--- /dev/null
+From f0a56c480196a98479760862468cc95879df3de0 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 23 Jul 2013 20:01:23 +0200
+Subject: amd64_edac: Fix single-channel setups
+
+From: Borislav Petkov <bp@suse.de>
+
+commit f0a56c480196a98479760862468cc95879df3de0 upstream.
+
+It can happen that configurations are running in a single-channel mode
+even with a dual-channel memory controller, by, say, putting the DIMMs
+only on the one channel and leaving the other empty. This causes a
+problem in init_csrows which implicitly assumes that when the second
+channel is enabled, i.e. channel 1, the struct dimm hierarchy will be
+present. Which is not.
+
+So always allocate two channels unconditionally.
+
+This provides for the nice side effect that the data structures are
+initialized so some day, when memory hotplug is supported, it should
+just work out of the box when all of a sudden a second channel appears.
+
+Reported-and-tested-by: Roger Leigh <rleigh@debian.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/amd64_edac.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struc
+ layers[0].size = pvt->csels[0].b_cnt;
+ layers[0].is_virt_csrow = true;
+ layers[1].type = EDAC_MC_LAYER_CHANNEL;
+- layers[1].size = pvt->channel_count;
++
++ /*
++ * Always allocate two channels since we can have setups with DIMMs on
++ * only one channel. Also, this simplifies handling later for the price
++ * of a couple of KBs tops.
++ */
++ layers[1].size = 2;
+ layers[1].is_virt_csrow = false;
++
+ mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0);
+ if (!mci)
+ goto err_siblings;
--- /dev/null
+From bbb651e469d99f0088e286fdeb54acca7bb4ad4e Mon Sep 17 00:00:00 2001
+From: Stefan Behrens <sbehrens@giantdisaster.de>
+Date: Mon, 19 Aug 2013 18:51:13 +0200
+Subject: Btrfs: don't allow the replace procedure on read only filesystems
+
+From: Stefan Behrens <sbehrens@giantdisaster.de>
+
+commit bbb651e469d99f0088e286fdeb54acca7bb4ad4e upstream.
+
+If you start the replace procedure on a read only filesystem, at
+the end the procedure fails to write the updated dev_items to the
+chunk tree. The problem is that this error is not indicated except
+for a WARN_ON(). If the user now thinks that everything was done
+as expected and destroys the source device (with mkfs or with a
+hammer). The next mount fails with "failed to read chunk root" and
+the filesystem is gone.
+
+This commit adds code to fail the attempt to start the replace
+procedure if the filesystem is mounted read-only.
+
+Signed-off-by: Stefan Behrens <sbehrens@giantdisaster.de>
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Chris Mason <chris.mason@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3299,6 +3299,9 @@ static long btrfs_ioctl_dev_replace(stru
+
+ switch (p->cmd) {
+ case BTRFS_IOCTL_DEV_REPLACE_CMD_START:
++ if (root->fs_info->sb->s_flags & MS_RDONLY)
++ return -EROFS;
++
+ if (atomic_xchg(
+ &root->fs_info->mutually_exclusive_operation_running,
+ 1)) {
--- /dev/null
+From 494ddd11be3e2621096bb425eed2886f8e8446d4 Mon Sep 17 00:00:00 2001
+From: majianpeng <majianpeng@gmail.com>
+Date: Tue, 16 Jul 2013 19:36:21 +0800
+Subject: ceph: Don't forget the 'up_read(&osdc->map_sem)' if met error.
+
+From: majianpeng <majianpeng@gmail.com>
+
+commit 494ddd11be3e2621096bb425eed2886f8e8446d4 upstream.
+
+Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/ioctl.c
++++ b/fs/ceph/ioctl.c
+@@ -196,8 +196,10 @@ static long ceph_ioctl_get_dataloc(struc
+ r = ceph_calc_file_object_mapping(&ci->i_layout, dl.file_offset, len,
+ &dl.object_no, &dl.object_offset,
+ &olen);
+- if (r < 0)
++ if (r < 0) {
++ up_read(&osdc->map_sem);
+ return -EIO;
++ }
+ dl.file_offset -= dl.object_offset;
+ dl.object_size = ceph_file_layout_object_size(ci->i_layout);
+ dl.block_size = ceph_file_layout_su(ci->i_layout);
--- /dev/null
+From 08442ce993deeb15a070c14cc3f3459e87d111e0 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@linaro.org>
+Date: Thu, 29 Aug 2013 12:21:01 +0100
+Subject: clk: wm831x: Initialise wm831x pointer on init
+
+From: Mark Brown <broonie@linaro.org>
+
+commit 08442ce993deeb15a070c14cc3f3459e87d111e0 upstream.
+
+Otherwise any attempt to interact with the hardware will crash. This is
+what happens when drivers get written blind.
+
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Mike Turquette <mturquette@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk-wm831x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/clk-wm831x.c
++++ b/drivers/clk/clk-wm831x.c
+@@ -360,6 +360,8 @@ static int wm831x_clk_probe(struct platf
+ if (!clkdata)
+ return -ENOMEM;
+
++ clkdata->wm831x = wm831x;
++
+ /* XTAL_ENA can only be set via OTP/InstantConfig so just read once */
+ ret = wm831x_reg_read(wm831x, WM831X_CLOCK_CONTROL_2);
+ if (ret < 0) {
--- /dev/null
+From 118bdbd86b39dbb843155054021d2c59058f1e05 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 12 Aug 2013 11:04:29 -0400
+Subject: drm/edid: add quirk for Medion MD30217PG
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 118bdbd86b39dbb843155054021d2c59058f1e05 upstream.
+
+This LCD monitor (1280x1024 native) has a completely
+bogus detailed timing (640x350@70hz). User reports that
+1280x1024@60 has waves so prefer 1280x1024@75.
+
+Manufacturer: MED Model: 7b8 Serial#: 99188
+Year: 2005 Week: 5
+EDID Version: 1.3
+Analog Display Input, Input Voltage Level: 0.700/0.700 V
+Sync: Separate
+Max Image Size [cm]: horiz.: 34 vert.: 27
+Gamma: 2.50
+DPMS capabilities: Off; RGB/Color Display
+First detailed timing is preferred mode
+redX: 0.645 redY: 0.348 greenX: 0.280 greenY: 0.605
+blueX: 0.142 blueY: 0.071 whiteX: 0.313 whiteY: 0.329
+Supported established timings:
+720x400@70Hz
+640x480@60Hz
+640x480@72Hz
+640x480@75Hz
+800x600@56Hz
+800x600@60Hz
+800x600@72Hz
+800x600@75Hz
+1024x768@60Hz
+1024x768@70Hz
+1024x768@75Hz
+1280x1024@75Hz
+Manufacturer's mask: 0
+Supported standard timings:
+Supported detailed timing:
+clock: 25.2 MHz Image Size: 337 x 270 mm
+h_active: 640 h_sync: 688 h_sync_end 784 h_blank_end 800 h_border: 0
+v_active: 350 v_sync: 350 v_sync_end 352 v_blanking: 449 v_border: 0
+Monitor name: MD30217PG
+Ranges: V min: 56 V max: 76 Hz, H min: 30 H max: 83 kHz, PixClock max 145 MHz
+Serial No: 501099188
+EDID (in hex):
+ 00ffffffffffff0034a4b80774830100
+ 050f010368221b962a0c55a559479b24
+ 125054afcf00310a0101010101018180
+ 000000000000d60980a0205e63103060
+ 0200510e1100001e000000fc004d4433
+ 3032313750470a202020000000fd0038
+ 4c1e530e000a202020202020000000ff
+ 003530313039393138380a2020200078
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Reported-by: friedrich@mailstation.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -125,6 +125,9 @@ static struct edid_quirk {
+
+ /* ViewSonic VA2026w */
+ { "VSC", 5020, EDID_QUIRK_FORCE_REDUCED_BLANKING },
++
++ /* Medion MD 30217 PG */
++ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
+ };
+
+ /*
--- /dev/null
+From 06a7c3c2781409af95000c60a5df743fd4e2f8b4 Mon Sep 17 00:00:00 2001
+From: Maxim Patlasov <MPatlasov@parallels.com>
+Date: Fri, 30 Aug 2013 17:06:04 +0400
+Subject: fuse: hotfix truncate_pagecache() issue
+
+From: Maxim Patlasov <MPatlasov@parallels.com>
+
+commit 06a7c3c2781409af95000c60a5df743fd4e2f8b4 upstream.
+
+The way how fuse calls truncate_pagecache() from fuse_change_attributes()
+is completely wrong. Because, w/o i_mutex held, we never sure whether
+'oldsize' and 'attr->size' are valid by the time of execution of
+truncate_pagecache(inode, oldsize, attr->size). In fact, as soon as we
+released fc->lock in the middle of fuse_change_attributes(), we completely
+loose control of actions which may happen with given inode until we reach
+truncate_pagecache. The list of potentially dangerous actions includes
+mmap-ed reads and writes, ftruncate(2) and write(2) extending file size.
+
+The typical outcome of doing truncate_pagecache() with outdated arguments
+is data corruption from user point of view. This is (in some sense)
+acceptable in cases when the issue is triggered by a change of the file on
+the server (i.e. externally wrt fuse operation), but it is absolutely
+intolerable in scenarios when a single fuse client modifies a file without
+any external intervention. A real life case I discovered by fsx-linux
+looked like this:
+
+1. Shrinking ftruncate(2) comes to fuse_do_setattr(). The latter sends
+FUSE_SETATTR to the server synchronously, but before getting fc->lock ...
+2. fuse_dentry_revalidate() is asynchronously called. It sends FUSE_LOOKUP
+to the server synchronously, then calls fuse_change_attributes(). The
+latter updates i_size, releases fc->lock, but before comparing oldsize vs
+attr->size..
+3. fuse_do_setattr() from the first step proceeds by acquiring fc->lock and
+updating attributes and i_size, but now oldsize is equal to
+outarg.attr.size because i_size has just been updated (step 2). Hence,
+fuse_do_setattr() returns w/o calling truncate_pagecache().
+4. As soon as ftruncate(2) completes, the user extends file size by
+write(2) making a hole in the middle of file, then reads data from the hole
+either by read(2) or mmap-ed read. The user expects to get zero data from
+the hole, but gets stale data because truncate_pagecache() is not executed
+yet.
+
+The scenario above illustrates one side of the problem: not truncating the
+page cache even though we should. Another side corresponds to truncating
+page cache too late, when the state of inode changed significantly.
+Theoretically, the following is possible:
+
+1. As in the previous scenario fuse_dentry_revalidate() discovered that
+i_size changed (due to our own fuse_do_setattr()) and is going to call
+truncate_pagecache() for some 'new_size' it believes valid right now. But
+by the time that particular truncate_pagecache() is called ...
+2. fuse_do_setattr() returns (either having called truncate_pagecache() or
+not -- it doesn't matter).
+3. The file is extended either by write(2) or ftruncate(2) or fallocate(2).
+4. mmap-ed write makes a page in the extended region dirty.
+
+The result will be the lost of data user wrote on the fourth step.
+
+The patch is a hotfix resolving the issue in a simplistic way: let's skip
+dangerous i_size update and truncate_pagecache if an operation changing
+file size is in progress. This simplistic approach looks correct for the
+cases w/o external changes. And to handle them properly, more sophisticated
+and intrusive techniques (e.g. NFS-like one) would be required. I'd like to
+postpone it until the issue is well discussed on the mailing list(s).
+
+Changed in v2:
+ - improved patch description to cover both sides of the issue.
