From: Greg Kroah-Hartman Date: Wed, 25 Sep 2013 00:15:23 +0000 (-0700) Subject: 3.11-stable patches X-Git-Tag: v3.0.97~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=47b04e91606a459a5c60abc6a5d03bcc6bd6d801;p=thirdparty%2Fkernel%2Fstable-queue.git 3.11-stable patches added patches: amd64_edac-fix-single-channel-setups.patch btrfs-don-t-allow-the-replace-procedure-on-read-only-filesystems.patch ceph-don-t-forget-the-up_read-osdc-map_sem-if-met-error.patch clk-wm831x-initialise-wm831x-pointer-on-init.patch drm-edid-add-quirk-for-medion-md30217pg.patch fuse-hotfix-truncate_pagecache-issue.patch fuse-invalidate-inode-attributes-on-xattr-modification.patch fuse-postpone-end_page_writeback-in-fuse_writepage_locked.patch fuse-readdir-check-for-slash-in-names.patch intel-iommu-fix-leaks-in-pagetable-freeing.patch isofs-refuse-rw-mount-of-the-filesystem-instead-of-making-it-ro.patch leds-wm831x-status-request-a-reg-resource.patch libceph-unregister-request-in-__map_request-failed-and-nofail-false.patch libceph-use-pg_num_mask-instead-of-pgp_num_mask-for-pg.seed-calc.patch media-cx88-fix-regression-cx88_audio_wm8775-can-t-be-0.patch media-exynos4-is-fix-entity-unregistration-on-error-path.patch media-exynos4-is-fix-fimc-lite-bayer-formats.patch media-exynos-gsc-register-v4l2-device.patch media-mb86a20s-fix-ts-parallel-mode.patch media-siano-fix-divide-error-on-0-counters.patch memcg-fix-multiple-large-threshold-notifications.patch mips-ath79-fix-ar933x-watchdog-clock.patch mmc-tmio_mmc_dma-fix-pio-fallback-on-sdhi.patch mm-huge_memory.c-fix-potential-null-pointer-dereference.patch mtd-nand-fix-nand_buswidth_auto-for-x16-devices.patch ocfs2-fix-the-end-cluster-offset-of-fiemap.patch of-fix-missing-memory-initialization-on-fdt-unflattening.patch pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch pidns-fix-vfork-after-unshare-clone_newpid.patch proc-restrict-mounting-the-proc-filesystem.patch rbd-fix-i-o-error-propagation-for-reads.patch target-fix-v3.9-regression-in-pr-aptpl-alua-metadata-write-out.patch um-implement-probe_kernel_read.patch uprobes-fix-utask-depth-accounting-in-handle_trampoline.patch --- diff --git a/queue-3.11/amd64_edac-fix-single-channel-setups.patch b/queue-3.11/amd64_edac-fix-single-channel-setups.patch new file mode 100644 index 00000000000..f4beee70f93 --- /dev/null +++ b/queue-3.11/amd64_edac-fix-single-channel-setups.patch @@ -0,0 +1,49 @@ +From f0a56c480196a98479760862468cc95879df3de0 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Tue, 23 Jul 2013 20:01:23 +0200 +Subject: amd64_edac: Fix single-channel setups + +From: Borislav Petkov + +commit f0a56c480196a98479760862468cc95879df3de0 upstream. + +It can happen that configurations are running in a single-channel mode +even with a dual-channel memory controller, by, say, putting the DIMMs +only on the one channel and leaving the other empty. This causes a +problem in init_csrows which implicitly assumes that when the second +channel is enabled, i.e. channel 1, the struct dimm hierarchy will be +present. Which is not. + +So always allocate two channels unconditionally. + +This provides for the nice side effect that the data structures are +initialized so some day, when memory hotplug is supported, it should +just work out of the box when all of a sudden a second channel appears. + +Reported-and-tested-by: Roger Leigh +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/amd64_edac.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struc + layers[0].size = pvt->csels[0].b_cnt; + layers[0].is_virt_csrow = true; + layers[1].type = EDAC_MC_LAYER_CHANNEL; +- layers[1].size = pvt->channel_count; ++ ++ /* ++ * Always allocate two channels since we can have setups with DIMMs on ++ * only one channel. Also, this simplifies handling later for the price ++ * of a couple of KBs tops. ++ */ ++ layers[1].size = 2; + layers[1].is_virt_csrow = false; ++ + mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0); + if (!mci) + goto err_siblings; diff --git a/queue-3.11/btrfs-don-t-allow-the-replace-procedure-on-read-only-filesystems.patch b/queue-3.11/btrfs-don-t-allow-the-replace-procedure-on-read-only-filesystems.patch new file mode 100644 index 00000000000..b9528bbcc7c --- /dev/null +++ b/queue-3.11/btrfs-don-t-allow-the-replace-procedure-on-read-only-filesystems.patch @@ -0,0 +1,41 @@ +From bbb651e469d99f0088e286fdeb54acca7bb4ad4e Mon Sep 17 00:00:00 2001 +From: Stefan Behrens +Date: Mon, 19 Aug 2013 18:51:13 +0200 +Subject: Btrfs: don't allow the replace procedure on read only filesystems + +From: Stefan Behrens + +commit bbb651e469d99f0088e286fdeb54acca7bb4ad4e upstream. + +If you start the replace procedure on a read only filesystem, at +the end the procedure fails to write the updated dev_items to the +chunk tree. The problem is that this error is not indicated except +for a WARN_ON(). If the user now thinks that everything was done +as expected and destroys the source device (with mkfs or with a +hammer). The next mount fails with "failed to read chunk root" and +the filesystem is gone. + +This commit adds code to fail the attempt to start the replace +procedure if the filesystem is mounted read-only. + +Signed-off-by: Stefan Behrens +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3312,6 +3312,9 @@ static long btrfs_ioctl_dev_replace(stru + + switch (p->cmd) { + case BTRFS_IOCTL_DEV_REPLACE_CMD_START: ++ if (root->fs_info->sb->s_flags & MS_RDONLY) ++ return -EROFS; ++ + if (atomic_xchg( + &root->fs_info->mutually_exclusive_operation_running, + 1)) { diff --git a/queue-3.11/ceph-don-t-forget-the-up_read-osdc-map_sem-if-met-error.patch b/queue-3.11/ceph-don-t-forget-the-up_read-osdc-map_sem-if-met-error.patch new file mode 100644 index 00000000000..1106d164f40 --- /dev/null +++ b/queue-3.11/ceph-don-t-forget-the-up_read-osdc-map_sem-if-met-error.patch @@ -0,0 +1,31 @@ +From 494ddd11be3e2621096bb425eed2886f8e8446d4 Mon Sep 17 00:00:00 2001 +From: majianpeng +Date: Tue, 16 Jul 2013 19:36:21 +0800 +Subject: ceph: Don't forget the 'up_read(&osdc->map_sem)' if met error. + +From: majianpeng + +commit 494ddd11be3e2621096bb425eed2886f8e8446d4 upstream. + +Signed-off-by: Jianpeng Ma +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/ioctl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ceph/ioctl.c ++++ b/fs/ceph/ioctl.c +@@ -196,8 +196,10 @@ static long ceph_ioctl_get_dataloc(struc + r = ceph_calc_file_object_mapping(&ci->i_layout, dl.file_offset, len, + &dl.object_no, &dl.object_offset, + &olen); +- if (r < 0) ++ if (r < 0) { ++ up_read(&osdc->map_sem); + return -EIO; ++ } + dl.file_offset -= dl.object_offset; + dl.object_size = ceph_file_layout_object_size(ci->i_layout); + dl.block_size = ceph_file_layout_su(ci->i_layout); diff --git a/queue-3.11/clk-wm831x-initialise-wm831x-pointer-on-init.patch b/queue-3.11/clk-wm831x-initialise-wm831x-pointer-on-init.patch new file mode 100644 index 00000000000..44116394dc4 --- /dev/null +++ b/queue-3.11/clk-wm831x-initialise-wm831x-pointer-on-init.patch @@ -0,0 +1,31 @@ +From 08442ce993deeb15a070c14cc3f3459e87d111e0 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 29 Aug 2013 12:21:01 +0100 +Subject: clk: wm831x: Initialise wm831x pointer on init + +From: Mark Brown + +commit 08442ce993deeb15a070c14cc3f3459e87d111e0 upstream. + +Otherwise any attempt to interact with the hardware will crash. This is +what happens when drivers get written blind. + +Signed-off-by: Mark Brown +Signed-off-by: Mike Turquette +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk-wm831x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/clk/clk-wm831x.c ++++ b/drivers/clk/clk-wm831x.c +@@ -360,6 +360,8 @@ static int wm831x_clk_probe(struct platf + if (!clkdata) + return -ENOMEM; + ++ clkdata->wm831x = wm831x; ++ + /* XTAL_ENA can only be set via OTP/InstantConfig so just read once */ + ret = wm831x_reg_read(wm831x, WM831X_CLOCK_CONTROL_2); + if (ret < 0) { diff --git a/queue-3.11/drm-edid-add-quirk-for-medion-md30217pg.patch b/queue-3.11/drm-edid-add-quirk-for-medion-md30217pg.patch new file mode 100644 index 00000000000..868e2855b3b --- /dev/null +++ b/queue-3.11/drm-edid-add-quirk-for-medion-md30217pg.patch @@ -0,0 +1,76 @@ +From 118bdbd86b39dbb843155054021d2c59058f1e05 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 12 Aug 2013 11:04:29 -0400 +Subject: drm/edid: add quirk for Medion MD30217PG + +From: Alex Deucher + +commit 118bdbd86b39dbb843155054021d2c59058f1e05 upstream. + +This LCD monitor (1280x1024 native) has a completely +bogus detailed timing (640x350@70hz). User reports that +1280x1024@60 has waves so prefer 1280x1024@75. + +Manufacturer: MED Model: 7b8 Serial#: 99188 +Year: 2005 Week: 5 +EDID Version: 1.3 +Analog Display Input, Input Voltage Level: 0.700/0.700 V +Sync: Separate +Max Image Size [cm]: horiz.: 34 vert.: 27 +Gamma: 2.50 +DPMS capabilities: Off; RGB/Color Display +First detailed timing is preferred mode +redX: 0.645 redY: 0.348 greenX: 0.280 greenY: 0.605 +blueX: 0.142 blueY: 0.071 whiteX: 0.313 whiteY: 0.329 +Supported established timings: +720x400@70Hz +640x480@60Hz +640x480@72Hz +640x480@75Hz +800x600@56Hz +800x600@60Hz +800x600@72Hz +800x600@75Hz +1024x768@60Hz +1024x768@70Hz +1024x768@75Hz +1280x1024@75Hz +Manufacturer's mask: 0 +Supported standard timings: +Supported detailed timing: +clock: 25.2 MHz Image Size: 337 x 270 mm +h_active: 640 h_sync: 688 h_sync_end 784 h_blank_end 800 h_border: 0 +v_active: 350 v_sync: 350 v_sync_end 352 v_blanking: 449 v_border: 0 +Monitor name: MD30217PG +Ranges: V min: 56 V max: 76 Hz, H min: 30 H max: 83 kHz, PixClock max 145 MHz +Serial No: 501099188 +EDID (in hex): + 00ffffffffffff0034a4b80774830100 + 050f010368221b962a0c55a559479b24 + 125054afcf00310a0101010101018180 + 000000000000d60980a0205e63103060 + 0200510e1100001e000000fc004d4433 + 3032313750470a202020000000fd0038 + 4c1e530e000a202020202020000000ff + 003530313039393138380a2020200078 + +Signed-off-by: Alex Deucher +Reported-by: friedrich@mailstation.