--- /dev/null
+From 766a78882ddf79b162243649d7dfdbac1fb6fb88 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Wed, 28 Jan 2015 12:07:46 +0000
+Subject: dm cache: fix missing ERR_PTR returns and handling
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 766a78882ddf79b162243649d7dfdbac1fb6fb88 upstream.
+
+Commit 9b1cc9f251 ("dm cache: share cache-metadata object across
+inactive and active DM tables") mistakenly ignored the use of ERR_PTR
+returns. Restore missing IS_ERR checks and ERR_PTR returns where
+appropriate.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-metadata.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -683,7 +683,7 @@ static struct dm_cache_metadata *metadat
+ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
+ if (!cmd) {
+ DMERR("could not allocate metadata struct");
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ }
+
+ atomic_set(&cmd->ref_count, 1);
+@@ -745,7 +745,7 @@ static struct dm_cache_metadata *lookup_
+ return cmd;
+
+ cmd = metadata_open(bdev, data_block_size, may_format_device, policy_hint_size);
+- if (cmd) {
++ if (!IS_ERR(cmd)) {
+ mutex_lock(&table_lock);
+ cmd2 = lookup(bdev);
+ if (cmd2) {
+@@ -780,9 +780,10 @@ struct dm_cache_metadata *dm_cache_metad
+ {
+ struct dm_cache_metadata *cmd = lookup_or_open(bdev, data_block_size,
+ may_format_device, policy_hint_size);
+- if (cmd && !same_params(cmd, data_block_size)) {
++
++ if (!IS_ERR(cmd) && !same_params(cmd, data_block_size)) {
+ dm_cache_metadata_close(cmd);
+- return NULL;
++ return ERR_PTR(-EINVAL);
+ }
+
+ return cmd;
--- /dev/null
+From 2a7eaea02b99b6e267b1e89c79acc6e9a51cee3b Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Mon, 26 Jan 2015 11:38:21 +0000
+Subject: dm thin: don't allow messages to be sent to a pool target in READ_ONLY or FAIL mode
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 2a7eaea02b99b6e267b1e89c79acc6e9a51cee3b upstream.
+
+You can't modify the metadata in these modes. It's better to fail these
+messages immediately than let the block-manager deny write locks on
+metadata blocks. Otherwise these failed metadata changes will trigger
+'needs_check' to get set in the metadata superblock -- requiring repair
+using the thin_check utility.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -2744,6 +2744,12 @@ static int pool_message(struct dm_target
+ struct pool_c *pt = ti->private;
+ struct pool *pool = pt->pool;
+
++ if (get_pool_mode(pool) >= PM_READ_ONLY) {
++ DMERR("%s: unable to service pool target messages in READ_ONLY or FAIL mode",
++ dm_device_name(pool->pool_md));
++ return -EINVAL;
++ }
++
+ if (!strcasecmp(argv[0], "create_thin"))
+ r = process_create_thin_mesg(argc, argv, pool);
+
--- /dev/null
+From 02a54164c52ed6eca3089a0d402170fbf34d6cf5 Mon Sep 17 00:00:00 2001
+From: Mugunthan V N <mugunthanvnm@ti.com>
+Date: Thu, 22 Jan 2015 15:19:22 +0530
+Subject: drivers: net: cpsw: discard dual emac default vlan configuration
+
+From: Mugunthan V N <mugunthanvnm@ti.com>
+
+commit 02a54164c52ed6eca3089a0d402170fbf34d6cf5 upstream.
+
+In Dual EMAC, the default VLANs are used to segregate Rx packets between
+the ports, so adding the same default VLAN to the switch will affect the
+normal packet transfers. So returning error on addition of dual EMAC
+default VLANs.
+
+Even if EMAC 0 default port VLAN is added to EMAC 1, it will lead to
+break dual EMAC port separations.
+
+Fixes: d9ba8f9e6298 (driver: net: ethernet: cpsw: dual emac interface implementation)
+Reported-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/ti/cpsw.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -1610,6 +1610,19 @@ static int cpsw_ndo_vlan_rx_add_vid(stru
+ if (vid == priv->data.default_vlan)
+ return 0;
+
++ if (priv->data.dual_emac) {
++ /* In dual EMAC, reserved VLAN id should not be used for
++ * creating VLAN interfaces as this can break the dual
++ * EMAC port separation
++ */
++ int i;
++
++ for (i = 0; i < priv->data.slaves; i++) {
++ if (vid == priv->slaves[i].port_vlan)
++ return -EINVAL;
++ }
++ }
++
+ dev_info(priv->dev, "Adding vlanid %d to vlan filter\n", vid);
+ return cpsw_add_vlan_ale_entry(priv, vid);
+ }
+@@ -1623,6 +1636,15 @@ static int cpsw_ndo_vlan_rx_kill_vid(str
+ if (vid == priv->data.default_vlan)
+ return 0;
+
++ if (priv->data.dual_emac) {
++ int i;
++
++ for (i = 0; i < priv->data.slaves; i++) {
++ if (vid == priv->slaves[i].port_vlan)
++ return -EINVAL;
++ }
++ }
++
+ dev_info(priv->dev, "removing vlanid %d from vlan filter\n", vid);
+ ret = cpsw_ale_del_vlan(priv->ale, vid, 0);
+ if (ret != 0)
--- /dev/null
+From 0fa7b39131576dd1baa6ca17fca53c65d7f62249 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 23 Jan 2015 11:10:12 +0100
+Subject: nl80211: fix per-station group key get/del and memory leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 0fa7b39131576dd1baa6ca17fca53c65d7f62249 upstream.
+
+In case userspace attempts to obtain key information for or delete a
+unicast key, this is currently erroneously rejected unless the driver
+sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
+was never noticed.
+
+Fix that, and while at it fix a potential memory leak: the error path
+in the get_key() function was placed after allocating a message but
+didn't free it - move it to a better place. Luckily admin permissions
+are needed to call this operation.
+
+Fixes: e31b82136d1ad ("cfg80211/mac80211: allow per-station GTKs")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2697,6 +2697,9 @@ static int nl80211_get_key(struct sk_buf
+ if (!rdev->ops->get_key)
+ return -EOPNOTSUPP;
+
++ if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
++ return -ENOENT;
++
+ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+@@ -2716,10 +2719,6 @@ static int nl80211_get_key(struct sk_buf
+ nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
+ goto nla_put_failure;
+
+- if (pairwise && mac_addr &&
+- !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+- return -ENOENT;
+-
+ err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
+ get_key_callback);
+
+@@ -2890,7 +2889,7 @@ static int nl80211_del_key(struct sk_buf
+ wdev_lock(dev->ieee80211_ptr);
+ err = nl80211_key_allowed(dev->ieee80211_ptr);
+
+- if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
++ if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
+ !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+ err = -ENOENT;
+
--- /dev/null
+From 83b0302d347a49f951e904184afe57ac3723476e Mon Sep 17 00:00:00 2001
+From: Ashay Jaiswal <ashayj@codeaurora.org>
+Date: Thu, 8 Jan 2015 18:54:25 +0530
+Subject: regulator: core: fix race condition in regulator_put()
+
+From: Ashay Jaiswal <ashayj@codeaurora.org>
+
+commit 83b0302d347a49f951e904184afe57ac3723476e upstream.
+
+The regulator framework maintains a list of consumer regulators
+for a regulator device and protects it from concurrent access using
+the regulator device's mutex lock.
+
+In the case of regulator_put() the consumer is removed and regulator
+device's parameters are updated without holding the regulator device's
+mutex. This would lead to a race condition between the regulator_put()
+and any function which traverses the consumer list or modifies regulator
+device's parameters.
+Fix this race condition by holding the regulator device's mutex in case
+of regulator_put.
+
+Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1479,7 +1479,7 @@ struct regulator *regulator_get_optional
+ }
+ EXPORT_SYMBOL_GPL(regulator_get_optional);
+
+-/* Locks held by regulator_put() */
++/* regulator_list_mutex lock held by regulator_put() */
+ static void _regulator_put(struct regulator *regulator)
+ {
+ struct regulator_dev *rdev;
+@@ -1494,12 +1494,14 @@ static void _regulator_put(struct regula
+ /* remove any sysfs entries */
+ if (regulator->dev)
+ sysfs_remove_link(&rdev->dev.kobj, regulator->supply_name);
++ mutex_lock(&rdev->mutex);
+ kfree(regulator->supply_name);
+ list_del(®ulator->list);
+ kfree(regulator);
+
+ rdev->open_count--;
+ rdev->exclusive = 0;
++ mutex_unlock(&rdev->mutex);
+
+ module_put(rdev->owner);
+ }
nfs-fix-dio-deadlock-when-o_direct-flag-is-flipped.patch
nfsv4.1-fix-an-oops-in-nfs41_walk_client_list.patch
mac80211-properly-set-cck-flag-in-radiotap.patch
+nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch
+dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch
+dm-cache-fix-missing-err_ptr-returns-and-handling.patch
+spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
+regulator-core-fix-race-condition-in-regulator_put.patch
+drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
--- /dev/null
+From c957e8f084e0d21febcd6b8a0ea9631eccc92f36 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 29 Dec 2014 10:33:36 +0200
+Subject: spi/pxa2xx: Clear cur_chip pointer before starting next message
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit c957e8f084e0d21febcd6b8a0ea9631eccc92f36 upstream.
