From 9b50f08f6f8f7ba5c8731723d5a37c6924c26a99 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 20 Mar 2014 17:04:44 -0700 Subject: [PATCH] 3.10-stable patches added patches: alsa-oxygen-modify-adjust_dg_dac_routing-function.patch arm-7864-1-handle-64-bit-memory-in-case-of-32-bit-phys_addr_t.patch arm-ignore-memory-below-phys_offset.patch bio-integrity-fix-bio_integrity_verify-segment-start-bug.patch fix-mountpoint-reference-leakage-in-linkat.patch iscsi-iser-target-fix-isert_conn-state-hung-shutdown-issues.patch iscsi-iser-target-use-list_del_init-for-i_conn_node.patch iser-target-fix-post_send_buf_count-for-rdma-read-write.patch iwlwifi-mvm-don-t-warn-when-statistics-are-handled-late.patch jiffies-avoid-undefined-behavior-from-signed-overflow.patch mips-include-linux-types.h.patch s390-dasd-hold-request-queue-sysfs-lock-when-calling-elevator_init.patch tick-make-oneshot-broadcast-robust-vs.-cpu-offlining.patch --- ...odify-adjust_dg_dac_routing-function.patch | 44 +++ ...memory-in-case-of-32-bit-phys_addr_t.patch | 67 +++++ .../arm-ignore-memory-below-phys_offset.patch | 45 +++ ...o_integrity_verify-segment-start-bug.patch | 47 +++ ...untpoint-reference-leakage-in-linkat.patch | 38 +++ ...sert_conn-state-hung-shutdown-issues.patch | 275 ++++++++++++++++++ ...et-use-list_del_init-for-i_conn_node.patch | 152 ++++++++++ ...t_send_buf_count-for-rdma-read-write.patch | 99 +++++++ ...arn-when-statistics-are-handled-late.patch | 42 +++ ...efined-behavior-from-signed-overflow.patch | 79 +++++ queue-3.10/mips-include-linux-types.h.patch | 39 +++ ...ysfs-lock-when-calling-elevator_init.patch | 46 +++ queue-3.10/series | 13 + ...t-broadcast-robust-vs.-cpu-offlining.patch | 82 ++++++ 14 files changed, 1068 insertions(+) create mode 100644 queue-3.10/alsa-oxygen-modify-adjust_dg_dac_routing-function.patch create mode 100644 queue-3.10/arm-7864-1-handle-64-bit-memory-in-case-of-32-bit-phys_addr_t.patch create mode 100644 queue-3.10/arm-ignore-memory-below-phys_offset.patch create mode 100644 queue-3.10/bio-integrity-fix-bio_integrity_verify-segment-start-bug.patch create mode 100644 queue-3.10/fix-mountpoint-reference-leakage-in-linkat.patch create mode 100644 queue-3.10/iscsi-iser-target-fix-isert_conn-state-hung-shutdown-issues.patch create mode 100644 queue-3.10/iscsi-iser-target-use-list_del_init-for-i_conn_node.patch create mode 100644 queue-3.10/iser-target-fix-post_send_buf_count-for-rdma-read-write.patch create mode 100644 queue-3.10/iwlwifi-mvm-don-t-warn-when-statistics-are-handled-late.patch create mode 100644 queue-3.10/jiffies-avoid-undefined-behavior-from-signed-overflow.patch create mode 100644 queue-3.10/mips-include-linux-types.h.patch create mode 100644 queue-3.10/s390-dasd-hold-request-queue-sysfs-lock-when-calling-elevator_init.patch create mode 100644 queue-3.10/tick-make-oneshot-broadcast-robust-vs.-cpu-offlining.patch diff --git a/queue-3.10/alsa-oxygen-modify-adjust_dg_dac_routing-function.patch b/queue-3.10/alsa-oxygen-modify-adjust_dg_dac_routing-function.patch new file mode 100644 index 00000000000..e54d3942ab9 --- /dev/null +++ b/queue-3.10/alsa-oxygen-modify-adjust_dg_dac_routing-function.patch @@ -0,0 +1,44 @@ +From 1f91ecc14deea9461aca93273d78871ec4d98fcd Mon Sep 17 00:00:00 2001 +From: Roman Volkov +Date: Fri, 24 Jan 2014 16:18:11 +0400 +Subject: ALSA: oxygen: modify adjust_dg_dac_routing function + +From: Roman Volkov + +commit 1f91ecc14deea9461aca93273d78871ec4d98fcd upstream. + +When selecting the audio output destinations (headphones, +FP headphones, multichannel output), the channel routing +should be changed depending on what destination selected. +Also unnecessary I2S channels are digitally muted. This +function called when the user selects the destination +in the ALSA mixer. + +Signed-off-by: Roman Volkov +Signed-off-by: Clemens Ladisch +Signed-off-by: Greg Kroah-Hartman + + +--- + sound/pci/oxygen/xonar_dg.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/pci/oxygen/xonar_dg.c ++++ b/sound/pci/oxygen/xonar_dg.c +@@ -294,6 +294,16 @@ static int output_switch_put(struct snd_ + oxygen_write16_masked(chip, OXYGEN_GPIO_DATA, + data->output_sel == 1 ? GPIO_HP_REAR : 0, + GPIO_HP_REAR); ++ oxygen_write8_masked(chip, OXYGEN_PLAY_ROUTING, ++ data->output_sel == 0 ? ++ OXYGEN_PLAY_MUTE01 : ++ OXYGEN_PLAY_MUTE23 | ++ OXYGEN_PLAY_MUTE45 | ++ OXYGEN_PLAY_MUTE67, ++ OXYGEN_PLAY_MUTE01 | ++ OXYGEN_PLAY_MUTE23 | ++ OXYGEN_PLAY_MUTE45 | ++ OXYGEN_PLAY_MUTE67); + } + mutex_unlock(&chip->mutex); + return changed; diff --git a/queue-3.10/arm-7864-1-handle-64-bit-memory-in-case-of-32-bit-phys_addr_t.patch b/queue-3.10/arm-7864-1-handle-64-bit-memory-in-case-of-32-bit-phys_addr_t.patch new file mode 100644 index 00000000000..0f4b50449b2 --- /dev/null +++ b/queue-3.10/arm-7864-1-handle-64-bit-memory-in-case-of-32-bit-phys_addr_t.patch @@ -0,0 +1,67 @@ +From 6d7d5da7d75c6df676c8b72d32b02ff024438f0c Mon Sep 17 00:00:00 2001 +From: Magnus Damm +Date: Tue, 22 Oct 2013 17:59:54 +0100 +Subject: ARM: 7864/1: Handle 64-bit memory in case of 32-bit phys_addr_t + +From: Magnus Damm + +commit 6d7d5da7d75c6df676c8b72d32b02ff024438f0c upstream. + +Use CONFIG_ARCH_PHYS_ADDR_T_64BIT to determine +if ignoring or truncating of memory banks is +neccessary. This may be needed in the case of +64-bit memory bank addresses but when phys_addr_t +is kept 32-bit. + +Signed-off-by: Magnus Damm +Signed-off-by: Russell King +Cc: Wang Nan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/setup.