/[linux-patches]/genpatches-2.6/trunk/3.4/1018_linux-3.4.19.patch
Gentoo

Contents of /genpatches-2.6/trunk/3.4/1018_linux-3.4.19.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 2254 - (show annotations) (download)
Wed Dec 19 19:51:16 2012 UTC (2 years, 1 month ago) by mpagano
File size: 92683 byte(s)
Linux patches 3.4.12 through and including 3.4.24
1 diff --git a/Makefile b/Makefile
2 index 95de447..e264929 100644
3 --- a/Makefile
4 +++ b/Makefile
5 @@ -1,6 +1,6 @@
6 VERSION = 3
7 PATCHLEVEL = 4
8 -SUBLEVEL = 18
9 +SUBLEVEL = 19
10 EXTRAVERSION =
11 NAME = Saber-toothed Squirrel
12
13 diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
14 index 69f5857..5cb8e27 100644
15 --- a/arch/x86/xen/mmu.c
16 +++ b/arch/x86/xen/mmu.c
17 @@ -1203,6 +1203,25 @@ unsigned long xen_read_cr2_direct(void)
18 return this_cpu_read(xen_vcpu_info.arch.cr2);
19 }
20
21 +void xen_flush_tlb_all(void)
22 +{
23 + struct mmuext_op *op;
24 + struct multicall_space mcs;
25 +
26 + trace_xen_mmu_flush_tlb_all(0);
27 +
28 + preempt_disable();
29 +
30 + mcs = xen_mc_entry(sizeof(*op));
31 +
32 + op = mcs.args;
33 + op->cmd = MMUEXT_TLB_FLUSH_ALL;
34 + MULTI_mmuext_op(mcs.mc, op, 1, NULL, DOMID_SELF);
35 +
36 + xen_mc_issue(PARAVIRT_LAZY_MMU);
37 +
38 + preempt_enable();
39 +}
40 static void xen_flush_tlb(void)
41 {
42 struct mmuext_op *op;
43 @@ -2364,7 +2383,7 @@ int xen_remap_domain_mfn_range(struct vm_area_struct *vma,
44 err = 0;
45 out:
46
47 - flush_tlb_all();
48 + xen_flush_tlb_all();
49
50 return err;
51 }
52 diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
53 index 123de28..b90abff 100644
54 --- a/drivers/gpu/drm/drm_fops.c
55 +++ b/drivers/gpu/drm/drm_fops.c
56 @@ -139,8 +139,11 @@ int drm_open(struct inode *inode, struct file *filp)
57 retcode = drm_open_helper(inode, filp, dev);
58 if (!retcode) {
59 atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
60 - if (!dev->open_count++)
61 + if (!dev->open_count++) {
62 retcode = drm_setup(dev);
63 + if (retcode)
64 + dev->open_count--;
65 + }
66 }
67 if (!retcode) {
68 mutex_lock(&dev->struct_mutex);
69 diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h
70 index 2cae72d..cd623e8 100644
71 --- a/drivers/gpu/drm/i915/intel_drv.h
72 +++ b/drivers/gpu/drm/i915/intel_drv.h
73 @@ -247,12 +247,12 @@ struct dip_infoframe {
74 uint16_t bottom_bar_start;
75 uint16_t left_bar_end;
76 uint16_t right_bar_start;
77 - } avi;
78 + } __attribute__ ((packed)) avi;
79 struct {
80 uint8_t vn[8];
81 uint8_t pd[16];
82 uint8_t sdi;
83 - } spd;
84 + } __attribute__ ((packed)) spd;
85 uint8_t payload[27];
86 } __attribute__ ((packed)) body;
87 } __attribute__((packed));
88 diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
89 index eea58c6..b96e8c8 100644
90 --- a/drivers/gpu/drm/i915/intel_sdvo.c
91 +++ b/drivers/gpu/drm/i915/intel_sdvo.c
92 @@ -868,31 +868,38 @@ static void intel_sdvo_dump_hdmi_buf(struct intel_sdvo *intel_sdvo)
93 }
94 #endif
95
96 -static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo)
97 +static bool intel_sdvo_write_infoframe(struct intel_sdvo *intel_sdvo,
98 + unsigned if_index, uint8_t tx_rate,
99 + uint8_t *data, unsigned length)
100 {
101 - struct dip_infoframe avi_if = {
102 - .type = DIP_TYPE_AVI,
103 - .ver = DIP_VERSION_AVI,
104 - .len = DIP_LEN_AVI,
105 - };
106 - uint8_t tx_rate = SDVO_HBUF_TX_VSYNC;
107 - uint8_t set_buf_index[2] = { 1, 0 };
108 - uint64_t *data = (uint64_t *)&avi_if;
109 - unsigned i;
110 -
111 - intel_dip_infoframe_csum(&avi_if);
112 + uint8_t set_buf_index[2] = { if_index, 0 };
113 + uint8_t hbuf_size, tmp[8];
114 + int i;
115
116 if (!intel_sdvo_set_value(intel_sdvo,
117 SDVO_CMD_SET_HBUF_INDEX,
118 set_buf_index, 2))
119 return false;
120
121 - for (i = 0; i < sizeof(avi_if); i += 8) {
122 + if (!intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HBUF_INFO,
123 + &hbuf_size, 1))
124 + return false;
125 +
126 + /* Buffer size is 0 based, hooray! */
127 + hbuf_size++;
128 +
129 + DRM_DEBUG_KMS("writing sdvo hbuf: %i, hbuf_size %i, hbuf_size: %i\n",
130 + if_index, length, hbuf_size);
131 +
132 + for (i = 0; i < hbuf_size; i += 8) {
133 + memset(tmp, 0, 8);
134 + if (i < length)
135 + memcpy(tmp, data + i, min_t(unsigned, 8, length - i));
136 +
137 if (!intel_sdvo_set_value(intel_sdvo,
138 SDVO_CMD_SET_HBUF_DATA,
139 - data, 8))
140 + tmp, 8))
141 return false;
142 - data++;
143 }
144
145 return intel_sdvo_set_value(intel_sdvo,
146 @@ -900,6 +907,28 @@ static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo)
147 &tx_rate, 1);
148 }
149
150 +static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo)
151 +{
152 + struct dip_infoframe avi_if = {
153 + .type = DIP_TYPE_AVI,
154 + .ver = DIP_VERSION_AVI,
155 + .len = DIP_LEN_AVI,
156 + };
157 + uint8_t sdvo_data[4 + sizeof(avi_if.body.avi)];
158 +
159 + intel_dip_infoframe_csum(&avi_if);
160 +
161 + /* sdvo spec says that the ecc is handled by the hw, and it looks like
162 + * we must not send the ecc field, either. */
163 + memcpy(sdvo_data, &avi_if, 3);
164 + sdvo_data[3] = avi_if.checksum;
165 + memcpy(&sdvo_data[4], &avi_if.body, sizeof(avi_if.body.avi));
166 +
167 + return intel_sdvo_write_infoframe(intel_sdvo, SDVO_HBUF_INDEX_AVI_IF,
168 + SDVO_HBUF_TX_VSYNC,
169 + sdvo_data, sizeof(sdvo_data));
170 +}
171 +
172 static bool intel_sdvo_set_tv_format(struct intel_sdvo *intel_sdvo)
173 {
174 struct intel_sdvo_tv_format format;
175 diff --git a/drivers/gpu/drm/i915/intel_sdvo_regs.h b/drivers/gpu/drm/i915/intel_sdvo_regs.h
176 index 9d03014..770bdd6 100644
177 --- a/drivers/gpu/drm/i915/intel_sdvo_regs.h
178 +++ b/drivers/gpu/drm/i915/intel_sdvo_regs.h
179 @@ -708,6 +708,8 @@ struct intel_sdvo_enhancements_arg {
180 #define SDVO_CMD_SET_AUDIO_STAT 0x91
181 #define SDVO_CMD_GET_AUDIO_STAT 0x92
182 #define SDVO_CMD_SET_HBUF_INDEX 0x93
183 + #define SDVO_HBUF_INDEX_ELD 0
184 + #define SDVO_HBUF_INDEX_AVI_IF 1
185 #define SDVO_CMD_GET_HBUF_INDEX 0x94
186 #define SDVO_CMD_GET_HBUF_INFO 0x95
187 #define SDVO_CMD_SET_HBUF_AV_SPLIT 0x96
188 diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c
189 index 977b22d..22c84bc 100644
190 --- a/drivers/gpu/drm/radeon/evergreen_cs.c
191 +++ b/drivers/gpu/drm/radeon/evergreen_cs.c
192 @@ -2671,6 +2671,9 @@ static bool evergreen_vm_reg_valid(u32 reg)
193 /* check config regs */
194 switch (reg) {
195 case GRBM_GFX_INDEX:
196 + case CP_STRMOUT_CNTL:
197 + case CP_COHER_CNTL:
198 + case CP_COHER_SIZE:
199 case VGT_VTX_VECT_EJECT_REG:
200 case VGT_CACHE_INVALIDATION:
201 case VGT_GS_VERTEX_REUSE:
202 diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h
203 index f62ccd3..2eaaea0 100644
204 --- a/drivers/gpu/drm/radeon/evergreend.h
205 +++ b/drivers/gpu/drm/radeon/evergreend.h
206 @@ -77,6 +77,10 @@
207
208 #define CONFIG_MEMSIZE 0x5428
209
210 +#define CP_STRMOUT_CNTL 0x84FC
211 +
212 +#define CP_COHER_CNTL 0x85F0
213 +#define CP_COHER_SIZE 0x85F4
214 #define CP_COHER_BASE 0x85F8
215 #define CP_ME_CNTL 0x86D8
216 #define CP_ME_HALT (1 << 28)
217 diff --git a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
218 index 1461e2c..d92f483 100644
219 --- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
220 +++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
221 @@ -650,6 +650,7 @@ static enum drm_connector_status radeon_legacy_primary_dac_detect(struct drm_enc
222 tmp |= RADEON_DAC_RANGE_CNTL_PS2 | RADEON_DAC_CMP_EN;
223 WREG32(RADEON_DAC_CNTL, tmp);
224
225 + tmp = dac_macro_cntl;
226 tmp &= ~(RADEON_DAC_PDWN_R |
227 RADEON_DAC_PDWN_G |
228 RADEON_DAC_PDWN_B);
229 diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
230 index 2af1ce6..1197f21 100644
231 --- a/drivers/gpu/drm/radeon/si.c
232 +++ b/drivers/gpu/drm/radeon/si.c
233 @@ -2593,6 +2593,7 @@ static bool si_vm_reg_valid(u32 reg)
234 /* check config regs */
235 switch (reg) {
236 case GRBM_GFX_INDEX:
237 + case CP_STRMOUT_CNTL:
238 case VGT_VTX_VECT_EJECT_REG:
239 case VGT_CACHE_INVALIDATION:
240 case VGT_ESGS_RING_SIZE:
241 diff --git a/drivers/gpu/drm/radeon/sid.h b/drivers/gpu/drm/radeon/sid.h
242 index 53ea2c4..2c2bc63 100644
243 --- a/drivers/gpu/drm/radeon/sid.h
244 +++ b/drivers/gpu/drm/radeon/sid.h
245 @@ -413,6 +413,7 @@
246 # define RDERR_INT_ENABLE (1 << 0)
247 # define GUI_IDLE_INT_ENABLE (1 << 19)
248
249 +#define CP_STRMOUT_CNTL 0x84FC
250 #define SCRATCH_REG0 0x8500
251 #define SCRATCH_REG1 0x8504
252 #define SCRATCH_REG2 0x8508
253 diff --git a/drivers/gpu/drm/udl/udl_drv.h b/drivers/gpu/drm/udl/udl_drv.h
254 index 96820d0..e760575 100644
255 --- a/drivers/gpu/drm/udl/udl_drv.h
256 +++ b/drivers/gpu/drm/udl/udl_drv.h
257 @@ -103,7 +103,7 @@ udl_fb_user_fb_create(struct drm_device *dev,
258
259 int udl_render_hline(struct drm_device *dev, int bpp, struct urb **urb_ptr,
260 const char *front, char **urb_buf_ptr,
261 - u32 byte_offset, u32 byte_width,
262 + u32 byte_offset, u32 device_byte_offset, u32 byte_width,
263 int *ident_ptr, int *sent_ptr);
264
265 int udl_dumb_create(struct drm_file *file_priv,
266 diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
267 index 4d9c3a5..b9282cf 100644
268 --- a/drivers/gpu/drm/udl/udl_fb.c
269 +++ b/drivers/gpu/drm/udl/udl_fb.c
270 @@ -114,9 +114,10 @@ static void udlfb_dpy_deferred_io(struct fb_info *info,
271 list_for_each_entry(cur, &fbdefio->pagelist, lru) {
272
273 if (udl_render_hline(dev, (ufbdev->ufb.base.bits_per_pixel / 8),
274 - &urb, (char *) info->fix.smem_start,
275 - &cmd, cur->index << PAGE_SHIFT,
276 - PAGE_SIZE, &bytes_identical, &bytes_sent))
277 + &urb, (char *) info->fix.smem_start,
278 + &cmd, cur->index << PAGE_SHIFT,
279 + cur->index << PAGE_SHIFT,
280 + PAGE_SIZE, &bytes_identical, &bytes_sent))
281 goto error;
282 bytes_rendered += PAGE_SIZE;
283 }
284 @@ -178,10 +179,11 @@ int udl_handle_damage(struct udl_framebuffer *fb, int x, int y,
285 for (i = y; i < y + height ; i++) {
286 const int line_offset = fb->base.pitches[0] * i;
287 const int byte_offset = line_offset + (x * bpp);
288 -
289 + const int dev_byte_offset = (fb->base.width * bpp * i) + (x * bpp);
290 if (udl_render_hline(dev, bpp, &urb,
291 (char *) fb->obj->vmapping,
292 - &cmd, byte_offset, width * bpp,
293 + &cmd, byte_offset, dev_byte_offset,
294 + width * bpp,
295 &bytes_identical, &bytes_sent))
296 goto error;
297 }
298 diff --git a/drivers/gpu/drm/udl/udl_transfer.c b/drivers/gpu/drm/udl/udl_transfer.c
299 index b9320e2..fc11344 100644
300 --- a/drivers/gpu/drm/udl/udl_transfer.c
301 +++ b/drivers/gpu/drm/udl/udl_transfer.c
302 @@ -213,11 +213,12 @@ static void udl_compress_hline16(
303 */
304 int udl_render_hline(struct drm_device *dev, int bpp, struct urb **urb_ptr,
305 const char *front, char **urb_buf_ptr,
306 - u32 byte_offset, u32 byte_width,
307 + u32 byte_offset, u32 device_byte_offset,
308 + u32 byte_width,
309 int *ident_ptr, int *sent_ptr)
310 {
311 const u8 *line_start, *line_end, *next_pixel;
312 - u32 base16 = 0 + (byte_offset / bpp) * 2;
313 + u32 base16 = 0 + (device_byte_offset / bpp) * 2;
314 struct urb *urb = *urb_ptr;
315 u8 *cmd = *urb_buf_ptr;
316 u8 *cmd_end = (u8 *) urb->transfer_buffer + urb->transfer_buffer_length;
317 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c
318 index 3fa884d..27151f7 100644
319 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c
320 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c
321 @@ -306,7 +306,7 @@ void vmw_bo_pin(struct ttm_buffer_object *bo, bool pin)
322
323 BUG_ON(!atomic_read(&bo->reserved));
324 BUG_ON(old_mem_type != TTM_PL_VRAM &&
325 - old_mem_type != VMW_PL_FLAG_GMR);
326 + old_mem_type != VMW_PL_GMR);
327
328 pl_flags = TTM_PL_FLAG_VRAM | VMW_PL_FLAG_GMR | TTM_PL_FLAG_CACHED;
329 if (pin)
330 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
331 index 3a4b15a..db50604 100644
332 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
333 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
334 @@ -1102,6 +1102,11 @@ static void vmw_pm_complete(struct device *kdev)
335 struct drm_device *dev = pci_get_drvdata(pdev);
336 struct vmw_private *dev_priv = vmw_priv(dev);
337
338 + mutex_lock(&dev_priv->hw_mutex);
339 + vmw_write(dev_priv, SVGA_REG_ID, SVGA_ID_2);
340 + (void) vmw_read(dev_priv, SVGA_REG_ID);
341 + mutex_unlock(&dev_priv->hw_mutex);
342 +
343 /**
344 * Reclaim 3d reference held by fbdev and potentially
345 * start fifo.
