--- /dev/null
+From 24ec19b0ae83a385ad9c55520716da671274b96c Mon Sep 17 00:00:00 2001
+From: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
+Date: Thu, 8 Nov 2012 15:11:11 -0500
+Subject: ext4: fix memory leak in ext4_xattr_set_acl()'s error path
+
+From: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
+
+commit 24ec19b0ae83a385ad9c55520716da671274b96c upstream.
+
+In ext4_xattr_set_acl(), if ext4_journal_start() returns an error,
+posix_acl_release() will not be called for 'acl' which may result in a
+memory leak.
+
+This patch fixes that.
+
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -410,8 +410,10 @@ ext4_xattr_set_acl(struct dentry *dentry
+
+ retry:
+ handle = ext4_journal_start(inode, EXT4_DATA_TRANS_BLOCKS(inode->i_sb));
+- if (IS_ERR(handle))
+- return PTR_ERR(handle);
++ if (IS_ERR(handle)) {
++ error = PTR_ERR(handle);
++ goto release_and_out;
++ }
+ error = ext4_set_acl(handle, inode, type, acl);
+ ext4_journal_stop(handle);
+ if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
--- /dev/null
+From aeb1e5d69a5be592e86a926be73efb38c55af404 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Nov 2012 21:21:22 -0500
+Subject: ext4: fix possible use after free with metadata csum
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit aeb1e5d69a5be592e86a926be73efb38c55af404 upstream.
+
+Commit fa77dcfafeaa introduces block bitmap checksum calculation into
+ext4_new_inode() in the case that block group was uninitialized.
+However we brelse() the bitmap buffer before we attempt to checksum it
+so we have no guarantee that the buffer is still there.
+
+Fix this by releasing the buffer after the possible checksum
+computation.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Acked-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ialloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -734,7 +734,6 @@ got:
+
+ BUFFER_TRACE(block_bitmap_bh, "dirty block bitmap");
+ err = ext4_handle_dirty_metadata(handle, NULL, block_bitmap_bh);
+- brelse(block_bitmap_bh);
+
+ /* recheck and clear flag under lock if we still need to */
+ ext4_lock_group(sb, group);
+@@ -746,6 +745,7 @@ got:
+ gdp);
+ }
+ ext4_unlock_group(sb, group);
++ brelse(block_bitmap_bh);
+
+ if (err)
+ goto fail;
--- /dev/null
+From 3c989d7603872bf878840f7ce3ea49b73bea4c6c Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri, 23 Nov 2012 12:07:39 +0800
+Subject: iscsit: use GFP_ATOMIC under spin lock
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit 3c989d7603872bf878840f7ce3ea49b73bea4c6c upstream.
+
+The function iscsit_build_conn_drop_async_message() is called
+from iscsit_close_connection() with spin lock 'sess->conn_lock'
+held, so we should use GFP_ATOMIC instead of GFP_KERNEL.
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -2359,7 +2359,7 @@ static void iscsit_build_conn_drop_async
+ if (!conn_p)
+ return;
+
+- cmd = iscsit_allocate_cmd(conn_p, GFP_KERNEL);
++ cmd = iscsit_allocate_cmd(conn_p, GFP_ATOMIC);
+ if (!cmd) {
+ iscsit_dec_conn_usage_count(conn_p);
+ return;
--- /dev/null
+From 26cd4d65deba587f3cf2329b6869ce02bcbe68ec Mon Sep 17 00:00:00 2001
+From: Xiaotian Feng <xtfeng@gmail.com>
+Date: Thu, 13 Dec 2012 16:12:18 +0800
+Subject: libata: fix Null pointer dereference on disk error
+
+From: Xiaotian Feng <xtfeng@gmail.com>
+
+commit 26cd4d65deba587f3cf2329b6869ce02bcbe68ec upstream.
+
+Following oops were observed when disk error happened:
+
+[ 4272.896937] sd 0:0:0:0: [sda] Unhandled error code
+[ 4272.896939] sd 0:0:0:0: [sda] Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
+[ 4272.896942] sd 0:0:0:0: [sda] CDB: Read(10): 28 00 00 5a de a7 00 00 08 00
+[ 4272.896951] end_request: I/O error, dev sda, sector 5955239
+[ 4291.574947] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 4291.658305] IP: [] ahci_activity_show+0x1/0x40
+[ 4291.730090] PGD 76dbbc067 PUD 6c4fba067 PMD 0
+[ 4291.783408] Oops: 0000 [#1] SMP
+[ 4291.822100] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/sw_activity
+[ 4291.934235] CPU 9
+[ 4291.958301] Pid: 27942, comm: hwinfo ......
+
+ata_scsi_find_dev could return NULL, so ata_scsi_activity_{show,store} should check if atadev is NULL.
+
+Signed-off-by: Xiaotian Feng <dannyfeng@tencent.com>
+Cc: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-scsi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -309,7 +309,8 @@ ata_scsi_activity_show(struct device *de
+ struct ata_port *ap = ata_shost_to_port(sdev->host);
+ struct ata_device *atadev = ata_scsi_find_dev(ap, sdev);
+
+- if (ap->ops->sw_activity_show && (ap->flags & ATA_FLAG_SW_ACTIVITY))
++ if (atadev && ap->ops->sw_activity_show &&
++ (ap->flags & ATA_FLAG_SW_ACTIVITY))
+ return ap->ops->sw_activity_show(atadev, buf);
+ return -EINVAL;
+ }
+@@ -324,7 +325,8 @@ ata_scsi_activity_store(struct device *d
+ enum sw_activity val;
+ int rc;
+
+- if (ap->ops->sw_activity_store && (ap->flags & ATA_FLAG_SW_ACTIVITY)) {
++ if (atadev && ap->ops->sw_activity_store &&
++ (ap->flags & ATA_FLAG_SW_ACTIVITY)) {
+ val = simple_strtoul(buf, NULL, 0);
+ switch (val) {
+ case OFF: case BLINK_ON: case BLINK_OFF:
--- /dev/null
+From 5416912af75de9cba5d1c75b99a7888b0bbbd2fb Mon Sep 17 00:00:00 2001
+From: Aaron Lu <aaron.lu@intel.com>
+Date: Mon, 3 Dec 2012 11:35:02 +0800
+Subject: libata: set dma_mode to 0xff in reset
+
+From: Aaron Lu <aaron.lu@intel.com>
+
+commit 5416912af75de9cba5d1c75b99a7888b0bbbd2fb upstream.
+
+ata_device->dma_mode's initial value is zero, which is not a valid dma
+mode, but ata_dma_enabled will return true for this value. This patch
+sets dma_mode to 0xff in reset function, so that ata_dma_enabled will
+not return true for this case, or it will cause problem for pata_acpi.
+
+The corrsponding bugzilla page is at:
+https://bugzilla.kernel.org/show_bug.cgi?id=49151
+
+Reported-by: Phillip Wood <phillip.wood@dunelm.org.uk>
+Signed-off-by: Aaron Lu <aaron.lu@intel.com>
+Tested-by: Szymon Janc <szymon@janc.net.pl>
+Tested-by: Dutra Julio <dutra.julio@gmail.com>
+Acked-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 1 +
+ drivers/ata/libata-eh.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2536,6 +2536,7 @@ int ata_bus_probe(struct ata_port *ap)
+ * bus as we may be talking too fast.
+ */
+ dev->pio_mode = XFER_PIO_0;
++ dev->dma_mode = 0xff;
+
+ /* If the controller has a pio mode setup function
+ * then use it to set the chipset to rights. Don't
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2600,6 +2600,7 @@ int ata_eh_reset(struct ata_link *link,
+ * bus as we may be talking too fast.
+ */
+ dev->pio_mode = XFER_PIO_0;
++ dev->dma_mode = 0xff;
+
+ /* If the controller has a pio mode setup function
+ * then use it to set the chipset to rights. Don't
--- /dev/null
+From b9fbb62eb61452d728c39b2e5020739c575aac53 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Date: Fri, 9 Nov 2012 16:15:28 +0000
+Subject: mfd: Only unregister platform devices allocated by the mfd core
+
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+
+commit b9fbb62eb61452d728c39b2e5020739c575aac53 upstream.
+
+mfd_remove_devices would iterate over all devices sharing a parent with
+an mfd device regardless of whether they were allocated by the mfd core
+or not. This especially caused problems when the device structure was
+not contained within a platform_device, because to_platform_device is
+used on each device pointer.
+
+This patch defines a device_type for mfd devices and checks this is
+present from mfd_remove_devices_fn before processing the device.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Tested-by: Peter Tyser <ptyser@xes-inc.com>
+Reviewed-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/mfd-core.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/mfd-core.c
++++ b/drivers/mfd/mfd-core.c
+@@ -19,6 +19,10 @@
+ #include <linux/slab.h>
+ #include <linux/module.h>
+
++static struct device_type mfd_dev_type = {
++ .name = "mfd_device",
++};
++
+ int mfd_cell_enable(struct platform_device *pdev)
+ {
+ const struct mfd_cell *cell = mfd_get_cell(pdev);
+@@ -88,6 +92,7 @@ static int mfd_add_device(struct device
+ goto fail_device;
+
+ pdev->dev.parent = parent;
++ pdev->dev.type = &mfd_dev_type;
+
+ if (cell->pdata_size) {
+ ret = platform_device_add_data(pdev,
+@@ -183,10 +188,16 @@ EXPORT_SYMBOL(mfd_add_devices);
+
+ static int mfd_remove_devices_fn(struct device *dev, void *c)
+ {
+- struct platform_device *pdev = to_platform_device(dev);
+- const struct mfd_cell *cell = mfd_get_cell(pdev);
++ struct platform_device *pdev;
++ const struct mfd_cell *cell;
+ atomic_t **usage_count = c;
+
++ if (dev->type != &mfd_dev_type)
++ return 0;
++
++ pdev = to_platform_device(dev);
++ cell = mfd_get_cell(pdev);
++
+ /* find the base address of usage_count pointers (for freeing) */
+ if (!*usage_count || (cell->usage_count < *usage_count))
+ *usage_count = cell->usage_count;
--- /dev/null
+From fee546ce8cfd9dea1f53175f627e17ef5ff05df4 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Fri, 23 Nov 2012 12:05:33 +0900
+Subject: mfd: wm8994: Add support for WM1811 rev E
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit fee546ce8cfd9dea1f53175f627e17ef5ff05df4 upstream.
+
+This is supported identically to the previous revisions.
+
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/wm8994-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/wm8994-core.c
++++ b/drivers/mfd/wm8994-core.c
+@@ -541,6 +541,7 @@ static __devinit int wm8994_device_init(
+ case 1:
+ case 2:
+ case 3:
++ case 4:
+ regmap_patch = wm1811_reva_patch;
+ patch_regs = ARRAY_SIZE(wm1811_reva_patch);
+ break;
--- /dev/null
+From 3100d49d3cd236443faae9d81137c81b22d36003 Mon Sep 17 00:00:00 2001
+From: Mikael Pettersson <mikpe@it.uu.se>
+Date: Sun, 16 Sep 2012 20:53:43 +0200
+Subject: sata_promise: fix hardreset lockdep error
+
+From: Mikael Pettersson <mikpe@it.uu.se>
+
+commit 3100d49d3cd236443faae9d81137c81b22d36003 upstream.
+
+sata_promise's pdc_hard_reset_port() needs to serialize because it
+flips a port-specific bit in controller register that's shared by
+all ports. The code takes the ata host lock for this, but that's
+broken because an interrupt may arrive on our irq during the hard
+reset sequence, and that too will take the ata host lock. With
+lockdep enabled a big nasty warning is seen.
+
+Fixed by adding private state to the ata host structure, containing
+a second lock used only for serializing the hard reset sequences.
+This eliminated the lockdep warnings both on my test rig and on
+the original reporter's machine.
+
+Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
+Tested-by: Adko Branil <adkobranil@yahoo.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_promise.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_promise.c
++++ b/drivers/ata/sata_promise.c
+@@ -147,6 +147,10 @@ struct pdc_port_priv {
+ dma_addr_t pkt_dma;
+ };
+
++struct pdc_host_priv {
++ spinlock_t hard_reset_lock;
++};
++
+ static int pdc_sata_scr_read(struct ata_link *link, unsigned int sc_reg, u32 *val);
+ static int pdc_sata_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
+ static int pdc_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
+@@ -801,9 +805,10 @@ static void pdc_hard_reset_port(struct a
+ void __iomem *host_mmio = ap->host->iomap[PDC_MMIO_BAR];
+ void __iomem *pcictl_b1_mmio = host_mmio + PDC_PCI_CTL + 1;
+ unsigned int ata_no = pdc_ata_port_to_ata_no(ap);
++ struct pdc_host_priv *hpriv = ap->host->private_data;
+ u8 tmp;
+
+- spin_lock(&ap->host->lock);
++ spin_lock(&hpriv->hard_reset_lock);
+
+ tmp = readb(pcictl_b1_mmio);
+ tmp &= ~(0x10 << ata_no);
+@@ -814,7 +819,7 @@ static void pdc_hard_reset_port(struct a
+ writeb(tmp, pcictl_b1_mmio);
+ readb(pcictl_b1_mmio); /* flush */
+
+- spin_unlock(&ap->host->lock);
++ spin_unlock(&hpriv->hard_reset_lock);
+ }
+
+ static int pdc_sata_hardreset(struct ata_link *link, unsigned int *class,
+@@ -1182,6 +1187,7 @@ static int pdc_ata_init_one(struct pci_d
+ const struct ata_port_info *pi = &pdc_port_info[ent->driver_data];
+ const struct ata_port_info *ppi[PDC_MAX_PORTS];
+ struct ata_host *host;
++ struct pdc_host_priv *hpriv;
+ void __iomem *host_mmio;
+ int n_ports, i, rc;
+ int is_sataii_tx4;
+@@ -1218,6 +1224,11 @@ static int pdc_ata_init_one(struct pci_d
+ dev_err(&pdev->dev, "failed to allocate host\n");
+ return -ENOMEM;
+ }
++ hpriv = devm_kzalloc(&pdev->dev, sizeof *hpriv, GFP_KERNEL);
++ if (!hpriv)
++ return -ENOMEM;
++ spin_lock_init(&hpriv->hard_reset_lock);
++ host->private_data = hpriv;
+ host->iomap = pcim_iomap_table(pdev);
+
+ is_sataii_tx4 = pdc_is_sataii_tx4(pi->flags);
--- /dev/null
+From 95ab000388974d8ffef8257306b4be6e8778b768 Mon Sep 17 00:00:00 2001
+From: Jianpeng Ma <majianpeng@gmail.com>
+Date: Sat, 4 Aug 2012 10:34:14 +0800
+Subject: SCSI: mvsas: Fix oops when ata commond timeout.
+
+From: Jianpeng Ma <majianpeng@gmail.com>
+
+commit 95ab000388974d8ffef8257306b4be6e8778b768 upstream.
+
+Kernel message follows:
+
+[ 511.712011] sd 11:0:0:0: [sdf] command ffff8800a4e81400 timed out
+[ 511.712022] sas: Enter sas_scsi_recover_host busy: 1 failed: 1
+[ 511.712024] sas: trying to find task 0xffff8800a4d24c80
+[ 511.712026] sas: sas_scsi_find_task: aborting task 0xffff8800a4d24c80
+[ 511.712029] drivers/scsi/mvsas/mv_sas.c 1631:mvs_abort_task()
+mvi=ffff8800b5300000 task=ffff8800a4d24c80 slot=ffff8800b5325038
+slot_idx=x0
+[ 511.712035] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000058
+[ 511.712040] IP: [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
+[ 511.712047] PGD 0
+[ 511.712049] Oops: 0002 [#1] SMP
+[ 511.712052] Modules linked in: mvsas libsas scsi_transport_sas
+raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq
+async_tx [last unloaded: mvsas]
+[ 511.712062] CPU 3
+[ 511.712066] Pid: 7322, comm: scsi_eh_11 Not tainted 3.5.0+ #106 To Be
+Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M.
+[ 511.712068] RIP: 0010:[<ffffffff815f8c0c>] [<ffffffff815f8c0c>]
+_raw_spin_lock_irqsave+0xc/0x30
+[ 511.712073] RSP: 0018:ffff880098d3bcb0 EFLAGS: 00010086
+[ 511.712074] RAX: 0000000000000286 RBX: 0000000000000058 RCX:
+00000000000000c3
+[ 511.712076] RDX: 0000000000000100 RSI: 0000000000000046 RDI:
+0000000000000058
+[ 511.712078] RBP: ffff880098d3bcb0 R08: 000000000000000a R09:
+0000000000000000
+[ 511.712080] R10: 00000000000004e8 R11: 00000000000004e7 R12:
+ffff8800a4d24c80
+[ 511.712082] R13: 0000000000000050 R14: ffff8800b5325038 R15:
+ffff8800a4eafe00
+[ 511.712084] FS: 0000000000000000(0000) GS:ffff8800bdb80000(0000)
+knlGS:0000000000000000
+[ 511.712086] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 511.712088] CR2: 0000000000000058 CR3: 00000000a4ce6000 CR4:
+00000000000407e0
+[ 511.712090] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 511.712091] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
+0000000000000400
+[ 511.712093] Process scsi_eh_11 (pid: 7322, threadinfo
+ffff880098d3a000, task ffff8800a61dde40)
+[ 511.712095] Stack:
+[ 511.712096] ffff880098d3bce0 ffffffff81060683 ffff880000000000
+0000000000000000
+[ 511.712099] ffff8800a4d24c80 ffff8800b5300000 ffff880098d3bcf0
+ffffffffa0076a88
+[ 511.712102] ffff880098d3bd50 ffffffffa0079bb5 ffff880000000000
+ffff880000000018
+[ 511.712106] Call Trace:
+[ 511.712110] [<ffffffff81060683>] complete+0x23/0x60
+[ 511.712115] [<ffffffffa0076a88>] mvs_tmf_timedout+0x18/0x20 [mvsas]
+[ 511.712119] [<ffffffffa0079bb5>] mvs_slot_complete+0x765/0x7d0
+[mvsas]
+[ 511.712125] [<ffffffffa005a17d>] sas_scsi_recover_host+0x55d/0xdb0
+[libsas]
+[ 511.712128] [<ffffffff8106d600>] ? idle_balance+0xe0/0x130
+[ 511.712133] [<ffffffff813b150c>] scsi_error_handler+0xcc/0x470
+[ 511.712136] [<ffffffff815f7ad0>] ? __schedule+0x370/0x730
+[ 511.712139] [<ffffffff8105f728>] ? __wake_up_common+0x58/0x90
+[ 511.712142] [<ffffffff813b1440>] ? scsi_eh_get_sense+0x110/0x110
+[ 511.712146] [<ffffffff810571be>] kthread+0x8e/0xa0
+[ 511.712150] [<ffffffff816015f4>] kernel_thread_helper+0x4/0x10
+[ 511.712153] [<ffffffff81057130>] ? flush_kthread_work+0x120/0x120
+[ 511.712156] [<ffffffff816015f0>] ? gs_change+0xb/0xb
+[ 511.712157] Code: 8a 00 01 00 00 89 d0 f0 66 0f b1 0f 66 39 d0 0f 94
+c0 0f b6 c0 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 9c 58 fa ba 00 01
+00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 74 11 0f 1f 84 00 00 00 00 00 f3
+[ 511.712191] RIP [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
+[ 511.712194] RSP <ffff880098d3bcb0>
+[ 511.712196] CR2: 0000000000000058
+[ 511.712198] ---[ end trace a781c7b1e65db92c ]---
+
+Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Cc: CAI Qian <caiqian@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mvsas/mv_sas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -1629,7 +1629,7 @@ int mvs_abort_task(struct sas_task *task
+ mv_dprintk("mvs_abort_task() mvi=%p task=%p "
+ "slot=%p slot_idx=x%x\n",
+ mvi, task, slot, slot_idx);
+- mvs_tmf_timedout((unsigned long)task);
++ task->task_state_flags |= SAS_TASK_STATE_ABORTED;
+ mvs_slot_task_free(mvi, task, slot, slot_idx);
+ rc = TMF_RESP_FUNC_COMPLETE;
+ goto out;
--- /dev/null
+From beecadea1b8d67f591b13f7099559f32f3fd601d Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Fri, 16 Nov 2012 14:40:03 -0500
+Subject: SCSI: mvsas: fix undefined bit shift
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit beecadea1b8d67f591b13f7099559f32f3fd601d upstream.
+
+The macro bit(n) is defined as ((u32)1 << n), and thus it doesn't work
+with n >= 32, such as in mvs_94xx_assign_reg_set():
+
+ if (i >= 32) {
+ mvi->sata_reg_set |= bit(i);
+ ...
+ }
+
+The shift ((u32)1 << n) with n >= 32 also leads to undefined behavior.
+The result varies depending on the architecture.
+
+This patch changes bit(n) to do a 64-bit shift. It also simplifies
+mv_ffc64() using __ffs64(), since invoking ffz() with ~0 is undefined.
+
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Acked-by: Xiangliang Yu <yuxiangl@marvell.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mvsas/mv_94xx.h | 14 ++------------
+ drivers/scsi/mvsas/mv_sas.h | 2 +-
+ 2 files changed, 3 insertions(+), 13 deletions(-)
+
+--- a/drivers/scsi/mvsas/mv_94xx.h
++++ b/drivers/scsi/mvsas/mv_94xx.h
+@@ -258,21 +258,11 @@ enum sas_sata_phy_regs {
+ #define SPI_ADDR_VLD_94XX (1U << 1)
+ #define SPI_CTRL_SpiStart_94XX (1U << 0)
+
+-#define mv_ffc(x) ffz(x)
+-
+ static inline int
+ mv_ffc64(u64 v)
+ {
+- int i;
+- i = mv_ffc((u32)v);
+- if (i >= 0)
+- return i;
+- i = mv_ffc((u32)(v>>32));
+-
+- if (i != 0)
+- return 32 + i;
+-
+- return -1;
++ u64 x = ~v;
++ return x ? __ffs64(x) : -1;
+ }
+
+ #define r_reg_set_enable(i) \
+--- a/drivers/scsi/mvsas/mv_sas.h
++++ b/drivers/scsi/mvsas/mv_sas.h
+@@ -69,7 +69,7 @@ extern struct kmem_cache *mvs_task_list_
+ #define DEV_IS_EXPANDER(type) \
+ ((type == EDGE_DEV) || (type == FANOUT_DEV))
+
+-#define bit(n) ((u32)1 << n)
++#define bit(n) ((u64)1 << n)
+
+ #define for_each_phy(__lseq_mask, __mc, __lseq) \
+ for ((__mc) = (__lseq_mask), (__lseq) = 0; \
--- /dev/null
+From 072f19b4bea31cdd482d79f805413f2f9ac9e233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Thu, 15 Nov 2012 15:51:46 -0500
+Subject: SCSI: prevent stack buffer overflow in host_reset
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 072f19b4bea31cdd482d79f805413f2f9ac9e233 upstream.
+
+store_host_reset() has tried to re-invent the wheel to compare sysfs strings.
+Unfortunately it did so poorly and never bothered to check the input from
+userspace before overwriting stack with it, so something simple as:
+
+echo "WoopsieWoopsie" >
+/sys/devices/pseudo_0/adapter0/host0/scsi_host/host0/host_reset
+
+would result in:
+
+[ 316.310101] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81f5bac7
+[ 316.310101]
+[ 316.320051] Pid: 6655, comm: sh Tainted: G W 3.7.0-rc5-next-20121114-sasha-00016-g5c9d68d-dirty #129
+[ 316.320051] Call Trace:
+[ 316.340058] pps pps0: PPS event at 1352918752.620355751
+[ 316.340062] pps pps0: capture assert seq #303
+[ 316.320051] [<ffffffff83b3856b>] panic+0xcd/0x1f4
+[ 316.320051] [<ffffffff81f5bac7>] ? store_host_reset+0xd7/0x100
+[ 316.320051] [<ffffffff8110b996>] __stack_chk_fail+0x16/0x20
+[ 316.320051] [<ffffffff81f5bac7>] store_host_reset+0xd7/0x100
+[ 316.320051] [<ffffffff81e55bb3>] dev_attr_store+0x13/0x30
+[ 316.320051] [<ffffffff812f7db1>] sysfs_write_file+0x101/0x170
+[ 316.320051] [<ffffffff8127acc8>] vfs_write+0xb8/0x180
+[ 316.320051] [<ffffffff8127ae80>] sys_write+0x50/0xa0
+[ 316.320051] [<ffffffff83c03418>] tracesys+0xe1/0xe6
+
+Fix this by uninventing whatever was going on there and just use sysfs_streq.
+
+Bug introduced by 29443691 ("[SCSI] scsi: Added support for adapter and
+firmware reset").
+
+[jejb: added necessary const to prevent compile warnings]
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_sysfs.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -246,11 +246,11 @@ show_shost_active_mode(struct device *de
+
+ static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL);
+
+-static int check_reset_type(char *str)
++static int check_reset_type(const char *str)
+ {
+- if (strncmp(str, "adapter", 10) == 0)
++ if (sysfs_streq(str, "adapter"))
+ return SCSI_ADAPTER_RESET;
+- else if (strncmp(str, "firmware", 10) == 0)
++ else if (sysfs_streq(str, "firmware"))
+ return SCSI_FIRMWARE_RESET;
+ else
+ return 0;
+@@ -263,12 +263,9 @@ store_host_reset(struct device *dev, str
+ struct Scsi_Host *shost = class_to_shost(dev);
+ struct scsi_host_template *sht = shost->hostt;
+ int ret = -EINVAL;
+- char str[10];
+ int type;
+
+- sscanf(buf, "%s", str);
+- type = check_reset_type(str);
+-
++ type = check_reset_type(buf);
+ if (!type)
+ goto exit_store_host_reset;
+
--- /dev/null
+From a394aac88506159e047630fc90dc2242568382d8 Mon Sep 17 00:00:00 2001
+From: David Jeffery <djeffery@redhat.com>
+Date: Wed, 21 Nov 2012 02:39:54 -0500
+Subject: SCSI: qla2xxx: Test and clear FCPORT_UPDATE_NEEDED atomically.
+
+From: David Jeffery <djeffery@redhat.com>
+
+commit a394aac88506159e047630fc90dc2242568382d8 upstream.
+
+When the qla2xxx driver loses access to multiple, remote ports, there is a race
+condition which can occur which will keep the request stuck on a scsi request
+queue indefinitely.
+
+This bad state occurred do to a race condition with how the FCPORT_UPDATE_NEEDED
+bit is set in qla2x00_schedule_rport_del(), and how it is cleared in
+qla2x00_do_dpc(). The problem port has its drport pointer set, but it has never
+been processed by the driver to inform the fc transport that the port has been
+lost. qla2x00_schedule_rport_del() sets drport, and then sets the
+FCPORT_UPDATE_NEEDED bit. In qla2x00_do_dpc(), the port lists are walked and
+any drport pointer is handled and the fc transport informed of the port loss,
+then the FCPORT_UPDATE_NEEDED bit is cleared. This leaves a race where the
+dpc thread is processing one port removal, another port removal is marked
+with a call to qla2x00_schedule_rport_del(), and the dpc thread clears the
+bit for both removals, even though only the first removal was actually
+handled. Until another event occurs to set FCPORT_UPDATE_NEEDED, the later
+port removal is never finished and qla2xxx stays in a bad state which causes
+requests to become stuck on request queues.
+
+This patch updates the driver to test and clear FCPORT_UPDATE_NEEDED
+atomically. This ensures the port state changes are processed and not lost.
+
+Signed-off-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3735,9 +3735,9 @@ qla2x00_do_dpc(void *data)
+ "ISP abort end.\n");
+ }
+
+- if (test_bit(FCPORT_UPDATE_NEEDED, &base_vha->dpc_flags)) {
++ if (test_and_clear_bit(FCPORT_UPDATE_NEEDED,
++ &base_vha->dpc_flags)) {
+ qla2x00_update_fcports(base_vha);
+- clear_bit(FCPORT_UPDATE_NEEDED, &base_vha->dpc_flags);
+ }
+
+ if (test_bit(ISP_QUIESCE_NEEDED, &base_vha->dpc_flags)) {
ath9k_hw-fix-signal-strength-channel-noise-reporting.patch
firewire-net-fix-handling-of-fragmented-multicast-broadcast-packets.patch
asoc-sigmadsp-fix-endianness-conversion-issue.patch
+scsi-mvsas-fix-oops-when-ata-commond-timeout.patch
+scsi-mvsas-fix-undefined-bit-shift.patch
+scsi-prevent-stack-buffer-overflow-in-host_reset.patch
+scsi-qla2xxx-test-and-clear-fcport_update_needed-atomically.patch
+iscsit-use-gfp_atomic-under-spin-lock.patch
+sata_promise-fix-hardreset-lockdep-error.patch
+libata-set-dma_mode-to-0xff-in-reset.patch
+libata-fix-null-pointer-dereference-on-disk-error.patch
+target-tcm_fc-fix-the-lockdep-warning-due-to-inconsistent-lock-state.patch
+mfd-wm8994-add-support-for-wm1811-rev-e.patch
+mfd-only-unregister-platform-devices-allocated-by-the-mfd-core.patch
+ext4-fix-memory-leak-in-ext4_xattr_set_acl-s-error-path.patch
+ext4-fix-possible-use-after-free-with-metadata-csum.patch
--- /dev/null
+From 9f4ad44b264f8bb61ffdd607148215566568430d Mon Sep 17 00:00:00 2001
+From: Yi Zou <yi.zou@intel.com>
+Date: Mon, 10 Dec 2012 17:04:00 -0800
+Subject: target/tcm_fc: fix the lockdep warning due to inconsistent lock state
+
+From: Yi Zou <yi.zou@intel.com>
+
+commit 9f4ad44b264f8bb61ffdd607148215566568430d upstream.