+
+Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 7 ++++++-
+ fs/fuse/file.c | 8 +++++++-
+ fs/fuse/fuse_i.h | 2 ++
+ fs/fuse/inode.c | 3 ++-
+ 4 files changed, 17 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1594,6 +1594,7 @@ int fuse_do_setattr(struct inode *inode,
+ struct file *file)
+ {
+ struct fuse_conn *fc = get_fuse_conn(inode);
++ struct fuse_inode *fi = get_fuse_inode(inode);
+ struct fuse_req *req;
+ struct fuse_setattr_in inarg;
+ struct fuse_attr_out outarg;
+@@ -1621,8 +1622,10 @@ int fuse_do_setattr(struct inode *inode,
+ if (IS_ERR(req))
+ return PTR_ERR(req);
+
+- if (is_truncate)
++ if (is_truncate) {
+ fuse_set_nowrite(inode);
++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
++ }
+
+ memset(&inarg, 0, sizeof(inarg));
+ memset(&outarg, 0, sizeof(outarg));
+@@ -1684,12 +1687,14 @@ int fuse_do_setattr(struct inode *inode,
+ invalidate_inode_pages2(inode->i_mapping);
+ }
+
++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ return 0;
+
+ error:
+ if (is_truncate)
+ fuse_release_nowrite(inode);
+
++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ return err;
+ }
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -630,7 +630,8 @@ static void fuse_read_update_size(struct
+ struct fuse_inode *fi = get_fuse_inode(inode);
+
+ spin_lock(&fc->lock);
+- if (attr_ver == fi->attr_version && size < inode->i_size) {
++ if (attr_ver == fi->attr_version && size < inode->i_size &&
++ !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
+ fi->attr_version = ++fc->attr_version;
+ i_size_write(inode, size);
+ }
+@@ -1033,12 +1034,16 @@ static ssize_t fuse_perform_write(struct
+ {
+ struct inode *inode = mapping->host;
+ struct fuse_conn *fc = get_fuse_conn(inode);
++ struct fuse_inode *fi = get_fuse_inode(inode);
+ int err = 0;
+ ssize_t res = 0;
+
+ if (is_bad_inode(inode))
+ return -EIO;
+
++ if (inode->i_size < pos + iov_iter_count(ii))
++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
++
+ do {
+ struct fuse_req *req;
+ ssize_t count;
+@@ -1074,6 +1079,7 @@ static ssize_t fuse_perform_write(struct
+ if (res > 0)
+ fuse_write_update_size(inode, pos);
+
++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ fuse_invalidate_attr(inode);
+
+ return res > 0 ? res : err;
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -115,6 +115,8 @@ struct fuse_inode {
+ enum {
+ /** Advise readdirplus */
+ FUSE_I_ADVISE_RDPLUS,
++ /** An operation changing file size is in progress */
++ FUSE_I_SIZE_UNSTABLE,
+ };
+
+ struct fuse_conn;
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -201,7 +201,8 @@ void fuse_change_attributes(struct inode
+ struct timespec old_mtime;
+
+ spin_lock(&fc->lock);
+- if (attr_version != 0 && fi->attr_version > attr_version) {
++ if ((attr_version != 0 && fi->attr_version > attr_version) ||
++ test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
+ spin_unlock(&fc->lock);
+ return;
+ }
--- /dev/null
+From d331a415aef98717393dda0be69b7947da08eba3 Mon Sep 17 00:00:00 2001
+From: Anand Avati <avati@redhat.com>
+Date: Tue, 20 Aug 2013 02:21:07 -0400
+Subject: fuse: invalidate inode attributes on xattr modification
+
+From: Anand Avati <avati@redhat.com>
+
+commit d331a415aef98717393dda0be69b7947da08eba3 upstream.
+
+Calls like setxattr and removexattr result in updation of ctime.
+Therefore invalidate inode attributes to force a refresh.
+
+Signed-off-by: Anand Avati <avati@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1753,6 +1753,8 @@ static int fuse_setxattr(struct dentry *
+ fc->no_setxattr = 1;
+ err = -EOPNOTSUPP;
+ }
++ if (!err)
++ fuse_invalidate_attr(inode);
+ return err;
+ }
+
+@@ -1882,6 +1884,8 @@ static int fuse_removexattr(struct dentr
+ fc->no_removexattr = 1;
+ err = -EOPNOTSUPP;
+ }
++ if (!err)
++ fuse_invalidate_attr(inode);
+ return err;
+ }
+
--- /dev/null
+From 4a4ac4eba1010ef9a804569058ab29e3450c0315 Mon Sep 17 00:00:00 2001
+From: Maxim Patlasov <MPatlasov@parallels.com>
+Date: Mon, 12 Aug 2013 20:39:30 +0400
+Subject: fuse: postpone end_page_writeback() in fuse_writepage_locked()
+
+From: Maxim Patlasov <MPatlasov@parallels.com>
+
+commit 4a4ac4eba1010ef9a804569058ab29e3450c0315 upstream.
+
+The patch fixes a race between ftruncate(2), mmap-ed write and write(2):
+
+1) An user makes a page dirty via mmap-ed write.
+2) The user performs shrinking truncate(2) intended to purge the page.
+3) Before fuse_do_setattr calls truncate_pagecache, the page goes to
+ writeback. fuse_writepage_locked fills FUSE_WRITE request and releases
+ the original page by end_page_writeback.
+4) fuse_do_setattr() completes and successfully returns. Since now, i_mutex
+ is free.
+5) Ordinary write(2) extends i_size back to cover the page. Note that
+ fuse_send_write_pages do wait for fuse writeback, but for another
+ page->index.
+6) fuse_writepage_locked proceeds by queueing FUSE_WRITE request.
+ fuse_send_writepage is supposed to crop inarg->size of the request,
+ but it doesn't because i_size has already been extended back.
+
+Moving end_page_writeback to the end of fuse_writepage_locked fixes the
+race because now the fact that truncate_pagecache is successfully returned
+infers that fuse_writepage_locked has already called end_page_writeback.
+And this, in turn, infers that fuse_flush_writepages has already called
+fuse_send_writepage, and the latter used valid (shrunk) i_size. write(2)
+could not extend it because of i_mutex held by ftruncate(2).
+
+Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1530,7 +1530,6 @@ static int fuse_writepage_locked(struct
+
+ inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK);
+ inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP);
+- end_page_writeback(page);
+
+ spin_lock(&fc->lock);
+ list_add(&req->writepages_entry, &fi->writepages);
+@@ -1538,6 +1537,8 @@ static int fuse_writepage_locked(struct
+ fuse_flush_writepages(inode);
+ spin_unlock(&fc->lock);
+
++ end_page_writeback(page);
++
+ return 0;
+
+ err_free:
--- /dev/null
+From efeb9e60d48f7778fdcad4a0f3ad9ea9b19e5dfd Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue, 3 Sep 2013 14:28:38 +0200
+Subject: fuse: readdir: check for slash in names
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit efeb9e60d48f7778fdcad4a0f3ad9ea9b19e5dfd upstream.
+
+Userspace can add names containing a slash character to the directory
+listing. Don't allow this as it could cause all sorts of trouble.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1175,6 +1175,8 @@ static int parse_dirfile(char *buf, size
+ return -EIO;
+ if (reclen > nbytes)
+ break;
++ if (memchr(dirent->name, '/', dirent->namelen) != NULL)
++ return -EIO;
+
+ over = filldir(dstbuf, dirent->name, dirent->namelen,
+ file->f_pos, dirent->ino, dirent->type);
+@@ -1323,6 +1325,8 @@ static int parse_dirplusfile(char *buf,
+ return -EIO;
+ if (reclen > nbytes)
+ break;
++ if (memchr(dirent->name, '/', dirent->namelen) != NULL)
++ return -EIO;
+
+ if (!over) {
+ /* We fill entries into dstbuf only as much as
--- /dev/null
+From 3269ee0bd6686baf86630300d528500ac5b516d7 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Sat, 15 Jun 2013 10:27:19 -0600
+Subject: intel-iommu: Fix leaks in pagetable freeing
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 3269ee0bd6686baf86630300d528500ac5b516d7 upstream.
+
+At best the current code only seems to free the leaf pagetables and
+the root. If you're unlucky enough to have a large gap (like any
+QEMU guest with more than 3G of memory), only the first chunk of leaf
+pagetables are freed (plus the root). This is a massive memory leak.
+This patch re-writes the pagetable freeing function to use a
+recursive algorithm and manages to not only free all the pagetables,
+but does it without any apparent performance loss versus the current
+broken version.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Joerg Roedel <joro@8bytes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 74 +++++++++++++++++++++-----------------------
+ 1 file changed, 36 insertions(+), 38 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -890,56 +890,54 @@ static int dma_pte_clear_range(struct dm
+ return order;
+ }
+
++static void dma_pte_free_level(struct dmar_domain *domain, int level,
++ struct dma_pte *pte, unsigned long pfn,
++ unsigned long start_pfn, unsigned long last_pfn)
++{
++ pfn = max(start_pfn, pfn);
++ pte = &pte[pfn_level_offset(pfn, level)];
++
++ do {
++ unsigned long level_pfn;
++ struct dma_pte *level_pte;
++
++ if (!dma_pte_present(pte) || dma_pte_superpage(pte))
++ goto next;
++
++ level_pfn = pfn & level_mask(level - 1);
++ level_pte = phys_to_virt(dma_pte_addr(pte));
++
++ if (level > 2)
++ dma_pte_free_level(domain, level - 1, level_pte,
++ level_pfn, start_pfn, last_pfn);
++
++ /* If range covers entire pagetable, free it */
++ if (!(start_pfn > level_pfn ||
++ last_pfn < level_pfn + level_size(level))) {
++ dma_clear_pte(pte);
++ domain_flush_cache(domain, pte, sizeof(*pte));
++ free_pgtable_page(level_pte);
++ }
++next:
++ pfn += level_size(level);
++ } while (!first_pte_in_page(++pte) && pfn <= last_pfn);
++}
++
+ /* free page table pages. last level pte should already be cleared */
+ static void dma_pte_free_pagetable(struct dmar_domain *domain,
+ unsigned long start_pfn,
+ unsigned long last_pfn)
+ {
+ int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT;
+- struct dma_pte *first_pte, *pte;
+- int total = agaw_to_level(domain->agaw);
+- int level;
+- unsigned long tmp;
+- int large_page = 2;
+
+ BUG_ON(addr_width < BITS_PER_LONG && start_pfn >> addr_width);
+ BUG_ON(addr_width < BITS_PER_LONG && last_pfn >> addr_width);
+ BUG_ON(start_pfn > last_pfn);
+
+ /* We don't need lock here; nobody else touches the iova range */
+- level = 2;
+- while (level <= total) {
+- tmp = align_to_level(start_pfn, level);
+-
+- /* If we can't even clear one PTE at this level, we're done */
+- if (tmp + level_size(level) - 1 > last_pfn)
+- return;
+-
+- do {
+- large_page = level;
+- first_pte = pte = dma_pfn_level_pte(domain, tmp, level, &large_page);
+- if (large_page > level)
+- level = large_page + 1;
+- if (!pte) {
+- tmp = align_to_level(tmp + 1, level + 1);
+- continue;
+- }
+- do {
+- if (dma_pte_present(pte)) {
+- free_pgtable_page(phys_to_virt(dma_pte_addr(pte)));
+- dma_clear_pte(pte);
+- }
+- pte++;
+- tmp += level_size(level);
+- } while (!first_pte_in_page(pte) &&
+- tmp + level_size(level) - 1 <= last_pfn);
+-
+- domain_flush_cache(domain, first_pte,
+- (void *)pte - (void *)first_pte);
+-
+- } while (tmp && tmp + level_size(level) - 1 <= last_pfn);
+- level++;
+- }
++ dma_pte_free_level(domain, agaw_to_level(domain->agaw),
++ domain->pgd, 0, start_pfn, last_pfn);
++
+ /* free pgd */
+ if (start_pfn == 0 && last_pfn == DOMAIN_MAX_PFN(domain->gaw)) {
+ free_pgtable_page(domain->pgd);
--- /dev/null
+From 17b7f7cf58926844e1dd40f5eb5348d481deca6a Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 25 Jul 2013 11:49:11 +0200
+Subject: isofs: Refuse RW mount of the filesystem instead of making it RO
+
+From: Jan Kara <jack@suse.cz>
+
+commit 17b7f7cf58926844e1dd40f5eb5348d481deca6a upstream.
+
+Refuse RW mount of isofs filesystem. So far we just silently changed it
+to RO mount but when the media is writeable, block layer won't notice
+this change and thus will think device is used RW and will block eject
+button of the drive. That is unexpected by users because for
+non-writeable media eject button works just fine.
+
+Userspace mount(8) command handles this just fine and retries mounting
+with MS_RDONLY set so userspace shouldn't see any regression. Plus any
+tool mounting isofs is likely confronted with the case of read-only
+media where block layer already refuses to mount the filesystem without
+MS_RDONLY set so our behavior shouldn't be anything new for it.
+
+Reported-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/inode.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -125,8 +125,8 @@ static void destroy_inodecache(void)
+
+ static int isofs_remount(struct super_block *sb, int *flags, char *data)
+ {
+- /* we probably want a lot more here */
+- *flags |= MS_RDONLY;
++ if (!(*flags & MS_RDONLY))
++ return -EROFS;
+ return 0;
+ }
+
+@@ -779,15 +779,6 @@ root_found:
+ */
+ s->s_maxbytes = 0x80000000000LL;
+
+- /*
+- * The CDROM is read-only, has no nodes (devices) on it, and since
+- * all of the files appear to be owned by root, we really do not want
+- * to allow suid. (suid or devices will not show up unless we have
+- * Rock Ridge extensions)
+- */
+-
+- s->s_flags |= MS_RDONLY /* | MS_NODEV | MS_NOSUID */;
+-
+ /* Set this for reference. Its not currently used except on write
+ which we don't have .. */
+
+@@ -1546,6 +1537,9 @@ struct inode *isofs_iget(struct super_bl
+ static struct dentry *isofs_mount(struct file_system_type *fs_type,
+ int flags, const char *dev_name, void *data)
+ {
++ /* We don't support read-write mounts */
++ if (!(flags & MS_RDONLY))
++ return ERR_PTR(-EACCES);
+ return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super);
+ }
+
--- /dev/null
+From 61abeba5222895d6900b13115f5d8eba7988d7d6 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@linaro.org>
+Date: Thu, 29 Aug 2013 07:18:14 -0700
+Subject: leds: wm831x-status: Request a REG resource
+
+From: Mark Brown <broonie@linaro.org>
+
+commit 61abeba5222895d6900b13115f5d8eba7988d7d6 upstream.
+
+The wm831x-status driver was not converted to use a REG resource when they
+were introduced and the rest of the wm831x drivers converted, causing it
+to fail to probe due to requesting the wrong resource type.
+
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Bryan Wu <cooloney@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-wm831x-status.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/leds/leds-wm831x-status.c
++++ b/drivers/leds/leds-wm831x-status.c
+@@ -230,9 +230,9 @@ static int wm831x_status_probe(struct pl
+ int id = pdev->id % ARRAY_SIZE(chip_pdata->status);
+ int ret;
+
+- res = platform_get_resource(pdev, IORESOURCE_IO, 0);
++ res = platform_get_resource(pdev, IORESOURCE_REG, 0);
+ if (res == NULL) {
+- dev_err(&pdev->dev, "No I/O resource\n");
++ dev_err(&pdev->dev, "No register resource\n");
+ ret = -EINVAL;
+ goto err;
+ }
--- /dev/null
+From 73d9f7eef3d98c3920e144797cc1894c6b005a1e Mon Sep 17 00:00:00 2001
+From: majianpeng <majianpeng@gmail.com>
+Date: Tue, 16 Jul 2013 15:45:48 +0800
+Subject: libceph: unregister request in __map_request failed and nofail == false
+
+From: majianpeng <majianpeng@gmail.com>
+
+commit 73d9f7eef3d98c3920e144797cc1894c6b005a1e upstream.
+
+For nofail == false request, if __map_request failed, the caller does
+cleanup work, like releasing the relative pages. It doesn't make any sense
+to retry this request.
+
+Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/osd_client.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -2130,6 +2130,8 @@ int ceph_osdc_start_request(struct ceph_
+ dout("osdc_start_request failed map, "
+ " will retry %lld\n", req->r_tid);
+ rc = 0;
++ } else {
++ __unregister_request(osdc, req);
+ }
+ goto out_unlock;
+ }
--- /dev/null
+From 9542cf0bf9b1a3adcc2ef271edbcbdba03abf345 Mon Sep 17 00:00:00 2001
+From: Sage Weil <sage@inktank.com>
+Date: Wed, 28 Aug 2013 17:17:29 -0700
+Subject: libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc
+
+From: Sage Weil <sage@inktank.com>
+
+commit 9542cf0bf9b1a3adcc2ef271edbcbdba03abf345 upstream.
+
+Fix a typo that used the wrong bitmask for the pg.seed calculation. This
+is normally unnoticed because in most cases pg_num == pgp_num. It is, however,
+a bug that is easily corrected.
+
+Signed-off-by: Sage Weil <sage@inktank.com>
+Reviewed-by: Alex Elder <alex.elder@linary.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/osdmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1129,7 +1129,7 @@ static int *calc_pg_raw(struct ceph_osdm
+
+ /* pg_temp? */
+ pgid.seed = ceph_stable_mod(pgid.seed, pool->pg_num,
+- pool->pgp_num_mask);
++ pool->pg_num_mask);
+ pg = __lookup_pg_mapping(&osdmap->pg_temp, pgid);
+ if (pg) {
+ *num = pg->len;
--- /dev/null
+From 8bfd4a68ecc003c1a142f35551be846d6b13e822 Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 28 Jun 2013 05:34:20 -0300
+Subject: media: DocBook: upgrade media_api DocBook version to 4.2
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+commit 8bfd4a68ecc003c1a142f35551be846d6b13e822 upstream.
+
+Fixes the last three errors of media_api DocBook validatation:
+(...)
+media_api.xml:414: element imagedata: validity error : Value "SVG" for attribute format of imagedata is not among the enumerated set
+media_api.xml:432: element imagedata: validity error : Value "SVG" for attribute format of imagedata is not among the enumerated set
+media_api.xml:452: element imagedata: validity error : Value "SVG" for attribute format of imagedata is not among the enumerated set
+(...)
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/DocBook/media_api.tmpl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/DocBook/media_api.tmpl
++++ b/Documentation/DocBook/media_api.tmpl
+@@ -1,6 +1,6 @@
+ <?xml version="1.0"?>
+-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
++<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
++ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+ <!ENTITY % media-entities SYSTEM "./media-entities.tmpl"> %media-entities;
+ <!ENTITY media-indices SYSTEM "./media-indices.tmpl">
+
--- /dev/null
+From d0b1c31349969973204fad21a076aecf131cc5e4 Mon Sep 17 00:00:00 2001
+From: Arun Kumar K <arun.kk@samsung.com>
+Date: Fri, 26 Jul 2013 07:28:01 -0300
+Subject: media: exynos-gsc: Register v4l2 device
+
+From: Arun Kumar K <arun.kk@samsung.com>
+
+commit d0b1c31349969973204fad21a076aecf131cc5e4 upstream.
+
+Gscaler video device registration was happening without reference to
+a parent v4l2_dev causing probe to fail. The patch creates a parent
+v4l2 device and uses it for the gsc m2m video device registration.
+This fixes regression introduced with comit commit 1c1d86a1ea07506
+[media] v4l2: always require v4l2_dev, rename parent to dev_parent
+
+Signed-off-by: Arun Kumar K <arun.kk@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/exynos-gsc/gsc-core.c | 9 ++++++++-
+ drivers/media/platform/exynos-gsc/gsc-core.h | 1 +
+ drivers/media/platform/exynos-gsc/gsc-m2m.c | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/exynos-gsc/gsc-core.c
++++ b/drivers/media/platform/exynos-gsc/gsc-core.c
+@@ -1122,10 +1122,14 @@ static int gsc_probe(struct platform_dev
+ goto err_clk;
+ }
+
+- ret = gsc_register_m2m_device(gsc);
++ ret = v4l2_device_register(dev, &gsc->v4l2_dev);
+ if (ret)
+ goto err_clk;
+
++ ret = gsc_register_m2m_device(gsc);
++ if (ret)
++ goto err_v4l2;
++
+ platform_set_drvdata(pdev, gsc);
+ pm_runtime_enable(dev);
+ ret = pm_runtime_get_sync(&pdev->dev);
+@@ -1147,6 +1151,8 @@ err_pm:
+ pm_runtime_put(dev);
+ err_m2m:
+ gsc_unregister_m2m_device(gsc);
++err_v4l2:
++ v4l2_device_unregister(&gsc->v4l2_dev);
+ err_clk:
+ gsc_clk_put(gsc);
+ return ret;
+@@ -1157,6 +1163,7 @@ static int gsc_remove(struct platform_de
+ struct gsc_dev *gsc = platform_get_drvdata(pdev);
+
+ gsc_unregister_m2m_device(gsc);
++ v4l2_device_unregister(&gsc->v4l2_dev);
+
+ vb2_dma_contig_cleanup_ctx(gsc->alloc_ctx);
+ pm_runtime_disable(&pdev->dev);
+--- a/drivers/media/platform/exynos-gsc/gsc-core.h
++++ b/drivers/media/platform/exynos-gsc/gsc-core.h
+@@ -343,6 +343,7 @@ struct gsc_dev {
+ unsigned long state;
+ struct vb2_alloc_ctx *alloc_ctx;
+ struct video_device vdev;
++ struct v4l2_device v4l2_dev;
+ };
+
+ /**
+--- a/drivers/media/platform/exynos-gsc/gsc-m2m.c
++++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c
+@@ -751,6 +751,7 @@ int gsc_register_m2m_device(struct gsc_d
+ gsc->vdev.release = video_device_release_empty;
+ gsc->vdev.lock = &gsc->lock;
+ gsc->vdev.vfl_dir = VFL_DIR_M2M;
++ gsc->vdev.v4l2_dev = &gsc->v4l2_dev;
+ snprintf(gsc->vdev.name, sizeof(gsc->vdev.name), "%s.%d:m2m",
+ GSC_MODULE_NAME, gsc->id);
+
--- /dev/null
+From d2b903b4427e417a73863cef36ad0796ea6b7404 Mon Sep 17 00:00:00 2001
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Mon, 29 Jul 2013 06:53:59 -0300
+Subject: media: exynos4-is: Fix entity unregistration on error path
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+commit d2b903b4427e417a73863cef36ad0796ea6b7404 upstream.
