From: Greg Kroah-Hartman Date: Thu, 18 Aug 2016 09:11:10 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v3.14.77~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19117199cb27e29867e16f6d97b3663f80e73491;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: arc-dma-fix-address-translation-in-arc_dma_free.patch arc-mm-don-t-loose-pte_special-in-pte_modify.patch bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch bluetooth-add-support-of-13d3-3490-ar3012-device.patch bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch dm-verity-fec-fix-block-calculation.patch edac-correct-channel-count-limit.patch fix-rc5-decoding-with-fintek-cir-chipset.patch hid-uhid-fix-timeout-when-probe-races-with-io.patch hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch iwlwifi-add-new-8260-pci-ids.patch iwlwifi-add-new-8265.patch iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch jbd2-make-journal-y2038-safe.patch media-dvb_ringbuffer-add-memory-barriers.patch media-usbtv-prevent-access-to-free-d-resources.patch megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch ovl-disallow-overlayfs-as-upperdir.patch rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch remoteproc-fix-potential-race-condition-in-rproc_add.patch s5p-mfc-add-release-callback-for-memory-region-devs.patch s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch sur40-fix-occasional-oopses-on-device-close.patch 
sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch vb2-core-skip-planes-array-verification-if-pb-is-null.patch videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch
---
diff --git a/queue-4.7/arc-dma-fix-address-translation-in-arc_dma_free.patch b/queue-4.7/arc-dma-fix-address-translation-in-arc_dma_free.patch
new file mode 100644
index 00000000000..00daa1e47b7
--- /dev/null
+++ b/queue-4.7/arc-dma-fix-address-translation-in-arc_dma_free.patch
@@ -0,0 +1,38 @@
+From b4dff2874006e54b60ce4f4dbcfec9ab81c6aff4 Mon Sep 17 00:00:00 2001
+From: Vladimir Kondratiev
+Date: Sun, 3 Jul 2016 10:07:48 +0300
+Subject: ARC: dma: fix address translation in arc_dma_free
+
+From: Vladimir Kondratiev
+
+commit b4dff2874006e54b60ce4f4dbcfec9ab81c6aff4 upstream.
+
+page should be calculated using physical address.
+If platform uses non-trivial dma-to-phys memory translation,
+dma_handle should be converted to physicval address before
+calculation of page.
+
+Failing to do so results in struct page * pointing to
+wrong or non-existent memory.
+
+Fixes: f2e3d55397ff ("ARC: dma: reintroduce platform specific dma<->phys")
+Signed-off-by: Vladimir Kondratiev
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/mm/dma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/mm/dma.c
++++ b/arch/arc/mm/dma.c
+@@ -92,7 +92,8 @@ static void *arc_dma_alloc(struct device
+ static void arc_dma_free(struct device *dev, size_t size, void *vaddr,
+ dma_addr_t dma_handle, struct dma_attrs *attrs)
+ {
+- struct page *page = virt_to_page(dma_handle);
++ phys_addr_t paddr = plat_dma_to_phys(dev, dma_handle);
++ struct page *page = virt_to_page(paddr);
+ int is_non_coh = 1;
+
+ is_non_coh = dma_get_attr(DMA_ATTR_NON_CONSISTENT, attrs) ||
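Review bot: In arc_dma_free() the new `virt_to_page(paddr)` hands a physical address to a helper that takes a kernel virtual address, so the lookup is only right while the two coincide for the memory being freed. If that identity is guaranteed on ARC it deserves a comment on the line; otherwise deriving the page from the frame number, `struct page *page = pfn_to_page(PFN_DOWN(paddr));`, states the intent and does not depend on the mapping. A wrong `struct page *` in a free routine would presumably surface as memory corruption rather than a clean error. The body of arc_dma_free() continues past the end of the hunk, so how `page` is used afterwards is not visible here.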
diff --git a/queue-4.7/arc-mm-don-t-loose-pte_special-in-pte_modify.patch b/queue-4.7/arc-mm-don-t-loose-pte_special-in-pte_modify.patch
new file mode 100644
index 00000000000..adecbdaabfc
--- /dev/null
+++ b/queue-4.7/arc-mm-don-t-loose-pte_special-in-pte_modify.patch
@@ -0,0 +1,47 @@
+From 3925a16ae980c79d1a8fd182d7f9487da1edd4dc Mon Sep 17 00:00:00 2001
+From: Vineet Gupta
+Date: Thu, 28 Jul 2016 11:35:50 -0700
+Subject: ARC: mm: don't loose PTE_SPECIAL in pte_modify()
+
+From: Vineet Gupta
+
+commit 3925a16ae980c79d1a8fd182d7f9487da1edd4dc upstream.
+
+LTP madvise05 was generating mm splat
+
+| [ARCLinux]# /sd/ltp/testcases/bin/madvise05
+| BUG: Bad page map in process madvise05 pte:80e08211 pmd:9f7d4000
+| page:9fdcfc90 count:1 mapcount:-1 mapping: (null) index:0x0 flags: 0x404(referenced|reserved)
+| page dumped because: bad pte
+| addr:200b8000 vm_flags:00000070 anon_vma: (null) mapping: (null) index:1005c
+| file: (null) fault: (null) mmap: (null) readpage: (null)
+| CPU: 2 PID: 6707 Comm: madvise05
+
+And for newer kernels, the system was rendered unusable afterwards.
+
+The problem was mprotect->pte_modify() clearing PTE_SPECIAL (which is
+set to identify the special zero page wired to the pte).
+When pte was finally unmapped, special casing for zero page was not
+done, and instead it was treated as a "normal" page, tripping on the
+map counts etc.
+
+This fixes ARC STAR 9001053308
+
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -110,7 +110,7 @@
+ #define ___DEF (_PAGE_PRESENT | _PAGE_CACHEABLE)
+
+ /* Set of bits not changed in pte_modify */
+-#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)
++#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_SPECIAL)
+
+ /* More Abbrevaited helpers */
+ #define PAGE_U_NONE __pgprot(___DEF)
diff --git a/queue-4.7/bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch b/queue-4.7/bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch
new file mode 100644
index 00000000000..a8c7efe42fc
--- /dev/null
+++ b/queue-4.7/bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch
@@ -0,0 +1,43 @@
+From 1bea0512c3394965de28a152149b90afd686fae5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?=
+Date: Mon, 11 Jul 2016 23:01:36 +0200
+Subject: bcma: add PCI ID for Foxconn's BCM43142 device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+commit 1bea0512c3394965de28a152149b90afd686fae5 upstream.
+
+After discovering there are 2 very different 14e4:4365 PCI devices we
+made ID tables less generic. Back then we believed there are only 2 such
+devices:
+1) 14e4:4365 1028:0016 with SoftMAC BCM43142 chipset
+2) 14e4:4365 14e4:4365 with FullMAC BCM4366 chipset
+
+>From the recent report it appears there is also 14e4:4365 105b:e092
+which should be claimed by bcma. Add back support for it.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=121881
+Fixes: 515b399c9a20 ("bcma: claim only 14e4:4365 PCI Dell card with SoftMAC BCM43142")
+Reported-by: Igor Mammedov
+Signed-off-by: Rafał Miłecki
+Tested-by: Igor Mammedov
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bcma/host_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bcma/host_pci.c
++++ b/drivers/bcma/host_pci.c
+@@ -295,6 +295,7 @@ static const struct pci_device_id bcma_p
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4359) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4360) },
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_BROADCOM, 0x4365, PCI_VENDOR_ID_DELL, 0x0016) },
++ { PCI_DEVICE_SUB(PCI_VENDOR_ID_BROADCOM, 0x4365, PCI_VENDOR_ID_FOXCONN, 0xe092) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a0) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a9) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43aa) },
diff --git a/queue-4.7/bluetooth-add-support-of-13d3-3490-ar3012-device.patch b/queue-4.7/bluetooth-add-support-of-13d3-3490-ar3012-device.patch
new file mode 100644
index 00000000000..f3c56b4477f
--- /dev/null
+++ b/queue-4.7/bluetooth-add-support-of-13d3-3490-ar3012-device.patch
@@ -0,0 +1,55 @@
+From 12d868964f7352e8b18e755488f7265a93431de1 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin
+Date: Tue, 12 Jul 2016 01:35:18 +0300
+Subject: Bluetooth: Add support of 13d3:3490 AR3012 device
+
+From: Dmitry Tunin
+
+commit 12d868964f7352e8b18e755488f7265a93431de1 upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3490 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1600623
+
+Signed-off-by: Dmitry Tunin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -123,6 +123,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x13d3, 0x3472) },
+ { USB_DEVICE(0x13d3, 0x3474) },
+ { USB_DEVICE(0x13d3, 0x3487) },
++ { USB_DEVICE(0x13d3, 0x3490) },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE02C) },
+@@ -190,6 +191,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU22 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -237,6 +237,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
diff --git a/queue-4.7/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch b/queue-4.7/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
new file mode 100644
index 00000000000..239ecfb7ab2
--- /dev/null
+++ b/queue-4.7/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
@@ -0,0 +1,36 @@
+From 23bc6ab0a0912146fd674a0becc758c3162baabc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+
+Date: Thu, 14 Jul 2016 10:50:23 +0200
+Subject: Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński
+
+commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
+
+When we retrieve imtu value from userspace we should use 16 bit pointer
+cast instead of 32 as it's defined that way in headers. Fixes setsockopt
+calls on big-endian platforms.
+
+Signed-off-by: Amadeusz Sławiński
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/l2cap_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -927,7 +927,7 @@ static int l2cap_sock_setsockopt(struct
+ break;
+ }
+
+- if (get_user(opt, (u32 __user *) optval)) {
++ if (get_user(opt, (u16 __user *) optval)) {
+ err = -EFAULT;
+ break;
+ }
diff --git a/queue-4.7/brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch b/queue-4.7/brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch
new file mode 100644
index 00000000000..500cec59cd4
--- /dev/null
+++ b/queue-4.7/brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch
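Review bot: The BT_RCVMTU branch of l2cap_sock_setsockopt() reads two bytes with `get_user(opt, (u16 __user *) optval)`, but the visible lines never compare `optlen` with `sizeof(u16)`, so a caller that declares a shorter option buffer still has two bytes read from its address space. A guard before the read, `if (optlen < sizeof(u16)) { err = -EINVAL; break; }`, would tie the access to the length the caller declared. The case starts above the hunk, so a length check may already exist outside the visible lines; if it does, a comment next to get_user() pointing at it would help the next reader.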
@@ -0,0 +1,61 @@
+From 82bc9ab6a8f577d2174a736c33f3d4ecf7d9ef47 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel
+Date: Fri, 15 Jul 2016 12:16:12 +0200
+Subject: brcmfmac: restore stopping netdev queue when bus clogs up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arend Van Spriel
+
+commit 82bc9ab6a8f577d2174a736c33f3d4ecf7d9ef47 upstream.
+
+When the host-interface bus has hard time handling transmit packets
+it informs higher layer about this and it would stop the netdev
+queue when needed. However, since commit 9cd18359d31e ("brcmfmac:
+Make FWS queueing configurable.") this was broken. With this patch
+the behaviour is restored.
+
+Fixes: 9cd18359d31e ("brcmfmac: Make FWS queueing configurable.")
+Tested-by: Per Förlin
+Reviewed-by: Hante Meuleman
+Reviewed-by: Pieter-Paul Giesberts
+Reviewed-by: Franky Lin
+Signed-off-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 22 +++++++++---
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -2469,10 +2469,22 @@ void brcmf_fws_bustxfail(struct brcmf_fw
+ void brcmf_fws_bus_blocked(struct brcmf_pub *drvr, bool flow_blocked)
+ {
+ struct brcmf_fws_info *fws = drvr->fws;
++ struct brcmf_if *ifp;
++ int i;
+
+- fws->bus_flow_blocked = flow_blocked;
+- if (!flow_blocked)
+- brcmf_fws_schedule_deq(fws);
+- else
+- fws->stats.bus_flow_block++;
++ if (fws->avoid_queueing) {
++ for (i = 0; i < BRCMF_MAX_IFS; i++) {
++ ifp = drvr->iflist[i];
++ if (!ifp || !ifp->ndev)
++ continue;
++ brcmf_txflowblock_if(ifp, BRCMF_NETIF_STOP_REASON_FLOW,
++ flow_blocked);
++ }
++ } else {
++ fws->bus_flow_blocked = flow_blocked;
++ if (!flow_blocked)
++ brcmf_fws_schedule_deq(fws);
++ else
++ fws->stats.bus_flow_block++;
++ }
+ }
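Review bot: The new loop in brcmf_fws_bus_blocked() reads `drvr->iflist[i]` and then dereferences `ifp->ndev` with no lock or reference visible in the function, so an interface removed while the bus reports congestion could be used after it is gone. Whether the callers already serialise against interface teardown cannot be seen from this hunk; if they do, state it above the loop, e.g. `/* iflist is stable here: <lock or context that guarantees it> */`. The function also dereferences `fws` unconditionally on both paths, so it relies on `drvr->fws` being set whenever the bus layer can call in.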
diff --git a/queue-4.7/dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch b/queue-4.7/dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch
new file mode 100644
index 00000000000..76051d43cfb
--- /dev/null
+++ b/queue-4.7/dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch
@@ -0,0 +1,34 @@
+From bd9f55ea1cf6e14eb054b06ea877d2d1fa339514 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan
+Date: Fri, 15 Jul 2016 06:27:08 -0700
+Subject: dm: fix second blk_delay_queue() parameter to be in msec units not jiffies
+
+From: Tahsin Erdogan
+
+commit bd9f55ea1cf6e14eb054b06ea877d2d1fa339514 upstream.
+
+Commit d548b34b062 ("dm: reduce the queue delay used in dm_request_fn
+from 100ms to 10ms") always intended the value to be 10 msecs -- it
+just expressed it in jiffies because earlier commit 7eaceaccab ("block:
+remove per-queue plugging") did.
+
+Signed-off-by: Tahsin Erdogan
+Signed-off-by: Mike Snitzer
+Fixes: d548b34b062 ("dm: reduce the queue delay used in dm_request_fn from 100ms to 10ms")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2175,7 +2175,7 @@ static void dm_request_fn(struct request
+ md_in_flight(md) && rq->bio && rq->bio->bi_vcnt == 1 &&
+ md->last_rq_pos == pos && md->last_rq_rw == rq_data_dir(rq)) ||
+ (ti->type->busy && ti->type->busy(ti))) {
+- blk_delay_queue(q, HZ / 100);
++ blk_delay_queue(q, 10);
+ return;
+ }
+
diff --git a/queue-4.7/dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch b/queue-4.7/dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
new file mode 100644
index 00000000000..339e0c08494
--- /dev/null
+++ b/queue-4.7/dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
@@ -0,0 +1,72 @@
+From eaf9a7361f47727b166688a9f2096854eef60fbe Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Tue, 2 Aug 2016 13:07:20 -0400
+Subject: dm: set DMF_SUSPENDED* _before_ clearing DMF_NOFLUSH_SUSPENDING
+
+From: Mike Snitzer
+
+commit eaf9a7361f47727b166688a9f2096854eef60fbe upstream.
+
+Otherwise, there is potential for both DMF_SUSPENDED* and
+DMF_NOFLUSH_SUSPENDING to not be set during dm_suspend() -- which is
+definitely _not_ a valid state.
+
+This fix, in conjuction with "dm rq: fix the starting and stopping of
+blk-mq queues", addresses the potential for request-based DM multipath's
+__multipath_map() to see !dm_noflush_suspending() during suspend.
+
+Reported-by: Bart Van Assche
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -3128,7 +3128,8 @@ static void unlock_fs(struct mapped_devi
+ * Caller must hold md->suspend_lock
+ */
+ static int __dm_suspend(struct mapped_device *md, struct dm_table *map,
+- unsigned suspend_flags, int interruptible)
++ unsigned suspend_flags, int interruptible,
++ int dmf_suspended_flag)
+ {
+ bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
+ bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
+@@ -3195,6 +3196,8 @@ static int __dm_suspend(struct mapped_de
+ * to finish.
+ */
+ r = dm_wait_for_completion(md, interruptible);
++ if (!r)
++ set_bit(dmf_suspended_flag, &md->flags);
+
+ if (noflush)
+ clear_bit(DMF_NOFLUSH_SUSPENDING, &md->flags);
+@@ -3256,12 +3259,10 @@ retry:
+
+ map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+
+- r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE);
++ r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE, DMF_SUSPENDED);
+ if (r)
+ goto out_unlock;
+
+- set_bit(DMF_SUSPENDED, &md->flags);
+-
+ dm_table_postsuspend_targets(map);
+
+ out_unlock:
+@@ -3355,9 +3356,8 @@ static void __dm_internal_suspend(struct
+ * would require changing .presuspend to return an error -- avoid this
+ * until there is a need for more elaborate variants of internal suspend.
+ */
+- (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE);
+-
+- set_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
++ (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE,
++ DMF_SUSPENDED_INTERNALLY);
+
+ dm_table_postsuspend_targets(map);
+ }
diff --git a/queue-4.7/dm-verity-fec-fix-block-calculation.patch b/queue-4.7/dm-verity-fec-fix-block-calculation.patch
new file mode 100644
index 00000000000..d4ec705b4e1
--- /dev/null
+++ b/queue-4.7/dm-verity-fec-fix-block-calculation.patch
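Review bot: In __dm_internal_suspend() the return value of __dm_suspend() is still discarded with `(void)`, but DMF_SUSPENDED_INTERNALLY is now set only inside __dm_suspend() when `dm_wait_for_completion()` returns 0, where it used to be set unconditionally. If __dm_suspend() can fail for an uninterruptible internal suspend (its early-return paths are outside the hunk), the device would proceed to `dm_table_postsuspend_targets(map)` without the flag and nothing would report it. A `WARN_ON_ONCE()` around the call, or a comment stating why failure is impossible with TASK_UNINTERRUPTIBLE, would make that assumption checkable. The new `int dmf_suspended_flag` parameter would also benefit from a line in the comment above __dm_suspend() naming the two values callers pass.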
@@ -0,0 +1,34 @@
+From 602d1657c603eedd7379a8bcde1ad3a2972ecc5f Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen
+Date: Tue, 21 Jun 2016 11:02:42 -0700
+Subject: dm verity fec: fix block calculation
+
+From: Sami Tolvanen
+
+commit 602d1657c603eedd7379a8bcde1ad3a2972ecc5f upstream.
+
+do_div was replaced with div64_u64 at some point, causing a bug with
+block calculation due to incompatible semantics of the two functions.
+
+Signed-off-by: Sami Tolvanen
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-verity-fec.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -453,9 +453,7 @@ int verity_fec_decode(struct dm_verity *
+ */
+
+ offset = block << v->data_dev_block_bits;
+-
+- res = offset;
+- div64_u64(res, v->fec->rounds << v->data_dev_block_bits);
++ res = div64_u64(offset, v->fec->rounds << v->data_dev_block_bits);
+
+ /*
+ * The base RS block we can feed to the interleaver to find out all
diff --git a/queue-4.7/edac-correct-channel-count-limit.patch b/queue-4.7/edac-correct-channel-count-limit.patch
new file mode 100644
index 00000000000..d811b45b7da
--- /dev/null
+++ b/queue-4.7/edac-correct-channel-count-limit.patch
@@ -0,0 +1,107 @@
+From bba142957e04c400440d2df83c1b3b2dfc42e220 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Fri, 10 Jun 2016 10:28:38 +0200
+Subject: EDAC: Correct channel count limit
+
+From: Borislav Petkov
+
+commit bba142957e04c400440d2df83c1b3b2dfc42e220 upstream.
+
+c44696fff04f ("EDAC: Remove arbitrary limit on number of channels")
+lifted the arbitrary limit on memory controller channels in EDAC.
+However, the dynamic channel attributes dynamic_csrow_dimm_attr and
+dynamic_csrow_ce_count_attr remained 6.
+
+This wasn't a problem except channels 6 and 7 weren't visible in sysfs
+on machines with more than 6 channels after the conversion to static
+attr groups with
+
+ 2c1946b6d629 ("EDAC: Use static attribute groups for managing sysfs entries")
+
+ [ without that, we're exploding in edac_create_sysfs_mci_device()
+ because we're dereferencing out of the bounds of the
+ dynamic_csrow_dimm_attr array. ]
+
+Add attributes for channels 6 and 7 along with a guard for the
+future, should more channels be required and/or to sanity check for
+misconfigured machines.
+
+We still need to check against the number of channels present on the MC
+first, as Thor reported.
+
+Signed-off-by: Borislav Petkov
+Reported-by: Hironobu Ishii
+Tested-by: Thor Thayer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/edac/edac_mc_sysfs.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -313,7 +313,6 @@ static struct device_type csrow_attr_typ
+ * possible dynamic channel DIMM Label attribute files
+ *
+ */
+-
+ DEVICE_CHANNEL(ch0_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 0);
+ DEVICE_CHANNEL(ch1_dimm_label, S_IRUGO | S_IWUSR,
+@@ -326,6 +325,10 @@ DEVICE_CHANNEL(ch4_dimm_label, S_IRUGO |
+ channel_dimm_label_show, channel_dimm_label_store, 4);
+ DEVICE_CHANNEL(ch5_dimm_label, S_IRUGO | S_IWUSR,
+ channel_dimm_label_show, channel_dimm_label_store, 5);
++DEVICE_CHANNEL(ch6_dimm_label, S_IRUGO | S_IWUSR,
++ channel_dimm_label_show, channel_dimm_label_store, 6);
++DEVICE_CHANNEL(ch7_dimm_label, S_IRUGO | S_IWUSR,
++ channel_dimm_label_show, channel_dimm_label_store, 7);
+
+ /* Total possible dynamic DIMM Label attribute file table */
+ static struct attribute *dynamic_csrow_dimm_attr[] = {
+@@ -335,6 +338,8 @@ static struct attribute *dynamic_csrow_d
+ &dev_attr_legacy_ch3_dimm_label.attr.attr,
+ &dev_attr_legacy_ch4_dimm_label.attr.attr,
+ &dev_attr_legacy_ch5_dimm_label.attr.attr,
++ &dev_attr_legacy_ch6_dimm_label.attr.attr,
++ &dev_attr_legacy_ch7_dimm_label.attr.attr,
+ NULL
+ };
+
+@@ -351,6 +356,10 @@ DEVICE_CHANNEL(ch4_ce_count, S_IRUGO,
+ channel_ce_count_show, NULL, 4);
+ DEVICE_CHANNEL(ch5_ce_count, S_IRUGO,
+ channel_ce_count_show, NULL, 5);
++DEVICE_CHANNEL(ch6_ce_count, S_IRUGO,
++ channel_ce_count_show, NULL, 6);
++DEVICE_CHANNEL(ch7_ce_count, S_IRUGO,
++ channel_ce_count_show, NULL, 7);
+
+ /* Total possible dynamic ce_count attribute file table */
+ static struct attribute *dynamic_csrow_ce_count_attr[] = {
+@@ -360,6 +369,8 @@ static struct attribute *dynamic_csrow_c
+ &dev_attr_legacy_ch3_ce_count.attr.attr,
+ &dev_attr_legacy_ch4_ce_count.attr.attr,
+ &dev_attr_legacy_ch5_ce_count.attr.attr,
++ &dev_attr_legacy_ch6_ce_count.attr.attr,
++ &dev_attr_legacy_ch7_ce_count.attr.attr,
+ NULL
+ };
+
+@@ -371,9 +382,16 @@ static umode_t csrow_dev_is_visible(stru
+
+ if (idx >= csrow->nr_channels)
+ return 0;
++
++ if (idx >= ARRAY_SIZE(dynamic_csrow_ce_count_attr) - 1) {
++ WARN_ONCE(1, "idx: %d\n", idx);
++ return 0;
++ }
++
+ /* Only expose populated DIMMs */
+ if (!csrow->channels[idx]->dimm->nr_pages)
+ return 0;
++
+ return attr->mode;
+ }
+
diff --git a/queue-4.7/fix-rc5-decoding-with-fintek-cir-chipset.patch b/queue-4.7/fix-rc5-decoding-with-fintek-cir-chipset.patch
new file mode 100644
index 00000000000..bbc08b6d3a6
--- /dev/null
+++ b/queue-4.7/fix-rc5-decoding-with-fintek-cir-chipset.patch
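Review bot: The new guard in csrow_dev_is_visible() bounds `idx` by `ARRAY_SIZE(dynamic_csrow_ce_count_attr) - 1` only, while the commit message places the out-of-bounds access on `dynamic_csrow_dimm_attr`; the check is sound only while both tables have the same number of entries. If this callback serves both attribute groups (the group definitions are outside the hunk), a compile-time tie such as `BUILD_BUG_ON(ARRAY_SIZE(dynamic_csrow_dimm_attr) != ARRAY_SIZE(dynamic_csrow_ce_count_attr));` keeps a future channel from being added to one table and not the other. The `- 1` accounts for the NULL terminator and is worth a short comment on that line.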
@@ -0,0 +1,45 @@
+From bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell
+Date: Sat, 14 May 2016 14:01:26 -0300
+Subject: [media] Fix RC5 decoding with Fintek CIR chipset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan McDowell
+
+commit bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 upstream.
+
+Fix RC5 decoding with Fintek CIR chipset
+
+Commit e87b540be2dd02552fb9244d50ae8b4e4619a34b tightened up the RC5
+decoding by adding a check for trailing silence to ensure a valid RC5
+command had been received. Unfortunately the trailer length checked was
+10 units and the Fintek CIR device does not want to provide details of a
+space longer than 6350us. This meant that RC5 remotes working on a
+Fintek setup on 3.16 failed on 3.17 and later. Fix this by shortening
+the trailer check to 6 units (allowing for a previous space in the
+received remote command).
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117221
+
+Signed-off-by: Jonathan McDowell
+Signed-off-by: David Härdeman
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/ir-rc5-decoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/ir-rc5-decoder.c
++++ b/drivers/media/rc/ir-rc5-decoder.c
+@@ -29,7 +29,7 @@
+ #define RC5_BIT_START (1 * RC5_UNIT)
+ #define RC5_BIT_END (1 * RC5_UNIT)
+ #define RC5X_SPACE (4 * RC5_UNIT)
+-#define RC5_TRAILER (10 * RC5_UNIT) /* In reality, approx 100 */
++#define RC5_TRAILER (6 * RC5_UNIT) /* In reality, approx 100 */
+
+ enum rc5_state {
+ STATE_INACTIVE,
diff --git a/queue-4.7/hid-uhid-fix-timeout-when-probe-races-with-io.patch b/queue-4.7/hid-uhid-fix-timeout-when-probe-races-with-io.patch
new file mode 100644
index 00000000000..880bd1c2cdd
--- /dev/null
+++ b/queue-4.7/hid-uhid-fix-timeout-when-probe-races-with-io.patch
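Review bot: The comment on the changed `RC5_TRAILER` line still reads `/* In reality, approx 100 */`, which explains neither why the check is shorter than a real trailer nor why 6 was chosen. The reason lives only in the commit message, so it belongs next to the constant, e.g. `/* Real trailer is ~100 units; Fintek CIR reports no space above 6350us */`. Without it, a later tightening of the decoder is likely to reintroduce the regression this change fixes.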
@@ -0,0 +1,116 @@
+From 67f8ecc550b5bda03335f845dc869b8501d25fd0 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander
+Date: Wed, 18 May 2016 13:11:09 -0700
+Subject: HID: uhid: fix timeout when probe races with IO
+
+From: Roderick Colenbrander
+
+commit 67f8ecc550b5bda03335f845dc869b8501d25fd0 upstream.
+
+Many devices use userspace bluetooth stacks like BlueZ or Bluedroid in combination
+with uhid. If any of these stacks is used with a HID device for which the driver
+performs a HID request as part .probe (or technically another HID operation),
+this results in a deadlock situation. The deadlock results in a 5 second timeout
+for I/O operations in HID drivers, so isn't fatal, but none of the I/O operations
+have a chance of succeeding.
+
+The root cause for the problem is that uhid only allows for one request to be
+processed at a time per uhid instance and locks out other operations. This means
+that if a user space is creating a new HID device through 'UHID_CREATE', which
+ultimately triggers '.probe' through the HID layer. Then any HID request e.g. a
+read for calibration data would trigger a HID operation on uhid again, but it
+won't go out to userspace, because it is still stuck in UHID_CREATE.
+In addition bluetooth stacks are typically single threaded, so they wouldn't be
+able to handle any requests while waiting on uhid.
+
+Lucikly the UHID spec is somewhat flexible and allows for fixing the issue,
+without breaking user space. The idea which the patch implements as discussed
+with David Herrmann is to decouple adding of a hid device (which triggers .probe)
+from UHID_CREATE. The work will kick off roughly once UHID_CREATE completed (or
+else will wait a tiny bit of time in .probe for a lock). A HID driver has to call
+HID to call 'hid_hw_start()' as part of .probe once it is ready for I/O, which
+triggers UHID_START to user space. Any HID operations should function now within
+.probe and won't deadlock because userspace is stuck on UHID_CREATE.
+
+We verified this patch on Bluedroid with Android 6.0 and on desktop Linux with
+BlueZ stacks. Prior to the patch they had the deadlock issue.
+
+[jkosina@suse.cz: reword subject]
+Signed-off-by: Roderick Colenbrander
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/uhid.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -51,10 +51,26 @@ struct uhid_device {
+ u32 report_id;
+ u32 report_type;
+ struct uhid_event report_buf;
++ struct work_struct worker;
+ };
+
+ static struct miscdevice uhid_misc;
+
++static void uhid_device_add_worker(struct work_struct *work)
++{
++ struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
++ int ret;
++
++ ret = hid_add_device(uhid->hid);
++ if (ret) {
++ hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
++
++ hid_destroy_device(uhid->hid);
++ uhid->hid = NULL;
++ uhid->running = false;
++ }
++}
++
+ static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+ __u8 newhead;
+@@ -498,18 +514,14 @@ static int uhid_dev_create2(struct uhid_
+ uhid->hid = hid;
+ uhid->running = true;
+
+- ret = hid_add_device(hid);
+- if (ret) {
+- hid_err(hid, "Cannot register HID device\n");
+- goto err_hid;
+- }
++ /* Adding of a HID device is done through a worker, to allow HID drivers
++ * which use feature requests during .probe to work, without they would
++ * be blocked on devlock, which is held by uhid_char_write.
++ */
++ schedule_work(&uhid->worker);
+
+ return 0;
+
+-err_hid:
+- hid_destroy_device(hid);
+- uhid->hid = NULL;
+- uhid->running = false;
+ err_free:
+ kfree(uhid->rd_data);
+ uhid->rd_data = NULL;
+@@ -550,6 +562,8 @@ static int uhid_dev_destroy(struct uhid_
+ uhid->running = false;
+ wake_up_interruptible(&uhid->report_wait);
+
++ cancel_work_sync(&uhid->worker);
++
+ hid_destroy_device(uhid->hid);
+ kfree(uhid->rd_data);
+
+@@ -612,6 +626,7 @@ static int uhid_char_open(struct inode *
+ init_waitqueue_head(&uhid->waitq);
+ init_waitqueue_head(&uhid->report_wait);
+ uhid->running = false;
++ INIT_WORK(&uhid->worker, uhid_device_add_worker);
+
+ file->private_data = uhid;
+ nonseekable_open(inode, file);
diff --git a/queue-4.7/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch b/queue-4.7/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
new file mode 100644
index 00000000000..83a732fb137
--- /dev/null
+++ b/queue-4.7/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
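Review bot: uhid_device_add_worker() tears the device down on failure (`hid_destroy_device(uhid->hid); uhid->hid = NULL; uhid->running = false;`) without taking any lock in its visible body, while the comment added in uhid_dev_create2() says the write path holds devlock, which the worker deliberately runs outside of. That leaves the failure path free to run concurrently with handlers that test `uhid->running` and then use `uhid->hid`, and with uhid_dev_destroy(), which calls `hid_destroy_device(uhid->hid)` right after `cancel_work_sync()`; a failed add racing with either looks like a use-after-free or a destroy of an already cleared pointer. A safer shape is for the worker to record the failure only (`uhid->running = false;`) and leave `hid_destroy_device()` to the paths that already own teardown under devlock, which then have to cope with a device that was created but never added. Both uhid_dev_create2() and uhid_dev_destroy() begin outside the hunk, so their entry checks are not visible here.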
@@ -0,0 +1,47 @@
+From fc8a601e1175ae351f662506030f9939cb7fdbfe Mon Sep 17 00:00:00 2001
+From: Alex Hung
+Date: Mon, 13 Jun 2016 19:44:00 +0800
+Subject: hp-wmi: Fix wifi cannot be hard-unblocked
+
+From: Alex Hung
+
+commit fc8a601e1175ae351f662506030f9939cb7fdbfe upstream.
+
+Several users reported wifi cannot be unblocked as discussed in [1].
+This patch removes the use of the 2009 flag by BIOS but uses the actual
+WMI function calls - it will be skipped if WMI reports unsupported.
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131
+
+Signed-off-by: Alex Hung
+Tested-by: Evgenii Shatokhin
+Signed-off-by: Darren Hart
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/hp-wmi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -718,6 +718,11 @@ static int __init hp_wmi_rfkill_setup(st
+ if (err)
+ return err;
+
++ err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
++ sizeof(wireless), 0);
++ if (err)
++ return err;
++
+ if (wireless & 0x1) {
+ wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
+ RFKILL_TYPE_WLAN,
+@@ -882,7 +887,7 @@ static int __init hp_wmi_bios_setup(stru
+ wwan_rfkill = NULL;
+ rfkill2_count = 0;
+
+- if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
++ if (hp_wmi_rfkill_setup(device))
+ hp_wmi_rfkill2_setup(device);
+
+ err = device_create_file(&device->dev, &dev_attr_display);
diff --git a/queue-4.7/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch b/queue-4.7/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
new file mode 100644
index 00000000000..89aff988812
--- /dev/null
+++ b/queue-4.7/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
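Review bot: The added `hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless, sizeof(wireless), 0)` in hp_wmi_rfkill_setup() carries two bare literals and no explanation, and its result now alone decides whether hp_wmi_bios_setup() falls back to hp_wmi_rfkill2_setup(). From the commit message this looks like a probe that writes the just-read state back to see whether the firmware supports the call; a comment such as `/* write the state back unchanged: fails on firmware without this interface, selecting rfkill2 */` would record that. Any non-zero return from hp_wmi_rfkill_setup(), including a failure further down the function (outside the hunk), takes the same fallback, and the return value of hp_wmi_rfkill2_setup() is ignored on the visible line.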
@@ -0,0 +1,38 @@
+From 7dd91d52a813f99a95d20f539b777e9e6198b931 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov
+Date: Sat, 16 Jul 2016 02:36:38 +0300
+Subject: i2c: efm32: fix a failure path in efm32_i2c_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexey Khoroshilov
+
+commit 7dd91d52a813f99a95d20f539b777e9e6198b931 upstream.
+
+There is the only failure path in efm32_i2c_probe(),
+where clk_disable_unprepare() is missed.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov
+Acked-by: Uwe Kleine-König
+Signed-off-by: Wolfram Sang
+Fixes: 1b5b23718b84 ("i2c: efm32: new bus driver")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-efm32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-efm32.c
++++ b/drivers/i2c/busses/i2c-efm32.c
+@@ -433,7 +433,7 @@ static int efm32_i2c_probe(struct platfo
+ ret = request_irq(ddata->irq, efm32_i2c_irq, 0, DRIVER_NAME, ddata);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "failed to request irq (%d)\n", ret);
+- return ret;
++ goto err_disable_clk;
+ }
+
+ ret = i2c_add_adapter(&ddata->adapter);
diff --git a/queue-4.7/iwlwifi-add-new-8260-pci-ids.patch b/queue-4.7/iwlwifi-add-new-8260-pci-ids.patch
new file mode 100644
index 00000000000..8ebb56aaef7
--- /dev/null
+++ b/queue-4.7/iwlwifi-add-new-8260-pci-ids.patch
@@ -0,0 +1,42 @@
+From 4b79deece5d45396422d469afa11f9d69ccb3d8b Mon Sep 17 00:00:00 2001
+From: Oren Givon
+Date: Mon, 23 May 2016 09:58:17 +0300
+Subject: iwlwifi: add new 8260 PCI IDs
+
+From: Oren Givon
+
+commit 4b79deece5d45396422d469afa11f9d69ccb3d8b upstream.
+
+Add 3 new 8260 series PCI IDs:
+ - (0x24F3, 0x10B0)
+ - (0x24F3, 0xD0B0)
+ - (0x24F3, 0xB0B0)
+
+Signed-off-by: Oren Givon
+Signed-off-by: David Spinadel
+Signed-off-by: Luca Coelho
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -433,6 +433,7 @@ static const struct pci_device_id iwl_hw
+ /* 8000 Series */
+ {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x10B0, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)},
+@@ -454,6 +455,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x24F3, 0xD010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0xD0B0, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0xB0B0, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)},
diff --git a/queue-4.7/iwlwifi-add-new-8265.patch b/queue-4.7/iwlwifi-add-new-8265.patch
new file mode 100644
index 00000000000..d9a642db57a
--- /dev/null
+++ b/queue-4.7/iwlwifi-add-new-8265.patch
@@ -0,0 +1,48 @@
+From f24bbae565d279cd90c904fe55b539a45631705e Mon Sep 17 00:00:00 2001
+From: Oren Givon
+Date: Mon, 23 May 2016 09:58:17 +0300
+Subject: iwlwifi: add new 8265
+
+From: Oren Givon
+
+commit f24bbae565d279cd90c904fe55b539a45631705e upstream.
+
+Add 6 new 8265 series PCI IDs:
+ - (0x24FD, 0x1130)
+ - (0x24FD, 0x0130)
+ - (0x24FD, 0x0910)
+ - (0x24FD, 0x0930)
+ - (0x24FD, 0x0950)
+ - (0x24FD, 0x0850)
+
+Signed-off-by: Oren Givon
+Signed-off-by: David Spinadel
+Signed-off-by: Luca Coelho
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -484,6 +484,8 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x24FD, 0x0010, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x0110, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x1110, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x1130, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0130, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x1010, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x0050, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x0150, iwl8265_2ac_cfg)},
+@@ -494,6 +496,10 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x24FD, 0x0810, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x9110, iwl8265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24FD, 0x8130, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0910, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0930, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0950, iwl8265_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24FD, 0x0850, iwl8265_2ac_cfg)},
+
+ /* 9000 Series */
+ {IWL_PCI_DEVICE(0x2526, 0x0000, iwl9260_2ac_cfg)},
diff --git a/queue-4.7/iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch b/queue-4.7/iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch
new file mode 100644
index 00000000000..3d95938a2c1
--- /dev/null
+++ b/queue-4.7/iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch 
@@ -0,0 +1,58 @@
+From 2aabdbdc17b7c53490337bfc58de3409c84d85d2 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Wed, 8 Jun 2016 23:07:31 +0300
+Subject: iwlwifi: pcie: enable interrupts before releasing the NIC's CPU
+
+From: Emmanuel Grumbach
+
+commit 2aabdbdc17b7c53490337bfc58de3409c84d85d2 upstream.
+
+The NIC's CPU gets started after the firmware has been
+written to its memory. The first thing it does is to
+send an interrupt to let the driver know that it is
+running. In order to get that interrupt, the driver needs
+to make sure it is not masked. Of course, the interrupt
+needs to be enabled in the driver before the CPU starts to
+run.
+I mistakenly inversed those two steps leading to races
+which prevented the driver from getting the alive interrupt
+from the firmware.
+Fix that.
+
+Fixes: a6bd005fe92 ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Luca Coelho
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -801,6 +801,8 @@ static int iwl_pcie_load_cpu_sections_80
+
+ *first_ucode_section = last_read_idx;
+
++ iwl_enable_interrupts(trans);
++
+ if (cpu == 1)
+ iwl_write_direct32(trans, FH_UCODE_LOAD_STATUS, 0xFFFF);
+ else
+@@ -980,6 +982,8 @@ static int iwl_pcie_load_given_ucode(str
+ iwl_pcie_apply_destination(trans);
+ }
+
++ iwl_enable_interrupts(trans);
++
+ /* release CPU reset */
+ iwl_write32(trans, CSR_RESET, 0);
+
+@@ -1215,7 +1219,6 @@ static int iwl_trans_pcie_start_fw(struc
+ ret = iwl_pcie_load_given_ucode_8000(trans, fw);
+ else
+ ret = iwl_pcie_load_given_ucode(trans, fw);
+- iwl_enable_interrupts(trans);
+
+ /* re-check RF-Kill state since we may have missed the interrupt */
+ hw_rfkill = iwl_is_rfkill_set(trans);
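Review bot: Neither added `iwl_enable_interrupts(trans);` call carries a comment saying that it must stay ahead of the CPU release, so a later reorder could silently bring back the lost ALIVE interrupt described in the commit message. I would add `/* unmask before the CPU is released so the ALIVE interrupt is not missed */` above the call in iwl_pcie_load_cpu_sections_8000() and in iwl_pcie_load_given_ucode(). In the 8000 path the call sits in a helper that branches on `cpu`, so it presumably runs once per CPU value; that looks harmless but is worth confirming, since the helper's body starts outside the hunk.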
diff --git a/queue-4.7/iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch b/queue-4.7/iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch new file mode 100644 index 00000000000..622b94eb23a --- /dev/null +++ b/queue-4.7/iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch 
@@ -0,0 +1,190 @@ +From f16c3ebfa64fdf0e2dc88e6baa72da95ab70ffd7 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 13 Jun 2016 08:28:26 +0300 +Subject: iwlwifi: pcie: fix a race in firmware loading flow + +From: Emmanuel Grumbach + +commit f16c3ebfa64fdf0e2dc88e6baa72da95ab70ffd7 upstream. + +Upon firmware load interrupt (FH_TX), the ISR re-enables the +firmware load interrupt only to avoid races with other +flows as described in the commit below. When the firmware +is completely loaded, the thread that is loading the +firmware will enable all the interrupts to make sure that +the driver gets the ALIVE interrupt. +The problem with that is that the thread that is loading +the firmware is actually racing against the ISR and we can +get to the following situation: + +CPU0 CPU1 +iwl_pcie_load_given_ucode + ... + iwl_pcie_load_firmware_chunk + wait_for_interrupt + + ISR handles CSR_INT_BIT_FH_TX + ISR wakes up the thread on CPU0 + /* enable all the interrupts + * to get the ALIVE interrupt + */ + iwl_enable_interrupts + ISR re-enables CSR_INT_BIT_FH_TX only + /* start the firmware */ + iwl_write32(trans, CSR_RESET, 0); + +BUG! ALIVE interrupt will never arrive since it has been +masked by CPU1. + +In order to fix that, change the ISR to first check if +STATUS_INT_ENABLED is set. If so, re-enable all the +interrupts. If STATUS_INT_ENABLED is clear, then we can +check what specific interrupt happened and re-enable only +that specific interrupt (RFKILL or FH_TX). + +All the credit for the analysis goes to Kirtika who did the +actual debugging work. + +Fixes: a6bd005fe92 ("iwlwifi: pcie: fix RF-Kill vs. 
firmware load race") +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 21 +++++++++++++++++++-- + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 16 +++++++++------- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 8 -------- + 3 files changed, 28 insertions(+), 17 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h +@@ -496,7 +496,7 @@ void iwl_pcie_dump_csr(struct iwl_trans + /***************************************************** + * Helpers + ******************************************************/ +-static inline void iwl_disable_interrupts(struct iwl_trans *trans) ++static inline void _iwl_disable_interrupts(struct iwl_trans *trans) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + +@@ -519,7 +519,16 @@ static inline void iwl_disable_interrupt + IWL_DEBUG_ISR(trans, "Disabled interrupts\n"); + } + +-static inline void iwl_enable_interrupts(struct iwl_trans *trans) ++static inline void iwl_disable_interrupts(struct iwl_trans *trans) ++{ ++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); ++ ++ spin_lock(&trans_pcie->irq_lock); ++ _iwl_disable_interrupts(trans); ++ spin_unlock(&trans_pcie->irq_lock); ++} ++ ++static inline void _iwl_enable_interrupts(struct iwl_trans *trans) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + +@@ -542,6 +551,14 @@ static inline void iwl_enable_interrupts + } + } + ++static inline void iwl_enable_interrupts(struct iwl_trans *trans) ++{ ++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); ++ ++ spin_lock(&trans_pcie->irq_lock); ++ _iwl_enable_interrupts(trans); ++ spin_unlock(&trans_pcie->irq_lock); ++} + static inline void iwl_enable_hw_int_msk_msix(struct iwl_trans *trans, u32 msk) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); +--- 
a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -1507,7 +1507,7 @@ irqreturn_t iwl_pcie_irq_handler(int irq + * have anything to service + */ + if (test_bit(STATUS_INT_ENABLED, &trans->status)) +- iwl_enable_interrupts(trans); ++ _iwl_enable_interrupts(trans); + spin_unlock(&trans_pcie->irq_lock); + lock_map_release(&trans->sync_cmd_lockdep_map); + return IRQ_NONE; +@@ -1699,15 +1699,17 @@ irqreturn_t iwl_pcie_irq_handler(int irq + inta & ~trans_pcie->inta_mask); + } + ++ spin_lock(&trans_pcie->irq_lock); ++ /* only Re-enable all interrupt if disabled by irq */ ++ if (test_bit(STATUS_INT_ENABLED, &trans->status)) ++ _iwl_enable_interrupts(trans); + /* we are loading the firmware, enable FH_TX interrupt only */ +- if (handled & CSR_INT_BIT_FH_TX) ++ else if (handled & CSR_INT_BIT_FH_TX) + iwl_enable_fw_load_int(trans); +- /* only Re-enable all interrupt if disabled by irq */ +- else if (test_bit(STATUS_INT_ENABLED, &trans->status)) +- iwl_enable_interrupts(trans); + /* Re-enable RF_KILL if it occurred */ + else if (handled & CSR_INT_BIT_RF_KILL) + iwl_enable_rfkill_int(trans); ++ spin_unlock(&trans_pcie->irq_lock); + + out: + lock_map_release(&trans->sync_cmd_lockdep_map); +@@ -1771,7 +1773,7 @@ void iwl_pcie_reset_ict(struct iwl_trans + return; + + spin_lock(&trans_pcie->irq_lock); +- iwl_disable_interrupts(trans); ++ _iwl_disable_interrupts(trans); + + memset(trans_pcie->ict_tbl, 0, ICT_SIZE); + +@@ -1787,7 +1789,7 @@ void iwl_pcie_reset_ict(struct iwl_trans + trans_pcie->use_ict = true; + trans_pcie->ict_index = 0; + iwl_write32(trans, CSR_INT, trans_pcie->inta_mask); +- iwl_enable_interrupts(trans); ++ _iwl_enable_interrupts(trans); + spin_unlock(&trans_pcie->irq_lock); + } + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1037,9 +1037,7 @@ static void _iwl_trans_pcie_stop_device( + was_hw_rfkill = iwl_is_rfkill_set(trans); + + /* tell the 
device to stop sending interrupts */ +- spin_lock(&trans_pcie->irq_lock); + iwl_disable_interrupts(trans); +- spin_unlock(&trans_pcie->irq_lock); + + /* device going down, Stop using ICT table */ + iwl_pcie_disable_ict(trans); +@@ -1083,9 +1081,7 @@ static void _iwl_trans_pcie_stop_device( + * the time, unless the interrupt is ACKed even if the interrupt + * should be masked. Re-ACK all the interrupts here. + */ +- spin_lock(&trans_pcie->irq_lock); + iwl_disable_interrupts(trans); +- spin_unlock(&trans_pcie->irq_lock); + + /* clear all status bits */ + clear_bit(STATUS_SYNC_HCMD_ACTIVE, &trans->status); +@@ -1570,15 +1566,11 @@ static void iwl_trans_pcie_op_mode_leave + mutex_lock(&trans_pcie->mutex); + + /* disable interrupts - don't enable HW RF kill interrupt */ +- spin_lock(&trans_pcie->irq_lock); + iwl_disable_interrupts(trans); +- spin_unlock(&trans_pcie->irq_lock); + + iwl_pcie_apm_stop(trans, true); + +- spin_lock(&trans_pcie->irq_lock); + iwl_disable_interrupts(trans); +- spin_unlock(&trans_pcie->irq_lock); + + iwl_pcie_disable_ict(trans); + diff --git a/queue-4.7/jbd2-make-journal-y2038-safe.patch b/queue-4.7/jbd2-make-journal-y2038-safe.patch new file mode 100644 index 00000000000..81afd63102c --- /dev/null +++ b/queue-4.7/jbd2-make-journal-y2038-safe.patch 
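Review bot: The new `_iwl_enable_interrupts()` and `_iwl_disable_interrupts()` depend on the caller already holding `trans_pcie->irq_lock`, but nothing in internal.h states or enforces that. Adding `lockdep_assert_held(&trans_pcie->irq_lock);` at the top of both underscore helpers, plus a one-line comment on the locking wrappers, would catch a future caller that picks the wrong variant, which is the same kind of masking race this patch fixes. The wrappers take the lock with plain `spin_lock()`; whether that is sufficient depends on every context that takes irq_lock, and not all of them are visible here. A blank line is also missing between `iwl_enable_interrupts()` and `iwl_enable_hw_int_msk_msix()`.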
@@ -0,0 +1,37 @@
+From abcfb5d979892fc8b12574551fc907c05fe1b11b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 30 Jun 2016 11:49:01 -0400
+Subject: jbd2: make journal y2038 safe
+
+From: Arnd Bergmann
+
+commit abcfb5d979892fc8b12574551fc907c05fe1b11b upstream.
+
+The jbd2 journal stores the commit time in 64-bit seconds and 32-bit
+nanoseconds, which avoids an overflow in 2038, but it gets the numbers
+from current_kernel_time(), which uses 'long' seconds on 32-bit
+architectures.
+
+This simply changes the code to call current_kernel_time64() so
+we use 64-bit seconds consistently.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jbd2/commit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -124,7 +124,7 @@ static int journal_submit_commit_record(
+ struct commit_header *tmp;
+ struct buffer_head *bh;
+ int ret;
+- struct timespec now = current_kernel_time();
++ struct timespec64 now = current_kernel_time64();
+
+ *cbh = NULL;
+
diff --git a/queue-4.7/media-dvb_ringbuffer-add-memory-barriers.patch b/queue-4.7/media-dvb_ringbuffer-add-memory-barriers.patch
new file mode 100644
index 00000000000..3207f4f9b7c
--- /dev/null
+++ b/queue-4.7/media-dvb_ringbuffer-add-memory-barriers.patch
@@ -0,0 +1,176 @@ +From ca6e6126db5494f18c6c6615060d4d803b528bff Mon Sep 17 00:00:00 2001 +From: Soeren Moch +Date: Wed, 11 May 2016 13:49:11 -0300 +Subject: [media] media: dvb_ringbuffer: Add memory barriers + +From: Soeren Moch + +commit ca6e6126db5494f18c6c6615060d4d803b528bff upstream. + +Implement memory barriers according to Documentation/circular-buffers.txt: +- use smp_store_release() to update ringbuffer read/write pointers +- use smp_load_acquire() to load write pointer on reader side +- use ACCESS_ONCE() to load read pointer on writer side + +This fixes data stream corruptions observed e.g. on an ARM Cortex-A9 +quad core system with different types (PCI, USB) of DVB tuners. + +Signed-off-by: Soeren Moch +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-core/dvb_ringbuffer.c | 74 ++++++++++++++++++++++++++------ + 1 file changed, 61 insertions(+), 13 deletions(-) + +--- a/drivers/media/dvb-core/dvb_ringbuffer.c ++++ b/drivers/media/dvb-core/dvb_ringbuffer.c +@@ -55,7 +55,13 @@ void dvb_ringbuffer_init(struct dvb_ring + + int dvb_ringbuffer_empty(struct dvb_ringbuffer *rbuf) + { +- return (rbuf->pread==rbuf->pwrite); ++ /* smp_load_acquire() to load write pointer on reader side ++ * this pairs with smp_store_release() in dvb_ringbuffer_write(), ++ * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset() ++ * ++ * for memory barriers also see Documentation/circular-buffers.txt ++ */ ++ return (rbuf->pread == smp_load_acquire(&rbuf->pwrite)); + } + + +@@ -64,7 +70,12 @@ ssize_t dvb_ringbuffer_free(struct dvb_r + { + ssize_t free; + +- free = rbuf->pread - rbuf->pwrite; ++ /* ACCESS_ONCE() to load read pointer on writer side ++ * this pairs with smp_store_release() in dvb_ringbuffer_read(), ++ * dvb_ringbuffer_read_user(), dvb_ringbuffer_flush(), ++ * or dvb_ringbuffer_reset() ++ */ ++ free = ACCESS_ONCE(rbuf->pread) - rbuf->pwrite; + if (free <= 0) + free += rbuf->size; + return free-1; +@@ -76,7 +87,11 @@ 
ssize_t dvb_ringbuffer_avail(struct dvb_ + { + ssize_t avail; + +- avail = rbuf->pwrite - rbuf->pread; ++ /* smp_load_acquire() to load write pointer on reader side ++ * this pairs with smp_store_release() in dvb_ringbuffer_write(), ++ * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset() ++ */ ++ avail = smp_load_acquire(&rbuf->pwrite) - rbuf->pread; + if (avail < 0) + avail += rbuf->size; + return avail; +@@ -86,14 +101,25 @@ ssize_t dvb_ringbuffer_avail(struct dvb_ + + void dvb_ringbuffer_flush(struct dvb_ringbuffer *rbuf) + { +- rbuf->pread = rbuf->pwrite; ++ /* dvb_ringbuffer_flush() counts as read operation ++ * smp_load_acquire() to load write pointer ++ * smp_store_release() to update read pointer, this ensures that the ++ * correct pointer is visible for subsequent dvb_ringbuffer_free() ++ * calls on other cpu cores ++ */ ++ smp_store_release(&rbuf->pread, smp_load_acquire(&rbuf->pwrite)); + rbuf->error = 0; + } + EXPORT_SYMBOL(dvb_ringbuffer_flush); + + void dvb_ringbuffer_reset(struct dvb_ringbuffer *rbuf) + { +- rbuf->pread = rbuf->pwrite = 0; ++ /* dvb_ringbuffer_reset() counts as read and write operation ++ * smp_store_release() to update read pointer ++ */ ++ smp_store_release(&rbuf->pread, 0); ++ /* smp_store_release() to update write pointer */ ++ smp_store_release(&rbuf->pwrite, 0); + rbuf->error = 0; + } + +@@ -119,12 +145,17 @@ ssize_t dvb_ringbuffer_read_user(struct + return -EFAULT; + buf += split; + todo -= split; +- rbuf->pread = 0; ++ /* smp_store_release() for read pointer update to ensure ++ * that buf is not overwritten until read is complete, ++ * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free() ++ */ ++ smp_store_release(&rbuf->pread, 0); + } + if (copy_to_user(buf, rbuf->data+rbuf->pread, todo)) + return -EFAULT; + +- rbuf->pread = (rbuf->pread + todo) % rbuf->size; ++ /* smp_store_release() to update read pointer, see above */ ++ smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size); + + return len; + } +@@ 
-139,11 +170,16 @@ void dvb_ringbuffer_read(struct dvb_ring + memcpy(buf, rbuf->data+rbuf->pread, split); + buf += split; + todo -= split; +- rbuf->pread = 0; ++ /* smp_store_release() for read pointer update to ensure ++ * that buf is not overwritten until read is complete, ++ * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free() ++ */ ++ smp_store_release(&rbuf->pread, 0); + } + memcpy(buf, rbuf->data+rbuf->pread, todo); + +- rbuf->pread = (rbuf->pread + todo) % rbuf->size; ++ /* smp_store_release() to update read pointer, see above */ ++ smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size); + } + + +@@ -158,10 +194,16 @@ ssize_t dvb_ringbuffer_write(struct dvb_ + memcpy(rbuf->data+rbuf->pwrite, buf, split); + buf += split; + todo -= split; +- rbuf->pwrite = 0; ++ /* smp_store_release() for write pointer update to ensure that ++ * written data is visible on other cpu cores before the pointer ++ * update, this pairs with smp_load_acquire() in ++ * dvb_ringbuffer_empty() or dvb_ringbuffer_avail() ++ */ ++ smp_store_release(&rbuf->pwrite, 0); + } + memcpy(rbuf->data+rbuf->pwrite, buf, todo); +- rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size; ++ /* smp_store_release() for write pointer update, see above */ ++ smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size); + + return len; + } +@@ -181,12 +223,18 @@ ssize_t dvb_ringbuffer_write_user(struct + return len - todo; + buf += split; + todo -= split; +- rbuf->pwrite = 0; ++ /* smp_store_release() for write pointer update to ensure that ++ * written data is visible on other cpu cores before the pointer ++ * update, this pairs with smp_load_acquire() in ++ * dvb_ringbuffer_empty() or dvb_ringbuffer_avail() ++ */ ++ smp_store_release(&rbuf->pwrite, 0); + } + status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo); + if (status) + return len - todo; +- rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size; ++ /* smp_store_release() for write pointer update, see above */ ++ 
smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size); + + return len; + } diff --git a/queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch b/queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch new file mode 100644 index 00000000000..e16909c507c --- /dev/null +++ b/queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch 
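Review bot: dvb_ringbuffer_reset() now publishes `pread` and `pwrite` with two separate `smp_store_release()` calls, so another core can observe `pread == 0` together with the old `pwrite` between them and compute a bogus avail or free value. Release/acquire ordering does not make the pair of updates atomic, so the comment in reset should say that it may only run while no reader or writer is active, for example `/* caller must exclude concurrent readers and writers */`. The plain `rbuf->error = 0;` that follows in both reset and flush is likewise unordered with respect to the pointer stores and deserves the same remark.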
@@ -0,0 +1,64 @@ +From 2a00932f082aff93c3a55426e0c7af6d0ec03997 Mon Sep 17 00:00:00 2001 +From: Matthew Leach +Date: Fri, 8 Jul 2016 09:04:27 -0300 +Subject: [media] media: usbtv: prevent access to free'd resources + +From: Matthew Leach + +commit 2a00932f082aff93c3a55426e0c7af6d0ec03997 upstream. + +When disconnecting the usbtv device, the sound card is unregistered +from ALSA and the snd member of the usbtv struct is set to NULL. If +the usbtv snd_trigger work is running, this can cause a race condition +where the kernel will attempt to access free'd resources, shown in +[1]. + +This patch fixes the disconnection code by cancelling any snd_trigger +work before unregistering the sound card from ALSA and checking that +the snd member still exists in the work function. + +[1]: + usb 3-1.2: USB disconnect, device number 6 + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + IP: [] process_one_work+0x30/0x480 + PGD 405bbf067 PUD 405bbe067 PMD 0 + Call Trace: + [] worker_thread+0x48/0x4e0 + [] ? process_one_work+0x480/0x480 + [] ? process_one_work+0x480/0x480 + [] kthread+0xd8/0xf0 + [] ret_from_fork+0x22/0x40 + [] ? 
kthread_worker_fn+0x170/0x170 + ---[ end trace 0f3dac5c1a38e610 ]--- + +Signed-off-by: Matthew Leach +Tested-by: Peter Sutton +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbtv/usbtv-audio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/usb/usbtv/usbtv-audio.c ++++ b/drivers/media/usb/usbtv/usbtv-audio.c +@@ -278,6 +278,9 @@ static void snd_usbtv_trigger(struct wor + { + struct usbtv *chip = container_of(work, struct usbtv, snd_trigger); + ++ if (!chip->snd) ++ return; ++ + if (atomic_read(&chip->snd_stream)) + usbtv_audio_start(chip); + else +@@ -378,6 +381,8 @@ err: + + void usbtv_audio_free(struct usbtv *usbtv) + { ++ cancel_work_sync(&usbtv->snd_trigger); ++ + if (usbtv->snd && usbtv->udev) { + snd_card_free(usbtv->snd); + usbtv->snd = NULL; diff --git a/queue-4.7/megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch b/queue-4.7/megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch new file mode 100644 index 00000000000..14e7bfc3531 --- /dev/null +++ b/queue-4.7/megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch 
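Review bot: The `if (!chip->snd) return;` guard in snd_usbtv_trigger() reads the pointer without a lock or any ordering, and usbtv_audio_free() clears `usbtv->snd` only after `cancel_work_sync()` has already returned. If the code that schedules `snd_trigger` (outside this hunk) can still run between the cancel and `snd_card_free()`, the work can be queued again and run against a card that is being freed. It is worth confirming that the scheduling path is quiesced before usbtv_audio_free() is called, and recording that in a comment above the cancel, e.g. `/* the trigger path can no longer queue snd_trigger here because ... */`.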
@@ -0,0 +1,58 @@ +From d9083160c2f6ee456ea867ea2279c1fc6124e56f Mon Sep 17 00:00:00 2001 +From: Sumit Saxena +Date: Fri, 8 Jul 2016 03:30:16 -0700 +Subject: megaraid_sas: Do not fire MR_DCMD_PD_LIST_QUERY to controllers which do not support it + +From: Sumit Saxena + +commit d9083160c2f6ee456ea867ea2279c1fc6124e56f upstream. + +There was an issue reported by Lucz Geza on Dell Perc 6i. As per issue +reported, megaraid_sas driver goes into an infinite error reporting loop +as soon as there is a change in the status of one of the +arrays (degrade, resync online etc ). Below are the error logs reported +continuously- + +Jun 25 08:49:30 ns8 kernel: [ 757.757017] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115 +Jun 25 08:49:30 ns8 kernel: [ 757.778017] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115 +Jun 25 08:49:30 ns8 kernel: [ 757.799017] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115 +Jun 25 08:49:30 ns8 kernel: [ 757.820018] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115 +Jun 25 08:49:30 ns8 kernel: [ 757.841018] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115 + +This issue is very much specific to controllers which do not support +DCMD- MR_DCMD_PD_LIST_QUERY. In case of any hotplugging/rescanning of +drives, AEN thread will be scheduled by driver and fire DCMD- +MR_DCMD_PD_LIST_QUERY and if this DCMD is failed then driver will fail +this event processing and will not go ahead for further events. This +will cause infinite loop of same event getting retried infinitely and +causing above mentioned logs. + +Fix for this problem is: not to fire DCMD MR_DCMD_PD_LIST_QUERY for +controllers which do not support it and send DCMD SUCCESS status to AEN +function so that it can go ahead with other event processing. 
+ +Reported-by: Lucz Geza +Signed-off-by: Sumit Saxena +Reviewed-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -4079,6 +4079,12 @@ megasas_get_pd_list(struct megasas_insta + struct MR_PD_ADDRESS *pd_addr; + dma_addr_t ci_h = 0; + ++ if (instance->pd_list_not_supported) { ++ dev_info(&instance->pdev->dev, "MR_DCMD_PD_LIST_QUERY " ++ "not supported by firmware\n"); ++ return ret; ++ } ++ + cmd = megasas_get_cmd(instance); + + if (!cmd) { diff --git a/queue-4.7/ovl-disallow-overlayfs-as-upperdir.patch b/queue-4.7/ovl-disallow-overlayfs-as-upperdir.patch new file mode 100644 index 00000000000..c6facea9d0e --- /dev/null +++ b/queue-4.7/ovl-disallow-overlayfs-as-upperdir.patch @@ -0,0 +1,32 @@ +From 76bc8e2843b66f8205026365966b49ec6da39ae7 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 29 Jul 2016 12:05:24 +0200 +Subject: ovl: disallow overlayfs as upperdir + +From: Miklos Szeredi + +commit 76bc8e2843b66f8205026365966b49ec6da39ae7 upstream. + +This does not work and does not make sense. So instead of fixing it +(probably not hard) just disallow. + +Reported-by: Andrei Vagin +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -404,7 +404,8 @@ static struct ovl_entry *ovl_alloc_entry + static bool ovl_dentry_remote(struct dentry *dentry) + { + return dentry->d_flags & +- (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE); ++ (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE | ++ DCACHE_OP_REAL); + } + + static bool ovl_dentry_weird(struct dentry *dentry) 
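Review bot: The early exit in megasas_get_pd_list() uses `return ret;`, which depends on the initial value of `ret` declared above the hunk, while the commit message requires the AEN path to see DCMD success here. Returning the success constant explicitly (`return DCMD_SUCCESS;`, if that is what `ret` is initialised to) would keep this branch correct should the initialiser ever change. The `dev_info()` fires on every call, and the commit message describes this function being re-run for each hotplug or rescan event, so the message can still repeat in the log; a once-only or debug-level print would fit better. The format string is also split across two literals, which makes it harder to grep for.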
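Review bot: ovl_dentry_remote() now also matches `DCACHE_OP_REAL`, which is unrelated to remote revalidation, so the function name no longer describes the test and the reason for the extra flag lives only in the commit message. A comment above the return, such as `/* DCACHE_OP_REAL: reject a dentry that itself belongs to a stacked overlay */`, would make the intent clear (wording to be confirmed against where the flag is set). Callers of ovl_dentry_remote() are outside the hunk, so it is worth checking that each of them wants overlayfs dentries rejected, not only the upperdir check named in the subject.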
diff --git a/queue-4.7/rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch b/queue-4.7/rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch new file mode 100644 index 00000000000..e112683da83 --- /dev/null +++ b/queue-4.7/rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch @@ -0,0 +1,44 @@ +From 5cac1f67ea0363d463a58ec2d9118268fe2ba5d6 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Thu, 7 Jul 2016 03:17:39 -0300 +Subject: [media] rc: nuvoton: fix hang if chip is configured for alternative EFM IO address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Heiner Kallweit + +commit 5cac1f67ea0363d463a58ec2d9118268fe2ba5d6 upstream. + +If a system configures the Nuvoton chip to use the alternative +EFM IO address (CR_EFIR2) then after probing the primary EFM IO +address (CR_EFIR) this region is not released. + +If a driver for another function of the Nuvoton Super I/O +chip uses the same probing mechanism then it will hang if +loaded after the nuvoton-cir driver. +This was reported for the nct6775 hwmon driver. + +Fix this by properly releasing the region after probing CR_EFIR. +This regression was introduced with kernel 4.6 so cc it to stable. + +Reported-by: Antti Seppälä +Signed-off-by: Heiner Kallweit +Tested-by: Antti Seppälä +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/nuvoton-cir.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/rc/nuvoton-cir.c ++++ b/drivers/media/rc/nuvoton-cir.c +@@ -401,6 +401,7 @@ static int nvt_hw_detect(struct nvt_dev + /* Check if we're wired for the alternate EFER setup */ + nvt->chip_major = nvt_cr_read(nvt, CR_CHIP_ID_HI); + if (nvt->chip_major == 0xff) { ++ nvt_efm_disable(nvt); + nvt->cr_efir = CR_EFIR2; + nvt->cr_efdr = CR_EFDR2; + nvt_efm_enable(nvt); 
diff --git a/queue-4.7/regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch b/queue-4.7/regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch new file mode 100644 index 00000000000..d9b6bd4d196 --- /dev/null +++ b/queue-4.7/regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch 
@@ -0,0 +1,47 @@
+From 04c16b84e49a6d609c88f4f5523237ece3612b74 Mon Sep 17 00:00:00 2001
+From: Alim Akhtar
+Date: Tue, 12 Jul 2016 11:26:43 +0530
+Subject: regulator: s2mps11: Fix the voltage linear range for s2mps15
+
+From: Alim Akhtar
+
+commit 04c16b84e49a6d609c88f4f5523237ece3612b74 upstream.
+
+This patch fixes some of the LDOs and BUCKs voltage range as per
+user manual of s2mps15 (REV0.4).
+
+Fixes: 51af20675800 ("regulator: s2mps11: Add support for S2MPS15 regulators")
+Signed-off-by: Alim Akhtar
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/s2mps11.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -750,7 +750,7 @@ static const struct regulator_linear_ran
+
+ /* voltage range for s2mps15 LDO 7, 8, 9 and 10 */
+ static const struct regulator_linear_range s2mps15_ldo_voltage_ranges4[] = {
+- REGULATOR_LINEAR_RANGE(700000, 0xc, 0x18, 25000),
++ REGULATOR_LINEAR_RANGE(700000, 0x10, 0x20, 25000),
+ };
+
+ /* voltage range for s2mps15 LDO 1 */
+@@ -760,12 +760,12 @@ static const struct regulator_linear_ran
+
+ /* voltage range for s2mps15 BUCK 1, 2, 3, 4, 5, 6 and 7 */
+ static const struct regulator_linear_range s2mps15_buck_voltage_ranges1[] = {
+- REGULATOR_LINEAR_RANGE(500000, 0x20, 0xb0, 6250),
++ REGULATOR_LINEAR_RANGE(500000, 0x20, 0xc0, 6250),
+ };
+
+ /* voltage range for s2mps15 BUCK 8, 9 and 10 */
+ static const struct regulator_linear_range s2mps15_buck_voltage_ranges2[] = {
+- REGULATOR_LINEAR_RANGE(1000000, 0x20, 0xc0, 12500),
++ REGULATOR_LINEAR_RANGE(1000000, 0x20, 0x78, 12500),
+ };
+
+ static const struct regulator_desc s2mps15_regulators[] = {
diff --git a/queue-4.7/remoteproc-fix-potential-race-condition-in-rproc_add.patch b/queue-4.7/remoteproc-fix-potential-race-condition-in-rproc_add.patch
new file mode 100644
index 00000000000..5cff2724f21
--- /dev/null
+++ b/queue-4.7/remoteproc-fix-potential-race-condition-in-rproc_add.patch 
@@ -0,0 +1,58 @@
+From d2e12e66a939c54ed84e5f1b6947f0c45f6c56eb Mon Sep 17 00:00:00 2001
+From: Dave Gerlach
+Date: Wed, 25 May 2016 15:41:28 -0500
+Subject: remoteproc: Fix potential race condition in rproc_add
+
+From: Dave Gerlach
+
+commit d2e12e66a939c54ed84e5f1b6947f0c45f6c56eb upstream.
+
+rproc_add adds the newly created remoteproc to a list for use by
+rproc_get_by_phandle and then does some additional processing to finish
+adding the remoteproc. This leaves a small window of time in which the
+rproc is available in the list but not yet fully initialized, so if
+another driver comes along and gets a handle to the rproc, it will be
+invalid. Rearrange the code in rproc_add to make sure the rproc is added
+to the list only after it has been successfuly initialized.
+
+Fixes: fec47d863587 ("remoteproc: introduce rproc_get_by_phandle API")
+Signed-off-by: Dave Gerlach
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/remoteproc/remoteproc_core.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1264,11 +1264,6 @@ int rproc_add(struct rproc *rproc)
+ if (ret < 0)
+ return ret;
+
+- /* expose to rproc_get_by_phandle users */
+- mutex_lock(&rproc_list_mutex);
+- list_add(&rproc->node, &rproc_list);
+- mutex_unlock(&rproc_list_mutex);
+-
+ dev_info(dev, "%s is available\n", rproc->name);
+
+ dev_info(dev, "Note: remoteproc is still under development and considered experimental.\n");
+@@ -1276,8 +1271,16 @@ int rproc_add(struct rproc *rproc)
+
+ /* create debugfs entries */
+ rproc_create_debug_dir(rproc);
++ ret = rproc_add_virtio_devices(rproc);
++ if (ret < 0)
++ return ret;
++
++ /* expose to rproc_get_by_phandle users */
++ mutex_lock(&rproc_list_mutex);
++ list_add(&rproc->node, &rproc_list);
++ mutex_unlock(&rproc_list_mutex);
+
+- return rproc_add_virtio_devices(rproc);
++ return 0;
+ }
+ EXPORT_SYMBOL(rproc_add);
+
diff --git a/queue-4.7/s5p-mfc-add-release-callback-for-memory-region-devs.patch b/queue-4.7/s5p-mfc-add-release-callback-for-memory-region-devs.patch
new file mode 100644
index 00000000000..a6404230fe2
--- /dev/null
+++ b/queue-4.7/s5p-mfc-add-release-callback-for-memory-region-devs.patch
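Review bot: The new `if (ret < 0) return ret;` after `rproc_add_virtio_devices(rproc)` in the second hunk leaves rproc_add() without undoing what ran before it: the debugfs directory from `rproc_create_debug_dir(rproc)` stays, and so does whatever the call checked by the first `if (ret < 0)` set up (that call is outside the hunk). The old `return rproc_add_virtio_devices(rproc);` had the same gap, but a failure now also leaves the rproc off `rproc_list`, so the error path deserves either an unwind or at least a comment such as `/* failure here does not undo rproc_create_debug_dir() above */`. The reordering also treats a zero return from `rproc_add_virtio_devices()` as "fully initialised"; if any of that work completes asynchronously, the window described in the commit message is narrowed rather than closed, which is worth confirming. rproc_add() starts outside the hunks.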
@@ -0,0 +1,58 @@
+From 6311f1261f59ce5e51fbe5cc3b5e7737197316ac Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Tue, 3 May 2016 16:27:17 -0400
+Subject: s5p-mfc: Add release callback for memory region devs
+
+From: Javier Martinez Canillas
+
+commit 6311f1261f59ce5e51fbe5cc3b5e7737197316ac upstream.
+
+When s5p_mfc_remove() calls put_device() for the reserved memory region
+devs, the driver core warns that the dev doesn't have a release callback:
+
+WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.
+
+Also, the declared DMA memory using dma_declare_coherent_memory() isn't
+relased so add a dev .release that calls dma_release_declared_memory().
+
+Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
+Signed-off-by: Javier Martinez Canillas
+Tested-by: Marek Szyprowski
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1050,6 +1050,11 @@ static int match_child(struct device *de
+ return !strcmp(dev_name(dev), (char *)data);
+ }
+
++static void s5p_mfc_memdev_release(struct device *dev)
++{
++ dma_release_declared_memory(dev);
++}
++
+ static void *mfc_get_drv_data(struct platform_device *pdev);
+
+ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
+@@ -1064,6 +1069,7 @@ static int s5p_mfc_alloc_memdevs(struct
+ }
+
+ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
++ dev->mem_dev_l->release = s5p_mfc_memdev_release;
+ device_initialize(dev->mem_dev_l);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-l", mem_info, 2);
+@@ -1083,6 +1089,7 @@ static int s5p_mfc_alloc_memdevs(struct
+ }
+
+ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
++ dev->mem_dev_r->release = s5p_mfc_memdev_release;
+ device_initialize(dev->mem_dev_r);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-r", mem_info, 2);
diff --git a/queue-4.7/s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch b/queue-4.7/s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
new file mode 100644
index 00000000000..a4ec4d1f004
--- /dev/null
+++ b/queue-4.7/s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
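Review bot: `s5p_mfc_memdev_release()` only calls `dma_release_declared_memory(dev)` and never frees the `struct device` itself, so the release callback silences the driver-core warning without actually owning the object's lifetime. The allocation of `mem_dev_l` and `mem_dev_r` is outside the hunks (only the `-ENOMEM` path is hinted at); if it is device-managed, the memory is freed at driver unbind regardless of the reference count, and anything still holding a reference then points at freed memory. I would either allocate these devices with a plain allocation and add `kfree(dev);` to the release callback, or put a comment on `s5p_mfc_memdev_release()` stating where the structure is freed and why no reference can outlive it. s5p_mfc_alloc_memdevs() starts and ends outside the hunks.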
@@ -0,0 +1,50 @@
+From 29debab0a94035a390801d1f177d171d014b7765 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Tue, 3 May 2016 16:27:16 -0400
+Subject: s5p-mfc: Set device name for reserved memory region devs
+
+From: Javier Martinez Canillas
+
+commit 29debab0a94035a390801d1f177d171d014b7765 upstream.
+
+The devices don't have a name set, so makes dev_name() returns NULL which
+makes harder to identify the devices that are causing issues, for example:
+
+WARNING: CPU: 2 PID: 616 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device '(null)' does not have a release() function, it is broken and must be fixed.
+
+And after setting the device name:
+
+WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.
+
+Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
+Signed-off-by: Javier Martinez Canillas
+Tested-by: Marek Szyprowski
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1062,6 +1062,8 @@ static int s5p_mfc_alloc_memdevs(struct
+ mfc_err("Not enough memory\n");
+ return -ENOMEM;
+ }
++
++ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
+ device_initialize(dev->mem_dev_l);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-l", mem_info, 2);
+@@ -1079,6 +1081,8 @@ static int s5p_mfc_alloc_memdevs(struct
+ mfc_err("Not enough memory\n");
+ return -ENOMEM;
+ }
++
++ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
+ device_initialize(dev->mem_dev_r);
+ of_property_read_u32_array(dev->plat_dev->dev.of_node,
+ "samsung,mfc-r", mem_info, 2);
diff --git a/queue-4.7/series b/queue-4.7/series
index cf95c40ec79..9d63e153555 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
@@ -38,3 +38,37 @@ mfd-qcom_rpm-fix-offset-error-for-msm8660.patch
 mfd-qcom_rpm-parametrize-also-ack-selector-size.patch
 perf-x86-intel-uncore-fix-uncore-num_counters.patch
 objtool-add-fixdep-to-objtool-.gitignore.patch
+media-usbtv-prevent-access-to-free-d-resources.patch
+media-dvb_ringbuffer-add-memory-barriers.patch
+rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch
+videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
+vb2-core-skip-planes-array-verification-if-pb-is-null.patch
+fix-rc5-decoding-with-fintek-cir-chipset.patch
+sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
+sur40-fix-occasional-oopses-on-device-close.patch
+regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch
+dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch
+dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
+xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch
+hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
+s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
+s5p-mfc-add-release-callback-for-memory-region-devs.patch
+dm-verity-fec-fix-block-calculation.patch
+iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch
+iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch
+iwlwifi-add-new-8260-pci-ids.patch
+iwlwifi-add-new-8265.patch
+bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch
+i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
+spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
+brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch
+bluetooth-add-support-of-13d3-3490-ar3012-device.patch
+bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
+edac-correct-channel-count-limit.patch
+megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch
+hid-uhid-fix-timeout-when-probe-races-with-io.patch
+ovl-disallow-overlayfs-as-upperdir.patch
+remoteproc-fix-potential-race-condition-in-rproc_add.patch
+arc-mm-don-t-loose-pte_special-in-pte_modify.patch
+arc-dma-fix-address-translation-in-arc_dma_free.patch
+jbd2-make-journal-y2038-safe.patch
diff --git a/queue-4.7/spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch b/queue-4.7/spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
new file mode 100644
index 00000000000..b8e5b4cc48f
--- /dev/null
+++ b/queue-4.7/spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
@@ -0,0 +1,41 @@
+From 152bc19e2fc2b7fce7ffbc2a9cea94b147223702 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Wed, 6 Jul 2016 12:08:11 +0300
+Subject: spi: pxa2xx: Clear all RFT bits in reset_sccr1() on Intel Quark
+
+From: Andy Shevchenko
+
+commit 152bc19e2fc2b7fce7ffbc2a9cea94b147223702 upstream.
+
+It seems the commit e5262d0568dc ("spi: spi-pxa2xx: SPI support for Intel Quark
+X1000") misses one place to be adapted for Intel Quark, i.e. in reset_sccr1().
+
+Clear all RFT bits when call reset_sccr1() on Intel Quark.
+
+Fixes: e5262d0568dc ("spi: spi-pxa2xx: SPI support for Intel Quark X1000")
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-pxa2xx.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -585,7 +585,14 @@ static void reset_sccr1(struct driver_da
+ u32 sccr1_reg;
+
+ sccr1_reg = pxa2xx_spi_read(drv_data, SSCR1) & ~drv_data->int_cr1;
+- sccr1_reg &= ~SSCR1_RFT;
++ switch (drv_data->ssp_type) {
++ case QUARK_X1000_SSP:
++ sccr1_reg &= ~QUARK_X1000_SSCR1_RFT;
++ break;
++ default:
++ sccr1_reg &= ~SSCR1_RFT;
++ break;
++ }
+ sccr1_reg |= chip->threshold;
+ pxa2xx_spi_write(drv_data, SSCR1, sccr1_reg);
+ }
diff --git a/queue-4.7/sur40-fix-occasional-oopses-on-device-close.patch b/queue-4.7/sur40-fix-occasional-oopses-on-device-close.patch
new file mode 100644
index 00000000000..0979ca89614
--- /dev/null
+++ b/queue-4.7/sur40-fix-occasional-oopses-on-device-close.patch
@@ -0,0 +1,41 @@
+From 6a8588156657e607fcfdffd46c1daae8ba88a1e5 Mon Sep 17 00:00:00 2001
+From: Florian Echtler
+Date: Tue, 31 May 2016 17:15:33 -0300
+Subject: [media] sur40: fix occasional oopses on device close
+
+From: Florian Echtler
+
+commit 6a8588156657e607fcfdffd46c1daae8ba88a1e5 upstream.
+
+Closing the V4L2 device sometimes triggers a kernel oops.
+Present patch fixes this.
+
+Signed-off-by: Martin Kaltenbrunner
+Signed-off-by: Florian Echtler
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/sur40.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -448,7 +448,7 @@ static void sur40_process_video(struct s
+
+ /* return error if streaming was stopped in the meantime */
+ if (sur40->sequence == -1)
+- goto err_poll;
++ return;
+
+ /* mark as finished */
+ new_buf->vb.vb2_buf.timestamp = ktime_get_ns();
+@@ -736,6 +736,7 @@ static int sur40_start_streaming(struct
+ static void sur40_stop_streaming(struct vb2_queue *vq)
+ {
+ struct sur40_state *sur40 = vb2_get_drv_priv(vq);
++ vb2_wait_for_all_buffers(vq);
+ sur40->sequence = -1;
+
+ /* Release all active buffers */
diff --git a/queue-4.7/sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch b/queue-4.7/sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
new file mode 100644
index 00000000000..e9a09b8bd0f
--- /dev/null
+++ b/queue-4.7/sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
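Review bot: In sur40_process_video() the `sequence == -1` path now does a bare `return` instead of `goto err_poll`, so whatever `err_poll` did with `new_buf` is skipped; the label and the point where `new_buf` is obtained are outside the hunk, but if the buffer has already been taken off the driver's list by then, nothing visible hands it back to vb2. That interacts with the second hunk, where `vb2_wait_for_all_buffers(vq)` in sur40_stop_streaming() runs before `sur40->sequence = -1;` is set and waits on buffers the driver still holds; its return value is also dropped. I would add a comment at the `return` stating who completes `new_buf` on this path, and either check the result of `vb2_wait_for_all_buffers(vq)` or say why it can be ignored. `sur40->sequence` is read in one function and written in the other with no locking visible in either hunk, which is worth confirming against the rest of the file.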
@@ -0,0 +1,33 @@
+From af766ee005c496b8567976dc3eed7676443ed6de Mon Sep 17 00:00:00 2001
+From: Florian Echtler
+Date: Tue, 31 May 2016 17:15:32 -0300
+Subject: [media] sur40: lower poll interval to fix occasional FPS drops to ~56 FPS
+
+From: Florian Echtler
+
+commit af766ee005c496b8567976dc3eed7676443ed6de upstream.
+
+The framerate sometimes drops below 60 Hz if the poll interval is too high.
+Lowering it to the minimum of 1 ms fixes this.
+
+Signed-off-by: Martin Kaltenbrunner
+Signed-off-by: Florian Echtler
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/sur40.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -126,7 +126,7 @@ struct sur40_image_header {
+ #define VIDEO_PACKET_SIZE 16384
+
+ /* polling interval (ms) */
+-#define POLL_INTERVAL 4
++#define POLL_INTERVAL 1
+
+ /* maximum number of contacts FIXME: this is a guess? */
+ #define MAX_CONTACTS 64
diff --git a/queue-4.7/vb2-core-skip-planes-array-verification-if-pb-is-null.patch b/queue-4.7/vb2-core-skip-planes-array-verification-if-pb-is-null.patch
new file mode 100644
index 00000000000..ab327f910e6
--- /dev/null
+++ b/queue-4.7/vb2-core-skip-planes-array-verification-if-pb-is-null.patch
@@ -0,0 +1,53 @@
+From 126f40298446a82116e1f92a1aaf72b8c8228fae Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Wed, 11 May 2016 18:44:32 -0300
+Subject: [media] vb2: core: Skip planes array verification if pb is NULL
+
+From: Sakari Ailus
+
+commit 126f40298446a82116e1f92a1aaf72b8c8228fae upstream.
+
+An earlier patch fixing an input validation issue introduced another
+issue: vb2_core_dqbuf() is called with pb argument value NULL in some
+cases, causing a NULL pointer dereference. Fix this by skipping the
+verification as there's nothing to verify.
+
+Fixes: e7e0c3e26587 ("[media] videobuf2-core: Check user space planes array in dqbuf")
+
+Signed-off-by: David R
+Signed-off-by: Sakari Ailus
+Reviewed-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1648,7 +1648,7 @@ static int __vb2_get_done_vb(struct vb2_
+ void *pb, int nonblocking)
+ {
+ unsigned long flags;
+- int ret;
++ int ret = 0;
+
+ /*
+ * Wait for at least one buffer to become available on the done_list.
+@@ -1664,10 +1664,12 @@ static int __vb2_get_done_vb(struct vb2_
+ spin_lock_irqsave(&q->done_lock, flags);
+ *vb = list_first_entry(&q->done_list, struct vb2_buffer, done_entry);
+ /*
+- * Only remove the buffer from done_list if v4l2_buffer can handle all
+- * the planes.
++ * Only remove the buffer from done_list if all planes can be
++ * handled. Some cases such as V4L2 file I/O and DVB have pb
++ * == NULL; skip the check then as there's nothing to verify.
+ */
+- ret = call_bufop(q, verify_planes_array, *vb, pb);
++ if (pb)
++ ret = call_bufop(q, verify_planes_array, *vb, pb);
+ if (!ret)
+ list_del(&(*vb)->done_entry);
+ spin_unlock_irqrestore(&q->done_lock, flags);
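Review bot: With the new `if (pb)` guard in __vb2_get_done_vb(), the planes-array check is skipped for every caller that passes NULL, so the bound that check enforces now rests on the assumption that a NULL `pb` never leads to plane data being copied into a caller-sized array later in the dequeue. The rewritten comment names V4L2 file I/O and DVB as such callers but does not state that assumption; I would add a line to it such as `* (with pb == NULL no planes array is filled in afterwards)` once that is confirmed in the dequeue path, which is outside the hunk. The function starts and ends outside the hunks.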
diff --git a/queue-4.7/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch b/queue-4.7/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
new file mode 100644
index 00000000000..3cb624d4eb1
--- /dev/null
+++ b/queue-4.7/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
@@ -0,0 +1,56 @@
+From 83934b75c368f529d084815c463a7ef781dc9751 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+
+From: Sakari Ailus
+
+commit 83934b75c368f529d084815c463a7ef781dc9751 upstream.
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus
+Acked-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -74,6 +74,11 @@ static int __verify_planes_array(struct
+ return 0;
+ }
+
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++ return __verify_planes_array(vb, pb);
++}
++
+ /**
+ * __verify_length() - Verify that the bytesused value for each plane fits in
+ * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_
+ }
+
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++ .verify_planes_array = __verify_planes_array_core,
+ .fill_user_buffer = __fill_v4l2_buffer,
+ .fill_vb2_buffer = __fill_vb2_buffer,
+ .copy_timestamp = __copy_timestamp,
diff --git a/queue-4.7/xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch b/queue-4.7/xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch
new file mode 100644
index 00000000000..3844d4828d6
--- /dev/null
+++ b/queue-4.7/xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch
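Review bot: `__verify_planes_array_core()` is a pure pass-through with no comment, so a reader cannot tell why it exists or what `pb` has to be. From the hunk it appears to adapt the `const void *pb` signature of the `vb2_buf_ops` callback to `__verify_planes_array()`, whose own parameter list is cut off in the hunk header. I would add a short comment above it, e.g. `/* vb2_buf_ops adapter: pb is the struct v4l2_buffer passed to VIDIOC_DQBUF */`, and say there that this is the check that stops a dequeue from writing more planes than user space supplied. A NULL `pb` is forwarded unchanged, so the wrapper relies on either its caller or the callee rejecting it; the body of `__verify_planes_array()` is outside the hunk.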
@@ -0,0 +1,134 @@
+From 28b783e47ad702b8e0f4861ef94cdfce6abd7c80 Mon Sep 17 00:00:00 2001
+From: Dave Chinner
+Date: Fri, 22 Jul 2016 09:56:38 +1000
+Subject: xfs: bufferhead chains are invalid after end_page_writeback
+
+From: Dave Chinner
+
+commit 28b783e47ad702b8e0f4861ef94cdfce6abd7c80 upstream.
+
+In xfs_finish_page_writeback(), we have a loop that looks like this:
+
+ do {
+ if (off < bvec->bv_offset)
+ goto next_bh;
+ if (off > end)
+ break;
+ bh->b_end_io(bh, !error);
+next_bh:
+ off += bh->b_size;
+ } while ((bh = bh->b_this_page) != head);
+
+The b_end_io function is end_buffer_async_write(), which will call
+end_page_writeback() once all the buffers have marked as no longer
+under IO. This issue here is that the only thing currently
+protecting both the bufferhead chain and the page from being
+reclaimed is the PageWriteback state held on the page.
+
+While we attempt to limit the loop to just the buffers covered by
+the IO, we still read from the buffer size and follow the next
+pointer in the bufferhead chain. There is no guarantee that either
+of these are valid after the PageWriteback flag has been cleared.
+Hence, loops like this are completely unsafe, and result in
+use-after-free issues. One such problem was caught by Calvin Owens
+with KASAN:
+
+.....
+ INFO: Freed in 0x103fc80ec age=18446651500051355200 cpu=2165122683 pid=-1
+ free_buffer_head+0x41/0x90
+ __slab_free+0x1ed/0x340
+ kmem_cache_free+0x270/0x300
+ free_buffer_head+0x41/0x90
+ try_to_free_buffers+0x171/0x240
+ xfs_vm_releasepage+0xcb/0x3b0
+ try_to_release_page+0x106/0x190
+ shrink_page_list+0x118e/0x1a10
+ shrink_inactive_list+0x42c/0xdf0
+ shrink_zone_memcg+0xa09/0xfa0
+ shrink_zone+0x2c3/0xbc0
+.....
+ Call Trace:
+ [] dump_stack+0x68/0x94
+ [] print_trailer+0x115/0x1a0
+ [] object_err+0x34/0x40
+ [] kasan_report_error+0x217/0x530
+ [] __asan_report_load8_noabort+0x43/0x50
+ [] xfs_destroy_ioend+0x3bf/0x4c0
+ [] xfs_end_bio+0x154/0x220
+ [] bio_endio+0x158/0x1b0
+ [] blk_update_request+0x18b/0xb80
+ [] scsi_end_request+0x97/0x5a0
+ [] scsi_io_completion+0x438/0x1690
+ [] scsi_finish_command+0x375/0x4e0
+ [] scsi_softirq_done+0x280/0x340
+
+
+Where the access is occuring during IO completion after the buffer
+had been freed from direct memory reclaim.
+
+Prevent use-after-free accidents in this end_io processing loop by
+pre-calculating the loop conditionals before calling bh->b_end_io().
+The loop is already limited to just the bufferheads covered by the
+IO in progress, so the offset checks are sufficient to prevent
+accessing buffers in the chain after end_page_writeback() has been
+called by the the bh->b_end_io() callout.
+
+Yet another example of why Bufferheads Must Die.
+
+Signed-off-by: Dave Chinner
+Reported-and-Tested-by: Calvin Owens
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Brian Foster
+Signed-off-by: Dave Chinner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_aops.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -87,6 +87,12 @@ xfs_find_bdev_for_inode(
+ * We're now finished for good with this page. Update the page state via the
+ * associated buffer_heads, paying attention to the start and end offsets that
+ * we need to process on the page.
++ *
++ * Landmine Warning: bh->b_end_io() will call end_page_writeback() on the last
++ * buffer in the IO. Once it does this, it is unsafe to access the bufferhead or
++ * the page at all, as we may be racing with memory reclaim and it can free both
++ * the bufferhead chain and the page as it will see the page as clean and
++ * unused.
+ */
+ static void
+ xfs_finish_page_writeback(
+@@ -95,8 +101,9 @@ xfs_finish_page_writeback(
+ int error)
+ {
+ unsigned int end = bvec->bv_offset + bvec->bv_len - 1;
+- struct buffer_head *head, *bh;
++ struct buffer_head *head, *bh, *next;
+ unsigned int off = 0;
++ unsigned int bsize;
+
+ ASSERT(bvec->bv_offset < PAGE_SIZE);
+ ASSERT((bvec->bv_offset & ((1 << inode->i_blkbits) - 1)) == 0);
+@@ -105,15 +112,17 @@ xfs_finish_page_writeback(
+
+ bh = head = page_buffers(bvec->bv_page);
+
++ bsize = bh->b_size;
+ do {
++ next = bh->b_this_page;
+ if (off < bvec->bv_offset)
+ goto next_bh;
+ if (off > end)
+ break;
+ bh->b_end_io(bh, !error);
+ next_bh:
+- off += bh->b_size;
+- } while ((bh = bh->b_this_page) != head);
++ off += bsize;
++ } while ((bh = next) != head);
+ }
+
+ /*
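Review bot: In the rewritten loop of xfs_finish_page_writeback(), `next = bh->b_this_page;` runs before the `if (off > end) break;` test, so when buffers remain on the page past `end`, the iteration that follows the last `bh->b_end_io()` still dereferences `bh` once, which is the access the new header comment calls unsafe after end_page_writeback(). Whether a bio vector can end before the last buffer of the page is not visible here, but the `off > end` test only has a purpose if it can. Moving that test to the top of the loop body closes the gap: `if (off > end) break;` first, then `next = bh->b_this_page;`, then the `off < bvec->bv_offset` skip. `bsize` is read once from the head buffer, which assumes every buffer on the page has the same `b_size`; a one-line comment at `bsize = bh->b_size;` would record that assumption.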