--- /dev/null
+From 1d19f7800d643b270b28d0a969c5eca455d54397 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 15 May 2013 01:30:01 -0700
+Subject: ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1d19f7800d643b270b28d0a969c5eca455d54397 upstream.
+
+Given that srpt_release_channel_work() calls target_wait_for_sess_cmds()
+to allow outstanding se_cmd_t->cmd_kref a change to complete, the call
+to perform target_sess_cmd_list_set_waiting() needs to happen in
+srpt_shutdown_session()
+
+Also, this patch adds an explicit call to srpt_shutdown_session() within
+srpt_drain_channel() so that target_sess_cmd_list_set_waiting() will be
+called in the cases where TFO->shutdown_session() is not triggered
+directly by TCM.
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Cc: Joern Engel <joern@logfs.org>
+Cc: Roland Dreier <roland@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 32 ++++++++++++++++++++++++--------
+ drivers/infiniband/ulp/srpt/ib_srpt.h | 1 +
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2227,6 +2227,27 @@ static void srpt_close_ch(struct srpt_rd
+ }
+
+ /**
++ * srpt_shutdown_session() - Whether or not a session may be shut down.
++ */
++static int srpt_shutdown_session(struct se_session *se_sess)
++{
++ struct srpt_rdma_ch *ch = se_sess->fabric_sess_ptr;
++ unsigned long flags;
++
++ spin_lock_irqsave(&ch->spinlock, flags);
++ if (ch->in_shutdown) {
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++ return true;
++ }
++
++ ch->in_shutdown = true;
++ target_sess_cmd_list_set_waiting(se_sess);
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++
++ return true;
++}
++
++/**
+ * srpt_drain_channel() - Drain a channel by resetting the IB queue pair.
+ * @cm_id: Pointer to the CM ID of the channel to be drained.
+ *
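Review bot: The kernel-doc line above srpt_shutdown_session() still reads "Whether or not a session may be shut down", but the new body sets `ch->in_shutdown = true` and calls target_sess_cmd_list_set_waiting() under `ch->spinlock`, so the comment no longer describes what the callback does. I would reword it to say that the first call marks the session's commands as waiting, that later calls are no-ops, and that the function always returns true. The function is declared `int` but returns `true`; `return 1;` would match the declared type. The two `return true` paths can be folded by wrapping the two state-changing lines in `if (!ch->in_shutdown) { ... }`.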
+@@ -2264,6 +2285,9 @@ static void srpt_drain_channel(struct ib
+ spin_unlock_irq(&sdev->spinlock);
+
+ if (do_reset) {
++ if (ch->sess)
++ srpt_shutdown_session(ch->sess);
++
+ ret = srpt_ch_qp_err(ch);
+ if (ret < 0)
+ printk(KERN_ERR "Setting queue pair in error state"
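Review bot: `ch->sess` is tested and passed to srpt_shutdown_session() after `spin_unlock_irq(&sdev->spinlock)`, and nothing in this hunk shows what keeps the session alive between the test and the call. srpt_shutdown_session() then dereferences `se_sess->fabric_sess_ptr` and takes `ch->spinlock`, which would touch freed memory if the channel's release work could run concurrently. If the state change made under the lock earlier in srpt_drain_channel() (outside this hunk) is what rules that out, a one-line comment naming that guarantee above the `if (ch->sess)` test would make it reviewable.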
+@@ -3467,14 +3491,6 @@ static void srpt_release_cmd(struct se_c
+ }
+
+ /**
+- * srpt_shutdown_session() - Whether or not a session may be shut down.
+- */
+-static int srpt_shutdown_session(struct se_session *se_sess)
+-{
+- return true;
+-}
+-
+-/**
+ * srpt_close_session() - Forcibly close a session.
+ *
+ * Callback function invoked by the TCM core to clean up sessions associated
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
+@@ -325,6 +325,7 @@ struct srpt_rdma_ch {
+ u8 sess_name[36];
+ struct work_struct release_work;
+ struct completion *release_done;
++ bool in_shutdown;
+ };
+
+ /**
--- /dev/null
+From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 23 May 2013 10:32:17 -0700
+Subject: iscsi-target: fix heap buffer overflow on error
+
+From: Kees Cook <keescook@chromium.org>
+
+commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -712,9 +712,9 @@ static int iscsi_add_notunderstood_respo
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
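Review bot: Both strlcpy() calls discard the return value, so a key longer than `sizeof(extra_response->key)` is now truncated silently; that removes the overflow, but the NotUnderstood response then carries a key the initiator never sent and nothing is logged. strlcpy() returns the source length, so comparing the result with `sizeof(extra_response->key)` detects the truncation; a rate-limited message would suit, since this input arrives before authentication. At minimum I would add `/* key may exceed the buffer: truncate instead of overflowing */` above the first copy. strlcpy() also walks the whole source to compute that length, so `key` must already be NUL-terminated by the caller, which is outside this hunk, as are the start and end of iscsi_add_notunderstood_response().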
+@@ -1583,8 +1583,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
--- /dev/null
+From f448badd34700ae728a32ba024249626d49c10e1 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed, 29 May 2013 15:36:40 -0400
+Subject: NFSv4: Fix a thinko in nfs4_try_open_cached
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit f448badd34700ae728a32ba024249626d49c10e1 upstream.
+
+We need to pass the full open mode flags to nfs_may_open() when doing
+a delegated open.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1022,7 +1022,7 @@ static struct nfs4_state *nfs4_try_open_
+ struct nfs4_state *state = opendata->state;
+ struct nfs_inode *nfsi = NFS_I(state->inode);
+ struct nfs_delegation *delegation;
+- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC);
++ int open_mode = opendata->o_arg.open_flags;
+ fmode_t fmode = opendata->o_arg.fmode;
+ nfs4_stateid stateid;
+ int ret = -EAGAIN;
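Review bot: `open_mode` now carries every open flag instead of only `O_EXCL|O_TRUNC`, and the rest of nfs4_try_open_cached() is outside this hunk, so any other use of the variable that relied on it being pre-masked has to apply the mask itself. Because the value feeds the permission check for an open that is satisfied locally from a delegation, the declaration deserves a comment such as `/* full open flags: nfs_may_open() needs the access-mode bits, not just O_EXCL|O_TRUNC */`. That reading comes from the commit description; nfs_may_open() itself is not shown here.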
--- /dev/null
+From f7b3367774f92a688d39ed767f0ae9b93af7873a Mon Sep 17 00:00:00 2001
+From: Priyanka Jain <Priyanka.Jain@freescale.com>
+Date: Fri, 31 May 2013 01:20:02 +0000
+Subject: powerpc/32bit:Store temporary result in r0 instead of r8
+
+From: Priyanka Jain <Priyanka.Jain@freescale.com>
+
+commit f7b3367774f92a688d39ed767f0ae9b93af7873a upstream.
+
+Commit a9c4e541ea9b22944da356f2a9258b4eddcc953b
+"powerpc/kprobe: Complete kprobe and migrate exception frame"
+introduced a regression:
+
+While returning from exception handling in case of PREEMPT enabled,
+_TIF_NEED_RESCHED bit is checked in TI_FLAGS (thread_info flag) of current
+task. Only if this bit is set, it should continue with the process of
+calling preempt_schedule_irq() to schedule highest priority task if
+available.
+
+Current code assumes that r8 contains TI_FLAGS and check this for
+_TIF_NEED_RESCHED, but as r8 is modified in the code which executes before
+this check, r8 no longer contains the expected TI_FLAGS information.
+
+As a result check for comparison with _TIF_NEED_RESCHED was failing even if
+NEED_RESCHED bit is set in the current thread_info flag. Due to this,
+preempt_schedule_irq() and in turn scheduler was not getting called even if
+highest priority task is ready for execution.
+
+So, store temporary results in r0 instead of r8 to prevent r8 from getting
+modified as subsequent code is dependent on its value.
+
+Signed-off-by: Priyanka Jain <Priyanka.Jain@freescale.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_32.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/entry_32.S
++++ b/arch/powerpc/kernel/entry_32.S
+@@ -851,7 +851,7 @@ resume_kernel:
+ /* check current_thread_info, _TIF_EMULATE_STACK_STORE */
+ CURRENT_THREAD_INFO(r9, r1)
+ lwz r8,TI_FLAGS(r9)
+- andis. r8,r8,_TIF_EMULATE_STACK_STORE@h
++ andis. r0,r8,_TIF_EMULATE_STACK_STORE@h
+ beq+ 1f
+
+ addi r8,r1,INT_FRAME_SIZE /* Get the kprobed function entry */
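Review bot: Nothing at the `andis.` line says why the result goes to r0, so a later cleanup could fold it back into r8 and reintroduce the missed-reschedule regression described in the commit message. A comment on that line, such as `/* result in r0: r8 must keep TI_FLAGS for the _TIF_NEED_RESCHED test below */`, would pin the constraint. On the fall-through path the next instruction, `addi r8,r1,INT_FRAME_SIZE`, still overwrites r8; whether r8 holds TI_FLAGS again before the later test lies outside this hunk and is worth confirming. That r0 is dead at this point is likewise assumed rather than shown.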
--- /dev/null
+From 6ce6c629fd8254b3177650de99699682ff7f6707 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Sun, 26 May 2013 18:09:39 +0000
+Subject: powerpc/tm: Abort on emulation and alignment faults
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 6ce6c629fd8254b3177650de99699682ff7f6707 upstream.
+
+If we are emulating an instruction inside an active user transaction that
+touches memory, the kernel can't emulate it as it operates in transactional
+suspend context. We need to abort these transactions and send them back to
+userspace for the hardware to rollback.
+
+We can service these if the user transaction is in suspend mode, since the
+kernel will operate in the same suspend context.
+
+This adds a check to all alignment faults and to specific instruction
+emulations (only string instructions for now). If the user process is in an
+active (non-suspended) transaction, we abort the transaction go back to
+userspace allowing the HW to roll back the transaction and tell the user of the
+failure. This also adds new tm abort cause codes to report the reason of the
+persistent error to the user.
+
+Crappy test case here http://neuling.org/devel/junkcode/aligntm.c
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/powerpc/transactional_memory.txt | 7 ++++--
+ arch/powerpc/include/asm/reg.h | 2 +
+ arch/powerpc/kernel/traps.c | 29 +++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/Documentation/powerpc/transactional_memory.txt
++++ b/Documentation/powerpc/transactional_memory.txt
+@@ -180,9 +180,12 @@ kernel aborted a transaction:
+ transactions for consistency will use this.
+ TM_CAUSE_SIGNAL Signal delivered.
+ TM_CAUSE_MISC Currently unused.
++ TM_CAUSE_ALIGNMENT Alignment fault.
++ TM_CAUSE_EMULATE Emulation that touched memory.
+
+-These can be checked by the user program's abort handler as TEXASR[0:7].
+-
++These can be checked by the user program's abort handler as TEXASR[0:7]. If
++bit 7 is set, it indicates that the error is consider persistent. For example
++a TM_CAUSE_ALIGNMENT will be persistent while a TM_CAUSE_RESCHED will not.q
+
+ GDB
+ ===
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -122,6 +122,8 @@
+ #define TM_CAUSE_SYSCALL 0xd8 /* future use */
+ #define TM_CAUSE_MISC 0xd6 /* future use */
+ #define TM_CAUSE_SIGNAL 0xd4
++#define TM_CAUSE_ALIGNMENT 0xd2
++#define TM_CAUSE_EMULATE 0xd0
+
+ #if defined(CONFIG_PPC_BOOK3S_64)
+ #define MSR_64BIT MSR_SF
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -52,6 +52,7 @@
+ #ifdef CONFIG_PPC64
+ #include <asm/firmware.h>
+ #include <asm/processor.h>
++#include <asm/tm.h>
+ #endif
+ #include <asm/kexec.h>
+ #include <asm/ppc-opcode.h>
+@@ -913,6 +914,28 @@ static int emulate_isel(struct pt_regs *
+ return 0;
+ }
+
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++static inline bool tm_abort_check(struct pt_regs *regs, int cause)
++{
++ /* If we're emulating a load/store in an active transaction, we cannot
++ * emulate it as the kernel operates in transaction suspended context.
++ * We need to abort the transaction. This creates a persistent TM
++ * abort so tell the user what caused it with a new code.
++ */
++ if (MSR_TM_TRANSACTIONAL(regs->msr)) {
++ tm_enable();
++ tm_abort(cause);
++ return true;
++ }
++ return false;
++}
++#else
++static inline bool tm_abort_check(struct pt_regs *regs, int reason)
++{
++ return false;
++}
++#endif
++
+ static int emulate_instruction(struct pt_regs *regs)
+ {
+ u32 instword;
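Review bot: The stub for the build without CONFIG_PPC_TRANSACTIONAL_MEM names its second parameter `reason` while the real tm_abort_check() names it `cause`; use `cause` in both so the two definitions read as one interface. The block comment speaks only of "emulating a load/store", yet the helper is also called from alignment_exception() in the last hunk of this patch, so it should be worded around servicing a fault that touches memory. It should also state the contract: returns true when the transaction was aborted and the caller must not go on to emulate. One more line could say that only `MSR_TM_TRANSACTIONAL` is tested, so a suspended transaction deliberately falls through to normal handling.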
+@@ -952,6 +975,9 @@ static int emulate_instruction(struct pt
+
+ /* Emulate load/store string insn. */
+ if ((instword & PPC_INST_STRING_GEN_MASK) == PPC_INST_STRING) {
++ if (tm_abort_check(regs,
++ TM_CAUSE_EMULATE | TM_CAUSE_PERSISTENT))
++ return -EINVAL;
+ PPC_WARN_EMULATED(string, regs);
+ return emulate_string_inst(regs, instword);
+ }
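Review bot: After tm_abort_check() has aborted the transaction this path returns `-EINVAL`, whereas the alignment path added in the next hunk leaves through `goto bail`. What the caller of emulate_instruction() does with `-EINVAL` is not visible here; if it treats the value as "could not emulate" and raises a signal, the task would receive that signal on top of the TM abort, unlike the alignment case. A comment at the return stating the intended outcome, or a return value the caller can tell apart from a genuine emulation failure, would make the two paths consistent.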
+@@ -1124,6 +1150,9 @@ void alignment_exception(struct pt_regs
+ if (!arch_irq_disabled_regs(regs))
+ local_irq_enable();
+
++ if (tm_abort_check(regs, TM_CAUSE_ALIGNMENT | TM_CAUSE_PERSISTENT))
++ goto bail;
++
+ /* we don't implement logging of alignment exceptions */
+ if (!(current->thread.align_ctl & PR_UNALIGN_SIGBUS))
+ fixed = fix_alignment(regs);
--- /dev/null
+From 2b3f8e87cf99a33fb6faf5026d7147748bbd77b6 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Sun, 26 May 2013 18:09:41 +0000
+Subject: powerpc/tm: Fix userspace stack corruption on signal delivery for active transactions
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 2b3f8e87cf99a33fb6faf5026d7147748bbd77b6 upstream.
+
+When in an active transaction that takes a signal, we need to be careful with
+the stack. It's possible that the stack has moved back up after the tbegin.
+The obvious case here is when the tbegin is called inside a function that
+returns before a tend. In this case, the stack is part of the checkpointed
+transactional memory state. If we write over this non transactionally or in
+suspend, we are in trouble because if we get a tm abort, the program counter
+and stack pointer will be back at the tbegin but our in memory stack won't be
+valid anymore.
+
+To avoid this, when taking a signal in an active transaction, we need to use
+the stack pointer from the checkpointed state, rather than the speculated
+state. This ensures that the signal context (written tm suspended) will be
+written below the stack required for the rollback. The transaction is aborted
+becuase of the treclaim, so any memory written between the tbegin and the
+signal will be rolled back anyway.
+
+For signals taken in non-TM or suspended mode, we use the
+normal/non-checkpointed stack pointer.
+
+Tested with 64 and 32 bit signals
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/powerpc/transactional_memory.txt | 19 +++++++++++
+ arch/powerpc/include/asm/processor.h | 13 ++------
+ arch/powerpc/include/asm/signal.h | 3 +
+ arch/powerpc/kernel/signal.c | 40 +++++++++++++++++++++++--
+ arch/powerpc/kernel/signal.h | 2 -
+ arch/powerpc/kernel/signal_32.c | 10 +-----
+ arch/powerpc/kernel/signal_64.c | 23 ++++----------
+ 7 files changed, 74 insertions(+), 36 deletions(-)
+
+--- a/Documentation/powerpc/transactional_memory.txt
++++ b/Documentation/powerpc/transactional_memory.txt
+@@ -147,6 +147,25 @@ Example signal handler:
+ fix_the_problem(ucp->dar);
+ }
+
++When in an active transaction that takes a signal, we need to be careful with
++the stack. It's possible that the stack has moved back up after the tbegin.
++The obvious case here is when the tbegin is called inside a function that
++returns before a tend. In this case, the stack is part of the checkpointed
++transactional memory state. If we write over this non transactionally or in
++suspend, we are in trouble because if we get a tm abort, the program counter and
++stack pointer will be back at the tbegin but our in memory stack won't be valid
++anymore.
++
++To avoid this, when taking a signal in an active transaction, we need to use
++the stack pointer from the checkpointed state, rather than the speculated
++state. This ensures that the signal context (written tm suspended) will be
++written below the stack required for the rollback. The transaction is aborted
++becuase of the treclaim, so any memory written between the tbegin and the
++signal will be rolled back anyway.
++
++For signals taken in non-TM or suspended mode, we use the
++normal/non-checkpointed stack pointer.
++
+
+ Failure cause codes used by kernel
+ ==================================
+--- a/arch/powerpc/include/asm/processor.h
++++ b/arch/powerpc/include/asm/processor.h
+@@ -407,21 +407,16 @@ static inline void prefetchw(const void
+ #endif
+
+ #ifdef CONFIG_PPC64
+-static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
++static inline unsigned long get_clean_sp(unsigned long sp, int is_32)
+ {
+- unsigned long sp;
+-
+ if (is_32)
+- sp = regs->gpr[1] & 0x0ffffffffUL;
+- else
+- sp = regs->gpr[1];
+-
++ return sp & 0x0ffffffffUL;
+ return sp;
+ }
+ #else
+-static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
++static inline unsigned long get_clean_sp(unsigned long sp, int is_32)
+ {
+- return regs->gpr[1];
++ return sp;
+ }
+ #endif
+
+--- a/arch/powerpc/include/asm/signal.h
++++ b/arch/powerpc/include/asm/signal.h
+@@ -3,5 +3,8 @@
+
+ #define __ARCH_HAS_SA_RESTORER
+ #include <uapi/asm/signal.h>
++#include <uapi/asm/ptrace.h>
++
++extern unsigned long get_tm_stackpointer(struct pt_regs *regs);
+
+ #endif /* _ASM_POWERPC_SIGNAL_H */
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -17,6 +17,7 @@
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+ #include <asm/debug.h>
++#include <asm/tm.h>
+
+ #include "signal.h"
+
+@@ -29,13 +30,13 @@ int show_unhandled_signals = 0;
+ /*
+ * Allocate space for the signal frame
+ */
+-void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
++void __user * get_sigframe(struct k_sigaction *ka, unsigned long sp,
+ size_t frame_size, int is_32)
+ {
+ unsigned long oldsp, newsp;
+
+ /* Default to using normal stack */
+- oldsp = get_clean_sp(regs, is_32);
++ oldsp = get_clean_sp(sp, is_32);
+
+ /* Check for alt stack */
+ if ((ka->sa.sa_flags & SA_ONSTACK) &&
+@@ -170,3 +171,38 @@ void do_notify_resume(struct pt_regs *re
+ tracehook_notify_resume(regs);
+ }
+ }
++
++unsigned long get_tm_stackpointer(struct pt_regs *regs)
++{
++ /* When in an active transaction that takes a signal, we need to be
++ * careful with the stack. It's possible that the stack has moved back
++ * up after the tbegin. The obvious case here is when the tbegin is
++ * called inside a function that returns before a tend. In this case,
++ * the stack is part of the checkpointed transactional memory state.
++ * If we write over this non transactionally or in suspend, we are in
++ * trouble because if we get a tm abort, the program counter and stack
++ * pointer will be back at the tbegin but our in memory stack won't be
++ * valid anymore.
++ *
++ * To avoid this, when taking a signal in an active transaction, we
++ * need to use the stack pointer from the checkpointed state, rather
++ * than the speculated state. This ensures that the signal context
++ * (written tm suspended) will be written below the stack required for
++ * the rollback. The transaction is aborted becuase of the treclaim,
++ * so any memory written between the tbegin and the signal will be
++ * rolled back anyway.
++ *
++ * For signals taken in non-TM or suspended mode, we use the
++ * normal/non-checkpointed stack pointer.
++ */
++
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ if (MSR_TM_ACTIVE(regs->msr)) {
++ tm_enable();
++ tm_reclaim(¤t->thread, regs->msr, TM_CAUSE_SIGNAL);
++ if (MSR_TM_TRANSACTIONAL(regs->msr))
++ return current->thread.ckpt_regs.gpr[1];
++ }
++#endif
++ return regs->gpr[1];
++}
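Review bot: get_tm_stackpointer() reads like an accessor, but in an active transaction it runs `tm_enable()` and `tm_reclaim()`, and this patch removes the matching reclaim from save_tm_user_regs() and setup_tm_sigcontexts(). Those two functions are now correct only if every signal path has called this helper first, and only once; the three call sites changed here pass it inline as an argument to get_sigframe(), which hides that ordering. I would state the side effect and the call-once-before-saving-TM-state requirement in a header comment above the function, and consider a name that says so. The long in-body comment is a verbatim copy of the Documentation text (including "becuase") and could shrink to the rule plus a pointer to transactional_memory.txt. `regs->msr` is tested again after the reclaim, so the code relies on tm_reclaim() leaving the TS bits in `regs` untouched, which deserves one line as well.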
+--- a/arch/powerpc/kernel/signal.h
++++ b/arch/powerpc/kernel/signal.h
+@@ -12,7 +12,7 @@
+
+ extern void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags);
+
+-extern void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
++extern void __user * get_sigframe(struct k_sigaction *ka, unsigned long sp,
+ size_t frame_size, int is_32);
+
+ extern int handle_signal32(unsigned long sig, struct k_sigaction *ka,
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -503,12 +503,6 @@ static int save_tm_user_regs(struct pt_r
+ {
+ unsigned long msr = regs->msr;
+
+- /* tm_reclaim rolls back all reg states, updating thread.ckpt_regs,
+- * thread.transact_fpr[], thread.transact_vr[], etc.
+- */
+- tm_enable();
+- tm_reclaim(¤t->thread, msr, TM_CAUSE_SIGNAL);
+-
+ /* Make sure floating point registers are stored in regs */
+ flush_fp_to_thread(current);
+
+@@ -965,7 +959,7 @@ int handle_rt_signal32(unsigned long sig
+
+ /* Set up Signal Frame */
+ /* Put a Real Time Context onto stack */
+- rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1);
++ rt_sf = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*rt_sf), 1);
+ addr = rt_sf;
+ if (unlikely(rt_sf == NULL))
+ goto badframe;
+@@ -1403,7 +1397,7 @@ int handle_signal32(unsigned long sig, s
+ unsigned long tramp;
+
+ /* Set up Signal Frame */
+- frame = get_sigframe(ka, regs, sizeof(*frame), 1);
++ frame = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*frame), 1);
+ if (unlikely(frame == NULL))
+ goto badframe;
+ sc = (struct sigcontext __user *) &frame->sctx;
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -154,11 +154,12 @@ static long setup_sigcontext(struct sigc
+ * As above, but Transactional Memory is in use, so deliver sigcontexts
+ * containing checkpointed and transactional register states.
+ *
+- * To do this, we treclaim to gather both sets of registers and set up the
+- * 'normal' sigcontext registers with rolled-back register values such that a
+- * simple signal handler sees a correct checkpointed register state.
+- * If interested, a TM-aware sighandler can examine the transactional registers
+- * in the 2nd sigcontext to determine the real origin of the signal.
++ * To do this, we treclaim (done before entering here) to gather both sets of
++ * registers and set up the 'normal' sigcontext registers with rolled-back
++ * register values such that a simple signal handler sees a correct
++ * checkpointed register state. If interested, a TM-aware sighandler can
++ * examine the transactional registers in the 2nd sigcontext to determine the
++ * real origin of the signal.
+ */
+ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ struct sigcontext __user *tm_sc,
+@@ -184,16 +185,6 @@ static long setup_tm_sigcontexts(struct
+
+ BUG_ON(!MSR_TM_ACTIVE(regs->msr));
+
+- /* tm_reclaim rolls back all reg states, saving checkpointed (older)
+- * GPRs to thread.ckpt_regs and (if used) FPRs to (newer)
+- * thread.transact_fp and/or VRs to (newer) thread.transact_vr.
+- * THEN we save out FP/VRs, if necessary, to the checkpointed (older)
+- * thread.fr[]/vr[]s. The transactional (newer) GPRs are on the
+- * stack, in *regs.
+- */
+- tm_enable();
+- tm_reclaim(¤t->thread, msr, TM_CAUSE_SIGNAL);
+-
+ flush_fp_to_thread(current);
+
+ #ifdef CONFIG_ALTIVEC
+@@ -711,7 +702,7 @@ int handle_rt_signal64(int signr, struct
+ unsigned long newsp = 0;
+ long err = 0;
+
+- frame = get_sigframe(ka, regs, sizeof(*frame), 0);
++ frame = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*frame), 0);
+ if (unlikely(frame == NULL))
+ goto badframe;
+
--- /dev/null
+From 35f7097fcedec63fcba1852dbee96f74a2d90878 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Sun, 26 May 2013 18:09:37 +0000
+Subject: powerpc/tm: Make room for hypervisor in abort cause codes
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 35f7097fcedec63fcba1852dbee96f74a2d90878 upstream.
+
+PAPR carves out 0xff-0xe0 for hypervisor use of transactional memory software
+abort cause codes. Unfortunately we don't respect this currently.
+
+Below fixes this to move our cause codes to below this region.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -113,14 +113,15 @@
+
+ /* Reason codes describing kernel causes for transaction aborts. By
+ convention, bit0 is copied to TEXASR[56] (IBM bit 7) which is set if
+- the failure is persistent.
++ the failure is persistent. PAPR saves 0xff-0xe0 for the hypervisor.
+ */
+-#define TM_CAUSE_RESCHED 0xfe
+-#define TM_CAUSE_TLBI 0xfc
+-#define TM_CAUSE_FAC_UNAV 0xfa
+-#define TM_CAUSE_SYSCALL 0xf9 /* Persistent */
+-#define TM_CAUSE_MISC 0xf6
+-#define TM_CAUSE_SIGNAL 0xf4
++#define TM_CAUSE_PERSISTENT 0x01
++#define TM_CAUSE_RESCHED 0xde
++#define TM_CAUSE_TLBI 0xdc
++#define TM_CAUSE_FAC_UNAV 0xda
++#define TM_CAUSE_SYSCALL 0xd8 /* future use */
++#define TM_CAUSE_MISC 0xd6 /* future use */
++#define TM_CAUSE_SIGNAL 0xd4
+
+ #if defined(CONFIG_PPC_BOOK3S_64)
+ #define MSR_64BIT MSR_SF
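Review bot: `TM_CAUSE_PERSISTENT 0x01` sits in the same column as the cause codes although it is a flag to be ORed into one, as the `TM_CAUSE_ALIGNMENT | TM_CAUSE_PERSISTENT` use in the alignment-fault patch on this page shows. The comment should say so, for example `TM_CAUSE_PERSISTENT is a flag ORed into a cause code; the cause codes keep bit0 clear`, and the define should be set apart from the list. TM_CAUSE_SYSCALL also changes from 0xf9, annotated "Persistent", to 0xd8 with bit0 clear, so a future user has to add the flag explicitly; the "future use" comment could mention that. These values reach user space through TEXASR, so the renumbering is visible to any program that compared against the old constants.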
--- /dev/null
+From b75c100ef24894bd2c8b52e123bcc5f191c5d9fd Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Sun, 26 May 2013 18:30:56 +0000
+Subject: powerpc/tm: Move TM abort cause codes to uapi
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit b75c100ef24894bd2c8b52e123bcc5f191c5d9fd upstream.
+
+These cause codes are usable by userspace, so let's export to uapi.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 14 --------------
+ arch/powerpc/include/asm/tm.h | 2 ++
+ arch/powerpc/include/uapi/asm/Kbuild | 1 +
+ arch/powerpc/include/uapi/asm/tm.h | 18 ++++++++++++++++++
+ 4 files changed, 21 insertions(+), 14 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -111,20 +111,6 @@
+ #define MSR_TM_TRANSACTIONAL(x) (((x) & MSR_TS_MASK) == MSR_TS_T)
+ #define MSR_TM_SUSPENDED(x) (((x) & MSR_TS_MASK) == MSR_TS_S)
+
+-/* Reason codes describing kernel causes for transaction aborts. By
+- convention, bit0 is copied to TEXASR[56] (IBM bit 7) which is set if
+- the failure is persistent. PAPR saves 0xff-0xe0 for the hypervisor.
+-*/
+-#define TM_CAUSE_PERSISTENT 0x01
+-#define TM_CAUSE_RESCHED 0xde
+-#define TM_CAUSE_TLBI 0xdc
+-#define TM_CAUSE_FAC_UNAV 0xda
+-#define TM_CAUSE_SYSCALL 0xd8 /* future use */
+-#define TM_CAUSE_MISC 0xd6 /* future use */
+-#define TM_CAUSE_SIGNAL 0xd4
+-#define TM_CAUSE_ALIGNMENT 0xd2
+-#define TM_CAUSE_EMULATE 0xd0
+-
+ #if defined(CONFIG_PPC_BOOK3S_64)
+ #define MSR_64BIT MSR_SF
+
+--- a/arch/powerpc/include/asm/tm.h
++++ b/arch/powerpc/include/asm/tm.h
+@@ -5,6 +5,8 @@
+ * Copyright 2012 Matt Evans & Michael Neuling, IBM Corporation.
+ */
+
++#include <uapi/asm/tm.h>
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ extern void do_load_up_transact_fpu(struct thread_struct *thread);
+ extern void do_load_up_transact_altivec(struct thread_struct *thread);
+--- a/arch/powerpc/include/uapi/asm/Kbuild
++++ b/arch/powerpc/include/uapi/asm/Kbuild
+@@ -40,6 +40,7 @@ header-y += statfs.h
+ header-y += swab.h
+ header-y += termbits.h
+ header-y += termios.h
++header-y += tm.h
+ header-y += types.h
+ header-y += ucontext.h
+ header-y += unistd.h
+--- /dev/null
++++ b/arch/powerpc/include/uapi/asm/tm.h
+@@ -0,0 +1,18 @@
++#ifndef _ASM_POWERPC_TM_H
++#define _ASM_POWERPC_TM_H
++
++/* Reason codes describing kernel causes for transaction aborts. By
++ * convention, bit0 is copied to TEXASR[56] (IBM bit 7) which is set if
++ * the failure is persistent. PAPR saves 0xff-0xe0 for the hypervisor.
++ */
++#define TM_CAUSE_PERSISTENT 0x01
++#define TM_CAUSE_RESCHED 0xde
++#define TM_CAUSE_TLBI 0xdc
++#define TM_CAUSE_FAC_UNAV 0xda
++#define TM_CAUSE_SYSCALL 0xd8 /* future use */
++#define TM_CAUSE_MISC 0xd6 /* future use */
++#define TM_CAUSE_SIGNAL 0xd4
++#define TM_CAUSE_ALIGNMENT 0xd2
++#define TM_CAUSE_EMULATE 0xd0
++
++#endif
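Review bot: The new uapi header uses the include guard `_ASM_POWERPC_TM_H`, which is the name the kernel-internal `asm/tm.h` would conventionally take; that file shows no guard in its hunk on this page, but if it ever gains one under this name the two headers would suppress each other. `_UAPI_ASM_POWERPC_TM_H` follows the usual uapi naming and avoids the clash, and the closing line would then read `#endif /* _UAPI_ASM_POWERPC_TM_H */`. Documentation/powerpc/transactional_memory.txt, whose hunk header elsewhere on this page still says the codes are "defined in <asm/reg.h>", should be updated to point at the new location.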
--- /dev/null
+From 24b92375dc4ec8a15262e8aaaab60b7404d4b1e7 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Sun, 26 May 2013 18:09:38 +0000
+Subject: powerpc/tm: Update cause codes documentation
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 24b92375dc4ec8a15262e8aaaab60b7404d4b1e7 upstream.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/powerpc/transactional_memory.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/powerpc/transactional_memory.txt
++++ b/Documentation/powerpc/transactional_memory.txt
+@@ -155,6 +155,7 @@ These are defined in <asm/reg.h>, and di
+ kernel aborted a transaction:
+
+ TM_CAUSE_RESCHED Thread was rescheduled.
++ TM_CAUSE_TLBI Software TLB invalide.
+ TM_CAUSE_FAC_UNAV FP/VEC/VSX unavailable trap.
+ TM_CAUSE_SYSCALL Currently unused; future syscalls that must abort
+ transactions for consistency will use this.
drm-radeon-fix-card_posted-check-for-newer-asics.patch
crypto-caam-fix-inconsistent-assoc-dma-mapping-direction.patch
cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
+powerpc-32bit-store-temporary-result-in-r0-instead-of-r8.patch
+powerpc-tm-make-room-for-hypervisor-in-abort-cause-codes.patch
+powerpc-tm-update-cause-codes-documentation.patch
+powerpc-tm-fix-userspace-stack-corruption-on-signal-delivery-for-active-transactions.patch
+powerpc-tm-abort-on-emulation-and-alignment-faults.patch
+powerpc-tm-move-tm-abort-cause-codes-to-uapi.patch
+iscsi-target-fix-heap-buffer-overflow-on-error.patch
+ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
+nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch