From: Greg Kroah-Hartman Date: Sun, 29 May 2016 22:20:39 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.14.71~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=496b50086397b996c3935c62d7de070633e78db0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: acpi-osi-fix-an-issue-that-acpi_osi-cannot-disable-acpica-internal-strings.patch bluetooth-vhci-fix-open_timeout-vs.-hdev-race.patch bluetooth-vhci-fix-race-at-creating-hci-device.patch bluetooth-vhci-purge-unhandled-skbs.patch can-fix-handling-of-unmodifiable-configuration-options.patch dell-rbtn-ignore-acpi-notifications-if-device-is-suspended.patch input-pwm-beeper-fix-scheduling-while-atomic.patch irqchip-gic-ensure-ordering-between-read-of-intack-and-shared-data.patch irqchip-gic-v3-configure-all-interrupts-as-non-secure-group-1.patch mfd-omap-usb-tll-fix-scheduling-while-atomic-bug.patch mmc-longer-timeout-for-long-read-time-quirk.patch mmc-mmc-fix-partition-switch-timeout-for-some-emmcs.patch mmc-sdhci-acpi-remove-mmc_cap_bus_width_test-for-intel-controllers.patch mmc-sdhci-pci-remove-mmc_cap_bus_width_test-for-intel-controllers.patch sched-loadavg-fix-loadavg-artifacts-on-fully-idle-and-on-fully-loaded-systems.patch --- diff --git a/queue-4.4/acpi-osi-fix-an-issue-that-acpi_osi-cannot-disable-acpica-internal-strings.patch b/queue-4.4/acpi-osi-fix-an-issue-that-acpi_osi-cannot-disable-acpica-internal-strings.patch new file mode 100644 index 00000000000..a4234dc4c26 --- /dev/null +++ b/queue-4.4/acpi-osi-fix-an-issue-that-acpi_osi-cannot-disable-acpica-internal-strings.patch @@ -0,0 +1,113 @@ +From 30c9bb0d7603e7b3f4d6a0ea231e1cddae020c32 Mon Sep 17 00:00:00 2001 +From: Lv Zheng +Date: Tue, 3 May 2016 16:48:20 +0800 +Subject: ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings + +From: Lv Zheng + +commit 30c9bb0d7603e7b3f4d6a0ea231e1cddae020c32 upstream. + +The order of the _OSI related functionalities is as follows: + + acpi_blacklisted() + acpi_dmi_osi_linux() + acpi_osi_setup() + acpi_osi_setup() + acpi_update_interfaces() if "!*" + <<<<<<<<<<<<<<<<<<<<<<<< + parse_args() + __setup("acpi_osi=") + acpi_osi_setup_linux() + acpi_update_interfaces() if "!*" + <<<<<<<<<<<<<<<<<<<<<<<< + acpi_early_init() + acpi_initialize_subsystem() + acpi_ut_initialize_interfaces() + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + acpi_bus_init() + acpi_os_initialize1() + acpi_install_interface_handler(acpi_osi_handler) + acpi_osi_setup_late() + acpi_update_interfaces() for "!" + >>>>>>>>>>>>>>>>>>>>>>>> + acpi_osi_handler() + +Since acpi_osi_setup_linux() can override acpi_dmi_osi_linux(), the command +line setting can override the DMI detection. That's why acpi_blacklisted() +is put before __setup("acpi_osi="). + +Then we can notice the following wrong invocation order. There are +acpi_update_interfaces() (marked by <<<<) calls invoked before +acpi_ut_initialize_interfaces() (marked by ^^^^). This makes it impossible +to use acpi_osi=!* correctly from OSI DMI table or from the command line. +The use of acpi_osi=!* is meant to disable both ACPICA +(acpi_gbl_supported_interfaces) and Linux specific strings +(osi_setup_entries) while the ACPICA part should have stopped working +because of the order issue. + +This patch fixes this issue by moving acpi_update_interfaces() to where +it is invoked for acpi_osi=! (marked by >>>>) as this is ensured to be +invoked after acpi_ut_initialize_interfaces() (marked by ^^^^). Linux +specific strings are still handled in the original place in order to make +the following command line working: acpi_osi=!* acpi_osi="Module Device". + +Note that since acpi_osi=!* is meant to further disable linux specific +string comparing to the acpi_osi=!, there is no such use case in our bug +fixing work and hence there is no one using acpi_osi=!* either from the +command line or from the DMI quirks, this issue is just a theoretical +issue. + +Fixes: 741d81280ad2 (ACPI: Add facility to remove all _OSI strings) +Tested-by: Lukas Wunner +Tested-by: Chen Yu +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/osl.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -135,7 +135,7 @@ static struct osi_linux { + unsigned int enable:1; + unsigned int dmi:1; + unsigned int cmdline:1; +- unsigned int default_disabling:1; ++ u8 default_disabling; + } osi_linux = {0, 0, 0, 0}; + + static u32 acpi_osi_handler(acpi_string interface, u32 supported) +@@ -1444,10 +1444,13 @@ void __init acpi_osi_setup(char *str) + if (*str == '!') { + str++; + if (*str == '\0') { +- osi_linux.default_disabling = 1; ++ /* Do not override acpi_osi=!* */ ++ if (!osi_linux.default_disabling) ++ osi_linux.default_disabling = ++ ACPI_DISABLE_ALL_VENDOR_STRINGS; + return; + } else if (*str == '*') { +- acpi_update_interfaces(ACPI_DISABLE_ALL_STRINGS); ++ osi_linux.default_disabling = ACPI_DISABLE_ALL_STRINGS; + for (i = 0; i < OSI_STRING_ENTRIES_MAX; i++) { + osi = &osi_setup_entries[i]; + osi->enable = false; +@@ -1520,10 +1523,13 @@ static void __init acpi_osi_setup_late(v + acpi_status status; + + if (osi_linux.default_disabling) { +- status = acpi_update_interfaces(ACPI_DISABLE_ALL_VENDOR_STRINGS); ++ status = acpi_update_interfaces(osi_linux.default_disabling); + + if (ACPI_SUCCESS(status)) +- printk(KERN_INFO PREFIX "Disabled all _OSI OS vendors\n"); ++ printk(KERN_INFO PREFIX "Disabled all _OSI OS vendors%s\n", ++ osi_linux.default_disabling == ++ ACPI_DISABLE_ALL_STRINGS ? ++ " and feature groups" : ""); + } + + for (i = 0; i < OSI_STRING_ENTRIES_MAX; i++) { diff --git a/queue-4.4/bluetooth-vhci-fix-open_timeout-vs.-hdev-race.patch b/queue-4.4/bluetooth-vhci-fix-open_timeout-vs.-hdev-race.patch new file mode 100644 index 00000000000..9c3ecfe4465 --- /dev/null +++ b/queue-4.4/bluetooth-vhci-fix-open_timeout-vs.-hdev-race.patch @@ -0,0 +1,161 @@ +From 373a32c848ae3a1c03618517cce85f9211a6facf Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Sat, 19 Mar 2016 11:05:18 +0100 +Subject: Bluetooth: vhci: fix open_timeout vs. hdev race + +From: Jiri Slaby + +commit 373a32c848ae3a1c03618517cce85f9211a6facf upstream. + +Both vhci_get_user and vhci_release race with open_timeout work. They +both contain cancel_delayed_work_sync, but do not test whether the +work actually created hdev or not. Since the work can be in progress +and _sync will wait for finishing it, we can have data->hdev allocated +when cancel_delayed_work_sync returns. But the call sites do 'if +(data->hdev)' *before* cancel_delayed_work_sync. + +As a result: +* vhci_get_user allocates a second hdev and puts it into + data->hdev. The former is leaked. +* vhci_release does not release data->hdev properly as it thinks there + is none. + +Fix both cases by moving the actual test *after* the call to +cancel_delayed_work_sync. + +This can be hit by this program: + #include + #include + #include + #include + #include + #include + + #include + #include + + int main(int argc, char **argv) + { + int fd; + + srand(time(NULL)); + + while (1) { + const int delta = (rand() % 200 - 100) * 100; + + fd = open("/dev/vhci", O_RDWR); + if (fd < 0) + err(1, "open"); + + usleep(1000000 + delta); + + close(fd); + } + + return 0; + } + +And the result is: +BUG: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228 +Read of size 8 by task kworker/u13:1/32068 +============================================================================= +BUG kmalloc-192 (Tainted: G E ): kasan: bad access detected +----------------------------------------------------------------------------- + +Disabling lock debugging due to kernel taint +INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040 +... + kmem_cache_alloc_trace+0x150/0x190 + vhci_open+0x50/0x330 [hci_vhci] + misc_open+0x35b/0x4e0 + chrdev_open+0x23b/0x510 +... +INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040 +... + __slab_free+0x204/0x310 + vhci_release+0xa4/0xd0 [hci_vhci] +... +INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080 +INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600 +Bytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00 ...k............ +Object ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff ...k.......k.... +Object ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff .F.k.....F.k.... +Object ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00 ................ +Object ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff @..k....@..k.... +Object ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de P.n............. +Object ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00 .........b...... +Object ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff ........8..k.... +Object ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00 .. ............. +Object ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff ...........=.... +Object ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . .............. +Redzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb ........ +Padding ffff88006b0c13f8: 00 00 00 00 00 00 00 00 ........ +CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G B E 4.4.6-0-default #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014 +Workqueue: hci0 hci_cmd_work [bluetooth] + 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180 + ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320 + ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80 +Call Trace: +... + [] ? skb_queue_tail+0x13e/0x150 + [] ? vhci_send_frame+0xac/0x100 [hci_vhci] + [] ? hci_send_frame+0x188/0x320 [bluetooth] + [] ? hci_cmd_work+0x115/0x310 [bluetooth] + [] ? process_one_work+0x815/0x1340 + [] ? worker_thread+0xe5/0x11f0 + [] ? process_one_work+0x1340/0x1340 + [] ? kthread+0x1c8/0x230 +... +Memory state around the buggy address: + ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers) +Signed-off-by: Jiri Slaby +Signed-off-by: Marcel Holtmann +Cc: Dmitry Vyukov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_vhci.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(stru + break; + + case HCI_VENDOR_PKT: ++ cancel_delayed_work_sync(&data->open_timeout); ++ + if (data->hdev) { + kfree_skb(skb); + return -EBADFD; + } + +- cancel_delayed_work_sync(&data->open_timeout); +- + opcode = *((__u8 *) skb->data); + skb_pull(skb, 1); + +@@ -333,10 +333,12 @@ static int vhci_open(struct inode *inode + static int vhci_release(struct inode *inode, struct file *file) + { + struct vhci_data *data = file->private_data; +- struct hci_dev *hdev = data->hdev; ++ struct hci_dev *hdev; + + cancel_delayed_work_sync(&data->open_timeout); + ++ hdev = data->hdev; ++ + if (hdev) { + hci_unregister_dev(hdev); + hci_free_dev(hdev); diff --git a/queue-4.4/bluetooth-vhci-fix-race-at-creating-hci-device.patch b/queue-4.4/bluetooth-vhci-fix-race-at-creating-hci-device.patch new file mode 100644 index 00000000000..ccfd3f9c3ee --- /dev/null +++ b/queue-4.4/bluetooth-vhci-fix-race-at-creating-hci-device.patch @@ -0,0 +1,91 @@ +From c7c999cb18da88a881e10e07f0724ad0bfaff770 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 14 Apr 2016 17:32:19 +0200 +Subject: Bluetooth: vhci: Fix race at creating hci device + +From: Takashi Iwai + +commit c7c999cb18da88a881e10e07f0724ad0bfaff770 upstream. + +hci_vhci driver creates a hci device object dynamically upon each +HCI_VENDOR_PKT write. Although it checks the already created object +and returns an error, it's still racy and may build multiple hci_dev +objects concurrently when parallel writes are performed, as the device +tracks only a single hci_dev object. + +This patch introduces a mutex to protect against the concurrent device +creations. + +Signed-off-by: Takashi Iwai +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_vhci.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -50,6 +50,7 @@ struct vhci_data { + wait_queue_head_t read_wait; + struct sk_buff_head readq; + ++ struct mutex open_mutex; + struct delayed_work open_timeout; + }; + +@@ -87,12 +88,15 @@ static int vhci_send_frame(struct hci_de + return 0; + } + +-static int vhci_create_device(struct vhci_data *data, __u8 opcode) ++static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + { + struct hci_dev *hdev; + struct sk_buff *skb; + __u8 dev_type; + ++ if (data->hdev) ++ return -EBADFD; ++ + /* bits 0-1 are dev_type (BR/EDR or AMP) */ + dev_type = opcode & 0x03; + +@@ -151,6 +155,17 @@ static int vhci_create_device(struct vhc + return 0; + } + ++static int vhci_create_device(struct vhci_data *data, __u8 opcode) ++{ ++ int err; ++ ++ mutex_lock(&data->open_mutex); ++ err = __vhci_create_device(data, opcode); ++ mutex_unlock(&data->open_mutex); ++ ++ return err; ++} ++ + static inline ssize_t vhci_get_user(struct vhci_data *data, + struct iov_iter *from) + { +@@ -191,11 +206,6 @@ static inline ssize_t vhci_get_user(stru + case HCI_VENDOR_PKT: + cancel_delayed_work_sync(&data->open_timeout); + +- if (data->hdev) { +- kfree_skb(skb); +- return -EBADFD; +- } +- + opcode = *((__u8 *) skb->data); + skb_pull(skb, 1); + +@@ -320,6 +330,7 @@ static int vhci_open(struct inode *inode + skb_queue_head_init(&data->readq); + init_waitqueue_head(&data->read_wait); + ++ mutex_init(&data->open_mutex); + INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout); + + file->private_data = data; diff --git a/queue-4.4/bluetooth-vhci-purge-unhandled-skbs.patch b/queue-4.4/bluetooth-vhci-purge-unhandled-skbs.patch new file mode 100644 index 00000000000..c06d9e6717b --- /dev/null +++ b/queue-4.4/bluetooth-vhci-purge-unhandled-skbs.patch @@ -0,0 +1,85 @@ +From 13407376b255325fa817798800117a839f3aa055 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Sat, 19 Mar 2016 11:49:43 +0100 +Subject: Bluetooth: vhci: purge unhandled skbs + +From: Jiri Slaby + +commit 13407376b255325fa817798800117a839f3aa055 upstream. + +The write handler allocates skbs and queues them into data->readq. +Read side should read them, if there is any. If there is none, skbs +should be dropped by hdev->flush. But this happens only if the device +is HCI_UP, i.e. hdev->power_on work was triggered already. When it was +not, skbs stay allocated in the queue when /dev/vhci is closed. So +purge the queue in ->release. + +Program to reproduce: + #include + #include + #include + #include + + #include + #include + #include + + int main() + { + char buf[] = { 0xff, 0 }; + struct iovec iov = { + .iov_base = buf, + .iov_len = sizeof(buf), + }; + int fd; + + while (1) { + fd = open("/dev/vhci", O_RDWR); + if (fd < 0) + err(1, "open"); + + usleep(50); + + if (writev(fd, &iov, 1) < 0) + err(1, "writev"); + + usleep(50); + + close(fd); + } + + return 0; + } + +Result: +kmemleak: 4609 new suspected memory leaks +unreferenced object 0xffff88059f4d5440 (size 232): + comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s) + hex dump (first 32 bytes): + 20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff .#..... .#..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: +... + [] __alloc_skb+0x0/0x5a0 + [] vhci_create_device+0x5c/0x580 [hci_vhci] + [] vhci_write+0x306/0x4c8 [hci_vhci] + +Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers) +Signed-off-by: Jiri Slaby +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_vhci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -344,6 +344,7 @@ static int vhci_release(struct inode *in + hci_free_dev(hdev); + } + ++ skb_queue_purge(&data->readq); + file->private_data = NULL; + kfree(data); + diff --git a/queue-4.4/can-fix-handling-of-unmodifiable-configuration-options.patch b/queue-4.4/can-fix-handling-of-unmodifiable-configuration-options.patch new file mode 100644 index 00000000000..d530d5921bf --- /dev/null +++ b/queue-4.4/can-fix-handling-of-unmodifiable-configuration-options.patch @@ -0,0 +1,187 @@ +From bb208f144cf3f59d8f89a09a80efd04389718907 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Mon, 21 Mar 2016 20:18:21 +0100 +Subject: can: fix handling of unmodifiable configuration options + +From: Oliver Hartkopp + +commit bb208f144cf3f59d8f89a09a80efd04389718907 upstream. + +As described in 'can: m_can: tag current CAN FD controllers as non-ISO' +(6cfda7fbebe) it is possible to define fixed configuration options by +setting the according bit in 'ctrlmode' and clear it in 'ctrlmode_supported'. +This leads to the incovenience that the fixed configuration bits can not be +passed by netlink even when they have the correct values (e.g. non-ISO, FD). + +This patch fixes that issue and not only allows fixed set bit values to be set +again but now requires(!) to provide these fixed values at configuration time. +A valid CAN FD configuration consists of a nominal/arbitration bittiming, a +data bittiming and a control mode with CAN_CTRLMODE_FD set - which is now +enforced by a new can_validate() function. This fix additionally removed the +inconsistency that was prohibiting the support of 'CANFD-only' controller +drivers, like the RCar CAN FD. + +For this reason a new helper can_set_static_ctrlmode() has been introduced to +provide a proper interface to handle static enabled CAN controller options. + +Reported-by: Ramesh Shanmugasundaram +Signed-off-by: Oliver Hartkopp +Reviewed-by: Ramesh Shanmugasundaram +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 56 +++++++++++++++++++++++++++++++++++++++--- + drivers/net/can/m_can/m_can.c | 2 - + include/linux/can/dev.h | 22 +++++++++++++++- + 3 files changed, 73 insertions(+), 7 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -696,11 +696,17 @@ int can_change_mtu(struct net_device *de + /* allow change of MTU according to the CANFD ability of the device */ + switch (new_mtu) { + case CAN_MTU: ++ /* 'CANFD-only' controllers can not switch to CAN_MTU */ ++ if (priv->ctrlmode_static & CAN_CTRLMODE_FD) ++ return -EINVAL; ++ + priv->ctrlmode &= ~CAN_CTRLMODE_FD; + break; + + case CANFD_MTU: +- if (!(priv->ctrlmode_supported & CAN_CTRLMODE_FD)) ++ /* check for potential CANFD ability */ ++ if (!(priv->ctrlmode_supported & CAN_CTRLMODE_FD) && ++ !(priv->ctrlmode_static & CAN_CTRLMODE_FD)) + return -EINVAL; + + priv->ctrlmode |= CAN_CTRLMODE_FD; +@@ -782,6 +788,35 @@ static const struct nla_policy can_polic + = { .len = sizeof(struct can_bittiming_const) }, + }; + ++static int can_validate(struct nlattr *tb[], struct nlattr *data[]) ++{ ++ bool is_can_fd = false; ++ ++ /* Make sure that valid CAN FD configurations always consist of ++ * - nominal/arbitration bittiming ++ * - data bittiming ++ * - control mode with CAN_CTRLMODE_FD set ++ */ ++ ++ if (data[IFLA_CAN_CTRLMODE]) { ++ struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]); ++ ++ is_can_fd = cm->flags & cm->mask & CAN_CTRLMODE_FD; ++ } ++ ++ if (is_can_fd) { ++ if (!data[IFLA_CAN_BITTIMING] || !data[IFLA_CAN_DATA_BITTIMING]) ++ return -EOPNOTSUPP; ++ } ++ ++ if (data[IFLA_CAN_DATA_BITTIMING]) { ++ if (!is_can_fd || !data[IFLA_CAN_BITTIMING]) ++ return -EOPNOTSUPP; ++ } ++ ++ return 0; ++} ++ + static int can_changelink(struct net_device *dev, + struct nlattr *tb[], struct nlattr *data[]) + { +@@ -813,19 +848,31 @@ static int can_changelink(struct net_dev + + if (data[IFLA_CAN_CTRLMODE]) { + struct can_ctrlmode *cm; ++ u32 ctrlstatic; ++ u32 maskedflags; + + /* Do not allow changing controller mode while running */ + if (dev->flags & IFF_UP) + return -EBUSY; + cm = nla_data(data[IFLA_CAN_CTRLMODE]); ++ ctrlstatic = priv->ctrlmode_static; ++ maskedflags = cm->flags & cm->mask; ++ ++ /* check whether provided bits are allowed to be passed */ ++ if (cm->mask & ~(priv->ctrlmode_supported | ctrlstatic)) ++ return -EOPNOTSUPP; ++ ++ /* do not check for static fd-non-iso if 'fd' is disabled */ ++ if (!