--- /dev/null
+From f61bd0585dfc7d99db4936d7467de4ca8e2f7ea0 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri, 21 Sep 2012 15:09:47 +0800
+Subject: can: mscan-mpc5xxx: fix return value check in mpc512x_can_get_clock()
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit f61bd0585dfc7d99db4936d7467de4ca8e2f7ea0 upstream.
+
+In case of error, the function clk_get() returns ERR_PTR()
+and never returns NULL pointer. The NULL test in the error
+handling should be replaced with IS_ERR().
+
+dpatch engine is used to auto generated this patch.
+(https://github.com/weiyj/dpatch)
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Acked-by: Wolfgang Grandegger <wg@grandegger.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/mscan/mpc5xxx_can.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/mscan/mpc5xxx_can.c
++++ b/drivers/net/can/mscan/mpc5xxx_can.c
+@@ -181,7 +181,7 @@ static u32 __devinit mpc512x_can_get_clo
+
+ if (!clock_name || !strcmp(clock_name, "sys")) {
+ sys_clk = clk_get(&ofdev->dev, "sys_clk");
+- if (!sys_clk) {
++ if (IS_ERR(sys_clk)) {
+ dev_err(&ofdev->dev, "couldn't get sys_clk\n");
+ goto exit_unmap;
+ }
+@@ -204,7 +204,7 @@ static u32 __devinit mpc512x_can_get_clo
+
+ if (clocksrc < 0) {
+ ref_clk = clk_get(&ofdev->dev, "ref_clk");
+- if (!ref_clk) {
++ if (IS_ERR(ref_clk)) {
+ dev_err(&ofdev->dev, "couldn't get ref_clk\n");
+ goto exit_unmap;
+ }
--- /dev/null
+From c00aaa1a0221a22153071fcb2f320e2ebaecc2fd Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 28 Sep 2012 17:33:52 +0000
+Subject: IB/qib: Fix local access validation for user MRs
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit c00aaa1a0221a22153071fcb2f320e2ebaecc2fd upstream.
+
+Commit 8aac4cc3a9d7 ("IB/qib: RCU locking for MR validation") introduced
+a bug that broke user post sends. The proper validation of the MR
+was lost in the patch.
+
+This patch corrects that validation.
+
+Reviewed-by: Dean Luick <dean.luick@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib_keys.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/qib/qib_keys.c
++++ b/drivers/infiniband/hw/qib/qib_keys.c
+@@ -186,8 +186,9 @@ int qib_lkey_ok(struct qib_lkey_table *r
+ goto bail;
+
+ off = sge->addr - mr->user_base;
+- if (unlikely(sge->addr < mr->iova || off + sge->length > mr->length ||
+- (mr->access_flags & acc) == 0))
++ if (unlikely(sge->addr < mr->user_base ||
++ off + sge->length > mr->length ||
++ (mr->access_flags & acc) != acc))
+ goto bail;
+ if (unlikely(!atomic_inc_not_zero(&mr->refcount)))
+ goto bail;
--- /dev/null
+From d8536670916a685df116b5c2cb256573fd25e4e3 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 24 Aug 2012 10:29:11 +0000
+Subject: IB/srp: Avoid having aborted requests hang
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit d8536670916a685df116b5c2cb256573fd25e4e3 upstream.
+
+We need to call scsi_done() for commands after we abort them.
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: David Dillow <dillowda@ornl.gov>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1687,6 +1687,7 @@ static int srp_abort(struct scsi_cmnd *s
+ SRP_TSK_ABORT_TASK);
+ srp_free_req(target, req, scmnd, 0);
+ scmnd->result = DID_ABORT << 16;
++ scmnd->scsi_done(scmnd);
+
+ return SUCCESS;
+ }
--- /dev/null
+From 9b796d06d5d1b1e85ae2316a283ea11dd739ef96 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 24 Aug 2012 10:27:54 +0000
+Subject: IB/srp: Fix use-after-free in srp_reset_req()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 9b796d06d5d1b1e85ae2316a283ea11dd739ef96 upstream.
+
+srp_free_req() uses the scsi_cmnd structure contents to unmap
+buffers, so we must invoke srp_free_req() before we release
+ownership of that structure.
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: David Dillow <dillowda@ornl.gov>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -638,9 +638,9 @@ static void srp_reset_req(struct srp_tar
+ struct scsi_cmnd *scmnd = srp_claim_req(target, req, NULL);
+
+ if (scmnd) {
++ srp_free_req(target, req, scmnd, 0);
+ scmnd->result = DID_RESET << 16;
+ scmnd->scsi_done(scmnd);
+- srp_free_req(target, req, scmnd, 0);
+ }
+ }
+
--- /dev/null
+From 824efd37415961d38821ecbd9694e213fb2e8b32 Mon Sep 17 00:00:00 2001
+From: Seth Forshee <seth.forshee@canonical.com>
+Date: Fri, 28 Sep 2012 10:29:21 -0700
+Subject: Input: synaptics - adjust threshold for treating position values as negative
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+commit 824efd37415961d38821ecbd9694e213fb2e8b32 upstream.
+
+Commit c039450 (Input: synaptics - handle out of bounds values from the
+hardware) caused any hardware reported values over 7167 to be treated as
+a wrapped-around negative value. It turns out that some firmware uses
+the value 8176 to indicate a finger near the edge of the touchpad whose
+actual position cannot be determined. This value now gets treated as
+negative, which can cause pointer jumps and broken edge scrolling on
+these machines.
+
+I only know of one touchpad which reports negative values, and this
+hardware never reports any value lower than -8 (i.e. 8184). Moving the
+threshold for treating a value as negative up to 8176 should work fine
+then for any hardware we currently know about, and since we're dealing
+with unspecified behavior it's probably the best we can do. The special
+8176 value is also likely to result in sudden jumps in position, so
+let's also clamp this to the maximum specified value for the axis.
+
+BugLink: http://bugs.launchpad.net/bugs/1046512
+https://bugzilla.kernel.org/show_bug.cgi?id=46371
+
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
+Tested-by: Alan Swanson <swanson@ukfsn.org>
+Tested-by: Arteom <arutemus@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -53,14 +53,19 @@
+ #define ABS_POS_BITS 13
+
+ /*
+- * Any position values from the hardware above the following limits are
+- * treated as "wrapped around negative" values that have been truncated to
+- * the 13-bit reporting range of the hardware. These are just reasonable
+- * guesses and can be adjusted if hardware is found that operates outside
+- * of these parameters.
++ * These values should represent the absolute maximum value that will
++ * be reported for a positive position value. Some Synaptics firmware
++ * uses this value to indicate a finger near the edge of the touchpad
++ * whose precise position cannot be determined.
++ *
++ * At least one touchpad is known to report positions in excess of this
++ * value which are actually negative values truncated to the 13-bit
++ * reporting range. These values have never been observed to be lower
++ * than 8184 (i.e. -8), so we treat all values greater than 8176 as
++ * negative and any other value as positive.
+ */
+-#define X_MAX_POSITIVE (((1 << ABS_POS_BITS) + XMAX) / 2)
+-#define Y_MAX_POSITIVE (((1 << ABS_POS_BITS) + YMAX) / 2)
++#define X_MAX_POSITIVE 8176
++#define Y_MAX_POSITIVE 8176
+
+ /*****************************************************************************
+ * Stuff we need even when we do not want native Synaptics support
+@@ -604,11 +609,21 @@ static int synaptics_parse_hw_state(cons
+ hw->right = (buf[0] & 0x02) ? 1 : 0;
+ }
+
+- /* Convert wrap-around values to negative */
++ /*
++ * Convert wrap-around values to negative. (X|Y)_MAX_POSITIVE
++ * is used by some firmware to indicate a finger at the edge of
++ * the touchpad whose precise position cannot be determined, so
++ * convert these values to the maximum axis value.
++ */
+ if (hw->x > X_MAX_POSITIVE)
+ hw->x -= 1 << ABS_POS_BITS;
++ else if (hw->x == X_MAX_POSITIVE)
++ hw->x = XMAX;
++
+ if (hw->y > Y_MAX_POSITIVE)
+ hw->y -= 1 << ABS_POS_BITS;
++ else if (hw->y == Y_MAX_POSITIVE)
++ hw->y = YMAX;
+
+ return 0;
+ }
--- /dev/null
+From bea1e22df494a729978e7f2c54f7bda328f74bc3 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 30 Aug 2012 07:01:30 +0000
+Subject: IPoIB: Fix use-after-free of multicast object
+
+From: Patrick McHardy <kaber@trash.net>
+
+commit bea1e22df494a729978e7f2c54f7bda328f74bc3 upstream.
+
+Fix a crash in ipoib_mcast_join_task(). (with help from Or Gerlitz)
+
+Commit c8c2afe360b7 ("IPoIB: Use rtnl lock/unlock when changing device
+flags") added a call to rtnl_lock() in ipoib_mcast_join_task(), which
+is run from the ipoib_workqueue, and hence the workqueue can't be
+flushed from the context of ipoib_stop().
+
+In the current code, ipoib_stop() (which doesn't flush the workqueue)
+calls ipoib_mcast_dev_flush(), which goes and deletes all the
+multicast entries. This takes place without any synchronization with
+a possible running instance of ipoib_mcast_join_task() for the same
+ipoib device, leading to a crash due to NULL pointer dereference.
+
+Fix this by making sure that the workqueue is flushed before
+ipoib_mcast_dev_flush() is called. To make that possible, we move the
+RTNL-lock wrapped code to ipoib_mcast_join_finish().
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
+ drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 19 ++++++++++---------
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -150,7 +150,7 @@ static int ipoib_stop(struct net_device
+
+ netif_stop_queue(dev);
+
+- ipoib_ib_dev_down(dev, 0);
++ ipoib_ib_dev_down(dev, 1);
+ ipoib_ib_dev_stop(dev, 0);
+
+ if (!test_bit(IPOIB_FLAG_SUBINTERFACE, &priv->flags)) {
+--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+@@ -175,7 +175,9 @@ static int ipoib_mcast_join_finish(struc
+
+ mcast->mcmember = *mcmember;
+
+- /* Set the cached Q_Key before we attach if it's the broadcast group */
++ /* Set the multicast MTU and cached Q_Key before we attach if it's
++ * the broadcast group.
++ */
+ if (!memcmp(mcast->mcmember.mgid.raw, priv->dev->broadcast + 4,
+ sizeof (union ib_gid))) {
+ spin_lock_irq(&priv->lock);
+@@ -183,10 +185,17 @@ static int ipoib_mcast_join_finish(struc
+ spin_unlock_irq(&priv->lock);
+ return -EAGAIN;
+ }
++ priv->mcast_mtu = IPOIB_UD_MTU(ib_mtu_enum_to_int(priv->broadcast->mcmember.mtu));
+ priv->qkey = be32_to_cpu(priv->broadcast->mcmember.qkey);
+ spin_unlock_irq(&priv->lock);
+ priv->tx_wr.wr.ud.remote_qkey = priv->qkey;
+ set_qkey = 1;
++
++ if (!ipoib_cm_admin_enabled(dev)) {
++ rtnl_lock();
++ dev_set_mtu(dev, min(priv->mcast_mtu, priv->admin_mtu));
++ rtnl_unlock();
++ }
+ }
+
+ if (!test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags)) {
+@@ -574,14 +583,6 @@ void ipoib_mcast_join_task(struct work_s
+ return;
+ }
+
+- priv->mcast_mtu = IPOIB_UD_MTU(ib_mtu_enum_to_int(priv->broadcast->mcmember.mtu));
+-
+- if (!ipoib_cm_admin_enabled(dev)) {
+- rtnl_lock();
+- dev_set_mtu(dev, min(priv->mcast_mtu, priv->admin_mtu));
+- rtnl_unlock();
+- }
+-
+ ipoib_dbg_mcast(priv, "successfully joined all multicast groups\n");
+
+ clear_bit(IPOIB_MCAST_RUN, &priv->flags);
--- /dev/null
+From 6d70a74ffd616073a68ae0974d98819bfa8e6da6 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 22 Jun 2012 11:31:14 -0700
+Subject: isci: fix isci_pci_probe() generates warning on efi failure path
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 6d70a74ffd616073a68ae0974d98819bfa8e6da6 upstream.
+
+The oem parameter image embedded in the efi variable is at an offset
+from the start of the variable. However, in the failure path we try to
+free the 'orom' pointer which is only valid when the paramaters are
+being read from the legacy option-rom space.
+
+Since failure to load the oem parameters is unlikely and we keep the
+memory around in the success case just defer all de-allocation to devm.