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -125,6 +125,9 @@ static struct edid_quirk { + + /* ViewSonic VA2026w */ + { "VSC", 5020, EDID_QUIRK_FORCE_REDUCED_BLANKING }, ++ ++ /* Medion MD 30217 PG */ ++ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 }, + }; + + /* diff --git a/queue-3.11/fuse-hotfix-truncate_pagecache-issue.patch b/queue-3.11/fuse-hotfix-truncate_pagecache-issue.patch new file mode 100644 index 00000000000..249b1fbf7fe --- /dev/null +++ b/queue-3.11/fuse-hotfix-truncate_pagecache-issue.patch @@ -0,0 +1,176 @@ +From 06a7c3c2781409af95000c60a5df743fd4e2f8b4 Mon Sep 17 00:00:00 2001 +From: Maxim Patlasov +Date: Fri, 30 Aug 2013 17:06:04 +0400 +Subject: fuse: hotfix truncate_pagecache() issue + +From: Maxim Patlasov + +commit 06a7c3c2781409af95000c60a5df743fd4e2f8b4 upstream. + +The way how fuse calls truncate_pagecache() from fuse_change_attributes() +is completely wrong. Because, w/o i_mutex held, we never sure whether +'oldsize' and 'attr->size' are valid by the time of execution of +truncate_pagecache(inode, oldsize, attr->size). In fact, as soon as we +released fc->lock in the middle of fuse_change_attributes(), we completely +loose control of actions which may happen with given inode until we reach +truncate_pagecache. The list of potentially dangerous actions includes +mmap-ed reads and writes, ftruncate(2) and write(2) extending file size. + +The typical outcome of doing truncate_pagecache() with outdated arguments +is data corruption from user point of view. This is (in some sense) +acceptable in cases when the issue is triggered by a change of the file on +the server (i.e. externally wrt fuse operation), but it is absolutely +intolerable in scenarios when a single fuse client modifies a file without +any external intervention. A real life case I discovered by fsx-linux +looked like this: + +1. Shrinking ftruncate(2) comes to fuse_do_setattr(). The latter sends +FUSE_SETATTR to the server synchronously, but before getting fc->lock ... +2. fuse_dentry_revalidate() is asynchronously called. It sends FUSE_LOOKUP +to the server synchronously, then calls fuse_change_attributes(). The +latter updates i_size, releases fc->lock, but before comparing oldsize vs +attr->size.. +3. fuse_do_setattr() from the first step proceeds by acquiring fc->lock and +updating attributes and i_size, but now oldsize is equal to +outarg.attr.size because i_size has just been updated (step 2). Hence, +fuse_do_setattr() returns w/o calling truncate_pagecache(). +4. As soon as ftruncate(2) completes, the user extends file size by +write(2) making a hole in the middle of file, then reads data from the hole +either by read(2) or mmap-ed read. The user expects to get zero data from +the hole, but gets stale data because truncate_pagecache() is not executed +yet. + +The scenario above illustrates one side of the problem: not truncating the +page cache even though we should. Another side corresponds to truncating +page cache too late, when the state of inode changed significantly. +Theoretically, the following is possible: + +1. As in the previous scenario fuse_dentry_revalidate() discovered that +i_size changed (due to our own fuse_do_setattr()) and is going to call +truncate_pagecache() for some 'new_size' it believes valid right now. But +by the time that particular truncate_pagecache() is called ... +2. fuse_do_setattr() returns (either having called truncate_pagecache() or +not -- it doesn't matter). +3. The file is extended either by write(2) or ftruncate(2) or fallocate(2). +4. mmap-ed write makes a page in the extended region dirty. + +The result will be the lost of data user wrote on the fourth step. + +The patch is a hotfix resolving the issue in a simplistic way: let's skip +dangerous i_size update and truncate_pagecache if an operation changing +file size is in progress. This simplistic approach looks correct for the +cases w/o external changes. And to handle them properly, more sophisticated +and intrusive techniques (e.g. NFS-like one) would be required. I'd like to +postpone it until the issue is well discussed on the mailing list(s). + +Changed in v2: + - improved patch description to cover both sides of the issue. + +Signed-off-by: Maxim Patlasov +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 7 ++++++- + fs/fuse/file.c | 8 +++++++- + fs/fuse/fuse_i.h | 2 ++ + fs/fuse/inode.c | 3 ++- + 4 files changed, 17 insertions(+), 3 deletions(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1590,6 +1590,7 @@ int fuse_do_setattr(struct inode *inode, + struct file *file) + { + struct fuse_conn *fc = get_fuse_conn(inode); ++ struct fuse_inode *fi = get_fuse_inode(inode); + struct fuse_req *req; + struct fuse_setattr_in inarg; + struct fuse_attr_out outarg; +@@ -1617,8 +1618,10 @@ int fuse_do_setattr(struct inode *inode, + if (IS_ERR(req)) + return PTR_ERR(req); + +- if (is_truncate) ++ if (is_truncate) { + fuse_set_nowrite(inode); ++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); ++ } + + memset(&inarg, 0, sizeof(inarg)); + memset(&outarg, 0, sizeof(outarg)); +@@ -1680,12 +1683,14 @@ int fuse_do_setattr(struct inode *inode, + invalidate_inode_pages2(inode->i_mapping); + } + ++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); + return 0; + + error: + if (is_truncate) + fuse_release_nowrite(inode); + ++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); + return err; + } + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -629,7 +629,8 @@ static void fuse_read_update_size(struct + struct fuse_inode *fi = get_fuse_inode(inode); + + spin_lock(&fc->lock); +- if (attr_ver == fi->attr_version && size < inode->i_size) { ++ if (attr_ver == fi->attr_version && size < inode->i_size && ++ !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) { + fi->attr_version = ++fc->attr_version; + i_size_write(inode, size); + } +@@ -1032,12 +1033,16 @@ static ssize_t fuse_perform_write(struct + { + struct inode *inode = mapping->host; + struct fuse_conn *fc = get_fuse_conn(inode); ++ struct fuse_inode *fi = get_fuse_inode(inode); + int err = 0; + ssize_t res = 0; + + if (is_bad_inode(inode)) + return -EIO; + ++ if (inode->i_size < pos + iov_iter_count(ii)) ++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); ++ + do { + struct fuse_req *req; + ssize_t count; +@@ -1073,6 +1078,7 @@ static ssize_t fuse_perform_write(struct + if (res > 0) + fuse_write_update_size(inode, pos); + ++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); + fuse_invalidate_attr(inode); + + return res > 0 ? res : err; +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -115,6 +115,8 @@ struct fuse_inode { + enum { + /** Advise readdirplus */ + FUSE_I_ADVISE_RDPLUS, ++ /** An operation changing file size is in progress */ ++ FUSE_I_SIZE_UNSTABLE, + }; + + struct fuse_conn; +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -201,7 +201,8 @@ void fuse_change_attributes(struct inode + struct timespec old_mtime; + + spin_lock(&fc->lock); +- if (attr_version != 0 && fi->attr_version > attr_version) { ++ if ((attr_version != 0 && fi->attr_version > attr_version) || ++ test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) { + spin_unlock(&fc->lock); + return; + } diff --git a/queue-3.11/fuse-invalidate-inode-attributes-on-xattr-modification.patch b/queue-3.11/fuse-invalidate-inode-attributes-on-xattr-modification.patch new file mode 100644 index 00000000000..92f925f7b7d --- /dev/null +++ b/queue-3.11/fuse-invalidate-inode-attributes-on-xattr-modification.patch @@ -0,0 +1,41 @@ +From d331a415aef98717393dda0be69b7947da08eba3 Mon Sep 17 00:00:00 2001 +From: Anand Avati +Date: Tue, 20 Aug 2013 02:21:07 -0400 +Subject: fuse: invalidate inode attributes on xattr modification + +From: Anand Avati + +commit d331a415aef98717393dda0be69b7947da08eba3 upstream. + +Calls like setxattr and removexattr result in updation of ctime. +Therefore invalidate inode attributes to force a refresh. + +Signed-off-by: Anand Avati +Reviewed-by: Brian Foster +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1749,6 +1749,8 @@ static int fuse_setxattr(struct dentry * + fc->no_setxattr = 1; + err = -EOPNOTSUPP; + } ++ if (!err) ++ fuse_invalidate_attr(inode); + return err; + } + +@@ -1878,6 +1880,8 @@ static int fuse_removexattr(struct dentr + fc->no_removexattr = 1; + err = -EOPNOTSUPP; + } ++ if (!err) ++ fuse_invalidate_attr(inode); + return err; + } + diff --git a/queue-3.11/fuse-postpone-end_page_writeback-in-fuse_writepage_locked.patch b/queue-3.11/fuse-postpone-end_page_writeback-in-fuse_writepage_locked.patch new file mode 100644 index 00000000000..e9c0b48a8fb --- /dev/null +++ b/queue-3.11/fuse-postpone-end_page_writeback-in-fuse_writepage_locked.patch @@ -0,0 +1,59 @@ +From 4a4ac4eba1010ef9a804569058ab29e3450c0315 Mon Sep 17 00:00:00 2001 +From: Maxim Patlasov +Date: Mon, 12 Aug 2013 20:39:30 +0400 +Subject: fuse: postpone end_page_writeback() in fuse_writepage_locked() + +From: Maxim Patlasov + +commit 4a4ac4eba1010ef9a804569058ab29e3450c0315 upstream. + +The patch fixes a race between ftruncate(2), mmap-ed write and write(2): + +1) An user makes a page dirty via mmap-ed write. +2) The user performs shrinking truncate(2) intended to purge the page. +3) Before fuse_do_setattr calls truncate_pagecache, the page goes to + writeback. fuse_writepage_locked fills FUSE_WRITE request and releases + the original page by end_page_writeback. +4) fuse_do_setattr() completes and successfully returns. Since now, i_mutex + is free. +5) Ordinary write(2) extends i_size back to cover the page. Note that + fuse_send_write_pages do wait for fuse writeback, but for another + page->index. +6) fuse_writepage_locked proceeds by queueing FUSE_WRITE request. + fuse_send_writepage is supposed to crop inarg->size of the request, + but it doesn't because i_size has already been extended back. + +Moving end_page_writeback to the end of fuse_writepage_locked fixes the +race because now the fact that truncate_pagecache is successfully returned +infers that fuse_writepage_locked has already called end_page_writeback. +And this, in turn, infers that fuse_flush_writepages has already called +fuse_send_writepage, and the latter used valid (shrunk) i_size. write(2) +could not extend it because of i_mutex held by ftruncate(2). + +Signed-off-by: Maxim Patlasov +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1529,7 +1529,6 @@ static int fuse_writepage_locked(struct + + inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK); + inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP); +- end_page_writeback(page); + + spin_lock(&fc->lock); + list_add(&req->writepages_entry, &fi->writepages); +@@ -1537,6 +1536,8 @@ static int fuse_writepage_locked(struct + fuse_flush_writepages(inode); + spin_unlock(&fc->lock); + ++ end_page_writeback(page); ++ + return 0; + + err_free: diff --git a/queue-3.11/fuse-readdir-check-for-slash-in-names.patch b/queue-3.11/fuse-readdir-check-for-slash-in-names.patch new file mode 100644 index 00000000000..4359af44427 --- /dev/null +++ b/queue-3.11/fuse-readdir-check-for-slash-in-names.patch @@ -0,0 +1,39 @@ +From efeb9e60d48f7778fdcad4a0f3ad9ea9b19e5dfd Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 3 Sep 2013 14:28:38 +0200 +Subject: fuse: readdir: check for slash in names + +From: Miklos Szeredi + +commit efeb9e60d48f7778fdcad4a0f3ad9ea9b19e5dfd upstream. + +Userspace can add names containing a slash character to the directory +listing. Don't allow this as it could cause all sorts of trouble. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1174,6 +1174,8 @@ static int parse_dirfile(char *buf, size + return -EIO; + if (reclen > nbytes) + break; ++ if (memchr(dirent->name, '/', dirent->namelen) != NULL) ++ return -EIO; + + if (!dir_emit(ctx, dirent->name, dirent->namelen, + dirent->ino, dirent->type)) +@@ -1320,6 +1322,8 @@ static int parse_dirplusfile(char *buf, + return -EIO; + if (reclen > nbytes) + break; ++ if (memchr(dirent->name, '/', dirent->namelen) != NULL) ++ return -EIO; + + if (!over) { + /* We fill entries into dstbuf only as much as diff --git a/queue-3.11/intel-iommu-fix-leaks-in-pagetable-freeing.patch b/queue-3.11/intel-iommu-fix-leaks-in-pagetable-freeing.patch new file mode 100644 index 00000000000..c12805c2f1d --- /dev/null +++ b/queue-3.11/intel-iommu-fix-leaks-in-pagetable-freeing.patch @@ -0,0 +1,122 @@ +From 3269ee0bd6686baf86630300d528500ac5b516d7 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Sat, 15 Jun 2013 10:27:19 -0600 +Subject: intel-iommu: Fix leaks in pagetable freeing + +From: Alex Williamson + +commit 3269ee0bd6686baf86630300d528500ac5b516d7 upstream. + +At best the current code only seems to free the leaf pagetables and +the root. If you're unlucky enough to have a large gap (like any +QEMU guest with more than 3G of memory), only the first chunk of leaf +pagetables are freed (plus the root). This is a massive memory leak. +This patch re-writes the pagetable freeing function to use a +recursive algorithm and manages to not only free all the pagetables, +but does it without any apparent performance loss versus the current +broken version. + +Signed-off-by: Alex Williamson +Reviewed-by: Marcelo Tosatti +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 74 +++++++++++++++++++++----------------------- + 1 file changed, 36 insertions(+), 38 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -890,56 +890,54 @@ static int dma_pte_clear_range(struct dm + return order; + } + ++static void dma_pte_free_level(struct dmar_domain *domain, int level, ++ struct dma_pte *pte, unsigned long pfn, ++ unsigned long start_pfn, unsigned long last_pfn) ++{ ++ pfn = max(start_pfn, pfn); ++ pte = &pte[pfn_level_offset(pfn, level)]; ++ ++ do { ++ unsigned long level_pfn; ++ struct dma_pte *level_pte; ++ ++ if (!dma_pte_present(pte) || dma_pte_superpage(pte)) ++ goto next; ++ ++ level_pfn = pfn & level_mask(level - 1); ++ level_pte = phys_to_virt(dma_pte_addr(pte)); ++ ++ if (level > 2) ++ dma_pte_free_level(domain, level - 1, level_pte, ++ level_pfn, start_pfn, last_pfn); ++ ++ /* If range covers entire pagetable, free it */ ++ if (!(start_pfn > level_pfn || ++ last_pfn < level_pfn + level_size(level))) { ++ dma_clear_pte(pte); ++ domain_flush_cache(domain, pte, sizeof(*pte)); ++ free_pgtable_page(level_pte); ++ } ++next: ++ pfn += level_size(level); ++ } while (!first_pte_in_page(++pte) && pfn <= last_pfn); ++} ++ + /* free page table pages. last level pte should already be cleared */ + static void dma_pte_free_pagetable(struct dmar_domain *domain, + unsigned long start_pfn, + unsigned long last_pfn) + { + int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT; +- struct dma_pte *first_pte, *pte; +- int total = agaw_to_level(domain->agaw); +- int level; +- unsigned long tmp; +- int large_page = 2; + + BUG_ON(addr_width < BITS_PER_LONG && start_pfn >> addr_width); + BUG_ON(addr_width < BITS_PER_LONG && last_pfn >> addr_width); + BUG_ON(start_pfn > last_pfn); + + /* We don't need lock here; nobody else touches the iova range */ +- level = 2; +- while (level <= total) { +- tmp = align_to_level(start_pfn, level); +- +- /* If we can't even clear one PTE at this level, we're done */ +- if (tmp + level_size(level) - 1 > last_pfn) +- return; +- +- do { +- large_page = level; +- first_pte = pte = dma_pfn_level_pte(domain, tmp, level, &large_page); +- if (large_page > level) +- level = large_page + 1; +- if (!pte) { +- tmp = align_to_level(tmp + 1, level + 1); +- continue; +- } +- do { +- if (dma_pte_present(pte)) { +- free_pgtable_page(phys_to_virt(dma_pte_addr(pte))); +- dma_clear_pte(pte); +- } +- pte++; +- tmp += level_size(level); +- } while (!first_pte_in_page(pte) && +- tmp + level_size(level) - 1 <= last_pfn); +- +- domain_flush_cache(domain, first_pte, +- (void *)pte - (void *)first_pte); +- +- } while (tmp && tmp + level_size(level) - 1 <= last_pfn); +- level++; +- } ++ dma_pte_free_level(domain, agaw_to_level(domain->agaw), ++ domain->pgd, 0, start_pfn, last_pfn); ++ + /* free pgd */ + if (start_pfn == 0 && last_pfn == DOMAIN_MAX_PFN(domain->gaw)) { + free_pgtable_page(domain->pgd); diff --git a/queue-3.11/isofs-refuse-rw-mount-of-the-filesystem-instead-of-making-it-ro.patch b/queue-3.11/isofs-refuse-rw-mount-of-the-filesystem-instead-of-making-it-ro.patch new file mode 100644 index 00000000000..cfd042bf2ae --- /dev/null +++ b/queue-3.11/isofs-refuse-rw-mount-of-the-filesystem-instead-of-making-it-ro.patch @@ -0,0 +1,68 @@ +From 17b7f7cf58926844e1dd40f5eb5348d481deca6a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 25 Jul 2013 11:49:11 +0200 +Subject: isofs: Refuse RW mount of the filesystem instead of making it RO + +From: Jan Kara + +commit 17b7f7cf58926844e1dd40f5eb5348d481deca6a upstream. + +Refuse RW mount of isofs filesystem. So far we just silently changed it +to RO mount but when the media is writeable, block layer won't notice +this change and thus will think device is used RW and will block eject +button of the drive. That is unexpected by users because for +non-writeable media eject button works just fine. + +Userspace mount(8) command handles this just fine and retries mounting +with MS_RDONLY set so userspace shouldn't see any regression. Plus any +tool mounting isofs is likely confronted with the case of read-only +media where block layer already refuses to mount the filesystem without +MS_RDONLY set so our behavior shouldn't be anything new for it. + +Reported-by: Hui Wang +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/isofs/inode.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -117,8 +117,8 @@ static void destroy_inodecache(void) + + static int isofs_remount(struct super_block *sb, int *flags, char *data) + { +- /* we probably want a lot more here */ +- *flags |= MS_RDONLY; ++ if (!(*flags & MS_RDONLY)) ++ return -EROFS; + return 0; + } + +@@ -763,15 +763,6 @@ root_found: + */ + s->s_maxbytes = 0x80000000000LL; + +- /* +- * The CDROM is read-only, has no nodes (devices) on it, and since +- * all of the files appear to be owned by root, we really do not want +- * to allow suid. (suid or devices will not show up unless we have +- * Rock Ridge extensions) +- */ +- +- s->s_flags |= MS_RDONLY /* | MS_NODEV | MS_NOSUID */; +- + /* Set this for reference. Its not currently used except on write + which we don't have .. */ + +@@ -1530,6 +1521,9 @@ struct inode *isofs_iget(struct super_bl + static struct dentry *isofs_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) + { ++ /* We don't support read-write mounts */ ++ if (!(flags & MS_RDONLY)) ++ return ERR_PTR(-EACCES); + return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super); + } + diff --git a/queue-3.11/leds-wm831x-status-request-a-reg-resource.patch b/queue-3.11/leds-wm831x-status-request-a-reg-resource.patch new file mode 100644 index 00000000000..1dbc2363747 --- /dev/null +++ b/queue-3.11/leds-wm831x-status-request-a-reg-resource.patch @@ -0,0 +1,35 @@ +From 61abeba5222895d6900b13115f5d8eba7988d7d6 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 29 Aug 2013 07:18:14 -0700 +Subject: leds: wm831x-status: Request a REG resource + +From: Mark Brown + +commit 61abeba5222895d6900b13115f5d8eba7988d7d6 upstream. + +The wm831x-status driver was not converted to use a REG resource when they +were introduced and the rest of the wm831x drivers converted, causing it +to fail to probe due to requesting the wrong resource type. + +Signed-off-by: Mark Brown +Signed-off-by: Bryan Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-wm831x-status.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/leds/leds-wm831x-status.c ++++ b/drivers/leds/leds-wm831x-status.c +@@ -230,9 +230,9 @@ static int wm831x_status_probe(struct pl + int id = pdev->id % ARRAY_SIZE(chip_pdata->status); + int ret; + +- res = platform_get_resource(pdev, IORESOURCE_IO, 0); ++ res = platform_get_resource(pdev, IORESOURCE_REG, 0); + if (res == NULL) { +- dev_err(&pdev->dev, "No I/O resource\n"); ++ dev_err(&pdev->dev, "No register resource\n"); + ret = -EINVAL; + goto err; + } diff --git a/queue-3.11/libceph-unregister-request-in-__map_request-failed-and-nofail-false.patch b/queue-3.11/libceph-unregister-request-in-__map_request-failed-and-nofail-false.patch new file mode 100644 index 00000000000..153af40100a --- /dev/null +++ b/queue-3.11/libceph-unregister-request-in-__map_request-failed-and-nofail-false.patch @@ -0,0 +1,32 @@ +From 73d9f7eef3d98c3920e144797cc1894c6b005a1e Mon Sep 17 00:00:00 2001 +From: majianpeng +Date: Tue, 16 Jul 2013 15:45:48 +0800 +Subject: libceph: unregister request in __map_request failed and nofail == false + +From: majianpeng + +commit 73d9f7eef3d98c3920e144797cc1894c6b005a1e upstream. + +For nofail == false request, if __map_request failed, the caller does +cleanup work, like releasing the relative pages. It doesn't make any sense +to retry this request. + +Signed-off-by: Jianpeng Ma +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/osd_client.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -2129,6 +2129,8 @@ int ceph_osdc_start_request(struct ceph_ + dout("osdc_start_request failed map, " + " will retry %lld\n", req->r_tid); + rc = 0; ++ } else { ++ __unregister_request(osdc, req); + } + goto out_unlock; + } diff --git a/queue-3.11/libceph-use-pg_num_mask-instead-of-pgp_num_mask-for-pg.seed-calc.patch b/queue-3.11/libceph-use-pg_num_mask-instead-of-pgp_num_mask-for-pg.seed-calc.patch new file mode 100644 index 00000000000..338c2f8651b --- /dev/null +++ b/queue-3.11/libceph-use-pg_num_mask-instead-of-pgp_num_mask-for-pg.seed-calc.patch @@ -0,0 +1,32 @@ +From 9542cf0bf9b1a3adcc2ef271edbcbdba03abf345 Mon Sep 17 00:00:00 2001 +From: Sage Weil +Date: Wed, 28 Aug 2013 17:17:29 -0700 +Subject: libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc + +From: Sage Weil + +commit 9542cf0bf9b1a3adcc2ef271edbcbdba03abf345 upstream. + +Fix a typo that used the wrong bitmask for the pg.seed calculation. This +is normally unnoticed because in most cases pg_num == pgp_num. It is, however, +a bug that is easily corrected. + +Signed-off-by: Sage Weil +Reviewed-by: Alex Elder +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/osdmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -1129,7 +1129,7 @@ static int *calc_pg_raw(struct ceph_osdm + + /* pg_temp? */ + pgid.seed = ceph_stable_mod(pgid.seed, pool->pg_num, +- pool->pgp_num_mask); ++ pool->pg_num_mask); + pg = __lookup_pg_mapping(&osdmap->pg_temp, pgid); + if (pg) { + *num = pg->len; diff --git a/queue-3.11/media-cx88-fix-regression-cx88_audio_wm8775-can-t-be-0.patch b/queue-3.11/media-cx88-fix-regression-cx88_audio_wm8775-can-t-be-0.patch new file mode 100644 index 00000000000..2a89fa8c1a2 --- /dev/null +++ b/queue-3.11/media-cx88-fix-regression-cx88_audio_wm8775-can-t-be-0.patch @@ -0,0 +1,36 @@ +From f66b2a1c7f2ae3fb0d5b67d07ab4f5055fd3cf16 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 27 Aug 2013 04:27:57 -0300 +Subject: media: cx88: Fix regression: CX88_AUDIO_WM8775 can't be 0 + +From: Hans Verkuil + +commit f66b2a1c7f2ae3fb0d5b67d07ab4f5055fd3cf16 upstream. + +Cards using the wm8775 specify that in their card struct. Those that do not +use it leave the audio_chip field to 0. Unfortunately, the CX88_AUDIO_WM8775 +enum is 0 as well, so boards that do not have the wm8775 still try to load +and use that driver. Change it to 1 to fix this. +This regression was introduced in commit facd23664f1d63c33fbc6da52261c8548ed3fbd4. + +Signed-off-by: Hans Verkuil +Reported-by: Knut Petersen +Tested-by: Knut Petersen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/cx88/cx88.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/pci/cx88/cx88.h ++++ b/drivers/media/pci/cx88/cx88.h +@@ -259,7 +259,7 @@ struct cx88_input { + }; + + enum cx88_audio_chip { +- CX88_AUDIO_WM8775, ++ CX88_AUDIO_WM8775 = 1, + CX88_AUDIO_TVAUDIO, + }; + diff --git a/queue-3.11/media-exynos-gsc-register-v4l2-device.patch b/queue-3.11/media-exynos-gsc-register-v4l2-device.patch new file mode 100644 index 00000000000..11a7cc0da2e --- /dev/null +++ b/queue-3.11/media-exynos-gsc-register-v4l2-device.patch @@ -0,0 +1,82 @@ +From d0b1c31349969973204fad21a076aecf131cc5e4 Mon Sep 17 00:00:00 2001 +From: Arun Kumar K +Date: Fri, 26 Jul 2013 07:28:01 -0300 +Subject: media: exynos-gsc: Register v4l2 device + +From: Arun Kumar K + +commit d0b1c31349969973204fad21a076aecf131cc5e4 upstream. + +Gscaler video device registration was happening without reference to +a parent v4l2_dev causing probe to fail. The patch creates a parent +v4l2 device and uses it for the gsc m2m video device registration. +This fixes regression introduced with comit commit 1c1d86a1ea07506 +[media] v4l2: always require v4l2_dev, rename parent to dev_parent + +Signed-off-by: Arun Kumar K +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/exynos-gsc/gsc-core.c | 9 ++++++++- + drivers/media/platform/exynos-gsc/gsc-core.h | 1 + + drivers/media/platform/exynos-gsc/gsc-m2m.c | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/exynos-gsc/gsc-core.c ++++ b/drivers/media/platform/exynos-gsc/gsc-core.c +@@ -1122,10 +1122,14 @@ static int gsc_probe(struct platform_dev + goto err_clk; + } + +- ret = gsc_register_m2m_device(gsc); ++ ret = v4l2_device_register(dev, &gsc->v4l2_dev); + if (ret) + goto err_clk; + ++ ret = gsc_register_m2m_device(gsc); ++ if (ret) ++ goto err_v4l2; ++ + platform_set_drvdata(pdev, gsc); + pm_runtime_enable(dev); + ret = pm_runtime_get_sync(&pdev->dev); +@@ -1147,6 +1151,8 @@ err_pm: + pm_runtime_put(dev); + err_m2m: + gsc_unregister_m2m_device(gsc); ++err_v4l2: ++ v4l2_device_unregister(&gsc->v4l2_dev); + err_clk: + gsc_clk_put(gsc); + return ret; +@@ -1157,6 +1163,7 @@ static int gsc_remove(struct platform_de + struct gsc_dev *gsc = platform_get_drvdata(pdev); + + gsc_unregister_m2m_device(gsc); ++ v4l2_device_unregister(&gsc->v4l2_dev); + + vb2_dma_contig_cleanup_ctx(gsc->alloc_ctx); + pm_runtime_disable(&pdev->dev); +--- a/drivers/media/platform/exynos-gsc/gsc-core.h ++++ b/drivers/media/platform/exynos-gsc/gsc-core.h +@@ -343,6 +343,7 @@ struct gsc_dev { + unsigned long state; + struct vb2_alloc_ctx *alloc_ctx; + struct video_device vdev; ++ struct v4l2_device v4l2_dev; + }; + + /** +--- a/drivers/media/platform/exynos-gsc/gsc-m2m.c ++++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c +@@ -751,6 +751,7 @@ int gsc_register_m2m_device(struct gsc_d + gsc->vdev.release = video_device_release_empty; + gsc->vdev.lock = &gsc->lock; + gsc->vdev.vfl_dir = VFL_DIR_M2M; ++ gsc->vdev.v4l2_dev = &gsc->v4l2_dev; + snprintf(gsc->vdev.name, sizeof(gsc->vdev.name), "%s.%d:m2m", + GSC_MODULE_NAME, gsc->id); + diff --git a/queue-3.11/media-exynos4-is-fix-entity-unregistration-on-error-path.patch b/queue-3.11/media-exynos4-is-fix-entity-unregistration-on-error-path.patch new file mode 100644 index 00000000000..eac3188a3a1 --- /dev/null +++ b/queue-3.11/media-exynos4-is-fix-entity-unregistration-on-error-path.patch @@ -0,0 +1,70 @@ +From d2b903b4427e417a73863cef36ad0796ea6b7404 Mon Sep 17 00:00:00 2001 +From: Sylwester Nawrocki +Date: Mon, 29 Jul 2013 06:53:59 -0300 +Subject: media: exynos4-is: Fix entity unregistration on error path + +From: Sylwester Nawrocki + +commit d2b903b4427e417a73863cef36ad0796ea6b7404 upstream. + +This patch corrects media entities unregistration order to make sure +the fimc.N.capture and fimc-lite video nodes are unregistered with +fimc->lock mutex held. This prevents races between video device open() +and defered probing and NULL pointer dereference in open() callback +as follows: +[ 77.645000] Unable to handle kernel NULL pointer dereference at virtual address 00000290t +[ 77.655000] pgd = ee7a8000 +[ 77.660000] [00000290] *pgd=6e13c831, *pte=00000000, *ppte=00000000 +[ 77.665000] Internal error: Oops: 17 [#1] PREEMPT SMP ARM +[ 77.670000] Modules linked in: s5p_fimc ipv6 exynos_fimc_is exynos_fimc_lite + s5p_csis v4l2_mem2mem videobuf2_dma_contig videobuf2_memops exynos4_is_common videobuf2_core [last unloaded: s5p_fimc] +[ 77.685000] CPU: 0 PID : 2998 Comm: v4l_id Tainted: G W 3.10.0-next-20130709-00039-g39f491b-dirty #1548 +[ 77.695000] task: ee084000 ti: ee46e000 task.ti: ee46e000 +[ 77.700000] PC is at __mutex_lock_slowpath+0x54/0x368 +[ 77.705000] LR is at __mutex_lock_slowpath+0x24/0x368 +[ 77.710000] pc : [] lr : [] psr: 60000093 +[ 77.710000] sp : ee46fd70 ip : 000008c8 fp : c054e34c +[ 77.725000] r10: ee084000 r9 : 00000000 r8 : ee439480 +[ 77.730000] r7 : ee46e000 r6 : 60000013 r5 : 00000290 r4 : 0000028c +[ 77.735000] r3 : 00000000 r2 : 00000000 r1 : 20000093 r0 : 00000001 +[ 77.740000] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +[ 77.750000] Control: 10c5387d Table: 6e7a804a DAC: 00000015 +[ 77.755000] Process v4l_id (pid: 2998, stack limit = 0xee46e238) +[ 77.760000] Stack: (0xee46fd70 to 0xee470000) + ... +[ 77.935000] [] (__mutex_lock_slowpath+0x54/0x368) from [] (mutex_lock+0xc/0x24) +[ 77.945000] [] (mutex_lock+0xc/0x24) from [] (fimc_lite_open+0x12c/0x2bc [exynos_fimc_lite]) +[ 77.955000] [] (fimc_lite_open+0x12c/0x2bc [exynos_fimc_lite]) from [] (v4l2_open+0xa0/0xe0) +[ 77.965000] [] (v4l2_open+0xa0/0xe0) from [] (chrdev_open+0x88/0x170) +[ 77.975000] [] (chrdev_open+0x88/0x170) from [] (do_dentry_open.isra.14+0x1d8/0x258) +[ 77.985000] [] (do_dentry_open.isra.14+0x1d8/0x258) from [] (finish_open+0x20/0x38) +[ 77.995000] [] (finish_open+0x20/0x38) from [] (do_last.isra.43+0x538/0xb1c) +[ 78.000000] [] (do_last.isra.43+0x538/0xb1c) from [] (path_openat+0xb4/0x5c4) +[ 78.010000] [] (path_openat+0xb4/0x5c4) from [] (do_filp_open+0x2c/0x80) +[ 78.020000] [] (do_filp_open+0x2c/0x80) from [] (do_sys_open+0xf4/0x1a8) +[ 78.025000] [] (do_sys_open+0xf4/0x1a8) from [] (ret_fast_syscall+0x0/0x30) +[ 78.035000] Code: 1a000093 e10f6000 f10c0080 e2845004 (e1953f9f) + +Reported-by: Andrzej Hajda +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Kyungmin Park +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/exynos4-is/media-dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1530,9 +1530,9 @@ static int fimc_md_probe(struct platform + err_unlock: + mutex_unlock(&fmd->media_dev.graph_mutex); + err_clk: +- media_device_unregister(&fmd->media_dev); + fimc_md_put_clocks(fmd); + fimc_md_unregister_entities(fmd); ++ media_device_unregister(&fmd->media_dev); + err_md: + v4l2_device_unregister(&fmd->v4l2_dev); + return ret; diff --git a/queue-3.11/media-exynos4-is-fix-fimc-lite-bayer-formats.patch b/queue-3.11/media-exynos4-is-fix-fimc-lite-bayer-formats.patch new file mode 100644 index 00000000000..8ab7163c0ed --- /dev/null +++ b/queue-3.11/media-exynos4-is-fix-fimc-lite-bayer-formats.patch @@ -0,0 +1,44 @@ +From 3396b096c54a84603c51bd705effa88f7f5b0d76 Mon Sep 17 00:00:00 2001 +From: Arun Kumar K +Date: Mon, 15 Jul 2013 07:51:23 -0300 +Subject: media: exynos4-is: Fix fimc-lite bayer formats + +From: Arun Kumar K + +commit 3396b096c54a84603c51bd705effa88f7f5b0d76 upstream. + +The 10-bit and 12-bit Bayer output formats supported by FIMC-LITE +actually use 16 bits where the extra bits are padded with zeros. +The patch corrects buffer allocation for these two formats by +modifying the depth field. This prevents memory corruption by the +output DMA due to insufficient buffer size. + +Signed-off-by: Arun Kumar K +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/exynos4-is/fimc-lite.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/exynos4-is/fimc-lite.c ++++ b/drivers/media/platform/exynos4-is/fimc-lite.c +@@ -90,7 +90,7 @@ static const struct fimc_fmt fimc_lite_f + .name = "RAW10 (GRBG)", + .fourcc = V4L2_PIX_FMT_SGRBG10, + .colorspace = V4L2_COLORSPACE_SRGB, +- .depth = { 10 }, ++ .depth = { 16 }, + .color = FIMC_FMT_RAW10, + .memplanes = 1, + .mbus_code = V4L2_MBUS_FMT_SGRBG10_1X10, +@@ -99,7 +99,7 @@ static const struct fimc_fmt fimc_lite_f + .name = "RAW12 (GRBG)", + .fourcc = V4L2_PIX_FMT_SGRBG12, + .colorspace = V4L2_COLORSPACE_SRGB, +- .depth = { 12 }, ++ .depth = { 16 }, + .color = FIMC_FMT_RAW12, + .memplanes = 1, + .mbus_code = V4L2_MBUS_FMT_SGRBG12_1X12, diff --git a/queue-3.11/media-mb86a20s-fix-ts-parallel-mode.patch b/queue-3.11/media-mb86a20s-fix-ts-parallel-mode.patch new file mode 100644 index 00000000000..21d918945d0 --- /dev/null +++ b/queue-3.11/media-mb86a20s-fix-ts-parallel-mode.patch @@ -0,0 +1,54 @@ +From 9d32069faacdc81fe1dcb5d297c32a3ac81da8f0 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 9 Aug 2013 08:53:26 -0300 +Subject: media: mb86a20s: Fix TS parallel mode + +From: Mauro Carvalho Chehab + +commit 9d32069faacdc81fe1dcb5d297c32a3ac81da8f0 upstream. + +changeset 768e6dadd74 caused a regression on using mb86a20s +in parallel mode, as the parallel mode selection got +overriden by mb86a20s_init2. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/mb86a20s.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/media/dvb-frontends/mb86a20s.c ++++ b/drivers/media/dvb-frontends/mb86a20s.c +@@ -157,7 +157,6 @@ static struct regdata mb86a20s_init2[] = + { 0x45, 0x04 }, /* CN symbol 4 */ + { 0x48, 0x04 }, /* CN manual mode */ + +- { 0x50, 0xd5 }, { 0x51, 0x01 }, /* Serial */ + { 0x50, 0xd6 }, { 0x51, 0x1f }, + { 0x50, 0xd2 }, { 0x51, 0x03 }, + { 0x50, 0xd7 }, { 0x51, 0xbf }, +@@ -1860,16 +1859,15 @@ static int mb86a20s_initfe(struct dvb_fr + dev_dbg(&state->i2c->dev, "%s: IF=%d, IF reg=0x%06llx\n", + __func__, state->if_freq, (long long)pll); + +- if (!state->config->is_serial) { ++ if (!state->config->is_serial) + regD5 &= ~1; + +- rc = mb86a20s_writereg(state, 0x50, 0xd5); +- if (rc < 0) +- goto err; +- rc = mb86a20s_writereg(state, 0x51, regD5); +- if (rc < 0) +- goto err; +- } ++ rc = mb86a20s_writereg(state, 0x50, 0xd5); ++ if (rc < 0) ++ goto err; ++ rc = mb86a20s_writereg(state, 0x51, regD5); ++ if (rc < 0) ++ goto err; + + rc = mb86a20s_writeregdata(state, mb86a20s_init2); + if (rc < 0) diff --git a/queue-3.11/media-siano-fix-divide-error-on-0-counters.patch b/queue-3.11/media-siano-fix-divide-error-on-0-counters.patch new file mode 100644 index 00000000000..147c07070a1 --- /dev/null +++ b/queue-3.11/media-siano-fix-divide-error-on-0-counters.patch @@ -0,0 +1,98 @@ +From ec532503209053bbee0c7dac410031e50835e01a Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Wed, 14 Aug 2013 05:24:39 -0300 +Subject: media: siano: fix divide error on 0 counters + +From: Bjørn Mork + +commit ec532503209053bbee0c7dac410031e50835e01a upstream. + +GIT_AUTHOR_DATE=1376465691 +I took a quick look at the code and wonder if the problem is caused by +an initial zero statistics message? This is all just a wild guess, but +if it is correct, then the attached untested patch might fix it... +Bjørn +>From d78a0599d5b5d4da384eae08bf7da316389dfbe5 Mon Sep 17 00:00:00 2001 +ts_packets and ets_packets counters can be 0. Don't fall over +if they are. Fixes: +[ 846.851711] divide error: 0000 [#1] SMP +[ 846.851806] Modules linked in: smsdvb dvb_core ir_lirc_codec lirc_dev ir_sanyo_decoder ir_mce_kbd_decoder ir_sony_decoder ir_jvc_decoder ir_rc6_decoder ir_rc5_decoder ir_nec_decoder rc_hauppauge smsusb smsmdtv rc_core pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) parport_pc ppdev lp parport cpufreq_userspace cpufreq_powersave cpufreq_stats cpufreq_conservative rfcomm bnep binfmt_misc uinput nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc ext4 jbd2 fuse tp_smapi(O) thinkpad_ec(O) loop firewire_sbp2 dm_crypt snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm thinkpad_acpi nvram snd_page_alloc hid_generic snd_seq_midi snd_seq_midi_event arc4 usbhid snd_rawmidi uvcvideo hid iwldvm coretemp kvm_intel mac8021 + 1 cdc_wdm +[ 846.853477] cdc_acm snd_seq videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media kvm radeon r852 ttm joydev cdc_ether usbnet pcmcia mii sm_common nand btusb drm_kms_helper tpm_tis acpi_cpufreq bluetooth iwlwifi nand_ecc drm nand_ids i2c_i801 mtd snd_seq_device iTCO_wdt iTCO_vendor_support r592 memstick lpc_ich mperf tpm yenta_socket pcmcia_rsrc pcmcia_core cfg80211 snd_timer snd pcspkr i2c_algo_bit crc16 i2c_core tpm_bios processor mfd_core wmi psmouse mei_me rfkill mei serio_raw soundcore evdev battery button video ac microcode ext3 mbcache jbd md_mod dm_mirror dm_region_hash dm_log dm_mod sg sr_mod sd_mod cdrom crc_t10dif firewire_ohci sdhci_pci sdhci mmc_core firewire_core crc_itu_t thermal thermal_sys ahci libahci ehci_pci uhci_hcd ehci_hcd libata scsi_mod usbcore e1000 + e usb_common +[ 846.855310] ptp pps_core +[ 846.855356] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 3.10-2-amd64 #1 Debian 3.10.5-1 +[ 846.855490] Hardware name: LENOVO 4061WFA/4061WFA, BIOS 6FET92WW (3.22 ) 12/14/2011 +[ 846.855609] task: ffffffff81613400 ti: ffffffff81600000 task.ti: ffffffff81600000 +[ 846.855636] RIP: 0010:[] [] smsdvb_onresponse+0x264/0xa86 [smsdvb] +[ 846.863906] RSP: 0018:ffff88013bc03cf0 EFLAGS: 00010046 +[ 846.863906] RAX: 0000000000000000 RBX: ffff880133bf6000 RCX: 0000000000000000 +[ 846.863906] RDX: 0000000000000000 RSI: ffff88005d3b58c0 RDI: ffff880133bf6000 +[ 846.863906] RBP: ffff88005d1da000 R08: 0000000000000058 R09: 0000000000000015 +[ 846.863906] R10: 0000000000001a0d R11: 000000000000021a R12: ffff88005d3b58c0 +[ 846.863906] R13: ffff88005d1da008 R14: 00000000ffffff8d R15: ffff880036cf5060 +[ 846.863906] FS: 0000000000000000(0000) GS:ffff88013bc00000(0000) knlGS:0000000000000000 +[ 846.863906] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 846.863906] CR2: 00007f3a4b69ae50 CR3: 0000000036dac000 CR4: 00000000000407f0 +[ 846.863906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 846.863906] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 846.863906] Stack: +[ 846.863906] ffff88007a102000 ffff88005d1da000 ffff88005d3b58c0 0000000000085824 +[ 846.863906] ffffffffa08c5aa3 ffff88005d1da000 ffff8800a6907390 ffff8800a69073b0 +[ 846.863906] ffff8800a6907000 ffffffffa08b642c 000000000000021a ffff8800a69073b0 +[ 846.863906] Call Trace: +[ 846.863906] +[ 846.863906] +[ 846.863906] [] ? smscore_onresponse+0x1d5/0x353 [smsmdtv] +[ 846.863906] [] ? smsusb_onresponse+0x146/0x192 [smsusb] +[ 846.863906] [] ? usb_hcd_giveback_urb+0x6c/0xac [usbcore] +[ 846.863906] [] ? ehci_urb_done+0x62/0x72 [ehci_hcd] +[ 846.863906] [] ? qh_completions+0x91/0x364 [ehci_hcd] +[ 846.863906] [] ? ehci_work+0x8a/0x68e [ehci_hcd] +[ 846.863906] [] ? timekeeping_get_ns.constprop.10+0xd/0x31 +[ 846.863906] [] ? update_cfs_rq_blocked_load+0xde/0xec +[ 846.863906] [] ? run_posix_cpu_timers+0x25/0x575 +[ 846.863906] [] ? ehci_irq+0x211/0x23d [ehci_hcd] +[ 846.863906] [] ? usb_hcd_irq+0x31/0x48 [usbcore] +[ 846.863906] [] ? handle_irq_event_percpu+0x49/0x1a4 +[ 846.863906] [] ? handle_irq_event+0x32/0x4b +[ 846.863906] [] ? handle_fasteoi_irq+0x80/0xb6 +[ 846.863906] [] ? handle_irq+0x18/0x20 +[ 846.863906] [] ? do_IRQ+0x40/0x95 +[ 846.863906] [] ? common_interrupt+0x6d/0x6d +[ 846.863906] +[ 846.863906] +[ 846.863906] [] ? arch_local_irq_enable+0x4/0x8 +[ 846.863906] [] ? cpuidle_enter_state+0x52/0xc1 +[ 846.863906] [] ? cpuidle_idle_call+0xd4/0x143 +[ 846.863906] [] ? arch_cpu_idle+0x5/0x17 +[ 846.863906] [] ? cpu_startup_entry+0x10d/0x187 +[ 846.863906] [] ? start_kernel+0x3e8/0x3f3 +[ 846.863906] [] ? repair_env_string+0x54/0x54 +[ 846.863906] [] ? x86_64_start_kernel+0xf2/0xfd +[ 846.863906] Code: 25 09 00 00 c6 83 da 08 00 00 03 8b 45 54 48 01 83 b6 08 00 00 8b 45 50 48 01 83 db 08 00 00 8b 4d 18 69 c1 ff ff 00 00 03 4d 14 <48> f7 f1 89 83 a8 09 00 00 e9 68 fe ff ff 48 8b 7f 10 e8 79 92 +[ 846.863906] RIP [] smsdvb_onresponse+0x264/0xa86 [smsdvb] +[ 846.863906] RSP +Reference: http://bugs.debian.org/719623 + +Reported-by: Johannes Rohr +Signed-off-by: Bjørn Mork +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/common/siano/smsdvb-main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/common/siano/smsdvb-main.c ++++ b/drivers/media/common/siano/smsdvb-main.c +@@ -276,7 +276,8 @@ static void smsdvb_update_per_slices(str + + /* Legacy PER/BER */ + tmp = p->ets_packets * 65535; +- do_div(tmp, p->ts_packets + p->ets_packets); ++ if (p->ts_packets + p->ets_packets) ++ do_div(tmp, p->ts_packets + p->ets_packets); + client->legacy_per = tmp; + } + diff --git a/queue-3.11/memcg-fix-multiple-large-threshold-notifications.patch b/queue-3.11/memcg-fix-multiple-large-threshold-notifications.patch new file mode 100644 index 00000000000..7cd5e448b71 --- /dev/null +++ b/queue-3.11/memcg-fix-multiple-large-threshold-notifications.patch @@ -0,0 +1,73 @@ +From 2bff24a3707093c435ab3241c47dcdb5f16e432b Mon Sep 17 00:00:00 2001 +From: Greg Thelen +Date: Wed, 11 Sep 2013 14:23:08 -0700 +Subject: memcg: fix multiple large threshold notifications + +From: Greg Thelen + +commit 2bff24a3707093c435ab3241c47dcdb5f16e432b upstream. + +A memory cgroup with (1) multiple threshold notifications and (2) at least +one threshold >=2G was not reliable. Specifically the notifications would +either not fire or would not fire in the proper order. + +The __mem_cgroup_threshold() signaling logic depends on keeping 64 bit +thresholds in sorted order. mem_cgroup_usage_register_event() sorts them +with compare_thresholds(), which returns the difference of two 64 bit +thresholds as an int. If the difference is positive but has bit[31] set, +then sort() treats the difference as negative and breaks sort order. + +This fix compares the two arbitrary 64 bit thresholds returning the +classic -1, 0, 1 result. + +The test below sets two notifications (at 0x1000 and 0x81001000): + cd /sys/fs/cgroup/memory + mkdir x + for x in 4096 2164264960; do + cgroup_event_listener x/memory.usage_in_bytes $x | sed "s/^/$x listener:/" & + done + echo $$ > x/cgroup.procs + anon_leaker 500M + +v3.11-rc7 fails to signal the 4096 event listener: + Leaking... + Done leaking pages. + +Patched v3.11-rc7 properly notifies: + Leaking... + 4096 listener:2013:8:31:14:13:36 + Done leaking pages. + +The fixed bug is old. It appears to date back to the introduction of +memcg threshold notifications in v2.6.34-rc1-116-g2e72b6347c94 "memcg: +implement memory thresholds" + +Signed-off-by: Greg Thelen +Acked-by: Michal Hocko +Acked-by: Kirill A. Shutemov +Acked-by: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5616,7 +5616,13 @@ static int compare_thresholds(const void + const struct mem_cgroup_threshold *_a = a; + const struct mem_cgroup_threshold *_b = b; + +- return _a->threshold - _b->threshold; ++ if (_a->threshold > _b->threshold) ++ return 1; ++ ++ if (_a->threshold < _b->threshold) ++ return -1; ++ ++ return 0; + } + + static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg) diff --git a/queue-3.11/mips-ath79-fix-ar933x-watchdog-clock.patch b/queue-3.11/mips-ath79-fix-ar933x-watchdog-clock.patch new file mode 100644 index 00000000000..491003a5746 --- /dev/null +++ b/queue-3.11/mips-ath79-fix-ar933x-watchdog-clock.patch @@ -0,0 +1,45 @@ +From a1191927ace7e6f827132aa9e062779eb3f11fa5 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 28 Aug 2013 10:41:42 +0200 +Subject: MIPS: ath79: Fix ar933x watchdog clock + +From: Felix Fietkau + +commit a1191927ace7e6f827132aa9e062779eb3f11fa5 upstream. + +The watchdog device on the AR933x is connected to +the AHB clock, however the current code uses the +reference clock. Due to the