--- /dev/null
+From 084c7189acb3f969c855536166042e27f5dd703f Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Fri, 15 Mar 2013 18:47:07 -0700
+Subject: mwifiex: cancel cmd timer and free curr_cmd in shutdown process
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit 084c7189acb3f969c855536166042e27f5dd703f upstream.
+
+curr_cmd points to the command that is in processing or waiting
+for its command response from firmware. If the function shutdown
+happens to occur at this time we should cancel the cmd timer and
+put the command back to free queue.
+
+Tested-by: Marco Cesarano <marco@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/init.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/wireless/mwifiex/init.c
++++ b/drivers/net/wireless/mwifiex/init.c
+@@ -584,6 +584,14 @@ mwifiex_shutdown_drv(struct mwifiex_adap
+ return ret;
+ }
+
++ /* cancel current command */
++ if (adapter->curr_cmd) {
++ dev_warn(adapter->dev, "curr_cmd is still in processing\n");
++ del_timer(&adapter->cmd_timer);
++ mwifiex_insert_cmd_to_free_q(adapter, adapter->curr_cmd);
++ adapter->curr_cmd = NULL;
++ }
++
+ /* shut down mwifiex */
+ dev_dbg(adapter->dev, "info: shutdown mwifiex...\n");
+
--- /dev/null
+From 896ee0eee6261e30c3623be931c3f621428947df Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 20 Mar 2013 05:19:24 +0000
+Subject: net/irda: add missing error path release_sock call
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 896ee0eee6261e30c3623be931c3f621428947df upstream.
+
+This makes sure that release_sock is called for all error conditions in
+irda_getsockopt.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/irda/af_irda.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2584,8 +2584,10 @@ bed:
+ NULL, NULL, NULL);
+
+ /* Check if the we got some results */
+- if (!self->cachedaddr)
+- return -EAGAIN; /* Didn't find any devices */
++ if (!self->cachedaddr) {
++ err = -EAGAIN; /* Didn't find any devices */
++ goto out;
++ }
+ daddr = self->cachedaddr;
+ /* Cleanup */
+ self->cachedaddr = 0;
--- /dev/null
+From 4376c94618c26225e69e17b7c91169c45a90b292 Mon Sep 17 00:00:00 2001
+From: fanchaoting <fanchaoting@cn.fujitsu.com>
+Date: Thu, 21 Mar 2013 09:15:30 +0800
+Subject: pnfs-block: removing DM device maybe cause oops when call dev_remove
+
+From: fanchaoting <fanchaoting@cn.fujitsu.com>
+
+commit 4376c94618c26225e69e17b7c91169c45a90b292 upstream.
+
+when pnfs block using device mapper,if umounting later,it maybe
+cause oops. we apply "1 + sizeof(bl_umount_request)" memory for
+msg->data, the memory maybe overflow when we do "memcpy(&dataptr
+[sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request))",
+because the size of bl_msg is more than 1 byte.
