Pull networking update from David Miller:
 "A couple weeks of bug fixing in there.  The largest chunk is all the
  broken crap Amerigo Wang found in the netpoll layer."

 1) netpoll and it's users has several serious bugs:
    a) uses GFP_KERNEL with locks held
    b) interfaces requiring interrupts disabled are called with them
       enabled
    c) and vice versa
    d) VLAN tag demuxing, as per all other RX packet input paths, is not
       applied

    All from Amerigo Wang.

 2) Hopefully cure the ipv4 mapped ipv6 address TCP early demux bugs for
    good, from Neal Cardwell.

 3) Unlike AF_UNIX, AF_PACKET sockets don't set a default credentials
    when the user doesn't specify one explicitly during sendmsg().
    Instead we attach an empty (zero) SCM credential block which is
    definitely not what we want.  Fix from Eric Dumazet.

 4) IPv6 illegally invokes netdevice notifiers with RCU lock held, fix
    from Ben Hutchings.

 5) inet_csk_route_child_sock() checks wrong inet options pointer, fix
    from Christoph Paasch.

 6) When AF_PACKET is used for transmit, packet loopback doesn't behave
    properly when a socket fanout is enabled, from Eric Leblond.

 7) On bluetooth l2cap channel create failure, we leak the socket, from
    Jaganath Kanakkassery.

 8) Fix all the netprio file handling bugs found by Al Viro, from John
    Fastabend.

 9) Several error return and NULL deref bug fixes in networking drivers
    from Julia Lawall.

10) A large smattering of struct padding et al.  kernel memory leaks to
    userspace found of Mathias Krause.

11) Conntrack expections in netfilter can access an uninitialized timer,
    fix from Pablo Neira Ayuso.

12) Several netfilter SIP tracker bug fixes from Patrick McHardy.

13) IPSEC ipv6 routes are not initialized correctly all the time,
    resulting in an OOPS in inet_putpeer().  Also from Patrick McHardy.

14) Bridging does rcu_dereference() outside of RCU protected area, from
    Stephen Hemminger.

15) Fix routing cache removal performance regression when looking up
    output routes that have a local destination.  From Zheng Yan.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
  af_netlink: force credentials passing [CVE-2012-3520]
  ipv4: fix ip header ident selection in __ip_make_skb()
  ipv4: Use newinet->inet_opt in inet_csk_route_child_sock()
  tcp: fix possible socket refcount problem
  net: tcp: move sk_rx_dst_set call after tcp_create_openreq_child()
  net/core/dev.c: fix kernel-doc warning
  netconsole: remove a redundant netconsole_target_put()
  net: ipv6: fix oops in inet_putpeer()
  net/stmmac: fix issue of clk_get for Loongson1B.
  caif: Do not dereference NULL in chnl_recv_cb()
  af_packet: don't emit packet on orig fanout group
  drivers/net/irda: fix error return code
  drivers/net/wan/dscc4.c: fix error return code
  drivers/net/wimax/i2400m/fw.c: fix error return code
  smsc75xx: add missing entry to MAINTAINERS
  net: qmi_wwan: new devices: UML290 and K5006-Z
  net: sh_eth: Add eth support for R8A7779 device
  netdev/phy: skip disabled mdio-mux nodes
  dt: introduce for_each_available_child_of_node, of_get_next_available_child
  net: netprio: fix cgrp create and write priomap race
  ...

Pablo Neira Ayuso discovered that avahi and
potentially NetworkManager accept spoofed Netlink messages because of a
kernel bug.  The kernel passes all-zero SCM_CREDENTIALS ancillary data
to the receiver if the sender did not provide such data, instead of not
including any such data at all or including the correct data from the
peer (as it is the case with AF_UNIX).

This bug was introduced in commit 16e57262
(af_unix: dont send SCM_CREDENTIALS by default)

This patch forces passing credentials for netlink, as
before the regression.

Another fix would be to not add SCM_CREDENTIALS in
netlink messages if not provided by the sender, but it
might break some programs.

With help from Florian Weimer & Petr Matousek

This issue is designated as CVE-2012-3520
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Christian Casteyde reported a kmemcheck 32-bit read from uninitialized
memory in __ip_select_ident().

It turns out that __ip_make_skb() called ip_select_ident() before
properly initializing iph->daddr.

