--- /dev/null
+From dbfe8ef5599a5370abc441fcdbb382b656563eb4 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 8 May 2015 15:23:55 -0400
+Subject: ahci: avoton port-disable reset-quirk
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit dbfe8ef5599a5370abc441fcdbb382b656563eb4 upstream.
+
+Avoton AHCI occasionally sees drive probe timeouts at driver load time.
+When this happens SCR_STATUS indicates device detected, but no D2H FIS
+reception. Reset the internal link state machines by bouncing
+port-enable in the PCS register when this occurs.
+
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 95 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -66,6 +66,7 @@ enum board_ids {
+ board_ahci_yes_fbs,
+
+ /* board IDs for specific chipsets in alphabetical order */
++ board_ahci_avn,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -84,6 +85,8 @@ enum board_ids {
+ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
+ static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class,
+ unsigned long deadline);
++static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class,
++ unsigned long deadline);
+ static void ahci_mcp89_apple_enable(struct pci_dev *pdev);
+ static bool is_mcp89_apple(struct pci_dev *pdev);
+ static int ahci_p5wdh_hardreset(struct ata_link *link, unsigned int *class,
+@@ -107,6 +110,11 @@ static struct ata_port_operations ahci_p
+ .hardreset = ahci_p5wdh_hardreset,
+ };
+
++static struct ata_port_operations ahci_avn_ops = {
++ .inherits = &ahci_ops,
++ .hardreset = ahci_avn_hardreset,
++};
++
+ static const struct ata_port_info ahci_port_info[] = {
+ /* by features */
+ [board_ahci] = {
+@@ -151,6 +159,12 @@ static const struct ata_port_info ahci_p
+ .port_ops = &ahci_ops,
+ },
+ /* by chipsets */
++ [board_ahci_avn] = {
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_avn_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -290,14 +304,14 @@ static const struct pci_device_id ahci_p
+ { PCI_VDEVICE(INTEL, 0x1f27), board_ahci }, /* Avoton RAID */
+ { PCI_VDEVICE(INTEL, 0x1f2e), board_ahci }, /* Avoton RAID */
+ { PCI_VDEVICE(INTEL, 0x1f2f), board_ahci }, /* Avoton RAID */
+- { PCI_VDEVICE(INTEL, 0x1f32), board_ahci }, /* Avoton AHCI */
+- { PCI_VDEVICE(INTEL, 0x1f33), board_ahci }, /* Avoton AHCI */
+- { PCI_VDEVICE(INTEL, 0x1f34), board_ahci }, /* Avoton RAID */
+- { PCI_VDEVICE(INTEL, 0x1f35), board_ahci }, /* Avoton RAID */
+- { PCI_VDEVICE(INTEL, 0x1f36), board_ahci }, /* Avoton RAID */
+- { PCI_VDEVICE(INTEL, 0x1f37), board_ahci }, /* Avoton RAID */
+- { PCI_VDEVICE(INTEL, 0x1f3e), board_ahci }, /* Avoton RAID */
+- { PCI_VDEVICE(INTEL, 0x1f3f), board_ahci }, /* Avoton RAID */
++ { PCI_VDEVICE(INTEL, 0x1f32), board_ahci_avn }, /* Avoton AHCI */
++ { PCI_VDEVICE(INTEL, 0x1f33), board_ahci_avn }, /* Avoton AHCI */
++ { PCI_VDEVICE(INTEL, 0x1f34), board_ahci_avn }, /* Avoton RAID */
++ { PCI_VDEVICE(INTEL, 0x1f35), board_ahci_avn }, /* Avoton RAID */
++ { PCI_VDEVICE(INTEL, 0x1f36), board_ahci_avn }, /* Avoton RAID */
++ { PCI_VDEVICE(INTEL, 0x1f37), board_ahci_avn }, /* Avoton RAID */
++ { PCI_VDEVICE(INTEL, 0x1f3e), board_ahci_avn }, /* Avoton RAID */
++ { PCI_VDEVICE(INTEL, 0x1f3f), board_ahci_avn }, /* Avoton RAID */
+ { PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Wellsburg RAID */
+ { PCI_VDEVICE(INTEL, 0x2827), board_ahci }, /* Wellsburg RAID */
+ { PCI_VDEVICE(INTEL, 0x8d02), board_ahci }, /* Wellsburg AHCI */
+@@ -670,6 +684,79 @@ static int ahci_p5wdh_hardreset(struct a
+ return rc;
+ }
+
++/*
++ * ahci_avn_hardreset - attempt more aggressive recovery of Avoton ports.
++ *
++ * It has been observed with some SSDs that the timing of events in the
++ * link synchronization phase can leave the port in a state that can not
++ * be recovered by a SATA-hard-reset alone. The failing signature is
++ * SStatus.DET stuck at 1 ("Device presence detected but Phy
++ * communication not established"). It was found that unloading and
++ * reloading the driver when this problem occurs allows the drive
++ * connection to be recovered (DET advanced to 0x3). The critical
++ * component of reloading the driver is that the port state machines are
++ * reset by bouncing "port enable" in the AHCI PCS configuration
++ * register. So, reproduce that effect by bouncing a port whenever we
++ * see DET==1 after a reset.
++ */
++static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class,
++ unsigned long deadline)
++{
++ const unsigned long *timing = sata_ehc_deb_timing(&link->eh_context);
++ struct ata_port *ap = link->ap;
++ struct ahci_port_priv *pp = ap->private_data;
++ struct ahci_host_priv *hpriv = ap->host->private_data;
++ u8 *d2h_fis = pp->rx_fis + RX_FIS_D2H_REG;
++ unsigned long tmo = deadline - jiffies;
++ struct ata_taskfile tf;
++ bool online;
++ int rc, i;
++
++ DPRINTK("ENTER\n");
++
++ ahci_stop_engine(ap);
++
++ for (i = 0; i < 2; i++) {
++ u16 val;
++ u32 sstatus;
++ int port = ap->port_no;
++ struct ata_host *host = ap->host;
++ struct pci_dev *pdev = to_pci_dev(host->dev);
++
++ /* clear D2H reception area to properly wait for D2H FIS */
++ ata_tf_init(link->device, &tf);
++ tf.command = ATA_BUSY;
++ ata_tf_to_fis(&tf, 0, 0, d2h_fis);
++
++ rc = sata_link_hardreset(link, timing, deadline, &online,
++ ahci_check_ready);
++
++ if (sata_scr_read(link, SCR_STATUS, &sstatus) != 0 ||
++ (sstatus & 0xf) != 1)
++ break;
++
++ ata_link_printk(link, KERN_INFO, "avn bounce port%d\n",
++ port);
++
++ pci_read_config_word(pdev, 0x92, &val);
++ val &= ~(1 << port);
++ pci_write_config_word(pdev, 0x92, val);
++ ata_msleep(ap, 1000);
++ val |= 1 << port;
++ pci_write_config_word(pdev, 0x92, val);
++ deadline += tmo;
++ }
++
++ hpriv->start_engine(ap);
++
++ if (online)
++ *class = ahci_dev_classify(ap);
++
++ DPRINTK("EXIT, rc=%d, class=%u\n", rc, *class);
++ return rc;
++}
++
++
+ #ifdef CONFIG_PM
+ static int ahci_pci_device_suspend(struct pci_dev *pdev, pm_message_t mesg)
+ {
--- /dev/null
+From 1e4df6b7208140f3c49f316d33a409d3a161f350 Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Fri, 8 May 2015 06:39:51 +0100
+Subject: arm64: bpf: fix signedness bug in loading 64-bit immediate
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit 1e4df6b7208140f3c49f316d33a409d3a161f350 upstream.
+
+Consider "(u64)insn1.imm << 32 | imm" in the arm64 JIT. Since imm is
+signed 32-bit, it is sign-extended to 64-bit, losing the high 32 bits.
+The fix is to convert imm to u32 first, which will be zero-extended to
+u64 implicitly.
