--- /dev/null
+From d19f503e22316a84c39bc19445e0e4fdd49b3532 Mon Sep 17 00:00:00 2001
+From: Toshi Kani <toshi.kani@hp.com>
+Date: Wed, 10 Jul 2013 10:47:13 -0600
+Subject: ACPI / memhotplug: Fix a stale pointer in error path
+
+From: Toshi Kani <toshi.kani@hp.com>
+
+commit d19f503e22316a84c39bc19445e0e4fdd49b3532 upstream.
+
+device->driver_data needs to be cleared when releasing its data,
+mem_device, in an error path of acpi_memory_device_add().
+
+The function evaluates the _CRS of memory device objects, and fails
+when it gets an unexpected resource or cannot allocate memory. A
+kernel crash or data corruption may occur when the kernel accesses
+the stale pointer.
+
+Signed-off-by: Toshi Kani <toshi.kani@hp.com>
+Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_memhotplug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/acpi_memhotplug.c
++++ b/drivers/acpi/acpi_memhotplug.c
+@@ -283,6 +283,7 @@ static int acpi_memory_device_add(struct
+ /* Get the range from the _CRS */
+ result = acpi_memory_get_device_resources(mem_device);
+ if (result) {
++ device->driver_data = NULL;
+ kfree(mem_device);
+ return result;
+ }
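Review bot: The added `device->driver_data = NULL;` covers only this one failure branch, so any later exit in acpi_memory_device_add() that frees `mem_device` would leave the same dangling pointer. The function continues outside the hunk, so those exits cannot be checked from here. If a shared free helper or error label exists, clearing the pointer there, immediately before the `kfree(mem_device)`, keeps the two steps together and avoids repeating the fix per branch.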
--- /dev/null
+From 8832f7e43fa7f0f19bd54e13766a825dd1ed4d6f Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 8 Jul 2013 02:01:53 +0200
+Subject: ACPI / scan: Always call acpi_bus_scan() for bus check notifications
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+commit 8832f7e43fa7f0f19bd54e13766a825dd1ed4d6f upstream.
+
+An ACPI_NOTIFY_BUS_CHECK notification means that we should scan the
+entire namespace starting from the given handle even if the device
+represented by that handle is present (other devices below it may
+just have appeared).
+
+For this reason, modify acpi_scan_bus_device_check() to always run
+acpi_bus_scan() if the notification being handled is of type
+ACPI_NOTIFY_BUS_CHECK.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Toshi Kani <toshi.kani@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/scan.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -237,10 +237,12 @@ static void acpi_scan_bus_device_check(a
+
+ mutex_lock(&acpi_scan_lock);
+
+- acpi_bus_get_device(handle, &device);
+- if (device) {
+- dev_warn(&device->dev, "Attempt to re-insert\n");
+- goto out;
++ if (ost_source != ACPI_NOTIFY_BUS_CHECK) {
++ acpi_bus_get_device(handle, &device);
++ if (device) {
++ dev_warn(&device->dev, "Attempt to re-insert\n");
++ goto out;
++ }
+ }
+ acpi_evaluate_hotplug_ost(handle, ost_source,
+ ACPI_OST_SC_INSERT_IN_PROGRESS, NULL);
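Review bot: The result of `acpi_bus_get_device()` is still ignored, and presence is inferred from `device` being non-NULL, which relies on an initialiser outside the hunk. Testing the return value removes that dependency and one nesting level: `if (ost_source != ACPI_NOTIFY_BUS_CHECK && !acpi_bus_get_device(handle, &device)) {` followed by the existing `dev_warn()` and `goto out;`. After this change `device` is not looked up at all on the bus-check path, so any use of it after `acpi_bus_scan()` (not visible here) must fetch it again.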
--- /dev/null
+From 3a391a39593b48341f0908511590a6c0e55cc069 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 12 Jul 2013 13:45:59 +0200
+Subject: ACPI / scan: Do not try to attach scan handlers to devices having them
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+commit 3a391a39593b48341f0908511590a6c0e55cc069 upstream.
+
+In acpi_bus_device_attach(), if there is an ACPI device object
+for the given handle and that device object has a scan handler
+attached to it already, there's nothing more to do for that handle.
+Moreover, if acpi_scan_attach_handler() is called then, it may
+execute the .attach() callback of the ACPI scan handler already
+attached to the device object and that may lead to interesting
+breakage.
+
+For this reason, make acpi_bus_device_attach() return success
+immediately when the handle's device object has a scan handler
+attached to it.
+
+Reported-by: Toshi Kani <toshi.kani@hp.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Toshi Kani <toshi.kani@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/scan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1892,6 +1892,9 @@ static acpi_status acpi_bus_device_attac
+ if (acpi_bus_get_device(handle, &device))
+ return AE_CTRL_DEPTH;
+
++ if (device->handler)
++ return AE_OK;
++
+ ret = acpi_scan_attach_handler(device);
+ if (ret)
+ return ret > 0 ? AE_OK : AE_CTRL_DEPTH;
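Review bot: The early return on `device->handler` has no comment, and the reason is not obvious from the code alone. Per the commit message, a handler is already attached and calling acpi_scan_attach_handler() again may re-run its .attach() callback. Suggest `/* Already has a scan handler; do not run its .attach() a second time. */` above the check. acpi_bus_device_attach() starts and ends outside the hunk.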
--- /dev/null
+From 9657a565a476d517451c10b0bcc106e300785aff Mon Sep 17 00:00:00 2001
+From: Lan Tianyu <tianyu.lan@intel.com>
+Date: Tue, 16 Jul 2013 10:07:21 +0800
+Subject: ACPI / video: ignore BIOS initial backlight value for Fujitsu E753
+
+From: Lan Tianyu <tianyu.lan@intel.com>
+
+commit 9657a565a476d517451c10b0bcc106e300785aff upstream.
+
+The BIOS of FUjitsu E753 reports an incorrect initial backlight value
+for WIN8 compatible OS, causing backlight to be dark during startup.
+This change causes the incorrect initial value from BIOS to be ignored.
+
+References: https://bugzilla.kernel.org/show_bug.cgi?id=60161
+Reported-and-tested-by: Jan Hinnerk Stosch <janhinnerk.stosch@gmail.com>
+Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -450,6 +450,14 @@ static struct dmi_system_id video_dmi_ta
+ },
+ {
+ .callback = video_ignore_initial_backlight,
++ .ident = "Fujitsu E753",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E753"),
++ },
++ },
++ {
++ .callback = video_ignore_initial_backlight,
+ .ident = "HP Pavilion dm4",
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
--- /dev/null
+From eac27f04a71e1f39f196f7e520d16dcefc955d77 Mon Sep 17 00:00:00 2001
+From: Youquan Song <youquan.song@intel.com>
+Date: Thu, 11 Jul 2013 21:15:57 -0400
+Subject: ata: Fix DVD not dectected at some platform with Wellsburg PCH
+
+From: Youquan Song <youquan.song@intel.com>
+
+commit eac27f04a71e1f39f196f7e520d16dcefc955d77 upstream.
+
+There is a patch b55f84e2d527182e7c611d466cd0bb6ddce201de "ata_piix: Fix DVD
+ not dectected at some Haswell platforms" to fix an issue of DVD not
+recognized on Haswell Desktop platform with Lynx Point.
+Recently, it is also found the same issue at some platformas with Wellsburg PCH.
+
+So deliver a similar patch to fix it by disables 32bit PIO in IDE mode.
+
+Signed-off-by: Youquan Song <youquan.song@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ata_piix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -330,7 +330,7 @@ static const struct pci_device_id piix_p
+ /* SATA Controller IDE (Wellsburg) */
+ { 0x8086, 0x8d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
+ /* SATA Controller IDE (Wellsburg) */
+- { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
++ { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb },
+ /* SATA Controller IDE (Wellsburg) */
+ { 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
+ /* SATA Controller IDE (Wellsburg) */
--- /dev/null
+From fec386ac1428f9c0e672df952cbca5cebd4e4e2f Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fusionio.com>
+Date: Mon, 15 Jul 2013 12:41:42 -0400
+Subject: Btrfs: fix lock leak when resuming snapshot deletion
+
+From: Josef Bacik <jbacik@fusionio.com>
+
+commit fec386ac1428f9c0e672df952cbca5cebd4e4e2f upstream.
+
+We aren't setting path->locks[level] when we resume a snapshot deletion which
+means we won't unlock the buffer when we free the path. This causes deadlocks
+if we happen to re-allocate the block before we've evicted the extent buffer
+from cache. Thanks,
+
+Reported-by: Alex Lyakas <alex.btrfs@zadarastorage.com>
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -7355,6 +7355,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
+ while (1) {
+ btrfs_tree_lock(path->nodes[level]);
+ btrfs_set_lock_blocking(path->nodes[level]);
++ path->locks[level] = BTRFS_WRITE_LOCK_BLOCKING;
+
+ ret = btrfs_lookup_extent_info(trans, root,
+ path->nodes[level]->start,
+@@ -7370,6 +7371,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
+ break;
+
+ btrfs_tree_unlock(path->nodes[level]);
++ path->locks[level] = 0;
+ WARN_ON(wc->refs[level] != 1);
+ level--;
+ }
--- /dev/null
+From 115930cb2d444a684975cf2325759cb48ebf80cc Mon Sep 17 00:00:00 2001
+From: Stefan Behrens <sbehrens@giantdisaster.de>
+Date: Thu, 4 Jul 2013 16:14:23 +0200
+Subject: Btrfs: fix wrong write offset when replacing a device
+
+From: Stefan Behrens <sbehrens@giantdisaster.de>
+
+commit 115930cb2d444a684975cf2325759cb48ebf80cc upstream.
+
+Miao Xie reported the following issue:
+
+The filesystem was corrupted after we did a device replace.
+
+Steps to reproduce:
+ # mkfs.btrfs -f -m single -d raid10 <device0>..<device3>
+ # mount <device0> <mnt>
+ # btrfs replace start -rfB 1 <device4> <mnt>
+ # umount <mnt>
+ # btrfsck <device4>
+
+The reason for the issue is that we changed the write offset by mistake,
+introduced by commit 625f1c8dc.
+
+We read the data from the source device at first, and then write the
+data into the corresponding place of the new device. In order to
+implement the "-r" option, the source location is remapped using
+btrfs_map_block(). The read takes place on the mapped location, and
+the write needs to take place on the unmapped location. Currently
+the write is using the mapped location, and this commit changes it
+back by undoing the change to the write address that the aforementioned
+commit added by mistake.
+
+Reported-by: Miao Xie <miaox@cn.fujitsu.com>
+Signed-off-by: Stefan Behrens <sbehrens@giantdisaster.de>
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/scrub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2501,7 +2501,7 @@ again:
+ ret = scrub_extent(sctx, extent_logical, extent_len,
+ extent_physical, extent_dev, flags,
+ generation, extent_mirror_num,
+- extent_physical);
++ extent_logical - logical + physical);
+ if (ret)
+ goto out;
+
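Review bot: The last argument, `extent_logical - logical + physical`, is passed with no explanation, and it sits next to `extent_physical`, which looks like the natural value and is what the reverted change used. A comment at the call would keep it from being "simplified" again: `/* write offset on the target is the unmapped one; extent_physical/extent_dev may have been remapped for the read */`. A named local for the expression would serve the same purpose. The enclosing function starts and ends outside the hunk.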
--- /dev/null
+From d29a9f629e009c9b90e5859bce581070fd6247fc Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fusionio.com>
+Date: Wed, 17 Jul 2013 19:30:20 -0400
+Subject: Btrfs: re-add root to dead root list if we stop dropping it
+
+From: Josef Bacik <jbacik@fusionio.com>
+
+commit d29a9f629e009c9b90e5859bce581070fd6247fc upstream.
+
+If we stop dropping a root for whatever reason we need to add it back to the
+dead root list so that we will re-start the dropping next transaction commit.
+The other case this happens is if we recover a drop because we will add a root
+without adding it to the fs radix tree, so we can leak it's root and commit root
+extent buffer, adding this to the dead root list makes this cleanup happen.
+Thanks,
+
+Reported-by: Alex Lyakas <alex.btrfs@zadarastorage.com>
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -7298,6 +7298,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
+ int err = 0;
+ int ret;
+ int level;
++ bool root_dropped = false;
+
+ path = btrfs_alloc_path();
+ if (!path) {
+@@ -7473,12 +7474,22 @@ int btrfs_drop_snapshot(struct btrfs_roo
+ free_extent_buffer(root->commit_root);
+ kfree(root);
+ }
++ root_dropped = true;
+ out_end_trans:
+ btrfs_end_transaction_throttle(trans, tree_root);
+ out_free:
+ kfree(wc);
+ btrfs_free_path(path);
+ out:
++ /*
++ * So if we need to stop dropping the snapshot for whatever reason we
++ * need to make sure to add it back to the dead root list so that we
++ * keep trying to do the work later. This also cleans up roots if we
++ * don't have it in the radix (like when we recover after a power fail
++ * or unmount) so we don't leak memory.
++ */
++ if (root_dropped == false)
++ btrfs_add_dead_root(root);
+ if (err)
+ btrfs_std_error(root->fs_info, err);
+ return err;
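Review bot: `btrfs_add_dead_root(root)` at `out:` runs for every exit that did not reach `root_dropped = true`, including failures in the teardown steps between the two hunks, which are not visible here. If any of those steps has already removed part of the root's state, re-queuing would retry a half-deleted root on each transaction commit. It may be worth limiting the re-add to exits taken before teardown starts, or documenting in the new comment why a retry is safe from every `goto out_end_trans`. Minor style: `if (!root_dropped)` rather than `if (root_dropped == false)`.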
--- /dev/null
+From 2134ed4d614349b2b4e8d7bb593baa9179b8dd1e Mon Sep 17 00:00:00 2001
+From: Dirk Brandewie <dirk.j.brandewie@intel.com>
+Date: Thu, 18 Jul 2013 08:48:42 -0700
+Subject: cpufreq / intel_pstate: Change to scale off of max P-state
+
+From: Dirk Brandewie <dirk.j.brandewie@intel.com>
+
+commit 2134ed4d614349b2b4e8d7bb593baa9179b8dd1e upstream.
+
+Change to using max P-state instead of max turbo P-state. This
+change resolves two issues.
+
+On a quiet system intel_pstate can fail to respond to a load change.
+
+On CPU SKUs that have a limited number of P-states and no turbo range
+intel_pstate fails to select the highest available P-state.
+
+This change is suitable for stable v3.9+
+
+References: https://bugzilla.kernel.org/show_bug.cgi?id=59481
+Reported-and-tested-by: Arjan van de Ven <arjan@linux.intel.com>
+Reported-and-tested-by: dsmythies@telus.net
+Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/intel_pstate.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -103,10 +103,10 @@ struct pstate_adjust_policy {
+ static struct pstate_adjust_policy default_policy = {
+ .sample_rate_ms = 10,
+ .deadband = 0,
+- .setpoint = 109,
+- .p_gain_pct = 17,
++ .setpoint = 97,
++ .p_gain_pct = 20,
+ .d_gain_pct = 0,
+- .i_gain_pct = 4,
++ .i_gain_pct = 0,
+ };
+
+ struct perf_limits {
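Review bot: The new `setpoint`, `p_gain_pct` and `i_gain_pct` values are bare numbers whose validity depends on intel_pstate_get_scaled_busy() scaling against `max_pstate` (second hunk), yet nothing in `default_policy` records that coupling. A comment such as `/* tuned for busy scaled against max (non-turbo) P-state; revisit if the scaling base changes */` would keep the two from drifting apart. Setting `i_gain_pct` to 0 also removes the integral term altogether, which deserves a word in the same comment.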
+@@ -468,12 +468,12 @@ static inline void intel_pstate_set_samp
+ static inline int intel_pstate_get_scaled_busy(struct cpudata *cpu)
+ {
+ int32_t busy_scaled;
+- int32_t core_busy, turbo_pstate, current_pstate;
++ int32_t core_busy, max_pstate, current_pstate;
+
+ core_busy = int_tofp(cpu->samples[cpu->sample_ptr].core_pct_busy);
+- turbo_pstate = int_tofp(cpu->pstate.turbo_pstate);
++ max_pstate = int_tofp(cpu->pstate.max_pstate);
+ current_pstate = int_tofp(cpu->pstate.current_pstate);
+- busy_scaled = mul_fp(core_busy, div_fp(turbo_pstate, current_pstate));
++ busy_scaled = mul_fp(core_busy, div_fp(max_pstate, current_pstate));
+
+ return fp_toint(busy_scaled);
+ }
--- /dev/null
+From 9c23b7d3d6bda41e2a27375df705485523a96dc8 Mon Sep 17 00:00:00 2001
+From: Vakul Garg <vakul@freescale.com>
+Date: Wed, 10 Jul 2013 06:26:13 +0000
+Subject: crypto: caam - Fixed the memory out of bound overwrite issue
+
+From: Vakul Garg <vakul@freescale.com>
+
+commit 9c23b7d3d6bda41e2a27375df705485523a96dc8 upstream.
+
+When kernel is compiled with CONFIG_SLUB_DEBUG=y and
+CRYPTO_MANAGER_DISABLE_TESTS=n, during kernel bootup, the kernel
+reports error given below. The root cause is that in function
+hash_digest_key(), for allocating descriptor, insufficient memory was
+being allocated. The required number of descriptor words apart from
+input and output pointers are 8 (instead of 6).
+
+=============================================================================
+BUG dma-kmalloc-32 (Not tainted): Redzone overwritten
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: 0xdec5dec0-0xdec5dec3. First byte 0x0 instead of 0xcc
+INFO: Allocated in ahash_setkey+0x60/0x594 age=7 cpu=1 pid=1257
+ __kmalloc+0x154/0x1b4
+ ahash_setkey+0x60/0x594
+ test_hash+0x260/0x5a0
+ alg_test_hash+0x48/0xb0
+ alg_test+0x84/0x228
+ cryptomgr_test+0x4c/0x54
+ kthread+0x98/0x9c
+ ret_from_kernel_thread+0x64/0x6c
+INFO: Slab 0xc0bd0ba0 objects=19 used=2 fp=0xdec5d0d0 flags=0x0081
+INFO: Object 0xdec5dea0 @offset=3744 fp=0x5c200014
+
+Bytes b4 dec5de90: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a
+........ZZZZZZZZ
+Object dec5dea0: b0 80 00 0a 84 41 00 0d f0 40 00 00 00 67 3f c0
+.....A...@...g?.
+Object dec5deb0: 00 00 00 50 2c 14 00 50 f8 40 00 00 1e c5 d0 00
+...P,..P.@......
+Redzone dec5dec0: 00 00 00 14 ....
+Padding dec5df68: 5a 5a 5a 5a 5a 5a 5a 5a
+ZZZZZZZZ
+Call Trace:
+[dec65b60] [c00071b4] show_stack+0x4c/0x168 (unreliable)
+[dec65ba0] [c00d4ec8] check_bytes_and_report+0xe4/0x11c
+[dec65bd0] [c00d507c] check_object+0x17c/0x23c
+[dec65bf0] [c0550a00] free_debug_processing+0xf4/0x294
+[dec65c20] [c0550bdc] __slab_free+0x3c/0x294
+[dec65c80] [c03f0744] ahash_setkey+0x4e0/0x594
+[dec65cd0] [c01ef138] test_hash+0x260/0x5a0
+[dec65e50] [c01ef4c0] alg_test_hash+0x48/0xb0
+[dec65e70] [c01eecc4] alg_test+0x84/0x228
+[dec65ee0] [c01ec640] cryptomgr_test+0x4c/0x54
+[dec65ef0] [c005adc0] kthread+0x98/0x9c
+[dec65f40] [c000e1ac] ret_from_kernel_thread+0x64/0x6c
+FIX dma-kmalloc-32: Restoring 0xdec5dec0-0xdec5dec3=0xcc
+
+Change-Id: I0c7a1048053e811025d1c3b487940f87345c8f5d
+Signed-off-by: Vakul Garg <vakul@freescale.com>
+Reviewed-by: Geanta Neag Horia Ioan-B05471 <horia.geanta@freescale.com>
+Reviewed-by: Fleming Andrew-AFLEMING <AFLEMING@freescale.com>
+Tested-by: Fleming Andrew-AFLEMING <AFLEMING@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -429,7 +429,7 @@ static int hash_digest_key(struct caam_h
+ dma_addr_t src_dma, dst_dma;
+ int ret = 0;
+
+- desc = kmalloc(CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA);
++ desc = kmalloc(CAAM_CMD_SZ * 8 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA);
+ if (!desc) {
+ dev_err(jrdev, "unable to allocate key input memory\n");
+ return -ENOMEM;
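Review bot: The descriptor size is still a bare count (`CAAM_CMD_SZ * 8`) that must be kept in step by hand with the commands hash_digest_key() appends further down, outside the hunk. That mismatch is what produced the redzone overwrite shown in the commit message. Name the count and say what it covers, e.g. `#define DIGEST_KEY_DESC_WORDS 8 /* command words in the key-digest descriptor, excluding the two pointers */` (the name is only a suggestion). Also consider a debug-time check, once the descriptor is built, that its length fits the allocation. Without SLUB debugging an overrun of this kmalloc'd DMA buffer would overwrite adjacent slab memory unnoticed.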
--- /dev/null
+From 1c0e883e86ece31880fac2f84b260545d66a39e0 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 10 Jul 2013 23:41:15 +0100
+Subject: dm ioctl: set noio flag to avoid __vmalloc deadlock
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 1c0e883e86ece31880fac2f84b260545d66a39e0 upstream.
+
+Set noio flag while calling __vmalloc() because it doesn't fully respect
+gfp flags to avoid a possible deadlock (see commit
+502624bdad3dba45dfaacaf36b7d83e39e74b2d2).
+
+This should be backported to stable kernels 3.8 and newer. The kernel 3.8
+doesn't have memalloc_noio_save(), so we should set and restore process
+flag PF_MEMALLOC instead.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -1644,7 +1644,10 @@ static int copy_params(struct dm_ioctl _
+ }
+
+ if (!dmi) {
++ unsigned noio_flag;
++ noio_flag = memalloc_noio_save();
+ dmi = __vmalloc(param_kernel->data_size, GFP_NOIO | __GFP_REPEAT | __GFP_HIGH, PAGE_KERNEL);
++ memalloc_noio_restore(noio_flag);
+ if (dmi)
+ *param_flags |= DM_PARAMS_VMALLOC;
+ }
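Review bot: Nothing at the call site explains why the allocation is wrapped in `memalloc_noio_save()` when `GFP_NOIO` is already passed, so the pair looks redundant and is easy to drop in a later cleanup. Add a short comment, e.g. `/* __vmalloc() does not fully respect gfp flags; force NOIO for the whole call */`, and fold the declaration into its initialiser: `unsigned int noio_flag = memalloc_noio_save();`. copy_params() begins outside the hunk, so whether `param_kernel->data_size` is bounded before it reaches `__vmalloc()` cannot be seen here and is worth confirming.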
--- /dev/null
+From 6c182cd88d179cbbd06f4f8a8a19b6977940753f Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Wed, 10 Jul 2013 23:41:15 +0100
+Subject: dm mpath: fix ioctl deadlock when no paths
+
+From: Hannes Reinecke <hare@suse.de>
+
+commit 6c182cd88d179cbbd06f4f8a8a19b6977940753f upstream.
+
+When multipath needs to retry an ioctl the reference to the
+current live table needs to be dropped. Otherwise a deadlock
+occurs when all paths are down:
+- dm_blk_ioctl takes a reference to the current table
+ and spins in multipath_ioctl().
+- A new table is being loaded, but upon resume the process
+ hangs in dm_table_destroy() waiting for references to
+ drop to zero.
+
+With this patch the reference to the old table is dropped
+prior to retry, thereby avoiding the deadlock.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Cc: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-mpath.c | 8 ++------
+ drivers/md/dm.c | 9 ++++++++-
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1561,7 +1561,6 @@ static int multipath_ioctl(struct dm_tar
+ unsigned long flags;
+ int r;
+
+-again:
+ bdev = NULL;
+ mode = 0;
+ r = 0;
+@@ -1579,7 +1578,7 @@ again:
+ }
+
+ if ((pgpath && m->queue_io) || (!pgpath && m->queue_if_no_path))
+- r = -EAGAIN;
++ r = -ENOTCONN;
+ else if (!bdev)
+ r = -EIO;
+
+@@ -1591,11 +1590,8 @@ again:
+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
+ r = scsi_verify_blk_ioctl(NULL, cmd);
+
+- if (r == -EAGAIN && !fatal_signal_pending(current)) {
++ if (r == -ENOTCONN && !fatal_signal_pending(current))
+ queue_work(kmultipathd, &m->process_queued_ios);
+- msleep(10);
+- goto again;
+- }
+
+ return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
+ }
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -386,10 +386,12 @@ static int dm_blk_ioctl(struct block_dev
+ unsigned int cmd, unsigned long arg)
+ {
+ struct mapped_device *md = bdev->bd_disk->private_data;
+- struct dm_table *map = dm_get_live_table(md);
++ struct dm_table *map;
+ struct dm_target *tgt;
+ int r = -ENOTTY;
+
++retry:
++ map = dm_get_live_table(md);
+ if (!map || !dm_table_get_size(map))
+ goto out;
+
+@@ -410,6 +412,11 @@ static int dm_blk_ioctl(struct block_dev
+ out:
+ dm_table_put(map);
+
++ if (r == -ENOTCONN) {
++ msleep(10);
++ goto retry;
++ }
++
+ return r;
+ }
+
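Review bot: The retry added after `out:` in dm_blk_ioctl() has no exit for a task with a fatal signal pending. In the dm-mpath.c hunks the `!fatal_signal_pending(current)` test now only gates `queue_work()`, so multipath_ioctl() still returns -ENOTCONN to a killed caller. `if (r == -ENOTCONN)` here then sleeps and retries for as long as no path comes back, whereas the old `again:` loop stopped retrying in that case. Suggest `if (r == -ENOTCONN && !fatal_signal_pending(current)) {` so the process can still be killed while all paths are down.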
--- /dev/null
+From b1bf2de07271932326af847a3c6a01fdfd29d4be Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 10 Jul 2013 23:41:16 +0100
+Subject: dm verity: fix inability to use a few specific devices sizes
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit b1bf2de07271932326af847a3c6a01fdfd29d4be upstream.
+
+Fix a boundary condition that caused failure for certain device sizes.
+
+The problem is reported at
+ http://code.google.com/p/cryptsetup/issues/detail?id=160
+
+For certain device sizes the number of hashes at a specific level was
+calculated incorrectly.
+
+It happens for example for a device with data and metadata block size 4096
+that has 16385 blocks and algorithm sha256.
+
+The user can test if he is affected by this bug by running the
+"veritysetup verify" command and also by activating the dm-verity kernel
+driver and reading the whole block device. If it passes without an error,
+then the user is not affected.
+
+The condition for the bug is:
+
+Split the total number of data blocks (data_block_bits) into bit strings,
+each string has hash_per_block_bits bits. hash_per_block_bits is
+rounddown(log2(metadata_block_size/hash_digest_size)). Equivalently, you
+can say that you convert data_blocks_bits to 2^hash_per_block_bits base.
+
+If there some zero bit string below the most significant bit string and at
+least one bit below this zero bit string is set, then the bug happens.
+
+The same bug exists in the userspace veritysetup tool, so you must use
+fixed veritysetup too if you want to use devices that are affected by
+this boundary condition.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-verity.c
++++ b/drivers/md/dm-verity.c
+@@ -831,9 +831,8 @@ static int verity_ctr(struct dm_target *
+ for (i = v->levels - 1; i >= 0; i--) {
+ sector_t s;
+ v->hash_level_block[i] = hash_position;
+- s = verity_position_at_level(v, v->data_blocks, i);
+- s = (s >> v->hash_per_block_bits) +
+- !!(s & ((1 << v->hash_per_block_bits) - 1));
++ s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1)
++ >> ((i + 1) * v->hash_per_block_bits);
+ if (hash_position + s < hash_position) {
+ ti->error = "Hash device offset overflow";
+ r = -E2BIG;
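Review bot: The new ceiling division shifts `(sector_t)1` by `(i + 1) * v->hash_per_block_bits` and adds the result to `v->data_blocks`, with no bound visible in the hunk. If that product can reach the width of sector_t the shift is undefined, and the addition can wrap for very large `data_blocks` before the overflow test below it runs. verity_ctr() starts outside the hunk, so a limit on `v->levels * v->hash_per_block_bits` may already be enforced there; this is worth confirming because the values presumably derive from the target's table arguments. A comment such as `/* hash blocks at level i = ceil(data_blocks / 2^((i+1)*hash_per_block_bits)) */` would also make the formula checkable against veritysetup.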
--- /dev/null
+From c5e2254f8d63a6654149aa32ac5f2b7dd66a976d Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Sun, 14 Jul 2013 22:38:12 -0700
+Subject: Drivers: hv: balloon: Do not post pressure status if interrupted
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit c5e2254f8d63a6654149aa32ac5f2b7dd66a976d upstream.
+
+When we are posting pressure status, we may get interrupted and handle
+the un-balloon operation. In this case just don't post the status as we
+know the pressure status is stale.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_balloon.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -975,6 +975,14 @@ static void post_status(struct hv_dynmem
+ dm->num_pages_ballooned +
+ compute_balloon_floor();
+
++ /*
++ * If our transaction ID is no longer current, just don't
++ * send the status. This can happen if we were interrupted
++ * after we picked our transaction ID.
++ */
++ if (status.hdr.trans_id != atomic_read(&trans_id))
++ return;
++
+ vmbus_sendpacket(dm->dev->channel, &status,
+ sizeof(struct dm_status),
+ (unsigned long)NULL,
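Review bot: The `trans_id` comparison narrows the window but does not close it: the counter can still advance between `atomic_read(&trans_id)` and `vmbus_sendpacket()`, so a stale status can still go out. If the host tolerates that, the comment should say so, e.g. `* This is best effort; a status raced after this check is still sent.`. If it does not, the check and the send need to be serialised with whatever bumps `trans_id` (outside this hunk). The return value of `vmbus_sendpacket()` also appears to be dropped here, though the call runs past the end of the hunk.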
--- /dev/null
+From ed07ec93e83ec471d365ce084e43ad90fd205903 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Sun, 14 Jul 2013 22:38:11 -0700
+Subject: Drivers: hv: balloon: Fix a bug in the hot-add code
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit ed07ec93e83ec471d365ce084e43ad90fd205903 upstream.
+
+As we hot-add 128 MB chunks of memory, we wait to ensure that the memory
+is onlined before attempting to hot-add the next chunk. If the udev rule for
+memory hot-add is not executed within the allowed time, we would rollback the
+state and abort further hot-add. Since the hot-add has succeeded and the only
+failure is that the memory is not onlined within the allowed time, we should not
+be rolling back the state. Fix this bug.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_balloon.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -562,7 +562,7 @@ static void hv_mem_hot_add(unsigned long
+ struct hv_hotadd_state *has)
+ {
+ int ret = 0;
+- int i, nid, t;
++ int i, nid;
+ unsigned long start_pfn;
+ unsigned long processed_pfn;
+ unsigned long total_pfn = pfn_count;
+@@ -607,14 +607,11 @@ static void hv_mem_hot_add(unsigned long
+
+ /*
+ * Wait for the memory block to be onlined.
++ * Since the hot add has succeeded, it is ok to
++ * proceed even if the pages in the hot added region
++ * have not been "onlined" within the allowed time.
+ */
+- t = wait_for_completion_timeout(&dm_device.ol_waitevent, 5*HZ);
+- if (t == 0) {
+- pr_info("hot_add memory timedout\n");
+- has->ha_end_pfn -= HA_CHUNK;
+- has->covered_end_pfn -= processed_pfn;
+- break;
+- }
++ wait_for_completion_timeout(&dm_device.ol_waitevent, 5*HZ);
+
+ }
+
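Review bot: With the timeout branch gone, a chunk that is never onlined is indistinguishable from one that was: the result of `wait_for_completion_timeout()` is discarded and the old `pr_info()` went with it. Keeping the diagnostic without the rollback is a small change, `if (!wait_for_completion_timeout(&dm_device.ol_waitevent, 5*HZ)) pr_info("hot_add memory timedout\n");`. That leaves a trace in the log when the udev rule is missing or slow. hv_mem_hot_add() continues outside both hunks.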
--- /dev/null
+From bb9696192826a7d9279caf872e95b41bc26c7eff Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 22 Jul 2013 16:53:36 -0400
+Subject: libata: make it clear that sata_inic162x is experimental
+
+From: Tejun Heo <tj@kernel.org>
+
+commit bb9696192826a7d9279caf872e95b41bc26c7eff upstream.
+
+sata_inic162x never reached a state where it's reliable enough for
+production use and data corruption is a relatively common occurrence.
+Make the driver generate warning about the issues and mark the Kconfig
+option as experimental.
+
+If the situation doesn't improve, we'd be better off making it depend
+on CONFIG_BROKEN. Let's wait for several cycles and see if the kernel
+message draws any attention.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Martin Braure de Calignon <braurede@free.fr>
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Reported-by: risc4all@yahoo.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/Kconfig | 2 +-
+ drivers/ata/sata_inic162x.c | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/Kconfig
++++ b/drivers/ata/Kconfig
+@@ -107,7 +107,7 @@ config SATA_FSL
+ If unsure, say N.
+
+ config SATA_INIC162X
+- tristate "Initio 162x SATA support"
++ tristate "Initio 162x SATA support (Very Experimental)"
+ depends on PCI
+ help
+ This option enables support for Initio 162x Serial ATA.
+--- a/drivers/ata/sata_inic162x.c
++++ b/drivers/ata/sata_inic162x.c
+@@ -6,6 +6,18 @@
+ *
+ * This file is released under GPL v2.
+ *
++ * **** WARNING ****
++ *
++ * This driver never worked properly and unfortunately data corruption is
++ * relatively common. There isn't anyone working on the driver and there's
++ * no support from the vendor. Do not use this driver in any production
++ * environment.
++ *
++ * http://thread.gmane.org/gmane.linux.debian.devel.bugs.rc/378525/focus=54491
++ * https://bugzilla.kernel.org/show_bug.cgi?id=60565
++ *
++ * *****************
++ *
+ * This controller is eccentric and easily locks up if something isn't
+ * right. Documentation is available at initio's website but it only
+ * documents registers (not programming model).
+@@ -807,6 +819,8 @@ static int inic_init_one(struct pci_dev
+
+ ata_print_version_once(&pdev->dev, DRV_VERSION);
+
++ dev_alert(&pdev->dev, "inic162x support is broken with common data corruption issues and will be disabled by default, contact linux-ide@vger.kernel.org if in production use\n");
++
+ /* alloc host */
+ host = ata_host_alloc_pinfo(&pdev->dev, ppi, NR_PORTS);
+ hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL);
--- /dev/null
+From 30bc9b53878a9921b02e3b5bc4283ac1c6de102a Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Wed, 17 Jul 2013 15:19:29 +1000
+Subject: md/raid1: fix bio handling problems in process_checks()
+
+From: NeilBrown <neilb@suse.de>
+
+commit 30bc9b53878a9921b02e3b5bc4283ac1c6de102a upstream.
+
+Recent change to use bio_copy_data() in raid1 when repairing
+an array is faulty.
+
+The underlying may have changed the bio in various ways using
+bio_advance and these need to be undone not just for the 'sbio' which
+is being copied to, but also the 'pbio' (primary) which is being
+copied from.
+
+So perform the reset on all bios that were read from and do it early.
+
+This also ensure that the sbio->bi_io_vec[j].bv_len passed to
+memcmp is correct.
+
+This fixes a crash during a 'check' of a RAID1 array. The crash was
+introduced in 3.10 so this is suitable for 3.10-stable.
+
+Reported-by: Joe Lawrence <joe.lawrence@stratus.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 53 ++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1848,6 +1848,36 @@ static int process_checks(struct r1bio *
+ int i;
+ int vcnt;
+
++ /* Fix variable parts of all bios */
++ vcnt = (r1_bio->sectors + PAGE_SIZE / 512 - 1) >> (PAGE_SHIFT - 9);
++ for (i = 0; i < conf->raid_disks * 2; i++) {
++ int j;
++ int size;
++ struct bio *b = r1_bio->bios[i];
++ if (b->bi_end_io != end_sync_read)
++ continue;
++ /* fixup the bio for reuse */
++ bio_reset(b);
++ b->bi_vcnt = vcnt;
++ b->bi_size = r1_bio->sectors << 9;
++ b->bi_sector = r1_bio->sector +
++ conf->mirrors[i].rdev->data_offset;
++ b->bi_bdev = conf->mirrors[i].rdev->bdev;
++ b->bi_end_io = end_sync_read;
++ b->bi_private = r1_bio;
++
++ size = b->bi_size;
++ for (j = 0; j < vcnt ; j++) {
++ struct bio_vec *bi;
++ bi = &b->bi_io_vec[j];
++ bi->bv_offset = 0;
++ if (size > PAGE_SIZE)
++ bi->bv_len = PAGE_SIZE;
++ else
++ bi->bv_len = size;
++ size -= PAGE_SIZE;
++ }
++ }
+ for (primary = 0; primary < conf->raid_disks * 2; primary++)
+ if (r1_bio->bios[primary]->bi_end_io == end_sync_read &&
+ test_bit(BIO_UPTODATE, &r1_bio->bios[primary]->bi_flags)) {
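Review bot: The new fix-up loop calls `bio_reset(b)` on every bio that was read before the primary-selection loop below tests `BIO_UPTODATE`, and bio_reset() reinitialises `bi_flags` (as far as I can tell it leaves `BIO_UPTODATE` set), so a read that failed may now look successful. If so, a bad mirror could be chosen as primary and its contents compared against or copied over good data. Consider keeping the result across the reset: `int uptodate = test_bit(BIO_UPTODATE, &b->bi_flags);` before `bio_reset(b);` and `if (!uptodate) clear_bit(BIO_UPTODATE, &b->bi_flags);` after it. process_checks() starts and ends outside this hunk, so the later uses of the flag should be checked against the same assumption.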
+@@ -1856,12 +1886,10 @@ static int process_checks(struct r1bio *
+ break;
+ }
+ r1_bio->read_disk = primary;
+- vcnt = (r1_bio->sectors + PAGE_SIZE / 512 - 1) >> (PAGE_SHIFT - 9);
+ for (i = 0; i < conf->raid_disks * 2; i++) {
+ int j;
+ struct bio *pbio = r1_bio->bios[primary];
+ struct bio *sbio = r1_bio->bios[i];
+- int size;
+
+ if (sbio->bi_end_io != end_sync_read)
+ continue;
+@@ -1887,27 +1915,6 @@ static int process_checks(struct r1bio *
+ rdev_dec_pending(conf->mirrors[i].rdev, mddev);
+ continue;
+ }
+- /* fixup the bio for reuse */
+- bio_reset(sbio);
+- sbio->bi_vcnt = vcnt;
+- sbio->bi_size = r1_bio->sectors << 9;
+- sbio->bi_sector = r1_bio->sector +
+- conf->mirrors[i].rdev->data_offset;
+- sbio->bi_bdev = conf->mirrors[i].rdev->bdev;
+- sbio->bi_end_io = end_sync_read;
+- sbio->bi_private = r1_bio;
+-
+- size = sbio->bi_size;
+- for (j = 0; j < vcnt ; j++) {
+- struct bio_vec *bi;
+- bi = &sbio->bi_io_vec[j];
+- bi->bv_offset = 0;
+- if (size > PAGE_SIZE)
+- bi->bv_len = PAGE_SIZE;
+- else
+- bi->bv_len = size;
+- size -= PAGE_SIZE;
+- }
+
+ bio_copy_data(sbio, pbio);
+ }
--- /dev/null
+From 0eb25bb027a100f5a9df8991f2f628e7d851bc1e Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Wed, 24 Jul 2013 15:37:42 +1000
+Subject: md/raid10: remove use-after-free bug.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 0eb25bb027a100f5a9df8991f2f628e7d851bc1e upstream.
+
+We always need to be careful when calling generic_make_request, as it
+can start a chain of events which might free something that we are
+using.
+
+Here is one place I wasn't careful enough. If the wbio2 is not in
+use, then it might get freed at the first generic_make_request call.
+So perform all necessary tests first.
+
+This bug was introduced in 3.3-rc3 (24afd80d99) and can cause an
+oops, so fix is suitable for any -stable since then.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid10.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2268,12 +2268,18 @@ static void recovery_request_write(struc
+ d = r10_bio->devs[1].devnum;
+ wbio = r10_bio->devs[1].bio;
+ wbio2 = r10_bio->devs[1].repl_bio;
++ /* Need to test wbio2->bi_end_io before we call
++ * generic_make_request as if the former is NULL,
++ * the latter is free to free wbio2.
++ */
++ if (wbio2 && !wbio2->bi_end_io)
++ wbio2 = NULL;
+ if (wbio->bi_end_io) {
+ atomic_inc(&conf->mirrors[d].rdev->nr_pending);
+ md_sync_acct(conf->mirrors[d].rdev->bdev, bio_sectors(wbio));
+ generic_make_request(wbio);
+ }
+- if (wbio2 && wbio2->bi_end_io) {
++ if (wbio2) {
+ atomic_inc(&conf->mirrors[d].replacement->nr_pending);
+ md_sync_acct(conf->mirrors[d].replacement->bdev,
+ bio_sectors(wbio2));
--- /dev/null
+From f94c0b6658c7edea8bc19d13be321e3860a3fa54 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 22 Jul 2013 12:57:21 +1000
+Subject: md/raid5: fix interaction of 'replace' and 'recovery'.
+
+From: NeilBrown <neilb@suse.de>
+
+commit f94c0b6658c7edea8bc19d13be321e3860a3fa54 upstream.
+
+If a device in a RAID4/5/6 is being replaced while another is being
+recovered, then the writes to the replacement device currently don't
+happen, resulting in corruption when the replacement completes and the
+new drive takes over.
+
+This is because the replacement writes are only triggered when
+'s.replacing' is set and not when the similar 's.sync' is set (which
+is the case during resync and recovery - it means all devices need to
+be read).
+
+So schedule those writes when s.replacing is set as well.
+
+In this case we cannot use "STRIPE_INSYNC" to record that the
+replacement has happened as that is needed for recording that any
+parity calculation is complete. So introduce STRIPE_REPLACED to
+record if the replacement has happened.
+
+For safety we should also check that STRIPE_COMPUTE_RUN is not set.
+This has a similar effect to the "s.locked == 0" test. The latter
+ensure that now IO has been flagged but not started. The former
+checks if any parity calculation has been flagged by not started.
+We must wait for both of these to complete before triggering the
+'replace'.
+
+Add a similar test to the subsequent check for "are we finished yet".
+This possibly isn't needed (is subsumed in the STRIPE_INSYNC test),
+but it makes it more obvious that the REPLACE will happen before we
+think we are finished.
+
+Finally if a NeedReplace device is not UPTODATE then that is an
+error. We really must trigger a warning.
+
+This bug was introduced in commit 9a3e1101b827a59ac9036a672f5fa8d5279d0fe2
+(md/raid5: detect and handle replacements during recovery.)
+which introduced replacement for raid5.
+That was in 3.3-rc3, so any stable kernel since then would benefit
+from this fix.
+
+Reported-by: qindehua <13691222965@163.com>
+Tested-by: qindehua <qindehua@163.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 15 ++++++++++-----
+ drivers/md/raid5.h | 1 +
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3462,6 +3462,7 @@ static void handle_stripe(struct stripe_
+ test_and_clear_bit(STRIPE_SYNC_REQUESTED, &sh->state)) {
+ set_bit(STRIPE_SYNCING, &sh->state);
+ clear_bit(STRIPE_INSYNC, &sh->state);
++ clear_bit(STRIPE_REPLACED, &sh->state);
+ }
+ spin_unlock(&sh->stripe_lock);
+ }
+@@ -3607,19 +3608,23 @@ static void handle_stripe(struct stripe_
+ handle_parity_checks5(conf, sh, &s, disks);
+ }
+
+- if (s.replacing && s.locked == 0
+- && !test_bit(STRIPE_INSYNC, &sh->state)) {
++ if ((s.replacing || s.syncing) && s.locked == 0
++ && !test_bit(STRIPE_COMPUTE_RUN, &sh->state)
++ && !test_bit(STRIPE_REPLACED, &sh->state)) {
+ /* Write out to replacement devices where possible */
+ for (i = 0; i < conf->raid_disks; i++)
+- if (test_bit(R5_UPTODATE, &sh->dev[i].flags) &&
+- test_bit(R5_NeedReplace, &sh->dev[i].flags)) {
++ if (test_bit(R5_NeedReplace, &sh->dev[i].flags)) {
++ WARN_ON(!test_bit(R5_UPTODATE, &sh->dev[i].flags));
+ set_bit(R5_WantReplace, &sh->dev[i].flags);
+ set_bit(R5_LOCKED, &sh->dev[i].flags);
+ s.locked++;
+ }
+- set_bit(STRIPE_INSYNC, &sh->state);
++ if (s.replacing)
++ set_bit(STRIPE_INSYNC, &sh->state);
++ set_bit(STRIPE_REPLACED, &sh->state);
+ }
+ if ((s.syncing || s.replacing) && s.locked == 0 &&
++ !test_bit(STRIPE_COMPUTE_RUN, &sh->state) &&
+ test_bit(STRIPE_INSYNC, &sh->state)) {
+ md_done_sync(conf->mddev, STRIPE_SECTORS, 1);
+ clear_bit(STRIPE_SYNCING, &sh->state);
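Review bot: `WARN_ON(!test_bit(R5_UPTODATE, &sh->dev[i].flags))` only logs; the next lines still set `R5_WantReplace` and `R5_LOCKED`, so a page that is not up to date would still be queued for writing to the replacement device. The old condition skipped such devices silently. If writing anyway is intended, a comment saying why would help; otherwise the body could be guarded with `if (WARN_ON(...)) continue;`, noting that the stripe is then marked `STRIPE_REPLACED` without that device having been written. On an array that hits this repeatedly, `WARN_ON_ONCE` would also keep the log usable. handle_stripe() extends beyond both ends of the hunk, so whether a later path rejects the non-UPTODATE page cannot be seen here.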
+--- a/drivers/md/raid5.h
++++ b/drivers/md/raid5.h
+@@ -306,6 +306,7 @@ enum {
+ STRIPE_SYNC_REQUESTED,
+ STRIPE_SYNCING,
+ STRIPE_INSYNC,
++ STRIPE_REPLACED,
+ STRIPE_PREREAD_ACTIVE,
+ STRIPE_DELAYED,
+ STRIPE_DEGRADED,
--- /dev/null
+From 5024c298311f3b97c85cb034f9edaa333fdb9338 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Wed, 17 Jul 2013 14:55:31 +1000
+Subject: md: Remove recent change which allows devices to skip recovery.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 5024c298311f3b97c85cb034f9edaa333fdb9338 upstream.
+
+commit 7ceb17e87bde79d285a8b988cfed9eaeebe60b86
+ md: Allow devices to be re-added to a read-only array.
+
+allowed a bit more than just that. It also allows devices to be added
+to a read-write array and to end up skipping recovery.
+
+This patch removes the offending piece of code pending a rewrite for a
+subsequent release.
+
+More specifically:
+ If the array has a bitmap, then the device will still need a bitmap
+ based resync ('saved_raid_disk' is set under different conditions
+ is a bitmap is present).
+ If the array doesn't have a bitmap, then this is correct as long as
+ nothing has been written to the array since the metadata was checked
+ by ->validate_super. However there is no locking to ensure that there
+ was no write.
+
+Bug was introduced in 3.10 and causes data corruption so
+patch is suitable for 3.10-stable.
+
+Reported-by: Joe Lawrence <joe.lawrence@stratus.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7697,20 +7697,6 @@ static int remove_and_add_spares(struct
+ continue;
+
+ rdev->recovery_offset = 0;
+- if (rdev->saved_raid_disk >= 0 && mddev->in_sync) {
+- spin_lock_irq(&mddev->write_lock);
+- if (mddev->in_sync)
+- /* OK, this device, which is in_sync,
+- * will definitely be noticed before
+- * the next write, so recovery isn't
+- * needed.
+- */
+- rdev->recovery_offset = mddev->recovery_cp;
+- spin_unlock_irq(&mddev->write_lock);
+- }
+- if (mddev->ro && rdev->recovery_offset != MaxSector)
+- /* not safe to add this disk now */
+- continue;
+ if (mddev->pers->
+ hot_add_disk(mddev, rdev) == 0) {
+ if (sysfs_link_rdev(mddev, rdev))
--- /dev/null
+From e4daf1ffbe6cc3b12aab4d604e627829e93e9914 Mon Sep 17 00:00:00 2001
+From: Harshula Jayasuriya <harshula@redhat.com>
+Date: Tue, 23 Jul 2013 14:21:35 +1000
+Subject: nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file
+
+From: Harshula Jayasuriya <harshula@redhat.com>
+
+commit e4daf1ffbe6cc3b12aab4d604e627829e93e9914 upstream.
+
+The following call chain:
+------------------------------------------------------------
+nfs4_get_vfs_file
+- nfsd_open
+ - dentry_open
+ - do_dentry_open
+ - __get_file_write_access
+ - get_write_access
+ - return atomic_inc_unless_negative(&inode->i_writecount) ? 0 : -ETXTBSY;
+------------------------------------------------------------
+
+can result in the following state:
+------------------------------------------------------------
+struct nfs4_file {
+...
+ fi_fds = {0xffff880c1fa65c80, 0xffffffffffffffe6, 0x0},
+ fi_access = {{
+ counter = 0x1
+ }, {
+ counter = 0x0
+ }},
+...
+------------------------------------------------------------
+
+1) First time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
+NULL, hence nfsd_open() is called where we get status set to an error
+and fp->fi_fds[O_WRONLY] to -ETXTBSY. Thus we do not reach
+nfs4_file_get_access() and fi_access[O_WRONLY] is not incremented.
+
+2) Second time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
+NOT NULL (-ETXTBSY), so nfsd_open() is NOT called, but
+nfs4_file_get_access() IS called and fi_access[O_WRONLY] is incremented.
+Thus we leave a landmine in the form of the nfs4_file data structure in
+an incorrect state.
+
+3) Eventually, when __nfs4_file_put_access() is called it finds
+fi_access[O_WRONLY] being non-zero, it decrements it and calls
+nfs4_file_put_fd() which tries to fput -ETXTBSY.
+------------------------------------------------------------
+...
+ [exception RIP: fput+0x9]
+ RIP: ffffffff81177fa9 RSP: ffff88062e365c90 RFLAGS: 00010282
+ RAX: ffff880c2b3d99cc RBX: ffff880c2b3d9978 RCX: 0000000000000002
+ RDX: dead000000100101 RSI: 0000000000000001 RDI: ffffffffffffffe6
+ RBP: ffff88062e365c90 R8: ffff88041fe797d8 R9: ffff88062e365d58
+ R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000001
+ R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #9 [ffff88062e365c98] __nfs4_file_put_access at ffffffffa0562334 [nfsd]
+ #10 [ffff88062e365cc8] nfs4_file_put_access at ffffffffa05623ab [nfsd]
+ #11 [ffff88062e365ce8] free_generic_stateid at ffffffffa056634d [nfsd]
+ #12 [ffff88062e365d18] release_open_stateid at ffffffffa0566e4b [nfsd]
+ #13 [ffff88062e365d38] nfsd4_close at ffffffffa0567401 [nfsd]
+ #14 [ffff88062e365d88] nfsd4_proc_compound at ffffffffa0557f28 [nfsd]
+ #15 [ffff88062e365dd8] nfsd_dispatch at ffffffffa054543e [nfsd]
+ #16 [ffff88062e365e18] svc_process_common at ffffffffa04ba5a4 [sunrpc]
+ #17 [ffff88062e365e98] svc_process at ffffffffa04babe0 [sunrpc]
+ #18 [ffff88062e365eb8] nfsd at ffffffffa0545b62 [nfsd]
+ #19 [ffff88062e365ee8] kthread at ffffffff81090886
+ #20 [ffff88062e365f48] kernel_thread at ffffffff8100c14a
+------------------------------------------------------------
+
+Signed-off-by: Harshula Jayasuriya <harshula@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/vfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -802,9 +802,10 @@ nfsd_open(struct svc_rqst *rqstp, struct
+ flags = O_WRONLY|O_LARGEFILE;
+ }
+ *filp = dentry_open(&path, flags, current_cred());
+- if (IS_ERR(*filp))
++ if (IS_ERR(*filp)) {
+ host_err = PTR_ERR(*filp);
+- else {
++ *filp = NULL;
++ } else {
+ host_err = ima_file_check(*filp, may_flags);
+
+ if (may_flags & NFSD_MAY_64BIT_COOKIE)
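Review bot: The error branch now clears `*filp`, but the `else` branch stores the result of `ima_file_check()` in `host_err` and leaves the opened file in `*filp`. If that call fails, the caller would receive an error together with a live `struct file` pointer, which is the same status/pointer mismatch the commit message describes for `fi_fds[]`, only with a valid pointer instead of an ERR_PTR. The rest of the branch and the return path are outside the hunk, so this needs confirming there. If it is not handled, something like `if (host_err) { fput(*filp); *filp = NULL; }` before the `f_mode` updates would keep the two in step.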
--- /dev/null
+From 0e0ed6406e61434d3f38fb58aa8464ec4722b77e Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Mon, 15 Jul 2013 14:04:50 +1000
+Subject: powerpc/modules: Module CRC relocation fix causes perf issues
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 0e0ed6406e61434d3f38fb58aa8464ec4722b77e upstream.
+
+Module CRCs are implemented as absolute symbols that get resolved by
+a linker script. We build an intermediate .o that contains an
+unresolved symbol for each CRC. genksysms parses this .o, calculates
+the CRCs and writes a linker script that "resolves" the symbols to
+the calculated CRC.
+
+Unfortunately the ppc64 relocatable kernel sees these CRCs as symbols
+that need relocating and relocates them at boot. Commit d4703aef
+(module: handle ppc64 relocating kcrctabs when CONFIG_RELOCATABLE=y)
+added a hook to reverse the bogus relocations. Part of this patch
+created a symbol at 0x0:
+
+# head -2 /proc/kallsyms
+0000000000000000 T reloc_start
+c000000000000000 T .__start
+
+This reloc_start symbol is causing lots of confusion to perf. It
+thinks reloc_start is a massive function that stretches from 0x0 to
+0xc000000000000000 and we get various cryptic errors out of perf,
+including:
+
+problem incrementing symbol count, skipping event
+
+This patch removes the reloc_start linker script label and instead
+defines it as PHYSICAL_START. We also need to wrap it with
+CONFIG_PPC64 because the ppc32 kernel can set a non zero
+PHYSICAL_START at compile time and we wouldn't want to subtract
+it from the CRCs in that case.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/module.h | 5 ++---
+ arch/powerpc/kernel/vmlinux.lds.S | 3 ---
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/module.h
++++ b/arch/powerpc/include/asm/module.h
+@@ -82,10 +82,9 @@ struct exception_table_entry;
+ void sort_ex_table(struct exception_table_entry *start,
+ struct exception_table_entry *finish);
+
+-#ifdef CONFIG_MODVERSIONS
++#if defined(CONFIG_MODVERSIONS) && defined(CONFIG_PPC64)
+ #define ARCH_RELOCATES_KCRCTAB
+-
+-extern const unsigned long reloc_start[];
++#define reloc_start PHYSICAL_START
+ #endif
+ #endif /* __KERNEL__ */
+ #endif /* _ASM_POWERPC_MODULE_H */
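Review bot: `#define reloc_start PHYSICAL_START` carries no comment, and the reason for the extra `CONFIG_PPC64` condition is only in the commit message. A short comment above the define would keep that reasoning with the code, e.g. `/* ppc64 relocatable kernels relocate the CRC symbols; undo that relative to PHYSICAL_START. ppc32 may set a non-zero PHYSICAL_START at build time and must not subtract it. */`. The name also changes from an array-typed extern to an integer macro, so any user that takes its address or indexes it, rather than casting it to `unsigned long`, would need checking; no such user is visible in this hunk.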
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -38,9 +38,6 @@ jiffies = jiffies_64 + 4;
+ #endif
+ SECTIONS
+ {
+- . = 0;
+- reloc_start = .;
+-
+ . = KERNELBASE;
+
+ /*
--- /dev/null
+From f2e055e7c9c6084bfbaa68701e52562acf96419e Mon Sep 17 00:00:00 2001
+From: Daniel Mack <zonque@gmail.com>
+Date: Thu, 4 Jul 2013 13:11:03 +0200
+Subject: regmap: cache: bail in regmap_async_complete() for bus-less maps
+
+From: Daniel Mack <zonque@gmail.com>
+
+commit f2e055e7c9c6084bfbaa68701e52562acf96419e upstream.
+
+Commit f8bd822cb ("regmap: cache: Factor out block sync") made
+regcache_rbtree_sync() call regmap_async_complete(), which in turn does
+not check for map->bus before dereferencing it.
+
+This causes a NULL pointer dereference on bus-less maps.
+
+Signed-off-by: Daniel Mack <zonque@gmail.com>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1717,7 +1717,7 @@ int regmap_async_complete(struct regmap
+ int ret;
+
+ /* Nothing to do with no async support */
+- if (!map->bus->async_write)
++ if (!map->bus || !map->bus->async_write)
+ return 0;
+
+ trace_regmap_async_complete_start(map->dev);
--- /dev/null
+From 96f15f29038e58e1b0a96483e2b369ff446becf1 Mon Sep 17 00:00:00 2001
+From: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
+Date: Thu, 11 Jul 2013 17:18:58 -0700
+Subject: SCSI: isci: Fix a race condition in the SSP task management path
+
+From: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
+
+commit 96f15f29038e58e1b0a96483e2b369ff446becf1 upstream.
+
+This commit fixes a race condition in the isci driver abort task and SSP
+device task management path. The race is caused when an I/O termination
+in the SCU hardware is necessary because of an SSP target timeout condition,
+and the check of the I/O end state races against the HW-termination-driven
+end state. The failure of the race meant that no TMF was sent to the device
+to clean-up the pending I/O.
+
+Signed-off-by: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
+Reviewed-by: Lukasz Dorau <lukasz.dorau@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/isci/task.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/isci/task.c
++++ b/drivers/scsi/isci/task.c
+@@ -491,6 +491,7 @@ int isci_task_abort_task(struct sas_task
+ struct isci_tmf tmf;
+ int ret = TMF_RESP_FUNC_FAILED;
+ unsigned long flags;
++ int target_done_already = 0;
+
+ /* Get the isci_request reference from the task. Note that
+ * this check does not depend on the pending request list
+@@ -505,9 +506,11 @@ int isci_task_abort_task(struct sas_task
+ /* If task is already done, the request isn't valid */
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE) &&
+ (task->task_state_flags & SAS_TASK_AT_INITIATOR) &&
+- old_request)
++ old_request) {
+ idev = isci_get_device(task->dev->lldd_dev);
+-
++ target_done_already = test_bit(IREQ_COMPLETE_IN_TARGET,
++ &old_request->flags);
++ }
+ spin_unlock(&task->task_state_lock);
+ spin_unlock_irqrestore(&ihost->scic_lock, flags);
+
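Review bot: Nothing in the code says why `target_done_already` is sampled at this point instead of being tested where it is used, so a later cleanup could easily fold it back into the `test_bit()` call further down and reintroduce the race. A comment at the assignment would record that, e.g. `/* Snapshot IREQ_COMPLETE_IN_TARGET while scic_lock and task_state_lock are held; a later test can observe the bit set by the HW-driven termination and wrongly skip the TMF. */`. isci_task_abort_task() begins and ends outside this hunk.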
+@@ -561,7 +564,7 @@ int isci_task_abort_task(struct sas_task
+
+ if (task->task_proto == SAS_PROTOCOL_SMP ||
+ sas_protocol_ata(task->task_proto) ||
+- test_bit(IREQ_COMPLETE_IN_TARGET, &old_request->flags) ||
++ target_done_already ||
+ test_bit(IDEV_GONE, &idev->flags)) {
+
+ spin_unlock_irqrestore(&ihost->scic_lock, flags);
--- /dev/null
+From c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Date: Fri, 12 Jul 2013 14:47:51 -0400
+Subject: SCSI: qla2xxx: Properly set the tagging for commands.
+
+From: Saurav Kashyap <saurav.kashyap@qlogic.com>
+
+commit c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 upstream.
+
+This fixes a regression where Xyratex controllers and disks were lost by the
+driver:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=59601
+
+Reported-by: Jack Hill <jackhill@jackhill.us>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -419,6 +419,8 @@ qla2x00_start_scsi(srb_t *sp)
+ __constant_cpu_to_le16(CF_SIMPLE_TAG);
+ break;
+ }
++ } else {
++ cmd_pkt->control_flags = __constant_cpu_to_le16(CF_SIMPLE_TAG);
+ }
+
+ /* Load SCSI command packet. */
+@@ -1308,11 +1310,11 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp
+ fcp_cmnd->task_attribute = TSK_ORDERED;
+ break;
+ default:
+- fcp_cmnd->task_attribute = 0;
++ fcp_cmnd->task_attribute = TSK_SIMPLE;
+ break;
+ }
+ } else {
+- fcp_cmnd->task_attribute = 0;
++ fcp_cmnd->task_attribute = TSK_SIMPLE;
+ }
+
+ cmd_pkt->fcp_rsp_dseg_len = 0; /* Let response come in status iocb */
+@@ -1527,7 +1529,12 @@ qla24xx_start_scsi(srb_t *sp)
+ case ORDERED_QUEUE_TAG:
+ cmd_pkt->task = TSK_ORDERED;
+ break;
++ default:
++ cmd_pkt->task = TSK_SIMPLE;
++ break;
+ }
++ } else {
++ cmd_pkt->task = TSK_SIMPLE;
+ }
+
+ /* Load SCSI command packet. */
--- /dev/null
+From 085b513f97d8d799d28491239be4b451bcd8c2c5 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Fri, 2 Nov 2012 09:38:34 -0400
+Subject: SCSI: sd: fix crash when UA received on DIF enabled device
+
+From: "Ewan D. Milne" <emilne@redhat.com>
+
+commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream.
+
+sd_prep_fn will allocate a larger CDB for the command via mempool_alloc
+for devices using DIF type 2 protection. This CDB was being freed
+in sd_done, which results in a kernel crash if the command is retried
+due to a UNIT ATTENTION. This change moves the code to free the larger
+CDB into sd_unprep_fn instead, which is invoked after the request is
+complete.
+
+It is no longer necessary to call scsi_print_command separately for
+this case as the ->cmnd will no longer be NULL in the normal code path.
+
+Also removed conditional test for DIF type 2 when freeing the larger
+CDB because the protection_type could have been changed via sysfs while
+the command was executing.
+
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -828,10 +828,17 @@ static int scsi_setup_flush_cmnd(struct
+
+ static void sd_unprep_fn(struct request_queue *q, struct request *rq)
+ {
++ struct scsi_cmnd *SCpnt = rq->special;
++
+ if (rq->cmd_flags & REQ_DISCARD) {
+ free_page((unsigned long)rq->buffer);
+ rq->buffer = NULL;
+ }
++ if (SCpnt->cmnd != rq->cmd) {
++ mempool_free(SCpnt->cmnd, sd_cdb_pool);
++ SCpnt->cmnd = NULL;
++ SCpnt->cmd_len = 0;
++ }
+ }
+
+ /**
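Review bot: sd_unprep_fn() now dereferences `rq->special` unconditionally in `SCpnt->cmnd != rq->cmd`, where the old body never touched it. Whether the unprep hook can run for a request whose `special` has already been cleared, or was never set, cannot be told from this hunk; if it can, this is a NULL dereference in the completion path, and `if (SCpnt && SCpnt->cmnd != rq->cmd)` would cover it. The test also assumes that any `cmnd` differing from `rq->cmd` came from `sd_cdb_pool`, which is worth a one-line comment now that the DIF type 2 condition has been dropped.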
+@@ -1710,21 +1717,6 @@ static int sd_done(struct scsi_cmnd *SCp
+ if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt))
+ sd_dif_complete(SCpnt, good_bytes);
+
+- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type)
+- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) {
+-
+- /* We have to print a failed command here as the
+- * extended CDB gets freed before scsi_io_completion()
+- * is called.
+- */
+- if (result)
+- scsi_print_command(SCpnt);
+-
+- mempool_free(SCpnt->cmnd, sd_cdb_pool);
+- SCpnt->cmnd = NULL;
+- SCpnt->cmd_len = 0;
+- }
+-
+ return good_bytes;
+ }
+
asoc-tegra-correct-playback_dma_data-setup.patch
asoc-wm8962-remove-remaining-direct-register-cache-accesses.patch
arm-7722-1-zimage-convert-32bits-memory-size-and-address-from-atag-to-64bits-dtb.patch
+scsi-isci-fix-a-race-condition-in-the-ssp-task-management-path.patch
+scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch
+scsi-qla2xxx-properly-set-the-tagging-for-commands.patch
+tracing-fix-error-handling-to-ensure-instances-can-always-be-removed.patch
+tracing-miscellaneous-fixes-for-trace_array-ref-counting.patch
+tracing-kill-the-unbalanced-tr-ref-in-tracing_buffers_open.patch
+tracing-remove-locking-trace_types_lock-from-tracing_reset_all_online_cpus.patch
+usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch
+xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch
+xhci-avoid-null-pointer-deref-when-host-dies.patch
+usb-ehci-fix-resume-signalling-on-remote-wakeup.patch
+usb-mos7840-fix-memory-leak-in-open.patch
+usb-dwc3-fix-the-error-returned-with-usb3_phy-failure.patch
+usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch
+usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch
+usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch
+usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch
+usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch
+usb-global-suspend-and-remote-wakeup-don-t-mix.patch
+staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch
+staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch
+staging-android-logger-correct-write-offset-reset-on-error.patch
+cpufreq-intel_pstate-change-to-scale-off-of-max-p-state.patch
+btrfs-fix-wrong-write-offset-when-replacing-a-device.patch
+btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch
+btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch
+xen-netfront-pull-on-receive-skb-may-need-to-happen-earlier.patch
+xen-blkback-check-device-permissions-before-allowing-op_discard.patch
+x86-suspend-handle-cpus-which-fail-to-gp-on-rdmsr.patch
+x86-make-sure-idt-is-page-aligned.patch
+md-remove-recent-change-which-allows-devices-to-skip-recovery.patch
+md-raid1-fix-bio-handling-problems-in-process_checks.patch
+md-raid5-fix-interaction-of-replace-and-recovery.patch
+md-raid10-remove-use-after-free-bug.patch
+ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch
+libata-make-it-clear-that-sata_inic162x-is-experimental.patch
+svcrdma-underflow-issue-in-decode_write_list.patch
+crypto-caam-fixed-the-memory-out-of-bound-overwrite-issue.patch
+powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch
+nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file.patch
+tools-hv-kvp-fix-a-bug-in-ipv6-subnet-enumeration.patch
+drivers-hv-balloon-fix-a-bug-in-the-hot-add-code.patch
+drivers-hv-balloon-do-not-post-pressure-status-if-interrupted.patch
+regmap-cache-bail-in-regmap_async_complete-for-bus-less-maps.patch
+acpi-scan-always-call-acpi_bus_scan-for-bus-check-notifications.patch
+acpi-scan-do-not-try-to-attach-scan-handlers-to-devices-having-them.patch
+acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch
+acpi-video-ignore-bios-initial-backlight-value-for-fujitsu-e753.patch
+dm-mpath-fix-ioctl-deadlock-when-no-paths.patch
+dm-ioctl-set-noio-flag-to-avoid-__vmalloc-deadlock.patch
+dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch
--- /dev/null
+From 72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2 Mon Sep 17 00:00:00 2001
+From: Karlis Ogsts <karlis.ogsts@sonymobile.com>
+Date: Mon, 22 Jul 2013 13:51:42 -0700
+Subject: staging: android: logger: Correct write offset reset on error
+
+From: Karlis Ogsts <karlis.ogsts@sonymobile.com>
+
+commit 72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2 upstream.
+
+In the situation that a writer fails to copy data from userspace it will reset
+the write offset to the value it had before it went to sleep. This discarding
+any messages written while aquiring the mutex.
+
+Therefore the reset offset needs to be retrieved after acquiring the mutex.
+
+Cc: Android Kernel Team <kernel-team@android.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/logger.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/android/logger.c
++++ b/drivers/staging/android/logger.c
+@@ -469,7 +469,7 @@ static ssize_t logger_aio_write(struct k
+ unsigned long nr_segs, loff_t ppos)
+ {
+ struct logger_log *log = file_get_log(iocb->ki_filp);
+- size_t orig = log->w_off;
++ size_t orig;
+ struct logger_entry header;
+ struct timespec now;
+ ssize_t ret = 0;
+@@ -490,6 +490,8 @@ static ssize_t logger_aio_write(struct k
+
+ mutex_lock(&log->mutex);
+
++ orig = log->w_off;
++
+ /*
+ * Fix up any readers, pulling them forward to the first readable
+ * entry after (what will be) the new write offset. We do this now
--- /dev/null
+From 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 8 Jul 2013 13:36:19 +0100
+Subject: staging: comedi: COMEDI_CANCEL ioctl should wake up read/write
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b upstream.
+
+Comedi devices can do blocking read() or write() (or poll()) if an
+asynchronous command has been set up, blocking for data (for read()) or
+buffer space (for write()). Various events associated with the
+asynchronous command will wake up the blocked reader or writer (or
+poller). It is also possible to force the asynchronous command to
+terminate by issuing a `COMEDI_CANCEL` ioctl. That shuts down the
+asynchronous command, but does not currently wake up the blocked reader
+or writer (or poller). If the blocked task could be woken up, it would
+see that the command is no longer active and return. The caller of the
+`COMEDI_CANCEL` ioctl could attempt to wake up the blocked task by
+sending a signal, but that's a nasty workaround.
+
+Change `do_cancel_ioctl()` to wake up the wait queue after it returns
+from `do_cancel()`. `do_cancel()` can propagate an error return value
+from the low-level comedi driver's cancel routine, but it always shuts
+the command down regardless, so `do_cancel_ioctl()` can wake up he wait
+queue regardless of the return value from `do_cancel()`.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1692,6 +1692,7 @@ static int do_cancel_ioctl(struct comedi
+ void *file)
+ {
+ struct comedi_subdevice *s;
++ int ret;
+
+ if (arg >= dev->n_subdevices)
+ return -EINVAL;
+@@ -1708,7 +1709,11 @@ static int do_cancel_ioctl(struct comedi
+ if (s->busy != file)
+ return -EBUSY;
+
+- return do_cancel(dev, s);
++ ret = do_cancel(dev, s);
++ if (comedi_get_subdevice_runflags(s) & SRF_USER)
++ wake_up_interruptible(&s->async->wait_head);
++
++ return ret;
+ }
+
+ /*
--- /dev/null
+From 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 5 Jul 2013 16:49:34 +0100
+Subject: staging: comedi: fix a race between do_cmd_ioctl() and read/write
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 upstream.
+
+`do_cmd_ioctl()` is called with the comedi device's mutex locked to
+process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command
+handling on a comedi subdevice. `comedi_read()` and `comedi_write()`
+are the `read` and `write` handlers for the comedi device, but do not
+lock the mutex (for performance reasons, as some things can hold the
+mutex for quite a long time).
+
+There is a race condition if `comedi_read()` or `comedi_write()` is
+running at the same time and for the same file object and comedi
+subdevice as `do_cmd_ioctl()`. `do_cmd_ioctl()` sets the subdevice's
+`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag
+in the subdevice's `runflags` member. `comedi_read()` and
+`comedi_write()` check the subdevice's `busy` pointer is pointing to the
+current file object, then if the `SRF_RUNNING` flag is not set, will call
+`do_become_nonbusy()` to shut down the asynchronous command. Bad things
+can happen if the asynchronous command is being shutdown and set up at
+the same time.
+
+To prevent the race, don't set the `busy` pointer until
+after the `SRF_RUNNING` flag has been set. Also, make sure the mutex is
+held in `comedi_read()` and `comedi_write()` while calling
+`do_become_nonbusy()` in order to avoid moving the race condition to a
+point within that function.
+
+Change some error handling `goto cleanup` statements in `do_cmd_ioctl()`
+to simple `return -ERRFOO` statements as a result of changing when the
+`busy` pointer is set.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1401,22 +1401,19 @@ static int do_cmd_ioctl(struct comedi_de
+ DPRINTK("subdevice busy\n");
+ return -EBUSY;
+ }
+- s->busy = file;
+
+ /* make sure channel/gain list isn't too long */
+ if (cmd.chanlist_len > s->len_chanlist) {
+ DPRINTK("channel/gain list too long %u > %d\n",
+ cmd.chanlist_len, s->len_chanlist);
+- ret = -EINVAL;
+- goto cleanup;
++ return -EINVAL;
+ }
+
+ /* make sure channel/gain list isn't too short */
+ if (cmd.chanlist_len < 1) {
+ DPRINTK("channel/gain list too short %u < 1\n",
+ cmd.chanlist_len);
+- ret = -EINVAL;
+- goto cleanup;
++ return -EINVAL;
+ }
+
+ async->cmd = cmd;
+@@ -1426,8 +1423,7 @@ static int do_cmd_ioctl(struct comedi_de
+ kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+ if (!async->cmd.chanlist) {
+ DPRINTK("allocation failed\n");
+- ret = -ENOMEM;
+- goto cleanup;
++ return -ENOMEM;
+ }
+
+ if (copy_from_user(async->cmd.chanlist, user_chanlist,
+@@ -1479,6 +1475,9 @@ static int do_cmd_ioctl(struct comedi_de
+
+ comedi_set_subdevice_runflags(s, ~0, SRF_USER | SRF_RUNNING);
+
++ /* set s->busy _after_ setting SRF_RUNNING flag to avoid race with
++ * comedi_read() or comedi_write() */
++ s->busy = file;
+ ret = s->do_cmd(dev, s);
+ if (ret == 0)
+ return 0;
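Review bot: The comment on `s->busy = file` states an ordering requirement, but the hunk shows nothing that enforces it for the readers the commit message describes as running without the mutex. Whether the plain store to `s->busy` becomes visible only after the `SRF_RUNNING` update depends on what `comedi_set_subdevice_runflags()` does internally, which is not visible here. The comment should name what provides that ordering, or a write barrier with a matching read-side barrier in `comedi_read()`/`comedi_write()` should be added. The rest of do_cmd_ioctl(), including the failure path after `s->do_cmd()`, is outside the hunk.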
+@@ -2041,11 +2040,13 @@ static ssize_t comedi_write(struct file
+
+ if (!comedi_is_subdevice_running(s)) {
+ if (count == 0) {
++ mutex_lock(&dev->mutex);
+ if (comedi_is_subdevice_in_error(s))
+ retval = -EPIPE;
+ else
+ retval = 0;
+ do_become_nonbusy(dev, s);
++ mutex_unlock(&dev->mutex);
+ }
+ break;
+ }
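Review bot: `comedi_is_subdevice_running(s)` is tested before `mutex_lock(&dev->mutex)` and not tested again once the lock is held, so a command that finishes its setup in that window can be torn down by the `do_become_nonbusy()` call that follows. The same check-then-lock pattern appears in both comedi_read() hunks (the `!comedi_is_subdevice_running(s)` branch and the `comedi_is_subdevice_idle(s)` branch). Re-testing under the mutex closes the window, e.g. `if (!comedi_is_subdevice_running(s)) do_become_nonbusy(dev, s);` directly after `mutex_lock()`; a check that `s->busy` still refers to this file would belong in the same place. The surrounding loop in comedi_write() starts and ends outside the hunk.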
+@@ -2144,11 +2145,13 @@ static ssize_t comedi_read(struct file *
+
+ if (n == 0) {
+ if (!comedi_is_subdevice_running(s)) {
++ mutex_lock(&dev->mutex);
+ do_become_nonbusy(dev, s);
+ if (comedi_is_subdevice_in_error(s))
+ retval = -EPIPE;
+ else
+ retval = 0;
++ mutex_unlock(&dev->mutex);
+ break;
+ }
+ if (file->f_flags & O_NONBLOCK) {
+@@ -2186,9 +2189,11 @@ static ssize_t comedi_read(struct file *
+ buf += n;
+ break; /* makes device work like a pipe */
+ }
+- if (comedi_is_subdevice_idle(s) &&
+- async->buf_read_count - async->buf_write_count == 0) {
+- do_become_nonbusy(dev, s);
++ if (comedi_is_subdevice_idle(s)) {
++ mutex_lock(&dev->mutex);
++ if (async->buf_read_count - async->buf_write_count == 0)
++ do_become_nonbusy(dev, s);
++ mutex_unlock(&dev->mutex);
+ }
+ set_current_state(TASK_RUNNING);
+ remove_wait_queue(&async->wait_head, &wait);
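Review bot: `mutex_lock(&dev->mutex)` is reached before `set_current_state(TASK_RUNNING)` and `remove_wait_queue()`, which suggests the task may still be in the sleeping state set inside the wait loop when it takes a lock that can itself block. The loop is outside the hunk, so this needs confirming against the full function. If it holds, moving the two context lines `set_current_state(TASK_RUNNING);` and `remove_wait_queue(&async->wait_head, &wait);` above the `if (comedi_is_subdevice_idle(s))` block means the mutex is taken with the task running and off the wait queue.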
--- /dev/null
+From b2781e1021525649c0b33fffd005ef219da33926 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 12 Jul 2013 09:39:03 +0300
+Subject: svcrdma: underflow issue in decode_write_list()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b2781e1021525649c0b33fffd005ef219da33926 upstream.
+
+My static checker marks everything from ntohl() as untrusted and it
+complains we could have an underflow problem doing:
+
+ return (u32 *)&ary->wc_array[nchunks];
+
+Also on 32 bit systems the upper bound check could overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_marshal.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_marshal.c
+@@ -98,6 +98,7 @@ void svc_rdma_rcl_chunk_counts(struct rp
+ */
+ static u32 *decode_write_list(u32 *va, u32 *vaend)
+ {
++ unsigned long start, end;
+ int nchunks;
+
+ struct rpcrdma_write_array *ary =
+@@ -113,9 +114,12 @@ static u32 *decode_write_list(u32 *va, u
+ return NULL;
+ }
+ nchunks = ntohl(ary->wc_nchunks);
+- if (((unsigned long)&ary->wc_array[0] +
+- (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
+- (unsigned long)vaend) {
++
++ start = (unsigned long)&ary->wc_array[0];
++ end = (unsigned long)vaend;
++ if (nchunks < 0 ||
++ nchunks > (SIZE_MAX - start) / sizeof(struct rpcrdma_write_chunk) ||
++ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) > end) {
+ dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n",
+ ary, nchunks, vaend);
+ return NULL;
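Review bot: `nchunks` still receives the `ntohl()` result as a signed `int`, so the new condition mixes a signed value with `unsigned long`/`size_t` operands and is only safe because the `nchunks < 0` test runs first; the same three-clause check is repeated verbatim in the decode_reply_array() hunk. A single division-based comparison is easier to audit and cannot wrap: `if (nchunks < 0 || start > end || nchunks > (end - start) / sizeof(struct rpcrdma_write_chunk))`. Declaring `nchunks` as `u32` would remove the need for the sign test, and a small static helper shared by both decoders would keep the two bounds checks from drifting apart. Both functions begin and end outside their hunks.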
+@@ -129,6 +133,7 @@ static u32 *decode_write_list(u32 *va, u
+
+ static u32 *decode_reply_array(u32 *va, u32 *vaend)
+ {
++ unsigned long start, end;
+ int nchunks;
+ struct rpcrdma_write_array *ary =
+ (struct rpcrdma_write_array *)va;
+@@ -143,9 +148,12 @@ static u32 *decode_reply_array(u32 *va,
+ return NULL;
+ }
+ nchunks = ntohl(ary->wc_nchunks);
+- if (((unsigned long)&ary->wc_array[0] +
+- (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
+- (unsigned long)vaend) {
++
++ start = (unsigned long)&ary->wc_array[0];
++ end = (unsigned long)vaend;
++ if (nchunks < 0 ||
++ nchunks > (SIZE_MAX - start) / sizeof(struct rpcrdma_write_chunk) ||
++ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) > end) {
+ dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n",
+ ary, nchunks, vaend);
+ return NULL;
--- /dev/null
+From ed4bb9744b41d39ba35080c2390e201575121dc7 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Thu, 11 Jul 2013 12:03:31 -0700
+Subject: Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit ed4bb9744b41d39ba35080c2390e201575121dc7 upstream.
+
+Each subnet string needs to be separated with a semicolon. Fix this bug.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_kvp_daemon.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -1016,9 +1016,10 @@ kvp_get_ip_info(int family, char *if_nam
+
+ if (sn_offset == 0)
+ strcpy(sn_str, cidr_mask);
+- else
++ else {
++ strcat((char *)ip_buffer->sub_net, ";");
+ strcat(sn_str, cidr_mask);
+- strcat((char *)ip_buffer->sub_net, ";");
++ }
+ sn_offset += strlen(sn_str) + 1;
+ }
+
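Review bot: Both branches append with `strcpy()`/`strcat()`, and the hunk shows no check that the accumulated subnet string plus the `;` separator still fits in `ip_buffer->sub_net`; the list grows with the number of addresses on the interface. Unless a bound is enforced in the part of kvp_get_ip_info() outside the hunk, the append should be refused once `strlen(sn_str) + strlen(cidr_mask) + 2` exceeds the destination size. The block also writes through what appear to be two names for the same buffer (`sn_str` and `(char *)ip_buffer->sub_net`); using one name would make the length accounting easier to follow.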
--- /dev/null
+From 609e85a70bcd0eedf4ec60639dbcfb1ab011e054 Mon Sep 17 00:00:00 2001
+From: Alexander Z Lam <azl@google.com>
+Date: Wed, 10 Jul 2013 17:34:34 -0700
+Subject: tracing: Fix error handling to ensure instances can always be removed
+
+From: Alexander Z Lam <azl@google.com>
+
+commit 609e85a70bcd0eedf4ec60639dbcfb1ab011e054 upstream.
+
+Remove debugfs directories for tracing instances during creation if an error
+occurs causing the trace_array for that instance to not be added to
+ftrace_trace_arrays. If the directory continues to exist after the error, it
+cannot be removed because the respective trace_array is not in
+ftrace_trace_arrays.
+
+Link: http://lkml.kernel.org/r/1373502874-1706-2-git-send-email-azl@google.com
+
+Signed-off-by: Alexander Z Lam <azl@google.com>
+Cc: Vaibhav Nagarnaik <vnagarnaik@google.com>
+Cc: David Sharp <dhsharp@google.com>
+Cc: Alexander Z Lam <lambchop468@gmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -5926,8 +5926,10 @@ static int new_instance_create(const cha
+ goto out_free_tr;
+
+ ret = event_trace_add_tracer(tr->dir, tr);
+- if (ret)
++ if (ret) {
++ debugfs_remove_recursive(tr->dir);
+ goto out_free_tr;
++ }
+
+ init_tracer_debugfs(tr, tr->dir);
+
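Review bot: The directory removal is done inline before `goto out_free_tr` rather than in the unwind labels, so any failure added later between `event_trace_add_tracer()` and the point where the trace_array is published would have to remember the same call. A dedicated label keeps the unwind in one place: `goto out_remove_dir;` here, with `out_remove_dir: debugfs_remove_recursive(tr->dir);` placed just above `out_free_tr:`. The labels themselves are outside the hunk, so their current order needs checking before doing this.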
--- /dev/null
+From e70e78e3c83b536730e31231dd9b979768d8df3c Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 19 Jul 2013 17:36:44 +0200
+Subject: tracing: Kill the unbalanced tr->ref++ in tracing_buffers_open()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit e70e78e3c83b536730e31231dd9b979768d8df3c upstream.
+
+tracing_buffers_open() does trace_array_get() and then it wrongly
+increments tr->ref again under trace_types_lock. This means that
+every caller leaks trace_array:
+
+ # cd /sys/kernel/debug/tracing/
+ # mkdir instances/X
+ # true < instances/X/per_cpu/cpu0/trace_pipe_raw
+ # rmdir instances/X
+ rmdir: failed to remove `instances/X': Device or resource busy
+
+Link: http://lkml.kernel.org/r/20130719153644.GA18899@redhat.com
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4907,8 +4907,6 @@ static int tracing_buffers_open(struct i
+
+ mutex_lock(&trace_types_lock);
+
+- tr->ref++;
+-
+ info->iter.tr = tr;
+ info->iter.cpu_file = tc->cpu;
+ info->iter.trace = tr->current_trace;
--- /dev/null
+From f77d09a384676bde6445413949d9d2c508ff3e62 Mon Sep 17 00:00:00 2001
+From: Alexander Z Lam <azl@google.com>
+Date: Thu, 18 Jul 2013 11:18:44 -0700
+Subject: tracing: Miscellaneous fixes for trace_array ref counting
+
+From: Alexander Z Lam <azl@google.com>
+
+commit f77d09a384676bde6445413949d9d2c508ff3e62 upstream.
+
+Some error paths did not handle ref counting properly, and some trace files need
+ref counting.
+
+Link: http://lkml.kernel.org/r/1374171524-11948-1-git-send-email-azl@google.com
+
+Signed-off-by: Alexander Z Lam <azl@google.com>
+Cc: Vaibhav Nagarnaik <vnagarnaik@google.com>
+Cc: David Sharp <dhsharp@google.com>
+Cc: Alexander Z Lam <lambchop468@gmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 24 ++++++++++++++++++------
+ kernel/trace/trace_events.c | 21 +++++++++++++++++++--
+ 2 files changed, 37 insertions(+), 8 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -2956,7 +2956,6 @@ static int tracing_release(struct inode
+
+ iter = m->private;
+ tr = iter->tr;
+- trace_array_put(tr);
+
+ mutex_lock(&trace_types_lock);
+
+@@ -2971,6 +2970,9 @@ static int tracing_release(struct inode
+ if (!iter->snapshot)
+ /* reenable tracing if it was previously enabled */
+ tracing_start_tr(tr);
++
++ __trace_array_put(tr);
++
+ mutex_unlock(&trace_types_lock);
+
+ mutex_destroy(&iter->mutex);
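Review bot: Nothing at the new call site says why the `__`-prefixed put is used here or why the put moved from the top of the function to the end of the locked region. A one-line comment would record both: `/* drop the ref last: tr is still used by tracing_start_tr() above; trace_types_lock is held */`. tracing_release() begins in the previous hunk and continues past this one.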
+@@ -3395,6 +3397,7 @@ tracing_trace_options_write(struct file
+ static int tracing_trace_options_open(struct inode *inode, struct file *file)
+ {
+ struct trace_array *tr = inode->i_private;
++ int ret;
+
+ if (tracing_disabled)
+ return -ENODEV;
+@@ -3402,7 +3405,11 @@ static int tracing_trace_options_open(st
+ if (trace_array_get(tr) < 0)
+ return -ENODEV;
+
+- return single_open(file, tracing_trace_options_show, inode->i_private);
++ ret = single_open(file, tracing_trace_options_show, inode->i_private);
++ if (ret < 0)
++ trace_array_put(tr);
++
++ return ret;
+ }
+
+ static const struct file_operations tracing_iter_fops = {
+@@ -3906,6 +3913,7 @@ static int tracing_open_pipe(struct inod
+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
+ if (!iter) {
+ ret = -ENOMEM;
++ __trace_array_put(tr);
+ goto out;
+ }
+
+@@ -4652,21 +4660,24 @@ static int tracing_snapshot_open(struct
+ ret = PTR_ERR(iter);
+ } else {
+ /* Writes still need the seq_file to hold the private data */
++ ret = -ENOMEM;
+ m = kzalloc(sizeof(*m), GFP_KERNEL);
+ if (!m)
+- return -ENOMEM;
++ goto out;
+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
+ if (!iter) {
+ kfree(m);
+- return -ENOMEM;
++ goto out;
+ }
++ ret = 0;
++
+ iter->tr = tr;
+ iter->trace_buffer = &tc->tr->max_buffer;
+ iter->cpu_file = tc->cpu;
+ m->private = iter;
+ file->private_data = m;
+ }
+-
++out:
+ if (ret < 0)
+ trace_array_put(tr);
+
+@@ -5276,9 +5287,10 @@ tracing_stats_read(struct file *filp, ch
+ }
+
+ static const struct file_operations tracing_stats_fops = {
+- .open = tracing_open_generic,
++ .open = tracing_open_generic_tc,
+ .read = tracing_stats_read,
+ .llseek = generic_file_llseek,
++ .release = tracing_release_generic_tc,
+ };
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -1221,6 +1221,7 @@ show_header(struct file *filp, char __us
+
+ static int ftrace_event_avail_open(struct inode *inode, struct file *file);
+ static int ftrace_event_set_open(struct inode *inode, struct file *file);
++static int ftrace_event_release(struct inode *inode, struct file *file);
+
+ static const struct seq_operations show_event_seq_ops = {
+ .start = t_start,
+@@ -1248,7 +1249,7 @@ static const struct file_operations ftra
+ .read = seq_read,
+ .write = ftrace_event_write,
+ .llseek = seq_lseek,
+- .release = seq_release,
++ .release = ftrace_event_release,
+ };
+
+ static const struct file_operations ftrace_enable_fops = {
+@@ -1326,6 +1327,15 @@ ftrace_event_open(struct inode *inode, s
+ return ret;
+ }
+
++static int ftrace_event_release(struct inode *inode, struct file *file)
++{
++ struct trace_array *tr = inode->i_private;
++
++ trace_array_put(tr);
++
++ return seq_release(inode, file);
++}
++
+ static int
+ ftrace_event_avail_open(struct inode *inode, struct file *file)
+ {
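Review bot: `ftrace_event_release()` drops a trace_array reference unconditionally, so it is only correct as `.release` for a file_operations whose `.open` took that reference, and the function carries no comment saying which open it pairs with. Suggest adding `/* Pairs with trace_array_get() in ftrace_event_set_open() */` above it. Any other file_operations in this file that later adopts this release handler with a different open would underflow the count, which is the kind of imbalance this series is fixing.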
+@@ -1339,12 +1349,19 @@ ftrace_event_set_open(struct inode *inod
+ {
+ const struct seq_operations *seq_ops = &show_set_event_seq_ops;
+ struct trace_array *tr = inode->i_private;
++ int ret;
++
++ if (trace_array_get(tr) < 0)
++ return -ENODEV;
+
+ if ((file->f_mode & FMODE_WRITE) &&
+ (file->f_flags & O_TRUNC))
+ ftrace_clear_events(tr);
+
+- return ftrace_event_open(inode, file, seq_ops);
++ ret = ftrace_event_open(inode, file, seq_ops);
++ if (ret < 0)
++ trace_array_put(tr);
++ return ret;
+ }
+
+ static struct event_subsystem *
--- /dev/null
+From 09d8091c024ec88d1541d93eb8ddb2bd5cf10c39 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Tue, 23 Jul 2013 22:21:59 -0400
+Subject: tracing: Remove locking trace_types_lock from tracing_reset_all_online_cpus()
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 09d8091c024ec88d1541d93eb8ddb2bd5cf10c39 upstream.
+
+Commit a82274151af "tracing: Protect ftrace_trace_arrays list in trace_events.c"
+added taking the trace_types_lock mutex in trace_events.c as there were
+several locations that needed it for protection. Unfortunately, it also
+encapsulated a call to tracing_reset_all_online_cpus() which also takes
+the trace_types_lock, causing a deadlock.
+
+This happens when a module has tracepoints and has been traced. When the
+module is removed, the trace events module notifier will grab the
+trace_types_lock, do a bunch of clean ups, and also clears the buffer
+by calling tracing_reset_all_online_cpus. This doesn't happen often
+which explains why it wasn't caught right away.
+
+Commit a82274151af was marked for stable, which means this must be
+sent to stable too.
+
+Link: http://lkml.kernel.org/r/51EEC646.7070306@broadcom.com
+
+Reported-by: Arend van Spril <arend@broadcom.com>
+Tested-by: Arend van Spriel <arend@broadcom.com>
+Cc: Alexander Z Lam <azl@google.com>
+Cc: Vaibhav Nagarnaik <vnagarnaik@google.com>
+Cc: David Sharp <dhsharp@google.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1163,18 +1163,17 @@ void tracing_reset_current(int cpu)
+ tracing_reset(&global_trace.trace_buffer, cpu);
+ }
+
++/* Must have trace_types_lock held */
+ void tracing_reset_all_online_cpus(void)
+ {
+ struct trace_array *tr;
+
+- mutex_lock(&trace_types_lock);
+ list_for_each_entry(tr, &ftrace_trace_arrays, list) {
+ tracing_reset_online_cpus(&tr->trace_buffer);
+ #ifdef CONFIG_TRACER_MAX_TRACE
+ tracing_reset_online_cpus(&tr->max_buffer);
+ #endif
+ }
+- mutex_unlock(&trace_types_lock);
+ }
+
+ #define SAVED_CMDLINES 128
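Review bot: The locking requirement is now carried only by the comment `/* Must have trace_types_lock held */`, so a caller that reaches the `ftrace_trace_arrays` walk without the mutex would go unnoticed. Adding `lockdep_assert_held(&trace_types_lock);` as the first statement of the function turns the comment into a check on lockdep-enabled builds. The callers are outside this diff, so each one should be confirmed to take the mutex now that the function no longer does.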
--- /dev/null
+From 2c7b871b9102c497ba8f972aa5d38532f05b654d Mon Sep 17 00:00:00 2001
+From: William Gulland <wgulland@google.com>
+Date: Thu, 27 Jun 2013 16:10:20 -0700
+Subject: usb: Clear both buffers when clearing a control transfer TT buffer.
+
+From: William Gulland <wgulland@google.com>
+
+commit 2c7b871b9102c497ba8f972aa5d38532f05b654d upstream.
+
+Control transfers have both IN and OUT (or SETUP) packets, so when
+clearing TT buffers for a control transfer it's necessary to send
+two HUB_CLEAR_TT_BUFFER requests to the hub.
+
+Signed-off-by: William Gulland <wgulland@google.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -668,6 +668,15 @@ resubmit:
+ static inline int
+ hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt)
+ {
++ /* Need to clear both directions for control ep */
++ if (((devinfo >> 11) & USB_ENDPOINT_XFERTYPE_MASK) ==
++ USB_ENDPOINT_XFER_CONTROL) {
++ int status = usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0),
++ HUB_CLEAR_TT_BUFFER, USB_RT_PORT,
++ devinfo ^ 0x8000, tt, NULL, 0, 1000);
++ if (status)
++ return status;
++ }
+ return usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0),
+ HUB_CLEAR_TT_BUFFER, USB_RT_PORT, devinfo,
+ tt, NULL, 0, 1000);
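Review bot: The new branch decodes `devinfo` with bare constants, `>> 11` to reach the endpoint type and `^ 0x8000` to flip the direction bit, and the field layout is not described anywhere in the hunk. The existing comment could be extended to say so, e.g. `/* devinfo: bit 15 = direction, bits 12:11 = endpoint type; control endpoints need both directions cleared */`, after checking the bit positions against where `devinfo` is built. The closing brace of hub_clear_tt_buffer() is outside the hunk.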
--- /dev/null
+From 315955d707b50c8aad20a32ec0dd4c9fe243cabe Mon Sep 17 00:00:00 2001
+From: Ruchika Kharwar <ruchika@ti.com>
+Date: Thu, 4 Jul 2013 00:59:34 -0500
+Subject: usb: dwc3: fix the error returned with usb3_phy failure
+
+From: Ruchika Kharwar <ruchika@ti.com>
+
+commit 315955d707b50c8aad20a32ec0dd4c9fe243cabe upstream.
+
+When there is an error with the usb3_phy probe or absence, the error returned
+is erroneously for usb2_phy.
+
+Signed-off-by: Ruchika Kharwar <ruchika@ti.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -450,7 +450,7 @@ static int dwc3_probe(struct platform_de
+ }
+
+ if (IS_ERR(dwc->usb3_phy)) {
+- ret = PTR_ERR(dwc->usb2_phy);
++ ret = PTR_ERR(dwc->usb3_phy);
+
+ /*
+ * if -ENXIO is returned, it means PHY layer wasn't
--- /dev/null
+From 1974d494dea05ea227cb42f5e918828801e237aa Mon Sep 17 00:00:00 2001
+From: Huang Rui <ray.huang@amd.com>
+Date: Thu, 27 Jun 2013 01:08:11 +0800
+Subject: usb: dwc3: fix wrong bit mask in dwc3_event_type
+
+From: Huang Rui <ray.huang@amd.com>
+
+commit 1974d494dea05ea227cb42f5e918828801e237aa upstream.
+
+Per dwc3 2.50a spec, the is_devspec bit is used to distinguish the
+Device Endpoint-Specific Event or Device-Specific Event (DEVT). If the
+bit is 1, the event is represented Device-Specific Event, then use
+[7:1] bits as Device Specific Event to marked the type. It has 7 bits,
+and we can see the reserved8_31 variable name which means from 8 to 31
+bits marked reserved, actually there are 24 bits not 25 bits between
+that. And 1 + 7 + 24 = 32, the event size is 4 bytes.
+
+So in dwc3_event_type, the bit mask should be:
+is_devspec [0] 1 bit
+type [7:1] 7 bits
+reserved8_31 [31:8] 24 bits
+
+This patch should be backported to kernels as old as 3.2, that contain
+the commit 72246da40f3719af3bfd104a2365b32537c27d83 "usb: Introduce
+DesignWare USB3 DRD Driver".
+
+Signed-off-by: Huang Rui <ray.huang@amd.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -759,8 +759,8 @@ struct dwc3 {
+
+ struct dwc3_event_type {
+ u32 is_devspec:1;
+- u32 type:6;
+- u32 reserved8_31:25;
++ u32 type:7;
++ u32 reserved8_31:24;
+ } __packed;
+
+ #define DWC3_DEPEVT_XFERCOMPLETE 0x01
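Review bot: The field widths are the whole fix, yet the struct has no comments tying them to bit positions, so the next reader has to recount them the way the commit message does. Trailing comments taken from that message would do: `u32 is_devspec:1; /* bit 0 */`, `u32 type:7; /* bits 7:1 */`, `u32 reserved8_31:24; /* bits 31:8 */`. A `BUILD_BUG_ON(sizeof(struct dwc3_event_type) != sizeof(u32));` in one of the driver's init paths would also catch widths that no longer add up to 32.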
--- /dev/null
+From cdcedd6981194e511cc206887db661d016069d68 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Mon, 15 Jul 2013 12:36:35 +0300
+Subject: usb: dwc3: gadget: don't prevent gadget from being probed if we fail
+
+From: Felipe Balbi <balbi@ti.com>
+
+commit cdcedd6981194e511cc206887db661d016069d68 upstream.
+
+In case we fail our ->udc_start() callback, we
+should be ready to accept another modprobe following
+the failed one.
+
+We had forgotten to clear dwc->gadget_driver back
+to NULL and, because of that, we were preventing
+gadget driver modprobe from being retried.
+
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1584,6 +1584,7 @@ err1:
+ __dwc3_gadget_ep_disable(dwc->eps[0]);
+
+ err0:
++ dwc->gadget_driver = NULL;
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+ return ret;
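Review bot: `dwc->gadget_driver = NULL` sits under `err0`, so it runs for every path that jumps there, not only for failures that occur after this call assigned the pointer. If the function has an "already bound" check that exits through `err0` (the top of the function is outside the hunk), a rejected second bind would clear the pointer of the driver that is legitimately bound. Putting the reset under its own label between `err1` and `err0`, so that only paths after the assignment reach it, avoids that.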
--- /dev/null
+From 47a64a13d54f6c669b00542848d5550be3d3310e Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Tue, 9 Jul 2013 17:03:50 +0300
+Subject: USB: EHCI: Fix resume signalling on remote wakeup
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 47a64a13d54f6c669b00542848d5550be3d3310e upstream.
+
+Set the ehci->resuming flag for the port we receive a remote
+wakeup on so that resume signalling can be completed.
+
+Without this, the root hub timer will not fire again to check
+if the resume was completed and there will be a never-ending wait on
+the port.
+
+This effect is only observed if the HUB IRQ IN does not come after we
+have initiated the port resume.
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-hub.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/ehci-hub.c
++++ b/drivers/usb/host/ehci-hub.c
+@@ -858,6 +858,7 @@ static int ehci_hub_control (
+ ehci->reset_done[wIndex] = jiffies
+ + msecs_to_jiffies(20);
+ usb_hcd_start_port_resume(&hcd->self, wIndex);
++ set_bit(wIndex, &ehci->resuming_ports);
+ /* check the port again */
+ mod_timer(&ehci_to_hcd(ehci)->rh_timer,
+ ehci->reset_done[wIndex]);
--- /dev/null
+From e583d9db9960cf40e0bc8afee4946baa9d71596e Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 11 Jul 2013 14:58:04 -0400
+Subject: USB: global suspend and remote wakeup don't mix
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit e583d9db9960cf40e0bc8afee4946baa9d71596e upstream.
+
+The hub driver was recently changed to use "global" suspend for system
+suspend transitions on non-SuperSpeed buses. This means that we don't
+suspend devices individually by setting the suspend feature on the
+upstream hub port; instead devices all go into suspend automatically
+when the root hub stops transmitting packets. The idea was to save
+time and to avoid certain kinds of wakeup races.
+
+Now it turns out that many hubs are buggy; they don't relay wakeup
+requests from a downstream port to their upstream port if the
+downstream port's suspend feature is not set (depending on the speed
+of the downstream port, whether or not the hub is enabled for remote
+wakeup, and possibly other factors).
+
+We can't have hubs dropping wakeup requests. Therefore this patch
+goes partway back to the old policy: It sets the suspend feature for a
+port if the device attached to that port or any of its descendants is
+enabled for wakeup. People will still be able to benefit from the
+time savings if they don't care about wakeup and leave it disabled on
+all their devices.
+
+In order to accomplish this, the patch adds a new field to the usb_hub
+structure: wakeup_enabled_descendants is a count of how many devices
+below a suspended hub are enabled for remote wakeup. A corresponding
+new subroutine determines the number of wakeup-enabled devices at or
+below an arbitrary suspended USB device.
+
+This should be applied to the 3.10 stable kernel.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 39 +++++++++++++++++++++++++++++++--------
+ drivers/usb/core/hub.h | 3 +++
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2855,6 +2855,15 @@ static int usb_disable_function_remotewa
+ USB_CTRL_SET_TIMEOUT);
+ }
+
++/* Count of wakeup-enabled devices at or below udev */
++static unsigned wakeup_enabled_descendants(struct usb_device *udev)
++{
++ struct usb_hub *hub = usb_hub_to_struct_hub(udev);
++
++ return udev->do_remote_wakeup +
++ (hub ? hub->wakeup_enabled_descendants : 0);
++}
++
+ /*
+ * usb_port_suspend - suspend a usb device's upstream port
+ * @udev: device that's no longer in active use, not a root hub
+@@ -2895,8 +2904,8 @@ static int usb_disable_function_remotewa
+ * Linux (2.6) currently has NO mechanisms to initiate that: no khubd
+ * timer, no SRP, no requests through sysfs.
+ *
+- * If Runtime PM isn't enabled or used, non-SuperSpeed devices really get
+- * suspended only when their bus goes into global suspend (i.e., the root
++ * If Runtime PM isn't enabled or used, non-SuperSpeed devices may not get
++ * suspended until their bus goes into global suspend (i.e., the root
+ * hub is suspended). Nevertheless, we change @udev->state to
+ * USB_STATE_SUSPENDED as this is the device's "logical" state. The actual
+ * upstream port setting is stored in @udev->port_is_suspended.
+@@ -2967,15 +2976,21 @@ int usb_port_suspend(struct usb_device *
+ /* see 7.1.7.6 */
+ if (hub_is_superspeed(hub->hdev))
+ status = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_U3);
+- else if (PMSG_IS_AUTO(msg))
+- status = set_port_feature(hub->hdev, port1,
+- USB_PORT_FEAT_SUSPEND);
++
+ /*
+ * For system suspend, we do not need to enable the suspend feature
+ * on individual USB-2 ports. The devices will automatically go
+ * into suspend a few ms after the root hub stops sending packets.
+ * The USB 2.0 spec calls this "global suspend".
++ *
++ * However, many USB hubs have a bug: They don't relay wakeup requests
++ * from a downstream port if the port's suspend feature isn't on.
++ * Therefore we will turn on the suspend feature if udev or any of its
++ * descendants is enabled for remote wakeup.
+ */
++ else if (PMSG_IS_AUTO(msg) || wakeup_enabled_descendants(udev) > 0)
++ status = set_port_feature(hub->hdev, port1,
++ USB_PORT_FEAT_SUSPEND);
+ else {
+ really_suspend = false;
+ status = 0;
+@@ -3010,15 +3025,16 @@ int usb_port_suspend(struct usb_device *
+ if (!PMSG_IS_AUTO(msg))
+ status = 0;
+ } else {
+- /* device has up to 10 msec to fully suspend */
+ dev_dbg(&udev->dev, "usb %ssuspend, wakeup %d\n",
+ (PMSG_IS_AUTO(msg) ? "auto-" : ""),
+ udev->do_remote_wakeup);
+- usb_set_device_state(udev, USB_STATE_SUSPENDED);
+ if (really_suspend) {
+ udev->port_is_suspended = 1;
++
++ /* device has up to 10 msec to fully suspend */
+ msleep(10);
+ }
++ usb_set_device_state(udev, USB_STATE_SUSPENDED);
+ }
+
+ /*
+@@ -3300,7 +3316,11 @@ static int hub_suspend(struct usb_interf
+ unsigned port1;
+ int status;
+
+- /* Warn if children aren't already suspended */
++ /*
++ * Warn if children aren't already suspended.
++ * Also, add up the number of wakeup-enabled descendants.
++ */
++ hub->wakeup_enabled_descendants = 0;
+ for (port1 = 1; port1 <= hdev->maxchild; port1++) {
+ struct usb_device *udev;
+
+@@ -3310,6 +3330,9 @@ static int hub_suspend(struct usb_interf
+ if (PMSG_IS_AUTO(msg))
+ return -EBUSY;
+ }
++ if (udev)
++ hub->wakeup_enabled_descendants +=
++ wakeup_enabled_descendants(udev);
+ }
+
+ if (hdev->do_remote_wakeup && hub->quirk_check_port_auto_suspend) {
+--- a/drivers/usb/core/hub.h
++++ b/drivers/usb/core/hub.h
+@@ -59,6 +59,9 @@ struct usb_hub {
+ struct usb_tt tt; /* Transaction Translator */
+
+ unsigned mA_per_port; /* current for each child */
++#ifdef CONFIG_PM
++ unsigned wakeup_enabled_descendants;
++#endif
+
+ unsigned limited_power:1;
+ unsigned quiescing:1;
--- /dev/null
+From 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 Mon Sep 17 00:00:00 2001
+From: George Cherian <george.cherian@ti.com>
+Date: Mon, 1 Jul 2013 10:59:12 +0530
+Subject: usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0
+
+From: George Cherian <george.cherian@ti.com>
+
+commit 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 upstream.
+
+Xhci controllers with hci_version > 0.96 gives spurious success
+events on short packet completion. During webcam capture the
+"ERROR Transfer event TRB DMA ptr not part of current TD" was observed.
+The same application works fine with synopsis controllers hci_version 0.96.
+The same issue is seen with Intel Pantherpoint xhci controller. So enabling
+this quirk in xhci_gen_setup if controller version is greater than 0.96.
+For xhci-pci move the quirk to much generic place xhci_gen_setup.
+
+Note from Sarah:
+
+The xHCI 1.0 spec changed how hardware handles short packets. The HW
+will notify SW of the TRB where the short packet occurred, and it will
+also give a successful status for the last TRB in a TD (the one with the
+IOC flag set). On the second successful status, that warning will be
+triggered in the driver.
+
+Software is now supposed to not assume the TD is not completed until it
+gets that last successful status. That means we have a slight race
+condition, although it should have little practical impact. This patch
+papers over that issue.
+
+It's on my long-term to-do list to fix this race condition, but it is a
+much more involved patch that will probably be too big for stable. This
+patch is needed for stable to avoid serious log spam.
+
+This patch should be backported to kernels as old as 3.0, that
+contain the commit ad808333d8201d53075a11bc8dd83b81f3d68f0b "Intel xhci:
+Ignore spurious successful event."
+
+The patch will have to be modified for kernels older than 3.2, since
+that kernel added the xhci_gen_setup function for xhci platform devices.
+The correct conflict resolution for kernels older than 3.2 is to set
+XHCI_SPURIOUS_SUCCESS in xhci_pci_quirks for all xHCI 1.0 hosts.
+
+Signed-off-by: George Cherian <george.cherian@ti.com>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 1 -
+ drivers/usb/host/xhci.c | 7 +++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -93,7 +93,6 @@ static void xhci_pci_quirks(struct devic
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ pdev->device == PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) {
+- xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
+ xhci->quirks |= XHCI_EP_LIMIT_QUIRK;
+ xhci->limit_active_eps = 64;
+ xhci->quirks |= XHCI_SW_BW_CHECKING;
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4697,6 +4697,13 @@ int xhci_gen_setup(struct usb_hcd *hcd,
+
+ get_quirks(dev, xhci);
+
++ /* In xhci controllers which follow xhci 1.0 spec gives a spurious
++ * success event after a short transfer. This quirk will ignore such
++ * spurious event.
++ */
++ if (xhci->hci_version > 0x96)
++ xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
++
+ /* Make sure the HC is halted. */
+ retval = xhci_halt(xhci);
+ if (retval)
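Review bot: The comment added above the `xhci->hci_version > 0x96` check is hard to parse. It also omits what the commit message states: the quirk only suppresses the warning, and the underlying race remains. A clearer wording would be `/* xHCI 1.0 hosts send a second success event for the last TRB of a TD after a short transfer; ignore it (the TD-completion race itself is not fixed here). */`. The bare `0x96` would benefit from a short note that it encodes revision 0.96. xhci_gen_setup() continues outside this hunk.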
--- /dev/null
+From 58fc90db8261b571c026bb8bf23aad48a7233118 Mon Sep 17 00:00:00 2001
+From: Jóhann B. Guðmundsson <johannbg@fedoraproject.org>
+Date: Thu, 4 Jul 2013 21:47:52 +0000
+Subject: USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga
+
+From: Jóhann B. Guðmundsson <johannbg@fedoraproject.org>
+
+commit 58fc90db8261b571c026bb8bf23aad48a7233118 upstream.
+
+Signed-off-by: Jóhann B. Guðmundsson <johannbg@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3247,6 +3247,7 @@ static const struct usb_device_id sisusb
+ { USB_DEVICE(0x0711, 0x0903) },
+ { USB_DEVICE(0x0711, 0x0918) },
+ { USB_DEVICE(0x0711, 0x0920) },
++ { USB_DEVICE(0x0711, 0x0950) },
+ { USB_DEVICE(0x182d, 0x021c) },
+ { USB_DEVICE(0x182d, 0x0269) },
+ { }
--- /dev/null
+From 5f8a2e68b679b41cc8e9b642f2f5aa45dd678641 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Mon, 1 Jul 2013 14:03:33 +0200
+Subject: USB: mos7840: fix memory leak in open
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 5f8a2e68b679b41cc8e9b642f2f5aa45dd678641 upstream.
+
+Allocated urbs and buffers were never freed on errors in open.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7840.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -914,20 +914,20 @@ static int mos7840_open(struct tty_struc
+ status = mos7840_get_reg_sync(port, mos7840_port->SpRegOffset, &Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "Reading Spreg failed\n");
+- return -1;
++ goto err;
+ }
+ Data |= 0x80;
+ status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset, Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "writing Spreg failed\n");
+- return -1;
++ goto err;
+ }
+
+ Data &= ~0x80;
+ status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset, Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "writing Spreg failed\n");
+- return -1;
++ goto err;
+ }
+ /* End of block to be checked */
+
+@@ -936,7 +936,7 @@ static int mos7840_open(struct tty_struc
+ &Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "Reading Controlreg failed\n");
+- return -1;
++ goto err;
+ }
+ Data |= 0x08; /* Driver done bit */
+ Data |= 0x20; /* rx_disable */
+@@ -944,7 +944,7 @@ static int mos7840_open(struct tty_struc
+ mos7840_port->ControlRegOffset, Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "writing Controlreg failed\n");
+- return -1;
++ goto err;
+ }
+ /* do register settings here */
+ /* Set all regs to the device default values. */
+@@ -955,21 +955,21 @@ static int mos7840_open(struct tty_struc
+ status = mos7840_set_uart_reg(port, INTERRUPT_ENABLE_REGISTER, Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "disabling interrupts failed\n");
+- return -1;
++ goto err;
+ }
+ /* Set FIFO_CONTROL_REGISTER to the default value */
+ Data = 0x00;
+ status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER, Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "Writing FIFO_CONTROL_REGISTER failed\n");
+- return -1;
++ goto err;
+ }
+
+ Data = 0xcf;
+ status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER, Data);
+ if (status < 0) {
+ dev_dbg(&port->dev, "Writing FIFO_CONTROL_REGISTER failed\n");
+- return -1;
++ goto err;
+ }
+
+ Data = 0x03;
+@@ -1114,6 +1114,15 @@ static int mos7840_open(struct tty_struc
+ /* mos7840_change_port_settings(mos7840_port,old_termios); */
+
+ return 0;
++err:
++ for (j = 0; j < NUM_URBS; ++j) {
++ urb = mos7840_port->write_urb_pool[j];
++ if (!urb)
++ continue;
++ kfree(urb->transfer_buffer);
++ usb_free_urb(urb);
++ }
++ return status;
+ }
+
+ /*****************************************************************************
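Review bot: The new `err:` path frees each URB and its transfer buffer but leaves the freed pointers in `mos7840_port->write_urb_pool[]`. The close and release code is outside these hunks, so it is not confirmed here, but any path that walks the pool after a failed open would touch or free that memory a second time. Adding `mos7840_port->write_urb_pool[j] = NULL;` after `usb_free_urb(urb);` keeps the pool consistent at no cost.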
--- /dev/null
+From 1fad56424f5ad3ce4973505a357212b2e2282b3f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Fri, 28 Jun 2013 12:24:26 +0200
+Subject: USB: ti_usb_3410_5052: fix dynamic-id matching
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 1fad56424f5ad3ce4973505a357212b2e2282b3f upstream.
+
+The driver failed to take the dynamic ids into account when determining
+the device type and therefore all devices were detected as 2-port
+devices when using the dynamic-id interface.
+
+Match on the usb-serial-driver field instead of doing redundant id-table
+searches.
+
+Reported-by: Anders Hammarquist <iko@iko.pp.se>
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -371,7 +371,7 @@ static int ti_startup(struct usb_serial
+ usb_set_serial_data(serial, tdev);
+
+ /* determine device type */
+- if (usb_match_id(serial->interface, ti_id_table_3410))
++ if (serial->type == &ti_1port_device)
+ tdev->td_is_3410 = 1;
+ dev_dbg(&dev->dev, "%s - device type is %s\n", __func__,
+ tdev->td_is_3410 ? "3410" : "5052");
--- /dev/null
+From keescook@chromium.org Thu Aug 1 11:10:06 2013
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 15 Jul 2013 11:50:45 -0700
+Subject: x86: make sure IDT is page aligned
+To: linux-kernel@vger.kernel.org
+Cc: Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org, Yinghai Lu <yinghai@kernel.org>, Seiji Aguchi <seiji.aguchi@hds.com>, Fenghua Yu <fenghua.yu@intel.com>, PaX Team <pageexec@gmail.com>
+Message-ID: <20130715185045.GA24133@www.outflux.net>
+
+From: Kees Cook <keescook@chromium.org>
+
+based on 4df05f361937ee86e5a8c9ead8aeb6a19ea9b7d7 upstream.
+
+Since the IDT is referenced from a fixmap, make sure it is page aligned.
+This avoids the risk of the IDT ever being moved in the bss and having
+the mapping be offset, resulting in calling incorrect handlers. In the
+current upstream kernel this is not a manifested bug, but heavily patched
+kernels (such as those using the PaX patch series) did encounter this bug.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: PaX Team <pageexec@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Seiji Aguchi <seiji.aguchi@hds.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head_64.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/head_64.S
++++ b/arch/x86/kernel/head_64.S
+@@ -513,7 +513,7 @@ ENTRY(phys_base)
+ #include "../../x86/xen/xen-head.S"
+
+ .section .bss, "aw", @nobits
+- .align L1_CACHE_BYTES
++ .align PAGE_SIZE
+ ENTRY(idt_table)
+ .skip IDT_ENTRIES * 16
+
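Review bot: The change to `.align PAGE_SIZE` before `ENTRY(idt_table)` has no comment, so the reason for page alignment is recorded only in the commit message. Without it, the directive could later be switched back to cache-line alignment as a size cleanup. A one-line comment above it would record the constraint, for example `/* idt_table is referenced from a fixmap, so it must start on a page boundary */`.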
--- /dev/null
+From 5ff560fd48d5b3d82fa0c3aff625c9da1a301911 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+Date: Fri, 12 Jul 2013 16:48:12 -0700
+Subject: x86, suspend: Handle CPUs which fail to #GP on RDMSR
+
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+
+commit 5ff560fd48d5b3d82fa0c3aff625c9da1a301911 upstream.
+
+There are CPUs which have errata causing RDMSR of a nonexistent MSR to
+not fault. We would then try to WRMSR to restore the value of that
+MSR, causing a crash. Specifically, some Pentium M variants would
+have this problem trying to save and restore the non-existent EFER,
+causing a crash on resume.
+
+Work around this by making sure we can write back the result at
+suspend time.
+
+Huge thanks to Christian Sünkenberg for finding the offending erratum
+that finally deciphered the mystery.
+
+Reported-and-tested-by: Johan Heinrich <onny@project-insanity.org>
+Debugged-by: Christian Sünkenberg <christian.suenkenberg@student.kit.edu>
+Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
+Link: http://lkml.kernel.org/r/51DDC972.3010005@student.kit.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/acpi/sleep.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/acpi/sleep.c
++++ b/arch/x86/kernel/acpi/sleep.c
+@@ -48,9 +48,20 @@ int acpi_suspend_lowlevel(void)
+ #ifndef CONFIG_64BIT
+ native_store_gdt((struct desc_ptr *)&header->pmode_gdt);
+
++ /*
++ * We have to check that we can write back the value, and not
++ * just read it. At least on 90 nm Pentium M (Family 6, Model
++ * 13), reading an invalid MSR is not guaranteed to trap, see
++ * Erratum X4 in "Intel Pentium M Processor on 90 nm Process
++ * with 2-MB L2 Cache and Intel® Processor A100 and A110 on 90
++ * nm process with 512-KB L2 Cache Specification Update".
++ */
+ if (!rdmsr_safe(MSR_EFER,
+ &header->pmode_efer_low,
+- &header->pmode_efer_high))
++ &header->pmode_efer_high) &&
++ !wrmsr_safe(MSR_EFER,
++ header->pmode_efer_low,
++ header->pmode_efer_high))
+ header->pmode_behavior |= (1 << WAKEUP_BEHAVIOR_RESTORE_EFER);
+ #endif /* !CONFIG_64BIT */
+
+@@ -61,7 +72,10 @@ int acpi_suspend_lowlevel(void)
+ }
+ if (!rdmsr_safe(MSR_IA32_MISC_ENABLE,
+ &header->pmode_misc_en_low,
+- &header->pmode_misc_en_high))
++ &header->pmode_misc_en_high) &&
++ !wrmsr_safe(MSR_IA32_MISC_ENABLE,
++ header->pmode_misc_en_low,
++ header->pmode_misc_en_high))
+ header->pmode_behavior |=
+ (1 << WAKEUP_BEHAVIOR_RESTORE_MISC_ENABLE);
+ header->realmode_flags = acpi_realmode_flags;
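Review bot: The second `wrmsr_safe()` probe, for `MSR_IA32_MISC_ENABLE`, has no comment of its own. The explanation of the write-back check sits only above the `MSR_EFER` block, which is inside `#ifndef CONFIG_64BIT`, so a reader of the 64-bit path sees an unexplained write to a live MSR. A short note would help, for example `/* Write-back probe, as for EFER above: only restore an MSR that can actually be written. */`. acpi_suspend_lowlevel() starts and ends outside these hunks.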
--- /dev/null
+From 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 16 Jan 2013 11:33:52 -0500
+Subject: xen/blkback: Check device permissions before allowing OP_DISCARD
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 upstream.
+
+We need to make sure that the device is not RO or that
+the request is not past the number of sectors we want to
+issue the DISCARD operation for.
+
+This fixes CVE-2013-2140.
+
+Acked-by: Jan Beulich <JBeulich@suse.com>
+Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
+[v1: Made it pr_warn instead of pr_debug]
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -647,7 +647,18 @@ static int dispatch_discard_io(struct xe
+ int status = BLKIF_RSP_OKAY;
+ struct block_device *bdev = blkif->vbd.bdev;
+ unsigned long secure;
++ struct phys_req preq;
+
++ preq.sector_number = req->u.discard.sector_number;
++ preq.nr_sects = req->u.discard.nr_sectors;
++
++ err = xen_vbd_translate(&preq, blkif, WRITE);
++ if (err) {
++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
++ preq.sector_number,
++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
++ goto fail_response;
++ }
+ blkif->st_ds_req++;
+
+ xen_blkif_get(blkif);
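Review bot: The new `goto fail_response` jumps past `xen_blkif_get(blkif)`, so the denied path reaches the shared tail of dispatch_discard_io() without holding a reference. That tail is outside the hunk; if it drops the reference after sending the response, every rejected DISCARD unbalances the refcount, and the guest controls how often that happens. Moving `xen_blkif_get(blkif);` above the `xen_vbd_translate()` call keeps both paths symmetric. The `pr_warn()` on the denied path is also guest-triggerable, so `pr_warn_ratelimited()` would stop a guest from flooding the backend's log.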
+@@ -658,7 +669,7 @@ static int dispatch_discard_io(struct xe
+ err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
+ req->u.discard.nr_sectors,
+ GFP_KERNEL, secure);
+-
++fail_response:
+ if (err == -EOPNOTSUPP) {
+ pr_debug(DRV_PFX "discard op failed, not supported\n");
+ status = BLKIF_RSP_EOPNOTSUPP;
--- /dev/null
+From 093b9c71b6e450e375f4646ba86faed0195ec7df Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Wed, 17 Jul 2013 08:09:37 +0100
+Subject: xen-netfront: pull on receive skb may need to happen earlier
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit 093b9c71b6e450e375f4646ba86faed0195ec7df upstream.
+
+Due to commit 3683243b ("xen-netfront: use __pskb_pull_tail to ensure
+linear area is big enough on RX") xennet_fill_frags() may end up
+filling MAX_SKB_FRAGS + 1 fragments in a receive skb, and only reduce
+the fragment count subsequently via __pskb_pull_tail(). That's a
+result of xennet_get_responses() allowing a maximum of one more slot to
+be consumed (and intermediately transformed into a fragment) if the
+head slot has a size less than or equal to RX_COPY_THRESHOLD.
+
+Hence we need to adjust xennet_fill_frags() to pull earlier if we
+reached the maximum fragment count - due to the described behavior of
+xennet_get_responses() this guarantees that at least the first fragment
+will get completely consumed, and hence the fragment count reduced.
+
+In order to not needlessly call __pskb_pull_tail() twice, make the
+original call conditional upon the pull target not having been reached
+yet, and defer the newly added one as much as possible (an alternative
+would have been to always call the function right before the call to
+xennet_fill_frags(), but that would imply more frequent cases of
+needing to call it twice).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Wei Liu <wei.liu2@citrix.com>
+Cc: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c | 31 +++++++++++++------------------
+ 1 file changed, 13 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -276,8 +276,7 @@ no_skb:
+ break;
+ }
+
+- __skb_fill_page_desc(skb, 0, page, 0, 0);
+- skb_shinfo(skb)->nr_frags = 1;
++ skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
+ __skb_queue_tail(&np->rx_batch, skb);
+ }
+
+@@ -822,7 +821,6 @@ static RING_IDX xennet_fill_frags(struct
+ struct sk_buff_head *list)
+ {
+ struct skb_shared_info *shinfo = skb_shinfo(skb);
+- int nr_frags = shinfo->nr_frags;
+ RING_IDX cons = np->rx.rsp_cons;
+ struct sk_buff *nskb;
+
+@@ -831,19 +829,21 @@ static RING_IDX xennet_fill_frags(struct
+ RING_GET_RESPONSE(&np->rx, ++cons);
+ skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
+
+- __skb_fill_page_desc(skb, nr_frags,
+- skb_frag_page(nfrag),
+- rx->offset, rx->status);
++ if (shinfo->nr_frags == MAX_SKB_FRAGS) {
++ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+
+- skb->data_len += rx->status;
++ BUG_ON(pull_to <= skb_headlen(skb));
++ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
++ }
++ BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
++
++ skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
++ rx->offset, rx->status, PAGE_SIZE);
+
+ skb_shinfo(nskb)->nr_frags = 0;
+ kfree_skb(nskb);
+-
+- nr_frags++;
+ }
+
+- shinfo->nr_frags = nr_frags;
+ return cons;
+ }
+
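Review bot: The two added `BUG_ON()` checks in xennet_fill_frags() turn a fragment-count or pull-length mismatch into a crash of the whole guest. Both conditions depend on what xennet_get_responses() accepted from the backend's ring, and that function is outside this hunk. A misbehaving backend, or a later change to the slot limit, would therefore take the frontend down instead of costing one packet. Consider handling `shinfo->nr_frags >= MAX_SKB_FRAGS` by freeing `nskb` and returning a value the caller treats as a dropped packet, keeping at most a `WARN_ON_ONCE()`. The caller would need a matching check, so this is more than a local edit.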
+@@ -929,7 +929,8 @@ static int handle_incoming_queue(struct
+ while ((skb = __skb_dequeue(rxq)) != NULL) {
+ int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+
+- __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
++ if (pull_to > skb_headlen(skb))
++ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+
+ /* Ethernet work: Delayed to here as it peeks the header. */
+ skb->protocol = eth_type_trans(skb, dev);
+@@ -1015,16 +1016,10 @@ err:
+ skb_shinfo(skb)->frags[0].page_offset = rx->offset;
+ skb_frag_size_set(&skb_shinfo(skb)->frags[0], rx->status);
+ skb->data_len = rx->status;
++ skb->len += rx->status;
+
+ i = xennet_fill_frags(np, skb, &tmpq);
+
+- /*
+- * Truesize is the actual allocation size, even if the
+- * allocation is only partially used.
+- */
+- skb->truesize += PAGE_SIZE * skb_shinfo(skb)->nr_frags;
+- skb->len += skb->data_len;
+-
+ if (rx->flags & XEN_NETRXF_csum_blank)
+ skb->ip_summed = CHECKSUM_PARTIAL;
+ else if (rx->flags & XEN_NETRXF_data_validated)
--- /dev/null
+From 203a86613fb3bf2767335659513fa98563a3eb71 Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Wed, 24 Jul 2013 10:27:13 -0700
+Subject: xhci: Avoid NULL pointer deref when host dies.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit 203a86613fb3bf2767335659513fa98563a3eb71 upstream.
+
+When the host controller fails to respond to an Enable Slot command, and
+the host fails to respond to the register write to abort the command
+ring, the xHCI driver will assume the host is dead, and call
+usb_hc_died().
+
+The USB device's slot_id is still set to zero, and the pointer stored at
+xhci->devs[0] will always be NULL. The call to xhci_check_args in
+xhci_free_dev should have caught the NULL virt_dev pointer.
+
+However, xhci_free_dev is designed to free the xhci_virt_device
+structures, even if the host is dead, so that we don't leak kernel
+memory. xhci_free_dev checks the return value from the generic
+xhci_check_args function. If the return value is -ENODEV, it carries on
+trying to free the virtual device.
+
+The issue is that xhci_check_args looks at the host controller state
+before it looks at the xhci_virt_device pointer. It will return -ENIVAL
+because the host is dead, and xhci_free_dev will ignore the return
+value, and happily dereference the NULL xhci_virt_device pointer.
+
+The fix is to make sure that xhci_check_args checks the xhci_virt_device
+pointer before it checks the host state.
+
+See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for
+further details. This patch doesn't solve the underlying issue, but
+will ensure we don't see any more NULL pointer dereferences because of
+the issue.
+
+This patch should be backported to kernels as old as 3.1, that
+contain the commit 7bd89b4017f46a9b92853940fd9771319acb578a "xhci: Don't
+submit commands or URBs to halted hosts."
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Reported-by: Vincent Thiele <vincentthiele@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1171,9 +1171,6 @@ static int xhci_check_args(struct usb_hc
+ }
+
+ xhci = hcd_to_xhci(hcd);
+- if (xhci->xhc_state & XHCI_STATE_HALTED)
+- return -ENODEV;
+-
+ if (check_virt_dev) {
+ if (!udev->slot_id || !xhci->devs[udev->slot_id]) {
+ printk(KERN_DEBUG "xHCI %s called with unaddressed "
+@@ -1189,6 +1186,9 @@ static int xhci_check_args(struct usb_hc
+ }
+ }
+
++ if (xhci->xhc_state & XHCI_STATE_HALTED)
++ return -ENODEV;
++
+ return 1;
+ }
+
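Review bot: The moved `XHCI_STATE_HALTED` check now depends on its position after the `check_virt_dev` block, but nothing in the code says so. Per the commit message, xhci_free_dev() carries on when it gets -ENODEV, so the NULL `xhci->devs[udev->slot_id]` case must be rejected first. A comment above the check would prevent a later cleanup from moving it back, for example `/* Must come after the virt_dev checks: callers that proceed on -ENODEV rely on a valid virt_dev. */`. The start of xhci_check_args() is outside these hunks.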
--- /dev/null
+From d66eaf9f89502971fddcb0de550b01fa6f409d83 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <linux@rempel-privat.de>
+Date: Sun, 21 Jul 2013 15:36:19 +0200
+Subject: xhci: fix null pointer dereference on ring_doorbell_for_active_rings
+
+From: Oleksij Rempel <linux@rempel-privat.de>
+
+commit d66eaf9f89502971fddcb0de550b01fa6f409d83 upstream.
+
+in some cases where device is attched to xhci port and do not responding,
+for example ath9k_htc with stalled firmware, kernel will
+crash on ring_doorbell_for_active_rings.
+This patch check if pointer exist before it is used.
+
+This patch should be backported to kernels as old as 2.6.35, that
+contain the commit e9df17eb1408cfafa3d1844bfc7f22c7237b31b8 "USB: xhci:
+Correct assumptions about number of rings per endpoint"
+
+Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -434,7 +434,7 @@ static void ring_doorbell_for_active_rin
+
+ /* A ring has pending URBs if its TD list is not empty */
+ if (!(ep->ep_state & EP_HAS_STREAMS)) {
+- if (!(list_empty(&ep->ring->td_list)))
++ if (ep->ring && !(list_empty(&ep->ring->td_list)))
+ xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0);
+ return;
+ }