When writing files to afs I sometimes hit a BUG:

kernel BUG at fs/afs/rxrpc.c:179!

With a backtrace of:

	afs_free_call
	afs_make_call
	afs_fs_store_data
	afs_vnode_store_data
	afs_write_back_from_locked_page
	afs_writepages_region
	afs_writepages

The cause is:

	ASSERT(skb_queue_empty(&call->rx_queue));

Looking at a tcpdump of the session the abort happens because we
are exceeding our disk quota:

	rx abort fs reply store-data error diskquota exceeded (32)

So the abort error is valid. We hit the BUG because we haven't
freed all the resources for the call.

By freeing any skbs in call->rx_queue before calling afs_free_call
we avoid hitting leaking memory and avoid hitting the BUG.
Signed-off-by: NAnton Blanchard <anton@samba.org>
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

A read of a large file on an afs mount failed:

# cat junk.file > /dev/null
cat: junk.file: Bad message

Looking at the trace, call->offset wrapped since it is only an
unsigned short. In afs_extract_data:

        _enter("{%u},{%zu},%d,,%zu", call->offset, len, last, count);
...

        if (call->offset < count) {
                if (last) {
                        _leave(" = -EBADMSG [%d < %zu]", call->offset, count);
                        return -EBADMSG;
                }

Which matches the trace:

[cat   ] ==> afs_extract_data({65132},{524},1,,65536)
[cat   ] <== afs_extract_data() = -EBADMSG [0 < 65536]

call->offset went from 65132 to 0. Fix this by making call->offset an
unsigned int.
Signed-off-by: NAnton Blanchard <anton@samba.org>
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Merge patches from Andrew Morton:
 "Nine patches - some bug fixes and some MAINTAINERS fiddling."

* emailed from Andrew Morton <akpm@linux-foundation.org>:
  drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
  MAINTAINERS: add entry for exynos mipi display drivers
  MAINTAINERS: fix link to Gustavo Padovans tree
  MAINTAINERS: add Johan to Bluetooth maintainers
  MAINTAINERS: Gustavo has moved
  prctl: use CAP_SYS_RESOURCE for PR_SET_MM option
  rapidio/tsi721: fix bug in register offset definitions
  MAINTAINERS: update ST's Mailing list for SPEAr
  memcg: free mem_cgroup by RCU to fix oops

Pull i2c subsystem fixes from Jean Delvare.

* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
  i2c-algo-bit: Fix spurious SCL timeouts under heavy load
  i2c-core: Comment says "transmitted" but means "received"

Pull hwmon fixes from Guenter Roeck.

* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (zl6100) Enable interval between chip accesses for all chips
  hwmon: (w83627ehf) Describe undocumented pwm attributes
  hwmon: (w83627ehf) Fix temp2 source for W83627UHG
  hwmon: (w83627ehf) Fix memory leak in probe function
  hwmon: (w83627ehf) Fix writing into fan_stop_time for NCT6775F/NCT6776F

Pull drm exynos/intel updates from Dave Airlie:
 "Two minor updates from Jesse for Intel SNB fixes, and a few fixes from
  Samsung for exynos.  The pull req has Alan's commit in it since Intel
  based their tree on my tree at that time, but it all seems fine wrt
  merging."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm exynos: use drm_fb_helper_set_par directly
  drm/exynos: Fix fb_videomode <-> drm_mode_modeinfo conversion
  drm/exynos: fix runtime_pm fimd device state on probe
  drm/exynos: use correct 'exynos-drm' name for platform device
  drm/i915: support 32 bit BGR formats in sprite planes
  drm/i915: fix color order for BGR formats on SNB
  drm/gma500: Fix Cedarview boot failures in 3.3-rc

Pull media fixes from Mauro Carvalho Chehab:
 "For 4 fixes for 3.3 (all trivial):
       - uvc video driver: fixes a division by zero;
       - davinci: add module.h to fix compilation;
       - smsusb: fix the delivery system setting;
       - smsdvb: the get_frontend implementation there is broken.

  The smsdvb patch has 127 lines, but it is trivial: instead of
  returning a cache of the set_frontend (with is wrong, as it doesn't
  have the updated values for the data, and the implementation there is
  buggy), it copies the information of the detected DVB parameters from
  the smsdvb private structures into the corresponding DVBv5 struct
  fields."

