commit 73eabc6d790066f9d77345d0c61fc6ae4736b5fc Author: Greg Kroah-Hartman Date: Mon Jun 16 13:43:06 2014 -0700 Linux 3.10.44 commit 7d872bd011c20e1efbcb95461bffabd140cf4e81 Author: Andreas Schrägle Date: Sat May 24 16:35:43 2014 +0200 ahci: add PCI ID for Marvell 88SE91A0 SATA Controller commit 754a292fe6b08196cb135c03b404444e17de520a upstream. Add support for Marvell Technology Group Ltd. 88SE91A0 SATA 6Gb/s Controller by adding its PCI ID. Signed-off-by: Andreas Schrägle Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 18958498381a47eafd7f2850513e0fdc91e15e01 Author: Jérôme Carretero Date: Tue Jun 3 14:56:25 2014 -0400 ahci: Add Device ID for HighPoint RocketRaid 642L commit d251836508fb26cd1a22b41381739835ee23728d upstream. This device normally comes with a proprietary driver, using a web GUI to configure RAID: http://www.highpoint-tech.com/USA_new/series_rr600-download.htm But thankfully it also works out of the box with the AHCI driver, being just a Marvell 88SE9235. Devices 640L, 644L, 644LS should also be supported but not tested here. Signed-off-by: Jérôme Carretero Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 310c6221b98ef56a77793c6c293b871898e1d9dc Author: Tomas Winkler Date: Mon May 12 12:19:40 2014 +0300 mei: me: drop harmful wait optimization commit 07cd7be3d92eeeae1f92a017f2cfe4fdd9256526 upstream. It my take time till ME_RDY will be cleared after the reset, so we cannot check the bit before we got the interrupt Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman commit 2290f5a6eefea72b9e32318071bc6265f13b01fe Author: Ben Collins Date: Fri Sep 13 12:46:44 2013 -0400 SCSI: megaraid: Use resource_size_t for PCI resources, not long commit 11f8a7b31f2140b0dc164bb484281235ffbe51d3 upstream. The assumption that sizeof(long) >= sizeof(resource_size_t) can lead to truncation of the PCI resource address, meaning this driver didn't work on 32-bit systems with 64-bit PCI adressing ranges. Signed-off-by: Ben Collins Acked-by: Sumit Saxena Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 553a87251dcaedc261ed34b9acebb77d2b56aa79 Author: Andy Lutomirski Date: Wed May 28 23:09:58 2014 -0400 auditsc: audit_krule mask accesses need bounds checking commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream. Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32 auditing. eparis: If the admin has enabled auditd and has specifically loaded audit rules. This bug has been around since before git. Wow... Signed-off-by: Andy Lutomirski Signed-off-by: Eric Paris Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ee7f7615f9119c1e952a0b364ec5862f37a3ada7 Author: Vlastimil Babka Date: Tue May 6 12:50:03 2014 -0700 mm/compaction: make isolate_freepages start at pageblock boundary commit 49e068f0b73dd042c186ffa9b420a9943e90389a upstream. The compaction freepage scanner implementation in isolate_freepages() starts by taking the current cc->free_pfn value as the first pfn. In a for loop, it scans from this first pfn to the end of the pageblock, and then subtracts pageblock_nr_pages from the first pfn to obtain the first pfn for the next for loop iteration. This means that when cc->free_pfn starts at offset X rather than being aligned on pageblock boundary, the scanner will start at offset X in all scanned pageblock, ignoring potentially many free pages. Currently this can happen when a) zone's end pfn is not pageblock aligned, or b) through zone->compact_cached_free_pfn with CONFIG_HOLES_IN_ZONE enabled and a hole spanning the beginning of a pageblock This patch fixes the problem by aligning the initial pfn in isolate_freepages() to pageblock boundary. This also permits replacing the end-of-pageblock alignment within the for loop with a simple pageblock_nr_pages increment. Signed-off-by: Vlastimil Babka Reported-by: Heesub Shin Acked-by: Minchan Kim Cc: Mel Gorman Acked-by: Joonsoo Kim Cc: Bartlomiej Zolnierkiewicz Cc: Michal Nazarewicz Cc: Naoya Horiguchi Cc: Christoph Lameter Acked-by: Rik van Riel Cc: Dongjun Shin Cc: Sunghwan Yun Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 87c4475c903e68e494facf6ddf4c2c952b46b936 Author: Vlastimil Babka Date: Tue Jan 21 15:51:09 2014 -0800 mm: compaction: detect when scanners meet in isolate_freepages commit 7ed695e069c3cbea5e1fd08f84a04536da91f584 upstream. Compaction of a zone is finished when the migrate scanner (which begins at the zone's lowest pfn) meets the free page scanner (which begins at the zone's highest pfn). This is detected in compact_zone() and in the case of direct compaction, the compact_blockskip_flush flag is set so that kswapd later resets the cached scanner pfn's, and