+
+Cc: Zi Shen Lim <zlim.lnx@gmail.com>
+Cc: Alexei Starovoitov <ast@plumgrid.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Fixes: 30d3d94cc3d5 ("arm64: bpf: add 'load 64-bit immediate' instruction")
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+[will: removed non-arm64 bits and redundant casting]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -487,7 +487,7 @@ emit_cond_jmp:
+ return -EINVAL;
+ }
+
+- imm64 = (u64)insn1.imm << 32 | imm;
++ imm64 = (u64)insn1.imm << 32 | (u32)imm;
+ emit_a64_mov_i64(dst, imm64, ctx);
+
+ return 1;
--- /dev/null
+From 2f974865ffdfe7b9f46a9940836c8b167342563d Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Thu, 14 May 2015 19:00:45 -0400
+Subject: ext4: check for zero length extent explicitly
+
+From: Eryu Guan <guaneryu@gmail.com>
+
+commit 2f974865ffdfe7b9f46a9940836c8b167342563d upstream.
+
+The following commit introduced a bug when checking for zero length extent
+
+5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries()
+
+Zero length extent could pass the check if lblock is zero.
+
+Adding the explicit check for zero length back.
+
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -377,7 +377,7 @@ static int ext4_valid_extent(struct inod
+ ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
+ ext4_lblk_t last = lblock + len - 1;
+
+- if (lblock > last)
++ if (len == 0 || lblock > last)
+ return 0;
+ return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
--- /dev/null
+From 8f4d855839179f410fa910a26eb81d646d628f26 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 14 May 2015 18:19:01 -0400
+Subject: ext4: fix lazytime optimization
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8f4d855839179f410fa910a26eb81d646d628f26 upstream.
+
+We had a fencepost error in the lazytime optimization which means that
+timestamp would get written to the wrong inode.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4233,7 +4233,7 @@ static void ext4_update_other_inodes_tim
+ int inode_size = EXT4_INODE_SIZE(sb);
+
+ oi.orig_ino = orig_ino;
+- ino = orig_ino & ~(inodes_per_block - 1);
++ ino = (orig_ino & ~(inodes_per_block - 1)) + 1;
+ for (i = 0; i < inodes_per_block; i++, ino++, buf += inode_size) {
+ if (ino == orig_ino)
+ continue;
--- /dev/null
+From 9d506594069355d1fb2de3f9104667312ff08ed3 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Thu, 14 May 2015 18:55:18 -0400
+Subject: ext4: fix NULL pointer dereference when journal restart fails
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 9d506594069355d1fb2de3f9104667312ff08ed3 upstream.
+
+Currently when journal restart fails, we'll have the h_transaction of
+the handle set to NULL to indicate that the handle has been effectively
+aborted. We handle this situation quietly in the jbd2_journal_stop() and just
+free the handle and exit because everything else has been done before we
+attempted (and failed) to restart the journal.
+
+Unfortunately there are a number of problems with that approach
+introduced with commit
+
+41a5b913197c "jbd2: invalidate handle if jbd2_journal_restart()
+fails"
+
+First of all in ext4 jbd2_journal_stop() will be called through
+__ext4_journal_stop() where we would try to get a hold of the superblock
+by dereferencing h_transaction which in this case would lead to NULL
+pointer dereference and crash.
+
+In addition we're going to free the handle regardless of the refcount
+which is bad as well, because others up the call chain will still
+reference the handle so we might potentially reference already freed
+memory.
+
+Moreover it's expected that we'll get aborted handle as well as detached
+handle in some of the journalling function as the error propagates up
+the stack, so it's unnecessary to call WARN_ON every time we get
+detached handle.
+
+And finally we might leak some memory by forgetting to free reserved
+handle in jbd2_journal_stop() in the case where handle was detached from
+the transaction (h_transaction is NULL).
+
+Fix the NULL pointer dereference in __ext4_journal_stop() by just
+calling jbd2_journal_stop() quietly as suggested by Jan Kara. Also fix
+the potential memory leak in jbd2_journal_stop() and use proper
+handle refcounting before we attempt to free it to avoid use-after-free
+issues.
+
+And finally remove all WARN_ON(!transaction) from the code so that we do
+not get random traces when something goes wrong because when journal
+restart fails we will get to some of those functions.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_jbd2.c | 6 ++++++
+ fs/jbd2/transaction.c | 25 ++++++++++++++++---------
+ 2 files changed, 22 insertions(+), 9 deletions(-)
+
+--- a/fs/ext4/ext4_jbd2.c
++++ b/fs/ext4/ext4_jbd2.c
+@@ -87,6 +87,12 @@ int __ext4_journal_stop(const char *wher
+ ext4_put_nojournal(handle);
+ return 0;
+ }
++
++ if (!handle->h_transaction) {
++ err = jbd2_journal_stop(handle);
++ return handle->h_err ? handle->h_err : err;
++ }
++
+ sb = handle->h_transaction->t_journal->j_private;
+ err = handle->h_err;
+ rc = jbd2_journal_stop(handle);
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -551,7 +551,6 @@ int jbd2_journal_extend(handle_t *handle
+ int result;
+ int wanted;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -627,7 +626,6 @@ int jbd2__journal_restart(handle_t *hand
+ tid_t tid;
+ int need_to_start, ret;
+
+- WARN_ON(!transaction);
+ /* If we've had an abort of any type, don't even think about
+ * actually doing the restart! */
+ if (is_handle_aborted(handle))
+@@ -785,7 +783,6 @@ do_get_write_access(handle_t *handle, st
+ int need_copy = 0;
+ unsigned long start_lock, time_lock;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -1051,7 +1048,6 @@ int jbd2_journal_get_create_access(handl
+ int err;
+
+ jbd_debug(5, "journal_head %p\n", jh);
+- WARN_ON(!transaction);
+ err = -EROFS;
+ if (is_handle_aborted(handle))
+ goto out;
+@@ -1266,7 +1262,6 @@ int jbd2_journal_dirty_metadata(handle_t
+ struct journal_head *jh;
+ int ret = 0;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -1397,7 +1392,6 @@ int jbd2_journal_forget (handle_t *handl
+ int err = 0;
+ int was_modified = 0;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -1530,8 +1524,22 @@ int jbd2_journal_stop(handle_t *handle)
+ tid_t tid;
+ pid_t pid;
+
+- if (!transaction)
+- goto free_and_exit;
++ if (!transaction) {
++ /*
++ * Handle is already detached from the transaction so
++ * there is nothing to do other than decrease a refcount,
++ * or free the handle if refcount drops to zero
++ */
++ if (--handle->h_ref > 0) {
++ jbd_debug(4, "h_ref %d -> %d\n", handle->h_ref + 1,
++ handle->h_ref);
++ return err;
++ } else {
++ if (handle->h_rsv_handle)
++ jbd2_free_handle(handle->h_rsv_handle);
++ goto free_and_exit;
++ }
++ }
+ journal = transaction->t_journal;
+
+ J_ASSERT(journal_current_handle() == handle);
+@@ -2373,7 +2381,6 @@ int jbd2_journal_file_inode(handle_t *ha
+ transaction_t *transaction = handle->h_transaction;
+ journal_t *journal;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
--- /dev/null
+From e531d0bceb402e643a4499de40dd3fa39d8d2e43 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 14 May 2015 19:11:50 -0400
+Subject: jbd2: fix r_count overflows leading to buffer overflow in journal recovery
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit e531d0bceb402e643a4499de40dd3fa39d8d2e43 upstream.
+
+The journal revoke block recovery code does not check r_count for
+sanity, which means that an evil value of r_count could result in
+the kernel reading off the end of the revoke table and into whatever
+garbage lies beyond. This could crash the kernel, so fix that.
