--- /dev/null
+From 7e9e148af01ef388efb6e2490805970be4622792 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 28 Feb 2014 14:52:01 +0100
+Subject: can: flexcan: flexcan_open(): fix error path if flexcan_chip_start() fails
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 7e9e148af01ef388efb6e2490805970be4622792 upstream.
+
+If flexcan_chip_start() in flexcan_open() fails, the interrupt is not freed,
+this patch adds the missing cleanup.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -862,7 +862,7 @@ static int flexcan_open(struct net_devic
+ /* start chip and queuing */
+ err = flexcan_chip_start(dev);
+ if (err)
+- goto out_close;
++ goto out_free_irq;
+
+ can_led_event(dev, CAN_LED_EVENT_OPEN);
+
+@@ -871,6 +871,8 @@ static int flexcan_open(struct net_devic
+
+ return 0;
+
++ out_free_irq:
++ free_irq(dev->irq, dev);
+ out_close:
+ close_candev(dev);
+ out:
--- /dev/null
+From 0a13404dd3bf4ea870e3d96270b5a382edca85c0 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Wed, 5 Mar 2014 14:29:58 +1100
+Subject: net: unix socket code abuses csum_partial
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 0a13404dd3bf4ea870e3d96270b5a382edca85c0 upstream.
+
+The unix socket code is using the result of csum_partial to
+hash into a lookup table:
+
+ unix_hash_fold(csum_partial(sunaddr, len, 0));
+
+csum_partial is only guaranteed to produce something that can be
+folded into a checksum, as its prototype explains:
+
+ * returns a 32-bit number suitable for feeding into itself
+ * or csum_tcpudp_magic
+
+The 32bit value should not be used directly.
+
+Depending on the alignment, the ppc64 csum_partial will return
+different 32bit partial checksums that will fold into the same
+16bit checksum.
+
+This difference causes the following testcase (courtesy of
+Gustavo) to sometimes fail:
+
+#include <sys/socket.h>
+#include <stdio.h>
+
+int main()
+{
+ int fd = socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0);
+
+ int i = 1;
+ setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &i, 4);
+
+ struct sockaddr addr;
+ addr.sa_family = AF_LOCAL;
+ bind(fd, &addr, 2);
+
+ listen(fd, 128);
+
+ struct sockaddr_storage ss;
+ socklen_t sslen = (socklen_t)sizeof(ss);
+ getsockname(fd, (struct sockaddr*)&ss, &sslen);
+
+ fd = socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0);
+
+ if (connect(fd, (struct sockaddr*)&ss, sslen) == -1){
+ perror(NULL);
+ return 1;
+ }
+ printf("OK\n");
+ return 0;
+}
+
+As suggested by davem, fix this by using csum_fold to fold the
+partial 32bit checksum into a 16bit checksum before using it.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/unix/af_unix.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -160,9 +160,8 @@ static inline void unix_set_secdata(stru
+
+ static inline unsigned int unix_hash_fold(__wsum n)
+ {
+- unsigned int hash = (__force unsigned int)n;
++ unsigned int hash = (__force unsigned int)csum_fold(n);
+
+- hash ^= hash>>16;
+ hash ^= hash>>8;
+ return hash&(UNIX_HASH_SIZE-1);
+ }
--- /dev/null
+From c59053a23d586675c25d789a7494adfdc02fba57 Mon Sep 17 00:00:00 2001
+From: Lukasz Dorau <lukasz.dorau@intel.com>
+Date: Thu, 6 Feb 2014 12:23:20 -0800
+Subject: SCSI: isci: correct erroneous for_each_isci_host macro
+
+From: Lukasz Dorau <lukasz.dorau@intel.com>
+
+commit c59053a23d586675c25d789a7494adfdc02fba57 upstream.
+
+In the first place, the loop 'for' in the macro 'for_each_isci_host'
+(drivers/scsi/isci/host.h:314) is incorrect, because it accesses
+the 3rd element of 2 element array. After the 2nd iteration it executes
+the instruction:
+ ihost = to_pci_info(pdev)->hosts[2]
+(while the size of the 'hosts' array equals 2) and reads an
+out of range element.
+
+In the second place, this loop is incorrectly optimized by GCC v4.8
+(see http://marc.info/?l=linux-kernel&m=138998871911336&w=2).
+As a result, on platforms with two SCU controllers,
+the loop is executed more times than it can be (for i=0,1 and 2).
