We have a problem where the big_key key storage implementation uses a
shmem backed inode to hold the key contents.  Because of this detail of
implementation LSM checks are being done between processes trying to
read the keys and the tmpfs backed inode.  The LSM checks are already
being handled on the key interface level and should not be enforced at
the inode level (since the inode is an implementation detail, not a
part of the security model)

This patch implements a new function shmem_kernel_file_setup() which
returns the equivalent to shmem_file_setup() only the underlying inode
has S_PRIVATE set.  This means that all LSM checks for the inode in
question are skipped.  It should only be used for kernel internal
operations where the inode is not exposed to userspace without proper
LSM checking.  It is possible that some other users of
shmem_file_setup() should use the new interface, but this has not been
explored.

Reproducing this bug is a little bit difficult.  The steps I used on
Fedora are:

 (1) Turn off selinux enforcing:

	setenforce 0

 (2) Create a huge key

	k=`dd if=/dev/zero bs=8192 count=1 | keyctl padd big_key test-key @s`

 (3) Access the key in another context:

	runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $k >/dev/null

 (4) Examine the audit logs:

	ausearch -m AVC -i --subject httpd_t | audit2allow

If the last command's output includes a line that looks like:

	allow httpd_t user_tmpfs_t:file { open read };

There was an inode check between httpd and the tmpfs filesystem.  With
this patch no such denial will be seen.  (NOTE! you should clear your
audit log if you have tested for this previously)

(Please return you box to enforcing)
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hugh Dickins <hughd@google.com>
cc: linux-mm@kvack.org

If a keyring contains more than 16 keyrings (the capacity of a single node in
the associative array) then those keyrings are split over multiple nodes
arranged as a tree.

If search_nested_keyrings() is called to search the keyring then it will
attempt to manually walk over just the 0 branch of the associative array tree
where all the keyring links are stored.  This works provided the key is found
before the algorithm steps from one node containing keyrings to a child node
or if there are sufficiently few keyring links that the keyrings are all in
one node.

However, if the algorithm does need to step from a node to a child node, it
doesn't change the node pointer unless a shortcut also gets transited.  This
means that the algorithm will keep scanning the same node over and over again
without terminating and without returning.

To fix this, move the internal-pointer-to-node translation from inside the
shortcut transit handler so that it applies it to node arrival as well.

This can be tested by:

	r=`keyctl newring sandbox @s`
	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
	for ((i=0; i<=16; i++)); do keyctl add user a$i a %:ring$i; done
	for ((i=0; i<=16; i++)); do keyctl search $r user a$i; done
	for ((i=17; i<=20; i++)); do keyctl search $r user a$i; done

The searches should all complete successfully (or with an error for 17-20),
but instead one or more of them will hang.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Stephen Gallagher <sgallagh@redhat.com>

If sufficient keys (or keyrings) are added into a keyring such that a node in
the associative array's tree overflows (each node has a capacity N, currently
16) and such that all N+1 keys have the same index key segment for that level
of the tree (the level'th nibble of the index key), then assoc_array_insert()
calls ops->diff_objects() to indicate at which bit position the two index keys
vary.

However, __key_link_begin() passes a NULL object to assoc_array_insert() with
the intention of supplying the correct pointer later before we commit the
change.  This means that keyring_diff_objects() is given a NULL pointer as one
of its arguments which it does not expect.  This results in an oops like the
attached.

With the previous patch to fix the keyring hash function, this can be forced
much more easily by creating a keyring and only adding keyrings to it.  Add any
other sort of key and a different insertion path is taken - all 16+1 objects
must want to cluster in the same node slot.

This can be tested by:

	r=`keyctl newring sandbox @s`
	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done

This should work fine, but oopses when the 17th keyring is added.

Since ops->diff_objects() is always called with the first pointer pointing to
the object to be inserted (ie. the NULL pointer), we can fix the problem by
changing the to-be-inserted object pointer to point to the index key passed
into assoc_array_insert() instead.

Whilst we're at it, we also switch the arguments so that they are the same as
for ->compare_object().

BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
IP: [<ffffffff81191ee4>] hash_key_type_and_desc+0x18/0xb0
...
RIP: 0010:[<ffffffff81191ee4>] hash_key_type_and_desc+0x18/0xb0
...
Call Trace:
 [<ffffffff81191f9d>] keyring_diff_objects+0x21/0xd2
 [<ffffffff811f09ef>] assoc_array_insert+0x3b6/0x908
 [<ffffffff811929a7>] __key_link_begin+0x78/0xe5
 [<ffffffff81191a2e>] key_create_or_update+0x17d/0x36a
 [<ffffffff81192e0a>] SyS_add_key+0x123/0x183
 [<ffffffff81400ddb>] tracesys+0xdd/0xe2
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Stephen Gallagher <sgallagh@redhat.com>

The keyring hash function (used by the associative array) is supposed to clear
the bottommost nibble of the index key (where the hash value resides) for
keyrings and make sure it is non-zero for non-keyrings.  This is done to make
keyrings cluster together on one branch of the tree separately to other keys.

Unfortunately, the wrong mask is used, so only the bottom two bits are
examined and cleared and not the whole bottom nibble.  This means that keys
and keyrings can still be successfully searched for under most circumstances
as the hash is consistent in its miscalculation, but if a keyring's
associative array bottom node gets filled up then approx 75% of the keyrings
will not be put into the 0 branch.

The consequence of this is that a key in a keyring linked to by another
keyring, ie.

	keyring A -> keyring B -> key

may not be found if the search starts at keyring A and then descends into
keyring B because search_nested_keyrings() only searches up the 0 branch (as it
"knows" all keyrings must be there and not elsewhere in the tree).

The fix is to use the right mask.

This can be tested with:

	r=`keyctl newring sandbox @s`
	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
	for ((i=0; i<=16; i++)); do keyctl add user a$i a %:ring$i; done
	for ((i=0; i<=16; i++)); do keyctl search $r user a$i; done

This creates a sandbox keyring, then creates 17 keyrings therein (labelled
ring0..ring16).  This causes the root node of the sandbox's associative array
to overflow and for the tree to have extra nodes inserted.

Each keyring then is given a user key (labelled aN for ringN) for us to search
for.

We then search for the user keys we added, starting from the sandbox.  If
working correctly, it should return the same ordered list of key IDs as
for...keyctl add... did.  Without this patch, it reports ENOKEY "Required key
not available" for some of the keys.  Just which keys get this depends as the
kernel pointer to the key type forms part of the hash function.
Reported-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Stephen Gallagher <sgallagh@redhat.com>

The second word of key->payload does not get initialised in key_alloc(), but
the big_key type is relying on it having been cleared.  The problem comes when
big_key fails to instantiate a large key and doesn't then set the payload.  The
big_key_destroy() op is called from the garbage collector and this assumes that
the dentry pointer stored in the second word will be NULL if instantiation did
not complete.

Therefore just pre-clear the entire struct key on allocation rather than trying
to be clever and only initialising to 0 only those bits that aren't otherwise
initialised.

The lack of initialisation can lead to a bug report like the following if
big_key failed to initialise its file:

	general protection fault: 0000 [#1] SMP
	Modules linked in: ...
	CPU: 0 PID: 51 Comm: kworker/0:1 Not tainted 3.10.0-53.el7.x86_64 #1
	Hardware name: Dell Inc. PowerEdge 1955/0HC513, BIOS 1.4.4 12/09/2008
	Workqueue: events key_garbage_collector
	task: ffff8801294f5680 ti: ffff8801296e2000 task.ti: ffff8801296e2000
	RIP: 0010:[<ffffffff811b4a51>] dput+0x21/0x2d0
	...
	Call Trace:
	 [<ffffffff811a7b06>] path_put+0x16/0x30
	 [<ffffffff81235604>] big_key_destroy+0x44/0x60
	 [<ffffffff8122dc4b>] key_gc_unused_keys.constprop.2+0x5b/0xe0
	 [<ffffffff8122df2f>] key_garbage_collector+0x1df/0x3c0
	 [<ffffffff8107759b>] process_one_work+0x17b/0x460
	 [<ffffffff8107834b>] worker_thread+0x11b/0x400
	 [<ffffffff81078230>] ? rescuer_thread+0x3e0/0x3e0
	 [<ffffffff8107eb00>] kthread+0xc0/0xd0
	 [<ffffffff8107ea40>] ? kthread_create_on_node+0x110/0x110
	 [<ffffffff815c4bec>] ret_from_fork+0x7c/0xb0
	 [<ffffffff8107ea40>] ? kthread_create_on_node+0x110/0x110
Reported-by: Patrik Kis <pkis@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

This patch stores the address of the 'template_fmt_copy' variable in a new
variable, called 'template_fmt_ptr', so that the latter is passed as an
argument of strsep() instead of the former. This modification is needed
in order to correctly free the memory area referenced by
'template_fmt_copy' (strsep() modifies the pointer of the passed string).
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

Pull ARM64 fixes from Catalin Marinas:
 - Remove preempt_count modifications in the arm64 IRQ handling code
   since that's already dealt with in generic irq_enter/irq_exit
 - PTE_PROT_NONE bit moved higher up to avoid overlapping with the
   hardware bits (for PROT_NONE mappings which are pte_present)
 - Big-endian fixes for ptrace support
 - Asynchronous aborts unmasking while in the kernel
 - pgprot_writecombine() change to create Normal NonCacheable memory
   rather than Device GRE

* tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
  arm64: Move PTE_PROT_NONE higher up
  arm64: Use Normal NonCacheable memory for writecombine
  arm64: debug: make aarch32 bkpt checking endian clean
  arm64: ptrace: fix compat registes get/set to be endian clean
  arm64: Unmask asynchronous aborts when in kernel mode
  arm64: dts: Reserve the memory used for secondary CPU release address
  arm64: let the core code deal with preempt_count

Pull s390 updates from Martin Schwidefsky:
 "One performance improvement and a few bug fixes.  Two of the fixes
  deal with the clock related problems we have seen on recent kernels"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/mm: handle asce-type exceptions as normal page fault
  s390,time: revert direct ktime path for s390 clockevent device
  s390/time,vdso: convert to the new update_vsyscall interface
  s390/uaccess: add missing page table walk range check
  s390/mm: optimize copy_page
  s390/dasd: validate request size before building CCW/TCW request
  s390/signal: always restore saved runtime instrumentation psw bit

Pull i2c fixes from Wolfram Sang:
 "Some easy but needed fixes for i2c drivers since rc1"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: bcm2835: Linking platform nodes to adapter nodes
  i2c: omap: raw read and write endian fix
  i2c: i2c-bcm-kona: Fix module build
  i2c: i2c-diolan-u2c: different usb endpoints for DLN-2-U2C
  i2c: bcm-kona: remove duplicated include
  i2c: davinci: raw read and write endian fix

Pull workqueue fixes from Tejun Heo:
 "This contains one important fix.  The NUMA support added a while back
  broke ordering guarantees on ordered workqueues.  It was enforced by
  having single frontend interface with @max_active == 1 but the NUMA
  support puts multiple interfaces on unbound workqueues on NUMA
  machines thus breaking the ordered guarantee.  This is fixed by
  disabling NUMA support on ordered workqueues.

  The above and a couple other patches were sitting in for-3.12-fixes
  but I forgot to push that out, so they ended up waiting a bit too
  long.  My aplogies.

  Other fixes are minor"

* 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: fix pool ID allocation leakage and remove BUILD_BUG_ON() in init_workqueues
  workqueue: fix comment typo for __queue_work()
  workqueue: fix ordered workqueues in NUMA setups
  workqueue: swap set_cpus_allowed_ptr() and PF_NO_SETAFFINITY

Pull libata fixes from Tejun Heo:
 "libata device removal path was removing parent device node before its
  child, which is mostly harmless but triggers warning after recent
  sysfs changes.  Rafael's patch fixes the order.

  Other than that, minor controller-specific fixes and device ID
  additions"

* 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
  ATA: Fix port removal ordering
  ahci: add Marvell 9230 to the AHCI PCI device list
  ata: fix acpi_bus_get_device() return value check
  pata_arasan_cf: add missing clk_disable_unprepare() on error path
  ahci: add support for IBM Akebono platform device

Pull cgroup fixes from Tejun Heo:
 "Fixes for three issues.

   - cgroup destruction path could swamp system_wq possibly leading to
     deadlock.  This actually seems to happen in the wild with memcg
     because memcg destruction path adds nested dependency on system_wq.

     Resolved by isolating cgroup destruction work items on its
     dedicated workqueue.

   - Possible locking context deadlock through seqcount reported by
     lockdep

   - Memory leak under certain conditions"

* 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  cgroup: fix cgroup_subsys_state leak for seq_files
  cpuset: Fix memory allocator deadlock
  cgroup: use a dedicated workqueue for cgroup destruction

Pull sound fixes from Takashi Iwai:
 "Quite a few HD-Audio fixes, a WUSB audio fix and a fix for FireWire
  audio.  The HD-audio part contains a couple of fixes for the generic
  parser, and these are the only intrusive fixes.  The rest are mostly
  device-specific fixes"

* tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Add LFE chmap to ASUS ET2700
  ALSA: hda - Initialize missing bass speaker pin for ASUS AIO ET2700
  ALSA: hda - limit mic boost on Asus UX31[A,E]
  ALSA: hda - Check leaf nodes to find aamix amps
  ALSA: hda - Fix hp-mic mode without VREF bits
  ALSA: hda - Create Headhpone Mic Jack Mode when really needed
  ALSA: usb: use multiple packets per urb for Wireless USB inbound audio
  ALSA: hda - Enable mute/mic-mute LEDs for more Thinkpads with Conexant codec
  ALSA: hda - Drop bus->avoid_link_reset flag
  ALSA: hda/realtek - Set pcbeep amp for ALC668
  ALSA: hda/realtek - Add support of ALC231 codec
  ALSA: firewire-lib: fix wrong value for FDF field as an empty packet

Pull vfs dentry reference count fix from Al Viro.

This fixes a possible inode_permission NULL pointer dereference (and
other problems) that were due to the root dentry count being decremented
too much.  In commit 48a066e7 ("RCU'd vfsmounts") the placement of
clearing the LOOKUP_RCU bit changed, and we then returned failure of
incrementing the lockref on the parent dentry with LOOKUP_RCU cleared.

But that meant we needed to go through the same cleanup routines that
the later failures did wrt LOOKUP_ROOT and nd->root.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  fix bogus path_put() of nd->root after some unlazy_walk() failures

Pull drm qxl leak fix from Dave Airlie:
 "As usual 5 mins after I send a trivial pull fix I find a real bug!

  This fixes a memory leak and I'd like to get it into stable queue
  asap"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/qxl: fix memory leak in release list handling

PTE_PROT_NONE means that a pte is present but does not have any
read/write attributes. However, setting the memory type like
pgprot_writecombine() is allowed and such bits overlap with
PTE_PROT_NONE. This causes mmap/munmap issues in drivers that change the
vma->vm_pg_prot on PROT_NONE mappings.

This patch reverts the PTE_FILE/PTE_PROT_NONE shift in commit
59911ca4 (ARM64: mm: Move PTE_PROT_NONE bit) and moves PTE_PROT_NONE
together with the other software bits.
Signed-off-by: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Steve Capper <steve.capper@linaro.org>
Cc: <stable@vger.kernel.org> # 3.11+

This provides better performance compared to Device GRE and also allows
unaligned accesses. Such memory is intended to be used with standard RAM
(e.g. framebuffers) and not I/O.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Failure to grab reference to parent dentry should go through the
same cleanup as nd->seq mismatch.  As it is, we might end up with
caller thinking it needs to path_put() nd->root, with obvious
nasty results once we'd hit that bug enough times to drive the
refcount of root dentry all the way to zero...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

wow no idea how I got this far without seeing this,
leaking the entries in the list makes kmalloc-64 slab grow.

References: https://bugzilla.kernel.org/show_bug.cgi?id=65121
Cc: stable@vger.kernel.org
Reported-by: Matthew Stapleton <matthew4196@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

The current breakpoint instruction checking code for A32 is not endian
clean. Fix this with appropriate byte-swapping when retrieving
instructions.
Signed-off-by: Matthew Leach <matthew.leach@arm.com>
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

On a BE system the wrong half of the X registers is retrieved/written
when attempting to get/set the value of aarch32 registers through
ptrace.

Ensure that types are the correct width so that the relevant
casting occurs.
Signed-off-by: Matthew Leach <matthew.leach@arm.com>
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Pull GPIO fixes from Linus Walleij:
 "Here us a bunch of patches for the v3.13 series.  Most important stuff
  is related to fixes and documentation for the new GPIO descriptor API.
  If the diffstat is scary you'll notice most of it is to
  Documentation/*:

   - A big slew of documentation for the gpiod transition that happened
     in the merge window, no semantic effect, but we should provide
     proper documentation with the new API.

   - Fix flags related to the new API.

   - Fix to the find_chip_by_name() lookup function related to the new
     API.

   - Fix of_find_gpio() when not using device tree.

   - Bug fix for the TB10x direction setting.

   - Error path fixes from Dan Carpenter.

   - Nasty IRQdomain bug relating to taking an unitialized spinlock.

   - Minor fixes here and there"

* tag 'gpio-v3.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: bcm281xx: Fix return value of bcm_kona_gpio_get()
  gpio: pl061: move irqdomain initialization
  gpio: ucb1400: Add MODULE_ALIAS
  gpiolib: fix of_find_gpio() when OF not defined
  gpio: fix memory leak in error path
  gpio: rcar: NULL dereference on error in probe()
  gpio: msm: make msm_gpio.summary_irq signed for error handling
  gpio: mvebu: make mvchip->irqbase signed for error handling
  gpiolib: use dedicated flags for GPIO properties
  gpiolib: fix find_chip_by_name()
  Documentation: gpiolib: document new interface
  gpio: tb10x: Set output value before setting direction to output

Pull md fixes from Neil Brown:
 "Three bug fixes for md in 3.13-rc

  All recent regressions, one in 3.12 so marked for -stable"

* tag 'md/3.13-fixes' of git://neil.brown.name/md:
  md/raid5: fix newly-broken locking in get_active_stripe.
  md: test mddev->flags more safely in md_check_recovery.
  md/raid5: fix new memory-reference bug in alloc_thread_groups.

Pull cifs fixes from Steve French:
 "SMB3 "validate negotiate" is needed to prevent certain types of
  downgrade attacks.

  Also changes SMB2/SMB3 copy offload from using the BTRFS copy ioctl
  (BTRFS_IOC_CLONE) to a cifs specific ioctl (CIFS_IOC_COPYCHUNK_FILE)
  to address Christoph's comment that there are semantic differences
  between requesting copy offload in which copy-on-write is mandatory
  (as in the BTRFS ioctl) and optional in the SMB2/SMB3 case.  Also
  fixes SMB2/SMB3 copychunk for large files"

* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
  [CIFS] Do not use btrfs refcopy ioctl for SMB2 copy offload
  Check SMB3 dialects against downgrade attacks
  Removed duplicated (and unneeded) goto
  CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files

The init_kernel_text() and core_kernel_text() functions should not
include the labels _einittext and _etext when checking if an address is
inside the .text or .init sections.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

As the previous commit 1f0bbf03 added the pin config for the bass
speaker, this patch adds the corresponding LFE-only channel map on
ASUS ET2700.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=65961Signed-off-by: Takashi Iwai <tiwai@suse.de>

Add a fixup entry for the missing bass speaker pin 0x16 on ASUS ET2700
AiO desktop.  The channel map will be added in the next patch, so that
this can be backported easily to stable kernels.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=65961
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

This both devices need limit for internal dmic.

