4.9-stable patches

added patches:
	device-dax-fix-pmd-pte-fault-fallback-handling.patch
	drm-bridge-analogix-dp-fix-runtime-pm-state-on-driver-bind.patch
	libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch
	nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch

diff --git a/queue-4.9/device-dax-fix-pmd-pte-fault-fallback-handling.patch b/queue-4.9/device-dax-fix-pmd-pte-fault-fallback-handling.patch
new file mode 100644 (file)
index 0000000..962c4b6
--- /dev/null
+++ b/queue-4.9/device-dax-fix-pmd-pte-fault-fallback-handling.patch
@@ -0,0 +1,101 @@
+From 0134ed4fb9e78672ee9f7b18007114404c81e63f Mon Sep 17 00:00:00 2001
+From: Dave Jiang <dave.jiang@intel.com>
+Date: Fri, 10 Mar 2017 13:24:22 -0700
+Subject: device-dax: fix pmd/pte fault fallback handling
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+commit 0134ed4fb9e78672ee9f7b18007114404c81e63f upstream.
+
+Jeff Moyer reports:
+
+    With a device dax alignment of 4KB or 2MB, I get sigbus when running
+    the attached fio job file for the current kernel (4.11.0-rc1+).  If
+    I specify an alignment of 1GB, it works.
+
+    I turned on debug output, and saw that it was failing in the huge
+    fault code.
+
+     dax dax1.0: dax_open
+     dax dax1.0: dax_mmap
+     dax dax1.0: dax_dev_huge_fault: fio: write (0x7f08f0a00000 -
+     dax dax1.0: __dax_dev_pud_fault: phys_to_pgoff(0xffffffffcf60
+     dax dax1.0: dax_release
+
+    fio config for reproduce:
+    [global]
+    ioengine=dev-dax
+    direct=0
+    filename=/dev/dax0.0
+    bs=2m
+
+    [write]
+    rw=write
+
+    [read]
+    stonewall
+    rw=read
+
+The driver fails to fallback when taking a fault that is larger than
+the device alignment, or handling a larger fault when a smaller
+mapping is already established. While we could support larger
+mappings for a device with a smaller alignment, that change is
+too large for the immediate fix. The simplest change is to force
+fallback until the fault size matches the alignment.
+
+Fixes: dee410792419 ("/dev/dax, core: file operations and dax-mmap")
+Cc: <stable@vger.kernel.org>
+Reported-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dax/dax.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/dax/dax.c
++++ b/drivers/dax/dax.c
+@@ -334,6 +334,7 @@ static int __dax_dev_fault(struct dax_de
+       int rc = VM_FAULT_SIGBUS;
+       phys_addr_t phys;
+       pfn_t pfn;
++      unsigned int fault_size = PAGE_SIZE;
+ 
+       if (check_vma(dax_dev, vma, __func__))
+               return VM_FAULT_SIGBUS;
+@@ -344,6 +345,9 @@ static int __dax_dev_fault(struct dax_de
+               return VM_FAULT_SIGBUS;
+       }
+ 
++      if (fault_size != dax_region->align)
++              return VM_FAULT_SIGBUS;
++
+       phys = pgoff_to_phys(dax_dev, vmf->pgoff, PAGE_SIZE);
+       if (phys == -1) {
+               dev_dbg(dev, "%s: phys_to_pgoff(%#lx) failed\n", __func__,
+@@ -389,6 +393,7 @@ static int __dax_dev_pmd_fault(struct da
+       phys_addr_t phys;
+       pgoff_t pgoff;
+       pfn_t pfn;
++      unsigned int fault_size = PMD_SIZE;
+ 
+       if (check_vma(dax_dev, vma, __func__))
+               return VM_FAULT_SIGBUS;
+@@ -405,6 +410,16 @@ static int __dax_dev_pmd_fault(struct da
+               return VM_FAULT_SIGBUS;
+       }
+ 
++      if (fault_size < dax_region->align)
++              return VM_FAULT_SIGBUS;
++      else if (fault_size > dax_region->align)
++              return VM_FAULT_FALLBACK;
++
++      /* if we are outside of the VMA */
++      if (pmd_addr < vma->vm_start ||
++                      (pmd_addr + PMD_SIZE) > vma->vm_end)
++              return VM_FAULT_SIGBUS;
++
+       pgoff = linear_page_index(vma, pmd_addr);
+       phys = pgoff_to_phys(dax_dev, pgoff, PMD_SIZE);
+       if (phys == -1) {

diff --git a/queue-4.9/drm-bridge-analogix-dp-fix-runtime-pm-state-on-driver-bind.patch b/queue-4.9/drm-bridge-analogix-dp-fix-runtime-pm-state-on-driver-bind.patch
new file mode 100644 (file)
index 0000000..f3ac09b
--- /dev/null
+++ b/queue-4.9/drm-bridge-analogix-dp-fix-runtime-pm-state-on-driver-bind.patch
@@ -0,0 +1,90 @@
+From f0a8b49c03d22a511a601dc54b2a3425a41e35fa Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Fri, 30 Dec 2016 10:57:46 +0100
+Subject: drm/bridge: analogix dp: Fix runtime PM state on driver bind
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit f0a8b49c03d22a511a601dc54b2a3425a41e35fa upstream.