+
+Once the current message is finished, the driver notifies SPI core about
+this by calling spi_finalize_current_message(). This function queues next
+message to be transferred. If there are more messages in the queue, it is
+possible that the driver is asked to transfer the next message at this
+point.
+
+When spi_finalize_current_message() returns the driver clears the
+drv_data->cur_chip pointer to NULL. The problem is that if the driver
+already started the next message clearing drv_data->cur_chip will cause
+NULL pointer dereference which crashes the kernel like:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
+ IP: [<ffffffffa0022bc8>] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
+ PGD 78bb8067 PUD 37712067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in:
+ CPU: 1 PID: 11 Comm: ksoftirqd/1 Tainted: G O 3.18.0-rc4-mjo #5
+ Hardware name: Intel Corp. VALLEYVIEW B3 PLATFORM/NOTEBOOK, BIOS MNW2CRB1.X64.0071.R30.1408131301 08/13/2014
+ task: ffff880077f9f290 ti: ffff88007a820000 task.ti: ffff88007a820000
+ RIP: 0010:[<ffffffffa0022bc8>] [<ffffffffa0022bc8>] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
+ RSP: 0018:ffff88007a823d08 EFLAGS: 00010202
+ RAX: 0000000000000008 RBX: ffff8800379a4430 RCX: 0000000000000026
+ RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff8800379a4430
+ RBP: ffff88007a823d18 R08: 00000000ffffffff R09: 000000007a9bc65a
+ R10: 000000000000028f R11: 0000000000000005 R12: ffff880070123e98
+ R13: ffff880070123de8 R14: 0000000000000100 R15: ffffc90004888000
+ FS: 0000000000000000(0000) GS:ffff880079a80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000048 CR3: 000000007029b000 CR4: 00000000001007e0
+ Stack:
+ ffff88007a823d58 ffff8800379a4430 ffff88007a823d48 ffffffffa0022c89
+ 0000000000000000 ffff8800379a4430 0000000000000000 0000000000000006
+ ffff88007a823da8 ffffffffa0023be0 ffff88007a823dd8 ffffffff81076204
+ Call Trace:
+ [<ffffffffa0022c89>] giveback+0x69/0xa0 [spi_pxa2xx_platform]
+ [<ffffffffa0023be0>] pump_transfers+0x710/0x740 [spi_pxa2xx_platform]
+ [<ffffffff81076204>] ? pick_next_task_fair+0x744/0x830
+ [<ffffffff81049679>] tasklet_action+0xa9/0xe0
+ [<ffffffff81049a0e>] __do_softirq+0xee/0x280
+ [<ffffffff81049bc0>] run_ksoftirqd+0x20/0x40
+ [<ffffffff810646df>] smpboot_thread_fn+0xff/0x1b0
+ [<ffffffff810645e0>] ? SyS_setgroups+0x150/0x150
+ [<ffffffff81060f9d>] kthread+0xcd/0xf0
+ [<ffffffff81060ed0>] ? kthread_create_on_node+0x180/0x180
+ [<ffffffff8187a82c>] ret_from_fork+0x7c/0xb0
+
+Fix this by clearing drv_data->cur_chip before we call spi_finalize_current_message().
+
+Reported-by: Martin Oldfield <m@mjoldfield.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -400,8 +400,8 @@ static void giveback(struct driver_data
+ cs_deassert(drv_data);
+ }
+
+- spi_finalize_current_message(drv_data->master);
+ drv_data->cur_chip = NULL;
++ spi_finalize_current_message(drv_data->master);
+ }
+
+ static void reset_sccr1(struct driver_data *drv_data)
projects / thirdparty / kernel / stable-queue.git / commitdiff
