From: Greg Kroah-Hartman Date: Wed, 23 Sep 2015 04:14:48 +0000 (-0700) Subject: 4.2-stable patches X-Git-Tag: v4.1.9~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3cc5a10754f7301b0fb38eae773eedf50daf8ab9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch blk-mq-fix-race-between-timeout-and-freeing-request.patch cxl-allow-release-of-contexts-which-have-been-opened-but-not-started.patch cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch igb-fix-oops-caused-by-missing-queue-pairing.patch mac80211-enable-assoc-check-for-mesh-interfaces.patch mips-cps-use-32b-accesses-to-gcrs.patch mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch nfc-netlink-add-check-on-nfc_attr_vendor_data.patch nfc-netlink-warning-fix.patch nfc-st-nci-fix-non-accurate-comment-for-st_nci_i2c_read.patch nfc-st-nci-fix-typo-when-changing-from-st21nfcb-to-st-nci.patch nfc-st-nci-fix-use-of-uninitialized-variables-in-error-path.patch nfc-st-nci-free-data-with-irrelevant-ndlc-pcb_sync-value.patch nfc-st-nci-remove-data-from-ack_pending_q-when-receiving-a-sync_ack.patch nfc-st-nci-remove-duplicate-file-platform_data-st_nci.h.patch nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch revert-ext4-remove-block_device_ejected.patch rtlwifi-rtl8192cu-add-new-device-id.patch rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch tg3-fix-temperature-reporting.patch unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch --- 
diff --git a/queue-4.2/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch b/queue-4.2/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch
new file mode 100644
index 00000000000..e8ca74617ca
--- /dev/null
+++ b/queue-4.2/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch
@@ -0,0 +1,73 @@ +From 596f5aad2a704b72934e5abec1b1b4114c16f45b Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sun, 9 Aug 2015 03:41:50 -0400 +Subject: blk-mq: fix buffer overflow when reading sysfs file of 'pending' + +From: Ming Lei + +commit 596f5aad2a704b72934e5abec1b1b4114c16f45b upstream. + +There may be lots of pending requests so that the buffer of PAGE_SIZE +can't hold them at all. + +One typical example is scsi-mq, the queue depth(.can_queue) of +scsi_host and blk-mq is quite big but scsi_device's queue_depth +is a bit small(.cmd_per_lun), then it is quite easy to have lots +of pending requests in hw queue. + +This patch fixes the following warning and the related memory +destruction. + +[ 359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M +[ 359.055595] irq event stamp: 15537^M +[ 359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M +[ 359.055614] Dumping ftrace buffer:^M +[ 359.055660] (ftrace buffer empty)^M +[ 359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M +[ 359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M +[ 359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M +[ 359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M +[ 359.055693] RIP: 0010:[] [] __kmalloc+0xe8/0x152^M + +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq-sysfs.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_sh + + static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg) + { +- char *start_page = page; + struct request *rq; ++ int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg); + +- page += sprintf(page, "%s:\n", msg); ++ list_for_each_entry(rq, list, queuelist) { ++ 
const int rq_len = 2 * sizeof(rq) + 2; + +- list_for_each_entry(rq, list, queuelist) +- page += sprintf(page, "\t%p\n", rq); ++ /* if the output will be truncated */ ++ if (PAGE_SIZE - 1 < len + rq_len) { ++ /* backspacing if it can't hold '\t...\n' */ ++ if (PAGE_SIZE - 1 < len + 5) ++ len -= rq_len; ++ len += snprintf(page + len, PAGE_SIZE - 1 - len, ++ "\t...\n"); ++ break; ++ } ++ len += snprintf(page + len, PAGE_SIZE - 1 - len, ++ "\t%p\n", rq); ++ } + +- return page - start_page; ++ return len; + } + + static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page) diff --git a/queue-4.2/blk-mq-fix-race-between-timeout-and-freeing-request.patch b/queue-4.2/blk-mq-fix-race-between-timeout-and-freeing-request.patch new file mode 100644 index 00000000000..9e8b2a4adf9 --- /dev/null +++ b/queue-4.2/blk-mq-fix-race-between-timeout-and-freeing-request.patch 
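Review bot: In sysfs_list_show the running `len` is advanced by the return value of `snprintf()`, which is the length the output would have had rather than the number of bytes stored, so a long `msg` in the first call can leave `len` past `PAGE_SIZE - 1` before the loop's bound check ever runs. The kernel's `scnprintf()` returns the bytes actually written and keeps the accounting inside the buffer: `len += scnprintf(page + len, PAGE_SIZE - 1 - len, "\t%p\n", rq);`, and likewise for the header and the `"\t...\n"` line. The `rq_len` estimate (`2 * sizeof(rq) + 2`) assumes `%p` always prints two hex digits per pointer byte; a one-line comment stating that assumption would help the next reader. This file also emits raw request addresses with `%p`; who may read it is not visible here, and `%pK` is the usual choice when the reader may be unprivileged.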
@@ -0,0 +1,226 @@ +From 0048b4837affd153897ed1222283492070027aa9 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sun, 9 Aug 2015 03:41:51 -0400 +Subject: blk-mq: fix race between timeout and freeing request + +From: Ming Lei + +commit 0048b4837affd153897ed1222283492070027aa9 upstream. + +Inside timeout handler, blk_mq_tag_to_rq() is called +to retrieve the request from one tag. This way is obviously +wrong because the request can be freed any time and some +fiedds of the request can't be trusted, then kernel oops +might be triggered[1]. + +Currently wrt. blk_mq_tag_to_rq(), the only special case is +that the flush request can share same tag with the request +cloned from, and the two requests can't be active at the same +time, so this patch fixes the above issue by updating tags->rqs[tag] +with the active request(either flush rq or the request cloned +from) of the tag. + +Also blk_mq_tag_to_rq() gets much simplified with this patch. + +Given blk_mq_tag_to_rq() is mainly for drivers and the caller must +make sure the request can't be freed, so in bt_for_each() this +helper is replaced with tags->rqs[tag]. 
+ +[1] kernel oops log +[ 439.696220] BUG: unable to handle kernel NULL pointer dereference at 0000000000000158^M +[ 439.697162] IP: [] blk_mq_tag_to_rq+0x21/0x6e^M +[ 439.700653] PGD 7ef765067 PUD 7ef764067 PMD 0 ^M +[ 439.700653] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M +[ 439.700653] Dumping ftrace buffer:^M +[ 439.700653] (ftrace buffer empty)^M +[ 439.700653] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M +[ 439.700653] CPU: 6 PID: 2779 Comm: stress-ng-sigfd Not tainted 4.2.0-rc5-next-20150805+ #265^M +[ 439.730500] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M +[ 439.730500] task: ffff880605308000 ti: ffff88060530c000 task.ti: ffff88060530c000^M +[ 439.730500] RIP: 0010:[] [] blk_mq_tag_to_rq+0x21/0x6e^M +[ 439.730500] RSP: 0018:ffff880819203da0 EFLAGS: 00010283^M +[ 439.730500] RAX: ffff880811b0e000 RBX: ffff8800bb465f00 RCX: 0000000000000002^M +[ 439.730500] RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000^M +[ 439.730500] RBP: ffff880819203db0 R08: 0000000000000002 R09: 0000000000000000^M +[ 439.730500] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000202^M +[ 439.730500] R13: ffff880814104800 R14: 0000000000000002 R15: ffff880811a2ea00^M +[ 439.730500] FS: 00007f165b3f5740(0000) GS:ffff880819200000(0000) knlGS:0000000000000000^M +[ 439.730500] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b^M +[ 439.730500] CR2: 0000000000000158 CR3: 00000007ef766000 CR4: 00000000000006e0^M +[ 439.730500] Stack:^M +[ 439.730500] 0000000000000008 ffff8808114eed90 ffff880819203e00 ffffffff812dc104^M +[ 439.755663] ffff880819203e40 ffffffff812d9f5e 0000020000000000 ffff8808114eed80^M +[ 439.755663] Call Trace:^M +[ 439.755663] ^M +[ 439.755663] [] bt_for_each+0x6e/0xc8^M +[ 439.755663] [] ? blk_mq_rq_timed_out+0x6a/0x6a^M +[ 439.755663] [] ? blk_mq_rq_timed_out+0x6a/0x6a^M +[ 439.755663] [] blk_mq_tag_busy_iter+0x55/0x5e^M +[ 439.755663] [] ? 
blk_mq_bio_to_request+0x38/0x38^M +[ 439.755663] [] blk_mq_rq_timer+0x5d/0xd4^M +[ 439.755663] [] call_timer_fn+0xf7/0x284^M +[ 439.755663] [] ? call_timer_fn+0x5/0x284^M +[ 439.755663] [] ? blk_mq_bio_to_request+0x38/0x38^M +[ 439.755663] [] run_timer_softirq+0x1ce/0x1f8^M +[ 439.755663] [] __do_softirq+0x181/0x3a4^M +[ 439.755663] [] irq_exit+0x40/0x94^M +[ 439.755663] [] smp_apic_timer_interrupt+0x33/0x3e^M +[ 439.755663] [] apic_timer_interrupt+0x84/0x90^M +[ 439.755663] ^M +[ 439.755663] [] ? _raw_spin_unlock_irq+0x32/0x4a^M +[ 439.755663] [] finish_task_switch+0xe0/0x163^M +[ 439.755663] [] ? finish_task_switch+0xa2/0x163^M +[ 439.755663] [] __schedule+0x469/0x6cd^M +[ 439.755663] [] schedule+0x82/0x9a^M +[ 439.789267] [] signalfd_read+0x186/0x49a^M +[ 439.790911] [] ? wake_up_q+0x47/0x47^M +[ 439.790911] [] __vfs_read+0x28/0x9f^M +[ 439.790911] [] ? __fget_light+0x4d/0x74^M +[ 439.790911] [] vfs_read+0x7a/0xc6^M +[ 439.790911] [] SyS_read+0x49/0x7f^M +[ 439.790911] [] entry_SYSCALL_64_fastpath+0x12/0x6f^M +[ 439.790911] Code: 48 89 e5 e8 a9 b8 e7 ff 5d c3 0f 1f 44 00 00 55 89 +f2 48 89 e5 41 54 41 89 f4 53 48 8b 47 60 48 8b 1c d0 48 8b 7b 30 48 8b +53 38 <48> 8b 87 58 01 00 00 48 85 c0 75 09 48 8b 97 88 0c 00 00 eb 10 +^M +[ 439.790911] RIP [] blk_mq_tag_to_rq+0x21/0x6e^M +[ 439.790911] RSP ^M +[ 439.790911] CR2: 0000000000000158^M +[ 439.790911] ---[ end trace d40af58949325661 ]---^M + +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-flush.c | 15 ++++++++++++++- + block/blk-mq-tag.c | 4 ++-- + block/blk-mq-tag.h | 12 ++++++++++++ + block/blk-mq.c | 16 +--------------- + block/blk.h | 6 ++++++ + 5 files changed, 35 insertions(+), 18 deletions(-) + +--- a/block/blk-flush.c ++++ b/block/blk-flush.c +@@ -73,6 +73,7 @@ + + #include "blk.h" + #include "blk-mq.h" ++#include "blk-mq-tag.h" + + /* FLUSH/FUA sequences */ + enum { +@@ -226,7 +227,12 @@ static void flush_end_io(struct request + struct 
blk_flush_queue *fq = blk_get_flush_queue(q, flush_rq->mq_ctx); + + if (q->mq_ops) { ++ struct blk_mq_hw_ctx *hctx; ++ ++ /* release the tag's ownership to the req cloned from */ + spin_lock_irqsave(&fq->mq_flush_lock, flags); ++ hctx = q->mq_ops->map_queue(q, flush_rq->mq_ctx->cpu); ++ blk_mq_tag_set_rq(hctx, flush_rq->tag, fq->orig_rq); + flush_rq->tag = -1; + } + +@@ -308,11 +314,18 @@ static bool blk_kick_flush(struct reques + + /* + * Borrow tag from the first request since they can't +- * be in flight at the same time. ++ * be in flight at the same time. And acquire the tag's ++ * ownership for flush req. + */ + if (q->mq_ops) { ++ struct blk_mq_hw_ctx *hctx; ++ + flush_rq->mq_ctx = first_rq->mq_ctx; + flush_rq->tag = first_rq->tag; ++ fq->orig_rq = first_rq; ++ ++ hctx = q->mq_ops->map_queue(q, first_rq->mq_ctx->cpu); ++ blk_mq_tag_set_rq(hctx, first_rq->tag, flush_rq); + } + + flush_rq->cmd_type = REQ_TYPE_FS; +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -429,7 +429,7 @@ static void bt_for_each(struct blk_mq_hw + for (bit = find_first_bit(&bm->word, bm->depth); + bit < bm->depth; + bit = find_next_bit(&bm->word, bm->depth, bit + 1)) { +- rq = blk_mq_tag_to_rq(hctx->tags, off + bit); ++ rq = hctx->tags->rqs[off + bit]; + if (rq->q == hctx->queue) + fn(hctx, rq, data, reserved); + } +@@ -453,7 +453,7 @@ static void bt_tags_for_each(struct blk_ + for (bit = find_first_bit(&bm->word, bm->depth); + bit < bm->depth; + bit = find_next_bit(&bm->word, bm->depth, bit + 1)) { +- rq = blk_mq_tag_to_rq(tags, off + bit); ++ rq = tags->rqs[off + bit]; + fn(rq, data, reserved); + } + +--- a/block/blk-mq-tag.h ++++ b/block/blk-mq-tag.h +@@ -89,4 +89,16 @@ static inline void blk_mq_tag_idle(struc + __blk_mq_tag_idle(hctx); + } + ++/* ++ * This helper should only be used for flush request to share tag ++ * with the request cloned from, and both the two requests can't be ++ * in flight at the same time. The caller has to make sure the tag ++ * can't be freed. 
++ */ ++static inline void blk_mq_tag_set_rq(struct blk_mq_hw_ctx *hctx, ++ unsigned int tag, struct request *rq) ++{ ++ hctx->tags->rqs[tag] = rq; ++} ++ + #endif +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -559,23 +559,9 @@ void blk_mq_abort_requeue_list(struct re + } + EXPORT_SYMBOL(blk_mq_abort_requeue_list); + +-static inline bool is_flush_request(struct request *rq, +- struct blk_flush_queue *fq, unsigned int tag) +-{ +- return ((rq->cmd_flags & REQ_FLUSH_SEQ) && +- fq->flush_rq->tag == tag); +-} +- + struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag) + { +- struct request *rq = tags->rqs[tag]; +- /* mq_ctx of flush rq is always cloned from the corresponding req */ +- struct blk_flush_queue *fq = blk_get_flush_queue(rq->q, rq->mq_ctx); +- +- if (!is_flush_request(rq, fq, tag)) +- return rq; +- +- return fq->flush_rq; ++ return tags->rqs[tag]; + } + EXPORT_SYMBOL(blk_mq_tag_to_rq); + +--- a/block/blk.h ++++ b/block/blk.h +@@ -22,6 +22,12 @@ struct blk_flush_queue { + struct list_head flush_queue[2]; + struct list_head flush_data_in_flight; + struct request *flush_rq; ++ ++ /* ++ * flush_rq shares tag with this rq, both can't be active ++ * at the same time ++ */ ++ struct request *orig_rq; + spinlock_t mq_flush_lock; + }; + diff --git a/queue-4.2/cxl-allow-release-of-contexts-which-have-been-opened-but-not-started.patch b/queue-4.2/cxl-allow-release-of-contexts-which-have-been-opened-but-not-started.patch new file mode 100644 index 00000000000..fddcc56f736 --- /dev/null +++ b/queue-4.2/cxl-allow-release-of-contexts-which-have-been-opened-but-not-started.patch 
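Review bot: After the simplification in block/blk-mq.c, `blk_mq_tag_to_rq()` is a bare `tags->rqs[tag]` with no range check, and the commit text describes it as mainly a driver-facing helper, so a tag taken from a device completion becomes an array index unchecked. A guard such as `if (tag >= tags->nr_tags) return NULL;` would bound the read, provided callers are prepared for NULL; whether they are is outside these hunks. The function also has no comment now: the contract stated in the commit message (the caller must make sure the request cannot be freed) belongs above it as a short kernel-doc comment. The same unchecked indexing applies to the new `blk_mq_tag_set_rq()` in blk-mq-tag.h, which stores through `hctx->tags->rqs[tag]`.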
@@ -0,0 +1,47 @@
+From 7c26b9cf5347c24272152438cdd9675183804425 Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan
+Date: Wed, 19 Aug 2015 09:27:18 +1000
+Subject: cxl: Allow release of contexts which have been OPENED but not STARTED
+
+From: Andrew Donnellan
+
+commit 7c26b9cf5347c24272152438cdd9675183804425 upstream.
+
+If we open a context but do not start it (either because we do not attempt
+to start it, or because it fails to start for some reason), we are left
+with a context in state OPENED. Previously, cxl_release_context() only
+allowed releasing contexts in state CLOSED, so attempting to release an
+OPENED context would fail.
+
+In particular, this bug causes available contexts to run out after some EEH
+failures, where drivers attempt to release contexts that have failed to
+start.
+
+Allow releasing contexts in any state with a value lower than STARTED, i.e.
+OPENED or CLOSED (we can't release a STARTED context as it's currently
+using the hardware, and we assume that contexts in any new states which may
+be added in future with a value higher than STARTED are also unsafe to
+release).
+
+Fixes: 6f7f0b3df6d4 ("cxl: Add AFU virtual PHB and kernel API")
+Signed-off-by: Andrew Donnellan
+Signed-off-by: Daniel Axtens
+Acked-by: Ian Munsie
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/cxl/api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/api.c
++++ b/drivers/misc/cxl/api.c
+@@ -59,7 +59,7 @@ EXPORT_SYMBOL_GPL(cxl_get_phys_dev);
+
+ int cxl_release_context(struct cxl_context *ctx)
+ {
+- if (ctx->status != CLOSED)
++ if (ctx->status >= STARTED)
+ return -EBUSY;
+
+ put_device(&ctx->afu->dev);
diff --git a/queue-4.2/cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch b/queue-4.2/cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch
new file mode 100644
index 00000000000..e235e7e2881
--- /dev/null
+++ b/queue-4.2/cxl-fix-unbalanced-pci_dev_get-in-cxl_probe.patch
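Review bot: The new test `ctx->status >= STARTED` in cxl_release_context depends on the numeric order of the context state enum, which is defined outside this hunk, and nothing at the check says so. A comment on the line, for example `/* OPENED and CLOSED sort below STARTED; anything at or above it may still own hardware */`, would keep a later reordering of the enum from silently allowing release of a live context. The read of `ctx->status` is also unlocked in the visible lines; whether the state can change concurrently with release needs confirming against the rest of the function, which continues past the hunk.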
@@ -0,0 +1,69 @@
+From 2925c2fdf1e0eb642482f5b30577e9435aaa8edb Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Tue, 15 Sep 2015 15:04:07 +1000
+Subject: cxl: Fix unbalanced pci_dev_get in cxl_probe
+
+From: Daniel Axtens
+
+commit 2925c2fdf1e0eb642482f5b30577e9435aaa8edb upstream.
+
+Currently the first thing we do in cxl_probe is to grab a reference
+on the pci device. Later on, we call device_register on our adapter.
+In our remove path, we call device_unregister, but we never call
+pci_dev_put. We therefore leak the device every time we do a
+reflash.
+
+device_register/unregister is sufficient to hold the reference.
+Therefore, drop the call to pci_dev_get.
+
+Here's why this is safe.
+The proposed cxl_probe(pdev) calls cxl_adapter_init:
+ a) init calls cxl_adapter_alloc, which creates a struct cxl,
+ conventionally called adapter. This struct contains a
+ device entry, adapter->dev.
+
+ b) init calls cxl_configure_adapter, where we set
+ adapter->dev.parent = &dev->dev (here dev is the pci dev)
+
+So at this point, the cxl adapter's device's parent is the PCI
+device that I want to be refcounted properly.
+
+ c) init calls cxl_register_adapter
+ *) cxl_register_adapter calls device_register(&adapter->dev)
+
+So now we're in device_register, where dev is the adapter device, and
+we want to know if the PCI device is safe after we return.
+
+device_register(&adapter->dev) calls device_initialize() and then
+device_add().
+
+device_add() does a get_device(). device_add() also explicitly grabs
+the device's parent, and calls get_device() on it:
+
+ parent = get_device(dev->parent);
+
+So therefore, device_register() takes a lock on the parent PCI dev,
+which is what pci_dev_get() was guarding. pci_dev_get() can therefore
+be safely removed.
+
+Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
+Signed-off-by: Daniel Axtens
+Acked-by: Ian Munsie
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/cxl/pci.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -1124,8 +1124,6 @@ static int cxl_probe(struct pci_dev *dev
+ int slice;
+ int rc;
+
+- pci_dev_get(dev);
+-
+ if (cxl_verbose)
+ dump_cxl_config_space(dev);
+
diff --git a/queue-4.2/cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch b/queue-4.2/cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch
new file mode 100644
index 00000000000..8b9d4b06ac0
--- /dev/null
+++ b/queue-4.2/cxl-remove-racy-attempt-to-force-eeh-invocation-in-reset.patch
@@ -0,0 +1,73 @@ +From 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 21 Aug 2015 17:25:15 +1000 +Subject: cxl: Remove racy attempt to force EEH invocation in reset + +From: Daniel Axtens + +commit 9d8e27673c45927fee9e7d8992ffb325a6b0b0e4 upstream. + +cxl_reset currently PERSTs the slot, and then repeatedly tries to +read MMIO space in order to kick off EEH. + +There are 2 problems with this: it's unnecessary, and it's racy. + +It's unnecessary because the PERST will bring down the PHB link. +That will be picked up by the CAPP, which will send out an HMI. +Skiboot, noticing an HMI from the CAPP, will send an OPAL +notification to the kernel, which will trigger EEH recovery. + +It's also racy: the EEH recovery triggered by the CAPP will +eventually cause the MMIO space to have its mapping invalidated +and the pointer NULLed out. This races with our attempt to read +the MMIO space. This is causing OOPSes in testing. + +Simply drop all the attempts to force EEH detection, and trust +that Skiboot will send the notification and that we'll act on it. +The Skiboot code to send the EEH notification has been in Skiboot +for as long as CAPP recovery has been supported, so we don't need +to worry about breaking obscure setups with ancient firmware. + +Cc: Ryan Grimm +Fixes: 62fa19d4b4fd ("cxl: Add ability to reset the card") +Signed-off-by: Daniel Axtens +Acked-by: Ian Munsie +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/pci.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -851,8 +851,6 @@ int cxl_reset(struct cxl *adapter) + { + struct pci_dev *dev = to_pci_dev(adapter->dev.parent); + int rc; +- int i; +- u32 val; + + dev_info(&dev->dev, "CXL reset\n"); + +@@ -869,20 +867,6 @@ int cxl_reset(struct cxl *adapter) + return rc; + } + +- /* the PERST done above fences the PHB. 
So, reset depends on EEH +- * to unbind the driver, tell Sapphire to reinit the PHB, and rebind +- * the driver. Do an mmio read explictly to ensure EEH notices the +- * fenced PHB. Retry for a few seconds before giving up. */ +- i = 0; +- while (((val = mmio_read32be(adapter->p1_mmio)) != 0xffffffff) && +- (i < 5)) { +- msleep(500); +- i++; +- } +- +- if (val != 0xffffffff) +- dev_err(&dev->dev, "cxl: PERST failed to trigger EEH\n"); +- + return rc; + } + diff --git a/queue-4.2/ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch b/queue-4.2/ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch new file mode 100644 index 00000000000..81f2712c504 --- /dev/null +++ b/queue-4.2/ext4-don-t-manipulate-recovery-flag-when-freezing-no-journal-fs.patch 
@@ -0,0 +1,66 @@ +From c642dc9e1aaed953597e7092d7df329e6234096e Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Sat, 15 Aug 2015 10:45:06 -0400 +Subject: ext4: don't manipulate recovery flag when freezing no-journal fs + +From: Eric Sandeen + +commit c642dc9e1aaed953597e7092d7df329e6234096e upstream. + +At some point along this sequence of changes: + +f6e63f9 ext4: fold ext4_nojournal_sops into ext4_sops +bb04457 ext4: support freezing ext2 (nojournal) file systems +9ca9238 ext4: Use separate super_operations structure for no_journal filesystems + +ext4 started setting needs_recovery on filesystems without journals +when they are unfrozen. This makes no sense, and in fact confuses +blkid to the point where it doesn't recognize the filesystem at all. + +(freeze ext2; unfreeze ext2; run blkid; see no output; run dumpe2fs, +see needs_recovery set on fs w/ no journal). + +To fix this, don't manipulate the INCOMPAT_RECOVER feature on +filesystems without journals. + +Reported-by: Stu Mark +Reviewed-by: Jan Kara +Signed-off-by: Eric Sandeen +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4833,10 +4833,11 @@ static int ext4_freeze(struct super_bloc + error = jbd2_journal_flush(journal); + if (error < 0) + goto out; ++ ++ /* Journal blocked and flushed, clear needs_recovery flag. */ ++ EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER); + } + +- /* Journal blocked and flushed, clear needs_recovery flag. */ +- EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER); + error = ext4_commit_super(sb, 1); + out: + if (journal) +@@ -4854,8 +4855,11 @@ static int ext4_unfreeze(struct super_bl + if (sb->s_flags & MS_RDONLY) + return 0; + +- /* Reset the needs_recovery flag before the fs is unlocked. 
*/ +- EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER); ++ if (EXT4_SB(sb)->s_journal) { ++ /* Reset the needs_recovery flag before the fs is unlocked. */ ++ EXT4_SET_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER); ++ } ++ + ext4_commit_super(sb, 1); + return 0; + } diff --git a/queue-4.2/igb-fix-oops-caused-by-missing-queue-pairing.patch b/queue-4.2/igb-fix-oops-caused-by-missing-queue-pairing.patch new file mode 100644 index 00000000000..8ad53f64fbc --- /dev/null +++ b/queue-4.2/igb-fix-oops-caused-by-missing-queue-pairing.patch 
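Review bot: ext4_unfreeze still calls `ext4_commit_super(sb, 1)` and then returns 0 whatever the result, while ext4_freeze in the same patch assigns the result to `error` and propagates it. If the superblock write fails on unfreeze, the on-disk needs_recovery state may not match what was just set in memory and the caller is not told. Ending the function with `return ext4_commit_super(sb, 1);` would make the two paths consistent, assuming callers of the unfreeze hook tolerate an error, which is not visible from this hunk.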
@@ -0,0 +1,116 @@ +From 72ddef0506da852dc82f078f37ced8ef4d74a2bf Mon Sep 17 00:00:00 2001 +From: Shota Suzuki +Date: Wed, 1 Jul 2015 09:25:52 +0900 +Subject: igb: Fix oops caused by missing queue pairing + +From: Shota Suzuki + +commit 72ddef0506da852dc82f078f37ced8ef4d74a2bf upstream. + +When initializing igb driver (e.g. 82576, I350), IGB_FLAG_QUEUE_PAIRS is +set if adapter->rss_queues exceeds half of max_rss_queues in +igb_init_queue_configuration(). +On the other hand, IGB_FLAG_QUEUE_PAIRS is not set even if the number of +queues exceeds half of max_combined in igb_set_channels() when changing +the number of queues by "ethtool -L". +In this case, if numvecs is larger than MAX_MSIX_ENTRIES (10), the size +of adapter->msix_entries[], an overflow can occur in +igb_set_interrupt_capability(), which in turn leads to an oops. + +Fix this problem as follows: + - When changing the number of queues by "ethtool -L", set + IGB_FLAG_QUEUE_PAIRS in the same way as initializing igb driver. + - When increasing the size of q_vector, reallocate it appropriately. + (With IGB_FLAG_QUEUE_PAIRS set, the size of q_vector gets larger.) + +Another possible way to fix this problem is to cap the queues at its +initial number, which is the number of the initial online cpus. But this +is not the optimal way because we cannot increase queues when another +cpu becomes online. + +Note that before commit cd14ef54d25b ("igb: Change to use statically +allocated array for MSIx entries"), this problem did not cause oops +but just made the number of queues become 1 because of entering msi_only +mode in igb_set_interrupt_capability(). 
+ +Fixes: 907b7835799f ("igb: Add ethtool support to configure number of channels") +Signed-off-by: Shota Suzuki +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/igb.h | 1 + + drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 ++++- + drivers/net/ethernet/intel/igb/igb_main.c | 16 ++++++++++++++-- + 3 files changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -540,6 +540,7 @@ void igb_ptp_rx_pktstamp(struct igb_q_ve + struct sk_buff *skb); + int igb_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr); + int igb_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr); ++void igb_set_flag_queue_pairs(struct igb_adapter *, const u32); + #ifdef CONFIG_IGB_HWMON + void igb_sysfs_exit(struct igb_adapter *adapter); + int igb_sysfs_init(struct igb_adapter *adapter); +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c +@@ -2991,6 +2991,7 @@ static int igb_set_channels(struct net_d + { + struct igb_adapter *adapter = netdev_priv(netdev); + unsigned int count = ch->combined_count; ++ unsigned int max_combined = 0; + + /* Verify they are not requesting separate vectors */ + if (!count || ch->rx_count || ch->tx_count) +@@ -3001,11 +3002,13 @@ static int igb_set_channels(struct net_d + return -EINVAL; + + /* Verify the number of channels doesn't exceed hw limits */ +- if (count > igb_max_channels(adapter)) ++ max_combined = igb_max_channels(adapter); ++ if (count > max_combined) + return -EINVAL; + + if (count != adapter->rss_queues) { + adapter->rss_queues = count; ++ igb_set_flag_queue_pairs(adapter, max_combined); + + /* Hardware has to reinitialize queues and interrupts to + * match the new configuration. 
+--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1205,10 +1205,14 @@ static int igb_alloc_q_vector(struct igb + + /* allocate q_vector and rings */ + q_vector = adapter->q_vector[v_idx]; +- if (!q_vector) ++ if (!q_vector) { + q_vector = kzalloc(size, GFP_KERNEL); +- else ++ } else if (size > ksize(q_vector)) { ++ kfree_rcu(q_vector, rcu); ++ q_vector = kzalloc(size, GFP_KERNEL); ++ } else { + memset(q_vector, 0, size); ++ } + if (!q_vector) + return -ENOMEM; + +@@ -2888,6 +2892,14 @@ static void igb_init_queue_configuration + + adapter->rss_queues = min_t(u32, max_rss_queues, num_online_cpus()); + ++ igb_set_flag_queue_pairs(adapter, max_rss_queues); ++} ++ ++void igb_set_flag_queue_pairs(struct igb_adapter *adapter, ++ const u32 max_rss_queues) ++{ ++ struct e1000_hw *hw = &adapter->hw; ++ + /* Determine if we need to pair queues. */ + switch (hw->mac.type) { + case e1000_82575: diff --git a/queue-4.2/mac80211-enable-assoc-check-for-mesh-interfaces.patch b/queue-4.2/mac80211-enable-assoc-check-for-mesh-interfaces.patch new file mode 100644 index 00000000000..0e74cf08880 --- /dev/null +++ b/queue-4.2/mac80211-enable-assoc-check-for-mesh-interfaces.patch 
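Review bot: In igb_alloc_q_vector the grow branch hands the old `q_vector` to `kfree_rcu()` before the larger replacement is allocated, so when `kzalloc()` fails the function returns -ENOMEM while `adapter->q_vector[v_idx]`, read at the top of the hunk, still refers to memory that is about to be freed. Where that slot is next written is outside the hunk, so the exact consequence cannot be confirmed from here, but any later teardown that walks `adapter->q_vector[]` would see a stale pointer. Allocating first and releasing the old vector only once the new one exists closes that window. The function body starts and ends outside the hunk.

```c
	/* … unchanged: q_vector = adapter->q_vector[v_idx]; and the !q_vector branch … */
	} else if (size > ksize(q_vector)) {
		struct igb_q_vector *grown = kzalloc(size, GFP_KERNEL);

		/* keep the old vector in place if the larger one cannot be had */
		if (!grown)
			return -ENOMEM;
		kfree_rcu(q_vector, rcu);
		q_vector = grown;
	} else {
	/* … unchanged: memset() reuse path and the -ENOMEM check … */
```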
@@ -0,0 +1,41 @@
+From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001
+From: Bob Copeland
+Date: Sat, 13 Jun 2015 10:16:31 -0400
+Subject: mac80211: enable assoc check for mesh interfaces
+
+From: Bob Copeland
+
+commit 3633ebebab2bbe88124388b7620442315c968e8f upstream.
+
+We already set a station to be associated when peering completes, both
+in user space and in the kernel. Thus we should always have an
+associated sta before sending data frames to that station.
+
+Failure to check assoc state can cause crashes in the lower-level driver
+due to transmitting unicast data frames before driver sta structures
+(e.g. ampdu state in ath9k) are initialized. This occurred when
+forwarding in the presence of fixed mesh paths: frames were transmitted
+to stations with whom we hadn't yet completed peering.
+
+Reported-by: Alexis Green
+Tested-by: Jesse Jones
+Signed-off-by: Bob Copeland
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/tx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -311,9 +311,6 @@ ieee80211_tx_h_check_assoc(struct ieee80
+ if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
+ return TX_CONTINUE;
+
+- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+- return TX_CONTINUE;
+-
+ if (tx->flags & IEEE80211_TX_PS_BUFFERED)
+ return TX_CONTINUE;
+
diff --git a/queue-4.2/mips-cps-use-32b-accesses-to-gcrs.patch b/queue-4.2/mips-cps-use-32b-accesses-to-gcrs.patch
new file mode 100644
index 00000000000..67760f00dd1
--- /dev/null
+++ b/queue-4.2/mips-cps-use-32b-accesses-to-gcrs.patch
@@ -0,0 +1,51 @@
+From 90996511187d6282db6d02d3f97006b4dbb5c457 Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Wed, 5 Aug 2015 15:42:35 -0700
+Subject: MIPS: CPS: use 32b accesses to GCRs
+
+From: Paul Burton
+
+commit 90996511187d6282db6d02d3f97006b4dbb5c457 upstream.
+
+Commit b677bc03d757 ("MIPS: cps-vec: Use macros for various arithmetics
+and memory operations") replaced various load & store instructions
+through cps-vec.S with the PTR_L & PTR_S macros. However it was somewhat
+overzealous in doing so for CM GCR accesses, since the bit width of the
+CM doesn't necessarily match that of the CPU. The registers accessed
+(GCR_CL_COHERENCE & GCR_CL_ID) should be safe to simply always access
+using 32b instructions, so do so in order to avoid issues when using a
+32b CM with a 64b CPU.
+
+Signed-off-by: Paul Burton
+Cc: Markos Chandras
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: James Hogan
+Patchwork: https://patchwork.linux-mips.org/patch/10864/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/cps-vec.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/cps-vec.S
++++ b/arch/mips/kernel/cps-vec.S
+@@ -152,7 +152,7 @@ dcache_done:
+
+ /* Enter the coherent domain */
+ li t0, 0xff
+- PTR_S t0, GCR_CL_COHERENCE_OFS(v1)
++ sw t0, GCR_CL_COHERENCE_OFS(v1)
+ ehb
+
+ /* Jump to kseg0 */
+@@ -302,7 +302,7 @@ LEAF(mips_cps_boot_vpes)
+ PTR_L t0, 0(t0)
+
+ /* Calculate a pointer to this cores struct core_boot_config */
+- PTR_L t0, GCR_CL_ID_OFS(t0)
++ lw t0, GCR_CL_ID_OFS(t0)
+ li t1, COREBOOTCFG_SIZE
+ mul t0, t0, t1
+ PTR_LA t1, mips_cps_core_bootcfg
diff --git a/queue-4.2/mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch b/queue-4.2/mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch
new file mode 100644
index 00000000000..4793dc4965c
--- /dev/null
+++ b/queue-4.2/mips-math-emu-allow-m-f-t-hc-emulation-on-mips-r6.patch
@@ -0,0 +1,42 @@
+From e8f80cc1a6d80587136b015e989a12827e1fcfe5 Mon Sep 17 00:00:00 2001
+From: Markos Chandras
+Date: Fri, 17 Jul 2015 10:36:03 +0100
+Subject: MIPS: math-emu: Allow m{f,t}hc emulation on MIPS R6
+
+From: Markos Chandras
+
+commit e8f80cc1a6d80587136b015e989a12827e1fcfe5 upstream.
+
+The mfhc/mthc instructions are supported on MIPS R6 so emulate
+them if needed.
+
+Signed-off-by: Markos Chandras
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10737/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/math-emu/cp1emu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1137,7 +1137,7 @@ emul:
+ break;
+
+ case mfhc_op:
+- if (!cpu_has_mips_r2)
++ if (!cpu_has_mips_r2_r6)
+ goto sigill;
+
+ /* copregister rd -> gpr[rt] */
+@@ -1148,7 +1148,7 @@ emul:
+ break;
+
+ case mthc_op:
+- if (!cpu_has_mips_r2)
++ if (!cpu_has_mips_r2_r6)
+ goto sigill;
+
+ /* copregister rd <- gpr[rt] */
diff --git a/queue-4.2/mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch b/queue-4.2/mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch
new file mode 100644
index 00000000000..7d581e15d67
--- /dev/null
+++ b/queue-4.2/mips-math-emu-emulate-missing-bc1-eq-ne-z-instructions.patch
@@ -0,0 +1,60 @@
+From c909ca718e8f50cf484ef06a8dd935e738e8e53d Mon Sep 17 00:00:00 2001
+From: Markos Chandras
+Date: Fri, 17 Jul 2015 10:38:32 +0100
+Subject: MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions
+
+From: Markos Chandras
+
+commit c909ca718e8f50cf484ef06a8dd935e738e8e53d upstream.
+
+Commit c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+added support for emulating the new R6 BC1{EQ,NE}Z branches but it missed
+the case where the instruction that caused the exception was not on a DS.
+
+Signed-off-by: Markos Chandras
+Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10738/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/math-emu/cp1emu.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1181,6 +1181,24 @@ emul:
+ }
+ break;
+
++ case bc1eqz_op:
++ case bc1nez_op:
++ if (!cpu_has_mips_r6 || delay_slot(xcp))
++ return SIGILL;
++
++ cond = likely = 0;
++ switch (MIPSInst_RS(ir)) {
++ case bc1eqz_op:
++ if (get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1)
++ cond = 1;
++ break;
++ case bc1nez_op:
++ if (!(get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1))
++ cond = 1;
++ break;
++ }
++ goto branch_common;
++
+ case bc_op:
+ if (delay_slot(xcp))
+ return SIGILL;
+@@ -1207,7 +1225,7 @@ emul:
+ case bct_op:
+ break;
+ }
+-
++branch_common:
+ set_delay_slot(xcp);
+ if (cond) {
+ /*
diff --git a/queue-4.2/nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch b/queue-4.2/nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch
new file mode 100644
index 00000000000..baf8f902651
--- /dev/null
+++ b/queue-4.2/nfc-nci-hci-add-check-on-skb-nci_hci_send_cmd-parameter.patch
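Review bot: The branch sense in the added inner `switch (MIPSInst_RS(ir))` looks inverted: the `bc1eqz_op` case sets `cond = 1` when bit 0 of the FPR is set, and the `bc1nez_op` case sets it when the bit is clear, while the mnemonics (branch if equal to zero / not equal to zero) suggest the opposite. If the R6 definition matches the mnemonics, the two tests should swap, so that `bc1eqz_op` uses the `!(... & 0x1)` form and `bc1nez_op` the plain `... & 0x1` form. The inner switch also has no `default`; that is safe only because the outer case labels already restrict the value, and a one-line comment saying so would help. The enclosing switch under `emul:` starts and ends outside the hunk.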
@@ -0,0 +1,32 @@
+From 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Wed, 19 Aug 2015 21:26:42 +0200
+Subject: nfc: nci: hci: Add check on skb nci_hci_send_cmd parameter
+
+From: Christophe Ricard
+
+commit 5a9e0ffc0f128ecdf7c770f76c268e4f9f3c9118 upstream.
+
+skb can be NULL and may lead to a NULL pointer error.
+
+Add a check condition before setting HCI rx buffer.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/nci/hci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -233,7 +233,7 @@ int nci_hci_send_cmd(struct nci_dev *nde
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+
+- if (r == NCI_STATUS_OK)
++ if (r == NCI_STATUS_OK && skb)
+ *skb = conn_info->rx_skb;
+
+ return r;
diff --git a/queue-4.2/nfc-netlink-add-check-on-nfc_attr_vendor_data.patch b/queue-4.2/nfc-netlink-add-check-on-nfc_attr_vendor_data.patch
new file mode 100644
index 00000000000..9af59e7527c
--- /dev/null
+++ b/queue-4.2/nfc-netlink-add-check-on-nfc_attr_vendor_data.patch
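Review bot: With the added `&& skb` guard, a caller that passes `skb == NULL` still gets `NCI_STATUS_OK` back while `conn_info->rx_skb` is left in place, and nothing in the visible lines frees or clears it. If the response buffer is meant to be owned by the caller on success, the NULL case should release it, for example `else if (r == NCI_STATUS_OK) kfree_skb(conn_info->rx_skb);`; otherwise a comment above the assignment should say the buffer stays with `conn_info` and who frees it. The body of nci_hci_send_cmd starts outside the hunk, so the ownership rule has to be confirmed there before choosing between the two.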
@@ -0,0 +1,34 @@
+From fe202fe95564023223ce1910c9e352f391abb1d5 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Fri, 14 Aug 2015 22:33:40 +0200
+Subject: nfc: netlink: Add check on NFC_ATTR_VENDOR_DATA
+
+From: Christophe Ricard
+
+commit fe202fe95564023223ce1910c9e352f391abb1d5 upstream.
+
+NFC_ATTR_VENDOR_DATA is an optional vendor_cmd argument.
+The current code was potentially using a non existing argument
+leading to potential catastrophic results.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1518,8 +1518,8 @@ static int nfc_genl_vendor_cmd(struct sk
+ if (!dev || !dev->vendor_cmds || !dev->n_vendor_cmds)
+ return -ENODEV;
+
+- data = nla_data(info->attrs[NFC_ATTR_VENDOR_DATA]);
+- if (data) {
++ if (info->attrs[NFC_ATTR_VENDOR_DATA]) {
++ data = nla_data(info->attrs[NFC_ATTR_VENDOR_DATA]);
+ data_len = nla_len(info->attrs[NFC_ATTR_VENDOR_DATA]);
+ if (data_len == 0)
+ return -EINVAL;
diff --git a/queue-4.2/nfc-netlink-warning-fix.patch b/queue-4.2/nfc-netlink-warning-fix.patch
new file mode 100644
index 00000000000..cb7c8a65c8d
--- /dev/null
+++ b/queue-4.2/nfc-netlink-warning-fix.patch
@@ -0,0 +1,35 @@
+From adca3c38d807b341a965d0aba8721d0784d8471b Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Mon, 17 Aug 2015 08:33:43 +0200
+Subject: nfc: netlink: Warning fix
+
+From: Christophe Ricard
+
+commit adca3c38d807b341a965d0aba8721d0784d8471b upstream.
+
+When NFC_ATTR_VENDOR_DATA is not set, data_len is 0 and data is NULL.
+
+Fixes the following warning:
+
+net/nfc/netlink.c:1536:3: warning: 'data' may be used uninitialized
++in this function [-Wmaybe-uninitialized]
+ return cmd->doit(dev, data, data_len);
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1524,6 +1524,7 @@ static int nfc_genl_vendor_cmd(struct sk
+ if (data_len == 0)
+ return -EINVAL;
+ } else {
++ data = NULL;
+ data_len = 0;
+ }
+
diff --git a/queue-4.2/nfc-st-nci-fix-non-accurate-comment-for-st_nci_i2c_read.patch b/queue-4.2/nfc-st-nci-fix-non-accurate-comment-for-st_nci_i2c_read.patch
new file mode 100644
index 00000000000..54ac6b50b52
--- /dev/null
+++ b/queue-4.2/nfc-st-nci-fix-non-accurate-comment-for-st_nci_i2c_read.patch
@@ -0,0 +1,40 @@
+From e7723b33077b04648213f043bc22654c54e375e4 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Fri, 14 Aug 2015 22:33:32 +0200
+Subject: nfc: st-nci: Fix non accurate comment for st_nci_i2c_read
+
+From: Christophe Ricard
+
+commit e7723b33077b04648213f043bc22654c54e375e4 upstream.
+
+Due to a copy and paste error st_nci_i2c_read still contains
+st21nfca header comment.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/st-nci/i2c.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/nfc/st-nci/i2c.c
++++ b/drivers/nfc/st-nci/i2c.c
+@@ -118,15 +118,10 @@ static int st_nci_i2c_write(void *phy_id
+ /*
+ * Reads an ndlc frame and returns it in a newly allocated sk_buff.
+ * returns:
+- * frame size : if received frame is complete (find ST_NCI_SOF_EOF at
+- * end of read)
+- * -EAGAIN : if received frame is incomplete (not find ST_NCI_SOF_EOF
+- * at end of read)
++ * 0 : if received frame is complete
+ * -EREMOTEIO : i2c read error (fatal)
+ * -EBADMSG : frame was incorrect and discarded
+- * (value returned from st_nci_i2c_repack)
+- * -EIO : if no ST_NCI_SOF_EOF is found after reaching
+- * the read length end sequence
++ * -ENOMEM : cannot allocate skb, frame dropped
+ */
+ static int st_nci_i2c_read(struct st_nci_i2c_phy *phy,
+ struct sk_buff **skb)
diff --git a/queue-4.2/nfc-st-nci-fix-typo-when-changing-from-st21nfcb-to-st-nci.patch b/queue-4.2/nfc-st-nci-fix-typo-when-changing-from-st21nfcb-to-st-nci.patch
new file mode 100644
index 00000000000..84301ef5aca
--- /dev/null
+++ b/queue-4.2/nfc-st-nci-fix-typo-when-changing-from-st21nfcb-to-st-nci.patch
@@ -0,0 +1,80 @@ +From 30458aac63c89771d19f023083d64d018562812e Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Fri, 14 Aug 2015 22:33:31 +0200 +Subject: nfc: st-nci: Fix typo when changing from st21nfcb to st-nci + +From: Christophe Ricard + +commit 30458aac63c89771d19f023083d64d018562812e upstream. + +Replace ST21NFCB with ST_NCI or st21nfcb with st_nci as it +was forgotten in commit "nfc: st-nci: Rename st21nfcb to st-nci" +ed06aeefdac348cfb91a3db5fe1067e3202afd70 + +Signed-off-by: Christophe Ricard +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/st-nci/i2c.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/nfc/st-nci/i2c.c ++++ b/drivers/nfc/st-nci/i2c.c +@@ -29,11 +29,11 @@ + + #include "ndlc.h" + +-#define DRIVER_DESC "NCI NFC driver for ST21NFCB" ++#define DRIVER_DESC "NCI NFC driver for ST_NCI" + + /* ndlc header */ +-#define ST21NFCB_FRAME_HEADROOM 1 +-#define ST21NFCB_FRAME_TAILROOM 0 ++#define ST_NCI_FRAME_HEADROOM 1 ++#define ST_NCI_FRAME_TAILROOM 0 + + #define ST_NCI_I2C_MIN_SIZE 4 /* PCB(1) + NCI Packet header(3) */ + #define ST_NCI_I2C_MAX_SIZE 250 /* req 4.2.1 */ +@@ -118,14 +118,14 @@ static int st_nci_i2c_write(void *phy_id + /* + * Reads an ndlc frame and returns it in a newly allocated sk_buff. 
+ * returns: +- * frame size : if received frame is complete (find ST21NFCB_SOF_EOF at ++ * frame size : if received frame is complete (find ST_NCI_SOF_EOF at + * end of read) +- * -EAGAIN : if received frame is incomplete (not find ST21NFCB_SOF_EOF ++ * -EAGAIN : if received frame is incomplete (not find ST_NCI_SOF_EOF + * at end of read) + * -EREMOTEIO : i2c read error (fatal) + * -EBADMSG : frame was incorrect and discarded + * (value returned from st_nci_i2c_repack) +- * -EIO : if no ST21NFCB_SOF_EOF is found after reaching ++ * -EIO : if no ST_NCI_SOF_EOF is found after reaching + * the read length end sequence + */ + static int st_nci_i2c_read(struct st_nci_i2c_phy *phy, +@@ -179,7 +179,7 @@ static int st_nci_i2c_read(struct st_nci + /* + * Reads an ndlc frame from the chip. + * +- * On ST21NFCB, IRQ goes in idle state when read starts. ++ * On ST_NCI, IRQ goes in idle state when read starts. + */ + static irqreturn_t st_nci_irq_thread_fn(int irq, void *phy_id) + { +@@ -325,12 +325,12 @@ static int st_nci_i2c_probe(struct i2c_c + } + } else { + nfc_err(&client->dev, +- "st21nfcb platform resources not available\n"); ++ "st_nci platform resources not available\n"); + return -ENODEV; + } + + r = ndlc_probe(phy, &i2c_phy_ops, &client->dev, +- ST21NFCB_FRAME_HEADROOM, ST21NFCB_FRAME_TAILROOM, ++ ST_NCI_FRAME_HEADROOM, ST_NCI_FRAME_TAILROOM, + &phy->ndlc); + if (r < 0) { + nfc_err(&client->dev, "Unable to register ndlc layer\n"); diff --git a/queue-4.2/nfc-st-nci-fix-use-of-uninitialized-variables-in-error-path.patch b/queue-4.2/nfc-st-nci-fix-use-of-uninitialized-variables-in-error-path.patch new file mode 100644 index 00000000000..622d3055d20 --- /dev/null +++ b/queue-4.2/nfc-st-nci-fix-use-of-uninitialized-variables-in-error-path.patch 
@@ -0,0 +1,68 @@ +From daaf1e1f1640eb11259954d1d847d8a72ab5b938 Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Fri, 14 Aug 2015 22:33:34 +0200 +Subject: NFC: st-nci: fix use of uninitialized variables in error path + +From: Christophe Ricard + +commit daaf1e1f1640eb11259954d1d847d8a72ab5b938 upstream. + +st_nci_hci_load_session() calls kfree_skb() on unitialized +variables skb_pipe_info and skb_pipe_list if the call to +nci_hci_connect_gate() failed. Reword the error path to not use +these variables when they are not initialized. While at it, there +seemed to be a memory leak because skb_pipe_info was only freed +once, after the for-loop, even though several ones were created +by nci_hci_send_cmd. + +Acked-by: Christophe Ricard +Signed-off-by: Nicolas Iooss +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/st-nci/st-nci_se.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/nfc/st-nci/st-nci_se.c ++++ b/drivers/nfc/st-nci/st-nci_se.c +@@ -189,14 +189,14 @@ int st_nci_hci_load_session(struct nci_d + ST_NCI_DEVICE_MGNT_GATE, + ST_NCI_DEVICE_MGNT_PIPE); + if (r < 0) +- goto free_info; ++ return r; + + /* Get pipe list */ + r = nci_hci_send_cmd(ndev, ST_NCI_DEVICE_MGNT_GATE, + ST_NCI_DM_GETINFO, pipe_list, sizeof(pipe_list), + &skb_pipe_list); + if (r < 0) +- goto free_info; ++ return r; + + /* Complete the existing gate_pipe table */ + for (i = 0; i < skb_pipe_list->len; i++) { +@@ -222,6 +222,7 @@ int st_nci_hci_load_session(struct nci_d + dm_pipe_info->src_host_id != ST_NCI_ESE_HOST_ID) { + pr_err("Unexpected apdu_reader pipe on host %x\n", + dm_pipe_info->src_host_id); ++ kfree_skb(skb_pipe_info); + continue; + } + +@@ -241,13 +242,12 @@ int st_nci_hci_load_session(struct nci_d + ndev->hci_dev->pipes[st_nci_gates[j].pipe].host = + dm_pipe_info->src_host_id; + } ++ kfree_skb(skb_pipe_info); + } + + memcpy(ndev->hci_dev->init_data.gates, st_nci_gates, + sizeof(st_nci_gates)); + +-free_info: +- 
kfree_skb(skb_pipe_info); + kfree_skb(skb_pipe_list); + return r; + } diff --git a/queue-4.2/nfc-st-nci-free-data-with-irrelevant-ndlc-pcb_sync-value.patch b/queue-4.2/nfc-st-nci-free-data-with-irrelevant-ndlc-pcb_sync-value.patch new file mode 100644 index 00000000000..4088fb0ddf4 --- /dev/null +++ b/queue-4.2/nfc-st-nci-free-data-with-irrelevant-ndlc-pcb_sync-value.patch @@ -0,0 +1,38 @@ +From 8b706884eac958ec16518315053f77e052627084 Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Fri, 14 Aug 2015 22:33:36 +0200 +Subject: nfc: st-nci: Free data with irrelevant NDLC PCB_SYNC value + +From: Christophe Ricard + +commit 8b706884eac958ec16518315053f77e052627084 upstream. + +PCB_SYNC different than PCB_TYPE_SUPERVISOR or PCB_TYPE_DATAFRAME +should be discarded. + +Irrelevant data may be forwarded up to the ndlc state machine by +phys like spi to prevent missing potential data during "write" +transactions. + +Signed-off-by: Christophe Ricard +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/st-nci/ndlc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/nfc/st-nci/ndlc.c ++++ b/drivers/nfc/st-nci/ndlc.c +@@ -198,8 +198,10 @@ static void llt_ndlc_rcv_queue(struct ll + kfree_skb(skb); + break; + } +- } else { ++ } else if ((pcb & PCB_TYPE_MASK) == PCB_TYPE_DATAFRAME) { + nci_recv_frame(ndlc->ndev, skb); ++ } else { ++ kfree_skb(skb); + } + } + } diff --git a/queue-4.2/nfc-st-nci-remove-data-from-ack_pending_q-when-receiving-a-sync_ack.patch b/queue-4.2/nfc-st-nci-remove-data-from-ack_pending_q-when-receiving-a-sync_ack.patch new file mode 100644 index 00000000000..c41090cf74b --- /dev/null +++ b/queue-4.2/nfc-st-nci-remove-data-from-ack_pending_q-when-receiving-a-sync_ack.patch 
@@ -0,0 +1,31 @@
+From 1d816b6eb513498aa28a0ff1e4db7632bded1707 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Fri, 14 Aug 2015 22:33:35 +0200
+Subject: nfc: st-nci: Remove data from ack_pending_q when receiving a SYNC_ACK
+
+From: Christophe Ricard
+
+commit 1d816b6eb513498aa28a0ff1e4db7632bded1707 upstream.
+
+When receiving a NDLC PCB_SYNC_ACK the pending data was never
+removed from ack_pending_q and cleared.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/st-nci/ndlc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -171,6 +171,8 @@ static void llt_ndlc_rcv_queue(struct ll
+ if ((pcb & PCB_TYPE_MASK) == PCB_TYPE_SUPERVISOR) {
+ switch (pcb & PCB_SYNC_MASK) {
+ case PCB_SYNC_ACK:
++ skb = skb_dequeue(&ndlc->ack_pending_q);
++ kfree_skb(skb);
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
diff --git a/queue-4.2/nfc-st-nci-remove-duplicate-file-platform_data-st_nci.h.patch b/queue-4.2/nfc-st-nci-remove-duplicate-file-platform_data-st_nci.h.patch
new file mode 100644
index 00000000000..40ffe2e3d8a
--- /dev/null
+++ b/queue-4.2/nfc-st-nci-remove-duplicate-file-platform_data-st_nci.h.patch
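Review bot: The added `skb = skb_dequeue(&ndlc->ack_pending_q);` reuses the variable that, judging by `pcb` being tested just above, still refers to the received frame, so the only visible pointer to that frame is overwritten before anything in the hunk frees it. Keeping the two buffers apart avoids that: `kfree_skb(skb_dequeue(&ndlc->ack_pending_q));` for the acknowledged frame, and an explicit `kfree_skb(skb);` for the received ACK if no later code on this path releases it. The loop that dequeues the received frame and the end of the `switch` are outside the hunk, so how `skb` is consumed on the `PCB_SYNC_ACK` path should be confirmed there.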
@@ -0,0 +1,68 @@ +From 76b733d15874128ee2d0365b4cbe7d51decd8d37 Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Fri, 14 Aug 2015 22:33:30 +0200 +Subject: nfc: st-nci: Remove duplicate file platform_data/st_nci.h + +From: Christophe Ricard + +commit 76b733d15874128ee2d0365b4cbe7d51decd8d37 upstream. + +commit "nfc: st-nci: Rename st21nfcb to st-nci" adds +include/linux/platform_data/st_nci.h duplicated with +include/linux/platform_data/st-nci.h. + +Only drivers/nfc/st-nci/i2c.c uses platform_data/st_nci.h. + +Reported-by: Hauke Mehrtens +Signed-off-by: Christophe Ricard +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/st-nci/i2c.c | 2 +- + include/linux/platform_data/st_nci.h | 29 ----------------------------- + 2 files changed, 1 insertion(+), 30 deletions(-) + +--- a/drivers/nfc/st-nci/i2c.c ++++ b/drivers/nfc/st-nci/i2c.c +@@ -25,7 +25,7 @@ + #include + #include + #include +-#include ++#include + + #include "ndlc.h" + +--- a/include/linux/platform_data/st_nci.h ++++ /dev/null +@@ -1,29 +0,0 @@ +-/* +- * Driver include for ST NCI NFC chip family. +- * +- * Copyright (C) 2014-2015 STMicroelectronics SAS. All rights reserved. +- * +- * This program is free software; you can redistribute it and/or modify it +- * under the terms and conditions of the GNU General Public License, +- * version 2, as published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program; if not, see . 
+- */ +- +-#ifndef _ST_NCI_H_ +-#define _ST_NCI_H_ +- +-#define ST_NCI_DRIVER_NAME "st_nci" +- +-struct st_nci_nfc_platform_data { +- unsigned int gpio_reset; +- unsigned int irq_polarity; +-}; +- +-#endif /* _ST_NCI_H_ */ diff --git a/queue-4.2/nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch b/queue-4.2/nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch new file mode 100644 index 00000000000..b17897776c4 --- /dev/null +++ b/queue-4.2/nfc-st21nfca-fix-use-of-uninitialized-variables-in-error-path.patch 
@@ -0,0 +1,81 @@ +From 5a3570061a131309143a49e4bbdbce7e23f261e7 Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Fri, 14 Aug 2015 22:33:33 +0200 +Subject: NFC: st21nfca: fix use of uninitialized variables in error path + +From: Christophe Ricard + +commit 5a3570061a131309143a49e4bbdbce7e23f261e7 upstream. + +st21nfca_hci_load_session() calls kfree_skb() on unitialized +variables skb_pipe_info and skb_pipe_list if the call to +nfc_hci_connect_gate() failed. Reword the error path to not use +these variables when they are not initialized. While at it, there +seemed to be a memory leak because skb_pipe_info was only freed +once, after the for-loop, even though several ones were created +by nfc_hci_send_cmd. + +Fixes: ec03ff1a8f9a +("NFC: st21nfca: Remove skb_pipe_list and skb_pipe_info +useless allocation") + +Acked-by: Christophe Ricard +Signed-off-by: Nicolas Iooss +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/st21nfca/st21nfca.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/nfc/st21nfca/st21nfca.c ++++ b/drivers/nfc/st21nfca/st21nfca.c +@@ -148,14 +148,14 @@ static int st21nfca_hci_load_session(str + ST21NFCA_DEVICE_MGNT_GATE, + ST21NFCA_DEVICE_MGNT_PIPE); + if (r < 0) +- goto free_info; ++ return r; + + /* Get pipe list */ + r = nfc_hci_send_cmd(hdev, ST21NFCA_DEVICE_MGNT_GATE, + ST21NFCA_DM_GETINFO, pipe_list, sizeof(pipe_list), + &skb_pipe_list); + if (r < 0) +- goto free_info; ++ return r; + + /* Complete the existing gate_pipe table */ + for (i = 0; i < skb_pipe_list->len; i++) { +@@ -181,6 +181,7 @@ static int st21nfca_hci_load_session(str + info->src_host_id != ST21NFCA_ESE_HOST_ID) { + pr_err("Unexpected apdu_reader pipe on host %x\n", + info->src_host_id); ++ kfree_skb(skb_pipe_info); + continue; + } + +@@ -200,6 +201,7 @@ static int st21nfca_hci_load_session(str + hdev->pipes[st21nfca_gates[j].pipe].dest_host = + info->src_host_id; + } ++ kfree_skb(skb_pipe_info); + } + + 
/* +@@ -214,13 +216,12 @@ static int st21nfca_hci_load_session(str + st21nfca_gates[i].gate, + st21nfca_gates[i].pipe); + if (r < 0) +- goto free_info; ++ goto free_list; + } + } + + memcpy(hdev->init_data.gates, st21nfca_gates, sizeof(st21nfca_gates)); +-free_info: +- kfree_skb(skb_pipe_info); ++free_list: + kfree_skb(skb_pipe_list); + return r; + } diff --git a/queue-4.2/revert-ext4-remove-block_device_ejected.patch b/queue-4.2/revert-ext4-remove-block_device_ejected.patch new file mode 100644 index 00000000000..a4bd761be1b --- /dev/null +++ b/queue-4.2/revert-ext4-remove-block_device_ejected.patch 
@@ -0,0 +1,101 @@ +From bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 16 Aug 2015 10:03:57 -0400 +Subject: Revert "ext4: remove block_device_ejected" + +From: Theodore Ts'o + +commit bdfe0cbd746aa9b2509c2f6d6be17193cf7facd7 upstream. + +This reverts commit 08439fec266c3cc5702953b4f54bdf5649357de0. + +Unfortunately we still need to test for bdi->dev to avoid a crash when a +USB stick is yanked out while a file system is mounted: + + usb 2-2: USB disconnect, device number 2 + Buffer I/O error on dev sdb1, logical block 15237120, lost sync page write + JBD2: Error -5 detected when updating journal superblock for sdb1-8. + BUG: unable to handle kernel paging request at 34beb000 + IP: [] __percpu_counter_add+0x18/0xc0 + *pdpt = 0000000023db9001 *pde = 0000000000000000 + Oops: 0000 [#1] SMP + CPU: 0 PID: 4083 Comm: umount Tainted: G U OE 4.1.1-040101-generic #201507011435 + Hardware name: LENOVO 7675CTO/7675CTO, BIOS 7NETC2WW (2.22 ) 03/22/2011 + task: ebf06b50 ti: ebebc000 task.ti: ebebc000 + EIP: 0060:[] EFLAGS: 00010082 CPU: 0 + EIP is at __percpu_counter_add+0x18/0xc0 + EAX: f21c8e88 EBX: f21c8e88 ECX: 00000000 EDX: 00000001 + ESI: 00000001 EDI: 00000000 EBP: ebebde60 ESP: ebebde40 + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 + CR0: 8005003b CR2: 34beb000 CR3: 33354200 CR4: 000007f0 + Stack: + c1abe100 edcb0098 edcb00ec ffffffff f21c8e68 ffffffff f21c8e68 f286d160 + ebebde84 c1160454 00000010 00000282 f72a77f8 00000984 f72a77f8 f286d160 + f286d170 ebebdea0 c11e613f 00000000 00000282 f72a77f8 edd7f4d0 00000000 + Call Trace: + [] account_page_dirtied+0x74/0x110 + [] __set_page_dirty+0x3f/0xb0 + [] mark_buffer_dirty+0x53/0xc0 + [] ext4_commit_super+0x17b/0x250 + [] ext4_put_super+0xc1/0x320 + [] ? fsnotify_unmount_inodes+0x1aa/0x1c0 + [] ? evict_inodes+0xca/0xe0 + [] generic_shutdown_super+0x6a/0xe0 + [] ? prepare_to_wait_event+0xd0/0xd0 + [] ? 
unregister_shrinker+0x40/0x50 + [] kill_block_super+0x26/0x70 + [] deactivate_locked_super+0x45/0x80 + [] deactivate_super+0x47/0x60 + [] cleanup_mnt+0x39/0x80 + [] __cleanup_mnt+0x10/0x20 + [] task_work_run+0x91/0xd0 + [] do_notify_resume+0x7c/0x90 + [] work_notify + Code: 8b 55 e8 e9 f4 fe ff ff 90 90 90 90 90 90 90 90 90 90 90 55 89 e5 83 ec 20 89 5d f4 89 c3 89 75 f8 89 d6 89 7d fc 89 cf 8b 48 14 <64> 8b 01 89 45 ec 89 c2 8b 45 08 c1 fa 1f 01 75 ec 89 55 f0 89 + EIP: [] __percpu_counter_add+0x18/0xc0 SS:ESP 0068:ebebde40 + CR2: 0000000034beb000 + ---[ end trace dd564a7bea834ecd ]--- + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101011 + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -325,6 +325,22 @@ static void save_error_info(struct super + ext4_commit_super(sb, 1); + } + ++/* ++ * The del_gendisk() function uninitializes the disk-specific data ++ * structures, including the bdi structure, without telling anyone ++ * else. Once this happens, any attempt to call mark_buffer_dirty() ++ * (for example, by ext4_commit_super), will cause a kernel OOPS. ++ * This is a kludge to prevent these oops until we can put in a proper ++ * hook in del_gendisk() to inform the VFS and file system layers. ++ */ ++static int block_device_ejected(struct super_block *sb) ++{ ++ struct inode *bd_inode = sb->s_bdev->bd_inode; ++ struct backing_dev_info *bdi = inode_to_bdi(bd_inode); ++ ++ return bdi->dev == NULL; ++} ++ + static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn) + { + struct super_block *sb = journal->j_private; +@@ -4617,7 +4633,7 @@ static int ext4_commit_super(struct supe + struct buffer_head *sbh = EXT4_SB(sb)->s_sbh; + int error = 0; + +- if (!sbh) ++ if (!sbh || block_device_ejected(sb)) + return error; + if (buffer_write_io_error(sbh)) { + /* 
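Review bot: `block_device_ejected()` reads `bdi->dev` with no lock or reference taken in the visible lines, so the new test in ext4_commit_super() narrows the window rather than closing it: the device can still go away between the check and the later buffer dirtying. The restored comment already calls the helper a kludge; it should also state that the check is best effort, for example `/* Not serialised against del_gendisk(); this only narrows the race. */`, so that nobody relies on it as a guarantee. ext4_commit_super() continues past the end of the hunk.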
diff --git a/queue-4.2/rtlwifi-rtl8192cu-add-new-device-id.patch b/queue-4.2/rtlwifi-rtl8192cu-add-new-device-id.patch
new file mode 100644
index 00000000000..d908b0d6745
--- /dev/null
+++ b/queue-4.2/rtlwifi-rtl8192cu-add-new-device-id.patch
@@ -0,0 +1,30 @@
+From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001
+From: Adrien Schildknecht
+Date: Wed, 19 Aug 2015 17:33:12 +0200
+Subject: rtlwifi: rtl8192cu: Add new device ID
+
+From: Adrien Schildknecht
+
+commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream.
+
+The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043
+
+Signed-off-by: Adrien Schildknecht
+Acked-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -321,6 +321,7 @@ static struct usb_device_id rtl8192c_usb
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
+ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
diff --git a/queue-4.2/rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch b/queue-4.2/rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch
new file mode 100644
index 00000000000..349ecc02a3d
--- /dev/null
+++ b/queue-4.2/rtlwifi-rtl8821ae-fix-an-expression-that-is-always-false.patch
@@ -0,0 +1,45 @@
+From 251086f588720277a6f5782020a648ce32c4e00b Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Wed, 8 Jul 2015 10:18:50 -0500
+Subject: rtlwifi: rtl8821ae: Fix an expression that is always false
+
+From: Larry Finger
+
+commit 251086f588720277a6f5782020a648ce32c4e00b upstream.
+
+In routine _rtl8821ae_set_media_status(), an incorrect mask results in a test
+for AP status to always be false. Similar bugs were fixed in rtl8192cu and
+rtl8192de, but this instance was missed at that time.
+
+Reported-by: David Binderman
+Signed-off-by: Larry Finger
+Cc: David Binderman
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/rtl8821ae/hw.c | 2 +-
+ drivers/net/wireless/rtlwifi/rtl8821ae/reg.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
+@@ -2180,7 +2180,7 @@ static int _rtl8821ae_set_media_status(s
+
+ rtl_write_byte(rtlpriv, MSR, bt_msr);
+ rtlpriv->cfg->ops->led_control(hw, ledaction);
+- if ((bt_msr & 0xfc) == MSR_AP)
++ if ((bt_msr & MSR_MASK) == MSR_AP)
+ rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x00);
+ else
+ rtl_write_byte(rtlpriv, REG_BCNTCFG + 1, 0x66);
+--- a/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/reg.h
+@@ -429,6 +429,7 @@
+ #define MSR_ADHOC 0x01
+ #define MSR_INFRA 0x02
+ #define MSR_AP 0x03
++#define MSR_MASK 0x03
+
+ #define RRSR_RSC_OFFSET 21
+ #define RRSR_SHORT_OFFSET 23
diff --git a/queue-4.2/tg3-fix-temperature-reporting.patch b/queue-4.2/tg3-fix-temperature-reporting.patch
new file mode 100644
index 00000000000..ce4777b4ebd
--- /dev/null
+++ b/queue-4.2/tg3-fix-temperature-reporting.patch
@@ -0,0 +1,36 @@
+From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Tue, 1 Sep 2015 18:07:41 +0200
+Subject: tg3: Fix temperature reporting
+
+From: Jean Delvare
+
+commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream.
+
+The temperature registers appear to report values in degrees Celsius
+while the hwmon API mandates values to be exposed in millidegrees
+Celsius. Do the conversion so that the values reported by "sensors"
+are correct.
+
+Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
+Signed-off-by: Jean Delvare
+Cc: Prashant Sreedharan
+Cc: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/broadcom/tg3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -10757,7 +10757,7 @@ static ssize_t tg3_show_temp(struct devi
+ tg3_ape_scratchpad_read(tp, &temperature, attr->index,
+ sizeof(temperature));
+ spin_unlock_bh(&tp->lock);
+- return sprintf(buf, "%u\n", temperature);
++ return sprintf(buf, "%u\n", temperature * 1000);
+ }
+
+
diff --git a/queue-4.2/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch b/queue-4.2/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch
new file mode 100644
index 00000000000..dda621879e0
--- /dev/null
+++ b/queue-4.2/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch
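Review bot: The result of `tg3_ape_scratchpad_read()` is discarded in the context lines, so when the read fails `temperature` is still formatted into the sysfs buffer with whatever it held. Its declaration is outside the hunk, but if it has no initialiser this reports a bogus reading and may expose stack contents to anyone who can read the attribute. Assuming the helper returns an error code, capture it with `err = tg3_ape_scratchpad_read(tp, &temperature, attr->index, sizeof(temperature));` and, after the unlock, add `if (err) return err;` before the `sprintf`. The new `temperature * 1000` is printed with `%u`, so an out-of-range register value would wrap silently; a sanity bound before the multiply would make that visible.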
@@ -0,0 +1,96 @@
+From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Mon, 10 Aug 2015 17:35:07 -0500
+Subject: unshare: Unsharing a thread does not require unsharing a vm
+
+From: "Eric W. Biederman"
+
+commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.
+
+In the logic in the initial commit of unshare made creating a new
+thread group for a process, contingent upon creating a new memory
+address space for that process. That is wrong. Two separate
+processes in different thread groups can share a memory address space
+and clone allows creation of such proceses.
+
+This is significant because it was observed that mm_users > 1 does not
+mean that a process is multi-threaded, as reading /proc/PID/maps
+temporarily increments mm_users, which allows other processes to
+(accidentally) interfere with unshare() calls.
+
+Correct the check in check_unshare_flags() to test for
+!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
+For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
+For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.
+
+By using the correct checks in unshare this removes the possibility of
+an accidental denial of service attack.
+
+Additionally using the correct checks in unshare ensures that only an
+explicit unshare(CLONE_VM) can possibly trigger the slow path of
+current_is_single_threaded(). As an explict unshare(CLONE_VM) is
+pointless it is not expected there are many applications that make
+that call.
+
+Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
+Reported-by: Ricky Zhou
+Reported-by: Kees Cook
+Reviewed-by: Kees Cook
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/fork.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1871,13 +1871,21 @@ static int check_unshare_flags(unsigned
+ CLONE_NEWUSER|CLONE_NEWPID))
+ return -EINVAL;
+ /*
+- * Not implemented, but pretend it works if there is nothing to
+- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+- * needs to unshare vm.
++ * Not implemented, but pretend it works if there is nothing
++ * to unshare. Note that unsharing the address space or the
++ * signal handlers also need to unshare the signal queues (aka
++ * CLONE_THREAD).
+ */
+ if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
+- /* FIXME: get_task_mm() increments ->mm_users */
+- if (atomic_read(¤t->mm->mm_users) > 1)
++ if (!thread_group_empty(current))
++ return -EINVAL;
++ }
++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
++ if (atomic_read(¤t->sighand->count) > 1)
++ return -EINVAL;
++ }
++ if (unshare_flags & CLONE_VM) {
++ if (!current_is_single_threaded())
+ return -EINVAL;
+ }
+
+@@ -1946,16 +1954,16 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+ if (unshare_flags & CLONE_NEWUSER)
+ unshare_flags |= CLONE_THREAD | CLONE_FS;
+ /*
+- * If unsharing a thread from a thread group, must also unshare vm.
+- */
+- if (unshare_flags & CLONE_THREAD)
+- unshare_flags |= CLONE_VM;
+- /*
+ * If unsharing vm, must also unshare signal handlers.
+ */
+ if (unshare_flags & CLONE_VM)
+ unshare_flags |= CLONE_SIGHAND;
+ /*
++ * If unsharing a signal handlers, must also unshare the signal queues.
++ */
++ if (unshare_flags & CLONE_SIGHAND)
++ unshare_flags |= CLONE_THREAD;
++ /*
+ * If unsharing namespace, must also unshare filesystem information.
+ */
+ if (unshare_flags & CLONE_NEWNS)
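Review bot: The new `CLONE_VM` test in check_unshare_flags() carries no explanation of why `mm_users` is no longer consulted, and the removed `FIXME` was the only hint in the code; without it the check is easy to "simplify" back into the form that let unrelated readers make unshare() fail. A comment above `if (!current_is_single_threaded())` such as `/* mm_users is also raised by get_task_mm(), e.g. by /proc/PID/maps readers, so it cannot tell whether other threads exist */` would record the reason the commit message gives. In the unshare() hunk the added comment reads "If unsharing a signal handlers"; `If unsharing signal handlers, must also unshare the signal queues.` is presumably the intended wording. Both functions start and end outside the hunks shown.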