+
+Reported-by: Don Morris <don.morris@hp.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/isci/init.c | 1 -
+ drivers/scsi/isci/probe_roms.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+--- a/drivers/scsi/isci/init.c
++++ b/drivers/scsi/isci/init.c
+@@ -644,7 +644,6 @@ static int __devinit isci_pci_probe(stru
+ orom->hdr.version)) {
+ dev_warn(&pdev->dev,
+ "[%d]: invalid oem parameters detected, falling back to firmware\n", i);
+- devm_kfree(&pdev->dev, orom);
+ orom = NULL;
+ break;
+ }
+--- a/drivers/scsi/isci/probe_roms.c
++++ b/drivers/scsi/isci/probe_roms.c
+@@ -104,7 +104,6 @@ struct isci_orom *isci_request_oprom(str
+
+ if (i >= len) {
+ dev_err(&pdev->dev, "oprom parse error\n");
+- devm_kfree(&pdev->dev, rom);
+ rom = NULL;
+ }
+ pci_unmap_biosrom(oprom);
--- /dev/null
+From 7168d914a782086e217214c57ddfc7cc4b738c0c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 25 Sep 2012 10:01:56 +0300
+Subject: remoteproc: fix a potential NULL-dereference on cleanup
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 7168d914a782086e217214c57ddfc7cc4b738c0c upstream.
+
+We only need to allocate mapping if there is an IOMMU domain.
+
+Otherwise, when the mappings are released, the assumption that
+an IOMMU domain is there will crash and burn.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[ohad: revise commit log]
+Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/remoteproc_core.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -545,17 +545,10 @@ static int rproc_handle_carveout(struct
+ dev_dbg(dev, "carveout rsc: da %x, pa %x, len %x, flags %x\n",
+ rsc->da, rsc->pa, rsc->len, rsc->flags);
+
+- mapping = kzalloc(sizeof(*mapping), GFP_KERNEL);
+- if (!mapping) {
+- dev_err(dev, "kzalloc mapping failed\n");
+- return -ENOMEM;
+- }
+-
+ carveout = kzalloc(sizeof(*carveout), GFP_KERNEL);
+ if (!carveout) {
+ dev_err(dev, "kzalloc carveout failed\n");
+- ret = -ENOMEM;
+- goto free_mapping;
++ return -ENOMEM;
+ }
+
+ va = dma_alloc_coherent(dev->parent, rsc->len, &dma, GFP_KERNEL);
+@@ -585,11 +578,18 @@ static int rproc_handle_carveout(struct
+ * physical address in this case.
+ */
+ if (rproc->domain) {
++ mapping = kzalloc(sizeof(*mapping), GFP_KERNEL);
++ if (!mapping) {
++ dev_err(dev, "kzalloc mapping failed\n");
++ ret = -ENOMEM;
++ goto dma_free;
++ }
++
+ ret = iommu_map(rproc->domain, rsc->da, dma, rsc->len,
+ rsc->flags);
+ if (ret) {
+ dev_err(dev, "iommu_map failed: %d\n", ret);
+- goto dma_free;
++ goto free_mapping;
+ }
+
+ /*
+@@ -634,12 +634,12 @@ static int rproc_handle_carveout(struct
+
+ return 0;
+
++free_mapping:
++ kfree(mapping);
+ dma_free:
+ dma_free_coherent(dev->parent, rsc->len, va, dma);
+ free_carv:
+ kfree(carveout);
+-free_mapping:
+- kfree(mapping);
+ return ret;
+ }
+
--- /dev/null
+From 2ed6d29c725c4aead510b5c23f563795b265acf5 Mon Sep 17 00:00:00 2001
+From: Ohad Ben-Cohen <ohad@wizery.com>
+Date: Sun, 30 Sep 2012 10:25:34 +0200
+Subject: remoteproc: select VIRTIO to avoid build breakage
+
+From: Ohad Ben-Cohen <ohad@wizery.com>
+
+commit 2ed6d29c725c4aead510b5c23f563795b265acf5 upstream.
+
+drivers/built-in.o: In function `rproc_virtio_finalize_features':
+remoteproc_virtio.c:(.text+0x2f9a02): undefined reference to `vring_transport_features'
+drivers/built-in.o: In function `rproc_virtio_del_vqs':
+remoteproc_virtio.c:(.text+0x2f9a74): undefined reference to `vring_del_virtqueue'
+drivers/built-in.o: In function `rproc_virtio_find_vqs':
+remoteproc_virtio.c:(.text+0x2f9c44): undefined reference to `vring_new_virtqueue'
+drivers/built-in.o: In function `rproc_add_virtio_dev':
+(.text+0x2f9e2c): undefined reference to `register_virtio_device'
+drivers/built-in.o: In function `rproc_vq_interrupt':
+(.text+0x2f9db7): undefined reference to `vring_interrupt'
+drivers/built-in.o: In function `rproc_remove_virtio_dev':
+(.text+0x2f9e9f): undefined reference to `unregister_virtio_device'
+
+Reported-by: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/remoteproc/Kconfig
++++ b/drivers/remoteproc/Kconfig
+@@ -5,6 +5,7 @@ config REMOTEPROC
+ tristate
+ depends on EXPERIMENTAL
+ select FW_CONFIG
++ select VIRTIO
+
+ config OMAP_REMOTEPROC
+ tristate "OMAP remoteproc support"
--- /dev/null
+From 21e89afd325849eb38adccf382df16cc895911f9 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com>
+Date: Thu, 26 Jul 2012 11:34:10 -0500
+Subject: SCSI: hpsa: Use LUN reset instead of target reset
+
+From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com>
+
+commit 21e89afd325849eb38adccf382df16cc895911f9 upstream.
+
+It turns out Smart Array logical drives do not support target
+reset and when the target reset fails, the logical drive will
+be taken off line. Symptoms look like this:
+
+hpsa 0000:03:00.0: Abort request on C1:B0:T0:L0
+hpsa 0000:03:00.0: resetting device 1:0:0:0
+hpsa 0000:03:00.0: cp ffff880037c56000 is reported invalid (probably means target device no longer present)
+hpsa 0000:03:00.0: resetting device failed.
+sd 1:0:0:0: Device offlined - not ready after error recovery
+sd 1:0:0:0: rejecting I/O to offline device
+EXT3-fs error (device sdb1): read_block_bitmap:
+
+LUN reset is supported though, and is what we should be using.
+Target reset is also disruptive in shared SAS situations,
+for example, an external MSA1210m which does support target
+reset attached to Smart Arrays in multiple hosts -- a target
+reset from one host is disruptive to other hosts as all LUNs
+on the target will be reset and will abort all outstanding i/os
+back to all the attached hosts. So we should use LUN reset,
+not target reset.
+
+Tested this with Smart Array logical drives and with tape drives.
+Not sure how this bug survived since 2009, except it must be very
+rare for a Smart Array to require more than 30s to complete a request.
+
+Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3266,7 +3266,7 @@ static void fill_cmd(struct CommandList
+ c->Request.Timeout = 0; /* Don't time out */
+ memset(&c->Request.CDB[0], 0, sizeof(c->Request.CDB));
+ c->Request.CDB[0] = cmd;
+- c->Request.CDB[1] = 0x03; /* Reset target above */
++ c->Request.CDB[1] = HPSA_RESET_TYPE_LUN;
+ /* If bytes 4-7 are zero, it means reset the */
+ /* LunID device */
+ c->Request.CDB[4] = 0x00;
--- /dev/null
+From 225c56960fcafeccc2b6304f96cd3f0dbf42a16a Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 30 Jul 2012 11:33:05 +1000
+Subject: SCSI: ibmvscsi: Fix host config length field overflow
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 225c56960fcafeccc2b6304f96cd3f0dbf42a16a upstream.
