From cc964eae1976a971ac026a6acb39c390129c4887 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 28 Feb 2013 16:29:49 -0800 Subject: [PATCH] 3.8-stable patches added patches: b43-fix-lockdep-splat-on-module-unload.patch block-fix-ext_devt_idr-handling.patch doc-kernel-parameters-document-console-hvc-n.patch doc-xen-mention-earlyprintk-xen-in-the-documentation.patch ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch iommu-amd-initialize-device-table-after-dma_ops.patch ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch ocfs2-fix-possible-use-after-free-with-aio.patch posix-timer-don-t-call-idr_find-with-out-of-range-id.patch target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch ubifs-fix-double-free-of-ubifs_orphan-objects.patch ubifs-fix-use-of-freed-ubifs_orphan-objects.patch usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch usb-dwc3-gadget-change-hird-threshold-to-12.patch usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch usb-dwc3-gadget-fix-missed-isoc.patch usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch --- ...3-fix-lockdep-splat-on-module-unload.patch | 68 ++++++++ .../block-fix-ext_devt_idr-handling.patch | 110 ++++++++++++ ...el-parameters-document-console-hvc-n.patch | 32 ++++ ...earlyprintk-xen-in-the-documentation.patch | 44 +++++ ...e-notifier-after-all-other-notifiers.patch | 127 ++++++++++++++ ...nitialize-device-table-after-dma_ops.patch | 49 ++++++ ..._relink-0-won-t-disable-group-relink.patch | 108 ++++++++++++ ..._and_acl-to-initialize-acl-correctly.patch | 163 ++++++++++++++++++ ...fix-possible-use-after-free-with-aio.patch | 40 +++++ ...t-call-idr_find-with-out-of-range-id.patch | 54 ++++++ queue-3.8/series | 22 +++ ...checking-during-make_mappedlun-setup.patch | 43 +++++ ...ls-during-cached-demo-mode-operation.patch | 119 +++++++++++++ ...-double-free-of-ubifs_orphan-objects.patch | 78 +++++++++ ...ix-use-of-freed-ubifs_orphan-objects.patch | 94 ++++++++++ ...b2-lpm-only-when-connected-as-usb2.0.patch | 72 ++++++++ ...3-gadget-change-hird-threshold-to-12.patch | 45 +++++ ...dget-fix-isoc-end-transfer-condition.patch | 70 ++++++++ .../usb-dwc3-gadget-fix-missed-isoc.patch | 130 ++++++++++++++ ...wc3-gadget-fix-skip-link_trb-on-isoc.patch | 50 ++++++ ...-parsing-of-the-lapic-cmdline-option.patch | 39 +++++ ...-really-disable-efi-runtime-serivces.patch | 55 ++++++ ...e-case-the-bda-contains-pure-garbage.patch | 122 +++++++++++++ 23 files changed, 1734 insertions(+) create mode 100644 queue-3.8/b43-fix-lockdep-splat-on-module-unload.patch create mode 100644 queue-3.8/block-fix-ext_devt_idr-handling.patch create mode 100644 queue-3.8/doc-kernel-parameters-document-console-hvc-n.patch create mode 100644 queue-3.8/doc-xen-mention-earlyprintk-xen-in-the-documentation.patch create mode 100644 queue-3.8/ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch create mode 100644 queue-3.8/iommu-amd-initialize-device-table-after-dma_ops.patch create mode 100644 queue-3.8/ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch create mode 100644 queue-3.8/ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch create mode 100644 queue-3.8/ocfs2-fix-possible-use-after-free-with-aio.patch create mode 100644 queue-3.8/posix-timer-don-t-call-idr_find-with-out-of-range-id.patch create mode 100644 queue-3.8/target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch create mode 100644 queue-3.8/target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch create mode 100644 queue-3.8/ubifs-fix-double-free-of-ubifs_orphan-objects.patch create mode 100644 queue-3.8/ubifs-fix-use-of-freed-ubifs_orphan-objects.patch create mode 100644 queue-3.8/usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch create mode 100644 queue-3.8/usb-dwc3-gadget-change-hird-threshold-to-12.patch create mode 100644 queue-3.8/usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch create mode 100644 queue-3.8/usb-dwc3-gadget-fix-missed-isoc.patch create mode 100644 queue-3.8/usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch create mode 100644 queue-3.8/x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch create mode 100644 queue-3.8/x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch create mode 100644 queue-3.8/x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch diff --git a/queue-3.8/b43-fix-lockdep-splat-on-module-unload.patch b/queue-3.8/b43-fix-lockdep-splat-on-module-unload.patch new file mode 100644 index 00000000000..e2e807c48e3 --- /dev/null +++ b/queue-3.8/b43-fix-lockdep-splat-on-module-unload.patch @@ -0,0 +1,68 @@ +From 63a02ce1c5c59baa40b99756492e3ec8d6b51483 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Mon, 25 Feb 2013 06:09:24 +0000 +Subject: b43: Fix lockdep splat on module unload + +From: Larry Finger + +commit 63a02ce1c5c59baa40b99756492e3ec8d6b51483 upstream. + +On unload, b43 produces a lockdep warning that can be summarized in the +following way: + + ====================================================== + [ INFO: possible circular locking dependency detected ] + 3.8.0-wl+ #117 Not tainted + ------------------------------------------------------- + modprobe/5557 is trying to acquire lock: + ((&wl->firmware_load)){+.+.+.}, at: [] flush_work+0x0/0x2a0 + + but task is already holding lock: + (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x12/0x20 + + which lock already depends on the new lock. + [ INFO: possible circular locking dependency detected ] + ====================================================== + +The full output is available at http://lkml.indiana.edu/hypermail/linux/kernel/1302.3/00060.html. +To summarize, commit 6b6fa58 added a 'cancel_work_sync(&wl->firmware_load)' +call in the wrong place. + +The fix is to move the cancel_work_sync() call to b43_bcma_remove() and +b43_ssb_remove(). Thanks to Johannes Berg and Michael Buesch for help in +diagnosing the log output. + +Signed-off-by: Larry Finger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/b43/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -4214,7 +4214,6 @@ redo: + mutex_unlock(&wl->mutex); + cancel_delayed_work_sync(&dev->periodic_work); + cancel_work_sync(&wl->tx_work); +- cancel_work_sync(&wl->firmware_load); + mutex_lock(&wl->mutex); + dev = wl->current_dev; + if (!dev || b43_status(dev) < B43_STAT_STARTED) { +@@ -5434,6 +5433,7 @@ static void b43_bcma_remove(struct bcma_ + /* We must cancel any work here before unregistering from ieee80211, + * as the ieee80211 unreg will destroy the workqueue. */ + cancel_work_sync(&wldev->restart_work); ++ cancel_work_sync(&wl->firmware_load); + + B43_WARN_ON(!wl); + if (!wldev->fw.ucode.data) +@@ -5510,6 +5510,7 @@ static void b43_ssb_remove(struct ssb_de + /* We must cancel any work here before unregistering from ieee80211, + * as the ieee80211 unreg will destroy the workqueue. */ + cancel_work_sync(&wldev->restart_work); ++ cancel_work_sync(&wl->firmware_load); + + B43_WARN_ON(!wl); + if (!wldev->fw.ucode.data) diff --git a/queue-3.8/block-fix-ext_devt_idr-handling.patch b/queue-3.8/block-fix-ext_devt_idr-handling.patch new file mode 100644 index 00000000000..6cdd7a4fda0 --- /dev/null +++ b/queue-3.8/block-fix-ext_devt_idr-handling.patch @@ -0,0 +1,110 @@ +From 7b74e912785a11572da43292786ed07ada7e3e0c Mon Sep 17 00:00:00 2001 +From: Tomas Henzl +Date: Wed, 27 Feb 2013 17:03:32 -0800 +Subject: block: fix ext_devt_idr handling + +From: Tomas Henzl + +commit 7b74e912785a11572da43292786ed07ada7e3e0c upstream. + +While adding and removing a lot of disks disks and partitions this +sometimes shows up: + + WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted) + Hardware name: + sysfs: cannot create duplicate filename '/dev/block/259:751' + Modules linked in: raid1 autofs4 bnx2fc cnic uio fcoe libfcoe libfc 8021q scsi_transport_fc scsi_tgt garp stp llc sunrpc cpufreq_ondemand powernow_k8 freq_table mperf ipv6 dm_mirror dm_region_hash dm_log power_meter microcode dcdbas serio_raw amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core k10temp bnx2 sg ixgbe dca mdio ext4 mbcache jbd2 dm_round_robin sr_mod cdrom sd_mod crc_t10dif ata_generic pata_acpi pata_atiixp ahci mptsas mptscsih mptbase scsi_transport_sas dm_multipath dm_mod [last unloaded: scsi_wait_scan] + Pid: 44103, comm: async/16 Not tainted 2.6.32-195.el6.x86_64 #1 + Call Trace: + warn_slowpath_common+0x87/0xc0 + warn_slowpath_fmt+0x46/0x50 + sysfs_add_one+0xc9/0x130 + sysfs_do_create_link+0x12b/0x170 + sysfs_create_link+0x13/0x20 + device_add+0x317/0x650 + idr_get_new+0x13/0x50 + add_partition+0x21c/0x390 + rescan_partitions+0x32b/0x470 + sd_open+0x81/0x1f0 [sd_mod] + __blkdev_get+0x1b6/0x3c0 + blkdev_get+0x10/0x20 + register_disk+0x155/0x170 + add_disk+0xa6/0x160 + sd_probe_async+0x13b/0x210 [sd_mod] + add_wait_queue+0x46/0x60 + async_thread+0x102/0x250 + default_wake_function+0x0/0x20 + async_thread+0x0/0x250 + kthread+0x96/0xa0 + child_rip+0xa/0x20 + kthread+0x0/0xa0 + child_rip+0x0/0x20 + +This most likely happens because dev_t is freed while the number is +still used and idr_get_new() is not protected on every use. The fix +adds a mutex where it wasn't before and moves the dev_t free function so +it is called after device del. + +Signed-off-by: Tomas Henzl +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + block/genhd.c | 6 +++++- + block/partition-generic.