--- /dev/null
+From 596ab5ec3bf10a22be30d7cb1d903a4b83fd607c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Mon, 10 Dec 2012 16:40:41 +0100
+Subject: ath5k: fix tx path skb leaks
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 596ab5ec3bf10a22be30d7cb1d903a4b83fd607c upstream.
+
+ieee80211_free_txskb() needs to be used instead of dev_kfree_skb_any for
+tx packets passed to the driver from mac80211
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath5k/base.c | 4 ++--
+ drivers/net/wireless/ath/ath5k/mac80211-ops.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -848,7 +848,7 @@ ath5k_txbuf_free_skb(struct ath5k_hw *ah
+ return;
+ dma_unmap_single(ah->dev, bf->skbaddr, bf->skb->len,
+ DMA_TO_DEVICE);
+- dev_kfree_skb_any(bf->skb);
++ ieee80211_free_txskb(ah->hw, bf->skb);
+ bf->skb = NULL;
+ bf->skbaddr = 0;
+ bf->desc->ds_data = 0;
+@@ -1575,7 +1575,7 @@ ath5k_tx_queue(struct ieee80211_hw *hw,
+ return;
+
+ drop_packet:
+- dev_kfree_skb_any(skb);
++ ieee80211_free_txskb(hw, skb);
+ }
+
+ static void
+--- a/drivers/net/wireless/ath/ath5k/mac80211-ops.c
++++ b/drivers/net/wireless/ath/ath5k/mac80211-ops.c
+@@ -62,7 +62,7 @@ ath5k_tx(struct ieee80211_hw *hw, struct
+ u16 qnum = skb_get_queue_mapping(skb);
+
+ if (WARN_ON(qnum >= ah->ah_capabilities.cap_queues.q_tx_num)) {
+- dev_kfree_skb_any(skb);
++ ieee80211_free_txskb(hw, skb);
+ return;
+ }
+
--- /dev/null
+From cbbc0138efe1dcd5426b8fc5d87741f5057aee72 Mon Sep 17 00:00:00 2001
+From: Rafał Miłecki <zajec5@gmail.com>
+Date: Mon, 10 Dec 2012 07:53:56 +0100
+Subject: bcma: mips: fix clearing device IRQ
+
+From: Rafał Miłecki <zajec5@gmail.com>
+
+commit cbbc0138efe1dcd5426b8fc5d87741f5057aee72 upstream.
+
+We were using wrong IRQ number so clearing wasn't working at all.
+Depending on a platform this could result in a one device having two
+interrupts assigned. On BCM4706 this resulted in all IRQs being broken.
+
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bcma/driver_mips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/bcma/driver_mips.c
++++ b/drivers/bcma/driver_mips.c
+@@ -115,7 +115,7 @@ static void bcma_core_mips_set_irq(struc
+ bcma_read32(mdev, BCMA_MIPS_MIPS74K_INTMASK(0)) &
+ ~(1 << irqflag));
+ else
+- bcma_write32(mdev, BCMA_MIPS_MIPS74K_INTMASK(irq), 0);
++ bcma_write32(mdev, BCMA_MIPS_MIPS74K_INTMASK(oldirq), 0);
+
+ /* assign the new one */
+ if (irq == 0) {
--- /dev/null
+From 25a172655f837bdb032e451f95441bb4acec51bb Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 28 Nov 2012 10:51:34 +0200
+Subject: iwlwifi: don't handle masked interrupt
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 25a172655f837bdb032e451f95441bb4acec51bb upstream.
+
+This can lead to a panic if the driver isn't ready to
+handle them. Since our interrupt line is shared, we can get
+an interrupt at any time (and CONFIG_DEBUG_SHIRQ checks
+that even when the interrupt is being freed).
+
+If the op_mode has gone away, we musn't call it. To avoid
+this the transport disables the interrupts when the hw is
+stopped and the op_mode is leaving.
+If there is an event that would cause an interrupt the INTA
+register is updated regardless of the enablement of the
+interrupts: even if the interrupts are disabled, the INTA
+will be changed, but the device won't issue an interrupt.
+But the ISR can be called at any time, so we ought ignore
+the value in the INTA otherwise we can call the op_mode
+after it was freed.
+
+I found this bug when the op_mode_start failed, and called
+iwl_trans_stop_hw(trans, true). Then I played with the
+RFKILL button, and removed the module.
+While removing the module, the IRQ is freed, and the ISR is
+called (CONFIG_DEBUG_SHIRQ enabled). Panic.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/rx.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/iwlwifi/pcie/rx.c
+@@ -927,12 +927,20 @@ static irqreturn_t iwl_isr(int irq, void
+ * back-to-back ISRs and sporadic interrupts from our NIC.
+ * If we have something to service, the tasklet will re-enable ints.
+ * If we *don't* have something, we'll re-enable before leaving here. */
+- inta_mask = iwl_read32(trans, CSR_INT_MASK); /* just for debug */
++ inta_mask = iwl_read32(trans, CSR_INT_MASK);
+ iwl_write32(trans, CSR_INT_MASK, 0x00000000);
+
+ /* Discover which interrupts are active/pending */
+ inta = iwl_read32(trans, CSR_INT);
+
++ if (inta & (~inta_mask)) {
++ IWL_DEBUG_ISR(trans,
++ "We got a masked interrupt (0x%08x)...Ack and ignore\n",
++ inta & (~inta_mask));
++ iwl_write32(trans, CSR_INT, inta & (~inta_mask));
++ inta &= inta_mask;
++ }
++
+ /* Ignore interrupt if there's nothing in NIC to service.
+ * This may be due to IRQ shared with another device,
+ * or due to sporadic interrupts thrown from our NIC. */
+@@ -1015,7 +1023,7 @@ irqreturn_t iwl_isr_ict(int irq, void *d
+ * If we have something to service, the tasklet will re-enable ints.
+ * If we *don't* have something, we'll re-enable before leaving here.
+ */
+- inta_mask = iwl_read32(trans, CSR_INT_MASK); /* just for debug */
++ inta_mask = iwl_read32(trans, CSR_INT_MASK);
+ iwl_write32(trans, CSR_INT_MASK, 0x00000000);
+
+
--- /dev/null
+From 27edb1accf5695ff00a32c85c4a00ac7e1e7f298 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 2 Dec 2012 09:56:44 +0200
+Subject: iwlwifi: silently ignore fw flaws in Tx path
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 27edb1accf5695ff00a32c85c4a00ac7e1e7f298 upstream.
+
+We know that we have issues with the fw in the reclaim path.
+This is why iwl_reclaim doesn't complain too loud when it
+happens since it is recoverable. Somehow, the caller of
+iwl_reclaim however WARNed when it happens. This doesn't
+make any sense.
+
+When I digged into the history of that code, I discovered
+that this bug occurs only when we receive a BA notification.
+So move the W/A in the BA notification handling code where
+it was before.
+
+This patch addresses:
+http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2387
+
+Reported-by: Florian Reitmeir <florian@reitmeir.org>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/dvm/tx.c | 49 ++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/dvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/dvm/tx.c
+@@ -1100,29 +1100,6 @@ static void iwl_check_abort_status(struc
+ }
+ }
+
+-static int iwl_reclaim(struct iwl_priv *priv, int sta_id, int tid,
+- int txq_id, int ssn, struct sk_buff_head *skbs)
+-{
+- if (unlikely(txq_id >= IWLAGN_FIRST_AMPDU_QUEUE &&
+- tid != IWL_TID_NON_QOS &&
+- txq_id != priv->tid_data[sta_id][tid].agg.txq_id)) {
+- /*
+- * FIXME: this is a uCode bug which need to be addressed,
+- * log the information and return for now.
+- * Since it is can possibly happen very often and in order
+- * not to fill the syslog, don't use IWL_ERR or IWL_WARN
+- */
+- IWL_DEBUG_TX_QUEUES(priv,
+- "Bad queue mapping txq_id=%d, agg_txq[sta:%d,tid:%d]=%d\n",
+- txq_id, sta_id, tid,
+- priv->tid_data[sta_id][tid].agg.txq_id);
+- return 1;
+- }
+-
+- iwl_trans_reclaim(priv->trans, txq_id, ssn, skbs);
+- return 0;
+-}
+-
+ int iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb,
+ struct iwl_device_cmd *cmd)
+ {
+@@ -1184,9 +1161,8 @@ int iwlagn_rx_reply_tx(struct iwl_priv *
+ next_reclaimed);
+ }
+
+- /*we can free until ssn % q.n_bd not inclusive */
+- WARN_ON_ONCE(iwl_reclaim(priv, sta_id, tid,
+- txq_id, ssn, &skbs));
++ iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
++
+ iwlagn_check_ratid_empty(priv, sta_id, tid);
+ freed = 0;
+
+@@ -1311,16 +1287,27 @@ int iwlagn_rx_reply_compressed_ba(struct
+ return 0;
+ }
+
++ if (unlikely(scd_flow != agg->txq_id)) {
++ /*
++ * FIXME: this is a uCode bug which need to be addressed,
++ * log the information and return for now.
