda - Fix invalid connections in VT1802 codec
Takashi Iwai <tiwai@suse.de>
ALSA: hda - Fix empty DAC filling in patch_via.c
Takashi Iwai <tiwai@suse.de>
ALSA: hda - Force to reset IEC958 status bits for AD codecs
Daniel J Blueman <daniel@quora.org>
ALSA: HDA: Fix digital microphone on CS420x
Alexander Stein <alexander.stein@systec-electronic.com>
ALSA: hda: Cirrus: Fix coefficient index for beep configuration
Jacob Keller <jacob.e.keller@intel.com>
ptp: update adjfreq callback description
Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption
Jeff Layton <jlayton@redhat.com>
cifs: fix potential buffer overrun in cifs.idmap handling code
Rusty Russell <rusty@rustcorp.com.au>
module: fix out-by-one error in kallsyms
Eric Paris <eparis@redhat.com>
fanotify: fix missing break
Huang Ying <ying.huang@intel.com>
PCI/PM: Fix deadlock when unbinding device if parent in D3cold
Felix Fietkau <nbd@openwrt.org>
mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purge
Johannes Berg <johannes.berg@intel.com>
mac80211: don't send null data packet when not associated
Arik Nemtsov <arik@wizery.com>
mac80211: sync access to tx_filtered/ps_tx_buf queues
Dave Chinner <dchinner@redhat.com>
xfs: drop buffer io reference when a bad bio is built
Takamori Yamaguchi <takamori.yamaguchi@jp.sony.com>
mm: bugfix: set current->reclaim_state to NULL while returning from kswapd()
-------------
Diffstat:
Documentation/cgroups/memory.txt | 4 +
Makefile | 4 +-
arch/arm/plat-omap/include/plat/omap-serial.h | 4 +-
arch/m68k/include/asm/signal.h | 6 +-
arch/s390/include/asm/compat.h | 2 +-
arch/s390/include/asm/ptrace.h | 4 +-
arch/s390/kernel/compat_signal.c | 14 +-
arch/s390/kernel/signal.c | 14 +-
arch/s390/mm/gup.c | 2 +-
crypto/cryptd.c | 11 +-
drivers/acpi/video.c | 11 +-
drivers/block/rbd.c | 37 +-
drivers/gpu/drm/i915/intel_overlay.c | 14 +-
drivers/gpu/drm/radeon/atombios_encoders.c | 2 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +-
drivers/net/ethernet/marvell/sky2.c | 4 +-
drivers/net/ethernet/realtek/r8169.c | 7 +-
drivers/pci/bus.c | 3 -
drivers/pci/pcie/aer/aerdrv_core.c | 20 +-
drivers/staging/android/android_alarm.h | 4 +-
drivers/tty/serial/omap-serial.c | 12 +-
drivers/usb/serial/option.c | 9 +
drivers/usb/serial/usb-serial.c | 6 +-
drivers/xen/events.c | 2 +-
fs/ceph/addr.c | 32 +-
fs/ceph/debugfs.c | 1 +
fs/ceph/mds_client.c | 67 +-
fs/ceph/mds_client.h | 5 +-
fs/cifs/cifsacl.c | 49 +-
fs/ecryptfs/main.c | 23 +-
fs/nfs/nfs4proc.c | 3 +-
fs/notify/fanotify/fanotify.c | 1 +
fs/reiserfs/inode.c | 10 +-
fs/reiserfs/stree.c | 4 +
fs/reiserfs/super.c | 60 +-
fs/ubifs/find.c | 12 +-
fs/ubifs/lprops.c | 6 +
fs/ubifs/ubifs.h | 3 +
fs/xfs/xfs_buf.c | 14 +-
include/linux/ceph/auth.h | 12 +-
include/linux/ceph/libceph.h | 2 +-
include/linux/ceph/messenger.h | 76 +-
include/linux/ceph/mon_client.h | 2 +-
include/linux/ceph/msgpool.h | 3 +-
include/linux/ceph/osd_client.h | 13 +-
include/linux/ceph/osdmap.h | 6 +-
include/linux/crush/crush.h | 7 +-
include/linux/crush/mapper.h | 6 +-
include/linux/ptp_clock_kernel.h | 3 +-
kernel/module.c | 27 +-
mm/memcontrol.c | 21 +-
mm/shmem.c | 2 +-
mm/vmscan.c | 2 +
net/ceph/auth_none.c | 15 +-
net/ceph/auth_x.c | 15 +-
net/ceph/ceph_common.c | 28 +-
net/ceph/crush/crush.c | 14 +-
net/ceph/crush/mapper.c | 66 +-
net/ceph/crypto.c | 1 +
net/ceph/crypto.h | 3 +-
net/ceph/debugfs.c | 4 +
net/ceph/messenger.c | 1103 +++++++++++++++----------
net/ceph/mon_client.c | 135 ++-
net/ceph/msgpool.c | 7 +-
net/ceph/osd_client.c | 175 ++--
net/ceph/osdmap.c | 44 +-
net/core/dev.c | 4 +-
net/core/dev_addr_lists.c | 3 +-
net/ipv4/ip_sockglue.c | 35 +-
net/ipv4/netfilter/nf_nat_standalone.c | 6 +-
net/ipv6/ipv6_sockglue.c | 1 +
net/mac80211/ieee80211_i.h | 2 +
net/mac80211/sta_info.c | 11 +-
net/mac80211/status.c | 9 +
net/mac80211/tx.c | 9 +-
net/mac80211/util.c | 2 +
net/netfilter/nf_conntrack_proto_tcp.c | 29 +-
net/wireless/reg.c | 5 +-
security/selinux/netnode.c | 3 +-
sound/pci/hda/patch_analog.c | 1 +
sound/pci/hda/patch_cirrus.c | 16 +-
sound/pci/hda/patch_realtek.c | 3 +
sound/pci/hda/patch_via.c | 25 +-
sound/soc/codecs/wm8978.c | 2 +-
sound/soc/soc-dapm.c | 2 +-
85 files changed, 1506 insertions(+), 945 deletions(-)
* [ 001/171] mm: bugfix: set current->reclaim_state to NULL while returning from kswapd()
@ 2012-11-22 0:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Takamori Yamaguchi, Aaditya Kumar,
David Rientjes, Andrew Morton, Linus Torvalds
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takamori Yamaguchi <takamori.yamaguchi@jp.sony.com>
commit b0a8cc58e6b9aaae3045752059e5e6260c0b94bc upstream.
In kswapd(), set current->reclaim_state to NULL before returning, as
current->reclaim_state holds reference to variable on kswapd()'s stack.
In rare cases, while returning from kswapd() during memory offlining,
__free_slab() and freepages() can access the dangling pointer of
current->reclaim_state.
Signed-off-by: Takamori Yamaguchi <takamori.yamaguchi@jp.sony.com>
Signed-off-by: Aaditya Kumar <aaditya.kumar@ap.sony.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/vmscan.c | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -3128,6 +3128,8 @@ static int kswapd(void *p)
&balanced_classzone_idx);
}
}
+
+ current->reclaim_state = NULL;
return 0;
}
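Review bot: the reset is added only on the final `return 0;` path of kswapd(); if the function has any other exit after `current->reclaim_state` was pointed at the stack-local reclaim_state (the hunk shows only the loop tail), that path needs the same `current->reclaim_state = NULL;`, otherwise the dangling pointer the commit message describes survives there. A one-line comment saying why the pointer must be cleared before the stack frame goes away would also help the next reader.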
* [ 002/171] xfs: drop buffer io reference when a bad bio is built
@ 2012-11-22 0:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Dave Chinner, Mark Tinguely, Ben Myers
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Chinner <dchinner@redhat.com>
commit d69043c42d8c6414fa28ad18d99973aa6c1c2e24 upstream.
Error handling in xfs_buf_ioapply_map() does not handle IO reference
counts correctly. We increment the b_io_remaining count before
building the bio, but then fail to decrement it in the failure case.
This leads to the buffer never running IO completion and releasing
the reference that the IO holds, so at unmount we can leak the
buffer. This leak is captured by this assert failure during unmount:
XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0, file: fs/xfs/xfs_mount.c, line: 273
This is not a new bug - the b_io_remaining accounting has had this
problem for a long, long time - it's just very hard to get a
zero length bio being built by this code...
Further, the buffer IO error can be overwritten on a multi-segment
buffer by subsequent bio completions for partial sections of the
buffer. Hence we should only set the buffer error status if the
buffer is not already carrying an error status. This ensures that a
partial IO error on a multi-segment buffer will not be lost. This
part of the problem is a regression, however.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_buf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -1165,9 +1165,14 @@ xfs_buf_bio_end_io(
{
xfs_buf_t *bp = (xfs_buf_t *)bio->bi_private;
- xfs_buf_ioerror(bp, -error);
+ /*
+ * don't overwrite existing errors - otherwise we can lose errors on
+ * buffers that require multiple bios to complete.
+ */
+ if (!bp->b_error)
+ xfs_buf_ioerror(bp, -error);
- if (!error && xfs_buf_is_vmapped(bp) && (bp->b_flags & XBF_READ))
+ if (!bp->b_error && xfs_buf_is_vmapped(bp) && (bp->b_flags & XBF_READ))
invalidate_kernel_vmap_range(bp->b_addr, xfs_buf_vmap_len(bp));
_xfs_buf_ioend(bp, 1);
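Review bot: the test-then-set in `if (!bp->b_error) xfs_buf_ioerror(bp, -error);` is not atomic, so two bios of one buffer completing concurrently can both see `b_error == 0` and both set it; that is harmless because an error is recorded either way, but the comment should state that first-error-wins is the intent and that a later, different error code is deliberately discarded. The follow-on change from `!error` to `!bp->b_error` on the vmap invalidation line is the right companion: a bio that succeeded should not invalidate the range when an earlier bio of the same buffer already failed.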
@@ -1243,6 +1248,11 @@ next_chunk:
if (size)
goto next_chunk;
} else {
+ /*
+ * This is guaranteed not to be the last io reference count
+ * because the caller (xfs_buf_iorequest) holds a count itself.
+ */
+ atomic_dec(&bp->b_io_remaining);
xfs_buf_ioerror(bp, EIO);
bio_put(bio);
}
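Review bot: the error path still calls `xfs_buf_ioerror(bp, EIO);` unconditionally, which can overwrite an error already recorded by a bio of the same buffer that completed earlier, contradicting the "don't overwrite existing errors" rule this same patch adds to xfs_buf_bio_end_io(); for consistency use `if (!bp->b_error) xfs_buf_ioerror(bp, EIO);`. The `atomic_dec(&bp->b_io_remaining);` placement relies on the caller's own reference, as the comment says; that comment should name the exact guarantee (the caller's count keeps `_xfs_buf_ioend()` from running from here) so a future change to xfs_buf_iorequest() does not silently break it.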
* [ 003/171] mac80211: sync access to tx_filtered/ps_tx_buf queues
@ 2012-11-22 0:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Arik Nemtsov, Ido Yariv, Johannes Berg
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arik Nemtsov <arik@wizery.com>
commit 987c285c2ae2e4e32aca3a9b3252d28171c75711 upstream.
These are accessed without a lock when ending STA PSM. If the
sta_cleanup timer accesses these lists at the same time, we might crash.
This may fix some mysterious crashes we had during
ieee80211_sta_ps_deliver_wakeup.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/sta_info.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -959,6 +959,7 @@ void ieee80211_sta_ps_deliver_wakeup(str
struct ieee80211_local *local = sdata->local;
struct sk_buff_head pending;
int filtered = 0, buffered = 0, ac;
+ unsigned long flags;
clear_sta_flag(sta, WLAN_STA_SP);
@@ -974,12 +975,16 @@ void ieee80211_sta_ps_deliver_wakeup(str
for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
int count = skb_queue_len(&pending), tmp;
+ spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
+ spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
tmp = skb_queue_len(&pending);
filtered += tmp - count;
count = tmp;
+ spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
+ spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
tmp = skb_queue_len(&pending);
buffered += tmp - count;
}
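Review bot: the lock/splice/unlock triple is repeated verbatim for `sta->tx_filtered[ac]` and `sta->ps_tx_buf[ac]`; a small static helper taking the queue and `pending` would keep the locking in one place so a third queue cannot be spliced without it later. Also worth a comment: each queue is moved under its own lock, so the pair is not snapshotted atomically with respect to the sta_cleanup timer named in the commit message; that is enough to prevent the list corruption described, but a reader may otherwise assume both queues are drained as one unit.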
* [ 004/171] mac80211: dont send null data packet when not associated
@ 2012-11-22 0:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Emmanuel Grumbach, Johannes Berg
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit 20f544eea03db4b498942558b882d463ce575c3e upstream.
On resume or firmware recovery, mac80211 sends a null
data packet to see if the AP is still around and hasn't
disconnected us. However, it always does this even if
it wasn't even connected before, leading to a warning
in the new channel context code. Fix this by checking
that it's associated.
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/util.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1341,6 +1341,8 @@ int ieee80211_reconfig(struct ieee80211_
list_for_each_entry(sdata, &local->interfaces, list) {
if (sdata->vif.type != NL80211_IFTYPE_STATION)
continue;
+ if (!sdata->u.mgd.associated)
+ continue;
ieee80211_send_nullfunc(local, sdata, 0);
}
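Review bot: `sdata->u.mgd.associated` is read here without any of the locking that normally guards association state; if that is safe because ieee80211_reconfig() runs under the same lock every associate/disassociate path takes, add a comment saying so next to the new check, otherwise the test can race with a disassociation in progress and the warning the commit message mentions could still fire.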
* [ 005/171] mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purge
@ 2012-11-22 0:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Felix Fietkau, Johannes Berg
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@openwrt.org>
commit 1f98ab7fef48a2968f37f422c256c9fbd978c3f0 upstream.
Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/ieee80211_i.h | 2 ++
net/mac80211/sta_info.c | 6 +++---
net/mac80211/status.c | 9 +++++++++
net/mac80211/tx.c | 9 ++++++---
4 files changed, 20 insertions(+), 6 deletions(-)
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1297,6 +1297,8 @@ netdev_tx_t ieee80211_monitor_start_xmit
struct net_device *dev);
netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
struct net_device *dev);
+void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
+ struct sk_buff_head *skbs);
/* HT */
bool ieee80111_cfg_override_disables_ht40(struct ieee80211_sub_if_data *sdata);
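Review bot: the new prototype `void ieee80211_purge_tx_queue(struct ieee80211_hw *hw, struct sk_buff_head *skbs);` lands with no comment; since the sta_info.c and tx.c hunks of this patch substitute it for `__skb_queue_purge()`, the declaration should state that the queue is drained without taking its lock and that the caller must already own the list exclusively.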
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -738,8 +738,8 @@ int __must_check __sta_info_destroy(stru
for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
- __skb_queue_purge(&sta->ps_tx_buf[ac]);
- __skb_queue_purge(&sta->tx_filtered[ac]);
+ ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
+ ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
}
#ifdef CONFIG_MAC80211_MESH
@@ -774,7 +774,7 @@ int __must_check __sta_info_destroy(stru
tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
if (!tid_tx)
continue;
- __skb_queue_purge(&tid_tx->pending);
+ ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
kfree(tid_tx);
}
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -660,3 +660,12 @@ void ieee80211_free_txskb(struct ieee802
dev_kfree_skb_any(skb);
}
EXPORT_SYMBOL(ieee80211_free_txskb);
+
+void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
+ struct sk_buff_head *skbs)
+{
+ struct sk_buff *skb;
+
+ while ((skb = __skb_dequeue(skbs)))
+ ieee80211_free_txskb(hw, skb);
+}
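Review bot: ieee80211_purge_tx_queue() drains with the unlocked `__skb_dequeue()`, so it is only valid on a queue no other context can touch, yet the tx.c hunk in this same patch has to open-code a locked `skb_dequeue()` loop for `local->pending[i]` because of exactly that limitation; either add a locked counterpart so both sites share one freeing loop, or put a comment above this function stating the exclusive-ownership requirement and that every skb goes through ieee80211_free_txskb() so status reporting is not skipped.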
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1357,7 +1357,7 @@ static int invoke_tx_handlers(struct iee
if (tx->skb)
dev_kfree_skb(tx->skb);
else
- __skb_queue_purge(&tx->skbs);
+ ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
return -1;
} else if (unlikely(res == TX_QUEUED)) {
I802_DEBUG_INC(tx->local->tx_handlers_queued);
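Review bot: the single-skb branch two lines above the change still frees via `dev_kfree_skb(tx->skb);` while the multi-skb branch now goes through ieee80211_purge_tx_queue() and hence ieee80211_free_txskb(); if the leak this patch fixes is that `__skb_queue_purge()` bypassed the status-reporting free, the same applies to the lone `tx->skb`, so that line should become `ieee80211_free_txskb(&tx->local->hw, tx->skb);` as well.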
@@ -2126,10 +2126,13 @@ netdev_tx_t ieee80211_subif_start_xmit(s
*/
void ieee80211_clear_tx_pending(struct ieee80211_local *local)
{
+ struct sk_buff *skb;
int i;
- for (i = 0; i < local->hw.queues; i++)
- skb_queue_purge(&local->pending[i]);
+ for (i = 0; i < local->hw.queues; i++) {
+ while ((skb = skb_dequeue(&local->pending[i])) != NULL)
+ ieee80211_free_txskb(&local->hw, skb);
+ }
}
/*
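Review bot: this loop is the one site that needs the locked `skb_dequeue()` because `local->pending[i]` can be touched concurrently, which is why it cannot call the new ieee80211_purge_tx_queue(); a one-line comment saying so would stop someone from "simplifying" it to the unlocked helper later. The `!= NULL` form also differs from the `while ((skb = __skb_dequeue(skbs)))` style used in status.c; pick one.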
* [ 006/171] PCI/PM: Fix deadlock when unbinding device if parent in D3cold
@ 2012-11-22 0:39 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Huang Ying, Bjorn Helgaas,
Rafael J. Wysocki, Zhang Yanmin
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang Ying <ying.huang@intel.com>
commit 90b5c1d7c45eeb622302680ff96ed30c1a2b6f0e upstream.
If a PCI device and its parents are put into D3cold, unbinding the
device will trigger deadlock as follow:
  - driver_unbind
    - device_release_driver
      - device_lock(dev)                 <--- previous lock here
      - __device_release_driver
        - pm_runtime_get_sync
          ...
          - rpm_resume(dev)
            - rpm_resume(dev->parent)
              ...
              - pci_pm_runtime_resume
                ...
                - pci_set_power_state
                  - __pci_start_power_transition
                    - pci_wakeup_bus(dev->parent->subordinate)
                      - pci_walk_bus
                        - device_lock(dev)        <--- deadlock here
If we do not do device_lock in pci_walk_bus, we can avoid the deadlock.
Device_lock in pci_walk_bus was introduced in commit
d71374dafbba7ec3f67371d3b7e9f6310a588808; the corresponding email thread
is https://lkml.org/lkml/2006/5/26/38. The patch author Zhang Yanmin
said device_lock was added to pci_walk_bus because:
Some error handling functions call pci_walk_bus. For example, PCIe
aer. Here we lock the device, so the driver wouldn't detach from the
device, as the cb might call driver's callback function.
So I fixed the deadlock as follows:
- remove device_lock from pci_walk_bus
- add device_lock into callback if callback will call driver's callback
I checked pci_walk_bus users one by one, and found only PCIe aer needs
device lock.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
CC: Zhang Yanmin <yanmin.zhang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/bus.c | 3 ---
drivers/pci/pcie/aer/aerdrv_core.c | 20 ++++++++++++++++----
2 files changed, 16 insertions(+), 7 deletions(-)
--- a/drivers/pci/bus.c
+++ b/drivers/pci/bus.c
@@ -314,10 +314,7 @@ void pci_walk_bus(struct pci_bus *top, i
} else
next = dev->bus_list.next;
- /* Run device routines with the device locked */
- device_lock(&dev->dev);
retval = cb(dev, userdata);
- device_unlock(&dev->dev);
if (retval)
break;
}
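Review bot: Dropping device_lock()/device_unlock() around `retval = cb(dev, userdata);` changes the contract of pci_walk_bus for every caller, not only AER, and the only record of that is the commit message. A comment on the function, or on this call, stating that callbacks now run without the device lock and must take it themselves before dereferencing dev->driver would stop a future callback from silently relying on the old behaviour.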
--- a/drivers/pci/pcie/aer/aerdrv_core.c
+++ b/drivers/pci/pcie/aer/aerdrv_core.c
@@ -244,6 +244,7 @@ static int report_error_detected(struct
struct aer_broadcast_data *result_data;
result_data = (struct aer_broadcast_data *) data;
+ device_lock(&dev->dev);
dev->error_state = result_data->state;
if (!dev->driver ||
@@ -262,12 +263,14 @@ static int report_error_detected(struct
dev->driver ?
"no AER-aware driver" : "no driver");
}
- return 0;
+ goto out;
}
err_handler = dev->driver->err_handler;
vote = err_handler->error_detected(dev, result_data->state);
result_data->result = merge_result(result_data->result, vote);
+out:
+ device_unlock(&dev->dev);
return 0;
}
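Review bot: With device_lock() now taken at the top of report_error_detected (previous hunk) and released only at `out:`, every exit between the two has to go through the label; the early `return 0` in the "no AER-aware driver" branch was converted to `goto out`, but the lines between the two hunks (the rest of the `if (!dev->driver ||` block) are not shown here and should be checked for any other `return` that would now leave the device locked.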
@@ -278,14 +281,17 @@ static int report_mmio_enabled(struct pc
struct aer_broadcast_data *result_data;
result_data = (struct aer_broadcast_data *) data;
+ device_lock(&dev->dev);
if (!dev->driver ||
!dev->driver->err_handler ||
!dev->driver->err_handler->mmio_enabled)
- return 0;
+ goto out;
err_handler = dev->driver->err_handler;
vote = err_handler->mmio_enabled(dev);
result_data->result = merge_result(result_data->result, vote);
+out:
+ device_unlock(&dev->dev);
return 0;
}
@@ -296,14 +302,17 @@ static int report_slot_reset(struct pci_
struct aer_broadcast_data *result_data;
result_data = (struct aer_broadcast_data *) data;
+ device_lock(&dev->dev);
if (!dev->driver ||
!dev->driver->err_handler ||
!dev->driver->err_handler->slot_reset)
- return 0;
+ goto out;
err_handler = dev->driver->err_handler;
vote = err_handler->slot_reset(dev);
result_data->result = merge_result(result_data->result, vote);
+out:
+ device_unlock(&dev->dev);
return 0;
}
@@ -311,15 +320,18 @@ static int report_resume(struct pci_dev
{
struct pci_error_handlers *err_handler;
+ device_lock(&dev->dev);
dev->error_state = pci_channel_io_normal;
if (!dev->driver ||
!dev->driver->err_handler ||
!dev->driver->err_handler->resume)
- return 0;
+ goto out;
err_handler = dev->driver->err_handler;
err_handler->resume(dev);
+out:
+ device_unlock(&dev->dev);
return 0;
}
* [ 007/171] fanotify: fix missing break
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Alan Cox, Anders Blomdell, Eric Paris,
Andrew Morton, Linus Torvalds
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Paris <eparis@redhat.com>
commit 848561d368751a1c0f679b9f045a02944506a801 upstream.
Anders Blomdell noted in 2010 that Fanotify lost events and provided a
test case. Eric Paris confirmed it was a bug and posted a fix to the
list
https://groups.google.com/forum/?fromgroups=#!topic/linux.kernel/RrJfTfyW2BE
but never applied it. Repeated attempts over time to actually get him
to apply it have never had a reply from anyone who has raised it.
So apply it anyway.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Reported-by: Anders Blomdell <anders.blomdell@control.lth.se>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/fanotify/fanotify.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -21,6 +21,7 @@ static bool should_merge(struct fsnotify
if ((old->path.mnt == new->path.mnt) &&
(old->path.dentry == new->path.dentry))
return true;
+ break;
case (FSNOTIFY_EVENT_NONE):
return true;
default:
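Review bot: Without the added `break`, the path-comparison case fell through into `case (FSNOTIFY_EVENT_NONE): return true;`, so two events on different paths were reported as mergeable and one of them was dropped, which matches the lost-events report in the message. Since the fix is a single statement that looks redundant right after `return true;`, a brief comment saying the break prevents fallthrough into the EVENT_NONE case (or a regression test built from the test case referenced above) would keep it from being "cleaned up" later.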
* [ 008/171] module: fix out-by-one error in kallsyms
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Masaki Kimura, Rusty Russell
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rusty Russell <rusty@rustcorp.com.au>
commit 59ef28b1f14899b10d6b2682c7057ca00a9a3f47 upstream.
Masaki found and patched a kallsyms issue: the last symbol in a
module's symtab wasn't transferred. This is because we manually copy
the zero'th entry (which is always empty) then copy the rest in a loop
starting at 1, though from src[0]. His fix was minimal, I prefer to
rewrite the loops in more standard form.
There are two loops: one to get the size, and one to copy. Make these
identical: always count entry 0 and any defined symbol in an allocated
non-init section.
This bug exists since the following commit was introduced.
module: reduce symbol table for loaded modules (v2)
commit: 4a4962263f07d14660849ec134ee42b63e95ea9a
LKML: http://lkml.org/lkml/2012/10/24/27
Reported-by: Masaki Kimura <masaki.kimura.kz@hitachi.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/module.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2273,12 +2273,17 @@ static void layout_symtab(struct module
src = (void *)info->hdr + symsect->sh_offset;
nsrc = symsect->sh_size / sizeof(*src);
+ /* strtab always starts with a nul, so offset 0 is the empty string. */
+ strtab_size = 1;
+
/* Compute total space required for the core symbols' strtab. */
- for (ndst = i = strtab_size = 1; i < nsrc; ++i, ++src)
- if (is_core_symbol(src, info->sechdrs, info->hdr->e_shnum)) {
- strtab_size += strlen(&info->strtab[src->st_name]) + 1;
+ for (ndst = i = 0; i < nsrc; i++) {
+ if (i == 0 ||
+ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) {
+ strtab_size += strlen(&info->strtab[src[i].st_name])+1;
ndst++;
}
+ }
/* Append room for core symbols at end of core part. */
info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
@@ -2312,15 +2317,15 @@ static void add_kallsyms(struct module *
mod->core_symtab = dst = mod->module_core + info->symoffs;
mod->core_strtab = s = mod->module_core + info->stroffs;
src = mod->symtab;
- *dst = *src;
*s++ = 0;
- for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
- if (!is_core_symbol(src, info->sechdrs, info->hdr->e_shnum))
- continue;
-
- dst[ndst] = *src;
- dst[ndst++].st_name = s - mod->core_strtab;
- s += strlcpy(s, &mod->strtab[src->st_name], KSYM_NAME_LEN) + 1;
+ for (ndst = i = 0; i < mod->num_symtab; i++) {
+ if (i == 0 ||
+ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) {
+ dst[ndst] = src[i];
+ dst[ndst++].st_name = s - mod->core_strtab;
+ s += strlcpy(s, &mod->strtab[src[i].st_name],
+ KSYM_NAME_LEN) + 1;
+ }
}
mod->core_num_syms = ndst;
}
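Review bot: Both loops now use the same predicate, `i == 0 || is_core_symbol(src+i, ...)`, and the bug fixed here was exactly the two loops disagreeing about which entries to count; factoring that condition into a small static helper (for example a hypothetical `is_kept_symbol(i, src, info)`) shared by layout_symtab and add_kallsyms would make it impossible for them to drift apart again. Note also that the copy loop no longer advances `src`, so `dst[ndst] = src[i];` is correct only because `src` stays pointed at entry 0 for the whole loop; worth a one-line comment since the previous version relied on `++src`.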
* [ 009/171] cifs: fix potential buffer overrun in cifs.idmap handling code
From: Greg Kroah-Hartman @ 2012-11-22 0:39 UTC
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, alan, Shirish Pargaonkar, Jeff Layton
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@redhat.com>
commit 36960e440ccf94349c09fb944930d3bfe4bc473f upstream.
The userspace cifs.idmap program generally works with the wbclient libs
to generate binary SIDs in userspace. That program defines the struct
that holds these values as having a max of 15 subauthorities. The kernel
idmapping code however limits that value to 5.
When the kernel copies those values around though, it doesn't sanity
check the num_subauths value handed back from userspace or from the
server. It's possible therefore for userspace to hand us back a bogus
num_subauths value (or one that's valid, but greater than 5) that could
cause the kernel to walk off the end of the cifs_sid->sub_auths array.
Fix this by defining a new routine for copying sids and using that in
all of the places that copy it. If we end up with a sid that's longer
than expected then this approach will just lop off the "extra" subauths,
but that's basically what the code does today already. Better approaches
might be to fix this code to reject SIDs with >5 subauths, or fix it
to handle the subauths array dynamically.
At the same time, change the kernel to check the length of the data
returned by userspace. If it's shorter than struct cifs_sid, reject it
and return -EIO. If that happens we'll end up with fields that are
basically uninitialized.
Long term, it might make sense to redefine cifs_sid using a flexarray at
the end, to allow for variable-length subauth lists, and teach the code
to handle the case where the subauths array being passed in from
userspace is shorter than 5 elements.
Note too, that I don't consider this a security issue since you'd need
a compromised cifs.idmap program. If you have that, you can do all sorts
of nefarious stuff. Still, this is probably reasonable for stable.
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsacl.c | 49 ++++++++++++++++++++-----------------------------
1 file changed, 20 insertions(+), 29 deletions(-)
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -225,6 +225,13 @@ sid_to_str(struct cifs_sid *sidptr, char
}
static void
+cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
+{
+ memcpy(dst, src, sizeof(*dst));
+ dst->num_subauth = min_t(u8, src->num_subauth, NUM_SUBAUTHS);
+}
+
+static void
id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr,
struct cifs_sid_id **psidid, char *typestr)
{
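Review bot: cifs_copy_sid copies the fixed-size struct with memcpy and then clamps `num_subauth` to NUM_SUBAUTHS, so a SID that claims more sub-authorities than the array holds is silently truncated rather than rejected; the commit message itself names rejecting such SIDs as the better approach. A comment on the clamp explaining that it only bounds later loops over sub_auths and does not validate the input would make that trade-off visible, and returning an error for `src->num_subauth > NUM_SUBAUTHS` at the callers that take SIDs from userspace would be a natural follow-up.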
@@ -248,7 +255,7 @@ id_rb_insert(struct rb_root *root, struc
}
}
- memcpy(&(*psidid)->sid, sidptr, sizeof(struct cifs_sid));
+ cifs_copy_sid(&(*psidid)->sid, sidptr);
(*psidid)->time = jiffies - (SID_MAP_RETRY + 1);
(*psidid)->refcount = 0;
@@ -354,7 +361,7 @@ id_to_sid(unsigned long cid, uint sidtyp
* any fields of the node after a reference is put .
*/
if (test_bit(SID_ID_MAPPED, &psidid->state)) {
- memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid));
+ cifs_copy_sid(ssid, &psidid->sid);
psidid->time = jiffies; /* update ts for accessing */
goto id_sid_out;
}
@@ -370,14 +377,14 @@ id_to_sid(unsigned long cid, uint sidtyp
if (IS_ERR(sidkey)) {
rc = -EINVAL;
cFYI(1, "%s: Can't map and id to a SID", __func__);
+ } else if (sidkey->datalen < sizeof(struct cifs_sid)) {
+ rc = -EIO;
+ cFYI(1, "%s: Downcall contained malformed key "
+ "(datalen=%hu)", __func__