From 81606454eabaad84c4bce2eaf38cef29f47c96cc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 29 Jul 2015 17:46:49 -0700 Subject: [PATCH] 3.10-stable patches added patches: af9013-don-t-accept-invalid-bandwidth.patch asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch ath9k-fix-dma-stop-sequence-for-ar9003.patch bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch libata-force-disable-trim-for-supersspeed-s238.patch libata-increase-the-timeout-when-setting-transfer-mode.patch s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch saa7164-fix-querycap-warning.patch staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch --- ...f9013-don-t-accept-invalid-bandwidth.patch | 35 ++++ ...ting-vmid-impedance-control-register.patch | 55 +++++ ...-fix-define-for-wm8903_vmid_res_250k.patch | 40 ++++ ...-register-for-wm8955_k_8_0_mask-bits.patch | 32 +++ ...f-dac-polarity-should-be-wm8960_enum.patch | 31 +++ ...h9k-fix-dma-stop-sequence-for-ar9003.patch | 42 ++++ ...x-memory-leak-in-intel-setup-routine.patch | 31 +++ ...rflow-when-checking-userspace-params.patch | 44 ++++ ...n-migrating-to-non-extent-based-file.patch | 91 ++++++++ ...-before-invalidate_bdev-in-put_super.patch | 36 ++++ ...-a-file-with-a-hole-at-the-beginning.patch | 76 +++++++ ...-on-bigalloc-fs-with-non-extent-file.patch | 35 ++++ ...cate-and-__ext4_journalled_writepage.patch | 133 ++++++++++++ ...se-on-invalidatepage-for-delalloc-fs.patch | 128 ++++++++++++ ...ofail-allocation-in-ext4_free_blocks.patch | 49 +++++ ...dition-when-using-the-dma-controller.patch | 184 ++++++++++++++++ ...i-fix-bit-shift-of-output-data-value.patch | 43 ++++ ...en-updating-journal-superblock-fails.patch | 197 ++++++++++++++++++ ...fp_nofs-in-jbd2_cleanup_journal_tail.patch | 66 ++++++ ...k-for-hp-250gb-sata-disk-vb0250eaver.patch | 40 ++++ ...ce-disable-trim-for-supersspeed-s238.patch | 33 +++ ...e-timeout-when-setting-transfer-mode.patch | 37 ++++ ...rflow-when-checking-userspace-params.patch | 31 +++ queue-3.10/saa7164-fix-querycap-warning.patch | 65 ++++++ queue-3.10/series | 25 +++ ...-buffer-overrun-in-recvbuf2recvframe.patch | 35 ++++ 26 files changed, 1614 insertions(+) create mode 100644 queue-3.10/af9013-don-t-accept-invalid-bandwidth.patch create mode 100644 queue-3.10/asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch create mode 100644 queue-3.10/asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch create mode 100644 queue-3.10/asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch create mode 100644 queue-3.10/asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch create mode 100644 queue-3.10/ath9k-fix-dma-stop-sequence-for-ar9003.patch create mode 100644 queue-3.10/bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch create mode 100644 queue-3.10/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch create mode 100644 queue-3.10/ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch create mode 100644 queue-3.10/ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch create mode 100644 queue-3.10/ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch create mode 100644 queue-3.10/ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch create mode 100644 queue-3.10/ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch create mode 100644 queue-3.10/ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch create mode 100644 queue-3.10/ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch create mode 100644 queue-3.10/i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch create mode 100644 queue-3.10/iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch create mode 100644 queue-3.10/jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch create mode 100644 queue-3.10/jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch create mode 100644 queue-3.10/libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch create mode 100644 queue-3.10/libata-force-disable-trim-for-supersspeed-s238.patch create mode 100644 queue-3.10/libata-increase-the-timeout-when-setting-transfer-mode.patch create mode 100644 queue-3.10/s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch create mode 100644 queue-3.10/saa7164-fix-querycap-warning.patch create mode 100644 queue-3.10/staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch diff --git a/queue-3.10/af9013-don-t-accept-invalid-bandwidth.patch b/queue-3.10/af9013-don-t-accept-invalid-bandwidth.patch new file mode 100644 index 00000000000..3c8baa2096d --- /dev/null +++ b/queue-3.10/af9013-don-t-accept-invalid-bandwidth.patch @@ -0,0 +1,35 @@ +From d7b76c91f471413de9ded837bddeca2164786571 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 28 Apr 2015 19:02:19 -0300 +Subject: [media] af9013: Don't accept invalid bandwidth + +From: Mauro Carvalho Chehab + +commit d7b76c91f471413de9ded837bddeca2164786571 upstream. + +If userspace sends an invalid bandwidth, it should either return +EINVAL or switch to auto mode. + +This driver will go past an array and program the hardware on a +wrong way if this happens. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/af9013.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/dvb-frontends/af9013.c ++++ b/drivers/media/dvb-frontends/af9013.c +@@ -606,6 +606,10 @@ static int af9013_set_frontend(struct dv + } + } + ++ /* Return an error if can't find bandwidth or the right clock */ ++ if (i == ARRAY_SIZE(coeff_lut)) ++ return -EINVAL; ++ + ret = af9013_wr_regs(state, 0xae00, coeff_lut[i].val, + sizeof(coeff_lut[i].val)); + } diff --git a/queue-3.10/asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch b/queue-3.10/asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch new file mode 100644 index 00000000000..ce9eb934dfc --- /dev/null +++ b/queue-3.10/asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch @@ -0,0 +1,55 @@ +From 14ba3ec1de043260cecd9e828ea2e3a0ad302893 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Sun, 10 May 2015 11:35:06 +0800 +Subject: ASoC: wm8737: Fixup setting VMID Impedance control register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Axel Lin + +commit 14ba3ec1de043260cecd9e828ea2e3a0ad302893 upstream. + +According to the datasheet: +R10 (0Ah) VMID Impedance Control + +BIT 3:2 VMIDSEL DEFAULT 00 + +DESCRIPTION: VMID impedance selection control +00: 75kΩ output +01: 300kΩ output +10: 2.5kΩ output + +WM8737_VMIDSEL_MASK is 0xC (VMIDSEL - [3:2]), +so it needs to left shift WM8737_VMIDSEL_SHIFT bits for setting these bits. + +Signed-off-by: Axel Lin +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8737.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wm8737.c ++++ b/sound/soc/codecs/wm8737.c +@@ -494,7 +494,8 @@ static int wm8737_set_bias_level(struct + + /* Fast VMID ramp at 2*2.5k */ + snd_soc_update_bits(codec, WM8737_MISC_BIAS_CONTROL, +- WM8737_VMIDSEL_MASK, 0x4); ++ WM8737_VMIDSEL_MASK, ++ 2 << WM8737_VMIDSEL_SHIFT); + + /* Bring VMID up */ + snd_soc_update_bits(codec, WM8737_POWER_MANAGEMENT, +@@ -508,7 +509,8 @@ static int wm8737_set_bias_level(struct + + /* VMID at 2*300k */ + snd_soc_update_bits(codec, WM8737_MISC_BIAS_CONTROL, +- WM8737_VMIDSEL_MASK, 2); ++ WM8737_VMIDSEL_MASK, ++ 1 << WM8737_VMIDSEL_SHIFT); + + break; + diff --git a/queue-3.10/asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch b/queue-3.10/asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch new file mode 100644 index 00000000000..9bfacf18a69 --- /dev/null +++ b/queue-3.10/asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch @@ -0,0 +1,40 @@ +From ebb6ad73e645b8f2d098dd3c41d2ff0da4146a02 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Mon, 11 May 2015 09:04:06 +0800 +Subject: ASoC: wm8903: Fix define for WM8903_VMID_RES_250K +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Axel Lin + +commit ebb6ad73e645b8f2d098dd3c41d2ff0da4146a02 upstream. + +VMID Control 0 BIT[2:1] is VMID Divider Enable and Select + +00 = VMID disabled (for OFF mode) +01 = 2 x 50kΩ divider (for normal operation) +10 = 2 x 250kΩ divider (for low power standby) +11 = 2 x 5kΩ divider (for fast start-up) + +So WM8903_VMID_RES_250K should be 2 << 1, which is 4. + +Signed-off-by: Axel Lin +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8903.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm8903.h ++++ b/sound/soc/codecs/wm8903.h +@@ -172,7 +172,7 @@ extern int wm8903_mic_detect(struct snd_ + #define WM8903_VMID_BUF_ENA_WIDTH 1 /* VMID_BUF_ENA */ + + #define WM8903_VMID_RES_50K 2 +-#define WM8903_VMID_RES_250K 3 ++#define WM8903_VMID_RES_250K 4 + #define WM8903_VMID_RES_5K 6 + + /* diff --git a/queue-3.10/asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch b/queue-3.10/asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch new file mode 100644 index 00000000000..4dd447fc38f --- /dev/null +++ b/queue-3.10/asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch @@ -0,0 +1,32 @@ +From 12c350050538c7dc779c083b7342bfd20f74949c Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Fri, 15 May 2015 09:15:16 +0800 +Subject: ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits + +From: Axel Lin + +commit 12c350050538c7dc779c083b7342bfd20f74949c upstream. + +WM8955_K_8_0_MASK bits is controlled by WM8955_PLL_CONTROL_3 rather than +WM8955_PLL_CONTROL_2. + +Signed-off-by: Axel Lin +Acked-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8955.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm8955.c ++++ b/sound/soc/codecs/wm8955.c +@@ -298,7 +298,7 @@ static int wm8955_configure_clocking(str + snd_soc_update_bits(codec, WM8955_PLL_CONTROL_2, + WM8955_K_17_9_MASK, + (pll.k >> 9) & WM8955_K_17_9_MASK); +- snd_soc_update_bits(codec, WM8955_PLL_CONTROL_2, ++ snd_soc_update_bits(codec, WM8955_PLL_CONTROL_3, + WM8955_K_8_0_MASK, + pll.k & WM8955_K_8_0_MASK); + if (pll.k) diff --git a/queue-3.10/asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch b/queue-3.10/asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch new file mode 100644 index 00000000000..19611a2c877 --- /dev/null +++ b/queue-3.10/asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch @@ -0,0 +1,31 @@ +From a077e81ec61e07a7f86997d045109f06719fbffe Mon Sep 17 00:00:00 2001 +From: Zidan Wang +Date: Thu, 11 Jun 2015 19:14:36 +0800 +Subject: ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1] + +From: Zidan Wang + +commit a077e81ec61e07a7f86997d045109f06719fbffe upstream. + +the enum of "DAC Polarity" should be wm8960_enum[1]. + +Signed-off-by: Zidan Wang +Acked-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8960.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm8960.c ++++ b/sound/soc/codecs/wm8960.c +@@ -242,7 +242,7 @@ SOC_SINGLE("PCM Playback -6dB Switch", W + SOC_ENUM("ADC Polarity", wm8960_enum[0]), + SOC_SINGLE("ADC High Pass Filter Switch", WM8960_DACCTL1, 0, 1, 0), + +-SOC_ENUM("DAC Polarity", wm8960_enum[2]), ++SOC_ENUM("DAC Polarity", wm8960_enum[1]), + SOC_SINGLE_BOOL_EXT("DAC Deemphasis Switch", 0, + wm8960_get_deemph, wm8960_put_deemph), + diff --git a/queue-3.10/ath9k-fix-dma-stop-sequence-for-ar9003.patch b/queue-3.10/ath9k-fix-dma-stop-sequence-for-ar9003.patch new file mode 100644 index 00000000000..a67eb2fc169 --- /dev/null +++ b/queue-3.10/ath9k-fix-dma-stop-sequence-for-ar9003.patch @@ -0,0 +1,42 @@ +From 300f77c08ded96d33f492aaa02549103852f0c12 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 2 Jun 2015 10:38:32 +0200 +Subject: ath9k: fix DMA stop sequence for AR9003+ + +From: Felix Fietkau + +commit 300f77c08ded96d33f492aaa02549103852f0c12 upstream. + +AR93xx and newer needs to stop rx before tx to avoid getting the DMA +engine or MAC into a stuck state. +This should reduce/fix the occurence of "Failed to stop Tx DMA" logspam. + +Signed-off-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -195,11 +195,13 @@ static bool ath_prepare_reset(struct ath + ath9k_debug_samp_bb_mac(sc); + ath9k_hw_disable_interrupts(ah); + +- if (!ath_drain_all_txq(sc)) +- ret = false; +- +- if (!ath_stoprecv(sc)) +- ret = false; ++ if (AR_SREV_9300_20_OR_LATER(ah)) { ++ ret &= ath_stoprecv(sc); ++ ret &= ath_drain_all_txq(sc); ++ } else { ++ ret &= ath_drain_all_txq(sc); ++ ret &= ath_stoprecv(sc); ++ } + + return ret; + } diff --git a/queue-3.10/bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch b/queue-3.10/bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch new file mode 100644 index 00000000000..e08929bd15d --- /dev/null +++ b/queue-3.10/bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch @@ -0,0 +1,31 @@ +From ecffc80478cdce122f0ecb6a4e4f909132dd5c47 Mon Sep 17 00:00:00 2001 +From: Marcel Holtmann +Date: Sun, 7 Jun 2015 09:42:19 +0200 +Subject: Bluetooth: btusb: Fix memory leak in Intel setup routine + +From: Marcel Holtmann + +commit ecffc80478cdce122f0ecb6a4e4f909132dd5c47 upstream. + +The SKB returned from the Intel specific version information command is +missing a kfree_skb. + +Signed-off-by: Marcel Holtmann +Signed-off-by: Johan Hedberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1234,6 +1234,8 @@ static int btusb_setup_intel(struct hci_ + } + fw_ptr = fw->data; + ++ kfree_skb(skb); ++ + /* This Intel specific command enables the manufacturer mode of the + * controller. + * diff --git a/queue-3.10/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch b/queue-3.10/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch new file mode 100644 index 00000000000..65d0649e46c --- /dev/null +++ b/queue-3.10/cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch @@ -0,0 +1,44 @@ +From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 28 Apr 2015 18:51:17 -0300 +Subject: [media] cx24116: fix a buffer overflow when checking userspace params + +From: Mauro Carvalho Chehab + +commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream. + +The maximum size for a DiSEqC command is 6, according to the +userspace API. However, the code allows to write up much more values: + drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23 + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/cx24116.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/dvb-frontends/cx24116.c ++++ b/drivers/media/dvb-frontends/cx24116.c +@@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc + struct cx24116_state *state = fe->demodulator_priv; + int i, ret; + ++ /* Validate length */ ++ if (d->msg_len > sizeof(d->msg)) ++ return -EINVAL; ++ + /* Dump DiSEqC message */ + if (debug) { + printk(KERN_INFO "cx24116: %s(", __func__); +@@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc + printk(") toneburst=%d\n", toneburst); + } + +- /* Validate length */ +- if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS)) +- return -EINVAL; +- + /* DiSEqC message */ + for (i = 0; i < d->msg_len; i++) + state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i]; diff --git a/queue-3.10/ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch b/queue-3.10/ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch new file mode 100644 index 00000000000..9c762fcdb1b --- /dev/null +++ b/queue-3.10/ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch @@ -0,0 +1,91 @@ +From d6f123a9297496ad0b6335fe881504c4b5b2a5e5 Mon Sep 17 00:00:00 2001 +From: Eryu Guan +Date: Fri, 3 Jul 2015 23:56:50 -0400 +Subject: ext4: be more strict when migrating to non-extent based file + +From: Eryu Guan + +commit d6f123a9297496ad0b6335fe881504c4b5b2a5e5 upstream. + +Currently the check in ext4_ind_migrate() is not enough before doing the +real conversion: + +a) delayed allocated extents could bypass the check on eh->eh_entries + and eh->eh_depth + +This can be demonstrated by this script + + xfs_io -fc "pwrite 0 4k" -c "pwrite 