++ * Since it is can possibly happen very often and in order
++ * not to fill the syslog, don't use IWL_ERR or IWL_WARN
++ */
++ IWL_DEBUG_TX_QUEUES(priv,
++ "Bad queue mapping txq_id=%d, agg_txq[sta:%d,tid:%d]=%d\n",
++ scd_flow, sta_id, tid, agg->txq_id);
++ spin_unlock(&priv->sta_lock);
++ return 0;
++ }
++
+ __skb_queue_head_init(&reclaimed_skbs);
+
+ /* Release all TFDs before the SSN, i.e. all TFDs in front of
+ * block-ack window (we assume that they've been successfully
+ * transmitted ... if not, it's too late anyway). */
+- if (iwl_reclaim(priv, sta_id, tid, scd_flow,
+- ba_resp_scd_ssn, &reclaimed_skbs)) {
+- spin_unlock(&priv->sta_lock);
+- return 0;
+- }
++ iwl_trans_reclaim(priv->trans, scd_flow, ba_resp_scd_ssn,
++ &reclaimed_skbs);
+
+ IWL_DEBUG_TX_REPLY(priv, "REPLY_COMPRESSED_BA [%d] Received from %pM, "
+ "sta_id = %d\n",
--- /dev/null
+From 5419369ed6bd4cf711fdda5e52a5999b940413f5 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 29 Nov 2012 14:07:59 -0700
+Subject: KVM: Fix user memslot overlap check
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 5419369ed6bd4cf711fdda5e52a5999b940413f5 upstream.
+
+Prior to memory slot sorting this loop compared all of the user memory
+slots for overlap with new entries. With memory slot sorting, we're
+just checking some number of entries in the array that may or may not
+be user slots. Instead, walk all the slots with kvm_for_each_memslot,
+which has the added benefit of terminating early when we hit the first
+empty slot, and skip comparison to private slots.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -709,8 +709,7 @@ int __kvm_set_memory_region(struct kvm *
+ int r;
+ gfn_t base_gfn;
+ unsigned long npages;
+- unsigned long i;
+- struct kvm_memory_slot *memslot;
++ struct kvm_memory_slot *memslot, *slot;
+ struct kvm_memory_slot old, new;
+ struct kvm_memslots *slots, *old_memslots;
+
+@@ -761,13 +760,11 @@ int __kvm_set_memory_region(struct kvm *
+
+ /* Check for overlaps */
+ r = -EEXIST;
+- for (i = 0; i < KVM_MEMORY_SLOTS; ++i) {
+- struct kvm_memory_slot *s = &kvm->memslots->memslots[i];
+-
+- if (s == memslot || !s->npages)
++ kvm_for_each_memslot(slot, kvm->memslots) {
++ if (slot->id >= KVM_MEMORY_SLOTS || slot == memslot)
+ continue;
+- if (!((base_gfn + npages <= s->base_gfn) ||
+- (base_gfn >= s->base_gfn + s->npages)))
++ if (!((base_gfn + npages <= slot->base_gfn) ||
++ (base_gfn >= slot->base_gfn + slot->npages)))
+ goto out_free;
+ }
+
--- /dev/null
+From e400e72f250d2567e89c9bafb47ab91e8d9a15a2 Mon Sep 17 00:00:00 2001
+From: Scott Wood <scottwood@freescale.com>
+Date: Wed, 22 Aug 2012 15:04:23 +0000
+Subject: KVM: PPC: e500: fix allocation size error on g2h_tlb1_map
+
+From: Scott Wood <scottwood@freescale.com>
+
+commit e400e72f250d2567e89c9bafb47ab91e8d9a15a2 upstream.
+
+We were only allocating half the bytes we need, which was made more
+obvious by a recent fix to the memset in clear_tlb1_bitmap().
+
+Signed-off-by: Scott Wood <scottwood@freescale.com>
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/e500_tlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/e500_tlb.c
++++ b/arch/powerpc/kvm/e500_tlb.c
+@@ -1332,7 +1332,7 @@ int kvmppc_e500_tlb_init(struct kvmppc_v
+ if (!vcpu_e500->gtlb_priv[1])
+ goto err;
+
+- vcpu_e500->g2h_tlb1_map = kzalloc(sizeof(unsigned int) *
++ vcpu_e500->g2h_tlb1_map = kzalloc(sizeof(u64) *
+ vcpu_e500->gtlb_params[1].entries,
+ GFP_KERNEL);
+ if (!vcpu_e500->g2h_tlb1_map)
--- /dev/null
+From 8add1ecb81f541ef2fcb0b85a5470ad9ecfb4a84 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Mon, 13 Aug 2012 20:52:24 +0800
+Subject: MIPS: Fix poweroff failure when HOTPLUG_CPU configured.
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 8add1ecb81f541ef2fcb0b85a5470ad9ecfb4a84 upstream.
+
+When poweroff machine, kernel_power_off() call disable_nonboot_cpus().
+And if we have HOTPLUG_CPU configured, disable_nonboot_cpus() is not an
+empty function but attempt to actually disable the nonboot cpus. Since
+system state is SYSTEM_POWER_OFF, play_dead() won't be called and thus
+disable_nonboot_cpus() hangs. Therefore, we make this patch to avoid
+poweroff failure.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Hongliang Tao <taohl@lemote.com>
+Signed-off-by: Hua Yan <yanh@lemote.com>
+Cc: Yong Zhang <yong.zhang@windriver.com>
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Patchwork: https://patchwork.linux-mips.org/patch/4211/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/process.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -72,9 +72,7 @@ void __noreturn cpu_idle(void)
+ }
+ }
+ #ifdef CONFIG_HOTPLUG_CPU
+- if (!cpu_online(cpu) && !cpu_isset(cpu, cpu_callin_map) &&
+- (system_state == SYSTEM_RUNNING ||
+- system_state == SYSTEM_BOOTING))
++ if (!cpu_online(cpu) && !cpu_isset(cpu, cpu_callin_map))
+ play_dead();
+ #endif
+ rcu_idle_exit();
--- /dev/null
+From e6449c9b2d90c1bd9a5985bf05ddebfd1631cd6b Mon Sep 17 00:00:00 2001
+From: Gabor Juhos <juhosg@openwrt.org>
+Date: Thu, 20 Dec 2012 03:44:28 +0000
+Subject: powerpc: Add missing NULL terminator to avoid boot panic on PPC40x
+
+From: Gabor Juhos <juhosg@openwrt.org>
+
+commit e6449c9b2d90c1bd9a5985bf05ddebfd1631cd6b upstream.
+
+The missing NULL terminator can cause a panic on
+PPC405 boards during boot:
+
+ Linux/PowerPC load: console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs,jffs2 noinitrd init=/etc/preinit
+ Finalizing device tree... flat tree at 0x6a5160
+ bootconsole [udbg0] enabled
+ Page fault in user mode with in_atomic() = 1 mm = (null)
+ NIP = c0275f50 MSR = fffffffe
+ Oops: Weird page fault, sig: 11 [#1]
+ PowerPC 40x Platform
+ Modules linked in:
+ NIP: c0275f50 LR: c0275f60 CTR: c0280000
+ REGS: c0275eb0 TRAP: 636f7265 Not tainted (3.7.1)
+ MSR: fffffffe <VEC,VSX,EE,PR,FP,ME,SE,BE,IR,DR,PMM,RI> CR: c06a6190 XER: 00000001
+ TASK = c02662a8[0] 'swapper' THREAD: c0274000
+ GPR00: c0275ec0 c000c658 c027c4bf 00000000 c0275ee0 c000a0ec c020a1a8 c020a1f0
+ GPR08: c020f631 c020f404 c025f078 c025f080 c0275f10
+ Call Trace:
+ ---[ end trace 31fd0ba7d8756001 ]---
+
+ Kernel panic - not syncing: Attempted to kill the idle task!
+
+The panic happens since commit 9597abe00c1bab2aedce6b49866bf6d1e81c9eed
+(sections: fix section conflicts in arch/powerpc), however the root
+cause of this is that the NULL terminator were not added in commit
+a4f740cf33f7f6c164bbde3c0cdbcc77b0c4997c (of/flattree: Add of_flat_dt_match()
+helper function).
+
+Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
+Cc: Grant Likely <grant.likely@secretlab.ca>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/40x/ppc40x_simple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/40x/ppc40x_simple.c
++++ b/arch/powerpc/platforms/40x/ppc40x_simple.c
+@@ -57,7 +57,8 @@ static const char * const board[] __init
+ "amcc,makalu",
+ "apm,klondike",
+ "est,hotfoot",
+- "plathome,obs600"
++ "plathome,obs600",
++ NULL
+ };
+
+ static int __init ppc40x_probe(void)
--- /dev/null
+From 11ee7e99f35ecb15f59b21da6a82d96d2cd3fcc8 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Sun, 11 Nov 2012 19:01:05 +0000
+Subject: powerpc: Fix CONFIG_RELOCATABLE=y CONFIG_CRASH_DUMP=n build
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 11ee7e99f35ecb15f59b21da6a82d96d2cd3fcc8 upstream.
+
+If we build a kernel with CONFIG_RELOCATABLE=y CONFIG_CRASH_DUMP=n,
+the kernel fails when we run at a non zero offset. It turns out
+we were incorrectly wrapping some of the relocatable kernel code
+with CONFIG_CRASH_DUMP.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/head_64.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/head_64.S
++++ b/arch/powerpc/kernel/head_64.S
+@@ -422,7 +422,7 @@ _STATIC(__after_prom_start)
+ tovirt(r6,r6) /* on booke, we already run at PAGE_OFFSET */
+ #endif
+
+-#ifdef CONFIG_CRASH_DUMP
++#ifdef CONFIG_RELOCATABLE
+ /*
+ * Check if the kernel has to be running as relocatable kernel based on the
+ * variable __run_at_load, if it is set the kernel is treated as relocatable
--- /dev/null
+From ce73ec6db47af84d1466402781ae0872a9e7873c Mon Sep 17 00:00:00 2001
+From: Shan Hai <shan.hai@windriver.com>
+Date: Thu, 8 Nov 2012 15:57:49 +0000
+Subject: powerpc/vdso: Remove redundant locking in update_vsyscall_tz()
+
+From: Shan Hai <shan.hai@windriver.com>
+
+commit ce73ec6db47af84d1466402781ae0872a9e7873c upstream.
