From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 22:04:37 +0000 (-0700) Subject: 4.2-stable patches X-Git-Tag: v3.10.91~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34f5971a308d9addaf8ac930685ea1497e3c3c2e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: ath10k-fix-peer-limit-enforcement.patch ath10k-fix-per-vif-queue-locking.patch ath10k-reject-11b-tx-fragmentation-configuration.patch ath10k-wake-up-offchannel-queue-properly.patch ath10k-wake-up-queue-upon-vif-creation.patch cifs-use-server-timestamp-for-ntlmv2-authentication.patch device-property-fix-potential-null-pointer-dereference.patch docs-update-howto-for-3.x-4.x-versioning.patch extcon-fix-attached-value-returned-by-is_extcon_changed.patch extcon-fix-signedness-bugs-about-break-error-handling.patch hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch hv-util-checking-the-wrong-variable.patch ipr-enable-sis-pipe-commands-for-sis-32-devices.patch irqchip-atmel-aic5-use-per-chip-mask-caches-in-mask-unmask.patch irqchip-gic-v3-its-add-missing-cache-flushes.patch mmc-dw_mmc-handle-data-blocks-than-4kb-if-idmac-is-used.patch mtd-nand-sunxi-fix-oob-handling-in-write_xxx-functions.patch mtd-nand-sunxi-fix-sunxi_nand_chips_cleanup.patch mtd-pxa3xx_nand-add-a-default-chunk-size.patch pcmcia-sa11x0-fix-missing-clk_put-in-sa11x0-socket-drivers.patch pm-avs-rockchip-io-depend-on-config_power_avs.patch regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch security-fix-typo-in-security_task_prctl.patch thermal-cpu_cooling-don-t-call-kcalloc-under-rcu_read_lock.patch thermal-cpu_cooling-free-power-table-on-error-or-when-unregistering.patch usb-chipidea-imx-fix-a-typo-for-imx6sx.patch --- diff --git a/queue-4.2/ath10k-fix-peer-limit-enforcement.patch b/queue-4.2/ath10k-fix-peer-limit-enforcement.patch new file mode 100644 index 00000000000..5067946928c --- /dev/null +++ b/queue-4.2/ath10k-fix-peer-limit-enforcement.patch @@ -0,0 +1,58 @@ +From e04cafbc38c70af2aad3810ce24ab0eba8114779 Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Wed, 5 Aug 2015 12:15:24 +0200 +Subject: ath10k: fix peer limit enforcement + +From: Michal Kazior + +commit e04cafbc38c70af2aad3810ce24ab0eba8114779 upstream. + +Firmware peer entries are involved in internal +firmware vdev structures. This was not accounted +for and could lead firmware to crash due to asking +it to do more than it could. + +Fixes: 039a0051ec1a ("ath10k: allocate fw resources for iface combinations") +Signed-off-by: Michal Kazior +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/mac.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -591,11 +591,19 @@ ath10k_mac_get_any_chandef_iter(struct i + static int ath10k_peer_create(struct ath10k *ar, u32 vdev_id, const u8 *addr, + enum wmi_peer_type peer_type) + { ++ struct ath10k_vif *arvif; ++ int num_peers = 0; + int ret; + + lockdep_assert_held(&ar->conf_mutex); + +- if (ar->num_peers >= ar->max_num_peers) ++ num_peers = ar->num_peers; ++ ++ /* Each vdev consumes a peer entry as well */ ++ list_for_each_entry(arvif, &ar->arvifs, list) ++ num_peers++; ++ ++ if (num_peers >= ar->max_num_peers) + return -ENOBUFS; + + ret = ath10k_wmi_peer_create(ar, vdev_id, addr, peer_type); +@@ -4061,6 +4069,11 @@ static int ath10k_add_interface(struct i + sizeof(arvif->bitrate_mask.control[i].vht_mcs)); + } + ++ if (ar->num_peers >= ar->max_num_peers) { ++ ath10k_warn(ar, "refusing vdev creation due to insufficient peer entry resources in firmware\n"); ++ return -ENOBUFS; ++ } ++ + if (ar->free_vdev_map == 0) { + ath10k_warn(ar, "Free vdev map is empty, no more interfaces allowed.\n"); + ret = -EBUSY; diff --git a/queue-4.2/ath10k-fix-per-vif-queue-locking.patch b/queue-4.2/ath10k-fix-per-vif-queue-locking.patch new file mode 100644 index 00000000000..23aecd4648e --- /dev/null +++ b/queue-4.2/ath10k-fix-per-vif-queue-locking.patch @@ -0,0 +1,154 @@ +From acd0b27bb13a09dd0a56d4562d3eb4137a7318b2 Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Thu, 9 Jul 2015 13:08:38 +0200 +Subject: ath10k: fix per-vif queue locking + +From: Michal Kazior + +commit acd0b27bb13a09dd0a56d4562d3eb4137a7318b2 upstream. + +Whenever any vdev was supposed to be paused all Tx +queues were stopped (except offchannel) instead of +only these associated with the given vdev. + +This caused subtle issues with +multi-channel/multi-vif scenarios, e.g. +authentication of station vif could sometimes fail +depending on fw tx pause request timing. + +Fixes: b4aa539dd8f2 ("ath10k: implement tx pause wmi event") +Signed-off-by: Michal Kazior +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/mac.c | 47 ++++++++---------------------- + drivers/net/wireless/ath/ath10k/mac.h | 6 +-- + drivers/net/wireless/ath/ath10k/wmi-tlv.c | 32 +++++++++++++++++--- + 3 files changed, 44 insertions(+), 41 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3034,38 +3034,16 @@ static void ath10k_mac_vif_handle_tx_pau + + lockdep_assert_held(&ar->htt.tx_lock); + +- switch (pause_id) { +- case WMI_TLV_TX_PAUSE_ID_MCC: +- case WMI_TLV_TX_PAUSE_ID_P2P_CLI_NOA: +- case WMI_TLV_TX_PAUSE_ID_P2P_GO_PS: +- case WMI_TLV_TX_PAUSE_ID_AP_PS: +- case WMI_TLV_TX_PAUSE_ID_IBSS_PS: +- switch (action) { +- case WMI_TLV_TX_PAUSE_ACTION_STOP: +- ath10k_mac_vif_tx_lock(arvif, pause_id); +- break; +- case WMI_TLV_TX_PAUSE_ACTION_WAKE: +- ath10k_mac_vif_tx_unlock(arvif, pause_id); +- break; +- default: +- ath10k_warn(ar, "received unknown tx pause action %d on vdev %i, ignoring\n", +- action, arvif->vdev_id); +- break; +- } ++ switch (action) { ++ case WMI_TLV_TX_PAUSE_ACTION_STOP: ++ ath10k_mac_vif_tx_lock(arvif, pause_id); ++ break; ++ case WMI_TLV_TX_PAUSE_ACTION_WAKE: ++ ath10k_mac_vif_tx_unlock(arvif, pause_id); + break; +- case WMI_TLV_TX_PAUSE_ID_AP_PEER_PS: +- case WMI_TLV_TX_PAUSE_ID_AP_PEER_UAPSD: +- case WMI_TLV_TX_PAUSE_ID_STA_ADD_BA: +- case WMI_TLV_TX_PAUSE_ID_HOST: + default: +- /* FIXME: Some pause_ids aren't vdev specific. Instead they +- * target peer_id and tid. Implementing these could improve +- * traffic scheduling fairness across multiple connected +- * stations in AP/IBSS modes. +- */ +- ath10k_dbg(ar, ATH10K_DBG_MAC, +- "mac ignoring unsupported tx pause vdev %i id %d\n", +- arvif->vdev_id, pause_id); ++ ath10k_warn(ar, "received unknown tx pause action %d on vdev %i, ignoring\n", ++ action, arvif->vdev_id); + break; + } + } +@@ -3082,12 +3060,15 @@ static void ath10k_mac_handle_tx_pause_i + struct ath10k_vif *arvif = ath10k_vif_to_arvif(vif); + struct ath10k_mac_tx_pause *arg = data; + ++ if (arvif->vdev_id != arg->vdev_id) ++ return; ++ + ath10k_mac_vif_handle_tx_pause(arvif, arg->pause_id, arg->action); + } + +-void ath10k_mac_handle_tx_pause(struct ath10k *ar, u32 vdev_id, +- enum wmi_tlv_tx_pause_id pause_id, +- enum wmi_tlv_tx_pause_action action) ++void ath10k_mac_handle_tx_pause_vdev(struct ath10k *ar, u32 vdev_id, ++ enum wmi_tlv_tx_pause_id pause_id, ++ enum wmi_tlv_tx_pause_action action) + { + struct ath10k_mac_tx_pause arg = { + .vdev_id = vdev_id, +--- a/drivers/net/wireless/ath/ath10k/mac.h ++++ b/drivers/net/wireless/ath/ath10k/mac.h +@@ -61,9 +61,9 @@ int ath10k_mac_vif_chan(struct ieee80211 + + void ath10k_mac_handle_beacon(struct ath10k *ar, struct sk_buff *skb); + void ath10k_mac_handle_beacon_miss(struct ath10k *ar, u32 vdev_id); +-void ath10k_mac_handle_tx_pause(struct ath10k *ar, u32 vdev_id, +- enum wmi_tlv_tx_pause_id pause_id, +- enum wmi_tlv_tx_pause_action action); ++void ath10k_mac_handle_tx_pause_vdev(struct ath10k *ar, u32 vdev_id, ++ enum wmi_tlv_tx_pause_id pause_id, ++ enum wmi_tlv_tx_pause_action action); + + u8 ath10k_mac_hw_rate_to_idx(const struct ieee80211_supported_band *sband, + u8 hw_rate); +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -377,12 +377,34 @@ static int ath10k_wmi_tlv_event_tx_pause + "wmi tlv tx pause pause_id %u action %u vdev_map 0x%08x peer_id %u tid_map 0x%08x\n", + pause_id, action, vdev_map, peer_id, tid_map); + +- for (vdev_id = 0; vdev_map; vdev_id++) { +- if (!(vdev_map & BIT(vdev_id))) +- continue; ++ switch (pause_id) { ++ case WMI_TLV_TX_PAUSE_ID_MCC: ++ case WMI_TLV_TX_PAUSE_ID_P2P_CLI_NOA: ++ case WMI_TLV_TX_PAUSE_ID_P2P_GO_PS: ++ case WMI_TLV_TX_PAUSE_ID_AP_PS: ++ case WMI_TLV_TX_PAUSE_ID_IBSS_PS: ++ for (vdev_id = 0; vdev_map; vdev_id++) { ++ if (!