8k 4k" /mnt/ext4/testfile + chattr -e /mnt/ext4/testfile + +where testfile has two extents but still be converted to non-extent +based file format. + +b) only extent length is checked but not the offset, which would result + in data lose (delalloc) or fs corruption (nodelalloc), because + non-extent based file only supports at most (12 + 2^10 + 2^20 + 2^30) + blocks + +This can be demostrated by + + xfs_io -fc "pwrite 5T 4k" /mnt/ext4/testfile + chattr -e /mnt/ext4/testfile + sync + +If delalloc is enabled, dmesg prints + EXT4-fs warning (device dm-4): ext4_block_to_path:105: block 1342177280 > max in inode 53 + EXT4-fs (dm-4): Delayed block allocation failed for inode 53 at logical offset 1342177280 with max blocks 1 with error 5 + EXT4-fs (dm-4): This should not happen!! Data will be lost + +If delalloc is disabled, e2fsck -nf shows corruption + Inode 53, i_size is 5497558142976, should be 4096. Fix? no + +Fix the two issues by + +a) forcing all delayed allocation blocks to be allocated before checking + eh->eh_depth and eh->eh_entries +b) limiting the last logical block of the extent is within direct map + +Signed-off-by: Eryu Guan +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/migrate.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -616,6 +616,7 @@ int ext4_ind_migrate(struct inode *inode + struct ext4_inode_info *ei = EXT4_I(inode); + struct ext4_extent *ex; + unsigned int i, len; ++ ext4_lblk_t end; + ext4_fsblk_t blk; + handle_t *handle; + int ret; +@@ -629,6 +630,14 @@ int ext4_ind_migrate(struct inode *inode + EXT4_FEATURE_RO_COMPAT_BIGALLOC)) + return -EOPNOTSUPP; + ++ /* ++ * In order to get correct extent info, force all delayed allocation ++ * blocks to be allocated, otherwise delayed allocation blocks may not ++ * be reflected and bypass the checks on extent header. ++ */ ++ if (test_opt(inode->i_sb, DELALLOC)) ++ ext4_alloc_da_blocks(inode); ++ + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1); + if (IS_ERR(handle)) + return PTR_ERR(handle); +@@ -650,7 +659,8 @@ int ext4_ind_migrate(struct inode *inode + else { + len = le16_to_cpu(ex->ee_len); + blk = ext4_ext_pblock(ex); +- if (len > EXT4_NDIR_BLOCKS) { ++ end = le32_to_cpu(ex->ee_block) + len - 1; ++ if (end >= EXT4_NDIR_BLOCKS) { + ret = -EOPNOTSUPP; + goto errout; + } diff --git a/queue-3.10/ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch b/queue-3.10/ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch new file mode 100644 index 00000000000..687ca95cb91 --- /dev/null +++ b/queue-3.10/ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch @@ -0,0 +1,36 @@ +From 89d96a6f8e6491f24fc8f99fd6ae66820e85c6c1 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 20 Jun 2015 22:50:33 -0400 +Subject: ext4: call sync_blockdev() before invalidate_bdev() in put_super() + +From: Theodore Ts'o + +commit 89d96a6f8e6491f24fc8f99fd6ae66820e85c6c1 upstream. + +Normally all of the buffers will have been forced out to disk before +we call invalidate_bdev(), but there will be some cases, where a file +system operation was aborted due to an ext4_error(), where there may +still be some dirty buffers in the buffer cache for the device. So +try to force them out to memory before calling invalidate_bdev(). + +This fixes a warning triggered by generic/081: + +WARNING: CPU: 1 PID: 3473 at /usr/projects/linux/ext4/fs/block_dev.c:56 __blkdev_put+0xb5/0x16f() + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -803,6 +803,7 @@ static void ext4_put_super(struct super_ + dump_orphan_list(sb, sbi); + J_ASSERT(list_empty(&sbi->s_orphan)); + ++ sync_blockdev(sb->s_bdev); + invalidate_bdev(sb->s_bdev); + if (sbi->journal_bdev && sbi->journal_bdev != sb->s_bdev) { + /* diff --git a/queue-3.10/ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch b/queue-3.10/ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch new file mode 100644 index 00000000000..e0ba9208ea8 --- /dev/null +++ b/queue-3.10/ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch @@ -0,0 +1,76 @@ +From 8974fec7d72e3e02752fe0f27b4c3719c78d9a15 Mon Sep 17 00:00:00 2001 +From: Eryu Guan +Date: Sat, 4 Jul 2015 00:03:44 -0400 +Subject: ext4: correctly migrate a file with a hole at the beginning + +From: Eryu Guan + +commit 8974fec7d72e3e02752fe0f27b4c3719c78d9a15 upstream. + +Currently ext4_ind_migrate() doesn't correctly handle a file which +contains a hole at the beginning of the file. This caused the migration +to be done incorrectly, and then if there is a subsequent following +delayed allocation write to the "hole", this would reclaim the same data +blocks again and results in fs corruption. + + # assmuing 4k block size ext4, with delalloc enabled + # skip the first block and write to the second block + xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/ext4/testfile + + # converting to indirect-mapped file, which would move the data blocks + # to the beginning of the file, but extent status cache still marks + # that region as a hole + chattr -e /mnt/ext4/testfile + + # delayed allocation writes to the "hole", reclaim the same data block + # again, results in i_blocks corruption + xfs_io -c "pwrite 0 4k" /mnt/ext4/testfile + umount /mnt/ext4 + e2fsck -nf /dev/sda6 + ... + Inode 53, i_blocks is 16, should be 8. Fix? no + ... + +Signed-off-by: Eryu Guan +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/migrate.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -616,7 +616,7 @@ int ext4_ind_migrate(struct inode *inode + struct ext4_inode_info *ei = EXT4_I(inode); + struct ext4_extent *ex; + unsigned int i, len; +- ext4_lblk_t end; ++ ext4_lblk_t start, end; + ext4_fsblk_t blk; + handle_t *handle; + int ret; +@@ -655,11 +655,12 @@ int ext4_ind_migrate(struct inode *inode + goto errout; + } + if (eh->eh_entries == 0) +- blk = len = 0; ++ blk = len = start = end = 0; + else { + len = le16_to_cpu(ex->ee_len); + blk = ext4_ext_pblock(ex); +- end = le32_to_cpu(ex->ee_block) + len - 1; ++ start = le32_to_cpu(ex->ee_block); ++ end = start + len - 1; + if (end >= EXT4_NDIR_BLOCKS) { + ret = -EOPNOTSUPP; + goto errout; +@@ -668,7 +669,7 @@ int ext4_ind_migrate(struct inode *inode + + ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS); + memset(ei->i_data, 0, sizeof(ei->i_data)); +- for (i=0; i < len; i++) ++ for (i = start; i <= end; i++) + ei->i_data[i] = cpu_to_le32(blk++); + ext4_mark_inode_dirty(handle, inode); + errout: diff --git a/queue-3.10/ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch b/queue-3.10/ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch new file mode 100644 index 00000000000..e7c7eea5382 --- /dev/null +++ b/queue-3.10/ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch @@ -0,0 +1,35 @@ +From 292db1bc6c105d86111e858859456bcb11f90f91 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Sun, 21 Jun 2015 21:10:51 -0400 +Subject: ext4: don't retry file block mapping on bigalloc fs with non-extent file + +From: "Darrick J. Wong" + +commit 292db1bc6c105d86111e858859456bcb11f90f91 upstream. + +ext4 isn't willing to map clusters to a non-extent file. Don't signal +this with an out of space error, since the FS will retry the +allocation (which didn't fail) forever. Instead, return EUCLEAN so +that the operation will fail immediately all the way back to userspace. + +(The fix is either to run e2fsck -E bmap2extent, or to chattr +e the file.) + +Signed-off-by: Darrick J. Wong +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/indirect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -577,7 +577,7 @@ int ext4_ind_map_blocks(handle_t *handle + EXT4_FEATURE_RO_COMPAT_BIGALLOC)) { + EXT4_ERROR_INODE(inode, "Can't allocate blocks for " + "non-extent mapped inodes with bigalloc"); +- return -ENOSPC; ++ return -EUCLEAN; + } + + goal = ext4_find_goal(inode, map->m_lblk, partial); diff --git a/queue-3.10/ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch b/queue-3.10/ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch new file mode 100644 index 00000000000..52f432057bf --- /dev/null +++ b/queue-3.10/ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch @@ -0,0 +1,133 @@ +From bdf96838aea6a265f2ae6cbcfb12a778c84a0b8e Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 Jun 2015 23:45:33 -0400 +Subject: ext4: fix race between truncate and __ext4_journalled_writepage() + +From: Theodore Ts'o + +commit bdf96838aea6a265f2ae6cbcfb12a778c84a0b8e upstream. + +The commit cf108bca465d: "ext4: Invert the locking order of page_lock +and transaction start" caused __ext4_journalled_writepage() to drop +the page lock before the page was written back, as part of changing +the locking order to jbd2_journal_start -> page_lock. However, this +introduced a potential race if there was a truncate racing with the +data=journalled writeback mode. + +Fix this by grabbing the page lock after starting the journal handle, +and then checking to see if page had gotten truncated out from under +us. + +This fixes a number of different warnings or BUG_ON's when running +xfstests generic/086 in data=journalled mode, including: + +jbd2_journal_dirty_metadata: vdc-8: bad jh for block 115643: transaction (ee3fe7 +c0, 164), jh->b_transaction ( (null), 0), jh->b_next_transaction ( (null), 0), jlist 0 + + - and - + +kernel BUG at /usr/projects/linux/ext4/fs/jbd2/transaction.c:2200! + ... +Call Trace: + [] ? __ext4_journalled_invalidatepage+0x117/0x117 + [] __ext4_journalled_invalidatepage+0x10f/0x117 + [] ? __ext4_journalled_invalidatepage+0x117/0x117 + [] ? lock_buffer+0x36/0x36 + [] ext4_journalled_invalidatepage+0xd/0x22 + [] do_invalidatepage+0x22/0x26 + [] truncate_inode_page+0x5b/0x85 + [] truncate_inode_pages_range+0x156/0x38c + [] truncate_inode_pages+0x11/0x15 + [] truncate_pagecache+0x55/0x71 + [] ext4_setattr+0x4a9/0x560 + [] ? current_kernel_time+0x10/0x44 + [] notify_change+0x1c7/0x2be + [] do_truncate+0x65/0x85 + [] ? file_ra_state_init+0x12/0x29 + + - and - + +WARNING: CPU: 1 PID: 1331 at /usr/projects/linux/ext4/fs/jbd2/transaction.c:1396 +irty_metadata+0x14a/0x1ae() + ... +Call Trace: + [] ? console_unlock+0x3a1/0x3ce + [] dump_stack+0x48/0x60 + [] warn_slowpath_common+0x89/0xa0 + [] ? jbd2_journal_dirty_metadata+0x14a/0x1ae + [] warn_slowpath_null+0x14/0x18 + [] jbd2_journal_dirty_metadata+0x14a/0x1ae + [] __ext4_handle_dirty_metadata+0xd4/0x19d + [] write_end_fn+0x40/0x53 + [] ext4_walk_page_buffers+0x4e/0x6a + [] ext4_writepage+0x354/0x3b8 + [] ? mpage_release_unused_pages+0xd4/0xd4 + [] ? wait_on_buffer+0x2c/0x2c + [] ? ext4_writepage+0x3b8/0x3b8 + [] __writepage+0x10/0x2e + [] write_cache_pages+0x22d/0x32c + [] ? ext4_writepage+0x3b8/0x3b8 + [] ext4_writepages+0x102/0x607 + [] ? sched_clock_local+0x10/0x10e + [] ? __lock_is_held+0x2e/0x44 + [] ? lock_is_held+0x43/0x51 + [] do_writepages+0x1c/0x29 + [] __writeback_single_inode+0xc3/0x545 + [] writeback_sb_inodes+0x21f/0x36d + ... + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2099,19 +2099,32 @@ static int __ext4_journalled_writepage(s + ext4_walk_page_buffers(handle, page_bufs, 0, len, + NULL, bget_one); + } +- /* As soon as we unlock the page, it can go away, but we have +- * references to buffers so we are safe */ ++ /* ++ * We need to release the page lock before we start the ++ * journal, so grab a reference so the page won't disappear ++ * out from under us. ++ */ ++ get_page(page); + unlock_page(page); + + handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, + ext4_writepage_trans_blocks(inode)); + if (IS_ERR(handle)) { + ret = PTR_ERR(handle); +- goto out; ++ put_page(page); ++ goto out_no_pagelock; + } +- + BUG_ON(!ext4_handle_valid(handle)); + ++ lock_page(page); ++ put_page(page); ++ if (page->mapping != mapping) { ++ /* The page got truncated from under us */ ++ ext4_journal_stop(handle); ++ ret = 0; ++ goto out; ++ } ++ + if (inline_data) { + ret = ext4_journal_get_write_access(handle, inode_bh); + +@@ -2136,6 +2149,8 @@ static int __ext4_journalled_writepage(s + NULL, bput_one); + ext4_set_inode_state(inode, EXT4_STATE_JDATA); + out: ++ unlock_page(page); ++out_no_pagelock: + brelse(inode_bh); + return ret; + } diff --git a/queue-3.10/ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch b/queue-3.10/ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch new file mode 100644 index 00000000000..d16dc9df49d --- /dev/null +++ b/queue-3.10/ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch @@ -0,0 +1,128 @@ +From 9705acd63b125dee8b15c705216d7186daea4625 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 3 Jul 2015 21:13:55 -0400 +Subject: ext4: fix reservation release on invalidatepage for delalloc fs + +From: Lukas Czerner + +commit 9705acd63b125dee8b15c705216d7186daea4625 upstream. + +On delalloc enabled file system on invalidatepage operation +in ext4_da_page_release_reservation() we want to clear the delayed +buffer and remove the extent covering the delayed buffer from the extent +status tree. + +However currently there is a bug where on the systems with page size > +block size we will always remove extents from the start of the page +regardless where the actual delayed buffers are positioned in the page. +This leads to the errors like this: + +EXT4-fs warning (device loop0): ext4_da_release_space:1225: +ext4_da_release_space: ino 13, to_free 1 with only 0 reserved data +blocks + +This however can cause data loss on writeback time if the file system is +in ENOSPC condition because we're releasing reservation for someones +else delayed buffer. + +Fix this by only removing extents that corresponds to the part of the +page we want to invalidate. + +This problem is reproducible by the following fio receipt (however I was +only able to reproduce it with fio-2.1 or older. + +[global] +bs=8k +iodepth=1024 +iodepth_batch=60 +randrepeat=1 +size=1m +directory=/mnt/test +numjobs=20 +[job1] +ioengine=sync +bs=1k +direct=1 +rw=randread +filename=file1:file2 +[job2] +ioengine=libaio +rw=randwrite +direct=1 +filename=file1:file2 +[job3] +bs=1k +ioengine=posixaio +rw=randwrite +direct=1 +filename=file1:file2 +[job5] +bs=1k +ioengine=sync +rw=randread +filename=file1:file2 +[job7] +ioengine=libaio +rw=randwrite +filename=file1:file2 +[job8] +ioengine=posixaio +rw=randwrite +filename=file1:file2 +[job10] +ioengine=mmap +rw=randwrite +bs=1k +filename=file1:file2 +[job11] +ioengine=mmap +rw=randwrite +direct=1 +filename=file1:file2 + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1412,7 +1412,7 @@ static void ext4_da_release_space(struct + static void ext4_da_page_release_reservation(struct page *page, + unsigned long offset) + { +- int to_release = 0; ++ int to_release = 0, contiguous_blks = 0; + struct buffer_head *head, *bh; + unsigned int curr_off = 0; + struct inode *inode = page->mapping->host; +@@ -1427,14 +1427,23 @@ static void ext4_da_page_release_reserva + + if ((offset <= curr_off) && (buffer_delay(bh))) { + to_release++; ++ contiguous_blks++; + clear_buffer_delay(bh); ++ } else if (contiguous_blks) { ++ lblk = page->index << ++ (PAGE_CACHE_SHIFT - inode->i_blkbits); ++ lblk += (curr_off >> inode->i_blkbits) - ++ contiguous_blks; ++ ext4_es_remove_extent(inode, lblk, contiguous_blks); ++ contiguous_blks = 0; + } + curr_off = next_off; + } while ((bh = bh->b_this_page) != head); + +- if (to_release) { ++ if (contiguous_blks) { + lblk = page->index << (PAGE_CACHE_SHIFT - inode->i_blkbits); +- ext4_es_remove_extent(inode, lblk, to_release); ++ lblk += (curr_off >> inode->i_blkbits) - contiguous_blks; ++ ext4_es_remove_extent(inode, lblk, contiguous_blks); + } + + /* If we have released all the blocks belonging to a cluster, then we diff --git a/queue-3.10/ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch b/queue-3.10/ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch new file mode 100644 index 00000000000..de0744bcc27 --- /dev/null +++ b/queue-3.10/ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch @@ -0,0 +1,49 @@ +From 7444a072c387a93ebee7066e8aee776954ab0e41 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Sun, 5 Jul 2015 12:33:44 -0400 +Subject: ext4: replace open coded nofail allocation in ext4_free_blocks() + +From: Michal Hocko + +commit 7444a072c387a93ebee7066e8aee776954ab0e41 upstream. + +ext4_free_blocks is looping around the allocation request and mimics +__GFP_NOFAIL behavior without any allocation fallback strategy. Let's +remove the open coded loop and replace it with __GFP_NOFAIL. Without the +flag the allocator has no way to find out never-fail requirement and +cannot help in any way. + +Signed-off-by: Michal Hocko +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/mballoc.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4764,18 +4764,12 @@ do_more: + /* + * blocks being freed are metadata. these blocks shouldn't + * be used until this transaction is committed ++ * ++ * We use __GFP_NOFAIL because ext4_free_blocks() is not allowed ++ * to fail. + */ +- retry: +- new_entry = kmem_cache_alloc(ext4_free_data_cachep, GFP_NOFS); +- if (!new_entry) { +- /* +- * We use a retry loop because +- * ext4_free_blocks() is not allowed to fail. +- */ +- cond_resched(); +- congestion_wait(BLK_RW_ASYNC, HZ/50); +- goto retry; +- } ++ new_entry = kmem_cache_alloc(ext4_free_data_cachep, ++ GFP_NOFS|__GFP_NOFAIL); + new_entry->efd_start_cluster = bit; + new_entry->efd_group = block_group; + new_entry->efd_count = count_clusters; diff --git a/queue-3.10/i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch b/queue-3.10/i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch new file mode 100644 index 00000000000..403962a9f95 --- /dev/null +++ b/queue-3.10/i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch @@ -0,0 +1,184 @@ +From 93563a6a71bb69dd324fc7354c60fb05f84aae6b Mon Sep 17 00:00:00 2001 +From: Cyrille Pitchen +Date: Tue, 9 Jun 2015 18:22:14 +0200 +Subject: i2c: at91: fix a race condition when using the DMA controller + +From: Cyrille Pitchen + +commit 93563a6a71bb69dd324fc7354c60fb05f84aae6b upstream. + +For TX transactions, the TXCOMP bit in the Status Register is cleared +when the first data is written into the Transmit Holding Register. + +In the lines from at91_do_twi_transfer(): +at91_twi_write_data_dma(dev); +at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP); + +the TXCOMP interrupt may be enabled before the DMA controller has +actually started to write into the THR. In such a case, the TXCOMP bit +is still set into the Status Register so the interrupt is triggered +immediately. The driver understands that a transaction completion has +occurred but this transaction hasn't started yet. Hence the TXCOMP +interrupt is no longer enabled by at91_do_twi_transfer() but instead +by at91_twi_write_data_dma_callback(). + +Also, the TXCOMP bit in the Status Register in not a clear on read flag +but a snapshot of the transmission state at the time the Status +Register is read. +When a NACK error is dectected by the I2C controller, the TXCOMP, NACK +and TXRDY bits are set together to 1 in the SR. If enabled, the TXCOMP +interrupt is triggered at the same time. Also setting the TXRDY to 1 +triggers the DMA controller to write the next data into the THR. Such +a write resets the TXCOMP bit to 0 in the SR. So depending on when the +interrupt handler reads the SR, it may fail to detect the NACK error +if it relies on the TXCOMP bit. The NACK bit and its interrupt should +be used instead. + +For RX transactions, the TXCOMP bit in the Status Register is cleared +when the START bit is set into the Control Register. However to unify +the management of the TXCOMP bit when the DMA controller is used, the +TXCOMP interrupt is now enabled by the DMA callbacks for both TX and +RX transfers. + +Signed-off-by: Cyrille Pitchen +Acked-by: Ludovic Desroches +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-at91.c | 70 +++++++++++++++++++++++++++++++----------- + 1 file changed, 53 insertions(+), 17 deletions(-) + +--- a/drivers/i2c/busses/i2c-at91.c ++++ b/drivers/i2c/busses/i2c-at91.c +@@ -63,6 +63,9 @@ + #define AT91_TWI_UNRE 0x0080 /* Underrun Error */ + #define AT91_TWI_NACK 0x0100 /* Not Acknowledged */ + ++#define AT91_TWI_INT_MASK \ ++ (AT91_TWI_TXCOMP | AT91_TWI_RXRDY | AT91_TWI_TXRDY | AT91_TWI_NACK) ++ + #define AT91_TWI_IER 0x0024 /* Interrupt Enable Register */ + #define AT91_TWI_IDR 0x0028 /* Interrupt Disable Register */ + #define AT91_TWI_IMR 0x002c /* Interrupt Mask Register */ +@@ -118,13 +121,12 @@ static void at91_twi_write(struct at91_t + + static void at91_disable_twi_interrupts(struct at91_twi_dev *dev) + { +- at91_twi_write(dev, AT91_TWI_IDR, +- AT91_TWI_TXCOMP | AT91_TWI_RXRDY | AT91_TWI_TXRDY); ++ at91_twi_write(dev, AT91_TWI_IDR, AT91_TWI_INT_MASK); + } + + static void at91_twi_irq_save(struct at91_twi_dev *dev) + { +- dev->imr = at91_twi_read(dev, AT91_TWI_IMR) & 0x7; ++ dev->imr = at91_twi_read(dev, AT91_TWI_IMR) & AT91_TWI_INT_MASK; + at91_disable_twi_interrupts(dev); + } + +@@ -214,6 +216,14 @@ static void at91_twi_write_data_dma_call + dma_unmap_single(dev->dev, sg_dma_address(&dev->dma.sg), + dev->buf_len, DMA_TO_DEVICE); + ++ /* ++ * When this callback is called, THR/TX FIFO is likely not to be empty ++ * yet. So we have to wait for TXCOMP or NACK bits to be set into the ++ * Status Register to be sure that the STOP bit has been sent and the ++ * transfer is completed. The NACK interrupt has already been enabled, ++ * we just have to enable TXCOMP one. ++ */ ++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP); + at91_twi_write(dev, AT91_TWI_CR, AT91_TWI_STOP); + } + +@@ -308,7 +318,7 @@ static void at91_twi_read_data_dma_callb + /* The last two bytes have to be read without using dma */ + dev->buf += dev->buf_len - 2; + dev->buf_len = 2; +- at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_RXRDY); ++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_RXRDY | AT91_TWI_TXCOMP); + } + + static void at91_twi_read_data_dma(struct at91_twi_dev *dev) +@@ -369,7 +379,7 @@ static irqreturn_t atmel_twi_interrupt(i + /* catch error flags */ + dev->transfer_status |= status; + +- if (irqstatus & AT91_TWI_TXCOMP) { ++ if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) { + at91_disable_twi_interrupts(dev); + complete(&dev->cmd_complete); + } +@@ -382,6 +392,34 @@ static int at91_do_twi_transfer(struct a + int ret; + bool has_unre_flag = dev->pdata->has_unre_flag; + ++ /* ++ * WARNING: the TXCOMP bit in the Status Register is NOT a clear on ++ * read flag but shows the state of the transmission at the time the ++ * Status Register is read. According to the programmer datasheet, ++ * TXCOMP is set when both holding register and internal shifter are ++ * empty and STOP condition has been sent. ++ * Consequently, we should enable NACK interrupt rather than TXCOMP to ++ * detect transmission failure. ++ * ++ * Besides, the TXCOMP bit is already set before the i2c transaction ++ * has been started. For read transactions, this bit is cleared when ++ * writing the START bit into the Control Register. So the ++ * corresponding interrupt can safely be enabled just after. ++ * However for write transactions managed by the CPU, we first write ++ * into THR, so TXCOMP is cleared. Then we can safely enable TXCOMP ++ * interrupt. If TXCOMP interrupt were enabled before writing into THR, ++ * the interrupt handler would be called immediately and the i2c command ++ * would be reported as completed. ++ * Also when a write transaction is managed by the DMA controller, ++ * enabling the TXCOMP interrupt in this function may lead to a race ++ * condition since we don't know whether the TXCOMP interrupt is enabled ++ * before or after the DMA has started to write into THR. So the TXCOMP ++ * interrupt is enabled later by at91_twi_write_data_dma_callback(). ++ * Immediately after in that DMA callback, we still need to send the ++ * STOP condition manually writing the corresponding bit into the ++ * Control Register. ++ */ ++ + dev_dbg(dev->dev, "transfer: %s %d bytes.\n", + (dev->msg->flags & I2C_M_RD) ? "read" : "write", dev->buf_len); + +@@ -412,26 +450,24 @@ static int at91_do_twi_transfer(struct a + * seems to be the best solution. + */ + if (dev->use_dma && (dev->buf_len > AT91_I2C_DMA_THRESHOLD)) { ++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_NACK); + at91_twi_read_data_dma(dev); +- /* +- * It is important to enable TXCOMP irq here because +- * doing it only when transferring the last two bytes +- * will mask NACK errors since TXCOMP is set when a +- * NACK occurs. +- */ +- at91_twi_write(dev, AT91_TWI_IER, +- AT91_TWI_TXCOMP); +- } else ++ } else { + at91_twi_write(dev, AT91_TWI_IER, +- AT91_TWI_TXCOMP | AT91_TWI_RXRDY); ++ AT91_TWI_TXCOMP | ++ AT91_TWI_NACK | ++ AT91_TWI_RXRDY); ++ } + } else { + if (dev->use_dma && (dev->buf_len > AT91_I2C_DMA_THRESHOLD)) { ++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_NACK); + at91_twi_write_data_dma(dev); +- at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP); + } else { + at91_twi_write_next_byte(dev); + at91_twi_write(dev, AT91_TWI_IER, +- AT91_TWI_TXCOMP | AT91_TWI_TXRDY); ++ AT91_TWI_TXCOMP | ++ AT91_TWI_NACK | ++ AT91_TWI_TXRDY); + } + } + diff --git a/queue-3.10/iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch b/queue-3.10/iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch new file mode 100644 index 00000000000..a372f620271 --- /dev/null +++ b/queue-3.10/iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch @@ -0,0 +1,43 @@ +From adfa969850ae93beca57f7527f0e4dc10cbe1309 Mon Sep 17 00:00:00 2001 +From: JM Friedt +Date: Fri, 19 Jun 2015 14:48:06 +0200 +Subject: iio: DAC: ad5624r_spi: fix bit shift of output data value + +From: JM Friedt + +commit adfa969850ae93beca57f7527f0e4dc10cbe1309 upstream. + +The value sent on the SPI bus is shifted by an erroneous number of bits. +The shift value was already computed in the iio_chan_spec structure and +hence subtracting this argument to 16 yields an erroneous data position +in the SPI stream. + +Signed-off-by: JM Friedt +Acked-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/dac/ad5624r_spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/dac/ad5624r_spi.c ++++ b/drivers/iio/dac/ad5624r_spi.c +@@ -22,7 +22,7 @@ + #include "ad5624r.h" + + static int ad5624r_spi_write(struct spi_device *spi, +- u8 cmd, u8 addr, u16 val, u8 len) ++ u8 cmd, u8 addr, u16 val, u8 shift) + { + u32 data; + u8 msg[3]; +@@ -35,7 +35,7 @@ static int ad5624r_spi_write(struct spi_ + * 14-, 12-bit input code followed by 0, 2, or 4 don't care bits, + * for the AD5664R, AD5644R, and AD5624R, respectively. + */ +- data = (0 << 22) | (cmd << 19) | (addr << 16) | (val << (16 - len)); ++ data = (0 << 22) | (cmd << 19) | (addr << 16) | (val << shift); + msg[0] = data >> 16; + msg[1] = data >> 8; + msg[2] = data; diff --git a/queue-3.10/jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch b/queue-3.10/jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch new file mode 100644 index 00000000000..e9386b83e90 --- /dev/null +++ b/queue-3.10/jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch @@ -0,0 +1,197 @@ +From 6f6a6fda294506dfe0e3e0a253bb2d2923f28f0a Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Mon, 15 Jun 2015 14:36:01 -0400 +Subject: jbd2: fix ocfs2 corrupt when updating journal superblock fails + +From: Joseph Qi + +commit 6f6a6fda294506dfe0e3e0a253bb2d2923f28f0a upstream. + +If updating journal superblock fails after journal data has been +flushed, the error is omitted and this will mislead the caller as a +normal case. In ocfs2, the checkpoint will be treated successfully +and the other node can get the lock to update. Since the sb_start is +still pointing to the old log block, it will rewrite the journal data +during journal recovery by the other node. Thus the new updates will +be overwritten and ocfs2 corrupts. So in above case we have to return +the error, and ocfs2_commit_cache will take care of the error and +prevent the other node to do update first. And only after recovering +journal it can do the new updates. + +The issue discussion mail can be found at: +https://oss.oracle.com/pipermail/ocfs2-devel/2015-June/010856.html +http://comments.gmane.org/gmane.comp.file-systems.ext4/48841 + +[ Fixed bug in patch which allowed a non-negative error return from + jbd2_cleanup_journal_tail() to leak out of jbd2_fjournal_flush(); this + was causing xfstests ext4/306 to fail. -- Ted ] + +Reported-by: Yiwen Jiang +Signed-off-by: Joseph Qi +Signed-off-by: Theodore Ts'o +Tested-by: Yiwen Jiang +Cc: Junxiao Bi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 5 ++--- + fs/jbd2/journal.c | 38 +++++++++++++++++++++++++++++++------- + include/linux/jbd2.h | 4 ++-- + 3 files changed, 35 insertions(+), 12 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -440,7 +440,7 @@ int jbd2_cleanup_journal_tail(journal_t + unsigned long blocknr; + + if (is_journal_aborted(journal)) +- return 1; ++ return -EIO; + + if (!jbd2_journal_get_log_tail(journal, &first_tid, &blocknr)) + return 1; +@@ -457,8 +457,7 @@ int jbd2_cleanup_journal_tail(journal_t + if (journal->j_flags & JBD2_BARRIER) + blkdev_issue_flush(journal->j_fs_dev, GFP_NOFS, NULL); + +- __jbd2_update_log_tail(journal, first_tid, blocknr); +- return 0; ++ return __jbd2_update_log_tail(journal, first_tid, blocknr); + } + + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -869,9 +869,10 @@ int jbd2_journal_get_log_tail(journal_t + * + * Requires j_checkpoint_mutex + */ +-void __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block) ++int __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block) + { + unsigned long freed; ++ int ret; + + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); + +@@ -881,7 +882,10 @@ void __jbd2_update_log_tail(journal_t *j + * space and if we lose sb update during power failure we'd replay + * old transaction with possibly newly overwritten data. + */ +- jbd2_journal_update_sb_log_tail(journal, tid, block, WRITE_FUA); ++ ret = jbd2_journal_update_sb_log_tail(journal, tid, block, WRITE_FUA); ++ if (ret) ++ goto out; ++ + write_lock(&journal->j_state_lock); + freed = block - journal->j_tail; + if (block < journal->j_tail) +@@ -897,6 +901,9 @@ void __jbd2_update_log_tail(journal_t *j + journal->j_tail_sequence = tid; + journal->j_tail = block; + write_unlock(&journal->j_state_lock); ++ ++out: ++ return ret; + } + + /* +@@ -1315,7 +1322,7 @@ static int journal_reset(journal_t *jour + return jbd2_journal_start_thread(journal); + } + +-static void jbd2_write_superblock(journal_t *journal, int write_op) ++static int jbd2_write_superblock(journal_t *journal, int write_op) + { + struct buffer_head *bh = journal->j_sb_buffer; + journal_superblock_t *sb = journal->j_superblock; +@@ -1354,7 +1361,10 @@ static void jbd2_write_superblock(journa + printk(KERN_ERR "JBD2: Error %d detected when updating " + "journal superblock for %s.