--- /dev/null
+From 045c47ca306acf30c740c285a77a4b4bda6be7c5 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+Date: Mon, 16 Feb 2015 17:16:45 -0200
+Subject: blk-throttle: check stats_cpu before reading it from sysfs
+
+From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+
+commit 045c47ca306acf30c740c285a77a4b4bda6be7c5 upstream.
+
+When reading blkio.throttle.io_serviced in a recently created blkio
+cgroup, it's possible to race against the creation of a throttle policy,
+which delays the allocation of stats_cpu.
+
+Like other functions in the throttle code, just checking for a NULL
+stats_cpu prevents the following oops caused by that race.
+
+[ 1117.285199] Unable to handle kernel paging request for data at address 0x7fb4d0020
+[ 1117.285252] Faulting instruction address: 0xc0000000003efa2c
+[ 1137.733921] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 1137.733945] SMP NR_CPUS=2048 NUMA PowerNV
+[ 1137.734025] Modules linked in: bridge stp llc kvm_hv kvm binfmt_misc autofs4
+[ 1137.734102] CPU: 3 PID: 5302 Comm: blkcgroup Not tainted 3.19.0 #5
+[ 1137.734132] task: c000000f1d188b00 ti: c000000f1d210000 task.ti: c000000f1d210000
+[ 1137.734167] NIP: c0000000003efa2c LR: c0000000003ef9f0 CTR: c0000000003ef980
+[ 1137.734202] REGS: c000000f1d213500 TRAP: 0300 Not tainted (3.19.0)
+[ 1137.734230] MSR: 9000000000009032 <SF,HV,EE,ME,IR,DR,RI> CR: 42008884 XER: 20000000
+[ 1137.734325] CFAR: 0000000000008458 DAR: 00000007fb4d0020 DSISR: 40000000 SOFTE: 0
+GPR00: c0000000003ed3a0 c000000f1d213780 c000000000c59538 0000000000000000
+GPR04: 0000000000000800 0000000000000000 0000000000000000 0000000000000000
+GPR08: ffffffffffffffff 00000007fb4d0020 00000007fb4d0000 c000000000780808
+GPR12: 0000000022000888 c00000000fdc0d80 0000000000000000 0000000000000000
+GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+GPR20: 000001003e120200 c000000f1d5b0cc0 0000000000000200 0000000000000000
+GPR24: 0000000000000001 c000000000c269e0 0000000000000020 c000000f1d5b0c80
+GPR28: c000000000ca3a08 c000000000ca3dec c000000f1c667e00 c000000f1d213850
+[ 1137.734886] NIP [c0000000003efa2c] .tg_prfill_cpu_rwstat+0xac/0x180
+[ 1137.734915] LR [c0000000003ef9f0] .tg_prfill_cpu_rwstat+0x70/0x180
+[ 1137.734943] Call Trace:
+[ 1137.734952] [c000000f1d213780] [d000000005560520] 0xd000000005560520 (unreliable)
+[ 1137.734996] [c000000f1d2138a0] [c0000000003ed3a0] .blkcg_print_blkgs+0xe0/0x1a0
+[ 1137.735039] [c000000f1d213960] [c0000000003efb50] .tg_print_cpu_rwstat+0x50/0x70
+[ 1137.735082] [c000000f1d2139e0] [c000000000104b48] .cgroup_seqfile_show+0x58/0x150
+[ 1137.735125] [c000000f1d213a70] [c0000000002749dc] .kernfs_seq_show+0x3c/0x50
+[ 1137.735161] [c000000f1d213ae0] [c000000000218630] .seq_read+0xe0/0x510
+[ 1137.735197] [c000000f1d213bd0] [c000000000275b04] .kernfs_fop_read+0x164/0x200
+[ 1137.735240] [c000000f1d213c80] [c0000000001eb8e0] .__vfs_read+0x30/0x80
+[ 1137.735276] [c000000f1d213cf0] [c0000000001eb9c4] .vfs_read+0x94/0x1b0
+[ 1137.735312] [c000000f1d213d90] [c0000000001ebb38] .SyS_read+0x58/0x100
+[ 1137.735349] [c000000f1d213e30] [c000000000009218] syscall_exit+0x0/0x98
+[ 1137.735383] Instruction dump:
+[ 1137.735405] 7c6307b4 7f891800 409d00b8 60000000 60420000 3d420004 392a63b0 786a1f24
+[ 1137.735471] 7d49502a e93e01c8 7d495214 7d2ad214 <7cead02a> e9090008 e9490010 e9290018
+
+And here is one code that allows to easily reproduce this, although this
+has first been found by running docker.
+
+void run(pid_t pid)
+{
+ int n;
+ int status;
+ int fd;
+ char *buffer;
+ buffer = memalign(BUFFER_ALIGN, BUFFER_SIZE);
+ n = snprintf(buffer, BUFFER_SIZE, "%d\n", pid);
+ fd = open(CGPATH "/test/tasks", O_WRONLY);
+ write(fd, buffer, n);
+ close(fd);
+ if (fork() > 0) {
+ fd = open("/dev/sda", O_RDONLY | O_DIRECT);
+ read(fd, buffer, 512);
+ close(fd);
+ wait(&status);
+ } else {
+ fd = open(CGPATH "/test/blkio.throttle.io_serviced", O_RDONLY);
+ n = read(fd, buffer, BUFFER_SIZE);
+ close(fd);
+ }
+ free(buffer);
+ exit(0);
+}
+
+void test(void)
+{
+ int status;
+ mkdir(CGPATH "/test", 0666);
+ if (fork() > 0)
+ wait(&status);
+ else
+ run(getpid());
+ rmdir(CGPATH "/test");
+}
+
+int main(int argc, char **argv)
+{
+ int i;
+ for (i = 0; i < NR_TESTS; i++)
+ test();
+ return 0;
+}
+
+Reported-by: Ricardo Marin Matinata <rmm@br.ibm.com>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-throttle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-throttle.c
++++ b/block/blk-throttle.c
+@@ -1292,6 +1292,9 @@ static u64 tg_prfill_cpu_rwstat(struct s
+ struct blkg_rwstat rwstat = { }, tmp;
+ int i, cpu;
+
++ if (tg->stats_cpu == NULL)
++ return 0;
++
+ for_each_possible_cpu(cpu) {
+ struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu);
+
--- /dev/null
+From 1a4bcf470c886b955adf36486f4c86f2441d85cb Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 13 Feb 2015 12:30:56 +0000
+Subject: Btrfs: fix fsync data loss after adding hard link to inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 1a4bcf470c886b955adf36486f4c86f2441d85cb upstream.
+
+We have a scenario where after the fsync log replay we can lose file data
+that had been previously fsync'ed if we added an hard link for our inode
+and after that we sync'ed the fsync log (for example by fsync'ing some
+other file or directory).
+
+This is because when adding an hard link we updated the inode item in the
+log tree with an i_size value of 0. At that point the new inode item was
+in memory only and a subsequent fsync log replay would not make us lose
+the file data. However if after adding the hard link we sync the log tree
+to disk, by fsync'ing some other file or directory for example, we ended
+up losing the file data after log replay, because the inode item in the
+persisted log tree had an an i_size of zero.
+
+This is easy to reproduce, and the following excerpt from my test for
+xfstests shows this:
+
+ _scratch_mkfs >> $seqres.full 2>&1
+ _init_flakey
+ _mount_flakey
+
+ # Create one file with data and fsync it.
+ # This made the btrfs fsync log persist the data and the inode metadata with
+ # a correct inode->i_size (4096 bytes).
+ $XFS_IO_PROG -f -c "pwrite -S 0xaa -b 4K 0 4K" -c "fsync" \
+ $SCRATCH_MNT/foo | _filter_xfs_io
+
+ # Now add one hard link to our file. This made the btrfs code update the fsync
+ # log, in memory only, with an inode metadata having a size of 0.
+ ln $SCRATCH_MNT/foo $SCRATCH_MNT/foo_link
+
+ # Now force persistence of the fsync log to disk, for example, by fsyncing some
+ # other file.
+ touch $SCRATCH_MNT/bar
+ $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/bar
+
+ # Before a power loss or crash, we could read the 4Kb of data from our file as
+ # expected.
+ echo "File content before:"
+ od -t x1 $SCRATCH_MNT/foo
+
+ # Simulate a crash/power loss.
+ _load_flakey_table $FLAKEY_DROP_WRITES
+ _unmount_flakey
+
+ _load_flakey_table $FLAKEY_ALLOW_WRITES
+ _mount_flakey
+
+ # After the fsync log replay, because the fsync log had a value of 0 for our
+ # inode's i_size, we couldn't read anymore the 4Kb of data that we previously
+ # wrote and fsync'ed. The size of the file became 0 after the fsync log replay.
+ echo "File content after:"
+ od -t x1 $SCRATCH_MNT/foo
+
+Another alternative test, that doesn't need to fsync an inode in the same
+transaction it was created, is:
+
+ _scratch_mkfs >> $seqres.full 2>&1
+ _init_flakey
+ _mount_flakey
+
+ # Create our test file with some data.
+ $XFS_IO_PROG -f -c "pwrite -S 0xaa -b 8K 0 8K" \
+ $SCRATCH_MNT/foo | _filter_xfs_io
+
+ # Make sure the file is durably persisted.
+ sync
+
+ # Append some data to our file, to increase its size.
+ $XFS_IO_PROG -f -c "pwrite -S 0xcc -b 4K 8K 4K" \
+ $SCRATCH_MNT/foo | _filter_xfs_io
+
+ # Fsync the file, so from this point on if a crash/power failure happens, our
+ # new data is guaranteed to be there next time the fs is mounted.
+ $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo
+
+ # Add one hard link to our file. This made btrfs write into the in memory fsync
+ # log a special inode with generation 0 and an i_size of 0 too. Note that this
+ # didn't update the inode in the fsync log on disk.
+ ln $SCRATCH_MNT/foo $SCRATCH_MNT/foo_link
+
+ # Now make sure the in memory fsync log is durably persisted.
+ # Creating and fsync'ing another file will do it.
+ touch $SCRATCH_MNT/bar
+ $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/bar
+
+ # As expected, before the crash/power failure, we should be able to read the
+ # 12Kb of file data.
+ echo "File content before:"
+ od -t x1 $SCRATCH_MNT/foo
+
+ # Simulate a crash/power loss.
+ _load_flakey_table $FLAKEY_DROP_WRITES
+ _unmount_flakey
+
+ _load_flakey_table $FLAKEY_ALLOW_WRITES
+ _mount_flakey
+
+ # After mounting the fs again, the fsync log was replayed.
+ # The btrfs fsync log replay code didn't update the i_size of the persisted
+ # inode because the inode item in the log had a special generation with a
+ # value of 0 (and it couldn't know the correct i_size, since that inode item
+ # had a 0 i_size too). This made the last 4Kb of file data inaccessible and
+ # effectively lost.
+ echo "File content after:"
+ od -t x1 $SCRATCH_MNT/foo
+
+This isn't a new issue/regression. This problem has been around since the
+log tree code was added in 2008:
+
+ Btrfs: Add a write ahead tree log to optimize synchronous operations
+ (commit e02119d5a7b4396c5a872582fddc8bd6d305a70a)
+
+Test cases for xfstests follow soon.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 73 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -488,8 +488,20 @@ insert:
+ src_item = (struct btrfs_inode_item *)src_ptr;
+ dst_item = (struct btrfs_inode_item *)dst_ptr;
+
+- if (btrfs_inode_generation(eb, src_item) == 0)
++ if (btrfs_inode_generation(eb, src_item) == 0) {
++ struct extent_buffer *dst_eb = path->nodes[0];
++
++ if (S_ISREG(btrfs_inode_mode(eb, src_item)) &&
++ S_ISREG(btrfs_inode_mode(dst_eb, dst_item))) {
++ struct btrfs_map_token token;
++ u64 ino_size = btrfs_inode_size(eb, src_item);
++
++ btrfs_init_map_token(&token);
++ btrfs_set_token_inode_size(dst_eb, dst_item,
++ ino_size, &token);
++ }
+ goto no_copy;
++ }
+
+ if (overwrite_root &&
+ S_ISDIR(btrfs_inode_mode(eb, src_item)) &&
+@@ -3228,7 +3240,8 @@ static int drop_objectid_items(struct bt
+ static void fill_inode_item(struct btrfs_trans_handle *trans,
+ struct extent_buffer *leaf,
+ struct btrfs_inode_item *item,
+- struct inode *inode, int log_inode_only)
++ struct inode *inode, int log_inode_only,
++ u64 logged_isize)
+ {
+ struct btrfs_map_token token;
+
+@@ -3241,7 +3254,7 @@ static void fill_inode_item(struct btrfs
+ * to say 'update this inode with these values'
+ */
+ btrfs_set_token_inode_generation(leaf, item, 0, &token);
+- btrfs_set_token_inode_size(leaf, item, 0, &token);
++ btrfs_set_token_inode_size(leaf, item, logged_isize, &token);
+ } else {
+ btrfs_set_token_inode_generation(leaf, item,
+ BTRFS_I(inode)->generation,
+@@ -3293,7 +3306,7 @@ static int log_inode_item(struct btrfs_t
+ return ret;
+ inode_item = btrfs_item_ptr(path->nodes[0], path->slots[0],
+ struct btrfs_inode_item);
+- fill_inode_item(trans, path->nodes[0], inode_item, inode, 0);
++ fill_inode_item(trans, path->nodes[0], inode_item, inode, 0, 0);
+ btrfs_release_path(path);
+ return 0;
+ }
+@@ -3302,7 +3315,8 @@ static noinline int copy_items(struct bt
+ struct inode *inode,
+ struct btrfs_path *dst_path,
+ struct btrfs_path *src_path, u64 *last_extent,
+- int start_slot, int nr, int inode_only)
++ int start_slot, int nr, int inode_only,
++ u64 logged_isize)
+ {
+ unsigned long src_offset;
+ unsigned long dst_offset;
+@@ -3359,7 +3373,8 @@ static noinline int copy_items(struct bt
+ dst_path->slots[0],
+ struct btrfs_inode_item);
+ fill_inode_item(trans, dst_path->nodes[0], inode_item,
+- inode, inode_only == LOG_INODE_EXISTS);
++ inode, inode_only == LOG_INODE_EXISTS,
++ logged_isize);
+ } else {
+ copy_extent_buffer(dst_path->nodes[0], src, dst_offset,
+ src_offset, ins_sizes[i]);
+@@ -3911,6 +3926,33 @@ process:
+ return ret;
+ }
+
++static int logged_inode_size(struct btrfs_root *log, struct inode *inode,
++ struct btrfs_path *path, u64 *size_ret)
++{
++ struct btrfs_key key;
++ int ret;
++
++ key.objectid = btrfs_ino(inode);
++ key.type = BTRFS_INODE_ITEM_KEY;
++ key.offset = 0;
++
++ ret = btrfs_search_slot(NULL, log, &key, path, 0, 0);
++ if (ret < 0) {
++ return ret;
++ } else if (ret > 0) {
++ *size_ret = i_size_read(inode);
++ } else {
++ struct btrfs_inode_item *item;
++
++ item = btrfs_item_ptr(path->nodes[0], path->slots[0],
++ struct btrfs_inode_item);
++ *size_ret = btrfs_inode_size(path->nodes[0], item);
++ }
++
++ btrfs_release_path(path);
++ return 0;
++}
++
+ /* log a single inode in the tree log.
+ * At least one parent directory for this inode must exist in the tree
+ * or be logged already.
+@@ -3948,6 +3990,7 @@ static int btrfs_log_inode(struct btrfs_
+ bool fast_search = false;
+ u64 ino = btrfs_ino(inode);
+ struct extent_map_tree *em_tree = &BTRFS_I(inode)->extent_tree;
++ u64 logged_isize = 0;
+
+ path = btrfs_alloc_path();
+ if (!path)
+@@ -4001,6 +4044,25 @@ static int btrfs_log_inode(struct btrfs_
+ max_key_type = BTRFS_XATTR_ITEM_KEY;
+ ret = drop_objectid_items(trans, log, path, ino, max_key_type);
+ } else {
++ if (inode_only == LOG_INODE_EXISTS) {
++ /*
++ * Make sure the new inode item we write to the log has
++ * the same isize as the current one (if it exists).
++ * This is necessary to prevent data loss after log
++ * replay, and also to prevent doing a wrong expanding
++ * truncate - for e.g. create file, write 4K into offset
++ * 0, fsync, write 4K into offset 4096, add hard link,
++ * fsync some other file (to sync log), power fail - if
++ * we use the inode's current i_size, after log replay
++ * we get a 8Kb file, with the last 4Kb extent as a hole
++ * (zeroes), as if an expanding truncate happened,
++ * instead of getting a file of 4Kb only.
++ */
++ err = logged_inode_size(log, inode, path,
++ &logged_isize);
++ if (err)
++ goto out_unlock;
++ }
+ if (test_and_clear_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
+ &BTRFS_I(inode)->runtime_flags)) {
+ clear_bit(BTRFS_INODE_COPY_EVERYTHING,
+@@ -4056,7 +4118,8 @@ again:
+ }
+
+ ret = copy_items(trans, inode, dst_path, path, &last_extent,
+- ins_start_slot, ins_nr, inode_only);
++ ins_start_slot, ins_nr, inode_only,
++ logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+@@ -4080,7 +4143,7 @@ next_slot:
+ if (ins_nr) {
+ ret = copy_items(trans, inode, dst_path, path,
+ &last_extent, ins_start_slot,
+- ins_nr, inode_only);
++ ins_nr, inode_only, logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+@@ -4101,7 +4164,8 @@ next_slot:
+ }
+ if (ins_nr) {
+ ret = copy_items(trans, inode, dst_path, path, &last_extent,
+- ins_start_slot, ins_nr, inode_only);
++ ins_start_slot, ins_nr, inode_only,
++ logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
--- /dev/null
+From 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.cz>
+Date: Fri, 2 Jan 2015 18:45:16 +0100
+Subject: btrfs: fix leak of path in btrfs_find_item
+
+From: David Sterba <dsterba@suse.cz>
+
+commit 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 upstream.
+
+If btrfs_find_item is called with NULL path it allocates one locally but
+does not free it. Affected paths are inserting an orphan item for a file
+and for a subvol root.
+
+Move the path allocation to the callers.
+
+Fixes: 3f870c289900 ("btrfs: expand btrfs_find_item() to include find_orphan_item functionality")
+Signed-off-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ctree.c | 17 ++++-------------
+ fs/btrfs/disk-io.c | 9 ++++++++-
+ fs/btrfs/tree-log.c | 11 ++++++++++-
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -2609,32 +2609,23 @@ static int key_search(struct extent_buff
+ return 0;
+ }
+
+-int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *found_path,
++int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *path,
+ u64 iobjectid, u64 ioff, u8 key_type,
+ struct btrfs_key *found_key)
+ {
+ int ret;
+ struct btrfs_key key;
+ struct extent_buffer *eb;
+- struct btrfs_path *path;
++
++ ASSERT(path);
+
+ key.type = key_type;
+ key.objectid = iobjectid;
+ key.offset = ioff;
+
+- if (found_path == NULL) {
+- path = btrfs_alloc_path();
+- if (!path)
+- return -ENOMEM;
+- } else
+- path = found_path;
+-
+ ret = btrfs_search_slot(NULL, fs_root, &key, path, 0, 0);
+- if ((ret < 0) || (found_key == NULL)) {
+- if (path != found_path)
+- btrfs_free_path(path);
++ if ((ret < 0) || (found_key == NULL))
+ return ret;
+- }
+
+ eb = path->nodes[0];
+ if (ret && path->slots[0] >= btrfs_header_nritems(eb)) {
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1630,6 +1630,7 @@ struct btrfs_root *btrfs_get_fs_root(str
+ bool check_ref)
+ {
+ struct btrfs_root *root;
++ struct btrfs_path *path;
+ int ret;
+
+ if (location->objectid == BTRFS_ROOT_TREE_OBJECTID)
+@@ -1669,8 +1670,14 @@ again:
+ if (ret)
+ goto fail;
+
+- ret = btrfs_find_item(fs_info->tree_root, NULL, BTRFS_ORPHAN_OBJECTID,
++ path = btrfs_alloc_path();
++ if (!path) {
++ ret = -ENOMEM;
++ goto fail;
++ }
++ ret = btrfs_find_item(fs_info->tree_root, path, BTRFS_ORPHAN_OBJECTID,
+ location->objectid, BTRFS_ORPHAN_ITEM_KEY, NULL);
++ btrfs_free_path(path);
+ if (ret < 0)
+ goto fail;
+ if (ret == 0)
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1257,10 +1257,19 @@ static int insert_orphan_item(struct btr
+ struct btrfs_root *root, u64 offset)
+ {
+ int ret;
+- ret = btrfs_find_item(root, NULL, BTRFS_ORPHAN_OBJECTID,
++ struct btrfs_path *path;
++
++ path = btrfs_alloc_path();
++ if (!path)
++ return -ENOMEM;
++
++ ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID,
+ offset, BTRFS_ORPHAN_ITEM_KEY, NULL);
+ if (ret > 0)
+ ret = btrfs_insert_orphan_item(trans, root, offset);
++
++ btrfs_free_path(path);
++
+ return ret;
+ }
+
--- /dev/null
+From 5efa0490cc94aee06cd8d282683e22a8ce0a0026 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.cz>
+Date: Fri, 19 Dec 2014 18:38:47 +0100
+Subject: btrfs: set proper message level for skinny metadata
+
+From: David Sterba <dsterba@suse.cz>
+
+commit 5efa0490cc94aee06cd8d282683e22a8ce0a0026 upstream.
+
+This has been confusing people for too long, the message is really just
+informative.
+
+Signed-off-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2498,7 +2498,7 @@ int open_ctree(struct super_block *sb,
+ features |= BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO;
+
+ if (features & BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA)
+- printk(KERN_ERR "BTRFS: has skinny extents\n");
++ printk(KERN_INFO "BTRFS: has skinny extents\n");
+
+ /*
+ * flag our filesystem as having big metadata blocks if
--- /dev/null
+From d4a19eb3b15a4ba98f627182f48d5bc0cffae670 Mon Sep 17 00:00:00 2001
+From: Matthias Brugger <matthias.bgg@gmail.com>
+Date: Thu, 19 Feb 2015 11:41:33 +0100
+Subject: clocksource: mtk: Fix race conditions in probe code
+
+From: Matthias Brugger <matthias.bgg@gmail.com>
+
+commit d4a19eb3b15a4ba98f627182f48d5bc0cffae670 upstream.
+
+We have two race conditions in the probe code which could lead to a null
+pointer dereference in the interrupt handler.
+
+The interrupt handler accesses the clockevent device, which may not yet be
+registered.
+
+First race condition happens when the interrupt handler gets registered before
+the interrupts get disabled. The second race condition happens when the
+interrupts get enabled, but the clockevent device is not yet registered.
+
+Fix that by disabling the interrupts before we register the interrupt and enable
+the interrupts after the clockevent device got registered.
+
+Reported-by: Gongbae Park <yongbae2@gmail.com>
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/mtk_timer.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/clocksource/mtk_timer.c
++++ b/drivers/clocksource/mtk_timer.c
+@@ -224,6 +224,8 @@ static void __init mtk_timer_init(struct
+ }
+ rate = clk_get_rate(clk);
+
++ mtk_timer_global_reset(evt);
++
+ if (request_irq(evt->dev.irq, mtk_timer_interrupt,
+ IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) {
+ pr_warn("failed to setup irq %d\n", evt->dev.irq);
+@@ -232,8 +234,6 @@ static void __init mtk_timer_init(struct
+
+ evt->ticks_per_jiffy = DIV_ROUND_UP(rate, HZ);
+
+- mtk_timer_global_reset(evt);
+-
+ /* Configure clock source */
+ mtk_timer_setup(evt, GPT_CLK_SRC, TIMER_CTRL_OP_FREERUN);
+ clocksource_mmio_init(evt->gpt_base + TIMER_CNT_REG(GPT_CLK_SRC),
+@@ -241,10 +241,11 @@ static void __init mtk_timer_init(struct
+
+ /* Configure clock event */
+ mtk_timer_setup(evt, GPT_CLK_EVT, TIMER_CTRL_OP_REPEAT);
+- mtk_timer_enable_irq(evt, GPT_CLK_EVT);
+-
+ clockevents_config_and_register(&evt->dev, rate, 0x3,
+ 0xffffffff);
++
++ mtk_timer_enable_irq(evt, GPT_CLK_EVT);
++
+ return;
+
+ err_clk_disable:
--- /dev/null
+From 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea Mon Sep 17 00:00:00 2001
+From: Daniel J Blueman <daniel@numascale.com>
+Date: Tue, 17 Feb 2015 11:34:38 +0800
+Subject: EDAC, amd64_edac: Prevent OOPS with >16 memory controllers
+
+From: Daniel J Blueman <daniel@numascale.com>
+
+commit 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea upstream.
+
+When DRAM errors occur on memory controllers after EDAC_MAX_MCS (16),
+the kernel fatally dereferences unallocated structures, see splat below;
+this occurs on at least NumaConnect systems.
+
+Fix by checking if a memory controller info structure was found.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000320
+IP: [<ffffffff819f714f>] decode_bus_error+0x2f/0x2b0
+PGD 2f8b5a3067 PUD 2f8b5a2067 PMD 0
+Oops: 0000 [#2] SMP
+Modules linked in:
+CPU: 224 PID: 11930 Comm: stream_c.exe.gn Tainted: G D 3.19.0 #1
+Hardware name: Supermicro H8QGL/H8QGL, BIOS 3.5b 01/28/2015
+task: ffff8807dbfb8c00 ti: ffff8807dd16c000 task.ti: ffff8807dd16c000
+RIP: 0010:[<ffffffff819f714f>] [<ffffffff819f714f>] decode_bus_error+0x2f/0x2b0
+RSP: 0000:ffff8907dfc03c48 EFLAGS: 00010297
+RAX: 0000000000000001 RBX: 9c67400010080a13 RCX: 0000000000001dc6
+RDX: 000000001dc61dc6 RSI: ffff8907dfc03df0 RDI: 000000000000001c
+RBP: ffff8907dfc03ce8 R08: 0000000000000000 R09: 0000000000000022
+R10: ffff891fffa30380 R11: 00000000001cfc90 R12: 0000000000000008
+R13: 0000000000000000 R14: 000000000000001c R15: 00009c6740001000
+FS: 00007fa97ee18700(0000) GS:ffff8907dfc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000320 CR3: 0000003f889b8000 CR4: 00000000000407e0
+Stack:
+ 0000000000000000 ffff8907dfc03df0 0000000000000008 9c67400010080a13
+ 000000000000001c 00009c6740001000 ffff8907dfc03c88 ffffffff810e4f9a
+ ffff8907dfc03ce8 ffffffff81b375b9 0000000000000000 0000000000000010
+Call Trace:
+ <IRQ>
+ ? vprintk_default
+ ? printk
+ amd_decode_mce
+ notifier_call_chain
+ atomic_notifier_call_chain
+ mce_log
+ machine_check_poll
+ mce_timer_fn
+ ? mce_cpu_restart
+ call_timer_fn.isra.29
+ run_timer_softirq
+ __do_softirq
+ irq_exit
+ smp_apic_timer_interrupt
+ apic_timer_interrupt
+ <EOI>
+ ? down_read_trylock
+ __do_page_fault
+ ? __schedule
+ do_page_fault
+ page_fault
+
+Signed-off-by: Daniel J Blueman <daniel@numascale.com>
+Link: http://lkml.kernel.org/r/1424144078-24589-1-git-send-email-daniel@numascale.com
+[ Boris: massage commit message ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/amd64_edac.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -2174,14 +2174,20 @@ static void __log_bus_error(struct mem_c
+
+ static inline void decode_bus_error(int node_id, struct mce *m)
+ {
+- struct mem_ctl_info *mci = mcis[node_id];
+- struct amd64_pvt *pvt = mci->pvt_info;
++ struct mem_ctl_info *mci;
++ struct amd64_pvt *pvt;
+ u8 ecc_type = (m->status >> 45) & 0x3;
+ u8 xec = XEC(m->status, 0x1f);
+ u16 ec = EC(m->status);
+ u64 sys_addr;
+ struct err_info err;
+
++ mci = edac_mc_find(node_id);
++ if (!mci)
++ return;
++
++ pvt = mci->pvt_info;
++
+ /* Bail out early if this was an 'observed' error */
+ if (PP(ec) == NBSL_PP_OBS)
+ return;
--- /dev/null
+From 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
+Date: Thu, 19 Feb 2015 01:52:25 +0000
+Subject: gpio: tps65912: fix wrong container_of arguments
+
+From: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
+
+commit 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 upstream.
+
+The gpio_chip operations receive a pointer the gpio_chip struct which is
+contained in the driver's private struct, yet the container_of call in those
+functions point to the mfd struct defined in include/linux/mfd/tps65912.h.
+
+Signed-off-by: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-tps65912.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-tps65912.c
++++ b/drivers/gpio/gpio-tps65912.c
+@@ -26,9 +26,12 @@ struct tps65912_gpio_data {
+ struct gpio_chip gpio_chip;
+ };
+
++#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip)
++
+ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset)
+ {
+- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++ struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+ int val;
+
+ val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset);
+@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio
+ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset,
+ int value)
+ {
+- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++ struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+
+ if (value)
+ tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset,
+@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpi
+ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset,
+ int value)
+ {
+- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++ struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+
+ /* Set the initial value */
+ tps65912_gpio_set(gc, offset, value);
+@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct g
+
+ static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset)
+ {
+- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++ struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+
+ return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset,
+ GPIO_CFG_MASK);
--- /dev/null
+From 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f Mon Sep 17 00:00:00 2001
+From: Hans Holmberg <hans.holmberg@intel.com>
+Date: Tue, 10 Feb 2015 09:48:27 +0100
+Subject: gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node
+
+From: Hans Holmberg <hans.holmberg@intel.com>
+
+commit 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f upstream.
+
+The change:
+
+7b8792bbdffdff3abda704f89c6a45ea97afdc62
+gpiolib: of: Correct error handling in of_get_named_gpiod_flags
+
+assumed that only one gpio-chip is registred per of-node.
+Some drivers register more than one chip per of-node, so
+adjust the matching function of_gpiochip_find_and_xlate to
+not stop looking for chips if a node-match is found and
+the translation fails.
+
+Fixes: 7b8792bbdffd ("gpiolib: of: Correct error handling in of_get_named_gpiod_flags")
+Signed-off-by: Hans Holmberg <hans.holmberg@intel.com>
+Acked-by: Alexandre Courbot <acourbot@nvidia.com>
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Tested-by: Tyler Hall <tylerwhall@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-of.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -46,12 +46,13 @@ static int of_gpiochip_find_and_xlate(st
+
+ ret = gc->of_xlate(gc, &gg_data->gpiospec, gg_data->flags);
+ if (ret < 0) {
+- /* We've found the gpio chip, but the translation failed.
+- * Return true to stop looking and return the translation
+- * error via out_gpio
++ /* We've found a gpio chip, but the translation failed.
++ * Store translation error in out_gpio.
++ * Return false to keep looking, as more than one gpio chip
++ * could be registered per of-node.
+ */
+ gg_data->out_gpio = ERR_PTR(ret);
+- return true;
++ return false;
+ }
+
+ gg_data->out_gpio = gpiochip_get_desc(gc, ret);
--- /dev/null
+From 164c24063a3eadee11b46575c5482b2f1417be49 Mon Sep 17 00:00:00 2001
+From: Chen Jie <chenjie6@huawei.com>
+Date: Tue, 10 Feb 2015 12:49:48 -0800
+Subject: jffs2: fix handling of corrupted summary length
+
+From: Chen Jie <chenjie6@huawei.com>
+
+commit 164c24063a3eadee11b46575c5482b2f1417be49 upstream.
+
+sm->offset maybe wrong but magic maybe right, the offset do not have CRC.
+
+Badness at c00c7580 [verbose debug info unavailable]
+NIP: c00c7580 LR: c00c718c CTR: 00000014
+REGS: df07bb40 TRAP: 0700 Not tainted (2.6.34.13-WR4.3.0.0_standard)
+MSR: 00029000 <EE,ME,CE> CR: 22084f84 XER: 00000000
+TASK = df84d6e0[908] 'mount' THREAD: df07a000
+GPR00: 00000001 df07bbf0 df84d6e0 00000000 00000001 00000000 df07bb58 00000041
+GPR08: 00000041 c0638860 00000000 00000010 22084f88 100636c8 df814ff8 00000000
+GPR16: df84d6e0 dfa558cc c05adb90 00000048 c0452d30 00000000 000240d0 000040d0
+GPR24: 00000014 c05ae734 c05be2e0 00000000 00000001 00000000 00000000 c05ae730
+NIP [c00c7580] __alloc_pages_nodemask+0x4d0/0x638
+LR [c00c718c] __alloc_pages_nodemask+0xdc/0x638
+Call Trace:
+[df07bbf0] [c00c718c] __alloc_pages_nodemask+0xdc/0x638 (unreliable)
+[df07bc90] [c00c7708] __get_free_pages+0x20/0x48
+[df07bca0] [c00f4a40] __kmalloc+0x15c/0x1ec
+[df07bcd0] [c01fc880] jffs2_scan_medium+0xa58/0x14d0
+[df07bd70] [c01ff38c] jffs2_do_mount_fs+0x1f4/0x6b4
+[df07bdb0] [c020144c] jffs2_do_fill_super+0xa8/0x260
+[df07bdd0] [c020230c] jffs2_fill_super+0x104/0x184
+[df07be00] [c0335814] get_sb_mtd_aux+0x9c/0xec
+[df07be20] [c033596c] get_sb_mtd+0x84/0x1e8
+[df07be60] [c0201ed0] jffs2_get_sb+0x1c/0x2c
+[df07be70] [c0103898] vfs_kern_mount+0x78/0x1e8
+[df07bea0] [c0103a58] do_kern_mount+0x40/0x100
+[df07bec0] [c011fe90] do_mount+0x240/0x890
+[df07bf10] [c0120570] sys_mount+0x90/0xd8
+[df07bf40] [c00110d8] ret_from_syscall+0x0/0x4
+
+=== Exception: c01 at 0xff61a34
+ LR = 0x100135f0
+Instruction dump:
+38800005 38600000 48010f41 4bfffe1c 4bfc2d15 4bfffe8c 72e90200 4082fc28
+3d20c064 39298860 8809000d 68000001 <0f000000> 2f800000 419efc0c 38000001
+mount: mounting /dev/mtdblock3 on /common failed: Input/output error
+
+Signed-off-by: Chen Jie <chenjie6@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/scan.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/jffs2/scan.c
++++ b/fs/jffs2/scan.c
+@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct
+ sumlen = c->sector_size - je32_to_cpu(sm->offset);
+ sumptr = buf + buf_size - sumlen;
+
++ /* sm->offset maybe wrong but MAGIC maybe right */
++ if (sumlen > c->sector_size)
++ goto full_scan;
++
+ /* Now, make sure the summary itself is available */
+ if (sumlen > buf_size) {
+ /* Need to kmalloc for this. */
+@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct
+ }
+ }
+
++full_scan:
+ buf_ofs = jeb->offset;
+
+ if (!buf_size) {
--- /dev/null
+From 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 17 Feb 2015 19:37:15 +0300
+Subject: libceph: fix double __remove_osd() problem
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 upstream.
+
+It turns out it's possible to get __remove_osd() called twice on the
+same OSD. That doesn't sit well with rb_erase() - depending on the
+shape of the tree we can get a NULL dereference, a soft lockup or
+a random crash at some point in the future as we end up touching freed
+memory. One scenario that I was able to reproduce is as follows:
+
+ <osd3 is idle, on the osd lru list>
+<con reset - osd3>
+con_fault_finish()
+ osd_reset()
+ <osdmap - osd3 down>
+ ceph_osdc_handle_map()
+ <takes map_sem>
+ kick_requests()
+ <takes request_mutex>
+ reset_changed_osds()
+ __reset_osd()
+ __remove_osd()
+ <releases request_mutex>
+ <releases map_sem>
+ <takes map_sem>
+ <takes request_mutex>
+ __kick_osd_requests()
+ __reset_osd()
+ __remove_osd() <-- !!!
+
+A case can be made that osd refcounting is imperfect and reworking it
+would be a proper resolution, but for now Sage and I decided to fix
+this by adding a safe guard around __remove_osd().
+
+Fixes: http://tracker.ceph.com/issues/8087
+
+Cc: Sage Weil <sage@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Reviewed-by: Alex Elder <elder@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/osd_client.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1048,14 +1048,24 @@ static void put_osd(struct ceph_osd *osd
+ */
+ static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
+ {
+- dout("__remove_osd %p\n", osd);
++ dout("%s %p osd%d\n", __func__, osd, osd->o_osd);
+ WARN_ON(!list_empty(&osd->o_requests));
+ WARN_ON(!list_empty(&osd->o_linger_requests));
+
+- rb_erase(&osd->o_node, &osdc->osds);
+ list_del_init(&osd->o_osd_lru);
+- ceph_con_close(&osd->o_con);
+- put_osd(osd);
++ rb_erase(&osd->o_node, &osdc->osds);
++ RB_CLEAR_NODE(&osd->o_node);
++}
++
++static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
++{
++ dout("%s %p osd%d\n", __func__, osd, osd->o_osd);
++
++ if (!RB_EMPTY_NODE(&osd->o_node)) {
++ ceph_con_close(&osd->o_con);
++ __remove_osd(osdc, osd);
++ put_osd(osd);
++ }
+ }
+
+ static void remove_all_osds(struct ceph_osd_client *osdc)
+@@ -1065,7 +1075,7 @@ static void remove_all_osds(struct ceph_
+ while (!RB_EMPTY_ROOT(&osdc->osds)) {
+ struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds),
+ struct ceph_osd, o_node);
+- __remove_osd(osdc, osd);
++ remove_osd(osdc, osd);
+ }
+ mutex_unlock(&osdc->request_mutex);
+ }
+@@ -1106,7 +1116,7 @@ static void remove_old_osds(struct ceph_
+ list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) {
+ if (time_before(jiffies, osd->lru_ttl))
+ break;
+- __remove_osd(osdc, osd);
++ remove_osd(osdc, osd);
+ }
+ mutex_unlock(&osdc->request_mutex);
+ }
+@@ -1121,8 +1131,7 @@ static int __reset_osd(struct ceph_osd_c
+ dout("__reset_osd %p osd%d\n", osd, osd->o_osd);
+ if (list_empty(&osd->o_requests) &&
+ list_empty(&osd->o_linger_requests)) {
+- __remove_osd(osdc, osd);
+-
++ remove_osd(osdc, osd);
+ return -ENODEV;
+ }
+
+@@ -1926,6 +1935,7 @@ static void reset_changed_osds(struct ce
+ {
+ struct rb_node *p, *n;
+
++ dout("%s %p\n", __func__, osdc);
+ for (p = rb_first(&osdc->osds); p; p = n) {
+ struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node);
+
--- /dev/null
+From d1901ef099c38afd11add4cfb3312c02ef21ec4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= <tomas.hodek@volny.cz>
+Date: Mon, 23 Feb 2015 11:00:38 +1100
+Subject: md/raid1: fix read balance when a drive is write-mostly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= <tomas.hodek@volny.cz>
+
+commit d1901ef099c38afd11add4cfb3312c02ef21ec4a upstream.
+
+When a drive is marked write-mostly it should only be the
+target of reads if there is no other option.
+
+This behaviour was broken by
+
+commit 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc
+ md/raid1: read balance chooses idlest disk for SSD
+
+which causes a write-mostly device to be *preferred* is some cases.
+
+Restore correct behaviour by checking and setting
+best_dist_disk and best_pending_disk rather than best_disk.
+
+We only need to test one of these as they are both changed
+from -1 or >=0 at the same time.
+
+As we leave min_pending and best_dist unchanged, any non-write-mostly
+device will appear better than the write-mostly device.
+
+Reported-by: Tomáš Hodek <tomas.hodek@volny.cz>
+Reported-by: Dark Penguin <darkpenguin@yandex.ru>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Link: http://marc.info/?l=linux-raid&m=135982797322422
+Fixes: 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -560,7 +560,7 @@ static int read_balance(struct r1conf *c
+ if (test_bit(WriteMostly, &rdev->flags)) {
+ /* Don't balance among write-mostly, just
+ * use the first as a last resort */
+- if (best_disk < 0) {
++ if (best_dist_disk < 0) {
+ if (is_badblock(rdev, this_sector, sectors,
+ &first_bad, &bad_sectors)) {
+ if (first_bad < this_sector)
+@@ -569,7 +569,8 @@ static int read_balance(struct r1conf *c
+ best_good_sectors = first_bad - this_sector;
+ } else
+ best_good_sectors = sectors;
+- best_disk = disk;
++ best_dist_disk = disk;
++ best_pending_disk = disk;
+ }
+ continue;
+ }
--- /dev/null
+From 26ac107378c4742978216be1005b7291b799c7b2 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Wed, 18 Feb 2015 11:35:14 +1100
+Subject: md/raid5: Fix livelock when array is both resyncing and degraded.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 26ac107378c4742978216be1005b7291b799c7b2 upstream.
+
+Commit a7854487cd7128a30a7f4f5259de9f67d5efb95f:
+ md: When RAID5 is dirty, force reconstruct-write instead of read-modify-write.
+
+Causes an RCW cycle to be forced even when the array is degraded.
+A degraded array cannot support RCW as that requires reading all data
+blocks, and one may be missing.
+
+Forcing an RCW when it is not possible causes a live-lock and the code
+spins, repeatedly deciding to do something that cannot succeed.
+
+So change the condition to only force RCW on non-degraded arrays.
+
+Reported-by: Manibalan P <pmanibalan@amiindia.co.in>
+Bisected-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Tested-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Fixes: a7854487cd7128a30a7f4f5259de9f67d5efb95f
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3102,7 +3102,8 @@ static void handle_stripe_dirtying(struc
+ * generate correct data from the parity.
+ */
+ if (conf->max_degraded == 2 ||
+- (recovery_cp < MaxSector && sh->sector >= recovery_cp)) {
++ (recovery_cp < MaxSector && sh->sector >= recovery_cp &&
++ s->failed == 0)) {
+ /* Calculate the real rcw later - for now make it
+ * look like rcw is cheaper
+ */
--- /dev/null
+From c2996cb29bfb73927a79dc96e598a718e843f01a Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 24 Feb 2015 12:25:25 +0000
+Subject: metag: Fix KSTK_EIP() and KSTK_ESP() macros
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit c2996cb29bfb73927a79dc96e598a718e843f01a upstream.
+
+The KSTK_EIP() and KSTK_ESP() macros should return the user program
+counter (PC) and stack pointer (A0StP) of the given task. These are used
+to determine which VMA corresponds to the user stack in
+/proc/<pid>/maps, and for the user PC & A0StP in /proc/<pid>/stat.
+
+However for Meta the PC & A0StP from the task's kernel context are used,
+resulting in broken output. For example in following /proc/<pid>/maps
+output, the 3afff000-3b021000 VMA should be described as the stack:
+
+ # cat /proc/self/maps
+ ...
+ 100b0000-100b1000 rwxp 00000000 00:00 0 [heap]
+ 3afff000-3b021000 rwxp 00000000 00:00 0
+
+And in the following /proc/<pid>/stat output, the PC is in kernel code
+(1074234964 = 0x40078654) and the A0StP is in the kernel heap
+(1335981392 = 0x4fa17550):
+
+ # cat /proc/self/stat
+ 51 (cat) R ... 1335981392 1074234964 ...
+
+Fix the definitions of KSTK_EIP() and KSTK_ESP() to use
+task_pt_regs(tsk)->ctx rather than (tsk)->thread.kernel_context. This
+gets the registers from the user context stored after the thread info at
+the base of the kernel stack, which is from the last entry into the
+kernel from userland, regardless of where in the kernel the task may
+have been interrupted, which results in the following more correct
+/proc/<pid>/maps output:
+
+ # cat /proc/self/maps
+ ...
+ 0800b000-08070000 r-xp 00000000 00:02 207 /lib/libuClibc-0.9.34-git.so
+ ...
+ 100b0000-100b1000 rwxp 00000000 00:00 0 [heap]
+ 3afff000-3b021000 rwxp 00000000 00:00 0 [stack]
+
+And /proc/<pid>/stat now correctly reports the PC in libuClibc
+(134320308 = 0x80190b4) and the A0StP in the [stack] region (989864576 =
+0x3b002280):
+
+ # cat /proc/self/stat
+ 51 (cat) R ... 989864576 134320308 ...
+
+Reported-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
+Reported-by: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-metag@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/include/asm/processor.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/metag/include/asm/processor.h
++++ b/arch/metag/include/asm/processor.h
+@@ -149,8 +149,8 @@ extern void exit_thread(void);
+
+ unsigned long get_wchan(struct task_struct *p);
+
+-#define KSTK_EIP(tsk) ((tsk)->thread.kernel_context->CurrPC)
+-#define KSTK_ESP(tsk) ((tsk)->thread.kernel_context->AX[0].U0)
++#define KSTK_EIP(tsk) (task_pt_regs(tsk)->ctx.CurrPC)
++#define KSTK_ESP(tsk) (task_pt_regs(tsk)->ctx.AX[0].U0)
+
+ #define user_stack_pointer(regs) ((regs)->ctx.AX[0].U0)
+
--- /dev/null
+From 48536c9195ae8c2a00fd8f400bac72ab613feaab Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 24 Feb 2015 13:20:59 +0200
+Subject: perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 48536c9195ae8c2a00fd8f400bac72ab613feaab upstream.
+
+Commit f6edb53c4993ffe92ce521fb449d1c146cea6ec2 converted the probe to
+a CPU wide event first (pid == -1). For kernels that do not support
+the PERF_FLAG_FD_CLOEXEC flag the probe fails with EINVAL. Since this
+errno is not handled pid is not reset to 0 and the subsequent use of
+pid = -1 as an argument brings in an additional failure path if
+perf_event_paranoid > 0:
+
+$ perf record -- sleep 1
+perf_event_open(..., 0) failed unexpectedly with error 13 (Permission denied)
+[ perf record: Woken up 1 times to write data ]
+[ perf record: Captured and wrote 0.007 MB /tmp/perf.data (11 samples) ]
+
+Also, ensure the fd of the confirmation check is closed and comment why
+pid = -1 is used.
+
+Needs to go to 3.18 stable tree as well.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Based-on-patch-by: David Ahern <david.ahern@oracle.com>
+Acked-by: David Ahern <david.ahern@oracle.com>
+Cc: David Ahern <dsahern@gmail.com>
+Link: http://lkml.kernel.org/r/54EC610C.8000403@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/cloexec.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/cloexec.c
++++ b/tools/perf/util/cloexec.c
+@@ -25,6 +25,10 @@ static int perf_flag_probe(void)
+ if (cpu < 0)
+ cpu = 0;
+
++ /*
++ * Using -1 for the pid is a workaround to avoid gratuitous jump label
++ * changes.
++ */
+ while (1) {
+ /* check cloexec flag */
+ fd = sys_perf_event_open(&attr, pid, cpu, -1,
+@@ -47,16 +51,24 @@ static int perf_flag_probe(void)
+ err, strerror_r(err, sbuf, sizeof(sbuf)));
+
+ /* not supported, confirm error related to PERF_FLAG_FD_CLOEXEC */
+- fd = sys_perf_event_open(&attr, pid, cpu, -1, 0);
++ while (1) {
++ fd = sys_perf_event_open(&attr, pid, cpu, -1, 0);
++ if (fd < 0 && pid == -1 && errno == EACCES) {
++ pid = 0;
++ continue;
++ }
++ break;
++ }
+ err = errno;
+
++ if (fd >= 0)
++ close(fd);
++
+ if (WARN_ONCE(fd < 0 && err != EBUSY,
+ "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n",
+ err, strerror_r(err, sbuf, sizeof(sbuf))))
+ return -1;
+
+- close(fd);
+-
+ return 0;
+ }
+
--- /dev/null
+From 4690555e13c48fef07f2762f6b0cd6b181e326d0 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 9 Jan 2015 15:10:01 +0100
+Subject: samsung-laptop: Add use_native_backlight quirk, and enable it on some models
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 4690555e13c48fef07f2762f6b0cd6b181e326d0 upstream.
+
+Since kernel 3.14 the backlight control has been broken on various Samsung
+Atom based netbooks. This has been bisected and this problem happens since
+commit b35684b8fa94 ("drm/i915: do full backlight setup at enable time")
+
+This has been reported and discussed in detail here:
+http://lists.freedesktop.org/archives/intel-gfx/2014-July/049395.html
+
+Unfortunately no-one has been able to fix this. This only affects Samsung
+Atom netbooks, and the Linux kernel and the BIOS of those laptops have never
+worked well together. All affected laptops already have a quirk to avoid using
+the standard acpi-video interface and instead use the samsung specific SABI
+interface which samsung-laptop uses. It seems that recent fixes to the i915
+driver have also broken backlight control through the SABI interface.
+
+The intel_backlight driver OTOH works fine, and also allows for finer grained
+backlight control. So add a new use_native_backlight quirk, and replace the
+broken_acpi_video quirk with this quirk for affected models. This new quirk
+disables acpi-video as before and also stops samsung-laptop from registering
+the SABI based samsung_laptop backlight interface, leaving only the working
+intel_backlight interface.
+
+This commit enables this new quirk for 3 models which are known to be affected,
+chances are that it needs to be used on other models too.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1094948 # N145P
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1115713 # N250P
+Reported-by: Bertrik Sikken <bertrik@sikken.nl> # N150P
+Cc: stable@vger.kernel.org # 3.16
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/samsung-laptop.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/samsung-laptop.c
++++ b/drivers/platform/x86/samsung-laptop.c
+@@ -353,6 +353,7 @@ struct samsung_quirks {
+ bool broken_acpi_video;
+ bool four_kbd_backlight_levels;
+ bool enable_kbd_backlight;
++ bool use_native_backlight;
+ };
+
+ static struct samsung_quirks samsung_unknown = {};
+@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_bro
+ .broken_acpi_video = true,
+ };
+
++static struct samsung_quirks samsung_use_native_backlight = {
++ .use_native_backlight = true,
++};
++
+ static struct samsung_quirks samsung_np740u3e = {
+ .four_kbd_backlight_levels = true,
+ .enable_kbd_backlight = true,
+@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata s
+ DMI_MATCH(DMI_PRODUCT_NAME, "N150P"),
+ DMI_MATCH(DMI_BOARD_NAME, "N150P"),
+ },
+- .driver_data = &samsung_broken_acpi_video,
++ .driver_data = &samsung_use_native_backlight,
+ },
+ {
+ .callback = samsung_dmi_matched,
+@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata s
+ DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"),
+ DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"),
+ },
+- .driver_data = &samsung_broken_acpi_video,
++ .driver_data = &samsung_use_native_backlight,
+ },
+ {
+ .callback = samsung_dmi_matched,
+@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata s
+ DMI_MATCH(DMI_PRODUCT_NAME, "N250P"),
+ DMI_MATCH(DMI_BOARD_NAME, "N250P"),
+ },
+- .driver_data = &samsung_broken_acpi_video,
++ .driver_data = &samsung_use_native_backlight,
+ },
+ {
+ .callback = samsung_dmi_matched,
+@@ -1616,6 +1621,15 @@ static int __init samsung_init(void)
+ pr_info("Disabling ACPI video driver\n");
+ acpi_video_unregister();
+ }
++
++ if (samsung->quirks->use_native_backlight) {
++ pr_info("Using native backlight driver\n");
++ /* Tell acpi-video to not handle the backlight */
++ acpi_video_dmi_promote_vendor();
++ acpi_video_unregister();
++ /* And also do not handle it ourselves */
++ samsung->handle_backlight = false;
++ }
+ #endif
+
+ ret = samsung_platform_init(samsung);
--- /dev/null
+From 11249e73992981e31fd50e7231da24fad68e3320 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Thu, 5 Feb 2015 12:39:36 +0100
+Subject: sb_edac: Fix detection on SNB machines
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 11249e73992981e31fd50e7231da24fad68e3320 upstream.
+
+d0585cd815fa ("sb_edac: Claim a different PCI device") changed the
+probing of sb_edac to look for PCI device 0x3ca0:
+
+3f:0e.0 System peripheral: Intel Corporation Xeon E5/Core i7 Processor Home Agent (rev 07)
+00: 86 80 a0 3c 00 00 00 00 07 00 80 08 00 00 80 00
+...
+
+but we're matching for 0x3ca8, i.e. PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA
+in sbridge_probe() therefore the probing fails.
+
+Changing it to probe for 0x3ca0 (PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0),
+.i.e., the 14.0 device, fixes the issue and driver loads successfully
+again:
+
+[ 2449.013120] EDAC DEBUG: sbridge_init:
+[ 2449.017029] EDAC sbridge: Seeking for: PCI ID 8086:3ca0
+[ 2449.022368] EDAC DEBUG: sbridge_get_onedevice: Detected 8086:3ca0
+[ 2449.028498] EDAC sbridge: Seeking for: PCI ID 8086:3ca0
+[ 2449.033768] EDAC sbridge: Seeking for: PCI ID 8086:3ca8
+[ 2449.039028] EDAC DEBUG: sbridge_get_onedevice: Detected 8086:3ca8
+[ 2449.045155] EDAC sbridge: Seeking for: PCI ID 8086:3ca8
+...
+
+Add a debug printk while at it to be able to catch the failure in the
+future and dump driver version on successful load.
+
+Fixes: d0585cd815fa ("sb_edac: Claim a different PCI device")
+Acked-by: Aristeu Rozanski <aris@redhat.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Acked-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/sb_edac.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -2447,7 +2447,7 @@ static int sbridge_probe(struct pci_dev
+ rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_ibridge_table);
+ type = IVY_BRIDGE;
+ break;
+- case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA:
++ case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0:
+ rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_sbridge_table);
+ type = SANDY_BRIDGE;
+ break;
+@@ -2460,8 +2460,11 @@ static int sbridge_probe(struct pci_dev
+ type = BROADWELL;
+ break;
+ }
+- if (unlikely(rc < 0))
++ if (unlikely(rc < 0)) {
++ edac_dbg(0, "couldn't get all devices for 0x%x\n", pdev->device);
+ goto fail0;
++ }
++
+ mc = 0;
+
+ list_for_each_entry(sbridge_dev, &sbridge_edac_list, list) {
+@@ -2474,7 +2477,7 @@ static int sbridge_probe(struct pci_dev
+ goto fail1;
+ }
+
+- sbridge_printk(KERN_INFO, "Driver loaded.\n");
++ sbridge_printk(KERN_INFO, "%s\n", SBRIDGE_REVISION);
+
+ mutex_unlock(&sbridge_edac_lock);
+ return 0;
kvm-s390-avoid-memory-leaks-if-__inject_vm-fails.patch
hx4700-regulator-declare-full-constraints.patch
arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch
+gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch
+gpio-tps65912-fix-wrong-container_of-arguments.patch
+xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch
+metag-fix-kstk_eip-and-kstk_esp-macros.patch
+clocksource-mtk-fix-race-conditions-in-probe-code.patch
+perf-tools-fix-probing-for-perf_flag_fd_cloexec-flag.patch
+md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch
+md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch
+sb_edac-fix-detection-on-snb-machines.patch
+edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch
+jffs2-fix-handling-of-corrupted-summary-length.patch
+samsung-laptop-add-use_native_backlight-quirk-and-enable-it-on-some-models.patch
+libceph-fix-double-__remove_osd-problem.patch
+btrfs-set-proper-message-level-for-skinny-metadata.patch
+btrfs-fix-leak-of-path-in-btrfs_find_item.patch
+btrfs-fix-fsync-data-loss-after-adding-hard-link-to-inode.patch
+blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch
+x86-efi-avoid-triple-faults-during-efi-mixed-mode-calls.patch
+x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch
+x86-irq-fix-regression-caused-by-commit-b568b8601f05.patch
+x86-pmc-atom-assign-debugfs-node-as-soon-as-possible.patch
--- /dev/null
+From 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt.fleming@intel.com>
+Date: Tue, 13 Jan 2015 15:25:00 +0000
+Subject: x86/efi: Avoid triple faults during EFI mixed mode calls
+
+From: Matt Fleming <matt.fleming@intel.com>
+
+commit 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b upstream.
+
+Andy pointed out that if an NMI or MCE is received while we're in the
+middle of an EFI mixed mode call a triple fault will occur. This can
+happen, for example, when issuing an EFI mixed mode call while running
+perf.
+
+The reason for the triple fault is that we execute the mixed mode call
+in 32-bit mode with paging disabled but with 64-bit kernel IDT handlers
+installed throughout the call.
+
+At Andy's suggestion, stop playing the games we currently do at runtime,
+such as disabling paging and installing a 32-bit GDT for __KERNEL_CS. We
+can simply switch to the __KERNEL32_CS descriptor before invoking
+firmware services, and run in compatibility mode. This way, if an
+NMI/MCE does occur the kernel IDT handler will execute correctly, since
+it'll jump to __KERNEL_CS automatically.
+
+However, this change is only possible post-ExitBootServices(). Before
+then the firmware "owns" the machine and expects for its 32-bit IDT
+handlers to be left intact to service interrupts, etc.
+
+So, we now need to distinguish between early boot and runtime
+invocations of EFI services. During early boot, we need to restore the
+GDT that the firmware expects to be present. We can only jump to the
+__KERNEL32_CS code segment for mixed mode calls after ExitBootServices()
+has been invoked.
+
+A liberal sprinkling of comments in the thunking code should make the
+differences in early and late environments more apparent.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Tested-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/Makefile | 1
+ arch/x86/boot/compressed/efi_stub_64.S | 25 ----
+ arch/x86/boot/compressed/efi_thunk_64.S | 196 ++++++++++++++++++++++++++++++++
+ arch/x86/platform/efi/efi_stub_64.S | 161 --------------------------
+ arch/x86/platform/efi/efi_thunk_64.S | 121 ++++++++++++++++---
+ 5 files changed, 301 insertions(+), 203 deletions(-)
+
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -49,6 +49,7 @@ $(obj)/eboot.o: KBUILD_CFLAGS += -fshort
+
+ vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \
+ $(objtree)/drivers/firmware/efi/libstub/lib.a
++vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
+
+ $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
+ $(call if_changed,ld)
+--- a/arch/x86/boot/compressed/efi_stub_64.S
++++ b/arch/x86/boot/compressed/efi_stub_64.S
+@@ -3,28 +3,3 @@
+ #include <asm/processor-flags.h>
+
+ #include "../../platform/efi/efi_stub_64.S"
+-
+-#ifdef CONFIG_EFI_MIXED
+- .code64
+- .text
+-ENTRY(efi64_thunk)
+- push %rbp
+- push %rbx
+-
+- subq $16, %rsp
+- leaq efi_exit32(%rip), %rax
+- movl %eax, 8(%rsp)
+- leaq efi_gdt64(%rip), %rax
+- movl %eax, 4(%rsp)
+- movl %eax, 2(%rax) /* Fixup the gdt base address */
+- leaq efi32_boot_gdt(%rip), %rax
+- movl %eax, (%rsp)
+-
+- call __efi64_thunk
+-
+- addq $16, %rsp
+- pop %rbx
+- pop %rbp
+- ret
+-ENDPROC(efi64_thunk)
+-#endif /* CONFIG_EFI_MIXED */
+--- /dev/null
++++ b/arch/x86/boot/compressed/efi_thunk_64.S
+@@ -0,0 +1,196 @@
++/*
++ * Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming
++ *
++ * Early support for invoking 32-bit EFI services from a 64-bit kernel.
++ *
++ * Because this thunking occurs before ExitBootServices() we have to
++ * restore the firmware's 32-bit GDT before we make EFI serivce calls,
++ * since the firmware's 32-bit IDT is still currently installed and it
++ * needs to be able to service interrupts.
++ *
++ * On the plus side, we don't have to worry about mangling 64-bit
++ * addresses into 32-bits because we're executing with an identify
++ * mapped pagetable and haven't transitioned to 64-bit virtual addresses
++ * yet.
++ */
++
++#include <linux/linkage.h>
++#include <asm/msr.h>
++#include <asm/page_types.h>
++#include <asm/processor-flags.h>
++#include <asm/segment.h>
++
++ .code64
++ .text
++ENTRY(efi64_thunk)
++ push %rbp
++ push %rbx
++
++ subq $8, %rsp
++ leaq efi_exit32(%rip), %rax
++ movl %eax, 4(%rsp)
++ leaq efi_gdt64(%rip), %rax
++ movl %eax, (%rsp)
++ movl %eax, 2(%rax) /* Fixup the gdt base address */
++
++ movl %ds, %eax
++ push %rax
++ movl %es, %eax
++ push %rax
++ movl %ss, %eax
++ push %rax
++
++ /*
++ * Convert x86-64 ABI params to i386 ABI
++ */
++ subq $32, %rsp
++ movl %esi, 0x0(%rsp)
++ movl %edx, 0x4(%rsp)
++ movl %ecx, 0x8(%rsp)
++ movq %r8, %rsi
++ movl %esi, 0xc(%rsp)
++ movq %r9, %rsi
++ movl %esi, 0x10(%rsp)
++
++ sgdt save_gdt(%rip)
++
++ leaq 1f(%rip), %rbx
++ movq %rbx, func_rt_ptr(%rip)
++
++ /*
++ * Switch to gdt with 32-bit segments. This is the firmware GDT
++ * that was installed when the kernel started executing. This
++ * pointer was saved at the EFI stub entry point in head_64.S.
++ */
++ leaq efi32_boot_gdt(%rip), %rax
++ lgdt (%rax)
++
++ pushq $__KERNEL_CS
++ leaq efi_enter32(%rip), %rax
++ pushq %rax
++ lretq
++
++1: addq $32, %rsp
++
++ lgdt save_gdt(%rip)
++
++ pop %rbx
++ movl %ebx, %ss
++ pop %rbx
++ movl %ebx, %es
++ pop %rbx
++ movl %ebx, %ds
++
++ /*
++ * Convert 32-bit status code into 64-bit.
++ */
++ test %rax, %rax
++ jz 1f
++ movl %eax, %ecx
++ andl $0x0fffffff, %ecx
++ andl $0xf0000000, %eax
++ shl $32, %rax
++ or %rcx, %rax
++1:
++ addq $8, %rsp
++ pop %rbx
++ pop %rbp
++ ret
++ENDPROC(efi64_thunk)
++
++ENTRY(efi_exit32)
++ movq func_rt_ptr(%rip), %rax
++ push %rax
++ mov %rdi, %rax
++ ret
++ENDPROC(efi_exit32)
++
++ .code32
++/*
++ * EFI service pointer must be in %edi.
++ *
++ * The stack should represent the 32-bit calling convention.
++ */
++ENTRY(efi_enter32)
++ movl $__KERNEL_DS, %eax
++ movl %eax, %ds
++ movl %eax, %es
++ movl %eax, %ss
++
++ /* Reload pgtables */
++ movl %cr3, %eax
++ movl %eax, %cr3
++
++ /* Disable paging */
++ movl %cr0, %eax
++ btrl $X86_CR0_PG_BIT, %eax
++ movl %eax, %cr0
++
++ /* Disable long mode via EFER */
++ movl $MSR_EFER, %ecx
++ rdmsr
++ btrl $_EFER_LME, %eax
++ wrmsr
++
++ call *%edi
++
++ /* We must preserve return value */
++ movl %eax, %edi
++
++ /*
++ * Some firmware will return with interrupts enabled. Be sure to
++ * disable them before we switch GDTs.
++ */
++ cli
++
++ movl 56(%esp), %eax
++ movl %eax, 2(%eax)
++ lgdtl (%eax)
++
++ movl %cr4, %eax
++ btsl $(X86_CR4_PAE_BIT), %eax
++ movl %eax, %cr4
++
++ movl %cr3, %eax
++ movl %eax, %cr3
++
++ movl $MSR_EFER, %ecx
++ rdmsr
++ btsl $_EFER_LME, %eax
++ wrmsr
++
++ xorl %eax, %eax
++ lldt %ax
++
++ movl 60(%esp), %eax
++ pushl $__KERNEL_CS
++ pushl %eax
++
++ /* Enable paging */
++ movl %cr0, %eax
++ btsl $X86_CR0_PG_BIT, %eax
++ movl %eax, %cr0
++ lret
++ENDPROC(efi_enter32)
++
++ .data
++ .balign 8
++ .global efi32_boot_gdt
++efi32_boot_gdt: .word 0
++ .quad 0
++
++save_gdt: .word 0
++ .quad 0
++func_rt_ptr: .quad 0
++
++ .global efi_gdt64
++efi_gdt64:
++ .word efi_gdt64_end - efi_gdt64
++ .long 0 /* Filled out by user */
++ .word 0
++ .quad 0x0000000000000000 /* NULL descriptor */
++ .quad 0x00af9a000000ffff /* __KERNEL_CS */
++ .quad 0x00cf92000000ffff /* __KERNEL_DS */
++ .quad 0x0080890000000000 /* TS descriptor */
++ .quad 0x0000000000000000 /* TS continued */
++efi_gdt64_end:
+--- a/arch/x86/platform/efi/efi_stub_64.S
++++ b/arch/x86/platform/efi/efi_stub_64.S
+@@ -91,167 +91,6 @@ ENTRY(efi_call)
+ ret
+ ENDPROC(efi_call)
+
+-#ifdef CONFIG_EFI_MIXED
+-
+-/*
+- * We run this function from the 1:1 mapping.
+- *
+- * This function must be invoked with a 1:1 mapped stack.
+- */
+-ENTRY(__efi64_thunk)
+- movl %ds, %eax
+- push %rax
+- movl %es, %eax
+- push %rax
+- movl %ss, %eax
+- push %rax
+-
+- subq $32, %rsp
+- movl %esi, 0x0(%rsp)
+- movl %edx, 0x4(%rsp)
+- movl %ecx, 0x8(%rsp)
+- movq %r8, %rsi
+- movl %esi, 0xc(%rsp)
+- movq %r9, %rsi
+- movl %esi, 0x10(%rsp)
+-
+- sgdt save_gdt(%rip)
+-
+- leaq 1f(%rip), %rbx
+- movq %rbx, func_rt_ptr(%rip)
+-
+- /* Switch to gdt with 32-bit segments */
+- movl 64(%rsp), %eax
+- lgdt (%rax)
+-
+- leaq efi_enter32(%rip), %rax
+- pushq $__KERNEL_CS
+- pushq %rax
+- lretq
+-
+-1: addq $32, %rsp
+-
+- lgdt save_gdt(%rip)
+-
+- pop %rbx
+- movl %ebx, %ss
+- pop %rbx
+- movl %ebx, %es
+- pop %rbx
+- movl %ebx, %ds
+-
+- /*
+- * Convert 32-bit status code into 64-bit.
+- */
+- test %rax, %rax
+- jz 1f
+- movl %eax, %ecx
+- andl $0x0fffffff, %ecx
+- andl $0xf0000000, %eax
+- shl $32, %rax
+- or %rcx, %rax
+-1:
+- ret
+-ENDPROC(__efi64_thunk)
+-
+-ENTRY(efi_exit32)
+- movq func_rt_ptr(%rip), %rax
+- push %rax
+- mov %rdi, %rax
+- ret
+-ENDPROC(efi_exit32)
+-
+- .code32
+-/*
+- * EFI service pointer must be in %edi.
+- *
+- * The stack should represent the 32-bit calling convention.
+- */
+-ENTRY(efi_enter32)
+- movl $__KERNEL_DS, %eax
+- movl %eax, %ds
+- movl %eax, %es
+- movl %eax, %ss
+-
+- /* Reload pgtables */
+- movl %cr3, %eax
+- movl %eax, %cr3
+-
+- /* Disable paging */
+- movl %cr0, %eax
+- btrl $X86_CR0_PG_BIT, %eax
+- movl %eax, %cr0
+-
+- /* Disable long mode via EFER */
+- movl $MSR_EFER, %ecx
+- rdmsr
+- btrl $_EFER_LME, %eax
+- wrmsr
+-
+- call *%edi
+-
+- /* We must preserve return value */
+- movl %eax, %edi
+-
+- /*
+- * Some firmware will return with interrupts enabled. Be sure to
+- * disable them before we switch GDTs.
+- */
+- cli
+-
+- movl 68(%esp), %eax
+- movl %eax, 2(%eax)
+- lgdtl (%eax)
+-
+- movl %cr4, %eax
+- btsl $(X86_CR4_PAE_BIT), %eax
+- movl %eax, %cr4
+-
+- movl %cr3, %eax
+- movl %eax, %cr3
+-
+- movl $MSR_EFER, %ecx
+- rdmsr
+- btsl $_EFER_LME, %eax
+- wrmsr
+-
+- xorl %eax, %eax
+- lldt %ax
+-
+- movl 72(%esp), %eax
+- pushl $__KERNEL_CS
+- pushl %eax
+-
+- /* Enable paging */
+- movl %cr0, %eax
+- btsl $X86_CR0_PG_BIT, %eax
+- movl %eax, %cr0
+- lret
+-ENDPROC(efi_enter32)
+-
+- .data
+- .balign 8
+- .global efi32_boot_gdt
+-efi32_boot_gdt: .word 0
+- .quad 0
+-
+-save_gdt: .word 0
+- .quad 0
+-func_rt_ptr: .quad 0
+-
+- .global efi_gdt64
+-efi_gdt64:
+- .word efi_gdt64_end - efi_gdt64
+- .long 0 /* Filled out by user */
+- .word 0
+- .quad 0x0000000000000000 /* NULL descriptor */
+- .quad 0x00af9a000000ffff /* __KERNEL_CS */
+- .quad 0x00cf92000000ffff /* __KERNEL_DS */
+- .quad 0x0080890000000000 /* TS descriptor */
+- .quad 0x0000000000000000 /* TS continued */
+-efi_gdt64_end:
+-#endif /* CONFIG_EFI_MIXED */
+-
+ .data
+ ENTRY(efi_scratch)
+ .fill 3,8,0
+--- a/arch/x86/platform/efi/efi_thunk_64.S
++++ b/arch/x86/platform/efi/efi_thunk_64.S
+@@ -1,9 +1,26 @@
+ /*
+ * Copyright (C) 2014 Intel Corporation; author Matt Fleming
++ *
++ * Support for invoking 32-bit EFI runtime services from a 64-bit
++ * kernel.
++ *
++ * The below thunking functions are only used after ExitBootServices()
++ * has been called. This simplifies things considerably as compared with
++ * the early EFI thunking because we can leave all the kernel state
++ * intact (GDT, IDT, etc) and simply invoke the the 32-bit EFI runtime
++ * services from __KERNEL32_CS. This means we can continue to service
++ * interrupts across an EFI mixed mode call.
++ *
++ * We do however, need to handle the fact that we're running in a full
++ * 64-bit virtual address space. Things like the stack and instruction
++ * addresses need to be accessible by the 32-bit firmware, so we rely on
++ * using the identity mappings in the EFI page table to access the stack
++ * and kernel text (see efi_setup_page_tables()).
+ */
+
+ #include <linux/linkage.h>
+ #include <asm/page_types.h>
++#include <asm/segment.h>
+
+ .text
+ .code64
+@@ -33,14 +50,6 @@ ENTRY(efi64_thunk)
+ leaq efi_exit32(%rip), %rbx
+ subq %rax, %rbx
+ movl %ebx, 8(%rsp)
+- leaq efi_gdt64(%rip), %rbx
+- subq %rax, %rbx
+- movl %ebx, 2(%ebx)
+- movl %ebx, 4(%rsp)
+- leaq efi_gdt32(%rip), %rbx
+- subq %rax, %rbx
+- movl %ebx, 2(%ebx)
+- movl %ebx, (%rsp)
+
+ leaq __efi64_thunk(%rip), %rbx
+ subq %rax, %rbx
+@@ -52,14 +61,92 @@ ENTRY(efi64_thunk)
+ retq
+ ENDPROC(efi64_thunk)
+
+- .data
+-efi_gdt32:
+- .word efi_gdt32_end - efi_gdt32
+- .long 0 /* Filled out above */
+- .word 0
+- .quad 0x0000000000000000 /* NULL descriptor */
+- .quad 0x00cf9a000000ffff /* __KERNEL_CS */
+- .quad 0x00cf93000000ffff /* __KERNEL_DS */
+-efi_gdt32_end:
++/*
++ * We run this function from the 1:1 mapping.
