--- /dev/null
+From 909e481e2467f202b97d42beef246e8829416a85 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Wed, 16 Nov 2016 17:31:31 +0000
+Subject: arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit 909e481e2467f202b97d42beef246e8829416a85 upstream.
+
+The core and the cluster sleep state entry latencies can't be same as
+cluster sleep involves more work compared to core level e.g. shared
+cache maintenance.
+
+Experiments have shown on an average about 100us more latency for the
+cluster sleep state compared to the core level sleep. This patch fixes
+the entry latency for the cluster sleep state.
+
+Fixes: 28e10a8f3a03 ("arm64: dts: juno: Add idle-states to device tree")
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: "Jon Medhurst (Tixy)" <tixy@linaro.org>
+Reviewed-by: Liviu Dudau <Liviu.Dudau@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/arm/juno-r1.dts | 2 +-
+ arch/arm64/boot/dts/arm/juno-r2.dts | 2 +-
+ arch/arm64/boot/dts/arm/juno.dts | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/arm/juno-r1.dts
++++ b/arch/arm64/boot/dts/arm/juno-r1.dts
+@@ -76,7 +76,7 @@
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x1010000>;
+ local-timer-stop;
+- entry-latency-us = <300>;
++ entry-latency-us = <400>;
+ exit-latency-us = <1200>;
+ min-residency-us = <2500>;
+ };
+--- a/arch/arm64/boot/dts/arm/juno-r2.dts
++++ b/arch/arm64/boot/dts/arm/juno-r2.dts
+@@ -76,7 +76,7 @@
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x1010000>;
+ local-timer-stop;
+- entry-latency-us = <300>;
++ entry-latency-us = <400>;
+ exit-latency-us = <1200>;
+ min-residency-us = <2500>;
+ };
+--- a/arch/arm64/boot/dts/arm/juno.dts
++++ b/arch/arm64/boot/dts/arm/juno.dts
+@@ -76,7 +76,7 @@
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x1010000>;
+ local-timer-stop;
+- entry-latency-us = <300>;
++ entry-latency-us = <400>;
+ exit-latency-us = <1200>;
+ min-residency-us = <2500>;
+ };
--- /dev/null
+From e13258f38e927b61cdb5f4ad25309450d3b127d1 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 29 Oct 2016 09:18:43 +0200
+Subject: batman-adv: Detect missing primaryif during tp_send as error
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit e13258f38e927b61cdb5f4ad25309450d3b127d1 upstream.
+
+The throughput meter detects different situations as problems for the
+current test. It stops the test after these and reports it to userspace.
+This also has to be done when the primary interface disappeared during the
+test.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Reported-by: Joe Perches <joe@perches.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/tp_meter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -837,6 +837,7 @@ static int batadv_tp_send(void *arg)
+ primary_if = batadv_primary_if_get_selected(bat_priv);
+ if (unlikely(!primary_if)) {
+ err = BATADV_TP_REASON_DST_UNREACHABLE;
++ tp_vars->reason = err;
+ goto out;
+ }
+
--- /dev/null
+From ac95330b96376550ae7a533d1396272d675adfa2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phan=20Rafin?= <stephan@soliotek.com>
+Date: Fri, 4 Nov 2016 00:53:56 +0100
+Subject: clk: sunxi: Fix M factor computation for APB1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stéphan Rafin <stephan@soliotek.com>
+
+commit ac95330b96376550ae7a533d1396272d675adfa2 upstream.
+
+commit cfa636886033 ("clk: sunxi: factors: Consolidate get_factors
+parameters into a struct") introduced a regression for m factor
+computation in sun4i_get_apb1_factors function.
+
+The old code reassigned the "parent_rate" parameter to the targeted
+divisor value and was buggy for the returned frequency but not for the
+computed factors. Now, returned frequency is good but m factor is
+incorrectly computed (its max value 31 is always set resulting in a
+significantly slower frequency than the requested one...)
+
+This patch simply restores the original proper computation for m while
+keeping the good changes for returned rate.
+
+Fixes: cfa636886033 ("clk: sunxi: factors: Consolidate get_factors parameters into a struct")
+Signed-off-by: Stéphan Rafin <stephan@soliotek.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/sunxi/clk-sunxi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/sunxi/clk-sunxi.c
++++ b/drivers/clk/sunxi/clk-sunxi.c
+@@ -373,7 +373,7 @@ static void sun4i_get_apb1_factors(struc
+ else
+ calcp = 3;
+
+- calcm = (req->parent_rate >> calcp) - 1;
++ calcm = (div >> calcp) - 1;
+
+ req->rate = (req->parent_rate >> calcp) / (calcm + 1);
+ req->m = calcm;
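Review bot: `calcm = (div >> calcp) - 1;` subtracts one from a shifted value, and nothing visible in the hunk guarantees that `div >> calcp` is at least 1. If it were 0, `calcm` would become -1 (or wrap, depending on its type) and the `/ (calcm + 1)` two lines below would divide by zero or by a wrapped value. The declarations and any range check on `div` are outside the hunk, so this may already be excluded; if so, a comment such as `/* div is range-checked above, so (div >> calcp) >= 1 */` would record it. The shift also rounds the divisor down, so `req->rate` can come out above the requested rate, which is worth stating in that comment if it is intended.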
--- /dev/null
+From 5ad45307d990020b25a8f7486178b6e033790f70 Mon Sep 17 00:00:00 2001
+From: Matthias Brugger <matthias.bgg@gmail.com>
+Date: Fri, 18 Nov 2016 11:06:10 +0100
+Subject: drm/mediatek: fix null pointer dereference
+
+From: Matthias Brugger <matthias.bgg@gmail.com>
+
+commit 5ad45307d990020b25a8f7486178b6e033790f70 upstream.
+
+The probe function requests the interrupt before initializing
+the ddp component. Which leads to a null pointer dereference at boot.
+Fix this by requesting the interrput after all components got
+initialized properly.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Change-Id: I57193a7ab554dfb37c35a455900689333adf511c
+
+---
+ drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
++++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
+@@ -249,13 +249,6 @@ static int mtk_disp_ovl_probe(struct pla
+ if (irq < 0)
+ return irq;
+
+- ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
+- IRQF_TRIGGER_NONE, dev_name(dev), priv);
+- if (ret < 0) {
+- dev_err(dev, "Failed to request irq %d: %d\n", irq, ret);
+- return ret;
+- }
+-
+ comp_id = mtk_ddp_comp_get_id(dev->of_node, MTK_DISP_OVL);
+ if (comp_id < 0) {
+ dev_err(dev, "Failed to identify by alias: %d\n", comp_id);
+@@ -271,6 +264,13 @@ static int mtk_disp_ovl_probe(struct pla
+
+ platform_set_drvdata(pdev, priv);
+
++ ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
++ IRQF_TRIGGER_NONE, dev_name(dev), priv);
++ if (ret < 0) {
++ dev_err(dev, "Failed to request irq %d: %d\n", irq, ret);
++ return ret;
++ }
++
+ ret = component_add(dev, &mtk_disp_ovl_component_ops);
+ if (ret)
+ dev_err(dev, "Failed to add component: %d\n", ret);
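Review bot: The relocated `devm_request_irq()` call in mtk_disp_ovl_probe has an ordering requirement that the code does not state. Per the commit message, the handler can run as soon as the IRQ is requested and dereferences the ddp component, so the request must stay after that initialization. A comment above the call, e.g. `/* Request the IRQ last: the handler uses priv, which must be fully initialized */`, would protect against a later reorder. The initialization between the two hunks is not visible here, so I cannot confirm that everything the handler touches is set up by this point.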
--- /dev/null
+From a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 30 Nov 2016 22:21:05 +0300
+Subject: KVM: use after free in kvm_ioctl_create_device()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 upstream.
+
+We should move the ops->destroy(dev) after the list_del(&dev->vm_node)
+so that we don't use "dev" after freeing it.
+
+Fixes: a28ebea2adc4 ("KVM: Protect device ops->create and list_add with kvm->lock")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2852,10 +2852,10 @@ static int kvm_ioctl_create_device(struc
+
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
+- ops->destroy(dev);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
++ ops->destroy(dev);
+ return ret;
+ }
+
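Review bot: The failure path after `anon_inode_getfd()` now depends on a strict order (unlink under `kvm->lock`, then `ops->destroy(dev)`), and nothing in the code says why. A later cleanup could swap the calls back and reintroduce the use-after-free. Going by the commit message, `destroy()` frees `dev`, so I would add `/* destroy() frees dev: unlink it from kvm->devices first */` above `ops->destroy(dev);`. The call should also stay on the local `ops` rather than `dev->ops`, for the same reason. kvm_ioctl_create_device() starts and continues outside the hunk, so whether another path can still hold a pointer to the listed device at this point cannot be checked from here.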
--- /dev/null
+From ae31fe51a3cceaa0cabdb3058f69669ecb47f12e Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Tue, 22 Nov 2016 10:57:42 +0100
+Subject: perf/x86: Restore TASK_SIZE check on frame pointer
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit ae31fe51a3cceaa0cabdb3058f69669ecb47f12e upstream.
+
+The following commit:
+
+ 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses")
+
+... switched from copy_from_user_nmi() to __copy_from_user_nmi() with a manual
+access_ok() check.
+
+Unfortunately, copy_from_user_nmi() does an explicit check against TASK_SIZE,
+whereas the access_ok() uses whatever the current address limit of the task is.
+
+We are getting NMIs when __probe_kernel_read() has switched to KERNEL_DS, and
+then see vmalloc faults when we access what looks like pointers into vmalloc
+space:
+
+ [] WARNING: CPU: 3 PID: 3685731 at arch/x86/mm/fault.c:435 vmalloc_fault+0x289/0x290
+ [] CPU: 3 PID: 3685731 Comm: sh Tainted: G W 4.6.0-5_fbk1_223_gdbf0f40 #1
+ [] Call Trace:
+ [] <NMI> [<ffffffff814717d1>] dump_stack+0x4d/0x6c
+ [] [<ffffffff81076e43>] __warn+0xd3/0xf0
+ [] [<ffffffff81076f2d>] warn_slowpath_null+0x1d/0x20
+ [] [<ffffffff8104a899>] vmalloc_fault+0x289/0x290
+ [] [<ffffffff8104b5a0>] __do_page_fault+0x330/0x490
+ [] [<ffffffff8104b70c>] do_page_fault+0xc/0x10
+ [] [<ffffffff81794e82>] page_fault+0x22/0x30
+ [] [<ffffffff81006280>] ? perf_callchain_user+0x100/0x2a0
+ [] [<ffffffff8115124f>] get_perf_callchain+0x17f/0x190
+ [] [<ffffffff811512c7>] perf_callchain+0x67/0x80
+ [] [<ffffffff8114e750>] perf_prepare_sample+0x2a0/0x370
+ [] [<ffffffff8114e840>] perf_event_output+0x20/0x60
+ [] [<ffffffff8114aee7>] ? perf_event_update_userpage+0xc7/0x130
+ [] [<ffffffff8114ea01>] __perf_event_overflow+0x181/0x1d0
+ [] [<ffffffff8114f484>] perf_event_overflow+0x14/0x20
+ [] [<ffffffff8100a6e3>] intel_pmu_handle_irq+0x1d3/0x490
+ [] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] [<ffffffff81197191>] ? vunmap_page_range+0x1a1/0x2f0
+ [] [<ffffffff811972f1>] ? unmap_kernel_range_noflush+0x11/0x20
+ [] [<ffffffff814f2056>] ? ghes_copy_tofrom_phys+0x116/0x1f0
+ [] [<ffffffff81040d1d>] ? x2apic_send_IPI_self+0x1d/0x20
+ [] [<ffffffff8100411d>] perf_event_nmi_handler+0x2d/0x50
+ [] [<ffffffff8101ea31>] nmi_handle+0x61/0x110
+ [] [<ffffffff8101ef94>] default_do_nmi+0x44/0x110
+ [] [<ffffffff8101f13b>] do_nmi+0xdb/0x150
+ [] [<ffffffff81795187>] end_repeat_nmi+0x1a/0x1e
+ [] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] <<EOE>> <IRQ> [<ffffffff8115d05e>] ? __probe_kernel_read+0x3e/0xa0
+
+Fix this by moving the valid_user_frame() check to before the uaccess
+that loads the return address and the pointer to the next frame.
+
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: linux-kernel@vger.kernel.org
+Fixes: 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/core.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2344,7 +2344,7 @@ perf_callchain_user32(struct pt_regs *re
+ frame.next_frame = 0;
+ frame.return_address = 0;
+
+- if (!access_ok(VERIFY_READ, fp, 8))
++ if (!valid_user_frame(fp, sizeof(frame)))
+ break;
+
+ bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4);
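Review bot: The `valid_user_frame(fp, sizeof(frame))` guard in perf_callchain_user32 is now the only check before the `__copy_from_user_nmi()` reads, and the code does not record why it must not be `access_ok()`. Per the commit message, access_ok() follows the task's current address limit, which may be KERNEL_DS when the NMI arrives, while the restored check appears to be bounded by TASK_SIZE. A comment above the guard, e.g. `/* NMI may hit under KERNEL_DS: check against TASK_SIZE, not addr_limit */`, would keep it from being changed back; the same applies to the perf_callchain_user hunk. The guard covers `sizeof(frame)` bytes while the 32-bit read uses a literal 4, so it relies on the frame struct holding exactly the fields that are read. The second read and the struct definition are outside the hunk.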
+@@ -2354,9 +2354,6 @@ perf_callchain_user32(struct pt_regs *re
+ if (bytes != 0)
+ break;
+
+- if (!valid_user_frame(fp, sizeof(frame)))
+- break;
+-
+ perf_callchain_store(entry, cs_base + frame.return_address);
+ fp = compat_ptr(ss_base + frame.next_frame);
+ }
+@@ -2405,7 +2402,7 @@ perf_callchain_user(struct perf_callchai
+ frame.next_frame = NULL;
+ frame.return_address = 0;
+
+- if (!access_ok(VERIFY_READ, fp, sizeof(*fp) * 2))
++ if (!valid_user_frame(fp, sizeof(frame)))
+ break;
+
+ bytes = __copy_from_user_nmi(&frame.next_frame, fp, sizeof(*fp));
+@@ -2415,9 +2412,6 @@ perf_callchain_user(struct perf_callchai
+ if (bytes != 0)
+ break;
+
+- if (!valid_user_frame(fp, sizeof(frame)))
+- break;
+-
+ perf_callchain_store(entry, frame.return_address);
+ fp = (void __user *)frame.next_frame;
+ }
--- /dev/null
+From 0e1614ac84f1719d87bed577963bb8140d0c9ce8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Nov 2016 11:46:39 +0100
+Subject: pwm: Fix device reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0e1614ac84f1719d87bed577963bb8140d0c9ce8 upstream.
+
+Make sure to drop the reference to the parent device taken by
+class_find_device() after "unexporting" any children when deregistering
+a PWM chip.
+
+Fixes: 0733424c9ba9 ("pwm: Unexport children before chip removal")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/sysfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pwm/sysfs.c
++++ b/drivers/pwm/sysfs.c
+@@ -425,6 +425,8 @@ void pwmchip_sysfs_unexport_children(str
+ if (test_bit(PWMF_EXPORTED, &pwm->flags))
+ pwm_unexport_child(parent, pwm);
+ }
++
++ put_device(parent);
+ }
+
+ static int __init pwm_sysfs_init(void)
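Review bot: `put_device(parent);` at the end of pwmchip_sysfs_unexport_children has no visible counterpart in the hunk, so the get/put pairing is only clear from the commit message. I would add `/* drop the reference taken by class_find_device() */` above it. The lookup itself is outside the hunk, so I cannot check that every path which obtained the reference reaches this line.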
drm-radeon-fix-power-state-when-port-pm-is-unavailable-v2.patch
drm-amdgpu-fix-check-for-port-pm-availability.patch
drm-radeon-fix-check-for-port-pm-availability.patch
+arm64-dts-juno-fix-cluster-sleep-state-entry-latency-on-all-soc-versions.patch
+kvm-use-after-free-in-kvm_ioctl_create_device.patch
+pwm-fix-device-reference-leak.patch
+drm-mediatek-fix-null-pointer-dereference.patch
+perf-x86-restore-task_size-check-on-frame-pointer.patch
+clk-sunxi-fix-m-factor-computation-for-apb1.patch
+batman-adv-detect-missing-primaryif-during-tp_send-as-error.patch