+
+Signed-off-by: fanchaoting<fanchaoting@cn.fujitsu.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/blocklayout/blocklayoutdm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/blocklayout/blocklayoutdm.c
++++ b/fs/nfs/blocklayout/blocklayoutdm.c
+@@ -55,7 +55,8 @@ static void dev_remove(struct net *net,
+
+ bl_pipe_msg.bl_wq = &nn->bl_wq;
+ memset(msg, 0, sizeof(*msg));
+- msg->data = kzalloc(1 + sizeof(bl_umount_request), GFP_NOFS);
++ msg->len = sizeof(bl_msg) + bl_msg.totallen;
++ msg->data = kzalloc(msg->len, GFP_NOFS);
+ if (!msg->data)
+ goto out;
+
+@@ -66,7 +67,6 @@ static void dev_remove(struct net *net,
+ memcpy(msg->data, &bl_msg, sizeof(bl_msg));
+ dataptr = (uint8_t *) msg->data;
+ memcpy(&dataptr[sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request));
+- msg->len = sizeof(bl_msg) + bl_msg.totallen;
+
+ add_wait_queue(&nn->bl_wq, &wq);
+ if (rpc_queue_upcall(nn->bl_device_pipe, msg) < 0) {
bluetooth-add-support-for-dell_2.patch
staging-comedi-s626-fix-continuous-acquisition.patch
sysfs-fix-race-between-readdir-and-lseek.patch
-b43-n-phy-increase-initial-value-of-mind-in-rssi-calibration.patch
-b43-a-fix-for-dma-transmission-sequence-errors.patch
-b43-n-phy-use-more-bits-for-offset-in-rssi-calibration.patch
-tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
-iommu-amd-make-sure-dma_ops-are-set-for-hotplug-devices.patch
sysfs-handle-failure-path-correctly-for-readdir.patch
can-sja1000-fix-define-conflict-on-sh.patch
ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch
hid-usbhid-quirk-for-realtek-multi-card-reader.patch
rtlwifi-usb-add-missing-freeing-of-skbuff.patch
+b43-n-phy-increase-initial-value-of-mind-in-rssi-calibration.patch
+b43-a-fix-for-dma-transmission-sequence-errors.patch
+b43-n-phy-use-more-bits-for-offset-in-rssi-calibration.patch
+tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
+iommu-amd-make-sure-dma_ops-are-set-for-hotplug-devices.patch
+xen-blkback-correctly-respond-to-unknown-non-native-requests.patch
+xen-blkback-fix-dispatch_rw_block_io-error-path.patch
+tty-atmel_serial_probe-index-of-atmel_ports-fix.patch
+usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch
+vt-synchronize_rcu-under-spinlock-is-not-nice.patch
+mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch
+pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch
+net-irda-add-missing-error-path-release_sock-call.patch
+usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch
+usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch
--- /dev/null
+From 503bded92da283b2f31d87e054c4c6d30c3c2340 Mon Sep 17 00:00:00 2001
+From: Pawel Wieczorkiewicz <wpawel@gmail.com>
+Date: Wed, 20 Feb 2013 17:26:20 +0100
+Subject: tty: atmel_serial_probe(): index of atmel_ports[] fix
+
+From: Pawel Wieczorkiewicz <wpawel@gmail.com>
+
+commit 503bded92da283b2f31d87e054c4c6d30c3c2340 upstream.
+
+Index of atmel_ports[ATMEL_MAX_UART] should be smaller
+than ATMEL_MAX_UART.
+
+Signed-off-by: Pawel Wieczorkiewicz <wpawel@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -159,7 +159,7 @@ struct atmel_uart_port {
+ };
+
+ static struct atmel_uart_port atmel_ports[ATMEL_MAX_UART];
+-static unsigned long atmel_ports_in_use;
++static DECLARE_BITMAP(atmel_ports_in_use, ATMEL_MAX_UART);
+
+ #ifdef SUPPORT_SYSRQ
+ static struct console atmel_console;
+@@ -1785,15 +1785,14 @@ static int __devinit atmel_serial_probe(
+ if (ret < 0)
+ /* port id not found in platform data nor device-tree aliases:
+ * auto-enumerate it */
+- ret = find_first_zero_bit(&atmel_ports_in_use,
+- sizeof(atmel_ports_in_use));
++ ret = find_first_zero_bit(atmel_ports_in_use, ATMEL_MAX_UART);
+
+- if (ret > ATMEL_MAX_UART) {
++ if (ret >= ATMEL_MAX_UART) {
+ ret = -ENODEV;
+ goto err;
+ }
+
+- if (test_and_set_bit(ret, &atmel_ports_in_use)) {
++ if (test_and_set_bit(ret, atmel_ports_in_use)) {
+ /* port already in use */
+ ret = -EBUSY;
+ goto err;
+@@ -1867,7 +1866,7 @@ static int __devexit atmel_serial_remove
+
+ /* "port" is allocated statically, so we shouldn't free it */
+
+- clear_bit(port->line, &atmel_ports_in_use);
++ clear_bit(port->line, atmel_ports_in_use);
+
+ clk_put(atmel_port->clk);
+
--- /dev/null
+From 85ecd0322b9a1a9f451d9150e9460ab42fd17219 Mon Sep 17 00:00:00 2001
+From: Soeren Moch <smoch@web.de>
+Date: Fri, 22 Mar 2013 12:16:52 -0400
+Subject: USB: EHCI: fix bug in iTD/siTD DMA pool allocation
+
+From: Soeren Moch <smoch@web.de>
+
+commit 85ecd0322b9a1a9f451d9150e9460ab42fd17219 upstream.
+
+[Description written by Alan Stern]
+
+Soeren tracked down a very difficult bug in ehci-hcd's DMA pool
+management of iTD and siTD structures. Some background: ehci-hcd
+gives each isochronous endpoint its own set of active and free itd's
+(or sitd's for full-speed devices). When a new itd is needed, it is
+taken from the head of the free list, if possible. However, itd's
+must not be used twice in a single frame because the hardware
+continues to access the data structure for the entire duration of a
+frame. Therefore if the itd at the head of the free list has its
+"frame" member equal to the current value of ehci->now_frame, it
+cannot be reused and instead a new itd is allocated from the DMA pool.
+The entries on the free list are not released back to the pool until
+the endpoint is no longer in use.
+
+The bug arises from the fact that sometimes an itd can be moved back
+onto the free list before itd->frame has been set properly. In
+Soeren's case, this happened because ehci-hcd can allocate one more
+itd than it actually needs for an URB; the extra itd may or may not be
+required depending on how the transfer aligns with a frame boundary.
+For example, an URB with 8 isochronous packets will cause two itd's to
+be allocated. If the URB is scheduled to start in microframe 3 of
+frame N then it will require both itds: one for microframes 3 - 7 of
+frame N and one for microframes 0 - 2 of frame N+1. But if the URB
+had been scheduled to start in microframe 0 then it would require only
+the first itd, which could cover microframes 0 - 7 of frame N. The
+second itd would be returned to the end of the free list.
+
+The itd allocation routine initializes the entire structure to 0, so
+the extra itd ends up on the free list with itd->frame set to 0
+instead of a meaningful value. After a while the itd reaches the head
+of the list, and occasionally this happens when ehci->now_frame is
+equal to 0. Then, even though it would be okay to reuse this itd, the
+driver thinks it must get another itd from the DMA pool.
+
+For as long as the isochronous endpoint remains in use, this flaw in
+the mechanism causes more and more itd's to be taken slowly from the
+DMA pool. Since none are released back, the pool eventually becomes
+exhausted.
+
+This reuslts in memory allocation failures, which typically show up
+during a long-running audio stream. Video might suffer the same
+effect.
+
+The fix is very simple. To prevent allocations from the pool when
+they aren't needed, make sure that itd's sent back to the free list
+prematurely have itd->frame set to an invalid value which can never be
+equal to ehci->now_frame.
+
+This should be applied to -stable kernels going back to 3.6.
+
+Signed-off-by: Soeren Moch <smoch@web.de>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-sched.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/ehci-sched.c
++++ b/drivers/usb/host/ehci-sched.c
+@@ -1280,6 +1280,7 @@ itd_urb_transaction (
+
+ memset (itd, 0, sizeof *itd);
+ itd->itd_dma = itd_dma;
++ itd->frame = 9999; /* an invalid value */
+ list_add (&itd->itd_list, &sched->td_list);
+ }
+ spin_unlock_irqrestore (&ehci->lock, flags);
+@@ -1979,6 +1980,7 @@ sitd_urb_transaction (
+
+ memset (sitd, 0, sizeof *sitd);
+ sitd->sitd_dma = sitd_dma;
++ sitd->frame = 9999; /* an invalid value */
+ list_add (&sitd->sitd_list, &iso_sched->td_list);
+ }
+
--- /dev/null
+From 482b0b5d82bd916cc0c55a2abf65bdc69023b843 Mon Sep 17 00:00:00 2001
+From: Konstantin Holoborodko <klh.kernel@gmail.com>
+Date: Fri, 29 Mar 2013 00:06:13 +0900
+Subject: usb: ftdi_sio: Add support for Mitsubishi FX-USB-AW/-BD
+
+From: Konstantin Holoborodko <klh.kernel@gmail.com>
+
+commit 482b0b5d82bd916cc0c55a2abf65bdc69023b843 upstream.