346 diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
347 index 54922ed..88effda 100644
348 --- a/drivers/hwmon/w83627ehf.c
349 +++ b/drivers/hwmon/w83627ehf.c
350 @@ -2082,6 +2082,7 @@ static int __devinit w83627ehf_probe(struct platform_device *pdev)
351 mutex_init(&data->lock);
352 mutex_init(&data->update_lock);
353 data->name = w83627ehf_device_names[sio_data->kind];
354 + data->bank = 0xff; /* Force initial bank selection */
355 platform_set_drvdata(pdev, data);
356
357 /* 627EHG and 627EHF have 10 voltage inputs; 627DHG and 667HG have 9 */
358 diff --git a/drivers/input/touchscreen/tsc40.c b/drivers/input/touchscreen/tsc40.c
359 index 29d5ed4..80d4610 100644
360 --- a/drivers/input/touchscreen/tsc40.c
361 +++ b/drivers/input/touchscreen/tsc40.c
362 @@ -107,7 +107,6 @@ static int tsc_connect(struct serio *serio, struct serio_driver *drv)
363 __set_bit(BTN_TOUCH, input_dev->keybit);
364 input_set_abs_params(ptsc->dev, ABS_X, 0, 0x3ff, 0, 0);
365 input_set_abs_params(ptsc->dev, ABS_Y, 0, 0x3ff, 0, 0);
366 - input_set_abs_params(ptsc->dev, ABS_PRESSURE, 0, 0, 0, 0);
367
368 serio_set_drvdata(serio, ptsc);
369
370 diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
371 index 3c403aa..1fe0ca9 100644
372 --- a/drivers/mmc/host/sdhci.c
373 +++ b/drivers/mmc/host/sdhci.c
374 @@ -1294,16 +1294,19 @@ static void sdhci_request(struct mmc_host *mmc, struct mmc_request *mrq)
375 */
376 if ((host->flags & SDHCI_NEEDS_RETUNING) &&
377 !(present_state & (SDHCI_DOING_WRITE | SDHCI_DOING_READ))) {
378 - /* eMMC uses cmd21 while sd and sdio use cmd19 */
379 - tuning_opcode = mmc->card->type == MMC_TYPE_MMC ?
380 - MMC_SEND_TUNING_BLOCK_HS200 :
381 - MMC_SEND_TUNING_BLOCK;
382 - spin_unlock_irqrestore(&host->lock, flags);
383 - sdhci_execute_tuning(mmc, tuning_opcode);
384 - spin_lock_irqsave(&host->lock, flags);
385 -
386 - /* Restore original mmc_request structure */
387 - host->mrq = mrq;
388 + if (mmc->card) {
389 + /* eMMC uses cmd21 but sd and sdio use cmd19 */
390 + tuning_opcode =
391 + mmc->card->type == MMC_TYPE_MMC ?
392 + MMC_SEND_TUNING_BLOCK_HS200 :
393 + MMC_SEND_TUNING_BLOCK;
394 + spin_unlock_irqrestore(&host->lock, flags);
395 + sdhci_execute_tuning(mmc, tuning_opcode);
396 + spin_lock_irqsave(&host->lock, flags);
397 +
398 + /* Restore original mmc_request structure */
399 + host->mrq = mrq;
400 + }
401 }
402
403 if (mrq->sbc && !(host->flags & SDHCI_AUTO_CMD23))
404 diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
405 index 0c5edc1..077bb00 100644
406 --- a/drivers/net/ethernet/nxp/lpc_eth.c
407 +++ b/drivers/net/ethernet/nxp/lpc_eth.c
408 @@ -1523,6 +1523,7 @@ static int lpc_eth_drv_remove(struct platform_device *pdev)
409 pldat->dma_buff_base_p);
410 free_irq(ndev->irq, ndev);
411 iounmap(pldat->net_base);
412 + mdiobus_unregister(pldat->mii_bus);
413 mdiobus_free(pldat->mii_bus);
414 clk_disable(pldat->clk);
415 clk_put(pldat->clk);
416 diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
417 index b38db48..174aece 100644
418 --- a/drivers/net/usb/usbnet.c
419 +++ b/drivers/net/usb/usbnet.c
420 @@ -1158,6 +1158,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
421 usb_anchor_urb(urb, &dev->deferred);
422 /* no use to process more packets */
423 netif_stop_queue(net);
424 + usb_put_urb(urb);
425 spin_unlock_irqrestore(&dev->txq.lock, flags);
426 netdev_dbg(dev->net, "Delaying transmission for resumption\n");
427 goto deferred;
428 @@ -1299,6 +1300,8 @@ void usbnet_disconnect (struct usb_interface *intf)
429
430 cancel_work_sync(&dev->kevent);
431
432 + usb_scuttle_anchored_urbs(&dev->deferred);
433 +
434 if (dev->driver_info->unbind)
435 dev->driver_info->unbind (dev, intf);
436
437 diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
438 index b78773b..12a42f2 100644
439 --- a/drivers/net/wireless/ath/ath9k/xmit.c
440 +++ b/drivers/net/wireless/ath/ath9k/xmit.c
441 @@ -337,6 +337,7 @@ static struct ath_buf *ath_tx_get_buffer(struct ath_softc *sc)
442 }
443
444 bf = list_first_entry(&sc->tx.txbuf, struct ath_buf, list);
445 + bf->bf_next = NULL;
446 list_del(&bf->list);
447
448 spin_unlock_bh(&sc->tx.txbuflock);
449 @@ -418,7 +419,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
450 u16 seq_st = 0, acked_cnt = 0, txfail_cnt = 0, seq_first;
451 u32 ba[WME_BA_BMP_SIZE >> 5];
452 int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0;
453 - bool rc_update = true;
454 + bool rc_update = true, isba;
455 struct ieee80211_tx_rate rates[4];
456 struct ath_frame_info *fi;
457 int nframes;
458 @@ -462,13 +463,17 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
459 tidno = ieee80211_get_qos_ctl(hdr)[0] & IEEE80211_QOS_CTL_TID_MASK;
460 tid = ATH_AN_2_TID(an, tidno);
461 seq_first = tid->seq_start;
462 + isba = ts->ts_flags & ATH9K_TX_BA;
463
464 /*
465 * The hardware occasionally sends a tx status for the wrong TID.
466 * In this case, the BA status cannot be considered valid and all
467 * subframes need to be retransmitted
468 + *
469 + * Only BlockAcks have a TID and therefore normal Acks cannot be
470 + * checked
471 */
472 - if (tidno != ts->tid)
473 + if (isba && tidno != ts->tid)
474 txok = false;
475
476 isaggr = bf_isaggr(bf);
477 @@ -1760,6 +1765,7 @@ static void ath_tx_send_normal(struct ath_softc *sc, struct ath_txq *txq,
478 list_add_tail(&bf->list, &bf_head);
479 bf->bf_state.bf_type = 0;
480
481 + bf->bf_next = NULL;
482 bf->bf_lastbf = bf;
483 ath_tx_fill_desc(sc, bf, txq, fi->framelen);
484 ath_tx_txqaddbuf(sc, txq, &bf_head, false);
485 diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
486 index 6c0a12e..2ce6bf5 100644
487 --- a/drivers/net/wireless/rt2x00/rt2800lib.c
488 +++ b/drivers/net/wireless/rt2x00/rt2800lib.c
489 @@ -2235,7 +2235,7 @@ static int rt2800_get_gain_calibration_delta(struct rt2x00_dev *rt2x00dev)
490 /*
491 * Check if temperature compensation is supported.
492 */
493 - if (tssi_bounds[4] == 0xff)
494 + if (tssi_bounds[4] == 0xff || step == 0xff)
495 return 0;
496
497 /*
498 diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
499 index 23e122a..ad202b3 100644
500 --- a/drivers/target/iscsi/iscsi_target.c
501 +++ b/drivers/target/iscsi/iscsi_target.c
502 @@ -3514,7 +3514,9 @@ restart:
503 */
504 iscsit_thread_check_cpumask(conn, current, 1);
505
506 - schedule_timeout_interruptible(MAX_SCHEDULE_TIMEOUT);
507 + wait_event_interruptible(conn->queues_wq,
508 + !iscsit_conn_all_queues_empty(conn) ||
509 + ts->status == ISCSI_THREAD_SET_RESET);
510
511 if ((ts->status == ISCSI_THREAD_SET_RESET) ||
512 signal_pending(current))
513 diff --git a/drivers/target/iscsi/iscsi_target_core.h b/drivers/target/iscsi/iscsi_target_core.h
514 index 1596aec..2e46ea4 100644
515 --- a/drivers/target/iscsi/iscsi_target_core.h
516 +++ b/drivers/target/iscsi/iscsi_target_core.h
517 @@ -491,6 +491,7 @@ struct iscsi_tmr_req {
518 };
519
520 struct iscsi_conn {
521 + wait_queue_head_t queues_wq;
522 /* Authentication Successful for this connection */
523 u8 auth_complete;
524 /* State connection is currently in */
525 diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
526 index ae30424..3cb7a4f 100644
527 --- a/drivers/target/iscsi/iscsi_target_login.c
528 +++ b/drivers/target/iscsi/iscsi_target_login.c
529 @@ -45,6 +45,7 @@ extern spinlock_t sess_idr_lock;
530
531 static int iscsi_login_init_conn(struct iscsi_conn *conn)
532 {
533 + init_waitqueue_head(&conn->queues_wq);
534 INIT_LIST_HEAD(&conn->conn_list);
535 INIT_LIST_HEAD(&conn->conn_cmd_list);
536 INIT_LIST_HEAD(&conn->immed_queue_list);
537 diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
538 index 4eba86d..4c05ed6 100644
539 --- a/drivers/target/iscsi/iscsi_target_util.c
540 +++ b/drivers/target/iscsi/iscsi_target_util.c
541 @@ -656,7 +656,7 @@ void iscsit_add_cmd_to_immediate_queue(
542 atomic_set(&conn->check_immediate_queue, 1);
543 spin_unlock_bh(&conn->immed_queue_lock);
544
545 - wake_up_process(conn->thread_set->tx_thread);
546 + wake_up(&conn->queues_wq);
547 }
548
549 struct iscsi_queue_req *iscsit_get_cmd_from_immediate_queue(struct iscsi_conn *conn)
550 @@ -730,7 +730,7 @@ void iscsit_add_cmd_to_response_queue(
551 atomic_inc(&cmd->response_queue_count);
552 spin_unlock_bh(&conn->response_queue_lock);
553
554 - wake_up_process(conn->thread_set->tx_thread);
555 + wake_up(&conn->queues_wq);
556 }
557
558 struct iscsi_queue_req *iscsit_get_cmd_from_response_queue(struct iscsi_conn *conn)
559 @@ -784,6 +784,24 @@ static void iscsit_remove_cmd_from_response_queue(
560 }
561 }
562
563 +bool iscsit_conn_all_queues_empty(struct iscsi_conn *conn)
564 +{
565 + bool empty;
566 +
567 + spin_lock_bh(&conn->immed_queue_lock);
568 + empty = list_empty(&conn->immed_queue_list);
569 + spin_unlock_bh(&conn->immed_queue_lock);
570 +
571 + if (!empty)
572 + return empty;
573 +
574 + spin_lock_bh(&conn->response_queue_lock);
575 + empty = list_empty(&conn->response_queue_list);
576 + spin_unlock_bh(&conn->response_queue_lock);
577 +
578 + return empty;
579 +}
580 +
581 void iscsit_free_queue_reqs_for_conn(struct iscsi_conn *conn)
582 {
583 struct iscsi_queue_req *qr, *qr_tmp;
584 diff --git a/drivers/target/iscsi/iscsi_target_util.h b/drivers/target/iscsi/iscsi_target_util.h
585 index 835bf7d..cfac698 100644
586 --- a/drivers/target/iscsi/iscsi_target_util.h
587 +++ b/drivers/target/iscsi/iscsi_target_util.h
588 @@ -28,6 +28,7 @@ extern struct iscsi_queue_req *iscsit_get_cmd_from_immediate_queue(struct iscsi_
589 extern void iscsit_add_cmd_to_response_queue(struct iscsi_cmd *, struct iscsi_conn *, u8);
590 extern struct iscsi_queue_req *iscsit_get_cmd_from_response_queue(struct iscsi_conn *);
591 extern void iscsit_remove_cmd_from_tx_queues(struct iscsi_cmd *, struct iscsi_conn *);
592 +extern bool iscsit_conn_all_queues_empty(struct iscsi_conn *);
593 extern void iscsit_free_queue_reqs_for_conn(struct iscsi_conn *);
594 extern void iscsit_release_cmd(struct iscsi_cmd *);
595 extern void iscsit_free_cmd(struct iscsi_cmd *);
596 diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
597 index 3f90d4b..dbcede3 100644
598 --- a/drivers/target/target_core_configfs.c
599 +++ b/drivers/target/target_core_configfs.c
600 @@ -3197,7 +3197,8 @@ static int __init target_core_init_configfs(void)
601 if (ret < 0)
602 goto out;
603
604 - if (core_dev_setup_virtual_lun0() < 0)
605 + ret = core_dev_setup_virtual_lun0();
606 + if (ret < 0)
607 goto out;
608
609 return 0;
610 diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
611 index aa62677..4df8022 100644
612 --- a/drivers/target/target_core_device.c
613 +++ b/drivers/target/target_core_device.c
614 @@ -826,20 +826,20 @@ int se_dev_check_shutdown(struct se_device *dev)
615
616 u32 se_dev_align_max_sectors(u32 max_sectors, u32 block_size)
617 {
618 - u32 tmp, aligned_max_sectors;
619 + u32 aligned_max_sectors;
620 + u32 alignment;
621 /*
622 * Limit max_sectors to a PAGE_SIZE aligned value for modern
623 * transport_allocate_data_tasks() operation.
624 */
625 - tmp = rounddown((max_sectors * block_size), PAGE_SIZE);
626 - aligned_max_sectors = (tmp / block_size);
627 - if (max_sectors != aligned_max_sectors) {
628 - printk(KERN_INFO "Rounding down aligned max_sectors from %u"
629 - " to %u\n", max_sectors, aligned_max_sectors);
630 - return aligned_max_sectors;
631 - }
632 + alignment = max(1ul, PAGE_SIZE / block_size);
633 + aligned_max_sectors = rounddown(max_sectors, alignment);
634 +
635 + if (max_sectors != aligned_max_sectors)
636 + pr_info("Rounding down aligned max_sectors from %u to %u\n",
637 + max_sectors, aligned_max_sectors);
638
639 - return max_sectors;
640 + return aligned_max_sectors;
641 }
642
643 void se_dev_set_default_attribs(
644 diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
645 index f015839..4a5c6d7 100644
646 --- a/drivers/target/target_core_tmr.c
647 +++ b/drivers/target/target_core_tmr.c
648 @@ -140,15 +140,15 @@ void core_tmr_abort_task(
649 printk("ABORT_TASK: Found referenced %s task_tag: %u\n",
650 se_cmd->se_tfo->get_fabric_name(), ref_tag);
651
652 - spin_lock_irq(&se_cmd->t_state_lock);
653 + spin_lock(&se_cmd->t_state_lock);
654 if (se_cmd->transport_state & CMD_T_COMPLETE) {
655 printk("ABORT_TASK: ref_tag: %u already complete, skipping\n", ref_tag);
656 - spin_unlock_irq(&se_cmd->t_state_lock);
657 + spin_unlock(&se_cmd->t_state_lock);
658 spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
659 goto out;
660 }
661 se_cmd->transport_state |= CMD_T_ABORTED;
662 - spin_unlock_irq(&se_cmd->t_state_lock);
663 + spin_unlock(&se_cmd->t_state_lock);
664
665 list_del_init(&se_cmd->se_cmd_list);
666 kref_get(&se_cmd->cmd_kref);
667 diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
668 index 0179d34..c854235 100644
669 --- a/drivers/usb/serial/mos7840.c
670 +++ b/drivers/usb/serial/mos7840.c
671 @@ -2581,7 +2581,6 @@ error:
672 static void mos7840_disconnect(struct usb_serial *serial)
673 {
674 int i;
675 - unsigned long flags;
676 struct moschip_port *mos7840_port;
677 dbg("%s", " disconnect :entering..........");
678
679 diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
680 index 7f12416..9a113b7 100644
681 --- a/drivers/xen/gntdev.c
682 +++ b/drivers/xen/gntdev.c
683 @@ -105,6 +105,21 @@ static void gntdev_print_maps(struct gntdev_priv *priv,
684 #endif
685 }
686
687 +static void gntdev_free_map(struct grant_map *map)
688 +{
689 + if (map == NULL)
690 + return;
691 +
692 + if (map->pages)
693 + free_xenballooned_pages(map->count, map->pages);
694 + kfree(map->pages);
695 + kfree(map->grants);
696 + kfree(map->map_ops);
697 + kfree(map->unmap_ops);
698 + kfree(map->kmap_ops);
699 + kfree(map);
700 +}
701 +
702 static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count)
703 {
704 struct grant_map *add;
705 @@ -142,12 +157,7 @@ static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count)
706 return add;
707
708 err:
709 - kfree(add->pages);
710 - kfree(add->grants);
711 - kfree(add->map_ops);
712 - kfree(add->unmap_ops);
713 - kfree(add->kmap_ops);
714 - kfree(add);
715 + gntdev_free_map(add);
716 return NULL;
717 }
718
719 @@ -198,17 +208,9 @@ static void gntdev_put_map(struct grant_map *map)
720 evtchn_put(map->notify.event);
721 }
722
723 - if (map->pages) {
724 - if (!use_ptemod)
725 - unmap_grant_pages(map, 0, map->count);
726 -
727 - free_xenballooned_pages(map->count, map->pages);
728 - }
729 - kfree(map->pages);
730 - kfree(map->grants);
731 - kfree(map->map_ops);
732 - kfree(map->unmap_ops);
733 - kfree(map);
734 + if (map->pages && !use_ptemod)
735 + unmap_grant_pages(map, 0, map->count);
736 + gntdev_free_map(map);
737 }
738
739 /* ------------------------------------------------------------------ */
740 diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
741 index 8789210..53ad9d1 100644
742 --- a/fs/nfs/dir.c
743 +++ b/fs/nfs/dir.c
744 @@ -1103,7 +1103,7 @@ static int nfs_lookup_revalidate(struct dentry *dentry, struct nameidata *nd)
745 struct nfs_fattr *fattr = NULL;
746 int error;
747
748 - if (nd->flags & LOOKUP_RCU)
749 + if (nd && (nd->flags & LOOKUP_RCU))
750 return -ECHILD;
751
752 parent = dget_parent(dentry);
753 @@ -1502,7 +1502,7 @@ static int nfs_open_revalidate(struct dentry *dentry, struct nameidata *nd)
754 struct iattr attr;
755 int openflags, ret = 0;
756
757 - if (nd->flags & LOOKUP_RCU)
758 + if (nd && (nd->flags & LOOKUP_RCU))
759 return -ECHILD;
760
761 inode = dentry->d_inode;
762 diff --git a/fs/nfs/dns_resolve.c b/fs/nfs/dns_resolve.c
763 index b3924b8..786cd65 100644
764 --- a/fs/nfs/dns_resolve.c
765 +++ b/fs/nfs/dns_resolve.c
766 @@ -214,7 +214,7 @@ static int nfs_dns_parse(struct cache_detail *cd, char *buf, int buflen)
767 {
768 char buf1[NFS_DNS_HOSTNAME_MAXLEN+1];
769 struct nfs_dns_ent key, *item;
770 - unsigned long ttl;
771 + unsigned int ttl;
772 ssize_t len;
773 int ret = -EINVAL;
774
775 @@ -237,7 +237,8 @@ static int nfs_dns_parse(struct cache_detail *cd, char *buf, int buflen)
776 key.namelen = len;
777 memset(&key.h, 0, sizeof(key.h));
778
779 - ttl = get_expiry(&buf);
780 + if (get_uint(&buf, &ttl) < 0)
781 + goto out;
782 if (ttl == 0)
783 goto out;
784 key.h.expiry_time = ttl + seconds_since_boot();
785 diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
786 index b777bda..33aa76f 100644
787 --- a/fs/nfs/internal.h
788 +++ b/fs/nfs/internal.h
789 @@ -277,8 +277,9 @@ extern void nfs_sb_active(struct super_block *sb);
790 extern void nfs_sb_deactive(struct super_block *sb);
791
792 /* namespace.c */
793 +#define NFS_PATH_CANONICAL 1
794 extern char *nfs_path(char **p, struct dentry *dentry,
795 - char *buffer, ssize_t buflen);
796 + char *buffer, ssize_t buflen, unsigned flags);
797 extern struct vfsmount *nfs_d_automount(struct path *path);
798 #ifdef CONFIG_NFS_V4
799 rpc_authflavor_t nfs_find_best_sec(struct nfs4_secinfo_flavors *);
800 @@ -371,7 +372,7 @@ static inline char *nfs_devname(struct dentry *dentry,
801 char *buffer, ssize_t buflen)
802 {
803 char *dummy;
804 - return nfs_path(&dummy, dentry, buffer, buflen);
805 + return nfs_path(&dummy, dentry, buffer, buflen, NFS_PATH_CANONICAL);
806 }
807
808 /*
809 diff --git a/fs/nfs/mount_clnt.c b/fs/nfs/mount_clnt.c
810 index 8e65c7f..015f71f 100644
811 --- a/fs/nfs/mount_clnt.c
812 +++ b/fs/nfs/mount_clnt.c
813 @@ -181,7 +181,7 @@ int nfs_mount(struct nfs_mount_request *info)
814 else
815 msg.rpc_proc = &mnt_clnt->cl_procinfo[MOUNTPROC_MNT];
816
817 - status = rpc_call_sync(mnt_clnt, &msg, 0);
818 + status = rpc_call_sync(mnt_clnt, &msg, RPC_TASK_SOFT|RPC_TASK_TIMEOUT);
819 rpc_shutdown_client(mnt_clnt);
820
821 if (status < 0)
822 diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
823 index d51868e..2257d1f 100644
824 --- a/fs/nfs/namespace.c
825 +++ b/fs/nfs/namespace.c
826 @@ -37,6 +37,7 @@ static struct vfsmount *nfs_do_submount(struct dentry *dentry,
827 * @dentry - pointer to dentry
828 * @buffer - result buffer
829 * @buflen - length of buffer
830 + * @flags - options (see below)
831 *
832 * Helper function for constructing the server pathname
833 * by arbitrary hashed dentry.
834 @@ -44,8 +45,14 @@ static struct vfsmount *nfs_do_submount(struct dentry *dentry,
835 * This is mainly for use in figuring out the path on the
836 * server side when automounting on top of an existing partition
837 * and in generating /proc/mounts and friends.
838 + *
839 + * Supported flags:
840 + * NFS_PATH_CANONICAL: ensure there is exactly one slash after
841 + * the original device (export) name
842 + * (if unset, the original name is returned verbatim)
843 */
844 -char *nfs_path(char **p, struct dentry *dentry, char *buffer, ssize_t buflen)
845 +char *nfs_path(char **p, struct dentry *dentry, char *buffer, ssize_t buflen,
846 + unsigned flags)
847 {
848 char *end;
849 int namelen;
850 @@ -78,7 +85,7 @@ rename_retry:
851 rcu_read_unlock();
852 goto rename_retry;
853 }
854 - if (*end != '/') {
855 + if ((flags & NFS_PATH_CANONICAL) && *end != '/') {
856 if (--buflen < 0) {
857 spin_unlock(&dentry->d_lock);
858 rcu_read_unlock();
859 @@ -95,9 +102,11 @@ rename_retry:
860 return end;
861 }
862 namelen = strlen(base);
863 - /* Strip off excess slashes in base string */
864 - while (namelen > 0 && base[namelen - 1] == '/')
865 - namelen--;
866 + if (flags & NFS_PATH_CANONICAL) {
867 + /* Strip off excess slashes in base string */
868 + while (namelen > 0 && base[namelen - 1] == '/')
869 + namelen--;
870 + }
871 buflen -= namelen;
872 if (buflen < 0) {
873 spin_unlock(&dentry->d_lock);
874 diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
875 index a7f3ded..b604be2 100644
876 --- a/fs/nfs/nfs4namespace.c
877 +++ b/fs/nfs/nfs4namespace.c
878 @@ -81,7 +81,8 @@ static char *nfs_path_component(const char *nfspath, const char *end)
879 static char *nfs4_path(struct dentry *dentry, char *buffer, ssize_t buflen)
880 {
881 char *limit;
882 - char *path = nfs_path(&limit, dentry, buffer, buflen);
883 + char *path = nfs_path(&limit, dentry, buffer, buflen,
884 + NFS_PATH_CANONICAL);
885 if (!IS_ERR(path)) {
886 char *path_component = nfs_path_component(path, limit);
887 if (path_component)
888 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
889 index b106b97..5e80180 100644
890 --- a/fs/nfs/nfs4proc.c
891 +++ b/fs/nfs/nfs4proc.c
892 @@ -1478,9 +1478,11 @@ static void nfs4_open_prepare(struct rpc_task *task, void *calldata)
893 data->timestamp = jiffies;
894 if (nfs4_setup_sequence(data->o_arg.server,
895 &data->o_arg.seq_args,
896 - &data->o_res.seq_res, task))
897 - return;
898 - rpc_call_start(task);
899 + &data->o_res.seq_res,
900 + task) != 0)
901 + nfs_release_seqid(data->o_arg.seqid);
902 + else
903 + rpc_call_start(task);
904 return;
905 unlock_no_action:
906 rcu_read_unlock();
907 @@ -2097,9 +2099,10 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data)
908 if (nfs4_setup_sequence(NFS_SERVER(calldata->inode),
909 &calldata->arg.seq_args,
910 &calldata->res.seq_res,
911 - task))
912 - goto out;
913 - rpc_call_start(task);
914 + task) != 0)
915 + nfs_release_seqid(calldata->arg.seqid);
916 + else
917 + rpc_call_start(task);
918 out:
919 dprintk("%s: done!\n", __func__);
920 }
921 @@ -4306,6 +4309,7 @@ static void nfs4_locku_done(struct rpc_task *task, void *data)
922 if (nfs4_async_handle_error(task, calldata->server, NULL) == -EAGAIN)
923 rpc_restart_call_prepare(task);
924 }
925 + nfs_release_seqid(calldata->arg.seqid);
926 }
927
928 static void nfs4_locku_prepare(struct rpc_task *task, void *data)
929 @@ -4322,9 +4326,11 @@ static void nfs4_locku_prepare(struct rpc_task *task, void *data)
930 calldata->timestamp = jiffies;
931 if (nfs4_setup_sequence(calldata->server,
932 &calldata->arg.seq_args,
933 - &calldata->res.seq_res, task))
934 - return;
935 - rpc_call_start(task);
936 + &calldata->res.seq_res,
937 + task) != 0)
938 + nfs_release_seqid(calldata->arg.seqid);
939 + else
940 + rpc_call_start(task);
941 }
942
943 static const struct rpc_call_ops nfs4_locku_ops = {
944 @@ -4469,7 +4475,7 @@ static void nfs4_lock_prepare(struct rpc_task *task, void *calldata)
945 /* Do we need to do an open_to_lock_owner? */
946 if (!(data->arg.lock_seqid->sequence->flags & NFS_SEQID_CONFIRMED)) {
947 if (nfs_wait_on_sequence(data->arg.open_seqid, task) != 0)
948 - return;
949 + goto out_release_lock_seqid;
950 data->arg.open_stateid = &state->stateid;
951 data->arg.new_lock_owner = 1;
952 data->res.open_seqid = data->arg.open_seqid;
953 @@ -4478,10 +4484,15 @@ static void nfs4_lock_prepare(struct rpc_task *task, void *calldata)
954 data->timestamp = jiffies;
955 if (nfs4_setup_sequence(data->server,
956 &data->arg.seq_args,
957 - &data->res.seq_res, task))
958 + &data->res.seq_res,
959 + task) == 0) {
960 + rpc_call_start(task);
961 return;
962 - rpc_call_start(task);
963 - dprintk("%s: done!, ret = %d\n", __func__, data->rpc_status);
964 + }
965 + nfs_release_seqid(data->arg.open_seqid);
966 +out_release_lock_seqid:
967 + nfs_release_seqid(data->arg.lock_seqid);
968 + dprintk("%s: done!, ret = %d\n", __func__, task->tk_status);
969 }
970
971 static void nfs4_recover_lock_prepare(struct rpc_task *task, void *calldata)
972 diff --git a/fs/nfs/super.c b/fs/nfs/super.c
973 index 5976e24..feabe7a 100644
974 --- a/fs/nfs/super.c
975 +++ b/fs/nfs/super.c
976 @@ -812,7 +812,7 @@ static int nfs_show_devname(struct seq_file *m, struct dentry *root)
977 int err = 0;
978 if (!page)
979 return -ENOMEM;
980 - devname = nfs_path(&dummy, root, page, PAGE_SIZE);
981 + devname = nfs_path(&dummy, root, page, PAGE_SIZE, 0);
982 if (IS_ERR(devname))
983 err = PTR_ERR(devname);
984 else
985 diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
986 index 8e9689a..e9a020f 100644
987 --- a/fs/nfsd/export.c
988 +++ b/fs/nfsd/export.c
989 @@ -401,7 +401,7 @@ fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc)
990 int migrated, i, err;
991
992 /* listsize */
993 - err = get_int(mesg, &fsloc->locations_count);
994 + err = get_uint(mesg, &fsloc->locations_count);
995 if (err)
996 return err;
997 if (fsloc->locations_count > MAX_FS_LOCATIONS)
998 @@ -459,7 +459,7 @@ static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp)
999 return -EINVAL;
1000
1001 for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) {
1002 - err = get_int(mesg, &f->pseudoflavor);
1003 + err = get_uint(mesg, &f->pseudoflavor);
1004 if (err)
1005 return err;
1006 /*
1007 @@ -468,7 +468,7 @@ static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp)
1008 * problem at export time instead of when a client fails
1009 * to authenticate.
1010 */
1011 - err = get_int(mesg, &f->flags);
1012 + err = get_uint(mesg, &f->flags);
1013 if (err)
1014 return err;
1015 /* Only some flags are allowed to differ between flavors: */
1016 diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
1017 index 8ecad5b..0abb162 100644
1018 --- a/fs/xfs/xfs_log_recover.c
1019 +++ b/fs/xfs/xfs_log_recover.c
1020 @@ -3514,7 +3514,7 @@ xlog_do_recovery_pass(
1021 * - order is important.
1022 */
1023 error = xlog_bread_offset(log, 0,
1024 - bblks - split_bblks, hbp,
1025 + bblks - split_bblks, dbp,
1026 offset + BBTOB(split_bblks));
1027 if (error)
1028 goto bread_err2;
1029 diff --git a/include/linux/sunrpc/cache.h b/include/linux/sunrpc/cache.h
1030 index f5fd616..dd2bb84 100644
1031 --- a/include/linux/sunrpc/cache.h
1032 +++ b/include/linux/sunrpc/cache.h
1033 @@ -228,6 +228,22 @@ static inline int get_int(char **bpp, int *anint)
1034 return 0;
1035 }
1036
1037 +static inline int get_uint(char **bpp, unsigned int *anint)
1038 +{
1039 + char buf[50];
1040 + int len = qword_get(bpp, buf, sizeof(buf));
1041 +
1042 + if (len < 0)
1043 + return -EINVAL;
1044 + if (len == 0)
1045 + return -ENOENT;
1046 +
1047 + if (kstrtouint(buf, 0, anint))
1048 + return -EINVAL;
1049 +
1050 + return 0;
1051 +}
1052 +
1053 /*
1054 * timestamps kept in the cache are expressed in seconds
1055 * since boot. This is the best for measuring differences in
1056 diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
1057 index 83d800c..b4de194 100644
1058 --- a/include/net/cfg80211.h
1059 +++ b/include/net/cfg80211.h
1060 @@ -2480,6 +2480,15 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb);
1061 unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc);
1062
1063 /**
1064 + * ieee80211_get_mesh_hdrlen - get mesh extension header length
1065 + * @meshhdr: the mesh extension header, only the flags field
1066 + * (first byte) will be accessed
1067 + * Returns the length of the extension header, which is always at
1068 + * least 6 bytes and at most 18 if address 5 and 6 are present.
1069 + */
1070 +unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr);
1071 +
1072 +/**
1073 * DOC: Data path helpers
1074 *
1075 * In addition to generic utilities, cfg80211 also offers
1076 diff --git a/include/sound/core.h b/include/sound/core.h
1077 index bc05668..93896ad 100644
1078 --- a/include/sound/core.h
1079 +++ b/include/sound/core.h
1080 @@ -132,6 +132,7 @@ struct snd_card {
1081 int shutdown; /* this card is going down */
1082 int free_on_last_close; /* free in context of file_release */
1083 wait_queue_head_t shutdown_sleep;
1084 + atomic_t refcount; /* refcount for disconnection */
1085 struct device *dev; /* device assigned to this card */
1086 struct device *card_dev; /* cardX object for sysfs */
1087
1088 @@ -189,6 +190,7 @@ struct snd_minor {
1089 const struct file_operations *f_ops; /* file operations */
1090 void *private_data; /* private data for f_ops->open */
1091 struct device *dev; /* device for sysfs */
1092 + struct snd_card *card_ptr; /* assigned card instance */
1093 };
1094
1095 /* return a device pointer linked to each sound device as a parent */
1096 @@ -295,6 +297,7 @@ int snd_card_info_done(void);
1097 int snd_component_add(struct snd_card *card, const char *component);
1098 int snd_card_file_add(struct snd_card *card, struct file *file);
1099 int snd_card_file_remove(struct snd_card *card, struct file *file);
1100 +void snd_card_unref(struct snd_card *card);
1101
1102 #define snd_card_set_dev(card, devptr) ((card)->dev = (devptr))
1103
1104 diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h
1105 index 92f1a79..348c4fe 100644
1106 --- a/include/trace/events/xen.h
1107 +++ b/include/trace/events/xen.h
1108 @@ -377,6 +377,14 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd,
1109 DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin);
1110 DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin);
1111
1112 +TRACE_EVENT(xen_mmu_flush_tlb_all,
1113 + TP_PROTO(int x),
1114 + TP_ARGS(x),
1115 + TP_STRUCT__entry(__array(char, x, 0)),
1116 + TP_fast_assign((void)x),
1117 + TP_printk("%s", "")
1118 + );
1119 +
1120 TRACE_EVENT(xen_mmu_flush_tlb,
1121 TP_PROTO(int x),
1122 TP_ARGS(x),
1123 diff --git a/kernel/futex.c b/kernel/futex.c
1124 index 3717e7b..20ef219 100644
1125 --- a/kernel/futex.c
1126 +++ b/kernel/futex.c
1127 @@ -716,7 +716,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
1128 struct futex_pi_state **ps,
1129 struct task_struct *task, int set_waiters)
1130 {
1131 - int lock_taken, ret, ownerdied = 0;
1132 + int lock_taken, ret, force_take = 0;
1133 u32 uval, newval, curval, vpid = task_pid_vnr(task);
1134
1135 retry:
1136 @@ -755,17 +755,15 @@ retry:
1137 newval = curval | FUTEX_WAITERS;
1138
1139 /*
1140 - * There are two cases, where a futex might have no owner (the
1141 - * owner TID is 0): OWNER_DIED. We take over the futex in this
1142 - * case. We also do an unconditional take over, when the owner
1143 - * of the futex died.
1144 - *
1145 - * This is safe as we are protected by the hash bucket lock !
1146 + * Should we force take the futex? See below.
1147 */
1148 - if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
1149 - /* Keep the OWNER_DIED bit */
1150 + if (unlikely(force_take)) {
1151 + /*
1152 + * Keep the OWNER_DIED and the WAITERS bit and set the
1153 + * new TID value.
1154 + */
1155 newval = (curval & ~FUTEX_TID_MASK) | vpid;
1156 - ownerdied = 0;
1157 + force_take = 0;
1158 lock_taken = 1;
1159 }
1160
1161 @@ -775,7 +773,7 @@ retry:
1162 goto retry;
1163
1164 /*
1165 - * We took the lock due to owner died take over.
1166 + * We took the lock due to forced take over.
1167 */
1168 if (unlikely(lock_taken))
1169 return 1;
1170 @@ -790,20 +788,25 @@ retry:
1171 switch (ret) {
1172 case -ESRCH:
1173 /*
1174 - * No owner found for this futex. Check if the
1175 - * OWNER_DIED bit is set to figure out whether
1176 - * this is a robust futex or not.
1177 + * We failed to find an owner for this
1178 + * futex. So we have no pi_state to block
1179 + * on. This can happen in two cases:
1180 + *
1181 + * 1) The owner died
1182 + * 2) A stale FUTEX_WAITERS bit
1183 + *
1184 + * Re-read the futex value.
1185 */
1186 if (get_futex_value_locked(&curval, uaddr))
1187 return -EFAULT;
1188
1189 /*
1190 - * We simply start over in case of a robust
1191 - * futex. The code above will take the futex
1192 - * and return happy.
1193 + * If the owner died or we have a stale
1194 + * WAITERS bit the owner TID in the user space
1195 + * futex is 0.
1196 */
1197 - if (curval & FUTEX_OWNER_DIED) {
1198 - ownerdied = 1;
1199 + if (!(curval & FUTEX_TID_MASK)) {
1200 + force_take = 1;
1201 goto retry;
1202 }
1203 default:
1204 diff --git a/net/core/dev.c b/net/core/dev.c
1205 index 82ca51b..24a21f3 100644
1206 --- a/net/core/dev.c
1207 +++ b/net/core/dev.c
1208 @@ -1643,7 +1643,7 @@ static inline int deliver_skb(struct sk_buff *skb,
1209
1210 static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
1211 {
1212 - if (ptype->af_packet_priv == NULL)
1213 + if (!ptype->af_packet_priv || !skb->sk)
1214 return false;
1215
1216 if (ptype->id_match)
1217 diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
1218 index 8f8db72..dda5383 100644
1219 --- a/net/ipv4/inet_diag.c
1220 +++ b/net/ipv4/inet_diag.c
1221 @@ -875,13 +875,16 @@ static int __inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
1222 struct inet_diag_req_v2 *r, struct nlattr *bc)
1223 {
1224 const struct inet_diag_handler *handler;
1225 + int err = 0;
1226
1227 handler = inet_diag_lock_handler(r->sdiag_protocol);
1228 if (!IS_ERR(handler))
1229 handler->dump(skb, cb, r, bc);
1230 + else
1231 + err = PTR_ERR(handler);
1232 inet_diag_unlock_handler(handler);
1233
1234 - return skb->len;
1235 + return err ? : skb->len;
1236 }
1237
1238 static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
1239 diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
1240 index 8fbe2e2..01870bd 100644
1241 --- a/net/ipv4/tcp.c
1242 +++ b/net/ipv4/tcp.c
1243 @@ -481,14 +481,12 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
1244 !tp->urg_data ||
1245 before(tp->urg_seq, tp->copied_seq) ||
1246 !before(tp->urg_seq, tp->rcv_nxt)) {
1247 - struct sk_buff *skb;
1248
1249 answ = tp->rcv_nxt - tp->copied_seq;
1250
1251 - /* Subtract 1, if FIN is in queue. */
1252 - skb = skb_peek_tail(&sk->sk_receive_queue);
1253 - if (answ && skb)
1254 - answ -= tcp_hdr(skb)->fin;
1255 + /* Subtract 1, if FIN was received */
1256 + if (answ && sock_flag(sk, SOCK_DONE))
1257 + answ--;
1258 } else
1259 answ = tp->urg_seq - tp->copied_seq;
1260 release_sock(sk);
1261 diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
1262 index 813b43a..834857f 100644
1263 --- a/net/ipv4/tcp_illinois.c
1264 +++ b/net/ipv4/tcp_illinois.c
1265 @@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
1266 .tcpv_rttcnt = ca->cnt_rtt,
1267 .tcpv_minrtt = ca->base_rtt,
1268 };
1269 - u64 t = ca->sum_rtt;
1270
1271 - do_div(t, ca->cnt_rtt);
1272 - info.tcpv_rtt = t;
1273 + if (info.tcpv_rttcnt > 0) {
1274 + u64 t = ca->sum_rtt;
1275
1276 + do_div(t, info.tcpv_rttcnt);
1277 + info.tcpv_rtt = t;
1278 + }
1279 nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
1280 }
1281 }
1282 diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
1283 index 176b469..843d6eb 100644
1284 --- a/net/ipv6/ndisc.c
1285 +++ b/net/ipv6/ndisc.c
1286 @@ -593,7 +593,7 @@ static void ndisc_send_unsol_na(struct net_device *dev)
1287 {
1288 struct inet6_dev *idev;
1289 struct inet6_ifaddr *ifa;
1290 - struct in6_addr mcaddr;
1291 + struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
1292
1293 idev = in6_dev_get(dev);
1294 if (!idev)
1295 @@ -601,7 +601,6 @@ static void ndisc_send_unsol_na(struct net_device *dev)
1296
1297 read_lock_bh(&idev->lock);
1298 list_for_each_entry(ifa, &idev->addr_list, if_list) {
1299 - addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
1300 ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
1301 /*router=*/ !!idev->cnf.forwarding,
1302 /*solicited=*/ false, /*override=*/ true,
1303 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
1304 index 2796b37..b84cba1 100644
1305 --- a/net/ipv6/route.c
1306 +++ b/net/ipv6/route.c
1307 @@ -203,7 +203,7 @@ static struct dst_ops ip6_dst_blackhole_ops = {
1308 };
1309
1310 static const u32 ip6_template_metrics[RTAX_MAX] = {
1311 - [RTAX_HOPLIMIT - 1] = 255,
1312 + [RTAX_HOPLIMIT - 1] = 0,
1313 };
1314
1315 static struct rt6_info ip6_null_entry_template = {
1316 @@ -1135,7 +1135,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
1317 rt->rt6i_dst.addr = fl6->daddr;
1318 rt->rt6i_dst.plen = 128;
1319 rt->rt6i_idev = idev;
1320 - dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
1321 + dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0);
1322
1323 spin_lock_bh(&icmp6_dst_lock);
1324 rt->dst.next = icmp6_dst_gc_list;
1325 diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
1326 index 5c82907..ab9a293 100644
1327 --- a/net/l2tp/l2tp_eth.c
1328 +++ b/net/l2tp/l2tp_eth.c
1329 @@ -269,6 +269,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
1330
1331 out_del_dev:
1332 free_netdev(dev);
1333 + spriv->dev = NULL;
1334 out_del_session:
1335 l2tp_session_delete(session);
1336 out:
1337 diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
1338 index cef7c29..4a3666b 100644
1339 --- a/net/mac80211/ibss.c
1340 +++ b/net/mac80211/ibss.c
1341 @@ -1110,7 +1110,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
1342 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1343 sdata->u.ibss.ibss_join_req = jiffies;
1344
1345 - memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
1346 + memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
1347 sdata->u.ibss.ssid_len = params->ssid_len;
1348
1349 mutex_unlock(&sdata->u.ibss.mtx);
1350 diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
1351 index c9b508e..8ce9feb 100644
1352 --- a/net/mac80211/rx.c
1353 +++ b/net/mac80211/rx.c
1354 @@ -513,6 +513,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1355
1356 if (ieee80211_is_action(hdr->frame_control)) {
1357 u8 category;
1358 +
1359 + /* make sure category field is present */
1360 + if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1361 + return RX_DROP_MONITOR;
1362 +
1363 mgmt = (struct ieee80211_mgmt *)hdr;
1364 category = mgmt->u.action.category;
1365 if (category != WLAN_CATEGORY_MESH_ACTION &&
1366 @@ -869,14 +874,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1367 */
1368 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1369 ieee80211_is_data_present(hdr->frame_control)) {
1370 - u16 ethertype;
1371 - u8 *payload;
1372 -
1373 - payload = rx->skb->data +
1374 - ieee80211_hdrlen(hdr->frame_control);
1375 - ethertype = (payload[6] << 8) | payload[7];
1376 - if (cpu_to_be16(ethertype) ==
1377 - rx->sdata->control_port_protocol)
1378 + unsigned int hdrlen;
1379 + __be16 ethertype;
1380 +
1381 + hdrlen = ieee80211_hdrlen(hdr->frame_control);
1382 +
1383 + if (rx->skb->len < hdrlen + 8)
1384 + return RX_DROP_MONITOR;
1385 +
1386 + skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
1387 + if (ethertype == rx->sdata->control_port_protocol)
1388 return RX_CONTINUE;
1389 }
1390
1391 @@ -1465,11 +1472,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1392
1393 hdr = (struct ieee80211_hdr *)rx->skb->data;
1394 fc = hdr->frame_control;
1395 +
1396 + if (ieee80211_is_ctl(fc))
1397 + return RX_CONTINUE;
1398 +
1399 sc = le16_to_cpu(hdr->seq_ctrl);
1400 frag = sc & IEEE80211_SCTL_FRAG;
1401
1402 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
1403 - (rx->skb)->len < 24 ||
1404 is_multicast_ether_addr(hdr->addr1))) {
1405 /* not fragmented */
1406 goto out;
1407 @@ -1892,6 +1902,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1408
1409 hdr = (struct ieee80211_hdr *) skb->data;
1410 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1411 +
1412 + /* make sure fixed part of mesh header is there, also checks skb len */
1413 + if (!pskb_may_pull(rx->skb, hdrlen + 6))
1414 + return RX_DROP_MONITOR;
1415 +
1416 + mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1417 +
1418 + /* make sure full mesh header is there, also checks skb len */
1419 + if (!pskb_may_pull(rx->skb,
1420 + hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
1421 + return RX_DROP_MONITOR;
1422 +
1423 + /* reload pointers */
1424 + hdr = (struct ieee80211_hdr *) skb->data;
1425 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1426
