commit 84dfcb758ba7cce52ef475ac96861a558e1a20ca Author: Greg Kroah-Hartman Date: Fri Dec 20 07:34:35 2013 -0800 Linux 3.4.75 commit 2c64388e8bde7f654167ac2dca485e9545dd6915 Author: Roger Quadros Date: Sun Dec 8 18:39:02 2013 -0700 ARM: OMAP2+: hwmod: Fix SOFTRESET logic commit 313a76ee11cda6700548afe68499ef174a240688 upstream. In _ocp_softreset(), after _set_softreset() + write_sysconfig(), the hwmod's sysc_cache will always contain SOFTRESET bit set so all further writes to sysconfig using this cache will initiate a repeated SOFTRESET e.g. enable_sysc(). This is true for OMAP3 like platforms that have RESET_DONE status in the SYSSTATUS register and so the the SOFTRESET bit in SYSCONFIG is not automatically cleared. It is not a problem for OMAP4 like platforms that indicate RESET completion by clearing the SOFTRESET bit in the SYSCONFIG register. This repeated SOFTRESET is undesired and was the root cause of USB host issues on OMAP3 platforms when hwmod was allowed to do the SOFTRESET for the USB Host module. To fix this we clear the SOFTRESET bit and update the sysconfig register + sysc_cache using write_sysconfig(). Signed-off-by: Roger Quadros Tested-by: Tomi Valkeinen # Panda, BeagleXM [paul@pwsan.com: renamed _clr_softreset() to _clear_softreset()] Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit 8670ef4f9748ce81ffb4454a4b41b3b548a39b20 Author: Greg Kroah-Hartman Date: Wed Dec 18 12:40:45 2013 -0800 Revert "net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST" It turns out that commit: d3f7d56a7a4671d395e8af87071068a195257bf6 was applied to the tree twice, which didn't hurt anything, but it's good to fix this up. Reported-by: Veaceslav Falico Cc: David S. Miller Cc: Eric Dumazet Cc: Richard Weinberger Cc: Shawn Landden Cc: Tom Herbert Signed-off-by: Greg Kroah-Hartman commit 0e755a93423dd7f32112e50148f953245051095d Author: Mikulas Patocka Date: Sun Jun 9 01:25:57 2013 +0200 hpfs: fix warnings when the filesystem fills up commit bbd465df73f0d8ba41b8a0732766a243d0f5b356 upstream. This patch fixes warnings due to missing lock on write error path. WARNING: at fs/hpfs/hpfs_fn.h:353 hpfs_truncate+0x75/0x80 [hpfs]() Hardware name: empty Pid: 26563, comm: dd Tainted: P O 3.9.4 #12 Call Trace: hpfs_truncate+0x75/0x80 [hpfs] hpfs_write_begin+0x84/0x90 [hpfs] _hpfs_bmap+0x10/0x10 [hpfs] generic_file_buffered_write+0x121/0x2c0 __generic_file_aio_write+0x1c7/0x3f0 generic_file_aio_write+0x7c/0x100 do_sync_write+0x98/0xd0 hpfs_file_write+0xd/0x50 [hpfs] vfs_write+0xa2/0x160 sys_write+0x51/0xa0 page_fault+0x22/0x30 system_call_fastpath+0x1a/0x1f Signed-off-by: Mikulas Patocka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 693b680339ee4641161b4a78a51ee26df50c0f6c Author: Alan Date: Wed Dec 4 15:31:52 2013 +0000 sc1200_wdt: Fix oops commit dace8bbfccfd9e4fcccfffcfbd82881fda3e756f upstream. If loaded with isapnp = 0 the driver explodes. This is catching people out now and then. What should happen in the working case is a complete mystery and the code appears terminally confused, but we can at least make the error path work properly. Signed-off-by: Alan Cox Reviewed-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Partially-Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=53991 Signed-off-by: Greg Kroah-Hartman commit 03a0d30fc0a2463df68ac212e1983d5ab3f9f77d Author: H Hartley Sweeten Date: Fri Aug 30 11:08:50 2013 -0700 staging: comedi: ssv_dnp: use comedi_dio_update_state() commit f6b316bcd8c421acd6fa5a6e18b4c846ecb9d965 upstream. Use comedi_dio_update_state() to handle the boilerplate code to update the subdevice s->state. Also, fix a bug where the state of the channels is returned in data[0]. The comedi core expects it to be returned in data[1]. Signed-off-by: H Hartley Sweeten Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 70a9deaa57ee1572c95dce7ec1991bf018728f3a Author: Ian Abbott Date: Tue Aug 20 11:50:19 2013 +0100 staging: comedi: pcmuio: fix possible NULL deref on detach commit 2fd2bdfccae61efe18f6b92b6a45fbf936d75b48 upstream. pcmuio_detach() is called by the comedi core even if pcmuio_attach() returned an error, so `dev->private` might be `NULL`. Check for that before dereferencing it. Also, as pointed out by Dan Carpenter, there is no need to check the pointer passed to `kfree()` is non-NULL, so remove that check. Signed-off-by: Ian Abbott Cc: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit e71859894bfd0ceaf65e98bf287478242d17a9ec Author: Helge Deller Date: Mon Dec 2 19:59:31 2013 +0100 nfs: fix do_div() warning by instead using sector_div() commit 3873d064b8538686bbbd4b858dc8a07db1f7f43a upstream. When compiling a 32bit kernel with CONFIG_LBDAF=n the compiler complains like shown below. Fix this warning by instead using sector_div() which is provided by the kernel.h header file. fs/nfs/blocklayout/extents.c: In function ‘normalize’: include/asm-generic/div64.h:43:28: warning: comparison of distinct pointer types lacks a cast [enabled by default] fs/nfs/blocklayout/extents.c:47:13: note: in expansion of macro ‘do_div’ nfs/blocklayout/extents.c:47:2: warning: right shift count >= width of type [enabled by default] fs/nfs/blocklayout/extents.c:47:2: warning: passing argument 1 of ‘__div64_32’ from incompatible pointer type [enabled by default] include/asm-generic/div64.h:35:17: note: expected ‘uint64_t *’ but argument is of type ‘sector_t *’ extern uint32_t __div64_32(uint64_t *dividend, uint32_t divisor); Signed-off-by: Helge Deller Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit d84ae92281ac08a47fcfd14e43a092407be45b60 Author: Mikulas Patocka Date: Fri Nov 22 19:52:06 2013 -0500 dm table: fail dm_table_create on dm_round_up overflow commit 5b2d06576c5410c10d95adfd5c4d8b24de861d87 upstream. The dm_round_up function may overflow to zero. In this case, dm_table_create() must fail rather than go on to allocate an empty array with alloc_targets(). This fixes a possible memory corruption that could be caused by passing too large a number in "param->target_count". Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit b0d16fe070836cc8090524fe16aa5ae2dfab72fc Author: Mikulas Patocka Date: Fri Nov 15 16:12:20 2013 -0500 dm delay: fix a possible deadlock due to shared workqueue commit 718822c1c112dc99e0c72c8968ee1db9d9d910f0 upstream. The dm-delay target uses a shared workqueue for multiple instances. This can cause deadlock if two or more dm-delay targets are stacked on the top of each other. This patch changes dm-delay to use a per-instance workqueue. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit aa42ac11510cd2584a04cdd5dacb3f4bf8e82af0 Author: Mikulas Patocka Date: Thu Dec 5 17:33:29 2013 -0500 dm bufio: initialize read-only module parameters commit 4cb57ab4a2e61978f3a9b7d4f53988f30d61c27f upstream. Some module parameters in dm-bufio are read-only. These parameters inform the user about memory consumption. They are not supposed to be changed by the user. However, despite being read-only, these parameters can be set on modprobe or insmod command line, for example: modprobe dm-bufio current_allocated_bytes=12345 The kernel doesn't expect that these variables can be non-zero at module initialization and if the user sets them, it results in BUG. This patch initializes the variables in the module init routine, so that user-supplied values are ignored. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 57ca30028c51d6aaa380b4063f13fbf61e8e5d76 Author: Matthew Garrett Date: Fri Nov 29 14:44:43 2013 -0500 x86, efi: Don't use (U)EFI time services on 32 bit commit 04bf9ba720fcc4fa313fa122b799ae0989b6cd50 upstream. UEFI time services are often broken once we're in virtual mode. We were already refusing to use them on 64-bit systems, but it turns out that they're also broken on some 32-bit firmware, including the Dell Venue. Disable them for now, we can revisit once we have the 1:1 mappings code incorporated. Signed-off-by: Matthew Garrett Link: http://lkml.kernel.org/r/1385754283-2464-1-git-send-email-matthew.garrett@nebula.com Cc: Matt Fleming Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 4f1f56b80623dd9c7c9e99040fbf5b79d28799d6 Author: Alex Deucher Date: Tue Dec 3 09:24:30 2013 -0500 drm/radeon: fixup bad vram size on SI commit 0ca223b029a261e82fb2f50c52eb85d510f4260e upstream. Some boards seem to have garbage in the upper 16 bits of the vram size register. Check for this and clamp the size properly. Fixes boards reporting bogus amounts of vram. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 01c2b7b7c7b16d08a7b3659bb2d98d3a2034b365 Author: Johannes Berg Date: Wed Nov 20 11:28:27 2013 +0100 mac80211: don't attempt to reorder multicast frames commit 051a41fa4ee14f5c39668f0980973b9a195de560 upstream. Multicast frames can't be transmitted as part of an aggregation session (such a session couldn't even be set up) so don't try to reorder them. Trying to do so would cause the reorder to stop working correctly since multicast QoS frames (as transmitted by the Aruba APs this was found with) would cause sequence number confusion in the buffer. Reported-by: Blaise Gassend Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 2ea04e5a3d579032632c72584ea67b623321064c Author: Paul Moore Date: Wed Dec 4 16:10:51 2013 -0500 selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() commit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream. In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly, we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation. Reported-by: Janak Desai Tested-by: Janak Desai Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 1c5d9d1527ceb57e66001fba3d84c766d89baf2e Author: Paul Moore Date: Wed Dec 4 16:10:45 2013 -0500 selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() commit 47180068276a04ed31d24fe04c673138208b07a9 upstream. In selinux_ip_output() we always label packets based on the parent socket. While this approach works in almost all cases, it doesn't work in the case of TCP SYN-ACK packets when the correct label is not the label of the parent socket, but rather the label of the larval socket represented by the request_sock struct. Unfortunately, since the request_sock isn't queued on the parent socket until *after* the SYN-ACK packet is sent, we can't lookup the request_sock to determine the correct label for the packet; at this point in time the best we can do is simply pass/NF_ACCEPT the packet. It must be said that simply passing the packet without any explicit labeling action, while far from ideal, is not terrible as the SYN-ACK packet will inherit any IP option based labeling from the initial connection request so the label *should* be correct and all our access controls remain in place so we shouldn't have to worry about information leaks. Reported-by: Janak Desai Tested-by: Janak Desai Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 898341afe54f827138e9b3516ae5a456f2d5fa48 Author: Linus Pizunski Date: Thu Dec 12 17:12:23 2013 -0800 drivers/rtc/rtc-at91rm9200.c: correct alarm over day/month wrap commit eb3c227289840eed95ddfb0516046f08d8993940 upstream. Update month and day of month to the alarm month/day instead of current day/month when setting the RTC alarm mask. Signed-off-by: Linus Pizunski Signed-off-by: Nicolas Ferre Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 13970f80f2b64e819732f605e0a18f558ccb7166 Author: Christian Engelmayer Date: Tue Nov 26 18:16:17 2013 -0800 Input: usbtouchscreen - separate report and transmit buffer size handling commit 4ef38351d770cc421f4a0c7a849fd13207fc5741 upstream. This patch supports the separate handling of the USB transfer buffer length and the length of the buffer used for multi packet