--- /dev/null
+From a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 Mon Sep 17 00:00:00 2001
+From: Mike Christie <michaelc@cs.wisc.edu>
+Date: Mon, 29 Sep 2014 13:55:41 -0500
+Subject: be2iscsi: check ip buffer before copying
+
+From: Mike Christie <michaelc@cs.wisc.edu>
+
+commit a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 upstream.
+
+Dan Carpenter found a issue where be2iscsi would copy the ip
+from userspace to the driver buffer before checking the len
+of the data being copied:
+http://marc.info/?l=linux-scsi&m=140982651504251&w=2
+
+This patch just has us only copy what we the driver buffer
+can support.
+
+Tested-by: John Soni Jose <sony.john-n@emulex.com>
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/be2iscsi/be_mgmt.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/be2iscsi/be_mgmt.c
++++ b/drivers/scsi/be2iscsi/be_mgmt.c
+@@ -812,17 +812,20 @@ mgmt_static_ip_modify(struct beiscsi_hba
+
+ if (ip_action == IP_ACTION_ADD) {
+ memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value,
+- ip_param->len);
++ sizeof(req->ip_params.ip_record.ip_addr.addr));
+
+ if (subnet_param)
+ memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
+- subnet_param->value, subnet_param->len);
++ subnet_param->value,
++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
+ } else {
+ memcpy(req->ip_params.ip_record.ip_addr.addr,
+- if_info->ip_addr.addr, ip_param->len);
++ if_info->ip_addr.addr,
++ sizeof(req->ip_params.ip_record.ip_addr.addr));
+
+ memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
+- if_info->ip_addr.subnet_mask, ip_param->len);
++ if_info->ip_addr.subnet_mask,
++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
+ }
+
+ rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
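Review bot: In the IP_ACTION_ADD branch the copy length is now the destination's size, but `ip_param->len` and `subnet_param->len` are no longer consulted at all, so a userspace value shorter than the destination field makes memcpy() read past the end of `ip_param->value`. That trades the destination overflow for a source over-read, and depending on what follows the value in the request buffer, adjacent bytes could end up in the request sent to the adapter. Clamping to both sides keeps either buffer in bounds, for example `min_t(size_t, ip_param->len, sizeof(req->ip_params.ip_record.ip_addr.addr))`. The same applies to `memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr))` in the mgmt_modify_gateway hunk, where `param_len` is now ignored; both functions start outside their hunks, so the source buffer sizes are inferred rather than visible.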
+@@ -850,7 +853,7 @@ static int mgmt_modify_gateway(struct be
+ req->action = gtway_action;
+ req->ip_addr.ip_type = BE2_IPV4;
+
+- memcpy(req->ip_addr.addr, gt_addr, param_len);
++ memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr));
+
+ return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
+ }
--- /dev/null
+From 6e4a2a83f95826201bbd89f55522537ea52d1d67 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 29 Sep 2014 14:42:21 +0200
+Subject: dmaengine: pl330: Fix NULL pointer dereference on driver unbind
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 6e4a2a83f95826201bbd89f55522537ea52d1d67 upstream.
+
+Fix a NULL pointer dereference after unbinding the driver, if channel
+resources were not yet allocated (no call to
+pl330_alloc_chan_resources()):
+$ echo 12850000.mdma > /sys/bus/amba/drivers/dma-pl330/unbind
+[ 13.606533] DMA pl330_control: removing pch: eeab6800, chan: eeab6814, thread: (null)
+[ 13.614472] Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+[ 13.622537] pgd = ee284000
+[ 13.625228] [0000000c] *pgd=6e1e4831, *pte=00000000, *ppte=00000000
+[ 13.631482] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+[ 13.636859] Modules linked in:
+[ 13.639903] CPU: 0 PID: 1 Comm: sh Not tainted 3.17.0-rc3-next-20140904-00004-g7020ffc33ca3-dirty #420
+[ 13.649187] task: ee80a800 ti: ee888000 task.ti: ee888000
+[ 13.654589] PC is at _stop+0x8/0x2c8
+[ 13.658131] LR is at pl330_control+0x70/0x2e8
+[ 13.662468] pc : [<c0206028>] lr : [<c020649c>] psr: 60000093
+[ 13.662468] sp : ee889e58 ip : 00000001 fp : 000bab70
+[ 13.673922] r10: eeab6814 r9 : ee16debc r8 : 00000000
+[ 13.679131] r7 : eeab685c r6 : 60000013 r5 : ee16de10 r4 : eeab6800
+[ 13.685641] r3 : 00000002 r2 : 00000000 r1 : 00010000 r0 : 00000000
+[ 13.692153] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+[ 13.699357] Control: 10c5387d Table: 6e28404a DAC: 00000015
+[ 13.705085] Process sh (pid: 1, stack limit = 0xee888240)
+[ 13.710466] Stack: (0xee889e58 to 0xee88a000)
+[ 13.714808] 9e40: 00000002 eeab6800
+[ 13.722969] 9e60: ee16de10 eeab6800 ee16de10 60000013 eeab685c c020649c 00000000 c040280c
+[ 13.731128] 9e80: ee889e80 ee889e80 ee16de18 ee16de10 eeab6880 eeab6814 00200200 eeab68a8
+[ 13.739287] 9ea0: 00100100 c0208048 00000000 c0409fc4 eea80800 eea808f8 c0605c44 0000000e
+[ 13.747446] 9ec0: 0000000e eeb3960c eeb39600 c0203c48 eea80800 c0605c44 c0605a8c c023f694
+[ 13.755605] 9ee0: ee80a800 eea80834 eea80800 c023f704 ee80a800 eea80800 c0605c44 c023e8ec
+[ 13.763764] 9f00: 0000000e ee149780 ee29e580 ee889f80 ee29e580 c023e19c 0000000e c01167e4
+[ 13.771923] 9f20: c01167a0 00000000 00000000 c0115e88 00000000 00000000 ee0b1a00 0000000e
+[ 13.780082] 9f40: b6f48000 ee889f80 0000000e ee888000 b6f48000 c00bfadc 00000000 00000003
+[ 13.788241] 9f60: 00000000 00000000 00000000 ee0b1a00 ee0b1a00 0000000e b6f48000 c00bfdf4
+[ 13.796401] 9f80: 00000000 00000000 ffffffff 0000000e b6f48000 b6edc5d0 00000004 c000e7a4
+[ 13.804560] 9fa0: 00000000 c000e620 0000000e b6f48000 00000001 b6f48000 0000000e 00000000
+[ 13.812719] 9fc0: 0000000e b6f48000 b6edc5d0 00000004 0000000e b6f4c8c0 000c3470 000bab70
+[ 13.820879] 9fe0: 00000000 bed2aa50 b6e18bdc b6e6b52c 60000010 00000001 c0c0c0c0 c0c0c0c0
+[ 13.829058] [<c0206028>] (_stop) from [<c020649c>] (pl330_control+0x70/0x2e8)
+[ 13.836165] [<c020649c>] (pl330_control) from [<c0208048>] (pl330_remove+0xb0/0xdc)
+[ 13.843800] [<c0208048>] (pl330_remove) from [<c0203c48>] (amba_remove+0x24/0xc0)
+[ 13.851272] [<c0203c48>] (amba_remove) from [<c023f694>] (__device_release_driver+0x70/0xc4)
+[ 13.859685] [<c023f694>] (__device_release_driver) from [<c023f704>] (device_release_driver+0x1c/0x28)
+[ 13.868971] [<c023f704>] (device_release_driver) from [<c023e8ec>] (unbind_store+0x58/0x90)
+[ 13.877303] [<c023e8ec>] (unbind_store) from [<c023e19c>] (drv_attr_store+0x20/0x2c)
+[ 13.885036] [<c023e19c>] (drv_attr_store) from [<c01167e4>] (sysfs_kf_write+0x44/0x48)
+[ 13.892928] [<c01167e4>] (sysfs_kf_write) from [<c0115e88>] (kernfs_fop_write+0xc0/0x17c)
+[ 13.901090] [<c0115e88>] (kernfs_fop_write) from [<c00bfadc>] (vfs_write+0xa0/0x1a8)
+[ 13.908812] [<c00bfadc>] (vfs_write) from [<c00bfdf4>] (SyS_write+0x40/0x8c)
+[ 13.915850] [<c00bfdf4>] (SyS_write) from [<c000e620>] (ret_fast_syscall+0x0/0x30)
+[ 13.923392] Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
+[ 13.929467] ---[ end trace 10064e15a5929cf8 ]---
+
+Terminate the thread and free channel resource only if channel resources
+were allocated (thread is not NULL).
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: b3040e40675e ("DMA: PL330: Add dma api driver")
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/pl330.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -3094,8 +3094,10 @@ static int pl330_remove(struct amba_devi
+ list_del(&pch->chan.device_node);
+
+ /* Flush the channel */
+- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
+- pl330_free_chan_resources(&pch->chan);
++ if (pch->thread) {
++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
++ pl330_free_chan_resources(&pch->chan);
++ }
+ }
+
+ pi = &pdmac->pif;
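Review bot: The `if (pch->thread)` guard in pl330_remove() has no comment saying why a channel can reach teardown without a thread, and the identical four lines are repeated under `probe_err3` in the probe-failure patch. A one-line comment such as `/* thread is NULL until pl330_alloc_chan_resources() has run */` at both sites would keep the check from being removed as redundant later. If more callers appear, putting the NULL test inside the teardown path itself would remove the duplication; the body of pl330_control() is not visible here, so whether that is practical is a guess. pl330_remove() starts and ends outside this hunk.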
--- /dev/null
+From 0f5ebabdd03b471da1906f7edddc61ceb35cee02 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 29 Sep 2014 14:42:20 +0200
+Subject: dmaengine: pl330: Fix NULL pointer dereference on probe failure
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 0f5ebabdd03b471da1906f7edddc61ceb35cee02 upstream.
+
+If dma_async_device_register() returns error and probe should clean up
+and return error, a NULL pointer exception happens because of
+dereference of not allocated channel thread:
+
+Dmesg log (from early printk):
+dma-pl330 12680000.pdma: unable to register DMAC
+DMA pl330_control: removing pch: eeac4000, chan: eeac4014, thread: (null)
+Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+pgd = c0004000
+[0000000c] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc3-next-20140904-00005-g6cc4c1937d90-dirty #427
+task: ee80a800 ti: ee888000 task.ti: ee888000
+PC is at _stop+0x8/0x2c8
+LR is at pl330_control+0x70/0x2e8
+pc : [<c0205dc8>] lr : [<c020623c>] psr: 60000193
+sp : ee889df8 ip : 00000002 fp : 00000000
+r10: eeac4014 r9 : ee0e62bc r8 : 00000000
+r7 : eeac405c r6 : 60000113 r5 : ee0e6210 r4 : eeac4000
+r3 : 00000002 r2 : 00000002 r1 : 00010000 r0 : 00000000
+Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c5387d Table: 4000404a DAC: 00000015
+Process swapper/0 (pid: 1, stack limit = 0xee888240)
+Stack: (0xee889df8 to 0xee88a000)
+9de0: 00000002 eeac4000
+9e00: ee0e6210 eeac4000 ee0e6210 60000113 eeac405c c020623c 00000000 c020725c
+9e20: ee889e20 ee889e20 ee0e6210 eeac4080 00200200 00100100 eeac4014 00000020
+9e40: ee0e6218 c0208374 00000000 ee9bb340 ee0e6210 00000000 00000000 c0605cd8
+9e60: ee970000 c0605c84 ee9700f8 00000000 c05c4270 00000000 00000000 c0203b3c
+9e80: ee970000 c06624a8 00000000 c0605c84 00000000 c023f890 ee970000 c0605c84
+9ea0: ee970034 00000000 c05b23d0 c023fa3c 00000000 c0605c84 c023f9b0 c023e0d4
+9ec0: ee947e78 ee9b9440 c0605c84 eea1e780 c0605acc c023f094 c0513b50 c0605c84
+9ee0: c05ecbd8 c0605c84 c05ecbd8 ee11ba40 c0626500 c0240064 00000000 c05ecbd8
+9f00: c05ecbd8 c0008964 c040f13c 0000009f c0626500 c057465c ee80a800 60000113
+9f20: 00000000 c05efdb0 60000113 00000000 ef7fc89d c0421168 0000008f c003787c
+9f40: c0573d6c 00000006 ef7fc8bb 00000006 c05efd50 ef7fc800 c05dfbc4 00000006
+9f60: c05c4264 c0626500 0000008f c05c4270 c059b518 c059bcb4 00000006 00000006
+9f80: c059b518 c003c08c 00000000 c040091c 00000000 00000000 00000000 00000000
+9fa0: 00000000 c0400924 00000000 c000e7b8 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0
+[<c0205dc8>] (_stop) from [<c020623c>] (pl330_control+0x70/0x2e8)
+[<c020623c>] (pl330_control) from [<c0208374>] (pl330_probe+0x594/0x75c)
+[<c0208374>] (pl330_probe) from [<c0203b3c>] (amba_probe+0xb8/0x120)
+[<c0203b3c>] (amba_probe) from [<c023f890>] (driver_probe_device+0x10c/0x22c)
+[<c023f890>] (driver_probe_device) from [<c023fa3c>] (__driver_attach+0x8c/0x90)
+[<c023fa3c>] (__driver_attach) from [<c023e0d4>] (bus_for_each_dev+0x54/0x88)
+[<c023e0d4>] (bus_for_each_dev) from [<c023f094>] (bus_add_driver+0xd4/0x1d0)
+[<c023f094>] (bus_add_driver) from [<c0240064>] (driver_register+0x78/0xf4)
+[<c0240064>] (driver_register) from [<c0008964>] (do_one_initcall+0x80/0x1d0)
+[<c0008964>] (do_one_initcall) from [<c059bcb4>] (kernel_init_freeable+0x108/0x1d4)
+[<c059bcb4>] (kernel_init_freeable) from [<c0400924>] (kernel_init+0x8/0xec)
+[<c0400924>] (kernel_init) from [<c000e7b8>] (ret_from_fork+0x14/0x3c)
+Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
+---[ end trace c94b2f4f38dff3bf ]---
+
+This happens because the necessary resources were not yet allocated - no
+call to pl330_alloc_chan_resources().
+
+Terminate the thread and free channel resource only if channel thread is not NULL.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: 0b94c5771705 ("DMA: PL330: Add check if device tree compatible")
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/pl330.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -3057,8 +3057,10 @@ probe_err3:
+ list_del(&pch->chan.device_node);
+
+ /* Flush the channel */
+- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
+- pl330_free_chan_resources(&pch->chan);
++ if (pch->thread) {
++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
++ pl330_free_chan_resources(&pch->chan);
++ }
+ }
+ probe_err2:
+ pl330_del(pi);
--- /dev/null
+From 72c6b71c245dac8f371167d97ef471b367d0b66b Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:34 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 72c6b71c245dac8f371167d97ef471b367d0b66b upstream.
+
+Eliminate the call to BUG_ON() by waiting for the host to respond. We are
+trying to reclaim the ownership of memory that was given to the host and so
+we will have to wait until the host responds.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -392,7 +392,6 @@ int vmbus_establish_gpadl(struct vmbus_c
+ u32 next_gpadl_handle;
+ unsigned long flags;
+ int ret = 0;
+- int t;
+
+ next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
+ atomic_inc(&vmbus_connection.next_gpadl_handle);
+@@ -439,9 +438,7 @@ int vmbus_establish_gpadl(struct vmbus_c
+
+ }
+ }
+- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
+- BUG_ON(t == 0);
+-
++ wait_for_completion(&msginfo->waitevent);
+
+ /* At this point, we received the gpadl created msg */
+ *gpadl_handle = gpadlmsg->gpadl;
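Review bot: `wait_for_completion(&msginfo->waitevent)` is now unbounded and uninterruptible, so a host that never answers leaves the caller blocked indefinitely with nothing in the log, where the old code at least stopped after `5*HZ`. The commit message gives the reason (the host holds the memory until it replies), but nothing at the call site does; a comment like `/* No timeout: the pages belong to the host until it answers, so we cannot give up and reuse them. */` would record it. Treating the host as able to stall the guest here is a deliberate trust decision and worth stating. The same unbounded wait is introduced on `info->waitevent` in the vmbus_teardown_gpadl() hunk. vmbus_establish_gpadl() continues outside this hunk.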
--- /dev/null
+From fdeebcc62279119dbeafbc1a2e39e773839025fd Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:31 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_post_msg()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit fdeebcc62279119dbeafbc1a2e39e773839025fd upstream.
+
+Posting messages to the host can fail because of transient resource
+related failures. Correctly deal with these failures and increase the
+number of attempts to post the message before giving up.
+
+In this version of the patch, I have normalized the error code to
+Linux error code.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/connection.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -393,10 +393,21 @@ int vmbus_post_msg(void *buffer, size_t
+ * insufficient resources. Retry the operation a couple of
+ * times before giving up.
+ */
+- while (retries < 3) {
+- ret = hv_post_message(conn_id, 1, buffer, buflen);
+- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
++ while (retries < 10) {
++ ret = hv_post_message(conn_id, 1, buffer, buflen);
++
++ switch (ret) {
++ case HV_STATUS_INSUFFICIENT_BUFFERS:
++ ret = -ENOMEM;
++ case -ENOMEM:
++ break;
++ case HV_STATUS_SUCCESS:
+ return ret;
++ default:
++ pr_err("hv_post_msg() failed; error code:%d\n", ret);
++ return -EINVAL;
++ }
++
+ retries++;
+ msleep(100);
+ }
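Review bot: `case HV_STATUS_INSUFFICIENT_BUFFERS:` falls through into `case -ENOMEM:` without any marker, which reads like a missing `break` and will trip fall-through warnings; add `/* fall through */` after `ret = -ENOMEM;`. The comment above the loop still says "a couple of times" although the bound is now 10, which with `msleep(100)` is roughly a second of sleeping before giving up. The `pr_err()` text names `hv_post_msg()`, while the call in the hunk is `hv_post_message()` and the enclosing function is vmbus_post_msg(), so the log line points at a function that is not visible here. The statement after the loop lies outside the hunk, so what is returned once the retries are exhausted cannot be checked from here.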
--- /dev/null
+From 66be653083057358724d56d817e870e53fb81ca7 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:32 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 66be653083057358724d56d817e870e53fb81ca7 upstream.
+
+Eliminate calls to BUG_ON() by properly handling errors. In cases where
+rollback is possible, we will return the appropriate error to have the
+calling code decide how to rollback state. In the case where we are
+transferring ownership of the guest physical pages to the host,
+we will wait for the host to respond.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -464,7 +464,7 @@ int vmbus_teardown_gpadl(struct vmbus_ch
+ struct vmbus_channel_gpadl_teardown *msg;
+ struct vmbus_channel_msginfo *info;
+ unsigned long flags;
+- int ret, t;
++ int ret;
+
+ info = kmalloc(sizeof(*info) +
+ sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
+@@ -486,11 +486,12 @@ int vmbus_teardown_gpadl(struct vmbus_ch
+ ret = vmbus_post_msg(msg,
+ sizeof(struct vmbus_channel_gpadl_teardown));
+
+- BUG_ON(ret != 0);
+- t = wait_for_completion_timeout(&info->waitevent, 5*HZ);
+- BUG_ON(t == 0);
++ if (ret)
++ goto post_msg_err;
+
+- /* Received a torndown response */
++ wait_for_completion(&info->waitevent);
++
++post_msg_err:
+ spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
+ list_del(&info->msglistentry);
+ spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
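Review bot: The new `goto post_msg_err` path lets vmbus_teardown_gpadl() hand a failure back to its caller, but nothing documents what the caller may do with the buffer in that case. If the teardown message never reached the host, the host presumably still has the GPADL mapped, so a caller that frees or reuses those pages would be sharing live guest memory with the host. A function comment stating that on a non-zero return the pages behind the GPADL must not be freed or reused would make the contract explicit. The label also replaced the `/* Received a torndown response */` comment, so the successful path no longer says what the wait was for. The return statement and the callers are outside this hunk.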
--- /dev/null
+From 45d727cee9e200f5b351528b9fb063b69cf702c8 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:35 -0700
+Subject: Drivers: hv: vmbus: Fix a bug in vmbus_open()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 45d727cee9e200f5b351528b9fb063b69cf702c8 upstream.
+
+Fix a bug in vmbus_open() and properly propagate the error. I would
+like to thank Dexuan Cui <decui@microsoft.com> for identifying the
+issue.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -199,8 +199,10 @@ int vmbus_open(struct vmbus_channel *new
+ ret = vmbus_post_msg(open_msg,
+ sizeof(struct vmbus_channel_open_channel));
+
+- if (ret != 0)
++ if (ret != 0) {
++ err = ret;
+ goto error1;
++ }
+
+ t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ);
+ if (t == 0) {
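Review bot: `err = ret;` propagates whatever vmbus_post_msg() returned, so this is only a Linux errno if the vmbus_post_msg() cleanup from the same series is applied first; the lines that patch removes returned the raw hv_post_message() status. The series file does list that patch ahead of this one, but a short comment such as `/* vmbus_post_msg() returns 0 or a negative errno */` would record the dependency for anyone backporting this on its own. The `error1` label and the final return are outside the hunk.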
--- /dev/null
+From 471b095dfe0d693a8d624cbc716d1ee4d74eb437 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 18 Sep 2014 11:25:37 -0700
+Subject: firmware_class: make sure fw requests contain a name
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 471b095dfe0d693a8d624cbc716d1ee4d74eb437 upstream.
+
+An empty firmware request name will trigger warnings when building
+device names. Make sure this is caught earlier and rejected.
+
+The warning was visible via the test_firmware.ko module interface:
+
+echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/firmware_class.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -1021,6 +1021,9 @@ _request_firmware(const struct firmware
+ if (!firmware_p)
+ return -EINVAL;
+
++ if (!name || name[0] == '\0')
++ return -EINVAL;
++
+ ret = _request_firmware_prepare(&fw, name, device);
+ if (ret <= 0) /* error or already assigned */
+ goto out;
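Review bot: The new `if (!name || name[0] == '\0')` check has no comment, and the reason for rejecting an empty string is only in the commit message. A line such as `/* an empty name cannot be turned into a device name; reject it before any state is set up */` would keep that reasoning with the code. Only emptiness is checked in this hunk; whether other properties of `name` are validated elsewhere in _request_firmware() is not visible here.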
--- /dev/null
+From 4089b71cc820a426d601283c92fcd4ffeb5139c2 Mon Sep 17 00:00:00 2001
+From: Chris J Arges <chris.j.arges@canonical.com>
+Date: Tue, 23 Sep 2014 09:22:25 -0500
+Subject: mptfusion: enable no_write_same for vmware scsi disks
+
+From: Chris J Arges <chris.j.arges@canonical.com>
+
+commit 4089b71cc820a426d601283c92fcd4ffeb5139c2 upstream.
+
+When using a virtual SCSI disk in a VMWare VM if blkdev_issue_zeroout is used
+data can be improperly zeroed out using the mptfusion driver. This patch
+disables write_same for this driver and the vmware subsystem_vendor which
+ensures that manual zeroing out is used instead.
+
+BugLink: http://bugs.launchpad.net/bugs/1371591
+Reported-by: Bruce Lucas <bruce.lucas@mongodb.com>
+Tested-by: Chris J Arges <chris.j.arges@canonical.com>
+Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/message/fusion/mptspi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/message/fusion/mptspi.c
++++ b/drivers/message/fusion/mptspi.c
+@@ -1422,6 +1422,11 @@ mptspi_probe(struct pci_dev *pdev, const
+ goto out_mptspi_probe;
+ }
+
++ /* VMWare emulation doesn't properly implement WRITE_SAME
++ */
++ if (pdev->subsystem_vendor == 0x15AD)
++ sh->no_write_same = 1;
++
+ spin_lock_irqsave(&ioc->FreeQlock, flags);
+
+ /* Attach the SCSI Host to the IOC structure
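Review bot: `pdev->subsystem_vendor == 0x15AD` is a bare magic number; if the target tree's pci_ids.h provides `PCI_VENDOR_ID_VMWARE`, use that so the check is greppable and self-describing. The test also keys on the subsystem vendor alone, so it disables WRITE SAME for every mptspi device presenting that vendor ID, which looks intended but is worth saying in the comment. The comment itself is a two-line block for one sentence; `/* VMware's emulation does not implement WRITE SAME correctly */` on one line matches the usual style better. mptspi_probe() starts and ends outside this hunk.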
--- /dev/null
+From 75554b68ac1e018bca00d68a430b92ada8ab52dd Mon Sep 17 00:00:00 2001
+From: Arun Easi <arun.easi@qlogic.com>
+Date: Thu, 25 Sep 2014 06:14:45 -0400
+Subject: qla2xxx: Use correct offset to req-q-out for reserve calculation
+
+From: Arun Easi <arun.easi@qlogic.com>
+
+commit 75554b68ac1e018bca00d68a430b92ada8ab52dd upstream.
+
+Signed-off-by: Arun Easi <arun.easi@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_target.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1514,12 +1514,10 @@ static inline void qlt_unmap_sg(struct s
+ static int qlt_check_reserve_free_req(struct scsi_qla_host *vha,
+ uint32_t req_cnt)
+ {
+- struct qla_hw_data *ha = vha->hw;
+- device_reg_t __iomem *reg = ha->iobase;
+ uint32_t cnt;
+
+ if (vha->req->cnt < (req_cnt + 2)) {
+- cnt = (uint16_t)RD_REG_DWORD(®->isp24.req_q_out);
++ cnt = (uint16_t)RD_REG_DWORD(vha->req->req_q_out);
+
+ ql_dbg(ql_dbg_tgt, vha, 0xe00a,
+ "Request ring circled: cnt=%d, vha->->ring_index=%d, "
--- /dev/null
+From 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <Li.Xiubo@freescale.com>
+Date: Sun, 28 Sep 2014 11:35:25 +0800
+Subject: regmap: debugfs: fix possbile NULL pointer dereference
+
+From: Xiubo Li <Li.Xiubo@freescale.com>
+
+commit 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 upstream.
+
+If 'map->dev' is NULL and there will lead dev_name() to be NULL pointer
+dereference. So before dev_name(), we need to have check of the map->dev
+pionter.
+
+We also should make sure that the 'name' pointer shouldn't be NULL for
+debugfs_create_dir(). So here using one default "dummy" debugfs name when
+the 'name' pointer and 'map->dev' are both NULL.
+
+Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -460,16 +460,20 @@ void regmap_debugfs_init(struct regmap *
+ {
+ struct rb_node *next;
+ struct regmap_range_node *range_node;
++ const char *devname = "dummy";
+
+ INIT_LIST_HEAD(&map->debugfs_off_cache);
+ mutex_init(&map->cache_lock);
+
++ if (map->dev)
++ devname = dev_name(map->dev);
++
+ if (name) {
+ map->debugfs_name = kasprintf(GFP_KERNEL, "%s-%s",
+- dev_name(map->dev), name);
++ devname, name);
+ name = map->debugfs_name;
+ } else {
+- name = dev_name(map->dev);
++ name = devname;
+ }
+
+ map->debugfs = debugfs_create_dir(name, regmap_debugfs_root);
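Review bot: The `kasprintf()` result is still assigned to `name` unchecked, so an allocation failure passes NULL to `debugfs_create_dir()`, which is the case the commit message says it wants to rule out. Falling back keeps the name valid: `name = map->debugfs_name ? map->debugfs_name : devname;`. Separately, every map with neither a device nor a name now gets the same directory name `"dummy"`, so a second such map would ask for a directory that already exists; a per-map suffix would avoid that. The rest of regmap_debugfs_init() is outside the hunk.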
--- /dev/null
+From 5336be8416a71b5568d2cf54a2f2066abe9f2a53 Mon Sep 17 00:00:00 2001
+From: Pankaj Dubey <pankaj.dubey@samsung.com>
+Date: Sat, 27 Sep 2014 09:47:55 +0530
+Subject: regmap: fix NULL pointer dereference in _regmap_write/read
+
+From: Pankaj Dubey <pankaj.dubey@samsung.com>
+
+commit 5336be8416a71b5568d2cf54a2f2066abe9f2a53 upstream.
+
+If LOG_DEVICE is defined and map->dev is NULL it will lead to NULL
+pointer dereference. This patch fixes this issue by adding check for
+dev->NULL in all such places in regmap.c
+
+Signed-off-by: Pankaj Dubey <pankaj.dubey@samsung.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1177,7 +1177,7 @@ int _regmap_write(struct regmap *map, un
+ }
+
+ #ifdef LOG_DEVICE
+- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
+ dev_info(map->dev, "%x <= %x\n", reg, val);
+ #endif
+
+@@ -1437,7 +1437,7 @@ static int _regmap_read(struct regmap *m
+ ret = map->reg_read(context, reg, val);
+ if (ret == 0) {
+ #ifdef LOG_DEVICE
+- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
+ dev_info(map->dev, "%x => %x\n", reg, *val);
+ #endif
+
x86-intel-quark-switch-off-cr4.pge-so-tlb-flush-uses-cr3-instead.patch
spi-dw-mid-respect-8-bit-mode.patch
spi-dw-mid-check-that-dma-was-inited-before-exit.patch
+regmap-debugfs-fix-possbile-null-pointer-dereference.patch
+regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch
+be2iscsi-check-ip-buffer-before-copying.patch
+mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch
+qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch
+dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch
+dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch
+firmware_class-make-sure-fw-requests-contain-a-name.patch
+drivers-hv-vmbus-cleanup-vmbus_post_msg.patch
+drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch
+drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch
+drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch