4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 Jan 2017 14:35:18 +0000 (15:35 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 Jan 2017 14:35:18 +0000 (15:35 +0100)
added patches:
arc-module-fix-config_arc_dw2_unwind-builds.patch
arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch
arm-dts-da850-evm-fix-read-access-to-spi-flash.patch
arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
arm64-avoid-returning-from-bad_mode.patch
arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch
arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch
ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch
clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch
fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
fuse-fix-time_to_jiffies-nsec-sanity-check.patch
hid-corsair-fix-control-transfer-error-handling.patch
hid-corsair-fix-dma-buffers-on-stack.patch
ibmvscsis-fix-max-transfer-length.patch
ibmvscsis-fix-sleeping-in-interrupt-context.patch
ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
mtd-nand-xway-disable-module-support.patch
mtd-nand-xway-fix-build-because-of-module-functions.patch
pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
pci-enumerate-switches-below-pci-to-pcie-bridges.patch
powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
qla2xxx-fix-crash-due-to-null-pointer-access.patch
svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
svcrpc-don-t-leak-contexts-on-proc_destroy.patch
ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch

41 files changed:
queue-4.9/arc-module-fix-config_arc_dw2_unwind-builds.patch [new file with mode: 0644]
queue-4.9/arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch [new file with mode: 0644]
queue-4.9/arm-dts-da850-evm-fix-read-access-to-spi-flash.patch [new file with mode: 0644]
queue-4.9/arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch [new file with mode: 0644]
queue-4.9/arm64-avoid-returning-from-bad_mode.patch [new file with mode: 0644]
queue-4.9/arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch [new file with mode: 0644]
queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch [new file with mode: 0644]
queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch [new file with mode: 0644]
queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch [new file with mode: 0644]
queue-4.9/arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch [new file with mode: 0644]
queue-4.9/ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch [new file with mode: 0644]
queue-4.9/clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch [new file with mode: 0644]
queue-4.9/fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch [new file with mode: 0644]
queue-4.9/fuse-fix-time_to_jiffies-nsec-sanity-check.patch [new file with mode: 0644]
queue-4.9/hid-corsair-fix-control-transfer-error-handling.patch [new file with mode: 0644]
queue-4.9/hid-corsair-fix-dma-buffers-on-stack.patch [new file with mode: 0644]
queue-4.9/ibmvscsis-fix-max-transfer-length.patch [new file with mode: 0644]
queue-4.9/ibmvscsis-fix-sleeping-in-interrupt-context.patch [new file with mode: 0644]
queue-4.9/ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch [new file with mode: 0644]
queue-4.9/kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch [new file with mode: 0644]
queue-4.9/kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch [new file with mode: 0644]
queue-4.9/libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch [new file with mode: 0644]
queue-4.9/mac80211-implement-multicast-forwarding-on-fast-rx-path.patch [new file with mode: 0644]
queue-4.9/mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch [new file with mode: 0644]
queue-4.9/mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch [new file with mode: 0644]
queue-4.9/mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch [new file with mode: 0644]
queue-4.9/mtd-nand-xway-disable-module-support.patch [new file with mode: 0644]
queue-4.9/mtd-nand-xway-fix-build-because-of-module-functions.patch [new file with mode: 0644]
queue-4.9/pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch [new file with mode: 0644]
queue-4.9/pci-enumerate-switches-below-pci-to-pcie-bridges.patch [new file with mode: 0644]
queue-4.9/powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch [new file with mode: 0644]
queue-4.9/powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch [new file with mode: 0644]
queue-4.9/powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch [new file with mode: 0644]
queue-4.9/powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch [new file with mode: 0644]
queue-4.9/powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch [new file with mode: 0644]
queue-4.9/qla2xxx-fix-crash-due-to-null-pointer-access.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch [new file with mode: 0644]
queue-4.9/svcrpc-don-t-leak-contexts-on-proc_destroy.patch [new file with mode: 0644]
queue-4.9/ubifs-fix-journal-replay-wrt.-xattr-nodes.patch [new file with mode: 0644]
queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch [new file with mode: 0644]

diff --git a/queue-4.9/arc-module-fix-config_arc_dw2_unwind-builds.patch b/queue-4.9/arc-module-fix-config_arc_dw2_unwind-builds.patch
new file mode 100644 (file)
index 0000000..325fb1b
--- /dev/null
@@ -0,0 +1,81 @@
+From eb1357d942e5d96de6b4c20a8ffa55acf96233a2 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Mon, 16 Jan 2017 10:48:09 -0800
+Subject: ARC: module: Fix !CONFIG_ARC_DW2_UNWIND builds
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit eb1357d942e5d96de6b4c20a8ffa55acf96233a2 upstream.
+
+commit d65283f7b695b5 added mod->arch.secstr under
+CONFIG_ARC_DW2_UNWIND, but used it unconditionally which broke builds
+when the option was disabled. Fix that by adjusting the #ifdef guard.
+
+And while at it add a missing guard (for unwinder) in module.c as well
+
+Reported-by: Waldemar Brodkorb <wbx@openadk.org>
+Fixes: d65283f7b695b5 ("ARC: module: elide loop to save reference to .eh_frame")
+Tested-by: Anton Kolesov <akolesov@synopsys.com>
+Reviewed-by: Alexey Brodkin <abrodkin@synopsys.com>
+[abrodkin: provided fixlet to Kconfig per failure in allnoconfig build]
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/Kconfig              |    2 +-
+ arch/arc/include/asm/module.h |    4 ++--
+ arch/arc/kernel/module.c      |    4 +++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -28,7 +28,7 @@ config ARC
+       select HAVE_KPROBES
+       select HAVE_KRETPROBES
+       select HAVE_MEMBLOCK
+-      select HAVE_MOD_ARCH_SPECIFIC if ARC_DW2_UNWIND
++      select HAVE_MOD_ARCH_SPECIFIC
+       select HAVE_OPROFILE
+       select HAVE_PERF_EVENTS
+       select HANDLE_DOMAIN_IRQ
+--- a/arch/arc/include/asm/module.h
++++ b/arch/arc/include/asm/module.h
+@@ -14,13 +14,13 @@
+ #include <asm-generic/module.h>
+-#ifdef CONFIG_ARC_DW2_UNWIND
+ struct mod_arch_specific {
++#ifdef CONFIG_ARC_DW2_UNWIND
+       void *unw_info;
+       int unw_sec_idx;
++#endif
+       const char *secstr;
+ };
+-#endif
+ #define MODULE_PROC_FAMILY "ARC700"
+--- a/arch/arc/kernel/module.c
++++ b/arch/arc/kernel/module.c
+@@ -32,8 +32,8 @@ int module_frob_arch_sections(Elf_Ehdr *
+ #ifdef CONFIG_ARC_DW2_UNWIND
+       mod->arch.unw_sec_idx = 0;
+       mod->arch.unw_info = NULL;
+-      mod->arch.secstr = secstr;
+ #endif
++      mod->arch.secstr = secstr;
+       return 0;
+ }
+@@ -113,8 +113,10 @@ int apply_relocate_add(Elf32_Shdr *sechd
+       }
++#ifdef CONFIG_ARC_DW2_UNWIND
+       if (strcmp(module->arch.secstr+sechdrs[tgtsec].sh_name, ".eh_frame") == 0)
+               module->arch.unw_sec_idx = tgtsec;
++#endif
+       return 0;
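Review bot: After this change `mod->arch.secstr = secstr;` in module_frob_arch_sections runs in every configuration, but its only reader in these hunks, the `.eh_frame` comparison in apply_relocate_add, is now built only under CONFIG_ARC_DW2_UNWIND. With the unwinder disabled the pointer is therefore stored and never read here. The lifetime of the section-name table it points into is not shown; if that table is released once loading finishes, `mod->arch` keeps a stale pointer. A field comment such as `/* section-name table; only valid while relocations are applied */` would document this, or the assignment could stay under the same guard as its reader while the struct remains unconditional. Both functions continue outside the hunks.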
diff --git a/queue-4.9/arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch b/queue-4.9/arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch
new file mode 100644 (file)
index 0000000..ea5bb53
--- /dev/null
@@ -0,0 +1,74 @@
+From ddc37832a1349f474c4532de381498020ed71d31 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 6 Jan 2017 13:12:47 +0100
+Subject: ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ddc37832a1349f474c4532de381498020ed71d31 upstream.
+
+On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
+undefined instruction trap within write_wb_reg. This is because Scorpion
+CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
+the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
+watchpoint registers are treated as undefined.
+
+It's possible to trigger similar crashes later on from userspace, by
+requesting the kernel to install a breakpoint or watchpoint, as we can
+go idle at any point between the reset of the debug registers and their
+later use. This has always been the case.
+
+Given that this has always been broken, no-one has complained until now,
+and there is no clear workaround, disable hardware breakpoints and
+watchpoints on Scorpion to avoid these issues.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/cputype.h  |    3 +++
+ arch/arm/kernel/hw_breakpoint.c |   16 ++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/arch/arm/include/asm/cputype.h
++++ b/arch/arm/include/asm/cputype.h
+@@ -94,6 +94,9 @@
+ #define ARM_CPU_XSCALE_ARCH_V2                0x4000
+ #define ARM_CPU_XSCALE_ARCH_V3                0x6000
++/* Qualcomm implemented cores */
++#define ARM_CPU_PART_SCORPION         0x510002d0
++
+ extern unsigned int processor_id;
+ #ifdef CONFIG_CPU_CP15
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -1066,6 +1066,22 @@ static int __init arch_hw_breakpoint_ini
+               return 0;
+       }
++      /*
++       * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
++       * whenever a WFI is issued, even if the core is not powered down, in
++       * violation of the architecture.  When DBGPRSR.SPD is set, accesses to
++       * breakpoint and watchpoint registers are treated as undefined, so
++       * this results in boot time and runtime failures when these are
++       * accessed and we unexpectedly take a trap.
++       *
++       * It's not clear if/how this can be worked around, so we blacklist
++       * Scorpion CPUs to avoid these issues.
++      */
++      if (read_cpuid_part() == ARM_CPU_PART_SCORPION) {
++              pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
++              return 0;
++      }
++
+       has_ossr = core_has_os_save_restore();
+       /* Determine how many BRPs/WRPs are available. */
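Review bot: The new check in arch_hw_breakpoint_init matches a single part id, `ARM_CPU_PART_SCORPION` (0x510002d0), while the comment above it says the behaviour was seen on "at least those in APQ8060". Any Scorpion variant reporting a different part number would still be exposed to the crash described in the commit message. The comment should say which part the id covers and that other ids are unverified, e.g. `/* matches part id 0x510002d0 only; other Scorpion ids unverified */`. The early `return 0` also assumes that later breakpoint and watchpoint requests are refused when init stops before counting BRPs/WRPs; that code is outside this hunk and worth confirming. Minor: the closing `*/` of the new comment is indented one column short of the ` *` lines.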
diff --git a/queue-4.9/arm-dts-da850-evm-fix-read-access-to-spi-flash.patch b/queue-4.9/arm-dts-da850-evm-fix-read-access-to-spi-flash.patch
new file mode 100644 (file)
index 0000000..4a95012
--- /dev/null
@@ -0,0 +1,40 @@
+From 43849785e1079f6606a31cb7fda92d1200849728 Mon Sep 17 00:00:00 2001
+From: Fabien Parent <fparent@baylibre.com>
+Date: Tue, 17 Jan 2017 13:57:42 +0100
+Subject: ARM: dts: da850-evm: fix read access to SPI flash
+
+From: Fabien Parent <fparent@baylibre.com>
+
+commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.
+
+Read access to the SPI flash are broken on da850-evm, i.e. the data
+read is not what is actually programmed on the flash.
+According to the datasheet for the M25P64 part present on the da850-evm,
+if the SPI frequency is higher than 20MHz then the READ command is not
+usable anymore and only the FAST_READ command can be used to read data.
+
+This commit specifies in the DTS that we should use FAST_READ command
+instead of the READ command.
+
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Fabien Parent <fparent@baylibre.com>
+[nsekhar@ti.com: subject line adjustment]
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+
+---
+ arch/arm/boot/dts/da850-evm.dts |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/da850-evm.dts
++++ b/arch/arm/boot/dts/da850-evm.dts
+@@ -99,6 +99,7 @@
+                               #size-cells = <1>;
+                               compatible = "m25p64";
+                               spi-max-frequency = <30000000>;
++                              m25p,fast-read;
+                               reg = <0>;
+                               partition@0 {
+                                       label = "U-Boot-SPL";
diff --git a/queue-4.9/arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch b/queue-4.9/arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
new file mode 100644 (file)
index 0000000..b5d5557
--- /dev/null
@@ -0,0 +1,55 @@
+From 87cb12910a2ab6ed41ae951ea4d9c1cc1120199a Mon Sep 17 00:00:00 2001
+From: Jean-Jacques Hiblot <jjhiblot@ti.com>
+Date: Mon, 9 Jan 2017 13:22:15 +0100
+Subject: ARM: dts: OMAP5 / DRA7: indicate that SATA port 0 is available.
+
+From: Jean-Jacques Hiblot <jjhiblot@ti.com>
+
+commit 87cb12910a2ab6ed41ae951ea4d9c1cc1120199a upstream.
+
+AHCI provides the register PORTS_IMPL to let the software know which port
+is supported. The register must be initialized by the bootloader. However
+in some cases u-boot doesn't properly initialize this value (if it is not
+compiled with SATA support for example or if the SATA initialization fails).
+The DTS entry "ports-implemented" can be used to override the value in
+PORTS_IMPL.
+
+Without this patch the SATA will not work in the following two cases:
+
+* if there has been a failure to initialize SATA in u-boot.
+
+* if ahci_platform module has been removed and re-inserted. The reason is
+  that the content of PORTS_IMPL is lost after the module is removed.
+  I suspect that it's because the controller is reset by the hwmod.
+
+Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+[tony@atomide.com: updated comments with what goes wrong]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dra7.dtsi  |    1 +
+ arch/arm/boot/dts/omap5.dtsi |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -1376,6 +1376,7 @@
+                       phy-names = "sata-phy";
+                       clocks = <&sata_ref_clk>;
+                       ti,hwmods = "sata";
++                      ports-implemented = <0x1>;
+               };
+               rtc: rtc@48838000 {
+--- a/arch/arm/boot/dts/omap5.dtsi
++++ b/arch/arm/boot/dts/omap5.dtsi
+@@ -985,6 +985,7 @@
+                       phy-names = "sata-phy";
+                       clocks = <&sata_ref_clk>;
+                       ti,hwmods = "sata";
++                      ports-implemented = <0x1>;
+               };
+               dss: dss@58000000 {
diff --git a/queue-4.9/arm64-avoid-returning-from-bad_mode.patch b/queue-4.9/arm64-avoid-returning-from-bad_mode.patch
new file mode 100644 (file)
index 0000000..e3ad951
--- /dev/null
@@ -0,0 +1,105 @@
+From 7d9e8f71b989230bc613d121ca38507d34ada849 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 18 Jan 2017 17:23:41 +0000
+Subject: arm64: avoid returning from bad_mode
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 7d9e8f71b989230bc613d121ca38507d34ada849 upstream.
+
+Generally, taking an unexpected exception should be a fatal event, and
+bad_mode is intended to cater for this. However, it should be possible
+to contain unexpected synchronous exceptions from EL0 without bringing
+the kernel down, by sending a SIGILL to the task.
+
+We tried to apply this approach in commit 9955ac47f4ba1c95 ("arm64:
+don't kill the kernel on a bad esr from el0"), by sending a signal for
+any bad_mode call resulting from an EL0 exception.
+
+However, this also applies to other unexpected exceptions, such as
+SError and FIQ. The entry paths for these exceptions branch to bad_mode
+without configuring the link register, and have no kernel_exit. Thus, if
+we take one of these exceptions from EL0, bad_mode will eventually
+return to the original user link register value.
+
+This patch fixes this by introducing a new bad_el0_sync handler to cater
+for the recoverable case, and restoring bad_mode to its original state,
+whereby it calls panic() and never returns. The recoverable case
+branches to bad_el0_sync with a bl, and returns to userspace via the
+usual ret_to_user mechanism.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 9955ac47f4ba1c95 ("arm64: don't kill the kernel on a bad esr from el0")
+Reported-by: Mark Salter <msalter@redhat.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/entry.S |    2 +-
+ arch/arm64/kernel/traps.c |   28 ++++++++++++++++++++++++----
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -624,7 +624,7 @@ el0_inv:
+       mov     x0, sp
+       mov     x1, #BAD_SYNC
+       mov     x2, x25
+-      bl      bad_mode
++      bl      bad_el0_sync
+       b       ret_to_user
+ ENDPROC(el0_sync)
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -596,17 +596,34 @@ const char *esr_get_class_string(u32 esr
+ }
+ /*
+- * bad_mode handles the impossible case in the exception vector.
++ * bad_mode handles the impossible case in the exception vector. This is always
++ * fatal.
+  */
+ asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
+ {
+-      siginfo_t info;
+-      void __user *pc = (void __user *)instruction_pointer(regs);
+       console_verbose();
+       pr_crit("Bad mode in %s handler detected on CPU%d, code 0x%08x -- %s\n",
+               handler[reason], smp_processor_id(), esr,
+               esr_get_class_string(esr));
++
++      die("Oops - bad mode", regs, 0);
++      local_irq_disable();
++      panic("bad mode");
++}
++
++/*
++ * bad_el0_sync handles unexpected, but potentially recoverable synchronous
++ * exceptions taken from EL0. Unlike bad_mode, this returns.
++ */
++asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
++{
++      siginfo_t info;
++      void __user *pc = (void __user *)instruction_pointer(regs);
++      console_verbose();
++
++      pr_crit("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x -- %s\n",
++              smp_processor_id(), esr, esr_get_class_string(esr));
+       __show_regs(regs);
+       info.si_signo = SIGILL;
+@@ -614,7 +631,10 @@ asmlinkage void bad_mode(struct pt_regs
+       info.si_code  = ILL_ILLOPC;
+       info.si_addr  = pc;
+-      arm64_notify_die("Oops - bad mode", regs, &info, 0);
++      current->thread.fault_address = 0;
++      current->thread.fault_code = 0;
++
++      force_sig_info(info.si_signo, &info, current);
+ }
+ void __pte_error(const char *file, int line, unsigned long val)
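Review bot: bad_el0_sync is reached from an EL0 exception, yet it calls `console_verbose()`, `pr_crit(...)` and `__show_regs(regs)` on every hit with no throttling. A user task that can take this path repeatedly can flood the kernel log and leave the console log level raised. Since the handler now only delivers SIGILL and returns, the report could use `pr_crit_ratelimited(...)` and the `console_verbose()` call could be dropped from the recoverable path. The `reason` argument is unused in the new function; a comment that it is kept only to match the register setup in entry.S (`mov x1, #BAD_SYNC`) would avoid confusion.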
diff --git a/queue-4.9/arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch b/queue-4.9/arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch
new file mode 100644 (file)
index 0000000..2ee9310
--- /dev/null
@@ -0,0 +1,36 @@
+From aeb1f39d814b2e21e5e5706a48834bfd553d0059 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:23 +0000
+Subject: arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.
+
+This patch adds an explicit __reserved[] field to user_fpsimd_state
+to replace what was previously unnamed padding.
+
+This ensures that data in this region are propagated across
+assignment rather than being left possibly uninitialised at the
+destination.
+
+Fixes: 60ffc30d5652 ("arm64: Exception handling")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/uapi/asm/ptrace.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -77,6 +77,7 @@ struct user_fpsimd_state {
+       __uint128_t     vregs[32];
+       __u32           fpsr;
+       __u32           fpcr;
++      __u32           __reserved[2];
+ };
+ struct user_hwdebug_state {
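Review bot: The new `__u32 __reserved[2];` member of struct user_fpsimd_state has no comment, although it sits in a uapi header and exists for a non-obvious reason. Per the commit message, it names what used to be tail padding so that a struct assignment copies those bytes instead of leaving them uninitialised at the destination. I would add `/* explicit tail padding: copied by struct assignment rather than left uninitialised */` next to the field. A compile-time size assertion near the user of this struct would also confirm that the userspace-visible layout did not change; that is a suggestion only, since the start of the struct is outside the hunk.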
diff --git a/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
new file mode 100644 (file)
index 0000000..3be4a3a
--- /dev/null
@@ -0,0 +1,35 @@
+From 9dd73f72f218320c6c90da5f834996e7360dc227 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:21 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 2
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 9dd73f72f218320c6c90da5f834996e7360dc227 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 766a85d7bc5d ("arm64: ptrace: add NT_ARM_SYSTEM_CALL regset")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -676,7 +676,8 @@ static int system_call_set(struct task_s
+                          unsigned int pos, unsigned int count,
+                          const void *kbuf, const void __user *ubuf)
+ {
+-      int syscallno, ret;
++      int syscallno = task_pt_regs(target)->syscallno;
++      int ret;
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &syscallno, 0, -1);
+       if (ret)
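Review bot: The initialiser `int syscallno = task_pt_regs(target)->syscallno;` in system_call_set is load-bearing but uncommented. Without it, a PTRACE_SETREGSET call that supplies too little data would leave the local holding uninitialised kernel stack after `user_regset_copyin()`. A one-line comment such as `/* seed with the current value: copyin may fill less than the whole local */` would stop a later cleanup from removing it as a redundant initialisation. The same applies to `tls` in compat_tls_set and to `newregs`, `newstate` and `tls` in gpr_set, fpr_set and tls_set in the two following patches. All of these functions continue past the end of their hunks, so how the value is stored afterwards is not visible here.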
diff --git a/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
new file mode 100644 (file)
index 0000000..93c1a8e
--- /dev/null
@@ -0,0 +1,34 @@
+From a672401c00f82e4e19704aff361d9bad18003714 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:22 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 3
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit a672401c00f82e4e19704aff361d9bad18003714 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 5d220ff9420f ("arm64: Better native ptrace support for compat tasks")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -949,7 +949,7 @@ static int compat_tls_set(struct task_st
+                         const void __user *ubuf)
+ {
+       int ret;
+-      compat_ulong_t tls;
++      compat_ulong_t tls = target->thread.tp_value;
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+       if (ret)
diff --git a/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644 (file)
index 0000000..1d4a8cc
--- /dev/null
@@ -0,0 +1,53 @@
+From 9a17b876b573441bfb3387ad55d98bf7184daf9d Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:20 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 478fcb2cdb23 ("arm64: Debugging support")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -595,7 +595,7 @@ static int gpr_set(struct task_struct *t
+                  const void *kbuf, const void __user *ubuf)
+ {
+       int ret;
+-      struct user_pt_regs newregs;
++      struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
+       if (ret)
+@@ -625,7 +625,8 @@ static int fpr_set(struct task_struct *t
+                  const void *kbuf, const void __user *ubuf)
+ {
+       int ret;
+-      struct user_fpsimd_state newstate;
++      struct user_fpsimd_state newstate =
++              target->thread.fpsimd_state.user_fpsimd;
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
+       if (ret)
+@@ -649,7 +650,7 @@ static int tls_set(struct task_struct *t
+                  const void *kbuf, const void __user *ubuf)
+ {
+       int ret;
+-      unsigned long tls;
++      unsigned long tls = target->thread.tp_value;
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+       if (ret)
diff --git a/queue-4.9/arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch b/queue-4.9/arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch
new file mode 100644 (file)
index 0000000..459d098
--- /dev/null
@@ -0,0 +1,45 @@
+From ad9e202aa1ce571b1d7fed969d06f66067f8a086 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:24 +0000
+Subject: arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream.
+
+We cannot preserve partial fields for hardware breakpoints, because
+the values written by userspace to the hardware breakpoint
+registers can't subsequently be recovered intact from the hardware.
+
+So, just reject attempts to write incomplete fields with -EINVAL.
+
+Fixes: 478fcb2cdb23 ("arm64: Debugging support")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -550,6 +550,8 @@ static int hw_break_set(struct task_stru
+       /* (address, ctrl) registers */
+       limit = regset->n * regset->size;
+       while (count && offset < limit) {
++              if (count < PTRACE_HBP_ADDR_SZ)
++                      return -EINVAL;
+               ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
+                                        offset, offset + PTRACE_HBP_ADDR_SZ);
+               if (ret)
+@@ -559,6 +561,8 @@ static int hw_break_set(struct task_stru
+                       return ret;
+               offset += PTRACE_HBP_ADDR_SZ;
++              if (!count)
++                      break;
+               ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
+                                        offset, offset + PTRACE_HBP_CTRL_SZ);
+               if (ret)
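Review bot: Only the address field gets an explicit length check (`if (count < PTRACE_HBP_ADDR_SZ) return -EINVAL;`); before the control field the new code tests just `if (!count) break;`. A remaining count between 1 and `PTRACE_HBP_CTRL_SZ - 1` would therefore still reach `user_regset_copyin()` into `ctrl`. A size-granularity check in the caller presumably excludes that, but nothing in this hunk shows it. Either add the symmetric `if (count < PTRACE_HBP_CTRL_SZ) return -EINVAL;` or a comment stating the invariant. The `-EINVAL` is also returned from inside the loop, so entries handled in earlier iterations appear to stay applied; the loop body is only partly visible between the two hunks.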
diff --git a/queue-4.9/ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch b/queue-4.9/ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch
new file mode 100644 (file)
index 0000000..403fbdd
--- /dev/null
@@ -0,0 +1,47 @@
+From 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Thu, 12 Jan 2017 14:42:41 -0500
+Subject: ceph: fix bad endianness handling in parse_reply_info_extra
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.
+
+sparse says:
+
+    fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
+    fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
+    fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
+    fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer
+
+The op value is __le32, so we need to convert it before comparing it.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/mds_client.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -288,12 +288,13 @@ static int parse_reply_info_extra(void *
+                                 struct ceph_mds_reply_info_parsed *info,
+                                 u64 features)
+ {
+-      if (info->head->op == CEPH_MDS_OP_GETFILELOCK)
++      u32 op = le32_to_cpu(info->head->op);
++
++      if (op == CEPH_MDS_OP_GETFILELOCK)
+               return parse_reply_info_filelock(p, end, info, features);
+-      else if (info->head->op == CEPH_MDS_OP_READDIR ||
+-               info->head->op == CEPH_MDS_OP_LSSNAP)
++      else if (op == CEPH_MDS_OP_READDIR || op == CEPH_MDS_OP_LSSNAP)
+               return parse_reply_info_dir(p, end, info, features);
+-      else if (info->head->op == CEPH_MDS_OP_CREATE)
++      else if (op == CEPH_MDS_OP_CREATE)
+               return parse_reply_info_create(p, end, info, features);
+       else
+               return -EIO;
diff --git a/queue-4.9/clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch b/queue-4.9/clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch
new file mode 100644 (file)
index 0000000..d4950bd
--- /dev/null
@@ -0,0 +1,49 @@
+From bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 Mon Sep 17 00:00:00 2001
+From: Joonyoung Shim <jy0922.shim@samsung.com>
+Date: Tue, 17 Jan 2017 13:54:36 +0900
+Subject: clocksource/exynos_mct: Clear interrupt when cpu is shut down
+
+From: Joonyoung Shim <jy0922.shim@samsung.com>
+
+commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.
+
+When a CPU goes offline a potentially pending timer interrupt is not
+cleared. When the CPU comes online again then the pending interrupt is
+delivered before the per cpu clockevent device is initialized. As a
+consequence the tick interrupt handler dereferences a NULL pointer.
+
+[   51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
+[   51.289348] task: ee942d00 task.stack: ee960000
+[   51.293861] PC is at tick_periodic+0x38/0xb0
+[   51.298102] LR is at tick_handle_periodic+0x1c/0x90
+
+Clear the pending interrupt in the cpu dying path.
+
+Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
+Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
+Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
+Cc: linux-samsung-soc@vger.kernel.org
+Cc: cw00.choi@samsung.com
+Cc: daniel.lezcano@linaro.org
+Cc: javier@osg.samsung.com
+Cc: kgene@kernel.org
+Cc: krzk@kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/exynos_mct.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -495,6 +495,7 @@ static int exynos4_mct_dying_cpu(unsigne
+       if (mct_int_type == MCT_INT_SPI) {
+               if (evt->irq != -1)
+                       disable_irq_nosync(evt->irq);
++              exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
+       } else {
+               disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
+       }
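Review bot: The literal `0x1` written to `MCT_L_INT_CSTAT_OFFSET` in the SPI branch of `exynos4_mct_dying_cpu()` carries no explanation, and the `else` branch (per-cpu interrupt) gets no equivalent clear. A comment above the write, such as `/* ack a possibly pending tick so it is not delivered before the clockevent device is set up again */`, would record why it is there. Whether the per-cpu interrupt path can leave the same stale pending state cannot be told from this hunk and is worth confirming, since the failure described is a NULL dereference in the tick handler. The function starts and ends outside the hunk.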
diff --git a/queue-4.9/fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch b/queue-4.9/fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
new file mode 100644 (file)
index 0000000..4fa6a8c
--- /dev/null
@@ -0,0 +1,49 @@
+From a8a86d78d673b1c99fe9b0064739fde9e9774184 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Thu, 12 Jan 2017 12:04:04 -0800
+Subject: fuse: clear FR_PENDING flag when moving requests out of pending queue
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+commit a8a86d78d673b1c99fe9b0064739fde9e9774184 upstream.
+
+fuse_abort_conn() moves requests from pending list to a temporary list
+before canceling them. This operation races with request_wait_answer()
+which also tries to remove the request after it gets a fatal signal. It
+checks FR_PENDING flag to determine whether the request is still in the
+pending list.
+
+Make fuse_abort_conn() clear FR_PENDING flag so that request_wait_answer()
+does not remove the request from temporary list.
+
+This bug causes an Oops when trying to delete an already deleted list entry
+in end_requests().
+
+Fixes: ee314a870e40 ("fuse: abort: no fc->lock needed for request ending")
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -2025,7 +2025,6 @@ static void end_requests(struct fuse_con
+               struct fuse_req *req;
+               req = list_entry(head->next, struct fuse_req, list);
+               req->out.h.error = -ECONNABORTED;
+-              clear_bit(FR_PENDING, &req->flags);
+               clear_bit(FR_SENT, &req->flags);
+               list_del_init(&req->list);
+               request_end(fc, req);
+@@ -2103,6 +2102,8 @@ void fuse_abort_conn(struct fuse_conn *f
+               spin_lock(&fiq->waitq.lock);
+               fiq->connected = 0;
+               list_splice_init(&fiq->pending, &to_end2);
++              list_for_each_entry(req, &to_end2, list)
++                      clear_bit(FR_PENDING, &req->flags);
+               while (forget_pending(fiq))
+                       kfree(dequeue_forget(fiq, 1, NULL));
+               wake_up_all_locked(&fiq->waitq);
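Review bot: The new `list_for_each_entry()` loop in `fuse_abort_conn()` closes the race only because it runs while `fiq->waitq.lock` is still held, and nothing in the code records that ordering requirement. A comment above the loop would keep a later refactor from moving it past the unlock: `/* clear FR_PENDING under fiq->waitq.lock: the requests now sit on to_end2, and request_wait_answer() must not list_del them */`. Since `end_requests()` no longer clears `FR_PENDING` itself, every list handed to it must have had the flag cleared by the caller; those callers are outside the hunks and should be checked. Both functions start and end outside the hunks.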
diff --git a/queue-4.9/fuse-fix-time_to_jiffies-nsec-sanity-check.patch b/queue-4.9/fuse-fix-time_to_jiffies-nsec-sanity-check.patch
new file mode 100644 (file)
index 0000000..d5c4d20
--- /dev/null
@@ -0,0 +1,34 @@
+From 210675270caa33253e4c33f3c5e657e7d6060812 Mon Sep 17 00:00:00 2001
+From: David Sheets <david.sheets@docker.com>
+Date: Fri, 13 Jan 2017 15:58:30 +0000
+Subject: fuse: fix time_to_jiffies nsec sanity check
+
+From: David Sheets <david.sheets@docker.com>
+
+commit 210675270caa33253e4c33f3c5e657e7d6060812 upstream.
+
+Commit bcb6f6d2b9c2 ("fuse: use timespec64") introduced clamped nsec values
+in time_to_jiffies but used the max of nsec and NSEC_PER_SEC - 1 instead of
+the min. Because of this, dentries would stay in the cache longer than
+requested and go stale in scenarios that relied on their timely eviction.
+
+Fixes: bcb6f6d2b9c2 ("fuse: use timespec64")
+Signed-off-by: David Sheets <dsheets@docker.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -68,7 +68,7 @@ static u64 time_to_jiffies(u64 sec, u32
+       if (sec || nsec) {
+               struct timespec64 ts = {
+                       sec,
+-                      max_t(u32, nsec, NSEC_PER_SEC - 1)
++                      min_t(u32, nsec, NSEC_PER_SEC - 1)
+               };
+               return get_jiffies_64() + timespec64_to_jiffies(&ts);
diff --git a/queue-4.9/hid-corsair-fix-control-transfer-error-handling.patch b/queue-4.9/hid-corsair-fix-control-transfer-error-handling.patch
new file mode 100644 (file)
index 0000000..633f552
--- /dev/null
@@ -0,0 +1,54 @@
+From 7a546af50eb78ab99840903083231eb635c8a566 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 18:17:43 +0100
+Subject: HID: corsair: fix control-transfer error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a546af50eb78ab99840903083231eb635c8a566 upstream.
+
+Make sure to check for short control transfers in order to avoid parsing
+uninitialised buffer data and leaking it to user space.
+
+Note that the backlight and macro-mode buffer constraints are kept as
+loose as possible in order to avoid any regressions should the current
+buffer sizes be larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-corsair.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -159,7 +159,7 @@ static enum led_brightness k90_backlight
+                             USB_DIR_IN | USB_TYPE_VENDOR |
+                             USB_RECIP_DEVICE, 0, 0, data, 8,
+                             USB_CTRL_SET_TIMEOUT);
+-      if (ret < 0) {
++      if (ret < 5) {
+               dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+                        ret);
+               ret = -EIO;
+@@ -274,7 +274,7 @@ static ssize_t k90_show_macro_mode(struc
+                             USB_DIR_IN | USB_TYPE_VENDOR |
+                             USB_RECIP_DEVICE, 0, 0, data, 2,
+                             USB_CTRL_SET_TIMEOUT);
+-      if (ret < 0) {
++      if (ret < 1) {
+               dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+                        ret);
+               ret = -EIO;
+@@ -351,7 +351,7 @@ static ssize_t k90_show_current_profile(
+                             USB_DIR_IN | USB_TYPE_VENDOR |
+                             USB_RECIP_DEVICE, 0, 0, data, 8,
+                             USB_CTRL_SET_TIMEOUT);
+-      if (ret < 0) {
++      if (ret < 8) {
+               dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+                        ret);
+               ret = -EIO;
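Review bot: The new minimum lengths `5`, `1` and `8` are bare literals whose correctness depends on the highest `data[]` index each function reads afterwards (`data[4]`, `data[0]` and `data[7]`), and those reads are outside these hunks. A short comment at each check, for example `/* need data[0..4] */` before `if (ret < 5)`, would tie the threshold to the read so the two cannot drift apart and bring back the uninitialised-data leak. The unchanged `dev_warn()` text still says `(error %d)`, which for a short read now prints a positive byte count; wording such as `(ret %d)` would not mislead whoever reads the log.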
diff --git a/queue-4.9/hid-corsair-fix-dma-buffers-on-stack.patch b/queue-4.9/hid-corsair-fix-dma-buffers-on-stack.patch
new file mode 100644 (file)
index 0000000..cf5df72
--- /dev/null
@@ -0,0 +1,144 @@
+From 6d104af38b570d37aa32a5803b04c354f8ed513d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 18:17:42 +0100
+Subject: HID: corsair: fix DMA buffers on stack
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6d104af38b570d37aa32a5803b04c354f8ed513d upstream.
+
+Not all platforms support DMA to the stack, and specifically since v4.9
+this is no longer supported on x86 with VMAP_STACK either.
+
+Note that the macro-mode buffer was larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-corsair.c |   54 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight
+       struct usb_interface *usbif = to_usb_interface(dev->parent);
+       struct usb_device *usbdev = interface_to_usbdev(usbif);
+       int brightness;
+-      char data[8];
++      char *data;
++
++      data = kmalloc(8, GFP_KERNEL);
++      if (!data)
++              return -ENOMEM;
+       ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+                             K90_REQUEST_STATUS,
+@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight
+       if (ret < 0) {
+               dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+                        ret);
+-              return -EIO;
++              ret = -EIO;
++              goto out;
+       }
+       brightness = data[4];
+       if (brightness < 0 || brightness > 3) {
+               dev_warn(dev,
+                        "Read invalid backlight brightness: %02hhx.\n",
+                        data[4]);
+-              return -EIO;
++              ret = -EIO;
++              goto out;
+       }
+-      return brightness;
++      ret = brightness;
++out:
++      kfree(data);
++
++      return ret;
+ }
+ static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
+@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struc
+       struct usb_interface *usbif = to_usb_interface(dev->parent);
+       struct usb_device *usbdev = interface_to_usbdev(usbif);
+       const char *macro_mode;
+-      char data[8];
++      char *data;
++
++      data = kmalloc(2, GFP_KERNEL);
++      if (!data)
++              return -ENOMEM;
+       ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+                             K90_REQUEST_GET_MODE,
+@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struc
+       if (ret < 0) {
+               dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+                        ret);
+-              return -EIO;
++              ret = -EIO;
++              goto out;
+       }
+       switch (data[0]) {
+@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struc
+       default:
+               dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
+                        data[0]);
+-              return -EIO;
++              ret = -EIO;
++              goto out;
+       }
+-      return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++      ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++out:
++      kfree(data);
++
++      return ret;
+ }
+ static ssize_t k90_store_macro_mode(struct device *dev,
+@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(
+       struct usb_interface *usbif = to_usb_interface(dev->parent);
+       struct usb_device *usbdev = interface_to_usbdev(usbif);
+       int current_profile;
+-      char data[8];
++      char *data;
++
++      data = kmalloc(8, GFP_KERNEL);
++      if (!data)
++              return -ENOMEM;
+       ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+                             K90_REQUEST_STATUS,
+@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(
+       if (ret < 0) {
+               dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+                        ret);
+-              return -EIO;
++              ret = -EIO;
++              goto out;
+       }
+       current_profile = data[7];
+       if (current_profile < 1 || current_profile > 3) {
+               dev_warn(dev, "Read invalid current profile: %02hhx.\n",
+                        data[7]);
+-              return -EIO;
++              ret = -EIO;
++              goto out;
+       }
+-      return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++      ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++out:
++      kfree(data);
++
++      return ret;
+ }
+ static ssize_t k90_store_current_profile(struct device *dev,
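Review bot: Each buffer size is now a bare literal in `kmalloc(8, GFP_KERNEL)` / `kmalloc(2, GFP_KERNEL)`, while the matching length argument of `usb_control_msg()` sits on a line outside these hunks. With a heap buffer, a transfer length larger than the allocation becomes a write past the end of the slab object, so both values should come from one named constant per request, e.g. `#define K90_STATUS_LEN 8` (name is a suggestion) used in the allocation and in the call. `kmalloc()` also leaves the buffer uninitialised and the `ret < 0` checks shown here accept short reads, so this patch relies on hid-corsair-fix-control-transfer-error-handling.patch from the same queue being applied with it. Separately, `k90_backlight_get()` returns `-ENOMEM` through an `enum led_brightness` return type, as it already did with `-EIO`.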
diff --git a/queue-4.9/ibmvscsis-fix-max-transfer-length.patch b/queue-4.9/ibmvscsis-fix-max-transfer-length.patch
new file mode 100644 (file)
index 0000000..2efea43
--- /dev/null
@@ -0,0 +1,41 @@
+From 387b978cb0d12cf3720ecb17e652e0a9991a08e2 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly" <bryantly@linux.vnet.ibm.com>
+Date: Wed, 11 Jan 2017 13:52:27 -0600
+Subject: ibmvscsis: Fix max transfer length
+
+From: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+
+commit 387b978cb0d12cf3720ecb17e652e0a9991a08e2 upstream.
+
+Current code incorrectly calculates the max transfer length, since
+it is assuming a 4k page table, but ppc64 all run on 64k page tables.
+
+Reported-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Tested-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -45,6 +45,7 @@
+ #define       INITIAL_SRP_LIMIT       800
+ #define       DEFAULT_MAX_SECTORS     256
++#define MAX_TXU                       1024 * 1024
+ static uint max_vdma_size = MAX_H_COPY_RDMA;
+@@ -1291,7 +1292,7 @@ static long ibmvscsis_adapter_info(struc
+       info->mad_version = cpu_to_be32(MAD_VERSION_1);
+       info->os_type = cpu_to_be32(LINUX);
+       memset(&info->port_max_txu[0], 0, sizeof(info->port_max_txu));
+-      info->port_max_txu[0] = cpu_to_be32(128 * PAGE_SIZE);
++      info->port_max_txu[0] = cpu_to_be32(MAX_TXU);
+       dma_wmb();
+       rc = h_copy_rdma(sizeof(*info), vscsi->dds.window[LOCAL].liobn,
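Review bot: `#define MAX_TXU 1024 * 1024` is an unparenthesised expression macro, so any later use next to a higher- or equal-precedence operator (for example `len / MAX_TXU` or `len % MAX_TXU`) silently evaluates to something else. The single use in `cpu_to_be32(MAX_TXU)` is fine today, but the definition should be `#define MAX_TXU (1024 * 1024)`. The new line is also aligned with spaces where the neighbouring defines use a tab after `#define`.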
diff --git a/queue-4.9/ibmvscsis-fix-sleeping-in-interrupt-context.patch b/queue-4.9/ibmvscsis-fix-sleeping-in-interrupt-context.patch
new file mode 100644 (file)
index 0000000..1d4474a
--- /dev/null
@@ -0,0 +1,43 @@
+From a5b0e4062fb225155189e593699bbfcd0597f8b5 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly" <bryantly@linux.vnet.ibm.com>
+Date: Wed, 11 Jan 2017 13:16:42 -0600
+Subject: ibmvscsis: Fix sleeping in interrupt context
+
+From: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+
+commit a5b0e4062fb225155189e593699bbfcd0597f8b5 upstream.
+
+Currently, dma_alloc_coherent is being called with a GFP_KERNEL
+flag which allows it to sleep in an interrupt context, need to
+change to GFP_ATOMIC.
+
+Tested-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Reviewed-by: Michael Cyr <mikecyr@linux.vnet.ibm.com>
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -1239,7 +1239,7 @@ static long ibmvscsis_adapter_info(struc
+       }
+       info = dma_alloc_coherent(&vscsi->dma_dev->dev, sizeof(*info), &token,
+-                                GFP_KERNEL);
++                                GFP_ATOMIC);
+       if (!info) {
+               dev_err(&vscsi->dev, "bad dma_alloc_coherent %p\n",
+                       iue->target);
+@@ -1357,7 +1357,7 @@ static int ibmvscsis_cap_mad(struct scsi
+       }
+       cap = dma_alloc_coherent(&vscsi->dma_dev->dev, olen, &token,
+-                               GFP_KERNEL);
++                               GFP_ATOMIC);
+       if (!cap) {
+               dev_err(&vscsi->dev, "bad dma_alloc_coherent %p\n",
+                       iue->target);
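Review bot: Both `dma_alloc_coherent()` calls now pass `GFP_ATOMIC` without a comment saying why, so the next reader may "fix" it back to `GFP_KERNEL`. A one-line comment at each call, `/* may be called in interrupt context, must not sleep */`, would preserve the reason given in the commit message. `GFP_ATOMIC` allocations fail more readily under memory pressure, which makes the existing `if (!info)` and `if (!cap)` paths more likely to run; their bodies continue outside the hunks and are worth re-reading to confirm the request is completed with an error rather than left pending.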
diff --git a/queue-4.9/ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch b/queue-4.9/ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
new file mode 100644 (file)
index 0000000..10a0783
--- /dev/null
@@ -0,0 +1,98 @@
+From 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 Mon Sep 17 00:00:00 2001
+From: Stefan Schmidt <stefan@osg.samsung.com>
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA able
+
+From: Stefan Schmidt <stefan@osg.samsung.com>
+
+commit 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 upstream.
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ieee802154/atusb.c |   31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -112,13 +112,26 @@ static int atusb_read_reg(struct atusb *
+ {
+       struct usb_device *usb_dev = atusb->usb_dev;
+       int ret;
++      uint8_t *buffer;
+       uint8_t value;
++      buffer = kmalloc(1, GFP_KERNEL);
++      if (!buffer)
++              return -ENOMEM;
++
+       dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+       ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+                               ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+-                              0, reg, &value, 1, 1000);
+-      return ret >= 0 ? value : ret;
++                              0, reg, buffer, 1, 1000);
++
++      if (ret >= 0) {
++              value = buffer[0];
++              kfree(buffer);
++              return value;
++      } else {
++              kfree(buffer);
++              return ret;
++      }
+ }
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -587,9 +600,13 @@ static struct ieee802154_ops atusb_ops =
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+       struct usb_device *usb_dev = atusb->usb_dev;
+-      unsigned char buffer[3];
++      unsigned char *buffer;
+       int ret;
++      buffer = kmalloc(3, GFP_KERNEL);
++      if (!buffer)
++              return -ENOMEM;
++
+       /* Get a couple of the ATMega Firmware values */
+       ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+                               ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -605,15 +622,20 @@ static int atusb_get_and_show_revision(s
+               dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+       }
++      kfree(buffer);
+       return ret;
+ }
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+       struct usb_device *usb_dev = atusb->usb_dev;
+-      char build[ATUSB_BUILD_SIZE + 1];
++      char *build;
+       int ret;
++      build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++      if (!build)
++              return -ENOMEM;
++
+       ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+                               ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+                               build, ATUSB_BUILD_SIZE, 1000);
+@@ -622,6 +644,7 @@ static int atusb_get_and_show_build(stru
+               dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+       }
++      kfree(build);
+       return ret;
+ }
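Review bot: In `atusb_read_reg()` the `ret >= 0` test treats a zero-length transfer as success and then returns `buffer[0]` from a `kmalloc(1, GFP_KERNEL)` buffer that nothing has written, so an uninitialised heap byte is handed back as the register value. Requiring the full length fixes that and removes the duplicated `kfree()`: `if (ret < 1) ret = ret < 0 ? ret : -EIO; else ret = buffer[0];` followed by a single `kfree(buffer); return ret;`. The same short-read question applies to the 3-byte buffer in `atusb_get_and_show_revision()` and to `build` in `atusb_get_and_show_build()`, whose result checks are outside these hunks. Allocating with `kzalloc()` instead would at least make a short read deterministic.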
diff --git a/queue-4.9/kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch b/queue-4.9/kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
new file mode 100644 (file)
index 0000000..79bd7d7
--- /dev/null
@@ -0,0 +1,104 @@
+From 1193e6aeecb36c74c48c7cd0f641acbbed9ddeef Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 12 Jan 2017 09:21:56 +0000
+Subject: KVM: arm/arm64: vgic: Fix deadlock on error handling
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 1193e6aeecb36c74c48c7cd0f641acbbed9ddeef upstream.
+
+Dmitry Vyukov reported that the syzkaller fuzzer triggered a
+deadlock in the vgic setup code when an error was detected, as
+the cleanup code tries to take a lock that is already held by
+the setup code.
+
+The fix is to avoid retaking the lock when cleaning up, by
+telling the cleanup function that we already hold it.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-init.c |   18 +++++++++++++-----
+ virt/kvm/arm/vgic/vgic-v2.c   |    2 --
+ virt/kvm/arm/vgic/vgic-v3.c   |    2 --
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-init.c
++++ b/virt/kvm/arm/vgic/vgic-init.c
+@@ -268,15 +268,11 @@ static void kvm_vgic_dist_destroy(struct
+ {
+       struct vgic_dist *dist = &kvm->arch.vgic;
+-      mutex_lock(&kvm->lock);
+-
+       dist->ready = false;
+       dist->initialized = false;
+       kfree(dist->spis);
+       dist->nr_spis = 0;
+-
+-      mutex_unlock(&kvm->lock);
+ }
+ void kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu)
+@@ -286,7 +282,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vc
+       INIT_LIST_HEAD(&vgic_cpu->ap_list_head);
+ }
+-void kvm_vgic_destroy(struct kvm *kvm)
++/* To be called with kvm->lock held */
++static void __kvm_vgic_destroy(struct kvm *kvm)
+ {
+       struct kvm_vcpu *vcpu;
+       int i;
+@@ -297,6 +294,13 @@ void kvm_vgic_destroy(struct kvm *kvm)
+               kvm_vgic_vcpu_destroy(vcpu);
+ }
++void kvm_vgic_destroy(struct kvm *kvm)
++{
++      mutex_lock(&kvm->lock);
++      __kvm_vgic_destroy(kvm);
++      mutex_unlock(&kvm->lock);
++}
++
+ /**
+  * vgic_lazy_init: Lazy init is only allowed if the GIC exposed to the guest
+  * is a GICv2. A GICv3 must be explicitly initialized by the guest using the
+@@ -348,6 +352,10 @@ int kvm_vgic_map_resources(struct kvm *k
+               ret = vgic_v2_map_resources(kvm);
+       else
+               ret = vgic_v3_map_resources(kvm);
++
++      if (ret)
++              __kvm_vgic_destroy(kvm);
++
+ out:
+       mutex_unlock(&kvm->lock);
+       return ret;
+--- a/virt/kvm/arm/vgic/vgic-v2.c
++++ b/virt/kvm/arm/vgic/vgic-v2.c
+@@ -293,8 +293,6 @@ int vgic_v2_map_resources(struct kvm *kv
+       dist->ready = true;
+ out:
+-      if (ret)
+-              kvm_vgic_destroy(kvm);
+       return ret;
+ }
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -302,8 +302,6 @@ int vgic_v3_map_resources(struct kvm *kv
+       dist->ready = true;
+ out:
+-      if (ret)
+-              kvm_vgic_destroy(kvm);
+       return ret;
+ }
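Review bot: The locking contract of `__kvm_vgic_destroy()` is stated only in the comment `/* To be called with kvm->lock held */`, which is easy to violate silently and is exactly the class of mistake this patch repairs. Adding `lockdep_assert_held(&kvm->lock);` as the first statement of `__kvm_vgic_destroy()` would let lockdep-enabled builds catch a caller that forgets the lock. `kvm_vgic_dist_destroy()` lost its own `mutex_lock()`/`mutex_unlock()` pair without gaining a comparable comment or assertion, so it deserves the same treatment. The body of `__kvm_vgic_destroy()` spans two hunks and is not fully visible here.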
diff --git a/queue-4.9/kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch b/queue-4.9/kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
new file mode 100644 (file)
index 0000000..2c308af
--- /dev/null
@@ -0,0 +1,54 @@
+From 04478197416e3a302e9ebc917ba1aa884ef9bfab Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 12 Jan 2017 16:25:15 +0100
+Subject: KVM: s390: do not expose random data via facility bitmap
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit 04478197416e3a302e9ebc917ba1aa884ef9bfab upstream.
+
+kvm_s390_get_machine() populates the facility bitmap by copying bytes
+from the host results that are stored in a 256 byte array in the prefix
+page. The KVM code does use the size of the target buffer (2k), thus
+copying and exposing unrelated kernel memory (mostly machine check
+related logout data).
+
+Let's use the size of the source buffer instead.  This is ok, as the
+target buffer will always be greater or equal than the source buffer as
+the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
+the maximum possible size that is allowed by STFLE, which is 256
+doublewords. All structures are zero allocated so we can leave bytes
+256-2047 unchanged.
+
+Add a similar fix for kvm_arch_init_vm().
+
+Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+[found with smatch]
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -916,7 +916,7 @@ static int kvm_s390_get_machine(struct k
+       memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
+              S390_ARCH_FAC_LIST_SIZE_BYTE);
+       memcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,
+-             S390_ARCH_FAC_LIST_SIZE_BYTE);
++             sizeof(S390_lowcore.stfle_fac_list));
+       if (copy_to_user((void __user *)attr->addr, mach, sizeof(*mach)))
+               ret = -EFAULT;
+       kfree(mach);
+@@ -1437,7 +1437,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+       /* Populate the facility mask initially. */
+       memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
+-             S390_ARCH_FAC_LIST_SIZE_BYTE);
++             sizeof(S390_lowcore.stfle_fac_list));
+       for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
+               if (i < kvm_s390_fac_list_mask_size())
+                       kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
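Review bot: Both `memcpy()` calls now size the copy by the source, `sizeof(S390_lowcore.stfle_fac_list)`, and the guarantee that the destination is at least that large exists only in the commit message. A compile-time check next to one of the copies would make the assumption enforceable: `BUILD_BUG_ON(sizeof(S390_lowcore.stfle_fac_list) > S390_ARCH_FAC_LIST_SIZE_BYTE);`. In `kvm_s390_get_machine()` the bytes beyond the copied range are still sent to user space by `copy_to_user(..., sizeof(*mach))`, so the fix also depends on `mach` being zero-allocated; that allocation is outside the hunk and should be confirmed to use a zeroing allocator.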
diff --git a/queue-4.9/libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch b/queue-4.9/libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
new file mode 100644 (file)
index 0000000..deceaaf
--- /dev/null
@@ -0,0 +1,71 @@
+From 1f19b983a8877f81763fab3e693c6befe212736d Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 9 Jan 2017 17:30:49 -0800
+Subject: libnvdimm, namespace: fix pmem namespace leak, delete when size set to zero
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 1f19b983a8877f81763fab3e693c6befe212736d upstream.
+
+Commit 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple
+pmem-namespaces per region") added support for establishing additional
+pmem namespace beyond the seed device, similar to blk namespaces.
+However, it neglected to delete the namespace when the size is set to
+zero.
+
+Fixes: 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple pmem-namespaces per region")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/namespace_devs.c |   23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -957,6 +957,7 @@ static ssize_t __size_store(struct devic
+ {
+       resource_size_t allocated = 0, available = 0;
+       struct nd_region *nd_region = to_nd_region(dev->parent);
++      struct nd_namespace_common *ndns = to_ndns(dev);
+       struct nd_mapping *nd_mapping;
+       struct nvdimm_drvdata *ndd;
+       struct nd_label_id label_id;
+@@ -964,7 +965,7 @@ static ssize_t __size_store(struct devic
+       u8 *uuid = NULL;
+       int rc, i;
+-      if (dev->driver || to_ndns(dev)->claim)
++      if (dev->driver || ndns->claim)
+               return -EBUSY;
+       if (is_namespace_pmem(dev)) {
+@@ -1034,20 +1035,16 @@ static ssize_t __size_store(struct devic
+               nd_namespace_pmem_set_resource(nd_region, nspm,
+                               val * nd_region->ndr_mappings);
+-      } else if (is_namespace_blk(dev)) {
+-              struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev);
+-
+-              /*
+-               * Try to delete the namespace if we deleted all of its
+-               * allocation, this is not the seed device for the
+-               * region, and it is not actively claimed by a btt
+-               * instance.
+-               */
+-              if (val == 0 && nd_region->ns_seed != dev
+-                              && !nsblk->common.claim)
+-                      nd_device_unregister(dev, ND_ASYNC);
+       }
++      /*
++       * Try to delete the namespace if we deleted all of its
++       * allocation, this is not the seed device for the region, and
++       * it is not actively claimed by a btt instance.
++       */
++      if (val == 0 && nd_region->ns_seed != dev && !ndns->claim)
++              nd_device_unregister(dev, ND_ASYNC);
++
+       return rc;
+ }
diff --git a/queue-4.9/mac80211-implement-multicast-forwarding-on-fast-rx-path.patch b/queue-4.9/mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
new file mode 100644 (file)
index 0000000..1068bf3
--- /dev/null
@@ -0,0 +1,71 @@
+From eeb0d56fab4cd7848cf2be6704fa48900dbc1381 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 14 Dec 2016 16:47:43 +0100
+Subject: mac80211: implement multicast forwarding on fast-RX path
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit eeb0d56fab4cd7848cf2be6704fa48900dbc1381 upstream.
+
+In AP (or VLAN) mode, when unicast 802.11 packets are received,
+they might actually be multicast after conversion. In this case
+the fast-RX path didn't handle them properly to send them back
+to the wireless medium. Implement that by copying the SKB and
+sending it back out.
+
+The possible alternative would be to just punt the packet back
+to the regular (slow) RX path, but since we have almost all of
+the required code here already it's not so complicated to add
+here. Punting it back would also mean acquiring the spinlock,
+which would be bad for the stated purpose of the fast-RX path,
+to enable well-performing parallel RX.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |   26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3939,21 +3939,31 @@ static bool ieee80211_invoke_fast_rx(str
+       u64_stats_update_end(&stats->syncp);
+       if (fast_rx->internal_forward) {
+-              struct sta_info *dsta = sta_info_get(rx->sdata, skb->data);
++              struct sk_buff *xmit_skb = NULL;
++              bool multicast = is_multicast_ether_addr(skb->data);
+-              if (dsta) {
++              if (multicast) {
++                      xmit_skb = skb_copy(skb, GFP_ATOMIC);
++              } else if (sta_info_get(rx->sdata, skb->data)) {
++                      xmit_skb = skb;
++                      skb = NULL;
++              }
++
++              if (xmit_skb) {
+                       /*
+                        * Send to wireless media and increase priority by 256
+                        * to keep the received priority instead of
+                        * reclassifying the frame (see cfg80211_classify8021d).
+                        */
+-                      skb->priority += 256;
+-                      skb->protocol = htons(ETH_P_802_3);
+-                      skb_reset_network_header(skb);
+-                      skb_reset_mac_header(skb);
+-                      dev_queue_xmit(skb);
+-                      return true;
++                      xmit_skb->priority += 256;
++                      xmit_skb->protocol = htons(ETH_P_802_3);
++                      skb_reset_network_header(xmit_skb);
++                      skb_reset_mac_header(xmit_skb);
++                      dev_queue_xmit(xmit_skb);
+               }
++
++              if (!skb)
++                      return true;
+       }
+       /* deliver to local stack */
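Review bot: When `skb_copy(skb, GFP_ATOMIC)` fails in the multicast branch, `xmit_skb` stays NULL and the frame is simply not forwarded to the wireless medium, with no counter or log line to show it happened. A rate-limited message in that branch, e.g. `if (!xmit_skb) net_info_ratelimited("%s: failed to copy multicast frame\n", fast_rx->dev->name);`, would make drops under memory pressure visible; the `fast_rx->dev` field is an assumption to be checked against the struct. The ownership hand-off through `skb = NULL` followed by `if (!skb) return true;` is also subtle enough to merit a comment such as `/* unicast to a known station: skb was consumed by dev_queue_xmit() */`. The function starts and ends outside the hunk.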
diff --git a/queue-4.9/mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch b/queue-4.9/mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
new file mode 100644 (file)
index 0000000..628de43
--- /dev/null
@@ -0,0 +1,45 @@
+From 01167c7b9cbf099c69fe411a228e4e9c7104e123 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Thu, 5 Jan 2017 19:24:04 +0000
+Subject: mmc: mxs-mmc: Fix additional cycles after transmission stop
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.
+
+According to the code the intention is to append 8 SCK cycles
+instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
+will never happened because it's an AC command not an ADTC command.
+So fix this by moving the statement into the right function.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mxs-mmc.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -309,6 +309,9 @@ static void mxs_mmc_ac(struct mxs_mmc_ho
+       cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
+       cmd1 = cmd->arg;
++      if (cmd->opcode == MMC_STOP_TRANSMISSION)
++              cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
++
+       if (host->sdio_irq_en) {
+               ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
+               cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
+@@ -417,8 +420,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_
+                      ssp->base + HW_SSP_BLOCK_SIZE);
+       }
+-      if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
+-          (cmd->opcode == SD_IO_RW_EXTENDED))
++      if (cmd->opcode == SD_IO_RW_EXTENDED)
+               cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+       cmd1 = cmd->arg;
diff --git a/queue-4.9/mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch b/queue-4.9/mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
new file mode 100644 (file)
index 0000000..cfb301a
--- /dev/null
@@ -0,0 +1,47 @@
+From e1d070c3793a2766122865a7c2142853b48808c5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 21 Dec 2016 00:19:19 +0100
+Subject: mmc: sdhci-acpi: Only powered up enabled acpi child devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit e1d070c3793a2766122865a7c2142853b48808c5 upstream.
+
+Commit e5bbf30733f9 ("mmc: sdhci-acpi: Ensure connected devices are
+powered when probing") introduced code to powerup any acpi child
+nodes listed in the dstd. But some dstd-s list all possible devices
+used on some board variants, while reporting if the device is actually
+present and enabled in the status field of the device.
+
+So we end up calling the acpi _PS0 (power-on) method for devices which
+are not actually present. This does not always end well, e.g. on my
+cube iwork8 air tablet, this results in freezing the entire tablet as
+soon as the r8723bs module is loaded.
+
+This commit fixes this by checking the child device's status.present
+and status.enabled bits and only call acpi_device_fix_up_power()
+if both are set.
+
+Fixes: e5bbf30733f9 ("mmc: sdhci-acpi: Ensure connected devices are powered when probing")
+BugLink: https://github.com/hadess/rtl8723bs/issues/80
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-acpi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-acpi.c
++++ b/drivers/mmc/host/sdhci-acpi.c
+@@ -394,7 +394,8 @@ static int sdhci_acpi_probe(struct platf
+       /* Power on the SDHCI controller and its children */
+       acpi_device_fix_up_power(device);
+       list_for_each_entry(child, &device->children, node)
+-              acpi_device_fix_up_power(child);
++              if (child->status.present && child->status.enabled)
++                      acpi_device_fix_up_power(child);
+       if (acpi_bus_get_status(device) || !device->status.present)
+               return -ENODEV;
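Review bot: The check added inside `list_for_each_entry` in sdhci_acpi_probe reads `child->status.present` and `child->status.enabled` as cached values, and nothing in the hunk refreshes them. The parent, by contrast, gets an explicit `acpi_bus_get_status(device)` two lines later before its `status.present` is tested. Whether the child bits can be stale at probe time is not visible here, so a short comment saying where the child status was last evaluated would help the next reader. The loop body now spans two lines without braces; kernel style would write `list_for_each_entry(child, &device->children, node) {` and close it after the call. The function starts and ends outside the hunk.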
diff --git a/queue-4.9/mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch b/queue-4.9/mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
new file mode 100644 (file)
index 0000000..cb972e2
--- /dev/null
@@ -0,0 +1,39 @@
+From cf9e1672a66c49ed8903c01b4c380a2f2dc91b40 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vz@mleia.com>
+Date: Mon, 5 Dec 2016 03:47:10 +0200
+Subject: mtd: nand: lpc32xx: fix invalid error handling of a requested irq
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+commit cf9e1672a66c49ed8903c01b4c380a2f2dc91b40 upstream.
+
+Semantics of NR_IRQS is different on machines with SPARSE_IRQ option
+disabled or enabled, in the latter case IRQs are allocated starting
+at least from the value specified by NR_IRQS and going upwards, so
+the check of (irq >= NR_IRQ) to decide about an error code returned by
+platform_get_irq() is completely invalid, don't attempt to overrule
+irq subsystem in the driver.
+
+The change fixes LPC32xx NAND MLC driver initialization on boot.
+
+Fixes: 8cb17b5ed017 ("irqchip: Add LPC32xx interrupt controller driver")
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Acked-by: Sylvain Lemieux <slemieux.tyco@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/lpc32xx_mlc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/lpc32xx_mlc.c
++++ b/drivers/mtd/nand/lpc32xx_mlc.c
+@@ -776,7 +776,7 @@ static int lpc32xx_nand_probe(struct pla
+       init_completion(&host->comp_controller);
+       host->irq = platform_get_irq(pdev, 0);
+-      if ((host->irq < 0) || (host->irq >= NR_IRQS)) {
++      if (host->irq < 0) {
+               dev_err(&pdev->dev, "failed to get platform irq\n");
+               res = -EINVAL;
+               goto err_exit3;
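Review bot: The error branch kept in lpc32xx_nand_probe still sets `res = -EINVAL`, which throws away the code returned by `platform_get_irq()`. Since the change defers to the irq subsystem for validity, the branch should pass that value on with `res = host->irq;`, so a return such as -EPROBE_DEFER reaches the driver core instead of becoming a permanent probe failure. This assumes `host->irq` is a signed int, as the `< 0` test implies; its declaration is outside the hunk, and the function continues beyond it.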
diff --git a/queue-4.9/mtd-nand-xway-disable-module-support.patch b/queue-4.9/mtd-nand-xway-disable-module-support.patch
new file mode 100644 (file)
index 0000000..0fe140d
--- /dev/null
@@ -0,0 +1,34 @@
+From 73529c872a189c747bdb528ce9b85b67b0e28dec Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 5 Dec 2016 22:14:36 +0100
+Subject: mtd: nand: xway: disable module support
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.
+
+The xway_nand driver accesses the ltq_ebu_membase symbol which is not
+exported. This also should not get exported and we should handle the
+EBU interface in a better way later. This quick fix just deactivated
+support for building as module.
+
+Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/Kconfig
++++ b/drivers/mtd/nand/Kconfig
+@@ -537,7 +537,7 @@ config MTD_NAND_FSMC
+         Flexible Static Memory Controller (FSMC)
+ config MTD_NAND_XWAY
+-      tristate "Support for NAND on Lantiq XWAY SoC"
++      bool "Support for NAND on Lantiq XWAY SoC"
+       depends on LANTIQ && SOC_TYPE_XWAY
+       help
+         Enables support for NAND Flash chips on Lantiq XWAY SoCs. NAND is attached
diff --git a/queue-4.9/mtd-nand-xway-fix-build-because-of-module-functions.patch b/queue-4.9/mtd-nand-xway-fix-build-because-of-module-functions.patch
new file mode 100644 (file)
index 0000000..85f4eda
--- /dev/null
@@ -0,0 +1,39 @@
+From a2724663494f7313f53da10d8c0a729c5e3c4dea Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 5 Dec 2016 22:14:37 +0100
+Subject: mtd: nand: xway: fix build because of module functions
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit a2724663494f7313f53da10d8c0a729c5e3c4dea upstream.
+
+Remove the usage of modules functions to make this driver compile
+again. Otherwise an include of linux/modules.h would be needed.
+
+Fixes: 024366750c2e ("mtd: nand: xway: convert to normal platform driver")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/xway_nand.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/xway_nand.c
++++ b/drivers/mtd/nand/xway_nand.c
+@@ -232,7 +232,6 @@ static const struct of_device_id xway_na
+       { .compatible = "lantiq,nand-xway" },
+       {},
+ };
+-MODULE_DEVICE_TABLE(of, xway_nand_match);
+ static struct platform_driver xway_nand_driver = {
+       .probe  = xway_nand_probe,
+@@ -243,6 +242,4 @@ static struct platform_driver xway_nand_
+       },
+ };
+-module_platform_driver(xway_nand_driver);
+-
+-MODULE_LICENSE("GPL");
++builtin_platform_driver(xway_nand_driver);
diff --git a/queue-4.9/pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch b/queue-4.9/pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
new file mode 100644 (file)
index 0000000..948a1b1
--- /dev/null
@@ -0,0 +1,68 @@
+From a782b5f986c3fa1cfa7f2b57941200c6a5809242 Mon Sep 17 00:00:00 2001
+From: Murali Karicheri <m-karicheri2@ti.com>
+Date: Wed, 4 Jan 2017 14:32:30 -0500
+Subject: PCI: designware: Check for iATU unroll only on platforms that use ATU
+
+From: Murali Karicheri <m-karicheri2@ti.com>
+
+commit a782b5f986c3fa1cfa7f2b57941200c6a5809242 upstream.
+
+Previously we checked for iATU unroll support by reading PCIE_ATU_VIEWPORT
+even on platforms, e.g., Keystone, that do not have ATU ports.  This can
+cause bad behavior such as asynchronous external aborts:
+
+  OF: PCI:   MEM 0x60000000..0x6fffffff -> 0x60000000
+  Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
+  pgd = c0003000
+  [00000000] *pgd=80000800004003, *pmd=00000000
+  Internal error: : 1211 [#1] PREEMPT SMP ARM
+  Modules linked in:
+  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-00009-g6ff59d2-dirty #7
+  Hardware name: Keystone
+  task: eb878000 task.stack: eb866000
+  PC is at dw_pcie_setup_rc+0x24/0x380
+  LR is at ks_pcie_host_init+0x10/0x170
+
+Move the dw_pcie_iatu_unroll_enabled() check so we only call it on
+platforms that do not use the ATU.  These platforms supply their own
+->rd_other_conf() and ->wr_other_conf() methods.
+
+[bhelgaas: changelog]
+Fixes: a0601a470537 ("PCI: designware: Add iATU Unroll feature")
+Fixes: 416379f9ebde ("PCI: designware: Check for iATU unroll support after initializing host")
+Tested-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-By: Joao Pinto <jpinto@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pcie-designware.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/host/pcie-designware.c
++++ b/drivers/pci/host/pcie-designware.c
+@@ -807,11 +807,6 @@ void dw_pcie_setup_rc(struct pcie_port *
+ {
+       u32 val;
+-      /* get iATU unroll support */
+-      pp->iatu_unroll_enabled = dw_pcie_iatu_unroll_enabled(pp);
+-      dev_dbg(pp->dev, "iATU unroll: %s\n",
+-              pp->iatu_unroll_enabled ? "enabled" : "disabled");
+-
+       /* set the number of lanes */
+       val = dw_pcie_readl_rc(pp, PCIE_PORT_LINK_CONTROL);
+       val &= ~PORT_LINK_MODE_MASK;
+@@ -882,6 +877,11 @@ void dw_pcie_setup_rc(struct pcie_port *
+        * we should not program the ATU here.
+        */
+       if (!pp->ops->rd_other_conf) {
++              /* get iATU unroll support */
++              pp->iatu_unroll_enabled = dw_pcie_iatu_unroll_enabled(pp);
++              dev_dbg(pp->dev, "iATU unroll: %s\n",
++                      pp->iatu_unroll_enabled ? "enabled" : "disabled");
++
+               dw_pcie_prog_outbound_atu(pp, PCIE_ATU_REGION_INDEX0,
+                                         PCIE_ATU_TYPE_MEM, pp->mem_base,
+                                         pp->mem_bus_addr, pp->mem_size);
diff --git a/queue-4.9/pci-enumerate-switches-below-pci-to-pcie-bridges.patch b/queue-4.9/pci-enumerate-switches-below-pci-to-pcie-bridges.patch
new file mode 100644 (file)
index 0000000..86640ec
--- /dev/null
@@ -0,0 +1,81 @@
+From 51ebfc92b72b4f7dac1ab45683bf56741e454b8c Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Wed, 11 Jan 2017 09:11:53 -0600
+Subject: PCI: Enumerate switches below PCI-to-PCIe bridges
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 51ebfc92b72b4f7dac1ab45683bf56741e454b8c upstream.
+
+A PCI-to-PCIe bridge (a "reverse bridge") has a PCI or PCI-X primary
+interface and a PCI Express secondary interface.  The PCIe interface is a
+Downstream Port that originates a Link.  See the "PCI Express to PCI/PCI-X
+Bridge Specification", rev 1.0, sections 1.2 and A.6.
+
+The bug report below involves a PCI-to-PCIe bridge and a PCIe switch below
+the bridge:
+
+  00:1e.0 Intel 82801 PCI Bridge to [bus 01-0a]
+  01:00.0 Pericom PI7C9X111SL PCIe-to-PCI Reversible Bridge to [bus 02-0a]
+  02:00.0 Pericom Device 8608 [PCIe Upstream Port] to [bus 03-0a]
+  03:01.0 Pericom Device 8608 [PCIe Downstream Port] to [bus 0a]
+
+01:00.0 is configured as a PCI-to-PCIe bridge (despite the name printed by
+lspci).  As we traverse a PCIe hierarchy, device connections alternate
+between PCIe Links and internal Switch logic.  Previously we did not
+recognize that 01:00.0 had a secondary link, so we thought the 02:00.0
+Upstream Port *did* have a secondary link.  In fact, it's the other way
+around: 01:00.0 has a secondary link, and 02:00.0 has internal Switch logic
+on its secondary side.
+
+When we thought 02:00.0 had a secondary link, the pci_scan_slot() ->
+only_one_child() path assumed 02:00.0 could have only one child, so 03:00.0
+was the only possible downstream device.  But 03:00.0 doesn't exist, so we
+didn't look for any other devices on bus 03.
+
+Booting with "pci=pcie_scan_all" is a workaround, but we don't want users
+to have to do that.
+
+Recognize that PCI-to-PCIe bridges originate links on their secondary
+interfaces.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=189361
+Fixes: d0751b98dfa3 ("PCI: Add dev->has_secondary_link to track downstream PCIe links")
+Tested-by: Blake Moore <blake.moore@men.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1050,6 +1050,7 @@ void set_pcie_port_type(struct pci_dev *
+       pos = pci_find_capability(pdev, PCI_CAP_ID_EXP);
+       if (!pos)
+               return;
++
+       pdev->pcie_cap = pos;
+       pci_read_config_word(pdev, pos + PCI_EXP_FLAGS, &reg16);
+       pdev->pcie_flags_reg = reg16;
+@@ -1057,13 +1058,14 @@ void set_pcie_port_type(struct pci_dev *
+       pdev->pcie_mpss = reg16 & PCI_EXP_DEVCAP_PAYLOAD;
+       /*
+-       * A Root Port is always the upstream end of a Link.  No PCIe
+-       * component has two Links.  Two Links are connected by a Switch
+-       * that has a Port on each Link and internal logic to connect the
+-       * two Ports.
++       * A Root Port or a PCI-to-PCIe bridge is always the upstream end
++       * of a Link.  No PCIe component has two Links.  Two Links are
++       * connected by a Switch that has a Port on each Link and internal
++       * logic to connect the two Ports.
+        */
+       type = pci_pcie_type(pdev);
+-      if (type == PCI_EXP_TYPE_ROOT_PORT)
++      if (type == PCI_EXP_TYPE_ROOT_PORT ||
++          type == PCI_EXP_TYPE_PCIE_BRIDGE)
+               pdev->has_secondary_link = 1;
+       else if (type == PCI_EXP_TYPE_UPSTREAM ||
+                type == PCI_EXP_TYPE_DOWNSTREAM) {
diff --git a/queue-4.9/powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch b/queue-4.9/powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
new file mode 100644 (file)
index 0000000..e247c6a
--- /dev/null
@@ -0,0 +1,87 @@
+From 9728a7c8ab2f7a1c8d5c95278d2e4f4ac1285385 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 16 Jan 2017 11:58:53 -0600
+Subject: powerpc/icp-opal: Fix missing KVM case and harden replay
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 9728a7c8ab2f7a1c8d5c95278d2e4f4ac1285385 upstream.
+
+The icp-opal call is missing the code from icp-native to recover
+interrupts snatched by KVM. Without that, when running KVM, we can
+get into a situation where an interrupt is lost and the CPU stuck
+with an elevated CPPR.
+
+Also harden replay by always checking the return from opal_int_eoi().
+
+Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/xics/icp-opal.c |   31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/sysdev/xics/icp-opal.c
++++ b/arch/powerpc/sysdev/xics/icp-opal.c
+@@ -20,6 +20,7 @@
+ #include <asm/xics.h>
+ #include <asm/io.h>
+ #include <asm/opal.h>
++#include <asm/kvm_ppc.h>
+ static void icp_opal_teardown_cpu(void)
+ {
+@@ -39,7 +40,26 @@ static void icp_opal_flush_ipi(void)
+        * Should we be flagging idle loop instead?
+        * Or creating some task to be scheduled?
+        */
+-      opal_int_eoi((0x00 << 24) | XICS_IPI);
++      if (opal_int_eoi((0x00 << 24) | XICS_IPI) > 0)
++              force_external_irq_replay();
++}
++
++static unsigned int icp_opal_get_xirr(void)
++{
++      unsigned int kvm_xirr;
++      __be32 hw_xirr;
++      int64_t rc;
++
++      /* Handle an interrupt latched by KVM first */
++      kvm_xirr = kvmppc_get_xics_latch();
++      if (kvm_xirr)
++              return kvm_xirr;
++
++      /* Then ask OPAL */
++      rc = opal_int_get_xirr(&hw_xirr, false);
++      if (rc < 0)
++              return 0;
++      return be32_to_cpu(hw_xirr);
+ }
+ static unsigned int icp_opal_get_irq(void)
+@@ -47,12 +67,8 @@ static unsigned int icp_opal_get_irq(voi
+       unsigned int xirr;
+       unsigned int vec;
+       unsigned int irq;
+-      int64_t rc;
+-      rc = opal_int_get_xirr(&xirr, false);
+-      if (rc < 0)
+-              return 0;
+-      xirr = be32_to_cpu(xirr);
++      xirr = icp_opal_get_xirr();
+       vec = xirr & 0x00ffffff;
+       if (vec == XICS_IRQ_SPURIOUS)
+               return 0;
+@@ -67,7 +83,8 @@ static unsigned int icp_opal_get_irq(voi
+       xics_mask_unknown_vec(vec);
+       /* We might learn about it later, so EOI it */
+-      opal_int_eoi(xirr);
++      if (opal_int_eoi(xirr) > 0)
++              force_external_irq_replay();
+       return 0;
+ }
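Review bot: The test `opal_int_eoi(...) > 0` followed by `force_external_irq_replay()` now appears in both icp_opal_flush_ipi and icp_opal_get_irq, with no comment on what a positive return means or why a negative one is ignored. A one-line comment at the first site, or a small static helper wrapping the two lines, would keep both callers in step. icp_opal_get_xirr also returns 0 when `opal_int_get_xirr()` fails, which the caller cannot tell apart from a vector equal to XICS_IRQ_SPURIOUS. A function comment such as `/* Returns the XIRR latched by KVM if any, else the one read from OPAL; 0 if OPAL reports an error */` would make that contract explicit.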
diff --git a/queue-4.9/powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch b/queue-4.9/powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
new file mode 100644 (file)
index 0000000..643edaa
--- /dev/null
@@ -0,0 +1,60 @@
+From 178f358208ceb8b38e5cff3f815e0db4a6a70a07 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 19 Jan 2017 14:19:10 +1100
+Subject: powerpc: Ignore reserved field in DCSR and PVR reads and writes
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 178f358208ceb8b38e5cff3f815e0db4a6a70a07 upstream.
+
+IBM bit 31 (for the rest of us - bit 0) is a reserved field in the
+instruction definition of mtspr and mfspr. Hardware is encouraged to
+(and does) ignore it.
+
+As a result, if userspace executes an mtspr DSCR with the reserved bit
+set, we get a DSCR facility unavailable exception. The kernel fails to
+match against the expected value/mask, and we silently return to
+userspace to try and re-execute the same mtspr DSCR instruction. We
+loop forever until the process is killed.
+
+We should do something here, and it seems mirroring what hardware does
+is the better option vs killing the process. While here, relax the
+matching of mfspr PVR too.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/ppc-opcode.h |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/asm/ppc-opcode.h
++++ b/arch/powerpc/include/asm/ppc-opcode.h
+@@ -157,7 +157,7 @@
+ #define PPC_INST_MCRXR                        0x7c000400
+ #define PPC_INST_MCRXR_MASK           0xfc0007fe
+ #define PPC_INST_MFSPR_PVR            0x7c1f42a6
+-#define PPC_INST_MFSPR_PVR_MASK               0xfc1fffff
++#define PPC_INST_MFSPR_PVR_MASK               0xfc1ffffe
+ #define PPC_INST_MFTMR                        0x7c0002dc
+ #define PPC_INST_MSGSND                       0x7c00019c
+ #define PPC_INST_MSGCLR                       0x7c0001dc
+@@ -174,13 +174,13 @@
+ #define PPC_INST_RFDI                 0x4c00004e
+ #define PPC_INST_RFMCI                        0x4c00004c
+ #define PPC_INST_MFSPR_DSCR           0x7c1102a6
+-#define PPC_INST_MFSPR_DSCR_MASK      0xfc1fffff
++#define PPC_INST_MFSPR_DSCR_MASK      0xfc1ffffe
+ #define PPC_INST_MTSPR_DSCR           0x7c1103a6
+-#define PPC_INST_MTSPR_DSCR_MASK      0xfc1fffff
++#define PPC_INST_MTSPR_DSCR_MASK      0xfc1ffffe
+ #define PPC_INST_MFSPR_DSCR_USER      0x7c0302a6
+-#define PPC_INST_MFSPR_DSCR_USER_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_DSCR_USER_MASK 0xfc1ffffe
+ #define PPC_INST_MTSPR_DSCR_USER      0x7c0303a6
+-#define PPC_INST_MTSPR_DSCR_USER_MASK 0xfc1fffff
++#define PPC_INST_MTSPR_DSCR_USER_MASK 0xfc1ffffe
+ #define PPC_INST_MFVSRD                       0x7c000066
+ #define PPC_INST_MTVSRD                       0x7c000166
+ #define PPC_INST_SLBFEE                       0x7c0007a7
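Review bot: The five masks changed from 0xfc1fffff to 0xfc1ffffe carry no comment saying why the low bit is left out. A later cleanup could restore them and bring back the endless re-execution loop that the commit message describes for a userspace mtspr DSCR with the reserved bit set. A comment above PPC_INST_MFSPR_PVR_MASK and above the DSCR group would record the reason in the header itself, for example `/* bit 0 is reserved in mfspr/mtspr and ignored by hardware, so it is not part of the mask */`.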
diff --git a/queue-4.9/powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch b/queue-4.9/powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
new file mode 100644 (file)
index 0000000..3096ae2
--- /dev/null
@@ -0,0 +1,32 @@
+From d89f473ff6f84872e761419f7233d6e00f99c340 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Mon, 9 Jan 2017 19:00:15 +0530
+Subject: powerpc/perf: Fix PM_BRU_CMPL event code for power9
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+commit d89f473ff6f84872e761419f7233d6e00f99c340 upstream.
+
+Use 0x10012 event code for PM_BRU_CMPL event in power9 event list
+instead of current 0x40060.
+
+Fixes: 34922527a2bcb ('powerpc/perf: Add power9 event list macros for generic and cache events')
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/power9-events-list.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/power9-events-list.h
++++ b/arch/powerpc/perf/power9-events-list.h
+@@ -16,7 +16,7 @@ EVENT(PM_CYC,                                        0x0001e)
+ EVENT(PM_ICT_NOSLOT_CYC,                      0x100f8)
+ EVENT(PM_CMPLU_STALL,                         0x1e054)
+ EVENT(PM_INST_CMPL,                           0x00002)
+-EVENT(PM_BRU_CMPL,                            0x40060)
++EVENT(PM_BRU_CMPL,                            0x10012)
+ EVENT(PM_BR_MPRED_CMPL,                               0x400f6)
+ /* All L1 D cache load references counted at finish, gated by reject */
diff --git a/queue-4.9/powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch b/queue-4.9/powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
new file mode 100644 (file)
index 0000000..7f1b318
--- /dev/null
@@ -0,0 +1,44 @@
+From 99dfe80a2a246c600440a815741fd2e74a8b4977 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 5 Jan 2017 16:50:57 +0000
+Subject: powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the registers, the thread's old registers are preserved.
+
+Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -463,6 +463,10 @@ static int fpr_set(struct task_struct *t
+       flush_fp_to_thread(target);
++      for (i = 0; i < 32 ; i++)
++              buf[i] = target->thread.TS_FPR(i);
++      buf[32] = target->thread.fp_state.fpscr;
++
+       /* copy to local buffer then write that out */
+       i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
+       if (i)
+@@ -672,6 +676,9 @@ static int vsr_set(struct task_struct *t
+       flush_altivec_to_thread(target);
+       flush_vsx_to_thread(target);
++      for (i = 0; i < 32 ; i++)
++              buf[i] = target->thread.fp_state.fpr[i][TS_VSRLOWOFFSET];
++
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                                buf, 0, 32 * sizeof(double));
+       if (!ret)
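Review bot: The pre-fill loops added to fpr_set and vsr_set have no comment saying they exist for short PTRACE_SETREGSET writes, so the copy from `target->thread` into `buf` just before `user_regset_copyin()` reads as redundant work. A comment above each loop would do, for example `/* start from the current values so a short write from userspace leaves the remaining registers unchanged */`. The same applies to the loops added to tm_cfpr_set and tm_cvsx_set in the TM patch that follows. The literal 32 and the `buf[32]` slot used for fpscr depend on the declaration of `buf`, which is outside the hunk, so its size cannot be confirmed from here.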
diff --git a/queue-4.9/powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch b/queue-4.9/powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
new file mode 100644 (file)
index 0000000..26d0713
--- /dev/null
@@ -0,0 +1,46 @@
+From b34ca60148c53971d373643195cc5c4d5d20be78 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 5 Jan 2017 16:50:57 +0000
+Subject: powerpc/ptrace: Preserve previous TM fprs/vsrs on short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit b34ca60148c53971d373643195cc5c4d5d20be78 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the check pointed registers, the thread's old check pointed
+registers are preserved.
+
+Fixes: 9d3918f7c0e5 ("powerpc/ptrace: Enable support for NT_PPC_CVSX")
+Fixes: 19cbcbf75a0c ("powerpc/ptrace: Enable support for NT_PPC_CFPR")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1026,6 +1026,10 @@ static int tm_cfpr_set(struct task_struc
+       flush_fp_to_thread(target);
+       flush_altivec_to_thread(target);
++      for (i = 0; i < 32; i++)
++              buf[i] = target->thread.TS_CKFPR(i);
++      buf[32] = target->thread.ckfp_state.fpscr;
++
+       /* copy to local buffer then write that out */
+       i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
+       if (i)
+@@ -1290,6 +1294,9 @@ static int tm_cvsx_set(struct task_struc
+       flush_altivec_to_thread(target);
+       flush_vsx_to_thread(target);
++      for (i = 0; i < 32 ; i++)
++              buf[i] = target->thread.ckfp_state.fpr[i][TS_VSRLOWOFFSET];
++
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                                buf, 0, 32 * sizeof(double));
+       if (!ret)
diff --git a/queue-4.9/qla2xxx-fix-crash-due-to-null-pointer-access.patch b/queue-4.9/qla2xxx-fix-crash-due-to-null-pointer-access.patch
new file mode 100644 (file)
index 0000000..bd706d5
--- /dev/null
@@ -0,0 +1,96 @@
+From fc1ffd6cb38a1c1af625b9833c41928039e733f5 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Fri, 23 Dec 2016 18:06:10 -0800
+Subject: qla2xxx: Fix crash due to null pointer access
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.
+
+During code inspection, while investigating following stack trace
+seen on one of the test setup, we found out there was possibility
+of memory leak becuase driver was not unwinding the stack properly.
+
+This issue has not been reproduced in a test environment or on a
+customer setup.
+
+Here's stack trace that was seen.
+
+[1469877.797315] Call Trace:
+[1469877.799940]  [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
+[1469877.806980]  [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
+[1469877.814013]  [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
+[1469877.820265]  [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
+[1469877.826776]  [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
+[1469877.833720]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
+[1469877.839885]  [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
+[1469877.846830]  [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
+[1469877.852562]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
+[1469877.858727]  [<ffffffff81319c89>] pci_call_probe+0x89/0xb0
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+[ bvanassche: Fixed spelling in patch description ]
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3489,7 +3489,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+                               sizeof(struct ct6_dsd), 0,
+                               SLAB_HWCACHE_ALIGN, NULL);
+                       if (!ctx_cachep)
+-                              goto fail_free_gid_list;
++                              goto fail_free_srb_mempool;
+               }
+               ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
+                       ctx_cachep);
+@@ -3642,7 +3642,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+       ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
+           GFP_KERNEL);
+       if (!ha->loop_id_map)
+-              goto fail_async_pd;
++              goto fail_loop_id_map;
+       else {
+               qla2x00_set_reserved_loop_ids(ha);
+               ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
+@@ -3651,6 +3651,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+       return 0;
++fail_loop_id_map:
++      dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
+ fail_async_pd:
+       dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
+ fail_ex_init_cb:
+@@ -3678,6 +3680,10 @@ fail_free_ms_iocb:
+       dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
+       ha->ms_iocb = NULL;
+       ha->ms_iocb_dma = 0;
++
++      if (ha->sns_cmd)
++              dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
++                  ha->sns_cmd, ha->sns_cmd_dma);
+ fail_dma_pool:
+       if (IS_QLA82XX(ha) || ql2xenabledif) {
+               dma_pool_destroy(ha->fcp_cmnd_dma_pool);
+@@ -3695,10 +3701,12 @@ fail_free_nvram:
+       kfree(ha->nvram);
+       ha->nvram = NULL;
+ fail_free_ctx_mempool:
+-      mempool_destroy(ha->ctx_mempool);
++      if (ha->ctx_mempool)
++              mempool_destroy(ha->ctx_mempool);
+       ha->ctx_mempool = NULL;
+ fail_free_srb_mempool:
+-      mempool_destroy(ha->srb_mempool);
++      if (ha->srb_mempool)
++              mempool_destroy(ha->srb_mempool);
+       ha->srb_mempool = NULL;
+ fail_free_gid_list:
+       dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
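Review bot: The `dma_free_coherent()` block added after `fail_free_ms_iocb` frees `ha->sns_cmd` but does not follow it with `ha->sns_cmd = NULL; ha->sns_cmd_dma = 0;`, unlike the `ms_iocb` lines directly above it. The new `fail_loop_id_map` label likewise frees `ha->async_pd` without clearing the pointer. If a later teardown path frees these fields again (none is visible in these hunks), stale pointers here would lead to a double free, so resetting them would match the neighbouring labels. The added `if (ha->ctx_mempool)` and `if (ha->srb_mempool)` guards look unnecessary if `mempool_destroy()` already tolerates NULL in this tree, which is worth confirming for 4.9. qla2x00_mem_alloc starts and ends outside these hunks.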
index c030b2248920b601489cad728076c5dad045ed2a..78983c6ad0094c4f1fe364e12378aa442860a3b5 100644 (file)
@@ -32,3 +32,43 @@ x86-pci-ignore-_crs-on-supermicro-x8dth-i-6-if-6f.patch
 rcu-remove-cond_resched-from-tiny-synchronize_sched.patch
 rcu-narrow-early-boot-window-of-illegal-synchronous-grace-periods.patch
 sunrpc-don-t-call-sleeping-functions-from-the-notifier-block-callbacks.patch
+svcrpc-don-t-leak-contexts-on-proc_destroy.patch
+libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
+arc-module-fix-config_arc_dw2_unwind-builds.patch
+fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
+fuse-fix-time_to_jiffies-nsec-sanity-check.patch
+pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
+pci-enumerate-switches-below-pci-to-pcie-bridges.patch
+hid-corsair-fix-dma-buffers-on-stack.patch
+hid-corsair-fix-control-transfer-error-handling.patch
+mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
+mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
+ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
+mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
+mtd-nand-xway-disable-module-support.patch
+mtd-nand-xway-fix-build-because-of-module-functions.patch
+kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
+kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
+powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
+powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
+powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
+powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
+powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
+x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
+qla2xxx-fix-crash-due-to-null-pointer-access.patch
+mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
+ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
+clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch
+svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
+arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch
+ibmvscsis-fix-sleeping-in-interrupt-context.patch
+ibmvscsis-fix-max-transfer-length.patch
+ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch
+arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
+arm-dts-da850-evm-fix-read-access-to-spi-flash.patch
+arm64-avoid-returning-from-bad_mode.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
+arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch
+arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch
diff --git a/queue-4.9/svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch b/queue-4.9/svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
new file mode 100644 (file)
index 0000000..77cb232
--- /dev/null
@@ -0,0 +1,39 @@
+From ce1ca7d2d140a1f4aaffd297ac487f246963dd2f Mon Sep 17 00:00:00 2001
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Date: Mon, 9 Jan 2017 16:00:44 +0530
+Subject: svcrdma: avoid duplicate dma unmapping during error recovery
+
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+
+commit ce1ca7d2d140a1f4aaffd297ac487f246963dd2f upstream.
+
+In rdma_read_chunk_frmr() when ib_post_send() fails, the error code path
+invokes ib_dma_unmap_sg() to unmap the sg list. It then invokes
+svc_rdma_put_frmr() which in turn tries to unmap the same sg list through
+ib_dma_unmap_sg() again. This second unmap is invalid and could lead to
+problems when the iova being unmapped is subsequently reused. Remove
+the call to unmap in rdma_read_chunk_frmr() and let svc_rdma_put_frmr()
+handle it.
+
+Fixes: 412a15c0fe53 ("svcrdma: Port to new memory registration API")
+Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -348,8 +348,6 @@ int rdma_read_chunk_frmr(struct svcxprt_
+       atomic_inc(&rdma_stat_read);
+       return ret;
+  err:
+-      ib_dma_unmap_sg(xprt->sc_cm_id->device,
+-                      frmr->sg, frmr->sg_nents, frmr->direction);
+       svc_rdma_put_context(ctxt, 0);
+       svc_rdma_put_frmr(xprt, frmr);
+       return ret;
diff --git a/queue-4.9/svcrpc-don-t-leak-contexts-on-proc_destroy.patch b/queue-4.9/svcrpc-don-t-leak-contexts-on-proc_destroy.patch
new file mode 100644 (file)
index 0000000..416bb0f
--- /dev/null
@@ -0,0 +1,37 @@
+From 78794d1890708cf94e3961261e52dcec2cc34722 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 9 Jan 2017 17:15:18 -0500
+Subject: svcrpc: don't leak contexts on PROC_DESTROY
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.
+
+Context expiry times are in units of seconds since boot, not unix time.
+
+The use of get_seconds() here therefore sets the expiry time decades in
+the future.  This prevents timely freeing of contexts destroyed by
+client RPC_GSS_PROC_DESTROY requests.  We'd still free them eventually
+(when the module is unloaded or the container shut down), but a lot of
+contexts could pile up before then.
+
+Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
+Reported-by: Andy Adamson <andros@netapp.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1489,7 +1489,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
+       case RPC_GSS_PROC_DESTROY:
+               if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
+                       goto auth_err;
+-              rsci->h.expiry_time = get_seconds();
++              rsci->h.expiry_time = seconds_since_boot();
+               set_bit(CACHE_NEGATIVE, &rsci->h.flags);
+               if (resv->iov_len + 4 > PAGE_SIZE)
+                       goto drop;
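Review bot: The time base of `rsci->h.expiry_time` is still implicit at the `RPC_GSS_PROC_DESTROY` assignment, which is how a wall-clock value ended up in a seconds-since-boot field in the first place. A one-line comment above the new assignment would guard against a repeat, for example `/* cache expiry times are seconds since boot, not unix time */`. Per the description, a wrong clock here keeps destroyed GSS contexts cached until module unload or container shutdown, so any other writers of `expiry_time` in this file (not visible in this hunk) are worth checking for the same mix-up. The body of svcauth_gss_accept() starts and ends outside the hunk.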
diff --git a/queue-4.9/ubifs-fix-journal-replay-wrt.-xattr-nodes.patch b/queue-4.9/ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
new file mode 100644 (file)
index 0000000..5e298d6
--- /dev/null
@@ -0,0 +1,85 @@
+From 1cb51a15b576ee325d527726afff40947218fd5e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 10 Jan 2017 11:49:40 +0100
+Subject: ubifs: Fix journal replay wrt. xattr nodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.
+
+When replaying the journal it can happen that a journal entry points to
+a garbage collected node.
+This is the case when a power-cut occurred between a garbage collect run
+and a commit. In such a case nodes have to be read using the failable
+read functions to detect whether the found node matches what we expect.
+
+One corner case was forgotten, when the journal contains an entry to
+remove an inode all xattrs have to be removed too. UBIFS models xattr
+like directory entries, so the TNC code iterates over
+all xattrs of the inode and removes them too. This code re-uses the
+functions for walking directories and calls ubifs_tnc_next_ent().
+ubifs_tnc_next_ent() expects to be used only after the journal and
+aborts when a node does not match the expected result. This behavior can
+render an UBIFS volume unmountable after a power-cut when xattrs are
+used.
+
+Fix this issue by using failable read functions in ubifs_tnc_next_ent()
+too when replaying the journal.
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Reported-by: Rock Lee <rockdotlee@gmail.com>
+Reviewed-by: David Gstir <david@sigma-star.at>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -34,6 +34,11 @@
+ #include <linux/slab.h>
+ #include "ubifs.h"
++static int try_read_node(const struct ubifs_info *c, void *buf, int type,
++                       int len, int lnum, int offs);
++static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
++                            struct ubifs_zbranch *zbr, void *node);
++
+ /*
+  * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
+  * @NAME_LESS: name corresponding to the first argument is less than second
+@@ -402,7 +407,19 @@ static int tnc_read_node_nm(struct ubifs
+               return 0;
+       }
+-      err = ubifs_tnc_read_node(c, zbr, node);
++      if (c->replaying) {
++              err = fallible_read_node(c, &zbr->key, zbr, node);
++              /*
++               * When the node was not found, return -ENOENT, 0 otherwise.
++               * Negative return codes stay as-is.
++               */
++              if (err == 0)
++                      err = -ENOENT;
++              else if (err == 1)
++                      err = 0;
++      } else {
++              err = ubifs_tnc_read_node(c, zbr, node);
++      }
+       if (err)
+               return err;
+@@ -2766,7 +2783,11 @@ struct ubifs_dent_node *ubifs_tnc_next_e
+       if (nm->name) {
+               if (err) {
+                       /* Handle collisions */
+-                      err = resolve_collision(c, key, &znode, &n, nm);
++                      if (c->replaying)
++                              err = fallible_resolve_collision(c, key, &znode, &n,
++                                                       nm, 0);
++                      else
++                              err = resolve_collision(c, key, &znode, &n, nm);
+                       dbg_tnc("rc returned %d, znode %p, n %d",
+                               err, znode, n);
+                       if (unlikely(err < 0))
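Review bot: In the `c->replaying` branch of tnc_read_node_nm(), a node that no longer matches is converted to `-ENOENT`, but the added comment does not say how callers should treat that new return value. If ubifs_tnc_next_ent() passes it up and its callers read `-ENOENT` as "no more entries" (neither is visible in these hunks), one stale node would end the xattr walk early instead of skipping that entry. I would state the intent at the branch, e.g. `/* replay: a garbage-collected node is reported as -ENOENT, the same code used for "no more entries" */`, or confirm that stopping there is intended. The bare `0` passed last to fallible_resolve_collision() in the ubifs_tnc_next_ent() hunk would also read better with a short comment naming the argument. Both functions begin and end outside the hunks shown.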
diff --git a/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch b/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
new file mode 100644 (file)
index 0000000..663fe41
--- /dev/null
@@ -0,0 +1,49 @@
+From 020eb3daaba2857b32c4cf4c82f503d6a00a67de Mon Sep 17 00:00:00 2001
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+Date: Tue, 17 Jan 2017 16:13:52 +0200
+Subject: x86/ioapic: Restore IO-APIC irq_chip retrigger callback
+
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+
+commit 020eb3daaba2857b32c4cf4c82f503d6a00a67de upstream.
+
+commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC
+chip and did not add it to the new IO-APIC-IR irq chip.
+
+Unfortunately the software resend fallback is not enabled on X86, so edge
+interrupts which are received during the lazy disabled state of the
+interrupt line are not retriggered and therefor lost.
+
+Restore the callbacks.
+
+[ tglx: Massaged changelog ]
+
+Fixes: d32932d02e18  ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces")
+Signed-off-by: Ruslan Ruslichenko <rruslich@cisco.com>
+Cc: xe-linux-external@cisco.com
+Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/io_apic.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1876,6 +1876,7 @@ static struct irq_chip ioapic_chip __rea
+       .irq_ack                = irq_chip_ack_parent,
+       .irq_eoi                = ioapic_ack_level,
+       .irq_set_affinity       = ioapic_set_affinity,
++      .irq_retrigger          = irq_chip_retrigger_hierarchy,
+       .flags                  = IRQCHIP_SKIP_SET_WAKE,
+ };
+@@ -1887,6 +1888,7 @@ static struct irq_chip ioapic_ir_chip __
+       .irq_ack                = irq_chip_ack_parent,
+       .irq_eoi                = ioapic_ir_ack_level,
+       .irq_set_affinity       = ioapic_set_affinity,
++      .irq_retrigger          = irq_chip_retrigger_hierarchy,
+       .flags                  = IRQCHIP_SKIP_SET_WAKE,
+ };