[cosmetic change; renamed fixup name by tiwai]
Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

The current generic parser assumes blindly that the volume and mute
amps are found in the aamix node itself.  But on some codecs,
typically Analog Devices ones, the aamix amps are separately
implemented in each leaf node of the aamix node, and the current
driver can't establish the correct amp controls.  This is a regression
compared with the previous static quirks.

This patch extends the search for the amps to the leaf nodes for
allowing the aamix controls again on such codecs.
In this implementation, I didn't code to loop through the whole paths,
since usually one depth should suffice, and we can't search too
deeply, as it may result in the conflicting control assignments.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=65641
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

In order to find I2C devices in the device tree, the platform nodes
have to be known by the I2C core. This requires setting the
dev.of_node parameter of the adapter.
Signed-off-by: Florian Meier <florian.meier@koalo.de>
Tested-by: Stephen Warren <swarren@wwwdotorg.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>

Pull drm fixes from Dave Airlie:
 "Just two minor fixes as people keep resending since they are so low
  hanging"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/nouveau/hwmon: fix compilation without CONFIG_HWMON
  drm/sysfs: fix OOM verification

Pull tty/serial fixes from Greg KH:
 "Here are some tty/serial driver fixes for reported issues in 3.13-rc2.

  The n_gsm "fix" was reverted as it was found to not be correct.
  Hopefully this will be resolved in a future pull request, but as
  there's really only one user of this line setting, it's not a big
  deal..."

* tag 'tty-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  Revert "n_gsm: race between ld close and gsmtty open"
  n_tty: Protect minimum_to_wake reset for concurrent readers
  tty: Reset hupped state on open
  TTY: amiserial, add missing platform check
  TTY: pmac_zilog, check existence of ports in pmz_console_init()
  n_gsm: race between ld close and gsmtty open
  tty/serial/8250: fix typo in help text
  n_tty: Fix 4096-byte canonical reads
  n_tty: Fix echo overrun tail computation
  n_tty: Ensure reader restarts worker for next reader

Pull staging fixes from Greg KH:
 "Here are a number of staging, and IIO driver, fixes for 3.13-rc2 that
  resolve issues that have been reported for 3.13-rc1.  All of these
  have been in linux-next for a bit this week"

* tag 'staging-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (25 commits)
  Staging: tidspbridge: disable driver
  staging: zsmalloc: Ensure handle is never 0 on success
  staging/lustre/ptlrpc: fix ptlrpc_stop_pinger logic
  staging: r8188eu: Fix AP mode
  Staging: btmtk_usb: Add hdev parameter to hdev->send driver callback
  Staging: go7007: fix up some remaining go->dev issues
  staging: imx-drm: Fix modular build of DRM_IMX_IPUV3
  staging: ft1000: fix use of potentially uninitialized variable
  Revert "staging:media: Use dev_dbg() instead of pr_debug()"
  Staging: zram: Fix memory leak by refcount mismatch
  staging: vt6656: [BUG] Fix for TX USB resets from vendors driver.
  staging: nvec: potential NULL dereference on error path
  Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd()
  staging: comedi: s626: fix value written by s626_set_dac()
  Staging: comedi: pcl730: fix some bitwise vs logical AND bugs
  staging: comedi: fix potentially uninitialised variable
  iio:accel:kxsd9 fix missing mutex unlock
  iio: adc: ti_am335x_adc: avoid double free of buffer.
  staging:iio: Fix hmc5843 Kconfig dependencies
  iio: Fix tcs3472 Kconfig dependencies
  ...