+
+However, in testing this fix, I discovered that the code to write
+out the revoke tables also was not correctly checking to see if the
+block was full -- the current offset check is fine so long as the
+revoke table space size is a multiple of the record size, but this
+is not true when either journal_csum_v[23] are set.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/recovery.c | 10 +++++++++-
+ fs/jbd2/revoke.c | 18 ++++++++++--------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/fs/jbd2/recovery.c
++++ b/fs/jbd2/recovery.c
+@@ -842,15 +842,23 @@ static int scan_revoke_records(journal_t
+ {
+ jbd2_journal_revoke_header_t *header;
+ int offset, max;
++ int csum_size = 0;
++ __u32 rcount;
+ int record_len = 4;
+
+ header = (jbd2_journal_revoke_header_t *) bh->b_data;
+ offset = sizeof(jbd2_journal_revoke_header_t);
+- max = be32_to_cpu(header->r_count);
++ rcount = be32_to_cpu(header->r_count);
+
+ if (!jbd2_revoke_block_csum_verify(journal, header))
+ return -EINVAL;
+
++ if (jbd2_journal_has_csum_v2or3(journal))
++ csum_size = sizeof(struct jbd2_journal_revoke_tail);
++ if (rcount > journal->j_blocksize - csum_size)
++ return -EINVAL;
++ max = rcount;
++
+ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
+ record_len = 8;
+
+--- a/fs/jbd2/revoke.c
++++ b/fs/jbd2/revoke.c
+@@ -577,7 +577,7 @@ static void write_one_revoke_record(jour
+ {
+ int csum_size = 0;
+ struct buffer_head *descriptor;
+- int offset;
++ int sz, offset;
+ journal_header_t *header;
+
+ /* If we are already aborting, this all becomes a noop. We
+@@ -594,9 +594,14 @@ static void write_one_revoke_record(jour
+ if (jbd2_journal_has_csum_v2or3(journal))
+ csum_size = sizeof(struct jbd2_journal_revoke_tail);
+
++ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
++ sz = 8;
++ else
++ sz = 4;
++
+ /* Make sure we have a descriptor with space left for the record */
+ if (descriptor) {
+- if (offset >= journal->j_blocksize - csum_size) {
++ if (offset + sz > journal->j_blocksize - csum_size) {
+ flush_descriptor(journal, descriptor, offset, write_op);
+ descriptor = NULL;
+ }
+@@ -619,16 +624,13 @@ static void write_one_revoke_record(jour
+ *descriptorp = descriptor;
+ }
+
+- if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT)) {
++ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
+ * ((__be64 *)(&descriptor->b_data[offset])) =
+ cpu_to_be64(record->blocknr);
+- offset += 8;
+-
+- } else {
++ else
+ * ((__be32 *)(&descriptor->b_data[offset])) =
+ cpu_to_be32(record->blocknr);
+- offset += 4;
+- }
++ offset += sz;
+
+ *offsetp = offset;
+ }
--- /dev/null
+From 8393b811f38acdf7fd8da2028708edad3e68ce1f Mon Sep 17 00:00:00 2001
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Date: Sat, 25 Apr 2015 19:52:36 +0200
+Subject: libata: Add helper to determine when PHY events should be ignored
+
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+
+commit 8393b811f38acdf7fd8da2028708edad3e68ce1f upstream.
+
+This is a preparation commit that will allow to add other criteria
+according to which PHY events should be dropped.
+
+Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libahci.c | 3 +--
+ drivers/ata/libata-core.c | 19 +++++++++++++++++++
+ include/linux/libata.h | 1 +
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1707,8 +1707,7 @@ static void ahci_handle_port_interrupt(s
+ if (unlikely(resetting))
+ status &= ~PORT_IRQ_BAD_PMP;
+
+- /* if LPM is enabled, PHYRDY doesn't mean anything */
+- if (ap->link.lpm_policy > ATA_LPM_MAX_POWER) {
++ if (sata_lpm_ignore_phy_events(&ap->link)) {
+ status &= ~PORT_IRQ_PHYRDY;
+ ahci_scr_write(&ap->link, SCR_ERROR, SERR_PHYRDY_CHG);
+ }
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6728,6 +6728,25 @@ u32 ata_wait_register(struct ata_port *a
+ return tmp;
+ }
+
++/**
++ * sata_lpm_ignore_phy_events - test if PHY event should be ignored
++ * @link: Link receiving the event
++ *
++ * Test whether the received PHY event has to be ignored or not.
++ *
++ * LOCKING:
++ * None:
++ *
++ * RETURNS:
++ * True if the event has to be ignored.
++ */
++bool sata_lpm_ignore_phy_events(struct ata_link *link)
++{
++ /* if LPM is enabled, PHYRDY doesn't mean anything */
++ return !!(link->lpm_policy > ATA_LPM_MAX_POWER);
++}
++EXPORT_SYMBOL_GPL(sata_lpm_ignore_phy_events);
++
+ /*
+ * Dummy port_ops
+ */
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -1202,6 +1202,7 @@ extern struct ata_device *ata_dev_pair(s
+ extern int ata_do_set_mode(struct ata_link *link, struct ata_device **r_failed_dev);
+ extern void ata_scsi_port_error_handler(struct Scsi_Host *host, struct ata_port *ap);
+ extern void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap, struct list_head *eh_q);
++extern bool sata_lpm_ignore_phy_events(struct ata_link *link);
+
+ extern int ata_cable_40wire(struct ata_port *ap);
+ extern int ata_cable_80wire(struct ata_port *ap);
--- /dev/null
+From 9a9324d3969678d44b330e1230ad2c8ae67acf81 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Mon, 4 May 2015 12:20:29 -0400
+Subject: libata: Blacklist queued TRIM on all Samsung 800-series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+
+commit 9a9324d3969678d44b330e1230ad2c8ae67acf81 upstream.
+
+The queued TRIM problems appear to be generic to Samsung's firmware and
+not tied to a particular model. A recent update to the 840 EVO firmware
+introduced the same issue as we saw on 850 Pro.
+
+Blacklist queued TRIM on all 800-series drives while we work this issue
+with Samsung.
+
+Reported-by: Günter Waller <g.wal@web.de>
+Reported-by: Sven Köhler <sven.koehler@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4214,7 +4214,7 @@ static const struct ata_blacklist_entry
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
+- { "Samsung SSD 850 PRO*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
++ { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
+
+ /*
--- /dev/null
+From 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 Mon Sep 17 00:00:00 2001
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Date: Sat, 25 Apr 2015 19:52:37 +0200
+Subject: libata: Ignore spurious PHY event on LPM policy change
+
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+
+commit 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 upstream.
+
+When the LPM policy is set to ATA_LPM_MAX_POWER, the device might
+generate a spurious PHY event that cuases errors on the link.
+Ignore this event if it occured within 10s after the policy change.
+
+The timeout was chosen observing that on a Dell XPS13 9333 these
+spurious events can occur up to roughly 6s after the policy change.
+
+Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13
+Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 15 ++++++++++++++-
+ drivers/ata/libata-eh.c | 3 +++
+ include/linux/libata.h | 9 +++++++++
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6742,8 +6742,21 @@ u32 ata_wait_register(struct ata_port *a
+ */
+ bool sata_lpm_ignore_phy_events(struct ata_link *link)
+ {
++ unsigned long lpm_timeout = link->last_lpm_change +
++ msecs_to_jiffies(ATA_TMOUT_SPURIOUS_PHY);
++
+ /* if LPM is enabled, PHYRDY doesn't mean anything */
+- return !!(link->lpm_policy > ATA_LPM_MAX_POWER);
++ if (link->lpm_policy > ATA_LPM_MAX_POWER)
++ return true;
++
++ /* ignore the first PHY event after the LPM policy changed
++ * as it is might be spurious
++ */
++ if ((link->flags & ATA_LFLAG_CHANGED) &&
++ time_before(jiffies, lpm_timeout))
++ return true;
++
++ return false;
+ }
+ EXPORT_SYMBOL_GPL(sata_lpm_ignore_phy_events);
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -3489,6 +3489,9 @@ static int ata_eh_set_lpm(struct ata_lin
+ }
+ }
+
++ link->last_lpm_change = jiffies;
++ link->flags |= ATA_LFLAG_CHANGED;
++
+ return 0;
+
+ fail:
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -205,6 +205,7 @@ enum {
+ ATA_LFLAG_SW_ACTIVITY = (1 << 7), /* keep activity stats */
+ ATA_LFLAG_NO_LPM = (1 << 8), /* disable LPM on this link */
+ ATA_LFLAG_RST_ONCE = (1 << 9), /* limit recovery to one reset */
++ ATA_LFLAG_CHANGED = (1 << 10), /* LPM state changed on this link */
+
+ /* struct ata_port flags */
+ ATA_FLAG_SLAVE_POSS = (1 << 0), /* host supports slave dev */
+@@ -310,6 +311,12 @@ enum {
+ */
+ ATA_TMOUT_PMP_SRST_WAIT = 5000,
+
++ /* When the LPM policy is set to ATA_LPM_MAX_POWER, there might
++ * be a spurious PHY event, so ignore the first PHY event that
++ * occurs within 10s after the policy change.
