--- /dev/null
+From 771d09b3c4c45d4d534a83a68e6331b97fd82e15 Mon Sep 17 00:00:00 2001
+From: Gustavo Maciel Dias Vieira <gustavo@sagui.org>
+Date: Mon, 4 Mar 2013 15:23:37 +0000
+Subject: ACPI video: ignore BIOS backlight value for HP dm4
+
+From: Gustavo Maciel Dias Vieira <gustavo@sagui.org>
+
+commit 771d09b3c4c45d4d534a83a68e6331b97fd82e15 upstream.
+
+On a HP Pavilion dm4 laptop the BIOS sets minimum backlight on boot,
+completely dimming the screen. Ignore this initial value for this
+machine.
+
+Signed-off-by: Gustavo Maciel Dias Vieira <gustavo@sagui.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[wyj: Backported to 3.4: adjust context]
+Signed-off-by: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -471,6 +471,14 @@ static struct dmi_system_id video_dmi_ta
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP 1000 Notebook PC"),
+ },
+ },
++ {
++ .callback = video_ignore_initial_backlight,
++ .ident = "HP Pavilion dm4",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dm4 Notebook PC"),
++ },
++ },
+ {}
+ };
+
--- /dev/null
+From c349bf07d6c05e89c967327af0f334604826d0e4 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Tue, 27 Aug 2013 16:38:33 +1000
+Subject: powerpc: Don't Oops when accessing /proc/powerpc/lparcfg without hypervisor
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit f5f6cbb61610b7bf9d9d96db9c3979d62a424bab upstream.
+
+/proc/powerpc/lparcfg is an ancient facility (though still actively used)
+which allows access to some informations relative to the partition when
+running underneath a PAPR compliant hypervisor.
+
+It makes no sense on non-pseries machines. However, currently, not only
+can it be created on these if the kernel has pseries support, but accessing
+it on such a machine will crash due to trying to do hypervisor calls.
+
+In fact, it should also not do HV calls on older pseries that didn't have
+an hypervisor either.
+
+Finally, it has the plumbing to be a module but is a "bool" Kconfig option.
+
+This fixes the whole lot by turning it into a machine_device_initcall
+that is only created on pseries, and adding the necessary hypervisor
+check before calling the H_GET_EM_PARMS hypercall
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+[bwh: Backported to 3.2: lparcfg_cleanup() was a bit different]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/lparcfg.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+--- a/arch/powerpc/kernel/lparcfg.c
++++ b/arch/powerpc/kernel/lparcfg.c
+@@ -35,7 +35,13 @@
+ #include <asm/vdso_datapage.h>
+ #include <asm/vio.h>
+ #include <asm/mmu.h>
++#include <asm/machdep.h>
+
++
++/*
++ * This isn't a module but we expose that to userspace
++ * via /proc so leave the definitions here
++ */
+ #define MODULE_VERS "1.9"
+ #define MODULE_NAME "lparcfg"
+
+@@ -419,7 +425,8 @@ static void parse_em_data(struct seq_fil
+ {
+ unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
+
+- if (plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
++ if (firmware_has_feature(FW_FEATURE_LPAR) &&
++ plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
+ seq_printf(m, "power_mode_data=%016lx\n", retbuf[0]);
+ }
+
+@@ -678,7 +685,6 @@ static int lparcfg_open(struct inode *in
+ }
+
+ static const struct file_operations lparcfg_fops = {
+- .owner = THIS_MODULE,
+ .read = seq_read,
+ .write = lparcfg_write,
+ .open = lparcfg_open,
+@@ -704,15 +710,4 @@ static int __init lparcfg_init(void)
+ proc_ppc64_lparcfg = ent;
+ return 0;
+ }
+-
+-static void __exit lparcfg_cleanup(void)
+-{
+- if (proc_ppc64_lparcfg)
+- remove_proc_entry("lparcfg", proc_ppc64_lparcfg->parent);
+-}
+-
+-module_init(lparcfg_init);
+-module_exit(lparcfg_cleanup);
+-MODULE_DESCRIPTION("Interface for LPAR configuration data");
+-MODULE_AUTHOR("Dave Engebretsen");
+-MODULE_LICENSE("GPL");
++machine_device_initcall(pseries, lparcfg_init);
--- /dev/null
+From e4f37de094d8c0a55af0fe63d7f715457b2de3e6 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@samba.org>
+Date: Fri, 14 Jun 2013 20:07:41 +1000
+Subject: powerpc: Fix emulation of illegal instructions on PowerNV platform
+
+From: Paul Mackerras <paulus@samba.org>
+
+commit bf593907f7236e95698a76b7c7a2bbf8b1165327 upstream.