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] smsdvb: fix get_frontend
  [media] smsusb: fix the default delivery system setting
  [media] media: davinci: added module.h to resolve unresolved macros
  [media] [FOR,v3.3] uvcvideo: Avoid division by 0 in timestamp calculation

Pull target fixes from Nicholas Bellinger:
 "This series addresses two recently reported regression bugs related to
  legacy SCSI reservation usage in target core, and iscsi-target
  reservation conflict handling.

  The second patch in particular addresses possible data-corruption with
  SCSI reservations that is specific to iscsi-target fabric LUNs with
  multiple client writers.  Both patches need to go into v3.2 stable
  ASAP, and the branch based on the last target-pending/3.3-rc-fixes
  HEAD.

  Again, thanks to Martin Svec for his help to identify and address this
  regression bug with iscsi-target."

* '3.3-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  iscsi-target: Fix reservation conflict -EBUSY response handling bug
  target: Fix compatible reservation handling (CRH=1) with legacy RESERVE/RELEASE

strict_strtoul() writes a long but ->gamma_mode only has space to store an
int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
well.  I've changed it to use kstrtouint() instead.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Acked-by: NInki Dae <inki.dae@samsung.com>
Signed-off-by: NFlorian Tobias Schandinat <FlorianSchandinat@gmx.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

I'd like to add Inki Dae, Donghwa Lee and Kyungmin Park as maintainers
who developers for exynos mipi display drivers for
video/driver/exynos/exynos_mipi* and include/video/exynos_mipi*.
Signed-off-by: NDonghwa Lee <dh09.lee@samsung.com>
Signed-off-by: NInki Dae <inki.dae@samsung.com>
Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com>
Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: Richard Purdie <rpurdie@rpsys.net>
Cc: Kukjin Kim <kgene.kim@samsung.com>
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Gustavo's tree is called just bluetooth.git and not bluetooth-2.6.git
anymore.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: "Gustavo F. Padovan" <padovan@profusion.mobi>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

I've been coordinating Bluetooth patches in my tree for some time and
it's possible I'll do it in the future too, so add myself to the
Bluetooth sections as well as mention my tree there.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: "Gustavo F. Padovan" <padovan@profusion.mobi>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This is going to be the primary e-mail for kernel development.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

CAP_SYS_ADMIN is already overloaded left and right, so to have more
fine-grained access control use CAP_SYS_RESOURCE here.

The CAP_SYS_RESOUCE is chosen because this prctl option allows a current
process to adjust some fields of memory map descriptor which rather
represents what the process owns: pointers to code, data, stack
segments, command line, auxiliary vector data and etc.
Suggested-by: NMichael Kerrisk <mtk.manpages@gmail.com>
Acked-by: NKees Cook <keescook@chromium.org>
Acked-by: NMichael Kerrisk <mtk.manpages@gmail.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Fix indexed register offset definitions that use decimal (wrong) instead
of hexadecimal (correct) notation for indexing multipliers.

Incorrect definitions do not affect Tsi721 driver in its current default
configuration because it uses only IDB queue 0.  Loss of inbound
doorbell functionality should be observed if queue other than 0 is used.
Signed-off-by: NAlexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Chul Kim <chul.kim@idt.com>
Cc: <stable@vger.kernel.org>		[3.2+]
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

We have created a ST's Mailing list for SPEAr.  This can be accessed
from non-st email ids.  I want people to cc this list, when they have
changes specific to SPEAr.  So, its better to get this updated in
MAINTAINERS file.

linux-arm-kernel@lists.infradead.org is also added for SPEAr.
Signed-off-by: NViresh Kumar <viresh.kumar@st.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

After fixing the GPF in mem_cgroup_lru_del_list(), three times one
machine running a similar load (moving and removing memcgs while
swapping) has oopsed in mem_cgroup_zone_nr_lru_pages(), when retrieving
memcg zone numbers for get_scan_count() for shrink_mem_cgroup_zone():
this is where a struct mem_cgroup is first accessed after being chosen
by mem_cgroup_iter().

Just what protects a struct mem_cgroup from being freed, in between
mem_cgroup_iter()'s css_get_next() and its css_tryget()? css_tryget()
fails once css->refcnt is zero with CSS_REMOVED set in flags, yes: but
what if that memory is freed and reused for something else, which sets
"refcnt" non-zero? Hmm, and scope for an indefinite freeze if refcnt is
left at zero but flags are cleared.

It's tempting to move the css_tryget() into css_get_next(), to make it
really "get" the css, but I don't think that actually solves anything:
the same difficulty in moving from css_id found to stable css remains.

But we already have rcu_read_lock() around the two, so it's easily fixed
if __mem_cgroup_free() just uses kfree_rcu() to free mem_cgroup.

However, a big struct mem_cgroup is allocated with vzalloc() instead of
kzalloc(), and we're not allowed to vfree() at interrupt time: there
doesn't appear to be a general vfree_rcu() to help with this, so roll
our own using schedule_work().  The compiler decently removes
vfree_work() and vfree_rcu() when the config doesn't need them.
Signed-off-by: NHugh Dickins <hughd@google.com>
Acked-by: NKAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: NJohannes Weiner <hannes@cmpxchg.org>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Ying Han <yinghan@google.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

When the system is under heavy load, there can be a significant delay
between the getscl() and time_after() calls inside sclhi(). That delay
may cause the time_after() check to trigger after SCL has gone high,
causing sclhi() to return -ETIMEDOUT.

To fix the problem, double check that SCL is still low after the
timeout has been reached, before deciding to return -ETIMEDOUT.
Signed-off-by: NVille Syrjala <syrjala@sci.fi>
Cc: stable@vger.kernel.org
Signed-off-by: NJean Delvare <khali@linux-fr.org>

Fix that. Also convert this and the related comment to proper commenting
style.
Signed-off-by: NWolfram Sang <w.sang@pengutronix.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

Merge branch 'exynos-drm-fixes' of git://git.infradead.org/users/kmpark/linux-samsung into drm-fixes

* 'exynos-drm-fixes' of git://git.infradead.org/users/kmpark/linux-samsung:
  drm exynos: use drm_fb_helper_set_par directly
  drm/exynos: Fix fb_videomode <-> drm_mode_modeinfo conversion
  drm/exynos: fix runtime_pm fimd device state on probe
  drm/exynos: use correct 'exynos-drm' name for platform device

info->fix.visual already is correctly set from drm_fb_helper_fill_fix.
info->fix.line_length is also set from drm_fb_helper_fill_fix,
so drm_fb_helper_set_par directly instead of a custom
exynos_drm_fbdev_set_par.
Signed-off-by: NSascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: NInki Dae <inki.dae@samsung.com>
Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com>

The fb_videomode structure stores the front porch and back porch in the
right_margin and left_margin fields respectively. right_margin should
thus be computed with hsync_start - hdisplay, and left_margin with
htotal - hsync_end. The same holds for the vertical direction.

       Active               Front           Sync            Back
       Region               Porch                           Porch
<-------------------><----------------><-------------><---------------->

  //////////////////|
 ////////////////// |
//////////////////  |..................               ..................
                                       _______________

<------ xres -------><- right_margin -><- hsync_len -><- left_margin -->

<---- hdisplay ----->
<------------ hsync_start ------------>
<--------------------- hsync_end -------------------->
<--------------------------------- htotal ----------------------------->

Fix the fb_videomode <-> drm_mode_modeinfo conversion functions
accordingly.
Signed-off-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: NJoonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: NInki Dae <inki.dae@samsung.com>
Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com>

A call to pm_runtime_set_active() forces device to be at the active
state and skips calling its runtime suspend/resume callbacks. This
results in a freeze with a new power domain code based on gen_pd. Fimd
driver does all required runtime power management calls, so this
pm_runtime_set_active call is buggy. This patch removes it and corrects
clock management in probe function (clocks are now enabled by
pm_runtime_get_sync() call).
Signed-off-by: NMarek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: NInki Dae <inki.dae@samsung.com>
Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com>

Currently Exynos DRM driver uses DRIVER_NAME ('exynos') name for the
core platform device. This is confusing, because it doesn't refer to the
function the platform device is performing. This patch renames the
platform device to the 'exynos-drm', which matches the convention for
naming the platform devices. The name used inside DRM subsystem has not
been changed.
Signed-off-by: NMarek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: NInki Dae <inki.dae@samsung.com>
Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com>

Pull block fixes from Jens Axboe:
 "Been sitting on this for a while, but lets get this out the door.
  This fixes various important bugs for 3.3 final, along with a few more
  trivial ones.  Please pull!"

* 'for-linus' of git://git.kernel.dk/linux-block:
  block: fix ioc leak in put_io_context
  block, sx8: fix pointer math issue getting fw version
  Block: use a freezable workqueue for disk-event polling
  drivers/block/DAC960: fix -Wuninitialized warning
  drivers/block/DAC960: fix DAC960_V2_IOCTL_Opcode_T -Wenum-compare warning
  block: fix __blkdev_get and add_disk race condition
  block: Fix setting bio flags in drivers (sd_dif/floppy)
  block: Fix NULL pointer dereference in sd_revalidate_disk
  block: exit_io_context() should call elevator_exit_icq_fn()
  block: simplify ioc_release_fn()
  block: replace icq->changed with icq->flags

Pull regulator fixes from Mark Brown:
 "Another small batch of driver specific bug fixes, a couple more errors
  in the da9052 driver and a bad return value in the tps6524x driver."

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: da9052: Ensure the selected voltage falls within the specified range
  regulator: Set n_voltages for da9052 regulators
  regulator: Fix setting selector in tps6524x set_voltage function

Pull arch/tile update to run "make minconfig" on the tile defconfigs
from Chris Metcalf.

This removes almost three thousand lines of inane defconfig chatter.

* 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  arch/tile/configs: convert to minimal configs via "make savedefconfig"

Signed-off-by: NChris Metcalf <cmetcalf@tilera.com>

Merge branch 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/keithp/linux into drm-fixes

* 'drm-intel-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/keithp/linux:
  drm/i915: support 32 bit BGR formats in sprite planes
  drm/i915: fix color order for BGR formats on SNB
  drm/gma500: Fix Cedarview boot failures in 3.3-rc

Intersil reports that all chips supported by the zl6100 driver require
an interval between chip accesses, even ZL2004 and ZL6105 which were thought
to be safe.
Reported-by: NVivek Gani <vgani@intersil.com>
Cc: stable@vger.kernel.org # 3.2+
Signed-off-by: NGuenter Roeck <guenter.roeck@ericsson.com>

When put_io_context is called, if ioc->icq_list is empty and refcount
is 1, kernel will not free the ioc.

This is caught by following kmemleak:

unreferenced object 0xffff880036349fe0 (size 216):
  comm "sh", pid 2137, jiffies 4294931140 (age 290579.412s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    01 00 01 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
  backtrace:
    [<ffffffff8169f926>] kmemleak_alloc+0x26/0x50
    [<ffffffff81195a9c>] kmem_cache_alloc_node+0x1cc/0x2a0
    [<ffffffff81356b67>] create_io_context_slowpath+0x27/0x130
    [<ffffffff81356d2b>] get_task_io_context+0xbb/0xf0
    [<ffffffff81055f0e>] copy_process+0x188e/0x18b0
    [<ffffffff8105609b>] do_fork+0x11b/0x420
    [<ffffffff810247f8>] sys_clone+0x28/0x30
    [<ffffffff816d3373>] stub_clone+0x13/0x20
    [<ffffffffffffffff>] 0xffffffffffffffff

ioc should be freed if ioc->icq_list is empty.
Signed-off-by: NXiaotian Feng <dannyfeng@tencent.com>
Acked-by: NVivek Goyal <vgoyal@redhat.com>
Acked-by: NTejun Heo <tj@kernel.org>
Signed-off-by: NJens Axboe <axboe@kernel.dk>

This patch addresses a iscsi-target specific bug related to reservation conflict
handling in iscsit_handle_scsi_cmd() that has been causing reservation conflicts
to complete and not fail as expected due to incorrect errno checking.  The problem
occured with the change to return -EBUSY from transport_generic_cmd_sequencer() ->
transport_generic_allocate_tasks() failures, that broke iscsit_handle_scsi_cmd()
checking for -EINVAL in order to invoke a non GOOD status response.

This was manifesting itself as data corruption with legacy SPC-2 reservations,
but also effects iscsi-target LUNs with SPC-3 persistent reservations.

This bug was originally introduced in lio-core commit:

commit 03e98c9e
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date:   Fri Nov 4 02:36:16 2011 -0700

    target: Address legacy PYX_TRANSPORT_* return code breakage
Reported-by: NMartin Svec <martin.svec@zoner.cz>
Cc: Martin Svec <martin.svec@zoner.cz>
Cc: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>

This patch addresses a bug with target_check_scsi2_reservation_conflict()
return checking in target_scsi2_reservation_[reserve,release]() that was
preventing CRH=1 operation from silently succeeding in the two special
cases defined by SPC-3, and not failing with reservation conflict status
when dealing with legacy RESERVE/RELEASE + active SPC-3 PR logic.

Also explictly set cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT during
the early non reservation holder failure from pr_ops->t10_seq_non_holder()
check in transport_generic_cmd_sequencer() for fabrics that already expect
it to be set.

This bug was originally introduced in mainline commit:

commit eacac00c
Author: Christoph Hellwig <hch@infradead.org>
Date:   Thu Nov 3 17:50:40 2011 -0400

    target: split core_scsi2_emulate_crh
Reported-by: NMartin Svec <martin.svec@zoner.cz>
Cc: Martin Svec <martin.svec@zoner.cz>
Cc: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>

Pull sparc updates from David Miller:
 "Please pull to get this fix for the sparc32 build when using a more
  recent binutils."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
  sparc32: Add -Av8 to assembler command line.

Newer version of binutils are more strict about specifying the
correct options to enable certain classes of instructions.

The sparc32 build is done for v7 in order to support sun4c systems
which lack hardware integer multiply and divide instructions.

So we have to pass -Av8 when building the assembler routines that
use these instructions and get patched into the kernel when we find
out that we have a v8 capable cpu.
Reported-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Pull networking changes from David Miller:
 "The most important bit here is the TCP syncookies issue, which seems
  to have been busted for some time.  That fix has been verified in
  production by the reporter.

  1) Persistent TUN devices erroneously hold on to the network namespace
     in such a way that it cannot be shutdown.  Fix from Stanislav
     Kinsbursky with help from Eric Dumazet.

  2) TCP SYN cookies have been broken for a while due to how the route
     lookup flow key is managed, connections can be delayed by as much
     as 20 seconds due to this bug.  Fix from Eric Dumazet.

  3) Missing jiffies.h include in lib/dynamic_queue_limits.c can break
     the build, from Tom Herbert.

  4) Add USB device ID for Sitecom LN-031, from Joerg Neikes.

  5) Fix OOPS in delayed workqueue in iwlegacy, from Stanislaw Gruszka.

  6) rt2x00 TX queue can be disabled forever due to races, fix by
     synchronizing pause/unpause with a lock.  Also from Stanislaw
     Gruszka.

  7) Statistics and endian fix in bnx2x driver from Yuval Mintz, Eilon
     Greenstein, and Ariel Elior."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  tun: don't hold network namespace by tun sockets
  bnx2x: FCoE statistics id fixed
  bnx2x: dcb bit indices flags used as bits
  bnx2x: added cpu_to_le16 when preparing ramrod's data
  bnx2x: pfc statistics counts pfc events twice
  rt2x00: fix random stalls
  iwl3945: fix possible il->txq NULL pointer dereference in delayed works
  dql: Fix undefined jiffies
  tcp: fix syncookie regression
  usb: asix: Patch for Sitecom LN-031

Pull arch/tile update from Chris Metcalf
 "These include a couple of queued-up minor bug fixes from the
  community, a fix to unbreak the sysfs hooks in tile, and syncing up
  the defconfigs."

Ugh.  defconfigs updates without "make minconfig".  Tons of ugly
pointless lines there, I suspect.

* 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  tile: Use set_current_blocked() and block_sigmask()
  arch/tile: misplaced parens near likely
  arch/tile: sync up the defconfig files to the tip
  arch/tile: Fix up from commit 8a25a2fd

Pull perf fixes from Ingo Molnar.

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf record: Fix buffer overrun bug in tracepoint_id_to_path()
  perf/x86: Fix local vs remote memory events for NHM/WSM

Pull CIFS fixes from Steve French.

* git://git.samba.org/sfrench/cifs-2.6:
  CIFS: Do not kmalloc under the flocks spinlock
  cifs: possible memory leak in xattr.

Pull vfs fixes from Al Viro:
 "A bunch of assorted fixes; Jan's freezing stuff still _not_ in there
  and neither is mm fun ;-/"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  restore smp_mb() in unlock_new_inode()
  vfs: fix return value from do_last()
  vfs: fix double put after complete_walk()
  udf: Fix deadlock in udf_release_file()
  vfs: Correctly set the dir i_mutex lockdep class