++ */
++ ATA_TMOUT_SPURIOUS_PHY = 10000,
++
+ /* ATA bus states */
+ BUS_UNKNOWN = 0,
+ BUS_DMA = 1,
+@@ -789,6 +796,8 @@ struct ata_link {
+ struct ata_eh_context eh_context;
+
+ struct ata_device device[ATA_MAX_DEVICES];
++
++ unsigned long last_lpm_change; /* when last LPM change happened */
+ };
+ #define ATA_LINK_CLEAR_BEGIN offsetof(struct ata_link, active_tag)
+ #define ATA_LINK_CLEAR_END offsetof(struct ata_link, device[0])
--- /dev/null
+From 60c8f783a18feb95ad967c87e9660caf09fb4700 Mon Sep 17 00:00:00 2001
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+Date: Wed, 6 May 2015 15:16:46 +0200
+Subject: mmc: atmel-mci: fix bad variable type for clkdiv
+
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+
+commit 60c8f783a18feb95ad967c87e9660caf09fb4700 upstream.
+
+clkdiv is declared as an u32 but it can be set to a negative value
+causing a huge divisor value. Change its type to int to avoid this case.
+
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/atmel-mci.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -1304,7 +1304,7 @@ static void atmci_set_ios(struct mmc_hos
+
+ if (ios->clock) {
+ unsigned int clock_min = ~0U;
+- u32 clkdiv;
++ int clkdiv;
+
+ spin_lock_bh(&host->lock);
+ if (!host->mode_reg) {
+@@ -1328,7 +1328,12 @@ static void atmci_set_ios(struct mmc_hos
+ /* Calculate clock divider */
+ if (host->caps.has_odd_clk_div) {
+ clkdiv = DIV_ROUND_UP(host->bus_hz, clock_min) - 2;
+- if (clkdiv > 511) {
++ if (clkdiv < 0) {
++ dev_warn(&mmc->class_dev,
++ "clock %u too fast; using %lu\n",
++ clock_min, host->bus_hz / 2);
++ clkdiv = 0;
++ } else if (clkdiv > 511) {
+ dev_warn(&mmc->class_dev,
+ "clock %u too slow; using %lu\n",
+ clock_min, host->bus_hz / (511 + 2));
--- /dev/null
+From 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 14 May 2015 14:45:40 +1000
+Subject: powerpc: Align TOC to 256 bytes
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 upstream.
+
+Recent toolchains force the TOC to be 256 byte aligned. We need
+to enforce this alignment in our linker script, otherwise pointers
+to our TOC variables (__toc_start, __prom_init_toc_start) could
+be incorrect.
+
+If they are bad, we die a few hundred instructions into boot.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/vmlinux.lds.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -213,6 +213,7 @@ SECTIONS
+ *(.opd)
+ }
+
++ . = ALIGN(256);
+ .got : AT(ADDR(.got) - LOAD_OFFSET) {
+ __toc_start = .;
+ #ifndef CONFIG_RELOCATABLE
--- /dev/null
+From ffb2d78eca08a1451137583d4e435aecfd6af809 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 12 May 2015 13:23:59 +1000
+Subject: powerpc/mce: fix off by one errors in mce event handling
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit ffb2d78eca08a1451137583d4e435aecfd6af809 upstream.
+
+Before 69111bac42f5 ("powerpc: Replace __get_cpu_var uses"), in
+save_mce_event, index got the value of mce_nest_count, and
+mce_nest_count was incremented *after* index was set.
+
+However, that patch changed the behaviour so that mce_nest count was
+incremented *before* setting index.
+
+This causes an off-by-one error, as get_mce_event sets index as
+mce_nest_count - 1 before reading mce_event. Thus get_mce_event reads
+bogus data, causing warnings like
+"Machine Check Exception, Unknown event version 0 !"
+and breaking MCEs handling.
+
+Restore the old behaviour and unbreak MCE handling by subtracting one
+from the newly incremented value.
+
+The same broken change occured in machine_check_queue_event (which set
+a queue read by machine_check_process_queued_event). Fix that too,
+unbreaking printing of MCE information.
+
+Fixes: 69111bac42f5 ("powerpc: Replace __get_cpu_var uses")
+CC: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+CC: Christoph Lameter <cl@linux.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/mce.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/mce.c
++++ b/arch/powerpc/kernel/mce.c
+@@ -73,7 +73,7 @@ void save_mce_event(struct pt_regs *regs
+ uint64_t nip, uint64_t addr)
+ {
+ uint64_t srr1;
+- int index = __this_cpu_inc_return(mce_nest_count);
++ int index = __this_cpu_inc_return(mce_nest_count) - 1;
+ struct machine_check_event *mce = this_cpu_ptr(&mce_event[index]);
+
+ /*
+@@ -184,7 +184,7 @@ void machine_check_queue_event(void)
+ if (!get_mce_event(&evt, MCE_EVENT_RELEASE))
+ return;
+
+- index = __this_cpu_inc_return(mce_queue_count);
++ index = __this_cpu_inc_return(mce_queue_count) - 1;
+ /* If queue is full, just return for now. */
+ if (index >= MAX_MC_EVT) {
+ __this_cpu_dec(mce_queue_count);
--- /dev/null
+From 1a48632ffed61352a7810ce089dc5a8bcd505a60 Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Mon, 13 Apr 2015 13:24:34 -0400
+Subject: pty: Fix input race when closing
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 1a48632ffed61352a7810ce089dc5a8bcd505a60 upstream.
+
+A read() from a pty master may mistakenly indicate EOF (errno == -EIO)
+after the pty slave has closed, even though input data remains to be read.
+For example,
+
+ pty slave | input worker | pty master
+ | |
+ | | n_tty_read()
+pty_write() | | input avail? no
+ add data | | sleep
+ schedule worker --->| | .
+ |---> flush_to_ldisc() | .
+pty_close() | fill read buffer | .
+ wait for worker | wakeup reader --->| .
+ | read buffer full? |---> input avail ? yes
+ |<--- yes - exit worker | copy 4096 bytes to user
+ TTY_OTHER_CLOSED <---| |<--- kick worker
+ | |
+
+ **** New read() before worker starts ****
+
+ | | n_tty_read()
+ | | input avail? no
+ | | TTY_OTHER_CLOSED? yes
+ | | return -EIO
+
+Several conditions are required to trigger this race:
+1. the ldisc read buffer must become full so the input worker exits
+2. the read() count parameter must be >= 4096 so the ldisc read buffer
+ is empty
+3. the subsequent read() occurs before the kicked worker has processed
+ more input
+
+However, the underlying cause of the race is that data is pipelined, while
+tty state is not; ie., data already written by the pty slave end is not
+yet visible to the pty master end, but state changes by the pty slave end
+are visible to the pty master end immediately.
+
+Pipeline the TTY_OTHER_CLOSED state through input worker to the reader.
+1. Introduce TTY_OTHER_DONE which is set by the input worker when
+ TTY_OTHER_CLOSED is set and either the input buffers are flushed or
+ input processing has completed. Readers/polls are woken when
+ TTY_OTHER_DONE is set.
+2. Reader/poll checks TTY_OTHER_DONE instead of TTY_OTHER_CLOSED.
+3. A new input worker is started from pty_close() after setting
+ TTY_OTHER_CLOSED, which ensures the TTY_OTHER_DONE state will be
+ set if the last input worker is already finished (or just about to
+ exit).
+
+Remove tty_flush_to_ldisc(); no in-tree callers.
+
+Fixes: 52bce7f8d4fc ("pty, n_tty: Simplify input processing on final close")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=96311
+BugLink: http://bugs.launchpad.net/bugs/1429756
+Reported-by: Andy Whitcroft <apw@canonical.com>
+Reported-by: H.J. Lu <hjl.tools@gmail.com>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/serial/tty.txt | 3 +++
+ drivers/tty/n_hdlc.c | 4 ++--
+ drivers/tty/n_tty.c | 22 ++++++++++++++++++----
+ drivers/tty/pty.c | 5 +++--
+ drivers/tty/tty_buffer.c | 41 +++++++++++++++++++++++++++--------------
+ include/linux/tty.h | 2 +-
+ 6 files changed, 54 insertions(+), 23 deletions(-)
+
+--- a/Documentation/serial/tty.txt
++++ b/Documentation/serial/tty.txt
+@@ -198,6 +198,9 @@ TTY_IO_ERROR If set, causes all subsequ
+
+ TTY_OTHER_CLOSED Device is a pty and the other side has closed.
+
++TTY_OTHER_DONE Device is a pty and the other side has closed and
++ all pending input processing has been completed.
++
+ TTY_NO_WRITE_SPLIT Prevent driver from splitting up writes into
+ smaller chunks.
+
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -600,7 +600,7 @@ static ssize_t n_hdlc_tty_read(struct tt
+ add_wait_queue(&tty->read_wait, &wait);
+
+ for (;;) {
+- if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
++ if (test_bit(TTY_OTHER_DONE, &tty->flags)) {
+ ret = -EIO;
+ break;
+ }
+@@ -828,7 +828,7 @@ static unsigned int n_hdlc_tty_poll(stru
+ /* set bits for operations that won't block */
+ if (n_hdlc->rx_buf_list.head)
+ mask |= POLLIN | POLLRDNORM; /* readable */
+- if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
++ if (test_bit(TTY_OTHER_DONE, &tty->flags))
+ mask |= POLLHUP;
+ if (tty_hung_up_p(filp))
+ mask |= POLLHUP;
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1949,6 +1949,18 @@ static inline int input_available_p(stru
+ return ldata->commit_head - ldata->read_tail >= amt;
+ }
+
++static inline int check_other_done(struct tty_struct *tty)
++{
++ int done = test_bit(TTY_OTHER_DONE, &tty->flags);
++ if (done) {
++ /* paired with cmpxchg() in check_other_closed(); ensures
++ * read buffer head index is not stale
++ */
++ smp_mb__after_atomic();
++ }
++ return done;
++}
++
+ /**
+ * copy_from_read_buf - copy read data directly
+ * @tty: terminal device
+@@ -2167,7 +2179,7 @@ static ssize_t n_tty_read(struct tty_str
+ struct n_tty_data *ldata = tty->disc_data;
+ unsigned char __user *b = buf;
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+- int c;
++ int c, done;
+ int minimum, time;
+ ssize_t retval = 0;
+ long timeout;
+@@ -2235,8 +2247,10 @@ static ssize_t n_tty_read(struct tty_str
+ ((minimum - (b - buf)) >= 1))
+ ldata->minimum_to_wake = (minimum - (b - buf));
+
++ done = check_other_done(tty);
++
+ if (!input_available_p(tty, 0)) {
+- if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
++ if (done) {
+ retval = -EIO;
+ break;
+ }
+@@ -2443,12 +2457,12 @@ static unsigned int n_tty_poll(struct tt
+
+ poll_wait(file, &tty->read_wait, wait);
+ poll_wait(file, &tty->write_wait, wait);
++ if (check_other_done(tty))
++ mask |= POLLHUP;
+ if (input_available_p(tty, 1))
+ mask |= POLLIN | POLLRDNORM;
+ if (tty->packet && tty->link->ctrl_status)
+ mask |= POLLPRI | POLLIN | POLLRDNORM;
+- if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
+- mask |= POLLHUP;
+ if (tty_hung_up_p(file))
+ mask |= POLLHUP;
+ if (!(mask & (POLLHUP | POLLIN | POLLRDNORM))) {
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -53,9 +53,8 @@ static void pty_close(struct tty_struct
+ /* Review - krefs on tty_link ?? */
+ if (!tty->link)
+ return;
+- tty_flush_to_ldisc(tty->link);
+ set_bit(TTY_OTHER_CLOSED, &tty->link->flags);
+- wake_up_interruptible(&tty->link->read_wait);
++ tty_flip_buffer_push(tty->link->port);
+ wake_up_interruptible(&tty->link->write_wait);
+ if (tty->driver->subtype == PTY_TYPE_MASTER) {
+ set_bit(TTY_OTHER_CLOSED, &tty->flags);
+@@ -243,7 +242,9 @@ static int pty_open(struct tty_struct *t
+ goto out;
+
+ clear_bit(TTY_IO_ERROR, &tty->flags);
++ /* TTY_OTHER_CLOSED must be cleared before TTY_OTHER_DONE */
+ clear_bit(TTY_OTHER_CLOSED, &tty->link->flags);
++ clear_bit(TTY_OTHER_DONE, &tty->link->flags);
+ set_bit(TTY_THROTTLED, &tty->flags);
+ return 0;
+
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -37,6 +37,28 @@
+
+ #define TTY_BUFFER_PAGE (((PAGE_SIZE - sizeof(struct tty_buffer)) / 2) & ~0xFF)
+
++/*
++ * If all tty flip buffers have been processed by flush_to_ldisc() or
++ * dropped by tty_buffer_flush(), check if the linked pty has been closed.
++ * If so, wake the reader/poll to process
++ */
++static inline void check_other_closed(struct tty_struct *tty)
++{
++ unsigned long flags, old;
++
++ /* transition from TTY_OTHER_CLOSED => TTY_OTHER_DONE must be atomic */
++ for (flags = ACCESS_ONCE(tty->flags);
++ test_bit(TTY_OTHER_CLOSED, &flags);
++ ) {
++ old = flags;
++ __set_bit(TTY_OTHER_DONE, &flags);
++ flags = cmpxchg(&tty->flags, old, flags);
++ if (old == flags) {
++ wake_up_interruptible(&tty->read_wait);
++ break;
++ }
++ }
++}
+
+ /**
+ * tty_buffer_lock_exclusive - gain exclusive access to buffer
+@@ -229,6 +251,8 @@ void tty_buffer_flush(struct tty_struct
+ if (ld && ld->ops->flush_buffer)
+ ld->ops->flush_buffer(tty);
+
++ check_other_closed(tty);
++
+ atomic_dec(&buf->priority);
+ mutex_unlock(&buf->lock);
+ }
+@@ -471,8 +495,10 @@ static void flush_to_ldisc(struct work_s
+ smp_rmb();
+ count = head->commit - head->read;
+ if (!count) {
+- if (next == NULL)
++ if (next == NULL) {
++ check_other_closed(tty);
+ break;
++ }
+ buf->head = next;
+ tty_buffer_free(port, head);
+ continue;
+@@ -489,19 +515,6 @@ static void flush_to_ldisc(struct work_s
+ }
+
+ /**
+- * tty_flush_to_ldisc
+- * @tty: tty to push
+- *
+- * Push the terminal flip buffers to the line discipline.
+- *
+- * Must not be called from IRQ context.
