--- /dev/null
+From 904dad4742d211b7a8910e92695c0fa957483836 Mon Sep 17 00:00:00 2001
+From: Andy Leiserson <andy@leiserson.org>
+Date: Sun, 18 Oct 2015 00:36:29 -0400
+Subject: [PATCH] fix calculation of meta_bg descriptor backups
+
+From: Andy Leiserson <andy@leiserson.org>
+
+commit 904dad4742d211b7a8910e92695c0fa957483836 upstream.
+
+"group" is the group where the backup will be placed, and is
+initialized to zero in the declaration. This meant that backups for
+meta_bg descriptors were erroneously written to the backup block group
+descriptors in groups 1 and (desc_per_block-1).
+
+Reproduction information:
+ mke2fs -Fq -t ext4 -b 1024 -O ^resize_inode /tmp/foo.img 16G
+ truncate -s 24G /tmp/foo.img
+ losetup /dev/loop0 /tmp/foo.img
+ mount /dev/loop0 /mnt
+ resize2fs /dev/loop0
+ umount /dev/loop0
+ dd if=/dev/zero of=/dev/loop0 bs=1024 count=2
+ e2fsck -fy /dev/loop0
+ losetup -d /dev/loop0
+
+Signed-off-by: Andy Leiserson <andy@leiserson.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1030,7 +1030,7 @@ exit_free:
+ * do not copy the full number of backups at this time. The resize
+ * which changed s_groups_count will backup again.
+ */
+-static void update_backups(struct super_block *sb, int blk_off, char *data,
++static void update_backups(struct super_block *sb, sector_t blk_off, char *data,
+ int size, int meta_bg)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
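Review bot: `blk_off` becomes `sector_t` in the signature of update_backups, but the second hunk hands it to ext4_get_group_number() as a filesystem block number, and `sector_t` can be narrower than `ext4_fsblk_t` on 32-bit builds without large block device support. Declaring it as `ext4_fsblk_t blk_off` would match what the value holds and remove any dependence on kernel configuration. The header comment above the function, only partly visible here, could also say that in the meta_bg case `blk_off` appears to be an absolute block number from which the group is derived. The function body continues outside both hunks.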
+@@ -1055,7 +1055,7 @@ static void update_backups(struct super_
+ group = ext4_list_backups(sb, &three, &five, &seven);
+ last = sbi->s_groups_count;
+ } else {
+- group = ext4_meta_bg_first_group(sb, group) + 1;
++ group = ext4_get_group_number(sb, blk_off) + 1;
+ last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2);
+ }
+
--- /dev/null
+From bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 24 Nov 2015 15:34:35 -0500
+Subject: jbd2: Fix unreclaimed pages after truncate in data=journal mode
+
+From: Jan Kara <jack@suse.cz>
+
+commit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream.
+
+Ted and Namjae have reported that truncated pages don't get timely
+reclaimed after being truncated in data=journal mode. The following test
+triggers the issue easily:
+
+for (i = 0; i < 1000; i++) {
+ pwrite(fd, buf, 1024*1024, 0);
+ fsync(fd);
+ fsync(fd);
+ ftruncate(fd, 0);
+}
+
+The reason is that journal_unmap_buffer() finds that truncated buffers
+are not journalled (jh->b_transaction == NULL), they are part of
+checkpoint list of a transaction (jh->b_cp_transaction != NULL) and have
+been already written out (!buffer_dirty(bh)). We clean such buffers but
+we leave them in the checkpoint list. Since checkpoint transaction holds
+a reference to the journal head, these buffers cannot be released until
+the checkpoint transaction is cleaned up. And at that point we don't
+call release_buffer_page() anymore so pages detached from mapping are
+lingering in the system waiting for reclaim to find them and free them.
+
+Fix the problem by removing buffers from transaction checkpoint lists
+when journal_unmap_buffer() finds out they don't have to be there
+anymore.
+
+Reported-and-tested-by: Namjae Jeon <namjae.jeon@samsung.com>
+Fixes: de1b794130b130e77ffa975bb58cb843744f9ae5
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2066,6 +2066,7 @@ static int journal_unmap_buffer(journal_
+
+ if (!buffer_dirty(bh)) {
+ /* bdflush has written it. We can drop it now */
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+
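Review bot: The existing comment `/* bdflush has written it. We can drop it now */` no longer explains the line below it, because the added `__jbd2_journal_remove_checkpoint(jh);` is what actually releases the buffer. A comment such as `/* already written out: take it off the checkpoint list so the journal head reference is dropped */` would record the reason given in the commit message. The same applies to the call added after `clear_buffer_jbddirty(bh)` in the second hunk. Both calls discard the return value, and whatever locking the helper expects is taken outside these hunks, so a one-line mention of the required lock (to be confirmed against the function's prologue) would help. journal_unmap_buffer starts and ends outside both hunks.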
+@@ -2095,6 +2096,7 @@ static int journal_unmap_buffer(journal_
+ /* The orphan record's transaction has
+ * committed. We can cleanse this buffer */
+ clear_buffer_jbddirty(bh);
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+ }
--- /dev/null
+From d9a985883fa32453d099d6293188c11d75cef1fa Mon Sep 17 00:00:00 2001
+From: Tiffany Lin <tiffany.lin@mediatek.com>
+Date: Thu, 24 Sep 2015 06:02:36 -0300
+Subject: [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish
+
+From: Tiffany Lin <tiffany.lin@mediatek.com>
+
+commit d9a985883fa32453d099d6293188c11d75cef1fa upstream.
+
+In videobuf2 dma-contig memory type the prepare and finish ops, instead of
+passing the number of entries in the original scatterlist as the "nents"
+parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), the value
+returned by dma_map_sg() was used. Albeit this has been suggested in
+comments of some implementations (which have since been corrected), this
+is wrong.
+
+Fixes: 199d101efdba ("v4l: vb2-dma-contig: add prepare/finish to dma-contig allocator")
+
+Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-dma-contig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-dma-contig.c
++++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c
+@@ -117,7 +117,8 @@ static void vb2_dc_prepare(void *buf_pri
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents,
++ buf->dma_dir);
+ }
+
+ static void vb2_dc_finish(void *buf_priv)
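Review bot: Nothing in vb2_dc_prepare or vb2_dc_finish records why `sgt->orig_nents` is the right count, and the commit message notes that the opposite was once recommended in comments elsewhere. A short comment above the call, e.g. `/* sync takes the entry count given to dma_map_sg(), not its return value */`, would keep a later cleanup from switching back to `sgt->nents`. The same applies to the dma_sync_sg_for_cpu() call in the second hunk. Other dma_sync_sg_* or dma_unmap_sg() users in this file are outside the hunks and are worth checking for the same mix-up.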
+@@ -129,7 +130,7 @@ static void vb2_dc_finish(void *buf_priv
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir);
+ }
+
+ /*********************************************/
--- /dev/null
+From e5bae86797141e4a95e42d825f737cb36d7b8c37 Mon Sep 17 00:00:00 2001
+From: Boris BREZILLON <boris.brezillon@free-electrons.com>
+Date: Thu, 30 Jul 2015 12:18:03 +0200
+Subject: mtd: mtdpart: fix add_mtd_partitions error path
+
+From: Boris BREZILLON <boris.brezillon@free-electrons.com>
+
+commit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream.
+
+If we fail to allocate a partition structure in the middle of the partition
+creation process, the already allocated partitions are never removed, which
+means they are still present in the partition list and their resources are
+never freed.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtdpart.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -635,8 +635,10 @@ int add_mtd_partitions(struct mtd_info *
+
+ for (i = 0; i < nbparts; i++) {
+ slave = allocate_partition(master, parts + i, i, cur_offset);
+- if (IS_ERR(slave))
++ if (IS_ERR(slave)) {
++ del_mtd_partitions(master);
+ return PTR_ERR(slave);
++ }
+
+ mutex_lock(&mtd_partitions_mutex);
+ list_add(&slave->list, &mtd_partitions);
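Review bot: The new error branch calls `del_mtd_partitions(master);` and drops its result. If removing an already registered partition can fail, the caller sees only the allocation error while entries stay on the partition list. Capturing the result and at least logging a non-zero value (`if (del_mtd_partitions(master)) pr_warn(...)`) would make a partial cleanup visible. The call sits before `mutex_lock(&mtd_partitions_mutex)`, which is only correct if del_mtd_partitions takes that mutex itself; a short comment saying so would help. add_mtd_partitions starts and ends outside the hunk.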
--- /dev/null
+From dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 22 Nov 2015 12:14:14 +0100
+Subject: parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 upstream.
+
+Drop the MADV_xxK_PAGES flags, which were never used and were from a proposed
+API which was never integrated into the generic Linux kernel code.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/mman.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/mman.h
++++ b/arch/parisc/include/uapi/asm/mman.h
+@@ -46,16 +46,6 @@
+ #define MADV_DONTFORK 10 /* don't inherit across fork */
+ #define MADV_DOFORK 11 /* do inherit across fork */
+
+-/* The range 12-64 is reserved for page size specification. */
+-#define MADV_4K_PAGES 12 /* Use 4K pages */
+-#define MADV_16K_PAGES 14 /* Use 16K pages */
+-#define MADV_64K_PAGES 16 /* Use 64K pages */
+-#define MADV_256K_PAGES 18 /* Use 256K pages */
+-#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */
+-#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */
+-#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */
+-#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */
+-
+ #define MADV_MERGEABLE 65 /* KSM may merge identical pages */
+ #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */
+
--- /dev/null
+From e60fc5aa608eb38b47ba4ee058f306f739eb70a0 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 10 Jan 2016 09:30:42 +0100
+Subject: parisc: Fix __ARCH_SI_PREAMBLE_SIZE
+
+From: Helge Deller <deller@gmx.de>
+
+commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream.
+
+On a 64bit kernel build the compiler aligns the _sifields union in the
+struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define
+compensates for this alignment and thus fixes the wait testcase of the
+strace package.
+
+The symptom of a wrong __ARCH_SI_PREAMBLE_SIZE value is that the
+_sigchld.si_stime variable is not copied and thus holds uninitialized
+values after a copy_siginfo().
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/siginfo.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/include/uapi/asm/siginfo.h
++++ b/arch/parisc/include/uapi/asm/siginfo.h
+@@ -1,6 +1,10 @@
+ #ifndef _PARISC_SIGINFO_H
+ #define _PARISC_SIGINFO_H
+
++#if defined(__LP64__)
++#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int))
++#endif
++
+ #include <asm-generic/siginfo.h>
+
+ #undef NSIGTRAP
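Review bot: The added `__ARCH_SI_PREAMBLE_SIZE` definition has no comment explaining why the LP64 value is `4 * sizeof(int)`. The commit message says a wrong value leaves part of the siginfo uncopied and therefore uninitialised. A comment such as `/* _sifields is 64-bit aligned on LP64, so the preamble includes one int of padding */` would record the reasoning. It should also say that the define must stay above `#include <asm-generic/siginfo.h>`, presumably because the generic header supplies a default when the macro is not already defined.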
--- /dev/null
+From 71a71fb5374a23be36a91981b5614590b9e722c3 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 21 Dec 2015 10:03:30 +0100
+Subject: parisc: Fix syscall restarts
+
+From: Helge Deller <deller@gmx.de>
+
+commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream.
+
+On parisc, syscalls which are interrupted by signals sometimes failed to
+restart and instead returned -ENOSYS, which in the worst case led to
+userspace crashes.
+A similar problem existed on MIPS and was fixed by commit e967ef02
+("MIPS: Fix restart of indirect syscalls").
+
+On parisc the current syscall restart code assumes that all syscall
+callers load the syscall number in the delay slot of the ble
+instruction. That's how it is e.g. done in the unistd.h header file:
+ ble 0x100(%sr2, %r0)
+ ldi #syscall_nr, %r20
+Because of that assumption the current code never restored %r20 before
+returning to userspace.
+
+This assumption is at least not true for code which uses the glibc
+syscall() function, which instead uses this syntax:
+ ble 0x100(%sr2, %r0)
+ copy regX, %r20
+where regX depend on how the compiler optimizes the code and register
+usage.
+
+This patch fixes this problem by adding code to analyze how the syscall
+number is loaded in the delay branch and - if needed - copy the syscall
+number to regX prior returning to userspace for the syscall restart.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/signal.c | 64 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 52 insertions(+), 12 deletions(-)
+
+--- a/arch/parisc/kernel/signal.c
++++ b/arch/parisc/kernel/signal.c
+@@ -442,6 +442,55 @@ handle_signal(unsigned long sig, siginfo
+ regs->gr[28]);
+ }
+
++/*
++ * Check how the syscall number gets loaded into %r20 within
++ * the delay branch in userspace and adjust as needed.
++ */
++
++static void check_syscallno_in_delay_branch(struct pt_regs *regs)
++{
++ u32 opcode, source_reg;
++ u32 __user *uaddr;
++ int err;
++
++ /* Usually we don't have to restore %r20 (the system call number)
++ * because it gets loaded in the delay slot of the branch external
++ * instruction via the ldi instruction.
++ * In some cases a register-to-register copy instruction might have
++ * been used instead, in which case we need to copy the syscall
++ * number into the source register before returning to userspace.
++ */
++
++ /* A syscall is just a branch, so all we have to do is fiddle the
++ * return pointer so that the ble instruction gets executed again.
++ */
++ regs->gr[31] -= 8; /* delayed branching */
++
++ /* Get assembler opcode of code in delay branch */
++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4);
++ err = get_user(opcode, uaddr);
++ if (err)
++ return;
++
++ /* Check if delay branch uses "ldi int,%r20" */
++ if ((opcode & 0xffff0000) == 0x34140000)
++ return; /* everything ok, just return */
++
++ /* Check if delay branch uses "nop" */
++ if (opcode == INSN_NOP)
++ return;
++
++ /* Check if delay branch uses "copy %rX,%r20" */
++ if ((opcode & 0xffe0ffff) == 0x08000254) {
++ source_reg = (opcode >> 16) & 31;
++ regs->gr[source_reg] = regs->gr[20];
++ return;
++ }
++
++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n",
++ current->comm, task_pid_nr(current), opcode);
++}
++
+ static inline void
+ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka)
+ {
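Review bot: The `pr_warn()` at the end of check_syscallno_in_delay_branch fires whenever the delay-slot instruction is not one of the three recognised forms. That instruction is chosen by userspace, so a process whose syscalls get restarted can fill the kernel log without limit. Using `pr_warn_ratelimited(...)` with the same arguments bounds that. The cast in `uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4);` also drops the `__user` annotation carried by the declaration; `(u32 __user *)` keeps sparse checking intact. When get_user() fails the function returns after `regs->gr[31]` has already been adjusted, which looks intended but deserves a one-line comment.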
+@@ -464,10 +513,7 @@ syscall_restart(struct pt_regs *regs, st
+ }
+ /* fallthrough */
+ case -ERESTARTNOINTR:
+- /* A syscall is just a branch, so all
+- * we have to do is fiddle the return pointer.
+- */
+- regs->gr[31] -= 8; /* delayed branching */
++ check_syscallno_in_delay_branch(regs);
+ break;
+ }
+ }
+@@ -516,15 +562,9 @@ insert_restart_trampoline(struct pt_regs
+ }
+ case -ERESTARTNOHAND:
+ case -ERESTARTSYS:
+- case -ERESTARTNOINTR: {
+- /* Hooray for delayed branching. We don't
+- * have to restore %r20 (the system call
+- * number) because it gets loaded in the delay
+- * slot of the branch external instruction.
+- */
+- regs->gr[31] -= 8;
++ case -ERESTARTNOINTR:
++ check_syscallno_in_delay_branch(regs);
+ return;
+- }
+ default:
+ break;
+ }
--- /dev/null
+From 3460baa620685c20f5ee19afb6d99d26150c382c Mon Sep 17 00:00:00 2001
+From: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Date: Wed, 23 Dec 2015 16:51:57 +0100
+Subject: PCI: Fix minimum allocation address overwrite
+
+From: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+
+commit 3460baa620685c20f5ee19afb6d99d26150c382c upstream.
+
+Commit 36e097a8a297 ("PCI: Split out bridge window override of minimum
+allocation address") claimed to do no functional changes but unfortunately
+did: The "min" variable is altered. At least the AVM A1 PCMCIA adapter was
+no longer detected, breaking ISDN operation.
+
+Use a local copy of "min" to restore the previous behaviour.
+
+[bhelgaas: avoid gcc "?:" extension for portability and readability]
+Fixes: 36e097a8a297 ("PCI: Split out bridge window override of minimum allocation address")
+Signed-off-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -147,6 +147,8 @@ static int pci_bus_alloc_from_region(str
+ type_mask |= IORESOURCE_IO | IORESOURCE_MEM;
+
+ pci_bus_for_each_resource(bus, r, i) {
++ resource_size_t min_used = min;
++
+ if (!r)
+ continue;
+
+@@ -170,12 +172,12 @@ static int pci_bus_alloc_from_region(str
+ * overrides "min".
+ */
+ if (avail.start)
+- min = avail.start;
++ min_used = avail.start;
+
+ max = avail.end;
+
+ /* Ok, try it out.. */
+- ret = allocate_resource(r, res, size, min, max,
++ ret = allocate_resource(r, res, size, min_used, max,
+ align, alignf, alignf_data);
+ if (ret == 0)
+ return 0;
--- /dev/null
+From 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 Mon Sep 17 00:00:00 2001
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Date: Thu, 29 Oct 2015 10:24:23 -0200
+Subject: Revert "dm mpath: fix stalls when handling invalid ioctls"
+
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+
+commit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream.
+
+This reverts commit a1989b330093578ea5470bea0a00f940c444c466.
+
+That commit introduced a regression at least for the case of the SG_IO ioctl()
+running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there
+are no active paths: the ioctl() fails with the ENOTTY errno immediately rather
+than blocking due to queue_if_no_path until a path becomes active, for example.
+
+That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices
+(qemu "-device scsi-block" [1], libvirt "<disk type='block' device='lun'>" [2])
+from multipath devices; which leads to SCSI/filesystem errors in such a guest.
+
+More general scenarios can hit that regression too. The following demonstration
+employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective
+(some output & user changes omitted for brevity and comments added for clarity).
+
+Reverting that commit restores normal operation (queueing) in failing scenarios;
+tested on linux-next (next-20151022).
+
+1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM)
+
+ $ cat sg_simple0.c
+ ... see [3] ...
+ $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c
+ $ gcc sgio_inquiry.c -o sgio_inquiry
+
+2) The ioctl() works fine with active paths present.
+
+ # multipath -l 85ag56
+ 85ag56 (...) dm-19 IBM ,2145
+ size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
+ |-+- policy='service-time 0' prio=0 status=active
+ | |- 8:0:11:0 sdz 65:144 active undef running
+ | `- 9:0:9:0 sdbf 67:144 active undef running
+ `-+- policy='service-time 0' prio=0 status=enabled
+ |- 8:0:12:0 sdae 65:224 active undef running
+ `- 9:0:12:0 sdbo 68:32 active undef running
+
+ $ ./sgio_inquiry /dev/mapper/85ag56
+ Some of the INQUIRY command's response:
+ IBM 2145 0000
+ INQUIRY duration=0 millisecs, resid=0
+
+3) The ioctl() fails with ENOTTY errno with _no_ active paths present,
+ for unprivileged users (rather than blocking due to queue_if_no_path).
+
+ # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \
+ do multipathd -k"fail path $path"; done
+
+ # multipath -l 85ag56
+ 85ag56 (...) dm-19 IBM ,2145
+ size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
+ |-+- policy='service-time 0' prio=0 status=enabled
+ | |- 8:0:11:0 sdz 65:144 failed undef running
+ | `- 9:0:9:0 sdbf 67:144 failed undef running
+ `-+- policy='service-time 0' prio=0 status=enabled
+ |- 8:0:12:0 sdae 65:224 failed undef running
+ `- 9:0:12:0 sdbo 68:32 failed undef running
+
+ $ ./sgio_inquiry /dev/mapper/85ag56
+ sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
+
+4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285);
+ it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl().
+
+ $ dmesg
+ <...>
+ [] device-mapper: multipath: Failing path 65:144.
+ [] device-mapper: multipath: Failing path 67:144.
+ [] device-mapper: multipath: Failing path 65:224.
+ [] device-mapper: multipath: Failing path 68:32.
+ [] sgio_inquiry: sending ioctl 2285 to a partition!
+
+5) The ioctl() only works if the SYS_CAP_RAWIO capability is present
+ (then queueing happens -- in this example, queue_if_no_path is set);
+ this is due to a conditional check in scsi_verify_blk_ioctl().
+
+ # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56'
+ sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
+
+ # ./sgio_inquiry /dev/mapper/85ag56 &
+ [1] 72830
+
+ # cat /proc/72830/stack
+ [<c00000171c0df700>] 0xc00000171c0df700
+ [<c000000000015934>] __switch_to+0x204/0x350
+ [<c000000000152d4c>] msleep+0x5c/0x80
+ [<c00000000077dfb0>] dm_blk_ioctl+0x70/0x170
+ [<c000000000487c40>] blkdev_ioctl+0x2b0/0x9b0
+ [<c0000000003128e4>] block_ioctl+0x64/0xd0
+ [<c0000000002dd3b0>] do_vfs_ioctl+0x490/0x780
+ [<c0000000002dd774>] SyS_ioctl+0xd4/0xf0
+ [<c000000000009358>] system_call+0x38/0xd0
+
+6) This is the function call chain exercised in this analysis:
+
+SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c
+ -> do_vfs_ioctl()
+ -> vfs_ioctl()
+ ...
+ error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
+ ...
+ -> dm_blk_ioctl() @ drivers/md/dm.c
+ -> multipath_ioctl() @ drivers/md/dm-mpath.c
+ ...
+ (bdev = NULL, due to no active paths)
+ ...
+ if (!bdev || <...>) {
+ int err = scsi_verify_blk_ioctl(NULL, cmd);
+ if (err)
+ r = err;
+ }
+ ...
+ -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c
+ ...
+ if (bd && bd == bd->bd_contains) // not taken (bd = NULL)
+ return 0;
+ ...
+ if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user)
+ return 0;
+ ...
+ printk_ratelimited(KERN_WARNING
+ "%s: sending ioctl %x to a partition!\n" <...>);
+
+ return -ENOIOCTLCMD;
+ <-
+ ...
+ return r ? : <...>
+ <-
+ ...
+ if (error == -ENOIOCTLCMD)
+ error = -ENOTTY;
+ out:
+ return error;
+ ...
+
+Links:
+[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52
+[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device')
+[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03)
+
+Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-mpath.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1626,11 +1626,8 @@ static int multipath_ioctl(struct dm_tar
+ /*
+ * Only pass ioctls through if the device sizes match exactly.
+ */
+- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) {
+- int err = scsi_verify_blk_ioctl(NULL, cmd);
+- if (err)
+- r = err;
+- }
++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
+
+ if (r == -ENOTCONN && !fatal_signal_pending(current))
+ queue_work(kmultipathd, &m->process_queued_ios);
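Review bot: `bdev->bd_inode` is dereferenced in the restored condition with only `!r` guarding it. The check is safe only if every path that leaves `bdev` NULL has already set `r` to a non-zero error, and that code is outside the hunk. A comment stating the invariant, e.g. `/* bdev is non-NULL whenever r == 0 */`, would keep a later change to the error assignments from turning this into a NULL dereference. With no usable path the `scsi_verify_blk_ioctl()` check is also no longer evaluated here, so it is worth confirming that the retry after `-ENOTCONN` re-enters this function and runs the check once a path exists. multipath_ioctl starts and ends outside the hunk.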
ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
sh64-fix-__nr_fgetxattr.patch
+revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
+spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
+spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
+spi-fix-parent-device-reference-leak.patch
+wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
+wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
+vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
+mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
+pci-fix-minimum-allocation-address-overwrite.patch
+tracing-fix-setting-of-start_index-in-find_next.patch
+jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
+fix-calculation-of-meta_bg-descriptor-backups.patch
+parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
+parisc-fix-syscall-restarts.patch
+parisc-fix-__arch_si_preamble_size.patch
+v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
+media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
--- /dev/null
+From 06515f83908d038d9e12ffa3dcca27a1b67f2de0 Mon Sep 17 00:00:00 2001
+From: David Mosberger-Tang <davidm@egauge.net>
+Date: Tue, 20 Oct 2015 14:26:47 +0200
+Subject: spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word
+
+From: David Mosberger-Tang <davidm@egauge.net>
+
+commit 06515f83908d038d9e12ffa3dcca27a1b67f2de0 upstream.
+
+The DMA-slave configuration depends on whether <= 8 or > 8 bits
+are transferred per word, so we need to call
+atmel_spi_dma_slave_config() with the correct value.
+
+Signed-off-by: David Mosberger <davidm@egauge.net>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-atmel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -593,7 +593,8 @@ static int atmel_spi_next_xfer_dma_submi
+
+ *plen = len;
+
+- if (atmel_spi_dma_slave_config(as, &slave_config, 8))
++ if (atmel_spi_dma_slave_config(as, &slave_config,
++ xfer->bits_per_word))
+ goto err_exit;
+
+ /* Send both scatterlists */
--- /dev/null
+From 157f38f993919b648187ba341bfb05d0e91ad2f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 14 Dec 2015 16:16:19 +0100
+Subject: spi: fix parent-device reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream.
+
+Fix parent-device reference leak due to SPI-core taking an unnecessary
+reference to the parent when allocating the master structure, a
+reference that was never released.
+
+Note that driver core takes its own reference to the parent when the
+master device is registered.
+
+Fixes: 49dce689ad4e ("spi doesn't need class_device")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1268,7 +1268,7 @@ struct spi_master *spi_alloc_master(stru
+ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->dev.class = &spi_master_class;
+- master->dev.parent = get_device(dev);
++ master->dev.parent = dev;
+ spi_master_set_devdata(master, &master[1]);
+
+ return master;
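Review bot: With `get_device()` removed, `master->dev.parent = dev;` stores a pointer with no reference behind it until the master is registered. Nothing at the assignment says this is deliberate. A comment such as `/* no get_device(): the driver core takes its own reference on the parent at registration */` would stop the call from being reintroduced as an apparent fix. Any controller driver that compensated for the old extra reference with its own put on the parent would now underflow the count; that cannot be judged from this hunk and is worth a check across callers. spi_alloc_master starts outside the hunk.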
--- /dev/null
+From bc27a53928981662079aa243915b443370294a03 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Mon, 12 Oct 2015 13:22:02 +0530
+Subject: spi: ti-qspi: Fix data corruption seen on r/w stress test
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit bc27a53928981662079aa243915b443370294a03 upstream.
+
+Writing invalid command to QSPI_SPI_CMD_REG will terminate current
+transfer and de-assert the chip select. This has to be done before
+calling spi_finalize_current_message(). Because
+spi_finalize_current_message() will mark the end of current message
+transfer and schedule the next transfer. If the chipselect is not
+de-asserted before calling spi_finalize_current_message() then the next
+transfer will overlap with the previous transfer leading to data
+corruption.
+__spi_pump_message() can be called either from kthread worker context or
+directly from the calling process's context. It is possible that these
+two calls can race against each other. But race is serialized by
+checking whether master->cur_msg == NULL (pointer to msg being handled
+by transfer_one() at present). The master->cur_msg is set to NULL when
+spi_finalize_current_message() is called on that message, which means
+calling spi_finalize_current_message() allows __spi_sync() to pump next
+message in calling process context.
+Now if spi-ti-qspi calls spi_finalize_current_message() before we
+terminate transfer at hardware side, if __spi_pump_message() is called
+from process context then the successive transactions can overlap.
+
+Fix this by moving writing invalid command to QSPI_SPI_CMD_REG to
+before calling spi_finalize_current_message() call.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-ti-qspi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -364,11 +364,10 @@ static int ti_qspi_start_transfer_one(st
+
+ mutex_unlock(&qspi->list_lock);
+
++ ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
+ m->status = status;
+ spi_finalize_current_message(master);
+
+- ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
+-
+ return status;
+ }
+
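Review bot: The moved `ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);` now depends on running before `spi_finalize_current_message(master)`, but the code carries no comment saying so. The commit message explains that the reverse order lets the next message overlap the current one and corrupt data. A comment above the write, e.g. `/* terminate the transfer and de-assert CS before finalizing, or the next message may start while CS is still asserted */`, would protect the ordering from later refactoring. ti_qspi_start_transfer_one starts outside the hunk.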
--- /dev/null
+From f36d1be2930ede0a1947686e1126ffda5d5ee1bb Mon Sep 17 00:00:00 2001
+From: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date: Thu, 31 Dec 2015 13:11:28 +0800
+Subject: tracing: Fix setting of start_index in find_next()
+
+From: Qiu Peiyang <peiyangx.qiu@intel.com>
+
+commit f36d1be2930ede0a1947686e1126ffda5d5ee1bb upstream.
+
+When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+panic at t_show.
+
+general protection fault: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+RIP: 0010:[<ffffffff811375b2>]
+ [<ffffffff811375b2>] t_show+0x22/0xe0
+RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+Call Trace:
+ [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+ [<ffffffff811b749b>] vfs_read+0x9b/0x160
+ [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+ [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+Kernel panic - not syncing: Fatal exception
+
+The first time find_next calls find_next_mod_format, it should
+iterate the trace_bprintk_fmt_list to find the first print format of
+the module. However, in the current code start_index is smaller than *pos
+at first, and the code will not iterate the list. Later, container_of will
+get the wrong address from the former v, which makes mod_fmt a
+meaningless object, and likewise the returned mod_fmt->fmt.
+
+This patch will fix it by correcting the start_index. After fixed,
+when the first time calls find_next_mod_format, start_index will be
+equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+get the right module printk format, so is the returned mod_fmt->fmt.
+
+Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_printk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace_printk.c
++++ b/kernel/trace/trace_printk.c
+@@ -269,6 +269,7 @@ static const char **find_next(void *v, l
+ if (*pos < last_index + start_index)
+ return __start___tracepoint_str + (*pos - last_index);
+
++ start_index += last_index;
+ return find_next_mod_format(start_index, v, fmt, pos);
+ }
+
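Review bot: The added `start_index += last_index;` has no comment, although the crash quoted in the commit message came from this offset being wrong. The preceding check `*pos < last_index + start_index` suggests that module formats are numbered after both earlier ranges. A comment such as `/* module formats start after the core and tracepoint-string entries */` would make that explicit. find_next starts outside the hunk, so how `start_index` and `last_index` are first computed cannot be confirmed from here.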
--- /dev/null
+From 655e9780ab913a3a06d4a164d55e3b755524186d Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Mon, 31 Aug 2015 08:56:15 -0300
+Subject: [media] v4l2-compat-ioctl32: fix alignment for ARM64
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+commit 655e9780ab913a3a06d4a164d55e3b755524186d upstream.
+
+Alignment/padding rules on AMD64 and ARM64 differ. To properly match
+compatible ioctls on ARM64 kernels without breaking AMD64, some fields
+should be aligned using the compat_s64 type and in one case a struct should be
+unpacked.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+[hans.verkuil@cisco.com: use compat_u64 instead of compat_s64 in v4l2_input32]
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -264,7 +264,7 @@ static int put_v4l2_create32(struct v4l2
+
+ struct v4l2_standard32 {
+ __u32 index;
+- __u32 id[2]; /* __u64 would get the alignment wrong */
++ compat_u64 id;
+ __u8 name[24];
+ struct v4l2_fract frameperiod; /* Frames, not fields */
+ __u32 framelines;
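Review bot: The removed line in struct v4l2_standard32 carried the only explanation of the layout (`/* __u64 would get the alignment wrong */`), and the new `compat_u64 id;` has none. The same applies to `compat_u64 std;` in struct v4l2_input32 further down, where dropping `__attribute__ ((packed))` makes the layout depend entirely on that type. A short comment such as `compat_u64 id; /* alignment follows the 32-bit ABI being emulated */` would keep a later edit from going back to a plain __u64 or re-adding packed. Since these structs define what is exchanged with 32-bit user space, a compile-time size check (BUILD_BUG_ON) per supported compat ABI would catch a layout regression early; the expected sizes are not visible in this patch.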
+@@ -284,7 +284,7 @@ static int put_v4l2_standard32(struct v4
+ {
+ if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
+ put_user(kp->index, &up->index) ||
+- copy_to_user(up->id, &kp->id, sizeof(__u64)) ||
++ put_user(kp->id, &up->id) ||
+ copy_to_user(up->name, kp->name, 24) ||
+ copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
+ put_user(kp->framelines, &up->framelines) ||
+@@ -576,10 +576,10 @@ struct v4l2_input32 {
+ __u32 type; /* Type of input */
+ __u32 audioset; /* Associated audios (bitfield) */
+ __u32 tuner; /* Associated tuner */
+- v4l2_std_id std;
++ compat_u64 std;
+ __u32 status;
+ __u32 reserved[4];
+-} __attribute__ ((packed));
++};
+
+ /* The 64-bit v4l2_input struct has extra padding at the end of the struct.
+ Otherwise it is identical to the 32-bit version. */
+@@ -719,6 +719,7 @@ static int put_v4l2_ext_controls32(struc
+ struct v4l2_event32 {
+ __u32 type;
+ union {
++ compat_s64 value64;
+ __u8 data[64];
+ } u;
+ __u32 pending;
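Review bot: The new union member `compat_s64 value64;` in struct v4l2_event32 is not referenced anywhere in this patch and seems to exist only to give the union the 64-bit alignment of the compat ABI. Without a comment it reads as dead code and is an easy target for a later cleanup, which would silently shift `pending` and the fields after it. Suggest `compat_s64 value64; /* never accessed: forces the compat alignment of the union */`. The struct continues past the end of the hunk.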
--- /dev/null
+From 60ecd86c4d985750efa0ea3d8610972b09951715 Mon Sep 17 00:00:00 2001
+From: "Hon Ching \\(Vicky\\) Lo" <honclo@linux.vnet.ibm.com>
+Date: Wed, 7 Oct 2015 20:11:51 -0400
+Subject: vTPM: fix memory allocation flag for rtce buffer at kernel boot
+
+From: Hon Ching \(Vicky\) Lo <honclo@linux.vnet.ibm.com>
+
+commit 60ecd86c4d985750efa0ea3d8610972b09951715 upstream.
+
+At ibm vtpm initialzation, tpm_ibmvtpm_probe() registers its interrupt
+handler, ibmvtpm_interrupt, which calls ibmvtpm_crq_process to allocate
+memory for rtce buffer. The current code uses 'GFP_KERNEL' as the
+type of kernel memory allocation, which resulted a warning at
+kernel/lockdep.c. This patch uses 'GFP_ATOMIC' instead so that the
+allocation is high-priority and does not sleep.
+
+Signed-off-by: Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -490,7 +490,7 @@ static void ibmvtpm_crq_process(struct i
+ }
+ ibmvtpm->rtce_size = be16_to_cpu(crq->len);
+ ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!ibmvtpm->rtce_buf) {
+ dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n");
+ return;
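Review bot: The switch to `GFP_ATOMIC` in ibmvtpm_crq_process() is not explained in the code; the reason (the function is reached from the interrupt handler and must not sleep) is only in the commit description. A comment above the kmalloc, `/* runs from ibmvtpm_interrupt(): must not sleep */`, would keep the flag from being changed back. GFP_ATOMIC allocations fail more readily than GFP_KERNEL ones, and the failure branch here only logs and returns. Whether later users of `rtce_buf` cope with it staying NULL is outside the hunk and worth confirming.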
--- /dev/null
+From e47301b06d5a65678690f04c2248fd181db1e59a Mon Sep 17 00:00:00 2001
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+Date: Thu, 24 Dec 2015 16:05:00 +0200
+Subject: wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
+
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+
+commit e47301b06d5a65678690f04c2248fd181db1e59a upstream.
+
+Fix the below Oops when trying to modprobe wlcore_spi.
+The oops occurs because the wl1271_power_{off,on}()
+function doesn't check the power() function pointer.
+
+[ 23.401447] Unable to handle kernel NULL pointer dereference at
+virtual address 00000000
+[ 23.409954] pgd = c0004000
+[ 23.412922] [00000000] *pgd=00000000
+[ 23.416693] Internal error: Oops: 80000007 [#1] SMP ARM
+[ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211
+musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev
+omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23
+c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma
+snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon
+[ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted
+4.2.0-00002-g951efee-dirty #233
+[ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 23.468123] Workqueue: events request_firmware_work_func
+[ 23.473690] task: de32efc0 ti: de4ee000 task.ti: de4ee000
+[ 23.479341] PC is at 0x0
+[ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore]
+[ 23.488074] pc : [<00000000>] lr : [<bf2581f0>] psr: 60000013
+[ 23.488074] sp : de4efe50 ip : 00000002 fp : 00000000
+[ 23.500162] r10: de7cdd00 r9 : dc848800 r8 : bf27af00
+[ 23.505663] r7 : bf27a1a8 r6 : dcbd8a80 r5 : dce0e2e0 r4 :
+dce0d2e0
+[ 23.512536] r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 :
+dc848810
+[ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment kernel
+[ 23.527109] Control: 10c5387d Table: 9cb78019 DAC: 00000015
+[ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218)
+[ 23.539760] Stack: (0xde4efe50 to 0xde4f0000)
+
+[...]
+
+[ 23.665030] [<bf2581f0>] (wl12xx_set_power_on [wlcore]) from
+[<bf25f7ac>] (wlcore_nvs_cb+0x118/0xa4c [wlcore])
+[ 23.675604] [<bf25f7ac>] (wlcore_nvs_cb [wlcore]) from [<c04387ec>]
+(request_firmware_work_func+0x30/0x58)
+[ 23.685784] [<c04387ec>] (request_firmware_work_func) from
+[<c0058e2c>] (process_one_work+0x1b4/0x4b4)
+[ 23.695591] [<c0058e2c>] (process_one_work) from [<c0059168>]
+(worker_thread+0x3c/0x4a4)
+[ 23.704124] [<c0059168>] (worker_thread) from [<c005ee68>]
+(kthread+0xd4/0xf0)
+[ 23.711747] [<c005ee68>] (kthread) from [<c000f598>]
+(ret_from_fork+0x14/0x3c)
+[ 23.719357] Code: bad PC value
+[ 23.722760] ---[ end trace 981be8510db9b3a9 ]---
+
+Prevent oops by validationg power() pointer value before
+calling the function.
+
+Signed-off-by: Uri Mashiach <uri.mashiach@compulab.co.il>
+Acked-by: Igor Grinberg <grinberg@compulab.co.il>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wlcore/io.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/io.h
++++ b/drivers/net/wireless/ti/wlcore/io.h
+@@ -203,19 +203,23 @@ static inline int __must_check wlcore_wr
+
+ static inline void wl1271_power_off(struct wl1271 *wl)
+ {
+- int ret;
++ int ret = 0;
+
+ if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags))
+ return;
+
+- ret = wl->if_ops->power(wl->dev, false);
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, false);
+ if (!ret)
+ clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+ }
+
+ static inline int wl1271_power_on(struct wl1271 *wl)
+ {
+- int ret = wl->if_ops->power(wl->dev, true);
++ int ret = 0;
++
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, true);
+ if (ret == 0)
+ set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+
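Review bot: With the new `if (wl->if_ops->power)` guards, a missing callback leaves `ret` at 0, so wl1271_power_on() sets WL1271_FLAG_GPIO_POWER and presumably reports success (its return is outside the hunk) although nothing was switched. If that is the intended meaning for bus glue without power control, state it in a comment above each guard, e.g. `/* no power() op: nothing to switch, treat as success */`. The two functions also test the result differently (`if (!ret)` and `if (ret == 0)`); using one form in both would read better.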
--- /dev/null
+From 9b2761cb72dc41e1948c8a5512b4efd384eda130 Mon Sep 17 00:00:00 2001
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+Date: Thu, 10 Dec 2015 15:12:56 +0200
+Subject: wlcore/wl12xx: spi: fix oops on firmware load
+
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+
+commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream.
+
+The maximum chunks used by the function is
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1).
+The original commands array had space for
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands.
+When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
+command is stored outside the bounds of the commands array.
+
+Oops 5 (page fault) is generated during current wl1271 firmware load
+attempt:
+
+root@debian-armhf:~# ifconfig wlan0 up
+[ 294.312399] Unable to handle kernel paging request at virtual address
+00203fc4
+[ 294.320173] pgd = de528000
+[ 294.323028] [00203fc4] *pgd=00000000
+[ 294.326916] Internal error: Oops: 5 [#1] SMP ARM
+[ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
+wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
+wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
+hwmon
+[ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
+4.2.0-00002-g3e9ad27-dirty #78
+[ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000
+[ 294.372236] PC is at __spi_validate+0xa8/0x2ac
+[ 294.376902] LR is at __spi_sync+0x78/0x210
+[ 294.381200] pc : [<c049c760>] lr : [<c049ebe0>] psr: 60000013
+[ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000
+[ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000
+[ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 :
+00203fbc
+[ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 :
+de3a9000
+[ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment user
+[ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015
+[ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
+[ 294.432437] Stack: (0xde551998 to 0xde552000)
+
+...
+
+[ 294.883613] [<c049c760>] (__spi_validate) from [<c049ebe0>]
+(__spi_sync+0x78/0x210)
+[ 294.891670] [<c049ebe0>] (__spi_sync) from [<bf036598>]
+(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
+[ 294.901661] [<bf036598>] (wl12xx_spi_raw_write [wlcore_spi]) from
+[<bf21c694>] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
+[ 294.914038] [<bf21c694>] (wlcore_boot_upload_firmware [wlcore]) from
+[<bf24532c>] (wl12xx_boot+0xc10/0xfac [wl12xx])
+[ 294.925161] [<bf24532c>] (wl12xx_boot [wl12xx]) from [<bf20d5cc>]
+(wl1271_op_add_interface+0x5b0/0x910 [wlcore])
+[ 294.936364] [<bf20d5cc>] (wl1271_op_add_interface [wlcore]) from
+[<bf15c4ac>] (ieee80211_do_open+0x44c/0xf7c [mac80211])
+[ 294.947963] [<bf15c4ac>] (ieee80211_do_open [mac80211]) from
+[<c0537978>] (__dev_open+0xa8/0x110)
+[ 294.957307] [<c0537978>] (__dev_open) from [<c0537bf8>]
+(__dev_change_flags+0x88/0x148)
+[ 294.965713] [<c0537bf8>] (__dev_change_flags) from [<c0537cd0>]
+(dev_change_flags+0x18/0x48)
+[ 294.974576] [<c0537cd0>] (dev_change_flags) from [<c05a55a0>]
+(devinet_ioctl+0x6b4/0x7d0)
+[ 294.983191] [<c05a55a0>] (devinet_ioctl) from [<c0517040>]
+(sock_ioctl+0x1e4/0x2bc)
+[ 294.991244] [<c0517040>] (sock_ioctl) from [<c017d378>]
+(do_vfs_ioctl+0x420/0x6b0)
+[ 294.999208] [<c017d378>] (do_vfs_ioctl) from [<c017d674>]
+(SyS_ioctl+0x6c/0x7c)
+[ 295.006880] [<c017d674>] (SyS_ioctl) from [<c000f4c0>]
+(ret_fast_syscall+0x0/0x54)
+[ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008)
+[ 295.021544] ---[ end trace 66ed188198f4e24e ]---
+
+Signed-off-by: Uri Mashiach <uri.mashiach@compulab.co.il>
+Acked-by: Igor Grinberg <grinberg@compulab.co.il>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wlcore/spi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/spi.c
++++ b/drivers/net/wireless/ti/wlcore/spi.c
+@@ -72,7 +72,10 @@
+ */
+ #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE)
+
+-#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE)
++/* Maximum number of SPI write chunks */
++#define WSPI_MAX_NUM_OF_CHUNKS \
++ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1)
++
+
+ struct wl12xx_spi_glue {
+ struct device *dev;
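Review bot: The new comment `/* Maximum number of SPI write chunks */` does not say why WSPI_MAX_NUM_OF_CHUNKS adds 1, which is the whole fix. Something like `/* +1: the division rounds down, a trailing partial chunk needs one more slot */` would record the reasoning next to the macro. The hunk also adds a second blank line before `struct wl12xx_spi_glue`; one is enough.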
+@@ -270,9 +273,10 @@ static int __must_check wl12xx_spi_raw_w
+ void *buf, size_t len, bool fixed)
+ {
+ struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent);
+- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)];
++ /* SPI write buffers - 2 for each chunk */
++ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS];
+ struct spi_message m;
+- u32 commands[WSPI_MAX_NUM_OF_CHUNKS];
++ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */
+ u32 *cmd;
+ u32 chunk_len;
+ int i;
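Review bot: Sizing `commands[]` and `t[]` in wl12xx_spi_raw_write() for the worst case only helps if `len` can never exceed SPI_AGGR_BUFFER_SIZE, and no such bound is visible in this hunk. The loop that fills both arrays lies outside it; if it does not already stop at the array size, an oversized write would again store past the end of these on-stack arrays. Consider rejecting the request before the arrays are touched, `if (WARN_ON(len > SPI_AGGR_BUFFER_SIZE)) return -EINVAL;`.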