+
+This patch corrects media entities unregistration order to make sure
+the fimc.N.capture and fimc-lite video nodes are unregistered with
+fimc->lock mutex held. This prevents races between video device open()
+and defered probing and NULL pointer dereference in open() callback
+as follows:
+[ 77.645000] Unable to handle kernel NULL pointer dereference at virtual address 00000290t
+[ 77.655000] pgd = ee7a8000
+[ 77.660000] [00000290] *pgd=6e13c831, *pte=00000000, *ppte=00000000
+[ 77.665000] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+[ 77.670000] Modules linked in: s5p_fimc ipv6 exynos_fimc_is exynos_fimc_lite
+ s5p_csis v4l2_mem2mem videobuf2_dma_contig videobuf2_memops exynos4_is_common videobuf2_core [last unloaded: s5p_fimc]
+[ 77.685000] CPU: 0 PID : 2998 Comm: v4l_id Tainted: G W 3.10.0-next-20130709-00039-g39f491b-dirty #1548
+[ 77.695000] task: ee084000 ti: ee46e000 task.ti: ee46e000
+[ 77.700000] PC is at __mutex_lock_slowpath+0x54/0x368
+[ 77.705000] LR is at __mutex_lock_slowpath+0x24/0x368
+[ 77.710000] pc : [<c038dc10>] lr : [<c038dbe0>] psr: 60000093
+[ 77.710000] sp : ee46fd70 ip : 000008c8 fp : c054e34c
+[ 77.725000] r10: ee084000 r9 : 00000000 r8 : ee439480
+[ 77.730000] r7 : ee46e000 r6 : 60000013 r5 : 00000290 r4 : 0000028c
+[ 77.735000] r3 : 00000000 r2 : 00000000 r1 : 20000093 r0 : 00000001
+[ 77.740000] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+[ 77.750000] Control: 10c5387d Table: 6e7a804a DAC: 00000015
+[ 77.755000] Process v4l_id (pid: 2998, stack limit = 0xee46e238)
+[ 77.760000] Stack: (0xee46fd70 to 0xee470000)
+ ...
+[ 77.935000] [<c038dc10>] (__mutex_lock_slowpath+0x54/0x368) from [<c038df30>] (mutex_lock+0xc/0x24)
+[ 77.945000] [<c038df30>] (mutex_lock+0xc/0x24) from [<bf03fa90>] (fimc_lite_open+0x12c/0x2bc [exynos_fimc_lite])
+[ 77.955000] [<bf03fa90>] (fimc_lite_open+0x12c/0x2bc [exynos_fimc_lite]) from [<c02ab11c>] (v4l2_open+0xa0/0xe0)
+[ 77.965000] [<c02ab11c>] (v4l2_open+0xa0/0xe0) from [<c00b1de4>] (chrdev_open+0x88/0x170)
+[ 77.975000] [<c00b1de4>] (chrdev_open+0x88/0x170) from [<c00ac710>] (do_dentry_open.isra.14+0x1d8/0x258)
+[ 77.985000] [<c00ac710>] (do_dentry_open.isra.14+0x1d8/0x258) from [<c00ac860>] (finish_open+0x20/0x38)
+[ 77.995000] [<c00ac860>] (finish_open+0x20/0x38) from [<c00ba658>] (do_last.isra.43+0x538/0xb1c)
+[ 78.000000] [<c00ba658>] (do_last.isra.43+0x538/0xb1c) from [<c00bacf0>] (path_openat+0xb4/0x5c4)
+[ 78.010000] [<c00bacf0>] (path_openat+0xb4/0x5c4) from [<c00bb4b4>] (do_filp_open+0x2c/0x80)
+[ 78.020000] [<c00bb4b4>] (do_filp_open+0x2c/0x80) from [<c00ad744>] (do_sys_open+0xf4/0x1a8)
+[ 78.025000] [<c00ad744>] (do_sys_open+0xf4/0x1a8) from [<c000e320>] (ret_fast_syscall+0x0/0x30)
+[ 78.035000] Code: 1a000093 e10f6000 f10c0080 e2845004 (e1953f9f)
+
+Reported-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1441,9 +1441,9 @@ static int fimc_md_probe(struct platform
+ err_unlock:
+ mutex_unlock(&fmd->media_dev.graph_mutex);
+ err_clk:
+- media_device_unregister(&fmd->media_dev);
+ fimc_md_put_clocks(fmd);
+ fimc_md_unregister_entities(fmd);
++ media_device_unregister(&fmd->media_dev);
+ err_md:
+ v4l2_device_unregister(&fmd->v4l2_dev);
+ return ret;
--- /dev/null
+From 2e923a0527ac439e135b9961e58d3acd876bba10 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Wed, 3 Jul 2013 16:17:34 -0300
+Subject: media: hdpvr: fix iteration over uninitialized lists in hdpvr_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 2e923a0527ac439e135b9961e58d3acd876bba10 upstream.
+
+free_buff_list and rec_buff_list are initialized in the middle of hdpvr_probe(),
+but if something bad happens before that, error handling code calls hdpvr_delete(),
+which contains iteration over the lists (via hdpvr_free_buffers()).
+The patch moves the lists initialization to the beginning and by the way fixes
+goto label in error handling of registering videodev.
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -311,6 +311,11 @@ static int hdpvr_probe(struct usb_interf
+
+ dev->workqueue = 0;
+
++ /* init video transfer queues first of all */
++ /* to prevent oops in hdpvr_delete() on error paths */
++ INIT_LIST_HEAD(&dev->free_buff_list);
++ INIT_LIST_HEAD(&dev->rec_buff_list);
++
+ /* register v4l2_device early so it can be used for printks */
+ if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+ dev_err(&interface->dev, "v4l2_device_register failed\n");
+@@ -333,10 +338,6 @@ static int hdpvr_probe(struct usb_interf
+ if (!dev->workqueue)
+ goto error;
+
+- /* init video transfer queues */
+- INIT_LIST_HEAD(&dev->free_buff_list);
+- INIT_LIST_HEAD(&dev->rec_buff_list);
+-
+ dev->options = hdpvr_default_options;
+
+ if (default_video_input < HDPVR_VIDEO_INPUTS)
+@@ -413,7 +414,7 @@ static int hdpvr_probe(struct usb_interf
+ video_nr[atomic_inc_return(&dev_nr)]);
+ if (retval < 0) {
+ v4l2_err(&dev->v4l2_dev, "registering videodev failed\n");
+- goto error;
++ goto reg_fail;
+ }
+
+ /* let the user know what node this device is now attached to */
--- /dev/null
+From 9d32069faacdc81fe1dcb5d297c32a3ac81da8f0 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Fri, 9 Aug 2013 08:53:26 -0300
+Subject: media: mb86a20s: Fix TS parallel mode
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 9d32069faacdc81fe1dcb5d297c32a3ac81da8f0 upstream.
+
+changeset 768e6dadd74 caused a regression on using mb86a20s
+in parallel mode, as the parallel mode selection got
+overriden by mb86a20s_init2.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/mb86a20s.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/media/dvb-frontends/mb86a20s.c
++++ b/drivers/media/dvb-frontends/mb86a20s.c
+@@ -157,7 +157,6 @@ static struct regdata mb86a20s_init2[] =
+ { 0x45, 0x04 }, /* CN symbol 4 */
+ { 0x48, 0x04 }, /* CN manual mode */
+
+- { 0x50, 0xd5 }, { 0x51, 0x01 }, /* Serial */
+ { 0x50, 0xd6 }, { 0x51, 0x1f },
+ { 0x50, 0xd2 }, { 0x51, 0x03 },
+ { 0x50, 0xd7 }, { 0x51, 0xbf },
+@@ -1860,16 +1859,15 @@ static int mb86a20s_initfe(struct dvb_fr
+ dev_dbg(&state->i2c->dev, "%s: IF=%d, IF reg=0x%06llx\n",
+ __func__, state->if_freq, (long long)pll);
+
+- if (!state->config->is_serial) {
++ if (!state->config->is_serial)
+ regD5 &= ~1;
+
+- rc = mb86a20s_writereg(state, 0x50, 0xd5);
+- if (rc < 0)
+- goto err;
+- rc = mb86a20s_writereg(state, 0x51, regD5);
+- if (rc < 0)
+- goto err;
+- }
++ rc = mb86a20s_writereg(state, 0x50, 0xd5);
++ if (rc < 0)
++ goto err;
++ rc = mb86a20s_writereg(state, 0x51, regD5);
++ if (rc < 0)
++ goto err;
+
+ rc = mb86a20s_writeregdata(state, mb86a20s_init2);
+ if (rc < 0)
--- /dev/null
+From 7b0dd9e60e714951b5400dd0740b3c4c3c3cb76f Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Sat, 15 Jun 2013 08:09:57 -0300
+Subject: media: media: coda: Fix DT driver data pointer for i.MX27
+
+From: Alexander Shiyan <shc_work@mail.ru>
+
+commit 7b0dd9e60e714951b5400dd0740b3c4c3c3cb76f upstream.
+
+The data pointer should point to DT data, and not to the ID
+array.
+
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Kamil Debski <k.debski@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/coda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/coda.c
++++ b/drivers/media/platform/coda.c
+@@ -1933,7 +1933,7 @@ MODULE_DEVICE_TABLE(platform, coda_platf
+
+ #ifdef CONFIG_OF
+ static const struct of_device_id coda_dt_ids[] = {
+- { .compatible = "fsl,imx27-vpu", .data = &coda_platform_ids[CODA_IMX27] },
++ { .compatible = "fsl,imx27-vpu", .data = &coda_devdata[CODA_IMX27] },
+ { .compatible = "fsl,imx53-vpu", .data = &coda_devdata[CODA_IMX53] },
+ { /* sentinel */ }
+ };
--- /dev/null
+From 8a09a4cc9bd9389dc6a3b5b2dd3a7d64d2fab7e1 Mon Sep 17 00:00:00 2001
+From: Sachin Kamat <sachin.kamat@linaro.org>
+Date: Mon, 15 Jul 2013 02:36:23 -0300
+Subject: media: s5p-g2d: Fix registration failure
+
+From: Sachin Kamat <sachin.kamat@linaro.org>
+
+commit 8a09a4cc9bd9389dc6a3b5b2dd3a7d64d2fab7e1 upstream.
+
+Commit 1c1d86a1ea ("[media] v4l2: always require v4l2_dev,
+rename parent to dev_parent") expects v4l2_dev to be always set.
+It converted most of the drivers using the parent field of video_device
+to v4l2_dev field. G2D driver did not set the parent field. Hence it got
+left out. Without this patch we get the following boot warning and G2D
+driver fails to register the video device.
