--- /dev/null
+From b54629e226d196e802abdd30c5e34f2a47cddcf2 Mon Sep 17 00:00:00 2001
+From: hahnjo <hahnjo@hahnjo.de>
+Date: Tue, 12 Nov 2013 18:19:24 +0100
+Subject: alx: Reset phy speed after resume
+
+From: hahnjo <hahnjo@hahnjo.de>
+
+commit b54629e226d196e802abdd30c5e34f2a47cddcf2 upstream.
+
+This fixes bug 62491 (https://bugzilla.kernel.org/show_bug.cgi?id=62491).
+After resuming some users got the following error flooding the kernel log:
+alx 0000:02:00.0: invalid PHY speed/duplex: 0xffff
+
+Signed-off-by: Jonas Hahnfeld <linux@hahnjo.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: hahnjo <linux@hahnjo.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/atheros/alx/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1389,6 +1389,9 @@ static int alx_resume(struct device *dev
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct alx_priv *alx = pci_get_drvdata(pdev);
++ struct alx_hw *hw = &alx->hw;
++
++ alx_reset_phy(hw);
+
+ if (!netif_running(alx->dev))
+ return 0;
--- /dev/null
+From 4577b014d1bc3db386da3246f625888fc48083a9 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fusionio.com>
+Date: Fri, 27 Sep 2013 09:33:09 -0400
+Subject: Btrfs: relocate csums properly with prealloc extents
+
+From: Josef Bacik <jbacik@fusionio.com>
+
+commit 4577b014d1bc3db386da3246f625888fc48083a9 upstream.
+
+A user reported a problem where they were getting csum errors when running a
+balance and running systemd's journal. This is because systemd is awesome and
+fallocate()'s its log space and writes into it. Unfortunately we assume that
+when we read in all the csums for an extent that they are sequential starting at
+the bytenr we care about. This obviously isn't the case for prealloc extents,
+where we could have written to the middle of the prealloc extent only, which
+means the csum would be for the bytenr in the middle of our range and not the
+front of our range. Fix this by offsetting the new bytenr we are logging to
+based on the original bytenr the csum was for. With this patch I no longer see
+the csum errors I was seeing. Thanks,
+
+Reported-by: Chris Murphy <lists@colorremedies.com>
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Chris Mason <chris.mason@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/relocation.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -4481,6 +4481,7 @@ int btrfs_reloc_clone_csums(struct inode
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+ int ret;
+ u64 disk_bytenr;
++ u64 new_bytenr;
+ LIST_HEAD(list);
+
+ ordered = btrfs_lookup_ordered_extent(inode, file_pos);
+@@ -4492,13 +4493,24 @@ int btrfs_reloc_clone_csums(struct inode
+ if (ret)
+ goto out;
+
+- disk_bytenr = ordered->start;
+ while (!list_empty(&list)) {
+ sums = list_entry(list.next, struct btrfs_ordered_sum, list);
+ list_del_init(&sums->list);
+
+- sums->bytenr = disk_bytenr;
+- disk_bytenr += sums->len;
++ /*
++ * We need to offset the new_bytenr based on where the csum is.
++ * We need to do this because we will read in entire prealloc
++ * extents but we may have written to say the middle of the
++ * prealloc extent, so we need to make sure the csum goes with
++ * the right disk offset.
++ *
++ * We can do this because the data reloc inode refers strictly
++ * to the on disk bytes, so we don't have to worry about
++ * disk_len vs real len like with real inodes since it's all
++ * disk length.
++ */
++ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
++ sums->bytenr = new_bytenr;
+
+ btrfs_add_ordered_sum(inode, ordered, sums);
+ }
--- /dev/null
+From 5d0f801a2ccec3b1fdabc3392c8d99ed0413d216 Mon Sep 17 00:00:00 2001
+From: Markus Pargmann <mpa@pengutronix.de>
+Date: Mon, 28 Oct 2013 09:54:40 +0100
+Subject: can: c_can: Fix RX message handling, handle lost message before EOB
+
+From: Markus Pargmann <mpa@pengutronix.de>
+
+commit 5d0f801a2ccec3b1fdabc3392c8d99ed0413d216 upstream.
+
+If we handle end of block messages with higher priority than a lost message,
+we can run into an endless interrupt loop.
+
+This is reproducable with a am335x processor and "cansequence -r" at 1Mbit.
+As soon as we loose a packet we can't escape from an interrupt loop.
+
+This patch fixes the problem by handling lost packets before EOB packets.
+
+Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/c_can/c_can.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -814,9 +814,6 @@ static int c_can_do_rx_poll(struct net_d
+ msg_ctrl_save = priv->read_reg(priv,
+ C_CAN_IFACE(MSGCTRL_REG, 0));
+
+- if (msg_ctrl_save & IF_MCONT_EOB)
+- return num_rx_pkts;
+-
+ if (msg_ctrl_save & IF_MCONT_MSGLST) {
+ c_can_handle_lost_msg_obj(dev, 0, msg_obj);
+ num_rx_pkts++;
+@@ -824,6 +821,9 @@ static int c_can_do_rx_poll(struct net_d
+ continue;
+ }
+
++ if (msg_ctrl_save & IF_MCONT_EOB)
++ return num_rx_pkts;
++
+ if (!(msg_ctrl_save & IF_MCONT_NEWDAT))
+ continue;
+
--- /dev/null
+From 714b33d15130cbb5ab426456d4e3de842d6c5b8a Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue, 17 Sep 2013 08:33:11 -0400
+Subject: crypto: ansi_cprng - Fix off by one error in non-block size request
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+commit 714b33d15130cbb5ab426456d4e3de842d6c5b8a upstream.
+
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Petr Matousek <pmatouse@redhat.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ */
+ if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+- ctx->rand_data_valid++) {
++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ *ptr = ctx->rand_data[ctx->rand_data_valid];
+ ptr++;
+ byte_count--;
++ ctx->rand_data_valid++;
+ if (byte_count == 0)
+ goto done;
+ }
--- /dev/null
+From f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 5 Nov 2013 19:36:27 +0800
+Subject: crypto: s390 - Fix aes-cbc IV corruption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea upstream.
+
+The cbc-aes-s390 algorithm incorrectly places the IV in the tfm
+data structure. As the tfm is shared between multiple threads,
+this introduces a possibility of data corruption.
+
+This patch fixes this by moving the parameter block containing
+the IV and key onto the stack (the block is 48 bytes long).
+
+The same bug exists elsewhere in the s390 crypto system and they
+will be fixed in subsequent patches.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/crypto/aes_s390.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -35,7 +35,6 @@ static u8 *ctrblk;
+ static char keylen_flag;
+
+ struct s390_aes_ctx {
+- u8 iv[AES_BLOCK_SIZE];
+ u8 key[AES_MAX_KEY_SIZE];
+ long enc;
+ long dec;
+@@ -441,30 +440,36 @@ static int cbc_aes_set_key(struct crypto
+ return aes_set_key(tfm, in_key, key_len);
+ }
+
+-static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, void *param,
++static int cbc_aes_crypt(struct blkcipher_desc *desc, long func,
+ struct blkcipher_walk *walk)
+ {
++ struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);
+ int ret = blkcipher_walk_virt(desc, walk);
+ unsigned int nbytes = walk->nbytes;
++ struct {
++ u8 iv[AES_BLOCK_SIZE];
++ u8 key[AES_MAX_KEY_SIZE];
++ } param;
+
+ if (!nbytes)
+ goto out;
+
+- memcpy(param, walk->iv, AES_BLOCK_SIZE);
++ memcpy(param.iv, walk->iv, AES_BLOCK_SIZE);
++ memcpy(param.key, sctx->key, sctx->key_len);
+ do {
+ /* only use complete blocks */
+ unsigned int n = nbytes & ~(AES_BLOCK_SIZE - 1);
+ u8 *out = walk->dst.virt.addr;
+ u8 *in = walk->src.virt.addr;
+
+- ret = crypt_s390_kmc(func, param, out, in, n);
++ ret = crypt_s390_kmc(func, ¶m, out, in, n);
+ if (ret < 0 || ret != n)
+ return -EIO;
+
+ nbytes &= AES_BLOCK_SIZE - 1;
+ ret = blkcipher_walk_done(desc, walk, nbytes);
+ } while ((nbytes = walk->nbytes));
+- memcpy(walk->iv, param, AES_BLOCK_SIZE);
++ memcpy(walk->iv, param.iv, AES_BLOCK_SIZE);
+
+ out:
+ return ret;
+@@ -481,7 +486,7 @@ static int cbc_aes_encrypt(struct blkcip
+ return fallback_blk_enc(desc, dst, src, nbytes);
+
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+- return cbc_aes_crypt(desc, sctx->enc, sctx->iv, &walk);
++ return cbc_aes_crypt(desc, sctx->enc, &walk);
+ }
+
+ static int cbc_aes_decrypt(struct blkcipher_desc *desc,
+@@ -495,7 +500,7 @@ static int cbc_aes_decrypt(struct blkcip
+ return fallback_blk_dec(desc, dst, src, nbytes);
+
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+- return cbc_aes_crypt(desc, sctx->dec, sctx->iv, &walk);
++ return cbc_aes_crypt(desc, sctx->dec, &walk);
+ }
+
+ static struct crypto_alg cbc_aes_alg = {
--- /dev/null
+From 13d2b35a065399fb447c84e80368927e5f8bf086 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 5 Nov 2013 09:28:26 +1000
+Subject: drm/nvc0-/gr: fix a number of missing explicit array terminators...
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 13d2b35a065399fb447c84e80368927e5f8bf086 upstream.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Cc: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c | 4 ++++
+ drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c | 1 +
+ drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c | 1 +
+ 3 files changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
++++ b/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
+@@ -587,6 +587,7 @@ nvc1_grctx_init_unk58xx[] = {
+ { 0x405870, 4, 0x04, 0x00000001 },
+ { 0x405a00, 2, 0x04, 0x00000000 },
+ { 0x405a18, 1, 0x04, 0x00000000 },
++ {}
+ };
+
+ static struct nvc0_graph_init
+@@ -598,6 +599,7 @@ nvc1_grctx_init_rop[] = {
+ { 0x408904, 1, 0x04, 0x62000001 },
+ { 0x408908, 1, 0x04, 0x00c80929 },
+ { 0x408980, 1, 0x04, 0x0000011d },
++ {}
+ };
+
+ static struct nvc0_graph_init
+@@ -671,6 +673,7 @@ nvc1_grctx_init_gpc_0[] = {
+ { 0x419000, 1, 0x04, 0x00000780 },
+ { 0x419004, 2, 0x04, 0x00000000 },
+ { 0x419014, 1, 0x04, 0x00000004 },
++ {}
+ };
+
+ static struct nvc0_graph_init
+@@ -717,6 +720,7 @@ nvc1_grctx_init_tpc[] = {
+ { 0x419e98, 1, 0x04, 0x00000000 },
+ { 0x419ee0, 1, 0x04, 0x00011110 },
+ { 0x419f30, 11, 0x04, 0x00000000 },
++ {}
+ };
+
+ void
+--- a/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
++++ b/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
+@@ -258,6 +258,7 @@ nvd7_grctx_init_hub[] = {
+ nvc0_grctx_init_unk78xx,
+ nvc0_grctx_init_unk80xx,
+ nvd9_grctx_init_rop,
++ NULL
+ };
+
+ struct nvc0_graph_init *
+--- a/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
++++ b/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
+@@ -466,6 +466,7 @@ nvd9_grctx_init_hub[] = {
+ nvc0_grctx_init_unk78xx,
+ nvc0_grctx_init_unk80xx,
+ nvd9_grctx_init_rop,
++ NULL
+ };
+
+ struct nvc0_graph_init *
--- /dev/null
+From 0a5a5499ad886dde4a032203d01e324cfe593f99 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Tue, 29 Oct 2013 18:20:58 +0100
+Subject: drm: shmobile: Add dependency on BACKLIGHT_CLASS_DEVICE
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit 0a5a5499ad886dde4a032203d01e324cfe593f99 upstream.
+
+The driver registers a backlight device and thus requires
+BACKLIGHT_CLASS_DEVICE to be selected to avoid compilation breakages.
+
+Reported-by: Russell King <linux@arm.linux.org.uk>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/shmobile/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/shmobile/Kconfig
++++ b/drivers/gpu/drm/shmobile/Kconfig
+@@ -1,6 +1,7 @@
+ config DRM_SHMOBILE
+ tristate "DRM Support for SH Mobile"
+ depends on DRM && (ARM || SUPERH)
++ select BACKLIGHT_CLASS_DEVICE
+ select DRM_KMS_HELPER
+ select DRM_KMS_CMA_HELPER
+ select DRM_GEM_CMA_HELPER
--- /dev/null
+From 3a72660b07d86d60457ca32080b1ce8c2b628ee2 Mon Sep 17 00:00:00 2001
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+Date: Thu, 21 Nov 2013 14:32:08 -0800
+Subject: ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
+
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+
+commit 3a72660b07d86d60457ca32080b1ce8c2b628ee2 upstream.
+
+Commit 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
+restructured the ipc shm to shorten critical region, but introduced a
+path where the return value could be -EPERM, even if the operation
+actually was performed.
+
+Before the commit, the err return value was reset by the return value
+from security_shm_shmctl() after the if (!ns_capable(...)) statement.
+
+Now, we still exit the if statement with err set to -EPERM, and in the
+case of SHM_UNLOCK, it is not reset at all, and used as the return value
+from shmctl.
+
+To fix this, we only set err when errors occur, leaving the fallthrough
+case alone.
+
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Cc: Davidlohr Bueso <davidlohr@hp.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/shm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -974,12 +974,15 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
+ ipc_lock_object(&shp->shm_perm);
+ if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
+ kuid_t euid = current_euid();
+- err = -EPERM;
+ if (!uid_eq(euid, shp->shm_perm.uid) &&
+- !uid_eq(euid, shp->shm_perm.cuid))
++ !uid_eq(euid, shp->shm_perm.cuid)) {
++ err = -EPERM;
+ goto out_unlock0;
+- if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK))
++ }
++ if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
++ err = -EPERM;
+ goto out_unlock0;
++ }
+ }
+
+ shm_file = shp->shm_file;
--- /dev/null
+From a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1 Mon Sep 17 00:00:00 2001
+From: Greg Thelen <gthelen@google.com>
+Date: Thu, 21 Nov 2013 14:32:00 -0800
+Subject: ipc,shm: fix shm_file deletion races
+
+From: Greg Thelen <gthelen@google.com>
+
+commit a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1 upstream.
+
+When IPC_RMID races with other shm operations there's potential for
+use-after-free of the shm object's associated file (shm_file).
+
+Here's the race before this patch:
+
+ TASK 1 TASK 2
+ ------ ------
+ shm_rmid()
+ ipc_lock_object()
+ shmctl()
+ shp = shm_obtain_object_check()
+
+ shm_destroy()
+ shum_unlock()
+ fput(shp->shm_file)
+ ipc_lock_object()
+ shmem_lock(shp->shm_file)
+ <OOPS>
+
+The oops is caused because shm_destroy() calls fput() after dropping the
+ipc_lock. fput() clears the file's f_inode, f_path.dentry, and
+f_path.mnt, which causes various NULL pointer references in task 2. I
+reliably see the oops in task 2 if with shmlock, shmu
+
+This patch fixes the races by:
+1) set shm_file=NULL in shm_destroy() while holding ipc_object_lock().
+2) modify at risk operations to check shm_file while holding
+ ipc_object_lock().
+
+Example workloads, which each trigger oops...
+
+Workload 1:
+ while true; do
+ id=$(shmget 1 4096)
+ shm_rmid $id &
+ shmlock $id &
+ wait
+ done
+
+ The oops stack shows accessing NULL f_inode due to racing fput:
+ _raw_spin_lock
+ shmem_lock
+ SyS_shmctl
+
+Workload 2:
+ while true; do
+ id=$(shmget 1 4096)
+ shmat $id 4096 &
+ shm_rmid $id &
+ wait
+ done
+
+ The oops stack is similar to workload 1 due to NULL f_inode:
+ touch_atime
+ shmem_mmap
+ shm_mmap
+ mmap_region
+ do_mmap_pgoff
+ do_shmat
+ SyS_shmat
+
+Workload 3:
+ while true; do
+ id=$(shmget 1 4096)
+ shmlock $id
+ shm_rmid $id &
+ shmunlock $id &
+ wait
+ done
+
+ The oops stack shows second fput tripping on an NULL f_inode. The
+ first fput() completed via from shm_destroy(), but a racing thread did
+ a get_file() and queued this fput():
+ locks_remove_flock
+ __fput
+ ____fput
+ task_work_run
+ do_notify_resume
+ int_signal
+
+Fixes: c2c737a0461e ("ipc,shm: shorten critical region for shmat")
+Fixes: 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Cc: Davidlohr Bueso <davidlohr@hp.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/shm.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -208,15 +208,18 @@ static void shm_open(struct vm_area_stru
+ */
+ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
+ {
++ struct file *shm_file;
++
++ shm_file = shp->shm_file;
++ shp->shm_file = NULL;
+ ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ shm_rmid(ns, shp);
+ shm_unlock(shp);
+- if (!is_file_hugepages(shp->shm_file))
+- shmem_lock(shp->shm_file, 0, shp->mlock_user);
++ if (!is_file_hugepages(shm_file))
++ shmem_lock(shm_file, 0, shp->mlock_user);
+ else if (shp->mlock_user)
+- user_shm_unlock(file_inode(shp->shm_file)->i_size,
+- shp->mlock_user);
+- fput (shp->shm_file);
++ user_shm_unlock(file_inode(shm_file)->i_size, shp->mlock_user);
++ fput(shm_file);
+ ipc_rcu_putref(shp, shm_rcu_free);
+ }
+
+@@ -986,6 +989,13 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
+ }
+
+ shm_file = shp->shm_file;
++
++ /* check if shm_destroy() is tearing down shp */
++ if (shm_file == NULL) {
++ err = -EIDRM;
++ goto out_unlock0;
++ }
++
+ if (is_file_hugepages(shm_file))
+ goto out_unlock0;
+
+@@ -1104,6 +1114,14 @@ long do_shmat(int shmid, char __user *sh
+ goto out_unlock;
+
+ ipc_lock_object(&shp->shm_perm);
++
++ /* check if shm_destroy() is tearing down shp */
++ if (shp->shm_file == NULL) {
++ ipc_unlock_object(&shp->shm_perm);
++ err = -EIDRM;
++ goto out_unlock;
++ }
++
+ path = shp->shm_file->f_path;
+ path_get(&path);
+ shp->shm_nattch++;
xfs-be-more-forgiving-of-a-v4-secondary-sb-w-junk-in-v5-fields.patch
usb-mos7840-fix-tiocmget-error-handling.patch
can-kvaser_usb-fix-usb-endpoints-detection.patch
+btrfs-relocate-csums-properly-with-prealloc-extents.patch
+crypto-ansi_cprng-fix-off-by-one-error-in-non-block-size-request.patch
+crypto-s390-fix-aes-cbc-iv-corruption.patch
+can-c_can-fix-rx-message-handling-handle-lost-message-before-eob.patch
+alx-reset-phy-speed-after-resume.patch
+ipc-shm-correct-error-return-value-in-shmctl-shm_unlock.patch
+ipc-shm-fix-shm_file-deletion-races.patch
+drm-shmobile-add-dependency-on-backlight_class_device.patch
+staging-ashmem-fix-ashmem_purge_all_caches-return-value.patch
+drm-nvc0-gr-fix-a-number-of-missing-explicit-array-terminators.patch
+thinkpad_acpi-fix-build-error-when-config_snd_max_cards-32.patch
--- /dev/null
+From 5957324045ba2c127c9401fa3ac61ac52e043ca8 Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Mon, 21 Oct 2013 09:58:07 -0700
+Subject: staging: ashmem: Fix ASHMEM_PURGE_ALL_CACHES return value
+
+From: John Stultz <john.stultz@linaro.org>
+
+commit 5957324045ba2c127c9401fa3ac61ac52e043ca8 upstream.
+
+Hopefully this isn't too late for 3.12.
+
+In commit 7dc19d5aff (convert shrinkers to new count/scan API)
+the return value to PURGE_ALL_CACHES was dropped, causing -EPERM
+to always be returned.
+
+This patch re-adds the ret assignment, setting it to the the
+ashmem_shrink_count(), which is the lru_count.
+
+(Sorry this was missed in the review!)
+
+Fixes: 7dc19d5affd7 ("convert shrinkers to new count/scan API")
+Cc: Colin Cross <ccross@android.com>
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: Glauber Costa <glommer@openvz.org>
+Reported-by: YongQin Liu <yongqin.liu@linaro.org>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Acked-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -706,7 +706,7 @@ static long ashmem_ioctl(struct file *fi
+ .gfp_mask = GFP_KERNEL,
+ .nr_to_scan = LONG_MAX,
+ };
+-
++ ret = ashmem_shrink_count(&ashmem_shrinker, &sc);
+ nodes_setall(sc.nodes_to_scan);
+ ashmem_shrink_scan(&ashmem_shrinker, &sc);
+ }
--- /dev/null
+From cab6661344f14a09d7aecdf821a40f68ef9b18cc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 24 Oct 2013 16:06:32 +0200
+Subject: thinkpad_acpi: Fix build error when CONFIG_SND_MAX_CARDS > 32
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit cab6661344f14a09d7aecdf821a40f68ef9b18cc upstream.
+
+SNDRV_CARDS can be specified via Kconfig since 3.11 kernel, so this
+can be over 32bit integer range, which leads to a build error.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/thinkpad_acpi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -6420,7 +6420,12 @@ static struct ibm_struct brightness_driv
+ #define TPACPI_ALSA_SHRTNAME "ThinkPad Console Audio Control"
+ #define TPACPI_ALSA_MIXERNAME TPACPI_ALSA_SHRTNAME
+
+-static int alsa_index = ~((1 << (SNDRV_CARDS - 3)) - 1); /* last three slots */
++#if SNDRV_CARDS <= 32
++#define DEFAULT_ALSA_IDX ~((1 << (SNDRV_CARDS - 3)) - 1)
++#else
++#define DEFAULT_ALSA_IDX ~((1 << (32 - 3)) - 1)
++#endif
++static int alsa_index = DEFAULT_ALSA_IDX; /* last three slots */
+ static char *alsa_id = "ThinkPadEC";
+ static bool alsa_enable = SNDRV_DEFAULT_ENABLE1;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
