From: Greg Kroah-Hartman Date: Fri, 14 Oct 2016 09:58:54 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v4.4.25~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d9f7be0f165f9039ae1223d0bbab5aaba598f31;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: alsa-ali5451-fix-out-of-bound-position-reporting.patch alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch arm-cpuidle-fix-error-return-code.patch arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch kvm-ppc-booke-fix-a-sanity-check.patch mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch usb-dwc3-fix-clear-stall-ep-command-failure.patch x86-apic-get-rid-of-apic_version-array.patch x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch x86-pkeys-make-protection-keys-an-eager-feature.patch xen-x86-update-topology-map-for-pv-vcpus.patch --- 
diff --git a/queue-4.7/alsa-ali5451-fix-out-of-bound-position-reporting.patch b/queue-4.7/alsa-ali5451-fix-out-of-bound-position-reporting.patch
new file mode 100644
index 00000000000..e518b5b63b2
--- /dev/null
+++ b/queue-4.7/alsa-ali5451-fix-out-of-bound-position-reporting.patch
@@ -0,0 +1,43 @@
+From db68577966abc1aeae4ec597b3dcfa0d56e92041 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 21 Sep 2016 14:38:02 +0200
+Subject: ALSA: ali5451: Fix out-of-bound position reporting
+
+From: Takashi Iwai
+
+commit db68577966abc1aeae4ec597b3dcfa0d56e92041 upstream.
+
+The pointer callbacks of ali5451 driver may return the value at the
+boundary occasionally, and it results in the kernel warning like
+ snd_ali5451 0000:00:06.0: BUG: , pos = 16384, buffer size = 16384, period size = 1024
+
+It seems that folding the position offset is enough for fixing the
+warning and no ill-effect has been seen by that.
+
+Reported-by: Enrico Mioso
+Tested-by: Enrico Mioso
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/ali5451/ali5451.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/ali5451/ali5451.c
++++ b/sound/pci/ali5451/ali5451.c
+@@ -1408,6 +1408,7 @@ snd_ali_playback_pointer(struct snd_pcm_
+ spin_unlock(&codec->reg_lock);
+ dev_dbg(codec->card->dev, "playback pointer returned cso=%xh.\n", cso);
+
++ cso %= runtime->buffer_size;
+ return cso;
+ }
+
+@@ -1428,6 +1429,7 @@ static snd_pcm_uframes_t snd_ali_pointer
+ cso = inw(ALI_REG(codec, ALI_CSO_ALPHA_FMS + 2));
+ spin_unlock(&codec->reg_lock);
+
++ cso %= runtime->buffer_size;
+ return cso;
+ }
+
diff --git a/queue-4.7/alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch b/queue-4.7/alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch
new file mode 100644
index 00000000000..f0d2bed3182
--- /dev/null
+++ b/queue-4.7/alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch
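Review bot: Both added `cso %= runtime->buffer_size;` lines fold the hardware offset without a comment saying why, and in snd_ali_playback_pointer() the dev_dbg() just above still prints the unfolded value, so a debug log can show a position the callback never returns. A one-line comment on each, such as `/* the chip can report cso == buffer_size at the wrap point; fold it back into range */`, would record the reason that the changelog gives only tentatively ("It seems that folding ... is enough"). The modulo also relies on buffer_size being non-zero whenever the pointer callback runs; that is presumably guaranteed once hw_params has been set, but both function bodies start outside the hunks, so it cannot be confirmed from here.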
@@ -0,0 +1,81 @@
+From eb1a74b7bea17eea31915c4f76385cefe69d9795 Mon Sep 17 00:00:00 2001
+From: Anssi Hannula
+Date: Fri, 23 Sep 2016 06:43:47 +0300
+Subject: ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
+
+From: Anssi Hannula
+
+commit eb1a74b7bea17eea31915c4f76385cefe69d9795 upstream.
+
+The DragonFly quirk added in 42e3121d90f4 ("ALSA: usb-audio: Add a more
+accurate volume quirk for AudioQuest DragonFly") applies a custom dB map
+on the volume control when its range is reported as 0..50 (0 .. 0.2dB).
+
+However, there exists at least one other variant (hw v1.0c, as opposed
+to the tested v1.2) which reports a different non-sensical volume range
+(0..53) and the custom map is therefore not applied for that device.
+
+This results in all of the volume change appearing close to 100% on
+mixer UIs that utilize the dB TLV information.
+
+Add a fallback case where no dB TLV is reported at all if the control
+range is not 0..50 but still 0..N where N <= 1000 (3.9 dB). Also
+restrict the quirk to only apply to the volume control as there is also
+a mute control which would match the check otherwise.
+
+Fixes: 42e3121d90f4 ("ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly")
+Signed-off-by: Anssi Hannula
+Reported-by: David W
+Tested-by: David W
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer_quirks.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1831,6 +1831,7 @@ void snd_usb_mixer_rc_memory_change(stru
+ }
+
+ static void snd_dragonfly_quirk_db_scale(struct usb_mixer_interface *mixer,
++ struct usb_mixer_elem_info *cval,
+ struct snd_kcontrol *kctl)
+ {
+ /* Approximation using 10 ranges based on output measurement on hw v1.2.
+@@ -1848,10 +1849,19 @@ static void snd_dragonfly_quirk_db_scale
+ 41, 50, TLV_DB_MINMAX_ITEM(-441, 0),
+ );
+
+- usb_audio_info(mixer->chip, "applying DragonFly dB scale quirk\n");
+- kctl->tlv.p = scale;
+- kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_TLV_READ;
+- kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
++ if (cval->min == 0 && cval->max == 50) {
++ usb_audio_info(mixer->chip, "applying DragonFly dB scale quirk (0-50 variant)\n");
++ kctl->tlv.p = scale;
++ kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_TLV_READ;
++ kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
++
++ } else if (cval->min == 0 && cval->max <= 1000) {
++ /* Some other clearly broken DragonFly variant.
++ * At least a 0..53 variant (hw v1.0) exists.
++ */
++ usb_audio_info(mixer->chip, "ignoring too narrow dB range on a DragonFly device");
++ kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
++ }
+ }
+
+ void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer,
+@@ -1860,8 +1870,8 @@ void snd_usb_mixer_fu_apply_quirk(struct
+ {
+ switch (mixer->chip->usb_id) {
+ case USB_ID(0x21b4, 0x0081): /* AudioQuest DragonFly */
+- if (unitid == 7 && cval->min == 0 && cval->max == 50)
+- snd_dragonfly_quirk_db_scale(mixer, kctl);
++ if (unitid == 7 && cval->control == UAC_FU_VOLUME)
++ snd_dragonfly_quirk_db_scale(mixer, cval, kctl);
+ break;
+ }
+ }
diff --git a/queue-4.7/alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch b/queue-4.7/alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch
new file mode 100644
index 00000000000..5ff8eae2a9f
--- /dev/null
+++ b/queue-4.7/alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch
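Review bot: The message added in the `else if` branch of snd_dragonfly_quirk_db_scale() has no trailing newline, unlike the one in the 0..50 branch, so it can run into the next kernel log line; it should read `usb_audio_info(mixer->chip, "ignoring too narrow dB range on a DragonFly device\n");`. The comment in the same branch names the variant as hw v1.0 while the changelog says v1.0c, and the two should agree. Controls on unit 7 with `cval->min != 0` or `cval->max > 1000` now fall through both branches untouched, which looks intended but is not stated in a comment.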
@@ -0,0 +1,44 @@
+From 8da08ca03b73593d5299893bf29fc08569c3fb5f Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto
+Date: Sun, 25 Sep 2016 22:00:20 +0900
+Subject: ALSA: usb-line6: use the same declaration as definition in header for MIDI manufacturer ID
+
+From: Takashi Sakamoto
+
+commit 8da08ca03b73593d5299893bf29fc08569c3fb5f upstream.
+
+Currently, usb-line6 module exports an array of MIDI manufacturer ID and
+usb-pod module uses it. However, the declaration is not the definition in
+common header. The difference is explicit length of array. Although
+compiler calculates it and everything goes well, it's better to use the
+same representation between definition and declaration.
+
+This commit fills the length of array for usb-line6 module. As a small
+good sub-effect, this commit suppress below warnings from static analysis
+by sparse v0.5.0.
+
+sound/usb/line6/driver.c:274:43: error: cannot size expression
+sound/usb/line6/driver.c:275:16: error: cannot size expression
+sound/usb/line6/driver.c:276:16: error: cannot size expression
+sound/usb/line6/driver.c:277:16: error: cannot size expression
+
+Fixes: 705ececd1c60 ("Staging: add line6 usb driver")
+Signed-off-by: Takashi Sakamoto
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -29,7 +29,7 @@
+ /*
+ This is Line 6's MIDI manufacturer ID.
+ */
+-const unsigned char line6_midi_id[] = {
++const unsigned char line6_midi_id[3] = {
+ 0x00, 0x01, 0x0c
+ };
+ EXPORT_SYMBOL_GPL(line6_midi_id);
diff --git a/queue-4.7/arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch b/queue-4.7/arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch
new file mode 100644
index 00000000000..6c09ce0ab5d
--- /dev/null
+++ b/queue-4.7/arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch
@@ -0,0 +1,82 @@
+From 2a51fe083eba7f99cbda72f5ef90cdf2f4df882c Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava
+Date: Mon, 3 Oct 2016 13:07:12 -0400
+Subject: arch/x86: Handle non enumerated CPU after physical hotplug
+
+From: Prarit Bhargava
+
+commit 2a51fe083eba7f99cbda72f5ef90cdf2f4df882c upstream.
+
+When a CPU is physically added to a system then the MADT table is not
+updated.
+
+If subsequently a kdump kernel is started on that physically added CPU then
+the ACPI enumeration fails to provide the information for this CPU which is
+now the boot CPU of the kdump kernel.
+
+As a consequence, generic_processor_info() is not invoked for that CPU so
+the number of enumerated processors is 0 and none of the initializations,
+including the logical package id management, are performed.
+
+We have code which relies on the correctness of the logical package map and
+other information which is initialized via generic_processor_info().
+Executing such code will result in undefined behaviour or kernel crashes.
+
+This problem applies only to the kdump kernel because a normal kexec will
+switch to the original boot CPU, which is enumerated in MADT, before
+jumping into the kexec kernel.
+
+The boot code already has a check for num_processors equal 0 in
+prefill_possible_map(). We can use that check as an indicator that the
+enumeration of the boot CPU did not happen and invoke generic_processor_info()
+for it. That initializes the relevant data for the boot CPU and therefore
+prevents subsequent failure.
+
+[ tglx: Refined the code and rewrote the changelog ]
+
+Signed-off-by: Prarit Bhargava
+Fixes: 1f12e32f4cd5 ("x86/topology: Create logical package id")
+Cc: Peter Zijlstra
+Cc: Len Brown
+Cc: Borislav Petkov
+Cc: Andi Kleen
+Cc: Jiri Olsa
+Cc: Juergen Gross
+Cc: dyoung@redhat.com
+Cc: Eric Biederman
+Cc: kexec@lists.infradead.org
+Link: http://lkml.kernel.org/r/1475514432-27682-1-git-send-email-prarit@redhat.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/smpboot.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1393,9 +1393,21 @@ __init void prefill_possible_map(void)
+ {
+ int i, possible;
+
+- /* no processor from mptable or madt */
+- if (!num_processors)
+- num_processors = 1;
++ /* No boot processor was found in mptable or ACPI MADT */
++ if (!num_processors) {
++ int apicid = boot_cpu_physical_apicid;
++ int cpu = hard_smp_processor_id();
++
++ pr_warn("Boot CPU (id %d) not listed by BIOS\n", cpu);
++
++ /* Make sure boot cpu is enumerated */
++ if (apic->cpu_present_to_apicid(0) == BAD_APICID &&
++ apic->apic_id_valid(apicid))
++ generic_processor_info(apicid, boot_cpu_apic_version);
++
++ if (!num_processors)
++ num_processors = 1;
++ }
+
+ i = setup_max_cpus ?: 1;
+ if (setup_possible_cpus == -1) {
diff --git a/queue-4.7/arm-cpuidle-fix-error-return-code.patch b/queue-4.7/arm-cpuidle-fix-error-return-code.patch
new file mode 100644
index 00000000000..ff1cd0b4853
--- /dev/null
+++ b/queue-4.7/arm-cpuidle-fix-error-return-code.patch
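Review bot: Nothing in the new `if (!num_processors)` block of prefill_possible_map() checks whether `generic_processor_info(apicid, boot_cpu_apic_version)` actually registered the boot CPU, and when the `cpu_present_to_apicid(0) == BAD_APICID && apic_id_valid(apicid)` guard is false it is not called at all. In both cases the inner `if (!num_processors) num_processors = 1;` restores the old behaviour silently, although the changelog says later code crashes when this data is missing. A second warning on that path, for example `pr_warn("Boot CPU could not be enumerated, assuming 1 CPU\n");` before `num_processors = 1;`, would make the degraded state visible in a kdump log. `boot_cpu_apic_version` is presumably introduced by x86-apic-get-rid-of-apic_version-array.patch from this same commit, so that patch has to come earlier in the queue's series file, which is not shown here.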
@@ -0,0 +1,33 @@
+From af48d7bc3756a0cd882d65bff14ab39746ba57fe Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet
+Date: Thu, 11 Aug 2016 15:02:30 +0200
+Subject: ARM: cpuidle: Fix error return code
+
+From: Christophe Jaillet
+
+commit af48d7bc3756a0cd882d65bff14ab39746ba57fe upstream.
+
+We know that 'ret = 0' because it has been tested a few lines above.
+So, if 'kzalloc' fails, 0 will be returned instead of an error code.
+Return -ENOMEM instead.
+
+Fixes: a0d46a3dfdc3 ("ARM: cpuidle: Register per cpuidle device")
+Signed-off-by: Christophe Jaillet
+Acked-by: Lorenzo Pieralisi
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpuidle/cpuidle-arm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpuidle/cpuidle-arm.c
++++ b/drivers/cpuidle/cpuidle-arm.c
+@@ -135,6 +135,7 @@ static int __init arm_idle_init(void)
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev) {
+ pr_err("Failed to allocate cpuidle device\n");
++ ret = -ENOMEM;
+ goto out_fail;
+ }
+ dev->cpu = cpu;
diff --git a/queue-4.7/arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch b/queue-4.7/arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch
new file mode 100644
index 00000000000..f95542dd8e3
--- /dev/null
+++ b/queue-4.7/arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch
@@ -0,0 +1,158 @@
+From ca88696e8b73a9fa2b1de445747e9235c3a7bd50 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Fri, 5 Aug 2016 10:38:37 +0200
+Subject: ARM: dts: MSM8064 remove flags from SPMI/MPP IRQs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Walleij
+
+commit ca88696e8b73a9fa2b1de445747e9235c3a7bd50 upstream.
+
+The Qualcomm PMIC GPIO and MPP lines are problematic: the
+are fetched from the main MFD driver with platform_get_irq()
+which means that at this point they will all be assigned the
+flags set up for the interrupts in the device tree.
+
+That is problematic since these are flagged as rising edge
+and an this point the interrupt descriptor is assigned a
+rising edge, while the only thing the GPIO/MPP drivers really
+do is issue irq_get_irqchip_state() on the line to read it
+out and to provide a .to_irq() helper for *other* IRQ
+consumers.
+
+If another device tree node tries to flag the same IRQ
+for use as something else than rising edge, the kernel
+irqdomain core will protest like this:
+
+ type mismatch, failed to map hwirq-NN for !
+
+Which is what happens when the device tree defines two
+contradictory flags for the same interrupt line.
+
+To work around this and alleviate the problem, assign 0
+as flag for the interrupts taken by the PM GPIO and MPP
+drivers. This will lead to the flag being unset, and a
+second consumer requesting rising, falling, both or level
+interrupts will be respected. This is what the qcom-pm*.dtsi
+files already do.
+
+Switched to using the symbolic name IRQ_TYPE_NONE so that
+we get this more readable.
+
+Fixes: bce360469676 ("ARM: dts: apq8064: add pm8921 mpp support")
+Fixes: 874443fe9e33 ("ARM: dts: apq8064: Add pm8921 mfd and its gpio node")
+Cc: Srinivas Kandagatla
+Cc: Stephen Boyd
+Cc: Björn Andersson
+Cc: Ivan T. Ivanov
+Cc: John Stultz
+Cc: Andy Gross
+Signed-off-by: Linus Walleij
+Signed-off-by: Andy Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 76 +++++++++++++++++++++++++++---------
+ 1 file changed, 57 insertions(+), 19 deletions(-)
+
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -5,6 +5,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ / {
+ model = "Qualcomm APQ8064";
+@@ -552,22 +553,50 @@
+ compatible = "qcom,pm8921-gpio",
+ "qcom,ssbi-gpio";
+ reg = <0x150>;
+- interrupts = <192 1>, <193 1>, <194 1>,
+- <195 1>, <196 1>, <197 1>,
+- <198 1>, <199 1>, <200 1>,
+- <201 1>, <202 1>, <203 1>,
+- <204 1>, <205 1>, <206 1>,
+- <207 1>, <208 1>, <209 1>,
+- <210 1>, <211 1>, <212 1>,
+- <213 1>, <214 1>, <215 1>,
+- <216 1>, <217 1>, <218 1>,
+- <219 1>, <220 1>, <221 1>,
+- <222 1>, <223 1>, <224 1>,
+- <225 1>, <226 1>, <227 1>,
+- <228 1>, <229 1>, <230 1>,
+- <231 1>, <232 1>, <233 1>,
+- <234 1>, <235 1>;
+-
++ interrupts = <192 IRQ_TYPE_NONE>,
++ <193 IRQ_TYPE_NONE>,
++ <194 IRQ_TYPE_NONE>,
++ <195 IRQ_TYPE_NONE>,
++ <196 IRQ_TYPE_NONE>,
++ <197 IRQ_TYPE_NONE>,
++ <198 IRQ_TYPE_NONE>,
++ <199 IRQ_TYPE_NONE>,
++ <200 IRQ_TYPE_NONE>,
++ <201 IRQ_TYPE_NONE>,
++ <202 IRQ_TYPE_NONE>,
++ <203 IRQ_TYPE_NONE>,
++ <204 IRQ_TYPE_NONE>,
++ <205 IRQ_TYPE_NONE>,
++ <206 IRQ_TYPE_NONE>,
++ <207 IRQ_TYPE_NONE>,
++ <208 IRQ_TYPE_NONE>,
++ <209 IRQ_TYPE_NONE>,
++ <210 IRQ_TYPE_NONE>,
++ <211 IRQ_TYPE_NONE>,
++ <212 IRQ_TYPE_NONE>,
++ <213 IRQ_TYPE_NONE>,
++ <214 IRQ_TYPE_NONE>,
++ <215 IRQ_TYPE_NONE>,
++ <216 IRQ_TYPE_NONE>,
++ <217 IRQ_TYPE_NONE>,
++ <218 IRQ_TYPE_NONE>,
++ <219 IRQ_TYPE_NONE>,
++ <220 IRQ_TYPE_NONE>,
++ <221 IRQ_TYPE_NONE>,
++ <222 IRQ_TYPE_NONE>,
++ <223 IRQ_TYPE_NONE>,
++ <224 IRQ_TYPE_NONE>,
++ <225 IRQ_TYPE_NONE>,
++ <226 IRQ_TYPE_NONE>,
++ <227 IRQ_TYPE_NONE>,
++ <228 IRQ_TYPE_NONE>,
++ <229 IRQ_TYPE_NONE>,
++ <230 IRQ_TYPE_NONE>,
++ <231 IRQ_TYPE_NONE>,
++ <232 IRQ_TYPE_NONE>,
++ <233 IRQ_TYPE_NONE>,
++ <234 IRQ_TYPE_NONE>,
++ <235 IRQ_TYPE_NONE>;
+ gpio-controller;
+ #gpio-cells = <2>;
+
+@@ -580,9 +609,18 @@
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupts =
+- <128 1>, <129 1>, <130 1>, <131 1>,
+- <132 1>, <133 1>, <134 1>, <135 1>,
+- <136 1>, <137 1>, <138 1>, <139 1>;
++ <128 IRQ_TYPE_NONE>,
++ <129 IRQ_TYPE_NONE>,
++ <130 IRQ_TYPE_NONE>,
++ <131 IRQ_TYPE_NONE>,
++ <132 IRQ_TYPE_NONE>,
++ <133 IRQ_TYPE_NONE>,
++ <134 IRQ_TYPE_NONE>,
++ <135 IRQ_TYPE_NONE>,
++ <136 IRQ_TYPE_NONE>,
++ <137 IRQ_TYPE_NONE>,
++ <138 IRQ_TYPE_NONE>,
++ <139 IRQ_TYPE_NONE>;
+ };
+
+ rtc@11d {
diff --git a/queue-4.7/arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch b/queue-4.7/arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch
new file mode 100644
index 00000000000..3e0d1fc890d
--- /dev/null
+++ b/queue-4.7/arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch
@@ -0,0 +1,40 @@
+From 061492cfad9f11dbc32df741a7164f307b69b6e6 Mon Sep 17 00:00:00 2001
+From: Grzegorz Jaszczyk
+Date: Thu, 4 Aug 2016 12:14:08 +0200
+Subject: ARM: dts: mvebu: armada-390: add missing compatibility string and bracket
+
+From: Grzegorz Jaszczyk
+
+commit 061492cfad9f11dbc32df741a7164f307b69b6e6 upstream.
+
+The armada-390.dtsi was broken since the first patch which adds Device Tree
+files for Armada 39x SoC was introduced.
+
+Signed-off-by: Grzegorz Jaszczyk
+Acked-by: Gregory CLEMENT
+Fixes 538da83 ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board")
+Signed-off-by: Greg Kroah-Hartman
+
+Signed-off-by: Gregory CLEMENT
+
+---
+ arch/arm/boot/dts/armada-390.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/boot/dts/armada-390.dtsi
++++ b/arch/arm/boot/dts/armada-390.dtsi
+@@ -47,6 +47,8 @@
+ #include "armada-39x.dtsi"
+
+ / {
++ compatible = "marvell,armada390";
++
+ soc {
+ internal-regs {
+ pinctrl@18000 {
+@@ -54,4 +56,5 @@
+ reg = <0x18000 0x20>;
+ };
+ };
++ };
+ };
diff --git a/queue-4.7/arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch b/queue-4.7/arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch
new file mode 100644
index 00000000000..126c2e14bea
--- /dev/null
+++ b/queue-4.7/arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch
@@ -0,0 +1,95 @@
+From b5e7307d9d5a340d2c9fabbe1cee137d4c682c71 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Fri, 23 Sep 2016 17:55:05 +0100
+Subject: arm64: fix dump_backtrace/unwind_frame with NULL tsk
+
+From: Mark Rutland
+
+commit b5e7307d9d5a340d2c9fabbe1cee137d4c682c71 upstream.
+
+In some places, dump_backtrace() is called with a NULL tsk parameter,
+e.g. in bug_handler() in arch/arm64, or indirectly via show_stack() in
+core code. The expectation is that this is treated as if current were
+passed instead of NULL. Similar is true of unwind_frame().
+
+Commit a80a0eb70c358f8c ("arm64: make irq_stack_ptr more robust") didn't
+take this into account. In dump_backtrace() it compares tsk against
+current *before* we check if tsk is NULL, and in unwind_frame() we never
+set tsk if it is NULL.
+
+Due to this, we won't initialise irq_stack_ptr in either function. In
+dump_backtrace() this results in calling dump_mem() for memory
+immediately above the IRQ stack range, rather than for the relevant
+range on the task stack. In unwind_frame we'll reject unwinding frames
+on the IRQ stack.
+
+In either case this results in incomplete or misleading backtrace
+information, but is not otherwise problematic. The initial percpu areas
+(including the IRQ stacks) are allocated in the linear map, and dump_mem
+uses __get_user(), so we shouldn't access anything with side-effects,
+and will handle holes safely.
+
+This patch fixes the issue by having both functions handle the NULL tsk
+case before doing anything else with tsk.
+
+Signed-off-by: Mark Rutland
+Fixes: a80a0eb70c358f8c ("arm64: make irq_stack_ptr more robust")
+Acked-by: James Morse
+Cc: Catalin Marinas
+Cc: Will Deacon
+Cc: Yang Shi
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/stacktrace.c | 5 ++++-
+ arch/arm64/kernel/traps.c | 10 +++++-----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -43,6 +43,9 @@ int notrace unwind_frame(struct task_str
+ unsigned long fp = frame->fp;
+ unsigned long irq_stack_ptr;
+
++ if (!tsk)
++ tsk = current;
++
+ /*
+ * Switching between stacks is valid when tracing current and in
+ * non-preemptible context.
+@@ -67,7 +70,7 @@ int notrace unwind_frame(struct task_str
+ frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 8));
+
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+- if (tsk && tsk->ret_stack &&
++ if (tsk->ret_stack &&
+ (frame->pc == (unsigned long)return_to_handler)) {
+ /*
+ * This is a case where function graph tracer has
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -149,6 +149,11 @@ static void dump_backtrace(struct pt_reg
+ unsigned long irq_stack_ptr;
+ int skip;
+
++ pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
++
++ if (!tsk)
++ tsk = current;
++
+ /*
+ * Switching between stacks is valid when tracing current and in
+ * non-preemptible context.
+@@ -158,11 +163,6 @@ static void dump_backtrace(struct pt_reg
+ else
+ irq_stack_ptr = 0;
+
+- pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
+-
+- if (!tsk)
+- tsk = current;
+-
+ if (tsk == current) {
+ frame.fp = (unsigned long)__builtin_frame_address(0);
+ frame.sp = current_stack_pointer;
diff --git a/queue-4.7/kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch b/queue-4.7/kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch
new file mode 100644
index 00000000000..575074e615c
--- /dev/null
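Review bot: The NULL-means-current contract that the two new `if (!tsk) tsk = current;` blocks implement is not written down in either unwind_frame() or dump_backtrace(), and the second stacktrace.c hunk now dereferences `tsk->ret_stack` without its old `tsk &&` guard, relying entirely on the earlier substitution. A comment above each block, such as `/* callers (e.g. show_stack()) may pass NULL to mean current; resolve it before any other use of tsk */`, would keep a later reordering from reintroducing the ordering bug the changelog attributes to a80a0eb70c358f8c. Both functions start and end outside the hunks, so any other use of tsk between the substitution and the visible lines cannot be checked from here.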
+++ b/queue-4.7/kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch
@@ -0,0 +1,47 @@
+From 0099b7701f5296a758d9e6b945ec96f96847cc2f Mon Sep 17 00:00:00 2001
+From: Christoffer Dall
+Date: Tue, 27 Sep 2016 18:53:35 +0200
+Subject: KVM: arm/arm64: vgic: Don't flush/sync without a working vgic
+
+From: Christoffer Dall
+
+commit 0099b7701f5296a758d9e6b945ec96f96847cc2f upstream.
+
+If the vgic hasn't been created and initialized, we shouldn't attempt to
+look at its data structures or flush/sync anything to the GIC hardware.
+
+This fixes an issue reported by Alexander Graf when using a userspace
+irqchip.
+
+Fixes: 0919e84c0fc1 ("KVM: arm/arm64: vgic-new: Add IRQ sync/flush framework")
+Reported-by: Alexander Graf
+Acked-by: Marc Zyngier
+Signed-off-by: Christoffer Dall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/arm/vgic/vgic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic.c
++++ b/virt/kvm/arm/vgic/vgic.c
+@@ -553,6 +553,9 @@ next:
+ /* Sync back the hardware VGIC state into our emulation after a guest's run. */
+ void kvm_vgic_sync_hwstate(struct kvm_vcpu *vcpu)
+ {
++ if (unlikely(!vgic_initialized(vcpu->kvm)))
++ return;
++
+ vgic_process_maintenance_interrupt(vcpu);
+ vgic_fold_lr_state(vcpu);
+ vgic_prune_ap_list(vcpu);
+@@ -561,6 +564,9 @@ void kvm_vgic_sync_hwstate(struct kvm_vc
+ /* Flush our emulation state into the GIC hardware before entering the guest. */
+ void kvm_vgic_flush_hwstate(struct kvm_vcpu *vcpu)
+ {
++ if (unlikely(!vgic_initialized(vcpu->kvm)))
++ return;
++
+ spin_lock(&vcpu->arch.vgic_cpu.ap_list_lock);
+ vgic_flush_lr_state(vcpu);
+ spin_unlock(&vcpu->arch.vgic_cpu.ap_list_lock);
diff --git a/queue-4.7/kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch b/queue-4.7/kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch
new file mode 100644
index 00000000000..2b0c4129a34
--- /dev/null
+++ b/queue-4.7/kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch
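Review bot: The two new early returns test `vgic_initialized(vcpu->kvm)` alone, while the changelog speaks of a vgic that has not been "created and initialized" and the PMU patch in this same commit tests `!irqchip_in_kernel(vcpu->kvm) || !vgic_initialized(vcpu->kvm)`. If vgic_initialized() already implies an in-kernel irqchip the checks are equivalent, but that is not visible here, so each guard deserves a comment such as `/* userspace irqchip, or vgic not initialized yet: no vgic state to touch */`. It is also worth confirming that the vgic cannot become initialized between a skipped kvm_vgic_flush_hwstate() and the following kvm_vgic_sync_hwstate() on the same vcpu run, because sync would then process state that flush never wrote.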
@@ -0,0 +1,55 @@
+From 6fe407f2d18a4f94216263f91cb7d1f08fa5887c Mon Sep 17 00:00:00 2001
+From: Christoffer Dall
+Date: Mon, 26 Sep 2016 18:51:47 -0700
+Subject: KVM: arm64: Require in-kernel irqchip for PMU support
+
+From: Christoffer Dall
+
+commit 6fe407f2d18a4f94216263f91cb7d1f08fa5887c upstream.
+
+If userspace creates a PMU for the VCPU, but doesn't create an in-kernel
+irqchip, then we end up in a nasty path where we try to take an
+uninitialized spinlock, which can lead to all sorts of breakages.
+
+Luckily, QEMU always creates the VGIC before the PMU, so we can
+establish this as ABI and check for the VGIC in the PMU init stage.
+This can be relaxed at a later time if we want to support PMU with a
+userspace irqchip.
+
+Cc: Shannon Zhao
+Acked-by: Marc Zyngier
+Signed-off-by: Christoffer Dall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/virtual/kvm/devices/vcpu.txt | 4 +++-
+ virt/kvm/arm/pmu.c | 8 ++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/Documentation/virtual/kvm/devices/vcpu.txt
++++ b/Documentation/virtual/kvm/devices/vcpu.txt
+@@ -30,4 +30,6 @@ Returns: -ENODEV: PMUv3 not supported
+ attribute
+ -EBUSY: PMUv3 already initialized
+
+-Request the initialization of the PMUv3.
++Request the initialization of the PMUv3. This must be done after creating the
++in-kernel irqchip. Creating a PMU with a userspace irqchip is currently not
++supported.
+--- a/virt/kvm/arm/pmu.c
++++ b/virt/kvm/arm/pmu.c
+@@ -423,6 +423,14 @@ static int kvm_arm_pmu_v3_init(struct kv
+ if (!kvm_arm_support_pmu_v3())
+ return -ENODEV;
+
++ /*
++ * We currently require an in-kernel VGIC to use the PMU emulation,
++ * because we do not support forwarding PMU overflow interrupts to
++ * userspace yet.
++ */
++ if (!irqchip_in_kernel(vcpu->kvm) || !vgic_initialized(vcpu->kvm))
++ return -ENODEV;
++
+ if (!test_bit(KVM_ARM_VCPU_PMU_V3, vcpu->arch.features) ||
+ !kvm_arm_pmu_irq_initialized(vcpu))
+ return -ENXIO;
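Review bot: The new `-ENODEV` return in kvm_arm_pmu_v3_init() for a missing or uninitialized in-kernel irqchip is not reflected in the error list of vcpu.txt, whose `Returns:` entry (visible in the documentation hunk's header) still reads "-ENODEV: PMUv3 not supported". Userspace therefore cannot tell, from the documentation or from the errno, whether the host lacks PMUv3 or the VGIC simply was not set up first. The entry should become something like `-ENODEV: PMUv3 not supported or in-kernel irqchip not initialized`. The Returns block itself lies above the documentation hunk, so its exact layout is not visible here.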
diff --git a/queue-4.7/kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch b/queue-4.7/kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch
new file mode 100644
index 00000000000..b6c6ae5d229
--- /dev/null
+++ b/queue-4.7/kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch
@@ -0,0 +1,140 @@
+From 91e4f1b6073dd680d86cdb7e42d7cccca9db39d8 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Thu, 15 Sep 2016 17:20:06 +0100
+Subject: KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan
+
+commit 91e4f1b6073dd680d86cdb7e42d7cccca9db39d8 upstream.
+
+When a guest TLB entry is replaced by TLBWI or TLBWR, we only invalidate
+TLB entries on the local CPU. This doesn't work correctly on an SMP host
+when the guest is migrated to a different physical CPU, as it could pick
+up stale TLB mappings from the last time the vCPU ran on that physical
+CPU.
+
+Therefore invalidate both user and kernel host ASIDs on other CPUs,
+which will cause new ASIDs to be generated when it next runs on those
+CPUs.
+
+We're careful only to do this if the TLB entry was already valid, and
+only for the kernel ASID where the virtual address it mapped is outside
+of the guest user address range.
+
+Signed-off-by: James Hogan
+Cc: Paolo Bonzini
+Cc: "Radim Krčmář"
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/emulate.c | 63 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 53 insertions(+), 10 deletions(-)
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -807,6 +807,47 @@ enum emulation_result kvm_mips_emul_tlbr
+ return EMULATE_FAIL;
+ }
+
++/**
++ * kvm_mips_invalidate_guest_tlb() - Indicates a change in guest MMU map.
++ * @vcpu: VCPU with changed mappings.
++ * @tlb: TLB entry being removed.
++ *
++ * This is called to indicate a single change in guest MMU mappings, so that we
++ * can arrange TLB flushes on this and other CPUs.
++ */
++static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu *vcpu,
++ struct kvm_mips_tlb *tlb)
++{
++ int cpu, i;
++ bool user;
++
++ /* No need to flush for entries which are already invalid */
++ if (!((tlb->tlb_lo[0] | tlb->tlb_lo[1]) & ENTRYLO_V))
++ return;
++ /* User address space doesn't need flushing for KSeg2/3 changes */
++ user = tlb->tlb_hi < KVM_GUEST_KSEG0;
++
++ preempt_disable();
++
++ /*
++ * Probe the shadow host TLB for the entry being overwritten, if one
++ * matches, invalidate it
++ */
++ kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
++
++ /* Invalidate the whole ASID on other CPUs */
++ cpu = smp_processor_id();
++ for_each_possible_cpu(i) {
++ if (i == cpu)
++ continue;
++ if (user)
++ vcpu->arch.guest_user_asid[i] = 0;
++ vcpu->arch.guest_kernel_asid[i] = 0;
++ }
++
++ preempt_enable();
++}
++
+ /* Write Guest TLB Entry @ Index */
+ enum emulation_result kvm_mips_emul_tlbwi(struct kvm_vcpu *vcpu)
+ {
+@@ -826,11 +867,8 @@ enum emulation_result kvm_mips_emul_tlbw
+ }
+
+ tlb = &vcpu->arch.guest_tlb[index];
+- /*
+- * Probe the shadow host TLB for the entry being overwritten, if one
+- * matches, invalidate it
+- */
+- kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
++
++ kvm_mips_invalidate_guest_tlb(vcpu, tlb);
+
+ tlb->tlb_mask = kvm_read_c0_guest_pagemask(cop0);
+ tlb->tlb_hi = kvm_read_c0_guest_entryhi(cop0);
+@@ -859,11 +897,7 @@ enum emulation_result kvm_mips_emul_tlbw
+
+ tlb = &vcpu->arch.guest_tlb[index];
+
+- /*
+- * Probe the shadow host TLB for the entry being overwritten, if one
+- * matches, invalidate it
+- */
+- kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
++ kvm_mips_invalidate_guest_tlb(vcpu, tlb);
+
+ tlb->tlb_mask = kvm_read_c0_guest_pagemask(cop0);
+ tlb->tlb_hi = kvm_read_c0_guest_entryhi(cop0);
+@@ -982,6 +1016,7 @@ enum emulation_result kvm_mips_emulate_C
+ int32_t rt, rd, copz, sel, co_bit, op;
+ uint32_t pc = vcpu->arch.pc;
+ unsigned long curr_pc;
++ int cpu, i;
+
+ /*
+ * Update PC and hold onto current PC in case there is
+@@ -1089,8 +1124,16 @@ enum emulation_result kvm_mips_emulate_C
+ vcpu->arch.gprs[rt]
+ & KVM_ENTRYHI_ASID);
+
++ preempt_disable();
+ /* Blow away the shadow host TLBs */
+ kvm_mips_flush_host_tlb(1);
++ cpu = smp_processor_id();
++ for_each_possible_cpu(i)
++ if (i != cpu) {
++ vcpu->arch.guest_user_asid[i] = 0;
++ vcpu->arch.guest_kernel_asid[i] = 0;
++ }
++ preempt_enable();
+ }
+ kvm_write_c0_guest_entryhi(cop0,
+ vcpu->arch.gprs[rt]);
diff --git a/queue-4.7/kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch b/queue-4.7/kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch
new file mode 100644
index 00000000000..138d2478824
--- /dev/null
+++ b/queue-4.7/kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch
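Review bot: The loop that zeroes `guest_user_asid[i]` and `guest_kernel_asid[i]` for every other CPU is written twice, once inside the new kvm_mips_invalidate_guest_tlb() and once open-coded in the `@@ -1089,8 +1124,16 @@` hunk, where it is a brace-less `for_each_possible_cpu(i)` over a braced `if`. Since a missed ASID reset is exactly the stale-mapping problem the changelog describes, the two copies should not be allowed to drift; one static helper called from both sites also removes the extra `int cpu, i;` from the CP0 emulation function. The helper name below is a placeholder, and both callers must keep their preempt_disable()/preempt_enable() pair around the call. The CP0 emulation function starts and ends outside the hunks shown.
```c
/* Suggested helper (placeholder name): force fresh guest ASIDs on all other CPUs. */
static void kvm_mips_drop_other_cpu_asids(struct kvm_vcpu *vcpu, bool user)
{
	int cpu = smp_processor_id();	/* caller has preemption disabled */
	int i;

	for_each_possible_cpu(i) {
		if (i == cpu)
			continue;
		if (user)
			vcpu->arch.guest_user_asid[i] = 0;
		vcpu->arch.guest_kernel_asid[i] = 0;
	}
}

/* … unchanged: kvm_mips_invalidate_guest_tlb() validity check and host TLB probe … */
	kvm_mips_drop_other_cpu_asids(vcpu, user);

/* … unchanged: EntryHi ASID-change path, after kvm_mips_flush_host_tlb(1) … */
	kvm_mips_drop_other_cpu_asids(vcpu, true);
```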
@@ -0,0 +1,58 @@
+From fa73c3b25bd8d0d393dc6109a1dba3c2aef0451e Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Wed, 21 Sep 2016 15:06:45 +0200
+Subject: KVM: PPC: Book3s PR: Allow access to unprivileged MMCR2 register
+
+From: Thomas Huth
+
+commit fa73c3b25bd8d0d393dc6109a1dba3c2aef0451e upstream.
+
+The MMCR2 register is available twice, one time with number 785
+(privileged access), and one time with number 769 (unprivileged,
+but it can be disabled completely). In former times, the Linux
+kernel was using the unprivileged register 769 only, but since
+commit 8dd75ccb571f3c92c ("powerpc: Use privileged SPR number
+for MMCR2"), it uses the privileged register 785 instead.
+The KVM-PR code then of course also switched to use the SPR 785,
+but this is causing older guest kernels to crash, since these
+kernels still access 769 instead. So to support older kernels
+with KVM-PR again, we have to support register 769 in KVM-PR, too.
+
+Fixes: 8dd75ccb571f3c92c48014b3dabd3d51a115ab41
+Signed-off-by: Thomas Huth
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/kvm/book3s_emulate.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -718,6 +718,7 @@
+ #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */
+ #define SPRN_MMCR1 798
+ #define SPRN_MMCR2 785
++#define SPRN_UMMCR2 769
+ #define SPRN_MMCRA 0x312
+ #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */
+ #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL
+--- a/arch/powerpc/kvm/book3s_emulate.c
++++ b/arch/powerpc/kvm/book3s_emulate.c
+@@ -498,6 +498,7 @@ int kvmppc_core_emulate_mtspr_pr(struct
+ case SPRN_MMCR0:
+ case SPRN_MMCR1:
+ case SPRN_MMCR2:
++ case SPRN_UMMCR2:
+ #endif
+ break;
+ unprivileged:
+@@ -640,6 +641,7 @@ int kvmppc_core_emulate_mfspr_pr(struct
+ case SPRN_MMCR0:
+ case SPRN_MMCR1:
+ case SPRN_MMCR2:
++ case SPRN_UMMCR2:
+ case SPRN_TIR:
+ #endif
+ *spr_val = 0;
diff --git a/queue-4.7/kvm-ppc-booke-fix-a-sanity-check.patch b/queue-4.7/kvm-ppc-booke-fix-a-sanity-check.patch
new file mode 100644
index 00000000000..f0e1f3a3376
--- /dev/null
+++ b/queue-4.7/kvm-ppc-booke-fix-a-sanity-check.patch
@@ -0,0 +1,33 @@
+From ac0e89bb4744d3882ccd275f2416d9ce22f4e1e7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 14 Jul 2016 13:15:46 +0300
+Subject: KVM: PPC: BookE: Fix a sanity check
+
+From: Dan Carpenter
+
+commit ac0e89bb4744d3882ccd275f2416d9ce22f4e1e7 upstream.
+
+We use logical negate where bitwise negate was intended. It means that
+we never return -EINVAL here.
+
+Fixes: ce11e48b7fdd ('KVM: PPC: E500: Add userspace debug stub support')
+Signed-off-by: Dan Carpenter
+Reviewed-by: Alexander Graf
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/booke.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/booke.c
++++ b/arch/powerpc/kvm/booke.c
+@@ -2038,7 +2038,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
+ if (type == KVMPPC_DEBUG_NONE)
+ continue;
+
+- if (type & !(KVMPPC_DEBUG_WATCH_READ |
++ if (type & ~(KVMPPC_DEBUG_WATCH_READ |
+ KVMPPC_DEBUG_WATCH_WRITE |
+ KVMPPC_DEBUG_BREAKPOINT))
+ return -EINVAL;
diff --git a/queue-4.7/mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch b/queue-4.7/mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch
new file mode 100644
index 00000000000..fd1b3b14353
--- /dev/null
+++ b/queue-4.7/mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch
@@ -0,0 +1,42 @@
+From 9a6dc644512fd083400a96ac4a035ac154fe6b8d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 4 Aug 2016 08:26:56 +0300
+Subject: mfd: 88pm80x: Double shifting bug in suspend/resume
+
+From: Dan Carpenter
+
+commit 9a6dc644512fd083400a96ac4a035ac154fe6b8d upstream.
+
+set_bit() and clear_bit() take the bit number so this code is really
+doing "1 << (1 << irq)" which is a double shift bug. It's done
+consistently so it won't cause a problem unless "irq" is more than 4.
+
+Fixes: 70c6cce04066 ('mfd: Support 88pm80x in 80x driver')
+Signed-off-by: Dan Carpenter
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/mfd/88pm80x.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mfd/88pm80x.h
++++ b/include/linux/mfd/88pm80x.h
+@@ -350,7 +350,7 @@ static inline int pm80x_dev_suspend(stru
+ int irq = platform_get_irq(pdev, 0);
+
+ if (device_may_wakeup(dev))
+- set_bit((1 << irq), &chip->wu_flag);
++ set_bit(irq, &chip->wu_flag);
+
+ return 0;
+ }
+@@ -362,7 +362,7 @@ static inline int pm80x_dev_resume(struc
+ int irq = platform_get_irq(pdev, 0);
+
+ if (device_may_wakeup(dev))
+- clear_bit((1 << irq), &chip->wu_flag);
++ clear_bit(irq, &chip->wu_flag);
+
+ return 0;
+ }
diff --git a/queue-4.7/mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch b/queue-4.7/mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch
new file mode 100644
index 00000000000..4d95f240526
--- /dev/null
+++ b/queue-4.7/mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch
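Review bot: `irq` reaches `set_bit(irq, &chip->wu_flag)` in pm80x_dev_suspend() and `clear_bit(irq, &chip->wu_flag)` in pm80x_dev_resume() with no range check, so the bit number is whatever platform_get_irq() returned. That call can return a negative errno, and a Linux IRQ number can also exceed the number of bits in `wu_flag` (its declaration is outside the hunk, presumably a single `unsigned long`); in either case the bit operation would touch memory outside the flag word. A guard in both helpers such as `if (irq >= 0 && irq < BITS_PER_LONG && device_may_wakeup(dev))`, or a per-device bit index instead of the raw IRQ number, would bound the write.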
@@ -0,0 +1,38 @@
+From 2c2469bc03d569c49119db2cccb5cb3f0c6a5b33 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Tue, 6 Sep 2016 14:19:29 +0200
+Subject: mfd: atmel-hlcdc: Do not sleep in atomic context
+
+From: Boris Brezillon
+
+commit 2c2469bc03d569c49119db2cccb5cb3f0c6a5b33 upstream.
+
+readl_poll_timeout() calls usleep_range(), but
+regmap_atmel_hlcdc_reg_write() is called in atomic context (regmap
+spinlock held).
+
+Replace the readl_poll_timeout() call by readl_poll_timeout_atomic().
+
+Fixes: ea31c0cf9b07 ("mfd: atmel-hlcdc: Implement config synchronization")
+Signed-off-by: Boris Brezillon
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/atmel-hlcdc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/atmel-hlcdc.c
++++ b/drivers/mfd/atmel-hlcdc.c
+@@ -50,8 +50,9 @@ static int regmap_atmel_hlcdc_reg_write(
+ if (reg <= ATMEL_HLCDC_DIS) {
+ u32 status;
+
+- readl_poll_timeout(hregmap->regs + ATMEL_HLCDC_SR, status,
+- !(status & ATMEL_HLCDC_SIP), 1, 100);
++ readl_poll_timeout_atomic(hregmap->regs + ATMEL_HLCDC_SR,
++ status, !(status & ATMEL_HLCDC_SIP),
++ 1, 100);
+ }
+
+ writel(val, hregmap->regs + reg);
diff --git a/queue-4.7/mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch b/queue-4.7/mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch
new file mode 100644
index 00000000000..a253852af5b
--- /dev/null
+++ b/queue-4.7/mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch
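Review bot: The result of `readl_poll_timeout_atomic()` is discarded, so when ATMEL_HLCDC_SIP is still set after the 100 us budget the function goes on to the `writel()` below as if the synchronisation had completed. Capturing the return value and bailing out, e.g. `ret = readl_poll_timeout_atomic(...);` followed by `if (ret) return ret;`, would let the regmap caller see the timeout instead of writing over a pending update. The rest of regmap_atmel_hlcdc_reg_write() lies outside the hunk, so whether `ret` would need a new declaration cannot be confirmed from here.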
@@ -0,0 +1,58 @@
+From 8dcc5ff8fcaf778bb57ab4448fedca9e381d088f Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Thu, 11 Aug 2016 10:39:03 +0800
+Subject: mfd: rtsx_usb: Avoid setting ucr->current_sg.status
+
+From: Lu Baolu
+
+commit 8dcc5ff8fcaf778bb57ab4448fedca9e381d088f upstream.
+
+Member "status" of struct usb_sg_request is managed by usb core. A
+spin lock is used to serialize the change of it. The driver could
+check the value of req->status, but should avoid changing it without
+the hold of the spinlock. Otherwise, it could cause race or error
+in usb core.
+
+This patch could be backported to stable kernels with version later
+than v3.14.
+
+Cc: Alan Stern
+Cc: Roger Tseng
+Signed-off-by: Lu Baolu
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/rtsx_usb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/mfd/rtsx_usb.c
++++ b/drivers/mfd/rtsx_usb.c
+@@ -46,9 +46,6 @@ static void rtsx_usb_sg_timed_out(unsign
+
+ dev_dbg(&ucr->pusb_intf->dev, "%s: sg transfer timed out", __func__);
+ usb_sg_cancel(&ucr->current_sg);
+-
+- /* we know the cancellation is caused by time-out */
+- ucr->current_sg.status = -ETIMEDOUT;
+ }
+
+ static int rtsx_usb_bulk_transfer_sglist(struct rtsx_ucr *ucr,
+@@ -67,12 +64,15 @@ static int rtsx_usb_bulk_transfer_sglist
+ ucr->sg_timer.expires = jiffies + msecs_to_jiffies(timeout);
+ add_timer(&ucr->sg_timer);
+ usb_sg_wait(&ucr->current_sg);
+- del_timer_sync(&ucr->sg_timer);
++ if (!del_timer_sync(&ucr->sg_timer))
++ ret = -ETIMEDOUT;
++ else
++ ret = ucr->current_sg.status;
+
+ if (act_len)
+ *act_len = ucr->current_sg.bytes;
+
+- return ucr->current_sg.status;
++ return ret;
+ }
+
+ int rtsx_usb_transfer_data(struct rtsx_ucr *ucr, unsigned int pipe,
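Review bot: The new `if (!del_timer_sync(&ucr->sg_timer))` test in rtsx_usb_bulk_transfer_sglist() has no comment, while the explanation that used to sit in rtsx_usb_sg_timed_out() is removed, so the meaning of the return value is not evident at the call site. I would add above the check something like `/* 0: the timer already fired, i.e. rtsx_usb_sg_timed_out() cancelled the request */`. On that path `ucr->current_sg.status` is never read, so an error usb core recorded just as the timer expired is reported as -ETIMEDOUT; if callers distinguish the two, that belongs in the comment as well. `ret` is declared outside the hunk.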
diff --git a/queue-4.7/mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch b/queue-4.7/mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch
new file mode 100644
index 00000000000..c4b12027c33
--- /dev/null
+++ b/queue-4.7/mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch
@@ -0,0 +1,38 @@
+From 88003fb10f1fc606e1704611c62ceae95fd1d7da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Fri, 29 Jul 2016 21:29:15 +0200
+Subject: mfd: wm8350-i2c: Make sure the i2c regmap functions are compiled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 88003fb10f1fc606e1704611c62ceae95fd1d7da upstream.
+
+This fixes a compile failure:
+
+ drivers/built-in.o: In function `wm8350_i2c_probe':
+ core.c:(.text+0x828b0): undefined reference to `__devm_regmap_init_i2c'
+ Makefile:953: recipe for target 'vmlinux' failed
+
+Fixes: 52b461b86a9f ("mfd: Add regmap cache support for wm8350")
+Signed-off-by: Uwe Kleine-König
+Acked-by: Charles Keepax
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/Kconfig
++++ b/drivers/mfd/Kconfig
+@@ -1535,6 +1535,7 @@ config MFD_WM8350
+ config MFD_WM8350_I2C
+ bool "Wolfson Microelectronics WM8350 with I2C"
+ select MFD_WM8350
++ select REGMAP_I2C
+ depends on I2C=y
+ help
+ The WM8350 is an integrated audio and power management
diff --git a/queue-4.7/series b/queue-4.7/series
index cbab40bab84..6ccc72490ac 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
@@ -1,3 +1,28 @@
 powerpc-pseries-use-pci_host_bridge.release_fn-to-kfree-phb.patch
 cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
 timekeeping-fix-__ktime_get_fast_ns-regression.patch
+usb-dwc3-fix-clear-stall-ep-command-failure.patch
+alsa-ali5451-fix-out-of-bound-position-reporting.patch
+alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch
+alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch
+mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch
+mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch
+mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch
+mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch
+xen-x86-update-topology-map-for-pv-vcpus.patch
+kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch
+kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch
+kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch
+kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch
+kvm-ppc-booke-fix-a-sanity-check.patch
+arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch
+x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch
+x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch
+x86-pkeys-make-protection-keys-an-eager-feature.patch
+x86-apic-get-rid-of-apic_version-array.patch
+arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch
+x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch
+x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch
+arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch
+arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch
+arm-cpuidle-fix-error-return-code.patch
diff --git a/queue-4.7/usb-dwc3-fix-clear-stall-ep-command-failure.patch b/queue-4.7/usb-dwc3-fix-clear-stall-ep-command-failure.patch
new file mode 100644
index 00000000000..b9fab91ac8b
--- /dev/null
+++ b/queue-4.7/usb-dwc3-fix-clear-stall-ep-command-failure.patch
@@ -0,0 +1,45 @@
+From 5e6c88d28ccbe72bedee1fbf4f9fea4764208598 Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Fri, 9 Sep 2016 12:51:27 +0800
+Subject: usb: dwc3: fix Clear Stall EP command failure
+
+From: Lu Baolu
+
+commit 5e6c88d28ccbe72bedee1fbf4f9fea4764208598 upstream.
+
+Commit 50c763f8c1bac ("usb: dwc3: Set the ClearPendIN bit on Clear
+Stall EP command") sets ClearPendIN bit for all IN endpoints of
+v2.60a+ cores. This causes ClearStall command fails on 2.60+ cores
+operating in HighSpeed mode.
+
+In page 539 of 2.60a specification:
+
+"When issuing Clear Stall command for IN endpoints in SuperSpeed
+mode, the software must set the "ClearPendIN" bit to '1' to
+clear any pending IN transcations, so that the device does not
+expect any ACK TP from the host for the data sent earlier."
+
+It's obvious that we only need to apply this rule to those IN
+endpoints that currently operating in SuperSpeed mode.
+
+Fixes: 50c763f8c1bac ("usb: dwc3: Set the ClearPendIN bit on Clear Stall EP command")
+Signed-off-by: Lu Baolu
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/gadget.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -363,7 +363,8 @@ static int dwc3_send_clear_stall_ep_cmd(
+ * IN transfers due to a mishandled error condition. Synopsys
+ * STAR 9000614252.
+ */
+- if (dep->direction && (dwc->revision >= DWC3_REVISION_260A))
++ if (dep->direction && (dwc->revision >= DWC3_REVISION_260A) &&
++ (dwc->gadget.speed >= USB_SPEED_SUPER))
+ cmd |= DWC3_DEPCMD_CLEARPENDIN;
+
+ memset(¶ms, 0, sizeof(params));
diff --git a/queue-4.7/x86-apic-get-rid-of-apic_version-array.patch b/queue-4.7/x86-apic-get-rid-of-apic_version-array.patch
new file mode 100644
index 00000000000..2586095af12
--- /dev/null
+++ b/queue-4.7/x86-apic-get-rid-of-apic_version-array.patch
@@ -0,0 +1,206 @@
+From cff9ab2b291e64259d97add48fe073c081afe4e2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko
+Date: Tue, 13 Sep 2016 20:12:32 +0200
+Subject: x86/apic: Get rid of apic_version[] array
+
+From: Denys Vlasenko
+
+commit cff9ab2b291e64259d97add48fe073c081afe4e2 upstream.
+
+The array has a size of MAX_LOCAL_APIC, which can be as large as 32k, so it
+can consume up to 128k.
+
+The array has been there forever and was never used for anything useful
+other than a version mismatch check which was introduced in 2009.
+
+There is no reason to store the version in an array. The kernel is not
+prepared to handle different APIC versions anyway, so the real important
+part is to detect a version mismatch and warn about it, which can be done
+with a single variable as well.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Denys Vlasenko
+CC: Andy Lutomirski
+CC: Borislav Petkov
+CC: Brian Gerst
+CC: Mike Travis
+Link: http://lkml.kernel.org/r/20160913181232.30815-1-dvlasenk@redhat.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/mpspec.h | 2 +-
+ arch/x86/kernel/acpi/boot.c | 2 +-
+ arch/x86/kernel/apic/apic.c | 17 +++++++----------
+ arch/x86/kernel/apic/io_apic.c | 4 ++--
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/smpboot.c | 10 +++++-----
+ 6 files changed, 17 insertions(+), 20 deletions(-)
+
+--- a/arch/x86/include/asm/mpspec.h
++++ b/arch/x86/include/asm/mpspec.h
+@@ -6,7 +6,6 @@
+ #include
+ #include
+
+-extern int apic_version[];
+ extern int pic_mode;
+
+ #ifdef CONFIG_X86_32
+@@ -40,6 +39,7 @@ extern int mp_bus_id_to_type[MAX_MP_BUSS
+ extern DECLARE_BITMAP(mp_bus_not_pci, MAX_MP_BUSSES);
+
+ extern unsigned int boot_cpu_physical_apicid;
++extern u8 boot_cpu_apic_version;
+ extern unsigned long mp_lapic_addr;
+
+ #ifdef CONFIG_X86_LOCAL_APIC
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -180,7 +180,7 @@ static int acpi_register_lapic(int id, u
+ }
+
+ if (boot_cpu_physical_apicid != -1U)
+- ver = apic_version[boot_cpu_physical_apicid];
++ ver = boot_cpu_apic_version;
+
+ return generic_processor_info(id, ver);
+ }
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -64,6 +64,8 @@ unsigned disabled_cpus;
+ unsigned int boot_cpu_physical_apicid = -1U;
+ EXPORT_SYMBOL_GPL(boot_cpu_physical_apicid);
+
++u8 boot_cpu_apic_version;
++
+ /*
+ * The highest APIC ID seen during enumeration.
+ */
+@@ -1790,8 +1792,7 @@ void __init init_apic_mappings(void)
+ * since smp_sanity_check is prepared for such a case
+ * and disable smp mode
+ */
+- apic_version[new_apicid] =
+- GET_APIC_VERSION(apic_read(APIC_LVR));
++ boot_cpu_apic_version = GET_APIC_VERSION(apic_read(APIC_LVR));
+ }
+ }
+
+@@ -1806,13 +1807,10 @@ void __init register_lapic_address(unsig
+ }
+ if (boot_cpu_physical_apicid == -1U) {
+ boot_cpu_physical_apicid = read_apic_id();
+- apic_version[boot_cpu_physical_apicid] =
+- GET_APIC_VERSION(apic_read(APIC_LVR));
++ boot_cpu_apic_version = GET_APIC_VERSION(apic_read(APIC_LVR));
+ }
+ }
+
+-int apic_version[MAX_LOCAL_APIC];
+-
+ /*
+ * Local APIC interrupts
+ */
+@@ -2102,11 +2100,10 @@ int generic_processor_info(int apicid, i
+ cpu, apicid);
+ version = 0x10;
+ }
+- apic_version[apicid] = version;
+
+- if (version != apic_version[boot_cpu_physical_apicid]) {
++ if (version != boot_cpu_apic_version) {
+ pr_warning("BIOS bug: APIC version mismatch, boot CPU: %x, CPU %d: version %x\n",
+- apic_version[boot_cpu_physical_apicid], cpu, version);
++ boot_cpu_apic_version, cpu, version);
+ }
+
+ physid_set(apicid, phys_cpu_present_map);
+@@ -2249,7 +2246,7 @@ int __init APIC_init_uniprocessor(void)
+ * Complain if the BIOS pretends there is one.
+ */
+ if (!boot_cpu_has(X86_FEATURE_APIC) &&
+- APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid])) {
++ APIC_INTEGRATED(boot_cpu_apic_version)) {
+ pr_err("BIOS bug, local APIC 0x%x not detected!...\n",
+ boot_cpu_physical_apicid);
+ return -1;
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1592,7 +1592,7 @@ void __init setup_ioapic_ids_from_mpc(vo
+ * no meaning without the serial APIC bus.
+ */
+ if (!(boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
+- || APIC_XAPIC(apic_version[boot_cpu_physical_apicid]))
++ || APIC_XAPIC(boot_cpu_apic_version))
+ return;
+ setup_ioapic_ids_from_mpc_nocheck();
+ }
+@@ -2422,7 +2422,7 @@ static int io_apic_get_unique_id(int ioa
+ static u8 io_apic_unique_id(int idx, u8 id)
+ {
+ if ((boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) &&
+- !APIC_XAPIC(apic_version[boot_cpu_physical_apicid]))
++ !APIC_XAPIC(boot_cpu_apic_version))
+ return io_apic_get_unique_id(idx, id);
+ else
+ return id;
+--- a/arch/x86/kernel/apic/probe_32.c
++++ b/arch/x86/kernel/apic/probe_32.c
+@@ -153,7 +153,7 @@ early_param("apic", parse_apic);
+
+ void __init default_setup_apic_routing(void)
+ {
+- int version = apic_version[boot_cpu_physical_apicid];
++ int version = boot_cpu_apic_version;
+
+ if (num_possible_cpus() > 8) {
+ switch (boot_cpu_data.x86_vendor) {
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -676,7 +676,7 @@ wakeup_secondary_cpu_via_nmi(int apicid,
+ * Give the other CPU some time to accept the IPI.
+ */
+ udelay(200);
+- if (APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid])) {
++ if (APIC_INTEGRATED(boot_cpu_apic_version)) {
+ maxlvt = lapic_get_maxlvt();
+ if (maxlvt > 3) /* Due to the Pentium erratum 3AP. */
+ apic_write(APIC_ESR, 0);
+@@ -703,7 +703,7 @@ wakeup_secondary_cpu_via_init(int phys_a
+ /*
+ * Be paranoid about clearing APIC errors.
+ */
+- if (APIC_INTEGRATED(apic_version[phys_apicid])) {
++ if (APIC_INTEGRATED(boot_cpu_apic_version)) {
+ if (maxlvt > 3) /* Due to the Pentium erratum 3AP. */
+ apic_write(APIC_ESR, 0);
+ apic_read(APIC_ESR);
+@@ -742,7 +742,7 @@ wakeup_secondary_cpu_via_init(int phys_a
+ * Determine this based on the APIC version.
+ * If we don't have an integrated APIC, don't send the STARTUP IPIs.
+ */
+- if (APIC_INTEGRATED(apic_version[phys_apicid]))
++ if (APIC_INTEGRATED(boot_cpu_apic_version))
+ num_starts = 2;
+ else
+ num_starts = 0;
+@@ -980,7 +980,7 @@ static int do_boot_cpu(int apicid, int c
+ /*
+ * Be paranoid about clearing APIC errors.
+ */
+- if (APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid])) {
++ if (APIC_INTEGRATED(boot_cpu_apic_version)) {
+ apic_write(APIC_ESR, 0);
+ apic_read(APIC_ESR);
+ }
+@@ -1235,7 +1235,7 @@ static int __init smp_sanity_check(unsig
+ /*
+ * If we couldn't find a local APIC, then get out of here now!
+ */
+- if (APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid]) &&
++ if (APIC_INTEGRATED(boot_cpu_apic_version) &&
+ !boot_cpu_has(X86_FEATURE_APIC)) {
+ if (!disable_apic) {
+ pr_err("BIOS bug, local APIC #%d not detected!...\n",
diff --git a/queue-4.7/x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch b/queue-4.7/x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch
new file mode 100644
index 00000000000..ba730de2aaf
--- /dev/null
+++ b/queue-4.7/x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch
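Review bot: In wakeup_secondary_cpu_via_init() (arch/x86/kernel/smpboot.c) both `APIC_INTEGRATED(apic_version[phys_apicid])` tests become `APIC_INTEGRATED(boot_cpu_apic_version)`, which is not a like-for-like substitution: the old code consulted the version recorded for the CPU being started, the new code the boot CPU's. On a machine where generic_processor_info() prints the "APIC version mismatch" warning, the ESR clearing and the `num_starts` choice now follow the boot CPU. The commit message says mixed versions are unsupported, so this is presumably intended, but it should be recorded at those two sites with a comment such as `/* mixed APIC versions are unsupported: the boot CPU's version decides */`. Separately, `u8 boot_cpu_apic_version;` in apic.c is assigned only in the two `__init` functions visible here, so it looks like a candidate for `__ro_after_init`, provided no writer exists outside these hunks.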
@@ -0,0 +1,99 @@
+From 917db484dc6a69969d317b3e57add4208a8d9d42 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Wed, 21 Sep 2016 12:50:45 -0700
+Subject: x86/boot: Fix kdump, cleanup aborted E820_PRAM max_pfn manipulation
+
+From: Dan Williams
+
+commit 917db484dc6a69969d317b3e57add4208a8d9d42 upstream.
+
+In commit:
+
+ ec776ef6bbe1 ("x86/mm: Add support for the non-standard protected e820 type")
+
+Christoph references the original patch I wrote implementing pmem support.
+The intent of the 'max_pfn' changes in that commit were to enable persistent
+memory ranges to be covered by the struct page memmap by default.
+
+However, that approach was abandoned when Christoph ported the patches [1], and
+that functionality has since been replaced by devm_memremap_pages().
+
+In the meantime, this max_pfn manipulation is confusing kdump [2] that
+assumes that everything covered by the max_pfn is "System RAM". This
+results in kdump hanging or crashing.
+
+ [1]: https://lists.01.org/pipermail/linux-nvdimm/2015-March/000348.html
+ [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1351098
+
+So fix it.
+
+Reported-by: Zhang Yi
+Reported-by: Jeff Moyer
+Tested-by: Zhang Yi
+Signed-off-by: Dan Williams
+Reviewed-by: Jeff Moyer
+Cc: Andrew Morton
+Cc: Boaz Harrosh
+Cc: Christoph Hellwig
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Ross Zwisler
+Cc: Thomas Gleixner
+Cc: linux-nvdimm@lists.01.org
+Fixes: ec776ef6bbe1 ("x86/mm: Add support for the non-standard protected e820 type")
+Link: http://lkml.kernel.org/r/147448744538.34910.11287693517367139607.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/e820.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/e820.c
++++ b/arch/x86/kernel/e820.c
+@@ -348,7 +348,7 @@ int __init sanitize_e820_map(struct e820
+ * continue building up new bios map based on this
+ * information
+ */
+- if (current_type != last_type || current_type == E820_PRAM) {
++ if (current_type != last_type) {
+ if (last_type != 0) {
+ new_bios[new_bios_entry].size =
+ change_point[chgidx]->addr - last_addr;
+@@ -754,7 +754,7 @@ u64 __init early_reserve_e820(u64 size,
+ /*
+ * Find the highest page frame number we have available
+ */
+-static unsigned long __init e820_end_pfn(unsigned long limit_pfn)
++static unsigned long __init e820_end_pfn(unsigned long limit_pfn, unsigned type)
+ {
+ int i;
+ unsigned long last_pfn = 0;
+@@ -765,11 +765,7 @@ static unsigned long __init e820_end_pfn
+ unsigned long start_pfn;
+ unsigned long end_pfn;
+
+- /*
+- * Persistent memory is accounted as ram for purposes of
+- * establishing max_pfn and mem_map.
+- */
+- if (ei->type != E820_RAM && ei->type != E820_PRAM)
++ if (ei->type != type)
+ continue;
+
+ start_pfn = ei->addr >> PAGE_SHIFT;
+@@ -794,12 +790,12 @@ static unsigned long __init e820_end_pfn
+ }
+ unsigned long __init e820_end_of_ram_pfn(void)
+ {
+- return e820_end_pfn(MAX_ARCH_PFN);
++ return e820_end_pfn(MAX_ARCH_PFN, E820_RAM);
+ }
+
+ unsigned long __init e820_end_of_low_ram_pfn(void)
+ {
+- return e820_end_pfn(1UL << (32-PAGE_SHIFT));
++ return e820_end_pfn(1UL << (32 - PAGE_SHIFT), E820_RAM);
+ }
+
+ static void early_panic(char *msg)
diff --git a/queue-4.7/x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch b/queue-4.7/x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch
new file mode 100644
index 00000000000..d5e50f3da57
--- /dev/null
+++ b/queue-4.7/x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch
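Review bot: The comment above e820_end_pfn() still reads "Find the highest page frame number we have available" although the function now filters on its new `type` argument; it should say so, e.g. `Find the highest page frame number we have available for the given e820 type`. The new parameter is also spelled with a bare `unsigned` in `e820_end_pfn(unsigned long limit_pfn, unsigned type)`, where kernel style prefers `unsigned int type`. Both callers in the hunk pass E820_RAM, so neither change affects behaviour.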
@@ -0,0 +1,67 @@
+From 72b4f6a5e903b071f2a7c4eb1418cbe4eefdc344 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Thu, 18 Aug 2016 10:59:06 -0500
+Subject: x86/dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access
+
+From: Josh Poimboeuf
+
+commit 72b4f6a5e903b071f2a7c4eb1418cbe4eefdc344 upstream.
+
+On x86_32, when an interrupt happens from kernel space, SS and SP aren't
+pushed and the existing stack is used. So pt_regs is effectively two
+words shorter, and the previous stack pointer is normally the memory
+after the shortened pt_regs, aka '®s->sp'.
+
+But in the rare case where the interrupt hits right after the stack
+pointer has been changed to point to an empty stack, like for example
+when call_on_stack() is used, the address immediately after the
+shortened pt_regs is no longer on the stack. In that case, instead of
+'®s->sp', the previous stack pointer should be retrieved from the
+beginning of the current stack page.
+
+kernel_stack_pointer() wants to do that, but it forgets to dereference
+the pointer. So instead of returning a pointer to the previous stack,
+it returns a pointer to the beginning of the current stack.
+
+Note that it's probably outside of kernel_stack_pointer()'s scope to be
+switching stacks at all. The x86_64 version of this function doesn't do
+it, and it would be better for the caller to do it if necessary. But
+that's a patch for another day. This just fixes the original intent.
+
+Signed-off-by: Josh Poimboeuf
+Cc: Andy Lutomirski
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Byungchul Park
+Cc: Denys Vlasenko
+Cc: Frederic Weisbecker
+Cc: H. Peter Anvin
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Nilay Vaish
+Cc: Peter Zijlstra
+Cc: Steven Rostedt
+Cc: Thomas Gleixner
+Fixes: 0788aa6a23cb ("x86: Prepare removal of previous_esp from i386 thread_info structure")
+Link: http://lkml.kernel.org/r/472453d6e9f6a2d4ab16aaed4935f43117111566.1471535549.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/ptrace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -173,8 +173,8 @@ unsigned long kernel_stack_pointer(struc
+ return sp;
+
+ prev_esp = (u32 *)(context);
+- if (prev_esp)
+- return (unsigned long)prev_esp;
++ if (*prev_esp)
++ return (unsigned long)*prev_esp;
+
+ return (unsigned long)regs;
+ }
diff --git a/queue-4.7/x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch b/queue-4.7/x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch
new file mode 100644
index 00000000000..1ed26e4df39
--- /dev/null
+++ b/queue-4.7/x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch
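Review bot: `*prev_esp` is read twice in kernel_stack_pointer(), once for the test and once for the return value, and the loaded word is handed back as a stack pointer with no further check. Reading it once into a local keeps the test and the result tied to the same value: `u32 prev = *prev_esp;` followed by `if (prev) return (unsigned long)prev;`. Whether that word can ever hold something other than zero or a valid previous stack pointer depends on how `context` is derived, which is outside the hunk; if that is not guaranteed, callers that walk the stack from this value need their own bounds check.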
@@ -0,0 +1,84 @@
+From db91aa793ff984ac048e199ea1c54202543952fe Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Mon, 3 Oct 2016 13:17:08 +0300
+Subject: x86/irq: Prevent force migration of irqs which are not in the vector domain
+
+From: Mika Westerberg
+
+commit db91aa793ff984ac048e199ea1c54202543952fe upstream.
+
+When a CPU is about to be offlined we call fixup_irqs() that resets IRQ
+affinities related to the CPU in question. The same thing is also done when
+the system is suspended to S-states like S3 (mem).
+
+For each IRQ we try to complete any on-going move regardless whether the
+IRQ is actually part of x86_vector_domain. For each IRQ descriptor we fetch
+its chip_data, assume it is of type struct apic_chip_data and manipulate it
+by clearing old_domain mask etc. For irq_chips that are not part of the
+x86_vector_domain, like those created by various GPIO drivers, will find
+their chip_data being changed unexpectly.
+
+Below is an example where GPIO chip owned by pinctrl-sunrisepoint.c gets
+corrupted after resume:
+
+ # cat /sys/kernel/debug/gpio
+ gpiochip0: GPIOs 360-511, parent: platform/INT344B:00, INT344B:00:
+ gpio-511 ( |sysfs ) in hi
+
+ # rtcwake -s10 -mmem
+ <10 seconds passes>
+
+ # cat /sys/kernel/debug/gpio
+ gpiochip0: GPIOs 360-511, parent: platform/INT344B:00, INT344B:00:
+ gpio-511 ( |sysfs ) in ?
+
+Note '?' in the output. It means the struct gpio_chip ->get function is
+NULL whereas before suspend it was there.
+
+Fix this by first checking that the IRQ belongs to x86_vector_domain before
+we try to use the chip_data as struct apic_chip_data.
+
+Reported-and-tested-by: Sakari Ailus
+Signed-off-by: Mika Westerberg
+Link: http://lkml.kernel.org/r/20161003101708.34795-1-mika.westerberg@linux.intel.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/vector.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -661,11 +661,28 @@ void irq_complete_move(struct irq_cfg *c
+ */
+ void irq_force_complete_move(struct irq_desc *desc)
+ {
+- struct irq_data *irqdata = irq_desc_get_irq_data(desc);
+- struct apic_chip_data *data = apic_chip_data(irqdata);
+- struct irq_cfg *cfg = data ? &data->cfg : NULL;
++ struct irq_data *irqdata;
++ struct apic_chip_data *data;
++ struct irq_cfg *cfg;
+ unsigned int cpu;
+
++ /*
++ * The function is called for all descriptors regardless of which
++ * irqdomain they belong to. For example if an IRQ is provided by
++ * an irq_chip as part of a GPIO driver, the chip data for that
++ * descriptor is specific to the irq_chip in question.
++ *
++ * Check first that the chip_data is what we expect
++ * (apic_chip_data) before touching it any further.
++ */
++ irqdata = irq_domain_get_irq_data(x86_vector_domain,
++ irq_desc_get_irq(desc));
++ if (!irqdata)
++ return;
++
++ data = apic_chip_data(irqdata);
++ cfg = data ? &data->cfg : NULL;
++
+ if (!cfg)
+ return;
+
diff --git a/queue-4.7/x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch b/queue-4.7/x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch
new file mode 100644
index 00000000000..eb1b4062dc8
--- /dev/null
+++ b/queue-4.7/x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch
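Review bot: After the new domain lookup in irq_force_complete_move() the code still goes through `cfg = data ? &data->cfg : NULL;` and then `if (!cfg) return;`, which tests `data` only indirectly. Writing `if (!data) return;` followed by `cfg = &data->cfg;` says the same thing directly and mirrors the `if (!irqdata) return;` guard added just above. The hunk header names irq_complete_move() as the preceding function; its body is not visible, so whether it relies on the same chip_data assumption cannot be judged from here. The remainder of irq_force_complete_move() is outside the hunk.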
@@ -0,0 +1,49 @@
+From ba6d018e3d2f6a0fad58a668cadf66b2d1f80f59 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Sat, 10 Sep 2016 20:30:45 +0200
+Subject: x86/mm/pkeys: Do not skip PKRU register if debug registers are not used
+
+From: Nicolas Iooss
+
+commit ba6d018e3d2f6a0fad58a668cadf66b2d1f80f59 upstream.
+
+__show_regs() fails to dump the PKRU state when the debug registers are in
+their default state because there is a return statement on the debug
+register state.
+
+Change the logic to report PKRU value even when debug registers are in
+their default state.
+
+Fixes:c0b17b5bd4b7 ("x86/mm/pkeys: Dump PKRU with other kernel registers")
+Signed-off-by: Nicolas Iooss
+Acked-by: Dave Hansen
+Link: http://lkml.kernel.org/r/20160910183045.4618-1-nicolas.iooss_linux@m4x.org
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/process_64.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -110,12 +110,13 @@ void __show_regs(struct pt_regs *regs, i
+ get_debugreg(d7, 7);
+
+ /* Only print out debug registers if they are in their non-default state. */
+- if ((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) &&
+- (d6 == DR6_RESERVED) && (d7 == 0x400))
+- return;
+-
+- printk(KERN_DEFAULT "DR0: %016lx DR1: %016lx DR2: %016lx\n", d0, d1, d2);
+- printk(KERN_DEFAULT "DR3: %016lx DR6: %016lx DR7: %016lx\n", d3, d6, d7);
++ if (!((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) &&
++ (d6 == DR6_RESERVED) && (d7 == 0x400))) {
++ printk(KERN_DEFAULT "DR0: %016lx DR1: %016lx DR2: %016lx\n",
++ d0, d1, d2);
++ printk(KERN_DEFAULT "DR3: %016lx DR6: %016lx DR7: %016lx\n",
++ d3, d6, d7);
++ }
+
+ if (boot_cpu_has(X86_FEATURE_OSPKE))
+ printk(KERN_DEFAULT "PKRU: %08x\n", read_pkru());
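Review bot: The rewritten test in `__show_regs()` wraps the whole six-term default-state check in `!( … )`, which is harder to scan than the early return it replaces, and it keeps the bare `0x400` for the DR7 default right next to the named `DR6_RESERVED`. Naming the condition once would make the intent explicit, e.g. `dr_default = (d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) && (d6 == DR6_RESERVED) && (d7 == 0x400);` followed by `if (!dr_default) {`. A named constant for the DR7 reset value would remove the remaining magic number. The function begins before the hunk, so the local's declaration has to be placed with the existing ones, which are not visible here.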
diff --git a/queue-4.7/x86-pkeys-make-protection-keys-an-eager-feature.patch b/queue-4.7/x86-pkeys-make-protection-keys-an-eager-feature.patch
new file mode 100644
index 00000000000..2aeef70c585
--- /dev/null
+++ b/queue-4.7/x86-pkeys-make-protection-keys-an-eager-feature.patch
@@ -0,0 +1,55 @@
+From d4b05923f579c234137317cdf9a5eb69ddab76d1 Mon Sep 17 00:00:00 2001
+From: Dave Hansen
+Date: Fri, 7 Oct 2016 09:23:42 -0700
+Subject: x86/pkeys: Make protection keys an "eager" feature
+
+From: Dave Hansen
+
+commit d4b05923f579c234137317cdf9a5eb69ddab76d1 upstream.
+
+Our XSAVE features are divided into two categories: those that
+generate FPU exceptions, and those that do not. MPX and pkeys do
+not generate FPU exceptions and thus can not be used lazily. We
+disable them when lazy mode is forced on.
+
+We have a pair of masks to collect these two sets of features, but
+XFEATURE_MASK_PKRU was added to the wrong mask: XFEATURE_MASK_LAZY.
+Fix it by moving the feature to XFEATURE_MASK_EAGER.
+
+Note: this only causes problem if you boot with lazy FPU mode
+(eagerfpu=off) which is *not* the default. It also only affects
+hardware which is not currently publicly available. It looks like
+eager mode is going away, but we still need this patch applied
+to any kernel that has protection keys and lazy mode, which is 4.6
+through 4.8 at this point, and 4.9 if the lazy removal isn't sent
+to Linus for 4.9.
+
+Fixes: c8df40098451 ("x86/fpu, x86/mm/pkeys: Add PKRU xsave fields and data structures")
+Signed-off-by: Dave Hansen
+Cc: Dave Hansen
+Link: http://lkml.kernel.org/r/20161007162342.28A49813@viggo.jf.intel.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/fpu/xstate.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/fpu/xstate.h
++++ b/arch/x86/include/asm/fpu/xstate.h
+@@ -24,11 +24,12 @@
+ XFEATURE_MASK_YMM | \
+ XFEATURE_MASK_OPMASK | \
+ XFEATURE_MASK_ZMM_Hi256 | \
+- XFEATURE_MASK_Hi16_ZMM | \
+- XFEATURE_MASK_PKRU)
++ XFEATURE_MASK_Hi16_ZMM)
+
+ /* Supported features which require eager state saving */
+-#define XFEATURE_MASK_EAGER (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR)
++#define XFEATURE_MASK_EAGER (XFEATURE_MASK_BNDREGS | \
++ XFEATURE_MASK_BNDCSR | \
++ XFEATURE_MASK_PKRU)
+
+ /* All currently supported features */
+ #define XCNTXT_MASK (XFEATURE_MASK_LAZY | XFEATURE_MASK_EAGER)
diff --git a/queue-4.7/xen-x86-update-topology-map-for-pv-vcpus.patch b/queue-4.7/xen-x86-update-topology-map-for-pv-vcpus.patch
new file mode 100644
index 00000000000..f194078bf67
--- /dev/null
+++ b/queue-4.7/xen-x86-update-topology-map-for-pv-vcpus.patch
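Review bot: The comment above `XFEATURE_MASK_EAGER` in the xstate.h hunk still says only that these features "require eager state saving", without the criterion that decides which mask a feature belongs in. The commit message states the rule (features that do not generate FPU exceptions cannot be used lazily), and putting it beside the masks would make the same misplacement less likely for the next feature bit, e.g. `/* Features that do not generate FPU exceptions and therefore cannot be handled lazily (MPX, pkeys) */`. Since PKRU presumably carries per-thread memory-protection state, the placement matters for more than bookkeeping. The opening of the `XFEATURE_MASK_LAZY` definition is outside the hunk.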
@@ -0,0 +1,52 @@
+From a6a198bc60e6c980a56eca24d33dc7f29139f8ea Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky
+Date: Wed, 5 Oct 2016 13:09:33 -0400
+Subject: xen/x86: Update topology map for PV VCPUs
+
+From: Boris Ostrovsky
+
+commit a6a198bc60e6c980a56eca24d33dc7f29139f8ea upstream.
+
+Early during boot topology_update_package_map() computes
+logical_pkg_ids for all present processors.
+
+Later, when processors are brought up, identify_cpu() updates
+these values based on phys_pkg_id which is a function of
+initial_apicid. On PV guests the latter may point to a
+non-existing node, causing logical_pkg_ids to be set to -1.
+
+Intel's RAPL uses logical_pkg_id (as topology_logical_package_id())
+to index its arrays and therefore in this case will point to index
+65535 (since logical_pkg_id is a u16). This could lead to either a
+crash or may actually access random memory location.
+
+As a workaround, we recompute topology during CPU bringup to reset
+logical_pkg_id to a valid value.
+
+(The reason for initial_apicid being bogus is because it is
+initial_apicid of the processor from which the guest is launched.
+This value is CPUID(1).EBX[31:24])
+
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/smp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/xen/smp.c
++++ b/arch/x86/xen/smp.c
+@@ -87,6 +87,12 @@ static void cpu_bringup(void)
+ cpu_data(cpu).x86_max_cores = 1;
+ set_cpu_sibling_map(cpu);
+
++ /*
++ * identify_cpu() may have set logical_pkg_id to -1 due
++ * to incorrect phys_proc_id. Let's re-comupte it.
++ */
++ topology_update_package_map(apic->cpu_present_to_apicid(cpu), cpu);
++
+ xen_setup_cpu_clockevents();
+
+ notify_cpu_starting(cpu);
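Review bot: The call added to `cpu_bringup()` discards whatever `topology_update_package_map()` returns, and nothing after it confirms that `logical_pkg_id` is now in range, even though the commit message says a value of -1 becomes index 65535 into RAPL's arrays. The prototype is not visible in this hunk; if the function can report failure, the result should be checked and at least logged so that an out-of-range id is not silently left in place for later array indexing. The new comment also contains a typo, and its last line would read better as `* to incorrect phys_proc_id. Let's re-compute it.`. `cpu_bringup()` starts before and continues after the hunk.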