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -422,14 +422,18 @@ int blk_alloc_devt(struct hd_struct *par + do { + if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL)) + return -ENOMEM; ++ mutex_lock(&ext_devt_mutex); + rc = idr_get_new(&ext_devt_idr, part, &idx); ++ mutex_unlock(&ext_devt_mutex); + } while (rc == -EAGAIN); + + if (rc) + return rc; + + if (idx > MAX_EXT_DEVT) { ++ mutex_lock(&ext_devt_mutex); + idr_remove(&ext_devt_idr, idx); ++ mutex_unlock(&ext_devt_mutex); + return -EBUSY; + } + +@@ -646,7 +650,6 @@ void del_gendisk(struct gendisk *disk) + disk_part_iter_exit(&piter); + + invalidate_partition(disk, 0); +- blk_free_devt(disk_to_dev(disk)->devt); + set_capacity(disk, 0); + disk->flags &= ~GENHD_FL_UP; + +@@ -664,6 +667,7 @@ void del_gendisk(struct gendisk *disk) + if (!sysfs_deprecated) + sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk))); + device_del(disk_to_dev(disk)); ++ blk_free_devt(disk_to_dev(disk)->devt); + } + EXPORT_SYMBOL(del_gendisk); + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -249,11 +249,11 @@ void delete_partition(struct gendisk *di + if (!part) + return; + +- blk_free_devt(part_devt(part)); + rcu_assign_pointer(ptbl->part[partno], NULL); + rcu_assign_pointer(ptbl->last_lookup, NULL); + kobject_put(part->holder_dir); + device_del(part_to_dev(part)); ++ blk_free_devt(part_devt(part)); + + hd_struct_put(part); + } diff --git a/queue-3.8/doc-kernel-parameters-document-console-hvc-n.patch b/queue-3.8/doc-kernel-parameters-document-console-hvc-n.patch new file mode 100644 index 00000000000..ae6818fe19d --- /dev/null +++ b/queue-3.8/doc-kernel-parameters-document-console-hvc-n.patch @@ -0,0 +1,32 @@ +From a2fd6419174470f5ae6383f5037d0ee21ed9833f Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 25 Feb 2013 15:54:09 -0500 +Subject: doc, kernel-parameters: Document 'console=hvc' + +From: Konrad Rzeszutek Wilk + +commit a2fd6419174470f5ae6383f5037d0ee21ed9833f upstream. + +Both the PowerPC hypervisor and Xen hypervisor can utilize the +hvc driver. + +Signed-off-by: Konrad Rzeszutek Wilk +Link: http://lkml.kernel.org/r/1361825650-14031-3-git-send-email-konrad.wilk@oracle.com +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kernel-parameters.txt | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -564,6 +564,8 @@ bytes respectively. Such letter suffixes + UART at the specified I/O port or MMIO address, + switching to the matching ttyS device later. The + options are the same as for ttyS, above. ++ hvc Use the hypervisor console device . This is for ++ both Xen and PowerPC hypervisors. + + If the device connected to the port is not a TTY but a braille + device, prepend "brl," before the device type, for instance diff --git a/queue-3.8/doc-xen-mention-earlyprintk-xen-in-the-documentation.patch b/queue-3.8/doc-xen-mention-earlyprintk-xen-in-the-documentation.patch new file mode 100644 index 00000000000..3c6826a204d --- /dev/null +++ b/queue-3.8/doc-xen-mention-earlyprintk-xen-in-the-documentation.patch @@ -0,0 +1,44 @@ +From 2482a92e7d17187301d7313cfe5021b13393a0b4 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 25 Feb 2013 15:54:08 -0500 +Subject: doc, xen: Mention 'earlyprintk=xen' in the documentation. + +From: Konrad Rzeszutek Wilk + +commit 2482a92e7d17187301d7313cfe5021b13393a0b4 upstream. + +The earlyprintk for Xen PV guests utilizes a simple hypercall +(console_io) to provide output to Xen emergency console. + +Note that the Xen hypervisor should be booted with 'loglevel=all' +to output said information. + +Reported-by: H. Peter Anvin +Signed-off-by: Konrad Rzeszutek Wilk +Link: http://lkml.kernel.org/r/1361825650-14031-2-git-send-email-konrad.wilk@oracle.com +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kernel-parameters.txt | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -754,6 +754,7 @@ bytes respectively. Such letter suffixes + + earlyprintk= [X86,SH,BLACKFIN] + earlyprintk=vga ++ earlyprintk=xen + earlyprintk=serial[,ttySn[,baudrate]] + earlyprintk=ttySn[,baudrate] + earlyprintk=dbgp[debugController#] +@@ -771,6 +772,8 @@ bytes respectively. Such letter suffixes + The VGA output is eventually overwritten by the real + console. + ++ The xen output can only be used by Xen PV guests. ++ + ekgdboc= [X86,KGDB] Allow early kernel console debugging + ekgdboc=kbd + diff --git a/queue-3.8/ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch b/queue-3.8/ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch new file mode 100644 index 00000000000..bcb0d49fcc8 --- /dev/null +++ b/queue-3.8/ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch @@ -0,0 +1,127 @@ +From 8c189ea64eea01ca20d102ddb74d6936dd16c579 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Wed, 13 Feb 2013 15:18:38 -0500 +Subject: ftrace: Call ftrace cleanup module notifier after all other notifiers + +From: "Steven Rostedt (Red Hat)" + +commit 8c189ea64eea01ca20d102ddb74d6936dd16c579 upstream. + +Commit: c1bf08ac "ftrace: Be first to run code modification on modules" + +changed ftrace module notifier's priority to INT_MAX in order to +process the ftrace nops before anything else could touch them +(namely kprobes). This was the correct thing to do. + +Unfortunately, the ftrace module notifier also contains the ftrace +clean up code. As opposed to the set up code, this code should be +run *after* all the module notifiers have run in case a module is doing +correct clean-up and unregisters its ftrace hooks. Basically, ftrace +needs to do clean up on module removal, as it needs to know about code +being removed so that it doesn't try to modify that code. But after it +removes the module from its records, if a ftrace user tries to remove +a probe, that removal will fail due as the record of that code segment +no longer exists. + +Nothing really bad happens if the probe removal is called after ftrace +did the clean up, but the ftrace removal function will return an error. +Correct code (such as kprobes) will produce a WARN_ON() if it fails +to remove the probe. As people get annoyed by frivolous warnings, it's +best to do the ftrace clean up after everything else. + +By splitting the ftrace_module_notifier into two notifiers, one that +does the module load setup that is run at high priority, and the other +that is called for module clean up that is run at low priority, the +problem is solved. + +Reported-by: Frank Ch. Eigler +Acked-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 46 ++++++++++++++++++++++++++++++++-------------- + 1 file changed, 32 insertions(+), 14 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3970,37 +3970,51 @@ static void ftrace_init_module(struct mo + ftrace_process_locs(mod, start, end); + } + +-static int ftrace_module_notify(struct notifier_block *self, +- unsigned long val, void *data) ++static int ftrace_module_notify_enter(struct notifier_block *self, ++ unsigned long