From: Greg Kroah-Hartman Date: Tue, 5 Nov 2013 16:00:12 +0000 (-0800) Subject: 3.11-stable patches X-Git-Tag: v3.4.69~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ea78f01c0ec45e6d13009213390d6888000f825;p=thirdparty%2Fkernel%2Fstable-queue.git 3.11-stable patches added patches: clockevents-sanitize-ticks-to-nsec-conversion.patch ecryptfs-fix-32-bit-corruption-issue.patch ecryptfs-fix-memory-leakage-in-keystore.c.patch libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch md-avoid-deadlock-when-md_set_badblocks.patch md-fix-skipping-recovery-for-read-only-arrays.patch parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch raid5-avoid-finding-discard-stripe.patch raid5-set-bio-bi_vcnt-0-for-discard-request.patch revert-epoll-use-freezable-blocking-call.patch revert-rt2x00pci-use-pci-msis-whenever-possible.patch revert-select-use-freezable-blocking-call.patch target-fix-assignment-of-lun-in-tracepoints.patch target-pscsi-fix-return-value-check.patch vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch --- diff --git a/queue-3.11/clockevents-sanitize-ticks-to-nsec-conversion.patch b/queue-3.11/clockevents-sanitize-ticks-to-nsec-conversion.patch new file mode 100644 index 00000000000..73ed71acc51 --- /dev/null +++ b/queue-3.11/clockevents-sanitize-ticks-to-nsec-conversion.patch @@ -0,0 +1,162 @@ +From 97b9410643475d6557d2517c2aff9fd2221141a9 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 24 Sep 2013 21:50:23 +0200 +Subject: clockevents: Sanitize ticks to nsec conversion + +From: Thomas Gleixner + +commit 97b9410643475d6557d2517c2aff9fd2221141a9 upstream. + +Marc Kleine-Budde pointed out, that commit 77cc982 "clocksource: use +clockevents_config_and_register() where possible" caused a regression +for some of the converted subarchs. + +The reason is, that the clockevents core code converts the minimal +hardware tick delta to a nanosecond value for core internal +usage. This conversion is affected by integer math rounding loss, so +the backwards conversion to hardware ticks will likely result in a +value which is less than the configured hardware limitation. The +affected subarchs used their own workaround (SIGH!) which got lost in +the conversion. + +The solution for the issue at hand is simple: adding evt->mult - 1 to +the shifted value before the integer divison in the core conversion +function takes care of it. But this only works for the case where for +the scaled math mult/shift pair "mult <= 1 << shift" is true. For the +case where "mult > 1 << shift" we can apply the rounding add only for +the minimum delta value to make sure that the backward conversion is +not less than the given hardware limit. For the upper bound we need to +omit the rounding add, because the backwards conversion is always +larger than the original latch value. That would violate the upper +bound of the hardware device. + +Though looking closer at the details of that function reveals another +bogosity: The upper bounds check is broken as well. Checking for a +resulting "clc" value greater than KTIME_MAX after the conversion is +pointless. The conversion does: + + u64 clc = (latch << evt->shift) / evt->mult; + +So there is no sanity check for (latch << evt->shift) exceeding the +64bit boundary. The latch argument is "unsigned long", so on a 64bit +arch the handed in argument could easily lead to an unnoticed shift +overflow. With the above rounding fix applied the calculation before +the divison is: + + u64 clc = (latch << evt->shift) + evt->mult - 1; + +So we need to make sure, that neither the shift nor the rounding add +is overflowing the u64 boundary. + +[ukl: move assignment to rnd after eventually changing mult, fix build + issue and correct comment with the right math] + +Signed-off-by: Thomas Gleixner +Cc: Russell King - ARM Linux +Cc: Marc Kleine-Budde +Cc: nicolas.ferre@atmel.com +Cc: Marc Pignat +Cc: john.stultz@linaro.org +Cc: kernel@pengutronix.de +Cc: Ronald Wahl +Cc: LAK +Cc: Ludovic Desroches +Link: http://lkml.kernel.org/r/1380052223-24139-1-git-send-email-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clockevents.c | 65 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 50 insertions(+), 15 deletions(-) + +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -33,29 +33,64 @@ struct ce_unbind { + int res; + }; + +-/** +- * clockevents_delta2ns - Convert a latch value (device ticks) to nanoseconds +- * @latch: value to convert +- * @evt: pointer to clock event