+
+The locking in update_vsyscall_tz() is not only unnecessary because the vdso
+code copies the data unproteced in __kernel_gettimeofday() but also
+introduces a hard to reproduce race condition between update_vsyscall()
+and update_vsyscall_tz(), which causes user space process to loop
+forever in vdso code.
+
+The following patch removes the locking from update_vsyscall_tz().
+
+Locking is not only unnecessary because the vdso code copies the data
+unprotected in __kernel_gettimeofday() but also erroneous because updating
+the tb_update_count is not atomic and introduces a hard to reproduce race
+condition between update_vsyscall() and update_vsyscall_tz(), which further
+causes user space process to loop forever in vdso code.
+
+The below scenario describes the race condition,
+x==0 Boot CPU other CPU
+ proc_P: x==0
+ timer interrupt
+ update_vsyscall
+x==1 x++;sync settimeofday
+ update_vsyscall_tz
+x==2 x++;sync
+x==3 sync;x++
+ sync;x++
+ proc_P: x==3 (loops until x becomes even)
+
+Because the ++ operator would be implemented as three instructions and not
+atomic on powerpc.
+
+A similar change was made for x86 in commit 6c260d58634
+("x86: vdso: Remove bogus locking in update_vsyscall_tz")
+
+Signed-off-by: Shan Hai <shan.hai@windriver.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/time.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -774,13 +774,8 @@ void update_vsyscall_old(struct timespec
+
+ void update_vsyscall_tz(void)
+ {
+- /* Make userspace gettimeofday spin until we're done. */
+- ++vdso_data->tb_update_count;
+- smp_mb();
+ vdso_data->tz_minuteswest = sys_tz.tz_minuteswest;
+ vdso_data->tz_dsttime = sys_tz.tz_dsttime;
+- smp_mb();
+- ++vdso_data->tb_update_count;
+ }
+
+ static void __init clocksource_init(void)
--- /dev/null
+From 13ae633cf729b0ecb677b75b04886ff8fada8fad Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Tue, 20 Nov 2012 10:02:06 +0900
+Subject: regulator: wm831x: Set the new rather than old value for DVS VSEL
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit 13ae633cf729b0ecb677b75b04886ff8fada8fad upstream.
+
+Reported-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/wm831x-dcdc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/wm831x-dcdc.c
++++ b/drivers/regulator/wm831x-dcdc.c
+@@ -290,7 +290,7 @@ static int wm831x_buckv_set_voltage_sel(
+ if (vsel > dcdc->dvs_vsel) {
+ ret = wm831x_set_bits(wm831x, dvs_reg,
+ WM831X_DC1_DVS_VSEL_MASK,
+- dcdc->dvs_vsel);
++ vsel);
+ if (ret == 0)
+ dcdc->dvs_vsel = vsel;
+ else
--- /dev/null
+From ab9d6e4ffe192427ce9e93d4f927b0faaa8a941e Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Mon, 3 Dec 2012 12:59:04 +0100
+Subject: Revert: "rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails"
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit ab9d6e4ffe192427ce9e93d4f927b0faaa8a941e upstream.
+
+This revert:
+
+commit be03d4a45c09ee5100d3aaaedd087f19bc20d01f
+Author: Andreas Hartmann <andihartmann@01019freenet.de>
+Date: Tue Apr 17 00:25:28 2012 +0200
+
+ rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails
+
+To fix problem workaround by above commit use
+IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL flag (see change log for
+"mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL" patch).
+
+Resolve: https://bugzilla.kernel.org/show_bug.cgi?id=42828
+Bisected-by: Francisco Pina Martins <f.pinamartins@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c | 3 ++-
+ drivers/net/wireless/rt2x00/rt2x00dev.c | 7 +++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -5036,7 +5036,8 @@ static int rt2800_probe_hw_mode(struct r
+ IEEE80211_HW_SUPPORTS_PS |
+ IEEE80211_HW_PS_NULLFUNC_STACK |
+ IEEE80211_HW_AMPDU_AGGREGATION |
+- IEEE80211_HW_REPORTS_TX_ACK_STATUS;
++ IEEE80211_HW_REPORTS_TX_ACK_STATUS |
++ IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL;
+
+ /*
+ * Don't set IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING for USB devices
+--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
+@@ -391,10 +391,9 @@ void rt2x00lib_txdone(struct queue_entry
+ tx_info->flags |= IEEE80211_TX_STAT_AMPDU;
+ tx_info->status.ampdu_len = 1;
+ tx_info->status.ampdu_ack_len = success ? 1 : 0;
+- /*
+- * TODO: Need to tear down BA session here
+- * if not successful.