+- */
+-void tty_flush_to_ldisc(struct tty_struct *tty)
+-{
+- flush_work(&tty->port->buf.work);
+-}
+-
+-/**
+ * tty_flip_buffer_push - terminal
+ * @port: tty port to push
+ *
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -339,6 +339,7 @@ struct tty_file_private {
+ #define TTY_EXCLUSIVE 3 /* Exclusive open mode */
+ #define TTY_DEBUG 4 /* Debugging */
+ #define TTY_DO_WRITE_WAKEUP 5 /* Call write_wakeup after queuing new */
++#define TTY_OTHER_DONE 6 /* Closed pty has completed input processing */
+ #define TTY_LDISC_OPEN 11 /* Line discipline is open */
+ #define TTY_PTY_LOCK 16 /* pty private */
+ #define TTY_NO_WRITE_SPLIT 17 /* Preserve write boundaries to driver */
+@@ -462,7 +463,6 @@ extern int tty_hung_up_p(struct file *fi
+ extern void do_SAK(struct tty_struct *tty);
+ extern void __do_SAK(struct tty_struct *tty);
+ extern void no_tty(void);
+-extern void tty_flush_to_ldisc(struct tty_struct *tty);
+ extern void tty_buffer_free_all(struct tty_port *port);
+ extern void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld);
+ extern void tty_buffer_init(struct tty_port *port);
--- /dev/null
+From ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 Mon Sep 17 00:00:00 2001
+From: Scott Branden <sbranden@broadcom.com>
+Date: Mon, 16 Mar 2015 10:59:52 -0700
+Subject: rt2x00: add new rt2800usb device DWA 130
+
+From: Scott Branden <sbranden@broadcom.com>
+
+commit ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 upstream.
+
+Add the USB Id to link the D-Link DWA 130 USB Wifi adapter
+to the rt2830 driver.
+
+Signed-off-by: Scott Branden <sbranden@broadcom.com>
+Signed-off-by: Pieter Truter <ptruter@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rt2x00/rt2800usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -1040,6 +1040,7 @@ static struct usb_device_id rt2800usb_de
+ { USB_DEVICE(0x07d1, 0x3c17) },
+ { USB_DEVICE(0x2001, 0x3317) },
+ { USB_DEVICE(0x2001, 0x3c1b) },
++ { USB_DEVICE(0x2001, 0x3c25) },
+ /* Draytek */
+ { USB_DEVICE(0x07fa, 0x7712) },
+ /* DVICO */
staging-vt6655-vnt_tx_packet-correct-tx-order-of-owned_by_nic.patch
staging-vt6655-lock-macvwritebssidaddress.patch
perf-x86-rapl-enable-broadwell-u-rapl-support.patch
+target-pscsi-don-t-leak-scsi_host-if-hba-is-virtual_host.patch
+xhci-fix-isoc-endpoint-dequeue-from-advancing-too-far-on-transaction-error.patch
+xhci-solve-full-event-ring-by-increasing-trbs_per_segment-to-256.patch
+xhci-gracefully-handle-xhci_irq-dead-device.patch
+usb-visor-match-i330-phone-more-precisely.patch
+usb-pl2303-remove-support-for-samsung-i330.patch
+usb-cp210x-add-id-for-kcf-technologies-prn-device.patch
+usb-storage-add-no_wp_detect-quirk-for-lacie-059f-0651-devices.patch
+usb-gadget-configfs-fix-interfaces-array-null-termination.patch
+powerpc-mce-fix-off-by-one-errors-in-mce-event-handling.patch
+powerpc-align-toc-to-256-bytes.patch
+mmc-atmel-mci-fix-bad-variable-type-for-clkdiv.patch
+tty-n_gsm.c-fix-a-memory-leak-when-gsmtty-is-removed.patch
+pty-fix-input-race-when-closing.patch
+ext4-fix-lazytime-optimization.patch
+ext4-fix-null-pointer-dereference-when-journal-restart-fails.patch
+ext4-check-for-zero-length-extent-explicitly.patch
+jbd2-fix-r_count-overflows-leading-to-buffer-overflow-in-journal-recovery.patch
+ahci-avoton-port-disable-reset-quirk.patch
+libata-add-helper-to-determine-when-phy-events-should-be-ignored.patch
+libata-ignore-spurious-phy-event-on-lpm-policy-change.patch
+libata-blacklist-queued-trim-on-all-samsung-800-series.patch
+arm64-bpf-fix-signedness-bug-in-loading-64-bit-immediate.patch
+rt2x00-add-new-rt2800usb-device-dwa-130.patch
--- /dev/null
+From 5a7125c64def3b21f8147eca8b54949a60963942 Mon Sep 17 00:00:00 2001
+From: Andy Grover <agrover@redhat.com>
+Date: Fri, 22 May 2015 14:07:44 -0700
+Subject: target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST
+
+From: Andy Grover <agrover@redhat.com>
+
+commit 5a7125c64def3b21f8147eca8b54949a60963942 upstream.
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=1025672
+
+We need to put() the reference to the scsi host that we got in
+pscsi_configure_device(). In VIRTUAL_HOST mode it is associated with
+the dev_virt, not the hba_virt.
+
+Signed-off-by: Andy Grover <agrover@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pscsi.c | 3 +++
+ drivers/target/target_core_pscsi.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -521,6 +521,7 @@ static int pscsi_configure_device(struct
+ " pdv_host_id: %d\n", pdv->pdv_host_id);
+ return -EINVAL;
+ }
++ pdv->pdv_lld_host = sh;
+ }
+ } else {
+ if (phv->phv_mode == PHV_VIRTUAL_HOST_ID) {
+@@ -603,6 +604,8 @@ static void pscsi_free_device(struct se_
+ if ((phv->phv_mode == PHV_LLD_SCSI_HOST_NO) &&
+ (phv->phv_lld_host != NULL))
+ scsi_host_put(phv->phv_lld_host);
++ else if (pdv->pdv_lld_host)
++ scsi_host_put(pdv->pdv_lld_host);
+
+ if ((sd->type == TYPE_DISK) || (sd->type == TYPE_ROM))
+ scsi_device_put(sd);
+--- a/drivers/target/target_core_pscsi.h
++++ b/drivers/target/target_core_pscsi.h
+@@ -45,6 +45,7 @@ struct pscsi_dev_virt {
+ int pdv_lun_id;
+ struct block_device *pdv_bd;
+ struct scsi_device *pdv_sd;
++ struct Scsi_Host *pdv_lld_host;
+ } ____cacheline_aligned;
+
+ typedef enum phv_modes {
--- /dev/null
+From 8f9cfeed3eae86c70d3b04445a6f2036b27b6304 Mon Sep 17 00:00:00 2001
+From: Pan Xinhui <xinhuix.pan@intel.com>
+Date: Sat, 28 Mar 2015 10:42:56 +0800
+Subject: tty/n_gsm.c: fix a memory leak when gsmtty is removed
+
+From: Pan Xinhui <xinhuix.pan@intel.com>
+
+commit 8f9cfeed3eae86c70d3b04445a6f2036b27b6304 upstream.
+
+when gsmtty_remove put dlci, it will cause memory leak if dlci->port's refcount is zero.
+So we do the cleanup work in .cleanup callback instead.
+
+dlci will be last put in two call chains.
+1) gsmld_close -> gsm_cleanup_mux -> gsm_dlci_release -> dlci_put
+2) gsmld_remove -> dlci_put
+so there is a race. the memory leak depends on the race.
+
+In call chain 2. we hit the memory leak. below comment tells.
+
+release_tty -> tty_driver_remove_tty -> gsmtty_remove -> dlci_put -> tty_port_destructor (WARN_ON(port->itty) and return directly)
+ |
+ tty->port->itty = NULL;
+ |
+ tty_kref_put ---> release_one_tty -> gsmtty_cleanup (added by our patch)
+
+So our patch fix the memory leak by doing the cleanup work after tty core did.
+
+Signed-off-by: Pan Xinhui <xinhuix.pan@intel.com>
+Fixes: dfabf7ffa30585
+Acked-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_gsm.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3170,7 +3170,7 @@ static int gsmtty_break_ctl(struct tty_s
+ return gsmtty_modem_update(dlci, encode);
+ }
+
+-static void gsmtty_remove(struct tty_driver *driver, struct tty_struct *tty)
++static void gsmtty_cleanup(struct tty_struct *tty)
+ {
+ struct gsm_dlci *dlci = tty->driver_data;
+ struct gsm_mux *gsm = dlci->gsm;
+@@ -3178,7 +3178,6 @@ static void gsmtty_remove(struct tty_dri
+ dlci_put(dlci);
+ dlci_put(gsm->dlci[0]);
+ mux_put(gsm);
+- driver->ttys[tty->index] = NULL;
+ }
+
+ /* Virtual ttys for the demux */
+@@ -3199,7 +3198,7 @@ static const struct tty_operations gsmtt
+ .tiocmget = gsmtty_tiocmget,
+ .tiocmset = gsmtty_tiocmset,
+ .break_ctl = gsmtty_break_ctl,
+- .remove = gsmtty_remove,
++ .cleanup = gsmtty_cleanup,
+ };
+
+
--- /dev/null
+From c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 Mon Sep 17 00:00:00 2001
+From: Mark Edwards <sonofaforester@gmail.com>
+Date: Tue, 14 Apr 2015 08:52:34 -0400
+Subject: USB: cp210x: add ID for KCF Technologies PRN device
+
+From: Mark Edwards <sonofaforester@gmail.com>
+
+commit c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 upstream.
+
+Added the USB serial console device ID for KCF Technologies PRN device
+which has a USB port for its serial console.
+
+Signed-off-by: Mark Edwards <sonofaforester@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -127,6 +127,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
+ { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
++ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
--- /dev/null
+From 903124fe1aa284f61745a9dd4fbfa0184e569fff Mon Sep 17 00:00:00 2001
+From: Krzysztof Opasiak <k.opasiak@samsung.com>
+Date: Fri, 20 Mar 2015 15:48:56 +0100
+Subject: usb: gadget: configfs: Fix interfaces array NULL-termination
+
+From: Krzysztof Opasiak <k.opasiak@samsung.com>
+
+commit 903124fe1aa284f61745a9dd4fbfa0184e569fff upstream.
+
+memset() to 0 interfaces array before reusing
+usb_configuration structure.
+
+This commit fix bug:
+
+ln -s functions/acm.1 configs/c.1
+ln -s functions/acm.2 configs/c.1
+ln -s functions/acm.3 configs/c.1
+echo "UDC name" > UDC
+echo "" > UDC
+rm configs/c.1/acm.*
+rmdir functions/*
+mkdir functions/ecm.usb0
+ln -s functions/ecm.usb0 configs/c.1
+echo "UDC name" > UDC
+
+[ 82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[ 82.229009] pgd = c0004000
+[ 82.231698] [00000000] *pgd=00000000
+[ 82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+[ 82.240638] Modules linked in:
+[ 82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39
+[ 82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+[ 82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000
+[ 82.261393] PC is at composite_setup+0xe3c/0x1674
+[ 82.266073] LR is at composite_setup+0xf20/0x1674
+[ 82.270760] pc : [<c03510d4>] lr : [<c03511b8>] psr: 600001d3
+[ 82.270760] sp : c07c9df0 ip : c0806448 fp : ed8c9c9c
+[ 82.282216] r10: 00000001 r9 : 00000000 r8 : edaae918
+[ 82.287425] r7 : ed551cc0 r6 : 00007fff r5 : 00000000 r4 : ed799634
+[ 82.293934] r3 : 00000003 r2 : 00010002 r1 : edaae918 r0 : 0000002e
+[ 82.300446] Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel
+[ 82.307910] Control: 10c5387d Table: 6bc1804a DAC: 00000015
+[ 82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210)
+[ 82.319627] Stack: (0xc07c9df0 to 0xc07ca000)
+[ 82.323969] 9de0: 00000000 c06e65f4 00000000 c07c9f68
+[ 82.332130] 9e00: 00000067 c07c59ac 000003f7 edaae918 ed8c9c98 ed799690 eca2f140 200001d3
+[ 82.340289] 9e20: ee79a2d8 c07c9e88 c07c5304 ffff55db 00010002 edaae810 edaae860 eda96d50
+[ 82.348448] 9e40: 00000009 ee264510 00000007 c07ca444 edaae860 c0340890 c0827a40 ffff55e0
+[ 82.356607] 9e60: c0827a40 eda96e40 ee264510 edaae810 00000000 edaae860 00000007 c07ca444
+[ 82.364766] 9e80: edaae860 c0354170 c03407dc c033db4c edaae810 00000000 00000000 00000010
+[ 82.372925] 9ea0: 00000032 c0341670 00000000 00000000 00000001 eda96e00 00000000 00000000
+[ 82.381084] 9ec0: 00000000 00000032 c0803a23 ee1aa840 00000001 c005d54c 249e2450 00000000
+[ 82.389244] 9ee0: 200001d3 ee1aa840 ee1aa8a0 ed84f4c0 00000000 c07c9f68 00000067 c07c59ac
+[ 82.397403] 9f00: 00000000 c005d688 ee1aa840 ee1aa8a0 c07db4b4 c006009c 00000032 00000000
+[ 82.405562] 9f20: 00000001 c005ce20 c07c59ac c005cf34 f002000c c07ca780 c07c9f68 00000057
+[ 82.413722] 9f40: f0020000 413fc090 00000001 c00086b4 c000f804 60000053 ffffffff c07c9f9c
+[ 82.421880] 9f60: c0803a20 c0011fc0 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
+[ 82.430040] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
+[ 82.438199] 9fa0: c000f800 c000f804 60000053 ffffffff 00000000 c0050e70 c0803bc0 c0783bd8
+[ 82.446358] 9fc0: ffffffff ffffffff c0783664 00000000 00000000 c07b13e8 00000000 c0803e54
+[ 82.454517] 9fe0: c07ca480 c07b13e4 c07ce40c 4000406a 00000000 40008074 00000000 00000000
+[ 82.462689] [<c03510d4>] (composite_setup) from [<c0340890>] (s3c_hsotg_complete_setup+0xb4/0x418)
+[ 82.471626] [<c0340890>] (s3c_hsotg_complete_setup) from [<c0354170>] (usb_gadget_giveback_request+0xc/0x10)
+[ 82.481429] [<c0354170>] (usb_gadget_giveback_request) from [<c033db4c>] (s3c_hsotg_complete_request+0xcc/0x12c)
+[ 82.491583] [<c033db4c>] (s3c_hsotg_complete_request) from [<c0341670>] (s3c_hsotg_irq+0x4fc/0x558)
+[ 82.500614] [<c0341670>] (s3c_hsotg_irq) from [<c005d54c>] (handle_irq_event_percpu+0x50/0x150)
+[ 82.509291] [<c005d54c>] (handle_irq_event_percpu) from [<c005d688>] (handle_irq_event+0x3c/0x5c)
+[ 82.518145] [<c005d688>] (handle_irq_event) from [<c006009c>] (handle_fasteoi_irq+0xd4/0x18c)
+[ 82.526650] [<c006009c>] (handle_fasteoi_irq) from [<c005ce20>] (generic_handle_irq+0x20/0x30)
+[ 82.535242] [<c005ce20>] (generic_handle_irq) from [<c005cf34>] (__handle_domain_irq+0x6c/0xdc)
+[ 82.543923] [<c005cf34>] (__handle_domain_irq) from [<c00086b4>] (gic_handle_irq+0x2c/0x6c)
+[ 82.552256] [<c00086b4>] (gic_handle_irq) from [<c0011fc0>] (__irq_svc+0x40/0x74)
+[ 82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0)
+[ 82.564753] 9f60: 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
+[ 82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
+[ 82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff
+[ 82.586113] [<c0011fc0>] (__irq_svc) from [<c000f804>] (arch_cpu_idle+0x30/0x3c)
+[ 82.593491] [<c000f804>] (arch_cpu_idle) from [<c0050e70>] (cpu_startup_entry+0x128/0x1a4)
+[ 82.601740] [<c0050e70>] (cpu_startup_entry) from [<c0783bd8>] (start_kernel+0x350/0x3bc)
+[ 82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000)
+[ 82.615965] ---[ end trace f57d5f599a5f1bfa ]---
+
+Most of kernel code assume that interface array in
+struct usb_configuration is NULL terminated.