a new compaction may again start at the zone's borders. The meeting of the scanners can happen during either scanner's activity. However, it may currently fail to be detected when it occurs in the free page scanner, due to two problems. First, isolate_freepages() keeps free_pfn at the highest block where it isolated pages from, for the purposes of not missing the pages that are returned back to allocator when migration fails. Second, failing to isolate enough free pages due to scanners meeting results in -ENOMEM being returned by migrate_pages(), which makes compact_zone() bail out immediately without calling compact_finished() that would detect scanners meeting. This failure to detect scanners meeting might result in repeated attempts at compaction of a zone that keep starting from the cached pfn's close to the meeting point, and quickly failing through the -ENOMEM path, without the cached pfns being reset, over and over. This has been observed (through additional tracepoints) in the third phase of the mmtests stress-highalloc benchmark, where the allocator runs on an otherwise idle system. The problem was observed in the DMA32 zone, which was used as a fallback to the preferred Normal zone, but on the 4GB system it was actually the largest zone. The problem is even amplified for such fallback zone - the deferred compaction logic, which could (after being fixed by a previous patch) reset the cached scanner pfn's, is only applied to the preferred zone and not for the fallbacks. The problem in the third phase of the benchmark was further amplified by commit 81c0a2bb515f ("mm: page_alloc: fair zone allocator policy") which resulted in a non-deterministic regression of the allocation success rate from ~85% to ~65%. This occurs in about half of benchmark runs, making bisection problematic. It is unlikely that the commit itself is buggy, but it should put more pressure on the DMA32 zone during phases 1 and 2, which may leave it more fragmented in phase 3 and expose the bugs that this patch fixes. The fix is to make scanners meeting in isolate_freepage() stay that way, and to check in compact_zone() for scanners meeting when migrate_pages() returns -ENOMEM. The result is that compact_finished() also detects scanners meeting and sets the compact_blockskip_flush flag to make kswapd reset the scanner pfn's. The results in stress-highalloc benchmark show that the "regression" by commit 81c0a2bb515f in phase 3 no longer occurs, and phase 1 and 2 allocation success rates are also significantly improved. Signed-off-by: Vlastimil Babka Cc: Mel Gorman Cc: Rik van Riel Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e6798424a7cb01aa30548876e4f1e1230741906d Author: Vlastimil Babka Date: Tue Jan 21 15:51:08 2014 -0800 mm: compaction: reset cached scanner pfn's before reading them commit d3132e4b83e6bd383c74d716f7281d7c3136089c upstream. Compaction caches pfn's for its migrate and free scanners to avoid scanning the whole zone each time. In compact_zone(), the cached values are read to set up initial values for the scanners. There are several situations when these cached pfn's are reset to the first and last pfn of the zone, respectively. One of these situations is when a compaction has been deferred for a zone and is now being restarted during a direct compaction, which is also done in compact_zone(). However, compact_zone() currently reads the cached pfn's *before* resetting them. This means the reset doesn't affect the compaction that performs it, and with good chance also subsequent compactions, as update_pageblock_skip() is likely to be called and update the cached pfn's to those being processed. Another chance for a successful reset is when a direct compaction detects that migration and free scanners meet (which has its own problems addressed by another patch) and sets update_pageblock_skip flag which kswapd uses to do the reset because it goes to sleep. This is clearly a bug that results in non-deterministic behavior, so this patch moves the cached pfn reset to be performed *before* the values are read. Signed-off-by: Vlastimil Babka Acked-by: Mel Gorman Acked-by: Rik van Riel Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 50911760bc0afc84ce85c0e26433bf3134563052 Author: Nicholas Bellinger Date: Fri Jun 6 00:52:57 2014 -0700 target: Fix alua_access_state attribute OOPs for un-configured devices commit f1453773514bb8b0bba0716301e8c8f17f8d39c7 upstream. This patch fixes a OOPs where an attempt to write to the per-device alua_access_state configfs attribute at: /sys/kernel/config/target/core/$HBA/$DEV/alua/$TG_PT_GP/alua_access_state results in an NULL pointer dereference when the backend device has not yet been configured. This patch adds an explicit check for DF_CONFIGURED, and fails with -ENODEV to avoid this case. Reported-by: Chris Boot Reported-by: Philip Gaw Cc: Chris Boot Cc: Philip Gaw Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit c39e89784d7319f6e87d6bfb17e75fd8b95e07e2 Author: Nicholas Bellinger Date: Thu Jun 5 23:37:00 2014 -0700 target: Allow READ_CAPACITY opcode in ALUA Standby access state commit e7810c2d2c37fa8e58dda74b00790dab60fe6fba upstream. This patch allows READ_CAPACITY + SAI_READ_CAPACITY_16 opcode processing to occur while the associated ALUA group is in Standby access state. This is required to avoid host side LUN probe failures during the initial scan if an ALUA group has already implicitly changed into Standby access state. This addresses a bug reported by Chris + Philip using dm-multipath + ESX hosts configured with ALUA multipath. (Drop v3.15 specific set_ascq usage - nab) Reported-by: Chris Boot Reported-by: Philip Gaw Cc: Chris Boot Cc: Philip Gaw Cc: Hannes Reinecke Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit d5c55fa31a2947ac517abddd7ca6975a17bef178 Author: Roland Dreier Date: Thu May 29 13:32:30 2014 -0700 iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value() commit 79d59d08082dd0a0a18f8ceb78c99f9f321d72aa upstream. In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls iscsi_change_param_value() with the buffer it uses to hold the login PDU, not a temporary buffer. This leads to the login header getting corrupted and login failing for non-leading connections in MC/S. Fix this by adding a wrapper iscsi_change_param_sprintf() that handles the temporary buffer itself to avoid confusion. Also handle sending a reject in case of failure in the wrapper, which lets the calling code get quite a bit smaller and easier to read. Finally, bump the size of the temporary buffer from 32 to 64 bytes to be safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't the default but we don't need to run right at the ragged edge here) (Fix up context changes for v3.10.y - nab) Reported-by: Santosh Kulkarni Signed-off-by: Roland Dreier Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 96f27d2649c1d7252144d693ba76fa263732ffa2 Author: Nicholas Bellinger Date: Tue Jun 3 18:27:52 2014 -0700 iser-target: Fix multi network portal shutdown regression commit 2363d196686e44c0158929e7cf96c8589a24a81b upstream. This patch fixes a iser-target specific regression introduced in v3.15-rc6 with: commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a Author: Sagi Grimberg Date: Tue Apr 29 13:13:47 2014 +0300 Target/iscsi,iser: Avoid accepting transport connections during stop stage where the change to set iscsi_np->enabled = false within iscsit_clear_tpg_np_login_thread() meant that a iscsi_np with two iscsi_tpg_np exports would have it's parent iscsi_np set to a disabled state, even if other iscsi_tpg_np exports still existed. This patch changes iscsit_clear_tpg_np_login_thread() to only set iscsi_np->enabled = false when shutdown = true, and also changes iscsit_del_np() to set iscsi_np->enabled = true when iscsi_np->np_exports is non zero. (Fix up context changes for v3.10.y - nab) Cc: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit c2334086a4bb352c85c4dc9bb18d23586329fb08 Author: Sagi Grimberg Date: Tue Apr 29 13:13:47 2014 +0300 Target/iscsi,iser: Avoid accepting transport connections during stop stage commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a upstream. When the target is in stop stage, iSER transport initiates RDMA disconnects. The iSER initiator may wish to establish a new connection over the still existing network portal. In this case iSER transport should not accept and resume new RDMA connections. In order to learn that, iscsi_np is added with enabled flag so the iSER transport can check when deciding weather to accept and resume a new connection request. The iscsi_np is enabled after successful transport setup, and disabled before iscsi_np login threads are cleaned up. (Fix up context changes for v3.10.y - nab) Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit ed6b7164b4a932f91630da7dadaa1aeb33029d25 Author: Florian Westphal Date: Fri May 2 15:32:16 2014 +0200 netfilter: ipv4: defrag: set local_df flag on defragmented skb commit 895162b1101b3ea5db08ca6822ae9672717efec0 upstream. else we may fail to forward skb even if original fragments do fit outgoing link mtu: 1. remote sends 2k packets in two 1000 byte frags, DF set 2. we want to forward but only see '2k > mtu and DF set' 3. we then send icmp error saying that outgoing link is 1500 But original sender never sent a packet that would not fit the outgoing link. Setting local_df makes outgoing path test size vs. IPCB(skb)->frag_max_size, so we will still send the correct error in case the largest original size did not fit outgoing link mtu. Reported-by: Maxime Bizon Suggested-by: Maxime Bizon Fixes: 5f2d04f1f9 (ipv4: fix path MTU discovery with connection tracking) Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Cc: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit 3f3a34d420f0d08d81379c03cc7d258f2f42dc3f Author: Thomas Petazzoni Date: Mon Apr 14 17:29:21 2014 +0200 ARM: mvebu: fix NOR bus-width in Armada XP OpenBlocks AX3 Device Tree commit 6e20bae8a39c40d4e03698e4160bad2d2629062b upstream. The mvebu-devbus driver had a serious bug, which lead to a 8 bits bus width declared in the Device Tree being considered as a 16 bits bus width when configuring the hardware. This bug in mvebu-devbus driver was compensated by a symetric mistake in the Armada XP OpenBlocks AX3 Device Tree: a 8 bits bus width was declared, even though the hardware actually has a 16 bits bus width connection with the NOR flash. Now that we have fixed the mvebu-devbus driver to behave according to its Device Tree binding, this commit fixes the problematic Device Tree files as well. This bug was introduced in commit a7d4f81821f7eec3175f8e23dd6949c71ab2da43 ('ARM: mvebu: Add support for NOR flash device on Openblocks AX3 board') which was merged in v3.10. Signed-off-by: Thomas Petazzoni Link: https://lkml.kernel.org/r/1397489361-5833-5-git-send-email-thomas.petazzoni@free-electrons.com Fixes: a7d4f81821f7 ('ARM: mvebu: Add support for NOR flash device on Openblocks AX3 board') Cc: stable@vger.kernel.org # v3.10+ Acked-by: Ezequiel Garcia Acked-by: Gregory CLEMENT Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit d45ce2e25e992f1574cad76dabe0a129fc8901f7 Author: Thomas Petazzoni Date: Mon Apr 14 17:29:19 2014 +0200 ARM: mvebu: fix NOR bus-width in Armada XP GP Device Tree commit 1a88f809ccb5db1509a7514b187c00b3a995fc82 upstream. The mvebu-devbus driver had a serious bug, which lead to a 8 bits bus width declared in the Device Tree being considered as a 16 bits bus width when configuring the hardware. This bug in mvebu-devbus driver was compensated by a symetric mistake in the Armada XP GP Device Tree: a 8 bits bus width was declared, even though the hardware actually has a 16 bits bus width connection with the NOR flash. Now that we have fixed the mvebu-devbus driver to behave according to its Device Tree binding, this commit fixes the problematic Device Tree files as well. This bug was introduced in commit da8d1b38356853c37116f9afa29f15648d7fb159 ('ARM: mvebu: Add support for NOR flash device on Armada XP-GP board') which was merged in v3.10. Signed-off-by: Thomas Petazzoni Link: https://lkml.kernel.org/r/1397489361-5833-3-git-send-email-thomas.petazzoni@free-electrons.com Fixes: da8d1b383568 ('ARM: mvebu: Add support for NOR flash device on Armada XP-GP board') Cc: stable@vger.kernel.org # v3.10+ Acked-by: Ezequiel Garcia Acked-by: Gregory CLEMENT Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 868c257ab2ea3bea5900a16b502b74c09cff2f55 Author: Chris Mason Date: Tue Apr 15 18:09:24 2014 -0400 mlx4_en: don't use napi_synchronize inside mlx4_en_netpoll commit c98235cb8584a72e95786e17d695a8e5fafcd766 upstream. The mlx4 driver is triggering schedules while atomic inside mlx4_en_netpoll: spin_lock_irqsave(&cq->lock, flags); napi_synchronize(&cq->napi); ^^^^^ msleep here mlx4_en_process_rx_cq(dev, cq, 0); spin_unlock_irqrestore(&cq->lock, flags); This was part of a patch by Alexander Guller from Mellanox in 2011, but it still isn't upstream. Signed-off-by: Chris Mason Acked-By: Amir Vadai Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby Cc: Masoud Sharbiani Signed-off-by: Greg Kroah-Hartman commit 4f80c6c1825a91cecf3b3bd19c824e768d98fe48 Author: Andy Lutomirski Date: Tue Jun 10 12:45:42 2014 -0700 fs,userns: Change inode_capable to capable_wrt_inode_uidgid commit 23adbe12ef7d3d4195e80800ab36b37bee28cd03 upstream. The kernel has no concept of capabilities with respect to inodes; inodes exist independently of namespaces. For example, inode_capable(inode, CAP_LINUX_IMMUTABLE) would be nonsense. This patch changes inode_capable to check for uid and gid mappings and renames it to capable_wrt_inode_uidgid, which should make it more obvious what it does. Fixes CVE-2014-4014. Cc: Theodore Ts'o Cc: Serge Hallyn Cc: "Eric W. Biederman" Cc: Dave Chinner Signed-off-by: Andy Lutomirski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman