From: Greg Kroah-Hartman Date: Sun, 1 Dec 2013 04:51:26 +0000 (-0800) Subject: 3.12-stable patches X-Git-Tag: v3.4.72~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e9f1e9d438add074e91bf84622a3f930f91e068;p=thirdparty%2Fkernel%2Fstable-queue.git 3.12-stable patches added patches: ahci-add-device-ids-for-intel-wildcat-point-lp.patch ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch ahci-add-support-for-ibm-akebono-platform-device.patch ahci-disabled-fbs-prior-to-issuing-software-reset.patch ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch ib-qib-convert-qib_user_sdma_pin_pages-to-use-get_user_pages_fast.patch ib-qib-fix-txselect-regression.patch ib-srp-avoid-offlining-operational-scsi-devices.patch ib-srp-remove-target-from-list-before-freeing-scsi_host-structure.patch ib-srp-report-receive-errors-correctly.patch ipc-msg-fix-message-length-check-for-negative-values.patch iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch loop-fix-crash-if-blk_alloc_queue-fails.patch loop-fix-crash-when-using-unassigned-loop-device.patch mtd-atmel_nand-fix-bug-driver-will-in-a-dead-lock-if-no-nand-detected.patch mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch mtd-gpmi-fix-the-null-pointer.patch mtd-m25p80-fix-allocation-size.patch mtd-map-fixed-bug-in-64-bit-systems.patch mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch rtlwifi-fix-endian-error-in-extracting-packet-type.patch rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch rtlwifi-rtl8192se-fix-wrong-assignment.patch xen-blkback-fix-reference-counting.patch --- 
diff --git a/queue-3.12/ahci-add-device-ids-for-intel-wildcat-point-lp.patch b/queue-3.12/ahci-add-device-ids-for-intel-wildcat-point-lp.patch new file mode 100644 index 00000000000..9c6cd1d241d --- /dev/null +++ b/queue-3.12/ahci-add-device-ids-for-intel-wildcat-point-lp.patch @@ -0,0 +1,32 @@ +From 9f961a5f6efc87a79571d7166257b36af28ffcfe Mon Sep 17 00:00:00 2001 +From: James Ralston +Date: Mon, 4 Nov 2013 09:24:58 -0800 +Subject: ahci: Add Device IDs for Intel Wildcat Point-LP + +From: James Ralston + +commit 9f961a5f6efc87a79571d7166257b36af28ffcfe upstream. + +This patch adds the AHCI-mode SATA Device IDs for the Intel Wildcat Point-LP PCH. + +Signed-off-by: James Ralston +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -292,6 +292,10 @@ static const struct pci_device_id ahci_p + { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */ + { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */ + { PCI_VDEVICE(INTEL, 0x23a3), board_ahci }, /* Coleto Creek AHCI */ ++ { PCI_VDEVICE(INTEL, 0x9c83), board_ahci }, /* Wildcat Point-LP AHCI */ ++ { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, diff --git a/queue-3.12/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch b/queue-3.12/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch new file mode 100644 index 00000000000..3fbbc58a779 --- /dev/null +++ b/queue-3.12/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch 
@@ -0,0 +1,31 @@ +From 6d5278a68a75891db1df5ae1ecf83d288fc58c65 Mon Sep 17 00:00:00 2001 +From: Samir Benmendil +Date: Sun, 17 Nov 2013 23:56:17 +0100 +Subject: ahci: add Marvell 9230 to the AHCI PCI device list + +From: Samir Benmendil + +commit 6d5278a68a75891db1df5ae1ecf83d288fc58c65 upstream. + +Tested with a DAWICONTROL DC-624e on 3.10.10 + +Signed-off-by: Samir Benmendil +Signed-off-by: Tejun Heo +Reviewed-by: Levente Kurusa +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -435,6 +435,8 @@ static const struct pci_device_id ahci_p + .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3), + .driver_data = board_ahci_yes_fbs }, ++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), ++ .driver_data = board_ahci_yes_fbs }, + + /* Promise */ + { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ diff --git a/queue-3.12/ahci-add-support-for-ibm-akebono-platform-device.patch b/queue-3.12/ahci-add-support-for-ibm-akebono-platform-device.patch new file mode 100644 index 00000000000..85a957ed7a7 --- /dev/null +++ b/queue-3.12/ahci-add-support-for-ibm-akebono-platform-device.patch 
@@ -0,0 +1,31 @@ +From 2435dcb98cfe13c246aa27df393e22bc24bbcd20 Mon Sep 17 00:00:00 2001 +From: Alistair Popple +Date: Fri, 22 Nov 2013 13:08:29 +1100 +Subject: ahci: add support for IBM Akebono platform device + +From: Alistair Popple + +commit 2435dcb98cfe13c246aa27df393e22bc24bbcd20 upstream. + +The new IBM Akebono board has a PPC476GTR SoC with an AHCI compliant +SATA controller. This patch adds a compatible property for the new SoC +to the AHCI platform driver. + +Signed-off-by: Alistair Popple +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci_platform.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/ahci_platform.c ++++ b/drivers/ata/ahci_platform.c +@@ -328,6 +328,7 @@ static SIMPLE_DEV_PM_OPS(ahci_pm_ops, ah + static const struct of_device_id ahci_of_match[] = { + { .compatible = "snps,spear-ahci", }, + { .compatible = "snps,exynos5440-ahci", }, ++ { .compatible = "ibm,476gtr-ahci", }, + {}, + }; + MODULE_DEVICE_TABLE(of, ahci_of_match); diff --git a/queue-3.12/ahci-disabled-fbs-prior-to-issuing-software-reset.patch b/queue-3.12/ahci-disabled-fbs-prior-to-issuing-software-reset.patch new file mode 100644 index 00000000000..ff019b69da3 --- /dev/null +++ b/queue-3.12/ahci-disabled-fbs-prior-to-issuing-software-reset.patch 
@@ -0,0 +1,127 @@ +From 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 Mon Sep 17 00:00:00 2001 +From: xiangliang yu +Date: Sun, 27 Oct 2013 08:03:04 -0400 +Subject: ahci: disabled FBS prior to issuing software reset + +From: xiangliang yu + +commit 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 upstream. + +Tested with Marvell 88se9125, attached with one port mulitplier(5 ports) +and one disk, we will get following boot log messages if using current +code: + + ata8: SATA link up 6.0 Gbps (SStatus 133 SControl 330) + ata8.15: Port Multiplier 1.2, 0x1b4b:0x9715 r160, 5 ports, feat 0x1/0x1f + ahci 0000:03:00.0: FBS is enabled + ata8.00: hard resetting link + ata8.00: SATA link down (SStatus 0 SControl 330) + ata8.01: hard resetting link + ata8.01: SATA link down (SStatus 0 SControl 330) + ata8.02: hard resetting link + ata8.02: SATA link down (SStatus 0 SControl 330) + ata8.03: hard resetting link + ata8.03: SATA link up 6.0 Gbps (SStatus 133 SControl 133) + ata8.04: hard resetting link + ata8.04: failed to resume link (SControl 133) + ata8.04: failed to read SCR 0 (Emask=0x40) + ata8.04: failed to read SCR 0 (Emask=0x40) + ata8.04: failed to read SCR 1 (Emask=0x40) + ata8.04: failed to read SCR 0 (Emask=0x40) + ata8.03: native sectors (2) is smaller than sectors (976773168) + ata8.03: ATA-8: ST3500413AS, JC4B, max UDMA/133 + ata8.03: 976773168 sectors, multi 0: LBA48 NCQ (depth 31/32) + ata8.03: configured for UDMA/133 + ata8.04: failed to IDENTIFY (I/O error, err_mask=0x100) + ata8.15: hard resetting link + ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330) + ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133' + ata8.15: PMP revalidation failed (errno=-19) + ata8.15: hard resetting link + ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330) + ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133' + ata8.15: PMP revalidation failed (errno=-19) + ata8.15: limiting SATA link speed to 3.0 Gbps + ata8.15: hard resetting link + ata8.15: SATA link up 3.0 
Gbps (SStatus 123 SControl 320) + ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133' + ata8.15: PMP revalidation failed (errno=-19) + ata8.15: failed to recover PMP after 5 tries, giving up + ata8.15: Port Multiplier detaching + ata8.03: disabled + ata8.00: disabled + ata8: EH complete + +The reason is that current detection code doesn't follow AHCI spec: + +First,the port multiplier detection process look like this: + + ahci_hardreset(link, class, deadline) + if (class == ATA_DEV_PMP) { + sata_pmp_attach(dev) /* will enable FBS */ + sata_pmp_init_links(ap, nr_ports); + ata_for_each_link(link, ap, EDGE) { + sata_std_hardreset(link, class, deadline); + if (link_is_online) /* do soft reset */ + ahci_softreset(link, class, deadline); + } + } +But, according to chapter 9.3.9 in AHCI spec: Prior to issuing software +reset, software shall clear PxCMD.ST to '0' and then clear PxFBS.EN to +'0'. + +The patch test ok with kernel 3.11.1. + +tj: Patch white space contaminated, applied manually with trivial + updates. + +Signed-off-by: Xiangliang Yu +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libahci.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -1275,9 +1275,11 @@ int ahci_do_softreset(struct ata_link *l + { + struct ata_port *ap = link->ap; + struct ahci_host_priv *hpriv = ap->host->private_data; ++ struct ahci_port_priv *pp = ap->private_data; + const char *reason = NULL; + unsigned long now, msecs; + struct ata_taskfile tf; ++ bool fbs_disabled = false; + int rc; + + DPRINTK("ENTER\n"); +@@ -1287,6 +1289,16 @@ int ahci_do_softreset(struct ata_link *l + if (rc && rc != -EOPNOTSUPP) + ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc); + ++ /* ++ * According to AHCI-1.2 9.3.9: if FBS is enable, software shall ++ * clear PxFBS.EN to '0' prior to issuing software reset to devices ++ * that is attached to port multiplier. 
++ */ ++ if (!ata_is_host_link(link) && pp->fbs_enabled) { ++ ahci_disable_fbs(ap); ++ fbs_disabled = true; ++ } ++ + ata_tf_init(link->device, &tf); + + /* issue the first D2H Register FIS */ +@@ -1327,6 +1339,10 @@ int ahci_do_softreset(struct ata_link *l + } else + *class = ahci_dev_classify(ap); + ++ /* re-enable FBS if disabled before */ ++ if (fbs_disabled) ++ ahci_enable_fbs(ap); ++ + DPRINTK("EXIT, class=%u\n", *class); + return 0; + diff --git a/queue-3.12/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch b/queue-3.12/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch new file mode 100644 index 00000000000..ef960443767 --- /dev/null +++ b/queue-3.12/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch @@ -0,0 +1,27 @@ +From dcb9917ba041866686fe152850364826c4622a36 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 31 Oct 2013 23:00:24 -0400 +Subject: ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea() + +From: Theodore Ts'o + +commit dcb9917ba041866686fe152850364826c4622a36 upstream. + +Reported-by: Dave Jones +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1352,6 +1352,7 @@ retry: + new_extra_isize = s_min_extra_isize; + kfree(is); is = NULL; + kfree(bs); bs = NULL; ++ brelse(bh); + goto retry; + } + error = -1; diff --git a/queue-3.12/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch b/queue-3.12/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch new file mode 100644 index 00000000000..6f4e7a3a15d --- /dev/null +++ b/queue-3.12/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch 
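Review bot: FBS is re-enabled only by the added `if (fbs_disabled) ahci_enable_fbs(ap);` just before the successful `return 0` in ahci_do_softreset(). The code between the two inner hunks is not shown, but if it has an error exit that skips this point, a failed soft reset leaves the port with FBS switched off. Either restore it on that exit as well with the same `if (fbs_disabled) ahci_enable_fbs(ap);`, or add a comment saying why FBS is intentionally left disabled after a failure. The added block comment would also read better as `if FBS is enabled, software shall clear PxFBS.EN ... to devices that are attached to a port multiplier`.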
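Review bot: The added `brelse(bh);` in the retry branch leaves `bh` holding the released pointer, whereas the two lines above it reset `is` and `bs` to NULL after freeing them. If any path after `retry:` can reach the function's cleanup before `bh` is reassigned (not visible in this hunk), the buffer head would be released twice. Writing `brelse(bh); bh = NULL;` keeps the three releases consistent and rules that out. ext4_expand_extra_isize_ea() extends beyond the hunk on both sides.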
@@ -0,0 +1,58 @@ +From 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 4 Oct 2013 09:29:06 -0400 +Subject: IB/ipath: Convert ipath_user_sdma_pin_pages() to use get_user_pages_fast() + +From: Jan Kara + +commit 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 upstream. + +ipath_user_sdma_queue_pkts() gets called with mmap_sem held for +writing. Except for get_user_pages() deep down in +ipath_user_sdma_pin_pages() we don't seem to need mmap_sem at all. + +Even more interestingly the function ipath_user_sdma_queue_pkts() (and +also ipath_user_sdma_coalesce() called somewhat later) call +copy_from_user() which can hit a page fault and we deadlock on trying +to get mmap_sem when handling that fault. So just make +ipath_user_sdma_pin_pages() use get_user_pages_fast() and leave +mmap_sem locking for mm. + +This deadlock has actually been observed in the wild when the node +is under memory pressure. + +Signed-off-by: Jan Kara +Signed-off-by: Mike Marciniszyn +[ Merged in fix for call to get_user_pages_fast from Tetsuo Handa + . - Roland ] +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/ipath/ipath_user_sdma.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c ++++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c +@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(con + int j; + int ret; + +- ret = get_user_pages(current, current->mm, addr, +- npages, 0, 1, pages, NULL); +- ++ ret = get_user_pages_fast(addr, npages, 0, pages); + if (ret != npages) { + int i; + +@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_ + while (dim) { + const int mxp = 8; + +- down_write(¤t->mm->mmap_sem); + ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp); +- up_write(¤t->mm->mmap_sem); +- + if (ret <= 0) + goto done_unlock; + else { 
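Review bot: The replacement call `get_user_pages_fast(addr, npages, 0, pages)` no longer requests `force`, which the removed `get_user_pages(current, current->mm, addr, npages, 0, 1, pages, NULL)` call passed as 1, and the commit message does not mention this. It looks harmless for a send path that only reads user memory, but it is a behaviour change for mappings that could previously be pinned only with force set. A changelog line or a comment such as `/* read-only pin; force is no longer requested */` would record that it is deliberate. The same applies to `get_user_pages_fast(addr, j, 0, pages)` in the qib_user_sdma_pin_pages() hunk of the next patch; both functions continue outside their hunks.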
diff --git a/queue-3.12/ib-qib-convert-qib_user_sdma_pin_pages-to-use-get_user_pages_fast.patch b/queue-3.12/ib-qib-convert-qib_user_sdma_pin_pages-to-use-get_user_pages_fast.patch
new file mode 100644
index 00000000000..13c010aac51
--- /dev/null
+++ b/queue-3.12/ib-qib-convert-qib_user_sdma_pin_pages-to-use-get_user_pages_fast.patch
@@ -0,0 +1,56 @@ +From 603e7729920e42b3c2f4dbfab9eef4878cb6e8fa Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 4 Oct 2013 09:29:12 -0400 +Subject: IB/qib: Convert qib_user_sdma_pin_pages() to use get_user_pages_fast() + +From: Jan Kara + +commit 603e7729920e42b3c2f4dbfab9eef4878cb6e8fa upstream. + +qib_user_sdma_queue_pkts() gets called with mmap_sem held for +writing. Except for get_user_pages() deep down in +qib_user_sdma_pin_pages() we don't seem to need mmap_sem at all. Even +more interestingly the function qib_user_sdma_queue_pkts() (and also +qib_user_sdma_coalesce() called somewhat later) call copy_from_user() +which can hit a page fault and we deadlock on trying to get mmap_sem +when handling that fault. + +So just make qib_user_sdma_pin_pages() use get_user_pages_fast() and +leave mmap_sem locking for mm. + +This deadlock has actually been observed in the wild when the node +is under memory pressure. + +Reviewed-by: Mike Marciniszyn +Signed-off-by: Jan Kara +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib_user_sdma.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib_user_sdma.c ++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c +@@ -594,8 +594,7 @@ static int qib_user_sdma_pin_pages(const + else + j = npages; + +- ret = get_user_pages(current, current->mm, addr, +- j, 0, 1, pages, NULL); ++ ret = get_user_pages_fast(addr, j, 0, pages); + if (ret != j) { + i = 0; + j = ret; +@@ -1294,11 +1293,8 @@ int qib_user_sdma_writev(struct qib_ctxt + int mxp = 8; + int ndesc = 0; + +- down_write(¤t->mm->mmap_sem); + ret = qib_user_sdma_queue_pkts(dd, ppd, pq, + iov, dim, &list, &mxp, &ndesc); +- up_write(¤t->mm->mmap_sem); +- + if (ret < 0) + goto done_unlock; + else { diff --git a/queue-3.12/ib-qib-fix-txselect-regression.patch b/queue-3.12/ib-qib-fix-txselect-regression.patch new file mode 100644 index 00000000000..3a14b85f6a6 --- /dev/null 
+++ b/queue-3.12/ib-qib-fix-txselect-regression.patch @@ -0,0 +1,52 @@ +From 2fadd83184d58701f1116ca578465b5a75f9417c Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Fri, 25 Oct 2013 11:17:59 -0400 +Subject: IB/qib: Fix txselect regression + +From: Mike Marciniszyn + +commit 2fadd83184d58701f1116ca578465b5a75f9417c upstream. + +Commit 7fac33014f54("IB/qib: checkpatch fixes") was overzealous in +removing a simple_strtoul for a parse routine, setup_txselect(). That +routine is required to handle a multi-value string. + +Unwind that aspect of the fix. + +Signed-off-by: Mike Marciniszyn +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib_iba7322.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib_iba7322.c ++++ b/drivers/infiniband/hw/qib/qib_iba7322.c +@@ -6190,21 +6190,20 @@ static int setup_txselect(const char *st + { + struct qib_devdata *dd; + unsigned long val; +- int ret; +- ++ char *n; + if (strlen(str) >= MAX_ATTEN_LEN) { + pr_info("txselect_values string too long\n"); + return -ENOSPC; + } +- ret = kstrtoul(str, 0, &val); +- if (ret || val >= (TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + ++ val = simple_strtoul(str, &n, 0); ++ if (n == str || val >= (TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + + TXDDS_MFG_SZ)) { + pr_info("txselect_values must start with a number < %d\n", + TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + TXDDS_MFG_SZ); +- return ret ? ret : -EINVAL; ++ return -EINVAL; + } +- + strcpy(txselect_list, str); ++ + list_for_each_entry(dd, &qib_dev_list, list) + if (dd->deviceid == PCI_DEVICE_ID_QLOGIC_IB_7322) + set_no_qsfp_atten(dd, 1); diff --git a/queue-3.12/ib-srp-avoid-offlining-operational-scsi-devices.patch b/queue-3.12/ib-srp-avoid-offlining-operational-scsi-devices.patch new file mode 100644 index 00000000000..d8f7bdb8437 --- /dev/null +++ b/queue-3.12/ib-srp-avoid-offlining-operational-scsi-devices.patch 
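Review bot: `strcpy(txselect_list, str)` in setup_txselect() is bounded only indirectly by the `strlen(str) >= MAX_ATTEN_LEN` test at the top of the function, and the size of `txselect_list` is not visible in the hunk. If the destination is an array of MAX_ATTEN_LEN bytes the copy is safe, and `strlcpy(txselect_list, str, sizeof(txselect_list));` would keep it safe if either size changes later (to be confirmed against the declaration). Because `simple_strtoul()` does not report overflow and only the leading number is range-checked here, a comment such as `/* only the first value is validated here; the rest of the list is parsed later */` would document the restored behaviour. Kernel style also wants a blank line between the `char *n;` declaration and the first `if`.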
@@ -0,0 +1,39 @@ +From 99b6697a50c2acbe3ca2772d359fc9a28835dc84 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 10 Oct 2013 13:52:33 +0200 +Subject: IB/srp: Avoid offlining operational SCSI devices + +From: Bart Van Assche + +commit 99b6697a50c2acbe3ca2772d359fc9a28835dc84 upstream. + +If SCSI commands are submitted with a SCSI request timeout that is +lower than the the IB RC timeout, it can happen that the SCSI error +handler has already started device recovery before transport layer +error handling starts. So it can happen that the SCSI error handler +tries to abort a SCSI command after it has been reset by +srp_rport_reconnect(). + +Tell the SCSI error handler that such commands have finished and that +it is not necessary to continue its recovery strategy for commands +that have been reset by srp_rport_reconnect(). + +Signed-off-by: Bart Van Assche +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1752,7 +1752,7 @@ static int srp_abort(struct scsi_cmnd *s + shost_printk(KERN_ERR, target->scsi_host, "SRP abort called\n"); + + if (!req || !srp_claim_req(target, req, scmnd)) +- return FAILED; ++ return SUCCESS; + if (srp_send_tsk_mgmt(target, req->index, scmnd->device->lun, + SRP_TSK_ABORT_TASK) == 0) + ret = SUCCESS; diff --git a/queue-3.12/ib-srp-remove-target-from-list-before-freeing-scsi_host-structure.patch b/queue-3.12/ib-srp-remove-target-from-list-before-freeing-scsi_host-structure.patch new file mode 100644 index 00000000000..fdeec482c3e --- /dev/null +++ b/queue-3.12/ib-srp-remove-target-from-list-before-freeing-scsi_host-structure.patch 
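Review bot: The changed `return SUCCESS;` in srp_abort() now covers two different conditions, `!req` and a failed `srp_claim_req()`, and nothing in the code explains why reporting success for a command that was not aborted here is correct. A comment above the test, for example `/* Already completed or reset by srp_rport_reconnect(); nothing left to abort. */`, would stop a later cleanup from reverting it to FAILED. The hunk does not show how `req` is obtained, so it is worth confirming that the `!req` case can arise only from that completion path. srp_abort() starts and ends outside the hunk.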
@@ -0,0 +1,61 @@ +From 65d7dd2f3479ef5aec1d9ddd1481cb7851c11af6 Mon Sep 17 00:00:00 2001 +From: Vu Pham +Date: Thu, 10 Oct 2013 13:50:29 +0200 +Subject: IB/srp: Remove target from list before freeing Scsi_Host structure + +From: Vu Pham + +commit 65d7dd2f3479ef5aec1d9ddd1481cb7851c11af6 upstream. + +Remove an SRP target from the SRP target list before invoking the last +scsi_host_put() call. This change is necessary because that last put +frees the memory that holds the srp_target_port structure. + +This patch prevents the following kernel oops: + + RIP: 0010:[] __lock_acquire+0x500/0x1570 + Call Trace: + [] lock_acquire+0xa4/0x120 + [] _spin_lock+0x36/0x70 + [] srp_remove_work+0xef/0x180 [ib_srp] + [] worker_thread+0x21c/0x3d0 + [] kthread+0x96/0xa0 + [] child_rip+0xa/0x20 + +Signed-off-by: Vu Pham +Signed-off-by: Greg Kroah-Hartman + +[ bvanassche - Modified path description and CC'ed stable. ] + +Signed-off-by: Bart Van Assche +Signed-off-by: Roland Dreier + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -534,6 +534,11 @@ static void srp_remove_target(struct srp + ib_destroy_cm_id(target->cm_id); + srp_free_target_ib(target); + srp_free_req_data(target); ++ ++ spin_lock(&target->srp_host->target_lock); ++ list_del(&target->list); ++ spin_unlock(&target->srp_host->target_lock); ++ + scsi_host_put(target->scsi_host); + } + +@@ -545,10 +550,6 @@ static void srp_remove_work(struct work_ + WARN_ON_ONCE(target->state != SRP_TARGET_REMOVED); + + srp_remove_target(target); +- +- spin_lock(&target->srp_host->target_lock); +- list_del(&target->list); +- spin_unlock(&target->srp_host->target_lock); + } + + static void srp_rport_delete(struct srp_rport *rport) 
diff --git a/queue-3.12/ib-srp-report-receive-errors-correctly.patch b/queue-3.12/ib-srp-report-receive-errors-correctly.patch
new file mode 100644
index 00000000000..ddc01beb2cd
--- /dev/null
+++ b/queue-3.12/ib-srp-report-receive-errors-correctly.patch
@@ -0,0 +1,58 @@ +From cd4e38542a5c2cab94e5410fb17c1cc004a60792 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 10 Oct 2013 13:53:25 +0200 +Subject: IB/srp: Report receive errors correctly + +From: Bart Van Assche + +commit cd4e38542a5c2cab94e5410fb17c1cc004a60792 upstream. + +The IB spec does not guarantee that the opcode is available in error +completions. Hence do not rely on it. See also commit 948d1e889e5b +("IB/srp: Introduce srp_handle_qp_err()"). + +Signed-off-by: Bart Van Assche +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1303,14 +1303,13 @@ static void srp_handle_recv(struct srp_t + PFX "Recv failed with error code %d\n", res); + } + +-static void srp_handle_qp_err(enum ib_wc_status wc_status, +- enum ib_wc_opcode wc_opcode, ++static void srp_handle_qp_err(enum ib_wc_status wc_status, bool send_err, + struct srp_target_port *target) + { + if (target->connected && !target->qp_in_error) { + shost_printk(KERN_ERR, target->scsi_host, + PFX "failed %s status %d\n", +- wc_opcode & IB_WC_RECV ? "receive" : "send", ++ send_err ? "send" : "receive", + wc_status); + } + target->qp_in_error = true; +@@ -1326,7 +1325,7 @@ static void srp_recv_completion(struct i + if (likely(wc.status == IB_WC_SUCCESS)) { + srp_handle_recv(target, &wc); + } else { +- srp_handle_qp_err(wc.status, wc.opcode, target); ++ srp_handle_qp_err(wc.status, false, target); + } + } + } +@@ -1342,7 +1341,7 @@ static void srp_send_completion(struct i + iu = (struct srp_iu *) (uintptr_t) wc.wr_id; + list_add(&iu->list, &target->free_tx); + } else { +- srp_handle_qp_err(wc.status, wc.opcode, target); ++ srp_handle_qp_err(wc.status, true, target); + } + } + } 
diff --git a/queue-3.12/ipc-msg-fix-message-length-check-for-negative-values.patch b/queue-3.12/ipc-msg-fix-message-length-check-for-negative-values.patch
new file mode 100644
index 00000000000..3e7e969bfc8
--- /dev/null
+++ b/queue-3.12/ipc-msg-fix-message-length-check-for-negative-values.patch
@@ -0,0 +1,171 @@ +From 4e9b45a19241354daec281d7a785739829b52359 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Tue, 12 Nov 2013 15:11:47 -0800 +Subject: ipc, msg: fix message length check for negative values + +From: Mathias Krause + +commit 4e9b45a19241354daec281d7a785739829b52359 upstream. + +On 64 bit systems the test for negative message sizes is bogus as the +size, which may be positive when evaluated as a long, will get truncated +to an int when passed to load_msg(). So a long might very well contain a +positive value but when truncated to an int it would become negative. + +That in combination with a small negative value of msg_ctlmax (which will +be promoted to an unsigned type for the comparison against msgsz, making +it a big positive value and therefore make it pass the check) will lead to +two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too +small buffer as the addition of alen is effectively a subtraction. 2/ The +copy_from_user() call in load_msg() will first overflow the buffer with +userland data and then, when the userland access generates an access +violation, the fixup handler copy_user_handle_tail() will try to fill the +remainder with zeros -- roughly 4GB. That almost instantly results in a +system crash or reset. + + ,-[ Reproducer (needs to be run as root) ]-- + | #include + | #include + | #include + | #include + | + | int main(void) { + | long msg = 1; + | int fd; + | + | fd = open("/proc/sys/kernel/msgmax", O_WRONLY); + | write(fd, "-1", 2); + | close(fd); + | + | msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT); + | + | return 0; + | } + '--- + +Fix the issue by preventing msgsz from getting truncated by consistently +using size_t for the message length. This way the size checks in +do_msgsnd() could still be passed with a negative value for msg_ctlmax but +we would fail on the buffer allocation in that case and error out. 
+ +Also change the type of m_ts from int to size_t to avoid similar nastiness +in other code paths -- it is used in similar constructs, i.e. signed vs. +unsigned checks. It should never become negative under normal +circumstances, though. + +Setting msg_ctlmax to a negative value is an odd configuration and should +be prevented. As that might break existing userland, it will be handled +in a separate commit so it could easily be reverted and reworked without +reintroducing the above described bug. + +Hardening mechanisms for user copy operations would have catched that bug +early -- e.g. checking slab object sizes on user copy operations as the +usercopy feature of the PaX patch does. Or, for that matter, detect the +long vs. int sign change due to truncation, as the size overflow plugin +of the very same patch does. + +[akpm@linux-foundation.org: fix i386 min() warnings] +Signed-off-by: Mathias Krause +Cc: Pax Team +Cc: Davidlohr Bueso +Cc: Brad Spengler +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/msg.h | 6 +++--- + ipc/msgutil.c | 20 ++++++++++---------- + ipc/util.h | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +--- a/include/linux/msg.h ++++ b/include/linux/msg.h +@@ -6,9 +6,9 @@ + + /* one msg_msg structure for each message */ + struct msg_msg { +- struct list_head m_list; +- long m_type; +- int m_ts; /* message text size */ ++ struct list_head m_list; ++ long m_type; ++ size_t m_ts; /* message text size */ + struct msg_msgseg* next; + void *security; + /* the actual message follows immediately */ +--- a/ipc/msgutil.c ++++ b/ipc/msgutil.c +@@ -41,15 +41,15 @@ struct msg_msgseg { + /* the next part of the message follows immediately */ + }; + +-#define DATALEN_MSG (int)(PAGE_SIZE-sizeof(struct msg_msg)) +-#define DATALEN_SEG (int)(PAGE_SIZE-sizeof(struct msg_msgseg)) ++#define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) ++#define 
DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) + + +-static struct msg_msg *alloc_msg(int len) ++static struct msg_msg *alloc_msg(size_t len) + { + struct msg_msg *msg; + struct msg_msgseg **pseg; +- int alen; ++ size_t alen; + + alen = min(len, DATALEN_MSG); + msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL); +@@ -80,12 +80,12 @@ out_err: + return NULL; + } + +-struct msg_msg *load_msg(const void __user *src, int len) ++struct msg_msg *load_msg(const void __user *src, size_t len) + { + struct msg_msg *msg; + struct msg_msgseg *seg; + int err = -EFAULT; +- int alen; ++ size_t alen; + + msg = alloc_msg(len); + if (msg == NULL) +@@ -117,8 +117,8 @@ out_err: + struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst) + { + struct msg_msgseg *dst_pseg, *src_pseg; +- int len = src->m_ts; +- int alen; ++ size_t len = src->m_ts; ++ size_t alen; + + BUG_ON(dst == NULL); + if (src->m_ts > dst->m_ts) +@@ -147,9 +147,9 @@ struct msg_msg *copy_msg(struct msg_msg + return ERR_PTR(-ENOSYS); + } + #endif +-int store_msg(void __user *dest, struct msg_msg *msg, int len) ++int store_msg(void __user *dest, struct msg_msg *msg, size_t len) + { +- int alen; ++ size_t alen; + struct msg_msgseg *seg; + + alen = min(len, DATALEN_MSG); +--- a/ipc/util.h ++++ b/ipc/util.h +@@ -148,9 +148,9 @@ int ipc_parse_version (int *cmd); + #endif + + extern void free_msg(struct msg_msg *msg); +-extern struct msg_msg *load_msg(const void __user *src, int len); ++extern struct msg_msg *load_msg(const void __user *src, size_t len); + extern struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst); +-extern int store_msg(void __user *dest, struct msg_msg *msg, int len); ++extern int store_msg(void __user *dest, struct msg_msg *msg, size_t len); + + extern void recompute_msgmni(struct ipc_namespace *); + 
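Review bot: With `len` now a `size_t`, alloc_msg() and load_msg() do no range checking of their own and depend entirely on the caller's comparison against msg_ctlmax, which the commit message says can still be passed when that sysctl holds a negative value. In that configuration an oversized request is rejected only once an allocation fails, presumably after part of the segment chain has been allocated (the loop lies outside the inner hunks, so this is inferred). The follow-up that rejects negative msgmax values is not among the patches added by this queue commit and should be queued alongside it. A comment on load_msg() such as `/* len must already be validated against ns->msg_ctlmax by the caller */` would document the dependency. Code elsewhere in ipc/ that prints or compares `m_ts` as an int should be checked against the type change.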
diff --git a/queue-3.12/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch b/queue-3.12/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch new file mode 100644 index 00000000000..1a3ccfb4f73 --- /dev/null +++ b/queue-3.12/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch @@ -0,0 +1,46 @@ +From 86784c6bdeeef78eed94d298be7a8879f6a97ee2 Mon Sep 17 00:00:00 2001 +From: Eric Seppanen +Date: Wed, 20 Nov 2013 14:19:52 -0800 +Subject: iscsi-target: chap auth shouldn't match username with trailing garbage + +From: Eric Seppanen + +commit 86784c6bdeeef78eed94d298be7a8879f6a97ee2 upstream. + +In iSCSI negotiations with initiator CHAP enabled, usernames with +trailing garbage are permitted, because the string comparison only +checks the strlen of the configured username. + +e.g. "usernameXXXXX" will be permitted to match "username". + +Just check one more byte so the trailing null char is also matched. + +Signed-off-by: Eric Seppanen +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_auth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -146,6 +146,7 @@ static int chap_server_compute_md5( + unsigned char client_digest[MD5_SIGNATURE_SIZE]; + unsigned char server_digest[MD5_SIGNATURE_SIZE]; + unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; ++ size_t compare_len; + struct iscsi_chap *chap = conn->auth_protocol; + struct crypto_hash *tfm; + struct hash_desc desc; +@@ -184,7 +185,9 @@ static int chap_server_compute_md5( + goto out; + } + +- if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) { ++ /* Include the terminating NULL in the compare */ ++ compare_len = strlen(auth->userid) + 1; ++ if (strncmp(chap_n, auth->userid, compare_len) != 0) { + pr_err("CHAP_N values do not match!\n"); + goto out; + } 
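Review bot: The new `strncmp(chap_n, auth->userid, compare_len)` with `compare_len = strlen(auth->userid) + 1` is an exact match only if `chap_n` is NUL-terminated, which depends on extract_param() (not shown in this hunk) always terminating its output. Stating that requirement locally, for example `chap_n[sizeof(chap_n) - 1] = '\0';` before the compare, would keep the authentication check correct even if the parser changes. `chap_n` is declared `unsigned char`, so the call mixes pointer signedness with the `char *` string functions. The added comment should say NUL rather than NULL: `/* Include the terminating NUL in the compare */`. chap_server_compute_md5() continues outside the hunk.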
diff --git a/queue-3.12/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch b/queue-3.12/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch new file mode 100644 index 00000000000..d8f9187bcc8 --- /dev/null +++ b/queue-3.12/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch @@ -0,0 +1,33 @@ +From 369653e4fb511928511b0ce81f41c812ff1f28b6 Mon Sep 17 00:00:00 2001 +From: Eric Seppanen +Date: Wed, 20 Nov 2013 14:19:51 -0800 +Subject: iscsi-target: fix extract_param to handle buffer length corner case + +From: Eric Seppanen + +commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream. + +extract_param() is called with max_length set to the total size of the +output buffer. It's not safe to allow a parameter length equal to the +buffer size as the terminating null would be written one byte past the +end of the output buffer. + +Signed-off-by: Eric Seppanen +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_nego.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -88,7 +88,7 @@ int extract_param( + if (len < 0) + return -1; + +- if (len > max_length) { ++ if (len >= max_length) { + pr_err("Length of input: %d exceeds max_length:" + " %d\n", len, max_length); + return -1; diff --git a/queue-3.12/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch b/queue-3.12/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch new file mode 100644 index 00000000000..d1ccb8f5747 --- /dev/null +++ b/queue-3.12/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch 
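Review bot: After the test became `if (len >= max_length)`, the `pr_err()` text directly below it still reports that the input length "exceeds max_length", which is inaccurate when `len == max_length`. A comment above the test such as `/* one byte of the output buffer is reserved for the terminating NUL */` would explain the off-by-one to whoever reads the log. The message could then be reworded to say that the length does not fit. The declarations of `len` and `max_length` are outside the hunk, so it is worth confirming that both are signed, so that the preceding `len < 0` test and this comparison behave as intended. extract_param() starts and ends outside the hunk.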
@@ -0,0 +1,64 @@
+From 5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Tue, 12 Nov 2013 17:54:56 -0800
+Subject: iscsi-target: Fix mutex_trylock usage in iscsit_increment_maxcmdsn
+
+From: Nicholas Bellinger
+
+commit 5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 upstream.
+
+This patch fixes a >= v3.10 regression bug with mutex_trylock() usage
+within iscsit_increment_maxcmdsn(), that was originally added to allow
+for a special case where ->cmdsn_mutex was already held from the
+iscsit_execute_cmd() exception path for ib_isert.
+
+When !mutex_trylock() was occuring under contention during normal RX/TX
+process context codepaths, the bug was manifesting itself as the following
+protocol error:
+
+ Received CmdSN: 0x000fcbb7 is greater than MaxCmdSN: 0x000fcbb6, protocol error.
+ Received CmdSN: 0x000fcbb8 is greater than MaxCmdSN: 0x000fcbb6, protocol error.
+
+This patch simply avoids the direct ib_isert callback in lio_queue_status()
+for the special iscsi_execute_cmd() exception cases, that allows the problematic
+mutex_trylock() usage in iscsit_increment_maxcmdsn() to go away.
+
+Reported-by: Moussa Ba
+Tested-by: Moussa Ba
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 5 +++++
+ drivers/target/iscsi/iscsi_target_device.c | 6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1784,6 +1784,11 @@ static int lio_queue_status(struct se_cm
+ struct iscsi_cmd *cmd = container_of(se_cmd, struct iscsi_cmd, se_cmd);
+
+ cmd->i_state = ISTATE_SEND_STATUS;
++
++ if (cmd->se_cmd.scsi_status || cmd->sense_reason) {
++ iscsit_add_cmd_to_response_queue(cmd, cmd->conn, cmd->i_state);
++ return 0;
++ }
+ cmd->conn->conn_transport->iscsit_queue_status(cmd->conn, cmd);
+
+ return 0;
+--- a/drivers/target/iscsi/iscsi_target_device.c
++++ b/drivers/target/iscsi/iscsi_target_device.c
+@@ -58,11 +58,7 @@ void iscsit_increment_maxcmdsn(struct is
+
+ cmd->maxcmdsn_inc = 1;
+
+- if (!mutex_trylock(&sess->cmdsn_mutex)) {
+- sess->max_cmd_sn += 1;
+- pr_debug("Updated MaxCmdSN to 0x%08x\n", sess->max_cmd_sn);
+- return;
+- }
++ mutex_lock(&sess->cmdsn_mutex);
+ sess->max_cmd_sn += 1;
+ pr_debug("Updated MaxCmdSN to 0x%08x\n", sess->max_cmd_sn);
+ mutex_unlock(&sess->cmdsn_mutex);
diff --git a/queue-3.12/loop-fix-crash-if-blk_alloc_queue-fails.patch b/queue-3.12/loop-fix-crash-if-blk_alloc_queue-fails.patch
new file mode 100644
index 00000000000..02e3495fd93
--- /dev/null
+++ b/queue-3.12/loop-fix-crash-if-blk_alloc_queue-fails.patch
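Review bot: With `mutex_lock(&sess->cmdsn_mutex);` now unconditional in iscsit_increment_maxcmdsn(), any caller that still arrives holding ->cmdsn_mutex will self-deadlock instead of taking the old unlocked fallback. The only thing that prevents this is the new `if (cmd->se_cmd.scsi_status || cmd->sense_reason)` branch in lio_queue_status(), which lives in a different file, and neither site mentions the other. I would document the coupling at both places, for example `/* Caller must not hold sess->cmdsn_mutex */` above the mutex_lock() and `/* Exception path may run with ->cmdsn_mutex held: queue the response rather than calling the transport directly */` above the new branch. Both functions extend beyond the hunks shown, so other callers of iscsit_increment_maxcmdsn() cannot be checked from here.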
@@ -0,0 +1,88 @@ +From 3ec981e30fae1f3c8728a05c730acaa1f627bcfb Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 14 Oct 2013 12:12:24 -0400 +Subject: loop: fix crash if blk_alloc_queue fails + +From: Mikulas Patocka + +commit 3ec981e30fae1f3c8728a05c730acaa1f627bcfb upstream. + +loop: fix crash if blk_alloc_queue fails + +If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the +identifier allocated with idr_alloc. That causes crash on module unload in +idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to +remove non-existed device with that id. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000380 +IP: [] del_gendisk+0x19/0x2d0 +PGD 43d399067 PUD 43d0ad067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but! 
+ ton unix +CPU: 7 PID: 2735 Comm: rmmod Tainted: G W 3.10.15-devel #15 +Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009 +task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000 +RIP: 0010:[] [] del_gendisk+0x19/0x2d0 +RSP: 0018:ffff88043d21fe10 EFLAGS: 00010282 +RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000 +RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001 +R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff +R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800 +FS: 00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Stack: + ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800 + 00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60 + ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec +Call Trace: + [] ? native_sched_clock+0x24/0x80 + [] loop_remove+0x14/0x40 [loop] + [] loop_exit_cb+0xc/0x10 [loop] + [] idr_for_each+0x104/0x190 + [] ? loop_remove+0x40/0x40 [loop] + [] ? trace_hardirqs_on_caller+0x105/0x1d0 + [] loop_exit+0x34/0xa58 [loop] + [] SyS_delete_module+0x13a/0x260 + [] ? 
trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x1a/0x1f +Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00 +00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20 +RIP [] del_gendisk+0x19/0x2d0 + RSP +CR2: 0000000000000380 +---[ end trace 64ec069ec70f1309 ]--- + +Signed-off-by: Mikulas Patocka +Acked-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1633,7 +1633,7 @@ static int loop_add(struct loop_device * + err = -ENOMEM; + lo->lo_queue = blk_alloc_queue(GFP_KERNEL); + if (!lo->lo_queue) +- goto out_free_dev; ++ goto out_free_idr; + + disk = lo->lo_disk = alloc_disk(1 << part_shift); + if (!disk) +@@ -1678,6 +1678,8 @@ static int loop_add(struct loop_device * + + out_free_queue: + blk_cleanup_queue(lo->lo_queue); ++out_free_idr: ++ idr_remove(&loop_index_idr, i); + out_free_dev: + kfree(lo); + out: diff --git a/queue-3.12/loop-fix-crash-when-using-unassigned-loop-device.patch b/queue-3.12/loop-fix-crash-when-using-unassigned-loop-device.patch new file mode 100644 index 00000000000..ffbbf6e58e3 --- /dev/null +++ b/queue-3.12/loop-fix-crash-when-using-unassigned-loop-device.patch 
@@ -0,0 +1,108 @@ +From ef7e7c82e02b602f29c2b87f42dcd6143a6777da Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 15 Oct 2013 14:14:38 -0600 +Subject: loop: fix crash when using unassigned loop device + +From: Mikulas Patocka + +commit ef7e7c82e02b602f29c2b87f42dcd6143a6777da upstream. + +When the loop module is loaded, it creates 8 loop devices /dev/loop[0-7]. +The devices have no request routine and thus, when they are used without +being assigned, a crash happens. + +For example, these commands cause crash (assuming there are no used loop +devices): + +Kernel Fault: Code=26 regs=000000007f420980 (Addr=0000000000000010) +CPU: 1 PID: 50 Comm: kworker/1:1 Not tainted 3.11.0 #1 +Workqueue: ksnaphd do_metadata [dm_snapshot] +task: 000000007fcf4078 ti: 000000007f420000 task.ti: 000000007f420000 +[ 116.319988] + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI +PSW: 00001000000001001111111100001111 Not tainted +r00-03 000000ff0804ff0f 00000000408bf5d0 00000000402d8204 000000007b7ff6c0 +r04-07 00000000408a95d0 000000007f420950 000000007b7ff6c0 000000007d06c930 +r08-11 000000007f4205c0 0000000000000001 000000007f4205c0 000000007f4204b8 +r12-15 0000000000000010 0000000000000000 0000000000000000 0000000000000000 +r16-19 000000001108dd48 000000004061cd7c 000000007d859800 000000000800000f +r20-23 0000000000000000 0000000000000008 0000000000000000 0000000000000000 +r24-27 00000000ffffffff 000000007b7ff6c0 000000007d859800 00000000408a95d0 +r28-31 0000000000000000 000000007f420950 000000007f420980 000000007f4208e8 +sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000303000 +sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 117.549988] +IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d82fc 00000000402d8300 + IIR: 53820020 ISR: 0000000000000000 IOR: 0000000000000010 + CPU: 1 CR30: 000000007f420000 CR31: ffffffffffffffff + ORIG_R28: 0000000000000001 + IAOQ[0]: generic_make_request+0x11c/0x1a0 + IAOQ[1]: 
generic_make_request+0x120/0x1a0 + RP(r2): generic_make_request+0x24/0x1a0 +Backtrace: + [<00000000402d83f0>] submit_bio+0x70/0x140 + [<0000000011087c4c>] dispatch_io+0x234/0x478 [dm_mod] + [<0000000011087f44>] sync_io+0xb4/0x190 [dm_mod] + [<00000000110883bc>] dm_io+0x2c4/0x310 [dm_mod] + [<00000000110bfcd0>] do_metadata+0x28/0xb0 [dm_snapshot] + [<00000000401591d8>] process_one_work+0x160/0x460 + [<0000000040159bc0>] worker_thread+0x300/0x478 + [<0000000040161a70>] kthread+0x118/0x128 + [<0000000040104020>] end_fault_vector+0x20/0x28 + [<0000000040177220>] task_tick_fair+0x420/0x4d0 + [<00000000401aa048>] invoke_rcu_core+0x50/0x60 + [<00000000401ad5b8>] rcu_check_callbacks+0x210/0x8d8 + [<000000004014aaa0>] update_process_times+0xa8/0xc0 + [<00000000401ab86c>] rcu_process_callbacks+0x4b4/0x598 + [<0000000040142408>] __do_softirq+0x250/0x2c0 + [<00000000401789d0>] find_busiest_group+0x3c0/0xc70 +[ 119.379988] +Kernel panic - not syncing: Kernel Fault +Rebooting in 1 seconds.. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -894,13 +894,6 @@ static int loop_set_fd(struct loop_devic + + bio_list_init(&lo->lo_bio_list); + +- /* +- * set queue make_request_fn, and add limits based on lower level +- * device +- */ +- blk_queue_make_request(lo->lo_queue, loop_make_request); +- lo->lo_queue->queuedata = lo; +- + if (!(lo_flags & LO_FLAGS_READ_ONLY) && file->f_op->fsync) + blk_queue_flush(lo->lo_queue, REQ_FLUSH); + +@@ -1618,6 +1611,8 @@ static int loop_add(struct loop_device * + if (!lo) + goto out; + ++ lo->lo_state = Lo_unbound; ++ + /* allocate id, if @id >= 0, we're requesting that specific id */ + if (i >= 0) { + err = idr_alloc(&loop_index_idr, lo, i, i + 1, GFP_KERNEL); +@@ -1635,6 +1630,12 @@ static int loop_add(struct loop_device * + if (!lo->lo_queue) + 
goto out_free_idr; + ++ /* ++ * set queue make_request_fn ++ */ ++ blk_queue_make_request(lo->lo_queue, loop_make_request); ++ lo->lo_queue->queuedata = lo; ++ + disk = lo->lo_disk = alloc_disk(1 << part_shift); + if (!disk) + goto out_free_queue; diff --git a/queue-3.12/mtd-atmel_nand-fix-bug-driver-will-in-a-dead-lock-if-no-nand-detected.patch b/queue-3.12/mtd-atmel_nand-fix-bug-driver-will-in-a-dead-lock-if-no-nand-detected.patch new file mode 100644 index 00000000000..cc0ea66e1ce --- /dev/null +++ b/queue-3.12/mtd-atmel_nand-fix-bug-driver-will-in-a-dead-lock-if-no-nand-detected.patch 
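Review bot: The comment that moves into loop_add() with the blk_queue_make_request() call, `set queue make_request_fn`, only restates the line below it and no longer says why the handler is installed at creation time. Something like `/* Install make_request_fn at creation so I/O to a never-bound device reaches loop_make_request instead of a queue with no request routine */` would keep the reason from the commit message next to the code. The added `lo->lo_state = Lo_unbound;` deserves a similar one-liner: loop_make_request() is not part of this hunk, so presumably it is the lo_state check there that fails such I/O, and that dependency is worth stating. loop_add() and loop_set_fd() both continue outside the hunks.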
@@ -0,0 +1,52 @@ +From a749d13acd8e079ed4c77a9456d842dc94af8f17 Mon Sep 17 00:00:00 2001 +From: Josh Wu +Date: Tue, 5 Nov 2013 17:59:07 +0800 +Subject: mtd: atmel_nand: fix bug driver will in a dead lock if no nand detected + +From: Josh Wu + +commit a749d13acd8e079ed4c77a9456d842dc94af8f17 upstream. + +In the atmel driver probe function, the code shows like following: + atmel_nand_probe(...) { + ... + + err_nand_ioremap: + platform_driver_unregister(&atmel_nand_nfc_driver); + return res; + } + +If no nand flash detected, the driver probe function will goto +err_nand_ioremap label. +Then platform_driver_unregister() will be called. It will get the +lock of atmel_nand device since it is parent of nfc_device. The +problem is the lock is already hold by atmel_nand_probe itself. +So system will be in a dead lock. + +This patch just simply removed to platform_driver_unregister() call. +When atmel_nand driver is quit the platform_driver_unregister() will +be called in atmel_nand_remove(). + +[Brian: the NAND platform probe really has no business + registering/unregistering another driver; this fixes the deadlock, but + we should follow up the likely racy behavior here with a better + architecture] + +Signed-off-by: Josh Wu +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/atmel_nand.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/mtd/nand/atmel_nand.c ++++ b/drivers/mtd/nand/atmel_nand.c +@@ -2177,7 +2177,6 @@ err_no_card: + if (host->dma_chan) + dma_release_channel(host->dma_chan); + err_nand_ioremap: +- platform_driver_unregister(&atmel_nand_nfc_driver); + return res; + } + diff --git a/queue-3.12/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch b/queue-3.12/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch new file mode 100644 index 00000000000..e2327d46dce --- /dev/null +++ b/queue-3.12/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch 
@@ -0,0 +1,110 @@ +From 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 Mon Sep 17 00:00:00 2001 +From: Huang Shijie +Date: Mon, 11 Nov 2013 12:13:45 +0800 +Subject: mtd: gpmi: fix kernel BUG due to racing DMA operations + +From: Huang Shijie + +commit 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 upstream. + +[1] The gpmi uses the nand_command_lp to issue the commands to NAND chips. + The gpmi issues a DMA operation with gpmi_cmd_ctrl when it handles + a NAND_CMD_NONE control command. So when we read a page(NAND_CMD_READ0) + from the NAND, we may send two DMA operations back-to-back. + + If we do not serialize the two DMA operations, we will meet a bug when + + 1.1) we enable CONFIG_DMA_API_DEBUG, CONFIG_DMADEVICES_DEBUG, + and CONFIG_DEBUG_SG. + + 1.2) Use the following commands in an UART console and a SSH console: + cmd 1: while true;do dd if=/dev/mtd0 of=/dev/null;done + cmd 1: while true;do dd if=/dev/mmcblk0 of=/dev/null;done + + The kernel log shows below: + ----------------------------------------------------------------- + kernel BUG at lib/scatterlist.c:28! + Unable to handle kernel NULL pointer dereference at virtual address 00000000 + ......................... + [<80044a0c>] (__bug+0x18/0x24) from [<80249b74>] (sg_next+0x48/0x4c) + [<80249b74>] (sg_next+0x48/0x4c) from [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) + [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) from [<8004af58>] (dma_unmap_sg+0x14/0x6c) + [<8004af58>] (dma_unmap_sg+0x14/0x6c) from [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) + [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) from [<8007d444>] (tasklet_action+0x114/0x164) + ----------------------------------------------------------------- + + 1.3) Assume the two DMA operations is X (first) and Y (second). + + The root cause of the bug: + Assume process P issues DMA X, and sleep on the completion + @this->dma_done. X's tasklet callback is dma_irq_callback. 
It firstly + wake up the process sleeping on the completion @this->dma_done, + and then trid to unmap the scatterlist S. The waked process P will + issue Y in another ARM core. Y initializes S->sg_magic to zero + with sg_init_one(), while dma_irq_callback is unmapping S at the same + time. + + See the diagram: + + ARM core 0 | ARM core 1 + ------------------------------------------------------------- + (P issues DMA X, then sleep) --> | + | + (X's tasklet wakes P) --> | + | + | <-- (P begin to issue DMA Y) + | + (X's tasklet unmap the | + scatterlist S with dma_unmap_sg) --> | <-- (Y calls sg_init_one() to init + | scatterlist S) + | + +[2] This patch serialize both the X and Y in the following way: + Unmap the DMA scatterlist S firstly, and wake up the process at the end + of the DMA callback, in such a way, Y will be executed after X. + + After this patch: + + ARM core 0 | ARM core 1 + ------------------------------------------------------------- + (P issues DMA X, then sleep) --> | + | + (X's tasklet unmap the | + scatterlist S with dma_unmap_sg) --> | + | + (X's tasklet wakes P) --> | + | + | <-- (P begin to issue DMA Y) + | + | <-- (Y calls sg_init_one() to init + | scatterlist S) + | + +Signed-off-by: Huang Shijie +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -392,8 +392,6 @@ static void dma_irq_callback(void *param + struct gpmi_nand_data *this = param; + struct completion *dma_c = &this->dma_done; + +- complete(dma_c); +- + switch (this->dma_type) { + case DMA_FOR_COMMAND: + dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE); +@@ -418,6 +416,8 @@ static void dma_irq_callback(void *param + default: + pr_err("in wrong DMA operation.\n"); + } ++ ++ complete(dma_c); + } + + int start_dma_without_bch_irq(struct gpmi_nand_data *this, 
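Review bot: The relocated `complete(dma_c);` at the end of dma_irq_callback() carries no comment, yet the whole fix is that it must run after the dma_unmap_sg() calls in the switch. Without a note, a later cleanup could move the wake-up back to the top and reintroduce the race described in the commit message. I would add `/* Must stay last: the woken waiter may immediately re-initialise the scatterlists unmapped above */` directly above it. The switch body between the two hunks is not shown, so this assumes every case only unmaps and does not return early.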
diff --git a/queue-3.12/mtd-gpmi-fix-the-null-pointer.patch b/queue-3.12/mtd-gpmi-fix-the-null-pointer.patch new file mode 100644 index 00000000000..820bdce0d0d --- /dev/null +++ b/queue-3.12/mtd-gpmi-fix-the-null-pointer.patch 
@@ -0,0 +1,93 @@ +From 885d71e5838f68d5dbee92ab952cc90ad6c1dc6b Mon Sep 17 00:00:00 2001 +From: Huang Shijie +Date: Tue, 12 Nov 2013 12:23:08 +0800 +Subject: mtd: gpmi: fix the NULL pointer + +From: Huang Shijie + +commit 885d71e5838f68d5dbee92ab952cc90ad6c1dc6b upstream. + +The imx23 board will check the fingerprint, so it will call the +mx23_check_transcription_stamp. This function will use @chip->buffers->databuf +as its buffer which is allocated in the nand_scan_tail(). + +Unfortunately, the mx23_check_transcription_stamp is called before the +nand_scan_tail(). So we will meet a NULL pointer bug: + +-------------------------------------------------------------------- +[ 1.150000] NAND device: Manufacturer ID: 0xec, Chip ID: 0xd7 (Samsung NAND 4GiB 3,3V 8-bit), 4096MiB, page size: 4096, OOB size: 8 +[ 1.160000] Unable to handle kernel NULL pointer dereference at virtual address 000005d0 +[ 1.170000] pgd = c0004000 +[ 1.170000] [000005d0] *pgd=00000000 +[ 1.180000] Internal error: Oops: 5 [#1] ARM +[ 1.180000] Modules linked in: +[ 1.180000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.12.0 #89 +[ 1.180000] task: c7440000 ti: c743a000 task.ti: c743a000 +[ 1.180000] PC is at memcmp+0x10/0x54 +[ 1.180000] LR is at gpmi_nand_probe+0x42c/0x894 +[ 1.180000] pc : [] lr : [] psr: 20000053 +[ 1.180000] sp : c743be2c ip : 600000d3 fp : ffffffff +[ 1.180000] r10: 000005d0 r9 : c02f5f08 r8 : 00000000 +[ 1.180000] r7 : c75858a8 r6 : c75858a8 r5 : c7585b18 r4 : c7585800 +[ 1.180000] r3 : 000005d0 r2 : 00000004 r1 : c05c33e4 r0 : 000005d0 +[ 1.180000] Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment kernel +[ 1.180000] Control: 0005317f Table: 40004000 DAC: 00000017 +[ 1.180000] Process swapper (pid: 1, stack limit = 0xc743a1c0) +-------------------------------------------------------------------- + +This patch rearrange the init procedure: + Set the NAND_SKIP_BBTSCAN to skip the nand scan firstly, and after we + set the proper settings, we will call the chip->scan_bbt() 
manually. + +Signed-off-by: Huang Shijie +Reported-by: Fabio Estevam +Tested-by: Fabio Estevam +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -1568,8 +1568,6 @@ static int gpmi_set_geometry(struct gpmi + + static int gpmi_pre_bbt_scan(struct gpmi_nand_data *this) + { +- int ret; +- + /* Set up swap_block_mark, must be set before the gpmi_set_geometry() */ + if (GPMI_IS_MX23(this)) + this->swap_block_mark = false; +@@ -1577,12 +1575,8 @@ static int gpmi_pre_bbt_scan(struct gpmi + this->swap_block_mark = true; + + /* Set up the medium geometry */ +- ret = gpmi_set_geometry(this); +- if (ret) +- return ret; ++ return gpmi_set_geometry(this); + +- /* NAND boot init, depends on the gpmi_set_geometry(). */ +- return nand_boot_init(this); + } + + static void gpmi_nfc_exit(struct gpmi_nand_data *this) +@@ -1672,10 +1666,16 @@ static int gpmi_nfc_init(struct gpmi_nan + if (ret) + goto err_out; + ++ chip->options |= NAND_SKIP_BBTSCAN; + ret = nand_scan_tail(mtd); + if (ret) + goto err_out; + ++ ret = nand_boot_init(this); ++ if (ret) ++ goto err_out; ++ chip->scan_bbt(mtd); ++ + ppdata.of_node = this->pdev->dev.of_node; + ret = mtd_device_parse_register(mtd, NULL, &ppdata, NULL, 0); + if (ret) diff --git a/queue-3.12/mtd-m25p80-fix-allocation-size.patch b/queue-3.12/mtd-m25p80-fix-allocation-size.patch new file mode 100644 index 00000000000..544d90dc330 --- /dev/null +++ b/queue-3.12/mtd-m25p80-fix-allocation-size.patch 
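Review bot: In the gpmi_nfc_init() hunk the new `chip->scan_bbt(mtd);` call discards its result, while every other step around it checks `ret` and jumps to err_out. Now that NAND_SKIP_BBTSCAN makes this the only bad-block-table scan, a failure there would go unnoticed and the device would still be registered; `ret = chip->scan_bbt(mtd);` followed by `if (ret) goto err_out;` keeps the error handling uniform. Separately, gpmi_pre_bbt_scan() is left with an empty line before its closing brace after the removal. gpmi_nfc_init() starts and ends outside the hunk.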
@@ -0,0 +1,82 @@ +From 778d226a1462572b51d6777cdb1d611543410cb4 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 24 Jul 2013 18:32:07 -0700 +Subject: mtd: m25p80: fix allocation size + +From: Brian Norris + +commit 778d226a1462572b51d6777cdb1d611543410cb4 upstream. + +This patch fixes two memory errors: + +1. During a probe failure (in mtd_device_parse_register?) the command + buffer would not be freed. + +2. The command buffer's size is determined based on the 'fast_read' + boolean, but the assignment of fast_read is made after this + allocation. Thus, the buffer may be allocated "too small". + +To fix the first, just switch to the devres version of kzalloc. + +To fix the second, increase MAX_CMD_SIZE unconditionally. It's not worth +saving a byte to fiddle around with the conditions here. + +This problem was reported by Yuhang Wang a while back. + +Signed-off-by: Brian Norris +Reported-by: Yuhang Wang +Reviewed-by: Sourav Poddar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/devices/m25p80.c | 20 +++++++------------- + 1 file changed, 7 insertions(+), 13 deletions(-) + +--- a/drivers/mtd/devices/m25p80.c ++++ b/drivers/mtd/devices/m25p80.c +@@ -78,7 +78,7 @@ + + /* Define max times to check status register before we give up. */ + #define MAX_READY_WAIT_JIFFIES (40 * HZ) /* M25P16 specs 40s max chip erase */ +-#define MAX_CMD_SIZE 5 ++#define MAX_CMD_SIZE 6 + + #define JEDEC_MFR(_jedec_id) ((_jedec_id) >> 16) + +@@ -992,15 +992,13 @@ static int m25p_probe(struct spi_device + } + } + +- flash = kzalloc(sizeof *flash, GFP_KERNEL); ++ flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL); + if (!flash) + return -ENOMEM; +- flash->command = kmalloc(MAX_CMD_SIZE + (flash->fast_read ? 
1 : 0), +- GFP_KERNEL); +- if (!flash->command) { +- kfree(flash); ++ ++ flash->command = devm_kzalloc(&spi->dev, MAX_CMD_SIZE, GFP_KERNEL); ++ if (!flash->command) + return -ENOMEM; +- } + + flash->spi = spi; + mutex_init(&flash->lock); +@@ -1133,14 +1131,10 @@ static int m25p_probe(struct spi_device + static int m25p_remove(struct spi_device *spi) + { + struct m25p *flash = spi_get_drvdata(spi); +- int status; + + /* Clean up MTD stuff. */ +- status = mtd_device_unregister(&flash->mtd); +- if (status == 0) { +- kfree(flash->command); +- kfree(flash); +- } ++ mtd_device_unregister(&flash->mtd); ++ + return 0; + } + diff --git a/queue-3.12/mtd-map-fixed-bug-in-64-bit-systems.patch b/queue-3.12/mtd-map-fixed-bug-in-64-bit-systems.patch new file mode 100644 index 00000000000..3eea60323a6 --- /dev/null +++ b/queue-3.12/mtd-map-fixed-bug-in-64-bit-systems.patch 
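Review bot: m25p_remove() now ignores the result of `mtd_device_unregister(&flash->mtd);` and always returns 0, while `flash` and `flash->command` have become devm allocations that are released once the device is unbound. The old code deliberately skipped the kfree() calls when unregistration failed; if it can still fail here (for instance while the MTD is in use), the MTD core would presumably keep a pointer into memory that devres then frees. At minimum the status should be surfaced, e.g. `return mtd_device_unregister(&flash->mtd);`, though whether the SPI core acts on that return value is not visible from this hunk. The new `#define MAX_CMD_SIZE 6` would also benefit from a comment saying which command needs the sixth byte.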
@@ -0,0 +1,71 @@ +From a4d62babf988fe5dfde24437fa135ef147bc7aa0 Mon Sep 17 00:00:00 2001 +From: Wang Haitao +Date: Thu, 22 Aug 2013 19:32:38 +0800 +Subject: mtd: map: fixed bug in 64-bit systems + +From: Wang Haitao + +commit a4d62babf988fe5dfde24437fa135ef147bc7aa0 upstream. + +Hardware: + CPU: XLP832,the 64-bit OS + NOR Flash:S29GL128S 128M +Software: + Kernel:2.6.32.41 + Filesystem:JFFS2 +When writing files, errors appear: + Write len 182 but return retlen 180 + Write of 182 bytes at 0x072c815c failed. returned -5, retlen 180 + Write len 186 but return retlen 184 + Write of 186 bytes at 0x072caff4 failed. returned -5, retlen 184 +These errors exist only in 64-bit systems,not in 32-bit systems. After analysis, we +found that the left shift operation is wrong in map_word_load_partial. For instance: + unsigned char buf[3] ={0x9e,0x3a,0xea}; + map_bankwidth(map) is 4; + for (i=0; i < 3; i++) { + int bitpos; + bitpos = (map_bankwidth(map)-1-i)*8; + orig.x[0] &= ~(0xff << bitpos); + orig.x[0] |= buf[i] << bitpos; + } + +The value of orig.x[0] is expected to be 0x9e3aeaff, but in this situation(64-bit +System) we'll get the wrong value of 0xffffffff9e3aeaff due to the 64-bit sign +extension: +buf[i] is defined as "unsigned char" and the left-shift operation will convert it +to the type of "signed int", so when left-shift buf[i] by 24 bits, the final result +will get the wrong value: 0xffffffff9e3aeaff. + +If the left-shift bits are less than 24, then sign extension will not occur. Whereas +the bankwidth of the nor flash we used is 4, therefore this BUG emerges. 
+ +Signed-off-by: Pang Xunlei +Signed-off-by: Zhang Yi +Signed-off-by: Lu Zhongjun +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mtd/map.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -365,7 +365,7 @@ static inline map_word map_word_load_par + bitpos = (map_bankwidth(map)-1-i)*8; + #endif + orig.x[0] &= ~(0xff << bitpos); +- orig.x[0] |= buf[i-start] << bitpos; ++ orig.x[0] |= (unsigned long)buf[i-start] << bitpos; + } + } + return orig; +@@ -384,7 +384,7 @@ static inline map_word map_word_ff(struc + + if (map_bankwidth(map) < MAP_FF_LIMIT) { + int bw = 8 * map_bankwidth(map); +- r.x[0] = (1 << bw) - 1; ++ r.x[0] = (1UL << bw) - 1; + } else { + for (i=0; i +Date: Tue, 27 Aug 2013 18:45:10 -0700 +Subject: mtd: nand: hack ONFI for non-power-of-2 dimensions + +From: Brian Norris + +commit 4355b70cf48363c50a9de450b01178c83aba8f6a upstream. + +Some bright specification writers decided to write this in the ONFI spec +(from ONFI 3.0, Section 3.1): + + "The number of blocks and number of pages per block is not required to + be a power of two. In the case where one of these values is not a + power of two, the corresponding address shall be rounded to an + integral number of bits such that it addresses a range up to the + subsequent power of two value. The host shall not access upper + addresses in a range that is shown as not supported." + +This breaks every assumption MTD makes about NAND block/chip-size +dimensions -- they *must* be a power of two! + +And of course, an enterprising manufacturer has made use of this lovely +freedom. 
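Review bot: The context line just above the fix in map_word_load_partial(), `orig.x[0] &= ~(0xff << bitpos);`, still shifts a plain int, so it has the same width problem the patch corrects on the next line. With bitpos at 24 the shift overflows a signed int, and for any bank width above 4 on a 64-bit build the shift count exceeds the int width. Making it `orig.x[0] &= ~(0xffUL << bitpos);` keeps the mask and the OR in the same type. The function starts outside the hunk, so the other branch of the `#ifdef` that computes bitpos is not visible here.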
Exhibit A: Micron MT29F32G08CBADAWP + + "- Plane size: 2 planes x 1064 blocks per plane + - Device size: 32Gb: 2128 blockss [sic]" + +This quickly hits a BUG() in nand_base.c, since the extra dimensions +overflow so we think it's a second chip (on my single-chip setup): + + ONFI param page 0 valid + ONFI flash detected + NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744 + ------------[ cut here ]------------ + kernel BUG at drivers/mtd/nand/nand_base.c:203! + Internal error: Oops - BUG: 0 [#1] SMP ARM + [... trim ...] + [] (nand_select_chip+0x18/0x2c) from [] (nand_do_read_ops+0x90/0x424) + [] (nand_do_read_ops+0x90/0x424) from [] (nand_read+0x54/0x78) + [] (nand_read+0x54/0x78) from [] (mtd_read+0x84/0xbc) + [] (mtd_read+0x84/0xbc) from [] (scan_read.clone.4+0x4c/0x64) + [] (scan_read.clone.4+0x4c/0x64) from [] (search_bbt+0x148/0x290) + [] (search_bbt+0x148/0x290) from [] (nand_scan_bbt+0xd4/0x5c0) + [... trim ...] + ---[ end trace 0c9363860d865ff2 ]--- + +So to fix this, just truncate these dimensions down to the greatest +power-of-2 dimension that is less than or equal to the specified +dimension. + +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_base.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -2981,10 +2981,21 @@ static int nand_flash_detect_onfi(struct + sanitize_string(p->model, sizeof(p->model)); + if (!mtd->name) + mtd->name = p->model; ++ + mtd->writesize = le32_to_cpu(p->byte_per_page); +- mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize; ++ ++ /* ++ * pages_per_block and blocks_per_lun may not be a power-of-2 size ++ * (don't ask me who thought of this...). MTD assumes that these ++ * dimensions will be power-of-2, so just truncate the remaining area. 
++ */ ++ mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1); ++ mtd->erasesize *= mtd->writesize; ++ + mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page); +- chip->chipsize = le32_to_cpu(p->blocks_per_lun); ++ ++ /* See erasesize comment */ ++ chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1); + chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count; + + if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS) diff --git a/queue-3.12/rtlwifi-fix-endian-error-in-extracting-packet-type.patch b/queue-3.12/rtlwifi-fix-endian-error-in-extracting-packet-type.patch new file mode 100644 index 00000000000..a169ab7c1b4 --- /dev/null +++ b/queue-3.12/rtlwifi-fix-endian-error-in-extracting-packet-type.patch 
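Review bot: Both new expressions of the form `1 << (fls(le32_to_cpu(...)) - 1)` in nand_flash_detect_onfi() assume the parameter-page field is non-zero. fls(0) is 0, so a `pages_per_block` or `blocks_per_lun` of zero reported by the device gives a shift count of -1, which is undefined, and a value with bit 31 set makes `1 << 31` overflow a signed int. These numbers come straight from the flash chip, so I would reject zero first with `if (!p->pages_per_block || !p->blocks_per_lun)`, bailing out the way the function's other validation failures do (not visible in this hunk), and shift `1U` instead of `1`. The comment could also note that the truncated blocks simply become unreachable.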
@@ -0,0 +1,163 @@ +From 0c5d63f0ab6728f05ddefa25aff55e31297f95e6 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland +Date: Sat, 2 Nov 2013 14:28:35 -0500 +Subject: rtlwifi: Fix endian error in extracting packet type + +From: Mark Cave-Ayland + +commit 0c5d63f0ab6728f05ddefa25aff55e31297f95e6 upstream. + +All of the rtlwifi drivers have an error in the routine that tests if +the data is "special". If it is, the subsequant transmission will be +at the lowest rate to enhance reliability. The 16-bit quantity is +big-endian, but was being extracted in native CPU mode. One of the +effects of this bug is to inhibit association under some conditions +as the TX rate is too high. + +Based on suggestions by Joe Perches, the entire routine is rewritten. + +One of the local headers contained duplicates of some of the ETH_P_XXX +definitions. These are deleted. + +Signed-off-by: Larry Finger +Cc: Mark Cave-Ayland +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/base.c | 97 +++++++++++++++--------------------- + drivers/net/wireless/rtlwifi/wifi.h | 6 -- + 2 files changed, 44 insertions(+), 59 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/base.c ++++ b/drivers/net/wireless/rtlwifi/base.c +@@ -37,6 +37,7 @@ + + #include + #include ++#include + + /* + *NOTICE!!!: This file will be very big, we should +@@ -1074,64 +1075,52 @@ u8 rtl_is_special_data(struct ieee80211_ + if (!ieee80211_is_data(fc)) + return false; + ++ ip = (const struct iphdr *)(skb->data + mac_hdr_len + ++ SNAP_SIZE + PROTOC_TYPE_SIZE); ++ ether_type = be16_to_cpup((__be16 *) ++ (skb->data + mac_hdr_len + SNAP_SIZE)); ++ ++ switch (ether_type) { ++ case ETH_P_IP: { ++ struct udphdr *udp; ++ u16 src; ++ u16 dst; ++ ++ if (ip->protocol != IPPROTO_UDP) ++ return false; ++ udp = (struct udphdr *)((u8 *)ip + (ip->ihl << 2)); ++ src = be16_to_cpu(udp->source); ++ dst = be16_to_cpu(udp->dest); ++ ++ /* If this case involves port 68 (UDP BOOTP client) connecting ++ * 
with port 67 (UDP BOOTP server), then return true so that ++ * the lowest speed is used. ++ */ ++ if (!((src == 68 && dst == 67) || (src == 67 && dst == 68))) ++ return false; + +- ip = (struct iphdr *)((u8 *) skb->data + mac_hdr_len + +- SNAP_SIZE + PROTOC_TYPE_SIZE); +- ether_type = *(u16 *) ((u8 *) skb->data + mac_hdr_len + SNAP_SIZE); +- /* ether_type = ntohs(ether_type); */ +- +- if (ETH_P_IP == ether_type) { +- if (IPPROTO_UDP == ip->protocol) { +- struct udphdr *udp = (struct udphdr *)((u8 *) ip + +- (ip->ihl << 2)); +- if (((((u8 *) udp)[1] == 68) && +- (((u8 *) udp)[3] == 67)) || +- ((((u8 *) udp)[1] == 67) && +- (((u8 *) udp)[3] == 68))) { +- /* +- * 68 : UDP BOOTP client +- * 67 : UDP BOOTP server +- */ +- RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), +- DBG_DMESG, "dhcp %s !!\n", +- is_tx ? "Tx" : "Rx"); +- +- if (is_tx) { +- rtlpriv->enter_ps = false; +- schedule_work(&rtlpriv-> +- works.lps_change_work); +- ppsc->last_delaylps_stamp_jiffies = +- jiffies; +- } +- +- return true; +- } +- } +- } else if (ETH_P_ARP == ether_type) { +- if (is_tx) { +- rtlpriv->enter_ps = false; +- schedule_work(&rtlpriv->works.lps_change_work); +- ppsc->last_delaylps_stamp_jiffies = jiffies; +- } +- +- return true; +- } else if (ETH_P_PAE == ether_type) { ++ RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, ++ "dhcp %s !!\n", is_tx ? "Tx" : "Rx"); ++ break; ++ } ++ case ETH_P_ARP: ++ break; ++ case ETH_P_PAE: + RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, + "802.1X %s EAPOL pkt!!\n", is_tx ? "Tx" : "Rx"); +- +- if (is_tx) { +- rtlpriv->enter_ps = false; +- schedule_work(&rtlpriv->works.lps_change_work); +- ppsc->last_delaylps_stamp_jiffies = jiffies; +- } +- +- return true; +- } else if (ETH_P_IPV6 == ether_type) { +- /* IPv6 */ +- return true; ++ break; ++ case ETH_P_IPV6: ++ /* TODO: Is this right? 
*/ ++ return false; ++ default: ++ return false; + } +- +- return false; ++ if (is_tx) { ++ rtlpriv->enter_ps = false; ++ schedule_work(&rtlpriv->works.lps_change_work); ++ ppsc->last_delaylps_stamp_jiffies = jiffies; ++ } ++ return true; + } + EXPORT_SYMBOL_GPL(rtl_is_special_data); + +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -77,11 +77,7 @@ + #define RTL_SLOT_TIME_9 9 + #define RTL_SLOT_TIME_20 20 + +-/*related with tcp/ip. */ +-/*if_ehther.h*/ +-#define ETH_P_PAE 0x888E /*Port Access Entity (IEEE 802.1X) */ +-#define ETH_P_IP 0x0800 /*Internet Protocol packet */ +-#define ETH_P_ARP 0x0806 /*Address Resolution packet */ ++/*related to tcp/ip. */ + #define SNAP_SIZE 6 + #define PROTOC_TYPE_SIZE 2 + diff --git a/queue-3.12/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch b/queue-3.12/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch new file mode 100644 index 00000000000..6b6afe00795 --- /dev/null +++ b/queue-3.12/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch 
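Review bot: In the rewritten `rtl_is_special_data()` in base.c, `ether_type` and `ip` are read at fixed offsets from `skb->data`, and the UDP header is located with `ip->ihl << 2`, with no length check visible in the hunk. Because `is_tx` can be false, these bytes can come from a received frame, so a short frame or an unexpected `ihl` would let the reads run past the packet data. A guard such as `if (skb->len < mac_hdr_len + SNAP_SIZE + PROTOC_TYPE_SIZE) return false;` before the first read would cover the fixed offsets. The UDP case additionally needs a check that `ihl` is at least 5 and that the UDP header ends inside the buffer before `udp->source` is read. The function begins outside the hunk, so an earlier length check may already exist and should be confirmed.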
@@ -0,0 +1,35 @@ +From dab3df5e88b979f8d09860f873ccfaa7a55758d2 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 25 Sep 2013 12:57:48 -0500 +Subject: rtlwifi: rtl8188ee: Fix smatch warning in rtl8188ee/hw.c + +From: Larry Finger + +commit dab3df5e88b979f8d09860f873ccfaa7a55758d2 upstream. + +Smatch lists the following: + CHECK drivers/net/wireless/rtlwifi/rtl8188ee/hw.c +drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code. +drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code. + +This info message is the result of a real error due to a missing break statement +in a "while (1)" loop. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8188ee/hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8188ee/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8188ee/hw.c +@@ -143,6 +143,7 @@ static void _rtl88ee_set_fw_clock_on(str + } else { + rtlhal->fw_clk_change_in_progress = false; + spin_unlock_bh(&rtlpriv->locks.fw_ps_lock); ++ break; + } + } + diff --git a/queue-3.12/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch b/queue-3.12/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch new file mode 100644 index 00000000000..bc0b07a08fe --- /dev/null +++ b/queue-3.12/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch 
@@ -0,0 +1,73 @@ +From eafbdde9c5629bea58df07275c5917eb42afbbe7 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 10 Nov 2013 22:11:16 -0600 +Subject: rtlwifi: rtl8192cu: Fix more pointer arithmetic errors + +From: Larry Finger + +commit eafbdde9c5629bea58df07275c5917eb42afbbe7 upstream. + +This driver uses a number of macros to get and set various fields in the +RX and TX descriptors. To work correctly, a u8 pointer to the descriptor +must be used; however, in some cases a descriptor structure pointer is used +instead. In addition, a duplicated statement is removed. + +Signed-off-by: Larry Finger +Reported-by: Mark Cave-Ayland +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/mac.c | 6 +++--- + drivers/net/wireless/rtlwifi/rtl8192cu/trx.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c +@@ -778,7 +778,7 @@ static long _rtl92c_signal_scale_mapping + + static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, + struct rtl_stats *pstats, +- struct rx_desc_92c *pdesc, ++ struct rx_desc_92c *p_desc, + struct rx_fwinfo_92c *p_drvinfo, + bool packet_match_bssid, + bool packet_toself, +@@ -793,11 +793,11 @@ static void _rtl92c_query_rxphystatus(st + u32 rssi, total_rssi = 0; + bool in_powersavemode = false; + bool is_cck_rate; ++ u8 *pdesc = (u8 *)p_desc; + +- is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc); ++ is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc); + pstats->packet_matchbssid = packet_match_bssid; + pstats->packet_toself = packet_toself; +- pstats->is_cck = is_cck_rate; + pstats->packet_beacon = packet_beacon; + pstats->is_cck = is_cck_rate; + pstats->RX_SIGQ[0] = -1; +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c +@@ -303,10 +303,10 @@ out: + bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw, + struct rtl_stats *stats, + 
struct ieee80211_rx_status *rx_status, +- u8 *p_desc, struct sk_buff *skb) ++ u8 *pdesc, struct sk_buff *skb) + { + struct rx_fwinfo_92c *p_drvinfo; +- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc; ++ struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc; + u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc); + + stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc); +@@ -345,7 +345,7 @@ bool rtl92cu_rx_query_desc(struct ieee80 + if (phystatus) { + p_drvinfo = (struct rx_fwinfo_92c *)(skb->data + + stats->rx_bufshift); +- rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc, ++ rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc, + p_drvinfo); + } + /*rx_status->qual = stats->signal; */ diff --git a/queue-3.12/rtlwifi-rtl8192se-fix-wrong-assignment.patch b/queue-3.12/rtlwifi-rtl8192se-fix-wrong-assignment.patch new file mode 100644 index 00000000000..be56bf6700e --- /dev/null +++ b/queue-3.12/rtlwifi-rtl8192se-fix-wrong-assignment.patch 
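Review bot: After this change `pdesc` and `p_desc` in `rtl92cu_rx_query_desc()` name two views of the same descriptor and differ by a single underscore: the `u8 *` handed to the `GET_RX_DESC_*` macros and the `struct rx_desc_92c *` passed to `rtl92c_translate_rx_signal_stuff()`. The same pair appears in `_rtl92c_query_rxphystatus()` in mac.c, where `RX_HAL_IS_CCK_RATE()` receives the struct pointer. Since the commit exists because the wrong pointer type reached a macro, names that say which view is which, for example `u8 *desc_bytes` and `struct rx_desc_92c *rx_desc`, would make the next mix-up easier to spot. Failing that, a comment at the cast would help: `/* pdesc: byte view for GET_RX_DESC_*; p_desc: struct view */`. Both function bodies continue outside the hunks.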
@@ -0,0 +1,33 @@ +From 3aef7dde8dcf09e0124f0a2665845a507331972b Mon Sep 17 00:00:00 2001 +From: Felipe Pena +Date: Fri, 18 Oct 2013 21:52:40 -0300 +Subject: rtlwifi: rtl8192se: Fix wrong assignment + +From: Felipe Pena + +commit 3aef7dde8dcf09e0124f0a2665845a507331972b upstream. + +There is a typo in the struct member name on assignment when checking +rtlphy->current_chan_bw == HT_CHANNEL_WIDTH_20_40, the check uses pwrgroup_ht40 +for bound limit and uses pwrgroup_ht20 when assigning instead. + +Signed-off-by: Felipe Pena +Acked-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192se/rf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c +@@ -265,7 +265,7 @@ static void _rtl92s_get_txpower_writeval + rtlefuse->pwrgroup_ht40 + [RF90_PATH_A][chnl - 1]) { + pwrdiff_limit[i] = +- rtlefuse->pwrgroup_ht20 ++ rtlefuse->pwrgroup_ht40 + [RF90_PATH_A][chnl - 1]; + } + } else { diff --git a/queue-3.12/series b/queue-3.12/series index e0952a79eb7..698c29978f9 100644 --- a/queue-3.12/series +++ b/queue-3.12/series 
@@ -45,3 +45,31 @@ gpio-rcar-null-dereference-on-error-in-probe.patch libata-fix-display-of-sata-speed.patch drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch vsprintf-check-real-user-group-id-for-pk.patch +rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch +rtlwifi-fix-endian-error-in-extracting-packet-type.patch +rtlwifi-rtl8192se-fix-wrong-assignment.patch +rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch +ipc-msg-fix-message-length-check-for-negative-values.patch +ahci-add-device-ids-for-intel-wildcat-point-lp.patch +ahci-disabled-fbs-prior-to-issuing-software-reset.patch +ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch +ahci-add-support-for-ibm-akebono-platform-device.patch +iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch +iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch +iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch +ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch +ib-qib-convert-qib_user_sdma_pin_pages-to-use-get_user_pages_fast.patch +ib-qib-fix-txselect-regression.patch +ib-srp-remove-target-from-list-before-freeing-scsi_host-structure.patch +ib-srp-avoid-offlining-operational-scsi-devices.patch +ib-srp-report-receive-errors-correctly.patch +loop-fix-crash-if-blk_alloc_queue-fails.patch +loop-fix-crash-when-using-unassigned-loop-device.patch +mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch +mtd-m25p80-fix-allocation-size.patch +mtd-map-fixed-bug-in-64-bit-systems.patch +mtd-atmel_nand-fix-bug-driver-will-in-a-dead-lock-if-no-nand-detected.patch +mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch +mtd-gpmi-fix-the-null-pointer.patch +ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch +xen-blkback-fix-reference-counting.patch 
diff --git a/queue-3.12/xen-blkback-fix-reference-counting.patch b/queue-3.12/xen-blkback-fix-reference-counting.patch new file mode 100644 index 00000000000..ec1cb79b850 --- /dev/null +++ b/queue-3.12/xen-blkback-fix-reference-counting.patch @@ -0,0 +1,44 @@ +From ea5ec76d76da9279d12027c1828544c5ccbe7932 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Thu, 5 Sep 2013 13:00:14 +0200 +Subject: xen/blkback: fix reference counting + +From: Vegard Nossum + +commit ea5ec76d76da9279d12027c1828544c5ccbe7932 upstream. + +If the permission check fails, we drop a reference to the blkif without +having taken it in the first place. The bug was introduced in commit +604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (xen/blkback: Check device +permissions before allowing OP_DISCARD). + +Cc: Jan Beulich +Cc: Konrad Rzeszutek Wilk +Signed-off-by: Vegard Nossum +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -887,6 +887,8 @@ static int dispatch_discard_io(struct xe + unsigned long secure; + struct phys_req preq; + ++ xen_blkif_get(blkif); ++ + preq.sector_number = req->u.discard.sector_number; + preq.nr_sects = req->u.discard.nr_sectors; + +@@ -899,7 +901,6 @@ static int dispatch_discard_io(struct xe + } + blkif->st_ds_req++; + +- xen_blkif_get(blkif); + secure = (blkif->vbd.discard_secure && + (req->u.discard.flag & BLKIF_DISCARD_SECURE)) ? + BLKDEV_DISCARD_SECURE : 0;
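Review bot: The moved `xen_blkif_get(blkif);` at the top of `dispatch_discard_io()` has no comment saying why the reference is taken before the permission check, so a later cleanup could move it back below the check. According to the commit message the failure path drops a reference; that path is outside the hunk, so the get/put pairing cannot be confirmed from the visible lines. A one-line comment would pin the ordering: `/* Take the ref before any check: the failure path drops it. */`. The unbalanced put is presumably reachable from a frontend discard request that fails the check, which is why the ordering deserves to be stated in the code.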