+WARNING: CPU: 0 PID: 1 at drivers/media/v4l2-core/v4l2-dev.c:775 __video_register_device+0xfc0/0x1028()
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.11.0-rc1-00001-g1c3e372-dirty #9
+[<c0014b7c>] (unwind_backtrace+0x0/0xf4) from [<c0011524>] (show_stack+0x10/0x14)
+[<c0011524>] (show_stack+0x10/0x14) from [<c041d7a8>] (dump_stack+0x7c/0xb0)
+[<c041d7a8>] (dump_stack+0x7c/0xb0) from [<c001dc94>] (warn_slowpath_common+0x6c/0x88)
+[<c001dc94>] (warn_slowpath_common+0x6c/0x88) from [<c001dd4c>] (warn_slowpath_null+0x1c/0x24)
+[<c001dd4c>] (warn_slowpath_null+0x1c/0x24) from [<c02cf8d4>] (__video_register_device+0xfc0/0x1028)
+[<c02cf8d4>] (__video_register_device+0xfc0/0x1028) from [<c0311a94>] (g2d_probe+0x1f8/0x398)
+[<c0311a94>] (g2d_probe+0x1f8/0x398) from [<c0247d54>] (platform_drv_probe+0x14/0x18)
+[<c0247d54>] (platform_drv_probe+0x14/0x18) from [<c0246b10>] (driver_probe_device+0x108/0x220)
+[<c0246b10>] (driver_probe_device+0x108/0x220) from [<c0246cf8>] (__driver_attach+0x8c/0x90)
+[<c0246cf8>] (__driver_attach+0x8c/0x90) from [<c0245050>] (bus_for_each_dev+0x60/0x94)
+[<c0245050>] (bus_for_each_dev+0x60/0x94) from [<c02462c8>] (bus_add_driver+0x1c0/0x24c)
+[<c02462c8>] (bus_add_driver+0x1c0/0x24c) from [<c02472d0>] (driver_register+0x78/0x140)
+[<c02472d0>] (driver_register+0x78/0x140) from [<c00087c8>] (do_one_initcall+0xf8/0x144)
+[<c00087c8>] (do_one_initcall+0xf8/0x144) from [<c05b29e8>] (kernel_init_freeable+0x13c/0x1d8)
+[<c05b29e8>] (kernel_init_freeable+0x13c/0x1d8) from [<c041a108>] (kernel_init+0xc/0x160)
+[<c041a108>] (kernel_init+0xc/0x160) from [<c000e2f8>] (ret_from_fork+0x14/0x3c)
+---[ end trace 4e0ec028b0028e02 ]---
+s5p-g2d 12800000.g2d: Failed to register video device
+s5p-g2d: probe of 12800000.g2d failed with error -22
+
+Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Kamil Debski <k.debski@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-g2d/g2d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/s5p-g2d/g2d.c
++++ b/drivers/media/platform/s5p-g2d/g2d.c
+@@ -784,6 +784,7 @@ static int g2d_probe(struct platform_dev
+ }
+ *vfd = g2d_videodev;
+ vfd->lock = &dev->mutex;
++ vfd->v4l2_dev = &dev->v4l2_dev;
+ ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
+ if (ret) {
+ v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
--- /dev/null
+From ec532503209053bbee0c7dac410031e50835e01a Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Wed, 14 Aug 2013 05:24:39 -0300
+Subject: media: siano: fix divide error on 0 counters
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit ec532503209053bbee0c7dac410031e50835e01a upstream.
+
+GIT_AUTHOR_DATE=1376465691
+I took a quick look at the code and wonder if the problem is caused by
+an initial zero statistics message? This is all just a wild guess, but
+if it is correct, then the attached untested patch might fix it...
+Bjørn
+>From d78a0599d5b5d4da384eae08bf7da316389dfbe5 Mon Sep 17 00:00:00 2001
+ts_packets and ets_packets counters can be 0. Don't fall over
+if they are. Fixes:
+[ 846.851711] divide error: 0000 [#1] SMP
+[ 846.851806] Modules linked in: smsdvb dvb_core ir_lirc_codec lirc_dev ir_sanyo_decoder ir_mce_kbd_decoder ir_sony_decoder ir_jvc_decoder ir_rc6_decoder ir_rc5_decoder ir_nec_decoder rc_hauppauge smsusb smsmdtv rc_core pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) parport_pc ppdev lp parport cpufreq_userspace cpufreq_powersave cpufreq_stats cpufreq_conservative rfcomm bnep binfmt_misc uinput nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc ext4 jbd2 fuse tp_smapi(O) thinkpad_ec(O) loop firewire_sbp2 dm_crypt snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm thinkpad_acpi nvram snd_page_alloc hid_generic snd_seq_midi snd_seq_midi_event arc4 usbhid snd_rawmidi uvcvideo hid iwldvm coretemp kvm_intel mac8021
+ 1 cdc_wdm
+[ 846.853477] cdc_acm snd_seq videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media kvm radeon r852 ttm joydev cdc_ether usbnet pcmcia mii sm_common nand btusb drm_kms_helper tpm_tis acpi_cpufreq bluetooth iwlwifi nand_ecc drm nand_ids i2c_i801 mtd snd_seq_device iTCO_wdt iTCO_vendor_support r592 memstick lpc_ich mperf tpm yenta_socket pcmcia_rsrc pcmcia_core cfg80211 snd_timer snd pcspkr i2c_algo_bit crc16 i2c_core tpm_bios processor mfd_core wmi psmouse mei_me rfkill mei serio_raw soundcore evdev battery button video ac microcode ext3 mbcache jbd md_mod dm_mirror dm_region_hash dm_log dm_mod sg sr_mod sd_mod cdrom crc_t10dif firewire_ohci sdhci_pci sdhci mmc_core firewire_core crc_itu_t thermal thermal_sys ahci libahci ehci_pci uhci_hcd ehci_hcd libata scsi_mod usbcore e1000
+ e usb_common
+[ 846.855310] ptp pps_core
+[ 846.855356] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 3.10-2-amd64 #1 Debian 3.10.5-1
+[ 846.855490] Hardware name: LENOVO 4061WFA/4061WFA, BIOS 6FET92WW (3.22 ) 12/14/2011
+[ 846.855609] task: ffffffff81613400 ti: ffffffff81600000 task.ti: ffffffff81600000
+[ 846.855636] RIP: 0010:[<ffffffffa092be0c>] [<ffffffffa092be0c>] smsdvb_onresponse+0x264/0xa86 [smsdvb]
+[ 846.863906] RSP: 0018:ffff88013bc03cf0 EFLAGS: 00010046
+[ 846.863906] RAX: 0000000000000000 RBX: ffff880133bf6000 RCX: 0000000000000000
+[ 846.863906] RDX: 0000000000000000 RSI: ffff88005d3b58c0 RDI: ffff880133bf6000
+[ 846.863906] RBP: ffff88005d1da000 R08: 0000000000000058 R09: 0000000000000015
+[ 846.863906] R10: 0000000000001a0d R11: 000000000000021a R12: ffff88005d3b58c0
+[ 846.863906] R13: ffff88005d1da008 R14: 00000000ffffff8d R15: ffff880036cf5060
+[ 846.863906] FS: 0000000000000000(0000) GS:ffff88013bc00000(0000) knlGS:0000000000000000
+[ 846.863906] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 846.863906] CR2: 00007f3a4b69ae50 CR3: 0000000036dac000 CR4: 00000000000407f0
+[ 846.863906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 846.863906] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 846.863906] Stack:
+[ 846.863906] ffff88007a102000 ffff88005d1da000 ffff88005d3b58c0 0000000000085824
+[ 846.863906] ffffffffa08c5aa3 ffff88005d1da000 ffff8800a6907390 ffff8800a69073b0
+[ 846.863906] ffff8800a6907000 ffffffffa08b642c 000000000000021a ffff8800a69073b0
+[ 846.863906] Call Trace:
+[ 846.863906] <IRQ>
+[ 846.863906]
+[ 846.863906] [<ffffffffa08c5aa3>] ? smscore_onresponse+0x1d5/0x353 [smsmdtv]
+[ 846.863906] [<ffffffffa08b642c>] ? smsusb_onresponse+0x146/0x192 [smsusb]
+[ 846.863906] [<ffffffffa004cb1a>] ? usb_hcd_giveback_urb+0x6c/0xac [usbcore]
+[ 846.863906] [<ffffffffa0217be1>] ? ehci_urb_done+0x62/0x72 [ehci_hcd]
+[ 846.863906] [<ffffffffa0217c82>] ? qh_completions+0x91/0x364 [ehci_hcd]
+[ 846.863906] [<ffffffffa0219bba>] ? ehci_work+0x8a/0x68e [ehci_hcd]
+[ 846.863906] [<ffffffff8107336c>] ? timekeeping_get_ns.constprop.10+0xd/0x31
+[ 846.863906] [<ffffffff81064d41>] ? update_cfs_rq_blocked_load+0xde/0xec
+[ 846.863906] [<ffffffff81058ec2>] ? run_posix_cpu_timers+0x25/0x575
+[ 846.863906] [<ffffffffa021aa46>] ? ehci_irq+0x211/0x23d [ehci_hcd]
+[ 846.863906] [<ffffffffa004c0c1>] ? usb_hcd_irq+0x31/0x48 [usbcore]
+[ 846.863906] [<ffffffff810996fd>] ? handle_irq_event_percpu+0x49/0x1a4
+[ 846.863906] [<ffffffff8109988a>] ? handle_irq_event+0x32/0x4b
+[ 846.863906] [<ffffffff8109bd76>] ? handle_fasteoi_irq+0x80/0xb6
+[ 846.863906] [<ffffffff8100e93e>] ? handle_irq+0x18/0x20
+[ 846.863906] [<ffffffff8100e657>] ? do_IRQ+0x40/0x95
+[ 846.863906] [<ffffffff813883ed>] ? common_interrupt+0x6d/0x6d
+[ 846.863906] <EOI>
+[ 846.863906]
+[ 846.863906] [<ffffffff812a011c>] ? arch_local_irq_enable+0x4/0x8
+[ 846.863906] [<ffffffff812a04f3>] ? cpuidle_enter_state+0x52/0xc1
+[ 846.863906] [<ffffffff812a0636>] ? cpuidle_idle_call+0xd4/0x143
+[ 846.863906] [<ffffffff8101398c>] ? arch_cpu_idle+0x5/0x17
+[ 846.863906] [<ffffffff81072571>] ? cpu_startup_entry+0x10d/0x187
+[ 846.863906] [<ffffffff816b3d3d>] ? start_kernel+0x3e8/0x3f3
+[ 846.863906] [<ffffffff816b3777>] ? repair_env_string+0x54/0x54
+[ 846.863906] [<ffffffff816b3598>] ? x86_64_start_kernel+0xf2/0xfd
+[ 846.863906] Code: 25 09 00 00 c6 83 da 08 00 00 03 8b 45 54 48 01 83 b6 08 00 00 8b 45 50 48 01 83 db 08 00 00 8b 4d 18 69 c1 ff ff 00 00 03 4d 14 <48> f7 f1 89 83 a8 09 00 00 e9 68 fe ff ff 48 8b 7f 10 e8 79 92
+[ 846.863906] RIP [<ffffffffa092be0c>] smsdvb_onresponse+0x264/0xa86 [smsdvb]
+[ 846.863906] RSP <ffff88013bc03cf0>
+Reference: http://bugs.debian.org/719623
+
+Reported-by: Johannes Rohr <jorohr@gmail.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/siano/smsdvb-main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -275,7 +275,8 @@ static void smsdvb_update_per_slices(str
+
+ /* Legacy PER/BER */
+ tmp = p->ets_packets * 65535;
+- do_div(tmp, p->ts_packets + p->ets_packets);
++ if (p->ts_packets + p->ets_packets)
++ do_div(tmp, p->ts_packets + p->ets_packets);
+ client->legacy_per = tmp;
+ }
+
--- /dev/null
+From a19dec6ea94c036af68c31930c1c92681f55af41 Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 28 Jun 2013 05:44:22 -0300
+Subject: media: v4l2: added missing mutex.h include to v4l2-ctrls.h
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+commit a19dec6ea94c036af68c31930c1c92681f55af41 upstream.
+
+This patch fixes following error:
+include/media/v4l2-ctrls.h:193:15: error: field ‘_lock’ has incomplete type
+include/media/v4l2-ctrls.h: In function ‘v4l2_ctrl_lock’:
+include/media/v4l2-ctrls.h:570:2: error: implicit declaration of
+ function ‘mutex_lock’ [-Werror=implicit-function-declaration]
+include/media/v4l2-ctrls.h: In function ‘v4l2_ctrl_unlock’:
+include/media/v4l2-ctrls.h:579:2: error: implicit declaration of
+ function ‘mutex_unlock’ [-Werror=implicit-function-declaration]
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/media/v4l2-ctrls.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/media/v4l2-ctrls.h
++++ b/include/media/v4l2-ctrls.h
+@@ -22,6 +22,7 @@
+ #define _V4L2_CTRLS_H
+
+ #include <linux/list.h>
++#include <linux/mutex.h>
+ #include <linux/videodev2.h>
+
+ /* forward references */
--- /dev/null
+From 2bff24a3707093c435ab3241c47dcdb5f16e432b Mon Sep 17 00:00:00 2001
+From: Greg Thelen <gthelen@google.com>
+Date: Wed, 11 Sep 2013 14:23:08 -0700
+Subject: memcg: fix multiple large threshold notifications
+
+From: Greg Thelen <gthelen@google.com>
+
+commit 2bff24a3707093c435ab3241c47dcdb5f16e432b upstream.
+
+A memory cgroup with (1) multiple threshold notifications and (2) at least
+one threshold >=2G was not reliable. Specifically the notifications would
+either not fire or would not fire in the proper order.
+
+The __mem_cgroup_threshold() signaling logic depends on keeping 64 bit
+thresholds in sorted order. mem_cgroup_usage_register_event() sorts them
+with compare_thresholds(), which returns the difference of two 64 bit
+thresholds as an int. If the difference is positive but has bit[31] set,
+then sort() treats the difference as negative and breaks sort order.
+
+This fix compares the two arbitrary 64 bit thresholds returning the
+classic -1, 0, 1 result.
+
+The test below sets two notifications (at 0x1000 and 0x81001000):
+ cd /sys/fs/cgroup/memory
+ mkdir x
+ for x in 4096 2164264960; do
+ cgroup_event_listener x/memory.usage_in_bytes $x | sed "s/^/$x listener:/" &
+ done
+ echo $$ > x/cgroup.procs
+ anon_leaker 500M
+
+v3.11-rc7 fails to signal the 4096 event listener:
+ Leaking...
+ Done leaking pages.
+
+Patched v3.11-rc7 properly notifies:
+ Leaking...
+ 4096 listener:2013:8:31:14:13:36
+ Done leaking pages.
+
+The fixed bug is old. It appears to date back to the introduction of
+memcg threshold notifications in v2.6.34-rc1-116-g2e72b6347c94 "memcg:
+implement memory thresholds"
+
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5584,7 +5584,13 @@ static int compare_thresholds(const void
+ const struct mem_cgroup_threshold *_a = a;
+ const struct mem_cgroup_threshold *_b = b;
+
+- return _a->threshold - _b->threshold;
++ if (_a->threshold > _b->threshold)
++ return 1;
++
++ if (_a->threshold < _b->threshold)
++ return -1;
++
++ return 0;
+ }
+
+ static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
--- /dev/null
+From a1191927ace7e6f827132aa9e062779eb3f11fa5 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 28 Aug 2013 10:41:42 +0200
+Subject: MIPS: ath79: Fix ar933x watchdog clock
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit a1191927ace7e6f827132aa9e062779eb3f11fa5 upstream.
+
+The watchdog device on the AR933x is connected to
+the AHB clock, however the current code uses the
+reference clock. Due to the wrong rate, the watchdog
+driver can't calculate correct register values for
+a given timeout value and the watchdog unexpectedly
+restarts the system.
+
+The code uses the wrong value since the initial
+commit 04225e1d227c8e68d685936ecf42ac175fec0e54
+(MIPS: ath79: add AR933X specific clock init)
+
+The patch fixes the code to use the correct clock
+rate to avoid the problem.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/5777/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ath79/clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ath79/clock.c
++++ b/arch/mips/ath79/clock.c
+@@ -164,7 +164,7 @@ static void __init ar933x_clocks_init(vo
+ ath79_ahb_clk.rate = freq / t;
+ }
+
+- ath79_wdt_clk.rate = ath79_ref_clk.rate;
++ ath79_wdt_clk.rate = ath79_ahb_clk.rate;
+ ath79_uart_clk.rate = ath79_ref_clk.rate;
+ }
+
--- /dev/null
+From a8f531ebc33052642b4bd7b812eedf397108ce64 Mon Sep 17 00:00:00 2001
+From: Libin <huawei.libin@huawei.com>
+Date: Wed, 11 Sep 2013 14:20:38 -0700
+Subject: mm/huge_memory.c: fix potential NULL pointer dereference
+
+From: Libin <huawei.libin@huawei.com>
+
+commit a8f531ebc33052642b4bd7b812eedf397108ce64 upstream.
+
+In collapse_huge_page() there is a race window between releasing the
+mmap_sem read lock and taking the mmap_sem write lock, so find_vma() may
+return NULL. So check the return value to avoid NULL pointer dereference.
+
+collapse_huge_page
+ khugepaged_alloc_page
+ up_read(&mm->mmap_sem)
+ down_write(&mm->mmap_sem)
+ vma = find_vma(mm, address)
+
+Signed-off-by: Libin <huawei.libin@huawei.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Reviewed-by: Michal Hocko <mhocko@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/huge_memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2286,6 +2286,8 @@ static void collapse_huge_page(struct mm
+ goto out;
+
+ vma = find_vma(mm, address);
++ if (!vma)
++ goto out;
+ hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
+ hend = vma->vm_end & HPAGE_PMD_MASK;
+ if (address < hstart || address + HPAGE_PMD_SIZE > hend)
--- /dev/null
+From f936f9b67b7f8c2eae01dd303a0e90bd777c4679 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Sat, 24 Aug 2013 23:38:15 -0400
+Subject: mmc: tmio_mmc_dma: fix PIO fallback on SDHI
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+commit f936f9b67b7f8c2eae01dd303a0e90bd777c4679 upstream.
+
+I'm testing SH-Mobile SDHI driver in DMA mode with a new DMA controller using
+'bonnie++' and getting DMA error after which the tmio_mmc_dma.c code falls back
+to PIO but all commands time out after that. It turned out that the fallback
+code calls tmio_mmc_enable_dma() with RX/TX channels already freed and pointers
+to them cleared, so that the function bails out early instead of clearing the
+DMA bit in the CTL_DMA_ENABLE register. The regression was introduced by commit
+162f43e31c5a376ec16336e5d0ac973373d54c89 (mmc: tmio: fix a deadlock).
+Moving tmio_mmc_enable_dma() calls to the top of the PIO fallback code in
+tmio_mmc_start_dma_{rx|tx}() helps.
+
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Acked-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
+Signed-off-by: Chris Ball <cjb@laptop.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/tmio_mmc_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/tmio_mmc_dma.c
++++ b/drivers/mmc/host/tmio_mmc_dma.c
+@@ -104,6 +104,7 @@ static void tmio_mmc_start_dma_rx(struct
+ pio:
+ if (!desc) {
+ /* DMA failed, fall back to PIO */
++ tmio_mmc_enable_dma(host, false);
+ if (ret >= 0)
+ ret = -EIO;
+ host->chan_rx = NULL;
+@@ -116,7 +117,6 @@ pio:
+ }
+ dev_warn(&host->pdev->dev,
+ "DMA failed: %d, falling back to PIO\n", ret);
+- tmio_mmc_enable_dma(host, false);
+ }
+
+ dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d, sg[%d]\n", __func__,
+@@ -185,6 +185,7 @@ static void tmio_mmc_start_dma_tx(struct
+ pio:
+ if (!desc) {
+ /* DMA failed, fall back to PIO */
++ tmio_mmc_enable_dma(host, false);
+ if (ret >= 0)
+ ret = -EIO;
+ host->chan_tx = NULL;
+@@ -197,7 +198,6 @@ pio:
+ }
+ dev_warn(&host->pdev->dev,
+ "DMA failed: %d, falling back to PIO\n", ret);
+- tmio_mmc_enable_dma(host, false);
+ }
+
+ dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d\n", __func__,
--- /dev/null
+From 68e8078072e802e77134664f11d2ffbfbd2f8fbe Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Thu, 18 Jul 2013 01:17:02 -0700
+Subject: mtd: nand: fix NAND_BUSWIDTH_AUTO for x16 devices
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 68e8078072e802e77134664f11d2ffbfbd2f8fbe upstream.
+
+The code for NAND_BUSWIDTH_AUTO is broken. According to Alexander:
+
+ "I have a problem with attach NAND UBI in 16 bit mode.
+ NAND works fine if I specify NAND_BUSWIDTH_16 option, but not
+ working with NAND_BUSWIDTH_AUTO option. In second case NAND
+ chip is identifyed with ONFI."
+
+See his report for the rest of the details:
+
+ http://lists.infradead.org/pipermail/linux-mtd/2013-July/047515.html
+
+Anyway, the problem is that nand_set_defaults() is called twice, we
+intend it to reset the chip functions to their x16 buswidth verions
+if the buswidth changed from x8 to x16; however, nand_set_defaults()
+does exactly nothing if called a second time.
+
+Fix this by hacking nand_set_defaults() to reset the buswidth-dependent
+functions if they were set to the x8 version the first time. Note that
+this does not do anything to reset from x16 to x8, but that's not the
+supported use case for NAND_BUSWIDTH_AUTO anyway.
+
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Reported-by: Alexander Shiyan <shc_work@mail.ru>
+Tested-by: Alexander Shiyan <shc_work@mail.ru>
+Cc: Matthieu Castet <matthieu.castet@parrot.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2793,7 +2793,9 @@ static void nand_set_defaults(struct nan
+
+ if (!chip->select_chip)
+ chip->select_chip = nand_select_chip;
+- if (!chip->read_byte)
++
++ /* If called twice, pointers that depend on busw may need to be reset */
++ if (!chip->read_byte || chip->read_byte == nand_read_byte)
+ chip->read_byte = busw ? nand_read_byte16 : nand_read_byte;
+ if (!chip->read_word)
+ chip->read_word = nand_read_word;
+@@ -2801,9 +2803,9 @@ static void nand_set_defaults(struct nan
+ chip->block_bad = nand_block_bad;
+ if (!chip->block_markbad)
+ chip->block_markbad = nand_default_block_markbad;
+- if (!chip->write_buf)
++ if (!chip->write_buf || chip->write_buf == nand_write_buf)
+ chip->write_buf = busw ? nand_write_buf16 : nand_write_buf;
+- if (!chip->read_buf)
++ if (!chip->read_buf || chip->read_buf == nand_read_buf)
+ chip->read_buf = busw ? nand_read_buf16 : nand_read_buf;
+ if (!chip->scan_bbt)
+ chip->scan_bbt = nand_default_bbt;
--- /dev/null
+From 28e8be31803b19d0d8f76216cb11b480b8a98bec Mon Sep 17 00:00:00 2001
+From: Jie Liu <jeff.liu@oracle.com>
+Date: Wed, 11 Sep 2013 14:20:05 -0700
+Subject: ocfs2: fix the end cluster offset of FIEMAP
+
+From: Jie Liu <jeff.liu@oracle.com>
+
+commit 28e8be31803b19d0d8f76216cb11b480b8a98bec upstream.
+
+Call fiemap ioctl(2) with given start offset as well as an desired mapping
+range should show extents if possible. However, we somehow figure out the
+end offset of mapping via 'mapping_end -= cpos' before iterating the
+extent records which would cause problems if the given fiemap length is
+too small to a cluster size, e.g,
+
+Cluster size 4096:
+debugfs.ocfs2 1.6.3
+ Block Size Bits: 12 Cluster Size Bits: 12
+
+The extended fiemap test utility From David:
+https://gist.github.com/anonymous/6172331
+
+# dd if=/dev/urandom of=/ocfs2/test_file bs=1M count=1000
+# ./fiemap /ocfs2/test_file 4096 10
+start: 4096, length: 10
+File /ocfs2/test_file has 0 extents:
+# Logical Physical Length Flags
+ ^^^^^ <-- No extent is shown
+
+In this case, at ocfs2_fiemap(): cpos == mapping_end == 1. Hence the
+loop of searching extent records was not executed at all.