+- */
++
++ if (!success)
++ tx_info->flags |= IEEE80211_TX_STAT_AMPDU_NO_BACK;
+ }
+
+ if (rate_flags & IEEE80211_TX_RC_USE_RTS_CTS) {
--- /dev/null
+From f5685ba675449b072feab6a5391a9ef9f604bc94 Mon Sep 17 00:00:00 2001
+From: Helmut Schaa <helmut.schaa@googlemail.com>
+Date: Mon, 3 Dec 2012 22:35:39 +0100
+Subject: rt2x00: Only specify interface combinations if more then one interface is possible
+
+From: Helmut Schaa <helmut.schaa@googlemail.com>
+
+commit f5685ba675449b072feab6a5391a9ef9f604bc94 upstream.
+
+Otherwise rt2500* triggers a warning in cfg80211, from net/wireless/core.c:
+
+ /* Combinations with just one interface aren't real */
+ if (WARN_ON(c->max_interfaces < 2))
+
+This was introduced in commit 55d2e9da744ba11eae900b4bfc2da72eace3c1e1:
+rt2x00: Replace open coded interface checking with interface combinations.
+
+Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
+Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
+Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
+Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
+Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
+@@ -1122,6 +1122,9 @@ static inline void rt2x00lib_set_if_comb
+ struct ieee80211_iface_limit *if_limit;
+ struct ieee80211_iface_combination *if_combination;
+
++ if (rt2x00dev->ops->max_ap_intf < 2)
++ return;
++
+ /*
+ * Build up AP interface limits structure.
+ */
--- /dev/null
+From d99e79ec5574fc556c988f613ed6175f6de66f4a Mon Sep 17 00:00:00 2001
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Fri, 30 Nov 2012 16:48:59 +0100
+Subject: s390/cio: fix pgid reserved check
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+commit d99e79ec5574fc556c988f613ed6175f6de66f4a upstream.
+
+The check to whom a device is reserved is done by checking the path
+state of the affected channel paths. If it turns out that one path is
+flagged as reserved by someone else the whole device is marked as such.
+
+However the meaning of the RESVD_ELSE bit is that the addressed device
+is reserved to a different pathgroup (and not reserved to a different
+LPAR). If we do this test on a path which is currently not a member of
+the pathgroup we could erroneously mark the device as reserved to
+someone else.
+
+To fix this collect the reserved state for all potential members of the
+pathgroup and only mark the device as reserved if all of those potential
+members have the RESVD_ELSE bit set.
+
+Acked-by: Peter Oberparleiter <peter.oberparleiter@de.ibm.com>
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/device_pgid.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/s390/cio/device_pgid.c
++++ b/drivers/s390/cio/device_pgid.c
+@@ -234,7 +234,7 @@ static int pgid_cmp(struct pgid *p1, str
+ * Determine pathgroup state from PGID data.
+ */
+ static void pgid_analyze(struct ccw_device *cdev, struct pgid **p,
+- int *mismatch, int *reserved, u8 *reset)
++ int *mismatch, u8 *reserved, u8 *reset)
+ {
+ struct pgid *pgid = &cdev->private->pgid[0];
+ struct pgid *first = NULL;
+@@ -248,7 +248,7 @@ static void pgid_analyze(struct ccw_devi
+ if ((cdev->private->pgid_valid_mask & lpm) == 0)
+ continue;
+ if (pgid->inf.ps.state2 == SNID_STATE2_RESVD_ELSE)
+- *reserved = 1;
++ *reserved |= lpm;
+ if (pgid_is_reset(pgid)) {
+ *reset |= lpm;
+ continue;
+@@ -316,14 +316,14 @@ static void snid_done(struct ccw_device
+ struct subchannel *sch = to_subchannel(cdev->dev.parent);
+ struct pgid *pgid;
+ int mismatch = 0;
+- int reserved = 0;
++ u8 reserved = 0;
+ u8 reset = 0;
+ u8 donepm;
+
+ if (rc)
+ goto out;
+ pgid_analyze(cdev, &pgid, &mismatch, &reserved, &reset);
+- if (reserved)
++ if (reserved == cdev->private->pgid_valid_mask)
+ rc = -EUSERS;
+ else if (mismatch)
+ rc = -EOPNOTSUPP;
+@@ -336,7 +336,7 @@ static void snid_done(struct ccw_device
+ }
+ out:
+ CIO_MSG_EVENT(2, "snid: device 0.%x.%04x: rc=%d pvm=%02x vpm=%02x "
+- "todo=%02x mism=%d rsvd=%d reset=%02x\n", id->ssid,
++ "todo=%02x mism=%d rsvd=%02x reset=%02x\n", id->ssid,
+ id->devno, rc, cdev->private->pgid_valid_mask, sch->vpm,
+ cdev->private->pgid_todo_mask, mismatch, reserved, reset);
+ switch (rc) {
--- /dev/null
+From 87cac8f879a5ecd7109dbe688087e8810b3364eb Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Tue, 2 Oct 2012 16:25:38 +0200
+Subject: s390/kvm: dont announce RRBM support
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit 87cac8f879a5ecd7109dbe688087e8810b3364eb upstream.
+
+Newer kernels (linux-next with the transparent huge page patches)
+use rrbm if the feature is announced via feature bit 66.
+RRBM will cause intercepts, so KVM does not handle it right now,
+causing an illegal instruction in the guest.
+The easy solution is to disable the feature bit for the guest.
+
+This fixes bugs like:
+Kernel BUG at 0000000000124c2a [verbose debug info unavailable]
+illegal operation: 0001 [#1] SMP
+Modules linked in: virtio_balloon virtio_net ipv6 autofs4
+CPU: 0 Not tainted 3.5.4 #1
+Process fmempig (pid: 659, task: 000000007b712fd0, ksp: 000000007bed3670)
+Krnl PSW : 0704d00180000000 0000000000124c2a (pmdp_clear_flush_young+0x5e/0x80)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 EA:3
+ 00000000003cc000 0000000000000004 0000000000000000 0000000079800000
+ 0000000000040000 0000000000000000 000000007bed3918 000000007cf40000
+ 0000000000000001 000003fff7f00000 000003d281a94000 000000007bed383c
+ 000000007bed3918 00000000005ecbf8 00000000002314a6 000000007bed36e0
+ Krnl Code:>0000000000124c2a: b9810025 ogr %r2,%r5
+ 0000000000124c2e: 41343000 la %r3,0(%r4,%r3)
+ 0000000000124c32: a716fffa brct %r1,124c26
+ 0000000000124c36: b9010022 lngr %r2,%r2
+ 0000000000124c3a: e3d0f0800004 lg %r13,128(%r15)
+ 0000000000124c40: eb22003f000c srlg %r2,%r2,63
+[ 2150.713198] Call Trace:
+[ 2150.713223] ([<00000000002312c4>] page_referenced_one+0x6c/0x27c)
+[ 2150.713749] [<0000000000233812>] page_referenced+0x32a/0x410
+[...]
+
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+CC: Alex Graf <agraf@suse.de>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -997,7 +997,7 @@ static int __init kvm_s390_init(void)
+ }
+ memcpy(facilities, S390_lowcore.stfle_fac_list, 16);
+ facilities[0] &= 0xff00fff3f47c0000ULL;
+- facilities[1] &= 0x201c000000000000ULL;
++ facilities[1] &= 0x001c000000000000ULL;
+ return 0;
+ }
+
--- /dev/null
+From ce6a04ac1b759beafc88dbc443ae5da867579eeb Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 15 Nov 2012 09:35:16 +0100
+Subject: s390/kvm: Fix address space mixup
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit ce6a04ac1b759beafc88dbc443ae5da867579eeb upstream.
+
+I was chasing down a bug of random validity intercepts on s390.
+(guest prefix page not mapped in the host virtual aspace). Turns out
+that the problem was a wrong address space control element. The
+cause was quite complex:
+
+During paging activity a DAT protection during SIE caused a program
+interrupt. Normally, the sie retry loop tries to catch all
+interrupts during and shortly before sie to rerun the setup. The
+problem is now that protection causes a suppressing program interrupt,
+causing the PSW to point to the instruction AFTER SIE in case of DAT
+protection. This confused the logic of the retry loop to not trigger,
+instead we jumped directly back to SIE after return from
+the program interrupt. (the protection fault handler itself did
+a rewind of the psw). This usually works quite well, but:
+
+If now the protection fault handler has to wait, another program
+might be scheduled in. Later on the sie process will be schedules
+in again. In that case the content of CR1 (primary address space)
+will be wrong because switch_to will put the user space ASCE into CR1
+and not the guest ASCE.
+
+In addition the program parameter is also wrong for every protection
+fault of a guest, since we dont issue the SPP instruction.
+
+So lets also check for PSW == instruction after SIE in the program
+check handler. Instead of expensively checking all program
+interruption codes that might be suppressing we assume that a program
+interrupt pointing after SIE was always a program interrupt in SIE.
+(Otherwise we have a kernel bug anyway).
+
+We also have to compensate the rewinding, since the C-level handlers
+will do that. Therefore we need to add a nop with the same length
+as SIE before the sie_loop.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+CC: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/entry64.S | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/kernel/entry64.S
++++ b/arch/s390/kernel/entry64.S
+@@ -80,14 +80,21 @@ _TIF_EXIT_SIE = (_TIF_SIGPENDING | _TIF_
+ #endif
+ .endm
+
+- .macro HANDLE_SIE_INTERCEPT scratch
++ .macro HANDLE_SIE_INTERCEPT scratch,pgmcheck
+ #if defined(CONFIG_KVM) || defined(CONFIG_KVM_MODULE)
+ tmhh %r8,0x0001 # interrupting from user ?
+ jnz .+42
+ lgr \scratch,%r9
+ slg \scratch,BASED(.Lsie_loop)
+ clg \scratch,BASED(.Lsie_length)
++ .if \pgmcheck
++ # Some program interrupts are suppressing (e.g. protection).
++ # We must also check the instruction after SIE in that case.
