--- /dev/null
+From 6d5278a68a75891db1df5ae1ecf83d288fc58c65 Mon Sep 17 00:00:00 2001
+From: Samir Benmendil <samir.benmendil@gmail.com>
+Date: Sun, 17 Nov 2013 23:56:17 +0100
+Subject: ahci: add Marvell 9230 to the AHCI PCI device list
+
+From: Samir Benmendil <samir.benmendil@gmail.com>
+
+commit 6d5278a68a75891db1df5ae1ecf83d288fc58c65 upstream.
+
+Tested with a DAWICONTROL DC-624e on 3.10.10
+
+Signed-off-by: Samir Benmendil <samir.benmendil@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Levente Kurusa <levex@linux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -402,6 +402,8 @@ static const struct pci_device_id ahci_p
+ .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */
+ { PCI_DEVICE(0x1b4b, 0x91a3),
+ .driver_data = board_ahci_yes_fbs },
++ { PCI_DEVICE(0x1b4b, 0x9230),
++ .driver_data = board_ahci_yes_fbs },
+
+ /* Promise */
+ { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */
--- /dev/null
+From 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 Mon Sep 17 00:00:00 2001
+From: xiangliang yu <yxlraid@gmail.com>
+Date: Sun, 27 Oct 2013 08:03:04 -0400
+Subject: ahci: disabled FBS prior to issuing software reset
+
+From: xiangliang yu <yxlraid@gmail.com>
+
+commit 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 upstream.
+
+Tested with Marvell 88se9125, attached with one port mulitplier(5 ports)
+and one disk, we will get following boot log messages if using current
+code:
+
+ ata8: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
+ ata8.15: Port Multiplier 1.2, 0x1b4b:0x9715 r160, 5 ports, feat 0x1/0x1f
+ ahci 0000:03:00.0: FBS is enabled
+ ata8.00: hard resetting link
+ ata8.00: SATA link down (SStatus 0 SControl 330)
+ ata8.01: hard resetting link
+ ata8.01: SATA link down (SStatus 0 SControl 330)
+ ata8.02: hard resetting link
+ ata8.02: SATA link down (SStatus 0 SControl 330)
+ ata8.03: hard resetting link
+ ata8.03: SATA link up 6.0 Gbps (SStatus 133 SControl 133)
+ ata8.04: hard resetting link
+ ata8.04: failed to resume link (SControl 133)
+ ata8.04: failed to read SCR 0 (Emask=0x40)
+ ata8.04: failed to read SCR 0 (Emask=0x40)
+ ata8.04: failed to read SCR 1 (Emask=0x40)
+ ata8.04: failed to read SCR 0 (Emask=0x40)
+ ata8.03: native sectors (2) is smaller than sectors (976773168)
+ ata8.03: ATA-8: ST3500413AS, JC4B, max UDMA/133
+ ata8.03: 976773168 sectors, multi 0: LBA48 NCQ (depth 31/32)
+ ata8.03: configured for UDMA/133
+ ata8.04: failed to IDENTIFY (I/O error, err_mask=0x100)
+ ata8.15: hard resetting link
+ ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
+ ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
+ ata8.15: PMP revalidation failed (errno=-19)
+ ata8.15: hard resetting link
+ ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
+ ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
+ ata8.15: PMP revalidation failed (errno=-19)
+ ata8.15: limiting SATA link speed to 3.0 Gbps
+ ata8.15: hard resetting link
+ ata8.15: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
+ ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
+ ata8.15: PMP revalidation failed (errno=-19)
+ ata8.15: failed to recover PMP after 5 tries, giving up
+ ata8.15: Port Multiplier detaching
+ ata8.03: disabled
+ ata8.00: disabled
+ ata8: EH complete
+
+The reason is that current detection code doesn't follow AHCI spec:
+
+First,the port multiplier detection process look like this:
+
+ ahci_hardreset(link, class, deadline)
+ if (class == ATA_DEV_PMP) {
+ sata_pmp_attach(dev) /* will enable FBS */
+ sata_pmp_init_links(ap, nr_ports);
+ ata_for_each_link(link, ap, EDGE) {
+ sata_std_hardreset(link, class, deadline);
+ if (link_is_online) /* do soft reset */
+ ahci_softreset(link, class, deadline);
+ }
+ }
+But, according to chapter 9.3.9 in AHCI spec: Prior to issuing software
+reset, software shall clear PxCMD.ST to '0' and then clear PxFBS.EN to
+'0'.
+
+The patch test ok with kernel 3.11.1.
+
+tj: Patch white space contaminated, applied manually with trivial
+ updates.
+
+Signed-off-by: Xiangliang Yu <yuxiangl@marvell.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libahci.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1249,9 +1249,11 @@ int ahci_do_softreset(struct ata_link *l
+ {
+ struct ata_port *ap = link->ap;
+ struct ahci_host_priv *hpriv = ap->host->private_data;
++ struct ahci_port_priv *pp = ap->private_data;
+ const char *reason = NULL;
+ unsigned long now, msecs;
+ struct ata_taskfile tf;
++ bool fbs_disabled = false;
+ int rc;
+
+ DPRINTK("ENTER\n");
+@@ -1261,6 +1263,16 @@ int ahci_do_softreset(struct ata_link *l
+ if (rc && rc != -EOPNOTSUPP)
+ ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc);
+
++ /*
++ * According to AHCI-1.2 9.3.9: if FBS is enable, software shall
++ * clear PxFBS.EN to '0' prior to issuing software reset to devices
++ * that is attached to port multiplier.
++ */
++ if (!ata_is_host_link(link) && pp->fbs_enabled) {
++ ahci_disable_fbs(ap);
++ fbs_disabled = true;
++ }
++
+ ata_tf_init(link->device, &tf);
+
+ /* issue the first D2H Register FIS */
+@@ -1301,6 +1313,10 @@ int ahci_do_softreset(struct ata_link *l
+ } else
+ *class = ahci_dev_classify(ap);
+
++ /* re-enable FBS if disabled before */
++ if (fbs_disabled)
++ ahci_enable_fbs(ap);
++
+ DPRINTK("EXIT, class=%u\n", *class);
+ return 0;
+
--- /dev/null
+From dcb9917ba041866686fe152850364826c4622a36 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 31 Oct 2013 23:00:24 -0400
+Subject: ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit dcb9917ba041866686fe152850364826c4622a36 upstream.
+
+Reported-by: Dave Jones <davej@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1270,6 +1270,7 @@ retry:
+ new_extra_isize = s_min_extra_isize;
+ kfree(is); is = NULL;
+ kfree(bs); bs = NULL;
++ brelse(bh);
+ goto retry;
+ }
+ error = -1;
--- /dev/null
+From 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 4 Oct 2013 09:29:06 -0400
+Subject: IB/ipath: Convert ipath_user_sdma_pin_pages() to use get_user_pages_fast()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 upstream.
+
+ipath_user_sdma_queue_pkts() gets called with mmap_sem held for
+writing. Except for get_user_pages() deep down in
+ipath_user_sdma_pin_pages() we don't seem to need mmap_sem at all.
+
+Even more interestingly the function ipath_user_sdma_queue_pkts() (and
+also ipath_user_sdma_coalesce() called somewhat later) call
+copy_from_user() which can hit a page fault and we deadlock on trying
+to get mmap_sem when handling that fault. So just make
+ipath_user_sdma_pin_pages() use get_user_pages_fast() and leave
+mmap_sem locking for mm.
+
+This deadlock has actually been observed in the wild when the node
+is under memory pressure.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+[ Merged in fix for call to get_user_pages_fast from Tetsuo Handa
+ <penguin-kernel@I-love.SAKURA.ne.jp>. - Roland ]
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ipath/ipath_user_sdma.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c
++++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c
+@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(con
+ int j;
+ int ret;
+
+- ret = get_user_pages(current, current->mm, addr,
+- npages, 0, 1, pages, NULL);
+-
++ ret = get_user_pages_fast(addr, npages, 0, pages);
+ if (ret != npages) {
+ int i;
+
+@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_
+ while (dim) {
+ const int mxp = 8;
+
+- down_write(¤t->mm->mmap_sem);
+ ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp);
+- up_write(¤t->mm->mmap_sem);
+-
+ if (ret <= 0)
+ goto done_unlock;
+ else {
--- /dev/null
+From 86784c6bdeeef78eed94d298be7a8879f6a97ee2 Mon Sep 17 00:00:00 2001
+From: Eric Seppanen <eric@purestorage.com>
+Date: Wed, 20 Nov 2013 14:19:52 -0800
+Subject: iscsi-target: chap auth shouldn't match username with trailing garbage
+
+From: Eric Seppanen <eric@purestorage.com>
+
+commit 86784c6bdeeef78eed94d298be7a8879f6a97ee2 upstream.