+
+This patch remove the in question 'mapping_end -= cpos', and loops
+until the cpos is larger than the mapping_end as usual.
+
+# ./fiemap /ocfs2/test_file 4096 10
+start: 4096, length: 10
+File /ocfs2/test_file has 1 extents:
+# Logical Physical Length Flags
+0: 0000000000000000 0000000056a01000 0000000006a00000 0000
+
+Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+Reported-by: David Weber <wb@munzinger.de>
+Tested-by: David Weber <wb@munzinger.de>
+Cc: Sunil Mushran <sunil.mushran@gmail.com>
+Cc: Mark Fashen <mfasheh@suse.de>
+Cc: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/extent_map.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ocfs2/extent_map.c
++++ b/fs/ocfs2/extent_map.c
+@@ -781,7 +781,6 @@ int ocfs2_fiemap(struct inode *inode, st
+ cpos = map_start >> osb->s_clustersize_bits;
+ mapping_end = ocfs2_clusters_for_bytes(inode->i_sb,
+ map_start + map_len);
+- mapping_end -= cpos;
+ is_last = 0;
+ while (cpos < mapping_end && !is_last) {
+ u32 fe_flags;
--- /dev/null
+From 0640332e073be9207f0784df43595c0c39716e42 Mon Sep 17 00:00:00 2001
+From: Grant Likely <grant.likely@linaro.org>
+Date: Wed, 28 Aug 2013 21:24:17 +0100
+Subject: of: Fix missing memory initialization on FDT unflattening
+
+From: Grant Likely <grant.likely@linaro.org>
+
+commit 0640332e073be9207f0784df43595c0c39716e42 upstream.
+
+Any calls to dt_alloc() need to be zeroed. This is a temporary fix, but
+the allocation function itself needs to zero memory before returning
+it. This is a follow up to patch 9e4012752, "of: fdt: fix memory
+initialization for expanded DT" which fixed one call site but missed
+another.
+
+Signed-off-by: Grant Likely <grant.likely@linaro.org>
+Acked-by: Wladislav Wiebe <wladislav.kw@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1629,6 +1629,7 @@ void of_alias_scan(void * (*dt_alloc)(u6
+ ap = dt_alloc(sizeof(*ap) + len + 1, 4);
+ if (!ap)
+ continue;
++ memset(ap, 0, sizeof(*ap) + len + 1);
+ ap->alias = start;
+ of_alias_add(ap, np, id, start, len);
+ }
--- /dev/null
+From a606488513543312805fab2b93070cefe6a3016c Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 29 Aug 2013 13:56:50 -0700
+Subject: pidns: Fix hang in zap_pid_ns_processes by sending a potentially extra wakeup
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit a606488513543312805fab2b93070cefe6a3016c upstream.
+
+Serge Hallyn <serge.hallyn@ubuntu.com> writes:
+
+> Since commit af4b8a83add95ef40716401395b44a1b579965f4 it's been
+> possible to get into a situation where a pidns reaper is
+> <defunct>, reparented to host pid 1, but never reaped. How to
+> reproduce this is documented at
+>
+> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1168526
+> (and see
+> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1168526/comments/13)
+> In short, run repeated starts of a container whose init is
+>
+> Process.exit(0);
+>
+> sysrq-t when such a task is playing zombie shows:
+>
+> [ 131.132978] init x ffff88011fc14580 0 2084 2039 0x00000000
+> [ 131.132978] ffff880116e89ea8 0000000000000002 ffff880116e89fd8 0000000000014580
+> [ 131.132978] ffff880116e89fd8 0000000000014580 ffff8801172a0000 ffff8801172a0000
+> [ 131.132978] ffff8801172a0630 ffff88011729fff0 ffff880116e14650 ffff88011729fff0
+> [ 131.132978] Call Trace:
+> [ 131.132978] [<ffffffff816f6159>] schedule+0x29/0x70
+> [ 131.132978] [<ffffffff81064591>] do_exit+0x6e1/0xa40
+> [ 131.132978] [<ffffffff81071eae>] ? signal_wake_up_state+0x1e/0x30
+> [ 131.132978] [<ffffffff8106496f>] do_group_exit+0x3f/0xa0
+> [ 131.132978] [<ffffffff810649e4>] SyS_exit_group+0x14/0x20
+> [ 131.132978] [<ffffffff8170102f>] tracesys+0xe1/0xe6
+>
+> Further debugging showed that every time this happened, zap_pid_ns_processes()
+> started with nr_hashed being 3, while we were expecting it to drop to 2.
+> Any time it didn't happen, nr_hashed was 1 or 2. So the reaper was
+> waiting for nr_hashed to become 2, but free_pid() only wakes the reaper
+> if nr_hashed hits 1.
+
+The issue is that when the task group leader of an init process exits
+before other tasks of the init process when the init process finally
+exits it will be a secondary task sleeping in zap_pid_ns_processes and
+waiting to wake up when the number of hashed pids drops to two. This
+case waits forever as free_pid only sends a wake up when the number of
+hashed pids drops to 1.
+
+To correct this the simple strategy of sending a possibly unncessary
+wake up when the number of hashed pids drops to 2 is adopted.
+
+Sending one extraneous wake up is relatively harmless, at worst we
+waste a little cpu time in the rare case when a pid namespace
+appropaches exiting.
+
+We can detect the case when the pid namespace drops to just two pids
+hashed race free in free_pid.
+
+Dereferencing pid_ns->child_reaper with the pidmap_lock held is safe
+without out the tasklist_lock because it is guaranteed that the
+detach_pid will be called on the child_reaper before it is freed and
+detach_pid calls __change_pid which calls free_pid which takes the
+pidmap_lock. __change_pid only calls free_pid if this is the
+last use of the pid. For a thread that is not the thread group leader
+the threads pid will only ever have one user because a threads pid
+is not allowed to be the pid of a process, of a process group or
+a session. For a thread that is a thread group leader all of
+the other threads of that process will be reaped before it is allowed
+for the thread group leader to be reaped ensuring there will only
+be one user of the threads pid as a process pid. Furthermore
+because the thread is the init process of a pid namespace all of the
+other processes in the pid namespace will have also been already freed
+leading to the fact that the pid will not be used as a session pid or
+a process group pid for any other running process.
+
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Tested-by: Serge Hallyn <serge.hallyn@canonical.com>
+Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/pid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -264,6 +264,7 @@ void free_pid(struct pid *pid)
+ struct pid_namespace *ns = upid->ns;
+ hlist_del_rcu(&upid->pid_chain);
+ switch(--ns->nr_hashed) {
++ case 2:
+ case 1:
+ /* When all that is left in the pid namespace
+ * is the reaper wake up the reaper. The reaper
--- /dev/null
+From e79f525e99b04390ca4d2366309545a836c03bf1 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 11 Sep 2013 14:19:38 -0700
+Subject: pidns: fix vfork() after unshare(CLONE_NEWPID)
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit e79f525e99b04390ca4d2366309545a836c03bf1 upstream.
+
+Commit 8382fcac1b81 ("pidns: Outlaw thread creation after
+unshare(CLONE_NEWPID)") nacks CLONE_VM if the forking process unshared
+pid_ns, this obviously breaks vfork:
+
+ int main(void)
+ {
+ assert(unshare(CLONE_NEWUSER | CLONE_NEWPID) == 0);
+ assert(vfork() >= 0);
+ _exit(0);
+ return 0;
+ }
+
+fails without this patch.
+
+Change this check to use CLONE_SIGHAND instead. This also forbids
+CLONE_THREAD automatically, and this is what the comment implies.
+
+We could probably even drop CLONE_SIGHAND and use CLONE_THREAD, but it
+would be safer to not do this. The current check denies CLONE_SIGHAND
+implicitely and there is no reason to change this.
+
+Eric said "CLONE_SIGHAND is fine. CLONE_THREAD would be even better.
+Having shared signal handling between two different pid namespaces is
+the case that we are fundamentally guarding against."
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Colin Walters <walters@redhat.com>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1171,10 +1171,11 @@ static struct task_struct *copy_process(
+ return ERR_PTR(-EINVAL);
+
+ /*
+- * If the new process will be in a different pid namespace
+- * don't allow the creation of threads.
++ * If the new process will be in a different pid namespace don't
++ * allow it to share a thread group or signal handlers with the
++ * forking task.
+ */
+- if ((clone_flags & (CLONE_VM|CLONE_NEWPID)) &&
++ if ((clone_flags & (CLONE_SIGHAND | CLONE_NEWPID)) &&
+ (task_active_pid_ns(current) != current->nsproxy->pid_ns))
+ return ERR_PTR(-EINVAL);
+
--- /dev/null
+From aee1c13dd0f6c2fc56e0e492b349ee8ac655880f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 25 Mar 2013 19:57:10 -0700
+Subject: proc: Restrict mounting the proc filesystem
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit aee1c13dd0f6c2fc56e0e492b349ee8ac655880f upstream.
+
+Don't allow mounting the proc filesystem unless the caller has
+CAP_SYS_ADMIN rights over the pid namespace. The principle here is if
+you create or have capabilities over it you can mount it, otherwise
+you get to live with what other people have mounted.
+
+Andy pointed out that this is needed to prevent users in a user
+namespace from remounting proc and specifying different hidepid and gid
+options on already existing proc mounts.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/root.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/root.c
++++ b/fs/proc/root.c
+@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct
+ ns = task_active_pid_ns(current);
+ options = data;
+
+- if (!current_user_ns()->may_mount_proc)
++ if (!current_user_ns()->may_mount_proc ||
++ !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+ }
+
--- /dev/null
+From 17c1cc1d9293a568a00545469078e29555cc7f39 Mon Sep 17 00:00:00 2001
+From: Josh Durgin <josh.durgin@inktank.com>
+Date: Mon, 26 Aug 2013 17:55:38 -0700
+Subject: rbd: fix I/O error propagation for reads
+
+From: Josh Durgin <josh.durgin@inktank.com>
+
+commit 17c1cc1d9293a568a00545469078e29555cc7f39 upstream.
+
+When a request returns an error, the driver needs to report the entire
+extent of the request as completed. Writes already did this, since
+they always set xferred = length, but reads were skipping that step if
+an error other than -ENOENT occurred. Instead, rbd would end up
+passing 0 xferred to blk_end_request(), which would always report
+needing more data. This resulted in an assert failing when more data
+was required by the block layer, but all the object requests were
+done:
+
+[ 1868.719077] rbd: obj_request read result -108 xferred 0
+[ 1868.719077]
+[ 1868.719518] end_request: I/O error, dev rbd1, sector 0
+[ 1868.719739]
+[ 1868.719739] Assertion failure in rbd_img_obj_callback() at line 1736:
+[ 1868.719739]
+[ 1868.719739] rbd_assert(more ^ (which == img_request->obj_request_count));
+
+Without this assert, reads that hit errors would hang forever, since
+the block layer considered them incomplete.
+
+Fixes: http://tracker.ceph.com/issues/5647
+Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
+Reviewed-by: Alex Elder <alex.elder@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -1565,11 +1565,12 @@ rbd_img_obj_request_read_callback(struct
+ obj_request, obj_request->img_request, obj_request->result,
+ xferred, length);
+ /*
+- * ENOENT means a hole in the image. We zero-fill the
+- * entire length of the request. A short read also implies
+- * zero-fill to the end of the request. Either way we
+- * update the xferred count to indicate the whole request
+- * was satisfied.
++ * ENOENT means a hole in the image. We zero-fill the entire
++ * length of the request. A short read also implies zero-fill
++ * to the end of the request. An error requires the whole
++ * length of the request to be reported finished with an error
++ * to the block layer. In each case we update the xferred
++ * count to indicate the whole request was satisfied.