This is a bug uncovered by commit 1d861aa4 (inet: Minimize use of
cached route inetpeer.)

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=46131Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Since 0e734419 ("ipv4: Use inet_csk_route_child_sock() in DCCP and
TCP."), inet_csk_route_child_sock() is called instead of
inet_csk_route_req().

However, after creating the child-sock in tcp/dccp_v4_syn_recv_sock(),
ireq->opt is set to NULL, before calling inet_csk_route_child_sock().
Thus, inside inet_csk_route_child_sock() opt is always NULL and the
SRR-options are not respected anymore.
Packets sent by the server won't have the correct destination-IP.

This patch fixes it by accessing newinet->inet_opt instead of ireq->opt
inside inet_csk_route_child_sock().
Reported-by: Luca Boccassi <luca.boccassi@gmail.com>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>

Commit 6f458dfb (tcp: improve latencies of timer triggered events)
added bug leading to following trace :

[ 2866.131281] IPv4: Attempt to release TCP socket in state 1 ffff880019ec0000
[ 2866.131726]
[ 2866.132188] =========================
[ 2866.132281] [ BUG: held lock freed! ]
[ 2866.132281] 3.6.0-rc1+ #622 Not tainted
[ 2866.132281] -------------------------
[ 2866.132281] kworker/0:1/652 is freeing memory ffff880019ec0000-ffff880019ec0a1f, with a lock still held there!
[ 2866.132281]  (sk_lock-AF_INET-RPC){+.+...}, at: [<ffffffff81903619>] tcp_sendmsg+0x29/0xcc6
[ 2866.132281] 4 locks held by kworker/0:1/652:
[ 2866.132281]  #0:  (rpciod){.+.+.+}, at: [<ffffffff81083567>] process_one_work+0x1de/0x47f
[ 2866.132281]  #1:  ((&task->u.tk_work)){+.+.+.}, at: [<ffffffff81083567>] process_one_work+0x1de/0x47f
[ 2866.132281]  #2:  (sk_lock-AF_INET-RPC){+.+...}, at: [<ffffffff81903619>] tcp_sendmsg+0x29/0xcc6
[ 2866.132281]  #3:  (&icsk->icsk_retransmit_timer){+.-...}, at: [<ffffffff81078017>] run_timer_softirq+0x1ad/0x35f
[ 2866.132281]
[ 2866.132281] stack backtrace:
[ 2866.132281] Pid: 652, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #622
[ 2866.132281] Call Trace:
[ 2866.132281]  <IRQ>  [<ffffffff810bc527>] debug_check_no_locks_freed+0x112/0x159
[ 2866.132281]  [<ffffffff818a0839>] ? __sk_free+0xfd/0x114
[ 2866.132281]  [<ffffffff811549fa>] kmem_cache_free+0x6b/0x13a
[ 2866.132281]  [<ffffffff818a0839>] __sk_free+0xfd/0x114
[ 2866.132281]  [<ffffffff818a08c0>] sk_free+0x1c/0x1e
[ 2866.132281]  [<ffffffff81911e1c>] tcp_write_timer+0x51/0x56
[ 2866.132281]  [<ffffffff81078082>] run_timer_softirq+0x218/0x35f
[ 2866.132281]  [<ffffffff81078017>] ? run_timer_softirq+0x1ad/0x35f
[ 2866.132281]  [<ffffffff810f5831>] ? rb_commit+0x58/0x85
[ 2866.132281]  [<ffffffff81911dcb>] ? tcp_write_timer_handler+0x148/0x148
[ 2866.132281]  [<ffffffff81070bd6>] __do_softirq+0xcb/0x1f9
[ 2866.132281]  [<ffffffff81a0a00c>] ? _raw_spin_unlock+0x29/0x2e
[ 2866.132281]  [<ffffffff81a1227c>] call_softirq+0x1c/0x30
[ 2866.132281]  [<ffffffff81039f38>] do_softirq+0x4a/0xa6
[ 2866.132281]  [<ffffffff81070f2b>] irq_exit+0x51/0xad
[ 2866.132281]  [<ffffffff81a129cd>] do_IRQ+0x9d/0xb4
[ 2866.132281]  [<ffffffff81a0a3ef>] common_interrupt+0x6f/0x6f