+
+It enhances the driver for FTDI-based USB serial adapters
+to recognize Mitsubishi Electric Corp. USB/RS422 Converters
+as FT232BM chips and support them.
+https://search.meau.com/?q=FX-USB-AW
+
+Signed-off-by: Konstantin Holoborodko <klh.kernel@gmail.com>
+Tested-by: Konstantin Holoborodko <klh.kernel@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -648,6 +648,7 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(FTDI_VID, FTDI_RM_CANVIEW_PID) },
+ { USB_DEVICE(ACTON_VID, ACTON_SPECTRAPRO_PID) },
+ { USB_DEVICE(CONTEC_VID, CONTEC_COM1USBH_PID) },
++ { USB_DEVICE(MITSUBISHI_VID, MITSUBISHI_FXUSB_PID) },
+ { USB_DEVICE(BANDB_VID, BANDB_USOTL4_PID) },
+ { USB_DEVICE(BANDB_VID, BANDB_USTL4_PID) },
+ { USB_DEVICE(BANDB_VID, BANDB_USO9ML2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -584,6 +584,13 @@
+ #define CONTEC_COM1USBH_PID 0x8311 /* COM-1(USB)H */
+
+ /*
++ * Mitsubishi Electric Corp. (http://www.meau.com)
++ * Submitted by Konstantin Holoborodko
++ */
++#define MITSUBISHI_VID 0x06D3
++#define MITSUBISHI_FXUSB_PID 0x0284 /* USB/RS422 converters: FX-USB-AW/-BD */
++
++/*
+ * Definitions for B&B Electronics products.
+ */
+ #define BANDB_VID 0x0856 /* B&B Electronics Vendor ID */
--- /dev/null
+From 1c11a172cb30492f5f6a82c6e118fdcd9946c34f Mon Sep 17 00:00:00 2001
+From: Vivek Gautam <gautam.vivek@samsung.com>
+Date: Thu, 21 Mar 2013 12:06:48 +0530
+Subject: usb: xhci: Fix TRB transfer length macro used for Event TRB.
+
+From: Vivek Gautam <gautam.vivek@samsung.com>
+
+commit 1c11a172cb30492f5f6a82c6e118fdcd9946c34f upstream.
+
+Use proper macro while extracting TRB transfer length from
+Transfer event TRBs. Adding a macro EVENT_TRB_LEN (bits 0:23)
+for the same, and use it instead of TRB_LEN (bits 0:16) in
+case of event TRBs.
+
+This patch should be backported to kernels as old as 2.6.31, that
+contain the commit b10de142119a676552df3f0d2e3a9d647036c26a "USB: xhci:
+Bulk transfer support". This patch will have issues applying to older
+kernels.
+
+Signed-off-by: Vivek gautam <gautam.vivek@samsung.com>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 24 ++++++++++++------------
+ drivers/usb/host/xhci.h | 4 ++++
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2027,8 +2027,8 @@ static int process_ctrl_td(struct xhci_h
+ if (event_trb != ep_ring->dequeue &&
+ event_trb != td->last_trb)
+ td->urb->actual_length =
+- td->urb->transfer_buffer_length
+- - TRB_LEN(le32_to_cpu(event->transfer_len));
++ td->urb->transfer_buffer_length -
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+ else
+ td->urb->actual_length = 0;
+
+@@ -2060,7 +2060,7 @@ static int process_ctrl_td(struct xhci_h
+ /* Maybe the event was for the data stage? */
+ td->urb->actual_length =
+ td->urb->transfer_buffer_length -
+- TRB_LEN(le32_to_cpu(event->transfer_len));
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+ xhci_dbg(xhci, "Waiting for status "
+ "stage event\n");
+ return 0;
+@@ -2096,7 +2096,7 @@ static int process_isoc_td(struct xhci_h
+ /* handle completion code */
+ switch (trb_comp_code) {
+ case COMP_SUCCESS:
+- if (TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) {
++ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) {
+ frame->status = 0;
+ break;
+ }
+@@ -2141,7 +2141,7 @@ static int process_isoc_td(struct xhci_h
+ len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2]));
+ }
+ len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) -
+- TRB_LEN(le32_to_cpu(event->transfer_len));
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+
+ if (trb_comp_code != COMP_STOP_INVAL) {
+ frame->actual_length = len;
+@@ -2199,7 +2199,7 @@ static int process_bulk_intr_td(struct x
+ case COMP_SUCCESS:
+ /* Double check that the HW transferred everything. */
+ if (event_trb != td->last_trb ||
+- TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
+ xhci_warn(xhci, "WARN Successful completion "
+ "on short TX\n");
+ if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
+@@ -2227,18 +2227,18 @@ static int process_bulk_intr_td(struct x
+ "%d bytes untransferred\n",
+ td->urb->ep->desc.bEndpointAddress,
+ td->urb->transfer_buffer_length,
+- TRB_LEN(le32_to_cpu(event->transfer_len)));
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)));
+ /* Fast path - was this the last TRB in the TD for this URB? */
+ if (event_trb == td->last_trb) {
+- if (TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
++ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
+ td->urb->actual_length =
+ td->urb->transfer_buffer_length -
+- TRB_LEN(le32_to_cpu(event->transfer_len));
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+ if (td->urb->transfer_buffer_length <
+ td->urb->actual_length) {
+ xhci_warn(xhci, "HC gave bad length "
+ "of %d bytes left\n",
+- TRB_LEN(le32_to_cpu(event->transfer_len)));
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)));
+ td->urb->actual_length = 0;
+ if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
+ *status = -EREMOTEIO;
+@@ -2280,7 +2280,7 @@ static int process_bulk_intr_td(struct x
+ if (trb_comp_code != COMP_STOP_INVAL)
+ td->urb->actual_length +=
+ TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) -
+- TRB_LEN(le32_to_cpu(event->transfer_len));
++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+ }
+
+ return finish_td(xhci, td, event_trb, event, ep, status, false);
+@@ -2366,7 +2366,7 @@ static int handle_tx_event(struct xhci_h
+ * transfer type
+ */
+ case COMP_SUCCESS:
+- if (TRB_LEN(le32_to_cpu(event->transfer_len)) == 0)
++ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0)
+ break;
+ if (xhci->quirks & XHCI_TRUST_TX_LENGTH)
+ trb_comp_code = COMP_SHORT_TX;
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -968,6 +968,10 @@ struct xhci_transfer_event {
+ __le32 flags;
+ };
+
++/* Transfer event TRB length bit mask */
++/* bits 0:23 */
++#define EVENT_TRB_LEN(p) ((p) & 0xffffff)
++
+ /** Transfer Event bit fields **/
+ #define TRB_TO_EP_ID(p) (((p) >> 16) & 0x1f)
+
--- /dev/null
+From e8cd81693bbbb15db57d3c9aa7dd90eda4842874 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2013 20:30:17 -0400
+Subject: vt: synchronize_rcu() under spinlock is not nice...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e8cd81693bbbb15db57d3c9aa7dd90eda4842874 upstream.
+
+vcs_poll_data_free() calls unregister_vt_notifier(), which calls
+atomic_notifier_chain_unregister(), which calls synchronize_rcu().
+Do it *after* we'd dropped ->f_lock.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vc_screen.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -93,7 +93,7 @@ vcs_poll_data_free(struct vcs_poll_data
+ static struct vcs_poll_data *
+ vcs_poll_data_get(struct file *file)
+ {
+- struct vcs_poll_data *poll = file->private_data;
++ struct vcs_poll_data *poll = file->private_data, *kill = NULL;
+
+ if (poll)
+ return poll;
+@@ -122,10 +122,12 @@ vcs_poll_data_get(struct file *file)
+ file->private_data = poll;
+ } else {
+ /* someone else raced ahead of us */
+- vcs_poll_data_free(poll);
++ kill = poll;
+ poll = file->private_data;
+ }
+ spin_unlock(&file->f_lock);
++ if (kill)
++ vcs_poll_data_free(kill);
+
+ return poll;
+ }
--- /dev/null
+From 0e367ae46503cfe7791460c8ba8434a5d60b2bd5 Mon Sep 17 00:00:00 2001
+From: David Vrabel <david.vrabel@citrix.com>
+Date: Thu, 7 Mar 2013 17:32:01 +0000
+Subject: xen/blkback: correctly respond to unknown, non-native requests
+
+From: David Vrabel <david.vrabel@citrix.com>
+
+commit 0e367ae46503cfe7791460c8ba8434a5d60b2bd5 upstream.
