From: Greg Kroah-Hartman Date: Fri, 7 Nov 2014 20:27:06 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.60~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=886c9f0ac095dbd9d641bb64b7edb60f07c592f7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: asoc-soc-dapm-fix-use-after-free.patch asoc-tlv320aic3x-fix-pll-d-configuration.patch fs-allow-open-dir-o_tmpfile-...-0-with-mode-0.patch fs-fix-theoretical-division-by-0-in-super_cache_scan.patch fs-make-cont_expand_zero-interruptible.patch libata-sff-fix-controllers-with-no-ctl-port.patch lockd-try-to-reconnect-if-statd-has-moved.patch mmc-rtsx_pci_sdmmc-fix-incorrect-last-byte-in-r2-response.patch pata_serverworks-disable-64-kb-dma-transfers-on-broadcom-osb4-ide-controller.patch revert-percpu-free-percpu-allocation-info-for-uniprocessor-system.patch sunrpc-add-missing-support-for-rpc_clnt_create_no_retrans_timeout.patch sunrpc-don-t-wake-tasks-during-connection-abort.patch ubifs-fix-a-race-condition.patch ubifs-fix-free-log-space-calculation.patch ubifs-remove-mst_mutex.patch --- diff --git a/queue-3.14/asoc-soc-dapm-fix-use-after-free.patch b/queue-3.14/asoc-soc-dapm-fix-use-after-free.patch new file mode 100644 index 00000000000..b24af7912fc --- /dev/null +++ b/queue-3.14/asoc-soc-dapm-fix-use-after-free.patch @@ -0,0 +1,88 @@ +From e5092c96c9c28f4d12811edcd02ca8eec16e748e Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Tue, 7 Oct 2014 13:41:24 +0200 +Subject: ASoC: soc-dapm: fix use after free + +From: Daniel Mack + +commit e5092c96c9c28f4d12811edcd02ca8eec16e748e upstream. + +Coverity spotted the following possible use-after-free condition in +dapm_create_or_share_mixmux_kcontrol(): + +If kcontrol is NULL, and (wname_in_long_name && kcname_in_long_name) +validates to true, 'name' will be set to an allocated string, and be +freed a few lines later via the 'long_name' alias. 'name', however, +is used by dev_err() in case snd_ctl_add() fails. + +Fix this by adding a jump label that frees 'long_name' at the end of +the function. + +Signed-off-by: Daniel Mack +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -689,9 +689,9 @@ static int dapm_create_or_share_mixmux_k + int shared; + struct snd_kcontrol *kcontrol; + bool wname_in_long_name, kcname_in_long_name; +- char *long_name; ++ char *long_name = NULL; + const char *name; +- int ret; ++ int ret = 0; + + if (dapm->codec) + prefix = dapm->codec->name_prefix; +@@ -756,15 +756,17 @@ static int dapm_create_or_share_mixmux_k + + kcontrol = snd_soc_cnew(&w->kcontrol_news[kci], NULL, name, + prefix); +- kfree(long_name); +- if (!kcontrol) +- return -ENOMEM; ++ if (!kcontrol) { ++ ret = -ENOMEM; ++ goto exit_free; ++ } ++ + kcontrol->private_free = dapm_kcontrol_free; + + ret = dapm_kcontrol_data_alloc(w, kcontrol); + if (ret) { + snd_ctl_free_one(kcontrol); +- return ret; ++ goto exit_free; + } + + ret = snd_ctl_add(card, kcontrol); +@@ -772,17 +774,18 @@ static int dapm_create_or_share_mixmux_k + dev_err(dapm->dev, + "ASoC: failed to add widget %s dapm kcontrol %s: %d\n", + w->name, name, ret); +- return ret; ++ goto exit_free; + } + } + + ret = dapm_kcontrol_add_widget(kcontrol, w); +- if (ret) +- return ret; ++ if (ret == 0) ++ w->kcontrols[kci] = kcontrol; + +- w->kcontrols[kci] = kcontrol; ++exit_free: ++ kfree(long_name); + +- return 0; ++ return ret; + } + + /* create new dapm mixer control */ diff --git a/queue-3.14/asoc-tlv320aic3x-fix-pll-d-configuration.patch b/queue-3.14/asoc-tlv320aic3x-fix-pll-d-configuration.patch new file mode 100644 index 00000000000..4728c430855 --- /dev/null +++ b/queue-3.14/asoc-tlv320aic3x-fix-pll-d-configuration.patch @@ -0,0 +1,63 @@ +From 31d9f8faf9a54c851e835af489c82f45105a442f Mon Sep 17 00:00:00 2001 +From: Dmitry Lavnikevich +Date: Fri, 3 Oct 2014 16:18:56 +0300 +Subject: ASoC: tlv320aic3x: fix PLL D configuration + +From: Dmitry Lavnikevich + +commit 31d9f8faf9a54c851e835af489c82f45105a442f upstream. + +Current caching implementation during regcache_sync() call bypasses +all register writes of values that are already known as default +(regmap reg_defaults). Same time in TLV320AIC3x codecs register 5 +(AIC3X_PLL_PROGC_REG) write should be immediately followed by register +6 write (AIC3X_PLL_PROGD_REG) even if it was not changed. Otherwise +both registers will not be written. + +This brings to issue that appears particulary in case of 44.1kHz +playback with 19.2MHz master clock. In this case AIC3X_PLL_PROGC_REG +is 0x6e while AIC3X_PLL_PROGD_REG is 0x0 (same as register +default). Thus AIC3X_PLL_PROGC_REG also remains not written and we get +wrong playback speed. + +In this patch snd_soc_read() is used to get cached pll values and +snd_soc_write() (unlike regcache_sync() this function doesn't bypasses +hardware default values) to write them to registers. + +Signed-off-by: Dmitry Lavnikevich +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/tlv320aic3x.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/soc/codecs/tlv320aic3x.c ++++ b/sound/soc/codecs/tlv320aic3x.c +@@ -1121,6 +1121,7 @@ static int aic3x_regulator_event(struct + static int aic3x_set_power(struct snd_soc_codec *codec, int power) + { + struct aic3x_priv *aic3x = snd_soc_codec_get_drvdata(codec); ++ unsigned int pll_c, pll_d; + int ret; + + if (power) { +@@ -1138,6 +1139,18 @@ static int aic3x_set_power(struct snd_so + /* Sync reg_cache with the hardware */ + regcache_cache_only(aic3x->regmap, false); + regcache_sync(aic3x->regmap); ++ ++ /* Rewrite paired PLL D registers in case cached sync skipped ++ * writing one of them and thus caused other one also not ++ * being written ++ */ ++ pll_c = snd_soc_read(codec, AIC3X_PLL_PROGC_REG); ++ pll_d = snd_soc_read(codec, AIC3X_PLL_PROGD_REG); ++ if (pll_c == aic3x_reg[AIC3X_PLL_PROGC_REG].def || ++ pll_d == aic3x_reg[AIC3X_PLL_PROGD_REG].def) { ++ snd_soc_write(codec, AIC3X_PLL_PROGC_REG, pll_c); ++ snd_soc_write(codec, AIC3X_PLL_PROGD_REG, pll_d); ++ } + } else { + /* + * Do soft reset to this codec instance in order to clear diff --git a/queue-3.14/fs-allow-open-dir-o_tmpfile-...