From: Greg Kroah-Hartman Date: Mon, 23 Sep 2013 21:21:20 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.97~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97bd542cc15d1f004374519aaec5aaf4e3e1f242;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arm64-perf-fix-armv8-evtype_mask-to-include-nsh-bit.patch arm64-perf-fix-group-validation-when-using-enable_on_exec.patch arm-dts-add-missing-cpu-address-cell-values.patch arm-dts-at91-cpus-cpu-node-dts-updates.patch arm-dts-sunxi-cpus-cpu-nodes-dts-updates.patch arm-kvm-fix-64-bit-coprocessor-handling.patch arm-pci-versatile-fix-map_irq-function-to-match-hardware.patch arm-pci-versatile-fix-pci-i-o.patch arm-pci-versatile-fix-smap-register-offsets.patch cifs-ensure-that-srv_mutex-is-held-when-dealing-with-ssocket-pointer.patch cifs-fix-a-memory-leak-when-a-lease-break-comes.patch cifs-fix-missing-lease-break.patch cpuidle-coupled-abort-idle-if-pokes-are-pending.patch cpuidle-coupled-fix-race-condition-between-pokes-and-safe-state.patch iio-mxs-lradc-fix-misuse-of-iio-trig.patch iio-mxs-lradc-remove-useless-check-in-read_raw.patch kvm-ppc-book3s-fix-compile-error-in-xics-emulation.patch net-check-the-correct-namespace-when-spoofing-pid-over-scm_rights.patch staging-comedi-dt282x-dt282x_ai_insn_read-always-fails.patch tty-disassociate_ctty-sends-the-extra-sigcont.patch usb-dwc3-gadget-don-t-request-irqs-in-atomic.patch usb-ohci-allow-runtime-pm-without-system-sleep.patch usb-xhci-disable-runtime-pm-suspend-for-quirky-controllers.patch xhci-plat-don-t-enable-legacy-pci-interrupts.patch --- diff --git a/queue-3.10/arm-dts-add-missing-cpu-address-cell-values.patch b/queue-3.10/arm-dts-add-missing-cpu-address-cell-values.patch new file mode 100644 index 00000000000..1a849e922ac --- /dev/null +++ b/queue-3.10/arm-dts-add-missing-cpu-address-cell-values.patch @@ -0,0 +1,60 @@ +From 8b2efa896cc618e055e90c9d9600e7c8388ae3b7 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 10 Jun 2013 16:48:36 +0200 +Subject: ARM: dts: add missing cpu #address-cell values + +From: Arnd Bergmann + +commit 8b2efa896cc618e055e90c9d9600e7c8388ae3b7 upstream. + +A recent series has added CPU numbers to a lot of dts files, +but unfortunately in a few cases the #address-cells +and #size-cells values are missing, which causes build warnings. +This adds the missing ones for sunxi and sama5 that I found +through build testing. + +Signed-off-by: Arnd Bergmann +Cc: Lorenzo Pieralisi +Cc: Maxime Ripard +Cc: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm/boot/dts/sama5d3.dtsi b/arch/arm/boot/dts/sama5d3.dtsi +index abdf1c83..f57ffbc9 100644 +--- a/arch/arm/boot/dts/sama5d3.dtsi ++++ b/arch/arm/boot/dts/sama5d3.dtsi +@@ -38,6 +38,8 @@ + ssc1 = &ssc1; + }; + cpus { ++ #address-cells = <1>; ++ #size-cells = <0>; + cpu@0 { + device_type = "cpu"; + compatible = "arm,cortex-a5"; +diff --git a/arch/arm/boot/dts/sun4i-a10.dtsi b/arch/arm/boot/dts/sun4i-a10.dtsi +index 39a8f615..06ef8b62 100644 +--- a/arch/arm/boot/dts/sun4i-a10.dtsi ++++ b/arch/arm/boot/dts/sun4i-a10.dtsi +@@ -16,6 +16,8 @@ + interrupt-parent = <&intc>; + + cpus { ++ #address-cells = <1>; ++ #size-cells = <0>; + cpu@0 { + device_type = "cpu"; + compatible = "arm,cortex-a8"; +diff --git a/arch/arm/boot/dts/sun5i-a13.dtsi b/arch/arm/boot/dts/sun5i-a13.dtsi +index 00a2637d..d2852547 100644 +--- a/arch/arm/boot/dts/sun5i-a13.dtsi ++++ b/arch/arm/boot/dts/sun5i-a13.dtsi +@@ -17,6 +17,8 @@ + interrupt-parent = <&intc>; + + cpus { ++ #address-cells = <1>; ++ #size-cells = <0>; + cpu@0 { + device_type = "cpu"; + compatible = "arm,cortex-a8"; diff --git a/queue-3.10/arm-dts-at91-cpus-cpu-node-dts-updates.patch b/queue-3.10/arm-dts-at91-cpus-cpu-node-dts-updates.patch new file mode 100644 index 00000000000..9abcc2d0b1c --- /dev/null +++ b/queue-3.10/arm-dts-at91-cpus-cpu-node-dts-updates.patch @@ -0,0 +1,139 @@ +From e757a6ee3e6fc1583b12b156588e8583f798d35c Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Thu, 18 Apr 2013 18:31:35 +0100 +Subject: ARM: dts: at91: cpus/cpu node dts updates + +From: Lorenzo Pieralisi + +commit e757a6ee3e6fc1583b12b156588e8583f798d35c upstream. + +This patch updates the in-kernel dts files according to the latest cpus +and cpu bindings updates for ARM. + +Signed-off-by: Lorenzo Pieralisi +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/at91rm9200.dtsi | 6 +++++- + arch/arm/boot/dts/at91sam9260.dtsi | 8 ++++++-- + arch/arm/boot/dts/at91sam9263.dtsi | 8 ++++++-- + arch/arm/boot/dts/at91sam9g45.dtsi | 8 ++++++-- + arch/arm/boot/dts/at91sam9n12.dtsi | 8 ++++++-- + arch/arm/boot/dts/at91sam9x5.dtsi | 8 ++++++-- + arch/arm/boot/dts/sama5d3.dtsi | 2 ++ + 7 files changed, 37 insertions(+), 11 deletions(-) + +--- a/arch/arm/boot/dts/at91rm9200.dtsi ++++ b/arch/arm/boot/dts/at91rm9200.dtsi +@@ -35,8 +35,12 @@ + ssc2 = &ssc2; + }; + cpus { +- cpu@0 { ++ #address-cells = <0>; ++ #size-cells = <0>; ++ ++ cpu { + compatible = "arm,arm920t"; ++ device_type = "cpu"; + }; + }; + +--- a/arch/arm/boot/dts/at91sam9260.dtsi ++++ b/arch/arm/boot/dts/at91sam9260.dtsi +@@ -32,8 +32,12 @@ + ssc0 = &ssc0; + }; + cpus { +- cpu@0 { +- compatible = "arm,arm926ejs"; ++ #address-cells = <0>; ++ #size-cells = <0>; ++ ++ cpu { ++ compatible = "arm,arm926ej-s"; ++ device_type = "cpu"; + }; + }; + +--- a/arch/arm/boot/dts/at91sam9263.dtsi ++++ b/arch/arm/boot/dts/at91sam9263.dtsi +@@ -29,8 +29,12 @@ + ssc1 = &ssc1; + }; + cpus { +- cpu@0 { +- compatible = "arm,arm926ejs"; ++ #address-cells = <0>; ++ #size-cells = <0>; ++ ++ cpu { ++ compatible = "arm,arm926ej-s"; ++ device_type = "cpu"; + }; + }; + +--- a/arch/arm/boot/dts/at91sam9g45.dtsi ++++ b/arch/arm/boot/dts/at91sam9g45.dtsi +@@ -35,8 +35,12 @@ + ssc1 = &ssc1; + }; + cpus { +- cpu@0 { +- compatible = "arm,arm926ejs"; ++ #address-cells = <0>; ++ #size-cells = <0>; ++ ++ cpu { ++ compatible = "arm,arm926ej-s"; ++ device_type = "cpu"; + }; + }; + +--- a/arch/arm/boot/dts/at91sam9n12.dtsi ++++ b/arch/arm/boot/dts/at91sam9n12.dtsi +@@ -31,8 +31,12 @@ + ssc0 = &ssc0; + }; + cpus { +- cpu@0 { +- compatible = "arm,arm926ejs"; ++ #address-cells = <0>; ++ #size-cells = <0>; ++ ++ cpu { ++ compatible = "arm,arm926ej-s"; ++ device_type = "cpu"; + }; + }; + +--- a/arch/arm/boot/dts/at91sam9x5.dtsi ++++ b/arch/arm/boot/dts/at91sam9x5.dtsi +@@ -33,8 +33,12 @@ + ssc0 = &ssc0; + }; + cpus { +- cpu@0 { +- compatible = "arm,arm926ejs"; ++ #address-cells = <0>; ++ #size-cells = <0>; ++ ++ cpu { ++ compatible = "arm,arm926ej-s"; ++ device_type = "cpu"; + }; + }; + +--- a/arch/arm/boot/dts/sama5d3.dtsi ++++ b/arch/arm/boot/dts/sama5d3.dtsi +@@ -36,7 +36,9 @@ + }; + cpus { + cpu@0 { ++ device_type = "cpu"; + compatible = "arm,cortex-a5"; ++ reg = <0x0>; + }; + }; + diff --git a/queue-3.10/arm-dts-sunxi-cpus-cpu-nodes-dts-updates.patch b/queue-3.10/arm-dts-sunxi-cpus-cpu-nodes-dts-updates.patch new file mode 100644 index 00000000000..bdd7d493f46 --- /dev/null +++ b/queue-3.10/arm-dts-sunxi-cpus-cpu-nodes-dts-updates.patch @@ -0,0 +1,45 @@ +From 14c44aa541744d4cf06db89c27a1e6df293c64d5 Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Thu, 18 Apr 2013 18:41:57 +0100 +Subject: ARM: dts: sunxi: cpus/cpu nodes dts updates + +From: Lorenzo Pieralisi + +commit 14c44aa541744d4cf06db89c27a1e6df293c64d5 upstream. + +This patch updates the in-kernel dts files according to the latest cpus +and cpu bindings updates for ARM. + +Signed-off-by: Lorenzo Pieralisi +Acked-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun4i-a10.dtsi | 2 ++ + arch/arm/boot/dts/sun5i-a13.dtsi | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/arch/arm/boot/dts/sun4i-a10.dtsi ++++ b/arch/arm/boot/dts/sun4i-a10.dtsi +@@ -17,7 +17,9 @@ + + cpus { + cpu@0 { ++ device_type = "cpu"; + compatible = "arm,cortex-a8"; ++ reg = <0x0>; + }; + }; + +--- a/arch/arm/boot/dts/sun5i-a13.dtsi ++++ b/arch/arm/boot/dts/sun5i-a13.dtsi +@@ -18,7 +18,9 @@ + + cpus { + cpu@0 { ++ device_type = "cpu"; + compatible = "arm,cortex-a8"; ++ reg = <0x0>; + }; + }; + diff --git a/queue-3.10/arm-kvm-fix-64-bit-coprocessor-handling.patch b/queue-3.10/arm-kvm-fix-64-bit-coprocessor-handling.patch new file mode 100644 index 00000000000..8df058aae10 --- /dev/null +++ b/queue-3.10/arm-kvm-fix-64-bit-coprocessor-handling.patch @@ -0,0 +1,145 @@ +From 240e99cbd00aa541b572480e3ea7ecb0d480bc79 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Mon, 5 Aug 2013 18:08:41 -0700 +Subject: ARM: KVM: Fix 64-bit coprocessor handling + +From: Christoffer Dall + +commit 240e99cbd00aa541b572480e3ea7ecb0d480bc79 upstream. + +The PAR was exported as CRn == 7 and CRm == 0, but in fact the primary +coprocessor register number was determined by CRm for 64-bit coprocessor +registers as the user space API was modeled after the coprocessor +access instructions (see the ARM ARM rev. C - B3-1445). + +However, just changing the CRn to CRm breaks the sorting check when +booting the kernel, because the internal kernel logic always treats CRn +as the