From: Greg Kroah-Hartman Date: Sun, 10 Apr 2016 17:27:58 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.5.1~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2319d34dbb588e0c6342d22faa5d17642087c6bd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arc-bitops-remove-non-relevant-comments.patch arc-readl-writel-to-work-in-big-endian-cpu-configuration.patch bitops-do-not-default-to-__clear_bit-for-__clear_bit_unlock.patch drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch drm-amdgpu-include-the-right-version-of-gmc-header-files-for-iceland.patch drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch drm-radeon-don-t-drop-dp-2.7-ghz-link-setup-on-some-cards.patch fs-coredump-prevent-fsuid-0-dumps-into-user-controlled-directories.patch fuse-add-reference-counting-for-fuse_io_priv.patch fuse-do-not-use-iocb-after-it-may-have-been-freed.patch ib-ipoib-fix-for-rare-multicast-join-race-condition.patch ideapad-laptop-add-ideapad-y700-15-to-the-no_hw_rfkill-dmi-list.patch ipr-fix-out-of-bounds-null-overwrite.patch ipr-fix-regression-when-loading-firmware.patch iwlwifi-mvm-fix-paging-memory-leak.patch kbuild-mkspec-fix-grub2-installkernel-issue.patch maintainers-update-mailing-list-and-web-page-for-hwmon-subsystem.patch md-multipath-don-t-hardcopy-bio-in-.make_request-path.patch md-raid5-compare-apples-to-apples-or-sectors-to-sectors.patch md-raid5-preserve-stripe_preread_active-in-break_stripe_batch_list.patch mmc-block-fix-abi-regression-of-mmc_blk_ioctl.patch mmc-mmc_spi-add-card-detect-comments-and-fix-cd-gpio-case.patch mmc-sdhci-fix-data-timeout-part-1.patch mmc-sdhci-fix-data-timeout-part-2.patch mmc-sdhci-fix-override-of-timeout-clk-wrt-max_busy_timeout.patch net-mvneta-enable-change-mac-address-when-interface-is-up.patch of-alloc-anywhere-from-memblock-if-range-not-specified.patch quota-fix-possible-gpf-due-to-uninitialised-pointers.patch raid1-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch raid10-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch raid5-check_reshape-shouldn-t-call-mddev_suspend.patch raid5-revert-e9e4c377e2f563-to-fix-a-livelock.patch rapidio-rionet-fix-deadlock-on-smp.patch scripts-coccinelle-modernize.patch scripts-gdb-account-for-changes-in-module-data-structure.patch scripts-kconfig-allow-building-with-make-3.80-again.patch splice-handle-zero-nr_pages-in-splice_to_pipe.patch tracing-fix-crash-from-reading-trace_pipe-with-sendfile.patch tracing-fix-trace_printk-to-print-when-not-using-bprintk.patch tracing-have-preempt-irqs-off-trace-preempt-disabled-functions.patch vfs-show_vfsstat-do-not-ignore-errors-from-show_devname-method.patch xfs-fix-two-memory-leaks-in-xfs_attr_list.c-error-paths.patch xtensa-clear-all-dbreakc-registers-on-start.patch xtensa-fix-preemption-in-clear-copy-_user_highpage.patch xtensa-iss-don-t-hang-if-stdin-eof-is-reached.patch --- diff --git a/queue-4.4/arc-bitops-remove-non-relevant-comments.patch b/queue-4.4/arc-bitops-remove-non-relevant-comments.patch new file mode 100644 index 00000000000..a3bd6e47243 --- /dev/null +++ b/queue-4.4/arc-bitops-remove-non-relevant-comments.patch @@ -0,0 +1,44 @@ +From 2a41b6dc28dc71c1a3f1622612a26edc58f7561e Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 8 Mar 2016 19:31:24 +0530 +Subject: ARC: bitops: Remove non relevant comments + +From: Vineet Gupta + +commit 2a41b6dc28dc71c1a3f1622612a26edc58f7561e upstream. + +commit 80f420842ff42 removed the ARC bitops microoptimization but failed +to prune the comments to same effect + +Fixes: 80f420842ff42 ("ARC: Make ARC bitops "safer" (add anti-optimization)") +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/bitops.h | 15 --------------- + 1 file changed, 15 deletions(-) + +--- a/arch/arc/include/asm/bitops.h ++++ b/arch/arc/include/asm/bitops.h +@@ -35,21 +35,6 @@ static inline void op##_bit(unsigned lon + \ + m += nr >> 5; \ + \ +- /* \ +- * ARC ISA micro-optimization: \ +- * \ +- * Instructions dealing with bitpos only consider lower 5 bits \ +- * e.g (x << 33) is handled like (x << 1) by ASL instruction \ +- * (mem pointer still needs adjustment to point to next word) \ +- * \ +- * Hence the masking to clamp @nr arg can be elided in general. \ +- * \ +- * However if @nr is a constant (above assumed in a register), \ +- * and greater than 31, gcc can optimize away (x << 33) to 0, \ +- * as overflow, given the 32-bit ISA. Thus masking needs to be \ +- * done for const @nr, but no code is generated due to gcc \ +- * const prop. \ +- */ \ + nr &= 0x1f; \ + \ + __asm__ __volatile__( \ diff --git a/queue-4.4/arc-readl-writel-to-work-in-big-endian-cpu-configuration.patch b/queue-4.4/arc-readl-writel-to-work-in-big-endian-cpu-configuration.patch new file mode 100644 index 00000000000..29a89d2ea34 --- /dev/null +++ b/queue-4.4/arc-readl-writel-to-work-in-big-endian-cpu-configuration.patch @@ -0,0 +1,66 @@ +From f778cc65717687a3d3f26dd21bef62cd059f1b8b Mon Sep 17 00:00:00 2001 +From: Lada Trimasova +Date: Wed, 9 Mar 2016 20:21:04 +0300 +Subject: ARC: [BE] readl()/writel() to work in Big Endian CPU configuration + +From: Lada Trimasova + +commit f778cc65717687a3d3f26dd21bef62cd059f1b8b upstream. + +read{l,w}() write{l,w}() primitives should use le{16,32}_to_cpu() and +cpu_to_le{16,32}() respectively to ensure device registers are read +correctly in Big Endian CPU configuration. + +Per Arnd Bergmann +| Most drivers using readl() or readl_relaxed() expect those to perform byte +| swaps on big-endian architectures, as the registers tend to be fixed endian + +This was needed for getting UART to work correctly on a Big Endian ARC. + +The ARC accessors originally were fine, and the bug got introduced +inadventently by commit b8a033023994 ("ARCv2: barriers") + +Fixes: b8a033023994 ("ARCv2: barriers") +Link: http://lkml.kernel.org/r/201603100845.30602.arnd@arndb.de +Cc: Alexey Brodkin +Cc: Arnd Bergmann +Signed-off-by: Lada Trimasova +[vgupta: beefed up changelog, added Fixes/stable tags] +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/io.h | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/arch/arc/include/asm/io.h ++++ b/arch/arc/include/asm/io.h +@@ -129,15 +129,23 @@ static inline void __raw_writel(u32 w, v + #define writel(v,c) ({ __iowmb(); writel_relaxed(v,c); }) + + /* +- * Relaxed API for drivers which can handle any ordering themselves ++ * Relaxed API for drivers which can handle barrier ordering themselves ++ * ++ * Also these are defined to perform little endian accesses. ++ * To provide the typical device register semantics of fixed endian, ++ * swap the byte order for Big Endian ++ * ++ * http://lkml.kernel.org/r/201603100845.30602.arnd@arndb.de + */ + #define readb_relaxed(c) __raw_readb(c) +-#define readw_relaxed(c) __raw_readw(c) +-#define readl_relaxed(c) __raw_readl(c) ++#define readw_relaxed(c) ({ u16 __r = le16_to_cpu((__force __le16) \ ++ __raw_readw(c)); __r; }) ++#define readl_relaxed(c) ({ u32 __r = le32_to_cpu((__force __le32) \ ++ __raw_readl(c)); __r; }) + + #define writeb_relaxed(v,c) __raw_writeb(v,c) +-#define writew_relaxed(v,c) __raw_writew(v,c) +-#define writel_relaxed(v,c) __raw_writel(v,c) ++#define writew_relaxed(v,c) __raw_writew((__force u16) cpu_to_le16(v),c) ++#define writel_relaxed(v,c) __raw_writel((__force u32) cpu_to_le32(v),c) + + #include + diff --git a/queue-4.4/bitops-do-not-default-to-__clear_bit-for-__clear_bit_unlock.patch b/queue-4.4/bitops-do-not-default-to-__clear_bit-for-__clear_bit_unlock.patch new file mode 100644 index 00000000000..5c044c03020 --- /dev/null +++ b/queue-4.4/bitops-do-not-default-to-__clear_bit-for-__clear_bit_unlock.patch @@ -0,0 +1,84 @@ +From f75d48644c56a31731d17fa693c8175328957e1d Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 9 Mar 2016 12:40:54 +0100 +Subject: bitops: Do not default to __clear_bit() for __clear_bit_unlock() + +From: Peter Zijlstra + +commit f75d48644c56a31731d17fa693c8175328957e1d upstream. + +__clear_bit_unlock() is a special little snowflake. While it carries the +non-atomic '__' prefix, it is specifically documented to pair with +test_and_set_bit() and therefore should be 'somewhat' atomic. + +Therefore the generic implementation of __clear_bit_unlock() cannot use +the fully non-atomic __clear_bit() as a default. + +If an arch is able to do better; is must provide an implementation of +__clear_bit_unlock() itself. + +Specifically, this came up as a result of hackbench livelock'ing in +slab_lock() on ARC with SMP + SLUB + !LLSC. + +The issue was incorrect pairing of atomic ops. + + slab_lock() -> bit_spin_lock() -> test_and_set_bit() + slab_unlock() -> __bit_spin_unlock() -> __clear_bit() + +The non serializing __clear_bit() was getting "lost" + + 80543b8e: ld_s r2,[r13,0] <--- (A) Finds PG_locked is set + 80543b90: or r3,r2,1 <--- (B) other core unlocks right here + 80543b94: st_s r3,[r13,0] <--- (C) sets PG_locked (overwrites unlock) + +Fixes ARC STAR 9000817404 (and probably more). + +Reported-by: Vineet Gupta +Tested-by: Vineet Gupta +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Christoph Lameter +Cc: David Rientjes +Cc: Helge Deller +Cc: James E.J. Bottomley +Cc: Joonsoo Kim +Cc: Linus Torvalds +Cc: Noam Camus +Cc: Paul E. McKenney +Cc: Pekka Enberg +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20160309114054.GJ6356@twins.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-generic/bitops/lock.h | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/include/asm-generic/bitops/lock.h ++++ b/include/asm-generic/bitops/lock.h +@@ -29,16 +29,16 @@ do { \ + * @nr: the bit to set + * @addr: the address to start counting from + * +- * This operation is like clear_bit_unlock, however it is not atomic. +- * It does provide release barrier semantics so it can be used to unlock +- * a bit lock, however it would only be used if no other CPU can modify +- * any bits in the memory until the lock is released (a good example is +- * if the bit lock itself protects access to the other bits in the word). ++ * A weaker form of clear_bit_unlock() as used by __bit_lock_unlock(). If all ++ * the bits in the word are protected by this lock some archs can use weaker ++ * ops to safely unlock. ++ * ++ * See for example x86's implementation. + */ + #define __clear_bit_unlock(nr, addr) \ + do { \ +- smp_mb(); \ +- __clear_bit(nr, addr); \ ++ smp_mb__before_atomic(); \ ++ clear_bit(nr, addr); \ + } while (0) + + #endif /* _ASM_GENERIC_BITOPS_LOCK_H_ */ diff --git a/queue-4.4/drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch b/queue-4.4/drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch new file mode 100644 index 00000000000..d9a25d87af7 --- /dev/null +++ b/queue-4.4/drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch @@ -0,0 +1,73 @@ +From bedf2a65c1aa8fb29ba8527fd00c0f68ec1f55f1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 2 Mar 2016 12:10:20 -0500 +Subject: drm/amdgpu: disable runtime pm on PX laptops without dGPU power control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit bedf2a65c1aa8fb29ba8527fd00c0f68ec1f55f1 upstream. + +Some PX laptops don't provide an ACPI method to control dGPU power. On +those systems, the driver is responsible for handling the dGPU power +state. Disable runtime PM on them until support for this is implemented. + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 8 ++++---- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 +++++++- + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c +@@ -63,6 +63,10 @@ bool amdgpu_has_atpx(void) { + return amdgpu_atpx_priv.atpx_detected; + } + ++bool amdgpu_has_atpx_dgpu_power_cntl(void) { ++ return amdgpu_atpx_priv.atpx.functions.power_cntl; ++} ++ + /** + * amdgpu_atpx_call - call an ATPX method + * +@@ -142,10 +146,6 @@ static void amdgpu_atpx_parse_functions( + */ + static int amdgpu_atpx_validate(struct amdgpu_atpx *atpx) + { +- /* make sure required functions are enabled */ +- /* dGPU power control is required */ +- atpx->functions.power_cntl = true; +- + if (atpx->functions.px_params) { + union acpi_object *info; + struct atpx_px_params output; +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -61,6 +61,12 @@ static const char *amdgpu_asic_name[] = + "LAST", + }; + ++#if defined(CONFIG_VGA_SWITCHEROO) ++bool amdgpu_has_atpx_dgpu_power_cntl(void); ++#else ++static inline bool amdgpu_has_atpx_dgpu_power_cntl(void) { return false; } ++#endif ++ + bool amdgpu_device_is_px(struct drm_device *dev) + { + struct amdgpu_device *adev = dev->dev_private; +@@ -1469,7 +1475,7 @@ int amdgpu_device_init(struct amdgpu_dev + + if (amdgpu_runtime_pm == 1) + runtime = true; +- if (amdgpu_device_is_px(ddev)) ++ if (amdgpu_device_is_px(ddev) && amdgpu_has_atpx_dgpu_power_cntl()) + runtime = true; + vga_switcheroo_register_client(adev->pdev, &amdgpu_switcheroo_ops, runtime); + if (runtime) diff --git a/queue-4.4/drm-amdgpu-include-the-right-version-of-gmc-header-files-for-iceland.patch b/queue-4.4/drm-amdgpu-include-the-right-version-of-gmc-header-files-for-iceland.patch new file mode 100644 index 00000000000..054ff541c3b --- /dev/null +++ b/queue-4.4/drm-amdgpu-include-the-right-version-of-gmc-header-files-for-iceland.patch @@ -0,0 +1,30 @@ +From 16a8a49be1b878ef6dd5d1663d456e254e54ae3d Mon Sep 17 00:00:00 2001 +From: Ken Wang +Date: Thu, 17 Mar 2016 17:26:57 +0800 +Subject: drm/amdgpu: include the right version of gmc header files for iceland + +From: Ken Wang + +commit 16a8a49be1b878ef6dd5d1663d456e254e54ae3d upstream. + +Signed-off-by: Ken Wang +Reviewed-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c +@@ -32,8 +32,8 @@ + #include "oss/oss_2_4_d.h" + #include "oss/oss_2_4_sh_mask.h" + +-#include "gmc/gmc_8_1_d.h" +-#include "gmc/gmc_8_1_sh_mask.h" ++#include "gmc/gmc_7_1_d.h" ++#include "gmc/gmc_7_1_sh_mask.h" + + #include "gca/gfx_8_0_d.h" + #include "gca/gfx_8_0_enum.h" diff --git a/queue-4.4/drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch b/queue-4.4/drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch new file mode 100644 index 00000000000..cf5daa9077f --- /dev/null +++ b/queue-4.4/drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch @@ -0,0 +1,73 @@ +From e64c952efb8e0c15ae82cec8e455ab4910690ef1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 2 Mar 2016 11:47:29 -0500 +Subject: drm/radeon: disable runtime pm on PX laptops without dGPU power control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit e64c952efb8e0c15ae82cec8e455ab4910690ef1 upstream. + +Some PX laptops don't provide an ACPI method to control dGPU power. On +those systems, the driver is responsible for handling the dGPU power +state. Disable runtime PM on them until support for this is implemented. + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_atpx_handler.c | 8 ++++---- + drivers/gpu/drm/radeon/radeon_device.c | 8 +++++++- + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c ++++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c +@@ -62,6 +62,10 @@ bool radeon_has_atpx(void) { + return radeon_atpx_priv.atpx_detected; + } + ++bool radeon_has_atpx_dgpu_power_cntl(void) { ++ return radeon_atpx_priv.atpx.functions.power_cntl; ++} ++ + /** + * radeon_atpx_call - call an ATPX method + * +@@ -141,10 +145,6 @@ static void radeon_atpx_parse_functions( + */ + static int radeon_atpx_validate(struct radeon_atpx *atpx) + { +- /* make sure required functions are enabled */ +- /* dGPU power control is required */ +- atpx->functions.power_cntl = true; +- + if (atpx->functions.px_params) { + union acpi_object *info; + struct atpx_px_params output; +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -103,6 +103,12 @@ static const char radeon_family_name[][1 + "LAST", + }; + ++#if defined(CONFIG_VGA_SWITCHEROO) ++bool radeon_has_atpx_dgpu_power_cntl(void); ++#else ++static inline bool radeon_has_atpx_dgpu_power_cntl(void) { return false; } ++#endif ++ + #define RADEON_PX_QUIRK_DISABLE_PX (1 << 0) + #define RADEON_PX_QUIRK_LONG_WAKEUP (1 << 1) + +@@ -1433,7 +1439,7 @@ int radeon_device_init(struct radeon_dev + * ignore it */ + vga_client_register(rdev->pdev, rdev, NULL, radeon_vga_set_decode); + +- if (rdev->flags & RADEON_IS_PX) ++ if ((rdev->flags & RADEON_IS_PX) && radeon_has_atpx_dgpu_power_cntl()) + runtime = true; + vga_switcheroo_register_client(rdev->pdev, &radeon_switcheroo_ops, runtime); + if (runtime) diff --git a/queue-4.4/drm-radeon-don-t-drop-dp-2.7-ghz-link-setup-on-some-cards.patch b/queue-4.4/drm-radeon-don-t-drop-dp-2.7-ghz-link-setup-on-some-cards.patch new file mode 100644 index 00000000000..682d809c211 --- /dev/null +++ b/queue-4.4/drm-radeon-don-t-drop-dp-2.7-ghz-link-setup-on-some-cards.patch @@ -0,0 +1,51 @@ +From 459ee1c3fd097ab56ababd8ff4bb7ef6a792de33 Mon Sep 17 00:00:00 2001 +From: Mario Kleiner +Date: Sun, 6 Mar 2016 02:39:53 +0100 +Subject: drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards. + +From: Mario Kleiner + +commit 459ee1c3fd097ab56ababd8ff4bb7ef6a792de33 upstream. + +As observed on Apple iMac10,1, DCE-3.2, RV-730, +link rate of 2.7 Ghz is not selected, because +the args.v1.ucConfig flag setting for 2.7 Ghz +gets overwritten by a following assignment of +the transmitter to use. + +Move link rate setup a few lines down to fix this. +In practice this didn't have any positive or +negative effect on display setup on the tested +iMac10,1 so i don't know if backporting to stable +makes sense or not. + +Signed-off-by: Mario Kleiner +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_encoders.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -892,8 +892,6 @@ atombios_dig_encoder_setup2(struct drm_e + else + args.v1.ucLaneNum = 4; + +- if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) +- args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; + switch (radeon_encoder->encoder_id) { + case ENCODER_OBJECT_ID_INTERNAL_UNIPHY: + args.v1.ucConfig = ATOM_ENCODER_CONFIG_V2_TRANSMITTER1; +@@ -910,6 +908,10 @@ atombios_dig_encoder_setup2(struct drm_e + args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKB; + else + args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKA; ++ ++ if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000)) ++ args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ; ++ + break; + case 2: + case 3: diff --git a/queue-4.4/fs-coredump-prevent-fsuid-0-dumps-into-user-controlled-directories.patch b/queue-4.4/fs-coredump-prevent-fsuid-0-dumps-into-user-controlled-directories.patch new file mode 100644 index 00000000000..2383ce3728a --- /dev/null +++ b/queue-4.4/fs-coredump-prevent-fsuid-0-dumps-into-user-controlled-directories.patch @@ -0,0 +1,165 @@ +From 378c6520e7d29280f400ef2ceaf155c86f05a71a Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 22 Mar 2016 14:25:36 -0700 +Subject: fs/coredump: prevent fsuid=0 dumps into user-controlled directories + +From: Jann Horn + +commit 378c6520e7d29280f400ef2ceaf155c86f05a71a upstream. + +This commit fixes the following security hole affecting systems where +all of the following conditions are fulfilled: + + - The fs.suid_dumpable sysctl is set to 2. + - The kernel.core_pattern sysctl's value starts with "/". (Systems + where kernel.core_pattern starts with "|/" are not affected.) + - Unprivileged user namespace creation is permitted. (This is + true on Linux >=3.8, but some distributions disallow it by + default using a distro patch.) + +Under these conditions, if a program executes under secure exec rules, +causing it to run with the SUID_DUMP_ROOT flag, then unshares its user +namespace, changes its root directory and crashes, the coredump will be +written using fsuid=0 and a path derived from kernel.core_pattern - but +this path is interpreted relative to the root directory of the process, +allowing the attacker to control where a coredump will be written with +root privileges. + +To fix the security issue, always interpret core_pattern for dumps that +are written under SUID_DUMP_ROOT relative to the root directory of init. + +Signed-off-by: Jann Horn +Acked-by: Kees Cook +Cc: Al Viro +Cc: "Eric W. Biederman" +Cc: Andy Lutomirski +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/mconsole_kern.c | 2 +- + fs/coredump.c | 30 ++++++++++++++++++++++++++---- + fs/fhandle.c | 2 +- + fs/open.c | 6 ++---- + include/linux/fs.h | 2 +- + kernel/sysctl_binary.c | 2 +- + 6 files changed, 32 insertions(+), 12 deletions(-) + +--- a/arch/um/drivers/mconsole_kern.c ++++ b/arch/um/drivers/mconsole_kern.c +@@ -133,7 +133,7 @@ void mconsole_proc(struct mc_request *re + ptr += strlen("proc"); + ptr = skip_spaces(ptr); + +- file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY); ++ file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY, 0); + if (IS_ERR(file)) { + mconsole_reply(req, "Failed to open file", 1, 0); + printk(KERN_ERR "open /proc/%s: %ld\n", ptr, PTR_ERR(file)); +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -32,6 +32,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include + #include +@@ -627,6 +630,8 @@ void do_coredump(const siginfo_t *siginf + } + } else { + struct inode *inode; ++ int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW | ++ O_LARGEFILE | O_EXCL; + + if (cprm.limit < binfmt->min_coredump) + goto fail_unlock; +@@ -665,10 +670,27 @@ void do_coredump(const siginfo_t *siginf + * what matters is that at least one of the two processes + * writes its coredump successfully, not which one. + */ +- cprm.file = filp_open(cn.corename, +- O_CREAT | 2 | O_NOFOLLOW | +- O_LARGEFILE | O_EXCL, +- 0600); ++ if (need_suid_safe) { ++ /* ++ * Using user namespaces, normal user tasks can change ++ * their current->fs->root to point to arbitrary ++ * directories. Since the intention of the "only dump ++ * with a fully qualified path" rule is to control where ++ * coredumps may be placed using root privileges, ++ * current->fs->root must not be used. Instead, use the ++ * root directory of init_task. ++ */ ++ struct path root; ++ ++ task_lock(&init_task); ++ get_fs_root(init_task.fs, &root); ++ task_unlock(&init_task); ++ cprm.file = file_open_root(root.dentry, root.mnt, ++ cn.corename, open_flags, 0600); ++ path_put(&root); ++ } else { ++ cprm.file = filp_open(cn.corename, open_flags, 0600); ++ } + if (IS_ERR(cprm.file)) + goto fail_unlock; + +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -228,7 +228,7 @@ long do_handle_open(int mountdirfd, + path_put(&path); + return fd; + } +- file = file_open_root(path.dentry, path.mnt, "", open_flag); ++ file = file_open_root(path.dentry, path.mnt, "", open_flag, 0); + if (IS_ERR(file)) { + put_unused_fd(fd); + retval = PTR_ERR(file); +--- a/fs/open.c ++++ b/fs/open.c +@@ -995,14 +995,12 @@ struct file *filp_open(const char *filen + EXPORT_SYMBOL(filp_open); + + struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt, +- const char *filename, int flags) ++ const char *filename, int flags, umode_t mode) + { + struct open_flags op; +- int err = build_open_flags(flags, 0, &op); ++ int err = build_open_flags(flags, mode, &op); + if (err) + return ERR_PTR(err); +- if (flags & O_CREAT) +- return ERR_PTR(-EINVAL); + return do_file_open_root(dentry, mnt, filename, &op); + } + EXPORT_SYMBOL(file_open_root); +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2217,7 +2217,7 @@ extern long do_sys_open(int dfd, const c + extern struct file *file_open_name(struct filename *, int, umode_t); + extern struct file *filp_open(const char *, int, umode_t); + extern struct file *file_open_root(struct dentry *, struct vfsmount *, +- const char *, int); ++ const char *, int, umode_t); + extern struct file * dentry_open(const struct path *, int, const struct cred *); + extern int filp_close(struct file *, fl_owner_t id); + +--- a/kernel/sysctl_binary.c ++++ b/kernel/sysctl_binary.c +@@ -1321,7 +1321,7 @@ static ssize_t binary_sysctl(const int * + } + + mnt = task_active_pid_ns(current)->proc_mnt; +- file = file_open_root(mnt->mnt_root, mnt, pathname, flags); ++ file = file_open_root(mnt->mnt_root, mnt, pathname, flags, 0); + result = PTR_ERR(file); + if (IS_ERR(file)) + goto out_putname; diff --git a/queue-4.4/fuse-add-reference-counting-for-fuse_io_priv.patch b/queue-4.4/fuse-add-reference-counting-for-fuse_io_priv.patch new file mode 100644 index 00000000000..14acc3f26c8 --- /dev/null +++ b/queue-4.4/fuse-add-reference-counting-for-fuse_io_priv.patch @@ -0,0 +1,195 @@ +From 744742d692e37ad5c20630e57d526c8f2e2fe3c9 Mon Sep 17 00:00:00 2001 +From: Seth Forshee +Date: Fri, 11 Mar 2016 10:35:34 -0600 +Subject: fuse: Add reference counting for fuse_io_priv + +From: Seth Forshee + +commit 744742d692e37ad5c20630e57d526c8f2e2fe3c9 upstream. + +The 'reqs' member of fuse_io_priv serves two purposes. First is to track +the number of oustanding async requests to the server and to signal that +the io request is completed. The second is to be a reference count on the +structure to know when it can be freed. + +For sync io requests these purposes can be at odds. fuse_direct_IO() wants +to block until the request is done, and since the signal is sent when +'reqs' reaches 0 it cannot keep a reference to the object. Yet it needs to +use the object after the userspace server has completed processing +requests. This leads to some handshaking and special casing that it +needlessly complicated and responsible for at least one race condition. + +It's much cleaner and safer to maintain a separate reference count for the +object lifecycle and to let 'reqs' just be a count of outstanding requests +to the userspace server. Then we can know for sure when it is safe to free +the object without any handshaking or special cases. + +The catch here is that most of the time these objects are stack allocated +and should not be freed. Initializing these objects with a single reference +that is never released prevents accidental attempts to free the objects. + +Fixes: 9d5722b7777e ("fuse: handle synchronous iocbs internally") +Signed-off-by: Seth Forshee +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/cuse.c | 4 ++-- + fs/fuse/file.c | 28 +++++++++++++++++++++------- + fs/fuse/fuse_i.h | 9 +++++++++ + 3 files changed, 32 insertions(+), 9 deletions(-) + +--- a/fs/fuse/cuse.c ++++ b/fs/fuse/cuse.c +@@ -90,7 +90,7 @@ static struct list_head *cuse_conntbl_he + + static ssize_t cuse_read_iter(struct kiocb *kiocb, struct iov_iter *to) + { +- struct fuse_io_priv io = { .async = 0, .file = kiocb->ki_filp }; ++ struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(kiocb->ki_filp); + loff_t pos = 0; + + return fuse_direct_io(&io, to, &pos, FUSE_DIO_CUSE); +@@ -98,7 +98,7 @@ static ssize_t cuse_read_iter(struct kio + + static ssize_t cuse_write_iter(struct kiocb *kiocb, struct iov_iter *from) + { +- struct fuse_io_priv io = { .async = 0, .file = kiocb->ki_filp }; ++ struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(kiocb->ki_filp); + loff_t pos = 0; + /* + * No locking or generic_write_checks(), the server is +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -528,6 +528,11 @@ static void fuse_release_user_pages(stru + } + } + ++static void fuse_io_release(struct kref *kref) ++{ ++ kfree(container_of(kref, struct fuse_io_priv, refcnt)); ++} ++ + static ssize_t fuse_get_res_by_io(struct fuse_io_priv *io) + { + if (io->err) +@@ -585,8 +590,9 @@ static void fuse_aio_complete(struct fus + } + + io->iocb->ki_complete(io->iocb, res, 0); +- kfree(io); + } ++ ++ kref_put(&io->refcnt, fuse_io_release); + } + + static void fuse_aio_complete_req(struct fuse_conn *fc, struct fuse_req *req) +@@ -613,6 +619,7 @@ static size_t fuse_async_req_send(struct + size_t num_bytes, struct fuse_io_priv *io) + { + spin_lock(&io->lock); ++ kref_get(&io->refcnt); + io->size += num_bytes; + io->reqs++; + spin_unlock(&io->lock); +@@ -691,7 +698,7 @@ static void fuse_short_read(struct fuse_ + + static int fuse_do_readpage(struct file *file, struct page *page) + { +- struct fuse_io_priv io = { .async = 0, .file = file }; ++ struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file); + struct inode *inode = page->mapping->host; + struct fuse_conn *fc = get_fuse_conn(inode); + struct fuse_req *req; +@@ -984,7 +991,7 @@ static size_t fuse_send_write_pages(stru + size_t res; + unsigned offset; + unsigned i; +- struct fuse_io_priv io = { .async = 0, .file = file }; ++ struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file); + + for (i = 0; i < req->num_pages; i++) + fuse_wait_on_page_writeback(inode, req->pages[i]->index); +@@ -1398,7 +1405,7 @@ static ssize_t __fuse_direct_read(struct + + static ssize_t fuse_direct_read_iter(struct kiocb *iocb, struct iov_iter *to) + { +- struct fuse_io_priv io = { .async = 0, .file = iocb->ki_filp }; ++ struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(iocb->ki_filp); + return __fuse_direct_read(&io, to, &iocb->ki_pos); + } + +@@ -1406,7 +1413,7 @@ static ssize_t fuse_direct_write_iter(st + { + struct file *file = iocb->ki_filp; + struct inode *inode = file_inode(file); +- struct fuse_io_priv io = { .async = 0, .file = file }; ++ struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file); + ssize_t res; + + if (is_bad_inode(inode)) +@@ -2807,6 +2814,7 @@ fuse_direct_IO(struct kiocb *iocb, struc + if (!io) + return -ENOMEM; + spin_lock_init(&io->lock); ++ kref_init(&io->refcnt); + io->reqs = 1; + io->bytes = -1; + io->size = 0; +@@ -2830,8 +2838,14 @@ fuse_direct_IO(struct kiocb *iocb, struc + iov_iter_rw(iter) == WRITE) + io->async = false; + +- if (io->async && is_sync) ++ if (io->async && is_sync) { ++ /* ++ * Additional reference to keep io around after ++ * calling fuse_aio_complete() ++ */ ++ kref_get(&io->refcnt); + io->done = &wait; ++ } + + if (iov_iter_rw(iter) == WRITE) { + ret = fuse_direct_io(io, iter, &pos, FUSE_DIO_WRITE); +@@ -2851,7 +2865,7 @@ fuse_direct_IO(struct kiocb *iocb, struc + ret = fuse_get_res_by_io(io); + } + +- kfree(io); ++ kref_put(&io->refcnt, fuse_io_release); + + if (iov_iter_rw(iter) == WRITE) { + if (ret > 0) +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + /** Max number of pages that can be used in a single read request */ + #define FUSE_MAX_PAGES_PER_REQ 32 +@@ -243,6 +244,7 @@ struct fuse_args { + + /** The request IO state (for asynchronous processing) */ + struct fuse_io_priv { ++ struct kref refcnt; + int async; + spinlock_t lock; + unsigned reqs; +@@ -256,6 +258,13 @@ struct fuse_io_priv { + struct completion *done; + }; + ++#define FUSE_IO_PRIV_SYNC(f) \ ++{ \ ++ .refcnt = { ATOMIC_INIT(1) }, \ ++ .async = 0, \ ++ .file = f, \ ++} ++ + /** + * Request flags + * diff --git a/queue-4.4/fuse-do-not-use-iocb-after-it-may-have-been-freed.patch b/queue-4.4/fuse-do-not-use-iocb-after-it-may-have-been-freed.patch new file mode 100644 index 00000000000..e3ea84ac9fa --- /dev/null +++ b/queue-4.4/fuse-do-not-use-iocb-after-it-may-have-been-freed.patch @@ -0,0 +1,60 @@ +From 7cabc61e01a0a8b663bd2b4c982aa53048218734 Mon Sep 17 00:00:00 2001 +From: Robert Doebbelin +Date: Mon, 7 Mar 2016 09:50:56 +0100 +Subject: fuse: do not use iocb after it may have been freed + +From: Robert Doebbelin + +commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 upstream. + +There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an +iocb that could have been freed if async io has already completed. The fix +in this case is simple and obvious: cache the result before starting io. + +It was discovered by KASan: + +kernel: ================================================================== +kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390 + +Signed-off-by: Robert Doebbelin +Signed-off-by: Miklos Szeredi +Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO") +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -2786,6 +2786,7 @@ fuse_direct_IO(struct kiocb *iocb, struc + loff_t i_size; + size_t count = iov_iter_count(iter); + struct fuse_io_priv *io; ++ bool is_sync = is_sync_kiocb(iocb); + + pos = offset; + inode = file->f_mapping->host; +@@ -2825,11 +2826,11 @@ fuse_direct_IO(struct kiocb *iocb, struc + * to wait on real async I/O requests, so we must submit this request + * synchronously. + */ +- if (!is_sync_kiocb(iocb) && (offset + count > i_size) && ++ if (!is_sync && (offset + count > i_size) && + iov_iter_rw(iter) == WRITE) + io->async = false; + +- if (io->async && is_sync_kiocb(iocb)) ++ if (io->async && is_sync) + io->done = &wait; + + if (iov_iter_rw(iter) == WRITE) { +@@ -2843,7 +2844,7 @@ fuse_direct_IO(struct kiocb *iocb, struc + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); + + /* we have a non-extending, async request, so return */ +- if (!is_sync_kiocb(iocb)) ++ if (!is_sync) + return -EIOCBQUEUED; + + wait_for_completion(&wait); diff --git a/queue-4.4/ib-ipoib-fix-for-rare-multicast-join-race-condition.patch b/queue-4.4/ib-ipoib-fix-for-rare-multicast-join-race-condition.patch new file mode 100644 index 00000000000..0877ec0bb01 --- /dev/null +++ b/queue-4.4/ib-ipoib-fix-for-rare-multicast-join-race-condition.patch @@ -0,0 +1,134 @@ +From 08bc327629cbd63bb2f66677e4b33b643695097c Mon Sep 17 00:00:00 2001 +From: Alex Estrin +Date: Thu, 11 Feb 2016 16:30:51 -0500 +Subject: IB/ipoib: fix for rare multicast join race condition + +From: Alex Estrin + +commit 08bc327629cbd63bb2f66677e4b33b643695097c upstream. + +A narrow window for race condition still exist between +multicast join thread and *dev_flush workers. +A kernel crash caused by prolong erratic link state changes +was observed (most likely a faulty cabling): + +[167275.656270] BUG: unable to handle kernel NULL pointer dereference at +0000000000000020 +[167275.665973] IP: [] ipoib_mcast_join+0xae/0x1d0 [ib_ipoib] +[167275.674443] PGD 0 +[167275.677373] Oops: 0000 [#1] SMP +... +[167275.977530] Call Trace: +[167275.982225] [] ? ipoib_mcast_free+0x200/0x200 [ib_ipoib] +[167275.992024] [] ipoib_mcast_join_task+0x2a7/0x490 +[ib_ipoib] +[167276.002149] [] process_one_work+0x17b/0x470 +[167276.010754] [] worker_thread+0x11b/0x400 +[167276.019088] [] ? rescuer_thread+0x400/0x400 +[167276.027737] [] kthread+0xcf/0xe0 +Here was a hit spot: +ipoib_mcast_join() { +.............. + rec.qkey = priv->broadcast->mcmember.qkey; + ^^^^^^^ +..... + } +Proposed patch should prevent multicast join task to continue +if link state change is detected. + +Signed-off-by: Alex Estrin +Changes from v4: +- as suggested by Doug Ledford, optimized spinlock usage, +i.e. ipoib_mcast_join() is called with lock held. +Changes from v3: +- sync with priv->lock before flag check. +Chages from v2: +- Move check for OPER_UP flag state to mcast_join() to +ensure no event worker is in progress. +- minor style fixes. +Changes from v1: +- No need to lock again if error detected. +Signed-off-by: Doug Ledford +Cc: Nikolay Borisov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -456,7 +456,10 @@ out_locked: + return status; + } + +-static void ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast) ++/* ++ * Caller must hold 'priv->lock' ++ */ ++static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast) + { + struct ipoib_dev_priv *priv = netdev_priv(dev); + struct ib_sa_multicast *multicast; +@@ -466,6 +469,10 @@ static void ipoib_mcast_join(struct net_ + ib_sa_comp_mask comp_mask; + int ret = 0; + ++ if (!priv->broadcast || ++ !test_bit(IPOIB_FLAG_OPER_UP, &priv->flags)) ++ return -EINVAL; ++ + ipoib_dbg_mcast(priv, "joining MGID %pI6\n", mcast->mcmember.mgid.raw); + + rec.mgid = mcast->mcmember.mgid; +@@ -525,20 +532,23 @@ static void ipoib_mcast_join(struct net_ + rec.join_state = 4; + #endif + } ++ spin_unlock_irq(&priv->lock); + + multicast = ib_sa_join_multicast(&ipoib_sa_client, priv->ca, priv->port, + &rec, comp_mask, GFP_KERNEL, + ipoib_mcast_join_complete, mcast); ++ spin_lock_irq(&priv->lock); + if (IS_ERR(multicast)) { + ret = PTR_ERR(multicast); + ipoib_warn(priv, "ib_sa_join_multicast failed, status %d\n", ret); +- spin_lock_irq(&priv->lock); + /* Requeue this join task with a backoff delay */ + __ipoib_mcast_schedule_join_thread(priv, mcast, 1); + clear_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); + spin_unlock_irq(&priv->lock); + complete(&mcast->done); ++ spin_lock_irq(&priv->lock); + } ++ return 0; + } + + void ipoib_mcast_join_task(struct work_struct *work) +@@ -620,9 +630,10 @@ void ipoib_mcast_join_task(struct work_s + /* Found the next unjoined group */ + init_completion(&mcast->done); + set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); +- spin_unlock_irq(&priv->lock); +- ipoib_mcast_join(dev, mcast); +- spin_lock_irq(&priv->lock); ++ if (ipoib_mcast_join(dev, mcast)) { ++ spin_unlock_irq(&priv->lock); ++ return; ++ } + } else if (!delay_until || + time_before(mcast->delay_until, delay_until)) + delay_until = mcast->delay_until; +@@ -641,10 +652,9 @@ out: + if (mcast) { + init_completion(&mcast->done); + set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); ++ ipoib_mcast_join(dev, mcast); + } + spin_unlock_irq(&priv->lock); +- if (mcast) +- ipoib_mcast_join(dev, mcast); + } + + int ipoib_mcast_start_thread(struct net_device *dev) diff --git a/queue-4.4/ideapad-laptop-add-ideapad-y700-15-to-the-no_hw_rfkill-dmi-list.patch b/queue-4.4/ideapad-laptop-add-ideapad-y700-15-to-the-no_hw_rfkill-dmi-list.patch new file mode 100644 index 00000000000..966afa42004 --- /dev/null +++ b/queue-4.4/ideapad-laptop-add-ideapad-y700-15-to-the-no_hw_rfkill-dmi-list.patch @@ -0,0 +1,48 @@ +From 4db9675d927a71faa66e5ab128d2390d6329750b Mon Sep 17 00:00:00 2001 +From: John Dahlstrom +Date: Sat, 27 Feb 2016 00:09:58 -0600 +Subject: ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list + +From: John Dahlstrom + +commit 4db9675d927a71faa66e5ab128d2390d6329750b upstream. + +Some Lenovo ideapad models lack a physical rfkill switch. +On Lenovo models ideapad Y700 Touch-15ISK and ideapad Y700-15ISK, +ideapad-laptop would wrongly report all radios as blocked by +hardware which caused wireless network connections to fail. + +Add these models without an rfkill switch to the no_hw_rfkill list. + +Signed-off-by: John Dahlstrom +Cc: # 3.17.x-: 4fa9dab: ideapad_laptop: Lenovo G50-30 fix rfkill reports wireless blocked +Signed-off-by: Darren Hart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/ideapad-laptop.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -865,6 +865,20 @@ static const struct dmi_system_id no_hw_ + }, + }, + { ++ .ident = "Lenovo ideapad Y700-15ISK", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"), ++ }, ++ }, ++ { ++ .ident = "Lenovo ideapad Y700 Touch-15ISK", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"), ++ }, ++ }, ++ { + .ident = "Lenovo ideapad Y700-17ISK", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), diff --git a/queue-4.4/ipr-fix-out-of-bounds-null-overwrite.patch b/queue-4.4/ipr-fix-out-of-bounds-null-overwrite.patch new file mode 100644 index 00000000000..09215e904af --- /dev/null +++ b/queue-4.4/ipr-fix-out-of-bounds-null-overwrite.patch @@ -0,0 +1,43 @@ +From d63c7dd5bcb9441af0526d370c43a65ca2c980d9 Mon Sep 17 00:00:00 2001 +From: Insu Yun +Date: Wed, 6 Jan 2016 12:44:01 -0500 +Subject: ipr: Fix out-of-bounds null overwrite + +From: Insu Yun + +commit d63c7dd5bcb9441af0526d370c43a65ca2c980d9 upstream. + +Return value of snprintf is not bound by size value, 2nd argument. +(https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html). +Return value is number of printed chars, can be larger than 2nd +argument. Therefore, it can write null byte out of bounds ofbuffer. +Since snprintf puts null, it does not need to put additional null byte. + +Signed-off-by: Insu Yun +Reviewed-by: Shane Seymour +Signed-off-by: Martin K. Petersen +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -4003,13 +4003,12 @@ static ssize_t ipr_store_update_fw(struc + struct ipr_sglist *sglist; + char fname[100]; + char *src; +- int len, result, dnld_size; ++ int result, dnld_size; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + +- len = snprintf(fname, 99, "%s", buf); +- fname[len-1] = '\0'; ++ snprintf(fname, sizeof(fname), "%s", buf); + + if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) { + dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname); diff --git a/queue-4.4/ipr-fix-regression-when-loading-firmware.patch b/queue-4.4/ipr-fix-regression-when-loading-firmware.patch new file mode 100644 index 00000000000..9f1a6afba3a --- /dev/null +++ b/queue-4.4/ipr-fix-regression-when-loading-firmware.patch @@ -0,0 +1,50 @@ +From 21b81716c6bff24cda52dc75588455f879ddbfe9 Mon Sep 17 00:00:00 2001 +From: Gabriel Krisman Bertazi +Date: Thu, 25 Feb 2016 13:54:20 -0300 +Subject: ipr: Fix regression when loading firmware + +From: Gabriel Krisman Bertazi + +commit 21b81716c6bff24cda52dc75588455f879ddbfe9 upstream. + +Commit d63c7dd5bcb9 ("ipr: Fix out-of-bounds null overwrite") removed +the end of line handling when storing the update_fw sysfs attribute. +This changed the userpace API because it started refusing writes +terminated by a line feed, which broke the update tools we already have. + +This patch re-adds that handling, so both a write terminated by a line +feed or not can make it through with the update. + +Fixes: d63c7dd5bcb9 ("ipr: Fix out-of-bounds null overwrite") +Signed-off-by: Gabriel Krisman Bertazi +Cc: Insu Yun +Acked-by: Brian King +Signed-off-by: Martin K. Petersen +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -4003,6 +4003,7 @@ static ssize_t ipr_store_update_fw(struc + struct ipr_sglist *sglist; + char fname[100]; + char *src; ++ char *endline; + int result, dnld_size; + + if (!capable(CAP_SYS_ADMIN)) +@@ -4010,6 +4011,10 @@ static ssize_t ipr_store_update_fw(struc + + snprintf(fname, sizeof(fname), "%s", buf); + ++ endline = strchr(fname, '\n'); ++ if (endline) ++ *endline = '\0'; ++ + if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) { + dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname); + return -EIO; diff --git a/queue-4.4/iwlwifi-mvm-fix-paging-memory-leak.patch b/queue-4.4/iwlwifi-mvm-fix-paging-memory-leak.patch new file mode 100644 index 00000000000..fc07d36d262 --- /dev/null +++ b/queue-4.4/iwlwifi-mvm-fix-paging-memory-leak.patch @@ -0,0 +1,67 @@ +From 905e36ae172c83a30894a3adefab7d4f850fcf54 Mon Sep 17 00:00:00 2001 +From: Matti Gottlieb +Date: Sun, 14 Feb 2016 17:05:39 +0200 +Subject: iwlwifi: mvm: Fix paging memory leak + +From: Matti Gottlieb + +commit 905e36ae172c83a30894a3adefab7d4f850fcf54 upstream. + +If the opmode is stopped and started again we did not free +the paging buffers. Fix that. +In addition when freeing the firmware's paging download +buffer, set the pointer to NULL. + +Signed-off-by: Matti Gottlieb +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/fw.c | 4 +++- + drivers/net/wireless/iwlwifi/mvm/mvm.h | 3 +++ + drivers/net/wireless/iwlwifi/mvm/ops.c | 2 ++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/iwlwifi/mvm/fw.c +@@ -106,7 +106,7 @@ static int iwl_send_tx_ant_cfg(struct iw + sizeof(tx_ant_cmd), &tx_ant_cmd); + } + +-static void iwl_free_fw_paging(struct iwl_mvm *mvm) ++void iwl_free_fw_paging(struct iwl_mvm *mvm) + { + int i; + +@@ -126,6 +126,8 @@ static void iwl_free_fw_paging(struct iw + get_order(mvm->fw_paging_db[i].fw_paging_size)); + } + kfree(mvm->trans->paging_download_buf); ++ mvm->trans->paging_download_buf = NULL; ++ + memset(mvm->fw_paging_db, 0, sizeof(mvm->fw_paging_db)); + } + +--- a/drivers/net/wireless/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h +@@ -1190,6 +1190,9 @@ void iwl_mvm_rx_umac_scan_complete_notif + void iwl_mvm_rx_umac_scan_iter_complete_notif(struct iwl_mvm *mvm, + struct iwl_rx_cmd_buffer *rxb); + ++/* Paging */ ++void iwl_free_fw_paging(struct iwl_mvm *mvm); ++ + /* MVM debugfs */ + #ifdef CONFIG_IWLWIFI_DEBUGFS + int iwl_mvm_dbgfs_register(struct iwl_mvm *mvm, struct dentry *dbgfs_dir); +--- a/drivers/net/wireless/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/iwlwifi/mvm/ops.c +@@ -645,6 +645,8 @@ static void iwl_op_mode_mvm_stop(struct + for (i = 0; i < NVM_MAX_NUM_SECTIONS; i++) + kfree(mvm->nvm_sections[i].data); + ++ iwl_free_fw_paging(mvm); ++ + iwl_mvm_tof_clean(mvm); + + ieee80211_free_hw(mvm->hw); diff --git a/queue-4.4/kbuild-mkspec-fix-grub2-installkernel-issue.patch b/queue-4.4/kbuild-mkspec-fix-grub2-installkernel-issue.patch new file mode 100644 index 00000000000..01e5976c46d --- /dev/null +++ b/queue-4.4/kbuild-mkspec-fix-grub2-installkernel-issue.patch @@ -0,0 +1,52 @@ +From c8b08ca558c0067bc9e15ce3f1e70af260410bb2 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Fri, 26 Feb 2016 16:15:17 +0100 +Subject: kbuild/mkspec: fix grub2 installkernel issue + +From: Jiri Kosina + +commit c8b08ca558c0067bc9e15ce3f1e70af260410bb2 upstream. + +mkspec is copying built kernel to temporrary location + + /boot/vmlinuz-$KERNELRELEASE-rpm + +and runs installkernel on it. This however directly leads to grub2 +menuentry for this suffixed binary being generated as well during the run +of installkernel script. + +Later in the process the temporary -rpm suffixed files are removed, and +therefore we end up with spurious (and non-functional) grub2 menu entries +for each installed kernel RPM. + +Fix that by using a different temporary name (prefixed by '.'), so that +the binary is not recognized as an actual kernel binary and no menuentry +is created for it. + +Signed-off-by: Jiri Kosina +Fixes: 3c9c7a14b627 ("rpm-pkg: add %post section to create initramfs and grub hooks") +Signed-off-by: Michal Marek +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/package/mkspec | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/scripts/package/mkspec ++++ b/scripts/package/mkspec +@@ -131,11 +131,11 @@ echo 'rm -rf $RPM_BUILD_ROOT' + echo "" + echo "%post" + echo "if [ -x /sbin/installkernel -a -r /boot/vmlinuz-$KERNELRELEASE -a -r /boot/System.map-$KERNELRELEASE ]; then" +-echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm" +-echo "cp /boot/System.map-$KERNELRELEASE /boot/System.map-$KERNELRELEASE-rpm" ++echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/.vmlinuz-$KERNELRELEASE-rpm" ++echo "cp /boot/System.map-$KERNELRELEASE /boot/.System.map-$KERNELRELEASE-rpm" + echo "rm -f /boot/vmlinuz-$KERNELRELEASE /boot/System.map-$KERNELRELEASE" +-echo "/sbin/installkernel $KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm" +-echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm" ++echo "/sbin/installkernel $KERNELRELEASE /boot/.vmlinuz-$KERNELRELEASE-rpm /boot/.System.map-$KERNELRELEASE-rpm" ++echo "rm -f /boot/.vmlinuz-$KERNELRELEASE-rpm /boot/.System.map-$KERNELRELEASE-rpm" + echo "fi" + echo "" + echo "%files" diff --git a/queue-4.4/maintainers-update-mailing-list-and-web-page-for-hwmon-subsystem.patch b/queue-4.4/maintainers-update-mailing-list-and-web-page-for-hwmon-subsystem.patch new file mode 100644 index 00000000000..dc249dee8be --- /dev/null +++ b/queue-4.4/maintainers-update-mailing-list-and-web-page-for-hwmon-subsystem.patch @@ -0,0 +1,423 @@ +From 968ce1b1f45a7d76b5471b19bd035dbecc72f32d Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 22 Mar 2016 15:11:03 -0700 +Subject: MAINTAINERS: Update mailing list and web page for hwmon subsystem + +From: Guenter Roeck + +commit 968ce1b1f45a7d76b5471b19bd035dbecc72f32d upstream. + +The old web page for the hwmon subsystem is no longer operational, +and the mailing list has become unreliable. Move both to kernel.org. + +Reviewed-by: Jean Delvare +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 96 ++++++++++++++++++++++++++++++------------------------------ + 1 file changed, 48 insertions(+), 48 deletions(-) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -230,13 +230,13 @@ F: kernel/sys_ni.c + + ABIT UGURU 1,2 HARDWARE MONITOR DRIVER + M: Hans de Goede +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/abituguru.c + + ABIT UGURU 3 HARDWARE MONITOR DRIVER + M: Alistair John Strachan +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/abituguru3.c + +@@ -373,14 +373,14 @@ S: Maintained + + ADM1025 HARDWARE MONITOR DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/adm1025 + F: drivers/hwmon/adm1025.c + + ADM1029 HARDWARE MONITOR DRIVER + M: Corentin Labbe +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/adm1029.c + +@@ -425,7 +425,7 @@ F: drivers/video/backlight/adp8860_bl.c + + ADS1015 HARDWARE MONITOR DRIVER + M: Dirk Eibach +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/ads1015 + F: drivers/hwmon/ads1015.c +@@ -438,7 +438,7 @@ F: drivers/macintosh/therm_adt746x.c + + ADT7475 HARDWARE MONITOR DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/adt7475 + F: drivers/hwmon/adt7475.c +@@ -615,7 +615,7 @@ F: include/linux/ccp.h + + AMD FAM15H PROCESSOR POWER MONITORING DRIVER + M: Andreas Herrmann +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/fam15h_power + F: drivers/hwmon/fam15h_power.c +@@ -779,7 +779,7 @@ F: drivers/input/mouse/bcm5974.c + + APPLE SMC DRIVER + M: Henrik Rydberg +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Odd fixes + F: drivers/hwmon/applesmc.c + +@@ -1777,7 +1777,7 @@ F: include/media/as3645a.h + + ASC7621 HARDWARE MONITOR DRIVER + M: George Joseph +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/asc7621 + F: drivers/hwmon/asc7621.c +@@ -1864,7 +1864,7 @@ F: drivers/net/wireless/ath/carl9170/ + + ATK0110 HWMON DRIVER + M: Luca Tettamanti +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/asus_atk0110.c + +@@ -2984,7 +2984,7 @@ F: mm/swap_cgroup.c + + CORETEMP HARDWARE MONITORING DRIVER + M: Fenghua Yu +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/coretemp + F: drivers/hwmon/coretemp.c +@@ -3549,7 +3549,7 @@ T: git git://git.infradead.org/users/vko + + DME1737 HARDWARE MONITOR DRIVER + M: Juerg Haefliger +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/dme1737 + F: drivers/hwmon/dme1737.c +@@ -4262,7 +4262,7 @@ F: include/video/exynos_mipi* + + F71805F HARDWARE MONITORING DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/f71805f + F: drivers/hwmon/f71805f.c +@@ -4341,7 +4341,7 @@ F: fs/* + + FINTEK F75375S HARDWARE MONITOR AND FAN CONTROLLER DRIVER + M: Riku Voipio +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/f75375s.c + F: include/linux/f75375s.h +@@ -4883,8 +4883,8 @@ F: drivers/media/usb/hackrf/ + HARDWARE MONITORING + M: Jean Delvare + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org +-W: http://www.lm-sensors.org/ ++L: linux-hwmon@vger.kernel.org ++W: http://hwmon.wiki.kernel.org/ + T: quilt http://jdelvare.nerim.net/devel/linux/jdelvare-hwmon/ + T: git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git + S: Maintained +@@ -5393,7 +5393,7 @@ F: drivers/usb/atm/ueagle-atm.c + + INA209 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/ina209 + F: Documentation/devicetree/bindings/i2c/ina209.txt +@@ -5401,7 +5401,7 @@ F: drivers/hwmon/ina209.c + + INA2XX HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/ina2xx + F: drivers/hwmon/ina2xx.c +@@ -5884,7 +5884,7 @@ F: drivers/isdn/hardware/eicon/ + + IT87 HARDWARE MONITORING DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/it87 + F: drivers/hwmon/it87.c +@@ -5920,7 +5920,7 @@ F: drivers/media/dvb-frontends/ix2505v* + + JC42.4 TEMPERATURE SENSOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/jc42.c + F: Documentation/hwmon/jc42 +@@ -5970,14 +5970,14 @@ F: drivers/tty/serial/jsm/ + + K10TEMP HARDWARE MONITORING DRIVER + M: Clemens Ladisch +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/k10temp + F: drivers/hwmon/k10temp.c + + K8TEMP HARDWARE MONITORING DRIVER + M: Rudolf Marek +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/k8temp + F: drivers/hwmon/k8temp.c +@@ -6485,27 +6485,27 @@ F: net/llc/ + + LM73 HARDWARE MONITOR DRIVER + M: Guillaume Ligneul +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/lm73.c + + LM78 HARDWARE MONITOR DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/lm78 + F: drivers/hwmon/lm78.c + + LM83 HARDWARE MONITOR DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/lm83 + F: drivers/hwmon/lm83.c + + LM90 HARDWARE MONITOR DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/lm90 + F: Documentation/devicetree/bindings/hwmon/lm90.txt +@@ -6513,7 +6513,7 @@ F: drivers/hwmon/lm90.c + + LM95234 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/lm95234 + F: drivers/hwmon/lm95234.c +@@ -6580,7 +6580,7 @@ F: drivers/scsi/sym53c8xx_2/ + + LTC4261 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/ltc4261 + F: drivers/hwmon/ltc4261.c +@@ -6749,28 +6749,28 @@ F: include/uapi/linux/matroxfb.h + + MAX16065 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/max16065 + F: drivers/hwmon/max16065.c + + MAX20751 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/max20751 + F: drivers/hwmon/max20751.c + + MAX6650 HARDWARE MONITOR AND FAN CONTROLLER DRIVER + M: "Hans J. Koch" +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/max6650 + F: drivers/hwmon/max6650.c + + MAX6697 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/max6697 + F: Documentation/devicetree/bindings/i2c/max6697.txt +@@ -7303,7 +7303,7 @@ F: drivers/scsi/NCR_D700.* + + NCT6775 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/nct6775 + F: drivers/hwmon/nct6775.c +@@ -8064,7 +8064,7 @@ F: drivers/video/logo/logo_parisc* + + PC87360 HARDWARE MONITORING DRIVER + M: Jim Cromie +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/pc87360 + F: drivers/hwmon/pc87360.c +@@ -8076,7 +8076,7 @@ F: drivers/char/pc8736x_gpio.c + + PC87427 HARDWARE MONITORING DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/pc87427 + F: drivers/hwmon/pc87427.c +@@ -8415,8 +8415,8 @@ F: drivers/rtc/rtc-puv3.c + + PMBUS HARDWARE MONITORING DRIVERS + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org +-W: http://www.lm-sensors.org/ ++L: linux-hwmon@vger.kernel.org ++W: http://hwmon.wiki.kernel.org/ + W: http://www.roeck-us.net/linux/drivers/ + T: git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git + S: Maintained +@@ -8610,7 +8610,7 @@ F: drivers/media/usb/pwc/* + + PWM FAN DRIVER + M: Kamil Debski +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Supported + F: Documentation/devicetree/bindings/hwmon/pwm-fan.txt + F: Documentation/hwmon/pwm-fan +@@ -9882,28 +9882,28 @@ F: Documentation/devicetree/bindings/med + + SMM665 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/smm665 + F: drivers/hwmon/smm665.c + + SMSC EMC2103 HARDWARE MONITOR DRIVER + M: Steve Glendinning +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/emc2103 + F: drivers/hwmon/emc2103.c + + SMSC SCH5627 HARDWARE MONITOR DRIVER + M: Hans de Goede +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Supported + F: Documentation/hwmon/sch5627 + F: drivers/hwmon/sch5627.c + + SMSC47B397 HARDWARE MONITOR DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/smsc47b397 + F: drivers/hwmon/smsc47b397.c +@@ -10830,7 +10830,7 @@ F: include/linux/mmc/sh_mobile_sdhi.h + + TMP401 HARDWARE MONITOR DRIVER + M: Guenter Roeck +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/tmp401 + F: drivers/hwmon/tmp401.c +@@ -11564,14 +11564,14 @@ F: Documentation/networking/vrf.txt + + VT1211 HARDWARE MONITOR DRIVER + M: Juerg Haefliger +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/vt1211 + F: drivers/hwmon/vt1211.c + + VT8231 HARDWARE MONITOR DRIVER + M: Roger Lucas +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/vt8231.c + +@@ -11590,21 +11590,21 @@ F: drivers/w1/ + + W83791D HARDWARE MONITORING DRIVER + M: Marc Hulsman +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/w83791d + F: drivers/hwmon/w83791d.c + + W83793 HARDWARE MONITORING DRIVER + M: Rudolf Marek +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: Documentation/hwmon/w83793 + F: drivers/hwmon/w83793.c + + W83795 HARDWARE MONITORING DRIVER + M: Jean Delvare +-L: lm-sensors@lm-sensors.org ++L: linux-hwmon@vger.kernel.org + S: Maintained + F: drivers/hwmon/w83795.c + diff --git a/queue-4.4/md-multipath-don-t-hardcopy-bio-in-.make_request-path.patch b/queue-4.4/md-multipath-don-t-hardcopy-bio-in-.make_request-path.patch new file mode 100644 index 00000000000..33c820620ac --- /dev/null +++ b/queue-4.4/md-multipath-don-t-hardcopy-bio-in-.make_request-path.patch @@ -0,0 +1,41 @@ +From fafcde3ac1a418688a734365203a12483b83907a Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sat, 12 Mar 2016 09:29:40 +0800 +Subject: md: multipath: don't hardcopy bio in .make_request path + +From: Ming Lei + +commit fafcde3ac1a418688a734365203a12483b83907a upstream. + +Inside multipath_make_request(), multipath maps the incoming +bio into low level device's bio, but it is totally wrong to +copy the bio into mapped bio via '*mapped_bio = *bio'. For +example, .__bi_remaining is kept in the copy, especially if +the incoming bio is chained to via bio splitting, so .bi_end_io +can't be called for the mapped bio at all in the completing path +in this kind of situation. + +This patch fixes the issue by using clone style. + +Reported-and-tested-by: Andrea Righi +Signed-off-by: Ming Lei +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/multipath.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/multipath.c ++++ b/drivers/md/multipath.c +@@ -129,7 +129,9 @@ static void multipath_make_request(struc + } + multipath = conf->multipaths + mp_bh->path; + +- mp_bh->bio = *bio; ++ bio_init(&mp_bh->bio); ++ __bio_clone_fast(&mp_bh->bio, bio); ++ + mp_bh->bio.bi_iter.bi_sector += multipath->rdev->data_offset; + mp_bh->bio.bi_bdev = multipath->rdev->bdev; + mp_bh->bio.bi_rw |= REQ_FAILFAST_TRANSPORT; diff --git a/queue-4.4/md-raid5-compare-apples-to-apples-or-sectors-to-sectors.patch b/queue-4.4/md-raid5-compare-apples-to-apples-or-sectors-to-sectors.patch new file mode 100644 index 00000000000..fe57168963f --- /dev/null +++ b/queue-4.4/md-raid5-compare-apples-to-apples-or-sectors-to-sectors.patch @@ -0,0 +1,37 @@ +From e7597e69dec59b65c5525db1626b9d34afdfa678 Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Tue, 16 Feb 2016 16:44:24 -0500 +Subject: md/raid5: Compare apples to apples (or sectors to sectors) + +From: Jes Sorensen + +commit e7597e69dec59b65c5525db1626b9d34afdfa678 upstream. + +'max_discard_sectors' is in sectors, while 'stripe' is in bytes. + +This fixes the problem where DISCARD would get disabled on some larger +RAID5 configurations (6 or more drives in my testing), while it worked +as expected with smaller configurations. + +Fixes: 620125f2bf8 ("MD: raid5 trim support") +Signed-off-by: Jes Sorensen +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -7015,8 +7015,8 @@ static int run(struct mddev *mddev) + } + + if (discard_supported && +- mddev->queue->limits.max_discard_sectors >= stripe && +- mddev->queue->limits.discard_granularity >= stripe) ++ mddev->queue->limits.max_discard_sectors >= (stripe >> 9) && ++ mddev->queue->limits.discard_granularity >= stripe) + queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, + mddev->queue); + else diff --git a/queue-4.4/md-raid5-preserve-stripe_preread_active-in-break_stripe_batch_list.patch b/queue-4.4/md-raid5-preserve-stripe_preread_active-in-break_stripe_batch_list.patch new file mode 100644 index 00000000000..f830f01e582 --- /dev/null +++ b/queue-4.4/md-raid5-preserve-stripe_preread_active-in-break_stripe_batch_list.patch @@ -0,0 +1,65 @@ +From 550da24f8d62fe81f3c13e3ec27602d6e44d43dc Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 9 Mar 2016 12:58:25 +1100 +Subject: md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list + +From: NeilBrown + +commit 550da24f8d62fe81f3c13e3ec27602d6e44d43dc upstream. + +break_stripe_batch_list breaks up a batch and copies some flags from +the batch head to the members, preserving others. + +It doesn't preserve or copy STRIPE_PREREAD_ACTIVE. This is not +normally a problem as STRIPE_PREREAD_ACTIVE is cleared when a +stripe_head is added to a batch, and is not set on stripe_heads +already in a batch. + +However there is no locking to ensure one thread doesn't set the flag +after it has just been cleared in another. This does occasionally happen. + +md/raid5 maintains a count of the number of stripe_heads with +STRIPE_PREREAD_ACTIVE set: conf->preread_active_stripes. When +break_stripe_batch_list clears STRIPE_PREREAD_ACTIVE inadvertently +this could becomes incorrect and will never again return to zero. + +md/raid5 delays the handling of some stripe_heads until +preread_active_stripes becomes zero. So when the above mention race +happens, those stripe_heads become blocked and never progress, +resulting is write to the array handing. + +So: change break_stripe_batch_list to preserve STRIPE_PREREAD_ACTIVE +in the members of a batch. + +URL: https://bugzilla.kernel.org/show_bug.cgi?id=108741 +URL: https://bugzilla.redhat.com/show_bug.cgi?id=1258153 +URL: http://thread.gmane.org/5649C0E9.2030204@zoner.cz +Reported-by: Martin Svec (and others) +Tested-by: Tom Weber +Fixes: 1b956f7a8f9a ("md/raid5: be more selective about distributing flags across batch.") +Signed-off-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -4241,7 +4241,6 @@ static void break_stripe_batch_list(stru + WARN_ON_ONCE(sh->state & ((1 << STRIPE_ACTIVE) | + (1 << STRIPE_SYNCING) | + (1 << STRIPE_REPLACED) | +- (1 << STRIPE_PREREAD_ACTIVE) | + (1 << STRIPE_DELAYED) | + (1 << STRIPE_BIT_DELAY) | + (1 << STRIPE_FULL_WRITE) | +@@ -4256,6 +4255,7 @@ static void break_stripe_batch_list(stru + (1 << STRIPE_REPLACED))); + + set_mask_bits(&sh->state, ~(STRIPE_EXPAND_SYNC_FLAGS | ++ (1 << STRIPE_PREREAD_ACTIVE) | + (1 << STRIPE_DEGRADED)), + head_sh->state & (1 << STRIPE_INSYNC)); + diff --git a/queue-4.4/mmc-block-fix-abi-regression-of-mmc_blk_ioctl.patch b/queue-4.4/mmc-block-fix-abi-regression-of-mmc_blk_ioctl.patch new file mode 100644 index 00000000000..22808564c87 --- /dev/null +++ b/queue-4.4/mmc-block-fix-abi-regression-of-mmc_blk_ioctl.patch @@ -0,0 +1,77 @@ +From 83c742c344c08c2bbe338d45c6ec63110e9d5e3d Mon Sep 17 00:00:00 2001 +From: Shawn Lin +Date: Wed, 16 Mar 2016 18:15:47 +0800 +Subject: mmc: block: fix ABI regression of mmc_blk_ioctl + +From: Shawn Lin + +commit 83c742c344c08c2bbe338d45c6ec63110e9d5e3d upstream. + +If mmc_blk_ioctl returns -EINVAL, blkdev_ioctl continues to +work without returning err to user-space. But now we check +CAP_SYS_RAWIO firstly, so we return -EPERM to blkdev_ioctl, +which make blkdev_ioctl return -EPERM to user-space directly. +So this will break all the ioctl with BLKROSET. Now we find +Android-adb suffer it for the following log: + +remount of /system failed; +couldn't make block device writable: Operation not permitted +openat(AT_FDCWD, "/dev/block/platform/ff420000.dwmmc/by-name/system", O_RDONLY) = 3 +ioctl(3, BLKROSET, 0) = -1 EPERM (Operation not permitted) + +Fixes: a5f5774c55a2 ("mmc: block: Add new ioctl to send multi commands") +Signed-off-by: Shawn Lin +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/card/block.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -596,6 +596,14 @@ static int mmc_blk_ioctl_cmd(struct bloc + struct mmc_card *card; + int err = 0, ioc_err = 0; + ++ /* ++ * The caller must have CAP_SYS_RAWIO, and must be calling this on the ++ * whole block device, not on a partition. This prevents overspray ++ * between sibling partitions. ++ */ ++ if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains)) ++ return -EPERM; ++ + idata = mmc_blk_ioctl_copy_from_user(ic_ptr); + if (IS_ERR(idata)) + return PTR_ERR(idata); +@@ -638,6 +646,14 @@ static int mmc_blk_ioctl_multi_cmd(struc + int i, err = 0, ioc_err = 0; + __u64 num_of_cmds; + ++ /* ++ * The caller must have CAP_SYS_RAWIO, and must be calling this on the ++ * whole block device, not on a partition. This prevents overspray ++ * between sibling partitions. ++ */ ++ if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains)) ++ return -EPERM; ++ + if (copy_from_user(&num_of_cmds, &user->num_of_cmds, + sizeof(num_of_cmds))) + return -EFAULT; +@@ -693,14 +709,6 @@ cmd_err: + static int mmc_blk_ioctl(struct block_device *bdev, fmode_t mode, + unsigned int cmd, unsigned long arg) + { +- /* +- * The caller must have CAP_SYS_RAWIO, and must be calling this on the +- * whole block device, not on a partition. This prevents overspray +- * between sibling partitions. +- */ +- if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains)) +- return -EPERM; +- + switch (cmd) { + case MMC_IOC_CMD: + return mmc_blk_ioctl_cmd(bdev, diff --git a/queue-4.4/mmc-mmc_spi-add-card-detect-comments-and-fix-cd-gpio-case.patch b/queue-4.4/mmc-mmc_spi-add-card-detect-comments-and-fix-cd-gpio-case.patch new file mode 100644 index 00000000000..6e96984f691 --- /dev/null +++ b/queue-4.4/mmc-mmc_spi-add-card-detect-comments-and-fix-cd-gpio-case.patch @@ -0,0 +1,66 @@ +From bcdc9f260bdce09913db1464be9817170d51044a Mon Sep 17 00:00:00 2001 +From: Magnus Damm +Date: Tue, 16 Feb 2016 13:06:41 +0900 +Subject: mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case + +From: Magnus Damm + +commit bcdc9f260bdce09913db1464be9817170d51044a upstream. + +This patch fixes the MMC SPI driver from doing polling card detect when a +CD GPIO that supports interrupts is specified using the gpios DT property. + +Without this patch the DT node below results in the following output: + + spi_gpio: spi-gpio { /* SD2 @ CN12 */ + compatible = "spi-gpio"; + #address-cells = <1>; + #size-cells = <0>; + gpio-sck = <&gpio6 16 GPIO_ACTIVE_HIGH>; + gpio-mosi = <&gpio6 17 GPIO_ACTIVE_HIGH>; + gpio-miso = <&gpio6 18 GPIO_ACTIVE_HIGH>; + num-chipselects = <1>; + cs-gpios = <&gpio6 21 GPIO_ACTIVE_LOW>; + status = "okay"; + + spi@0 { + compatible = "mmc-spi-slot"; + reg = <0>; + voltage-ranges = <3200 3400>; + spi-max-frequency = <25000000>; + gpios = <&gpio6 22 GPIO_ACTIVE_LOW>; /* CD */ + }; + }; + + # dmesg | grep mmc + mmc_spi spi32766.0: SD/MMC host mmc0, no WP, no poweroff, cd polling + mmc0: host does not support reading read-only switch, assuming write-enable + mmc0: new SDHC card on SPI + mmcblk0: mmc0:0000 SU04G 3.69 GiB + mmcblk0: p1 + +With this patch applied the "cd polling" portion above disappears. + +Signed-off-by: Magnus Damm +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/mmc_spi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -1436,6 +1436,12 @@ static int mmc_spi_probe(struct spi_devi + host->pdata->cd_debounce); + if (status != 0) + goto fail_add_host; ++ ++ /* The platform has a CD GPIO signal that may support ++ * interrupts, so let mmc_gpiod_request_cd_irq() decide ++ * if polling is needed or not. ++ */ ++ mmc->caps &= ~MMC_CAP_NEEDS_POLL; + mmc_gpiod_request_cd_irq(mmc); + } + diff --git a/queue-4.4/mmc-sdhci-fix-data-timeout-part-1.patch b/queue-4.4/mmc-sdhci-fix-data-timeout-part-1.patch new file mode 100644 index 00000000000..8cc1073ccd2 --- /dev/null +++ b/queue-4.4/mmc-sdhci-fix-data-timeout-part-1.patch @@ -0,0 +1,36 @@ +From fafcfda9e78cae8796d1799f14e6457790797555 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 26 Jan 2016 13:40:58 +0000 +Subject: mmc: sdhci: fix data timeout (part 1) + +From: Russell King + +commit fafcfda9e78cae8796d1799f14e6457790797555 upstream. + +The data timeout gives the minimum amount of time that should be +waited before timing out if no data is received from the card. +Simply dividing the nanosecond part by 1000 does not give this +required guarantee, since such a division rounds down. Use +DIV_ROUND_UP() to give the desired timeout. + +Signed-off-by: Russell King +Signed-off-by: Adrian Hunter +Tested-by: Gregory CLEMENT +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -666,7 +666,7 @@ static u8 sdhci_calc_timeout(struct sdhc + if (!data) + target_timeout = cmd->busy_timeout * 1000; + else { +- target_timeout = data->timeout_ns / 1000; ++ target_timeout = DIV_ROUND_UP(data->timeout_ns, 1000); + if (host->clock) + target_timeout += data->timeout_clks / host->clock; + } diff --git a/queue-4.4/mmc-sdhci-fix-data-timeout-part-2.patch b/queue-4.4/mmc-sdhci-fix-data-timeout-part-2.patch new file mode 100644 index 00000000000..ac53fd7e40e --- /dev/null +++ b/queue-4.4/mmc-sdhci-fix-data-timeout-part-2.patch @@ -0,0 +1,56 @@ +From 7f05538af71c7d30b5fc821cbe9f318edc645961 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 26 Jan 2016 13:41:04 +0000 +Subject: mmc: sdhci: fix data timeout (part 2) + +From: Russell King + +commit 7f05538af71c7d30b5fc821cbe9f318edc645961 upstream. + +The calculation for the timeout based on the number of card clocks is +incorrect. The calculation assumed: + + timeout in microseconds = clock cycles / clock in Hz + +which is clearly a several orders of magnitude wrong. Fix this by +multiplying the clock cycles by 1000000 prior to dividing by the Hz +based clock. Also, as per part 1, ensure that the division rounds +up. + +As this needs 64-bit math via do_div(), avoid it if the clock cycles +is zero. + +Signed-off-by: Russell King +Signed-off-by: Adrian Hunter +Tested-by: Gregory CLEMENT +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -667,8 +667,19 @@ static u8 sdhci_calc_timeout(struct sdhc + target_timeout = cmd->busy_timeout * 1000; + else { + target_timeout = DIV_ROUND_UP(data->timeout_ns, 1000); +- if (host->clock) +- target_timeout += data->timeout_clks / host->clock; ++ if (host->clock && data->timeout_clks) { ++ unsigned long long val; ++ ++ /* ++ * data->timeout_clks is in units of clock cycles. ++ * host->clock is in Hz. target_timeout is in us. ++ * Hence, us = 1000000 * cycles / Hz. Round up. ++ */ ++ val = 1000000 * data->timeout_clks; ++ if (do_div(val, host->clock)) ++ target_timeout++; ++ target_timeout += val; ++ } + } + + /* diff --git a/queue-4.4/mmc-sdhci-fix-override-of-timeout-clk-wrt-max_busy_timeout.patch b/queue-4.4/mmc-sdhci-fix-override-of-timeout-clk-wrt-max_busy_timeout.patch new file mode 100644 index 00000000000..dec9573d56d --- /dev/null +++ b/queue-4.4/mmc-sdhci-fix-override-of-timeout-clk-wrt-max_busy_timeout.patch @@ -0,0 +1,56 @@ +From 995136247915c5cee633d55ba23f6eebf67aa567 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 7 Mar 2016 13:33:55 +0200 +Subject: mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout + +From: Adrian Hunter + +commit 995136247915c5cee633d55ba23f6eebf67aa567 upstream. + +Normally the timeout clock frequency is read from the capabilities +register. It is also possible to set the value prior to calling +sdhci_add_host() in which case that value will override the +capabilities register value. However that was being done after +calculating max_busy_timeout so that max_busy_timeout was being +calculated using the wrong value of timeout_clk. + +Fix that by moving the override before max_busy_timeout is +calculated. + +The result is that the max_busy_timeout and max_discard +increase for BSW devices so that, for example, the time for +mkfs.ext4 on a 64GB eMMC drops from about 1 minute 40 seconds +to about 20 seconds. + +Note, in the future, the capabilities setting will be tidied up +and this override won't be used anymore. However this fix is +needed for stable. + +Signed-off-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -3106,14 +3106,14 @@ int sdhci_add_host(struct sdhci_host *ho + if (caps[0] & SDHCI_TIMEOUT_CLK_UNIT) + host->timeout_clk *= 1000; + ++ if (override_timeout_clk) ++ host->timeout_clk = override_timeout_clk; ++ + mmc->max_busy_timeout = host->ops->get_max_timeout_count ? + host->ops->get_max_timeout_count(host) : 1 << 27; + mmc->max_busy_timeout /= host->timeout_clk; + } + +- if (override_timeout_clk) +- host->timeout_clk = override_timeout_clk; +- + mmc->caps |= MMC_CAP_SDIO_IRQ | MMC_CAP_ERASE | MMC_CAP_CMD23; + mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD; + diff --git a/queue-4.4/net-mvneta-enable-change-mac-address-when-interface-is-up.patch b/queue-4.4/net-mvneta-enable-change-mac-address-when-interface-is-up.patch new file mode 100644 index 00000000000..96728a26b07 --- /dev/null +++ b/queue-4.4/net-mvneta-enable-change-mac-address-when-interface-is-up.patch @@ -0,0 +1,36 @@ +From 928b6519afeb2a5e2dc61154380b545ed66c476a Mon Sep 17 00:00:00 2001 +From: Dmitri Epshtein +Date: Sat, 12 Mar 2016 18:44:18 +0100 +Subject: net: mvneta: enable change MAC address when interface is up + +From: Dmitri Epshtein + +commit 928b6519afeb2a5e2dc61154380b545ed66c476a upstream. + +Function eth_prepare_mac_addr_change() is called as part of MAC +address change. This function check if interface is running. +To enable change MAC address when interface is running: +IFF_LIVE_ADDR_CHANGE flag must be set to dev->priv_flags field + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP +network unit") +Signed-off-by: Dmitri Epshtein +Signed-off-by: Gregory CLEMENT +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3404,7 +3404,7 @@ static int mvneta_probe(struct platform_ + dev->features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO; + dev->hw_features |= dev->features; + dev->vlan_features |= dev->features; +- dev->priv_flags |= IFF_UNICAST_FLT; ++ dev->priv_flags |= IFF_UNICAST_FLT | IFF_LIVE_ADDR_CHANGE; + dev->gso_max_segs = MVNETA_MAX_TSO_SEGS; + + err = register_netdev(dev); diff --git a/queue-4.4/of-alloc-anywhere-from-memblock-if-range-not-specified.patch b/queue-4.4/of-alloc-anywhere-from-memblock-if-range-not-specified.patch new file mode 100644 index 00000000000..590b9892c2d --- /dev/null +++ b/queue-4.4/of-alloc-anywhere-from-memblock-if-range-not-specified.patch @@ -0,0 +1,43 @@ +From e53b50c0cbe392c946807abf7d07615a3c588642 Mon Sep 17 00:00:00 2001 +From: Vinayak Menon +Date: Mon, 22 Feb 2016 19:15:44 +0530 +Subject: of: alloc anywhere from memblock if range not specified + +From: Vinayak Menon + +commit e53b50c0cbe392c946807abf7d07615a3c588642 upstream. + +early_init_dt_alloc_reserved_memory_arch passes end as 0 to +__memblock_alloc_base, when limits are not specified. But +__memblock_alloc_base takes end value of 0 as MEMBLOCK_ALLOC_ACCESSIBLE +and limits the end to memblock.current_limit. This results in regions +never being placed in HIGHMEM area, for e.g. CMA. +Let __memblock_alloc_base allocate from anywhere in memory if limits are +not specified. + +Acked-by: Marek Szyprowski +Signed-off-by: Vinayak Menon +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/of_reserved_mem.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -32,11 +32,13 @@ int __init __weak early_init_dt_alloc_re + phys_addr_t align, phys_addr_t start, phys_addr_t end, bool nomap, + phys_addr_t *res_base) + { ++ phys_addr_t base; + /* + * We use __memblock_alloc_base() because memblock_alloc_base() + * panic()s on allocation failure. + */ +- phys_addr_t base = __memblock_alloc_base(size, align, end); ++ end = !end ? MEMBLOCK_ALLOC_ANYWHERE : end; ++ base = __memblock_alloc_base(size, align, end); + if (!base) + return -ENOMEM; + diff --git a/queue-4.4/quota-fix-possible-gpf-due-to-uninitialised-pointers.patch b/queue-4.4/quota-fix-possible-gpf-due-to-uninitialised-pointers.patch new file mode 100644 index 00000000000..bd4e5ccd1b0 --- /dev/null +++ b/queue-4.4/quota-fix-possible-gpf-due-to-uninitialised-pointers.patch @@ -0,0 +1,41 @@ +From ab73ef46398e2c0159f3a71de834586422d2a44a Mon Sep 17 00:00:00 2001 +From: Nikolay Borisov +Date: Thu, 3 Mar 2016 10:54:57 +0100 +Subject: quota: Fix possible GPF due to uninitialised pointers + +From: Nikolay Borisov + +commit ab73ef46398e2c0159f3a71de834586422d2a44a upstream. + +When dqget() in __dquot_initialize() fails e.g. due to IO error, +__dquot_initialize() will pass an array of uninitialized pointers to +dqput_all() and thus can lead to deference of random data. Fix the +problem by properly initializing the array. + +Signed-off-by: Nikolay Borisov +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/dquot.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1398,7 +1398,7 @@ static int dquot_active(const struct ino + static int __dquot_initialize(struct inode *inode, int type) + { + int cnt, init_needed = 0; +- struct dquot **dquots, *got[MAXQUOTAS]; ++ struct dquot **dquots, *got[MAXQUOTAS] = {}; + struct super_block *sb = inode->i_sb; + qsize_t rsv; + int ret = 0; +@@ -1415,7 +1415,6 @@ static int __dquot_initialize(struct ino + int rc; + struct dquot *dquot; + +- got[cnt] = NULL; + if (type != -1 && cnt != type) + continue; + /* diff --git a/queue-4.4/raid1-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch b/queue-4.4/raid1-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch new file mode 100644 index 00000000000..006c142a739 --- /dev/null +++ b/queue-4.4/raid1-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch @@ -0,0 +1,61 @@ +From ccfc7bf1f09d6190ef86693ddc761d5fe3fa47cb Mon Sep 17 00:00:00 2001 +From: Nate Dailey +Date: Mon, 29 Feb 2016 10:43:58 -0500 +Subject: raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang + +From: Nate Dailey + +commit ccfc7bf1f09d6190ef86693ddc761d5fe3fa47cb upstream. + +If raid1d is handling a mix of read and write errors, handle_read_error's +call to freeze_array can get stuck. + +This can happen because, though the bio_end_io_list is initially drained, +writes can be added to it via handle_write_finished as the retry_list +is processed. These writes contribute to nr_pending but are not included +in nr_queued. + +If a later entry on the retry_list triggers a call to handle_read_error, +freeze array hangs waiting for nr_pending == nr_queued+extra. The writes +on the bio_end_io_list aren't included in nr_queued so the condition will +never be satisfied. + +To prevent the hang, include bio_end_io_list writes in nr_queued. + +There's probably a better way to handle decrementing nr_queued, but this +seemed like the safest way to avoid breaking surrounding code. + +I'm happy to supply the script I used to repro this hang. + +Fixes: 55ce74d4bfe1b(md/raid1: ensure device failure recorded before write request returns.) +Signed-off-by: Nate Dailey +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2274,6 +2274,7 @@ static void handle_write_finished(struct + if (fail) { + spin_lock_irq(&conf->device_lock); + list_add(&r1_bio->retry_list, &conf->bio_end_io_list); ++ conf->nr_queued++; + spin_unlock_irq(&conf->device_lock); + md_wakeup_thread(conf->mddev->thread); + } else { +@@ -2391,8 +2392,10 @@ static void raid1d(struct md_thread *thr + LIST_HEAD(tmp); + spin_lock_irqsave(&conf->device_lock, flags); + if (!test_bit(MD_CHANGE_PENDING, &mddev->flags)) { +- list_add(&tmp, &conf->bio_end_io_list); +- list_del_init(&conf->bio_end_io_list); ++ while (!list_empty(&conf->bio_end_io_list)) { ++ list_move(conf->bio_end_io_list.prev, &tmp); ++ conf->nr_queued--; ++ } + } + spin_unlock_irqrestore(&conf->device_lock, flags); + while (!list_empty(&tmp)) { diff --git a/queue-4.4/raid10-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch b/queue-4.4/raid10-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch new file mode 100644 index 00000000000..33492935bcd --- /dev/null +++ b/queue-4.4/raid10-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch @@ -0,0 +1,44 @@ +From 23ddba80ebe836476bb2fa1f5ef305dd1c63dc0b Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Mon, 14 Mar 2016 11:49:32 -0700 +Subject: raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang + +From: Shaohua Li + +commit 23ddba80ebe836476bb2fa1f5ef305dd1c63dc0b upstream. + +This is the raid10 counterpart of the bug fixed by Nate +(raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang) + +Fixes: 95af587e95(md/raid10: ensure device failure recorded before write request returns) +Cc: Nate Dailey +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid10.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2664,6 +2664,7 @@ static void handle_write_completed(struc + if (fail) { + spin_lock_irq(&conf->device_lock); + list_add(&r10_bio->retry_list, &conf->bio_end_io_list); ++ conf->nr_queued++; + spin_unlock_irq(&conf->device_lock); + md_wakeup_thread(conf->mddev->thread); + } else { +@@ -2691,8 +2692,10 @@ static void raid10d(struct md_thread *th + LIST_HEAD(tmp); + spin_lock_irqsave(&conf->device_lock, flags); + if (!test_bit(MD_CHANGE_PENDING, &mddev->flags)) { +- list_add(&tmp, &conf->bio_end_io_list); +- list_del_init(&conf->bio_end_io_list); ++ while (!list_empty(&conf->bio_end_io_list)) { ++ list_move(conf->bio_end_io_list.prev, &tmp); ++ conf->nr_queued--; ++ } + } + spin_unlock_irqrestore(&conf->device_lock, flags); + while (!list_empty(&tmp)) { diff --git a/queue-4.4/raid5-check_reshape-shouldn-t-call-mddev_suspend.patch b/queue-4.4/raid5-check_reshape-shouldn-t-call-mddev_suspend.patch new file mode 100644 index 00000000000..5d79be41e73 --- /dev/null +++ b/queue-4.4/raid5-check_reshape-shouldn-t-call-mddev_suspend.patch @@ -0,0 +1,78 @@ +From 27a353c026a879a1001e5eac4bda75b16262c44a Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Wed, 24 Feb 2016 17:38:28 -0800 +Subject: RAID5: check_reshape() shouldn't call mddev_suspend + +From: Shaohua Li + +commit 27a353c026a879a1001e5eac4bda75b16262c44a upstream. + +check_reshape() is called from raid5d thread. raid5d thread shouldn't +call mddev_suspend(), because mddev_suspend() waits for all IO finish +but IO is handled in raid5d thread, we could easily deadlock here. + +This issue is introduced by +738a273 ("md/raid5: fix allocation of 'scribble' array.") + +Reported-and-tested-by: Artur Paszkiewicz +Reviewed-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 18 ++++++++++++++++++ + drivers/md/raid5.h | 2 ++ + 2 files changed, 20 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2091,6 +2091,14 @@ static int resize_chunks(struct r5conf * + unsigned long cpu; + int err = 0; + ++ /* ++ * Never shrink. And mddev_suspend() could deadlock if this is called ++ * from raid5d. In that case, scribble_disks and scribble_sectors ++ * should equal to new_disks and new_sectors ++ */ ++ if (conf->scribble_disks >= new_disks && ++ conf->scribble_sectors >= new_sectors) ++ return 0; + mddev_suspend(conf->mddev); + get_online_cpus(); + for_each_present_cpu(cpu) { +@@ -2112,6 +2120,10 @@ static int resize_chunks(struct r5conf * + } + put_online_cpus(); + mddev_resume(conf->mddev); ++ if (!err) { ++ conf->scribble_disks = new_disks; ++ conf->scribble_sectors = new_sectors; ++ } + return err; + } + +@@ -6414,6 +6426,12 @@ static int raid5_alloc_percpu(struct r5c + } + put_online_cpus(); + ++ if (!err) { ++ conf->scribble_disks = max(conf->raid_disks, ++ conf->previous_raid_disks); ++ conf->scribble_sectors = max(conf->chunk_sectors, ++ conf->prev_chunk_sectors); ++ } + return err; + } + +--- a/drivers/md/raid5.h ++++ b/drivers/md/raid5.h +@@ -510,6 +510,8 @@ struct r5conf { + * conversions + */ + } __percpu *percpu; ++ int scribble_disks; ++ int scribble_sectors; + #ifdef CONFIG_HOTPLUG_CPU + struct notifier_block cpu_notify; + #endif diff --git a/queue-4.4/raid5-revert-e9e4c377e2f563-to-fix-a-livelock.patch b/queue-4.4/raid5-revert-e9e4c377e2f563-to-fix-a-livelock.patch new file mode 100644 index 00000000000..00003bbc60a --- /dev/null +++ b/queue-4.4/raid5-revert-e9e4c377e2f563-to-fix-a-livelock.patch @@ -0,0 +1,128 @@ +From 6ab2a4b806ae21b6c3e47c5ff1285ec06d505325 Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Thu, 25 Feb 2016 16:24:42 -0800 +Subject: RAID5: revert e9e4c377e2f563 to fix a livelock + +From: Shaohua Li + +commit 6ab2a4b806ae21b6c3e47c5ff1285ec06d505325 upstream. + +Revert commit +e9e4c377e2f563(md/raid5: per hash value and exclusive wait_for_stripe) + +The problem is raid5_get_active_stripe waits on +conf->wait_for_stripe[hash]. Assume hash is 0. My test release stripes +in this order: +- release all stripes with hash 0 +- raid5_get_active_stripe still sleeps since active_stripes > + max_nr_stripes * 3 / 4 +- release all stripes with hash other than 0. active_stripes becomes 0 +- raid5_get_active_stripe still sleeps, since nobody wakes up + wait_for_stripe[0] +The system live locks. The problem is active_stripes isn't a per-hash +count. Revert the patch makes the live lock go away. + +Cc: Yuanhan Liu +Cc: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 27 ++++++++------------------- + drivers/md/raid5.h | 2 +- + 2 files changed, 9 insertions(+), 20 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -340,8 +340,7 @@ static void release_inactive_stripe_list + int hash) + { + int size; +- unsigned long do_wakeup = 0; +- int i = 0; ++ bool do_wakeup = false; + unsigned long flags; + + if (hash == NR_STRIPE_HASH_LOCKS) { +@@ -362,19 +361,15 @@ static void release_inactive_stripe_list + !list_empty(list)) + atomic_dec(&conf->empty_inactive_list_nr); + list_splice_tail_init(list, conf->inactive_list + hash); +- do_wakeup |= 1 << hash; ++ do_wakeup = true; + spin_unlock_irqrestore(conf->hash_locks + hash, flags); + } + size--; + hash--; + } + +- for (i = 0; i < NR_STRIPE_HASH_LOCKS; i++) { +- if (do_wakeup & (1 << i)) +- wake_up(&conf->wait_for_stripe[i]); +- } +- + if (do_wakeup) { ++ wake_up(&conf->wait_for_stripe); + if (atomic_read(&conf->active_stripes) == 0) + wake_up(&conf->wait_for_quiescent); + if (conf->retry_read_aligned) +@@ -687,15 +682,14 @@ raid5_get_active_stripe(struct r5conf *c + if (!sh) { + set_bit(R5_INACTIVE_BLOCKED, + &conf->cache_state); +- wait_event_exclusive_cmd( +- conf->wait_for_stripe[hash], ++ wait_event_lock_irq( ++ conf->wait_for_stripe, + !list_empty(conf->inactive_list + hash) && + (atomic_read(&conf->active_stripes) + < (conf->max_nr_stripes * 3 / 4) + || !test_bit(R5_INACTIVE_BLOCKED, + &conf->cache_state)), +- spin_unlock_irq(conf->hash_locks + hash), +- spin_lock_irq(conf->hash_locks + hash)); ++ *(conf->hash_locks + hash)); + clear_bit(R5_INACTIVE_BLOCKED, + &conf->cache_state); + } else { +@@ -720,9 +714,6 @@ raid5_get_active_stripe(struct r5conf *c + } + } while (sh == NULL); + +- if (!list_empty(conf->inactive_list + hash)) +- wake_up(&conf->wait_for_stripe[hash]); +- + spin_unlock_irq(conf->hash_locks + hash); + return sh; + } +@@ -2204,7 +2195,7 @@ static int resize_stripes(struct r5conf + cnt = 0; + list_for_each_entry(nsh, &newstripes, lru) { + lock_device_hash_lock(conf, hash); +- wait_event_exclusive_cmd(conf->wait_for_stripe[hash], ++ wait_event_cmd(conf->wait_for_stripe, + !list_empty(conf->inactive_list + hash), + unlock_device_hash_lock(conf, hash), + lock_device_hash_lock(conf, hash)); +@@ -6522,9 +6513,7 @@ static struct r5conf *setup_conf(struct + seqcount_init(&conf->gen_lock); + mutex_init(&conf->cache_size_mutex); + init_waitqueue_head(&conf->wait_for_quiescent); +- for (i = 0; i < NR_STRIPE_HASH_LOCKS; i++) { +- init_waitqueue_head(&conf->wait_for_stripe[i]); +- } ++ init_waitqueue_head(&conf->wait_for_stripe); + init_waitqueue_head(&conf->wait_for_overlap); + INIT_LIST_HEAD(&conf->handle_list); + INIT_LIST_HEAD(&conf->hold_list); +--- a/drivers/md/raid5.h ++++ b/drivers/md/raid5.h +@@ -524,7 +524,7 @@ struct r5conf { + atomic_t empty_inactive_list_nr; + struct llist_head released_stripes; + wait_queue_head_t wait_for_quiescent; +- wait_queue_head_t wait_for_stripe[NR_STRIPE_HASH_LOCKS]; ++ wait_queue_head_t wait_for_stripe; + wait_queue_head_t wait_for_overlap; + unsigned long cache_state; + #define R5_INACTIVE_BLOCKED 1 /* release of inactive stripes blocked, diff --git a/queue-4.4/rapidio-rionet-fix-deadlock-on-smp.patch b/queue-4.4/rapidio-rionet-fix-deadlock-on-smp.patch new file mode 100644 index 00000000000..12151e8d04e --- /dev/null +++ b/queue-4.4/rapidio-rionet-fix-deadlock-on-smp.patch @@ -0,0 +1,48 @@ +From 36915976eca58f2eefa040ba8f9939672564df61 Mon Sep 17 00:00:00 2001 +From: Aurelien Jacquiot +Date: Tue, 22 Mar 2016 14:25:42 -0700 +Subject: rapidio/rionet: fix deadlock on SMP + +From: Aurelien Jacquiot + +commit 36915976eca58f2eefa040ba8f9939672564df61 upstream. + +Fix deadlocking during concurrent receive and transmit operations on SMP +platforms caused by the use of incorrect lock: on transmit 'tx_lock' +spinlock should be used instead of 'lock' which is used for receive +operation. + +This fix is applicable to kernel versions starting from v2.15. + +Signed-off-by: Aurelien Jacquiot +Signed-off-by: Alexandre Bounine +Cc: Matt Porter +Cc: Andre van Herk +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/rionet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/rionet.c ++++ b/drivers/net/rionet.c +@@ -280,7 +280,7 @@ static void rionet_outb_msg_event(struct + struct net_device *ndev = dev_id; + struct rionet_private *rnet = netdev_priv(ndev); + +- spin_lock(&rnet->lock); ++ spin_lock(&rnet->tx_lock); + + if (netif_msg_intr(rnet)) + printk(KERN_INFO +@@ -299,7 +299,7 @@ static void rionet_outb_msg_event(struct + if (rnet->tx_cnt < RIONET_TX_RING_SIZE) + netif_wake_queue(ndev); + +- spin_unlock(&rnet->lock); ++ spin_unlock(&rnet->tx_lock); + } + + static int rionet_open(struct net_device *ndev) diff --git a/queue-4.4/scripts-coccinelle-modernize.patch b/queue-4.4/scripts-coccinelle-modernize.patch new file mode 100644 index 00000000000..a9507203438 --- /dev/null +++ b/queue-4.4/scripts-coccinelle-modernize.patch @@ -0,0 +1,31 @@ +From 1b669e713f277a4d4b3cec84e13d16544ac8286d Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Thu, 18 Feb 2016 00:16:14 +0100 +Subject: scripts/coccinelle: modernize & + +From: Julia Lawall + +commit 1b669e713f277a4d4b3cec84e13d16544ac8286d upstream. + +& is no longer allowed in column 0, since Coccinelle 1.0.4. + +Signed-off-by: Julia Lawall +Tested-by: Nishanth Menon +Signed-off-by: Michal Marek +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/coccinelle/iterators/use_after_iter.cocci | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/coccinelle/iterators/use_after_iter.cocci ++++ b/scripts/coccinelle/iterators/use_after_iter.cocci +@@ -123,7 +123,7 @@ list_remove_head(x,c,...) + | + sizeof(<+...c...+>) + | +-&c->member ++ &c->member + | + c = E + | diff --git a/queue-4.4/scripts-gdb-account-for-changes-in-module-data-structure.patch b/queue-4.4/scripts-gdb-account-for-changes-in-module-data-structure.patch new file mode 100644 index 00000000000..d6833c511a9 --- /dev/null +++ b/queue-4.4/scripts-gdb-account-for-changes-in-module-data-structure.patch @@ -0,0 +1,55 @@ +From ad4db3b24a93e52a92ad8f9b0273a9416f202c23 Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Tue, 22 Mar 2016 14:27:39 -0700 +Subject: scripts/gdb: account for changes in module data structure + +From: Jan Kiszka + +commit ad4db3b24a93e52a92ad8f9b0273a9416f202c23 upstream. + +Commit 7523e4dc5057 ("module: use a structure to encapsulate layout.") +factored out the module_layout structure. Adjust the symbol loader and +the lsmod command to this. + +Signed-off-by: Jan Kiszka +Reviewed-by: Kieran Bingham +Tested-by: Kieran Bingham (qemu-{ARM,x86}) +Cc: Rusty Russell +Cc: Jiri Kosina +Cc: Jason Wessel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/gdb/linux/modules.py | 5 +++-- + scripts/gdb/linux/symbols.py | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/scripts/gdb/linux/modules.py ++++ b/scripts/gdb/linux/modules.py +@@ -73,10 +73,11 @@ class LxLsmod(gdb.Command): + " " if utils.get_long_type().sizeof == 8 else "")) + + for module in module_list(): ++ layout = module['core_layout'] + gdb.write("{address} {name:<19} {size:>8} {ref}".format( +- address=str(module['module_core']).split()[0], ++ address=str(layout['base']).split()[0], + name=module['name'].string(), +- size=str(module['core_size']), ++ size=str(layout['size']), + ref=str(module['refcnt']['counter']))) + + source_list = module['source_list'] +--- a/scripts/gdb/linux/symbols.py ++++ b/scripts/gdb/linux/symbols.py +@@ -108,7 +108,7 @@ lx-symbols command.""" + + def load_module_symbols(self, module): + module_name = module['name'].string() +- module_addr = str(module['module_core']).split()[0] ++ module_addr = str(module['core_layout']['base']).split()[0] + + module_file = self._get_module_file(module_name) + if not module_file and not self.module_files_updated: diff --git a/queue-4.4/scripts-kconfig-allow-building-with-make-3.80-again.patch b/queue-4.4/scripts-kconfig-allow-building-with-make-3.80-again.patch new file mode 100644 index 00000000000..3d6498fddf2 --- /dev/null +++ b/queue-4.4/scripts-kconfig-allow-building-with-make-3.80-again.patch @@ -0,0 +1,41 @@ +From 42f9d3c6888bceef6dc7ba72c77acf47347dcf05 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 25 Jan 2016 09:45:47 -0700 +Subject: scripts/kconfig: allow building with make 3.80 again + +From: Jan Beulich + +commit 42f9d3c6888bceef6dc7ba72c77acf47347dcf05 upstream. + +Documentation/Changes still lists this as the minimal required version, +so it ought to remain usable for the time being. + +Fixes: d2036f30cf ("scripts/kconfig/Makefile: Allow KBUILD_DEFCONFIG to be a target") +Signed-off-by: Jan Beulich +Cc: Michael Ellerman +Signed-off-by: Michal Marek +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/kconfig/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/scripts/kconfig/Makefile ++++ b/scripts/kconfig/Makefile +@@ -96,13 +96,15 @@ savedefconfig: $(obj)/conf + defconfig: $(obj)/conf + ifeq ($(KBUILD_DEFCONFIG),) + $< $(silent) --defconfig $(Kconfig) +-else ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)),) ++else ++ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)),) + @$(kecho) "*** Default configuration is based on '$(KBUILD_DEFCONFIG)'" + $(Q)$< $(silent) --defconfig=arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG) $(Kconfig) + else + @$(kecho) "*** Default configuration is based on target '$(KBUILD_DEFCONFIG)'" + $(Q)$(MAKE) -f $(srctree)/Makefile $(KBUILD_DEFCONFIG) + endif ++endif + + %_defconfig: $(obj)/conf + $(Q)$< $(silent) --defconfig=arch/$(SRCARCH)/configs/$@ $(Kconfig) diff --git a/queue-4.4/series b/queue-4.4/series index 2dd88cc02e2..3ec78f4bcbc 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -130,3 +130,48 @@ watchdog-rc32434_wdt-fix-ioctl-error-handling.patch bluetooth-add-new-ar3012-id-0489-e095.patch bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch +net-mvneta-enable-change-mac-address-when-interface-is-up.patch +of-alloc-anywhere-from-memblock-if-range-not-specified.patch +vfs-show_vfsstat-do-not-ignore-errors-from-show_devname-method.patch +splice-handle-zero-nr_pages-in-splice_to_pipe.patch +xtensa-iss-don-t-hang-if-stdin-eof-is-reached.patch +xtensa-fix-preemption-in-clear-copy-_user_highpage.patch +xtensa-clear-all-dbreakc-registers-on-start.patch +arc-readl-writel-to-work-in-big-endian-cpu-configuration.patch +arc-bitops-remove-non-relevant-comments.patch +quota-fix-possible-gpf-due-to-uninitialised-pointers.patch +xfs-fix-two-memory-leaks-in-xfs_attr_list.c-error-paths.patch +raid1-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch +md-raid5-compare-apples-to-apples-or-sectors-to-sectors.patch +raid5-check_reshape-shouldn-t-call-mddev_suspend.patch +raid5-revert-e9e4c377e2f563-to-fix-a-livelock.patch +raid10-include-bio_end_io_list-in-nr_queued-to-prevent-freeze_array-hang.patch +md-raid5-preserve-stripe_preread_active-in-break_stripe_batch_list.patch +md-multipath-don-t-hardcopy-bio-in-.make_request-path.patch +fuse-do-not-use-iocb-after-it-may-have-been-freed.patch +fuse-add-reference-counting-for-fuse_io_priv.patch +scripts-gdb-account-for-changes-in-module-data-structure.patch +fs-coredump-prevent-fsuid-0-dumps-into-user-controlled-directories.patch +rapidio-rionet-fix-deadlock-on-smp.patch +ipr-fix-out-of-bounds-null-overwrite.patch +ipr-fix-regression-when-loading-firmware.patch +iwlwifi-mvm-fix-paging-memory-leak.patch +drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch +drm-radeon-don-t-drop-dp-2.7-ghz-link-setup-on-some-cards.patch +drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch +drm-amdgpu-include-the-right-version-of-gmc-header-files-for-iceland.patch +ib-ipoib-fix-for-rare-multicast-join-race-condition.patch +tracing-have-preempt-irqs-off-trace-preempt-disabled-functions.patch +tracing-fix-crash-from-reading-trace_pipe-with-sendfile.patch +tracing-fix-trace_printk-to-print-when-not-using-bprintk.patch +bitops-do-not-default-to-__clear_bit-for-__clear_bit_unlock.patch +scripts-coccinelle-modernize.patch +scripts-kconfig-allow-building-with-make-3.80-again.patch +kbuild-mkspec-fix-grub2-installkernel-issue.patch +maintainers-update-mailing-list-and-web-page-for-hwmon-subsystem.patch +ideapad-laptop-add-ideapad-y700-15-to-the-no_hw_rfkill-dmi-list.patch +mmc-block-fix-abi-regression-of-mmc_blk_ioctl.patch +mmc-mmc_spi-add-card-detect-comments-and-fix-cd-gpio-case.patch +mmc-sdhci-fix-data-timeout-part-1.patch +mmc-sdhci-fix-data-timeout-part-2.patch +mmc-sdhci-fix-override-of-timeout-clk-wrt-max_busy_timeout.patch diff --git a/queue-4.4/splice-handle-zero-nr_pages-in-splice_to_pipe.patch b/queue-4.4/splice-handle-zero-nr_pages-in-splice_to_pipe.patch new file mode 100644 index 00000000000..ca755594e13 --- /dev/null +++ b/queue-4.4/splice-handle-zero-nr_pages-in-splice_to_pipe.patch @@ -0,0 +1,71 @@ +From d6785d9152147596f60234157da2b02540c3e60f Mon Sep 17 00:00:00 2001 +From: Rabin Vincent +Date: Thu, 10 Mar 2016 21:19:06 +0100 +Subject: splice: handle zero nr_pages in splice_to_pipe() + +From: Rabin Vincent + +commit d6785d9152147596f60234157da2b02540c3e60f upstream. + +Running the following command: + + busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null + +with any tracing enabled pretty very quickly leads to various NULL +pointer dereferences and VM BUG_ON()s, such as these: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: [] generic_pipe_buf_release+0xc/0x40 + Call Trace: + [] splice_direct_to_actor+0x143/0x1e0 + [] ? generic_pipe_buf_nosteal+0x10/0x10 + [] do_splice_direct+0x8f/0xb0 + [] do_sendfile+0x199/0x380 + [] SyS_sendfile64+0x90/0xa0 + [] entry_SYSCALL_64_fastpath+0x12/0x6d + + page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0) + kernel BUG at include/linux/mm.h:367! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + RIP: [] generic_pipe_buf_release+0x3c/0x40 + Call Trace: + [] splice_direct_to_actor+0x143/0x1e0 + [] ? generic_pipe_buf_nosteal+0x10/0x10 + [] do_splice_direct+0x8f/0xb0 + [] do_sendfile+0x199/0x380 + [] SyS_sendfile64+0x90/0xa0 + [] tracesys_phase2+0x84/0x89 + +(busybox's cat uses sendfile(2), unlike the coreutils version) + +This is because tracing_splice_read_pipe() can call splice_to_pipe() +with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and +we fill the page pointers and the other fields of the pipe_buffers with +garbage. + +All other callers of splice_to_pipe() avoid calling it when nr_pages == +0, and we could make tracing_splice_read_pipe() do that too, but it +seems reasonable to have splice_to_page() handle this condition +gracefully. + +Signed-off-by: Rabin Vincent +Reviewed-by: Christoph Hellwig +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/splice.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -185,6 +185,9 @@ ssize_t splice_to_pipe(struct pipe_inode + unsigned int spd_pages = spd->nr_pages; + int ret, do_wakeup, page_nr; + ++ if (!spd_pages) ++ return 0; ++ + ret = 0; + do_wakeup = 0; + page_nr = 0; diff --git a/queue-4.4/tracing-fix-crash-from-reading-trace_pipe-with-sendfile.patch b/queue-4.4/tracing-fix-crash-from-reading-trace_pipe-with-sendfile.patch new file mode 100644 index 00000000000..d0e413739d3 --- /dev/null +++ b/queue-4.4/tracing-fix-crash-from-reading-trace_pipe-with-sendfile.patch @@ -0,0 +1,40 @@ +From a29054d9478d0435ab01b7544da4f674ab13f533 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Fri, 18 Mar 2016 15:46:48 -0400 +Subject: tracing: Fix crash from reading trace_pipe with sendfile + +From: Steven Rostedt (Red Hat) + +commit a29054d9478d0435ab01b7544da4f674ab13f533 upstream. + +If tracing contains data and the trace_pipe file is read with sendfile(), +then it can trigger a NULL pointer dereference and various BUG_ON within the +VM code. + +There's a patch to fix this in the splice_to_pipe() code, but it's also a +good idea to not let that happen from trace_pipe either. + +Link: http://lkml.kernel.org/r/1457641146-9068-1-git-send-email-rabin@rab.in + +Reported-by: Rabin Vincent +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4949,7 +4949,10 @@ static ssize_t tracing_splice_read_pipe( + + spd.nr_pages = i; + +- ret = splice_to_pipe(pipe, &spd); ++ if (i) ++ ret = splice_to_pipe(pipe, &spd); ++ else ++ ret = 0; + out: + splice_shrink_spd(&spd); + return ret; diff --git a/queue-4.4/tracing-fix-trace_printk-to-print-when-not-using-bprintk.patch b/queue-4.4/tracing-fix-trace_printk-to-print-when-not-using-bprintk.patch new file mode 100644 index 00000000000..5aeb31ccd68 --- /dev/null +++ b/queue-4.4/tracing-fix-trace_printk-to-print-when-not-using-bprintk.patch @@ -0,0 +1,78 @@ +From 3debb0a9ddb16526de8b456491b7db60114f7b5e Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 22 Mar 2016 17:30:58 -0400 +Subject: tracing: Fix trace_printk() to print when not using bprintk() + +From: Steven Rostedt (Red Hat) + +commit 3debb0a9ddb16526de8b456491b7db60114f7b5e upstream. + +The trace_printk() code will allocate extra buffers if the compile detects +that a trace_printk() is used. To do this, the format of the trace_printk() +is saved to the __trace_printk_fmt section, and if that section is bigger +than zero, the buffers are allocated (along with a message that this has +happened). + +If trace_printk() uses a format that is not a constant, and thus something +not guaranteed to be around when the print happens, the compiler optimizes +the fmt out, as it is not used, and the __trace_printk_fmt section is not +filled. This means the kernel will not allocate the special buffers needed +for the trace_printk() and the trace_printk() will not write anything to the +tracing buffer. + +Adding a "__used" to the variable in the __trace_printk_fmt section will +keep it around, even though it is set to NULL. This will keep the string +from being printed in the debugfs/tracing/printk_formats section as it is +not needed. + +Reported-by: Vlastimil Babka +Fixes: 07d777fe8c398 "tracing: Add percpu buffers for trace_printk()" +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kernel.h | 6 +++--- + kernel/trace/trace_printk.c | 3 +++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -607,7 +607,7 @@ do { \ + + #define do_trace_printk(fmt, args...) \ + do { \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(fmt) ? fmt : NULL; \ + \ +@@ -651,7 +651,7 @@ int __trace_printk(unsigned long ip, con + */ + + #define trace_puts(str) ({ \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(str) ? str : NULL; \ + \ +@@ -673,7 +673,7 @@ extern void trace_dump_stack(int skip); + #define ftrace_vprintk(fmt, vargs) \ + do { \ + if (__builtin_constant_p(fmt)) { \ +- static const char *trace_printk_fmt \ ++ static const char *trace_printk_fmt __used \ + __attribute__((section("__trace_printk_fmt"))) = \ + __builtin_constant_p(fmt) ? fmt : NULL; \ + \ +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -296,6 +296,9 @@ static int t_show(struct seq_file *m, vo + const char *str = *fmt; + int i; + ++ if (!*fmt) ++ return 0; ++ + seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt); + + /* diff --git a/queue-4.4/tracing-have-preempt-irqs-off-trace-preempt-disabled-functions.patch b/queue-4.4/tracing-have-preempt-irqs-off-trace-preempt-disabled-functions.patch new file mode 100644 index 00000000000..f201396ff52 --- /dev/null +++ b/queue-4.4/tracing-have-preempt-irqs-off-trace-preempt-disabled-functions.patch @@ -0,0 +1,69 @@ +From cb86e05390debcc084cfdb0a71ed4c5dbbec517d Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Fri, 18 Mar 2016 12:27:43 -0400 +Subject: tracing: Have preempt(irqs)off trace preempt disabled functions + +From: Steven Rostedt (Red Hat) + +commit cb86e05390debcc084cfdb0a71ed4c5dbbec517d upstream. + +Joel Fernandes reported that the function tracing of preempt disabled +sections was not being reported when running either the preemptirqsoff or +preemptoff tracers. This was due to the fact that the function tracer +callback for those tracers checked if irqs were disabled before tracing. But +this fails when we want to trace preempt off locations as well. + +Joel explained that he wanted to see funcitons where interrupts are enabled +but preemption was disabled. The expected output he wanted: + + <...>-2265 1d.h1 3419us : preempt_count_sub <-irq_exit + <...>-2265 1d..1 3419us : __do_softirq <-irq_exit + <...>-2265 1d..1 3419us : msecs_to_jiffies <-__do_softirq + <...>-2265 1d..1 3420us : irqtime_account_irq <-__do_softirq + <...>-2265 1d..1 3420us : __local_bh_disable_ip <-__do_softirq + <...>-2265 1..s1 3421us : run_timer_softirq <-__do_softirq + <...>-2265 1..s1 3421us : hrtimer_run_pending <-run_timer_softirq + <...>-2265 1..s1 3421us : _raw_spin_lock_irq <-run_timer_softirq + <...>-2265 1d.s1 3422us : preempt_count_add <-_raw_spin_lock_irq + <...>-2265 1d.s2 3422us : _raw_spin_unlock_irq <-run_timer_softirq + <...>-2265 1..s2 3422us : preempt_count_sub <-_raw_spin_unlock_irq + <...>-2265 1..s1 3423us : rcu_bh_qs <-__do_softirq + <...>-2265 1d.s1 3423us : irqtime_account_irq <-__do_softirq + <...>-2265 1d.s1 3423us : __local_bh_enable <-__do_softirq + +There's a comment saying that the irq disabled check is because there's a +possible race that tracing_cpu may be set when the function is executed. But +I don't remember that race. For now, I added a check for preemption being +enabled too to not record the function, as there would be no race if that +was the case. I need to re-investigate this, as I'm now thinking that the +tracing_cpu will always be correct. But no harm in keeping the check for +now, except for the slight performance hit. + +Link: http://lkml.kernel.org/r/1457770386-88717-1-git-send-email-agnel.joel@gmail.com + +Fixes: 5e6d2b9cfa3a "tracing: Use one prologue for the preempt irqs off tracer function tracers" +Reported-by: Joel Fernandes +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_irqsoff.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_irqsoff.c ++++ b/kernel/trace/trace_irqsoff.c +@@ -109,8 +109,12 @@ static int func_prolog_dec(struct trace_ + return 0; + + local_save_flags(*flags); +- /* slight chance to get a false positive on tracing_cpu */ +- if (!irqs_disabled_flags(*flags)) ++ /* ++ * Slight chance to get a false positive on tracing_cpu, ++ * although I'm starting to think there isn't a chance. ++ * Leave this for now just to be paranoid. ++ */ ++ if (!irqs_disabled_flags(*flags) && !preempt_count()) + return 0; + + *data = per_cpu_ptr(tr->trace_buffer.data, cpu); diff --git a/queue-4.4/vfs-show_vfsstat-do-not-ignore-errors-from-show_devname-method.patch b/queue-4.4/vfs-show_vfsstat-do-not-ignore-errors-from-show_devname-method.patch new file mode 100644 index 00000000000..efeaa748c8e --- /dev/null +++ b/queue-4.4/vfs-show_vfsstat-do-not-ignore-errors-from-show_devname-method.patch @@ -0,0 +1,31 @@ +From 5f8d498d4364f544fee17125787a47553db02afa Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Thu, 19 Mar 2015 11:10:54 +0000 +Subject: vfs: show_vfsstat: do not ignore errors from show_devname method + +From: Dmitry V. Levin + +commit 5f8d498d4364f544fee17125787a47553db02afa upstream. + +Explicitly check show_devname method return code and bail out in case +of an error. This fixes regression introduced by commit 9d4d65748a5c. + +Signed-off-by: Dmitry V. Levin +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc_namespace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/proc_namespace.c ++++ b/fs/proc_namespace.c +@@ -197,6 +197,8 @@ static int show_vfsstat(struct seq_file + if (sb->s_op->show_devname) { + seq_puts(m, "device "); + err = sb->s_op->show_devname(m, mnt_path.dentry); ++ if (err) ++ goto out; + } else { + if (r->mnt_devname) { + seq_puts(m, "device "); diff --git a/queue-4.4/xfs-fix-two-memory-leaks-in-xfs_attr_list.c-error-paths.patch b/queue-4.4/xfs-fix-two-memory-leaks-in-xfs_attr_list.c-error-paths.patch new file mode 100644 index 00000000000..e59de57e1b7 --- /dev/null +++ b/queue-4.4/xfs-fix-two-memory-leaks-in-xfs_attr_list.c-error-paths.patch @@ -0,0 +1,57 @@ +From 2e83b79b2d6c78bf1b4aa227938a214dcbddc83f Mon Sep 17 00:00:00 2001 +From: Mateusz Guzik +Date: Wed, 2 Mar 2016 09:51:09 +1100 +Subject: xfs: fix two memory leaks in xfs_attr_list.c error paths + +From: Mateusz Guzik + +commit 2e83b79b2d6c78bf1b4aa227938a214dcbddc83f upstream. + +This plugs 2 trivial leaks in xfs_attr_shortform_list and +xfs_attr3_leaf_list_int. + +Signed-off-by: Mateusz Guzik +Reviewed-by: Eric Sandeen +Signed-off-by: Dave Chinner +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_attr_list.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/fs/xfs/xfs_attr_list.c ++++ b/fs/xfs/xfs_attr_list.c +@@ -202,8 +202,10 @@ xfs_attr_shortform_list(xfs_attr_list_co + sbp->namelen, + sbp->valuelen, + &sbp->name[sbp->namelen]); +- if (error) ++ if (error) { ++ kmem_free(sbuf); + return error; ++ } + if (context->seen_enough) + break; + cursor->offset++; +@@ -454,14 +456,13 @@ xfs_attr3_leaf_list_int( + args.rmtblkcnt = xfs_attr3_rmt_blocks( + args.dp->i_mount, valuelen); + retval = xfs_attr_rmtval_get(&args); +- if (retval) +- return retval; +- retval = context->put_listent(context, +- entry->flags, +- name_rmt->name, +- (int)name_rmt->namelen, +- valuelen, +- args.value); ++ if (!retval) ++ retval = context->put_listent(context, ++ entry->flags, ++ name_rmt->name, ++ (int)name_rmt->namelen, ++ valuelen, ++ args.value); + kmem_free(args.value); + } else { + retval = context->put_listent(context, diff --git a/queue-4.4/xtensa-clear-all-dbreakc-registers-on-start.patch b/queue-4.4/xtensa-clear-all-dbreakc-registers-on-start.patch new file mode 100644 index 00000000000..865a4ce0416 --- /dev/null +++ b/queue-4.4/xtensa-clear-all-dbreakc-registers-on-start.patch @@ -0,0 +1,34 @@ +From 7de7ac785ae18a2cdc78d7560f48e3213d9ea0ab Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Thu, 3 Mar 2016 18:34:29 +0300 +Subject: xtensa: clear all DBREAKC registers on start + +From: Max Filippov + +commit 7de7ac785ae18a2cdc78d7560f48e3213d9ea0ab upstream. + +There are XCHAL_NUM_DBREAK registers, clear them all. +This also fixes cryptic assembler error message with binutils 2.25 when +XCHAL_NUM_DBREAK is 0: + + as: out of memory allocating 18446744073709551575 bytes after a total + of 495616 bytes + +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/head.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/xtensa/kernel/head.S ++++ b/arch/xtensa/kernel/head.S +@@ -128,7 +128,7 @@ ENTRY(_startup) + wsr a0, icountlevel + + .set _index, 0 +- .rept XCHAL_NUM_DBREAK - 1 ++ .rept XCHAL_NUM_DBREAK + wsr a0, SREG_DBREAKC + _index + .set _index, _index + 1 + .endr diff --git a/queue-4.4/xtensa-fix-preemption-in-clear-copy-_user_highpage.patch b/queue-4.4/xtensa-fix-preemption-in-clear-copy-_user_highpage.patch new file mode 100644 index 00000000000..c178a83a6f1 --- /dev/null +++ b/queue-4.4/xtensa-fix-preemption-in-clear-copy-_user_highpage.patch @@ -0,0 +1,49 @@ +From a67cc9aa2dfc6e66addf240bbd79e16e01565e81 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Thu, 25 Feb 2016 23:27:51 +0300 +Subject: xtensa: fix preemption in {clear,copy}_user_highpage + +From: Max Filippov + +commit a67cc9aa2dfc6e66addf240bbd79e16e01565e81 upstream. + +Disabling pagefault makes little sense there, preemption disabling is +what was meant. + +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/mm/cache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/xtensa/mm/cache.c ++++ b/arch/xtensa/mm/cache.c +@@ -97,11 +97,11 @@ void clear_user_highpage(struct page *pa + unsigned long paddr; + void *kvaddr = coherent_kvaddr(page, TLBTEMP_BASE_1, vaddr, &paddr); + +- pagefault_disable(); ++ preempt_disable(); + kmap_invalidate_coherent(page, vaddr); + set_bit(PG_arch_1, &page->flags); + clear_page_alias(kvaddr, paddr); +- pagefault_enable(); ++ preempt_enable(); + } + + void copy_user_highpage(struct page *dst, struct page *src, +@@ -113,11 +113,11 @@ void copy_user_highpage(struct page *dst + void *src_vaddr = coherent_kvaddr(src, TLBTEMP_BASE_2, vaddr, + &src_paddr); + +- pagefault_disable(); ++ preempt_disable(); + kmap_invalidate_coherent(dst, vaddr); + set_bit(PG_arch_1, &dst->flags); + copy_page_alias(dst_vaddr, src_vaddr, dst_paddr, src_paddr); +- pagefault_enable(); ++ preempt_enable(); + } + + #endif /* DCACHE_WAY_SIZE > PAGE_SIZE */ diff --git a/queue-4.4/xtensa-iss-don-t-hang-if-stdin-eof-is-reached.patch b/queue-4.4/xtensa-iss-don-t-hang-if-stdin-eof-is-reached.patch new file mode 100644 index 00000000000..c57e375db05 --- /dev/null +++ b/queue-4.4/xtensa-iss-don-t-hang-if-stdin-eof-is-reached.patch @@ -0,0 +1,52 @@ +From 362014c8d9d51d504c167c44ac280169457732be Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 9 Feb 2016 01:02:38 +0300 +Subject: xtensa: ISS: don't hang if stdin EOF is reached + +From: Max Filippov + +commit 362014c8d9d51d504c167c44ac280169457732be upstream. + +Simulator stdin may be connected to a file, when its end is reached +kernel hangs in infinite loop inside rs_poll, because simc_poll always +signals that descriptor 0 is readable and simc_read always returns 0. +Check simc_read return value and exit loop if it's not positive. Also +don't rewind polling timer if it's zero. + +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/platforms/iss/console.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/xtensa/platforms/iss/console.c ++++ b/arch/xtensa/platforms/iss/console.c +@@ -100,21 +100,23 @@ static void rs_poll(unsigned long priv) + { + struct tty_port *port = (struct tty_port *)priv; + int i = 0; ++ int rd = 1; + unsigned char c; + + spin_lock(&timer_lock); + + while (simc_poll(0)) { +- simc_read(0, &c, 1); ++ rd = simc_read(0, &c, 1); ++ if (rd <= 0) ++ break; + tty_insert_flip_char(port, c, TTY_NORMAL); + i++; + } + + if (i) + tty_flip_buffer_push(port); +- +- +- mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); ++ if (rd) ++ mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE); + spin_unlock(&timer_lock); + } +