-0-with-mode-0.patch b/queue-3.14/fs-allow-open-dir-o_tmpfile-...-0-with-mode-0.patch new file mode 100644 index 00000000000..4d16997b43c --- /dev/null +++ b/queue-3.14/fs-allow-open-dir-o_tmpfile-...-0-with-mode-0.patch @@ -0,0 +1,87 @@ +From 69a91c237ab0ebe4e9fdeaf6d0090c85275594ec Mon Sep 17 00:00:00 2001 +From: Eric Rannaud +Date: Thu, 30 Oct 2014 01:51:01 -0700 +Subject: fs: allow open(dir, O_TMPFILE|..., 0) with mode 0 + +From: Eric Rannaud + +commit 69a91c237ab0ebe4e9fdeaf6d0090c85275594ec upstream. + +The man page for open(2) indicates that when O_CREAT is specified, the +'mode' argument applies only to future accesses to the file: + + Note that this mode applies only to future accesses of the newly + created file; the open() call that creates a read-only file + may well return a read/write file descriptor. + +The man page for open(2) implies that 'mode' is treated identically by +O_CREAT and O_TMPFILE. + +O_TMPFILE, however, behaves differently: + + int fd = open("/tmp", O_TMPFILE | O_RDWR, 0); + assert(fd == -1); + assert(errno == EACCES); + + int fd = open("/tmp", O_TMPFILE | O_RDWR, 0600); + assert(fd > 0); + +For O_CREAT, do_last() sets acc_mode to MAY_OPEN only: + + if (*opened & FILE_CREATED) { + /* Don't check for write permission, don't truncate */ + open_flag &= ~O_TRUNC; + will_truncate = false; + acc_mode = MAY_OPEN; + path_to_nameidata(path, nd); + goto finish_open_created; + } + +But for O_TMPFILE, do_tmpfile() passes the full op->acc_mode to +may_open(). + +This patch lines up the behavior of O_TMPFILE with O_CREAT. After the +inode is created, may_open() is called with acc_mode = MAY_OPEN, in +do_tmpfile(). + +A different, but related glibc bug revealed the discrepancy: +https://sourceware.org/bugzilla/show_bug.cgi?id=17523 + +The glibc lazily loads the 'mode' argument of open() and openat() using +va_arg() only if O_CREAT is present in 'flags' (to support both the 2 +argument and the 3 argument forms of open; same idea for openat()). +However, the glibc ignores the 'mode' argument if O_TMPFILE is in +'flags'. + +On x86_64, for open(), it magically works anyway, as 'mode' is in +RDX when entering open(), and is still in RDX on SYSCALL, which is where +the kernel looks for the 3rd argument of a syscall. + +But openat() is not quite so lucky: 'mode' is in RCX when entering the +glibc wrapper for openat(), while the kernel looks for the 4th argument +of a syscall in R10. Indeed, the syscall calling convention differs from +the regular calling convention in this respect on x86_64. So the kernel +sees mode = 0 when trying to use glibc openat() with O_TMPFILE, and +fails with EACCES. + +Signed-off-by: Eric Rannaud +Acked-by: Andy Lutomirski +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3128,7 +3128,8 @@ static int do_tmpfile(int dfd, struct fi + if (error) + goto out2; + audit_inode(pathname, nd->path.dentry, 0); +- error = may_open(&nd->path, op->acc_mode, op->open_flag); ++ /* Don't check for other permissions, the inode was just created */ ++ error = may_open(&nd->path, MAY_OPEN, op->open_flag); + if (error) + goto out2; + file->f_path.mnt = nd->path.mnt; diff --git a/queue-3.14/fs-fix-theoretical-division-by-0-in-super_cache_scan.patch b/queue-3.14/fs-fix-theoretical-division-by-0-in-super_cache_scan.patch new file mode 100644 index 00000000000..103a1dd7741 --- /dev/null +++ b/queue-3.14/fs-fix-theoretical-division-by-0-in-super_cache_scan.patch @@ -0,0 +1,37 @@ +From 475d0db742e3755c6b267f48577ff7cbb7dfda0d Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 17 May 2014 20:56:38 +0900 +Subject: fs: Fix theoretical division by 0 in super_cache_scan(). + +From: Tetsuo Handa + +commit 475d0db742e3755c6b267f48577ff7cbb7dfda0d upstream. + +total_objects could be 0 and is used as a denom. + +While total_objects is a "long", total_objects == 0 unlikely happens for +3.12 and later kernels because 32-bit architectures would not be able to +hold (1 << 32) objects. However, total_objects == 0 may happen for kernels +between 3.1 and 3.11 because total_objects in prune_super() was an "int" +and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects. + +Signed-off-by: Tetsuo Handa +Reviewed-by: Christoph Hellwig +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/super.c ++++ b/fs/super.c +@@ -81,6 +81,8 @@ static unsigned long super_cache_scan(st + inodes = list_lru_count_node(&sb->s_inode_lru, sc->nid); + dentries = list_lru_count_node(&sb->s_dentry_lru, sc->nid); + total_objects = dentries + inodes + fs_objects + 1; ++ if (!total_objects) ++ total_objects = 1; + + /* proportion the scan between the caches */ + dentries = mult_frac(sc->nr_to_scan, dentries, total_objects); diff --git a/queue-3.14/fs-make-cont_expand_zero-interruptible.patch b/queue-3.14/fs-make-cont_expand_zero-interruptible.patch new file mode 100644 index 00000000000..b1a6d4181bb --- /dev/null +++ b/queue-3.14/fs-make-cont_expand_zero-interruptible.patch @@ -0,0 +1,42 @@ +From c2ca0fcd202863b14bd041a7fece2e789926c225 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 27 Jul 2014 13:00:41 -0400 +Subject: fs: make cont_expand_zero interruptible + +From: Mikulas Patocka + +commit c2ca0fcd202863b14bd041a7fece2e789926c225 upstream. + +This patch makes it possible to kill a process looping in +cont_expand_zero. A process may spend a lot of time in this function, so +it is desirable to be able to kill it. + +It happened to me that I wanted to copy a piece data from the disk to a +file. By mistake, I used the "seek" parameter to dd instead of "skip". Due +to the "seek" parameter, dd attempted to extend the file and became stuck +doing so - the only possibility was to reset the machine or wait many +hours until the filesystem runs out of space and cont_expand_zero fails. +We need this patch to be able to terminate the process. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2313,6 +2313,11 @@ static int cont_expand_zero(struct file + err = 0; + + balance_dirty_pages_ratelimited(mapping); ++ ++ if (unlikely(fatal_signal_pending(current))) { ++ err = -EINTR; ++ goto out; ++ } + } + + /* page covers the boundary, find the boundary offset */ diff --git a/queue-3.14/libata-sff-fix-controllers-with-no-ctl-port.patch b/queue-3.14/libata-sff-fix-controllers-with-no-ctl-port.patch new file mode 100644 index 00000000000..38869228756 --- /dev/null +++ b/queue-3.14/libata-sff-fix-controllers-with-no-ctl-port.patch @@ -0,0 +1,110 @@ +From 6d8ca28fa688a9354bc9fbc935bdaeb3651b6677 Mon Sep 17 00:00:00 2001 +From: Ondrej Zary +Date: Sat, 27 Sep 2014 00:04:46 +0200 +Subject: libata-sff: Fix controllers with no ctl port + +From: Ondrej Zary + +commit 6d8ca28fa688a9354bc9fbc935bdaeb3651b6677 upstream. + +Currently, ata_sff_softreset is skipped for controllers with no ctl port. +But that also skips ata_sff_dev_classify required for device detection. +This means that libata is currently broken on controllers with no ctl port. + +No device connected: +[ 1.872480] pata_isapnp 01:01.02: activated +[ 1.889823] scsi2 : pata_isapnp +[ 1.890109] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 +[ 6.888110] ata3.01: qc timeout (cmd 0xec) +[ 6.888179] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 16.888085] ata3.01: qc timeout (cmd 0xec) +[ 16.888147] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 46.888086] ata3.01: qc timeout (cmd 0xec) +[ 46.888148] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 51.888100] ata3.00: qc timeout (cmd 0xec) +[ 51.888160] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 61.888079] ata3.00: qc timeout (cmd 0xec) +[ 61.888141] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 91.888089] ata3.00: qc timeout (cmd 0xec) +[ 91.888152] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5) + +ATAPI device connected: +[ 1.882061] pata_isapnp 01:01.02: activated +[ 1.893430] scsi2 : pata_isapnp +[ 1.893719] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 +[ 6.892107] ata3.01: qc timeout (cmd 0xec) +[ 6.892171] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 16.892079] ata3.01: qc timeout (cmd 0xec) +[ 16.892138] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 46.892079] ata3.01: qc timeout (cmd 0xec) +[ 46.892138] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) +[ 46.908586] ata3.00: ATAPI: ACER CD-767E/O, V1.5X, max PIO2, CDB intr +[ 46.924570] ata3.00: configured for PIO0 (device error ignored) +[ 46.926295] scsi 2:0:0:0: CD-ROM ACER CD-767E/O 1.5X PQ: 0 ANSI: 5 +[ 46.984519] sr0: scsi3-mmc drive: 6x/6x xa/form2 tray +[ 46.984592] cdrom: Uniform CD-ROM driver Revision: 3.20 + +So don't skip ata_sff_softreset, just skip the reset part of ata_bus_softreset +if the ctl port is not available. + +This makes IDE port on ES968 behave correctly: + +No device connected: +[ 4.670888] pata_isapnp 01:01.02: activated +[ 4.673207] scsi host2: pata_isapnp +[ 4.673675] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 +[ 7.081840] Adding 2541652k swap on /dev/sda2. Priority:-1 extents:1 across:2541652k + +ATAPI device connected: +[ 4.704362] pata_isapnp 01:01.02: activated +[ 4.706620] scsi host2: pata_isapnp +[ 4.706877] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 +[ 4.872782] ata3.00: ATAPI: ACER CD-767E/O, V1.5X, max PIO2, CDB intr +[ 4.888673] ata3.00: configured for PIO0 (device error ignored) +[ 4.893984] scsi 2:0:0:0: CD-ROM ACER CD-767E/O 1.5X PQ: 0 ANSI: 5 +[ 7.015578] Adding 2541652k swap on /dev/sda2. Priority:-1 extents:1 across:2541652k + +Signed-off-by: Ondrej Zary +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-sff.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -2008,13 +2008,15 @@ static int ata_bus_softreset(struct ata_ + + DPRINTK("ata%u: bus reset via SRST\n", ap->print_id); + +- /* software reset. causes dev0 to be selected */ +- iowrite8(ap->ctl, ioaddr->ctl_addr); +- udelay(20); /* FIXME: flush */ +- iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr); +- udelay(20); /* FIXME: flush */ +- iowrite8(ap->ctl, ioaddr->ctl_addr); +- ap->last_ctl = ap->ctl; ++ if (ap->ioaddr.ctl_addr) { ++ /* software reset. causes dev0 to be selected */ ++ iowrite8(ap->ctl, ioaddr->ctl_addr); ++ udelay(20); /* FIXME: flush */ ++ iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr); ++ udelay(20); /* FIXME: flush */ ++ iowrite8(ap->ctl, ioaddr->ctl_addr); ++ ap->last_ctl = ap->ctl; ++ } + + /* wait the port to become ready */ + return ata_sff_wait_after_reset(&ap->link, devmask, deadline); +@@ -2215,10 +2217,6 @@ void ata_sff_error_handler(struct ata_po + + spin_unlock_irqrestore(ap->lock, flags); + +- /* ignore ata_sff_softreset if ctl isn't accessible */ +- if (softreset == ata_sff_softreset && !ap->ioaddr.ctl_addr) +- softreset = NULL; +- + /* ignore built-in hardresets if SCR access is not available */ + if ((hardreset == sata_std_hardreset || + hardreset == sata_sff_hardreset) && !sata_scr_valid(&ap->link)) diff --git a/queue-3.14/lockd-try-to-reconnect-if-statd-has-moved.patch b/queue-3.14/lockd-try-to-reconnect-if-statd-has-moved.patch new file mode 100644 index 00000000000..352c4fdd4c5 --- /dev/null +++ b/queue-3.14/lockd-try-to-reconnect-if-statd-has-moved.patch @@ -0,0 +1,36 @@ +From 173b3afceebe76fa2205b2c8808682d5b541fe3c Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Tue, 23 Sep 2014 12:26:20 -0400 +Subject: lockd: Try to reconnect if statd has moved + +From: Benjamin Coddington + +commit 173b3afceebe76fa2205b2c8808682d5b541fe3c upstream. + +If rpc.statd is restarted, upcalls to monitor hosts can fail with +ECONNREFUSED. In that case force a lookup of statd's new port and retry the +upcall. + +Signed-off-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/mon.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -159,6 +159,12 @@ static int nsm_mon_unmon(struct nsm_hand + + msg.rpc_proc = &clnt->cl_procinfo[proc]; + status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN); ++ if (status == -ECONNREFUSED) { ++ dprintk("lockd: NSM upcall RPC failed, status=%d, forcing rebind\n", ++ status); ++ rpc_force_rebind(clnt); ++ status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN); ++ } + if (status < 0) + dprintk("lockd: NSM upcall RPC failed, status=%d\n", + status); diff --git a/queue-3.14/mmc-rtsx_pci_sdmmc-fix-incorrect-last-byte-in-r2-response.patch b/queue-3.14/mmc-rtsx_pci_sdmmc-fix-incorrect-last-byte-in-r2-response.patch new file mode 100644 index 00000000000..3d0bb0f9b7c --- /dev/null +++ b/queue-3.14/mmc-rtsx_pci_sdmmc-fix-incorrect-last-byte-in-r2-response.patch @@ -0,0 +1,42 @@ +From d1419d50c1bf711e9fd27b516a739c86b23f7cf9 Mon Sep 17 00:00:00 2001 +From: Roger Tseng +Date: Fri, 15 Aug 2014 14:06:00 +0800 +Subject: mmc: rtsx_pci_sdmmc: fix incorrect last byte in R2 response + +From: Roger Tseng + +commit d1419d50c1bf711e9fd27b516a739c86b23f7cf9 upstream. + +Current code erroneously fill the last byte of R2 response with an undefined +value. In addition, the controller actually 'offloads' the last byte +(CRC7, end bit) while receiving R2 response and thus it's impossible to get the +actual value. This could cause mmc stack to obtain inconsistent CID from the +same card after resume and misidentify it as a different card. + +Fix by assigning dummy CRC and end bit: {7'b0, 1} = 0x1 to the last byte of R2. + +Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver") +Signed-off-by: Roger Tseng +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/rtsx_pci_sdmmc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -342,6 +342,13 @@ static void sd_send_cmd_get_rsp(struct r + } + + if (rsp_type == SD_RSP_TYPE_R2) { ++ /* ++ * The controller offloads the last byte {CRC-7, end bit 1'b1} ++ * of response type R2. Assign dummy CRC, 0, and end bit to the ++ * byte(ptr[16], goes into the LSB of resp[3] later). ++ */ ++ ptr[16] = 1; ++ + for (i = 0; i < 4; i++) { + cmd->resp[i] = get_unaligned_be32(ptr + 1 + i * 4); + dev_dbg(sdmmc_dev(host), "cmd->resp[%d] = 0x%08x\n", diff --git a/queue-3.14/pata_serverworks-disable-64-kb-dma-transfers-on-broadcom-osb4-ide-controller.patch b/queue-3.14/pata_serverworks-disable-64-kb-dma-transfers-on-broadcom-osb4-ide-controller.patch new file mode 100644 index 00000000000..628d42268b2 --- /dev/null +++ b/queue-3.14/pata_serverworks-disable-64-kb-dma-transfers-on-broadcom-osb4-ide-controller.patch @@ -0,0 +1,162 @@ +From 37017ac6849e772e67dd187ba2fbd056c4afa533 Mon Sep 17 00:00:00 2001 +From: Scott Carter +Date: Wed, 24 Sep 2014 18:13:09 -0700 +Subject: pata_serverworks: disable 64-KB DMA transfers on Broadcom OSB4 IDE Controller + +From: Scott Carter + +commit 37017ac6849e772e67dd187ba2fbd056c4afa533 upstream. + +The Broadcom OSB4 IDE Controller (vendor and device IDs: 1166:0211) +does not support 64-KB DMA transfers. +Whenever a 64-KB DMA transfer is attempted, +the transfer fails and messages similar to the following +are written to the console log: + + [ 2431.851125] sr 0:0:0:0: [sr0] Unhandled sense code + [ 2431.851139] sr 0:0:0:0: [sr0] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE + [ 2431.851152] sr 0:0:0:0: [sr0] Sense Key : Hardware Error [current] + [ 2431.851166] sr 0:0:0:0: [sr0] Add. Sense: Logical unit communication time-out + [ 2431.851182] sr 0:0:0:0: [sr0] CDB: Read(10): 28 00 00 00 76 f4 00 00 40 00 + [ 2431.851210] end_request: I/O error, dev sr0, sector 121808 + +When the libata and pata_serverworks modules +are recompiled with ATA_DEBUG and ATA_VERBOSE_DEBUG defined in libata.h, +the 64-KB transfer size in the scatter-gather list can be seen +in the console log: + + [ 2664.897267] sr 9:0:0:0: [sr0] Send: + [ 2664.897274] 0xf63d85e0 + [ 2664.897283] sr 9:0:0:0: [sr0] CDB: + [ 2664.897288] Read(10): 28 00 00 00 7f b4 00 00 40 00 + [ 2664.897319] buffer = 0xf6d6fbc0, bufflen = 131072, queuecommand 0xf81b7700 + [ 2664.897331] ata_scsi_dump_cdb: CDB (1:0,0,0) 28 00 00 00 7f b4 00 00 40 + [ 2664.897338] ata_scsi_translate: ENTER + [ 2664.897345] ata_sg_setup: ENTER, ata1 + [ 2664.897356] ata_sg_setup: 3 sg elements mapped + [ 2664.897364] ata_bmdma_fill_sg: PRD[0] = (0x66FD2000, 0xE000) + [ 2664.897371] ata_bmdma_fill_sg: PRD[1] = (0x65000000, 0x10000) + ------------------------------------------------------> ======= + [ 2664.897378] ata_bmdma_fill_sg: PRD[2] = (0x66A10000, 0x2000) + [ 2664.897386] ata1: ata_dev_select: ENTER, device 0, wait 1 + [ 2664.897422] ata_sff_tf_load: feat 0x1 nsect 0x0 lba 0x0 0x0 0xFC + [ 2664.897428] ata_sff_tf_load: device 0xA0 + [ 2664.897448] ata_sff_exec_command: ata1: cmd 0xA0 + [ 2664.897457] ata_scsi_translate: EXIT + [ 2664.897462] leaving scsi_dispatch_cmnd() + [ 2664.897497] Doing sr request, dev = sr0, block = 0 + [ 2664.897507] sr0 : reading 64/256 512 byte blocks. + [ 2664.897553] ata_sff_hsm_move: ata1: protocol 7 task_state 1 (dev_stat 0x58) + [ 2664.897560] atapi_send_cdb: send cdb + [ 2666.910058] ata_bmdma_port_intr: ata1: host_stat 0x64 + [ 2666.910079] __ata_sff_port_intr: ata1: protocol 7 task_state 3 + [ 2666.910093] ata_sff_hsm_move: ata1: protocol 7 task_state 3 (dev_stat 0x51) + [ 2666.910101] ata_sff_hsm_move: ata1: protocol 7 task_state 4 (dev_stat 0x51) + [ 2666.910129] sr 9:0:0:0: [sr0] Done: + [ 2666.910136] 0xf63d85e0 TIMEOUT + +lspci shows that the driver used for the Broadcom OSB4 IDE Controller is +pata_serverworks: + + 00:0f.1 IDE interface: Broadcom OSB4 IDE Controller (prog-if 8e [Master SecP SecO PriP]) + Flags: bus master, medium devsel, latency 64 + [virtual] Memory at 000001f0 (32-bit, non-prefetchable) [size=8] + [virtual] Memory at 000003f0 (type 3, non-prefetchable) [size=1] + I/O ports at 0170 [size=8] + I/O ports at 0374 [size=4] + I/O ports at 1440 [size=16] + Kernel driver in use: pata_serverworks + +The pata_serverworks driver supports five distinct device IDs, +one being the OSB4 and the other four belonging to the CSB series. +The CSB series appears to support 64-KB DMA transfers, +as tests on a machine with an SAI2 motherboard +containing a Broadcom CSB5 IDE Controller (vendor and device IDs: 1166:0212) +showed no problems with 64-KB DMA transfers. + +This problem was first discovered when attempting to install openSUSE +from a DVD on a machine with an STL2 motherboard. +Using the pata_serverworks module, +older releases of openSUSE will not install at all due to the timeouts. +Releases of openSUSE prior to 11.3 can be installed by disabling +the pata_serverworks module using the brokenmodules boot parameter, +which causes the serverworks module to be used instead. +Recent releases of openSUSE (12.2 and later) include better error recovery and +will install, though very slowly. +On all openSUSE releases, the problem can be recreated +on a machine containing a Broadcom OSB4 IDE Controller +by mounting an install DVD and running a command similar to the following: + + find /mnt -type f -print | xargs cat > /dev/null + +The patch below corrects the problem. +Similar to the other ATA drivers that do not support 64-KB DMA transfers, +the patch changes the ata_port_operations qc_prep vector to point to a routine +that breaks any 64-KB segment into two 32-KB segments and +changes the scsi_host_template sg_tablesize element to reduce by half +the number of scatter/gather elements allowed. +These two changes affect only the OSB4. + +Signed-off-by: Scott Carter +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_serverworks.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/ata/pata_serverworks.c ++++ b/drivers/ata/pata_serverworks.c +@@ -252,12 +252,18 @@ static void serverworks_set_dmamode(stru + pci_write_config_byte(pdev, 0x54, ultra_cfg); + } + +-static struct scsi_host_template serverworks_sht = { ++static struct scsi_host_template serverworks_osb4_sht = { ++ ATA_BMDMA_SHT(DRV_NAME), ++ .sg_tablesize = LIBATA_DUMB_MAX_PRD, ++}; ++ ++static struct scsi_host_template serverworks_csb_sht = { + ATA_BMDMA_SHT(DRV_NAME), + }; + + static struct ata_port_operations serverworks_osb4_port_ops = { + .inherits = &ata_bmdma_port_ops, ++ .qc_prep = ata_bmdma_dumb_qc_prep, + .cable_detect = serverworks_cable_detect, + .mode_filter = serverworks_osb4_filter, + .set_piomode = serverworks_set_piomode, +@@ -266,6 +272,7 @@ static struct ata_port_operations server + + static struct ata_port_operations serverworks_csb_port_ops = { + .inherits = &serverworks_osb4_port_ops, ++ .qc_prep = ata_bmdma_qc_prep, + .mode_filter = serverworks_csb_filter, + }; + +@@ -405,6 +412,7 @@ static int serverworks_init_one(struct p + } + }; + const struct ata_port_info *ppi[] = { &info[id->driver_data], NULL }; ++ struct scsi_host_template *sht = &serverworks_csb_sht; + int rc; + + rc = pcim_enable_device(pdev); +@@ -418,6 +426,7 @@ static int serverworks_init_one(struct p + /* Select non UDMA capable OSB4 if we can't do fixups */ + if (rc < 0) + ppi[0] = &info[1]; ++ sht = &serverworks_osb4_sht; + } + /* setup CSB5/CSB6 : South Bridge and IDE option RAID */ + else if ((pdev->device == PCI_DEVICE_ID_SERVERWORKS_CSB5IDE) || +@@ -434,7 +443,7 @@ static int serverworks_init_one(struct p + ppi[1] = &ata_dummy_port_info; + } + +- return ata_pci_bmdma_init_one(pdev, ppi, &serverworks_sht, NULL, 0); ++ return ata_pci_bmdma_init_one(pdev, ppi, sht, NULL, 0); + } + + #ifdef CONFIG_PM diff --git a/queue-3.14/revert-percpu-free-percpu-allocation-info-for-uniprocessor-system.patch b/queue-3.14/revert-percpu-free-percpu-allocation-info-for-uniprocessor-system.patch new file mode 100644 index 00000000000..94e6a5e797a --- /dev/null +++ b/queue-3.14/revert-percpu-free-percpu-allocation-info-for-uniprocessor-system.patch @@ -0,0 +1,38 @@ +From bb2e226b3bef596dd56be97df655d857b4603923 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sun, 21 Sep 2014 15:04:53 -0700 +Subject: Revert "percpu: free percpu allocation info for uniprocessor system" + +From: Guenter Roeck + +commit bb2e226b3bef596dd56be97df655d857b4603923 upstream. + +This reverts commit 3189eddbcafc ("percpu: free percpu allocation info for +uniprocessor system"). + +The commit causes a hang with a crisv32 image. This may be an architecture +problem, but at least for now the revert is necessary to be able to boot a +crisv32 image. + +Cc: Tejun Heo +Cc: Honggang Li +Signed-off-by: Guenter Roeck +Signed-off-by: Tejun Heo +Fixes: 3189eddbcafc ("percpu: free percpu allocation info for uniprocessor system") +Signed-off-by: Greg Kroah-Hartman + +--- + mm/percpu.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -1917,8 +1917,6 @@ void __init setup_per_cpu_areas(void) + + if (pcpu_setup_first_chunk(ai, fc) < 0) + panic("Failed to initialize percpu areas."); +- +- pcpu_free_alloc_info(ai); + } + + #endif /* CONFIG_SMP */ diff --git a/queue-3.14/series b/queue-3.14/series index 940f8a1fdfa..50b04753845 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -11,3 +11,18 @@ ipv4-dst_entry-leak-in-ip_send_unicast_reply.patch drivers-net-disable-ufo-through-virtio.patch drivers-net-ipv6-select-ipv6-fragment-idents-for-virtio-ufo-packets.patch drivers-net-macvtap-and-tun-depend-on-inet.patch +lockd-try-to-reconnect-if-statd-has-moved.patch +sunrpc-don-t-wake-tasks-during-connection-abort.patch +sunrpc-add-missing-support-for-rpc_clnt_create_no_retrans_timeout.patch +revert-percpu-free-percpu-allocation-info-for-uniprocessor-system.patch +pata_serverworks-disable-64-kb-dma-transfers-on-broadcom-osb4-ide-controller.patch +libata-sff-fix-controllers-with-no-ctl-port.patch +asoc-soc-dapm-fix-use-after-free.patch +asoc-tlv320aic3x-fix-pll-d-configuration.patch +mmc-rtsx_pci_sdmmc-fix-incorrect-last-byte-in-r2-response.patch +fs-make-cont_expand_zero-interruptible.patch +fs-fix-theoretical-division-by-0-in-super_cache_scan.patch +fs-allow-open-dir-o_tmpfile-...-0-with-mode-0.patch +ubifs-remove-mst_mutex.patch +ubifs-fix-a-race-condition.patch +ubifs-fix-free-log-space-calculation.patch diff --git a/queue-3.14/sunrpc-add-missing-support-for-rpc_clnt_create_no_retrans_timeout.patch b/queue-3.14/sunrpc-add-missing-support-for-rpc_clnt_create_no_retrans_timeout.patch new file mode 100644 index 00000000000..a197d03b86a --- /dev/null +++ b/queue-3.14/sunrpc-add-missing-support-for-rpc_clnt_create_no_retrans_timeout.patch @@ -0,0 +1,45 @@ +From 2aca5b869ace67a63aab895659e5dc14c33a4d6e Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 24 Sep 2014 22:35:58 -0400 +Subject: SUNRPC: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT + +From: Trond Myklebust + +commit 2aca5b869ace67a63aab895659e5dc14c33a4d6e upstream. + +The flag RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT was intended introduced in +order to allow NFSv4 clients to disable resend timeouts. Since those +cause the RPC layer to break the connection, they mess up the duplicate +reply caches that remain indexed on the port number in NFSv4.. + +This patch includes the code that was missing in the original to +set the appropriate flag in struct rpc_clnt, when the caller of +rpc_create() sets RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT. + +Fixes: 8a19a0b6cb2e (SUNRPC: Add RPC task and client level options to...) +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/clnt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -533,6 +533,8 @@ struct rpc_clnt *rpc_create(struct rpc_c + + if (args->flags & RPC_CLNT_CREATE_AUTOBIND) + clnt->cl_autobind = 1; ++ if (args->flags & RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT) ++ clnt->cl_noretranstimeo = 1; + if (args->flags & RPC_CLNT_CREATE_DISCRTRY) + clnt->cl_discrtry = 1; + if (!(args->flags & RPC_CLNT_CREATE_QUIET)) +@@ -571,6 +573,7 @@ static struct rpc_clnt *__rpc_clone_clie + /* Turn off autobind on clones */ + new->cl_autobind = 0; + new->cl_softrtry = clnt->cl_softrtry; ++ new->cl_noretranstimeo = clnt->cl_noretranstimeo; + new->cl_discrtry = clnt->cl_discrtry; + new->cl_chatty = clnt->cl_chatty; + return new; diff --git a/queue-3.14/sunrpc-don-t-wake-tasks-during-connection-abort.patch b/queue-3.14/sunrpc-don-t-wake-tasks-during-connection-abort.patch new file mode 100644 index 00000000000..9f470f1a98b --- /dev/null +++ b/queue-3.14/sunrpc-don-t-wake-tasks-during-connection-abort.patch @@ -0,0 +1,56 @@ +From a743419f420a64d442280845c0377a915b76644f Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Tue, 23 Sep 2014 12:26:19 -0400 +Subject: SUNRPC: Don't wake tasks during connection abort + +From: Benjamin Coddington + +commit a743419f420a64d442280845c0377a915b76644f upstream. + +When aborting a connection to preserve source ports, don't wake the task in +xs_error_report. This allows tasks with RPC_TASK_SOFTCONN to succeed if the +connection needs to be re-established since it preserves the task's status +instead of setting it to the status of the aborting kernel_connect(). + +This may also avoid a potential conflict on the socket's lock. + +Signed-off-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sunrpc/xprt.h | 1 + + net/sunrpc/xprtsock.c | 4 ++++ + 2 files changed, 5 insertions(+) + +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -340,6 +340,7 @@ int xs_swapper(struct rpc_xprt *xprt, + #define XPRT_CONNECTION_ABORT (7) + #define XPRT_CONNECTION_CLOSE (8) + #define XPRT_CONGESTED (9) ++#define XPRT_CONNECTION_REUSE (10) + + static inline void xprt_set_connected(struct rpc_xprt *xprt) + { +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -842,6 +842,8 @@ static void xs_error_report(struct sock + dprintk("RPC: xs_error_report client %p, error=%d...\n", + xprt, -err); + trace_rpc_socket_error(xprt, sk->sk_socket, err); ++ if (test_bit(XPRT_CONNECTION_REUSE, &xprt->state)) ++ goto out; + xprt_wake_pending_tasks(xprt, err); + out: + read_unlock_bh(&sk->sk_callback_lock); +@@ -2251,7 +2253,9 @@ static void xs_tcp_setup_socket(struct w + abort_and_exit = test_and_clear_bit(XPRT_CONNECTION_ABORT, + &xprt->state); + /* "close" the socket, preserving the local port */ ++ set_bit(XPRT_CONNECTION_REUSE, &xprt->state); + xs_tcp_reuse_connection(transport); ++ clear_bit(XPRT_CONNECTION_REUSE, &xprt->state); + + if (abort_and_exit) + goto out_eagain; diff --git a/queue-3.14/ubifs-fix-a-race-condition.patch b/queue-3.14/ubifs-fix-a-race-condition.patch new file mode 100644 index 00000000000..d7977cf9828 --- /dev/null +++ b/queue-3.14/ubifs-fix-a-race-condition.patch @@ -0,0 +1,124 @@ +From 052c28073ff26f771d44ef33952a41d18dadd255 Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Sun, 29 Jun 2014 17:00:45 +0300 +Subject: UBIFS: fix a race condition + +From: Artem Bityutskiy + +commit 052c28073ff26f771d44ef33952a41d18dadd255 upstream. + +Hu (hujianyang@huawei.com) discovered a race condition which may lead to a +situation when UBIFS is unable to mount the file-system after an unclean +reboot. The problem is theoretical, though. + +In UBIFS, we have the log, which basically a set of LEBs in a certain area. The +log has the tail and the head. + +Every time user writes data to the file-system, the UBIFS journal grows, and +the log grows as well, because we append new reference nodes to the head of the +log. So the head moves forward all the time, while the log tail stays at the +same position. + +At any time, the UBIFS master node points to the tail of the log. When we mount +the file-system, we scan the log, and we always start from its tail, because +this is where the master node points to. The only occasion when the tail of the +log changes is the commit operation. + +The commit operation has 2 phases - "commit start" and "commit end". The former +is relatively short, and does not involve much I/O. During this phase we mostly +just build various in-memory lists of the things which have to be written to +the flash media during "commit end" phase. + +During the commit start phase, what we do is we "clean" the log. Indeed, the +commit operation will index all the data in the journal, so the entire journal +"disappears", and therefore the data in the log become unneeded. So we just +move the head of the log to the next LEB, and write the CS node there. This LEB +will be the tail of the new log when the commit operation finishes. + +When the "commit start" phase finishes, users may write more data to the +file-system, in parallel with the ongoing "commit end" operation. At this point +the log tail was not changed yet, it is the same as it had been before we +started the commit. The log head keeps moving forward, though. + +The commit operation now needs to write the new master node, and the new master +node should point to the new log tail. After this the LEBs between the old log +tail and the new log tail can be unmapped and re-used again. + +And here is the possible problem. We do 2 operations: (a) We first update the +log tail position in memory (see 'ubifs_log_end_commit()'). (b) And then we +write the master node (see the big lock of code in 'do_commit()'). + +But nothing prevents the log head from moving forward between (a) and (b), and +the log head may "wrap" now to the old log tail. And when the "wrap" happens, +the contends of the log tail gets erased. Now a power cut happens and we are in +trouble. We end up with the old master node pointing to the old tail, which was +erased. And replay fails because it expects the master node to point to the +correct log tail at all times. + +This patch merges the abovementioned (a) and (b) operations by moving the master +node change code to the 'ubifs_log_end_commit()' function, so that it runs with +the log mutex locked, which will prevent the log from being changed benween +operations (a) and (b). + +Reported-by: hujianyang +Tested-by: hujianyang +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/commit.c | 8 +++----- + fs/ubifs/log.c | 11 ++++++++--- + 2 files changed, 11 insertions(+), 8 deletions(-) + +--- a/fs/ubifs/commit.c ++++ b/fs/ubifs/commit.c +@@ -166,10 +166,6 @@ static int do_commit(struct ubifs_info * + err = ubifs_orphan_end_commit(c); + if (err) + goto out; +- old_ltail_lnum = c->ltail_lnum; +- err = ubifs_log_end_commit(c, new_ltail_lnum); +- if (err) +- goto out; + err = dbg_check_old_index(c, &zroot); + if (err) + goto out; +@@ -202,7 +198,9 @@ static int do_commit(struct ubifs_info * + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS); + else + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_NO_ORPHS); +- err = ubifs_write_master(c); ++ ++ old_ltail_lnum = c->ltail_lnum; ++ err = ubifs_log_end_commit(c, new_ltail_lnum); + if (err) + goto out; + +--- a/fs/ubifs/log.c ++++ b/fs/ubifs/log.c +@@ -447,9 +447,9 @@ out: + * @ltail_lnum: new log tail LEB number + * + * This function is called on when the commit operation was finished. It +- * moves log tail to new position and unmaps LEBs which contain obsolete data. +- * Returns zero in case of success and a negative error code in case of +- * failure. ++ * moves log tail to new position and updates the master node so that it stores ++ * the new log tail LEB number. Returns zero in case of success and a negative ++ * error code in case of failure. + */ + int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum) + { +@@ -477,7 +477,12 @@ int ubifs_log_end_commit(struct ubifs_in + spin_unlock(&c->buds_lock); + + err = dbg_check_bud_bytes(c); ++ if (err) ++ goto out; + ++ err = ubifs_write_master(c); ++ ++out: + mutex_unlock(&c->log_mutex); + return err; + } diff --git a/queue-3.14/ubifs-fix-free-log-space-calculation.patch b/queue-3.14/ubifs-fix-free-log-space-calculation.patch new file mode 100644 index 00000000000..88cc912da11 --- /dev/null +++ b/queue-3.14/ubifs-fix-free-log-space-calculation.patch @@ -0,0 +1,51 @@ +From ba29e721eb2df6df8f33c1f248388bb037a47914 Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Wed, 16 Jul 2014 15:22:29 +0300 +Subject: UBIFS: fix free log space calculation + +From: Artem Bityutskiy + +commit ba29e721eb2df6df8f33c1f248388bb037a47914 upstream. + +Hu (hujianyang ) discovered an issue in the +'empty_log_bytes()' function, which calculates how many bytes are left in the +log: + +" +If 'c->lhead_lnum + 1 == c->ltail_lnum' and 'c->lhead_offs == c->leb_size', 'h' +would equalent to 't' and 'empty_log_bytes()' would return 'c->log_bytes' +instead of 0. +" + +At this point it is not clear what would be the consequences of this, and +whether this may lead to any problems, but this patch addresses the issue just +in case. + +Tested-by: hujianyang +Reported-by: hujianyang +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/log.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ubifs/log.c ++++ b/fs/ubifs/log.c +@@ -106,10 +106,14 @@ static inline long long empty_log_bytes( + h = (long long)c->lhead_lnum * c->leb_size + c->lhead_offs; + t = (long long)c->ltail_lnum * c->leb_size; + +- if (h >= t) ++ if (h > t) + return c->log_bytes - h + t; +- else ++ else if (h != t) + return t - h; ++ else if (c->lhead_lnum != c->ltail_lnum) ++ return 0; ++ else ++ return c->log_bytes; + } + + /** diff --git a/queue-3.14/ubifs-remove-mst_mutex.patch b/queue-3.14/ubifs-remove-mst_mutex.patch new file mode 100644 index 00000000000..f37ac440a3f --- /dev/null +++ b/queue-3.14/ubifs-remove-mst_mutex.patch @@ -0,0 +1,86 @@ +From 07e19dff63e3d5d6500d831e36554ac9b1b0560e Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Sun, 29 Jun 2014 16:55:02 +0300 +Subject: UBIFS: remove mst_mutex + +From: Artem Bityutskiy + +commit 07e19dff63e3d5d6500d831e36554ac9b1b0560e upstream. + +The 'mst_mutex' is not needed since because 'ubifs_write_master()' is only +called on the mount path and commit path. The mount path is sequential and +there is no parallelism, and the commit path is also serialized - there is only +one commit going on at a time. + +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/commit.c | 2 -- + fs/ubifs/master.c | 7 +++---- + fs/ubifs/super.c | 1 - + fs/ubifs/ubifs.h | 2 -- + 4 files changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/ubifs/commit.c ++++ b/fs/ubifs/commit.c +@@ -174,7 +174,6 @@ static int do_commit(struct ubifs_info * + if (err) + goto out; + +- mutex_lock(&c->mst_mutex); + c->mst_node->cmt_no = cpu_to_le64(c->cmt_no); + c->mst_node->log_lnum = cpu_to_le32(new_ltail_lnum); + c->mst_node->root_lnum = cpu_to_le32(zroot.lnum); +@@ -204,7 +203,6 @@ static int do_commit(struct ubifs_info * + else + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_NO_ORPHS); + err = ubifs_write_master(c); +- mutex_unlock(&c->mst_mutex); + if (err) + goto out; + +--- a/fs/ubifs/master.c ++++ b/fs/ubifs/master.c +@@ -352,10 +352,9 @@ int ubifs_read_master(struct ubifs_info + * ubifs_write_master - write master node. + * @c: UBIFS file-system description object + * +- * This function writes the master node. The caller has to take the +- * @c->mst_mutex lock before calling this function. Returns zero in case of +- * success and a negative error code in case of failure. The master node is +- * written twice to enable recovery. ++ * This function writes the master node. Returns zero in case of success and a ++ * negative error code in case of failure. The master node is written twice to ++ * enable recovery. + */ + int ubifs_write_master(struct ubifs_info *c) + { +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1957,7 +1957,6 @@ static struct ubifs_info *alloc_ubifs_in + mutex_init(&c->lp_mutex); + mutex_init(&c->tnc_mutex); + mutex_init(&c->log_mutex); +- mutex_init(&c->mst_mutex); + mutex_init(&c->umount_mutex); + mutex_init(&c->bu_mutex); + mutex_init(&c->write_reserve_mutex); +--- a/fs/ubifs/ubifs.h ++++ b/fs/ubifs/ubifs.h +@@ -1042,7 +1042,6 @@ struct ubifs_debug_info; + * + * @mst_node: master node + * @mst_offs: offset of valid master node +- * @mst_mutex: protects the master node area, @mst_node, and @mst_offs + * + * @max_bu_buf_len: maximum bulk-read buffer length + * @bu_mutex: protects the pre-allocated bulk-read buffer and @c->bu +@@ -1282,7 +1281,6 @@ struct ubifs_info { + + struct ubifs_mst_node *mst_node; + int mst_offs; +- struct mutex mst_mutex; + + int max_bu_buf_len; + struct mutex bu_mutex;