3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Dec 2013 04:51:17 +0000 (20:51 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Dec 2013 04:51:17 +0000 (20:51 -0800)
added patches:
ahci-add-device-ids-for-intel-wildcat-point-lp.patch
ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch
ahci-disabled-fbs-prior-to-issuing-software-reset.patch
ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch
ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch
ib-qib-fix-txselect-regression.patch
ib-srp-report-receive-errors-correctly.patch
ipc-msg-fix-message-length-check-for-negative-values.patch
ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch
ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch
ipc-update-locking-scheme-comments.patch
iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch
iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch
iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch
loop-fix-crash-if-blk_alloc_queue-fails.patch
loop-fix-crash-when-using-unassigned-loop-device.patch
mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch
mtd-map-fixed-bug-in-64-bit-systems.patch
mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch
rtlwifi-fix-endian-error-in-extracting-packet-type.patch
rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch
rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch
rtlwifi-rtl8192se-fix-wrong-assignment.patch
xen-blkback-fix-reference-counting.patch

25 files changed:
queue-3.10/ahci-add-device-ids-for-intel-wildcat-point-lp.patch [new file with mode: 0644]
queue-3.10/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch [new file with mode: 0644]
queue-3.10/ahci-disabled-fbs-prior-to-issuing-software-reset.patch [new file with mode: 0644]
queue-3.10/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch [new file with mode: 0644]
queue-3.10/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch [new file with mode: 0644]
queue-3.10/ib-qib-fix-txselect-regression.patch [new file with mode: 0644]
queue-3.10/ib-srp-report-receive-errors-correctly.patch [new file with mode: 0644]
queue-3.10/ipc-msg-fix-message-length-check-for-negative-values.patch [new file with mode: 0644]
queue-3.10/ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch [new file with mode: 0644]
queue-3.10/ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch [new file with mode: 0644]
queue-3.10/ipc-update-locking-scheme-comments.patch [new file with mode: 0644]
queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch [new file with mode: 0644]
queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch [new file with mode: 0644]
queue-3.10/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch [new file with mode: 0644]
queue-3.10/loop-fix-crash-if-blk_alloc_queue-fails.patch [new file with mode: 0644]
queue-3.10/loop-fix-crash-when-using-unassigned-loop-device.patch [new file with mode: 0644]
queue-3.10/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch [new file with mode: 0644]
queue-3.10/mtd-map-fixed-bug-in-64-bit-systems.patch [new file with mode: 0644]
queue-3.10/mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch [new file with mode: 0644]
queue-3.10/rtlwifi-fix-endian-error-in-extracting-packet-type.patch [new file with mode: 0644]
queue-3.10/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch [new file with mode: 0644]
queue-3.10/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch [new file with mode: 0644]
queue-3.10/rtlwifi-rtl8192se-fix-wrong-assignment.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/xen-blkback-fix-reference-counting.patch [new file with mode: 0644]

diff --git a/queue-3.10/ahci-add-device-ids-for-intel-wildcat-point-lp.patch b/queue-3.10/ahci-add-device-ids-for-intel-wildcat-point-lp.patch
new file mode 100644 (file)
index 0000000..9c6cd1d
--- /dev/null
@@ -0,0 +1,32 @@
+From 9f961a5f6efc87a79571d7166257b36af28ffcfe Mon Sep 17 00:00:00 2001
+From: James Ralston <james.d.ralston@intel.com>
+Date: Mon, 4 Nov 2013 09:24:58 -0800
+Subject: ahci: Add Device IDs for Intel Wildcat Point-LP
+
+From: James Ralston <james.d.ralston@intel.com>
+
+commit 9f961a5f6efc87a79571d7166257b36af28ffcfe upstream.
+
+This patch adds the AHCI-mode SATA Device IDs for the Intel Wildcat Point-LP PCH.
+
+Signed-off-by: James Ralston <james.d.ralston@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -292,6 +292,10 @@ static const struct pci_device_id ahci_p
+       { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */
+       { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */
+       { PCI_VDEVICE(INTEL, 0x23a3), board_ahci }, /* Coleto Creek AHCI */
++      { PCI_VDEVICE(INTEL, 0x9c83), board_ahci }, /* Wildcat Point-LP AHCI */
++      { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */
++      { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */
++      { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */
+       /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+       { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
diff --git a/queue-3.10/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch b/queue-3.10/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch
new file mode 100644 (file)
index 0000000..3fbbc58
--- /dev/null
@@ -0,0 +1,31 @@
+From 6d5278a68a75891db1df5ae1ecf83d288fc58c65 Mon Sep 17 00:00:00 2001
+From: Samir Benmendil <samir.benmendil@gmail.com>
+Date: Sun, 17 Nov 2013 23:56:17 +0100
+Subject: ahci: add Marvell 9230 to the AHCI PCI device list
+
+From: Samir Benmendil <samir.benmendil@gmail.com>
+
+commit 6d5278a68a75891db1df5ae1ecf83d288fc58c65 upstream.
+
+Tested with a DAWICONTROL DC-624e on 3.10.10
+
+Signed-off-by: Samir Benmendil <samir.benmendil@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Levente Kurusa <levex@linux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -435,6 +435,8 @@ static const struct pci_device_id ahci_p
+         .driver_data = board_ahci_yes_fbs },                  /* 88se9172 on some Gigabyte */
+       { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
+         .driver_data = board_ahci_yes_fbs },
++      { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
++        .driver_data = board_ahci_yes_fbs },
+       /* Promise */
+       { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci },   /* PDC42819 */
diff --git a/queue-3.10/ahci-disabled-fbs-prior-to-issuing-software-reset.patch b/queue-3.10/ahci-disabled-fbs-prior-to-issuing-software-reset.patch
new file mode 100644 (file)
index 0000000..413c3a9
--- /dev/null
@@ -0,0 +1,127 @@
+From 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 Mon Sep 17 00:00:00 2001
+From: xiangliang yu <yxlraid@gmail.com>
+Date: Sun, 27 Oct 2013 08:03:04 -0400
+Subject: ahci: disabled FBS prior to issuing software reset
+
+From: xiangliang yu <yxlraid@gmail.com>
+
+commit 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 upstream.
+
+Tested with Marvell 88se9125, attached with one port mulitplier(5 ports)
+and one disk, we will get following boot log messages if using current
+code:
+
+  ata8: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
+  ata8.15: Port Multiplier 1.2, 0x1b4b:0x9715 r160, 5 ports, feat 0x1/0x1f
+  ahci 0000:03:00.0: FBS is enabled
+  ata8.00: hard resetting link
+  ata8.00: SATA link down (SStatus 0 SControl 330)
+  ata8.01: hard resetting link
+  ata8.01: SATA link down (SStatus 0 SControl 330)
+  ata8.02: hard resetting link
+  ata8.02: SATA link down (SStatus 0 SControl 330)
+  ata8.03: hard resetting link
+  ata8.03: SATA link up 6.0 Gbps (SStatus 133 SControl 133)
+  ata8.04: hard resetting link
+  ata8.04: failed to resume link (SControl 133)
+  ata8.04: failed to read SCR 0 (Emask=0x40)
+  ata8.04: failed to read SCR 0 (Emask=0x40)
+  ata8.04: failed to read SCR 1 (Emask=0x40)
+  ata8.04: failed to read SCR 0 (Emask=0x40)
+  ata8.03: native sectors (2) is smaller than sectors (976773168)
+  ata8.03: ATA-8: ST3500413AS, JC4B, max UDMA/133
+  ata8.03: 976773168 sectors, multi 0: LBA48 NCQ (depth 31/32)
+  ata8.03: configured for UDMA/133
+  ata8.04: failed to IDENTIFY (I/O error, err_mask=0x100)
+  ata8.15: hard resetting link
+  ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
+  ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
+  ata8.15: PMP revalidation failed (errno=-19)
+  ata8.15: hard resetting link
+  ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
+  ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
+  ata8.15: PMP revalidation failed (errno=-19)
+  ata8.15: limiting SATA link speed to 3.0 Gbps
+  ata8.15: hard resetting link
+  ata8.15: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
+  ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
+  ata8.15: PMP revalidation failed (errno=-19)
+  ata8.15: failed to recover PMP after 5 tries, giving up
+  ata8.15: Port Multiplier detaching
+  ata8.03: disabled
+  ata8.00: disabled
+  ata8: EH complete
+
+The reason is that current detection code doesn't follow AHCI spec:
+
+First,the port multiplier detection process look like this:
+
+       ahci_hardreset(link, class, deadline)
+       if (class == ATA_DEV_PMP) {
+               sata_pmp_attach(dev)    /* will enable FBS */
+               sata_pmp_init_links(ap, nr_ports);
+               ata_for_each_link(link, ap, EDGE) {
+                       sata_std_hardreset(link, class, deadline);
+                       if (link_is_online)     /* do soft reset */
+                               ahci_softreset(link, class, deadline);
+               }
+       }
+But, according to chapter 9.3.9 in AHCI spec: Prior to issuing software
+reset, software shall clear PxCMD.ST to '0' and then clear PxFBS.EN to
+'0'.
+
+The patch test ok with kernel 3.11.1.
+
+tj: Patch white space contaminated, applied manually with trivial
+    updates.
+
+Signed-off-by: Xiangliang Yu <yuxiangl@marvell.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libahci.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1266,9 +1266,11 @@ int ahci_do_softreset(struct ata_link *l
+ {
+       struct ata_port *ap = link->ap;
+       struct ahci_host_priv *hpriv = ap->host->private_data;
++      struct ahci_port_priv *pp = ap->private_data;
+       const char *reason = NULL;
+       unsigned long now, msecs;
+       struct ata_taskfile tf;
++      bool fbs_disabled = false;
+       int rc;
+       DPRINTK("ENTER\n");
+@@ -1278,6 +1280,16 @@ int ahci_do_softreset(struct ata_link *l
+       if (rc && rc != -EOPNOTSUPP)
+               ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc);
++      /*
++       * According to AHCI-1.2 9.3.9: if FBS is enable, software shall
++       * clear PxFBS.EN to '0' prior to issuing software reset to devices
++       * that is attached to port multiplier.
++       */
++      if (!ata_is_host_link(link) && pp->fbs_enabled) {
++              ahci_disable_fbs(ap);
++              fbs_disabled = true;
++      }
++
+       ata_tf_init(link->device, &tf);
+       /* issue the first D2H Register FIS */
+@@ -1318,6 +1330,10 @@ int ahci_do_softreset(struct ata_link *l
+       } else
+               *class = ahci_dev_classify(ap);
++      /* re-enable FBS if disabled before */
++      if (fbs_disabled)
++              ahci_enable_fbs(ap);
++
+       DPRINTK("EXIT, class=%u\n", *class);
+       return 0;
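Review bot: The re-enable block sits only on the success exit of ahci_do_softreset, directly before `return 0;`, so an error exit taken after `ahci_disable_fbs(ap)` would leave FBS switched off for the port. The function's failure path is outside these hunks, so this is inferred from the visible `reason` and `rc` variables rather than seen. If such an exit exists, it should repeat `if (fbs_disabled) ahci_enable_fbs(ap);` before returning, or the comment above the disable block should say that FBS is deliberately left off on failure.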
diff --git a/queue-3.10/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch b/queue-3.10/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch
new file mode 100644 (file)
index 0000000..ef96044
--- /dev/null
@@ -0,0 +1,27 @@
+From dcb9917ba041866686fe152850364826c4622a36 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 31 Oct 2013 23:00:24 -0400
+Subject: ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit dcb9917ba041866686fe152850364826c4622a36 upstream.
+
+Reported-by: Dave Jones <davej@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1352,6 +1352,7 @@ retry:
+                                       new_extra_isize = s_min_extra_isize;
+                                       kfree(is); is = NULL;
+                                       kfree(bs); bs = NULL;
++                                      brelse(bh);
+                                       goto retry;
+                               }
+                               error = -1;
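Review bot: `brelse(bh);` leaves `bh` pointing at a released buffer head across `goto retry`, whereas the two lines above it clear their pointers after freeing (`kfree(is); is = NULL;`). Writing `brelse(bh); bh = NULL;` would match that pattern and keep a later release of `bh` from touching the same buffer twice if the retried pass does not reassign it. The code after the `retry:` label is outside this hunk, so whether `bh` is always reassigned there cannot be confirmed from here.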
diff --git a/queue-3.10/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch b/queue-3.10/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch
new file mode 100644 (file)
index 0000000..6f4e7a3
--- /dev/null
@@ -0,0 +1,58 @@
+From 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 4 Oct 2013 09:29:06 -0400
+Subject: IB/ipath: Convert ipath_user_sdma_pin_pages() to use get_user_pages_fast()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 upstream.
+
+ipath_user_sdma_queue_pkts() gets called with mmap_sem held for
+writing.  Except for get_user_pages() deep down in
+ipath_user_sdma_pin_pages() we don't seem to need mmap_sem at all.
+
+Even more interestingly the function ipath_user_sdma_queue_pkts() (and
+also ipath_user_sdma_coalesce() called somewhat later) call
+copy_from_user() which can hit a page fault and we deadlock on trying
+to get mmap_sem when handling that fault.  So just make
+ipath_user_sdma_pin_pages() use get_user_pages_fast() and leave
+mmap_sem locking for mm.
+
+This deadlock has actually been observed in the wild when the node
+is under memory pressure.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+[ Merged in fix for call to get_user_pages_fast from Tetsuo Handa
+  <penguin-kernel@I-love.SAKURA.ne.jp>.  - Roland ]
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ipath/ipath_user_sdma.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c
++++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c
+@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(con
+       int j;
+       int ret;
+-      ret = get_user_pages(current, current->mm, addr,
+-                           npages, 0, 1, pages, NULL);
+-
++      ret = get_user_pages_fast(addr, npages, 0, pages);
+       if (ret != npages) {
+               int i;
+@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_
+       while (dim) {
+               const int mxp = 8;
+-              down_write(&current->mm->mmap_sem);
+               ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp);
+-              up_write(&current->mm->mmap_sem);
+-
+               if (ret <= 0)
+                       goto done_unlock;
+               else {
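Review bot: The removed call appears to pass `force` = 1 (`npages, 0, 1, pages, NULL`), and `get_user_pages_fast(addr, npages, 0, pages)` has no equivalent argument, so pinning may now fail for user mappings that previously succeeded only because of `force`. The description explains the mmap_sem deadlock but not this difference. A short comment at the call, for example `/* read-only pin; unlike the old get_user_pages() call, force is not applied */`, would record that the change is intended. Both ipath_user_sdma_pin_pages and ipath_user_sdma_writev continue outside the hunks.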
diff --git a/queue-3.10/ib-qib-fix-txselect-regression.patch b/queue-3.10/ib-qib-fix-txselect-regression.patch
new file mode 100644 (file)
index 0000000..0c6e9a4
--- /dev/null
@@ -0,0 +1,52 @@
+From 2fadd83184d58701f1116ca578465b5a75f9417c Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 25 Oct 2013 11:17:59 -0400
+Subject: IB/qib: Fix txselect regression
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 2fadd83184d58701f1116ca578465b5a75f9417c upstream.
+
+Commit 7fac33014f54("IB/qib: checkpatch fixes") was overzealous in
+removing a simple_strtoul for a parse routine, setup_txselect().  That
+routine is required to handle a multi-value string.
+
+Unwind that aspect of the fix.
+
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib_iba7322.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/qib/qib_iba7322.c
++++ b/drivers/infiniband/hw/qib/qib_iba7322.c
+@@ -5853,21 +5853,20 @@ static int setup_txselect(const char *st
+ {
+       struct qib_devdata *dd;
+       unsigned long val;
+-      int ret;
+-
++      char *n;
+       if (strlen(str) >= MAX_ATTEN_LEN) {
+               pr_info("txselect_values string too long\n");
+               return -ENOSPC;
+       }
+-      ret = kstrtoul(str, 0, &val);
+-      if (ret || val >= (TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ +
++      val = simple_strtoul(str, &n, 0);
++      if (n == str || val >= (TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ +
+                               TXDDS_MFG_SZ)) {
+               pr_info("txselect_values must start with a number < %d\n",
+                       TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + TXDDS_MFG_SZ);
+-              return ret ? ret : -EINVAL;
++              return -EINVAL;
+       }
+-
+       strcpy(txselect_list, str);
++
+       list_for_each_entry(dd, &qib_dev_list, list)
+               if (dd->deviceid == PCI_DEVICE_ID_QLOGIC_IB_7322)
+                       set_no_qsfp_atten(dd, 1);
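Review bot: Nothing in setup_txselect says why `simple_strtoul` is used, and the description shows that a checkpatch cleanup already replaced it with `kstrtoul` once and broke multi-value strings. A comment above the call would stop that recurring, for example `/* str is a multi-value string; only the leading number is checked here, so kstrtoul() cannot be used */`. Note also that `simple_strtoul` does not report overflow, so the `val >=` comparison is the only range check on that first number. The `strcpy(txselect_list, str)` stays in bounds only through the earlier `strlen(str) >= MAX_ATTEN_LEN` guard. The declaration of `txselect_list` is outside the hunk, so its size should be confirmed to be MAX_ATTEN_LEN.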
diff --git a/queue-3.10/ib-srp-report-receive-errors-correctly.patch b/queue-3.10/ib-srp-report-receive-errors-correctly.patch
new file mode 100644 (file)
index 0000000..fd8a393
--- /dev/null
@@ -0,0 +1,58 @@
+From cd4e38542a5c2cab94e5410fb17c1cc004a60792 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 10 Oct 2013 13:53:25 +0200
+Subject: IB/srp: Report receive errors correctly
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit cd4e38542a5c2cab94e5410fb17c1cc004a60792 upstream.
+
+The IB spec does not guarantee that the opcode is available in error
+completions.  Hence do not rely on it.  See also commit 948d1e889e5b
+("IB/srp: Introduce srp_handle_qp_err()").
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1300,14 +1300,13 @@ static void srp_handle_recv(struct srp_t
+                            PFX "Recv failed with error code %d\n", res);
+ }
+-static void srp_handle_qp_err(enum ib_wc_status wc_status,
+-                            enum ib_wc_opcode wc_opcode,
++static void srp_handle_qp_err(enum ib_wc_status wc_status, bool send_err,
+                             struct srp_target_port *target)
+ {
+       if (target->connected && !target->qp_in_error) {
+               shost_printk(KERN_ERR, target->scsi_host,
+                            PFX "failed %s status %d\n",
+-                           wc_opcode & IB_WC_RECV ? "receive" : "send",
++                           send_err ? "send" : "receive",
+                            wc_status);
+       }
+       target->qp_in_error = true;
+@@ -1323,7 +1322,7 @@ static void srp_recv_completion(struct i
+               if (likely(wc.status == IB_WC_SUCCESS)) {
+                       srp_handle_recv(target, &wc);
+               } else {
+-                      srp_handle_qp_err(wc.status, wc.opcode, target);
++                      srp_handle_qp_err(wc.status, false, target);
+               }
+       }
+ }
+@@ -1339,7 +1338,7 @@ static void srp_send_completion(struct i
+                       iu = (struct srp_iu *) (uintptr_t) wc.wr_id;
+                       list_add(&iu->list, &target->free_tx);
+               } else {
+-                      srp_handle_qp_err(wc.status, wc.opcode, target);
++                      srp_handle_qp_err(wc.status, true, target);
+               }
+       }
+ }
diff --git a/queue-3.10/ipc-msg-fix-message-length-check-for-negative-values.patch b/queue-3.10/ipc-msg-fix-message-length-check-for-negative-values.patch
new file mode 100644 (file)
index 0000000..3e7e969
--- /dev/null
@@ -0,0 +1,171 @@
+From 4e9b45a19241354daec281d7a785739829b52359 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Tue, 12 Nov 2013 15:11:47 -0800
+Subject: ipc, msg: fix message length check for negative values
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 4e9b45a19241354daec281d7a785739829b52359 upstream.
+
+On 64 bit systems the test for negative message sizes is bogus as the
+size, which may be positive when evaluated as a long, will get truncated
+to an int when passed to load_msg().  So a long might very well contain a
+positive value but when truncated to an int it would become negative.
+
+That in combination with a small negative value of msg_ctlmax (which will
+be promoted to an unsigned type for the comparison against msgsz, making
+it a big positive value and therefore make it pass the check) will lead to
+two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too
+small buffer as the addition of alen is effectively a subtraction.  2/ The
+copy_from_user() call in load_msg() will first overflow the buffer with
+userland data and then, when the userland access generates an access
+violation, the fixup handler copy_user_handle_tail() will try to fill the
+remainder with zeros -- roughly 4GB.  That almost instantly results in a
+system crash or reset.
+
+  ,-[ Reproducer (needs to be run as root) ]--
+  | #include <sys/stat.h>
+  | #include <sys/msg.h>
+  | #include <unistd.h>
+  | #include <fcntl.h>
+  |
+  | int main(void) {
+  |     long msg = 1;
+  |     int fd;
+  |
+  |     fd = open("/proc/sys/kernel/msgmax", O_WRONLY);
+  |     write(fd, "-1", 2);
+  |     close(fd);
+  |
+  |     msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT);
+  |
+  |     return 0;
+  | }
+  '---
+
+Fix the issue by preventing msgsz from getting truncated by consistently
+using size_t for the message length.  This way the size checks in
+do_msgsnd() could still be passed with a negative value for msg_ctlmax but
+we would fail on the buffer allocation in that case and error out.
+
+Also change the type of m_ts from int to size_t to avoid similar nastiness
+in other code paths -- it is used in similar constructs, i.e.  signed vs.
+unsigned checks.  It should never become negative under normal
+circumstances, though.
+
+Setting msg_ctlmax to a negative value is an odd configuration and should
+be prevented.  As that might break existing userland, it will be handled
+in a separate commit so it could easily be reverted and reworked without
+reintroducing the above described bug.
+
+Hardening mechanisms for user copy operations would have catched that bug
+early -- e.g.  checking slab object sizes on user copy operations as the
+usercopy feature of the PaX patch does.  Or, for that matter, detect the
+long vs.  int sign change due to truncation, as the size overflow plugin
+of the very same patch does.
+
+[akpm@linux-foundation.org: fix i386 min() warnings]
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Pax Team <pageexec@freemail.hu>
+Cc: Davidlohr Bueso <davidlohr@hp.com>
+Cc: Brad Spengler <spender@grsecurity.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/msg.h |    6 +++---
+ ipc/msgutil.c       |   20 ++++++++++----------
+ ipc/util.h          |    4 ++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+--- a/include/linux/msg.h
++++ b/include/linux/msg.h
+@@ -6,9 +6,9 @@
+ /* one msg_msg structure for each message */
+ struct msg_msg {
+-      struct list_head m_list; 
+-      long  m_type;          
+-      int m_ts;           /* message text size */
++      struct list_head m_list;
++      long m_type;
++      size_t m_ts;            /* message text size */
+       struct msg_msgseg* next;
+       void *security;
+       /* the actual message follows immediately */
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -41,15 +41,15 @@ struct msg_msgseg {
+       /* the next part of the message follows immediately */
+ };
+-#define DATALEN_MSG   (int)(PAGE_SIZE-sizeof(struct msg_msg))
+-#define DATALEN_SEG   (int)(PAGE_SIZE-sizeof(struct msg_msgseg))
++#define DATALEN_MSG   ((size_t)PAGE_SIZE-sizeof(struct msg_msg))
++#define DATALEN_SEG   ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg))
+-static struct msg_msg *alloc_msg(int len)
++static struct msg_msg *alloc_msg(size_t len)
+ {
+       struct msg_msg *msg;
+       struct msg_msgseg **pseg;
+-      int alen;
++      size_t alen;
+       alen = min(len, DATALEN_MSG);
+       msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL);
+@@ -80,12 +80,12 @@ out_err:
+       return NULL;
+ }
+-struct msg_msg *load_msg(const void __user *src, int len)
++struct msg_msg *load_msg(const void __user *src, size_t len)
+ {
+       struct msg_msg *msg;
+       struct msg_msgseg *seg;
+       int err = -EFAULT;
+-      int alen;
++      size_t alen;
+       msg = alloc_msg(len);
+       if (msg == NULL)
+@@ -117,8 +117,8 @@ out_err:
+ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
+ {
+       struct msg_msgseg *dst_pseg, *src_pseg;
+-      int len = src->m_ts;
+-      int alen;
++      size_t len = src->m_ts;
++      size_t alen;
+       BUG_ON(dst == NULL);
+       if (src->m_ts > dst->m_ts)
+@@ -147,9 +147,9 @@ struct msg_msg *copy_msg(struct msg_msg
+       return ERR_PTR(-ENOSYS);
+ }
+ #endif
+-int store_msg(void __user *dest, struct msg_msg *msg, int len)
++int store_msg(void __user *dest, struct msg_msg *msg, size_t len)
+ {
+-      int alen;
++      size_t alen;
+       struct msg_msgseg *seg;
+       alen = min(len, DATALEN_MSG);
+--- a/ipc/util.h
++++ b/ipc/util.h
+@@ -148,9 +148,9 @@ int ipc_parse_version (int *cmd);
+ #endif
+ extern void free_msg(struct msg_msg *msg);
+-extern struct msg_msg *load_msg(const void __user *src, int len);
++extern struct msg_msg *load_msg(const void __user *src, size_t len);
+ extern struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst);
+-extern int store_msg(void __user *dest, struct msg_msg *msg, int len);
++extern int store_msg(void __user *dest, struct msg_msg *msg, size_t len);
+ extern void recompute_msgmni(struct ipc_namespace *);
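Review bot: `load_msg()` and `alloc_msg()` now take `size_t len` but still enforce no upper bound of their own. They rely on the caller's comparison against msg_ctlmax, which the description says can still pass when msg_ctlmax is negative, so an oversized request is then rejected only when an allocation fails. A comment on `load_msg()` such as `/* len must already be limited by the caller; no maximum is enforced here */` would make that contract explicit. The negative-msgmax case is closed only by the companion change that forbids negative values, so the two patches should stay together in the queue. The bodies of alloc_msg, load_msg, copy_msg and store_msg continue outside the hunks.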
diff --git a/queue-3.10/ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch b/queue-3.10/ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch
new file mode 100644 (file)
index 0000000..b3c9fef
--- /dev/null
@@ -0,0 +1,112 @@
+From 9bf76ca325d5e9208eb343f7bd4cc666f703ed30 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 3 Nov 2013 12:36:28 +0100
+Subject: ipc, msg: forbid negative values for "msg{max,mnb,mni}"
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 9bf76ca325d5e9208eb343f7bd4cc666f703ed30 upstream.
+
+Negative message lengths make no sense -- so don't do negative queue
+lenghts or identifier counts. Prevent them from getting negative.
+
+Also change the underlying data types to be unsigned to avoid hairy
+surprises with sign extensions in cases where those variables get
+evaluated in unsigned expressions with bigger data types, e.g size_t.
+
+In case a user still wants to have "unlimited" sizes she could just use
+INT_MAX instead.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/ipc_namespace.h |    6 +++---
+ ipc/ipc_sysctl.c              |   20 ++++++++++++--------
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/linux/ipc_namespace.h
++++ b/include/linux/ipc_namespace.h
+@@ -34,9 +34,9 @@ struct ipc_namespace {
+       int             sem_ctls[4];
+       int             used_sems;
+-      int             msg_ctlmax;
+-      int             msg_ctlmnb;
+-      int             msg_ctlmni;
++      unsigned int    msg_ctlmax;
++      unsigned int    msg_ctlmnb;
++      unsigned int    msg_ctlmni;
+       atomic_t        msg_bytes;
+       atomic_t        msg_hdrs;
+       int             auto_msgmni;
+--- a/ipc/ipc_sysctl.c
++++ b/ipc/ipc_sysctl.c
+@@ -62,7 +62,7 @@ static int proc_ipc_dointvec_minmax_orph
+       return err;
+ }
+-static int proc_ipc_callback_dointvec(ctl_table *table, int write,
++static int proc_ipc_callback_dointvec_minmax(ctl_table *table, int write,
+       void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+       struct ctl_table ipc_table;
+@@ -72,7 +72,7 @@ static int proc_ipc_callback_dointvec(ct
+       memcpy(&ipc_table, table, sizeof(ipc_table));
+       ipc_table.data = get_ipc(table);
+-      rc = proc_dointvec(&ipc_table, write, buffer, lenp, ppos);
++      rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos);
+       if (write && !rc && lenp_bef == *lenp)
+               /*
+@@ -152,15 +152,13 @@ static int proc_ipcauto_dointvec_minmax(
+ #define proc_ipc_dointvec        NULL
+ #define proc_ipc_dointvec_minmax   NULL
+ #define proc_ipc_dointvec_minmax_orphans   NULL
+-#define proc_ipc_callback_dointvec NULL
++#define proc_ipc_callback_dointvec_minmax  NULL
+ #define proc_ipcauto_dointvec_minmax NULL
+ #endif
+ static int zero;
+ static int one = 1;
+-#ifdef CONFIG_CHECKPOINT_RESTORE
+ static int int_max = INT_MAX;
+-#endif
+ static struct ctl_table ipc_kern_table[] = {
+       {
+@@ -198,21 +196,27 @@ static struct ctl_table ipc_kern_table[]
+               .data           = &init_ipc_ns.msg_ctlmax,
+               .maxlen         = sizeof (init_ipc_ns.msg_ctlmax),
+               .mode           = 0644,
+-              .proc_handler   = proc_ipc_dointvec,
++              .proc_handler   = proc_ipc_dointvec_minmax,
++              .extra1         = &zero,
++              .extra2         = &int_max,
+       },
+       {
+               .procname       = "msgmni",
+               .data           = &init_ipc_ns.msg_ctlmni,
+               .maxlen         = sizeof (init_ipc_ns.msg_ctlmni),
+               .mode           = 0644,
+-              .proc_handler   = proc_ipc_callback_dointvec,
++              .proc_handler   = proc_ipc_callback_dointvec_minmax,
++              .extra1         = &zero,
++              .extra2         = &int_max,
+       },
+       {
+               .procname       =  "msgmnb",
+               .data           = &init_ipc_ns.msg_ctlmnb,
+               .maxlen         = sizeof (init_ipc_ns.msg_ctlmnb),
+               .mode           = 0644,
+-              .proc_handler   = proc_ipc_dointvec,
++              .proc_handler   = proc_ipc_dointvec_minmax,
++              .extra1         = &zero,
++              .extra2         = &int_max,
+       },
+       {
+               .procname       = "sem",
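Review bot: `msg_ctlmax`, `msg_ctlmnb` and `msg_ctlmni` become `unsigned int` but are still written through `proc_dointvec_minmax`, which is an `int` handler. The stored values stay well-defined only because `.extra1 = &zero` and `.extra2 = &int_max` keep every accepted value within 0..INT_MAX. That dependency is not stated in the table. A comment above the three entries, e.g. `/* fields are unsigned int; the int handler is safe only while extra2 <= INT_MAX */`, would keep a later change to the bounds from breaking it. Other writers of these fields are outside the hunks and should be checked for the same range.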
diff --git a/queue-3.10/ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch b/queue-3.10/ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch
new file mode 100644 (file)
index 0000000..f96afb2
--- /dev/null
@@ -0,0 +1,156 @@
+From 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 Mon Sep 17 00:00:00 2001
+From: Manfred Spraul <manfred@colorfullife.com>
+Date: Wed, 16 Oct 2013 13:46:45 -0700
+Subject: ipc/sem.c: synchronize semop and semctl with IPC_RMID
+
+From: Manfred Spraul <manfred@colorfullife.com>
+
+commit 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 upstream.
+
+After acquiring the semlock spinlock, operations must test that the
+array is still valid.
+
+ - semctl() and exit_sem() would walk stale linked lists (ugly, but
+   should be ok: all lists are empty)
+
+ - semtimedop() would sleep forever - and if woken up due to a signal -
+   access memory after free.
+
+The patch also:
+ - standardizes the tests for .deleted, so that all tests in one
+   function leave the function with the same approach.
+ - unconditionally tests for .deleted immediately after every call to
+   sem_lock - even it it means that for semctl(GETALL), .deleted will be
+   tested twice.
+
+Both changes make the review simpler: After every sem_lock, there must
+be a test of .deleted, followed by a goto to the cleanup code (if the
+function uses "goto cleanup").
+
+The only exception is semctl_down(): If sem_ids().rwsem is locked, then
+the presence in ids->ipcs_idr is equivalent to !.deleted, thus no
+additional test is required.
+
+Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
+Cc: Mike Galbraith <efault@gmx.de>
+Acked-by: Davidlohr Bueso <davidlohr@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/sem.c |   42 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -1282,6 +1282,12 @@ static int semctl_setval(struct ipc_name
+       sem_lock(sma, NULL, -1);
++      if (sma->sem_perm.deleted) {
++              sem_unlock(sma, -1);
++              rcu_read_unlock();
++              return -EIDRM;
++      }
++
+       curr = &sma->sem_base[semnum];
+       ipc_assert_locked_object(&sma->sem_perm);
+@@ -1336,12 +1342,14 @@ static int semctl_main(struct ipc_namesp
+               int i;
+               sem_lock(sma, NULL, -1);
++              if (sma->sem_perm.deleted) {
++                      err = -EIDRM;
++                      goto out_unlock;
++              }
+               if(nsems > SEMMSL_FAST) {
+                       if (!ipc_rcu_getref(sma)) {
+-                              sem_unlock(sma, -1);
+-                              rcu_read_unlock();
+                               err = -EIDRM;
+-                              goto out_free;
++                              goto out_unlock;
+                       }
+                       sem_unlock(sma, -1);
+                       rcu_read_unlock();
+@@ -1354,10 +1362,8 @@ static int semctl_main(struct ipc_namesp
+                       rcu_read_lock();
+                       sem_lock_and_putref(sma);
+                       if (sma->sem_perm.deleted) {
+-                              sem_unlock(sma, -1);
+-                              rcu_read_unlock();
+                               err = -EIDRM;
+-                              goto out_free;
++                              goto out_unlock;
+                       }
+               }
+               for (i = 0; i < sma->sem_nsems; i++)
+@@ -1375,8 +1381,8 @@ static int semctl_main(struct ipc_namesp
+               struct sem_undo *un;
+               if (!ipc_rcu_getref(sma)) {
+-                      rcu_read_unlock();
+-                      return -EIDRM;
++                      err = -EIDRM;
++                      goto out_rcu_wakeup;
+               }
+               rcu_read_unlock();
+@@ -1404,10 +1410,8 @@ static int semctl_main(struct ipc_namesp
+               rcu_read_lock();
+               sem_lock_and_putref(sma);
+               if (sma->sem_perm.deleted) {
+-                      sem_unlock(sma, -1);
+-                      rcu_read_unlock();
+                       err = -EIDRM;
+-                      goto out_free;
++                      goto out_unlock;
+               }
+               for (i = 0; i < nsems; i++)
+@@ -1431,6 +1435,10 @@ static int semctl_main(struct ipc_namesp
+               goto out_rcu_wakeup;
+       sem_lock(sma, NULL, -1);
++      if (sma->sem_perm.deleted) {
++              err = -EIDRM;
++              goto out_unlock;
++      }
+       curr = &sma->sem_base[semnum];
+       switch (cmd) {
+@@ -1836,6 +1844,10 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
+       if (error)
+               goto out_rcu_wakeup;
++      error = -EIDRM;
++      locknum = sem_lock(sma, sops, nsops);
++      if (sma->sem_perm.deleted)
++              goto out_unlock_free;
+       /*
+        * semid identifiers are not unique - find_alloc_undo may have
+        * allocated an undo structure, it was invalidated by an RMID
+@@ -1843,8 +1855,6 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
+        * This case can be detected checking un->semid. The existence of
+        * "un" itself is guaranteed by rcu.
+        */
+-      error = -EIDRM;
+-      locknum = sem_lock(sma, sops, nsops);
+       if (un && un->semid == -1)
+               goto out_unlock_free;
+@@ -2057,6 +2067,12 @@ void exit_sem(struct task_struct *tsk)
+               }
+               sem_lock(sma, NULL, -1);
++              /* exit_sem raced with IPC_RMID, nothing to do */
++              if (sma->sem_perm.deleted) {
++                      sem_unlock(sma, -1);
++                      rcu_read_unlock();
++                      continue;
++              }
+               un = __lookup_undo(ulp, semid);
+               if (un == NULL) {
+                       /* exit_sem raced with IPC_RMID+semget() that created
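Review bot: The rule this patch enforces, that every sem_lock() is followed at once by a test of `sma->sem_perm.deleted`, is stated only in the commit message. Of the checks added in semctl_setval(), semctl_main(), semtimedop() and exit_sem(), only the exit_sem() one carries a comment. I would put a one-line comment at the other sites too, for example `/* array may have been removed (IPC_RMID) before the lock was taken */`, so that anyone adding a new sem_lock() caller sees the pattern to copy. The commit message also names semctl_down() as the one exception, and that reasoning (ids rwsem held, so presence in the idr implies !deleted) deserves a comment at that call site, which is not in these hunks. All of the touched functions start and end outside the hunks shown.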
diff --git a/queue-3.10/ipc-update-locking-scheme-comments.patch b/queue-3.10/ipc-update-locking-scheme-comments.patch
new file mode 100644 (file)
index 0000000..12a2d86
--- /dev/null
@@ -0,0 +1,58 @@
+From 18ccee263c7e250a57f01c9434658f11f4118a64 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <davidlohr@hp.com>
+Date: Wed, 16 Oct 2013 13:46:45 -0700
+Subject: ipc: update locking scheme comments
+
+From: Davidlohr Bueso <davidlohr@hp.com>
+
+commit 18ccee263c7e250a57f01c9434658f11f4118a64 upstream.
+
+The initial documentation was a bit incomplete, update accordingly.
+
+[akpm@linux-foundation.org: make it more readable in 80 columns]
+Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
+Acked-by: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/util.c |   27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -17,12 +17,27 @@
+  *            Pavel Emelianov <xemul@openvz.org>
+  *
+  * General sysv ipc locking scheme:
+- *  when doing ipc id lookups, take the ids->rwsem
+- *      rcu_read_lock()
+- *          obtain the ipc object (kern_ipc_perm)
+- *          perform security, capabilities, auditing and permission checks, etc.
+- *          acquire the ipc lock (kern_ipc_perm.lock) throught ipc_lock_object()
+- *             perform data updates (ie: SET, RMID, LOCK/UNLOCK commands)
++ *    rcu_read_lock()
++ *          obtain the ipc object (kern_ipc_perm) by looking up the id in an idr
++ *        tree.
++ *        - perform initial checks (capabilities, auditing and permission,
++ *          etc).
++ *        - perform read-only operations, such as STAT, INFO commands.
++ *          acquire the ipc lock (kern_ipc_perm.lock) through
++ *          ipc_lock_object()
++ *            - perform data updates, such as SET, RMID commands and
++ *              mechanism-specific operations (semop/semtimedop,
++ *              msgsnd/msgrcv, shmat/shmdt).
++ *        drop the ipc lock, through ipc_unlock_object().
++ *    rcu_read_unlock()
++ *
++ *  The ids->rwsem must be taken when:
++ *    - creating, removing and iterating the existing entries in ipc
++ *      identifier sets.
++ *    - iterating through files under /proc/sysvipc/
++ *
++ *  Note that sems have a special fast path that avoids kern_ipc_perm.lock -
++ *  see sem_lock().
+  */
+ #include <linux/mm.h>
diff --git a/queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch b/queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch
new file mode 100644 (file)
index 0000000..93e4bf8
--- /dev/null
@@ -0,0 +1,46 @@
+From 86784c6bdeeef78eed94d298be7a8879f6a97ee2 Mon Sep 17 00:00:00 2001
+From: Eric Seppanen <eric@purestorage.com>
+Date: Wed, 20 Nov 2013 14:19:52 -0800
+Subject: iscsi-target: chap auth shouldn't match username with trailing garbage
+
+From: Eric Seppanen <eric@purestorage.com>
+
+commit 86784c6bdeeef78eed94d298be7a8879f6a97ee2 upstream.
+
+In iSCSI negotiations with initiator CHAP enabled, usernames with
+trailing garbage are permitted, because the string comparison only
+checks the strlen of the configured username.
+
+e.g. "usernameXXXXX" will be permitted to match "username".
+
+Just check one more byte so the trailing null char is also matched.
+
+Signed-off-by: Eric Seppanen <eric@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_auth.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -148,6 +148,7 @@ static int chap_server_compute_md5(
+       unsigned char client_digest[MD5_SIGNATURE_SIZE];
+       unsigned char server_digest[MD5_SIGNATURE_SIZE];
+       unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH];
++      size_t compare_len;
+       struct iscsi_chap *chap = conn->auth_protocol;
+       struct crypto_hash *tfm;
+       struct hash_desc desc;
+@@ -186,7 +187,9 @@ static int chap_server_compute_md5(
+               goto out;
+       }
+-      if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) {
++      /* Include the terminating NULL in the compare */
++      compare_len = strlen(auth->userid) + 1;
++      if (strncmp(chap_n, auth->userid, compare_len) != 0) {
+               pr_err("CHAP_N values do not match!\n");
+               goto out;
+       }
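Review bot: The bound passed to strncmp() in chap_server_compute_md5() comes from the configured `auth->userid`, not from the size of `chap_n`. The read therefore stays inside `chap_n[MAX_CHAP_N_SIZE]` only if the code that fills it always NUL-terminates it, and that code is outside this hunk. With `strlen(auth->userid) + 1` as the length the call behaves like strcmp(), so the comment should state the assumption rather than only the mechanics, for example `/* chap_n is NUL-terminated; compare the terminator too so a longer CHAP_N cannot match */`. The existing comment also says "NULL" where the terminating byte NUL is meant. Presumably the termination is guaranteed by the extract step earlier in the function; that should be confirmed, since this comparison decides whether authentication proceeds.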
diff --git a/queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch b/queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch
new file mode 100644 (file)
index 0000000..467f704
--- /dev/null
@@ -0,0 +1,33 @@
+From 369653e4fb511928511b0ce81f41c812ff1f28b6 Mon Sep 17 00:00:00 2001
+From: Eric Seppanen <eric@purestorage.com>
+Date: Wed, 20 Nov 2013 14:19:51 -0800
+Subject: iscsi-target: fix extract_param to handle buffer length corner case
+
+From: Eric Seppanen <eric@purestorage.com>
+
+commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream.
+
+extract_param() is called with max_length set to the total size of the
+output buffer.  It's not safe to allow a parameter length equal to the
+buffer size as the terminating null would be written one byte past the
+end of the output buffer.
+
+Signed-off-by: Eric Seppanen <eric@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_nego.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -90,7 +90,7 @@ int extract_param(
+       if (len < 0)
+               return -1;
+-      if (len > max_length) {
++      if (len >= max_length) {
+               pr_err("Length of input: %d exceeds max_length:"
+                       " %d\n", len, max_length);
+               return -1;
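Review bot: After the change to `len >= max_length` in extract_param(), the pr_err text "exceeds max_length" is also printed when len equals max_length, which is misleading when reading logs. The check also depends on a contract that is stated only in the commit message: max_length is the full size of the output buffer, terminator included. I would document that at the check, `/* max_length is the whole buffer; keep one byte for the terminating NUL */`, and reword the message to say the value does not fit. The function starts and continues outside this hunk, so the copy and the terminator write themselves are not visible here.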
diff --git a/queue-3.10/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch b/queue-3.10/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch
new file mode 100644 (file)
index 0000000..f380009
--- /dev/null
@@ -0,0 +1,64 @@
+From 5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Tue, 12 Nov 2013 17:54:56 -0800
+Subject: iscsi-target: Fix mutex_trylock usage in iscsit_increment_maxcmdsn
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 upstream.
+
+This patch fixes a >= v3.10 regression bug with mutex_trylock() usage
+within iscsit_increment_maxcmdsn(), that was originally added to allow
+for a special case where ->cmdsn_mutex was already held from the
+iscsit_execute_cmd() exception path for ib_isert.
+
+When !mutex_trylock() was occuring under contention during normal RX/TX
+process context codepaths, the bug was manifesting itself as the following
+protocol error:
+
+  Received CmdSN: 0x000fcbb7 is greater than MaxCmdSN: 0x000fcbb6, protocol error.
+  Received CmdSN: 0x000fcbb8 is greater than MaxCmdSN: 0x000fcbb6, protocol error.
+
+This patch simply avoids the direct ib_isert callback in lio_queue_status()
+for the special iscsi_execute_cmd() exception cases, that allows the problematic
+mutex_trylock() usage in iscsit_increment_maxcmdsn() to go away.
+
+Reported-by: Moussa Ba <moussaba@micron.com>
+Tested-by: Moussa Ba <moussaba@micron.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_configfs.c |    5 +++++
+ drivers/target/iscsi/iscsi_target_device.c   |    6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1650,6 +1650,11 @@ static int lio_queue_status(struct se_cm
+       struct iscsi_cmd *cmd = container_of(se_cmd, struct iscsi_cmd, se_cmd);
+       cmd->i_state = ISTATE_SEND_STATUS;
++
++      if (cmd->se_cmd.scsi_status || cmd->sense_reason) {
++              iscsit_add_cmd_to_response_queue(cmd, cmd->conn, cmd->i_state);
++              return 0;
++      }
+       cmd->conn->conn_transport->iscsit_queue_status(cmd->conn, cmd);
+       return 0;
+--- a/drivers/target/iscsi/iscsi_target_device.c
++++ b/drivers/target/iscsi/iscsi_target_device.c
+@@ -60,11 +60,7 @@ void iscsit_increment_maxcmdsn(struct is
+       cmd->maxcmdsn_inc = 1;
+-      if (!mutex_trylock(&sess->cmdsn_mutex)) {
+-              sess->max_cmd_sn += 1;
+-              pr_debug("Updated MaxCmdSN to 0x%08x\n", sess->max_cmd_sn);
+-              return;
+-      }
++      mutex_lock(&sess->cmdsn_mutex);
+       sess->max_cmd_sn += 1;
+       pr_debug("Updated MaxCmdSN to 0x%08x\n", sess->max_cmd_sn);
+       mutex_unlock(&sess->cmdsn_mutex);
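Review bot: The new early return in lio_queue_status() has no comment, yet it is what makes the unconditional `mutex_lock(&sess->cmdsn_mutex)` in iscsit_increment_maxcmdsn() safe. According to the commit message, the exception path from iscsit_execute_cmd() can arrive with cmdsn_mutex already held, so calling the transport's iscsit_queue_status directly there would now block on the same mutex. I would record that at the branch, for example `/* may be called with cmdsn_mutex held on the exception path; defer to the response queue instead of calling the transport directly */`. It is also worth checking that no other caller reaches iscsit_increment_maxcmdsn() with the mutex held, since the trylock fallback that tolerated this is gone; those callers are not visible in these hunks.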
diff --git a/queue-3.10/loop-fix-crash-if-blk_alloc_queue-fails.patch b/queue-3.10/loop-fix-crash-if-blk_alloc_queue-fails.patch
new file mode 100644 (file)
index 0000000..02e3495
--- /dev/null
@@ -0,0 +1,88 @@
+From 3ec981e30fae1f3c8728a05c730acaa1f627bcfb Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 14 Oct 2013 12:12:24 -0400
+Subject: loop: fix crash if blk_alloc_queue fails
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 3ec981e30fae1f3c8728a05c730acaa1f627bcfb upstream.
+
+loop: fix crash if blk_alloc_queue fails
+
+If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the
+identifier allocated with idr_alloc. That causes crash on module unload in
+idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to
+remove non-existed device with that id.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000380
+IP: [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
+PGD 43d399067 PUD 43d0ad067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but!
+ ton unix
+CPU: 7 PID: 2735 Comm: rmmod Tainted: G        W    3.10.15-devel #15
+Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
+task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000
+RIP: 0010:[<ffffffff812057c9>]  [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
+RSP: 0018:ffff88043d21fe10  EFLAGS: 00010282
+RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000
+RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff
+R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800
+FS:  00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Stack:
+ ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800
+ 00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60
+ ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec
+Call Trace:
+ [<ffffffff8100aba4>] ? native_sched_clock+0x24/0x80
+ [<ffffffffa05102b4>] loop_remove+0x14/0x40 [loop]
+ [<ffffffffa05102ec>] loop_exit_cb+0xc/0x10 [loop]
+ [<ffffffff81217b74>] idr_for_each+0x104/0x190
+ [<ffffffffa05102e0>] ? loop_remove+0x40/0x40 [loop]
+ [<ffffffff8109adc5>] ? trace_hardirqs_on_caller+0x105/0x1d0
+ [<ffffffffa05135dc>] loop_exit+0x34/0xa58 [loop]
+ [<ffffffff810a98ea>] SyS_delete_module+0x13a/0x260
+ [<ffffffff81221d5e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
+Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00
+00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20
+RIP  [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
+ RSP <ffff88043d21fe10>
+CR2: 0000000000000380
+---[ end trace 64ec069ec70f1309 ]---
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1633,7 +1633,7 @@ static int loop_add(struct loop_device *
+       err = -ENOMEM;
+       lo->lo_queue = blk_alloc_queue(GFP_KERNEL);
+       if (!lo->lo_queue)
+-              goto out_free_dev;
++              goto out_free_idr;
+       disk = lo->lo_disk = alloc_disk(1 << part_shift);
+       if (!disk)
+@@ -1678,6 +1678,8 @@ static int loop_add(struct loop_device *
+ out_free_queue:
+       blk_cleanup_queue(lo->lo_queue);
++out_free_idr:
++      idr_remove(&loop_index_idr, i);
+ out_free_dev:
+       kfree(lo);
+ out:
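Review bot: The new `out_free_idr` label in loop_add() passes `i` to idr_remove(), so the cleanup is correct only if `i` already holds the id that idr_alloc() returned when blk_alloc_queue() fails. When the caller passes a negative `i` to request any free id, that depends on an assignment that is not in this hunk. If the assignment is there, a short comment at the label such as `/* i is the id returned by idr_alloc() above */` would make the dependency explicit. The fall-through order out_free_queue, out_free_idr, out_free_dev matches the order of acquisition, which is worth keeping when further error paths are added.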
diff --git a/queue-3.10/loop-fix-crash-when-using-unassigned-loop-device.patch b/queue-3.10/loop-fix-crash-when-using-unassigned-loop-device.patch
new file mode 100644 (file)
index 0000000..ffbbf6e
--- /dev/null
@@ -0,0 +1,108 @@
+From ef7e7c82e02b602f29c2b87f42dcd6143a6777da Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 15 Oct 2013 14:14:38 -0600
+Subject: loop: fix crash when using unassigned loop device
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit ef7e7c82e02b602f29c2b87f42dcd6143a6777da upstream.
+
+When the loop module is loaded, it creates 8 loop devices /dev/loop[0-7].
+The devices have no request routine and thus, when they are used without
+being assigned, a crash happens.
+
+For example, these commands cause crash (assuming there are no used loop
+devices):
+
+Kernel Fault: Code=26 regs=000000007f420980 (Addr=0000000000000010)
+CPU: 1 PID: 50 Comm: kworker/1:1 Not tainted 3.11.0 #1
+Workqueue: ksnaphd do_metadata [dm_snapshot]
+task: 000000007fcf4078 ti: 000000007f420000 task.ti: 000000007f420000
+[  116.319988]
+     YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+PSW: 00001000000001001111111100001111 Not tainted
+r00-03  000000ff0804ff0f 00000000408bf5d0 00000000402d8204 000000007b7ff6c0
+r04-07  00000000408a95d0 000000007f420950 000000007b7ff6c0 000000007d06c930
+r08-11  000000007f4205c0 0000000000000001 000000007f4205c0 000000007f4204b8
+r12-15  0000000000000010 0000000000000000 0000000000000000 0000000000000000
+r16-19  000000001108dd48 000000004061cd7c 000000007d859800 000000000800000f
+r20-23  0000000000000000 0000000000000008 0000000000000000 0000000000000000
+r24-27  00000000ffffffff 000000007b7ff6c0 000000007d859800 00000000408a95d0
+r28-31  0000000000000000 000000007f420950 000000007f420980 000000007f4208e8
+sr00-03  0000000000000000 0000000000000000 0000000000000000 0000000000303000
+sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[  117.549988]
+IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d82fc 00000000402d8300
+ IIR: 53820020    ISR: 0000000000000000  IOR: 0000000000000010
+ CPU:        1   CR30: 000000007f420000 CR31: ffffffffffffffff
+ ORIG_R28: 0000000000000001
+ IAOQ[0]: generic_make_request+0x11c/0x1a0
+ IAOQ[1]: generic_make_request+0x120/0x1a0
+ RP(r2): generic_make_request+0x24/0x1a0
+Backtrace:
+ [<00000000402d83f0>] submit_bio+0x70/0x140
+ [<0000000011087c4c>] dispatch_io+0x234/0x478 [dm_mod]
+ [<0000000011087f44>] sync_io+0xb4/0x190 [dm_mod]
+ [<00000000110883bc>] dm_io+0x2c4/0x310 [dm_mod]
+ [<00000000110bfcd0>] do_metadata+0x28/0xb0 [dm_snapshot]
+ [<00000000401591d8>] process_one_work+0x160/0x460
+ [<0000000040159bc0>] worker_thread+0x300/0x478
+ [<0000000040161a70>] kthread+0x118/0x128
+ [<0000000040104020>] end_fault_vector+0x20/0x28
+ [<0000000040177220>] task_tick_fair+0x420/0x4d0
+ [<00000000401aa048>] invoke_rcu_core+0x50/0x60
+ [<00000000401ad5b8>] rcu_check_callbacks+0x210/0x8d8
+ [<000000004014aaa0>] update_process_times+0xa8/0xc0
+ [<00000000401ab86c>] rcu_process_callbacks+0x4b4/0x598
+ [<0000000040142408>] __do_softirq+0x250/0x2c0
+ [<00000000401789d0>] find_busiest_group+0x3c0/0xc70
+[  119.379988]
+Kernel panic - not syncing: Kernel Fault
+Rebooting in 1 seconds..
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -894,13 +894,6 @@ static int loop_set_fd(struct loop_devic
+       bio_list_init(&lo->lo_bio_list);
+-      /*
+-       * set queue make_request_fn, and add limits based on lower level
+-       * device
+-       */
+-      blk_queue_make_request(lo->lo_queue, loop_make_request);
+-      lo->lo_queue->queuedata = lo;
+-
+       if (!(lo_flags & LO_FLAGS_READ_ONLY) && file->f_op->fsync)
+               blk_queue_flush(lo->lo_queue, REQ_FLUSH);
+@@ -1618,6 +1611,8 @@ static int loop_add(struct loop_device *
+       if (!lo)
+               goto out;
++      lo->lo_state = Lo_unbound;
++
+       /* allocate id, if @id >= 0, we're requesting that specific id */
+       if (i >= 0) {
+               err = idr_alloc(&loop_index_idr, lo, i, i + 1, GFP_KERNEL);
+@@ -1635,6 +1630,12 @@ static int loop_add(struct loop_device *
+       if (!lo->lo_queue)
+               goto out_free_idr;
++      /*
++       * set queue make_request_fn
++       */
++      blk_queue_make_request(lo->lo_queue, loop_make_request);
++      lo->lo_queue->queuedata = lo;
++
+       disk = lo->lo_disk = alloc_disk(1 << part_shift);
+       if (!disk)
+               goto out_free_queue;
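Review bot: The comment moved into loop_add(), `set queue make_request_fn`, only restates the call below it and loses the reason for the move. Installing the handler at creation time means loop_make_request() can now be entered for a device that is still `Lo_unbound`, and the fix relies on that function rejecting I/O in that state, which is outside these hunks. I would write the comment as `/* install make_request_fn at creation so I/O to an unbound device reaches loop_make_request() instead of a queue with no handler */`. The added `lo->lo_state = Lo_unbound;` could note that it has to be set before the device becomes reachable through the idr.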
diff --git a/queue-3.10/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch b/queue-3.10/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch
new file mode 100644 (file)
index 0000000..4c9be27
--- /dev/null
@@ -0,0 +1,110 @@
+From 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 Mon Sep 17 00:00:00 2001
+From: Huang Shijie <b32955@freescale.com>
+Date: Mon, 11 Nov 2013 12:13:45 +0800
+Subject: mtd: gpmi: fix kernel BUG due to racing DMA operations
+
+From: Huang Shijie <b32955@freescale.com>
+
+commit 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 upstream.
+
+[1] The gpmi uses the nand_command_lp to issue the commands to NAND chips.
+    The gpmi issues a DMA operation with gpmi_cmd_ctrl when it handles
+    a NAND_CMD_NONE control command. So when we read a page(NAND_CMD_READ0)
+    from the NAND, we may send two DMA operations back-to-back.
+
+    If we do not serialize the two DMA operations, we will meet a bug when
+
+    1.1) we enable CONFIG_DMA_API_DEBUG, CONFIG_DMADEVICES_DEBUG,
+         and CONFIG_DEBUG_SG.
+
+    1.2) Use the following commands in an UART console and a SSH console:
+         cmd 1: while true;do dd if=/dev/mtd0 of=/dev/null;done
+         cmd 1: while true;do dd if=/dev/mmcblk0 of=/dev/null;done
+
+    The kernel log shows below:
+    -----------------------------------------------------------------
+    kernel BUG at lib/scatterlist.c:28!
+    Unable to handle kernel NULL pointer dereference at virtual address 00000000
+      .........................
+    [<80044a0c>] (__bug+0x18/0x24) from [<80249b74>] (sg_next+0x48/0x4c)
+    [<80249b74>] (sg_next+0x48/0x4c) from [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4)
+    [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) from [<8004af58>] (dma_unmap_sg+0x14/0x6c)
+    [<8004af58>] (dma_unmap_sg+0x14/0x6c) from [<8027e594>] (mxs_dma_tasklet+0x18/0x1c)
+    [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) from [<8007d444>] (tasklet_action+0x114/0x164)
+    -----------------------------------------------------------------
+
+    1.3) Assume the two DMA operations is X (first) and Y (second).
+
+         The root cause of the bug:
+          Assume process P issues DMA X, and sleep on the completion
+        @this->dma_done. X's tasklet callback is dma_irq_callback. It firstly
+        wake up the process sleeping on the completion @this->dma_done,
+        and then trid to unmap the scatterlist S. The waked process P will
+        issue Y in another ARM core. Y initializes S->sg_magic to zero
+        with sg_init_one(), while dma_irq_callback is unmapping S at the same
+        time.
+
+        See the diagram:
+
+                   ARM core 0              |         ARM core 1
+        -------------------------------------------------------------
+         (P issues DMA X, then sleep)  --> |
+                                           |
+         (X's tasklet wakes P)         --> |
+                                           |
+                                           | <-- (P begin to issue DMA Y)
+                                           |
+         (X's tasklet unmap the            |
+      scatterlist S with dma_unmap_sg) --> | <-- (Y calls sg_init_one() to init
+                                           |      scatterlist S)
+                                           |
+
+[2] This patch serialize both the X and Y in the following way:
+     Unmap the DMA scatterlist S firstly, and wake up the process at the end
+     of the DMA callback, in such a way, Y will be executed after X.
+
+     After this patch:
+
+                   ARM core 0              |         ARM core 1
+        -------------------------------------------------------------
+         (P issues DMA X, then sleep)  --> |
+                                           |
+         (X's tasklet unmap the            |
+      scatterlist S with dma_unmap_sg) --> |
+                                           |
+         (X's tasklet wakes P)         --> |
+                                           |
+                                           | <-- (P begin to issue DMA Y)
+                                           |
+                                           | <-- (Y calls sg_init_one() to init
+                                           |     scatterlist S)
+                                           |
+
+Signed-off-by: Huang Shijie <b32955@freescale.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-nand.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+@@ -264,8 +264,6 @@ static void dma_irq_callback(void *param
+       struct gpmi_nand_data *this = param;
+       struct completion *dma_c = &this->dma_done;
+-      complete(dma_c);
+-
+       switch (this->dma_type) {
+       case DMA_FOR_COMMAND:
+               dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE);
+@@ -290,6 +288,8 @@ static void dma_irq_callback(void *param
+       default:
+               pr_err("in wrong DMA operation.\n");
+       }
++
++      complete(dma_c);
+ }
+ int start_dma_without_bch_irq(struct gpmi_nand_data *this,
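Review bot: The fix in dma_irq_callback() depends entirely on `complete(dma_c)` being the last statement, but nothing in the code says so. A later cleanup could move it back above the switch and reintroduce the race described in the commit message. I would add a comment above the moved call, for example `/* must be last: the woken waiter may immediately reinitialise the scatterlists unmapped above */`. The `default:` branch only logs and then also reaches complete(), which looks intended so that the waiter is not left blocked, but that is worth stating as well.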
diff --git a/queue-3.10/mtd-map-fixed-bug-in-64-bit-systems.patch b/queue-3.10/mtd-map-fixed-bug-in-64-bit-systems.patch
new file mode 100644 (file)
index 0000000..3eea603
--- /dev/null
@@ -0,0 +1,71 @@
+From a4d62babf988fe5dfde24437fa135ef147bc7aa0 Mon Sep 17 00:00:00 2001
+From: Wang Haitao <wang.haitao1@zte.com.cn>
+Date: Thu, 22 Aug 2013 19:32:38 +0800
+Subject: mtd: map: fixed bug in 64-bit systems
+
+From: Wang Haitao <wang.haitao1@zte.com.cn>
+
+commit a4d62babf988fe5dfde24437fa135ef147bc7aa0 upstream.
+
+Hardware:
+       CPU: XLP832,the 64-bit OS
+       NOR Flash:S29GL128S 128M
+Software:
+       Kernel:2.6.32.41
+       Filesystem:JFFS2
+When writing files, errors appear:
+       Write len 182  but return retlen 180
+       Write of 182 bytes at 0x072c815c failed. returned -5, retlen 180
+       Write len 186  but return retlen 184
+       Write of 186 bytes at 0x072caff4 failed. returned -5, retlen 184
+These errors exist only in 64-bit systems,not in 32-bit systems. After analysis, we
+found that the left shift operation is wrong in map_word_load_partial. For instance:
+       unsigned char buf[3] ={0x9e,0x3a,0xea};
+       map_bankwidth(map) is 4;
+       for (i=0; i < 3; i++) {
+               int bitpos;
+               bitpos = (map_bankwidth(map)-1-i)*8;
+               orig.x[0] &= ~(0xff << bitpos);
+               orig.x[0] |= buf[i] << bitpos;
+       }
+
+The value of orig.x[0] is expected to be 0x9e3aeaff, but in this situation(64-bit
+System) we'll get the wrong value of 0xffffffff9e3aeaff due to the 64-bit sign
+extension:
+buf[i] is defined as "unsigned char" and the left-shift operation will convert it
+to the type of "signed int", so when left-shift buf[i] by 24 bits, the final result
+will get the wrong value: 0xffffffff9e3aeaff.
+
+If the left-shift bits are less than 24, then sign extension will not occur. Whereas
+the bankwidth of the nor flash we used is 4, therefore this BUG emerges.
+
+Signed-off-by: Pang Xunlei <pang.xunlei@zte.com.cn>
+Signed-off-by: Zhang Yi <zhang.yi20@zte.com.cn>
+Signed-off-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mtd/map.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -365,7 +365,7 @@ static inline map_word map_word_load_par
+                       bitpos = (map_bankwidth(map)-1-i)*8;
+ #endif
+                       orig.x[0] &= ~(0xff << bitpos);
+-                      orig.x[0] |= buf[i-start] << bitpos;
++                      orig.x[0] |= (unsigned long)buf[i-start] << bitpos;
+               }
+       }
+       return orig;
+@@ -384,7 +384,7 @@ static inline map_word map_word_ff(struc
+       if (map_bankwidth(map) < MAP_FF_LIMIT) {
+               int bw = 8 * map_bankwidth(map);
+-              r.x[0] = (1 << bw) - 1;
++              r.x[0] = (1UL << bw) - 1;
+       } else {
+               for (i=0; i<map_words(map); i++)
+                       r.x[i] = ~0UL;
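Review bot: In map_word_load_partial() the line just above the fixed one, `orig.x[0] &= ~(0xff << bitpos);`, still shifts an int constant. With bitpos 24, the case from the commit message, that overflows a signed int, and the mask is built at int width before being widened to the unsigned long in `orig.x[0]`. It should use the same type as the corrected lines: `orig.x[0] &= ~(0xffUL << bitpos);`. The same pattern may exist on the other side of the `#endif` and in sibling helpers of this header, which are outside these hunks and worth a look. The function bodies start before and continue after the hunks shown.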
diff --git a/queue-3.10/mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch b/queue-3.10/mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch
new file mode 100644 (file)
index 0000000..a7657d5
--- /dev/null
@@ -0,0 +1,84 @@
+From 4355b70cf48363c50a9de450b01178c83aba8f6a Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Tue, 27 Aug 2013 18:45:10 -0700
+Subject: mtd: nand: hack ONFI for non-power-of-2 dimensions
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 4355b70cf48363c50a9de450b01178c83aba8f6a upstream.
+
+Some bright specification writers decided to write this in the ONFI spec
+(from ONFI 3.0, Section 3.1):
+
+  "The number of blocks and number of pages per block is not required to
+  be a power of two. In the case where one of these values is not a
+  power of two, the corresponding address shall be rounded to an
+  integral number of bits such that it addresses a range up to the
+  subsequent power of two value. The host shall not access upper
+  addresses in a range that is shown as not supported."
+
+This breaks every assumption MTD makes about NAND block/chip-size
+dimensions -- they *must* be a power of two!
+
+And of course, an enterprising manufacturer has made use of this lovely
+freedom. Exhibit A: Micron MT29F32G08CBADAWP
+
+  "- Plane size: 2 planes x 1064 blocks per plane
+   - Device size: 32Gb: 2128 blockss [sic]"
+
+This quickly hits a BUG() in nand_base.c, since the extra dimensions
+overflow so we think it's a second chip (on my single-chip setup):
+
+    ONFI param page 0 valid
+    ONFI flash detected
+    NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744
+    ------------[ cut here ]------------
+    kernel BUG at drivers/mtd/nand/nand_base.c:203!
+    Internal error: Oops - BUG: 0 [#1] SMP ARM
+    [... trim ...]
+    [<c02cf3e4>] (nand_select_chip+0x18/0x2c) from [<c02d25c0>] (nand_do_read_ops+0x90/0x424)
+    [<c02d25c0>] (nand_do_read_ops+0x90/0x424) from [<c02d2dd8>] (nand_read+0x54/0x78)
+    [<c02d2dd8>] (nand_read+0x54/0x78) from [<c02ad2c8>] (mtd_read+0x84/0xbc)
+    [<c02ad2c8>] (mtd_read+0x84/0xbc) from [<c02d4b28>] (scan_read.clone.4+0x4c/0x64)
+    [<c02d4b28>] (scan_read.clone.4+0x4c/0x64) from [<c02d4c88>] (search_bbt+0x148/0x290)
+    [<c02d4c88>] (search_bbt+0x148/0x290) from [<c02d4ea4>] (nand_scan_bbt+0xd4/0x5c0)
+    [... trim ...]
+    ---[ end trace 0c9363860d865ff2 ]---
+
+So to fix this, just truncate these dimensions down to the greatest
+power-of-2 dimension that is less than or equal to the specified
+dimension.
+
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2904,10 +2904,21 @@ static int nand_flash_detect_onfi(struct
+       sanitize_string(p->model, sizeof(p->model));
+       if (!mtd->name)
+               mtd->name = p->model;
++
+       mtd->writesize = le32_to_cpu(p->byte_per_page);
+-      mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize;
++
++      /*
++       * pages_per_block and blocks_per_lun may not be a power-of-2 size
++       * (don't ask me who thought of this...). MTD assumes that these
++       * dimensions will be power-of-2, so just truncate the remaining area.
++       */
++      mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
++      mtd->erasesize *= mtd->writesize;
++
+       mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
+-      chip->chipsize = le32_to_cpu(p->blocks_per_lun);
++
++      /* See erasesize comment */
++      chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
+       chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
+       *busw = 0;
+       if (le16_to_cpu(p->features) & 1)
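Review bot: Both new `1 << (fls(...) - 1)` expressions in nand_flash_detect_onfi() shift by -1 when the ONFI parameter page reports zero for pages_per_block or blocks_per_lun, because fls(0) is 0. That is undefined behaviour on a value read from the flash device. A guard ahead of the erasesize computation, such as `if (!p->pages_per_block || !p->blocks_per_lun)` leading to the function's existing not-detected exit, would reject such a page, and writing `1U <<` avoids a signed overflow if bit 31 is set. The exit path and the parameter-page CRC handling lie outside the hunk, so whether a zero can reach these lines needs confirming there.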
diff --git a/queue-3.10/rtlwifi-fix-endian-error-in-extracting-packet-type.patch b/queue-3.10/rtlwifi-fix-endian-error-in-extracting-packet-type.patch
new file mode 100644 (file)
index 0000000..2dac87d
--- /dev/null
@@ -0,0 +1,163 @@
+From 0c5d63f0ab6728f05ddefa25aff55e31297f95e6 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Sat, 2 Nov 2013 14:28:35 -0500
+Subject: rtlwifi: Fix endian error in extracting packet type
+
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+
+commit 0c5d63f0ab6728f05ddefa25aff55e31297f95e6 upstream.
+
+All of the rtlwifi drivers have an error in the routine that tests if
+the data is "special". If it is, the subsequant transmission will be
+at the lowest rate to enhance reliability. The 16-bit quantity is
+big-endian, but was being extracted in native CPU mode. One of the
+effects of this bug is to inhibit association under some conditions
+as the TX rate is too high.
+
+Based on suggestions by Joe Perches, the entire routine is rewritten.
+
+One of the local headers contained duplicates of some of the ETH_P_XXX
+definitions. These are deleted.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/base.c |   97 +++++++++++++++---------------------
+ drivers/net/wireless/rtlwifi/wifi.h |    6 --
+ 2 files changed, 44 insertions(+), 59 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/base.c
++++ b/drivers/net/wireless/rtlwifi/base.c
+@@ -37,6 +37,7 @@
+ #include <linux/ip.h>
+ #include <linux/module.h>
++#include <linux/udp.h>
+ /*
+  *NOTICE!!!: This file will be very big, we should
+@@ -1066,64 +1067,52 @@ u8 rtl_is_special_data(struct ieee80211_
+       if (!ieee80211_is_data(fc))
+               return false;
++      ip = (const struct iphdr *)(skb->data + mac_hdr_len +
++                                  SNAP_SIZE + PROTOC_TYPE_SIZE);
++      ether_type = be16_to_cpup((__be16 *)
++                                (skb->data + mac_hdr_len + SNAP_SIZE));
++
++      switch (ether_type) {
++      case ETH_P_IP: {
++              struct udphdr *udp;
++              u16 src;
++              u16 dst;
++
++              if (ip->protocol != IPPROTO_UDP)
++                      return false;
++              udp = (struct udphdr *)((u8 *)ip + (ip->ihl << 2));
++              src = be16_to_cpu(udp->source);
++              dst = be16_to_cpu(udp->dest);
++
++              /* If this case involves port 68 (UDP BOOTP client) connecting
++               * with port 67 (UDP BOOTP server), then return true so that
++               * the lowest speed is used.
++               */
++              if (!((src == 68 && dst == 67) || (src == 67 && dst == 68)))
++                      return false;
+-      ip = (struct iphdr *)((u8 *) skb->data + mac_hdr_len +
+-                            SNAP_SIZE + PROTOC_TYPE_SIZE);
+-      ether_type = *(u16 *) ((u8 *) skb->data + mac_hdr_len + SNAP_SIZE);
+-      /*      ether_type = ntohs(ether_type); */
+-
+-      if (ETH_P_IP == ether_type) {
+-              if (IPPROTO_UDP == ip->protocol) {
+-                      struct udphdr *udp = (struct udphdr *)((u8 *) ip +
+-                                                             (ip->ihl << 2));
+-                      if (((((u8 *) udp)[1] == 68) &&
+-                           (((u8 *) udp)[3] == 67)) ||
+-                          ((((u8 *) udp)[1] == 67) &&
+-                           (((u8 *) udp)[3] == 68))) {
+-                              /*
+-                               * 68 : UDP BOOTP client
+-                               * 67 : UDP BOOTP server
+-                               */
+-                              RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV),
+-                                       DBG_DMESG, "dhcp %s !!\n",
+-                                       is_tx ? "Tx" : "Rx");
+-
+-                              if (is_tx) {
+-                                      rtlpriv->enter_ps = false;
+-                                      schedule_work(&rtlpriv->
+-                                                    works.lps_change_work);
+-                                      ppsc->last_delaylps_stamp_jiffies =
+-                                          jiffies;
+-                              }
+-
+-                              return true;
+-                      }
+-              }
+-      } else if (ETH_P_ARP == ether_type) {
+-              if (is_tx) {
+-                      rtlpriv->enter_ps = false;
+-                      schedule_work(&rtlpriv->works.lps_change_work);
+-                      ppsc->last_delaylps_stamp_jiffies = jiffies;
+-              }
+-
+-              return true;
+-      } else if (ETH_P_PAE == ether_type) {
++              RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG,
++                       "dhcp %s !!\n", is_tx ? "Tx" : "Rx");
++              break;
++      }
++      case ETH_P_ARP:
++              break;
++      case ETH_P_PAE:
+               RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG,
+                        "802.1X %s EAPOL pkt!!\n", is_tx ? "Tx" : "Rx");
+-
+-              if (is_tx) {
+-                      rtlpriv->enter_ps = false;
+-                      schedule_work(&rtlpriv->works.lps_change_work);
+-                      ppsc->last_delaylps_stamp_jiffies = jiffies;
+-              }
+-
+-              return true;
+-      } else if (ETH_P_IPV6 == ether_type) {
+-              /* IPv6 */
+-              return true;
++              break;
++      case ETH_P_IPV6:
++              /* TODO: Is this right? */
++              return false;
++      default:
++              return false;
+       }
+-
+-      return false;
++      if (is_tx) {
++              rtlpriv->enter_ps = false;
++              schedule_work(&rtlpriv->works.lps_change_work);
++              ppsc->last_delaylps_stamp_jiffies = jiffies;
++      }
++      return true;
+ }
+ /*********************************************************
+--- a/drivers/net/wireless/rtlwifi/wifi.h
++++ b/drivers/net/wireless/rtlwifi/wifi.h
+@@ -77,11 +77,7 @@
+ #define RTL_SLOT_TIME_9                               9
+ #define RTL_SLOT_TIME_20                      20
+-/*related with tcp/ip. */
+-/*if_ehther.h*/
+-#define ETH_P_PAE             0x888E  /*Port Access Entity (IEEE 802.1X) */
+-#define ETH_P_IP              0x0800  /*Internet Protocol packet */
+-#define ETH_P_ARP             0x0806  /*Address Resolution packet */
++/*related to tcp/ip. */
+ #define SNAP_SIZE             6
+ #define PROTOC_TYPE_SIZE      2
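Review bot: In the rewritten rtl_is_special_data() in base.c, the EtherType, the IP header and the UDP ports are read at offsets derived from `mac_hdr_len` and `ip->ihl`, and the visible lines never compare those offsets with `skb->len`. On the receive side these bytes arrive over the air, so a truncated data frame or an `ihl` below 5 makes the function read past the headers it believes it is parsing, possibly past the buffer. Staged length checks as sketched below keep short EAPOL and ARP frames working while rejecting malformed IPv4 ones; the sketch assumes the skb data is linear at this point. The start of the function, including how `mac_hdr_len` is computed, is outside the hunk.

```c
	if (!ieee80211_is_data(fc))
		return false;
	/* added: the frame must at least hold the SNAP header and EtherType */
	if (skb->len < mac_hdr_len + SNAP_SIZE + PROTOC_TYPE_SIZE)
		return false;
	/* … unchanged: ip and ether_type extraction, switch (ether_type) … */
	case ETH_P_IP: {
		/* … unchanged: udp, src, dst declarations … */
		/* added: fixed IPv4 header present and ihl sane before use */
		if (skb->len < mac_hdr_len + SNAP_SIZE + PROTOC_TYPE_SIZE +
			       sizeof(*ip) || ip->ihl < 5)
			return false;
		if (ip->protocol != IPPROTO_UDP)
			return false;
		/* added: the UDP header must lie inside the frame */
		if (skb->len < mac_hdr_len + SNAP_SIZE + PROTOC_TYPE_SIZE +
			       (ip->ihl << 2) + sizeof(*udp))
			return false;
		/* … unchanged: udp pointer, port comparison, trace … */
```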
diff --git a/queue-3.10/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch b/queue-3.10/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch
new file mode 100644 (file)
index 0000000..6b6afe0
--- /dev/null
@@ -0,0 +1,35 @@
+From dab3df5e88b979f8d09860f873ccfaa7a55758d2 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 25 Sep 2013 12:57:48 -0500
+Subject: rtlwifi: rtl8188ee: Fix smatch warning in rtl8188ee/hw.c
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit dab3df5e88b979f8d09860f873ccfaa7a55758d2 upstream.
+
+Smatch lists the following:
+  CHECK   drivers/net/wireless/rtlwifi/rtl8188ee/hw.c
+drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code.
+drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code.
+
+This info message is the result of a real error due to a missing break statement
+in a "while (1)" loop.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8188ee/hw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8188ee/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8188ee/hw.c
+@@ -143,6 +143,7 @@ static void _rtl88ee_set_fw_clock_on(str
+               } else {
+                       rtlhal->fw_clk_change_in_progress = false;
+                       spin_unlock_bh(&rtlpriv->locks.fw_ps_lock);
++                      break;
+               }
+       }
diff --git a/queue-3.10/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch b/queue-3.10/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch
new file mode 100644 (file)
index 0000000..bc0b07a
--- /dev/null
@@ -0,0 +1,73 @@
+From eafbdde9c5629bea58df07275c5917eb42afbbe7 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 10 Nov 2013 22:11:16 -0600
+Subject: rtlwifi: rtl8192cu: Fix more pointer arithmetic errors
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit eafbdde9c5629bea58df07275c5917eb42afbbe7 upstream.
+
+This driver uses a number of macros to get and set various fields in the
+RX and TX descriptors. To work correctly, a u8 pointer to the descriptor
+must be used; however, in some cases a descriptor structure pointer is used
+instead. In addition, a duplicated statement is removed.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/mac.c |    6 +++---
+ drivers/net/wireless/rtlwifi/rtl8192cu/trx.c |    6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
+@@ -778,7 +778,7 @@ static long _rtl92c_signal_scale_mapping
+ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw,
+                                     struct rtl_stats *pstats,
+-                                    struct rx_desc_92c *pdesc,
++                                    struct rx_desc_92c *p_desc,
+                                     struct rx_fwinfo_92c *p_drvinfo,
+                                     bool packet_match_bssid,
+                                     bool packet_toself,
+@@ -793,11 +793,11 @@ static void _rtl92c_query_rxphystatus(st
+       u32 rssi, total_rssi = 0;
+       bool in_powersavemode = false;
+       bool is_cck_rate;
++      u8 *pdesc = (u8 *)p_desc;
+-      is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc);
++      is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc);
+       pstats->packet_matchbssid = packet_match_bssid;
+       pstats->packet_toself = packet_toself;
+-      pstats->is_cck = is_cck_rate;
+       pstats->packet_beacon = packet_beacon;
+       pstats->is_cck = is_cck_rate;
+       pstats->RX_SIGQ[0] = -1;
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
+@@ -303,10 +303,10 @@ out:
+ bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw,
+                          struct rtl_stats *stats,
+                          struct ieee80211_rx_status *rx_status,
+-                         u8 *p_desc, struct sk_buff *skb)
++                         u8 *pdesc, struct sk_buff *skb)
+ {
+       struct rx_fwinfo_92c *p_drvinfo;
+-      struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc;
++      struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc;
+       u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc);
+       stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc);
+@@ -345,7 +345,7 @@ bool rtl92cu_rx_query_desc(struct ieee80
+       if (phystatus) {
+               p_drvinfo = (struct rx_fwinfo_92c *)(skb->data +
+                                                    stats->rx_bufshift);
+-              rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc,
++              rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc,
+                                                p_drvinfo);
+       }
+       /*rx_status->qual = stats->signal; */
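Review bot: After this change `pdesc` and `p_desc` name the byte view and the struct view of the same RX descriptor in both mac.c and trx.c, and they differ by a single underscore, which invites the same mix-up the commit message describes. The descriptor macros apparently accept any pointer, so the compiler will not flag the wrong one. A more distinct pair such as `desc_bytes` / `desc` would help, or at least a comment at each cast: `/* GET_RX_DESC_* macros need the u8 * view of the descriptor */`. In _rtl92c_query_rxphystatus() it would also help to say why `RX_HAL_IS_CCK_RATE(p_desc)` keeps the struct pointer, since the rest of that function, outside the hunk, presumably uses `pdesc`.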
diff --git a/queue-3.10/rtlwifi-rtl8192se-fix-wrong-assignment.patch b/queue-3.10/rtlwifi-rtl8192se-fix-wrong-assignment.patch
new file mode 100644 (file)
index 0000000..be56bf6
--- /dev/null
@@ -0,0 +1,33 @@
+From 3aef7dde8dcf09e0124f0a2665845a507331972b Mon Sep 17 00:00:00 2001
+From: Felipe Pena <felipensp@gmail.com>
+Date: Fri, 18 Oct 2013 21:52:40 -0300
+Subject: rtlwifi: rtl8192se: Fix wrong assignment
+
+From: Felipe Pena <felipensp@gmail.com>
+
+commit 3aef7dde8dcf09e0124f0a2665845a507331972b upstream.
+
+There is a typo in the struct member name on assignment when checking
+rtlphy->current_chan_bw == HT_CHANNEL_WIDTH_20_40, the check uses pwrgroup_ht40
+for bound limit and uses pwrgroup_ht20 when assigning instead.
+
+Signed-off-by: Felipe Pena <felipensp@gmail.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192se/rf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
+@@ -265,7 +265,7 @@ static void _rtl92s_get_txpower_writeval
+                                   rtlefuse->pwrgroup_ht40
+                                   [RF90_PATH_A][chnl - 1]) {
+                                       pwrdiff_limit[i] =
+-                                        rtlefuse->pwrgroup_ht20
++                                        rtlefuse->pwrgroup_ht40
+                                         [RF90_PATH_A][chnl - 1];
+                               }
+                       } else {
index 748344b10302423f440cbb42371c9602df3e8103..327a9efb86d1af810d27fbc894dc5c0ff3a77be2 100644 (file)
@@ -34,3 +34,27 @@ gpio-rcar-null-dereference-on-error-in-probe.patch
 libata-fix-display-of-sata-speed.patch
 drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch
 vsprintf-check-real-user-group-id-for-pk.patch
+rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch
+rtlwifi-fix-endian-error-in-extracting-packet-type.patch
+rtlwifi-rtl8192se-fix-wrong-assignment.patch
+rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch
+ipc-msg-fix-message-length-check-for-negative-values.patch
+ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch
+ipc-update-locking-scheme-comments.patch
+ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch
+ahci-add-device-ids-for-intel-wildcat-point-lp.patch
+ahci-disabled-fbs-prior-to-issuing-software-reset.patch
+ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch
+iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch
+iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch
+iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch
+ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch
+ib-qib-fix-txselect-regression.patch
+ib-srp-report-receive-errors-correctly.patch
+loop-fix-crash-if-blk_alloc_queue-fails.patch
+loop-fix-crash-when-using-unassigned-loop-device.patch
+mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch
+mtd-map-fixed-bug-in-64-bit-systems.patch
+mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch
+ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch
+xen-blkback-fix-reference-counting.patch
diff --git a/queue-3.10/xen-blkback-fix-reference-counting.patch b/queue-3.10/xen-blkback-fix-reference-counting.patch
new file mode 100644 (file)
index 0000000..169e366
--- /dev/null
@@ -0,0 +1,44 @@
+From ea5ec76d76da9279d12027c1828544c5ccbe7932 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 5 Sep 2013 13:00:14 +0200
+Subject: xen/blkback: fix reference counting
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit ea5ec76d76da9279d12027c1828544c5ccbe7932 upstream.
+
+If the permission check fails, we drop a reference to the blkif without
+having taken it in the first place. The bug was introduced in commit
+604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (xen/blkback: Check device
+permissions before allowing OP_DISCARD).
+
+Cc: Jan Beulich <JBeulich@suse.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/blkback.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -649,6 +649,8 @@ static int dispatch_discard_io(struct xe
+       unsigned long secure;
+       struct phys_req preq;
++      xen_blkif_get(blkif);
++
+       preq.sector_number = req->u.discard.sector_number;
+       preq.nr_sects      = req->u.discard.nr_sectors;
+@@ -661,7 +663,6 @@ static int dispatch_discard_io(struct xe
+       }
+       blkif->st_ds_req++;
+-      xen_blkif_get(blkif);
+       secure = (blkif->vbd.discard_secure &&
+                (req->u.discard.flag & BLKIF_DISCARD_SECURE)) ?
+                BLKDEV_DISCARD_SECURE : 0;