4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Jul 2018 10:32:28 +0000 (12:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Jul 2018 10:32:28 +0000 (12:32 +0200)
added patches:
bcm63xx_enet-correct-clock-usage.patch
bcm63xx_enet-do-not-write-to-random-dma-channel-on-bcm6345.patch
crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_build_sdr-leak.patch
crypto-crypto4xx-remove-bad-list_del.patch
mtd-m25p80-consider-max-message-size-in-m25p80_read.patch
ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_block.patch
ocfs2-subsystem.su_mutex-is-required-while-accessing-the-item-ci_parent.patch
spi-bcm63xx-fix-typo-in-bcm63xx_spi_max_length-breaking-compilation.patch
spi-bcm63xx-make-spi-subsystem-aware-of-message-size-limits.patch

queue-4.9/bcm63xx_enet-correct-clock-usage.patch [new file with mode: 0644]
queue-4.9/bcm63xx_enet-do-not-write-to-random-dma-channel-on-bcm6345.patch [new file with mode: 0644]
queue-4.9/crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_build_sdr-leak.patch [new file with mode: 0644]
queue-4.9/crypto-crypto4xx-remove-bad-list_del.patch [new file with mode: 0644]
queue-4.9/mtd-m25p80-consider-max-message-size-in-m25p80_read.patch [new file with mode: 0644]
queue-4.9/ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_block.patch [new file with mode: 0644]
queue-4.9/ocfs2-subsystem.su_mutex-is-required-while-accessing-the-item-ci_parent.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/spi-bcm63xx-fix-typo-in-bcm63xx_spi_max_length-breaking-compilation.patch [new file with mode: 0644]
queue-4.9/spi-bcm63xx-make-spi-subsystem-aware-of-message-size-limits.patch [new file with mode: 0644]

diff --git a/queue-4.9/bcm63xx_enet-correct-clock-usage.patch b/queue-4.9/bcm63xx_enet-correct-clock-usage.patch
new file mode 100644 (file)
index 0000000..34ab2ec
--- /dev/null
@@ -0,0 +1,109 @@
+From 9c86b846ce02f7e35d7234cf090b80553eba5389 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Sun, 1 Oct 2017 13:02:15 +0200
+Subject: bcm63xx_enet: correct clock usage
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+commit 9c86b846ce02f7e35d7234cf090b80553eba5389 upstream.
+
+Check the return code of prepare_enable and change one last instance of
+enable only to prepare_enable. Also properly disable and release the
+clock in error paths and on remove for enetsw.
+
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/bcm63xx_enet.c |   31 ++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcm63xx_enet.c
++++ b/drivers/net/ethernet/broadcom/bcm63xx_enet.c
+@@ -1790,7 +1790,9 @@ static int bcm_enet_probe(struct platfor
+               ret = PTR_ERR(priv->mac_clk);
+               goto out;
+       }
+-      clk_prepare_enable(priv->mac_clk);
++      ret = clk_prepare_enable(priv->mac_clk);
++      if (ret)
++              goto out_put_clk_mac;
+       /* initialize default and fetch platform data */
+       priv->rx_ring_size = BCMENET_DEF_RX_DESC;
+@@ -1822,9 +1824,11 @@ static int bcm_enet_probe(struct platfor
+               if (IS_ERR(priv->phy_clk)) {
+                       ret = PTR_ERR(priv->phy_clk);
+                       priv->phy_clk = NULL;
+-                      goto out_put_clk_mac;
++                      goto out_disable_clk_mac;
+               }
+-              clk_prepare_enable(priv->phy_clk);
++              ret = clk_prepare_enable(priv->phy_clk);
++              if (ret)
++                      goto out_put_clk_phy;
+       }
+       /* do minimal hardware init to be able to probe mii bus */
+@@ -1915,13 +1919,16 @@ out_free_mdio:
+ out_uninit_hw:
+       /* turn off mdc clock */
+       enet_writel(priv, 0, ENET_MIISC_REG);
+-      if (priv->phy_clk) {
++      if (priv->phy_clk)
+               clk_disable_unprepare(priv->phy_clk);
++
++out_put_clk_phy:
++      if (priv->phy_clk)
+               clk_put(priv->phy_clk);
+-      }
+-out_put_clk_mac:
++out_disable_clk_mac:
+       clk_disable_unprepare(priv->mac_clk);
++out_put_clk_mac:
+       clk_put(priv->mac_clk);
+ out:
+       free_netdev(dev);
+@@ -2766,7 +2773,9 @@ static int bcm_enetsw_probe(struct platf
+               ret = PTR_ERR(priv->mac_clk);
+               goto out_unmap;
+       }
+-      clk_enable(priv->mac_clk);
++      ret = clk_prepare_enable(priv->mac_clk);
++      if (ret)
++              goto out_put_clk;
+       priv->rx_chan = 0;
+       priv->tx_chan = 1;
+@@ -2787,7 +2796,7 @@ static int bcm_enetsw_probe(struct platf
+       ret = register_netdev(dev);
+       if (ret)
+-              goto out_put_clk;
++              goto out_disable_clk;
+       netif_carrier_off(dev);
+       platform_set_drvdata(pdev, dev);
+@@ -2796,6 +2805,9 @@ static int bcm_enetsw_probe(struct platf
+       return 0;
++out_disable_clk:
++      clk_disable_unprepare(priv->mac_clk);
++
+ out_put_clk:
+       clk_put(priv->mac_clk);
+@@ -2827,6 +2839,9 @@ static int bcm_enetsw_remove(struct plat
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       release_mem_region(res->start, resource_size(res));
++      clk_disable_unprepare(priv->mac_clk);
++      clk_put(priv->mac_clk);
++
+       free_netdev(dev);
+       return 0;
+ }
diff --git a/queue-4.9/bcm63xx_enet-do-not-write-to-random-dma-channel-on-bcm6345.patch b/queue-4.9/bcm63xx_enet-do-not-write-to-random-dma-channel-on-bcm6345.patch
new file mode 100644 (file)
index 0000000..8346505
--- /dev/null
@@ -0,0 +1,36 @@
+From d6213c1f2ad54a964b77471690264ed685718928 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Sun, 1 Oct 2017 13:02:16 +0200
+Subject: bcm63xx_enet: do not write to random DMA channel on BCM6345
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+commit d6213c1f2ad54a964b77471690264ed685718928 upstream.
+
+The DMA controller regs actually point to DMA channel 0, so the write to
+ENETDMA_CFG_REG will actually modify a random DMA channel.
+
+Since DMA controller registers do not exist on BCM6345, guard the write
+with the usual check for dma_has_sram.
+
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/bcm63xx_enet.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bcm63xx_enet.c
++++ b/drivers/net/ethernet/broadcom/bcm63xx_enet.c
+@@ -1063,7 +1063,8 @@ static int bcm_enet_open(struct net_devi
+       val = enet_readl(priv, ENET_CTL_REG);
+       val |= ENET_CTL_ENABLE_MASK;
+       enet_writel(priv, val, ENET_CTL_REG);
+-      enet_dma_writel(priv, ENETDMA_CFG_EN_MASK, ENETDMA_CFG_REG);
++      if (priv->dma_has_sram)
++              enet_dma_writel(priv, ENETDMA_CFG_EN_MASK, ENETDMA_CFG_REG);
+       enet_dmac_writel(priv, priv->dma_chan_en_mask,
+                        ENETDMAC_CHANCFG, priv->rx_chan);
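Review bot: The new `if (priv->dma_has_sram)` guard in bcm_enet_open has no comment, and the field name alone does not explain why the ENETDMA_CFG_REG write depends on it. A one-line comment above the guard would keep the reason next to the code, for example `/* BCM6345 has no DMA controller registers; this write would land in a DMA channel instead */`. The commit message calls this the usual check, so other enet_dma_writel() callers are presumably guarded already, but they lie outside the hunk and are worth confirming. bcm_enet_open starts and ends outside the hunk.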
diff --git a/queue-4.9/crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_build_sdr-leak.patch b/queue-4.9/crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_build_sdr-leak.patch
new file mode 100644 (file)
index 0000000..2c68b8b
--- /dev/null
@@ -0,0 +1,90 @@
+From 5d59ad6eea82ef8df92b4109615a0dde9d8093e9 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Fri, 25 Aug 2017 15:47:24 +0200
+Subject: crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+commit 5d59ad6eea82ef8df92b4109615a0dde9d8093e9 upstream.
+
+If one of the later memory allocations in rypto4xx_build_pdr()
+fails: dev->pdr (and/or) dev->pdr_uinfo wouldn't be freed.
+
+crypto4xx_build_sdr() has the same issue with dev->sdr.
+
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/amcc/crypto4xx_core.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.c
++++ b/drivers/crypto/amcc/crypto4xx_core.c
+@@ -208,7 +208,7 @@ static u32 crypto4xx_build_pdr(struct cr
+                                 dev->pdr_pa);
+               return -ENOMEM;
+       }
+-      memset(dev->pdr, 0,  sizeof(struct ce_pd) * PPC4XX_NUM_PD);
++      memset(dev->pdr, 0, sizeof(struct ce_pd) * PPC4XX_NUM_PD);
+       dev->shadow_sa_pool = dma_alloc_coherent(dev->core_dev->device,
+                                  256 * PPC4XX_NUM_PD,
+                                  &dev->shadow_sa_pool_pa,
+@@ -241,13 +241,15 @@ static u32 crypto4xx_build_pdr(struct cr
+ static void crypto4xx_destroy_pdr(struct crypto4xx_device *dev)
+ {
+-      if (dev->pdr != NULL)
++      if (dev->pdr)
+               dma_free_coherent(dev->core_dev->device,
+                                 sizeof(struct ce_pd) * PPC4XX_NUM_PD,
+                                 dev->pdr, dev->pdr_pa);
++
+       if (dev->shadow_sa_pool)
+               dma_free_coherent(dev->core_dev->device, 256 * PPC4XX_NUM_PD,
+                                 dev->shadow_sa_pool, dev->shadow_sa_pool_pa);
++
+       if (dev->shadow_sr_pool)
+               dma_free_coherent(dev->core_dev->device,
+                       sizeof(struct sa_state_record) * PPC4XX_NUM_PD,
+@@ -417,12 +419,12 @@ static u32 crypto4xx_build_sdr(struct cr
+ static void crypto4xx_destroy_sdr(struct crypto4xx_device *dev)
+ {
+-      if (dev->sdr != NULL)
++      if (dev->sdr)
+               dma_free_coherent(dev->core_dev->device,
+                                 sizeof(struct ce_sd) * PPC4XX_NUM_SD,
+                                 dev->sdr, dev->sdr_pa);
+-      if (dev->scatter_buffer_va != NULL)
++      if (dev->scatter_buffer_va)
+               dma_free_coherent(dev->core_dev->device,
+                                 dev->scatter_buffer_size * PPC4XX_NUM_SD,
+                                 dev->scatter_buffer_va,
+@@ -1191,7 +1193,7 @@ static int crypto4xx_probe(struct platfo
+       rc = crypto4xx_build_gdr(core_dev->dev);
+       if (rc)
+-              goto err_build_gdr;
++              goto err_build_pdr;
+       rc = crypto4xx_build_sdr(core_dev->dev);
+       if (rc)
+@@ -1234,12 +1236,11 @@ err_iomap:
+ err_request_irq:
+       irq_dispose_mapping(core_dev->irq);
+       tasklet_kill(&core_dev->tasklet);
+-      crypto4xx_destroy_sdr(core_dev->dev);
+ err_build_sdr:
++      crypto4xx_destroy_sdr(core_dev->dev);
+       crypto4xx_destroy_gdr(core_dev->dev);
+-err_build_gdr:
+-      crypto4xx_destroy_pdr(core_dev->dev);
+ err_build_pdr:
++      crypto4xx_destroy_pdr(core_dev->dev);
+       kfree(core_dev->dev);
+ err_alloc_dev:
+       kfree(core_dev);
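Review bot: Moving `crypto4xx_destroy_pdr()` under `err_build_pdr:` looks like it can release `dev->pdr` twice. The context at the top of the first hunk is the tail of a failure branch in crypto4xx_build_pdr() that ends a call with `dev->pdr_pa` and then returns -ENOMEM. If that call is the `dma_free_coherent()` of `dev->pdr` (the head of the branch is outside the hunk), the pointer stays non-NULL and the `if (dev->pdr)` test in crypto4xx_destroy_pdr() frees the same DMA buffer again. This assumes crypto4xx_probe() jumps to `err_build_pdr` when crypto4xx_build_pdr() fails, as the label name suggests. Either drop the local free in that branch and rely on the destroy call, or clear the pointer after it with `dev->pdr = NULL;`. None of the destroy helpers shown reset their pointers after freeing, so they are only safe to call once per device.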
diff --git a/queue-4.9/crypto-crypto4xx-remove-bad-list_del.patch b/queue-4.9/crypto-crypto4xx-remove-bad-list_del.patch
new file mode 100644 (file)
index 0000000..8106d28
--- /dev/null
@@ -0,0 +1,39 @@
+From a728a196d253530f17da5c86dc7dfbe58c5f7094 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Fri, 25 Aug 2017 15:47:14 +0200
+Subject: crypto: crypto4xx - remove bad list_del
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+commit a728a196d253530f17da5c86dc7dfbe58c5f7094 upstream.
+
+alg entries are only added to the list, after the registration
+was successful. If the registration failed, it was never added
+to the list in the first place.
+
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/amcc/crypto4xx_core.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.c
++++ b/drivers/crypto/amcc/crypto4xx_core.c
+@@ -1034,12 +1034,10 @@ int crypto4xx_register_alg(struct crypto
+                       break;
+               }
+-              if (rc) {
+-                      list_del(&alg->entry);
++              if (rc)
+                       kfree(alg);
+-              } else {
++              else
+                       list_add_tail(&alg->entry, &sec_dev->alg_list);
+-              }
+       }
+       return 0;
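Review bot: When registration fails, the rewritten branch frees `alg`, the loop moves on, and the visible tail of crypto4xx_register_alg is `return 0;`, so the caller cannot tell that an algorithm did not register. If continuing past a failed entry is deliberate, a log line in the failure branch would at least make it visible, for example `pr_warn("crypto4xx: algorithm registration failed: %d\n", rc);` (message text constructed here). Otherwise the function could remember the first non-zero `rc` and return it after the loop. The start of the loop body is outside the hunk, so an earlier return path may exist that this note does not see.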
diff --git a/queue-4.9/mtd-m25p80-consider-max-message-size-in-m25p80_read.patch b/queue-4.9/mtd-m25p80-consider-max-message-size-in-m25p80_read.patch
new file mode 100644 (file)
index 0000000..bcdefa4
--- /dev/null
@@ -0,0 +1,36 @@
+From 9e276de6a367cde07c1a63522152985d4e5cca8b Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Fri, 28 Oct 2016 07:58:46 +0200
+Subject: mtd: m25p80: consider max message size in m25p80_read
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 9e276de6a367cde07c1a63522152985d4e5cca8b upstream.
+
+Consider a message size limit when calculating the maximum amount
+of data that can be read.
+
+The message size limit has been introduced with 4.9, so cc it
+to stable.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/devices/m25p80.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/devices/m25p80.c
++++ b/drivers/mtd/devices/m25p80.c
+@@ -172,7 +172,8 @@ static ssize_t m25p80_read(struct spi_no
+       t[1].rx_buf = buf;
+       t[1].rx_nbits = m25p80_rx_nbits(nor);
+-      t[1].len = min(len, spi_max_transfer_size(spi));
++      t[1].len = min3(len, spi_max_transfer_size(spi),
++                      spi_max_message_size(spi) - t[0].len);
+       spi_message_add_tail(&t[1], &m);
+       ret = spi_sync(spi, &m);
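Review bot: `spi_max_message_size(spi) - t[0].len` in the new `min3()` is an unsigned subtraction, so a message limit at or below the command header length gives 0 or wraps to a very large value. In the wrap case the message-size limit is silently ignored, and in the zero case the read transfers no data. A guard before the assignment avoids both, for example `if (spi_max_message_size(spi) <= t[0].len) return -EINVAL;`. `t[0].len` is set outside the hunk, so the real header size should be compared with the smallest limit a controller in this queue reports (the bcm63xx patch returns `bs->fifo_size`). m25p80_read starts and ends outside the hunk.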
diff --git a/queue-4.9/ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_block.patch b/queue-4.9/ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_block.patch
new file mode 100644 (file)
index 0000000..2f8a8a1
--- /dev/null
@@ -0,0 +1,122 @@
+From 3e4c56d41eef5595035872a2ec5a483f42e8917f Mon Sep 17 00:00:00 2001
+From: alex chen <alex.chen@huawei.com>
+Date: Wed, 15 Nov 2017 17:31:44 -0800
+Subject: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
+
+From: alex chen <alex.chen@huawei.com>
+
+commit 3e4c56d41eef5595035872a2ec5a483f42e8917f upstream.
+
+ip_alloc_sem should be taken in ocfs2_get_block() when reading file in
+DIRECT mode to prevent concurrent access to extent tree with
+ocfs2_dio_end_io_write(), which may cause BUGON in the following
+situation:
+
+read file 'A'                                  end_io of writing file 'A'
+vfs_read
+ __vfs_read
+  ocfs2_file_read_iter
+   generic_file_read_iter
+    ocfs2_direct_IO
+     __blockdev_direct_IO
+      do_blockdev_direct_IO
+       do_direct_IO
+        get_more_blocks
+         ocfs2_get_block
+          ocfs2_extent_map_get_blocks
+           ocfs2_get_clusters
+            ocfs2_get_clusters_nocache()
+             ocfs2_search_extent_list
+              return the index of record which
+              contains the v_cluster, that is
+              v_cluster > rec[i]->e_cpos.
+                                                ocfs2_dio_end_io
+                                                 ocfs2_dio_end_io_write
+                                                  down_write(&oi->ip_alloc_sem);
+                                                  ocfs2_mark_extent_written
+                                                   ocfs2_change_extent_flag
+                                                    ocfs2_split_extent
+                                                     ...
+                                                 --> modify the rec[i]->e_cpos, resulting
+                                                     in v_cluster < rec[i]->e_cpos.
+             BUG_ON(v_cluster < le32_to_cpu(rec->e_cpos))
+
+[alex.chen@huawei.com: v3]
+  Link: http://lkml.kernel.org/r/59EF3614.6050008@huawei.com
+Link: http://lkml.kernel.org/r/59EF3614.6050008@huawei.com
+Fixes: c15471f79506 ("ocfs2: fix sparse file & data ordering issue in direct io")
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Reviewed-by: Gang He <ghe@suse.com>
+Acked-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/aops.c |   26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -134,6 +134,19 @@ bail:
+       return err;
+ }
++static int ocfs2_lock_get_block(struct inode *inode, sector_t iblock,
++                  struct buffer_head *bh_result, int create)
++{
++      int ret = 0;
++      struct ocfs2_inode_info *oi = OCFS2_I(inode);
++
++      down_read(&oi->ip_alloc_sem);
++      ret = ocfs2_get_block(inode, iblock, bh_result, create);
++      up_read(&oi->ip_alloc_sem);
++
++      return ret;
++}
++
+ int ocfs2_get_block(struct inode *inode, sector_t iblock,
+                   struct buffer_head *bh_result, int create)
+ {
+@@ -2120,7 +2133,7 @@ static void ocfs2_dio_free_write_ctx(str
+  * called like this: dio->get_blocks(dio->inode, fs_startblk,
+  *                                    fs_count, map_bh, dio->rw == WRITE);
+  */
+-static int ocfs2_dio_get_block(struct inode *inode, sector_t iblock,
++static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,
+                              struct buffer_head *bh_result, int create)
+ {
+       struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+@@ -2146,12 +2159,9 @@ static int ocfs2_dio_get_block(struct in
+        * while file size will be changed.
+        */
+       if (pos + total_len <= i_size_read(inode)) {
+-              down_read(&oi->ip_alloc_sem);
+-              /* This is the fast path for re-write. */
+-              ret = ocfs2_get_block(inode, iblock, bh_result, create);
+-
+-              up_read(&oi->ip_alloc_sem);
++              /* This is the fast path for re-write. */
++              ret = ocfs2_lock_get_block(inode, iblock, bh_result, create);
+               if (buffer_mapped(bh_result) &&
+                   !buffer_new(bh_result) &&
+                   ret == 0)
+@@ -2416,9 +2426,9 @@ static ssize_t ocfs2_direct_IO(struct ki
+               return 0;
+       if (iov_iter_rw(iter) == READ)
+-              get_block = ocfs2_get_block;
++              get_block = ocfs2_lock_get_block;
+       else
+-              get_block = ocfs2_dio_get_block;
++              get_block = ocfs2_dio_wr_get_block;
+       return __blockdev_direct_IO(iocb, inode, inode->i_sb->s_bdev,
+                                   iter, get_block,
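Review bot: ocfs2_lock_get_block() is added without a comment, although it now decides which callers take `ip_alloc_sem` themselves and which must not. A short header would record that, for example `/* Takes ip_alloc_sem for read around ocfs2_get_block(); callers already holding ip_alloc_sem must call ocfs2_get_block() directly. */`, since a nested down_read() can deadlock once a writer such as ocfs2_dio_end_io_write() is waiting. The `= 0` initialiser on `ret` is dead because the next statement overwrites it. The other users of ocfs2_get_block() are outside the hunk, so it should be confirmed that no direct-read path reaches the new wrapper with the semaphore already held.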
diff --git a/queue-4.9/ocfs2-subsystem.su_mutex-is-required-while-accessing-the-item-ci_parent.patch b/queue-4.9/ocfs2-subsystem.su_mutex-is-required-while-accessing-the-item-ci_parent.patch
new file mode 100644 (file)
index 0000000..dcf54db
--- /dev/null
@@ -0,0 +1,208 @@
+From 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 Mon Sep 17 00:00:00 2001
+From: alex chen <alex.chen@huawei.com>
+Date: Wed, 15 Nov 2017 17:31:48 -0800
+Subject: ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent
+
+From: alex chen <alex.chen@huawei.com>
+
+commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 upstream.
+
+The subsystem.su_mutex is required while accessing the item->ci_parent,
+otherwise, NULL pointer dereference to the item->ci_parent will be
+triggered in the following situation:
+
+add node                     delete node
+sys_write
+ vfs_write
+  configfs_write_file
+   o2nm_node_store
+    o2nm_node_local_write
+                             do_rmdir
+                              vfs_rmdir
+                               configfs_rmdir
+                                mutex_lock(&subsys->su_mutex);
+                                unlink_obj
+                                 item->ci_group = NULL;
+                                 item->ci_parent = NULL;
+        to_o2nm_cluster_from_node
+         node->nd_item.ci_parent->ci_parent
+         BUG since of NULL pointer dereference to nd_item.ci_parent
+
+Moreover, the o2nm_cluster also should be protected by the
+subsystem.su_mutex.
+
+[alex.chen@huawei.com: v2]
+  Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com
+Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/cluster/nodemanager.c |   63 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 55 insertions(+), 8 deletions(-)
+
+--- a/fs/ocfs2/cluster/nodemanager.c
++++ b/fs/ocfs2/cluster/nodemanager.c
+@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_
+               "panic",        /* O2NM_FENCE_PANIC */
+ };
++static inline void o2nm_lock_subsystem(void);
++static inline void o2nm_unlock_subsystem(void);
++
+ struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
+ {
+       struct o2nm_node *node = NULL;
+@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_clus
+ {
+       /* through the first node_set .parent
+        * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
+-      return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
++      if (node->nd_item.ci_parent)
++              return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
++      else
++              return NULL;
+ }
+ enum {
+@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struc
+                                  size_t count)
+ {
+       struct o2nm_node *node = to_o2nm_node(item);
+-      struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
++      struct o2nm_cluster *cluster;
+       unsigned long tmp;
+       char *p = (char *)page;
+       int ret = 0;
+@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struc
+           !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
+               return -EINVAL; /* XXX */
++      o2nm_lock_subsystem();
++      cluster = to_o2nm_cluster_from_node(node);
++      if (!cluster) {
++              o2nm_unlock_subsystem();
++              return -EINVAL;
++      }
++
+       write_lock(&cluster->cl_nodes_lock);
+       if (cluster->cl_nodes[tmp])
+               ret = -EEXIST;
+@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struc
+               set_bit(tmp, cluster->cl_nodes_bitmap);
+       }
+       write_unlock(&cluster->cl_nodes_lock);
++      o2nm_unlock_subsystem();
++
+       if (ret)
+               return ret;
+@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_st
+                                           size_t count)
+ {
+       struct o2nm_node *node = to_o2nm_node(item);
+-      struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
++      struct o2nm_cluster *cluster;
+       int ret, i;
+       struct rb_node **p, *parent;
+       unsigned int octets[4];
+@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_st
+               be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
+       }
++      o2nm_lock_subsystem();
++      cluster = to_o2nm_cluster_from_node(node);
++      if (!cluster) {
++              o2nm_unlock_subsystem();
++              return -EINVAL;
++      }
++
+       ret = 0;
+       write_lock(&cluster->cl_nodes_lock);
+       if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
+@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_st
+               rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
+       }
+       write_unlock(&cluster->cl_nodes_lock);
++      o2nm_unlock_subsystem();
++
+       if (ret)
+               return ret;
+@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(str
+                                    size_t count)
+ {
+       struct o2nm_node *node = to_o2nm_node(item);
+-      struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
++      struct o2nm_cluster *cluster;
+       unsigned long tmp;
+       char *p = (char *)page;
+       ssize_t ret;
+@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(str
+           !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
+               return -EINVAL; /* XXX */
++      o2nm_lock_subsystem();
++      cluster = to_o2nm_cluster_from_node(node);
++      if (!cluster) {
++              ret = -EINVAL;
++              goto out;
++      }
++
+       /* the only failure case is trying to set a new local node
+        * when a different one is already set */
+       if (tmp && tmp == cluster->cl_has_local &&
+-          cluster->cl_local_node != node->nd_num)
+-              return -EBUSY;
++          cluster->cl_local_node != node->nd_num) {
++              ret = -EBUSY;
++              goto out;
++      }
+       /* bring up the rx thread if we're setting the new local node. */
+       if (tmp && !cluster->cl_has_local) {
+               ret = o2net_start_listening(node);
+               if (ret)
+-                      return ret;
++                      goto out;
+       }
+       if (!tmp && cluster->cl_has_local &&
+@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(str
+               cluster->cl_local_node = node->nd_num;
+       }
+-      return count;
++      ret = count;
++
++out:
++      o2nm_unlock_subsystem();
++      return ret;
+ }
+ CONFIGFS_ATTR(o2nm_node_, num);
+@@ -738,6 +775,16 @@ static struct o2nm_cluster_group o2nm_cl
+       },
+ };
++static inline void o2nm_lock_subsystem(void)
++{
++      mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
++}
++
++static inline void o2nm_unlock_subsystem(void)
++{
++      mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
++}
++
+ int o2nm_depend_item(struct config_item *item)
+ {
+       return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
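Review bot: to_o2nm_cluster_from_node() can now return NULL and is only safe to call under `su_mutex`, but its comment still describes only the parent walk. Extending it with `/* Caller must hold the subsystem su_mutex; returns NULL once the node has been unlinked. */` would stop a future caller from dereferencing the result unchecked on a path that userspace can reach through configfs writes. In o2nm_node_local_store() the mutex is now held across `o2net_start_listening(node)`. That function is outside the hunk, so it is worth confirming that nothing it calls takes `su_mutex` or blocks for long.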
index 4318a594f3c2e8c352efb6bd4580f1da93e43d21..8d1de19a2519516cadbbe030be563eb59b063024 100644 (file)
@@ -5,3 +5,12 @@ compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch
 compiler-gcc.h-add-__attribute__-gnu_inline-to-all-inline-declarations.patch
 x86-asm-add-_asm_arg-constants-for-argument-registers-to-asm-asm.h.patch
 x86-paravirt-make-native_save_fl-extern-inline.patch
+ocfs2-subsystem.su_mutex-is-required-while-accessing-the-item-ci_parent.patch
+ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_block.patch
+mtd-m25p80-consider-max-message-size-in-m25p80_read.patch
+spi-bcm63xx-make-spi-subsystem-aware-of-message-size-limits.patch
+spi-bcm63xx-fix-typo-in-bcm63xx_spi_max_length-breaking-compilation.patch
+bcm63xx_enet-correct-clock-usage.patch
+bcm63xx_enet-do-not-write-to-random-dma-channel-on-bcm6345.patch
+crypto-crypto4xx-remove-bad-list_del.patch
+crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_build_sdr-leak.patch
diff --git a/queue-4.9/spi-bcm63xx-fix-typo-in-bcm63xx_spi_max_length-breaking-compilation.patch b/queue-4.9/spi-bcm63xx-fix-typo-in-bcm63xx_spi_max_length-breaking-compilation.patch
new file mode 100644 (file)
index 0000000..a199fcf
--- /dev/null
@@ -0,0 +1,42 @@
+From ccd0657c33b2c3701c5b14725284b7e671d3fb93 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Wed, 22 Feb 2017 00:30:40 +0100
+Subject: spi/bcm63xx: fix typo in bcm63xx_spi_max_length breaking compilation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+commit ccd0657c33b2c3701c5b14725284b7e671d3fb93 upstream.
+
+Fix compilation by renaming argument dev to spi as expected by the code.
+
+Fixes the following error:
+
+drivers/spi/spi-bcm63xx.c: In function ‘bcm63xx_spi_max_length’:
+drivers/spi/spi-bcm63xx.c:434:50: error: ‘spi’ undeclared (first use in this function)
+  struct bcm63xx_spi *bs = spi_master_get_devdata(spi->master);
+                                                  ^~~
+
+Fixes: 0135c03df914 ("spi/bcm63xx: make spi subsystem aware of message size limits")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-bcm63xx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -428,7 +428,7 @@ static irqreturn_t bcm63xx_spi_interrupt
+       return IRQ_HANDLED;
+ }
+-static size_t bcm63xx_spi_max_length(struct spi_device *dev)
++static size_t bcm63xx_spi_max_length(struct spi_device *spi)
+ {
+       struct bcm63xx_spi *bs = spi_master_get_devdata(spi->master);
diff --git a/queue-4.9/spi-bcm63xx-make-spi-subsystem-aware-of-message-size-limits.patch b/queue-4.9/spi-bcm63xx-make-spi-subsystem-aware-of-message-size-limits.patch
new file mode 100644 (file)
index 0000000..463ea75
--- /dev/null
@@ -0,0 +1,49 @@
+From 0135c03df914f0481c61f097c78d37cece84f330 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Mon, 20 Feb 2017 11:50:09 +0100
+Subject: spi/bcm63xx: make spi subsystem aware of message size limits
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+commit 0135c03df914f0481c61f097c78d37cece84f330 upstream.
+
+The bcm63xx SPI controller does not allow manual control of the CS
+lines and will toggle it automatically before and after sending data,
+so we are limited to messages that fit in the FIFO buffer. Since the CS
+lines aren't available as GPIOs either, we will need to make slave
+drivers aware of this limitation so they can handle them accordingly.
+
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-bcm63xx.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -428,6 +428,13 @@ static irqreturn_t bcm63xx_spi_interrupt
+       return IRQ_HANDLED;
+ }
++static size_t bcm63xx_spi_max_length(struct spi_device *dev)
++{
++      struct bcm63xx_spi *bs = spi_master_get_devdata(spi->master);
++
++      return bs->fifo_size;
++}
++
+ static const unsigned long bcm6348_spi_reg_offsets[] = {
+       [SPI_CMD]               = SPI_6348_CMD,
+       [SPI_INT_STATUS]        = SPI_6348_INT_STATUS,
+@@ -541,6 +548,8 @@ static int bcm63xx_spi_probe(struct plat
+       master->transfer_one_message = bcm63xx_spi_transfer_one;
+       master->mode_bits = MODEBITS;
+       master->bits_per_word_mask = SPI_BPW_MASK(8);
++      master->max_transfer_size = bcm63xx_spi_max_length;
++      master->max_message_size = bcm63xx_spi_max_length;
+       master->auto_runtime_pm = true;
+       bs->msg_type_shift = bs->reg_offsets[SPI_MSG_TYPE_SHIFT];
+       bs->msg_ctl_width = bs->reg_offsets[SPI_MSG_CTL_WIDTH];