[ 2866.132281]  <EOI>  [<ffffffff8109d006>] ? sched_clock_cpu+0x58/0xd1
[ 2866.132281]  [<ffffffff81a0a172>] ? _raw_spin_unlock_irqrestore+0x4c/0x56
[ 2866.132281]  [<ffffffff81078692>] mod_timer+0x178/0x1a9
[ 2866.132281]  [<ffffffff818a00aa>] sk_reset_timer+0x19/0x26
[ 2866.132281]  [<ffffffff8190b2cc>] tcp_rearm_rto+0x99/0xa4
[ 2866.132281]  [<ffffffff8190dfba>] tcp_event_new_data_sent+0x6e/0x70
[ 2866.132281]  [<ffffffff8190f7ea>] tcp_write_xmit+0x7de/0x8e4
[ 2866.132281]  [<ffffffff818a565d>] ? __alloc_skb+0xa0/0x1a1
[ 2866.132281]  [<ffffffff8190f952>] __tcp_push_pending_frames+0x2e/0x8a
[ 2866.132281]  [<ffffffff81904122>] tcp_sendmsg+0xb32/0xcc6
[ 2866.132281]  [<ffffffff819229c2>] inet_sendmsg+0xaa/0xd5
[ 2866.132281]  [<ffffffff81922918>] ? inet_autobind+0x5f/0x5f
[ 2866.132281]  [<ffffffff810ee7f1>] ? trace_clock_local+0x9/0xb
[ 2866.132281]  [<ffffffff8189adab>] sock_sendmsg+0xa3/0xc4
[ 2866.132281]  [<ffffffff810f5de6>] ? rb_reserve_next_event+0x26f/0x2d5
[ 2866.132281]  [<ffffffff8103e6a9>] ? native_sched_clock+0x29/0x6f
[ 2866.132281]  [<ffffffff8103e6f8>] ? sched_clock+0x9/0xd
[ 2866.132281]  [<ffffffff810ee7f1>] ? trace_clock_local+0x9/0xb
[ 2866.132281]  [<ffffffff8189ae03>] kernel_sendmsg+0x37/0x43
[ 2866.132281]  [<ffffffff8199ce49>] xs_send_kvec+0x77/0x80
[ 2866.132281]  [<ffffffff8199cec1>] xs_sendpages+0x6f/0x1a0
[ 2866.132281]  [<ffffffff8107826d>] ? try_to_del_timer_sync+0x55/0x61
[ 2866.132281]  [<ffffffff8199d0d2>] xs_tcp_send_request+0x55/0xf1
[ 2866.132281]  [<ffffffff8199bb90>] xprt_transmit+0x89/0x1db
[ 2866.132281]  [<ffffffff81999bcd>] ? call_connect+0x3c/0x3c
[ 2866.132281]  [<ffffffff81999d92>] call_transmit+0x1c5/0x20e
[ 2866.132281]  [<ffffffff819a0d55>] __rpc_execute+0x6f/0x225
[ 2866.132281]  [<ffffffff81999bcd>] ? call_connect+0x3c/0x3c
[ 2866.132281]  [<ffffffff819a0f33>] rpc_async_schedule+0x28/0x34
[ 2866.132281]  [<ffffffff810835d6>] process_one_work+0x24d/0x47f
[ 2866.132281]  [<ffffffff81083567>] ? process_one_work+0x1de/0x47f
[ 2866.132281]  [<ffffffff819a0f0b>] ? __rpc_execute+0x225/0x225
[ 2866.132281]  [<ffffffff81083a6d>] worker_thread+0x236/0x317
[ 2866.132281]  [<ffffffff81083837>] ? process_scheduled_works+0x2f/0x2f
[ 2866.132281]  [<ffffffff8108b7b8>] kthread+0x9a/0xa2
[ 2866.132281]  [<ffffffff81a12184>] kernel_thread_helper+0x4/0x10
[ 2866.132281]  [<ffffffff81a0a4b0>] ? retint_restore_args+0x13/0x13
[ 2866.132281]  [<ffffffff8108b71e>] ? __init_kthread_worker+0x5a/0x5a
[ 2866.132281]  [<ffffffff81a12180>] ? gs_change+0x13/0x13
[ 2866.308506] IPv4: Attempt to release TCP socket in state 1 ffff880019ec0000
[ 2866.309689] =============================================================================
[ 2866.310254] BUG TCP (Not tainted): Object already free
[ 2866.310254] -----------------------------------------------------------------------------
[ 2866.310254]

The bug comes from the fact that timer set in sk_reset_timer() can run
before we actually do the sock_hold(). socket refcount reaches zero and
we free the socket too soon.

timer handler is not allowed to reduce socket refcnt if socket is owned
by the user, or we need to change sk_reset_timer() implementation.

We should take a reference on the socket in case TCP_DELACK_TIMER_DEFERRED
or TCP_DELACK_TIMER_DEFERRED bit are set in tsq_flags

Also fix a typo in tcp_delack_timer(), where TCP_WRITE_TIMER_DEFERRED
was used instead of TCP_DELACK_TIMER_DEFERRED.

For consistency, use same socket refcount change for TCP_MTU_REDUCED_DEFERRED,
even if not fired from a timer.
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Pull audit-tree fixes from Miklos Szeredi:
 "The audit subsystem maintainers (Al and Eric) are not responding to
  repeated resends.  Eric did ack them a while ago, but no response
  since then.  So I'm sending these directly to you."

* 'audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  audit: clean up refcounting in audit-tree
  audit: fix refcounting in audit-tree
  audit: don't free_chunk() after fsnotify_add_mark()

Pull m68knommu arch fixes from Greg Ungerer:
 "This contains 2 fixes.  One fixes compilation of ColdFire clk code,
  the other makes sure we use the generic atomic64 support on all m68k
  targets."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k: select CONFIG_GENERIC_ATOMIC64 for all m68k CPU types
  m68knommu: select CONFIG_HAVE_CLK for ColdFire CPU types

Merge tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 - Fixed Nomadik errorpath
 - Fixed documentation spelling errors
 - Forward-declare struct device in a header file
 - Remove some extraneous code lines when getting pinctrl states
 - Correct the i.MX51 configure register number
 - Fix the Nomadik keypad function group list

* tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl/nomadik: add kp_b_2 keyboard function group list
  pinctrl: imx51: fix .conf_reg of MX51_PAD_SD2_CMD__CSPI_MOSI
  trivial: pinctrl core: remove extraneous code lines
  pinctrl: header: trivial: declare struct device
  Documentation/pinctrl.txt: Fix some misspelled macros
  pinctrl/nomadik: fix null in irqdomain errorpath

Pull sound fixes from Takashi Iwai:
 "This update became slightly bigger than usual for rc3, but most of the
  commits are small and trivial.  A large chunk is found for HD-audio
  ca0132 codec, which is mostly a clean up of the specific code, to make
  SPDIF working properly, and also in the new ASoC Arizona driver.

  One important fix is for usb-audio Oops fix since 3.5.  We still see
  some EHCI related bandwidth problem, but usb-audio should be more
  stabilized now.

  Other than that, a Kconfig fix is spread over files, and various
  HD-audio and ASoC fixes as usual, in addition to Julia's error path
  fixes."

* tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (42 commits)
  ALSA: snd-als100: fix suspend/resume
  ALSA: hda - Fix leftover codec->power_transition
  ALSA: hda - don't create dysfunctional mixer controls for ca0132
  ALSA: sound/ppc/snd_ps3.c: fix error return code
  ALSA: sound/pci/rme9652/hdspm.c: fix error return code
  ALSA: sound/pci/sis7019.c: fix error return code
  ALSA: sound/pci/ctxfi/ctatc.c: fix error return code
  ALSA: sound/atmel/ac97c.c: fix error return code
  ALSA: sound/atmel/abdac.c: fix error return code
  ALSA: fix pcm.h kernel-doc warning and notation
  sound: oss/sb_audio: prevent divide by zero bug
  ASoC: wm9712: Fix inverted capture volume
  ASoC: wm9712: Fix microphone source selection
  ASoC: wm5102: Remove DRC2
  ALSA: hda - Don't send invalid volume knob command on IDT 92hd75bxx
  ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream
  ALSA: lx6464es: Add a missing error check
  ALSA: hda - Fix 'Beep Playback Switch' with no underlying mute switch
  ASoC: jack: Always notify full jack status
  ASoC: wm5110: Add missing input PGA routes
  ...