+
+The lockdep warning below is in theory correct but it will be in really weird
+rare situation that ends up that deadlock since the tcm fc session is hashed
+based the rport id. Nonetheless, the complaining below is about rcu callback
+that does the transport_deregister_session() is happening in softirq, where
+transport_register_session() that happens earlier is not. This triggers the
+lockdep warning below. So, just fix this to make lockdep happy by disabling
+the soft irq before calling transport_register_session() in ft_prli.
+
+BTW, this was found in FCoE VN2VN over two VMs, couple of create and destroy
+would get this triggered.
+
+v1: was enforcing register to be in softirq context which was not righ. See,
+http://www.spinics.net/lists/target-devel/msg03614.html
+
+v2: following comments from Roland&Nick (thanks), it seems we don't have to
+do transport_deregister_session() in rcu callback, so move it into ft_sess_free()
+but still do kfree() of the corresponding ft_sess struct in rcu callback to
+make sure the ft_sess is not freed till the rcu callback.
+
+...
+[ 1328.370592] scsi2 : FCoE Driver
+[ 1328.383429] fcoe: No FDMI support.
+[ 1328.384509] host2: libfc: Link up on port (000000)
+[ 1328.934229] host2: Assigned Port ID 00a292
+[ 1357.232132] host2: rport 00a393: Remove port
+[ 1357.232568] host2: rport 00a393: Port sending LOGO from Ready state
+[ 1357.233692] host2: rport 00a393: Delete port
+[ 1357.234472] host2: rport 00a393: work event 3
+[ 1357.234969] host2: rport 00a393: callback ev 3
+[ 1357.235979] host2: rport 00a393: Received a LOGO response closed
+[ 1357.236706] host2: rport 00a393: work delete
+[ 1357.237481]
+[ 1357.237631] =================================
+[ 1357.238064] [ INFO: inconsistent lock state ]
+[ 1357.238450] 3.7.0-rc7-yikvm+ #3 Tainted: G O
+[ 1357.238450] ---------------------------------
+[ 1357.238450] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+[ 1357.238450] ksoftirqd/0/3 [HC0[0]:SC1[1]:HE0:SE0] takes:
+[ 1357.238450] (&(&se_tpg->session_lock)->rlock){+.?...}, at: [<ffffffffa01eacd4>] transport_deregister_session+0x41/0x148 [target_core_mod]
+[ 1357.238450] {SOFTIRQ-ON-W} state was registered at:
+[ 1357.238450] [<ffffffff810834f5>] mark_held_locks+0x6d/0x95
+[ 1357.238450] [<ffffffff8108364a>] trace_hardirqs_on_caller+0x12d/0x197
+[ 1357.238450] [<ffffffff810836c1>] trace_hardirqs_on+0xd/0xf
+[ 1357.238450] [<ffffffff8149caba>] _raw_spin_unlock_irq+0x2d/0x45
+[ 1357.238450] [<ffffffffa01e8d10>] __transport_register_session+0xb8/0x122 [target_core_mod]
+[ 1357.238450] [<ffffffffa01e8dbe>] transport_register_session+0x44/0x5a [target_core_mod]
+[ 1357.238450] [<ffffffffa018e32c>] ft_prli+0x1e3/0x275 [tcm_fc]
+[ 1357.238450] [<ffffffffa0160e8d>] fc_rport_recv_req+0x95e/0xdc5 [libfc]
+[ 1357.238450] [<ffffffffa015be88>] fc_lport_recv_els_req+0xc4/0xd5 [libfc]
+[ 1357.238450] [<ffffffffa015c778>] fc_lport_recv_req+0x12f/0x18f [libfc]
+[ 1357.238450] [<ffffffffa015a6d7>] fc_exch_recv+0x8ba/0x981 [libfc]
+[ 1357.238450] [<ffffffffa0176d7a>] fcoe_percpu_receive_thread+0x47a/0x4e2 [fcoe]
+[ 1357.238450] [<ffffffff810549f1>] kthread+0xb1/0xb9
+[ 1357.238450] [<ffffffff814a40ec>] ret_from_fork+0x7c/0xb0
+[ 1357.238450] irq event stamp: 275411
+[ 1357.238450] hardirqs last enabled at (275410): [<ffffffff810bb6a0>] rcu_process_callbacks+0x229/0x42a
+[ 1357.238450] hardirqs last disabled at (275411): [<ffffffff8149c2f7>] _raw_spin_lock_irqsave+0x22/0x8e
+[ 1357.238450] softirqs last enabled at (275394): [<ffffffff8103d669>] __do_softirq+0x246/0x26f
+[ 1357.238450] softirqs last disabled at (275399): [<ffffffff8103d6bb>] run_ksoftirqd+0x29/0x62
+[ 1357.238450]
+[ 1357.238450] other info that might help us debug this:
+[ 1357.238450] Possible unsafe locking scenario:
+[ 1357.238450]
+[ 1357.238450] CPU0
+[ 1357.238450] ----
+[ 1357.238450] lock(&(&se_tpg->session_lock)->rlock);
+[ 1357.238450] <Interrupt>
+[ 1357.238450] lock(&(&se_tpg->session_lock)->rlock);
+[ 1357.238450]
+[ 1357.238450] *** DEADLOCK ***
+[ 1357.238450]
+[ 1357.238450] no locks held by ksoftirqd/0/3.
+[ 1357.238450]
+[ 1357.238450] stack backtrace:
+[ 1357.238450] Pid: 3, comm: ksoftirqd/0 Tainted: G O 3.7.0-rc7-yikvm+ #3
+[ 1357.238450] Call Trace:
+[ 1357.238450] [<ffffffff8149399a>] print_usage_bug+0x1f5/0x206
+[ 1357.238450] [<ffffffff8100da59>] ? save_stack_trace+0x2c/0x49
+[ 1357.238450] [<ffffffff81082aae>] ? print_irq_inversion_bug.part.14+0x1ae/0x1ae
+[ 1357.238450] [<ffffffff81083336>] mark_lock+0x106/0x258
+[ 1357.238450] [<ffffffff81084e34>] __lock_acquire+0x2e7/0xe53
+[ 1357.238450] [<ffffffff8102903d>] ? pvclock_clocksource_read+0x48/0xb4
+[ 1357.238450] [<ffffffff810ba6a3>] ? rcu_process_gp_end+0xc0/0xc9
+[ 1357.238450] [<ffffffffa01eacd4>] ? transport_deregister_session+0x41/0x148 [target_core_mod]
+[ 1357.238450] [<ffffffff81085ef1>] lock_acquire+0x119/0x143
+[ 1357.238450] [<ffffffffa01eacd4>] ? transport_deregister_session+0x41/0x148 [target_core_mod]
+[ 1357.238450] [<ffffffff8149c329>] _raw_spin_lock_irqsave+0x54/0x8e
+[ 1357.238450] [<ffffffffa01eacd4>] ? transport_deregister_session+0x41/0x148 [target_core_mod]
+[ 1357.238450] [<ffffffffa01eacd4>] transport_deregister_session+0x41/0x148 [target_core_mod]
+[ 1357.238450] [<ffffffff810bb6a0>] ? rcu_process_callbacks+0x229/0x42a
+[ 1357.238450] [<ffffffffa018ddc5>] ft_sess_rcu_free+0x17/0x24 [tcm_fc]
+[ 1357.238450] [<ffffffffa018ddae>] ? ft_sess_free+0x1b/0x1b [tcm_fc]
+[ 1357.238450] [<ffffffff810bb6d7>] rcu_process_callbacks+0x260/0x42a
+[ 1357.238450] [<ffffffff8103d55d>] __do_softirq+0x13a/0x26f
+[ 1357.238450] [<ffffffff8149b34e>] ? __schedule+0x65f/0x68e
+[ 1357.238450] [<ffffffff8103d6bb>] run_ksoftirqd+0x29/0x62
+[ 1357.238450] [<ffffffff8105c83c>] smpboot_thread_fn+0x1a5/0x1aa
+[ 1357.238450] [<ffffffff8105c697>] ? smpboot_unregister_percpu_thread+0x47/0x47
+[ 1357.238450] [<ffffffff810549f1>] kthread+0xb1/0xb9
+[ 1357.238450] [<ffffffff8149b49d>] ? wait_for_common+0xbb/0x10a
+[ 1357.238450] [<ffffffff81054940>] ? __init_kthread_worker+0x59/0x59
+[ 1357.238450] [<ffffffff814a40ec>] ret_from_fork+0x7c/0xb0
+[ 1357.238450] [<ffffffff81054940>] ? __init_kthread_worker+0x59/0x59
+[ 1417.440099] rport-2:0-0: blocked FC remote port time out: removing rport
+
+Signed-off-by: Yi Zou <yi.zou@intel.com>
+Cc: Open-FCoE <devel@open-fcoe.org>
+Cc: Nicholas A. Bellinger <nab@risingtidesystems.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/tcm_fc/tfc_sess.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/tcm_fc/tfc_sess.c
++++ b/drivers/target/tcm_fc/tfc_sess.c
+@@ -431,7 +431,6 @@ static void ft_sess_rcu_free(struct rcu_
+ {
+ struct ft_sess *sess = container_of(rcu, struct ft_sess, rcu);
+
+- transport_deregister_session(sess->se_sess);
+ kfree(sess);
+ }
+
+@@ -439,6 +438,7 @@ static void ft_sess_free(struct kref *kr
+ {
+ struct ft_sess *sess = container_of(kref, struct ft_sess, kref);
+
++ transport_deregister_session(sess->se_sess);
+ call_rcu(&sess->rcu, ft_sess_rcu_free);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
