linux/include, branch v3.4

Merge branch 'for-linus' of git://git.kernel.dk/linux-block

2012-05-19T17:12:17Z

Pull block layer fixes from Jens Axboe: "A few small, but important fixes. Most of them are marked for stable as well - Fix failure to release a semaphore on error path in mtip32xx. - Fix crashable condition in bio_get_nr_vecs(). - Don't mark end-of-disk buffers as mapped, limit it to i_size. - Fix for build problem with CONFIG_BLOCK=n on arm at least. - Fix for a buffer overlow on UUID partition printing. - Trivial removal of unused variables in dac960." * 'for-linus' of git://git.kernel.dk/linux-block: block: fix buffer overflow when printing partition UUIDs Fix blkdev.h build errors when BLOCK=n bio allocation failure due to bio_get_nr_vecs() block: don't mark buffers beyond end of disk as mapped mtip32xx: release the semaphore on an error path dac960: Remove unused variables from DAC960_CreateProcEntries()

Merge branches 'perf-urgent-for-linus', 'x86-urgent-for-linus' and 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

2012-05-17T16:35:17Z

Pull perf, x86 and scheduler updates from Ingo Molnar. * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tracing: Do not enable function event with enable perf stat: handle ENXIO error for perf_event_open perf: Turn off compiler warnings for flex and bison generated files perf stat: Fix case where guest/host monitoring is not supported by kernel perf build-id: Fix filename size calculation * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86, kvm: KVM paravirt kernels don't check for CPUID being unavailable x86: Fix section annotation of acpi_map_cpu2node() x86/microcode: Ensure that module is only loaded on supported Intel CPUs * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched: Fix KVM and ia64 boot crash due to sched_groups circular linked list assumption

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2012-05-16T20:14:52Z

Pull networking tree from David Miller: 1) ptp_pch driver build broke during this merge window due to missing slab.h header, fix from Geery Uytterhoeven. 2) If ipset passes in a bogus hash table size we crash because the size is not validated properly. Compounding this, gcc-4.7 can miscompile ipset such that even when the user specifies legitimate parameters the tool passes in an out-of-range size to the kernel. Fix from Jozsef Kadlecsik. 3) Users have reported that the netdev watchdog can trigger with pch_gbe devices, and it turns out this is happening because of races in the TX path of the driver leading to the transmitter hanging. Fix from Eric Dumazet, reported and tested by Andy Cress. 4) Novatel USB551L devices match the generic class entries for the cdc ethernet USB driver, but they don't work because they have generic descriptors and thus need FLAG_WWAN to function properly. Add the necessary ID table entry to fix this, from Dan Williams. 5) A recursive locking fix in the USBNET driver added a new problem, in that packet list traversal is now racy and we can thus access unlinked SKBs and crash. Avoid this situation by adding some extra state tracking, from Ming Lei. 6) The rtlwifi conversion to asynchronous firmware loading is racy, fix by reordering the probe procedure. From Larry Finger. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=43187 7) Fix regressions with bluetooth keyboards by notifying userland properly when the security level changes, from Gustavo Padovan. 8) Bluetooth needs to make sure device connected events are emitted before other kinds of events, otherwise userspace will think there is no baseband link yet and therefore abort the sockets associated with that connection. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: netfilter: ipset: fix hash size checking in kernel ptp_pch: Add missing #include pch_gbe: fix transmit races cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN usbnet: fix skb traversing races during unlink(v2) Bluetooth: mgmt: Fix device_connected sending order Bluetooth: notify userspace of security level change rtlwifi: fix for race condition when firmware is cached

netfilter: ipset: fix hash size checking in kernel

2012-05-16T19:38:49Z

The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless

2012-05-16T05:04:07Z

John Linville says: Here are three more fixes that some of my developers are desperate to see included in 3.4... Johan Hedberg went to some length justifyng the inclusion of these two Bluetooth fixes: "The device_connected fix should be quite self-explanatory, but it's actually a wider issue than just for keyboards. All profiles that do incoming connection authorization (e.g. headsets) will break without it with specific hardware. The reason it wasn't caught earlier is that it only occurs with specific Bluetooth adapters. As for the security level patch, this fixes L2CAP socket based security level elevation during a connection. The HID profile needs this (for keyboards) and it is the only way to achieve the security level elevation when using the management interface to talk to the kernel (hence the management enabling patch being the one that exposes this" The rtlwifi fix addresses a regression related to firmware loading, as described in kernel.org bug 43187. It basically just moves a hunk of code to a more appropriate place. Signed-off-by: David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem

2012-05-15T20:38:00Z

usbnet: fix skb traversing races during unlink(v2)

2012-05-15T17:41:42Z

Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid recursive locking in usbnet_stop()) fixes the recursive locking problem by releasing the skb queue lock before unlink, but may cause skb traversing races: - after URB is unlinked and the queue lock is released, the refered skb and skb->next may be moved to done queue, even be released - in skb_queue_walk_safe, the next skb is still obtained by next pointer of the last skb - so maybe trigger oops or other problems This patch extends the usage of entry->state to describe 'start_unlink' state, so always holding the queue(rx/tx) lock to change the state if the referd skb is in rx or tx queue because we need to know if the refered urb has been started unlinking in unlink_urbs. The other part of this patch is based on Huajun's patch: always traverse from head of the tx/rx queue to get skb which is to be unlinked but not been started unlinking. Signed-off-by: Huajun Li Signed-off-by: Ming Lei Cc: Oliver Neukum Cc: stable@kernel.org Signed-off-by: David S. Miller

block: fix buffer overflow when printing partition UUIDs

2012-05-15T06:22:04Z

6d1d8050b4bc8 "block, partition: add partition_meta_info to hd_struct" added part_unpack_uuid() which assumes that the passed in buffer has enough space for sprintfing "%pU" - 37 characters including '\0'. Unfortunately, b5af921ec0233 "init: add support for root devices specified by partition UUID" supplied 33 bytes buffer to the function leading to the following panic with stackprotector enabled. Kernel panic - not syncing: stack-protector: Kernel stack corrupted in: ffffffff81b14c7e [] panic+0xba/0x1c6 [] ? printk_all_partitions+0x259/0x26xb [] __stack_chk_fail+0x1b/0x20 [] printk_all_paritions+0x259/0x26xb [] mount_block_root+0x1bc/0x27f [] mount_root+0x57/0x5b [] prepare_namespace+0x13d/0x176 [] ? release_tgcred.isra.4+0x330/0x30 [] kernel_init+0x155/0x15a [] ? schedule_tail+0x27/0xb0 [] kernel_thread_helper+0x5/0x10 [] ? start_kernel+0x3c5/0x3c5 [] ? gs_change+0x13/0x13 Increase the buffer size, remove the dangerous part_unpack_uuid() and use snprintf() directly from printk_all_partitions(). Signed-off-by: Tejun Heo Reported-by: Szymon Gruszczynski Cc: Will Drewry Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe

Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

2012-05-14T18:23:37Z

Pull media fixes from Mauro Carvalho Chehab: "For a some fix patches for v3.4, including a regression fix at DVB core" Fix up trivial conflicts in Documentation/feature-removal-schedule.txt * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] gspca - sonixj: Fix a zero divide in isoc interrupt [media] media: videobuf2-dma-contig: include header for exported symbols [media] media: videobuf2-dma-contig: quiet sparse noise about plain integer as NULL pointer [media] media: vb2-memops: Export vb2_get_vma symbol [media] s5p-fimc: Correct memory allocation for VIDIOC_CREATE_BUFS [media] s5p-fimc: Fix locking in subdev set_crop op [media] dvb_frontend: fix a regression with DVB-S zig-zag [media] fintek-cir: change || to && [media] V4L: Schedule V4L2_CID_HCENTER, V4L2_CID_VCENTER controls for removal [media] rc: Postpone ISR registration [media] marvell-cam: fix an ARM build error [media] V4L: soc-camera: protect hosts during probing from overzealous user-space

Bluetooth: notify userspace of security level change

2012-05-14T17:51:25Z

It fixes L2CAP socket based security level elevation during a connection. The HID profile needs this (for keyboards) and it is the only way to achieve the security level elevation when using the management interface to talk to the kernel (hence the management enabling patch being the one that exposes this issue). It enables the userspace a security level change when the socket is already connected and create a way to notify the socket the result of the request. At the moment of the request the socket is made non writable, if the request fails the connections closes, otherwise the socket is made writable again, POLL_OUT is emmited. Signed-off-by: Gustavo Padovan Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: John W. Linville