It seems commit 4a9d4b02 ("switch fput to task_work_add") re-
introduced the problem addressed in 944be0b2 ("close_files(): add
scheduling point")

If a server process with a lot of files (say 2 million tcp sockets) is
killed, we can spend a lot of time in task_work_run() and trigger a soft
lockup.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

So we've had a fair few reports of fbcon handover breakage between
efi/vesafb and i915 surface recently, so I dedicated a couple of
days to finding the problem.

Essentially the last thing we saw was the conflicting framebuffer
message and that was all.

So after much tracing with direct netconsole writes (printks
under console_lock not so useful), I think I found the race.

  Thread A (driver load)    Thread B (timer thread)
    unbind_con_driver ->              |
    bind_con_driver ->                |
    vc->vc_sw->con_deinit ->          |
    fbcon_deinit ->                   |
    console_lock()                    |
        |                             |
        |                       fbcon_flashcursor timer fires
        |                       console_lock() <- blocked for A
        |
        |
  fbcon_del_cursor_timer ->
    del_timer_sync
    (BOOM)

Of course because all of this is under the console lock,
we never see anything, also since we also just unbound the active
console guess what we never see anything.

Hopefully this fixes the problem for anyone seeing vesafb->kms
driver handoff.
Signed-off-by: David Airlie <airlied@redhat.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable@vger.kernel.org
Tested-by: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

snd_card_als100_probe() does not set pcm field in struct snd_sb.
As a result, PCM is not suspended and applications don't know that they need
to resume the playback.

Tested with Labway A381-F20 card (ALS120).
Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Pull PCI fixes from Bjorn Helgaas:
 "Here are two patches from Rafael Wysocki.

  One fixes an EHCI-related hibernation crash on ASUS boxes.  We fixed a
  similar suspend issue in v3.6-rc1, and this applies the same fix to
  the hibernate path.

  The other fixes D3/D3cold/D4 messages related to the D3cold support we
  merged in v3.6-rc1."

(Removed redundant top non-fast-forward merge commit from pulled branch)

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: EHCI: Fix crash during hibernation on ASUS computers
  PCI / PM: Fix D3/D3cold/D4 messages printed by acpi_pci_set_power_state()

Pull config cleanup for ia64 from Tony Luck:
 "Clean out references to dead CONFIG_MISC_DEVICES option"

* tag 'please-pull-ia64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux:
  [IA64] defconfig: Remove CONFIG_MISC_DEVICES

Pull more USB patches from Greg Kroah-Hartman:
 "Here are 10 more USB patches for 3.6-rc3.  They all fix reported
  problems (build problems for one of them, and easily repeatable oopses
  for the others.)

  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

* tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  gpu/mfd/usb: Fix USB randconfig problems
  USB: CDC ACM: Fix NULL pointer dereference
  USB: emi62: remove __devinit* from the struct usb_device_id table
  USB: winbond: remove __devinit* from the struct usb_device_id table
  USB: vt6656: remove __devinit* from the struct usb_device_id table
  USB: rtl8187: remove __devinit* from the struct usb_device_id table
  USB: p54usb: remove __devinit* from the struct usb_device_id table
  USB: spca506: remove __devinit* from the struct usb_device_id table
  USB: jl2005bcd: remove __devinit* from the struct usb_device_id table
  USB: smsusb: remove __devinit* from the struct usb_device_id table

Pull one more driver core fix from Greg Kroah-Hartman:
 "Here is one fix for the dmesg line corruption problem that the
  previous set of patches caused.

  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

* tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  dyndbg: fix for SOH in logging messages

Pull x86 platform driver update from Matthew Garrett:
 "Some small updates for a few drivers, and some hardware enablement for
  new Ideapads and the gmux hardware in the latest Macs.

  This code won't run on older devices and has been well tested on new
  ones, so low risk of regressions."

* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
  ideapad: add Lenovo IdeaPad Z570 support (part 3)
  ideapad: add Lenovo IdeaPad Z570 support (part 2)
  ideapad: add Lenovo IdeaPad Z570 support (part 1)
  classmate-laptop: always call input_sync() after input_report_switch()
  thinkpad-acpi: recognize latest V-Series using DMI_BIOS_VENDOR
  dell-laptop: Fixed typo in touchpad LED quirk
  vga_switcheroo: Don't require handler init callback
  vga_switcheroo: Remove assumptions about registration/unregistration ordering
  apple-gmux: Add display mux support
  apple-gmux: Fix kconfig dependencies
  asus-wmi: record wlan status while controlled by userapp
  apple_gmux: Fix ACPI video unregister
  apple_gmux: Add support for newer hardware
  gmux: Add generic write32 function

Pull a hwmon fix from Guenter Roeck:
 "One patch with section conflict fixes."

* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  sections: Fix section conflicts in drivers/hwmon

Pull spi fixes from Mark Brown:
 "Grant is still away so another pull request with some fairly minor
  fixes, the most notable of which are several fixes for some common
  error patterns with the reference counting spi_master_get/put do."

* tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
  spi/coldfire-qspi: Drop extra calls to spi_master_get in suspend/resume functions
  spi: spi-coldfire-qspi: Drop extra spi_master_put in device remove function
  spi/pl022: fix spi-pl022 pm enable at probe
  spi/bcm63xx: Ensure that memory is freed only after it is no longer used
  spi: omap2-mcspi: Fix the error handling in probe
  spi/s3c64xx: Add missing static storage class specifiers

commit 7c5763b8 (drivers:misc: Remove MISC_DEVICES config option) removed
CONFIG_MISC_DEVICES option, so remove the occurrences from the config files
as well.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>

Pull regulator fixes from Mark Brown:
 "A bunch of fixes which are a combination of minor fixes that have been
  shaken down due to greater testing exposure, the biggest block of
  which are for the Palmas driver which hadn't had all the changes
  required for mainline properly tested when it was merged."

* tag 'regulator-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: twl-regulator: fix up VINTANA1/VINTANA2
  regulator: core: request only valid gpio pins for regulator enable
  regulator: twl: Remove references to the twl4030 regulator
  regulator: gpio-regulator: Split setting of voltages and currents
  regulator: ab3100: add missing voltage table
  regulator: anatop: Fix wrong mask used in anatop_get_voltage_sel
  regulator: tps6586x: correct vin pin for sm0/sm1/sm2
  regulator: palmas: Fix palmas_probe error handling
  regulator: palmas: Call palmas_ldo_[read|write] in palmas_ldo_init
  regulator: palmas: Fix regmap offsets for PALMAS_REG_SMPS10 vsel_reg
  regulator: palmas: Fix calculating selector in palmas_map_voltage_ldo

Pull IOMMU fixes from Joerg Roedel:
 "Two fixes are necessary.  One patch fixes a boot crash on MacBook Air
  with interrupt remapping enabled and the other patch fixes a
  regression (which causes a boot crash on AMD IOMMUv2 systems too) in
  the init code of the AMD IOMMU driver."

* tag 'iommu-fixes-v3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/amd: Fix wrong check for ARRAY_SIZE()
  irq_remap: disable IRQ remapping if any IOAPIC lacks an IOMMU

When the codec turn-on operation is canceled by the immediate
power-on, the driver left the power_transition flag as is.
This caused the persistent avoidance of power-save behavior.

Cc: <stable@vger.kernel.org> [v3.5+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ASoC: Additional updates for 3.6

A batch more bugfixes, all driver-specific and fairly small and
unremarkable in a global context.  The biggest batch are for the newly
added Arizona drivers.

Fix config warning:

warning: ( ... && DRM_USB) selects USB which has unmet direct dependencies
(USB_SUPPORT && USB_ARCH_HAS_HCD)

and build error:
ERROR: "usb_speed_string" [drivers/usb/core/usbcore.ko] undefined!

by adding the missing dependency on USB_ARCH_HAS_HCD to DRM_UDL and DRM_USB.

This exposes:
drivers/video/Kconfig:36:error: recursive dependency detected!
drivers/video/Kconfig:36:       symbol FB is selected by DRM_KMS_HELPER
drivers/gpu/drm/Kconfig:28:     symbol DRM_KMS_HELPER is selected by DRM_UDL
drivers/gpu/drm/udl/Kconfig:1:  symbol DRM_UDL depends on USB_ARCH_HAS_HCD
drivers/usb/Kconfig:78: symbol USB_ARCH_HAS_HCD depends on USB_ARCH_HAS_OHCI
drivers/usb/Kconfig:16: symbol USB_ARCH_HAS_OHCI depends on I2C
drivers/i2c/Kconfig:5:  symbol I2C is selected by FB_DDC
drivers/video/Kconfig:86:       symbol FB_DDC is selected by FB_CYBER2000_DDC
drivers/video/Kconfig:385:      symbol FB_CYBER2000_DDC depends on FB_CYBER2000
drivers/video/Kconfig:373:      symbol FB_CYBER2000 depends on FB

which is due to drivers/usb/Kconfig:
config USB_ARCH_HAS_OHCI
	...
	default y if ARCH_PNX4008 && I2C

Fix by dropping I2C from the above dependency; logic is that this is not a
platform dependency but a configuration dependency: the _architecture_ still
supports USB even is I2C is not selected.

This exposes:
drivers/video/Kconfig:36:error: recursive dependency detected!
drivers/video/Kconfig:36:       symbol FB is selected by DRM_KMS_HELPER
drivers/gpu/drm/Kconfig:28:     symbol DRM_KMS_HELPER is selected by DRM_UDL
drivers/gpu/drm/udl/Kconfig:1:  symbol DRM_UDL depends on USB_ARCH_HAS_HCD
drivers/usb/Kconfig:78: symbol USB_ARCH_HAS_HCD depends on USB_ARCH_HAS_OHCI
drivers/usb/Kconfig:17: symbol USB_ARCH_HAS_OHCI depends on MFD_TC6393XB
drivers/mfd/Kconfig:396:        symbol MFD_TC6393XB depends on GPIOLIB
drivers/gpio/Kconfig:35:        symbol GPIOLIB is selected by FB_VIA
drivers/video/Kconfig:1560:     symbol FB_VIA depends on FB

which can be fixed by having MFD_TC6393XB select GPIOLIB instead of depending on
it.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Pull x86 fixes from Ingo Molnar.

A x32 socket ABI fix with a -stable backport tag among other fixes.

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x32: Use compat shims for {g,s}etsockopt
  Revert "x86-64/efi: Use EFI to deal with platform wall clock"
  x86, apic: fix broken legacy interrupts in the logical apic mode
  x86, build: Globally set -fno-pic
  x86, avx: don't use avx instructions with "noxsave" boot param

Pull scheduler fixes from Ingo Molnar.

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched: Fix migration thread runtime bogosity
  sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled
  sched,cgroup: Fix up task_groups list
  sched: fix divide by zero at {thread_group,task}_times
  sched, cgroup: Reduce rq->lock hold times for large cgroup hierarchies

Pull x86 perf fixes from Ingo Molnar.

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86: disable PEBS on a guest entry.
  perf/x86: Add Intel Westmere-EX uncore support
  perf/x86: Fixes for Nehalem-EX uncore driver
  perf, x86: Fix uncore_types_exit section mismatch

Pull a mutex fix from Ingo Molnar.

Fix the fastpath_lock failure contention flag for xchg-based mutexes.

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  mutex: Place lock in contended state after fastpath_lock failure

compat_sys_{read,write}v() need the same "pass a copy of file->f_pos" thing
as sys_{read,write}{,v}().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The patch adds support for Lenovo IdeaPad Z570 laptop. It makes all special
keys working, adds possibility to control fan like Windows does, controls
Touchpad Disabled LED, toggles touchpad state via keyboard controller and
corrects touchpad behavior on resume from suspend. It is new, modified
version of patch. Now it does not depend on psmouse and does not need patching
of input subsystem.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>

This is the part 3 for fan control
Signed-off-by: Ike Panhc <ike.pan@canonical.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>

The patch adds support for Lenovo IdeaPad Z570 laptop. It makes all special
keys working, adds possibility to control fan like Windows does, controls
Touchpad Disabled LED, toggles touchpad state via keyboard controller and
corrects touchpad behavior on resume from suspend. It is new, modified
version of patch. Now it does not depend on psmouse and does not need patching
of input subsystem.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>

This is part 2 for touchpad toggle
Signed-off-by: Ike Panhc <ike.pan@canonical.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>

The patch adds support for Lenovo IdeaPad Z570 laptop. It makes all special
keys working, adds possibility to control fan like Windows does, controls
Touchpad Disabled LED, toggles touchpad state via keyboard controller and
corrects touchpad behavior on resume from suspend. It is new, modified
version of patch. Now it does not depend on psmouse and does not need patching
of input subsystem.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>

This is part 1 for special button handling.
Signed-off-by: Ike Panhc <ike.pan@canonical.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>

This commit removes the sk_rx_dst_set calls from
tcp_create_openreq_child(), because at that point the icsk_af_ops
field of ipv6_mapped TCP sockets has not been set to its proper final
value.

Instead, to make sure we get the right sk_rx_dst_set variant
appropriate for the address family of the new connection, we have
tcp_v{4,6}_syn_recv_sock() directly call the appropriate function
shortly after the call to tcp_create_openreq_child() returns.

This also moves inet6_sk_rx_dst_set() to avoid a forward declaration
with the new approach.
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reported-by: Artem Savkov <artem.savkov@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Fix kernel-doc warning:

Warning(net/core/dev.c:5745): No description found for parameter 'dev'
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Cc:	"David S. Miller" <davem@davemloft.net>
Cc:	netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>

This netconsole_target_put() is obviously redundant, and it
causes a kernel segfault when removing a bridge device which has
netconsole running on it.

This is caused by:

	commit 8d8fc29d
	Author: Amerigo Wang <amwang@redhat.com>
	Date:   Thu May 19 21:39:10 2011 +0000

	    netpoll: disable netpoll when enslave a device

Cc: David Miller <davem@davemloft.net>
 (for all 3.x stable releases)
Cc: stable@vger.kernel.org
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Commit 97bab73f (inet: Hide route peer accesses behind helpers.) introduced
a bug in xfrm6_policy_destroy(). The xfrm_dst's _rt6i_peer member is not
initialized, causing a false positive result from inetpeer_ptr_is_peer(),
which in turn causes a NULL pointer dereference in inet_putpeer().

Pid: 314, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #17 To Be Filled By O.E.M. To Be Filled By O.E.M./P4S800D-X
EIP: 0060:[<c03abf93>] EFLAGS: 00010246 CPU: 0
EIP is at inet_putpeer+0xe/0x16
EAX: 00000000 EBX: f3481700 ECX: 00000000 EDX: 000dd641
ESI: f3481700 EDI: c05e949c EBP: f551def4 ESP: f551def4
 DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
CR0: 8005003b CR2: 00000070 CR3: 3243d000 CR4: 00000750
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
 f551df04 c0423de1 00000000 f3481700 f551df18 c038d5f7 f254b9f8 f551df28
 f34f85d8 f551df20 c03ef48d f551df3c c0396870 f30697e8 f24e1738 c05e98f4
 f5509540 c05cd2b4 f551df7c c0142d2b c043feb5 f5509540 00000000 c05cd2e8
 [<c0423de1>] xfrm6_dst_destroy+0x42/0xdb
 [<c038d5f7>] dst_destroy+0x1d/0xa4
 [<c03ef48d>] xfrm_bundle_flo_delete+0x2b/0x36
 [<c0396870>] flow_cache_gc_task+0x85/0x9f
 [<c0142d2b>] process_one_work+0x122/0x441
 [<c043feb5>] ? apic_timer_interrupt+0x31/0x38
 [<c03967eb>] ? flow_cache_new_hashrnd+0x2b/0x2b
 [<c0143e2d>] worker_thread+0x113/0x3cc

Fix by adding a init_dst() callback to struct xfrm_policy_afinfo to
properly initialize the dst's peer pointer.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

When getting clock, give a chance to the CPUs without DT support,
which use Common Clock Framework, such as Loongson1B.
Signed-off-by: Kelvin Cheung <keguang.zhang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
which may return NULL, but we do not check for a NULL pointer before
dereferencing it.
This patch adds such a NULL check and properly free's allocated memory
and return an error (-EINVAL) on failure - much better than crashing..
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Pable Neira Ayuso says:

====================
The following five patches contain fixes for 3.6-rc, they are:

* Two fixes for message parsing in the SIP conntrack helper, from
  Patrick McHardy.

* One fix for the SIP helper introduced in the user-space cthelper
  infrastructure, from Patrick McHardy.

* fix missing appropriate locking while modifying one conntrack entry
  from the nfqueue integration code, from myself.

* fix possible access to uninitiliazed timer in the nf_conntrack
  expectation infrastructure, from myself.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>