(vdev_map & BIT(vdev_id))) ++ continue; + +- vdev_map &= ~BIT(vdev_id); +- ath10k_mac_handle_tx_pause(ar, vdev_id, pause_id, action); ++ vdev_map &= ~BIT(vdev_id); ++ ath10k_mac_handle_tx_pause_vdev(ar, vdev_id, pause_id, ++ action); ++ } ++ break; ++ case WMI_TLV_TX_PAUSE_ID_AP_PEER_PS: ++ case WMI_TLV_TX_PAUSE_ID_AP_PEER_UAPSD: ++ case WMI_TLV_TX_PAUSE_ID_STA_ADD_BA: ++ case WMI_TLV_TX_PAUSE_ID_HOST: ++ ath10k_dbg(ar, ATH10K_DBG_MAC, ++ "mac ignoring unsupported tx pause id %d\n", ++ pause_id); ++ break; ++ default: ++ ath10k_dbg(ar, ATH10K_DBG_MAC, ++ "mac ignoring unknown tx pause vdev %d\n", ++ pause_id); ++ break; + } + + kfree(tb); diff --git a/queue-4.2/ath10k-reject-11b-tx-fragmentation-configuration.patch b/queue-4.2/ath10k-reject-11b-tx-fragmentation-configuration.patch new file mode 100644 index 00000000000..6e940dc67c8 --- /dev/null +++ b/queue-4.2/ath10k-reject-11b-tx-fragmentation-configuration.patch @@ -0,0 +1,66 @@ +From 92092fe528e79c9bd25784ca0ef341d5a1d1b642 Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Mon, 3 Aug 2015 11:16:43 +0200 +Subject: ath10k: reject 11b tx fragmentation configuration + +From: Michal Kazior + +commit 92092fe528e79c9bd25784ca0ef341d5a1d1b642 upstream. + +Even though there's a WMI enum for fragmentation +threshold no known firmware actually implements +it. Moreover it is not possible to rely frame +fragmentation to mac80211 because firmware clears +the "more fragments" bit in frame control making +it impossible for remote devices to reassemble +frames. + +Hence implement a dummy callback just to say +fragmentation isn't supported. This effectively +prevents mac80211 from doing frame fragmentation +in software. + +This fixes Tx becoming broken after setting +fragmentation threshold. + +Fixes: 1010ba4c5d1c ("ath10k: unregister and remove frag_threshold callback") +Signed-off-by: Michal Kazior +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/mac.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -5542,6 +5542,21 @@ static int ath10k_set_rts_threshold(stru + return ret; + } + ++static int ath10k_mac_op_set_frag_threshold(struct ieee80211_hw *hw, u32 value) ++{ ++ /* Even though there's a WMI enum for fragmentation threshold no known ++ * firmware actually implements it. Moreover it is not possible to rely ++ * frame fragmentation to mac80211 because firmware clears the "more ++ * fragments" bit in frame control making it impossible for remote ++ * devices to reassemble frames. ++ * ++ * Hence implement a dummy callback just to say fragmentation isn't ++ * supported. This effectively prevents mac80211 from doing frame ++ * fragmentation in software. ++ */ ++ return -EOPNOTSUPP; ++} ++ + static void ath10k_flush(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + u32 queues, bool drop) + { +@@ -6376,6 +6391,7 @@ static const struct ieee80211_ops ath10k + .remain_on_channel = ath10k_remain_on_channel, + .cancel_remain_on_channel = ath10k_cancel_remain_on_channel, + .set_rts_threshold = ath10k_set_rts_threshold, ++ .set_frag_threshold = ath10k_mac_op_set_frag_threshold, + .flush = ath10k_flush, + .tx_last_beacon = ath10k_tx_last_beacon, + .set_antenna = ath10k_set_antenna, diff --git a/queue-4.2/ath10k-wake-up-offchannel-queue-properly.patch b/queue-4.2/ath10k-wake-up-offchannel-queue-properly.patch new file mode 100644 index 00000000000..cea904477eb --- /dev/null +++ b/queue-4.2/ath10k-wake-up-offchannel-queue-properly.patch @@ -0,0 +1,36 @@ +From 3a73d1a6f22bf13044056543ad43b2a304ee0022 Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Thu, 6 Aug 2015 14:46:54 +0200 +Subject: ath10k: wake up offchannel queue properly + +From: Michal Kazior + +commit 3a73d1a6f22bf13044056543ad43b2a304ee0022 upstream. + +Once HTT Tx queue got full offchannel queue was +stopped and never woken up again. This broke, e.g. +P2P. This could be reproduced after running a lot +of traffic enough to saturate 100% of the driver +Tx queue and then trying to send offchannel +traffic. + +Fixes: 96d828d45e16 ("ath10k: rework tx queue locking") +Signed-off-by: Michal Kazior +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3003,6 +3003,8 @@ void ath10k_mac_tx_unlock(struct ath10k + IEEE80211_IFACE_ITER_RESUME_ALL, + ath10k_mac_tx_unlock_iter, + ar); ++ ++ ieee80211_wake_queue(ar->hw, ar->hw->offchannel_tx_hw_queue); + } + + void ath10k_mac_vif_tx_lock(struct ath10k_vif *arvif, int reason) diff --git a/queue-4.2/ath10k-wake-up-queue-upon-vif-creation.patch b/queue-4.2/ath10k-wake-up-queue-upon-vif-creation.patch new file mode 100644 index 00000000000..ca4da58042a --- /dev/null +++ b/queue-4.2/ath10k-wake-up-queue-upon-vif-creation.patch @@ -0,0 +1,47 @@ +From 6d2d51ecfff13f5f6ffc476dccf4d5b2668072eb Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Fri, 7 Aug 2015 09:08:21 +0200 +Subject: ath10k: wake up queue upon vif creation + +From: Michal Kazior + +commit 6d2d51ecfff13f5f6ffc476dccf4d5b2668072eb upstream. + +Vif's vdev_id is used as queue number. However due +to the tx pausing design in ath10k it was possible +for a new interface to be created with its tx +queue stopped (via ieee80211_stop_queues). This +could in turn leave the interface inoperable until +ath10k_mac_tx_unlock() was called. + +This problem only affected multi-vif scenarios when +new interfaces were created some time later after +other interfaces have been running for some time +and had Tx queue full at some point prior. + +Possible manifestation of the bug was +authentication timeout for a client vif. + +Fixes: 96d828d45e16 ("ath10k: rework tx queue locking") +Signed-off-by: Michal Kazior +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/mac.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -4283,6 +4283,11 @@ static int ath10k_add_interface(struct i + } + } + ++ spin_lock_bh(&ar->htt.tx_lock); ++ if (!ar->tx_paused) ++ ieee80211_wake_queue(ar->hw, arvif->vdev_id); ++ spin_unlock_bh(&ar->htt.tx_lock); ++ + mutex_unlock(&ar->conf_mutex); + return 0; + diff --git a/queue-4.2/cifs-use-server-timestamp-for-ntlmv2-authentication.patch b/queue-4.2/cifs-use-server-timestamp-for-ntlmv2-authentication.patch new file mode 100644 index 00000000000..15188dc743c --- /dev/null +++ b/queue-4.2/cifs-use-server-timestamp-for-ntlmv2-authentication.patch @@ -0,0 +1,123 @@ +From 98ce94c8df762d413b3ecb849e2b966b21606d04 Mon Sep 17 00:00:00 2001 +From: Peter Seiderer +Date: Thu, 17 Sep 2015 21:40:12 +0200 +Subject: cifs: use server timestamp for ntlmv2 authentication + +From: Peter Seiderer + +commit 98ce94c8df762d413b3ecb849e2b966b21606d04 upstream. + +Linux cifs mount with ntlmssp against an Mac OS X (Yosemite +10.10.5) share fails in case the clocks differ more than +/-2h: + +digest-service: digest-request: od failed with 2 proto=ntlmv2 +digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2 + +Fix this by (re-)using the given server timestamp for the +ntlmv2 authentication (as Windows 7 does). + +A related problem was also reported earlier by Namjae Jaen (see below): + +Windows machine has extended security feature which refuse to allow +authentication when there is time difference between server time and +client time when ntlmv2 negotiation is used. This problem is prevalent +in embedded enviornment where system time is set to default 1970. + +Modern servers send the server timestamp in the TargetInfo Av_Pair +structure in the challenge message [see MS-NLMP 2.2.2.1] +In [MS-NLMP 3.1.5.1.2] it is explicitly mentioned that the client must +use the server provided timestamp if present OR current time if it is +not + +Reported-by: Namjae Jeon +Signed-off-by: Peter Seiderer +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsencrypt.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 51 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifsencrypt.c ++++ b/fs/cifs/cifsencrypt.c +@@ -444,6 +444,48 @@ find_domain_name(struct cifs_ses *ses, c + return 0; + } + ++/* Server has provided av pairs/target info in the type 2 challenge ++ * packet and we have plucked it and stored within smb session. ++ * We parse that blob here to find the server given timestamp ++ * as part of ntlmv2 authentication (or local current time as ++ * default in case of failure) ++ */ ++static __le64 ++find_timestamp(struct cifs_ses *ses) ++{ ++ unsigned int attrsize; ++ unsigned int type; ++ unsigned int onesize = sizeof(struct ntlmssp2_name); ++ unsigned char *blobptr; ++ unsigned char *blobend; ++ struct ntlmssp2_name *attrptr; ++ ++ if (!ses->auth_key.len || !ses->auth_key.response) ++ return 0; ++ ++ blobptr = ses->auth_key.response; ++ blobend = blobptr + ses->auth_key.len; ++ ++ while (blobptr + onesize < blobend) { ++ attrptr = (struct ntlmssp2_name *) blobptr; ++ type = le16_to_cpu(attrptr->type); ++ if (type == NTLMSSP_AV_EOL) ++ break; ++ blobptr += 2; /* advance attr type */ ++ attrsize = le16_to_cpu(attrptr->length); ++ blobptr += 2; /* advance attr size */ ++ if (blobptr + attrsize > blobend) ++ break; ++ if (type == NTLMSSP_AV_TIMESTAMP) { ++ if (attrsize == sizeof(u64)) ++ return *((__le64 *)blobptr); ++ } ++ blobptr += attrsize; /* advance attr value */ ++ } ++ ++ return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME)); ++} ++ + static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash, + const struct nls_table *nls_cp) + { +@@ -641,6 +683,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c + struct ntlmv2_resp *ntlmv2; + char ntlmv2_hash[16]; + unsigned char *tiblob = NULL; /* target info blob */ ++ __le64 rsp_timestamp; + + if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) { + if (!ses->domainName) { +@@ -659,6 +702,12 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c + } + } + ++ /* Must be within 5 minutes of the server (or in range +/-2h ++ * in case of Mac OS X), so simply carry over server timestamp ++ * (as Windows 7 does) ++ */ ++ rsp_timestamp = find_timestamp(ses); ++ + baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp); + tilen = ses->auth_key.len; + tiblob = ses->auth_key.response; +@@ -675,8 +724,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c + (ses->auth_key.response + CIFS_SESS_KEY_SIZE); + ntlmv2->blob_signature = cpu_to_le32(0x00000101); + ntlmv2->reserved = 0; +- /* Must be within 5 minutes of the server */ +- ntlmv2->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME)); ++ ntlmv2->time = rsp_timestamp; ++ + get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal)); + ntlmv2->reserved2 = 0; + diff --git a/queue-4.2/device-property-fix-potential-null-pointer-dereference.patch b/queue-4.2/device-property-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..83990345dbe --- /dev/null +++ b/queue-4.2/device-property-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,39 @@ +From ecc87eed7beeb50c0be0b73322d62135277ea2b0 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 5 Aug 2015 16:51:11 +0300 +Subject: device property: fix potential NULL pointer dereference + +From: Andy Shevchenko + +commit ecc87eed7beeb50c0be0b73322d62135277ea2b0 upstream. + +In device_add_property_set() we check pset parameter for a NULL, but few lines +later we do a pointer arithmetic without check that will crash kernel in the +set_secondary_fwnode(). + +Here we check if pset parameter is NULL and return immediately. + +Fixes: 16ba08d5c9ec (device property: Introduce firmware node type for platform data) +Signed-off-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/property.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/base/property.c ++++ b/drivers/base/property.c +@@ -27,9 +27,10 @@ + */ + void device_add_property_set(struct device *dev, struct property_set *pset) + { +- if (pset) +- pset->fwnode.type = FWNODE_PDATA; ++ if (!pset) ++ return; + ++ pset->fwnode.type = FWNODE_PDATA; + set_secondary_fwnode(dev, &pset->fwnode); + } + EXPORT_SYMBOL_GPL(device_add_property_set); diff --git a/queue-4.2/docs-update-howto-for-3.x-4.x-versioning.patch b/queue-4.2/docs-update-howto-for-3.x-4.x-versioning.patch new file mode 100644 index 00000000000..58b8cef2b23 --- /dev/null +++ b/queue-4.2/docs-update-howto-for-3.x-4.x-versioning.patch @@ -0,0 +1,91 @@ +From e4144fe5d47c91c92d36cdbd5f31ed8d6e3a57ab Mon Sep 17 00:00:00 2001 +From: Mario Carrillo +Date: Mon, 24 Aug 2015 09:33:09 -0500 +Subject: docs: update HOWTO for 3.x -> 4.x versioning + +From: Mario Carrillo + +commit e4144fe5d47c91c92d36cdbd5f31ed8d6e3a57ab upstream. + +The HOWTO document needed updating for the new kernel versioning. + +Signed-off-by: Mario Carrillo +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/HOWTO | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +--- a/Documentation/HOWTO ++++ b/Documentation/HOWTO +@@ -218,16 +218,16 @@ The development process + Linux kernel development process currently consists of a few different + main kernel "branches" and lots of different subsystem-specific kernel + branches. These different branches are: +- - main 3.x kernel tree +- - 3.x.y -stable kernel tree +- - 3.x -git kernel patches ++ - main 4.x kernel tree ++ - 4.x.y -stable kernel tree ++ - 4.x -git kernel patches + - subsystem specific kernel trees and patches +- - the 3.x -next kernel tree for integration tests ++ - the 4.x -next kernel tree for integration tests + +-3.x kernel tree ++4.x kernel tree + ----------------- +-3.x kernels are maintained by Linus Torvalds, and can be found on +-kernel.org in the pub/linux/kernel/v3.x/ directory. Its development ++4.x kernels are maintained by Linus Torvalds, and can be found on ++kernel.org in the pub/linux/kernel/v4.x/ directory. Its development + process is as follows: + - As soon as a new kernel is released a two weeks window is open, + during this period of time maintainers can submit big diffs to +@@ -262,20 +262,20 @@ mailing list about kernel releases: + released according to perceived bug status, not according to a + preconceived timeline." + +-3.x.y -stable kernel tree ++4.x.y -stable kernel tree + --------------------------- + Kernels with 3-part versions are -stable kernels. They contain + relatively small and critical fixes for security problems or significant +-regressions discovered in a given 3.x kernel. ++regressions discovered in a given 4.x kernel. + + This is the recommended branch for users who want the most recent stable + kernel and are not interested in helping test development/experimental + versions. + +-If no 3.x.y kernel is available, then the highest numbered 3.x ++If no 4.x.y kernel is available, then the highest numbered 4.x + kernel is the current stable kernel. + +-3.x.y are maintained by the "stable" team , and ++4.x.y are maintained by the "stable" team , and + are released as needs dictate. The normal release period is approximately + two weeks, but it can be longer if there are no pressing problems. A + security-related problem, instead, can cause a release to happen almost +@@ -285,7 +285,7 @@ The file Documentation/stable_kernel_rul + documents what kinds of changes are acceptable for the -stable tree, and + how the release process works. + +-3.x -git patches ++4.x -git patches + ------------------ + These are daily snapshots of Linus' kernel tree which are managed in a + git repository (hence the name.) These patches are usually released +@@ -317,9 +317,9 @@ revisions to it, and maintainers can mar + accepted, or rejected. Most of these patchwork sites are listed at + http://patchwork.kernel.org/. + +-3.x -next kernel tree for integration tests ++4.x -next kernel tree for integration tests + --------------------------------------------- +-Before updates from subsystem trees are merged into the mainline 3.x ++Before updates from subsystem trees are merged into the mainline 4.x + tree, they need to be integration-tested. For this purpose, a special + testing repository exists into which virtually all subsystem trees are + pulled on an almost daily basis: diff --git a/queue-4.2/extcon-fix-attached-value-returned-by-is_extcon_changed.patch b/queue-4.2/extcon-fix-attached-value-returned-by-is_extcon_changed.patch new file mode 100644 index 00000000000..31e3af3f6a7 --- /dev/null +++ b/queue-4.2/extcon-fix-attached-value-returned-by-is_extcon_changed.patch @@ -0,0 +1,34 @@ +From f4513b065f7dbd37224226ef6e44b09eff742776 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 24 Aug 2015 00:35:36 +0200 +Subject: extcon: Fix attached value returned by is_extcon_changed + +From: Hans de Goede + +commit f4513b065f7dbd37224226ef6e44b09eff742776 upstream. + +is_extcon_changed should only check the idx-th bit of new, not +the entirety of new when setting attached. + +This fixes extcon sending notifications that a cable was inserted when +it gets removed while another cable is still connected. + +Signed-off-by: Hans de Goede +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/extcon/extcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -159,7 +159,7 @@ static int find_cable_index_by_name(stru + static bool is_extcon_changed(u32 prev, u32 new, int idx, bool *attached) + { + if (((prev >> idx) & 0x1) != ((new >> idx) & 0x1)) { +- *attached = new ? true : false; ++ *attached = ((new >> idx) & 0x1) ? true : false; + return true; + } + diff --git a/queue-4.2/extcon-fix-signedness-bugs-about-break-error-handling.patch b/queue-4.2/extcon-fix-signedness-bugs-about-break-error-handling.patch new file mode 100644 index 00000000000..82550a45d4c --- /dev/null +++ b/queue-4.2/extcon-fix-signedness-bugs-about-break-error-handling.patch @@ -0,0 +1,60 @@ +From a598af7f0279195abffbfb9bf2070457e9c89ff3 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 4 Aug 2015 10:47:23 +0300 +Subject: extcon: Fix signedness bugs about break error handling + +From: Dan Carpenter + +commit a598af7f0279195abffbfb9bf2070457e9c89ff3 upstream. + +Unsigned is never less than zero so this error handling won't work. + +Fixes: be052cc87745 ('extcon: Fix hang and extcon_get/set_cable_state().') +Signed-off-by: Dan Carpenter +Reviewed-by: Roger Quadros +[cw00.choi: Change the patch title and fix signedness bug of find_cable_index_by_id() ] +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/extcon/extcon.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -126,7 +126,7 @@ static int find_cable_index_by_id(struct + + static int find_cable_id_by_name(struct extcon_dev *edev, const char *name) + { +- unsigned int id = -EINVAL; ++ int id = -EINVAL; + int i = 0; + + /* Find the id of extcon cable */ +@@ -143,7 +143,7 @@ static int find_cable_id_by_name(struct + + static int find_cable_index_by_name(struct extcon_dev *edev, const char *name) + { +- unsigned int id; ++ int id; + + if (edev->max_supported == 0) + return -EINVAL; +@@ -378,7 +378,7 @@ EXPORT_SYMBOL_GPL(extcon_get_cable_state + */ + int extcon_get_cable_state(struct extcon_dev *edev, const char *cable_name) + { +- unsigned int id; ++ int id; + + id = find_cable_id_by_name(edev, cable_name); + if (id < 0) +@@ -426,7 +426,7 @@ EXPORT_SYMBOL_GPL(extcon_set_cable_state + int extcon_set_cable_state(struct extcon_dev *edev, + const char *cable_name, bool cable_state) + { +- unsigned int id; ++ int id; + + id = find_cable_id_by_name(edev, cable_name); + if (id < 0) diff --git a/queue-4.2/hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch b/queue-4.2/hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch new file mode 100644 index 00000000000..90670046d2f --- /dev/null +++ b/queue-4.2/hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch @@ -0,0 +1,67 @@ +From 2dc127bb299d1c7436a08e79193bd0251068356e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 4 Jun 2015 17:47:56 +0300 +Subject: hpsa: fix an sprintf() overflow in the reset handler + +From: Dan Carpenter + +commit 2dc127bb299d1c7436a08e79193bd0251068356e upstream. + +The string "cmd %d RESET FAILED, new lockup detected" is not quite +large enough so the sprintf() will overflow. I have increased the size +of the buffer and also changed the sprintf calls to snprintf. + +Fixes: 73153fe533bc ('hpsa: use block layer tag for command allocation') +Signed-off-by: Dan Carpenter +Acked-by: Don Brace +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/hpsa.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -5104,7 +5104,7 @@ static int hpsa_eh_device_reset_handler( + int rc; + struct ctlr_info *h; + struct hpsa_scsi_dev_t *dev; +- char msg[40]; ++ char msg[48]; + + /* find the controller to which the command to be aborted was sent */ + h = sdev_to_hba(scsicmd->device); +@@ -5122,16 +5122,18 @@ static int hpsa_eh_device_reset_handler( + + /* if controller locked up, we can guarantee command won't complete */ + if (lockup_detected(h)) { +- sprintf(msg, "cmd %d RESET FAILED, lockup detected", +- hpsa_get_cmd_index(scsicmd)); ++ snprintf(msg, sizeof(msg), ++ "cmd %d RESET FAILED, lockup detected", ++ hpsa_get_cmd_index(scsicmd)); + hpsa_show_dev_msg(KERN_WARNING, h, dev, msg); + return FAILED; + } + + /* this reset request might be the result of a lockup; check */ + if (detect_controller_lockup(h)) { +- sprintf(msg, "cmd %d RESET FAILED, new lockup detected", +- hpsa_get_cmd_index(scsicmd)); ++ snprintf(msg, sizeof(msg), ++ "cmd %d RESET FAILED, new lockup detected", ++ hpsa_get_cmd_index(scsicmd)); + hpsa_show_dev_msg(KERN_WARNING, h, dev, msg); + return FAILED; + } +@@ -5145,7 +5147,8 @@ static int hpsa_eh_device_reset_handler( + /* send a reset to the SCSI LUN which the command was sent to */ + rc = hpsa_do_reset(h, dev, dev->scsi3addr, HPSA_RESET_TYPE_LUN, + DEFAULT_REPLY_QUEUE); +- sprintf(msg, "reset %s", rc == 0 ? "completed successfully" : "failed"); ++ snprintf(msg, sizeof(msg), "reset %s", ++ rc == 0 ? "completed successfully" : "failed"); + hpsa_show_dev_msg(KERN_WARNING, h, dev, msg); + return rc == 0 ? SUCCESS : FAILED; + } diff --git a/queue-4.2/hv-util-checking-the-wrong-variable.patch b/queue-4.2/hv-util-checking-the-wrong-variable.patch new file mode 100644 index 00000000000..9bd58c52088 --- /dev/null +++ b/queue-4.2/hv-util-checking-the-wrong-variable.patch @@ -0,0 +1,34 @@ +From 9dd6a06430c94299651d74b9ed5ca8396ab8ff1f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 1 Aug 2015 16:08:17 -0700 +Subject: hv: util: checking the wrong variable + +From: Dan Carpenter + +commit 9dd6a06430c94299651d74b9ed5ca8396ab8ff1f upstream. + +We don't catch this allocation failure because there is a typo and we +check the wrong variable. + +Fixes: 14b50f80c32d ('Drivers: hv: util: introduce hv_utils_transport abstraction') + +Signed-off-by: Dan Carpenter +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_utils_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hv/hv_utils_transport.c ++++ b/drivers/hv/hv_utils_transport.c +@@ -186,7 +186,7 @@ int hvutil_transport_send(struct hvutil_ + return -EINVAL; + } else if (hvt->mode == HVUTIL_TRANSPORT_NETLINK) { + cn_msg = kzalloc(sizeof(*cn_msg) + len, GFP_ATOMIC); +- if (!msg) ++ if (!cn_msg) + return -ENOMEM; + cn_msg->id.idx = hvt->cn_id.idx; + cn_msg->id.val = hvt->cn_id.val; diff --git a/queue-4.2/ipr-enable-sis-pipe-commands-for-sis-32-devices.patch b/queue-4.2/ipr-enable-sis-pipe-commands-for-sis-32-devices.patch new file mode 100644 index 00000000000..ad3dbe2bf06 --- /dev/null +++ b/queue-4.2/ipr-enable-sis-pipe-commands-for-sis-32-devices.patch @@ -0,0 +1,35 @@ +From e35d7f27fbd51a09a41a5439e39f22a3d102c00b Mon Sep 17 00:00:00 2001 +From: Gabriel Krisman Bertazi +Date: Wed, 19 Aug 2015 11:47:06 -0300 +Subject: ipr: Enable SIS pipe commands for SIS-32 devices. + +From: Gabriel Krisman Bertazi + +commit e35d7f27fbd51a09a41a5439e39f22a3d102c00b upstream. + +Remove unnecessary check that disabled SIS pipe commands for SIS-32 +devices. This change was sufficient to enable raw mode and send SIS +pipe commands for a 57B3 device. + +Fixes: f8ee25d7d239 ("ipr: AF DASD raw mode implementation in ipr driver") +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Wen Xiong +Acked-by: Brian King +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -4554,7 +4554,7 @@ static ssize_t ipr_store_raw_mode(struct + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); + res = (struct ipr_resource_entry *)sdev->hostdata; + if (res) { +- if (ioa_cfg->sis64 && ipr_is_af_dasd_device(res)) { ++ if (ipr_is_af_dasd_device(res)) { + res->raw_mode = simple_strtoul(buf, NULL, 10); + len = strlen(buf); + if (res->sdev) diff --git a/queue-4.2/irqchip-atmel-aic5-use-per-chip-mask-caches-in-mask-unmask.patch b/queue-4.2/irqchip-atmel-aic5-use-per-chip-mask-caches-in-mask-unmask.patch new file mode 100644 index 00000000000..09bab4948fb --- /dev/null +++ b/queue-4.2/irqchip-atmel-aic5-use-per-chip-mask-caches-in-mask-unmask.patch @@ -0,0 +1,79 @@ +From d32dc9aa10c739363c775baf4499416b2e0dc11f Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Mon, 21 Sep 2015 15:46:04 +0200 +Subject: irqchip/atmel-aic5: Use per chip mask caches in mask/unmask() + +From: Ludovic Desroches + +commit d32dc9aa10c739363c775baf4499416b2e0dc11f upstream. + +When masking/unmasking interrupts, mask_cache is updated and used later +for suspend/resume. Unfortunately, it always was the mask_cache +associated with the first irq chip which was updated. So when performing +resume, only irqs 0-31 could be enabled. + +Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers") +Signed-off-by: Ludovic Desroches +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Link: http://lkml.kernel.org/r/1442843173-2390-1-git-send-email-ludovic.desroches@atmel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-atmel-aic5.