+
+In iSCSI negotiations with initiator CHAP enabled, usernames with
+trailing garbage are permitted, because the string comparison only
+checks the strlen of the configured username.
+
+e.g. "usernameXXXXX" will be permitted to match "username".
+
+Just check one more byte so the trailing null char is also matched.
+
+Signed-off-by: Eric Seppanen <eric@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -174,6 +174,7 @@ static int chap_server_compute_md5(
+ unsigned char client_digest[MD5_SIGNATURE_SIZE];
+ unsigned char server_digest[MD5_SIGNATURE_SIZE];
+ unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH];
++ size_t compare_len;
+ struct iscsi_chap *chap = conn->auth_protocol;
+ struct crypto_hash *tfm;
+ struct hash_desc desc;
+@@ -212,7 +213,9 @@ static int chap_server_compute_md5(
+ goto out;
+ }
+
+- if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) {
++ /* Include the terminating NULL in the compare */
++ compare_len = strlen(auth->userid) + 1;
++ if (strncmp(chap_n, auth->userid, compare_len) != 0) {
+ pr_err("CHAP_N values do not match!\n");
+ goto out;
+ }
--- /dev/null
+From 369653e4fb511928511b0ce81f41c812ff1f28b6 Mon Sep 17 00:00:00 2001
+From: Eric Seppanen <eric@purestorage.com>
+Date: Wed, 20 Nov 2013 14:19:51 -0800
+Subject: iscsi-target: fix extract_param to handle buffer length corner case
+
+From: Eric Seppanen <eric@purestorage.com>
+
+commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream.
+
+extract_param() is called with max_length set to the total size of the
+output buffer. It's not safe to allow a parameter length equal to the
+buffer size as the terminating null would be written one byte past the
+end of the output buffer.
+
+Signed-off-by: Eric Seppanen <eric@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_nego.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -89,7 +89,7 @@ int extract_param(
+ if (len < 0)
+ return -1;
+
+- if (len > max_length) {
++ if (len >= max_length) {
+ pr_err("Length of input: %d exceeds max_length:"
+ " %d\n", len, max_length);
+ return -1;
--- /dev/null
+From 3ec981e30fae1f3c8728a05c730acaa1f627bcfb Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 14 Oct 2013 12:12:24 -0400
+Subject: loop: fix crash if blk_alloc_queue fails
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 3ec981e30fae1f3c8728a05c730acaa1f627bcfb upstream.
+
+loop: fix crash if blk_alloc_queue fails
+
+If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the
+identifier allocated with idr_alloc. That causes crash on module unload in
+idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to
+remove non-existed device with that id.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000380
+IP: [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
+PGD 43d399067 PUD 43d0ad067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but!
+ ton unix
+CPU: 7 PID: 2735 Comm: rmmod Tainted: G W 3.10.15-devel #15
+Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009
+task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000
+RIP: 0010:[<ffffffff812057c9>] [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
+RSP: 0018:ffff88043d21fe10 EFLAGS: 00010282
+RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000
+RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff
+R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800
+FS: 00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Stack:
+ ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800
+ 00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60
+ ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec
+Call Trace:
+ [<ffffffff8100aba4>] ? native_sched_clock+0x24/0x80
+ [<ffffffffa05102b4>] loop_remove+0x14/0x40 [loop]
+ [<ffffffffa05102ec>] loop_exit_cb+0xc/0x10 [loop]
+ [<ffffffff81217b74>] idr_for_each+0x104/0x190
+ [<ffffffffa05102e0>] ? loop_remove+0x40/0x40 [loop]
+ [<ffffffff8109adc5>] ? trace_hardirqs_on_caller+0x105/0x1d0
+ [<ffffffffa05135dc>] loop_exit+0x34/0xa58 [loop]
+ [<ffffffff810a98ea>] SyS_delete_module+0x13a/0x260
+ [<ffffffff81221d5e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
+Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00
+00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20
+RIP [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
+ RSP <ffff88043d21fe10>
+CR2: 0000000000000380
+---[ end trace 64ec069ec70f1309 ]---
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1636,7 +1636,7 @@ static int loop_add(struct loop_device *
+
+ lo->lo_queue = blk_alloc_queue(GFP_KERNEL);
+ if (!lo->lo_queue)
+- goto out_free_dev;
++ goto out_free_idr;
+
+ disk = lo->lo_disk = alloc_disk(1 << part_shift);
+ if (!disk)
+@@ -1680,6 +1680,8 @@ static int loop_add(struct loop_device *
+
+ out_free_queue:
+ blk_cleanup_queue(lo->lo_queue);
++out_free_idr:
++ idr_remove(&loop_index_idr, i);
+ out_free_dev:
+ kfree(lo);
+ out:
--- /dev/null
+From 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 Mon Sep 17 00:00:00 2001
+From: Huang Shijie <b32955@freescale.com>
+Date: Mon, 11 Nov 2013 12:13:45 +0800
+Subject: mtd: gpmi: fix kernel BUG due to racing DMA operations
+
+From: Huang Shijie <b32955@freescale.com>
+
+commit 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 upstream.