(maskedflags & CAN_CTRLMODE_FD)) ++ ctrlstatic &= ~CAN_CTRLMODE_FD_NON_ISO; + +- /* check whether changed bits are allowed to be modified */ +- if (cm->mask & ~priv->ctrlmode_supported) ++ /* make sure static options are provided by configuration */ ++ if ((maskedflags & ctrlstatic) != ctrlstatic) + return -EOPNOTSUPP; + + /* clear bits to be modified and copy the flag values */ + priv->ctrlmode &= ~cm->mask; +- priv->ctrlmode |= (cm->flags & cm->mask); ++ priv->ctrlmode |= maskedflags; + + /* CAN_CTRLMODE_FD can only be set when driver supports FD */ + if (priv->ctrlmode & CAN_CTRLMODE_FD) +@@ -966,6 +1013,7 @@ static struct rtnl_link_ops can_link_ops + .maxtype = IFLA_CAN_MAX, + .policy = can_policy, + .setup = can_setup, ++ .validate = can_validate, + .newlink = can_newlink, + .changelink = can_changelink, + .get_size = can_get_size, +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -955,7 +955,7 @@ static struct net_device *alloc_m_can_de + priv->can.do_get_berr_counter = m_can_get_berr_counter; + + /* CAN_CTRLMODE_FD_NON_ISO is fixed with M_CAN IP v3.0.1 */ +- priv->can.ctrlmode = CAN_CTRLMODE_FD_NON_ISO; ++ can_set_static_ctrlmode(dev, CAN_CTRLMODE_FD_NON_ISO); + + /* CAN_CTRLMODE_FD_NON_ISO can not be changed with M_CAN IP v3.0.1 */ + priv->can.ctrlmode_supported = CAN_CTRLMODE_LOOPBACK | +--- a/include/linux/can/dev.h ++++ b/include/linux/can/dev.h +@@ -40,8 +40,11 @@ struct can_priv { + struct can_clock clock; + + enum can_state state; +- u32 ctrlmode; +- u32 ctrlmode_supported; ++ ++ /* CAN controller features - see include/uapi/linux/can/netlink.h */ ++ u32 ctrlmode; /* current options setting */ ++ u32 ctrlmode_supported; /* options that can be modified by netlink */ ++ u32 ctrlmode_static; /* static enabled options for driver/hardware */ + + int restart_ms; + struct timer_list restart_timer; +@@ -108,6 +111,21 @@ static inline bool can_is_canfd_skb(cons + return skb->len == CANFD_MTU; + } + ++/* helper to define static CAN controller features at device creation time */ ++static inline void can_set_static_ctrlmode(struct net_device *dev, ++ u32 static_mode) ++{ ++ struct can_priv *priv = netdev_priv(dev); ++ ++ /* alloc_candev() succeeded => netdev_priv() is valid at this point */ ++ priv->ctrlmode = static_mode; ++ priv->ctrlmode_static = static_mode; ++ ++ /* override MTU which was set by default in can_setup()? */ ++ if (static_mode & CAN_CTRLMODE_FD) ++ dev->mtu = CANFD_MTU; ++} ++ + /* get data length from can_dlc with sanitized can_dlc */ + u8 can_dlc2len(u8 can_dlc); + diff --git a/queue-4.4/dell-rbtn-ignore-acpi-notifications-if-device-is-suspended.patch b/queue-4.4/dell-rbtn-ignore-acpi-notifications-if-device-is-suspended.patch new file mode 100644 index 00000000000..7f89256c5b4 --- /dev/null +++ b/queue-4.4/dell-rbtn-ignore-acpi-notifications-if-device-is-suspended.patch @@ -0,0 +1,110 @@ +From ff8651237f39cea60dc89b2d9f25d9ede3fc82c0 Mon Sep 17 00:00:00 2001 +From: Gabriele Mazzotta +Date: Tue, 24 May 2016 22:53:08 +0200 +Subject: dell-rbtn: Ignore ACPI notifications if device is suspended +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gabriele Mazzotta + +commit ff8651237f39cea60dc89b2d9f25d9ede3fc82c0 upstream. + +Some BIOSes unconditionally send an ACPI notification to RBTN when the +system is resuming from suspend. This makes dell-rbtn send an input +event to userspace as if a function key was pressed. Prevent this by +ignoring all the notifications received while the device is suspended. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=106031 +Signed-off-by: Gabriele Mazzotta +Tested-by: Alex Hung +Reviewed-by: Pali Rohár +Signed-off-by: Darren Hart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/dell-rbtn.c | 56 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +--- a/drivers/platform/x86/dell-rbtn.c ++++ b/drivers/platform/x86/dell-rbtn.c +@@ -28,6 +28,7 @@ struct rbtn_data { + enum rbtn_type type; + struct rfkill *rfkill; + struct input_dev *input_dev; ++ bool suspended; + }; + + +@@ -220,9 +221,55 @@ static const struct acpi_device_id rbtn_ + { "", 0 }, + }; + ++#ifdef CONFIG_PM_SLEEP ++static void ACPI_SYSTEM_XFACE rbtn_clear_suspended_flag(void *context) ++{ ++ struct rbtn_data *rbtn_data = context; ++ ++ rbtn_data->suspended = false; ++} ++ ++static int rbtn_suspend(struct device *dev) ++{ ++ struct acpi_device *device = to_acpi_device(dev); ++ struct rbtn_data *rbtn_data = acpi_driver_data(device); ++ ++ rbtn_data->suspended = true; ++ ++ return 0; ++} ++ ++static int rbtn_resume(struct device *dev) ++{ ++ struct acpi_device *device = to_acpi_device(dev); ++ struct rbtn_data *rbtn_data = acpi_driver_data(device); ++ acpi_status status; ++ ++ /* ++ * Upon resume, some BIOSes send an ACPI notification thet triggers ++ * an unwanted input event. In order to ignore it, we use a flag ++ * that we set at suspend and clear once we have received the extra ++ * ACPI notification. Since ACPI notifications are delivered ++ * asynchronously to drivers, we clear the flag from the workqueue ++ * used to deliver the notifications. This should be enough ++ * to have the flag cleared only after we received the extra ++ * notification, if any. ++ */ ++ status = acpi_os_execute(OSL_NOTIFY_HANDLER, ++ rbtn_clear_suspended_flag, rbtn_data); ++ if (ACPI_FAILURE(status)) ++ rbtn_clear_suspended_flag(rbtn_data); ++ ++ return 0; ++} ++#endif ++ ++static SIMPLE_DEV_PM_OPS(rbtn_pm_ops, rbtn_suspend, rbtn_resume); ++ + static struct acpi_driver rbtn_driver = { + .name = "dell-rbtn", + .ids = rbtn_ids, ++ .drv.pm = &rbtn_pm_ops, + .ops = { + .add = rbtn_add, + .remove = rbtn_remove, +@@ -384,6 +431,15 @@ static void rbtn_notify(struct acpi_devi + { + struct rbtn_data *rbtn_data = device->driver_data; + ++ /* ++ * Some BIOSes send a notification at resume. ++ * Ignore it to prevent unwanted input events. ++ */ ++ if (rbtn_data->suspended) { ++ dev_dbg(&device->dev, "ACPI notification ignored\n"); ++ return; ++ } ++ + if (event != 0x80) { + dev_info(&device->dev, "Received unknown event (0x%x)\n", + event); diff --git a/queue-4.4/input-pwm-beeper-fix-scheduling-while-atomic.patch b/queue-4.4/input-pwm-beeper-fix-scheduling-while-atomic.patch new file mode 100644 index 00000000000..95c953d2f62 --- /dev/null +++ b/queue-4.4/input-pwm-beeper-fix-scheduling-while-atomic.patch @@ -0,0 +1,162 @@ +From f49cf3b8b4c841457244c461c66186a719e13bcc Mon Sep 17 00:00:00 2001 +From: Manfred Schlaegl +Date: Fri, 27 May 2016 16:36:36 -0700 +Subject: Input: pwm-beeper - fix - scheduling while atomic + +From: Manfred Schlaegl + +commit f49cf3b8b4c841457244c461c66186a719e13bcc upstream. + +Pwm config may sleep so defer it using a worker. + +On a Freescale i.MX53 based board we ran into "BUG: scheduling while +atomic" because input_inject_event locks interrupts, but +imx_pwm_config_v2 sleeps. + +Tested on Freescale i.MX53 SoC with 4.6.0. + +Signed-off-by: Manfred Schlaegl +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/pwm-beeper.c | 69 +++++++++++++++++++++++++++------------- + 1 file changed, 48 insertions(+), 21 deletions(-) + +--- a/drivers/input/misc/pwm-beeper.c ++++ b/drivers/input/misc/pwm-beeper.c +@@ -20,21 +20,40 @@ + #include + #include + #include ++#include + + struct pwm_beeper { + struct input_dev *input; + struct pwm_device *pwm; ++ struct work_struct work; + unsigned long period; + }; + + #define HZ_TO_NANOSECONDS(x) (1000000000UL/(x)) + ++static void __pwm_beeper_set(struct pwm_beeper *beeper) ++{ ++ unsigned long period = beeper->period; ++ ++ if (period) { ++ pwm_config(beeper->pwm, period / 2, period); ++ pwm_enable(beeper->pwm); ++ } else ++ pwm_disable(beeper->pwm); ++} ++ ++static void pwm_beeper_work(struct work_struct *work) ++{ ++ struct pwm_beeper *beeper = ++ container_of(work, struct pwm_beeper, work); ++ ++ __pwm_beeper_set(beeper); ++} ++ + static int pwm_beeper_event(struct input_dev *input, + unsigned int type, unsigned int code, int value) + { +- int ret = 0; + struct pwm_beeper *beeper = input_get_drvdata(input); +- unsigned long period; + + if (type != EV_SND || value < 0) + return -EINVAL; +@@ -49,22 +68,31 @@ static int pwm_beeper_event(struct input + return -EINVAL; + } + +- if (value == 0) { +- pwm_disable(beeper->pwm); +- } else { +- period = HZ_TO_NANOSECONDS(value); +- ret = pwm_config(beeper->pwm, period / 2, period); +- if (ret) +- return ret; +- ret = pwm_enable(beeper->pwm); +- if (ret) +- return ret; +- beeper->period = period; +- } ++ if (value == 0) ++ beeper->period = 0; ++ else ++ beeper->period = HZ_TO_NANOSECONDS(value); ++ ++ schedule_work(&beeper->work); + + return 0; + } + ++static void pwm_beeper_stop(struct pwm_beeper *beeper) ++{ ++ cancel_work_sync(&beeper->work); ++ ++ if (beeper->period) ++ pwm_disable(beeper->pwm); ++} ++ ++static void pwm_beeper_close(struct input_dev *input) ++{ ++ struct pwm_beeper *beeper = input_get_drvdata(input); ++ ++ pwm_beeper_stop(beeper); ++} ++ + static int pwm_beeper_probe(struct platform_device *pdev) + { + unsigned long pwm_id = (unsigned long)dev_get_platdata(&pdev->dev); +@@ -87,6 +115,8 @@ static int pwm_beeper_probe(struct platf + goto err_free; + } + ++ INIT_WORK(&beeper->work, pwm_beeper_work); ++ + beeper->input = input_allocate_device(); + if (!beeper->input) { + dev_err(&pdev->dev, "Failed to allocate input device\n"); +@@ -106,6 +136,7 @@ static int pwm_beeper_probe(struct platf + beeper->input->sndbit[0] = BIT(SND_TONE) | BIT(SND_BELL); + + beeper->input->event = pwm_beeper_event; ++ beeper->input->close = pwm_beeper_close; + + input_set_drvdata(beeper->input, beeper); + +@@ -135,7 +166,6 @@ static int pwm_beeper_remove(struct plat + + input_unregister_device(beeper->input); + +- pwm_disable(beeper->pwm); + pwm_free(beeper->pwm); + + kfree(beeper); +@@ -147,8 +177,7 @@ static int __maybe_unused pwm_beeper_sus + { + struct pwm_beeper *beeper = dev_get_drvdata(dev); + +- if (beeper->period) +- pwm_disable(beeper->pwm); ++ pwm_beeper_stop(beeper); + + return 0; + } +@@ -157,10 +186,8 @@ static int __maybe_unused pwm_beeper_res + { + struct pwm_beeper *beeper = dev_get_drvdata(dev); + +- if (beeper->period) { +- pwm_config(beeper->pwm, beeper->period / 2, beeper->period); +- pwm_enable(beeper->pwm); +- } ++ if (beeper->period) ++ __pwm_beeper_set(beeper); + + return 0; + } diff --git a/queue-4.4/irqchip-gic-ensure-ordering-between-read-of-intack-and-shared-data.patch b/queue-4.4/irqchip-gic-ensure-ordering-between-read-of-intack-and-shared-data.patch new file mode 100644 index 00000000000..8c34f0f5594 --- /dev/null +++ b/queue-4.4/irqchip-gic-ensure-ordering-between-read-of-intack-and-shared-data.patch @@ -0,0 +1,89 @@ +From f86c4fbd930ff6fecf3d8a1c313182bd0f49f496 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 26 Apr 2016 12:00:00 +0100 +Subject: irqchip/gic: Ensure ordering between read of INTACK and shared data + +From: Will Deacon + +commit f86c4fbd930ff6fecf3d8a1c313182bd0f49f496 upstream. + +When an IPI is generated by a CPU, the pattern looks roughly like: + + + smp_wmb(); + + +On the receiving CPU we rely on the fact that, once we've taken the +interrupt, then the freshly written shared data must be visible to us. +Put another way, the CPU isn't going to speculate taking an interrupt. + +Unfortunately, this assumption turns out to be broken. + +Consider that CPUx wants to send an IPI to CPUy, which will cause CPUy +to read some shared_data. Before CPUx has done anything, a random +peripheral raises an IRQ to the GIC and the IRQ line on CPUy is raised. +CPUy then takes the IRQ and starts executing the entry code, heading +towards gic_handle_irq. Furthermore, let's assume that a bunch of the +previous interrupts handled by CPUy were SGIs, so the branch predictor +kicks in and speculates that irqnr will be <16 and we're likely to +head into handle_IPI. The prefetcher then grabs a speculative copy of +shared_data which contains a stale value. + +Meanwhile, CPUx gets round to updating shared_data and asking the GIC +to send an SGI to CPUy. Internally, the GIC decides that the SGI is +more important than the peripheral interrupt (which hasn't yet been +ACKed) but doesn't need to do anything to CPUy, because the IRQ line +is already raised. + +CPUy then reads the ACK register on the GIC, sees the SGI value which +confirms the branch prediction and we end up with a stale shared_data +value. + +This patch fixes the problem by adding an smp_rmb() to the IPI entry +code in gic_handle_irq. As it turns out, the combination of a control +dependency and an ISB instruction from the EOI in the GICv3 driver is +enough to provide the ordering we need, so we add a comment there +justifying the absence of an explicit smp_rmb(). + +Signed-off-by: Will Deacon +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3.c | 7 +++++++ + drivers/irqchip/irq-gic.c | 8 ++++++++ + 2 files changed, 15 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -361,6 +361,13 @@ static asmlinkage void __exception_irq_e + if (static_key_true(&supports_deactivate)) + gic_write_dir(irqnr); + #ifdef CONFIG_SMP ++ /* ++ * Unlike GICv2, we don't need an smp_rmb() here. ++ * The control dependency from gic_read_iar to ++ * the ISB in gic_write_eoir is enough to ensure ++ * that any shared data read by handle_IPI will ++ * be read after the ACK. ++ */ + handle_IPI(irqnr, regs); + #else + WARN_ONCE(true, "Unexpected SGI received!\n"); +--- a/drivers/irqchip/irq-gic.c ++++ b/drivers/irqchip/irq-gic.c +@@ -347,6 +347,14 @@ static void __exception_irq_entry gic_ha + if (static_key_true(&supports_deactivate)) + writel_relaxed(irqstat, cpu_base + GIC_CPU_DEACTIVATE); + #ifdef CONFIG_SMP ++ /* ++ * Ensure any shared data written by the CPU sending ++ * the IPI is read after we've read the ACK register ++ * on the GIC. ++ * ++ * Pairs with the write barrier in gic_raise_softirq ++ */ ++ smp_rmb(); + handle_IPI(irqnr, regs); + #endif + continue; diff --git a/queue-4.4/irqchip-gic-v3-configure-all-interrupts-as-non-secure-group-1.patch b/queue-4.4/irqchip-gic-v3-configure-all-interrupts-as-non-secure-group-1.patch new file mode 100644 index 00000000000..143011b3a6f --- /dev/null +++ b/queue-4.4/irqchip-gic-v3-configure-all-interrupts-as-non-secure-group-1.patch @@ -0,0 +1,53 @@ +From 7c9b973061b03af62734f613f6abec46c0dd4a88 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Fri, 6 May 2016 19:41:56 +0100 +Subject: irqchip/gic-v3: Configure all interrupts as non-secure Group-1 + +From: Marc Zyngier + +commit 7c9b973061b03af62734f613f6abec46c0dd4a88 upstream. + +The GICv3 driver wrongly assumes that it runs on the non-secure +side of a secure-enabled system, while it could be on a system +with a single security state, or a GICv3 with GICD_CTLR.DS set. + +Either way, it is important to configure this properly, or +interrupts will simply not be delivered on this HW. + +Reported-by: Peter Maydell +Tested-by: Peter Maydell +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -387,6 +387,15 @@ static void __init gic_dist_init(void) + writel_relaxed(0, base + GICD_CTLR); + gic_dist_wait_for_rwp(); + ++ /* ++ * Configure SPIs as non-secure Group-1. This will only matter ++ * if the GIC only has a single security state. This will not ++ * do the right thing if the kernel is running in secure mode, ++ * but that's not the intended use case anyway. ++ */ ++ for (i = 32; i < gic_data.irq_nr; i += 32) ++ writel_relaxed(~0, base + GICD_IGROUPR + i / 8); ++ + gic_dist_config(base, gic_data.irq_nr, gic_dist_wait_for_rwp); + + /* Enable distributor with ARE, Group1 */ +@@ -501,6 +510,9 @@ static void gic_cpu_init(void) + + rbase = gic_data_rdist_sgi_base(); + ++ /* Configure SGIs/PPIs as non-secure Group-1 */ ++ writel_relaxed(~0, rbase + GICR_IGROUPR0); ++ + gic_cpu_config(rbase, gic_redist_wait_for_rwp); + + /* Give LPIs a spin */ diff --git a/queue-4.4/mfd-omap-usb-tll-fix-scheduling-while-atomic-bug.patch b/queue-4.4/mfd-omap-usb-tll-fix-scheduling-while-atomic-bug.patch new file mode 100644 index 00000000000..ad768073007 --- /dev/null +++ b/queue-4.4/mfd-omap-usb-tll-fix-scheduling-while-atomic-bug.patch @@ -0,0 +1,111 @@ +From b49b927f16acee626c56a1af4ab4cb062f75b5df Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Mon, 9 May 2016 11:28:37 +0300 +Subject: mfd: omap-usb-tll: Fix scheduling while atomic BUG + +From: Roger Quadros + +commit b49b927f16acee626c56a1af4ab4cb062f75b5df upstream. + +We shouldn't be calling clk_prepare_enable()/clk_prepare_disable() +in an atomic context. + +Fixes the following issue: + +[ 5.830970] ehci-omap: OMAP-EHCI Host Controller driver +[ 5.830974] driver_register 'ehci-omap' +[ 5.895849] driver_register 'wl1271_sdio' +[ 5.896870] BUG: scheduling while atomic: udevd/994/0x00000002 +[ 5.896876] 4 locks held by udevd/994: +[ 5.896904] #0: (&dev->mutex){......}, at: [] __driver_attach+0x60/0xac +[ 5.896923] #1: (&dev->mutex){......}, at: [] __driver_attach+0x70/0xac +[ 5.896946] #2: (tll_lock){+.+...}, at: [] omap_tll_enable+0x2c/0xd0 +[ 5.896966] #3: (prepare_lock){+.+...}, at: [] clk_prepare_lock+0x48/0xe0 +[ 5.897042] Modules linked in: wlcore_sdio(+) ehci_omap(+) dwc3_omap snd_soc_ts3a225e leds_is31fl319x bq27xxx_battery_i2c tsc2007 bq27xxx_battery bq2429x_charger ina2xx tca8418_keypad as5013 leds_tca6507 twl6040_vibra gpio_twl6040 bmp085_i2c(+) palmas_gpadc usb3503 palmas_pwrbutton bmg160_i2c(+) bmp085 bma150(+) bmg160_core bmp280 input_polldev snd_soc_omap_mcbsp snd_soc_omap_mcpdm snd_soc_omap snd_pcm_dmaengine +[ 5.897048] Preemption disabled at:[< (null)>] (null) +[ 5.897051] +[ 5.897059] CPU: 0 PID: 994 Comm: udevd Not tainted 4.6.0-rc5-letux+ #233 +[ 5.897062] Hardware name: Generic OMAP5 (Flattened Device Tree) +[ 5.897076] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 5.897087] [] (show_stack) from [] (dump_stack+0x88/0xc0) +[ 5.897099] [] (dump_stack) from [] (__schedule_bug+0xac/0xd0) +[ 5.897111] [] (__schedule_bug) from [] (__schedule+0x88/0x7e4) +[ 5.897120] [] (__schedule) from [] (schedule+0x9c/0xc0) +[ 5.897129] [] (schedule) from [] (schedule_preempt_disabled+0x14/0x20) +[ 5.897140] [] (schedule_preempt_disabled) from [] (mutex_lock_nested+0x258/0x43c) +[ 5.897150] [] (mutex_lock_nested) from [] (clk_prepare_lock+0x48/0xe0) +[ 5.897160] [] (clk_prepare_lock) from [] (clk_prepare+0x10/0x28) +[ 5.897169] [] (clk_prepare) from [] (omap_tll_enable+0x64/0xd0) +[ 5.897180] [] (omap_tll_enable) from [] (usbhs_runtime_resume+0x18/0x17c) +[ 5.897192] [] (usbhs_runtime_resume) from [] (pm_generic_runtime_resume+0x2c/0x40) +[ 5.897202] [] (pm_generic_runtime_resume) from [] (__rpm_callback+0x38/0x68) +[ 5.897210] [] (__rpm_callback) from [] (rpm_callback+0x70/0x88) +[ 5.897218] [] (rpm_callback) from [] (rpm_resume+0x4ec/0x7ec) +[ 5.897227] [] (rpm_resume) from [] (__pm_runtime_resume+0x4c/0x64) +[ 5.897236] [] (__pm_runtime_resume) from [] (driver_probe_device+0x30/0x70) +[ 5.897246] [] (driver_probe_device) from [] (__driver_attach+0x88/0xac) +[ 5.897256] [] (__driver_attach) from [] (bus_for_each_dev+0x50/0x84) +[ 5.897267] [] (bus_for_each_dev) from [] (bus_add_driver+0xcc/0x1e4) +[ 5.897276] [] (bus_add_driver) from [] (driver_register+0xac/0xf4) +[ 5.897286] [] (driver_register) from [] (do_one_initcall+0x100/0x1b8) +[ 5.897296] [] (do_one_initcall) from [] (do_init_module+0x58/0x1c0) +[ 5.897304] [] (do_init_module) from [] (SyS_finit_module+0x88/0x90) +[ 5.897313] [] (SyS_finit_module) from [] (ret_fast_syscall+0x0/0x1c) +[ 5.912697] ------------[ cut here ]------------ +[ 5.912711] WARNING: CPU: 0 PID: 994 at kernel/sched/core.c:2996 _raw_spin_unlock+0x28/0x58 +[ 5.912717] DEBUG_LOCKS_WARN_ON(val > preempt_count()) + +Reported-by: H. Nikolaus Schaller +Tested-by: H. Nikolaus Schaller +Signed-off-by: Roger Quadros +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/omap-usb-tll.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/mfd/omap-usb-tll.c ++++ b/drivers/mfd/omap-usb-tll.c +@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct plat + + if (IS_ERR(tll->ch_clk[i])) + dev_dbg(dev, "can't get clock : %s\n", clkname); ++ else ++ clk_prepare(tll->ch_clk[i]); + } + + pm_runtime_put_sync(dev); +@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct pla + tll_dev = NULL; + spin_unlock(&tll_lock); + +- for (i = 0; i < tll->nch; i++) +- if (!IS_ERR(tll->ch_clk[i])) ++ for (i = 0; i < tll->nch; i++) { ++ if (!IS_ERR(tll->ch_clk[i])) { ++ clk_unprepare(tll->ch_clk[i]); + clk_put(tll->ch_clk[i]); ++ } ++ } + + pm_runtime_disable(&pdev->dev); + return 0; +@@ -420,7 +425,7 @@ int omap_tll_enable(struct usbhs_omap_pl + if (IS_ERR(tll->ch_clk[i])) + continue; + +- r = clk_prepare_enable(tll->ch_clk[i]); ++ r = clk_enable(tll->ch_clk[i]); + if (r) { + dev_err(tll_dev, + "Error enabling ch %d clock: %d\n", i, r); +@@ -448,7 +453,7 @@ int omap_tll_disable(struct usbhs_omap_p + for (i = 0; i < tll->nch; i++) { + if (omap_usb_mode_needs_tll(pdata->port_mode[i])) { + if (!IS_ERR(tll->ch_clk[i])) +- clk_disable_unprepare(tll->ch_clk[i]); ++ clk_disable(tll->ch_clk[i]); + } + } + diff --git a/queue-4.4/mmc-longer-timeout-for-long-read-time-quirk.patch b/queue-4.4/mmc-longer-timeout-for-long-read-time-quirk.patch new file mode 100644 index 00000000000..b0831d8de91 --- /dev/null +++ b/queue-4.4/mmc-longer-timeout-for-long-read-time-quirk.patch @@ -0,0 +1,63 @@ +From 32ecd320db39bcb007679ed42f283740641b81ea Mon Sep 17 00:00:00 2001 +From: Matt Gumbel +Date: Fri, 20 May 2016 10:33:46 +0300 +Subject: mmc: longer timeout for long read time quirk + +From: Matt Gumbel + +commit 32ecd320db39bcb007679ed42f283740641b81ea upstream. + +008GE0 Toshiba mmc in some Intel Baytrail tablets responds to +MMC_SEND_EXT_CSD in 450-600ms. + +This patch will... + +() Increase the long read time quirk timeout from 300ms to 600ms. Original + author of that quirk says 300ms was only a guess and that the number + may need to be raised in the future. + +() Add this specific MMC to the quirk + +Signed-off-by: Matt Gumbel +Signed-off-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/card/block.c | 5 +++-- + drivers/mmc/core/core.c | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -2514,11 +2514,12 @@ static const struct mmc_fixup blk_fixups + MMC_QUIRK_BLK_NO_CMD23), + + /* +- * Some Micron MMC cards needs longer data read timeout than +- * indicated in CSD. ++ * Some MMC cards need longer data read timeout than indicated in CSD. + */ + MMC_FIXUP(CID_NAME_ANY, CID_MANFID_MICRON, 0x200, add_quirk_mmc, + MMC_QUIRK_LONG_READ_TIME), ++ MMC_FIXUP("008GE0", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc, ++ MMC_QUIRK_LONG_READ_TIME), + + /* + * On these Samsung MoviNAND parts, performing secure erase or +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -874,11 +874,11 @@ void mmc_set_data_timeout(struct mmc_dat + /* + * Some cards require longer data read timeout than indicated in CSD. + * Address this by setting the read timeout to a "reasonably high" +- * value. For the cards tested, 300ms has proven enough. If necessary, ++ * value. For the cards tested, 600ms has proven enough. If necessary, + * this value can be increased if other problematic cards require this. + */ + if (mmc_card_long_read_time(card) && data->flags & MMC_DATA_READ) { +- data->timeout_ns = 300000000; ++ data->timeout_ns = 600000000; + data->timeout_clks = 0; + } + diff --git a/queue-4.4/mmc-mmc-fix-partition-switch-timeout-for-some-emmcs.patch b/queue-4.4/mmc-mmc-fix-partition-switch-timeout-for-some-emmcs.patch new file mode 100644 index 00000000000..37f82a16422 --- /dev/null +++ b/queue-4.4/mmc-mmc-fix-partition-switch-timeout-for-some-emmcs.patch @@ -0,0 +1,56 @@ +From 1c447116d017a98c90f8f71c8c5a611e0aa42178 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Thu, 5 May 2016 08:12:28 +0300 +Subject: mmc: mmc: Fix partition switch timeout for some eMMCs + +From: Adrian Hunter + +commit 1c447116d017a98c90f8f71c8c5a611e0aa42178 upstream. + +Some eMMCs set the partition switch timeout too low. + +Now typically eMMCs are considered a critical component (e.g. because +they store the root file system) and consequently are expected to be +reliable. Thus we can neglect the use case where eMMCs can't switch +reliably and we might want a lower timeout to facilitate speedy +recovery. + +Although we could employ a quirk for the cards that are affected (if +we could identify them all), as described above, there is little +benefit to having a low timeout, so instead simply set a minimum +timeout. + +The minimum is set to 300ms somewhat arbitrarily - the examples that +have been seen had a timeout of 10ms but were sometimes taking 60-70ms. + +Signed-off-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -333,6 +333,9 @@ static void mmc_manage_gp_partitions(str + } + } + ++/* Minimum partition switch timeout in milliseconds */ ++#define MMC_MIN_PART_SWITCH_TIME 300 ++ + /* + * Decode extended CSD. + */ +@@ -397,6 +400,10 @@ static int mmc_decode_ext_csd(struct mmc + + /* EXT_CSD value is in units of 10ms, but we store in ms */ + card->ext_csd.part_time = 10 * ext_csd[EXT_CSD_PART_SWITCH_TIME]; ++ /* Some eMMC set the value too low so set a minimum */ ++ if (card->ext_csd.part_time && ++ card->ext_csd.part_time < MMC_MIN_PART_SWITCH_TIME) ++ card->ext_csd.part_time = MMC_MIN_PART_SWITCH_TIME; + + /* Sleep / awake timeout in 100ns units */ + if (sa_shift > 0 && sa_shift <= 0x17) diff --git a/queue-4.4/mmc-sdhci-acpi-remove-mmc_cap_bus_width_test-for-intel-controllers.patch b/queue-4.4/mmc-sdhci-acpi-remove-mmc_cap_bus_width_test-for-intel-controllers.patch new file mode 100644 index 00000000000..9b50a2bfe76 --- /dev/null +++ b/queue-4.4/mmc-sdhci-acpi-remove-mmc_cap_bus_width_test-for-intel-controllers.patch @@ -0,0 +1,49 @@ +From 265984b36ce82fec67957d452dd2b22e010611e4 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 20 May 2016 10:33:48 +0300 +Subject: mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers + +From: Adrian Hunter + +commit 265984b36ce82fec67957d452dd2b22e010611e4 upstream. + +The CMD19/CMD14 bus width test has been found to be unreliable in +some cases. It is not essential, so simply remove it. + +Signed-off-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-acpi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sdhci-acpi.c ++++ b/drivers/mmc/host/sdhci-acpi.c +@@ -233,7 +233,7 @@ static const struct sdhci_acpi_slot sdhc + .chip = &sdhci_acpi_chip_int, + .caps = MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE | + MMC_CAP_HW_RESET | MMC_CAP_1_8V_DDR | +- MMC_CAP_BUS_WIDTH_TEST | MMC_CAP_WAIT_WHILE_BUSY, ++ MMC_CAP_WAIT_WHILE_BUSY, + .caps2 = MMC_CAP2_HC_ERASE_SZ, + .flags = SDHCI_ACPI_RUNTIME_PM, + .quirks = SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC, +@@ -248,7 +248,7 @@ static const struct sdhci_acpi_slot sdhc + SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC, + .quirks2 = SDHCI_QUIRK2_HOST_OFF_CARD_ON, + .caps = MMC_CAP_NONREMOVABLE | MMC_CAP_POWER_OFF_CARD | +- MMC_CAP_BUS_WIDTH_TEST | MMC_CAP_WAIT_WHILE_BUSY, ++ MMC_CAP_WAIT_WHILE_BUSY, + .flags = SDHCI_ACPI_RUNTIME_PM, + .pm_caps = MMC_PM_KEEP_POWER, + .probe_slot = sdhci_acpi_sdio_probe_slot, +@@ -260,7 +260,7 @@ static const struct sdhci_acpi_slot sdhc + .quirks = SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC, + .quirks2 = SDHCI_QUIRK2_CARD_ON_NEEDS_BUS_ON | + SDHCI_QUIRK2_STOP_WITH_TC, +- .caps = MMC_CAP_BUS_WIDTH_TEST | MMC_CAP_WAIT_WHILE_BUSY, ++ .caps = MMC_CAP_WAIT_WHILE_BUSY, + .probe_slot = sdhci_acpi_sd_probe_slot, + }; + diff --git a/queue-4.4/mmc-sdhci-pci-remove-mmc_cap_bus_width_test-for-intel-controllers.patch b/queue-4.4/mmc-sdhci-pci-remove-mmc_cap_bus_width_test-for-intel-controllers.patch new file mode 100644 index 00000000000..42964db1cd9 --- /dev/null +++ b/queue-4.4/mmc-sdhci-pci-remove-mmc_cap_bus_width_test-for-intel-controllers.patch @@ -0,0 +1,47 @@ +From 822969369482166050c5b2f7013501505e025c39 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 20 May 2016 10:33:47 +0300 +Subject: mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers + +From: Adrian Hunter + +commit 822969369482166050c5b2f7013501505e025c39 upstream. + +The CMD19/CMD14 bus width test has been found to be unreliable in +some cases. It is not essential, so simply remove it. + +Signed-off-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pci-core.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -361,7 +361,6 @@ static int byt_emmc_probe_slot(struct sd + { + slot->host->mmc->caps |= MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE | + MMC_CAP_HW_RESET | MMC_CAP_1_8V_DDR | +- MMC_CAP_BUS_WIDTH_TEST | + MMC_CAP_WAIT_WHILE_BUSY; + slot->host->mmc->caps2 |= MMC_CAP2_HC_ERASE_SZ; + slot->hw_reset = sdhci_pci_int_hw_reset; +@@ -377,15 +376,13 @@ static int byt_emmc_probe_slot(struct sd + static int byt_sdio_probe_slot(struct sdhci_pci_slot *slot) + { + slot->host->mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_NONREMOVABLE | +- MMC_CAP_BUS_WIDTH_TEST | + MMC_CAP_WAIT_WHILE_BUSY; + return 0; + } + + static int byt_sd_probe_slot(struct sdhci_pci_slot *slot) + { +- slot->host->mmc->caps |= MMC_CAP_BUS_WIDTH_TEST | +- MMC_CAP_WAIT_WHILE_BUSY; ++ slot->host->mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY; + slot->cd_con_id = NULL; + slot->cd_idx = 0; + slot->cd_override_level = true; diff --git a/queue-4.4/sched-loadavg-fix-loadavg-artifacts-on-fully-idle-and-on-fully-loaded-systems.patch b/queue-4.4/sched-loadavg-fix-loadavg-artifacts-on-fully-idle-and-on-fully-loaded-systems.patch new file mode 100644 index 00000000000..68a7bf2bb68 --- /dev/null +++ b/queue-4.4/sched-loadavg-fix-loadavg-artifacts-on-fully-idle-and-on-fully-loaded-systems.patch @@ -0,0 +1,81 @@ +From 20878232c52329f92423d27a60e48b6a6389e0dd Mon Sep 17 00:00:00 2001 +From: Vik Heyndrickx +Date: Thu, 28 Apr 2016 20:46:28 +0200 +Subject: sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems + +From: Vik Heyndrickx + +commit 20878232c52329f92423d27a60e48b6a6389e0dd upstream. + +Systems show a minimal load average of 0.00, 0.01, 0.05 even when they +have no load at all. + +Uptime and /proc/loadavg on all systems with kernels released during the +last five years up until kernel version 4.6-rc5, show a 5- and 15-minute +minimum loadavg of 0.01 and 0.05 respectively. This should be 0.00 on +idle systems, but the way the kernel calculates this value prevents it +from getting lower than the mentioned values. + +Likewise but not as obviously noticeable, a fully loaded system with no +processes waiting, shows a maximum 1/5/15 loadavg of 1.00, 0.99, 0.95 +(multiplied by number of cores). + +Once the (old) load becomes 93 or higher, it mathematically can never +get lower than 93, even when the active (load) remains 0 forever. +This results in the strange 0.00, 0.01, 0.05 uptime values on idle +systems. Note: 93/2048 = 0.0454..., which rounds up to 0.05. + +It is not correct to add a 0.5 rounding (=1024/2048) here, since the +result from this function is fed back into the next iteration again, +so the result of that +0.5 rounding value then gets multiplied by +(2048-2037), and then rounded again, so there is a virtual "ghost" +load created, next to the old and active load terms. + +By changing the way the internally kept value is rounded, that internal +value equivalent now can reach 0.00 on idle, and 1.00 on full load. Upon +increasing load, the internally kept load value is rounded up, when the +load is decreasing, the load value is rounded down. + +The modified code was tested on nohz=off and nohz kernels. It was tested +on vanilla kernel 4.6-rc5 and on centos 7.1 kernel 3.10.0-327. It was +tested on single, dual, and octal cores system. It was tested on virtual +hosts and bare hardware. No unwanted effects have been observed, and the +problems that the patch intended to fix were indeed gone. + +Tested-by: Damien Wyart +Signed-off-by: Vik Heyndrickx +Signed-off-by: Peter Zijlstra (Intel) +Cc: Doug Smythies +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 0f004f5a696a ("sched: Cure more NO_HZ load average woes") +Link: http://lkml.kernel.org/r/e8d32bff-d544-7748-72b5-3c86cc71f09f@veribox.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/loadavg.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/kernel/sched/loadavg.c ++++ b/kernel/sched/loadavg.c +@@ -99,10 +99,13 @@ long calc_load_fold_active(struct rq *th + static unsigned long + calc_load(unsigned long load, unsigned long exp, unsigned long active) + { +- load *= exp; +- load += active * (FIXED_1 - exp); +- load += 1UL << (FSHIFT - 1); +- return load >> FSHIFT; ++ unsigned long newload; ++ ++ newload = load * exp + active * (FIXED_1 - exp); ++ if (active >= load) ++ newload += FIXED_1-1; ++ ++ return newload / FIXED_1; + } + + #ifdef CONFIG_NO_HZ_COMMON diff --git a/queue-4.4/series b/queue-4.4/series index 3f64b184eaa..16944f704c3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -22,3 +22,18 @@ crypto-caam-fix-caam_jr_alloc-ret-code.patch crypto-talitos-fix-ahash-algorithms-registration.patch crypto-sun4i-ss-replace-spinlock_bh-by-spin_lock_irq-save-restore.patch clk-qcom-msm8916-fix-crypto-clock-flags.patch +sched-loadavg-fix-loadavg-artifacts-on-fully-idle-and-on-fully-loaded-systems.patch +mfd-omap-usb-tll-fix-scheduling-while-atomic-bug.patch +input-pwm-beeper-fix-scheduling-while-atomic.patch +irqchip-gic-ensure-ordering-between-read-of-intack-and-shared-data.patch +irqchip-gic-v3-configure-all-interrupts-as-non-secure-group-1.patch +can-fix-handling-of-unmodifiable-configuration-options.patch +mmc-mmc-fix-partition-switch-timeout-for-some-emmcs.patch +mmc-sdhci-acpi-remove-mmc_cap_bus_width_test-for-intel-controllers.patch +acpi-osi-fix-an-issue-that-acpi_osi-cannot-disable-acpica-internal-strings.patch +dell-rbtn-ignore-acpi-notifications-if-device-is-suspended.patch +mmc-longer-timeout-for-long-read-time-quirk.patch +mmc-sdhci-pci-remove-mmc_cap_bus_width_test-for-intel-controllers.patch +bluetooth-vhci-fix-open_timeout-vs.-hdev-race.patch +bluetooth-vhci-purge-unhandled-skbs.patch +bluetooth-vhci-fix-race-at-creating-hci-device.patch