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/arm/kernel/setup.c ++++ b/arch/arm/kernel/setup.c +@@ -530,6 +530,7 @@ void __init dump_machine_table(void) + int __init arm_add_memory(phys_addr_t start, phys_addr_t size) + { + struct membank *bank = &meminfo.bank[meminfo.nr_banks]; ++ u64 aligned_start; + + if (meminfo.nr_banks >= NR_BANKS) { + printk(KERN_CRIT "NR_BANKS too low, " +@@ -542,10 +543,16 @@ int __init arm_add_memory(phys_addr_t st + * Size is appropriately rounded down, start is rounded up. + */ + size -= start & ~PAGE_MASK; +- bank->start = PAGE_ALIGN(start); ++ aligned_start = PAGE_ALIGN(start); + +-#ifndef CONFIG_ARM_LPAE +- if (bank->start + size < bank->start) { ++#ifndef CONFIG_ARCH_PHYS_ADDR_T_64BIT ++ if (aligned_start > ULONG_MAX) { ++ printk(KERN_CRIT "Ignoring memory at 0x%08llx outside " ++ "32-bit physical address space\n", (long long)start); ++ return -EINVAL; ++ } ++ ++ if (aligned_start + size > ULONG_MAX) { + printk(KERN_CRIT "Truncating memory at 0x%08llx to fit in " + "32-bit physical address space\n", (long long)start); + /* +@@ -553,10 +560,11 @@ int __init arm_add_memory(phys_addr_t st + * 32 bits, we use ULONG_MAX as the upper limit rather than 4GB. + * This means we lose a page after masking. + */ +- size = ULONG_MAX - bank->start; ++ size = ULONG_MAX - aligned_start; + } + #endif + ++ bank->start = aligned_start; + bank->size = size & ~(phys_addr_t)(PAGE_SIZE - 1); + + /* diff --git a/queue-3.10/arm-ignore-memory-below-phys_offset.patch b/queue-3.10/arm-ignore-memory-below-phys_offset.patch new file mode 100644 index 00000000000..a27d3c3603b --- /dev/null +++ b/queue-3.10/arm-ignore-memory-below-phys_offset.patch @@ -0,0 +1,45 @@ +From 571b14375019c3a66ef70d4d4a7083f4238aca30 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Sat, 11 Jan 2014 11:22:18 +0000 +Subject: ARM: ignore memory below PHYS_OFFSET + +From: Russell King + +commit 571b14375019c3a66ef70d4d4a7083f4238aca30 upstream. + +If the kernel is loaded higher in physical memory than normal, and we +calculate PHYS_OFFSET higher than the start of RAM, this leads to +boot problems as we attempt to map part of this RAM into userspace. +Rather than struggle with this, just truncate the mapping. + +Signed-off-by: Russell King +Cc: Wang Nan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/setup.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/arch/arm/kernel/setup.c ++++ b/arch/arm/kernel/setup.c +@@ -564,6 +564,20 @@ int __init arm_add_memory(phys_addr_t st + } + #endif + ++ if (aligned_start < PHYS_OFFSET) { ++ if (aligned_start + size <= PHYS_OFFSET) { ++ pr_info("Ignoring memory below PHYS_OFFSET: 0x%08llx-0x%08llx\n", ++ aligned_start, aligned_start + size); ++ return -EINVAL; ++ } ++ ++ pr_info("Ignoring memory below PHYS_OFFSET: 0x%08llx-0x%08llx\n", ++ aligned_start, (u64)PHYS_OFFSET); ++ ++ size -= PHYS_OFFSET - aligned_start; ++ aligned_start = PHYS_OFFSET; ++ } ++ + bank->start = aligned_start; + bank->size = size & ~(phys_addr_t)(PAGE_SIZE - 1); + diff --git a/queue-3.10/bio-integrity-fix-bio_integrity_verify-segment-start-bug.patch b/queue-3.10/bio-integrity-fix-bio_integrity_verify-segment-start-bug.patch new file mode 100644 index 00000000000..14aafe1ddd9 --- /dev/null +++ b/queue-3.10/bio-integrity-fix-bio_integrity_verify-segment-start-bug.patch @@ -0,0 +1,47 @@ +From 5837c80e870bc3b12ac6a98cdc9ce7a9522a8fb6 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Tue, 21 Jan 2014 20:32:05 -0800 +Subject: bio-integrity: Fix bio_integrity_verify segment start bug + +From: Nicholas Bellinger + +commit 5837c80e870bc3b12ac6a98cdc9ce7a9522a8fb6 upstream. + +This patch addresses a bug in bio_integrity_verify() code that has +been causing DIF READ verify operations to be silently skipped. + +The issue is that bio->bi_idx will have been incremented within +bio_advance() code in the normal blk_update_request() -> +req_bio_endio() completion path, and bio_integrity_verify() is +using bio_for_each_segment() which starts the bio segment walk +at the current bio->bi_idx. + +So instead use bio_for_each_segment_all() to always start the bio +segment walk from zero, regardless of the current bio->bi_idx +value after bio_advance() has been called. + +(Context change for v3.10.y -> v3.13.y code - nab) + +Cc: Martin K. Petersen +Cc: Jens Axboe +Cc: Christoph Hellwig +Signed-off-by: Nicholas Bellinger +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + + +--- + fs/bio-integrity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/bio-integrity.c ++++ b/fs/bio-integrity.c +@@ -458,7 +458,7 @@ static int bio_integrity_verify(struct b + bix.disk_name = bio->bi_bdev->bd_disk->disk_name; + bix.sector_size = bi->sector_size; + +- bio_for_each_segment(bv, bio, i) { ++ bio_for_each_segment_all(bv, bio, i) { + void *kaddr = kmap_atomic(bv->bv_page); + bix.data_buf = kaddr + bv->bv_offset; + bix.data_size = bv->bv_len; diff --git a/queue-3.10/fix-mountpoint-reference-leakage-in-linkat.patch b/queue-3.10/fix-mountpoint-reference-leakage-in-linkat.patch new file mode 100644 index 00000000000..a580a441929 --- /dev/null +++ b/queue-3.10/fix-mountpoint-reference-leakage-in-linkat.patch @@ -0,0 +1,38 @@ +From d22e6338db7f613dd4f6095c190682fcc519e4b7 Mon Sep 17 00:00:00 2001 +From: Oleg Drokin +Date: Fri, 31 Jan 2014 15:41:58 -0500 +Subject: Fix mountpoint reference leakage in linkat + +From: Oleg Drokin + +commit d22e6338db7f613dd4f6095c190682fcc519e4b7 upstream. + +Recent changes to retry on ESTALE in linkat +(commit 442e31ca5a49e398351b2954b51f578353fdf210) +introduced a mountpoint reference leak and a small memory +leak in case a filesystem link operation returns ESTALE +which is pretty normal for distributed filesystems like +lustre, nfs and so on. +Free old_path in such a case. + +[AV: there was another missing path_put() nearby - on the previous +goto retry] + +Signed-off-by: Oleg Drokin: +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3655,6 +3655,7 @@ retry: + out_dput: + done_path_create(&new_path, new_dentry); + if (retry_estale(error, how)) { ++ path_put(&old_path); + how |= LOOKUP_REVAL; + goto retry; + } diff --git a/queue-3.10/iscsi-iser-target-fix-isert_conn-state-hung-shutdown-issues.patch b/queue-3.10/iscsi-iser-target-fix-isert_conn-state-hung-shutdown-issues.patch new file mode 100644 index 00000000000..7ad9e96f044 --- /dev/null +++ b/queue-3.10/iscsi-iser-target-fix-isert_conn-state-hung-shutdown-issues.patch @@ -0,0 +1,275 @@ +From defd884845297fd5690594bfe89656b01f16d87e Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 3 Feb 2014 12:54:39 -0800 +Subject: iscsi/iser-target: Fix isert_conn->state hung shutdown issues + +From: Nicholas Bellinger + +commit defd884845297fd5690594bfe89656b01f16d87e upstream. + +This patch addresses a couple of different hug shutdown issues +related to wait_event() + isert_conn->state. First, it changes +isert_conn->conn_wait + isert_conn->conn_wait_comp_err from +waitqueues to completions, and sets ISER_CONN_TERMINATING from +within isert_disconnect_work(). + +Second, it splits isert_free_conn() into isert_wait_conn() that +is called earlier in iscsit_close_connection() to ensure that +all outstanding commands have completed before continuing. + +Finally, it breaks isert_cq_comp_err() into seperate TX / RX +related code, and adds logic in isert_cq_rx_comp_err() to wait +for outstanding commands to complete before setting ISER_CONN_DOWN +and calling complete(&isert_conn->conn_wait_comp_err). + +Acked-by: Sagi Grimberg +Cc: Or Gerlitz +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 104 ++++++++++++++------------------ + drivers/infiniband/ulp/isert/ib_isert.h | 4 - + drivers/target/iscsi/iscsi_target.c | 4 + + include/target/iscsi/iscsi_transport.h | 1 + 4 files changed, 53 insertions(+), 60 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -392,8 +392,8 @@ isert_connect_request(struct rdma_cm_id + isert_conn->state = ISER_CONN_INIT; + INIT_LIST_HEAD(&isert_conn->conn_accept_node); + init_completion(&isert_conn->conn_login_comp); +- init_waitqueue_head(&isert_conn->conn_wait); +- init_waitqueue_head(&isert_conn->conn_wait_comp_err); ++ init_completion(&isert_conn->conn_wait); ++ init_completion(&isert_conn->conn_wait_comp_err); + kref_init(&isert_conn->conn_kref); + kref_get(&isert_conn->conn_kref); + mutex_init(&isert_conn->conn_mutex); +@@ -550,11 +550,11 @@ isert_disconnect_work(struct work_struct + + pr_debug("isert_disconnect_work(): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); + mutex_lock(&isert_conn->conn_mutex); +- isert_conn->state = ISER_CONN_DOWN; ++ if (isert_conn->state == ISER_CONN_UP) ++ isert_conn->state = ISER_CONN_TERMINATING; + + if (isert_conn->post_recv_buf_count == 0 && + atomic_read(&isert_conn->post_send_buf_count) == 0) { +- pr_debug("Calling wake_up(&isert_conn->conn_wait);\n"); + mutex_unlock(&isert_conn->conn_mutex); + goto wake_up; + } +@@ -574,7 +574,7 @@ isert_disconnect_work(struct work_struct + mutex_unlock(&isert_conn->conn_mutex); + + wake_up: +- wake_up(&isert_conn->conn_wait); ++ complete(&isert_conn->conn_wait); + isert_put_conn(isert_conn); + } + +@@ -1348,7 +1348,7 @@ isert_do_control_comp(struct work_struct + pr_debug("Calling iscsit_logout_post_handler >>>>>>>>>>>>>>\n"); + /* + * Call atomic_dec(&isert_conn->post_send_buf_count) +- * from isert_free_conn() ++ * from isert_wait_conn() + */ + isert_conn->logout_posted = true; + iscsit_logout_post_handler(cmd, cmd->conn); +@@ -1426,31 +1426,38 @@ isert_send_completion(struct iser_tx_des + } + + static void +-isert_cq_comp_err(struct iser_tx_desc *tx_desc, struct isert_conn *isert_conn) ++isert_cq_tx_comp_err(struct iser_tx_desc *tx_desc, struct isert_conn *isert_conn) + { + struct ib_device *ib_dev = isert_conn->conn_cm_id->device; ++ struct isert_cmd *isert_cmd = tx_desc->isert_cmd; + +- if (tx_desc) { +- struct isert_cmd *isert_cmd = tx_desc->isert_cmd; ++ if (!isert_cmd) ++ isert_unmap_tx_desc(tx_desc, ib_dev); ++ else ++ isert_completion_put(tx_desc, isert_cmd, ib_dev); ++} + +- if (!isert_cmd) +- isert_unmap_tx_desc(tx_desc, ib_dev); +- else +- isert_completion_put(tx_desc, isert_cmd, ib_dev); ++static void ++isert_cq_rx_comp_err(struct isert_conn *isert_conn) ++{ ++ struct iscsi_conn *conn = isert_conn->conn; ++ ++ if (isert_conn->post_recv_buf_count) ++ return; ++ ++ if (conn->sess) { ++ target_sess_cmd_list_set_waiting(conn->sess->se_sess); ++ target_wait_for_sess_cmds(conn->sess->se_sess); + } + +- if (isert_conn->post_recv_buf_count == 0 && +- atomic_read(&isert_conn->post_send_buf_count) == 0) { +- pr_debug("isert_cq_comp_err >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); +- pr_debug("Calling wake_up from isert_cq_comp_err\n"); ++ while (atomic_read(&isert_conn->post_send_buf_count)) ++ msleep(3000); + +- mutex_lock(&isert_conn->conn_mutex); +- if (isert_conn->state != ISER_CONN_DOWN) +- isert_conn->state = ISER_CONN_TERMINATING; +- mutex_unlock(&isert_conn->conn_mutex); ++ mutex_lock(&isert_conn->conn_mutex); ++ isert_conn->state = ISER_CONN_DOWN; ++ mutex_unlock(&isert_conn->conn_mutex); + +- wake_up(&isert_conn->conn_wait_comp_err); +- } ++ complete(&isert_conn->conn_wait_comp_err); + } + + static void +@@ -1475,7 +1482,7 @@ isert_cq_tx_work(struct work_struct *wor + pr_debug("TX wc.status != IB_WC_SUCCESS >>>>>>>>>>>>>>\n"); + pr_debug("TX wc.status: 0x%08x\n", wc.status); + atomic_dec(&isert_conn->post_send_buf_count); +- isert_cq_comp_err(tx_desc, isert_conn); ++ isert_cq_tx_comp_err(tx_desc, isert_conn); + } + } + +@@ -1517,7 +1524,7 @@ isert_cq_rx_work(struct work_struct *wor + pr_debug("RX wc.status: 0x%08x\n", wc.status); + + isert_conn->post_recv_buf_count--; +- isert_cq_comp_err(NULL, isert_conn); ++ isert_cq_rx_comp_err(isert_conn); + } + } + +@@ -2218,22 +2225,11 @@ isert_free_np(struct iscsi_np *np) + kfree(isert_np); + } + +-static int isert_check_state(struct isert_conn *isert_conn, int state) +-{ +- int ret; +- +- mutex_lock(&isert_conn->conn_mutex); +- ret = (isert_conn->state == state); +- mutex_unlock(&isert_conn->conn_mutex); +- +- return ret; +-} +- +-static void isert_free_conn(struct iscsi_conn *conn) ++static void isert_wait_conn(struct iscsi_conn *conn) + { + struct isert_conn *isert_conn = conn->context; + +- pr_debug("isert_free_conn: Starting \n"); ++ pr_debug("isert_wait_conn: Starting \n"); + /* + * Decrement post_send_buf_count for special case when called + * from isert_do_control_comp() -> iscsit_logout_post_handler() +@@ -2243,38 +2239,29 @@ static void isert_free_conn(struct iscsi + atomic_dec(&isert_conn->post_send_buf_count); + + if (isert_conn->conn_cm_id && isert_conn->state != ISER_CONN_DOWN) { +- pr_debug("Calling rdma_disconnect from isert_free_conn\n"); ++ pr_debug("Calling rdma_disconnect from isert_wait_conn\n"); + rdma_disconnect(isert_conn->conn_cm_id); + } + /* + * Only wait for conn_wait_comp_err if the isert_conn made it + * into full feature phase.. + */ +- if (isert_conn->state == ISER_CONN_UP) { +- pr_debug("isert_free_conn: Before wait_event comp_err %d\n", +- isert_conn->state); +- mutex_unlock(&isert_conn->conn_mutex); +- +- wait_event(isert_conn->conn_wait_comp_err, +- (isert_check_state(isert_conn, ISER_CONN_TERMINATING))); +- +- wait_event(isert_conn->conn_wait, +- (isert_check_state(isert_conn, ISER_CONN_DOWN))); +- +- isert_put_conn(isert_conn); +- return; +- } + if (isert_conn->state == ISER_CONN_INIT) { + mutex_unlock(&isert_conn->conn_mutex); +- isert_put_conn(isert_conn); + return; + } +- pr_debug("isert_free_conn: wait_event conn_wait %d\n", +- isert_conn->state); ++ if (isert_conn->state == ISER_CONN_UP) ++ isert_conn->state = ISER_CONN_TERMINATING; + mutex_unlock(&isert_conn->conn_mutex); + +- wait_event(isert_conn->conn_wait, +- (isert_check_state(isert_conn, ISER_CONN_DOWN))); ++ wait_for_completion(&isert_conn->conn_wait_comp_err); ++ ++ wait_for_completion(&isert_conn->conn_wait); ++} ++ ++static void isert_free_conn(struct iscsi_conn *conn) ++{ ++ struct isert_conn *isert_conn = conn->context; + + isert_put_conn(isert_conn); + } +@@ -2286,6 +2273,7 @@ static struct iscsit_transport iser_targ + .iscsit_setup_np = isert_setup_np, + .iscsit_accept_np = isert_accept_np, + .iscsit_free_np = isert_free_np, ++ .iscsit_wait_conn = isert_wait_conn, + .iscsit_free_conn = isert_free_conn, + .iscsit_alloc_cmd = isert_alloc_cmd, + .iscsit_get_login_rx = isert_get_login_rx, +--- a/drivers/infiniband/ulp/isert/ib_isert.h ++++ b/drivers/infiniband/ulp/isert/ib_isert.h +@@ -103,8 +103,8 @@ struct isert_conn { + struct isert_device *conn_device; + struct work_struct conn_logout_work; + struct mutex conn_mutex; +- wait_queue_head_t conn_wait; +- wait_queue_head_t conn_wait_comp_err; ++ struct completion conn_wait; ++ struct completion conn_wait_comp_err; + struct kref conn_kref; + }; + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4144,6 +4144,10 @@ int iscsit_close_connection( + iscsit_stop_timers_for_cmds(conn); + iscsit_stop_nopin_response_timer(conn); + iscsit_stop_nopin_timer(conn); ++ ++ if (conn->conn_transport->iscsit_wait_conn) ++ conn->conn_transport->iscsit_wait_conn(conn); ++ + iscsit_free_queue_reqs_for_conn(conn); + + /* +--- a/include/target/iscsi/iscsi_transport.h ++++ b/include/target/iscsi/iscsi_transport.h +@@ -11,6 +11,7 @@ struct iscsit_transport { + int (*iscsit_setup_np)(struct iscsi_np *, struct __kernel_sockaddr_storage *); + int (*iscsit_accept_np)(struct iscsi_np *, struct iscsi_conn *); + void (*iscsit_free_np)(struct iscsi_np *); ++ void (*iscsit_wait_conn)(struct iscsi_conn *); + void (*iscsit_free_conn)(struct iscsi_conn *); + struct iscsi_cmd *(*iscsit_alloc_cmd)(struct iscsi_conn *, gfp_t); + int (*iscsit_get_login_rx)(struct iscsi_conn *, struct iscsi_login *); diff --git a/queue-3.10/iscsi-iser-target-use-list_del_init-for-i_conn_node.patch b/queue-3.10/iscsi-iser-target-use-list_del_init-for-i_conn_node.patch new file mode 100644 index 00000000000..5291f4c57ef --- /dev/null +++ b/queue-3.10/iscsi-iser-target-use-list_del_init-for-i_conn_node.patch @@ -0,0 +1,152 @@ +From 5159d763f60af693a3fcec45dce2021f66e528a4 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 3 Feb 2014 12:53:51 -0800 +Subject: iscsi/iser-target: Use list_del_init for ->i_conn_node + +From: Nicholas Bellinger + +commit 5159d763f60af693a3fcec45dce2021f66e528a4 upstream. + +There are a handful of uses of list_empty() for cmd->i_conn_node +within iser-target code that expect to return false once a cmd +has been removed from the per connect list. + +This patch changes all uses of list_del -> list_del_init in order +to ensure that list_empty() returns false as expected. + +Acked-by: Sagi Grimberg +Cc: Or Gerlitz +Cc: #3.10+ +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 6 +++--- + drivers/target/iscsi/iscsi_target.c | 4 ++-- + drivers/target/iscsi/iscsi_target_erl2.c | 16 ++++++++-------- + 3 files changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -1213,7 +1213,7 @@ isert_put_cmd(struct isert_cmd *isert_cm + case ISCSI_OP_SCSI_CMD: + spin_lock_bh(&conn->cmd_lock); + if (!list_empty(&cmd->i_conn_node)) +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + + if (cmd->data_direction == DMA_TO_DEVICE) +@@ -1225,7 +1225,7 @@ isert_put_cmd(struct isert_cmd *isert_cm + case ISCSI_OP_SCSI_TMFUNC: + spin_lock_bh(&conn->cmd_lock); + if (!list_empty(&cmd->i_conn_node)) +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + + transport_generic_free_cmd(&cmd->se_cmd, 0); +@@ -1234,7 +1234,7 @@ isert_put_cmd(struct isert_cmd *isert_cm + case ISCSI_OP_NOOP_OUT: + spin_lock_bh(&conn->cmd_lock); + if (!list_empty(&cmd->i_conn_node)) +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + + /* +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -3653,7 +3653,7 @@ iscsit_immediate_queue(struct iscsi_conn + break; + case ISTATE_REMOVE: + spin_lock_bh(&conn->cmd_lock); +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + + iscsit_free_cmd(cmd, false); +@@ -4099,7 +4099,7 @@ static void iscsit_release_commands_from + spin_lock_bh(&conn->cmd_lock); + list_for_each_entry_safe(cmd, cmd_tmp, &conn->conn_cmd_list, i_conn_node) { + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + + iscsit_increment_maxcmdsn(cmd, sess); +--- a/drivers/target/iscsi/iscsi_target_erl2.c ++++ b/drivers/target/iscsi/iscsi_target_erl2.c +@@ -140,7 +140,7 @@ void iscsit_free_connection_recovery_ent + list_for_each_entry_safe(cmd, cmd_tmp, + &cr->conn_recovery_cmd_list, i_conn_node) { + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + cmd->conn = NULL; + spin_unlock(&cr->conn_recovery_cmd_lock); + iscsit_free_cmd(cmd, true); +@@ -162,7 +162,7 @@ void iscsit_free_connection_recovery_ent + list_for_each_entry_safe(cmd, cmd_tmp, + &cr->conn_recovery_cmd_list, i_conn_node) { + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + cmd->conn = NULL; + spin_unlock(&cr->conn_recovery_cmd_lock); + iscsit_free_cmd(cmd, true); +@@ -218,7 +218,7 @@ int iscsit_remove_cmd_from_connection_re + } + cr = cmd->cr; + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + return --cr->cmd_count; + } + +@@ -299,7 +299,7 @@ int iscsit_discard_unacknowledged_ooo_cm + if (!(cmd->cmd_flags & ICF_OOO_CMDSN)) + continue; + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + + spin_unlock_bh(&conn->cmd_lock); + iscsit_free_cmd(cmd, true); +@@ -337,7 +337,7 @@ int iscsit_prepare_cmds_for_realligance( + /* + * Only perform connection recovery on ISCSI_OP_SCSI_CMD or + * ISCSI_OP_NOOP_OUT opcodes. For all other opcodes call +- * list_del(&cmd->i_conn_node); to release the command to the ++ * list_del_init(&cmd->i_conn_node); to release the command to the + * session pool and remove it from the connection's list. + * + * Also stop the DataOUT timer, which will be restarted after +@@ -353,7 +353,7 @@ int iscsit_prepare_cmds_for_realligance( + " CID: %hu\n", cmd->iscsi_opcode, + cmd->init_task_tag, cmd->cmd_sn, conn->cid); + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + iscsit_free_cmd(cmd, true); + spin_lock_bh(&conn->cmd_lock); +@@ -373,7 +373,7 @@ int iscsit_prepare_cmds_for_realligance( + */ + if (!(cmd->cmd_flags & ICF_OOO_CMDSN) && !cmd->immediate_cmd && + iscsi_sna_gte(cmd->cmd_sn, conn->sess->exp_cmd_sn)) { +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + iscsit_free_cmd(cmd, true); + spin_lock_bh(&conn->cmd_lock); +@@ -395,7 +395,7 @@ int iscsit_prepare_cmds_for_realligance( + + cmd->sess = conn->sess; + +- list_del(&cmd->i_conn_node); ++ list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + + iscsit_free_all_datain_reqs(cmd); diff --git a/queue-3.10/iser-target-fix-post_send_buf_count-for-rdma-read-write.patch b/queue-3.10/iser-target-fix-post_send_buf_count-for-rdma-read-write.patch new file mode 100644 index 00000000000..483bf0effa9 --- /dev/null +++ b/queue-3.10/iser-target-fix-post_send_buf_count-for-rdma-read-write.patch @@ -0,0 +1,99 @@ +From b6b87a1df604678ed1be40158080db012a99ccca Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 27 Feb 2014 09:05:03 -0800 +Subject: iser-target: Fix post_send_buf_count for RDMA READ/WRITE + +From: Nicholas Bellinger + +commit b6b87a1df604678ed1be40158080db012a99ccca upstream. + +This patch fixes the incorrect setting of ->post_send_buf_count +related to RDMA WRITEs + READs where isert_rdma_rw->send_wr_num +was not being taken into account. + +This includes incrementing ->post_send_buf_count within +isert_put_datain() + isert_get_dataout(), decrementing within +__isert_send_completion() + isert_response_completion(), and +clearing wr->send_wr_num within isert_completion_rdma_read() + +This is necessary because even though IB_SEND_SIGNALED is +not set for RDMA WRITEs + READs, during a QP failure event +the work requests will be returned with exception status +from the TX completion queue. + +Acked-by: Sagi Grimberg +Cc: Or Gerlitz +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -1308,6 +1308,7 @@ isert_completion_rdma_read(struct iser_t + } + + cmd->write_data_done = se_cmd->data_length; ++ wr->send_wr_num = 0; + + pr_debug("isert_do_rdma_read_comp, calling target_execute_cmd\n"); + spin_lock_bh(&cmd->istate_lock); +@@ -1367,6 +1368,7 @@ isert_response_completion(struct iser_tx + struct ib_device *ib_dev) + { + struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd; ++ struct isert_rdma_wr *wr = &isert_cmd->rdma_wr; + + if (cmd->i_state == ISTATE_SEND_TASKMGTRSP || + cmd->i_state == ISTATE_SEND_LOGOUTRSP || +@@ -1377,7 +1379,7 @@ isert_response_completion(struct iser_tx + queue_work(isert_comp_wq, &isert_cmd->comp_work); + return; + } +- atomic_dec(&isert_conn->post_send_buf_count); ++ atomic_sub(wr->send_wr_num + 1, &isert_conn->post_send_buf_count); + + cmd->i_state = ISTATE_SENT_STATUS; + isert_completion_put(tx_desc, isert_cmd, ib_dev); +@@ -1415,7 +1417,7 @@ isert_send_completion(struct iser_tx_des + case ISER_IB_RDMA_READ: + pr_debug("isert_send_completion: Got ISER_IB_RDMA_READ:\n"); + +- atomic_dec(&isert_conn->post_send_buf_count); ++ atomic_sub(wr->send_wr_num, &isert_conn->post_send_buf_count); + isert_completion_rdma_read(tx_desc, isert_cmd); + break; + default: +@@ -1834,12 +1836,12 @@ isert_put_datain(struct iscsi_conn *conn + isert_init_tx_hdrs(isert_conn, &isert_cmd->tx_desc); + isert_init_send_wr(isert_cmd, &isert_cmd->tx_desc.send_wr); + +- atomic_inc(&isert_conn->post_send_buf_count); ++ atomic_add(wr->send_wr_num + 1, &isert_conn->post_send_buf_count); + + rc = ib_post_send(isert_conn->conn_qp, wr->send_wr, &wr_failed); + if (rc) { + pr_warn("ib_post_send() failed for IB_WR_RDMA_WRITE\n"); +- atomic_dec(&isert_conn->post_send_buf_count); ++ atomic_sub(wr->send_wr_num + 1, &isert_conn->post_send_buf_count); + } + pr_debug("Posted RDMA_WRITE + Response for iSER Data READ\n"); + return 1; +@@ -1942,12 +1944,12 @@ isert_get_dataout(struct iscsi_conn *con + data_left -= data_len; + } + +- atomic_inc(&isert_conn->post_send_buf_count); ++ atomic_add(wr->send_wr_num, &isert_conn->post_send_buf_count); + + rc = ib_post_send(isert_conn->conn_qp, wr->send_wr, &wr_failed); + if (rc) { + pr_warn("ib_post_send() failed for IB_WR_RDMA_READ\n"); +- atomic_dec(&isert_conn->post_send_buf_count); ++ atomic_sub(wr->send_wr_num, &isert_conn->post_send_buf_count); + } + pr_debug("Posted RDMA_READ memory for ISER Data WRITE\n"); + return 0; diff --git a/queue-3.10/iwlwifi-mvm-don-t-warn-when-statistics-are-handled-late.patch b/queue-3.10/iwlwifi-mvm-don-t-warn-when-statistics-are-handled-late.patch new file mode 100644 index 00000000000..5b0ae17a7a3 --- /dev/null +++ b/queue-3.10/iwlwifi-mvm-don-t-warn-when-statistics-are-handled-late.patch @@ -0,0 +1,42 @@ +From 1e9291996c4eedf79883f47ec635235e39d3d6cd Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 4 Mar 2014 10:28:23 +0200 +Subject: iwlwifi: mvm: don't WARN when statistics are handled late + +From: Emmanuel Grumbach + +commit 1e9291996c4eedf79883f47ec635235e39d3d6cd upstream. + +Since the statistics handler is asynchrous, it can very well +be that we will handle the statistics (hence the RSSI +fluctuation) when we already disassociated. +Don't WARN on this case. + +This solves: https://bugzilla.redhat.com/show_bug.cgi?id=1071998 + +Fixes: 2b76ef13086f ("iwlwifi: mvm: implement reduced Tx power") +Reviewed-by: Johannes Berg +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/wireless/iwlwifi/mvm/bt-coex.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/bt-coex.c ++++ b/drivers/net/wireless/iwlwifi/mvm/bt-coex.c +@@ -523,8 +523,11 @@ void iwl_mvm_bt_rssi_event(struct iwl_mv + + mutex_lock(&mvm->mutex); + +- /* Rssi update while not associated ?! */ +- if (WARN_ON_ONCE(mvmvif->ap_sta_id == IWL_MVM_STATION_COUNT)) ++ /* ++ * Rssi update while not associated - can happen since the statistics ++ * are handled asynchronously ++ */ ++ if (mvmvif->ap_sta_id == IWL_MVM_STATION_COUNT) + goto out_unlock; + + /* No open connection - reports should be disabled */ diff --git a/queue-3.10/jiffies-avoid-undefined-behavior-from-signed-overflow.patch b/queue-3.10/jiffies-avoid-undefined-behavior-from-signed-overflow.patch new file mode 100644 index 00000000000..706cadf3b70 --- /dev/null +++ b/queue-3.10/jiffies-avoid-undefined-behavior-from-signed-overflow.patch @@ -0,0 +1,79 @@ +From 5a581b367b5df0531265311fc681c2abd377e5e6 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Sat, 27 Jul 2013 03:53:54 -0700 +Subject: jiffies: Avoid undefined behavior from signed overflow + +From: "Paul E. McKenney" + +commit 5a581b367b5df0531265311fc681c2abd377e5e6 upstream. + +According to the C standard 3.4.3p3, overflow of a signed integer results +in undefined behavior. This commit therefore changes the definitions +of time_after(), time_after_eq(), time_after64(), and time_after_eq64() +to avoid this undefined behavior. The trick is that the subtraction +is done using unsigned arithmetic, which according to 6.2.5p9 cannot +overflow because it is defined as modulo arithmetic. This has the added +(though admittedly quite small) benefit of shortening four lines of code +by four characters each. + +Note that the C standard considers the cast from unsigned to +signed to be implementation-defined, see 6.3.1.3p3. However, on a +two's-complement system, an implementation that defines anything other +than a reinterpretation of the bits is free to come to me, and I will be +happy to act as a witness for its being committed to an insane asylum. +(Although I have nothing against saturating arithmetic or signals in some +cases, these things really should not be the default when compiling an +operating-system kernel.) + +Signed-off-by: Paul E. McKenney +Cc: John Stultz +Cc: "David S. Miller" +Cc: Arnd Bergmann +Cc: Ingo Molnar +Cc: Linus Torvalds +Cc: Eric Dumazet +Cc: Kevin Easton +[ paulmck: Included time_after64() and time_after_eq64(), as suggested + by Eric Dumazet, also fixed commit message.] +Reviewed-by: Josh Triplett +Ruchi Kandoi +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/jiffies.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -101,13 +101,13 @@ static inline u64 get_jiffies_64(void) + #define time_after(a,b) \ + (typecheck(unsigned long, a) && \ + typecheck(unsigned long, b) && \ +- ((long)(b) - (long)(a) < 0)) ++ ((long)((b) - (a)) < 0)) + #define time_before(a,b) time_after(b,a) + + #define time_after_eq(a,b) \ + (typecheck(unsigned long, a) && \ + typecheck(unsigned long, b) && \ +- ((long)(a) - (long)(b) >= 0)) ++ ((long)((a) - (b)) >= 0)) + #define time_before_eq(a,b) time_after_eq(b,a) + + /* +@@ -130,13 +130,13 @@ static inline u64 get_jiffies_64(void) + #define time_after64(a,b) \ + (typecheck(__u64, a) && \ + typecheck(__u64, b) && \ +- ((__s64)(b) - (__s64)(a) < 0)) ++ ((__s64)((b) - (a)) < 0)) + #define time_before64(a,b) time_after64(b,a) + + #define time_after_eq64(a,b) \ + (typecheck(__u64, a) && \ + typecheck(__u64, b) && \ +- ((__s64)(a) - (__s64)(b) >= 0)) ++ ((__s64)((a) - (b)) >= 0)) + #define time_before_eq64(a,b) time_after_eq64(b,a) + + /* diff --git a/queue-3.10/mips-include-linux-types.h.patch b/queue-3.10/mips-include-linux-types.h.patch new file mode 100644 index 00000000000..bcec16253c1 --- /dev/null +++ b/queue-3.10/mips-include-linux-types.h.patch @@ -0,0 +1,39 @@ +From 87c99203fea897fbdd84b681ad9fced2517dcf98 Mon Sep 17 00:00:00 2001 +From: Qais Yousef +Date: Mon, 9 Dec 2013 09:49:45 +0000 +Subject: MIPS: include linux/types.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qais Yousef + +commit 87c99203fea897fbdd84b681ad9fced2517dcf98 upstream. + +The file uses u16 type but doesn't include its definition explicitly + +I was getting this error when including this header in my driver: + + arch/mips/include/asm/mipsregs.h:644:33: error: unknown type name ‘u16’ + +Signed-off-by: Qais Yousef +Reviewed-by: Steven J. Hill +Acked-by: David Daney +Signed-off-by: John Crispin +Patchwork: http://patchwork.linux-mips.org/patch/6212/ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/mipsregs.