4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Mar 2016 22:23:12 +0000 (14:23 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Mar 2016 22:23:12 +0000 (14:23 -0800)
added patches:
arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch
arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch
bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
block-fix-use-after-free-in-dio_bio_complete.patch
cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch
do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch
hpfs-don-t-truncate-the-file-when-delete-fails.patch
i2c-i801-adding-intel-lewisburg-support-for-itco.patch
kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
kvm-x86-fix-missed-hardware-breakpoints.patch
kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch
nfs-fix-nfs_size_to_loff_t.patch
nfsv4-fix-a-dentry-leak-on-alias-use.patch
of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch
phy-core-fix-wrong-err-handle-for-phy_power_on.patch
powerpc-eeh-fix-partial-hotplug-criterion.patch
should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
sunrpc-cache-fix-off-by-one-in-qword_get.patch
tracing-fix-showing-function-event-in-available_events.patch
writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch
x86-entry-compat-add-missing-clac-to-entry_int80_32.patch
x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch
xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
xen-scsiback-correct-frontend-counting.patch

32 files changed:
queue-4.4/arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch [new file with mode: 0644]
queue-4.4/arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch [new file with mode: 0644]
queue-4.4/bio-return-eintr-if-copying-to-user-space-got-interrupted.patch [new file with mode: 0644]
queue-4.4/block-fix-use-after-free-in-dio_bio_complete.patch [new file with mode: 0644]
queue-4.4/cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch [new file with mode: 0644]
queue-4.4/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch [new file with mode: 0644]
queue-4.4/do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch [new file with mode: 0644]
queue-4.4/hpfs-don-t-truncate-the-file-when-delete-fails.patch [new file with mode: 0644]
queue-4.4/i2c-i801-adding-intel-lewisburg-support-for-itco.patch [new file with mode: 0644]
queue-4.4/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch [new file with mode: 0644]
queue-4.4/kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch [new file with mode: 0644]
queue-4.4/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch [new file with mode: 0644]
queue-4.4/kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch [new file with mode: 0644]
queue-4.4/kvm-x86-fix-missed-hardware-breakpoints.patch [new file with mode: 0644]
queue-4.4/kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch [new file with mode: 0644]
queue-4.4/nfs-fix-nfs_size_to_loff_t.patch [new file with mode: 0644]
queue-4.4/nfsv4-fix-a-dentry-leak-on-alias-use.patch [new file with mode: 0644]
queue-4.4/of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch [new file with mode: 0644]
queue-4.4/phy-core-fix-wrong-err-handle-for-phy_power_on.patch [new file with mode: 0644]
queue-4.4/powerpc-eeh-fix-partial-hotplug-criterion.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/should_follow_link-validate-d_seq-after-having-decided-to-follow.patch [new file with mode: 0644]
queue-4.4/sunrpc-cache-fix-off-by-one-in-qword_get.patch [new file with mode: 0644]
queue-4.4/tracing-fix-showing-function-event-in-available_events.patch [new file with mode: 0644]
queue-4.4/writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch [new file with mode: 0644]
queue-4.4/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch [new file with mode: 0644]
queue-4.4/x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch [new file with mode: 0644]
queue-4.4/xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch [new file with mode: 0644]
queue-4.4/xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch [new file with mode: 0644]
queue-4.4/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch [new file with mode: 0644]
queue-4.4/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch [new file with mode: 0644]
queue-4.4/xen-scsiback-correct-frontend-counting.patch [new file with mode: 0644]

diff --git a/queue-4.4/arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch b/queue-4.4/arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch
new file mode 100644 (file)
index 0000000..04ff466
--- /dev/null
@@ -0,0 +1,34 @@
+From 5e45a2589d24573c564630990c88ac93659f8fe4 Mon Sep 17 00:00:00 2001
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+Date: Fri, 19 Feb 2016 20:21:17 +0100
+Subject: ARM: at91/dt: fix typo in sama5d2 pinmux descriptions
+
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+
+commit 5e45a2589d24573c564630990c88ac93659f8fe4 upstream.
+
+PIN_PA15 macro has the same value as PIN_PA14 so we were overriding PA14
+mux/configuration.
+
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Reported-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Fixes: 7f16cb676c00 ("ARM: at91/dt: add sama5d2 pinmux")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sama5d2-pinfunc.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/sama5d2-pinfunc.h
++++ b/arch/arm/boot/dts/sama5d2-pinfunc.h
+@@ -90,7 +90,7 @@
+ #define PIN_PA14__I2SC1_MCK           PINMUX_PIN(PIN_PA14, 4, 2)
+ #define PIN_PA14__FLEXCOM3_IO2                PINMUX_PIN(PIN_PA14, 5, 1)
+ #define PIN_PA14__D9                  PINMUX_PIN(PIN_PA14, 6, 2)
+-#define PIN_PA15                      14
++#define PIN_PA15                      15
+ #define PIN_PA15__GPIO                        PINMUX_PIN(PIN_PA15, 0, 0)
+ #define PIN_PA15__SPI0_MOSI           PINMUX_PIN(PIN_PA15, 1, 1)
+ #define PIN_PA15__TF1                 PINMUX_PIN(PIN_PA15, 2, 1)
diff --git a/queue-4.4/arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch b/queue-4.4/arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch
new file mode 100644 (file)
index 0000000..7f9a549
--- /dev/null
@@ -0,0 +1,55 @@
+From 3f315c5b850fa7aff73f50de8e316b98f611a32b Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Fri, 5 Feb 2016 16:37:08 +0200
+Subject: ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption
+
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+
+commit 3f315c5b850fa7aff73f50de8e316b98f611a32b upstream.
+
+Commit e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid
+filesystem corruption") partially fixed onenand configuration when GPMC
+module is reset. Finish the job by also providing the correct values in
+ONENAND_REG_SYS_CFG1 register.
+
+Fixes: e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid
+filesystem corruption")
+Signed-off-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/gpmc-onenand.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-omap2/gpmc-onenand.c
++++ b/arch/arm/mach-omap2/gpmc-onenand.c
+@@ -101,10 +101,8 @@ static void omap2_onenand_set_async_mode
+ static void set_onenand_cfg(void __iomem *onenand_base)
+ {
+-      u32 reg;
++      u32 reg = ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT;
+-      reg = readw(onenand_base + ONENAND_REG_SYS_CFG1);
+-      reg &= ~((0x7 << ONENAND_SYS_CFG1_BRL_SHIFT) | (0x7 << 9));
+       reg |=  (latency << ONENAND_SYS_CFG1_BRL_SHIFT) |
+               ONENAND_SYS_CFG1_BL_16;
+       if (onenand_flags & ONENAND_FLAG_SYNCREAD)
+@@ -123,6 +121,7 @@ static void set_onenand_cfg(void __iomem
+               reg |= ONENAND_SYS_CFG1_VHF;
+       else
+               reg &= ~ONENAND_SYS_CFG1_VHF;
++
+       writew(reg, onenand_base + ONENAND_REG_SYS_CFG1);
+ }
+@@ -289,6 +288,7 @@ static int omap2_onenand_setup_async(voi
+               }
+       }
++      onenand_async.sync_write = true;
+       omap2_onenand_calc_async_timings(&t);
+       ret = gpmc_cs_program_settings(gpmc_onenand_data->cs, &onenand_async);
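Review bot: With `reg` now initialised to a fixed mask at the top of set_onenand_cfg() instead of being read back from ONENAND_REG_SYS_CFG1, the `else reg &= ~ONENAND_SYS_CFG1_VHF;` in the second hunk (and, presumably, the matching clears for the other flags in the unshown middle of the function) can no longer clear anything and is dead code; each `if`/`else` pair could collapse to `if (onenand_flags & ONENAND_FLAG_VHF) reg |= ONENAND_SYS_CFG1_VHF;`. The rationale for dropping the read-modify-write lives only in the commit message, so a line above the initialiser such as `/* program every CFG1 field explicitly; the read-back value is not trusted after a GPMC reset */` would keep it from being reintroduced. set_onenand_cfg()'s middle section and omap2_onenand_setup_async() both extend outside the hunks.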
diff --git a/queue-4.4/bio-return-eintr-if-copying-to-user-space-got-interrupted.patch b/queue-4.4/bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
new file mode 100644 (file)
index 0000000..e4bce4c
--- /dev/null
@@ -0,0 +1,50 @@
+From 2d99b55d378c996b9692a0c93dd25f4ed5d58934 Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Fri, 12 Feb 2016 09:39:15 +0100
+Subject: bio: return EINTR if copying to user space got interrupted
+
+From: Hannes Reinecke <hare@suse.de>
+
+commit 2d99b55d378c996b9692a0c93dd25f4ed5d58934 upstream.
+
+Commit 35dc248383bbab0a7203fca4d722875bc81ef091 introduced a check for
+current->mm to see if we have a user space context and only copies data
+if we do. Now if an IO gets interrupted by a signal data isn't copied
+into user space any more (as we don't have a user space context) but
+user space isn't notified about it.
+
+This patch modifies the behaviour to return -EINTR from bio_uncopy_user()
+to notify userland that a signal has interrupted the syscall, otherwise
+it could lead to a situation where the caller may get a buffer with
+no data returned.
+
+This can be reproduced by issuing SG_IO ioctl()s in one thread while
+constantly sending signals to it.
+
+Fixes: 35dc248 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1090,9 +1090,12 @@ int bio_uncopy_user(struct bio *bio)
+       if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
+               /*
+                * if we're in a workqueue, the request is orphaned, so
+-               * don't copy into a random user address space, just free.
++               * don't copy into a random user address space, just free
++               * and return -EINTR so user space doesn't expect any data.
+                */
+-              if (current->mm && bio_data_dir(bio) == READ)
++              if (!current->mm)
++                      ret = -EINTR;
++              else if (bio_data_dir(bio) == READ)
+                       ret = bio_copy_to_iter(bio, bmd->iter);
+               if (bmd->is_our_pages)
+                       bio_free_pages(bio);
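Review bot: The new `if (!current->mm) ret = -EINTR;` keys the error on the absence of a user mm, which is true for any kernel-thread caller and not only for a request orphaned by a signal, so such a caller now gets -EINTR for WRITE bios as well, where nothing needed to be copied back. If that is intended, the comment should say so and name the real condition, e.g. `/* no user context (orphaned request finished from a workqueue): nothing can be copied back, report -EINTR so the caller is not handed an empty buffer */`; the fix only has an effect if the callers on the orphaned path propagate the value, and they are outside this hunk. bio_uncopy_user()'s prologue and its final return are also outside the hunk.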
diff --git a/queue-4.4/block-fix-use-after-free-in-dio_bio_complete.patch b/queue-4.4/block-fix-use-after-free-in-dio_bio_complete.patch
new file mode 100644 (file)
index 0000000..d67c237
--- /dev/null
@@ -0,0 +1,95 @@
+From 7ddc971f86aa0a4cee9f6886c356a052461957ae Mon Sep 17 00:00:00 2001
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+Date: Sat, 30 Jan 2016 19:09:59 +0300
+Subject: block: fix use-after-free in dio_bio_complete
+
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+
+commit 7ddc971f86aa0a4cee9f6886c356a052461957ae upstream.
+
+kasan reported the following error when i ran xfstest:
+
+[  701.826854] ==================================================================
+[  701.826864] BUG: KASAN: use-after-free in dio_bio_complete+0x41a/0x600 at addr ffff880080b95f94
+[  701.826870] Read of size 4 by task loop2/3874
+[  701.826879] page:ffffea000202e540 count:0 mapcount:0 mapping:          (null) index:0x0
+[  701.826890] flags: 0x100000000000000()
+[  701.826895] page dumped because: kasan: bad access detected
+[  701.826904] CPU: 3 PID: 3874 Comm: loop2 Tainted: G    B   W    L  4.5.0-rc1-next-20160129 #83
+[  701.826910] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
+[  701.826917]  ffff88008fadf800 ffff88008fadf758 ffffffff81ca67bb 0000000041b58ab3
+[  701.826941]  ffffffff830d1e74 ffffffff81ca6724 ffff88008fadf748 ffffffff8161c05c
+[  701.826963]  0000000000000282 ffff88008fadf800 ffffed0010172bf2 ffffea000202e540
+[  701.826987] Call Trace:
+[  701.826997]  [<ffffffff81ca67bb>] dump_stack+0x97/0xdc
+[  701.827005]  [<ffffffff81ca6724>] ? _atomic_dec_and_lock+0xc4/0xc4
+[  701.827014]  [<ffffffff8161c05c>] ? __dump_page+0x32c/0x490
+[  701.827023]  [<ffffffff816b0d03>] kasan_report_error+0x5f3/0x8b0
+[  701.827033]  [<ffffffff817c302a>] ? dio_bio_complete+0x41a/0x600
+[  701.827040]  [<ffffffff816b1119>] __asan_report_load4_noabort+0x59/0x80
+[  701.827048]  [<ffffffff817c302a>] ? dio_bio_complete+0x41a/0x600
+[  701.827053]  [<ffffffff817c302a>] dio_bio_complete+0x41a/0x600
+[  701.827057]  [<ffffffff81bd19c8>] ? blk_queue_exit+0x108/0x270
+[  701.827060]  [<ffffffff817c32b0>] dio_bio_end_aio+0xa0/0x4d0
+[  701.827063]  [<ffffffff817c3210>] ? dio_bio_complete+0x600/0x600
+[  701.827067]  [<ffffffff81bd2806>] ? blk_account_io_completion+0x316/0x5d0
+[  701.827070]  [<ffffffff81bafe89>] bio_endio+0x79/0x200
+[  701.827074]  [<ffffffff81bd2c9f>] blk_update_request+0x1df/0xc50
+[  701.827078]  [<ffffffff81c02c27>] blk_mq_end_request+0x57/0x120
+[  701.827081]  [<ffffffff81c03670>] __blk_mq_complete_request+0x310/0x590
+[  701.827084]  [<ffffffff812348d8>] ? set_next_entity+0x2f8/0x2ed0
+[  701.827088]  [<ffffffff8124b34d>] ? put_prev_entity+0x22d/0x2a70
+[  701.827091]  [<ffffffff81c0394b>] blk_mq_complete_request+0x5b/0x80
+[  701.827094]  [<ffffffff821e2a33>] loop_queue_work+0x273/0x19d0
+[  701.827098]  [<ffffffff811f6578>] ? finish_task_switch+0x1c8/0x8e0
+[  701.827101]  [<ffffffff8129d058>] ? trace_hardirqs_on_caller+0x18/0x6c0
+[  701.827104]  [<ffffffff821e27c0>] ? lo_read_simple+0x890/0x890
+[  701.827108]  [<ffffffff8129dd60>] ? debug_check_no_locks_freed+0x350/0x350
+[  701.827111]  [<ffffffff811f63b0>] ? __hrtick_start+0x130/0x130
+[  701.827115]  [<ffffffff82a0c8f6>] ? __schedule+0x936/0x20b0
+[  701.827118]  [<ffffffff811dd6bd>] ? kthread_worker_fn+0x3ed/0x8d0
+[  701.827121]  [<ffffffff811dd4ed>] ? kthread_worker_fn+0x21d/0x8d0
+[  701.827125]  [<ffffffff8129d058>] ? trace_hardirqs_on_caller+0x18/0x6c0
+[  701.827128]  [<ffffffff811dd57f>] kthread_worker_fn+0x2af/0x8d0
+[  701.827132]  [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
+[  701.827135]  [<ffffffff82a1ea46>] ? _raw_spin_unlock_irqrestore+0x36/0x60
+[  701.827138]  [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
+[  701.827141]  [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
+[  701.827144]  [<ffffffff811dd00b>] kthread+0x24b/0x3a0
+[  701.827148]  [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
+[  701.827151]  [<ffffffff8129d70d>] ? trace_hardirqs_on+0xd/0x10
+[  701.827155]  [<ffffffff8116d41d>] ? do_group_exit+0xdd/0x350
+[  701.827158]  [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
+[  701.827161]  [<ffffffff82a1f52f>] ret_from_fork+0x3f/0x70
+[  701.827165]  [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
+[  701.827167] Memory state around the buggy address:
+[  701.827170]  ffff880080b95e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  701.827172]  ffff880080b95f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  701.827175] >ffff880080b95f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  701.827177]                          ^
+[  701.827179]  ffff880080b96000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  701.827182]  ffff880080b96080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  701.827183] ==================================================================
+
+The problem is that bio_check_pages_dirty calls bio_put, so we must
+not access bio fields after bio_check_pages_dirty.
+
+Fixes: 9b81c842355ac96097ba ("block: don't access bio->bi_error after bio_put()").
+Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/fs/direct-io.c b/fs/direct-io.c
+index 1b2f7ffc8b84..d6a9012d42ad 100644
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -472,8 +472,8 @@ static int dio_bio_complete(struct dio *dio, struct bio *bio)
+               dio->io_error = -EIO;
+       if (dio->is_async && dio->rw == READ && dio->should_dirty) {
+-              bio_check_pages_dirty(bio);     /* transfers ownership */
+               err = bio->bi_error;
++              bio_check_pages_dirty(bio);     /* transfers ownership */
+       } else {
+               bio_for_each_segment_all(bvec, bio, i) {
+                       struct page *page = bvec->bv_page;
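Review bot: The reordering at `err = bio->bi_error;` is only correct because bio_check_pages_dirty() may drop the last reference, and nothing in the code says so; the `/* transfers ownership */` on the call is the sole hint and is easy to miss, so the next refactor could swap the two lines back. I would annotate the read itself: `err = bio->bi_error; /* must precede bio_check_pages_dirty(): it may bio_put() the bio */`. dio_bio_complete() begins before the hunk and the `else` branch that walks the pages continues after it.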
diff --git a/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch b/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch
new file mode 100644 (file)
index 0000000..03b69f4
--- /dev/null
@@ -0,0 +1,106 @@
+From aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 21 Jan 2016 15:31:11 -0500
+Subject: cgroup: make sure a parent css isn't offlined before its children
+
+From: Tejun Heo <tj@kernel.org>
+
+commit aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 upstream.
+
+There are three subsystem callbacks in css shutdown path -
+css_offline(), css_released() and css_free().  Except for
+css_released(), cgroup core didn't guarantee the order of invocation.
+css_offline() or css_free() could be called on a parent css before its
+children.  This behavior is unexpected and led to bugs in cpu and
+memory controller.
+
+This patch updates offline path so that a parent css is never offlined
+before its children.  Each css keeps online_cnt which reaches zero iff
+itself and all its children are offline and offline_css() is invoked
+only after online_cnt reaches zero.
+
+This fixes the memory controller bug and allows the fix for cpu
+controller.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reported-by: Brian Christiansen <brian.o.christiansen@gmail.com>
+Link: http://lkml.kernel.org/g/5698A023.9070703@de.ibm.com
+Link: http://lkml.kernel.org/g/CAKB58ikDkzc8REt31WBkD99+hxNzjK4+FBmhkgS+NVrC9vjMSg@mail.gmail.com
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cgroup-defs.h |    6 ++++++
+ kernel/cgroup.c             |   22 +++++++++++++++++-----
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -133,6 +133,12 @@ struct cgroup_subsys_state {
+        */
+       u64 serial_nr;
++      /*
++       * Incremented by online self and children.  Used to guarantee that
++       * parents are not offlined before their children.
++       */
++      atomic_t online_cnt;
++
+       /* percpu_ref killing and RCU release */
+       struct rcu_head rcu_head;
+       struct work_struct destroy_work;
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4784,6 +4784,7 @@ static void init_and_link_css(struct cgr
+       INIT_LIST_HEAD(&css->sibling);
+       INIT_LIST_HEAD(&css->children);
+       css->serial_nr = css_serial_nr_next++;
++      atomic_set(&css->online_cnt, 0);
+       if (cgroup_parent(cgrp)) {
+               css->parent = cgroup_css(cgroup_parent(cgrp), ss);
+@@ -4806,6 +4807,10 @@ static int online_css(struct cgroup_subs
+       if (!ret) {
+               css->flags |= CSS_ONLINE;
+               rcu_assign_pointer(css->cgroup->subsys[ss->id], css);
++
++              atomic_inc(&css->online_cnt);
++              if (css->parent)
++                      atomic_inc(&css->parent->online_cnt);
+       }
+       return ret;
+ }
+@@ -5037,10 +5042,15 @@ static void css_killed_work_fn(struct wo
+               container_of(work, struct cgroup_subsys_state, destroy_work);
+       mutex_lock(&cgroup_mutex);
+-      offline_css(css);
+-      mutex_unlock(&cgroup_mutex);
+-      css_put(css);
++      do {
++              offline_css(css);
++              css_put(css);
++              /* @css can't go away while we're holding cgroup_mutex */
++              css = css->parent;
++      } while (css && atomic_dec_and_test(&css->online_cnt));
++
++      mutex_unlock(&cgroup_mutex);
+ }
+ /* css kill confirmation processing requires process context, bounce */
+@@ -5049,8 +5059,10 @@ static void css_killed_ref_fn(struct per
+       struct cgroup_subsys_state *css =
+               container_of(ref, struct cgroup_subsys_state, refcnt);
+-      INIT_WORK(&css->destroy_work, css_killed_work_fn);
+-      queue_work(cgroup_destroy_wq, &css->destroy_work);
++      if (atomic_dec_and_test(&css->online_cnt)) {
++              INIT_WORK(&css->destroy_work, css_killed_work_fn);
++              queue_work(cgroup_destroy_wq, &css->destroy_work);
++      }
+ }
+ /**
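Review bot: css_killed_ref_fn() now queues destroy_work only when `atomic_dec_and_test(&css->online_cnt)` fires, but online_cnt is incremented only in the `!ret` branch of online_css(), so a css that is killed without ever having gone online would take 0 to -1 and its offline/put work would never run. The creation path appears to keep such a css from reaching kill_css(), but that path is outside the hunk, so the invariant deserves `WARN_ON_ONCE(atomic_read(&css->online_cnt) <= 0);` or at least a comment before the dec. In css_killed_work_fn() the loop reads `css->parent` after `css_put(css)`, which the added comment justifies by cgroup_mutex; loading the parent into a local before the put would make the ordering self-evident rather than comment-dependent. online_css()'s prologue and the surrounding helpers are outside the hunks.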
diff --git a/queue-4.4/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch b/queue-4.4/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
new file mode 100644 (file)
index 0000000..aa67d8d
--- /dev/null
@@ -0,0 +1,35 @@
+From c80567c82ae4814a41287618e315a60ecf513be6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:17:33 -0500
+Subject: do_last(): don't let a bogus return value from ->open() et.al. to confuse us
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.
+
+... into returning a positive to path_openat(), which would interpret that
+as "symlink had been encountered" and proceed to corrupt memory, etc.
+It can only happen due to a bug in some ->open() instance or in some LSM
+hook, etc., so we report any such event *and* make sure it doesn't trick
+us into further unpleasantness.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3210,6 +3210,10 @@ opened:
+                       goto exit_fput;
+       }
+ out:
++      if (unlikely(error > 0)) {
++              WARN_ON(1);
++              error = -EINVAL;
++      }
+       if (got_write)
+               mnt_drop_write(nd->path.mnt);
+       path_put(&save_parent);
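Review bot: The `WARN_ON(1)` in the new `if (unlikely(error > 0))` block at `out:` fires on every occurrence, so a broken ->open() or LSM hook that keeps returning a positive value floods the log with identical backtraces. Since the purpose is to report a kernel bug, the once-only idiom fits better and folds the test into the warning: `if (WARN_ON_ONCE(error > 0)) error = -EINVAL;`. The reason positive values are dangerous lives only in the commit message, so a comment such as `/* a positive return would be read by path_openat() as "symlink encountered" */` belongs on the check. do_last()'s body begins before the hunk and the rest of the `out:` cleanup follows it.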
diff --git a/queue-4.4/do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch b/queue-4.4/do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch
new file mode 100644 (file)
index 0000000..b5d000b
--- /dev/null
@@ -0,0 +1,43 @@
+From 5129fa482b16615fd4464d2f5d23acb1b7056c66 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:37:37 -0500
+Subject: do_last(): ELOOP failure exit should be done after leaving RCU mode
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 5129fa482b16615fd4464d2f5d23acb1b7056c66 upstream.
+
+... or we risk seeing a bogus value of d_is_symlink() there.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3149,11 +3149,6 @@ finish_lookup:
+       if (unlikely(error))
+               return error;
+-      if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
+-              path_to_nameidata(&path, nd);
+-              return -ELOOP;
+-      }
+-
+       if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path.mnt) {
+               path_to_nameidata(&path, nd);
+       } else {
+@@ -3172,6 +3167,10 @@ finish_open:
+               return error;
+       }
+       audit_inode(nd->name, nd->path.dentry, 0);
++      if (unlikely(d_is_symlink(nd->path.dentry)) && !(open_flag & O_PATH)) {
++              error = -ELOOP;
++              goto out;
++      }
+       error = -EISDIR;
+       if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
+               goto out;
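Review bot: The relocated `d_is_symlink()` check at `finish_open:` carries no comment on why it cannot stay at `finish_lookup:`, so a later cleanup could move it back in front of the RCU drop that this patch depends on; add `/* only valid after leaving RCU-walk: d_is_symlink() can be stale under LOOKUP_RCU */` above the `if`. The check also now runs after `audit_inode()`, so the rejected open is audited before -ELOOP is returned, which may be intended but is a behaviour change worth a word in the commit message. The `out:` label and the else-branch of the `LOOKUP_RCU` test are outside this hunk.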
diff --git a/queue-4.4/hpfs-don-t-truncate-the-file-when-delete-fails.patch b/queue-4.4/hpfs-don-t-truncate-the-file-when-delete-fails.patch
new file mode 100644 (file)
index 0000000..a972358
--- /dev/null
@@ -0,0 +1,86 @@
+From b6853f78e763d42c7a158d8de3549c9827c604ab Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mikulas@twibright.com>
+Date: Thu, 25 Feb 2016 18:17:38 +0100
+Subject: hpfs: don't truncate the file when delete fails
+
+From: Mikulas Patocka <mikulas@twibright.com>
+
+commit b6853f78e763d42c7a158d8de3549c9827c604ab upstream.
+
+The delete opration can allocate additional space on the HPFS filesystem
+due to btree split. The HPFS driver checks in advance if there is
+available space, so that it won't corrupt the btree if we run out of space
+during splitting.
+
+If there is not enough available space, the HPFS driver attempted to
+truncate the file, but this results in a deadlock since the commit
+7dd29d8d865efdb00c0542a5d2c87af8c52ea6c7 ("HPFS: Introduce a global mutex
+and lock it on every callback from VFS").
+
+This patch removes the code that tries to truncate the file and -ENOSPC is
+returned instead. If the user hits -ENOSPC on delete, he should try to
+delete other files (that are stored in a leaf btree node), so that the
+delete operation will make some space for deleting the file stored in
+non-leaf btree node.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/namei.c |   31 +++----------------------------
+ 1 file changed, 3 insertions(+), 28 deletions(-)
+
+--- a/fs/hpfs/namei.c
++++ b/fs/hpfs/namei.c
+@@ -375,12 +375,11 @@ static int hpfs_unlink(struct inode *dir
+       struct inode *inode = d_inode(dentry);
+       dnode_secno dno;
+       int r;
+-      int rep = 0;
+       int err;
+       hpfs_lock(dir->i_sb);
+       hpfs_adjust_length(name, &len);
+-again:
++
+       err = -ENOENT;
+       de = map_dirent(dir, hpfs_i(dir)->i_dno, name, len, &dno, &qbh);
+       if (!de)
+@@ -400,33 +399,9 @@ again:
+               hpfs_error(dir->i_sb, "there was error when removing dirent");
+               err = -EFSERROR;
+               break;
+-      case 2:         /* no space for deleting, try to truncate file */
+-
++      case 2:         /* no space for deleting */
+               err = -ENOSPC;
+-              if (rep++)
+-                      break;
+-
+-              dentry_unhash(dentry);
+-              if (!d_unhashed(dentry)) {
+-                      hpfs_unlock(dir->i_sb);
+-                      return -ENOSPC;
+-              }
+-              if (generic_permission(inode, MAY_WRITE) ||
+-                  !S_ISREG(inode->i_mode) ||
+-                  get_write_access(inode)) {
+-                      d_rehash(dentry);
+-              } else {
+-                      struct iattr newattrs;
+-                      /*pr_info("truncating file before delete.\n");*/
+-                      newattrs.ia_size = 0;
+-                      newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
+-                      err = notify_change(dentry, &newattrs, NULL);
+-                      put_write_access(inode);
+-                      if (!err)
+-                              goto again;
+-              }
+-              hpfs_unlock(dir->i_sb);
+-              return -ENOSPC;
++              break;
+       default:
+               drop_nlink(inode);
+               err = 0;
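Review bot: The rewritten `case 2:` now just sets `err = -ENOSPC` and its comment no longer records why the truncate fallback was removed, so the next person to hit ENOSPC on unlink may be tempted to reintroduce it; replace `/* no space for deleting */` with `/* no space for the btree split; do not truncate the file here, notify_change() would deadlock against the lock taken by hpfs_lock() above */`. The commit message's hint that deleting files stored in leaf nodes first frees space would be worth one more line in that comment. hpfs_unlink() begins before the hunk and the common unlock/return path this `break` now reaches is after it.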
diff --git a/queue-4.4/i2c-i801-adding-intel-lewisburg-support-for-itco.patch b/queue-4.4/i2c-i801-adding-intel-lewisburg-support-for-itco.patch
new file mode 100644 (file)
index 0000000..48478f7
--- /dev/null
@@ -0,0 +1,38 @@
+From 1a1503c5396eb7f2edf4b8ef6067853014478c0c Mon Sep 17 00:00:00 2001
+From: Alexandra Yates <alexandra.yates@linux.intel.com>
+Date: Wed, 17 Feb 2016 18:21:21 -0800
+Subject: i2c: i801: Adding Intel Lewisburg support for iTCO
+
+From: Alexandra Yates <alexandra.yates@linux.intel.com>
+
+commit 1a1503c5396eb7f2edf4b8ef6067853014478c0c upstream.
+
+Starting from Intel Sunrisepoint (Skylake PCH) the iTCO watchdog
+resources have been moved to reside under the i801 SMBus host
+controller whereas previously they were under the LPC device.
+
+This patch adds Intel lewisburg SMBus support for iTCO device.
+It allows to load watchdog dynamically when the hardware is
+present.
+
+Fixes: cdc5a3110e7c ("i2c: i801: add Intel Lewisburg device IDs")
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Alexandra Yates <alexandra.yates@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1271,6 +1271,8 @@ static int i801_probe(struct pci_dev *de
+       switch (dev->device) {
+       case PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_SMBUS:
+       case PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_SMBUS:
++      case PCI_DEVICE_ID_INTEL_LEWISBURG_SMBUS:
++      case PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS:
+       case PCI_DEVICE_ID_INTEL_DNV_SMBUS:
+               priv->features |= FEATURE_I2C_BLOCK_READ;
+               priv->features |= FEATURE_IRQ;
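Review bot: The two new `case PCI_DEVICE_ID_INTEL_LEWISBURG_SMBUS:` / `case PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS:` labels only compile if those IDs already exist in this tree's pci_ids.h; the Fixes: tag names cdc5a3110e7c as the commit that introduced them, so the 4.4 backport needs that commit (or its ID definitions) present, which cannot be verified from this hunk. Nothing else in the switch is affected; i801_probe() extends beyond the hunk on both sides.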
diff --git a/queue-4.4/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch b/queue-4.4/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
new file mode 100644 (file)
index 0000000..776cb44
--- /dev/null
@@ -0,0 +1,53 @@
+From 59ceeaaf355fa0fb16558ef7c24413c804932ada Mon Sep 17 00:00:00 2001
+From: Simon Guinot <simon.guinot@sequanux.org>
+Date: Thu, 10 Sep 2015 00:15:18 +0200
+Subject: kernel/resource.c: fix muxed resource handling in __request_region()
+
+From: Simon Guinot <simon.guinot@sequanux.org>
+
+commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.
+
+In __request_region, if a conflict with a BUSY and MUXED resource is
+detected, then the caller goes to sleep and waits for the resource to be
+released.  A pointer on the conflicting resource is kept.  At wake-up
+this pointer is used as a parent to retry to request the region.
+
+A first problem is that this pointer might well be invalid (if for
+example the conflicting resource have already been freed).  Another
+problem is that the next call to __request_region() fails to detect a
+remaining conflict.  The previously conflicting resource is passed as a
+parameter and __request_region() will look for a conflict among the
+children of this resource and not at the resource itself.  It is likely
+to succeed anyway, even if there is still a conflict.
+
+Instead, the parent of the conflicting resource should be passed to
+__request_region().
+
+As a fix, this patch doesn't update the parent resource pointer in the
+case we have to wait for a muxed region right after.
+
+Reported-and-tested-by: Vincent Pelletier <plr.vincent@gmail.com>
+Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
+Tested-by: Vincent Donnefort <vdonnefort@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/resource.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -1083,9 +1083,10 @@ struct resource * __request_region(struc
+               if (!conflict)
+                       break;
+               if (conflict != parent) {
+-                      parent = conflict;
+-                      if (!(conflict->flags & IORESOURCE_BUSY))
++                      if (!(conflict->flags & IORESOURCE_BUSY)) {
++                              parent = conflict;
+                               continue;
++                      }
+               }
+               if (conflict->flags & flags & IORESOURCE_MUXED) {
+                       add_wait_queue(&muxed_resource_wait, &wait);
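Review bot: The new `if (!(conflict->flags & IORESOURCE_BUSY)) { parent = conflict; continue; }` shape is correct, but nothing at the site records why a BUSY conflict must not become `parent` — the commit message carries the whole argument (the conflict may be freed while this caller sleeps on muxed_resource_wait, and retrying from it would skip the conflict check on the resource itself), so a later "simplification" back to the old form is easy. I would add above the inner `if`: `/* Only descend into a non-BUSY conflict: a BUSY one may be freed while we sleep below, and retrying from it would miss a remaining conflict. */`. `conflict` is still dereferenced on the next line for the MUXED test, which is fine since it was just returned under resource_lock. __request_region starts and ends outside the hunk.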
diff --git a/queue-4.4/kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch b/queue-4.4/kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
new file mode 100644 (file)
index 0000000..e418cf0
--- /dev/null
@@ -0,0 +1,93 @@
+From 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 16 Feb 2016 14:47:31 +0000
+Subject: KVM: arm/arm64: vgic: Ensure bitmaps are long enough
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 upstream.
+
+When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of
+bits we need by 8 to figure out how many bytes to allocate. However,
+bitmap elements are always accessed as unsigned longs, and if we didn't
+happen to allocate a size such that size % sizeof(unsigned long) == 0,
+bitmap accesses may go past the end of the allocation.
+
+When using KASAN (which does byte-granular access checks), this results
+in a continuous stream of BUGs whenever these bitmaps are accessed:
+
+=============================================================================
+BUG kmalloc-128 (Tainted: G    B          ): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730
+INFO: Slab 0xffffffbde6d5da40 objects=16 used=15 fp=0xffffffc935769700 flags=0x4000000000000080
+INFO: Object 0xffffffc935769500 @offset=1280 fp=0x          (null)
+
+Bytes b4 ffffffc9357694f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffffffc935769570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Padding ffffffc9357695b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Padding ffffffc9357695c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Padding ffffffc9357695d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Padding ffffffc9357695e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Padding ffffffc9357695f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: G    B           4.4.0+ #17
+Hardware name: ARM Juno development board (r1) (DT)
+Call trace:
+[<ffffffc00008e770>] dump_backtrace+0x0/0x280
+[<ffffffc00008ea04>] show_stack+0x14/0x20
+[<ffffffc000726360>] dump_stack+0x100/0x188
+[<ffffffc00030d324>] print_trailer+0xfc/0x168
+[<ffffffc000312294>] object_err+0x3c/0x50
+[<ffffffc0003140fc>] kasan_report_error+0x244/0x558
+[<ffffffc000314548>] __asan_report_load8_noabort+0x48/0x50
+[<ffffffc000745688>] __bitmap_or+0xc0/0xc8
+[<ffffffc0000d9e44>] kvm_vgic_flush_hwstate+0x1bc/0x650
+[<ffffffc0000c514c>] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60
+[<ffffffc0000b9a6c>] kvm_vcpu_ioctl+0x474/0xa68
+[<ffffffc00036b7b0>] do_vfs_ioctl+0x5b8/0xcb0
+[<ffffffc00036bf34>] SyS_ioctl+0x8c/0xa0
+[<ffffffc000086cb0>] el0_svc_naked+0x24/0x28
+Memory state around the buggy address:
+ ffffffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffffffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                   ^
+ ffffffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Fix the issue by always allocating a multiple of sizeof(unsigned long),
+as we do elsewhere in the vgic code.
+
+Fixes: c1bfb577a ("arm/arm64: KVM: vgic: switch to dynamic allocation")
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1875,8 +1875,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vc
+ static int vgic_vcpu_init_maps(struct kvm_vcpu *vcpu, int nr_irqs)
+ {
+       struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
+-
+-      int sz = (nr_irqs - VGIC_NR_PRIVATE_IRQS) / 8;
++      int nr_longs = BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS);
++      int sz = nr_longs * sizeof(unsigned long);
+       vgic_cpu->pending_shared = kzalloc(sz, GFP_KERNEL);
+       vgic_cpu->active_shared = kzalloc(sz, GFP_KERNEL);
+       vgic_cpu->pend_act_shared = kzalloc(sz, GFP_KERNEL);
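Review bot: `BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS)` is still evaluated on an unguarded signed subtraction, so a caller passing nr_irqs < VGIC_NR_PRIVATE_IRQS would produce a zero or negative long count that is then multiplied and handed to kzalloc(); presumably nr_irqs is validated before reaching vgic_vcpu_init_maps, but that is not visible here and worth confirming. `sz` is also declared `int` while receiving `nr_longs * sizeof(unsigned long)`; `size_t sz` would match kzalloc()'s parameter and avoid the narrowing. A one-line comment would keep the rounding from being "simplified" away again: `/* Round up to whole longs: bitmap_*() accesses these as unsigned long[] */`. The function continues past the hunk.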
diff --git a/queue-4.4/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch b/queue-4.4/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
new file mode 100644 (file)
index 0000000..e49c815
--- /dev/null
@@ -0,0 +1,52 @@
+From d7444794a02ff655eda87e3cc54e86b940e7736f Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 19 Feb 2016 13:11:46 +0100
+Subject: KVM: async_pf: do not warn on page allocation failures
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream.
+
+In async_pf we try to allocate with NOWAIT to get an element quickly
+or fail. This code also handle failures gracefully. Lets silence
+potential page allocation failures under load.
+
+qemu-system-s39: page allocation failure: order:0,mode:0x2200000
+[...]
+Call Trace:
+([<00000000001146b8>] show_trace+0xf8/0x148)
+[<000000000011476a>] show_stack+0x62/0xe8
+[<00000000004a36b8>] dump_stack+0x70/0x98
+[<0000000000272c3a>] warn_alloc_failed+0xd2/0x148
+[<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38
+[<00000000002cd36a>] new_slab+0x382/0x400
+[<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378
+[<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0
+[<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198
+[<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
+[<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690
+[<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510
+[<00000000002f68ec>] SyS_ioctl+0xa4/0xb8
+[<0000000000781c5e>] system_call+0xd6/0x264
+[<000003ffa24fa06a>] 0x3ffa24fa06a
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/async_pf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -173,7 +173,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+        * do alloc nowait since if we are going to sleep anyway we
+        * may as well sleep faulting in page
+        */
+-      work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT);
++      work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN);
+       if (!work)
+               return 0;
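Review bot: The rationale for `__GFP_NOWARN` lives only in the commit message; the in-code comment above the allocation still explains only the NOWAIT choice, so the next reader has no hint that the flag is deliberate. Extending that comment, e.g. `* NOWARN: failure is handled right below (we return 0), so don't log it under memory pressure`, ties the flag to the visible `if (!work) return 0;` path. kvm_setup_async_pf starts outside the hunk.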
diff --git a/queue-4.4/kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch b/queue-4.4/kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
new file mode 100644 (file)
index 0000000..5e4178d
--- /dev/null
@@ -0,0 +1,57 @@
+From 0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 19 Feb 2016 18:07:21 +0100
+Subject: KVM: x86: fix conversion of addresses to linear in 32-bit protected mode
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70 upstream.
+
+Commit e8dd2d2d641c ("Silence compiler warning in arch/x86/kvm/emulate.c",
+2015-09-06) broke boot of the Hurd.  The bug is that the "default:"
+case actually could modify "la", but after the patch this change is
+not reflected in *linear.
+
+The bug is visible whenever a non-zero segment base causes the linear
+address to wrap around the 4GB mark.
+
+Fixes: e8dd2d2d641cb2724ee10e76c0ad02e04289c017
+Reported-by: Aurelien Jarno <aurelien@aurel32.net>
+Tested-by: Aurelien Jarno <aurelien@aurel32.net>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -650,10 +650,10 @@ static __always_inline int __linearize(s
+       u16 sel;
+       la = seg_base(ctxt, addr.seg) + addr.ea;
+-      *linear = la;
+       *max_size = 0;
+       switch (mode) {
+       case X86EMUL_MODE_PROT64:
++              *linear = la;
+               if (is_noncanonical_address(la))
+                       goto bad;
+@@ -662,6 +662,7 @@ static __always_inline int __linearize(s
+                       goto bad;
+               break;
+       default:
++              *linear = la = (u32)la;
+               usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
+                                               addr.seg);
+               if (!usable)
+@@ -689,7 +690,6 @@ static __always_inline int __linearize(s
+                       if (size > *max_size)
+                               goto bad;
+               }
+-              la &= (u32)-1;
+               break;
+       }
+       if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
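Review bot: `*linear = la = (u32)la;` in the `default:` arm now truncates before the segment limit and alignment checks, and nothing at the site says that the wrap at 4GB is intended rather than an accident of the cast; the commit message explains it only via the Hurd symptom. I would add above that line: `/* Outside long mode linear addresses wrap at 4GB: truncate before the limit and alignment checks below. */`. Note that `*linear` is still stored before the `goto bad` exits in both arms, as it was before the change, so callers must continue to ignore it on a non-CONTINUE return. __linearize starts and ends outside the hunk.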
diff --git a/queue-4.4/kvm-x86-fix-missed-hardware-breakpoints.patch b/queue-4.4/kvm-x86-fix-missed-hardware-breakpoints.patch
new file mode 100644 (file)
index 0000000..347e1a3
--- /dev/null
@@ -0,0 +1,130 @@
+From 172b2386ed16a9143d9a456aae5ec87275c61489 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Feb 2016 17:50:23 +0100
+Subject: KVM: x86: fix missed hardware breakpoints
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 172b2386ed16a9143d9a456aae5ec87275c61489 upstream.
+
+Sometimes when setting a breakpoint a process doesn't stop on it.
+This is because the debug registers are not loaded correctly on
+VCPU load.
+
+The following simple reproducer from Oleg Nesterov tries using debug
+registers in two threads.  To see the bug, run a 2-VCPU guest with
+"taskset -c 0" and run "./bp 0 1" inside the guest.
+
+    #include <unistd.h>
+    #include <signal.h>
+    #include <stdlib.h>
+    #include <stdio.h>
+    #include <sys/wait.h>
+    #include <sys/ptrace.h>
+    #include <sys/user.h>
+    #include <asm/debugreg.h>
+    #include <assert.h>
+
+    #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
+
+    unsigned long encode_dr7(int drnum, int enable, unsigned int type, unsigned int len)
+    {
+        unsigned long dr7;
+
+        dr7 = ((len | type) & 0xf)
+            << (DR_CONTROL_SHIFT + drnum * DR_CONTROL_SIZE);
+        if (enable)
+            dr7 |= (DR_GLOBAL_ENABLE << (drnum * DR_ENABLE_SIZE));
+
+        return dr7;
+    }
+
+    int write_dr(int pid, int dr, unsigned long val)
+    {
+        return ptrace(PTRACE_POKEUSER, pid,
+                offsetof (struct user, u_debugreg[dr]),
+                val);
+    }
+
+    void set_bp(pid_t pid, void *addr)
+    {
+        unsigned long dr7;
+        assert(write_dr(pid, 0, (long)addr) == 0);
+        dr7 = encode_dr7(0, 1, DR_RW_EXECUTE, DR_LEN_1);
+        assert(write_dr(pid, 7, dr7) == 0);
+    }
+
+    void *get_rip(int pid)
+    {
+        return (void*)ptrace(PTRACE_PEEKUSER, pid,
+                offsetof(struct user, regs.rip), 0);
+    }
+
+    void test(int nr)
+    {
+        void *bp_addr = &&label + nr, *bp_hit;
+        int pid;
+
+        printf("test bp %d\n", nr);
+        assert(nr < 16); // see 16 asm nops below
+
+        pid = fork();
+        if (!pid) {
+            assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
+            kill(getpid(), SIGSTOP);
+            for (;;) {
+                label: asm (
+                    "nop; nop; nop; nop;"
+                    "nop; nop; nop; nop;"
+                    "nop; nop; nop; nop;"
+                    "nop; nop; nop; nop;"
+                );
+            }
+        }
+
+        assert(pid == wait(NULL));
+        set_bp(pid, bp_addr);
+
+        for (;;) {
+            assert(ptrace(PTRACE_CONT, pid, 0, 0) == 0);
+            assert(pid == wait(NULL));
+
+            bp_hit = get_rip(pid);
+            if (bp_hit != bp_addr)
+                fprintf(stderr, "ERR!! hit wrong bp %ld != %d\n",
+                    bp_hit - &&label, nr);
+        }
+    }
+
+    int main(int argc, const char *argv[])
+    {
+        while (--argc) {
+            int nr = atoi(*++argv);
+            if (!fork())
+                test(nr);
+        }
+
+        while (wait(NULL) > 0)
+            ;
+        return 0;
+    }
+
+Suggested-by: Nadav Amit <namit@cs.technion.ac.il>
+Reported-by: Andrey Wagin <avagin@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2736,6 +2736,7 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
+       }
+       kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu);
++      vcpu->arch.switch_db_regs |= KVM_DEBUGREG_RELOAD;
+ }
+ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
diff --git a/queue-4.4/kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch b/queue-4.4/kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch
new file mode 100644 (file)
index 0000000..c8368dd
--- /dev/null
@@ -0,0 +1,100 @@
+From 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 Mon Sep 17 00:00:00 2001
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+Date: Wed, 24 Feb 2016 21:02:31 +0300
+Subject: KVM: x86: MMU: fix ubsan index-out-of-range warning
+
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+
+commit 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 upstream.
+
+Ubsan reports the following warning due to a typo in
+update_accessed_dirty_bits template, the patch fixes
+the typo:
+
+[  168.791851] ================================================================================
+[  168.791862] UBSAN: Undefined behaviour in arch/x86/kvm/paging_tmpl.h:252:15
+[  168.791866] index 4 is out of range for type 'u64 [4]'
+[  168.791871] CPU: 0 PID: 2950 Comm: qemu-system-x86 Tainted: G           O L  4.5.0-rc5-next-20160222 #7
+[  168.791873] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
+[  168.791876]  0000000000000000 ffff8801cfcaf208 ffffffff81c9f780 0000000041b58ab3
+[  168.791882]  ffffffff82eb2cc1 ffffffff81c9f6b4 ffff8801cfcaf230 ffff8801cfcaf1e0
+[  168.791886]  0000000000000004 0000000000000001 0000000000000000 ffffffffa1981600
+[  168.791891] Call Trace:
+[  168.791899]  [<ffffffff81c9f780>] dump_stack+0xcc/0x12c
+[  168.791904]  [<ffffffff81c9f6b4>] ? _atomic_dec_and_lock+0xc4/0xc4
+[  168.791910]  [<ffffffff81da9e81>] ubsan_epilogue+0xd/0x8a
+[  168.791914]  [<ffffffff81daafa2>] __ubsan_handle_out_of_bounds+0x15c/0x1a3
+[  168.791918]  [<ffffffff81daae46>] ? __ubsan_handle_shift_out_of_bounds+0x2bd/0x2bd
+[  168.791922]  [<ffffffff811287ef>] ? get_user_pages_fast+0x2bf/0x360
+[  168.791954]  [<ffffffffa1794050>] ? kvm_largepages_enabled+0x30/0x30 [kvm]
+[  168.791958]  [<ffffffff81128530>] ? __get_user_pages_fast+0x360/0x360
+[  168.791987]  [<ffffffffa181b818>] paging64_walk_addr_generic+0x1b28/0x2600 [kvm]
+[  168.792014]  [<ffffffffa1819cf0>] ? init_kvm_mmu+0x1100/0x1100 [kvm]
+[  168.792019]  [<ffffffff8129e350>] ? debug_check_no_locks_freed+0x350/0x350
+[  168.792044]  [<ffffffffa1819cf0>] ? init_kvm_mmu+0x1100/0x1100 [kvm]
+[  168.792076]  [<ffffffffa181c36d>] paging64_gva_to_gpa+0x7d/0x110 [kvm]
+[  168.792121]  [<ffffffffa181c2f0>] ? paging64_walk_addr_generic+0x2600/0x2600 [kvm]
+[  168.792130]  [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
+[  168.792178]  [<ffffffffa17d9a4a>] emulator_read_write_onepage+0x27a/0x1150 [kvm]
+[  168.792208]  [<ffffffffa1794d44>] ? __kvm_read_guest_page+0x54/0x70 [kvm]
+[  168.792234]  [<ffffffffa17d97d0>] ? kvm_task_switch+0x160/0x160 [kvm]
+[  168.792238]  [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
+[  168.792263]  [<ffffffffa17daa07>] emulator_read_write+0xe7/0x6d0 [kvm]
+[  168.792290]  [<ffffffffa183b620>] ? em_cr_write+0x230/0x230 [kvm]
+[  168.792314]  [<ffffffffa17db005>] emulator_write_emulated+0x15/0x20 [kvm]
+[  168.792340]  [<ffffffffa18465f8>] segmented_write+0xf8/0x130 [kvm]
+[  168.792367]  [<ffffffffa1846500>] ? em_lgdt+0x20/0x20 [kvm]
+[  168.792374]  [<ffffffffa14db512>] ? vmx_read_guest_seg_ar+0x42/0x1e0 [kvm_intel]
+[  168.792400]  [<ffffffffa1846d82>] writeback+0x3f2/0x700 [kvm]
+[  168.792424]  [<ffffffffa1846990>] ? em_sidt+0xa0/0xa0 [kvm]
+[  168.792449]  [<ffffffffa185554d>] ? x86_decode_insn+0x1b3d/0x4f70 [kvm]
+[  168.792474]  [<ffffffffa1859032>] x86_emulate_insn+0x572/0x3010 [kvm]
+[  168.792499]  [<ffffffffa17e71dd>] x86_emulate_instruction+0x3bd/0x2110 [kvm]
+[  168.792524]  [<ffffffffa17e6e20>] ? reexecute_instruction.part.110+0x2e0/0x2e0 [kvm]
+[  168.792532]  [<ffffffffa14e9a81>] handle_ept_misconfig+0x61/0x460 [kvm_intel]
+[  168.792539]  [<ffffffffa14e9a20>] ? handle_pause+0x450/0x450 [kvm_intel]
+[  168.792546]  [<ffffffffa15130ea>] vmx_handle_exit+0xd6a/0x1ad0 [kvm_intel]
+[  168.792572]  [<ffffffffa17f6a6c>] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm]
+[  168.792597]  [<ffffffffa17f6bcd>] kvm_arch_vcpu_ioctl_run+0xd3d/0x6090 [kvm]
+[  168.792621]  [<ffffffffa17f6a6c>] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm]
+[  168.792627]  [<ffffffff8293b530>] ? __ww_mutex_lock_interruptible+0x1630/0x1630
+[  168.792651]  [<ffffffffa17f5e90>] ? kvm_arch_vcpu_runnable+0x4f0/0x4f0 [kvm]
+[  168.792656]  [<ffffffff811eeb30>] ? preempt_notifier_unregister+0x190/0x190
+[  168.792681]  [<ffffffffa17e0447>] ? kvm_arch_vcpu_load+0x127/0x650 [kvm]
+[  168.792704]  [<ffffffffa178e9a3>] kvm_vcpu_ioctl+0x553/0xda0 [kvm]
+[  168.792727]  [<ffffffffa178e450>] ? vcpu_put+0x40/0x40 [kvm]
+[  168.792732]  [<ffffffff8129e350>] ? debug_check_no_locks_freed+0x350/0x350
+[  168.792735]  [<ffffffff82946087>] ? _raw_spin_unlock+0x27/0x40
+[  168.792740]  [<ffffffff8163a943>] ? handle_mm_fault+0x1673/0x2e40
+[  168.792744]  [<ffffffff8129daa8>] ? trace_hardirqs_on_caller+0x478/0x6c0
+[  168.792747]  [<ffffffff8129dcfd>] ? trace_hardirqs_on+0xd/0x10
+[  168.792751]  [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
+[  168.792756]  [<ffffffff81725a80>] do_vfs_ioctl+0x1b0/0x12b0
+[  168.792759]  [<ffffffff817258d0>] ? ioctl_preallocate+0x210/0x210
+[  168.792763]  [<ffffffff8174aef3>] ? __fget+0x273/0x4a0
+[  168.792766]  [<ffffffff8174acd0>] ? __fget+0x50/0x4a0
+[  168.792770]  [<ffffffff8174b1f6>] ? __fget_light+0x96/0x2b0
+[  168.792773]  [<ffffffff81726bf9>] SyS_ioctl+0x79/0x90
+[  168.792777]  [<ffffffff82946880>] entry_SYSCALL_64_fastpath+0x23/0xc1
+[  168.792780] ================================================================================
+
+Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
+Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/paging_tmpl.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -249,7 +249,7 @@ static int FNAME(update_accessed_dirty_b
+                       return ret;
+               kvm_vcpu_mark_page_dirty(vcpu, table_gfn);
+-              walker->ptes[level] = pte;
++              walker->ptes[level - 1] = pte;
+       }
+       return 0;
+ }
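Review bot: `walker->ptes[level - 1] = pte;` relies on ptes[] being 0-indexed while `level` is 1-based, which is exactly the convention the old line got wrong and UBSAN caught; a comment at the assignment, `/* ptes[] is indexed by level - 1 */`, would keep this in step with the walker's other accesses. The walker definition and its other users are not visible here, so confirm they all use the same `level - 1` convention. update_accessed_dirty_bits starts outside the hunk.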
diff --git a/queue-4.4/nfs-fix-nfs_size_to_loff_t.patch b/queue-4.4/nfs-fix-nfs_size_to_loff_t.patch
new file mode 100644 (file)
index 0000000..63ee07d
--- /dev/null
@@ -0,0 +1,39 @@
+From 50ab8ec74a153eb30db26529088bc57dd700b24c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 8 Feb 2016 21:11:50 +0100
+Subject: nfs: fix nfs_size_to_loff_t
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.
+
+See http: //www.infradead.org/rpr.html
+X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
+Content-Transfer-Encoding: 8bit
+Mime-Version: 1.0
+
+We support OFFSET_MAX just fine, so don't round down below it.  Also
+switch to using min_t to make the helper more readable.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/nfs_fs.h |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -544,9 +544,7 @@ extern int  nfs_readpage_async(struct nf
+ static inline loff_t nfs_size_to_loff_t(__u64 size)
+ {
+-      if (size > (__u64) OFFSET_MAX - 1)
+-              return OFFSET_MAX - 1;
+-      return (loff_t) size;
++      return min_t(u64, size, OFFSET_MAX);
+ }
+ static inline ino_t
diff --git a/queue-4.4/nfsv4-fix-a-dentry-leak-on-alias-use.patch b/queue-4.4/nfsv4-fix-a-dentry-leak-on-alias-use.patch
new file mode 100644 (file)
index 0000000..8c2e2d2
--- /dev/null
@@ -0,0 +1,36 @@
+From d9dfd8d741683347ee159d25f5b50c346a0df557 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Wed, 17 Feb 2016 10:41:41 -0500
+Subject: NFSv4: Fix a dentry leak on alias use
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit d9dfd8d741683347ee159d25f5b50c346a0df557 upstream.
+
+In the case where d_add_unique() finds an appropriate alias to use it will
+have already incremented the reference count.  An additional dget() to swap
+the open context's dentry is unnecessary and will leak a reference.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: 275bb307865a3 ("NFSv4: Move dentry instantiation into the NFSv4-...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2461,9 +2461,9 @@ static int _nfs4_open_and_get_state(stru
+               dentry = d_add_unique(dentry, igrab(state->inode));
+               if (dentry == NULL) {
+                       dentry = opendata->dentry;
+-              } else if (dentry != ctx->dentry) {
++              } else {
+                       dput(ctx->dentry);
+-                      ctx->dentry = dget(dentry);
++                      ctx->dentry = dentry;
+               }
+               nfs_set_verifier(dentry,
+                               nfs_save_change_attribute(d_inode(opendata->dir)));
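Review bot: Dropping the `dentry != ctx->dentry` test is only safe because d_add_unique() hands back a referenced alias, so `dput(ctx->dentry)` followed by the plain assignment stays balanced even if the alias turns out to be ctx->dentry itself (should that be possible); nothing at the site says so, and the removed `dget()` is exactly what a later reader may reinstate. A comment above the dput(), `/* d_add_unique() returned a referenced alias; hand that reference to ctx */`, would pin the ownership transfer. _nfs4_open_and_get_state starts and ends outside the hunk.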
diff --git a/queue-4.4/of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch b/queue-4.4/of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch
new file mode 100644 (file)
index 0000000..62eabf6
--- /dev/null
@@ -0,0 +1,54 @@
+From 5d589d81acf974d23af98044aac56c6339d659f8 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Tue, 9 Feb 2016 11:04:45 +0000
+Subject: of/irq: Fix msi-map calculation for nonzero rid-base
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 5d589d81acf974d23af98044aac56c6339d659f8 upstream.
+
+The existing msi-map code is fine for shifting the entire RID space
+upwards, but attempting finer-grained remapping reveals a bug. It turns
+out that we are mistakenly treating the msi-base part as an offset, not
+as a new base to remap onto, so things get squiffy when rid-base is
+nonzero. Fix this, and at the same time add a sanity check against
+having msi-map-mask clash with a nonzero rid-base, as that's another
+thing one can easily get wrong.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Tested-by: Stuart Yoder <stuart.yoder@nxp.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: David Daney <david.daney@cavium.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/irq.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -636,6 +636,13 @@ static u32 __of_msi_map_rid(struct devic
+               msi_base = be32_to_cpup(msi_map + 2);
+               rid_len = be32_to_cpup(msi_map + 3);
++              if (rid_base & ~map_mask) {
++                      dev_err(parent_dev,
++                              "Invalid msi-map translation - msi-map-mask (0x%x) ignores rid-base (0x%x)\n",
++                              map_mask, rid_base);
++                      return rid_out;
++              }
++
+               msi_controller_node = of_find_node_by_phandle(phandle);
+               matched = (masked_rid >= rid_base &&
+@@ -655,7 +662,7 @@ static u32 __of_msi_map_rid(struct devic
+       if (!matched)
+               return rid_out;
+-      rid_out = masked_rid + msi_base;
++      rid_out = masked_rid - rid_base + msi_base;
+       dev_dbg(dev,
+               "msi-map at: %s, using mask %08x, rid-base: %08x, msi-base: %08x, length: %08x, rid: %08x -> %08x\n",
+               dev_name(parent_dev), map_mask, rid_base, msi_base,
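Review bot: On a malformed entry (`rid_base & ~map_mask`) the new check logs and returns `rid_out`, which presumably still holds the untranslated input RID, so after the error message the caller silently gets an identity mapping rather than a distinguishable failure; whether that is the intended fallback, or whether the walk should `continue` past the bad entry since later entries may be valid, should be stated at the site, e.g. `/* Malformed entry: give up and leave the RID untranslated. */`. The check correctly runs before of_find_node_by_phandle(), so there is no node reference to drop on this path. The subtraction in `rid_out = masked_rid - rid_base + msi_base;` cannot underflow, as `matched` already requires masked_rid >= rid_base. __of_msi_map_rid starts and ends outside the hunk.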
diff --git a/queue-4.4/phy-core-fix-wrong-err-handle-for-phy_power_on.patch b/queue-4.4/phy-core-fix-wrong-err-handle-for-phy_power_on.patch
new file mode 100644 (file)
index 0000000..5bac63f
--- /dev/null
@@ -0,0 +1,77 @@
+From b82fcabe212a11698fd4b3e604d2f81d929d22f6 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Thu, 28 Jan 2016 16:14:18 +0800
+Subject: phy: core: fix wrong err handle for phy_power_on
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit b82fcabe212a11698fd4b3e604d2f81d929d22f6 upstream.
+
+If phy_pm_runtime_get_sync failed but we already
+enable regulator, current code return directly without
+doing regulator_disable. This patch fix this problem
+and cleanup err handle of phy_power_on to be more readable.
+
+Fixes: 3be88125d85d ("phy: core: Support regulator ...")
+Cc: Roger Quadros <rogerq@ti.com>
+Cc: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/phy-core.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/phy/phy-core.c
++++ b/drivers/phy/phy-core.c
+@@ -275,20 +275,21 @@ EXPORT_SYMBOL_GPL(phy_exit);
+ int phy_power_on(struct phy *phy)
+ {
+-      int ret;
++      int ret = 0;
+       if (!phy)
+-              return 0;
++              goto out;
+       if (phy->pwr) {
+               ret = regulator_enable(phy->pwr);
+               if (ret)
+-                      return ret;
++                      goto out;
+       }
+       ret = phy_pm_runtime_get_sync(phy);
+       if (ret < 0 && ret != -ENOTSUPP)
+-              return ret;
++              goto err_pm_sync;
++
+       ret = 0; /* Override possible ret == -ENOTSUPP */
+       mutex_lock(&phy->mutex);
+@@ -296,19 +297,20 @@ int phy_power_on(struct phy *phy)
+               ret = phy->ops->power_on(phy);
+               if (ret < 0) {
+                       dev_err(&phy->dev, "phy poweron failed --> %d\n", ret);
+-                      goto out;
++                      goto err_pwr_on;
+               }
+       }
+       ++phy->power_count;
+       mutex_unlock(&phy->mutex);
+       return 0;
+-out:
++err_pwr_on:
+       mutex_unlock(&phy->mutex);
+       phy_pm_runtime_put_sync(phy);
++err_pm_sync:
+       if (phy->pwr)
+               regulator_disable(phy->pwr);
+-
++out:
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(phy_power_on);
diff --git a/queue-4.4/powerpc-eeh-fix-partial-hotplug-criterion.patch b/queue-4.4/powerpc-eeh-fix-partial-hotplug-criterion.patch
new file mode 100644 (file)
index 0000000..26c6938
--- /dev/null
@@ -0,0 +1,44 @@
+From f6bf0fa14cf848ae770e0b7842c9b11ce2f01645 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Date: Fri, 12 Feb 2016 16:03:05 +1100
+Subject: powerpc/eeh: Fix partial hotplug criterion
+
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+
+commit f6bf0fa14cf848ae770e0b7842c9b11ce2f01645 upstream.
+
+During error recovery, the device could be removed as part of the
+partial hotplug. The criterion used to come with partial hotplug
+is: if the device driver provides error_detected(), slot_reset()
+and resume() callbacks, it's immune from hotplug. Otherwise,
+it's going to experience partial hotplug during EEH recovery. But
+the criterion isn't correct enough: mlx4_core driver for Mellanox
+adapters provides error_detected(), slot_reset() callbacks, but
+resume() isn't there. Those Mellanox adapters won't be to involved
+in the partial hotplug.
+
+This fixes the criterion to a practical one: adpater with driver
+that provides error_detected(), slot_reset() will be immune from
+partial hotplug. resume() isn't mandatory.
+
+Fixes: f2da4ccf ("powerpc/eeh: More relaxed hotplug criterion")
+Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh_driver.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -418,8 +418,7 @@ static void *eeh_rmv_device(void *data,
+               eeh_pcid_put(dev);
+               if (driver->err_handler &&
+                   driver->err_handler->error_detected &&
+-                  driver->err_handler->slot_reset &&
+-                  driver->err_handler->resume)
++                  driver->err_handler->slot_reset)
+                       return NULL;
+       }
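Review bot: The relaxed criterion is explained only in the commit message; the condition at the `if (driver->err_handler &&` line should carry it so a later reader does not reinstate the `resume` test, e.g. `/* Drivers that implement error_detected() and slot_reset() recover in place; resume() is optional, so such devices are not hotplugged. */`. eeh_rmv_device() starts outside the hunk, so any existing comment above this condition is not visible here.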
index 11889c1980945c24ed831fb5eea9bc324686f286..dad0c3c90dc8ff08bb1acad00014221e53a0473e 100644 (file)
@@ -288,3 +288,34 @@ arcv2-star-9000950267-handle-return-from-intr-to-delay-slot-2.patch
 arcv2-smp-emulate-ipi-to-self-using-software-triggered-interrupt.patch
 pci-aer-flush-workqueue-on-device-remove-to-avoid-use-after-free.patch
 cpuset-make-mm-migration-asynchronous.patch
+cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch
+writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch
+phy-core-fix-wrong-err-handle-for-phy_power_on.patch
+i2c-i801-adding-intel-lewisburg-support-for-itco.patch
+bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
+block-fix-use-after-free-in-dio_bio_complete.patch
+nfs-fix-nfs_size_to_loff_t.patch
+nfsv4-fix-a-dentry-leak-on-alias-use.patch
+of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch
+kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
+kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
+kvm-x86-fix-missed-hardware-breakpoints.patch
+kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
+kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch
+powerpc-eeh-fix-partial-hotplug-criterion.patch
+tracing-fix-showing-function-event-in-available_events.patch
+sunrpc-cache-fix-off-by-one-in-qword_get.patch
+kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
+do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
+arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch
+arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch
+xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
+xen-scsiback-correct-frontend-counting.patch
+xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
+xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
+xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
+should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
+do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch
+hpfs-don-t-truncate-the-file-when-delete-fails.patch
+x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch
+x86-entry-compat-add-missing-clac-to-entry_int80_32.patch
diff --git a/queue-4.4/should_follow_link-validate-d_seq-after-having-decided-to-follow.patch b/queue-4.4/should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
new file mode 100644 (file)
index 0000000..a274f1f
--- /dev/null
@@ -0,0 +1,33 @@
+From a7f775428b8f5808815c0e3004020cedb94cbe3b Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:31:01 -0500
+Subject: should_follow_link(): validate ->d_seq after having decided to follow
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a7f775428b8f5808815c0e3004020cedb94cbe3b upstream.
+
+... otherwise d_is_symlink() above might have nothing to do with
+the inode value we've got.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1711,6 +1711,11 @@ static inline int should_follow_link(str
+               return 0;
+       if (!follow)
+               return 0;
++      /* make sure that d_is_symlink above matches inode */
++      if (nd->flags & LOOKUP_RCU) {
++              if (read_seqcount_retry(&link->dentry->d_seq, seq))
++                      return -ECHILD;
++      }
+       return pick_link(nd, link, inode, seq);
+ }
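Review bot: The two nested `if`s in the added lines collapse into one guard, `if ((nd->flags & LOOKUP_RCU) && read_seqcount_retry(&link->dentry->d_seq, seq)) return -ECHILD;`, which reads the same way as the two early returns above it. The comment could also say why -ECHILD is the right answer rather than a retry here, e.g. `/* RCU-walk: dentry changed since d_is_symlink(); drop to ref-walk */`, since presumably the caller falls back to ref-walk on that value. The function's signature and the place where `seq` is sampled lie outside the hunk, so the pairing of `seq` with the earlier d_is_symlink() check cannot be confirmed from this view.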
diff --git a/queue-4.4/sunrpc-cache-fix-off-by-one-in-qword_get.patch b/queue-4.4/sunrpc-cache-fix-off-by-one-in-qword_get.patch
new file mode 100644 (file)
index 0000000..e2e99a2
--- /dev/null
@@ -0,0 +1,48 @@
+From b7052cd7bcf3c1478796e93e3dff2b44c9e82943 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 18 Feb 2016 18:55:54 +0000
+Subject: sunrpc/cache: fix off-by-one in qword_get()
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.
+
+The qword_get() function NUL-terminates its output buffer.  If the input
+string is in hex format \xXXXX... and the same length as the output
+buffer, there is an off-by-one:
+
+  int qword_get(char **bpp, char *dest, int bufsize)
+  {
+      ...
+      while (len < bufsize) {
+          ...
+          *dest++ = (h << 4) | l;
+          len++;
+      }
+      ...
+      *dest = '\0';
+      return len;
+  }
+
+This patch ensures the NUL terminator doesn't fall outside the output
+buffer.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/cache.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, in
+       if (bp[0] == '\\' && bp[1] == 'x') {
+               /* HEX STRING */
+               bp += 2;
+-              while (len < bufsize) {
++              while (len < bufsize - 1) {
+                       int h, l;
+                       h = hex_to_bin(bp[0]);
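Review bot: The narrowed bound `len < bufsize - 1` protects the hex loop, but the unconditional `*dest = '\0'` shown in the commit message still lands one byte past the buffer when a caller passes `bufsize == 0` (then `bufsize - 1` is -1 and the loop simply does not run). Rejecting `bufsize < 1` at function entry, before either decoding path, with the function's existing error return would close that case for both branches. The non-hex path and the terminator write are outside this hunk, so whether they already guard against this cannot be confirmed here.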
diff --git a/queue-4.4/tracing-fix-showing-function-event-in-available_events.patch b/queue-4.4/tracing-fix-showing-function-event-in-available_events.patch
new file mode 100644 (file)
index 0000000..c181ff2
--- /dev/null
@@ -0,0 +1,54 @@
+From d045437a169f899dfb0f6f7ede24cc042543ced9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 24 Feb 2016 09:04:24 -0500
+Subject: tracing: Fix showing function event in available_events
+
+From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+
+commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.
+
+The ftrace:function event is only displayed for parsing the function tracer
+data. It is not used to enable function tracing, and does not include an
+"enable" file in its event directory.
+
+Originally, this event was kept separate from other events because it did
+not have a ->reg parameter. But perf added a "reg" parameter for its use
+which caused issues, because it made the event available to functions where
+it was not compatible for.
+
+Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
+from being enabled by normal trace events. But this commit missed keeping
+the function event from being displayed by the "available_events" directory,
+which is used to show what events can be enabled by set_event.
+
+One documented way to enable all events is to:
+
+ cat available_events > set_event
+
+But because the function event is displayed in the available_events, this
+now causes an INVALID error:
+
+ cat: write error: Invalid argument
+
+Reported-by: Chunyu Hu <chuhu@redhat.com>
+Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -869,7 +869,8 @@ t_next(struct seq_file *m, void *v, loff
+                * The ftrace subsystem is for showing formats only.
+                * They can not be enabled or disabled via the event files.
+                */
+-              if (call->class && call->class->reg)
++              if (call->class && call->class->reg &&
++                  !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE))
+                       return file;
+       }
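Review bot: The comment block directly above the changed condition (the "ftrace subsystem is for showing formats only" text) no longer describes the whole test; a sentence about the new flag would keep it accurate, e.g. `* Events flagged TRACE_EVENT_FL_IGNORE_ENABLE are likewise hidden here, since they cannot be written to set_event.`. If other iterators over the event list in this file feed set_event, they presumably need the same flag test, but they are outside the hunk.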
diff --git a/queue-4.4/writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch b/queue-4.4/writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch
new file mode 100644 (file)
index 0000000..88f7b0e
--- /dev/null
@@ -0,0 +1,95 @@
+From 5ff8eaac1636bf6deae86491f4818c4c69d1a9ac Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 16 Feb 2016 11:34:07 -0700
+Subject: writeback: keep superblock pinned during cgroup writeback association switches
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 5ff8eaac1636bf6deae86491f4818c4c69d1a9ac upstream.
+
+If cgroup writeback is in use, an inode is associated with a cgroup
+for writeback.  If the inode's main dirtier changes to another cgroup,
+the association gets updated asynchronously.  Nothing was pinning the
+superblock while such switches are in progress and superblock could go
+away while async switching is pending or in progress leading to
+crashes like the following.
+
+ kernel BUG at fs/jbd2/transaction.c:319!
+ invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
+ CPU: 1 PID: 29158 Comm: kworker/1:10 Not tainted 4.5.0-rc3 #51
+ Hardware name: Google Google, BIOS Google 01/01/2011
+ Workqueue: events inode_switch_wbs_work_fn
+ task: ffff880213dbbd40 ti: ffff880209264000 task.ti: ffff880209264000
+ RIP: 0010:[<ffffffff803e6922>]  [<ffffffff803e6922>] start_this_handle+0x382/0x3e0
+ RSP: 0018:ffff880209267c30  EFLAGS: 00010202
+ ...
+ Call Trace:
+  [<ffffffff803e6be4>] jbd2__journal_start+0xf4/0x190
+  [<ffffffff803cfc7e>] __ext4_journal_start_sb+0x4e/0x70
+  [<ffffffff803b31ec>] ext4_evict_inode+0x12c/0x3d0
+  [<ffffffff8035338b>] evict+0xbb/0x190
+  [<ffffffff80354190>] iput+0x130/0x190
+  [<ffffffff80360223>] inode_switch_wbs_work_fn+0x343/0x4c0
+  [<ffffffff80279819>] process_one_work+0x129/0x300
+  [<ffffffff80279b16>] worker_thread+0x126/0x480
+  [<ffffffff8027ed14>] kthread+0xc4/0xe0
+  [<ffffffff809771df>] ret_from_fork+0x3f/0x70
+
+Fix it by bumping s_active while cgroup association switching is in
+flight.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Tahsin Erdogan <tahsin@google.com>
+Link: http://lkml.kernel.org/g/CAAeU0aNCq7LGODvVGRU-oU_o-6enii5ey0p1c26D1ZzYwkDc5A@mail.gmail.com
+Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 6915c950e6e8..1f76d8950a57 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -317,6 +317,7 @@ static void inode_switch_wbs_work_fn(struct work_struct *work)
+       struct inode_switch_wbs_context *isw =
+               container_of(work, struct inode_switch_wbs_context, work);
+       struct inode *inode = isw->inode;
++      struct super_block *sb = inode->i_sb;
+       struct address_space *mapping = inode->i_mapping;
+       struct bdi_writeback *old_wb = inode->i_wb;
+       struct bdi_writeback *new_wb = isw->new_wb;
+@@ -423,6 +424,7 @@ skip_switch:
+       wb_put(new_wb);
+       iput(inode);
++      deactivate_super(sb);
+       kfree(isw);
+ }
+@@ -469,11 +471,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+       /* while holding I_WB_SWITCH, no one else can update the association */
+       spin_lock(&inode->i_lock);
++
+       if (inode->i_state & (I_WB_SWITCH | I_FREEING) ||
+-          inode_to_wb(inode) == isw->new_wb) {
+-              spin_unlock(&inode->i_lock);
+-              goto out_free;
+-      }
++          inode_to_wb(inode) == isw->new_wb)
++              goto out_unlock;
++
++      if (!atomic_inc_not_zero(&inode->i_sb->s_active))
++              goto out_unlock;
++
+       inode->i_state |= I_WB_SWITCH;
+       spin_unlock(&inode->i_lock);
+@@ -489,6 +494,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+       call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
+       return;
++out_unlock:
++      spin_unlock(&inode->i_lock);
+ out_free:
+       if (isw->new_wb)
+               wb_put(isw->new_wb);
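Review bot: The ordering in the work function deserves a comment: `sb` is captured at the top because `iput(inode)` may be the final reference and evict the inode, after which `inode->i_sb` must not be read, and `deactivate_super(sb)` has to follow `iput()` because eviction itself needs the superblock alive (the jbd2 call trace in the description shows exactly that path). A note at the `deactivate_super(sb);` line such as `/* drop the s_active ref taken by inode_switch_wbs(); must follow iput() */` would pair the two sides of the reference. At the `atomic_inc_not_zero` site, a one-liner like `/* sb is being torn down; skip the switch, nothing to undo */` explains why failure is not an error.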
diff --git a/queue-4.4/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch b/queue-4.4/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch
new file mode 100644 (file)
index 0000000..e0f5e4c
--- /dev/null
@@ -0,0 +1,46 @@
+From 3d44d51bd339766f0178f0cf2e8d048b4a4872aa Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 24 Feb 2016 12:18:49 -0800
+Subject: x86/entry/compat: Add missing CLAC to entry_INT80_32
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 3d44d51bd339766f0178f0cf2e8d048b4a4872aa upstream.
+
+This doesn't seem to fix a regression -- I don't think the CLAC was
+ever there.
+
+I double-checked in a debugger: entries through the int80 gate do
+not automatically clear AC.
+
+Stable maintainers: I can provide a backport to 4.3 and earlier if
+needed.  This needs to be backported all the way to 3.10.
+
+Reported-by: Brian Gerst <brgerst@gmail.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user space access")
+Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64_compat.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -267,6 +267,7 @@ ENTRY(entry_INT80_compat)
+        * Interrupts are off on entry.
+        */
+       PARAVIRT_ADJUST_EXCEPTION_FRAME
++      ASM_CLAC                        /* Do this early to minimize exposure */
+       SWAPGS
+       /*
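Review bot: The comment on the added `ASM_CLAC` says "minimize exposure" without naming what is exposed; `/* int $0x80 does not clear AC, so SMAP stays disabled until we do; clear it first */` states the invariant the rest of the entry path relies on. The surrounding entry sequence continues outside the hunk.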
diff --git a/queue-4.4/x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch b/queue-4.4/x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch
new file mode 100644 (file)
index 0000000..b7a6457
--- /dev/null
@@ -0,0 +1,37 @@
+From 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 26 Feb 2016 18:55:31 +0000
+Subject: x86/mpx: Fix off-by-one comparison with nr_registers
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 upstream.
+
+In the unlikely event that regno == nr_registers then we get an array
+overrun on regoff because the invalid register check is currently
+off-by-one. Fix this with a check that regno is >= nr_registers instead.
+
+Detected with static analysis using CoverityScan.
+
+Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Link: http://lkml.kernel.org/r/1456512931-3388-1-git-send-email-colin.king@canonical.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
+index b2fd67da1701..ef05755a1900 100644
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -123,7 +123,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
+               break;
+       }
+-      if (regno > nr_registers) {
++      if (regno >= nr_registers) {
+               WARN_ONCE(1, "decoded an instruction with an invalid register");
+               return -EINVAL;
+       }
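Review bot: `regno >= nr_registers` is correct for the upper bound, but if `regno` is a signed `int` a negative value would still index `regoff`; the switch that assigns it lies above the hunk, so whether every case yields a non-negative value cannot be confirmed here. Writing the test as `if (regno < 0 || regno >= nr_registers)` (or comparing as `(unsigned int)regno`) makes the bound independent of that switch. A short comment at the check, `/* regoff[] has nr_registers entries */`, ties the limit to the array it guards.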
diff --git a/queue-4.4/xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch b/queue-4.4/xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
new file mode 100644 (file)
index 0000000..93e386b
--- /dev/null
@@ -0,0 +1,69 @@
+From 52ba0746b3b44c86aee121babf3b2fd9b8f84090 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell@citrix.com>
+Date: Mon, 8 Feb 2016 16:02:06 +0000
+Subject: xen/arm: correctly handle DMA mapping of compound pages
+
+From: Ian Campbell <ian.campbell@citrix.com>
+
+commit 52ba0746b3b44c86aee121babf3b2fd9b8f84090 upstream.
+
+Currently xen_dma_map_page concludes that DMA to anything other than
+the head page of a compound page must be foreign, since the PFN of the
+page is that of the head.
+
+Fix the check to instead consider the whole of a compound page to be
+local if the PFN of the head passes the 1:1 check.
+
+We can never see a compound page which is a mixture of foreign and
+local sub-pages.
+
+The comment already correctly described the intention, but fixup the
+spelling and some grammar.
+
+This fixes the various SSH protocol errors which we have been seeing
+on the cubietrucks in our automated test infrastructure.
+
+This has been broken since commit 3567258d281b ("xen/arm: use
+hypercall to flush caches in map_page"), which was in v3.19-rc1.
+
+NB arch/arm64/.../xen/page-coherent.h also includes this file.
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/arch/arm/include/asm/xen/page-coherent.h b/arch/arm/include/asm/xen/page-coherent.h
+index 0375c8caa061..9408a994cc91 100644
+--- a/arch/arm/include/asm/xen/page-coherent.h
++++ b/arch/arm/include/asm/xen/page-coherent.h
+@@ -35,14 +35,21 @@ static inline void xen_dma_map_page(struct device *hwdev, struct page *page,
+            dma_addr_t dev_addr, unsigned long offset, size_t size,
+            enum dma_data_direction dir, struct dma_attrs *attrs)
+ {
+-      bool local = XEN_PFN_DOWN(dev_addr) == page_to_xen_pfn(page);
++      unsigned long page_pfn = page_to_xen_pfn(page);
++      unsigned long dev_pfn = XEN_PFN_DOWN(dev_addr);
++      unsigned long compound_pages =
++              (1<<compound_order(page)) * XEN_PFN_PER_PAGE;
++      bool local = (page_pfn <= dev_pfn) &&
++              (dev_pfn - page_pfn < compound_pages);
++
+       /*
+-       * Dom0 is mapped 1:1, while the Linux page can be spanned accross
+-       * multiple Xen page, it's not possible to have a mix of local and
+-       * foreign Xen page. So if the first xen_pfn == mfn the page is local
+-       * otherwise it's a foreign page grant-mapped in dom0. If the page is
+-       * local we can safely call the native dma_ops function, otherwise we
+-       * call the xen specific function.
++       * Dom0 is mapped 1:1, while the Linux page can span across
++       * multiple Xen pages, it's not possible for it to contain a
++       * mix of local and foreign Xen pages. So if the first xen_pfn
++       * == mfn the page is local otherwise it's a foreign page
++       * grant-mapped in dom0. If the page is local we can safely
++       * call the native dma_ops function, otherwise we call the xen
++       * specific function.
+        */
+       if (local)
+               __generic_dma_ops(hwdev)->map_page(hwdev, page, offset, size, dir, attrs);
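Review bot: In the new `compound_pages` computation, `(1<<compound_order(page))` is evaluated as `int` before being multiplied and widened to `unsigned long`; `(1UL << compound_order(page)) * XEN_PFN_PER_PAGE` keeps the whole expression in the type of the variable and avoids a signed shift. The `local` test is careful to subtract only after checking `page_pfn <= dev_pfn`, which is worth a comment, e.g. `/* unsigned: order the comparison so the subtraction cannot wrap */`. The rest of xen_dma_map_page() is outside the hunk.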
diff --git a/queue-4.4/xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch b/queue-4.4/xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
new file mode 100644 (file)
index 0000000..8b17113
--- /dev/null
@@ -0,0 +1,38 @@
+From 8d47065f7d1980dde52abb874b301054f3013602 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:23 -0500
+Subject: xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 8d47065f7d1980dde52abb874b301054f3013602 upstream.
+
+Commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 (xen/pciback: Don't
+allow MSI-X ops if PCI_COMMAND_MEMORY is not set) prevented enabling
+MSI-X on passed-through virtual functions, because it checked the VF
+for PCI_COMMAND_MEMORY but this is not a valid bit for VFs.
+
+Instead, check the physical function for PCI_COMMAND_MEMORY.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-pciback/pciback_ops.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -227,8 +227,9 @@ int xen_pcibk_enable_msix(struct xen_pci
+       /*
+        * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
+        * to access the BARs where the MSI-X entries reside.
++       * But VF devices are unique in which the PF needs to be checked.
+        */
+-      pci_read_config_word(dev, PCI_COMMAND, &cmd);
++      pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd);
+       if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
+               return -ENXIO;
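Review bot: The added comment line "But VF devices are unique in which the PF needs to be checked." is hard to parse; something like `* PCI_COMMAND_MEMORY is not a valid bit on a VF, so read it from the PF (pci_physfn() returns dev itself for non-VFs).` states both the reason and why the call is safe for physical functions. The `dev->msi_enabled` test on the next line still reads the VF, which is the intended object for that field.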
diff --git a/queue-4.4/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch b/queue-4.4/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
new file mode 100644 (file)
index 0000000..6fbd338
--- /dev/null
@@ -0,0 +1,56 @@
+From d159457b84395927b5a52adb72f748dd089ad5e5 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:24 -0500
+Subject: xen/pciback: Save the number of MSI-X entries to be copied later.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit d159457b84395927b5a52adb72f748dd089ad5e5 upstream.
+
+Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save
+xen_pci_op commands before processing it) broke enabling MSI-X because
+it would never copy the resulting vectors into the response.  The
+number of vectors requested was being overwritten by the return value
+(typically zero for success).
+
+Save the number of vectors before processing the op, so the correct
+number of vectors are copied afterwards.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-pciback/pciback_ops.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -333,6 +333,9 @@ void xen_pcibk_do_op(struct work_struct
+       struct xen_pcibk_dev_data *dev_data = NULL;
+       struct xen_pci_op *op = &pdev->op;
+       int test_intx = 0;
++#ifdef CONFIG_PCI_MSI
++      unsigned int nr = 0;
++#endif
+       *op = pdev->sh_info->op;
+       barrier();
+@@ -361,6 +364,7 @@ void xen_pcibk_do_op(struct work_struct
+                       op->err = xen_pcibk_disable_msi(pdev, dev, op);
+                       break;
+               case XEN_PCI_OP_enable_msix:
++                      nr = op->value;
+                       op->err = xen_pcibk_enable_msix(pdev, dev, op);
+                       break;
+               case XEN_PCI_OP_disable_msix:
+@@ -383,7 +387,7 @@ void xen_pcibk_do_op(struct work_struct
+       if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
+               unsigned int i;
+-              for (i = 0; i < op->value; i++)
++              for (i = 0; i < nr; i++)
+                       pdev->sh_info->op.msix_entries[i].vector =
+                               op->msix_entries[i].vector;
+       }
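Review bot: `nr` is copied from `op->value`, and `*op` is a copy of the shared-ring `pdev->sh_info->op`, i.e. a guest-supplied count; the copy loop over `msix_entries[i]` is only safe because the loop runs when `op->err == 0`, and the bound on `op->value` is presumably enforced inside xen_pcibk_enable_msix(), outside this hunk. A comment at `nr = op->value;` such as `/* guest-supplied; xen_pcibk_enable_msix() rejects values beyond msix_entries[] */` records that dependency. Separately, `nr` is declared under `#ifdef CONFIG_PCI_MSI` while its two uses are not visibly guarded in these hunks; if they are not inside the same conditional, a !CONFIG_PCI_MSI build would fail.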
diff --git a/queue-4.4/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch b/queue-4.4/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
new file mode 100644 (file)
index 0000000..7dba38f
--- /dev/null
@@ -0,0 +1,111 @@
+From 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:26 -0500
+Subject: xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.
+
+Occasionaly PV guests would crash with:
+
+pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
+BUG: unable to handle kernel paging request at 0000000d1a8c0be0
+.. snip..
+  <ffffffff8139ce1b>] find_next_bit+0xb/0x10
+  [<ffffffff81387f22>] cpumask_next_and+0x22/0x40
+  [<ffffffff813c1ef8>] pci_device_probe+0xb8/0x120
+  [<ffffffff81529097>] ? driver_sysfs_add+0x77/0xa0
+  [<ffffffff815293e4>] driver_probe_device+0x1a4/0x2d0
+  [<ffffffff813c1ddd>] ? pci_match_device+0xdd/0x110
+  [<ffffffff81529657>] __device_attach_driver+0xa7/0xb0
+  [<ffffffff815295b0>] ? __driver_attach+0xa0/0xa0
+  [<ffffffff81527622>] bus_for_each_drv+0x62/0x90
+  [<ffffffff8152978d>] __device_attach+0xbd/0x110
+  [<ffffffff815297fb>] device_attach+0xb/0x10
+  [<ffffffff813b75ac>] pci_bus_add_device+0x3c/0x70
+  [<ffffffff813b7618>] pci_bus_add_devices+0x38/0x80
+  [<ffffffff813dc34e>] pcifront_scan_root+0x13e/0x1a0
+  [<ffffffff817a0692>] pcifront_backend_changed+0x262/0x60b
+  [<ffffffff814644c6>] ? xenbus_gather+0xd6/0x160
+  [<ffffffff8120900f>] ? put_object+0x2f/0x50
+  [<ffffffff81465c1d>] xenbus_otherend_changed+0x9d/0xa0
+  [<ffffffff814678ee>] backend_changed+0xe/0x10
+  [<ffffffff81463a28>] xenwatch_thread+0xc8/0x190
+  [<ffffffff810f22f0>] ? woken_wake_function+0x10/0x10
+
+which was the result of two things:
+
+When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
+pointer which was an 'pcifront_sd' structure. However in the
+pci_device_add it expects that the 'sd' is 'struct sysdata' and
+sets the dev->node to what is in sd->node (offset 4):
+
+set_dev_node(&dev->dev, pcibus_to_node(bus));
+
+ __pcibus_to_node(const struct pci_bus *bus)
+{
+        const struct pci_sysdata *sd = bus->sysdata;
+
+        return sd->node;
+}
+
+However our structure was pcifront_sd which had nothing at that
+offset:
+
+struct pcifront_sd {
+        int                        domain;    /*     0     4 */
+        /* XXX 4 bytes hole, try to pack */
+        struct pcifront_device *   pdev;      /*     8     8 */
+}
+
+That is an hole - filled with garbage as we used kmalloc instead of
+kzalloc (the second problem).
+
+This patch fixes the issue by:
+ 1) Use kzalloc to initialize to a well known state.
+ 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
+    way access to the 'node' will access the right offset.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/xen-pcifront.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/xen-pcifront.c
++++ b/drivers/pci/xen-pcifront.c
+@@ -53,7 +53,7 @@ struct pcifront_device {
+ };
+ struct pcifront_sd {
+-      int domain;
++      struct pci_sysdata sd;
+       struct pcifront_device *pdev;
+ };
+@@ -67,7 +67,9 @@ static inline void pcifront_init_sd(stru
+                                   unsigned int domain, unsigned int bus,
+                                   struct pcifront_device *pdev)
+ {
+-      sd->domain = domain;
++      /* Because we do not expose that information via XenBus. */
++      sd->sd.node = first_online_node;
++      sd->sd.domain = domain;
+       sd->pdev = pdev;
+ }
+@@ -468,8 +470,8 @@ static int pcifront_scan_root(struct pci
+       dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n",
+                domain, bus);
+-      bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL);
+-      sd = kmalloc(sizeof(*sd), GFP_KERNEL);
++      bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL);
++      sd = kzalloc(sizeof(*sd), GFP_KERNEL);
+       if (!bus_entry || !sd) {
+               err = -ENOMEM;
+               goto err_out;
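Review bot: The comment "Because we do not expose that information via XenBus." added in pcifront_init_sd() does not say what information; `/* NUMA locality is not exposed over XenBus; fall back to the first online node. */` does. pcifront_init_sd() now initialises only `node` and `domain` of the embedded `struct pci_sysdata` and relies on the callers' `kzalloc` for the remaining fields, which a comment at the function head should state, since any caller that allocates the sysdata differently would reintroduce the garbage-fill this commit removes. Other callers of pcifront_init_sd(), if any, are outside the hunk.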
diff --git a/queue-4.4/xen-scsiback-correct-frontend-counting.patch b/queue-4.4/xen-scsiback-correct-frontend-counting.patch
new file mode 100644 (file)
index 0000000..cb27e1f
--- /dev/null
@@ -0,0 +1,43 @@
+From f285aa8db7cc4432c1a03f8b55ff34fe96317c11 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 8 Feb 2016 15:30:18 +0100
+Subject: xen/scsiback: correct frontend counting
+
+From: Juergen Gross <jgross@suse.com>
+
+commit f285aa8db7cc4432c1a03f8b55ff34fe96317c11 upstream.
+
+When adding a new frontend to xen-scsiback don't decrement the number
+of active frontends in case of no error. Doing so results in a failure
+when trying to remove the xen-pvscsi nexus even if no domain is using
+it.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-scsiback.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-scsiback.c
++++ b/drivers/xen/xen-scsiback.c
+@@ -939,12 +939,12 @@ out:
+       spin_unlock_irqrestore(&info->v2p_lock, flags);
+ out_free:
+-      mutex_lock(&tpg->tv_tpg_mutex);
+-      tpg->tv_tpg_fe_count--;
+-      mutex_unlock(&tpg->tv_tpg_mutex);
+-
+-      if (err)
++      if (err) {
++              mutex_lock(&tpg->tv_tpg_mutex);
++              tpg->tv_tpg_fe_count--;
++              mutex_unlock(&tpg->tv_tpg_mutex);
+               kfree(new);
++      }
+       return err;
+ }