wrong rate, the watchdog +driver can't calculate correct register values for +a given timeout value and the watchdog unexpectedly +restarts the system. + +The code uses the wrong value since the initial +commit 04225e1d227c8e68d685936ecf42ac175fec0e54 +(MIPS: ath79: add AR933X specific clock init) + +The patch fixes the code to use the correct clock +rate to avoid the problem. + +Signed-off-by: Felix Fietkau +Signed-off-by: Gabor Juhos +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/5777/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/ath79/clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/ath79/clock.c ++++ b/arch/mips/ath79/clock.c +@@ -164,7 +164,7 @@ static void __init ar933x_clocks_init(vo + ath79_ahb_clk.rate = freq / t; + } + +- ath79_wdt_clk.rate = ath79_ref_clk.rate; ++ ath79_wdt_clk.rate = ath79_ahb_clk.rate; + ath79_uart_clk.rate = ath79_ref_clk.rate; + } + diff --git a/queue-3.11/mm-huge_memory.c-fix-potential-null-pointer-dereference.patch b/queue-3.11/mm-huge_memory.c-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..a98f544c248 --- /dev/null +++ b/queue-3.11/mm-huge_memory.c-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,42 @@ +From a8f531ebc33052642b4bd7b812eedf397108ce64 Mon Sep 17 00:00:00 2001 +From: Libin +Date: Wed, 11 Sep 2013 14:20:38 -0700 +Subject: mm/huge_memory.c: fix potential NULL pointer dereference + +From: Libin + +commit a8f531ebc33052642b4bd7b812eedf397108ce64 upstream. + +In collapse_huge_page() there is a race window between releasing the +mmap_sem read lock and taking the mmap_sem write lock, so find_vma() may +return NULL. So check the return value to avoid NULL pointer dereference. + +collapse_huge_page + khugepaged_alloc_page + up_read(&mm->mmap_sem) + down_write(&mm->mmap_sem) + vma = find_vma(mm, address) + +Signed-off-by: Libin +Acked-by: Kirill A. Shutemov +Reviewed-by: Wanpeng Li +Reviewed-by: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/huge_memory.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2296,6 +2296,8 @@ static void collapse_huge_page(struct mm + goto out; + + vma = find_vma(mm, address); ++ if (!vma) ++ goto out; + hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK; + hend = vma->vm_end & HPAGE_PMD_MASK; + if (address < hstart || address + HPAGE_PMD_SIZE > hend) diff --git a/queue-3.11/mmc-tmio_mmc_dma-fix-pio-fallback-on-sdhi.patch b/queue-3.11/mmc-tmio_mmc_dma-fix-pio-fallback-on-sdhi.patch new file mode 100644 index 00000000000..28c619e5d65 --- /dev/null +++ b/queue-3.11/mmc-tmio_mmc_dma-fix-pio-fallback-on-sdhi.patch @@ -0,0 +1,62 @@ +From f936f9b67b7f8c2eae01dd303a0e90bd777c4679 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 24 Aug 2013 23:38:15 -0400 +Subject: mmc: tmio_mmc_dma: fix PIO fallback on SDHI + +From: Sergei Shtylyov + +commit f936f9b67b7f8c2eae01dd303a0e90bd777c4679 upstream. + +I'm testing SH-Mobile SDHI driver in DMA mode with a new DMA controller using +'bonnie++' and getting DMA error after which the tmio_mmc_dma.c code falls back +to PIO but all commands time out after that. It turned out that the fallback +code calls tmio_mmc_enable_dma() with RX/TX channels already freed and pointers +to them cleared, so that the function bails out early instead of clearing the +DMA bit in the CTL_DMA_ENABLE register. The regression was introduced by commit +162f43e31c5a376ec16336e5d0ac973373d54c89 (mmc: tmio: fix a deadlock). +Moving tmio_mmc_enable_dma() calls to the top of the PIO fallback code in +tmio_mmc_start_dma_{rx|tx}() helps. + +Signed-off-by: Sergei Shtylyov +Acked-by: Guennadi Liakhovetski +Signed-off-by: Chris Ball +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/tmio_mmc_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/tmio_mmc_dma.c ++++ b/drivers/mmc/host/tmio_mmc_dma.c +@@ -104,6 +104,7 @@ static void tmio_mmc_start_dma_rx(struct + pio: + if (!desc) { + /* DMA failed, fall back to PIO */ ++ tmio_mmc_enable_dma(host, false); + if (ret >= 0) + ret = -EIO; + host->chan_rx = NULL; +@@ -116,7 +117,6 @@ pio: + } + dev_warn(&host->pdev->dev, + "DMA failed: %d, falling back to PIO\n", ret); +- tmio_mmc_enable_dma(host, false); + } + + dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d, sg[%d]\n", __func__, +@@ -185,6 +185,7 @@ static void tmio_mmc_start_dma_tx(struct + pio: + if (!desc) { + /* DMA failed, fall back to PIO */ ++ tmio_mmc_enable_dma(host, false); + if (ret >= 0) + ret = -EIO; + host->chan_tx = NULL; +@@ -197,7 +198,6 @@ pio: + } + dev_warn(&host->pdev->dev, + "DMA failed: %d, falling back to PIO\n", ret); +- tmio_mmc_enable_dma(host, false); + } + + dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d\n", __func__, diff --git a/queue-3.11/mtd-nand-fix-nand_buswidth_auto-for-x16-devices.patch b/queue-3.11/mtd-nand-fix-nand_buswidth_auto-for-x16-devices.patch new file mode 100644 index 00000000000..b59282ab5b5 --- /dev/null +++ b/queue-3.11/mtd-nand-fix-nand_buswidth_auto-for-x16-devices.patch @@ -0,0 +1,67 @@ +From 68e8078072e802e77134664f11d2ffbfbd2f8fbe Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Thu, 18 Jul 2013 01:17:02 -0700 +Subject: mtd: nand: fix NAND_BUSWIDTH_AUTO for x16 devices + +From: Brian Norris + +commit 68e8078072e802e77134664f11d2ffbfbd2f8fbe upstream. + +The code for NAND_BUSWIDTH_AUTO is broken. According to Alexander: + + "I have a problem with attach NAND UBI in 16 bit mode. + NAND works fine if I specify NAND_BUSWIDTH_16 option, but not + working with NAND_BUSWIDTH_AUTO option. In second case NAND + chip is identifyed with ONFI." + +See his report for the rest of the details: + + http://lists.infradead.org/pipermail/linux-mtd/2013-July/047515.html + +Anyway, the problem is that nand_set_defaults() is called twice, we +intend it to reset the chip functions to their x16 buswidth verions +if the buswidth changed from x8 to x16; however, nand_set_defaults() +does exactly nothing if called a second time. + +Fix this by hacking nand_set_defaults() to reset the buswidth-dependent +functions if they were set to the x8 version the first time. Note that +this does not do anything to reset from x16 to x8, but that's not the +supported use case for NAND_BUSWIDTH_AUTO anyway. + +Signed-off-by: Brian Norris +Reported-by: Alexander Shiyan +Tested-by: Alexander Shiyan +Cc: Matthieu Castet +Signed-off-by: Artem Bityutskiy +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_base.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -2793,7 +2793,9 @@ static void nand_set_defaults(struct nan + + if (!chip->select_chip) + chip->select_chip = nand_select_chip; +- if (!chip->read_byte) ++ ++ /* If called twice, pointers that depend on busw may need to be reset */ ++ if (!chip->read_byte || chip->read_byte == nand_read_byte) + chip->read_byte = busw ? nand_read_byte16 : nand_read_byte; + if (!chip->read_word) + chip->read_word = nand_read_word; +@@ -2801,9 +2803,9 @@ static void nand_set_defaults(struct nan + chip->block_bad = nand_block_bad; + if (!chip->block_markbad) + chip->block_markbad = nand_default_block_markbad; +- if (!chip->write_buf) ++ if (!chip->write_buf || chip->write_buf == nand_write_buf) + chip->write_buf = busw ? nand_write_buf16 : nand_write_buf; +- if (!chip->read_buf) ++ if (!chip->read_buf || chip->read_buf == nand_read_buf) + chip->read_buf = busw ? nand_read_buf16 : nand_read_buf; + if (!chip->scan_bbt) + chip->scan_bbt = nand_default_bbt; diff --git a/queue-3.11/ocfs2-fix-the-end-cluster-offset-of-fiemap.patch b/queue-3.11/ocfs2-fix-the-end-cluster-offset-of-fiemap.patch new file mode 100644 index 00000000000..abd74d57f69 --- /dev/null +++ b/queue-3.11/ocfs2-fix-the-end-cluster-offset-of-fiemap.patch @@ -0,0 +1,65 @@ +From 28e8be31803b19d0d8f76216cb11b480b8a98bec Mon Sep 17 00:00:00 2001 +From: Jie Liu +Date: Wed, 11 Sep 2013 14:20:05 -0700 +Subject: ocfs2: fix the end cluster offset of FIEMAP + +From: Jie Liu + +commit 28e8be31803b19d0d8f76216cb11b480b8a98bec upstream. + +Call fiemap ioctl(2) with given start offset as well as an desired mapping +range should show extents if possible. However, we somehow figure out the +end offset of mapping via 'mapping_end -= cpos' before iterating the +extent records which would cause problems if the given fiemap length is +too small to a cluster size, e.g, + +Cluster size 4096: +debugfs.ocfs2 1.6.3 + Block Size Bits: 12 Cluster Size Bits: 12 + +The extended fiemap test utility From David: +https://gist.github.com/anonymous/6172331 + +# dd if=/dev/urandom of=/ocfs2/test_file bs=1M count=1000 +# ./fiemap /ocfs2/test_file 4096 10 +start: 4096, length: 10 +File /ocfs2/test_file has 0 extents: +# Logical Physical Length Flags + ^^^^^ <-- No extent is shown + +In this case, at ocfs2_fiemap(): cpos == mapping_end == 1. Hence the +loop of searching extent records was not executed at all. + +This patch remove the in question 'mapping_end -= cpos', and loops +until the cpos is larger than the mapping_end as usual. + +# ./fiemap /ocfs2/test_file 4096 10 +start: 4096, length: 10 +File /ocfs2/test_file has 1 extents: +# Logical Physical Length Flags +0: 0000000000000000 0000000056a01000 0000000006a00000 0000 + +Signed-off-by: Jie Liu +Reported-by: David Weber +Tested-by: David Weber +Cc: Sunil Mushran +Cc: Mark Fashen +Cc: Joel Becker +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/extent_map.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/ocfs2/extent_map.c ++++ b/fs/ocfs2/extent_map.c +@@ -781,7 +781,6 @@ int ocfs2_fiemap(struct inode *inode, st + cpos = map_start >> osb->s_clustersize_bits; + mapping_end = ocfs2_clusters_for_bytes(inode->i_sb, + map_start + map_len); +- mapping_end -= cpos; + is_last = 0; + while (cpos < mapping_end && !is_last) { + u32 fe_flags; diff --git a/queue-3.11/of-fix-missing-memory-initialization-on-fdt-unflattening.patch b/queue-3.11/of-fix-missing-memory-initialization-on-fdt-unflattening.patch new file mode 100644 index 00000000000..d1ed7bfc450 --- /dev/null +++ b/queue-3.11/of-fix-missing-memory-initialization-on-fdt-unflattening.patch @@ -0,0 +1,33 @@ +From 0640332e073be9207f0784df43595c0c39716e42 Mon Sep 17 00:00:00 2001 +From: Grant Likely +Date: Wed, 28 Aug 2013 21:24:17 +0100 +Subject: of: Fix missing memory initialization on FDT unflattening + +From: Grant Likely + +commit 0640332e073be9207f0784df43595c0c39716e42 upstream. + +Any calls to dt_alloc() need to be zeroed. This is a temporary fix, but +the allocation function itself needs to zero memory before returning +it. This is a follow up to patch 9e4012752, "of: fdt: fix memory +initialization for expanded DT" which fixed one call site but missed +another. + +Signed-off-by: Grant Likely +Acked-by: Wladislav Wiebe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1629,6 +1629,7 @@ void of_alias_scan(void * (*dt_alloc)(u6 + ap = dt_alloc(sizeof(*ap) + len + 1, 4); + if (!ap) + continue; ++ memset(ap, 0, sizeof(*ap) + len + 1); + ap->alias = start; + of_alias_add(ap, np, id, start, len); + } diff --git a/queue-3.11/pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch b/queue-3.11/pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch new file mode 100644 index 00000000000..9c412ce3f0e --- /dev/null +++ b/queue-3.11/pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch @@ -0,0 +1,97 @@ +From a606488513543312805fab2b93070cefe6a3016c Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 29 Aug 2013 13:56:50 -0700 +Subject: pidns: Fix hang in zap_pid_ns_processes by sending a potentially extra wakeup + +From: "Eric W. Biederman" + +commit a606488513543312805fab2b93070cefe6a3016c upstream. + +Serge Hallyn writes: + +> Since commit af4b8a83add95ef40716401395b44a1b579965f4 it's been +> possible to get into a situation where a pidns reaper is +> , reparented to host pid 1, but never reaped. How to +> reproduce this is documented at +> +> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1168526 +> (and see +> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1168526/comments/13) +> In short, run repeated starts of a container whose init is +> +> Process.exit(0); +> +> sysrq-t when such a task is playing zombie shows: +> +> [ 131.132978] init x ffff88011fc14580 0 2084 2039 0x00000000 +> [ 131.132978] ffff880116e89ea8 0000000000000002 ffff880116e89fd8 0000000000014580 +> [ 131.132978] ffff880116e89fd8 0000000000014580 ffff8801172a0000 ffff8801172a0000 +> [ 131.132978] ffff8801172a0630 ffff88011729fff0 ffff880116e14650 ffff88011729fff0 +> [ 131.132978] Call Trace: +> [ 131.132978] [] schedule+0x29/0x70 +> [ 131.132978] [] do_exit+0x6e1/0xa40 +> [ 131.132978] [] ? signal_wake_up_state+0x1e/0x30 +> [ 131.132978] [] do_group_exit+0x3f/0xa0 +> [ 131.132978] [] SyS_exit_group+0x14/0x20 +> [ 131.132978] [] tracesys+0xe1/0xe6 +> +> Further debugging showed that every time this happened, zap_pid_ns_processes() +> started with nr_hashed being 3, while we were expecting it to drop to 2. +> Any time it didn't happen, nr_hashed was 1 or 2. So the reaper was +> waiting for nr_hashed to become 2, but free_pid() only wakes the reaper +> if nr_hashed hits 1. + +The issue is that when the task group leader of an init process exits +before other tasks of the init process when the init process finally +exits it will be a secondary task sleeping in zap_pid_ns_processes and +waiting to wake up when the number of hashed pids drops to two. This +case waits forever as free_pid only sends a wake up when the number of +hashed pids drops to 1. + +To correct this the simple strategy of sending a possibly unncessary +wake up when the number of hashed pids drops to 2 is adopted. + +Sending one extraneous wake up is relatively harmless, at worst we +waste a little cpu time in the rare case when a pid namespace +appropaches exiting. + +We can detect the case when the pid namespace drops to just two pids +hashed race free in free_pid. + +Dereferencing pid_ns->child_reaper with the pidmap_lock held is safe +without out the tasklist_lock because it is guaranteed that the +detach_pid will be called on the child_reaper before it is freed and +detach_pid calls __change_pid which calls free_pid which takes the +pidmap_lock. __change_pid only calls free_pid if this is the +last use of the pid. For a thread that is not the thread group leader +the threads pid will only ever have one user because a threads pid +is not allowed to be the pid of a process, of a process group or +a session. For a thread that is a thread group leader all of +the other threads of that process will be reaped before it is allowed +for the thread group leader to be reaped ensuring there will only +be one user of the threads pid as a process pid. Furthermore +because the thread is the init process of a pid namespace all of the +other processes in the pid namespace will have also been already freed +leading to the fact that the pid will not be used as a session pid or +a process group pid for any other running process. + +Acked-by: Serge Hallyn +Tested-by: Serge Hallyn +Reported-by: Serge Hallyn +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/pid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -265,6 +265,7 @@ void free_pid(struct pid *pid) + struct pid_namespace *ns = upid->ns; + hlist_del_rcu(&upid->pid_chain); + switch(--ns->nr_hashed) { ++ case 2: + case 1: + /* When all that is left in the pid namespace + * is the reaper wake up the reaper. The reaper diff --git a/queue-3.11/pidns-fix-vfork-after-unshare-clone_newpid.patch b/queue-3.11/pidns-fix-vfork-after-unshare-clone_newpid.patch new file mode 100644 index 00000000000..d3ae63c76b4 --- /dev/null +++ b/queue-3.11/pidns-fix-vfork-after-unshare-clone_newpid.patch @@ -0,0 +1,63 @@ +From e79f525e99b04390ca4d2366309545a836c03bf1 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Wed, 11 Sep 2013 14:19:38 -0700 +Subject: pidns: fix vfork() after unshare(CLONE_NEWPID) + +From: Oleg Nesterov + +commit e79f525e99b04390ca4d2366309545a836c03bf1 upstream. + +Commit 8382fcac1b81 ("pidns: Outlaw thread creation after +unshare(CLONE_NEWPID)") nacks CLONE_VM if the forking process unshared +pid_ns, this obviously breaks vfork: + + int main(void) + { + assert(unshare(CLONE_NEWUSER | CLONE_NEWPID) == 0); + assert(vfork() >= 0); + _exit(0); + return 0; + } + +fails without this patch. + +Change this check to use CLONE_SIGHAND instead. This also forbids +CLONE_THREAD automatically, and this is what the comment implies. + +We could probably even drop CLONE_SIGHAND and use CLONE_THREAD, but it +would be safer to not do this. The current check denies CLONE_SIGHAND +implicitely and there is no reason to change this. + +Eric said "CLONE_SIGHAND is fine. CLONE_THREAD would be even better. +Having shared signal handling between two different pid namespaces is +the case that we are fundamentally guarding against." + +Signed-off-by: Oleg Nesterov +Reported-by: Colin Walters +Acked-by: Andy Lutomirski +Reviewed-by: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1173,10 +1173,11 @@ static struct task_struct *copy_process( + return ERR_PTR(-EINVAL); + + /* +- * If the new process will be in a different pid namespace +- * don't allow the creation of threads. ++ * If the new process will be in a different pid namespace don't ++ * allow it to share a thread group or signal handlers with the ++ * forking task. + */ +- if ((clone_flags & (CLONE_VM|CLONE_NEWPID)) && ++ if ((clone_flags & (CLONE_SIGHAND | CLONE_NEWPID)) && + (task_active_pid_ns(current) != + current->nsproxy->pid_ns_for_children)) + return ERR_PTR(-EINVAL); diff --git a/queue-3.11/proc-restrict-mounting-the-proc-filesystem.patch b/queue-3.11/proc-restrict-mounting-the-proc-filesystem.patch new file mode 100644 index 00000000000..c8dbbbbc797 --- /dev/null +++ b/queue-3.11/proc-restrict-mounting-the-proc-filesystem.patch @@ -0,0 +1,38 @@ +From aee1c13dd0f6c2fc56e0e492b349ee8ac655880f Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 25 Mar 2013 19:57:10 -0700 +Subject: proc: Restrict mounting the proc filesystem + +From: "Eric W. Biederman" + +commit aee1c13dd0f6c2fc56e0e492b349ee8ac655880f upstream. + +Don't allow mounting the proc filesystem unless the caller has +CAP_SYS_ADMIN rights over the pid namespace. The principle here is if +you create or have capabilities over it you can mount it, otherwise +you get to live with what other people have mounted. + +Andy pointed out that this is needed to prevent users in a user +namespace from remounting proc and specifying different hidepid and gid +options on already existing proc mounts. + +Reported-by: Andy Lutomirski +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/root.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/proc/root.c ++++ b/fs/proc/root.c +@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct + ns = task_active_pid_ns(current); + options = data; + +- if (!current_user_ns()->may_mount_proc) ++ if (!current_user_ns()->may_mount_proc || ++ !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) + return ERR_PTR(-EPERM); + } + diff --git a/queue-3.11/rbd-fix-i-o-error-propagation-for-reads.patch b/queue-3.11/rbd-fix-i-o-error-propagation-for-reads.patch new file mode 100644 index 00000000000..fff9246a380 --- /dev/null +++ b/queue-3.11/rbd-fix-i-o-error-propagation-for-reads.patch @@ -0,0 +1,74 @@ +From 17c1cc1d9293a568a00545469078e29555cc7f39 Mon Sep 17 00:00:00 2001 +From: Josh Durgin +Date: Mon, 26 Aug 2013 17:55:38 -0700 +Subject: rbd: fix I/O error propagation for reads + +From: Josh Durgin + +commit 17c1cc1d9293a568a00545469078e29555cc7f39 upstream. + +When a request returns an error, the driver needs to report the entire +extent of the request as completed. Writes already did this, since +they always set xferred = length, but reads were skipping that step if +an error other than -ENOENT occurred. Instead, rbd would end up +passing 0 xferred to blk_end_request(), which would always report +needing more data. This resulted in an assert failing when more data +was required by the block layer, but all the object requests were +done: + +[ 1868.719077] rbd: obj_request read result -108 xferred 0 +[ 1868.719077] +[ 1868.719518] end_request: I/O error, dev rbd1, sector 0 +[ 1868.719739] +[ 1868.719739] Assertion failure in rbd_img_obj_callback() at line 1736: +[ 1868.719739] +[ 1868.719739] rbd_assert(more ^ (which == img_request->obj_request_count)); + +Without this assert, reads that hit errors would hang forever, since +the block layer considered them incomplete. + +Fixes: http://tracker.ceph.com/issues/5647 +Signed-off-by: Josh Durgin +Reviewed-by: Alex Elder +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -1557,11 +1557,12 @@ rbd_img_obj_request_read_callback(struct + obj_request, obj_request->img_request, obj_request->result, + xferred, length); + /* +- * ENOENT means a hole in the image. We zero-fill the +- * entire length of the request. A short read also implies +- * zero-fill to the end of the request. Either way we +- * update the xferred count to indicate the whole request +- * was satisfied. ++ * ENOENT means a hole in the image. We zero-fill the entire ++ * length of the request. A short read also implies zero-fill ++ * to the end of the request. An error requires the whole ++ * length of the request to be reported finished with an error ++ * to the block layer. In each case we update the xferred ++ * count