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -14,6 +14,7 @@ + #define _ASM_MIPSREGS_H + + #include ++#include + #include + #include + diff --git a/queue-3.10/s390-dasd-hold-request-queue-sysfs-lock-when-calling-elevator_init.patch b/queue-3.10/s390-dasd-hold-request-queue-sysfs-lock-when-calling-elevator_init.patch new file mode 100644 index 00000000000..b751d0f6013 --- /dev/null +++ b/queue-3.10/s390-dasd-hold-request-queue-sysfs-lock-when-calling-elevator_init.patch @@ -0,0 +1,46 @@ +From ef0899410ff630b2e75306da49996dbbfa318165 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 31 Oct 2013 13:24:28 +0100 +Subject: s390/dasd: hold request queue sysfs lock when calling elevator_init() + +From: Heiko Carstens + +commit ef0899410ff630b2e75306da49996dbbfa318165 upstream. + +"elevator: Fix a race in elevator switching and md device initialization" +changed the semantics of elevator_init() in a way that now enforces to hold +the corresponding request queue's sysfs_lock when calling elevator_init() +to fix a race. +The patch did not convert the s390 dasd device driver which is the only +device driver which also calls elevator_init(). So add the missing locking. + +Cc: Tomoki Sekiyama +Cc: Jens Axboe +Signed-off-by: Heiko Carstens +Signed-off-by: Jens Axboe +Cc: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -2879,12 +2879,12 @@ static int dasd_alloc_queue(struct dasd_ + + elevator_exit(block->request_queue->elevator); + block->request_queue->elevator = NULL; ++ mutex_lock(&block->request_queue->sysfs_lock); + rc = elevator_init(block->request_queue, "deadline"); +- if (rc) { ++ if (rc) + blk_cleanup_queue(block->request_queue); +- return rc; +- } +- return 0; ++ mutex_unlock(&block->request_queue->sysfs_lock); ++ return rc; + } + + /* diff --git a/queue-3.10/series b/queue-3.10/series index c7ae4eeede1..9012c8f18ef 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -70,3 +70,16 @@ scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch scsi-storvsc-null-pointer-dereference-fix.patch x86-fpu-check-tsk_used_math-in-kernel_fpu_end-for-eager-fpu.patch btrfs-fix-data-corruption-when-reading-updating-compressed-extents.patch +alsa-oxygen-modify-adjust_dg_dac_routing-function.patch +jiffies-avoid-undefined-behavior-from-signed-overflow.patch +s390-dasd-hold-request-queue-sysfs-lock-when-calling-elevator_init.patch +fix-mountpoint-reference-leakage-in-linkat.patch +mips-include-linux-types.h.patch +bio-integrity-fix-bio_integrity_verify-segment-start-bug.patch +tick-make-oneshot-broadcast-robust-vs.-cpu-offlining.patch +iwlwifi-mvm-don-t-warn-when-statistics-are-handled-late.patch +arm-7864-1-handle-64-bit-memory-in-case-of-32-bit-phys_addr_t.patch +arm-ignore-memory-below-phys_offset.patch +iscsi-iser-target-use-list_del_init-for-i_conn_node.patch +iscsi-iser-target-fix-isert_conn-state-hung-shutdown-issues.patch +iser-target-fix-post_send_buf_count-for-rdma-read-write.patch diff --git a/queue-3.10/tick-make-oneshot-broadcast-robust-vs.-cpu-offlining.patch b/queue-3.10/tick-make-oneshot-broadcast-robust-vs.-cpu-offlining.patch new file mode 100644 index 00000000000..d105f6056dc --- /dev/null +++ b/queue-3.10/tick-make-oneshot-broadcast-robust-vs.-cpu-offlining.patch @@ -0,0 +1,82 @@ +From c9b5a266b103af873abb9ac03bc3d067702c8f4b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 26 Jun 2013 12:17:32 +0200 +Subject: tick: Make oneshot broadcast robust vs. CPU offlining + +From: Thomas Gleixner + +commit c9b5a266b103af873abb9ac03bc3d067702c8f4b upstream. + +In periodic mode we remove offline cpus from the broadcast propagation +mask. In oneshot mode we fail to do so. This was not a problem so far, +but the recent changes to the broadcast propagation introduced a +constellation which can result in a NULL pointer dereference. + +What happens is: + +CPU0 CPU1 + idle() + arch_idle() + tick_broadcast_oneshot_control(OFF); + set cpu1 in tick_broadcast_force_mask + if (cpu_offline()) + arch_cpu_dead() + +cpu_dead_cleanup(cpu1) + cpu1 tickdevice pointer = NULL + +broadcast interrupt + dereference cpu1 tickdevice pointer -> OOPS + +We dereference the pointer because cpu1 is still set in +tick_broadcast_force_mask and tick_do_broadcast() expects a valid +cpumask and therefor lacks any further checks. + +Remove the cpu from the tick_broadcast_force_mask before we set the +tick device pointer to NULL. Also add a sanity check to the oneshot +broadcast function, so we can detect such issues w/o crashing the +machine. + +Reported-by: Prarit Bhargava +Cc: athorlton@sgi.com +Cc: CAI Qian +Link: http://lkml.kernel.org/r/alpine.DEB.2.02.1306261303260.4013@ionos.tec.linutronix.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Preeti U Murthy +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/tick-broadcast.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -594,6 +594,13 @@ again: + cpumask_clear(tick_broadcast_force_mask); + + /* ++ * Sanity check. Catch the case where we try to broadcast to ++ * offline cpus. ++ */ ++ if (WARN_ON_ONCE(!cpumask_subset(tmpmask, cpu_online_mask))) ++ cpumask_and(tmpmask, tmpmask, cpu_online_mask); ++ ++ /* + * Wakeup the cpus which have an expired event. + */ + tick_do_broadcast(tmpmask); +@@ -834,10 +841,12 @@ void tick_shutdown_broadcast_oneshot(uns + raw_spin_lock_irqsave(&tick_broadcast_lock, flags); + + /* +- * Clear the broadcast mask flag for the dead cpu, but do not +- * stop the broadcast device! ++ * Clear the broadcast masks for the dead cpu, but do not stop ++ * the broadcast device! + */ + cpumask_clear_cpu(cpu, tick_broadcast_oneshot_mask); ++ cpumask_clear_cpu(cpu, tick_broadcast_pending_mask); ++ cpumask_clear_cpu(cpu, tick_broadcast_force_mask); + + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); + } -- 2.47.3