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/irqchip/irq-atmel-aic5.c ++++ b/drivers/irqchip/irq-atmel-aic5.c +@@ -88,28 +88,36 @@ static void aic5_mask(struct irq_data *d + { + struct irq_domain *domain = d->domain; + struct irq_domain_chip_generic *dgc = domain->gc; +- struct irq_chip_generic *gc = dgc->gc[0]; ++ struct irq_chip_generic *bgc = dgc->gc[0]; ++ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); + +- /* Disable interrupt on AIC5 */ +- irq_gc_lock(gc); ++ /* ++ * Disable interrupt on AIC5. We always take the lock of the ++ * first irq chip as all chips share the same registers. ++ */ ++ irq_gc_lock(bgc); + irq_reg_writel(gc, d->hwirq, AT91_AIC5_SSR); + irq_reg_writel(gc, 1, AT91_AIC5_IDCR); + gc->mask_cache &= ~d->mask; +- irq_gc_unlock(gc); ++ irq_gc_unlock(bgc); + } + + static void aic5_unmask(struct irq_data *d) + { + struct irq_domain *domain = d->domain; + struct irq_domain_chip_generic *dgc = domain->gc; +- struct irq_chip_generic *gc = dgc->gc[0]; ++ struct irq_chip_generic *bgc = dgc->gc[0]; ++ struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); + +- /* Enable interrupt on AIC5 */ +- irq_gc_lock(gc); ++ /* ++ * Enable interrupt on AIC5. We always take the lock of the ++ * first irq chip as all chips share the same registers. ++ */ ++ irq_gc_lock(bgc); + irq_reg_writel(gc, d->hwirq, AT91_AIC5_SSR); + irq_reg_writel(gc, 1, AT91_AIC5_IECR); + gc->mask_cache |= d->mask; +- irq_gc_unlock(gc); ++ irq_gc_unlock(bgc); + } + + static int aic5_retrigger(struct irq_data *d) diff --git a/queue-4.2/irqchip-gic-v3-its-add-missing-cache-flushes.patch b/queue-4.2/irqchip-gic-v3-its-add-missing-cache-flushes.patch new file mode 100644 index 00000000000..f2e4d61650f --- /dev/null +++ b/queue-4.2/irqchip-gic-v3-its-add-missing-cache-flushes.patch @@ -0,0 +1,52 @@ +From 5a9a8915c8888b615521b17d70a4342187eae60b Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sun, 13 Sep 2015 12:14:32 +0100 +Subject: irqchip/gic-v3-its: Add missing cache flushes + +From: Marc Zyngier + +commit 5a9a8915c8888b615521b17d70a4342187eae60b upstream. + +When the ITS is configured for non-cacheable transactions, make sure +that the allocated, zeroed memory is flushed to the Point of +Coherency, allowing the ITS to observe the zeros instead of random +garbage (or even get its own data overwritten by zeros being evicted +from the cache...). + +Fixes: 241a386c7dbb "irqchip: gicv3-its: Use non-cacheable accesses when no shareability" +Reported-and-tested-by: Stuart Yoder +Signed-off-by: Marc Zyngier +Cc: linux-arm-kernel@lists.infradead.org +Cc: Pavel Fedin +Cc: Jason Cooper +Link: http://lkml.kernel.org/r/1442142873-20213-3-git-send-email-marc.zyngier@arm.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3-its.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -921,8 +921,10 @@ retry_baser: + * non-cacheable as well. + */ + shr = tmp & GITS_BASER_SHAREABILITY_MASK; +- if (!shr) ++ if (!shr) { + cache = GITS_BASER_nC; ++ __flush_dcache_area(base, alloc_size); ++ } + goto retry_baser; + } + +@@ -1163,6 +1165,8 @@ static struct its_device *its_create_dev + return NULL; + } + ++ __flush_dcache_area(itt, sz); ++ + dev->its = its; + dev->itt = itt; + dev->nr_ites = nr_ites; diff --git a/queue-4.2/mmc-dw_mmc-handle-data-blocks-than-4kb-if-idmac-is-used.patch b/queue-4.2/mmc-dw_mmc-handle-data-blocks-than-4kb-if-idmac-is-used.patch new file mode 100644 index 00000000000..ad58de1aea7 --- /dev/null +++ b/queue-4.2/mmc-dw_mmc-handle-data-blocks-than-4kb-if-idmac-is-used.patch @@ -0,0 +1,199 @@ +From 5959b32e3636f9bfe3f869d1e440bc4a4d660965 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 25 Jun 2015 11:25:07 +0300 +Subject: mmc: dw_mmc: handle data blocks > than 4kB if IDMAC is used + +From: Alexey Brodkin + +commit 5959b32e3636f9bfe3f869d1e440bc4a4d660965 upstream. + +As per DW MobileStorage databook "each descriptor can transfer up to 4kB +of data in chained mode", moreover buffer size that is put in "des1" is +limited to 13 bits, i.e. for example on attempt to +IDMAC_SET_BUFFER1_SIZE(desc, 8192) size value that's effectively written +will be 0. + +On the platform with 8kB PAGE_SIZE I see dw_mmc gets data blocks in +SG-list of 8kB size and that leads to unpredictable behavior of the +SD/MMC controller. + +In particular on write to FAT partition of SD-card the controller will +stuck in the middle of DMA transaction. + +Solution to the problem is simple - we need to pass large (> 4kB) data +buffers to the controller via multiple descriptors. And that's what +that change does. + +What's interesting I did try original driver on same platform but +configured with 4kB PAGE_SIZE and may confirm that data blocks passed +in SG-list to dw_mmc never exeed 4kB limit - that explains why nobody +ever faced a problem I did. + +Signed-off-by: Alexey Brodkin +Cc: Seungwon Jeon +Cc: Jaehoon Chung +Cc: Ulf Hansson +Cc: arc-linux-dev@synopsys.com +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Jaehoon Chung +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/dw_mmc.c | 109 +++++++++++++++++++++++++++++----------------- + 1 file changed, 71 insertions(+), 38 deletions(-) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -99,6 +99,9 @@ struct idmac_desc { + + __le32 des3; /* buffer 2 physical address */ + }; ++ ++/* Each descriptor can transfer up to 4KB of data in chained mode */ ++#define DW_MCI_DESC_DATA_LENGTH 0x1000 + #endif /* CONFIG_MMC_DW_IDMAC */ + + static bool dw_mci_reset(struct dw_mci *host); +@@ -462,66 +465,96 @@ static void dw_mci_idmac_complete_dma(st + static void dw_mci_translate_sglist(struct dw_mci *host, struct mmc_data *data, + unsigned int sg_len) + { ++ unsigned int desc_len; + int i; + if (host->dma_64bit_address == 1) { +- struct idmac_desc_64addr *desc = host->sg_cpu; ++ struct idmac_desc_64addr *desc_first, *desc_last, *desc; ++ ++ desc_first = desc_last = desc = host->sg_cpu; + +- for (i = 0; i < sg_len; i++, desc++) { ++ for (i = 0; i < sg_len; i++) { + unsigned int length = sg_dma_len(&data->sg[i]); + u64 mem_addr = sg_dma_address(&data->sg[i]); + +- /* +- * Set the OWN bit and disable interrupts for this +- * descriptor +- */ +- desc->des0 = IDMAC_DES0_OWN | IDMAC_DES0_DIC | +- IDMAC_DES0_CH; +- /* Buffer length */ +- IDMAC_64ADDR_SET_BUFFER1_SIZE(desc, length); +- +- /* Physical address to DMA to/from */ +- desc->des4 = mem_addr & 0xffffffff; +- desc->des5 = mem_addr >> 32; ++ for ( ; length ; desc++) { ++ desc_len = (length <= DW_MCI_DESC_DATA_LENGTH) ? ++ length : DW_MCI_DESC_DATA_LENGTH; ++ ++ length -= desc_len; ++ ++ /* ++ * Set the OWN bit and disable interrupts ++ * for this descriptor ++ */ ++ desc->des0 = IDMAC_DES0_OWN | IDMAC_DES0_DIC | ++ IDMAC_DES0_CH; ++ ++ /* Buffer length */ ++ IDMAC_64ADDR_SET_BUFFER1_SIZE(desc, desc_len); ++ ++ /* Physical address to DMA to/from */ ++ desc->des4 = mem_addr & 0xffffffff; ++ desc->des5 = mem_addr >> 32; ++ ++ /* Update physical address for the next desc */ ++ mem_addr += desc_len; ++ ++ /* Save pointer to the last descriptor */ ++ desc_last = desc; ++ } + } + + /* Set first descriptor */ +- desc = host->sg_cpu; +- desc->des0 |= IDMAC_DES0_FD; ++ desc_first->des0 |= IDMAC_DES0_FD; + + /* Set last descriptor */ +- desc = host->sg_cpu + (i - 1) * +- sizeof(struct idmac_desc_64addr); +- desc->des0 &= ~(IDMAC_DES0_CH | IDMAC_DES0_DIC); +- desc->des0 |= IDMAC_DES0_LD; ++ desc_last->des0 &= ~(IDMAC_DES0_CH | IDMAC_DES0_DIC); ++ desc_last->des0 |= IDMAC_DES0_LD; + + } else { +- struct idmac_desc *desc = host->sg_cpu; ++ struct idmac_desc *desc_first, *desc_last, *desc; ++ ++ desc_first = desc_last = desc = host->sg_cpu; + +- for (i = 0; i < sg_len; i++, desc++) { ++ for (i = 0; i < sg_len; i++) { + unsigned int length = sg_dma_len(&data->sg[i]); + u32 mem_addr = sg_dma_address(&data->sg[i]); + +- /* +- * Set the OWN bit and disable interrupts for this +- * descriptor +- */ +- desc->des0 = cpu_to_le32(IDMAC_DES0_OWN | +- IDMAC_DES0_DIC | IDMAC_DES0_CH); +- /* Buffer length */ +- IDMAC_SET_BUFFER1_SIZE(desc, length); ++ for ( ; length ; desc++) { ++ desc_len = (length <= DW_MCI_DESC_DATA_LENGTH) ? ++ length : DW_MCI_DESC_DATA_LENGTH; ++ ++ length -= desc_len; ++ ++ /* ++ * Set the OWN bit and disable interrupts ++ * for this descriptor ++ */ ++ desc->des0 = cpu_to_le32(IDMAC_DES0_OWN | ++ IDMAC_DES0_DIC | ++ IDMAC_DES0_CH); ++ ++ /* Buffer length */ ++ IDMAC_SET_BUFFER1_SIZE(desc, desc_len); + +- /* Physical address to DMA to/from */ +- desc->des2 = cpu_to_le32(mem_addr); ++ /* Physical address to DMA to/from */ ++ desc->des2 = cpu_to_le32(mem_addr); ++ ++ /* Update physical address for the next desc */ ++ mem_addr += desc_len; ++ ++ /* Save pointer to the last descriptor */ ++ desc_last = desc; ++ } + } + + /* Set first descriptor */ +- desc = host->sg_cpu; +- desc->des0 |= cpu_to_le32(IDMAC_DES0_FD); ++ desc_first->des0 |= cpu_to_le32(IDMAC_DES0_FD); + + /* Set last descriptor */ +- desc = host->sg_cpu + (i - 1) * sizeof(struct idmac_desc); +- desc->des0 &= cpu_to_le32(~(IDMAC_DES0_CH | IDMAC_DES0_DIC)); +- desc->des0 |= cpu_to_le32(IDMAC_DES0_LD); ++ desc_last->des0 &= cpu_to_le32(~(IDMAC_DES0_CH | ++ IDMAC_DES0_DIC)); ++ desc_last->des0 |= cpu_to_le32(IDMAC_DES0_LD); + } + + wmb(); +@@ -2394,7 +2427,7 @@ static int dw_mci_init_slot(struct dw_mc + #ifdef CONFIG_MMC_DW_IDMAC + mmc->max_segs = host->ring_size; + mmc->max_blk_size = 65536; +- mmc->max_seg_size = 0x1000; ++ mmc->max_seg_size = DW_MCI_DESC_DATA_LENGTH; + mmc->max_req_size = mmc->max_seg_size * host->ring_size; + mmc->max_blk_count = mmc->max_req_size / 512; + #else diff --git a/queue-4.2/mtd-nand-sunxi-fix-oob-handling-in-write_xxx-functions.patch b/queue-4.2/mtd-nand-sunxi-fix-oob-handling-in-write_xxx-functions.patch new file mode 100644 index 00000000000..0eab30c0401 --- /dev/null +++ b/queue-4.2/mtd-nand-sunxi-fix-oob-handling-in-write_xxx-functions.patch @@ -0,0 +1,77 @@ +From 03a0e8a7c5ea29b5c4e72dfd64900b47a8fb6f2d Mon Sep 17 00:00:00 2001 +From: Boris BREZILLON +Date: Mon, 14 Sep 2015 10:41:03 +0200 +Subject: mtd: nand: sunxi: fix OOB handling in ->write_xxx() functions + +From: Boris BREZILLON + +commit 03a0e8a7c5ea29b5c4e72dfd64900b47a8fb6f2d upstream. + +The USER_DATA register cannot be accessed using byte accessors on A13 +SoCs, thus triggering a bug when using memcpy_toio on this register. +Declare an helper macros to convert an OOB buffer into a suitable +USER_DATA value and vice-versa. + +This patch also fixes an error in the oob_required logic (some OOB data +are not written even if the user required it) by removing the +oob_required condition, which is perfectly valid since the core already +fill ->oob_poi with FFs when oob_required is false. + +Signed-off-by: Boris Brezillon +Fixes: 1fef62c1423b ("mtd: nand: add sunxi NAND flash controller support") +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/sunxi_nand.c | 26 +++++++++----------------- + 1 file changed, 9 insertions(+), 17 deletions(-) + +--- a/drivers/mtd/nand/sunxi_nand.c ++++ b/drivers/mtd/nand/sunxi_nand.c +@@ -138,6 +138,10 @@ + #define NFC_ECC_MODE GENMASK(15, 12) + #define NFC_RANDOM_SEED GENMASK(30, 16) + ++/* NFC_USER_DATA helper macros */ ++#define NFC_BUF_TO_USER_DATA(buf) ((buf)[0] | ((buf)[1] << 8) | \ ++ ((buf)[2] << 16) | ((buf)[3] << 24)) ++ + #define NFC_DEFAULT_TIMEOUT_MS 1000 + + #define NFC_SRAM_SIZE 1024 +@@ -632,15 +636,9 @@ static int sunxi_nfc_hw_ecc_write_page(s + offset = layout->eccpos[i * ecc->bytes] - 4 + mtd->writesize; + + /* Fill OOB data in */ +- if (oob_required) { +- tmp = 0xffffffff; +- memcpy_toio(nfc->regs + NFC_REG_USER_DATA_BASE, &tmp, +- 4); +- } else { +- memcpy_toio(nfc->regs + NFC_REG_USER_DATA_BASE, +- chip->oob_poi + offset - mtd->writesize, +- 4); +- } ++ writel(NFC_BUF_TO_USER_DATA(chip->oob_poi + ++ layout->oobfree[i].offset), ++ nfc->regs + NFC_REG_USER_DATA_BASE); + + chip->cmdfunc(mtd, NAND_CMD_RNDIN, offset, -1); + +@@ -770,14 +768,8 @@ static int sunxi_nfc_hw_syndrome_ecc_wri + offset += ecc->size; + + /* Fill OOB data in */ +- if (oob_required) { +- tmp = 0xffffffff; +- memcpy_toio(nfc->regs + NFC_REG_USER_DATA_BASE, &tmp, +- 4); +- } else { +- memcpy_toio(nfc->regs + NFC_REG_USER_DATA_BASE, oob, +- 4); +- } ++ writel(NFC_BUF_TO_USER_DATA(oob), ++ nfc->regs + NFC_REG_USER_DATA_BASE); + + tmp = NFC_DATA_TRANS | NFC_DATA_SWAP_METHOD | NFC_ACCESS_DIR | + (1 << 30); diff --git a/queue-4.2/mtd-nand-sunxi-fix-sunxi_nand_chips_cleanup.patch b/queue-4.2/mtd-nand-sunxi-fix-sunxi_nand_chips_cleanup.patch new file mode 100644 index 00000000000..4082e2b6f7a --- /dev/null +++ b/queue-4.2/mtd-nand-sunxi-fix-sunxi_nand_chips_cleanup.patch @@ -0,0 +1,33 @@ +From 8e375ccda31ccc73b087134e263c48d2114534f4 Mon Sep 17 00:00:00 2001 +From: Boris BREZILLON +Date: Sun, 13 Sep 2015 18:14:43 +0200 +Subject: mtd: nand: sunxi: fix sunxi_nand_chips_cleanup() + +From: Boris BREZILLON + +commit 8e375ccda31ccc73b087134e263c48d2114534f4 upstream. + +The sunxi_nand_chips_cleanup() function is missing a call to list_del() +which generates a double free error. + +Reported-by: Priit Laes +Signed-off-by: Boris Brezillon +Fixes: 1fef62c1423b ("mtd: nand: add sunxi NAND flash controller support") +Tested-by: Priit Laes +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/sunxi_nand.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/nand/sunxi_nand.c ++++ b/drivers/mtd/nand/sunxi_nand.c +@@ -1312,6 +1312,7 @@ static void sunxi_nand_chips_cleanup(str + node); + nand_release(&chip->mtd); + sunxi_nand_ecc_cleanup(&chip->nand.ecc); ++ list_del(&chip->node); + } + } + diff --git a/queue-4.2/mtd-pxa3xx_nand-add-a-default-chunk-size.patch b/queue-4.2/mtd-pxa3xx_nand-add-a-default-chunk-size.patch new file mode 100644 index 00000000000..377bf41069d --- /dev/null +++ b/queue-4.2/mtd-pxa3xx_nand-add-a-default-chunk-size.patch @@ -0,0 +1,41 @@ +From bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20T=C3=A9nart?= +Date: Tue, 18 Aug 2015 10:59:10 +0200 +Subject: mtd: pxa3xx_nand: add a default chunk size + +From: =?UTF-8?q?Antoine=20T=C3=A9nart?= + +commit bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 upstream. + +When keeping the configuration set by the bootloader (by using +the marvell,nand-keep-config property), the pxa3xx_nand_detect_config() +function is called and set the chunk size to 512 as a default value if +NDCR_PAGE_SZ is not set. + +In the other case, when not keeping the bootloader configuration, no +chunk size is set. Fix this by adding a default chunk size of 512. + +Fixes: 70ed85232a93 ("mtd: nand: pxa3xx: Introduce multiple page I/O +support") + +Signed-off-by: Antoine Tenart +Acked-by: Robert Jarzmik +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/pxa3xx_nand.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mtd/nand/pxa3xx_nand.c ++++ b/drivers/mtd/nand/pxa3xx_nand.c +@@ -1473,6 +1473,9 @@ static int pxa3xx_nand_scan(struct mtd_i + if (pdata->keep_config && !pxa3xx_nand_detect_config(info)) + goto KEEP_CONFIG; + ++ /* Set a default chunk size */ ++ info->chunk_size = 512; ++ + ret = pxa3xx_nand_sensing(info); + if (ret) { + dev_info(&info->pdev->dev, "There is no chip on cs %d!\n", diff --git a/queue-4.2/pcmcia-sa11x0-fix-missing-clk_put-in-sa11x0-socket-drivers.patch b/queue-4.2/pcmcia-sa11x0-fix-missing-clk_put-in-sa11x0-socket-drivers.patch new file mode 100644 index 00000000000..4a833d08fd0 --- /dev/null +++ b/queue-4.2/pcmcia-sa11x0-fix-missing-clk_put-in-sa11x0-socket-drivers.patch @@ -0,0 +1,50 @@ +From 72010aca55264cfe6516a955066c846d3885b0c6 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Thu, 26 Mar 2015 10:22:20 +0000 +Subject: pcmcia: sa11x0: fix missing clk_put() in sa11x0 socket drivers + +From: Russell King + +commit 72010aca55264cfe6516a955066c846d3885b0c6 upstream. + +Fix the lack of clk_put() in sa11xx_base.c's error cleanup paths by +converting the driver to the devm_* API. + +Fixes: 86d88bfca475 ("ARM: 8247/2: pcmcia: sa1100: make use of device clock") +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pcmcia/sa1100_generic.c | 1 - + drivers/pcmcia/sa11xx_base.c | 3 +-- + 2 files changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/pcmcia/sa1100_generic.c ++++ b/drivers/pcmcia/sa1100_generic.c +@@ -93,7 +93,6 @@ static int sa11x0_drv_pcmcia_remove(stru + for (i = 0; i < sinfo->nskt; i++) + soc_pcmcia_remove_one(&sinfo->skt[i]); + +- clk_put(sinfo->clk); + kfree(sinfo); + return 0; + } +--- a/drivers/pcmcia/sa11xx_base.c ++++ b/drivers/pcmcia/sa11xx_base.c +@@ -222,7 +222,7 @@ int sa11xx_drv_pcmcia_probe(struct devic + int i, ret = 0; + struct clk *clk; + +- clk = clk_get(dev, NULL); ++ clk = devm_clk_get(dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); + +@@ -251,7 +251,6 @@ int sa11xx_drv_pcmcia_probe(struct devic + if (ret) { + while (--i >= 0) + soc_pcmcia_remove_one(&sinfo->skt[i]); +- clk_put(clk); + kfree(sinfo); + } else { + dev_set_drvdata(dev, sinfo); diff --git a/queue-4.2/pm-avs-rockchip-io-depend-on-config_power_avs.patch b/queue-4.2/pm-avs-rockchip-io-depend-on-config_power_avs.patch new file mode 100644 index 00000000000..22bf7a6b9b7 --- /dev/null +++ b/queue-4.2/pm-avs-rockchip-io-depend-on-config_power_avs.patch @@ -0,0 +1,38 @@ +From 28c1f1628ee4b163e615eefe1b6463e3d229a873 Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner +Date: Tue, 4 Aug 2015 21:36:12 +0200 +Subject: PM / AVS: rockchip-io: depend on CONFIG_POWER_AVS + +From: Heiko Stuebner + +commit 28c1f1628ee4b163e615eefe1b6463e3d229a873 upstream. + +The rockchip io-domain driver currently only depends on ARCH_ROCKCHIP +itself. This makes it possible to select the power-domain driver, but +not the POWER_AVS class and results in the iodomain-driver not getting +build in this case. + +So add the additional dependency, which also results in the driver +config option now being placed nicely into the AVS submenu. + +Fixes: 662a958638bd ("PM / AVS: rockchip-io: add driver handling Rockchip io domains") +Signed-off-by: Heiko Stuebner +Acked-by: Kevin Hilman +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/avs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/avs/Kconfig ++++ b/drivers/power/avs/Kconfig +@@ -13,7 +13,7 @@ menuconfig POWER_AVS + + config ROCKCHIP_IODOMAIN + tristate "Rockchip IO domain support" +- depends on ARCH_ROCKCHIP && OF ++ depends on POWER_AVS && ARCH_ROCKCHIP && OF + help + Say y here to enable support io domains on Rockchip SoCs. It is + necessary for the io domain setting of the SoC to match the diff --git a/queue-4.2/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch b/queue-4.2/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch new file mode 100644 index 00000000000..7bbb89bf9fa --- /dev/null +++ b/queue-4.2/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch @@ -0,0 +1,35 @@ +From 176fc2d5770a0990eebff903ba680d2edd32e718 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Sat, 19 Sep 2015 07:12:34 -0700 +Subject: regmap: debugfs: Don't bother actually printing when calculating max length + +From: Mark Brown + +commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream. + +The in kernel snprintf() will conveniently return the actual length of +the printed string even if not given an output beffer at all so just do +that rather than relying on the user to pass in a suitable buffer, +ensuring that we don't need to worry if the buffer was truncated due to +the size of the buffer passed in. + +Reported-by: Rasmus Villemoes +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/regmap/regmap-debugfs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -32,8 +32,7 @@ static DEFINE_MUTEX(regmap_debugfs_early + /* Calculate the length of a fixed format */ + static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size) + { +- snprintf(buf, buf_size, "%x", max_val); +- return strlen(buf); ++ return snprintf(NULL, 0, "%x", max_val); + } + + static ssize_t regmap_name_read_file(struct file *file, diff --git a/queue-4.2/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch b/queue-4.2/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch new file mode 100644 index 00000000000..95a6905b1af --- /dev/null +++ b/queue-4.2/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch @@ -0,0 +1,34 @@ +From b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Sat, 19 Sep 2015 07:00:18 -0700 +Subject: regmap: debugfs: Ensure we don't underflow when printing access masks + +From: Mark Brown + +commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream. + +If a read is attempted which is smaller than the line length then we may +underflow the subtraction we're doing with the unsigned size_t type so +move some of the calculation to be additions on the right hand side +instead in order to avoid this. + +Reported-by: Rasmus Villemoes +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/regmap/regmap-debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -432,7 +432,7 @@ static ssize_t regmap_access_read_file(s + /* If we're in the region the user is trying to read */ + if (p >= *ppos) { + /* ...but not beyond it */ +- if (buf_pos >= count - 1 - tot_len) ++ if (buf_pos + tot_len + 1 >= count) + break; + + /* Format the register */ diff --git a/queue-4.2/security-fix-typo-in-security_task_prctl.patch b/queue-4.2/security-fix-typo-in-security_task_prctl.patch new file mode 100644 index 00000000000..3770866485c --- /dev/null +++ b/queue-4.2/security-fix-typo-in-security_task_prctl.patch @@ -0,0 +1,29 @@ +From b7f76ea2ef6739ee484a165ffbac98deb855d3d3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 18 Sep 2015 23:41:23 +0200 +Subject: security: fix typo in security_task_prctl + +From: Jann Horn + +commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3 upstream. + +Signed-off-by: Jann Horn +Reviewed-by: Andy Lutomirski +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/security.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -946,7 +946,7 @@ static inline int security_task_prctl(in + unsigned long arg4, + unsigned long arg5) + { +- return cap_task_prctl(option, arg2, arg3, arg3, arg5); ++ return cap_task_prctl(option, arg2, arg3, arg4, arg5); + } + + static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) diff --git a/queue-4.2/series b/queue-4.2/series index 93215ff3256..8516561e6f0 100644 --- a/queue-4.2/series +++ b/queue-4.2/series @@ -162,3 +162,30 @@ xhci-init-command-timeout-timer-earlier-to-avoid-deleting-it-uninitialized.patch usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch batman-adv-make-dat-capability-changes-atomic.patch +thermal-cpu_cooling-don-t-call-kcalloc-under-rcu_read_lock.patch +thermal-cpu_cooling-free-power-table-on-error-or-when-unregistering.patch +hv-util-checking-the-wrong-variable.patch +mmc-dw_mmc-handle-data-blocks-than-4kb-if-idmac-is-used.patch +usb-chipidea-imx-fix-a-typo-for-imx6sx.patch +cifs-use-server-timestamp-for-ntlmv2-authentication.patch +irqchip-atmel-aic5-use-per-chip-mask-caches-in-mask-unmask.patch +irqchip-gic-v3-its-add-missing-cache-flushes.patch +docs-update-howto-for-3.x-4.x-versioning.patch +extcon-fix-signedness-bugs-about-break-error-handling.patch +extcon-fix-attached-value-returned-by-is_extcon_changed.patch +mtd-pxa3xx_nand-add-a-default-chunk-size.patch +mtd-nand-sunxi-fix-sunxi_nand_chips_cleanup.patch +mtd-nand-sunxi-fix-oob-handling-in-write_xxx-functions.patch +hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch +pm-avs-rockchip-io-depend-on-config_power_avs.patch +device-property-fix-potential-null-pointer-dereference.patch +ath10k-fix-per-vif-queue-locking.patch +ath10k-reject-11b-tx-fragmentation-configuration.patch +ath10k-fix-peer-limit-enforcement.patch +ath10k-wake-up-offchannel-queue-properly.patch +ath10k-wake-up-queue-upon-vif-creation.patch +pcmcia-sa11x0-fix-missing-clk_put-in-sa11x0-socket-drivers.patch +ipr-enable-sis-pipe-commands-for-sis-32-devices.patch +regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch +regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch +security-fix-typo-in-security_task_prctl.patch diff --git a/queue-4.2/thermal-cpu_cooling-don-t-call-kcalloc-under-rcu_read_lock.patch b/queue-4.2/thermal-cpu_cooling-don-t-call-kcalloc-under-rcu_read_lock.patch new file mode 100644 index 00000000000..3e0786ecff7 --- /dev/null +++ b/queue-4.2/thermal-cpu_cooling-don-t-call-kcalloc-under-rcu_read_lock.patch @@ -0,0 +1,125 @@ +From 459ac37506d195713b5e82271a2ac44a777e47df Mon Sep 17 00:00:00 2001 +From: Javi Merino +Date: Mon, 17 Aug 2015 19:21:42 +0100 +Subject: thermal: cpu_cooling: don't call kcalloc() under rcu_read_lock + +From: Javi Merino + +commit 459ac37506d195713b5e82271a2ac44a777e47df upstream. + +build_dyn_power_table() allocates the power table while holding +rcu_read_lock. kcalloc using GFP_KERNEL may sleep, so it can't be +called in an RCU read-side path. + +Move the rcu protection to the part of the function that really needs +it: the part that handles the dev_pm_opp pointer received from +dev_pm_opp_find_freq_ceil(). In the unlikely case that there is an OPP +added to the cpu while this function is running, return -EAGAIN. + +Fixes: c36cf0717631 ("thermal: cpu_cooling: implement the power cooling device API") +Cc: Zhang Rui +Cc: Eduardo Valentin +Signed-off-by: Javi Merino +Signed-off-by: Eduardo Valentin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thermal/cpu_cooling.c | 47 ++++++++++++++++++++---------------------- + 1 file changed, 23 insertions(+), 24 deletions(-) + +--- a/drivers/thermal/cpu_cooling.c ++++ b/drivers/thermal/cpu_cooling.c +@@ -262,7 +262,9 @@ static int cpufreq_thermal_notifier(stru + * efficiently. Power is stored in mW, frequency in KHz. The + * resulting table is in ascending order. + * +- * Return: 0 on success, -E* on error. ++ * Return: 0 on success, -EINVAL if there are no OPPs for any CPUs, ++ * -ENOMEM if we run out of memory or -EAGAIN if an OPP was ++ * added/enabled while the function was executing. + */ + static int build_dyn_power_table(struct cpufreq_cooling_device *cpufreq_device, + u32 capacitance) +@@ -270,11 +272,9 @@ static int build_dyn_power_table(struct + struct power_table *power_table; + struct dev_pm_opp *opp; + struct device *dev = NULL; +- int num_opps = 0, cpu, i, ret = 0; ++ int num_opps = 0, cpu, i; + unsigned long freq; + +- rcu_read_lock(); +- + for_each_cpu(cpu, &cpufreq_device->allowed_cpus) { + dev = get_cpu_device(cpu); + if (!dev) { +@@ -284,24 +284,20 @@ static int build_dyn_power_table(struct + } + + num_opps = dev_pm_opp_get_opp_count(dev); +- if (num_opps > 0) { ++ if (num_opps > 0) + break; +- } else if (num_opps < 0) { +- ret = num_opps; +- goto unlock; +- } ++ else if (num_opps < 0) ++ return num_opps; + } + +- if (num_opps == 0) { +- ret = -EINVAL; +- goto unlock; +- } ++ if (num_opps == 0) ++ return -EINVAL; + + power_table = kcalloc(num_opps, sizeof(*power_table), GFP_KERNEL); +- if (!power_table) { +- ret = -ENOMEM; +- goto unlock; +- } ++ if (!power_table) ++ return -ENOMEM; ++ ++ rcu_read_lock(); + + for (freq = 0, i = 0; + opp = dev_pm_opp_find_freq_ceil(dev, &freq), !IS_ERR(opp); +@@ -309,6 +305,11 @@ static int build_dyn_power_table(struct + u32 freq_mhz, voltage_mv; + u64 power; + ++ if (i >= num_opps) { ++ rcu_read_unlock(); ++ return -EAGAIN; ++ } ++ + freq_mhz = freq / 1000000; + voltage_mv = dev_pm_opp_get_voltage(opp) / 1000; + +@@ -326,18 +327,16 @@ static int build_dyn_power_table(struct + power_table[i].power = power; + } + +- if (i == 0) { +- ret = PTR_ERR(opp); +- goto unlock; +- } ++ rcu_read_unlock(); ++ ++ if (i != num_opps) ++ return PTR_ERR(opp); + + cpufreq_device->cpu_dev = dev; + cpufreq_device->dyn_power_table = power_table; + cpufreq_device->dyn_power_table_entries = i; + +-unlock: +- rcu_read_unlock(); +- return ret; ++ return 0; + } + + static u32 cpu_freq_to_power(struct cpufreq_cooling_device *cpufreq_device, diff --git a/queue-4.2/thermal-cpu_cooling-free-power-table-on-error-or-when-unregistering.patch b/queue-4.2/thermal-cpu_cooling-free-power-table-on-error-or-when-unregistering.patch new file mode 100644 index 00000000000..b90758e79c6 --- /dev/null +++ b/queue-4.2/thermal-cpu_cooling-free-power-table-on-error-or-when-unregistering.patch @@ -0,0 +1,94 @@ +From eba4f88d5af84e0fcaa5d6eb4fe35a75c47203cb Mon Sep 17 00:00:00 2001 +From: Javi Merino +Date: Mon, 17 Aug 2015 19:21:43 +0100 +Subject: thermal: cpu_cooling: free power table on error or when unregistering + +From: Javi Merino + +commit eba4f88d5af84e0fcaa5d6eb4fe35a75c47203cb upstream. + +The power table is not being freed on error from cpufreq_cooling +register or when unregistering. Free it. + +Fixes: c36cf0717631 ("thermal: cpu_cooling: implement the power cooling device API") +Cc: Zhang Rui +Cc: Eduardo Valentin +Signed-off-by: Javi Merino +Signed-off-by: Eduardo Valentin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thermal/cpu_cooling.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/thermal/cpu_cooling.c ++++ b/drivers/thermal/cpu_cooling.c +@@ -272,7 +272,7 @@ static int build_dyn_power_table(struct + struct power_table *power_table; + struct dev_pm_opp *opp; + struct device *dev = NULL; +- int num_opps = 0, cpu, i; ++ int num_opps = 0, cpu, i, ret = 0; + unsigned long freq; + + for_each_cpu(cpu, &cpufreq_device->allowed_cpus) { +@@ -307,7 +307,8 @@ static int build_dyn_power_table(struct + + if (i >= num_opps) { + rcu_read_unlock(); +- return -EAGAIN; ++ ret = -EAGAIN; ++ goto free_power_table; + } + + freq_mhz = freq / 1000000; +@@ -329,14 +330,21 @@ static int build_dyn_power_table(struct + + rcu_read_unlock(); + +- if (i != num_opps) +- return PTR_ERR(opp); ++ if (i != num_opps) { ++ ret = PTR_ERR(opp); ++ goto free_power_table; ++ } + + cpufreq_device->cpu_dev = dev; + cpufreq_device->dyn_power_table = power_table; + cpufreq_device->dyn_power_table_entries = i; + + return 0; ++ ++free_power_table: ++ kfree(power_table); ++ ++ return ret; + } + + static u32 cpu_freq_to_power(struct cpufreq_cooling_device *cpufreq_device, +@@ -846,7 +854,7 @@ __cpufreq_cooling_register(struct device + ret = get_idr(&cpufreq_idr, &cpufreq_dev->id); + if (ret) { + cool_dev = ERR_PTR(ret); +- goto free_table; ++ goto free_power_table; + } + + snprintf(dev_name, sizeof(dev_name), "thermal-cpufreq-%d", +@@ -888,6 +896,8 @@ __cpufreq_cooling_register(struct device + + remove_idr: + release_idr(&cpufreq_idr, cpufreq_dev->id); ++free_power_table: ++ kfree(cpufreq_dev->dyn_power_table); + free_table: + kfree(cpufreq_dev->freq_table); + free_time_in_idle_timestamp: +@@ -1038,6 +1048,7 @@ void cpufreq_cooling_unregister(struct t + + thermal_cooling_device_unregister(cpufreq_dev->cool_dev); + release_idr(&cpufreq_idr, cpufreq_dev->id); ++ kfree(cpufreq_dev->dyn_power_table); + kfree(cpufreq_dev->time_in_idle_timestamp); + kfree(cpufreq_dev->time_in_idle); + kfree(cpufreq_dev->freq_table); diff --git a/queue-4.2/usb-chipidea-imx-fix-a-typo-for-imx6sx.patch b/queue-4.2/usb-chipidea-imx-fix-a-typo-for-imx6sx.patch new file mode 100644 index 00000000000..4a1c731a2fe --- /dev/null +++ b/queue-4.2/usb-chipidea-imx-fix-a-typo-for-imx6sx.patch @@ -0,0 +1,31 @@ +From 8315b77d72c5f0b18ceb513303d845e73166133c Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Wed, 16 Sep 2015 14:46:32 +0800 +Subject: usb: chipidea: imx: fix a typo for imx6sx + +From: Li Jun + +commit 8315b77d72c5f0b18ceb513303d845e73166133c upstream. + +Use imx6sx instead of imx6sl's platform flags for imx6sx. + +Fixes: e14db48dfcf3 ("usb: chipidea: imx: add runtime power management support") +Signed-off-by: Li Jun +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -56,7 +56,7 @@ static const struct of_device_id ci_hdrc + { .compatible = "fsl,imx27-usb", .data = &imx27_usb_data}, + { .compatible = "fsl,imx6q-usb", .data = &imx6q_usb_data}, + { .compatible = "fsl,imx6sl-usb", .data = &imx6sl_usb_data}, +- { .compatible = "fsl,imx6sx-usb", .data = &imx6sl_usb_data}, ++ { .compatible = "fsl,imx6sx-usb", .data = &imx6sx_usb_data}, + { /* sentinel */ } + }; + MODULE_DEVICE_TABLE(of, ci_hdrc_imx_dt_ids);