+
+Normally, the kernel emulates a few instructions that are unimplemented
+on some processors (e.g. the old dcba instruction), or privileged (e.g.
+mfpvr). The emulation of unimplemented instructions is currently not
+working on the PowerNV platform. The reason is that on these machines,
+unimplemented and illegal instructions cause a hypervisor emulation
+assist interrupt, rather than a program interrupt as on older CPUs.
+Our vector for the emulation assist interrupt just calls
+program_check_exception() directly, without setting the bit in SRR1
+that indicates an illegal instruction interrupt. This fixes it by
+making the emulation assist interrupt set that bit before calling
+program_check_interrupt(). With this, old programs that use no-longer
+implemented instructions such as dcba now work again.
+
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/traps.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -491,7 +491,7 @@ machine_check_common:
+ STD_EXCEPTION_COMMON(0xb00, trap_0b, .unknown_exception)
+ STD_EXCEPTION_COMMON(0xd00, single_step, .single_step_exception)
+ STD_EXCEPTION_COMMON(0xe00, trap_0e, .unknown_exception)
+- STD_EXCEPTION_COMMON(0xe40, emulation_assist, .program_check_exception)
++ STD_EXCEPTION_COMMON(0xe40, emulation_assist, .emulation_assist_interrupt)
+ STD_EXCEPTION_COMMON(0xe60, hmi_exception, .unknown_exception)
+ STD_EXCEPTION_COMMON_ASYNC(0xf00, performance_monitor, .performance_monitor_exception)
+ STD_EXCEPTION_COMMON(0x1300, instruction_breakpoint, .instruction_breakpoint_exception)
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1074,6 +1074,16 @@ void __kprobes program_check_exception(s
+ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+ }
+
++/*
++ * This occurs when running in hypervisor mode on POWER6 or later
++ * and an illegal instruction is encountered.
++ */
++void __kprobes emulation_assist_interrupt(struct pt_regs *regs)
++{
++ regs->msr |= REASON_ILLEGAL;
++ program_check_exception(regs);
++}
++
+ void alignment_exception(struct pt_regs *regs)
+ {
+ int sig, code, fixed = 0;
--- /dev/null
+From 36d04a55f34ab580aab001e497b97410f0ad5079 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Sun, 17 Nov 2013 11:39:05 +1100
+Subject: powerpc/pseries: Duplicate dtl entries sometimes sent to userspace
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 84b073868b9d9e754ae48b828337633d1b386482 upstream.
+
+When reading from the dispatch trace log (dtl) userspace interface, I
+sometimes see duplicate entries. One example:
+
+# hexdump -C dtl.out
+
+00000000 07 04 00 0c 00 00 48 44 00 00 00 00 00 00 00 00
+00000010 00 0c a0 b4 16 83 6d 68 00 00 00 00 00 00 00 00
+00000020 00 00 00 00 10 00 13 50 80 00 00 00 00 00 d0 32
+
+00000030 07 04 00 0c 00 00 48 44 00 00 00 00 00 00 00 00
+00000040 00 0c a0 b4 16 83 6d 68 00 00 00 00 00 00 00 00
+00000050 00 00 00 00 10 00 13 50 80 00 00 00 00 00 d0 32
+
+The problem is in scan_dispatch_log() where we call dtl_consumer()
+but bail out before incrementing the index.