+ */
+ rbd_assert(obj_request->type != OBJ_REQUEST_NODATA);
+ if (obj_request->result == -ENOENT) {
+@@ -1578,14 +1579,13 @@ rbd_img_obj_request_read_callback(struct
+ else
+ zero_pages(obj_request->pages, 0, length);
+ obj_request->result = 0;
+- obj_request->xferred = length;
+ } else if (xferred < length && !obj_request->result) {
+ if (obj_request->type == OBJ_REQUEST_BIO)
+ zero_bio_chain(obj_request->bio_list, xferred);
+ else
+ zero_pages(obj_request->pages, xferred, length);
+- obj_request->xferred = length;
+ }
++ obj_request->xferred = length;
+ obj_request_done_set(obj_request);
+ }
+
hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch
hid-check-for-null-field-when-setting-values.patch
hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch
+media-exynos-gsc-register-v4l2-device.patch
+media-exynos4-is-fix-entity-unregistration-on-error-path.patch
+media-s5p-g2d-fix-registration-failure.patch
+media-docbook-upgrade-media_api-docbook-version-to-4.2.patch
+media-hdpvr-fix-iteration-over-uninitialized-lists-in-hdpvr_probe.patch
+media-v4l2-added-missing-mutex.h-include-to-v4l2-ctrls.h.patch
+media-media-coda-fix-dt-driver-data-pointer-for-i.mx27.patch
+media-mb86a20s-fix-ts-parallel-mode.patch
+media-siano-fix-divide-error-on-0-counters.patch
+btrfs-don-t-allow-the-replace-procedure-on-read-only-filesystems.patch
+uprobes-fix-utask-depth-accounting-in-handle_trampoline.patch
+leds-wm831x-status-request-a-reg-resource.patch
+mips-ath79-fix-ar933x-watchdog-clock.patch
+target-fix-v3.9-regression-in-pr-aptpl-alua-metadata-write-out.patch
+intel-iommu-fix-leaks-in-pagetable-freeing.patch
+pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch
+pidns-fix-vfork-after-unshare-clone_newpid.patch
+ocfs2-fix-the-end-cluster-offset-of-fiemap.patch
+memcg-fix-multiple-large-threshold-notifications.patch
+mm-huge_memory.c-fix-potential-null-pointer-dereference.patch
+proc-restrict-mounting-the-proc-filesystem.patch
+isofs-refuse-rw-mount-of-the-filesystem-instead-of-making-it-ro.patch
+amd64_edac-fix-single-channel-setups.patch
+drm-edid-add-quirk-for-medion-md30217pg.patch
+um-implement-probe_kernel_read.patch
+libceph-unregister-request-in-__map_request-failed-and-nofail-false.patch
+libceph-use-pg_num_mask-instead-of-pgp_num_mask-for-pg.seed-calc.patch
+ceph-don-t-forget-the-up_read-osdc-map_sem-if-met-error.patch
+rbd-fix-i-o-error-propagation-for-reads.patch
+mmc-tmio_mmc_dma-fix-pio-fallback-on-sdhi.patch
+of-fix-missing-memory-initialization-on-fdt-unflattening.patch
+mtd-nand-fix-nand_buswidth_auto-for-x16-devices.patch
+clk-wm831x-initialise-wm831x-pointer-on-init.patch
+fuse-postpone-end_page_writeback-in-fuse_writepage_locked.patch
+fuse-invalidate-inode-attributes-on-xattr-modification.patch
+fuse-hotfix-truncate_pagecache-issue.patch
+fuse-readdir-check-for-slash-in-names.patch
--- /dev/null
+From f730f9158f6ee7b5c4d892af6b51a72194445ea4 Mon Sep 17 00:00:00 2001
+From: Gera Kazakov <gkazakov@msn.com>
+Date: Mon, 9 Sep 2013 15:47:06 -0700
+Subject: target: Fix >= v3.9+ regression in PR APTPL + ALUA metadata write-out
+
+From: Gera Kazakov <gkazakov@msn.com>
+
+commit f730f9158f6ee7b5c4d892af6b51a72194445ea4 upstream.
+
+This patch fixes a >= v3.9+ regression in __core_scsi3_write_aptpl_to_file()
++ core_alua_write_tpg_metadata() write-out, where a return value of -EIO was
+incorrectly being returned upon success.
+
+This bug was originally introduced in:
+
+commit 0e9b10a90f1c30f25dd6f130130240745ab14010
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Feb 23 15:22:43 2013 -0500
+
+ target: writev() on single-element vector is pointless
+
+However, given that the return of core_scsi3_update_and_write_aptpl()
+was not used to determine if a command should be returned with non GOOD
+status, this bug was not being triggered in PR logic until v3.11-rc1 by
+commit:
+
+commit 459f213ba162bd13e113d6f92a8fa6c780fd67ed
+Author: Andy Grover <agrover@redhat.com>
+Date: Thu May 16 10:41:02 2013 -0700
+
+ target: Allocate aptpl_buf inside update_and_write_aptpl()
+
+So, go ahead and only return -EIO if kernel_write() returned a
+negative value.
+
+Reported-by: Gera Kazakov <gkazakov@msn.com>
+Signed-off-by: Gera Kazakov <gkazakov@msn.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Andy Grover <agrover@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_alua.c | 2 +-
+ drivers/target/target_core_pr.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -730,7 +730,7 @@ static int core_alua_write_tpg_metadata(
+ if (ret < 0)
+ pr_err("Error writing ALUA metadata file: %s\n", path);
+ fput(file);
+- return ret ? -EIO : 0;
++ return (ret < 0) ? -EIO : 0;
+ }
+
+ /*
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1987,7 +1987,7 @@ static int __core_scsi3_write_aptpl_to_f
+ pr_debug("Error writing APTPL metadata file: %s\n", path);
+ fput(file);
+
+- return ret ? -EIO : 0;
++ return (ret < 0) ? -EIO : 0;
+ }
+
+ static int
--- /dev/null
+From f75b1b1bedfb498cc43a992ce4d7ed8df3b1e770 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sat, 17 Aug 2013 18:46:00 +0200
+Subject: um: Implement probe_kernel_read()
+
+From: Richard Weinberger <richard@nod.at>
+
+commit f75b1b1bedfb498cc43a992ce4d7ed8df3b1e770 upstream.
+
+UML needs it's own probe_kernel_read() to handle kernel
+mode faults correctly.
+The implementation uses mincore() on the host side to detect
+whether a page is owned by the UML kernel process.
+
+This fixes also a possible crash when sysrq-t is used.
+Starting with 3.10 sysrq-t calls probe_kernel_read() to
+read details from the kernel workers. As kernel worker are
+completely async pointers may turn NULL while reading them.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Cc: <stian@nixia.no>
+Cc: <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/include/shared/os.h | 1
+ arch/um/kernel/Makefile | 2 -
+ arch/um/kernel/maccess.c | 24 ++++++++++++++++++++
+ arch/um/os-Linux/process.c | 52 ++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 78 insertions(+), 1 deletion(-)
+
+--- a/arch/um/include/shared/os.h
++++ b/arch/um/include/shared/os.h
+@@ -200,6 +200,7 @@ extern int os_unmap_memory(void *addr, i
+ extern int os_drop_memory(void *addr, int length);
+ extern int can_drop_memory(void);
+ extern void os_flush_stdout(void);
++extern int os_mincore(void *addr, unsigned long len);
+
+ /* execvp.c */
+ extern int execvp_noalloc(char *buf, const char *file, char *const argv[]);
+--- a/arch/um/kernel/Makefile
++++ b/arch/um/kernel/Makefile
+@@ -13,7 +13,7 @@ clean-files :=
+ obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \
+ physmem.o process.o ptrace.o reboot.o sigio.o \
+ signal.o smp.o syscall.o sysrq.o time.o tlb.o trap.o \
+- um_arch.o umid.o skas/
++ um_arch.o umid.o maccess.o skas/
+
+ obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o
+ obj-$(CONFIG_GPROF) += gprof_syms.o
+--- /dev/null
++++ b/arch/um/kernel/maccess.c
+@@ -0,0 +1,24 @@
++/*
++ * Copyright (C) 2013 Richard Weinberger <richrd@nod.at>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++#include <linux/uaccess.h>
++#include <linux/kernel.h>
++#include <os.h>
++
++long probe_kernel_read(void *dst, const void *src, size_t size)
++{
++ void *psrc = (void *)rounddown((unsigned long)src, PAGE_SIZE);
++
++ if ((unsigned long)src < PAGE_SIZE || size <= 0)
++ return -EFAULT;
++
++ if (os_mincore(psrc, size + src - psrc) <= 0)
++ return -EFAULT;
++
++ return __probe_kernel_read(dst, src, size);
++}
+--- a/arch/um/os-Linux/process.c
++++ b/arch/um/os-Linux/process.c
+@@ -4,6 +4,7 @@
+ */
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <signal.h>
+@@ -232,6 +233,57 @@ out:
+ return ok;
+ }
+
++static int os_page_mincore(void *addr)
++{
++ char vec[2];
++ int ret;
++
++ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec);
++ if (ret < 0) {
++ if (errno == ENOMEM || errno == EINVAL)
++ return 0;
++ else
++ return -errno;
++ }
++
++ return vec[0] & 1;
++}
++
++int os_mincore(void *addr, unsigned long len)
++{
++ char *vec;
++ int ret, i;
++
++ if (len <= UM_KERN_PAGE_SIZE)
++ return os_page_mincore(addr);
++
++ vec = calloc(1, (len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE);
++ if (!vec)
++ return -ENOMEM;
++
++ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec);
++ if (ret < 0) {
++ if (errno == ENOMEM || errno == EINVAL)
++ ret = 0;
++ else
++ ret = -errno;
++
++ goto out;
++ }
++
++ for (i = 0; i < ((len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); i++) {
++ if (!(vec[i] & 1)) {
++ ret = 0;
++ goto out;
++ }
++ }
++
++ ret = 1;
++out:
++ free(vec);
++ return ret;
++}
++
+ void init_new_thread_signals(void)
+ {
+ set_handler(SIGSEGV);
--- /dev/null
+From 878b5a6efd38030c7a90895dc8346e8fb1e09b4c Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 11 Sep 2013 17:47:26 +0200
+Subject: uprobes: Fix utask->depth accounting in handle_trampoline()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 878b5a6efd38030c7a90895dc8346e8fb1e09b4c upstream.
+
+Currently utask->depth is simply the number of allocated/pending
+return_instance's in uprobe_task->return_instances list.
+
+handle_trampoline() should decrement this counter every time we
+handle/free an instance, but due to typo it does this only if
+->chained == T. This means that in the likely case this counter
+is never decremented and the probed task can't report more than
+MAX_URETPROBE_DEPTH events.
+
+Reported-by: Mikhail Kulemin <Mikhail.Kulemin@ru.ibm.com>
+Reported-by: Hemant Kumar Shaw <hkshaw@linux.vnet.ibm.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Anton Arapov <anton@redhat.com>
+Cc: masami.hiramatsu.pt@hitachi.com
+Cc: srikar@linux.vnet.ibm.com
+Cc: systemtap@sourceware.org
+Link: http://lkml.kernel.org/r/20130911154726.GA8093@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/uprobes.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1682,12 +1682,10 @@ static bool handle_trampoline(struct pt_
+ tmp = ri;
+ ri = ri->next;
+ kfree(tmp);
++ utask->depth--;
+
+ if (!chained)
+ break;
+-
+- utask->depth--;
+-
+ BUG_ON(!ri);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