1427 /* frame is in RMC, don't forward */
1428 @@ -1900,7 +1924,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1429 mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
1430 return RX_DROP_MONITOR;
1431
1432 - if (!ieee80211_is_data(hdr->frame_control))
1433 + if (!ieee80211_is_data(hdr->frame_control) ||
1434 + !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1435 return RX_CONTINUE;
1436
1437 if (!mesh_hdr->ttl)
1438 @@ -1914,9 +1939,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1439 if (is_multicast_ether_addr(hdr->addr1)) {
1440 mpp_addr = hdr->addr3;
1441 proxied_addr = mesh_hdr->eaddr1;
1442 - } else {
1443 + } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
1444 + /* has_a4 already checked in ieee80211_rx_mesh_check */
1445 mpp_addr = hdr->addr4;
1446 proxied_addr = mesh_hdr->eaddr2;
1447 + } else {
1448 + return RX_DROP_MONITOR;
1449 }
1450
1451 rcu_read_lock();
1452 @@ -1944,9 +1972,6 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1453 }
1454 skb_set_queue_mapping(skb, q);
1455
1456 - if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1457 - goto out;
1458 -
1459 if (!--mesh_hdr->ttl) {
1460 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
1461 return RX_DROP_MONITOR;
1462 @@ -2361,6 +2386,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1463 }
1464 break;
1465 case WLAN_CATEGORY_SELF_PROTECTED:
1466 + if (len < (IEEE80211_MIN_ACTION_SIZE +
1467 + sizeof(mgmt->u.action.u.self_prot.action_code)))
1468 + break;
1469 +
1470 switch (mgmt->u.action.u.self_prot.action_code) {
1471 case WLAN_SP_MESH_PEERING_OPEN:
1472 case WLAN_SP_MESH_PEERING_CLOSE:
1473 @@ -2379,6 +2408,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1474 }
1475 break;
1476 case WLAN_CATEGORY_MESH_ACTION:
1477 + if (len < (IEEE80211_MIN_ACTION_SIZE +
1478 + sizeof(mgmt->u.action.u.mesh_action.action_code)))
1479 + break;
1480 +
1481 if (!ieee80211_vif_is_mesh(&sdata->vif))
1482 break;
1483 if (mesh_action_is_path_sel(mgmt) &&
1484 @@ -2927,10 +2960,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
1485 test_bit(SCAN_SW_SCANNING, &local->scanning)))
1486 status->rx_flags |= IEEE80211_RX_IN_SCAN;
1487
1488 - if (ieee80211_is_mgmt(fc))
1489 - err = skb_linearize(skb);
1490 - else
1491 + if (ieee80211_is_mgmt(fc)) {
1492 + /* drop frame if too short for header */
1493 + if (skb->len < ieee80211_hdrlen(fc))
1494 + err = -ENOBUFS;
1495 + else
1496 + err = skb_linearize(skb);
1497 + } else {
1498 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
1499 + }
1500
1501 if (err) {
1502 dev_kfree_skb(skb);
1503 diff --git a/net/mac80211/util.c b/net/mac80211/util.c
1504 index eb9d7c0..266d092 100644
1505 --- a/net/mac80211/util.c
1506 +++ b/net/mac80211/util.c
1507 @@ -592,13 +592,38 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
1508 break;
1509 }
1510
1511 - if (id != WLAN_EID_VENDOR_SPECIFIC &&
1512 - id != WLAN_EID_QUIET &&
1513 - test_bit(id, seen_elems)) {
1514 - elems->parse_error = true;
1515 - left -= elen;
1516 - pos += elen;
1517 - continue;
1518 + switch (id) {
1519 + case WLAN_EID_SSID:
1520 + case WLAN_EID_SUPP_RATES:
1521 + case WLAN_EID_FH_PARAMS:
1522 + case WLAN_EID_DS_PARAMS:
1523 + case WLAN_EID_CF_PARAMS:
1524 + case WLAN_EID_TIM:
1525 + case WLAN_EID_IBSS_PARAMS:
1526 + case WLAN_EID_CHALLENGE:
1527 + case WLAN_EID_RSN:
1528 + case WLAN_EID_ERP_INFO:
1529 + case WLAN_EID_EXT_SUPP_RATES:
1530 + case WLAN_EID_HT_CAPABILITY:
1531 + case WLAN_EID_MESH_ID:
1532 + case WLAN_EID_MESH_CONFIG:
1533 + case WLAN_EID_PEER_MGMT:
1534 + case WLAN_EID_PREQ:
1535 + case WLAN_EID_PREP:
1536 + case WLAN_EID_PERR:
1537 + case WLAN_EID_RANN:
1538 + case WLAN_EID_CHANNEL_SWITCH:
1539 + case WLAN_EID_EXT_CHANSWITCH_ANN:
1540 + case WLAN_EID_COUNTRY:
1541 + case WLAN_EID_PWR_CONSTRAINT:
1542 + case WLAN_EID_TIMEOUT_INTERVAL:
1543 + if (test_bit(id, seen_elems)) {
1544 + elems->parse_error = true;
1545 + left -= elen;
1546 + pos += elen;
1547 + continue;
1548 + }
1549 + break;
1550 }
1551
1552 if (calc_crc && id < 64 && (filter & (1ULL << id)))
1553 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
1554 index edce424..9017e3e 100644
1555 --- a/net/netlink/af_netlink.c
1556 +++ b/net/netlink/af_netlink.c
1557 @@ -137,6 +137,8 @@ static void netlink_destroy_callback(struct netlink_callback *cb);
1558 static DEFINE_RWLOCK(nl_table_lock);
1559 static atomic_t nl_table_users = ATOMIC_INIT(0);
1560
1561 +#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
1562 +
1563 static ATOMIC_NOTIFIER_HEAD(netlink_chain);
1564
1565 static inline u32 netlink_group_mask(u32 group)
1566 @@ -332,6 +334,11 @@ netlink_update_listeners(struct sock *sk)
1567 struct hlist_node *node;
1568 unsigned long mask;
1569 unsigned int i;
1570 + struct listeners *listeners;
1571 +
1572 + listeners = nl_deref_protected(tbl->listeners);
1573 + if (!listeners)
1574 + return;
1575
1576 for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
1577 mask = 0;
1578 @@ -339,7 +346,7 @@ netlink_update_listeners(struct sock *sk)
1579 if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
1580 mask |= nlk_sk(sk)->groups[i];
1581 }
1582 - tbl->listeners->masks[i] = mask;
1583 + listeners->masks[i] = mask;
1584 }
1585 /* this function is only called with the netlink table "grabbed", which
1586 * makes sure updates are visible before bind or setsockopt return. */
1587 @@ -520,7 +527,11 @@ static int netlink_release(struct socket *sock)
1588 if (netlink_is_kernel(sk)) {
1589 BUG_ON(nl_table[sk->sk_protocol].registered == 0);
1590 if (--nl_table[sk->sk_protocol].registered == 0) {
1591 - kfree(nl_table[sk->sk_protocol].listeners);
1592 + struct listeners *old;
1593 +
1594 + old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
1595 + RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
1596 + kfree_rcu(old, rcu);
1597 nl_table[sk->sk_protocol].module = NULL;
1598 nl_table[sk->sk_protocol].registered = 0;
1599 }
1600 @@ -950,7 +961,7 @@ int netlink_has_listeners(struct sock *sk, unsigned int group)
1601 rcu_read_lock();
1602 listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
1603
1604 - if (group - 1 < nl_table[sk->sk_protocol].groups)
1605 + if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
1606 res = test_bit(group - 1, listeners->masks);
1607
1608 rcu_read_unlock();
1609 @@ -1582,7 +1593,7 @@ int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
1610 new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
1611 if (!new)
1612 return -ENOMEM;
1613 - old = rcu_dereference_protected(tbl->listeners, 1);
1614 + old = nl_deref_protected(tbl->listeners);
1615 memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
1616 rcu_assign_pointer(tbl->listeners, new);
1617
1618 diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
1619 index 1ff51c9..2fdb05d 100644
1620 --- a/net/sctp/sm_sideeffect.c
1621 +++ b/net/sctp/sm_sideeffect.c
1622 @@ -1610,8 +1610,9 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
1623 asoc->outqueue.outstanding_bytes;
1624 sackh.num_gap_ack_blocks = 0;
1625 sackh.num_dup_tsns = 0;
1626 + chunk->subh.sack_hdr = &sackh;
1627 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
1628 - SCTP_SACKH(&sackh));
1629 + SCTP_CHUNK(chunk));
1630 break;
1631
1632 case SCTP_CMD_DISCARD_PACKET:
1633 diff --git a/net/wireless/core.c b/net/wireless/core.c
1634 index bb5302d..7917c74 100644
1635 --- a/net/wireless/core.c
1636 +++ b/net/wireless/core.c
1637 @@ -552,8 +552,7 @@ int wiphy_register(struct wiphy *wiphy)
1638 for (i = 0; i < sband->n_channels; i++) {
1639 sband->channels[i].orig_flags =
1640 sband->channels[i].flags;
1641 - sband->channels[i].orig_mag =
1642 - sband->channels[i].max_antenna_gain;
1643 + sband->channels[i].orig_mag = INT_MAX;
1644 sband->channels[i].orig_mpwr =
1645 sband->channels[i].max_power;
1646 sband->channels[i].band = band;
1647 diff --git a/net/wireless/util.c b/net/wireless/util.c
1648 index d835377..d22dce7 100644
1649 --- a/net/wireless/util.c
1650 +++ b/net/wireless/util.c
1651 @@ -290,23 +290,21 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
1652 }
1653 EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
1654
1655 -static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
1656 +unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
1657 {
1658 int ae = meshhdr->flags & MESH_FLAGS_AE;
1659 - /* 7.1.3.5a.2 */
1660 + /* 802.11-2012, 8.2.4.7.3 */
1661 switch (ae) {
1662 + default:
1663 case 0:
1664 return 6;
1665 case MESH_FLAGS_AE_A4:
1666 return 12;
1667 case MESH_FLAGS_AE_A5_A6:
1668 return 18;
1669 - case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
1670 - return 24;
1671 - default:
1672 - return 6;
1673 }
1674 }
1675 +EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
1676
1677 int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
1678 enum nl80211_iftype iftype)
1679 @@ -354,6 +352,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
1680 /* make sure meshdr->flags is on the linear part */
1681 if (!pskb_may_pull(skb, hdrlen + 1))
1682 return -1;
1683 + if (meshdr->flags & MESH_FLAGS_AE_A4)
1684 + return -1;
1685 if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
1686 skb_copy_bits(skb, hdrlen +
1687 offsetof(struct ieee80211s_hdr, eaddr1),
1688 @@ -378,6 +378,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
1689 /* make sure meshdr->flags is on the linear part */
1690 if (!pskb_may_pull(skb, hdrlen + 1))
1691 return -1;
1692 + if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
1693 + return -1;
1694 if (meshdr->flags & MESH_FLAGS_AE_A4)
1695 skb_copy_bits(skb, hdrlen +
1696 offsetof(struct ieee80211s_hdr, eaddr1),
1697 diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
1698 index a68aed7..a58cf35 100644
1699 --- a/sound/core/compress_offload.c
1700 +++ b/sound/core/compress_offload.c
1701 @@ -102,12 +102,15 @@ static int snd_compr_open(struct inode *inode, struct file *f)
1702
1703 if (dirn != compr->direction) {
1704 pr_err("this device doesn't support this direction\n");
1705 + snd_card_unref(compr->card);
1706 return -EINVAL;
1707 }
1708
1709 data = kzalloc(sizeof(*data), GFP_KERNEL);
1710 - if (!data)
1711 + if (!data) {
1712 + snd_card_unref(compr->card);
1713 return -ENOMEM;
1714 + }
1715 data->stream.ops = compr->ops;
1716 data->stream.direction = dirn;
1717 data->stream.private_data = compr->private_data;
1718 @@ -115,6 +118,7 @@ static int snd_compr_open(struct inode *inode, struct file *f)
1719 runtime = kzalloc(sizeof(*runtime), GFP_KERNEL);
1720 if (!runtime) {
1721 kfree(data);
1722 + snd_card_unref(compr->card);
1723 return -ENOMEM;
1724 }
1725 runtime->state = SNDRV_PCM_STATE_OPEN;
1726 @@ -128,7 +132,8 @@ static int snd_compr_open(struct inode *inode, struct file *f)
1727 kfree(runtime);
1728 kfree(data);
1729 }
1730 - return ret;
1731 + snd_card_unref(compr->card);
1732 + return 0;
1733 }
1734
1735 static int snd_compr_free(struct inode *inode, struct file *f)
1736 diff --git a/sound/core/control.c b/sound/core/control.c
1737 index 2487a6b..daa4fc8 100644
1738 --- a/sound/core/control.c
1739 +++ b/sound/core/control.c
1740 @@ -86,6 +86,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
1741 write_lock_irqsave(&card->ctl_files_rwlock, flags);
1742 list_add_tail(&ctl->list, &card->ctl_files);
1743 write_unlock_irqrestore(&card->ctl_files_rwlock, flags);
1744 + snd_card_unref(card);
1745 return 0;
1746
1747 __error:
1748 @@ -93,6 +94,8 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
1749 __error2:
1750 snd_card_file_remove(card, file);
1751 __error1:
1752 + if (card)
1753 + snd_card_unref(card);
1754 return err;
1755 }
1756
1757 @@ -1433,6 +1436,8 @@ static ssize_t snd_ctl_read(struct file *file, char __user *buffer,
1758 spin_unlock_irq(&ctl->read_lock);
1759 schedule();
1760 remove_wait_queue(&ctl->change_sleep, &wait);
1761 + if (ctl->card->shutdown)
1762 + return -ENODEV;
1763 if (signal_pending(current))
1764 return -ERESTARTSYS;
1765 spin_lock_irq(&ctl->read_lock);
1766 diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
1767 index 75ea16f..3f7f662 100644
1768 --- a/sound/core/hwdep.c
1769 +++ b/sound/core/hwdep.c
1770 @@ -100,8 +100,10 @@ static int snd_hwdep_open(struct inode *inode, struct file * file)
1771 if (hw == NULL)
1772 return -ENODEV;
1773
1774 - if (!try_module_get(hw->card->module))
1775 + if (!try_module_get(hw->card->module)) {
1776 + snd_card_unref(hw->card);
1777 return -EFAULT;
1778 + }
1779
1780 init_waitqueue_entry(&wait, current);
1781 add_wait_queue(&hw->open_wait, &wait);
1782 @@ -129,6 +131,10 @@ static int snd_hwdep_open(struct inode *inode, struct file * file)
1783 mutex_unlock(&hw->open_mutex);
1784 schedule();
1785 mutex_lock(&hw->open_mutex);
1786 + if (hw->card->shutdown) {
1787 + err = -ENODEV;
1788 + break;
1789 + }
1790 if (signal_pending(current)) {
1791 err = -ERESTARTSYS;
1792 break;
1793 @@ -148,6 +154,7 @@ static int snd_hwdep_open(struct inode *inode, struct file * file)
1794 mutex_unlock(&hw->open_mutex);
1795 if (err < 0)
1796 module_put(hw->card->module);
1797 + snd_card_unref(hw->card);
1798 return err;
1799 }
1800
1801 @@ -459,12 +466,15 @@ static int snd_hwdep_dev_disconnect(struct snd_device *device)
1802 mutex_unlock(&register_mutex);
1803 return -EINVAL;
1804 }
1805 + mutex_lock(&hwdep->open_mutex);
1806 + wake_up(&hwdep->open_wait);
1807 #ifdef CONFIG_SND_OSSEMUL
1808 if (hwdep->ossreg)
1809 snd_unregister_oss_device(hwdep->oss_type, hwdep->card, hwdep->device);
1810 #endif
1811 snd_unregister_device(SNDRV_DEVICE_TYPE_HWDEP, hwdep->card, hwdep->device);
1812 list_del_init(&hwdep->list);
1813 + mutex_unlock(&hwdep->open_mutex);
1814 mutex_unlock(&register_mutex);
1815 return 0;
1816 }
1817 diff --git a/sound/core/init.c b/sound/core/init.c
1818 index d8ec849..7b012d1 100644
1819 --- a/sound/core/init.c
1820 +++ b/sound/core/init.c
1821 @@ -213,6 +213,7 @@ int snd_card_create(int idx, const char *xid,
1822 spin_lock_init(&card->files_lock);
1823 INIT_LIST_HEAD(&card->files_list);
1824 init_waitqueue_head(&card->shutdown_sleep);
1825 + atomic_set(&card->refcount, 0);
1826 #ifdef CONFIG_PM
1827 mutex_init(&card->power_lock);
1828 init_waitqueue_head(&card->power_sleep);
1829 @@ -446,21 +447,36 @@ static int snd_card_do_free(struct snd_card *card)
1830 return 0;
1831 }
1832
1833 +/**
1834 + * snd_card_unref - release the reference counter
1835 + * @card: the card instance
1836 + *
1837 + * Decrements the reference counter. When it reaches to zero, wake up
1838 + * the sleeper and call the destructor if needed.
1839 + */
1840 +void snd_card_unref(struct snd_card *card)
1841 +{
1842 + if (atomic_dec_and_test(&card->refcount)) {
1843 + wake_up(&card->shutdown_sleep);
1844 + if (card->free_on_last_close)
1845 + snd_card_do_free(card);
1846 + }
1847 +}
1848 +EXPORT_SYMBOL(snd_card_unref);
1849 +
1850 int snd_card_free_when_closed(struct snd_card *card)
1851 {
1852 - int free_now = 0;
1853 - int ret = snd_card_disconnect(card);
1854 - if (ret)
1855 - return ret;
1856 + int ret;
1857
1858 - spin_lock(&card->files_lock);
1859 - if (list_empty(&card->files_list))
1860 - free_now = 1;
1861 - else
1862 - card->free_on_last_close = 1;
1863 - spin_unlock(&card->files_lock);
1864 + atomic_inc(&card->refcount);
1865 + ret = snd_card_disconnect(card);
1866 + if (ret) {
1867 + atomic_dec(&card->refcount);
1868 + return ret;
1869 + }
1870
1871 - if (free_now)
1872 + card->free_on_last_close = 1;
1873 + if (atomic_dec_and_test(&card->refcount))
1874 snd_card_do_free(card);
1875 return 0;
1876 }
1877 @@ -474,7 +490,7 @@ int snd_card_free(struct snd_card *card)
1878 return ret;
1879
1880 /* wait, until all devices are ready for the free operation */
1881 - wait_event(card->shutdown_sleep, list_empty(&card->files_list));
1882 + wait_event(card->shutdown_sleep, !atomic_read(&card->refcount));
1883 snd_card_do_free(card);
1884 return 0;
1885 }
1886 @@ -886,6 +902,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
1887 return -ENODEV;
1888 }
1889 list_add(&mfile->list, &card->files_list);
1890 + atomic_inc(&card->refcount);
1891 spin_unlock(&card->files_lock);
1892 return 0;
1893 }
1894 @@ -908,7 +925,6 @@ EXPORT_SYMBOL(snd_card_file_add);
1895 int snd_card_file_remove(struct snd_card *card, struct file *file)
1896 {
1897 struct snd_monitor_file *mfile, *found = NULL;
1898 - int last_close = 0;
1899
1900 spin_lock(&card->files_lock);
1901 list_for_each_entry(mfile, &card->files_list, list) {
1902 @@ -923,19 +939,13 @@ int snd_card_file_remove(struct snd_card *card, struct file *file)
1903 break;
1904 }
1905 }
1906 - if (list_empty(&card->files_list))
1907 - last_close = 1;
1908 spin_unlock(&card->files_lock);
1909 - if (last_close) {
1910 - wake_up(&card->shutdown_sleep);
1911 - if (card->free_on_last_close)
1912 - snd_card_do_free(card);
1913 - }
1914 if (!found) {
1915 snd_printk(KERN_ERR "ALSA card file remove problem (%p)\n", file);
1916 return -ENOENT;
1917 }
1918 kfree(found);
1919 + snd_card_unref(card);
1920 return 0;
1921 }
1922
1923 diff --git a/sound/core/oss/mixer_oss.c b/sound/core/oss/mixer_oss.c
1924 index 18297f7..c353768 100644
1925 --- a/sound/core/oss/mixer_oss.c
1926 +++ b/sound/core/oss/mixer_oss.c
1927 @@ -52,14 +52,19 @@ static int snd_mixer_oss_open(struct inode *inode, struct file *file)
1928 SNDRV_OSS_DEVICE_TYPE_MIXER);
1929 if (card == NULL)
1930 return -ENODEV;
1931 - if (card->mixer_oss == NULL)
1932 + if (card->mixer_oss == NULL) {
1933 + snd_card_unref(card);
1934 return -ENODEV;
1935 + }
1936 err = snd_card_file_add(card, file);
1937 - if (err < 0)
1938 + if (err < 0) {
1939 + snd_card_unref(card);
1940 return err;
1941 + }
1942 fmixer = kzalloc(sizeof(*fmixer), GFP_KERNEL);
1943 if (fmixer == NULL) {
1944 snd_card_file_remove(card, file);
1945 + snd_card_unref(card);
1946 return -ENOMEM;
1947 }
1948 fmixer->card = card;
1949 @@ -68,8 +73,10 @@ static int snd_mixer_oss_open(struct inode *inode, struct file *file)
1950 if (!try_module_get(card->module)) {
1951 kfree(fmixer);
1952 snd_card_file_remove(card, file);
1953 + snd_card_unref(card);
1954 return -EFAULT;
1955 }
1956 + snd_card_unref(card);
1957 return 0;
1958 }
1959
1960 diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
1961 index 08fde00..4c1cc51 100644
1962 --- a/sound/core/oss/pcm_oss.c
1963 +++ b/sound/core/oss/pcm_oss.c
1964 @@ -2441,6 +2441,10 @@ static int snd_pcm_oss_open(struct inode *inode, struct file *file)
1965 mutex_unlock(&pcm->open_mutex);
1966 schedule();
1967 mutex_lock(&pcm->open_mutex);
1968 + if (pcm->card->shutdown) {
1969 + err = -ENODEV;
1970 + break;
1971 + }
1972 if (signal_pending(current)) {
1973 err = -ERESTARTSYS;
1974 break;
1975 @@ -2450,6 +2454,7 @@ static int snd_pcm_oss_open(struct inode *inode, struct file *file)
1976 mutex_unlock(&pcm->open_mutex);
1977 if (err < 0)
1978 goto __error;
1979 + snd_card_unref(pcm->card);
1980 return err;
1981
1982 __error:
1983 @@ -2457,6 +2462,8 @@ static int snd_pcm_oss_open(struct inode *inode, struct file *file)
1984 __error2:
1985 snd_card_file_remove(pcm->card, file);
1986 __error1:
1987 + if (pcm)
1988 + snd_card_unref(pcm->card);
1989 return err;
1990 }
1991
1992 diff --git a/sound/core/pcm.c b/sound/core/pcm.c
1993 index 1a3070b..e30e1be 100644
1994 --- a/sound/core/pcm.c
1995 +++ b/sound/core/pcm.c
1996 @@ -1086,11 +1086,19 @@ static int snd_pcm_dev_disconnect(struct snd_device *device)
1997 if (list_empty(&pcm->list))
1998 goto unlock;
1999
2000 + mutex_lock(&pcm->open_mutex);
2001 + wake_up(&pcm->open_wait);
2002 list_del_init(&pcm->list);
2003 for (cidx = 0; cidx < 2; cidx++)
2004 - for (substream = pcm->streams[cidx].substream; substream; substream = substream->next)
2005 - if (substream->runtime)
2006 + for (substream = pcm->streams[cidx].substream; substream; substream = substream->next) {
2007 + snd_pcm_stream_lock_irq(substream);
2008 + if (substream->runtime) {
2009 substream->runtime->status->state = SNDRV_PCM_STATE_DISCONNECTED;
2010 + wake_up(&substream->runtime->sleep);
2011 + wake_up(&substream->runtime->tsleep);
2012 + }
2013 + snd_pcm_stream_unlock_irq(substream);
2014 + }
2015 list_for_each_entry(notify, &snd_pcm_notify_list, list) {
2016 notify->n_disconnect(pcm);
2017 }
2018 @@ -1106,6 +1114,7 @@ static int snd_pcm_dev_disconnect(struct snd_device *device)
2019 }
2020 snd_unregister_device(devtype, pcm->card, pcm->device);
2021 }
2022 + mutex_unlock(&pcm->open_mutex);
2023 unlock:
2024 mutex_unlock(&register_mutex);
2025 return 0;
2026 diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
2027 index 3fe99e6..d535b34 100644
2028 --- a/sound/core/pcm_native.c
2029 +++ b/sound/core/pcm_native.c
2030 @@ -369,6 +369,14 @@ static int period_to_usecs(struct snd_pcm_runtime *runtime)
2031 return usecs;
2032 }
2033
2034 +static void snd_pcm_set_state(struct snd_pcm_substream *substream, int state)
2035 +{
2036 + snd_pcm_stream_lock_irq(substream);
2037 + if (substream->runtime->status->state != SNDRV_PCM_STATE_DISCONNECTED)
2038 + substream->runtime->status->state = state;
2039 + snd_pcm_stream_unlock_irq(substream);
2040 +}
2041 +
2042 static int snd_pcm_hw_params(struct snd_pcm_substream *substream,
2043 struct snd_pcm_hw_params *params)
2044 {
2045 @@ -452,7 +460,7 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream,
2046 runtime->boundary *= 2;
2047
2048 snd_pcm_timer_resolution_change(substream);
2049 - runtime->status->state = SNDRV_PCM_STATE_SETUP;
2050 + snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP);
2051
2052 if (pm_qos_request_active(&substream->latency_pm_qos_req))
2053 pm_qos_remove_request(&substream->latency_pm_qos_req);
2054 @@ -464,7 +472,7 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream,
2055 /* hardware might be unusable from this time,
2056 so we force application to retry to set
2057 the correct hardware parameter settings */
2058 - runtime->status->state = SNDRV_PCM_STATE_OPEN;
2059 + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
2060 if (substream->ops->hw_free != NULL)
2061 substream->ops->hw_free(substream);
2062 return err;
2063 @@ -512,7 +520,7 @@ static int snd_pcm_hw_free(struct snd_pcm_substream *substream)
2064 return -EBADFD;
2065 if (substream->ops->hw_free)
2066 result = substream->ops->hw_free(substream);
2067 - runtime->status->state = SNDRV_PCM_STATE_OPEN;
2068 + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
2069 pm_qos_remove_request(&substream->latency_pm_qos_req);
2070 return result;
2071 }
2072 @@ -1320,7 +1328,7 @@ static void snd_pcm_post_prepare(struct snd_pcm_substream *substream, int state)
2073 {
2074 struct snd_pcm_runtime *runtime = substream->runtime;
2075 runtime->control->appl_ptr = runtime->status->hw_ptr;
2076 - runtime->status->state = SNDRV_PCM_STATE_PREPARED;
2077 + snd_pcm_set_state(substream, SNDRV_PCM_STATE_PREPARED);
2078 }
2079
2080 static struct action_ops snd_pcm_action_prepare = {
2081 @@ -1500,6 +1508,10 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
2082 down_read(&snd_pcm_link_rwsem);
2083 snd_pcm_stream_lock_irq(substream);
2084 remove_wait_queue(&to_check->sleep, &wait);
2085 + if (card->shutdown) {
2086 + result = -ENODEV;
2087 + break;
2088 + }
2089 if (tout == 0) {
2090 if (substream->runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
2091 result = -ESTRPIPE;
2092 @@ -1623,6 +1635,7 @@ static int snd_pcm_link(struct snd_pcm_substream *substream, int fd)
2093 write_unlock_irq(&snd_pcm_link_rwlock);
2094 up_write(&snd_pcm_link_rwsem);
2095 _nolock:
2096 + snd_card_unref(substream1->pcm->card);
2097 fput(file);
2098 if (res < 0)
2099 kfree(group);
2100 @@ -2097,7 +2110,10 @@ static int snd_pcm_playback_open(struct inode *inode, struct file *file)
2101 return err;
2102 pcm = snd_lookup_minor_data(iminor(inode),
2103 SNDRV_DEVICE_TYPE_PCM_PLAYBACK);
2104 - return snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_PLAYBACK);
2105 + err = snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_PLAYBACK);
2106 + if (pcm)
2107 + snd_card_unref(pcm->card);
2108 + return err;
2109 }
2110
2111 static int snd_pcm_capture_open(struct inode *inode, struct file *file)
2112 @@ -2108,7 +2124,10 @@ static int snd_pcm_capture_open(struct inode *inode, struct file *file)
2113 return err;
2114 pcm = snd_lookup_minor_data(iminor(inode),
2115 SNDRV_DEVICE_TYPE_PCM_CAPTURE);
2116 - return snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_CAPTURE);
2117 + err = snd_pcm_open(file, pcm, SNDRV_PCM_STREAM_CAPTURE);
2118 + if (pcm)
2119 + snd_card_unref(pcm->card);
2120 + return err;
2121 }
2122
2123 static int snd_pcm_open(struct file *file, struct snd_pcm *pcm, int stream)
2124 @@ -2145,6 +2164,10 @@ static int snd_pcm_open(struct file *file, struct snd_pcm *pcm, int stream)
2125 mutex_unlock(&pcm->open_mutex);
2126 schedule();
2127 mutex_lock(&pcm->open_mutex);
2128 + if (pcm->card->shutdown) {
2129 + err = -ENODEV;
2130 + break;
2131 + }
2132 if (signal_pending(current)) {
2133 err = -ERESTARTSYS;
2134 break;
2135 diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
2136 index ebf6e49..1bb95ae 100644
2137 --- a/sound/core/rawmidi.c
2138 +++ b/sound/core/rawmidi.c
2139 @@ -379,8 +379,10 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2140 if (rmidi == NULL)
2141 return -ENODEV;
2142
2143 - if (!try_module_get(rmidi->card->module))
2144 + if (!try_module_get(rmidi->card->module)) {
2145 + snd_card_unref(rmidi->card);
2146 return -ENXIO;
2147 + }
2148
2149 mutex_lock(&rmidi->open_mutex);
2150 card = rmidi->card;
2151 @@ -422,6 +424,10 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2152 mutex_unlock(&rmidi->open_mutex);
2153 schedule();
2154 mutex_lock(&rmidi->open_mutex);
2155 + if (rmidi->card->shutdown) {
2156 + err = -ENODEV;
2157 + break;
2158 + }
2159 if (signal_pending(current)) {
2160 err = -ERESTARTSYS;
2161 break;
2162 @@ -440,6 +446,7 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2163 #endif
2164 file->private_data = rawmidi_file;
2165 mutex_unlock(&rmidi->open_mutex);
2166 + snd_card_unref(rmidi->card);
2167 return 0;
2168
2169 __error:
2170 @@ -447,6 +454,7 @@ static int snd_rawmidi_open(struct inode *inode, struct file *file)
2171 __error_card:
2172 mutex_unlock(&rmidi->open_mutex);
2173 module_put(rmidi->card->module);
2174 + snd_card_unref(rmidi->card);
2175 return err;
2176 }
2177
2178 @@ -991,6 +999,8 @@ static ssize_t snd_rawmidi_read(struct file *file, char __user *buf, size_t coun
2179 spin_unlock_irq(&runtime->lock);
2180 schedule();
2181 remove_wait_queue(&runtime->sleep, &wait);
2182 + if (rfile->rmidi->card->shutdown)
2183 + return -ENODEV;
2184 if (signal_pending(current))
2185 return result > 0 ? result : -ERESTARTSYS;
2186 if (!runtime->avail)
2187 @@ -1234,6 +1244,8 @@ static ssize_t snd_rawmidi_write(struct file *file, const char __user *buf,
2188 spin_unlock_irq(&runtime->lock);
2189 timeout = schedule_timeout(30 * HZ);
2190 remove_wait_queue(&runtime->sleep, &wait);
2191 + if (rfile->rmidi->card->shutdown)
2192 + return -ENODEV;
2193 if (signal_pending(current))
2194 return result > 0 ? result : -ERESTARTSYS;
2195 if (!runtime->avail && !timeout)
2196 @@ -1609,9 +1621,20 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
2197 static int snd_rawmidi_dev_disconnect(struct snd_device *device)
2198 {
2199 struct snd_rawmidi *rmidi = device->device_data;
2200 + int dir;
2201
2202 mutex_lock(&register_mutex);
2203 + mutex_lock(&rmidi->open_mutex);
2204 + wake_up(&rmidi->open_wait);
2205 list_del_init(&rmidi->list);
2206 + for (dir = 0; dir < 2; dir++) {
2207 + struct snd_rawmidi_substream *s;
2208 + list_for_each_entry(s, &rmidi->streams[dir].substreams, list) {
2209 + if (s->runtime)
2210 + wake_up(&s->runtime->sleep);
2211 + }
2212 + }
2213 +
2214 #ifdef CONFIG_SND_OSSEMUL
2215 if (rmidi->ossreg) {
2216 if ((int)rmidi->device == midi_map[rmidi->card->number]) {
2217 @@ -1626,6 +1649,7 @@ static int snd_rawmidi_dev_disconnect(struct snd_device *device)
2218 }
2219 #endif /* CONFIG_SND_OSSEMUL */
2220 snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
2221 + mutex_unlock(&rmidi->open_mutex);
2222 mutex_unlock(&register_mutex);
2223 return 0;
2224 }
2225 diff --git a/sound/core/sound.c b/sound/core/sound.c
2226 index 28f3559..3700d96 100644
2227 --- a/sound/core/sound.c
2228 +++ b/sound/core/sound.c
2229 @@ -99,6 +99,10 @@ static void snd_request_other(int minor)
2230 *
2231 * Checks that a minor device with the specified type is registered, and returns
2232 * its user data pointer.
2233 + *
2234 + * This function increments the reference counter of the card instance
2235 + * if an associated instance with the given minor number and type is found.
2236 + * The caller must call snd_card_unref() appropriately later.
2237 */
2238 void *snd_lookup_minor_data(unsigned int minor, int type)
2239 {
2240 @@ -109,9 +113,11 @@ void *snd_lookup_minor_data(unsigned int minor, int type)
2241 return NULL;
2242 mutex_lock(&sound_mutex);
2243 mreg = snd_minors[minor];
2244 - if (mreg && mreg->type == type)
2245 + if (mreg && mreg->type == type) {
2246 private_data = mreg->private_data;
2247 - else
2248 + if (private_data && mreg->card_ptr)
2249 + atomic_inc(&mreg->card_ptr->refcount);
2250 + } else
2251 private_data = NULL;
2252 mutex_unlock(&sound_mutex);
2253 return private_data;
2254 @@ -276,6 +282,7 @@ int snd_register_device_for_dev(int type, struct snd_card *card, int dev,
2255 preg->device = dev;
2256 preg->f_ops = f_ops;
2257 preg->private_data = private_data;
2258 + preg->card_ptr = card;
2259 mutex_lock(&sound_mutex);
2260 #ifdef CONFIG_SND_DYNAMIC_MINORS
2261 minor = snd_find_free_minor(type);
2262 diff --git a/sound/core/sound_oss.c b/sound/core/sound_oss.c
2263 index c700920..ec86009 100644
2264 --- a/sound/core/sound_oss.c
2265 +++ b/sound/core/sound_oss.c
2266 @@ -40,6 +40,9 @@
2267 static struct snd_minor *snd_oss_minors[SNDRV_OSS_MINORS];
2268 static DEFINE_MUTEX(sound_oss_mutex);
2269
2270 +/* NOTE: This function increments the refcount of the associated card like
2271 + * snd_lookup_minor_data(); the caller must call snd_card_unref() appropriately
2272 + */
2273 void *snd_lookup_oss_minor_data(unsigned int minor, int type)
2274 {
2275 struct snd_minor *mreg;
2276 @@ -49,9 +52,11 @@ void *snd_lookup_oss_minor_data(unsigned int minor, int type)
2277 return NULL;
2278 mutex_lock(&sound_oss_mutex);
2279 mreg = snd_oss_minors[minor];
2280 - if (mreg && mreg->type == type)
2281 + if (mreg && mreg->type == type) {
2282 private_data = mreg->private_data;
2283 - else
2284 + if (private_data && mreg->card_ptr)
2285 + atomic_inc(&mreg->card_ptr->refcount);
2286 + } else
2287 private_data = NULL;
2288 mutex_unlock(&sound_oss_mutex);
2289 return private_data;
2290 @@ -123,6 +128,7 @@ int snd_register_oss_device(int type, struct snd_card *card, int dev,
2291 preg->device = dev;
2292 preg->f_ops = f_ops;
2293 preg->private_data = private_data;
2294 + preg->card_ptr = card;
2295 mutex_lock(&sound_oss_mutex);
2296 snd_oss_minors[minor] = preg;
2297 minor_unit = SNDRV_MINOR_OSS_DEVICE(minor);
2298 diff --git a/sound/usb/card.c b/sound/usb/card.c
2299 index 4a7be7b..388460d 100644
2300 --- a/sound/usb/card.c
2301 +++ b/sound/usb/card.c
2302 @@ -336,7 +336,7 @@ static int snd_usb_audio_create(struct usb_device *dev, int idx,
2303 return -ENOMEM;
2304 }
2305
2306 - mutex_init(&chip->shutdown_mutex);
2307 + init_rwsem(&chip->shutdown_rwsem);
2308 chip->index = idx;
2309 chip->dev = dev;
2310 chip->card = card;
2311 @@ -555,9 +555,11 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
2312 return;
2313
2314 card = chip->card;
2315 - mutex_lock(&register_mutex);
2316 - mutex_lock(&chip->shutdown_mutex);
2317 + down_write(&chip->shutdown_rwsem);
2318 chip->shutdown = 1;
2319 + up_write(&chip->shutdown_rwsem);
2320 +
2321 + mutex_lock(&register_mutex);
2322 chip->num_interfaces--;
2323 if (chip->num_interfaces <= 0) {
2324 snd_card_disconnect(card);
2325 @@ -574,11 +576,9 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
2326 snd_usb_mixer_disconnect(p);
2327 }
2328 usb_chip[chip->index] = NULL;
2329 - mutex_unlock(&chip->shutdown_mutex);
2330 mutex_unlock(&register_mutex);
2331 snd_card_free_when_closed(card);
2332 } else {
2333 - mutex_unlock(&chip->shutdown_mutex);
2334 mutex_unlock(&register_mutex);
2335 }
2336 }
2337 @@ -610,16 +610,20 @@ int snd_usb_autoresume(struct snd_usb_audio *chip)
2338 {
2339 int err = -ENODEV;
2340
2341 + down_read(&chip->shutdown_rwsem);
2342 if (!chip->shutdown && !chip->probing)
2343 err = usb_autopm_get_interface(chip->pm_intf);
2344 + up_read(&chip->shutdown_rwsem);
2345
2346 return err;
2347 }
2348
2349 void snd_usb_autosuspend(struct snd_usb_audio *chip)
2350 {
2351 + down_read(&chip->shutdown_rwsem);
2352 if (!chip->shutdown && !chip->probing)
2353 usb_autopm_put_interface(chip->pm_intf);
2354 + up_read(&chip->shutdown_rwsem);
2355 }
2356
2357 static int usb_audio_suspend(struct usb_interface *intf, pm_message_t message)
2358 diff --git a/sound/usb/card.h b/sound/usb/card.h
2359 index da5fa1a..7932b2a 100644
2360 --- a/sound/usb/card.h
2361 +++ b/sound/usb/card.h
2362 @@ -87,6 +87,7 @@ struct snd_usb_substream {
2363 struct snd_urb_ctx syncurb[SYNC_URBS]; /* sync urb table */
2364 char *syncbuf; /* sync buffer for all sync URBs */
2365 dma_addr_t sync_dma; /* DMA address of syncbuf */
2366 + unsigned int speed; /* USB_SPEED_XXX */
2367
2368 u64 formats; /* format bitmasks (all or'ed) */
2369 unsigned int num_formats; /* number of supported audio formats (list) */
2370 diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
2371 index 08dcce5..24c5114 100644
2372 --- a/sound/usb/endpoint.c
2373 +++ b/sound/usb/endpoint.c
2374 @@ -148,8 +148,10 @@ void snd_usb_release_substream_urbs(struct snd_usb_substream *subs, int force)
2375 int i;
2376
2377 /* stop urbs (to be sure) */
2378 - deactivate_urbs(subs, force, 1);
2379 - wait_clear_urbs(subs);
2380 + if (!subs->stream->chip->shutdown) {
2381 + deactivate_urbs(subs, force, 1);
2382 + wait_clear_urbs(subs);
2383 + }
2384
2385 for (i = 0; i < MAX_URBS; i++)
2386 release_urb_ctx(&subs->dataurb[i]);
2387 @@ -895,7 +897,8 @@ void snd_usb_init_substream(struct snd_usb_stream *as,
2388 subs->dev = as->chip->dev;
2389 subs->txfr_quirk = as->chip->txfr_quirk;
2390 subs->ops = audio_urb_ops[stream];
2391 - if (snd_usb_get_speed(subs->dev) >= USB_SPEED_HIGH)
2392 + subs->speed = snd_usb_get_speed(subs->dev);
2393 + if (subs->speed >= USB_SPEED_HIGH)
2394 subs->ops.prepare_sync = prepare_capture_sync_urb_hs;
2395
2396 snd_usb_set_pcm_ops(as->pcm, stream);
2397 diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
2398 index 8a818a4..29ae209 100644
2399 --- a/sound/usb/mixer.c
2400 +++ b/sound/usb/mixer.c
2401 @@ -287,25 +287,32 @@ static int get_ctl_value_v1(struct usb_mixer_elem_info *cval, int request, int v
2402 unsigned char buf[2];
2403 int val_len = cval->val_type >= USB_MIXER_S16 ? 2 : 1;
2404 int timeout = 10;
2405 - int err;
2406 + int idx = 0, err;
2407
2408 err = snd_usb_autoresume(cval->mixer->chip);
2409 if (err < 0)
2410 return -EIO;
2411 + down_read(&chip->shutdown_rwsem);
2412 while (timeout-- > 0) {
2413 + if (chip->shutdown)
2414 + break;
2415 + idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
2416 if (snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), request,
2417 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
2418 - validx, snd_usb_ctrl_intf(chip) | (cval->id << 8),
2419 - buf, val_len) >= val_len) {
2420 + validx, idx, buf, val_len) >= val_len) {
2421 *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(buf, val_len));
2422 - snd_usb_autosuspend(cval->mixer->chip);
2423 - return 0;
2424 + err = 0;
2425 + goto out;
2426 }
2427 }
2428 - snd_usb_autosuspend(cval->mixer->chip);
2429 snd_printdd(KERN_ERR "cannot get ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n",
2430 - request, validx, snd_usb_ctrl_intf(chip) | (cval->id << 8), cval->val_type);
2431 - return -EINVAL;
2432 + request, validx, idx, cval->val_type);
2433 + err = -EINVAL;
2434 +
2435 + out:
2436 + up_read(&chip->shutdown_rwsem);
2437 + snd_usb_autosuspend(cval->mixer->chip);
2438 + return err;
2439 }
2440
2441 static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int validx, int *value_ret)
2442 @@ -313,7 +320,7 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int v
2443 struct snd_usb_audio *chip = cval->mixer->chip;
2444 unsigned char buf[2 + 3*sizeof(__u16)]; /* enough space for one range */
2445 unsigned char *val;
2446 - int ret, size;
2447 + int idx = 0, ret, size;
2448 __u8 bRequest;
2449
2450 if (request == UAC_GET_CUR) {
2451 @@ -330,16 +337,22 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request, int v
2452 if (ret)
2453 goto error;
2454
2455 - ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), bRequest,
2456 + down_read(&chip->shutdown_rwsem);
2457 + if (chip->shutdown)
2458 + ret = -ENODEV;
2459 + else {
2460 + idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
2461 + ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), bRequest,
2462 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
2463 - validx, snd_usb_ctrl_intf(chip) | (cval->id << 8),
2464 - buf, size);
2465 + validx, idx, buf, size);
2466 + }
2467 + up_read(&chip->shutdown_rwsem);
2468 snd_usb_autosuspend(chip);
2469
2470 if (ret < 0) {
2471 error:
2472 snd_printk(KERN_ERR "cannot get ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n",
2473 - request, validx, snd_usb_ctrl_intf(chip) | (cval->id << 8), cval->val_type);
2474 + request, validx, idx, cval->val_type);
2475 return ret;
2476 }
2477
2478 @@ -417,7 +430,7 @@ int snd_usb_mixer_set_ctl_value(struct usb_mixer_elem_info *cval,
2479 {
2480 struct snd_usb_audio *chip = cval->mixer->chip;
2481 unsigned char buf[2];
2482 - int val_len, err, timeout = 10;
2483 + int idx = 0, val_len, err, timeout = 10;
2484
2485 if (cval->mixer->protocol == UAC_VERSION_1) {
2486 val_len = cval->val_type >= USB_MIXER_S16 ? 2 : 1;
2487 @@ -440,19 +453,27 @@ int snd_usb_mixer_set_ctl_value(struct usb_mixer_elem_info *cval,
2488 err = snd_usb_autoresume(chip);
2489 if (err < 0)
2490 return -EIO;
2491 - while (timeout-- > 0)
2492 + down_read(&chip->shutdown_rwsem);
2493 + while (timeout-- > 0) {
2494 + if (chip->shutdown)
2495 + break;
2496 + idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
2497 if (snd_usb_ctl_msg(chip->dev,
2498 usb_sndctrlpipe(chip->dev, 0), request,
2499 USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
2500 - validx, snd_usb_ctrl_intf(chip) | (cval->id << 8),
2501 - buf, val_len) >= 0) {
2502 - snd_usb_autosuspend(chip);
2503 - return 0;
2504 + validx, idx, buf, val_len) >= 0) {
2505 + err = 0;
2506 + goto out;
2507 }
2508 - snd_usb_autosuspend(chip);
2509 + }
2510 snd_printdd(KERN_ERR "cannot set ctl value: req = %#x, wValue = %#x, wIndex = %#x, type = %d, data = %#x/%#x\n",
2511 - request, validx, snd_usb_ctrl_intf(chip) | (cval->id << 8), cval->val_type, buf[0], buf[1]);
2512 - return -EINVAL;
2513 + request, validx, idx, cval->val_type, buf[0], buf[1]);
2514 + err = -EINVAL;
2515 +
2516 + out:
2517 + up_read(&chip->shutdown_rwsem);
2518 + snd_usb_autosuspend(chip);
2519 + return err;
2520 }
2521
2522 static int set_cur_ctl_value(struct usb_mixer_elem_info *cval, int validx, int value)
2523 diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
2524 index ab125ee..38a607a 100644
2525 --- a/sound/usb/mixer_quirks.c
2526 +++ b/sound/usb/mixer_quirks.c
2527 @@ -186,6 +186,11 @@ static int snd_audigy2nx_led_put(struct snd_kcontrol *kcontrol, struct snd_ctl_e
2528 if (value > 1)
2529 return -EINVAL;
2530 changed = value != mixer->audigy2nx_leds[index];
2531 + down_read(&mixer->chip->shutdown_rwsem);
2532 + if (mixer->chip->shutdown) {
2533 + err = -ENODEV;
2534 + goto out;
2535 + }
2536 if (mixer->chip->usb_id == USB_ID(0x041e, 0x3042))
2537 err = snd_usb_ctl_msg(mixer->chip->dev,
2538 usb_sndctrlpipe(mixer->chip->dev, 0), 0x24,
2539 @@ -202,6 +207,8 @@ static int snd_audigy2nx_led_put(struct snd_kcontrol *kcontrol, struct snd_ctl_e
2540 usb_sndctrlpipe(mixer->chip->dev, 0), 0x24,
2541 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER,
2542 value, index + 2, NULL, 0);
2543 + out:
2544 + up_read(&mixer->chip->shutdown_rwsem);
2545 if (err < 0)
2546 return err;
2547 mixer->audigy2nx_leds[index] = value;
2548 @@ -295,11 +302,16 @@ static void snd_audigy2nx_proc_read(struct snd_info_entry *entry,
2549
2550 for (i = 0; jacks[i].name; ++i) {
2551 snd_iprintf(buffer, "%s: ", jacks[i].name);
2552 - err = snd_usb_ctl_msg(mixer->chip->dev,
2553 + down_read(&mixer->chip->shutdown_rwsem);
2554 + if (mixer->chip->shutdown)
2555 + err = 0;
2556 + else
2557 + err = snd_usb_ctl_msg(mixer->chip->dev,
2558 usb_rcvctrlpipe(mixer->chip->dev, 0),
2559 UAC_GET_MEM, USB_DIR_IN | USB_TYPE_CLASS |
2560 USB_RECIP_INTERFACE, 0,
2561 jacks[i].unitid << 8, buf, 3);
2562 + up_read(&mixer->chip->shutdown_rwsem);
2563 if (err == 3 && (buf[0] == 3 || buf[0] == 6))
2564 snd_iprintf(buffer, "%02x %02x\n", buf[1], buf[2]);
2565 else
2566 @@ -329,10 +341,15 @@ static int snd_xonar_u1_switch_put(struct snd_kcontrol *kcontrol,
2567 else
2568 new_status = old_status & ~0x02;
2569 changed = new_status != old_status;
2570 - err = snd_usb_ctl_msg(mixer->chip->dev,
2571 + down_read(&mixer->chip->shutdown_rwsem);
2572 + if (mixer->chip->shutdown)
2573 + err = -ENODEV;
2574 + else
2575 + err = snd_usb_ctl_msg(mixer->chip->dev,
2576 usb_sndctrlpipe(mixer->chip->dev, 0), 0x08,
2577 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER,
2578 50, 0, &new_status, 1);
2579 + up_read(&mixer->chip->shutdown_rwsem);
2580 if (err < 0)
2581 return err;
2582 mixer->xonar_u1_status = new_status;
2583 @@ -371,11 +388,17 @@ static int snd_nativeinstruments_control_get(struct snd_kcontrol *kcontrol,
2584 u8 bRequest = (kcontrol->private_value >> 16) & 0xff;
2585 u16 wIndex = kcontrol->private_value & 0xffff;
2586 u8 tmp;
2587 + int ret;
2588
2589 - int ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), bRequest,
2590 + down_read(&mixer->chip->shutdown_rwsem);
2591 + if (mixer->chip->shutdown)
2592 + ret = -ENODEV;
2593 + else
2594 + ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), bRequest,
2595 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
2596 0, cpu_to_le16(wIndex),
2597 &tmp, sizeof(tmp), 1000);
2598 + up_read(&mixer->chip->shutdown_rwsem);
2599
2600 if (ret < 0) {
2601 snd_printk(KERN_ERR
2602 @@ -396,11 +419,17 @@ static int snd_nativeinstruments_control_put(struct snd_kcontrol *kcontrol,
2603 u8 bRequest = (kcontrol->private_value >> 16) & 0xff;
2604 u16 wIndex = kcontrol->private_value & 0xffff;
2605 u16 wValue = ucontrol->value.integer.value[0];
2606 + int ret;
2607
2608 - int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), bRequest,
2609 + down_read(&mixer->chip->shutdown_rwsem);
2610 + if (mixer->chip->shutdown)
2611 + ret = -ENODEV;
2612 + else
2613 + ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), bRequest,
2614 USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
2615 cpu_to_le16(wValue), cpu_to_le16(wIndex),
2616 NULL, 0, 1000);
2617 + up_read(&mixer->chip->shutdown_rwsem);
2618
2619 if (ret < 0) {
2620 snd_printk(KERN_ERR
2621 diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
2622 index 67a4d6d..4a99f6c 100644
2623 --- a/sound/usb/pcm.c
2624 +++ b/sound/usb/pcm.c
2625 @@ -67,6 +67,8 @@ static snd_pcm_uframes_t snd_usb_pcm_pointer(struct snd_pcm_substream *substream
2626 unsigned int hwptr_done;
2627
2628 subs = (struct snd_usb_substream *)substream->runtime->private_data;
2629 + if (subs->stream->chip->shutdown)
2630 + return SNDRV_PCM_POS_XRUN;
2631 spin_lock(&subs->lock);
2632 hwptr_done = subs->hwptr_done;
2633 substream->runtime->delay = snd_usb_pcm_delay(subs,
2634 @@ -373,8 +375,14 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
2635 changed = subs->cur_audiofmt != fmt ||
2636 subs->period_bytes != params_period_bytes(hw_params) ||
2637 subs->cur_rate != rate;
2638 +
2639 + down_read(&subs->stream->chip->shutdown_rwsem);
2640 + if (subs->stream->chip->shutdown) {
2641 + ret = -ENODEV;
2642 + goto unlock;
2643 + }
2644 if ((ret = set_format(subs, fmt)) < 0)
2645 - return ret;
2646 + goto unlock;
2647
2648 if (subs->cur_rate != rate) {
2649 struct usb_host_interface *alts;
2650 @@ -383,12 +391,11 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
2651 alts = &iface->altsetting[fmt->altset_idx];
2652 ret = snd_usb_init_sample_rate(subs->stream->chip, subs->interface, alts, fmt, rate);
2653 if (ret < 0)
2654 - return ret;
2655 + goto unlock;
2656 subs->cur_rate = rate;
2657 }
2658
2659 if (changed) {
2660 - mutex_lock(&subs->stream->chip->shutdown_mutex);
2661 /* format changed */
2662 snd_usb_release_substream_urbs(subs, 0);
2663 /* influenced: period_bytes, channels, rate, format, */
2664 @@ -396,9 +403,10 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
2665 params_rate(hw_params),
2666 snd_pcm_format_physical_width(params_format(hw_params)) *
2667 params_channels(hw_params));
2668 - mutex_unlock(&subs->stream->chip->shutdown_mutex);
2669 }
2670
2671 +unlock:
2672 + up_read(&subs->stream->chip->shutdown_rwsem);
2673 return ret;
2674 }
2675
2676 @@ -414,9 +422,9 @@ static int snd_usb_hw_free(struct snd_pcm_substream *substream)
2677 subs->cur_audiofmt = NULL;
2678 subs->cur_rate = 0;
2679 subs->period_bytes = 0;
2680 - mutex_lock(&subs->stream->chip->shutdown_mutex);
2681 + down_read(&subs->stream->chip->shutdown_rwsem);
2682 snd_usb_release_substream_urbs(subs, 0);
2683 - mutex_unlock(&subs->stream->chip->shutdown_mutex);
2684 + up_read(&subs->stream->chip->shutdown_rwsem);
2685 return snd_pcm_lib_free_vmalloc_buffer(substream);
2686 }
2687
2688 @@ -429,12 +437,18 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
2689 {
2690 struct snd_pcm_runtime *runtime = substream->runtime;
2691 struct snd_usb_substream *subs = runtime->private_data;
2692 + int ret = 0;
2693
2694 if (! subs->cur_audiofmt) {
2695 snd_printk(KERN_ERR "usbaudio: no format is specified!\n");
2696 return -ENXIO;
2697 }
2698
2699 + down_read(&subs->stream->chip->shutdown_rwsem);
2700 + if (subs->stream->chip->shutdown) {
2701 + ret = -ENODEV;
2702 + goto unlock;
2703 + }
2704 /* some unit conversions in runtime */
2705 subs->maxframesize = bytes_to_frames(runtime, subs->maxpacksize);
2706 subs->curframesize = bytes_to_frames(runtime, subs->curpacksize);
2707 @@ -447,7 +461,10 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
2708 subs->last_frame_number = 0;
2709 runtime->delay = 0;
2710
2711 - return snd_usb_substream_prepare(subs, runtime);
2712 + ret = snd_usb_substream_prepare(subs, runtime);
2713 + unlock:
2714 + up_read(&subs->stream->chip->shutdown_rwsem);
2715 + return ret;
2716 }
2717
2718 static struct snd_pcm_hardware snd_usb_hardware =
2719 @@ -500,7 +517,7 @@ static int hw_check_valid_format(struct snd_usb_substream *subs,
2720 return 0;
2721 }
2722 /* check whether the period time is >= the data packet interval */
2723 - if (snd_usb_get_speed(subs->dev) != USB_SPEED_FULL) {
2724 + if (subs->speed != USB_SPEED_FULL) {
2725 ptime = 125 * (1 << fp->datainterval);
2726 if (ptime > pt->max || (ptime == pt->max && pt->openmax)) {
2727 hwc_debug(" > check: ptime %u > max %u\n", ptime, pt->max);
2728 @@ -778,7 +795,7 @@ static int setup_hw_info(struct snd_pcm_runtime *runtime, struct snd_usb_substre
2729 return err;
2730
2731 param_period_time_if_needed = SNDRV_PCM_HW_PARAM_PERIOD_TIME;
2732 - if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL)
2733 + if (subs->speed == USB_SPEED_FULL)
2734 /* full speed devices have fixed data packet interval */
2735 ptmin = 1000;
2736 if (ptmin == 1000)
2737 diff --git a/sound/usb/proc.c b/sound/usb/proc.c
2738 index 961c9a2..aef03db 100644
2739 --- a/sound/usb/proc.c
2740 +++ b/sound/usb/proc.c
2741 @@ -107,7 +107,7 @@ static void proc_dump_substream_formats(struct snd_usb_substream *subs, struct s
2742 }
2743 snd_iprintf(buffer, "\n");
2744 }
2745 - if (snd_usb_get_speed(subs->dev) != USB_SPEED_FULL)
2746 + if (subs->speed != USB_SPEED_FULL)
2747 snd_iprintf(buffer, " Data packet interval: %d us\n",
2748 125 * (1 << fp->datainterval));
2749 // snd_iprintf(buffer, " Max Packet Size = %d\n", fp->maxpacksize);
2750 @@ -128,7 +128,7 @@ static void proc_dump_substream_status(struct snd_usb_substream *subs, struct sn
2751 snd_iprintf(buffer, "]\n");
2752 snd_iprintf(buffer, " Packet Size = %d\n", subs->curpacksize);
2753 snd_iprintf(buffer, " Momentary freq = %u Hz (%#x.%04x)\n",
2754 - snd_usb_get_speed(subs->dev) == USB_SPEED_FULL
2755 + subs->speed == USB_SPEED_FULL
2756 ? get_full_speed_hz(subs->freqm)
2757 : get_high_speed_hz(subs->freqm),
2758 subs->freqm >> 16, subs->freqm & 0xffff);
2759 diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
2760 index 3e2b035..6c805a5 100644
2761 --- a/sound/usb/usbaudio.h
2762 +++ b/sound/usb/usbaudio.h
2763 @@ -36,7 +36,7 @@ struct snd_usb_audio {
2764 struct snd_card *card;
2765 struct usb_interface *pm_intf;
2766 u32 usb_id;
2767 - struct mutex shutdown_mutex;
2768 + struct rw_semaphore shutdown_rwsem;
2769 unsigned int shutdown:1;
2770 unsigned int probing:1;
2771 unsigned int autosuspended:1;

  ViewVC Help
Powered by ViewVC 1.1.20