support. For devices supporting multiple report or diagnostic packets, the USB transfer size is now limited to the USB endpoints wMaxPacketSize - otherwise it defaults to the configured report packet size as before. This fixes an issue where event reporting can be delayed for an arbitrary time for multi packet devices. For instance the report size for eGalax devices is defined to the 16 byte maximum diagnostic packet size as opposed to the 5 byte report packet size. In case the driver requests 16 byte from the USB interrupt endpoint, the USB host controller driver needs to split up the request into 2 accesses according to the endpoints wMaxPacketSize of 8 byte. When the first transfer is answered by the eGalax device with not less than the full 8 byte requested, the host controller has got no way of knowing whether the touch controller has got additional data queued and will issue the second transfer. If per example a liftoff event finishes at such a wMaxPacketSize boundary, the data will not be available to the usbtouch driver until a further event is triggered and transfered to the host. From user perspective the BTN_TOUCH release event in this case is stuck until the next touch down event. Signed-off-by: Christian Engelmayer Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 6905bdb16b8d9eaaa352a9405e72888b4c36b0a1 Author: Fangxiaozhi (Franko) Date: Mon Dec 2 09:00:11 2013 +0000 USB: option: support new huawei devices commit 2bf308d7bc5e8cdd69672199f59532f35339133c upstream. Add new supporting declarations to option.c, to support Huawei new devices with new bInterfaceProtocol value. Signed-off-by: fangxiaozhi Signed-off-by: Greg Kroah-Hartman commit 7ad54c63867ec0fe0d1496bc4bd3631f655f2bcb Author: Gustavo Zacarias Date: Mon Nov 11 09:59:15 2013 -0300 USB: serial: option: blacklist interface 1 for Huawei E173s-6 commit 8f173e22abf2258ddfa73f46eadbb6a6c29f1631 upstream. Interface 1 on this device isn't for option to bind to otherwise an oops on usb_wwan with log flooding will happen when accessing the port: tty_release: ttyUSB1: read/write wait queue active! It doesn't seem to respond to QMI if it's added to qmi_wwan so don't add it there - it's likely used by the card reader. Signed-off-by: Gustavo Zacarias Signed-off-by: Greg Kroah-Hartman commit 4470dc52a72c1e8c06546f923f6a817cff4a34a7 Author: Michael Grzeschik Date: Mon Nov 11 23:43:32 2013 +0100 usb: gadget: composite: reset delayed_status on reset_config commit 2bac51a1827a18821150ed8c9f9752c02f9c2b02 upstream. The delayed_status value is used to keep track of status response packets on ep0. It needs to be reset or the set_config function would still delay the answer, if the usb device got unplugged while waiting for setup_continue to be called. Signed-off-by: Michael Grzeschik Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit f7557c7fdd92577c7f31359fa92403ab81f5d72d Author: Alan Stern Date: Fri Nov 1 12:05:12 2013 -0400 usb: dwc3: fix implementation of endpoint wedge commit a535d81c92615b8ffb99b7e1fd1fb01effaed1af upstream. The dwc3 UDC driver doesn't implement endpoint wedging correctly. When an endpoint is wedged, the gadget driver should be allowed to clear the wedge by calling usb_ep_clear_halt(). Only the host is prevented from resetting the endpoint. This patch fixes the implementation. Signed-off-by: Alan Stern Tested-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 325be9564c80026b3ca6c1025e2fbb074bdd27a2 Author: Julius Werner Date: Thu Nov 7 10:59:14 2013 -0800 usb: hub: Use correct reset for wedged USB3 devices that are NOTATTACHED commit 2d51f3cd11f414c56a87dc018196b85fd50b04a4 upstream. This patch adds a check for USB_STATE_NOTATTACHED to the hub_port_warm_reset_required() workaround for ports that end up in Compliance Mode in hub_events() when trying to decide which reset function to use. Trying to call usb_reset_device() with a