From: Greg Kroah-Hartman Date: Wed, 6 Dec 2017 16:31:26 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.87~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=16b381ff1ba24692573883c0b66b3d4128faf575;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-omap1-dma-correct-the-number-of-logical-channels.patch dmaengine-pl330-fix-double-lock.patch drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch edac-sb_edac-fix-missing-break-in-switch.patch ima-fix-hash-algorithm-initialization.patch kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch net-appletalk-fix-kernel-memory-disclosure.patch net-fec-fix-multicast-filtering-hardware-setup.patch net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch net-systemport-pad-packet-before-inserting-tsb.patch net-systemport-utilize-skb_put_padto.patch nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch perf-test-attr-fix-ignored-test-case-result.patch ravb-remove-rx-overflow-log-messages.patch s390-pci-do-not-require-ais-facility.patch selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch serial-8250-preserve-dld-for-port_xr17v35x.patch serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch spi-sh-msiof-fix-dma-transfer-size-check.patch sysrq-fix-show-regs-call-trace-on-arm.patch tcp-correct-memory-barrier-usage-in-tcp_check_space.patch tipc-fix-cleanup-at-module-unload.patch usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch usb-dwc2-fix-udc-state-tracking.patch usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch usb-serial-option-add-quectel-bg96-id.patch usbip-tools-install-all-headers-needed-for-libusbip-development.patch vti6-fix-device-register-to-report-ifla_info_kind.patch x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch xen-netfront-improve-error-handling-during-initialization.patch --- diff --git a/queue-4.4/arm-omap1-dma-correct-the-number-of-logical-channels.patch b/queue-4.4/arm-omap1-dma-correct-the-number-of-logical-channels.patch new file mode 100644 index 00000000000..dbfc963fbfb --- /dev/null +++ b/queue-4.4/arm-omap1-dma-correct-the-number-of-logical-channels.patch @@ -0,0 +1,70 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Peter Ujfalusi +Date: Tue, 3 Jan 2017 13:22:34 +0200 +Subject: ARM: OMAP1: DMA: Correct the number of logical channels + +From: Peter Ujfalusi + + +[ Upstream commit 657279778af54f35e54b07b6687918f254a2992c ] + +OMAP1510, OMAP5910 and OMAP310 have only 9 logical channels. +OMAP1610, OMAP5912, OMAP1710, OMAP730, and OMAP850 have 16 logical channels +available. + +The wired 17 for the lch_count must have been used to cover the 16 + 1 +dedicated LCD channel, in reality we can only use 9 or 16 channels. + +The d->chan_count is not used by the omap-dma stack, so we can skip the +setup. chan_count was configured to the number of logical channels and not +the actual number of physical channels anyways. + +Signed-off-by: Peter Ujfalusi +Acked-by: Aaro Koskinen +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap1/dma.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/arch/arm/mach-omap1/dma.c ++++ b/arch/arm/mach-omap1/dma.c +@@ -31,7 +31,6 @@ + #include "soc.h" + + #define OMAP1_DMA_BASE (0xfffed800) +-#define OMAP1_LOGICAL_DMA_CH_COUNT 17 + + static u32 enable_1510_mode; + +@@ -311,8 +310,6 @@ static int __init omap1_system_dma_init( + goto exit_iounmap; + } + +- d->lch_count = OMAP1_LOGICAL_DMA_CH_COUNT; +- + /* Valid attributes for omap1 plus processors */ + if (cpu_is_omap15xx()) + d->dev_caps = ENABLE_1510_MODE; +@@ -329,13 +326,14 @@ static int __init omap1_system_dma_init( + d->dev_caps |= CLEAR_CSR_ON_READ; + d->dev_caps |= IS_WORD_16; + +- if (cpu_is_omap15xx()) +- d->chan_count = 9; +- else if (cpu_is_omap16xx() || cpu_is_omap7xx()) { +- if (!(d->dev_caps & ENABLE_1510_MODE)) +- d->chan_count = 16; ++ /* available logical channels */ ++ if (cpu_is_omap15xx()) { ++ d->lch_count = 9; ++ } else { ++ if (d->dev_caps & ENABLE_1510_MODE) ++ d->lch_count = 9; + else +- d->chan_count = 9; ++ d->lch_count = 16; + } + + p = dma_plat_info; diff --git a/queue-4.4/dmaengine-pl330-fix-double-lock.patch b/queue-4.4/dmaengine-pl330-fix-double-lock.patch new file mode 100644 index 00000000000..e9c104fc129 --- /dev/null +++ b/queue-4.4/dmaengine-pl330-fix-double-lock.patch @@ -0,0 +1,145 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Iago Abal +Date: Wed, 11 Jan 2017 14:00:21 +0100 +Subject: dmaengine: pl330: fix double lock + +From: Iago Abal + + +[ Upstream commit 91539eb1fda2d530d3b268eef542c5414e54bf1a ] + +The static bug finder EBA (http://www.iagoabal.eu/eba/) reported the +following double-lock bug: + + Double lock: + 1. spin_lock_irqsave(pch->lock, flags) at pl330_free_chan_resources:2236; + 2. call to function `pl330_release_channel' immediately after; + 3. call to function `dma_pl330_rqcb' in line 1753; + 4. spin_lock_irqsave(pch->lock, flags) at dma_pl330_rqcb:1505. + +I have fixed it as suggested by Marek Szyprowski. + +First, I have replaced `pch->lock' with `pl330->lock' in functions +`pl330_alloc_chan_resources' and `pl330_free_chan_resources'. This avoids +the double-lock by acquiring a different lock than `dma_pl330_rqcb'. + +NOTE that, as a result, `pl330_free_chan_resources' executes +`list_splice_tail_init' on `pch->work_list' under lock `pl330->lock', +whereas in the rest of the code `pch->work_list' is protected by +`pch->lock'. I don't know if this may cause race conditions. Similarly +`pch->cyclic' is written by `pl330_alloc_chan_resources' under +`pl330->lock' but read by `pl330_tx_submit' under `pch->lock'. + +Second, I have removed locking from `pl330_request_channel' and +`pl330_release_channel' functions. Function `pl330_request_channel' is +only called from `pl330_alloc_chan_resources', so the lock is already +held. Function `pl330_release_channel' is called from +`pl330_free_chan_resources', which already holds the lock, and from +`pl330_del'. Function `pl330_del' is called in an error path of +`pl330_probe' and at the end of `pl330_remove', but I assume that there +cannot be concurrent accesses to the protected data at those points. + +Signed-off-by: Iago Abal +Reviewed-by: Marek Szyprowski +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1657,7 +1657,6 @@ static bool _chan_ns(const struct pl330_ + static struct pl330_thread *pl330_request_channel(struct pl330_dmac *pl330) + { + struct pl330_thread *thrd = NULL; +- unsigned long flags; + int chans, i; + + if (pl330->state == DYING) +@@ -1665,8 +1664,6 @@ static struct pl330_thread *pl330_reques + + chans = pl330->pcfg.num_chan; + +- spin_lock_irqsave(&pl330->lock, flags); +- + for (i = 0; i < chans; i++) { + thrd = &pl330->channels[i]; + if ((thrd->free) && (!_manager_ns(thrd) || +@@ -1684,8 +1681,6 @@ static struct pl330_thread *pl330_reques + thrd = NULL; + } + +- spin_unlock_irqrestore(&pl330->lock, flags); +- + return thrd; + } + +@@ -1703,7 +1698,6 @@ static inline void _free_event(struct pl + static void pl330_release_channel(struct pl330_thread *thrd) + { + struct pl330_dmac *pl330; +- unsigned long flags; + + if (!thrd || thrd->free) + return; +@@ -1715,10 +1709,8 @@ static void pl330_release_channel(struct + + pl330 = thrd->dmac; + +- spin_lock_irqsave(&pl330->lock, flags); + _free_event(thrd, thrd->ev); + thrd->free = true; +- spin_unlock_irqrestore(&pl330->lock, flags); + } + + /* Initialize the structure for PL330 configuration, that can be used +@@ -2085,20 +2077,20 @@ static int pl330_alloc_chan_resources(st + struct pl330_dmac *pl330 = pch->dmac; + unsigned long flags; + +- spin_lock_irqsave(&pch->lock, flags); ++ spin_lock_irqsave(&pl330->lock, flags); + + dma_cookie_init(chan); + pch->cyclic = false; + + pch->thread = pl330_request_channel(pl330); + if (!pch->thread) { +- spin_unlock_irqrestore(&pch->lock, flags); ++ spin_unlock_irqrestore(&pl330->lock, flags); + return -ENOMEM; + } + + tasklet_init(&pch->task, pl330_tasklet, (unsigned long) pch); + +- spin_unlock_irqrestore(&pch->lock, flags); ++ spin_unlock_irqrestore(&pl330->lock, flags); + + return 1; + } +@@ -2201,12 +2193,13 @@ static int pl330_pause(struct dma_chan * + static void pl330_free_chan_resources(struct dma_chan *chan) + { + struct dma_pl330_chan *pch = to_pchan(chan); ++ struct pl330_dmac *pl330 = pch->dmac; + unsigned long flags; + + tasklet_kill(&pch->task); + + pm_runtime_get_sync(pch->dmac->ddma.dev); +- spin_lock_irqsave(&pch->lock, flags); ++ spin_lock_irqsave(&pl330->lock, flags); + + pl330_release_channel(pch->thread); + pch->thread = NULL; +@@ -2214,7 +2207,7 @@ static void pl330_free_chan_resources(st + if (pch->cyclic) + list_splice_tail_init(&pch->work_list, &pch->dmac->desc_pool); + +- spin_unlock_irqrestore(&pch->lock, flags); ++ spin_unlock_irqrestore(&pl330->lock, flags); + pm_runtime_mark_last_busy(pch->dmac->ddma.dev); + pm_runtime_put_autosuspend(pch->dmac->ddma.dev); + } diff --git a/queue-4.4/drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch b/queue-4.4/drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch new file mode 100644 index 00000000000..0127dd58f43 --- /dev/null +++ b/queue-4.4/drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Andrzej Hajda +Date: Tue, 17 Jan 2017 15:15:20 +0100 +Subject: drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement + +From: Andrzej Hajda + + +[ Upstream commit 11d8bcef7a0399e1d2519f207fd575fc404306b4 ] + +DECON_TV requires STANDALONE_UPDATE after output enabling, otherwise it does +not start. This change is neutral for DECON. + +Signed-off-by: Andrzej Hajda +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c +@@ -180,6 +180,8 @@ static void decon_commit(struct exynos_d + + /* enable output and display signal */ + decon_set_bits(ctx, DECON_VIDCON0, VIDCON0_ENVID | VIDCON0_ENVID_F, ~0); ++ ++ decon_set_bits(ctx, DECON_UPDATE, STANDALONE_UPDATE_F, ~0); + } + + static void decon_win_set_pixfmt(struct decon_context *ctx, unsigned int win, diff --git a/queue-4.4/edac-sb_edac-fix-missing-break-in-switch.patch b/queue-4.4/edac-sb_edac-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..34205f7da8d --- /dev/null +++ b/queue-4.4/edac-sb_edac-fix-missing-break-in-switch.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: "Gustavo A. R. Silva" +Date: Mon, 16 Oct 2017 12:40:29 -0500 +Subject: EDAC, sb_edac: Fix missing break in switch + +From: "Gustavo A. R. Silva" + + +[ Upstream commit a8e9b186f153a44690ad0363a56716e7077ad28c ] + +Add missing break statement in order to prevent the code from falling +through. + +Signed-off-by: Gustavo A. R. Silva +Cc: Qiuxu Zhuo +Cc: linux-edac +Link: http://lkml.kernel.org/r/20171016174029.GA19757@embeddedor.com +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/sb_edac.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -1773,6 +1773,7 @@ static int ibridge_mci_bind_devs(struct + break; + case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_TA: + pvt->pci_ta = pdev; ++ break; + case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_RAS: + pvt->pci_ras = pdev; + break; diff --git a/queue-4.4/ima-fix-hash-algorithm-initialization.patch b/queue-4.4/ima-fix-hash-algorithm-initialization.patch new file mode 100644 index 00000000000..b53ded6e263 --- /dev/null +++ b/queue-4.4/ima-fix-hash-algorithm-initialization.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Boshi Wang +Date: Fri, 20 Oct 2017 16:01:03 +0800 +Subject: ima: fix hash algorithm initialization + +From: Boshi Wang + + +[ Upstream commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee ] + +The hash_setup function always sets the hash_setup_done flag, even +when the hash algorithm is invalid. This prevents the default hash +algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. + +This patch sets hash_setup_done flag only for valid hash algorithms. + +Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" +Signed-off-by: Boshi Wang +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -52,6 +52,8 @@ static int __init hash_setup(char *str) + ima_hash_algo = HASH_ALGO_SHA1; + else if (strncmp(str, "md5", 3) == 0) + ima_hash_algo = HASH_ALGO_MD5; ++ else ++ return 1; + goto out; + } + +@@ -61,6 +63,8 @@ static int __init hash_setup(char *str) + break; + } + } ++ if (i == HASH_ALGO__LAST) ++ return 1; + out: + hash_setup_done = 1; + return 1; diff --git a/queue-4.4/kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch b/queue-4.4/kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch new file mode 100644 index 00000000000..abc266165bf --- /dev/null +++ b/queue-4.4/kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch @@ -0,0 +1,93 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Masami Hiramatsu +Date: Tue, 19 Sep 2017 19:01:40 +0900 +Subject: kprobes/x86: Disable preemption in ftrace-based jprobes + +From: Masami Hiramatsu + + +[ Upstream commit 5bb4fc2d8641219732eb2bb654206775a4219aca ] + +Disable preemption in ftrace-based jprobe handlers as +described in Documentation/kprobes.txt: + + "Probe handlers are run with preemption disabled." + +This will fix jprobes behavior when CONFIG_PREEMPT=y. + +Signed-off-by: Masami Hiramatsu +Cc: Alexei Starovoitov +Cc: Alexei Starovoitov +Cc: Ananth N Mavinakayanahalli +Cc: Linus Torvalds +Cc: Paul E . McKenney +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/150581530024.32348.9863783558598926771.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kprobes/ftrace.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/arch/x86/kernel/kprobes/ftrace.c ++++ b/arch/x86/kernel/kprobes/ftrace.c +@@ -26,7 +26,7 @@ + #include "common.h" + + static nokprobe_inline +-int __skip_singlestep(struct kprobe *p, struct pt_regs *regs, ++void __skip_singlestep(struct kprobe *p, struct pt_regs *regs, + struct kprobe_ctlblk *kcb, unsigned long orig_ip) + { + /* +@@ -41,20 +41,21 @@ int __skip_singlestep(struct kprobe *p, + __this_cpu_write(current_kprobe, NULL); + if (orig_ip) + regs->ip = orig_ip; +- return 1; + } + + int skip_singlestep(struct kprobe *p, struct pt_regs *regs, + struct kprobe_ctlblk *kcb) + { +- if (kprobe_ftrace(p)) +- return __skip_singlestep(p, regs, kcb, 0); +- else +- return 0; ++ if (kprobe_ftrace(p)) { ++ __skip_singlestep(p, regs, kcb, 0); ++ preempt_enable_no_resched(); ++ return 1; ++ } ++ return 0; + } + NOKPROBE_SYMBOL(skip_singlestep); + +-/* Ftrace callback handler for kprobes */ ++/* Ftrace callback handler for kprobes -- called under preepmt disabed */ + void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ops, struct pt_regs *regs) + { +@@ -77,13 +78,17 @@ void kprobe_ftrace_handler(unsigned long + /* Kprobe handler expects regs->ip = ip + 1 as breakpoint hit */ + regs->ip = ip + sizeof(kprobe_opcode_t); + ++ /* To emulate trap based kprobes, preempt_disable here */ ++ preempt_disable(); + __this_cpu_write(current_kprobe, p); + kcb->kprobe_status = KPROBE_HIT_ACTIVE; +- if (!p->pre_handler || !p->pre_handler(p, regs)) ++ if (!p->pre_handler || !p->pre_handler(p, regs)) { + __skip_singlestep(p, regs, kcb, orig_ip); ++ preempt_enable_no_resched(); ++ } + /* + * If pre_handler returns !0, it sets regs->ip and +- * resets current kprobe. ++ * resets current kprobe, and keep preempt count +1. + */ + } + end: diff --git a/queue-4.4/kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch b/queue-4.4/kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch new file mode 100644 index 00000000000..0298a242ecc --- /dev/null +++ b/queue-4.4/kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch @@ -0,0 +1,58 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Christoffer Dall +Date: Mon, 9 Jan 2017 12:18:56 +0100 +Subject: KVM: arm/arm64: Fix occasional warning from the timer work function + +From: Christoffer Dall + + +[ Upstream commit 63e41226afc3f7a044b70325566fa86ac3142538 ] + +When a VCPU blocks (WFI) and has programmed the vtimer, we program a +soft timer to expire in the future to wake up the vcpu thread when +appropriate. Because such as wake up involves a vcpu kick, and the +timer expire function can get called from interrupt context, and the +kick may sleep, we have to schedule the kick in the work function. + +The work function currently has a warning that gets raised if it turns +out that the timer shouldn't fire when it's run, which was added because +the idea was that in that case the work should never have been cancelled. + +However, it turns out that this whole thing is racy and we can get +spurious warnings. The problem is that we clear the armed flag in the +work function, which may run in parallel with the +kvm_timer_unschedule->timer_disarm() call. This results in a possible +situation where the timer_disarm() call does not call +cancel_work_sync(), which effectively synchronizes the completion of the +work function with running the VCPU. As a result, the VCPU thread +proceeds before the work function completees, causing changes to the +timer state such that kvm_timer_should_fire(vcpu) returns false in the +work function. + +All we do in the work function is to kick the VCPU, and an occasional +rare extra kick never harmed anyone. Since the race above is extremely +rare, we don't bother checking if the race happens but simply remove the +check and the clearing of the armed flag from the work function. + +Reported-by: Matthias Brugger +Reviewed-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/arch_timer.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/virt/kvm/arm/arch_timer.c ++++ b/virt/kvm/arm/arch_timer.c +@@ -84,9 +84,6 @@ static void kvm_timer_inject_irq_work(st + struct kvm_vcpu *vcpu; + + vcpu = container_of(work, struct kvm_vcpu, arch.timer_cpu.expired); +- vcpu->arch.timer_cpu.armed = false; +- +- WARN_ON(!kvm_timer_should_fire(vcpu)); + + /* + * If the vcpu is blocked we want to wake it up so that it will see diff --git a/queue-4.4/mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch b/queue-4.4/mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch new file mode 100644 index 00000000000..b1662c1b702 --- /dev/null +++ b/queue-4.4/mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch @@ -0,0 +1,70 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Jan Kara +Date: Wed, 8 Feb 2017 14:30:53 -0800 +Subject: mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers + +From: Jan Kara + + +[ Upstream commit 0911d0041c22922228ca52a977d7b0b0159fee4b ] + +Some ->page_mkwrite handlers may return VM_FAULT_RETRY as its return +code (GFS2 or Lustre can definitely do this). However VM_FAULT_RETRY +from ->page_mkwrite is completely unhandled by the mm code and results +in locking and writeably mapping the page which definitely is not what +the caller wanted. + +Fix Lustre and block_page_mkwrite_ret() used by other filesystems +(notably GFS2) to return VM_FAULT_NOPAGE instead which results in +bailing out from the fault code, the CPU then retries the access, and we +fault again effectively doing what the handler wanted. + +Link: http://lkml.kernel.org/r/20170203150729.15863-1-jack@suse.cz +Signed-off-by: Jan Kara +Reported-by: Al Viro +Reviewed-by: Jinshan Xiong +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/llite/llite_mmap.c | 4 +--- + include/linux/buffer_head.h | 4 +--- + 2 files changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/staging/lustre/lustre/llite/llite_mmap.c ++++ b/drivers/staging/lustre/lustre/llite/llite_mmap.c +@@ -402,15 +402,13 @@ static int ll_page_mkwrite(struct vm_are + result = VM_FAULT_LOCKED; + break; + case -ENODATA: ++ case -EAGAIN: + case -EFAULT: + result = VM_FAULT_NOPAGE; + break; + case -ENOMEM: + result = VM_FAULT_OOM; + break; +- case -EAGAIN: +- result = VM_FAULT_RETRY; +- break; + default: + result = VM_FAULT_SIGBUS; + break; +--- a/include/linux/buffer_head.h ++++ b/include/linux/buffer_head.h +@@ -234,12 +234,10 @@ static inline int block_page_mkwrite_ret + { + if (err == 0) + return VM_FAULT_LOCKED; +- if (err == -EFAULT) ++ if (err == -EFAULT || err == -EAGAIN) + return VM_FAULT_NOPAGE; + if (err == -ENOMEM) + return VM_FAULT_OOM; +- if (err == -EAGAIN) +- return VM_FAULT_RETRY; + /* -ENOSPC, -EDQUOT, -EIO ... */ + return VM_FAULT_SIGBUS; + } diff --git a/queue-4.4/net-appletalk-fix-kernel-memory-disclosure.patch b/queue-4.4/net-appletalk-fix-kernel-memory-disclosure.patch new file mode 100644 index 00000000000..7cba84f9308 --- /dev/null +++ b/queue-4.4/net-appletalk-fix-kernel-memory-disclosure.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Vlad Tsyrklevich +Date: Mon, 9 Jan 2017 20:57:48 +0700 +Subject: net/appletalk: Fix kernel memory disclosure + +From: Vlad Tsyrklevich + + +[ Upstream commit ce7e40c432ba84da104438f6799d460a4cad41bc ] + +ipddp_route structs contain alignment padding so kernel heap memory +is leaked when they are copied to user space in +ipddp_ioctl(SIOCFINDIPDDPRT). Change kmalloc() to kzalloc() to clear +that memory. + +Signed-off-by: Vlad Tsyrklevich +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/appletalk/ipddp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/appletalk/ipddp.c ++++ b/drivers/net/appletalk/ipddp.c +@@ -191,7 +191,7 @@ static netdev_tx_t ipddp_xmit(struct sk_ + */ + static int ipddp_create(struct ipddp_route *new_rt) + { +- struct ipddp_route *rt = kmalloc(sizeof(*rt), GFP_KERNEL); ++ struct ipddp_route *rt = kzalloc(sizeof(*rt), GFP_KERNEL); + + if (rt == NULL) + return -ENOMEM; diff --git a/queue-4.4/net-fec-fix-multicast-filtering-hardware-setup.patch b/queue-4.4/net-fec-fix-multicast-filtering-hardware-setup.patch new file mode 100644 index 00000000000..d4e61716c6b --- /dev/null +++ b/queue-4.4/net-fec-fix-multicast-filtering-hardware-setup.patch @@ -0,0 +1,71 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Rui Sousa +Date: Mon, 13 Feb 2017 10:01:25 +0800 +Subject: net: fec: fix multicast filtering hardware setup + +From: Rui Sousa + + +[ Upstream commit 01f8902bcf3ff124d0aeb88a774180ebcec20ace ] + +Fix hardware setup of multicast address hash: +- Never clear the hardware hash (to avoid packet loss) +- Construct the hash register values in software and then write once +to hardware + +Signed-off-by: Rui Sousa +Signed-off-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2968,6 +2968,7 @@ static void set_multicast_list(struct ne + struct netdev_hw_addr *ha; + unsigned int i, bit, data, crc, tmp; + unsigned char hash; ++ unsigned int hash_high = 0, hash_low = 0; + + if (ndev->flags & IFF_PROMISC) { + tmp = readl(fep->hwp + FEC_R_CNTRL); +@@ -2990,11 +2991,7 @@ static void set_multicast_list(struct ne + return; + } + +- /* Clear filter and add the addresses in hash register +- */ +- writel(0, fep->hwp + FEC_GRP_HASH_TABLE_HIGH); +- writel(0, fep->hwp + FEC_GRP_HASH_TABLE_LOW); +- ++ /* Add the addresses in hash register */ + netdev_for_each_mc_addr(ha, ndev) { + /* calculate crc32 value of mac address */ + crc = 0xffffffff; +@@ -3012,16 +3009,14 @@ static void set_multicast_list(struct ne + */ + hash = (crc >> (32 - HASH_BITS)) & 0x3f; + +- if (hash > 31) { +- tmp = readl(fep->hwp + FEC_GRP_HASH_TABLE_HIGH); +- tmp |= 1 << (hash - 32); +- writel(tmp, fep->hwp + FEC_GRP_HASH_TABLE_HIGH); +- } else { +- tmp = readl(fep->hwp + FEC_GRP_HASH_TABLE_LOW); +- tmp |= 1 << hash; +- writel(tmp, fep->hwp + FEC_GRP_HASH_TABLE_LOW); +- } ++ if (hash > 31) ++ hash_high |= 1 << (hash - 32); ++ else ++ hash_low |= 1 << hash; + } ++ ++ writel(hash_high, fep->hwp + FEC_GRP_HASH_TABLE_HIGH); ++ writel(hash_low, fep->hwp + FEC_GRP_HASH_TABLE_LOW); + } + + /* Set a MAC change in hardware. */ diff --git a/queue-4.4/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch b/queue-4.4/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch new file mode 100644 index 00000000000..ac1c03393a0 --- /dev/null +++ b/queue-4.4/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Colin Ian King +Date: Fri, 20 Jan 2017 13:01:57 +0000 +Subject: net: sctp: fix array overrun read on sctp_timer_tbl + +From: Colin Ian King + + +[ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ] + +The comparison on the timeout can lead to an array overrun +read on sctp_timer_tbl because of an off-by-one error. Fix +this by using < instead of <= and also compare to the array +size rather than SCTP_EVENT_TIMEOUT_MAX. + +Fixes CoverityScan CID#1397639 ("Out-of-bounds read") + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/debug.c ++++ b/net/sctp/debug.c +@@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[ + /* Lookup timer debug name. */ + const char *sctp_tname(const sctp_subtype_t id) + { +- if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) ++ if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) + return sctp_timer_tbl[id.timeout]; + return "unknown_timer"; + } diff --git a/queue-4.4/net-systemport-pad-packet-before-inserting-tsb.patch b/queue-4.4/net-systemport-pad-packet-before-inserting-tsb.patch new file mode 100644 index 00000000000..64e8699718e --- /dev/null +++ b/queue-4.4/net-systemport-pad-packet-before-inserting-tsb.patch @@ -0,0 +1,65 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Florian Fainelli +Date: Tue, 3 Jan 2017 16:34:49 -0800 +Subject: net: systemport: Pad packet before inserting TSB + +From: Florian Fainelli + + +[ Upstream commit 38e5a85562a6cd911fc26d951d576551a688574c ] + +Inserting the TSB means adding an extra 8 bytes in front the of packet +that is going to be used as metadata information by the TDMA engine, but +stripped off, so it does not really help with the packet padding. + +For some odd packet sizes that fall below the 60 bytes payload (e.g: ARP) +we can end-up padding them after the TSB insertion, thus making them 64 +bytes, but with the TDMA stripping off the first 8 bytes, they could +still be smaller than 64 bytes which is required to ingress the switch. + +Fix this by swapping the padding and TSB insertion, guaranteeing that +the packets have the right sizes. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1045,15 +1045,6 @@ static netdev_tx_t bcm_sysport_xmit(stru + goto out; + } + +- /* Insert TSB and checksum infos */ +- if (priv->tsb_en) { +- skb = bcm_sysport_insert_tsb(skb, dev); +- if (!skb) { +- ret = NETDEV_TX_OK; +- goto out; +- } +- } +- + /* The Ethernet switch we are interfaced with needs packets to be at + * least 64 bytes (including FCS) otherwise they will be discarded when + * they enter the switch port logic. When Broadcom tags are enabled, we +@@ -1066,6 +1057,15 @@ static netdev_tx_t bcm_sysport_xmit(stru + goto out; + } + ++ /* Insert TSB and checksum infos */ ++ if (priv->tsb_en) { ++ skb = bcm_sysport_insert_tsb(skb, dev); ++ if (!skb) { ++ ret = NETDEV_TX_OK; ++ goto out; ++ } ++ } ++ + skb_len = skb->len; + + mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE); diff --git a/queue-4.4/net-systemport-utilize-skb_put_padto.patch b/queue-4.4/net-systemport-utilize-skb_put_padto.patch new file mode 100644 index 00000000000..8027ea6d733 --- /dev/null +++ b/queue-4.4/net-systemport-utilize-skb_put_padto.patch @@ -0,0 +1,40 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Florian Fainelli +Date: Tue, 3 Jan 2017 16:34:48 -0800 +Subject: net: systemport: Utilize skb_put_padto() + +From: Florian Fainelli + + +[ Upstream commit bb7da333d0a9f3bddc08f84187b7579a3f68fd24 ] + +Since we need to pad our packets, utilize skb_put_padto() which +increases skb->len by how much we need to pad, allowing us to eliminate +the test on skb->len right below. + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1061,13 +1061,12 @@ static netdev_tx_t bcm_sysport_xmit(stru + * (including FCS and tag) because the length verification is done after + * the Broadcom tag is stripped off the ingress packet. + */ +- if (skb_padto(skb, ETH_ZLEN + ENET_BRCM_TAG_LEN)) { ++ if (skb_put_padto(skb, ETH_ZLEN + ENET_BRCM_TAG_LEN)) { + ret = NETDEV_TX_OK; + goto out; + } + +- skb_len = skb->len < ETH_ZLEN + ENET_BRCM_TAG_LEN ? +- ETH_ZLEN + ENET_BRCM_TAG_LEN : skb->len; ++ skb_len = skb->len; + + mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE); + if (dma_mapping_error(kdev, mapping)) { diff --git a/queue-4.4/nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch b/queue-4.4/nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch new file mode 100644 index 00000000000..3a2e7ce306f --- /dev/null +++ b/queue-4.4/nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Benjamin Coddington +Date: Thu, 5 Jan 2017 10:20:16 -0500 +Subject: nfs: Don't take a reference on fl->fl_file for LOCK operation + +From: Benjamin Coddington + + +[ Upstream commit 4b09ec4b14a168bf2c687e1f598140c3c11e9222 ] + +I have reports of a crash that look like __fput() was called twice for +a NFSv4.0 file. It seems possible that the state manager could try to +reclaim a lock and take a reference on the fl->fl_file at the same time the +file is being released if, during the close(), a signal interrupts the wait +for outstanding IO while removing locks which then skips the removal +of that lock. + +Since 83bfff23e9ed ("nfs4: have do_vfs_lock take an inode pointer") has +removed the need to traverse fl->fl_file->f_inode in nfs4_lock_done(), +taking that reference is no longer necessary. + +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -38,7 +38,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -5738,7 +5737,6 @@ static struct nfs4_lockdata *nfs4_alloc_ + p->server = server; + atomic_inc(&lsp->ls_count); + p->ctx = get_nfs_open_context(ctx); +- get_file(fl->fl_file); + memcpy(&p->fl, fl, sizeof(p->fl)); + return p; + out_free_seqid: +@@ -5851,7 +5849,6 @@ static void nfs4_lock_release(void *call + nfs_free_seqid(data->arg.lock_seqid); + nfs4_put_lock_state(data->lsp); + put_nfs_open_context(data->ctx); +- fput(data->fl.fl_file); + kfree(data); + dprintk("%s: done!\n", __func__); + } diff --git a/queue-4.4/nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch b/queue-4.4/nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch new file mode 100644 index 00000000000..d4484c35e92 --- /dev/null +++ b/queue-4.4/nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Trond Myklebust +Date: Fri, 13 Jan 2017 13:31:32 -0500 +Subject: NFSv4: Fix client recovery when server reboots multiple times + +From: Trond Myklebust + + +[ Upstream commit c6180a6237174f481dc856ed6e890d8196b6f0fb ] + +If the server reboots multiple times, the client should rely on the +server to tell it that it cannot reclaim state as per section 9.6.3.4 +in RFC7530 and section 8.4.2.1 in RFC5661. +Currently, the client is being to conservative, and is assuming that +if the server reboots while state recovery is in progress, then it must +ignore state that was not recovered before the reboot. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4state.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1680,7 +1680,6 @@ static int nfs4_recovery_handle_error(st + break; + case -NFS4ERR_STALE_CLIENTID: + set_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state); +- nfs4_state_clear_reclaim_reboot(clp); + nfs4_state_start_reclaim_reboot(clp); + break; + case -NFS4ERR_EXPIRED: diff --git a/queue-4.4/perf-test-attr-fix-ignored-test-case-result.patch b/queue-4.4/perf-test-attr-fix-ignored-test-case-result.patch new file mode 100644 index 00000000000..2455ae23c86 --- /dev/null +++ b/queue-4.4/perf-test-attr-fix-ignored-test-case-result.patch @@ -0,0 +1,68 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Thomas Richter +Date: Wed, 13 Sep 2017 10:12:09 +0200 +Subject: perf test attr: Fix ignored test case result + +From: Thomas Richter + + +[ Upstream commit 22905582f6dd4bbd0c370fe5732c607452010c04 ] + +Command perf test -v 16 (Setup struct perf_event_attr test) always +reports success even if the test case fails. It works correctly if you +also specify -F (for don't fork). + + root@s35lp76 perf]# ./perf test -v 16 + 15: Setup struct perf_event_attr : + --- start --- + running './tests/attr/test-record-no-delay' + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.002 MB /tmp/tmp4E1h7R/perf.data + (1 samples) ] + expected task=0, got 1 + expected precise_ip=0, got 3 + expected wakeup_events=1, got 0 + FAILED './tests/attr/test-record-no-delay' - match failure + test child finished with 0 + ---- end ---- + Setup struct perf_event_attr: Ok + +The reason for the wrong error reporting is the return value of the +system() library call. It is called in run_dir() file tests/attr.c and +returns the exit status, in above case 0xff00. + +This value is given as parameter to the exit() function which can only +handle values 0-0xff. + +The child process terminates with exit value of 0 and the parent does +not detect any error. + +This patch corrects the error reporting and prints the correct test +result. + +Signed-off-by: Thomas-Mich Richter +Acked-by: Jiri Olsa +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Cc: Thomas-Mich Richter +LPU-Reference: 20170913081209.39570-2-tmricht@linux.vnet.ibm.com +Link: http://lkml.kernel.org/n/tip-rdube6rfcjsr1nzue72c7lqn@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/attr.c ++++ b/tools/perf/tests/attr.c +@@ -150,7 +150,7 @@ static int run_dir(const char *d, const + snprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s", + d, d, perf, vcnt, v); + +- return system(cmd); ++ return system(cmd) ? TEST_FAIL : TEST_OK; + } + + int test__attr(void) diff --git a/queue-4.4/ravb-remove-rx-overflow-log-messages.patch b/queue-4.4/ravb-remove-rx-overflow-log-messages.patch new file mode 100644 index 00000000000..8c11d7fed86 --- /dev/null +++ b/queue-4.4/ravb-remove-rx-overflow-log-messages.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Kazuya Mizuguchi +Date: Thu, 12 Jan 2017 13:21:06 +0100 +Subject: ravb: Remove Rx overflow log messages + +From: Kazuya Mizuguchi + + +[ Upstream commit 18a3ed59d09cf81a6447aadf6931bf0c9ffec5e0 ] + +Remove Rx overflow log messages as in an environment where logging results +in network traffic logging may cause further overflows. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Kazuya Mizuguchi +[simon: reworked changelog] +Signed-off-by: Simon Horman +Acked-by: Sergei Shtylyov +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -831,14 +831,10 @@ static int ravb_poll(struct napi_struct + /* Receive error message handling */ + priv->rx_over_errors = priv->stats[RAVB_BE].rx_over_errors; + priv->rx_over_errors += priv->stats[RAVB_NC].rx_over_errors; +- if (priv->rx_over_errors != ndev->stats.rx_over_errors) { ++ if (priv->rx_over_errors != ndev->stats.rx_over_errors) + ndev->stats.rx_over_errors = priv->rx_over_errors; +- netif_err(priv, rx_err, ndev, "Receive Descriptor Empty\n"); +- } +- if (priv->rx_fifo_errors != ndev->stats.rx_fifo_errors) { ++ if (priv->rx_fifo_errors != ndev->stats.rx_fifo_errors) + ndev->stats.rx_fifo_errors = priv->rx_fifo_errors; +- netif_err(priv, rx_err, ndev, "Receive FIFO Overflow\n"); +- } + out: + return budget - quota; + } diff --git a/queue-4.4/s390-pci-do-not-require-ais-facility.patch b/queue-4.4/s390-pci-do-not-require-ais-facility.patch new file mode 100644 index 00000000000..ec87f7487bd --- /dev/null +++ b/queue-4.4/s390-pci-do-not-require-ais-facility.patch @@ -0,0 +1,92 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Christian Borntraeger +Date: Mon, 30 Oct 2017 14:38:58 +0100 +Subject: s390/pci: do not require AIS facility + +From: Christian Borntraeger + + +[ Upstream commit 48070c73058be6de9c0d754d441ed7092dfc8f12 ] + +As of today QEMU does not provide the AIS facility to its guest. This +prevents Linux guests from using PCI devices as the ais facility is +checked during init. As this is just a performance optimization, we can +move the ais check into the code where we need it (calling the SIC +instruction). This is used at initialization and on interrupt. Both +places do not require any serialization, so we can simply skip the +instruction. + +Since we will now get all interrupts, we can also avoid the 2nd scan. +As we can have multiple interrupts in parallel we might trigger spurious +irqs more often for the non-AIS case but the core code can handle that. + +Signed-off-by: Christian Borntraeger +Reviewed-by: Pierre Morel +Reviewed-by: Halil Pasic +Acked-by: Sebastian Ott +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/pci_insn.h | 2 +- + arch/s390/pci/pci.c | 5 +++-- + arch/s390/pci/pci_insn.c | 6 +++++- + 3 files changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/s390/include/asm/pci_insn.h ++++ b/arch/s390/include/asm/pci_insn.h +@@ -81,6 +81,6 @@ int zpci_refresh_trans(u64 fn, u64 addr, + int zpci_load(u64 *data, u64 req, u64 offset); + int zpci_store(u64 data, u64 req, u64 offset); + int zpci_store_block(const u64 *data, u64 req, u64 offset); +-void zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc); ++int zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc); + + #endif +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -359,7 +359,8 @@ static void zpci_irq_handler(struct airq + /* End of second scan with interrupts on. */ + break; + /* First scan complete, reenable interrupts. */ +- zpci_set_irq_ctrl(SIC_IRQ_MODE_SINGLE, NULL, PCI_ISC); ++ if (zpci_set_irq_ctrl(SIC_IRQ_MODE_SINGLE, NULL, PCI_ISC)) ++ break; + si = 0; + continue; + } +@@ -921,7 +922,7 @@ static int __init pci_base_init(void) + if (!s390_pci_probe) + return 0; + +- if (!test_facility(69) || !test_facility(71) || !test_facility(72)) ++ if (!test_facility(69) || !test_facility(71)) + return 0; + + rc = zpci_debug_init(); +--- a/arch/s390/pci/pci_insn.c ++++ b/arch/s390/pci/pci_insn.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -91,11 +92,14 @@ int zpci_refresh_trans(u64 fn, u64 addr, + } + + /* Set Interruption Controls */ +-void zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc) ++int zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc) + { ++ if (!test_facility(72)) ++ return -EIO; + asm volatile ( + " .insn rsy,0xeb00000000d1,%[ctl],%[isc],%[u]\n" + : : [ctl] "d" (ctl), [isc] "d" (isc << 27), [u] "Q" (*unused)); ++ return 0; + } + + /* PCI Load */ diff --git a/queue-4.4/selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch b/queue-4.4/selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch new file mode 100644 index 00000000000..823660964ca --- /dev/null +++ b/queue-4.4/selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch @@ -0,0 +1,58 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Andy Lutomirski +Date: Sat, 4 Nov 2017 04:19:52 -0700 +Subject: selftests/x86/ldt_get: Add a few additional tests for limits + +From: Andy Lutomirski + + +[ Upstream commit fec8f5ae1715a01c72ad52cb2ecd8aacaf142302 ] + +We weren't testing the .limit and .limit_in_pages fields very well. +Add more tests. + +This addition seems to trigger the "bits 16:19 are undefined" issue +that was fixed in an earlier patch. I think that, at least on my +CPU, the high nibble of the limit ends in LAR bits 16:19. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/5601c15ea9b3113d288953fd2838b18bedf6bc67.1509794321.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/ldt_gdt.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/x86/ldt_gdt.c ++++ b/tools/testing/selftests/x86/ldt_gdt.c +@@ -351,9 +351,24 @@ static void do_simple_tests(void) + install_invalid(&desc, false); + + desc.seg_not_present = 0; +- desc.read_exec_only = 0; + desc.seg_32bit = 1; ++ desc.read_exec_only = 0; ++ desc.limit = 0xfffff; ++ + install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB); ++ ++ desc.limit_in_pages = 1; ++ ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB | AR_G); ++ desc.read_exec_only = 1; ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S | AR_P | AR_DB | AR_G); ++ desc.contents = 1; ++ desc.read_exec_only = 0; ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G); ++ desc.read_exec_only = 1; ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G); ++ ++ desc.limit = 0; + install_invalid(&desc, true); + } + diff --git a/queue-4.4/serial-8250-preserve-dld-for-port_xr17v35x.patch b/queue-4.4/serial-8250-preserve-dld-for-port_xr17v35x.patch new file mode 100644 index 00000000000..200aa3dca2a --- /dev/null +++ b/queue-4.4/serial-8250-preserve-dld-for-port_xr17v35x.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Aaron Sierra +Date: Wed, 4 Oct 2017 10:01:28 -0500 +Subject: serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X + +From: Aaron Sierra + + +[ Upstream commit 0ab84da2e076948c49d36197ee7d254125c53eab ] + +The upper four bits of the XR17V35x fractional divisor register (DLD) +control general chip function (RS-485 direction pin polarity, multidrop +mode, XON/XOFF parity check, and fast IR mode). Don't allow these bits +to be clobbered when setting the baudrate. + +Signed-off-by: Aaron Sierra +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2223,8 +2223,11 @@ static void serial8250_set_divisor(struc + serial_dl_write(up, quot); + + /* XR17V35x UARTs have an extra fractional divisor register (DLD) */ +- if (up->port.type == PORT_XR17V35X) ++ if (up->port.type == PORT_XR17V35X) { ++ /* Preserve bits not related to baudrate; DLD[7:4]. */ ++ quot_frac |= serial_port_in(port, 0x2) & 0xf0; + serial_port_out(port, 0x2, quot_frac); ++ } + } + + static unsigned int diff --git a/queue-4.4/serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch b/queue-4.4/serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch new file mode 100644 index 00000000000..71b16a570d8 --- /dev/null +++ b/queue-4.4/serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Lukas Wunner +Date: Sat, 28 Oct 2017 11:35:49 +0200 +Subject: serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() + +From: Lukas Wunner + + +[ Upstream commit 3236a965486ba0c6043cf2c7b51943d8b382ae29 ] + +This driver's ->rs485_config callback checks if SER_RS485_RTS_ON_SEND +and SER_RS485_RTS_AFTER_SEND have the same value. If they do, it means +the user has passed in invalid data with the TIOCSRS485 ioctl() +since RTS must have a different polarity when sending and when not +sending. In this case, rs485 mode is not enabled (the RS485_URA bit +is not set in the RS485 Enable Register) and this is supposed to be +signaled back to the user by clearing the SER_RS485_ENABLED bit in +struct serial_rs485 ... except a missing tilde character is preventing +that from happening. + +Fixes: 28e3fb6c4dce ("serial: Add support for Fintek F81216A LPC to 4 UART") +Cc: Ricardo Ribalda Delgado +Cc: "Ji-Ze Hong (Peter Hong)" +Signed-off-by: Lukas Wunner +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_fintek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_fintek.c ++++ b/drivers/tty/serial/8250/8250_fintek.c +@@ -117,7 +117,7 @@ static int fintek_8250_rs485_config(stru + + if ((!!(rs485->flags & SER_RS485_RTS_ON_SEND)) == + (!!(rs485->flags & SER_RS485_RTS_AFTER_SEND))) +- rs485->flags &= SER_RS485_ENABLED; ++ rs485->flags &= ~SER_RS485_ENABLED; + else + config |= RS485_URA; + diff --git a/queue-4.4/series b/queue-4.4/series index 72e95f958f9..104d26aad1d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -4,3 +4,36 @@ uas-always-apply-us_fl_no_ata_1x-quirk-to-seagate-devices.patch usb-quirks-add-no-lpm-quirk-for-ky-688-usb-3.1-type-c-hub.patch serial-8250_pci-add-amazon-pci-serial-device-id.patch s390-runtime-instrumentation-simplify-task-exit-handling.patch +usb-serial-option-add-quectel-bg96-id.patch +ima-fix-hash-algorithm-initialization.patch +s390-pci-do-not-require-ais-facility.patch +selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch +serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch +spi-sh-msiof-fix-dma-transfer-size-check.patch +usb-dwc2-fix-udc-state-tracking.patch +usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch +usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch +serial-8250-preserve-dld-for-port_xr17v35x.patch +x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch +edac-sb_edac-fix-missing-break-in-switch.patch +sysrq-fix-show-regs-call-trace-on-arm.patch +usbip-tools-install-all-headers-needed-for-libusbip-development.patch +perf-test-attr-fix-ignored-test-case-result.patch +kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch +net-systemport-utilize-skb_put_padto.patch +net-systemport-pad-packet-before-inserting-tsb.patch +arm-omap1-dma-correct-the-number-of-logical-channels.patch +vti6-fix-device-register-to-report-ifla_info_kind.patch +net-appletalk-fix-kernel-memory-disclosure.patch +ravb-remove-rx-overflow-log-messages.patch +nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch +kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch +nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch +drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch +net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch +tipc-fix-cleanup-at-module-unload.patch +dmaengine-pl330-fix-double-lock.patch +tcp-correct-memory-barrier-usage-in-tcp_check_space.patch +mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch +xen-netfront-improve-error-handling-during-initialization.patch +net-fec-fix-multicast-filtering-hardware-setup.patch diff --git a/queue-4.4/spi-sh-msiof-fix-dma-transfer-size-check.patch b/queue-4.4/spi-sh-msiof-fix-dma-transfer-size-check.patch new file mode 100644 index 00000000000..dddf3eff67f --- /dev/null +++ b/queue-4.4/spi-sh-msiof-fix-dma-transfer-size-check.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Hiromitsu Yamasaki +Date: Thu, 2 Nov 2017 10:32:36 +0100 +Subject: spi: sh-msiof: Fix DMA transfer size check + +From: Hiromitsu Yamasaki + + +[ Upstream commit 36735783fdb599c94b9c86824583df367c65900b ] + +DMA supports 32-bit words only, +even if BITLEN1 of SITMDR2 register is 16bit. + +Fixes: b0d0ce8b6b91 ("spi: sh-msiof: Add DMA support") +Signed-off-by: Hiromitsu Yamasaki +Signed-off-by: Simon Horman +Acked-by: Geert Uytterhoeven +Acked-by: Dirk Behme +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sh-msiof.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -863,7 +863,7 @@ static int sh_msiof_transfer_one(struct + break; + copy32 = copy_bswap32; + } else if (bits <= 16) { +- if (l & 1) ++ if (l & 3) + break; + copy32 = copy_wswap32; + } else { diff --git a/queue-4.4/sysrq-fix-show-regs-call-trace-on-arm.patch b/queue-4.4/sysrq-fix-show-regs-call-trace-on-arm.patch new file mode 100644 index 00000000000..2bc99d48b42 --- /dev/null +++ b/queue-4.4/sysrq-fix-show-regs-call-trace-on-arm.patch @@ -0,0 +1,77 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Jibin Xu +Date: Sun, 10 Sep 2017 20:11:42 -0700 +Subject: sysrq : fix Show Regs call trace on ARM + +From: Jibin Xu + + +[ Upstream commit b00bebbc301c8e1f74f230dc82282e56b7e7a6db ] + +When kernel configuration SMP,PREEMPT and DEBUG_PREEMPT are enabled, +echo 1 >/proc/sys/kernel/sysrq +echo p >/proc/sysrq-trigger +kernel will print call trace as below: + +sysrq: SysRq : Show Regs +BUG: using __this_cpu_read() in preemptible [00000000] code: sh/435 +caller is __this_cpu_preempt_check+0x18/0x20 +Call trace: +[] dump_backtrace+0x0/0x1d0 +[] show_stack+0x24/0x30 +[] dump_stack+0x90/0xb0 +[] check_preemption_disabled+0x100/0x108 +[] __this_cpu_preempt_check+0x18/0x20 +[] sysrq_handle_showregs+0x1c/0x40 +[] __handle_sysrq+0x12c/0x1a0 +[] write_sysrq_trigger+0x60/0x70 +[] proc_reg_write+0x90/0xd0 +[] __vfs_write+0x48/0x90 +[] vfs_write+0xa4/0x190 +[] SyS_write+0x54/0xb0 +[] el0_svc_naked+0x24/0x28 + +This can be seen on a common board like an r-pi3. +This happens because when echo p >/proc/sysrq-trigger, +get_irq_regs() is called outside of IRQ context, +if preemption is enabled in this situation,kernel will +print the call trace. Since many prior discussions on +the mailing lists have made it clear that get_irq_regs +either just returns NULL or stale data when used outside +of IRQ context,we simply avoid calling it outside of +IRQ context. + +Signed-off-by: Jibin Xu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/sysrq.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -237,8 +237,10 @@ static void sysrq_handle_showallcpus(int + * architecture has no support for it: + */ + if (!trigger_all_cpu_backtrace()) { +- struct pt_regs *regs = get_irq_regs(); ++ struct pt_regs *regs = NULL; + ++ if (in_irq()) ++ regs = get_irq_regs(); + if (regs) { + pr_info("CPU%d:\n", smp_processor_id()); + show_regs(regs); +@@ -257,7 +259,10 @@ static struct sysrq_key_op sysrq_showall + + static void sysrq_handle_showregs(int key) + { +- struct pt_regs *regs = get_irq_regs(); ++ struct pt_regs *regs = NULL; ++ ++ if (in_irq()) ++ regs = get_irq_regs(); + if (regs) + show_regs(regs); + perf_event_print_debug(); diff --git a/queue-4.4/tcp-correct-memory-barrier-usage-in-tcp_check_space.patch b/queue-4.4/tcp-correct-memory-barrier-usage-in-tcp_check_space.patch new file mode 100644 index 00000000000..672e4902fd3 --- /dev/null +++ b/queue-4.4/tcp-correct-memory-barrier-usage-in-tcp_check_space.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Jason Baron +Date: Tue, 24 Jan 2017 21:49:41 -0500 +Subject: tcp: correct memory barrier usage in tcp_check_space() + +From: Jason Baron + + +[ Upstream commit 56d806222ace4c3aeae516cd7a855340fb2839d8 ] + +sock_reset_flag() maps to __clear_bit() not the atomic version clear_bit(). +Thus, we need smp_mb(), smp_mb__after_atomic() is not sufficient. + +Fixes: 3c7151275c0c ("tcp: add memory barriers to write space paths") +Cc: Eric Dumazet +Cc: Oleg Nesterov +Signed-off-by: Jason Baron +Acked-by: Eric Dumazet +Reported-by: Oleg Nesterov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4942,7 +4942,7 @@ static void tcp_check_space(struct sock + if (sock_flag(sk, SOCK_QUEUE_SHRUNK)) { + sock_reset_flag(sk, SOCK_QUEUE_SHRUNK); + /* pairs with tcp_poll() */ +- smp_mb__after_atomic(); ++ smp_mb(); + if (sk->sk_socket && + test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) + tcp_new_space(sk); diff --git a/queue-4.4/tipc-fix-cleanup-at-module-unload.patch b/queue-4.4/tipc-fix-cleanup-at-module-unload.patch new file mode 100644 index 00000000000..7a5915ca52d --- /dev/null +++ b/queue-4.4/tipc-fix-cleanup-at-module-unload.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Parthasarathy Bhuvaragan +Date: Tue, 24 Jan 2017 13:00:48 +0100 +Subject: tipc: fix cleanup at module unload + +From: Parthasarathy Bhuvaragan + + +[ Upstream commit 35e22e49a5d6a741ebe7f2dd280b2052c3003ef7 ] + +In tipc_server_stop(), we iterate over the connections with limiting +factor as server's idr_in_use. We ignore the fact that this variable +is decremented in tipc_close_conn(), leading to premature exit. + +In this commit, we iterate until the we have no connections left. + +Acked-by: Ying Xue +Acked-by: Jon Maloy +Tested-by: John Thompson +Signed-off-by: Parthasarathy Bhuvaragan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/server.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/tipc/server.c ++++ b/net/tipc/server.c +@@ -618,14 +618,12 @@ int tipc_server_start(struct tipc_server + void tipc_server_stop(struct tipc_server *s) + { + struct tipc_conn *con; +- int total = 0; + int id; + + spin_lock_bh(&s->idr_lock); +- for (id = 0; total < s->idr_in_use; id++) { ++ for (id = 0; s->idr_in_use; id++) { + con = idr_find(&s->conn_idr, id); + if (con) { +- total++; + spin_unlock_bh(&s->idr_lock); + tipc_close_conn(con); + spin_lock_bh(&s->idr_lock); diff --git a/queue-4.4/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch b/queue-4.4/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch new file mode 100644 index 00000000000..879040d7d77 --- /dev/null +++ b/queue-4.4/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch @@ -0,0 +1,109 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: John Stultz +Date: Mon, 23 Oct 2017 14:32:49 -0700 +Subject: usb: dwc2: Error out of dwc2_hsotg_ep_disable() if we're in host mode + +From: John Stultz + + +[ Upstream commit 9b481092c2a31a6b630aff9c28f0145bf6683787 ] + +We've found that while in host mode, using Android, if one runs +the command: + stop adbd + +The existing usb devices being utilized in host mode are disconnected. +This is most visible with usb networking devices. + +This seems to be due to adbd closing the file: + /dev/usb-ffs/adb/ep0 +Which calls ffs_ep0_release() and the following backtrace: + +[] dwc2_hsotg_ep_disable+0x148/0x150 +[] dwc2_hsotg_udc_stop+0x60/0x110 +[] usb_gadget_remove_driver+0x58/0x78 +[] usb_gadget_unregister_driver+0x74/0xe8 +[] unregister_gadget+0x28/0x58 +[] unregister_gadget_item+0x2c/0x40 +[] ffs_data_clear+0xe8/0xf8 +[] ffs_data_reset+0x20/0x58 +[] ffs_data_closed+0x98/0xe8 +[] ffs_ep0_release+0x20/0x30 + +Then when dwc2_hsotg_ep_disable() is called, we call +kill_all_requests() which causes a bunch of the following +messages: + +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +init: Service 'adbd' (pid 1915) killed by signal 9 +init: Sending signal 9 to service 'adbd' (pid 1915) process group... +init: Successfully killed process cgroup uid 0 pid 1915 in 0ms +init: processing action (init.svc.adbd=stopped) from (/init.usb.configfs.rc:15) +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 8 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 12 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 15 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 3 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 4 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_update_urb_state_abn(): trimming xfer length + +And the usb devices connected are basically hung at this point. + +It seems like if we're in host mode, we probably shouldn't run +the dwc2_hostg_ep_disable logic, so this patch returns an error +in that case. + +With this patch (along with the previous patch in this set), we avoid +the mismatched interrupts and connected usb devices continue to function. + +I'm not sure if some other solution would be better here, but this seems +to work, so I wanted to send it out for input on what the right approach +should be. + +Cc: Wei Xu +Cc: Guodong Xu +Cc: Amit Pundir +Cc: YongQin Liu +Cc: John Youn +Cc: Minas Harutyunyan +Cc: Douglas Anderson +Cc: Chen Yu +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Acked-by: Minas Harutyunyan +Tested-by: Minas Harutyunyan +Reported-by: YongQin Liu +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -2834,6 +2834,11 @@ static int dwc2_hsotg_ep_disable(struct + return -EINVAL; + } + ++ if (hsotg->op_state != OTG_STATE_B_PERIPHERAL) { ++ dev_err(hsotg->dev, "%s: called in host mode?\n", __func__); ++ return -EINVAL; ++ } ++ + epctrl_reg = dir_in ? DIEPCTL(index) : DOEPCTL(index); + + spin_lock_irqsave(&hsotg->lock, flags); diff --git a/queue-4.4/usb-dwc2-fix-udc-state-tracking.patch b/queue-4.4/usb-dwc2-fix-udc-state-tracking.patch new file mode 100644 index 00000000000..a12604b2d7d --- /dev/null +++ b/queue-4.4/usb-dwc2-fix-udc-state-tracking.patch @@ -0,0 +1,55 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: John Stultz +Date: Mon, 23 Oct 2017 14:32:50 -0700 +Subject: usb: dwc2: Fix UDC state tracking + +From: John Stultz + + +[ Upstream commit ce2b21a4e5ce042c0a42c9db8fa9e0f849427d5e ] + +It has been noticed that the dwc2 udc state reporting doesn't +seem to work (at least on HiKey boards). Where after the initial +setup, the sysfs /sys/class/udc/f72c0000.usb/state file would +report "configured" no matter the state of the OTG port. + +This patch adds a call so that we report to the UDC layer when +the gadget device is disconnected. + +This patch does depend on the previous patch ("usb: dwc2: +Improve gadget state disconnection handling") in this patch set +in order to properly work. + +Cc: Wei Xu +Cc: Guodong Xu +Cc: Amit Pundir +Cc: YongQin Liu +Cc: John Youn +Cc: Minas Harutyunyan +Cc: Douglas Anderson +Cc: Chen Yu +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Acked-by: Minas Harutyunyan +Tested-by: Minas Harutyunyan +Reported-by: Amit Pundir +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -2206,6 +2206,8 @@ void dwc2_hsotg_disconnect(struct dwc2_h + + call_gadget(hsotg, disconnect); + hsotg->lx_state = DWC2_L3; ++ ++ usb_gadget_set_state(&hsotg->gadget, USB_STATE_NOTATTACHED); + } + + /** diff --git a/queue-4.4/usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch b/queue-4.4/usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch new file mode 100644 index 00000000000..ecda9100755 --- /dev/null +++ b/queue-4.4/usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Alexey Khoroshilov +Date: Sat, 21 Oct 2017 01:02:07 +0300 +Subject: usb: phy: tahvo: fix error handling in tahvo_usb_probe() + +From: Alexey Khoroshilov + + +[ Upstream commit ce035409bfa892a2fabb89720b542e1b335c3426 ] + +If devm_extcon_dev_allocate() fails, we should disable clk before return. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Fixes: 860d2686fda7 ("usb: phy: tahvo: Use devm_extcon_dev_[allocate|register]() and replace deprecated API") +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-tahvo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/phy/phy-tahvo.c ++++ b/drivers/usb/phy/phy-tahvo.c +@@ -368,7 +368,8 @@ static int tahvo_usb_probe(struct platfo + tu->extcon = devm_extcon_dev_allocate(&pdev->dev, tahvo_cable); + if (IS_ERR(tu->extcon)) { + dev_err(&pdev->dev, "failed to allocate memory for extcon\n"); +- return -ENOMEM; ++ ret = PTR_ERR(tu->extcon); ++ goto err_disable_clk; + } + + ret = devm_extcon_dev_register(&pdev->dev, tu->extcon); diff --git a/queue-4.4/usb-serial-option-add-quectel-bg96-id.patch b/queue-4.4/usb-serial-option-add-quectel-bg96-id.patch new file mode 100644 index 00000000000..92aadf41d4a --- /dev/null +++ b/queue-4.4/usb-serial-option-add-quectel-bg96-id.patch @@ -0,0 +1,41 @@ +From c654b21ede93845863597de9ad774fd30db5f2ab Mon Sep 17 00:00:00 2001 +From: Sebastian Sjoholm +Date: Mon, 20 Nov 2017 19:29:32 +0100 +Subject: USB: serial: option: add Quectel BG96 id + +From: Sebastian Sjoholm + +commit c654b21ede93845863597de9ad774fd30db5f2ab upstream. + +Quectel BG96 is an Qualcomm MDM9206 based IoT modem, supporting both +CAT-M and NB-IoT. Tested hardware is BG96 mounted on Quectel +development board (EVB). The USB id is added to option.c to allow +DIAG,GPS,AT and modem communication with the BG96. + +Signed-off-by: Sebastian Sjoholm +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -241,6 +241,7 @@ static void option_instat_callback(struc + /* These Quectel products use Quectel's vendor ID */ + #define QUECTEL_PRODUCT_EC21 0x0121 + #define QUECTEL_PRODUCT_EC25 0x0125 ++#define QUECTEL_PRODUCT_BG96 0x0296 + + #define CMOTECH_VENDOR_ID 0x16d8 + #define CMOTECH_PRODUCT_6001 0x6001 +@@ -1185,6 +1186,8 @@ static const struct usb_device_id option + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), diff --git a/queue-4.4/usbip-tools-install-all-headers-needed-for-libusbip-development.patch b/queue-4.4/usbip-tools-install-all-headers-needed-for-libusbip-development.patch new file mode 100644 index 00000000000..ed85850079e --- /dev/null +++ b/queue-4.4/usbip-tools-install-all-headers-needed-for-libusbip-development.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Ben Hutchings +Date: Sun, 1 Oct 2017 02:18:37 +0100 +Subject: usbip: tools: Install all headers needed for libusbip development + +From: Ben Hutchings + + +[ Upstream commit c15562c0dcb2c7f26e891923b784cf1926b8c833 ] + +usbip_host_driver.h now depends on several additional headers, which +need to be installed along with it. + +Fixes: 021aed845303 ("staging: usbip: userspace: migrate usbip_host_driver ...") +Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with ...") +Signed-off-by: Ben Hutchings +Acked-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/usb/usbip/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/usb/usbip/Makefile.am ++++ b/tools/usb/usbip/Makefile.am +@@ -1,6 +1,7 @@ + SUBDIRS := libsrc src + includedir = @includedir@/usbip + include_HEADERS := $(addprefix libsrc/, \ +- usbip_common.h vhci_driver.h usbip_host_driver.h) ++ usbip_common.h vhci_driver.h usbip_host_driver.h \ ++ list.h sysfs_utils.h usbip_host_common.h) + + dist_man_MANS := $(addprefix doc/, usbip.8 usbipd.8) diff --git a/queue-4.4/vti6-fix-device-register-to-report-ifla_info_kind.patch b/queue-4.4/vti6-fix-device-register-to-report-ifla_info_kind.patch new file mode 100644 index 00000000000..2c6135bd84a --- /dev/null +++ b/queue-4.4/vti6-fix-device-register-to-report-ifla_info_kind.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: David Forster +Date: Fri, 6 Jan 2017 10:27:59 +0000 +Subject: vti6: fix device register to report IFLA_INFO_KIND + +From: David Forster + + +[ Upstream commit 93e246f783e6bd1bc64fdfbfe68b18161f69b28e ] + +vti6 interface is registered before the rtnl_link_ops block +is attached. As a result the resulting RTM_NEWLINK is missing +IFLA_INFO_KIND. Re-order attachment of rtnl_link_ops block to fix. + +Signed-off-by: Dave Forster +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -189,12 +189,12 @@ static int vti6_tnl_create2(struct net_d + struct vti6_net *ip6n = net_generic(net, vti6_net_id); + int err; + ++ dev->rtnl_link_ops = &vti6_link_ops; + err = register_netdevice(dev); + if (err < 0) + goto out; + + strcpy(t->parms.name, dev->name); +- dev->rtnl_link_ops = &vti6_link_ops; + + dev_hold(dev); + vti6_tnl_link(ip6n, t); diff --git a/queue-4.4/x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch b/queue-4.4/x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch new file mode 100644 index 00000000000..2678524a604 --- /dev/null +++ b/queue-4.4/x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch @@ -0,0 +1,112 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Dave Hansen +Date: Wed, 18 Oct 2017 10:21:07 -0700 +Subject: x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() + +From: Dave Hansen + + +[ Upstream commit da20ab35180780e4a6eadc804544f1fa967f3567 ] + +We do not have tracepoints for sys_modify_ldt() because we define +it directly instead of using the normal SYSCALL_DEFINEx() macros. + +However, there is a reason sys_modify_ldt() does not use the macros: +it has an 'int' return type instead of 'unsigned long'. This is +a bug, but it's a bug cemented in the ABI. + +What does this mean? If we return -EINVAL from a function that +returns 'int', we have 0x00000000ffffffea in %rax. But, if we +return -EINVAL from a function returning 'unsigned long', we end +up with 0xffffffffffffffea in %rax, which is wrong. + +To work around this and maintain the 'int' behavior while using +the SYSCALL_DEFINEx() macros, so we add a cast to 'unsigned int' +in both implementations of sys_modify_ldt(). + +Signed-off-by: Dave Hansen +Reviewed-by: Andy Lutomirski +Reviewed-by: Brian Gerst +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20171018172107.1A79C532@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/syscalls.h | 2 +- + arch/x86/kernel/ldt.c | 16 +++++++++++++--- + arch/x86/um/ldt.c | 7 +++++-- + 3 files changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/syscalls.h ++++ b/arch/x86/include/asm/syscalls.h +@@ -21,7 +21,7 @@ asmlinkage long sys_ioperm(unsigned long + asmlinkage long sys_iopl(unsigned int); + + /* kernel/ldt.c */ +-asmlinkage int sys_modify_ldt(int, void __user *, unsigned long); ++asmlinkage long sys_modify_ldt(int, void __user *, unsigned long); + + /* kernel/signal.c */ + asmlinkage long sys_rt_sigreturn(void); +--- a/arch/x86/kernel/ldt.c ++++ b/arch/x86/kernel/ldt.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -271,8 +272,8 @@ out: + return error; + } + +-asmlinkage int sys_modify_ldt(int func, void __user *ptr, +- unsigned long bytecount) ++SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr , ++ unsigned long , bytecount) + { + int ret = -ENOSYS; + +@@ -290,5 +291,14 @@ asmlinkage int sys_modify_ldt(int func, + ret = write_ldt(ptr, bytecount, 0); + break; + } +- return ret; ++ /* ++ * The SYSCALL_DEFINE() macros give us an 'unsigned long' ++ * return type, but tht ABI for sys_modify_ldt() expects ++ * 'int'. This cast gives us an int-sized value in %rax ++ * for the return code. The 'unsigned' is necessary so ++ * the compiler does not try to sign-extend the negative ++ * return codes into the high half of the register when ++ * taking the value from int->long. ++ */ ++ return (unsigned int)ret; + } +--- a/arch/x86/um/ldt.c ++++ b/arch/x86/um/ldt.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -369,7 +370,9 @@ void free_ldt(struct mm_context *mm) + mm->arch.ldt.entry_count = 0; + } + +-int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount) ++SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr , ++ unsigned long , bytecount) + { +- return do_modify_ldt_skas(func, ptr, bytecount); ++ /* See non-um modify_ldt() for why we do this cast */ ++ return (unsigned int)do_modify_ldt_skas(func, ptr, bytecount); + } diff --git a/queue-4.4/xen-netfront-improve-error-handling-during-initialization.patch b/queue-4.4/xen-netfront-improve-error-handling-during-initialization.patch new file mode 100644 index 00000000000..c41562a8d87 --- /dev/null +++ b/queue-4.4/xen-netfront-improve-error-handling-during-initialization.patch @@ -0,0 +1,85 @@ +From foo@baz Wed Dec 6 16:43:17 CET 2017 +From: Ross Lagerwall +Date: Wed, 8 Feb 2017 10:57:37 +0000 +Subject: xen-netfront: Improve error handling during initialization + +From: Ross Lagerwall + + +[ Upstream commit e2e004acc7cbe3c531e752a270a74e95cde3ea48 ] + +This fixes a crash when running out of grant refs when creating many +queues across many netdevs. + +* If creating queues fails (i.e. there are no grant refs available), +call xenbus_dev_fatal() to ensure that the xenbus device is set to the +closed state. +* If no queues are created, don't call xennet_disconnect_backend as +netdev->real_num_tx_queues will not have been set correctly. +* If setup_netfront() fails, ensure that all the queues created are +cleaned up, not just those that have been set up. +* If any queues were set up and an error occurs, call +xennet_destroy_queues() to clean up the napi context. +* If any fatal error occurs, unregister and destroy the netdev to avoid +leaving around a half setup network device. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Boris Ostrovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 29 +++++++++++------------------ + 1 file changed, 11 insertions(+), 18 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1840,27 +1840,19 @@ static int talk_to_netback(struct xenbus + xennet_destroy_queues(info); + + err = xennet_create_queues(info, &num_queues); +- if (err < 0) +- goto destroy_ring; ++ if (err < 0) { ++ xenbus_dev_fatal(dev, err, "creating queues"); ++ kfree(info->queues); ++ info->queues = NULL; ++ goto out; ++ } + + /* Create shared ring, alloc event channel -- for each queue */ + for (i = 0; i < num_queues; ++i) { + queue = &info->queues[i]; + err = setup_netfront(dev, queue, feature_split_evtchn); +- if (err) { +- /* setup_netfront() will tidy up the current +- * queue on error, but we need to clean up +- * those already allocated. +- */ +- if (i > 0) { +- rtnl_lock(); +- netif_set_real_num_tx_queues(info->netdev, i); +- rtnl_unlock(); +- goto destroy_ring; +- } else { +- goto out; +- } +- } ++ if (err) ++ goto destroy_ring; + } + + again: +@@ -1950,9 +1942,10 @@ abort_transaction_no_dev_fatal: + xenbus_transaction_end(xbt, 1); + destroy_ring: + xennet_disconnect_backend(info); +- kfree(info->queues); +- info->queues = NULL; ++ xennet_destroy_queues(info); + out: ++ unregister_netdev(info->netdev); ++ xennet_free_netdev(info->netdev); + return err; + } +