+
+[1] The gpmi uses the nand_command_lp to issue the commands to NAND chips.
+ The gpmi issues a DMA operation with gpmi_cmd_ctrl when it handles
+ a NAND_CMD_NONE control command. So when we read a page(NAND_CMD_READ0)
+ from the NAND, we may send two DMA operations back-to-back.
+
+ If we do not serialize the two DMA operations, we will meet a bug when
+
+ 1.1) we enable CONFIG_DMA_API_DEBUG, CONFIG_DMADEVICES_DEBUG,
+ and CONFIG_DEBUG_SG.
+
+ 1.2) Use the following commands in an UART console and a SSH console:
+ cmd 1: while true;do dd if=/dev/mtd0 of=/dev/null;done
+ cmd 1: while true;do dd if=/dev/mmcblk0 of=/dev/null;done
+
+ The kernel log shows below:
+ -----------------------------------------------------------------
+ kernel BUG at lib/scatterlist.c:28!
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ .........................
+ [<80044a0c>] (__bug+0x18/0x24) from [<80249b74>] (sg_next+0x48/0x4c)
+ [<80249b74>] (sg_next+0x48/0x4c) from [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4)
+ [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) from [<8004af58>] (dma_unmap_sg+0x14/0x6c)
+ [<8004af58>] (dma_unmap_sg+0x14/0x6c) from [<8027e594>] (mxs_dma_tasklet+0x18/0x1c)
+ [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) from [<8007d444>] (tasklet_action+0x114/0x164)
+ -----------------------------------------------------------------
+
+ 1.3) Assume the two DMA operations is X (first) and Y (second).
+
+ The root cause of the bug:
+ Assume process P issues DMA X, and sleep on the completion
+ @this->dma_done. X's tasklet callback is dma_irq_callback. It firstly
+ wake up the process sleeping on the completion @this->dma_done,
+ and then trid to unmap the scatterlist S. The waked process P will
+ issue Y in another ARM core. Y initializes S->sg_magic to zero
+ with sg_init_one(), while dma_irq_callback is unmapping S at the same
+ time.
+
+ See the diagram:
+
+ ARM core 0 | ARM core 1
+ -------------------------------------------------------------
+ (P issues DMA X, then sleep) --> |
+ |
+ (X's tasklet wakes P) --> |
+ |
+ | <-- (P begin to issue DMA Y)
+ |
+ (X's tasklet unmap the |
+ scatterlist S with dma_unmap_sg) --> | <-- (Y calls sg_init_one() to init
+ | scatterlist S)
+ |
+
+[2] This patch serialize both the X and Y in the following way:
+ Unmap the DMA scatterlist S firstly, and wake up the process at the end
+ of the DMA callback, in such a way, Y will be executed after X.
+
+ After this patch:
+
+ ARM core 0 | ARM core 1
+ -------------------------------------------------------------
+ (P issues DMA X, then sleep) --> |
+ |
+ (X's tasklet unmap the |
+ scatterlist S with dma_unmap_sg) --> |
+ |
+ (X's tasklet wakes P) --> |
+ |
+ | <-- (P begin to issue DMA Y)
+ |
+ | <-- (Y calls sg_init_one() to init
+ | scatterlist S)
+ |
+
+Signed-off-by: Huang Shijie <b32955@freescale.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+@@ -227,8 +227,6 @@ static void dma_irq_callback(void *param
+ struct gpmi_nand_data *this = param;
+ struct completion *dma_c = &this->dma_done;
+
+- complete(dma_c);
+-
+ switch (this->dma_type) {
+ case DMA_FOR_COMMAND:
+ dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE);
+@@ -253,6 +251,8 @@ static void dma_irq_callback(void *param
+ default:
+ pr_err("in wrong DMA operation.\n");
+ }
++
++ complete(dma_c);
+ }
+
+ int start_dma_without_bch_irq(struct gpmi_nand_data *this,
--- /dev/null
+From a4d62babf988fe5dfde24437fa135ef147bc7aa0 Mon Sep 17 00:00:00 2001
+From: Wang Haitao <wang.haitao1@zte.com.cn>
+Date: Thu, 22 Aug 2013 19:32:38 +0800
+Subject: mtd: map: fixed bug in 64-bit systems
+
+From: Wang Haitao <wang.haitao1@zte.com.cn>
+
+commit a4d62babf988fe5dfde24437fa135ef147bc7aa0 upstream.
+
+Hardware:
+ CPU: XLP832,the 64-bit OS
+ NOR Flash:S29GL128S 128M
+Software:
+ Kernel:2.6.32.41
+ Filesystem:JFFS2
+When writing files, errors appear:
+ Write len 182 but return retlen 180
+ Write of 182 bytes at 0x072c815c failed. returned -5, retlen 180
+ Write len 186 but return retlen 184
+ Write of 186 bytes at 0x072caff4 failed. returned -5, retlen 184
+These errors exist only in 64-bit systems,not in 32-bit systems. After analysis, we
+found that the left shift operation is wrong in map_word_load_partial. For instance:
+ unsigned char buf[3] ={0x9e,0x3a,0xea};
+ map_bankwidth(map) is 4;
+ for (i=0; i < 3; i++) {
+ int bitpos;
+ bitpos = (map_bankwidth(map)-1-i)*8;
+ orig.x[0] &= ~(0xff << bitpos);
+ orig.x[0] |= buf[i] << bitpos;
+ }
+
+The value of orig.x[0] is expected to be 0x9e3aeaff, but in this situation(64-bit
+System) we'll get the wrong value of 0xffffffff9e3aeaff due to the 64-bit sign
+extension:
+buf[i] is defined as "unsigned char" and the left-shift operation will convert it
+to the type of "signed int", so when left-shift buf[i] by 24 bits, the final result
+will get the wrong value: 0xffffffff9e3aeaff.
+
+If the left-shift bits are less than 24, then sign extension will not occur. Whereas
+the bankwidth of the nor flash we used is 4, therefore this BUG emerges.
+
+Signed-off-by: Pang Xunlei <pang.xunlei@zte.com.cn>
+Signed-off-by: Zhang Yi <zhang.yi20@zte.com.cn>
+Signed-off-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mtd/map.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -362,7 +362,7 @@ static inline map_word map_word_load_par
+ bitpos = (map_bankwidth(map)-1-i)*8;
+ #endif
+ orig.x[0] &= ~(0xff << bitpos);
+- orig.x[0] |= buf[i-start] << bitpos;
++ orig.x[0] |= (unsigned long)buf[i-start] << bitpos;
+ }
+ }
+ return orig;
+@@ -381,7 +381,7 @@ static inline map_word map_word_ff(struc
+
+ if (map_bankwidth(map) < MAP_FF_LIMIT) {
+ int bw = 8 * map_bankwidth(map);
+- r.x[0] = (1 << bw) - 1;
++ r.x[0] = (1UL << bw) - 1;
+ } else {
+ for (i=0; i<map_words(map); i++)
+ r.x[i] = ~0UL;
--- /dev/null
+From 4355b70cf48363c50a9de450b01178c83aba8f6a Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Tue, 27 Aug 2013 18:45:10 -0700
+Subject: mtd: nand: hack ONFI for non-power-of-2 dimensions
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 4355b70cf48363c50a9de450b01178c83aba8f6a upstream.
+
+Some bright specification writers decided to write this in the ONFI spec
+(from ONFI 3.0, Section 3.1):
+
+ "The number of blocks and number of pages per block is not required to
+ be a power of two. In the case where one of these values is not a
+ power of two, the corresponding address shall be rounded to an
+ integral number of bits such that it addresses a range up to the
+ subsequent power of two value. The host shall not access upper
+ addresses in a range that is shown as not supported."
+
+This breaks every assumption MTD makes about NAND block/chip-size
+dimensions -- they *must* be a power of two!
+
+And of course, an enterprising manufacturer has made use of this lovely
+freedom. Exhibit A: Micron MT29F32G08CBADAWP
+
+ "- Plane size: 2 planes x 1064 blocks per plane
+ - Device size: 32Gb: 2128 blockss [sic]"
+
+This quickly hits a BUG() in nand_base.c, since the extra dimensions
+overflow so we think it's a second chip (on my single-chip setup):
+
+ ONFI param page 0 valid
+ ONFI flash detected
+ NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744
+ ------------[ cut here ]------------
+ kernel BUG at drivers/mtd/nand/nand_base.c:203!
+ Internal error: Oops - BUG: 0 [#1] SMP ARM
+ [... trim ...]
+ [<c02cf3e4>] (nand_select_chip+0x18/0x2c) from [<c02d25c0>] (nand_do_read_ops+0x90/0x424)
+ [<c02d25c0>] (nand_do_read_ops+0x90/0x424) from [<c02d2dd8>] (nand_read+0x54/0x78)
+ [<c02d2dd8>] (nand_read+0x54/0x78) from [<c02ad2c8>] (mtd_read+0x84/0xbc)
+ [<c02ad2c8>] (mtd_read+0x84/0xbc) from [<c02d4b28>] (scan_read.clone.4+0x4c/0x64)
+ [<c02d4b28>] (scan_read.clone.4+0x4c/0x64) from [<c02d4c88>] (search_bbt+0x148/0x290)
+ [<c02d4c88>] (search_bbt+0x148/0x290) from [<c02d4ea4>] (nand_scan_bbt+0xd4/0x5c0)
+ [... trim ...]
+ ---[ end trace 0c9363860d865ff2 ]---
+
+So to fix this, just truncate these dimensions down to the greatest
+power-of-2 dimension that is less than or equal to the specified
+dimension.
+
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2888,10 +2888,21 @@ static int nand_flash_detect_onfi(struct
+ sanitize_string(p->model, sizeof(p->model));
+ if (!mtd->name)
+ mtd->name = p->model;
++
+ mtd->writesize = le32_to_cpu(p->byte_per_page);
+- mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize;
++
++ /*
++ * pages_per_block and blocks_per_lun may not be a power-of-2 size
++ * (don't ask me who thought of this...). MTD assumes that these
++ * dimensions will be power-of-2, so just truncate the remaining area.
++ */
++ mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
++ mtd->erasesize *= mtd->writesize;
++
+ mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
+- chip->chipsize = le32_to_cpu(p->blocks_per_lun);
++
++ /* See erasesize comment */
++ chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
+ chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
+ *busw = 0;
+ if (le16_to_cpu(p->features) & 1)
--- /dev/null
+From eafbdde9c5629bea58df07275c5917eb42afbbe7 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 10 Nov 2013 22:11:16 -0600
+Subject: rtlwifi: rtl8192cu: Fix more pointer arithmetic errors
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit eafbdde9c5629bea58df07275c5917eb42afbbe7 upstream.