++ # do_protection_exception will rewind to rewind_pad
++ jh .+22
++ .else
+ jhe .+22
++ .endif
+ lg %r9,BASED(.Lsie_loop)
+ SPP BASED(.Lhost_id) # set host id
+ #endif
+@@ -391,7 +398,7 @@ ENTRY(pgm_check_handler)
+ lg %r12,__LC_THREAD_INFO
+ larl %r13,system_call
+ lmg %r8,%r9,__LC_PGM_OLD_PSW
+- HANDLE_SIE_INTERCEPT %r14
++ HANDLE_SIE_INTERCEPT %r14,1
+ tmhh %r8,0x0001 # test problem state bit
+ jnz 1f # -> fault in user space
+ tmhh %r8,0x4000 # PER bit set in old PSW ?
+@@ -467,7 +474,7 @@ ENTRY(io_int_handler)
+ lg %r12,__LC_THREAD_INFO
+ larl %r13,system_call
+ lmg %r8,%r9,__LC_IO_OLD_PSW
+- HANDLE_SIE_INTERCEPT %r14
++ HANDLE_SIE_INTERCEPT %r14,0
+ SWITCH_ASYNC __LC_SAVE_AREA_ASYNC,__LC_ASYNC_STACK,STACK_SHIFT
+ tmhh %r8,0x0001 # interrupting from user?
+ jz io_skip
+@@ -613,7 +620,7 @@ ENTRY(ext_int_handler)
+ lg %r12,__LC_THREAD_INFO
+ larl %r13,system_call
+ lmg %r8,%r9,__LC_EXT_OLD_PSW
+- HANDLE_SIE_INTERCEPT %r14
++ HANDLE_SIE_INTERCEPT %r14,0
+ SWITCH_ASYNC __LC_SAVE_AREA_ASYNC,__LC_ASYNC_STACK,STACK_SHIFT
+ tmhh %r8,0x0001 # interrupting from user ?
+ jz ext_skip
+@@ -661,7 +668,7 @@ ENTRY(mcck_int_handler)
+ lg %r12,__LC_THREAD_INFO
+ larl %r13,system_call
+ lmg %r8,%r9,__LC_MCK_OLD_PSW
+- HANDLE_SIE_INTERCEPT %r14
++ HANDLE_SIE_INTERCEPT %r14,0
+ tm __LC_MCCK_CODE,0x80 # system damage?
+ jo mcck_panic # yes -> rest of mcck code invalid
+ lghi %r14,__LC_CPU_TIMER_SAVE_AREA
+@@ -960,6 +967,13 @@ ENTRY(sie64a)
+ stg %r3,__SF_EMPTY+8(%r15) # save guest register save area
+ xc __SF_EMPTY+16(8,%r15),__SF_EMPTY+16(%r15) # host id == 0
+ lmg %r0,%r13,0(%r3) # load guest gprs 0-13
++# some program checks are suppressing. C code (e.g. do_protection_exception)
++# will rewind the PSW by the ILC, which is 4 bytes in case of SIE. Other
++# instructions in the sie_loop should not cause program interrupts. So
++# lets use a nop (47 00 00 00) as a landing pad.
++# See also HANDLE_SIE_INTERCEPT
++rewind_pad:
++ nop 0
+ sie_loop:
+ lg %r14,__LC_THREAD_INFO # pointer thread_info struct
+ tm __TI_flags+7(%r14),_TIF_EXIT_SIE
+@@ -999,6 +1013,7 @@ sie_fault:
+ .Lhost_id:
+ .quad 0
+
++ EX_TABLE(rewind_pad,sie_fault)
+ EX_TABLE(sie_loop,sie_fault)
+ #endif
+
--- /dev/null
+regulator-wm831x-set-the-new-rather-than-old-value-for-dvs-vsel.patch
+ath5k-fix-tx-path-skb-leaks.patch
+iwlwifi-don-t-handle-masked-interrupt.patch
+iwlwifi-silently-ignore-fw-flaws-in-tx-path.patch
+bcma-mips-fix-clearing-device-irq.patch
+revert-rt2x00-don-t-let-mac80211-send-a-bar-when-an-ampdu-subframe-fails.patch
+rt2x00-only-specify-interface-combinations-if-more-then-one-interface-is-possible.patch
+s390-kvm-dont-announce-rrbm-support.patch
+s390-kvm-fix-address-space-mixup.patch
+powerpc-fix-config_relocatable-y-config_crash_dump-n-build.patch
+powerpc-vdso-remove-redundant-locking-in-update_vsyscall_tz.patch
+powerpc-add-missing-null-terminator-to-avoid-boot-panic-on-ppc40x.patch
+kvm-ppc-e500-fix-allocation-size-error-on-g2h_tlb1_map.patch
+kvm-fix-user-memslot-overlap-check.patch
+s390-cio-fix-pgid-reserved-check.patch
+mips-fix-poweroff-failure-when-hotplug_cpu-configured.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