+
+To fix this I moved dtl_consumer() after the timebase comparison.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -212,8 +212,6 @@ static u64 scan_dispatch_log(u64 stop_tb
+ if (i == vpa->dtl_idx)
+ return 0;
+ while (i < vpa->dtl_idx) {
+- if (dtl_consumer)
+- dtl_consumer(dtl, i);
+ dtb = dtl->timebase;
+ tb_delta = dtl->enqueue_to_dispatch_time +
+ dtl->ready_to_enqueue_time;
+@@ -226,6 +224,8 @@ static u64 scan_dispatch_log(u64 stop_tb
+ }
+ if (dtb > stop_tb)
+ break;
++ if (dtl_consumer)
++ dtl_consumer(dtl, i);
+ stolen += tb_delta;
+ ++i;
+ ++dtl;
--- /dev/null
+From 8f0ce108f5e1c6a443548746b6f01b450f71a407 Mon Sep 17 00:00:00 2001
+From: Chen Gang <gang.chen@asianux.com>
+Date: Mon, 22 Apr 2013 17:12:54 +0000
+Subject: powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
+
+From: Chen Gang <gang.chen@asianux.com>
+
+commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream.
+
+need set '\0' for 'local_buffer'.
+
+SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
+rtas_data_buf may truncated in memcpy.
+
+if contents are really truncated.
+ the splpar_strlen is more than 1026. the next while loop checking will
+ not find the end of buffer. that will cause memory access violation.
+
+Signed-off-by: Chen Gang <gang.chen@asianux.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/lparcfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/lparcfg.c
++++ b/arch/powerpc/kernel/lparcfg.c
+@@ -307,6 +307,7 @@ static void parse_system_parameter_strin
+ __pa(rtas_data_buf),
+ RTAS_DATA_BUF_SIZE);
+ memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
++ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
+ spin_unlock(&rtas_data_buf_lock);
+
+ if (call_status != 0) {
--- /dev/null
+From 0b2d10f8f2e686c9f4b718251765f09f77ee8088 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+Date: Tue, 1 Oct 2013 17:11:35 +1000
+Subject: powerpc: Restore registers on error exit from csum_partial_copy_generic()
+
+From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+
+commit 8f21bd0090052e740944f9397e2be5ac7957ded7 upstream.
+
+The csum_partial_copy_generic() function saves the PowerPC non-volatile
+r14, r15, and r16 registers for the main checksum-and-copy loop.
+Unfortunately, it fails to restore them upon error exit from this loop,
+which results in silent corruption of these registers in the presumably
+rare event of an access exception within that loop.
+
+This commit therefore restores these register on error exit from the loop.
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+[bwh: Backported to 3.2: register name macros use lower-case 'r']
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/checksum_64.S | 54 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 14 deletions(-)
+
+--- a/arch/powerpc/lib/checksum_64.S
++++ b/arch/powerpc/lib/checksum_64.S
+@@ -229,19 +229,35 @@ _GLOBAL(csum_partial)
+ blr
+
+
+- .macro source
++ .macro srcnr
+ 100:
+ .section __ex_table,"a"
+ .align 3
+- .llong 100b,.Lsrc_error
++ .llong 100b,.Lsrc_error_nr
+ .previous
+ .endm
+
+- .macro dest
++ .macro source
++150:
++ .section __ex_table,"a"
++ .align 3
++ .llong 150b,.Lsrc_error
++ .previous
++ .endm
++
++ .macro dstnr