\n", ret, + journal->j_devname); ++ jbd2_journal_abort(journal, ret); + } ++ ++ return ret; + } + + /** +@@ -1367,10 +1377,11 @@ static void jbd2_write_superblock(journa + * Update a journal's superblock information about log tail and write it to + * disk, waiting for the IO to complete. + */ +-void jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid, ++int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid, + unsigned long tail_block, int write_op) + { + journal_superblock_t *sb = journal->j_superblock; ++ int ret; + + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", +@@ -1379,13 +1390,18 @@ void jbd2_journal_update_sb_log_tail(jou + sb->s_sequence = cpu_to_be32(tail_tid); + sb->s_start = cpu_to_be32(tail_block); + +- jbd2_write_superblock(journal, write_op); ++ ret = jbd2_write_superblock(journal, write_op); ++ if (ret) ++ goto out; + + /* Log is no longer empty */ + write_lock(&journal->j_state_lock); + WARN_ON(!sb->s_sequence); + journal->j_flags &= ~JBD2_FLUSHED; + write_unlock(&journal->j_state_lock); ++ ++out: ++ return ret; + } + + /** +@@ -1922,7 +1938,14 @@ int jbd2_journal_flush(journal_t *journa + return -EIO; + + mutex_lock(&journal->j_checkpoint_mutex); +- jbd2_cleanup_journal_tail(journal); ++ if (!err) { ++ err = jbd2_cleanup_journal_tail(journal); ++ if (err < 0) { ++ mutex_unlock(&journal->j_checkpoint_mutex); ++ goto out; ++ } ++ err = 0; ++ } + + /* Finally, mark the journal as really needing no recovery. + * This sets s_start==0 in the underlying superblock, which is +@@ -1938,7 +1961,8 @@ int jbd2_journal_flush(journal_t *journa + J_ASSERT(journal->j_head == journal->j_tail); + J_ASSERT(journal->j_tail_sequence == journal->j_transaction_sequence); + write_unlock(&journal->j_state_lock); +- return 0; ++out: ++ return err; + } + + /** +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -997,7 +997,7 @@ extern struct journal_head * jbd2_journa + int jbd2_journal_next_log_block(journal_t *, unsigned long long *); + int jbd2_journal_get_log_tail(journal_t *journal, tid_t *tid, + unsigned long *block); +-void __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block); ++int __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block); + void jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block); + + /* Commit management */ +@@ -1116,7 +1116,7 @@ extern int jbd2_journal_recover (j + extern int jbd2_journal_wipe (journal_t *, int); + extern int jbd2_journal_skip_recovery (journal_t *); + extern void jbd2_journal_update_sb_errno(journal_t *); +-extern void jbd2_journal_update_sb_log_tail (journal_t *, tid_t, ++extern int jbd2_journal_update_sb_log_tail (journal_t *, tid_t, + unsigned long, int); + extern void __jbd2_journal_abort_hard (journal_t *); + extern void jbd2_journal_abort (journal_t *, int); diff --git a/queue-3.10/jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch b/queue-3.10/jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch new file mode 100644 index 00000000000..882d2207721 --- /dev/null +++ b/queue-3.10/jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch @@ -0,0 +1,66 @@ +From b4f1afcd068f6e533230dfed00782cd8a907f96b Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov +Date: Mon, 15 Jun 2015 00:18:02 -0400 +Subject: jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() + +From: Dmitry Monakhov + +commit b4f1afcd068f6e533230dfed00782cd8a907f96b upstream. + +jbd2_cleanup_journal_tail() can be invoked by jbd2__journal_start() +So allocations should be done with GFP_NOFS + +[Full stack trace snipped from 3.10-rh7] +[] dump_stack+0x19/0x1b +[] warn_slowpath_common+0x61/0x80 +[] warn_slowpath_null+0x1a/0x20 +[] slab_pre_alloc_hook.isra.31.part.32+0x15/0x17 +[] kmem_cache_alloc+0x55/0x210 +[] ? mempool_alloc_slab+0x15/0x20 +[] mempool_alloc_slab+0x15/0x20 +[] mempool_alloc+0x69/0x170 +[] ? _raw_spin_unlock_irq+0xe/0x20 +[] ? finish_task_switch+0x5d/0x150 +[] bio_alloc_bioset+0x1be/0x2e0 +[] blkdev_issue_flush+0x99/0x120 +[] jbd2_cleanup_journal_tail+0x93/0xa0 [jbd2] -->GFP_KERNEL +[] jbd2_log_do_checkpoint+0x221/0x4a0 [jbd2] +[] __jbd2_log_wait_for_space+0xa7/0x1e0 [jbd2] +[] start_this_handle+0x2d8/0x550 [jbd2] +[] ? __memcg_kmem_put_cache+0x29/0x30 +[] ? kmem_cache_alloc+0x130/0x210 +[] jbd2__journal_start+0xba/0x190 [jbd2] +[] ? lru_cache_add+0xe/0x10 +[] ? ext4_da_write_begin+0xf9/0x330 [ext4] +[] __ext4_journal_start_sb+0x77/0x160 [ext4] +[] ext4_da_write_begin+0xf9/0x330 [ext4] +[] generic_file_buffered_write_iter+0x10c/0x270 +[] __generic_file_write_iter+0x178/0x390 +[] __generic_file_aio_write+0x8b/0xb0 +[] generic_file_aio_write+0x5d/0xc0 +[] ext4_file_write+0xa9/0x450 [ext4] +[] ? pipe_read+0x379/0x4f0 +[] do_sync_write+0x90/0xe0 +[] vfs_write+0xbd/0x1e0 +[] SyS_write+0x58/0xb0 +[] system_call_fastpath+0x16/0x1b + +Signed-off-by: Dmitry Monakhov +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -455,7 +455,7 @@ int jbd2_cleanup_journal_tail(journal_t + * jbd2_cleanup_journal_tail() doesn't get called all that often. + */ + if (journal->j_flags & JBD2_BARRIER) +- blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL); ++ blkdev_issue_flush(journal->j_fs_dev, GFP_NOFS, NULL); + + __jbd2_update_log_tail(journal, first_tid, blocknr); + return 0; diff --git a/queue-3.10/libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch b/queue-3.10/libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch new file mode 100644 index 00000000000..12568f46c85 --- /dev/null +++ b/queue-3.10/libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch @@ -0,0 +1,40 @@ +From 08c85d2a599d967ede38a847f5594447b6100642 Mon Sep 17 00:00:00 2001 +From: Aleksei Mamlin +Date: Wed, 1 Jul 2015 13:48:30 +0300 +Subject: libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER + +From: Aleksei Mamlin + +commit 08c85d2a599d967ede38a847f5594447b6100642 upstream. + +Enabling AA on HP 250GB SATA disk VB0250EAVER causes errors: + +[ 3.788362] ata3.00: failed to enable AA (error_mask=0x1) +[ 3.789243] ata3.00: failed to enable AA (error_mask=0x1) + +Add the ATA_HORKAGE_BROKEN_FPDMA_AA for this specific harddisk. + +tj: Collected FPDMA_AA entries and updated comment. + +Signed-off-by: Aleksei Mamlin +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4150,9 +4150,10 @@ static const struct ata_blacklist_entry + { "ST3320[68]13AS", "SD1[5-9]", ATA_HORKAGE_NONCQ | + ATA_HORKAGE_FIRMWARE_WARN }, + +- /* Seagate Momentus SpinPoint M8 seem to have FPMDA_AA issues */ ++ /* drives which fail FPDMA_AA activation (some may freeze afterwards) */ + { "ST1000LM024 HN-M101MBB", "2AR10001", ATA_HORKAGE_BROKEN_FPDMA_AA }, + { "ST1000LM024 HN-M101MBB", "2BA30001", ATA_HORKAGE_BROKEN_FPDMA_AA }, ++ { "VB0250EAVER", "HPG7", ATA_HORKAGE_BROKEN_FPDMA_AA }, + + /* Blacklist entries taken from Silicon Image 3124/3132 + Windows driver .inf file - also several Linux problem reports */ diff --git a/queue-3.10/libata-force-disable-trim-for-supersspeed-s238.patch b/queue-3.10/libata-force-disable-trim-for-supersspeed-s238.patch new file mode 100644 index 00000000000..8c18a520ddc --- /dev/null +++ b/queue-3.10/libata-force-disable-trim-for-supersspeed-s238.patch @@ -0,0 +1,33 @@ +From cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc Mon Sep 17 00:00:00 2001 +From: Arne Fitzenreiter +Date: Wed, 15 Jul 2015 13:54:37 +0200 +Subject: libata: force disable trim for SuperSSpeed S238 + +From: Arne Fitzenreiter + +commit cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc upstream. + +This device loses blocks, often the partition table area, on trim. +Disable TRIM. +http://pcengines.ch/msata16a.htm + +Signed-off-by: Arne Fitzenreiter +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4201,6 +4201,9 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* devices that don't properly handle TRIM commands */ ++ { "SuperSSpeed S238*", NULL, ATA_HORKAGE_NOTRIM, }, ++ + /* + * Some WD SATA-I drives spin up and down erratically when the link + * is put into the slumber mode. We don't have full list of the diff --git a/queue-3.10/libata-increase-the-timeout-when-setting-transfer-mode.patch b/queue-3.10/libata-increase-the-timeout-when-setting-transfer-mode.patch new file mode 100644 index 00000000000..600e3b5ebe8 --- /dev/null +++ b/queue-3.10/libata-increase-the-timeout-when-setting-transfer-mode.patch @@ -0,0 +1,37 @@ +From d531be2ca2f27cca5f041b6a140504999144a617 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 8 Jul 2015 13:06:12 -0400 +Subject: libata: increase the timeout when setting transfer mode + +From: Mikulas Patocka + +commit d531be2ca2f27cca5f041b6a140504999144a617 upstream. + +I have a ST4000DM000 disk. If Linux is booted while the disk is spun down, +the command that sets transfer mode causes the disk to spin up. The +spin-up takes longer than the default 5s timeout, so the command fails and +timeout is reported. + +Fix this by increasing the timeout to 15s, which is enough for the disk to +spin up. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4505,7 +4505,8 @@ static unsigned int ata_dev_set_xfermode + else /* In the ancient relic department - skip all of this */ + return 0; + +- err_mask = ata_exec_internal(dev, &tf, NULL, DMA_NONE, NULL, 0, 0); ++ /* On some disks, this command causes spin-up, so we need longer timeout */ ++ err_mask = ata_exec_internal(dev, &tf, NULL, DMA_NONE, NULL, 0, 15000); + + DPRINTK("EXIT, err_mask=%x\n", err_mask); + return err_mask; diff --git a/queue-3.10/s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch b/queue-3.10/s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch new file mode 100644 index 00000000000..88375cea18e --- /dev/null +++ b/queue-3.10/s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch @@ -0,0 +1,31 @@ +From 12f4543f5d6811f864e6c4952eb27253c7466c02 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 28 Apr 2015 18:34:40 -0300 +Subject: [media] s5h1420: fix a buffer overflow when checking userspace params + +From: Mauro Carvalho Chehab + +commit 12f4543f5d6811f864e6c4952eb27253c7466c02 upstream. + +The maximum size for a DiSEqC command is 6, according to the +userspace API. However, the code allows to write up to 7 values: + drivers/media/dvb-frontends/s5h1420.c:193 s5h1420_send_master_cmd() error: buffer overflow 'cmd->msg' 6 <= 7 + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/s5h1420.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/s5h1420.c ++++ b/drivers/media/dvb-frontends/s5h1420.c +@@ -180,7 +180,7 @@ static int s5h1420_send_master_cmd (stru + int result = 0; + + dprintk("enter %s\n", __func__); +- if (cmd->msg_len > 8) ++ if (cmd->msg_len > sizeof(cmd->msg)) + return -EINVAL; + + /* setup for DISEQC */ diff --git a/queue-3.10/saa7164-fix-querycap-warning.patch b/queue-3.10/saa7164-fix-querycap-warning.patch new file mode 100644 index 00000000000..85844588223 --- /dev/null +++ b/queue-3.10/saa7164-fix-querycap-warning.patch @@ -0,0 +1,65 @@ +From 534bc3e2ee93835badca753bedce8073c67caa92 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 27 Mar 2015 15:17:56 -0300 +Subject: [media] saa7164: fix querycap warning + +From: Hans Verkuil + +commit 534bc3e2ee93835badca753bedce8073c67caa92 upstream. + +Fix the VIDIOC_QUERYCAP warning due to the missing device_caps. Don't fill +in the version field, the V4L2 core will do that for you. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/saa7164/saa7164-encoder.c | 11 ++++++----- + drivers/media/pci/saa7164/saa7164-vbi.c | 11 ++++++----- + 2 files changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/media/pci/saa7164/saa7164-encoder.c ++++ b/drivers/media/pci/saa7164/saa7164-encoder.c +@@ -711,13 +711,14 @@ static int vidioc_querycap(struct file * + sizeof(cap->card)); + sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci)); + +- cap->capabilities = ++ cap->device_caps = + V4L2_CAP_VIDEO_CAPTURE | +- V4L2_CAP_READWRITE | +- 0; ++ V4L2_CAP_READWRITE | ++ V4L2_CAP_TUNER; + +- cap->capabilities |= V4L2_CAP_TUNER; +- cap->version = 0; ++ cap->capabilities = cap->device_caps | ++ V4L2_CAP_VBI_CAPTURE | ++ V4L2_CAP_DEVICE_CAPS; + + return 0; + } +--- a/drivers/media/pci/saa7164/saa7164-vbi.c ++++ b/drivers/media/pci/saa7164/saa7164-vbi.c +@@ -650,13 +650,14 @@ static int vidioc_querycap(struct file * + sizeof(cap->card)); + sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci)); + +- cap->capabilities = ++ cap->device_caps = + V4L2_CAP_VBI_CAPTURE | +- V4L2_CAP_READWRITE | +- 0; ++ V4L2_CAP_READWRITE | ++ V4L2_CAP_TUNER; + +- cap->capabilities |= V4L2_CAP_TUNER; +- cap->version = 0; ++ cap->capabilities = cap->device_caps | ++ V4L2_CAP_VIDEO_CAPTURE | ++ V4L2_CAP_DEVICE_CAPS; + + return 0; + } diff --git a/queue-3.10/series b/queue-3.10/series index 675f41ca90c..6268af99d83 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -16,3 +16,28 @@ pinctrl-mvebu-armada-370-fix-spi0-pin-description.patch pinctrl-mvebu-armada-xp-remove-non-existing-nand-pins.patch pinctrl-mvebu-armada-xp-remove-non-existing-vdd-cpu_pd-functions.patch pinctrl-mvebu-armada-xp-fix-functions-of-mpp48.patch +bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch +ath9k-fix-dma-stop-sequence-for-ar9003.patch +staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch +ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch +ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch +ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch +ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch +ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch +ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch +ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch +jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch +jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch +i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch +iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch +af9013-don-t-accept-invalid-bandwidth.patch +saa7164-fix-querycap-warning.patch +s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch +cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch +asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch +asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch +asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch +asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch +libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch +libata-increase-the-timeout-when-setting-transfer-mode.patch +libata-force-disable-trim-for-supersspeed-s238.patch diff --git a/queue-3.10/staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch b/queue-3.10/staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch new file mode 100644 index 00000000000..aa3e5fa9b6c --- /dev/null +++ b/queue-3.10/staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch @@ -0,0 +1,35 @@ +From cab462140f8a183e3cca0b51c8b59ef715cb6148 Mon Sep 17 00:00:00 2001 +From: Haggai Eran +Date: Sat, 23 May 2015 23:13:51 +0300 +Subject: staging: rtl8712: prevent buffer overrun in recvbuf2recvframe + +From: Haggai Eran + +commit cab462140f8a183e3cca0b51c8b59ef715cb6148 upstream. + +With an RTL8191SU USB adaptor, sometimes the hints for a fragmented +packet are set, but the packet length is too large. Allocate enough +space to prevent memory corruption and a resulting kernel panic [1]. + +[1] http://www.spinics.net/lists/linux-wireless/msg136546.html + +Signed-off-by: Haggai Eran +ACKed-by: Larry Finger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/rtl8712_recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/rtl8712/rtl8712_recv.c ++++ b/drivers/staging/rtl8712/rtl8712_recv.c +@@ -1075,7 +1075,8 @@ static int recvbuf2recvframe(struct _ada + /* for first fragment packet, driver need allocate 1536 + + * drvinfo_sz + RXDESC_SIZE to defrag packet. */ + if ((mf == 1) && (frag == 0)) +- alloc_sz = 1658;/*1658+6=1664, 1664 is 128 alignment.*/ ++ /*1658+6=1664, 1664 is 128 alignment.*/ ++ alloc_sz = max_t(u16, tmp_len, 1658); + else + alloc_sz = tmp_len; + /* 2 is for IP header 4 bytes alignment in QoS packet case. -- 2.47.3