+
+When gadget is composed with configfs configuration
+structure may be reused for different functions set.
+
+This bug happens because purge_configs_funcs() sets
+only next_interface_id to 0. Interface array still
+contains pointers to already freed interfaces. If in
+second try we add less interfaces than earlier we
+may access unallocated memory when trying to get
+interface descriptors.
+
+Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1295,6 +1295,7 @@ static void purge_configs_funcs(struct g
+ }
+ }
+ c->next_interface_id = 0;
++ memset(c->interface, 0, sizeof(c->interface));
+ c->superspeed = 0;
+ c->highspeed = 0;
+ c->fullspeed = 0;
--- /dev/null
+From 48ef23a4f686b1e4519d4193c20d26834ff810ff Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 22 Apr 2015 14:35:08 +0200
+Subject: USB: pl2303: Remove support for Samsung I330
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 48ef23a4f686b1e4519d4193c20d26834ff810ff upstream.
+
+This phone is already supported by the visor driver.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/pl2303.c | 1 -
+ drivers/usb/serial/pl2303.h | 4 ----
+ 2 files changed, 5 deletions(-)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -61,7 +61,6 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(DCU10_VENDOR_ID, DCU10_PRODUCT_ID) },
+ { USB_DEVICE(SITECOM_VENDOR_ID, SITECOM_PRODUCT_ID) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_ID) },
+- { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_ID) },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_SX1),
+ .driver_info = PL2303_QUIRK_UART_STATE_IDX0 },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_X65),
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -62,10 +62,6 @@
+ #define ALCATEL_VENDOR_ID 0x11f7
+ #define ALCATEL_PRODUCT_ID 0x02df
+
+-/* Samsung I330 phone cradle */
+-#define SAMSUNG_VENDOR_ID 0x04e8
+-#define SAMSUNG_PRODUCT_ID 0x8001
+-
+ #define SIEMENS_VENDOR_ID 0x11f5
+ #define SIEMENS_PRODUCT_ID_SX1 0x0001
+ #define SIEMENS_PRODUCT_ID_X65 0x0003
--- /dev/null
+From 172115090f5e739660b97694618a2ba86457063a Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 30 Apr 2015 11:09:44 +0200
+Subject: usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 172115090f5e739660b97694618a2ba86457063a upstream.
+
+Without this flag some versions of these enclosures do not work.
+
+Reported-and-tested-by: Christian Schaller <cschalle@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -766,6 +766,13 @@ UNUSUAL_DEV( 0x059f, 0x0643, 0x0000, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_GO_SLOW ),
+
++/* Reported by Christian Schaller <cschalle@redhat.com> */
++UNUSUAL_DEV( 0x059f, 0x0651, 0x0000, 0x0000,
++ "LaCie",
++ "External HDD",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_WP_DETECT ),
++
+ /* Submitted by Joel Bourquard <numlock@freesurf.ch>
+ * Some versions of this device need the SubClass and Protocol overrides
+ * while others don't.
--- /dev/null
+From 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 22 Apr 2015 14:35:09 +0200
+Subject: USB: visor: Match I330 phone more precisely
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d upstream.
+
+Samsung has just released a portable USB3 SSD, coming in a very small
+and nice form factor. It's USB ID is 04e8:8001, which unfortunately is
+already used by the Palm Visor driver for the Samsung I330 phone cradle.
+Having pl2303 or visor pick up this device ID results in conflicts with
+the usb-storage driver, which handles the newly released portable USB3
+SSD.
+
+To work around this conflict, I've dug up a mailing list post [1] from a
+long time ago, in which a user posts the full USB descriptor
+information. The most specific value in this appears to be the interface
+class, which has value 255 (0xff). Since usb-storage requires an
+interface class of 0x8, I believe it's correct to disambiguate the two
+devices by matching on 0xff inside visor.
+
+[1] http://permalink.gmane.org/gmane.linux.usb.user/4264
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/visor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -95,7 +95,7 @@ static const struct usb_device_id id_tab
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
+ { USB_DEVICE(ACER_VENDOR_ID, ACER_S10_ID),
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
+- { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_SCH_I330_ID),
++ { USB_DEVICE_INTERFACE_CLASS(SAMSUNG_VENDOR_ID, SAMSUNG_SCH_I330_ID, 0xff),
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
+ { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_SPH_I500_ID),
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
--- /dev/null
+From d104d0152a97fade389f47635b73a9ccc7295d0b Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 30 Apr 2015 17:16:02 +0300
+Subject: xhci: fix isoc endpoint dequeue from advancing too far on transaction error
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit d104d0152a97fade389f47635b73a9ccc7295d0b upstream.
+
+Isoc TDs usually consist of one TRB, sometimes two. When all goes well we
+receive only one success event for a TD, and move the dequeue pointer to
+the next TD.
+
+This fails if the TD consists of two TRBs and we get a transfer error
+on the first TRB, we will then see two events for that TD.
+
+Fix this by making sure the event we get is for the last TRB in that TD
+before moving the dequeue pointer to the next TD. This will resolve some
+of the uvc and dvb issues with the
+"ERROR Transfer event TRB DMA ptr not part of current TD" error message
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2026,8 +2026,13 @@ static int process_isoc_td(struct xhci_h
+ break;
+ case COMP_DEV_ERR:
+ case COMP_STALL:
++ frame->status = -EPROTO;
++ skip_td = true;
++ break;
+ case COMP_TX_ERR:
+ frame->status = -EPROTO;
++ if (event_trb != td->last_trb)
++ return 0;
+ skip_td = true;
+ break;
+ case COMP_STOP:
--- /dev/null
+From 948fa13504f80b9765d2b753691ab94c83a10341 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@stratus.com>
+Date: Thu, 30 Apr 2015 17:16:04 +0300
+Subject: xhci: gracefully handle xhci_irq dead device
+
+From: Joe Lawrence <joe.lawrence@stratus.com>
+
+commit 948fa13504f80b9765d2b753691ab94c83a10341 upstream.
+
+If the xHCI host controller has died (ie, device removed) or suffered
+other serious fatal error (STS_FATAL), then xhci_irq should handle this
+condition with IRQ_HANDLED instead of -ESHUTDOWN.
+
+Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2645,7 +2645,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
+ xhci_halt(xhci);
+ hw_died:
+ spin_unlock(&xhci->lock);
+- return -ESHUTDOWN;
++ return IRQ_HANDLED;
+ }
+
+ /*
--- /dev/null
+From 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 30 Apr 2015 17:16:03 +0300
+Subject: xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 upstream.
+
+Our event ring consists of only one segment, and we risk filling
+the event ring in case we get isoc transfers with short intervals
+such as webcams that fill a TD every microframe (125us)
+
+With 64 TRB segment size one usb camera could fill the event ring in 8ms.
+A setup with several cameras and other devices can fill up the
+event ring as it is shared between all devices.
+This has occurred when uvcvideo queues 5 * 32TD URBs which then
+get cancelled when the video mode changes. The cancelled URBs are returned
+in the xhci interrupt context and blocks the interrupt handler from
+handling the new events.
+
+A full event ring will block xhci from scheduling traffic and affect all
+devices conneted to the xhci, will see errors such as Missed Service
+Intervals for isoc devices, and and Split transaction errors for LS/FS
+interrupt devices.
+
+Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring
+size, which is welcome as for most isoc transfer we had to dynamically
+expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo
+queues.
+
+The default size used to be 64 TRBs per segment
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1267,7 +1267,7 @@ union xhci_trb {
+ * since the command ring is 64-byte aligned.
+ * It must also be greater than 16.
+ */
+-#define TRBS_PER_SEGMENT 64
++#define TRBS_PER_SEGMENT 256
+ /* Allow two commands + a link TRB, along with any reserved command TRBs */
+ #define MAX_RSVD_CMD_TRBS (TRBS_PER_SEGMENT - 3)
+ #define TRB_SEGMENT_SIZE (TRBS_PER_SEGMENT*16)
projects / thirdparty / kernel / stable-queue.git / commitdiff
