--- /dev/null
+From ef59a20ba375aeb97b3150a118318884743452a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Fri, 21 Nov 2014 15:29:00 +0100
+Subject: ARM: 8216/1: xscale: correct auxiliary register in suspend/resume
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit ef59a20ba375aeb97b3150a118318884743452a8 upstream.
+
+According to the manuals I have, XScale auxiliary register should be
+reached with opc_2 = 1 instead of crn = 1. cpu_xscale_proc_init
+correctly uses c1, c0, 1 arguments, but cpu_xscale_do_suspend and
+cpu_xscale_do_resume use c1, c1, 0. Correct suspend/resume functions to
+also use c1, c0, 1.
+
+The issue was primarily noticed thanks to qemu reporing "unsupported
+instruction" on the pxa suspend path. Confirmed in PXA210/250 and PXA255
+XScale Core manuals and in PXA270 and PXA320 Developers Guides.
+
+Harware tested by me on tosa (pxa255). Robert confirmed on pxa270 board.
+
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/proc-xscale.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/proc-xscale.S
++++ b/arch/arm/mm/proc-xscale.S
+@@ -535,7 +535,7 @@ ENTRY(cpu_xscale_do_suspend)
+ mrc p15, 0, r5, c15, c1, 0 @ CP access reg
+ mrc p15, 0, r6, c13, c0, 0 @ PID
+ mrc p15, 0, r7, c3, c0, 0 @ domain ID
+- mrc p15, 0, r8, c1, c1, 0 @ auxiliary control reg
++ mrc p15, 0, r8, c1, c0, 1 @ auxiliary control reg
+ mrc p15, 0, r9, c1, c0, 0 @ control reg
+ bic r4, r4, #2 @ clear frequency change bit
+ stmia r0, {r4 - r9} @ store cp regs
+@@ -552,7 +552,7 @@ ENTRY(cpu_xscale_do_resume)
+ mcr p15, 0, r6, c13, c0, 0 @ PID
+ mcr p15, 0, r7, c3, c0, 0 @ domain ID
+ mcr p15, 0, r1, c2, c0, 0 @ translation table base addr
+- mcr p15, 0, r8, c1, c1, 0 @ auxiliary control reg
++ mcr p15, 0, r8, c1, c0, 1 @ auxiliary control reg
+ mov r0, r9 @ control register
+ b cpu_resume_mmu
+ ENDPROC(cpu_xscale_do_resume)
--- /dev/null
+From 995ab5189d1d7264e79e665dfa032a19b3ac646e Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Tue, 25 Nov 2014 18:43:15 +0100
+Subject: ARM: 8222/1: mvebu: enable strex backoff delay
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+commit 995ab5189d1d7264e79e665dfa032a19b3ac646e upstream.
+
+Under extremely rare conditions, in an MPCore node consisting of at
+least 3 CPUs, two CPUs trying to perform a STREX to data on the same
+shared cache line can enter a livelock situation.
+
+This patch enables the HW mechanism that overcomes the bug. This fixes
+the incorrect setup of the STREX backoff delay bit due to a wrong
+description in the specification.
+
+Note that enabling the STREX backoff delay mechanism is done by
+leaving the bit *cleared*, while the bit was currently being set by
+the proc-v7.S code.
+
+[Thomas: adapt to latest mainline, slightly reword the commit log, add
+stable markers.]
+
+Fixes: de4901933f6d ("arm: mm: Add support for PJ4B cpu and init routines")
+
+Signed-off-by: Nadav Haklai <nadavh@marvell.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Acked-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/proc-v7.S | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/arm/mm/proc-v7.S
++++ b/arch/arm/mm/proc-v7.S
+@@ -201,7 +201,6 @@ __v7_pj4b_setup:
+ /* Auxiliary Debug Modes Control 1 Register */
+ #define PJ4B_STATIC_BP (1 << 2) /* Enable Static BP */
+ #define PJ4B_INTER_PARITY (1 << 8) /* Disable Internal Parity Handling */
+-#define PJ4B_BCK_OFF_STREX (1 << 5) /* Enable the back off of STREX instr */
+ #define PJ4B_CLEAN_LINE (1 << 16) /* Disable data transfer for clean line */
+
+ /* Auxiliary Debug Modes Control 2 Register */
+@@ -224,7 +223,6 @@ __v7_pj4b_setup:
+ /* Auxiliary Debug Modes Control 1 Register */
+ mrc p15, 1, r0, c15, c1, 1
+ orr r0, r0, #PJ4B_CLEAN_LINE
+- orr r0, r0, #PJ4B_BCK_OFF_STREX
+ orr r0, r0, #PJ4B_INTER_PARITY
+ bic r0, r0, #PJ4B_STATIC_BP
+ mcr p15, 1, r0, c15, c1, 1
--- /dev/null
+From 01a4cc4d0cd6a836c7b923760e8eb1cbb6a47258 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Thu, 20 Nov 2014 11:17:33 +0100
+Subject: bnx2fc: do not add shared skbs to the fcoe_rx_list
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+commit 01a4cc4d0cd6a836c7b923760e8eb1cbb6a47258 upstream.
+
+In some cases, the fcoe_rx_list may contains multiple instances
+of the same skb (the so called "shared skbs").
+
+the bnx2fc_l2_rcv thread is a loop that extracts a skb from the list,
+modifies (and destroys) its content and then proceed to the next one.
+The problem is that if the skb is shared, the remaining instances will
+be corrupted.
+
+The solution is to use skb_share_check() before adding the skb to the
+fcoe_rx_list.
+
+[ 6286.808725] ------------[ cut here ]------------
+[ 6286.808729] WARNING: at include/scsi/fc_frame.h:173 bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]()
+[ 6286.808748] Modules linked in: bnx2x(-) mdio dm_service_time bnx2fc cnic uio fcoe libfcoe 8021q garp stp mrp libfc llc scsi_transport_fc scsi_tgt sg iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel e1000e ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper ptp cryptd hpilo serio_raw hpwdt lpc_ich pps_core ipmi_si pcspkr mfd_core ipmi_msghandler shpchp pcc_cpufreq mperf nfsd auth_rpcgss nfs_acl lockd sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit ata_piix drm_kms_helper ttm drm libata i2c_core hpsa dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mdio]
+[ 6286.808750] CPU: 3 PID: 1304 Comm: bnx2fc_l2_threa Not tainted 3.10.0-121.el7.x86_64 #1
+[ 6286.808750] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
+[ 6286.808752] 0000000000000000 000000000b36e715 ffff8800deba1e00 ffffffff815ec0ba
+[ 6286.808753] ffff8800deba1e38 ffffffff8105dee1 ffffffffa05618c0 ffff8801e4c81888
+[ 6286.808754] ffffe8ffff663868 ffff8801f402b180 ffff8801f56bc000 ffff8800deba1e48
+[ 6286.808754] Call Trace:
+[ 6286.808759] [<ffffffff815ec0ba>] dump_stack+0x19/0x1b
+[ 6286.808762] [<ffffffff8105dee1>] warn_slowpath_common+0x61/0x80
+[ 6286.808763] [<ffffffff8105e00a>] warn_slowpath_null+0x1a/0x20
+[ 6286.808765] [<ffffffffa054f415>] bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]
+[ 6286.808767] [<ffffffffa054eff0>] ? bnx2fc_disable+0x90/0x90 [bnx2fc]
+[ 6286.808769] [<ffffffff81085aef>] kthread+0xcf/0xe0
+[ 6286.808770] [<ffffffff81085a20>] ? kthread_create_on_node+0x140/0x140
+[ 6286.808772] [<ffffffff815fc76c>] ret_from_fork+0x7c/0xb0
+[ 6286.808773] [<ffffffff81085a20>] ? kthread_create_on_node+0x140/0x140
+[ 6286.808774] ---[ end trace c6cdb939184ccb4e ]---
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Acked-by: Chad Dupuis <chad.dupuis@qlogic.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -411,6 +411,7 @@ static int bnx2fc_rcv(struct sk_buff *sk
+ struct fc_frame_header *fh;
+ struct fcoe_rcv_info *fr;
+ struct fcoe_percpu_s *bg;
++ struct sk_buff *tmp_skb;
+ unsigned short oxid;
+
+ interface = container_of(ptype, struct bnx2fc_interface,
+@@ -423,6 +424,12 @@ static int bnx2fc_rcv(struct sk_buff *sk
+ goto err;
+ }
+
++ tmp_skb = skb_share_check(skb, GFP_ATOMIC);
++ if (!tmp_skb)
++ goto err;
++
++ skb = tmp_skb;
++
+ if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
+ printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
+ goto err;
--- /dev/null
+From 5247a589c24022ab34e780039cc8000c48f2035e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20K=C3=B6rper?= <thomas.koerper@esd.eu>
+Date: Fri, 31 Oct 2014 07:33:54 +0100
+Subject: can: dev: avoid calling kfree_skb() from interrupt context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Thomas=20K=C3=B6rper?= <thomas.koerper@esd.eu>
+
+commit 5247a589c24022ab34e780039cc8000c48f2035e upstream.
+
+ikfree_skb() is Called in can_free_echo_skb(), which might be called from (TX
+Error) interrupt, which triggers the folloing warning:
+
+[ 1153.360705] ------------[ cut here ]------------
+[ 1153.360715] WARNING: CPU: 0 PID: 31 at net/core/skbuff.c:563 skb_release_head_state+0xb9/0xd0()
+[ 1153.360772] Call Trace:
+[ 1153.360778] [<c167906f>] dump_stack+0x41/0x52
+[ 1153.360782] [<c105bb7e>] warn_slowpath_common+0x7e/0xa0
+[ 1153.360784] [<c158b909>] ? skb_release_head_state+0xb9/0xd0
+[ 1153.360786] [<c158b909>] ? skb_release_head_state+0xb9/0xd0
+[ 1153.360788] [<c105bc42>] warn_slowpath_null+0x22/0x30
+[ 1153.360791] [<c158b909>] skb_release_head_state+0xb9/0xd0
+[ 1153.360793] [<c158be90>] skb_release_all+0x10/0x30
+[ 1153.360795] [<c158bf06>] kfree_skb+0x36/0x80
+[ 1153.360799] [<f8486938>] ? can_free_echo_skb+0x28/0x40 [can_dev]
+[ 1153.360802] [<f8486938>] can_free_echo_skb+0x28/0x40 [can_dev]
+[ 1153.360805] [<f849a12c>] esd_pci402_interrupt+0x34c/0x57a [esd402]
+[ 1153.360809] [<c10a75b5>] handle_irq_event_percpu+0x35/0x180
+[ 1153.360811] [<c10a7623>] ? handle_irq_event_percpu+0xa3/0x180
+[ 1153.360813] [<c10a7731>] handle_irq_event+0x31/0x50
+[ 1153.360816] [<c10a9c7f>] handle_fasteoi_irq+0x6f/0x120
+[ 1153.360818] [<c10a9c10>] ? handle_edge_irq+0x110/0x110
+[ 1153.360822] [<c1011b61>] handle_irq+0x71/0x90
+[ 1153.360823] <IRQ> [<c168152c>] do_IRQ+0x3c/0xd0
+[ 1153.360829] [<c1680b6c>] common_interrupt+0x2c/0x34
+[ 1153.360834] [<c107d277>] ? finish_task_switch+0x47/0xf0
+[ 1153.360836] [<c167c27b>] __schedule+0x35b/0x7e0
+[ 1153.360839] [<c10a5334>] ? console_unlock+0x2c4/0x4d0
+[ 1153.360842] [<c13df500>] ? n_tty_receive_buf_common+0x890/0x890
+[ 1153.360845] [<c10707b6>] ? process_one_work+0x196/0x370
+[ 1153.360847] [<c167c723>] schedule+0x23/0x60
+[ 1153.360849] [<c1070de1>] worker_thread+0x161/0x460
+[ 1153.360852] [<c1090fcf>] ? __wake_up_locked+0x1f/0x30
+[ 1153.360854] [<c1070c80>] ? rescuer_thread+0x2f0/0x2f0
+[ 1153.360856] [<c1074f01>] kthread+0xa1/0xc0
+[ 1153.360859] [<c1680401>] ret_from_kernel_thread+0x21/0x30
+[ 1153.360861] [<c1074e60>] ? kthread_create_on_node+0x110/0x110
+[ 1153.360863] ---[ end trace 5ff83639cbb74b35 ]---
+
+This patch replaces the kfree_skb() by dev_kfree_skb_any().
+
+Signed-off-by: Thomas Körper <thomas.koerper@esd.eu>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -385,7 +385,7 @@ void can_free_echo_skb(struct net_device
+ BUG_ON(idx >= priv->echo_skb_max);
+
+ if (priv->echo_skb[idx]) {
+- kfree_skb(priv->echo_skb[idx]);
++ dev_kfree_skb_any(priv->echo_skb[idx]);
+ priv->echo_skb[idx] = NULL;
+ }
+ }
--- /dev/null
+From a1f9a4072655843fc03186acbad65990cc05dd2d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 25 Nov 2014 00:38:17 -0800
+Subject: Input: xpad - use proper endpoint type
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit a1f9a4072655843fc03186acbad65990cc05dd2d upstream.
+
+The xpad wireless endpoint is not a bulk endpoint on my devices, but
+rather an interrupt one, so the USB core complains when it is submitted.
+I'm guessing that the author really did mean that this should be an
+interrupt urb, but as there are a zillion different xpad devices out
+there, let's cover out bases and handle both bulk and interrupt
+endpoints just as easily.
+
+Signed-off-by: "Pierre-Loup A. Griffais" <pgriffais@valvesoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -1002,9 +1002,19 @@ static int xpad_probe(struct usb_interfa
+ }
+
+ ep_irq_in = &intf->cur_altsetting->endpoint[1].desc;
+- usb_fill_bulk_urb(xpad->bulk_out, udev,
+- usb_sndbulkpipe(udev, ep_irq_in->bEndpointAddress),
+- xpad->bdata, XPAD_PKT_LEN, xpad_bulk_out, xpad);
++ if (usb_endpoint_is_bulk_out(ep_irq_in)) {
++ usb_fill_bulk_urb(xpad->bulk_out, udev,
++ usb_sndbulkpipe(udev,
++ ep_irq_in->bEndpointAddress),
++ xpad->bdata, XPAD_PKT_LEN,
++ xpad_bulk_out, xpad);
++ } else {
++ usb_fill_int_urb(xpad->bulk_out, udev,
++ usb_sndintpipe(udev,
++ ep_irq_in->bEndpointAddress),
++ xpad->bdata, XPAD_PKT_LEN,
++ xpad_bulk_out, xpad, 0);
++ }
+
+ /*
+ * Submit the int URB immediately rather than waiting for open
--- /dev/null
+From 3b726ae2de02a406cc91903f80132daee37b6f1b Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@dev.mellanox.co.il>
+Date: Tue, 28 Oct 2014 13:45:03 -0700
+Subject: iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly
+
+From: Sagi Grimberg <sagig@dev.mellanox.co.il>
+
+commit 3b726ae2de02a406cc91903f80132daee37b6f1b upstream.
+
+In this case the cm_id->context is the isert_np, and the cm_id->qp
+is NULL, so use that to distinct the cases.
+
+Since we don't expect any other events on this cm_id we can
+just return -1 for explicit termination of the cm_id by the
+cma layer.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -585,14 +585,25 @@ wake_up:
+ complete(&isert_conn->conn_wait);
+ }
+
+-static void
++static int
+ isert_disconnected_handler(struct rdma_cm_id *cma_id, bool disconnect)
+ {
+- struct isert_conn *isert_conn = (struct isert_conn *)cma_id->context;
++ struct isert_conn *isert_conn;
++
++ if (!cma_id->qp) {
++ struct isert_np *isert_np = cma_id->context;
++
++ isert_np->np_cm_id = NULL;
++ return -1;
++ }
++
++ isert_conn = (struct isert_conn *)cma_id->context;
+
+ isert_conn->disconnect = disconnect;
+ INIT_WORK(&isert_conn->conn_logout_work, isert_disconnect_work);
+ schedule_work(&isert_conn->conn_logout_work);
++
++ return 0;
+ }
+
+ static int
+@@ -607,6 +618,9 @@ isert_cma_handler(struct rdma_cm_id *cma
+ switch (event->event) {
+ case RDMA_CM_EVENT_CONNECT_REQUEST:
+ ret = isert_connect_request(cma_id, event);
++ if (ret)
++ pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n",
++ event->event, ret);
+ break;
+ case RDMA_CM_EVENT_ESTABLISHED:
+ isert_connected_handler(cma_id);
+@@ -616,7 +630,7 @@ isert_cma_handler(struct rdma_cm_id *cma
+ case RDMA_CM_EVENT_DEVICE_REMOVAL: /* FALLTHRU */
+ disconnect = true;
+ case RDMA_CM_EVENT_TIMEWAIT_EXIT: /* FALLTHRU */
+- isert_disconnected_handler(cma_id, disconnect);
++ ret = isert_disconnected_handler(cma_id, disconnect);
+ break;
+ case RDMA_CM_EVENT_CONNECT_ERROR:
+ default:
+@@ -624,12 +638,6 @@ isert_cma_handler(struct rdma_cm_id *cma
+ break;
+ }
+
+- if (ret != 0) {
+- pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n",
+- event->event, ret);
+- dump_stack();
+- }
+-
+ return ret;
+ }
+
+@@ -2233,7 +2241,8 @@ isert_free_np(struct iscsi_np *np)
+ {
+ struct isert_np *isert_np = (struct isert_np *)np->np_context;
+
+- rdma_destroy_id(isert_np->np_cm_id);
++ if (isert_np->np_cm_id)
++ rdma_destroy_id(isert_np->np_cm_id);
+
+ np->np_context = NULL;
+ kfree(isert_np);
--- /dev/null
+From c6c15e1ed303ffc47e696ea1c9a9df1761c1f603 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Wed, 19 Nov 2014 12:47:50 -0500
+Subject: nfsd: Fix slot wake up race in the nfsv4.1 callback code
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit c6c15e1ed303ffc47e696ea1c9a9df1761c1f603 upstream.
+
+The currect code for nfsd41_cb_get_slot() and nfsd4_cb_done() has no
+locking in order to guarantee atomicity, and so allows for races of
+the form.
+
+Task 1 Task 2
+====== ======
+if (test_and_set_bit(0) != 0) {
+ clear_bit(0)
+ rpc_wake_up_next(queue)
+ rpc_sleep_on(queue)
+ return false;
+}
+
+This patch breaks the race condition by adding a retest of the bit
+after the call to rpc_sleep_on().
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4callback.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -784,8 +784,12 @@ static bool nfsd41_cb_get_slot(struct nf
+ {
+ if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
+ rpc_sleep_on(&clp->cl_cb_waitq, task, NULL);
+- dprintk("%s slot is busy\n", __func__);
+- return false;
++ /* Race breaker */
++ if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
++ dprintk("%s slot is busy\n", __func__);
++ return false;
++ }
++ rpc_wake_up_queued_task(&clp->cl_cb_waitq, task);
+ }
+ return true;
+ }
--- /dev/null
+From bf7bd3e98be5c74813bee6ad496139fb0a011b3b Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 15 Aug 2013 16:55:26 -0400
+Subject: nfsd4: fix leak of inode reference on delegation failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit bf7bd3e98be5c74813bee6ad496139fb0a011b3b upstream.
+
+This fixes a regression from 68a3396178e6688ad7367202cdf0af8ed03c8727
+"nfsd4: shut down more of delegation earlier".
+
+After that commit, nfs4_set_delegation() failures result in
+nfs4_put_delegation being called, but nfs4_put_delegation doesn't free
+the nfs4_file that has already been set by alloc_init_deleg().
+
+This can result in an oops on later unmounting the exported filesystem.
+
+Note also delaying the fi_had_conflict check we're able to return a
+better error (hence give 4.1 clients a better idea why the delegation
+failed; though note CONFLICT isn't an exact match here, as that's
+supposed to indicate a current conflict, but all we know here is that
+there was one recently).
+
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Tested-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+[tuomasjjrasanen: backported to 3.10
+ Conflicts fs/nfsd/nfs4state.c:
+ Delegation type flags have been removed from upstream code. In 3.10-series,
+ they still exists and therefore the commit caused few conflicts in function
+ signatures.
+]
+Signed-off-by: Tuomas Räsänen <tuomasjjrasanen@opinsys.fi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -367,7 +367,6 @@ static struct nfs4_delegation *
+ alloc_init_deleg(struct nfs4_client *clp, struct nfs4_ol_stateid *stp, struct svc_fh *current_fh, u32 type)
+ {
+ struct nfs4_delegation *dp;
+- struct nfs4_file *fp = stp->st_file;
+
+ dprintk("NFSD alloc_init_deleg\n");
+ /*
+@@ -377,8 +376,6 @@ alloc_init_deleg(struct nfs4_client *clp
+ */
+ if (type != NFS4_OPEN_DELEGATE_READ)
+ return NULL;
+- if (fp->fi_had_conflict)
+- return NULL;
+ if (num_delegations > max_delegations)
+ return NULL;
+ dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab));
+@@ -395,8 +392,7 @@ alloc_init_deleg(struct nfs4_client *clp
+ INIT_LIST_HEAD(&dp->dl_perfile);
+ INIT_LIST_HEAD(&dp->dl_perclnt);
+ INIT_LIST_HEAD(&dp->dl_recall_lru);
+- get_nfs4_file(fp);
+- dp->dl_file = fp;
++ dp->dl_file = NULL;
+ dp->dl_type = type;
+ fh_copy_shallow(&dp->dl_fh, ¤t_fh->fh_handle);
+ dp->dl_time = 0;
+@@ -2965,22 +2961,35 @@ static int nfs4_setlease(struct nfs4_del
+ return 0;
+ }
+
+-static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag)
++static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag, struct nfs4_file *fp)
+ {
+- struct nfs4_file *fp = dp->dl_file;
++ int status;
+
+- if (!fp->fi_lease)
+- return nfs4_setlease(dp, flag);
++ if (fp->fi_had_conflict)
++ return -EAGAIN;
++ get_nfs4_file(fp);
++ dp->dl_file = fp;
++ if (!fp->fi_lease) {
++ status = nfs4_setlease(dp, flag);
++ if (status)
++ goto out_free;
++ return 0;
++ }
+ spin_lock(&recall_lock);
+ if (fp->fi_had_conflict) {
+ spin_unlock(&recall_lock);
+- return -EAGAIN;
++ status = -EAGAIN;
++ goto out_free;
+ }
+ atomic_inc(&fp->fi_delegees);
+ list_add(&dp->dl_perfile, &fp->fi_delegations);
+ spin_unlock(&recall_lock);
+ list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations);
+ return 0;
++out_free:
++ put_nfs4_file(fp);
++ dp->dl_file = fp;
++ return status;
+ }
+
+ static void nfsd4_open_deleg_none_ext(struct nfsd4_open *open, int status)
+@@ -3046,7 +3055,7 @@ nfs4_open_delegation(struct net *net, st
+ dp = alloc_init_deleg(oo->oo_owner.so_client, stp, fh, flag);
+ if (dp == NULL)
+ goto out_no_deleg;
+- status = nfs4_set_delegation(dp, flag);
++ status = nfs4_set_delegation(dp, flag, stp->st_file);
+ if (status)
+ goto out_free;
+
--- /dev/null
+From cfd9167af14eb4ec21517a32911d460083ee3d59 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Tue, 11 Nov 2014 14:28:47 +0100
+Subject: rt2x00: do not align payload on modern H/W
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit cfd9167af14eb4ec21517a32911d460083ee3d59 upstream.
+
+RT2800 and newer hardware require padding between header and payload if
+header length is not multiple of 4.
+
+For historical reasons we also align payload to to 4 bytes boundary, but
+such alignment is not needed on modern H/W.
+
+Patch fixes skb_under_panic problems reported from time to time:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=84911
+https://bugzilla.kernel.org/show_bug.cgi?id=72471
+http://marc.info/?l=linux-wireless&m=139108549530402&w=2
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087591
+
+Panic happened because we eat 4 bytes of skb headroom on each
+(re)transmission when sending frame without the payload and the header
+length not being multiple of 4 (i.e. QoS header has 26 bytes). On such
+case because paylad_aling=2 is bigger than header_align=0 we increase
+header_align by 4 bytes. To prevent that we could change the check to:
+
+ if (payload_length && payload_align > header_align)
+ header_align += 4;
+
+but not aligning payload at all is more effective and alignment is not
+really needed by H/W (that has been tested on OpenWrt project for few
+years now).
+
+Reported-and-tested-by: Antti S. Lankila <alankila@bel.fi>
+Debugged-by: Antti S. Lankila <alankila@bel.fi>
+Reported-by: Henrik Asp <solenskiner@gmail.com>
+Originally-From: Helmut Schaa <helmut.schaa@googlemail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 50 +++++++-----------------------
+ 1 file changed, 12 insertions(+), 38 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
+@@ -160,55 +160,29 @@ void rt2x00queue_align_frame(struct sk_b
+ skb_trim(skb, frame_length);
+ }
+
+-void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length)
++/*
++ * H/W needs L2 padding between the header and the paylod if header size
++ * is not 4 bytes aligned.
++ */
++void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len)
+ {
+- unsigned int payload_length = skb->len - header_length;
+- unsigned int header_align = ALIGN_SIZE(skb, 0);
+- unsigned int payload_align = ALIGN_SIZE(skb, header_length);
+- unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0;
+-
+- /*
+- * Adjust the header alignment if the payload needs to be moved more
+- * than the header.
+- */
+- if (payload_align > header_align)
+- header_align += 4;
++ unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
+
+- /* There is nothing to do if no alignment is needed */
+- if (!header_align)
++ if (!l2pad)
+ return;
+
+- /* Reserve the amount of space needed in front of the frame */
+- skb_push(skb, header_align);
+-
+- /*
+- * Move the header.
+- */
+- memmove(skb->data, skb->data + header_align, header_length);
+-
+- /* Move the payload, if present and if required */
+- if (payload_length && payload_align)
+- memmove(skb->data + header_length + l2pad,
+- skb->data + header_length + l2pad + payload_align,
+- payload_length);
+-
+- /* Trim the skb to the correct size */
+- skb_trim(skb, header_length + l2pad + payload_length);
++ skb_push(skb, l2pad);
++ memmove(skb->data, skb->data + l2pad, hdr_len);
+ }
+
+-void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length)
++void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len)
+ {
+- /*
+- * L2 padding is only present if the skb contains more than just the
+- * IEEE 802.11 header.
+- */
+- unsigned int l2pad = (skb->len > header_length) ?
+- L2PAD_SIZE(header_length) : 0;
++ unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
+
+ if (!l2pad)
+ return;
+
+- memmove(skb->data + l2pad, skb->data, header_length);
++ memmove(skb->data + l2pad, skb->data, hdr_len);
+ skb_pull(skb, l2pad);
+ }
+
usb-xhci-don-t-start-a-halted-endpoint-before-its-new-dequeue-is-set.patch
can-esd_usb2-fix-memory-leak-on-disconnect.patch
alsa-usb-audio-add-ctrl-message-delay-quirk-for.patch
+arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch
+arm-8222-1-mvebu-enable-strex-backoff-delay.patch
+input-xpad-use-proper-endpoint-type.patch
+srp-target-retry-when-qp-creation-fails-with-enomem.patch
+target-don-t-call-tfo-write_pending-if-data_length-0.patch
+iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch
+spi-dw-fix-dynamic-speed-change.patch
+can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch
+rt2x00-do-not-align-payload-on-modern-h-w.patch
+nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch
+nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch
+bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch
--- /dev/null
+From 0a8727e69778683495058852f783eeda141a754e Mon Sep 17 00:00:00 2001
+From: Thor Thayer <tthayer@opensource.altera.com>
+Date: Thu, 6 Nov 2014 13:54:27 -0600
+Subject: spi: dw: Fix dynamic speed change.
+
+From: Thor Thayer <tthayer@opensource.altera.com>
+
+commit 0a8727e69778683495058852f783eeda141a754e upstream.
+
+An IOCTL call that calls spi_setup() and then dw_spi_setup() will
+overwrite the persisted last transfer speed. On each transfer, the
+SPI speed is compared to the last transfer speed to determine if the
+clock divider registers need to be updated (did the speed change?).
+This bug was observed with the spidev driver using spi-config to
+update the max transfer speed.
+
+This fix: Don't overwrite the persisted last transaction clock speed
+when updating the SPI parameters in dw_spi_setup(). On the next
+transaction, the new speed won't match the persisted last speed
+and the hardware registers will be updated.
+On initialization, the persisted last transaction clock
+speed will be 0 but will be updated after the first SPI
+transaction.
+
+Move zeroed clock divider check into clock change test because
+chip->clk_div is zero on startup and would cause a divide-by-zero
+error. The calculation was wrong as well (can't support odd #).
+
+Reported-by: Vlastimil Setka <setka@vsis.cz>
+Signed-off-by: Vlastimil Setka <setka@vsis.cz>
+Signed-off-by: Thor Thayer <tthayer@opensource.altera.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-dw.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -394,9 +394,6 @@ static void pump_transfers(unsigned long
+ chip = dws->cur_chip;
+ spi = message->spi;
+
+- if (unlikely(!chip->clk_div))
+- chip->clk_div = dws->max_freq / chip->speed_hz;
+-
+ if (message->state == ERROR_STATE) {
+ message->status = -EIO;
+ goto early_exit;
+@@ -438,7 +435,7 @@ static void pump_transfers(unsigned long
+ if (transfer->speed_hz) {
+ speed = chip->speed_hz;
+
+- if (transfer->speed_hz != speed) {
++ if ((transfer->speed_hz != speed) || (!chip->clk_div)) {
+ speed = transfer->speed_hz;
+ if (speed > dws->max_freq) {
+ printk(KERN_ERR "MRST SPI0: unsupported"
+@@ -677,7 +674,6 @@ static int dw_spi_setup(struct spi_devic
+ dev_err(&spi->dev, "No max speed HZ parameter\n");
+ return -EINVAL;
+ }
+- chip->speed_hz = spi->max_speed_hz;
+
+ chip->tmode = 0; /* Tx & Rx */
+ /* Default SPI mode is SCPOL = 0, SCPH = 0 */
--- /dev/null
+From ab477c1ff5e0a744c072404bf7db51bfe1f05b6e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sun, 19 Oct 2014 18:05:33 +0300
+Subject: srp-target: Retry when QP creation fails with ENOMEM
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit ab477c1ff5e0a744c072404bf7db51bfe1f05b6e upstream.
+
+It is not guaranteed to that srp_sq_size is supported
+by the HCA. So if we failed to create the QP with ENOMEM,
+try with a smaller srp_sq_size. Keep it up until we hit
+MIN_SRPT_SQ_SIZE, then fail the connection.
+
+Reported-by: Mark Lehrer <lehrer@gmail.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2101,6 +2101,7 @@ static int srpt_create_ch_ib(struct srpt
+ if (!qp_init)
+ goto out;
+
++retry:
+ ch->cq = ib_create_cq(sdev->device, srpt_completion, NULL, ch,
+ ch->rq_size + srp_sq_size, 0);
+ if (IS_ERR(ch->cq)) {
+@@ -2124,6 +2125,13 @@ static int srpt_create_ch_ib(struct srpt
+ ch->qp = ib_create_qp(sdev->pd, qp_init);
+ if (IS_ERR(ch->qp)) {
+ ret = PTR_ERR(ch->qp);
++ if (ret == -ENOMEM) {
++ srp_sq_size /= 2;
++ if (srp_sq_size >= MIN_SRPT_SQ_SIZE) {
++ ib_destroy_cq(ch->cq);
++ goto retry;
++ }
++ }
+ printk(KERN_ERR "failed to create_qp ret= %d\n", ret);
+ goto err_destroy_cq;
+ }
--- /dev/null
+From 885e7b0e181c14e4d0ddd26c688bad2b84c1ada9 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Tue, 14 Oct 2014 14:16:24 -0700
+Subject: target: Don't call TFO->write_pending if data_length == 0
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 885e7b0e181c14e4d0ddd26c688bad2b84c1ada9 upstream.
+
+If an initiator sends a zero-length command (e.g. TEST UNIT READY) but
+sets the transfer direction in the transport layer to indicate a
+data-out phase, we still shouldn't try to transfer data. At best it's
+a NOP, and depending on the transport, we might crash on an
+uninitialized sg list.
+
+Reported-by: Craig Watson <craig.watson@vanguard-rugged.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2128,7 +2128,7 @@ transport_generic_new_cmd(struct se_cmd
+ * and let it call back once the write buffers are ready.
+ */
+ target_add_to_state_list(cmd);
+- if (cmd->data_direction != DMA_TO_DEVICE) {
++ if (cmd->data_direction != DMA_TO_DEVICE || cmd->data_length == 0) {
+ target_execute_cmd(cmd);
+ return 0;
+ }