+
+Analogix_dp_bind() can be called from component framework, which doesn't
+guarantee proper runtime PM state of the device during bind operation,
+so ensure that device is runtime active before doing any register access.
+This ensures that the power domain, to which DP module belongs, is turned
+on. While at it, also fix the unbalanced call to phy_power_on() in
+analogix_dp_bind() function.
+
+This patch solves the following kernel oops on Samsung Exynos5250 Snow
+board:
+
+Unhandled fault: imprecise external abort (0x406) at 0x00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: : 406 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 0 PID: 75 Comm: kworker/0:2 Not tainted 4.9.0 #1046
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+Workqueue: events deferred_probe_work_func
+task: ee272300 task.stack: ee312000
+PC is at analogix_dp_enable_sw_function+0x18/0x2c
+LR is at analogix_dp_init_dp+0x2c/0x50
+...
+[<c03fcb38>] (analogix_dp_enable_sw_function) from [<c03fa9c4>] (analogix_dp_init_dp+0x2c/0x50)
+[<c03fa9c4>] (analogix_dp_init_dp) from [<c03fab6c>] (analogix_dp_bind+0x184/0x42c)
+[<c03fab6c>] (analogix_dp_bind) from [<c03fdb84>] (component_bind_all+0xf0/0x218)
+[<c03fdb84>] (component_bind_all) from [<c03ed64c>] (exynos_drm_load+0x134/0x200)
+[<c03ed64c>] (exynos_drm_load) from [<c03d5058>] (drm_dev_register+0xa0/0xd0)
+[<c03d5058>] (drm_dev_register) from [<c03d66b8>] (drm_platform_init+0x58/0xb0)
+[<c03d66b8>] (drm_platform_init) from [<c03fe0c4>] (try_to_bring_up_master+0x14c/0x188)
+[<c03fe0c4>] (try_to_bring_up_master) from [<c03fe188>] (component_add+0x88/0x138)
+[<c03fe188>] (component_add) from [<c0403a38>] (platform_drv_probe+0x50/0xb0)
+[<c0403a38>] (platform_drv_probe) from [<c0402470>] (driver_probe_device+0x1f0/0x2a8)
+[<c0402470>] (driver_probe_device) from [<c0400a54>] (bus_for_each_drv+0x44/0x8c)
+[<c0400a54>] (bus_for_each_drv) from [<c04021f8>] (__device_attach+0x9c/0x100)
+[<c04021f8>] (__device_attach) from [<c04018e8>] (bus_probe_device+0x84/0x8c)
+[<c04018e8>] (bus_probe_device) from [<c0401d1c>] (deferred_probe_work_func+0x60/0x8c)
+[<c0401d1c>] (deferred_probe_work_func) from [<c012fc14>] (process_one_work+0x120/0x318)
+[<c012fc14>] (process_one_work) from [<c012fe34>] (process_scheduled_works+0x28/0x38)
+[<c012fe34>] (process_scheduled_works) from [<c0130048>] (worker_thread+0x204/0x4ac)
+[<c0130048>] (worker_thread) from [<c01352c4>] (kthread+0xd8/0xf4)
+[<c01352c4>] (kthread) from [<c0107978>] (ret_from_fork+0x14/0x3c)
+Code: e59035f0 e5935018 f57ff04f e3c55001 (f57ff04e)
+---[ end trace 3d1d0d87796de344 ]---
+
+Reviewed-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Archit Taneja <architt@codeaurora.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1483091866-1088-1-git-send-email-m.szyprowski@samsung.com
+Cc: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/bridge/analogix/analogix_dp_core.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
+@@ -1382,6 +1382,7 @@ int analogix_dp_bind(struct device *dev,
+ 
+       pm_runtime_enable(dev);
+ 
++      pm_runtime_get_sync(dev);
+       phy_power_on(dp->phy);
+ 
+       analogix_dp_init_dp(dp);
+@@ -1414,9 +1415,15 @@ int analogix_dp_bind(struct device *dev,
+               goto err_disable_pm_runtime;
+       }
+ 
++      phy_power_off(dp->phy);
++      pm_runtime_put(dev);
++
+       return 0;
+ 
+ err_disable_pm_runtime:
++
++      phy_power_off(dp->phy);
++      pm_runtime_put(dev);
+       pm_runtime_disable(dev);
+ 
+       return ret;

diff --git a/queue-4.9/libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch b/queue-4.9/libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch
new file mode 100644 (file)
index 0000000..f425801
--- /dev/null
+++ b/queue-4.9/libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch
@@ -0,0 +1,38 @@
+From b581a5854eee4b7851dedb0f8c2ceb54fb902c06 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Wed, 1 Mar 2017 17:33:27 +0100
+Subject: libceph: don't set weight to IN when OSD is destroyed
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.
+
+Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
+osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
+This changes the result of applying an incremental for clients, not