device descriptor +- * +- * Math helper, returns latch value converted to nanoseconds (bound checked) +- */ +-u64 clockevent_delta2ns(unsigned long latch, struct clock_event_device *evt) ++static u64 cev_delta2ns(unsigned long latch, struct clock_event_device *evt, ++ bool ismax) + { + u64 clc = (u64) latch << evt->shift; ++ u64 rnd; + + if (unlikely(!evt->mult)) { + evt->mult = 1; + WARN_ON(1); + } ++ rnd = (u64) evt->mult - 1; ++ ++ /* ++ * Upper bound sanity check. If the backwards conversion is ++ * not equal latch, we know that the above shift overflowed. ++ */ ++ if ((clc >> evt->shift) != (u64)latch) ++ clc = ~0ULL; ++ ++ /* ++ * Scaled math oddities: ++ * ++ * For mult <= (1 << shift) we can safely add mult - 1 to ++ * prevent integer rounding loss. So the backwards conversion ++ * from nsec to device ticks will be correct. ++ * ++ * For mult > (1 << shift), i.e. device frequency is > 1GHz we ++ * need to be careful. Adding mult - 1 will result in a value ++ * which when converted back to device ticks can be larger ++ * than latch by up to (mult - 1) >> shift. For the min_delta ++ * calculation we still want to apply this in order to stay ++ * above the minimum device ticks limit. For the upper limit ++ * we would end up with a latch value larger than the upper ++ * limit of the device, so we omit the add to stay below the ++ * device upper boundary. ++ * ++ * Also omit the add if it would overflow the u64 boundary. ++ */ ++ if ((~0ULL - clc > rnd) && ++ (!ismax || evt->mult <= (1U << evt->shift))) ++ clc += rnd; + + do_div(clc, evt->mult); +- if (clc < 1000) +- clc = 1000; +- if (clc > KTIME_MAX) +- clc = KTIME_MAX; + +- return clc; ++ /* Deltas less than 1usec are pointless noise */ ++ return clc > 1000 ? clc : 1000; ++} ++ ++/** ++ * clockevents_delta2ns - Convert a latch value (device ticks) to nanoseconds ++ * @latch: value to convert ++ * @evt: pointer to clock event device descriptor ++ * ++ * Math helper, returns latch value converted to nanoseconds (bound checked) ++ */ ++u64 clockevent_delta2ns(unsigned long latch, struct clock_event_device *evt) ++{ ++ return cev_delta2ns(latch, evt, false); + } + EXPORT_SYMBOL_GPL(clockevent_delta2ns); + +@@ -380,8 +415,8 @@ void clockevents_config(struct clock_eve + sec = 600; + + clockevents_calc_mult_shift(dev, freq, sec); +- dev->min_delta_ns = clockevent_delta2ns(dev->min_delta_ticks, dev); +- dev->max_delta_ns = clockevent_delta2ns(dev->max_delta_ticks, dev); ++ dev->min_delta_ns = cev_delta2ns(dev->min_delta_ticks, dev, false); ++ dev->max_delta_ns = cev_delta2ns(dev->max_delta_ticks, dev, true); + } + + /** diff --git a/queue-3.11/ecryptfs-fix-32-bit-corruption-issue.patch b/queue-3.11/ecryptfs-fix-32-bit-corruption-issue.patch new file mode 100644 index 00000000000..d5095bdcf33 --- /dev/null +++ b/queue-3.11/ecryptfs-fix-32-bit-corruption-issue.patch @@ -0,0 +1,34 @@ +From 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 24 Oct 2013 14:08:07 +0000 +Subject: eCryptfs: fix 32 bit corruption issue + +From: Colin Ian King + +commit 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e upstream. + +Shifting page->index on 32 bit systems was overflowing, causing +data corruption of > 4GB files. Fix this by casting it first. + +https://launchpad.net/bugs/1243636 + +Signed-off-by: Colin Ian King +Reported-by: Lars Duesing +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -408,7 +408,7 @@ static loff_t lower_offset_for_page(stru + struct page *page) + { + return ecryptfs_lower_header_size(crypt_stat) + +- (page->index << PAGE_CACHE_SHIFT); ++ ((loff_t)page->index << PAGE_CACHE_SHIFT); + } + + /** diff --git a/queue-3.11/ecryptfs-fix-memory-leakage-in-keystore.c.patch b/queue-3.11/ecryptfs-fix-memory-leakage-in-keystore.c.patch new file mode 100644 index 00000000000..e0971376c19 --- /dev/null +++ b/queue-3.11/ecryptfs-fix-memory-leakage-in-keystore.c.patch @@ -0,0 +1,40 @@ +From 3edc8376c06133e3386265a824869cad03a4efd4 Mon Sep 17 00:00:00 2001 +From: "Geyslan G. Bem" +Date: Fri, 11 Oct 2013 16:49:16 -0300 +Subject: ecryptfs: Fix memory leakage in keystore.c + +From: "Geyslan G. Bem" + +commit 3edc8376c06133e3386265a824869cad03a4efd4 upstream. + +In 'decrypt_pki_encrypted_session_key' function: + +Initializes 'payload' pointer and releases it on exit. + +Signed-off-by: Geyslan G. Bem +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/keystore.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -1149,7 +1149,7 @@ decrypt_pki_encrypted_session_key(struct + struct ecryptfs_msg_ctx *msg_ctx; + struct ecryptfs_message *msg = NULL; + char *auth_tok_sig; +- char *payload; ++ char *payload = NULL; + size_t payload_len = 0; + int rc; + +@@ -1203,6 +1203,7 @@ decrypt_pki_encrypted_session_key(struct + } + out: + kfree(msg); ++ kfree(payload); + return rc; + } + diff --git a/queue-3.11/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch b/queue-3.11/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch new file mode 100644 index 00000000000..66fda1e937e --- /dev/null +++ b/queue-3.11/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch @@ -0,0 +1,49 @@ +From f13e220161e738c2710b9904dcb3cf8bb0bcce61 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Fri, 7 Aug 2009 16:17:49 -0700 +Subject: libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures + +From: Gwendal Grignou + +commit f13e220161e738c2710b9904dcb3cf8bb0bcce61 upstream. + +libata EH decrements scmd->retries when the command failed for reasons +unrelated to the command itself so that, for example, commands aborted +due to suspend / resume cycle don't get penalized; however, +decrementing scmd->retries isn't enough for ATA passthrough commands. + +Without this fix, ATA passthrough commands are not resend to the +drive, and no error is signalled to the caller because: + +- allowed retry count is 1 +- ata_eh_qc_complete fill the sense data, so result is valid +- sense data is filled with untouched ATA registers. + +Signed-off-by: Gwendal Grignou +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-eh.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -1322,14 +1322,14 @@ void ata_eh_qc_complete(struct ata_queue + * should be retried. To be used from EH. + * + * SCSI midlayer limits the number of retries to scmd->allowed. +- * scmd->retries is decremented for commands which get retried ++ * scmd->allowed is incremented for commands which get retried + * due to unrelated failures (qc->err_mask is zero). + */ + void ata_eh_qc_retry(struct ata_queued_cmd *qc) + { + struct scsi_cmnd *scmd = qc->scsicmd; +- if (!qc->err_mask && scmd->retries) +- scmd->retries--; ++ if (!qc->err_mask) ++ scmd->allowed++; + __ata_eh_qc_complete(qc); + } + diff --git a/queue-3.11/md-avoid-deadlock-when-md_set_badblocks.patch b/queue-3.11/md-avoid-deadlock-when-md_set_badblocks.patch new file mode 100644 index 00000000000..e8c3e0096e2 --- /dev/null +++ b/queue-3.11/md-avoid-deadlock-when-md_set_badblocks.patch @@ -0,0 +1,110 @@ +From 905b0297a9533d7a6ee00a01a990456636877dd6 Mon Sep 17 00:00:00 2001 +From: Bian Yu +Date: Sat, 12 Oct 2013 01:10:03 -0400 +Subject: md: avoid deadlock when md_set_badblocks. + +From: Bian Yu + +commit 905b0297a9533d7a6ee00a01a990456636877dd6 upstream. + +When operate harddisk and hit errors, md_set_badblocks is called after +scsi_restart_operations which already disabled the irq. but md_set_badblocks +will call write_sequnlock_irq and enable irq. so softirq can preempt the +current thread and that may cause a deadlock. I think this situation should +use write_sequnlock_irqsave/irqrestore instead. + +I met the situation and the call trace is below: +[ 638.919974] BUG: spinlock recursion on CPU#0, scsi_eh_13/1010 +[ 638.921923] lock: 0xffff8800d4d51fc8, .magic: dead4ead, .owner: scsi_eh_13/1010, .owner_cpu: 0 +[ 638.923890] CPU: 0 PID: 1010 Comm: scsi_eh_13 Not tainted 3.12.0-rc5+ #37 +[ 638.925844] Hardware name: To be filled by O.E.M. To be filled by O.E.M./MAHOBAY, BIOS 4.6.5 03/05/2013 +[ 638.927816] ffff880037ad4640 ffff880118c03d50 ffffffff8172ff85 0000000000000007 +[ 638.929829] ffff8800d4d51fc8 ffff880118c03d70 ffffffff81730030 ffff8800d4d51fc8 +[ 638.931848] ffffffff81a72eb0 ffff880118c03d90 ffffffff81730056 ffff8800d4d51fc8 +[ 638.933884] Call Trace: +[ 638.935867] [] dump_stack+0x55/0x76 +[ 638.937878] [] spin_dump+0x8a/0x8f +[ 638.939861] [] spin_bug+0x21/0x26 +[ 638.941836] [] do_raw_spin_lock+0xa4/0xc0 +[ 638.943801] [] _raw_spin_lock+0x66/0x80 +[ 638.945747] [] ? scsi_device_unbusy+0x9d/0xd0 +[ 638.947672] [] ? _raw_spin_unlock+0x2b/0x50 +[ 638.949595] [] scsi_device_unbusy+0x9d/0xd0 +[ 638.951504] [] scsi_finish_command+0x37/0xe0 +[ 638.953388] [] scsi_softirq_done+0xa8/0x140 +[ 638.955248] [] blk_done_softirq+0x7b/0x90 +[ 638.957116] [] __do_softirq+0xfd/0x330 +[ 638.958987] [] ? __lock_release+0x6f/0x100 +[ 638.960861] [] call_softirq+0x1c/0x30 +[ 638.962724] [] do_softirq+0x8d/0xc0 +[ 638.964565] [] irq_exit+0x10e/0x150 +[ 638.966390] [] smp_apic_timer_interrupt+0x4a/0x60 +[ 638.968223] [] apic_timer_interrupt+0x6f/0x80 +[ 638.970079] [] ? __lock_release+0x6f/0x100 +[ 638.971899] [] ? _raw_spin_unlock_irq+0x3a/0x50 +[ 638.973691] [] ? _raw_spin_unlock_irq+0x30/0x50 +[ 638.975475] [] md_set_badblocks+0x1f3/0x4a0 +[ 638.977243] [] rdev_set_badblocks+0x27/0x80 +[ 638.978988] [] raid5_end_read_request+0x36b/0x4e0 [raid456] +[ 638.980723] [] bio_endio+0x1d/0x40 +[ 638.982463] [] req_bio_endio.isra.65+0x83/0xa0 +[ 638.984214] [] blk_update_request+0x7f/0x350 +[ 638.985967] [] blk_update_bidi_request+0x31/0x90 +[ 638.987710] [] __blk_end_bidi_request+0x20/0x50 +[ 638.989439] [] __blk_end_request_all+0x1f/0x30 +[ 638.991149] [] blk_peek_request+0x106/0x250 +[ 638.992861] [] ? scsi_kill_request.isra.32+0xe9/0x130 +[ 638.994561] [] scsi_request_fn+0x4a/0x3d0 +[ 638.996251] [] __blk_run_queue+0x37/0x50 +[ 638.997900] [] blk_run_queue+0x2f/0x50 +[ 638.999553] [] scsi_run_queue+0xe0/0x1c0 +[ 639.001185] [] scsi_run_host_queues+0x21/0x40 +[ 639.002798] [] scsi_restart_operations+0x177/0x200 +[ 639.004391] [] scsi_error_handler+0xc9/0xe0 +[ 639.005996] [] ? scsi_unjam_host+0xd0/0xd0 +[ 639.007600] [] kthread+0xdb/0xe0 +[ 639.009205] [] ? flush_kthread_worker+0x170/0x170 +[ 639.010821] [] ret_from_fork+0x7c/0xb0 +[ 639.012437] [] ? flush_kthread_worker+0x170/0x170 + +This bug was introduce in commit 2e8ac30312973dd20e68073653 +(the first time rdev_set_badblock was call from interrupt context), +so this patch is appropriate for 3.5 and subsequent kernels. + +Signed-off-by: Bian Yu +Reviewed-by: Jianpeng Ma +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8093,6 +8093,7 @@ static int md_set_badblocks(struct badbl + u64 *p; + int lo, hi; + int rv = 1; ++ unsigned long flags; + + if (bb->shift < 0) + /* badblocks are disabled */ +@@ -8107,7 +8108,7 @@ static int md_set_badblocks(struct badbl + sectors = next - s; + } + +- write_seqlock_irq(&bb->lock); ++ write_seqlock_irqsave(&bb->lock, flags); + + p = bb->page; + lo = 0; +@@ -8223,7 +8224,7 @@ static int md_set_badblocks(struct badbl + bb->changed = 1; + if (!acknowledged) + bb->unacked_exist = 1; +- write_sequnlock_irq(&bb->lock); ++ write_sequnlock_irqrestore(&bb->lock, flags); + + return rv; + } diff --git a/queue-3.11/md-fix-skipping-recovery-for-read-only-arrays.patch b/queue-3.11/md-fix-skipping-recovery-for-read-only-arrays.patch new file mode 100644 index 00000000000..7acfc87b358 --- /dev/null +++ b/queue-3.11/md-fix-skipping-recovery-for-read-only-arrays.patch @@ -0,0 +1,56 @@ +From 61e4947c99c4494336254ec540c50186d186150b Mon Sep 17 00:00:00 2001 +From: Lukasz Dorau +Date: Thu, 24 Oct 2013 12:55:17 +1100 +Subject: md: Fix skipping recovery for read-only arrays. + +From: Lukasz Dorau + +commit 61e4947c99c4494336254ec540c50186d186150b upstream. + +Since: + commit 7ceb17e87bde79d285a8b988cfed9eaeebe60b86 + md: Allow devices to be re-added to a read-only array. + +spares are activated on a read-only array. In case of raid1 and raid10 +personalities it causes that not-in-sync devices are marked in-sync +without checking if recovery has been finished. + +If a read-only array is degraded and one of its devices is not in-sync +(because the array has been only partially recovered) recovery will be skipped. + +This patch adds checking if recovery has been finished before marking a device +in-sync for raid1 and raid10 personalities. In case of raid5 personality +such condition is already present (at raid5.c:6029). + +Bug was introduced in 3.10 and causes data corruption. + +Signed-off-by: Pawel Baldysiak +Signed-off-by: Lukasz Dorau +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 1 + + drivers/md/raid10.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1479,6 +1479,7 @@ static int raid1_spare_active(struct mdd + } + } + if (rdev ++ && rdev->recovery_offset == MaxSector + && !test_bit(Faulty, &rdev->flags) + && !test_and_set_bit(In_sync, &rdev->flags)) { + count++; +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1782,6 +1782,7 @@ static int raid10_spare_active(struct md + } + sysfs_notify_dirent_safe(tmp->replacement->sysfs_state); + } else if (tmp->rdev ++ && tmp->rdev->recovery_offset == MaxSector + && !test_bit(Faulty, &tmp->rdev->flags) + && !test_and_set_bit(In_sync, &tmp->rdev->flags)) { + count++; diff --git a/queue-3.11/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch b/queue-3.11/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch new file mode 100644 index 00000000000..8c0780acb1a --- /dev/null +++ b/queue-3.11/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch @@ -0,0 +1,70 @@ +From 54e181e073fc1415e41917d725ebdbd7de956455 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 26 Oct 2013 23:19:25 +0200 +Subject: parisc: Do not crash 64bit SMP kernels on machines with >= 4GB RAM + +From: Helge Deller + +commit 54e181e073fc1415e41917d725ebdbd7de956455 upstream. + +Since the beginning of the parisc-linux port, sometimes 64bit SMP kernels were +not able to bring up other CPUs than the monarch CPU and instead crashed the +kernel. The reason was unclear, esp. since it involved various machines (e.g. +J5600, J6750 and SuperDome). Testing showed, that those crashes didn't happened +when less than 4GB were installed, or if a 32bit Linux kernel was booted. + +In the end, the fix for those SMP problems is trivial: +During the early phase of the initialization of the CPUs, including the monarch +CPU, the PDC_PSW firmware function to enable WIDE (=64bit) mode is called. +It's documented that this firmware function may clobber various registers, and +one one of those possibly clobbered registers is %cr30 which holds the task +thread info pointer. + +Now, if %cr30 would always have been clobbered, then this bug would have been +detected much earlier. But lots of testing finally showed, that - at least for +%cr30 - on some machines only the upper 32bits of the 64bit register suddenly +turned zero after the firmware call. + +So, after finding the root cause, the explanation for the various crashes +became clear: +- On 32bit SMP Linux kernels all upper 32bit were zero, so we didn't faced this + problem. +- Monarch CPUs in 64bit mode always booted sucessfully, because the inital task + thread info pointer was below 4GB. +- Secondary CPUs booted sucessfully on machines with less than 4GB RAM because + the upper 32bit were zero anyay. +- Secondary CPus failed to boot if we had more than 4GB RAM and the task thread + info pointer was located above the 4GB boundary. + +Finally, the patch to fix this problem is trivial by saving the %cr30 register +before the firmware call and restoring it afterwards. + +Signed-off-by: Helge Deller +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/head.S | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -195,6 +195,8 @@ common_stext: + ldw MEM_PDC_HI(%r0),%r6 + depd %r6, 31, 32, %r3 /* move to upper word */ + ++ mfctl %cr30,%r6 /* PCX-W2 firmware bug */ ++ + ldo PDC_PSW(%r0),%arg0 /* 21 */ + ldo PDC_PSW_SET_DEFAULTS(%r0),%arg1 /* 2 */ + ldo PDC_PSW_WIDE_BIT(%r0),%arg2 /* 2 */ +@@ -203,6 +205,8 @@ common_stext: + copy %r0,%arg3 + + stext_pdc_ret: ++ mtctl %r6,%cr30 /* restore task thread info */ ++ + /* restore rfi target address*/ + ldd TI_TASK-THREAD_SZ_ALGN(%sp), %r10 + tophys_r1 %r10 diff --git a/queue-3.11/raid5-avoid-finding-discard-stripe.patch b/queue-3.11/raid5-avoid-finding-discard-stripe.patch new file mode 100644 index 00000000000..fc48f6dab4b --- /dev/null +++ b/queue-3.11/raid5-avoid-finding-discard-stripe.patch @@ -0,0 +1,41 @@ +From d47648fcf0611812286f68131b40251c6fa54f5e Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Sat, 19 Oct 2013 14:51:42 +0800 +Subject: raid5: avoid finding "discard" stripe + +From: Shaohua Li + +commit d47648fcf0611812286f68131b40251c6fa54f5e upstream. + +SCSI discard will damage discard stripe bio setting, eg, some fields are +changed. If the stripe is reused very soon, we have wrong bios setting. We +remove discard stripe from hash list, so next time the strip will be fully +initialized. + +Suitable for backport to 3.7+. + +Signed-off-by: Shaohua Li +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2812,6 +2812,14 @@ static void handle_stripe_clean_event(st + } + /* now that discard is done we can proceed with any sync */ + clear_bit(STRIPE_DISCARD, &sh->state); ++ /* ++ * SCSI discard will change some bio fields and the stripe has ++ * no updated data, so remove it from hash list and the stripe ++ * will be reinitialized ++ */ ++ spin_lock_irq(&conf->device_lock); ++ remove_hash(sh); ++ spin_unlock_irq(&conf->device_lock); + if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state)) + set_bit(STRIPE_HANDLE, &sh->state); + diff --git a/queue-3.11/raid5-set-bio-bi_vcnt-0-for-discard-request.patch b/queue-3.11/raid5-set-bio-bi_vcnt-0-for-discard-request.patch new file mode 100644 index 00000000000..7f1d018001d --- /dev/null +++ b/queue-3.11/raid5-set-bio-bi_vcnt-0-for-discard-request.patch @@ -0,0 +1,53 @@ +From 37c61ff31e9b5e3fcf3cc6579f5c68f6ad40c4b1 Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Sat, 19 Oct 2013 14:50:28 +0800 +Subject: raid5: set bio bi_vcnt 0 for discard request + +From: Shaohua Li + +commit 37c61ff31e9b5e3fcf3cc6579f5c68f6ad40c4b1 upstream. + +SCSI layer will add new payload for discard request. If two bios are merged +to one, the second bio has bi_vcnt 1 which is set in raid5. This will confuse +SCSI and cause oops. + +Suitable for backport to 3.7+ + +Reported-by: Jes Sorensen +Signed-off-by: Shaohua Li +Signed-off-by: NeilBrown +Acked-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -668,6 +668,12 @@ static void ops_run_io(struct stripe_hea + bi->bi_io_vec[0].bv_len = STRIPE_SIZE; + bi->bi_io_vec[0].bv_offset = 0; + bi->bi_size = STRIPE_SIZE; ++ /* ++ * If this is discard request, set bi_vcnt 0. We don't ++ * want to confuse SCSI because SCSI will replace payload ++ */ ++ if (rw & REQ_DISCARD) ++ bi->bi_vcnt = 0; + if (rrdev) + set_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags); + +@@ -706,6 +712,12 @@ static void ops_run_io(struct stripe_hea + rbi->bi_io_vec[0].bv_len = STRIPE_SIZE; + rbi->bi_io_vec[0].bv_offset = 0; + rbi->bi_size = STRIPE_SIZE; ++ /* ++ * If this is discard request, set bi_vcnt 0. We don't ++ * want to confuse SCSI because SCSI will replace payload ++ */ ++ if (rw & REQ_DISCARD) ++ rbi->bi_vcnt = 0; + if (conf->mddev->gendisk) + trace_block_bio_remap(bdev_get_queue(rbi->bi_bdev), + rbi, disk_devt(conf->mddev->gendisk), diff --git a/queue-3.11/revert-epoll-use-freezable-blocking-call.patch b/queue-3.11/revert-epoll-use-freezable-blocking-call.patch new file mode 100644 index 00000000000..ae33d8fe9df --- /dev/null +++ b/queue-3.11/revert-epoll-use-freezable-blocking-call.patch @@ -0,0 +1,49 @@ +From c511851de162e8ec03d62e7d7feecbdf590d881d Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 29 Oct 2013 13:12:56 +0100 +Subject: Revert "epoll: use freezable blocking call" + +From: "Rafael J. Wysocki" + +commit c511851de162e8ec03d62e7d7feecbdf590d881d upstream. + +This reverts commit 1c441e921201 (epoll: use freezable blocking call) +which is reported to cause user space memory corruption to happen +after suspend to RAM. + +Since it appears to be extremely difficult to root cause this +problem, it is best to revert the offending commit and try to address +the original issue in a better way later. + +References: https://bugzilla.kernel.org/show_bug.cgi?id=61781 +Reported-by: Natrio +Reported-by: Jeff Pohlmeyer +Bisected-by: Leo Wolf +Fixes: 1c441e921201 (epoll: use freezable blocking call) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + fs/eventpoll.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -34,7 +34,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -1603,8 +1602,7 @@ fetch_events: + } + + spin_unlock_irqrestore(&ep->lock, flags); +- if (!freezable_schedule_hrtimeout_range(to, slack, +- HRTIMER_MODE_ABS)) ++ if (!schedule_hrtimeout_range(to, slack, HRTIMER_MODE_ABS)) + timed_out = 1; + + spin_lock_irqsave(&ep->lock, flags); diff --git a/queue-3.11/revert-rt2x00pci-use-pci-msis-whenever-possible.patch b/queue-3.11/revert-rt2x00pci-use-pci-msis-whenever-possible.patch new file mode 100644 index 00000000000..510f626e76e --- /dev/null +++ b/queue-3.11/revert-rt2x00pci-use-pci-msis-whenever-possible.patch @@ -0,0 +1,63 @@ +From dfb6b7c109a7f98d324a759599d1b4616f02c79f Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Mon, 23 Sep 2013 04:08:13 +0200 +Subject: Revert "rt2x00pci: Use PCI MSIs whenever possible" + +From: Stanislaw Gruszka + +commit dfb6b7c109a7f98d324a759599d1b4616f02c79f upstream. + +This reverts commit 9483f40d8d01918b399b4e24d0c1111db0afffeb. + +Some devices stop to connect with above commit, see: +https://bugzilla.kernel.org/show_bug.cgi?id=61621 + +Since there is no clear benefit of having MSI enabled, just revert +change to fix the problem. + +Signed-off-by: Stanislaw Gruszka +Acked-by: Jakub Kicinski +Acked-by: Gertjan van Wingerde +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rt2x00/rt2x00pci.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2x00pci.c ++++ b/drivers/net/wireless/rt2x00/rt2x00pci.c +@@ -105,13 +105,11 @@ int rt2x00pci_probe(struct pci_dev *pci_ + goto exit_release_regions; + } + +- pci_enable_msi(pci_dev); +- + hw = ieee80211_alloc_hw(sizeof(struct rt2x00_dev), ops->hw); + if (!hw) { + rt2x00_probe_err("Failed to allocate hardware\n"); + retval = -ENOMEM; +- goto exit_disable_msi; ++ goto exit_release_regions; + } + + pci_set_drvdata(pci_dev, hw); +@@ -152,9 +150,6 @@ exit_free_reg: + exit_free_device: + ieee80211_free_hw(hw); + +-exit_disable_msi: +- pci_disable_msi(pci_dev); +- + exit_release_regions: + pci_release_regions(pci_dev); + +@@ -179,8 +174,6 @@ void rt2x00pci_remove(struct pci_dev *pc + rt2x00pci_free_reg(rt2x00dev); + ieee80211_free_hw(hw); + +- pci_disable_msi(pci_dev); +- + /* + * Free the PCI device data. + */ diff --git a/queue-3.11/revert-select-use-freezable-blocking-call.patch b/queue-3.11/revert-select-use-freezable-blocking-call.patch new file mode 100644 index 00000000000..ebeb4ddf100 --- /dev/null +++ b/queue-3.11/revert-select-use-freezable-blocking-call.patch @@ -0,0 +1,55 @@ +From 59612d187912750f416fbffe0c00bc0811c54ab5 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 29 Oct 2013 23:43:08 +0100 +Subject: Revert "select: use freezable blocking call" + +From: "Rafael J. Wysocki" + +commit 59612d187912750f416fbffe0c00bc0811c54ab5 upstream. + +This reverts commit 9745cdb36da8 (select: use freezable blocking call) +that triggers problems during resume from suspend to RAM on Paul Bolle's +32-bit x86 machines. Paul says: + + Ever since I tried running (release candidates of) v3.11 on the two + working i686s I still have lying around I ran into issues on resuming + from suspend. Reverting 9745cdb36da8 (select: use freezable blocking + call) resolves those issues. + + Resuming from suspend on i686 on (release candidates of) v3.11 and + later triggers issues like: + + traps: systemd[1] general protection ip:b738e490 sp:bf882fc0 error:0 in libc-2.16.so[b731c000+1b0000] + + and + + traps: rtkit-daemon[552] general protection ip:804d6e5 sp:b6cb32f0 error:0 in rtkit-daemon[8048000+d000] + + Once I hit the systemd error I can only get out of the mess that the + system is at that point by power cycling it. + +Since we are reverting another freezer-related change causing similar +problems to happen, this one should be reverted as well. + +References: https://lkml.org/lkml/2013/10/29/583 +Reported-by: Paul Bolle +Fixes: 9745cdb36da8 (select: use freezable blocking call) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + fs/select.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/select.c ++++ b/fs/select.c +@@ -238,8 +238,7 @@ int poll_schedule_timeout(struct poll_wq + + set_current_state(state); + if (!pwq->triggered) +- rc = freezable_schedule_hrtimeout_range(expires, slack, +- HRTIMER_MODE_ABS); ++ rc = schedule_hrtimeout_range(expires, slack, HRTIMER_MODE_ABS); + __set_current_state(TASK_RUNNING); + + /* diff --git a/queue-3.11/series b/queue-3.11/series index 70dfbae5114..0fa3ee535b0 100644 --- a/queue-3.11/series +++ b/queue-3.11/series @@ -30,3 +30,18 @@ can-flexcan-fix-mx28-detection-by-rearanging-of-match-table.patch can-flexcan-flexcan_chip_start-fix-regression-mark-one-mb-for-tx-and-abort-pending-tx.patch scsi-buslogic-fix-an-oops-when-intializing-multimaster-adapter.patch scsi-sd-call-blk_pm_runtime_init-before-add_disk.patch +ecryptfs-fix-memory-leakage-in-keystore.c.patch +ecryptfs-fix-32-bit-corruption-issue.patch +raid5-set-bio-bi_vcnt-0-for-discard-request.patch +raid5-avoid-finding-discard-stripe.patch +libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch +revert-rt2x00pci-use-pci-msis-whenever-possible.patch +revert-epoll-use-freezable-blocking-call.patch +revert-select-use-freezable-blocking-call.patch +md-avoid-deadlock-when-md_set_badblocks.patch +md-fix-skipping-recovery-for-read-only-arrays.patch +target-fix-assignment-of-lun-in-tracepoints.patch +target-pscsi-fix-return-value-check.patch +vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch +clockevents-sanitize-ticks-to-nsec-conversion.patch +parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch diff --git a/queue-3.11/target-fix-assignment-of-lun-in-tracepoints.patch b/queue-3.11/target-fix-assignment-of-lun-in-tracepoints.patch new file mode 100644 index 00000000000..96767078a6b --- /dev/null +++ b/queue-3.11/target-fix-assignment-of-lun-in-tracepoints.patch @@ -0,0 +1,50 @@ +From 2053a1db41193c2b5e1f47a91aaba0fd63ba7102 Mon Sep 17 00:00:00 2001 +From: Roland Dreier +Date: Tue, 8 Oct 2013 09:47:22 -0700 +Subject: target: Fix assignment of LUN in tracepoints + +From: Roland Dreier + +commit 2053a1db41193c2b5e1f47a91aaba0fd63ba7102 upstream. + +The unpacked_lun field in the SCSI target tracepoints should be +initialized with cmd->orig_fe_lun rather than cmd->se_lun->unpacked_lun +for two reasons: + + - most importantly, if we are in the cmd_complete tracepoint + returning a check condition due to no LUN found, cmd->se_lun will + be NULL and we'll crash trying to dereference it. + + - also, in any case, cmd->se_lun->unpacked_lun is an internal index + into the target's internal set of LUNs; cmd->orig_fe_lun is much + more useful and interesting, since it's the value the initiator + actually sent. + +Signed-off-by: Roland Dreier +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/target.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/trace/events/target.h ++++ b/include/trace/events/target.h +@@ -144,7 +144,7 @@ TRACE_EVENT(target_sequencer_start, + ), + + TP_fast_assign( +- __entry->unpacked_lun = cmd->se_lun->unpacked_lun; ++ __entry->unpacked_lun = cmd->orig_fe_lun; + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; +@@ -182,7 +182,7 @@ TRACE_EVENT(target_cmd_complete, + ), + + TP_fast_assign( +- __entry->unpacked_lun = cmd->se_lun->unpacked_lun; ++ __entry->unpacked_lun = cmd->orig_fe_lun; + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; diff --git a/queue-3.11/target-pscsi-fix-return-value-check.patch b/queue-3.11/target-pscsi-fix-return-value-check.patch new file mode 100644 index 00000000000..8a8c74de4a9 --- /dev/null +++ b/queue-3.11/target-pscsi-fix-return-value-check.patch @@ -0,0 +1,49 @@ +From 58932e96e438cd78f75e765d7b87ef39d3533d15 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Fri, 25 Oct 2013 21:53:33 +0800 +Subject: target/pscsi: fix return value check + +From: Wei Yongjun + +commit 58932e96e438cd78f75e765d7b87ef39d3533d15 upstream. + +In case of error, the function scsi_host_lookup() returns NULL +pointer not ERR_PTR(). The IS_ERR() test in the return value check +should be replaced with NULL test. + +Signed-off-by: Wei Yongjun +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -134,10 +134,10 @@ static int pscsi_pmode_enable_hba(struct + * pSCSI Host ID and enable for phba mode + */ + sh = scsi_host_lookup(phv->phv_host_id); +- if (IS_ERR(sh)) { ++ if (!sh) { + pr_err("pSCSI: Unable to locate SCSI Host for" + " phv_host_id: %d\n", phv->phv_host_id); +- return PTR_ERR(sh); ++ return -EINVAL; + } + + phv->phv_lld_host = sh; +@@ -515,10 +515,10 @@ static int pscsi_configure_device(struct + sh = phv->phv_lld_host; + } else { + sh = scsi_host_lookup(pdv->pdv_host_id); +- if (IS_ERR(sh)) { ++ if (!sh) { + pr_err("pSCSI: Unable to locate" + " pdv_host_id: %d\n", pdv->pdv_host_id); +- return PTR_ERR(sh); ++ return -EINVAL; + } + } + } else { diff --git a/queue-3.11/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch b/queue-3.11/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch new file mode 100644 index 00000000000..79e10ce90d6 --- /dev/null +++ b/queue-3.11/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch @@ -0,0 +1,43 @@ +From 60a01f558af9c48b0bb31f303c479e32721add3f Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 25 Oct 2013 10:44:15 -0700 +Subject: vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter + +From: Nicholas Bellinger + +commit 60a01f558af9c48b0bb31f303c479e32721add3f upstream. + +This patch addresses a long-standing bug where the get_user_pages_fast() +write parameter used for setting the underlying page table entry permission +bits was incorrectly set to write=1 for data_direction=DMA_TO_DEVICE, and +passed into get_user_pages_fast() via vhost_scsi_map_iov_to_sgl(). + +However, this parameter is intended to signal WRITEs to pinned userspace +PTEs for the virtio-scsi DMA_FROM_DEVICE -> READ payload case, and *not* +for the virtio-scsi DMA_TO_DEVICE -> WRITE payload case. + +This bug would manifest itself as random process segmentation faults on +KVM host after repeated vhost starts + stops and/or with lots of vhost +endpoints + LUNs. + +Cc: Stefan Hajnoczi +Cc: Michael S. Tsirkin +Cc: Asias He +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vhost/scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1030,7 +1030,7 @@ vhost_scsi_handle_vq(struct vhost_scsi * + if (data_direction != DMA_NONE) { + ret = vhost_scsi_map_iov_to_sgl(cmd, + &vq->iov[data_first], data_num, +- data_direction == DMA_TO_DEVICE); ++ data_direction == DMA_FROM_DEVICE); + if (unlikely(ret)) { + vq_err(vq, "Failed to map iov to sgl\n"); + goto err_free;