Merge tag 'driver-core-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core fixes from Greg KH:
 "Here are 3 patches for sysfs issues that have been reported.  Well, 1
  patch really, the first one is reverted as it's not really needed (the
  correct fix is coming in through the different driver subsystems
  instead)

  But that 1 sysfs fix is needed, so this is still a good thing to pull
  in now"
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

* tag 'driver-core-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  Revert "sysfs: handle duplicate removal attempts in sysfs_remove_group()"
  sysfs: use a separate locking class for open files depending on mmap
  sysfs: handle duplicate removal attempts in sysfs_remove_group()

Pull HID fixes from Jiri Kosina:
 - fix compat ioctl leak in uhid, by David Herrmann
 - fix scheduling in atomic context (causing actual lockups in real
   world) in hid-sony driver, by Sven Eckelmann
 - revert patch introducing VID/PID conflict, by Jiri Kosina
 - support from various new device IDs by Benjamin Tissoires and
   KaiChung Cheng

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: uhid: fix leak for 64/32 UHID_CREATE
  HID: kye: fix unresponsive keyboard
  HID: kye: Add report fixup for Genius Manticore Keyboard
  HID: multicouh: add PID VID to support 1 new Wistron optical touch device
  HID: appleir: force input to be set
  Revert "HID: wiimote: add LEGO-wiimote VID"
  HID: sony: Send FF commands in non-atomic context

Pull ACPI and power management fixes from Rafael Wysocki:

 - Fix for a recent regression in the Tegra cpufreq driver causing
   excess error messages to be printed from Stephen Warren

 - ACPI-based device hotplug fix to prevent conflicting notify handlers
   from being installed for PCI host bridge objects.  From Toshi Kani

 - ACPICA update to upstream version 20131115.  This contains bug fixes
   mostly (loop termination fix for the get AML length function, fixes
   related to namespace node removal and debug output).  From Bob Moore,
   Tomasz Nowicki and Lv Zheng

 - Removal of incorrect inclusions of internal ACPICA header files by
   non-ACPICA code from Lv Zheng

 - Fixes for the ACPI sysfs interface exposing tables to user space from
   Daisuke Hatayama and Jeremy Compostella

 - Assorted ACPI and cpufreq cleanups from Sachin Kamat and Al Stone

 - cpupower tool fix and man page from Thomas Renninger

* tag 'pm+acpi-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: Clean up incorrect inclusions of ACPICA headers
  tools: cpupower: fix wrong err msg not supported vs not available
  tools: cpupower: Add cpupower-idle-set(1) manpage
  ACPI / sysfs: Fix incorrect ACPI tables walk in acpi_tables_sysfs_init()
  ACPI / sysfs: Set file size for each exposed ACPI table
  ACPICA: Update version to 20131115.
  ACPICA: Add support to delete all objects attached to the root namespace node.
  ACPICA: Delete all attached data objects during namespace node deletion.
  ACPICA: Resources: Fix loop termination for the get AML length function.
  ACPICA: Tests: Add CHECKSUM_ABORT protection for test utilities.
  ACPICA: Debug output: Do not emit function nesting level for kernel build.
  ACPI / sleep: clean up compiler warning about uninitialized field
  cpufreq: exynos: Remove unwanted EXPORT_SYMBOL
  cpufreq: tegra: don't error target() when suspended
  ACPI / hotplug: Fix conflicted PCI bridge notify handlers

Since commit 7a6354e2 ("sched: Move wait.c into kernel/sched/"), the
path of this file has changed.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Andy Whitcroft <apw@canonical.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Reported-by: Jim Davis <jim.epost@gmail.com>
Tested-by: Jim Davis <jim.epost@gmail.com>
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Dave Airlie <airlied@redhat.com>

arch_mutex_cpu_relax is already conditionally defined in mutex.h, so
simply include that header rather than replicate the code here.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>