+ 200:
+ .section __ex_table,"a"
+ .align 3
+- .llong 200b,.Ldest_error
++ .llong 200b,.Ldest_error_nr
++ .previous
++ .endm
++
++ .macro dest
++250:
++ .section __ex_table,"a"
++ .align 3
++ .llong 250b,.Ldest_error
+ .previous
+ .endm
+
+@@ -277,11 +293,11 @@ _GLOBAL(csum_partial_copy_generic)
+ mtctr r6
+
+ 1:
+-source; lhz r6,0(r3) /* align to doubleword */
++srcnr; lhz r6,0(r3) /* align to doubleword */
+ subi r5,r5,2
+ addi r3,r3,2
+ adde r0,r0,r6
+-dest; sth r6,0(r4)
++dstnr; sth r6,0(r4)
+ addi r4,r4,2
+ bdnz 1b
+
+@@ -395,10 +411,10 @@ dest; std r16,56(r4)
+
+ mtctr r6
+ 3:
+-source; ld r6,0(r3)
++srcnr; ld r6,0(r3)
+ addi r3,r3,8
+ adde r0,r0,r6
+-dest; std r6,0(r4)
++dstnr; std r6,0(r4)
+ addi r4,r4,8
+ bdnz 3b
+
+@@ -408,10 +424,10 @@ dest; std r6,0(r4)
+ srdi. r6,r5,2
+ beq .Lcopy_tail_halfword
+
+-source; lwz r6,0(r3)
++srcnr; lwz r6,0(r3)
+ addi r3,r3,4
+ adde r0,r0,r6
+-dest; stw r6,0(r4)
++dstnr; stw r6,0(r4)
+ addi r4,r4,4
+ subi r5,r5,4
+
+@@ -419,10 +435,10 @@ dest; stw r6,0(r4)
+ srdi. r6,r5,1
+ beq .Lcopy_tail_byte
+
+-source; lhz r6,0(r3)
++srcnr; lhz r6,0(r3)
+ addi r3,r3,2
+ adde r0,r0,r6
+-dest; sth r6,0(r4)
++dstnr; sth r6,0(r4)
+ addi r4,r4,2
+ subi r5,r5,2
+
+@@ -430,10 +446,10 @@ dest; sth r6,0(r4)
+ andi. r6,r5,1
+ beq .Lcopy_finish
+
+-source; lbz r6,0(r3)
++srcnr; lbz r6,0(r3)
+ sldi r9,r6,8 /* Pad the byte out to 16 bits */
+ adde r0,r0,r9
+-dest; stb r6,0(r4)
++dstnr; stb r6,0(r4)
+
+ .Lcopy_finish:
+ addze r0,r0 /* add in final carry */
+@@ -443,6 +459,11 @@ dest; stb r6,0(r4)
+ blr
+
+ .Lsrc_error:
++ ld r14,STK_REG(r14)(r1)
++ ld r15,STK_REG(r15)(r1)
++ ld r16,STK_REG(r16)(r1)
++ addi r1,r1,STACKFRAMESIZE
++.Lsrc_error_nr:
+ cmpdi 0,r7,0
+ beqlr
+ li r6,-EFAULT
+@@ -450,6 +471,11 @@ dest; stb r6,0(r4)
+ blr
+
+ .Ldest_error:
++ ld r14,STK_REG(r14)(r1)
++ ld r15,STK_REG(r15)(r1)
++ ld r16,STK_REG(r16)(r1)
++ addi r1,r1,STACKFRAMESIZE
++.Ldest_error_nr:
+ cmpdi 0,r8,0
+ beqlr
+ li r6,-EFAULT
--- /dev/null
+From 1aa33199c5969b6a062727438ba0795864dd3fbe Mon Sep 17 00:00:00 2001
+From: Chen Gang <gang.chen@asianux.com>
+Date: Wed, 20 Mar 2013 14:30:12 +0800
+Subject: powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries
+
+From: Chen Gang <gang.chen@asianux.com>
+
+commit 8246aca7058f3f2c2ae503081777965cd8df7b90 upstream.
+
+the smp_release_cpus is a normal funciton and called in normal environments,
+ but it calls the __initdata spinning_secondaries.
+ need modify spinning_secondaries to match smp_release_cpus.
+
+the related warning:
+ (the linker report boot_paca.33377, but it should be spinning_secondaries)
+
+-----------------------------------------------------------------------------
+
+WARNING: arch/powerpc/kernel/built-in.o(.text+0x23176): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377
+The function .smp_release_cpus() references
+the variable __initdata boot_paca.33377.
+This is often because .smp_release_cpus lacks a __initdata
+annotation or the annotation of boot_paca.33377 is wrong.
+
+WARNING: arch/powerpc/kernel/built-in.o(.text+0x231fe): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377
+The function .smp_release_cpus() references
+the variable __initdata boot_paca.33377.
