If doc_probe_device() returned an ERR_PTR, then we accidentally saved
that to docg3_floors[floor] = mtd; which gets derefenced in the error
handling when we call doc_release_device().

I've reworked the error handling to take care of that and hopefully
make it a little simpler.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Acked-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

In ancient times it was necessary to manually initialize the bus field of an
spi_driver to spi_bus_type. These days this is done in spi_driver_register(),
so we can drop the manual assignment.

The patch was generated using the following coccinelle semantic patch:
// <smpl>
@@
identifier _driver;
@@
struct spi_driver _driver = {
	.driver = {
-		.bus = &spi_bus_type,
	},
};
// </smpl>
Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

As each docg3 chip has 2 protection areas (DPS0 and DPS1),
and because theses areas can prevent user access to the chip
data, add for each floor the sysfs entries which insert the
protection key into the right DPS.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Docg3 chips can work in 3 modes : normal MLC mode, fast
mode and reliable mode. Normally, as docg3 is a MLC chip, it
should be configured to work in normal mode.

In both normal mode, each page is distinct. This
means that writing to page 12 of blocks 14,15 writes only to
that page, and reading from page 12 of blocks 14,15 reads
only from that page.

In reliable and fast modes, pages are coupled by pairs, and
are clones one of each other. This means that the available
capacity of the chip is halved. Pages are coupled in each
block, and page of index 2*n contains the same data as page
2*n+1 of the same block.

In fast mode, the reads occur a bit faster, but are a bit
less reliable that in normal mode.

When reading from page 2*n, the chip reads bytes from both
page 2*n and page 2*n+1, makes a logical and for each byte,
and returns the result. As programming a page means
"clearing bits", even if a bit was not cleared on one page
because the flash is worn out, the other page has the bit
cleared, and the result of the "AND" gives a correct result.

When writing to page 2*n, the chip writes data to both page
2*n and page 2*n+1.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add functions to powerdown and powerup from suspend, in
order to save power.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Credit for discovering the BCH algorith parameters, and bit
reversing algorithm is to be give to Mike Dunn and Ivan
Djelic.

The BCH correction code relied upon the BCH library, where
all data and ECC is bit-reversed. The BCH library works
correctly when each input byte is bit-reversed, and
accordingly ECC output is also bit-reversed.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Map the developped write and erase functions into the mtd
structure.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add erase capability to the docg3 driver. The erase block is
made of 2 physical blocks, as both share all 64 pages. That
makes an erase block of at least 64 kBytes.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add write capability to the docg3 driver. The writes are
possible on a single page (512 bytes + 16 bytes), even if
that page is split on 2 physical pages on 2 blocks (each on
one plane).
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add OOB buffer area to store the OOB data until the actual
page is written, so that it can be completed by hardware ECC
generator.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add the required registers and commands to erase and write
flash pages / blocks.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add OOB layout description for docg3, so that userspace can
use this information to setup the data for write_oob().
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Add support for multiple floors, ie. cascaded docg3
chips. There might be 4 docg3 chips cascaded, sharing the
same address space, and providing up to 4 times the storage
capacity of a unique chip.

Each floor will be seen as an independant mtd device.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Fix the docg3 reads to be able to cope with all possible
data buffer / oob buffer / file mode combinations from
docg3_read_oob().
This especially ensures that raw reads do not use ECC
corrections, and AUTOOOB and PLACEOOB do use ECC
correction.

The approach is to empty docg3_read() and make it a wrapper
to docg3_read_oob(). As docg3_read_oob() handles all the
funny cases (no data buffer but oob buffer, data buffer but
no oob buffer, ...), docg3_read() is just a special use of
docg3_read_oob().
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

BCH registers are contiguous, not on every byte. Fix the
register definitions.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

The protection areas boundaries were on 16bit registers, not
8bit. This is consistent with block numbers, which can
extend up to 4096 on bigger chips (and is 2048 on the
docg3).
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Writeb was incorrectly traced as a 16 bits write, instead of
a 8 bits write. Fix it by tracing the correct width.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Change the NOP debug log verbosity to very verbose to
unburden log analysis.
Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reviewed-by: NIvan Djelic <ivan.djelic@parrot.com>
Reviewed-by: NMike Dunn <mikedunn@newsguy.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Making  MTD_NAND_OMAP2 depend on ARCH_OMAP2PLUS instead of
oring with ARCH2/3/4.
Reported-by: NRussell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: NShubhrajyoti D <shubhrajyoti@ti.com>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

This patch allows each CFI device map to use its own endianness. The
globally defined CFI endianness (CONFIG_MTD_CFI_NOSWAP,
CONFIG_MTD_CFI_BE_BYTE_SWAP or CONFIG_MTD_CFI_LE_BYTE_SWAP) becomes the
default value which can be overridden by a driver for a particular device.
Signed-off-by: NAaron Sierra <asierra@xes-inc.com>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Some error paths in mtd_blkdevs were fixed in the following commit:

    commit 94735ec4
    mtd: mtd_blkdevs: fix error path in blktrans_open

But on these error paths, the block device's `dev->open' count is
already incremented before we check for errors. This meant that, while
the error path was handled correctly on the first time through
blktrans_open(), the device is erroneously considered already open on
the second time through.

