From: Greg Kroah-Hartman Date: Mon, 30 Jan 2017 13:33:46 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.46~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=174fd63604a8a94229be68c221c089aeb0ece9cf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arc-handle-unaligned-access-delay-slot-corner-case.patch arc-udelay-fix-inline-assembler-by-adding-lp_count-to-clobber-list.patch can-c_can_pci-fix-null-pointer-deref-in-c_can_start-set-device-pointer.patch can-ti_hecc-add-missing-prepare-and-unprepare-of-the-clock.patch drm-i915-check-for-null-atomic-state-in-intel_crtc_disable_noatomic.patch drm-i915-clear-ret-before-unbinding-in-i915_gem_evict_something.patch drm-i915-don-t-init-hpd-polling-for-vlv-and-chv-from-runtime_suspend.patch drm-i915-don-t-leak-edid-in-intel_crt_detect_ddc.patch drm-i915-fix-calculation-of-rotated-x-and-y-offsets-for-planar-formats.patch drm-i915-prevent-crash-with-.disable_display-parameter.patch ib-cxgb3-fix-misspelling-in-header-guard.patch ib-iser-fix-sg_tablesize-calculation.patch ib-srp-fix-invalid-indirect_sg_entries-parameter-value.patch ib-srp-fix-mr-allocation-when-the-device-supports-sg-gaps.patch iw_cxgb4-free-eq-queue-memory-on-last-deref.patch nfs-don-t-increment-lock-sequence-id-after-nfs4err_moved.patch nfsv4.0-always-send-mode-in-setattr-after-exclusive4.patch nfsv4.1-fix-a-deadlock-in-layoutget.patch parisc-don-t-use-bits_per_long-in-userspace-exported-swab.h-header.patch pctv452e-move-buffer-to-heap-no-mutex.patch rdma-cma-fix-unknown-symbol-when-config_ipv6-is-not-enabled.patch s390-mm-fix-cmma-unused-transfer-from-pgste-into-pte.patch s390-ptrace-preserve-previous-registers-for-short-regset-write.patch sunrpc-cleanup-ida-information-when-removing-sunrpc-module.patch v4l-tvp5150-don-t-override-output-pinmuxing-at-stream-on-off-time.patch v4l-tvp5150-fix-comment-regarding-output-pin-muxing.patch v4l-tvp5150-reset-device-at-probe-time-not-in-get-set-format-handlers.patch --- diff --git a/queue-4.9/arc-handle-unaligned-access-delay-slot-corner-case.patch b/queue-4.9/arc-handle-unaligned-access-delay-slot-corner-case.patch new file mode 100644 index 00000000000..6571414864a --- /dev/null +++ b/queue-4.9/arc-handle-unaligned-access-delay-slot-corner-case.patch @@ -0,0 +1,41 @@ +From 9aed02feae57bf7a40cb04ea0e3017cb7a998db4 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 27 Jan 2017 10:45:27 -0800 +Subject: ARC: [arcompact] handle unaligned access delay slot corner case + +From: Vineet Gupta + +commit 9aed02feae57bf7a40cb04ea0e3017cb7a998db4 upstream. + +After emulating an unaligned access in delay slot of a branch, we +pretend as the delay slot never happened - so return back to actual +branch target (or next PC if branch was not taken). + +Curently we did this by handling STATUS32.DE, we also need to clear the +BTA.T bit, which is disregarded when returning from original misaligned +exception, but could cause weirdness if it took the interrupt return +path (in case interrupt was acive too) + +One ARC700 customer ran into this when enabling unaligned access fixup +for kernel mode accesses as well + +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/unaligned.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arc/kernel/unaligned.c ++++ b/arch/arc/kernel/unaligned.c +@@ -241,8 +241,9 @@ int misaligned_fixup(unsigned long addre + if (state.fault) + goto fault; + ++ /* clear any remanants of delay slot */ + if (delay_mode(regs)) { +- regs->ret = regs->bta; ++ regs->ret = regs->bta ~1U; + regs->status32 &= ~STATUS_DE_MASK; + } else { + regs->ret += state.instr_len; diff --git a/queue-4.9/arc-udelay-fix-inline-assembler-by-adding-lp_count-to-clobber-list.patch b/queue-4.9/arc-udelay-fix-inline-assembler-by-adding-lp_count-to-clobber-list.patch new file mode 100644 index 00000000000..51960a25a4b --- /dev/null +++ b/queue-4.9/arc-udelay-fix-inline-assembler-by-adding-lp_count-to-clobber-list.patch @@ -0,0 +1,67 @@ +From 36425cd67052e3becf325fd4d3ba5691791ef7e4 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 24 Jan 2017 10:23:42 -0800 +Subject: ARC: udelay: fix inline assembler by adding LP_COUNT to clobber list + +From: Vineet Gupta + +commit 36425cd67052e3becf325fd4d3ba5691791ef7e4 upstream. + +commit 3c7c7a2fc8811bc ("ARC: Don't use "+l" inline asm constraint") +modified the inline assembly to setup LP_COUNT register manually and NOT +rely on gcc to do it (with the +l inline assembler contraint hint, now +being retired in the compiler) + +However the fix was flawed as we didn't add LP_COUNT to asm clobber list, +meaning gcc doesn't know that LP_COUNT or zero-delay-loops are in action +in the inline asm. + +This resulted in some fun - as nested ZOL loops were being generared + +| mov lp_count,250000 ;16 # tmp235, +| lp .L__GCC__LP14 # <======= OUTER LOOP (gcc generated) +| .L14: +| ld r2, [r5] # MEM[(volatile u32 *)prephitmp_43], w +| dmb 1 +| breq r2, -1, @.L21 #, w,, +| bbit0 r2,1,@.L13 # w,, +| ld r4,[r7] ;25 # loops_per_jiffy, loops_per_jiffy +| mpymu r3,r4,r6 #, loops_per_jiffy, tmp234 +| +| mov lp_count, r3 # <====== INNER LOOP (from inline asm) +| lp 1f +| nop +| 1: +| nop_s +| .L__GCC__LP14: ; loop end, start is @.L14 #, + +This caused issues with drivers relying on sane behaviour of udelay +friends. + +With LP_COUNT added to clobber list, gcc doesn't generate the outer +loop in say above case. + +Addresses STAR 9001146134 + +Reported-by: Joao Pinto +Fixes: 3c7c7a2fc8811bc ("ARC: Don't use "+l" inline asm constraint") +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/delay.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arc/include/asm/delay.h ++++ b/arch/arc/include/asm/delay.h +@@ -26,7 +26,9 @@ static inline void __delay(unsigned long + " lp 1f \n" + " nop \n" + "1: \n" +- : : "r"(loops)); ++ : ++ : "r"(loops) ++ : "lp_count"); + } + + extern void __bad_udelay(void); diff --git a/queue-4.9/can-c_can_pci-fix-null-pointer-deref-in-c_can_start-set-device-pointer.patch b/queue-4.9/can-c_can_pci-fix-null-pointer-deref-in-c_can_start-set-device-pointer.patch new file mode 100644 index 00000000000..564ba4b5e49 --- /dev/null +++ b/queue-4.9/can-c_can_pci-fix-null-pointer-deref-in-c_can_start-set-device-pointer.patch @@ -0,0 +1,39 @@ +From c97c52be78b8463ac5407f1cf1f22f8f6cf93a37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Einar=20J=C3=B3n?= +Date: Fri, 12 Aug 2016 13:50:41 +0200 +Subject: can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Einar Jón + +commit c97c52be78b8463ac5407f1cf1f22f8f6cf93a37 upstream. + +The priv->device pointer for c_can_pci is never set, but it is used +without a NULL check in c_can_start(). Setting it in c_can_pci_probe() +like c_can_plat_probe() prevents c_can_pci.ko from crashing, with and +without CONFIG_PM. + +This might also cause the pm_runtime_*() functions in c_can.c to +actually be executed for c_can_pci devices - they are the only other +place where priv->device is used, but they all contain a null check. + +Signed-off-by: Einar Jón +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/c_can/c_can_pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/c_can/c_can_pci.c ++++ b/drivers/net/can/c_can/c_can_pci.c +@@ -161,6 +161,7 @@ static int c_can_pci_probe(struct pci_de + + dev->irq = pdev->irq; + priv->base = addr; ++ priv->device = &pdev->dev; + + if (!c_can_pci_data->freq) { + dev_err(&pdev->dev, "no clock frequency defined\n"); diff --git a/queue-4.9/can-ti_hecc-add-missing-prepare-and-unprepare-of-the-clock.patch b/queue-4.9/can-ti_hecc-add-missing-prepare-and-unprepare-of-the-clock.patch new file mode 100644 index 00000000000..d7b15c47f9f --- /dev/null +++ b/queue-4.9/can-ti_hecc-add-missing-prepare-and-unprepare-of-the-clock.patch @@ -0,0 +1,70 @@ +From befa60113ce7ea270cb51eada28443ca2756f480 Mon Sep 17 00:00:00 2001 +From: Yegor Yefremov +Date: Wed, 18 Jan 2017 11:35:57 +0100 +Subject: can: ti_hecc: add missing prepare and unprepare of the clock + +From: Yegor Yefremov + +commit befa60113ce7ea270cb51eada28443ca2756f480 upstream. + +In order to make the driver work with the common clock framework, this +patch converts the clk_enable()/clk_disable() to +clk_prepare_enable()/clk_disable_unprepare(). + +Also add error checking for clk_prepare_enable(). + +Signed-off-by: Yegor Yefremov +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/ti_hecc.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -948,7 +948,12 @@ static int ti_hecc_probe(struct platform + netif_napi_add(ndev, &priv->napi, ti_hecc_rx_poll, + HECC_DEF_NAPI_WEIGHT); + +- clk_enable(priv->clk); ++ err = clk_prepare_enable(priv->clk); ++ if (err) { ++ dev_err(&pdev->dev, "clk_prepare_enable() failed\n"); ++ goto probe_exit_clk; ++ } ++ + err = register_candev(ndev); + if (err) { + dev_err(&pdev->dev, "register_candev() failed\n"); +@@ -981,7 +986,7 @@ static int ti_hecc_remove(struct platfor + struct ti_hecc_priv *priv = netdev_priv(ndev); + + unregister_candev(ndev); +- clk_disable(priv->clk); ++ clk_disable_unprepare(priv->clk); + clk_put(priv->clk); + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + iounmap(priv->base); +@@ -1006,7 +1011,7 @@ static int ti_hecc_suspend(struct platfo + hecc_set_bit(priv, HECC_CANMC, HECC_CANMC_PDR); + priv->can.state = CAN_STATE_SLEEPING; + +- clk_disable(priv->clk); ++ clk_disable_unprepare(priv->clk); + + return 0; + } +@@ -1015,8 +1020,11 @@ static int ti_hecc_resume(struct platfor + { + struct net_device *dev = platform_get_drvdata(pdev); + struct ti_hecc_priv *priv = netdev_priv(dev); ++ int err; + +- clk_enable(priv->clk); ++ err = clk_prepare_enable(priv->clk); ++ if (err) ++ return err; + + hecc_clear_bit(priv, HECC_CANMC, HECC_CANMC_PDR); + priv->can.state = CAN_STATE_ERROR_ACTIVE; diff --git a/queue-4.9/drm-i915-check-for-null-atomic-state-in-intel_crtc_disable_noatomic.patch b/queue-4.9/drm-i915-check-for-null-atomic-state-in-intel_crtc_disable_noatomic.patch new file mode 100644 index 00000000000..75a410daccf --- /dev/null +++ b/queue-4.9/drm-i915-check-for-null-atomic-state-in-intel_crtc_disable_noatomic.patch @@ -0,0 +1,47 @@ +From 6d1d427a4e24c403b4adf928d61994bdaa0ca03a Mon Sep 17 00:00:00 2001 +From: Ander Conselvan de Oliveira +Date: Fri, 20 Jan 2017 16:28:45 +0200 +Subject: drm/i915: Check for NULL atomic state in intel_crtc_disable_noatomic() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ander Conselvan de Oliveira + +commit 6d1d427a4e24c403b4adf928d61994bdaa0ca03a upstream. + +In intel_crtc_disable_noatomic(), bail on a failure to allocate an +atomic state to avoid a NULL pointer dereference. + +Fixes: 4a80655827af ("drm/i915: Pass atomic state to crtc enable/disable functions") +Cc: Maarten Lankhorst +Cc: Daniel Vetter +Cc: Daniel Vetter +Cc: Jani Nikula +Cc: intel-gfx@lists.freedesktop.org +Signed-off-by: Ander Conselvan de Oliveira +Reviewed-by: Ville Syrjälä +Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-4-git-send-email-ander.conselvan.de.oliveira@intel.com +(cherry picked from commit 31bb2ef97ea9db343348f9b5ccaa9bb6f48fc655) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -6869,6 +6869,12 @@ static void intel_crtc_disable_noatomic( + } + + state = drm_atomic_state_alloc(crtc->dev); ++ if (!state) { ++ DRM_DEBUG_KMS("failed to disable [CRTC:%d:%s], out of memory", ++ crtc->base.id, crtc->name); ++ return; ++ } ++ + state->acquire_ctx = crtc->dev->mode_config.acquire_ctx; + + /* Everything's already locked, -EDEADLK can't happen. */ diff --git a/queue-4.9/drm-i915-clear-ret-before-unbinding-in-i915_gem_evict_something.patch b/queue-4.9/drm-i915-clear-ret-before-unbinding-in-i915_gem_evict_something.patch new file mode 100644 index 00000000000..9385060a16f --- /dev/null +++ b/queue-4.9/drm-i915-clear-ret-before-unbinding-in-i915_gem_evict_something.patch @@ -0,0 +1,36 @@ +From e88893fea17996018b2d68a22e677ea04f3baadf Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 5 Jan 2017 15:59:40 +0000 +Subject: drm/i915: Clear ret before unbinding in i915_gem_evict_something() + +From: Chris Wilson + +commit e88893fea17996018b2d68a22e677ea04f3baadf upstream. + +Missed when rebasing patches, I failed to set ret to zero before +starting the unbind loop (which depends upon ret being zero). + +Reported-by: Matthew Auld +Fixes: 9332f3b1b99a ("drm/i915: Combine loops within i915_gem_evict_something") +Signed-off-by: Chris Wilson +Cc: Matthew Auld +Link: http://patchwork.freedesktop.org/patch/msgid/20170105155940.10033-1-chris@chris-wilson.co.uk +Reviewed-by: Matthew Auld +(cherry picked from commit 121dfbb2a2ef1c5f49e15c38ccc47ff0beb59446) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_evict.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/i915_gem_evict.c ++++ b/drivers/gpu/drm/i915/i915_gem_evict.c +@@ -194,6 +194,7 @@ found: + } + + /* Unbinding will emit any required flushes */ ++ ret = 0; + while (!list_empty(&eviction_list)) { + vma = list_first_entry(&eviction_list, + struct i915_vma, diff --git a/queue-4.9/drm-i915-don-t-init-hpd-polling-for-vlv-and-chv-from-runtime_suspend.patch b/queue-4.9/drm-i915-don-t-init-hpd-polling-for-vlv-and-chv-from-runtime_suspend.patch new file mode 100644 index 00000000000..537ef170efe --- /dev/null +++ b/queue-4.9/drm-i915-don-t-init-hpd-polling-for-vlv-and-chv-from-runtime_suspend.patch @@ -0,0 +1,45 @@ +From 21d6e0bde50713922a6520ef84e5fd245b05d468 Mon Sep 17 00:00:00 2001 +From: Ander Conselvan de Oliveira +Date: Fri, 20 Jan 2017 16:28:43 +0200 +Subject: drm/i915: Don't init hpd polling for vlv and chv from runtime_suspend() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ander Conselvan de Oliveira + +commit 21d6e0bde50713922a6520ef84e5fd245b05d468 upstream. + +An error in the condition for avoiding the call to intel_hpd_poll_init() +for valleyview and cherryview from intel_runtime_suspend() caused it to +be called unconditionally. Fix it. + +Fixes: 19625e85c6ec ("drm/i915: Enable polling when we don't have hpd") +Cc: Ville Syrjälä +Cc: Daniel Vetter +Cc: Lyude +Cc: Daniel Vetter +Cc: Jani Nikula +Cc: intel-gfx@lists.freedesktop.org +Signed-off-by: Ander Conselvan de Oliveira +Reviewed-by: Ville Syrjälä +Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-2-git-send-email-ander.conselvan.de.oliveira@intel.com +(cherry picked from commit 04313b00b79405f86d815100f85c47a2ee5b8ca0) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -2372,7 +2372,7 @@ static int intel_runtime_suspend(struct + + assert_forcewakes_inactive(dev_priv); + +- if (!IS_VALLEYVIEW(dev_priv) || !IS_CHERRYVIEW(dev_priv)) ++ if (!IS_VALLEYVIEW(dev_priv) && !IS_CHERRYVIEW(dev_priv)) + intel_hpd_poll_init(dev_priv); + + DRM_DEBUG_KMS("Device suspended\n"); diff --git a/queue-4.9/drm-i915-don-t-leak-edid-in-intel_crt_detect_ddc.patch b/queue-4.9/drm-i915-don-t-leak-edid-in-intel_crt_detect_ddc.patch new file mode 100644 index 00000000000..dcf4b2574a8 --- /dev/null +++ b/queue-4.9/drm-i915-don-t-leak-edid-in-intel_crt_detect_ddc.patch @@ -0,0 +1,65 @@ +From c34f078675f505c4437919bb1897b1351f16a050 Mon Sep 17 00:00:00 2001 +From: Ander Conselvan de Oliveira +Date: Fri, 20 Jan 2017 16:28:42 +0200 +Subject: drm/i915: Don't leak edid in intel_crt_detect_ddc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ander Conselvan de Oliveira + +commit c34f078675f505c4437919bb1897b1351f16a050 upstream. + +In the path where intel_crt_detect_ddc() detects a CRT, if would return +true without freeing the edid. + +Fixes: a2bd1f541f19 ("drm/i915: check whether we actually received an edid in detect_ddc") +Cc: Chris Wilson +Cc: Daniel Vetter +Cc: Daniel Vetter +Cc: Jani Nikula +Cc: intel-gfx@lists.freedesktop.org +Signed-off-by: Ander Conselvan de Oliveira +Reviewed-by: Ville Syrjälä +Reviewed-by: Jani Nikula +Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-1-git-send-email-ander.conselvan.de.oliveira@intel.com +(cherry picked from commit c96b63a6a7ac4bd670ec2e663793a9a31418b790) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_crt.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_crt.c ++++ b/drivers/gpu/drm/i915/intel_crt.c +@@ -499,6 +499,7 @@ static bool intel_crt_detect_ddc(struct + struct drm_i915_private *dev_priv = to_i915(crt->base.base.dev); + struct edid *edid; + struct i2c_adapter *i2c; ++ bool ret = false; + + BUG_ON(crt->base.type != INTEL_OUTPUT_ANALOG); + +@@ -515,17 +516,17 @@ static bool intel_crt_detect_ddc(struct + */ + if (!is_digital) { + DRM_DEBUG_KMS("CRT detected via DDC:0x50 [EDID]\n"); +- return true; ++ ret = true; ++ } else { ++ DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n"); + } +- +- DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n"); + } else { + DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [no valid EDID found]\n"); + } + + kfree(edid); + +- return false; ++ return ret; + } + + static enum drm_connector_status diff --git a/queue-4.9/drm-i915-fix-calculation-of-rotated-x-and-y-offsets-for-planar-formats.patch b/queue-4.9/drm-i915-fix-calculation-of-rotated-x-and-y-offsets-for-planar-formats.patch new file mode 100644 index 00000000000..e33b1a9251a --- /dev/null +++ b/queue-4.9/drm-i915-fix-calculation-of-rotated-x-and-y-offsets-for-planar-formats.patch @@ -0,0 +1,53 @@ +From 3781bd6e7d64d5f5bea9fdee11ab9460a700c0e4 Mon Sep 17 00:00:00 2001 +From: Ander Conselvan de Oliveira +Date: Fri, 20 Jan 2017 16:28:44 +0200 +Subject: drm/i915: Fix calculation of rotated x and y offsets for planar formats +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ander Conselvan de Oliveira + +commit 3781bd6e7d64d5f5bea9fdee11ab9460a700c0e4 upstream. + +Parameters tile_size, tile_width and tile_height were passed in the +wrong order to _intel_adjust_tile_offset() when calculating the rotated +offsets. + +This doesn't fix any user visible bug, since for packed formats new +and old offset are the same and the rotated offsets are within a tile +before they are fed to _intel_adjust_tile_offset(). In that case, the +offsets are unchanged. That is not true for planar formats, but those +are currently not supported. + +Fixes: 66a2d927cb0e ("drm/i915: Make intel_adjust_tile_offset() work for linear buffers") +Cc: Ville Syrjälä +Cc: Sivakumar Thulasimani +Cc: Daniel Vetter +Cc: Jani Nikula +Cc: intel-gfx@lists.freedesktop.org +Signed-off-by: Ander Conselvan de Oliveira +Reviewed-by: Ville Syrjälä +Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-3-git-send-email-ander.conselvan.de.oliveira@intel.com +(cherry picked from commit 46a1bd289507dfcc428fb9daf65421ed6be6af8b) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -2587,8 +2587,9 @@ intel_fill_fb_info(struct drm_i915_priva + * We only keep the x/y offsets, so push all of the + * gtt offset into the x/y offsets. + */ +- _intel_adjust_tile_offset(&x, &y, tile_size, +- tile_width, tile_height, pitch_tiles, ++ _intel_adjust_tile_offset(&x, &y, ++ tile_width, tile_height, ++ tile_size, pitch_tiles, + gtt_offset_rotated * tile_size, 0); + + gtt_offset_rotated += rot_info->plane[i].width * rot_info->plane[i].height; diff --git a/queue-4.9/drm-i915-prevent-crash-with-.disable_display-parameter.patch b/queue-4.9/drm-i915-prevent-crash-with-.disable_display-parameter.patch new file mode 100644 index 00000000000..fa367a3045b --- /dev/null +++ b/queue-4.9/drm-i915-prevent-crash-with-.disable_display-parameter.patch @@ -0,0 +1,45 @@ +From 27892bbdc9233f33bf0f44e08aab8f12e0dec142 Mon Sep 17 00:00:00 2001 +From: Clint Taylor +Date: Wed, 18 Jan 2017 13:38:43 -0800 +Subject: drm/i915: prevent crash with .disable_display parameter + +From: Clint Taylor + +commit 27892bbdc9233f33bf0f44e08aab8f12e0dec142 upstream. + +The .disable_display parameter was causing a fatal crash when fbdev +was dereferenced during driver init. + +V1: protection in i915_drv.c +V2: Moved protection to intel_fbdev.c + +Fixes: 43cee314345a ("drm/i915/fbdev: Limit the global async-domain synchronization") +Testcase: igt/drv_module_reload/basic-no-display +Cc: Chris Wilson +Signed-off-by: Clint Taylor +Link: http://patchwork.freedesktop.org/patch/msgid/1484775523-29428-1-git-send-email-clinton.a.taylor@intel.com +Reviewed-by: Chris Wilson +Cc: Lukas Wunner +Cc: Daniel Vetter +Cc: Jani Nikula +Signed-off-by: Chris Wilson +(cherry picked from commit 5b8cd0755f8a06a851c436a013e7be0823fb155a) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_fbdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/intel_fbdev.c +@@ -745,6 +745,9 @@ void intel_fbdev_initial_config_async(st + { + struct intel_fbdev *ifbdev = to_i915(dev)->fbdev; + ++ if (!ifbdev) ++ return; ++ + ifbdev->cookie = async_schedule(intel_fbdev_initial_config, ifbdev); + } + diff --git a/queue-4.9/ib-cxgb3-fix-misspelling-in-header-guard.patch b/queue-4.9/ib-cxgb3-fix-misspelling-in-header-guard.patch new file mode 100644 index 00000000000..5789aa96ea4 --- /dev/null +++ b/queue-4.9/ib-cxgb3-fix-misspelling-in-header-guard.patch @@ -0,0 +1,33 @@ +From b1a27eac7fefff33ccf6acc919fc0725bf9815fb Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sun, 22 Jan 2017 14:41:22 +0100 +Subject: IB/cxgb3: fix misspelling in header guard + +From: Nicolas Iooss + +commit b1a27eac7fefff33ccf6acc919fc0725bf9815fb upstream. + +Use CXGB3_... instead of CXBG3_... + +Fixes: a85fb3383340 ("IB/cxgb3: Move user vendor structures") +Signed-off-by: Nicolas Iooss +Reviewed-by: Leon Romanovsky +Acked-by: Steve Wise +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/rdma/cxgb3-abi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/rdma/cxgb3-abi.h ++++ b/include/uapi/rdma/cxgb3-abi.h +@@ -30,7 +30,7 @@ + * SOFTWARE. + */ + #ifndef CXGB3_ABI_USER_H +-#define CXBG3_ABI_USER_H ++#define CXGB3_ABI_USER_H + + #include + diff --git a/queue-4.9/ib-iser-fix-sg_tablesize-calculation.patch b/queue-4.9/ib-iser-fix-sg_tablesize-calculation.patch new file mode 100644 index 00000000000..2afbf8226b5 --- /dev/null +++ b/queue-4.9/ib-iser-fix-sg_tablesize-calculation.patch @@ -0,0 +1,42 @@ +From 1e5db6c31ade4150c2e2b1a21e39f776c38fea39 Mon Sep 17 00:00:00 2001 +From: Max Gurtovoy +Date: Wed, 18 Jan 2017 00:40:39 +0200 +Subject: IB/iser: Fix sg_tablesize calculation + +From: Max Gurtovoy + +commit 1e5db6c31ade4150c2e2b1a21e39f776c38fea39 upstream. + +For devices that can register page list that is bigger than +USHRT_MAX, we actually take the wrong value for sg_tablesize. +E.g: for CX4 max_fast_reg_page_list_len is 65536 (bigger than USHRT_MAX) +so we set sg_tablesize to 0 by mistake. Therefore, each IO that is +bigger than 4k splitted to "< 4k" chunks that cause performance degredation. +Remove wrong sg_tablesize assignment, and use the value that was set during +address resolution handler with the needed casting. + +Signed-off-by: Max Gurtovoy +Reviewed-by: Sagi Grimberg +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/iser/iscsi_iser.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/infiniband/ulp/iser/iscsi_iser.c ++++ b/drivers/infiniband/ulp/iser/iscsi_iser.c +@@ -651,13 +651,6 @@ iscsi_iser_session_create(struct iscsi_e + SHOST_DIX_GUARD_CRC); + } + +- /* +- * Limit the sg_tablesize and max_sectors based on the device +- * max fastreg page list length. +- */ +- shost->sg_tablesize = min_t(unsigned short, shost->sg_tablesize, +- ib_conn->device->ib_device->attrs.max_fast_reg_page_list_len); +- + if (iscsi_host_add(shost, + ib_conn->device->ib_device->dma_device)) { + mutex_unlock(&iser_conn->state_mutex); diff --git a/queue-4.9/ib-srp-fix-invalid-indirect_sg_entries-parameter-value.patch b/queue-4.9/ib-srp-fix-invalid-indirect_sg_entries-parameter-value.patch new file mode 100644 index 00000000000..7e20f58691d --- /dev/null +++ b/queue-4.9/ib-srp-fix-invalid-indirect_sg_entries-parameter-value.patch @@ -0,0 +1,43 @@ +From 0a475ef4226e305bdcffe12b401ca1eab06c4913 Mon Sep 17 00:00:00 2001 +From: Israel Rukshin +Date: Wed, 4 Jan 2017 15:59:37 +0200 +Subject: IB/srp: fix invalid indirect_sg_entries parameter value + +From: Israel Rukshin + +commit 0a475ef4226e305bdcffe12b401ca1eab06c4913 upstream. + +After setting indirect_sg_entries module_param to huge value (e.g 500,000), +srp_alloc_req_data() fails to allocate indirect descriptors for the request +ring (kmalloc fails). This commit enforces the maximum value of +indirect_sg_entries to be SG_MAX_SEGMENTS as signified in module param +description. + +Fixes: 65e8617fba17 (scsi: rename SCSI_MAX_{SG, SG_CHAIN}_SEGMENTS) +Fixes: c07d424d6118 (IB/srp: add support for indirect tables that don't fit in SRP_CMD) +Signed-off-by: Israel Rukshin +Signed-off-by: Max Gurtovoy +Reviewed-by: Laurence Oberman +Reviewed-by: Bart Van Assche -- +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -3683,6 +3683,12 @@ static int __init srp_init_module(void) + indirect_sg_entries = cmd_sg_entries; + } + ++ if (indirect_sg_entries > SG_MAX_SEGMENTS) { ++ pr_warn("Clamping indirect_sg_entries to %u\n", ++ SG_MAX_SEGMENTS); ++ indirect_sg_entries = SG_MAX_SEGMENTS; ++ } ++ + srp_remove_wq = create_workqueue("srp_remove"); + if (!srp_remove_wq) { + ret = -ENOMEM; diff --git a/queue-4.9/ib-srp-fix-mr-allocation-when-the-device-supports-sg-gaps.patch b/queue-4.9/ib-srp-fix-mr-allocation-when-the-device-supports-sg-gaps.patch new file mode 100644 index 00000000000..6ab303ad7ba --- /dev/null +++ b/queue-4.9/ib-srp-fix-mr-allocation-when-the-device-supports-sg-gaps.patch @@ -0,0 +1,53 @@ +From ad8e66b4a80182174f73487ed25fd2140cf43361 Mon Sep 17 00:00:00 2001 +From: Israel Rukshin +Date: Wed, 28 Dec 2016 12:48:28 +0200 +Subject: IB/srp: fix mr allocation when the device supports sg gaps + +From: Israel Rukshin + +commit ad8e66b4a80182174f73487ed25fd2140cf43361 upstream. + +If the device support arbitrary sg list mapping (device cap +IB_DEVICE_SG_GAPS_REG set) we allocate the memory regions with +IB_MR_TYPE_SG_GAPS. + +Fixes: 509c5f33f4f6 ("IB/srp: Prevent mapping failures") +Signed-off-by: Israel Rukshin +Signed-off-by: Max Gurtovoy +Reviewed-by: Leon Romanovsky +Reviewed-by: Mark Bloch +Reviewed-by: Yuval Shaia +Reviewed-by: Bart Van Assche +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -366,6 +366,7 @@ static struct srp_fr_pool *srp_create_fr + struct srp_fr_desc *d; + struct ib_mr *mr; + int i, ret = -EINVAL; ++ enum ib_mr_type mr_type; + + if (pool_size <= 0) + goto err; +@@ -379,9 +380,13 @@ static struct srp_fr_pool *srp_create_fr + spin_lock_init(&pool->lock); + INIT_LIST_HEAD(&pool->free_list); + ++ if (device->attrs.device_cap_flags & IB_DEVICE_SG_GAPS_REG) ++ mr_type = IB_MR_TYPE_SG_GAPS; ++ else ++ mr_type = IB_MR_TYPE_MEM_REG; ++ + for (i = 0, d = &pool->desc[0]; i < pool->size; i++, d++) { +- mr = ib_alloc_mr(pd, IB_MR_TYPE_MEM_REG, +- max_page_list_len); ++ mr = ib_alloc_mr(pd, mr_type, max_page_list_len); + if (IS_ERR(mr)) { + ret = PTR_ERR(mr); + goto destroy_pool; diff --git a/queue-4.9/iw_cxgb4-free-eq-queue-memory-on-last-deref.patch b/queue-4.9/iw_cxgb4-free-eq-queue-memory-on-last-deref.patch new file mode 100644 index 00000000000..67cfb0d4152 --- /dev/null +++ b/queue-4.9/iw_cxgb4-free-eq-queue-memory-on-last-deref.patch @@ -0,0 +1,251 @@ +From c12a67fec8d99bb554e8d4e99120d418f1a39c87 Mon Sep 17 00:00:00 2001 +From: Steve Wise +Date: Thu, 22 Dec 2016 07:40:36 -0800 +Subject: iw_cxgb4: free EQ queue memory on last deref + +From: Steve Wise + +commit c12a67fec8d99bb554e8d4e99120d418f1a39c87 upstream. + +Commit ad61a4c7a9b7 ("iw_cxgb4: don't block in destroy_qp awaiting +the last deref") introduced a bug where the RDMA QP EQ queue memory +(and QIDs) are possibly freed before the underlying connection has been +fully shutdown. The result being a possible DMA read issued by HW after +the queue memory has been unmapped and freed. This results in possible +WR corruption in the worst case, system bus errors if an IOMMU is in use, +and SGE "bad WR" errors reported in the very least. The fix is to defer +unmap/free of queue memory and QID resources until the QP struct has +been fully dereferenced. To do this, the c4iw_ucontext must also be kept +around until the last QP that references it is fully freed. In addition, +since the last QP deref can happen in an IRQ disabled context, we need +a new workqueue thread to do the final unmap/free of the EQ queue memory. + +Fixes: ad61a4c7a9b7 ("iw_cxgb4: don't block in destroy_qp awaiting the last deref") +Signed-off-by: Steve Wise +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/cxgb4/device.c | 9 ++++++++ + drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 18 ++++++++++++++++ + drivers/infiniband/hw/cxgb4/provider.c | 20 +++++++++++++++--- + drivers/infiniband/hw/cxgb4/qp.c | 35 ++++++++++++++++++++++++--------- + 4 files changed, 69 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/hw/cxgb4/device.c ++++ b/drivers/infiniband/hw/cxgb4/device.c +@@ -848,9 +848,17 @@ static int c4iw_rdev_open(struct c4iw_rd + } + } + ++ rdev->free_workq = create_singlethread_workqueue("iw_cxgb4_free"); ++ if (!rdev->free_workq) { ++ err = -ENOMEM; ++ goto err_free_status_page; ++ } ++ + rdev->status_page->db_off = 0; + + return 0; ++err_free_status_page: ++ free_page((unsigned long)rdev->status_page); + destroy_ocqp_pool: + c4iw_ocqp_pool_destroy(rdev); + destroy_rqtpool: +@@ -864,6 +872,7 @@ destroy_resource: + + static void c4iw_rdev_close(struct c4iw_rdev *rdev) + { ++ destroy_workqueue(rdev->free_workq); + kfree(rdev->wr_log); + free_page((unsigned long)rdev->status_page); + c4iw_pblpool_destroy(rdev); +--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h ++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + +@@ -107,6 +108,7 @@ struct c4iw_dev_ucontext { + struct list_head qpids; + struct list_head cqids; + struct mutex lock; ++ struct kref kref; + }; + + enum c4iw_rdev_flags { +@@ -183,6 +185,7 @@ struct c4iw_rdev { + atomic_t wr_log_idx; + struct wr_log_entry *wr_log; + int wr_log_size; ++ struct workqueue_struct *free_workq; + }; + + static inline int c4iw_fatal_error(struct c4iw_rdev *rdev) +@@ -482,6 +485,8 @@ struct c4iw_qp { + int sq_sig_all; + struct completion rq_drained; + struct completion sq_drained; ++ struct work_struct free_work; ++ struct c4iw_ucontext *ucontext; + }; + + static inline struct c4iw_qp *to_c4iw_qp(struct ib_qp *ibqp) +@@ -495,6 +500,7 @@ struct c4iw_ucontext { + u32 key; + spinlock_t mmap_lock; + struct list_head mmaps; ++ struct kref kref; + }; + + static inline struct c4iw_ucontext *to_c4iw_ucontext(struct ib_ucontext *c) +@@ -502,6 +508,18 @@ static inline struct c4iw_ucontext *to_c + return container_of(c, struct c4iw_ucontext, ibucontext); + } + ++void _c4iw_free_ucontext(struct kref *kref); ++ ++static inline void c4iw_put_ucontext(struct c4iw_ucontext *ucontext) ++{ ++ kref_put(&ucontext->kref, _c4iw_free_ucontext); ++} ++ ++static inline void c4iw_get_ucontext(struct c4iw_ucontext *ucontext) ++{ ++ kref_get(&ucontext->kref); ++} ++ + struct c4iw_mm_entry { + struct list_head entry; + u64 addr; +--- a/drivers/infiniband/hw/cxgb4/provider.c ++++ b/drivers/infiniband/hw/cxgb4/provider.c +@@ -91,17 +91,28 @@ static int c4iw_process_mad(struct ib_de + return -ENOSYS; + } + +-static int c4iw_dealloc_ucontext(struct ib_ucontext *context) ++void _c4iw_free_ucontext(struct kref *kref) + { +- struct c4iw_dev *rhp = to_c4iw_dev(context->device); +- struct c4iw_ucontext *ucontext = to_c4iw_ucontext(context); ++ struct c4iw_ucontext *ucontext; ++ struct c4iw_dev *rhp; + struct c4iw_mm_entry *mm, *tmp; + +- PDBG("%s context %p\n", __func__, context); ++ ucontext = container_of(kref, struct c4iw_ucontext, kref); ++ rhp = to_c4iw_dev(ucontext->ibucontext.device); ++ ++ PDBG("%s ucontext %p\n", __func__, ucontext); + list_for_each_entry_safe(mm, tmp, &ucontext->mmaps, entry) + kfree(mm); + c4iw_release_dev_ucontext(&rhp->rdev, &ucontext->uctx); + kfree(ucontext); ++} ++ ++static int c4iw_dealloc_ucontext(struct ib_ucontext *context) ++{ ++ struct c4iw_ucontext *ucontext = to_c4iw_ucontext(context); ++ ++ PDBG("%s context %p\n", __func__, context); ++ c4iw_put_ucontext(ucontext); + return 0; + } + +@@ -125,6 +136,7 @@ static struct ib_ucontext *c4iw_alloc_uc + c4iw_init_dev_ucontext(&rhp->rdev, &context->uctx); + INIT_LIST_HEAD(&context->mmaps); + spin_lock_init(&context->mmap_lock); ++ kref_init(&context->kref); + + if (udata->outlen < sizeof(uresp) - sizeof(uresp.reserved)) { + if (!warned++) +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -714,13 +714,32 @@ static int build_inv_stag(union t4_wr *w + return 0; + } + +-static void _free_qp(struct kref *kref) ++static void free_qp_work(struct work_struct *work) ++{ ++ struct c4iw_ucontext *ucontext; ++ struct c4iw_qp *qhp; ++ struct c4iw_dev *rhp; ++ ++ qhp = container_of(work, struct c4iw_qp, free_work); ++ ucontext = qhp->ucontext; ++ rhp = qhp->rhp; ++ ++ PDBG("%s qhp %p ucontext %p\n", __func__, qhp, ucontext); ++ destroy_qp(&rhp->rdev, &qhp->wq, ++ ucontext ? &ucontext->uctx : &rhp->rdev.uctx); ++ ++ if (ucontext) ++ c4iw_put_ucontext(ucontext); ++ kfree(qhp); ++} ++ ++static void queue_qp_free(struct kref *kref) + { + struct c4iw_qp *qhp; + + qhp = container_of(kref, struct c4iw_qp, kref); + PDBG("%s qhp %p\n", __func__, qhp); +- kfree(qhp); ++ queue_work(qhp->rhp->rdev.free_workq, &qhp->free_work); + } + + void c4iw_qp_add_ref(struct ib_qp *qp) +@@ -732,7 +751,7 @@ void c4iw_qp_add_ref(struct ib_qp *qp) + void c4iw_qp_rem_ref(struct ib_qp *qp) + { + PDBG("%s ib_qp %p\n", __func__, qp); +- kref_put(&to_c4iw_qp(qp)->kref, _free_qp); ++ kref_put(&to_c4iw_qp(qp)->kref, queue_qp_free); + } + + static void add_to_fc_list(struct list_head *head, struct list_head *entry) +@@ -1642,7 +1661,6 @@ int c4iw_destroy_qp(struct ib_qp *ib_qp) + struct c4iw_dev *rhp; + struct c4iw_qp *qhp; + struct c4iw_qp_attributes attrs; +- struct c4iw_ucontext *ucontext; + + qhp = to_c4iw_qp(ib_qp); + rhp = qhp->rhp; +@@ -1662,11 +1680,6 @@ int c4iw_destroy_qp(struct ib_qp *ib_qp) + spin_unlock_irq(&rhp->lock); + free_ird(rhp, qhp->attr.max_ird); + +- ucontext = ib_qp->uobject ? +- to_c4iw_ucontext(ib_qp->uobject->context) : NULL; +- destroy_qp(&rhp->rdev, &qhp->wq, +- ucontext ? &ucontext->uctx : &rhp->rdev.uctx); +- + c4iw_qp_rem_ref(ib_qp); + + PDBG("%s ib_qp %p qpid 0x%0x\n", __func__, ib_qp, qhp->wq.sq.qid); +@@ -1767,6 +1780,7 @@ struct ib_qp *c4iw_create_qp(struct ib_p + mutex_init(&qhp->mutex); + init_waitqueue_head(&qhp->wait); + kref_init(&qhp->kref); ++ INIT_WORK(&qhp->free_work, free_qp_work); + + ret = insert_handle(rhp, &rhp->qpidr, qhp, qhp->wq.sq.qid); + if (ret) +@@ -1853,6 +1867,9 @@ struct ib_qp *c4iw_create_qp(struct ib_p + ma_sync_key_mm->len = PAGE_SIZE; + insert_mmap(ucontext, ma_sync_key_mm); + } ++ ++ c4iw_get_ucontext(ucontext); ++ qhp->ucontext = ucontext; + } + qhp->ibqp.qp_num = qhp->wq.sq.qid; + init_timer(&(qhp->timer)); diff --git a/queue-4.9/nfs-don-t-increment-lock-sequence-id-after-nfs4err_moved.patch b/queue-4.9/nfs-don-t-increment-lock-sequence-id-after-nfs4err_moved.patch new file mode 100644 index 00000000000..ab4433aecf0 --- /dev/null +++ b/queue-4.9/nfs-don-t-increment-lock-sequence-id-after-nfs4err_moved.patch @@ -0,0 +1,54 @@ +From 059aa734824165507c65fd30a55ff000afd14983 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sun, 22 Jan 2017 14:04:29 -0500 +Subject: nfs: Don't increment lock sequence ID after NFS4ERR_MOVED + +From: Chuck Lever + +commit 059aa734824165507c65fd30a55ff000afd14983 upstream. + +Xuan Qi reports that the Linux NFSv4 client failed to lock a file +that was migrated. The steps he observed on the wire: + +1. The client sent a LOCK request to the source server +2. The source server replied NFS4ERR_MOVED +3. The client switched to the destination server +4. The client sent the same LOCK request to the destination + server with a bumped lock sequence ID +5. The destination server rejected the LOCK request with + NFS4ERR_BAD_SEQID + +RFC 3530 section 8.1.5 provides a list of NFS errors which do not +bump a lock sequence ID. + +However, RFC 3530 is now obsoleted by RFC 7530. In RFC 7530 section +9.1.7, this list has been updated by the addition of NFS4ERR_MOVED. + +Reported-by: Xuan Qi +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nfs4.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/nfs4.h ++++ b/include/linux/nfs4.h +@@ -282,7 +282,7 @@ enum nfsstat4 { + + static inline bool seqid_mutating_err(u32 err) + { +- /* rfc 3530 section 8.1.5: */ ++ /* See RFC 7530, section 9.1.7 */ + switch (err) { + case NFS4ERR_STALE_CLIENTID: + case NFS4ERR_STALE_STATEID: +@@ -291,6 +291,7 @@ static inline bool seqid_mutating_err(u3 + case NFS4ERR_BADXDR: + case NFS4ERR_RESOURCE: + case NFS4ERR_NOFILEHANDLE: ++ case NFS4ERR_MOVED: + return false; + }; + return true; diff --git a/queue-4.9/nfsv4.0-always-send-mode-in-setattr-after-exclusive4.patch b/queue-4.9/nfsv4.0-always-send-mode-in-setattr-after-exclusive4.patch new file mode 100644 index 00000000000..84e9f0ad481 --- /dev/null +++ b/queue-4.9/nfsv4.0-always-send-mode-in-setattr-after-exclusive4.patch @@ -0,0 +1,35 @@ +From a430607b2ef7c3be090f88c71cfcb1b3988aa7c0 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Tue, 24 Jan 2017 11:34:20 -0500 +Subject: NFSv4.0: always send mode in SETATTR after EXCLUSIVE4 + +From: Benjamin Coddington + +commit a430607b2ef7c3be090f88c71cfcb1b3988aa7c0 upstream. + +Some nfsv4.0 servers may return a mode for the verifier following an open +with EXCLUSIVE4 createmode, but this does not mean the client should skip +setting the mode in the following SETATTR. It should only do that for +EXCLUSIVE4_1 or UNGAURDED createmode. + +Fixes: 5334c5bdac92 ("NFS: Send attributes in OPEN request for NFS4_CREATE_EXCLUSIVE4_1") +Signed-off-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2678,7 +2678,8 @@ static inline void nfs4_exclusive_attrse + sattr->ia_valid |= ATTR_MTIME; + + /* Except MODE, it seems harmless of setting twice. */ +- if ((attrset[1] & FATTR4_WORD1_MODE)) ++ if (opendata->o_arg.createmode != NFS4_CREATE_EXCLUSIVE && ++ attrset[1] & FATTR4_WORD1_MODE) + sattr->ia_valid &= ~ATTR_MODE; + + if (attrset[2] & FATTR4_WORD2_SECURITY_LABEL) diff --git a/queue-4.9/nfsv4.1-fix-a-deadlock-in-layoutget.patch b/queue-4.9/nfsv4.1-fix-a-deadlock-in-layoutget.patch new file mode 100644 index 00000000000..5679f3506c1 --- /dev/null +++ b/queue-4.9/nfsv4.1-fix-a-deadlock-in-layoutget.patch @@ -0,0 +1,32 @@ +From 8ac092519ad91931c96d306c4bfae2c6587c325f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 23 Jan 2017 22:44:12 -0500 +Subject: NFSv4.1: Fix a deadlock in layoutget + +From: Trond Myklebust + +commit 8ac092519ad91931c96d306c4bfae2c6587c325f upstream. + +We cannot call nfs4_handle_exception() without first ensuring that the +slot has been freed. If not, we end up deadlocking with the process +waiting for recovery to complete, and recovery waiting for the slot +table to drain. + +Fixes: 2e80dbe7ac51 ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -8371,6 +8371,7 @@ nfs4_layoutget_handle_exception(struct r + goto out; + } + ++ nfs4_sequence_free_slot(&lgp->res.seq_res); + err = nfs4_handle_exception(server, nfs4err, exception); + if (!status) { + if (exception->retry) diff --git a/queue-4.9/parisc-don-t-use-bits_per_long-in-userspace-exported-swab.h-header.patch b/queue-4.9/parisc-don-t-use-bits_per_long-in-userspace-exported-swab.h-header.patch new file mode 100644 index 00000000000..9cb3a9519a3 --- /dev/null +++ b/queue-4.9/parisc-don-t-use-bits_per_long-in-userspace-exported-swab.h-header.patch @@ -0,0 +1,92 @@ +From 2ad5d52d42810bed95100a3d912679d8864421ec Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 28 Jan 2017 11:52:02 +0100 +Subject: parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header + +From: Helge Deller + +commit 2ad5d52d42810bed95100a3d912679d8864421ec upstream. + +In swab.h the "#if BITS_PER_LONG > 32" breaks compiling userspace programs if +BITS_PER_LONG is #defined by userspace with the sizeof() compiler builtin. + +Solve this problem by using __BITS_PER_LONG instead. Since we now +#include asm/bitsperlong.h avoid further potential userspace pollution +by moving the #define of SHIFT_PER_LONG to bitops.h which is not +exported to userspace. + +This patch unbreaks compiling qemu on hppa/parisc. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/bitops.h | 8 +++++++- + arch/parisc/include/uapi/asm/bitsperlong.h | 2 -- + arch/parisc/include/uapi/asm/swab.h | 5 +++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +--- a/arch/parisc/include/asm/bitops.h ++++ b/arch/parisc/include/asm/bitops.h +@@ -6,7 +6,7 @@ + #endif + + #include +-#include /* for BITS_PER_LONG/SHIFT_PER_LONG */ ++#include + #include + #include + #include +@@ -17,6 +17,12 @@ + * to include/asm-i386/bitops.h or kerneldoc + */ + ++#if __BITS_PER_LONG == 64 ++#define SHIFT_PER_LONG 6 ++#else ++#define SHIFT_PER_LONG 5 ++#endif ++ + #define CHOP_SHIFTCOUNT(x) (((unsigned long) (x)) & (BITS_PER_LONG - 1)) + + +--- a/arch/parisc/include/uapi/asm/bitsperlong.h ++++ b/arch/parisc/include/uapi/asm/bitsperlong.h +@@ -3,10 +3,8 @@ + + #if defined(__LP64__) + #define __BITS_PER_LONG 64 +-#define SHIFT_PER_LONG 6 + #else + #define __BITS_PER_LONG 32 +-#define SHIFT_PER_LONG 5 + #endif + + #include +--- a/arch/parisc/include/uapi/asm/swab.h ++++ b/arch/parisc/include/uapi/asm/swab.h +@@ -1,6 +1,7 @@ + #ifndef _PARISC_SWAB_H + #define _PARISC_SWAB_H + ++#include + #include + #include + +@@ -38,7 +39,7 @@ static inline __attribute_const__ __u32 + } + #define __arch_swab32 __arch_swab32 + +-#if BITS_PER_LONG > 32 ++#if __BITS_PER_LONG > 32 + /* + ** From "PA-RISC 2.0 Architecture", HP Professional Books. + ** See Appendix I page 8 , "Endian Byte Swapping". +@@ -61,6 +62,6 @@ static inline __attribute_const__ __u64 + return x; + } + #define __arch_swab64 __arch_swab64 +-#endif /* BITS_PER_LONG > 32 */ ++#endif /* __BITS_PER_LONG > 32 */ + + #endif /* _PARISC_SWAB_H */ diff --git a/queue-4.9/pctv452e-move-buffer-to-heap-no-mutex.patch b/queue-4.9/pctv452e-move-buffer-to-heap-no-mutex.patch new file mode 100644 index 00000000000..f2dacc763f4 --- /dev/null +++ b/queue-4.9/pctv452e-move-buffer-to-heap-no-mutex.patch @@ -0,0 +1,305 @@ +From 48775cb73c2e26b7ca9d679875a6e570c8b8e124 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Thu, 15 Dec 2016 19:51:07 -0200 +Subject: [media] pctv452e: move buffer to heap, no mutex + +From: Max Kellermann + +commit 48775cb73c2e26b7ca9d679875a6e570c8b8e124 upstream. + +commit 73d5c5c864f4 ("[media] pctv452e: don't do DMA on stack") caused +a NULL pointer dereference which occurs when dvb_usb_init() +calls dvb_usb_device_power_ctrl() for the first time, before the +frontend has been attached. It also caused a recursive deadlock because +tt3650_ci_msg_locked() has already locked the mutex. + +So, partially revert it, but move the buffer to the heap +(DMA capable), not to the stack (may not be DMA capable). +Instead of sharing one buffer which needs mutex protection, +do a new heap allocation for each call. + +Fixes: commit 73d5c5c864f4 ("[media] pctv452e: don't do DMA on stack") + +Signed-off-by: Max Kellermann +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/pctv452e.c | 133 ++++++++++++++++++----------------- + 1 file changed, 72 insertions(+), 61 deletions(-) + +--- a/drivers/media/usb/dvb-usb/pctv452e.c ++++ b/drivers/media/usb/dvb-usb/pctv452e.c +@@ -97,14 +97,13 @@ struct pctv452e_state { + u8 c; /* transaction counter, wraps around... */ + u8 initialized; /* set to 1 if 0x15 has been sent */ + u16 last_rc_key; +- +- unsigned char data[80]; + }; + + static int tt3650_ci_msg(struct dvb_usb_device *d, u8 cmd, u8 *data, + unsigned int write_len, unsigned int read_len) + { + struct pctv452e_state *state = (struct pctv452e_state *)d->priv; ++ u8 *buf; + u8 id; + unsigned int rlen; + int ret; +@@ -114,36 +113,39 @@ static int tt3650_ci_msg(struct dvb_usb_ + return -EIO; + } + +- mutex_lock(&state->ca_mutex); ++ buf = kmalloc(64, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ + id = state->c++; + +- state->data[0] = SYNC_BYTE_OUT; +- state->data[1] = id; +- state->data[2] = cmd; +- state->data[3] = write_len; ++ buf[0] = SYNC_BYTE_OUT; ++ buf[1] = id; ++ buf[2] = cmd; ++ buf[3] = write_len; + +- memcpy(state->data + 4, data, write_len); ++ memcpy(buf + 4, data, write_len); + + rlen = (read_len > 0) ? 64 : 0; +- ret = dvb_usb_generic_rw(d, state->data, 4 + write_len, +- state->data, rlen, /* delay_ms */ 0); ++ ret = dvb_usb_generic_rw(d, buf, 4 + write_len, ++ buf, rlen, /* delay_ms */ 0); + if (0 != ret) + goto failed; + + ret = -EIO; +- if (SYNC_BYTE_IN != state->data[0] || id != state->data[1]) ++ if (SYNC_BYTE_IN != buf[0] || id != buf[1]) + goto failed; + +- memcpy(data, state->data + 4, read_len); ++ memcpy(data, buf + 4, read_len); + +- mutex_unlock(&state->ca_mutex); ++ kfree(buf); + return 0; + + failed: + err("CI error %d; %02X %02X %02X -> %*ph.", +- ret, SYNC_BYTE_OUT, id, cmd, 3, state->data); ++ ret, SYNC_BYTE_OUT, id, cmd, 3, buf); + +- mutex_unlock(&state->ca_mutex); ++ kfree(buf); + return ret; + } + +@@ -410,53 +412,57 @@ static int pctv452e_i2c_msg(struct dvb_u + u8 *rcv_buf, u8 rcv_len) + { + struct pctv452e_state *state = (struct pctv452e_state *)d->priv; ++ u8 *buf; + u8 id; + int ret; + +- mutex_lock(&state->ca_mutex); ++ buf = kmalloc(64, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ + id = state->c++; + + ret = -EINVAL; + if (snd_len > 64 - 7 || rcv_len > 64 - 7) + goto failed; + +- state->data[0] = SYNC_BYTE_OUT; +- state->data[1] = id; +- state->data[2] = PCTV_CMD_I2C; +- state->data[3] = snd_len + 3; +- state->data[4] = addr << 1; +- state->data[5] = snd_len; +- state->data[6] = rcv_len; ++ buf[0] = SYNC_BYTE_OUT; ++ buf[1] = id; ++ buf[2] = PCTV_CMD_I2C; ++ buf[3] = snd_len + 3; ++ buf[4] = addr << 1; ++ buf[5] = snd_len; ++ buf[6] = rcv_len; + +- memcpy(state->data + 7, snd_buf, snd_len); ++ memcpy(buf + 7, snd_buf, snd_len); + +- ret = dvb_usb_generic_rw(d, state->data, 7 + snd_len, +- state->data, /* rcv_len */ 64, ++ ret = dvb_usb_generic_rw(d, buf, 7 + snd_len, ++ buf, /* rcv_len */ 64, + /* delay_ms */ 0); + if (ret < 0) + goto failed; + + /* TT USB protocol error. */ + ret = -EIO; +- if (SYNC_BYTE_IN != state->data[0] || id != state->data[1]) ++ if (SYNC_BYTE_IN != buf[0] || id != buf[1]) + goto failed; + + /* I2C device didn't respond as expected. */ + ret = -EREMOTEIO; +- if (state->data[5] < snd_len || state->data[6] < rcv_len) ++ if (buf[5] < snd_len || buf[6] < rcv_len) + goto failed; + +- memcpy(rcv_buf, state->data + 7, rcv_len); +- mutex_unlock(&state->ca_mutex); ++ memcpy(rcv_buf, buf + 7, rcv_len); + ++ kfree(buf); + return rcv_len; + + failed: + err("I2C error %d; %02X %02X %02X %02X %02X -> %*ph", + ret, SYNC_BYTE_OUT, id, addr << 1, snd_len, rcv_len, +- 7, state->data); ++ 7, buf); + +- mutex_unlock(&state->ca_mutex); ++ kfree(buf); + return ret; + } + +@@ -505,7 +511,7 @@ static u32 pctv452e_i2c_func(struct i2c_ + static int pctv452e_power_ctrl(struct dvb_usb_device *d, int i) + { + struct pctv452e_state *state = (struct pctv452e_state *)d->priv; +- u8 *rx; ++ u8 *b0, *rx; + int ret; + + info("%s: %d\n", __func__, i); +@@ -516,11 +522,12 @@ static int pctv452e_power_ctrl(struct dv + if (state->initialized) + return 0; + +- rx = kmalloc(PCTV_ANSWER_LEN, GFP_KERNEL); +- if (!rx) ++ b0 = kmalloc(5 + PCTV_ANSWER_LEN, GFP_KERNEL); ++ if (!b0) + return -ENOMEM; + +- mutex_lock(&state->ca_mutex); ++ rx = b0 + 5; ++ + /* hmm where shoud this should go? */ + ret = usb_set_interface(d->udev, 0, ISOC_INTERFACE_ALTERNATIVE); + if (ret != 0) +@@ -528,66 +535,70 @@ static int pctv452e_power_ctrl(struct dv + __func__, ret); + + /* this is a one-time initialization, dont know where to put */ +- state->data[0] = 0xaa; +- state->data[1] = state->c++; +- state->data[2] = PCTV_CMD_RESET; +- state->data[3] = 1; +- state->data[4] = 0; ++ b0[0] = 0xaa; ++ b0[1] = state->c++; ++ b0[2] = PCTV_CMD_RESET; ++ b0[3] = 1; ++ b0[4] = 0; + /* reset board */ +- ret = dvb_usb_generic_rw(d, state->data, 5, rx, PCTV_ANSWER_LEN, 0); ++ ret = dvb_usb_generic_rw(d, b0, 5, rx, PCTV_ANSWER_LEN, 0); + if (ret) + goto ret; + +- state->data[1] = state->c++; +- state->data[4] = 1; ++ b0[1] = state->c++; ++ b0[4] = 1; + /* reset board (again?) */ +- ret = dvb_usb_generic_rw(d, state->data, 5, rx, PCTV_ANSWER_LEN, 0); ++ ret = dvb_usb_generic_rw(d, b0, 5, rx, PCTV_ANSWER_LEN, 0); + if (ret) + goto ret; + + state->initialized = 1; + + ret: +- mutex_unlock(&state->ca_mutex); +- kfree(rx); ++ kfree(b0); + return ret; + } + + static int pctv452e_rc_query(struct dvb_usb_device *d) + { + struct pctv452e_state *state = (struct pctv452e_state *)d->priv; ++ u8 *b, *rx; + int ret, i; + u8 id; + +- mutex_lock(&state->ca_mutex); ++ b = kmalloc(CMD_BUFFER_SIZE + PCTV_ANSWER_LEN, GFP_KERNEL); ++ if (!b) ++ return -ENOMEM; ++ ++ rx = b + CMD_BUFFER_SIZE; ++ + id = state->c++; + + /* prepare command header */ +- state->data[0] = SYNC_BYTE_OUT; +- state->data[1] = id; +- state->data[2] = PCTV_CMD_IR; +- state->data[3] = 0; ++ b[0] = SYNC_BYTE_OUT; ++ b[1] = id; ++ b[2] = PCTV_CMD_IR; ++ b[3] = 0; + + /* send ir request */ +- ret = dvb_usb_generic_rw(d, state->data, 4, +- state->data, PCTV_ANSWER_LEN, 0); ++ ret = dvb_usb_generic_rw(d, b, 4, rx, PCTV_ANSWER_LEN, 0); + if (ret != 0) + goto ret; + + if (debug > 3) { +- info("%s: read: %2d: %*ph: ", __func__, ret, 3, state->data); +- for (i = 0; (i < state->data[3]) && ((i + 3) < PCTV_ANSWER_LEN); i++) +- info(" %02x", state->data[i + 3]); ++ info("%s: read: %2d: %*ph: ", __func__, ret, 3, rx); ++ for (i = 0; (i < rx[3]) && ((i+3) < PCTV_ANSWER_LEN); i++) ++ info(" %02x", rx[i+3]); + + info("\n"); + } + +- if ((state->data[3] == 9) && (state->data[12] & 0x01)) { ++ if ((rx[3] == 9) && (rx[12] & 0x01)) { + /* got a "press" event */ +- state->last_rc_key = RC_SCANCODE_RC5(state->data[7], state->data[6]); ++ state->last_rc_key = RC_SCANCODE_RC5(rx[7], rx[6]); + if (debug > 2) + info("%s: cmd=0x%02x sys=0x%02x\n", +- __func__, state->data[6], state->data[7]); ++ __func__, rx[6], rx[7]); + + rc_keydown(d->rc_dev, RC_TYPE_RC5, state->last_rc_key, 0); + } else if (state->last_rc_key) { +@@ -595,7 +606,7 @@ static int pctv452e_rc_query(struct dvb_ + state->last_rc_key = 0; + } + ret: +- mutex_unlock(&state->ca_mutex); ++ kfree(b); + return ret; + } + diff --git a/queue-4.9/rdma-cma-fix-unknown-symbol-when-config_ipv6-is-not-enabled.patch b/queue-4.9/rdma-cma-fix-unknown-symbol-when-config_ipv6-is-not-enabled.patch new file mode 100644 index 00000000000..f813cecb26d --- /dev/null +++ b/queue-4.9/rdma-cma-fix-unknown-symbol-when-config_ipv6-is-not-enabled.patch @@ -0,0 +1,43 @@ +From b4cfe3971f6eab542dd7ecc398bfa1aeec889934 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Sun, 15 Jan 2017 20:15:00 +0200 +Subject: RDMA/cma: Fix unknown symbol when CONFIG_IPV6 is not enabled + +From: Jack Morgenstein + +commit b4cfe3971f6eab542dd7ecc398bfa1aeec889934 upstream. + +If IPV6 has not been enabled in the underlying kernel, we must avoid +calling IPV6 procedures in rdma_cm.ko. + +This requires using "IS_ENABLED(CONFIG_IPV6)" in "if" statements +surrounding any code which calls external IPV6 procedures. + +In the instance fixed here, procedure cma_bind_addr() called +ipv6_addr_type() -- which resulted in calling external procedure +__ipv6_addr_type(). + +Fixes: 6c26a77124ff ("RDMA/cma: fix IPv6 address resolution") +Cc: Spencer Baugh +Signed-off-by: Jack Morgenstein +Reviewed-by: Moni Shoua +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -2768,7 +2768,8 @@ static int cma_bind_addr(struct rdma_cm_ + if (!src_addr || !src_addr->sa_family) { + src_addr = (struct sockaddr *) &id->route.addr.src_addr; + src_addr->sa_family = dst_addr->sa_family; +- if (dst_addr->sa_family == AF_INET6) { ++ if (IS_ENABLED(CONFIG_IPV6) && ++ dst_addr->sa_family == AF_INET6) { + struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *) src_addr; + struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *) dst_addr; + src_addr6->sin6_scope_id = dst_addr6->sin6_scope_id; diff --git a/queue-4.9/s390-mm-fix-cmma-unused-transfer-from-pgste-into-pte.patch b/queue-4.9/s390-mm-fix-cmma-unused-transfer-from-pgste-into-pte.patch new file mode 100644 index 00000000000..60d7372e779 --- /dev/null +++ b/queue-4.9/s390-mm-fix-cmma-unused-transfer-from-pgste-into-pte.patch @@ -0,0 +1,61 @@ +From 0d6da872d3e4a60f43c295386d7ff9a4cdcd57e9 Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Mon, 23 Jan 2017 22:59:44 +0100 +Subject: s390/mm: Fix cmma unused transfer from pgste into pte + +From: Christian Borntraeger + +commit 0d6da872d3e4a60f43c295386d7ff9a4cdcd57e9 upstream. + +The last pgtable rework silently disabled the CMMA unused state by +setting a local pte variable (a parameter) instead of propagating it +back into the caller. Fix it. + +Fixes: ebde765c0e85 ("s390/mm: uninline ptep_xxx functions from pgtable.h") +Cc: Martin Schwidefsky +Cc: Claudio Imbrenda +Signed-off-by: Christian Borntraeger +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/mm/pgtable.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -202,7 +202,7 @@ static inline pgste_t ptep_xchg_start(st + return pgste; + } + +-static inline void ptep_xchg_commit(struct mm_struct *mm, ++static inline pte_t ptep_xchg_commit(struct mm_struct *mm, + unsigned long addr, pte_t *ptep, + pgste_t pgste, pte_t old, pte_t new) + { +@@ -220,6 +220,7 @@ static inline void ptep_xchg_commit(stru + } else { + *ptep = new; + } ++ return old; + } + + pte_t ptep_xchg_direct(struct mm_struct *mm, unsigned long addr, +@@ -231,7 +232,7 @@ pte_t ptep_xchg_direct(struct mm_struct + preempt_disable(); + pgste = ptep_xchg_start(mm, addr, ptep); + old = ptep_flush_direct(mm, addr, ptep); +- ptep_xchg_commit(mm, addr, ptep, pgste, old, new); ++ old = ptep_xchg_commit(mm, addr, ptep, pgste, old, new); + preempt_enable(); + return old; + } +@@ -246,7 +247,7 @@ pte_t ptep_xchg_lazy(struct mm_struct *m + preempt_disable(); + pgste = ptep_xchg_start(mm, addr, ptep); + old = ptep_flush_lazy(mm, addr, ptep); +- ptep_xchg_commit(mm, addr, ptep, pgste, old, new); ++ old = ptep_xchg_commit(mm, addr, ptep, pgste, old, new); + preempt_enable(); + return old; + } diff --git a/queue-4.9/s390-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/s390-ptrace-preserve-previous-registers-for-short-regset-write.patch new file mode 100644 index 00000000000..8290dd63353 --- /dev/null +++ b/queue-4.9/s390-ptrace-preserve-previous-registers-for-short-regset-write.patch @@ -0,0 +1,51 @@ +From 9dce990d2cf57b5ed4e71a9cdbd7eae4335111ff Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Tue, 24 Jan 2017 08:05:52 +0100 +Subject: s390/ptrace: Preserve previous registers for short regset write + +From: Martin Schwidefsky + +commit 9dce990d2cf57b5ed4e71a9cdbd7eae4335111ff upstream. + +Ensure that if userspace supplies insufficient data to +PTRACE_SETREGSET to fill all the registers, the thread's old +registers are preserved. + +convert_vx_to_fp() is adapted to handle only a specified number of +registers rather than unconditionally handling all of them: other +callers of this function are adapted appropriately. + +Based on an initial patch by Dave Martin. + +Reported-by: Dave Martin +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/ptrace.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -963,6 +963,11 @@ static int s390_fpregs_set(struct task_s + if (target == current) + save_fpu_regs(); + ++ if (MACHINE_HAS_VX) ++ convert_vx_to_fp(fprs, target->thread.fpu.vxrs); ++ else ++ memcpy(&fprs, target->thread.fpu.fprs, sizeof(fprs)); ++ + /* If setting FPC, must validate it first. */ + if (count > 0 && pos < offsetof(s390_fp_regs, fprs)) { + u32 ufpc[2] = { target->thread.fpu.fpc, 0 }; +@@ -1067,6 +1072,9 @@ static int s390_vxrs_low_set(struct task + if (target == current) + save_fpu_regs(); + ++ for (i = 0; i < __NUM_VXRS_LOW; i++) ++ vxrs[i] = *((__u64 *)(target->thread.fpu.vxrs + i) + 1); ++ + rc = user_regset_copyin(&pos, &count, &kbuf, &ubuf, vxrs, 0, -1); + if (rc == 0) + for (i = 0; i < __NUM_VXRS_LOW; i++) diff --git a/queue-4.9/series b/queue-4.9/series index 46684bbdc12..0a3f55cfc2e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -23,3 +23,30 @@ isdn-eicon-silence-misleading-array-bounds-warning.patch btrfs-remove-old-tree_root-case-in-btrfs_read_locked_inode.patch btrfs-disable-xattr-operations-on-subvolume-directories.patch btrfs-remove-get-set-_acl-from-btrfs_dir_ro_inode_operations.patch +rdma-cma-fix-unknown-symbol-when-config_ipv6-is-not-enabled.patch +s390-mm-fix-cmma-unused-transfer-from-pgste-into-pte.patch +s390-ptrace-preserve-previous-registers-for-short-regset-write.patch +ib-cxgb3-fix-misspelling-in-header-guard.patch +ib-iser-fix-sg_tablesize-calculation.patch +ib-srp-fix-mr-allocation-when-the-device-supports-sg-gaps.patch +ib-srp-fix-invalid-indirect_sg_entries-parameter-value.patch +can-c_can_pci-fix-null-pointer-deref-in-c_can_start-set-device-pointer.patch +can-ti_hecc-add-missing-prepare-and-unprepare-of-the-clock.patch +arc-udelay-fix-inline-assembler-by-adding-lp_count-to-clobber-list.patch +arc-handle-unaligned-access-delay-slot-corner-case.patch +parisc-don-t-use-bits_per_long-in-userspace-exported-swab.h-header.patch +nfs-don-t-increment-lock-sequence-id-after-nfs4err_moved.patch +nfsv4.1-fix-a-deadlock-in-layoutget.patch +nfsv4.0-always-send-mode-in-setattr-after-exclusive4.patch +sunrpc-cleanup-ida-information-when-removing-sunrpc-module.patch +iw_cxgb4-free-eq-queue-memory-on-last-deref.patch +pctv452e-move-buffer-to-heap-no-mutex.patch +v4l-tvp5150-reset-device-at-probe-time-not-in-get-set-format-handlers.patch +v4l-tvp5150-fix-comment-regarding-output-pin-muxing.patch +v4l-tvp5150-don-t-override-output-pinmuxing-at-stream-on-off-time.patch +drm-i915-clear-ret-before-unbinding-in-i915_gem_evict_something.patch +drm-i915-prevent-crash-with-.disable_display-parameter.patch +drm-i915-don-t-leak-edid-in-intel_crt_detect_ddc.patch +drm-i915-don-t-init-hpd-polling-for-vlv-and-chv-from-runtime_suspend.patch +drm-i915-fix-calculation-of-rotated-x-and-y-offsets-for-planar-formats.patch +drm-i915-check-for-null-atomic-state-in-intel_crtc_disable_noatomic.patch diff --git a/queue-4.9/sunrpc-cleanup-ida-information-when-removing-sunrpc-module.patch b/queue-4.9/sunrpc-cleanup-ida-information-when-removing-sunrpc-module.patch new file mode 100644 index 00000000000..896f8f66d3c --- /dev/null +++ b/queue-4.9/sunrpc-cleanup-ida-information-when-removing-sunrpc-module.patch @@ -0,0 +1,79 @@ +From c929ea0b910355e1876c64431f3d5802f95b3d75 Mon Sep 17 00:00:00 2001 +From: Kinglong Mee +Date: Fri, 20 Jan 2017 16:48:39 +0800 +Subject: SUNRPC: cleanup ida information when removing sunrpc module + +From: Kinglong Mee + +commit c929ea0b910355e1876c64431f3d5802f95b3d75 upstream. + +After removing sunrpc module, I get many kmemleak information as, +unreferenced object 0xffff88003316b1e0 (size 544): + comm "gssproxy", pid 2148, jiffies 4294794465 (age 4200.081s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x4a/0xa0 + [] kmem_cache_alloc+0x15e/0x1f0 + [] ida_pre_get+0xaa/0x150 + [] ida_simple_get+0xad/0x180 + [] nlmsvc_lookup_host+0x4ab/0x7f0 [lockd] + [] lockd+0x4d/0x270 [lockd] + [] param_set_timeout+0x55/0x100 [lockd] + [] svc_defer+0x114/0x3f0 [sunrpc] + [] svc_defer+0x2d7/0x3f0 [sunrpc] + [] rpc_show_info+0x8a/0x110 [sunrpc] + [] proc_reg_write+0x7f/0xc0 + [] __vfs_write+0xdf/0x3c0 + [] vfs_write+0xef/0x240 + [] SyS_write+0xad/0x130 + [] entry_SYSCALL_64_fastpath+0x1a/0xa9 + [] 0xffffffffffffffff + +I found, the ida information (dynamic memory) isn't cleanup. + +Signed-off-by: Kinglong Mee +Fixes: 2f048db4680a ("SUNRPC: Add an identifier for struct rpc_clnt") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sunrpc/clnt.h | 1 + + net/sunrpc/clnt.c | 5 +++++ + net/sunrpc/sunrpc_syms.c | 1 + + 3 files changed, 7 insertions(+) + +--- a/include/linux/sunrpc/clnt.h ++++ b/include/linux/sunrpc/clnt.h +@@ -216,5 +216,6 @@ void rpc_clnt_xprt_switch_put(struct rpc + void rpc_clnt_xprt_switch_add_xprt(struct rpc_clnt *, struct rpc_xprt *); + bool rpc_clnt_xprt_switch_has_addr(struct rpc_clnt *clnt, + const struct sockaddr *sap); ++void rpc_cleanup_clids(void); + #endif /* __KERNEL__ */ + #endif /* _LINUX_SUNRPC_CLNT_H */ +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -336,6 +336,11 @@ out: + + static DEFINE_IDA(rpc_clids); + ++void rpc_cleanup_clids(void) ++{ ++ ida_destroy(&rpc_clids); ++} ++ + static int rpc_alloc_clid(struct rpc_clnt *clnt) + { + int clid; +--- a/net/sunrpc/sunrpc_syms.c ++++ b/net/sunrpc/sunrpc_syms.c +@@ -119,6 +119,7 @@ out: + static void __exit + cleanup_sunrpc(void) + { ++ rpc_cleanup_clids(); + rpcauth_remove_module(); + cleanup_socket_xprt(); + svc_cleanup_xprt_sock(); diff --git a/queue-4.9/v4l-tvp5150-don-t-override-output-pinmuxing-at-stream-on-off-time.patch b/queue-4.9/v4l-tvp5150-don-t-override-output-pinmuxing-at-stream-on-off-time.patch new file mode 100644 index 00000000000..0e887a09709 --- /dev/null +++ b/queue-4.9/v4l-tvp5150-don-t-override-output-pinmuxing-at-stream-on-off-time.patch @@ -0,0 +1,70 @@ +From 79d6205a3f741c9fb89cfc47dfa0eddb1526726d Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Fri, 9 Dec 2016 09:47:19 -0200 +Subject: [media] v4l: tvp5150: Don't override output pinmuxing at stream on/off time + +From: Laurent Pinchart + +commit 79d6205a3f741c9fb89cfc47dfa0eddb1526726d upstream. + +The s_stream() handler incorrectly writes the whole MISC_CTL register to +enable or disable the outputs, overriding the output pinmuxing +configuration. Fix it to only touch the output enable bits. + +The CONF_SHARED_PIN register is also written by the same function, +resulting in muxing the INTREQ signal instead of the VBLK/GPCL signal on +the INTREQ/GPCL/VBLK pin. As the driver doesn't support interrupts this +is obviously incorrect, and breaks operation on other devices. Fix it by +removing the write. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/tvp5150.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -1055,22 +1055,27 @@ static const struct media_entity_operati + static int tvp5150_s_stream(struct v4l2_subdev *sd, int enable) + { + struct tvp5150 *decoder = to_tvp5150(sd); +- /* Output format: 8-bit ITU-R BT.656 with embedded syncs */ +- int val = TVP5150_MISC_CTL_YCBCR_OE | TVP5150_MISC_CTL_CLOCK_OE; ++ int val; + +- /* Output format: 8-bit 4:2:2 YUV with discrete sync */ +- if (decoder->mbus_type == V4L2_MBUS_PARALLEL) +- val = TVP5150_MISC_CTL_YCBCR_OE | TVP5150_MISC_CTL_SYNC_OE +- | TVP5150_MISC_CTL_CLOCK_OE; ++ /* Enable or disable the video output signals. */ ++ val = tvp5150_read(sd, TVP5150_MISC_CTL); ++ if (val < 0) ++ return val; + +- /* Initializes TVP5150 to its default values */ +- /* # set PCLK (27MHz) */ +- tvp5150_write(sd, TVP5150_CONF_SHARED_PIN, 0x00); ++ val &= ~(TVP5150_MISC_CTL_YCBCR_OE | TVP5150_MISC_CTL_SYNC_OE | ++ TVP5150_MISC_CTL_CLOCK_OE); + +- if (enable) +- tvp5150_write(sd, TVP5150_MISC_CTL, val); +- else +- tvp5150_write(sd, TVP5150_MISC_CTL, 0x00); ++ if (enable) { ++ /* ++ * Enable the YCbCr and clock outputs. In discrete sync mode ++ * (non-BT.656) additionally enable the the sync outputs. ++ */ ++ val |= TVP5150_MISC_CTL_YCBCR_OE | TVP5150_MISC_CTL_CLOCK_OE; ++ if (decoder->mbus_type == V4L2_MBUS_PARALLEL) ++ val |= TVP5150_MISC_CTL_SYNC_OE; ++ } ++ ++ tvp5150_write(sd, TVP5150_MISC_CTL, val); + + return 0; + } diff --git a/queue-4.9/v4l-tvp5150-fix-comment-regarding-output-pin-muxing.patch b/queue-4.9/v4l-tvp5150-fix-comment-regarding-output-pin-muxing.patch new file mode 100644 index 00000000000..43e78bf3eb7 --- /dev/null +++ b/queue-4.9/v4l-tvp5150-fix-comment-regarding-output-pin-muxing.patch @@ -0,0 +1,103 @@ +From b4b2de386bbb6589d81596999d4a924928dc119b Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Fri, 9 Dec 2016 09:47:18 -0200 +Subject: [media] v4l: tvp5150: Fix comment regarding output pin muxing + +From: Laurent Pinchart + +commit b4b2de386bbb6589d81596999d4a924928dc119b upstream. + +The FID/GLCO/VLK/HVLK and INTREQ/GPCL/VBLK pins are muxed differently +depending on whether the input is an S-Video or composite signal. The +comment that explains the logic doesn't reflect the code. It appears +that the comment is incorrect, as disabling the output data bus in +composite mode makes no sense. Update the comment to match the code. + +While at it define macros for the MISC_CTL register bits, the code is +too confusing with numerical values. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/tvp5150.c | 24 +++++++++++++++++------- + drivers/media/i2c/tvp5150_reg.h | 9 +++++++++ + 2 files changed, 26 insertions(+), 7 deletions(-) + +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -288,8 +288,12 @@ static inline void tvp5150_selmux(struct + tvp5150_write(sd, TVP5150_OP_MODE_CTL, opmode); + tvp5150_write(sd, TVP5150_VD_IN_SRC_SEL_1, input); + +- /* Svideo should enable YCrCb output and disable GPCL output +- * For Composite and TV, it should be the reverse ++ /* ++ * Setup the FID/GLCO/VLK/HVLK and INTREQ/GPCL/VBLK output signals. For ++ * S-Video we output the vertical lock (VLK) signal on FID/GLCO/VLK/HVLK ++ * and set INTREQ/GPCL/VBLK to logic 0. For composite we output the ++ * field indicator (FID) signal on FID/GLCO/VLK/HVLK and set ++ * INTREQ/GPCL/VBLK to logic 1. + */ + val = tvp5150_read(sd, TVP5150_MISC_CTL); + if (val < 0) { +@@ -298,9 +302,9 @@ static inline void tvp5150_selmux(struct + } + + if (decoder->input == TVP5150_SVIDEO) +- val = (val & ~0x40) | 0x10; ++ val = (val & ~TVP5150_MISC_CTL_GPCL) | TVP5150_MISC_CTL_HVLK; + else +- val = (val & ~0x10) | 0x40; ++ val = (val & ~TVP5150_MISC_CTL_HVLK) | TVP5150_MISC_CTL_GPCL; + tvp5150_write(sd, TVP5150_MISC_CTL, val); + }; + +@@ -452,7 +456,12 @@ static const struct i2c_reg_value tvp515 + },{ /* Automatic offset and AGC enabled */ + TVP5150_ANAL_CHL_CTL, 0x15 + },{ /* Activate YCrCb output 0x9 or 0xd ? */ +- TVP5150_MISC_CTL, 0x6f ++ TVP5150_MISC_CTL, TVP5150_MISC_CTL_GPCL | ++ TVP5150_MISC_CTL_INTREQ_OE | ++ TVP5150_MISC_CTL_YCBCR_OE | ++ TVP5150_MISC_CTL_SYNC_OE | ++ TVP5150_MISC_CTL_VBLANK | ++ TVP5150_MISC_CTL_CLOCK_OE, + },{ /* Activates video std autodetection for all standards */ + TVP5150_AUTOSW_MSK, 0x0 + },{ /* Default format: 0x47. For 4:2:2: 0x40 */ +@@ -1047,11 +1056,12 @@ static int tvp5150_s_stream(struct v4l2_ + { + struct tvp5150 *decoder = to_tvp5150(sd); + /* Output format: 8-bit ITU-R BT.656 with embedded syncs */ +- int val = 0x09; ++ int val = TVP5150_MISC_CTL_YCBCR_OE | TVP5150_MISC_CTL_CLOCK_OE; + + /* Output format: 8-bit 4:2:2 YUV with discrete sync */ + if (decoder->mbus_type == V4L2_MBUS_PARALLEL) +- val = 0x0d; ++ val = TVP5150_MISC_CTL_YCBCR_OE | TVP5150_MISC_CTL_SYNC_OE ++ | TVP5150_MISC_CTL_CLOCK_OE; + + /* Initializes TVP5150 to its default values */ + /* # set PCLK (27MHz) */ +--- a/drivers/media/i2c/tvp5150_reg.h ++++ b/drivers/media/i2c/tvp5150_reg.h +@@ -9,6 +9,15 @@ + #define TVP5150_ANAL_CHL_CTL 0x01 /* Analog channel controls */ + #define TVP5150_OP_MODE_CTL 0x02 /* Operation mode controls */ + #define TVP5150_MISC_CTL 0x03 /* Miscellaneous controls */ ++#define TVP5150_MISC_CTL_VBLK_GPCL BIT(7) ++#define TVP5150_MISC_CTL_GPCL BIT(6) ++#define TVP5150_MISC_CTL_INTREQ_OE BIT(5) ++#define TVP5150_MISC_CTL_HVLK BIT(4) ++#define TVP5150_MISC_CTL_YCBCR_OE BIT(3) ++#define TVP5150_MISC_CTL_SYNC_OE BIT(2) ++#define TVP5150_MISC_CTL_VBLANK BIT(1) ++#define TVP5150_MISC_CTL_CLOCK_OE BIT(0) ++ + #define TVP5150_AUTOSW_MSK 0x04 /* Autoswitch mask: TVP5150A / TVP5150AM */ + + /* Reserved 05h */ diff --git a/queue-4.9/v4l-tvp5150-reset-device-at-probe-time-not-in-get-set-format-handlers.patch b/queue-4.9/v4l-tvp5150-reset-device-at-probe-time-not-in-get-set-format-handlers.patch new file mode 100644 index 00000000000..27a4a7271b5 --- /dev/null +++ b/queue-4.9/v4l-tvp5150-reset-device-at-probe-time-not-in-get-set-format-handlers.patch @@ -0,0 +1,66 @@ +From aff808e813fc2d311137754165cf53d4ee6ddcc2 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Fri, 9 Dec 2016 09:47:17 -0200 +Subject: [media] v4l: tvp5150: Reset device at probe time, not in get/set format handlers + +From: Laurent Pinchart + +commit aff808e813fc2d311137754165cf53d4ee6ddcc2 upstream. + +The tvp5150 doesn't support format setting through the subdev pad API +and thus implements the set format handler as a get format operation. +The single handler, tvp5150_fill_fmt(), resets the device by calling +tvp5150_reset(). This causes malfunction as the device can be reset at +will, possibly from userspace when the subdev userspace API is enabled. + +The reset call was added in commit ec2c4f3f93cb ("[media] media: +tvp5150: Add mbus_fmt callbacks"), probably as an attempt to set the +device to a known state before detecting the current TV standard. +However, the get format handler doesn't access the hardware to get the +TV standard since commit 963ddc63e20d ("[media] media: tvp5150: Add +cropping support"). There is thus no need to reset the device when +getting the format. + +However, removing the tvp5150_reset() from the get/set format handlers +results in the function not being called at all if the bridge driver +doesn't use the .reset() operation. The operation is nowadays abused and +shouldn't be used, so shouldn't expect bridge drivers to call it. To +make sure the device is properly initialize, move the reset call from +the format handlers to the probe function. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/tvp5150.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -858,8 +858,6 @@ static int tvp5150_fill_fmt(struct v4l2_ + + f = &format->format; + +- tvp5150_reset(sd, 0); +- + f->width = decoder->rect.width; + f->height = decoder->rect.height / 2; + +@@ -1521,7 +1519,6 @@ static int tvp5150_probe(struct i2c_clie + res = core->hdl.error; + goto err; + } +- v4l2_ctrl_handler_setup(&core->hdl); + + /* Default is no cropping */ + core->rect.top = 0; +@@ -1532,6 +1529,8 @@ static int tvp5150_probe(struct i2c_clie + core->rect.left = 0; + core->rect.width = TVP5150_H_MAX; + ++ tvp5150_reset(sd, 0); /* Calls v4l2_ctrl_handler_setup() */ ++ + res = v4l2_async_register_subdev(sd); + if (res < 0) + goto err;