+
+The length field in the host config packet is only 16-bit long, so
+passing it 0x10000 (64K which is our standard PAGE_SIZE) doesn't
+work and result in an empty config from the server.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Robert Jennings <rcj@linux.vnet.ibm.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -1541,6 +1541,9 @@ static int ibmvscsi_do_host_config(struc
+
+ host_config = &evt_struct->iu.mad.host_config;
+
++ /* The transport length field is only 16-bit */
++ length = min(0xffff, length);
++
+ /* Set up a lun reset SRP command */
+ memset(host_config, 0x00, sizeof(*host_config));
+ host_config->common.type = VIOSRP_HOST_CONFIG_TYPE;
n_gsm-uplink-skbs-accumulate-on-list.patch
n_gsm-added-interlocking-for-gsm_data_lock-for-certain-code-paths.patch
n_gsm-memory-leak-in-uplink-error-path.patch
+ubi-fix-autoresize-handling-in-r-o-mode.patch
+ubi-erase-free-peb-with-bitflip-in-ec-header.patch
+yama-handle-32-bit-userspace-prctl.patch
+scsi-ibmvscsi-fix-host-config-length-field-overflow.patch
+scsi-hpsa-use-lun-reset-instead-of-target-reset.patch
+can-mscan-mpc5xxx-fix-return-value-check-in-mpc512x_can_get_clock.patch
+input-synaptics-adjust-threshold-for-treating-position-values-as-negative.patch
+remoteproc-select-virtio-to-avoid-build-breakage.patch
+remoteproc-fix-a-potential-null-dereference-on-cleanup.patch
+ipoib-fix-use-after-free-of-multicast-object.patch
+ib-srp-fix-use-after-free-in-srp_reset_req.patch
+ib-srp-avoid-having-aborted-requests-hang.patch
+ib-qib-fix-local-access-validation-for-user-mrs.patch
+isci-fix-isci_pci_probe-generates-warning-on-efi-failure-path.patch
--- /dev/null
+From 193819cf2e6e395b1e1be2d36785dc5563a6edca Mon Sep 17 00:00:00 2001
+From: Matthieu CASTET <matthieu.castet@parrot.com>
+Date: Wed, 22 Aug 2012 16:03:46 +0200
+Subject: UBI: erase free PEB with bitflip in EC header
+
+From: Matthieu CASTET <matthieu.castet@parrot.com>
+
+commit 193819cf2e6e395b1e1be2d36785dc5563a6edca upstream.
+
+Without this patch, these PEB are not scrubbed until we put data in them.
+Bitflip can accumulate latter and we can loose the EC header (but VID header
+should be intact and allow to recover data).
+
+Signed-off-by: Matthieu Castet <matthieu.castet@parrot.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/attach.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/attach.c
++++ b/drivers/mtd/ubi/attach.c
+@@ -975,7 +975,7 @@ static int scan_peb(struct ubi_device *u
+ return err;
+ goto adjust_mean_ec;
+ case UBI_IO_FF:
+- if (ec_err)
++ if (ec_err || bitflips)
+ err = add_to_list(ai, pnum, UBI_UNKNOWN,
+ UBI_UNKNOWN, ec, 1, &ai->erase);
+ else
--- /dev/null
+From abb3e01103eb4e2ea5c15e6fedbc74e08bd4cc2b Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Sat, 18 Aug 2012 14:11:42 +0200
+Subject: UBI: fix autoresize handling in R/O mode
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+commit abb3e01103eb4e2ea5c15e6fedbc74e08bd4cc2b upstream.
+
+Currently UBI fails in autoresize when it is in R/O mode (e.g., because the
+underlying MTD device is R/O). This patch fixes the issue - we just skip
+autoresize and print a warning.
+
+Reported-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/build.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -759,6 +759,11 @@ static int autoresize(struct ubi_device
+ struct ubi_volume *vol = ubi->volumes[vol_id];
+ int err, old_reserved_pebs = vol->reserved_pebs;
+
++ if (ubi->ro_mode) {
++ ubi_warn("skip auto-resize because of R/O mode");
++ return 0;
++ }
++
+ /*
+ * Clear the auto-resize flag in the volume in-memory copy of the
+ * volume table, and 'ubi_resize_volume()' will propagate this change
--- /dev/null
+From 2e4930eb7c8fb20a39dfb5f8a8f80402710dcea8 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 27 Aug 2012 11:38:13 -0700
+Subject: Yama: handle 32-bit userspace prctl
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 2e4930eb7c8fb20a39dfb5f8a8f80402710dcea8 upstream.
+
+When running a 64-bit kernel and receiving prctls from a 32-bit
+userspace, the "-1" used as an unsigned long will end up being
+misdetected. The kernel is looking for 0xffffffffffffffff instead of
+0xffffffff. Since prctl lacks a distinct compat interface, Yama needs
+to handle this translation itself. As such, support either value as
+meaning PR_SET_PTRACER_ANY, to avoid breaking the ABI for 64-bit.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/yama/yama_lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -143,7 +143,7 @@ static int yama_task_prctl(int option, u
+ if (arg2 == 0) {
+ yama_ptracer_del(NULL, myself);
+ rc = 0;
+- } else if (arg2 == PR_SET_PTRACER_ANY) {
++ } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) {
+ rc = yama_ptracer_add(NULL, myself);
+ } else {
+ struct task_struct *tracer;
projects / thirdparty / kernel / stable-queue.git / commitdiff