+
+This driver uses a number of macros to get and set various fields in the
+RX and TX descriptors. To work correctly, a u8 pointer to the descriptor
+must be used; however, in some cases a descriptor structure pointer is used
+instead. In addition, a duplicated statement is removed.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/mac.c | 6 +++---
+ drivers/net/wireless/rtlwifi/rtl8192cu/trx.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
+@@ -762,7 +762,7 @@ static long _rtl92c_signal_scale_mapping
+
+ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw,
+ struct rtl_stats *pstats,
+- struct rx_desc_92c *pdesc,
++ struct rx_desc_92c *p_desc,
+ struct rx_fwinfo_92c *p_drvinfo,
+ bool packet_match_bssid,
+ bool packet_toself,
+@@ -777,11 +777,11 @@ static void _rtl92c_query_rxphystatus(st
+ u32 rssi, total_rssi = 0;
+ bool in_powersavemode = false;
+ bool is_cck_rate;
++ u8 *pdesc = (u8 *)p_desc;
+
+- is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc);
++ is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc);
+ pstats->packet_matchbssid = packet_match_bssid;
+ pstats->packet_toself = packet_toself;
+- pstats->is_cck = is_cck_rate;
+ pstats->packet_beacon = packet_beacon;
+ pstats->is_cck = is_cck_rate;
+ pstats->RX_SIGQ[0] = -1;
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
+@@ -303,10 +303,10 @@ out:
+ bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw,
+ struct rtl_stats *stats,
+ struct ieee80211_rx_status *rx_status,
+- u8 *p_desc, struct sk_buff *skb)
++ u8 *pdesc, struct sk_buff *skb)
+ {
+ struct rx_fwinfo_92c *p_drvinfo;
+- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc;
++ struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc;
+ u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc);
+
+ stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc);
+@@ -345,7 +345,7 @@ bool rtl92cu_rx_query_desc(struct ieee80
+ if (phystatus) {
+ p_drvinfo = (struct rx_fwinfo_92c *)(skb->data +
+ stats->rx_bufshift);
+- rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc,
++ rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc,
+ p_drvinfo);
+ }
+ /*rx_status->qual = stats->signal; */
--- /dev/null
+From 3aef7dde8dcf09e0124f0a2665845a507331972b Mon Sep 17 00:00:00 2001
+From: Felipe Pena <felipensp@gmail.com>
+Date: Fri, 18 Oct 2013 21:52:40 -0300
+Subject: rtlwifi: rtl8192se: Fix wrong assignment
+
+From: Felipe Pena <felipensp@gmail.com>
+
+commit 3aef7dde8dcf09e0124f0a2665845a507331972b upstream.
+
+There is a typo in the struct member name on assignment when checking
+rtlphy->current_chan_bw == HT_CHANNEL_WIDTH_20_40, the check uses pwrgroup_ht40
+for bound limit and uses pwrgroup_ht20 when assigning instead.
+
+Signed-off-by: Felipe Pena <felipensp@gmail.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192se/rf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
+@@ -268,7 +268,7 @@ static void _rtl92s_get_txpower_writeval
+ rtlefuse->pwrgroup_ht40
+ [RF90_PATH_A][chnl - 1]) {
+ pwrdiff_limit[i] =
+- rtlefuse->pwrgroup_ht20
++ rtlefuse->pwrgroup_ht40
+ [RF90_PATH_A][chnl - 1];
+ }
+ } else {
libata-fix-display-of-sata-speed.patch
drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch
vsprintf-check-real-user-group-id-for-pk.patch
+rtlwifi-rtl8192se-fix-wrong-assignment.patch
+rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch
+ahci-disabled-fbs-prior-to-issuing-software-reset.patch
+ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch
+iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch
+iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch
+ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch
+loop-fix-crash-if-blk_alloc_queue-fails.patch
+mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch
+mtd-map-fixed-bug-in-64-bit-systems.patch
+mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch
+ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch
+xen-blkback-fix-reference-counting.patch
--- /dev/null
+From ea5ec76d76da9279d12027c1828544c5ccbe7932 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 5 Sep 2013 13:00:14 +0200
+Subject: xen/blkback: fix reference counting
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit ea5ec76d76da9279d12027c1828544c5ccbe7932 upstream.
+
+If the permission check fails, we drop a reference to the blkif without
+having taken it in the first place. The bug was introduced in commit
+604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (xen/blkback: Check device
+permissions before allowing OP_DISCARD).
+
+Cc: Jan Beulich <JBeulich@suse.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/blkback.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -401,6 +401,8 @@ static int dispatch_discard_io(struct xe
+ unsigned long secure;
+ struct phys_req preq;
+
++ xen_blkif_get(blkif);
++
+ preq.sector_number = req->u.discard.sector_number;
+ preq.nr_sects = req->u.discard.nr_sectors;
+
+@@ -413,7 +415,6 @@ static int dispatch_discard_io(struct xe
+ }
+ blkif->st_ds_req++;
+
+- xen_blkif_get(blkif);
+ secure = (blkif->vbd.discard_secure &&
+ (req->u.discard.flag & BLKIF_DISCARD_SECURE)) ?
+ BLKDEV_DISCARD_SECURE : 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