NOTATTACHED device will just fail and leave the port broken. Signed-off-by: Julius Werner Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit ee4bb2579e1182fa013694e429e6a418d6a3bb78 Author: Linus Torvalds Date: Thu Dec 12 09:38:42 2013 -0800 futex: fix handling of read-only-mapped hugepages commit f12d5bfceb7e1f9051563381ec047f7f13956c3c upstream. The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()"). The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken. Found by Dave Jones and his trinity tool. Reported-and-tested-by: Dave Jones Acked-by: Thomas Gleixner Cc: Mel Gorman Cc: Darren Hart Cc: Andrea Arcangeli Cc: Oleg Nesterov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 894a160626d09198b104ea6702d688eca90623ad Author: Dan Carpenter Date: Thu Oct 31 21:00:10 2013 +0300 xfs: underflow bug in xfs_attrlist_by_handle() commit 31978b5cc66b8ba8a7e8eef60b12395d41b7b890 upstream. If we allocate less than sizeof(struct attrlist) then we end up corrupting memory or doing a ZERO_PTR_SIZE dereference. This can only be triggered with CAP_SYS_ADMIN. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Reviewed-by: Dave Chinner Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 433b0da5d2248024c21cf39ebfc7a02d0b1acf01 Author: Brian Carnes Date: Thu Dec 12 08:05:32 2013 +0100 hwmon: (w83l786ng) Fix fan speed control mode setting and reporting commit cf7559bc053471f32373d71d04a9aa19e0b48d59 upstream. The wrong mask is used, which causes some fan speed control modes (pwmX_enable) to be incorrectly reported, and some modes to be impossible to set. [JD: add subject and description.] Signed-off-by: Brian Carnes Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit f843edd53fec967be6d41c81b1426ec82728934b Author: Andy Honig Date: Mon Nov 18 16:09:22 2013 -0800 KVM: Improve create VCPU parameter (CVE-2013-4587) commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream. In multiple functions the vcpu_id is used as an offset into a bitfield. Ag malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate priveges in the kernel. This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked. Reported-by: Andrew Honig Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 47131c7c78b82c3b67020ee99834841ec6f096b5 Author: Konstantin Khlebnikov Date: Thu Dec 5 14:23:48 2013 +0100 ARM: 7913/1: fix framepointer check in unwind_frame commit 3abb6671a9c04479c4bd026798a05f857393b7e2 upstream. This patch fixes corner case when (fp + 4) overflows unsigned long, for example: fp = 0xFFFFFFFF -> fp + 4 == 3. Signed-off-by: Konstantin Khlebnikov Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit fa2ea62aebfc642b13e0bd02c693c35cc910605c Author: Konstantin Khlebnikov Date: Thu Dec 5 14:21:36 2013 +0100 ARM: 7912/1: check stack pointer in get_wchan commit 1b15ec7a7427d4188ba91b9bbac696250a059d22 upstream. get_wchan() is lockless. Task may wakeup at any time and change its own stack, thus each next stack frame may be overwritten and filled with random stuff. /proc/$pid/stack interface had been disabled for non-current tasks, see [1] But 'wchan' still allows to trigger stack frame unwinding on volatile stack. This patch fixes oops in unwind_frame() by adding stack pointer validation on each step (as x86 code do), unwind_frame() already checks frame pointer. Also I've found another report of this oops on stackoverflow (irony). Link: http://www.spinics.net/lists/arm-kernel/msg110589.html [1] Link: http://stackoverflow.com/questions/18479894/unwind-frame-cause-a-kernel-paging-error Signed-off-by: Konstantin Khlebnikov Acked-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit c68cc16363bf6d92d8c7e017becec8bfb76f040b Author: Roger Quadros Date: Sun Dec 8 18:39:02 2013 -0700 ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module commit 7f4d3641e2548d1ac5dee837ff434df668a2810c upstream. Unlike what the comment states, errata i660 does not state that we can't RESET the USB host module. Instead it states that RESET is the only way to recover from a deadlock situation. RESET ensures that the module is in a known good state irrespective of what bootloader does with the module, so it must be done at boot. Signed-off-by: Roger Quadros Tested-by: Tomi Valkeinen # Panda, BeagleXM Fixes: de231388cb80 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3") Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit 921f3429bb9c9e3f20592c740ee356de9702e2ba Author: Dmitry Eremin-Solenikov Date: Sat Nov 16 16:47:50 2013 +0400 ARM: pxa: tosa: fix keys mapping commit 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 upstream. When converting from tosa-keyboard driver to matrix keyboard, tosa keys received extra 1 column shift. Replace that with correct values to make keyboard work again. Fixes: f69a6548c9d5 ('[ARM] pxa/tosa: make use of the matrix keypad driver') Signed-off-by: Dmitry Eremin-Solenikov Signed-off-by: Haojian Zhuang Signed-off-by: Olof Johansson Signed-off-by: Greg Kroah-Hartman commit 50a715f272de5c786e76607a3cd21489388c5a03 Author: Stefano Panella Date: Tue Dec 10 14:20:28 2013 +0000 ALSA: memalloc.h - fix wrong truncation of dma_addr_t commit 932e9dec380c67ec15ac3eb073bb55797d8b4801 upstream. When running a 32bit kernel the hda_intel driver is still reporting a 64bit dma_mask if the HW supports it. From sound/pci/hda/hda_intel.c: /* allow 64bit DMA address if supported by H/W */ if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64))) pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64)); else { pci_set_dma_mask(pci, DMA_BIT_MASK(32)); pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(32)); } which means when there is a call to dma_alloc_coherent from snd_malloc_dev_pages a machine address bigger than 32bit can be returned. This can be true in particular if running the 32bit kernel as a pv dom0 under the Xen Hypervisor or PAE on bare metal. The problem is that when calling setup_bdle to program the BLE the dma_addr_t returned from the dma_alloc_coherent is wrongly truncated from snd_sgbuf_get_addr if running a 32bit kernel: static inline dma_addr_t snd_sgbuf_get_addr(struct snd_dma_buffer *dmab, size_t offset) { struct snd_sg_buf *sgbuf = dmab->private_data; dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr; addr &= PAGE_MASK; return addr + offset % PAGE_SIZE; } where PAGE_MASK in a 32bit kernel is zeroing the upper 32bit af addr. Without this patch the HW will fetch the 32bit truncated address, which is not the one obtained from dma_alloc_coherent and will result to a non working audio but can corrupt host memory at a random location. The current patch apply to v3.13-rc3-74-g6c843f5 Signed-off-by: Stefano Panella Reviewed-by: Frediano Ziglio Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a6079a371fbd4e9cb4489b8a484b559427b97fe1 Author: Jim Quinlan Date: Tue Aug 27 16:57:51 2013 -0400 MIPS: DMA: For BMIPS5000 cores flush region just like non-coherent R10000 commit f86f55d3ad21b21b736bdeb29bee0f0937b77138 upstream. The BMIPS5000 (Zephyr) processor utilizes instruction speculation. A stale misprediction address in either the JTB or the CRS may trigger a prefetch inside a region that is currently being used by a DMA engine, which is not IO-coherent. This prefetch will fetch a line into the scache, and that line will soon become stale (ie wrong) during/after the DMA. Mayhem ensues. In dma-default.c, the r10000 is handled as a special case in the same way that we want to handle Zephyr. So we generalize the exception cases into a function, and include Zephyr as one of the processors that needs this special care. Signed-off-by: Jim Quinlan Cc: linux-mips@linux-mips.org Cc: cernekee@gmail.com Patchwork: https://patchwork.linux-mips.org/patch/5776/ Signed-off-by: Ralf Baechle Cc: John Ulvr Signed-off-by: Greg Kroah-Hartman