--- /dev/null
+From 9dd4b2944c46e1fdbd0a516c221c8a2670cbf005 Mon Sep 17 00:00:00 2001
+From: Rob Herring <rob.herring@calxeda.com>
+Date: Thu, 29 Aug 2013 07:43:52 -0500
+Subject: ARM: xen: only set pm function ptrs for Xen guests
+
+From: Rob Herring <rob.herring@calxeda.com>
+
+commit 9dd4b2944c46e1fdbd0a516c221c8a2670cbf005 upstream.
+
+xen_pm_init was unconditionally setting pm_power_off and arm_pm_restart
+function pointers. This breaks multi-platform kernels. Make this
+conditional on running as a Xen guest and make it a late_initcall to
+ensure it is setup after platform code for Dom0.
+
+Signed-off-by: Rob Herring <rob.herring@calxeda.com>
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/xen/enlighten.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/xen/enlighten.c
++++ b/arch/arm/xen/enlighten.c
+@@ -273,12 +273,15 @@ core_initcall(xen_guest_init);
+
+ static int __init xen_pm_init(void)
+ {
++ if (!xen_domain())
++ return -ENODEV;
++
+ pm_power_off = xen_power_off;
+ arm_pm_restart = xen_restart;
+
+ return 0;
+ }
+-subsys_initcall(xen_pm_init);
++late_initcall(xen_pm_init);
+
+ static irqreturn_t xen_arm_callback(int irq, void *arg)
+ {
--- /dev/null
+From 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun, 8 Sep 2013 14:33:50 +1000
+Subject: crypto: api - Fix race condition in larval lookup
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa upstream.
+
+crypto_larval_lookup should only return a larval if it created one.
+Any larval created by another entity must be processed through
+crypto_larval_wait before being returned.
+
+Otherwise this will lead to a larval being killed twice, which
+will most likely lead to a crash.
+
+Reported-by: Kees Cook <keescook@chromium.org>
+Tested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/api.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
+ BLOCKING_NOTIFIER_HEAD(crypto_chain);
+ EXPORT_SYMBOL_GPL(crypto_chain);
+
++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
++
+ struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
+ {
+ return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
+@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_
+ }
+ up_write(&crypto_alg_sem);
+
+- if (alg != &larval->alg)
++ if (alg != &larval->alg) {
+ kfree(larval);
++ if (crypto_is_larval(alg))
++ alg = crypto_larval_wait(alg);
++ }
+
+ return alg;
+ }
--- /dev/null
+From 363edbe2614aa90df706c0f19ccfa2a6c06af0be Mon Sep 17 00:00:00 2001
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Fri, 6 Sep 2013 00:25:06 +0530
+Subject: powerpc: Default arch idle could cede processor on pseries
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+commit 363edbe2614aa90df706c0f19ccfa2a6c06af0be upstream.
+
+When adding cpuidle support to pSeries, we introduced two
+regressions:
+
+ - The new cpuidle backend driver only works under hypervisors
+ supporting the "SLPLAR" option, which isn't the case of the
+ old POWER4 hypervisor and the HV "light" used on js2x blades
+
+ - The cpuidle driver registers fairly late, meaning that for
+ a significant portion of the boot process, we end up having
+ all threads spinning. This slows down the boot process and
+ increases the overall resource usage if the hypervisor has
+ shared processors.
+
+This fixes both by implementing a "default" idle that will cede
+to the hypervisor when possible, in a very simple way without
+all the bells and whisles of cpuidle.
+
+Reported-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Acked-by: Deepthi Dharwar <deepthi@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/setup.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -354,7 +354,7 @@ static int alloc_dispatch_log_kmem_cache
+ }
+ early_initcall(alloc_dispatch_log_kmem_cache);
+
+-static void pSeries_idle(void)
++static void pseries_lpar_idle(void)
+ {
+ /* This would call on the cpuidle framework, and the back-end pseries
+ * driver to go to idle states
+@@ -362,10 +362,22 @@ static void pSeries_idle(void)
+ if (cpuidle_idle_call()) {
+ /* On error, execute default handler
+ * to go into low thread priority and possibly
+- * low power mode.
++ * low power mode by cedeing processor to hypervisor
+ */
+- HMT_low();
+- HMT_very_low();
++
++ /* Indicate to hypervisor that we are idle. */
++ get_lppaca()->idle = 1;
++
++ /*
++ * Yield the processor to the hypervisor. We return if
++ * an external interrupt occurs (which are driven prior
++ * to returning here) or if a prod occurs from another
++ * processor. When returning here, external interrupts
++ * are enabled.
++ */
++ cede_processor();
++
++ get_lppaca()->idle = 0;
+ }
+ }
+
+@@ -456,15 +468,14 @@ static void __init pSeries_setup_arch(vo
+
+ pSeries_nvram_init();
+
+- if (firmware_has_feature(FW_FEATURE_SPLPAR)) {
++ if (firmware_has_feature(FW_FEATURE_LPAR)) {
+ vpa_init(boot_cpuid);
+- ppc_md.power_save = pSeries_idle;
+- }
+-
+- if (firmware_has_feature(FW_FEATURE_LPAR))
++ ppc_md.power_save = pseries_lpar_idle;
+ ppc_md.enable_pmcs = pseries_lpar_enable_pmcs;
+- else
++ } else {
++ /* No special idle routine */
+ ppc_md.enable_pmcs = power4_enable_pmcs;
++ }
+
+ ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare;
+
--- /dev/null
+From 230aef7a6a23b6166bd4003bfff5af23c9bd381f Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Wed, 7 Aug 2013 02:01:19 +1000
+Subject: powerpc: Handle unaligned ldbrx/stdbrx
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 230aef7a6a23b6166bd4003bfff5af23c9bd381f upstream.
+
+Normally when we haven't implemented an alignment handler for
+a load or store instruction the process will be terminated.
+
+The alignment handler uses the DSISR (or a pseudo one) to locate
+the right handler. Unfortunately ldbrx and stdbrx overlap lfs and
+stfs so we incorrectly think ldbrx is an lfs and stdbrx is an
+stfs.
+
+This bug is particularly nasty - instead of terminating the
+process we apply an incorrect fixup and continue on.
+
+With more and more overlapping instructions we should stop
+creating a pseudo DSISR and index using the instruction directly,
+but for now add a special case to catch ldbrx/stdbrx.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/align.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/align.c
++++ b/arch/powerpc/kernel/align.c
+@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs)
+ nb = aligninfo[instr].len;
+ flags = aligninfo[instr].flags;
+
++ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
++ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
++ nb = 8;
++ flags = LD+SW;
++ } else if (IS_XFORM(instruction) &&
++ ((instruction >> 1) & 0x3ff) == 660) {
++ nb = 8;
++ flags = ST+SW;
++ }
++
+ /* Byteswap little endian loads and stores */
+ swiz = 0;
+ if (regs->msr & MSR_LE) {
--- /dev/null
+From 984f1733fcee3fbc78d47e26c5096921c5d9946a Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 6 Sep 2013 11:49:51 -0400
+Subject: SCSI: sd: Fix potential out-of-bounds access
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream.
+
+This patch fixes an out-of-bounds error in sd_read_cache_type(), found
+by Google's AddressSanitizer tool. When the loop ends, we know that
+"offset" lies beyond the end of the data in the buffer, so no Caching
+mode page was found. In theory it may be present, but the buffer size
+is limited to 512 bytes.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2409,14 +2409,9 @@ sd_read_cache_type(struct scsi_disk *sdk
+ }
+ }
+
+- if (modepage == 0x3F) {
+- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
+- "present\n");
+- goto defaults;
+- } else if ((buffer[offset] & 0x3f) != modepage) {
+- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
+- goto defaults;
+- }
++ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
++ goto defaults;
++
+ Page_found:
+ if (modepage == 8) {
+ sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
scsi-allow-mpt-fusion-sas-3.0-driver-to-be-built-into-the-kernel.patch
+ubi-fix-peb-leak-in-wear_leveling_worker.patch
+scsi-sd-fix-potential-out-of-bounds-access.patch
+crypto-api-fix-race-condition-in-larval-lookup.patch
+powerpc-handle-unaligned-ldbrx-stdbrx.patch
+powerpc-default-arch-idle-could-cede-processor-on-pseries.patch
+xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch
+arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch
--- /dev/null
+From 5ef4414f4bc26a19cfd5cd11aee9697a863e4d51 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 19 Aug 2013 08:48:12 +0200
+Subject: UBI: Fix PEB leak in wear_leveling_worker()
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 5ef4414f4bc26a19cfd5cd11aee9697a863e4d51 upstream.
+
+get_peb_for_wl() removes the PEB from the free list.
+If the WL subsystem detects that no wear leveling is needed
+it cancels the operation and drops the gained PEB.
+In this case we have to put the PEB back into the free list.
+
+This issue was introduced with commit ed4b7021c
+(UBI: remove PEB from free tree in get_peb_for_wl()).
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/wl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1069,6 +1069,9 @@ static int wear_leveling_worker(struct u
+ if (!(e2->ec - e1->ec >= UBI_WL_THRESHOLD)) {
+ dbg_wl("no WL needed: min used EC %d, max free EC %d",
+ e1->ec, e2->ec);
++
++ /* Give the unused PEB back */
++ wl_tree_add(e2, &ubi->free);
+ goto out_cancel;
+ }
+ self_check_in_wl_tree(ubi, e1, &ubi->used);
--- /dev/null
+From 5f338d9001094a56cf87bd8a280b4e7ff953bb59 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Wed, 31 Jul 2013 17:00:42 +0200
+Subject: xen-gnt: prevent adding duplicate gnt callbacks
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.
+
+With the current implementation, the callback in the tail of the list
+can be added twice, because the check done in
+gnttab_request_free_callback is bogus, callback->next can be NULL if
+it is the last callback in the list. If we add the same callback twice
+we end up with an infinite loop, were callback == callback->next.
+
+Replace this check with a proper one that iterates over the list to
+see if the callback has already been added.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Matt Wilson <msw@amazon.com>
+Reviewed-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/grant-table.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct
+ void (*fn)(void *), void *arg, u16 count)
+ {
+ unsigned long flags;
++ struct gnttab_free_callback *cb;
++
+ spin_lock_irqsave(&gnttab_list_lock, flags);
+- if (callback->next)
+- goto out;
++
++ /* Check if the callback is already on the list */
++ cb = gnttab_free_callback_list;
++ while (cb) {
++ if (cb == callback)
++ goto out;
++ cb = cb->next;
++ }
++
+ callback->fn = fn;
+ callback->arg = arg;
+ callback->count = count;
projects / thirdparty / kernel / stable-queue.git / commitdiff