to indicate the whole request was satisfied. + */ + rbd_assert(obj_request->type != OBJ_REQUEST_NODATA); + if (obj_request->result == -ENOENT) { +@@ -1570,14 +1571,13 @@ rbd_img_obj_request_read_callback(struct + else + zero_pages(obj_request->pages, 0, length); + obj_request->result = 0; +- obj_request->xferred = length; + } else if (xferred < length && !obj_request->result) { + if (obj_request->type == OBJ_REQUEST_BIO) + zero_bio_chain(obj_request->bio_list, xferred); + else + zero_pages(obj_request->pages, xferred, length); +- obj_request->xferred = length; + } ++ obj_request->xferred = length; + obj_request_done_set(obj_request); + } + diff --git a/queue-3.11/series b/queue-3.11/series index 85c50e846f0..5b63b52e501 100644 --- a/queue-3.11/series +++ b/queue-3.11/series @@ -81,3 +81,37 @@ hid-battery-don-t-do-dma-from-stack.patch hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch hid-check-for-null-field-when-setting-values.patch hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch +media-exynos4-is-fix-fimc-lite-bayer-formats.patch +media-exynos-gsc-register-v4l2-device.patch +media-exynos4-is-fix-entity-unregistration-on-error-path.patch +media-cx88-fix-regression-cx88_audio_wm8775-can-t-be-0.patch +media-mb86a20s-fix-ts-parallel-mode.patch +media-siano-fix-divide-error-on-0-counters.patch +btrfs-don-t-allow-the-replace-procedure-on-read-only-filesystems.patch +uprobes-fix-utask-depth-accounting-in-handle_trampoline.patch +leds-wm831x-status-request-a-reg-resource.patch +mips-ath79-fix-ar933x-watchdog-clock.patch +target-fix-v3.9-regression-in-pr-aptpl-alua-metadata-write-out.patch +intel-iommu-fix-leaks-in-pagetable-freeing.patch +pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch +pidns-fix-vfork-after-unshare-clone_newpid.patch +ocfs2-fix-the-end-cluster-offset-of-fiemap.patch +memcg-fix-multiple-large-threshold-notifications.patch +mm-huge_memory.c-fix-potential-null-pointer-dereference.patch +proc-restrict-mounting-the-proc-filesystem.patch +isofs-refuse-rw-mount-of-the-filesystem-instead-of-making-it-ro.patch +amd64_edac-fix-single-channel-setups.patch +drm-edid-add-quirk-for-medion-md30217pg.patch +um-implement-probe_kernel_read.patch +libceph-unregister-request-in-__map_request-failed-and-nofail-false.patch +libceph-use-pg_num_mask-instead-of-pgp_num_mask-for-pg.seed-calc.patch +ceph-don-t-forget-the-up_read-osdc-map_sem-if-met-error.patch +rbd-fix-i-o-error-propagation-for-reads.patch +mmc-tmio_mmc_dma-fix-pio-fallback-on-sdhi.patch +of-fix-missing-memory-initialization-on-fdt-unflattening.patch +mtd-nand-fix-nand_buswidth_auto-for-x16-devices.patch +clk-wm831x-initialise-wm831x-pointer-on-init.patch +fuse-postpone-end_page_writeback-in-fuse_writepage_locked.patch +fuse-invalidate-inode-attributes-on-xattr-modification.patch +fuse-hotfix-truncate_pagecache-issue.patch +fuse-readdir-check-for-slash-in-names.patch diff --git a/queue-3.11/target-fix-v3.9-regression-in-pr-aptpl-alua-metadata-write-out.patch b/queue-3.11/target-fix-v3.9-regression-in-pr-aptpl-alua-metadata-write-out.patch new file mode 100644 index 00000000000..23ba54a6a73 --- /dev/null +++ b/queue-3.11/target-fix-v3.9-regression-in-pr-aptpl-alua-metadata-write-out.patch @@ -0,0 +1,69 @@ +From f730f9158f6ee7b5c4d892af6b51a72194445ea4 Mon Sep 17 00:00:00 2001 +From: Gera Kazakov +Date: Mon, 9 Sep 2013 15:47:06 -0700 +Subject: target: Fix >= v3.9+ regression in PR APTPL + ALUA metadata write-out + +From: Gera Kazakov + +commit f730f9158f6ee7b5c4d892af6b51a72194445ea4 upstream. + +This patch fixes a >= v3.9+ regression in __core_scsi3_write_aptpl_to_file() ++ core_alua_write_tpg_metadata() write-out, where a return value of -EIO was +incorrectly being returned upon success. + +This bug was originally introduced in: + +commit 0e9b10a90f1c30f25dd6f130130240745ab14010 +Author: Al Viro +Date: Sat Feb 23 15:22:43 2013 -0500 + + target: writev() on single-element vector is pointless + +However, given that the return of core_scsi3_update_and_write_aptpl() +was not used to determine if a command should be returned with non GOOD +status, this bug was not being triggered in PR logic until v3.11-rc1 by +commit: + +commit 459f213ba162bd13e113d6f92a8fa6c780fd67ed +Author: Andy Grover +Date: Thu May 16 10:41:02 2013 -0700 + + target: Allocate aptpl_buf inside update_and_write_aptpl() + +So, go ahead and only return -EIO if kernel_write() returned a +negative value. + +Reported-by: Gera Kazakov +Signed-off-by: Gera Kazakov +Cc: Al Viro +Cc: Andy Grover +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_alua.c | 2 +- + drivers/target/target_core_pr.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/target/target_core_alua.c ++++ b/drivers/target/target_core_alua.c +@@ -730,7 +730,7 @@ static int core_alua_write_tpg_metadata( + if (ret < 0) + pr_err("Error writing ALUA metadata file: %s\n", path); + fput(file); +- return ret ? -EIO : 0; ++ return (ret < 0) ? -EIO : 0; + } + + /* +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -1949,7 +1949,7 @@ static int __core_scsi3_write_aptpl_to_f + pr_debug("Error writing APTPL metadata file: %s\n", path); + fput(file); + +- return ret ? -EIO : 0; ++ return (ret < 0) ? -EIO : 0; + } + + /* diff --git a/queue-3.11/um-implement-probe_kernel_read.patch b/queue-3.11/um-implement-probe_kernel_read.patch new file mode 100644 index 00000000000..307623e21e3 --- /dev/null +++ b/queue-3.11/um-implement-probe_kernel_read.patch @@ -0,0 +1,147 @@ +From f75b1b1bedfb498cc43a992ce4d7ed8df3b1e770 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sat, 17 Aug 2013 18:46:00 +0200 +Subject: um: Implement probe_kernel_read() + +From: Richard Weinberger + +commit f75b1b1bedfb498cc43a992ce4d7ed8df3b1e770 upstream. + +UML needs it's own probe_kernel_read() to handle kernel +mode faults correctly. +The implementation uses mincore() on the host side to detect +whether a page is owned by the UML kernel process. + +This fixes also a possible crash when sysrq-t is used. +Starting with 3.10 sysrq-t calls probe_kernel_read() to +read details from the kernel workers. As kernel worker are +completely async pointers may turn NULL while reading them. + +Signed-off-by: Richard Weinberger +Cc: +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/include/shared/os.h | 1 + arch/um/kernel/Makefile | 2 - + arch/um/kernel/maccess.c | 24 ++++++++++++++++++++ + arch/um/os-Linux/process.c | 52 ++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 78 insertions(+), 1 deletion(-) + +--- a/arch/um/include/shared/os.h ++++ b/arch/um/include/shared/os.h +@@ -200,6 +200,7 @@ extern int os_unmap_memory(void *addr, i + extern int os_drop_memory(void *addr, int length); + extern int can_drop_memory(void); + extern void os_flush_stdout(void); ++extern int os_mincore(void *addr, unsigned long len); + + /* execvp.c */ + extern int execvp_noalloc(char *buf, const char *file, char *const argv[]); +--- a/arch/um/kernel/Makefile ++++ b/arch/um/kernel/Makefile +@@ -13,7 +13,7 @@ clean-files := + obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \ + physmem.o process.o ptrace.o reboot.o sigio.o \ + signal.o smp.o syscall.o sysrq.o time.o tlb.o trap.o \ +- um_arch.o umid.o skas/ ++ um_arch.o umid.o maccess.o skas/ + + obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o + obj-$(CONFIG_GPROF) += gprof_syms.o +--- /dev/null ++++ b/arch/um/kernel/maccess.c +@@ -0,0 +1,24 @@ ++/* ++ * Copyright (C) 2013 Richard Weinberger ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++ ++#include ++#include ++#include ++ ++long probe_kernel_read(void *dst, const void *src, size_t size) ++{ ++ void *psrc = (void *)rounddown((unsigned long)src, PAGE_SIZE); ++ ++ if ((unsigned long)src < PAGE_SIZE || size <= 0) ++ return -EFAULT; ++ ++ if (os_mincore(psrc, size + src - psrc) <= 0) ++ return -EFAULT; ++ ++ return __probe_kernel_read(dst, src, size); ++} +--- a/arch/um/os-Linux/process.c ++++ b/arch/um/os-Linux/process.c +@@ -4,6 +4,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -232,6 +233,57 @@ out: + return ok; + } + ++static int os_page_mincore(void *addr) ++{ ++ char vec[2]; ++ int ret; ++ ++ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec); ++ if (ret < 0) { ++ if (errno == ENOMEM || errno == EINVAL) ++ return 0; ++ else ++ return -errno; ++ } ++ ++ return vec[0] & 1; ++} ++ ++int os_mincore(void *addr, unsigned long len) ++{ ++ char *vec; ++ int ret, i; ++ ++ if (len <= UM_KERN_PAGE_SIZE) ++ return os_page_mincore(addr); ++ ++ vec = calloc(1, (len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); ++ if (!vec) ++ return -ENOMEM; ++ ++ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec); ++ if (ret < 0) { ++ if (errno == ENOMEM || errno == EINVAL) ++ ret = 0; ++ else ++ ret = -errno; ++ ++ goto out; ++ } ++ ++ for (i = 0; i < ((len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); i++) { ++ if (!(vec[i] & 1)) { ++ ret = 0; ++ goto out; ++ } ++ } ++ ++ ret = 1; ++out: ++ free(vec); ++ return ret; ++} ++ + void init_new_thread_signals(void) + { + set_handler(SIGSEGV); diff --git a/queue-3.11/uprobes-fix-utask-depth-accounting-in-handle_trampoline.patch b/queue-3.11/uprobes-fix-utask-depth-accounting-in-handle_trampoline.patch new file mode 100644 index 00000000000..bda0d8a427f --- /dev/null +++ b/queue-3.11/uprobes-fix-utask-depth-accounting-in-handle_trampoline.patch @@ -0,0 +1,49 @@ +From 878b5a6efd38030c7a90895dc8346e8fb1e09b4c Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Wed, 11 Sep 2013 17:47:26 +0200 +Subject: uprobes: Fix utask->depth accounting in handle_trampoline() + +From: Oleg Nesterov + +commit 878b5a6efd38030c7a90895dc8346e8fb1e09b4c upstream. + +Currently utask->depth is simply the number of allocated/pending +return_instance's in uprobe_task->return_instances list. + +handle_trampoline() should decrement this counter every time we +handle/free an instance, but due to typo it does this only if +->chained == T. This means that in the likely case this counter +is never decremented and the probed task can't report more than +MAX_URETPROBE_DEPTH events. + +Reported-by: Mikhail Kulemin +Reported-by: Hemant Kumar Shaw +Signed-off-by: Oleg Nesterov +Acked-by: Anton Arapov +Cc: masami.hiramatsu.pt@hitachi.com +Cc: srikar@linux.vnet.ibm.com +Cc: systemtap@sourceware.org +Link: http://lkml.kernel.org/r/20130911154726.GA8093@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/uprobes.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -1682,12 +1682,10 @@ static bool handle_trampoline(struct pt_ + tmp = ri; + ri = ri->next; + kfree(tmp); ++ utask->depth--; + + if (!chained) + break; +- +- utask->depth--; +- + BUG_ON(!ri); + } +