primary register number, and it makes the table sorting +impossible to understand for humans. + +Alternatively we could change the logic to always have CRn == CRm, but +that becomes unclear in the number of ways we do look up of a coprocessor +register. We could also have a separate 64-bit table but that feels +somewhat over-engineered. Instead, keep CRn the primary representation +of the primary coproc. register number in-kernel and always export the +primary number as CRm as per the existing user space ABI. + +Note: The TTBR registers just magically worked because they happened to +follow the CRn(0) regs and were considered CRn(0) in the in-kernel +representation. + +Signed-off-by: Christoffer Dall +Signed-off-by: Kim Phillips +Cc: Gleb Natapov +Cc: Paolo Bonzini +Cc: Russell King +Cc: Jonghwan Choi +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/coproc.c | 26 +++++++++++++++++++------- + arch/arm/kvm/coproc.h | 3 +++ + arch/arm/kvm/coproc_a15.c | 6 +++++- + 3 files changed, 27 insertions(+), 8 deletions(-) + +--- a/arch/arm/kvm/coproc.c ++++ b/arch/arm/kvm/coproc.c +@@ -146,7 +146,11 @@ static bool pm_fake(struct kvm_vcpu *vcp + #define access_pmintenclr pm_fake + + /* Architected CP15 registers. +- * Important: Must be sorted ascending by CRn, CRM, Op1, Op2 ++ * CRn denotes the primary register number, but is copied to the CRm in the ++ * user space API for 64-bit register access in line with the terminology used ++ * in the ARM ARM. ++ * Important: Must be sorted ascending by CRn, CRM, Op1, Op2 and with 64-bit ++ * registers preceding 32-bit ones. + */ + static const struct coproc_reg cp15_regs[] = { + /* CSSELR: swapped by interrupt.S. */ +@@ -154,8 +158,8 @@ static const struct coproc_reg cp15_regs + NULL, reset_unknown, c0_CSSELR }, + + /* TTBR0/TTBR1: swapped by interrupt.S. */ +- { CRm( 2), Op1( 0), is64, NULL, reset_unknown64, c2_TTBR0 }, +- { CRm( 2), Op1( 1), is64, NULL, reset_unknown64, c2_TTBR1 }, ++ { CRm64( 2), Op1( 0), is64, NULL, reset_unknown64, c2_TTBR0 }, ++ { CRm64( 2), Op1( 1), is64, NULL, reset_unknown64, c2_TTBR1 }, + + /* TTBCR: swapped by interrupt.S. */ + { CRn( 2), CRm( 0), Op1( 0), Op2( 2), is32, +@@ -182,7 +186,7 @@ static const struct coproc_reg cp15_regs + NULL, reset_unknown, c6_IFAR }, + + /* PAR swapped by interrupt.S */ +- { CRn( 7), Op1( 0), is64, NULL, reset_unknown64, c7_PAR }, ++ { CRm64( 7), Op1( 0), is64, NULL, reset_unknown64, c7_PAR }, + + /* + * DC{C,I,CI}SW operations: +@@ -399,12 +403,13 @@ static bool index_to_params(u64 id, stru + | KVM_REG_ARM_OPC1_MASK)) + return false; + params->is_64bit = true; +- params->CRm = ((id & KVM_REG_ARM_CRM_MASK) ++ /* CRm to CRn: see cp15_to_index for details */ ++ params->CRn = ((id & KVM_REG_ARM_CRM_MASK) + >> KVM_REG_ARM_CRM_SHIFT); + params->Op1 = ((id & KVM_REG_ARM_OPC1_MASK) + >> KVM_REG_ARM_OPC1_SHIFT); + params->Op2 = 0; +- params->CRn = 0; ++ params->CRm = 0; + return true; + default: + return false; +@@ -898,7 +903,14 @@ static u64 cp15_to_index(const struct co + if (reg->is_64) { + val |= KVM_REG_SIZE_U64; + val |= (reg->Op1 << KVM_REG_ARM_OPC1_SHIFT); +- val |= (reg->CRm << KVM_REG_ARM_CRM_SHIFT); ++ /* ++ * CRn always denotes the primary coproc. reg. nr. for the ++ * in-kernel representation, but the user space API uses the ++ * CRm for the encoding, because it is modelled after the ++ * MRRC/MCRR instructions: see the ARM ARM rev. c page ++ * B3-1445 ++ */ ++ val |= (reg->CRn << KVM_REG_ARM_CRM_SHIFT); + } else { + val |= KVM_REG_SIZE_U32; + val |= (reg->Op1 << KVM_REG_ARM_OPC1_SHIFT); +--- a/arch/arm/kvm/coproc.h ++++ b/arch/arm/kvm/coproc.h +@@ -135,6 +135,8 @@ static inline int cmp_reg(const struct c + return -1; + if (i1->CRn != i2->CRn) + return i1->CRn - i2->CRn; ++ if (i1->is_64 != i2->is_64) ++ return i2->is_64 - i1->is_64; + if (i1->CRm != i2->CRm) + return i1->CRm - i2->CRm; + if (i1->Op1 != i2->Op1) +@@ -145,6 +147,7 @@ static inline int cmp_reg(const struct c + + #define CRn(_x) .CRn = _x + #define CRm(_x) .CRm = _x ++#define CRm64(_x) .CRn = _x, .CRm = 0 + #define Op1(_x) .Op1 = _x + #define Op2(_x) .Op2 = _x + #define is64 .is_64 = true +--- a/arch/arm/kvm/coproc_a15.c ++++ b/arch/arm/kvm/coproc_a15.c +@@ -114,7 +114,11 @@ static bool access_l2ectlr(struct kvm_vc + + /* + * A15-specific CP15 registers. +- * Important: Must be sorted ascending by CRn, CRM, Op1, Op2 ++ * CRn denotes the primary register number, but is copied to the CRm in the ++ * user space API for 64-bit register access in line with the terminology used ++ * in the ARM ARM. ++ * Important: Must be sorted ascending by CRn, CRM, Op1, Op2 and with 64-bit ++ * registers preceding 32-bit ones. + */ + static const struct coproc_reg a15_regs[] = { + /* MPIDR: we use VMPIDR for guest access. */ diff --git a/queue-3.10/arm-pci-versatile-fix-map_irq-function-to-match-hardware.patch b/queue-3.10/arm-pci-versatile-fix-map_irq-function-to-match-hardware.patch new file mode 100644 index 00000000000..df7d0b2a3b3 --- /dev/null +++ b/queue-3.10/arm-pci-versatile-fix-map_irq-function-to-match-hardware.patch @@ -0,0 +1,101 @@ +From f9b71fef12f0d6ac5c7051cfd87f7700f78c56b6 Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Thu, 22 Aug 2013 17:47:48 +0100 +Subject: ARM: PCI: versatile: Fix map_irq function to match hardware + +From: Peter Maydell + +commit f9b71fef12f0d6ac5c7051cfd87f7700f78c56b6 upstream. + +The PCI controller code for the Versatile board has never had the +correct IRQ mapping for hardware. For many years it had an odd +mapping ("all interrupts are int 27") which aligned with the +equivalent bug in QEMU. However as of commit 1bc39ac5dab265 +the mapping changed and no longer matched either hardware or QEMU, +with the result that any PCI card beyond the first in QEMU would +not have functioning interrupts; for example a boot with a SCSI +controller would time out as follows: + + ------------ + sym0: <895a> rev 0x0 at pci 0000:00:0d.0 irq 92 + sym0: SCSI BUS has been reset. + scsi0 : sym-2.2.3 + [...] + scsi 0:0:0:0: ABORT operation started + scsi 0:0:0:0: ABORT operation timed-out. + scsi 0:0:0:0: DEVICE RESET operation started + scsi 0:0:0:0: DEVICE RESET operation timed-out. + scsi 0:0:0:0: BUS RESET operation started + scsi 0:0:0:0: BUS RESET operation timed-out. + scsi 0:0:0:0: HOST RESET operation started + sym0: SCSI BUS has been reset + ------------ + +Fix the mapping so that it matches real hardware (checked against the +schematics for PB926 and backplane, and tested against the hardware). +This allows PCI cards using interrupts to work on hardware for the +first time; this change will also work with QEMU 1.5 or later, where +the equivalent bugs in the modelling of the hardware have been fixed. + +Although QEMU will attempt to autodetect whether the kernel is +expecting the long-standing "everything is int 27" mapping or the one +hardware has, for certainty we force it into "definitely behave like +hardware mode"; this will avoid unexpected surprises later if we +implement sparse irqs. This is harmless on hardware. + +Thanks to Paul Gortmaker for bisecting the problem and finding an initial +solution, to Russell King for providing the correct interrupt mapping, +and to Guenter Roeck for providing an initial version of this patch +and prodding me into relocating the hardware and retesting everything. + +Signed-off-by: Peter Maydell +Reviewed-by: Linus Walleij +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-versatile/pci.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/arm/mach-versatile/pci.c ++++ b/arch/arm/mach-versatile/pci.c +@@ -295,6 +295,19 @@ int __init pci_versatile_setup(int nr, s + __raw_writel(PHYS_OFFSET, local_pci_cfg_base + PCI_BASE_ADDRESS_2); + + /* ++ * For many years the kernel and QEMU were symbiotically buggy ++ * in that they both assumed the same broken IRQ mapping. ++ * QEMU therefore attempts to auto-detect old broken kernels ++ * so that they still work on newer QEMU as they did on old ++ * QEMU. Since we now use the correct (ie matching-hardware) ++ * IRQ mapping we write a definitely different value to a ++ * PCI_INTERRUPT_LINE register to tell QEMU that we expect ++ * real hardware behaviour and it need not be backwards ++ * compatible for us. This write is harmless on real hardware. ++ */ ++ __raw_writel(0, VERSATILE_PCI_VIRT_BASE+PCI_INTERRUPT_LINE); ++ ++ /* + * Do not to map Versatile FPGA PCI device into memory space + */ + pci_slot_ignore |= (1 << myslot); +@@ -327,13 +340,13 @@ static int __init versatile_map_irq(cons + { + int irq; + +- /* slot, pin, irq +- * 24 1 IRQ_SIC_PCI0 +- * 25 1 IRQ_SIC_PCI1 +- * 26 1 IRQ_SIC_PCI2 +- * 27 1 IRQ_SIC_PCI3 ++ /* ++ * Slot INTA INTB INTC INTD ++ * 31 PCI1 PCI2 PCI3 PCI0 ++ * 30 PCI0 PCI1 PCI2 PCI3 ++ * 29 PCI3 PCI0 PCI1 PCI2 + */ +- irq = IRQ_SIC_PCI0 + ((slot - 24 + pin - 1) & 3); ++ irq = IRQ_SIC_PCI0 + ((slot + 2 + pin - 1) & 3); + + return irq; + } diff --git a/queue-3.10/arm-pci-versatile-fix-pci-i-o.patch b/queue-3.10/arm-pci-versatile-fix-pci-i-o.patch new file mode 100644 index 00000000000..6cf9e4a84b1 --- /dev/null +++ b/queue-3.10/arm-pci-versatile-fix-pci-i-o.patch @@ -0,0 +1,102 @@ +From 829f9fedee30cde2ec15e88d57ec11074db791e2 Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Thu, 22 Aug 2013 17:47:49 +0100 +Subject: ARM: PCI: versatile: Fix PCI I/O + +From: Peter Maydell + +commit 829f9fedee30cde2ec15e88d57ec11074db791e2 upstream. + +The versatile PCI controller code was confused between the +PCI I/O window (at 0x43000000) and the first PCI memory +window (at 0x44000000). Pass the correct base address to +pci_remap_io() so that PCI I/O accesses work. + +Since the first PCI memory window isn't used at all (it's +an odd size), rename the associated variables and labels +so that it's clear that it isn't related to the I/O window. + +This has been tested and confirmed to fix PCI I/O accesses +both on physical PB926+PCI backplane hardware and on QEMU. + +Signed-off-by: Peter Maydell +Reviewed-by: Linus Walleij +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-versatile/include/mach/platform.h | 2 ++ + arch/arm/mach-versatile/pci.c | 16 ++++++++-------- + 2 files changed, 10 insertions(+), 8 deletions(-) + +--- a/arch/arm/mach-versatile/include/mach/platform.h ++++ b/arch/arm/mach-versatile/include/mach/platform.h +@@ -231,12 +231,14 @@ + /* PCI space */ + #define VERSATILE_PCI_BASE 0x41000000 /* PCI Interface */ + #define VERSATILE_PCI_CFG_BASE 0x42000000 ++#define VERSATILE_PCI_IO_BASE 0x43000000 + #define VERSATILE_PCI_MEM_BASE0 0x44000000 + #define VERSATILE_PCI_MEM_BASE1 0x50000000 + #define VERSATILE_PCI_MEM_BASE2 0x60000000 + /* Sizes of above maps */ + #define VERSATILE_PCI_BASE_SIZE 0x01000000 + #define VERSATILE_PCI_CFG_BASE_SIZE 0x02000000 ++#define VERSATILE_PCI_IO_BASE_SIZE 0x01000000 + #define VERSATILE_PCI_MEM_BASE0_SIZE 0x0c000000 /* 32Mb */ + #define VERSATILE_PCI_MEM_BASE1_SIZE 0x10000000 /* 256Mb */ + #define VERSATILE_PCI_MEM_BASE2_SIZE 0x10000000 /* 256Mb */ +--- a/arch/arm/mach-versatile/pci.c ++++ b/arch/arm/mach-versatile/pci.c +@@ -170,8 +170,8 @@ static struct pci_ops pci_versatile_ops + .write = versatile_write_config, + }; + +-static struct resource io_mem = { +- .name = "PCI I/O space", ++static struct resource unused_mem = { ++ .name = "PCI unused", + .start = VERSATILE_PCI_MEM_BASE0, + .end = VERSATILE_PCI_MEM_BASE0+VERSATILE_PCI_MEM_BASE0_SIZE-1, + .flags = IORESOURCE_MEM, +@@ -195,9 +195,9 @@ static int __init pci_versatile_setup_re + { + int ret = 0; + +- ret = request_resource(&iomem_resource, &io_mem); ++ ret = request_resource(&iomem_resource, &unused_mem); + if (ret) { +- printk(KERN_ERR "PCI: unable to allocate I/O " ++ printk(KERN_ERR "PCI: unable to allocate unused " + "memory region (%d)\n", ret); + goto out; + } +@@ -205,7 +205,7 @@ static int __init pci_versatile_setup_re + if (ret) { + printk(KERN_ERR "PCI: unable to allocate non-prefetchable " + "memory region (%d)\n", ret); +- goto release_io_mem; ++ goto release_unused_mem; + } + ret = request_resource(&iomem_resource, &pre_mem); + if (ret) { +@@ -225,8 +225,8 @@ static int __init pci_versatile_setup_re + + release_non_mem: + release_resource(&non_mem); +- release_io_mem: +- release_resource(&io_mem); ++ release_unused_mem: ++ release_resource(&unused_mem); + out: + return ret; + } +@@ -246,7 +246,7 @@ int __init pci_versatile_setup(int nr, s + goto out; + } + +- ret = pci_ioremap_io(0, VERSATILE_PCI_MEM_BASE0); ++ ret = pci_ioremap_io(0, VERSATILE_PCI_IO_BASE); + if (ret) + goto out; + diff --git a/queue-3.10/arm-pci-versatile-fix-smap-register-offsets.patch b/queue-3.10/arm-pci-versatile-fix-smap-register-offsets.patch new file mode 100644 index 00000000000..9188f36eb88 --- /dev/null +++ b/queue-3.10/arm-pci-versatile-fix-smap-register-offsets.patch @@ -0,0 +1,40 @@ +From 99f2b130370b904ca5300079243fdbcafa2c708b Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Thu, 22 Aug 2013 17:47:50 +0100 +Subject: ARM: PCI: versatile: Fix SMAP register offsets + +From: Peter Maydell + +commit 99f2b130370b904ca5300079243fdbcafa2c708b upstream. + +The SMAP register offsets in the versatile PCI controller code were +all off by four. (This didn't have any observable bad effects +because on this board PHYS_OFFSET is zero, and (a) writing zero to +the flags register at offset 0x10 has no effect and (b) the reset +value of the SMAP register is zero anyway, so failing to write SMAP2 +didn't matter.) + +Signed-off-by: Peter Maydell +Reviewed-by: Linus Walleij +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-versatile/pci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-versatile/pci.c ++++ b/arch/arm/mach-versatile/pci.c +@@ -43,9 +43,9 @@ + #define PCI_IMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x0) + #define PCI_IMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x4) + #define PCI_IMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x8) +-#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x10) +-#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14) +-#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18) ++#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14) ++#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18) ++#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x1c) + #define PCI_SELFID __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0xc) + + #define DEVICE_ID_OFFSET 0x00 diff --git a/queue-3.10/arm64-perf-fix-armv8-evtype_mask-to-include-nsh-bit.patch b/queue-3.10/arm64-perf-fix-armv8-evtype_mask-to-include-nsh-bit.patch new file mode 100644 index 00000000000..301d6523e44 --- /dev/null +++ b/queue-3.10/arm64-perf-fix-armv8-evtype_mask-to-include-nsh-bit.patch @@ -0,0 +1,32 @@ +From 178cd9ce377232518ec17ff2ecab2e80fa60784c Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 20 Aug 2013 11:47:42 +0100 +Subject: arm64: perf: fix ARMv8 EVTYPE_MASK to include NSH bit + +From: Will Deacon + +commit 178cd9ce377232518ec17ff2ecab2e80fa60784c upstream. + +This is a port of f2fe09b055e2 ("ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK +to include NSH bit") to arm64, which fixes the broken evtype mask to +include the NSH bit, allowing profiling at EL2. + +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/perf_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -784,7 +784,7 @@ static const unsigned armv8_pmuv3_perf_c + /* + * PMXEVTYPER: Event selection reg + */ +-#define ARMV8_EVTYPE_MASK 0xc00000ff /* Mask for writable bits */ ++#define ARMV8_EVTYPE_MASK 0xc80000ff /* Mask for writable bits */ + #define ARMV8_EVTYPE_EVENT 0xff /* Mask for EVENT bits */ + + /* diff --git a/queue-3.10/arm64-perf-fix-group-validation-when-using-enable_on_exec.patch b/queue-3.10/arm64-perf-fix-group-validation-when-using-enable_on_exec.patch new file mode 100644 index 00000000000..2916afc8e13 --- /dev/null +++ b/queue-3.10/arm64-perf-fix-group-validation-when-using-enable_on_exec.patch @@ -0,0 +1,36 @@ +From 8455e6ec70f33b0e8c3ffd47067e00481f09f454 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 20 Aug 2013 11:47:41 +0100 +Subject: arm64: perf: fix group validation when using enable_on_exec + +From: Will Deacon + +commit 8455e6ec70f33b0e8c3ffd47067e00481f09f454 upstream. + +This is a port of cb2d8b342aa0 ("ARM: 7698/1: perf: fix group validation +when using enable_on_exec") to arm64, which fixes the event validation +checking so that events in the OFF state are still considered when +enable_on_exec is true. + +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/perf_event.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -325,7 +325,10 @@ validate_event(struct pmu_hw_events *hw_ + if (is_software_event(event)) + return 1; + +- if (event->pmu != leader_pmu || event->state <= PERF_EVENT_STATE_OFF) ++ if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) ++ return 1; ++ ++ if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec) + return 1; + + return armpmu->get_event_idx(hw_events, &fake_event) >= 0; diff --git a/queue-3.10/cifs-ensure-that-srv_mutex-is-held-when-dealing-with-ssocket-pointer.patch b/queue-3.10/cifs-ensure-that-srv_mutex-is-held-when-dealing-with-ssocket-pointer.patch new file mode 100644 index 00000000000..cff5bf2b285 --- /dev/null +++ b/queue-3.10/cifs-ensure-that-srv_mutex-is-held-when-dealing-with-ssocket-pointer.patch @@ -0,0 +1,101 @@ +From 73e216a8a42c0ef3d08071705c946c38fdbe12b0 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 5 Sep 2013 08:38:10 -0400 +Subject: cifs: ensure that srv_mutex is held when dealing with ssocket pointer + +From: Jeff Layton + +commit 73e216a8a42c0ef3d08071705c946c38fdbe12b0 upstream. + +Oleksii reported that he had seen an oops similar to this: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000088 +IP: [] sock_sendmsg+0x93/0xd0 +PGD 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: ipt_MASQUERADE xt_REDIRECT xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables x_tables carl9170 ath usb_storage f2fs nfnetlink_log nfnetlink md4 cifs dns_resolver hid_generic usbhid hid af_packet uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev rfcomm btusb bnep bluetooth qmi_wwan qcserial cdc_wdm usb_wwan usbnet usbserial mii snd_hda_codec_hdmi snd_hda_codec_realtek iwldvm mac80211 coretemp intel_powerclamp kvm_intel kvm iwlwifi snd_hda_intel cfg80211 snd_hda_codec xhci_hcd e1000e ehci_pci snd_hwdep sdhci_pci snd_pcm ehci_hcd microcode psmouse sdhci thinkpad_acpi mmc_core i2c_i801 pcspkr usbcore hwmon snd_timer snd_page_alloc snd ptp rfkill pps_core soundcore evdev usb_common vboxnetflt(O) vboxdrv(O)Oops#2 Part8 + loop tun binfmt_misc fuse msr acpi_call(O) ipv6 autofs4 +CPU: 0 PID: 21612 Comm: kworker/0:1 Tainted: G W O 3.10.1SIGN #28 +Hardware name: LENOVO 2306CTO/2306CTO, BIOS G2ET92WW (2.52 ) 02/22/2013 +Workqueue: cifsiod cifs_echo_request [cifs] +task: ffff8801e1f416f0 ti: ffff880148744000 task.ti: ffff880148744000 +RIP: 0010:[] [] sock_sendmsg+0x93/0xd0 +RSP: 0000:ffff880148745b00 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff880148745b78 RCX: 0000000000000048 +RDX: ffff880148745c90 RSI: ffff880181864a00 RDI: ffff880148745b78 +RBP: ffff880148745c48 R08: 0000000000000048 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff880181864a00 +R13: ffff880148745c90 R14: 0000000000000048 R15: 0000000000000048 +FS: 0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000088 CR3: 000000020c42c000 CR4: 00000000001407b0 +Oops#2 Part7 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Stack: + ffff880148745b30 ffffffff810c4af9 0000004848745b30 ffff880181864a00 + ffffffff81ffbc40 0000000000000000 ffff880148745c90 ffffffff810a5aab + ffff880148745bc0 ffffffff81ffbc40 ffff880148745b60 ffffffff815a9fb8 +Call Trace: + [] ? finish_task_switch+0x49/0xe0 + [] ? lock_timer_base.isra.36+0x2b/0x50 + [] ? _raw_spin_unlock_irqrestore+0x18/0x40 + [] ? try_to_del_timer_sync+0x4f/0x70 + [] ? _raw_spin_unlock_bh+0x1f/0x30 + [] kernel_sendmsg+0x37/0x50 + [] smb_send_kvec+0xd0/0x1d0 [cifs] + [] smb_send_rqst+0x83/0x1f0 [cifs] + [] cifs_call_async+0xec/0x1b0 [cifs] + [] ? free_rsp_buf+0x40/0x40 [cifs] +Oops#2 Part6 + [] SMB2_echo+0x8e/0xb0 [cifs] + [] cifs_echo_request+0x79/0xa0 [cifs] + [] process_one_work+0x173/0x4a0 + [] worker_thread+0x121/0x3a0 + [] ? manage_workers.isra.27+0x2b0/0x2b0 + [] kthread+0xc0/0xd0 + [] ? kthread_create_on_node+0x120/0x120 + [] ret_from_fork+0x7c/0xb0 + [] ? kthread_create_on_node+0x120/0x120 +Code: 84 24 b8 00 00 00 4c 89 f1 4c 89 ea 4c 89 e6 48 89 df 4c 89 60 18 48 c7 40 28 00 00 00 00 4c 89 68 30 44 89 70 14 49 8b 44 24 28 90 88 00 00 00 3d ef fd ff ff 74 10 48 8d 65 e0 5b 41 5c 41 + RIP [] sock_sendmsg+0x93/0xd0 + RSP +CR2: 0000000000000088 + +The client was in the middle of trying to send a frame when the +server->ssocket pointer got zeroed out. In most places, that we access +that pointer, the srv_mutex is held. There's only one spot that I see +that the server->ssocket pointer gets set and the srv_mutex isn't held. +This patch corrects that. + +The upstream bug report was here: + + https://bugzilla.kernel.org/show_bug.cgi?id=60557 + +Reported-by: Oleksii Shevchuk +Signed-off-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -377,6 +377,7 @@ cifs_reconnect(struct TCP_Server_Info *s + try_to_freeze(); + + /* we should try only the port we connected to before */ ++ mutex_lock(&server->srv_mutex); + rc = generic_ip_connect(server); + if (rc) { + cifs_dbg(FYI, "reconnect error %d\n", rc); +@@ -388,6 +389,7 @@ cifs_reconnect(struct TCP_Server_Info *s + server->tcpStatus = CifsNeedNegotiate; + spin_unlock(&GlobalMid_Lock); + } ++ mutex_unlock(&server->srv_mutex); + } while (server->tcpStatus == CifsNeedReconnect); + + return rc; diff --git a/queue-3.10/cifs-fix-a-memory-leak-when-a-lease-break-comes.patch b/queue-3.10/cifs-fix-a-memory-leak-when-a-lease-break-comes.patch new file mode 100644 index 00000000000..a77204ac407 --- /dev/null +++ b/queue-3.10/cifs-fix-a-memory-leak-when-a-lease-break-comes.patch @@ -0,0 +1,31 @@ +From 1a05096de82f3cd672c76389f63964952678506f Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Thu, 5 Sep 2013 15:04:04 +0400 +Subject: CIFS: Fix a memory leak when a lease break comes + +From: Pavel Shilovsky + +commit 1a05096de82f3cd672c76389f63964952678506f upstream. + +This happens when we receive a lease break from a server, then +find an appropriate lease key in opened files and schedule the +oplock_break slow work. lw pointer isn't freed in this case. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -469,6 +469,7 @@ smb2_is_valid_lease_break(char *buffer, + + queue_work(cifsiod_wq, &cfile->oplock_break); + ++ kfree(lw); + spin_unlock(&cifs_file_list_lock); + spin_unlock(&cifs_tcp_ses_lock); + return true; diff --git a/queue-3.10/cifs-fix-missing-lease-break.patch b/queue-3.10/cifs-fix-missing-lease-break.patch new file mode 100644 index 00000000000..ec09db91c3f --- /dev/null +++ b/queue-3.10/cifs-fix-missing-lease-break.patch @@ -0,0 +1,205 @@ +From 933d4b36576c951d0371bbfed05ec0135d516a6e Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Thu, 5 Sep 2013 15:00:07 +0400 +Subject: CIFS: Fix missing lease break + +From: Pavel Shilovsky + +commit 933d4b36576c951d0371bbfed05ec0135d516a6e upstream. + +If a server sends a lease break to a connection that doesn't have +opens with a lease key specified in the server response, we can't +find an open file to send an ack. Fix this by walking through +all connections we have. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 149 ++++++++++++++++++++++++++++------------------------- + 1 file changed, 80 insertions(+), 69 deletions(-) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -413,19 +413,76 @@ cifs_ses_oplock_break(struct work_struct + } + + static bool +-smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) ++smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, ++ struct smb2_lease_break_work *lw) ++{ ++ bool found; ++ __u8 lease_state; ++ struct list_head *tmp; ++ struct cifsFileInfo *cfile; ++ struct cifs_pending_open *open; ++ struct cifsInodeInfo *cinode; ++ int ack_req = le32_to_cpu(rsp->Flags & ++ SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); ++ ++ lease_state = smb2_map_lease_to_oplock(rsp->NewLeaseState); ++ ++ list_for_each(tmp, &tcon->openFileList) { ++ cfile = list_entry(tmp, struct cifsFileInfo, tlist); ++ cinode = CIFS_I(cfile->dentry->d_inode); ++ ++ if (memcmp(cinode->lease_key, rsp->LeaseKey, ++ SMB2_LEASE_KEY_SIZE)) ++ continue; ++ ++ cifs_dbg(FYI, "found in the open list\n"); ++ cifs_dbg(FYI, "lease key match, lease break 0x%d\n", ++ le32_to_cpu(rsp->NewLeaseState)); ++ ++ smb2_set_oplock_level(cinode, lease_state); ++ ++ if (ack_req) ++ cfile->oplock_break_cancelled = false; ++ else ++ cfile->oplock_break_cancelled = true; ++ ++ queue_work(cifsiod_wq, &cfile->oplock_break); ++ kfree(lw); ++ return true; ++ } ++ ++ found = false; ++ list_for_each_entry(open, &tcon->pending_opens, olist) { ++ if (memcmp(open->lease_key, rsp->LeaseKey, ++ SMB2_LEASE_KEY_SIZE)) ++ continue; ++ ++ if (!found && ack_req) { ++ found = true; ++ memcpy(lw->lease_key, open->lease_key, ++ SMB2_LEASE_KEY_SIZE); ++ lw->tlink = cifs_get_tlink(open->tlink); ++ queue_work(cifsiod_wq, &lw->lease_break); ++ } ++ ++ cifs_dbg(FYI, "found in the pending open list\n"); ++ cifs_dbg(FYI, "lease key match, lease break 0x%d\n", ++ le32_to_cpu(rsp->NewLeaseState)); ++ ++ open->oplock = lease_state; ++ } ++ return found; ++} ++ ++static bool ++smb2_is_valid_lease_break(char *buffer) + { + struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; + struct list_head *tmp, *tmp1, *tmp2; ++ struct TCP_Server_Info *server; + struct cifs_ses *ses; + struct cifs_tcon *tcon; +- struct cifsInodeInfo *cinode; +- struct cifsFileInfo *cfile; +- struct cifs_pending_open *open; + struct smb2_lease_break_work *lw; +- bool found; +- int ack_req = le32_to_cpu(rsp->Flags & +- SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); + + lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); + if (!lw) +@@ -438,72 +495,26 @@ smb2_is_valid_lease_break(char *buffer, + + /* look up tcon based on tid & uid */ + spin_lock(&cifs_tcp_ses_lock); +- list_for_each(tmp, &server->smb_ses_list) { +- ses = list_entry(tmp, struct cifs_ses, smb_ses_list); ++ list_for_each(tmp, &cifs_tcp_ses_list) { ++ server = list_entry(tmp, struct TCP_Server_Info, tcp_ses_list); + +- spin_lock(&cifs_file_list_lock); +- list_for_each(tmp1, &ses->tcon_list) { +- tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); +- +- cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks); +- list_for_each(tmp2, &tcon->openFileList) { +- cfile = list_entry(tmp2, struct cifsFileInfo, +- tlist); +- cinode = CIFS_I(cfile->dentry->d_inode); +- +- if (memcmp(cinode->lease_key, rsp->LeaseKey, +- SMB2_LEASE_KEY_SIZE)) +- continue; +- +- cifs_dbg(FYI, "found in the open list\n"); +- cifs_dbg(FYI, "lease key match, lease break 0x%d\n", +- le32_to_cpu(rsp->NewLeaseState)); +- +- smb2_set_oplock_level(cinode, +- smb2_map_lease_to_oplock(rsp->NewLeaseState)); +- +- if (ack_req) +- cfile->oplock_break_cancelled = false; +- else +- cfile->oplock_break_cancelled = true; +- +- queue_work(cifsiod_wq, &cfile->oplock_break); +- +- kfree(lw); +- spin_unlock(&cifs_file_list_lock); +- spin_unlock(&cifs_tcp_ses_lock); +- return true; +- } ++ list_for_each(tmp1, &server->smb_ses_list) { ++ ses = list_entry(tmp1, struct cifs_ses, smb_ses_list); + +- found = false; +- list_for_each_entry(open, &tcon->pending_opens, olist) { +- if (memcmp(open->lease_key, rsp->LeaseKey, +- SMB2_LEASE_KEY_SIZE)) +- continue; +- +- if (!found && ack_req) { +- found = true; +- memcpy(lw->lease_key, open->lease_key, +- SMB2_LEASE_KEY_SIZE); +- lw->tlink = cifs_get_tlink(open->tlink); +- queue_work(cifsiod_wq, +- &lw->lease_break); ++ spin_lock(&cifs_file_list_lock); ++ list_for_each(tmp2, &ses->tcon_list) { ++ tcon = list_entry(tmp2, struct cifs_tcon, ++ tcon_list); ++ cifs_stats_inc( ++ &tcon->stats.cifs_stats.num_oplock_brks); ++ if (smb2_tcon_has_lease(tcon, rsp, lw)) { ++ spin_unlock(&cifs_file_list_lock); ++ spin_unlock(&cifs_tcp_ses_lock); ++ return true; + } +- +- cifs_dbg(FYI, "found in the pending open list\n"); +- cifs_dbg(FYI, "lease key match, lease break 0x%d\n", +- le32_to_cpu(rsp->NewLeaseState)); +- +- open->oplock = +- smb2_map_lease_to_oplock(rsp->NewLeaseState); +- } +- if (found) { +- spin_unlock(&cifs_file_list_lock); +- spin_unlock(&cifs_tcp_ses_lock); +- return true; + } ++ spin_unlock(&cifs_file_list_lock); + } +- spin_unlock(&cifs_file_list_lock); + } + spin_unlock(&cifs_tcp_ses_lock); + kfree(lw); +@@ -529,7 +540,7 @@ smb2_is_valid_oplock_break(char *buffer, + if (rsp->StructureSize != + smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { + if (le16_to_cpu(rsp->StructureSize) == 44) +- return smb2_is_valid_lease_break(buffer, server); ++ return smb2_is_valid_lease_break(buffer); + else + return false; + } diff --git a/queue-3.10/cpuidle-coupled-abort-idle-if-pokes-are-pending.patch b/queue-3.10/cpuidle-coupled-abort-idle-if-pokes-are-pending.patch new file mode 100644 index 00000000000..040e261670a --- /dev/null +++ b/queue-3.10/cpuidle-coupled-abort-idle-if-pokes-are-pending.patch @@ -0,0 +1,246 @@ +From f983827bcb9d2c34c4d8935861a1e9128aec2baf Mon Sep 17 00:00:00 2001 +From: Colin Cross +Date: Wed, 28 Aug 2013 18:41:47 -0700 +Subject: cpuidle: coupled: abort idle if pokes are pending + +From: Colin Cross + +commit f983827bcb9d2c34c4d8935861a1e9128aec2baf upstream. + +Joseph Lo reported a lockup on Tegra20 caused +by a race condition in coupled cpuidle. When two or more cpus +enter idle at the same time, the first cpus to arrive may go to the +ready loop without processing pending pokes from the last cpu to +arrive. + +This patch adds a check for pending pokes once all cpus have been +synchronized in the ready loop and resets the coupled state and +retries if any cpus failed to handle their pending poke. + +Retrying on all cpus may trigger the same issue again, so this patch +also adds a check to ensure that each cpu has received at least one +poke between when it enters the waiting loop and when it moves on to +the ready loop. + +Reported-and-tested-by: Joseph Lo +Tested-by: Stephen Warren +Signed-off-by: Colin Cross +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/coupled.c | 107 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 82 insertions(+), 25 deletions(-) + +--- a/drivers/cpuidle/coupled.c ++++ b/drivers/cpuidle/coupled.c +@@ -106,6 +106,7 @@ struct cpuidle_coupled { + cpumask_t coupled_cpus; + int requested_state[NR_CPUS]; + atomic_t ready_waiting_counts; ++ atomic_t abort_barrier; + int online_count; + int refcnt; + int prevent; +@@ -122,12 +123,19 @@ static DEFINE_MUTEX(cpuidle_coupled_lock + static DEFINE_PER_CPU(struct call_single_data, cpuidle_coupled_poke_cb); + + /* +- * The cpuidle_coupled_poked_mask mask is used to avoid calling ++ * The cpuidle_coupled_poke_pending mask is used to avoid calling + * __smp_call_function_single with the per cpu call_single_data struct already + * in use. This prevents a deadlock where two cpus are waiting for each others + * call_single_data struct to be available + */ +-static cpumask_t cpuidle_coupled_poked_mask; ++static cpumask_t cpuidle_coupled_poke_pending; ++ ++/* ++ * The cpuidle_coupled_poked mask is used to ensure that each cpu has been poked ++ * once to minimize entering the ready loop with a poke pending, which would ++ * require aborting and retrying. ++ */ ++static cpumask_t cpuidle_coupled_poked; + + /** + * cpuidle_coupled_parallel_barrier - synchronize all online coupled cpus +@@ -291,10 +299,11 @@ static inline int cpuidle_coupled_get_st + return state; + } + +-static void cpuidle_coupled_poked(void *info) ++static void cpuidle_coupled_handle_poke(void *info) + { + int cpu = (unsigned long)info; +- cpumask_clear_cpu(cpu, &cpuidle_coupled_poked_mask); ++ cpumask_set_cpu(cpu, &cpuidle_coupled_poked); ++ cpumask_clear_cpu(cpu, &cpuidle_coupled_poke_pending); + } + + /** +@@ -313,7 +322,7 @@ static void cpuidle_coupled_poke(int cpu + { + struct call_single_data *csd = &per_cpu(cpuidle_coupled_poke_cb, cpu); + +- if (!cpumask_test_and_set_cpu(cpu, &cpuidle_coupled_poked_mask)) ++ if (!cpumask_test_and_set_cpu(cpu, &cpuidle_coupled_poke_pending)) + __smp_call_function_single(cpu, csd, 0); + } + +@@ -340,30 +349,19 @@ static void cpuidle_coupled_poke_others( + * @coupled: the struct coupled that contains the current cpu + * @next_state: the index in drv->states of the requested state for this cpu + * +- * Updates the requested idle state for the specified cpuidle device, +- * poking all coupled cpus out of idle if necessary to let them see the new +- * state. ++ * Updates the requested idle state for the specified cpuidle device. ++ * Returns the number of waiting cpus. + */ +-static void cpuidle_coupled_set_waiting(int cpu, ++static int cpuidle_coupled_set_waiting(int cpu, + struct cpuidle_coupled *coupled, int next_state) + { +- int w; +- + coupled->requested_state[cpu] = next_state; + + /* +- * If this is the last cpu to enter the waiting state, poke +- * all the other cpus out of their waiting state so they can +- * enter a deeper state. This can race with one of the cpus +- * exiting the waiting state due to an interrupt and +- * decrementing waiting_count, see comment below. +- * + * The atomic_inc_return provides a write barrier to order the write + * to requested_state with the later write that increments ready_count. + */ +- w = atomic_inc_return(&coupled->ready_waiting_counts) & WAITING_MASK; +- if (w == coupled->online_count) +- cpuidle_coupled_poke_others(cpu, coupled); ++ return atomic_inc_return(&coupled->ready_waiting_counts) & WAITING_MASK; + } + + /** +@@ -418,13 +416,24 @@ static void cpuidle_coupled_set_done(int + static int cpuidle_coupled_clear_pokes(int cpu) + { + local_irq_enable(); +- while (cpumask_test_cpu(cpu, &cpuidle_coupled_poked_mask)) ++ while (cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending)) + cpu_relax(); + local_irq_disable(); + + return need_resched() ? -EINTR : 0; + } + ++static bool cpuidle_coupled_any_pokes_pending(struct cpuidle_coupled *coupled) ++{ ++ cpumask_t cpus; ++ int ret; ++ ++ cpumask_and(&cpus, cpu_online_mask, &coupled->coupled_cpus); ++ ret = cpumask_and(&cpus, &cpuidle_coupled_poke_pending, &cpus); ++ ++ return ret; ++} ++ + /** + * cpuidle_enter_state_coupled - attempt to enter a state with coupled cpus + * @dev: struct cpuidle_device for the current cpu +@@ -449,6 +458,7 @@ int cpuidle_enter_state_coupled(struct c + { + int entered_state = -1; + struct cpuidle_coupled *coupled = dev->coupled; ++ int w; + + if (!coupled) + return -EINVAL; +@@ -465,14 +475,33 @@ int cpuidle_enter_state_coupled(struct c + /* Read barrier ensures online_count is read after prevent is cleared */ + smp_rmb(); + +- cpuidle_coupled_set_waiting(dev->cpu, coupled, next_state); ++reset: ++ cpumask_clear_cpu(dev->cpu, &cpuidle_coupled_poked); ++ ++ w = cpuidle_coupled_set_waiting(dev->cpu, coupled, next_state); ++ /* ++ * If this is the last cpu to enter the waiting state, poke ++ * all the other cpus out of their waiting state so they can ++ * enter a deeper state. This can race with one of the cpus ++ * exiting the waiting state due to an interrupt and ++ * decrementing waiting_count, see comment below. ++ */ ++ if (w == coupled->online_count) { ++ cpumask_set_cpu(dev->cpu, &cpuidle_coupled_poked); ++ cpuidle_coupled_poke_others(dev->cpu, coupled); ++ } + + retry: + /* + * Wait for all coupled cpus to be idle, using the deepest state +- * allowed for a single cpu. ++ * allowed for a single cpu. If this was not the poking cpu, wait ++ * for at least one poke before leaving to avoid a race where ++ * two cpus could arrive at the waiting loop at the same time, ++ * but the first of the two to arrive could skip the loop without ++ * processing the pokes from the last to arrive. + */ +- while (!cpuidle_coupled_cpus_waiting(coupled)) { ++ while (!cpuidle_coupled_cpus_waiting(coupled) || ++ !cpumask_test_cpu(dev->cpu, &cpuidle_coupled_poked)) { + if (cpuidle_coupled_clear_pokes(dev->cpu)) { + cpuidle_coupled_set_not_waiting(dev->cpu, coupled); + goto out; +@@ -493,6 +522,12 @@ retry: + } + + /* ++ * Make sure final poke status for this cpu is visible before setting ++ * cpu as ready. ++ */ ++ smp_wmb(); ++ ++ /* + * All coupled cpus are probably idle. There is a small chance that + * one of the other cpus just became active. Increment the ready count, + * and spin until all coupled cpus have incremented the counter. Once a +@@ -511,6 +546,28 @@ retry: + cpu_relax(); + } + ++ /* ++ * Make sure read of all cpus ready is done before reading pending pokes ++ */ ++ smp_rmb(); ++ ++ /* ++ * There is a small chance that a cpu left and reentered idle after this ++ * cpu saw that all cpus were waiting. The cpu that reentered idle will ++ * have sent this cpu a poke, which will still be pending after the ++ * ready loop. The pending interrupt may be lost by the interrupt ++ * controller when entering the deep idle state. It's not possible to ++ * clear a pending interrupt without turning interrupts on and handling ++ * it, and it's too late to turn on interrupts here, so reset the ++ * coupled idle state of all cpus and retry. ++ */ ++ if (cpuidle_coupled_any_pokes_pending(coupled)) { ++ cpuidle_coupled_set_done(dev->cpu, coupled); ++ /* Wait for all cpus to see the pending pokes */ ++ cpuidle_coupled_parallel_barrier(dev, &coupled->abort_barrier); ++ goto reset; ++ } ++ + /* all cpus have acked the coupled state */ + next_state = cpuidle_coupled_get_state(dev, coupled); + +@@ -596,7 +653,7 @@ have_coupled: + coupled->refcnt++; + + csd = &per_cpu(cpuidle_coupled_poke_cb, dev->cpu); +- csd->func = cpuidle_coupled_poked; ++ csd->func = cpuidle_coupled_handle_poke; + csd->info = (void *)(unsigned long)dev->cpu; + + return 0; diff --git a/queue-3.10/cpuidle-coupled-fix-race-condition-between-pokes-and-safe-state.patch b/queue-3.10/cpuidle-coupled-fix-race-condition-between-pokes-and-safe-state.patch new file mode 100644 index 00000000000..827617828c9 --- /dev/null +++ b/queue-3.10/cpuidle-coupled-fix-race-condition-between-pokes-and-safe-state.patch @@ -0,0 +1,93 @@ +From 9e19b73c30a5fa42a53583a1f7817dd857126156 Mon Sep 17 00:00:00 2001 +From: Colin Cross +Date: Fri, 23 Aug 2013 12:45:12 -0700 +Subject: cpuidle: coupled: fix race condition between pokes and safe state + +From: Colin Cross + +commit 9e19b73c30a5fa42a53583a1f7817dd857126156 upstream. + +The coupled cpuidle waiting loop clears pending pokes before +entering the safe state. If a poke arrives just before the +pokes are cleared, but after the while loop condition checks, +the poke will be lost and the cpu will stay in the safe state +until another interrupt arrives. This may cause the cpu that +sent the poke to spin in the ready loop with interrupts off +until another cpu receives an interrupt, and if no other cpus +have interrupts routed to them it can spin forever. + +Change the return value of cpuidle_coupled_clear_pokes to +return if a poke was cleared, and move the need_resched() +checks into the callers. In the waiting loop, if +a poke was cleared restart the loop to repeat the while +condition checks. + +Reported-by: Neil Zhang +Signed-off-by: Colin Cross +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/coupled.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/cpuidle/coupled.c ++++ b/drivers/cpuidle/coupled.c +@@ -408,19 +408,22 @@ static void cpuidle_coupled_set_done(int + * been processed and the poke bit has been cleared. + * + * Other interrupts may also be processed while interrupts are enabled, so +- * need_resched() must be tested after turning interrupts off again to make sure ++ * need_resched() must be tested after this function returns to make sure + * the interrupt didn't schedule work that should take the cpu out of idle. + * +- * Returns 0 if need_resched was false, -EINTR if need_resched was true. ++ * Returns 0 if no poke was pending, 1 if a poke was cleared. + */ + static int cpuidle_coupled_clear_pokes(int cpu) + { ++ if (!cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending)) ++ return 0; ++ + local_irq_enable(); + while (cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending)) + cpu_relax(); + local_irq_disable(); + +- return need_resched() ? -EINTR : 0; ++ return 1; + } + + static bool cpuidle_coupled_any_pokes_pending(struct cpuidle_coupled *coupled) +@@ -464,7 +467,8 @@ int cpuidle_enter_state_coupled(struct c + return -EINVAL; + + while (coupled->prevent) { +- if (cpuidle_coupled_clear_pokes(dev->cpu)) { ++ cpuidle_coupled_clear_pokes(dev->cpu); ++ if (need_resched()) { + local_irq_enable(); + return entered_state; + } +@@ -502,7 +506,10 @@ retry: + */ + while (!cpuidle_coupled_cpus_waiting(coupled) || + !cpumask_test_cpu(dev->cpu, &cpuidle_coupled_poked)) { +- if (cpuidle_coupled_clear_pokes(dev->cpu)) { ++ if (cpuidle_coupled_clear_pokes(dev->cpu)) ++ continue; ++ ++ if (need_resched()) { + cpuidle_coupled_set_not_waiting(dev->cpu, coupled); + goto out; + } +@@ -516,7 +523,8 @@ retry: + dev->safe_state_index); + } + +- if (cpuidle_coupled_clear_pokes(dev->cpu)) { ++ cpuidle_coupled_clear_pokes(dev->cpu); ++ if (need_resched()) { + cpuidle_coupled_set_not_waiting(dev->cpu, coupled); + goto out; + } diff --git a/queue-3.10/iio-mxs-lradc-fix-misuse-of-iio-trig.patch b/queue-3.10/iio-mxs-lradc-fix-misuse-of-iio-trig.patch new file mode 100644 index 00000000000..9299bfe4efe --- /dev/null +++ b/queue-3.10/iio-mxs-lradc-fix-misuse-of-iio-trig.patch @@ -0,0 +1,62 @@ +From e1b1fa66a0398f0b52ae79a2bdc7de87c205d074 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sat, 29 Jun 2013 22:20:00 +0100 +Subject: iio: mxs-lradc: Fix misuse of iio->trig + +From: Marek Vasut + +commit e1b1fa66a0398f0b52ae79a2bdc7de87c205d074 upstream. + +The struct iio_dev .trig field is to be used only by the IIO core, +the driver shall not fill this field. This fixes ugly crash when +the driver is compiled as a module and the module is rmmod'd. + +Signed-off-by: Marek Vasut +Cc: Fabio Estevam +Cc: Jonathan Cameron +Cc: Shawn Guo +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/mxs-lradc.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/staging/iio/adc/mxs-lradc.c ++++ b/drivers/staging/iio/adc/mxs-lradc.c +@@ -661,12 +661,13 @@ static int mxs_lradc_trigger_init(struct + { + int ret; + struct iio_trigger *trig; ++ struct mxs_lradc *lradc = iio_priv(iio); + + trig = iio_trigger_alloc("%s-dev%i", iio->name, iio->id); + if (trig == NULL) + return -ENOMEM; + +- trig->dev.parent = iio->dev.parent; ++ trig->dev.parent = lradc->dev; + iio_trigger_set_drvdata(trig, iio); + trig->ops = &mxs_lradc_trigger_ops; + +@@ -676,15 +677,17 @@ static int mxs_lradc_trigger_init(struct + return ret; + } + +- iio->trig = trig; ++ lradc->trig = trig; + + return 0; + } + + static void mxs_lradc_trigger_remove(struct iio_dev *iio) + { +- iio_trigger_unregister(iio->trig); +- iio_trigger_free(iio->trig); ++ struct mxs_lradc *lradc = iio_priv(iio); ++ ++ iio_trigger_unregister(lradc->trig); ++ iio_trigger_free(lradc->trig); + } + + static int mxs_lradc_buffer_preenable(struct iio_dev *iio) diff --git a/queue-3.10/iio-mxs-lradc-remove-useless-check-in-read_raw.patch b/queue-3.10/iio-mxs-lradc-remove-useless-check-in-read_raw.patch new file mode 100644 index 00000000000..c1c7c68fa07 --- /dev/null +++ b/queue-3.10/iio-mxs-lradc-remove-useless-check-in-read_raw.patch @@ -0,0 +1,49 @@ +From 2a961d0995cdadbfba565b28beada59c5ae7ebae Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Wed, 3 Jul 2013 22:25:00 +0100 +Subject: iio: mxs-lradc: Remove useless check in read_raw + +From: Marek Vasut + +commit 2a961d0995cdadbfba565b28beada59c5ae7ebae upstream. + +The removed check in the read_raw implementation was always true, +therefore remove it. This also fixes a bug, by closely inspecting +the code, one can notice the iio_validate_scan_mask_onehot() will +always return 1 and therefore the subsequent condition will always +succeed, therefore making the mxs_lradc_read_raw() function always +return -EINVAL; . + +Signed-off-by: Marek Vasut +Tested-by: Otavio Salvador +Acked-by: Hector Palacios +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/mxs-lradc.