+This is often because .smp_release_cpus lacks a __initdata
+annotation or the annotation of boot_paca.33377 is wrong.
+
+-----------------------------------------------------------------------------
+
+Signed-off-by: Chen Gang <gang.chen@asianux.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/setup_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -76,7 +76,7 @@
+ #endif
+
+ int boot_cpuid = 0;
+-int __initdata spinning_secondaries;
++int spinning_secondaries;
+ u64 ppc64_pft_size;
+
+ /* Pick defaults since we might want to patch instructions
--- /dev/null
+From d1211af3049f4c9c1d8d4eb8f8098cc4f4f0d0c7 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Wed, 2 Oct 2013 00:34:10 +0530
+Subject: powerpc/sysfs: Disable writing to PURR in guest mode
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+commit d1211af3049f4c9c1d8d4eb8f8098cc4f4f0d0c7 upstream.
+
+arch/powerpc/kernel/sysfs.c exports PURR with write permission.
+This may be valid for kernel in phyp mode. But writing to
+the file in guest mode causes crash due to a priviledge violation
+
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+[Backported to 3.4: adjust context]
+Signed-off-by: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/sysfs.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/sysfs.c
++++ b/arch/powerpc/kernel/sysfs.c
+@@ -17,6 +17,7 @@
+ #include <asm/machdep.h>
+ #include <asm/smp.h>
+ #include <asm/pmc.h>
++#include <asm/firmware.h>
+
+ #include "cacheinfo.h"
+
+@@ -179,15 +180,25 @@ SYSFS_PMCSETUP(spurr, SPRN_SPURR);
+ SYSFS_PMCSETUP(dscr, SPRN_DSCR);
+ SYSFS_PMCSETUP(pir, SPRN_PIR);
+
++/*
++ Lets only enable read for phyp resources and
++ enable write when needed with a separate function.
++ Lets be conservative and default to pseries.
++ */
+ static DEVICE_ATTR(mmcra, 0600, show_mmcra, store_mmcra);
+ static DEVICE_ATTR(spurr, 0600, show_spurr, NULL);
+ static DEVICE_ATTR(dscr, 0600, show_dscr, store_dscr);
+-static DEVICE_ATTR(purr, 0600, show_purr, store_purr);
++static DEVICE_ATTR(purr, 0400, show_purr, store_purr);
+ static DEVICE_ATTR(pir, 0400, show_pir, NULL);
+
+ unsigned long dscr_default = 0;
+ EXPORT_SYMBOL(dscr_default);
+
++static void add_write_permission_dev_attr(struct device_attribute *attr)
++{
++ attr->attr.mode |= 0200;
++}
++
+ static ssize_t show_dscr_default(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -394,8 +405,11 @@ static void __cpuinit register_cpu_onlin
+ if (cpu_has_feature(CPU_FTR_MMCRA))
+ device_create_file(s, &dev_attr_mmcra);
+
+- if (cpu_has_feature(CPU_FTR_PURR))
++ if (cpu_has_feature(CPU_FTR_PURR)) {
++ if (!firmware_has_feature(FW_FEATURE_LPAR))
++ add_write_permission_dev_attr(&dev_attr_purr);
+ device_create_file(s, &dev_attr_purr);
++ }
+
+ if (cpu_has_feature(CPU_FTR_SPURR))
+ device_create_file(s, &dev_attr_spurr);
acpi-video-add-asus-ul30a-to-acpi-video-detect-blacklist.patch
acpi-video-ignore-bios-initial-backlight-value-for-hp-1000.patch
staging-comedi-das08-correct-ai-encoding-for-das08jr-16-ao.patch
+staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch
+staging-wlags49_h2-buffer-overflow-setting-station-name.patch
+staging-bcm-create-and-initialize-new-device-id-in-interfaceinit.patch
+staging-bcm-add-two-products-and-remove-an-existing-product.patch
+powerpc-fix-emulation-of-illegal-instructions-on-powernv-platform.patch
+powerpc-smp-section-mismatch-from-smp_release_cpus-to-__initdata-spinning_secondaries.patch
+powerpc-don-t-oops-when-accessing-proc-powerpc-lparcfg-without-hypervisor.patch
+powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch
+powerpc-pseries-lparcfg-fix-possible-overflow-are-more-than-1026.patch
+powerpc-pseries-duplicate-dtl-entries-sometimes-sent-to-userspace.patch
+acpi-video-ignore-bios-backlight-value-for-hp-dm4.patch
+powerpc-sysfs-disable-writing-to-purr-in-guest-mode.patch
--- /dev/null
+From fc5884d265e78f15915f650585cfb28c9aa5aca6 Mon Sep 17 00:00:00 2001
+From: Kevin McKinney <klmckinney1@gmail.com>
+Date: Mon, 12 Nov 2012 22:20:30 -0500
+Subject: Staging: bcm: Add two products and remove an existing product.
+
+From: Kevin McKinney <klmckinney1@gmail.com>
+
+commit 4f29ef050848245f7c180b95ccf67dfcd76b1fd8 upstream.
+
+This patch adds two new products and modifies
+the device id table to include them. In addition,
+product of 0xbccd - BCM_USB_PRODUCT_ID_SM250 is
+removed because Beceem, ZTE, Sprint use this id
+for block devices.
+
+Reported-by: Muhammad Minhazul Haque <mdminhazulhaque@gmail.com>
+Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/bcm/InterfaceInit.c | 3 ++-
+ drivers/staging/bcm/InterfaceInit.h | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/bcm/InterfaceInit.c
++++ b/drivers/staging/bcm/InterfaceInit.c
+@@ -4,11 +4,12 @@ static struct usb_device_id InterfaceUsb
+ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_T3) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_T3B) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_T3L) },
+- { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_SM250) },
++ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_SYM) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_226) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_FOXCONN, BCM_USB_PRODUCT_ID_1901) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_TU25) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_226) },
++ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_326) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(usb, InterfaceUsbtable);
+--- a/drivers/staging/bcm/InterfaceInit.h
++++ b/drivers/staging/bcm/InterfaceInit.h
+@@ -8,11 +8,11 @@
+ #define BCM_USB_PRODUCT_ID_T3 0x0300
+ #define BCM_USB_PRODUCT_ID_T3B 0x0210
+ #define BCM_USB_PRODUCT_ID_T3L 0x0220
+-#define BCM_USB_PRODUCT_ID_SM250 0xbccd
+ #define BCM_USB_PRODUCT_ID_SYM 0x15E
+ #define BCM_USB_PRODUCT_ID_1901 0xe017
+ #define BCM_USB_PRODUCT_ID_226 0x0132 /* not sure if this is valid */
+ #define BCM_USB_PRODUCT_ID_ZTE_226 0x172
++#define BCM_USB_PRODUCT_ID_ZTE_326 0x173 /* ZTE AX326 */
+ #define BCM_USB_PRODUCT_ID_ZTE_TU25 0x0007
+
+ #define BCM_USB_MINOR_BASE 192
--- /dev/null
+From bf78d71280f1caa4b266c8ca430b68308bfd4db0 Mon Sep 17 00:00:00 2001
+From: Kevin McKinney <klmckinney1@gmail.com>
+Date: Tue, 11 Sep 2012 22:19:06 -0400
+Subject: Staging: bcm: Create and initialize new device id in InterfaceInit
+
+From: Kevin McKinney <klmckinney1@gmail.com>
+
+commit e66fc1fba248738d32f3b64508f9ef1176d9e767 upstream.
+
+This patch create and initalizes a new device
+id of 0x172 as reported by Rinat Camalov
+<richman1000000d@gmail.com>. In addition, a
+comment is added to the potential invalid
+existing device id.
+
+Reported-by: Rinat Camalov <richman1000000d@gmail.com>
+Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/bcm/InterfaceInit.c | 1 +
+ drivers/staging/bcm/InterfaceInit.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/bcm/InterfaceInit.c
++++ b/drivers/staging/bcm/InterfaceInit.c
+@@ -8,6 +8,7 @@ static struct usb_device_id InterfaceUsb
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_226) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_FOXCONN, BCM_USB_PRODUCT_ID_1901) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_TU25) },
++ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_226) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(usb, InterfaceUsbtable);
+--- a/drivers/staging/bcm/InterfaceInit.h
++++ b/drivers/staging/bcm/InterfaceInit.h
+@@ -11,7 +11,8 @@
+ #define BCM_USB_PRODUCT_ID_SM250 0xbccd
+ #define BCM_USB_PRODUCT_ID_SYM 0x15E
+ #define BCM_USB_PRODUCT_ID_1901 0xe017
+-#define BCM_USB_PRODUCT_ID_226 0x0132
++#define BCM_USB_PRODUCT_ID_226 0x0132 /* not sure if this is valid */
++#define BCM_USB_PRODUCT_ID_ZTE_226 0x172
+ #define BCM_USB_PRODUCT_ID_ZTE_TU25 0x0007
+
+ #define BCM_USB_MINOR_BASE 192
--- /dev/null
+From 1f8adde06e866835fafa1b34fcea9b1dab82bb78 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 5 Jul 2013 16:49:34 +0100
+Subject: staging: comedi: fix a race between do_cmd_ioctl() and read/write
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 upstream.
+
+`do_cmd_ioctl()` is called with the comedi device's mutex locked to
+process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command
+handling on a comedi subdevice. `comedi_read()` and `comedi_write()`
+are the `read` and `write` handlers for the comedi device, but do not
+lock the mutex (for performance reasons, as some things can hold the
+mutex for quite a long time).
+
+There is a race condition if `comedi_read()` or `comedi_write()` is
+running at the same time and for the same file object and comedi
+subdevice as `do_cmd_ioctl()`. `do_cmd_ioctl()` sets the subdevice's
+`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag
+in the subdevice's `runflags` member. `comedi_read() and
+`comedi_write()` check the subdevice's `busy` pointer is pointing to the
+current file object, then if the `SRF_RUNNING` flag is not set, will call
+`do_become_nonbusy()` to shut down the asyncronous command. Bad things
+can happen if the asynchronous command is being shutdown and set up at
+the same time.
+
+To prevent the race, don't set the `busy` pointer until
+after the `SRF_RUNNING` flag has been set. Also, make sure the mutex is
+held in `comedi_read()` and `comedi_write()` while calling
+`do_become_nonbusy()` in order to avoid moving the race condition to a
+point within that function.
+
+Change some error handling `goto cleanup` statements in `do_cmd_ioctl()`
+to simple `return -ERRFOO` statements as a result of changing when the
+`busy` pointer is set.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1078,22 +1078,19 @@ static int do_cmd_ioctl(struct comedi_de
+ DPRINTK("subdevice busy\n");
+ return -EBUSY;
+ }
+- s->busy = file;
+
+ /* make sure channel/gain list isn't too long */
+ if (user_cmd.chanlist_len > s->len_chanlist) {
+ DPRINTK("channel/gain list too long %u > %d\n",
+ user_cmd.chanlist_len, s->len_chanlist);
+- ret = -EINVAL;
+- goto cleanup;
++ return -EINVAL;
+ }
+
+ /* make sure channel/gain list isn't too short */
+ if (user_cmd.chanlist_len < 1) {
+ DPRINTK("channel/gain list too short %u < 1\n",
+ user_cmd.chanlist_len);
+- ret = -EINVAL;
+- goto cleanup;
++ return -EINVAL;
+ }
+
+ async->cmd = user_cmd;
+@@ -1103,8 +1100,7 @@ static int do_cmd_ioctl(struct comedi_de
+ kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+ if (!async->cmd.chanlist) {
+ DPRINTK("allocation failed\n");