This problem can be seen, for instance, when a UBI volume is
simultaneously mounted as a UBIFS partition and read through its
corresponding gluebi mtdblockX device. This results in blktrans_open()
passing its error checks (with `dev->open > 0') without actually having
a handle on the device. Here's a summarized log of the actions and
results with nandsim:

    # modprobe nandsim
    # modprobe mtdblock
    # modprobe gluebi
    # modprobe ubifs
    # ubiattach /dev/ubi_ctrl -m 0
    ...
    # ubimkvol /dev/ubi0 -N test -s 16MiB
    ...
    # mount -t ubifs ubi0:test /mnt
    # ls /dev/mtdblock*
    /dev/mtdblock0  /dev/mtdblock1
    # cat /dev/mtdblock1 > /dev/null
    cat: can't open '/dev/mtdblock4': Device or resource busy
    # cat /dev/mtdblock1 > /dev/null

    CPU 0 Unable to handle kernel paging request at virtual address
    fffffff0, epc == 8031536c, ra == 8031f280
    Oops[#1]:
    ...
    Call Trace:
    [<8031536c>] ubi_leb_read+0x14/0x164
    [<8031f280>] gluebi_read+0xf0/0x148
    [<802edba8>] mtdblock_readsect+0x64/0x198
    [<802ecfe4>] mtd_blktrans_thread+0x330/0x3f4
    [<8005be98>] kthread+0x88/0x90
    [<8000bc04>] kernel_thread_helper+0x10/0x18

Cc: stable@kernel.org [3.0+]
Signed-off-by: NBrian Norris <computersforpeace@gmail.com>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Signed-off-by: NBrian Norris <computersforpeace@gmail.com>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Macronix MX30LF1208AA is a 512 Mbit NAND with device code 0xF0.
Signed-off-by: NBrian Norris <computersforpeace@gmail.com>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

Macronix is produing SLC NAND MX30LF1208AA, so add their manufacturer
code to the manufacturer lists.
Signed-off-by: NBrian Norris <computersforpeace@gmail.com>
Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  VFS: Fix race between CPU hotplug and lglocks

for linus: writeback reason binary tracing format fix

* tag 'writeback' of git://git.kernel.org/pub/scm/linux/kernel/git/wfg/linux:
  writeback: show writeback reason with __print_symbolic

* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
  kconfig: adapt update-po-config to new UML layout

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] omap3isp: Fix crash caused by subdevs now having a pointer to devnodes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: call d_instantiate after all ops are setup
  Btrfs: fix worker lock misuse in find_worker

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
  sparc64: Fix MSIQ HV call ordering in pci_sun4v_msiq_build_irq().

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  netfilter: xt_connbytes: handle negation correctly
  net: relax rcvbuf limits
  rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
  net: introduce DST_NOPEER dst flag
  mqprio: Avoid panic if no options are provided
  bridge: provide a mtu() method for fake_dst_ops

"! --connbytes 23:42" should match if the packet/byte count is not in range.

As there is no explict "invert match" toggle in the match structure,
userspace swaps the from and to arguments
(i.e., as if "--connbytes 42:23" were given).

However, "what <= 23 && what >= 42" will always be false.

Change things so we use "||" in case "from" is larger than "to".

This change may look like it breaks backwards compatibility when "to" is 0.
However, older iptables binaries will refuse "connbytes 42:0",
and current releases treat it to mean "! --connbytes 0:42",
so we should be fine.
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>

This closes races where btrfs is calling d_instantiate too soon during
inode creation.  All of the callers of btrfs_add_nondir are updated to
instantiate after the inode is fully setup in memory.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NChris Mason <chris.mason@oracle.com>

Dan Carpenter noticed that we were doing a double unlock on the worker
lock, and sometimes picking a worker thread without the lock held.

This fixes both errors.
Signed-off-by: NChris Mason <chris.mason@oracle.com>
Reported-by: NDan Carpenter <dan.carpenter@oracle.com>

skb->truesize might be big even for a small packet.

Its even bigger after commit 87fb4b7b (net: more accurate skb
truesize) and big MTU.

We should allow queueing at least one packet per receiver, even with a
low RCVBUF setting.
Reported-by: NMichal Simek <monstr@monstr.eu>
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
cause a kernel oops due to insufficient bounds checking.

	if (count > 1<<30) {
		/* Enforce a limit to prevent overflow */
		return -EINVAL;
	}
	count = roundup_pow_of_two(count);
	table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));

Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:

	... + (count * sizeof(struct rps_dev_flow))

where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
32 bits.

This patch replaces the magic number (1 << 30) with a symbolic bound.
Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NXi Wang <xi.wang@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Chris Boot reported crashes occurring in ipv6_select_ident().

[  461.457562] RIP: 0010:[<ffffffff812dde61>]  [<ffffffff812dde61>]
ipv6_select_ident+0x31/0xa7

[  461.578229] Call Trace:
[  461.580742] <IRQ>
[  461.582870]  [<ffffffff812efa7f>] ? udp6_ufo_fragment+0x124/0x1a2
[  461.589054]  [<ffffffff812dbfe0>] ? ipv6_gso_segment+0xc0/0x155
[  461.595140]  [<ffffffff812700c6>] ? skb_gso_segment+0x208/0x28b
[  461.601198]  [<ffffffffa03f236b>] ? ipv6_confirm+0x146/0x15e
[nf_conntrack_ipv6]
[  461.608786]  [<ffffffff81291c4d>] ? nf_iterate+0x41/0x77
[  461.614227]  [<ffffffff81271d64>] ? dev_hard_start_xmit+0x357/0x543
[  461.620659]  [<ffffffff81291cf6>] ? nf_hook_slow+0x73/0x111
[  461.626440]  [<ffffffffa0379745>] ? br_parse_ip_options+0x19a/0x19a
[bridge]
[  461.633581]  [<ffffffff812722ff>] ? dev_queue_xmit+0x3af/0x459
[  461.639577]  [<ffffffffa03747d2>] ? br_dev_queue_push_xmit+0x72/0x76
[bridge]
[  461.646887]  [<ffffffffa03791e3>] ? br_nf_post_routing+0x17d/0x18f
[bridge]
[  461.653997]  [<ffffffff81291c4d>] ? nf_iterate+0x41/0x77
[  461.659473]  [<ffffffffa0374760>] ? br_flood+0xfa/0xfa [bridge]
[  461.665485]  [<ffffffff81291cf6>] ? nf_hook_slow+0x73/0x111
[  461.671234]  [<ffffffffa0374760>] ? br_flood+0xfa/0xfa [bridge]
[  461.677299]  [<ffffffffa0379215>] ?
nf_bridge_update_protocol+0x20/0x20 [bridge]
[  461.684891]  [<ffffffffa03bb0e5>] ? nf_ct_zone+0xa/0x17 [nf_conntrack]
[  461.691520]  [<ffffffffa0374760>] ? br_flood+0xfa/0xfa [bridge]
[  461.697572]  [<ffffffffa0374812>] ? NF_HOOK.constprop.8+0x3c/0x56
[bridge]
[  461.704616]  [<ffffffffa0379031>] ?
nf_bridge_push_encap_header+0x1c/0x26 [bridge]
[  461.712329]  [<ffffffffa037929f>] ? br_nf_forward_finish+0x8a/0x95
[bridge]
[  461.719490]  [<ffffffffa037900a>] ?
nf_bridge_pull_encap_header+0x1c/0x27 [bridge]
[  461.727223]  [<ffffffffa0379974>] ? br_nf_forward_ip+0x1c0/0x1d4 [bridge]
[  461.734292]  [<ffffffff81291c4d>] ? nf_iterate+0x41/0x77
[  461.739758]  [<ffffffffa03748cc>] ? __br_deliver+0xa0/0xa0 [bridge]
[  461.746203]  [<ffffffff81291cf6>] ? nf_hook_slow+0x73/0x111
[  461.751950]  [<ffffffffa03748cc>] ? __br_deliver+0xa0/0xa0 [bridge]
[  461.758378]  [<ffffffffa037533a>] ? NF_HOOK.constprop.4+0x56/0x56
[bridge]

This is caused by bridge netfilter special dst_entry (fake_rtable), a
special shared entry, where attaching an inetpeer makes no sense.

Problem is present since commit 87c48fa3 (ipv6: make fragment
identifications less predictable)

Introduce DST_NOPEER dst flag and make sure ipv6_select_ident() and
__ip_select_ident() fallback to the 'no peer attached' handling.
Reported-by: NChris Boot <bootc@bootc.net>
Tested-by: NChris Boot <bootc@bootc.net>
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Userspace may not provide TCA_OPTIONS, in fact tc currently does
so not do so if no arguments are specified on the command line.
Return EINVAL instead of panicing.
Signed-off-by: NThomas Graf <tgraf@redhat.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>