+just OSDs.  Because CRUSH computations are obviously affected,
+pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
+object placement, resulting in misdirected requests.
+
+Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.
+
+Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
+Link: http://tracker.ceph.com/issues/19122
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/osdmap.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1334,7 +1334,6 @@ static int decode_new_up_state_weight(vo
+               if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
+                   (xorstate & CEPH_OSD_EXISTS)) {
+                       pr_info("osd%d does not exist\n", osd);
+-                      map->osd_weight[osd] = CEPH_OSD_IN;
+                       ret = set_primary_affinity(map, osd,
+                                                  CEPH_OSD_DEFAULT_PRIMARY_AFFINITY);
+                       if (ret)

diff --git a/queue-4.9/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch b/queue-4.9/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch
new file mode 100644 (file)
index 0000000..2b2275e
--- /dev/null
+++ b/queue-4.9/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch
@@ -0,0 +1,368 @@
+From ea90e0dc8cecba6359b481e24d9c37160f6f524f Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 15 Mar 2017 14:26:04 +0100
+Subject: nl80211: fix dumpit error path RTNL deadlocks
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream.
+
+Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
+to be perfectly accurate - there are various error paths that miss unlock
+of the RTNL.
+
+To fix those, change the locking a bit to not be conditional in all those
+nl80211_prepare_*_dump() functions, but make those require the RTNL to
+start with, and fix the buggy error paths. This also let me use sparse
+(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
+validate the changes.
+
+Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |  133 ++++++++++++++++++++++---------------------------
+ 1 file changed, 60 insertions(+), 73 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -548,21 +548,17 @@ static int nl80211_prepare_wdev_dump(str
+ {
+       int err;
+ 
+-      rtnl_lock();
+-
+       if (!cb->args[0]) {
+               err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
+                                 nl80211_fam.attrbuf, nl80211_fam.maxattr,
+                                 nl80211_policy);
+               if (err)
+-                      goto out_unlock;
++                      return err;
+ 
+               *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
+                                                  nl80211_fam.attrbuf);
+-              if (IS_ERR(*wdev)) {
+-                      err = PTR_ERR(*wdev);
+-                      goto out_unlock;
+-              }
++              if (IS_ERR(*wdev))
++                      return PTR_ERR(*wdev);
+               *rdev = wiphy_to_rdev((*wdev)->wiphy);
+               /* 0 is the first index - add 1 to parse only once */
+               cb->args[0] = (*rdev)->wiphy_idx + 1;
+@@ -572,10 +568,8 @@ static int nl80211_prepare_wdev_dump(str
+               struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
+               struct wireless_dev *tmp;
+ 
+-              if (!wiphy) {
+-                      err = -ENODEV;
+-                      goto out_unlock;
+-              }
++              if (!wiphy)
++                      return -ENODEV;
+               *rdev = wiphy_to_rdev(wiphy);
+               *wdev = NULL;
+ 
+@@ -586,21 +580,11 @@ static int nl80211_prepare_wdev_dump(str
+                       }
+               }
+ 
+-              if (!*wdev) {
+-                      err = -ENODEV;
+-                      goto out_unlock;
+-              }
++              if (!*wdev)
++                      return -ENODEV;
+       }
+ 
+       return 0;
+- out_unlock:
+-      rtnl_unlock();
+-      return err;
+-}
+-
+-static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
+-{
+-      rtnl_unlock();
+ }
+ 
+ /* IE validation */
+@@ -2584,17 +2568,17 @@ static int nl80211_dump_interface(struct
+       int filter_wiphy = -1;
+       struct cfg80211_registered_device *rdev;
+       struct wireless_dev *wdev;
++      int ret;
+ 
+       rtnl_lock();
+       if (!cb->args[2]) {
+               struct nl80211_dump_wiphy_state state = {
+                       .filter_wiphy = -1,
+               };
+-              int ret;
+ 
+               ret = nl80211_dump_wiphy_parse(skb, cb, &state);
+               if (ret)
+-                      return ret;
++                      goto out_unlock;
+ 
+               filter_wiphy = state.filter_wiphy;
+ 
+@@ -2639,12 +2623,14 @@ static int nl80211_dump_interface(struct
+               wp_idx++;
+       }
+  out:
+-      rtnl_unlock();
+-
+       cb->args[0] = wp_idx;
+       cb->args[1] = if_idx;
+ 
+-      return skb->len;
++      ret = skb->len;
++ out_unlock:
++      rtnl_unlock();
++
++      return ret;
+ }
+ 
+ static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
+@@ -4371,9 +4357,10 @@ static int nl80211_dump_station(struct s
+       int sta_idx = cb->args[2];
+       int err;
+ 
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out_err;
+ 
+       if (!wdev->netdev) {
+               err = -EINVAL;
+@@ -4408,7 +4395,7 @@ static int nl80211_dump_station(struct s
+       cb->args[2] = sta_idx;
+       err = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+ 
+       return err;
+ }
+@@ -5179,9 +5166,10 @@ static int nl80211_dump_mpath(struct sk_
+       int path_idx = cb->args[2];
+       int err;
+ 
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out_err;
+ 
+       if (!rdev->ops->dump_mpath) {
+               err = -EOPNOTSUPP;
+@@ -5214,7 +5202,7 @@ static int nl80211_dump_mpath(struct sk_
+       cb->args[2] = path_idx;
+       err = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return err;
+ }
+ 
+@@ -5374,9 +5362,10 @@ static int nl80211_dump_mpp(struct sk_bu
+       int path_idx = cb->args[2];
+       int err;
+ 
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out_err;
+ 
+       if (!rdev->ops->dump_mpp) {
+               err = -EOPNOTSUPP;
+@@ -5409,7 +5398,7 @@ static int nl80211_dump_mpp(struct sk_bu
+       cb->args[2] = path_idx;
+       err = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return err;
+ }
+ 
+@@ -7556,9 +7545,12 @@ static int nl80211_dump_scan(struct sk_b
+       int start = cb->args[2], idx = 0;
+       int err;
+ 
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+-      if (err)
++      if (err) {
++              rtnl_unlock();
+               return err;
++      }
+ 
+       wdev_lock(wdev);
+       spin_lock_bh(&rdev->bss_lock);
+@@ -7581,7 +7573,7 @@ static int nl80211_dump_scan(struct sk_b
+       wdev_unlock(wdev);
+ 
+       cb->args[2] = idx;
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+ 
+       return skb->len;
+ }
+@@ -7665,9 +7657,10 @@ static int nl80211_dump_survey(struct sk
+       int res;
+       bool radio_stats;
+ 
++      rtnl_lock();
+       res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (res)
+-              return res;
++              goto out_err;
+ 
+       /* prepare_wdev_dump parsed the attributes */
+       radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
+@@ -7708,7 +7701,7 @@ static int nl80211_dump_survey(struct sk
+       cb->args[2] = survey_idx;
+       res = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return res;
+ }
+ 
+@@ -11299,17 +11292,13 @@ static int nl80211_prepare_vendor_dump(s
+       void *data = NULL;
+       unsigned int data_len = 0;
+ 
+-      rtnl_lock();
+-
+       if (cb->args[0]) {
+               /* subtract the 1 again here */
+               struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
+               struct wireless_dev *tmp;
+ 
+-              if (!wiphy) {
+-                      err = -ENODEV;
+-                      goto out_unlock;
+-              }
++              if (!wiphy)
++                      return -ENODEV;
+               *rdev = wiphy_to_rdev(wiphy);
+               *wdev = NULL;
+ 
+@@ -11330,13 +11319,11 @@ static int nl80211_prepare_vendor_dump(s
+                         nl80211_fam.attrbuf, nl80211_fam.maxattr,
+                         nl80211_policy);
+       if (err)
+-              goto out_unlock;
++              return err;
+ 
+       if (!nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID] ||
+-          !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
+-              err = -EINVAL;
+-              goto out_unlock;
+-      }
++          !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
++              return -EINVAL;
+ 
+       *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
+                                          nl80211_fam.attrbuf);
+@@ -11345,10 +11332,8 @@ static int nl80211_prepare_vendor_dump(s
+ 
+       *rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
+                                          nl80211_fam.attrbuf);
+-      if (IS_ERR(*rdev)) {
+-              err = PTR_ERR(*rdev);
+-              goto out_unlock;
+-      }
++      if (IS_ERR(*rdev))
++              return PTR_ERR(*rdev);
+ 
+       vid = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID]);
+       subcmd = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
+@@ -11361,19 +11346,15 @@ static int nl80211_prepare_vendor_dump(s
+               if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
+                       continue;
+ 
+-              if (!vcmd->dumpit) {
+-                      err = -EOPNOTSUPP;
+-                      goto out_unlock;
+-              }
++              if (!vcmd->dumpit)
++                      return -EOPNOTSUPP;
+ 
+               vcmd_idx = i;
+               break;
+       }
+ 
+-      if (vcmd_idx < 0) {
+-              err = -EOPNOTSUPP;
+-              goto out_unlock;
+-      }
++      if (vcmd_idx < 0)
++              return -EOPNOTSUPP;
+ 
+       if (nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]) {
+               data = nla_data(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
+@@ -11390,9 +11371,6 @@ static int nl80211_prepare_vendor_dump(s
+ 
+       /* keep rtnl locked in successful case */
+       return 0;
+- out_unlock:
+-      rtnl_unlock();
+-      return err;
+ }
+ 
+ static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
+@@ -11407,9 +11385,10 @@ static int nl80211_vendor_cmd_dump(struc
+       int err;
+       struct nlattr *vendor_data;
+ 
++      rtnl_lock();
+       err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out;
+ 
+       vcmd_idx = cb->args[2];
+       data = (void *)cb->args[3];
+@@ -11418,18 +11397,26 @@ static int nl80211_vendor_cmd_dump(struc
+ 
+       if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
+                          WIPHY_VENDOR_CMD_NEED_NETDEV)) {
+-              if (!wdev)
+-                      return -EINVAL;
++              if (!wdev) {
++                      err = -EINVAL;
++                      goto out;
++              }
+               if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
+-                  !wdev->netdev)
+-                      return -EINVAL;
++                  !wdev->netdev) {
++                      err = -EINVAL;
++                      goto out;
++              }
+ 
+               if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
+                       if (wdev->netdev &&
+-                          !netif_running(wdev->netdev))
+-                              return -ENETDOWN;
+-                      if (!wdev->netdev && !wdev->p2p_started)
+-                              return -ENETDOWN;
++                          !netif_running(wdev->netdev)) {
++                              err = -ENETDOWN;
++                              goto out;
++                      }
++                      if (!wdev->netdev && !wdev->p2p_started) {
++                              err = -ENETDOWN;
++                              goto out;
++                      }
+               }
+       }
+ 

diff --git a/queue-4.9/series b/queue-4.9/series
index d128e1c84b690903f4316e73372eaaf7c2018dc3..79867b0a75b728435525d3ac656862f5b429023b 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -79,3 +79,7 @@ jbd2-don-t-leak-memory-if-setting-up-journal-fails.patch
 intel_th-don-t-leak-module-refcount-on-failure-to-activate.patch
 drivers-hv-vmbus-don-t-leak-channel-ids.patch
 drivers-hv-vmbus-don-t-leak-memory-when-a-channel-is-rescinded.patch
+libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch
+device-dax-fix-pmd-pte-fault-fallback-handling.patch
+drm-bridge-analogix-dp-fix-runtime-pm-state-on-driver-bind.patch
+nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch