author | Zefan Li <lizefan@huawei.com> | 2014-10-16 12:20:31 +0800 |
---|---|---|
committer | Zefan Li <lizefan@huawei.com> | 2014-10-17 21:02:36 +0800 |
commit | c7986cd5f198cf506f0bc2913063c647e4d96993 (patch) | |
tree | 132f6497452084d195a5e16aab1362fb51ef8fd4 | |
parent | b3b5fd7f8b5563457e38efc5fa76701e7cccf895 (diff) | |
download | linux-3.4.y-queue-c7986cd5f198cf506f0bc2913063c647e4d96993.tar.gz |
Add commits, up to 3.7
75 files changed, 4723 insertions, 0 deletions
diff --git a/patches/acpi-cpuidle-fix-deadlock-between-cpuidle_lock-and-cpu_hotplug.lock.patch b/patches/acpi-cpuidle-fix-deadlock-between-cpuidle_lock-and-cpu_hotplug.lock.patch
new file mode 100644
index 0000000..b095cc7
--- /dev/null
+++ b/patches/acpi-cpuidle-fix-deadlock-between-cpuidle_lock-and-cpu_hotplug.lock.patch
@@ -0,0 +1,69 @@
+From 6726655dfdd2dc60c035c690d9f10cb69d7ea075 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 3 Sep 2014 15:04:28 +0200
+Subject: ACPI / cpuidle: fix deadlock between cpuidle_lock and
+ cpu_hotplug.lock
+
+commit 6726655dfdd2dc60c035c690d9f10cb69d7ea075 upstream.
+
+There is a following AB-BA dependency between cpu_hotplug.lock and
+cpuidle_lock:
+
+1) cpu_hotplug.lock -> cpuidle_lock
+enable_nonboot_cpus()
+ _cpu_up()
+ cpu_hotplug_begin()
+ LOCK(cpu_hotplug.lock)
+ cpu_notify()
+ ...
+ acpi_processor_hotplug()
+ cpuidle_pause_and_lock()
+ LOCK(cpuidle_lock)
+
+2) cpuidle_lock -> cpu_hotplug.lock
+acpi_os_execute_deferred() workqueue
+ ...
+ acpi_processor_cst_has_changed()
+ cpuidle_pause_and_lock()
+ LOCK(cpuidle_lock)
+ get_online_cpus()
+ LOCK(cpu_hotplug.lock)
+
+Fix this by reversing the order acpi_processor_cst_has_changed() does
+thigs -- let it first execute the protection against CPU hotplug by
+calling get_online_cpus() and obtain the cpuidle lock only after that (and
+perform the symmentric change when allowing CPUs hotplug again and
+dropping cpuidle lock).
+
+Spotted by lockdep.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/acpi/processor_idle.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -1195,9 +1195,9 @@ int acpi_processor_cst_has_changed(struc
+
+ if (pr->id == 0 && cpuidle_get_driver() == &acpi_idle_driver) {
+
+- cpuidle_pause_and_lock();
+ /* Protect against cpu-hotplug */
+ get_online_cpus();
++ cpuidle_pause_and_lock();
+
+ /* Disable all cpuidle devices */
+ for_each_online_cpu(cpu) {
+@@ -1222,8 +1222,8 @@ int acpi_processor_cst_has_changed(struc
+ cpuidle_enable_device(&_pr->power.dev);
+ }
+ }
+- put_online_cpus();
+ cpuidle_resume_and_unlock();
++ put_online_cpus();
+ }
+
+ return 0;
diff --git a/patches/ahci-add-device-ids-for-intel-9-series-pch.patch b/patches/ahci-add-device-ids-for-intel-9-series-pch.patch
new file mode 100644
index 0000000..7510445
--- /dev/null
+++ b/patches/ahci-add-device-ids-for-intel-9-series-pch.patch
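Review bot: The new ordering in acpi_processor_cst_has_changed() (get_online_cpus() before cpuidle_pause_and_lock(), released in the reverse order) is a lock-order rule that nothing in the code states; the only comment left is `/* Protect against cpu-hotplug */`. I would extend it to something like `/* Take the hotplug lock first: acpi_processor_hotplug() runs with cpu_hotplug.lock held and then takes cpuidle_lock */`, so that a later cleanup does not swap the calls back and reintroduce the AB-BA deadlock that lockdep reported. The function starts and ends outside both hunks, so any other path in it that takes these two locks is not visible here.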
@@ -0,0 +1,33 @@
+From 1b071a0947dbce5c184c12262e02540fbc493457 Mon Sep 17 00:00:00 2001
+From: James Ralston <james.d.ralston@intel.com>
+Date: Wed, 27 Aug 2014 14:29:07 -0700
+Subject: ahci: Add Device IDs for Intel 9 Series PCH
+
+commit 1b071a0947dbce5c184c12262e02540fbc493457 upstream.
+
+This patch adds the AHCI mode SATA Device IDs for the Intel 9 Series PCH.
+
+Signed-off-by: James Ralston <james.d.ralston@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/ata/ahci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -305,6 +305,14 @@ static const struct pci_device_id ahci_p
+ { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */
+ { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */
+ { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */
++ { PCI_VDEVICE(INTEL, 0x8c82), board_ahci }, /* 9 Series AHCI */
++ { PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series AHCI */
++ { PCI_VDEVICE(INTEL, 0x8c84), board_ahci }, /* 9 Series RAID */
++ { PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series RAID */
++ { PCI_VDEVICE(INTEL, 0x8c86), board_ahci }, /* 9 Series RAID */
++ { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */
++ { PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */
++ { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */
+
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
diff --git a/patches/ahci-add-pcid-for-marvel-0x9182-controller.patch b/patches/ahci-add-pcid-for-marvel-0x9182-controller.patch
new file mode 100644
index 0000000..36e6128
--- /dev/null
+++ b/patches/ahci-add-pcid-for-marvel-0x9182-controller.patch
@@ -0,0 +1,32 @@
+From c5edfff9db6f4d2c35c802acb4abe0df178becee Mon Sep 17 00:00:00 2001
+From: Murali Karicheri <m-karicheri2@ti.com>
+Date: Fri, 5 Sep 2014 13:21:00 -0400
+Subject: ahci: add pcid for Marvel 0x9182 controller
+
+commit c5edfff9db6f4d2c35c802acb4abe0df178becee upstream.
+
+Keystone K2E EVM uses Marvel 0x9182 controller. This requires support
+for the ID in the ahci driver.
+
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Santosh Shilimkar <santosh.shilimkar@ti.com>
+[lizf: Backported to 3.4:
+ - adjust context
+ - s/PCI_VENDOR_ID_MARVELL_EXT/0x1b4b/]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/ata/ahci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -443,6 +443,8 @@ static const struct pci_device_id ahci_p
+ .driver_data = board_ahci_yes_fbs }, /* 88se9125 */
+ { PCI_DEVICE(0x1b4b, 0x917a),
+ .driver_data = board_ahci_yes_fbs }, /* 88se9172 */
++ { PCI_DEVICE(0x1b4b, 0x9182),
++ .driver_data = board_ahci_yes_fbs }, /* 88se9182 */
+ { PCI_DEVICE(0x1b4b, 0x9192),
+ .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */
+ { PCI_DEVICE(0x1b4b, 0x91a3),
diff --git a/patches/alarmtimer-do-not-signal-sigev_none-timers.patch b/patches/alarmtimer-do-not-signal-sigev_none-timers.patch
new file mode 100644
index 0000000..3b1ebfd
--- /dev/null
+++ b/patches/alarmtimer-do-not-signal-sigev_none-timers.patch
@@ -0,0 +1,49 @@
+From 265b81d23a46c39df0a735a3af4238954b41a4c2 Mon Sep 17 00:00:00 2001
+From: Richard Larocque <rlarocque@google.com>
+Date: Tue, 9 Sep 2014 18:31:04 -0700
+Subject: alarmtimer: Do not signal SIGEV_NONE timers
+
+commit 265b81d23a46c39df0a735a3af4238954b41a4c2 upstream.
+
+Avoids sending a signal to alarm timers created with sigev_notify set to
+SIGEV_NONE by checking for that special case in the timeout callback.
+
+The regular posix timers avoid sending signals to SIGEV_NONE timers by
+not scheduling any callbacks for them in the first place. Although it
+would be possible to do something similar for alarm timers, it's simpler
+to handle this as a special case in the timeout.
+
+Prior to this patch, the alarm timer would ignore the sigev_notify value
+and try to deliver signals to the process anyway. Even worse, the
+sanity check for the value of sigev_signo is skipped when SIGEV_NONE was
+specified, so the signal number could be bogus. If sigev_signo was an
+unitialized value (as it often would be if SIGEV_NONE is used), then
+it's hard to predict which signal will be sent.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Sharvil Nanavati <sharvil@google.com>
+Signed-off-by: Richard Larocque <rlarocque@google.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/time/alarmtimer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -456,8 +456,10 @@ static enum alarmtimer_restart alarm_han
+ {
+ struct k_itimer *ptr = container_of(alarm, struct k_itimer,
+ it.alarm.alarmtimer);
+- if (posix_timer_event(ptr, 0) != 0)
+- ptr->it_overrun++;
++ if ((ptr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) {
++ if (posix_timer_event(ptr, 0) != 0)
++ ptr->it_overrun++;
++ }
+
+ /* Re-add periodic timers */
+ if (ptr->it.alarm.interval.tv64) {
diff --git a/patches/alarmtimer-lock-k_itimer-during-timer-callback.patch b/patches/alarmtimer-lock-k_itimer-during-timer-callback.patch
new file mode 100644
index 0000000..8d55f54
--- /dev/null
+++ b/patches/alarmtimer-lock-k_itimer-during-timer-callback.patch
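Review bot: In alarm_handle_timer() the added test reads `ptr->it_sigev_notify` with no lock held as far as this patch goes; `it_lock` is only taken by the separate "alarmtimer: Lock k_itimer during timer callback" patch that this same commit adds to the queue. The two should be applied, and if ever reverted dropped, together. A short comment such as `/* SIGEV_NONE timers are armed like any other, so suppress delivery here */` would record why the check sits in the callback rather than at arm time, and the `& ~SIGEV_THREAD_ID` mask deserves a word as well. The function continues outside the hunk.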
@@ -0,0 +1,56 @@
+From 474e941bed9262f5fa2394f9a4a67e24499e5926 Mon Sep 17 00:00:00 2001
+From: Richard Larocque <rlarocque@google.com>
+Date: Tue, 9 Sep 2014 18:31:05 -0700
+Subject: alarmtimer: Lock k_itimer during timer callback
+
+commit 474e941bed9262f5fa2394f9a4a67e24499e5926 upstream.
+
+Locks the k_itimer's it_lock member when handling the alarm timer's
+expiry callback.
+
+The regular posix timers defined in posix-timers.c have this lock held
+during timout processing because their callbacks are routed through
+posix_timer_fn(). The alarm timers follow a different path, so they
+ought to grab the lock somewhere else.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Sharvil Nanavati <sharvil@google.com>
+Signed-off-by: Richard Larocque <rlarocque@google.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/time/alarmtimer.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -454,8 +454,12 @@ static enum alarmtimer_type clock2alarm(
+ static enum alarmtimer_restart alarm_handle_timer(struct alarm *alarm,
+ ktime_t now)
+ {
++ unsigned long flags;
+ struct k_itimer *ptr = container_of(alarm, struct k_itimer,
+ it.alarm.alarmtimer);
++ enum alarmtimer_restart result = ALARMTIMER_NORESTART;
++
++ spin_lock_irqsave(&ptr->it_lock, flags);
+ if ((ptr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) {
+ if (posix_timer_event(ptr, 0) != 0)
+ ptr->it_overrun++;
+@@ -465,9 +469,11 @@ static enum alarmtimer_restart alarm_han
+ if (ptr->it.alarm.interval.tv64) {
+ ptr->it_overrun += alarm_forward(alarm, now,
+ ptr->it.alarm.interval);
+- return ALARMTIMER_RESTART;
++ result = ALARMTIMER_RESTART;
+ }
+- return ALARMTIMER_NORESTART;
++ spin_unlock_irqrestore(&ptr->it_lock, flags);
++
++ return result;
+ }
+
+ /**
diff --git a/patches/alarmtimer-return-relative-times-in-timer_gettime.patch b/patches/alarmtimer-return-relative-times-in-timer_gettime.patch
new file mode 100644
index 0000000..f69b4dd
--- /dev/null
+++ b/patches/alarmtimer-return-relative-times-in-timer_gettime.patch
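Review bot: alarm_handle_timer() now calls posix_timer_event() and alarm_forward() with `it_lock` held and interrupts disabled, but nothing in the code says why the lock is taken in this callback. A line above the `spin_lock_irqsave()` such as `/* alarm timers do not go through posix_timer_fn(), so take it_lock here */` would carry the reason from the description into the source. The switch to a single `result` return is what keeps the unlock on every path, so an early `return` added later inside the locked region would leave `it_lock` held.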
@@ -0,0 +1,77 @@
+From e86fea764991e00a03ff1e56409ec9cacdbda4c9 Mon Sep 17 00:00:00 2001
+From: Richard Larocque <rlarocque@google.com>
+Date: Tue, 9 Sep 2014 18:31:03 -0700
+Subject: alarmtimer: Return relative times in timer_gettime
+
+commit e86fea764991e00a03ff1e56409ec9cacdbda4c9 upstream.
+
+Returns the time remaining for an alarm timer, rather than the time at
+which it is scheduled to expire. If the timer has already expired or it
+is not currently scheduled, the it_value's members are set to zero.
+
+This new behavior matches that of the other posix-timers and the POSIX
+specifications.
+
+This is a change in user-visible behavior, and may break existing
+applications. Hopefully, few users rely on the old incorrect behavior.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Sharvil Nanavati <sharvil@google.com>
+Signed-off-by: Richard Larocque <rlarocque@google.com>
+[jstultz: minor style tweak]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+[lizf: Backported to 3.4:
+ - add alarm_expires_remaining() introduced by commit 6cffe00f7d4e]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/time/alarmtimer.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -232,6 +232,12 @@ static enum hrtimer_restart alarmtimer_f
+
+ }
+
++ktime_t alarm_expires_remaining(const struct alarm *alarm)
++{
++ struct alarm_base *base = &alarm_bases[alarm->type];
++ return ktime_sub(alarm->node.expires, base->gettime());
++}
++
+ #ifdef CONFIG_RTC_CLASS
+ /**
+ * alarmtimer_suspend - Suspend time callback
+@@ -525,18 +531,22 @@ static int alarm_timer_create(struct k_i
+ * @new_timer: k_itimer pointer
+ * @cur_setting: itimerspec data to fill
+ *
+- * Copies the itimerspec data out from the k_itimer
++ * Copies out the current itimerspec data
+ */
+ static void alarm_timer_get(struct k_itimer *timr,
+ struct itimerspec *cur_setting)
+ {
+- memset(cur_setting, 0, sizeof(struct itimerspec));
++ ktime_t relative_expiry_time =
++ alarm_expires_remaining(&(timr->it.alarm.alarmtimer));
++
++ if (ktime_to_ns(relative_expiry_time) > 0) {
++ cur_setting->it_value = ktime_to_timespec(relative_expiry_time);
++ } else {
++ cur_setting->it_value.tv_sec = 0;
++ cur_setting->it_value.tv_nsec = 0;
++ }
+
+- cur_setting->it_interval =
+- ktime_to_timespec(timr->it.alarm.interval);
+- cur_setting->it_value =
+- ktime_to_timespec(timr->it.alarm.alarmtimer.node.expires);
+- return;
++ cur_setting->it_interval = ktime_to_timespec(timr->it.alarm.interval);
+ }
+
+ /**
diff --git a/patches/alsa-hda-fix-coef-setups-for-alc1150-codec.patch b/patches/alsa-hda-fix-coef-setups-for-alc1150-codec.patch
new file mode 100644
index 0000000..c8449d2
--- /dev/null
+++ b/patches/alsa-hda-fix-coef-setups-for-alc1150-codec.patch
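Review bot: alarm_timer_get() no longer zeroes `*cur_setting`: the `memset(cur_setting, 0, sizeof(struct itimerspec));` is removed and the function now relies on assigning `it_value` and `it_interval` member by member. Both members are written on every path in the hunk, but the caller is outside it and presumably copies the structure to user space, so keeping the memset as the first statement would rule out stale stack bytes should the layout ever contain padding. Separately, alarm_expires_remaining() is added with external linkage and no kernel-doc, while the diffstat shows only alarmtimer.c changing; unless a declaration already exists in a header not shown here, it should be `static`.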
@@ -0,0 +1,37 @@
+From acf08081adb5e8fe0519eb97bb49797ef52614d6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 2 Sep 2014 07:21:56 +0200
+Subject: ALSA: hda - Fix COEF setups for ALC1150 codec
+
+commit acf08081adb5e8fe0519eb97bb49797ef52614d6 upstream.
+
+ALC1150 codec seems to need the COEF- and PLL-setups just like its
+compatible ALC882 codec. Some machines (e.g. SunMicro X10SAT) show
+the problem like too low output volumes unless the COEF setup is
+applied.
+
+Reported-and-tested-by: Dana Goyette <danagoyette@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -811,6 +811,7 @@ static void alc_auto_init_amp(struct hda
+ case 0x10ec0885:
+ case 0x10ec0887:
+ /*case 0x10ec0889:*/ /* this causes an SPDIF problem */
++ case 0x10ec0900:
+ alc889_coef_init(codec);
+ break;
+ case 0x10ec0888:
+@@ -5516,6 +5517,7 @@ static int patch_alc882(struct hda_codec
+ switch (codec->vendor_id) {
+ case 0x10ec0882:
+ case 0x10ec0885:
++ case 0x10ec0900:
+ break;
+ default:
+ /* ALC883 and variants */
diff --git a/patches/alsa-pcm-fix-fifo_size-frame-calculation.patch b/patches/alsa-pcm-fix-fifo_size-frame-calculation.patch
new file mode 100644
index 0000000..d69383f
--- /dev/null
+++ b/patches/alsa-pcm-fix-fifo_size-frame-calculation.patch
@@ -0,0 +1,43 @@
+From a9960e6a293e6fc3ed414643bb4e4106272e4d0a Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Sun, 21 Sep 2014 22:50:57 +0200
+Subject: ALSA: pcm: fix fifo_size frame calculation
+
+commit a9960e6a293e6fc3ed414643bb4e4106272e4d0a upstream.
+
+The calculated frame size was wrong because snd_pcm_format_physical_width()
+actually returns the number of bits, not bytes.
+
+Use snd_pcm_format_size() instead, which not only returns bytes, but also
+simplifies the calculation.
+
+Fixes: 8bea869c5e56 ("ALSA: PCM midlevel: improve fifo_size handling")
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ sound/core/pcm_lib.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1693,14 +1693,16 @@ static int snd_pcm_lib_ioctl_fifo_size(s
+ {
+ struct snd_pcm_hw_params *params = arg;
+ snd_pcm_format_t format;
+- int channels, width;
++ int channels;
++ ssize_t frame_size;
+
+ params->fifo_size = substream->runtime->hw.fifo_size;
+ if (!(substream->runtime->hw.info & SNDRV_PCM_INFO_FIFO_IN_FRAMES)) {
+ format = params_format(params);
+ channels = params_channels(params);
+- width = snd_pcm_format_physical_width(format);
+- params->fifo_size /= width * channels;
++ frame_size = snd_pcm_format_size(format, channels);
++ if (frame_size > 0)
++ params->fifo_size /= (unsigned)frame_size;
+ }
+ return 0;
+ }
diff --git a/patches/arm-8165-1-alignment-don-t-break-misaligned-neon-load-store.patch b/patches/arm-8165-1-alignment-don-t-break-misaligned-neon-load-store.patch
new file mode 100644
index 0000000..71ae579
--- /dev/null
+++ b/patches/arm-8165-1-alignment-don-t-break-misaligned-neon-load-store.patch
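Review bot: In snd_pcm_lib_ioctl_fifo_size() a non-positive result from snd_pcm_format_size() is silently skipped by `if (frame_size > 0)`, so `params->fifo_size` stays in bytes while the function still returns 0. The guard does keep a zero or negative divisor out of the division, but the caller cannot tell that the byte-to-frame conversion did not happen. Either report it, for example `if (frame_size <= 0) return -EINVAL;`, or add a comment stating that leaving the byte value in place is intended for an invalid format/channel combination.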
@@ -0,0 +1,39 @@
+From 5ca918e5e3f9df4634077c06585c42bc6a8d699a Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 25 Sep 2014 11:56:19 +0100
+Subject: ARM: 8165/1: alignment: don't break misaligned NEON load/store
+
+commit 5ca918e5e3f9df4634077c06585c42bc6a8d699a upstream.
+
+The alignment fixup incorrectly decodes faulting ARM VLDn/VSTn
+instructions (where the optional alignment hint is given but incorrect)
+as LDR/STR, leading to register corruption. Detect these and correctly
+treat them as unhandled, so that userspace gets the fault it expects.
+
+Reported-by: Simon Hosie <simon.hosie@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ arch/arm/mm/alignment.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -39,6 +39,7 @@
+ * This code is not portable to processors with late data abort handling.
+ */
+ #define CODING_BITS(i) (i & 0x0e000000)
++#define COND_BITS(i) (i & 0xf0000000)
+
+ #define LDST_I_BIT(i) (i & (1 << 26)) /* Immediate constant */
+ #define LDST_P_BIT(i) (i & (1 << 24)) /* Preindex */
+@@ -813,6 +814,8 @@ do_alignment(unsigned long addr, unsigne
+ break;
+
+ case 0x04000000: /* ldr or str immediate */
++ if (COND_BITS(instr) == 0xf0000000) /* NEON VLDn, VSTn */
++ goto bad;
+ offset.un = OFFSET_BITS(instr);
+ handler = do_alignment_ldrstr;
+ break;
diff --git a/patches/asoc-core-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch b/patches/asoc-core-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
new file mode 100644
index 0000000..000c54f
--- /dev/null
+++ b/patches/asoc-core-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
@@ -0,0 +1,33 @@
+From 6596aa047b624aeec2ea321962cfdecf9953a383 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <Li.Xiubo@freescale.com>
+Date: Sun, 28 Sep 2014 17:29:37 +0800
+Subject: ASoC: core: fix possible ZERO_SIZE_PTR pointer dereferencing error.
+
+commit 6596aa047b624aeec2ea321962cfdecf9953a383 upstream.
+
+Since we cannot make sure the 'params->num_regs' will always be none
+zero here, and then if it equals to zero, the kmemdup() will return
+ZERO_SIZE_PTR, which equals to ((void *)16).
+
+So this patch fix this with just doing the zero check before calling
+kmemdup().
+
+Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[lizf: Backported to 3.4: adjust context]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ sound/soc/soc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2799,7 +2799,7 @@ int snd_soc_bytes_put(struct snd_kcontro
+ unsigned int val;
+ void *data;
+
+- if (!codec->using_regmap)
++ if (!codec->using_regmap || !params->num_regs)
+ return -EINVAL;
+
+ data = ucontrol->value.bytes.data;
diff --git a/patches/asoc-samsung-i2s-check-secondary-dai-exists-before-referencing.patch b/patches/asoc-samsung-i2s-check-secondary-dai-exists-before-referencing.patch
new file mode 100644
index 0000000..c1067ee
--- /dev/null
+++ b/patches/asoc-samsung-i2s-check-secondary-dai-exists-before-referencing.patch
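Review bot: The description justifies the new `!params->num_regs` test in snd_soc_bytes_put() by kmemdup() returning ZERO_SIZE_PTR, yet the 3.4 context shown assigns `data = ucontrol->value.bytes.data;` directly and no kmemdup() appears in the hunk. The rest of the function is outside the hunk, so the allocation may simply be further down; if this tree has none, the check is still a sensible zero-length guard but the stated reason does not apply. A comment such as `/* reject controls with no registers: nothing to write */` would keep the rationale accurate for this backport either way.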
@@ -0,0 +1,31 @@
+From 133c2681c4a0c1b589d138c2fdd0f131bdce20ed Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Date: Tue, 9 Sep 2014 16:51:49 +0100
+Subject: ASoC: samsung-i2s: Check secondary DAI exists before referencing
+
+commit 133c2681c4a0c1b589d138c2fdd0f131bdce20ed upstream.
+
+In a couple of places the driver is missing a check to ensure there is a
+secondary DAI before it de-references the pointer to it, causing a null
+pointer de-reference. This patch adds a check to avoid this.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+[lizf: Backported to 3.4: drop the changes to i2s_shutdown()]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ sound/soc/samsung/i2s.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/samsung/i2s.c
++++ b/sound/soc/samsung/i2s.c
+@@ -392,7 +392,7 @@ static int i2s_set_sysclk(struct snd_soc
+ if (dir == SND_SOC_CLOCK_IN)
+ rfs = 0;
+
+- if ((rfs && other->rfs && (other->rfs != rfs)) ||
++ if ((rfs && other && other->rfs && (other->rfs != rfs)) ||
+ (any_active(i2s) &&
+ (((dir == SND_SOC_CLOCK_IN)
+ && !(mod & MOD_CDCLKCON)) ||
diff --git a/patches/ata_piix-add-device-ids-for-intel-9-series-pch.patch b/patches/ata_piix-add-device-ids-for-intel-9-series-pch.patch
new file mode 100644
index 0000000..aef6b3f
--- /dev/null
+++ b/patches/ata_piix-add-device-ids-for-intel-9-series-pch.patch
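Review bot: Only the i2s_set_sysclk() dereference of `other` is guarded here; the backport note says the i2s_shutdown() part of the upstream fix was dropped, while the description speaks of "a couple of places". It is worth confirming that 3.4's i2s_shutdown(), and any later use of `other` in i2s_set_sysclk() beyond this hunk, cannot run with a NULL secondary DAI, because an unchecked `other->` there would still be a NULL pointer dereference. If the hunk was dropped because the affected code does not exist in 3.4, saying so in the `[lizf: ...]` line would make the backport easier to audit.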
@@ -0,0 +1,33 @@
+From 6cad1376954e591c3c41500c4e586e183e7ffe6d Mon Sep 17 00:00:00 2001
+From: James Ralston <james.d.ralston@intel.com>
+Date: Wed, 27 Aug 2014 14:31:58 -0700
+Subject: ata_piix: Add Device IDs for Intel 9 Series PCH
+
+commit 6cad1376954e591c3c41500c4e586e183e7ffe6d upstream.
+
+This patch adds the IDE mode SATA Device IDs for the Intel 9 Series PCH.
+
+Signed-off-by: James Ralston <james.d.ralston@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/ata/ata_piix.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -362,6 +362,14 @@ static const struct pci_device_id piix_p
+ { 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
+ /* SATA Controller IDE (Coleto Creek) */
+ { 0x8086, 0x23a6, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
++ /* SATA Controller IDE (9 Series) */
++ { 0x8086, 0x8c88, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb },
++ /* SATA Controller IDE (9 Series) */
++ { 0x8086, 0x8c89, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb },
++ /* SATA Controller IDE (9 Series) */
++ { 0x8086, 0x8c80, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
++ /* SATA Controller IDE (9 Series) */
++ { 0x8086, 0x8c81, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
+
+ { } /* terminate list */
+ };
diff --git a/patches/block-fix-dev_t-minor-allocation-lifetime.patch b/patches/block-fix-dev_t-minor-allocation-lifetime.patch
new file mode 100644
index 0000000..dc75aab
--- /dev/null
+++ b/patches/block-fix-dev_t-minor-allocation-lifetime.patch
@@ -0,0 +1,118 @@
+From 2da78092dda13f1efd26edbbf99a567776913750 Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 26 Aug 2014 09:05:36 -0600
+Subject: block: Fix dev_t minor allocation lifetime
+
+commit 2da78092dda13f1efd26edbbf99a567776913750 upstream.
+
+Releases the dev_t minor when all references are closed to prevent
+another device from acquiring the same major/minor.
+
+Since the partition's release may be invoked from call_rcu's soft-irq
+context, the ext_dev_idr's mutex had to be replaced with a spinlock so
+as not so sleep.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+[lizf: Backported to 3.4:
+ - adjust context
+ - remove idr_preload() and idr_preload_end()]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ block/genhd.c | 18 +++++++++---------
+ block/partition-generic.c | 2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -27,10 +27,10 @@ struct kobject *block_depr;
+ /* for extended dynamic devt allocation, currently only one major is used */
+ #define NR_EXT_DEVT (1 << MINORBITS)
+
+-/* For extended devt allocation. ext_devt_mutex prevents look up
++/* For extended devt allocation. ext_devt_lock prevents look up
+ * results from going away underneath its user.
+ */
+-static DEFINE_MUTEX(ext_devt_mutex);
++static DEFINE_SPINLOCK(ext_devt_lock);
+ static DEFINE_IDR(ext_devt_idr);
+
+ static struct device_type disk_type;
+@@ -420,13 +420,13 @@ int blk_alloc_devt(struct hd_struct *par
+ do {
+ if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL))
+ return -ENOMEM;
+- mutex_lock(&ext_devt_mutex);
++ spin_lock(&ext_devt_lock);
+ rc = idr_get_new(&ext_devt_idr, part, &idx);
+ if (!rc && idx >= NR_EXT_DEVT) {
+ idr_remove(&ext_devt_idr, idx);
+ rc = -EBUSY;
+ }
+- mutex_unlock(&ext_devt_mutex);
++ spin_unlock(&ext_devt_lock);
+ } while (rc == -EAGAIN);
+
+ if (rc)
+@@ -453,9 +453,9 @@ void blk_free_devt(dev_t devt)
+ return;
+
+ if (MAJOR(devt) == BLOCK_EXT_MAJOR) {
+- mutex_lock(&ext_devt_mutex);
++ spin_lock(&ext_devt_lock);
+ idr_remove(&ext_devt_idr, blk_mangle_minor(MINOR(devt)));
+- mutex_unlock(&ext_devt_mutex);
++ spin_unlock(&ext_devt_lock);
+ }
+ }
+
+@@ -662,7 +662,6 @@ void del_gendisk(struct gendisk *disk)
+ if (!sysfs_deprecated)
+ sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk)));
+ device_del(disk_to_dev(disk));
+- blk_free_devt(disk_to_dev(disk)->devt);
+ }
+ EXPORT_SYMBOL(del_gendisk);
+
+@@ -687,13 +686,13 @@ struct gendisk *get_gendisk(dev_t devt,
+ } else {
+ struct hd_struct *part;
+
+- mutex_lock(&ext_devt_mutex);
++ spin_lock(&ext_devt_lock);
+ part = idr_find(&ext_devt_idr, blk_mangle_minor(MINOR(devt)));
+ if (part && get_disk(part_to_disk(part))) {
+ *partno = part->partno;
+ disk = part_to_disk(part);
+ }
+- mutex_unlock(&ext_devt_mutex);
++ spin_unlock(&ext_devt_lock);
+ }
+
+ return disk;
+@@ -1101,6 +1100,7 @@ static void disk_release(struct device *
+ {
+ struct gendisk *disk = dev_to_disk(dev);
+
++ blk_free_devt(dev->devt);
+ disk_release_events(disk);
+ kfree(disk->random);
+ disk_replace_part_tbl(disk, NULL);
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -211,6 +211,7 @@ static const struct attribute_group *par
+ static void part_release(struct device *dev)
+ {
+ struct hd_struct *p = dev_to_part(dev);
++ blk_free_devt(dev->devt);
+ free_part_stats(p);
+ free_part_info(p);
+ kfree(p);
+@@ -253,7 +254,6 @@ void delete_partition(struct gendisk *di
+ rcu_assign_pointer(ptbl->last_lookup, NULL);
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
+- blk_free_devt(part_devt(part));
+
+ hd_struct_put(part);
+ }
diff --git a/patches/can-at91_can-add-missing-prepare-and-unprepare-of-the-clock.patch b/patches/can-at91_can-add-missing-prepare-and-unprepare-of-the-clock.patch
new file mode 100644
index 0000000..26c84e2
--- /dev/null
+++ b/patches/can-at91_can-add-missing-prepare-and-unprepare-of-the-clock.patch
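Review bot: ext_devt_lock is taken with plain `spin_lock()` in blk_alloc_devt(), blk_free_devt() and get_gendisk(), but the description says part_release(), which now calls blk_free_devt(), can run from call_rcu's softirq context. If that softirq runs on a CPU that already holds the lock in process context it will spin forever, so the lock should be taken with bottom halves disabled: `spin_lock_bh(&ext_devt_lock);` and `spin_unlock_bh(&ext_devt_lock);` in all three functions. blk_alloc_devt() keeps `idr_pre_get(&ext_devt_idr, GFP_KERNEL)` outside the locked region, which is what makes a non-sleeping lock possible there. All of these functions extend beyond the hunks shown.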
@@ -0,0 +1,52 @@
+From e77980e50bc2850599d4d9c0192b67a9ffd6daac Mon Sep 17 00:00:00 2001
+From: David Dueck <davidcdueck@googlemail.com>
+Date: Wed, 17 Sep 2014 14:26:48 +0200
+Subject: can: at91_can: add missing prepare and unprepare of the clock
+
+commit e77980e50bc2850599d4d9c0192b67a9ffd6daac upstream.
+
+In order to make the driver work with the common clock framework, this patch
+converts the clk_enable()/clk_disable() to
+clk_prepare_enable()/clk_disable_unprepare(). While there, add the missing
+error handling.
+
+Signed-off-by: David Dueck <davidcdueck@googlemail.com>
+Signed-off-by: Anthony Harivel <anthony.harivel@emtrion.de>
+Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/net/can/at91_can.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -1115,7 +1115,9 @@ static int at91_open(struct net_device *
+ struct at91_priv *priv = netdev_priv(dev);
+ int err;
+
+- clk_enable(priv->clk);
++ err = clk_prepare_enable(priv->clk);
++ if (err)
++ return err;
+
+ /* check or determine and set bittime */
+ err = open_candev(dev);
+@@ -1139,7 +1141,7 @@ static int at91_open(struct net_device *
+ out_close:
+ close_candev(dev);
+ out:
+- clk_disable(priv->clk);
++ clk_disable_unprepare(priv->clk);
+
+ return err;
+ }
+@@ -1156,7 +1158,7 @@ static int at91_close(struct net_device
+ at91_chip_stop(dev, CAN_STATE_STOPPED);
+
+ free_irq(dev->irq, dev);
+- clk_disable(priv->clk);
++ clk_disable_unprepare(priv->clk);
+
+ close_candev(dev);
+
diff --git a/patches/can-flexcan-correctly-initialize-mailboxes.patch b/patches/can-flexcan-correctly-initialize-mailboxes.patch
new file mode 100644
index 0000000..b9958c3
--- /dev/null
+++ b/patches/can-flexcan-correctly-initialize-mailboxes.patch
@@ -0,0 +1,44 @@
+From fc05b884a31dbf259cc73cc856e634ec3acbebb6 Mon Sep 17 00:00:00 2001
+From: David Jander <david@protonic.nl>
+Date: Wed, 27 Aug 2014 11:58:05 +0200
+Subject: can: flexcan: correctly initialize mailboxes
+
+commit fc05b884a31dbf259cc73cc856e634ec3acbebb6 upstream.
+
+Apparently mailboxes may contain random data at startup, causing some of them
+being prepared for message reception. This causes overruns being missed or even
+confusing the IRQ check for trasmitted messages, increasing the transmit
+counter instead of the error counter.
+
+This patch initializes all mailboxes after the FIFO as RX_INACTIVE.
+
+Signed-off-by: David Jander <david@protonic.nl>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/net/can/flexcan.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -680,6 +680,7 @@ static int flexcan_chip_start(struct net
+ struct flexcan_regs __iomem *regs = priv->base;
+ int err;
+ u32 reg_mcr, reg_ctrl;
++ int i;
+
+ /* enable module */
+ flexcan_chip_enable(priv);
+@@ -745,6 +746,12 @@ static int flexcan_chip_start(struct net
+ netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
+ flexcan_write(reg_ctrl, ®s->ctrl);
+
++ /* clear and invalidate all mailboxes first */
++ for (i = FLEXCAN_TX_BUF_ID; i < ARRAY_SIZE(regs->cantxfg); i++) {
++ flexcan_write(FLEXCAN_MB_CODE_RX_INACTIVE,
++ ®s->cantxfg[i].can_ctrl);
++ }
++
+ /* mark TX mailbox as INACTIVE */
+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
+ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
diff --git a/patches/can-flexcan-implement-workaround-for-errata-err005829.patch b/patches/can-flexcan-implement-workaround-for-errata-err005829.patch
new file mode 100644
index 0000000..fc78968
--- /dev/null
+++ b/patches/can-flexcan-implement-workaround-for-errata-err005829.patch
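Review bot: The comment `/* clear and invalidate all mailboxes first */` in flexcan_chip_start() does not match the loop under it, which starts at `FLEXCAN_TX_BUF_ID` rather than 0 and only writes `FLEXCAN_MB_CODE_RX_INACTIVE` to each `can_ctrl` word. Something like `/* mark every mailbox from FLEXCAN_TX_BUF_ID up as RX_INACTIVE; the ones below belong to the RX FIFO */` would describe what actually happens (the FIFO part comes from the description, not from code in the hunk). `i` is a signed `int` compared against `ARRAY_SIZE()`, so `unsigned int i;` would avoid the mixed-sign comparison.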
@@ -0,0 +1,68 @@
+From 25e924450fcb23c11c07c95ea8964dd9f174652e Mon Sep 17 00:00:00 2001
+From: David Jander <david@protonic.nl>
+Date: Wed, 3 Sep 2014 16:47:22 +0200
+Subject: can: flexcan: implement workaround for errata ERR005829
+
+commit 25e924450fcb23c11c07c95ea8964dd9f174652e upstream.
+
+This patch implements the workaround mentioned in ERR005829:
+
+ ERR005829: FlexCAN: FlexCAN does not transmit a message that is enabled to
+ be transmitted in a specific moment during the arbitration process.
+
+Workaround: The workaround consists of two extra steps after setting up a
+message for transmission:
+
+Step 8: Reserve the first valid mailbox as an inactive mailbox (CODE=0b1000).
+If RX FIFO is disabled, this mailbox must be message buffer 0. Otherwise, the
+first valid mailbox can be found using the "RX FIFO filters" table in the
+FlexCAN chapter of the chip reference manual.
+
+Step 9: Write twice INACTIVE code (0b1000) into the first valid mailbox.
+
+Signed-off-by: David Jander <david@protonic.nl>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/net/can/flexcan.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -123,7 +123,9 @@
+ FLEXCAN_ESR_BOFF_INT | FLEXCAN_ESR_ERR_INT)
+
+ /* FLEXCAN interrupt flag register (IFLAG) bits */
+-#define FLEXCAN_TX_BUF_ID 8
++/* Errata ERR005829 step7: Reserve first valid MB */
++#define FLEXCAN_TX_BUF_RESERVED 8
++#define FLEXCAN_TX_BUF_ID 9
+ #define FLEXCAN_IFLAG_BUF(x) BIT(x)
+ #define FLEXCAN_IFLAG_RX_FIFO_OVERFLOW BIT(7)
+ #define FLEXCAN_IFLAG_RX_FIFO_WARN BIT(6)
+@@ -317,6 +319,14 @@ static int flexcan_start_xmit(struct sk_
+ flexcan_write(can_id, ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_id);
+ flexcan_write(ctrl, ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
+
++ /* Errata ERR005829 step8:
++ * Write twice INACTIVE(0x8) code to first MB.
++ */
++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
++ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl);
++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
++ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl);
++
+ return NETDEV_TX_OK;
+ }
+
+@@ -752,6 +762,10 @@ static int flexcan_chip_start(struct net
+ ®s->cantxfg[i].can_ctrl);
+ }
+
++ /* Errata ERR005829: mark first TX mailbox as INACTIVE */
++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
++ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl);
++
+ /* mark TX mailbox as INACTIVE */
+ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
+ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
diff --git a/patches/can-flexcan-mark-tx-mailbox-as-tx_inactive.patch b/patches/can-flexcan-mark-tx-mailbox-as-tx_inactive.patch
new file mode 100644
index 0000000..aa8bf2d
--- /dev/null
+++ b/patches/can-flexcan-mark-tx-mailbox-as-tx_inactive.patch
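Review bot: The step numbers in the two new comments do not match the erratum text quoted in the commit message: the message calls reserving the mailbox Step 8 and the double write Step 9, while the code says `step7` at the `FLEXCAN_TX_BUF_RESERVED` define and `step8` in flexcan_start_xmit(). Aligning them, e.g. `/* Errata ERR005829 step 8: reserve first valid MB */` and `/* Errata ERR005829 step 9: write INACTIVE (0x8) twice to the first valid MB */`, keeps the code traceable to the erratum. The second comment could also state that the repeated write is intentional, since two identical `flexcan_write()` calls otherwise look like a duplicated line. Both functions continue outside the hunks.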
@@ -0,0 +1,47 @@
+From c32fe4ad3e4861b2bfa1f44114c564935a123dda Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 16 Sep 2014 12:39:28 +0200
+Subject: can: flexcan: mark TX mailbox as TX_INACTIVE
+
+commit c32fe4ad3e4861b2bfa1f44114c564935a123dda upstream.
+
+This patch fixes the initialization of the TX mailbox. It is now correctly
+initialized as TX_INACTIVE not RX_EMPTY.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/net/can/flexcan.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -134,6 +134,17 @@
+
+ /* FLEXCAN message buffers */
+ #define FLEXCAN_MB_CNT_CODE(x) (((x) & 0xf) << 24)
++#define FLEXCAN_MB_CODE_RX_INACTIVE (0x0 << 24)
++#define FLEXCAN_MB_CODE_RX_EMPTY (0x4 << 24)
++#define FLEXCAN_MB_CODE_RX_FULL (0x2 << 24)
++#define FLEXCAN_MB_CODE_RX_OVERRRUN (0x6 << 24)
++#define FLEXCAN_MB_CODE_RX_RANSWER (0xa << 24)
++
++#define FLEXCAN_MB_CODE_TX_INACTIVE (0x8 << 24)
++#define FLEXCAN_MB_CODE_TX_ABORT (0x9 << 24)
++#define FLEXCAN_MB_CODE_TX_DATA (0xc << 24)
++#define FLEXCAN_MB_CODE_TX_TANSWER (0xe << 24)
++
+ #define FLEXCAN_MB_CNT_SRR BIT(22)
+ #define FLEXCAN_MB_CNT_IDE BIT(21)
+ #define FLEXCAN_MB_CNT_RTR BIT(20)
+@@ -734,8 +745,8 @@ static int flexcan_chip_start(struct net
+ netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
+ flexcan_write(reg_ctrl, ®s->ctrl);
+
+- /* Abort any pending TX, mark Mailbox as INACTIVE */
+- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
++ /* mark TX mailbox as INACTIVE */
++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
+ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
+
+ /* acceptance mask/acceptance code (accept everything) */
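Review bot: `FLEXCAN_MB_CODE_RX_OVERRRUN` is spelled with three Rs in the new define block; unless the backport must match upstream byte for byte, `FLEXCAN_MB_CODE_RX_OVERRUN` avoids a name that a search for "OVERRUN" will miss. The new constants also restate the shift that `FLEXCAN_MB_CNT_CODE(x)` on the context line above already encapsulates, so `#define FLEXCAN_MB_CODE_TX_INACTIVE FLEXCAN_MB_CNT_CODE(0x8)` would keep the field position in one place. flexcan_chip_start() continues outside the hunk.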
diff --git a/patches/can-flexcan-put-tx-mailbox-into-tx_inactive-mode-after-tx-complete.patch b/patches/can-flexcan-put-tx-mailbox-into-tx_inactive-mode-after-tx-complete.patch
new file mode 100644
index 0000000..b06b8eb
--- /dev/null
+++ b/patches/can-flexcan-put-tx-mailbox-into-tx_inactive-mode-after-tx-complete.patch
@@ -0,0 +1,33 @@
+From de5944883ebbedbf5adc8497659772f5da7b7d72 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 16 Sep 2014 15:31:27 +0200
+Subject: can: flexcan: put TX mailbox into TX_INACTIVE mode after tx-complete
+
+commit de5944883ebbedbf5adc8497659772f5da7b7d72 upstream.
+
+After sending a RTR frame the TX mailbox becomes a RX_EMPTY mailbox. To avoid
+side effects when the RX-FIFO is full, this patch puts the TX mailbox into
+TX_INACTIVE mode in the transmission complete interrupt handler. This, of
+course, leaves a race window between the actual completion of the transmission
+and the handling of tx-complete interrupt. However this is the best we can do
+without busy polling the tx complete interrupt.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+[lizf: Backported to 3.4: adjust context]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/net/can/flexcan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -633,6 +633,9 @@ static irqreturn_t flexcan_irq(int irq,
+ if (reg_iflag1 & (1 << FLEXCAN_TX_BUF_ID)) {
+ stats->tx_bytes += can_get_echo_skb(dev, 0);
+ stats->tx_packets++;
++ /* after sending a RTR frame mailbox is in RX mode */
++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE,
++ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
+ flexcan_write((1 << FLEXCAN_TX_BUF_ID), ®s->iflag1);
+ netif_wake_queue(dev);
+ }
diff --git a/patches/cgroup-reject-cgroup-names-with.patch b/patches/cgroup-reject-cgroup-names-with.patch
new file mode 100644
index 0000000..2074530
--- /dev/null
+++ b/patches/cgroup-reject-cgroup-names-with.patch
@@ -0,0 +1,34 @@
+From 71b1fb5c4473a5b1e601d41b109bdfe001ec82e0 Mon Sep 17 00:00:00 2001
+From: Alban Crequy <alban.crequy@collabora.co.uk>
+Date: Mon, 18 Aug 2014 12:20:20 +0100
+Subject: =?UTF-8?q?cgroup:=20reject=20cgroup=20names=20with=20'=0A'?=
+
+commit 71b1fb5c4473a5b1e601d41b109bdfe001ec82e0 upstream.
+
+/proc/<pid>/cgroup contains one cgroup path on each line. If cgroup names are
+allowed to contain "\n", applications cannot parse /proc/<pid>/cgroup safely.
+
+Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+[lizf: Backported to 3.4:
+ - adjust context
+ - s/name/dentry->d_name.name/]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/cgroup.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -3838,6 +3838,11 @@ static int cgroup_mkdir(struct inode *di
+ {
+ struct cgroup *c_parent = dentry->d_parent->d_fsdata;
+
++ /* Do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable.
++ */
++ if (strchr(dentry->d_name.name, '\n'))
++ return -EINVAL;
++
+ /* the vfs holds inode->i_mutex already */
+ return cgroup_create(c_parent, dentry, mode | S_IFDIR);
+ }
diff --git a/patches/cpuset-pf_spread_page-and-pf_spread_slab-should-be-atomic-flags.patch b/patches/cpuset-pf_spread_page-and-pf_spread_slab-should-be-atomic-flags.patch
new file mode 100644
index 0000000..53e0715
--- /dev/null
+++ b/patches/cpuset-pf_spread_page-and-pf_spread_slab-should-be-atomic-flags.patch
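Review bot: The new `strchr(dentry->d_name.name, '\n')` check covers only cgroup_mkdir(); if this tree also lets a cgroup directory be renamed, that path is outside the hunk and would need the same rejection, otherwise a name containing a newline can still end up in /proc/<pid>/cgroup. It is worth confirming this against the rename handler in kernel/cgroup.c before treating the check as the parsing guarantee the commit message describes. The comment would also read better on one line, `/* Reject '\n' so that /proc/<pid>/cgroup stays one path per line. */`.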
@@ -0,0 +1,158 @@
+From 2ad654bc5e2b211e92f66da1d819e47d79a866f0 Mon Sep 17 00:00:00 2001
+From: Zefan Li <lizefan@huawei.com>
+Date: Thu, 25 Sep 2014 09:41:02 +0800
+Subject: cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags
+
+commit 2ad654bc5e2b211e92f66da1d819e47d79a866f0 upstream.
+
+When we change cpuset.memory_spread_{page,slab}, cpuset will flip
+PF_SPREAD_{PAGE,SLAB} bit of tsk->flags for each task in that cpuset.
+This should be done using atomic bitops, but currently we don't,
+which is broken.
+
+Tetsuo reported a hard-to-reproduce kernel crash on RHEL6, which happened
+when one thread tried to clear PF_USED_MATH while at the same time another
+thread tried to flip PF_SPREAD_PAGE/PF_SPREAD_SLAB. They both operate on
+the same task.
+
+Here's the full report:
+https://lkml.org/lkml/2014/9/19/230
+
+To fix this, we make PF_SPREAD_PAGE and PF_SPREAD_SLAB atomic flags.
+
+v4:
+- updated mm/slab.c. (Fengguang Wu)
+- updated Documentation.
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Miao Xie <miaox@cn.fujitsu.com>
+Cc: Kees Cook <keescook@chromium.org>
+Fixes: 950592f7b991 ("cpusets: update tasks' page/slab spread flags in time")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+[lizf: Backported to 3.4:
+ - adjust context
+ - check current->flags & PF_MEMPOLICY rather than current->mempolicy]
+---
+ Documentation/cgroups/cpusets.txt | 6 +++---
+ include/linux/cpuset.h | 4 ++--
+ include/linux/sched.h | 12 ++++++++++--
+ kernel/cpuset.c | 9 +++++----
+ mm/slab.c | 4 ++--
+ 5 files changed, 22 insertions(+), 13 deletions(-)
+
+--- a/Documentation/cgroups/cpusets.txt
++++ b/Documentation/cgroups/cpusets.txt
+@@ -345,14 +345,14 @@ the named feature on.
+ The implementation is simple.
+
+ Setting the flag 'cpuset.memory_spread_page' turns on a per-process flag
+-PF_SPREAD_PAGE for each task that is in that cpuset or subsequently
++PFA_SPREAD_PAGE for each task that is in that cpuset or subsequently
+ joins that cpuset. The page allocation calls for the page cache
+-is modified to perform an inline check for this PF_SPREAD_PAGE task
++is modified to perform an inline check for this PFA_SPREAD_PAGE task
+ flag, and if set, a call to a new routine cpuset_mem_spread_node()
+ returns the node to prefer for the allocation.
+
+ Similarly, setting 'cpuset.memory_spread_slab' turns on the flag
+-PF_SPREAD_SLAB, and appropriately marked slab caches will allocate
++PFA_SPREAD_SLAB, and appropriately marked slab caches will allocate
+ pages from the node returned by cpuset_mem_spread_node().
+
+ The cpuset_mem_spread_node() routine is also simple. It uses the
+--- a/include/linux/cpuset.h
++++ b/include/linux/cpuset.h
+@@ -74,12 +74,12 @@ extern int cpuset_slab_spread_node(void)
+
+ static inline int cpuset_do_page_mem_spread(void)
+ {
+- return current->flags & PF_SPREAD_PAGE;
++ return task_spread_page(current);
+ }
+
+ static inline int cpuset_do_slab_mem_spread(void)
+ {
+- return current->flags & PF_SPREAD_SLAB;
++ return task_spread_slab(current);
+ }
+
+ extern int current_cpuset_is_being_rebound(void);
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1834,8 +1834,6 @@ extern void thread_group_times(struct ta
+ #define PF_KTHREAD 0x00200000 /* I am a kernel thread */
+ #define PF_RANDOMIZE 0x00400000 /* randomize virtual address space */
+ #define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */
+-#define PF_SPREAD_PAGE 0x01000000 /* Spread page cache over cpuset */
+-#define PF_SPREAD_SLAB 0x02000000 /* Spread some slab caches over cpuset */
+ #define PF_THREAD_BOUND 0x04000000 /* Thread bound to specific cpu */
+ #define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy */
+ #define PF_MEMPOLICY 0x10000000 /*
Non-default NUMA mempolicy */
+@@ -1868,6 +1866,8 @@ extern void thread_group_times(struct ta
+ #define used_math() tsk_used_math(current)
+
+ /* Per-process atomic flags. */
++#define PFA_SPREAD_PAGE 1 /* Spread page cache over cpuset */
++#define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */
+
+ #define TASK_PFA_TEST(name, func) \
+ static inline bool task_##func(struct task_struct *p) \
+@@ -1970,6 +1970,14 @@ static inline int set_cpus_allowed(struc
+ }
+ #endif
+
++TASK_PFA_TEST(SPREAD_PAGE, spread_page)
++TASK_PFA_SET(SPREAD_PAGE, spread_page)
++TASK_PFA_CLEAR(SPREAD_PAGE, spread_page)
++
++TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
++TASK_PFA_SET(SPREAD_SLAB, spread_slab)
++TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
++
+ /*
+ * Do not use outside of architecture code which knows its limitations.
+ *
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -326,13 +326,14 @@ static void cpuset_update_task_spread_fl
+ struct task_struct *tsk)
+ {
+ if (is_spread_page(cs))
+- tsk->flags |= PF_SPREAD_PAGE;
++ task_set_spread_page(tsk);
+ else
+- tsk->flags &= ~PF_SPREAD_PAGE;
++ task_clear_spread_page(tsk);
++
+ if (is_spread_slab(cs))
+- tsk->flags |= PF_SPREAD_SLAB;
++ task_set_spread_slab(tsk);
+ else
+- tsk->flags &= ~PF_SPREAD_SLAB;
++ task_clear_spread_slab(tsk);
+ }
+
+ /*
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -3321,7 +3321,7 @@ static inline void *____cache_alloc(stru
+
+ #ifdef CONFIG_NUMA
+ /*
+- * Try allocating on another node if PF_SPREAD_SLAB|PF_MEMPOLICY.
++ * Try allocating on another node if PFA_SPREAD_SLAB|PF_MEMPOLICY.
+ *
+ * If we are in_interrupt, then process context, including cpusets and
+ * mempolicy, may not apply and should not be used for allocation policy.
+@@ -3562,7 +3562,7 @@ __do_cache_alloc(struct kmem_cache *cach
+ {
+ void *objp;
+
+- if (unlikely(current->flags & (PF_SPREAD_SLAB | PF_MEMPOLICY))) {
++ if (unlikely((current->flags & PF_MEMPOLICY) || cpuset_do_slab_mem_spread())) {
+ objp = alternate_node_alloc(cache, flags);
+ if (objp)
+ goto out;
diff --git a/patches/don-t-bugger-nd-seq-on-set_root_rcu-from-follow_dotdot_rcu.patch b/patches/don-t-bugger-nd-seq-on-set_root_rcu-from-follow_dotdot_rcu.patch
new file mode 100644
index 0000000..745fd0b
--- /dev/null
+++ b/patches/don-t-bugger-nd-seq-on-set_root_rcu-from-follow_dotdot_rcu.patch
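Review bot: The new `PFA_SPREAD_PAGE 1` and `PFA_SPREAD_SLAB 2` defines in include/linux/sched.h sit a few lines below the `PF_*` masks but are not masks; they are presumably bit numbers consumed by the `TASK_PFA_*` helpers, whose bodies lie outside the hunk. A comment at the define block such as `/* PFA_* are bit numbers for the TASK_PFA_* helpers, not masks; never test them against ->flags */` would stop someone from writing `current->flags & PFA_SPREAD_SLAB`, which compiles and silently tests an unrelated bit. The updated mm/slab.c comment `PFA_SPREAD_SLAB|PF_MEMPOLICY` suggests exactly that OR; wording like `if PF_MEMPOLICY is set or the task has PFA_SPREAD_SLAB` would be more accurate.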
@@ -0,0 +1,92 @@
+From 7bd88377d482e1eae3c5329b12e33cfd664fa6a9 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 13 Sep 2014 21:55:46 -0400
+Subject: don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu()
+
+commit 7bd88377d482e1eae3c5329b12e33cfd664fa6a9 upstream.
+
+return the value instead, and have path_init() do the assignment. Broken by
+"vfs: Fix absolute RCU path walk failures due to uninitialized seq number",
+which was Cc-stable with 2.6.38+ as destination. This one should go where
+it went.
+
+To avoid dummy value returned in case when root is already set (it would do
+no harm, actually, since the only caller that doesn't ignore the return value
+is guaranteed to have nd->root *not* set, but it's more obvious that way),
+lift the check into callers. And do the same to set_root(), to keep them
+in sync.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[lizf: Backported to 3.4:
+ - remove the changes to follow_link() as it doesn't call set_root()]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ fs/namei.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -553,24 +553,22 @@ static int complete_walk(struct nameidat
+
+ static __always_inline void set_root(struct nameidata *nd)
+ {
+- if (!nd->root.mnt)
+- get_fs_root(current->fs, &nd->root);
++ get_fs_root(current->fs, &nd->root);
+ }
+
+ static int link_path_walk(const char *, struct nameidata *);
+
+-static __always_inline void set_root_rcu(struct nameidata *nd)
++static __always_inline unsigned set_root_rcu(struct nameidata *nd)
+ {
+- if (!nd->root.mnt) {
+- struct fs_struct *fs = current->fs;
+- unsigned seq;
++ struct fs_struct *fs = current->fs;
++ unsigned seq, res;
+
+- do {
+- seq = read_seqcount_begin(&fs->seq);
+- nd->root = fs->root;
+- nd->seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
+- } while (read_seqcount_retry(&fs->seq, seq));
+- }
++ do {
++ seq =
read_seqcount_begin(&fs->seq);
++ nd->root = fs->root;
++ res = __read_seqcount_begin(&nd->root.dentry->d_seq);
++ } while (read_seqcount_retry(&fs->seq, seq));
++ return res;
+ }
+
+ static __always_inline int __vfs_follow_link(struct nameidata *nd, const char *link)
+@@ -928,7 +926,8 @@ static void follow_mount_rcu(struct name
+
+ static int follow_dotdot_rcu(struct nameidata *nd)
+ {
+- set_root_rcu(nd);
++ if (!nd->root.mnt)
++ set_root_rcu(nd);
+
+ while (1) {
+ if (nd->path.dentry == nd->root.dentry &&
+@@ -1031,7 +1030,8 @@ static void follow_mount(struct path *pa
+
+ static void follow_dotdot(struct nameidata *nd)
+ {
+- set_root(nd);
++ if (!nd->root.mnt)
++ set_root(nd);
+
+ while(1) {
+ struct dentry *old = nd->path.dentry;
+@@ -1633,7 +1633,7 @@ static int path_init(int dfd, const char
+ if (flags & LOOKUP_RCU) {
+ br_read_lock(vfsmount_lock);
+ rcu_read_lock();
+- set_root_rcu(nd);
++ nd->seq = set_root_rcu(nd);
+ } else {
+ set_root(nd);
+ path_get(&nd->root);
diff --git a/patches/drm-i915-remove-bogus-__init-annotation-from-dmi-callbacks.patch b/patches/drm-i915-remove-bogus-__init-annotation-from-dmi-callbacks.patch
new file mode 100644
index 0000000..5805b66
--- /dev/null
+++ b/patches/drm-i915-remove-bogus-__init-annotation-from-dmi-callbacks.patch
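Review bot: set_root_rcu() gains a return value and a precondition that nothing in the code documents: it now overwrites `nd->root` unconditionally and returns the root dentry's sequence count, so every caller has to test `!nd->root.mnt` itself, as follow_dotdot_rcu() does, and only path_init() stores the result in `nd->seq`. A comment above the function, e.g. `/* Caller checks !nd->root.mnt; returns d_seq of the new root and leaves nd->seq untouched */`, would record that contract, and the same precondition applies to set_root(). In path_init() both calls stay unguarded; the commit message says root is not set there, but that branch continues outside the hunk and cannot be confirmed from here.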
@@ -0,0 +1,75 @@
+From bbe1c2740d3a25aa1dbe5d842d2ff09cddcdde0a Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Wed, 27 Aug 2014 18:41:19 +0200
+Subject: drm/i915: Remove bogus __init annotation from DMI callbacks
+
+commit bbe1c2740d3a25aa1dbe5d842d2ff09cddcdde0a upstream.
+
+The __init annotations for the DMI callback functions are wrong as this
+code can be called even after the module has been initialized, e.g. like
+this:
+
+ # echo 1 > /sys/bus/pci/devices/0000:00:02.0/remove
+ # modprobe i915
+ # echo 1 > /sys/bus/pci/rescan
+
+The first command will remove the PCI device from the kernel's device
+list so the second command won't see it right away. But as it registers
+a PCI driver it'll see it on the third command. If the system happens to
+match one of the DMI table entries we'll try to call a function in long
+released memory and generate an Oops, at best.
+
+Fix this by removing the bogus annotation.
+
+Modpost should have caught that one but it ignores section reference
+mismatches from the .rodata section. :/
+
+Fixes: 25e341cfc33d ("drm/i915: quirk away broken OpRegion VBT")
+Fixes: 8ca4013d702d ("CHROMIUM: i915: Add DMI override to skip CRT...")
+Fixes: 425d244c8670 ("drm/i915: ignore LVDS on intel graphics systems...")
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Duncan Laurie <dlaurie@chromium.org>
+Cc: Jarod Wilson <jarod@redhat.com>
+Cc: Rusty Russell <rusty@rustcorp.com.au> # Can modpost be fixed?
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/gpu/drm/i915/intel_bios.c | 2 +-
+ drivers/gpu/drm/i915/intel_crt.c | 2 +-
+ drivers/gpu/drm/i915/intel_lvds.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -651,7 +651,7 @@ init_vbt_defaults(struct drm_i915_privat
+ DRM_DEBUG_KMS("Set default to SSC at %dMHz\n", dev_priv->lvds_ssc_freq);
+ }
+
+-static int __init intel_no_opregion_vbt_callback(const struct dmi_system_id *id)
++static int intel_no_opregion_vbt_callback(const struct dmi_system_id *id)
+ {
+ DRM_DEBUG_KMS("Falling back to manually reading VBT from "
+ "VBIOS ROM for %s\n",
+--- a/drivers/gpu/drm/i915/intel_crt.c
++++ b/drivers/gpu/drm/i915/intel_crt.c
+@@ -564,7 +564,7 @@ static const struct drm_encoder_funcs in
+ .destroy = intel_encoder_destroy,
+ };
+
+-static int __init intel_no_crt_dmi_callback(const struct dmi_system_id *id)
++static int intel_no_crt_dmi_callback(const struct dmi_system_id *id)
+ {
+ DRM_DEBUG_KMS("Skipping CRT initialization for %s\n", id->ident);
+ return 1;
+--- a/drivers/gpu/drm/i915/intel_lvds.c
++++ b/drivers/gpu/drm/i915/intel_lvds.c
+@@ -619,7 +619,7 @@ static const struct drm_encoder_funcs in
+ .destroy = intel_encoder_destroy,
+ };
+
+-static int __init intel_no_lvds_dmi_callback(const struct dmi_system_id *id)
++static int intel_no_lvds_dmi_callback(const struct dmi_system_id *id)
+ {
+ DRM_DEBUG_KMS("Skipping LVDS initialization for %s\n", id->ident);
+ return 1;
diff --git a/patches/drm-radeon-add-connector-quirk-for-fujitsu-board.patch b/patches/drm-radeon-add-connector-quirk-for-fujitsu-board.patch
new file mode 100644
index 0000000..f490338
--- /dev/null
+++ b/patches/drm-radeon-add-connector-quirk-for-fujitsu-board.patch
@@ -0,0 +1,34 @@
+From 1952f24d0fa6292d65f886887af87ba8ac79b3ba Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 8 Sep 2014 13:55:51 -0400
+Subject: drm/radeon: add connector quirk for fujitsu board
+
+commit 1952f24d0fa6292d65f886887af87ba8ac79b3ba upstream.
+
+Vbios connector table lists non-existent VGA port.
+
+Bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=83184
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -463,6 +463,13 @@ static bool radeon_atom_apply_quirks(str
+ }
+ }
+
++ /* Fujitsu D3003-S2 board lists DVI-I as DVI-I and VGA */
++ if ((dev->pdev->device == 0x9805) &&
++ (dev->pdev->subsystem_vendor == 0x1734) &&
++ (dev->pdev->subsystem_device == 0x11bd)) {
++ if (*connector_type == DRM_MODE_CONNECTOR_VGA)
++ return false;
++ }
+
+ return true;
+ }
diff --git a/patches/drm-vmwgfx-fix-a-potential-infinite-spin-waiting-for-fifo-idle.patch b/patches/drm-vmwgfx-fix-a-potential-infinite-spin-waiting-for-fifo-idle.patch
new file mode 100644
index 0000000..2d803a3
--- /dev/null
+++ b/patches/drm-vmwgfx-fix-a-potential-infinite-spin-waiting-for-fifo-idle.patch
@@ -0,0 +1,32 @@
+From f01ea0c3d9db536c64d47922716d8b3b8f21d850 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Thu, 28 Aug 2014 11:53:23 +0200
+Subject: drm/vmwgfx: Fix a potential infinite spin waiting for fifo idle
+
+commit f01ea0c3d9db536c64d47922716d8b3b8f21d850 upstream.
+
+The code waiting for fifo idle was incorrect and could possibly spin
+forever under certain circumstances.
+
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reported-by: Mark Sheldon <markshel@vmware.com>
+Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
+Reivewed-by: Mark Sheldon <markshel@vmware.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
+@@ -163,8 +163,9 @@ void vmw_fifo_release(struct vmw_private
+
+ mutex_lock(&dev_priv->hw_mutex);
+
++ vmw_write(dev_priv, SVGA_REG_SYNC, SVGA_SYNC_GENERIC);
+ while (vmw_read(dev_priv, SVGA_REG_BUSY) != 0)
+- vmw_write(dev_priv, SVGA_REG_SYNC, SVGA_SYNC_GENERIC);
++ ;
+
+ dev_priv->last_read_seqno = ioread32(fifo_mem + SVGA_FIFO_FENCE);
+
diff --git a/patches/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch b/patches/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch
new file mode 100644
index 0000000..c9f4afc
--- /dev/null
+++ b/patches/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch
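Review bot: The rewritten wait in vmw_fifo_release() is still an unbounded poll of `SVGA_REG_BUSY` with `hw_mutex` held, and its body is now an empty statement; if the device never clears BUSY, the thread spins indefinitely without yielding. Writing it as `while (vmw_read(dev_priv, SVGA_REG_BUSY) != 0) cpu_relax();` at least makes the busy-wait explicit, and a bounded retry count with a warning on expiry would be the more robust form. The function continues outside the hunk, so whether a timeout could be handled there is not visible.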
@@ -0,0 +1,70 @@
+From f2d5a94436cc7cc0221b9a81bba2276a25187dd3 Mon Sep 17 00:00:00 2001
+From: Anton Altaparmakov <aia21@cam.ac.uk>
+Date: Mon, 22 Sep 2014 01:53:03 +0100
+Subject: Fix nasty 32-bit overflow bug in buffer i/o code.
+
+commit f2d5a94436cc7cc0221b9a81bba2276a25187dd3 upstream.
+
+On 32-bit architectures, the legacy buffer_head functions are not always
+handling the sector number with the proper 64-bit types, and will thus
+fail on 4TB+ disks.
+
+Any code that uses __getblk() (and thus bread(), breadahead(),
+sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
+block on a 32-bit arch (where "long" is 32-bit) causes an inifinite loop
+in __getblk_slow() with an infinite stream of errors logged to dmesg
+like this:
+
+ __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
+ b_state=0x00000020, b_size=512
+ device sda1 blocksize: 512
+
+Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
+top 32-bits are missing (in this case the 0x1 at the top).
+
+This is because grow_dev_page() is broken and has a 32-bit overflow due
+to shifting the page index value (a pgoff_t - which is just 32 bits on
+32-bit architectures) left-shifted as the block number. But the top
+bits to get lost as the pgoff_t is not type cast to sector_t / 64-bit
+before the shift.
+
+This patch fixes this issue by type casting "index" to sector_t before
+doing the left shift.
+
+Note this is not a theoretical bug but has been seen in the field on a
+4TiB hard drive with logical sector size 512 bytes.
+
+This patch has been verified to fix the infinite loop problem on 3.17-rc5
+kernel using a 4TB disk image mounted using "-o loop". Without this patch
+doing a "find /nt" where /nt is an NTFS volume causes the inifinite loop
+100% reproducibly whilst with the patch it works fine as expected.
+
+Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ fs/buffer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -971,7 +971,8 @@ grow_dev_page(struct block_device *bdev,
+ bh = page_buffers(page);
+ if (bh->b_size == size) {
+ end_block = init_page_buffers(page, bdev,
+- index << sizebits, size);
++ (sector_t)index << sizebits,
++ size);
+ goto done;
+ }
+ if (!try_to_free_buffers(page))
+@@ -992,7 +993,8 @@ grow_dev_page(struct block_device *bdev,
+ */
+ spin_lock(&inode->i_mapping->private_lock);
+ link_dev_buffers(page, bh);
+- end_block = init_page_buffers(page, bdev, index << sizebits, size);
++ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits,
++ size);
+ spin_unlock(&inode->i_mapping->private_lock);
+ done:
+ ret = (block < end_block) ? 1 : -ENXIO;
diff --git a/patches/futex-unlock-hb-lock-in-futex_wait_requeue_pi-error-path.patch b/patches/futex-unlock-hb-lock-in-futex_wait_requeue_pi-error-path.patch
new file mode 100644
index 0000000..58a0b62
--- /dev/null
+++ b/patches/futex-unlock-hb-lock-in-futex_wait_requeue_pi-error-path.patch
@@ -0,0 +1,46 @@
+From 13c42c2f43b19aab3195f2d357db00d1e885eaa8 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 11 Sep 2014 23:44:35 +0200
+Subject: futex: Unlock hb->lock in futex_wait_requeue_pi() error path
+
+commit 13c42c2f43b19aab3195f2d357db00d1e885eaa8 upstream.
+
+futex_wait_requeue_pi() calls futex_wait_setup(). If
+futex_wait_setup() succeeds it returns with hb->lock held and
+preemption disabled. Now the sanity check after this does:
+
+ if (match_futex(&q.key, &key2)) {
+ ret = -EINVAL;
+ goto out_put_keys;
+ }
+
+which releases the keys but does not release hb->lock.
+
+So we happily return to user space with hb->lock held and therefor
+preemption disabled.
+
+Unlock hb->lock before taking the exit route.
+
+Reported-by: Dave "Trinity" Jones <davej@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+[lizf: Backported to 3.4: queue_unlock() takes two parameters]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/futex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2460,6 +2460,7 @@ static int futex_wait_requeue_pi(u32 __u
+ * shared futexes. We need to compare the keys:
+ */
+ if (match_futex(&q.key, &key2)) {
++ queue_unlock(&q, hb);
+ ret = -EINVAL;
+ goto out_put_keys;
+ }
diff --git a/patches/get-rid-of-propagate_umount-mistakenly-treating-slaves-as-busy.patch b/patches/get-rid-of-propagate_umount-mistakenly-treating-slaves-as-busy.patch
new file mode 100644
index 0000000..88f3224
--- /dev/null
+++ b/patches/get-rid-of-propagate_umount-mistakenly-treating-slaves-as-busy.patch
@@ -0,0 +1,55 @@
+From 88b368f27a094277143d8ecd5a056116f6a41520 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 18 Aug 2014 15:09:26 -0400
+Subject: get rid of propagate_umount() mistakenly treating slaves as busy.
+
+commit 88b368f27a094277143d8ecd5a056116f6a41520 upstream.
+
+The check in __propagate_umount() ("has somebody explicitly mounted
+something on that slave?") is done *before* taking the already doomed
+victims out of the child lists.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[lizf: Backported to 3.4:
+ - adjust context
+ - s/hlist_for_each_entry/list_for_each_entry/]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ fs/namespace.c | 4 +++-
+ fs/pnode.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1066,6 +1066,9 @@ void umount_tree(struct mount *mnt, int
+ for (p = mnt; p; p = next_mnt(p, mnt))
+ list_move(&p->mnt_hash, &tmp_list);
+
++ list_for_each_entry(p, &tmp_list, mnt_hash)
++ list_del_init(&p->mnt_child);
++
+ if (propagate)
+ propagate_umount(&tmp_list);
+
+@@ -1076,7 +1079,6 @@ void umount_tree(struct mount *mnt, int
+ if (p->mnt_ns)
+ __mnt_make_shortterm(p);
+ p->mnt_ns = NULL;
+- list_del_init(&p->mnt_child);
+ if (mnt_has_parent(p)) {
+ p->mnt_parent->mnt_ghosts++;
+ dentry_reset_mounted(p->mnt_mountpoint);
+--- a/fs/pnode.c
++++ b/fs/pnode.c
+@@ -333,8 +333,10 @@ static void __propagate_umount(struct mo
+ * umount the child only if the child has no
+ * other children
+ */
+- if (child && list_empty(&child->mnt_mounts))
++ if (child && list_empty(&child->mnt_mounts)) {
++ list_del_init(&child->mnt_child);
+ list_move_tail(&child->mnt_hash, &mnt->mnt_hash);
++ }
+ }
+ }
+
diff --git a/patches/init-kconfig-hide-printk-log-config-if-config_printk-n.patch b/patches/init-kconfig-hide-printk-log-config-if-config_printk-n.patch
new file mode 100644
index 0000000..3325198
--- /dev/null
+++ b/patches/init-kconfig-hide-printk-log-config-if-config_printk-n.patch
@@ -0,0 +1,30 @@
+From 361e9dfbaae84b0b246ed18d1ab7c82a1a41b53e Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Fri, 3 Oct 2014 16:00:54 -0700
+Subject: init/Kconfig: Hide printk log config if CONFIG_PRINTK=n
+
+commit 361e9dfbaae84b0b246ed18d1ab7c82a1a41b53e upstream.
+
+The buffers sized by CONFIG_LOG_BUF_SHIFT and
+CONFIG_LOG_CPU_MAX_BUF_SHIFT do not exist if CONFIG_PRINTK=n, so don't
+ask about their size at all.
+
+Signed-off-by: Josh Triplett <josh@joshtriplett.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+[lizf: Backported to 3.4:
+ - drop the change to CONFIG_LOG_CPU_MAX_BUF_SHIFT as it doesn't exist in 3.4]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -560,6 +560,7 @@ config LOG_BUF_SHIFT
+ int "Kernel log buffer size (16 => 64KB, 17 => 128KB)"
+ range 12 21
+ default 17
++ depends on PRINTK
+ help
+ Select kernel log buffer size as a power of 2.
+ Examples:
diff --git a/patches/input-elantech-fix-detection-of-touchpad-on-asus-s301l.patch b/patches/input-elantech-fix-detection-of-touchpad-on-asus-s301l.patch
new file mode 100644
index 0000000..c0610c1
--- /dev/null
+++ b/patches/input-elantech-fix-detection-of-touchpad-on-asus-s301l.patch
@@ -0,0 +1,37 @@
+From 271329b3c798b2102120f5df829071c211ef00ed Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 8 Sep 2014 14:39:52 -0700
+Subject: Input: elantech - fix detection of touchpad on ASUS s301l
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 271329b3c798b2102120f5df829071c211ef00ed upstream.
+
+Adjust Elantech signature validation to account fo rnewer models of
+touchpads.
+
+Reported-and-tested-by: Màrius Monton <marius.monton@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/input/mouse/elantech.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1218,6 +1218,13 @@ static bool elantech_is_signature_valid(
+ if (param[1] == 0)
+ return true;
+
++ /*
++ * Some models have a revision higher then 20. Meaning param[2] may
++ * be 10 or 20, skip the rates check for these.
++ */
++ if (param[0] == 0x46 && (param[1] & 0xef) == 0x0f && param[2] < 40)
++ return true;
++
+ for (i = 0; i < ARRAY_SIZE(rates); i++)
+ if (param[2] == rates[i])
+ return false;
diff --git a/patches/input-i8042-add-fujitsu-u574-to-no_timeout-dmi-table.patch b/patches/input-i8042-add-fujitsu-u574-to-no_timeout-dmi-table.patch
new file mode 100644
index 0000000..88d0369
--- /dev/null
+++ b/patches/input-i8042-add-fujitsu-u574-to-no_timeout-dmi-table.patch
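Review bot: The comment added above the new early return in elantech_is_signature_valid() says param[2] "may be 10 or 20", but the condition `param[2] < 40` lets through every value below 40, so the comment and the check disagree about what is accepted. If the wider bound is intended, the comment should say so, for example `/* Some models have a revision higher than 20, so param[2] may be 10 or 20; skip the rates check for any param[2] below 40. */`. The same comment has "then" where "than" is meant. The function starts and ends outside the hunk.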
@@ -0,0 +1,34 @@
+From cc18a69c92d0972bc2fc5a047ee3be1e8398171b Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 10 Sep 2014 13:53:37 -0700
+Subject: Input: i8042 - add Fujitsu U574 to no_timeout dmi table
+
+commit cc18a69c92d0972bc2fc5a047ee3be1e8398171b upstream.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=69731
+
+Reported-by: Jason Robinson <mail@jasonrobinson.me>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -601,6 +601,14 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"),
+ },
+ },
++ {
++ /* Fujitsu U574 laptop */
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"),
++ },
++ },
+ { }
+ };
+
diff --git a/patches/input-i8042-add-nomux-quirk-for-avatar-aviu-145a6.patch b/patches/input-i8042-add-nomux-quirk-for-avatar-aviu-145a6.patch
new file mode 100644
index 0000000..6ee392d
--- /dev/null
+++ b/patches/input-i8042-add-nomux-quirk-for-avatar-aviu-145a6.patch
@@ -0,0 +1,37 @@
+From d2682118f4bb3ceb835f91c1a694407a31bb7378 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 11 Sep 2014 10:10:26 -0700
+Subject: Input: i8042 - add nomux quirk for Avatar AVIU-145A6
+
+commit d2682118f4bb3ceb835f91c1a694407a31bb7378 upstream.
+
+The sys_vendor / product_name are somewhat generic unfortunately, so this
+may lead to some false positives. But nomux usually does no harm, where as
+not having it clearly is causing problems on the Avatar AVIU-145A6.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=77391
+
+Reported-by: Hugo P <saurosii@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -458,6 +458,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"),
+ },
+ },
++ {
++ /* Avatar AVIU-145A6 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"),
++ },
++ },
+ { }
+ };
+
diff --git a/patches/input-serport-add-compat-handling-for-spiocstype-ioctl.patch b/patches/input-serport-add-compat-handling-for-spiocstype-ioctl.patch
new file mode 100644
index 0000000..5afd826
--- /dev/null
+++ b/patches/input-serport-add-compat-handling-for-spiocstype-ioctl.patch
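Review bot: The in-table comment `/* Avatar AVIU-145A6 */` on the new nomux entry does not record what the patch description admits: the two match strings, `"Intel"` and `"IC4I"`, are generic and the quirk may apply to other machines. I would carry that into the table, e.g. `/* Avatar AVIU-145A6; vendor/product strings are generic and may match other systems */`, so a later reader chasing an unexpected nomux knows where to look. The table itself starts outside the hunk.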
@@ -0,0 +1,102 @@
+From a80d8b02751060a178bb1f7a6b7a93645a7a308b Mon Sep 17 00:00:00 2001
+From: John Sung <penmount.touch@gmail.com>
+Date: Tue, 9 Sep 2014 10:06:51 -0700
+Subject: Input: serport - add compat handling for SPIOCSTYPE ioctl
+
+commit a80d8b02751060a178bb1f7a6b7a93645a7a308b upstream.
+
+When running a 32-bit inputattach utility in a 64-bit system, there will be
+error code "inputattach: can't set device type". This is caused by the
+serport device driver not supporting compat_ioctl, so that SPIOCSTYPE ioctl
+fails.
+
+Signed-off-by: John Sung <penmount.touch@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/input/serio/serport.c | 45 +++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/serio/serport.c
++++ b/drivers/input/serio/serport.c
+@@ -21,6 +21,7 @@
+ #include <linux/init.h>
+ #include <linux/serio.h>
+ #include <linux/tty.h>
++#include <linux/compat.h>
+
+ MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>");
+ MODULE_DESCRIPTION("Input device TTY line discipline");
+@@ -196,28 +197,55 @@ static ssize_t serport_ldisc_read(struct
+ return 0;
+ }
+
++static void serport_set_type(struct tty_struct *tty, unsigned long type)
++{
++ struct serport *serport = tty->disc_data;
++
++ serport->id.proto = type & 0x000000ff;
++ serport->id.id = (type & 0x0000ff00) >> 8;
++ serport->id.extra = (type & 0x00ff0000) >> 16;
++}
++
+ /*
+ * serport_ldisc_ioctl() allows to set the port protocol, and device ID
+ */
+
+-static int serport_ldisc_ioctl(struct tty_struct * tty, struct file * file, unsigned int cmd, unsigned long arg)
++static int serport_ldisc_ioctl(struct tty_struct *tty, struct file *file,
++ unsigned int cmd, unsigned long arg)
+ {
+- struct serport *serport = (struct serport*) tty->disc_data;
+- unsigned long type;
+-
+ if (cmd == SPIOCSTYPE) {
++ unsigned long type;
++
+ if (get_user(type, (unsigned long __user *) arg))
+ return -EFAULT;
+
+- serport->id.proto = type & 0x000000ff;
+- serport->id.id = (type & 0x0000ff00) >> 8;
+- serport->id.extra = (type & 0x00ff0000) >> 16;
++ serport_set_type(tty, type);
++ return 0;
++ }
++
++ return -EINVAL;
++}
++
++#ifdef CONFIG_COMPAT
++#define COMPAT_SPIOCSTYPE _IOW('q', 0x01, compat_ulong_t)
++static long serport_ldisc_compat_ioctl(struct tty_struct *tty,
++ struct file *file,
++ unsigned int cmd, unsigned long arg)
++{
++ if (cmd == COMPAT_SPIOCSTYPE) {
++ void __user *uarg = compat_ptr(arg);
++ compat_ulong_t compat_type;
++
++ if (get_user(compat_type, (compat_ulong_t __user *)uarg))
++ return -EFAULT;
+
++ serport_set_type(tty, compat_type);
+ return 0;
+ }
+
+ return -EINVAL;
+ }
++#endif
+
+ static void serport_ldisc_write_wakeup(struct tty_struct * tty)
+ {
+@@ -241,6 +269,9 @@ static struct tty_ldisc_ops serport_ldis
+ .close = serport_ldisc_close,
+ .read = serport_ldisc_read,
+ .ioctl = serport_ldisc_ioctl,
++#ifdef CONFIG_COMPAT
++ .compat_ioctl = serport_ldisc_compat_ioctl,
++#endif
+ .receive_buf = serport_ldisc_receive,
+ .write_wakeup = serport_ldisc_write_wakeup
+ };
diff --git a/patches/input-synaptics-add-support-for-forcepads.patch b/patches/input-synaptics-add-support-for-forcepads.patch
new file mode 100644
index 0000000..989abf8
--- /dev/null
+++ b/patches/input-synaptics-add-support-for-forcepads.patch
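Review bot: `COMPAT_SPIOCSTYPE` is defined beside serport_ldisc_compat_ioctl() as `_IOW('q', 0x01, compat_ulong_t)`, repeating the ioctl magic and number by hand; the definition of SPIOCSTYPE is not in this hunk, so nothing visible ties the two together. If they ever differ, 32-bit callers fall through to `return -EINVAL` with no hint why. A one-line comment would do: `/* must mirror SPIOCSTYPE; only the argument size differs for 32-bit callers */`. The new serport_set_type() also has no header comment, and it silently ignores bits 24-31 of the user-supplied value, which is worth stating there.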
@@ -0,0 +1,145 @@
+From 5715fc764f7753d464dbe094b5ef9cffa6e479a4 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 30 Aug 2014 13:51:06 -0700
+Subject: Input: synaptics - add support for ForcePads
+
+commit 5715fc764f7753d464dbe094b5ef9cffa6e479a4 upstream.
+
+ForcePads are found on HP EliteBook 1040 laptops. They lack any kind of
+physical buttons, instead they generate primary button click when user
+presses somewhat hard on the surface of the touchpad. Unfortunately they
+also report primary button click whenever there are 2 or more contacts
+on the pad, messing up all multi-finger gestures (2-finger scrolling,
+multi-finger tapping, etc). To cope with this behavior we introduce a
+delay (currently 50 msecs) in reporting primary press in case more
+contacts appear.
+
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/input/mouse/synaptics.c | 68 ++++++++++++++++++++++++++++++----------
+ drivers/input/mouse/synaptics.h | 11 ++++++
+ 2 files changed, 63 insertions(+), 16 deletions(-)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -517,10 +517,61 @@ static int synaptics_parse_hw_state(cons
+ ((buf[0] & 0x04) >> 1) |
+ ((buf[3] & 0x04) >> 2));
+
++ if ((SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) ||
++ SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)) &&
++ hw->w == 2) {
++ synaptics_parse_agm(buf, priv, hw);
++ return 1;
++ }
++
++ hw->x = (((buf[3] & 0x10) << 8) |
++ ((buf[1] & 0x0f) << 8) |
++ buf[4]);
++ hw->y = (((buf[3] & 0x20) << 7) |
++ ((buf[1] & 0xf0) << 4) |
++ buf[5]);
++ hw->z = buf[2];
++
+ hw->left = (buf[0] & 0x01) ? 1 : 0;
+ hw->right = (buf[0] & 0x02) ? 1 : 0;
+
+- if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) {
++ if (SYN_CAP_FORCEPAD(priv->ext_cap_0c)) {
++ /*
++ * ForcePads, like Clickpads, use middle button
++ * bits to report primary button clicks.
++ * Unfortunately they report primary button not
++ * only when user presses on the pad above certain
++ * threshold, but also when there are more than one
++ * finger on the touchpad, which interferes with
++ * out multi-finger gestures.
++ */
++ if (hw->z == 0) {
++ /* No contacts */
++ priv->press = priv->report_press = false;
++ } else if (hw->w >= 4 && ((buf[0] ^ buf[3]) & 0x01)) {
++ /*
++ * Single-finger touch with pressure above
++ * the threshold. If pressure stays long
++ * enough, we'll start reporting primary
++ * button. We rely on the device continuing
++ * sending data even if finger does not
++ * move.
++ */
++ if (!priv->press) {
++ priv->press_start = jiffies;
++ priv->press = true;
++ } else if (time_after(jiffies,
++ priv->press_start +
++ msecs_to_jiffies(50))) {
++ priv->report_press = true;
++ }
++ } else {
++ priv->press = false;
++ }
++
++ hw->left = priv->report_press;
++
++ } else if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) {
+ /*
+ * Clickpad's button is transmitted as middle button,
+ * however, since it is primary button, we will report
+@@ -539,21 +590,6 @@ static int synaptics_parse_hw_state(cons
+ hw->down = ((buf[0] ^ buf[3]) & 0x02) ? 1 : 0;
+ }
+
+- if ((SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) ||
+- SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)) &&
+- hw->w == 2) {
+- synaptics_parse_agm(buf, priv, hw);
+- return 1;
+- }
+-
+- hw->x = (((buf[3] & 0x10) << 8) |
+- ((buf[1] & 0x0f) << 8) |
+- buf[4]);
+- hw->y = (((buf[3] & 0x20) << 7) |
+- ((buf[1] & 0xf0) << 4) |
+- buf[5]);
+- hw->z = buf[2];
+-
+ if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) &&
+ ((buf[0] ^ buf[3]) & 0x02)) {
+ switch (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) & ~0x01) {
+--- a/drivers/input/mouse/synaptics.h
++++ b/drivers/input/mouse/synaptics.h
+@@ -77,6 +77,11 @@
+ * 2 0x08 image sensor image sensor tracks 5 fingers, but only
+ * reports 2.
+ * 2 0x20 report min query 0x0f gives min coord reported
++ * 2 0x80 forcepad forcepad is a variant of clickpad that
++ * does not have physical buttons but rather
++ * uses pressure above certain threshold to
++ * report primary clicks. Forcepads also have
++ * clickpad bit set.
+ */
+ #define SYN_CAP_CLICKPAD(ex0c) ((ex0c) & 0x100000) /* 1-button ClickPad */
+ #define SYN_CAP_CLICKPAD2BTN(ex0c) ((ex0c) & 0x000100) /* 2-button ClickPad */
+@@ -85,6 +90,7 @@
+ #define SYN_CAP_ADV_GESTURE(ex0c) ((ex0c) & 0x080000)
+ #define SYN_CAP_REDUCED_FILTERING(ex0c) ((ex0c) & 0x000400)
+ #define SYN_CAP_IMAGE_SENSOR(ex0c) ((ex0c) & 0x000800)
++#define SYN_CAP_FORCEPAD(ex0c) ((ex0c) & 0x008000)
+
+ /* synaptics modes query bits */
+ #define SYN_MODE_ABSOLUTE(m) ((m) & (1 << 7))
+@@ -174,6 +180,11 @@ struct synaptics_data {
+ */
+ struct synaptics_hw_state agm;
+ bool agm_pending; /* new AGM packet received */
++
++ /* ForcePad handling */
++ unsigned long press_start;
++ bool press;
++ bool report_press;
+ };
+
+ void synaptics_module_init(void);
diff --git a/patches/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch b/patches/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
new file mode 100644
index 0000000..e586c76
--- /dev/null
+++ b/patches/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
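Review bot: The press delay in the ForcePad branch of synaptics_parse_hw_state() is the bare literal in `msecs_to_jiffies(50)`, and the only explanation of the value ("currently 50 msecs") lives in the patch description. A named constant would keep the tunable visible, e.g. `#define SYN_FORCEPAD_PRESS_DELAY_MS 50` (the name is only a suggestion) used as `msecs_to_jiffies(SYN_FORCEPAD_PRESS_DELAY_MS)`. In the same block comment, "out multi-finger gestures" should read "our multi-finger gestures". The function body continues outside both synaptics.c hunks.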
@@ -0,0 +1,34 @@
+From 8ae757d09c45102b347a1bc2867f54ffc1ab8fda Mon Sep 17 00:00:00 2001
+From: Joern Engel <joern@logfs.org>
+Date: Tue, 2 Sep 2014 17:49:54 -0400
+Subject: iscsi-target: avoid NULL pointer in iscsi_copy_param_list failure
+
+commit 8ae757d09c45102b347a1bc2867f54ffc1ab8fda upstream.
+
+In iscsi_copy_param_list() a failed iscsi_param_list memory allocation
+currently invokes iscsi_release_param_list() to cleanup, and will promptly
+trigger a NULL pointer dereference.
+
+Instead, go ahead and return for the first iscsi_copy_param_list()
+failure case.
+
+Found by coverity.
+
+Signed-off-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -552,7 +552,7 @@ int iscsi_copy_param_list(
+ param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL);
+ if (!param_list) {
+ pr_err("Unable to allocate memory for struct iscsi_param_list.\n");
+- goto err_out;
++ return -1;
+ }
+ INIT_LIST_HEAD(¶m_list->param_list);
+ INIT_LIST_HEAD(¶m_list->extra_response_list);
diff --git a/patches/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch b/patches/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
new file mode 100644
index 0000000..afff802
--- /dev/null
+++ b/patches/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
@@ -0,0 +1,47 @@
+From b53b0d99d6fbf7d44330395349a895521cfdbc96 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 17 Sep 2014 11:45:17 -0700
+Subject: iscsi-target: Fix memory corruption in
+ iscsit_logout_post_handler_diffcid
+
+commit b53b0d99d6fbf7d44330395349a895521cfdbc96 upstream.
+
+This patch fixes a bug in iscsit_logout_post_handler_diffcid() where
+a pointer used as storage for list_for_each_entry() was incorrectly
+being used to determine if no matching entry had been found.
+
+This patch changes iscsit_logout_post_handler_diffcid() to key off
+bool conn_found to determine if the function needs to exit early.
+
+Reported-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/target/iscsi/iscsi_target.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4297,6 +4297,7 @@ static void iscsit_logout_post_handler_d
+ {
+ struct iscsi_conn *l_conn;
+ struct iscsi_session *sess = conn->sess;
++ bool conn_found = false;
+
+ if (!sess)
+ return;
+@@ -4305,12 +4306,13 @@ static void iscsit_logout_post_handler_d
+ list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) {
+ if (l_conn->cid == cid) {
+ iscsit_inc_conn_usage_count(l_conn);
++ conn_found = true;
+ break;
+ }
+ }
+ spin_unlock_bh(&sess->conn_lock);
+
+- if (!l_conn)
++ if (!conn_found)
+ return;
+
+ if (l_conn->sock)
diff --git a/patches/jiffies-fix-timeval-conversion-to-jiffies.patch b/patches/jiffies-fix-timeval-conversion-to-jiffies.patch
new file mode 100644
index 0000000..9351429
--- /dev/null
+++ b/patches/jiffies-fix-timeval-conversion-to-jiffies.patch
@@ -0,0 +1,204 @@ +From d78c9300c51d6ceed9f6d078d4e9366f259de28c Mon Sep 17 00:00:00 2001 +From: Andrew Hunter <ahh@google.com> +Date: Thu, 4 Sep 2014 14:17:16 -0700 +Subject: jiffies: Fix timeval conversion to jiffies + +commit d78c9300c51d6ceed9f6d078d4e9366f259de28c upstream. + +timeval_to_jiffies tried to round a timeval up to an integral number +of jiffies, but the logic for doing so was incorrect: intervals +corresponding to exactly N jiffies would become N+1. This manifested +itself particularly repeatedly stopping/starting an itimer: + +setitimer(ITIMER_PROF, &val, NULL); +setitimer(ITIMER_PROF, NULL, &val); + +would add a full tick to val, _even if it was exactly representable in +terms of jiffies_ (say, the result of a previous rounding.) Doing +this repeatedly would cause unbounded growth in val. So fix the math. + +Here's what was wrong with the conversion: we essentially computed +(eliding seconds) + +jiffies = usec * (NSEC_PER_USEC/TICK_NSEC) + +by using scaling arithmetic, which took the best approximation of +NSEC_PER_USEC/TICK_NSEC with denominator of 2^USEC_JIFFIE_SC = +x/(2^USEC_JIFFIE_SC), and computed: + +jiffies = (usec * x) >> USEC_JIFFIE_SC + +and rounded this calculation up in the intermediate form (since we +can't necessarily exactly represent TICK_NSEC in usec.) But the +scaling arithmetic is a (very slight) *over*approximation of the true +value; that is, instead of dividing by (1 usec/ 1 jiffie), we +effectively divided by (1 usec/1 jiffie)-epsilon (rounding +down). This would normally be fine, but we want to round timeouts up, +and we did so by adding 2^USEC_JIFFIE_SC - 1 before the shift; this +would be fine if our division was exact, but dividing this by the +slightly smaller factor was equivalent to adding just _over_ 1 to the +final result (instead of just _under_ 1, as desired.) + +In particular, with HZ=1000, we consistently computed that 10000 usec +was 11 jiffies; the same was true for any exact multiple of +TICK_NSEC. 
+ +We could possibly still round in the intermediate form, adding +something less than 2^USEC_JIFFIE_SC - 1, but easier still is to +convert usec->nsec, round in nanoseconds, and then convert using +time*spec*_to_jiffies. This adds one constant multiplication, and is +not observably slower in microbenchmarks on recent x86 hardware. + +Tested: the following program: + +int main() { + struct itimerval zero = {{0, 0}, {0, 0}}; + /* Initially set to 10 ms. */ + struct itimerval initial = zero; + initial.it_interval.tv_usec = 10000; + setitimer(ITIMER_PROF, &initial, NULL); + /* Save and restore several times. */ + for (size_t i = 0; i < 10; ++i) { + struct itimerval prev; + setitimer(ITIMER_PROF, &zero, &prev); + /* on old kernels, this goes up by TICK_USEC every iteration */ + printf("previous value: %ld %ld %ld %ld\n", + prev.it_interval.tv_sec, prev.it_interval.tv_usec, + prev.it_value.tv_sec, prev.it_value.tv_usec); + setitimer(ITIMER_PROF, &prev, NULL); + } + return 0; +} + +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Paul Turner <pjt@google.com> +Cc: Richard Cochran <richardcochran@gmail.com> +Cc: Prarit Bhargava <prarit@redhat.com> +Reviewed-by: Paul Turner <pjt@google.com> +Reported-by: Aaron Jacobs <jacobsa@google.com> +Signed-off-by: Andrew Hunter <ahh@google.com> +[jstultz: Tweaked to apply to 3.17-rc] +Signed-off-by: John Stultz <john.stultz@linaro.org> +[lizf: Backported to 3.4: adjust filename] +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + include/linux/jiffies.h | 12 ---------- + kernel/time.c | 54 ++++++++++++++++++++++++++---------------------- + 2 files changed, 30 insertions(+), 36 deletions(-) + +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -259,23 +259,11 @@ extern unsigned long preset_lpj; + #define SEC_JIFFIE_SC (32 - SHIFT_HZ) + #endif + #define NSEC_JIFFIE_SC (SEC_JIFFIE_SC + 29) +-#define USEC_JIFFIE_SC (SEC_JIFFIE_SC + 19) + #define SEC_CONVERSION ((unsigned 
long)((((u64)NSEC_PER_SEC << SEC_JIFFIE_SC) +\ + TICK_NSEC -1) / (u64)TICK_NSEC)) + + #define NSEC_CONVERSION ((unsigned long)((((u64)1 << NSEC_JIFFIE_SC) +\ + TICK_NSEC -1) / (u64)TICK_NSEC)) +-#define USEC_CONVERSION \ +- ((unsigned long)((((u64)NSEC_PER_USEC << USEC_JIFFIE_SC) +\ +- TICK_NSEC -1) / (u64)TICK_NSEC)) +-/* +- * USEC_ROUND is used in the timeval to jiffie conversion. See there +- * for more details. It is the scaled resolution rounding value. Note +- * that it is a 64-bit value. Since, when it is applied, we are already +- * in jiffies (albit scaled), it is nothing but the bits we will shift +- * off. +- */ +-#define USEC_ROUND (u64)(((u64)1 << USEC_JIFFIE_SC) - 1) + /* + * The maximum jiffie value is (MAX_INT >> 1). Here we translate that + * into seconds. The 64-bit case will overflow if we are not careful, +--- a/kernel/time.c ++++ b/kernel/time.c +@@ -487,17 +487,20 @@ EXPORT_SYMBOL(usecs_to_jiffies); + * that a remainder subtract here would not do the right thing as the + * resolution values don't fall on second boundries. I.e. the line: + * nsec -= nsec % TICK_NSEC; is NOT a correct resolution rounding. ++ * Note that due to the small error in the multiplier here, this ++ * rounding is incorrect for sufficiently large values of tv_nsec, but ++ * well formed timespecs should have tv_nsec < NSEC_PER_SEC, so we're ++ * OK. + * + * Rather, we just shift the bits off the right. + * + * The >> (NSEC_JIFFIE_SC - SEC_JIFFIE_SC) converts the scaled nsec + * value to a scaled second value. 
+ */ +-unsigned long +-timespec_to_jiffies(const struct timespec *value) ++static unsigned long ++__timespec_to_jiffies(unsigned long sec, long nsec) + { +- unsigned long sec = value->tv_sec; +- long nsec = value->tv_nsec + TICK_NSEC - 1; ++ nsec = nsec + TICK_NSEC - 1; + + if (sec >= MAX_SEC_IN_JIFFIES){ + sec = MAX_SEC_IN_JIFFIES; +@@ -508,6 +511,13 @@ timespec_to_jiffies(const struct timespe + (NSEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC; + + } ++ ++unsigned long ++timespec_to_jiffies(const struct timespec *value) ++{ ++ return __timespec_to_jiffies(value->tv_sec, value->tv_nsec); ++} ++ + EXPORT_SYMBOL(timespec_to_jiffies); + + void +@@ -524,31 +534,27 @@ jiffies_to_timespec(const unsigned long + } + EXPORT_SYMBOL(jiffies_to_timespec); + +-/* Same for "timeval" ++/* ++ * We could use a similar algorithm to timespec_to_jiffies (with a ++ * different multiplier for usec instead of nsec). But this has a ++ * problem with rounding: we can't exactly add TICK_NSEC - 1 to the ++ * usec value, since it's not necessarily integral. ++ * ++ * We could instead round in the intermediate scaled representation ++ * (i.e. in units of 1/2^(large scale) jiffies) but that's also ++ * perilous: the scaling introduces a small positive error, which ++ * combined with a division-rounding-upward (i.e. adding 2^(scale) - 1 ++ * units to the intermediate before shifting) leads to accidental ++ * overflow and overestimates. + * +- * Well, almost. The problem here is that the real system resolution is +- * in nanoseconds and the value being converted is in micro seconds. +- * Also for some machines (those that use HZ = 1024, in-particular), +- * there is a LARGE error in the tick size in microseconds. +- +- * The solution we use is to do the rounding AFTER we convert the +- * microsecond part. Thus the USEC_ROUND, the bits to be shifted off. +- * Instruction wise, this should cost only an additional add with carry +- * instruction above the way it was done above. 
++ * At the cost of one additional multiplication by a constant, just ++ * use the timespec implementation. + */ + unsigned long + timeval_to_jiffies(const struct timeval *value) + { +- unsigned long sec = value->tv_sec; +- long usec = value->tv_usec; +- +- if (sec >= MAX_SEC_IN_JIFFIES){ +- sec = MAX_SEC_IN_JIFFIES; +- usec = 0; +- } +- return (((u64)sec * SEC_CONVERSION) + +- (((u64)usec * USEC_CONVERSION + USEC_ROUND) >> +- (USEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC; ++ return __timespec_to_jiffies(value->tv_sec, ++ value->tv_usec * NSEC_PER_USEC); + } + EXPORT_SYMBOL(timeval_to_jiffies); + diff --git a/patches/kvm-s390-fix-user-triggerable-bug-in-dead-code.patch b/patches/kvm-s390-fix-user-triggerable-bug-in-dead-code.patch new file mode 100644 index 0000000..753c626 --- /dev/null +++ b/patches/kvm-s390-fix-user-triggerable-bug-in-dead-code.patch 
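Review bot: The rewritten timeval_to_jiffies() evaluates `value->tv_usec * NSEC_PER_USEC` before anything checks the range of tv_usec, so it depends on the same "well formed" assumption that the added timespec comment spells out for tv_nsec. Where `long` is 32 bits, a tv_usec above roughly 2.1 million would overflow that signed multiplication; whether every caller rejects such a timeval first cannot be seen from this hunk. I would state the precondition in the new block comment, e.g. `* Callers must pass a normalized timeval (0 <= tv_usec < USEC_PER_SEC).`, or clamp the value before multiplying. The body of __timespec_to_jiffies() is only partly inside the hunk.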
@@ -0,0 +1,48 @@
+From 614a80e474b227cace52fd6e3c790554db8a396e Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Wed, 6 Aug 2014 16:17:58 +0200
+Subject: KVM: s390: Fix user triggerable bug in dead code
+
+commit 614a80e474b227cace52fd6e3c790554db8a396e upstream.
+
+In the early days, we had some special handling for the
+KVM_EXIT_S390_SIEIC exit, but this was gone in 2009 with commit
+d7b0b5eb3000 (KVM: s390: Make psw available on all exits, not
+just a subset).
+
+Now this switch statement is just a sanity check for userspace
+not messing with the kvm_run structure. Unfortunately, this
+allows userspace to trigger a kernel BUG. Let's just remove
+this switch statement.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+[lizf: Backported to 3.4:
+ - adjust context
+ - no KVM_EXIT_S390_TSCH and KVM_EXIT_DEBUG in 3.4]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ arch/s390/kvm/kvm-s390.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -566,17 +566,6 @@ rerun_vcpu:
+
+ BUG_ON(vcpu->kvm->arch.float_int.local_int[vcpu->vcpu_id] == NULL);
+
+- switch (kvm_run->exit_reason) {
+- case KVM_EXIT_S390_SIEIC:
+- case KVM_EXIT_UNKNOWN:
+- case KVM_EXIT_INTR:
+- case KVM_EXIT_S390_RESET:
+- case KVM_EXIT_S390_UCONTROL:
+- break;
+- default:
+- BUG();
+- }
+-
+ vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask;
+ vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr;
+ if (kvm_run->kvm_dirty_regs & KVM_SYNC_PREFIX) {
diff --git a/patches/libceph-add-process_one_ticket-helper.patch b/patches/libceph-add-process_one_ticket-helper.patch
new file mode 100644
index 0000000..37cf62a
--- /dev/null
+++ b/patches/libceph-add-process_one_ticket-helper.patch
@@ -0,0 +1,275 @@
+From 597cda357716a3cf8d994cb11927af917c8d71fa Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <ilya.dryomov@inktank.com>
+Date: Mon, 8 Sep 2014 17:25:34 +0400
+Subject: libceph: add process_one_ticket() helper
+
+commit 597cda357716a3cf8d994cb11927af917c8d71fa upstream.
+
+Add a helper for processing individual cephx auth tickets. Needed for
+the next commit, which deals with allocating ticket buffers. (Most of
+the diff here is whitespace - view with git diff -b).
+
+Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ net/ceph/auth_x.c | 228 +++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 124 insertions(+), 104 deletions(-)
+
+--- a/net/ceph/auth_x.c
++++ b/net/ceph/auth_x.c
+@@ -129,17 +129,131 @@ static void remove_ticket_handler(struct
+ kfree(th);
+ }
+
++static int process_one_ticket(struct ceph_auth_client *ac,
++ struct ceph_crypto_key *secret,
++ void **p, void *end,
++ void *dbuf, void *ticket_buf)
++{
++ struct ceph_x_info *xi = ac->private;
++ int type;
++ u8 tkt_struct_v, blob_struct_v;
++ struct ceph_x_ticket_handler *th;
++ void *dp, *dend;
++ int dlen;
++ char is_enc;
++ struct timespec validity;
++ struct ceph_crypto_key old_key;
++ void *tp, *tpend;
++ struct ceph_timespec new_validity;
++ struct ceph_crypto_key new_session_key;
++ struct ceph_buffer *new_ticket_blob;
++ unsigned long new_expires, new_renew_after;
++ u64 new_secret_id;
++ int ret;
++
++ ceph_decode_need(p, end, sizeof(u32) + 1, bad);
++
++ type = ceph_decode_32(p);
++ dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
++
++ tkt_struct_v = ceph_decode_8(p);
++ if (tkt_struct_v != 1)
++ goto bad;
++
++ th = get_ticket_handler(ac, type);
++ if (IS_ERR(th)) {
++ ret = PTR_ERR(th);
++ goto out;
++ }
++
++ /* blob for me */
++ dlen = ceph_x_decrypt(secret, p, end, dbuf,
++ TEMP_TICKET_BUF_LEN);
++ if (dlen <= 0) {
++ ret = dlen;
++ goto out;
++ }
++ dout(" decrypted %d bytes\n", dlen);
++ dp = dbuf;
++ dend = dp + dlen;
++
++ tkt_struct_v = ceph_decode_8(&dp);
++ if (tkt_struct_v != 1)
++ goto bad;
++
++ memcpy(&old_key, &th->session_key, sizeof(old_key));
++ ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
++ if (ret)
++ goto out;
++
++ ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
++ ceph_decode_timespec(&validity, &new_validity);
++ new_expires = get_seconds() + validity.tv_sec;
++ new_renew_after = new_expires - (validity.tv_sec / 4);
++ dout(" expires=%lu renew_after=%lu\n", new_expires,
++ new_renew_after);
++
++ /* ticket blob for service */
++ ceph_decode_8_safe(p, end, is_enc, bad);
++ tp = ticket_buf;
++ if (is_enc) {
++ /* encrypted */
++ dout(" encrypted ticket\n");
++ dlen = ceph_x_decrypt(&old_key, p, end, ticket_buf,
++ TEMP_TICKET_BUF_LEN);
++ if (dlen < 0) {
++ ret = dlen;
++ goto out;
++ }
++ dlen = ceph_decode_32(&tp);
++ } else {
++ /* unencrypted */
++ ceph_decode_32_safe(p, end, dlen, bad);
++ ceph_decode_need(p, end, dlen, bad);
++ ceph_decode_copy(p, ticket_buf, dlen);
++ }
++ tpend = tp + dlen;
++ dout(" ticket blob is %d bytes\n", dlen);
++ ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
++ blob_struct_v = ceph_decode_8(&tp);
++ new_secret_id = ceph_decode_64(&tp);
++ ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
++ if (ret)
++ goto out;
++
++ /* all is well, update our ticket */
++ ceph_crypto_key_destroy(&th->session_key);
++ if (th->ticket_blob)
++ ceph_buffer_put(th->ticket_blob);
++ th->session_key = new_session_key;
++ th->ticket_blob = new_ticket_blob;
++ th->validity = new_validity;
++ th->secret_id = new_secret_id;
++ th->expires = new_expires;
++ th->renew_after = new_renew_after;
++ dout(" got ticket service %d (%s) secret_id %lld len %d\n",
++ type, ceph_entity_type_name(type), th->secret_id,
++ (int)th->ticket_blob->vec.iov_len);
++ xi->have_keys |= th->service;
++
++out:
++ return ret;
++
++bad:
++ ret = -EINVAL;
++ goto out;
++}
++
+ static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
+ struct ceph_crypto_key *secret,
+ void *buf, void *end)
+ {
+- struct ceph_x_info *xi = ac->private;
+- int num;
+ void *p = buf;
+- int ret;
+ char *dbuf;
+ char *ticket_buf;
+ u8 reply_struct_v;
++ u32 num;
++ int ret;
+
+ dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
+ if (!dbuf)
+@@ -150,112 +264,18 @@ static int ceph_x_proc_ticket_reply(stru
+ if (!ticket_buf)
+ goto out_dbuf;
+
+- ceph_decode_need(&p, end, 1 + sizeof(u32), bad);
+- reply_struct_v = ceph_decode_8(&p);
++ ceph_decode_8_safe(&p, end, reply_struct_v, bad);
+ if (reply_struct_v != 1)
+- goto bad;
+- num = ceph_decode_32(&p);
+- dout("%d tickets\n", num);
+- while (num--) {
+- int type;
+- u8 tkt_struct_v, blob_struct_v;
+- struct ceph_x_ticket_handler *th;
+- void *dp, *dend;
+- int dlen;
+- char is_enc;
+- struct timespec validity;
+- struct ceph_crypto_key old_key;
+- void *tp, *tpend;
+- struct ceph_timespec new_validity;
+- struct ceph_crypto_key new_session_key;
+- struct ceph_buffer *new_ticket_blob;
+- unsigned long new_expires, new_renew_after;
+- u64 new_secret_id;
+-
+- ceph_decode_need(&p, end, sizeof(u32) + 1, bad);
+-
+- type = ceph_decode_32(&p);
+- dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
+-
+- tkt_struct_v = ceph_decode_8(&p);
+- if (tkt_struct_v != 1)
+- goto bad;
+-
+- th = get_ticket_handler(ac, type);
+- if (IS_ERR(th)) {
+- ret = PTR_ERR(th);
+- goto out;
+- }
+-
+- /* blob for me */
+- dlen = ceph_x_decrypt(secret, &p, end, dbuf,
+- TEMP_TICKET_BUF_LEN);
+- if (dlen <= 0) {
+- ret = dlen;
+- goto out;
+- }
+- dout(" decrypted %d bytes\n", dlen);
+- dend = dbuf + dlen;
+- dp = dbuf;
+-
+- tkt_struct_v = ceph_decode_8(&dp);
+- if (tkt_struct_v != 1)
+- goto bad;
++ return -EINVAL;
+
+- memcpy(&old_key, &th->session_key, sizeof(old_key));
+- ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
+- if (ret)
+- goto out;
++ ceph_decode_32_safe(&p, end, num, bad);
++ dout("%d tickets\n", num);
+
+- ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
+- ceph_decode_timespec(&validity, &new_validity);
+- new_expires = get_seconds() + validity.tv_sec;
+- new_renew_after = new_expires - (validity.tv_sec / 4);
+- dout(" expires=%lu renew_after=%lu\n", new_expires,
+- new_renew_after);
+-
+- /* ticket blob for service */
+- ceph_decode_8_safe(&p, end, is_enc, bad);
+- tp = ticket_buf;
+- if (is_enc) {
+- /* encrypted */
+- dout(" encrypted ticket\n");
+- dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf,
+- TEMP_TICKET_BUF_LEN);
+- if (dlen < 0) {
+- ret = dlen;
+- goto out;
+- }
+- dlen = ceph_decode_32(&tp);
+- } else {
+- /* unencrypted */
+- ceph_decode_32_safe(&p, end, dlen, bad);
+- ceph_decode_need(&p, end, dlen, bad);
+- ceph_decode_copy(&p, ticket_buf, dlen);
+- }
+- tpend = tp + dlen;
+- dout(" ticket blob is %d bytes\n", dlen);
+- ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
+- blob_struct_v = ceph_decode_8(&tp);
+- new_secret_id = ceph_decode_64(&tp);
+- ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
++ while (num--) {
++ ret = process_one_ticket(ac, secret, &p, end,
++ dbuf, ticket_buf);
+ if (ret)
+ goto out;
+-
+- /* all is well, update our ticket */
+- ceph_crypto_key_destroy(&th->session_key);
+- if (th->ticket_blob)
+- ceph_buffer_put(th->ticket_blob);
+- th->session_key = new_session_key;
+- th->ticket_blob = new_ticket_blob;
+- th->validity = new_validity;
+- th->secret_id = new_secret_id;
+- th->expires = new_expires;
+- th->renew_after = new_renew_after;
+- dout(" got ticket service %d (%s) secret_id %lld len %d\n",
+- type, ceph_entity_type_name(type), th->secret_id,
+- (int)th->ticket_blob->vec.iov_len);
+- xi->have_keys |= th->service;
+ }
+
+ ret = 0;
diff --git a/patches/libceph-do-not-hard-code-max-auth-ticket-len.patch b/patches/libceph-do-not-hard-code-max-auth-ticket-len.patch
new file mode 100644
index 0000000..5c5c15d
--- /dev/null
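Review bot: The length decoded by `dlen = ceph_decode_32(&tp);` in the encrypted branch of process_one_ticket() is never compared with the byte count ceph_x_decrypt() just returned, yet `tpend = tp + dlen` is built from it. The following `ceph_decode_need(&tp, tpend, ...)` and ceph_decode_buffer() calls are therefore bounded only by a value taken from the payload, so a malformed ticket could make them read beyond the decrypted data in ticket_buf. Keeping the decrypted end and using the checked decoders closes that: set `tpend = tp + dlen;` straight after the decrypt, then `ceph_decode_32_safe(&tp, tpend, dlen, bad);` and `ceph_decode_need(&tp, tpend, dlen, bad);`. Separately, the new `return -EINVAL;` for `reply_struct_v != 1` in ceph_x_proc_ticket_reply() sits after both kmalloc() calls and skips the cleanup labels the old `goto bad` presumably reached, which looks like a leak of dbuf and ticket_buf.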
+++ b/patches/libceph-do-not-hard-code-max-auth-ticket-len.patch 
@@ -0,0 +1,195 @@ +From c27a3e4d667fdcad3db7b104f75659478e0c68d8 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov <ilya.dryomov@inktank.com> +Date: Tue, 9 Sep 2014 19:39:15 +0400 +Subject: libceph: do not hard code max auth ticket len + +commit c27a3e4d667fdcad3db7b104f75659478e0c68d8 upstream. + +We hard code cephx auth ticket buffer size to 256 bytes. This isn't +enough for any moderate setups and, in case tickets themselves are not +encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but +ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the +buffer is allocated dynamically anyway, allocated it a bit later, at +the point where we know how much is going to be needed. + +Fixes: http://tracker.ceph.com/issues/8979 + +Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> +Reviewed-by: Sage Weil <sage@redhat.com> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + net/ceph/auth_x.c | 64 ++++++++++++++++++++++++------------------------------ + 1 file changed, 29 insertions(+), 35 deletions(-) + +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -13,8 +13,6 @@ + #include "auth_x.h" + #include "auth_x_protocol.h" + +-#define TEMP_TICKET_BUF_LEN 256 +- + static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed); + + static int ceph_x_is_authenticated(struct ceph_auth_client *ac) +@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_cr + } + + static int ceph_x_decrypt(struct ceph_crypto_key *secret, +- void **p, void *end, void *obuf, size_t olen) ++ void **p, void *end, void **obuf, size_t olen) + { + struct ceph_x_encrypt_header head; + size_t head_len = sizeof(head); +@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_cr + return -EINVAL; + + dout("ceph_x_decrypt len %d\n", len); +- ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen, +- *p, len); ++ if (*obuf == NULL) { ++ *obuf = kmalloc(len, GFP_NOFS); ++ if (!*obuf) ++ return -ENOMEM; ++ olen = len; ++ } ++ ++ ret = ceph_decrypt2(secret, &head, 
&head_len, *obuf, &olen, *p, len); + if (ret) + return ret; + if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC) +@@ -131,18 +135,19 @@ static void remove_ticket_handler(struct + + static int process_one_ticket(struct ceph_auth_client *ac, + struct ceph_crypto_key *secret, +- void **p, void *end, +- void *dbuf, void *ticket_buf) ++ void **p, void *end) + { + struct ceph_x_info *xi = ac->private; + int type; + u8 tkt_struct_v, blob_struct_v; + struct ceph_x_ticket_handler *th; ++ void *dbuf = NULL; + void *dp, *dend; + int dlen; + char is_enc; + struct timespec validity; + struct ceph_crypto_key old_key; ++ void *ticket_buf = NULL; + void *tp, *tpend; + struct ceph_timespec new_validity; + struct ceph_crypto_key new_session_key; +@@ -167,8 +172,7 @@ static int process_one_ticket(struct cep + } + + /* blob for me */ +- dlen = ceph_x_decrypt(secret, p, end, dbuf, +- TEMP_TICKET_BUF_LEN); ++ dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0); + if (dlen <= 0) { + ret = dlen; + goto out; +@@ -195,20 +199,25 @@ static int process_one_ticket(struct cep + + /* ticket blob for service */ + ceph_decode_8_safe(p, end, is_enc, bad); +- tp = ticket_buf; + if (is_enc) { + /* encrypted */ + dout(" encrypted ticket\n"); +- dlen = ceph_x_decrypt(&old_key, p, end, ticket_buf, +- TEMP_TICKET_BUF_LEN); ++ dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0); + if (dlen < 0) { + ret = dlen; + goto out; + } ++ tp = ticket_buf; + dlen = ceph_decode_32(&tp); + } else { + /* unencrypted */ + ceph_decode_32_safe(p, end, dlen, bad); ++ ticket_buf = kmalloc(dlen, GFP_NOFS); ++ if (!ticket_buf) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ tp = ticket_buf; + ceph_decode_need(p, end, dlen, bad); + ceph_decode_copy(p, ticket_buf, dlen); + } +@@ -237,6 +246,8 @@ static int process_one_ticket(struct cep + xi->have_keys |= th->service; + + out: ++ kfree(ticket_buf); ++ kfree(dbuf); + return ret; + + bad: +@@ -249,21 +260,10 @@ static int ceph_x_proc_ticket_reply(stru + void *buf, void 
*end) + { + void *p = buf; +- char *dbuf; +- char *ticket_buf; + u8 reply_struct_v; + u32 num; + int ret; + +- dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); +- if (!dbuf) +- return -ENOMEM; +- +- ret = -ENOMEM; +- ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); +- if (!ticket_buf) +- goto out_dbuf; +- + ceph_decode_8_safe(&p, end, reply_struct_v, bad); + if (reply_struct_v != 1) + return -EINVAL; +@@ -272,22 +272,15 @@ static int ceph_x_proc_ticket_reply(stru + dout("%d tickets\n", num); + + while (num--) { +- ret = process_one_ticket(ac, secret, &p, end, +- dbuf, ticket_buf); ++ ret = process_one_ticket(ac, secret, &p, end); + if (ret) +- goto out; ++ return ret; + } + +- ret = 0; +-out: +- kfree(ticket_buf); +-out_dbuf: +- kfree(dbuf); +- return ret; ++ return 0; + + bad: +- ret = -EINVAL; +- goto out; ++ return -EINVAL; + } + + static int ceph_x_build_authorizer(struct ceph_auth_client *ac, +@@ -603,13 +596,14 @@ static int ceph_x_verify_authorizer_repl + struct ceph_x_ticket_handler *th; + int ret = 0; + struct ceph_x_authorize_reply reply; ++ void *preply = &reply; + void *p = au->reply_buf; + void *end = p + sizeof(au->reply_buf); + + th = get_ticket_handler(ac, au->service); + if (IS_ERR(th)) + return PTR_ERR(th); +- ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply)); ++ ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply)); + if (ret < 0) + return ret; + if (ret != sizeof(reply)) diff --git a/patches/libceph-gracefully-handle-large-reply-messages-from-the-mon.patch b/patches/libceph-gracefully-handle-large-reply-messages-from-the-mon.patch new file mode 100644 index 0000000..f137ece --- /dev/null +++ b/patches/libceph-gracefully-handle-large-reply-messages-from-the-mon.patch 
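Review bot: In the unencrypted branch of process_one_ticket() the new `ticket_buf = kmalloc(dlen, GFP_NOFS);` runs before `ceph_decode_need(p, end, dlen, bad);`, so the allocation is sized by an `int` length read from the message that has not yet been compared with the bytes remaining. Moving the `ceph_decode_need(p, end, dlen, bad);` line above the `kmalloc()` rejects an oversized length before anything is allocated. In the encrypted branch, `dlen = ceph_decode_32(&tp);` takes a length from the decrypted blob without comparing it with the size ceph_x_decrypt() returned. The code that consumes it is outside this hunk, but since the buffer is now sized to the ciphertext rather than a fixed 256 bytes, that value looks worth bounding as well.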
@@ -0,0 +1,37 @@
+From 73c3d4812b4c755efeca0140f606f83772a39ce4 Mon Sep 17 00:00:00 2001
+From: Sage Weil <sage@redhat.com>
+Date: Mon, 4 Aug 2014 07:01:54 -0700
+Subject: libceph: gracefully handle large reply messages from the mon
+
+commit 73c3d4812b4c755efeca0140f606f83772a39ce4 upstream.
+
+We preallocate a few of the message types we get back from the mon. If we
+get a larger message than we are expecting, fall back to trying to allocate
+a new one instead of blindly using the one we have.
+
+Signed-off-by: Sage Weil <sage@redhat.com>
+Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>
+[lizf: Backported to 3.4: s/front_alloc_len/front_max/g]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ net/ceph/mon_client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1042,7 +1042,15 @@ static struct ceph_msg *mon_alloc_msg(st
+ if (!m) {
+ pr_info("alloc_msg unknown type %d\n", type);
+ *skip = 1;
++ } else if (front_len > m->front_max) {
++ pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n",
++ front_len, m->front_max,
++ (unsigned int)con->peer_name.type,
++ le64_to_cpu(con->peer_name.num));
++ ceph_msg_put(m);
++ m = ceph_msg_new(type, front_len, GFP_NOFS, false);
+ }
++
+ return m;
+ }
+
diff --git a/patches/libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch b/patches/libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
new file mode 100644
index 0000000..8e1b66b
--- /dev/null
+++ b/patches/libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
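Review bot: The replacement buffer in the new `else if` branch is sized by `front_len`, a value that comes from the incoming message, and no upper bound is applied to it inside this hunk. If the caller does not already cap the front length, this branch is where a limit belongs; mon_alloc_msg() starts outside the hunk, so that cannot be confirmed from here. The `pr_warning()` also fires once per oversized message, so a peer can trigger it repeatedly; `pr_warn_ratelimited(...)` with the same arguments keeps the diagnostic without letting the log be flooded.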
@@ -0,0 +1,49 @@
+From db9bfd64b14a3a8f1868d2164518fdeab1b26ad1 Mon Sep 17 00:00:00 2001
+From: Mike Christie <michaelc@cs.wisc.edu>
+Date: Wed, 3 Sep 2014 00:00:39 -0500
+Subject: libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
+
+commit db9bfd64b14a3a8f1868d2164518fdeab1b26ad1 upstream.
+
+This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
+This function is used by iscsi drivers and userspace to send iscsi PDUs/
+commands. For login commands, we have a set buffer size. For all other
+commands we do not support data buffers.
+
+This was reported by Dan Carpenter here:
+http://www.spinics.net/lists/linux-scsi/msg66838.html
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/scsi/libiscsi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -718,11 +718,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn
+ return NULL;
+ }
+
++ if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) {
++ iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN);
++ return NULL;
++ }
++
+ task = conn->login_task;
+ } else {
+ if (session->state != ISCSI_STATE_LOGGED_IN)
+ return NULL;
+
++ if (data_size != 0) {
++ iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode);
++ return NULL;
++ }
++
+ BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE);
+ BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED);
+
diff --git a/patches/mips-mcount-adjust-stack-pointer-for-static-trace-in-mips32.patch b/patches/mips-mcount-adjust-stack-pointer-for-static-trace-in-mips32.patch
new file mode 100644
index 0000000..d86b655
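Review bot: Neither new `data_size` check has a comment saying what the limit protects, so the link between `ISCSI_DEF_MAX_RECV_SEG_LEN` and the login task's buffer has to be taken from the commit message. A one-line comment above the first check, for example `/* login data goes into a fixed-size buffer; reject anything larger */`, would keep the bound from drifting if that buffer's allocation ever changes. The allocation is not visible in this hunk, so the constant should be confirmed against it. __iscsi_conn_send_pdu() starts and ends outside the hunk.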
--- /dev/null
+++ b/patches/mips-mcount-adjust-stack-pointer-for-static-trace-in-mips32.patch
@@ -0,0 +1,68 @@
+From 8a574cfa2652545eb95595d38ac2a0bb501af0ae Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Tue, 16 Sep 2014 15:55:12 +0100
+Subject: MIPS: mcount: Adjust stack pointer for static trace in MIPS32
+
+commit 8a574cfa2652545eb95595d38ac2a0bb501af0ae upstream.
+
+Every mcount() call in the MIPS 32-bit kernel is done as follows:
+
+[...]
+move at, ra
+jal _mcount
+addiu sp, sp, -8
+[...]
+
+but upon returning from the mcount() function, the stack pointer
+is not adjusted properly. This is explained in details in 58b69401c797
+(MIPS: Function tracer: Fix broken function tracing).
+
+Commit ad8c396936e3 ("MIPS: Unbreak function tracer for 64-bit kernel.)
+fixed the stack manipulation for 64-bit but it didn't fix it completely
+for MIPS32.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/7792/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ arch/mips/kernel/mcount.S | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/mips/kernel/mcount.S
++++ b/arch/mips/kernel/mcount.S
+@@ -119,7 +119,11 @@ NESTED(_mcount, PT_SIZE, ra)
+ nop
+ #endif
+ b ftrace_stub
++#ifdef CONFIG_32BIT
++ addiu sp, sp, 8
++#else
+ nop
++#endif
+
+ static_trace:
+ MCOUNT_SAVE_REGS
+@@ -129,6 +133,9 @@ static_trace:
+ move a1, AT /* arg2: parent's return address */
+
+ MCOUNT_RESTORE_REGS
++#ifdef CONFIG_32BIT
++ addiu sp, sp, 8
++#endif
+ .globl ftrace_stub
+ ftrace_stub:
+ RETURN_BACK
+@@ -177,6 +184,11 @@ NESTED(ftrace_graph_caller, PT_SIZE, ra)
+ jal prepare_ftrace_return
+ nop
+ MCOUNT_RESTORE_REGS
++#ifndef CONFIG_DYNAMIC_FTRACE
++#ifdef CONFIG_32BIT
++ addiu sp, sp, 8
++#endif
++#endif
+ RETURN_BACK
+ END(ftrace_graph_caller)
+
diff --git a/patches/mips-zboot-add-missing-linux-string.h-include.patch b/patches/mips-zboot-add-missing-linux-string.h-include.patch
new file mode 100644
index 0000000..1b856a3
--- /dev/null
+++ b/patches/mips-zboot-add-missing-linux-string.h-include.patch
@@ -0,0 +1,49 @@
+From 29593fd5a8149462ed6fad0d522234facdaee6c8 Mon Sep 17 00:00:00 2001
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 20 Jul 2014 19:58:23 +0200
+Subject: MIPS: ZBOOT: add missing <linux/string.h> include
+
+commit 29593fd5a8149462ed6fad0d522234facdaee6c8 upstream.
+
+Commit dc4d7b37 (MIPS: ZBOOT: gather string functions into string.c)
+moved the string related functions into a separate file, which might
+cause the following build error, depending on the configuration:
+
+| CC arch/mips/boot/compressed/decompress.o
+| In file included from linux/arch/mips/boot/compressed/../../../../lib/decompress_unxz.c:234:0,
+| from linux/arch/mips/boot/compressed/decompress.c:67:
+| linux/arch/mips/boot/compressed/../../../../lib/xz/xz_dec_stream.c: In function 'fill_temp':
+| linux/arch/mips/boot/compressed/../../../../lib/xz/xz_dec_stream.c:162:2: error: implicit declaration of function 'memcpy' [-Werror=implicit-function-declaration]
+| cc1: some warnings being treated as errors
+| linux/scripts/Makefile.build:308: recipe for target 'arch/mips/boot/compressed/decompress.o' failed
+| make[6]: *** [arch/mips/boot/compressed/decompress.o] Error 1
+| linux/arch/mips/Makefile:308: recipe for target 'vmlinuz' failed
+
+It does not fail with the standard configuration, as when
+CONFIG_DYNAMIC_DEBUG is not enabled <linux/string.h> gets included in
+include/linux/dynamic_debug.h. There might be other ways for it to
+get indirectly included.
+
+We can't add the include directly in xz_dec_stream.c as some
+architectures might want to use a different version for the boot/
+directory (see for example arch/x86/boot/string.h).
+
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/7420/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ arch/mips/boot/compressed/decompress.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/boot/compressed/decompress.c
++++ b/arch/mips/boot/compressed/decompress.c
+@@ -13,6 +13,7 @@
+
+ #include <linux/types.h>
+ #include <linux/kernel.h>
++#include <linux/string.h>
+
+ #include <asm/addrspace.h>
+
diff --git a/patches/mm-migrate-close-race-between-migration-completion-and-mprotect.patch b/patches/mm-migrate-close-race-between-migration-completion-and-mprotect.patch
new file mode 100644
index 0000000..c41c5fd
--- /dev/null
+++ b/patches/mm-migrate-close-race-between-migration-completion-and-mprotect.patch
@@ -0,0 +1,42 @@
+From d3cb8bf6081b8b7a2dabb1264fe968fd870fa595 Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mgorman@suse.de>
+Date: Thu, 2 Oct 2014 19:47:41 +0100
+Subject: mm: migrate: Close race between migration completion and mprotect
+
+commit d3cb8bf6081b8b7a2dabb1264fe968fd870fa595 upstream.
+
+A migration entry is marked as write if pte_write was true at the time the
+entry was created. The VMA protections are not double checked when migration
+entries are being removed as mprotect marks write-migration-entries as
+read. It means that potentially we take a spurious fault to mark PTEs write
+again but it's straight-forward. However, there is a race between write
+migrations being marked read and migrations finishing. This potentially
+allows a PTE to be write that should have been read. Close this race by
+double checking the VMA permissions using maybe_mkwrite when migration
+completes.
+
+[torvalds@linux-foundation.org: use maybe_mkwrite]
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+Acked-by: Rik van Riel <riel@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[lizf: Backported to 3.4: adjust context]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ mm/migrate.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -139,8 +139,11 @@ static int remove_migration_pte(struct p
+
+ get_page(new);
+ pte = pte_mkold(mk_pte(new, vma->vm_page_prot));
++
++ /* Recheck VMA as permissions can change since migration started */
+ if (is_write_migration_entry(entry))
+- pte = pte_mkwrite(pte);
++ pte = maybe_mkwrite(pte, vma);
++
+ #ifdef CONFIG_HUGETLB_PAGE
+ if (PageHuge(new))
+ pte = pte_mkhuge(pte);
diff --git a/patches/nfsv4-fix-another-bug-in-the-close-open_downgrade-code.patch b/patches/nfsv4-fix-another-bug-in-the-close-open_downgrade-code.patch
new file mode 100644
index 0000000..a104b88
--- /dev/null
+++ b/patches/nfsv4-fix-another-bug-in-the-close-open_downgrade-code.patch
@@ -0,0 +1,63 @@ +From cd9288ffaea4359d5cfe2b8d264911506aed26a4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@primarydata.com> +Date: Thu, 18 Sep 2014 11:51:32 -0400 +Subject: NFSv4: Fix another bug in the close/open_downgrade code + +commit cd9288ffaea4359d5cfe2b8d264911506aed26a4 upstream. + +James Drew reports another bug whereby the NFS client is now sending +an OPEN_DOWNGRADE in a situation where it should really have sent a +CLOSE: the client is opening the file for O_RDWR, but then trying to +do a downgrade to O_RDONLY, which is not allowed by the NFSv4 spec. + +Reported-by: James Drews <drews@engr.wisc.edu> +Link: http://lkml.kernel.org/r/541AD7E5.8020409@engr.wisc.edu +Fixes: aee7af356e15 (NFSv4: Fix problems with close in the presence...) +Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> +[lizf: Backported to 3.4: adjust context] +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + fs/nfs/nfs4proc.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2063,23 +2063,23 @@ static void nfs4_close_prepare(struct rp + is_rdwr = test_bit(NFS_O_RDWR_STATE, &state->flags); + is_rdonly = test_bit(NFS_O_RDONLY_STATE, &state->flags); + is_wronly = test_bit(NFS_O_WRONLY_STATE, &state->flags); +- /* Calculate the current open share mode */ +- calldata->arg.fmode = 0; +- if (is_rdonly || is_rdwr) +- calldata->arg.fmode |= FMODE_READ; +- if (is_wronly || is_rdwr) +- calldata->arg.fmode |= FMODE_WRITE; + /* Calculate the change in open mode */ ++ calldata->arg.fmode = 0; + if (state->n_rdwr == 0) { +- if (state->n_rdonly == 0) { +- call_close |= is_rdonly || is_rdwr; +- calldata->arg.fmode &= ~FMODE_READ; +- } +- if (state->n_wronly == 0) { +- call_close |= is_wronly || is_rdwr; +- calldata->arg.fmode &= ~FMODE_WRITE; +- } +- } ++ if (state->n_rdonly == 0) ++ call_close |= is_rdonly; ++ else if (is_rdonly) ++ calldata->arg.fmode |= FMODE_READ; ++ 
if (state->n_wronly == 0) ++ call_close |= is_wronly; ++ else if (is_wronly) ++ calldata->arg.fmode |= FMODE_WRITE; ++ } else if (is_rdwr) ++ calldata->arg.fmode |= FMODE_READ|FMODE_WRITE; ++ ++ if (calldata->arg.fmode == 0) ++ call_close |= is_rdwr; ++ + spin_unlock(&state->owner->so_lock); + + if (!call_close) { diff --git a/patches/nilfs2-fix-data-loss-with-mmap.patch b/patches/nilfs2-fix-data-loss-with-mmap.patch new file mode 100644 index 0000000..e9b81a1 --- /dev/null +++ b/patches/nilfs2-fix-data-loss-with-mmap.patch 
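Review bot: The new `} else if (is_rdwr)` arm is left without braces although the `if (state->n_rdwr == 0) {` arm it pairs with is braced; kernel coding style keeps both arms the same, i.e. `} else if (is_rdwr) {` with a closing `}` after the assignment. The final `if (calldata->arg.fmode == 0)` test now carries the CLOSE-versus-downgrade decision but has no comment. Something like `/* no share mode is left to downgrade to, so an open rdwr state must be closed */` above it would make that visible. nfs4_close_prepare() starts and ends outside the hunk.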
@@ -0,0 +1,112 @@ +From 56d7acc792c0d98f38f22058671ee715ff197023 Mon Sep 17 00:00:00 2001 +From: Andreas Rohner <andreas.rohner@gmx.net> +Date: Thu, 25 Sep 2014 16:05:14 -0700 +Subject: nilfs2: fix data loss with mmap() + +commit 56d7acc792c0d98f38f22058671ee715ff197023 upstream. + +This bug leads to reproducible silent data loss, despite the use of +msync(), sync() and a clean unmount of the file system. It is easily +reproducible with the following script: + + ----------------[BEGIN SCRIPT]-------------------- + mkfs.nilfs2 -f /dev/sdb + mount /dev/sdb /mnt + + dd if=/dev/zero bs=1M count=30 of=/mnt/testfile + + umount /mnt + mount /dev/sdb /mnt + CHECKSUM_BEFORE="$(md5sum /mnt/testfile)" + + /root/mmaptest/mmaptest /mnt/testfile 30 10 5 + + sync + CHECKSUM_AFTER="$(md5sum /mnt/testfile)" + umount /mnt + mount /dev/sdb /mnt + CHECKSUM_AFTER_REMOUNT="$(md5sum /mnt/testfile)" + umount /mnt + + echo "BEFORE MMAP:\t$CHECKSUM_BEFORE" + echo "AFTER MMAP:\t$CHECKSUM_AFTER" + echo "AFTER REMOUNT:\t$CHECKSUM_AFTER_REMOUNT" + ----------------[END SCRIPT]-------------------- + +The mmaptest tool looks something like this (very simplified, with +error checking removed): + + ----------------[BEGIN mmaptest]-------------------- + data = mmap(NULL, file_size - file_offset, PROT_READ | PROT_WRITE, + MAP_SHARED, fd, file_offset); + + for (i = 0; i < write_count; ++i) { + memcpy(data + i * 4096, buf, sizeof(buf)); + msync(data, file_size - file_offset, MS_SYNC)) + } + ----------------[END mmaptest]-------------------- + +The output of the script looks something like this: + + BEFORE MMAP: 281ed1d5ae50e8419f9b978aab16de83 /mnt/testfile + AFTER MMAP: 6604a1c31f10780331a6850371b3a313 /mnt/testfile + AFTER REMOUNT: 281ed1d5ae50e8419f9b978aab16de83 /mnt/testfile + +So it is clear, that the changes done using mmap() do not survive a +remount. This can be reproduced a 100% of the time. 
The problem was +introduced in commit 136e8770cd5d ("nilfs2: fix issue of +nilfs_set_page_dirty() for page at EOF boundary"). + +If the page was read with mpage_readpage() or mpage_readpages() for +example, then it has no buffers attached to it. In that case +page_has_buffers(page) in nilfs_set_page_dirty() will be false. +Therefore nilfs_set_file_dirty() is never called and the pages are never +collected and never written to disk. + +This patch fixes the problem by also calling nilfs_set_file_dirty() if the +page has no buffers attached to it. + +[akpm@linux-foundation.org: s/PAGE_SHIFT/PAGE_CACHE_SHIFT/] +Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net> +Tested-by: Andreas Rohner <andreas.rohner@gmx.net> +Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + fs/nilfs2/inode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -24,6 +24,7 @@ + #include <linux/buffer_head.h> + #include <linux/gfp.h> + #include <linux/mpage.h> ++#include <linux/pagemap.h> + #include <linux/writeback.h> + #include <linux/uio.h> + #include "nilfs.h" +@@ -195,10 +196,10 @@ static int nilfs_writepage(struct page * + + static int nilfs_set_page_dirty(struct page *page) + { ++ struct inode *inode = page->mapping->host; + int ret = __set_page_dirty_nobuffers(page); + + if (page_has_buffers(page)) { +- struct inode *inode = page->mapping->host; + unsigned nr_dirty = 0; + struct buffer_head *bh, *head; + +@@ -221,6 +222,10 @@ static int nilfs_set_page_dirty(struct p + + if (nr_dirty) + nilfs_set_file_dirty(inode, nr_dirty); ++ } else if (ret) { ++ unsigned nr_dirty = 1 << (PAGE_CACHE_SHIFT - inode->i_blkbits); ++ ++ nilfs_set_file_dirty(inode, nr_dirty); + } + return ret; + } 
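Review bot: Hoisting `struct inode *inode = page->mapping->host;` to the top of nilfs_set_page_dirty() makes the function dereference `page->mapping` on every call, where the old code did so only inside the `page_has_buffers(page)` branch. If this callback can be reached for a page whose mapping has already been cleared, that is now a NULL dereference before `__set_page_dirty_nobuffers()` gets a chance to reject the page. It is worth confirming that the callers rule this out, or loading the inode only in the two branches that use it. The middle of the function is outside the hunk.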
diff --git a/patches/ocfs2-dlm-do-not-get-resource-spinlock-if-lockres-is-new.patch b/patches/ocfs2-dlm-do-not-get-resource-spinlock-if-lockres-is-new.patch
new file mode 100644
index 0000000..4a84451
--- /dev/null
+++ b/patches/ocfs2-dlm-do-not-get-resource-spinlock-if-lockres-is-new.patch
@@ -0,0 +1,73 @@
+From 5760a97c7143c208fa3a8f8cad0ed7dd672ebd28 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@huawei.com>
+Date: Thu, 25 Sep 2014 16:05:16 -0700
+Subject: ocfs2/dlm: do not get resource spinlock if lockres is new
+
+commit 5760a97c7143c208fa3a8f8cad0ed7dd672ebd28 upstream.
+
+There is a deadlock case which reported by Guozhonghua:
+ https://oss.oracle.com/pipermail/ocfs2-devel/2014-September/010079.html
+
+This case is caused by &res->spinlock and &dlm->master_lock
+misordering in different threads.
+
+It was introduced by commit 8d400b81cc83 ("ocfs2/dlm: Clean up refmap
+helpers"). Since lockres is new, it doesn't not require the
+&res->spinlock. So remove it.
+
+Fixes: 8d400b81cc83 ("ocfs2/dlm: Clean up refmap helpers")
+Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
+Reviewed-by: joyce.xue <xuejiufei@huawei.com>
+Reported-by: Guozhonghua <guozhonghua@h3c.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ fs/ocfs2/dlm/dlmmaster.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmmaster.c
++++ b/fs/ocfs2/dlm/dlmmaster.c
+@@ -653,12 +653,9 @@ void dlm_lockres_clear_refmap_bit(struct
+ clear_bit(bit, res->refmap);
+ }
+
+-
+-void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
++static void __dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
+ struct dlm_lock_resource *res)
+ {
+- assert_spin_locked(&res->spinlock);
+-
+ res->inflight_locks++;
+
+ mlog(0, "%s: res %.*s, inflight++: now %u, %ps()\n", dlm->name,
+@@ -666,6 +663,13 @@ void dlm_lockres_grab_inflight_ref(struc
+ __builtin_return_address(0));
+ }
+
++void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
++ struct dlm_lock_resource *res)
++{
++ assert_spin_locked(&res->spinlock);
++ __dlm_lockres_grab_inflight_ref(dlm, res);
++}
++
+ void dlm_lockres_drop_inflight_ref(struct dlm_ctxt *dlm,
+ struct dlm_lock_resource *res)
+ {
+@@ -855,10 +859,8 @@ lookup:
+ /* finally add the lockres to its hash bucket */
+ __dlm_insert_lockres(dlm, res);
+
+- /* Grab inflight ref to pin the resource */
+- spin_lock(&res->spinlock);
+- dlm_lockres_grab_inflight_ref(dlm, res);
+- spin_unlock(&res->spinlock);
++ /* since this lockres is new it doesn't not require the spinlock */
++ __dlm_lockres_grab_inflight_ref(dlm, res);
+
+ /* get an extra ref on the mle in case this is a BLOCK
+ * if so, the creator of the BLOCK may try to put the last
diff --git a/patches/parisc-only-use-mfast-indirect-calls-option-for-32-bit-kernel-builds.patch b/patches/parisc-only-use-mfast-indirect-calls-option-for-32-bit-kernel-builds.patch
new file mode 100644
index 0000000..2c4fe66
--- /dev/null
+++ b/patches/parisc-only-use-mfast-indirect-calls-option-for-32-bit-kernel-builds.patch
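Review bot: The comment added at the `lookup:` call site says the lockres "doesn't not require the spinlock", a double negative that reads as the opposite of what is meant; `/* since this lockres is new it does not require the spinlock */` is the intended wording. The new `__dlm_lockres_grab_inflight_ref()` also has no comment describing when a caller may skip `res->spinlock`, and the only thing that distinguishes it from the public function is the dropped `assert_spin_locked()`. Because the unlocked call comes right after `__dlm_insert_lockres(dlm, res)`, that comment should name the lock that keeps other threads from reaching the resource at this point. Which lock is held there cannot be seen from the hunk.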
@@ -0,0 +1,47 @@
+From d26a7730b5874a5fa6779c62f4ad7c5065a94723 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 22 Sep 2014 20:54:50 -0400
+Subject: parisc: Only use -mfast-indirect-calls option for 32-bit kernel
+ builds
+
+commit d26a7730b5874a5fa6779c62f4ad7c5065a94723 upstream.
+
+In spite of what the GCC manual says, the -mfast-indirect-calls has
+never been supported in the 64-bit parisc compiler. Indirect calls have
+always been done using function descriptors irrespective of the
+-mfast-indirect-calls option.
+
+Recently, it was noticed that a function descriptor was always requested
+when the -mfast-indirect-calls option was specified. This caused
+problems when the option was used in application code and doesn't make
+any sense because the whole point of the option is to avoid using a
+function descriptor for indirect calls.
+
+Fixing this broke 64-bit kernel builds.
+
+I will fix GCC but for now we need the attached change. This results in
+the same kernel code as before.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ arch/parisc/Makefile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -51,7 +51,12 @@ cflags-y := -pipe
+
+ # These flags should be implied by an hppa-linux configuration, but they
+ # are not in gcc 3.2.
+-cflags-y += -mno-space-regs -mfast-indirect-calls
++cflags-y += -mno-space-regs
++
++# -mfast-indirect-calls is only relevant for 32-bit kernels.
++ifndef CONFIG_64BIT
++cflags-y += -mfast-indirect-calls
++endif
+
+ # Currently we save and restore fpregs on all kernel entry/interruption paths.
+ # If that gets optimized, we might need to disable the use of fpregs in the
diff --git a/patches/percpu-fix-pcpu_alloc_pages-failure-path.patch b/patches/percpu-fix-pcpu_alloc_pages-failure-path.patch
new file mode 100644
index 0000000..eeeaa0d
--- /dev/null
+++ b/patches/percpu-fix-pcpu_alloc_pages-failure-path.patch
@@ -0,0 +1,71 @@ +From 065935a8a960d8896f2fc29dc265452ca0b2f880 Mon Sep 17 00:00:00 2001 +From: Tejun Heo <tj@kernel.org> +Date: Fri, 15 Aug 2014 16:06:06 -0400 +Subject: percpu: fix pcpu_alloc_pages() failure path + +commit f0d279654dea22b7a6ad34b9334aee80cda62cde upstream. +From f0d279654dea22b7a6ad34b9334aee80cda62cde Mon Sep 17 00:00:00 2001 + +When pcpu_alloc_pages() fails midway, pcpu_free_pages() is invoked to +free what has already been allocated. The invocation is across the +whole requested range and pcpu_free_pages() will try to free all +non-NULL pages; unfortunately, this is incorrect as +pcpu_get_pages_and_bitmap(), unlike what its comment suggests, doesn't +clear the pages array and thus the array may have entries from the +previous invocations making the partial failure path free incorrect +pages. + +Fix it by open-coding the partial freeing of the already allocated +pages. + +Signed-off-by: Tejun Heo <tj@kernel.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + mm/percpu-vm.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/mm/percpu-vm.c b/mm/percpu-vm.c +index 405d331..6c055e4 100644 +--- a/mm/percpu-vm.c ++++ b/mm/percpu-vm.c +@@ -108,7 +108,7 @@ static int pcpu_alloc_pages(struct pcpu_chunk *chunk, + int page_start, int page_end) + { + const gfp_t gfp = GFP_KERNEL | __GFP_HIGHMEM | __GFP_COLD; +- unsigned int cpu; ++ unsigned int cpu, tcpu; + int i; + + for_each_possible_cpu(cpu) { +@@ -116,14 +116,23 @@ static int pcpu_alloc_pages(struct pcpu_chunk *chunk, + struct page **pagep = &pages[pcpu_page_idx(cpu, i)]; + + *pagep = alloc_pages_node(cpu_to_node(cpu), gfp, 0); +- if (!*pagep) { +- pcpu_free_pages(chunk, pages, populated, +- page_start, page_end); +- return -ENOMEM; +- } ++ if (!*pagep) ++ goto err; + } + } + return 0; ++ ++err: ++ while (--i >= page_start) ++ __free_page(pages[pcpu_page_idx(cpu, i)]); ++ ++ for_each_possible_cpu(tcpu) { ++ if (tcpu == cpu) ++ break; ++ for (i = 
page_start; i < page_end; i++) ++ __free_page(pages[pcpu_page_idx(tcpu, i)]); ++ } ++ return -ENOMEM; + } + + /** +-- +1.9.1 + diff --git a/patches/percpu-free-percpu-allocation-info-for-uniprocessor-system.patch b/patches/percpu-free-percpu-allocation-info-for-uniprocessor-system.patch new file mode 100644 index 0000000..d1cee06 --- /dev/null +++ b/patches/percpu-free-percpu-allocation-info-for-uniprocessor-system.patch @@ -0,0 +1,29 @@ +From 3189eddbcafcc4d827f7f19facbeddec4424eba8 Mon Sep 17 00:00:00 2001 +From: Honggang Li <enjoymindful@gmail.com> +Date: Tue, 12 Aug 2014 21:36:15 +0800 +Subject: percpu: free percpu allocation info for uniprocessor system + +commit 3189eddbcafcc4d827f7f19facbeddec4424eba8 upstream. + +Currently, only SMP system free the percpu allocation info. +Uniprocessor system should free it too. For example, one x86 UML +virtual machine with 256MB memory, UML kernel wastes one page memory. + +Signed-off-by: Honggang Li <enjoymindful@gmail.com> +Signed-off-by: Tejun Heo <tj@kernel.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + mm/percpu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -1907,6 +1907,8 @@ void __init setup_per_cpu_areas(void) + + if (pcpu_setup_first_chunk(ai, fc) < 0) + panic("Failed to initialize percpu areas."); ++ ++ pcpu_free_alloc_info(ai); + } + + #endif /* CONFIG_SMP */ diff --git a/patches/percpu-perform-tlb-flush-after-pcpu_map_pages-failure.patch b/patches/percpu-perform-tlb-flush-after-pcpu_map_pages-failure.patch new file mode 100644 index 0000000..f1a7182 --- /dev/null +++ b/patches/percpu-perform-tlb-flush-after-pcpu_map_pages-failure.patch 
@@ -0,0 +1,31 @@
+From 849f5169097e1ba35b90ac9df76b5bb6f9c0aabd Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 15 Aug 2014 16:06:10 -0400
+Subject: percpu: perform tlb flush after pcpu_map_pages() failure
+
+commit 849f5169097e1ba35b90ac9df76b5bb6f9c0aabd upstream.
+
+If pcpu_map_pages() fails midway, it unmaps the already mapped pages.
+Currently, it doesn't flush tlb after the partial unmapping. This may
+be okay in most cases as the established mapping hasn't been used at
+that point but it can go wrong and when it goes wrong it'd be
+extremely difficult to track down.
+
+Flush tlb after the partial unmapping.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ mm/percpu-vm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/percpu-vm.c
++++ b/mm/percpu-vm.c
+@@ -272,6 +272,7 @@ err:
+ __pcpu_unmap_pages(pcpu_chunk_addr(chunk, tcpu, page_start),
+ page_end - page_start);
+ }
++ pcpu_post_unmap_tlb_flush(chunk, page_start, page_end);
+ return err;
+ }
+
diff --git a/patches/perf-fix-a-race-condition-in-perf_remove_from_context.patch b/patches/perf-fix-a-race-condition-in-perf_remove_from_context.patch
new file mode 100644
index 0000000..1ef3742
--- /dev/null
+++ b/patches/perf-fix-a-race-condition-in-perf_remove_from_context.patch
@@ -0,0 +1,53 @@
+From 3577af70a2ce4853d58e57d832e687d739281479 Mon Sep 17 00:00:00 2001
+From: Cong Wang <cwang@twopensource.com>
+Date: Tue, 2 Sep 2014 15:27:20 -0700
+Subject: perf: Fix a race condition in perf_remove_from_context()
+
+commit 3577af70a2ce4853d58e57d832e687d739281479 upstream.
+
+We saw a kernel soft lockup in perf_remove_from_context(),
+it looks like the `perf` process, when exiting, could not go
+out of the retry loop. Meanwhile, the target process was forking
+a child. So either the target process should execute the smp
+function call to deactive the event (if it was running) or it should
+do a context switch which deactives the event.
+
+It seems we optimize out a context switch in perf_event_context_sched_out(),
+and what's more important, we still test an obsolete task pointer when
+retrying, so no one actually would deactive that event in this situation.
+Fix it directly by reloading the task pointer in perf_remove_from_context().
+
+This should cure the above soft lockup.
+
+Signed-off-by: Cong Wang <cwang@twopensource.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: http://lkml.kernel.org/r/1409696840-843-1-git-send-email-xiyou.wangcong@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/events/core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1702,6 +1702,16 @@ retry:
+ */
+ if (ctx->is_active) {
+ raw_spin_unlock_irq(&ctx->lock);
++ /*
++ * Reload the task pointer, it might have been changed by
++ * a concurrent perf_event_context_sched_out().
++ */
++ task = ctx->task;
++ /*
++ * Reload the task pointer, it might have been changed by
++ * a concurrent perf_event_context_sched_out().
++ */
++ task = ctx->task;
+ goto retry;
+ }
+
diff --git a/patches/perf-fix-perf-bug-in-fork.patch b/patches/perf-fix-perf-bug-in-fork.patch
new file mode 100644
index 0000000..18bc661
--- /dev/null
+++ b/patches/perf-fix-perf-bug-in-fork.patch
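Review bot: The reload block is added twice in the `retry:` hunk of kernel/events/core.c: the comment and `task = ctx->task;` are immediately followed by an identical comment and a second `task = ctx->task;`, which is also what the diffstat's 10 insertions reflect. Nothing between the two assignments uses `task`, so the second copy is redundant and looks like the change was applied twice while preparing the backport. I would keep a single comment and a single `task = ctx->task;` before `goto retry;` and compare the result with the upstream commit named in the patch header. The enclosing function starts and ends outside the hunk.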
@@ -0,0 +1,62 @@
+From 6c72e3501d0d62fc064d3680e5234f3463ec5a86 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 2 Oct 2014 16:17:02 -0700
+Subject: perf: fix perf bug in fork()
+
+commit 6c72e3501d0d62fc064d3680e5234f3463ec5a86 upstream.
+
+Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by
+calling perf_event_free_task() when failing sched_fork() we will not yet
+have done the memset() on ->perf_event_ctxp[] and will therefore try and
+'free' the inherited contexts, which are still in use by the parent
+process. This is bad..
+
+Suggested-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Sylvain 'ythier' Hitier <sylvain.hitier@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ kernel/events/core.c | 4 +++-
+ kernel/fork.c | 5 +++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7127,8 +7127,10 @@ int perf_event_init_task(struct task_str
+
+ for_each_task_context_nr(ctxn) {
+ ret = perf_event_init_context(child, ctxn);
+- if (ret)
++ if (ret) {
++ perf_event_free_task(child);
+ return ret;
++ }
+ }
+
+ return 0;
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1285,7 +1285,7 @@ static struct task_struct *copy_process(
+ goto bad_fork_cleanup_policy;
+ retval = audit_alloc(p);
+ if (retval)
+- goto bad_fork_cleanup_policy;
++ goto bad_fork_cleanup_perf;
+ /* copy all the process information */
+ retval = copy_semundo(clone_flags, p);
+ if (retval)
+@@ -1480,8 +1480,9 @@ bad_fork_cleanup_semundo:
+ exit_sem(p);
+ bad_fork_cleanup_audit:
+ audit_free(p);
+-bad_fork_cleanup_policy:
++bad_fork_cleanup_perf:
+ perf_event_free_task(p);
++bad_fork_cleanup_policy:
+ #ifdef CONFIG_NUMA
+
mpol_put(p->mempolicy);
+ bad_fork_cleanup_cgroup:
diff --git a/patches/regmap-fix-handling-of-volatile-registers-for-format_write-chips.patch b/patches/regmap-fix-handling-of-volatile-registers-for-format_write-chips.patch
new file mode 100644
index 0000000..89b5618
--- /dev/null
+++ b/patches/regmap-fix-handling-of-volatile-registers-for-format_write-chips.patch
@@ -0,0 +1,36 @@
+From 5844a8b9d98ec11ce1d77610daacf3f0a0e14715 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@linaro.org>
+Date: Tue, 26 Aug 2014 12:12:17 +0100
+Subject: regmap: Fix handling of volatile registers for format_write() chips
+
+commit 5844a8b9d98ec11ce1d77610daacf3f0a0e14715 upstream.
+
+A previous over-zealous factorisation of code means that we only treat
+registers as volatile if they are readable. For most devices this is fine
+since normally most registers can be read and volatility implies
+readability but for format_write() devices where there is no readback from
+the hardware and we use volatility to mean simply uncacheability this means
+that we end up treating all registers as cacheble.
+
+A bigger refactoring of the code to clarify this is in order but as a fix
+make a minimal change and only check readability when checking volatility
+if there is no format_write() operation defined for the device.
+
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Tested-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -48,7 +48,7 @@ bool regmap_readable(struct regmap *map,
+
+ bool regmap_volatile(struct regmap *map, unsigned int reg)
+ {
+- if (!regmap_readable(map, reg))
++ if (!map->format.format_write && !regmap_readable(map, reg))
+ return false;
+
+ if (map->volatile_reg)
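Review bot: The new condition in regmap_volatile() carries no comment, and `!map->format.format_write && !regmap_readable(map, reg)` is hard to read correctly once the commit message is no longer at hand. I would add a comment above it along the lines of `/* format_write() devices have no readback; volatile there only means uncacheable, so skip the readable check */`. The message itself describes this as a minimal fix ahead of a larger refactoring, so the comment also marks the place to revisit. The body of regmap_volatile() continues past the end of the hunk.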
diff --git a/patches/regulatory-add-nul-to-alpha2.patch b/patches/regulatory-add-nul-to-alpha2.patch
new file mode 100644
index 0000000..4e98ed8
--- /dev/null
+++ b/patches/regulatory-add-nul-to-alpha2.patch
@@ -0,0 +1,33 @@
+From a5fe8e7695dc3f547e955ad2b662e3e72969e506 Mon Sep 17 00:00:00 2001
+From: Eliad Peller <eliad@wizery.com>
+Date: Wed, 11 Jun 2014 10:23:35 +0300
+Subject: regulatory: add NUL to alpha2
+
+commit a5fe8e7695dc3f547e955ad2b662e3e72969e506 upstream.
+
+alpha2 is defined as 2-chars array, but is used in multiple
+places as string (e.g. with nla_put_string calls), which
+might leak kernel data.
+
+Solve it by simply adding an extra char for the NULL
+terminator, making such operations safe.
+
+Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[lizf: Backported to 3.4: adjust context]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ include/net/regulatory.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/regulatory.h
++++ b/include/net/regulatory.h
+@@ -97,7 +97,7 @@ struct ieee80211_reg_rule {
+
+ struct ieee80211_regdomain {
+ u32 n_reg_rules;
+- char alpha2[2];
++ char alpha2[3];
+ u8 dfs_region;
+ struct ieee80211_reg_rule reg_rules[];
+ };
diff --git a/patches/rtlwifi-rtl8192cu-add-new-id.patch b/patches/rtlwifi-rtl8192cu-add-new-id.patch
new file mode 100644
index 0000000..d7b04e2
--- /dev/null
+++ b/patches/rtlwifi-rtl8192cu-add-new-id.patch
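Review bot: Widening `alpha2` to three bytes in struct ieee80211_regdomain only gives a terminated string if the third byte is actually zero, and nothing in this hunk establishes that. Code that copies two characters into the field leaves `alpha2[2]` at whatever the allocation held, so the fix presumably depends on every regdomain being zero-allocated or statically initialised; since the context was adjusted for 3.4, that is worth confirming in this tree. I would record the invariant on the field itself, `char alpha2[3]; /* two-letter code plus NUL; alpha2[2] must stay '\0' */`. Any caller outside this hunk that sizes a copy or comparison with `sizeof(alpha2)` now covers three bytes rather than two and should be checked as well.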
@@ -0,0 +1,28 @@
+From c66517165610b911e4c6d268f28d8c640832dbd1 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 24 Aug 2014 17:49:43 -0500
+Subject: rtlwifi: rtl8192cu: Add new ID
+
+commit c66517165610b911e4c6d268f28d8c640832dbd1 upstream.
+
+The Sitecom WLA-2102 adapter uses this driver.
+
+Reported-by: Nico Baggus <nico-linux@noci.xs4all.nl>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Nico Baggus <nico-linux@noci.xs4all.nl>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -306,6 +306,7 @@ static struct usb_device_id rtl8192c_usb
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
+ {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
++ {RTL_USB_DEVICE(0x0df6, 0x0070, rtl92cu_hal_cfg)}, /*Sitecom - 150N */
+ {RTL_USB_DEVICE(0x0df6, 0x0077, rtl92cu_hal_cfg)}, /*Sitecom-WLA2100V2*/
+ {RTL_USB_DEVICE(0x0eb0, 0x9071, rtl92cu_hal_cfg)}, /*NO Brand - Etop*/
+ {RTL_USB_DEVICE(0x4856, 0x0091, rtl92cu_hal_cfg)}, /*NetweeN - Feixun*/
diff --git a/patches/sched-add-macros-to-define-bitops-for-task-atomic-flags.patch b/patches/sched-add-macros-to-define-bitops-for-task-atomic-flags.patch
new file mode 100644
index 0000000..88968c8
--- /dev/null
+++ b/patches/sched-add-macros-to-define-bitops-for-task-atomic-flags.patch
@@ -0,0 +1,88 @@
+From e0e5070b20e01f0321f97db4e4e174f3f6b49e50 Mon Sep 17 00:00:00 2001
+From: Zefan Li <lizefan@huawei.com>
+Date: Thu, 25 Sep 2014 09:40:40 +0800
+Subject: sched: add macros to define bitops for task atomic flags
+
+commit e0e5070b20e01f0321f97db4e4e174f3f6b49e50 upstream.
+
+This will simplify code when we add new flags.
+
+v3:
+- Kees pointed out that no_new_privs should never be cleared, so we
+shouldn't define task_clear_no_new_privs(). we define 3 macros instead
+of a single one.
+
+v2:
+- updated scripts/tags.sh, suggested by Peter
+
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Miao Xie <miaox@cn.fujitsu.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+[lizf: Backported to 3.4:
+ - adjust context
+ - remove no_new_priv code
+ - add atomic_flags to struct task_struct]
+---
+ include/linux/sched.h | 13 +++++++++++++
+ scripts/tags.sh | 10 ++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1359,6 +1359,7 @@ struct task_struct {
+ /* IRQ handler threads */
+ unsigned irq_thread:1;
+ #endif
++ unsigned long atomic_flags; /* Flags needing atomic access. */
+
+ pid_t pid;
+ pid_t tgid;
+@@ -1866,6 +1867,18 @@ extern void thread_group_times(struct ta
+ #define tsk_used_math(p) ((p)->flags & PF_USED_MATH)
+ #define used_math() tsk_used_math(current)
+
++/* Per-process atomic flags.
*/
++
++#define TASK_PFA_TEST(name, func) \
++ static inline bool task_##func(struct task_struct *p) \
++ { return test_bit(PFA_##name, &p->atomic_flags); }
++#define TASK_PFA_SET(name, func) \
++ static inline void task_set_##func(struct task_struct *p) \
++ { set_bit(PFA_##name, &p->atomic_flags); }
++#define TASK_PFA_CLEAR(name, func) \
++ static inline void task_clear_##func(struct task_struct *p) \
++ { clear_bit(PFA_##name, &p->atomic_flags); }
++
+ /*
+ * task->jobctl flags
+ */
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -153,7 +153,10 @@ exuberant()
+ --regex-c++='/CLEARPAGEFLAG_NOOP\(([^,)]*).*/ClearPage\1/' \
+ --regex-c++='/__CLEARPAGEFLAG_NOOP\(([^,)]*).*/__ClearPage\1/' \
+ --regex-c++='/TESTCLEARFLAG_FALSE\(([^,)]*).*/TestClearPage\1/' \
+- --regex-c++='/__TESTCLEARFLAG_FALSE\(([^,)]*).*/__TestClearPage\1/'
++ --regex-c++='/__TESTCLEARFLAG_FALSE\(([^,)]*).*/__TestClearPage\1/'\
++ --regex-c++='/TASK_PFA_TEST\([^,]*,\s*([^)]*)\)/task_\1/' \
++ --regex-c++='/TASK_PFA_SET\([^,]*,\s*([^)]*)\)/task_set_\1/' \
++ --regex-c++='/TASK_PFA_CLEAR\([^,]*,\s*([^)]*)\)/task_clear_\1/'
+
+ all_kconfigs | xargs $1 -a \
+ --langdef=kconfig --language-force=kconfig \
+@@ -195,7 +198,10 @@ emacs()
+ --regex='/CLEARPAGEFLAG_NOOP\(([^,)]*).*/ClearPage\1/' \
+ --regex='/__CLEARPAGEFLAG_NOOP\(([^,)]*).*/__ClearPage\1/' \
+ --regex='/TESTCLEARFLAG_FALSE\(([^,)]*).*/TestClearPage\1/' \
+- --regex='/__TESTCLEARFLAG_FALSE\(([^,)]*).*/__TestClearPage\1/'
++ --regex='/__TESTCLEARFLAG_FALSE\(([^,)]*).*/__TestClearPage\1/'\
++ --regex='/TASK_PFA_TEST\([^,]*,\s*([^)]*)\)/task_\1/' \
++ --regex='/TASK_PFA_SET\([^,]*,\s*([^)]*)\)/task_set_\1/' \
++ --regex='/TASK_PFA_CLEAR\([^,]*,\s*([^)]*)\)/task_clear_\1/'
+
+ all_kconfigs | xargs $1 -a \
+ --regex='/^[ \t]*\(\(menu\)*config\)[ \t]+\([a-zA-Z0-9_]+\)/\3/'
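Review bot: The comment above the new TASK_PFA_* macros in include/linux/sched.h says only `/* Per-process atomic flags. */`, while the reason for three separate generators is recorded solely in the commit message (a flag such as no_new_privs must never get a clear accessor). I would extend the comment to state that each flag instantiates only the accessors it may legitimately have, and that TASK_PFA_CLEAR must not be instantiated for one-way flags. The macros also expand to `PFA_##name` bit numbers that are not defined anywhere in this patch, so a short note saying where those constants are expected to be declared would help whoever touches this backport next.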
diff --git a/patches/sched-fix-unreleased-llc_shared_mask-bit-during-cpu-hotplug.patch b/patches/sched-fix-unreleased-llc_shared_mask-bit-during-cpu-hotplug.patch
new file mode 100644
index 0000000..fe392c8
--- /dev/null
+++ b/patches/sched-fix-unreleased-llc_shared_mask-bit-during-cpu-hotplug.patch
@@ -0,0 +1,117 @@
+From 03bd4e1f7265548832a76e7919a81f3137c44fd1 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@linux.intel.com>
+Date: Wed, 24 Sep 2014 16:38:05 +0800
+Subject: sched: Fix unreleased llc_shared_mask bit during CPU hotplug
+
+commit 03bd4e1f7265548832a76e7919a81f3137c44fd1 upstream.
+
+The following bug can be triggered by hot adding and removing a large number of
+xen domain0's vcpus repeatedly:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: [..] find_busiest_group
+ PGD 5a9d5067 PUD 13067 PMD 0
+ Oops: 0000 [#3] SMP
+ [...]
+ Call Trace:
+ load_balance
+ ? _raw_spin_unlock_irqrestore
+ idle_balance
+ __schedule
+ schedule
+ schedule_timeout
+ ? lock_timer_base
+ schedule_timeout_uninterruptible
+ msleep
+ lock_device_hotplug_sysfs
+ online_store
+ dev_attr_store
+ sysfs_write_file
+ vfs_write
+ SyS_write
+ system_call_fastpath
+
+Last level cache shared mask is built during CPU up and the
+build_sched_domain() routine takes advantage of it to setup
+the sched domain CPU topology.
+
+However, llc_shared_mask is not released during CPU disable,
+which leads to an invalid sched domainCPU topology.
+
+This patch fix it by releasing the llc_shared_mask correctly
+during CPU disable.
+
+Yasuaki also reported that this can happen on real hardware:
+
+ https://lkml.org/lkml/2014/7/22/1018
+
+His case is here:
+
+ ==
+ Here is an example on my system.
+ My system has 4 sockets and each socket has 15 cores and HT is
+ enabled. In this case, each core of sockes is numbered as
+ follows:
+
+ | CPU#
+ Socket#0 | 0-14 , 60-74
+ Socket#1 | 15-29, 75-89
+ Socket#2 | 30-44, 90-104
+ Socket#3 | 45-59, 105-119
+
+ Then llc_shared_mask of CPU#30 has 0x3fff80000001fffc0000000.
+
+ It means that last level cache of Socket#2 is shared with
+ CPU#30-44 and 90-104.
+
+ When hot-removing socket#2 and #3, each core of sockets is
+ numbered as follows:
+
+ | CPU#
+ Socket#0 | 0-14 , 60-74
+ Socket#1 | 15-29, 75-89
+
+ But llc_shared_mask is not cleared. So llc_shared_mask of CPU#30
+ remains having 0x3fff80000001fffc0000000.
+
+ After that, when hot-adding socket#2 and #3, each core of
+ sockets is numbered as follows:
+
+ | CPU#
+ Socket#0 | 0-14 , 60-74
+ Socket#1 | 15-29, 75-89
+ Socket#2 | 30-59
+ Socket#3 | 90-119
+
+ Then llc_shared_mask of CPU#30 becomes
+ 0x3fff8000fffffffc0000000. It means that last level cache of
+ Socket#2 is shared with CPU#30-59 and 90-104. So the mask has
+ the wrong value.
+
+Signed-off-by: Wanpeng Li <wanpeng.li@linux.intel.com>
+Tested-by: Linn Crosetto <linn@hp.com>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Toshi Kani <toshi.kani@hp.com>
+Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Steven Rostedt <srostedt@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1411547885-48165-1-git-send-email-wanpeng.li@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ arch/x86/kernel/smpboot.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1248,6 +1248,9 @@ static void remove_siblinginfo(int cpu)
+
+ for_each_cpu(sibling, cpu_sibling_mask(cpu))
+ cpumask_clear_cpu(cpu, cpu_sibling_mask(sibling));
++ for_each_cpu(sibling, cpu_llc_shared_mask(cpu))
++ cpumask_clear_cpu(cpu, cpu_llc_shared_mask(sibling));
++ cpumask_clear(cpu_llc_shared_mask(cpu));
+ cpumask_clear(cpu_sibling_mask(cpu));
+ cpumask_clear(cpu_core_mask(cpu));
+ c->phys_proc_id = 0;
diff --git a/patches/series b/patches/series
new file mode 100644
index 0000000..7414bc1
--- /dev/null
+++ b/patches/series
@@ -0,0 +1,74 @@
+kvm-s390-fix-user-triggerable-bug-in-dead-code.patch
+regmap-fix-handling-of-volatile-registers-for-format_write-chips.patch
+drm-i915-remove-bogus-__init-annotation-from-dmi-callbacks.patch
+get-rid-of-propagate_umount-mistakenly-treating-slaves-as-busy.patch
+drm-vmwgfx-fix-a-potential-infinite-spin-waiting-for-fifo-idle.patch
+xfs-don-t-dirty-buffers-beyond-eof.patch
+alsa-hda-fix-coef-setups-for-alc1150-codec.patch
+acpi-cpuidle-fix-deadlock-between-cpuidle_lock-and-cpu_hotplug.lock.patch
+regulatory-add-nul-to-alpha2.patch
+percpu-fix-pcpu_alloc_pages-failure-path.patch
+percpu-perform-tlb-flush-after-pcpu_map_pages-failure.patch
+percpu-free-percpu-allocation-info-for-uniprocessor-system.patch
+cgroup-reject-cgroup-names-with.patch
+rtlwifi-rtl8192cu-add-new-id.patch
+ahci-add-device-ids-for-intel-9-series-pch.patch
+ata_piix-add-device-ids-for-intel-9-series-pch.patch
+usb-ftdi_sio-add-support-for-novitus-bono-e-thermal-printer.patch
+usb-sierra-avoid-cdc-class-functions-on-68a3-devices.patch
+usb-sierra-add-1199-68aa-device-id.patch
+xen-manage-always-freeze-thaw-processes-when-suspend-resuming.patch
+block-fix-dev_t-minor-allocation-lifetime.patch
+usb-dwc3-core-fix-order-of-pm-runtime-calls.patch
+ahci-add-pcid-for-marvel-0x9182-controller.patch
+drm-radeon-add-connector-quirk-for-fujitsu-board.patch
+usb-host-xhci-fix-compliance-mode-workaround.patch
+input-elantech-fix-detection-of-touchpad-on-asus-s301l.patch
+usb-ftdi_sio-add-support-for-ge-healthcare-nemo-tracker-device.patch
+uwb-init-beacon-cache-entry-before-registering-uwb-device.patch
+input-synaptics-add-support-for-forcepads.patch
+libceph-gracefully-handle-large-reply-messages-from-the-mon.patch
+libceph-add-process_one_ticket-helper.patch
+libceph-do-not-hard-code-max-auth-ticket-len.patch
+input-serport-add-compat-handling-for-spiocstype-ioctl.patch
+usb-hub-take-hub-hdev-reference-when-processing-from-eventlist.patch
+storage-add-single-lun-quirk-for-jaz-usb-adapter.patch
+xhci-fix-null-pointer-dereference-if-xhci-initialization-fails.patch
+futex-unlock-hb-lock-in-futex_wait_requeue_pi-error-path.patch
+alarmtimer-return-relative-times-in-timer_gettime.patch
+alarmtimer-do-not-signal-sigev_none-timers.patch
+alarmtimer-lock-k_itimer-during-timer-callback.patch
+don-t-bugger-nd-seq-on-set_root_rcu-from-follow_dotdot_rcu.patch
+jiffies-fix-timeval-conversion-to-jiffies.patch
+mips-zboot-add-missing-linux-string.h-include.patch
+perf-fix-a-race-condition-in-perf_remove_from_context.patch
+asoc-samsung-i2s-check-secondary-dai-exists-before-referencing.patch
+input-i8042-add-fujitsu-u574-to-no_timeout-dmi-table.patch
+input-i8042-add-nomux-quirk-for-avatar-aviu-145a6.patch
+iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
+iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
+nfsv4-fix-another-bug-in-the-close-open_downgrade-code.patch
+libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
+usb-storage-add-quirk-for-adaptec-usbconnect-2000-usb-to-scsi-adapter.patch
+usb-storage-add-quirk-for-ariston-technologies-iconnect-usb-to-scsi-adapter.patch
+usb-storage-add-quirks-for-entrega-xircom-usb-to-scsi-converters.patch
+can-flexcan-mark-tx-mailbox-as-tx_inactive.patch
+can-flexcan-correctly-initialize-mailboxes.patch
+can-flexcan-implement-workaround-for-errata-err005829.patch
+can-flexcan-put-tx-mailbox-into-tx_inactive-mode-after-tx-complete.patch
+can-at91_can-add-missing-prepare-and-unprepare-of-the-clock.patch
+alsa-pcm-fix-fifo_size-frame-calculation.patch
+fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch
+parisc-only-use-mfast-indirect-calls-option-for-32-bit-kernel-builds.patch
+sched-fix-unreleased-llc_shared_mask-bit-during-cpu-hotplug.patch
+sched-add-macros-to-define-bitops-for-task-atomic-flags.patch
+cpuset-pf_spread_page-and-pf_spread_slab-should-be-atomic-flags.patch
+mips-mcount-adjust-stack-pointer-for-static-trace-in-mips32.patch
+nilfs2-fix-data-loss-with-mmap.patch
+ocfs2-dlm-do-not-get-resource-spinlock-if-lockres-is-new.patch
+shmem-fix-nlink-for-rename-overwrite-directory.patch
+arm-8165-1-alignment-don-t-break-misaligned-neon-load-store.patch
+asoc-core-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
+mm-migrate-close-race-between-migration-completion-and-mprotect.patch
+perf-fix-perf-bug-in-fork.patch
+init-kconfig-hide-printk-log-config-if-config_printk-n.patch
diff --git a/patches/shmem-fix-nlink-for-rename-overwrite-directory.patch b/patches/shmem-fix-nlink-for-rename-overwrite-directory.patch
new file mode 100644
index 0000000..b7c3b84
--- /dev/null
+++ b/patches/shmem-fix-nlink-for-rename-overwrite-directory.patch
@@ -0,0 +1,74 @@
+From b928095b0a7cff7fb9fcf4c706348ceb8ab2c295 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Wed, 24 Sep 2014 17:56:17 +0200
+Subject: shmem: fix nlink for rename overwrite directory
+
+commit b928095b0a7cff7fb9fcf4c706348ceb8ab2c295 upstream.
+
+If overwriting an empty directory with rename, then need to drop the extra
+nlink.
+
+Test prog:
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <err.h>
+#include <sys/stat.h>
+
+int main(void)
+{
+ const char *test_dir1 = "test-dir1";
+ const char *test_dir2 = "test-dir2";
+ int res;
+ int fd;
+ struct stat statbuf;
+
+ res = mkdir(test_dir1, 0777);
+ if (res == -1)
+ err(1, "mkdir(\"%s\")", test_dir1);
+
+ res = mkdir(test_dir2, 0777);
+ if (res == -1)
+ err(1, "mkdir(\"%s\")", test_dir2);
+
+ fd = open(test_dir2, O_RDONLY);
+ if (fd == -1)
+ err(1, "open(\"%s\")", test_dir2);
+
+ res = rename(test_dir1, test_dir2);
+ if (res == -1)
+ err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);
+
+ res = fstat(fd, &statbuf);
+ if (res == -1)
+ err(1, "fstat(%i)", fd);
+
+ if (statbuf.st_nlink != 0) {
+ fprintf(stderr, "nlink is %lu, should be 0\n", statbuf.st_nlink);
+ return 1;
+ }
+
+ return 0;
+}
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ mm/shmem.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1725,8 +1725,10 @@ static int shmem_rename(struct inode *ol
+
+ if (new_dentry->d_inode) {
+ (void) shmem_unlink(new_dir, new_dentry);
+- if (they_are_dirs)
++ if (they_are_dirs) {
++ drop_nlink(new_dentry->d_inode);
+ drop_nlink(old_dir);
++ }
+ } else if (they_are_dirs) {
+ drop_nlink(old_dir);
+ inc_nlink(new_dir);
diff --git a/patches/storage-add-single-lun-quirk-for-jaz-usb-adapter.patch b/patches/storage-add-single-lun-quirk-for-jaz-usb-adapter.patch
new file mode 100644
index 0000000..d486e09
--- /dev/null
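Review bot: The `drop_nlink(new_dentry->d_inode);` added in shmem_rename() reads like a double decrement, because the `shmem_unlink(new_dir, new_dentry)` call just above it is the only other visible operation on the overwritten inode's link count. A one-line comment above the new call would make the intent clear, for example `/* an overwritten directory holds an extra link that shmem_unlink() does not drop */`; the wording assumes shmem_unlink() removes a single link, which should be confirmed against its body. The result of shmem_unlink() is still discarded with `(void)`, so the new decrement runs whatever that call returned, and it would help to state why that is safe here. shmem_rename() starts and ends outside the hunk.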
+++ b/patches/storage-add-single-lun-quirk-for-jaz-usb-adapter.patch
@@ -0,0 +1,39 @@
+From c66f1c62e85927357e7b3f4c701614dcb5c498a2 Mon Sep 17 00:00:00 2001
+From: Mark <markk@clara.co.uk>
+Date: Thu, 11 Sep 2014 13:15:45 +0100
+Subject: storage: Add single-LUN quirk for Jaz USB Adapter
+
+commit c66f1c62e85927357e7b3f4c701614dcb5c498a2 upstream.
+
+The Iomega Jaz USB Adapter is a SCSI-USB converter cable. The hardware
+seems to be identical to e.g. the Microtech XpressSCSI, using a Shuttle/
+SCM chip set. However its firmware restricts it to only work with Jaz
+drives.
+
+On connecting the cable a message like this appears four times in the log:
+ reset full speed USB device number 4 using uhci_hcd
+
+That's non-fatal but the US_FL_SINGLE_LUN quirk fixes it.
+
+Signed-off-by: Mark Knibbs <markk@clara.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/usb/storage/unusual_devs.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -733,6 +733,12 @@ UNUSUAL_DEV( 0x059b, 0x0001, 0x0100, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_SINGLE_LUN ),
+
++UNUSUAL_DEV( 0x059b, 0x0040, 0x0100, 0x0100,
++ "Iomega",
++ "Jaz USB Adapter",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_SINGLE_LUN ),
++
+ /* Reported by <Hendryk.Pfeiffer@gmx.de> */
+ UNUSUAL_DEV( 0x059f, 0x0643, 0x0000, 0x0000,
+ "LaCie",
diff --git a/patches/usb-dwc3-core-fix-order-of-pm-runtime-calls.patch b/patches/usb-dwc3-core-fix-order-of-pm-runtime-calls.patch
new file mode 100644
index 0000000..359ad11
--- /dev/null
+++ b/patches/usb-dwc3-core-fix-order-of-pm-runtime-calls.patch
@@ -0,0 +1,47 @@
+From fed33afce0eda44a46ae24d93aec1b5198c0bac4 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Tue, 2 Sep 2014 14:57:20 -0500
+Subject: usb: dwc3: core: fix order of PM runtime calls
+
+commit fed33afce0eda44a46ae24d93aec1b5198c0bac4 upstream.
+
+Currently, we disable pm_runtime before all register
+accesses are done, this is dangerous and might lead
+to abort exceptions due to the driver trying to access
+a register which is clocked by a clock which was long
+gated.
+
+Fix that by moving pm_runtime_put_sync() and pm_runtime_disable()
+as the last thing we do before returning from our ->remove()
+method.
+
+Fixes: 72246da (usb: Introduce DesignWare USB3 DRD Driver)
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+[lizf: Backported to 3.4: adjust context]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/usb/dwc3/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -563,9 +563,6 @@ static int __devexit dwc3_remove(struct
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+
+- pm_runtime_put(&pdev->dev);
+- pm_runtime_disable(&pdev->dev);
+-
+ dwc3_debugfs_exit(dwc);
+
+ switch (dwc->mode) {
+@@ -586,6 +583,9 @@ static int __devexit dwc3_remove(struct
+
+ dwc3_core_exit(dwc);
+
++ pm_runtime_put(&pdev->dev);
++ pm_runtime_disable(&pdev->dev);
++
+ return 0;
+ }
+
diff --git a/patches/usb-ftdi_sio-add-support-for-ge-healthcare-nemo-tracker-device.patch b/patches/usb-ftdi_sio-add-support-for-ge-healthcare-nemo-tracker-device.patch
new file mode 100644
index 0000000..fa8259a
--- /dev/null
+++ b/patches/usb-ftdi_sio-add-support-for-ge-healthcare-nemo-tracker-device.patch
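Review bot: The lines moved to the end of dwc3_remove() call `pm_runtime_put(&pdev->dev)`, whereas the commit message describes moving `pm_runtime_put_sync()`. pm_runtime_put() only queues the idle request, and the `pm_runtime_disable()` on the next line may cancel that request before it runs, which would leave the device's runtime-PM state active after remove. If the synchronous behaviour named in the message is what this backport intends, the first moved line would read `pm_runtime_put_sync(&pdev->dev);`. The context was adjusted by hand for 3.4, so this may simply mirror what the older tree already had, and that is worth confirming.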
@@ -0,0 +1,40 @@
+From 9c491c372d677b6420e0f8c6361fe422791662cc Mon Sep 17 00:00:00 2001
+From: Taylor Braun-Jones <taylor.braun-jones@ge.com>
+Date: Thu, 7 Aug 2014 14:25:06 -0400
+Subject: USB: ftdi_sio: Add support for GE Healthcare Nemo Tracker device
+
+commit 9c491c372d677b6420e0f8c6361fe422791662cc upstream.
+
+Signed-off-by: Taylor Braun-Jones <taylor.braun-jones@ge.com>
+Cc: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[lizf: Backported to 3.4: adjust context]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -960,6 +960,8 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_4_PID) },
+ /* ekey Devices */
+ { USB_DEVICE(FTDI_VID, FTDI_EKEY_CONV_USB_PID) },
++ /* GE Healthcare devices */
++ { USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) },
+ { }, /* Optional parameter entry */
+ { } /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1382,3 +1382,9 @@
+ * ekey biometric systems GmbH (http://ekey.net/)
+ */
+ #define FTDI_EKEY_CONV_USB_PID 0xCB08 /* Converter USB */
++
++/*
++ * GE Healthcare devices
++ */
++#define GE_HEALTHCARE_VID 0x1901
++#define GE_HEALTHCARE_NEMO_TRACKER_PID 0x0015
diff --git a/patches/usb-ftdi_sio-add-support-for-novitus-bono-e-thermal-printer.patch b/patches/usb-ftdi_sio-add-support-for-novitus-bono-e-thermal-printer.patch
new file mode 100644
index 0000000..22bba54
--- /dev/null
+++ b/patches/usb-ftdi_sio-add-support-for-novitus-bono-e-thermal-printer.patch
@@ -0,0 +1,42 @@
+From ee444609dbae8afee420c3243ce4c5f442efb622 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 18 Aug 2014 18:33:11 +0200
+Subject: USB: ftdi_sio: add support for NOVITUS Bono E thermal printer
+
+commit ee444609dbae8afee420c3243ce4c5f442efb622 upstream.
+
+Add device id for NOVITUS Bono E thermal printer.
+
+Reported-by: Emanuel Koczwara <poczta@emanuelkoczwara.pl>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -750,6 +750,7 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
+ { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
++ { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -828,6 +828,12 @@
+ #define TELLDUS_TELLSTICK_PID 0x0C30 /* RF control dongle 433 MHz using FT232RL */
+
+ /*
++ * NOVITUS printers
++ */
++#define NOVITUS_VID 0x1a28
++#define NOVITUS_BONO_E_PID 0x6010
++
++/*
+ * RT Systems programming cables for various ham radios
+ */
+ #define RTSYSTEMS_VID 0x2100 /* Vendor ID */
diff --git a/patches/usb-host-xhci-fix-compliance-mode-workaround.patch b/patches/usb-host-xhci-fix-compliance-mode-workaround.patch
new file mode 100644
index 0000000..fef2073
--- /dev/null
+++ b/patches/usb-host-xhci-fix-compliance-mode-workaround.patch
@@ -0,0 +1,78 @@
+From 96908589a8b2584b1185f834d365f5cc360e8226 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Wed, 27 Aug 2014 16:38:04 -0500
+Subject: usb: host: xhci: fix compliance mode workaround
+
+commit 96908589a8b2584b1185f834d365f5cc360e8226 upstream.
+
+Commit 71c731a (usb: host: xhci: Fix Compliance Mode
+on SN65LVP3502CP Hardware) implemented a workaround
+for a known issue with Texas Instruments' USB 3.0
+redriver IC but it left a condition where any xHCI
+host would be taken out of reset if port was placed
+in compliance mode and there was no device connected
+to the port.
+
+That condition would trigger a fake connection to a
+non-existent device so that usbcore would trigger a
+warm reset of the port, thus taking the link out of
+reset.
+
+This has the side-effect of preventing any xHCI host
+connected to a Linux machine from starting and running
+the USB 3.0 Electrical Compliance Suite because the
+port will mysteriously taken out of compliance mode
+and, thus, xHCI won't step through the necessary
+compliance patterns for link validation.
+
+This patch fixes the issue by just adding a missing
+check for XHCI_COMP_MODE_QUIRK inside
+xhci_hub_report_usb3_link_state() when PORT_CAS isn't
+set.
+
+This patch should be backported to all kernels containing
+commit 71c731a.
+
+Fixes: 71c731a (usb: host: xhci: Fix Compliance Mode on SN65LVP3502CP Hardware)
+Cc: Alexis R.
Cortes <alexis.cortes@ti.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[lizf: Backported to 3.4:
+ - s/xhci_hub_report_usb3_link_state/xhci_hub_report_link_state/]
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ drivers/usb/host/xhci-hub.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -463,7 +463,8 @@ void xhci_test_and_clear_bit(struct xhci
+ }
+
+ /* Updates Link Status for super Speed port */
+-static void xhci_hub_report_link_state(u32 *status, u32 status_reg)
++static void xhci_hub_report_link_state(struct xhci_hcd *xhci,
++ u32 *status, u32 status_reg)
+ {
+ u32 pls = status_reg & PORT_PLS_MASK;
+
+@@ -502,7 +503,8 @@ static void xhci_hub_report_link_state(u
+ * in which sometimes the port enters compliance mode
+ * caused by a delay on the host-device negotiation.
+ */
+- if (pls == USB_SS_PORT_LS_COMP_MOD)
++ if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) &&
++ (pls == USB_SS_PORT_LS_COMP_MOD))
+ pls |= USB_PORT_STAT_CONNECTION;
+ }
+
+@@ -680,7 +682,7 @@ int xhci_hub_control(struct usb_hcd *hcd
+ }
+ /* Update Port Link State for super speed ports*/
+ if (hcd->speed == HCD_USB3) {
+- xhci_hub_report_link_state(&status, temp);
++ xhci_hub_report_link_state(xhci, &status, temp);
+ /*
+ * Verify if all USB3 Ports Have entered U0 already.
+ * Delete Compliance Mode Timer if so.
diff --git a/patches/usb-hub-take-hub-hdev-reference-when-processing-from-eventlist.patch b/patches/usb-hub-take-hub-hdev-reference-when-processing-from-eventlist.patch
new file mode 100644
index 0000000..9b91c7f
--- /dev/null
+++ b/patches/usb-hub-take-hub-hdev-reference-when-processing-from-eventlist.patch
@@ -0,0 +1,45 @@ +From c605f3cdff53a743f6d875b76956b239deca1272 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence <joe.lawrence@stratus.com> +Date: Wed, 10 Sep 2014 15:07:50 -0400 +Subject: usb: hub: take hub->hdev reference when processing from eventlist + +commit c605f3cdff53a743f6d875b76956b239deca1272 upstream. + +During surprise device hotplug removal tests, it was observed that +hub_events may try to call usb_lock_device on a device that has already +been freed. Protect the usb_device by taking out a reference (under the +hub_event_lock) when hub_events pulls it off the list, returning the +reference after hub_events is finished using it. + +Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com> +Suggested-by: David Bulkow <david.bulkow@stratus.com> for using kref +Suggested-by: Alan Stern <stern@rowland.harvard.edu> for placement +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/core/hub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3729,9 +3729,10 @@ static void hub_events(void) + + hub = list_entry(tmp, struct usb_hub, event_list); + kref_get(&hub->kref); ++ hdev = hub->hdev; ++ usb_get_dev(hdev); + spin_unlock_irq(&hub_event_lock); + +- hdev = hub->hdev; + hub_dev = hub->intfdev; + intf = to_usb_interface(hub_dev); + dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n", +@@ -3946,6 +3947,7 @@ static void hub_events(void) + usb_autopm_put_interface(intf); + loop_disconnected: + usb_unlock_device(hdev); ++ usb_put_dev(hdev); + kref_put(&hub->kref, hub_release); + + } /* end while (1) */ diff --git a/patches/usb-sierra-add-1199-68aa-device-id.patch b/patches/usb-sierra-add-1199-68aa-device-id.patch new file mode 100644 index 0000000..293871f --- /dev/null +++ b/patches/usb-sierra-add-1199-68aa-device-id.patch 
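Review bot: The `usb_get_dev(hdev)` added in hub_events() is balanced only by the `usb_put_dev(hdev)` added at the `loop_disconnected:` label, so the use-after-free fix depends on every path through the loop body reaching that label. The body between the two inner hunks is not shown, so this cannot be confirmed from the patch alone. A later `continue` or early exit added in between would leak the device reference. I would record the pairing at the acquisition site, next to the existing `kref_get(&hub->kref)`, for example `usb_get_dev(hdev);	/* dropped at loop_disconnected */`.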
@@ -0,0 +1,33 @@ +From 5b3da69285c143b7ea76b3b9f73099ff1093ab73 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> +Date: Thu, 28 Aug 2014 15:08:16 +0200 +Subject: USB: sierra: add 1199:68AA device ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 5b3da69285c143b7ea76b3b9f73099ff1093ab73 upstream. + +This VID:PID is used for some Direct IP devices behaving +identical to the already supported 0F3D:68AA devices. + +Reported-by: Lars Melin <larsm17@gmail.com> +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/serial/sierra.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -300,6 +300,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68A3, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF), ++ .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist ++ }, + /* AT&T Direct IP LTE modems */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist diff --git a/patches/usb-sierra-avoid-cdc-class-functions-on-68a3-devices.patch b/patches/usb-sierra-avoid-cdc-class-functions-on-68a3-devices.patch new file mode 100644 index 0000000..ea53370 --- /dev/null +++ b/patches/usb-sierra-avoid-cdc-class-functions-on-68a3-devices.patch 
@@ -0,0 +1,51 @@ +From 049255f51644c1105775af228396d187402a5934 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> +Date: Thu, 28 Aug 2014 14:11:23 +0200 +Subject: USB: sierra: avoid CDC class functions on "68A3" devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 049255f51644c1105775af228396d187402a5934 upstream. + +Sierra Wireless Direct IP devices using the 68A3 product ID +can be configured for modes including a CDC ECM class function. +The known example uses interface numbers 12 and 13 for the ECM +control and data interfaces respectively, consistent with CDC +MBIM function interface numbering on other Sierra devices. + +It seems cleaner to restrict this driver to the ff/ff/ff +vendor specific interfaces rather than increasing the already +long interface number blacklist. This should be more future +proof if Sierra adds more class functions using interface +numbers not yet in the blacklist. + +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: Johan Hovold <johan@kernel.org> +[lizf: Backported to 3.4: adjust context] +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/serial/sierra.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -296,14 +296,16 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x1199, 0x68A2), /* Sierra Wireless MC77xx in QMI mode */ + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, +- { USB_DEVICE(0x1199, 0x68A3), /* Sierra Wireless Direct IP modems */ ++ /* Sierra Wireless Direct IP modems */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68A3, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, + /* AT&T Direct IP LTE modems */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, +- { USB_DEVICE(0x0f3d, 
0x68A3), /* Airprime/Sierra Wireless Direct IP modems */ ++ /* Airprime/Sierra Wireless Direct IP modems */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68A3, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, + diff --git a/patches/usb-storage-add-quirk-for-adaptec-usbconnect-2000-usb-to-scsi-adapter.patch b/patches/usb-storage-add-quirk-for-adaptec-usbconnect-2000-usb-to-scsi-adapter.patch new file mode 100644 index 0000000..35b11f1 --- /dev/null +++ b/patches/usb-storage-add-quirk-for-adaptec-usbconnect-2000-usb-to-scsi-adapter.patch 
@@ -0,0 +1,39 @@ +From 67d365a57a51fb9dece6a5ceb504aa381cae1e5b Mon Sep 17 00:00:00 2001 +From: Mark <markk@clara.co.uk> +Date: Tue, 16 Sep 2014 16:22:50 +0100 +Subject: USB: storage: Add quirk for Adaptec USBConnect 2000 USB-to-SCSI + Adapter + +commit 67d365a57a51fb9dece6a5ceb504aa381cae1e5b upstream. + +The Adaptec USBConnect 2000 is another SCSI-USB converter which uses +Shuttle Technology/SCM Microsystems chips. The US_FL_SCM_MULT_TARG quirk is +required to use SCSI devices with ID other than 0. + +I don't have a USBConnect 2000, but based on the other entries for Shuttle/ +SCM-based converters this patch is very likely correct. I used 0x0000 and +0x9999 for bcdDeviceMin and bcdDeviceMax because I'm not sure which +bcdDevice value the product uses. + +Signed-off-by: Mark Knibbs <markk@clara.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/storage/unusual_devs.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -93,6 +93,12 @@ UNUSUAL_DEV( 0x03f0, 0x4002, 0x0001, 0x + "PhotoSmart R707", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_FIX_CAPACITY), + ++UNUSUAL_DEV( 0x03f3, 0x0001, 0x0000, 0x9999, ++ "Adaptec", ++ "USBConnect 2000", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Reported by Sebastian Kapfer <sebastian_kapfer@gmx.net> + * and Olaf Hering <olh@suse.de> (different bcd's, same vendor/product) + * for USB floppies that need the SINGLE_LUN enforcement. diff --git a/patches/usb-storage-add-quirk-for-ariston-technologies-iconnect-usb-to-scsi-adapter.patch b/patches/usb-storage-add-quirk-for-ariston-technologies-iconnect-usb-to-scsi-adapter.patch new file mode 100644 index 0000000..9525969 --- /dev/null +++ b/patches/usb-storage-add-quirk-for-ariston-technologies-iconnect-usb-to-scsi-adapter.patch 
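Review bot: The new UNUSUAL_DEV entry for 03f3:0001 has no comment explaining why it matches every revision from 0x0000 to 0x9999 with `usb_stor_euscsi_init` and `US_FL_SCM_MULT_TARG`. The commit message says the author has no such adapter and chose the range because the real bcdDevice value is unknown, and that provenance is lost once the patch is applied. The following entry visible in the context carries a "Reported by" comment, so a short comment here would fit the table's style, for example `/* Untested on hardware; bcdDevice range is a guess (see commit log) */`. The same applies to the 1822:0001 Ariston entry added by the next patch file.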
@@ -0,0 +1,43 @@ +From b6a3ed677991558ce09046397a7c4d70530d15b3 Mon Sep 17 00:00:00 2001 +From: Mark <markk@clara.co.uk> +Date: Tue, 16 Sep 2014 16:51:41 +0100 +Subject: USB: storage: Add quirk for Ariston Technologies iConnect USB to SCSI + adapter + +commit b6a3ed677991558ce09046397a7c4d70530d15b3 upstream. + +Hi, + +The Ariston Technologies iConnect 025 and iConnect 050 (also known as e.g. +iSCSI-50) are SCSI-USB converters which use Shuttle Technology/SCM +Microsystems chips. Only the connectors differ; both have the same USB ID. +The US_FL_SCM_MULT_TARG quirk is required to use SCSI devices with ID other +than 0. + +I don't have one of these, but based on the other entries for Shuttle/ +SCM-based converters this patch is very likely correct. I used 0x0000 and +0x9999 for bcdDeviceMin and bcdDeviceMax because I'm not sure which +bcdDevice value the products use. + +Signed-off-by: Mark Knibbs <markk@clara.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/storage/unusual_devs.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1952,6 +1952,12 @@ UNUSUAL_DEV( 0x177f, 0x0400, 0x0000, 0x + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BULK_IGNORE_TAG | US_FL_MAX_SECTORS_64 ), + ++UNUSUAL_DEV( 0x1822, 0x0001, 0x0000, 0x9999, ++ "Ariston Technologies", ++ "iConnect USB to SCSI adapter", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Reported by Hans de Goede <hdegoede@redhat.com> + * These Appotech controllers are found in Picture Frames, they provide a + * (buggy) emulation of a cdrom drive which contains the windows software diff --git a/patches/usb-storage-add-quirks-for-entrega-xircom-usb-to-scsi-converters.patch b/patches/usb-storage-add-quirks-for-entrega-xircom-usb-to-scsi-converters.patch new file mode 100644 index 0000000..5595b88 --- /dev/null 
+++ b/patches/usb-storage-add-quirks-for-entrega-xircom-usb-to-scsi-converters.patch 
@@ -0,0 +1,77 @@ +From c80b4495c61636edc58fe1ce300f09f24db28e10 Mon Sep 17 00:00:00 2001 +From: Mark <markk@clara.co.uk> +Date: Wed, 17 Sep 2014 19:15:43 +0100 +Subject: USB: storage: Add quirks for Entrega/Xircom USB to SCSI converters + +commit c80b4495c61636edc58fe1ce300f09f24db28e10 upstream. + +This patch adds quirks for Entrega Technologies (later Xircom PortGear) USB- +SCSI converters. They use Shuttle Technology EUSB-01/EUSB-S1 chips. The +US_FL_SCM_MULT_TARG quirk is needed to allow multiple devices on the SCSI +chain to be accessed. Without it only the (single) device with SCSI ID 0 +can be used. + +The standalone converter sold by Entrega had model number U1-SC25. Xircom +acquired Entrega and re-branded the product line PortGear. The PortGear USB +to SCSI Converter (model PGSCSI) is internally identical to the Entrega +product, but later models may use a different USB ID. The Entrega-branded +units have USB ID 1645:0007, as does my Xircom PGSCSI, but the Windows and +Macintosh drivers also support 085A:0028. + +Entrega also sold the "Mac USB Dock", which provides two USB ports, a Mac +(8-pin mini-DIN) serial port and a SCSI port. It appears to the computer as +a four-port hub, USB-serial, and USB-SCSI converters. The USB-SCSI part may +have initially used the same ID as the standalone U1-SC25 (1645:0007), but +later production used 085A:0026. + +My Xircom PortGear PGSCSI has bcdDevice=0x0100. Units with bcdDevice=0x0133 +probably also exist. + +This patch adds quirks for 1645:0007, 085A:0026 and 085A:0028. The Windows +driver INF file also mentions 085A:0032 "PortStation SCSI Module", but I +couldn't find any mention of that actually existing in the wild; perhaps it +was cancelled before release? 
+ +Signed-off-by: Mark Knibbs <markk@clara.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/storage/unusual_devs.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1117,6 +1117,18 @@ UNUSUAL_DEV( 0x0851, 0x1543, 0x0200, 0x + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NOT_LOCKABLE), + ++UNUSUAL_DEV( 0x085a, 0x0026, 0x0100, 0x0133, ++ "Xircom", ++ "PortGear USB-SCSI (Mac USB Dock)", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ ++UNUSUAL_DEV( 0x085a, 0x0028, 0x0100, 0x0133, ++ "Xircom", ++ "PortGear USB to SCSI Converter", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Submitted by Jan De Luyck <lkml@kcore.org> */ + UNUSUAL_DEV( 0x08bd, 0x1100, 0x0000, 0x0000, + "CITIZEN", +@@ -1937,6 +1949,14 @@ UNUSUAL_DEV( 0x152d, 0x2329, 0x0100, 0x + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_IGNORE_RESIDUE | US_FL_SANE_SENSE ), + ++/* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI) ++ * and Mac USB Dock USB-SCSI */ ++UNUSUAL_DEV( 0x1645, 0x0007, 0x0100, 0x0133, ++ "Entrega Technologies", ++ "USB to SCSI Converter", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Reported by Robert Schedel <r.schedel@yahoo.de> + * Note: this is a 'super top' device like the above 14cd/6600 device */ + UNUSUAL_DEV( 0x1652, 0x6600, 0x0201, 0x0201, diff --git a/patches/uwb-init-beacon-cache-entry-before-registering-uwb-device.patch b/patches/uwb-init-beacon-cache-entry-before-registering-uwb-device.patch new file mode 100644 index 0000000..ece62df --- /dev/null +++ b/patches/uwb-init-beacon-cache-entry-before-registering-uwb-device.patch 
@@ -0,0 +1,56 @@ +From 675f0ab2fe5a0f7325208e60b617a5f32b86d72c Mon Sep 17 00:00:00 2001 +From: Thomas Pugliese <thomas.pugliese@gmail.com> +Date: Thu, 7 Aug 2014 15:45:35 -0500 +Subject: uwb: init beacon cache entry before registering uwb device + +commit 675f0ab2fe5a0f7325208e60b617a5f32b86d72c upstream. + +Make sure the uwb_dev->bce entry is set before calling uwb_dev_add in +uwbd_dev_onair so that usermode will only see the device after it is +properly initialized. This fixes a kernel panic that can occur if +usermode tries to access the IEs sysfs attribute of a UWB device before +the driver has had a chance to set the beacon cache entry. + +Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[lizf: Backported to 3.4: adjust context] +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/uwb/lc-dev.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/uwb/lc-dev.c ++++ b/drivers/uwb/lc-dev.c +@@ -441,16 +441,19 @@ void uwbd_dev_onair(struct uwb_rc *rc, s + uwb_dev->mac_addr = *bce->mac_addr; + uwb_dev->dev_addr = bce->dev_addr; + dev_set_name(&uwb_dev->dev, macbuf); ++ ++ /* plug the beacon cache */ ++ bce->uwb_dev = uwb_dev; ++ uwb_dev->bce = bce; ++ uwb_bce_get(bce); /* released in uwb_dev_sys_release() */ ++ + result = uwb_dev_add(uwb_dev, &rc->uwb_dev.dev, rc); + if (result < 0) { + dev_err(dev, "new device %s: cannot instantiate device\n", + macbuf); + goto error_dev_add; + } +- /* plug the beacon cache */ +- bce->uwb_dev = uwb_dev; +- uwb_dev->bce = bce; +- uwb_bce_get(bce); /* released in uwb_dev_sys_release() */ ++ + dev_info(dev, "uwb device (mac %s dev %s) connected to %s %s\n", + macbuf, devbuf, rc->uwb_dev.dev.parent->bus->name, + dev_name(rc->uwb_dev.dev.parent)); +@@ -458,6 +461,8 @@ void uwbd_dev_onair(struct uwb_rc *rc, s + return; + + error_dev_add: ++ bce->uwb_dev = NULL; ++ uwb_bce_put(bce); + kfree(uwb_dev); + return; + } 
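Review bot: In uwbd_dev_onair() `bce->uwb_dev = uwb_dev` is now published before `uwb_dev_add()` has succeeded, and the `error_dev_add` path resets it to NULL and then calls `kfree(uwb_dev)`. No lock is visible around either assignment in this hunk, so if another context can read `bce->uwb_dev` between those two points it could keep a pointer to the freed structure. The function starts outside the hunk, so the caller's locking cannot be checked from here. If the caller does serialise access to the cache entry, the `/* plug the beacon cache */` comment should name the lock that makes the early publication safe; if it does not, the assignment and the error-path reset need to happen under one.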
diff --git a/patches/xen-manage-always-freeze-thaw-processes-when-suspend-resuming.patch b/patches/xen-manage-always-freeze-thaw-processes-when-suspend-resuming.patch new file mode 100644 index 0000000..1b61d94 --- /dev/null +++ b/patches/xen-manage-always-freeze-thaw-processes-when-suspend-resuming.patch 
@@ -0,0 +1,57 @@ +From 61a734d305e16944b42730ef582a7171dc733321 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall <ross.lagerwall@citrix.com> +Date: Mon, 18 Aug 2014 10:41:36 +0100 +Subject: xen/manage: Always freeze/thaw processes when suspend/resuming + +commit 61a734d305e16944b42730ef582a7171dc733321 upstream. + +Always freeze processes when suspending and thaw processes when resuming +to prevent a race noticeable with HVM guests. + +This prevents a deadlock where the khubd kthread (which is designed to +be freezable) acquires a usb device lock and then tries to allocate +memory which requires the disk which hasn't been resumed yet. +Meanwhile, the xenwatch thread deadlocks waiting for the usb device +lock. + +Freezing processes fixes this because the khubd thread is only thawed +after the xenwatch thread finishes resuming all the devices. + +Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> +Signed-off-by: David Vrabel <david.vrabel@citrix.com> +[lizf: Backported to 3.4: adjust context] +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/xen/manage.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -109,16 +109,11 @@ static void do_suspend(void) + + shutting_down = SHUTDOWN_SUSPEND; + +-#ifdef CONFIG_PREEMPT +- /* If the kernel is preemptible, we need to freeze all the processes +- to prevent them from being in the middle of a pagetable update +- during suspend. */ + err = freeze_processes(); + if (err) { + printk(KERN_ERR "xen suspend: freeze failed %d\n", err); + goto out; + } +-#endif + + err = dpm_suspend_start(PMSG_FREEZE); + if (err) { +@@ -170,10 +165,8 @@ out_resume: + clock_was_set(); + + out_thaw: +-#ifdef CONFIG_PREEMPT + thaw_processes(); + out: +-#endif + shutting_down = SHUTDOWN_INVALID; + } + #endif /* CONFIG_HIBERNATE_CALLBACKS */ 
diff --git a/patches/xfs-don-t-dirty-buffers-beyond-eof.patch b/patches/xfs-don-t-dirty-buffers-beyond-eof.patch new file mode 100644 index 0000000..1ac7ef1 --- /dev/null +++ b/patches/xfs-don-t-dirty-buffers-beyond-eof.patch 
@@ -0,0 +1,132 @@ +From 22e757a49cf010703fcb9c9b4ef793248c39b0c2 Mon Sep 17 00:00:00 2001 +From: Dave Chinner <dchinner@redhat.com> +Date: Tue, 2 Sep 2014 12:12:51 +1000 +Subject: xfs: don't dirty buffers beyond EOF + +commit 22e757a49cf010703fcb9c9b4ef793248c39b0c2 upstream. + +generic/263 is failing fsx at this point with a page spanning +EOF that cannot be invalidated. The operations are: + +1190 mapwrite 0x52c00 thru 0x5e569 (0xb96a bytes) +1191 mapread 0x5c000 thru 0x5d636 (0x1637 bytes) +1192 write 0x5b600 thru 0x771ff (0x1bc00 bytes) + +where 1190 extents EOF from 0x54000 to 0x5e569. When the direct IO +write attempts to invalidate the cached page over this range, it +fails with -EBUSY and so any attempt to do page invalidation fails. + +The real question is this: Why can't that page be invalidated after +it has been written to disk and cleaned? + +Well, there's data on the first two buffers in the page (1k block +size, 4k page), but the third buffer on the page (i.e. beyond EOF) +is failing drop_buffers because it's bh->b_state == 0x3, which is +BH_Uptodate | BH_Dirty. IOWs, there's dirty buffers beyond EOF. Say +what? + +OK, set_buffer_dirty() is called on all buffers from +__set_page_buffers_dirty(), regardless of whether the buffer is +beyond EOF or not, which means that when we get to ->writepage, +we have buffers marked dirty beyond EOF that we need to clean. +So, we need to implement our own .set_page_dirty method that +doesn't dirty buffers beyond EOF. + +This is messy because the buffer code is not meant to be shared +and it has interesting locking issues on the buffer dirty bits. +So just copy and paste it and then modify it to suit what we need. + +Note: the solutions the other filesystems and generic block code use +of marking the buffers clean in ->writepage does not work for XFS. +It still leaves dirty buffers beyond EOF and invalidations still +fail. 
Hence rather than play whack-a-mole, this patch simply +prevents those buffers from being dirtied in the first place. + +Signed-off-by: Dave Chinner <dchinner@redhat.com> +Reviewed-by: Brian Foster <bfoster@redhat.com> +Signed-off-by: Dave Chinner <david@fromorbit.com> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + fs/xfs/xfs_aops.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index 7a978c7..f8c4780 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -1502,11 +1502,72 @@ xfs_vm_readpages( + return mpage_readpages(mapping, pages, nr_pages, xfs_get_blocks); + } + ++/* ++ * This is basically a copy of __set_page_dirty_buffers() with one ++ * small tweak: buffers beyond EOF do not get marked dirty. If we mark them ++ * dirty, we'll never be able to clean them because we don't write buffers ++ * beyond EOF, and that means we can't invalidate pages that span EOF ++ * that have been marked dirty. Further, the dirty state can leak into ++ * the file interior if the file is extended, resulting in all sorts of ++ * bad things happening as the state does not match the underlying data. ++ * ++ * XXX: this really indicates that bufferheads in XFS need to die. Warts like ++ * this only exist because of bufferheads and how the generic code manages them. 
++ */ ++STATIC int ++xfs_vm_set_page_dirty( ++ struct page *page) ++{ ++ struct address_space *mapping = page->mapping; ++ struct inode *inode = mapping->host; ++ loff_t end_offset; ++ loff_t offset; ++ int newly_dirty; ++ ++ if (unlikely(!mapping)) ++ return !TestSetPageDirty(page); ++ ++ end_offset = i_size_read(inode); ++ offset = page_offset(page); ++ ++ spin_lock(&mapping->private_lock); ++ if (page_has_buffers(page)) { ++ struct buffer_head *head = page_buffers(page); ++ struct buffer_head *bh = head; ++ ++ do { ++ if (offset < end_offset) ++ set_buffer_dirty(bh); ++ bh = bh->b_this_page; ++ offset += 1 << inode->i_blkbits; ++ } while (bh != head); ++ } ++ newly_dirty = !TestSetPageDirty(page); ++ spin_unlock(&mapping->private_lock); ++ ++ if (newly_dirty) { ++ /* sigh - __set_page_dirty() is static, so copy it here, too */ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&mapping->tree_lock, flags); ++ if (page->mapping) { /* Race with truncate? */ ++ WARN_ON_ONCE(!PageUptodate(page)); ++ account_page_dirtied(page, mapping); ++ radix_tree_tag_set(&mapping->page_tree, ++ page_index(page), PAGECACHE_TAG_DIRTY); ++ } ++ spin_unlock_irqrestore(&mapping->tree_lock, flags); ++ __mark_inode_dirty(mapping->host, I_DIRTY_PAGES); ++ } ++ return newly_dirty; ++} ++ + const struct address_space_operations xfs_address_space_operations = { + .readpage = xfs_vm_readpage, + .readpages = xfs_vm_readpages, + .writepage = xfs_vm_writepage, + .writepages = xfs_vm_writepages, ++ .set_page_dirty = xfs_vm_set_page_dirty, + .releasepage = xfs_vm_releasepage, + .invalidatepage = xfs_vm_invalidatepage, + .write_begin = xfs_vm_write_begin, +-- +1.9.1 + diff --git a/patches/xhci-fix-null-pointer-dereference-if-xhci-initialization-fails.patch b/patches/xhci-fix-null-pointer-dereference-if-xhci-initialization-fails.patch new file mode 100644 index 0000000..af0b0af --- /dev/null +++ b/patches/xhci-fix-null-pointer-dereference-if-xhci-initialization-fails.patch 
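Review bot: In xfs_vm_set_page_dirty() the initialiser `struct inode *inode = mapping->host;` dereferences `mapping` before the `if (unlikely(!mapping))` test a few lines below. The NULL case that test is written for would therefore fault first, and a compiler is entitled to drop the test as dead code because of the earlier dereference. Declaring `struct inode *inode;` without an initialiser and assigning `inode = mapping->host;` after the NULL check, just before `end_offset = i_size_read(inode);`, keeps the guard meaningful. The function is complete within this hunk, but whether a page with a NULL mapping can actually reach this callback is not visible here.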
@@ -0,0 +1,30 @@ +From c207e7c50f31113c24a9f536fcab1e8a256985d7 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Thu, 11 Sep 2014 13:55:48 +0300 +Subject: xhci: Fix null pointer dereference if xhci initialization fails + +commit c207e7c50f31113c24a9f536fcab1e8a256985d7 upstream. + +If xhci initialization fails before the roothub bandwidth +domains (xhci->rh_bw[i]) are allocated it will oops when +trying to access rh_bw members in xhci_mem_cleanup(). + +Reported-by: Manuel Reimer <manuel.reimer@gmx.de> +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Zefan Li <lizefan@huawei.com> +--- + drivers/usb/host/xhci-mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1813,7 +1813,7 @@ void xhci_mem_cleanup(struct xhci_hcd *x + } + + num_ports = HCS_MAX_PORTS(xhci->hcs_params1); +- for (i = 0; i < num_ports; i++) { ++ for (i = 0; i < num_ports && xhci->rh_bw; i++) { + struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table; + for (j = 0; j < XHCI_MAX_INTERVAL; j++) { + struct list_head *ep = &bwt->interval_bw[j].endpoints; |
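Review bot: The `&& xhci->rh_bw` added to the loop condition in xhci_mem_cleanup() is loop-invariant, so it reads like a per-iteration test although it only decides whether the loop runs at all. Putting the pointer test first and saying why it can be NULL makes the intent clearer: `for (i = 0; xhci->rh_bw && i < num_ports; i++) {` preceded by `/* rh_bw is NULL if init failed before it was allocated */`. The function continues outside the hunk, so any other `xhci->rh_bw[i]` access later in the cleanup path would need the same guard; that cannot be checked from here.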