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/staging/iio/adc/mxs-lradc.c ++++ b/drivers/staging/iio/adc/mxs-lradc.c +@@ -234,7 +234,6 @@ static int mxs_lradc_read_raw(struct iio + { + struct mxs_lradc *lradc = iio_priv(iio_dev); + int ret; +- unsigned long mask; + + if (m != IIO_CHAN_INFO_RAW) + return -EINVAL; +@@ -243,12 +242,6 @@ static int mxs_lradc_read_raw(struct iio + if (chan->channel > LRADC_MAX_TOTAL_CHANS) + return -EINVAL; + +- /* Validate the channel if it doesn't intersect with reserved chans. */ +- bitmap_set(&mask, chan->channel, 1); +- ret = iio_validate_scan_mask_onehot(iio_dev, &mask); +- if (ret) +- return -EINVAL; +- + /* + * See if there is no buffered operation in progess. If there is, simply + * bail out. This can be improved to support both buffered and raw IO at diff --git a/queue-3.10/kvm-ppc-book3s-fix-compile-error-in-xics-emulation.patch b/queue-3.10/kvm-ppc-book3s-fix-compile-error-in-xics-emulation.patch new file mode 100644 index 00000000000..611be208c47 --- /dev/null +++ b/queue-3.10/kvm-ppc-book3s-fix-compile-error-in-xics-emulation.patch @@ -0,0 +1,35 @@ +From 7bfa9ad55d691f2b836b576769b11eca2cf50816 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Tue, 6 Aug 2013 14:13:44 +1000 +Subject: KVM: PPC: Book3S: Fix compile error in XICS emulation + +From: Paul Mackerras + +commit 7bfa9ad55d691f2b836b576769b11eca2cf50816 upstream. + +Commit 8e44ddc3f3 ("powerpc/kvm/book3s: Add support for H_IPOLL and +H_XIRR_X in XICS emulation") added a call to get_tb() but didn't +include the header that defines it, and on some configs this means +book3s_xics.c fails to compile: + +arch/powerpc/kvm/book3s_xics.c: In function ‘kvmppc_xics_hcall’: +arch/powerpc/kvm/book3s_xics.c:812:3: error: implicit declaration of function ‘get_tb’ [-Werror=implicit-function-declaration] + +Signed-off-by: Paul Mackerras +Signed-off-by: Alexander Graf +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_xics.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kvm/book3s_xics.c ++++ b/arch/powerpc/kvm/book3s_xics.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include + #include diff --git a/queue-3.10/net-check-the-correct-namespace-when-spoofing-pid-over-scm_rights.patch b/queue-3.10/net-check-the-correct-namespace-when-spoofing-pid-over-scm_rights.patch new file mode 100644 index 00000000000..c33dd3c2998 --- /dev/null +++ b/queue-3.10/net-check-the-correct-namespace-when-spoofing-pid-over-scm_rights.patch @@ -0,0 +1,34 @@ +From d661684cf6820331feae71146c35da83d794467e Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Thu, 22 Aug 2013 11:39:15 -0700 +Subject: net: Check the correct namespace when spoofing pid over SCM_RIGHTS + +From: Andy Lutomirski + +commit d661684cf6820331feae71146c35da83d794467e upstream. + +This is a security bug. + +The follow-up will fix nsproxy to discourage this type of issue from +happening again. + +Signed-off-by: Andy Lutomirski +Reviewed-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/scm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(st + return -EINVAL; + + if ((creds->pid == task_tgid_vnr(current) || +- ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) && ++ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) && + ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) || + uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) && + ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) || diff --git a/queue-3.10/series b/queue-3.10/series index 97e8307e5d3..f1e046fc246 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -6,3 +6,27 @@ powerpc-handle-unaligned-ldbrx-stdbrx.patch powerpc-default-arch-idle-could-cede-processor-on-pseries.patch xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch +cpuidle-coupled-abort-idle-if-pokes-are-pending.patch +cpuidle-coupled-fix-race-condition-between-pokes-and-safe-state.patch +arm-dts-at91-cpus-cpu-node-dts-updates.patch +arm-dts-sunxi-cpus-cpu-nodes-dts-updates.patch +arm-dts-add-missing-cpu-address-cell-values.patch +arm-kvm-fix-64-bit-coprocessor-handling.patch +arm64-perf-fix-group-validation-when-using-enable_on_exec.patch +arm64-perf-fix-armv8-evtype_mask-to-include-nsh-bit.patch +arm-pci-versatile-fix-map_irq-function-to-match-hardware.patch +arm-pci-versatile-fix-pci-i-o.patch +arm-pci-versatile-fix-smap-register-offsets.patch +kvm-ppc-book3s-fix-compile-error-in-xics-emulation.patch +xhci-plat-don-t-enable-legacy-pci-interrupts.patch +usb-xhci-disable-runtime-pm-suspend-for-quirky-controllers.patch +usb-dwc3-gadget-don-t-request-irqs-in-atomic.patch +tty-disassociate_ctty-sends-the-extra-sigcont.patch +cifs-ensure-that-srv_mutex-is-held-when-dealing-with-ssocket-pointer.patch +cifs-fix-a-memory-leak-when-a-lease-break-comes.patch +cifs-fix-missing-lease-break.patch +usb-ohci-allow-runtime-pm-without-system-sleep.patch +net-check-the-correct-namespace-when-spoofing-pid-over-scm_rights.patch +staging-comedi-dt282x-dt282x_ai_insn_read-always-fails.patch +iio-mxs-lradc-fix-misuse-of-iio-trig.patch +iio-mxs-lradc-remove-useless-check-in-read_raw.patch diff --git a/queue-3.10/staging-comedi-dt282x-dt282x_ai_insn_read-always-fails.patch b/queue-3.10/staging-comedi-dt282x-dt282x_ai_insn_read-always-fails.patch new file mode 100644 index 00000000000..49eaf04894c --- /dev/null +++ b/queue-3.10/staging-comedi-dt282x-dt282x_ai_insn_read-always-fails.patch @@ -0,0 +1,35 @@ +From 2c4283ca7cdcc6605859c836fc536fcd83a4525f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 20 Aug 2013 11:57:35 +0300 +Subject: staging: comedi: dt282x: dt282x_ai_insn_read() always fails + +From: Dan Carpenter + +commit 2c4283ca7cdcc6605859c836fc536fcd83a4525f upstream. + +In dt282x_ai_insn_read() we call this macro like: +wait_for(!mux_busy(), comedi_error(dev, "timeout\n"); return -ETIME;); +Because the if statement doesn't have curly braces it means we always +return -ETIME and the function never succeeds. + +Signed-off-by: Dan Carpenter +Acked-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/dt282x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/dt282x.c ++++ b/drivers/staging/comedi/drivers/dt282x.c +@@ -269,8 +269,9 @@ struct dt282x_private { + } \ + udelay(5); \ + } \ +- if (_i) \ ++ if (_i) { \ + b \ ++ } \ + } while (0) + + static int prep_ai_dma(struct comedi_device *dev, int chan, int size); diff --git a/queue-3.10/tty-disassociate_ctty-sends-the-extra-sigcont.patch b/queue-3.10/tty-disassociate_ctty-sends-the-extra-sigcont.patch new file mode 100644 index 00000000000..dc467b8c54d --- /dev/null +++ b/queue-3.10/tty-disassociate_ctty-sends-the-extra-sigcont.patch @@ -0,0 +1,48 @@ +From 03e1261778cca782d41a3d8e3945ca88cf93e01e Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Sun, 15 Sep 2013 17:50:26 +0200 +Subject: tty: disassociate_ctty() sends the extra SIGCONT + +From: Oleg Nesterov + +commit 03e1261778cca782d41a3d8e3945ca88cf93e01e upstream. + +Starting from v3.10 (probably commit f91e2590410b: "tty: Signal +foreground group processes in hangup") disassociate_ctty() sends SIGCONT +if tty && on_exit. This breaks LSB test-suite, in particular test8 in +_exit.c and test40 in sigcon5.c. + +Put the "!on_exit" check back to restore the old behaviour. + +Review by Peter Hurley: + "Yes, this regression was introduced by me in that commit. The effect + of the regression is that ptys will receive a SIGCONT when, in similar + circumstances, ttys would not. + + The fact that two test vectors accidentally tripped over this + regression suggests that some other apps may as well. + + Thanks for catching this" + +Signed-off-by: Oleg Nesterov +Reported-by: Karel Srot +Reviewed-by: Peter Hurley +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -850,7 +850,8 @@ void disassociate_ctty(int on_exit) + struct pid *tty_pgrp = tty_get_pgrp(tty); + if (tty_pgrp) { + kill_pgrp(tty_pgrp, SIGHUP, on_exit); +- kill_pgrp(tty_pgrp, SIGCONT, on_exit); ++ if (!on_exit) ++ kill_pgrp(tty_pgrp, SIGCONT, on_exit); + put_pid(tty_pgrp); + } + } diff --git a/queue-3.10/usb-dwc3-gadget-don-t-request-irqs-in-atomic.patch b/queue-3.10/usb-dwc3-gadget-don-t-request-irqs-in-atomic.patch new file mode 100644 index 00000000000..45ac69bf6e6 --- /dev/null +++ b/queue-3.10/usb-dwc3-gadget-don-t-request-irqs-in-atomic.patch @@ -0,0 +1,120 @@ +From b0d7ffd44ba9cd2dfbf299674418193a5f9ed21a Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Thu, 27 Jun 2013 10:00:18 +0300 +Subject: usb: dwc3: gadget: don't request IRQs in atomic + +From: Felipe Balbi + +commit b0d7ffd44ba9cd2dfbf299674418193a5f9ed21a upstream. + +We cannot request an IRQ with spinlocks held +as that would trigger a sleeping inside +spinlock warning. + +Reported-by: Stephen Boyd +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 39 ++++++++++++++++++++++----------------- + 1 file changed, 22 insertions(+), 17 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1508,6 +1508,15 @@ static int dwc3_gadget_start(struct usb_ + int irq; + u32 reg; + ++ irq = platform_get_irq(to_platform_device(dwc->dev), 0); ++ ret = request_threaded_irq(irq, dwc3_interrupt, dwc3_thread_interrupt, ++ IRQF_SHARED | IRQF_ONESHOT, "dwc3", dwc); ++ if (ret) { ++ dev_err(dwc->dev, "failed to request irq #%d --> %d\n", ++ irq, ret); ++ goto err0; ++ } ++ + spin_lock_irqsave(&dwc->lock, flags); + + if (dwc->gadget_driver) { +@@ -1515,7 +1524,7 @@ static int dwc3_gadget_start(struct usb_ + dwc->gadget.name, + dwc->gadget_driver->driver.name); + ret = -EBUSY; +- goto err0; ++ goto err1; + } + + dwc->gadget_driver = driver; +@@ -1551,42 +1560,38 @@ static int dwc3_gadget_start(struct usb_ + ret = __dwc3_gadget_ep_enable(dep, &dwc3_gadget_ep0_desc, NULL, false); + if (ret) { + dev_err(dwc->dev, "failed to enable %s\n", dep->name); +- goto err0; ++ goto err2; + } + + dep = dwc->eps[1]; + ret = __dwc3_gadget_ep_enable(dep, &dwc3_gadget_ep0_desc, NULL, false); + if (ret) { + dev_err(dwc->dev, "failed to enable %s\n", dep->name); +- goto err1; ++ goto err3; + } + + /* begin to receive SETUP packets */ + dwc->ep0state = EP0_SETUP_PHASE; + dwc3_ep0_out_start(dwc); + +- irq = platform_get_irq(to_platform_device(dwc->dev), 0); +- ret = request_threaded_irq(irq, dwc3_interrupt, dwc3_thread_interrupt, +- IRQF_SHARED | IRQF_ONESHOT, "dwc3", dwc); +- if (ret) { +- dev_err(dwc->dev, "failed to request irq #%d --> %d\n", +- irq, ret); +- goto err1; +- } +- + dwc3_gadget_enable_irq(dwc); + + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; + +-err1: ++err3: + __dwc3_gadget_ep_disable(dwc->eps[0]); + +-err0: ++err2: + dwc->gadget_driver = NULL; ++ ++err1: + spin_unlock_irqrestore(&dwc->lock, flags); + ++ free_irq(irq, dwc); ++ ++err0: + return ret; + } + +@@ -1600,9 +1605,6 @@ static int dwc3_gadget_stop(struct usb_g + spin_lock_irqsave(&dwc->lock, flags); + + dwc3_gadget_disable_irq(dwc); +- irq = platform_get_irq(to_platform_device(dwc->dev), 0); +- free_irq(irq, dwc); +- + __dwc3_gadget_ep_disable(dwc->eps[0]); + __dwc3_gadget_ep_disable(dwc->eps[1]); + +@@ -1610,6 +1612,9 @@ static int dwc3_gadget_stop(struct usb_g + + spin_unlock_irqrestore(&dwc->lock, flags); + ++ irq = platform_get_irq(to_platform_device(dwc->dev), 0); ++ free_irq(irq, dwc); ++ + return 0; + } + diff --git a/queue-3.10/usb-ohci-allow-runtime-pm-without-system-sleep.patch b/queue-3.10/usb-ohci-allow-runtime-pm-without-system-sleep.patch new file mode 100644 index 00000000000..7e8e31bf864 --- /dev/null +++ b/queue-3.10/usb-ohci-allow-runtime-pm-without-system-sleep.patch @@ -0,0 +1,34 @@ +From 69820e01aa756b8d228143d997f71523c1e97984 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 26 Aug 2013 15:01:40 -0400 +Subject: USB: OHCI: Allow runtime PM without system sleep + +From: Alan Stern + +commit 69820e01aa756b8d228143d997f71523c1e97984 upstream. + +Since ohci-hcd supports runtime PM, the .pm field in its pci_driver +structure should be protected by CONFIG_PM rather than +CONFIG_PM_SLEEP. + +Without this change, OHCI controllers won't do runtime suspend if +system suspend or hibernation isn't enabled. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/ohci-pci.c ++++ b/drivers/usb/host/ohci-pci.c +@@ -371,7 +371,7 @@ static struct pci_driver ohci_pci_driver + .remove = usb_hcd_pci_remove, + .shutdown = usb_hcd_pci_shutdown, + +-#ifdef CONFIG_PM_SLEEP ++#ifdef CONFIG_PM + .driver = { + .pm = &usb_hcd_pci_pm_ops + }, diff --git a/queue-3.10/usb-xhci-disable-runtime-pm-suspend-for-quirky-controllers.patch b/queue-3.10/usb-xhci-disable-runtime-pm-suspend-for-quirky-controllers.patch new file mode 100644 index 00000000000..c6e2f7ef92c --- /dev/null +++ b/queue-3.10/usb-xhci-disable-runtime-pm-suspend-for-quirky-controllers.patch @@ -0,0 +1,79 @@ +From c8476fb855434c733099079063990e5bfa7ecad6 Mon Sep 17 00:00:00 2001 +From: Shawn Nematbakhsh +Date: Mon, 19 Aug 2013 10:36:13 -0700 +Subject: usb: xhci: Disable runtime PM suspend for quirky controllers + +From: Shawn Nematbakhsh + +commit c8476fb855434c733099079063990e5bfa7ecad6 upstream. + +If a USB controller with XHCI_RESET_ON_RESUME goes to runtime suspend, +a reset will be performed upon runtime resume. Any previously suspended +devices attached to the controller will be re-enumerated at this time. +This will cause problems, for example, if an open system call on the +device triggered the resume (the open call will fail). + +Note that this change is only relevant when persist_enabled is not set +for USB devices. + +This patch should be backported to kernels as old as 3.0, that +contain the commit c877b3b2ad5cb9d4fe523c5496185cc328ff3ae9 "xhci: Add +reset on resume quirk for asrock p67 host". + +Signed-off-by: Shawn Nematbakhsh +Signed-off-by: Sarah Sharp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3511,10 +3511,21 @@ void xhci_free_dev(struct usb_hcd *hcd, + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + struct xhci_virt_device *virt_dev; ++ struct device *dev = hcd->self.controller; + unsigned long flags; + u32 state; + int i, ret; + ++#ifndef CONFIG_USB_DEFAULT_PERSIST ++ /* ++ * We called pm_runtime_get_noresume when the device was attached. ++ * Decrement the counter here to allow controller to runtime suspend ++ * if no devices remain. ++ */ ++ if (xhci->quirks & XHCI_RESET_ON_RESUME) ++ pm_runtime_put_noidle(dev); ++#endif ++ + ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__); + /* If the host is halted due to driver unload, we still need to free the + * device. +@@ -3586,6 +3597,7 @@ static int xhci_reserve_host_control_ep_ + int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ struct device *dev = hcd->self.controller; + unsigned long flags; + int timeleft; + int ret; +@@ -3638,6 +3650,16 @@ int xhci_alloc_dev(struct usb_hcd *hcd, + goto disable_slot; + } + udev->slot_id = xhci->slot_id; ++ ++#ifndef CONFIG_USB_DEFAULT_PERSIST ++ /* ++ * If resetting upon resume, we can't put the controller into runtime ++ * suspend if there is a device attached. ++ */ ++ if (xhci->quirks & XHCI_RESET_ON_RESUME) ++ pm_runtime_get_noresume(dev); ++#endif ++ + /* Is this a LS or FS device under a HS hub? */ + /* Hub or peripherial? */ + return 1; diff --git a/queue-3.10/xhci-plat-don-t-enable-legacy-pci-interrupts.patch b/queue-3.10/xhci-plat-don-t-enable-legacy-pci-interrupts.patch new file mode 100644 index 00000000000..68bcb20131b --- /dev/null +++ b/queue-3.10/xhci-plat-don-t-enable-legacy-pci-interrupts.patch @@ -0,0 +1,83 @@ +From 52fb61250a7a132b0cfb9f4a1060a1f3c49e5a25 Mon Sep 17 00:00:00 2001 +From: Sarah Sharp +Date: Thu, 8 Aug 2013 10:08:34 -0700 +Subject: xhci-plat: Don't enable legacy PCI interrupts. + +From: Sarah Sharp + +commit 52fb61250a7a132b0cfb9f4a1060a1f3c49e5a25 upstream. + +The xHCI platform driver calls into usb_add_hcd to register the irq for +its platform device. It does not want the xHCI generic driver to +register an interrupt for it at all. The original code did that by +setting the XHCI_BROKEN_MSI quirk, which tells the xHCI driver to not +enable MSI or MSI-X for a PCI host. + +Unfortunately, if CONFIG_PCI is enabled, and CONFIG_USB_DW3 is enabled, +the xHCI generic driver will attempt to register a legacy PCI interrupt +for the xHCI platform device in xhci_try_enable_msi(). This will result +in a bogus irq being registered, since the underlying device is a +platform_device, not a pci_device, and thus the pci_device->irq pointer +will be bogus. + +Add a new quirk, XHCI_PLAT, so that the xHCI generic driver can +distinguish between a PCI device that can't handle MSI or MSI-X, and a +platform device that should not have its interrupts touched at all. +This quirk may be useful in the future, in case other corner cases like +this arise. + +This patch should be backported to kernels as old as 3.9, that +contain the commit 00eed9c814cb8f281be6f0f5d8f45025dc0a97eb "USB: xhci: +correctly enable interrupts". + +Signed-off-by: Sarah Sharp +Reported-by: Yu Y Wang +Tested-by: Yu Y Wang +Reviewed-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-plat.c | 2 +- + drivers/usb/host/xhci.c | 7 ++++++- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -24,7 +24,7 @@ static void xhci_plat_quirks(struct devi + * here that the generic code does not try to make a pci_dev from our + * dev struct in order to setup MSI + */ +- xhci->quirks |= XHCI_BROKEN_MSI; ++ xhci->quirks |= XHCI_PLAT; + } + + /* called during probe() after chip reset completes */ +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -342,9 +342,14 @@ static void xhci_msix_sync_irqs(struct x + static int xhci_try_enable_msi(struct usb_hcd *hcd) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- struct pci_dev *pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller); ++ struct pci_dev *pdev; + int ret; + ++ /* The xhci platform device has set up IRQs through usb_add_hcd. */ ++ if (xhci->quirks & XHCI_PLAT) ++ return 0; ++ ++ pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller); + /* + * Some Fresco Logic host controllers advertise MSI, but fail to + * generate interrupts. Don't even try to enable MSI. +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1516,6 +1516,7 @@ struct xhci_hcd { + #define XHCI_SPURIOUS_REBOOT (1 << 13) + #define XHCI_COMP_MODE_QUIRK (1 << 14) + #define XHCI_AVOID_BEI (1 << 15) ++#define XHCI_PLAT (1 << 16) + unsigned int num_active_eps; + unsigned int limit_active_eps; + /* There are two roothubs to keep track of bus suspend info for */