++ *
++ * This function must be invoked with a 1:1 mapped stack.
++ */
++ENTRY(__efi64_thunk)
++ movl %ds, %eax
++ push %rax
++ movl %es, %eax
++ push %rax
++ movl %ss, %eax
++ push %rax
++
++ subq $32, %rsp
++ movl %esi, 0x0(%rsp)
++ movl %edx, 0x4(%rsp)
++ movl %ecx, 0x8(%rsp)
++ movq %r8, %rsi
++ movl %esi, 0xc(%rsp)
++ movq %r9, %rsi
++ movl %esi, 0x10(%rsp)
++
++ leaq 1f(%rip), %rbx
++ movq %rbx, func_rt_ptr(%rip)
++
++ /* Switch to 32-bit descriptor */
++ pushq $__KERNEL32_CS
++ leaq efi_enter32(%rip), %rax
++ pushq %rax
++ lretq
++
++1: addq $32, %rsp
++
++ pop %rbx
++ movl %ebx, %ss
++ pop %rbx
++ movl %ebx, %es
++ pop %rbx
++ movl %ebx, %ds
+
++ /*
++ * Convert 32-bit status code into 64-bit.
++ */
++ test %rax, %rax
++ jz 1f
++ movl %eax, %ecx
++ andl $0x0fffffff, %ecx
++ andl $0xf0000000, %eax
++ shl $32, %rax
++ or %rcx, %rax
++1:
++ ret
++ENDPROC(__efi64_thunk)
++
++ENTRY(efi_exit32)
++ movq func_rt_ptr(%rip), %rax
++ push %rax
++ mov %rdi, %rax
++ ret
++ENDPROC(efi_exit32)
++
++ .code32
++/*
++ * EFI service pointer must be in %edi.
++ *
++ * The stack should represent the 32-bit calling convention.
++ */
++ENTRY(efi_enter32)
++ movl $__KERNEL_DS, %eax
++ movl %eax, %ds
++ movl %eax, %es
++ movl %eax, %ss
++
++ call *%edi
++
++ /* We must preserve return value */
++ movl %eax, %edi
++
++ movl 72(%esp), %eax
++ pushl $__KERNEL_CS
++ pushl %eax
++
++ lret
++ENDPROC(efi_enter32)
++
++ .data
++ .balign 8
++func_rt_ptr: .quad 0
+ efi_saved_sp: .quad 0
--- /dev/null
+From 1ea76fbadd667b19c4fa4466f3a3b55a505e83d9 Mon Sep 17 00:00:00 2001
+From: Jiang Liu <jiang.liu@linux.intel.com>
+Date: Mon, 16 Feb 2015 10:11:13 +0800
+Subject: x86/irq: Fix regression caused by commit b568b8601f05
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiang Liu <jiang.liu@linux.intel.com>
+
+commit 1ea76fbadd667b19c4fa4466f3a3b55a505e83d9 upstream.
+
+Commit b568b8601f05 ("Treat SCI interrupt as normal GSI interrupt")
+accidently removes support of legacy PIC interrupt when fixing a
+regression for Xen, which causes a nasty regression on HP/Compaq
+nc6000 where we fail to register the ACPI interrupt, and thus
+lose eg. thermal notifications leading a potentially overheated
+machine.
+
+So reintroduce support of legacy PIC based ACPI SCI interrupt.
+
+Reported-by: Ville Syrjälä <syrjala@sci.fi>
+Tested-by: Ville Syrjälä <syrjala@sci.fi>
+Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Len Brown <len.brown@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
+Cc: Sander Eikelenboom <linux@eikelenboom.it>
+Cc: linux-pm@vger.kernel.org
+Link: http://lkml.kernel.org/r/1424052673-22974-1-git-send-email-jiang.liu@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/acpi/boot.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -613,6 +613,11 @@ int acpi_gsi_to_irq(u32 gsi, unsigned in
+ {
+ int rc, irq, trigger, polarity;
+
++ if (acpi_irq_model == ACPI_IRQ_MODEL_PIC) {
++ *irqp = gsi;
++ return 0;
++ }
++
+ rc = acpi_get_override_irq(gsi, &trigger, &polarity);
+ if (rc == 0) {
+ trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
--- /dev/null
+From 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Sat, 14 Feb 2015 09:33:50 -0800
+Subject: x86, mm/ASLR: Fix stack randomization on 64-bit systems
+
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+
+commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream.
+
+The issue is that the stack for processes is not properly randomized on
+64 bit architectures due to an integer overflow.
+
+The affected function is randomize_stack_top() in file
+"fs/binfmt_elf.c":
+
+ static unsigned long randomize_stack_top(unsigned long stack_top)
+ {
+ unsigned int random_variable = 0;
+
+ if ((current->flags & PF_RANDOMIZE) &&
+ !(current->personality & ADDR_NO_RANDOMIZE)) {
+ random_variable = get_random_int() & STACK_RND_MASK;
+ random_variable <<= PAGE_SHIFT;
+ }
+ return PAGE_ALIGN(stack_top) + random_variable;
+ return PAGE_ALIGN(stack_top) - random_variable;
+ }
+
+Note that, it declares the "random_variable" variable as "unsigned int".
+Since the result of the shifting operation between STACK_RND_MASK (which
+is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
+
+ random_variable <<= PAGE_SHIFT;
+
+then the two leftmost bits are dropped when storing the result in the
+"random_variable". This variable shall be at least 34 bits long to hold
+the (22+12) result.
+
+These two dropped bits have an impact on the entropy of process stack.
+Concretely, the total stack entropy is reduced by four: from 2^28 to
+2^30 (One fourth of expected entropy).
+
+This patch restores back the entropy by correcting the types involved
+in the operations in the functions randomize_stack_top() and
+stack_maxrandom_size().
+
+The successful fix can be tested with:
+
+ $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
+ 7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
+ 7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
+ 7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
+ 7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
+ ...
+
+Once corrected, the leading bytes should be between 7ffc and 7fff,
+rather than always being 7fff.
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll <iripoll@upv.es>
+[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Fixes: CVE-2015-1593
+Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/mmap.c | 6 +++---
+ fs/binfmt_elf.c | 5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_ali
+ .flags = -1,
+ };
+
+-static unsigned int stack_maxrandom_size(void)
++static unsigned long stack_maxrandom_size(void)
+ {
+- unsigned int max = 0;
++ unsigned long max = 0;
+ if ((current->flags & PF_RANDOMIZE) &&
+ !(current->personality & ADDR_NO_RANDOMIZE)) {
+- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
++ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
+ }
+
+ return max;
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -645,11 +645,12 @@ out:
+
+ static unsigned long randomize_stack_top(unsigned long stack_top)
+ {
+- unsigned int random_variable = 0;
++ unsigned long random_variable = 0;
+
+ if ((current->flags & PF_RANDOMIZE) &&
+ !(current->personality & ADDR_NO_RANDOMIZE)) {
+- random_variable = get_random_int() & STACK_RND_MASK;
++ random_variable = (unsigned long) get_random_int();
++ random_variable &= STACK_RND_MASK;
+ random_variable <<= PAGE_SHIFT;
+ }
+ #ifdef CONFIG_STACK_GROWSUP
--- /dev/null
+From 1b43d7125f3b6f7d46e72da64f65f3187a83b66b Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 14 Jan 2015 18:39:31 +0200
+Subject: x86: pmc-atom: Assign debugfs node as soon as possible
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 1b43d7125f3b6f7d46e72da64f65f3187a83b66b upstream.
+
+pmc_dbgfs_unregister() will be called when pmc->dbgfs_dir is unconditionally
+NULL on error path in pmc_dbgfs_register(). To prevent this we move the
+assignment to where is should be.
+
+Fixes: f855911c1f48 (x86/pmc_atom: Expose PMC device state and platform sleep state)
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Aubrey Li <aubrey.li@linux.intel.com>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Kumar P. Mahesh <mahesh.kumar.p@intel.com>
+Link: http://lkml.kernel.org/r/1421253575-22509-2-git-send-email-andriy.shevchenko@linux.intel.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/pmc_atom.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/pmc_atom.c
++++ b/arch/x86/kernel/pmc_atom.c
+@@ -217,6 +217,8 @@ static int pmc_dbgfs_register(struct pmc
+ if (!dir)
+ return -ENOMEM;
+
++ pmc->dbgfs_dir = dir;
++
+ f = debugfs_create_file("dev_state", S_IFREG | S_IRUGO,
+ dir, pmc, &pmc_dev_state_ops);
+ if (!f) {
+@@ -229,7 +231,7 @@ static int pmc_dbgfs_register(struct pmc
+ dev_err(&pdev->dev, "sleep_state register failed\n");
+ goto err;
+ }
+- pmc->dbgfs_dir = dir;
++
+ return 0;
+ err:
+ pmc_dbgfs_unregister(pmc);
--- /dev/null
+From dfcc70a8c868fe03276fa59864149708fb41930b Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 23 Feb 2015 22:34:17 +1100
+Subject: xfs: Fix quota type in quota structures when reusing quota file
+
+From: Jan Kara <jack@suse.cz>
+
+commit dfcc70a8c868fe03276fa59864149708fb41930b upstream.
+
+For filesystems without separate project quota inode field in the
+superblock we just reuse project quota file for group quotas (and vice
+versa) if project quota file is allocated and we need group quota file.
+When we reuse the file, quota structures on disk suddenly have wrong
+type stored in d_flags though. Nobody really cares about this (although
+structure type reported to userspace was wrong as well) except
+that after commit 14bf61ffe6ac (quota: Switch ->get_dqblk() and
+->set_dqblk() to use bytes as space units) assertion in
+xfs_qm_scall_getquota() started to trigger on xfs/106 test (apparently I
+was testing without XFS_DEBUG so I didn't notice when submitting the
+above commit).
+
+Fix the problem by properly resetting ddq->d_flags when running quotacheck
+for a quota file.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_qm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/xfs/xfs_qm.c
++++ b/fs/xfs/xfs_qm.c
+@@ -842,6 +842,11 @@ xfs_qm_reset_dqcounts(
+ */
+ xfs_dqcheck(mp, ddq, id+j, type, XFS_QMOPT_DQREPAIR,
+ "xfs_quotacheck");
++ /*
++ * Reset type in case we are reusing group quota file for
++ * project quotas or vice versa
++ */
++ ddq->d_flags = type;
+ ddq->d_bcount = 0;
+ ddq->d_icount = 0;
+ ddq->d_rtbcount = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