+- ret = -ENOMEM;
+- goto cleanup;
++ return -ENOMEM;
+ }
+
+ if (copy_from_user(async->cmd.chanlist, user_cmd.chanlist,
+@@ -1156,6 +1152,9 @@ static int do_cmd_ioctl(struct comedi_de
+
+ comedi_set_subdevice_runflags(s, ~0, SRF_USER | SRF_RUNNING);
+
++ /* set s->busy _after_ setting SRF_RUNNING flag to avoid race with
++ * comedi_read() or comedi_write() */
++ s->busy = file;
+ ret = s->do_cmd(dev, s);
+ if (ret == 0)
+ return 0;
+@@ -1658,6 +1657,7 @@ static ssize_t comedi_write(struct file
+
+ if (!(comedi_get_subdevice_runflags(s) & SRF_RUNNING)) {
+ if (count == 0) {
++ mutex_lock(&dev->mutex);
+ if (comedi_get_subdevice_runflags(s) &
+ SRF_ERROR) {
+ retval = -EPIPE;
+@@ -1665,6 +1665,7 @@ static ssize_t comedi_write(struct file
+ retval = 0;
+ }
+ do_become_nonbusy(dev, s);
++ mutex_unlock(&dev->mutex);
+ }
+ break;
+ }
+@@ -1779,6 +1780,7 @@ static ssize_t comedi_read(struct file *
+
+ if (n == 0) {
+ if (!(comedi_get_subdevice_runflags(s) & SRF_RUNNING)) {
++ mutex_lock(&dev->mutex);
+ do_become_nonbusy(dev, s);
+ if (comedi_get_subdevice_runflags(s) &
+ SRF_ERROR) {
+@@ -1786,6 +1788,7 @@ static ssize_t comedi_read(struct file *
+ } else {
+ retval = 0;
+ }
++ mutex_unlock(&dev->mutex);
+ break;
+ }
+ if (file->f_flags & O_NONBLOCK) {
+@@ -1823,9 +1826,11 @@ static ssize_t comedi_read(struct file *
+ buf += n;
+ break; /* makes device work like a pipe */
+ }
+- if (!(comedi_get_subdevice_runflags(s) & (SRF_ERROR | SRF_RUNNING)) &&
+- async->buf_read_count - async->buf_write_count == 0) {
+- do_become_nonbusy(dev, s);
++ if (!(comedi_get_subdevice_runflags(s) & (SRF_ERROR | SRF_RUNNING))) {
++ mutex_lock(&dev->mutex);
++ if (async->buf_read_count - async->buf_write_count == 0)
++ do_become_nonbusy(dev, s);
++ mutex_unlock(&dev->mutex);
+ }
+ set_current_state(TASK_RUNNING);
+ remove_wait_queue(&async->wait_head, &wait);
--- /dev/null
+From 840834b578803d8153b6fd8526d23e615916208b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 23:00:15 +0300
+Subject: staging: wlags49_h2: buffer overflow setting station name
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
+
+We need to check the length parameter before doing the memcpy(). I've
+actually changed it to strlcpy() as well so that it's NUL terminated.
+
+You need CAP_NET_ADMIN to trigger these so it's not the end of the
+world.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Yijing Wang <wangyijing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/wlags49_h2/wl_priv.c
++++ b/drivers/staging/wlags49_h2/wl_priv.c
+@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
+ ltv_t *pLtv;
+ bool_t ltvAllocated = FALSE;
+ ENCSTRCT sEncryption;
++ size_t len;
+
+ #ifdef USE_WDS
+ hcf_16 hcfPort = HCF_PORT_0;
+@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
+ break;
+ case CFG_CNF_OWN_NAME:
+ memset( lp->StationName, 0, sizeof( lp->StationName ));
+- memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
++ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
++ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
+ pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
+ break;
+ case CFG_CNF_LOAD_BALANCING:
+@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
+ {
+ struct wl_private *lp = wl_priv(dev);
+ unsigned long flags;
++ size_t len;
+ int ret = 0;
+ /*------------------------------------------------------------------------*/
+
+@@ -1810,8 +1813,8 @@ int wvlan_set_station_nickname(struct ne
+ wl_lock(lp, &flags);
+
+ memset( lp->StationName, 0, sizeof( lp->StationName ));
+-
+- memcpy( lp->StationName, extra, wrqu->data.length);
++ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
++ strlcpy(lp->StationName, extra, len);
+
+ /* Commit the adapter parameters */
+ wl_apply( lp );
projects / thirdparty / kernel / stable-queue.git / commitdiff