val, void *data) + { + struct module *mod = data; + +- switch (val) { +- case MODULE_STATE_COMING: ++ if (val == MODULE_STATE_COMING) + ftrace_init_module(mod, mod->ftrace_callsites, + mod->ftrace_callsites + + mod->num_ftrace_callsites); +- break; +- case MODULE_STATE_GOING: ++ return 0; ++} ++ ++static int ftrace_module_notify_exit(struct notifier_block *self, ++ unsigned long val, void *data) ++{ ++ struct module *mod = data; ++ ++ if (val == MODULE_STATE_GOING) + ftrace_release_mod(mod); +- break; +- } + + return 0; + } + #else +-static int ftrace_module_notify(struct notifier_block *self, +- unsigned long val, void *data) ++static int ftrace_module_notify_enter(struct notifier_block *self, ++ unsigned long val, void *data) ++{ ++ return 0; ++} ++static int ftrace_module_notify_exit(struct notifier_block *self, ++ unsigned long val, void *data) + { + return 0; + } + #endif /* CONFIG_MODULES */ + +-struct notifier_block ftrace_module_nb = { +- .notifier_call = ftrace_module_notify, ++struct notifier_block ftrace_module_enter_nb = { ++ .notifier_call = ftrace_module_notify_enter, + .priority = INT_MAX, /* Run before anything that can use kprobes */ + }; + ++struct notifier_block ftrace_module_exit_nb = { ++ .notifier_call = ftrace_module_notify_exit, ++ .priority = INT_MIN, /* Run after anything that can remove kprobes */ ++}; ++ + extern unsigned long __start_mcount_loc[]; + extern unsigned long __stop_mcount_loc[]; + +@@ -4032,9 +4046,13 @@ void __init ftrace_init(void) + __start_mcount_loc, + __stop_mcount_loc); + +- ret = register_module_notifier(&ftrace_module_nb); ++ ret = register_module_notifier(&ftrace_module_enter_nb); ++ if (ret) ++ pr_warning("Failed to register trace ftrace module enter notifier\n"); ++ ++ ret = register_module_notifier(&ftrace_module_exit_nb); + if (ret) +- pr_warning("Failed to register trace ftrace module notifier\n"); ++ pr_warning("Failed to register trace ftrace module exit notifier\n"); + + set_ftrace_early_filters(); + diff --git a/queue-3.8/iommu-amd-initialize-device-table-after-dma_ops.patch b/queue-3.8/iommu-amd-initialize-device-table-after-dma_ops.patch new file mode 100644 index 00000000000..b0eb3d643f6 --- /dev/null +++ b/queue-3.8/iommu-amd-initialize-device-table-after-dma_ops.patch @@ -0,0 +1,49 @@ +From f528d980c17b8714aedc918ba86e058af914d66b Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Wed, 6 Feb 2013 12:55:23 +0100 +Subject: iommu/amd: Initialize device table after dma_ops + +From: Joerg Roedel + +commit f528d980c17b8714aedc918ba86e058af914d66b upstream. + +When dma_ops are initialized the unity mappings are +created. The init_device_table_dma() function makes sure DMA +from all devices is blocked by default. This opens a short +window in time where DMA to unity mapped regions is blocked +by the IOMMU. Make sure this does not happen by initializing +the device table after dma_ops. + +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu_init.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -1876,11 +1876,6 @@ static int amd_iommu_init_dma(void) + struct amd_iommu *iommu; + int ret; + +- init_device_table_dma(); +- +- for_each_iommu(iommu) +- iommu_flush_all_caches(iommu); +- + if (iommu_pass_through) + ret = amd_iommu_init_passthrough(); + else +@@ -1889,6 +1884,11 @@ static int amd_iommu_init_dma(void) + if (ret) + return ret; + ++ init_device_table_dma(); ++ ++ for_each_iommu(iommu) ++ iommu_flush_all_caches(iommu); ++ + amd_iommu_init_api(); + + amd_iommu_init_notifier(); diff --git a/queue-3.8/ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch b/queue-3.8/ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch new file mode 100644 index 00000000000..41bf7b7eb4d --- /dev/null +++ b/queue-3.8/ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch @@ -0,0 +1,108 @@ +From 309a85b6861fedbb48a22d45e0e079d1be993b3a Mon Sep 17 00:00:00 2001 +From: "Xiaowei.Hu" +Date: Wed, 27 Feb 2013 17:02:49 -0800 +Subject: ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink + +From: "Xiaowei.Hu" + +commit 309a85b6861fedbb48a22d45e0e079d1be993b3a upstream. + +ocfs2_block_group_alloc_discontig() disables chain relink by setting +ac->ac_allow_chain_relink = 0 because it grabs clusters from multiple +cluster groups. + +It doesn't keep the credits for all chain relink,but +ocfs2_claim_suballoc_bits overrides this in this call trace: +ocfs2_block_group_claim_bits()->ocfs2_claim_clusters()-> +__ocfs2_claim_clusters()->ocfs2_claim_suballoc_bits() +ocfs2_claim_suballoc_bits set ac->ac_allow_chain_relink = 1; then call +ocfs2_search_chain() one time and disable it again, and then we run out +of credits. + +Fix is to allow relink by default and disable it in +ocfs2_block_group_alloc_discontig. + +Without this patch, End-users will run into a crash due to run out of +credits, backtrace like this: + + RIP: 0010:[] [] + jbd2_journal_dirty_metadata+0x164/0x170 [jbd2] + RSP: 0018:ffff8801b919b5b8 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff88022139ddc0 RCX: ffff880159f652d0 + RDX: ffff880178aa3000 RSI: ffff880159f652d0 RDI: ffff880087f09bf8 + RBP: ffff8801b919b5e8 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000001e00 R11: 00000000000150b0 R12: ffff880159f652d0 + R13: ffff8801a0cae908 R14: ffff880087f09bf8 R15: ffff88018d177800 + FS: 00007fc9b0b6b6e0(0000) GS:ffff88022fd40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 000000000040819c CR3: 0000000184017000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Process dd (pid: 9945, threadinfo ffff8801b919a000, task ffff880149a264c0) + Call Trace: + ocfs2_journal_dirty+0x2f/0x70 [ocfs2] + ocfs2_relink_block_group+0x111/0x480 [ocfs2] + ocfs2_search_chain+0x455/0x9a0 [ocfs2] + ... + +Signed-off-by: Xiaowei.Hu +Reviewed-by: Srinivas Eeda +Cc: Mark Fasheh +Cc: Joel Becker +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/suballoc.c | 7 +++---- + fs/ocfs2/suballoc.h | 2 +- + 2 files changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/ocfs2/suballoc.c ++++ b/fs/ocfs2/suballoc.c +@@ -642,7 +642,7 @@ ocfs2_block_group_alloc_discontig(handle + * cluster groups will be staying in cache for the duration of + * this operation. + */ +- ac->ac_allow_chain_relink = 0; ++ ac->ac_disable_chain_relink = 1; + + /* Claim the first region */ + status = ocfs2_block_group_claim_bits(osb, handle, ac, min_bits, +@@ -1823,7 +1823,7 @@ static int ocfs2_search_chain(struct ocf + * Do this *after* figuring out how many bits we're taking out + * of our target group. + */ +- if (ac->ac_allow_chain_relink && ++ if (!ac->ac_disable_chain_relink && + (prev_group_bh) && + (ocfs2_block_group_reasonably_empty(bg, res->sr_bits))) { + status = ocfs2_relink_block_group(handle, alloc_inode, +@@ -1928,7 +1928,6 @@ static int ocfs2_claim_suballoc_bits(str + + victim = ocfs2_find_victim_chain(cl); + ac->ac_chain = victim; +- ac->ac_allow_chain_relink = 1; + + status = ocfs2_search_chain(ac, handle, bits_wanted, min_bits, + res, &bits_left); +@@ -1947,7 +1946,7 @@ static int ocfs2_claim_suballoc_bits(str + * searching each chain in order. Don't allow chain relinking + * because we only calculate enough journal credits for one + * relink per alloc. */ +- ac->ac_allow_chain_relink = 0; ++ ac->ac_disable_chain_relink = 1; + for (i = 0; i < le16_to_cpu(cl->cl_next_free_rec); i ++) { + if (i == victim) + continue; +--- a/fs/ocfs2/suballoc.h ++++ b/fs/ocfs2/suballoc.h +@@ -49,7 +49,7 @@ struct ocfs2_alloc_context { + + /* these are used by the chain search */ + u16 ac_chain; +- int ac_allow_chain_relink; ++ int ac_disable_chain_relink; + group_search_t *ac_group_search; + + u64 ac_last_group; diff --git a/queue-3.8/ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch b/queue-3.8/ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch new file mode 100644 index 00000000000..31ce9c24a9b --- /dev/null +++ b/queue-3.8/ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch @@ -0,0 +1,163 @@ +From 32918dd9f19e5960af4cdfa41190bb843fb2247b Mon Sep 17 00:00:00 2001 +From: Jeff Liu +Date: Wed, 27 Feb 2013 17:02:48 -0800 +Subject: ocfs2: fix ocfs2_init_security_and_acl() to