+
+If the frontend is using a non-native protocol (e.g., a 64-bit
+frontend with a 32-bit backend) and it sent an unrecognized request,
+the request was not translated and the response would have the
+incorrect ID. This may cause the frontend driver to behave
+incorrectly or crash.
+
+Since the ID field in the request is always in the same place,
+regardless of the request type we can get the correct ID and make a
+valid response (which will report BLKIF_RSP_EOPNOTSUPP).
+
+This bug affected 64-bit SLES 11 guests when using a 32-bit backend.
+This guest does a BLKIF_OP_RESERVED_1 (BLKIF_OP_PACKET in the SLES
+source) and would crash in blkif_int() as the ID in the response would
+be invalid.
+
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/blkback.c | 31 +++++++++++++++++++++++++++----
+ drivers/block/xen-blkback/common.h | 25 +++++++++++++++++++++++++
+ include/xen/interface/io/blkif.h | 10 ++++++++++
+ 3 files changed, 62 insertions(+), 4 deletions(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -422,6 +422,16 @@ static int dispatch_discard_io(struct xe
+ return err;
+ }
+
++static int dispatch_other_io(struct xen_blkif *blkif,
++ struct blkif_request *req,
++ struct pending_req *pending_req)
++{
++ free_req(pending_req);
++ make_response(blkif, req->u.other.id, req->operation,
++ BLKIF_RSP_EOPNOTSUPP);
++ return -EIO;
++}
++
+ static void xen_blk_drain_io(struct xen_blkif *blkif)
+ {
+ atomic_set(&blkif->drain, 1);
+@@ -543,17 +553,30 @@ __do_block_io_op(struct xen_blkif *blkif
+
+ /* Apply all sanity checks to /private copy/ of request. */
+ barrier();
+- if (unlikely(req.operation == BLKIF_OP_DISCARD)) {
++
++ switch (req.operation) {
++ case BLKIF_OP_READ:
++ case BLKIF_OP_WRITE:
++ case BLKIF_OP_WRITE_BARRIER:
++ case BLKIF_OP_FLUSH_DISKCACHE:
++ if (dispatch_rw_block_io(blkif, &req, pending_req))
++ goto done;
++ break;
++ case BLKIF_OP_DISCARD:
+ free_req(pending_req);
+ if (dispatch_discard_io(blkif, &req))
+- break;
+- } else if (dispatch_rw_block_io(blkif, &req, pending_req))
++ goto done;
+ break;
++ default:
++ if (dispatch_other_io(blkif, &req, pending_req))
++ goto done;
++ break;
++ }
+
+ /* Yield point for this unbounded loop. */
+ cond_resched();
+ }
+-
++done:
+ return more_to_do;
+ }
+
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -76,11 +76,18 @@ struct blkif_x86_32_request_discard {
+ uint64_t nr_sectors;
+ } __attribute__((__packed__));
+
++struct blkif_x86_32_request_other {
++ uint8_t _pad1;
++ blkif_vdev_t _pad2;
++ uint64_t id; /* private guest value, echoed in resp */
++} __attribute__((__packed__));
++
+ struct blkif_x86_32_request {
+ uint8_t operation; /* BLKIF_OP_??? */
+ union {
+ struct blkif_x86_32_request_rw rw;
+ struct blkif_x86_32_request_discard discard;
++ struct blkif_x86_32_request_other other;
+ } u;
+ } __attribute__((__packed__));
+
+@@ -112,11 +119,19 @@ struct blkif_x86_64_request_discard {
+ uint64_t nr_sectors;
+ } __attribute__((__packed__));
+
++struct blkif_x86_64_request_other {
++ uint8_t _pad1;
++ blkif_vdev_t _pad2;
++ uint32_t _pad3; /* offsetof(blkif_..,u.discard.id)==8 */
++ uint64_t id; /* private guest value, echoed in resp */
++} __attribute__((__packed__));
++
+ struct blkif_x86_64_request {
+ uint8_t operation; /* BLKIF_OP_??? */
+ union {
+ struct blkif_x86_64_request_rw rw;
+ struct blkif_x86_64_request_discard discard;
++ struct blkif_x86_64_request_other other;
+ } u;
+ } __attribute__((__packed__));
+
+@@ -262,6 +277,11 @@ static inline void blkif_get_x86_32_req(
+ dst->u.discard.nr_sectors = src->u.discard.nr_sectors;
+ break;
+ default:
++ /*
++ * Don't know how to translate this op. Only get the
++ * ID so failure can be reported to the frontend.