+It causes kernel panic during entering the S3 state
+and the following oops after 'rmmod isci':
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [<ffffffff8131360b>] __list_add+0x1b/0xc0
+Oops: 0000 [#1] SMP
+RIP: 0010:[<ffffffff8131360b>] [<ffffffff8131360b>] __list_add+0x1b/0xc0
+Call Trace:
+ [<ffffffff81661b84>] __mutex_lock_slowpath+0x114/0x1b0
+ [<ffffffff81661c3f>] mutex_lock+0x1f/0x30
+ [<ffffffffa03e97cb>] sas_disable_events+0x1b/0x50 [libsas]
+ [<ffffffffa03e9818>] sas_unregister_ha+0x18/0x60 [libsas]
+ [<ffffffffa040316e>] isci_unregister+0x1e/0x40 [isci]
+ [<ffffffffa0403efd>] isci_pci_remove+0x5d/0x100 [isci]
+ [<ffffffff813391cb>] pci_device_remove+0x3b/0xb0
+ [<ffffffff813fbf7f>] __device_release_driver+0x7f/0xf0
+ [<ffffffff813fc8f8>] driver_detach+0xa8/0xb0
+ [<ffffffff813fbb8b>] bus_remove_driver+0x9b/0x120
+ [<ffffffff813fcf2c>] driver_unregister+0x2c/0x50
+ [<ffffffff813381f3>] pci_unregister_driver+0x23/0x80
+ [<ffffffffa04152f8>] isci_exit+0x10/0x1e [isci]
+ [<ffffffff810d199b>] SyS_delete_module+0x16b/0x2d0
+ [<ffffffff81012a21>] ? do_notify_resume+0x61/0xa0
+ [<ffffffff8166ce29>] system_call_fastpath+0x16/0x1b
+
+The loop has been corrected.
+This patch fixes kernel panic during entering the S3 state
+and the above oops.
+
+Signed-off-by: Lukasz Dorau <lukasz.dorau@intel.com>
+Reviewed-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Tested-by: Lukasz Dorau <lukasz.dorau@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/isci/host.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/isci/host.h
++++ b/drivers/scsi/isci/host.h
+@@ -311,9 +311,8 @@ static inline struct Scsi_Host *to_shost
+ }
+
+ #define for_each_isci_host(id, ihost, pdev) \
+- for (id = 0, ihost = to_pci_info(pdev)->hosts[id]; \
+- id < ARRAY_SIZE(to_pci_info(pdev)->hosts) && ihost; \
+- ihost = to_pci_info(pdev)->hosts[++id])
++ for (id = 0; id < SCI_MAX_CONTROLLERS && \
++ (ihost = to_pci_info(pdev)->hosts[id]); id++)
+
+ static inline void wait_for_start(struct isci_host *ihost)
+ {
--- /dev/null
+From ddfadd7736b677de2d4ca2cd5b4b655368c85a7a Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 6 Feb 2014 12:23:01 -0800
+Subject: SCSI: isci: fix reset timeout handling
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit ddfadd7736b677de2d4ca2cd5b4b655368c85a7a upstream.
+
+Remove an erroneous BUG_ON() in the case of a hard reset timeout. The
+reset timeout handler puts the port into the "awaiting link-up" state.
+The timeout causes the device to be disconnected and we need to be in
+the awaiting link-up state to re-connect the port. The BUG_ON() made
+the incorrect assumption that resets never timeout and we always
+complete the reset in the "resetting" state.
+
+Testing this patch also uncovered that libata continues to attempt to
+reset the port long after the driver has torn down the context. Once
+the driver has committed to abandoning the link it must indicate to
+libata that recovery ends by returning -ENODEV from
+->lldd_I_T_nexus_reset().
+
+Acked-by: Lukasz Dorau <lukasz.dorau@intel.com>
+Reported-by: David Milburn <dmilburn@redhat.com>
+Reported-by: Xun Ni <xun.ni@intel.com>
+Tested-by: Xun Ni <xun.ni@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/isci/port_config.c | 7 -------
+ drivers/scsi/isci/task.c | 2 +-
+ 2 files changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/scsi/isci/port_config.c
++++ b/drivers/scsi/isci/port_config.c
+@@ -615,13 +615,6 @@ static void sci_apc_agent_link_up(struct
+ SCIC_SDS_APC_WAIT_LINK_UP_NOTIFICATION);
+ } else {
+ /* the phy is already the part of the port */
+- u32 port_state = iport->sm.current_state_id;
+-
+- /* if the PORT'S state is resetting then the link up is from
+- * port hard reset in this case, we need to tell the port
+- * that link up is recieved
+- */
+- BUG_ON(port_state != SCI_PORT_RESETTING);
+ port_agent->phy_ready_mask |= 1 << phy_index;
+ sci_port_link_up(iport, iphy);
+ }
+--- a/drivers/scsi/isci/task.c
++++ b/drivers/scsi/isci/task.c
+@@ -801,7 +801,7 @@ int isci_task_I_T_nexus_reset(struct dom
+ /* XXX: need to cleanup any ireqs targeting this
+ * domain_device
+ */
+- ret = TMF_RESP_FUNC_COMPLETE;
++ ret = -ENODEV;
+ goto out;
+ }
+
--- /dev/null
+From b77ed25c9f8402e8b3e49e220edb4ef09ecfbb53 Mon Sep 17 00:00:00 2001
+From: Giridhar Malavali <giridhar.malavali@qlogic.com>
+Date: Wed, 26 Feb 2014 04:15:12 -0500
+Subject: SCSI: qla2xxx: Poll during initialization for ISP25xx and ISP83xx
+
+From: Giridhar Malavali <giridhar.malavali@qlogic.com>
+
+commit b77ed25c9f8402e8b3e49e220edb4ef09ecfbb53 upstream.
+
+Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_def.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -2980,8 +2980,7 @@ struct qla_hw_data {
+ IS_QLA25XX(ha) || IS_QLA81XX(ha) || \
+ IS_QLA82XX(ha) || IS_QLA83XX(ha))
+ #define IS_MSIX_NACK_CAPABLE(ha) (IS_QLA81XX(ha) || IS_QLA83XX(ha))
+-#define IS_NOPOLLING_TYPE(ha) ((IS_QLA25XX(ha) || IS_QLA81XX(ha) || \
+- IS_QLA83XX(ha)) && (ha)->flags.msix_enabled)
++#define IS_NOPOLLING_TYPE(ha) (IS_QLA81XX(ha) && (ha)->flags.msix_enabled)
+ #define IS_FAC_REQUIRED(ha) (IS_QLA81XX(ha) || IS_QLA83XX(ha))
+ #define IS_NOCACHE_VPD_TYPE(ha) (IS_QLA81XX(ha) || IS_QLA83XX(ha))
+ #define IS_ALOGIO_CAPABLE(ha) (IS_QLA23XX(ha) || IS_FWI2_CAPABLE(ha))
--- /dev/null
+From b12bb60d6c350b348a4e1460cd68f97ccae9822e Mon Sep 17 00:00:00 2001
+From: Ales Novak <alnovak@suse.cz>
+Date: Thu, 27 Feb 2014 11:03:30 +0100
+Subject: SCSI: storvsc: NULL pointer dereference fix
+
+From: Ales Novak <alnovak@suse.cz>
+
+commit b12bb60d6c350b348a4e1460cd68f97ccae9822e upstream.
+
+If the initialization of storvsc fails, the storvsc_device_destroy()
+causes NULL pointer dereference.
+
+storvsc_bus_scan()
+ scsi_scan_target()
+ __scsi_scan_target()
+ scsi_probe_and_add_lun(hostdata=NULL)
+ scsi_alloc_sdev(hostdata=NULL)
+
+ sdev->hostdata = hostdata
+
+ now the host allocation fails
+
+ __scsi_remove_device(sdev)
+
+ calls sdev->host->hostt->slave_destroy() ==
+ storvsc_device_destroy(sdev)
+ access of sdev->hostdata->request_mempool
+
+Signed-off-by: Ales Novak <alnovak@suse.cz>
+Signed-off-by: Thomas Abraham <tabraham@suse.com>
+Reviewed-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/storvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1189,6 +1189,9 @@ static void storvsc_device_destroy(struc
+ {
+ struct stor_mem_pools *memp = sdevice->hostdata;
+
++ if (!memp)
++ return;
++
+ mempool_destroy(memp->request_mempool);
+ kmem_cache_destroy(memp->request_pool);
+ kfree(memp);
mm-compaction-break-out-of-loop-on-pagebuddy-in-isolate_freepages_block.patch
dm-cache-fix-truncation-bug-when-copying-a-block-to-from-2tb-fast-device.patch
dm-cache-fix-access-beyond-end-of-origin-device.patch
+net-unix-socket-code-abuses-csum_partial.patch
+can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch
+scsi-isci-fix-reset-timeout-handling.patch
+scsi-isci-correct-erroneous-for_each_isci_host-macro.patch
+scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch
+scsi-storvsc-null-pointer-dereference-fix.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