initialize acl correctly + +From: Jeff Liu + +commit 32918dd9f19e5960af4cdfa41190bb843fb2247b upstream. + +We need to re-initialize the security for a new reflinked inode with its +parent dirs if it isn't specified to be preserved for ocfs2_reflink(). +However, the code logic is broken at ocfs2_init_security_and_acl() +although ocfs2_init_security_get() succeed. As a result, +ocfs2_acl_init() does not involked and therefore the default ACL of +parent dir was missing on the new inode. + +Note this was introduced by 9d8f13ba3 ("security: new +security_inode_init_security API adds function callback") + +To reproduce: + + set default ACL for the parent dir(ocfs2 in this case): + $ setfacl -m default:user:jeff:rwx ../ocfs2/ + $ getfacl ../ocfs2/ + # file: ../ocfs2/ + # owner: jeff + # group: jeff + user::rwx + group::r-x + other::r-x + default:user::rwx + default:user:jeff:rwx + default:group::r-x + default:mask::rwx + default:other::r-x + + $ touch a + $ getfacl a + # file: a + # owner: jeff + # group: jeff + user::rw- + group::rw- + other::r-- + +Before patching, create reflink file b from a, the user +default ACL entry(user:jeff:rwx)was missing: + + $ ./ocfs2_reflink a b + $ getfacl b + # file: b + # owner: jeff + # group: jeff + user::rw- + group::rw- + other::r-- + +In this case, the end user can also observed an error message at syslog: + + (ocfs2_reflink,3229,2):ocfs2_init_security_and_acl:7193 ERROR: status = 0 + +After applying this patch, create reflink file c from a: + + $ ./ocfs2_reflink a c + $ getfacl c + # file: c + # owner: jeff + # group: jeff + user::rw- + user:jeff:rwx #effective:rw- + group::r-x #effective:r-- + mask::rw- + other::r-- + +Test program: +/* Usage: reflink */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static int +reflink_file(char const *src_name, char const *dst_name, + bool preserve_attrs) +{ + int fd; + +#ifndef REFLINK_ATTR_NONE +# define REFLINK_ATTR_NONE 0 +#endif +#ifndef REFLINK_ATTR_PRESERVE +# define REFLINK_ATTR_PRESERVE 1 +#endif +#ifndef OCFS2_IOC_REFLINK + struct reflink_arguments { + uint64_t old_path; + uint64_t new_path; + uint64_t preserve; + }; + +# define OCFS2_IOC_REFLINK _IOW ('o', 4, struct reflink_arguments) +#endif + struct reflink_arguments args = { + .old_path = (unsigned long) src_name, + .new_path = (unsigned long) dst_name, + .preserve = preserve_attrs ? REFLINK_ATTR_PRESERVE : + REFLINK_ATTR_NONE, + }; + + fd = open(src_name, O_RDONLY); + if (fd < 0) { + fprintf(stderr, "Failed to open %s: %s\n", + src_name, strerror(errno)); + return -1; + } + + if (ioctl(fd, OCFS2_IOC_REFLINK, &args) < 0) { + fprintf(stderr, "Failed to reflink %s to %s: %s\n", + src_name, dst_name, strerror(errno)); + return -1; + } +} + +int +main(int argc, char *argv[]) +{ + if (argc != 3) { + fprintf(stdout, "Usage: %s source dest\n", argv[0]); + return 1; + } + + return reflink_file(argv[1], argv[2], 0); +} + +Signed-off-by: Jie Liu +Reviewed-by: Tao Ma +Cc: Mimi Zohar +Cc: Joel Becker +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -7189,7 +7189,7 @@ int ocfs2_init_security_and_acl(struct i + struct buffer_head *dir_bh = NULL; + + ret = ocfs2_init_security_get(inode, dir, qstr, NULL); +- if (!ret) { ++ if (ret) { + mlog_errno(ret); + goto leave; + } diff --git a/queue-3.8/ocfs2-fix-possible-use-after-free-with-aio.patch b/queue-3.8/ocfs2-fix-possible-use-after-free-with-aio.patch new file mode 100644 index 00000000000..e91ab9b788d --- /dev/null +++ b/queue-3.8/ocfs2-fix-possible-use-after-free-with-aio.patch @@ -0,0 +1,40 @@ +From 9b171e0c74ca0549d0610990a862dd895870f04a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 20 Feb 2013 13:16:39 +1100 +Subject: ocfs2: fix possible use-after-free with AIO + +From: Jan Kara + +commit 9b171e0c74ca0549d0610990a862dd895870f04a upstream. + +Running AIO is pinning inode in memory using file reference. Once AIO +is completed using aio_complete(), file reference is put and inode can +be freed from memory. So we have to be sure that calling aio_complete() +is the last thing we do with the inode. + +Signed-off-by: Jan Kara +Acked-by: Jeff Moyer +Acked-by: Joel Becker +Cc: Mark Fasheh +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/aops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -593,9 +593,9 @@ static void ocfs2_dio_end_io(struct kioc + level = ocfs2_iocb_rw_locked_level(iocb); + ocfs2_rw_unlock(inode, level); + ++ inode_dio_done(inode); + if (is_async) + aio_complete(iocb, ret, 0); +- inode_dio_done(inode); + } + + /* diff --git a/queue-3.8/posix-timer-don-t-call-idr_find-with-out-of-range-id.patch b/queue-3.8/posix-timer-don-t-call-idr_find-with-out-of-range-id.patch new file mode 100644 index 00000000000..c7818a213bd --- /dev/null +++ b/queue-3.8/posix-timer-don-t-call-idr_find-with-out-of-range-id.patch @@ -0,0 +1,54 @@ +From e182bb38d7db7494fa5dcd82da17fe0dedf60ecf Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 20 Feb 2013 15:24:12 -0800 +Subject: posix-timer: Don't call idr_find() with out-of-range ID + +From: Tejun Heo + +commit e182bb38d7db7494fa5dcd82da17fe0dedf60ecf upstream. + +When idr_find() was fed a negative ID, it used to look up the ID +ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and +move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers +a WARN_ON_ONCE(). + +__lock_timer() feeds timer_id from userland directly to idr_find() +without sanitizing it which can trigger the above malfunctions. Add a +range check on @timer_id before invoking idr_find() in __lock_timer(). + +While timer_t is defined as int by all archs at the moment, Andrew +worries that it may be defined as a larger type later on. Make the +test cover larger integers too so that it at least is guaranteed to +not return the wrong timer. + +Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional +precaution while moving away from ignoring MSB. Once it's gone we can +remove the guard as long as timer_t isn't larger than int. + +Signed-off-by: Tejun Heo nnn +Reported-by: Sasha Levin +Cc: Andrew Morton +Link: http://lkml.kernel.org/r/20130220232412.GL3570@htj.dyndns.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/posix-timers.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/posix-timers.c ++++ b/kernel/posix-timers.c +@@ -639,6 +639,13 @@ static struct k_itimer *__lock_timer(tim + { + struct k_itimer *timr; + ++ /* ++ * timer_t could be any type >= int and we want to make sure any ++ * @timer_id outside positive int range fails lookup. ++ */ ++ if ((unsigned long long)timer_id > INT_MAX) ++ return NULL; ++ + rcu_read_lock(); + timr = idr_find(&posix_timers_id, (int)timer_id); + if (timr) { diff --git a/queue-3.8/series b/queue-3.8/series index b790f178baf..fc1e7472a19 100644 --- a/queue-3.8/series +++ b/queue-3.8/series @@ -8,3 +8,25 @@ ib-srp-avoid-sending-a-task-management-function-needlessly.patch ib-srp-avoid-endless-scsi-error-handling-loop.patch ib-srp-fail-i-o-requests-if-the-transport-is-offline.patch quota-autoload-the-quota_v2-module-for-qfmt_vfs_v1-quota-format.patch +usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch +usb-dwc3-gadget-fix-missed-isoc.patch +usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch +usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch +usb-dwc3-gadget-change-hird-threshold-to-12.patch +b43-fix-lockdep-splat-on-module-unload.patch +ubifs-fix-use-of-freed-ubifs_orphan-objects.patch +ubifs-fix-double-free-of-ubifs_orphan-objects.patch +iommu-amd-initialize-device-table-after-dma_ops.patch +posix-timer-don-t-call-idr_find-with-out-of-range-id.patch +ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch +x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch +x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch +doc-xen-mention-earlyprintk-xen-in-the-documentation.patch +doc-kernel-parameters-document-console-hvc-n.patch +x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch +target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch +target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch +ocfs2-fix-possible-use-after-free-with-aio.patch +ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch +ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch +block-fix-ext_devt_idr-handling.patch diff --git a/queue-3.8/target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch b/queue-3.8/target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch new file mode 100644 index 00000000000..236c3642a26 --- /dev/null +++ b/queue-3.8/target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch @@ -0,0 +1,43 @@ +From fbbf8555a986ed31e54f006b6cc637ea4ff1425b Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 18 Feb 2013 18:31:37 -0800 +Subject: target: Add missing mapped_lun bounds checking during make_mappedlun setup + +From: Nicholas Bellinger + +commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream. + +This patch adds missing bounds checking for the configfs provided +mapped_lun value during target_fabric_make_mappedlun() setup ahead +of se_lun_acl initialization. + +This addresses a potential OOPs when using a mapped_lun value that +exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within +se_node_acl->device_list[]. + +Reported-by: Jan Engelhardt +Cc: Jan Engelhardt +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_fabric_configfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/target/target_core_fabric_configfs.c ++++ b/drivers/target/target_core_fabric_configfs.c +@@ -354,6 +354,14 @@ static struct config_group *target_fabri + ret = -EINVAL; + goto out; + } ++ if (mapped_lun > (TRANSPORT_MAX_LUNS_PER_TPG-1)) { ++ pr_err("Mapped LUN: %lu exceeds TRANSPORT_MAX_LUNS_PER_TPG" ++ "-1: %u for Target Portal Group: %u\n", mapped_lun, ++ TRANSPORT_MAX_LUNS_PER_TPG-1, ++ se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg)); ++ ret = -EINVAL; ++ goto out; ++ } + + lacl = core_dev_init_initiator_node_lun_acl(se_tpg, se_nacl, + mapped_lun, &ret); diff --git a/queue-3.8/target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch b/queue-3.8/target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch new file mode 100644 index 00000000000..9552a22e6f0 --- /dev/null +++ b/queue-3.8/target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch @@ -0,0 +1,119 @@ +From fcf29481fb8e106daad6688f2e898226ee928992 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 18 Feb 2013 18:00:33 -0800 +Subject: target: Fix lookup of dynamic NodeACLs during cached demo-mode operation + +From: Nicholas Bellinger + +commit fcf29481fb8e106daad6688f2e898226ee928992 upstream. + +This patch fixes a bug in core_tpg_check_initiator_node_acl() -> +core_tpg_get_initiator_node_acl() where a dynamically created +se_node_acl generated during session login would be skipped during +subsequent lookup due to the '!acl->dynamic_node_acl' check, causing +a new se_node_acl to be created with a duplicate ->initiatorname. + +This would occur when a fabric endpoint was configured with +TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1 +preventing the release of an existing se_node_acl during se_session +shutdown. + +Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl() +within core_dev_init_initiator_node_lun_acl() that originally +required the extra '!acl->dynamic_node_acl' check, and just pass +the configfs provided se_node_acl pointer instead. + +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_device.c | 13 ++++--------- + drivers/target/target_core_fabric_configfs.c | 4 ++-- + drivers/target/target_core_internal.h | 2 +- + drivers/target/target_core_tpg.c | 10 ++-------- + 4 files changed, 9 insertions(+), 20 deletions(-) + +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1182,24 +1182,18 @@ static struct se_lun *core_dev_get_lun(s + + struct se_lun_acl *core_dev_init_initiator_node_lun_acl( + struct se_portal_group *tpg, ++ struct se_node_acl *nacl, + u32 mapped_lun, +- char *initiatorname, + int *ret) + { + struct se_lun_acl *lacl; +- struct se_node_acl *nacl; + +- if (strlen(initiatorname) >= TRANSPORT_IQN_LEN) { ++ if (strlen(nacl->initiatorname) >= TRANSPORT_IQN_LEN) { + pr_err("%s InitiatorName exceeds maximum size.\n", + tpg->se_tpg_tfo->get_fabric_name()); + *ret = -EOVERFLOW; + return NULL; + } +- nacl = core_tpg_get_initiator_node_acl(tpg, initiatorname); +- if (!nacl) { +- *ret = -EINVAL; +- return NULL; +- } + lacl = kzalloc(sizeof(struct se_lun_acl), GFP_KERNEL); + if (!lacl) { + pr_err("Unable to allocate memory for struct se_lun_acl.\n"); +@@ -1210,7 +1204,8 @@ struct se_lun_acl *core_dev_init_initiat + INIT_LIST_HEAD(&lacl->lacl_list); + lacl->mapped_lun = mapped_lun; + lacl->se_lun_nacl = nacl; +- snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s", initiatorname); ++ snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s", ++ nacl->initiatorname); + + return lacl; + } +--- a/drivers/target/target_core_fabric_configfs.c ++++ b/drivers/target/target_core_fabric_configfs.c +@@ -355,8 +355,8 @@ static struct config_group *target_fabri + goto out; + } + +- lacl = core_dev_init_initiator_node_lun_acl(se_tpg, mapped_lun, +- config_item_name(acl_ci), &ret); ++ lacl = core_dev_init_initiator_node_lun_acl(se_tpg, se_nacl, ++ mapped_lun, &ret); + if (!lacl) { + ret = -EINVAL; + goto out; +--- a/drivers/target/target_core_internal.h ++++ b/drivers/target/target_core_internal.h +@@ -45,7 +45,7 @@ struct se_lun *core_dev_add_lun(struct s + int core_dev_del_lun(struct se_portal_group *, u32); + struct se_lun *core_get_lun_from_tpg(struct se_portal_group *, u32); + struct se_lun_acl *core_dev_init_initiator_node_lun_acl(struct se_portal_group *, +- u32, char *, int *); ++ struct se_node_acl *, u32, int *); + int core_dev_add_initiator_node_lun_acl(struct se_portal_group *, + struct se_lun_acl *, u32, u32); + int core_dev_del_initiator_node_lun_acl(struct se_portal_group *, +--- a/drivers/target/target_core_tpg.c ++++ b/drivers/target/target_core_tpg.c +@@ -111,16 +111,10 @@ struct se_node_acl *core_tpg_get_initiat + struct se_node_acl *acl; + + spin_lock_irq(&tpg->acl_node_lock); +- list_for_each_entry(acl, &tpg->acl_node_list, acl_list) { +- if (!strcmp(acl->initiatorname, initiatorname) && +- !acl->dynamic_node_acl) { +- spin_unlock_irq(&tpg->acl_node_lock); +- return acl; +- } +- } ++ acl = __core_tpg_get_initiator_node_acl(tpg, initiatorname); + spin_unlock_irq(&tpg->acl_node_lock); + +- return NULL; ++ return acl; + } + + /* core_tpg_add_node_to_devs(): diff --git a/queue-3.8/ubifs-fix-double-free-of-ubifs_orphan-objects.patch b/queue-3.8/ubifs-fix-double-free-of-ubifs_orphan-objects.patch new file mode 100644 index 00000000000..7d89aa14c5b --- /dev/null +++ b/queue-3.8/ubifs-fix-double-free-of-ubifs_orphan-objects.patch @@ -0,0 +1,78 @@ +From 8afd500cb52a5d00bab4525dd5a560d199f979b9 Mon Sep 17 00:00:00 2001 +From: Adam Thomas +Date: Sat, 2 Feb 2013 22:35:08 +0000 +Subject: UBIFS: fix double free of ubifs_orphan objects + +From: Adam Thomas + +commit 8afd500cb52a5d00bab4525dd5a560d199f979b9 upstream. + +The last orphan in the dnext list has its dnext set to NULL. Because +of that, ubifs_delete_orphan assumes that it is not on the dnext list +and frees it immediately instead ignoring it as a second delete. The +orphan is later freed again by erase_deleted. + +This change adds an explicit flag to ubifs_orphan indicating whether +it is pending delete. + +Signed-off-by: Adam Thomas +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/orphan.c | 5 ++++- + fs/ubifs/ubifs.h | 2 ++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/ubifs/orphan.c ++++ b/fs/ubifs/orphan.c +@@ -126,13 +126,14 @@ void ubifs_delete_orphan(struct ubifs_in + else if (inum > o->inum) + p = p->rb_right; + else { +- if (o->dnext) { ++ if (o->del) { + spin_unlock(&c->orphan_lock); + dbg_gen("deleted twice ino %lu", + (unsigned long)inum); + return; + } + if (o->cmt) { ++ o->del = 1; + o->dnext = c->orph_dnext; + c->orph_dnext = o; + spin_unlock(&c->orphan_lock); +@@ -447,6 +448,7 @@ static void erase_deleted(struct ubifs_i + orphan = dnext; + dnext = orphan->dnext; + ubifs_assert(!orphan->new); ++ ubifs_assert(orphan->del); + rb_erase(&orphan->rb, &c->orph_tree); + list_del(&orphan->list); + c->tot_orphans -= 1; +@@ -536,6 +538,7 @@ static int insert_dead_orphan(struct ubi + rb_link_node(&orphan->rb, parent, p); + rb_insert_color(&orphan->rb, &c->orph_tree); + list_add_tail(&orphan->list, &c->orph_list); ++ orphan->del = 1; + orphan->dnext = c->orph_dnext; + c->orph_dnext = orphan; + dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum, +--- a/fs/ubifs/ubifs.h ++++ b/fs/ubifs/ubifs.h +@@ -905,6 +905,7 @@ struct ubifs_budget_req { + * @inum: inode number + * @new: %1 => added since the last commit, otherwise %0 + * @cmt: %1 => commit pending, otherwise %0 ++ * @del: %1 => delete pending, otherwise %0 + */ + struct ubifs_orphan { + struct rb_node rb; +@@ -915,6 +916,7 @@ struct ubifs_orphan { + ino_t inum; + unsigned new:1; + unsigned cmt:1; ++ unsigned del:1; + }; + + /** diff --git a/queue-3.8/ubifs-fix-use-of-freed-ubifs_orphan-objects.patch b/queue-3.8/ubifs-fix-use-of-freed-ubifs_orphan-objects.patch new file mode 100644 index 00000000000..8b0abd0df40 --- /dev/null +++ b/queue-3.8/ubifs-fix-use-of-freed-ubifs_orphan-objects.patch @@ -0,0 +1,94 @@ +From 2928f0d0c5ebd6c9605c0d98207a44376387c298 Mon Sep 17 00:00:00 2001 +From: Adam Thomas +Date: Sat, 2 Feb 2013 22:32:31 +0000 +Subject: UBIFS: fix use of freed ubifs_orphan objects + +From: Adam Thomas + +commit 2928f0d0c5ebd6c9605c0d98207a44376387c298 upstream. + +The last orphan in the cnext list has its cnext set to NULL. Because +of that, ubifs_delete_orphan assumes that it is not on the cnext list +and frees it immediately instead of adding it to the dnext list. The +freed orphan is later modified by write_orph_node. + +This can cause various inconsistencies including directory entries +that cannot be removed and this error: + +UBIFS error (pid 20685): layout_cnodes: LPT out of space at LEB 14:129009 needing 17, done_ltab 1, done_lsave 1 + +This is a regression introduced by +"7074e5eb UBIFS: remove invalid reference to list iterator variable". + +This change adds an explicit flag to ubifs_orphan indicating whether +it is pending commit. + +Signed-off-by: Adam Thomas +Reviewed-by: Adrian Hunter +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/orphan.c | 7 ++++++- + fs/ubifs/ubifs.h | 4 +++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/ubifs/orphan.c ++++ b/fs/ubifs/orphan.c +@@ -132,7 +132,7 @@ void ubifs_delete_orphan(struct ubifs_in + (unsigned long)inum); + return; + } +- if (o->cnext) { ++ if (o->cmt) { + o->dnext = c->orph_dnext; + c->orph_dnext = o; + spin_unlock(&c->orphan_lock); +@@ -172,7 +172,9 @@ int ubifs_orphan_start_commit(struct ubi + last = &c->orph_cnext; + list_for_each_entry(orphan, &c->orph_new, new_list) { + ubifs_assert(orphan->new); ++ ubifs_assert(!orphan->cmt); + orphan->new = 0; ++ orphan->cmt = 1; + *last = orphan; + last = &orphan->cnext; + } +@@ -299,7 +301,9 @@ static int write_orph_node(struct ubifs_ + cnext = c->orph_cnext; + for (i = 0; i < cnt; i++) { + orphan = cnext; ++ ubifs_assert(orphan->cmt); + orph->inos[i] = cpu_to_le64(orphan->inum); ++ orphan->cmt = 0; + cnext = orphan->cnext; + orphan->cnext = NULL; + } +@@ -378,6 +382,7 @@ static int consolidate(struct ubifs_info + list_for_each_entry(orphan, &c->orph_list, list) { + if (orphan->new) + continue; ++ orphan->cmt = 1; + *last = orphan; + last = &orphan->cnext; + cnt += 1; +--- a/fs/ubifs/ubifs.h ++++ b/fs/ubifs/ubifs.h +@@ -904,6 +904,7 @@ struct ubifs_budget_req { + * @dnext: next orphan to delete + * @inum: inode number + * @new: %1 => added since the last commit, otherwise %0 ++ * @cmt: %1 => commit pending, otherwise %0 + */ + struct ubifs_orphan { + struct rb_node rb; +@@ -912,7 +913,8 @@ struct ubifs_orphan { + struct ubifs_orphan *cnext; + struct ubifs_orphan *dnext; + ino_t inum; +- int new; ++ unsigned new:1; ++ unsigned cmt:1; + }; + + /** diff --git a/queue-3.8/usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch b/queue-3.8/usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch new file mode 100644 index 00000000000..065e5f16039 --- /dev/null +++ b/queue-3.8/usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch @@ -0,0 +1,72 @@ +From 2b758350af19db9a5c98241cf222c2e211d7a912 Mon Sep 17 00:00:00 2001 +From: Pratyush Anand +Date: Mon, 14 Jan 2013 15:59:31 +0530 +Subject: usb: dwc3: Enable usb2 LPM only when connected as usb2.0 + +From: Pratyush Anand + +commit 2b758350af19db9a5c98241cf222c2e211d7a912 upstream. + +Synopsys says: +The HIRD Threshold field must be set to ‘0’ when the device core is +operating in super speed mode. + +This patch implements above statement. + +Acked-by: Paul Zimmerman +Signed-off-by: Pratyush Anand +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2157,6 +2157,23 @@ static void dwc3_gadget_conndone_interru + break; + } + ++ /* Enable USB2 LPM Capability */ ++ ++ if ((dwc->revision > DWC3_REVISION_194A) ++ && (speed != DWC3_DCFG_SUPERSPEED)) { ++ reg = dwc3_readl(dwc->regs, DWC3_DCFG); ++ reg |= DWC3_DCFG_LPM_CAP; ++ dwc3_writel(dwc->regs, DWC3_DCFG, reg); ++ ++ reg = dwc3_readl(dwc->regs, DWC3_DCTL); ++ reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN); ++ ++ /* TODO: This should be configurable */ ++ reg |= DWC3_DCTL_HIRD_THRES(28); ++ ++ dwc3_writel(dwc->regs, DWC3_DCTL, reg); ++ } ++ + /* Recent versions support automatic phy suspend and don't need this */ + if (dwc->revision < DWC3_REVISION_194A) { + /* Suspend unneeded PHY */ +@@ -2463,20 +2480,8 @@ int dwc3_gadget_init(struct dwc3 *dwc) + DWC3_DEVTEN_DISCONNEVTEN); + dwc3_writel(dwc->regs, DWC3_DEVTEN, reg); + +- /* Enable USB2 LPM and automatic phy suspend only on recent versions */ ++ /* automatic phy suspend only on recent versions */ + if (dwc->revision >= DWC3_REVISION_194A) { +- reg = dwc3_readl(dwc->regs, DWC3_DCFG); +- reg |= DWC3_DCFG_LPM_CAP; +- dwc3_writel(dwc->regs, DWC3_DCFG, reg); +- +- reg = dwc3_readl(dwc->regs, DWC3_DCTL); +- reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN); +- +- /* TODO: This should be configurable */ +- reg |= DWC3_DCTL_HIRD_THRES(28); +- +- dwc3_writel(dwc->regs, DWC3_DCTL, reg); +- + dwc3_gadget_usb2_phy_suspend(dwc, false); + dwc3_gadget_usb3_phy_suspend(dwc, false); + } diff --git a/queue-3.8/usb-dwc3-gadget-change-hird-threshold-to-12.patch b/queue-3.8/usb-dwc3-gadget-change-hird-threshold-to-12.patch new file mode 100644 index 00000000000..1a7cbdff210 --- /dev/null +++ b/queue-3.8/usb-dwc3-gadget-change-hird-threshold-to-12.patch @@ -0,0 +1,45 @@ +From 1a947746dbe1486d0e305ab512ddf085b7874cb3 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Thu, 24 Jan 2013 11:56:11 +0200 +Subject: usb: dwc3: gadget: change HIRD threshold to 12 + +From: Felipe Balbi + +commit 1a947746dbe1486d0e305ab512ddf085b7874cb3 upstream. + +First of all, that 28 value makes no sense as +HIRD threshold is a 4-bit value, second of all +it's causing issues for OMAP5. + +Using 12 because commit cbc725b3 (usb: dwc3: +keep default hird threshold value as 4b1100) +had the intention of setting the maximum allowed +value of 0xc. + +Also, original code has been wrong forever, so +this should be backported as far back as +possible. + +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2190,8 +2190,11 @@ static void dwc3_gadget_conndone_interru + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN); + +- /* TODO: This should be configurable */ +- reg |= DWC3_DCTL_HIRD_THRES(28); ++ /* ++ * TODO: This should be configurable. For now using ++ * maximum allowed HIRD threshold value of 0b1100 ++ */ ++ reg |= DWC3_DCTL_HIRD_THRES(12); + + dwc3_writel(dwc->regs, DWC3_DCTL, reg); + } diff --git a/queue-3.8/usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch b/queue-3.8/usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch new file mode 100644 index 00000000000..7c8daec5440 --- /dev/null +++ b/queue-3.8/usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch @@ -0,0 +1,70 @@ +From cdc359dd87ab6c39a67dab724fd0b61c16e6f08b Mon Sep 17 00:00:00 2001 +From: Pratyush Anand +Date: Mon, 14 Jan 2013 15:59:34 +0530 +Subject: usb: dwc3: gadget: fix isoc END TRANSFER Condition + +From: Pratyush Anand + +commit cdc359dd87ab6c39a67dab724fd0b61c16e6f08b upstream. + +There were still some corner cases where isoc transfer was not able to +restart, specially when missed isoc does not happen , and in fact gadget does +not queue any new request during giveback. + +Cleanup function calls giveback first, which provides a way to queue +another request to gadget. But gadget did not had any data. So , it did +not call ep_queue. To twist it further, gadget did not queue till +cleanup for last queued TRB is called. If we ever reach this scenario, +we must call END TRANSFER, so that we receive a new xfernotready with +information about current microframe number. + +Also insure that there is no request submitted to core when issuing END +TRANSFER. + +Signed-off-by: Pratyush Anand +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1091,7 +1091,10 @@ static int __dwc3_gadget_ep_queue(struct + * notion of current microframe. + */ + if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) { +- dwc3_stop_active_transfer(dwc, dep->number); ++ if (list_empty(&dep->req_queued)) { ++ dwc3_stop_active_transfer(dwc, dep->number); ++ dep->flags = DWC3_EP_ENABLED; ++ } + return 0; + } + +@@ -1728,10 +1731,20 @@ static int dwc3_cleanup_done_reqs(struct + break; + } while (1); + +- if (list_empty(&dep->req_queued) && +- (dep->flags & DWC3_EP_MISSED_ISOC)) { +- dwc3_stop_active_transfer(dwc, dep->number); +- dep->flags &= ~DWC3_EP_MISSED_ISOC; ++ if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && ++ list_empty(&dep->req_queued)) { ++ if (list_empty(&dep->request_list)) { ++ /* ++ * If there is no entry in request list then do ++ * not issue END TRANSFER now. Just set PENDING ++ * flag, so that END TRANSFER is issued when an ++ * entry is added into request list. ++ */ ++ dep->flags = DWC3_EP_PENDING_REQUEST; ++ } else { ++ dwc3_stop_active_transfer(dwc, dep->number); ++ dep->flags = DWC3_EP_ENABLED; ++ } + return 1; + } + diff --git a/queue-3.8/usb-dwc3-gadget-fix-missed-isoc.patch b/queue-3.8/usb-dwc3-gadget-fix-missed-isoc.patch new file mode 100644 index 00000000000..52f1a964bb6 --- /dev/null +++ b/queue-3.8/usb-dwc3-gadget-fix-missed-isoc.patch @@ -0,0 +1,130 @@ +From 7efea86c2868b8fd9df65e589e33aebe498ce21d Mon Sep 17 00:00:00 2001 +From: Pratyush Anand +Date: Mon, 14 Jan 2013 15:59:32 +0530 +Subject: usb: dwc3: gadget: fix missed isoc + +From: Pratyush Anand + +commit 7efea86c2868b8fd9df65e589e33aebe498ce21d upstream. + +There are two reasons to generate missed isoc. + +1. when the host does not poll for all the data. +2. because of application-side delays that prevent all the data from +being transferred in programmed microframe. + +Current code was able to handle first case only. This patch handles +scenario 2 as well.Scenario 2 sometime may occur with complex gadget +application, however it can be easily reproduced for testing purpose as +follows: + +a. use isoc binterval as 1 in f_sourcesink. +b. use pattern=0 +c. introduce a delay of 150us deliberately in source_sink_complete, so +that after few frames it lands into scenario 2. +d. now run testusb 16 (isoc in test). You will notice that if this +patch is not applied then isoc transfer is not able to recover after +first missed. + +Current patch's approach is as under: + +If missed isoc occurs and there is no request queued then issue END +TRANSFER, so that core generates next xfernotready and we will issue a +fresh START TRANSFER. +If there are still queued request then wait, do not issue either END or +UPDATE TRANSFER, just attach next request in request_list during giveback. +If any future queued request is successfully transferred then we will issue +UPDATE TRANSFER for all request in the request_list. + +Signed-off-by: Pratyush Anand +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.h | 2 -- + drivers/usb/dwc3/gadget.c | 36 ++++++++++++++++++++++++------------ + 2 files changed, 24 insertions(+), 14 deletions(-) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -405,7 +405,6 @@ struct dwc3_event_buffer { + * @number: endpoint number (1 - 15) + * @type: set to bmAttributes & USB_ENDPOINT_XFERTYPE_MASK + * @resource_index: Resource transfer index +- * @current_uf: Current uf received through last event parameter + * @interval: the intervall on which the ISOC transfer is started + * @name: a human readable name e.g. ep1out-bulk + * @direction: true for TX, false for RX +@@ -439,7 +438,6 @@ struct dwc3_ep { + u8 number; + u8 type; + u8 resource_index; +- u16 current_uf; + u32 interval; + + char name[20]; +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1117,16 +1117,6 @@ static int __dwc3_gadget_ep_queue(struct + dep->name); + } + +- /* +- * 3. Missed ISOC Handling. We need to start isoc transfer on the saved +- * uframe number. +- */ +- if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && +- (dep->flags & DWC3_EP_MISSED_ISOC)) { +- __dwc3_gadget_start_isoc(dwc, dep, dep->current_uf); +- dep->flags &= ~DWC3_EP_MISSED_ISOC; +- } +- + return 0; + } + +@@ -1689,14 +1679,29 @@ static int dwc3_cleanup_done_reqs(struct + if (trb_status == DWC3_TRBSTS_MISSED_ISOC) { + dev_dbg(dwc->dev, "incomplete IN transfer %s\n", + dep->name); +- dep->current_uf = event->parameters & +- ~(dep->interval - 1); ++ /* ++ * If missed isoc occurred and there is ++ * no request queued then issue END ++ * TRANSFER, so that core generates ++ * next xfernotready and we will issue ++ * a fresh START TRANSFER. ++ * If there are still queued request ++ * then wait, do not issue either END ++ * or UPDATE TRANSFER, just attach next ++ * request in request_list during ++ * giveback.If any future queued request ++ * is successfully transferred then we ++ * will issue UPDATE TRANSFER for all ++ * request in the request_list. ++ */ + dep->flags |= DWC3_EP_MISSED_ISOC; + } else { + dev_err(dwc->dev, "incomplete IN transfer %s\n", + dep->name); + status = -ECONNRESET; + } ++ } else { ++ dep->flags &= ~DWC3_EP_MISSED_ISOC; + } + } else { + if (count && (event->status & DEPEVT_STATUS_SHORT)) +@@ -1723,6 +1728,13 @@ static int dwc3_cleanup_done_reqs(struct + break; + } while (1); + ++ if (list_empty(&dep->req_queued) && ++ (dep->flags & DWC3_EP_MISSED_ISOC)) { ++ dwc3_stop_active_transfer(dwc, dep->number); ++ dep->flags &= ~DWC3_EP_MISSED_ISOC; ++ return 1; ++ } ++ + if ((event->status & DEPEVT_STATUS_IOC) && + (trb->ctrl & DWC3_TRB_CTRL_IOC)) + return 0; diff --git a/queue-3.8/usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch b/queue-3.8/usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch new file mode 100644 index 00000000000..e0da84b0d49 --- /dev/null +++ b/queue-3.8/usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch @@ -0,0 +1,50 @@ +From 915e202aeeb59e272992a6364c910aaef3073544 Mon Sep 17 00:00:00 2001 +From: Pratyush Anand +Date: Mon, 14 Jan 2013 15:59:35 +0530 +Subject: usb: dwc3: gadget: fix skip LINK_TRB on ISOC + +From: Pratyush Anand + +commit 915e202aeeb59e272992a6364c910aaef3073544 upstream. + +When we reach to link trb, we just need to increase free_slot and then +calculate TRB. Return is not correct, as it will cause wrong TRB DMA +address to fetch in case of update transfer. + +Signed-off-by: Pratyush Anand +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -754,21 +754,18 @@ static void dwc3_prepare_one_trb(struct + struct dwc3 *dwc = dep->dwc; + struct dwc3_trb *trb; + +- unsigned int cur_slot; +- + dev_vdbg(dwc->dev, "%s: req %p dma %08llx length %d%s%s\n", + dep->name, req, (unsigned long long) dma, + length, last ? " last" : "", + chain ? " chain" : ""); + +- trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK]; +- cur_slot = dep->free_slot; +- dep->free_slot++; +- + /* Skip the LINK-TRB on ISOC */ +- if (((cur_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) && ++ if (((dep->free_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) && + usb_endpoint_xfer_isoc(dep->endpoint.desc)) +- return; ++ dep->free_slot++; ++ ++ trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK]; ++ dep->free_slot++; + + if (!req->trb) { + dwc3_gadget_move_request_queued(req); diff --git a/queue-3.8/x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch b/queue-3.8/x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch new file mode 100644 index 00000000000..87b30a31c97 --- /dev/null +++ b/queue-3.8/x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch @@ -0,0 +1,39 @@ +From 27cf929845b10043f2257693c7d179a9e0b1980e Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Tue, 19 Feb 2013 20:47:07 +0100 +Subject: x86/apic: Fix parsing of the 'lapic' cmdline option + +From: Mathias Krause + +commit 27cf929845b10043f2257693c7d179a9e0b1980e upstream. + +Including " lapic " in the kernel cmdline on an x86-64 kernel +makes it panic while parsing early params -- e.g. with no user +visible output. + +Fix this bug by ensuring arg is non-NULL before passing it to +strncmp(). + +Reported-by: PaX Team +Signed-off-by: Mathias Krause +Acked-by: David Rientjes +Cc: Suresh Siddha +Link: http://lkml.kernel.org/r/1361303227-13174-1-git-send-email-minipli@googlemail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -131,7 +131,7 @@ static int __init parse_lapic(char *arg) + { + if (config_enabled(CONFIG_X86_32) && !arg) + force_enable_local_apic = 1; +- else if (!strncmp(arg, "notscdeadline", 13)) ++ else if (arg && !strncmp(arg, "notscdeadline", 13)) + setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return 0; + } diff --git a/queue-3.8/x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch b/queue-3.8/x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch new file mode 100644 index 00000000000..657095a42fa --- /dev/null +++ b/queue-3.8/x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch @@ -0,0 +1,55 @@ +From fb834c7acc5e140cf4f9e86da93a66de8c0514da Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Wed, 20 Feb 2013 20:36:12 +0000 +Subject: x86, efi: Make "noefi" really disable EFI runtime serivces + +From: Matt Fleming + +commit fb834c7acc5e140cf4f9e86da93a66de8c0514da upstream. + +commit 1de63d60cd5b ("efi: Clear EFI_RUNTIME_SERVICES rather than +EFI_BOOT by "noefi" boot parameter") attempted to make "noefi" true to +its documentation and disable EFI runtime services to prevent the +bricking bug described in commit e0094244e41c ("samsung-laptop: +Disable on EFI hardware"). However, it's not possible to clear +EFI_RUNTIME_SERVICES from an early param function because +EFI_RUNTIME_SERVICES is set in efi_init() *after* parse_early_param(). + +This resulted in "noefi" effectively becoming a no-op and no longer +providing users with a way to disable EFI, which is bad for those +users that have buggy machines. + +Reported-by: Walt Nelson Jr +Cc: Satoru Takeuchi +Signed-off-by: Matt Fleming +Link: http://lkml.kernel.org/r/1361392572-25657-1-git-send-email-matt@console-pimps.org +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/platform/efi/efi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -85,9 +85,10 @@ int efi_enabled(int facility) + } + EXPORT_SYMBOL(efi_enabled); + ++static bool disable_runtime = false; + static int __init setup_noefi(char *arg) + { +- clear_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility); ++ disable_runtime = true; + return 0; + } + early_param("noefi", setup_noefi); +@@ -734,7 +735,7 @@ void __init efi_init(void) + if (!efi_is_native()) + pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n"); + else { +- if (efi_runtime_init()) ++ if (disable_runtime || efi_runtime_init()) + return; + set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility); + } diff --git a/queue-3.8/x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch b/queue-3.8/x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch new file mode 100644 index 00000000000..f763efa2402 --- /dev/null +++ b/queue-3.8/x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch @@ -0,0 +1,122 @@ +From 7c10093692ed2e6f318387d96b829320aa0ca64c Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Wed, 27 Feb 2013 12:46:40 -0800 +Subject: x86: Make sure we can boot in the case the BDA contains pure garbage + +From: "H. Peter Anvin" + +commit 7c10093692ed2e6f318387d96b829320aa0ca64c upstream. + +On non-BIOS platforms it is possible that the BIOS data area contains +garbage instead of being zeroed or something equivalent (firmware +people: we are talking of 1.5K here, so please do the sane thing.) + +We need on the order of 20-30K of low memory in order to boot, which +may grow up to < 64K in the future. We probably want to avoid the +lowest of the low memory. At the same time, it seems extremely +unlikely that a legitimate EBDA would ever reach down to the 128K +(which would require it to be over half a megabyte in size.) Thus, +pick 128K as the cutoff for "this is insane, ignore." We may still +end up reserving a bunch of extra memory on the low megabyte, but that +is not really a major issue these days. In the worst case we lose +512K of RAM. + +This code really should be merged with trim_bios_range() in +arch/x86/kernel/setup.c, but that is a bigger patch for a later merge +window. + +Reported-by: Darren Hart +Signed-off-by: H. Peter Anvin +Cc: Matt Fleming +Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/head.c | 57 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 36 insertions(+), 21 deletions(-) + +--- a/arch/x86/kernel/head.c ++++ b/arch/x86/kernel/head.c +@@ -5,8 +5,6 @@ + #include + #include + +-#define BIOS_LOWMEM_KILOBYTES 0x413 +- + /* + * The BIOS places the EBDA/XBDA at the top of conventional + * memory, and usually decreases the reported amount of +@@ -16,17 +14,30 @@ + * chipset: reserve a page before VGA to prevent PCI prefetch + * into it (errata #56). Usually the page is reserved anyways, + * unless you have no PS/2 mouse plugged in. ++ * ++ * This functions is deliberately very conservative. Losing ++ * memory in the bottom megabyte is rarely a problem, as long ++ * as we have enough memory to install the trampoline. Using ++ * memory that is in use by the BIOS or by some DMA device ++ * the BIOS didn't shut down *is* a big problem. + */ ++ ++#define BIOS_LOWMEM_KILOBYTES 0x413 ++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */ ++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */ ++ + void __init reserve_ebda_region(void) + { + unsigned int lowmem, ebda_addr; + +- /* To determine the position of the EBDA and the */ +- /* end of conventional memory, we need to look at */ +- /* the BIOS data area. In a paravirtual environment */ +- /* that area is absent. We'll just have to assume */ +- /* that the paravirt case can handle memory setup */ +- /* correctly, without our help. */ ++ /* ++ * To determine the position of the EBDA and the ++ * end of conventional memory, we need to look at ++ * the BIOS data area. In a paravirtual environment ++ * that area is absent. We'll just have to assume ++ * that the paravirt case can handle memory setup ++ * correctly, without our help. ++ */ + if (paravirt_enabled()) + return; + +@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void) + /* start of EBDA area */ + ebda_addr = get_bios_ebda(); + +- /* Fixup: bios puts an EBDA in the top 64K segment */ +- /* of conventional memory, but does not adjust lowmem. */ +- if ((lowmem - ebda_addr) <= 0x10000) +- lowmem = ebda_addr; +- +- /* Fixup: bios does not report an EBDA at all. */ +- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */ +- if ((ebda_addr == 0) && (lowmem >= 0x9f000)) +- lowmem = 0x9f000; +- +- /* Paranoia: should never happen, but... */ +- if ((lowmem == 0) || (lowmem >= 0x100000)) +- lowmem = 0x9f000; ++ /* ++ * Note: some old Dells seem to need 4k EBDA without ++ * reporting so, so just consider the memory above 0x9f000 ++ * to be off limits (bugzilla 2990). ++ */ ++ ++ /* If the EBDA address is below 128K, assume it is bogus */ ++ if (ebda_addr < INSANE_CUTOFF) ++ ebda_addr = LOWMEM_CAP; ++ ++ /* If lowmem is less than 128K, assume it is bogus */ ++ if (lowmem < INSANE_CUTOFF) ++ lowmem = LOWMEM_CAP; ++ ++ /* Use the lower of the lowmem and EBDA markers as the cutoff */ ++ lowmem = min(lowmem, ebda_addr); ++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */ + + /* reserve all memory between lowmem and the 1MB mark */ + memblock_reserve(lowmem, 0x100000 - lowmem); -- 2.47.3