++ */
++ dst->u.other.id = src->u.other.id;
+ break;
+ }
+ }
+@@ -293,6 +313,11 @@ static inline void blkif_get_x86_64_req(
+ dst->u.discard.nr_sectors = src->u.discard.nr_sectors;
+ break;
+ default:
++ /*
++ * Don't know how to translate this op. Only get the
++ * ID so failure can be reported to the frontend.
++ */
++ dst->u.other.id = src->u.other.id;
+ break;
+ }
+ }
+--- a/include/xen/interface/io/blkif.h
++++ b/include/xen/interface/io/blkif.h
+@@ -138,11 +138,21 @@ struct blkif_request_discard {
+ uint8_t _pad3;
+ } __attribute__((__packed__));
+
++struct blkif_request_other {
++ uint8_t _pad1;
++ blkif_vdev_t _pad2; /* only for read/write requests */
++#ifdef CONFIG_X86_64
++ uint32_t _pad3; /* offsetof(blkif_req..,u.other.id)==8*/
++#endif
++ uint64_t id; /* private guest value, echoed in resp */
++} __attribute__((__packed__));
++
+ struct blkif_request {
+ uint8_t operation; /* BLKIF_OP_??? */
+ union {
+ struct blkif_request_rw rw;
+ struct blkif_request_discard discard;
++ struct blkif_request_other other;
+ } u;
+ } __attribute__((__packed__));
+
--- /dev/null
+From 0e5e098ac22dae38f957e951b70d3cf73beff0f7 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Mon, 11 Mar 2013 09:39:55 +0000
+Subject: xen-blkback: fix dispatch_rw_block_io() error path
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit 0e5e098ac22dae38f957e951b70d3cf73beff0f7 upstream.
+
+Commit 7708992 ("xen/blkback: Seperate the bio allocation and the bio
+submission") consolidated the pendcnt updates to just a single write,
+neglecting the fact that the error path relied on it getting set to 1
+up front (such that the decrement in __end_block_io_op() would actually
+drop the count to zero, triggering the necessary cleanup actions).
+
+Also remove a misleading and a stale (after said commit) comment.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/blkback.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -742,13 +742,7 @@ static int dispatch_rw_block_io(struct x
+ bio->bi_end_io = end_block_io_op;
+ }
+
+- /*
+- * We set it one so that the last submit_bio does not have to call
+- * atomic_inc.
+- */
+ atomic_set(&pending_req->pendcnt, nbio);
+-
+- /* Get a reference count for the disk queue and start sending I/O */
+ blk_start_plug(&plug);
+
+ for (i = 0; i < nbio; i++)
+@@ -776,6 +770,7 @@ static int dispatch_rw_block_io(struct x
+ fail_put_bio:
+ for (i = 0; i < nbio; i++)
+ bio_put(biolist[i]);
++ atomic_set(&pending_req->pendcnt, 1);
+ __end_block_io_op(pending_req, -EINVAL);
+ msleep(1); /* back off a bit */
+ return -EIO;
projects / thirdparty / kernel / stable-queue.git / commitdiff
